如何在ARM模板的变量/参数中检查多个条件。

huangapple go评论68阅读模式
英文:

How to check multiple conditions in ARM Template variables/parameters

问题

我需要修改一个ARM模板,以便用户在部署过程中可以选择3个选项作为参数,每个选项对应一个特定的Azure RBAC内置角色(Owner、Contributor或Reader)。然后,我需要将每个角色与其在Azure中唯一的角色ID相关联。我希望避免用户必须从角色ID中进行选择,因为它们显然不具有描述性,但在这种情况下,分配必须通过角色ID进行,只有角色定义的名称不足以直接进行分配。

下面的模板已经简化了我需要实现的逻辑,但它只检查参数的一个值(Contributor)。因此,我需要为3个不同的值执行相同的操作。如果只有2个可能的值,我可以将“json('null')”更改为另一个角色ID,但对于3个值,它变得更加复杂。

{
    "$schema": "https://schema.management.azure.com/schemas/2019-08-01/subscriptionDeploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "exampleParameter": {
            "defaultValue": "Contributor",
            "allowedValues": [
                "Contributor",
                "Owner",
                "Reader"
            ],
            "type": "String",
            "metadata": {
                "description": "Test parameter"
            }
        }
    },
    "variables": {
        "exampleVariable": "[if(equals(parameters('exampleParameter'), 'Contributor'), 'ContributorRoleID', json('null'))]"
    },
    "resources": [],
    "outputs": {
        "exampleOutput": {
            "type": "String",
            "value": "[variables('exampleVariable')]"
        }
    }
}

我从这个问题中获得了一些参考资料,但最终我并没有完全理解,因为即使它使用了OR条件,我也没有注意到如何传递true和false评估的值,就像上面的示例中只有一个值一样。然后,我尝试了不同的方法来调整它以满足我的需求,但我真的找不到解决这个问题的方法,因为我找不到可以使用相同逻辑处理多个值的有效语法。

对于这个新问题,我为创建新主题道歉,因为我无法在原始问题中进行评论。

注:如果有其他实现相同结果的解决方案,请随时提出建议。我的问题涉及变量/参数中的条件,因为这是我想象中的唯一使这种关联成为可能的方法,但我不是ARM模板的专家,也许还有另一种适用于我的用例的简单解决方案。

如果有人能帮助我,我将不胜感激。谢谢!

英文:

I need to modify an ARM template in a way that the user will have 3 options to select for a parameter during the deployment, each one for a specific Azure RBAC built-in role (Owner, Contributor or Reader). Then I need to correlate each role to the respective role ID, that are unique in Azure. I want to avoid the user having to select from the roleID´s, as they are obviously not descritive, but the assignment in this case must be done by the roleID, just the name of the role definition is not sufficient to make the assignment directly.

The template below was simplified with just the logic that I need to implement, however it´s checking just one value for the parameter (Contributor). So I need to do same but for the 3 different values. If it was just 2 possible values I could change the "json('null')" to the other RoleID, but with 3 values it gets more complex.

{
    "$schema": "https://schema.management.azure.com/schemas/2019-08-01/subscriptionDeploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "exampleParameter": {
            "defaultValue": "Contributor",
            "allowedValues": [
                "Contributor",
                "Owner",
                "Reader"
            ],
            "type": "String",
            "metadata": {
                "description": "Test parameter"
            }
        }
    },
    "variables": {
        "exampleVariable": "[if(equals(parameters('exampleParameter'), 'Contributor'), 'ContributorRoleID', json('null'))]"
    },
    "resources": [],
    "outputs": {
        "exampleOutput": {
            "type": "String",
            "value": "[variables('exampleVariable')]"
        }
    }
}

I´ve got some references from this question, but I really didnt´t únderstand the example in the end, as even though it uses the OR condition, I didn´t noticed how to pass the value for true and false evaluation, as in the example above with a single value. Then I have tried different ways to adjust it for my needs, but I really couldn´t find a way of solving that as I couldn´t find any valid sintaxe to use this same logic with multiple values.

I apologize for creating a new topic for that, but I couldn´t make a comment in the original question.

Note: if there any other solution to achieve the same result, please feel free to suggest. My question is about the conditions in variables/parameters because it´s the only way that I could imagine to make this association, but I am not an expert in ARM templates, maybe there is another simple solution for my use case.

I appreciate if someone can help me. Thanks!

答案1

得分: 1

我需要将每个角色与Azure中唯一的角色ID相关联。

  • 无法在ARM模板中直接分配**基于角色的访问控制(RBAC)**角色给特定资源。Azure RBAC角色只能分配给管理组、订阅或资源组级别,而不能直接分配给像虚拟网络这样的单个资源。

  • 要为特定资源分配角色,您需要使用Azure策略,Azure策略允许您配置类似RBAC角色分配的资源。

创建一个资源,不应直接分配任何RBAC角色。

如何在ARM模板的变量/参数中检查多个条件。

创建一个Azure策略定义,根据所选角色名和角色ID分配RBAC角色分配。

{
  "properties": {
    "displayName": "Enforce RBAC Role Assignment",
    "description": "根据所选角色名强制执行RBAC角色分配。",
    "mode": "Indexed",
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Authorization/roleAssignments"
          },
          {
            "field": "Microsoft.Authorization/roleAssignments/principalId",
            "equals": "[field('Microsoft.Network/virtualNetworks/identity/principalId')]"
          }
        ]
      },
      "then": {
        "effect": "DeployIfNotExists",
        "details": {
          "type": "Microsoft.Authorization/roleAssignments",
          "roleDefinitionId": "[variables('selectedRoleID')]",
          "principalId": "[field('Microsoft.Network/virtualNetworks/identity/principalId')]",
          "scope": "[field('Microsoft.Network/virtualNetworks/id')]"
        }
      }
    },
    "parameters": {}
  }
}

以下是处理角色名称与其相应角色ID之间关联的模板。

{
  "$schema": "https://schema.management.azure.com/schemas/2019-08-01/subscriptionDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "exampleParameter": {
      "defaultValue": "Contributor",
      "allowedValues": ["Contributor", "Owner", "Reader"],
      "type": "String",
      "metadata": {
        "description": "选择部署的角色。"
      }
    }
  },
  "variables": {
    "roleMappings": {
      "Contributor": "b24988ac-6180-4783-ad44-20f7382dd24c", // 重复的Contributor角色ID
      "Owner": "8s7hf657-a8ff-443c-a75c-2fe8c4cjve635",       // 重复的Owner角色ID
      "Reader": "acvg80a7-3385-48ef-bd02-f685gda81ae7"      // 重复的Reader角色ID
    },
    "selectedRoleID": "[variables('roleMappings')[parameters('exampleParameter')]]"
  },
  "resources": [],
  "outputs": {
    "exampleOutput": {
      "type": "String",
      "value": "[variables('selectedRoleID')]"
    }
  }
}

根据要求的参数

如何在ARM模板的变量/参数中检查多个条件。

  • 在部署期间,用户可以选择角色名(Owner、Contributor或Reader)。

您需要使用Azure策略定义和Azure策略的内置策略规则类型,具体是"基于角色的访问控制(RBAC)角色分配"策略。

英文:

>I need to correlate each role to the respective role ID, that are unique in Azure.

  • It is not possible to directly assign an (Role-Based Access Control) role to a specific resource in an ARM template. Azure RBAC roles can only be assigned at the management group, subscription, or resource group level, and not directly to individual resources like virtual networks.

  • To assign role to a specific resource you need to use Azure Policy, Azure Policy allows you to configure like RBAC role assignments on resources.

Create a resource that shouldn't have any RBAC role assigned directly.

如何在ARM模板的变量/参数中检查多个条件。

Create an Azure Policy definition to assign the RBAC role assignment based on the selected role name and Role ID.

{
  "properties": {
    "displayName": "Enforce RBAC Role Assignment",
    "description": "Enforce RBAC role assignment based on the selected role name.",
    "mode": "Indexed",
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Authorization/roleAssignments"
          },
          {
            "field": "Microsoft.Authorization/roleAssignments/principalId",
            "equals": "[field('Microsoft.Network/virtualNetworks/identity/principalId')]"
          }
        ]
      },
      "then": {
        "effect": "DeployIfNotExists",
        "details": {
          "type": "Microsoft.Authorization/roleAssignments",
          "roleDefinitionId": "[variables('selectedRoleID')]",
          "principalId": "[field('Microsoft.Network/virtualNetworks/identity/principalId')]",
          "scope": "[field('Microsoft.Network/virtualNetworks/id')]"
        }
      }
    },
    "parameters": {}
  }
}

Below is the template to handle the correlation between the role names and their respective Role IDs.

{
  "$schema": "https://schema.management.azure.com/schemas/2019-08-01/subscriptionDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "exampleParameter": {
      "defaultValue": "Contributor",
      "allowedValues": ["Contributor", "Owner", "Reader"],
      "type": "String",
      "metadata": {
        "description": "Select the role for the deployment."
      }
    }
  },
  "variables": {
    "roleMappings": {
      "Contributor": "b24988ac-6180-4783-ad44-20f7382dd24c", // Duplicate Contributor Role ID
      "Owner": "8s7hf657-a8ff-443c-a75c-2fe8c4cjve635",       // Duplicate Owner Role ID
      "Reader": "acvg80a7-3385-48ef-bd02-f685gda81ae7"      // Duplicate Reader Role ID
    },
    "selectedRoleID": "[variables('roleMappings')[parameters('exampleParameter')]]"
  },
  "resources": [],
  "outputs": {
    "exampleOutput": {
      "type": "String",
      "value": "[variables('selectedRoleID')]"
    }
  }
}

Parameters as per the requirement.

如何在ARM模板的变量/参数中检查多个条件。

  • During the deployment the user can select the role name (Owner, Contributor, or Reader).

You need to use an Azure Policy definition with Azure Policy's built-in policy rule types, specifically "Role-Based Access Control (RBAC) Role Assignment" policies.

huangapple
  • 本文由 发表于 2023年7月14日 03:45:08
  • 转载请务必保留本文链接:https://go.coder-hub.com/76682758.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定