ARM 资源组部署显示新部署的修改，即使没有更改

Question

我在 Azure 角色分配下面使用 Bicep 文件。所以在这里我有一个 Azuredevops 管道，它将构建 bicepfile 到 arm 模板，并且从管道变量中，paramaters.json 文件将得到更新。

主二头肌

targetScope = 'resourceGroup' 

@description('Principal type of the assignee.')
@allowed([
  'Device'
  'ForeignGroup'
  'Group'
  'ServicePrincipal'
  'User'
])
param principalType string

@description('the id for the role defintion, to define what permission should be assigned')
param RoleDefinitionId string

@description('the id of the principal that would get the permission')
param principalId string

@description('the role deffinition is collected')
resource roleDefinition 'Microsoft.Authorization/roleDefinitions@2018-01-01-preview' existing = {
  scope: resourceGroup()
  name: RoleDefinitionId
}

resource RoleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = {
  name: guid(resourceGroup().id, RoleDefinitionId, principalId)
  properties: {
    roleDefinitionId: roleDefinition.id
    principalId: principalId
    principalType: principalType
  }
}

参数.json

{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
     "principalType": {
         "value": "#{principalType}#"
     },
     "RoleDefinitionId": {
       "value": "#{RoleDefinitionId}#"          
     },     
     "principalId": {
       "value": "#{principalId}#"
     }
  } 
}

用于创建部署的管道构建任务。

'az deployment group create --resource-group $(resourceGroup) --template-file $(System.DefaultWorkingDirectory)/template/main.json --parameters $(System.DefaultWorkingDirectory)/template/parameters.json' 

当我第一次触发管道时，我得到如下输出摘要。

The deployment will update the following scope:

Scope: /subscriptions/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX/resourceGroups/XXXXXXXXXXXXXXXXXXX-rg

  + Microsoft.Authorization/roleAssignments/xxxxxxxxxxxxxxxx [2020-10-01-preview]

      apiVersion:                  "2020-10-01-preview"
      id:                          "/subscriptions/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX/resourceGroups/XXXXXXXXXXXXXXXXXXX-rg/providers/Microsoft.Authorization/roleAssignments/xxxxxxxxxxxxxxxxx"
      name:                        "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
      properties.principalId:      "xxxxxxxxxxxxx"
      properties.roleDefinitionId: "/subscriptions/XXXXXXXXXXXXXXXXXXXXX/resourceGroups/XXXXXXXXXXXXXXXXXXX-rg/providers/Microsoft.Authorization/roleDefinitions/xxxxxxxxxxxxxxxxxxxxxxx"
      type:                        "Microsoft.Authorization/roleAssignments"

之后，如果我再次重新触发管道而不对模板进行任何更改。它显示为 1 进行修改，但预计输出将显示为“无变化”。因为我们已经从管道端或手动对资源进行了任何更改。

Scope: /subscriptions/xxxxxxxxxxxxxxxxxx/resourceGroups/xxxxxxxxxxxxxxxx-rg

  ~ Microsoft.Authorization/roleAssignments/xxxxxxxxxxxxxxxxxxxxxxx [2020-10-01-preview]
    ~ properties.roleDefinitionId: "/subscriptions/xxxxxxxxxxxxxxxxxxx/providers/Microsoft.Authorization/roleDefinitions/xxxxxxxxxxxxxxxxxxxxxxxxx" => "/subscriptions/xxxxxxxxxxxxxxxxxxxx/resourceGroups/xxxxxxxxxxxxxxx-rg/providers/Microsoft.Authorization/roleDefinitions/xxxxxxxxxxxxxxxxxxx"
    x properties.principalType:    "Group"

Resource changes: 1 to modify

iF i 再次部署，下一次将显示与 1 相同的输出以进行修改

这里有什么问题，为什么即使没有变化，ARM 部署也会显示变化。

Answer 1

Azure built-in role 定义在订阅级别定义，除非它是您在另一个范围内创建的自定义角色。

在您的二头肌文件中，您可以更改 roleDefinition 资源的范围：

@description('the role deffinition is collected')
resource roleDefinition 'Microsoft.Authorization/roleDefinitions@2018-01-01-preview' existing = {
  scope: subscription()
  name: RoleDefinitionId
}

或者你也可以使用subscriptionResourceId：

resource RoleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = {
  name: guid(resourceGroup().id, RoleDefinitionId, principalId)
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', RoleDefinitionId)
    principalId: principalId
    principalType: principalType
  }
}