【Question title】: Azure portal: allow deployment only through ARM templates or Terraform
【Posted】: 2021-11-05 10:17:00
【Question】:

I have looked everywhere but cannot find a solution to this problem.

In Azure I have a production subscription, and I want to deny any form of manual deployment and only allow deployments made with ARM templates or Terraform.

Using Azure management group policy, I did create a definition that blocks all kinds of deployments as "not allowed". But this does not only deny deployments from the portal, it also blocks deployments made with ARM or Terraform.

Can anyone help me understand how I can allow deployment as code while blocking all portal deployments?

Many thanks for any help; if my question is unclear, feel free to ask for more information.

【Comments】:

  • Don't give users Contributor permissions; do all deployments through a service principal.
  • Sorry, you mean do all deployments through a service principal? Do I need to set any specific permissions for the users for this?
  • First look up what service principals are and how they are used. That will answer your question.

Tags: azure terraform arm-template azure-policy


【Answer 1】:

Thanks Daniel Mann. Posting your suggestion as an answer to help other community members.

As Daniel suggested, "Don't give users Contributor permissions, do all deployments through a service principal."

You can use an ARM template to add a role assignment to an existing service principal.

Subscription deployments with ARM templates

For example:

{
  "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "metadata": {
    "_generator": {
      "name": "bicep",
      "version": "0.4.1.14562",
      "templateHash": "17666923867108240565"
    }
  },
  "parameters": {
    "rgName": {
      "type": "string",
      "metadata": {
        "description": "Name of the resourceGroup to create"
      }
    },
    "rgLocation": {
      "type": "string",
      "metadata": {
        "description": "Location for the resourceGroup"
      }
    },
    "principalId": {
      "type": "string",
      "metadata": {
        "description": "principalId of the user that will be given contributor access to the resourceGroup"
      }
    },
    "roleDefinitionId": {
      "type": "string",
      "defaultValue": "b24988ac-6180-42a0-ab88-20f7382dd24c",
      "metadata": {
        "description": "roleDefinition to apply to the resourceGroup - default is contributor"
      }
    },
    "roleAssignmentName": {
      "type": "string",
      "defaultValue": "[guid(parameters('principalId'), parameters('roleDefinitionId'), parameters('rgName'))]",
      "metadata": {
        "description": "Unique name for the roleAssignment in the format of a guid"
      }
    }
  },
  "functions": [],
  "resources": [
    {
      "type": "Microsoft.Resources/resourceGroups",
      "apiVersion": "2019-10-01",
      "name": "[parameters('rgName')]",
      "location": "[parameters('rgLocation')]",
      "tags": {
        "Note": "subscription level deployment"
      },
      "properties": {}
    },
    {
      "type": "Microsoft.Resources/deployments",
      "apiVersion": "2019-10-01",
      "name": "applyLock",
      "resourceGroup": "[parameters('rgName')]",
      "properties": {
        "expressionEvaluationOptions": {
          "scope": "inner"
        },
        "mode": "Incremental",
        "parameters": {
          "principalId": {
            "value": "[parameters('principalId')]"
          },
          "roleDefinitionId": {
            "value": "[parameters('roleDefinitionId')]"
          },
          "roleAssignmentName": {
            "value": "[parameters('roleAssignmentName')]"
          }
        },
        "template": {
          "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
          "contentVersion": "1.0.0.0",
          "metadata": {
            "_generator": {
              "name": "bicep",
              "version": "0.4.1.14562",
              "templateHash": "12740078983609655962"
            }
          },
          "parameters": {
            "principalId": {
              "type": "string",
              "metadata": {
                "description": "principalId of the user that will be given contributor access to the resourceGroup"
              }
            },
            "roleDefinitionId": {
              "type": "string",
              "metadata": {
                "description": "roleDefinition to apply to the resourceGroup - default is contributor"
              }
            },
            "roleAssignmentName": {
              "type": "string",
              "metadata": {
                "description": "Unique name for the roleAssignment in the format of a guid"
              }
            }
          },
          "functions": [],
          "resources": [
            {
              "type": "Microsoft.Authorization/locks",
              "apiVersion": "2016-09-01",
              "name": "DontDelete",
              "properties": {
                "level": "CanNotDelete",
                "notes": "Prevent deletion of the resourceGroup"
              }
            },
            {
              "type": "Microsoft.Authorization/roleAssignments",
              "apiVersion": "2020-04-01-preview",
              "name": "[guid(parameters('roleAssignmentName'))]",
              "properties": {
                "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', parameters('roleDefinitionId'))]",
                "principalId": "[parameters('principalId')]"
              }
            }
          ]
        }
      },
      "dependsOn": [
        "[subscriptionResourceId('Microsoft.Resources/resourceGroups', parameters('rgName'))]"
      ]
    }
  ]
}

You can refer to:

  • Is there a way to use ARM Template to create an Azure Service Principal?
  • Assign Azure roles using Azure Resource Manager templates
  • Automatic Service Principal creation in the Azure deployment

【Discussion】:
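Daniel Mann's comment amounts to splitting write access between human and pipeline identities. The Terraform below is an example added here, not code from the original post, and shows one way to express that split with the azurerm (3.x) and azuread (2.x) providers; the application name, the operators group, and the CI issuer/subject are assumed values.

```hcl
provider "azurerm" {
  features {}
}

provider "azuread" {}

data "azurerm_subscription" "prod" {}

# The identity the pipeline runs as: the only principal allowed to write.
resource "azuread_application" "deploy" {
  display_name = "prod-iac-deployer" # assumed name
}

resource "azuread_service_principal" "deploy" {
  application_id = azuread_application.deploy.application_id # azuread 2.x attribute
}

# Federated (OIDC) credential: CI exchanges its own token for an Azure token,
# so no client secret exists to leak. Issuer and subject are example values.
resource "azuread_application_federated_identity_credential" "ci" {
  application_object_id = azuread_application.deploy.object_id
  display_name          = "github-main"
  audiences             = ["api://AzureADTokenExchange"]
  issuer                = "https://token.actions.githubusercontent.com"
  subject               = "repo:example-org/prod-infra:ref:refs/heads/main"
}

# Contributor at subscription scope for the pipeline identity only.
resource "azurerm_role_assignment" "deployer_contributor" {
  scope                = data.azurerm_subscription.prod.id
  role_definition_name = "Contributor"
  principal_id         = azuread_service_principal.deploy.object_id
}

# Human operators (an existing Azure AD group, assumed) get Reader: they can
# inspect everything in the portal, but every create/update is refused by RBAC.
data "azuread_group" "operators" {
  display_name = "prod-operators" # assumed group name
}

resource "azurerm_role_assignment" "operators_reader" {
  scope                = data.azurerm_subscription.prod.id
  role_definition_name = "Reader"
  principal_id         = data.azuread_group.operators.object_id
}
```

This only bites once existing Owner or Contributor assignments held by humans on the subscription are removed. Note also that a Contributor-only pipeline identity cannot create role assignments like the template in the answer does; that step needs Owner or User Access Administrator on the target scope.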
