How to pass a secret value from Key Vault using an Azure ARM template - PullRequest
0 votes
/ 05 February 2020

I am trying to create an Azure Application Gateway with an SSL certificate from Key Vault. But I did not find any option for adding keys to the ARM template as .pfx and .cer files. So I encoded the certificate contents and added them as a secret to an existing Key Vault. Now I am trying to pass the secrets using the ARM template. Validation passed, but an error occurred at the deployment stage. Attached are the template and parameters I am using.

Error when deploying the resource:

Deployment template validation failed: 'Template parameter JToken type is not valid. Expected 'String, Uri'. Actual 'Object'
  "additionalInfo": [
    {
      "type": "TemplateViolation",
      "info": {
        "lineNumber": 226,
        "linePosition": 33,
        "path": "properties.template.parameters.appgwfesslcertsecret"
      }
    }
  ]

Updated template:

{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
      "namingSettings": {
        "type": "object"
      },
      "taggingSettings": {
        "type": "object"
      },
      "applicationGatewaySettings": {
        "type": "object"
      },
      "appgwfesslcertsecret": {
        "type": "securestring"
      },
      "appgwbecertsecret": {
        "type": "securestring"
      }
    },
    "variables": {
      "namePrefix": "[concat(parameters('namingSettings').name.org,'-',parameters('namingSettings').name.cloud,'-',parameters('namingSettings').name.region,'-',parameters('namingSettings').name.businessUnit,'-',parameters('namingSettings').name.account,'-',parameters('namingSettings').name.app,'-',parameters('namingSettings').name.sdlc,'-')]"
    },
    "resources": [
      {
        "apiVersion": "2018-11-01",
        "name": "[concat(variables('namePrefix'),parameters('applicationGatewaySettings').settings[copyIndex('appgwCopy')].name)]",
        "type": "Microsoft.Network/applicationGateways",
        "location": "[resourceGroup().location]",
        "copy": {
          "name": "appgwCopy",
          "count": "[length(parameters('applicationGatewaySettings').settings)]"
        },
        "tags": "[parameters('taggingSettings').tags]",
        "properties": {
          "sku": {
            "name": "[parameters('applicationGatewaySettings').settings[copyIndex('appgwCopy')].applicationGatewaySku]",
            "tier": "[parameters('applicationGatewaySettings').settings[copyIndex('appgwCopy')].applicationGatewayTier]",
            "capacity": "[parameters('applicationGatewaySettings').settings[copyIndex('appgwCopy')].applicationGatewayInstanceCount]"
          },
          "sslPolicy": {
            "policyType": "[parameters('applicationGatewaySettings').settings[copyIndex('appgwCopy')].policyType]",
            "policyName": "[parameters('applicationGatewaySettings').settings[copyIndex('appgwCopy')].policy]"
          },
          "copy": [
            {
              "name": "frontendPorts",
              "count": "[length(parameters('applicationGatewaySettings').settings[copyIndex('appgwCopy')].frontendPorts)]",
              "input": {
                "name": "[concat(variables('namePrefix'),parameters('applicationGatewaySettings').settings[copyIndex('appgwCopy')].frontendPorts[copyIndex('frontendPorts')].name)]",
                "properties": {
                  "port": "[parameters('applicationGatewaySettings').settings[copyIndex('appgwCopy')].frontendPorts[copyIndex('frontendPorts')].properties.port]"
                }
              }
            },
            {
              "name": "gatewayIPConfigurations",
              "count": "[length(parameters('applicationGatewaySettings').settings[copyIndex('appgwCopy')].gatewayIPConfigurations)]",
              "input": {
                "name": "[concat(variables('namePrefix'),parameters('applicationGatewaySettings').settings[copyIndex('appgwCopy')].gatewayIPConfigurations[copyIndex('gatewayIPConfigurations')].name)]",
                "properties": {
                  "subnet": {
                    "id": "[resourceId(parameters('applicationGatewaySettings').settings[copyIndex('appgwCopy')].gatewayIPConfigurations[copyIndex('gatewayIPConfigurations')].properties.subnet.vnetRGName,'microsoft.network/virtualnetworks/subnets', parameters('applicationGatewaySettings').settings[copyIndex('appgwCopy')].gatewayIPConfigurations[copyIndex('gatewayIPConfigurations')].properties.subnet.vnetName, parameters('applicationGatewaySettings').settings[copyIndex('appgwCopy')].gatewayIPConfigurations[copyIndex('gatewayIPConfigurations')].properties.subnet.subnetName)]"
                  }
                }
              }
            },
            {
              "name": "frontendIPConfigurations",
              "count": "[length(parameters('applicationGatewaySettings').settings[copyIndex('appgwCopy')].frontendIPConfigurations)]",
              "input": {
                "name": "[concat(variables('namePrefix'),parameters('applicationGatewaySettings').settings[copyIndex('appgwCopy')].frontendIPConfigurations[copyIndex('frontendIPConfigurations')].name)]",
                "properties": {
                  "subnet": {
                    "id": "[resourceId(parameters('applicationGatewaySettings').settings[copyIndex('appgwCopy')].frontendIPConfigurations[copyIndex('frontendIPConfigurations')].properties.subnet.vnetRGName,'microsoft.network/virtualnetworks/subnets', parameters('applicationGatewaySettings').settings[copyIndex('appgwCopy')].frontendIPConfigurations[copyIndex('frontendIPConfigurations')].properties.subnet.vnetName, parameters('applicationGatewaySettings').settings[copyIndex('appgwCopy')].frontendIPConfigurations[copyIndex('frontendIPConfigurations')].properties.subnet.subnetName)]"
                  }
                }
              }
            },
            {
              "name": "backendHttpSettingsCollection",
              "count": "[length(parameters('applicationGatewaySettings').settings[copyIndex('appgwCopy')].backendHttpSettingsCollection)]",
              "input": {
                "name": "[concat(variables('namePrefix'),parameters('applicationGatewaySettings').settings[copyIndex('appgwCopy')].backendHttpSettingsCollection[copyIndex('backendHttpSettingsCollection')].name)]",
                "properties": {
                  "port": "[parameters('applicationGatewaySettings').settings[copyIndex('appgwCopy')].backendHttpSettingsCollection[copyIndex('backendHttpSettingsCollection')].properties.port]",
                  "protocol": "[parameters('applicationGatewaySettings').settings[copyIndex('appgwCopy')].backendHttpSettingsCollection[copyIndex('backendHttpSettingsCollection')].properties.protocol]",
                  "authenticationCertificates": "[parameters('applicationGatewaySettings').settings[copyIndex('appgwCopy')].backendHttpSettingsCollection[copyIndex('backendHttpSettingsCollection')].properties.authenticationCertificates]"
                }
              }
            },
            {
              "name": "backendAddressPools",
              "count": "[length(parameters('applicationGatewaySettings').settings[copyIndex('appgwCopy')].backendAddressPools)]",
              "input": {
                "name": "[concat(variables('namePrefix'),parameters('applicationGatewaySettings').settings[copyIndex('appgwCopy')].backendAddressPools[copyIndex('backendAddressPools')].name)]"
              }
            },
            {
              "name": "httpListeners",
              "count": "[length(parameters('applicationGatewaySettings').settings[copyIndex('appgwCopy')].httpListeners)]",
              "input": {
                "name": "[concat(variables('namePrefix'),parameters('applicationGatewaySettings').settings[copyIndex('appgwCopy')].httpListeners[copyIndex('httpListeners')].name)]",
                "properties": {
                  "frontendIPConfiguration": {
                    "id": "[resourceId(resourceGroup().name, 'microsoft.network/applicationGateways/frontendIPConfigurations', concat(variables('namePrefix'),parameters('applicationGatewaySettings').settings[copyIndex('appgwCopy')].name),concat(variables('namePrefix'), parameters('applicationGatewaySettings').settings[copyIndex('appgwCopy')].httpListeners[copyIndex('httpListeners')].properties.frontendIPConfiguration))]"
                  },
                  "frontendPort": {
                    "id": "[resourceId(resourceGroup().name, 'microsoft.network/applicationGateways/frontendPorts', concat(variables('namePrefix'),parameters('applicationGatewaySettings').settings[copyIndex('appgwCopy')].name),concat(variables('namePrefix'), parameters('applicationGatewaySettings').settings[copyIndex('appgwCopy')].httpListeners[copyIndex('httpListeners')].properties.frontendPort))]"
                  },
                  "protocol": "[parameters('applicationGatewaySettings').settings[copyIndex('appgwCopy')].httpListeners[copyIndex('httpListeners')].properties.protocol]",
                  "sslCertificate": "[parameters('applicationGatewaySettings').settings[copyIndex('appgwCopy')].httpListeners[copyIndex('httpListeners')].properties.sslCertificate]"
                }
              }
            },
            {
              "name": "requestRoutingRules",
              "count": "[length(parameters('applicationGatewaySettings').settings[copyIndex('appgwCopy')].requestRoutingRules)]",
              "input": {
                "name": "[concat(variables('namePrefix'),parameters('applicationGatewaySettings').settings[copyIndex('appgwCopy')].requestRoutingRules[copyIndex('requestRoutingRules')].name)]",
                "properties": {
                  "httpListener": {
                    "id": "[resourceId(resourceGroup().name, 'microsoft.network/applicationGateways/httpListeners', concat(variables('namePrefix'),parameters('applicationGatewaySettings').settings[copyIndex('appgwCopy')].name),concat(variables('namePrefix'), parameters('applicationGatewaySettings').settings[copyIndex('appgwCopy')].requestRoutingRules[copyIndex('requestRoutingRules')].properties.httpListener))]"
                  },
                  "backendAddressPool": {
                    "id": "[resourceId(resourceGroup().name, 'microsoft.network/applicationGateways/backendAddressPools', concat(variables('namePrefix'),parameters('applicationGatewaySettings').settings[copyIndex('appgwCopy')].name),concat(variables('namePrefix'), parameters('applicationGatewaySettings').settings[copyIndex('appgwCopy')].requestRoutingRules[copyIndex('requestRoutingRules')].properties.backendAddressPool))]"
                  },
                  "backendHttpSettings": {
                    "id": "[resourceId(resourceGroup().name, 'microsoft.network/applicationGateways/backendHttpSettingsCollection', concat(variables('namePrefix'),parameters('applicationGatewaySettings').settings[copyIndex('appgwCopy')].name),concat(variables('namePrefix'), parameters('applicationGatewaySettings').settings[copyIndex('appgwCopy')].requestRoutingRules[copyIndex('requestRoutingRules')].properties.backendHttpSettings))]"
                  }
                }
              }
            },
            {
                "name": "sslCertificates",
                "count": "[length(parameters('applicationGatewaySettings').settings[copyIndex('appgwCopy')].sslCertificates)]",
                "input": {
                  "name": "[parameters('applicationGatewaySettings').settings[copyIndex('appgwCopy')].sslCertificates[copyIndex('sslCertificates')].name]",
                  "properties": {
                    "data": "[parameters('appgwfesslcertsecret')]",
                    "password": "[parameters('applicationGatewaySettings').settings[copyIndex('appgwCopy')].sslCertificates[copyIndex('sslCertificates')].properties.password]"
                  }
                }
            },
            {
                "name": "authenticationCertificates",
                "count": "[length(parameters('applicationGatewaySettings').settings[copyIndex('appgwCopy')].authenticationCertificates)]",
                "input": {
                  "name": "[parameters('applicationGatewaySettings').settings[copyIndex('appgwCopy')].authenticationCertificates[copyIndex('authenticationCertificates')].name]",
                  "properties": {
                    "data": "[parameters('appgwbecertsecret')]"
                  }
                }
            }
          ],
          "probes": [],
          "webApplicationFirewallConfiguration": {
            "enabled": true,
            "firewallMode": "[parameters('applicationGatewaySettings').settings[copyIndex('appgwCopy')].firewallMode]",
            "ruleSetType": "[parameters('applicationGatewaySettings').settings[copyIndex('appgwCopy')].ruleSetType]",
            "ruleSetVersion": "[parameters('applicationGatewaySettings').settings[copyIndex('appgwCopy')].ruleSetVersion]",
            "requestBodyCheck": "[parameters('applicationGatewaySettings').settings[copyIndex('appgwCopy')].requestBodyCheck]",
            "maxRequestBodySizeInKb": "[if(parameters('applicationGatewaySettings').settings[copyIndex('appgwCopy')].requestBodyCheck, parameters('applicationGatewaySettings').settings[copyIndex('appgwCopy')].maxReqBodySize, json('null'))]",
            "fileUploadLimitInMb": "[int(100)]"
          },
          "enableHttp2": "[parameters('applicationGatewaySettings').settings[copyIndex('appgwCopy')].enableHTTP2]"
        },
        "resources": [
          {
            "type": "providers/diagnosticSettings",
            "name": "[concat('Microsoft.Insights/', parameters('applicationGatewaySettings').settings[copyIndex('appgwCopy')].diagname)]",
            "dependsOn": [
              "[concat(variables('namePrefix'),parameters('applicationGatewaySettings').settings[copyIndex('appgwCopy')].name)]"
            ],
            "apiVersion": "2017-05-01-preview",
            "properties": {
              "name": "[parameters('applicationGatewaySettings').settings[copyIndex('appgwCopy')].diagname]",
              "logs": [
                {
                  "category": "ApplicationGatewayAccessLog",
                  "enabled": "[parameters('applicationGatewaySettings').settings[copyIndex('appgwCopy')].enableApplicationGatewayAccessLog]",
                  "retentionPolicy": {
                    "days": "[parameters('applicationGatewaySettings').settings[copyIndex('appgwCopy')].applicationGatewayAccessLogRetentionDays]",
                    "enabled": "[parameters('applicationGatewaySettings').settings[copyIndex('appgwCopy')].enableApplicationGatewayAccessLogRetention]"
                  }
                },
                {
                  "category": "ApplicationGatewayPerformanceLog",
                  "enabled": "[parameters('applicationGatewaySettings').settings[copyIndex('appgwCopy')].enableApplicationGatewayPerformanceLog]",
                  "retentionPolicy": {
                    "days": "[parameters('applicationGatewaySettings').settings[copyIndex('appgwCopy')].applicationGatewayPerformanceLogRetentionDays]",
                    "enabled": "[parameters('applicationGatewaySettings').settings[copyIndex('appgwCopy')].enableApplicationGatewayPerformanceLogRetention]"
                  }
                },
                {
                  "category": "ApplicationGatewayFirewallLog",
                  "enabled": "[parameters('applicationGatewaySettings').settings[copyIndex('appgwCopy')].enableApplicationGatewayFirewallLog]",
                  "retentionPolicy": {
                    "days": "[parameters('applicationGatewaySettings').settings[copyIndex('appgwCopy')].applicationGatewayFirewallLogRetentionDays]",
                    "enabled": "[parameters('applicationGatewaySettings').settings[copyIndex('appgwCopy')].enableApplicationGatewayFirewallLogRetention]"
                  }
                }
              ],
              "metrics": [
                {
                  "category": "AllMetrics",
                  "enabled": "[parameters('applicationGatewaySettings').settings[copyIndex('appgwCopy')].enableAllMetrics]",
                  "retentionPolicy": {
                    "enabled": "[parameters('applicationGatewaySettings').settings[copyIndex('appgwCopy')].enableAllMetricsRetentionPolicy]",
                    "days": "[parameters('applicationGatewaySettings').settings[copyIndex('appgwCopy')].allMetricsRetentionDays]"
                  }
                }
              ]
            }
          }
        ]
      }
    ],
    "outputs": {}
  }

Updated parameters file:

{
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "namingSettings": {
            "value": {
                "name": {
                    "app": "demo",
                    "cloud": "azu",
                    "region": "eus2",

                }
            }
        },
        "taggingSettings": {
            "value": {
                "tags": {
                    "AppID": "demo",
                    "Environment": "nonprod",

                }
            }
        },
        "applicationGatewaySettings": {
            "value": {
                "settings": [
                    {
                        "name": "appgw-pcs01",
                        "applicationGatewaySku": "WAF_Medium",
                        "applicationGatewayTier": "WAF",
                        "applicationGatewayInstanceCount": 2,
                        "policyType": "Predefined",
                        "policy": "AppGwSslPolicy20170401S",
                        "publicIP": null,
                        "firewallMode": "Prevention",
                        "diagname": "Demo-Appgw",
                        "ruleSetType": "OWASP",
                        "ruleSetVersion": "3.0",
                        "requestBodyCheck": true,
                        "maxReqBodySize": 10,
                        "enableHTTP2": false,
                        "enableApplicationGatewayAccessLog": true,
                        "applicationGatewayAccessLogRetentionDays": 30,
                        "enableApplicationGatewayAccessLogRetention": true,
                        "enableApplicationGatewayPerformanceLog": true,
                        "applicationGatewayPerformanceLogRetentionDays": 30,
                        "enableApplicationGatewayPerformanceLogRetention": true,
                        "enableApplicationGatewayFirewallLog": true,
                        "applicationGatewayFirewallLogRetentionDays": 30,
                        "enableApplicationGatewayFirewallLogRetention": true,
                        "enableAllMetrics": true,
                        "enableAllMetricsRetentionPolicy": true,
                        "allMetricsRetentionDays": 30,
                        "frontendPorts": [
                            {
                                "name": "feport-80",
                                "properties": {
                                    "port": 80
                                }
                            },
                            {
                                "name": "feport-443",
                                "properties": {
                                    "port": 443
                                }
                            }
                        ],
                        "gatewayIPConfigurations": [
                            {
                                "name": "gwipconfig-pcs01",
                                "properties": {
                                    "subnet": {
                                        "vnetName": "demo-vnet",
                                        "vnetRGName": "demo",
                                        "subnetName": "demo-subgw"
                                    }
                                }
                            }
                        ],
                        "sslCertificates": [
                            {
                                "name": "appgwfesslcert",
                                "properties": {
                                  "data": null,
                                  "password": "password"
                                }
                            }
                        ],
                        "authenticationCertificates": [
                            {
                                "name": "appgwbecert",
                                "properties": {
                                   "data": null
                                }
                            }
                        ],
                        "frontEndIPConfigurations": [
                            {
                                "name": "feipcfg-pcs01",
                                "properties": {
                                    "subnet": {
                                        "vnetName": "demo-vnet",
                                        "vnetRGName": "demo",
                                        "subnetName": "demo-subgw"
                                    }
                                }
                            }
                        ],
                        "httpListeners": [
                            {
                                "name": "httplistener-pcs01",
                                "properties": {
                                    "frontendIPConfiguration": "feipcfg-pcs01",
                                    "frontendPort": "feport-80",
                                    "protocol": "Http",
                                    "sslCertificate": {}
                                }
                            },
                            {
                              "name": "httpslistener-pcs01",
                              "properties": {
                                  "frontendIPConfiguration": "feipcfg-pcs01",
                                  "frontendPort": "feport-443",
                                  "protocol": "Https",
                                  "sslCertificate": {
                                    "id": "/subscriptions/105dcee5-gy46-48e3-9046-265c7379e647/resourceGroups/demo/providers/Microsoft.Network/applicationGateways/azu-eus2-nonprod-appgw-pcs01/sslCertificates/appgwfesslcert"
                                }
                            }
                          }
                        ],
                        "backendHttpSettingsCollection": [
                            {
                                "name": "httpsetcol-default",
                                "properties": {
                                    "protocol": "Http",
                                    "port": 80,
                                    "authenticationCertificates": []
                                }
                            },
                            {
                              "name": "httpssetcol-default",
                              "properties": {
                                  "protocol": "Https",
                                  "port": 443,
                                  "authenticationCertificates": [
                                      {
                                        "id": "/subscriptions/105dcee5-gy46-48e3-9046-265c7379e647/resourceGroups/demo/providers/Microsoft.Network/applicationGateways/azu-eus2-nonprod-appgw-pcs01/authenticationCertificates/appgwbecert"
                                      }
                                  ]
                              }
                          }
                        ],
                        "backendAddressPools": [
                            {
                                "name": "beap-pcs01"
                            }
                        ],
                        "requestRoutingRules": [
                            {
                                "name": "httpreqrtrule-pcs01",
                                "properties": {
                                    "httpListener": "httplistener-pcs01",
                                    "backendAddressPool": "beap-pcs01",
                                    "backendHttpSettings": "httpsetcol-default"
                                }
                            },
                            {
                              "name": "httpsreqrtrule-pcs01",
                              "properties": {
                                  "httpListener": "httpslistener-pcs01",
                                  "backendAddressPool": "beap-pcs01",
                                  "backendHttpSettings": "httpssetcol-default"
                              }
                          }
                        ]
                    }
                ]
            }
        },
        "appgwfesslcertsecret": {
            "value": {
                "reference": {
                  "keyVault": {
                    "id": "/subscriptions/105dcee5-gy46-48e3-9046-265c7379e647/resourceGroups/demo/providers/Microsoft.KeyVault/vaults/demo-kv-new"
                  },
                  "secretName": "appgwfesslcert"
                }
            }
        },
        "appgwbecertsecret": {
            "value": {
                "reference": {
                  "keyVault": {
                    "id": "/subscriptions/105dcee5-gy46-48e3-9046-265c7379e647/resourceGroups/demo/providers/Microsoft.KeyVault/vaults/demo-kv-new"
                  },
                  "secretName": "appgwbecert"
                }
            }
        }
    }
}

1 Answer

0 votes
/ 05 February 2020

You can only reference KV secrets in the parameters section of the template (or the parameters file). You cannot use them in an arbitrary place in the template.

https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/template-tutorial-use-key-vault

...
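As an added example, not taken from the question or the answer above: a small Python pre-deployment check for an ARM parameters file. The documented shape of a Key Vault reference puts "reference" at the top level of the parameter entry, in place of "value"; wrapping it inside "value", as the question's parameters file does, hands ARM an object where it expects a string, which is exactly the "Expected 'String, Uri'. Actual 'Object'" validation error quoted above. The script flags that mistake, flags securestring parameters that are supplied inline (a secret that then lives in the parameters file under source control), and rewrites a misplaced reference into the documented form. The subscription id, vault name and parameter names are constructed for the example and are not real resources.

```python
import json
import re

# Constructed sample data (not from any real subscription). The template's
# parameter declarations, and a parameters file that repeats the mistake from
# the question for one secret, references Key Vault correctly for another,
# and supplies a third secret as plaintext.
TEMPLATE_PARAMS = {
    "applicationGatewaySettings": {"type": "object"},
    "appgwfesslcertsecret": {"type": "securestring"},
    "appgwbecertsecret": {"type": "securestring"},
    "appgwfesslcertpassword": {"type": "securestring"},
}

KV_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000"
         "/resourceGroups/demo/providers/Microsoft.KeyVault/vaults/demo-kv-new")

PARAMS_FILE = {
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "applicationGatewaySettings": {"value": {"settings": []}},
        # Key Vault reference wrapped inside "value": ARM then sees an object
        # where it expects a string, which is the error in the question.
        "appgwfesslcertsecret": {
            "value": {"reference": {"keyVault": {"id": KV_ID}, "secretName": "appgwfesslcert"}}
        },
        # Documented shape: "reference" sits where "value" would, not inside it.
        "appgwbecertsecret": {
            "reference": {"keyVault": {"id": KV_ID}, "secretName": "appgwbecert"}
        },
        # A securestring supplied inline: the secret lives in the parameters file.
        "appgwfesslcertpassword": {"value": "constructed-example-password"},
    },
}

# Resource id shape of a Key Vault vault (case-insensitive, as ARM treats ids).
VAULT_ID_RE = re.compile(
    r"^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/Microsoft\.KeyVault/vaults/[^/]+$",
    re.IGNORECASE,
)


def check_parameters(template_params, params_file):
    """Return (parameter, code, message) findings for a parameters file."""
    findings = []
    for name, entry in params_file["parameters"].items():
        decl = template_params.get(name)
        if decl is None:
            findings.append((name, "undeclared", "not declared in the template"))
            continue
        secure = decl["type"].lower() in ("securestring", "secureobject")
        if "value" in entry:
            value = entry["value"]
            if isinstance(value, dict) and "reference" in value:
                findings.append((name, "misplaced-reference",
                                 "Key Vault reference is wrapped in 'value'; move 'reference' up one level"))
            elif secure:
                findings.append((name, "plaintext-secret",
                                 "secure parameter supplied inline instead of via a Key Vault reference"))
        elif "reference" in entry:
            ref = entry["reference"]
            vault_id = ref.get("keyVault", {}).get("id", "")
            if not VAULT_ID_RE.match(vault_id):
                findings.append((name, "bad-vault-id", "keyVault.id is not a vault resource id"))
            if not ref.get("secretName"):
                findings.append((name, "missing-secret-name", "reference has no secretName"))
        else:
            findings.append((name, "no-value", "entry has neither 'value' nor 'reference'"))
    return findings


def fix_misplaced_references(params_file):
    """Return a copy with {"value": {"reference": ...}} rewritten to {"reference": ...}."""
    fixed = json.loads(json.dumps(params_file))  # deep copy; the input is left untouched
    for entry in fixed["parameters"].values():
        value = entry.get("value")
        if isinstance(value, dict) and set(value) == {"reference"}:
            entry["reference"] = value["reference"]
            del entry["value"]
    return fixed


if __name__ == "__main__":
    for finding in check_parameters(TEMPLATE_PARAMS, PARAMS_FILE):
        print("%s: %s (%s)" % finding)
    corrected = fix_misplaced_references(PARAMS_FILE)
    print(json.dumps(corrected["parameters"]["appgwfesslcertsecret"], indent=2))
```

Run against the constructed file, the check reports the misplaced reference for appgwfesslcertsecret and the inline password, and nothing for appgwbecertsecret; after the rewrite only the inline password remains, which is the one you would move into the vault before committing the file.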