Azure: how to automatically approve the private endpoint request from Front Door?

xpcnnkqh posted on 2023-10-22 in Other
Follow (0) | Answers (1) | Views (119)

I am using infrastructure as code to create an App Service together with a Front Door endpoint that uses a private endpoint. I am doing this with Bicep templates.
Once created, I have to approve the private endpoint link in the UI.
How can I automatically approve this private endpoint request? Is there a way to do it with the Bicep deployment?
I use Bicep to create the origin and the endpoint.

resource appService 'Microsoft.Web/sites@2022-09-01' existing = {
  name: applicationName
  scope: resourceGroup(resourceGroup)
}

resource fdOrigin 'Microsoft.Cdn/profiles/originGroups/origins@2021-06-01' = {
  name: 'fd-origin'
  parent: fdOriginGroup
  properties: {
    hostName: '${applicationName}.azurewebsites.net'
    httpPort: 80
    httpsPort: 443
    originHostHeader: '${applicationName}.azurewebsites.net'
    priority: 1
    weight: 1000
    sharedPrivateLinkResource: {
      groupId: 'sites'
      privateLinkLocation: 'EastUS2'
      requestMessage: 'Created by Deployment Pipeline'
      status: 'Approved'
      privateLink: {
        id: appService.id
      }
    }
  }
}

I tried setting the status to Approved in the sharedPrivateLinkResource section, but it does not approve. It does not throw an error, but the link stays in the Pending state.
I can approve it with the Bicep below, but I have to hard-code the private link name. I cannot find a way to get the private link name from the Bicep above.

resource privateEndpointConnection 'Microsoft.Web/sites/privateEndpointConnections@2022-09-01' = {
  name: 'MyAppService/ecc50509-75b1-xxxx-92c9-62bebcececf3-13f6a331-6472-4497-bf94-67adda467e22'
  properties: {
      privateLinkServiceConnectionState: {
          status: 'Approved' 
          description: 'Approved by pipeline'
      }
  }
}

ttygqcqt 1#

Once the Front Door deployment completes, the private endpoint connection information is available on the web app properties themselves. You can verify this by running:

az rest --method get --uri <webapp-resource-id>?api-version=2022-09-01

You will see this section:

"privateEndpointConnections": [
  {
    "id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx/resourceGroups/front-door-test/providers/Microsoft.Web/sites/myapp-bckwiz6zgci7k/privateEndpointConnections/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    ...
  }
]

You can create a module to fetch the endpoint name:

// fetch-private-endpoint.bicep
param appName string
resource app 'Microsoft.Web/sites@2020-06-01' existing = {
  name: appName
}
output name string = last(split(first(app.properties.privateEndpointConnections).id,'/'))

Then have a second module to approve the connection:

// approve-private-endpoint.bicep
param appName string
param endPointName string

resource app 'Microsoft.Web/sites@2022-09-01' existing = {
  name: appName
}

resource privateEndpointConnection 'Microsoft.Web/sites/privateEndpointConnections@2022-09-01' = {
  parent: app
  name: endPointName
  properties: {
    privateLinkServiceConnectionState: {
      status: 'Approved'
      description: 'Approved by pipeline'
    }
  }
}

Then in your main template you can add:

// Need to wait for front door deployment to be completed
module fetchPrivateEndpointName 'modules/fetch-private-endpoint.bicep' = {
  name: 'fetch-private-endpoint'
  dependsOn: [
    fdOrigin
  ]
  params: {
    appName: appName
  }
}

module approvePrivateEndpoint 'modules/approve-private-endpoint.bicep' = {
  name: 'approve-private-endpoint'
  params: {
    appName: appName
    endPointName: fetchPrivateEndpointName.outputs.name
  }
}
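As an added example (not the answer's or the asker's code), here is the check a pipeline should make before approving: it generalises the answer's `first(...)` to any number of connections and only selects those that are Pending and whose description matches the requestMessage set on the Front Door origin, so an unrelated pending request is never auto-approved. The JSON shape and the PUT body are assumed from the answer's `az rest` output and Bicep resource; the sample data is constructed.

```python
import json
import shlex

# Constructed sample of the "privateEndpointConnections" section that
# `az rest --method get` returns for a web app. Ids are placeholders.
def _conn(name, status, description):
    return {
        "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
              "front-door-test/providers/Microsoft.Web/sites/myapp/"
              "privateEndpointConnections/" + name,
        "properties": {"privateLinkServiceConnectionState": {
            "status": status, "description": description}},
    }

SAMPLE_WEBAPP_PROPERTIES = {"privateEndpointConnections": [
    _conn("conn-from-frontdoor", "Pending", "Created by Deployment Pipeline"),
    _conn("conn-unknown-requester", "Pending", "Please approve"),
    _conn("conn-already-approved", "Approved", "Approved by pipeline"),
]}

def pending_connections_to_approve(properties, expected_message):
    """Return the names of connections that are Pending AND carry the request
    message our own deployment set on the Front Door origin. Anything else
    (already approved, or requested by something we did not deploy) is skipped."""
    names = []
    for conn in properties.get("privateEndpointConnections", []):
        state = conn.get("properties", {}).get("privateLinkServiceConnectionState", {})
        if state.get("status") != "Pending":
            continue
        if state.get("description") != expected_message:
            continue
        # The connection name is the last segment of the resource id,
        # exactly what the answer's last(split(id, '/')) extracts.
        names.append(conn["id"].rsplit("/", 1)[-1])
    return names

def approve_command(webapp_id, connection_name):
    """Build the `az rest` PUT that approves one connection, using the same
    body as the answer's Bicep resource (assumed REST shape)."""
    body = {"properties": {"privateLinkServiceConnectionState": {
        "status": "Approved", "description": "Approved by pipeline"}}}
    uri = f"{webapp_id}/privateEndpointConnections/{connection_name}?api-version=2022-09-01"
    return ("az rest --method put --uri " + shlex.quote(uri)
            + " --body " + shlex.quote(json.dumps(body)))

if __name__ == "__main__":
    webapp = "/subscriptions/<sub>/resourceGroups/front-door-test/providers/Microsoft.Web/sites/myapp"
    for name in pending_connections_to_approve(SAMPLE_WEBAPP_PROPERTIES, "Created by Deployment Pipeline"):
        print(approve_command(webapp, name))
```

Run against the real `az rest --method get` output, only `conn-from-frontdoor` is selected here; the pending request with a different message is left for a human to review.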
