练习 - 对模板规格进行更新和版本管理
Azure Cosmos DB 模板规格现已在整个组织中用于预配大量新的 Azure Cosmos DB 帐户。 因此,所有这些配置都配置为使用连续备份。
安全团队最近查看了 Azure Cosmos DB 安全功能。 它决定新帐户应使用 Microsoft Entra 身份验证和 Azure Cosmos DB 基于角色的访问控制。
在本练习中,你将使用包含更新身份验证配置的新版本来更新模板规范。
在此过程中,你将:
- 更新模板以重新配置备份策略。
- 发布模板规格的新版本。
- 验证模板规格是否已更新。
- 通过部署另一个 Azure Cosmos DB 帐户来测试模板规格的新版本。
更新模板
在 Visual Studio Code 中,打开 azuredeploy.json 文件。
更新 azuredeploy.json 文件以包括以下更改:
{ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "parameters": { "___location": { "type": "string", "defaultValue": "[resourceGroup().___location]", "metadata": { "description": "The Azure region into which the Cosmos DB resources should be deployed." } }, "cosmosDBAccountName": { "type": "string", "defaultValue": "[concat('toy-', uniqueString(resourceGroup().id))]", "maxLength": 44, "minLength": 3, "metadata": { "description": "The name of the Cosmos DB account. This name must be globally unique, and it must only include lowercase letters, numbers, and hyphens." } }, "roleDefinitionFriendlyName": { "type": "string", "defaultValue": "Read and Write", "metadata": { "description": "A descriptive name for the role definition." } }, "roleDefinitionDataActions": { "type": "array", "defaultValue": [ "Microsoft.DocumentDB/databaseAccounts/readMetadata", "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/*" ], "metadata": { "description": "The list of actions that the role definition permits." } }, "roleAssignmentPrincipalId": { "type": "string", "metadata": { "description": "The object ID of the Azure AD principal that should be granted access using the role definition." } } }, "variables": { "roleDefinitionName": "[guid('sql-role-definition', resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('cosmosDBAccountName')))]", "roleAssignmentName": "[guid('sql-role-assignment', resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('cosmosDBAccountName')))]" }, "resources": [ { "type": "Microsoft.DocumentDB/databaseAccounts", "apiVersion": "2021-04-15", "name": "[parameters('cosmosDBAccountName')]", "kind": "GlobalDocumentDB", "___location": "[parameters('___location')]", "properties": { "consistencyPolicy": { "defaultConsistencyLevel": "Session" }, "locations": [ { "locationName": "[parameters('___location')]", "failoverPriority": 0, "isZoneRedundant": false } ], "databaseAccountOfferType": "Standard", "enableAutomaticFailover": false, "enableMultipleWriteLocations": false, "backupPolicy": { "type": "Continuous" } } }, { "type": "Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions", "apiVersion": "2021-04-15", "name": "[format('{0}/{1}', parameters('cosmosDBAccountName'), variables('roleDefinitionName'))]", "properties": { "roleName": "[parameters('roleDefinitionFriendlyName')]", "type": "CustomRole", "assignableScopes": [ "[resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('cosmosDBAccountName'))]" ], "permissions": [ { "dataActions": "[parameters('roleDefinitionDataActions')]" } ] }, "dependsOn": [ "[resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('cosmosDBAccountName'))]" ] }, { "type": "Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments", "apiVersion": "2021-04-15", "name": "[format('{0}/{1}', parameters('cosmosDBAccountName'), variables('roleAssignmentName'))]", "properties": { "roleDefinitionId": "[resourceId('Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions', parameters('cosmosDBAccountName'), variables('roleDefinitionName'))]", "principalId": "[parameters('roleAssignmentPrincipalId')]", "scope": "[resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('cosmosDBAccountName'))]" }, "dependsOn": [ "[resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('cosmosDBAccountName'))]", "[resourceId('Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions', parameters('cosmosDBAccountName'), variables('roleDefinitionName'))]" ] } ] }保存文件。
在 Visual Studio Code 中,打开 main.bicep 文件。
更新 main.bicep 文件以包括以下更改:
@description('The Azure region into which the Cosmos DB resources should be deployed.') param ___location string = resourceGroup().___location @description('The name of the Cosmos DB account. This name must be globally unique, and it must only include lowercase letters, numbers, and hyphens.') @minLength(3) @maxLength(44) param cosmosDBAccountName string = 'toy-${uniqueString(resourceGroup().id)}' @description('A descriptive name for the role definition.') param roleDefinitionFriendlyName string = 'Read and Write' @description('The list of actions that the role definition permits.') param roleDefinitionDataActions array = [ 'Microsoft.DocumentDB/databaseAccounts/readMetadata' 'Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/*' ] @description('The object ID of the Azure AD principal that should be granted access using the role definition.') param roleAssignmentPrincipalId string var roleDefinitionName = guid('sql-role-definition', cosmosDBAccount.id) var roleAssignmentName = guid('sql-role-assignment', cosmosDBAccount.id) resource cosmosDBAccount 'Microsoft.DocumentDB/databaseAccounts@2021-04-15' = { name: cosmosDBAccountName kind: 'GlobalDocumentDB' ___location: ___location properties: { consistencyPolicy: { defaultConsistencyLevel: 'Session' } locations: [ { locationName: ___location failoverPriority: 0 isZoneRedundant: false } ] databaseAccountOfferType: 'Standard' enableAutomaticFailover: false enableMultipleWriteLocations: false } } resource roleDefinition 'Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions@2021-04-15' = { parent: cosmosDBAccount name: roleDefinitionName properties: { roleName: roleDefinitionFriendlyName type: 'CustomRole' assignableScopes: [ cosmosDBAccount.id ] permissions: [ { dataActions: roleDefinitionDataActions } ] } } resource roleAssignment 'Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments@2021-04-15' = { parent: cosmosDBAccount name: roleAssignmentName properties: { roleDefinitionId: roleDefinition.id principalId: roleAssignmentPrincipalId scope: cosmosDBAccount.id } }保存文件。
发布新版本的模板规格
在 Visual Studio Code 终端中使用此 Azure PowerShell cmdlet 发布模板规格:
New-AzTemplateSpec `
-ResourceGroupName <rgn>[sandbox resource group name]</rgn> `
-Name ToyCosmosDBAccount `
-Version '2.0' `
-VersionDescription 'Adds Cosmos DB role-based access control.' `
-TemplateFile main.bicep
New-AzTemplateSpec `
-ResourceGroupName <rgn>[sandbox resource group name]</rgn> `
-Name ToyCosmosDBAccount `
-Version '2.0' `
-VersionDescription 'Adds Cosmos DB role-based access control.' `
-TemplateFile azuredeploy.json
在 Visual Studio Code 终端中使用此 Azure CLI 命令发布模板规格:
az ts create \
--name ToyCosmosDBAccount \
--version 2.0 \
--version-description "Adds Cosmos DB role-based access control." \
--template-file main.bicep
az ts create \
--name ToyCosmosDBAccount \
--version 2.0 \
--version-description "Adds Cosmos DB role-based access control." \
--template-file azuredeploy.json
验证模板规格
在浏览器中返回到 Azure 门户。 转到你的资源组。
选择模板规格。请注意,最新版本现已列为 2.0。
选择 “版本 ”菜单项。 请注意,现在列出了这两个版本。
如果需要,模板规格版本使你能够返回到模板规格的早期版本。
部署新的模板规格版本
通过运行以下 Azure PowerShell 命令获取新的模板规格版本资源 ID:
$templateSpecVersionResourceId = ( ` Get-AzTemplateSpec ` -ResourceGroupName <rgn>[sandbox resource group name]</rgn> ` -Name ToyCosmosDBAccount ` -Version 2.0 ` ).Versions[0].Id请注意,您可以使用
Versions属性来获取模板规格版本的资源 ID。新模板规格版本具有一个代表用户主体 ID 的参数。 使用以下命令获取自己的用户帐户主体标识符:
$token = (Get-AzAccessToken -ResourceUrl "https://graph.windows.net/").Token $userObjectId = (Invoke-RestMethod -Uri 'https://graph.windows.net/me?api-version=1.6' -Headers @{ 'Authorization' = "Bearer $token"}).objectID这些命令使用 Microsoft Graph API 查询您自己的用户档案。
在 Visual Studio Code 终端中使用此 Azure PowerShell 命令部署模板规格:
New-AzResourceGroupDeployment ` -TemplateSpecId $templateSpecVersionResourceId ` -roleAssignmentPrincipalId $userObjectId
通过运行以下 Azure CLI 命令获取模板规格版本的资源 ID:
id=$(az ts show \ --name ToyCosmosDBAccount \ --resource-group "<rgn>[sandbox resource group name]</rgn>" \ --version "2.0" \ --query "id")在 Visual Studio Code 终端中使用此 Azure CLI 命令部署模板规格:
az deployment group create \ --template-spec $id \ --parameters roleAssignmentPrincipalId="d68d19b3-d7ef-4ae9-9ee4-90695a4e417d"
该部署过程可能需要一两分钟才能完成。
验证部署
在浏览器中返回到 Azure 门户。 转到你的资源组。
在 “部署”旁边,选择 “2 成功”。
选择最新的部署。
选择“部署详细信息”将其展开。 确认部署了 Azure Cosmos DB 基于角色的访问控制的资源。
