Tutorial: Secure artifacts in Azure Resource Manager template deployments

Learn how to secure the artifacts used in your Azure Resource Manager templates by using an Azure Storage account with shared access signatures (SAS). Deployment artifacts are any files, in addition to the main template file, that are needed to complete a deployment. For example, in Tutorial: Import SQL BACPAC files with Azure Resource Manager templates, the main template creates an Azure SQL Database; it also calls a BACPAC file to create tables and insert data. The BACPAC file is an artifact. In that tutorial, the artifact is stored in an Azure storage account with public access. In this tutorial, you use SAS to grant limited access to the BACPAC file in your own Azure Storage account. For more information about SAS, see Using shared access signatures (SAS).

To learn how to secure linked templates, see Tutorial: Create linked Azure Resource Manager templates.

This tutorial covers the following tasks:

  • Prepare a BACPAC file
  • Open an existing template
  • Edit the template
  • Deploy the template
  • Verify the deployment

If you don't have an Azure subscription, create a trial account before you begin.

Prerequisites

To complete this article, you need:

Prepare a BACPAC file

In this section, you prepare the BACPAC file so that it can be accessed securely when you deploy the Resource Manager template. There are five procedures in this section:

  • Download the BACPAC file.
  • Create an Azure Storage account.
  • Create a Storage account Blob container.
  • Upload the BACPAC file to the container.
  • Retrieve the SAS token of the BACPAC file.

To automate these steps with a PowerShell script, see the script in Upload the linked template.

Download the BACPAC file

Download the BACPAC file and save it to your local computer with the same name, SQLDatabaseExtension.bacpac.

Create a storage account

  1. Select the following image to open a Resource Manager template in the Azure portal.

    Deploy to Azure

  2. Select Edit template.

  3. Enter the following properties:

    • Deploy Solution Template panel:

      | Name | Value |
      | Subscription | Select your Azure subscription. |
      | Resource Group | Select Create new and give it a name. A resource group is a container for Azure resources for management purposes. In this tutorial, you can use the same resource group for the storage account and the Azure SQL Database. Make a note of this resource group name; you need it when you create the Azure SQL Database later in the tutorial. |
      | Resource Group Location | Select a region. For example, China North. |

    • Select Edit parameters to show the Parameters panel:

      | Name | Value |
      | Storage Account Type | Use the default value, which is Standard_LRS. |
      | Location | Use the default value, which is [resourceGroup().location]. That means the storage account uses the resource group location. |

    • Select OK.

  4. Select Review legal terms and Create.

  5. Select Create.

  6. Select the notification icon (the bell icon) in the upper right corner of the portal to see the deployment status.

    Resource Manager tutorial portal notification pane

  7. After the storage account is deployed successfully, select Go to resource group from the notification pane to open the resource group.

Create a Blob container

A Blob container is needed before you can upload any files.

  1. Select the storage account to open it. You should see only one storage account listed in the resource group. Your storage account name is different from the one shown in the following screenshot.

    Resource Manager tutorial storage account

  2. Select the Blobs tile.

    Resource Manager tutorial Blobs

  3. Select + Container at the top to create a new container.

  4. Enter the following values:

    • Name: enter sqlbacpac.
    • Public access level: use the default value, Private (no anonymous access).
  5. Select OK.

  6. Select sqlbacpac to open the newly created container.

Upload the BACPAC file to the container

  1. Select Upload.

  2. Enter the following values:

    • Files: follow the instructions to select the BACPAC file you downloaded earlier. The default name is SQLDatabaseExtension.bacpac.
    • Authentication type: select SAS. SAS is the default value.
  3. Select Upload. Once the file is uploaded successfully, its file name is listed in the container.

Generate a SAS token

  1. Right-click SQLDatabaseExtension.bacpac in the container, and then select Generate SAS.

  2. Enter the following values:

    • Permission: use the default, Read.
    • Start and expiry date/time: the default value gives you eight hours to use the SAS token. If you need more time to complete this tutorial, update Expiry.
    • Allowed IP addresses: leave this field blank.
    • Allowed protocols: use the default value, HTTPS.
    • Signing key: use the default value, Key 1.
  3. Select Generate blob SAS token and URL.

  4. Make a copy of Blob SAS URL. In the middle of the URL is the file name SQLDatabaseExtension.bacpac. The file name divides the URL into three parts:
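As an added example that is not part of the original tutorial, the following Python splits a Blob SAS URL of the shape the portal produces into the three values the template needs (the base location, the file name, and the SAS token) and checks that the token grants only the limited access this tutorial intends: read-only, HTTPS-only, and short-lived. The storage account name, the sample URL, the placeholder signature, and passing the token with its leading "?" are assumptions.

```python
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

# Constructed sample in the shape of the portal's "Blob SAS URL"; the signature is a placeholder.
SAMPLE_SAS_URL = (
    "https://mystorageacct.blob.core.windows.net/sqlbacpac/SQLDatabaseExtension.bacpac"
    "?sv=2018-03-28&st=2019-06-01T00%3A00%3A00Z&se=2019-06-01T08%3A00%3A00Z"
    "&sr=b&sp=r&spr=https&sig=PLACEHOLDER_SIGNATURE"
)

def _parse_sas_time(value):
    """SAS st/se values are UTC, written with or without seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised SAS time: {value}")

def split_sas_url(url):
    """Split a blob SAS URL at the file name into the three template parameter values."""
    parts = urlsplit(url)
    container_path, _, file_name = parts.path.rpartition("/")
    return {
        # Keep the trailing slash so uri(_artifactsLocation, bacpacFileName) joins cleanly.
        "_artifactsLocation": f"{parts.scheme}://{parts.netloc}{container_path}/",
        "bacpacFileName": file_name,
        # Assumption: the token is supplied with its leading "?" as the storageKey value.
        "_artifactsLocationSasToken": "?" + parts.query,
    }

def check_sas_token(sas_token, now="", max_hours=8):
    """Return findings for a token that should be read-only, HTTPS-only and valid for at most max_hours."""
    q = {k: v[0] for k, v in parse_qs(sas_token.lstrip("?")).items()}
    now_dt = _parse_sas_time(now) if now else datetime.now(timezone.utc)
    findings = []
    if q.get("sp") != "r":
        findings.append(f"permissions '{q.get('sp')}' are broader than read-only")
    if q.get("spr") != "https":
        findings.append("token is not limited to HTTPS")
    if "se" not in q:
        findings.append("token has no expiry")
    else:
        remaining = _parse_sas_time(q["se"]) - now_dt
        if remaining.total_seconds() <= 0:
            findings.append("token has already expired")
        elif remaining.total_seconds() > max_hours * 3600:
            findings.append(f"token stays valid for more than {max_hours} hours")
    return findings
```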

Open an existing template

In this section, you modify the template you created in Tutorial: Import SQL BACPAC files with Azure Resource Manager templates so that it calls the BACPAC file with a SAS token. The template developed in the SQL extension tutorial is shared at https://armtutorials.blob.core.windows.net/sqlextensionbacpac/azuredeploy.json.

  1. From Visual Studio Code, select File > Open File.

  2. In File name, paste the following URL:

    https://armtutorials.blob.core.windows.net/sqlextensionbacpac/azuredeploy.json

  3. Select Open to open the file.

    There are five resources defined in the template:

    • Microsoft.Sql/servers
    • Microsoft.Sql/servers/securityAlertPolicies
    • Microsoft.Sql/servers/firewallRules
    • Microsoft.Sql/servers/databases
    • Microsoft.Sql/servers/databases/extensions

    It is helpful to get a basic understanding of the template before customizing it.

  4. Select File > Save As to save a copy of the file to your local computer with the name azuredeploy.json.

Edit the template

Add the following additional parameters:

"_artifactsLocation": {
    "type": "string",
    "metadata": {
        "description": "The base URI where artifacts required by this template are located."
    }
},
"_artifactsLocationSasToken": {
    "type": "securestring",
    "metadata": {
        "description": "The sasToken required to access _artifactsLocation."
    },
    "defaultValue": ""
},
"bacpacFileName": {
    "type": "string",
    "defaultValue": "SQLDatabaseExtension.bacpac",
    "metadata": {
        "description": "The BACPAC file used to configure the database and tables."
    }
}

Resource Manager tutorial secure artifacts parameters

Update the values of the following two elements:

"storageKey": "[parameters('_artifactsLocationSasToken')]",
"storageUri": "[uri(parameters('_artifactsLocation'), parameters('bacpacFileName'))]",

Deploy the template

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

Refer to the Deploy the template section for the deployment procedure. Use the following PowerShell deployment script instead:

# Prompt for the values the template and the deployment need.
$resourceGroupName = Read-Host -Prompt "Enter the Resource Group name"
$location = Read-Host -Prompt "Enter the location (for example, chinaeast)"
$adminUsername = Read-Host -Prompt "Enter the SQL server admin username"
$adminPassword = Read-Host -Prompt "Enter the admin password" -AsSecureString
$artifactsLocation = Read-Host -Prompt "Enter the artifacts location"
# The SAS token is read as a secure string because it grants access to the BACPAC file.
$artifactsLocationSasToken = Read-Host -Prompt "Enter the artifacts location SAS token" -AsSecureString
$bacpacFileName = Read-Host -Prompt "Enter the BACPAC file name"

# Create the resource group, then deploy the template with the parameters collected above.
New-AzResourceGroup -Name $resourceGroupName -Location $location
New-AzResourceGroupDeployment `
    -ResourceGroupName $resourceGroupName `
    -adminUser $adminUsername `
    -adminPassword $adminPassword `
    -_artifactsLocation $artifactsLocation `
    -_artifactsLocationSasToken $artifactsLocationSasToken `
    -bacpacFileName $bacpacFileName `
    -TemplateFile azuredeploy.json

Use a generated password. See Prerequisites. For the values of _artifactsLocation, _artifactsLocationSasToken, and bacpacFileName, see Generate a SAS token.

Verify the deployment

In the portal, select the SQL database from the newly deployed resource group. Select Query editor (preview), and then enter the administrator credentials. You should see two tables imported into the database:

Azure Resource Manager deploy SQL extension BACPAC

Clean up resources

When the Azure resources are no longer needed, clean up the resources you deployed by deleting the resource group.

  1. From the Azure portal, select Resource group from the left menu.
  2. Enter the resource group name in the Filter by name field.
  3. Select the resource group name. You should see a total of six resources in the resource group.
  4. Select Delete resource group from the top menu.

Next steps

In this tutorial, you deployed a SQL Server and a SQL Database, and imported a BACPAC file using a SAS token. To learn how to deploy Azure resources across multiple regions, and how to use safe deployment practices, see