Add primary access key to KV from storage by terraform
Question
I have a Terraform file called 'main.tf' that creates an RG (resource group), a storage account, an event hub namespace, and a key vault. Is it possible to configure the key vault to write the primary secret from the storage account that was created? All of this should be done within the context of a single file, of course.
I tried adding code like this:
resource "azurerm_storage_account" "storage" {
  name                     = "mystorageaccount"
  resource_group_name      = azurerm_resource_group.rg.name
  location                 = azurerm_resource_group.rg.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
}

output "storage_account_key" {
  value = azurerm_storage_account.storage.primary_access_key
}

resource "azurerm_key_vault_secret" "storage_account_key" {
  name         = "storageAccountKey"
  value        = azurerm_storage_account.storage.primary_access_key
  key_vault_id = azurerm_key_vault.kv.id
}
But when I run terraform plan, it requires me to type in storage_account_key in the terminal.
Answer 1
Score: 1
> Add primary access key to KV from storage by terraform

I have created an RG, storage account, event hub namespace, and a key vault, and stored the storage account access key in Key Vault using the Terraform code below.
provider "azurerm" {
  features {}
}

data "azurerm_client_config" "current" {}

resource "azurerm_resource_group" "sample-rg" {
  name     = "sample-resources"
  location = "West Europe"
}

resource "azurerm_storage_account" "storage" {
  name                     = "vijaystorageaccounttest"
  resource_group_name      = azurerm_resource_group.sample-rg.name
  location                 = azurerm_resource_group.sample-rg.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
}

resource "azurerm_key_vault" "example" {
  name                        = "venkatdemosamplevault"
  location                    = azurerm_resource_group.sample-rg.location
  resource_group_name         = azurerm_resource_group.sample-rg.name
  enabled_for_disk_encryption = true
  tenant_id                   = data.azurerm_client_config.current.tenant_id
  soft_delete_retention_days  = 7
  purge_protection_enabled    = false
  sku_name                    = "standard"

  access_policy {
    tenant_id = data.azurerm_client_config.current.tenant_id
    object_id = data.azurerm_client_config.current.object_id

    key_permissions     = ["Backup", "Create", "Decrypt", "Delete", "Encrypt", "Get", "Import", "List", "Purge", "Recover", "Restore", "Sign", "UnwrapKey", "Update", "Verify", "WrapKey"]
    secret_permissions  = ["Backup", "Delete", "Get", "List", "Purge", "Recover", "Restore", "Set"]
    storage_permissions = ["Backup", "Delete", "DeleteSAS", "Get", "GetSAS", "List", "ListSAS", "Purge", "Recover", "RegenerateKey", "Restore", "Set", "SetSAS", "Update"]
  }
}

resource "azurerm_key_vault_secret" "storage_account_key" {
  name         = "storageAccountKey"
  value        = azurerm_storage_account.storage.primary_access_key
  key_vault_id = azurerm_key_vault.example.id

  depends_on = [
    azurerm_storage_account.storage
  ]
}

resource "azurerm_eventhub_namespace" "example" {
  name                = "venkat-namespace"
  location            = azurerm_resource_group.sample-rg.location
  resource_group_name = azurerm_resource_group.sample-rg.name
  sku                 = "Standard"
  capacity            = 2

  tags = {
    environment = "Production"
  }
}
Terraform Apply:
Once the above Terraform code ran, the resources were created successfully in the portal.
The storage account access key was stored successfully in a Key Vault secret.
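The following is an added example, not code from the question or the answer above. It shows the output-plus-secret pair from the question written the way a reviewer would want it before it is merged. Two facts drive it: `primary_access_key` is a sensitive attribute of `azurerm_storage_account`, and since Terraform 0.15 an `output` that references a sensitive attribute must itself be marked `sensitive = true` or `terraform plan` refuses it with "Output refers to sensitive values". The block assumes the resources `azurerm_storage_account.storage` and `azurerm_key_vault.example` from the answer's configuration exist in the same root module, and the variable `storage_key_secret_expiry` and its default date are placeholders introduced here.

```hcl
# Added example (not from the original post). Assumes
# azurerm_storage_account.storage and azurerm_key_vault.example from the
# answer's code are declared in the same configuration (azurerm provider 3.x).

# Placeholder expiry for the secret (assumption): set it to the date by which
# the storage key is scheduled to be rotated, so consumers can detect a stale key.
variable "storage_key_secret_expiry" {
  description = "RFC 3339 expiration stamped on the Key Vault secret"
  type        = string
  default     = "2026-12-31T23:59:59Z"
}

# primary_access_key is sensitive, so the output must be sensitive too.
# This also keeps the key out of plan/apply output and CI logs; note that the
# value is still written to the Terraform state file in plaintext.
output "storage_account_key" {
  value     = azurerm_storage_account.storage.primary_access_key
  sensitive = true
}

resource "azurerm_key_vault_secret" "storage_account_key" {
  name         = "storageAccountKey"
  value        = azurerm_storage_account.storage.primary_access_key
  key_vault_id = azurerm_key_vault.example.id

  # Metadata that lets a consumer verify what it fetched and whether it is stale.
  content_type    = "azure-storage-account-key"
  expiration_date = var.storage_key_secret_expiry

  tags = {
    source = azurerm_storage_account.storage.name
  }

  # No depends_on is needed: the reference to azurerm_storage_account.storage
  # in `value` already makes Terraform create the storage account first.
}
```

Because the key is persisted in state regardless of the `sensitive` flag, anyone who can read the state file can read the key. Keep state in a remote backend with encryption at rest and access restricted to the pipeline identity, and treat the Key Vault secret, not the state or the output, as the place applications fetch the key from.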
Comments