向存储添加 Terraform 中的主访问密钥至 KV。

huangapple go评论61阅读模式
英文:

Add primary acces key to KV from storage by terraform

问题

resource "azurerm_storage_account" "storage" {
  name                     = "mystorageaccount"
  resource_group_name      = azurerm_resource_group.rg.name
  location                 = azurerm_resource_group.rg.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
}

output "storage_account_key" {
  value = azurerm_storage_account.storage.primary_access_key
}
resource "azurerm_key_vault_secret" "storage_account_key" {
  name         = "storageAccountKey"
  value        = azurerm_storage_account.storage.primary_access_key
  key_vault_id = azurerm_key_vault.kv.id
}
英文:

I have a Terraform file called 'main.tf' that creates an RG (resource group), a storage account, an event hub namespace, and a key vault. Is it possible to configure the key vault to write the primary secret from the storage account that was created? All of this should be done within the context of a single file, of course.

I tried add code like this:

resource "azurerm_storage_account" "storage" {
  name                     = "mystorageaccount"
  resource_group_name      = azurerm_resource_group.rg.name
  location                 = azurerm_resource_group.rg.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
}

output "storage_account_key" {
  value = azurerm_storage_account.storage.primary_access_key
}
resource "azurerm_key_vault_secret" "storage_account_key" {
  name         = "storageAccountKey"
  value        = azurerm_storage_account.storage.primary_access_key
  key_vault_id = azurerm_key_vault.kv.id
}

But when I run terraform plan, it requires me to type in storage_account_key in the terminal.

答案1

得分: 1

> 将主访问密钥通过terraform从存储添加到KV

我已经创建了一个RG存储帐户事件中心命名空间和一个密钥保管库,并使用以下terraform代码将存储帐户访问密钥存储在密钥保管库中。

provider "azurerm" {
  features {}
}

data "azurerm_client_config" "current" {}

resource "azurerm_resource_group" "sample-rg" {
  name     = "sample-resources"
  location = "West Europe"
}

resource "azurerm_storage_account" "storage" {
  name                = "vijaystorageaccounttest"
  resource_group_name = azurerm_resource_group.sample-rg.name
  location            = azurerm_resource_group.sample-rg.location
  account_tier        = "Standard"
  account_replication_type = "LRS"
}

resource "azurerm_key_vault" "example" {
  name                        = "venkatdemosamplevault"
  location                    = azurerm_resource_group.sample-rg.location
  resource_group_name         = azurerm_resource_group.sample-rg.name
  enabled_for_disk_encryption = true
  tenant_id                   = data.azurerm_client_config.current.tenant_id
  soft_delete_retention_days  = 7
  purge_protection_enabled    = false
  sku_name                    = "standard"

  access_policy {
    tenant_id = data.azurerm_client_config.current.tenant_id
    object_id = data.azurerm_client_config.current.object_id

    key_permissions = ["Backup", "Create", "Decrypt", "Delete", "Encrypt", "Get", "Import", "List", "Purge", "Recover", "Restore", "Sign", "UnwrapKey", "Update", "Verify", "WrapKey"]
    secret_permissions = ["Backup", "Delete", "Get", "List", "Purge", "Recover", "Restore", "Set"]
    storage_permissions = ["Backup", "Delete", "DeleteSAS", "Get", "GetSAS", "List", "ListSAS", "Purge", "Recover", "RegenerateKey", "Restore", "Set", "SetSAS", "Update"]
  }
}

resource "azurerm_key_vault_secret" "storage_account_key" {
  name         = "storageAccountKey"
  value        = azurerm_storage_account.storage.primary_access_key
  key_vault_id = azurerm_key_vault.example.id

  depends_on = [
    azurerm_storage_account.storage
  ]
}

resource "azurerm_eventhub_namespace" "example" {
  name                = "venkat-namespace"
  location            = azurerm_resource_group.sample-rg.location
  resource_group_name = azurerm_resource_group.sample-rg.name
  sku                 = "Standard"
  capacity            = 2

  tags = {
    environment = "Production"
  }
}

Terraform Apply:

向存储添加 Terraform 中的主访问密钥至 KV。

运行上述terraform代码后,资源在门户中成功创建。

向存储添加 Terraform 中的主访问密钥至 KV。

成功将存储帐户访问密钥存储在密钥保管库的秘密中。

向存储添加 Terraform 中的主访问密钥至 KV。

英文:

> Add primary acces key to KV from storage by terraform

I have created a RG , Storage account, Event hub namespace, and a key vault and stored Storage account access key in Key vault using below terraform code.

provider  "azurerm"  {
features  {}
}
data  "azurerm_client_config"  "current"  {}
resource  "azurerm_resource_group"  "sample-rg"  {
name = "sample-resources"
location = "West Europe"
}
resource  "azurerm_storage_account"  "storage"  {
name = "vijaystorageaccounttest"
resource_group_name = azurerm_resource_group.sample-rg.name
location = azurerm_resource_group.sample-rg.location
account_tier = "Standard"
account_replication_type = "LRS"
}
resource  "azurerm_key_vault"  "example"  {
name = "venkatdemosamplevault"
location = azurerm_resource_group.sample-rg.location
resource_group_name = azurerm_resource_group.sample-rg.name
enabled_for_disk_encryption = true
tenant_id = data.azurerm_client_config.current.tenant_id
soft_delete_retention_days = 7
purge_protection_enabled = false
sku_name = "standard"
access_policy  {
tenant_id = data.azurerm_client_config.current.tenant_id
object_id = data.azurerm_client_config.current.object_id
key_permissions = ["Backup",  "Create",  "Decrypt",  "Delete",  "Encrypt",  "Get",  "Import",  "List",  "Purge",  "Recover",  "Restore",  "Sign",  "UnwrapKey",  "Update",  "Verify",  "WrapKey",  ]
secret_permissions = ["Backup",  "Delete",  "Get",  "List",  "Purge",  "Recover",  "Restore",  "Set",  ]
storage_permissions = ["Backup",  "Delete",  "DeleteSAS",  "Get",  "GetSAS",  "List",  "ListSAS",  "Purge",  "Recover",  "RegenerateKey",  "Restore",  "Set",  "SetSAS",  "Update",  ]
}
}
resource  "azurerm_key_vault_secret"  "storage_account_key"  {
name = "storageAccountKey"
value = azurerm_storage_account.storage.primary_access_key
key_vault_id = azurerm_key_vault.example.id
depends_on = [
azurerm_storage_account.storage
]
}
resource  "azurerm_eventhub_namespace"  "example"  {
name = "venkat-namespace"
location = azurerm_resource_group.sample-rg.location
resource_group_name = azurerm_resource_group.sample-rg.name
sku = "Standard"
capacity = 2
tags = {
environment = "Production"
}
}

Terraform Apply:

向存储添加 Terraform 中的主访问密钥至 KV。

Once ran the above terraform code, resources are created successfully in portal.

向存储添加 Terraform 中的主访问密钥至 KV。

Successfully stored storage account access key in Key vault secret.

向存储添加 Terraform 中的主访问密钥至 KV。

huangapple
  • 本文由 发表于 2023年4月19日 21:24:50
  • 转载请务必保留本文链接:https://go.coder-hub.com/76055078.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定