Terraform/Azure - Deploying Resource and Assigning KeyVault Access

Question


I am running into a cycle error when assigning a keyvault access policy to the managed identity of the resource I am trying to create. Currently we have modules for App_Config, Windows Function, Redis, etc. All of them are created with either a system or a user managed identity. They all need access to keyvaults.

Currently I generate the keyvault's access_policies by looping through the resources and grabbing the manage_identity for each resource.

What is the best way to break this cycle error and apply keyvault access to resources?

#################################

Update 1

After moving the azurerm_user_assigned_identity outside of the module, the cycle error was solved, but Windows Function is now complaining that it needs a System Assigned Identity.


Back to testing other options
1: https://i.stack.imgur.com/zwVgd.png

Answer 1

Score: 1


A cycle error occurs when the azurerm_key_vault depends on the azurerm_managed_identity resource (when assigning an access policy to the managed identity), whereas the azurerm_managed_identity resource also depends on the azurerm_key_vault resource (when using the Key Vault's ID).

resource "azurerm_key_vault" "nscsecrets" {
  name                       = "kkkvault0123456"
  resource_group_name        = data.azurerm_resource_group.example.name
  location                   = data.azurerm_resource_group.example.location
  sku_name                   = "standard"
  tenant_id                  = data.azurerm_client_config.current.tenant_id
  soft_delete_retention_days = 7
  purge_protection_enabled   = true
}

To resolve this cycle error, the way is to separate the managed identity creation and the assignment of the Key Vault access policy into two separate Terraform configurations or modules.

The indirect dependency between the resources can then be avoided and the cycle error resolved.

Code:

resource "azurerm_key_vault_access_policy" "app_config_policy" {
  key_vault_id = azurerm_key_vault.key_vault.id

  tenant_id = var.tenant_id
  # object_id is the principal_id of the user-assigned identity; the azurerm
  # provider's resource type for it is azurerm_user_assigned_identity
  # (a duplicate tenant_id attribute, which HCL rejects, was removed here)
  object_id = azurerm_user_assigned_identity.app_config_identity.principal_id

  # Define the permissions for the access policy
  secret_permissions  = ["Backup", "Delete", "Get", "List", "Purge"]
  key_permissions     = ["Backup", "Create", "List", "Purge", "Recover", "Restore", "Sign", "UnwrapKey", "Update", "Verify", "WrapKey"]
  storage_permissions = ["Backup", "Delete", "Recover", "RegenerateKey", "Restore", "Set", "SetSAS", "Update"]
}

resource "azurerm_key_vault_access_policy" "function_policy" {
  key_vault_id = azurerm_key_vault.key_vault.id

  tenant_id = var.tenant_id
  # object_id must be a principal's object id, not the tenant id; this grants
  # the principal running terraform (the current client config)
  object_id = data.azurerm_client_config.current.object_id

  # Define the permissions for the access policy
  secret_permissions  = ["Backup", "Delete", "Get", "List"]
  key_permissions     = ["Backup", "Create", "Decrypt", "Delete", "Encrypt", "Get", "Import", "List", "Purge", "Recover", "Restore", "Sign", "UnwrapKey", "Update", "Verify", "WrapKey"]
  storage_permissions = ["Backup", "Delete", "Update"]
}


Reference: Importing multiple Azure KeyVault Access Policies | StackOverflow

Answer 2

Score: 0


If you were to use user-assigned managed identities created by the azurerm_user_assigned_identity resource then you could:

  1. Create the user-assigned managed identities using azurerm_user_assigned_identity.
  2. Create the Key Vault.
  3. Call the consuming modules (App_Config, Windows Function, Redis).
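The ordering from Answer 2 combined with the separate access-policy resources from Answer 1, as an added example that is not code from the question or either answer. The resource group name, vault name, the module path "./modules/windows_function" and its output "principal_id" are assumed placeholders.

```hcl
# Added example, not code from the question or either answer. The module path
# "./modules/windows_function" and its output "principal_id" are hypothetical.
data "azurerm_client_config" "current" {}
data "azurerm_resource_group" "rg" { name = "rg-example" } # constructed name

# 1. User-assigned identities first; they depend only on the resource group.
resource "azurerm_user_assigned_identity" "svc" {
  for_each            = toset(["app_config", "redis"])
  name                = "id-${each.key}"
  resource_group_name = data.azurerm_resource_group.rg.name
  location            = data.azurerm_resource_group.rg.location
}

# 2. The vault has no inline access_policy blocks, so it never references the
#    consuming modules' identities; that is what removes the cycle.
resource "azurerm_key_vault" "main" {
  name                       = "kv-example-0123" # constructed name
  resource_group_name        = data.azurerm_resource_group.rg.name
  location                   = data.azurerm_resource_group.rg.location
  tenant_id                  = data.azurerm_client_config.current.tenant_id
  sku_name                   = "standard"
  soft_delete_retention_days = 7
  purge_protection_enabled   = true
}

# 3. One access policy per identity, as separate resources: the edges run
#    vault -> policy and identity -> policy, with nothing pointing back.
resource "azurerm_key_vault_access_policy" "user_assigned" {
  for_each           = azurerm_user_assigned_identity.svc
  key_vault_id       = azurerm_key_vault.main.id
  tenant_id          = data.azurerm_client_config.current.tenant_id
  object_id          = each.value.principal_id
  secret_permissions = ["Get", "List"] # least privilege: workloads only read
}

# 4. A module that must keep a system-assigned identity (the Windows Function
#    case in Update 1) only receives the vault id and exports principal_id;
#    its policy is created after the module, outside it.
module "windows_function" {
  source       = "./modules/windows_function"
  key_vault_id = azurerm_key_vault.main.id
}

resource "azurerm_key_vault_access_policy" "function" {
  key_vault_id       = azurerm_key_vault.main.id
  tenant_id          = data.azurerm_client_config.current.tenant_id
  object_id          = module.windows_function.principal_id
  secret_permissions = ["Get", "List"]
}
```

Keep the azurerm_key_vault free of inline access_policy blocks when using azurerm_key_vault_access_policy resources, otherwise the two definitions overwrite each other on successive applies.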

huangapple
  • Posted on 2023-06-16 05:02:50
  • Please keep this link when reposting: https://go.coder-hub.com/76485492.html