Terraform/Azure - Deploying Resource and Assing KeyVault Access
Question
I am running into a cycle error when assigning a Key Vault access policy to the managed identity of the resource I am trying to create. Currently we have modules for App_Config, Windows Function, Redis, etc. All of them are created with either a system-assigned or a user-assigned managed identity. They all need access to Key Vaults.
Currently I generate the Key Vault's access_policies by looping through the resources and grabbing the managed identity of each resource.
What is the best way to break this cycle error and apply Key Vault access to the resources?
#################################
Update 1
After moving the azurerm_user_assigned_identity outside of the module, the cycle error was solved, but Windows Function is now complaining that it needs a System Assigned Identity.
Back to testing other options.
1: https://i.stack.imgur.com/zwVgd.png
Answer 1
Score: 1
A cycle error occurs when the azurerm_key_vault depends on the azurerm_managed_identity resource (when assigning an access policy to the managed identity), whereas the azurerm_managed_identity resource also depends on the azurerm_key_vault resource when using the Key Vault's ID.
resource "azurerm_key_vault" "nscsecrets" {
  name                       = "kkkvault0123456"
  resource_group_name        = data.azurerm_resource_group.example.name
  location                   = data.azurerm_resource_group.example.location
  sku_name                   = "standard"
  tenant_id                  = data.azurerm_client_config.current.tenant_id
  soft_delete_retention_days = 7
  purge_protection_enabled   = true
}
To resolve this cycle error, separating the managed identity creation and the assignment of the Key Vault access policy into two separate Terraform configurations or modules is the way.
The indirect dependency between the resources can be avoided and the cycle error can be resolved.
code:
resource "azurerm_key_vault_access_policy" "app_config_policy" {
  # Reference the vault declared above by its resource name
  key_vault_id = azurerm_key_vault.nscsecrets.id
  tenant_id    = var.tenant_id
  # object_id is the principal_id of the user-assigned identity
  # (azurerm_user_assigned_identity is the provider's resource type for it)
  object_id    = azurerm_user_assigned_identity.app_config_identity.principal_id
  # Define the permissions for the access policy
  secret_permissions  = ["Backup", "Delete", "Get", "List", "Purge"]
  key_permissions     = ["Backup", "Create", "List", "Purge", "Recover", "Restore", "Sign", "UnwrapKey", "Update", "Verify", "WrapKey"]
  storage_permissions = ["Backup", "Delete", "Recover", "RegenerateKey", "Restore", "Set", "SetSAS", "Update"]
}
resource "azurerm_key_vault_access_policy" "function_policy" {
  key_vault_id = azurerm_key_vault.nscsecrets.id
  tenant_id    = var.tenant_id
  # object_id must be a principal's object id, not the tenant id; here the
  # Function App's system-assigned identity (resource name "function" is assumed)
  object_id    = azurerm_windows_function_app.function.identity[0].principal_id
  # Define the permissions for the access policy
  secret_permissions  = ["Backup", "Delete", "Get", "List"]
  key_permissions     = ["Backup", "Create", "Decrypt", "Delete", "Encrypt", "Get", "Import", "List", "Purge", "Recover", "Restore", "Sign", "UnwrapKey", "Update", "Verify", "WrapKey"]
  storage_permissions = ["Backup", "Delete", "Update"]
}
Reference: Importing multiple Azure KeyVault Access Policies | StackOverflow
Answer 2
Score: 0
If you were to use user-assigned managed identities created by the azurerm_user_assigned_identity resource then you could:
- Create the user-assigned managed identities using azurerm_user_assigned_identity.
- Create the Key Vault.
- Call the consuming modules (App_Config, Windows Function, Redis).
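The following root configuration is an added example, not code from the question or from either answer. It puts the pattern both answers describe into one runnable layout: identities are created at the root, the vault carries no inline access_policy blocks, and each policy is a standalone azurerm_key_vault_access_policy resource, so no resource depends on something that depends back on it. It also covers the Update 1 case, a Windows Function App that must use a system-assigned identity. The resource group, vault and identity names are constructed, and the two module paths ("./modules/app_config", "./modules/windows_function") with their `identity_id`, `key_vault_id` inputs and `principal_id` output are a hypothetical module interface.

```hcl
# Added example; assumes the azurerm provider is configured and that the two
# local modules below exist with the inputs/outputs named here (hypothetical).

data "azurerm_client_config" "current" {}

resource "azurerm_resource_group" "rg" {
  name     = "rg-kv-demo"   # constructed name
  location = "eastus"
}

# 1. Identities live at the root, so nothing inside a module needs the vault
#    id before the identity exists.
resource "azurerm_user_assigned_identity" "ids" {
  for_each            = toset(["app_config", "redis"])
  name                = "id-${each.key}"
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location
}

# 2. The vault has no inline access_policy blocks. Inline blocks would make the
#    vault depend on every consumer while the consumers depend on the vault,
#    which is exactly the cycle from the question.
resource "azurerm_key_vault" "kv" {
  name                       = "kv-demo-0123456"   # constructed name
  resource_group_name        = azurerm_resource_group.rg.name
  location                   = azurerm_resource_group.rg.location
  tenant_id                  = data.azurerm_client_config.current.tenant_id
  sku_name                   = "standard"
  soft_delete_retention_days = 7
  purge_protection_enabled   = true
}

# 3. One standalone access-policy resource per user-assigned identity.
#    A consumer that only reads secrets needs Get and List, nothing broader.
resource "azurerm_key_vault_access_policy" "uai" {
  for_each           = azurerm_user_assigned_identity.ids
  key_vault_id       = azurerm_key_vault.kv.id
  tenant_id          = data.azurerm_client_config.current.tenant_id
  object_id          = each.value.principal_id
  secret_permissions = ["Get", "List"]
}

# 4. Consuming modules receive the identity id and the vault id as plain
#    inputs; they never reference the policies, so there is no edge back.
module "app_config" {
  source       = "./modules/app_config"          # hypothetical module
  identity_id  = azurerm_user_assigned_identity.ids["app_config"].id
  key_vault_id = azurerm_key_vault.kv.id
}

# 5. A Windows Function App that must use a system-assigned identity still
#    fits: the module exposes the principal_id Azure assigned to it, and the
#    policy is created here at the root, after the module. The vault itself
#    never depends on the module, so the graph stays acyclic.
module "windows_function" {
  source       = "./modules/windows_function"    # hypothetical module
  key_vault_id = azurerm_key_vault.kv.id
}

resource "azurerm_key_vault_access_policy" "function" {
  key_vault_id       = azurerm_key_vault.kv.id
  tenant_id          = data.azurerm_client_config.current.tenant_id
  object_id          = module.windows_function.principal_id
  secret_permissions = ["Get", "List"]
}
```

Two points worth checking in a real deployment: the Function App is created before its access policy exists, which is fine because Key Vault references in app settings are resolved at runtime rather than at deploy time; and `terraform graph` on the root module is a quick way to confirm that no edge runs from the vault back to a consumer. Keeping each policy to the permissions the consumer actually uses also means a compromised app identity cannot purge or regenerate material it never needed.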