运行 Terraform 应用时 Azure Key Vault 访问策略出现问题
Problems with Azure Key Vault Access Policies when running Terraform Apply
当 Terraform 应用 运行s 时,在两种情况下使用 Key Vault 会发生以下情况。
当 运行 从管道通过服务原则时,它将仅应用服务原则访问 Key Vault 策略。
当从 cmd 行 运行 时,它将仅应用 Key Vault 的租户用户广告访问策略。
我需要它来完成这两项工作,因为我有开发人员想要在 Kay Vault 上线时查看生成的秘密。当 运行 通过管道时,只有服务原则有权执行此操作。
状态文件的背景信息:
State 文件位于 Azure 中,可以在 运行 执行以下命令时从管道服务原则和 cmd 行访问: terraform init -backend-config=/DevOpsProject/Terraform/azure.conf
Key Vault 代码:
data "azurerm_client_config" "current" {}
data "azuread_service_principal" "current" {
object_id = "VALUE" // This will need changing per tenant used for KeyVault
}
// This gets the Azure AD Tenant ID information to deploy for KeyVault.
resource "azurerm_key_vault" "nscsecrets" {
name = "${var.key_vault_name}-${random_string.myrandom.id}"
resource_group_name = azurerm_resource_group.Classroom_In_The_Cloud_Terraform.name
location = azurerm_resource_group.Classroom_In_The_Cloud_Terraform.location
sku_name = "standard"
tenant_id = data.azurerm_client_config.current.tenant_id
soft_delete_retention_days = 7
purge_protection_enabled = true
}
resource "azurerm_key_vault_access_policy" "client" { // This is for AD Users Logged into Azure to give them the right access when creating resources.
key_vault_id = azurerm_key_vault.nscsecrets.id
tenant_id = data.azurerm_client_config.current.tenant_id
object_id = data.azurerm_client_config.current.object_id
secret_permissions = ["Backup", "Delete", "Get", "List", "Purge", "Recover", "Restore", "Set", ]
key_permissions = ["Backup", "Create", "Decrypt", "Delete", "Encrypt", "Get", "Import", "List", "Purge", "Recover", "Restore", "Sign", "UnwrapKey", "Update", "Verify", "WrapKey", ]
storage_permissions = ["Backup", "Delete", "DeleteSAS", "Get", "GetSAS", "List", "ListSAS", "Purge", "Recover", "RegenerateKey", "Restore", "Set", "SetSAS", "Update", ]
}
resource "azurerm_key_vault_access_policy" "service_principal" { // This is for the Service Principal in the pipeline to be able to make changes to Key Vault.
key_vault_id = azurerm_key_vault.nscsecrets.id
tenant_id = data.azurerm_client_config.current.tenant_id
object_id = data.azuread_service_principal.current.object_id
secret_permissions = ["Backup", "Delete", "Get", "List", "Purge", "Recover", "Restore", "Set", ]
key_permissions = ["Backup", "Create", "Decrypt", "Delete", "Encrypt", "Get", "Import", "List", "Purge", "Recover", "Restore", "Sign", "UnwrapKey", "Update", "Verify", "WrapKey", ]
storage_permissions = ["Backup", "Delete", "DeleteSAS", "Get", "GetSAS", "List", "ListSAS", "Purge", "Recover", "RegenerateKey", "Restore", "Set", "SetSAS", "Update", ]
}
resource "azurerm_key_vault_access_policy" "website_accesspolicy" {
key_vault_id = azurerm_key_vault.nscsecrets.id
tenant_id = azurerm_app_service.website_app.identity[0].tenant_id
object_id = azurerm_app_service.website_app.identity[0].principal_id
secret_permissions = ["get"]
}
resource "azurerm_key_vault_access_policy" "website_logs_storage_accesspolicy" { // This is for the Storage Account for Website Logs.
key_vault_id = azurerm_key_vault.nscsecrets.id
tenant_id = data.azurerm_client_config.current.tenant_id
object_id = azurerm_storage_account.website_log_storage.identity[0].principal_id
key_permissions = ["get", "create", "delete", "list", "restore", "recover", "unwrapkey", "wrapkey", "purge", "encrypt", "decrypt", "sign", "verify", ]
secret_permissions = ["Backup", "Delete", "Get", "List", "Purge", "Recover", "Restore", "Set", ]
}
resource "azurerm_key_vault_key" "website_logs_key" {
name = "website-logs-key"
key_vault_id = azurerm_key_vault.nscsecrets.id
key_type = "RSA"
key_size = 2048
key_opts = ["decrypt", "encrypt", "sign", "unwrapKey", "verify", "wrapKey", ]
depends_on = [
azurerm_key_vault_access_policy.client,
azurerm_key_vault_access_policy.website_logs_storage_accesspolicy
]
}
使用管道时,您必须使用服务主体对 Azure 进行身份验证。
将 User 和 Service Principal 添加到 keyvault 的访问策略中。当您通过服务主体进行身份验证时,您应该使用 azuread_user 的数据源而不是 azuread_service_principal 的数据源,数据源 azurerm_client_config 将具有服务主体的 objectId。所以,您的代码将类似于下面 (I tested this by authenticating via service principal from local):
provider "azurerm" {
subscription_id = "88073b30-xxxx-xxxx-xxx-8442c93573ae"
tenant_id = "ab078f81-xxxx-xxxx-xxxx-620b694ded30"
client_id = "7f1a4457-xxxx-xxxx-xxxx-293b51794fb3"
client_secret = "aGY7Q~0n2iKMOxxxxxxxxxxxxlnNG9Pnt2k"
features {}
}
provider "azuread"{
tenant_id = "ab078f81-xxxx-xxxx-xxxx-620b694ded30"
client_id = "7f1a4457-xxxx-xxxx-xxxx-293b51794fb3"
client_secret = "aGY7Q~0n2iKMOxxxxxxxxxxxxlnNG9Pnt2k"
}
data "azurerm_client_config" "current" {}
// This gets the Azure AD Tenant ID information to deploy for KeyVault and also contains the service principal objectID.
data "azurerm_resource_group" "Classroom_In_The_Cloud_Terraform"{
name = "ansuman-resourcegroup"
}
// user which I want to give permissions to be able to access the keyvault.
data "azuread_user" "user"{
user_principal_name = "ansuman@xxxxx.onmicrosoft.com"
}
resource "azurerm_key_vault" "nscsecrets" {
name = "Ansumankeyvault0123456"
resource_group_name = data.azurerm_resource_group.Classroom_In_The_Cloud_Terraform.name
location = data.azurerm_resource_group.Classroom_In_The_Cloud_Terraform.location
sku_name = "standard"
tenant_id = data.azurerm_client_config.current.tenant_id
soft_delete_retention_days = 7
purge_protection_enabled = true
}
resource "azurerm_key_vault_access_policy" "client" { // This is for AD Users Logged into Azure to give them the right access when creating resources.
key_vault_id = azurerm_key_vault.nscsecrets.id
tenant_id = data.azurerm_client_config.current.tenant_id
object_id = data.azuread_user.user.object_id
secret_permissions = ["Backup", "Delete", "Get", "List", "Purge", "Recover", "Restore", "Set", ]
key_permissions = ["Backup", "Create", "Decrypt", "Delete", "Encrypt", "Get", "Import", "List", "Purge", "Recover", "Restore", "Sign", "UnwrapKey", "Update", "Verify", "WrapKey", ]
storage_permissions = ["Backup", "Delete", "DeleteSAS", "Get", "GetSAS", "List", "ListSAS", "Purge", "Recover", "RegenerateKey", "Restore", "Set", "SetSAS", "Update", ]
}
resource "azurerm_key_vault_access_policy" "service_principal" { // This is for the Service Principal in the pipeline to be able to make changes to Key Vault.
key_vault_id = azurerm_key_vault.nscsecrets.id
tenant_id = data.azurerm_client_config.current.tenant_id
object_id = data.azurerm_client_config.current.object_id
secret_permissions = ["Backup", "Delete", "Get", "List", "Purge", "Recover", "Restore", "Set", ]
key_permissions = ["Backup", "Create", "Decrypt", "Delete", "Encrypt", "Get", "Import", "List", "Purge", "Recover", "Restore", "Sign", "UnwrapKey", "Update", "Verify", "WrapKey", ]
storage_permissions = ["Backup", "Delete", "DeleteSAS", "Get", "GetSAS", "List", "ListSAS", "Purge", "Recover", "RegenerateKey", "Restore", "Set", "SetSAS", "Update", ]
}
输出:
注:
请确保您正在使用的服务主体具有以下 API 权限,并已获得该租户的管理员同意:
当 Terraform 应用 运行s 时,在两种情况下使用 Key Vault 会发生以下情况。
当 运行 从管道通过服务原则时,它将仅应用服务原则访问 Key Vault 策略。
当从 cmd 行 运行 时,它将仅应用 Key Vault 的租户用户广告访问策略。
我需要它来完成这两项工作,因为我有开发人员想要在 Kay Vault 上线时查看生成的秘密。当 运行 通过管道时,只有服务原则有权执行此操作。
状态文件的背景信息:
State 文件位于 Azure 中,可以在 运行 执行以下命令时从管道服务原则和 cmd 行访问: terraform init -backend-config=/DevOpsProject/Terraform/azure.conf
Key Vault 代码:
data "azurerm_client_config" "current" {}
data "azuread_service_principal" "current" {
object_id = "VALUE" // This will need changing per tenant used for KeyVault
}
// This gets the Azure AD Tenant ID information to deploy for KeyVault.
resource "azurerm_key_vault" "nscsecrets" {
name = "${var.key_vault_name}-${random_string.myrandom.id}"
resource_group_name = azurerm_resource_group.Classroom_In_The_Cloud_Terraform.name
location = azurerm_resource_group.Classroom_In_The_Cloud_Terraform.location
sku_name = "standard"
tenant_id = data.azurerm_client_config.current.tenant_id
soft_delete_retention_days = 7
purge_protection_enabled = true
}
resource "azurerm_key_vault_access_policy" "client" { // This is for AD Users Logged into Azure to give them the right access when creating resources.
key_vault_id = azurerm_key_vault.nscsecrets.id
tenant_id = data.azurerm_client_config.current.tenant_id
object_id = data.azurerm_client_config.current.object_id
secret_permissions = ["Backup", "Delete", "Get", "List", "Purge", "Recover", "Restore", "Set", ]
key_permissions = ["Backup", "Create", "Decrypt", "Delete", "Encrypt", "Get", "Import", "List", "Purge", "Recover", "Restore", "Sign", "UnwrapKey", "Update", "Verify", "WrapKey", ]
storage_permissions = ["Backup", "Delete", "DeleteSAS", "Get", "GetSAS", "List", "ListSAS", "Purge", "Recover", "RegenerateKey", "Restore", "Set", "SetSAS", "Update", ]
}
resource "azurerm_key_vault_access_policy" "service_principal" { // This is for the Service Principal in the pipeline to be able to make changes to Key Vault.
key_vault_id = azurerm_key_vault.nscsecrets.id
tenant_id = data.azurerm_client_config.current.tenant_id
object_id = data.azuread_service_principal.current.object_id
secret_permissions = ["Backup", "Delete", "Get", "List", "Purge", "Recover", "Restore", "Set", ]
key_permissions = ["Backup", "Create", "Decrypt", "Delete", "Encrypt", "Get", "Import", "List", "Purge", "Recover", "Restore", "Sign", "UnwrapKey", "Update", "Verify", "WrapKey", ]
storage_permissions = ["Backup", "Delete", "DeleteSAS", "Get", "GetSAS", "List", "ListSAS", "Purge", "Recover", "RegenerateKey", "Restore", "Set", "SetSAS", "Update", ]
}
resource "azurerm_key_vault_access_policy" "website_accesspolicy" {
key_vault_id = azurerm_key_vault.nscsecrets.id
tenant_id = azurerm_app_service.website_app.identity[0].tenant_id
object_id = azurerm_app_service.website_app.identity[0].principal_id
secret_permissions = ["get"]
}
resource "azurerm_key_vault_access_policy" "website_logs_storage_accesspolicy" { // This is for the Storage Account for Website Logs.
key_vault_id = azurerm_key_vault.nscsecrets.id
tenant_id = data.azurerm_client_config.current.tenant_id
object_id = azurerm_storage_account.website_log_storage.identity[0].principal_id
key_permissions = ["get", "create", "delete", "list", "restore", "recover", "unwrapkey", "wrapkey", "purge", "encrypt", "decrypt", "sign", "verify", ]
secret_permissions = ["Backup", "Delete", "Get", "List", "Purge", "Recover", "Restore", "Set", ]
}
resource "azurerm_key_vault_key" "website_logs_key" {
name = "website-logs-key"
key_vault_id = azurerm_key_vault.nscsecrets.id
key_type = "RSA"
key_size = 2048
key_opts = ["decrypt", "encrypt", "sign", "unwrapKey", "verify", "wrapKey", ]
depends_on = [
azurerm_key_vault_access_policy.client,
azurerm_key_vault_access_policy.website_logs_storage_accesspolicy
]
}
使用管道时,您必须使用服务主体对 Azure 进行身份验证。
将 User 和 Service Principal 添加到 keyvault 的访问策略中。当您通过服务主体进行身份验证时,您应该使用 azuread_user 的数据源而不是 azuread_service_principal 的数据源,数据源 azurerm_client_config 将具有服务主体的 objectId。所以,您的代码将类似于下面 (I tested this by authenticating via service principal from local):
provider "azurerm" {
subscription_id = "88073b30-xxxx-xxxx-xxx-8442c93573ae"
tenant_id = "ab078f81-xxxx-xxxx-xxxx-620b694ded30"
client_id = "7f1a4457-xxxx-xxxx-xxxx-293b51794fb3"
client_secret = "aGY7Q~0n2iKMOxxxxxxxxxxxxlnNG9Pnt2k"
features {}
}
provider "azuread"{
tenant_id = "ab078f81-xxxx-xxxx-xxxx-620b694ded30"
client_id = "7f1a4457-xxxx-xxxx-xxxx-293b51794fb3"
client_secret = "aGY7Q~0n2iKMOxxxxxxxxxxxxlnNG9Pnt2k"
}
data "azurerm_client_config" "current" {}
// This gets the Azure AD Tenant ID information to deploy for KeyVault and also contains the service principal objectID.
data "azurerm_resource_group" "Classroom_In_The_Cloud_Terraform"{
name = "ansuman-resourcegroup"
}
// user which I want to give permissions to be able to access the keyvault.
data "azuread_user" "user"{
user_principal_name = "ansuman@xxxxx.onmicrosoft.com"
}
resource "azurerm_key_vault" "nscsecrets" {
name = "Ansumankeyvault0123456"
resource_group_name = data.azurerm_resource_group.Classroom_In_The_Cloud_Terraform.name
location = data.azurerm_resource_group.Classroom_In_The_Cloud_Terraform.location
sku_name = "standard"
tenant_id = data.azurerm_client_config.current.tenant_id
soft_delete_retention_days = 7
purge_protection_enabled = true
}
resource "azurerm_key_vault_access_policy" "client" { // This is for AD Users Logged into Azure to give them the right access when creating resources.
key_vault_id = azurerm_key_vault.nscsecrets.id
tenant_id = data.azurerm_client_config.current.tenant_id
object_id = data.azuread_user.user.object_id
secret_permissions = ["Backup", "Delete", "Get", "List", "Purge", "Recover", "Restore", "Set", ]
key_permissions = ["Backup", "Create", "Decrypt", "Delete", "Encrypt", "Get", "Import", "List", "Purge", "Recover", "Restore", "Sign", "UnwrapKey", "Update", "Verify", "WrapKey", ]
storage_permissions = ["Backup", "Delete", "DeleteSAS", "Get", "GetSAS", "List", "ListSAS", "Purge", "Recover", "RegenerateKey", "Restore", "Set", "SetSAS", "Update", ]
}
resource "azurerm_key_vault_access_policy" "service_principal" { // This is for the Service Principal in the pipeline to be able to make changes to Key Vault.
key_vault_id = azurerm_key_vault.nscsecrets.id
tenant_id = data.azurerm_client_config.current.tenant_id
object_id = data.azurerm_client_config.current.object_id
secret_permissions = ["Backup", "Delete", "Get", "List", "Purge", "Recover", "Restore", "Set", ]
key_permissions = ["Backup", "Create", "Decrypt", "Delete", "Encrypt", "Get", "Import", "List", "Purge", "Recover", "Restore", "Sign", "UnwrapKey", "Update", "Verify", "WrapKey", ]
storage_permissions = ["Backup", "Delete", "DeleteSAS", "Get", "GetSAS", "List", "ListSAS", "Purge", "Recover", "RegenerateKey", "Restore", "Set", "SetSAS", "Update", ]
}
输出:
注:
请确保您正在使用的服务主体具有以下 API 权限,并已获得该租户的管理员同意: