将keyvault导入terraform后如何添加keyvault访问策略
How to add keyvault access policies after importing keyvault into terraform
我的 Terraform 设计依赖于一个预先配置的密钥库,其中包含应用服务使用的秘密。我将此密钥保管库导入到我的远程状态。我可以看到它已被导入。现在,当我 运行 terraform plan 时,它就好像不知道导入的资源一样。
这就是我的 terraform 的样子
provider "azurerm" {
version="=2.20.0"
skip_provider_registration="true"
features{}
}
terraform {
backend "azurerm" {}
}
resource "azurerm_key_vault" "kv" {
name = "${var.env}ActicoDQM-kv"
}
module "app_service_plan"{
source = "./modules/app-service-plan"
...redacted for brevity
tags = var.tags
}
module "app-service"{
source = "./modules/app-service"
...redacted for brevity
tags = var.tags
key_vault_id = azurerm_key_vault.kv.key_vault_id
}
为模块内的应用服务添加访问策略
resource "azurerm_app_service" "app" {
... redacted for brevity
}
identity {
type = "SystemAssigned"
}
}
resource "azurerm_key_vault_access_policy" "app" {
key_vault_id = var.key_vault_id
tenant_id = azurerm_app_service.app.identity[0].tenant_id
object_id = azurerm_app_service.app.identity[0].principal_id
secret_permissions = ["get", "list"]
}
在我的理解中似乎缺少一些link,因为现在当我这样做时
terraform plan
它就像不知道导入的密钥库一样
Error: Missing required argument
on main.tf line 19, in resource "azurerm_key_vault" "kv":
19: resource "azurerm_key_vault" "kv" {
The argument "tenant_id" is required, but no definition was found.
即使您将现有的密钥保管库导入您的 terraform 状态,您也需要根据 keyvault resource docs.
完全定义所有必需的参数
您的 keyvault 资源至少应指定这些参数:
resource "azurerm_key_vault" "kv" {
name = "${var.env}ActicoDQM-kv"
location = ..
resource_group_name = ..
sku_name = "standard" or "premium"
tenant_id = data.azurerm_client_config.current.tenant_id
}
您可以使用数据资源公开 tenant_id:
data "azurerm_client_config" "current" {
}
我的 Terraform 设计依赖于一个预先配置的密钥库,其中包含应用服务使用的秘密。我将此密钥保管库导入到我的远程状态。我可以看到它已被导入。现在,当我 运行 terraform plan 时,它就好像不知道导入的资源一样。
这就是我的 terraform 的样子
provider "azurerm" {
version="=2.20.0"
skip_provider_registration="true"
features{}
}
terraform {
backend "azurerm" {}
}
resource "azurerm_key_vault" "kv" {
name = "${var.env}ActicoDQM-kv"
}
module "app_service_plan"{
source = "./modules/app-service-plan"
...redacted for brevity
tags = var.tags
}
module "app-service"{
source = "./modules/app-service"
...redacted for brevity
tags = var.tags
key_vault_id = azurerm_key_vault.kv.key_vault_id
}
为模块内的应用服务添加访问策略
resource "azurerm_app_service" "app" {
... redacted for brevity
}
identity {
type = "SystemAssigned"
}
}
resource "azurerm_key_vault_access_policy" "app" {
key_vault_id = var.key_vault_id
tenant_id = azurerm_app_service.app.identity[0].tenant_id
object_id = azurerm_app_service.app.identity[0].principal_id
secret_permissions = ["get", "list"]
}
在我的理解中似乎缺少一些link,因为现在当我这样做时
terraform plan
它就像不知道导入的密钥库一样
Error: Missing required argument
on main.tf line 19, in resource "azurerm_key_vault" "kv":
19: resource "azurerm_key_vault" "kv" {
The argument "tenant_id" is required, but no definition was found.
即使您将现有的密钥保管库导入您的 terraform 状态,您也需要根据 keyvault resource docs.
完全定义所有必需的参数您的 keyvault 资源至少应指定这些参数:
resource "azurerm_key_vault" "kv" {
name = "${var.env}ActicoDQM-kv"
location = ..
resource_group_name = ..
sku_name = "standard" or "premium"
tenant_id = data.azurerm_client_config.current.tenant_id
}
您可以使用数据资源公开 tenant_id:
data "azurerm_client_config" "current" {
}