在部署脚本以使用 terraform 在 Azure 数据工厂中启用客户管理的密钥时,我收到一个错误,我在下面说明了这一点
On deploying Script to enable Customer Managed Key in Azure Data Factory using terraform, I am getting an error which I have stated below
在尝试使用下面的代码片段启用客户管理的密钥时,我连 Terraform plan 都无法执行。我尝试了几种方法,但都不起作用。谁能帮我解决这个问题?
```hcl
# Reproduction config from the question: one resource group, a Key Vault with a
# single access policy (for the principal running terraform), an RSA key, and a
# Data Factory whose customer_managed_key_id points at that key.
data "azurerm_client_config" "current" {}

resource "azurerm_resource_group" "example" {
  location = "West Europe"
  name     = "testadfrg"
}

# The only access_policy declared here is for the deploying principal
# (data.azurerm_client_config.current.object_id). Nothing in this config grants
# vault access to the factory's identity.
resource "azurerm_key_vault" "example" {
  name                       = "testkeyvault"
  resource_group_name        = azurerm_resource_group.example.name
  location                   = azurerm_resource_group.example.location
  tenant_id                  = data.azurerm_client_config.current.tenant_id
  sku_name                   = "standard"
  soft_delete_retention_days = 7

  access_policy {
    tenant_id          = data.azurerm_client_config.current.tenant_id
    object_id          = data.azurerm_client_config.current.object_id
    key_permissions    = ["create", "get", "purge", "recover"]
    secret_permissions = ["set"]
  }
}

# RSA-2048 key used as the customer-managed key. key_opts values are the
# lower-camel-case operation names the Key Vault key API uses.
resource "azurerm_key_vault_key" "generated" {
  name         = "adfkey"
  key_vault_id = azurerm_key_vault.example.id
  key_type     = "RSA"
  key_size     = 2048
  key_opts     = ["decrypt", "encrypt", "sign", "unwrapKey", "verify", "wrapKey"]
}

# Factory with a system-assigned identity. No access_policy in the vault above
# references that identity, so the factory has no declared way to reach the key.
resource "azurerm_data_factory" "df" {
  name                    = "testadfadf"
  resource_group_name     = azurerm_resource_group.example.name
  location                = azurerm_resource_group.example.location
  public_network_enabled  = "true"
  customer_managed_key_id = azurerm_key_vault_key.generated.id

  identity {
    type = "SystemAssigned"
  }
}
```
您必须为 ADF 创建用户分配的身份才能访问 Keyvault。然后,在 Keyvault 中为该用户分配的身份创建访问策略,最后在创建 ADF 时必须使用以下内容:
# Identity block to use on the factory: a user-assigned identity that exists
# (and can be granted vault access) before the factory is created.
identity {
  type         = "UserAssigned"
  identity_ids = [azurerm_user_assigned_identity.base.id]
}
而不是
# The block from the question that this replaces.
identity {
  type = "SystemAssigned"
}
因此,您的整体代码如下所示:
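# Working configuration from the answer, tidied. The factory reads its
# customer-managed key through a user-assigned identity that is granted vault
# access in the same apply, before the factory exists.
#
# Changes from the original listing:
#   - duplicate "Restore" entry removed and permission names written in the
#     canonical mixed case the provider documents (lowercase variants are
#     rejected by newer provider releases);
#   - the deploying principal's policy reduced to the key operations this
#     config exercises (it never touches secrets or certificates);
#   - the factory identity's policy reduced to Get/WrapKey/UnwrapKey, the
#     operations a CMK consumer needs;
#   - soft-delete retention and purge protection declared on the vault, which
#     Data Factory CMK requires;
#   - the unused null_resource "previous" dropped (nothing referenced it);
#   - public_network_enabled given as a bool rather than the string "true".
provider "azurerm" {
  features {}
}
# NOTE(review): pin the provider in a terraform { required_providers { ... } }
# block so the permission-name and CMK argument behaviour below is reproducible
# across provider upgrades.

data "azurerm_client_config" "current" {}

data "azurerm_resource_group" "example" {
  name = "yourresourcegroupname"
}

# Created independently of the factory so it can be referenced in a vault
# access_policy before the factory is created.
resource "azurerm_user_assigned_identity" "base" {
  name                = "mi-adf-keyvault"
  resource_group_name = data.azurerm_resource_group.example.name
  location            = data.azurerm_resource_group.example.location
}

resource "azurerm_key_vault" "kv" {
  name                = "ansumankeyvault01"
  resource_group_name = data.azurerm_resource_group.example.name
  location            = data.azurerm_resource_group.example.location
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "standard"

  # Data Factory CMK requires soft delete and purge protection on the vault.
  # Purge protection cannot be turned off again: on destroy the provider can
  # only soft-delete the vault and key, so a name cannot be reused until the
  # retention period has passed (or the objects are recovered).
  soft_delete_retention_days = 7
  purge_protection_enabled   = true

  # Principal running terraform: creates the key, and deletes/recovers it on
  # destroy or recreate. Scoped to key operations only.
  access_policy {
    tenant_id = data.azurerm_client_config.current.tenant_id
    object_id = data.azurerm_client_config.current.object_id

    key_permissions = [
      "Create",
      "Delete",
      "Get",
      "List",
      "Recover",
      "Update",
    ]
  }

  # Factory identity: a CMK consumer only reads key metadata and wraps/unwraps
  # the data-encryption key with it. No secret or certificate access is needed.
  access_policy {
    tenant_id = data.azurerm_client_config.current.tenant_id
    object_id = azurerm_user_assigned_identity.base.principal_id

    key_permissions = [
      "Get",
      "UnwrapKey",
      "WrapKey",
    ]
  }
}

# RSA-2048 key used as the customer-managed key. key_opts values are the
# lower-camel-case operation names the Key Vault key API uses, which is why
# they differ in case from the access-policy permission names above.
# (The name says "certificate" but this is a key; kept to avoid renaming.)
resource "azurerm_key_vault_key" "generated" {
  name         = "generated-certificate"
  key_vault_id = azurerm_key_vault.kv.id
  key_type     = "RSA"
  key_size     = 2048
  key_opts     = ["decrypt", "encrypt", "sign", "unwrapKey", "verify", "wrapKey"]
}

# Access policies on the vault can take a while to become effective for the
# newly created identity. This delay starts once the vault (and its inline
# policies) exist, and the factory waits on it. A fixed sleep is best-effort,
# not a guarantee; raise create_duration if the factory create still fails
# with a vault authorization error.
resource "time_sleep" "wait_120_seconds" {
  depends_on      = [azurerm_key_vault.kv]
  create_duration = "120s"
}

resource "azurerm_data_factory" "df" {
  name                = "ansumantestadf" # must be globally unique
  resource_group_name = data.azurerm_resource_group.example.name
  location            = data.azurerm_resource_group.example.location

  # Boolean attribute; the original passed the string "true", which Terraform
  # coerces but which reads as a misconfiguration.
  public_network_enabled = true

  customer_managed_key_id = azurerm_key_vault_key.generated.id
  # NOTE(review): newer azurerm releases also accept/require
  # customer_managed_key_identity_id = azurerm_user_assigned_identity.base.id
  # to name the identity the factory uses for the key; add it if your provider
  # version supports it.

  identity {
    type         = "UserAssigned"
    identity_ids = [azurerm_user_assigned_identity.base.id]
  }

  depends_on = [time_sleep.wait_120_seconds]
}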
注意:我使用了 time_sleep 块,因为密钥库中的访问策略可能需要一些时间才能对用户分配的身份生效。
输出:
在尝试使用下面的代码片段启用客户管理的密钥时,我连 Terraform plan 都无法执行。我尝试了几种方法,但都不起作用。谁能帮我解决这个问题?
```hcl
# Reproduction config from the question: one resource group, a Key Vault with a
# single access policy (for the principal running terraform), an RSA key, and a
# Data Factory whose customer_managed_key_id points at that key.
data "azurerm_client_config" "current" {}

resource "azurerm_resource_group" "example" {
  location = "West Europe"
  name     = "testadfrg"
}

# The only access_policy declared here is for the deploying principal
# (data.azurerm_client_config.current.object_id). Nothing in this config grants
# vault access to the factory's identity.
resource "azurerm_key_vault" "example" {
  name                       = "testkeyvault"
  resource_group_name        = azurerm_resource_group.example.name
  location                   = azurerm_resource_group.example.location
  tenant_id                  = data.azurerm_client_config.current.tenant_id
  sku_name                   = "standard"
  soft_delete_retention_days = 7

  access_policy {
    tenant_id          = data.azurerm_client_config.current.tenant_id
    object_id          = data.azurerm_client_config.current.object_id
    key_permissions    = ["create", "get", "purge", "recover"]
    secret_permissions = ["set"]
  }
}

# RSA-2048 key used as the customer-managed key. key_opts values are the
# lower-camel-case operation names the Key Vault key API uses.
resource "azurerm_key_vault_key" "generated" {
  name         = "adfkey"
  key_vault_id = azurerm_key_vault.example.id
  key_type     = "RSA"
  key_size     = 2048
  key_opts     = ["decrypt", "encrypt", "sign", "unwrapKey", "verify", "wrapKey"]
}

# Factory with a system-assigned identity. No access_policy in the vault above
# references that identity, so the factory has no declared way to reach the key.
resource "azurerm_data_factory" "df" {
  name                    = "testadfadf"
  resource_group_name     = azurerm_resource_group.example.name
  location                = azurerm_resource_group.example.location
  public_network_enabled  = "true"
  customer_managed_key_id = azurerm_key_vault_key.generated.id

  identity {
    type = "SystemAssigned"
  }
}
```
您必须为 ADF 创建用户分配的身份才能访问 Keyvault。然后,在 Keyvault 中为该用户分配的身份创建访问策略,最后在创建 ADF 时必须使用以下内容:
# Identity block to use on the factory: a user-assigned identity that exists
# (and can be granted vault access) before the factory is created.
identity {
  type         = "UserAssigned"
  identity_ids = [azurerm_user_assigned_identity.base.id]
}
而不是
# The block from the question that this replaces.
identity {
  type = "SystemAssigned"
}
因此,您的整体代码如下所示:
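# Working configuration from the answer, tidied. The factory reads its
# customer-managed key through a user-assigned identity that is granted vault
# access in the same apply, before the factory exists.
#
# Changes from the original listing:
#   - duplicate "Restore" entry removed and permission names written in the
#     canonical mixed case the provider documents (lowercase variants are
#     rejected by newer provider releases);
#   - the deploying principal's policy reduced to the key operations this
#     config exercises (it never touches secrets or certificates);
#   - the factory identity's policy reduced to Get/WrapKey/UnwrapKey, the
#     operations a CMK consumer needs;
#   - soft-delete retention and purge protection declared on the vault, which
#     Data Factory CMK requires;
#   - the unused null_resource "previous" dropped (nothing referenced it);
#   - public_network_enabled given as a bool rather than the string "true".
provider "azurerm" {
  features {}
}
# NOTE(review): pin the provider in a terraform { required_providers { ... } }
# block so the permission-name and CMK argument behaviour below is reproducible
# across provider upgrades.

data "azurerm_client_config" "current" {}

data "azurerm_resource_group" "example" {
  name = "yourresourcegroupname"
}

# Created independently of the factory so it can be referenced in a vault
# access_policy before the factory is created.
resource "azurerm_user_assigned_identity" "base" {
  name                = "mi-adf-keyvault"
  resource_group_name = data.azurerm_resource_group.example.name
  location            = data.azurerm_resource_group.example.location
}

resource "azurerm_key_vault" "kv" {
  name                = "ansumankeyvault01"
  resource_group_name = data.azurerm_resource_group.example.name
  location            = data.azurerm_resource_group.example.location
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "standard"

  # Data Factory CMK requires soft delete and purge protection on the vault.
  # Purge protection cannot be turned off again: on destroy the provider can
  # only soft-delete the vault and key, so a name cannot be reused until the
  # retention period has passed (or the objects are recovered).
  soft_delete_retention_days = 7
  purge_protection_enabled   = true

  # Principal running terraform: creates the key, and deletes/recovers it on
  # destroy or recreate. Scoped to key operations only.
  access_policy {
    tenant_id = data.azurerm_client_config.current.tenant_id
    object_id = data.azurerm_client_config.current.object_id

    key_permissions = [
      "Create",
      "Delete",
      "Get",
      "List",
      "Recover",
      "Update",
    ]
  }

  # Factory identity: a CMK consumer only reads key metadata and wraps/unwraps
  # the data-encryption key with it. No secret or certificate access is needed.
  access_policy {
    tenant_id = data.azurerm_client_config.current.tenant_id
    object_id = azurerm_user_assigned_identity.base.principal_id

    key_permissions = [
      "Get",
      "UnwrapKey",
      "WrapKey",
    ]
  }
}

# RSA-2048 key used as the customer-managed key. key_opts values are the
# lower-camel-case operation names the Key Vault key API uses, which is why
# they differ in case from the access-policy permission names above.
# (The name says "certificate" but this is a key; kept to avoid renaming.)
resource "azurerm_key_vault_key" "generated" {
  name         = "generated-certificate"
  key_vault_id = azurerm_key_vault.kv.id
  key_type     = "RSA"
  key_size     = 2048
  key_opts     = ["decrypt", "encrypt", "sign", "unwrapKey", "verify", "wrapKey"]
}

# Access policies on the vault can take a while to become effective for the
# newly created identity. This delay starts once the vault (and its inline
# policies) exist, and the factory waits on it. A fixed sleep is best-effort,
# not a guarantee; raise create_duration if the factory create still fails
# with a vault authorization error.
resource "time_sleep" "wait_120_seconds" {
  depends_on      = [azurerm_key_vault.kv]
  create_duration = "120s"
}

resource "azurerm_data_factory" "df" {
  name                = "ansumantestadf" # must be globally unique
  resource_group_name = data.azurerm_resource_group.example.name
  location            = data.azurerm_resource_group.example.location

  # Boolean attribute; the original passed the string "true", which Terraform
  # coerces but which reads as a misconfiguration.
  public_network_enabled = true

  customer_managed_key_id = azurerm_key_vault_key.generated.id
  # NOTE(review): newer azurerm releases also accept/require
  # customer_managed_key_identity_id = azurerm_user_assigned_identity.base.id
  # to name the identity the factory uses for the key; add it if your provider
  # version supports it.

  identity {
    type         = "UserAssigned"
    identity_ids = [azurerm_user_assigned_identity.base.id]
  }

  depends_on = [time_sleep.wait_120_seconds]
}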
注意:我使用了 time_sleep 块,因为密钥库中的访问策略可能需要一些时间才能对用户分配的身份生效。
输出: