在 terraform 中,azurerm cosmosdb default_identity_type 设置是什么?
In terraform, what is the azurerm cosmosdb default_identity_type setting?
Azure 中 CosmosDB 的默认标识类型是什么?
当我运行我的 Terraform 计划时,default_identity_type 显示将被更新,但我不知道它是什么。我能在 CLI、资源管理器或门户中看到这个值吗?这个设置对应 Azure 中的哪个属性?
这是 azurerm 文档的内容:
default_identity_type -(可选)用于访问 Key Vault 的默认身份。可能的值为 FirstPartyIdentity、SystemAssignedIdentity 或以 UserAssignedIdentity 开头。默认为 FirstPartyIdentity。
有一个身份块,但这似乎与 default_identity_type 不同。
文档说它是为了将 CosmosDB 与密钥保管库一起使用,但据我所知,CosmosDB 资源中没有用于使用密钥保管库的特殊设置。
identity 块定义了 cosmosdb 帐户的托管身份,目前只能是 System Assigned;而 default_identity_type 指定 cosmosdb 帐户访问密钥保管库(用于加密目的)时所使用的身份。
default_identity_type 默认为 FirstPartyIdentity,这意味着使用一个名为“Azure Cosmos DB”的默认(第一方)身份——Azure 中的所有 cosmosdb 资源都共用它——来访问密钥保管库,如下面的示例 1 所示。如果您使用了 type 为 SystemAssigned 的 identity 块,就可以在 default_identity_type 参数中指定 SystemAssignedIdentity,如下面的示例 2 所示。
示例 1:
# Provider configuration; the empty features block is mandatory for azurerm 2.x and later.
provider "azurerm" {
  features {}
}
# Resource group that holds the vault, the key and the Cosmos DB account below.
resource "azurerm_resource_group" "example" {
  location = "eastus"
  name     = "ansumantest-resources"
}
# Looks up the Microsoft-owned (first-party) "Azure Cosmos DB" service principal.
# This is the identity the account uses when default_identity_type = "FirstPartyIdentity",
# so it is the principal that must be granted key access in the vault.
data "azuread_service_principal" "cosmosdb" {
  display_name = "Azure Cosmos DB"
}
# The principal running this apply; its tenant and object id feed the vault access policies.
data "azurerm_client_config" "current" {}
# Key Vault holding the customer-managed key used to encrypt the Cosmos DB account.
resource "azurerm_key_vault" "example" {
  name                     = "ansumantestkv12" # example value; vault names are globally unique
  location                 = azurerm_resource_group.example.location
  resource_group_name      = azurerm_resource_group.example.name
  tenant_id                = data.azurerm_client_config.current.tenant_id
  sku_name                 = "premium"
  purge_protection_enabled = true # presumably required for Cosmos DB CMK — confirm for your provider version

  # Bootstrap rights for the principal running Terraform so the key can be created.
  # create/delete are management permissions; Cosmos DB itself never needs them.
  access_policy {
    tenant_id       = data.azurerm_client_config.current.tenant_id
    object_id       = data.azurerm_client_config.current.object_id
    key_permissions = ["list", "create", "delete", "get", "update"]
  }

  # Least-privilege grant to the first-party Cosmos DB service principal:
  # only the operations needed to wrap/unwrap the data-encryption key.
  access_policy {
    tenant_id       = data.azurerm_client_config.current.tenant_id
    object_id       = data.azuread_service_principal.cosmosdb.id
    key_permissions = ["get", "unwrapKey", "wrapKey"]
  }
}
# RSA key that Cosmos DB uses to wrap its data-encryption keys.
resource "azurerm_key_vault_key" "example" {
  name         = "ansumantestkey1"
  key_vault_id = azurerm_key_vault.example.id
  key_type     = "RSA"
  key_size     = 3072
  # wrapKey/unwrapKey are the operations the Cosmos DB access policy actually relies on.
  key_opts     = ["decrypt", "encrypt", "wrapKey", "unwrapKey"]
}
# Cosmos DB account encrypted with the customer-managed key above. The key is reached through
# the first-party "Azure Cosmos DB" identity, which is the provider default for default_identity_type.
resource "azurerm_cosmosdb_account" "example" {
  name                = "ansumantest-cosmosdb"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  offer_type          = "Standard"
  kind                = "MongoDB"

  # Versionless key URI, so the account is not pinned to one specific key version.
  key_vault_key_id      = azurerm_key_vault_key.example.versionless_id
  default_identity_type = "FirstPartyIdentity"

  consistency_policy {
    consistency_level = "Strong"
  }

  geo_location {
    failover_priority = 0
    location          = azurerm_resource_group.example.location
  }
}
在此方法中,用于访问密钥保管库的标识是默认的 Azure Cosmos DB 服务主体,因此门户中该帐户的“标识”(Identity)边栏选项卡不会显示任何详细信息;只有在“数据加密”(Data Encryption)边栏选项卡中才能看到密钥保管库的详细信息。
示例 2:
# Provider configuration; the empty features block is mandatory for azurerm 2.x and later.
provider "azurerm" {
  features {}
}
# Resource group that holds the vault, the key and the Cosmos DB account below.
resource "azurerm_resource_group" "example" {
  location = "eastus"
  name     = "ansumantest-resources"
}
# The principal running this apply; its tenant and object id feed the vault access policies.
data "azurerm_client_config" "current" {}
# Key Vault for the customer-managed key. Only the deploying principal gets an inline policy here;
# the Cosmos DB managed identity is granted separately once the account (and its identity) exists.
# NOTE(review): combining inline access_policy blocks with a standalone
# azurerm_key_vault_access_policy resource on the same vault may make the provider try to
# reconcile the policy list on later applies — confirm against the provider docs for your version.
resource "azurerm_key_vault" "example" {
  name                     = "ansumantestkv12" # example value; vault names are globally unique
  location                 = azurerm_resource_group.example.location
  resource_group_name      = azurerm_resource_group.example.name
  tenant_id                = data.azurerm_client_config.current.tenant_id
  sku_name                 = "premium"
  purge_protection_enabled = true # presumably required for Cosmos DB CMK — confirm for your provider version

  # Bootstrap rights for the principal running Terraform so the key can be created.
  access_policy {
    tenant_id       = data.azurerm_client_config.current.tenant_id
    object_id       = data.azurerm_client_config.current.object_id
    key_permissions = ["list", "create", "delete", "get", "update"]
  }
}
# RSA key that Cosmos DB uses to wrap its data-encryption keys.
resource "azurerm_key_vault_key" "example" {
  name         = "ansumantestkey2"
  key_vault_id = azurerm_key_vault.example.id
  key_type     = "RSA"
  key_size     = 3072
  # wrapKey/unwrapKey are the operations the Cosmos DB access policy actually relies on.
  key_opts     = ["decrypt", "encrypt", "wrapKey", "unwrapKey"]
}
# Cosmos DB account with a system-assigned managed identity and a customer-managed key.
# On the first apply the account must still use FirstPartyIdentity: the managed identity does
# not exist until the account is created, so it cannot yet hold any Key Vault permissions.
# Once the separate access policy for identity[0].principal_id has been applied, change
# default_identity_type to "SystemAssignedIdentity" and re-apply this resource.
resource "azurerm_cosmosdb_account" "example" {
  name                = "ansumantest-cosmosdb"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  offer_type          = "Standard"
  kind                = "MongoDB"

  # Versionless key URI, so the account is not pinned to one specific key version.
  key_vault_key_id      = azurerm_key_vault_key.example.versionless_id
  default_identity_type = "FirstPartyIdentity"
  # Second step, after the identity has been granted vault access:
  # default_identity_type = "SystemAssignedIdentity"

  consistency_policy {
    consistency_level = "Strong"
  }

  # System-assigned managed identity for this account; its principal_id is created by Azure.
  identity {
    type = "SystemAssigned"
  }

  geo_location {
    failover_priority = 0
    location          = azurerm_resource_group.example.location
  }
}
# Grants the account's system-assigned identity the minimum key rights needed to
# wrap/unwrap the data-encryption key. Referencing identity[0].principal_id makes this
# resource depend on the account, so it is created only after the identity exists.
resource "azurerm_key_vault_access_policy" "example" {
  key_vault_id    = azurerm_key_vault.example.id
  tenant_id       = data.azurerm_client_config.current.tenant_id
  object_id       = azurerm_cosmosdb_account.example.identity[0].principal_id
  key_permissions = ["get", "unwrapKey", "wrapKey"]
}
在此示例中,您无法在首次创建 cosmosdb 帐户时就设置 default_identity_type = SystemAssignedIdentity。一旦使用默认身份类型 FirstPartyIdentity 部署了 cosmos db(并为其系统分配的身份授予了密钥保管库访问权限),您就可以将其修改为 SystemAssignedIdentity,然后使用以下命令只对 cosmosdb 资源应用更新:
terraform apply -target="azurerm_cosmosdb_account.example" -auto-approve
Azure 中 CosmosDB 的默认标识类型是什么?
当我运行我的 Terraform 计划时,default_identity_type 显示将被更新,但我不知道它是什么。我能在 CLI、资源管理器或门户中看到这个值吗?这个设置对应 Azure 中的哪个属性?
这是 azurerm 文档的内容: default_identity_type -(可选)用于访问 Key Vault 的默认身份。可能的值为 FirstPartyIdentity、SystemAssignedIdentity 或以 UserAssignedIdentity 开头。默认为 FirstPartyIdentity。
有一个身份块,但这似乎与 default_identity_type 不同。
文档说它是为了将 CosmosDB 与密钥保管库一起使用,但据我所知,CosmosDB 资源中没有用于使用密钥保管库的特殊设置。
identity 块定义了 cosmosdb 帐户的托管身份,目前只能是 System Assigned;而 default_identity_type 指定 cosmosdb 帐户访问密钥保管库(用于加密目的)时所使用的身份。
default_identity_type 默认为 FirstPartyIdentity,这意味着使用一个名为“Azure Cosmos DB”的默认(第一方)身份——Azure 中的所有 cosmosdb 资源都共用它——来访问密钥保管库,如下面的示例 1 所示。如果您使用了 type 为 SystemAssigned 的 identity 块,就可以在 default_identity_type 参数中指定 SystemAssignedIdentity,如下面的示例 2 所示。
示例 1:
# Provider configuration; the empty features block is mandatory for azurerm 2.x and later.
provider "azurerm" {
  features {}
}
# Resource group that holds the vault, the key and the Cosmos DB account below.
resource "azurerm_resource_group" "example" {
  location = "eastus"
  name     = "ansumantest-resources"
}
# Looks up the Microsoft-owned (first-party) "Azure Cosmos DB" service principal.
# This is the identity the account uses when default_identity_type = "FirstPartyIdentity",
# so it is the principal that must be granted key access in the vault.
data "azuread_service_principal" "cosmosdb" {
  display_name = "Azure Cosmos DB"
}
# The principal running this apply; its tenant and object id feed the vault access policies.
data "azurerm_client_config" "current" {}
# Key Vault holding the customer-managed key used to encrypt the Cosmos DB account.
resource "azurerm_key_vault" "example" {
  name                     = "ansumantestkv12" # example value; vault names are globally unique
  location                 = azurerm_resource_group.example.location
  resource_group_name      = azurerm_resource_group.example.name
  tenant_id                = data.azurerm_client_config.current.tenant_id
  sku_name                 = "premium"
  purge_protection_enabled = true # presumably required for Cosmos DB CMK — confirm for your provider version

  # Bootstrap rights for the principal running Terraform so the key can be created.
  # create/delete are management permissions; Cosmos DB itself never needs them.
  access_policy {
    tenant_id       = data.azurerm_client_config.current.tenant_id
    object_id       = data.azurerm_client_config.current.object_id
    key_permissions = ["list", "create", "delete", "get", "update"]
  }

  # Least-privilege grant to the first-party Cosmos DB service principal:
  # only the operations needed to wrap/unwrap the data-encryption key.
  access_policy {
    tenant_id       = data.azurerm_client_config.current.tenant_id
    object_id       = data.azuread_service_principal.cosmosdb.id
    key_permissions = ["get", "unwrapKey", "wrapKey"]
  }
}
# RSA key that Cosmos DB uses to wrap its data-encryption keys.
resource "azurerm_key_vault_key" "example" {
  name         = "ansumantestkey1"
  key_vault_id = azurerm_key_vault.example.id
  key_type     = "RSA"
  key_size     = 3072
  # wrapKey/unwrapKey are the operations the Cosmos DB access policy actually relies on.
  key_opts     = ["decrypt", "encrypt", "wrapKey", "unwrapKey"]
}
# Cosmos DB account encrypted with the customer-managed key above. The key is reached through
# the first-party "Azure Cosmos DB" identity, which is the provider default for default_identity_type.
resource "azurerm_cosmosdb_account" "example" {
  name                = "ansumantest-cosmosdb"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  offer_type          = "Standard"
  kind                = "MongoDB"

  # Versionless key URI, so the account is not pinned to one specific key version.
  key_vault_key_id      = azurerm_key_vault_key.example.versionless_id
  default_identity_type = "FirstPartyIdentity"

  consistency_policy {
    consistency_level = "Strong"
  }

  geo_location {
    failover_priority = 0
    location          = azurerm_resource_group.example.location
  }
}
在此方法中,用于访问密钥保管库的标识是默认的 Azure Cosmos DB 服务主体,因此门户中该帐户的“标识”(Identity)边栏选项卡不会显示任何详细信息;只有在“数据加密”(Data Encryption)边栏选项卡中才能看到密钥保管库的详细信息。
示例 2:
# Provider configuration; the empty features block is mandatory for azurerm 2.x and later.
provider "azurerm" {
  features {}
}
# Resource group that holds the vault, the key and the Cosmos DB account below.
resource "azurerm_resource_group" "example" {
  location = "eastus"
  name     = "ansumantest-resources"
}
# The principal running this apply; its tenant and object id feed the vault access policies.
data "azurerm_client_config" "current" {}
# Key Vault for the customer-managed key. Only the deploying principal gets an inline policy here;
# the Cosmos DB managed identity is granted separately once the account (and its identity) exists.
# NOTE(review): combining inline access_policy blocks with a standalone
# azurerm_key_vault_access_policy resource on the same vault may make the provider try to
# reconcile the policy list on later applies — confirm against the provider docs for your version.
resource "azurerm_key_vault" "example" {
  name                     = "ansumantestkv12" # example value; vault names are globally unique
  location                 = azurerm_resource_group.example.location
  resource_group_name      = azurerm_resource_group.example.name
  tenant_id                = data.azurerm_client_config.current.tenant_id
  sku_name                 = "premium"
  purge_protection_enabled = true # presumably required for Cosmos DB CMK — confirm for your provider version

  # Bootstrap rights for the principal running Terraform so the key can be created.
  access_policy {
    tenant_id       = data.azurerm_client_config.current.tenant_id
    object_id       = data.azurerm_client_config.current.object_id
    key_permissions = ["list", "create", "delete", "get", "update"]
  }
}
# RSA key that Cosmos DB uses to wrap its data-encryption keys.
resource "azurerm_key_vault_key" "example" {
  name         = "ansumantestkey2"
  key_vault_id = azurerm_key_vault.example.id
  key_type     = "RSA"
  key_size     = 3072
  # wrapKey/unwrapKey are the operations the Cosmos DB access policy actually relies on.
  key_opts     = ["decrypt", "encrypt", "wrapKey", "unwrapKey"]
}
# Cosmos DB account with a system-assigned managed identity and a customer-managed key.
# On the first apply the account must still use FirstPartyIdentity: the managed identity does
# not exist until the account is created, so it cannot yet hold any Key Vault permissions.
# Once the separate access policy for identity[0].principal_id has been applied, change
# default_identity_type to "SystemAssignedIdentity" and re-apply this resource.
resource "azurerm_cosmosdb_account" "example" {
  name                = "ansumantest-cosmosdb"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  offer_type          = "Standard"
  kind                = "MongoDB"

  # Versionless key URI, so the account is not pinned to one specific key version.
  key_vault_key_id      = azurerm_key_vault_key.example.versionless_id
  default_identity_type = "FirstPartyIdentity"
  # Second step, after the identity has been granted vault access:
  # default_identity_type = "SystemAssignedIdentity"

  consistency_policy {
    consistency_level = "Strong"
  }

  # System-assigned managed identity for this account; its principal_id is created by Azure.
  identity {
    type = "SystemAssigned"
  }

  geo_location {
    failover_priority = 0
    location          = azurerm_resource_group.example.location
  }
}
# Grants the account's system-assigned identity the minimum key rights needed to
# wrap/unwrap the data-encryption key. Referencing identity[0].principal_id makes this
# resource depend on the account, so it is created only after the identity exists.
resource "azurerm_key_vault_access_policy" "example" {
  key_vault_id    = azurerm_key_vault.example.id
  tenant_id       = data.azurerm_client_config.current.tenant_id
  object_id       = azurerm_cosmosdb_account.example.identity[0].principal_id
  key_permissions = ["get", "unwrapKey", "wrapKey"]
}
在此示例中,您无法在首次创建 cosmosdb 帐户时就设置 default_identity_type = SystemAssignedIdentity。一旦使用默认身份类型 FirstPartyIdentity 部署了 cosmos db(并为其系统分配的身份授予了密钥保管库访问权限),您就可以将其修改为 SystemAssignedIdentity,然后使用以下命令只对 cosmosdb 资源应用更新:
terraform apply -target="azurerm_cosmosdb_account.example" -auto-approve