将 OCI Terraform 提供程序变量作为机密存储在 Azure Key Vault 中并通过 Azure DevOps Pipeline 执行

Question

I'm using Azure Key Vault, Git and DevOps Pipelines and my intention is to execute Terraform code against Oracle Cloud Infrastructure (OCI). I've configured the necessary resource group, storage account, container, uploaded the OCI provider variables into Key Vault.

I've tried storing the API signing key as a secret, and as a key, but Terraform throws provider-related errors regarding the private key. I'm looking for the proper way to get the content of the private key from Azure Key Vault and pass it to the OCI provider. Or just the proper way to leverage Key Vault with the OCI provider.

This is the error I'm getting during Terraform Plan:

Error: Incorrect attribute value type. Inappropriate value for attribute "private_key": string required.

My code looks as follows:

provider "oci" {
  ### Tenancy Connectivity variables
  tenancy_ocid = "${data.azurerm_key_vault_secret.tenancy-ocid.value}"
  user_ocid    = "${data.azurerm_key_vault_secret.dev-user-ocid.value}"
  fingerprint  = "${data.azurerm_key_vault_secret.key-fprint.value}"
  private_key = "${data.azurerm_key_vault_key.oci-private-key}"
  private_key_password = ""
  region = var.home_region
}

The Terraform Plan operation only seems to complain about the private key, while the other secrets are read successuflly. Any help would be appreciated!

Answer 1

For the first three pairs, you retrieve the value, which is translated to a string. The provider is not complaining, as these are accepted values.

However, it looks like for the private key, you are not passing the key contents (value attribute might be missing). I am no expert in how to retrieve the contents of the private key from Azure, but you have to pass the "value" of the key...