Azure KeyVault Terraform cycle

I am trying to write a Terraform descriptor for integrating Azure Functions, KeyVault and CosmosDB.

On one hand I need the Azure Functions identity id to create the KeyVault access policy. On the other I need KeyVault's CosmosDB key reference to put into the Azure Functions configuration. That causes a cyclic dependency Azure Functions <-> KeyVault. Is there a way to solve it? If I did it manually, I would create the Azure Functions App, create the KeyVault, add the access policy in KeyVault and update Azure Functions with the KeyVault key reference. But as far as I know, Terraform doesn't allow creating a resource and updating it later.

Some code snippets:

functions.tf

variable "db_key" {
   type = string
}

resource "azurerm_linux_function_app" "my_functions" {
   ...
   app_settings = {
      "DB_KEY": var.db_key
   }
} 

output "functions_app_id" {
   value = azurerm_linux_function_app.my_functions.identity[0].principal_id
}

keyvault.tf

variable "functions_app_id" {
  type = string
}

resource "azurerm_key_vault" "my_keyvault" {
   access_policy {
      tenant_id = ...
      object_id = var.functions_app_id

      # secret_permissions is a list attribute, not a nested block
      secret_permissions = ["Get"]
   }
}

resource "azurerm_key_vault_secret" "db_key" {
   ...
}

output "db_key" {
   value = "@Microsoft.KeyVault(SecretUri=${azurerm_key_vault_secret.db_key.id})"
}

main.tf

module "functions" {
   ...
   db_key = module.key-vault.db_key
}

module "key-vault" {
   ...
   functions_app_id = module.functions.functions_app_id
}

You can:

  1. Create Key Vault with key
  2. Create function with key reference
  3. Add access policy or RBAC to vault for function

Ok, I have figured out how to do this. Instead of using the access_policy block in the key_vault script, I should have used the "azurerm_key_vault_access_policy" resource in functions.tf. Now it looks like this:

functions.tf

variable "db_key" {
   type = string
}

resource "azurerm_linux_function_app" "my_functions" {
   ...
   app_settings = {
      "DB_KEY": var.db_key
   }

   identity {
      type = "SystemAssigned"
   }
} 

resource "azurerm_key_vault_access_policy" "functions_app_access_policy" {
   key_vault_id = ... //passed as output from key_vault.tf
   tenant_id = ...
   object_id = azurerm_linux_function_app.my_functions.identity[0].principal_id

   secret_permissions = ["Get"]
}

And there is no access_policy block in the key_vault.tf file anymore.
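The ordering from the first answer (vault, then secret, then function app with the Key Vault reference, then the access policy) written out as one root module, as an added example that is not the question's or the answers' own code. The names, the `cosmos_key` variable and the pre-existing resource group, service plan and storage account are assumptions.

```hcl
# Added example: vault -> secret -> app -> policy; names and the existing resource group, plan and storage account are assumed.
data "azurerm_client_config" "current" {}
variable "resource_group_name" { type = string }
variable "location" { type = string }
variable "service_plan_id" { type = string }
variable "storage_account_name" { type = string }
variable "storage_account_access_key" { type = string }
variable "cosmos_key" {
  type      = string
  sensitive = true
}
resource "azurerm_key_vault" "kv" {
  name                = "example-kv"
  location            = var.location
  resource_group_name = var.resource_group_name
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "standard"
} # no inline access_policy block, so the vault does not depend on the app

# The principal running terraform needs write access before the secret can be created.
resource "azurerm_key_vault_access_policy" "deployer" {
  key_vault_id       = azurerm_key_vault.kv.id
  tenant_id          = data.azurerm_client_config.current.tenant_id
  object_id          = data.azurerm_client_config.current.object_id
  secret_permissions = ["Get", "Set", "Delete", "Purge"]
}
resource "azurerm_key_vault_secret" "db_key" {
  name         = "db-key"
  value        = var.cosmos_key
  key_vault_id = azurerm_key_vault.kv.id
  depends_on   = [azurerm_key_vault_access_policy.deployer]
}
resource "azurerm_linux_function_app" "fn" {
  name                       = "example-fn"
  resource_group_name        = var.resource_group_name
  location                   = var.location
  service_plan_id            = var.service_plan_id
  storage_account_name       = var.storage_account_name
  storage_account_access_key = var.storage_account_access_key
  site_config {}
  identity { type = "SystemAssigned" }
  # Key Vault reference, resolved at runtime by the app's managed identity
  app_settings = { DB_KEY = "@Microsoft.KeyVault(SecretUri=${azurerm_key_vault_secret.db_key.id})" }
}

# Depends on the vault and the app; nothing depends on it, so the graph is acyclic.
resource "azurerm_key_vault_access_policy" "fn" {
  key_vault_id       = azurerm_key_vault.kv.id
  tenant_id          = data.azurerm_client_config.current.tenant_id
  object_id          = azurerm_linux_function_app.fn.identity[0].principal_id
  secret_permissions = ["Get"]
}
```

For a vault with `enable_rbac_authorization = true`, both access policies become `azurerm_role_assignment` resources (the app needs only "Key Vault Secrets User" on the vault); the dependency ordering stays the same.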
