Azure KeyVault Terraform cycle
I am trying to write a Terraform descriptor for integrating Azure Functions, KeyVault and CosmosDB.
On one hand, I need the Azure Functions identity id to create the KeyVault access policy. On the other, I need KeyVault's CosmosDB key reference to put into the Azure Functions configuration.
That causes a cyclic dependency Azure Functions <-> KeyVault.
Is there a way to solve it?
If I did it manually, I would create the Azure Functions App, create the KeyVault, add the access policy in the KeyVault and update Azure Functions with the KeyVault key reference.
But as far as I know, Terraform doesn't allow creating a resource and updating it later.
Some code snippets:
functions.tf
variable "db_key" {
  type = string
}
resource "azurerm_linux_function_app" "my_functions" {
  ...
  app_settings = {
    "DB_KEY" = var.db_key
  }
}
output "functions_app_id" {
  value = azurerm_linux_function_app.my_functions.identity[0].principal_id
}
keyvault.tf
variable "functions_app_id" {
  type = string
}
resource "azurerm_key_vault" "my_keyvault" {
  access_policy {
    tenant_id          = ...
    object_id          = var.functions_app_id
    secret_permissions = ["Get"]
  }
}
resource "azurerm_key_vault_secret" "db_key" {
  ...
}
output "db_key" {
  value = "@Microsoft.KeyVault(SecretUri=${azurerm_key_vault_secret.db_key.id})"
}
main.tf
module "functions" {
  ...
  db_key = module.key-vault.db_key
}
module "key-vault" {
  ...
  functions_app_id = module.functions.functions_app_id
}
You can:
Ok, I have figured out how to do this. Instead of using the access_policy block in the key_vault script, I should have used the "azurerm_key_vault_access_policy" resource in functions.tf.
Now it looks like this:
functions.tf
variable "db_key" {
  type = string
}
resource "azurerm_linux_function_app" "my_functions" {
  ...
  app_settings = {
    "DB_KEY" = var.db_key
  }
  identity {
    type = "SystemAssigned"
  }
}
resource "azurerm_key_vault_access_policy" "functions_app_access_policy" {
  key_vault_id       = ... // passed as output from key_vault.tf
  tenant_id          = ...
  object_id          = azurerm_linux_function_app.my_functions.identity[0].principal_id
  secret_permissions = ["Get"]
}
And there is no access_policy block in the key_vault.tf file anymore.
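The layout from the answer carried through to a complete configuration in one file, as an added example (not the question's or answer's own code): the graph is now function app -> secret -> vault, with each access policy depending on the vault and its principal, so nothing points back at the app. It also grants the identity running terraform apply write access so the secret can be created; the `example-*` names and the variables are assumptions.

```hcl
variable "location" {}
variable "resource_group_name" {}
variable "service_plan_id" {}
variable "storage_account_name" {}
variable "storage_account_access_key" { sensitive = true }
# Would normally come from azurerm_cosmosdb_account's primary_key attribute.
variable "cosmosdb_primary_key" { sensitive = true }
data "azurerm_client_config" "current" {}
# No inline access_policy block, so the vault never references the app.
resource "azurerm_key_vault" "kv" {
  name                = "example-kv"
  location            = var.location
  resource_group_name = var.resource_group_name
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "standard"
}
# The identity running terraform apply needs write access to create the secret.
resource "azurerm_key_vault_access_policy" "deployer" {
  key_vault_id       = azurerm_key_vault.kv.id
  tenant_id          = data.azurerm_client_config.current.tenant_id
  object_id          = data.azurerm_client_config.current.object_id
  secret_permissions = ["Get", "Set", "Delete", "Recover"]
}
resource "azurerm_key_vault_secret" "db_key" {
  name         = "cosmos-primary-key"
  value        = var.cosmosdb_primary_key
  key_vault_id = azurerm_key_vault.kv.id
  depends_on   = [azurerm_key_vault_access_policy.deployer] # nothing references it, so order explicitly
}
resource "azurerm_linux_function_app" "fn" {
  name                       = "example-fn"
  location                   = var.location
  resource_group_name        = var.resource_group_name
  service_plan_id            = var.service_plan_id
  storage_account_name       = var.storage_account_name
  storage_account_access_key = var.storage_account_access_key
  site_config {}
  identity { type = "SystemAssigned" }
  app_settings = {
    # Versionless URI: a rotated secret is picked up without a redeploy.
    "DB_KEY" = "@Microsoft.KeyVault(SecretUri=${azurerm_key_vault_secret.db_key.versionless_id})"
  }
}
# Read-only grant for the app identity; this depends on the app, not the reverse.
resource "azurerm_key_vault_access_policy" "fn" {
  key_vault_id       = azurerm_key_vault.kv.id
  tenant_id          = data.azurerm_client_config.current.tenant_id
  object_id          = azurerm_linux_function_app.fn.identity[0].principal_id
  secret_permissions = ["Get"]
}
```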