Rotate Azure storage account access keys using terraform
I have the below requirements.
resource "azurerm_storage_account" "example" {
  name                          = "storageaccrotatekeys"
  resource_group_name           = "accessrotate"
  location                      = "East US"
  account_tier                  = "Standard"
  account_replication_type      = "LRS"
  public_network_access_enabled = false
}
The azurerm_storage_account resource below only contains attributes for primary_access_key and secondary_access_key, and those are sensitive values. I couldn't find any option to rotate keys. Please help: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account#import
It may not be directly possible with Terraform to rotate the access keys AFAIK, but please check this customer_managed_key block that can be given in the azurerm_storage_account resource block, where auto rotation can be enabled with keyVaultId and version. This customer_managed_key block contains the argument key_version, which is optional, to mention the version of the Key Vault key. To enable automatic key rotation you can avoid this option.
Note: customer_managed_key needs account_kind to be StorageV2 and UserAssigned as the identity type.
Code: from azurerm_storage_account_customer_managed_key | Resources | hashicorp/azurerm | Terraform Registry
provider "azurerm" {
  features {
    resource_group {
      prevent_deletion_if_contains_resources = false
    }
  }
}

resource "azurerm_resource_group" "example" {
  name     = "<resource group>"
  location = "westus2"
}

# Second, aliased provider instance (not used by the resources below).
provider "azurerm" {
  features {}
  alias = "cloud_operations"
}

# Tenant and object id of the identity running terraform.
data "azurerm_client_config" "current" {}

resource "azurerm_key_vault" "example" {
  name                     = "ka-examplekv"
  location                 = azurerm_resource_group.example.location
  resource_group_name      = azurerm_resource_group.example.name
  tenant_id                = data.azurerm_client_config.current.tenant_id
  sku_name                 = "standard"
  purge_protection_enabled = true
}

# Lets the storage account's managed identity wrap/unwrap the encryption key.
resource "azurerm_key_vault_access_policy" "storage" {
  key_vault_id = azurerm_key_vault.example.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = azurerm_storage_account.example.identity[0].principal_id

  key_permissions    = ["Get", "Create", "List", "Restore", "Recover", "UnwrapKey", "WrapKey", "Purge", "Encrypt", "Decrypt", "Sign", "Verify"]
  secret_permissions = ["Get"]
}

# Lets the identity running terraform create and manage the key.
resource "azurerm_key_vault_access_policy" "client" {
  key_vault_id = azurerm_key_vault.example.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = data.azurerm_client_config.current.object_id

  key_permissions    = ["Get", "Create", "Delete", "List", "Restore", "Recover", "UnwrapKey", "WrapKey", "Purge", "Encrypt", "Decrypt", "Sign", "Verify"]
  secret_permissions = ["Get", "List"]
}

resource "azurerm_key_vault_key" "example" {
  name         = "ka-tfexkey"
  key_vault_id = azurerm_key_vault.example.id
  key_type     = "RSA"
  key_size     = 2048
  key_opts     = ["decrypt", "encrypt", "sign", "unwrapKey", "verify", "wrapKey"]

  depends_on = [
    azurerm_key_vault_access_policy.client,
    azurerm_key_vault_access_policy.storage,
  ]
}

resource "azurerm_storage_account" "example" {
  name                     = "kaexamplestor"
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "GRS"

  identity {
    type = "SystemAssigned"
  }
}

# Points the storage account's encryption at the Key Vault key above.
resource "azurerm_storage_account_customer_managed_key" "example" {
  storage_account_id = azurerm_storage_account.example.id
  key_vault_id       = azurerm_key_vault.example.id
  key_name           = azurerm_key_vault_key.example.name
}
Also check this time_rotating resource, which rotates a UTC timestamp stored in the Terraform state and recreates the resource when the current time in the locally stored source is beyond the rotation time. This occurs only when Terraform is executed.
Reference: customer_managed_key in azurerm_storage_account | Resources | hashicorp/azurerm | Terraform Registry
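The following is an added example, not code from the question or the answer above, showing how the time_rotating resource the answer points to can be wired to the access keys the question asks about. It assumes the hashicorp/time and hashicorp/azurerm providers, Terraform 1.4 or later (for terraform_data), and an Azure CLI session that is already logged in on the machine running terraform apply; the resource group, storage account name and the 30-day interval are placeholders.

```hcl
# Added example: schedule-driven regeneration of a storage account access key.
# Assumptions: hashicorp/time and hashicorp/azurerm providers, Terraform >= 1.4,
# and `az login` already done where terraform apply runs. Names are placeholders.

terraform {
  required_providers {
    azurerm = { source = "hashicorp/azurerm" }
    time    = { source = "hashicorp/time" }
  }
}

provider "azurerm" {
  features {}
}

resource "azurerm_resource_group" "example" {
  name     = "accessrotate"
  location = "East US"
}

resource "azurerm_storage_account" "example" {
  name                          = "storageaccrotatekeys"
  resource_group_name           = azurerm_resource_group.example.name
  location                      = azurerm_resource_group.example.location
  account_tier                  = "Standard"
  account_replication_type      = "LRS"
  public_network_access_enabled = false
}

# Clock resource: the timestamp stored in state is replaced once rotation_days
# have elapsed, but only on a terraform plan/apply that runs after that point.
resource "time_rotating" "storage_keys" {
  rotation_days = 30
}

# Replaced whenever the clock above is replaced; the provisioner then asks
# Azure to regenerate the secondary key. Regeneration invalidates the old key
# value immediately, so rotate the key clients are NOT currently using and
# move them onto it before the other key is regenerated.
resource "terraform_data" "rotate_storage_keys" {
  triggers_replace = [time_rotating.storage_keys.id]

  provisioner "local-exec" {
    command = <<-EOT
      az storage account keys renew \
        --resource-group ${azurerm_storage_account.example.resource_group_name} \
        --account-name ${azurerm_storage_account.example.name} \
        --key secondary
    EOT
  }
}
```

Two caveats a practitioner should keep in mind. First, the regeneration happens outside the azurerm resource, so secondary_access_key held in state is stale until the next refresh (a following plan or apply picks up the new value). Second, nothing here alternates between the two keys; a real rotation procedure regenerates one key, moves every consumer onto it, and only then regenerates the other, so that no client is left holding a key that no longer exists.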