
Rotate Azure storage account access keys using terraform

I have the below requirements.

  1. Rotate Storage account access keys (primary_access_key and secondary_access_key, both) via terraform.
  2. Add the newly regenerated keys as a new version to the Secrets created in keyvault for both the primary and secondary access keys.
resource "azurerm_storage_account" "example" {
  name                     = "storageaccrotatekeys"
  resource_group_name      = "accessrotate"
  location                 = "East US"
  account_tier             = "Standard"
  account_replication_type = "LRS"
  public_network_access_enabled = false
}

Below, the azurerm_storage_account resource only contains attributes for primary_access_key and secondary_access_key, and those are sensitive values too. I couldn't find any option to rotate keys. Please help: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account#import

It may not be directly possible with terraform to rotate the access keys AFAIK, but please check this customer_managed_key block that can be given in the resource azurerm_storage_account block, where auto rotation can be enabled with keyvaultId and version. This customer_managed_key contains the argument key_version, which is Optional, to mention the version of the Key Vault Key. To enable Automatic Key Rotation you can avoid this option.

  • To manually rotate, give the version in the block key_version.
  • If a separate block is created for customer_managed_key, you can provide the required argument key_vault_key_id, where giving a version-less key ID will enable auto-rotation of this key.

Note: customer_managed_key needs account_kind to be StorageV2 and UserAssigned as the identity type.

Code: from azurerm_storage_account_customer_managed_key | Resources | hashicorp/azurerm | Terraform Registry

provider "azurerm" {
  features {
    resource_group {
      prevent_deletion_if_contains_resources = false
    }
  }
}

resource "azurerm_resource_group" "example" {
  name     = "<resource group>"
  location = "westus2"
}

provider "azurerm" {
  features {}
  alias = "cloud_operations"
}

data "azurerm_client_config" "current" {}



resource "azurerm_key_vault" "example" {
  name                = "ka-examplekv"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "standard"

  purge_protection_enabled = true
}

resource "azurerm_key_vault_access_policy" "storage" {
  key_vault_id = azurerm_key_vault.example.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = azurerm_storage_account.example.identity.0.principal_id
  key_permissions    = ["Get", "Create", "List", "Restore", "Recover", "UnwrapKey", "WrapKey", "Purge", "Encrypt", "Decrypt", "Sign", "Verify"]
  secret_permissions = ["Get"]

}

resource "azurerm_key_vault_access_policy" "client" {
  key_vault_id = azurerm_key_vault.example.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = data.azurerm_client_config.current.object_id

  key_permissions    = ["Get", "Create", "Delete", "List", "Restore", "Recover", "UnwrapKey", "WrapKey", "Purge", "Encrypt", "Decrypt", "Sign", "Verify"]
  secret_permissions = ["Get","List"]
}


resource "azurerm_key_vault_key" "example" {
  name         = "ka-tfexkey"
  key_vault_id = azurerm_key_vault.example.id
  key_type     = "RSA"
  key_size     = 2048
  key_opts     = ["decrypt", "encrypt", "sign", "unwrapKey", "verify", "wrapKey"]

  depends_on = [
    azurerm_key_vault_access_policy.client,
    azurerm_key_vault_access_policy.storage,
  ]
}


resource "azurerm_storage_account" "example" {
  name                     = "kaexamplestor"
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "GRS"

  identity {
    type = "SystemAssigned"
  }
}

resource "azurerm_storage_account_customer_managed_key" "example" {
  storage_account_id = azurerm_storage_account.example.id
  key_vault_id       = azurerm_key_vault.example.id
  key_name           = azurerm_key_vault_key.example.name
}

Also check this time_rotating resource, which rotates a UTC timestamp stored in the Terraform state and recreates the resource when the current time in the locally stored source is beyond the rotation time. This occurs only when Terraform is executed.

Reference: customer_managed_key in azurerm_storage_account | Resources | hashicorp/azurerm | Terraform Registry
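The answer above deals with the customer-managed encryption key, while the question asks about the account's shared access keys (the values behind primary_access_key and secondary_access_key). The following is an added example, not code from the original question or answer, showing one way to regenerate both access keys on a schedule and write the new values into Key Vault as new secret versions. It references the azurerm_storage_account.example resource from the question, and it assumes an existing Key Vault (placeholder name below), an Azure CLI session that is already logged in with rights to regenerate keys on that account, and the hashicorp/time and hashicorp/null providers; the 90-day interval and the secret names are assumptions.

```hcl
terraform {
  required_providers {
    azurerm = { source = "hashicorp/azurerm" }
    time    = { source = "hashicorp/time" }
    null    = { source = "hashicorp/null" }
  }
}

# Assumed: the Key Vault that holds the keys already exists.
data "azurerm_key_vault" "kv" {
  name                = "<key vault name>"
  resource_group_name = "accessrotate"
}

# A clock that advances every 90 days (assumed interval). Its id changes on
# each rotation and is used as the trigger for regeneration below.
resource "time_rotating" "keys" {
  rotation_days = 90
}

# Regenerate each key with the Azure CLI whenever the clock advances.
# Replacing this resource re-runs the provisioner. Both keys are rotated here
# because the question asks for it; in practice stagger them (e.g. two clocks
# offset by half the interval) so clients always have one valid key.
resource "null_resource" "rotate" {
  for_each = toset(["primary", "secondary"])

  triggers = {
    rotate_at = time_rotating.keys.id
  }

  provisioner "local-exec" {
    command = "az storage account keys renew --account-name ${azurerm_storage_account.example.name} --resource-group ${azurerm_storage_account.example.resource_group_name} --key ${each.key}"
  }
}

# Re-read the account after regeneration. depends_on defers this read to apply
# time, so it returns the new keys instead of the stale values in state.
data "azurerm_storage_account" "rotated" {
  name                = azurerm_storage_account.example.name
  resource_group_name = azurerm_storage_account.example.resource_group_name
  depends_on          = [null_resource.rotate]
}

# One secret per key. A changed value creates a new secret version; earlier
# versions stay in Key Vault. The expiry is tied to the next rotation so the
# secret is visibly stale if rotation ever stops running.
resource "azurerm_key_vault_secret" "access_key" {
  for_each = toset(["primary", "secondary"])

  name            = "${azurerm_storage_account.example.name}-${each.key}-access-key"
  value           = each.key == "primary" ? data.azurerm_storage_account.rotated.primary_access_key : data.azurerm_storage_account.rotated.secondary_access_key
  key_vault_id    = data.azurerm_key_vault.kv.id
  content_type    = "storage-account-access-key"
  expiration_date = time_rotating.keys.rotation_rfc3339
}
```

Two caveats worth knowing before adopting this. First, because the data source depends on a resource, its attributes show as "(known after apply)" on every plan, so the secret values cannot be previewed; that is the price of reading the keys after the CLI call in the same apply. Second, azurerm_storage_account.example.primary_access_key in state is stale after a rotation until the next refresh, so anything else that consumes that attribute should read from the data source (or from the Key Vault secret) instead. The for_each above is kept to a static set of key names on purpose: building a map whose values are the sensitive keys would be rejected as a for_each argument.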
