
Terraform: how to run multiple actions on same resource during deployment?

This question is related to deploying resources on Azure using provider version 2.99.

I'm trying to:

  1. deploy a resource (eg key vault, azurerm_key_vault)
  2. populate this resource (eg secrets, azurerm_key_vault_secret)
  3. change the deployed resource (eg activate firewall, azurerm_key_vault)

Something like this:

resource "azurerm_key_vault" "kv" {
 # create key vault
}

resource "azurerm_key_vault_secret" "kv-secret-01" {
 # create first secret
}

resource "azurerm_key_vault_secret" "kv-secret-02" {
 # create second secret
}

resource "azurerm_key_vault" "kv" {
 # enable firewall on deployed kv
}

Any ideas on how to do this?

Tested in my environment: I was getting the below error while creating the Key Vault secret, as my IP address is not listed in the allowed IP addresses in network_acls.


If your requirement is to deploy a Key Vault with either the firewall or specific access policies enabled (allowed to access the Key Vault from specific IP addresses only), you need to add the IP address. As I have added the above IP address, from where I am accessing, in the Terraform code, you can use the below Terraform code.

main.tf

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "2.99"
    }
  }
}

provider "azurerm" {
  features {}
}

# Identity running terraform apply; its tenant/object IDs feed the access policy below.
data "azurerm_client_config" "current" {}

data "azurerm_resource_group" "example" {
  name = "v-XXXX-xXXXtree"
  #location = "West Europe"
}

resource "azurerm_key_vault" "example" {
  name                       = "TestKeyVault3246"
  location                   = data.azurerm_resource_group.example.location
  resource_group_name        = data.azurerm_resource_group.example.name
  tenant_id                  = data.azurerm_client_config.current.tenant_id
  sku_name                   = "premium"
  soft_delete_retention_days = 7

  access_policy {
    tenant_id = data.azurerm_client_config.current.tenant_id
    object_id = data.azurerm_client_config.current.object_id

    key_permissions = [
      "create",
      "get",
    ]

    secret_permissions = [
      "set",
      "get",
      "delete",
      "purge",
      "recover"
    ]
  }

  network_acls {
    # The default action to use when no rules match from ip_rules /
    # virtual_network_subnet_ids. Possible values are Allow and Deny.
    default_action = "Deny"

    # Allows all Azure services to access your Key Vault. Can be set to "None".
    bypass = "AzureServices"

    # The list of allowed IP addresses; the address running terraform apply must be here,
    # otherwise the secret resources below fail with the 403 shown above.
    ip_rules = ["1.1.1.1", "2.2.2.2", "115.187.40.49"]
  }
}

resource "azurerm_key_vault_secret" "example" {
  count        = length(var.key_vault_Secret_Value)
  name         = "TestKeyVaultSecret-${count.index}"
  value        = var.key_vault_Secret_Value[count.index]
  key_vault_id = azurerm_key_vault.example.id
}

variable.tf

variable "key_vault_Secret_Value" {
  type = list(string)
  # Demo values only; secret values committed as defaults end up in the repo and in state.
  default = ["szechuan", "szechuan1"]
}

I did not want to add the Terraform user or source IP in the TF code, but would appreciate other approaches on how to do this. Besides: how do people populate a vault that is already locked (firewall + access policies) with TF?

If you have the Key Vault firewall enabled, then any machine that needs to talk to it will need to be allowed in that firewall; it would be a pretty terrible firewall if that were not the case. There are a few ways you can work with this:

  • Add your machine's IP into the firewall permanently, maybe as part of your Terraform deployment

  • Run your Terraform pipelines from another machine, like a build agent, and allow this IP. Moving to using CI/CD tools for your Terraform is going to be beneficial in many other ways too

  • As above, use a build agent, but instead of adding its external IP to the KV firewall, use private endpoints to allow access over the private network. This requires the machine to be in Azure, or connected to Azure over VPN/ExpressRoute

Reference: https://serverfault.com/questions/1086356/is-it-possible-to-use-terraform-and-an-azure-key-vault-firewall-without-having-t
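The following is an added example, not code from the question or from either answer. It applies the approach both answers describe (the address running `terraform apply` must be in the Key Vault firewall) while addressing the follow-up comment: the deployer address is a variable with no default, supplied by the pipeline at apply time (for example via `TF_VAR_deployer_ip_rules` or `-var`), so nothing host-specific is committed. Terraform declares the end state, so the vault, its Deny rule and the secrets are created in one apply instead of "create, populate, then lock". The resource group name, vault name, variable names and the use of Terraform 1.x are assumptions.

```hcl
# Added example; not from the question or the answers above.
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "2.99"
    }
  }
}

provider "azurerm" {
  features {}
}

# Supplied at apply time, e.g. TF_VAR_deployer_ip_rules='["203.0.113.10"]' (constructed value);
# no default, so the deployer's address never lives in the repository.
variable "deployer_ip_rules" {
  type        = list(string)
  description = "Public IPv4 addresses or CIDR blocks of the host running terraform apply"

  validation {
    # Accept a bare address or a CIDR block; anything else fails before any API call.
    condition = alltrue([
      for r in var.deployer_ip_rules :
      can(cidrhost(length(split("/", r)) == 2 ? r : "${r}/32", 0))
    ])
    error_message = "Each entry must be an IPv4 address or CIDR block, e.g. 203.0.113.10 or 203.0.113.0/24."
  }
}

# Secret names -> values. Marked sensitive so values are redacted from plan/apply output
# (they are still written to state, so the state backend needs its own protection).
variable "secrets" {
  type      = map(string)
  sensitive = true
}

data "azurerm_client_config" "current" {}

data "azurerm_resource_group" "example" {
  name = "rg-example" # assumption
}

resource "azurerm_key_vault" "example" {
  name                       = "kv-example-0001" # assumption; must be globally unique
  location                   = data.azurerm_resource_group.example.location
  resource_group_name        = data.azurerm_resource_group.example.name
  tenant_id                  = data.azurerm_client_config.current.tenant_id
  sku_name                   = "standard"
  soft_delete_retention_days = 7

  # Only the identity running the apply gets data-plane rights; nothing else is granted here.
  access_policy {
    tenant_id          = data.azurerm_client_config.current.tenant_id
    object_id          = data.azurerm_client_config.current.object_id
    secret_permissions = ["set", "get", "list", "delete", "purge", "recover"]
  }

  network_acls {
    default_action = "Deny"
    bypass         = "None"             # no blanket exception for Azure services
    ip_rules       = var.deployer_ip_rules
  }
}

# The vault is locked down from the first apply; secrets still succeed because the
# deployer's address is in ip_rules and key_vault_id orders them after the vault.
resource "azurerm_key_vault_secret" "example" {
  # Only the secret names are used as instance keys; nonsensitive() is required because
  # for_each cannot take a sensitive value, and names are not the secret here.
  for_each     = nonsensitive(toset(keys(var.secrets)))
  name         = each.key
  value        = var.secrets[each.key]
  key_vault_id = azurerm_key_vault.example.id
}
```

If the pipeline later moves to a build agent inside Azure, `ip_rules` can be emptied and a `virtual_network_subnet_ids` entry or a private endpoint used instead, with no change to the secret resources.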
