stackoom
  简体   繁体   中英

Azure KeyVault Terraform cycle

 原文  2022-07-26 08:05:36       azure/ terraform/ azure-functions/ azure-keyvault

Question

I am trying to write a Terraform descriptor for integration Azure Functions, KeyVault and CosmosDB.

On one hand I need Azure Functions identity id to create KeyVault access policy. On the other I need KeyVault's CosmosDB key reference to put into Azure Functions configuration. That causes cycle dependency Azure Functions <-> KeyVault. Is there a way to solve it some way? If I would do it manually, I would create Azure Functions App, create KeyVault, add access policy in KeyVault and update Azure Functions with KeyVault key reference. But as far as I know, Terraform doesn't allow to create and update resource later.

Some code snippets:

functions.tf

variable "db_key" {
   type = string
}

resource "azurerm_linux_function_app" "my_functions" {
   ...
   app_settings = {
      "DB_KEY": var.db_key
   }
} 

output "functions_app_id" {
   value = azurerm_linux_function_app.my_functions.identity[0].principal_id
}

keyvault.tf

variable "functions_app_id" {
  type = string
}

resource "azurerm_key_vault" "my_keyvault" {
   access_policy {
      tenant_id = ...
      object_id = var.functions_app_id

      secret_permissions {
         "Get"
      }
   }
}

resource "azurerm_key_vault_secret" "db_key" {
   ...
}

output "db_key" {
   value = "@Microsoft.KeyVault(SecretUri=${azurerm_key_vault_secret.db_key.id})"
}

main.tf

module "functions" {
   ...
   db_key = module.key-vault.db_key
}

module "key-vault" {
   ...
   functions_app_id = module.functions.functions_app_id
}

2 answers

solution1
 0  2022-07-27 00:36:41

You can:

  1. Create Key Vault with key
  2. Create function with key reference
  3. Add access policy or RBAC to vault for function

solution2
 0  2022-07-27 12:50:05

Ok I have figured out how to do this. Instead of using access_policy block in key_vault script, I should have used "azurerm_key_vault_access_policy" resource in functions.tf. Now it looks like this

functions.tf

variable "db_key" {
   type = string
}

resource "azurerm_linux_function_app" "my_functions" {
   ...
   app_settings = {
      "DB_KEY": var.db_key
   }

   identity {
      type = "SystemAssigned"
   }
} 

resource "azurerm_key_vault_access_policy" "functions_app_access_policy" {
   key_vault_id = ... //passed as output from key_vault.tf
   tenant_id = ...
   object_id = azurerm_linux_function_app.my_functions.identity[0].principal_id

   secret_permissions = ["Get"]
}

And there is no access_policy block in key_vault.tf file anymore

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Terraform azure - keyvault key generation - access denied Terraform azure keyVault SetSecret - Forbidden Access denied Update firewall rule of Azure KeyVault using Terraform Terraform: Adding sensitive data to Azure KeyVault terraform on azure - create keyvault with private connection Terraform Azure KeyVault Key version - terraform v2.63.0 Terraform grant azure function app with msi access to azure keyvault How to save the azure keyvault certificate to a local folder with terraform? Terraform Azure AKS - How to install azure-keyvault-secrets-provider add-on Terraform and Azure Policy: Errors using “field”: “Microsoft.KeyVault.Data/vaults/certificates/properties.validityInMonths”
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM