
azure 上的 terraform - 创建具有私有连接的密钥库

[英]terraform on azure - create keyvault with private connection

希望获得一些有关设置具有专用连接的密钥库的指示。 我参考 TF 官网和其他站点上的示例拼凑出了下面的配置,但它崩溃了。

简而言之,它创建 KV,分配一些策略,然后创建与服务端点相关联的私有链接。 任何帮助将不胜感激。

locals {
  # Short prefix used to build the Key Vault name below.
  prefix = "kv01am"
}
# Tenant and object ID of the identity running Terraform (used for the vault's access policy).
data "azurerm_client_config" "current" {}

resource "azurerm_key_vault" "sandbox" {
  name                = "${local.prefix}-KV"
  location            = "eastus2"
  resource_group_name = "rg-hsc-uscodappname01-137941ad"
  sku_name            = "standard"
  tenant_id           = data.azurerm_client_config.current.tenant_id

  # Allows Azure Disk Encryption to retrieve secrets / unwrap keys from this vault.
  enabled_for_disk_encryption = true

  # Soft delete / purge protection were left at provider defaults by the author.
  # Purge protection cannot be turned off once enabled, so decide deliberately.
  #  soft_delete_enabled         = true
  #  purge_protection_enabled    = false

  # Read-only policy for the identity that runs Terraform.
  access_policy {
    tenant_id = data.azurerm_client_config.current.tenant_id
    object_id = data.azurerm_client_config.current.object_id

    key_permissions     = ["get"]
    secret_permissions  = ["get"]
    storage_permissions = ["get"]
  }

  # Deny data-plane access from public networks; trusted Azure services may still
  # bypass. Clients are expected to reach the vault through the private endpoint.
  network_acls {
    default_action = "Deny"
    bypass         = "AzureServices"
  }
}
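# Removed: `azurerm_private_link_service` publishes *your own* service (fronted by a
# Standard Load Balancer) to Private Link consumers. It is not needed to reach a PaaS
# resource such as Key Vault, and it is the likely cause of the apply failure: the
# resource requires `load_balancer_frontend_ip_configuration_ids`, and the original
# block referenced `azurerm_public_ip.example`, which is declared nowhere in this
# configuration. Private access to the vault only needs the `azurerm_private_endpoint`
# resource below.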
resource "azurerm_private_endpoint" "sandbox_kv" {
  name                = azurerm_key_vault.sandbox.name
  location            = "eastus2"
  resource_group_name = "rg-hsc-uscodappname01-137941ad"

  # Placeholder from the original post: must be the ID of the subnet that hosts the
  # endpoint NIC. NOTE(review): the subnet must have private endpoint network
  # policies disabled (`enforce_private_link_endpoint_network_policies` on
  # azurerm_subnet in provider 2.x) — confirm for the subnet used here.
  #subnet_id           = azurerm_subnet.sandbox["PrivateLink"].id
  subnet_id = "zzzzzzzzzzzzzzzz"

  # Auto-approved connection to the vault's data plane.
  private_service_connection {
    name                           = azurerm_key_vault.sandbox.name
    private_connection_resource_id = azurerm_key_vault.sandbox.id
    is_manual_connection           = false
    # Key Vault group ID; the provider docs example spells it lowercase ("vault").
    subresource_names = ["Vault"]
  }
}

除了“手动”创建 DNS 记录之外,您还可以声明一个 private_dns_zone_group:

# ============PrivateLink==========================

resource "azurerm_private_endpoint" "pe_kv" {
  name                = format("pe-2%s", var.name)
  location            = data.azurerm_resource_group.main.location
  resource_group_name = data.azurerm_resource_group.main.name
  subnet_id           = data.azurerm_subnet.main.id

  # Lets Azure create and maintain the A record in the private zone, so no
  # hand-written azurerm_private_dns_a_record is needed. The zone still has to be
  # linked to the VNet (azurerm_private_dns_zone_virtual_network_link) for clients
  # in that VNet to resolve it.
  private_dns_zone_group {
    name                 = "privatednszonegroup"
    private_dns_zone_ids = [azurerm_private_dns_zone.main.id]
  }

  # Auto-approved connection to the vault's data plane.
  private_service_connection {
    name                           = format("pse-2%s", var.name)
    private_connection_resource_id = azurerm_key_vault.main.id
    is_manual_connection           = false
    subresource_names              = ["Vault"]
  }
}
# Private zone for Key Vault private endpoints; the zone name is fixed by Azure.
resource "azurerm_private_dns_zone" "main" {
  resource_group_name = data.azurerm_resource_group.main.name
  name                = "privatelink.vaultcore.azure.net"
}

这就是我最终做的。 找不到为私有链接端点派生 IP 地址的好方法,所以我只是对其进行了硬编码;如果有人有更好的方法来处理这个问题,那就太好了,关于该主题的资料不多。 此外,添加了一个部分以在私有 DNS 中注册 A 记录,但请注意,这会在与 KV 相同的子网中创建私有 DNS 区域。

# Existing resource group that will hold the vault, endpoint and private zone.
data "azurerm_resource_group" "main" {
  name = var.resource_group_name
}

# Existing subnet that will host the private endpoint NIC (may live in another RG).
data "azurerm_subnet" "main" {
  resource_group_name  = var.vnet_resource_group_name
  virtual_network_name = var.virtual_network_name
  name                 = var.virtual_network_subnet_name
}

# Supplies the tenant ID of the identity running Terraform.
data "azurerm_client_config" "main" {}

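resource "azurerm_key_vault" "main" {
  name                = var.name
  location            = data.azurerm_resource_group.main.location
  resource_group_name = data.azurerm_resource_group.main.name
  tenant_id           = data.azurerm_client_config.main.tenant_id
  sku_name            = var.sku

  enabled_for_deployment          = var.enabled_for_deployment
  enabled_for_disk_encryption     = var.enabled_for_disk_encryption
  enabled_for_template_deployment = var.enabled_for_template_deployment

  # Left at provider defaults by the author; purge protection is irreversible
  # once enabled, so set it deliberately for non-sandbox vaults.
  #  soft_delete_enabled         = false
  #  purge_protection_enabled    = false

  # Public data-plane access denied; trusted Azure services may bypass and
  # clients reach the vault via the private endpoint declared below.
  network_acls {
    default_action = "Deny"
    bypass         = "AzureServices"
    #    ip_rules       = var.ip_rules
  }
} # closing brace was missing in the original snippet, which would not parse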

# ============PrivateLink==========================

resource "azurerm_private_endpoint" "pe_kv" {
  resource_group_name = data.azurerm_resource_group.main.name
  location            = data.azurerm_resource_group.main.location
  name                = format("pe-2%s", var.name)
  subnet_id           = data.azurerm_subnet.main.id

  # No private_dns_zone_group here: the A record for the endpoint is registered
  # manually further down. The private zone must still be linked to the VNet
  # (azurerm_private_dns_zone_virtual_network_link) to be resolvable.
  private_service_connection {
    is_manual_connection           = false
    name                           = format("pse-2%s", var.name)
    private_connection_resource_id = azurerm_key_vault.main.id
    subresource_names              = ["Vault"]
  }
}
# Private zone for Key Vault private endpoints (fixed Azure zone name).
resource "azurerm_private_dns_zone" "main" {
  resource_group_name = data.azurerm_resource_group.main.name
  name                = "privatelink.vaultcore.azure.net"
}
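# A record <vault name>.privatelink.vaultcore.azure.net -> endpoint NIC address.
resource "azurerm_private_dns_a_record" "pe_kv" {
  name                = var.name
  zone_name           = azurerm_private_dns_zone.main.name
  resource_group_name = data.azurerm_resource_group.main.name
  ttl                 = 300
  # Use the address Azure allocated to the private endpoint instead of a
  # hard-coded placeholder, so the record cannot drift from the real NIC.
  records = [azurerm_private_endpoint.pe_kv.private_service_connection[0].private_ip_address]
}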

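# Private IP of the vault's endpoint, read from the endpoint itself rather than
# a literal. Label quoted as HCL2 requires.
output "kv_private_ip" {
  value = [azurerm_private_endpoint.pe_kv.private_service_connection[0].private_ip_address]
}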

这就是我获得 fqdn 和私有 IP 的方式:

# Optional private endpoint for the vault; created only when a private-link
# subnet object is supplied.
resource "azurerm_private_endpoint" "private_endpoint" {
  count = var.private_link_subnet != null ? 1 : 0

  resource_group_name = var.resource_group
  location            = var.location
  subnet_id           = var.private_link_subnet.id
  name                = "${var.private_link_subnet.virtual_network_name}-${var.name}"

  private_service_connection {
    name                           = "${var.private_link_subnet.virtual_network_name}-${var.name}"
    private_connection_resource_id = azurerm_key_vault.vault.id
    is_manual_connection           = false
    subresource_names              = ["vault"]
  }

  # Tags may be managed outside Terraform; do not fight over them.
  lifecycle { ignore_changes = [tags] }
}

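# Pushes the endpoint's FQDN / private IP to an external DNS via dns_update.sh
# and removes the record again on destroy.
resource "null_resource" "dns_update" {
  # Mirror the endpoint's count so the [0] index in triggers is never evaluated
  # when no private-link subnet was supplied (it would fail on an empty list).
  count = var.private_link_subnet != null ? 1 : 0

  # Stored in state so the destroy-time provisioner (which may only reference
  # self) still knows the FQDN after the endpoint is gone.
  triggers = {
    priv_fqdn = azurerm_private_endpoint.private_endpoint[0].custom_dns_configs[0].fqdn
    priv_ip   = azurerm_private_endpoint.private_endpoint[0].custom_dns_configs[0].ip_addresses[0]
  }

  provisioner "local-exec" {
    when    = destroy
    command = <<EOF
      echo "${self.triggers.priv_fqdn}"
      bash "${path.module}/dns_update.sh" destroy "${self.triggers.priv_fqdn}"
    EOF
  }

  # Values are quoted so the shell never word-splits or expands them, even if
  # the module path or a DNS value contains spaces or metacharacters.
  provisioner "local-exec" {
    command = <<EOF
      echo "${self.triggers.priv_fqdn}"
      echo "${self.triggers.priv_ip}"
      bash "${path.module}/dns_update.sh" apply "${self.triggers.priv_fqdn}" "${self.triggers.priv_ip}"
      bash "${path.module}/dns_update.sh" get "${self.triggers.priv_fqdn}"
    EOF
  }
}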

然后我得到的输出是:
self.triggers.priv_fqdn >> szp.vaultcore.azure.net
self.triggers.priv_ip >> 10.10.8.205

