![](/img/trans.png)
[英]Azure PHP web app using system assigned managed identity connecting to Azure Storage Blob
[英]Can not get web app to write to Azure Storage Blob in Terraform
我在让我的 Web 应用程序写入 Azure 中的 Terraform 中的存储 blob 时遇到问题。
据我所知,我已经创建了所有内容,我想让它做的就是以 blob 格式向那里发送一些 .Net 日志文件。 连接将通过 Key Vault 进行,我已经指定了一个密钥并制定了相关的密钥保管库策略。
请在所有构建文件下方查看我的代码,但我没有在存储帐户中转储任何日志。 我必须创建一个存储 blob 还是 web 应用程序可以这样做? 我之前创建了一个,但后来没有写任何东西。
供应商:
# Terraform Block terraform { required_version = ">= 1.0" required_providers { azurerm = { source = "hashicorp/azurerm" version = ">= 2.0" } random = { source = "hashicorp/random" version = ">= 3.0" } } #Terraform State Storage Account backend "azurerm" {} } # Providers Block provider "azurerm" { features {} } # Random String Resource resource "random_string" "myrandom" { length = 6 number = false upper = false special = false }
Web 应用程序:
resource "azurerm_app_service_plan" "websiteappserviceplan" { name = "appserviceplan-dgyn27h2dfoyojc" location = azurerm_resource_group.Classroom_In_The_Cloud_Terraform.location resource_group_name = azurerm_resource_group.Classroom_In_The_Cloud_Terraform.name sku { tier = "Standard" size = "B1" } } resource "azurerm_app_service" "website_app" { name = var.website_name location = azurerm_resource_group.Classroom_In_The_Cloud_Terraform.location resource_group_name = azurerm_resource_group.Classroom_In_The_Cloud_Terraform.name app_service_plan_id = azurerm_app_service_plan.websiteappserviceplan.id #storage_account { #name = azurerm_storage_account.website_logs_key.name #type = "AzureBlob" #access_key = lookup(azurerm_storage_account.value,"access_key") #} app_settings = { "KEY_VAULT_URL" = azurerm_key_vault.nscsecrets.vault_uri "DIAGNOSTICS_AZUREBLOBCONTAINERSASURL" = azurerm_storage_container.website_logs_container.name "DIAGNOSTICS_AZUREBLOBRETENTIONINDAYS" = 365 } connection_string { name = "StorageAccount" type = "Custom" value = azurerm_storage_account.website_log_storage.primary_access_key } identity { type = "SystemAssigned" } }
存储帐户:
resource "azurerm_storage_account" "website_log_storage" { name = "cicweblogsstorageacc" resource_group_name = azurerm_resource_group.Classroom_In_The_Cloud_Terraform.name location = azurerm_resource_group.Classroom_In_The_Cloud_Terraform.location account_tier = "Standard" account_replication_type = "LRS" identity { type = "SystemAssigned" } } resource "azurerm_storage_container" "website_logs_container" { name = "${var.website_name}-cont" storage_account_name = azurerm_storage_account.website_log_storage.name container_access_type = "private" } #resource "azurerm_storage_blob" "website_logs_blob" { # name = "website-logs.zip" # storage_account_name = azurerm_storage_account.website_log_storage.name # storage_container_name = azurerm_storage_container.website_logs_container.name # type = "Block" #} resource "azurerm_storage_account_customer_managed_key" "website_log_key" { depends_on = [azurerm_key_vault_access_policy.website_logs_storage_accesspolicy, azurerm_key_vault_key.website_logs_key ] storage_account_id = azurerm_storage_account.website_log_storage.id key_vault_id = azurerm_key_vault.nscsecrets.id key_name = azurerm_key_vault_key.website_logs_key.name }
密钥库:
// This gets the Azure AD Tenant ID information to deploy for KeyVault. resource "azurerm_key_vault" "nscsecrets" { name = "${var.key_vault_name}-${random_string.myrandom.id}" resource_group_name = azurerm_resource_group.Classroom_In_The_Cloud_Terraform.name location = azurerm_resource_group.Classroom_In_The_Cloud_Terraform.location sku_name = "standard" tenant_id = data.azurerm_client_config.current.tenant_id soft_delete_retention_days = 7 purge_protection_enabled = true } resource "azurerm_key_vault_access_policy" "client" { // This is for AD Users Logged into Azure to give them the right access when creating resources. key_vault_id = azurerm_key_vault.nscsecrets.id tenant_id = data.azurerm_client_config.current.tenant_id object_id = data.azurerm_client_config.current.object_id secret_permissions = ["Backup", "Delete", "Get", "List", "Purge", "Recover", "Restore", "Set", ] key_permissions = ["Backup", "Create", "Decrypt", "Delete", "Encrypt", "Get", "Import", "List", "Purge", "Recover", "Restore", "Sign", "UnwrapKey", "Update", "Verify", "WrapKey", ] storage_permissions = ["Backup", "Delete", "DeleteSAS", "Get", "GetSAS", "List", "ListSAS", "Purge", "Recover", "RegenerateKey", "Restore", "Set", "SetSAS", "Update", ] } resource "azurerm_key_vault_access_policy" "service_principal" { // This is for the Service Principal in the pipeline to be able to make changes to Key Vault. key_vault_id = azurerm_key_vault.nscsecrets.id tenant_id = data.azurerm_client_config.current.tenant_id object_id = data.azuread_service_principal.current.object_id secret_permissions = ["Backup", "Delete", "Get", "List", "Purge", "Recover", "Restore", "Set", ] key_permissions = ["Backup", "Create", "Decrypt", "Delete", "Encrypt", "Get", "Import", "List", "Purge", "Recover", "Restore", "Sign", "UnwrapKey", "Update", "Verify", "WrapKey", ] storage_permissions = ["Backup", "Delete", "DeleteSAS", "Get", "GetSAS", "List", "ListSAS", "Purge", "Recover", "RegenerateKey", "Restore", "Set", "SetSAS", "Update", ] } resource "azurerm_key_vault_access_policy" "website_accesspolicy" { key_vault_id = azurerm_key_vault.nscsecrets.id tenant_id = azurerm_app_service.website_app.identity[0].tenant_id object_id = azurerm_app_service.website_app.identity[0].principal_id secret_permissions = ["get"] } resource "azurerm_key_vault_access_policy" "website_logs_storage_accesspolicy" { // This is for the Storage Account for Website Logs. key_vault_id = azurerm_key_vault.nscsecrets.id tenant_id = data.azurerm_client_config.current.tenant_id object_id = azurerm_storage_account.website_log_storage.identity[0].principal_id key_permissions = ["get", "create", "delete", "list", "restore", "recover", "unwrapkey", "wrapkey", "purge", "encrypt", "decrypt", "sign", "verify", ] secret_permissions = ["Backup", "Delete", "Get", "List", "Purge", "Recover", "Restore", "Set", ] } resource "azurerm_key_vault_key" "website_logs_key" { name = "website-logs-key" key_vault_id = azurerm_key_vault.nscsecrets.id key_type = "RSA" key_size = 2048 key_opts = ["decrypt", "encrypt", "sign", "unwrapKey", "verify", "wrapKey", ] depends_on = [ azurerm_key_vault_access_policy.client, azurerm_key_vault_access_policy.website_logs_storage_accesspolicy ] }
我通过对您的代码进行一些更改来在我的环境中对此进行了测试,它对我有用。
无需在应用程序设置中提供这些值,即
"DIAGNOSTICS_AZUREBLOBCONTAINERSASURL"
和"DIAGNOSTICS_AZUREBLOBRETENTIONINDAYS"
,因为当您启用日志时,它们将自动填充。你应该使用
connection_string { name = "StorageAccount" type = "Custom" value = azurerm_storage_account.website_log_storage.primary_connection_string }
代替
connection_string { name = "StorageAccount" type = "Custom" value = azurerm_storage_account.website_log_storage.primary_access_key }
因此,在修改和一些添加之后,整体代码将如下所示:
provider "azurerm" {
features {}
}
provider "random"{}
provider "time" {}
resource "random_string" "myrandom" {
length = 6
number = false
upper = false
special = false
}
data "azurerm_client_config" "current"{}
data "azurerm_resource_group" "Classroom_In_The_Cloud_Terraform"{
name="yourresourcegroup"
}
variable "website_name" {
default = "ansuman-app"
}
// This gets the Azure AD Tenant ID information to deploy for KeyVault.
resource "azurerm_key_vault" "nscsecrets" {
name = "${var.website_name}-${random_string.myrandom.id}"
resource_group_name = data.azurerm_resource_group.Classroom_In_The_Cloud_Terraform.name
location = data.azurerm_resource_group.Classroom_In_The_Cloud_Terraform.location
sku_name = "standard"
tenant_id = data.azurerm_client_config.current.tenant_id
soft_delete_retention_days = 7
}
resource "azurerm_key_vault_access_policy" "client" { // This is for AD Users Logged into Azure to give them the right access when creating resources.
key_vault_id = azurerm_key_vault.nscsecrets.id
tenant_id = data.azurerm_client_config.current.tenant_id
object_id = data.azurerm_client_config.current.object_id
secret_permissions = ["Backup", "Delete", "Get", "List", "Purge", "Recover", "Restore", "Set", ]
key_permissions = ["Backup", "Create", "Decrypt", "Delete", "Encrypt", "Get", "Import", "List", "Purge", "Recover", "Restore", "Sign", "UnwrapKey", "Update", "Verify", "WrapKey", ]
storage_permissions = ["Backup", "Delete", "DeleteSAS", "Get", "GetSAS", "List", "ListSAS", "Purge", "Recover", "RegenerateKey", "Restore", "Set", "SetSAS", "Update", ]
}
resource "azurerm_key_vault_access_policy" "website_accesspolicy" {
key_vault_id = azurerm_key_vault.nscsecrets.id
tenant_id = azurerm_app_service.website_app.identity[0].tenant_id
object_id = azurerm_app_service.website_app.identity[0].principal_id
secret_permissions = ["get"]
}
resource "azurerm_key_vault_access_policy" "website_logs_storage_accesspolicy" { // This is for the Storage Account for Website Logs.
key_vault_id = azurerm_key_vault.nscsecrets.id
tenant_id = data.azurerm_client_config.current.tenant_id
object_id = azurerm_storage_account.website_log_storage.identity[0].principal_id
key_permissions = ["get", "create", "delete", "list", "restore", "recover", "unwrapkey", "wrapkey", "purge", "encrypt", "decrypt", "sign", "verify", ]
secret_permissions = ["Backup", "Delete", "Get", "List", "Purge", "Recover", "Restore", "Set", ]
}
resource "azurerm_key_vault_key" "website_logs_key" {
name = "website-logs-key"
key_vault_id = azurerm_key_vault.nscsecrets.id
key_type = "RSA"
key_size = 2048
key_opts = ["decrypt", "encrypt", "sign", "unwrapKey", "verify", "wrapKey", ]
depends_on = [
azurerm_key_vault_access_policy.client,
azurerm_key_vault_access_policy.website_logs_storage_accesspolicy
]
}
resource "azurerm_storage_account" "website_log_storage" {
name = "ansumanstorageacc12345"
resource_group_name = data.azurerm_resource_group.Classroom_In_The_Cloud_Terraform.name
location = data.azurerm_resource_group.Classroom_In_The_Cloud_Terraform.location
account_tier = "Standard"
account_replication_type = "GRS"
identity {
type = "SystemAssigned"
}
}
resource "azurerm_storage_container" "website_logs_container" {
name = "${var.website_name}-cont"
storage_account_name = azurerm_storage_account.website_log_storage.name
}
resource "time_rotating" "main" {
rotation_rfc3339 = null
rotation_years = 2
triggers = {
end_date = null
years = 2
}
}
data "azurerm_storage_account_blob_container_sas" "website_logs_container_sas" {
connection_string = azurerm_storage_account.website_log_storage.primary_connection_string
container_name = azurerm_storage_container.website_logs_container.name
start = timestamp()
expiry = time_rotating.main.rotation_rfc3339
permissions {
read = true
add = true
create = true
write = true
delete = true
list = true
}
cache_control = "max-age=5"
content_disposition = "inline"
content_encoding = "deflate"
content_language = "en-US"
content_type = "application/json"
}
resource "azurerm_app_service_plan" "websiteappserviceplan" {
name = "appserviceplan-dgyn27h2dfoyojc"
location = data.azurerm_resource_group.Classroom_In_The_Cloud_Terraform.location
resource_group_name = data.azurerm_resource_group.Classroom_In_The_Cloud_Terraform.name
sku {
tier = "Standard"
size = "B1"
}
}
resource "azurerm_app_service" "website_app" {
name = var.website_name
location = data.azurerm_resource_group.Classroom_In_The_Cloud_Terraform.location
resource_group_name = data.azurerm_resource_group.Classroom_In_The_Cloud_Terraform.name
app_service_plan_id = azurerm_app_service_plan.websiteappserviceplan.id
app_settings = {
"KEY_VAULT_URL" = azurerm_key_vault.nscsecrets.vault_uri
}
site_config {
always_on = true
dotnet_framework_version = "v5.0"
app_command_line = "dotnet EventManagement.Web.dll"
}
logs{
detailed_error_messages_enabled = true
failed_request_tracing_enabled = true
application_logs {
azure_blob_storage {
level="Information"
sas_url = format("https://${azurerm_storage_account.website_log_storage.name}.blob.core.windows.net/${azurerm_storage_container.website_logs_container.name}%s", data.azurerm_storage_account_blob_container_sas.website_logs_container_sas.sas)
retention_in_days = 365
}
}
http_logs {
azure_blob_storage{
sas_url=format("https://${azurerm_storage_account.website_log_storage.name}.blob.core.windows.net/${azurerm_storage_container.website_logs_container.name}%s", data.azurerm_storage_account_blob_container_sas.website_logs_container_sas.sas)
retention_in_days = 365
}
}
}
connection_string {
name = "StorageAccount"
type = "Custom"
value = azurerm_storage_account.website_log_storage.primary_connection_string
}
identity {
type = "SystemAssigned"
}
}
Output:
注:以上仅针对terraform修改。 因此,在创建新的应用服务之后,在将 .net 应用示例代码部署到应用服务之前,您必须对应用代码进行一些其他修改,如下所示。
- 您已使用以下命令将
Microsoft.Extensions.Logging.AzureAppServices
package 添加到您的 do.net 项目中:
do.net add package Microsoft.Extensions.Logging.AzureAppServices --version 5.0.10
- 完成上述操作后,您必须将以下代码粘贴到项目的
program.cs
文件中。Host.CreateDefaultBuilder(args).ConfigureWebHostDefaults(webBuilder => { webBuilder.UseStartup<Startup>().ConfigureLogging(logging => { logging.ClearProviders(); logging.AddConsole(); logging.AddAzureWebAppDiagnostics(); }); });
- 完成上述步骤后,您应该能够看到容器中的文件,如果仍然没有反映,请 go 到您的
Web app>>App service logs >> click to install the asp.net core site extenstion to enable application logging.
在此之后,您应该能够看到如下文件:
有关日志的更多信息,请参考:
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.