Terraform grant azure function app with msi access to azure keyvault

I am trying to use Terraform to set up the following scenario in Azure:
- an Azure Function App with a Managed Service Identity
- an Azure Key Vault
- a key vault access policy that allows the function app to access secrets in the key vault

My problem is using the object id (principal id) of the MSI set up for the function app in the definition of the key vault access policy; I suspect I am doing something wrong (and/or stupid)...

The error I get from Terraform apply is:

azurerm_key_vault_access_policy.msi-test-to-keyvault-test: "object_id" is an invalid UUUID: uuid: UUID string too short: 1

I suspect the problem may be related to the way I am trying to reference the object id of the service principal created by the MSI identity in the access policy definition:

object_id = "${azurerm_function_app.rg-func-app__funcapp.identity.principal_id}"

(The doco for the azurerm function app attributes section says identity exports principal_id, but I don't know what the correct syntax is to reference this attribute :( )

The Terraform template is:

resource "azurerm_function_app" "rg-func-app__funcapp" {
  name = "${local.deployed-func-app-name}"
  location                  = "${azurerm_resource_group.rg-func-app.location}"
  resource_group_name       = "${azurerm_resource_group.rg-func-app.name}"
  app_service_plan_id       = "${azurerm_app_service_plan.rg-func-app__appsvcpln.id}"
  storage_connection_string = "${azurerm_storage_account.rg-func-app__sa.primary_connection_string}"

  version = "~1"

  app_settings {
    "TEST_KEYVAULT_URL" = "${azurerm_key_vault.test.vault_uri}"
  }

  identity {
    type = "SystemAssigned"
  }

}


resource "azurerm_key_vault" "test" {
  name = "msi-test-vault"
  location = "${azurerm_resource_group.rg-func-app.location}"
  resource_group_name = "${azurerm_resource_group.rg-func-app.name}"

  sku {
    name = "standard"
  }

  tenant_id = "${data.azurerm_client_config.current.tenant_id}"
}

resource "azurerm_key_vault_secret" "test" {
  name      = "secret-sauce"
  value     = "szechuan"
  vault_uri = "${azurerm_key_vault.test.vault_uri}"
}


resource "azurerm_key_vault_access_policy" "msi-test-to-keyvault-test" {
  vault_name           = "${azurerm_key_vault.test.name}"
  resource_group_name  = "${azurerm_key_vault.test.resource_group_name}"

  tenant_id = "${azurerm_key_vault.test.tenant_id}"
  object_id = "${azurerm_function_app.rg-func-app__funcapp.identity.principal_id}"

  key_permissions = [
    "get",
  ]

  secret_permissions = [
    "get",
  ] 
}

Any pointers would be much appreciated.

Cheers, Andy

After some discussion, the solution seems to be changing the incantation used to retrieve the principal_id to:

object_id = "${lookup(azurerm_function_app.rg-func-app__funcapp.identity[0],"principal_id")}"

This results in the access policy being created as expected.
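The working access policy, written out as an added example in the same Terraform 0.11 syntax the question uses (not the poster's own code): it uses the list-index reference from the fix above and trims the policy to the single permission the function actually exercises. It assumes the function app and key vault resources named in the question, and declares the azurerm_client_config data source the question references but does not show.

```hcl
# Added example, not the original poster's configuration.
# Assumes azurerm_function_app.rg-func-app__funcapp and azurerm_key_vault.test
# from the question are defined as shown there.

# Referenced as data.azurerm_client_config.current in the question's vault block.
data "azurerm_client_config" "current" {}

resource "azurerm_key_vault_access_policy" "msi-test-to-keyvault-test" {
  vault_name          = "${azurerm_key_vault.test.name}"
  resource_group_name = "${azurerm_key_vault.test.resource_group_name}"

  # Access policies are scoped to the tenant the vault lives in; reuse the
  # vault's own tenant_id rather than hard-coding a value.
  tenant_id = "${azurerm_key_vault.test.tenant_id}"

  # In Terraform 0.11 the exported `identity` attribute is a list, so the
  # principal must be read from element 0. The plain `identity.principal_id`
  # reference from the question does not resolve to the identity's GUID,
  # which is what produced the "UUID string too short" error.
  # The index form `identity.0.principal_id` is the equivalent 0.11 syntax.
  object_id = "${lookup(azurerm_function_app.rg-func-app__funcapp.identity[0], "principal_id")}"

  # The function only reads one secret via TEST_KEYVAULT_URL, so it needs no
  # key permissions at all and only "get" on secrets. Omitting key_permissions
  # keeps the policy at the minimum the workload requires; add "list" only if
  # the code enumerates secrets rather than fetching them by name.
  secret_permissions = [
    "get",
  ]
}
```

If the function app is later given a user-assigned identity as well, the same `identity[0]` expression still points at the system-assigned principal, so check the plan output for `object_id` before applying.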
