On deploying a script to enable Customer Managed Key in Azure Data Factory using Terraform, I am getting an error which I have stated below
While trying to enable the customer-managed key with this code snippet, I cannot get past the terraform plan itself. I tried several approaches, but even those did not work. Can anyone help me solve this??
```hcl
data "azurerm_client_config" "current" {}

resource "azurerm_resource_group" "example" {
  name     = "testadfrg"
  location = "West Europe"
}

resource "azurerm_key_vault" "example" {
  name                       = "testkeyvault"
  location                   = azurerm_resource_group.example.location
  resource_group_name        = azurerm_resource_group.example.name
  tenant_id                  = data.azurerm_client_config.current.tenant_id
  sku_name                   = "standard"
  soft_delete_retention_days = 7

  # Policy for the principal running Terraform, so it can create the key.
  access_policy {
    tenant_id = data.azurerm_client_config.current.tenant_id
    object_id = data.azurerm_client_config.current.object_id
    key_permissions = [
      "Create",
      "Get",
      "Purge",
      "Recover",
    ]
    secret_permissions = [
      "Set",
    ]
  }
}

resource "azurerm_key_vault_key" "generated" {
  name         = "adfkey"
  key_vault_id = azurerm_key_vault.example.id
  key_type     = "RSA"
  key_size     = 2048
  key_opts = [
    "decrypt",
    "encrypt",
    "sign",
    "unwrapKey",
    "verify",
    "wrapKey",
  ]
}

resource "azurerm_data_factory" "df" {
  name                    = "testadfadf"
  location                = azurerm_resource_group.example.location
  resource_group_name     = azurerm_resource_group.example.name
  public_network_enabled  = true
  customer_managed_key_id = azurerm_key_vault_key.generated.id

  # A system-assigned identity does not exist until the factory is created,
  # so it cannot be granted Key Vault access before the CMK is configured.
  identity {
    type = "SystemAssigned"
  }
}
```
You must create a user-assigned identity for ADF so that it can access the Key Vault. Then create an access policy in the Key Vault for that user-assigned identity, and finally, when creating the ADF, you must use the following:

```hcl
identity {
  type         = "UserAssigned"
  identity_ids = [azurerm_user_assigned_identity.base.id]
}
```

instead of

```hcl
identity {
  type = "SystemAssigned"
}
```

So your overall code will look like this:
```hcl
# time_sleep comes from the hashicorp/time provider; it is installed on `terraform init`.
provider "azurerm" {
  features {}
}

data "azurerm_client_config" "current" {}

data "azurerm_resource_group" "example" {
  name = "yourresourcegroupname"
}

# Identity that will be attached to the Data Factory and granted key access.
resource "azurerm_user_assigned_identity" "base" {
  resource_group_name = data.azurerm_resource_group.example.name
  location            = data.azurerm_resource_group.example.location
  name                = "mi-adf-keyvault"
}

resource "azurerm_key_vault" "kv" {
  name                = "ansumankeyvault01"
  location            = data.azurerm_resource_group.example.location
  resource_group_name = data.azurerm_resource_group.example.name
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "standard"

  # Policy for the principal running Terraform (manages the vault contents).
  access_policy {
    object_id = data.azurerm_client_config.current.object_id
    tenant_id = data.azurerm_client_config.current.tenant_id
    certificate_permissions = [
      "Create",
      "Delete",
      "DeleteIssuers",
      "Get",
      "GetIssuers",
      "Import",
      "List",
      "ListIssuers",
      "ManageContacts",
      "ManageIssuers",
      "Purge",
      "SetIssuers",
      "Update",
    ]
    key_permissions = [
      "Backup",
      "Create",
      "Decrypt",
      "Delete",
      "Encrypt",
      "Get",
      "Import",
      "List",
      "Purge",
      "Recover",
      "Restore",
      "Sign",
      "UnwrapKey",
      "Update",
      "Verify",
      "WrapKey",
    ]
    secret_permissions = [
      "Backup",
      "Delete",
      "Get",
      "List",
      "Purge",
      "Restore",
      "Set",
    ]
  }

  # Policy for the user-assigned identity: only what the CMK needs on the key.
  access_policy {
    object_id = azurerm_user_assigned_identity.base.principal_id
    tenant_id = data.azurerm_client_config.current.tenant_id
    secret_permissions = [
      "Get",
    ]
    key_permissions = [
      "Get",
      "Decrypt",
      "Encrypt",
      "Sign",
      "UnwrapKey",
      "Verify",
      "WrapKey",
    ]
    certificate_permissions = [
      "Get",
    ]
  }
}

resource "azurerm_key_vault_key" "generated" {
  name         = "generated-certificate"
  key_vault_id = azurerm_key_vault.kv.id
  key_type     = "RSA"
  key_size     = 2048
  key_opts = [
    "decrypt",
    "encrypt",
    "sign",
    "unwrapKey",
    "verify",
    "wrapKey",
  ]
}

resource "null_resource" "previous" {}

# Give the access policy time to propagate before the factory tries to use the key.
resource "time_sleep" "wait_120_seconds" {
  depends_on      = [azurerm_key_vault.kv]
  create_duration = "120s"
}

resource "azurerm_data_factory" "df" {
  name                    = "ansumantestadf" # unique name
  location                = data.azurerm_resource_group.example.location
  resource_group_name     = data.azurerm_resource_group.example.name
  public_network_enabled  = true
  customer_managed_key_id = azurerm_key_vault_key.generated.id

  identity {
    type         = "UserAssigned"
    identity_ids = [azurerm_user_assigned_identity.base.id]
  }

  depends_on = [time_sleep.wait_120_seconds]
}
```
Note: I used the time_sleep block because the access policy may take some time to be reflected in the Key Vault for the user-assigned identity.

Output:
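As an added example (not part of the answer above or of the azurerm provider), here is a small plan-time check that catches the misconfiguration this thread is about before `terraform apply`: it reads the JSON produced by `terraform show -json tfplan` and flags any `azurerm_data_factory` that sets a customer-managed key without a UserAssigned identity, or without any Key Vault access policy granting Get/UnwrapKey/WrapKey. The plan document embedded below is constructed for the demonstration, not real Terraform output.

```python
"""Plan-time check for the misconfiguration discussed above: an azurerm_data_factory
that sets a customer-managed key must use a UserAssigned identity, and a Key Vault
access policy must grant the key permissions CMK wrapping needs (Get/UnwrapKey/WrapKey)."""
import copy

# Compared case-insensitively, since older azurerm releases accepted lowercase names.
REQUIRED_KEY_PERMS = {"get", "unwrapkey", "wrapkey"}

def _is_set(change, attr):
    """True if the attribute has a planned value or is unknown-until-apply (e.g. a key id
    created in the same plan), which `terraform show -json` reports under after_unknown."""
    return bool(change.get("after", {}).get(attr) or change.get("after_unknown", {}).get(attr))

def check_plan(plan):
    """Return findings for a `terraform show -json tfplan` document; [] means it passes."""
    changes = [rc for rc in plan.get("resource_changes", []) if rc["change"].get("after")]
    vault_grants_cmk = any(
        REQUIRED_KEY_PERMS <= {p.lower() for p in pol.get("key_permissions", [])}
        for rc in changes if rc["type"] == "azurerm_key_vault"
        for pol in rc["change"]["after"].get("access_policy") or []
    )
    findings = []
    for rc in changes:
        if rc["type"] != "azurerm_data_factory" or not _is_set(rc["change"], "customer_managed_key_id"):
            continue
        # identity_ids is usually unknown until apply, so only the identity type is checked.
        ident = (rc["change"]["after"].get("identity") or [{}])[0]
        if ident.get("type") != "UserAssigned":
            findings.append(f"{rc['address']}: CMK set but identity type is not UserAssigned")
        if not vault_grants_cmk:
            findings.append(f"{rc['address']}: no Key Vault access policy grants Get/UnwrapKey/WrapKey")
    return findings

# Constructed sample plan (not real terraform output) mirroring the question's setup:
# the key id is unknown at plan time and the factory identity is SystemAssigned.
BROKEN_PLAN = {"resource_changes": [
    {"address": "azurerm_key_vault.kv", "type": "azurerm_key_vault", "change": {
        "after": {"access_policy": [{"object_id": "00000000-0000-0000-0000-000000000001",
                                     "key_permissions": ["Get", "unwrapKey", "wrapKey"]}]}}},
    {"address": "azurerm_data_factory.df", "type": "azurerm_data_factory", "change": {
        "after": {"identity": [{"type": "SystemAssigned"}]},
        "after_unknown": {"customer_managed_key_id": True}}},
]}

# The answer's fix applied to the same plan: switch the factory identity to UserAssigned.
FIXED_PLAN = copy.deepcopy(BROKEN_PLAN)
FIXED_PLAN["resource_changes"][1]["change"]["after"]["identity"] = [{"type": "UserAssigned"}]

if __name__ == "__main__":
    print(check_plan(BROKEN_PLAN))  # ['azurerm_data_factory.df: CMK set but identity type is not UserAssigned']
    print(check_plan(FIXED_PLAN))   # []
```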