问题描述
我正在使用以下代码将单个证书从Test1-KV复制到New-KV,但是我收到以下错误:
azurerm_key_vault_certificate.new-cert:正在创建...
错误:keyvault.BaseClient#CreateCertificate:未能响应请求:StatusCode = 400-原始错误:autorest / azure:服务返回了错误。 Status = 400 Code =“ BadParameter” Message =“属性策略的值无效\ r \ n”
在resource.tf第91行的资源“ azurerm_key_vault_certificate”“新证书”中,: 91:资源“ azurerm_key_vault_certificate”“新证书” {
代码:
data "azurerm_key_vault" "existing" {
name = "Test1-KV"
resource_group_name = "Test1-RG"
}
data "azurerm_key_vault_certificate" "new-cert" {
name = "new-cert"
key_vault_id = data.azurerm_key_vault.existing.id
}
resource "azurerm_key_vault_certificate" "new-cert" {
name = "new-cert"
key_vault_id = azurerm_key_vault.new-kv.id
certificate_policy {
issuer_parameters {
name = "My CA"
}
key_properties {
exportable = true
key_size = 2048
key_type = "RSA"
reuse_key = true
}
secret_properties {
content_type = "application/x-pkcs12"
}
}
}
//编辑部分:这是我的完整代码。将机密和证书从Test1-KV复制到New-KV中。
provider "azurerm" {
version = "~>2.14.0"
features {}
}
resource "azurerm_resource_group" "main" {
name = "${var.prefix}-RG"
location = var.location
}
# --- Get reference to logged on Azure subscription ---
data "azurerm_client_config" "current" {}
resource "azurerm_key_vault" "NewKV" {
name = "New-KV"
location = azurerm_resource_group.main.location
resource_group_name = azurerm_resource_group.main.name
enabled_for_disk_encryption = true
tenant_id = data.azurerm_client_config.current.tenant_id
soft_delete_enabled = true
purge_protection_enabled = false
sku_name = "standard"
access_policy {
tenant_id = data.azurerm_client_config.current.tenant_id
object_id = data.azurerm_client_config.current.object_id
certificate_permissions = [
"create","delete","deleteissuers","get","getissuers","import","list","listissuers","managecontacts","manageissuers","setissuers","update",]
key_permissions = [
"backup","create","decrypt","encrypt","purge","recover","restore","sign","unwrapKey","verify","wrapKey",]
secret_permissions = [
"backup","set",]
}
}
# -------------------- Importing Secrets from Central Key Vault to New-KV ---------------------------
# --- Defining where to import secrets ---
data "azurerm_key_vault" "existing" {
name = "Test1-KV"
resource_group_name = "Test1-RG"
}
# --- telling what to import ---
data "azurerm_key_vault_secret" "Cred" {
name = "Cred"
key_vault_id = data.azurerm_key_vault.existing.id
}
# --- defining where to import ---
resource "azurerm_key_vault_secret" "Cred" {
name = "Cred"
value = data.azurerm_key_vault_secret.Cred.value
key_vault_id = azurerm_key_vault.NewKV.id
}
# ----------------------- Importing Certificate from Central Key Vault Certificates ----------------------------------
// It stores the actual cert as a secret
data "azurerm_key_vault_secret" "New-Cert" {
name = "New-Cert"
key_vault_id = data.azurerm_key_vault.existing.id
}
data "azurerm_key_vault_certificate" "New-Cert" {
name = "New-Cert"
key_vault_id = data.azurerm_key_vault.existing.id
}
resource "azurerm_key_vault_certificate" "New-Cert" {
name = "New-Cert"
key_vault_id = azurerm_key_vault.NewKV.id
certificate {
contents = data.azurerm_key_vault_secret.New-Cert.value
}
certificate_policy {
issuer_parameters {
name = "My Company CA"
}
key_properties {
exportable = true
key_size = 2048
key_type = "RSA"
reuse_key = true
}
lifetime_action {
action {
action_type = "AutoRenew"
}
trigger {
days_before_expiry = 30
}
}
secret_properties {
content_type = "application/x-pkcs12"
}
x509_certificate_properties {
# Server Authentication = 1.3.6.1.5.5.7.3.1
# Client Authentication = 1.3.6.1.5.5.7.3.2
extended_key_usage = ["1.3.6.1.5.5.7.3.1"]
key_usage = [
"digitalSignature","keyEncipherment",]
subject_alternative_names {
dns_names = ["hello-world.io","Hello-World"]
}
subject = "CN=New-Cert"
validity_in_months = 61
}
}
}
解决方法
不确定您的错误具体是什么,但是您的代码无法正常运行。我将提供一个示例,其中第一次创建证书,第二次将其导入到新的kv中。诀窍是获取证书生成的机密以将其导入。我通过指纹验证了该过程是否有效。
这是第一个生成初始kv和cert的main.tf
provider "azurerm" {
version = "~>2.23.0"
features {}
}
data "azurerm_client_config" "current" {
}
resource "azurerm_resource_group" "example" {
name = "key-vault-certificate-example"
location = "East US"
}
output "certificate_thumbprint" {
value = azurerm_key_vault_certificate.example.thumbprint
}
resource "azurerm_key_vault" "example" {
name = "pearceckvcertexample"
location = azurerm_resource_group.example.location
resource_group_name = azurerm_resource_group.example.name
tenant_id = data.azurerm_client_config.current.tenant_id
sku_name = "standard"
access_policy {
tenant_id = data.azurerm_client_config.current.tenant_id
object_id = data.azurerm_client_config.current.object_id
certificate_permissions = [
"create","delete","deleteissuers","get","getissuers","import","list","listissuers","managecontacts","manageissuers","setissuers","update",]
key_permissions = [
"backup","create","decrypt","encrypt","purge","recover","restore","sign","unwrapKey","verify","wrapKey",]
secret_permissions = [
"backup","set",]
}
tags = {
environment = "Production"
}
}
resource "azurerm_key_vault_certificate" "example" {
name = "generated-cert"
key_vault_id = azurerm_key_vault.example.id
certificate_policy {
issuer_parameters {
name = "Self"
}
key_properties {
exportable = true
key_size = 2048
key_type = "RSA"
reuse_key = true
}
lifetime_action {
action {
action_type = "AutoRenew"
}
trigger {
days_before_expiry = 30
}
}
secret_properties {
content_type = "application/x-pkcs12"
}
x509_certificate_properties {
# Server Authentication = 1.3.6.1.5.5.7.3.1
# Client Authentication = 1.3.6.1.5.5.7.3.2
extended_key_usage = ["1.3.6.1.5.5.7.3.1"]
key_usage = [
"cRLSign","dataEncipherment","digitalSignature","keyAgreement","keyCertSign","keyEncipherment",]
subject_alternative_names {
dns_names = ["internal.contoso.com","domain.hello.world"]
}
subject = "CN=hello-world"
validity_in_months = 12
}
}
}
THis是第二个main.tf(不同状态),用于生成第二个kv并从原始保管库中的秘密导入证书。
provider "azurerm" {
version = "~>2.23.0"
features {}
}
data "azurerm_client_config" "current" {
}
data "azurerm_key_vault" "example" {
name = "pearceckvcertexample"
resource_group_name = "key-vault-certificate-example"
}
// It stores the actual cert as a secret
data "azurerm_key_vault_secret" "example" {
name = "generated-cert"
key_vault_id = data.azurerm_key_vault.example.id
}
data "azurerm_key_vault_certificate" "example" {
name = "generated-cert"
key_vault_id = data.azurerm_key_vault.example.id
}
output "certificate_thumbprint" {
value = data.azurerm_key_vault_certificate.example.thumbprint
}
output "certificate_thumbprint2" {
value = azurerm_key_vault_certificate.example.thumbprint
}
resource "azurerm_resource_group" "example" {
name = "key-vault-certificate-example2"
location = "East US"
}
resource "azurerm_key_vault" "example" {
name = "pearceckvcertexample2"
location = azurerm_resource_group.example.location
resource_group_name = azurerm_resource_group.example.name
tenant_id = data.azurerm_client_config.current.tenant_id
sku_name = "standard"
access_policy {
tenant_id = data.azurerm_client_config.current.tenant_id
object_id = data.azurerm_client_config.current.object_id
certificate_permissions = [
"create",]
}
tags = {
environment = "Production"
}
}
resource "azurerm_key_vault_certificate" "example" {
name = "generated-cert"
key_vault_id = azurerm_key_vault.example.id
certificate {
contents = data.azurerm_key_vault_secret.example.value
}
certificate_policy {
issuer_parameters {
name = "Self"
}
key_properties {
exportable = true
key_size = 2048
key_type = "RSA"
reuse_key = true
}
lifetime_action {
action {
action_type = "AutoRenew"
}
trigger {
days_before_expiry = 30
}
}
secret_properties {
content_type = "application/x-pkcs12"
}
x509_certificate_properties {
# Server Authentication = 1.3.6.1.5.5.7.3.1
# Client Authentication = 1.3.6.1.5.5.7.3.2
extended_key_usage = ["1.3.6.1.5.5.7.3.1"]
key_usage = [
"cRLSign","domain.hello.world"]
}
subject = "CN=hello-world"
validity_in_months = 12
}
}
}
运行结果:
Apply complete! Resources: 3 added,0 changed,0 destroyed.
Outputs:
certificate_thumbprint = 8ADC0C8B2255E7B19FBEFC3B348B7E075D5AB1DA
certificate_thumbprint2 = 8ADC0C8B2255E7B19FBEFC3B348B7E075D5AB1DA
通过添加以下代码可以解决该问题
data "azurerm_key_vault" "New-KV" {
name = "New-KV"
resource_group_name = "New-RG"
}
data "azurerm_key_vault_secret" "Test1-KV" {
name = "Cert"
key_vault_id = data.azurerm_key_vault.existing.id
}
data "azurerm_key_vault_certificate" "Cert" {
name = "Cert"
key_vault_id = data.azurerm_key_vault.existing.id
}
resource "azurerm_key_vault_certificate" "Cert" {
name = "Cert"
key_vault_id = data.azurerm_key_vault.New-KV.id
certificate {
contents = data.azurerm_key_vault_secret.Test1-KV.value
}
certificate_policy {
issuer_parameters {
name = "self" (instead using original issuer use self)
}
key_properties {
exportable = true
key_size = 2048
key_type = "RSA"
reuse_key = true
}
secret_properties {
content_type = "application/x-pkcs12"
}
}
}