问题描述
我的terraform设计依赖于预先设置的密钥库,其中包含应用程序服务要使用的机密。我将此密钥保管库导入了远程状态。我可以看到它已导入。现在,当我运行terraform Plan时,它的作用就好像它不了解导入的资源一样。
这是我的地形外观
class User(AbstractUser):
groups = models.ManyToManyField(
Group,verbose_name=_('groups'),blank=True,help_text=_(
'The groups this user belongs to. A user will get all permissions '
'granted to each of their groups.'
),related_name="user_set",related_query_name="user",through="UserGroups"
)
class UserGroups(models.Model):
user = models.ForeignKey(User,on_delete=models.CASCADE)
group = models.ForeignKey(Group,on_delete=models.CASCADE)
organization = models.ForeignKey(Organization,on_delete=models.CASCADE,null=True)
在模块内部为应用程序服务添加访问策略
provider "azurerm" {
version="=2.20.0"
skip_provider_registration="true"
features{}
}
terraform {
backend "azurerm" {}
}
resource "azurerm_key_vault" "kv" {
name = "${var.env}ActicoDQM-kv"
}
module "app_service_plan"{
source = "./modules/app-service-plan"
...redacted for brevity
tags = var.tags
}
module "app-service"{
source = "./modules/app-service"
...redacted for brevity
tags = var.tags
key_vault_id = azurerm_key_vault.kv.key_vault_id
}
在我的理解中似乎缺少一些联系,因为现在当我这样做
resource "azurerm_app_service" "app" {
... redacted for brevity
}
identity {
type = "SystemAssigned"
}
}
resource "azurerm_key_vault_access_policy" "app" {
key_vault_id = var.key_vault_id
tenant_id = azurerm_app_service.app.identity[0].tenant_id
object_id = azurerm_app_service.app.identity[0].principal_id
secret_permissions = ["get","list"]
}
它好像不了解导入的密钥库一样
terraform plan
解决方法
即使要将现有的密钥库导入到Terraform状态,也需要根据keyvault resource docs完全定义所有必需的参数。
您的密钥库资源至少应指定以下参数:
resource "azurerm_key_vault" "kv" {
name = "${var.env}ActicoDQM-kv"
location = ..
resource_group_name = ..
sku_name = "standard" or "premium"
tenant_id = data.azurerm_client_config.current.tenant_id
}
您可以使用数据资源公开tenant_id:
data "azurerm_client_config" "current" {
}