Terraform Key Vault access policy

I am trying to automate the creation of a key vault, a storage account, and a key to encrypt the storage. The block of code looks like this:
```hcl
resource "azurerm_key_vault_access_policy" "storage" {
  for_each     = toset(var.storage-foreach)
  key_vault_id = azurerm_key_vault.tenantsnbshared.id
  tenant_id    = "<tenant-id>"
  object_id    = azurerm_storage_account.storage-foreach[each.value]
  key_permissions    = ["get", "create", "list", "restore", "recover", "unwrapkey", "wrapkey", "purge", "encrypt", "decrypt", "sign", "verify"]
  secret_permissions = ["get"]
  depends_on         = [azurerm_storage_account.storage-foreach]
}

resource "azurerm_key_vault" "tenantsnbshared" {
  location                        = var.location
  name                            = "tenantsnbshared"
  resource_group_name             = azurerm_resource_group.tenant-testing-test.name
  sku_name                        = "standard"
  tenant_id                       = "tenant-id"
  enabled_for_deployment          = false
  enabled_for_disk_encryption     = false
  enabled_for_template_deployment = false
  purge_protection_enabled        = true
  soft_delete_enabled             = true

  access_policy {
    object_id = "my-obj-id"
    tenant_id = "tenant-id"
    secret_permissions = [
      "Get",
      "List",
      "Set",
      "Delete",
      "Recover",
      "Backup",
      "Restore",
      "Purge"
    ]
    key_permissions = [
      "Get",
      "List",
      "Update",
      "Create",
      "Import",
      "Delete",
      "Recover",
      "Backup",
      "Restore",
      "Purge",
      "encrypt",
      "decrypt",
      "sign",
      "verify"
    ]
    certificate_permissions = [
      "Get",
      "List",
      "Update",
      "Create",
      "Import",
      "Delete",
      "Recover",
      "Backup",
      "Restore",
      "ManageContacts",
      "ManageIssuers",
      "GetIssuers",
      "ListIssuers",
      "SetIssuers",
      "DeleteIssuers",
    ]
  }

  tags = {
    "Owner" : "test"
  }
}

resource "azurerm_storage_account" "storage-foreach" {
  for_each                 = toset(var.storage-foreach)
  access_tier              = "Hot"
  account_kind             = "StorageV2"
  account_replication_type = "LRS"
  account_tier             = "Standard"
  location                 = var.location
  name                     = each.value
  resource_group_name      = azurerm_resource_group.tenant-testing-hamza.name

  identity {
    type = "SystemAssigned"
  }

  lifecycle {
    prevent_destroy = false
  }
}
```
You should assign the storage account's object ID (the principal ID of its system-assigned identity) to the Key Vault access policy. Change the access policy resource to the following:

```hcl
resource "azurerm_key_vault_access_policy" "storage" {
  for_each = toset(var.storage-foreach)
  ...
  # principal_id is exported by the storage account's identity block
  object_id = azurerm_storage_account.storage-foreach[each.value].identity[0].principal_id
  ...
}
```
That's what is needed.. it points to the first identity of the storage account, not to the storage account itself..

OK, got it. In that case I had no idea at all. No problem..

Just in case, I'll leave an azurerm_key_vault_access_policy example here:

Sorry, I was about to head home. I tried the code and got the following error:

```
on main.tf line 21, in resource "azurerm_key_vault_access_policy" "storage":
  21:   depends_on = [azurerm_storage_account.storage-foreach[each.value]]

A static variable reference is required: Only attribute access and indexing with constant keys. No calculations, function calls, template expressions, etc are allowed here.
```

Hmm, OK.. I think you can simply remove the depends_on block.. since the storage account's object id is assigned to the access policy, there is already an implicit dependency between the access policy and the storage account..

```hcl
resource "azurerm_key_vault_access_policy" "storage" {
  for_each = toset(var.storage-foreach)
  ...
  object_id = azurerm_storage_account.storage-foreach[each.value].identity[0].principal_id
  ...
}
```
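The complete corrected wiring, as an added example rather than the asker's or answerer's code: it reuses the question's variable, key vault and resource group names, narrows the storage identity's key permissions to what customer-managed-key encryption actually needs, and adds the `azurerm_key_vault_key` and `azurerm_storage_account_customer_managed_key` resources (the key name `storage-cmk` is an assumption) that the question's snippet stops short of.

```hcl
# Added example; names other than those in the question are assumed.
resource "azurerm_storage_account" "storage-foreach" {
  for_each                 = toset(var.storage-foreach)
  name                     = each.value
  resource_group_name      = azurerm_resource_group.tenant-testing-test.name
  location                 = var.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
  account_kind             = "StorageV2"

  # principal_id of a system-assigned identity is only known after apply,
  # so the access policy must read it from this identity block.
  identity {
    type = "SystemAssigned"
  }
}

resource "azurerm_key_vault_access_policy" "storage" {
  for_each     = toset(var.storage-foreach)
  key_vault_id = azurerm_key_vault.tenantsnbshared.id
  tenant_id    = azurerm_storage_account.storage-foreach[each.value].identity[0].tenant_id
  object_id    = azurerm_storage_account.storage-foreach[each.value].identity[0].principal_id

  # Least privilege: the storage service only reads the key and wraps/unwraps
  # the data-encryption key. No depends_on needed; the reference orders it.
  key_permissions = ["Get", "WrapKey", "UnwrapKey"]
}

# Azure requires soft delete and purge protection on the vault (both set
# in the question's azurerm_key_vault) before a key can encrypt storage.
resource "azurerm_key_vault_key" "storage-cmk" {
  name         = "storage-cmk"
  key_vault_id = azurerm_key_vault.tenantsnbshared.id
  key_type     = "RSA"
  key_size     = 2048
  key_opts     = ["wrapKey", "unwrapKey"]
}

resource "azurerm_storage_account_customer_managed_key" "storage" {
  for_each           = toset(var.storage-foreach)
  storage_account_id = azurerm_storage_account.storage-foreach[each.value].id
  key_vault_id       = azurerm_key_vault.tenantsnbshared.id
  key_name           = azurerm_key_vault_key.storage-cmk.name

  # Explicit dependency: nothing here references the access policy, so
  # without it the key may be enabled before the identity has access.
  depends_on = [azurerm_key_vault_access_policy.storage]
}
```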