Azure Data Factory Key Vault access policy gets deleted when I redeploy my Terraform code?



I am trying to create a Data Factory access policy with Terraform using the code below. On the first deployment (through Azure DevOps) everything is created perfectly. When I redeploy without making any changes, I can see Terraform detecting some changes to the Key Vault, and the entire ADF access policy is removed from the access policies. When I redeploy once more, the ADF access policy is created again. It is the same every time, yet my configuration files look the same each time.

Key Vault code

resource "azurerm_key_vault" "kv" {
  name                        = "${lower("${var.applicationName}-${var.environment}")}-akv"
  location                    = azurerm_resource_group.myresourcegroup.location
  resource_group_name         = azurerm_resource_group.myresourcegroup.name
  enabled_for_disk_encryption = true
  tenant_id                   = data.azurerm_client_config.current.tenant_id
  sku_name                    = var.skuname
  purge_protection_enabled    = false

  # Inline policy for the identity running the deployment
  access_policy {
    tenant_id = data.azurerm_client_config.current.tenant_id
    object_id = data.azurerm_client_config.current.object_id

    key_permissions = [
      "Get", "List", "Create"
    ]
    secret_permissions = [
      "Backup", "Delete", "Get", "List", "Recover", "Restore", "Set", "Purge"
    ]
    storage_permissions = [
      "Get", "List", "Set"
    ]
  }

  # Inline policy for an Azure AD group
  access_policy {
    tenant_id = data.azurerm_client_config.current.tenant_id
    object_id = var.group_object_id

    key_permissions = [
      "Get", "List", "Create"
    ]
    secret_permissions = [
      "Backup", "Delete", "Get", "List", "Recover", "Restore", "Set", "Purge"
    ]
    storage_permissions = [
      "Get", "List", "Set"
    ]
  }

  network_acls {
    bypass         = "AzureServices"
    default_action = "Deny"
    ip_rules       = ["198....."]
  }
}

Data Factory access policy code

resource "azurerm_key_vault_access_policy" "adfpolicy" {
  key_vault_id = azurerm_key_vault.kv.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  # System-assigned managed identity of the Data Factory
  object_id    = azurerm_data_factory.adf.identity[0].principal_id

  key_permissions = [
    "Get", "Create", "List", "Restore", "Recover", "Unwrapkey", "Wrapkey", "Purge", "Encrypt", "Decrypt", "Sign", "Verify"
  ]
  secret_permissions = [
    "Get", "List"
  ]

  depends_on = [
    azurerm_resource_group.myresourcegroup,
    azurerm_virtual_network.vnet,
    azurerm_subnet.public_subnet,
    azurerm_key_vault.kv,
    azurerm_data_factory.adf
  ]
}

Data Factory code

resource "azurerm_data_factory" "adf" {
  name                = "${var.applicationName}-${var.environment}-adf"
  location            = azurerm_resource_group.myresourcegroup.location
  resource_group_name = azurerm_resource_group.myresourcegroup.name

  identity {
    type         = "SystemAssigned, UserAssigned"
    identity_ids = [azurerm_user_assigned_identity.base.id]
  }
}

According to azurerm_key_vault | Resources | hashicorp/azurerm | Terraform Registry:

We can define Key Vault access policies in two ways: inside the azurerm_key_vault resource through the access_policy block, or through the separate azurerm_key_vault_access_policy resource. Using both methods at the same time may cause conflicts.

So please check for this situation, and try defining the policies only through the azurerm_key_vault_access_policy resource rather than inside the azurerm_key_vault module itself.

Also try to see whether you can use a conditional (for_each / if) so that the access policy is updated only when something changes and nothing is applied when everything is the same.

References:

  1. terraform-provider-azurerm issues (GitHub)
  2. terraform-importing-multiple-azure-keyvault-access-policies
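The flip-flop in the question is what the answer's warning about mixing the two methods looks like in practice: the inline access_policy blocks make Terraform treat the Key Vault's policy set as exactly those two entries, so the policy added by the standalone resource shows up as drift on the next plan and is removed, and on the run after that the standalone resource is missing and is re-created. The configuration below is an added example (not the code of the question or of the answer) of laying things out so that every policy is owned by exactly one resource; it reuses the names from the question (myresourcegroup, adf, kv, var.group_object_id) and assumes a var.allowed_ips variable in place of the redacted ip_rules value.

```hcl
# Added example, not the original question's code: manage every access policy
# through azurerm_key_vault_access_policy and keep azurerm_key_vault free of
# inline access_policy blocks, so repeated applies produce no diff.

data "azurerm_client_config" "current" {}

resource "azurerm_key_vault" "kv" {
  name                        = "${lower("${var.applicationName}-${var.environment}")}-akv"
  location                    = azurerm_resource_group.myresourcegroup.location
  resource_group_name         = azurerm_resource_group.myresourcegroup.name
  tenant_id                   = data.azurerm_client_config.current.tenant_id
  sku_name                    = var.skuname
  enabled_for_disk_encryption = true
  purge_protection_enabled    = false

  # Deliberately no access_policy block here: the policy set is owned entirely
  # by the azurerm_key_vault_access_policy resources below, so a policy that
  # was not declared inline is never seen as drift to be deleted.

  network_acls {
    bypass         = "AzureServices"
    default_action = "Deny"
    ip_rules       = var.allowed_ips # assumed variable; the question redacts the real IP
  }
}

# Human/pipeline principals that manage secrets, keyed by a stable label so
# that adding or removing one touches a single instance, not the whole set.
locals {
  secret_managers = {
    deployer = data.azurerm_client_config.current.object_id
    team     = var.group_object_id
  }
}

resource "azurerm_key_vault_access_policy" "managers" {
  for_each = local.secret_managers

  key_vault_id = azurerm_key_vault.kv.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = each.value

  key_permissions     = ["Get", "List", "Create"]
  secret_permissions  = ["Backup", "Delete", "Get", "List", "Recover", "Restore", "Set", "Purge"]
  storage_permissions = ["Get", "List", "Set"]
}

# Data Factory's system-assigned identity. A workload that only reads secrets
# and unwraps keys needs far less than the full list in the question; widen
# this only when a specific linked service requires it.
resource "azurerm_key_vault_access_policy" "adfpolicy" {
  key_vault_id = azurerm_key_vault.kv.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = azurerm_data_factory.adf.identity[0].principal_id

  # azurerm provider 3.x validates these names case-sensitively ("WrapKey", "UnwrapKey").
  key_permissions    = ["Get", "List", "WrapKey", "UnwrapKey"]
  secret_permissions = ["Get", "List"]
}
```

The "apply only when something changed" idea from the answer does not need a for_each condition once the ownership is fixed; in the Azure DevOps pipeline, run `terraform plan -detailed-exitcode` and gate the apply stage on exit code 2 (changes present). With the layout above, a second run against an unchanged configuration should exit 0, and any non-zero plan on an untouched vault is a signal that something outside Terraform edited the policies and is worth investigating rather than silently re-applying.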
