Azurerm: KeyVault Nested Item should contain 2 or 3 segments, got 10



I get the following error message:

Error: parsing "/subscriptions/<subscription_id>/resourceGroups/<resource_group_name>/providers/Microsoft.Network/applicationGateways/<app_gateway_name>/sslCertificates/<cert_name>": KeyVault Nested Item should contain 2 or 3 segments, got 10 from "subscriptions/<subscription_id>/resourceGroups/<resource_group_name>/providers/Microsoft.Network/applicationGateways/<app_gateway_name>/sslCertificates/<cert_name>"

I assume the key part of the error is "KeyVault Nested Item should contain 2 or 3 segments", but I don't know what that means.

What I am trying to do:

Create an Application Gateway resource with an HTTPS (443) listener via Terraform (azurerm). I uploaded the certificate to Azure Key Vault (using vault access policies) and created a managed identity to access that certificate. In the portal, I can set up the listener with HTTPS using the managed identity and the certificate without any problem. Everything works as expected.

However, when I try to do the same thing in Terraform, I get the error above.

This is what I have:

data "azurerm_key_vault" "cert_store" {
  name                = "certstore"
  resource_group_name = local.resource_group.name
}

data "azurerm_key_vault_certificate" "tls_cert" {
  name         = "tls_cert"
  key_vault_id = data.azurerm_key_vault.cert_store.id
}

resource "azurerm_application_gateway" "app_gateway" {
  name                = "app_gateway1"
  resource_group_name = local.resource_group.name
  location            = local.resource_group.location

  sku {
    name     = var.gateway_vars.sku.name
    tier     = var.gateway_vars.sku.tier
    capacity = 2
  }

  gateway_ip_configuration {
    name      = "${var.gateway_vars.name}-ip-configuration"
    subnet_id = data.azurerm_subnet.gateway_subnet.id
  }

  frontend_port {
    name = "port_80"
    port = 80
  }

  frontend_port {
    name = "port_443"
    port = 443
  }

  identity {
    type = "UserAssigned"
    identity_ids = [
      azurerm_user_assigned_identity.app_gateway_managed_identity.id
    ]
  }

  # The data source declared above is named "tls_cert"; referencing it as
  # "cert_store" would be an undeclared resource. Passing its versioned id
  # here is what triggers the error described in the question.
  ssl_certificate {
    key_vault_secret_id = data.azurerm_key_vault_certificate.tls_cert.id
    name                = "tls_cert"
  }

  frontend_ip_configuration {
    name                 = "frontendIp"
    public_ip_address_id = azurerm_public_ip.app_gateway.id
  }

  backend_address_pool {
    name  = "frontend-pool"
    fqdns = ["fqdn.com"]
  }

  # https settings - used to connect to backend services via https
  backend_http_settings {
    name                                = "https"
    cookie_based_affinity               = "Disabled"
    port                                = 443
    protocol                            = "Https"
    request_timeout                     = 60
    path                                = "/"
    pick_host_name_from_backend_address = true
  }

  http_listener {
    name                           = "http80-listener"
    frontend_ip_configuration_name = "frontendIp"
    frontend_port_name             = "port_80"
    protocol                       = "Http"
  }

  http_listener {
    name                           = "https443-listener"
    frontend_ip_configuration_name = "frontendIp"
    frontend_port_name             = "port_443"
    protocol                       = "Https"
    ssl_certificate_name           = "tls_cert"
    require_sni                    = false
  }

  url_path_map {
    name                               = "path-map"
    default_backend_address_pool_name  = "frontend-pool"
    default_backend_http_settings_name = "https"

    path_rule {
      name                       = "xx"
      paths                      = ["/path"]
      backend_address_pool_name  = "frontend-pool"
      backend_http_settings_name = "https"
    }
  }

  request_routing_rule {
    name               = "tdr-routing-rule-443"
    rule_type          = "PathBasedRouting"
    http_listener_name = "https443-listener"
    url_path_map_name  = "path-map"
  }
}

So after I posted this, a colleague got in touch and said he had seen something similar a while ago. Found here:

https://github.com/hashicorp/terraform-provider-azurerm/issues/6188

The problem is the version of the referenced certificate. I guess it doesn't know which version of the certificate to use, so I had to tell it which one. In the Application Gateway resource block, inside the ssl_certificate block, I used the trimsuffix function:

# Strips the version from the secret id, leaving the versionless secret URL
# (with a trailing slash). No "${...}" wrapper is needed around a plain value.
ssl_certificate {
  name                = "tls_cert"
  key_vault_secret_id = trimsuffix(data.azurerm_key_vault_secret.certificate_secret.id, data.azurerm_key_vault_secret.certificate_secret.version)
}

Second, I had to use azurerm_key_vault_secret instead of azurerm_key_vault_certificate, like this:

data "azurerm_key_vault_secret" "certificate_secret" {
  name         = "name_of_cert"
  key_vault_id = data.azurerm_key_vault.cert_store.id
}

After that, it seemed to work. I still don't fully understand why a Key Vault secret wins over a Key Vault certificate when trying to get the certificate, but :shrug:.

I solved the same problem, but slightly differently:

First, use azurerm_key_vault_certificate:

data "azurerm_key_vault_certificate" "ssl_certificate" {
  name         = "certificatename"
  key_vault_id = data.azurerm_key_vault.kv.id
}

and reference the versionless secret id inside the azurerm_application_gateway resource:

# The data source above is named "ssl_certificate", so it must be
# referenced by that name, not by the certificate's name.
ssl_certificate {
  name                = "certificatename"
  key_vault_secret_id = data.azurerm_key_vault_certificate.ssl_certificate.versionless_secret_id
}
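A consolidated configuration showing the pieces both answers rely on, added here as an example and not taken from the question or either answer: the user-assigned identity, an access policy granting it only Get on secrets, the certificate data source, and the ssl_certificate block using versionless_secret_id. Resource group, location, vault, certificate and identity names, the two input variables, and the backend FQDN are placeholders; the listener and routing blocks are reduced to a single HTTPS listener with a basic rule.

```hcl
# Added example, not code from the question or either answer. Names are placeholders.

variable "subnet_id" { type = string }            # subnet dedicated to the gateway
variable "public_ip_address_id" { type = string } # Standard SKU public IP

data "azurerm_client_config" "current" {}

data "azurerm_key_vault" "cert_store" {
  name                = "certstore"
  resource_group_name = "example-rg"
}

# Identity the gateway presents to Key Vault when it fetches the certificate.
resource "azurerm_user_assigned_identity" "app_gateway" {
  name                = "app-gateway-identity"
  resource_group_name = "example-rg"
  location            = "westeurope"
}

# The gateway reads the certificate through the vault's secrets endpoint, so the
# identity needs Get on secrets; certificate permissions alone do not help.
# Grant nothing beyond Get: the gateway never lists or writes secrets.
resource "azurerm_key_vault_access_policy" "app_gateway" {
  key_vault_id       = data.azurerm_key_vault.cert_store.id
  tenant_id          = data.azurerm_client_config.current.tenant_id
  object_id          = azurerm_user_assigned_identity.app_gateway.principal_id
  secret_permissions = ["Get"]
}

data "azurerm_key_vault_certificate" "tls_cert" {
  name         = "tls_cert"
  key_vault_id = data.azurerm_key_vault.cert_store.id
}

resource "azurerm_application_gateway" "app_gateway" {
  name                = "app_gateway1"
  resource_group_name = "example-rg"
  location            = "westeurope"

  # Key Vault certificate references require a v2 SKU.
  sku {
    name     = "Standard_v2"
    tier     = "Standard_v2"
    capacity = 2
  }

  identity {
    type         = "UserAssigned"
    identity_ids = [azurerm_user_assigned_identity.app_gateway.id]
  }

  # versionless_secret_id is https://<vault>.vault.azure.net/secrets/tls_cert,
  # i.e. the 2-segment form the provider accepts; the gateway then picks up
  # certificate rotation in the vault instead of being pinned to one version.
  ssl_certificate {
    name                = "tls_cert"
    key_vault_secret_id = data.azurerm_key_vault_certificate.tls_cert.versionless_secret_id
  }

  gateway_ip_configuration {
    name      = "gateway-ip-configuration"
    subnet_id = var.subnet_id
  }

  frontend_port {
    name = "port_443"
    port = 443
  }

  frontend_ip_configuration {
    name                 = "frontendIp"
    public_ip_address_id = var.public_ip_address_id
  }

  backend_address_pool {
    name  = "backend-pool"
    fqdns = ["backend.example.com"]
  }

  backend_http_settings {
    name                                = "https"
    cookie_based_affinity               = "Disabled"
    port                                = 443
    protocol                            = "Https"
    request_timeout                     = 60
    pick_host_name_from_backend_address = true
  }

  http_listener {
    name                           = "https443-listener"
    frontend_ip_configuration_name = "frontendIp"
    frontend_port_name             = "port_443"
    protocol                       = "Https"
    ssl_certificate_name           = "tls_cert"
  }

  request_routing_rule {
    name                       = "https-rule"
    rule_type                  = "Basic"
    priority                   = 100
    http_listener_name         = "https443-listener"
    backend_address_pool_name  = "backend-pool"
    backend_http_settings_name = "https"
  }

  # The gateway fetches the secret during deployment and fails if the identity
  # cannot read it yet, so create the access policy first.
  depends_on = [azurerm_key_vault_access_policy.app_gateway]
}
```

If the vault uses Azure RBAC instead of access policies, replace the azurerm_key_vault_access_policy resource with a role assignment of "Key Vault Secrets User" on the vault for the identity's principal_id; the rest is unchanged.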
