azure - 使用 terraform 轮换 Azure 存储帐户访问 key

Question

我有以下要求。

1. 通过 terraform 轮换存储帐户访问 key (primary_access_key 和 secondary_access_key)。
2. 将新生成的 key 作为新版本添加到在 keyvault 中为主访问 key 和辅助访问 key 创建的 Secrets 中。

resource "azurerm_storage_account" "example" {
  name                     = "storageaccrotatekeys"
  resource_group_name      = "accessrotate"
  location                 = "East US"
  account_tier             = "Standard"
  account_replication_type = "LRS"
  public_network_access_enabled = false
}

下面的azure_storage_account资源仅包含过于敏感值的primary_access_key和 secondary_access_key属性。我找不到任何旋转 key 的选项。请帮忙 https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account#import

Answer 1

terraform 可能不会直接轮换访问 key 据我所知但是请检查可以在资源中给出的这个 customer_management_key block azurerm_storage_account block ，其中可以使用 keyvaultId 和 version 启用自动轮换。此 customer_managed_key 包含参数 key_version，该参数是可选的，用于提及 Key Vault Key 的版本。要启用自动 key 轮换，您可以避免此选项。

• 要手动轮换，请在 block 中提供版本 key_version。
• 如果为 customer_management_key 创建单独的 block ，您可以提供必需的参数 key_vault_key_id，其中提供无版本 key ID 将启用此 key 的自动轮换。

Note: customer_managed_key needs account_kind to be StorageV2 UserAssigned as the identity type.

代码:来自 azurerm_storage_account_customer_managed_key | Resources | hashicorp/azurerm | Terraform Registry

provider "azurerm" {
  features {
resource_group {
  prevent_deletion_if_contains_resources = false
  }

}
}

resource "azurerm_resource_group" "example" {
  name     = "<resource group>"  
 location = "westus2"
}

provider "azurerm" {
 features {}
 alias = "cloud_operations"
}

data "azurerm_client_config" "current" {}



resource "azurerm_key_vault" "example" {
  name                = "ka-examplekv"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "standard"

  purge_protection_enabled = true
}

resource "azurerm_key_vault_access_policy" "storage" {
  key_vault_id = azurerm_key_vault.example.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = azurerm_storage_account.example.identity.0.principal_id
  key_permissions    = ["Get", "Create", "List", "Restore", "Recover", "UnwrapKey", "WrapKey", "Purge", "Encrypt", "Decrypt", "Sign", "Verify"]
  secret_permissions = ["Get"]

}

resource "azurerm_key_vault_access_policy" "client" {
  key_vault_id = azurerm_key_vault.example.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = data.azurerm_client_config.current.object_id

  key_permissions    = ["Get", "Create", "Delete", "List", "Restore", "Recover", "UnwrapKey", "WrapKey", "Purge", "Encrypt", "Decrypt", "Sign", "Verify"]
  secret_permissions = ["Get","List"]
}


resource "azurerm_key_vault_key" "example" {
  name         = "ka-tfexkey"
  key_vault_id = azurerm_key_vault.example.id
  key_type     = "RSA"
  key_size     = 2048
  key_opts     = ["decrypt", "encrypt", "sign", "unwrapKey", "verify", "wrapKey"]

  depends_on = [
    azurerm_key_vault_access_policy.client,
    azurerm_key_vault_access_policy.storage,
  ]
}


resource "azurerm_storage_account" "example" {
  name                     = "kaexamplestor"
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "GRS"

  identity {
    type = "SystemAssigned"
  }
}

resource "azurerm_storage_account_customer_managed_key" "example" {
  storage_account_id = azurerm_storage_account.example.id
  key_vault_id       = azurerm_key_vault.example.id
  key_name           = azurerm_key_vault_key.example.name
}

另请检查此time rotaing resource它会旋转 Terraform 状态中存储的 UTC 时间戳，并在本地存储源中的当前时间超出旋转时间时重新创建资源。仅当执行 Terraform 时才会发生这种情况

引用: customer_managed_key in azurerm_storage_account | Resources | hashicorp/azurerm | Terraform Registry