当我重新部署 terraform 代码时，Azure 数据工厂 key 保管库访问策略被删除？

Question

我正在尝试使用以下 terraform 代码使用 terraform 创建数据工厂的访问策略。对于首次部署(通过 Azure Devops)，一切都很完美。当我在不进行任何更改的情况下重新部署时，我可以看到 terraform 检测到 key 保管库的一些更改，并且完整的 ADF 访问策略已从访问策略中删除。当我再次重新部署时，ADF 访问策略将再次创建。每一次同样的事情都会发生。但每次我的遗嘱文件看起来都一样。

keystore 代码

resource "azurerm_key_vault" "kv" {
  name                        = "${lower("${var.applicationName}-${var.environment}")}-akv"
  location                    = azurerm_resource_group.myresourcegroup.location
  resource_group_name         = azurerm_resource_group.myresourcegroup.name
  enabled_for_disk_encryption = true
  tenant_id                   = data.azurerm_client_config.current.tenant_id
  sku_name                    = var.skuname
  purge_protection_enabled    = false
    
   access_policy {
    tenant_id = data.azurerm_client_config.current.tenant_id
    object_id = data.azurerm_client_config.current.object_id

    key_permissions = [
      "Get","List","Create"
    ]

    secret_permissions =  [ "Backup", "Delete", "Get", "List", "Recover", "Restore", "Set", "Purge"]
    storage_permissions = [ "Get","List","Set"]

  }
    
    access_policy {
    tenant_id = data.azurerm_client_config.current.tenant_id
    object_id = var.group_object_id

    key_permissions = [
            "Get","List","Create"
    ]

    secret_permissions =  [
        "Backup", "Delete", "Get", "List", "Recover", "Restore", "Set", "Purge"
    ]
    storage_permissions = [ 
       "Get","List","Set"
    ]

  }

      
    network_acls {
    bypass         = "AzureServices"
    default_action = "Deny"
    ip_rules       = ["198....."]
  }
}

数据工厂访问策略的代码。

resource "azurerm_key_vault_access_policy" "adfpolicy" {
key_vault_id = azurerm_key_vault.kv.id
tenant_id = data.azurerm_client_config.current.tenant_id
object_id = azurerm_data_factory.adf.identity[0].principal_id
     key_permissions = [
    "Get", "Create", "List", "Restore", "Recover", "Unwrapkey", "Wrapkey", "Purge", "Encrypt", "Decrypt", "Sign", "Verify"
    ]
    secret_permissions = [
    "Get", "List"
    ]
    depends_on = [azurerm_resource_group.myresourcegroup, azurerm_virtual_network.vnet, azurerm_subnet.public_subnet, azurerm_key_vault.kv, azurerm_data_factory.adf]
}

数据工厂代码

resource "azurerm_data_factory" "adf" {
  name                = "${var.applicationName}-${var.environment}-adf"
  location            = azurerm_resource_group.myresourcegroup.location
  resource_group_name = azurerm_resource_group.myresourcegroup.name
    
identity {
    type = "SystemAssigned,UserAssigned"
    identity_ids = [azurerm_user_assigned_identity.base.id]
 }
    
}

Answer 1

根据azurerm_key_vault | Resources | hashicorp/azurerm | Terraform Registry

We can define Key Vault Access Policies in two ways i.e,one in theazurerm_key_vault resource via the access_policy block and the otherby the azurerm_key_vault_access_policy resource. But using both theways may lead to conflicts.

所以请检查这种情况。还可以尝试通过 azurerm_key_vault_access_policy 定义策略仅资源而不是在 azurerm_key_vault module 内本身。

还尝试看看是否可以使用条件条件(for_each 和 if )仅在访问策略发生变化时更新它，而在一切都相同时不应用。

引用文献:

1. terraform-provider-azurerm/issues
2. terraform-importing-multiple-azure-keyvault-access-policies