个人中心
gpt4 book ai didi

当我重新部署 terraform 代码时,Azure 数据工厂 key 保管库访问策略被删除?

转载 作者:行者123 更新时间:2023-12-02 08:16:55 26 4
gpt4 key购买 nike

我正在尝试使用以下 terraform 代码使用 terraform 创建数据工厂的访问策略。对于首次部署(通过 Azure Devops),一切都很完美。当我在不进行任何更改的情况下重新部署时,我可以看到 terraform 检测到 key 保管库的一些更改,并且完整的 ADF 访问策略已从访问策略中删除。当我再次重新部署时,ADF 访问策略将再次创建。每一次同样的事情都会发生。但每次我的遗嘱文件看起来都一样。

keystore 代码

resource "azurerm_key_vault" "kv" {
  name                        = "${lower("${var.applicationName}-${var.environment}")}-akv"
  location                    = azurerm_resource_group.myresourcegroup.location
  resource_group_name         = azurerm_resource_group.myresourcegroup.name
  enabled_for_disk_encryption = true
  tenant_id                   = data.azurerm_client_config.current.tenant_id
  sku_name                    = var.skuname
  purge_protection_enabled    = false
    
   access_policy {
    tenant_id = data.azurerm_client_config.current.tenant_id
    object_id = data.azurerm_client_config.current.object_id

    key_permissions = [
      "Get","List","Create"
    ]

    secret_permissions =  [ "Backup", "Delete", "Get", "List", "Recover", "Restore", "Set", "Purge"]
    storage_permissions = [ "Get","List","Set"]

  }
    
    access_policy {
    tenant_id = data.azurerm_client_config.current.tenant_id
    object_id = var.group_object_id

    key_permissions = [
            "Get","List","Create"
    ]

    secret_permissions =  [
        "Backup", "Delete", "Get", "List", "Recover", "Restore", "Set", "Purge"
    ]
    storage_permissions = [ 
       "Get","List","Set"
    ]

  }

      
    network_acls {
    bypass         = "AzureServices"
    default_action = "Deny"
    ip_rules       = ["198....."]
  }
}

数据工厂访问策略的代码。

resource "azurerm_key_vault_access_policy" "adfpolicy" {
key_vault_id = azurerm_key_vault.kv.id
tenant_id = data.azurerm_client_config.current.tenant_id
object_id = azurerm_data_factory.adf.identity[0].principal_id
     key_permissions = [
    "Get", "Create", "List", "Restore", "Recover", "Unwrapkey", "Wrapkey", "Purge", "Encrypt", "Decrypt", "Sign", "Verify"
    ]
    secret_permissions = [
    "Get", "List"
    ]
    depends_on = [azurerm_resource_group.myresourcegroup, azurerm_virtual_network.vnet, azurerm_subnet.public_subnet, azurerm_key_vault.kv, azurerm_data_factory.adf]
}

数据工厂代码

resource "azurerm_data_factory" "adf" {
  name                = "${var.applicationName}-${var.environment}-adf"
  location            = azurerm_resource_group.myresourcegroup.location
  resource_group_name = azurerm_resource_group.myresourcegroup.name
    
identity {
    type = "SystemAssigned,UserAssigned"
    identity_ids = [azurerm_user_assigned_identity.base.id]
 }
    
}

最佳答案

根据azurerm_key_vault | Resources | hashicorp/azurerm | Terraform Registry

We can define Key Vault Access Policies in two ways i.e,one in theazurerm_key_vault resource via the access_policy block and the otherby the azurerm_key_vault_access_policy resource. But using both theways may lead to conflicts.

所以请检查这种情况。还可以尝试通过 azurerm_key_vault_access_policy 定义策略仅资源而不是在 azurerm_key_vault module 内本身。

还尝试看看是否可以使用条件条件(for_each 和 if )仅在访问策略发生变化时更新它,而在一切都相同时不应用。

引用文献:

  1. terraform-provider-azurerm/issues
  2. terraform-importing-multiple-azure-keyvault-access-policies

关于当我重新部署 terraform 代码时,Azure 数据工厂 key 保管库访问策略被删除?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/72801324/

26 4 0
文章推荐: c# - 系统参数异常 : Format of the initialization string does not conform to specification starting at index 197?
文章推荐: azure - 数据工厂数据流 - 路径未解析为任何文件
文章推荐: Azure 函数失败和警告
文章推荐: azure - New-PSDrive 对其他 shell 不可见,与 MS 文档相反
行者123
个人简介

我是一名优秀的程序员,十分优秀!

滴滴打车优惠券免费领取
滴滴打车优惠券
全站热门文章
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com