gpt4 book ai didi

azure - 使用 terraform 轮换 Azure 存储帐户访问 key

转载 作者:行者123 更新时间:2023-12-02 23:55:01 30 4
gpt4 key购买 nike

我有以下要求。

  1. 通过 terraform 轮换存储帐户访问 key (primary_access_key 和 secondary_access_key)。
  2. 将新生成的 key 作为新版本添加到在 keyvault 中为主访问 key 和辅助访问 key 创建的 Secrets 中。
resource "azurerm_storage_account" "example" {
name = "storageaccrotatekeys"
resource_group_name = "accessrotate"
location = "East US"
account_tier = "Standard"
account_replication_type = "LRS"
public_network_access_enabled = false
}

下面的azure_storage_account资源仅包含过于敏感值的primary_access_key secondary_access_key属性。我找不到任何旋转 key 的选项。请帮忙 https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account#import

最佳答案

terraform 可能不会直接轮换访问 key 据我所知但是请检查可以在资源中给出的这个 customer_management_key block azurerm_storage_account block ,其中可以使用 keyvaultId 和 version 启用自动轮换。此 customer_managed_key 包含参数 key_version,该参数是可选的,用于提及 Key Vault Key 的版本。要启用自动 key 轮换,您可以避免此选项。

  • 要手动轮换,请在 block 中提供版本 key_version。
  • 如果为 customer_management_key 创建单独的 block ,您可以提供必需的参数 key_vault_key_id,其中提供无版本 key ID 将启用此 key 的自动轮换。

Note: customer_managed_key needs account_kind to be StorageV2 UserAssigned as the identity type.

代码:来自 azurerm_storage_account_customer_managed_key | Resources | hashicorp/azurerm | Terraform Registry

provider "azurerm" {
features {
resource_group {
prevent_deletion_if_contains_resources = false
}

}
}

resource "azurerm_resource_group" "example" {
name = "<resource group>"
location = "westus2"
}

provider "azurerm" {
features {}
alias = "cloud_operations"
}

data "azurerm_client_config" "current" {}



resource "azurerm_key_vault" "example" {
name = "ka-examplekv"
location = azurerm_resource_group.example.location
resource_group_name = azurerm_resource_group.example.name
tenant_id = data.azurerm_client_config.current.tenant_id
sku_name = "standard"

purge_protection_enabled = true
}

resource "azurerm_key_vault_access_policy" "storage" {
key_vault_id = azurerm_key_vault.example.id
tenant_id = data.azurerm_client_config.current.tenant_id
object_id = azurerm_storage_account.example.identity.0.principal_id
key_permissions = ["Get", "Create", "List", "Restore", "Recover", "UnwrapKey", "WrapKey", "Purge", "Encrypt", "Decrypt", "Sign", "Verify"]
secret_permissions = ["Get"]

}

resource "azurerm_key_vault_access_policy" "client" {
key_vault_id = azurerm_key_vault.example.id
tenant_id = data.azurerm_client_config.current.tenant_id
object_id = data.azurerm_client_config.current.object_id

key_permissions = ["Get", "Create", "Delete", "List", "Restore", "Recover", "UnwrapKey", "WrapKey", "Purge", "Encrypt", "Decrypt", "Sign", "Verify"]
secret_permissions = ["Get","List"]
}


resource "azurerm_key_vault_key" "example" {
name = "ka-tfexkey"
key_vault_id = azurerm_key_vault.example.id
key_type = "RSA"
key_size = 2048
key_opts = ["decrypt", "encrypt", "sign", "unwrapKey", "verify", "wrapKey"]

depends_on = [
azurerm_key_vault_access_policy.client,
azurerm_key_vault_access_policy.storage,
]
}


resource "azurerm_storage_account" "example" {
name = "kaexamplestor"
resource_group_name = azurerm_resource_group.example.name
location = azurerm_resource_group.example.location
account_tier = "Standard"
account_replication_type = "GRS"

identity {
type = "SystemAssigned"
}
}

resource "azurerm_storage_account_customer_managed_key" "example" {
storage_account_id = azurerm_storage_account.example.id
key_vault_id = azurerm_key_vault.example.id
key_name = azurerm_key_vault_key.example.name
}

enter image description here
另请检查此time rotaing resource它会旋转 Terraform 状态中存储的 UTC 时间戳,并在本地存储源中的当前时间超出旋转时间时重新创建资源。仅当执行 Terraform 时才会发生这种情况

引用: customer_managed_key in azurerm_storage_account | Resources | hashicorp/azurerm | Terraform Registry

关于azure - 使用 terraform 轮换 Azure 存储帐户访问 key ,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/73586640/

30 4 0
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com