个人中心
gpt4 book ai didi

azure - Terraform 计划期间证书访问错误

转载 作者:行者123 更新时间:2023-12-03 06:27:25 28 4
gpt4 key购买 nike

我认为我处于一种先有鸡还是先有蛋的情况,我需要为我们的应用程序网关声明一个证书资源,但是在我们的管道中运行 Terraform 的应用程序主体在申请之后才具有权限完全的。基本上,服务主体在规划期间无法访问证书,因此规划永远不会完成,并且 apply 无法运行,因为没有计划文件输出。

除了在 UI 中手动配置权限之外,还有其他方法可以解决此问题吗?

访问策略确实包含证书的“获取”权限

keystore 

resource "azurerm_key_vault" "web" {
  name                = lower(format("az-kv-web-%s-%s-%s", var.instance.environment, var.instance.az-region, var.instance.serial))
  location            = azurerm_resource_group.web.location
  resource_group_name = azurerm_resource_group.web.name

  sku_name = var.instance.key-vault.sku-name

  # Azure AD tenant
  tenant_id = var.instance.aad-tenant-id

  dynamic "access_policy" {
    for_each = var.instance.key-vault.access

    content {
      tenant_id               = var.instance.aad-tenant-id
      object_id               = access_policy.value.object-id

      certificate_permissions = access_policy.value.cert-permissions
      key_permissions         = access_policy.value.key-permissions
      secret_permissions      = access_policy.value.secret-permissions
      storage_permissions     = access_policy.value.storage-permissions
    }
  }
}

证书

data "azurerm_key_vault_certificate" "gateway" {
  name = var.gateway.certificate-name

  key_vault_id = var.key-vault.id
}

错误


│ Error: reading Key Vault Certificate: keyvault.BaseClient#GetCertificate: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="Forbidden" Message="The user, group or application 'appid=***;oid=***;numgroups=3;iss=https://sts.windows.net/***/' does not have certificates get permission on key vault 'az-kv-web-dev-eastus-001;location=eastus'. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125287" InnerError={"code":"ForbiddenByPolicy"}

│   with module.web["001"].module.app-gateway.data.azurerm_key_vault_certificate.gateway,
│   on modules\app-gateway\main.tf line 123, in data "azurerm_key_vault_certificate" "gateway":
│  123: data "azurerm_key_vault_certificate" "gateway" {


最佳答案

为了创建证书并访问它,我使用了以下代码:

给出了 terraform 计划并terraform 应用

代码:

data "azurerm_subscription" "current" {}

resource "azuread_application" "example" {
  display_name     = "newexample"
 // identifier_uris  = ["https://kavyaexample.com"]
  owners           = [data.azuread_client_config.current.object_id]
  sign_in_audience = "AzureADMultipleOrgs"

  api {
    mapped_claims_enabled          = true
    requested_access_token_version = 2

    oauth2_permission_scope {
      admin_consent_description  = "Allow the application to access example on behalf of the signed-in user."
      admin_consent_display_name = "Access example"
      enabled                    = true
      id                         = "96183846-204b-4b43-82e1-5d2222eb4b9b"
      type                       = "User"
      user_consent_description   = "Allow the application to access example on your behalf."
      user_consent_display_name  = "Access example"
      value                      = "user_impersonation"
    }

    oauth2_permission_scope {
      admin_consent_description  = "Administer the example application"
      admin_consent_display_name = "Administer"
      enabled                    = true
      id                         = "be98fa3e-ab5b-4b11-83d9-04ba2b7946bc"
      type                       = "Admin"
      value                      = "administer"
    }
  }

  app_role {
    allowed_member_types = ["User", "Application"]
    description          = "Admins can manage roles and perform all task actions"
    display_name         = "Admin"
    enabled              = true
    id                   = "1b19509b-32b1-4e9f-b71d-4992aa991967"
    value                = "admin"
  }

  app_role {
    allowed_member_types = ["User"]
    description          = "ReadOnly roles have limited query access"
    display_name         = "ReadOnly"
    enabled              = true
    id                   = "497406e4-012a-4267-bf18-45a1cb148a01"
    value                = "User"
  }

  feature_tags {
    enterprise = true
    gallery    = true
  }

  optional_claims {
    access_token {
      name = "myclaim"
    }

    access_token {
      name = "otherclaim"
    }

    id_token {
      name                  = "userclaim"
      source                = "user"
      essential             = true
      additional_properties = ["emit_as_roles"]
    }

    saml2_token {
      name = "samlexample"
    }
  }

  required_resource_access {
    resource_app_id = "00000003-0000-0000-c000-000000000000" # Microsoft Graph

    resource_access {
      id   = "df021288-bdef-4463-88db-98f22de89214" # User.Read.All
      type = "Role"
    }

    resource_access {
      id   = "b4e74841-8e56-480b-be8b-910348b18b4c" # User.ReadWrite
      type = "Scope"
    }
  }

  required_resource_access {
    resource_app_id = "c5393580-f805-4401-95e8-94b7a6ef2fc2" # Office 365 Management

    resource_access {
      id   = "594c1fb6-4f81-4475-ae41-0c394909246c" # ActivityFeed.Read
      type = "Role"
    }
  }

  web {
    homepage_url  = "https://app.example.net"
    logout_url    = "https://app.example.net/logout"
    redirect_uris = ["https://app.example.net/account"]

    implicit_grant {
      access_token_issuance_enabled = true
      id_token_issuance_enabled     = true
    }
  }

  
}

resource "azuread_service_principal" "example" {
  application_id               = azuread_application.example.application_id
  app_role_assignment_required = false
  owners                       = [data.azuread_client_config.current.object_id]
  
}

/*
resource "azurerm_role_assignment" "example" {
  scope              = "/subscriptions/f10a5570-53f3-473f-9c2f-bd0ee87ca71c/resourceGroups/v-sakavya-Mindtree"
  role_definition_id = "b24988ac-6180-42a0-ab88-20f7382dd24c"
  principal_id       = azuread_service_principal.example.object_id

}

*/
resource "azurerm_key_vault" "example" {
  name                        = "kavyaexmplkeyvault"
  location                    = data.azurerm_resource_group.example.location
  resource_group_name         = data.azurerm_resource_group.example.name
  enabled_for_disk_encryption = true
  tenant_id                   = data.azurerm_client_config.current.tenant_id
  soft_delete_retention_days  = 7
  purge_protection_enabled    = false
  sku_name = "standard"

  access_policy {
    tenant_id = data.azurerm_client_config.current.tenant_id
   object_id = data.azurerm_client_config.current.object_id

   //object_id= azuread_service_principal.example.object_id
    
    certificate_permissions = [
      "Create",
      "Delete",
      "DeleteIssuers",
      "Get",
      "GetIssuers",
      "Import",
      "List",
      "ListIssuers",
      "ManageContacts",
      "ManageIssuers",
      "Purge",
      "SetIssuers",
      "Update",
    ]

    key_permissions = [
      "Backup",
      "Create",
      "Decrypt",
      "Delete",
      "Encrypt",
      "Get",
      "Import",
      "List",
      "Purge",
      "Recover",
      "Restore",
      "Sign",
      "UnwrapKey",
      "Update",
      "Verify",
      "WrapKey",
    ]

    secret_permissions = [
      "Backup",
      "Delete",
      "Get",
      "List",
      "Purge",
      "Recover",
      "Restore",
      "Set",
    ]
    storage_permissions = [
      "Get","Set"
    ]
  }

  
}



resource "tls_private_key" "example" {
  algorithm = "RSA"
  rsa_bits  = 4096
}



resource "azurerm_key_vault_certificate" "example" {
  name         = "kavya-cert"
  key_vault_id = azurerm_key_vault.example.id

  certificate_policy {
    issuer_parameters {
      name = "Self"
    }

    key_properties {
      exportable = true
      key_size   = 2048
      key_type   = "RSA"
      reuse_key  = true
    }

    lifetime_action {
      action {
        action_type = "AutoRenew"
      }

      trigger {
        days_before_expiry = 30
      }
    }

    secret_properties {
      content_type = "application/x-pkcs12"
    }

    x509_certificate_properties {
      # Server Authentication = 1.3.6.1.5.5.7.3.1
      # Client Authentication = 1.3.6.1.5.5.7.3.2
      extended_key_usage = ["1.3.6.1.5.5.7.3.1"]

      key_usage = [
        "cRLSign",
        "dataEncipherment",
        "digitalSignature",
        "keyAgreement",
        "keyCertSign",
        "keyEncipherment",
      ]

      subject_alternative_names {
        dns_names = ["internal.contoso.com", "domain.hello.world"]
      }

      subject            = "CN=hello-world"
      validity_in_months = 12
    }
  }
}



resource "azuread_application_certificate" "example" {
  application_object_id = azuread_application.example.id
  type                  = "AsymmetricX509Cert"
  encoding              = "hex"
  value                 = azurerm_key_vault_certificate.example.certificate_data
  //end_date              = azurerm_key_vault_certificate.example.certificate_attribute[0].expires
  //start_date            = azurerm_key_vault_certificate.example.certificate_attribute[0].not_before
}

enter image description here

当服务主体获得证书时,获得、列出、创建和删除访问权限。

enter image description here

但是当我尝试删除服务主体的访问策略时,我遇到了类似的错误

resource "azurerm_key_vault" "example" {
  name                        = "kavyaexmplkeyvault"
  location                    = data.azurerm_resource_group.example.location
  resource_group_name         = data.azurerm_resource_group.example.name
  enabled_for_disk_encryption = true
  tenant_id                   = data.azurerm_client_config.current.tenant_id
  soft_delete_retention_days  = 7
  purge_protection_enabled    = false
  sku_name = "standard"

  access_policy {
    tenant_id = data.azurerm_client_config.current.tenant_id
  // object_id = data.azurerm_client_config.current.object_id

   object_id= azuread_service_principal.example.object_id
    
    certificate_permissions = [
      "Create",
      "Delete",
      "DeleteIssuers",
      "Get",
      "GetIssuers",
      "Import",
      "List",
      "ListIssuers",
      "ManageContacts",
      "ManageIssuers",
      "Purge",
      "SetIssuers",
      "Update",
    ]

    key_permissions = [
      "Backup",
      "Create",
      "Decrypt",
      "Delete",
      "Encrypt",
      "Get",
      "Import",
      "List",
      "Purge",
      "Recover",
      "Restore",
      "Sign",
      "UnwrapKey",
      "Update",
      "Verify",
      "WrapKey",
    ]

    secret_permissions = [
      "Backup",
      "Delete",
      "Get",
      "List",
      "Purge",
      "Recover",
      "Restore",
      "Set",
    ]
    storage_permissions = [
      "Get","Set"
    ]
  }

  
}

错误:

Status=403 Code="Forbidden"Message="用户、组或应用程序 'appid=***;oid=***;numgroups=3;iss=https://sts.windows。 net/***/' 没有证书获得 key 保管库的权限

<小时/>

enter image description here

<小时/>
  • 然后我尝试使用 servicepricipal 提供访问策略再次创建它。但仍然面临同样的错误。
  • 然后我销毁了这些文件,但没有进行任何更改,因为它存储在后端,并且除非我们有访问权限,否则无法更改证书权限。
<小时/>

enter image description here

  • 相反,我在 terraform 中更改了 keyvault 名称和证书名称。
  • 删除了 Azure 广告应用中的现有证书。
  • 然后创建并运行 terraform plan 和 terraform apply 。

enter image description here

<小时/>

直接 terraform apply 也适用于上述起始代码。

它创建了服务主体访问策略。

enter image description here

在 azure 广告应用程序中检索到证书。

enter image description here

关于azure - Terraform 计划期间证书访问错误,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/75461022/

28 4 0
文章推荐: azure - 修复 Azure DevOps 上的应用程序部署错误
文章推荐: .net - 流响应在 Azure APIM 中不起作用
文章推荐: azure - 对不同的作业使用不同的计划(YAML)
文章推荐: azure - 使用 Azure 逻辑应用创建 Jira 票证时更新受让人
行者123
个人简介

我是一名优秀的程序员,十分优秀!

滴滴打车优惠券免费领取
滴滴打车优惠券
全站热门文章
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com