
问题描述

希望获得一些关于如何为密钥库(Key Vault)设置专用连接的指点。我参考了 Terraform 官网和其他站点上的示例拼凑出下面的配置,但运行时出错。

简而言之,该配置先创建 Key Vault(KV),再分配若干访问策略,最后创建与服务端点关联的私有链接。如能提供任何帮助,不胜感激。

# Short prefix used to build the Key Vault name below ("${local.prefix}-KV").
# Key Vault names must be globally unique, 3-24 characters, alphanumerics and hyphens only.
locals {
  prefix = "kv01am"
}
# The identity Terraform is running as; its tenant_id and object_id are used for the
# vault's tenant and for the single access_policy granted below.
data "azurerm_client_config" "current" {}

# Key Vault that azurerm_private_endpoint.sandbox_kv (below) attaches to. Public data-plane
# access is denied by network_acls; the deploying identity gets read-only access.
resource "azurerm_key_vault" "sandbox" {
  name                        = "${local.prefix}-KV"
  location                    = "eastus2"
  resource_group_name         = "rg-hsc-uscodappname01-137941ad"
  enabled_for_disk_encryption = true
  tenant_id                   = data.azurerm_client_config.current.tenant_id
  # NOTE(review): soft delete is always on for Key Vault in current azurerm provider
  # versions, so `soft_delete_enabled` is no longer a valid argument there — confirm
  # against the provider version in use. Purge protection is left off here; enabling it
  # is the usual hardening for a vault holding production keys/secrets, but once enabled
  # it cannot be turned off again.
#  soft_delete_enabled         = true
#  purge_protection_enabled    = false

  sku_name = "standard"

  # Read-only ("get") access for the identity running Terraform on keys, secrets and
  # managed storage accounts. NOTE(review): newer azurerm provider versions expect the
  # capitalised permission names ("Get") — confirm against the provider version in use.
  access_policy {
    tenant_id = data.azurerm_client_config.current.tenant_id
    object_id = data.azurerm_client_config.current.object_id

    key_permissions = [
      "get",
    ]

    secret_permissions = [
      "get",
    ]

    storage_permissions = [
      "get",
    ]
  }

  # Deny all public data-plane traffic except trusted Azure services. No ip_rules or
  # virtual_network_subnet_ids are listed, so the only intended client path is the private
  # endpoint (private endpoint traffic is not subject to these ACLs). Anything that reads
  # the vault's data plane from the public internet — including the machine running
  # Terraform, if a later step does so — will be blocked.
  network_acls {
    default_action = "Deny"
    bypass         = "AzureServices"
  }

}
# NOTE(review): azurerm_private_link_service publishes *your own* service (fronted by a
# Standard Load Balancer) to Private Link consumers; it is not needed to consume Key Vault,
# which azurerm_private_endpoint.sandbox_kv below already does. As written this block
# cannot plan: azurerm_public_ip.example is not declared anywhere in this configuration,
# subnet_id is a placeholder rather than a subnet resource ID, and the required
# load_balancer_frontend_ip_configuration_ids argument is missing. It is most likely the
# source of the reported failure and can be removed.
resource "azurerm_private_link_service" "example" {
  name                        = "kv-privatelink"
  location                    = "eastus2"
  resource_group_name         = "rg-hsc-uscodappname01-137941ad"

  nat_ip_configuration {
    name      = azurerm_public_ip.example.name
    primary   = true
    subnet_id = "zzzzzzzzzzzzzzzzzzzzzzzz"
  }

}
# Private endpoint that gives azurerm_key_vault.sandbox a private IP in the chosen subnet.
# NOTE(review): there is no private_dns_zone_group here, so the vault's public FQDN keeps
# resolving to its public address and clients will not actually use the private IP unless
# DNS is handled separately (see the answer below).
resource "azurerm_private_endpoint" "sandbox_kv" {
  # Reusing the vault's name for the endpoint is fine; they are different resource types.
  name                        = azurerm_key_vault.sandbox.name
  location                    = "eastus2"
  resource_group_name         = "rg-hsc-uscodappname01-137941ad"
  #subnet_id           = azurerm_subnet.sandbox["PrivateLink"].id
  # NOTE(review): subnet_id must be a full subnet resource ID (as in the commented
  # reference above); the "zzzz..." placeholder will be rejected at apply time.
  subnet_id               = "zzzzzzzzzzzzzzzz"

  # Connects the endpoint to the vault's "Vault" sub-resource; is_manual_connection = false
  # requests automatic approval, which requires the deploying identity to have rights on
  # the target vault.
  private_service_connection {
    name                           = azurerm_key_vault.sandbox.name
    private_connection_resource_id = azurerm_key_vault.sandbox.id
    is_manual_connection           = false
    subresource_names = ["Vault"]
  }
}


解决方案


您可以在私有终结点中声明一个 private_dns_zone_group 块,而不必"手动"创建 DNS 记录。

# ============PrivateLink==========================

# Private endpoint for azurerm_key_vault.main. The private_dns_zone_group block makes Azure
# maintain the vault's A record in the privatelink zone, so no manual DNS records are needed.
# NOTE(review): the zone must also be linked to the consuming VNet with an
# azurerm_private_dns_zone_virtual_network_link (not shown here) for clients to resolve
# the private IP. var.name, data.azurerm_resource_group.main, data.azurerm_subnet.main and
# azurerm_key_vault.main are declared elsewhere in the author's configuration.
resource "azurerm_private_endpoint" "pe_kv" {
  resource_group_name = data.azurerm_resource_group.main.name
  location            = data.azurerm_resource_group.main.location
  subnet_id           = data.azurerm_subnet.main.id
  name                = format("pe-2%s", var.name)

  # Connection to the vault's "Vault" sub-resource; automatic approval requested.
  private_service_connection {
    is_manual_connection           = false
    private_connection_resource_id = azurerm_key_vault.main.id
    subresource_names              = ["Vault"]
    name                           = format("pse-2%s", var.name)
  }

  # Register the endpoint's address in the privatelink.vaultcore.azure.net zone below.
  private_dns_zone_group {
    private_dns_zone_ids = [azurerm_private_dns_zone.main.id]
    name                 = "privatednszonegroup"
  }
}
# Private DNS zone for Key Vault private endpoints. The zone name must be exactly
# privatelink.vaultcore.azure.net so the vault's public FQDN is overridden inside the VNet.
resource "azurerm_private_dns_zone" "main" {
  resource_group_name = data.azurerm_resource_group.main.name
  name                = "privatelink.vaultcore.azure.net"
}
