Terraform Key Vault access policy

Problem description

I am trying to automatically create a key vault, storage accounts and the keys used to encrypt the storage.

The code for the blocks looks like this:

resource "azurerm_key_vault_access_policy" "storage" {
  for_each = toset(var.storage-foreach)
  key_vault_id = azurerm_key_vault.tenantsnbshared.id
  tenant_id = <tenant-id>
  object_id    = azurerm_storage_account.storage-foreach[each.value]
  key_permissions    = ["get", "create", "list", "restore", "recover", "unwrapkey", "wrapkey", "purge", "encrypt", "decrypt", "sign", "verify"]
  secret_permissions = ["get"]
  depends_on = [azurerm_storage_account.storage-foreach]
}

resource "azurerm_key_vault" "tenantsnbshared" {
  location                        = var.location
  name                            = "tenantsnbshared"
  resource_group_name             = azurerm_resource_group.tenant-testing-test.name
  sku_name                        = "standard"
  tenant_id                       = "tenant-id"
  enabled_for_deployment          = false
  enabled_for_disk_encryption     = false
  enabled_for_template_deployment = false
  purge_protection_enabled        = true
  soft_delete_enabled             = true
  access_policy {
    object_id = "my-obj-id"
    tenant_id = "tenant-id"
    secret_permissions = [
      "Get",
      "List",
      "Set",
      "Delete",
      "Recover",
      "Backup",
      "Restore",
      "Purge"
    ]
    key_permissions = [
      "Get",
      "List",
      "Update",
      "Create",
      "Import",
      "Delete",
      "Recover",
      "Backup",
      "Restore",
      "Purge",
      "encrypt",
      "decrypt",
      "sign",
      "verify"
    ]
    certificate_permissions = [
      "Get",
      "List",
      "Update",
      "Create",
      "Import",
      "Delete",
      "Recover",
      "Backup",
      "Restore",
      "ManageContacts",
      "ManageIssuers",
      "GetIssuers",
      "ListIssuers",
      "SetIssuers",
      "DeleteIssuers",
    ]
  }
  tags = {
    "Owner" : "test"
  }
}

resource "azurerm_storage_account" "storage-foreach" {
  for_each                 = toset(var.storage-foreach)
  access_tier              = "Hot"
  account_kind             = "StorageV2"
  account_replication_type = "LRS"
  account_tier             = "Standard"
  location                 = var.location
  name                     = each.value
  resource_group_name      = azurerm_resource_group.tenant-testing-hamza.name
  identity {
    type = "SystemAssigned"
  }

  lifecycle {
    prevent_destroy = false
  }
}

As you can see, all resources use for_each to automate the process. But when I try to run this code, I get this error related to key_vault_access_policy:

Error: Incorrect attribute value type

  on main.tf line 13, in resource "azurerm_key_vault_access_policy" "storage":
  13:   object_id    = azurerm_storage_account.storage-foreach[each.value]
    |----------------
    | azurerm_storage_account.storage-foreach is object with 2 attributes
    | each.value is "storage2"

Inappropriate value for attribute "object_id": string required.

Tags: terraform, terraform-provider-azure

Solution

You should assign the object ids of the storage accounts to the KV access policy.

Please change the access policy resource to the following:

resource "azurerm_key_vault_access_policy" "storage" {
  for_each = toset(var.storage-foreach)

  ...

  # the storage account's system-assigned identity is exported under identity[0].principal_id
  object_id    = azurerm_storage_account.storage-foreach[each.value].identity[0].principal_id

  ...    
}
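The corrected access policy wired up to the storage account's managed identity and to a customer-managed key, as an added example that is not part of the original answer. It reuses the variable and resource names from the question, assumes the storage accounts are encrypted with a key in this vault, and uses the PascalCase permission names the azurerm 3.x provider expects; the key and CMK resources are assumed additions, not from the page.

```hcl
resource "azurerm_key_vault_access_policy" "storage" {
  for_each     = toset(var.storage-foreach)
  key_vault_id = azurerm_key_vault.tenantsnbshared.id
  tenant_id    = azurerm_key_vault.tenantsnbshared.tenant_id

  # The resource instance itself is an object, which is what the
  # "string required" error complains about. The service principal of the
  # system-assigned identity is the string Key Vault needs.
  object_id = azurerm_storage_account.storage-foreach[each.value].identity[0].principal_id

  # Customer-managed-key encryption only needs the storage service to read
  # key metadata and wrap/unwrap its data-encryption key. Purge, Sign,
  # Decrypt and the rest of the original list are not required and would
  # let a compromised storage identity destroy or misuse the key.
  key_permissions = ["Get", "WrapKey", "UnwrapKey"]
}

# Assumed: one RSA key per storage account, created by the deploying
# principal (which holds the inline access_policy on the vault).
resource "azurerm_key_vault_key" "storage" {
  for_each     = toset(var.storage-foreach)
  name         = "${each.value}-cmk"
  key_vault_id = azurerm_key_vault.tenantsnbshared.id
  key_type     = "RSA"
  key_size     = 2048
  key_opts     = ["wrapKey", "unwrapKey"]
}

# Assumed: bind each storage account to its key. The access policy must
# exist first, otherwise Azure rejects the binding because the storage
# identity cannot yet reach the key.
resource "azurerm_storage_account_customer_managed_key" "storage" {
  for_each           = toset(var.storage-foreach)
  storage_account_id = azurerm_storage_account.storage-foreach[each.value].id
  key_vault_id       = azurerm_key_vault.tenantsnbshared.id
  key_name           = azurerm_key_vault_key.storage[each.value].name

  depends_on = [azurerm_key_vault_access_policy.storage]
}
```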
