
Problem description

I am trying to deploy an Azure Data Factory with a customer-managed key and identity, but after applying terraform the customer-managed key does not show up in the data factory. When I try to add the customer-managed key manually in the data factory, it gives the following error: Operation failed. Managed identity used in CMK is not found.

    data "azurerm_client_config" "main" {}

    resource "azurerm_resource_group" "main" {
      name     = "rgsupports01"
      location = "East US 2"
    }

    resource "azurerm_user_assigned_identity" "main" {
      depends_on          = [azurerm_resource_group.main]
      name                = "supports01-mid"
      resource_group_name = azurerm_resource_group.main.name
      location            = azurerm_resource_group.main.location
    }

    resource "azurerm_key_vault" "main" {
      name                        = "supportskv01"
      location                    = azurerm_resource_group.main.location
      resource_group_name         = azurerm_resource_group.main.name
      enabled_for_disk_encryption = true
      tenant_id                   = data.azurerm_client_config.main.tenant_id
      soft_delete_retention_days  = 7
      purge_protection_enabled    = false

      sku_name = "standard"

      access_policy {
        tenant_id = data.azurerm_client_config.main.tenant_id
        object_id = data.azurerm_client_config.main.object_id

        key_permissions = [
          "Get",
          "Unwrapkey",
          "Wrapkey",
          "Create",
          "Delete",
        ]

        secret_permissions = [
          "Get",
        ]

        storage_permissions = [
          "Get",
        ]
      }
    }

    resource "azurerm_key_vault_access_policy" "main" {
      key_vault_id = azurerm_key_vault.main.id
      tenant_id    = data.azurerm_client_config.main.tenant_id
      object_id    = azurerm_user_assigned_identity.main.client_id

      key_permissions = [
        "Get", "List", "Unwrapkey", "Wrapkey"
      ]

      secret_permissions = [
        "Get", "List",
      ]
    }

    resource "azurerm_key_vault_key" "main" {
      depends_on   = [azurerm_key_vault_access_policy.main]
      name         = "supportrsakeys01"
      key_vault_id = azurerm_key_vault.main.id
      key_type     = "RSA"
      key_size     = 2048

      key_opts = [
        "decrypt",
        "encrypt",
        "sign",
        "unwrapKey",
        "verify",
        "wrapKey",
      ]
    }

    resource "azurerm_data_factory" "adf" {
      #depends_on = [azurerm_key_vault_key.main]
      name                    = "supportdfs01"
      resource_group_name     = azurerm_resource_group.main.name
      location                = azurerm_resource_group.main.location
      public_network_enabled  = false
      customer_managed_key_id = resource.azurerm_key_vault_key.main.id
      identity {
        type         = "UserAssigned"
        identity_ids = [resource.azurerm_user_assigned_identity.main.id]
      }
    }

    resource "azurerm_key_vault_access_policy" "new" {
      depends_on   = [azurerm_data_factory.adf]
      key_vault_id = azurerm_key_vault.main.id
      tenant_id    = data.azurerm_client_config.main.tenant_id
      object_id    = azurerm_user_assigned_identity.main.principal_id

      key_permissions = [
        "Get", "List", "Unwrapkey", "Wrapkey"
      ]

      secret_permissions = [
        "Get", "List",
      ]
    }

Tags: azure, terraform, azure-data-factory, azure-data-factory-2, terraform-provider-azure

Solution


Don't specify access_policy inside the Key Vault resource; use only the azurerm_key_vault_access_policy resource. The way you have specified it creates conflicts and can mess up the access policies. See here.
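The layout the answer recommends, as an added example (not code from the question or the answer): the Key Vault carries no inline access_policy, every policy is its own azurerm_key_vault_access_policy resource, and the factory depends on the identity's policy so the grant exists before the CMK is applied. It also goes beyond the answer in using principal_id (the identity's object ID) rather than client_id for the identity's policy, enabling purge protection, which Data Factory CMK requires, and setting customer_managed_key_identity_id, an attribute the azurerm 3.x data factory resource accepts. The resource group and user-assigned identity are assumed to be defined as in the question.

```hcl
data "azurerm_client_config" "main" {}

# No inline access_policy block; Data Factory CMK also needs soft delete and purge protection.
resource "azurerm_key_vault" "main" {
  name                     = "supportskv01"
  location                 = azurerm_resource_group.main.location
  resource_group_name      = azurerm_resource_group.main.name
  tenant_id                = data.azurerm_client_config.main.tenant_id
  sku_name                 = "standard"
  purge_protection_enabled = true
}

# Policy for the principal running terraform, so it can create the key.
resource "azurerm_key_vault_access_policy" "deployer" {
  key_vault_id    = azurerm_key_vault.main.id
  tenant_id       = data.azurerm_client_config.main.tenant_id
  object_id       = data.azurerm_client_config.main.object_id
  key_permissions = ["Get", "List", "Create", "Delete"]
}

# Policy for the factory's identity: object_id is the principal_id (object ID), not the client_id.
resource "azurerm_key_vault_access_policy" "adf" {
  key_vault_id    = azurerm_key_vault.main.id
  tenant_id       = data.azurerm_client_config.main.tenant_id
  object_id       = azurerm_user_assigned_identity.main.principal_id
  key_permissions = ["Get", "UnwrapKey", "WrapKey"]
}

resource "azurerm_key_vault_key" "main" {
  depends_on   = [azurerm_key_vault_access_policy.deployer]
  name         = "supportrsakeys01"
  key_vault_id = azurerm_key_vault.main.id
  key_type     = "RSA"
  key_size     = 2048
  key_opts     = ["unwrapKey", "wrapKey"]
}

resource "azurerm_data_factory" "adf" {
  # The identity must be able to wrap/unwrap before the factory is created with a CMK.
  depends_on                       = [azurerm_key_vault_access_policy.adf]
  name                             = "supportdfs01"
  resource_group_name              = azurerm_resource_group.main.name
  location                         = azurerm_resource_group.main.location
  customer_managed_key_id          = azurerm_key_vault_key.main.id
  customer_managed_key_identity_id = azurerm_user_assigned_identity.main.id
  identity {
    type         = "UserAssigned"
    identity_ids = [azurerm_user_assigned_identity.main.id]
  }
}
```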

