Azure Data Factory key vault access policy is getting deleted when I redeploy Terraform code?

Posted on 2025-02-11 08:31:51

I am trying to create an access policy for a data factory using Terraform, using the Terraform code below.
For the first deployment (through Azure DevOps) everything is created perfectly. When I redeploy without changing anything, I can see Terraform detecting a few changes on the key vault, and the complete ADF access policy is getting removed from the access policies. When I redeploy once again, the ADF access policy is created again. The same thing happens every alternate time. But every time my state file looks the same.

Key vault code

resource "azurerm_key_vault" "kv" {
  name                        = "${lower("${var.applicationName}-${var.environment}")}-akv"
  location                    = azurerm_resource_group.myresourcegroup.location
  resource_group_name         = azurerm_resource_group.myresourcegroup.name
  enabled_for_disk_encryption = true
  tenant_id                   = data.azurerm_client_config.current.tenant_id
  sku_name                    = var.skuname
  purge_protection_enabled    = false

  access_policy {
    tenant_id = data.azurerm_client_config.current.tenant_id
    object_id = data.azurerm_client_config.current.object_id

    key_permissions = [
      "Get", "List", "Create"
    ]

    secret_permissions  = ["Backup", "Delete", "Get", "List", "Recover", "Restore", "Set", "Purge"]
    storage_permissions = ["Get", "List", "Set"]
  }

  access_policy {
    tenant_id = data.azurerm_client_config.current.tenant_id
    object_id = var.group_object_id

    key_permissions = [
      "Get", "List", "Create"
    ]

    secret_permissions = [
      "Backup", "Delete", "Get", "List", "Recover", "Restore", "Set", "Purge"
    ]
    storage_permissions = [
      "Get", "List", "Set"
    ]
  }

  network_acls {
    bypass         = "AzureServices"
    default_action = "Deny"
    ip_rules       = ["198....."]
  }
}

Code for the access policy for the data factory

resource "azurerm_key_vault_access_policy" "adfpolicy" {
  key_vault_id = azurerm_key_vault.kv.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = azurerm_data_factory.adf.identity[0].principal_id
  key_permissions = [
    "Get", "Create", "List", "Restore", "Recover", "Unwrapkey", "Wrapkey", "Purge", "Encrypt", "Decrypt", "Sign", "Verify"
  ]
  secret_permissions = [
    "Get", "List"
  ]
  depends_on = [azurerm_resource_group.myresourcegroup, azurerm_virtual_network.vnet, azurerm_subnet.public_subnet, azurerm_key_vault.kv, azurerm_data_factory.adf]
}

Data factory code

resource "azurerm_data_factory" "adf" {
  name                = "${var.applicationName}-${var.environment}-adf"
  location            = azurerm_resource_group.myresourcegroup.location
  resource_group_name = azurerm_resource_group.myresourcegroup.name

  identity {
    type         = "SystemAssigned,UserAssigned"
    identity_ids = [azurerm_user_assigned_identity.base.id]
  }
}

メ斷腸人バ 2025-02-18 08:31:51

According to azurerm_key_vault | Resources | hashicorp/azurerm | Terraform Registry

We can define Key Vault access policies in two ways, i.e. one in the azurerm_key_vault resource via the access_policy block and the other by the azurerm_key_vault_access_policy resource. But using both ways may lead to conflicts.

So please check for that case.
And also try defining policies through the azurerm_key_vault_access_policy resource only, rather than within the azurerm_key_vault module itself.

Also try to see if you can use a conditional (for_each and if) to update the access policy only if it changes, and not apply when everything is the same.

References:

  1. terraform-provider-azurerm/issues
  2. terraform-importing-multiple-azure-keyvault-access-policies