【Question title】: Terraform Azure Data Factory Identity
【Posted】: 2021-08-06 00:36:11
【Question】:

I am trying to grant a newly created data factory access to a key vault. To do this I have the following code...

    module "subscription" {
      source = "../../general/subscription_getdetails"
    }
    
    module "df_resourcegroup" {
      source = "../../general/rg_getdetails"
      rg_name_solution = var.df_rg_name_solution
      rg_name_seqnr    = var.df_rg_name_seqnr
    }
    
    module "location" {
      source = "../../general/location/location_getdetails"
      location_name = var.df_location_name
      location_tier = var.df_location_tier
    }
    
    module "keyvault" {
      source = "../../security/kv_getdetails"
      kv_name_solution    = var.kv_name_solution
      kv_name_seqnr       = var.kv_name_seqnr
      kv_name_purpose     = var.kv_name_purpose
      kv_location_name    = var.kv_location_name
      kv_location_tier    = var.kv_location_tier
      kv_rg_name_solution = var.kv_rg_name_solution
      kv_rg_name_seqnr    = var.kv_rg_name_seqnr
    }
    
    resource "azurerm_data_factory" "df" {
      name                     = "adf-${module.df_resourcegroup.sitecode}-${module.subscription.environment}-${var.df_name_dataset}-${var.df_name_seqnr}"
      location                 = module.location.azure
      resource_group_name      = module.df_resourcegroup.rg.name
      public_network_enabled   = var.df_allow_public_access
      identity {
        type = "SystemAssigned"
      }
    }
    
    
    resource "azurerm_key_vault_access_policy" "df_grant_keyvault_read" {
      key_vault_id = module.keyvault.kv.id
      tenant_id    = azurerm_data_factory.df.identity[0].tenant_id
      object_id    = azurerm_data_factory.df.identity[0].principal_id
    
      key_permissions = [
        "Get",
      ]
    
      secret_permissions = [
        "Get",
      ]
    }

But there must be something wrong with this, because I get the following error... (I tried not treating it as a list, which did not work.)

    │ Error: Invalid index
    │ 
    │   on _modules/das/df_create/main.tf line 68, in resource "azurerm_key_vault_access_policy" "df_grant_keyvault_read":
    │   68:   tenant_id    = azurerm_data_factory.df.identity[0].tenant_id
    │     ├────────────────
    │     │ azurerm_data_factory.df.identity is empty list of object
    │ 
    │ The given key does not identify an element in this collection value.

【Comments】:

  • Which version of Terraform are you using?
  • It says v0.15.4
  • The error message implies that the resource did not produce any attributes for that object. Do you expect that resource to have identity information?

Tags: terraform terraform-provider-azure


【Solution 1】:

I found a way, but using a UserAssigned identity....

    resource "azurerm_user_assigned_identity" "uai_adf" {
      resource_group_name = module.df_resourcegroup.rg.name
      location            = module.location.azure

      name = "id-${module.df_resourcegroup.sitecode}-${module.subscription.environment}-adf-0${var.df_name_dataset}"
    }

    resource "azurerm_data_factory" "df" {
      name                   = "adf-${module.df_resourcegroup.sitecode}-${module.subscription.environment}-${var.df_name_dataset}-${var.df_name_seqnr}"
      location               = module.location.azure
      resource_group_name    = module.df_resourcegroup.rg.name
      public_network_enabled = var.df_allow_public_access

      identity {
        type         = "UserAssigned"
        identity_ids = [azurerm_user_assigned_identity.uai_adf.id]
      }
    }

    resource "azurerm_key_vault_access_policy" "df_grant_keyvault_read_secret" {
      key_vault_id = module.keyvault.kv.id
      tenant_id    = azurerm_user_assigned_identity.uai_adf.tenant_id
      object_id    = azurerm_user_assigned_identity.uai_adf.principal_id

      key_permissions    = []
      secret_permissions = ["Get"]
    }

【Comments】:

  • Did this actually work for you? I tried it (also with a managed identity), but when I try to create a linked service that pulls its secrets from Key Vault, I get an error saying that no managed identity is set (even though in the Azure portal I can clearly see that a managed identity is set).

【Solution 2】:

    module "subscription" {
      source = "../../general/subscription_getdetails"
    }
    
    module "df_resourcegroup" {
      source = "../../general/rg_getdetails"
      rg_name_solution = var.df_rg_name_solution
      rg_name_seqnr    = var.df_rg_name_seqnr
    }
    
    module "location" {
      source = "../../general/location/location_getdetails"
      location_name = var.df_location_name
      location_tier = var.df_location_tier
    }
    
    module "keyvault" {
      source = "../../security/kv_getdetails"
      kv_name_solution    = var.kv_name_solution
      kv_name_seqnr       = var.kv_name_seqnr
      kv_name_purpose     = var.kv_name_purpose
      kv_location_name    = var.kv_location_name
      kv_location_tier    = var.kv_location_tier
      kv_rg_name_solution = var.kv_rg_name_solution
      kv_rg_name_seqnr    = var.kv_rg_name_seqnr
    }
    
    resource "azurerm_data_factory" "df" {
      name                     = "adf-${module.df_resourcegroup.sitecode}-${module.subscription.environment}-${var.df_name_dataset}-${var.df_name_seqnr}"
      location                 = module.location.azure
      resource_group_name      = module.df_resourcegroup.rg.name
      public_network_enabled   = var.df_allow_public_access
      identity {
        type = "SystemAssigned"
      }
    }

    # Added (highlighted in the original answer): the tenant id is read from the
    # current client config instead of from the data factory's identity block.
    data "azurerm_client_config" "current" {
    }

    resource "azurerm_key_vault_access_policy" "df_grant_keyvault_read" {
      key_vault_id = module.keyvault.kv.id
      tenant_id    = data.azurerm_client_config.current.tenant_id   # changed (highlighted in the original answer)
      object_id    = azurerm_data_factory.df.identity[0].principal_id
    
      key_permissions = [
        "Get",
      ]
    
      secret_permissions = [
        "Get",
      ]
    }

【Comments】:

  • Please try running the code with the highlighted changes.
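A self-contained version of the approach in Solution 2, added here as an example and not taken from the question or either answer: the custom `module` blocks are replaced by plain `azurerm` resources, the tenant id comes from `azurerm_client_config` (known at plan time, unlike the data factory's `identity` block, which is only populated after apply), and the access policy grants the data factory's system-assigned identity nothing beyond `Get` on secrets. All resource names are constructed placeholders.

```hcl
terraform {
  required_providers {
    azurerm = {
      source = "hashicorp/azurerm"
    }
  }
}

provider "azurerm" {
  features {}
}

# Tenant of the credentials Terraform runs as. This value is known during plan,
# whereas azurerm_data_factory.df.identity is empty until the factory exists.
data "azurerm_client_config" "current" {}

resource "azurerm_resource_group" "rg" {
  name     = "rg-adf-example" # constructed placeholder
  location = "westeurope"
}

resource "azurerm_key_vault" "kv" {
  name                     = "kv-adf-example-0001" # constructed; must be globally unique
  location                 = azurerm_resource_group.rg.location
  resource_group_name      = azurerm_resource_group.rg.name
  tenant_id                = data.azurerm_client_config.current.tenant_id
  sku_name                 = "standard"
  purge_protection_enabled = true
}

resource "azurerm_data_factory" "df" {
  name                   = "adf-example-0001" # constructed placeholder
  location               = azurerm_resource_group.rg.location
  resource_group_name    = azurerm_resource_group.rg.name
  public_network_enabled = false

  identity {
    type = "SystemAssigned"
  }
}

# Least privilege: a linked service only needs to read secrets, so no key or
# certificate permissions are granted and "List"/"Set"/"Delete" are left out.
resource "azurerm_key_vault_access_policy" "df_read_secrets" {
  key_vault_id       = azurerm_key_vault.kv.id
  tenant_id          = data.azurerm_client_config.current.tenant_id
  object_id          = azurerm_data_factory.df.identity[0].principal_id
  secret_permissions = ["Get"]
}
```

After `terraform apply`, the policy for the factory's principal can be confirmed from the portal or CLI; if the identity block is still reported empty, check that the provider version in use exports `identity` for `azurerm_data_factory`.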