Problem description
I'm experimenting with using Terraform to set up a scenario in Azure where Terraform creates:
- an Azure function app with Managed Service Identity
- an Azure Key Vault
- a Key Vault access policy that allows the function app to access secrets in the key vault
My problem is around using the object id (principal id) of the MSI set up for the function app in the definition of the key vault access policy; I suspect I'm doing something wrong (and/or stupid)...
The error I get from a Terraform apply is:
    azurerm_key_vault_access_policy.msi-test-to-keyvault-test: "object_id" is an invalid UUUID: uuid: UUID string too short: 1
I suspect the issue may be with the way I'm trying to reference the object id of the service principal created off the MSI identity in the access policy definition:

    object_id = "${azurerm_function_app.rg-func-app__funcapp.identity.principal_id}"
(the doco for the azurerm function app attribute section says that identity exports principal_id, however I have no idea what the correct syntax is to reference this attribute :( )
The Terraform template is:
    resource "azurerm_function_app" "rg-func-app__funcapp" {
      name                      = "${local.deployed-func-app-name}"
      location                  = "${azurerm_resource_group.rg-func-app.location}"
      resource_group_name       = "${azurerm_resource_group.rg-func-app.name}"
      app_service_plan_id       = "${azurerm_app_service_plan.rg-func-app__appsvcpln.id}"
      storage_connection_string = "${azurerm_storage_account.rg-func-app__sa.primary_connection_string}"
      version                   = "~1"

      # app_settings is a map attribute, so it takes "=" rather than block syntax
      app_settings = {
        "TEST_KEYVAULT_URL" = "${azurerm_key_vault.test.vault_uri}"
      }

      # system-assigned identity: Azure creates the service principal for the app
      identity {
        type = "SystemAssigned"
      }
    }

    resource "azurerm_key_vault" "test" {
      name                = "msi-test-vault"
      location            = "${azurerm_resource_group.rg-func-app.location}"
      resource_group_name = "${azurerm_resource_group.rg-func-app.name}"

      sku {
        name = "standard"
      }

      tenant_id = "${data.azurerm_client_config.current.tenant_id}"
    }

    resource "azurerm_key_vault_secret" "test" {
      name      = "secret-sauce"
      value     = "szechuan"
      vault_uri = "${azurerm_key_vault.test.vault_uri}"
    }

    resource "azurerm_key_vault_access_policy" "msi-test-to-keyvault-test" {
      vault_name          = "${azurerm_key_vault.test.name}"
      resource_group_name = "${azurerm_key_vault.test.resource_group_name}"
      tenant_id           = "${azurerm_key_vault.test.tenant_id}"

      # this is the reference that produces the "invalid UUID" error above
      object_id = "${azurerm_function_app.rg-func-app__funcapp.identity.principal_id}"

      key_permissions = [
        "get",
      ]

      secret_permissions = [
        "get",
      ]
    }
Thanks for any pointers.
Cheers, Andy

Recommended answer
After a bit more poking around, a solution appears to be changing the incantation to retrieve the principal_id to:

    object_id = "${lookup(azurerm_function_app.rg-func-app__funcapp.identity[0],"principal_id")}"
This results in the access policy being created as expected.
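The fix from the answer applied to a complete function app plus access policy, as an added example that is not part of the original question or answer. It keeps the Terraform 0.11 interpolation syntax the question uses; the resource names (`example`, `func_to_vault`) and the referenced resource group, app service plan, storage account and key vault are assumed to be defined elsewhere, as they are on the page. It also grants only `secret_permissions = ["get"]`, since the app only needs to read a secret, and drops the `key_permissions` grant the question's version carried.

```hcl
# Added example, not the question's or answer's own code.
# Assumes azurerm_resource_group.example, azurerm_app_service_plan.example,
# azurerm_storage_account.example and azurerm_key_vault.example exist.

resource "azurerm_function_app" "example" {
  name                      = "msi-example-func"
  location                  = "${azurerm_resource_group.example.location}"
  resource_group_name       = "${azurerm_resource_group.example.name}"
  app_service_plan_id       = "${azurerm_app_service_plan.example.id}"
  storage_connection_string = "${azurerm_storage_account.example.primary_connection_string}"
  version                   = "~1"

  app_settings = {
    "TEST_KEYVAULT_URL" = "${azurerm_key_vault.example.vault_uri}"
  }

  # SystemAssigned: Azure creates and rotates the credential; nothing to store.
  identity {
    type = "SystemAssigned"
  }
}

resource "azurerm_key_vault_access_policy" "func_to_vault" {
  vault_name          = "${azurerm_key_vault.example.name}"
  resource_group_name = "${azurerm_key_vault.example.resource_group_name}"
  tenant_id           = "${azurerm_key_vault.example.tenant_id}"

  # identity is exported as a list, so index element 0 before reading the
  # principal_id attribute. This reference also makes Terraform create the
  # function app (and therefore its service principal) before the policy.
  object_id = "${lookup(azurerm_function_app.example.identity[0], "principal_id")}"

  # Least privilege: the app reads one secret, so no key permissions and no
  # list/set/delete on secrets.
  secret_permissions = [
    "get",
  ]
}
```

On Terraform 0.12 and later the same reference is written without `lookup()`, as `azurerm_function_app.example.identity[0].principal_id`. After `terraform apply`, the resulting policy can be checked with `az keyvault show --name <vault-name> --query properties.accessPolicies`, where the `objectId` entry should match the function app's principal id and carry only the `get` secret permission.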