Azure上的terraform-使用专用连接创建密钥库

时间:2020-07-30 20:55:59

标签: azure terraform

想获得一些关于用 Terraform 创建带有专用终结点(Private Endpoint)的密钥库的指点。我参考 Terraform 官网和其他网站上的示例拼凑出了下面的配置,但运行时报错。

简而言之,它创建 Key Vault、分配访问策略,然后创建一个专用链接服务,并再创建一个指向该 Key Vault 的专用终结点。任何帮助将不胜感激。

# Naming prefix shared by the sandbox resources in this file.
locals {
  prefix = "kv01am"
}
# Identity running Terraform; supplies the tenant and the object id that the
# vault's access policy is granted to.
data "azurerm_client_config" "current" {
}

# Sandbox Key Vault. Public network access is denied by the network_acls block
# below, so the data plane is meant to be reached through the private endpoint
# declared later in this file (plus trusted Azure services via the bypass).
resource "azurerm_key_vault" "sandbox" {
  name                = "${local.prefix}-KV"
  resource_group_name = "rg-hsc-uscodappname01-137941ad"
  location            = "eastus2"
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "standard"

  # Allows the Azure Disk Encryption service to retrieve secrets/keys from
  # this vault.
  enabled_for_disk_encryption = true

  # NOTE(review): soft delete / purge protection are left at provider
  # defaults. Purge protection blocks permanent deletion of keys and secrets
  # and cannot be switched off again once enabled -- worth turning on for
  # anything that outlives a sandbox.
  # soft_delete_enabled      = true
  # purge_protection_enabled = false

  # Policy for the identity running Terraform: read-only ("get") on keys,
  # secrets and managed storage accounts. It can neither list nor write, so
  # any Terraform-managed secrets would need "set"/"list" added here.
  access_policy {
    tenant_id = data.azurerm_client_config.current.tenant_id
    object_id = data.azurerm_client_config.current.object_id

    key_permissions     = ["get"]
    secret_permissions  = ["get"]
    storage_permissions = ["get"]
  }

  # Vault firewall: no ip_rules or virtual_network_subnet_ids are declared, so
  # with default_action = "Deny" only trusted Microsoft services (the bypass)
  # and private endpoints reach the data plane. The machine running Terraform
  # is not exempt; network_acls apply to the data plane, not to the ARM calls
  # that manage the vault and this access_policy.
  network_acls {
    default_action = "Deny"
    bypass         = "AzureServices"
  }
}
# NOTE(review): azurerm_private_link_service is the *producer* side of Private
# Link -- it publishes a service of your own, fronted by a Standard Load
# Balancer, to other networks. Consuming a PaaS service such as Key Vault only
# needs the azurerm_private_endpoint declared below; this resource is not part
# of that path and is the most likely reason the configuration fails.
# As written it also cannot be planned: `azurerm_public_ip.example` is not
# declared anywhere in this listing, the subnet id is a placeholder, and the
# provider's `load_balancer_frontend_ip_configuration_ids` argument (required,
# verify against the provider version in use) is absent.
resource "azurerm_private_link_service" "example" {
  name                        = "kv-privatelink"
  location                    = "eastus2"
  resource_group_name         = "rg-hsc-uscodappname01-137941ad"

  nat_ip_configuration {
    name      = azurerm_public_ip.example.name   # reference to an undeclared resource
    primary   = true
    subnet_id = "zzzzzzzzzzzzzzzzzzzzzzzz"        # placeholder, not a subnet resource id
  }

}
# Consumer-side private endpoint: gives the vault's data plane a NIC with a
# private IP in the chosen subnet. The subnet id is still a placeholder here.
resource "azurerm_private_endpoint" "sandbox_kv" {
  name                = azurerm_key_vault.sandbox.name
  resource_group_name = "rg-hsc-uscodappname01-137941ad"
  location            = "eastus2"
  # subnet_id         = azurerm_subnet.sandbox["PrivateLink"].id
  subnet_id           = "zzzzzzzzzzzzzzzz"

  private_service_connection {
    name                           = azurerm_key_vault.sandbox.name
    private_connection_resource_id = azurerm_key_vault.sandbox.id
    # Auto-approved connection: the deploying identity needs rights on the
    # target vault, otherwise the connection waits for manual approval.
    is_manual_connection           = false
    # Key Vault sub-resource (group id). Provider examples spell it lowercase
    # ("vault"); confirm the capitalised form is accepted by your provider.
    subresource_names              = ["Vault"]
  }
  # No private DNS registration is done here: clients resolving the vault's
  # public hostname will still get the public address until a
  # privatelink.vaultcore.azure.net zone is created and linked to the VNet.
}

3 个答案:

答案 0 :(得分:1)

这就是我最终采用的做法。当时没找到为专用终结点获取私有 IP 的好办法,所以直接把地址硬编码了(实际上 azurerm_private_endpoint 资源会导出 private_service_connection[0].private_ip_address,可以直接引用而不必硬编码);如果有人有更好的处理方式就更好了,这方面的资料不多。另外,我加了一段在专用 DNS 区域中注册 A 记录的配置;请注意,该专用 DNS 区域是建在与 Key Vault 相同的资源组中,并且还需要单独用 azurerm_private_dns_zone_virtual_network_link 链接到 VNet 才能在 VNet 内解析。

# Existing resource group that hosts the vault, endpoint and DNS zone; its
# location is reused by the resources below.
data "azurerm_resource_group" "main" {
  name = var.resource_group_name
}

# Subnet (possibly in a different resource group than the vault) into which
# the private endpoint NIC is placed.
data "azurerm_subnet" "main" {
  resource_group_name  = var.vnet_resource_group_name
  virtual_network_name = var.virtual_network_name
  name                 = var.virtual_network_subnet_name
}

# Identity running Terraform; only the tenant id is used here.
data "azurerm_client_config" "main" {
}

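# Key Vault whose data plane is reachable only through the private endpoint
# and trusted Azure services (default_action = "Deny" with no allow rules).
resource "azurerm_key_vault" "main" {
  name                = var.name
  location            = data.azurerm_resource_group.main.location
  resource_group_name = data.azurerm_resource_group.main.name
  tenant_id           = data.azurerm_client_config.main.tenant_id
  sku_name            = var.sku

  # Which Azure services may pull secrets/keys from this vault (VM
  # deployment, Azure Disk Encryption, ARM template deployment). Each one
  # widens who can read from the vault; keep them false unless used.
  enabled_for_deployment          = var.enabled_for_deployment
  enabled_for_disk_encryption     = var.enabled_for_disk_encryption
  enabled_for_template_deployment = var.enabled_for_template_deployment

  # NOTE(review): left at provider defaults. Purge protection is a one-way
  # switch that blocks permanent deletion of secrets/keys; consider enabling
  # it for anything beyond a sandbox.
  # soft_delete_enabled      = false
  # purge_protection_enabled = false

  network_acls {
    default_action = "Deny"
    bypass         = "AzureServices"
    # Uncomment to let specific public IPs/CIDRs (e.g. a CI runner) reach the
    # data plane in addition to the private endpoint.
    # ip_rules     = var.ip_rules
  }
}
# The closing brace above was missing in the original listing, which makes
# the file fail to parse (the resources that follow would be read as nested
# inside this block).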
# ============PrivateLink==========================

# Private endpoint for the vault in the subnet looked up above. Its NIC
# address is exported by the provider as
# private_service_connection[0].private_ip_address, which is what the DNS
# record should reference instead of a literal.
resource "azurerm_private_endpoint" "pe_kv" {
  name                = format("pe-2%s", var.name)
  resource_group_name = data.azurerm_resource_group.main.name
  location            = data.azurerm_resource_group.main.location
  subnet_id           = data.azurerm_subnet.main.id

  private_service_connection {
    name                           = format("pse-2%s", var.name)
    private_connection_resource_id = azurerm_key_vault.main.id
    # Auto-approve; the deploying identity needs rights on the vault.
    is_manual_connection           = false
    # Provider examples use lowercase "vault"; confirm "Vault" is accepted.
    subresource_names              = ["Vault"]
  }
}
# Private DNS zone that overrides public resolution of the vault hostname
# inside linked VNets. NOTE(review): the zone only takes effect once it is
# linked to the VNet with azurerm_private_dns_zone_virtual_network_link,
# which this listing does not include.
resource "azurerm_private_dns_zone" "main" {
  resource_group_name = data.azurerm_resource_group.main.name
  name                = "privatelink.vaultcore.azure.net"
}
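# A record in the privatelink zone so that the vault hostname resolves to the
# endpoint's private IP from inside linked VNets (assumes the standard Private
# Link DNS flow where the public name is aliased to <name>.privatelink.vaultcore.azure.net).
# The address is read from the private endpoint instead of being hard-coded,
# so it stays correct if the endpoint is recreated and its NIC gets a new IP.
resource "azurerm_private_dns_a_record" "pe_kv" {
  name                = var.name
  zone_name           = azurerm_private_dns_zone.main.name
  resource_group_name = data.azurerm_resource_group.main.name
  ttl                 = 300
  records             = [azurerm_private_endpoint.pe_kv.private_service_connection[0].private_ip_address]
}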

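# Private IP of the Key Vault endpoint, taken from the endpoint resource
# rather than a literal (kept as a one-element list for compatibility).
output "kv_private_ip" {
  value = [azurerm_private_endpoint.pe_kv.private_service_connection[0].private_ip_address]
}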

答案 1 :(得分:0)

这就是我获得 fqdn 和私有 IP 的方式:

# Optional private endpoint for the vault: created only when a private-link
# subnet is supplied by the caller.
resource "azurerm_private_endpoint" "private_endpoint" {
  count = var.private_link_subnet != null ? 1 : 0

  name                = "${var.private_link_subnet.virtual_network_name}-${var.name}"
  resource_group_name = var.resource_group
  location            = var.location
  subnet_id           = var.private_link_subnet.id

  private_service_connection {
    name                           = "${var.private_link_subnet.virtual_network_name}-${var.name}"
    private_connection_resource_id = azurerm_key_vault.vault.id
    # Auto-approve; the deploying identity needs rights on the vault.
    is_manual_connection           = false
    subresource_names              = ["vault"]
  }

  # Tag drift is ignored -- presumably tags are applied out-of-band (policy);
  # verify before relying on this.
  lifecycle {
    ignore_changes = [tags]
  }
}

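# Pushes the endpoint's FQDN and private IP to an external DNS through a
# helper script (dns_update.sh, not shown on this page). Re-runs whenever
# either value changes and removes the record on destroy.
resource "null_resource" "dns_update" {
  triggers = {
    # NOTE(review): custom_dns_configs may be empty when a
    # private_dns_zone_group is attached to the endpoint; the [0] index then
    # fails at plan time.
    priv_fqdn = azurerm_private_endpoint.private_endpoint[0].custom_dns_configs[0].fqdn
    priv_ip   = azurerm_private_endpoint.private_endpoint[0].custom_dns_configs[0].ip_addresses[0]
  }

  # Destroy-time provisioners may only reference `self`, hence the triggers
  # indirection. Every interpolated value is double-quoted so it reaches the
  # script as a single argument even if it contains whitespace or shell
  # metacharacters.
  provisioner "local-exec" {
    when    = destroy
    command = <<EOF
      echo "${self.triggers.priv_fqdn}"
      bash "${path.module}/dns_update.sh" destroy "${self.triggers.priv_fqdn}"
    EOF
  }

  provisioner "local-exec" {
    command = <<EOF
      echo "${self.triggers.priv_fqdn}"
      echo "${self.triggers.priv_ip}"
      bash "${path.module}/dns_update.sh" apply "${self.triggers.priv_fqdn}" "${self.triggers.priv_ip}"
      bash "${path.module}/dns_update.sh" get "${self.triggers.priv_fqdn}"
    EOF
  }
}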

然后我有:
self.triggers.priv_fqdn >> szp.vaultcore.azure.net
self.triggers.priv_ip >> 10.10.8.205

答案 2 :(得分:0)

您可以在专用终结点上声明一个 private_dns_zone_group,让 Azure 自动维护专用 DNS 区域中的 A 记录,而不必“手动”创建 DNS 记录。注意:该专用 DNS 区域仍然需要通过 azurerm_private_dns_zone_virtual_network_link 链接到 VNet,否则 VNet 内的客户端无法解析到私有地址。

# ============PrivateLink==========================

# Private endpoint for the vault. The private_dns_zone_group makes Azure
# maintain the A record in the privatelink zone, so no manual
# azurerm_private_dns_a_record is needed.
resource "azurerm_private_endpoint" "pe_kv" {
  name                = format("pe-2%s", var.name)
  resource_group_name = data.azurerm_resource_group.main.name
  location            = data.azurerm_resource_group.main.location
  subnet_id           = data.azurerm_subnet.main.id

  private_service_connection {
    name                           = format("pse-2%s", var.name)
    private_connection_resource_id = azurerm_key_vault.main.id
    # Auto-approve; the deploying identity needs rights on the vault.
    is_manual_connection           = false
    # Provider examples use lowercase "vault"; confirm "Vault" is accepted.
    subresource_names              = ["Vault"]
  }

  # NOTE(review): this registers the record but does not make the zone
  # resolvable from the VNet -- an azurerm_private_dns_zone_virtual_network_link
  # between azurerm_private_dns_zone.main and the subnet's VNet is still
  # required and is not shown on this page.
  private_dns_zone_group {
    name                 = "privatednszonegroup"
    private_dns_zone_ids = [azurerm_private_dns_zone.main.id]
  }
}
# Private DNS zone populated by the endpoint's private_dns_zone_group.
# It must still be linked to the VNet (azurerm_private_dns_zone_virtual_network_link),
# a resource this listing does not include.
resource "azurerm_private_dns_zone" "main" {
  resource_group_name = data.azurerm_resource_group.main.name
  name                = "privatelink.vaultcore.azure.net"
}