APIM (private endpoint) named values: Key Vault secret 404

Question | Votes: 0 | Answers: 1

I have an APIM with a private endpoint. Here is my code:

resource "azurerm_private_endpoint" "apim" {
  name                = "${var.organization}-apim-pep-${var.environment}"
  location            = var.azure_location
  resource_group_name = var.resourcegroups.apim.name
  subnet_id           = data.azurerm_subnet.pep.id

  private_service_connection {
    name                           = "apim_private_service_connection"
    private_connection_resource_id = azurerm_api_management.apim.id
    is_manual_connection           = false
    subresource_names              = ["Gateway"]
  }
}

resource "azurerm_api_management" "apim" {
  name                = "${var.organization}-hub-${var.environment}-apim"
  location            = var.azure_location
  resource_group_name = var.resourcegroups.apim.name
  publisher_name      = "${var.organization}-hub-${var.environment}-apim"
  publisher_email     = "email"
  sku_name            = "Developer_1"

  identity {
    type = "SystemAssigned, UserAssigned"
    identity_ids = [
      data.azurerm_user_assigned_identity.apim.id
    ]
  }
}

I cannot resolve Key Vault secrets; I get a 404 on them. Earlier, when I had VNet integration and no private endpoint, I could resolve them, so this is probably a network problem. However, I cannot change the settings on the VNet because the network is done by Azure under the hood (default VNet type = "None"). The subnet the private endpoint is deployed into has a service endpoint for Microsoft.KeyVault.

Which piece of the puzzle am I missing?

Tags: azure, terraform, azure-api-management, azure-private-link, azure-private-dns

1 answer

0 votes

If the settings of the already-created virtual network cannot be changed, you have to use the virtual network link resource named azurerm_private_dns_zone_virtual_network_link to establish a network link to the Key Vault's private DNS zone, and also create an azurerm_private_dns_a_record for the Key Vault in that zone, linked to the virtual network that hosts the API Management private endpoint.

The modified Terraform code is as follows:

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "4.3.0"
    }
  }
}

provider "azurerm" {
  features {}
  subscription_id = "fxxxx014"
}
data "azurerm_client_config" "current" {}
resource "azurerm_resource_group" "example" {
  name     = "examplejahresources"
  location = "West Europe"
}
resource "azurerm_api_management" "apim" {
  name                = "newja-apim"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  publisher_name      = "My Company-apim"
  publisher_email     = "[email protected]"
  sku_name            = "Developer_1"

  identity {
    type = "SystemAssigned"
  }
}
resource "azurerm_virtual_network" "example" {
  name                = "ejanetwork"
  address_space       = ["10.0.0.0/16"]
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
}
resource "azurerm_subnet" "service" {
  name                 = "jahservice"
  resource_group_name  = azurerm_resource_group.example.name
  virtual_network_name = azurerm_virtual_network.example.name
  address_prefixes     = ["10.0.1.0/24"]
}
resource "azurerm_key_vault" "example" {
  name                        = "examplejahkeyvault"
  location                    = azurerm_resource_group.example.location
  resource_group_name         = azurerm_resource_group.example.name
  enabled_for_disk_encryption = true
  tenant_id                   = data.azurerm_client_config.current.tenant_id
  soft_delete_retention_days  = 7
  purge_protection_enabled    = false

  sku_name = "standard"

  # Policy for the principal running Terraform.
  access_policy {
    tenant_id = data.azurerm_client_config.current.tenant_id
    object_id = data.azurerm_client_config.current.object_id

    key_permissions = [
      "Get",
    ]

    secret_permissions = [
      "Get",
    ]

    storage_permissions = [
      "Get",
    ]
  }

  # Added fix: APIM named values read secrets with the APIM managed identity,
  # so that identity needs Get on secrets as well (reaching the vault over the
  # private endpoint does not grant any permission by itself).
  access_policy {
    tenant_id = data.azurerm_client_config.current.tenant_id
    object_id = azurerm_api_management.apim.identity[0].principal_id

    secret_permissions = [
      "Get",
    ]
  }
}

# <vault>.vault.azure.net is a CNAME to <vault>.privatelink.vaultcore.azure.net;
# a private zone with exactly this name, linked to the VNet, overrides the
# public answer for clients inside that VNet.
resource "azurerm_private_dns_zone" "example" {
  name                = "privatelink.vaultcore.azure.net"
  resource_group_name = azurerm_resource_group.example.name
}

# Without this link, resolvers in the VNet never consult the private zone and
# APIM keeps getting the vault's public IP.
resource "azurerm_private_dns_zone_virtual_network_link" "example" {
  name                  = "test"
  resource_group_name   = azurerm_resource_group.example.name
  private_dns_zone_name = azurerm_private_dns_zone.example.name
  virtual_network_id    = azurerm_virtual_network.example.id
}

# The record name must equal the vault name. Fixed: take the address from the
# Key Vault private endpoint instead of a hard-coded IP (the original
# 10.0.180.17 is not even inside the 10.0.1.0/24 subnet the endpoint uses).
resource "azurerm_private_dns_a_record" "example" {
  name                = azurerm_key_vault.example.name
  zone_name           = azurerm_private_dns_zone.example.name
  resource_group_name = azurerm_resource_group.example.name
  ttl                 = 300
  records             = [azurerm_private_endpoint.keyvaultep.private_service_connection[0].private_ip_address]
}
resource "azurerm_private_endpoint" "apim" {
  name                = "jahendpoint"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  subnet_id           = azurerm_subnet.service.id

  private_service_connection {
    name                           = "apim_private_service_connection"
    private_connection_resource_id = azurerm_api_management.apim.id
    is_manual_connection           = false
    subresource_names              = ["Gateway"]
  }
}
resource "azurerm_private_endpoint" "keyvaultep" {
  name                = "jah-kv-pep"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  subnet_id           = azurerm_subnet.service.id

  private_service_connection {
    name                           = "keyvault_private_service_connection"
    private_connection_resource_id = azurerm_key_vault.example.id
    is_manual_connection           = false
    subresource_names              = ["vault"]
  }
}

Deployment succeeded:

[screenshots of the deployed resources]
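The answer's fix hinges on three things agreeing: the private zone is linked to the VNet the APIM endpoint lives in, the A record in that zone carries the IP the Key Vault private endpoint NIC actually received, and that IP sits in the subnet the endpoint was deployed into. The following is an added example, not code from the question or the answer, that checks a plan for exactly those mismatches and classifies what a client inside the VNet got back from DNS. The `PrivateLinkPlan` type and every sample value (VNet id, endpoint IP 10.0.1.5, the hard-coded 10.0.180.17 from the answer) are constructed for the example.

```python
"""Check a Key Vault private-link DNS plan for the mismatches that make an
API Management private endpoint resolve the vault to the wrong address.

Added example (not from the question or the answer). It models the pieces the
answer's Terraform wires together: VNet and subnet ranges, the IP the Key Vault
private endpoint NIC received, the A record written into
privatelink.vaultcore.azure.net, and which VNets that zone is linked to.
Every sample value below is constructed.
"""
import ipaddress
from dataclasses import dataclass

# Azure's public vault name CNAMEs into this zone; a VNet-linked private zone
# with exactly this name is what overrides the public answer.
PRIVATELINK_ZONE = "privatelink.vaultcore.azure.net"
PUBLIC_SUFFIX = "vault.azure.net"


@dataclass
class PrivateLinkPlan:
    vault_name: str
    vnet_id: str                  # VNet hosting the APIM private endpoint (client)
    vnet_cidr: str
    subnet_cidr: str              # subnet the Key Vault private endpoint lands in
    endpoint_ip: str              # IP the Key Vault private endpoint NIC received
    a_record_ip: str              # value written into the privatelink zone
    zone_linked_vnet_ids: tuple   # VNets the private zone is linked to


def vault_fqdns(vault_name: str) -> tuple:
    """Public name and the privatelink name it CNAMEs to."""
    return (f"{vault_name}.{PUBLIC_SUFFIX}", f"{vault_name}.{PRIVATELINK_ZONE}")


def check_plan(plan: PrivateLinkPlan) -> list:
    """Return findings; an empty list means the plan is internally consistent."""
    findings = []
    vnet = ipaddress.ip_network(plan.vnet_cidr)
    subnet = ipaddress.ip_network(plan.subnet_cidr)
    endpoint_ip = ipaddress.ip_address(plan.endpoint_ip)
    record_ip = ipaddress.ip_address(plan.a_record_ip)
    public_name, private_name = vault_fqdns(plan.vault_name)

    if not subnet.subnet_of(vnet):
        findings.append(f"subnet {subnet} is not inside VNet {vnet}")
    if endpoint_ip not in subnet:
        findings.append(f"endpoint IP {endpoint_ip} is not in subnet {subnet}")
    if record_ip != endpoint_ip:
        # A hard-coded record silently sends clients to the wrong host.
        findings.append(
            f"A record {private_name} -> {record_ip} does not match the "
            f"endpoint IP {endpoint_ip}; {public_name} resolves to the wrong host"
        )
    if plan.vnet_id not in plan.zone_linked_vnet_ids:
        # Without the link the VNet's resolver never sees the private zone and
        # hands back the public IP, which a locked-down vault rejects.
        findings.append(f"zone {PRIVATELINK_ZONE} is not linked to VNet {plan.vnet_id}")
    return findings


def resolves_privately(resolved_ip: str, vnet_cidr: str) -> bool:
    """True if the address a client in the VNet got back lies inside the VNet
    (the private zone won); False means the public IP was returned."""
    return ipaddress.ip_address(resolved_ip) in ipaddress.ip_network(vnet_cidr)


# Constructed sample mirroring the answer: VNet 10.0.0.0/16, subnet 10.0.1.0/24,
# a hard-coded A record of 10.0.180.17 while the endpoint NIC got 10.0.1.5.
BROKEN = PrivateLinkPlan(
    vault_name="examplejahkeyvault",
    vnet_id="vnet-hub",
    vnet_cidr="10.0.0.0/16",
    subnet_cidr="10.0.1.0/24",
    endpoint_ip="10.0.1.5",
    a_record_ip="10.0.180.17",
    zone_linked_vnet_ids=("vnet-hub",),
)
# Same plan with the record taken from the endpoint's own private IP.
FIXED = PrivateLinkPlan(**{**BROKEN.__dict__, "a_record_ip": "10.0.1.5"})
# Zone and record are right, but the zone was never linked to the client VNet.
UNLINKED = PrivateLinkPlan(**{**FIXED.__dict__, "zone_linked_vnet_ids": ()})

if __name__ == "__main__":
    for label, plan in (("broken", BROKEN), ("fixed", FIXED), ("unlinked", UNLINKED)):
        print(label, check_plan(plan) or "ok")
    print(resolves_privately("10.0.1.5", "10.0.0.0/16"))
```

Feed `resolves_privately` the address returned by a DNS lookup of `<vault>.vault.azure.net` run from inside the VNet: a public address there means the zone link or the record is missing, not the vault itself, which is the same symptom the question describes.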