Azurerm: KeyVault Nested Item should contain 2 or 3 segments, got 10

Question (votes: 0, answers: 4)

I get the following error message:

Error: parsing "/subscriptions/<subscription_id>/resourceGroups/<resource_group_name>/providers/Microsoft.Network/applicationGateways/<app_gateway_name>/sslCertificates/<cert_name>": KeyVault Nested Item should contain 2 or 3 segments, got 10 from "subscriptions/<subscription_id>/resourceGroups/<resource_group_name>/providers/Microsoft.Network/applicationGateways/<app_gateway_name>/sslCertificates/<cert_name>"

I think the key part of the error is "KeyVault Nested Item should contain 2 or 3 segments, got 10", but I don't know what that means.

What I am trying to do:

Create an application gateway resource with an HTTPS (443) listener via Terraform (azurerm). I uploaded the certificate to Azure Key Vault (using vault access policies) and created a managed identity to access that certificate. In the portal, I can set up the listener over HTTPS using the managed identity and the certificate with no problem. Everything works as expected.

However, when I try to do the same thing in Terraform, I get the error above.

Here is what I have:

data "azurerm_key_vault" "cert_store" {
  name                = "certstore"
  resource_group_name = local.resource_group.name
}

data "azurerm_key_vault_certificate" "tls_cert" {
  name         = "tls_cert"
  key_vault_id = data.azurerm_key_vault.cert_store.id
}

resource "azurerm_application_gateway" "app_gateway" {
  name                = "app_gateway1"
  resource_group_name = local.resource_group.name
  location            = local.resource_group.location
  sku {
    name     = var.gateway_vars.sku.name
    tier     = var.gateway_vars.sku.tier
    capacity = 2
  }

  gateway_ip_configuration {
    name      = "${var.gateway_vars.name}-ip-configuration"
    subnet_id = data.azurerm_subnet.gateway_subnet.id
  }

  frontend_port {
    name = "port_80"
    port = 80
  }

  frontend_port {
    name = "port_443"
    port = 443
  }

  identity {
    type = "UserAssigned"
    identity_ids = [
      azurerm_user_assigned_identity.app_gateway_managed_identity.id
    ]
  }

  ssl_certificate {
    # references the azurerm_key_vault_certificate data source declared above
    key_vault_secret_id = data.azurerm_key_vault_certificate.tls_cert.id
    name                = "tls_cert"
  }

  frontend_ip_configuration {
    name                 = "frontendIp"
    public_ip_address_id = azurerm_public_ip.app_gateway.id
  }

  backend_address_pool {
    name  = "frontend-pool"
    fqdns = ["fqdn.com"]
  }

  # https settings - used to connect to backend services via https
  backend_http_settings {
    name                                = "https"
    cookie_based_affinity               = "Disabled"
    port                                = 443
    protocol                            = "Https"
    request_timeout                     = 60
    path                                = "/"
    pick_host_name_from_backend_address = true
  }

  http_listener {
    name                           = "http80-listener"
    frontend_ip_configuration_name = "frontendIp"
    frontend_port_name             = "port_80"
    protocol                       = "Http"
  }

  http_listener {
    name                           = "https443-listener"
    frontend_ip_configuration_name = "frontendIp"
    frontend_port_name             = "port_443"
    protocol                       = "Https"
    ssl_certificate_name           = "tls_cert"
    require_sni                    = false
  }


  url_path_map {
    name                               = "path-map"
    default_backend_address_pool_name  = "frontend-pool"
    default_backend_http_settings_name = "https"
    path_rule {
      name                       = "xx"
      paths                      = ["/path"]
      backend_address_pool_name  = "frontend-pool"
      backend_http_settings_name = "https"
    }
  }

  request_routing_rule {
    name               = "tdr-routing-rule-443"
    rule_type          = "PathBasedRouting"
    http_listener_name = "https443-listener"
    url_path_map_name  = "path-map"
  }

}
Tags: terraform ssl-certificate azure-keyvault azure-rm

4 answers

1 vote

As I was writing this post and publishing it, a colleague reached out, thinking he had seen something similar not long ago. Found here:

https://github.com/hashicorp/terraform-provider-azurerm/issues/6188

The problem was the certificate version being referenced. I think it didn't know which version of the certificate to use, so I had to tell it which version. In the ssl_certificate block inside the application gateway resource block, I used the trimsuffix function:

  ssl_certificate {
    name                = "tls_cert"
    # strip the version segment from the secret's versioned identifier
    key_vault_secret_id = trimsuffix(data.azurerm_key_vault_secret.certificate_secret.id, data.azurerm_key_vault_secret.certificate_secret.version)
  }

Secondly, I had to use azurerm_key_vault_secret instead of azurerm_key_vault_certificate, as shown below:

data "azurerm_key_vault_secret" "certificate_secret" {
  name         = "name_of_cert"
  key_vault_id = data.azurerm_key_vault.cert_store.id
}

After that, it seemed to work. I still don't fully understand why using a Key Vault secret works better than a Key Vault certificate when trying to fetch the certificate, but :shrug:.


0 votes

I solved the same problem slightly differently:

First, use azurerm_key_vault_certificate:

data "azurerm_key_vault_certificate" "ssl_certificate" {
  name         = "certificatename"
  key_vault_id = data.azurerm_key_vault.kv.id
}

and reference the versionless secret ID in the azurerm_application_gateway resource:

  ssl_certificate {
    name                = "certificatename"
    # the data source declared above; versionless_secret_id omits the version segment
    key_vault_secret_id = data.azurerm_key_vault_certificate.ssl_certificate.versionless_secret_id
  }

0 votes

Remember: always use the versionless secret ID. If you don't, certificate rotation will not work.


0 votes

Key Vault secrets have a different format:

https://{vault-name}.vault.azure.net/secrets/{secret-name}/{version}

You can import a secret like this:

import {
  id = "https://${local.key_vault_name}.vault.azure.net/secrets/${local.key_vault_episerver_servicebus_secret}/5345b0955729461a90fd705113f8ae72"
  to = module.server_dependency.azurerm_key_vault_secret.connection_string_episerver_servicebus
}
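The identifier format the answers are circling around, as an added example that is not part of the question, the answers, or the azurerm provider: a small Python check that reproduces the "2 or 3 segments" rule behind the question's error (an ARM resource ID like the one in the error has 10 path segments, a Key Vault secret URL has 2 or 3), and derives the versionless secret ID that the second and third answers recommend so that a rotated certificate is picked up. The vault and secret names, the version value, and the function names are assumptions; the check mirrors the error text, not the provider's actual parsing code.

```python
"""Added example (not from the question, the answers, or the azurerm provider):
parse Key Vault nested-item identifiers the way the "2 or 3 segments" error
implies, and derive the versionless form the answers recommend.
All sample identifiers below are constructed placeholders."""
from typing import List, Optional
from urllib.parse import urlparse

# Constructed samples: placeholder vault/secret names and a made-up version.
VERSIONED_ID = "https://certstore.vault.azure.net/secrets/tls_cert/0123456789abcdef0123456789abcdef"
VERSIONLESS_ID = "https://certstore.vault.azure.net/secrets/tls_cert"
# The shape of value the question's error shows: an ARM resource ID of the
# gateway's own sslCertificates child, not a Key Vault URL at all.
ARM_ID = ("/subscriptions/<subscription_id>/resourceGroups/<resource_group_name>"
          "/providers/Microsoft.Network/applicationGateways/<app_gateway_name>"
          "/sslCertificates/<cert_name>")

NESTED_ITEM_TYPES = ("secrets", "certificates", "keys")


def path_segments(raw: str) -> List[str]:
    """Non-empty path segments; for an ARM ID the whole string is the path."""
    return [s for s in urlparse(raw).path.split("/") if s]


def check_key_vault_secret_id(raw: str) -> Optional[str]:
    """Return None if `raw` looks like a Key Vault nested-item identifier,
    otherwise an error message shaped like the one in the question."""
    segments = path_segments(raw)
    if len(segments) not in (2, 3):
        # The rule the question's error reports: an ARM ID yields 10 segments.
        return (f'parsing "{raw}": KeyVault Nested Item should contain 2 or 3 '
                f'segments, got {len(segments)} from "{raw.lstrip("/")}"')
    url = urlparse(raw)
    # Host suffix differs per cloud (vault.azure.net is the public cloud), so
    # only the scheme and the presence of a host are checked here.
    if url.scheme != "https" or not url.netloc:
        return f'parsing "{raw}": expected an https://<vault-host>/... URL'
    if segments[0] not in NESTED_ITEM_TYPES:
        return f'parsing "{raw}": unknown nested item type "{segments[0]}"'
    return None


def to_versionless(raw: str) -> str:
    """Drop the trailing version segment (if any), so the reference follows the
    current version of the secret after a rotation.  Unlike trimsuffix() on the
    version string alone, this leaves no trailing slash behind."""
    problem = check_key_vault_secret_id(raw)
    if problem:
        raise ValueError(problem)
    host = urlparse(raw).netloc
    item_type, name = path_segments(raw)[:2]
    return f"https://{host}/{item_type}/{name}"


def is_pinned_to_version(raw: str) -> bool:
    """True when a valid identifier names one specific version (3 segments),
    i.e. the gateway would keep serving that version after a rotation."""
    return check_key_vault_secret_id(raw) is None and len(path_segments(raw)) == 3


if __name__ == "__main__":
    for sample in (VERSIONED_ID, VERSIONLESS_ID, ARM_ID):
        problem = check_key_vault_secret_id(sample)
        if problem:
            print(problem)
        else:
            print(f"{sample} -> pinned={is_pinned_to_version(sample)} "
                  f"versionless={to_versionless(sample)}")
```

Running the block prints the provider-style "got 10" message for the ARM ID and the versionless form for both Key Vault URLs; the `is_pinned_to_version` result is the thing to look for when checking whether a gateway's `key_vault_secret_id` will survive the next certificate rotation.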
© www.soinside.com 2019 - 2024. All rights reserved.