Azure: certificate access error during Terraform plan

imzjd6km posted on 2023-02-16 in Other
Follow (0) | Answers (1) | Views (104)

I think I'm in a chicken-and-egg situation: I need to declare a certificate resource for our application gateway, but the app principal running Terraform in our pipeline doesn't have permissions until after apply has completed. Basically, the service principal cannot access the certificate during plan, so the plan never completes and apply cannot run because there is no plan file output.
Is there any way around this other than manually configuring the permissions in the UI?
Access policy (does not include the "Get" permission for certificates)
Key Vault

resource "azurerm_key_vault" "web" {
  name                = lower(format("az-kv-web-%s-%s-%s", var.instance.environment, var.instance.az-region, var.instance.serial))
  location            = azurerm_resource_group.web.location
  resource_group_name = azurerm_resource_group.web.name

  sku_name = var.instance.key-vault.sku-name

  # Azure AD tenant
  tenant_id = var.instance.aad-tenant-id

  dynamic "access_policy" {
    for_each = var.instance.key-vault.access

    content {
      tenant_id               = var.instance.aad-tenant-id
      object_id               = access_policy.value.object-id

      certificate_permissions = access_policy.value.cert-permissions
      key_permissions         = access_policy.value.key-permissions
      secret_permissions      = access_policy.value.secret-permissions
      storage_permissions     = access_policy.value.storage-permissions
    }
  }
}

Certificate

data "azurerm_key_vault_certificate" "gateway" {
  name = var.gateway.certificate-name

  key_vault_id = var.key-vault.id
}

Error

╷
│ Error: reading Key Vault Certificate: keyvault.BaseClient#GetCertificate: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="Forbidden" Message="The user, group or application 'appid=***;oid=***;numgroups=3;iss=https://sts.windows.net/***/' does not have certificates get permission on key vault 'az-kv-web-dev-eastus-001;location=eastus'. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125287" InnerError={"code":"ForbiddenByPolicy"}
│ 
│   with module.web["001"].module.app-gateway.data.azurerm_key_vault_certificate.gateway,
│   on modules\app-gateway\main.tf line 123, in data "azurerm_key_vault_certificate" "gateway":
│  123: data "azurerm_key_vault_certificate" "gateway" {
│ 
╵
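The plan-time 403 above happens because a data source whose arguments are all known is read during plan, before any access policy written by the same configuration exists. The following Terraform is an added example, not code from the question or the answer: it grants the principal running Terraform a least-privilege certificate read policy from within the configuration and defers the certificate read to apply by making the data source depend on that policy. It also shows the separate identity the Application Gateway itself uses (which needs secrets/Get, not certificates/Get) and a variant that avoids the data read entirely. Assumptions not in the original post: the variables `key_vault_name`, `certificate_name` and `gateway_identity_name`, the resource group `azurerm_resource_group.web` (referenced in the question but not shown), and that the vault's policies are managed with `azurerm_key_vault_access_policy` resources rather than inline `access_policy` blocks, since the azurerm provider does not support mixing the two.

```hcl
# Added example: bootstrap the pipeline principal's Key Vault access and defer
# the certificate read to apply. Variable names and the resource group are
# assumptions; the certificate itself is expected to already be in the vault.

data "azurerm_client_config" "current" {}

resource "azurerm_key_vault" "web" {
  name                = var.key_vault_name # assumed variable
  location            = azurerm_resource_group.web.location
  resource_group_name = azurerm_resource_group.web.name
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "standard"
  # Deliberately no inline access_policy blocks: they are managed as separate
  # resources below so the pipeline policy can be a dependency of the read.
}

# 1. Least privilege for the identity that runs terraform (the one that got
#    the 403). Reading certificate metadata needs only certificates Get/List.
#    Writing this policy is a control-plane (ARM) operation, so the principal
#    needs e.g. Contributor on the vault even before it has any data-plane access.
resource "azurerm_key_vault_access_policy" "pipeline" {
  key_vault_id = azurerm_key_vault.web.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = data.azurerm_client_config.current.object_id

  certificate_permissions = ["Get", "List"]
}

# 2. The Application Gateway pulls the certificate through the *secrets*
#    endpoint of the vault, so its identity needs secrets Get and nothing else.
resource "azurerm_user_assigned_identity" "gateway" {
  name                = var.gateway_identity_name # assumed variable
  location            = azurerm_resource_group.web.location
  resource_group_name = azurerm_resource_group.web.name
}

resource "azurerm_key_vault_access_policy" "gateway" {
  key_vault_id = azurerm_key_vault.web.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = azurerm_user_assigned_identity.gateway.principal_id

  secret_permissions = ["Get"]
}

# 3. The read that failed in the question. Because it depends on a managed
#    resource with pending changes on the first run, Terraform defers the read
#    to apply (the result shows as "known after apply" in the plan) instead of
#    executing it during plan, when the principal has no permission yet. Once
#    the policy exists and is unchanged, later plans read it at plan time again.
data "azurerm_key_vault_certificate" "gateway" {
  name         = var.certificate_name # assumed variable
  key_vault_id = azurerm_key_vault.web.id

  depends_on = [azurerm_key_vault_access_policy.pipeline]
}

# 4. Alternative that needs no data read at all: the gateway only needs the
#    versionless secret URI, which can be built from attributes that are known
#    at plan time. vault_uri already ends with a trailing slash.
locals {
  gateway_cert_secret_id = "${azurerm_key_vault.web.vault_uri}secrets/${var.certificate_name}"
}

output "gateway_certificate_secret_id" {
  # Either this value or data.azurerm_key_vault_certificate.gateway.secret_id
  # can feed ssl_certificate.key_vault_secret_id on the application gateway.
  value = local.gateway_cert_secret_id
}
```

Two caveats worth knowing before relying on the deferred read: a policy write followed immediately by a data-plane read in the same apply can hit a short propagation delay, so a retry of the apply may be needed on the very first run; and the variant in step 4 gives up the existence check the data source provides, so a misspelled certificate name surfaces only when the gateway tries to load it.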
8yparm6h #1

To create the certificate and access it, I used the following code and ran terraform plan and terraform apply.

Code:
# Data sources referenced by the resources below (the client-config and
# resource-group lookups were missing from the snippet as posted)
data "azurerm_subscription" "current" {}
data "azurerm_client_config" "current" {}
data "azuread_client_config" "current" {}

data "azurerm_resource_group" "example" {
  name = "<existing-resource-group>" # placeholder: substitute your resource group
}

resource "azuread_application" "example" {
  display_name     = "newexample"
  // identifier_uris  = ["https://kavyaexample.com"]
  owners           = [data.azuread_client_config.current.object_id]
  sign_in_audience = "AzureADMultipleOrgs"

  api {
    mapped_claims_enabled          = true
    requested_access_token_version = 2

    oauth2_permission_scope {
      admin_consent_description  = "Allow the application to access example on behalf of the signed-in user."
      admin_consent_display_name = "Access example"
      enabled                    = true
      id                         = "96183846-204b-4b43-82e1-5d2222eb4b9b"
      type                       = "User"
      user_consent_description   = "Allow the application to access example on your behalf."
      user_consent_display_name  = "Access example"
      value                      = "user_impersonation"
    }

    oauth2_permission_scope {
      admin_consent_description  = "Administer the example application"
      admin_consent_display_name = "Administer"
      enabled                    = true
      id                         = "be98fa3e-ab5b-4b11-83d9-04ba2b7946bc"
      type                       = "Admin"
      value                      = "administer"
    }
  }

  app_role {
    allowed_member_types = ["User", "Application"]
    description          = "Admins can manage roles and perform all task actions"
    display_name         = "Admin"
    enabled              = true
    id                   = "1b19509b-32b1-4e9f-b71d-4992aa991967"
    value                = "admin"
  }

  app_role {
    allowed_member_types = ["User"]
    description          = "ReadOnly roles have limited query access"
    display_name         = "ReadOnly"
    enabled              = true
    id                   = "497406e4-012a-4267-bf18-45a1cb148a01"
    value                = "User"
  }

  feature_tags {
    enterprise = true
    gallery    = true
  }

  optional_claims {
    access_token {
      name = "myclaim"
    }

    access_token {
      name = "otherclaim"
    }

    id_token {
      name                  = "userclaim"
      source                = "user"
      essential             = true
      additional_properties = ["emit_as_roles"]
    }

    saml2_token {
      name = "samlexample"
    }
  }

  required_resource_access {
    resource_app_id = "00000003-0000-0000-c000-000000000000" # Microsoft Graph

    resource_access {
      id   = "df021288-bdef-4463-88db-98f22de89214" # User.Read.All
      type = "Role"
    }

    resource_access {
      id   = "b4e74841-8e56-480b-be8b-910348b18b4c" # User.ReadWrite
      type = "Scope"
    }
  }

  required_resource_access {
    resource_app_id = "c5393580-f805-4401-95e8-94b7a6ef2fc2" # Office 365 Management

    resource_access {
      id   = "594c1fb6-4f81-4475-ae41-0c394909246c" # ActivityFeed.Read
      type = "Role"
    }
  }

  web {
    homepage_url  = "https://app.example.net"
    logout_url    = "https://app.example.net/logout"
    redirect_uris = ["https://app.example.net/account"]

    implicit_grant {
      access_token_issuance_enabled = true
      id_token_issuance_enabled     = true
    }
  }

  
}

resource "azuread_service_principal" "example" {
  application_id               = azuread_application.example.application_id
  app_role_assignment_required = false
  owners                       = [data.azuread_client_config.current.object_id]
  
}

/*
resource "azurerm_role_assignment" "example" {
  scope              = "/subscriptions/f10a5570-53f3-473f-9c2f-bd0ee87ca71c/resourceGroups/v-sakavya-Mindtree"
  role_definition_id = "b24988ac-6180-42a0-ab88-20f7382dd24c"
  principal_id       = azuread_service_principal.example.object_id

}

*/
resource "azurerm_key_vault" "example" {
  name                        = "kavyaexmplkeyvault"
  location                    = data.azurerm_resource_group.example.location
  resource_group_name         = data.azurerm_resource_group.example.name
  enabled_for_disk_encryption = true
  tenant_id                   = data.azurerm_client_config.current.tenant_id
  soft_delete_retention_days  = 7
  purge_protection_enabled    = false
  sku_name = "standard"

  access_policy {
    tenant_id = data.azurerm_client_config.current.tenant_id
    object_id = data.azurerm_client_config.current.object_id

    // object_id = azuread_service_principal.example.object_id

    certificate_permissions = [
      "Create",
      "Delete",
      "DeleteIssuers",
      "Get",
      "GetIssuers",
      "Import",
      "List",
      "ListIssuers",
      "ManageContacts",
      "ManageIssuers",
      "Purge",
      "SetIssuers",
      "Update",
    ]

    key_permissions = [
      "Backup",
      "Create",
      "Decrypt",
      "Delete",
      "Encrypt",
      "Get",
      "Import",
      "List",
      "Purge",
      "Recover",
      "Restore",
      "Sign",
      "UnwrapKey",
      "Update",
      "Verify",
      "WrapKey",
    ]

    secret_permissions = [
      "Backup",
      "Delete",
      "Get",
      "List",
      "Purge",
      "Recover",
      "Restore",
      "Set",
    ]
    storage_permissions = [
      "Get",
      "Set",
    ]
  }

  
}


resource "tls_private_key" "example" {
  algorithm = "RSA"
  rsa_bits  = 4096
}


resource "azurerm_key_vault_certificate" "example" {
  name         = "kavya-cert"
  key_vault_id = azurerm_key_vault.example.id

  certificate_policy {
    issuer_parameters {
      name = "Self"
    }

    key_properties {
      exportable = true
      key_size   = 2048
      key_type   = "RSA"
      reuse_key  = true
    }

    lifetime_action {
      action {
        action_type = "AutoRenew"
      }

      trigger {
        days_before_expiry = 30
      }
    }

    secret_properties {
      content_type = "application/x-pkcs12"
    }

    x509_certificate_properties {
      # Server Authentication = 1.3.6.1.5.5.7.3.1
      # Client Authentication = 1.3.6.1.5.5.7.3.2
      extended_key_usage = ["1.3.6.1.5.5.7.3.1"]

      key_usage = [
        "cRLSign",
        "dataEncipherment",
        "digitalSignature",
        "keyAgreement",
        "keyCertSign",
        "keyEncipherment",
      ]

      subject_alternative_names {
        dns_names = ["internal.contoso.com", "domain.hello.world"]
      }

      subject            = "CN=hello-world"
      validity_in_months = 12
    }
  }
}


resource "azuread_application_certificate" "example" {
  application_object_id = azuread_application.example.id
  type                  = "AsymmetricX509Cert"
  encoding              = "hex"
  value                 = azurerm_key_vault_certificate.example.certificate_data
  //end_date              = azurerm_key_vault_certificate.example.certificate_attribute[0].expires
  //start_date            = azurerm_key_vault_certificate.example.certificate_attribute[0].not_before
}

Since the service principal is granted Get, List, Create and Delete access to certificates.

But when I tried switching this access policy to the service principal, I got a similar error:

resource "azurerm_key_vault" "example" {
  name                        = "kavyaexmplkeyvault"
  location                    = data.azurerm_resource_group.example.location
  resource_group_name         = data.azurerm_resource_group.example.name
  enabled_for_disk_encryption = true
  tenant_id                   = data.azurerm_client_config.current.tenant_id
  soft_delete_retention_days  = 7
  purge_protection_enabled    = false
  sku_name = "standard"

  access_policy {
    tenant_id = data.azurerm_client_config.current.tenant_id
    // object_id = data.azurerm_client_config.current.object_id

    object_id = azuread_service_principal.example.object_id

    certificate_permissions = [
      "Create",
      "Delete",
      "DeleteIssuers",
      "Get",
      "GetIssuers",
      "Import",
      "List",
      "ListIssuers",
      "ManageContacts",
      "ManageIssuers",
      "Purge",
      "SetIssuers",
      "Update",
    ]

    key_permissions = [
      "Backup",
      "Create",
      "Decrypt",
      "Delete",
      "Encrypt",
      "Get",
      "Import",
      "List",
      "Purge",
      "Recover",
      "Restore",
      "Sign",
      "UnwrapKey",
      "Update",
      "Verify",
      "WrapKey",
    ]

    secret_permissions = [
      "Backup",
      "Delete",
      "Get",
      "List",
      "Purge",
      "Recover",
      "Restore",
      "Set",
    ]
    storage_permissions = [
      "Get",
      "Set",
    ]
  }

  
}
Error:

Status=403 Code="Forbidden" Message="The user, group or application 'appid=***;oid=***;numgroups=3;iss=https://sts.windows.net/***/' does not have certificates get permission on key vault

  • Then I tried to create it again with the access policy given to the service principal, but still faced the same error.
  • Then I destroyed the file, but nothing changed, since it is stored in backup and the certificate privileges cannot be changed unless we have access.

  • Instead, I changed the Key Vault name and the certificate name in Terraform.
  • Deleted the existing certificate in the Azure AD application.
  • Then created it and ran terraform plan and terraform apply.

Running terraform apply directly also worked with the starting code above.
It created the service principal access policy.

Certificate retrieved in the Azure AD application.
