azure 如何使用Terraform批准Blob Storage ADLS Gen2上的托管专用端点?

oxcyiej7  于 2023-06-24  发布在  其他
关注(0)|答案(3)|浏览(133)

我已经使用Terraform在Synapse Analytics工作区上创建了几个受管理的私有端点。现在我不知道如何“批准”它们,因为我似乎找不到执行此操作的正确资源。
要手动执行,我需要转到存储帐户->网络->私有端点,选择要“批准”的并按批准。

mnemlml8

mnemlml81#

如果你还感兴趣,我在Terraform中这样做了:

resource "null_resource" "endpoint_approval" {
  depends_on = [module.sql_managed_endpoint, module.storage_managed_endpoint]
  provisioner "local-exec" {
    command     = <<-EOT
          $sql_id = $(az network private-endpoint-connection list --id ${module.mssql_server.id} --query "[?contains(properties.privateEndpoint.id, 'vnet')].id" -o json) | ConvertFrom-Json
          $storage_id = $(az network private-endpoint-connection list --id ${module.storage_account.storage_account_id} --query "[?contains(properties.privateEndpoint.id, 'vnet')].id" -o json) | ConvertFrom-Json
          az network private-endpoint-connection approve --id $sql_id --description "Approved in Terraform"
          az network private-endpoint-connection approve --id $storage_id --description "Approved in Terraform"
        EOT
    interpreter = ["pwsh", "-Command"]
  }
}
thigvfpy

thigvfpy2#

从今天起,您无法使用Terraform批准托管专用端点。
你可以 checkout 已经在hashicorp问过的Synapse Managed Private Endpoint - auto_approval option

注意:Azure PowerShellAzure CLI是管理Microsoft合作伙伴服务或客户拥有的服务上的专用端点连接的首选方法。

有关详细信息,请参阅管理客户/合作伙伴拥有的专用链接服务上的专用端点连接。

eqzww0vc

eqzww0vc3#

可以批准与Terraform的私有端点连接。
请参阅下面的示例,以批准Synapse Analytics工作区和存储帐户之间的托管专用端点。
诀窍是使用azapi提供程序检索和过滤存储帐户上的私有端点连接,然后批准它。

resource "azurerm_resource_group" "example" {
  name     = "example-resources"
  location = "West Europe"
}

resource "azurerm_storage_account" "example" {
  name                     = "examplestorageacc"
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
  account_kind             = "StorageV2"
  is_hns_enabled           = "true"
}

resource "azurerm_storage_data_lake_gen2_filesystem" "example" {
  name               = "example"
  storage_account_id = azurerm_storage_account.example.id
}

resource "azurerm_synapse_workspace" "example" {
  name                                 = "example"
  resource_group_name                  = azurerm_resource_group.example.name
  location                             = azurerm_resource_group.example.location
  storage_data_lake_gen2_filesystem_id = azurerm_storage_data_lake_gen2_filesystem.example.id
  sql_administrator_login              = "sqladminuser"
  sql_administrator_login_password     = "H@Sh1CoR3!"
  managed_virtual_network_enabled      = true

  identity {
    type = "SystemAssigned"
  }
}

resource "azurerm_synapse_firewall_rule" "example" {
  name                 = "AllowAll"
  synapse_workspace_id = azurerm_synapse_workspace.example.id
  start_ip_address     = "0.0.0.0"
  end_ip_address       = "255.255.255.255"
}

resource "azurerm_storage_account" "example_connect" {
  name                     = "examplestorage2"
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
  account_kind             = "BlobStorage"
}

resource "azurerm_synapse_managed_private_endpoint" "example" {
  name                 = "example-endpoint"
  synapse_workspace_id = azurerm_synapse_workspace.example.id
  target_resource_id   = azurerm_storage_account.example_connect.id
  subresource_name     = "blob"

  depends_on = [azurerm_synapse_firewall_rule.example]
}

# Retrieve the storage account details, including the private endpoint connections
data "azapi_resource" "example_storage" {
  type                   = "Microsoft.Storage/storageAccounts@2022-09-01"
  resource_id            = azurerm_storage_account.example.id
  response_export_values = ["properties.privateEndpointConnections"]
}

# Retrieve the private endpoint connection name from the storage account based on the private endpoint name
locals {
  private_endpoint_connection_name = element([
    for connection in jsondecode(data.azapi_resource.example_storage.output).properties.privateEndpointConnections
    : connection.name
    if endswith(connection.properties.privateEndpoint.id, azurerm_synapse_managed_private_endpoint.example.name)
  ], 0)
}

# Approve the private endpoint
resource "azapi_update_resource" "approval" {
  type      = "Microsoft.Storage/storageAccounts/privateEndpointConnections@2022-09-01"
  name      = local.private_endpoint_connection_name
  parent_id = azurerm_storage_account.example.id

  body = jsonencode({
    properties = {
      privateLinkServiceConnectionState = {
        description = "Approved via Terraform"
        status      = "Approved"
      }
    }
  })
}

相关问题