我正在尝试使用 Terraform 部署 Azure 存储帐户,但我已将服务凭据存储在 Azure Key Vault 中,Terraform 应从保管库中读取这些值并部署资源。下面是我为此编写的脚本
错误:无法为资源管理器 API 构建授权者:无法配置 AzureCli 授权者:无法解析 Azure CLI 版本: 启动 Azure CLI:exec:“az”:在 %PATH% 中找不到可执行文件 │ │ 与提供者["registry.terraform.io/hashicorp/azurerm"], │ 上 main.tf 第 19 行,提供商“azurerm”中: │ 19:提供商“azurerm”
# Service principal application (client) ID, read from Key Vault.
# No `provider` argument is set, so this lookup is performed through the
# default azurerm provider, which must already be authenticated.
# The "/subscriptions/id/..." segment appears to be a placeholder for the
# real subscription GUID.
data "azurerm_key_vault_secret" "client_id" {
  key_vault_id = "/subscriptions/id/resourceGroups/Cloud360-AzCred/providers/Microsoft.KeyVault/vaults/AzCredentials"
  name         = "clientid"
}
# Entra (Azure AD) tenant ID of the service principal, read from Key Vault
# through the default provider (no `provider` argument here).
data "azurerm_key_vault_secret" "tenant_id" {
  key_vault_id = "/subscriptions/id/resourceGroups/Cloud360-AzCred/providers/Microsoft.KeyVault/vaults/AzCredentials"
  name         = "tenantid"
}
# Service principal password, read from Key Vault through the default
# provider. Its `.value` is recorded in Terraform state once this data source
# is read, so the state backend must be protected as strictly as the vault.
data "azurerm_key_vault_secret" "client_secret" {
  key_vault_id = "/subscriptions/id/resourceGroups/Cloud360-AzCred/providers/Microsoft.KeyVault/vaults/AzCredentials"
  name         = "clientsecret"
}
# Target subscription ID for the service-principal provider, read from Key
# Vault through the default provider (no `provider` argument here).
data "azurerm_key_vault_secret" "subscription_id" {
  key_vault_id = "/subscriptions/id/resourceGroups/Cloud360-AzCred/providers/Microsoft.KeyVault/vaults/AzCredentials"
  name         = "subscriptionid"
}
# Default (unaliased) azurerm provider. No client_id / client_secret /
# tenant_id / subscription_id are given here, so it has to obtain credentials
# from its fallback chain; the error quoted above shows that chain ending at
# the Azure CLI ("az" not found in PATH). The four azurerm_key_vault_secret
# data sources carry no `provider` argument and are therefore read with this
# provider: fetching the stored service principal credentials still requires
# an already-authenticated identity (az login, managed identity, OIDC or the
# ARM_* environment variables) — the vault does not remove that bootstrap step.
provider "azurerm" {
  skip_provider_registration = true

  features {}
}
# Credential values unwrapped from the Key Vault data sources, in the order the
# aliased provider consumes them. These locals hold secret material; anything
# that interpolates them (outputs, logs, state) exposes it.
locals {
  subscription_id = data.azurerm_key_vault_secret.subscription_id.value
  tenant_id       = data.azurerm_key_vault_secret.tenant_id.value
  client_id       = data.azurerm_key_vault_secret.client_id.value
  client_secret   = data.azurerm_key_vault_secret.client_secret.value
}
# Second azurerm provider, selectable with `provider = azurerm.keyvault`, that
# authenticates as the service principal whose credentials were read from Key
# Vault. A resource uses this identity only when it sets that argument; a
# resource without it is created through the default provider instead.
# The credential values end up in Terraform state in plain text, so the
# state backend needs the same access controls as the vault.
provider "azurerm" {
  alias = "keyvault"

  subscription_id = local.subscription_id
  tenant_id       = local.tenant_id
  client_id       = local.client_id
  client_secret   = local.client_secret

  features {}
}
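# Resource group for the storage account. `provider = azurerm.keyvault` routes
# this resource through the service-principal provider; without it the group
# would be created via the default (CLI-authenticated) provider and the
# credentials fetched from Key Vault would go unused.
resource "azurerm_resource_group" "example" {
  provider = azurerm.keyvault

  name     = "example-resourcesw"
  location = "East US"
}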
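# Storage account placed in the resource group above. `provider =
# azurerm.keyvault` makes it use the service-principal identity; the original
# configuration omitted this, so the account was created through the default
# provider instead.
resource "azurerm_storage_account" "example" {
  provider = azurerm.keyvault

  name                     = "cndstorageacunt2023212"
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "LRS"

  # Hardening arguments such as min_tls_version and
  # allow_nested_items_to_be_public are left at provider defaults here;
  # review them before using this outside a demo.
}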
我尝试使用 Terraform 脚本获取 Azure KeyVault 中的凭据,例如订阅 ID、客户端 ID、客户端密钥等,并且我能够成功满足要求。
该错误表明 Terraform 尝试使用 Azure CLI 进行身份验证,但找不到 `az` 命令。当未安装 Azure CLI 或未正确添加到系统的 PATH 时,通常会发生这种情况。
作为参考,您可以使用此路径在 VSC 中重新安装 Azure CLI。
安装后,请尝试使用以下命令登录您的 Azure 订阅
az login
在进行 terraform 步骤之前,请确保在环境变量中定义 terraform 的正确路径。
完成登录后,在运行 terraform 命令之前,请确保您的用户对密钥保管库和订阅级别拥有必要的权限,以避免不必要的阻止。
用户所需的权限应为 secret reader 和 key vault administrator。
我的 Terraform 配置:
# Default azurerm provider with no explicit credentials; per the steps above it
# authenticates through the Azure CLI session created by `az login`. The
# azurerm_key_vault and azurerm_key_vault_secret data sources below set no
# `provider` argument, so they are read with this identity, which therefore
# needs read access to the vault's secrets.
provider "azurerm" {
features {}
}
# Looks up the vault by name and resource group so its ID can be referenced
# instead of hard-coding the full resource path.
data "azurerm_key_vault" "example" {
  resource_group_name = "demorg-vk"
  name                = "exkvvksb"
}
# Service principal application (client) ID, read via the default provider.
data "azurerm_key_vault_secret" "client_id" {
  key_vault_id = data.azurerm_key_vault.example.id
  name         = "clientid"
}
# Tenant ID of the service principal, read via the default provider.
data "azurerm_key_vault_secret" "tenant_id" {
  key_vault_id = data.azurerm_key_vault.example.id
  name         = "tenantid"
}
# Service principal password, read via the default provider. The value is
# persisted in Terraform state, so protect the state backend accordingly.
data "azurerm_key_vault_secret" "client_secret" {
  key_vault_id = data.azurerm_key_vault.example.id
  name         = "clientsecret"
}
# Target subscription ID, read via the default provider.
data "azurerm_key_vault_secret" "subscription_id" {
  key_vault_id = data.azurerm_key_vault.example.id
  name         = "subscriptionid"
}
# Aliased provider authenticating as the service principal whose credentials
# came from Key Vault; the resources below select it with
# `provider = azurerm.credentials`. Because these values are taken from data
# sources they are written to Terraform state in plain text — the state
# backend must be protected as strictly as the vault itself.
provider "azurerm" {
  alias = "credentials"

  subscription_id = data.azurerm_key_vault_secret.subscription_id.value
  tenant_id       = data.azurerm_key_vault_secret.tenant_id.value
  client_id       = data.azurerm_key_vault_secret.client_id.value
  client_secret   = data.azurerm_key_vault_secret.client_secret.value

  features {}
}
# Resource group created with the service-principal identity rather than the
# CLI-authenticated default provider.
resource "azurerm_resource_group" "storage_rg" {
  provider = azurerm.credentials

  location = "east us"
  name     = "StorageRGvk"
}
# Storage account in the group above, also created through the
# service-principal provider. Network/TLS hardening arguments are left at
# provider defaults in this example.
resource "azurerm_storage_account" "example" {
  provider = azurerm.credentials

  name                = "devkstoracc12"
  resource_group_name = azurerm_resource_group.storage_rg.name
  location            = azurerm_resource_group.storage_rg.location

  account_replication_type = "LRS"
  account_tier             = "Standard"
}
输出: