I am trying to create a Terraform script that will be driven by a yml pipeline in Azure DevOps. It needs to create a pfx self-signed certificate for use with certificate-based authentication. The script below creates a certificate, but it does not seem to create a pfx, even though I have set the secret_properties content type.
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "=3.89.0"
    }
  }
}

provider "azurerm" {
  features {
    # key_vault {
    #   purge_soft_deleted_certificates_on_destroy = true
    #   recover_soft_deleted_certificates          = true
    # }
  }
}

# Required so that the tenant_id element can be dynamically added
data "azurerm_client_config" "current" {}

resource "azurerm_resource_group" "mtc-rg" {
  name     = "mtc-resources"
  location = "Australia Southeast"
  tags = {
    environment = "dev"
  }
}

resource "azurerm_key_vault" "mtc-keyv" {
  name                       = "mtc-keyvault"
  location                   = azurerm_resource_group.mtc-rg.location
  resource_group_name        = azurerm_resource_group.mtc-rg.name
  tenant_id                  = data.azurerm_client_config.current.tenant_id
  sku_name                   = "standard"
  soft_delete_retention_days = 90
  purge_protection_enabled   = true # <------ TODO

  access_policy {
    tenant_id = data.azurerm_client_config.current.tenant_id
    object_id = "<< user object_id here >>"

    certificate_permissions = [
      "Create",
      "Delete",
      "List",
      "Get"
    ]
  }
}

resource "azurerm_key_vault_certificate" "mtc-cert" {
  name         = "snoogans"
  key_vault_id = azurerm_key_vault.mtc-keyv.id

  certificate_policy {
    issuer_parameters {
      name = "Self"
    }

    key_properties {
      exportable = true
      key_type   = "RSA"
      key_size   = 2048
      reuse_key  = false
    }

    secret_properties {
      content_type = "application/x-pkcs12"
    }

    lifetime_action {
      action {
        action_type = "AutoRenew"
      }
      trigger {
        days_before_expiry = 30
      }
    }

    x509_certificate_properties {
      # Adjust the subject, validity period, etc., as needed
      subject            = "CN=SomeSubject"
      validity_in_months = 60
      key_usage = [
        "digitalSignature",
        "keyEncipherment",
      ]
      # serverAuth OID = 1.3.6.1.5.5.7.3.1
      extended_key_usage = ["1.3.6.1.5.5.7.3.1"]
    }
  }

  depends_on = [
    azurerm_key_vault.mtc-keyv,
  ]
}
After running tf and downloading the certificate, I have been running an Azure CLI script so that I can export the public key and Base64-encode it to give to the team that manages the token server. I need this certificate to be a pfx so that my .NET Core REST API can fetch the certificate from Azure and generate a JWT (which requires the private key), then pass it with the authentication request to the token server, which validates the JWT using the previously exported public key.
So after downloading the certificate from Azure I cannot export it, because its format is apparently wrong. I checked the Key Vault in the Azure portal and can see that the option to download the PFX is disabled.
Can anyone see what I am missing in my tf?
I tried creating a PKCS12 certificate on Azure Key Vault using Terraform and was able to configure the requirement successfully.
You have basically configured the script correctly, using the secret_properties block to set the content type to application/x-pkcs12, which is the MIME type for PFX files.
One possible reason the Download as PFX option is disabled in the Azure portal is that the certificate's private key is unavailable or not marked as exportable. You have specified exportable = true under key_properties in your Terraform code, which should make the private key exportable. However, if the problem persists, you can try the following steps:
Permissions: The Terraform script should be run by a service principal or a user with the correct permissions to generate and export keys and certificates from the Key Vault.
Azure CLI or SDK: To fetch the certificate using the Azure CLI or any SDK, you need to use the correct commands and have the appropriate permissions.
My Terraform configuration:
provider "azurerm" {
  features {}
}

data "azurerm_client_config" "current" {}

resource "azurerm_resource_group" "example" {
  name     = "mtcvk-resources"
  location = "east us"
}

resource "azurerm_key_vault" "example" {
  name                       = "mtcvk-keyvault"
  location                   = azurerm_resource_group.example.location
  resource_group_name        = azurerm_resource_group.example.name
  tenant_id                  = data.azurerm_client_config.current.tenant_id
  sku_name                   = "standard"
  soft_delete_retention_days = 90
  purge_protection_enabled   = true

  access_policy {
    tenant_id = data.azurerm_client_config.current.tenant_id
    object_id = "enter your user or SP object ID"

    key_permissions         = ["Create", "Get", "Delete", "List", "Update", "Import", "Backup", "Restore", "Recover"]
    secret_permissions      = ["Set", "Get", "Delete", "List", "Recover", "Backup", "Restore"]
    certificate_permissions = ["Create", "Delete", "Get", "List", "Update", "ManageContacts", "GetIssuers", "ListIssuers", "SetIssuers", "DeleteIssuers"]
  }
}

resource "azurerm_key_vault_certificate" "example" {
  name         = "snoogans"
  key_vault_id = azurerm_key_vault.example.id

  certificate_policy {
    issuer_parameters {
      name = "Self"
    }

    key_properties {
      exportable = true
      key_type   = "RSA"
      key_size   = 2048
      reuse_key  = false
    }

    secret_properties {
      content_type = "application/x-pkcs12"
    }

    lifetime_action {
      action {
        action_type = "AutoRenew"
      }
      trigger {
        days_before_expiry = 30
      }
    }

    x509_certificate_properties {
      subject            = "CN=SomeSubject"
      validity_in_months = 60
      key_usage          = ["digitalSignature", "keyEncipherment"]
      extended_key_usage = ["1.3.6.1.5.5.7.3.1"]
    }
  }
}
Output:
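A small checker, added here as an example and not part of either post, for the two policy settings the answer points at: it takes the certificate JSON as printed by `az keyvault certificate show -o json` (the camelCase field names `policy.keyProperties.exportable`, `policy.secretProperties.contentType` and the base64 DER `cer` field are assumptions based on the Key Vault REST schema) and reports why a PFX download would be unusable, then wraps the public certificate as PEM, which is the private-key-free artifact the token-server team needs.

```python
"""Check a Key Vault certificate for the settings a PFX (private key) download depends on.
The sample data below is constructed and is not real vault output."""
import base64
import json
import textwrap

PKCS12 = "application/x-pkcs12"

# Constructed sample shaped like `az keyvault certificate show -o json`
# (field names assumed from the Key Vault REST schema). This one is deliberately
# mis-configured so the checker has something to report.
SAMPLE_CERT_JSON = json.dumps({
    "name": "snoogans",
    "cer": base64.b64encode(b"constructed DER bytes, not a real certificate").decode(),
    "policy": {
        "issuerParameters": {"name": "Self"},
        "keyProperties": {"exportable": False, "keyType": "RSA", "keySize": 2048},
        "secretProperties": {"contentType": "application/x-pem-file"},
    },
})


def check_pfx_policy(cert):
    """Return findings that explain why 'Download as PFX' would be disabled or useless.
    An empty list means the policy allows a PKCS#12 with the private key to be fetched."""
    policy = cert.get("policy", {})
    findings = []
    if not policy.get("keyProperties", {}).get("exportable", False):
        findings.append("keyProperties.exportable is false: the private key can never leave the vault")
    content_type = policy.get("secretProperties", {}).get("contentType")
    if content_type != PKCS12:
        findings.append(f"secretProperties.contentType is {content_type!r}, expected {PKCS12!r}")
    return findings


def cer_to_pem(cer_b64):
    """Wrap the base64 DER from the 'cer' field as a PEM certificate (public part only)."""
    der = base64.b64decode(cer_b64)  # also validates the base64 encoding
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    cert = json.loads(SAMPLE_CERT_JSON)
    for line in check_pfx_policy(cert) or ["policy OK for PFX download"]:
        print(line)
    print(cer_to_pem(cert["cer"]))
```

Because Key Vault stores the PFX as the certificate's backing secret, the identity that downloads it also needs secret Get permission, which the answer's access_policy grants and the question's does not.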