I am trying to assign a "User Assigned Identity" to my Azure Application Gateway so that the Application Gateway can read an SSL certificate from a specific Azure Key Vault. I am following this link --> https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/application_gateway
In the Identity section, it says the block needs to look like this:
```hcl
identity {
  type         = "UserAssigned"
  identity_ids = [User Assigned Identities that need to be assigned to the App Gw ]
}
```
The Terraform code block is given below:
```hcl
# App GW user identity
resource "azurerm_user_assigned_identity" "app-gw-identity" {
  location            = module.resourcegroup.resource_group.location
  name                = format("app-gw-id-%s", var.project.environment.name)
  resource_group_name = module.resourcegroup.resource_group.name
}

# Add the user-assigned identity to my designated AAD group; this group has already
# been assigned the Certificate Administrator role on the Azure KV that stores the SSL certificate
resource "azuread_group_member" "mygrpmember" {
  group_object_id  = data.azuread_group.cloud_developer_group.id
  member_object_id = azurerm_user_assigned_identity.app-gw-identity.principal_id
}
```
Azure Application Gateway:

```hcl
resource "azurerm_application_gateway" "application_gateway" {
  name                = module.names-default.location.application_gateway.name_unique
  resource_group_name = module.resourcegroup.resource_group.name
  location            = module.resourcegroup.resource_group.location
  enable_http2        = true

  sku {
    name = "WAF_v2"
    tier = "WAF_v2"
  }

  waf_configuration {
    enabled          = true
    firewall_mode    = "Prevention"
    rule_set_type    = "OWASP"
    rule_set_version = "3.2"
  }

  autoscale_configuration {
    min_capacity = 1
    max_capacity = 5
  }

  gateway_ip_configuration {
    name      = "waf-ipconfig"
    subnet_id = module.virtualnetwork["centralus"].virtual_network.subnets["waf"].id
  }

  # HTTPS port used for customer traffic
  frontend_port {
    name = "front-http"
    port = 443
  }

  frontend_ip_configuration {
    name                 = "feip-config"
    public_ip_address_id = azurerm_public_ip.waf-pub-ip.id
  }

  dynamic "ssl_certificate" {
    for_each = local.app_gateway.ssl_certificate
    content {
      name = ssl_certificate.value.name
      data = ssl_certificate.value.data
    }
  }

  dynamic "backend_address_pool" {
    for_each = local.app_gateway.backend_address_pools
    content {
      name  = backend_address_pool.value.name
      fqdns = [format("%s.azurewebsites.net", backend_address_pool.value.app_service_name)]
    }
  }

  dynamic "backend_http_settings" {
    for_each = local.app_gateway.backend_http_settings
    content {
      name                                = backend_http_settings.value.name
      path                                = backend_http_settings.value.path
      protocol                            = backend_http_settings.value.protocol
      port                                = backend_http_settings.value.port
      cookie_based_affinity               = backend_http_settings.value.cookie_based_affinity
      request_timeout                     = backend_http_settings.value.request_timeout
      probe_name                          = backend_http_settings.value.probe_name
      host_name                           = backend_http_settings.value.host_name
      pick_host_name_from_backend_address = false
    }
  }

  dynamic "http_listener" {
    for_each = local.app_gateway.http_listener
    content {
      name                           = http_listener.value.name
      frontend_ip_configuration_name = http_listener.value.frontend_ip_configuration_name
      frontend_port_name             = http_listener.value.frontend_port_name
      protocol                       = http_listener.value.protocol
      host_name                      = http_listener.value.host_name
      ssl_certificate_name           = http_listener.value.ssl_certificate_name
    }
  }

  # Routing rule used to redirect customer traffic to the backend
  dynamic "request_routing_rule" {
    for_each = local.app_gateway.request_routing_rule
    content {
      name                        = request_routing_rule.value.name
      rule_type                   = request_routing_rule.value.rule_type
      http_listener_name          = request_routing_rule.value.listener_name
      url_path_map_name           = lookup(request_routing_rule.value, "url_path_map_name", null)
      redirect_configuration_name = lookup(request_routing_rule.value, "redirect_configuration_name", null)
    }
  }

  dynamic "redirect_configuration" {
    for_each = local.app_gateway.redirect_configuration
    content {
      name                 = redirect_configuration.value.name
      redirect_type        = redirect_configuration.value.redirect_type
      target_listener_name = redirect_configuration.value.target_listener_name
      include_path         = redirect_configuration.value.include_path
      include_query_string = redirect_configuration.value.include_query_string
    }
  }

  dynamic "url_path_map" {
    for_each = local.app_gateway.url_path_map
    content {
      name                               = url_path_map.value.name
      default_backend_address_pool_name  = url_path_map.value.default_backend_address_pool_name
      default_backend_http_settings_name = url_path_map.value.default_backend_http_settings_name
      dynamic "path_rule" {
        for_each = url_path_map.value.path_rules
        content {
          name                       = path_rule.value.name
          paths                      = path_rule.value.paths
          backend_address_pool_name  = path_rule.value.backend_address_pool_name
          backend_http_settings_name = path_rule.value.backend_http_settings_name
          firewall_policy_id         = path_rule.value.firewall_policy_id
        }
      }
    }
  }

  dynamic "probe" {
    for_each = local.app_gateway.probes
    content {
      name                = probe.value.name
      host                = probe.value.host
      path                = probe.value.path
      protocol            = probe.value.protocol
      interval            = probe.value.interval
      timeout             = probe.value.timeout
      unhealthy_threshold = probe.value.unhealthy_threshold
      match {
        status_code = probe.value.status_code
      }
    }
  }

  identity {
    type         = "UserAssigned"
    identity_ids = ["azurerm_user_assigned_identity.app-gw-identity.principal_id"]
  }

  tags = local.tags
}
```
But when I run Terraform plan, it throws the following error:
```text
│ Error: parsing "azurerm_user_assigned_identity.app-gw-identity.principal_id": expected 8 segments within the Resource ID but got 1 for "azurerm_user_assigned_identity.app-gw-identity.principal_id"
│
│ with azurerm_application_gateway.application_gateway,
│ on resources.appgw.tf line 577, in resource "azurerm_application_gateway" "application_gateway":
│ 577: identity_ids = ["azurerm_user_assigned_identity.app-gw-identity.principal_id"]
│
```
I am not sure what the problem is here, because the outputs of the "user_assigned_identity" I am creating can be -- id, client_id, principal_id or tenant_id.
So initially I tried "id" and it failed. When I tried "principal_id" in the identity block, it still throws this error.
1 answer
I checked with the code below: `identity_ids = [azurerm_user_assigned_identity.app-gw-identity.principal_id]`.
It gave the error below.
Verification:
It must be the object id of the user assigned identity.
Verification:
This operation executed successfully.
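For reference, here is the identity wiring as the azurerm provider actually expects it, added here as an example and not taken from the question or the answer. `identity_ids` takes the identity's Azure resource ID (the `.id` attribute, an eight-segment `/subscriptions/.../userAssignedIdentities/<name>` path), which is why a `principal_id` GUID or a quoted string fails with "expected 8 segments ... but got 1". The example also shows the certificate being pulled from Key Vault through that identity; the names `azurerm_key_vault.certs` and `azurerm_key_vault_certificate.app_cert` are assumed, and the role assignment is a direct alternative to the AAD group membership in the question.

```hcl
# Added example (not from the question or answer). Assumed resources:
# azurerm_key_vault.certs, azurerm_key_vault_certificate.app_cert; the identity
# azurerm_user_assigned_identity.app-gw-identity is the one from the question.

# Grant the gateway identity read access to the certificate's secret. For an
# RBAC-enabled vault the built-in "Key Vault Secrets User" role is sufficient;
# an access-policy vault needs "get" on secrets for the identity instead.
resource "azurerm_role_assignment" "appgw_kv_secrets_user" {
  scope                = azurerm_key_vault.certs.id
  role_definition_name = "Key Vault Secrets User"
  principal_id         = azurerm_user_assigned_identity.app-gw-identity.principal_id
}

resource "azurerm_application_gateway" "application_gateway" {
  # ... sku, waf_configuration, gateway_ip_configuration, frontend_port,
  # listeners, routing rules and probes stay exactly as in the question ...

  # identity_ids wants the resource ID (.id), not principal_id (a GUID with one
  # "segment") and not a quoted string (a literal, which is parsed as-is).
  identity {
    type         = "UserAssigned"
    identity_ids = [azurerm_user_assigned_identity.app-gw-identity.id]
  }

  # Reference the certificate in Key Vault instead of embedding PFX bytes via
  # "data". secret_id pins the current version; versionless_secret_id would let
  # the gateway pick up rotated versions on its own.
  ssl_certificate {
    name                = "app-cert"
    key_vault_secret_id = azurerm_key_vault_certificate.app_cert.secret_id
  }

  # The gateway fetches the certificate during creation, so the role assignment
  # must be in place first; Terraform cannot infer that ordering by itself.
  depends_on = [azurerm_role_assignment.appgw_kv_secrets_user]
}
```

With this in place the `azuread_group_member` resource from the question is no longer required for certificate access, and the identity holds only the permission the gateway needs.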