azure - 来自 Azure Key Vault 的个人访问 token

标签 azure terraform azure-rm

我正在使用 Azure keyvault 来管理我在部署管道中使用的一些 secret 。除了来自 Azure DevOps 的个人访问 token 之外,所有 secret 均有效。我正在使用个人访问 token 在虚拟机上安装 ADO 代理

# Look up the existing vault that holds the pipeline secrets.
data "azurerm_key_vault" "keyvault" {
  resource_group_name = "keyault-RG"
  name                = "keyvault"
}

# Read the Azure DevOps PAT stored as the "ADOPAT" secret.
# The identity running Terraform must be allowed to read secrets in this vault.
data "azurerm_key_vault_secret" "pat" {
  key_vault_id = data.azurerm_key_vault.keyvault.id
  name         = "ADOPAT"
}

例如,在我的虚拟机模块中,我有这样的内容:

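# Installs the Azure DevOps deployment-group agent on each VM in var.VMs.
resource "azurerm_virtual_machine_extension" "ado" {
  count                      = length(var.VMs)
  name                       = "${element(var.VMs, count.index)}-TeamServicesAgent"
  virtual_machine_id         = azurerm_virtual_machine.VMs[count.index].id
  publisher                  = "Microsoft.VisualStudio.Services"
  type                       = "TeamServicesAgent"
  type_handler_version       = "1.0"
  auto_upgrade_minor_version = true

  # Non-secret agent configuration. jsonencode() emits valid JSON and escapes
  # the interpolated values, which a hand-written heredoc does not.
  settings = jsonencode({
    VSTSAccountName = "orgname"
    TeamProject     = var.ado_project
    DeploymentGroup = var.deployment_group
  })

  # The PAT goes in protected_settings: that payload is encrypted by the
  # platform and is not exposed in the extension's readable configuration,
  # whereas `settings` is stored and shown in plain text.
  protected_settings = jsonencode({
    PATToken = data.azurerm_key_vault_secret.pat.value
  })

  tags = var.tags
}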

当我将 PAT 定义为变量时,一切正常。仅当我实现 key 保管库时,扩展程序才无法配置。我不想将 PAT 定义为变量,因为这样我就会在代码中将 PAT 作为明文。我在网上没有看到很多使用 ado 代理扩展的示例,但是有人知道可能导致该问题的原因吗?

我尝试将 data.azurerm_key_vault_secret.pat.value 设置为本地变量,但出现同样的问题。当我将 PAT 定义为变量时,不会出现此问题。

最佳答案

如果扩展未安装,请在 azurerm_virtual_machine_extension block 中添加 depends_on = [azurerm_virtual_machine.example] 参数,因为该扩展依赖于 VM 的创建。

注意: 确保在 keyvault block 中为访问该 secret 的身份授予了适当的权限

我尝试了以下代码:

# Vault used by the sample. The access policy below gives the identity running
# Terraform broad rights on certificates, keys and secrets; trim it to what the
# pipeline actually needs (reading the PAT only requires Get/List on secrets).
resource "azurerm_key_vault" "example" {
  name                = "kasaraexmplkeyvault"
  sku_name            = "standard"
  location            = data.azurerm_resource_group.example.location
  resource_group_name = data.azurerm_resource_group.example.name
  tenant_id           = data.azurerm_client_config.current.tenant_id

  enabled_for_disk_encryption = true
  soft_delete_retention_days  = 7
  purge_protection_enabled    = false

  access_policy {
    tenant_id = data.azurerm_client_config.current.tenant_id
    object_id = data.azurerm_client_config.current.object_id

    certificate_permissions = [
      "Create", "Delete", "DeleteIssuers", "Get", "GetIssuers", "Import", "List",
      "ListIssuers", "ManageContacts", "ManageIssuers", "Purge", "SetIssuers", "Update",
    ]

    key_permissions = [
      "Backup", "Create", "Decrypt", "Delete", "Encrypt", "Get", "Import", "List",
      "Purge", "Recover", "Restore", "Sign", "UnwrapKey", "Update", "Verify", "WrapKey",
    ]

    secret_permissions = [
      "Backup", "Delete", "Get", "List", "Purge", "Recover", "Restore", "Set",
    ]

    storage_permissions = ["Get", "Set"]
  }
}




# Sample secret. The literal value is a constructed placeholder; a real PAT
# should not be committed to source — pass it in through a variable marked
# `sensitive = true`, or create the secret outside Terraform and read it with
# a data source. Either way the value still ends up in Terraform state.
resource "azurerm_key_vault_secret" "pat" {
  key_vault_id = azurerm_key_vault.example.id
  name         = "patvalue"
  value        = "gsdnjgsgjh3.3jgjshgfdj"
}

# Network for the sample VM.
resource "azurerm_virtual_network" "example" {
  name                = "acctvnkav"
  location            = data.azurerm_resource_group.example.location
  resource_group_name = data.azurerm_resource_group.example.name
  address_space       = ["10.0.0.0/16"]
}

# Single subnet inside the sample network.
resource "azurerm_subnet" "example" {
  name                 = "acctsubkav"
  virtual_network_name = azurerm_virtual_network.example.name
  resource_group_name  = data.azurerm_resource_group.example.name
  address_prefixes     = ["10.0.2.0/24"]
}

# NIC attached to the sample subnet; no public IP is configured here.
resource "azurerm_network_interface" "example" {
  name                = "acctnickav"
  resource_group_name = data.azurerm_resource_group.example.name
  location            = data.azurerm_resource_group.example.location

  ip_configuration {
    name                          = "testconfiguration1"
    private_ip_address_allocation = "Dynamic"
    subnet_id                     = azurerm_subnet.example.id
  }
}

# Storage account; only referenced by the (commented-out) unmanaged OS disk.
resource "azurerm_storage_account" "examplen" {
  name                     = "kasaraaccsa"
  location                 = data.azurerm_resource_group.example.location
  resource_group_name      = data.azurerm_resource_group.example.name
  account_replication_type = "LRS"
  account_tier             = "Standard"

  tags = {
    environment = "staging"
  }
}

# Private blob container for VHDs.
resource "azurerm_storage_container" "example" {
  name                  = "vhdskav"
  container_access_type = "private"
  storage_account_name  = azurerm_storage_account.examplen.name
}

# Sample Linux VM the agent extension is installed on.
resource "azurerm_virtual_machine" "example" {
  name                  = "acctvmkav"
  location              = data.azurerm_resource_group.example.location
  resource_group_name   = data.azurerm_resource_group.example.name
  vm_size               = "Standard_F2"
  network_interface_ids = [azurerm_network_interface.example.id]

  storage_image_reference {
    publisher = "Canonical"
    offer     = "UbuntuServer"
    sku       = "16.04-LTS"
    version   = "latest"
  }

  # OS disk created from the image; the unmanaged vhd_uri form is kept as a
  # comment for reference only.
  storage_os_disk {
    name          = "myosdisk1"
    create_option = "FromImage"
    caching       = "ReadWrite"
    # vhd_uri = "${azurerm_storage_account.examplen.primary_blob_endpoint}${azurerm_storage_container.example.name}/myosdisk1.vhd"
  }

  # Sample credentials only: a hard-coded admin password with password
  # authentication enabled is not suitable outside a throwaway test.
  os_profile {
    computer_name  = "hostname"
    admin_username = "testadmin"
    admin_password = "Password1234!"
  }

  os_profile_linux_config {
    disable_password_authentication = false
  }

  tags = {
    environment = "staging"
  }
}

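# Installs the Azure DevOps deployment-group agent on the sample VM.
resource "azurerm_virtual_machine_extension" "example" {
  name                       = "hostname"
  virtual_machine_id         = azurerm_virtual_machine.example.id
  publisher                  = "Microsoft.VisualStudio.Services"
  type                       = "TeamServicesAgent"
  type_handler_version       = "1.0"
  auto_upgrade_minor_version = true
  # publisher            = "Microsoft.Azure.Extensions"
  # type                 = "CustomScript"
  # type_handler_version = "2.0"

  # Non-secret agent configuration, emitted as proper JSON.
  settings = jsonencode({
    VSTSAccountName = "orgname"
    TeamProject     = "someproject"
    DeploymentGroup = "somegroup"
  })

  # The PAT belongs in protected_settings, which the platform encrypts and
  # does not expose in the extension's readable configuration; `settings`
  # is stored in plain text.
  protected_settings = jsonencode({
    PATToken = azurerm_key_vault_secret.pat.value
  })

  tags = {
    environment = "Production"
  }

  # virtual_machine_id already implies this ordering; the explicit depends_on
  # from the original answer is kept and is harmless.
  depends_on = [azurerm_virtual_machine.example]
}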

authenticating_using_the_personal_access_token | terraform registry


  • 从 key 保管库读取 PAT 可能还需要额外的步骤。 PAT-Azure Devops | Microsoft Learn

  • 尝试在 Azure Active Directory 中创建新的 Azure AD 应用程序。

在 Azure Key Vault 的访问策略中向该应用程序分配“Key Vault secret 用户”角色。

  • 为 Azure AD 应用程序生成新的客户端 key 。

  • 授予此应用程序从 Key Vault 读取 secret 的必要权限。

使用 Azure CLI 设置 PAT 的环境变量:

AZURE_TENANT_ID: "" ,AZURE_CLIENT_ID:"", AZURE_CLIENT_SECRET: "",
KEYVAULT_NAME: "",SECRET_NAME: "".

在 Terraform 代码中,使用“azurerm_key_vault_secret”数据源从 key 保管库检索 PAT:

    # Fetch the PAT from the vault and secret named by the caller's variables.
    data "azurerm_key_vault_secret" "ado_pat" {
      key_vault_id = var.key_vault_id
      name         = var.secret_name
    }

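# Installs a self-hosted agent by running the agent's config.sh on the VM.
resource "azurerm_virtual_machine_extension" "ado_agent" {
  name                 = "ado_agent_installation"
  virtual_machine_id   = azurerm_virtual_machine.vm.id
  # NOTE(review): the command below is a Linux shell line (wget/tar/./config.sh),
  # while Microsoft.Compute/CustomScriptExtension is the Windows handler; confirm
  # the publisher/type match the VM's OS before use.
  publisher            = "Microsoft.Compute"
  type                 = "CustomScriptExtension"
  type_handler_version = "1.9"

  # commandToExecute carries the PAT, so the whole command goes in
  # protected_settings rather than settings: protected_settings is encrypted
  # by the platform and not shown in the extension's readable configuration.
  # The token is still passed as a process argument on the VM, so it is
  # briefly visible in the process list while config.sh runs.
  # jsonencode() escapes the interpolated token correctly.
  protected_settings = jsonencode({
    commandToExecute = "wget https://vs......tar.gz -P /tmp/ && cd /tmp && tar zxvf ........tar.gz && ./config.sh --unattended --url https://dev.azure.com/your-organization --auth pat --token ${data.azurerm_key_vault_secret.ado_pat.value} --pool your-pool --agent your-agent-name .."
  })
}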

扩展:


另请检查Automate Azure DevOps self-hosted agent installation using Terraform - DEV Community

关于azure - 来自 Azure Key Vault 的个人访问 token ,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/75828559/
