I am trying to use the Azure AzApi provider to update the rotation policy of an Azure Key Vault key. Both the "Azure AzApi provider" and "Key rotation policy" are very new features, released last week.
I get no errors, but the attributes are not updated.
The code is very simple:
My code:
data "azurerm_key_vault" "this" {
  name                = "kv33eerr"
  resource_group_name = "test"
}

resource "time_offset" "expiration_days" {
  offset_days = 364
}

resource "azurerm_key_vault_key" "generated" {
  name            = "testkey01"
  key_vault_id    = data.azurerm_key_vault.this.id
  key_type        = "RSA"
  key_size        = 2048
  expiration_date = time_offset.expiration_days.rfc3339
  key_opts = [
    "decrypt",
    "encrypt",
    "sign",
    "unwrapKey",
    "verify",
    "wrapKey",
  ]
}

resource "azapi_update_resource" "rotaion" {
  type      = "Microsoft.KeyVault/vaults/keys@2021-10-01"
  parent_id = data.azurerm_key_vault.this.id
  name      = azurerm_key_vault_key.generated.name
  body = jsonencode(
    {
      properties = {
        lifetimeactions = [
          {
            action           = "rotate"
            timeaftercreate  = "p545d"
            timebeforeexpiry = null
          },
          {
            action           = "notify"
            timeaftercreate  = null
            timebeforeexpiry = "p20d"
          }
        ],
        expiresin = "p2y"
      }
    }
  )
  depends_on = [
    azurerm_key_vault_key.generated
  ]
}
Terraform apply:
Terraform will perform the following actions:

  # azapi_update_resource.rotaion will be updated in-place
  ~ resource "azapi_update_resource" "rotaion" {
      ~ body      = jsonencode(
          ~ {
              ~ properties = {
                  + expiresin       = "p2y"
                  + lifetimeactions = [
                      + {
                          + action           = "rotate"
                          + timeaftercreate  = "p545d"
                          + timebeforeexpiry = null
                        },
                      + {
                          + action           = "notify"
                          + timeaftercreate  = null
                          + timebeforeexpiry = "p30d"
                        },
                    ]
                }
            }
        )
        id        = "/subscriptions/32055728-56f6-46dd-8fd1-3f50d4ae69a5/resourceGroups/test/providers/Microsoft.KeyVault/vaults/kv33eerr/keys/testkey01"
        name      = "testkey01"
      ~ output    = jsonencode({}) -> (known after apply)
        # (5 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

azapi_update_resource.rotaion: Modifying... [id=/subscriptions/32055728-56f6-46dd-8fd1-3f50d4ae69a5/resourceGroups/test/providers/Microsoft.KeyVault/vaults/kv33eerr/keys/testkey01]
azapi_update_resource.rotaion: Modifications complete after 3s [id=/subscriptions/3205xxxx-56f6-46dd-8fd1-3f50d4ae69a5/resourceGroups/test/providers/Microsoft.KeyVault/vaults/kv33eerr/keys/testkey01]

Apply complete! Resources: 0 added, 1 changed, 0 destroyed.
Key rotation policy:
az keyvault key rotation-policy show -n testkey01 --vault-name kv33eerr
{
  "createdOn": null,
  "expiresIn": null,
  "id": null,
  "lifetimeActions": [
    {
      "action": "Notify",
      "timeAfterCreate": null,
      "timeBeforeExpiry": "P30D"
    }
  ],
  "updatedOn": null
}
The payload is not accurate. I strongly recommend installing the AzApi VSCode extension; it provides rich authoring features that help you use the AzApi provider: https://marketplace.visualstudio.com/items?itemName=azapi-vscode.azapi
resource "azapi_update_resource" "test" {
  type      = "Microsoft.KeyVault/vaults/keys@2021-11-01-preview"
  name      = azurerm_key_vault_key.generated.name
  parent_id = azurerm_key_vault_key.generated.key_vault_id
  body = jsonencode({
    properties = {
      rotationPolicy = {
        lifetimeActions = [
          {
            action = {
              type = "Rotate"
            }
            trigger = {
              timeAfterCreate  = "P20D"
              timeBeforeExpiry = null
            }
          },
          {
            action = {
              type = "Notify"
            }
            trigger = {
              timeAfterCreate  = null
              timeBeforeExpiry = "P20D"
            }
          }
        ],
        attributes = {
          expiryTime = "P2Y"
        }
      }
    }
  })
}
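As an added check that is not part of the question or the answer: a small Python validator that rejects the flat, lowercase payload from the question and accepts the nested shape from the answer, so a wrong body is caught before `terraform apply` reports success while the API silently drops the unknown keys. The simplified ISO 8601 duration regex, the rule that each lifetime action carries exactly one trigger, and both sample bodies are assumptions constructed here.

```python
import json
import re

# Simplified ISO 8601 duration as Key Vault expects it ("P2Y", "P20D"); a lowercase "p2y" fails.
_ISO_DURATION = re.compile(r"^P(?=\d)(?:\d+Y)?(?:\d+M)?(?:\d+W)?(?:\d+D)?$")

# Constructed from the question: flat, lowercase keys outside rotationPolicy, which the API ignored.
ASKER_BODY = {"properties": {"expiresin": "p2y", "lifetimeactions": [
    {"action": "rotate", "timeaftercreate": "p545d", "timebeforeexpiry": None},
    {"action": "notify", "timeaftercreate": None, "timebeforeexpiry": "p20d"}]}}

# Constructed from the answer: the nested shape Microsoft.KeyVault/vaults/keys expects.
ANSWER_BODY = {"properties": {"rotationPolicy": {"lifetimeActions": [
    {"action": {"type": "Rotate"}, "trigger": {"timeAfterCreate": "P20D", "timeBeforeExpiry": None}},
    {"action": {"type": "Notify"}, "trigger": {"timeAfterCreate": None, "timeBeforeExpiry": "P20D"}}],
    "attributes": {"expiryTime": "P2Y"}}}}


def check_rotation_policy_body(body):
    """Return a list of problems found in an azapi body (dict or JSON string); empty means OK."""
    if isinstance(body, str):
        body = json.loads(body)
    problems = []
    props = body.get("properties", {})
    policy = props.get("rotationPolicy")
    if policy is None:
        # Keys outside properties.rotationPolicy are not part of the key schema and are dropped silently.
        stray = sorted(k for k in props if k != "rotationPolicy")
        problems.append(f"missing properties.rotationPolicy (ignored keys: {stray})")
        return problems
    expiry = policy.get("attributes", {}).get("expiryTime")
    if expiry is None or not _ISO_DURATION.match(expiry):
        problems.append(f"attributes.expiryTime must be an ISO 8601 duration, got {expiry!r}")
    has_rotate = False
    for i, item in enumerate(policy.get("lifetimeActions", [])):
        kind = item.get("action", {}).get("type")
        trigger = item.get("trigger", {})
        if str(kind).lower() not in ("rotate", "notify"):
            problems.append(f"lifetimeActions[{i}].action.type must be Rotate or Notify, got {kind!r}")
        # Assumption: each action is driven by exactly one of the two trigger fields.
        set_triggers = [v for v in (trigger.get("timeAfterCreate"), trigger.get("timeBeforeExpiry")) if v]
        if len(set_triggers) != 1 or not _ISO_DURATION.match(set_triggers[0]):
            problems.append(f"lifetimeActions[{i}].trigger needs exactly one ISO 8601 duration")
        has_rotate = has_rotate or str(kind).lower() == "rotate"
    if not has_rotate:
        problems.append("no Rotate action: the key will only notify, never rotate")
    return problems


if __name__ == "__main__":
    for label, body in (("asker", ASKER_BODY), ("answer", ANSWER_BODY)):
        print(label, check_rotation_policy_body(body) or "OK")
```

Run it against the `jsonencode` body from a plan (for example by pasting it into the script) before applying; a non-empty list means the API will accept the request but not the policy you intended.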