Terraform bind SSL Certificate to Azure WebApp

I have recently been trying to bind a domain and an SSL certificate to a web app using Terraform in Azure.

I have had no luck doing this; the documentation is a bit confusing / unclear about what actually happens.

The error I get when running a plan is:

Error: parsing "/subscriptions/<SUB-ID>/resourceGroups/Testing_Prod_KeyVault_JC/providers/Microsoft.KeyVault/vaults/secrets-testingprodjc": KeyVault Nested Item should contain 2 or 3 segments, got 8 from "subscriptions/<SUB-ID>/resourceGroups/Testing_Prod_KeyVault_JC/providers/Microsoft.KeyVault/vaults/secrets-testingprodjc"

I would like to know whether anyone has managed to do this so far?

Here is my certificate and domain binding code:

//First Read the External Key Vault
data "azurerm_key_vault" "production_keyvault" {
  name                = "secrets-testingprodjc"
  resource_group_name = "Testing_Prod_KeyVault_JC"
}

// Now Read the Certificate
data "azurerm_key_vault_certificate" "prod_certificate" {
  name         = "testing-certificate-for-cic"
  key_vault_id = data.azurerm_key_vault.production_keyvault.id
}

// Now bind the webapp to the domain and look for certificate. 
resource "azurerm_app_service_custom_hostname_binding" "website_app_hostname_bind" {
  hostname            = "portal-staging-westeurope.jasoncontenttestingdomain.com"
  app_service_name    = azurerm_app_service.website_app.name
  resource_group_name = azurerm_resource_group.Terraform.name
  ssl_state = "SniEnabled"
  thumbprint = azurerm_app_service_certificate.cert.thumbprint
}

/* // Following block NOT BEING USED
resource "azurerm_app_service_certificate_binding" "bind_certificate_to_webapp" {
  hostname_binding_id = azurerm_app_service_custom_hostname_binding.website_app_hostname_bind.id
  ssl_state           = "SniEnabled"
  thumbprint = azurerm_app_service_certificate.cert.thumbprint 
}
*/

// Get Certificate from External KeyVault
resource "azurerm_app_service_certificate" "cert" {
  name                = "testing-certificate-for-cic"
  resource_group_name = azurerm_resource_group.Terraform.name
  location            = azurerm_resource_group.Terraform.location 
  key_vault_secret_id = data.azurerm_key_vault.production_keyvault.id
}

I am just doing this with my logged-in user account for now, not a service principal; I know about the service principal part, but for now I am only testing this. My logged-in account does have full access to the external Key Vault.

To manage App Service certificate bindings with Terraform, see this link

To manage hostname bindings in App Service with Terraform, see this link

You can try this:

    // First Read the External Key Vault
    data "azurerm_key_vault" "production_keyvault" {
      name                = "secrets-testingprodjc"
      resource_group_name = "Testing_Prod_KeyVault_JC"
    }
    
    // Now Read the Certificate
    data "azurerm_key_vault_certificate" "prod_certificate" {
      name         = "testing-certificate-for-cic"
      key_vault_id = data.azurerm_key_vault.production_keyvault.id
    }
    
    // Get Certificate from External KeyVault.
    // key_vault_secret_id expects the certificate's secret URL
    // (https://<vault>.vault.azure.net/secrets/<name>[/<version>]), which is
    // what the azurerm_key_vault_certificate data source exposes as secret_id.
    // Passing the vault's ARM resource id here is what produces the
    // "KeyVault Nested Item should contain 2 or 3 segments" error.
    resource "azurerm_app_service_certificate" "cert" {
      name                = "testing-certificate-for-cic"
      resource_group_name = azurerm_resource_group.Terraform.name
      location            = azurerm_resource_group.Terraform.location
      key_vault_secret_id = data.azurerm_key_vault_certificate.prod_certificate.secret_id
    }
    
    // Now bind the webapp to the domain. 
    resource "azurerm_app_service_custom_hostname_binding" "website_app_hostname_bind" {
      hostname            = "portal-staging-westeurope.jasoncontenttestingdomain.com"
      app_service_name    = azurerm_app_service.website_app.name
      resource_group_name = azurerm_resource_group.Terraform.name
    }
    
    // Now bind certificate to the webapp. 
    resource "azurerm_app_service_certificate_binding" "bind_certificate_to_webapp" {
      hostname_binding_id = azurerm_app_service_custom_hostname_binding.website_app_hostname_bind.id
      ssl_state           = "SniEnabled"
      certificate_id      = azurerm_app_service_certificate.cert.id
    }

I worked this out myself the other day with the code below. I found the answer in HashiCorp's GitHub repo, but I cannot find the link now. It has to do with the azurerm_app_service_certificate resource: it does not work if you use the key_vault_secret_id part, you need to use pfx_blob.

Here is the code for anyone's reference:

//First Read the External Key Vault
data "azurerm_key_vault" "production_keyvault" {
  name                = "testingkeyvault2022"
  resource_group_name = "KeyVaultWestEuropeBackend"
}

// Now Read the Certificate
data "azurerm_key_vault_secret" "prod_certificate" {
  name         = "testcert"
  key_vault_id = data.azurerm_key_vault.production_keyvault.id
}

// Now bind the webapp to the domain and look for certificate. 
resource "azurerm_app_service_custom_hostname_binding" "website_app_hostname_bind" { //Website App
  depends_on = [
    azurerm_app_service_certificate.cert,
  ]
  hostname            = var.websiteurlbind
  app_service_name    = data.azurerm_app_service.read_website_app.name
  resource_group_name = data.azurerm_resource_group.Terraform.name
  ssl_state           = "SniEnabled"
  thumbprint          = azurerm_app_service_certificate.cert.thumbprint
}


// Get Certificate from External KeyVault
resource "azurerm_app_service_certificate" "cert" {
  name                = "testingcert"
  resource_group_name = data.azurerm_resource_group.Terraform.name
  location            = data.azurerm_resource_group.Terraform.location
  pfx_blob            = data.azurerm_key_vault_secret.prod_certificate.value
}

I also noticed in testing that you must make the certificate resource a dependency of the binding. It is in my code above, but for clarity here is that piece:

depends_on = [
  azurerm_app_service_certificate.cert,
]
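As an added example (not code from either answer above), here is the Key Vault reference route that the first answer was aiming for, with the two pieces that make it work in practice: the `secret_id` attribute of the `azurerm_key_vault_certificate` data source, which is the 2- or 3-segment nested item URL the provider's error message asks for rather than the vault's ARM id, and a Key Vault access policy for the App Service resource provider, which imports the certificate under its own identity and not the caller's. Compared with the `pfx_blob` route in the second answer, this keeps the PFX bytes, private key included, out of the Terraform state file and plan output; with `pfx_blob` the whole PFX is read by Terraform and persisted in state. Vault, certificate, resource group and hostname names are placeholders; `azurerm_resource_group.Terraform` and `azurerm_app_service.website_app` are assumed to exist as in the question, and the service principal lookup assumes the `azuread` provider is configured.

```hcl
# Added example, not from the question or either answer.
# Assumes azurerm and azuread providers are configured and that the
# identity running Terraform can read the vault. All names are placeholders.

data "azurerm_client_config" "current" {}

data "azurerm_key_vault" "production_keyvault" {
  name                = "example-vault"    # placeholder
  resource_group_name = "example-vault-rg" # placeholder
}

data "azurerm_key_vault_certificate" "prod_certificate" {
  name         = "example-certificate" # placeholder
  key_vault_id = data.azurerm_key_vault.production_keyvault.id
}

# App Service pulls the certificate from Key Vault with its own first-party
# identity ("Microsoft Azure App Service"), so that principal, not the user or
# service principal running terraform, needs Get on secrets and certificates.
data "azuread_service_principal" "app_service" {
  display_name = "Microsoft Azure App Service"
}

resource "azurerm_key_vault_access_policy" "app_service_read" {
  key_vault_id = data.azurerm_key_vault.production_keyvault.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = data.azuread_service_principal.app_service.object_id

  secret_permissions      = ["Get"]
  certificate_permissions = ["Get"]
}

# key_vault_secret_id takes the certificate's secret URL
# (https://<vault>.vault.azure.net/secrets/<name>[/<version>]): a 2- or
# 3-segment nested item, which is what the error in the question refers to.
# The PFX never passes through Terraform, so it is not written to state.
resource "azurerm_app_service_certificate" "cert" {
  name                = "example-certificate" # placeholder
  resource_group_name = azurerm_resource_group.Terraform.name
  location            = azurerm_resource_group.Terraform.location
  key_vault_secret_id = data.azurerm_key_vault_certificate.prod_certificate.secret_id

  # Import fails with an authorization error if the policy is not in place yet.
  depends_on = [azurerm_key_vault_access_policy.app_service_read]
}

resource "azurerm_app_service_custom_hostname_binding" "website_app_hostname_bind" {
  hostname            = "portal.example.com" # placeholder
  app_service_name    = azurerm_app_service.website_app.name
  resource_group_name = azurerm_resource_group.Terraform.name
}

# Separate binding resource: the hostname binding no longer needs ssl_state
# or thumbprint itself, and the certificate is referenced by id.
resource "azurerm_app_service_certificate_binding" "bind_certificate_to_webapp" {
  hostname_binding_id = azurerm_app_service_custom_hostname_binding.website_app_hostname_bind.id
  certificate_id      = azurerm_app_service_certificate.cert.id
  ssl_state           = "SniEnabled"
}
```

If the vault uses Azure RBAC rather than access policies, replace the `azurerm_key_vault_access_policy` resource with an `azurerm_role_assignment` granting the same service principal a secrets-reading role on the vault; the `key_vault_secret_id` reference and the dependency stay the same. Using the versioned `secret_id` means a renewed certificate in Key Vault shows up as a change in the next plan, which is usually what you want for a TLS certificate.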