Azure Functions で staging スロットと production スロットをスワップしたら、関数のアクセスキーもスワップされてしまった。アクセスキーのスワップを防ぐには、例えば Key Vault にアクセスキーが保存されるように構成する必要があるみたい。知らなかった。
同じ Key Vault のコンテナを production と staging の両方で参照することで、スワップしてもアクセスキーが変わらないことを確認できた。以下、その構成で作成するための Terraform コード。
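resource "azurerm_resource_group" "example" {
  name     = "rg-example"
  location = "japaneast"
}

data "azurerm_client_config" "current" {}

# Key Vault that stores the function app's host/function keys.
# Production and the staging slot must both point at this same vault;
# that is what keeps the access keys stable across a slot swap.
resource "azurerm_key_vault" "example" {
  name                       = "kv-example"
  resource_group_name        = azurerm_resource_group.example.name
  location                   = azurerm_resource_group.example.location
  tenant_id                  = data.azurerm_client_config.current.tenant_id
  soft_delete_retention_days = 90
  sku_name                   = "standard"
}

# Storage account backing the function app.
resource "azurerm_storage_account" "example" {
  name                     = "stexample"
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
}

# Consumption (Y1) App Service plan for the function app.
resource "azurerm_service_plan" "example" {
  name                = "plan-example"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  os_type             = "Windows"
  sku_name            = "Y1"
}

locals {
  # App settings shared by production and the staging slot.
  # Defined once so the two slots cannot drift: if the slot pointed at a
  # different vault (or back at storage), the keys would diverge again on swap.
  function_app_settings = {
    "WEBSITE_RUN_FROM_PACKAGE"               = "1"
    "WEBSITE_USE_PLACEHOLDER_DOTNETISOLATED" = "1"
    # Keep host/function keys in Key Vault instead of the storage account
    "AzureWebJobsSecretStorageType"       = "keyvault"
    "AzureWebJobsSecretStorageKeyVaultUri" = azurerm_key_vault.example.vault_uri
  }

  # Secret permissions granted to each slot's managed identity.
  # This is the set the original configuration grants. It is wider than
  # read/write of the key secrets; NOTE(review): confirm against the
  # Azure Functions Key Vault secret-storage docs whether Recover/Backup/Restore
  # are needed for your workload and trim to least privilege if not.
  key_vault_secret_permissions = [
    "Get",
    "List",
    "Set",
    "Delete",
    "Recover",
    "Backup",
    "Restore",
  ]
}

# Function app whose keys should stay fixed across swaps.
resource "azurerm_windows_function_app" "example" {
  name                       = "func-example"
  resource_group_name        = azurerm_service_plan.example.resource_group_name
  location                   = azurerm_service_plan.example.location
  storage_account_name       = azurerm_storage_account.example.name
  storage_account_access_key = azurerm_storage_account.example.primary_access_key
  service_plan_id            = azurerm_service_plan.example.id

  site_config {
    application_stack {
      dotnet_version              = "v8.0"
      use_dotnet_isolated_runtime = true
    }
  }

  # System-assigned identity is what the access policy below is granted to.
  identity {
    type = "SystemAssigned"
  }

  app_settings = local.function_app_settings
}

# Deployment slot. Managed identities are not swapped with the slot, so the
# slot needs its own identity and its own Key Vault access policy.
resource "azurerm_windows_function_app_slot" "staging" {
  name                       = "staging"
  function_app_id            = azurerm_windows_function_app.example.id
  storage_account_name       = azurerm_storage_account.example.name
  storage_account_access_key = azurerm_storage_account.example.primary_access_key

  site_config {
    application_stack {
      dotnet_version              = "v8.0"
      use_dotnet_isolated_runtime = true
    }
  }

  identity {
    type = "SystemAssigned"
  }

  # Same settings as production, including the same vault URI.
  app_settings = local.function_app_settings
}

# Lets the production function app read and manage its keys in Key Vault.
resource "azurerm_key_vault_access_policy" "example" {
  key_vault_id       = azurerm_key_vault.example.id
  tenant_id          = azurerm_key_vault.example.tenant_id
  object_id          = azurerm_windows_function_app.example.identity[0].principal_id
  secret_permissions = local.key_vault_secret_permissions
}

# Same access for the staging slot's identity.
resource "azurerm_key_vault_access_policy" "staging" {
  key_vault_id       = azurerm_key_vault.example.id
  tenant_id          = azurerm_key_vault.example.tenant_id
  object_id          = azurerm_windows_function_app_slot.staging.identity[0].principal_id
  secret_permissions = local.key_vault_secret_permissions
}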