使用Azure Policy和Terraform模板进行标记,忽略标记

mnemlml8  于 2022-11-25  发布在  其他
关注(0)|答案(1)|浏览(126)

我正在努力实现以下目标:

  • 使用生命周期命令忽略Azure策略应用于资源的标记。
    背景我有一个将标记应用到资源组的平台模板,但同一模板中的资源没有应用标记。相反,我有一个强制从资源组继承标记的Azure策略。

当我对模板进行任何更改并运行terraform plan时,我得到了一个更改负载,它们将把标记从值更改为空。它只会给我的地形计划增加不必要的变动。

问题我已尝试使用lifecycle命令指示忽略更改并将值设置为标记,但似乎不起作用,计划仍显示标记将被删除.

下面是一个资源示例,该资源表示如果发生更改,则将删除标记。

示例代码

resource "azurerm_virtual_machine_extension" "ext_ade" {
   depends_on = [azurerm_virtual_machine_extension.ext_domain_join, azurerm_virtual_machine_extension.ext_dsc]
   count = var.session_hosts.quantity
    name = var.ext_ade.name  
    virtual_machine_id = azurerm_windows_virtual_machine.vm.*.id[count.index]
    publisher = "Microsoft.Azure.Security"
    type = "AzureDiskEncryption"
    type_handler_version = "2.2"
    auto_upgrade_minor_version = true

    settings = <<SETTINGS
    {
        "EncryptionOperation": "EnableEncryption",
        "KeyVaultURL": "${data.azurerm_key_vault.key_vault.vault_uri}",
        "KeyVaultResourceId": "${data.azurerm_key_vault.key_vault.id}",
        "KeyEncryptionKeyURL": "${azurerm_key_vault_key.ade_key.*.id[count.index]}",
        "KekVaultResourceId": "${data.azurerm_key_vault.key_vault.id}",
        "KeyEncryptionAlgorithm": "RSA-OAEP",
        "VolumeType": "All"
    }
    SETTINGS

    lifecycle {
      ignore_changes = [settings,tags]
    }
}
f4t66c6m

f4t66c6m1#

使用Azure Policy和Terraform模板进行标记,忽略标记
我已经在我的环境中尝试过,并且能够使用***lifecycle***命令成功部署它。
从@Jim Xu提供的SO解决方案中提取Terraform的片段,并对其进行修改以满足您的要求,如下所示:

主文件格式

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "=2.99.0"
    }
  }
}
provider "azurerm" {
        features {}

}
resource "random_string" "password" {
  length  = 16
  special = false
}
data "azurerm_resource_group" "newtest" {
  name = var.resource_group_name
}
resource "azurerm_key_vault" "keyvault" {
  name                = var.key_vault_name
  resource_group_name = var.resource_group_name
   enabled_for_disk_encryption = true
   enabled_for_deployment=true
   enabled_for_template_deployment =true
   location=data.azurerm_resource_group.newtest.location
   tenant_id = "<tenant-id>"
   sku_name = "standard"
   soft_delete_retention_days=90
   
}
resource "azurerm_key_vault_access_policy" "myPolicy" {
  key_vault_id = azurerm_key_vault.keyvault.id
  tenant_id = "<tenant-id>"
  object_id = "<object-id>"
  key_permissions = [
    "Create",
    "Delete",
    "Get",
    "Purge",
    "Recover",
    "Update",
    "List",
    "Decrypt",
    "Sign"
  ]
}

resource "azurerm_key_vault_key" "testKEK" {
  name         = "testKEK"
  key_vault_id = azurerm_key_vault.keyvault.id
  key_type     = "RSA"
  key_size     = 2048
   depends_on = [
    azurerm_key_vault_access_policy.myPolicy
  ]
  key_opts = [
    "decrypt",
    "encrypt",
    "sign",
    "unwrapKey",
    "verify",
    "wrapKey",
  ]
}
 
resource "azurerm_virtual_machine_extension" "vmextension" {
  name                       = random_string.password.result
  virtual_machine_id         = "/subscriptions/<subscription_ID>/resourceGroups/<resourceGroup>/providers/Microsoft.Compute/virtualMachines/<VMName>"
  publisher                  = "Microsoft.Azure.Security"
  type                       = "AzureDiskEncryption"
  type_handler_version       = var.type_handler_version
  auto_upgrade_minor_version = true

  settings = <<SETTINGS
    {
        "EncryptionOperation": "${var.encrypt_operation}",
        "KeyVaultURL": "${azurerm_key_vault.keyvault.vault_uri}",
        "KeyVaultResourceId": "${azurerm_key_vault.keyvault.id}",                   
        "KeyEncryptionKeyURL": "${azurerm_key_vault_key.testKEK.id}",
        "KekVaultResourceId": "${azurerm_key_vault.keyvault.id}",                   
        "KeyEncryptionAlgorithm": "${var.encryption_algorithm}",
        "VolumeType": "${var.volume_type}"
    }
SETTINGS

 lifecycle {
      ignore_changes = [settings,tags]
    } 
}

变量.tf:

variable "resource_group_name" {
  default     = "newtest"
}
variable "location" {
  default     = "EastUS"
}
variable key_vault_name {
  default     = ""
}
variable virtual_machine_id {
    default     = ""
}
variable "volume_type" {
  default = "All"
}
variable "encrypt_operation" {
  default = "EnableEncryption"
}
variable "type_handler_version" {
  description = "Defaults to 2.2 on Windows"
  default     = "2.2"
}

注意:您可以修改tfvars档案以符合您的需求。
已执行terraform initterraform init -upgrade

已执行terraform plan

在成功运行以上命令后,给予terraform apply*****:

已从Portal创建密钥库,但未观察到密钥库发生任何变化

x1c4d 1x指令集

部署在门户中的资源组(newtest):

相关问题