In Azure, Terraform operations work for everything except migrating state to Blob storage

yyyllmsg  posted 2023-10-22  in  Other
Answers (1) | Views (105)

When running terraform plan and apply, everything works fine. When trying to migrate the state to Azure Blob, the following happens:

→ terraform init -migrate-state

Initializing the backend...
Terraform detected that the backend type changed from "local" to "azurerm".
Initializing modules...
Error: Error inspecting states in the "local" backend: Client#ListBlobs: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthenticationFailed" Message="Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.\nRequestId:19d51fce-001e-0001-26cf-fa1cb6000000\nTime:2023-10-09T16:40:54.4441668Z"

Prior to changing backends, Terraform inspects the source and destination states to determine what kind of migration steps need to be taken, if any. Terraform failed to load the states. The data in both the source and the destination remain unchanged. Please resolve the above error and try again.
We have reset the credentials and created the storage account and container manually. We use a service principal to log in, and terraform pulls those creds from the shell ENV. Here is the tf file:

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = ">= 3.75.0"
    }
    azuread = {
      source  = "hashicorp/azuread"
      version = ">=2.43.0"
    }
  }
}

provider "azurerm" {
  features {}
  client_id       = var.client_id
  client_secret   = var.client_secret
  subscription_id = var.subscription_id
  tenant_id       = var.tenant_id
}

provider "azuread" {
  client_id     = var.client_id
  client_secret = var.client_secret
  tenant_id     = var.tenant_id
}

resource "azurerm_resource_group" "primary_resource_group" {
  name     = var.primary_rg_name
  location = var.primary_location

  tags = {
    creator      = var.creator
  }
}

locals {
  scope = "/subscriptions/${var.subscription_id}"
}

resource "azurerm_storage_account" "storage_account" {
  name                     = var.storage_account_name
  resource_group_name      = azurerm_resource_group.primary_resource_group.name
  location                 = var.storage_account_location
  account_tier             = "Standard"
  account_replication_type = "LRS"
  account_kind             = "StorageV2"

  blob_properties {
    versioning_enabled = true
    delete_retention_policy {
      days = 7
    }
    container_delete_retention_policy {
      days = 21
    }
  }

  tags = {
    creator      = var.creator
    product_line = "Astra"
  }
}

terraform {
  backend "azurerm" {
    container_name       = "astra-dev-qa"
    key                  = "qa.terraform.tfstate"
    resource_group_name  = "rg_astra-dev-qa"
    storage_account_name = "astradevqa"
  }
}
tag5nh1u  1#

I tried the operations in Azure so that everything works when migrating the state to Blob storage, and I was able to provision the requirement successfully.
It looks like you are running into several problems at once while trying to migrate the Terraform state to Azure Blob storage.

* Authentication error: the error message shows that authentication failed when trying to list blobs. This can have several causes:

  • The service principal's credentials are incorrect.
  • The service principal does not have the permissions required to access the storage account.
  • The information in the backend "azurerm" configuration may be wrong (e.g. container_name, resource_group_name).

* Terraform configuration for the Azure backend: the current Terraform configuration shows how to define resources in Azure. However, when setting up the backend you usually also need to provide authentication details for the backend.

My Terraform configuration:

main.tf:

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = ">= 3.75.0"
    }
    azuread = {
      source  = "hashicorp/azuread"
      version = ">=2.43.0"
    }
  }

  backend "azurerm" {
    resource_group_name   = "v-sakavya"
    storage_account_name  = "myvksbstorageaccount"
    container_name        = "astravksb"
    key                   = "qa.terraform.tfstate"
  }
}

provider "azurerm" {
  features {}
  client_id       = var.client_id
  client_secret   = var.client_secret
  subscription_id = var.subscription_id
  tenant_id       = var.tenant_id
}

provider "azuread" {
  client_id     = var.client_id
  client_secret = var.client_secret
  tenant_id     = var.tenant_id
}

resource "azurerm_resource_group" "primary_resource_group" {
  name     = var.primary_rg_name
  location = var.primary_location

  tags = {
    creator = var.creator
  }
}

resource "azurerm_storage_account" "storage_account" {
  name                     = var.storage_account_name
  resource_group_name      = azurerm_resource_group.primary_resource_group.name
  location                 = var.storage_account_location
  account_tier             = "Standard"
  account_replication_type = "LRS"
  account_kind             = "StorageV2"

  blob_properties {
    versioning_enabled = true
    delete_retention_policy {
      days = 7
    }
    container_delete_retention_policy {
      days = 21
    }
  }

  tags = {
    creator = var.creator
  }
}

variables.tf:

variable "client_id" {
  description = "The Azure Service Principal client ID"
  type        = string
}

variable "client_secret" {
  description = "The Azure Service Principal client secret"
  type        = string
  sensitive   = true
}

variable "subscription_id" {
  description = "The Azure subscription ID"
  type        = string
}

variable "tenant_id" {
  description = "The Azure tenant ID"
  type        = string
}

variable "primary_rg_name" {
  description = "The primary resource group name"
  type        = string
}

variable "primary_location" {
  description = "The Azure region for resources"
  type        = string
}

variable "storage_account_name" {
  description = "The name of the Azure storage account"
  type        = string
}

variable "storage_account_location" {
  description = "The Azure region for the storage account"
  type        = string
}

variable "creator" {
  description = "Tag for the creator of the resources"
  type        = string
}

output.tf:

output "resource_group_name" {
  value = azurerm_resource_group.primary_resource_group.name
}

output "storage_account_name" {
  value = azurerm_storage_account.storage_account.name
}

Output:

Follow the commands mentioned here to achieve the requirement you are looking for.

terraform init \
  -backend-config="client_id=YOUR_CLIENT_ID" \
  -backend-config="client_secret=YOUR_CLIENT_SECRET" \
  -backend-config="tenant_id=YOUR_TENANT_ID" \
  -backend-config="subscription_id=YOUR_SUBSCRIPTION_ID"

terraform apply \
  -var "client_id=YOUR_CLIENT_ID" \
  -var "client_secret=YOUR_CLIENT_SECRET" \
  -var "tenant_id=YOUR_TENANT_ID" \
  -var "subscription_id=YOUR_SUBSCRIPTION_ID" \
  -var "primary_rg_name=YOUR_RG_NAME" \
  -var "primary_location=YOUR_LOCATION" \
  -var "storage_account_name=YOUR_STORAGE_ACCOUNT_NAME" \
  -var "storage_account_location=YOUR_STORAGE_LOCATION" \
  -var "creator=YOUR_NAME"
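As an added example (not code from the question or the answer), here is a POSIX shell wrapper for the migration step the answer describes: the azurerm backend is authenticated during terraform init from the ARM_CLIENT_ID, ARM_CLIENT_SECRET, ARM_TENANT_ID and ARM_SUBSCRIPTION_ID environment variables, not from the provider "azurerm" block, so the script mirrors the asker's TF_VAR_* values into ARM_*, refuses to start while any of them is unset, and takes the non-secret backend settings from an assumed backend.hcl file so the client secret never lands on the command line or in shell history. The RUN_MIGRATION guard and the backend.hcl name are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the question or answer: the azurerm backend is
# authenticated during "terraform init", before provider "azurerm" is read,
# so it needs ARM_CLIENT_ID/ARM_CLIENT_SECRET/ARM_TENANT_ID/ARM_SUBSCRIPTION_ID
# from the environment; TF_VAR_* only feeds the provider's var.* inputs.
set -u
CRED_NAMES="client_id client_secret tenant_id subscription_id"
# ARM_<NAME> for a lower-case credential name, e.g. client_id -> ARM_CLIENT_ID.
arm_name() {
  printf 'ARM_%s' "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')"
}
# Copy TF_VAR_<name> into ARM_<NAME> wherever ARM_<NAME> is not already set.
mirror_tf_vars_to_arm() {
  for name in $CRED_NAMES; do
    arm_var=$(arm_name "$name")
    eval "arm_val=\${$arm_var:-}"
    eval "tf_val=\${TF_VAR_$name:-}"
    if [ -z "$arm_val" ] && [ -n "$tf_val" ]; then
      export "$arm_var=$tf_val"
    fi
  done
}

# Print the ARM_* names still unset (space separated); exit 1 if there are any.
missing_backend_creds() {
  missing=""
  for name in $CRED_NAMES; do
    arm_var=$(arm_name "$name")
    eval "arm_val=\${$arm_var:-}"
    [ -n "$arm_val" ] || missing="$missing $arm_var"
  done
  printf '%s\n' "${missing# }"
  [ -z "$missing" ]
}

# Non-secret settings come from backend.hcl (assumed file name); the secret stays
# in the environment instead of on the command line and in shell history.
migrate_state() {
  if ! missing_backend_creds >/dev/null; then
    printf 'refusing to migrate, unset: %s\n' "$(missing_backend_creds)" >&2
    return 1
  fi
  terraform init -migrate-state -backend-config=backend.hcl
}

# Guarded entry point: sourcing the file (e.g. for tests) does not run terraform.
if [ "${RUN_MIGRATION:-0}" = 1 ]; then
  mirror_tf_vars_to_arm && migrate_state
fi
```

Run it as `RUN_MIGRATION=1 sh migrate.sh` from the directory holding the Terraform files; the refusal message lists exactly which ARM_* variables are still missing.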
