Terraform - Azure Key Vault Secrets creation is not idempotent

dba5bblo  posted on 2023-10-22  in  Other
Follow (0) | Answers (1) | Views (93)

On the first terraform apply this configuration currently succeeds in creating a key vault and populating the secrets from the list "secrets" with values produced by the random resource.
Every subsequent run of this configuration throws this error: Error: A resource with the ID "https://testingkeyvault.vault.azure.net/secrets/Password1/3e4cdc60c7e12345a228fd4250b58191" already exists - to be managed via Terraform this resource needs to be imported into the State. Please see the resource documentation for "azurerm_key_vault_secret" for more information.

variable "secrets" {
  type = list(string)
  default = [
    "Password1",
    "Password2",
    "Password3",
    "Password4"
  ]
}

data "azurerm_client_config" "current" {
  provider = azurerm.PlatformManagement
}

data "azurerm_key_vault" "existing" {
  provider            = azurerm.PlatformManagement
  name                = var.KeyVaultName
  resource_group_name = var.KeyVault_Rg_Name
  depends_on          = [azurerm_key_vault.pman-vault]
}

resource "azurerm_key_vault" "pman-vault" {
  provider = azurerm.PlatformManagement

  name                        = var.KeyVaultName
  location                    = var.Location
  resource_group_name         = var.KeyVault_Rg_Name
  enabled_for_disk_encryption = true
  tenant_id                   = data.azurerm_client_config.current.tenant_id
  soft_delete_retention_days  = 7
  purge_protection_enabled    = false
  sku_name                    = "standard"
  enable_rbac_authorization   = true
} # closing brace was missing in the posted snippet

data "azurerm_key_vault_secret" "existing-secrets" {
  count               = length(var.secrets)
  name                = var.secrets[count.index]
  key_vault_id        = azurerm_key_vault.pman-vault.id
  depends_on          = [azurerm_key_vault_secret.pman-secrets]
}

resource "random_password" "password" {
  count            = var.create_secrets ? length(var.secrets) : 0
  length           = 15
  special          = true
  override_special = "!@#$%&*()-_=+[]{}<>:?"
}

resource "azurerm_key_vault_secret" "pman-secrets" {
  count        = var.create_secrets ? length(var.secrets) : 0
  name         = var.secrets[count.index]
  value        = random_password.password[count.index].result
  key_vault_id = azurerm_key_vault.pman-vault.id
  lifecycle {
    prevent_destroy = true
  }
  depends_on = [azurerm_key_vault.pman-vault]
}

The result I expect is that it detects the passwords it has already created and that already exist in the key vault, so that the terraform code runs idempotently. What am I doing wrong, and what can I do to achieve this?

xcitsw88  1#

I tried to configure Terraform - Azure Key Vault Secrets creation that was not idempotent, and I was able to configure the requirement successfully.
The problem with your Terraform configuration is that you are using the count attribute on the azurerm_key_vault_secret resource without specifying the for_each argument. This means Terraform will create a new secret for every item in the secrets variable, even if the secret already exists in the key vault.
To make the Terraform configuration idempotent, you need to use the for_each argument to specify the data source to override when creating the secrets. In this case you want to override the azurerm_key_vault_secret.existing-secrets data source.
Here is a modified version of the Terraform configuration that is idempotent:

My Terraform configuration:

provider "azurerm" {
    features {}
}
  
variable "secrets" {
  type = list(string)
  default = [
    "Password1",
    "Password2",
    "Password3",
    "Password4"
  ]
}

variable "KeyVaultName" {
  description = "Name of the KeyVault"
  default     = "demovksbvaultvk"
}

variable "KeyVault_Rg_Name" {
  description = "Resource Group of the KeyVault"
  default     = "v-sakavya"
}

variable "Location" {
  description = "Azure region for the KeyVault"
  default     = "East US"
}

data "azurerm_client_config" "current" {}


data "azurerm_key_vault" "existing" {
  name                = var.KeyVaultName
  resource_group_name = var.KeyVault_Rg_Name
}

resource "azurerm_key_vault" "pman-vault" {
  # Note: a data source errors out (it does not return null) when the vault does not exist,
  # so this branch only evaluates to 0 against a vault that already exists.
  count                       = data.azurerm_key_vault.existing.id != null ? 0 : 1
  name                        = var.KeyVaultName
  location                    = var.Location
  resource_group_name         = var.KeyVault_Rg_Name
  tenant_id                   = data.azurerm_client_config.current.tenant_id
  sku_name                    = "standard"
  soft_delete_retention_days  = 7
  purge_protection_enabled    = false
}

resource "random_password" "password" {
  count            = length(var.secrets)
  length           = 15
  special          = true
  override_special = "!@#$%&*()-_=+[]{}<>:?"
}

resource "azurerm_key_vault_secret" "pman-secrets" {
  for_each = toset(var.secrets)

  name         = each.value
  value        = random_password.password[index(var.secrets, each.value)].result
  key_vault_id = length(azurerm_key_vault.pman-vault) > 0 ? azurerm_key_vault.pman-vault[0].id : data.azurerm_key_vault.existing.id

  lifecycle {
    ignore_changes = [value]
    prevent_destroy = true
  }
}

data "azurerm_key_vault_secret" "fetched_secrets" {
  for_each     = toset(var.secrets)
  name         = each.value
  key_vault_id = data.azurerm_key_vault.existing.id
  # Read only after the secrets have been written; otherwise the first apply fails on a secret that does not exist yet
  depends_on   = [azurerm_key_vault_secret.pman-secrets]
}

output "fetched_secrets_values" {
  # The data source instance is an object, so read the attribute directly instead of lookup()
  value       = { for s in var.secrets : s => data.azurerm_key_vault_secret.fetched_secrets[s].value }
  description = "The fetched secret values from Azure Key Vault."
  sensitive   = true
}

Output:

Terraform apply:

Running the command again:

Terraform apply:
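The configuration below is an added example written for this page; it is not code from the question or from the answer. It keeps the question's secret names and password policy but keys every per-secret resource on the secret name instead of a list index, never lets a regenerated random value overwrite an existing secret, and uses a Terraform import block (1.7 or later) to adopt a secret that already exists in the vault, which is exactly what the "already exists - needs to be imported into the State" error asks for. The vault name, resource group, location, the role assignment and the import_existing variable are assumptions.

```hcl
# Added example for this page (not the question's or the answer's code).
# Assumed names: vault "testingkeyvault", resource group "rg-platform", region "East US".

terraform {
  required_version = ">= 1.7" # import blocks with for_each need 1.7+
  required_providers {
    azurerm = { source = "hashicorp/azurerm", version = ">= 3.0" }
    random  = { source = "hashicorp/random", version = ">= 3.0" }
  }
}

provider "azurerm" {
  features {}
}

variable "secrets" {
  # A set, not a list: removing "Password2" must not shift Password3/Password4 onto
  # other instances (with count it would, and prevent_destroy would then block the plan).
  type    = set(string)
  default = ["Password1", "Password2", "Password3", "Password4"]
}

# Secret name => versioned secret ID for secrets that exist in Azure but not in state.
# Fill it in from the error message or `az keyvault secret show`, apply once, then set it
# back to {}. The commented entry is the ID quoted in the question.
variable "import_existing" {
  type    = map(string)
  default = {
    # "Password1" = "https://testingkeyvault.vault.azure.net/secrets/Password1/3e4cdc60c7e12345a228fd4250b58191"
  }
}

data "azurerm_client_config" "current" {}

resource "azurerm_key_vault" "pman-vault" {
  name                       = "testingkeyvault" # assumed
  location                   = "East US"         # assumed
  resource_group_name        = "rg-platform"     # assumed
  tenant_id                  = data.azurerm_client_config.current.tenant_id
  sku_name                   = "standard"
  soft_delete_retention_days = 7
  purge_protection_enabled   = false
  enable_rbac_authorization  = true
}

# With RBAC authorization on the vault, the identity running Terraform needs a data-plane
# role (e.g. Key Vault Secrets Officer) or every secret read/write/import returns 403.
resource "azurerm_role_assignment" "tf_secrets_officer" {
  scope                = azurerm_key_vault.pman-vault.id
  role_definition_name = "Key Vault Secrets Officer"
  principal_id         = data.azurerm_client_config.current.object_id
}

resource "random_password" "secret" {
  for_each         = var.secrets # one independent password per secret name
  length           = 15
  special          = true
  override_special = "!@#$%&*()-_=+[]{}<>:?"
}

resource "azurerm_key_vault_secret" "pman" {
  for_each     = var.secrets
  name         = each.key
  value        = random_password.secret[each.key].result
  key_vault_id = azurerm_key_vault.pman-vault.id
  depends_on   = [azurerm_role_assignment.tf_secrets_officer]

  lifecycle {
    prevent_destroy = true
    # A regenerated random value must never overwrite a secret that already exists:
    # that would silently rotate a credential other systems depend on.
    ignore_changes = [value]
  }
}

# Adopt secrets that exist in the vault but not in state. After the import, ignore_changes
# keeps the stored value, so random_password only ever feeds secrets that are genuinely new.
import {
  for_each = var.import_existing
  to       = azurerm_key_vault_secret.pman[each.key]
  id       = each.value
}
```

On a second run nothing is planned: each instance is addressed by name, prevent_destroy refuses to remove an adopted secret, and ignore_changes stops the random value from replacing the stored one. To pick up secrets that were created outside the state file, put their versioned IDs into import_existing (the ID in the question's error message has exactly that form), run terraform plan and confirm the "will be imported" lines before applying, then clear the variable. Two caveats: prevent_destroy means removing a name from var.secrets is a plan error until you drop the lifecycle rule or `terraform state rm` that instance, and a freshly created role assignment can take a few minutes to propagate, so the first apply on a brand-new vault may need a retry.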
