【发布时间】:2020-02-14 07:48:16
【问题描述】:
我有一个模块可以设置对密钥保管库的默认访问权限。然后我有一个在密钥保管库中设置秘密的资源:
module "default_kv_access" {
source = "../default_kv_access"
key_vault = azurerm_key_vault.kv
}
...
resource "azurerm_key_vault_secret" "secrets" {
for_each = local.secrets
name = each.key
value = each.value
key_vault_id = azurerm_key_vault.kv.id
}
当销毁时,terraform 首先销毁模块,然后尝试销毁机密(浪费,因为密钥库无论如何都会被销毁,但是给定的)。
无论如何,通过首先销毁模块,terraform 会删除所有访问策略,因此在销毁 azurerm_key_vault_secret 资源时 - 它失败了,因为运行代码的服务主体没有对机密的必要访问权限。
我需要告诉 terraform azurerm_key_vault_secret 依赖于 default_kv_access 模块。
所以,问题是我该怎么做,因为我不能只在 depends_on 语句中提及模块。
编辑 1
模块代码为:
variable "key_vault" {}
locals {
ctx = jsondecode(file("${path.root}/../${basename(abspath(path.root)) == "product" ? "" : "../"}metadata.g.json"))
# Will have to be replaced when the hosting is ready
hosting_ad_group_name = "AdminRole-Product-DFDevelopmentOps"
}
data "azurerm_client_config" "client" {}
data "azuread_service_principal" "hosting_sp" {
display_name = local.ctx.HostingAppName
}
data "azuread_group" "hosting_ad_group" {
name = local.hosting_ad_group_name
}
locals {
allow_kv_access_to = {
client = {
object_id = data.azurerm_client_config.client.object_id
secret_permissions = ["get", "set", "list", "delete", "recover", "backup", "restore"]
}
hosting_sp = {
object_id = data.azuread_service_principal.hosting_sp.object_id
secret_permissions = ["get", "set", "list", "delete", "recover", "backup", "restore"]
}
hosting_ad_group = {
object_id = data.azuread_group.hosting_ad_group.id
secret_permissions = ["get", "list"]
}
}
}
resource "azurerm_key_vault_access_policy" "default" {
for_each = local.allow_kv_access_to
key_vault_id = var.key_vault.id
tenant_id = var.key_vault.tenant_id
object_id = each.value.object_id
secret_permissions = each.value.secret_permissions
}
【问题讨论】:
-
能否也分享一下模块源码?
标签: terraform