Terraform with Azure gives circular dependency
I am trying to provision infrastructure using the Azure provider. I have the same flow working through the Azure CLI, but I want to move to Terraform.
Unfortunately, I am running into a circular dependency that I can't seem to resolve. I have the following items:
1. A Cognitive Services account with a generated API key;
2. An App Service with a SystemAssigned identity;
3. A Key Vault with read permission for the identity assigned in (2);
4. A Key Vault secret holding the API key generated in (1);
5. The App Service in (2) needs to be updated with the secret ID generated in (3). - The problem.
Now: I need to set the App Service's configuration to reference the secret ID generated when I add the secret to the vault, but I can't.
Is there a way to edit these values so the configuration can be set in stages? I.e. provision x, then modify it?
Edit: my Terraform file is as follows:
provider "azurerm" {
  version = "=1.28.0"
}

variable "TENANT_ID" {
  type = string
}

resource "azurerm_resource_group" "test" {
  name     = "resourceGroup1"
  location = "australiaeast"
}

resource "azurerm_app_service_plan" "plan" {
  name                = "resourceGroup1"
  location            = "${azurerm_resource_group.test.location}"
  resource_group_name = "${azurerm_resource_group.test.name}"
  kind                = "Linux"
  sku {
    tier = "Basic"
    size = "B1"
  }
}

resource "azurerm_cognitive_account" "cognitive" {
  name                = "resourceGroup1-cognitive"
  location            = "${azurerm_resource_group.test.location}"
  resource_group_name = "${azurerm_resource_group.test.name}"
  kind                = "ComputerVision"
  sku {
    name = "S0"
    tier = "Standard"
  }
}

resource "azurerm_key_vault" "keyvault" {
  name                = "resourceGroup1-keyvault"
  location            = "${azurerm_resource_group.test.location}"
  resource_group_name = "${azurerm_resource_group.test.name}"
  tenant_id           = var.TENANT_ID
  sku {
    name = "standard"
  }
  access_policy {
    tenant_id          = "${azurerm_app_service.api.identity.0.tenant_id}"
    object_id          = "${azurerm_app_service.api.identity.0.principal_id}"
    secret_permissions = ["get"]
  }
}

resource "azurerm_key_vault_secret" "keyvault-apikey" {
  name         = "AzureComputerVisionApiKey"
  value        = "${azurerm_cognitive_account.cognitive.primary_access_key}"
  key_vault_id = "${azurerm_key_vault.keyvault.id}"
}

resource "azurerm_app_service" "api" {
  name                = "resourceGroup1-api"
  location            = "${azurerm_resource_group.test.location}"
  resource_group_name = "${azurerm_resource_group.test.name}"
  app_service_plan_id = "${azurerm_app_service_plan.plan.id}"
  identity {
    type = "SystemAssigned"
  }
  app_settings = {
    "ASPNETCORE_AzureComputerVisionApiKey" = "THIS IS A NORMAL SECRET VALUE"
  }
}
If I change the value of the "ASPNETCORE_AzureComputerVisionApiKey" line to:
"ASPNETCORE_AzureComputerVisionApiKey" = "@Microsoft.KeyVault(${azurerm_key_vault_secret.keyvault-apikey.id})"
in order to reference the Key Vault secret, I get the following error during the terraform plan operation:
Error: Cycle: azurerm_app_service.api, azurerm_key_vault.keyvault, azurerm_key_vault_secret.keyvault-apikey
Your problem, as the error shows, is a circular dependency.
When you change the appsettings in the azurerm_app_service resource like this:
"ASPNETCORE_AzureComputerVisionApiKey" = "@Microsoft.KeyVault(${azurerm_key_vault_secret.keyvault-apikey.id})"
then the dependencies look like this:
azurerm_key_vault_secret depends on azurerm_key_vault
azurerm_key_vault depends on azurerm_app_service
azurerm_app_service depends on azurerm_key_vault
So the error is shown and not all of the resources can be created.
The solution is to change the order in which the resources are created, like this:
- azurerm_cognitive_account
- azurerm_key_vault without the access policy
- azurerm_key_vault_secret
- azurerm_app_service
- azurerm_key_vault_access_policy
Just separate the Key Vault and the Key Vault access policy, and the circular dependency disappears.
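The restructured configuration the answer describes, written out as a complete example. This is added here and is not the question's or the answer's own code. It targets Terraform 0.12+ and the azurerm 2.x provider rather than the 1.28.0 pinned in the question, so the `sku` blocks become `sku_name` and the `"${...}"` interpolation is dropped. The `deployer` access policy and the `data "azurerm_client_config"` lookup are assumptions about how the secret gets written: the identity running `terraform apply` needs `set` on the vault before it can create the secret, and the question's file never grants that. The `SecretUri=` form of the Key Vault reference is the one App Service resolves; a bare `@Microsoft.KeyVault(<id>)` is left unresolved.

```hcl
provider "azurerm" {
  version = "~> 2.0"
  features {}
}

# Identity running terraform apply (assumed: a user or service principal
# that may hold a temporary "set"/"delete" policy on the vault).
data "azurerm_client_config" "current" {}

resource "azurerm_resource_group" "test" {
  name     = "resourceGroup1"
  location = "australiaeast"
}

resource "azurerm_app_service_plan" "plan" {
  name                = "resourceGroup1"
  location            = azurerm_resource_group.test.location
  resource_group_name = azurerm_resource_group.test.name
  kind                = "Linux"
  reserved            = true
  sku {
    tier = "Basic"
    size = "B1"
  }
}

resource "azurerm_cognitive_account" "cognitive" {
  name                = "resourceGroup1-cognitive"
  location            = azurerm_resource_group.test.location
  resource_group_name = azurerm_resource_group.test.name
  kind                = "ComputerVision"
  sku_name            = "S0"
}

# No inline access_policy block: every policy is a separate resource,
# so the vault itself no longer depends on the App Service.
resource "azurerm_key_vault" "keyvault" {
  name                = "resourceGroup1-keyvault"
  location            = azurerm_resource_group.test.location
  resource_group_name = azurerm_resource_group.test.name
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "standard"
}

# Policy for the deploying identity (assumed); only what writing the secret needs.
resource "azurerm_key_vault_access_policy" "deployer" {
  key_vault_id       = azurerm_key_vault.keyvault.id
  tenant_id          = data.azurerm_client_config.current.tenant_id
  object_id          = data.azurerm_client_config.current.object_id
  secret_permissions = ["get", "list", "set", "delete"]
}

resource "azurerm_key_vault_secret" "keyvault-apikey" {
  name         = "AzureComputerVisionApiKey"
  value        = azurerm_cognitive_account.cognitive.primary_access_key
  key_vault_id = azurerm_key_vault.keyvault.id

  # The policy is not referenced by an attribute, so order it explicitly.
  depends_on = [azurerm_key_vault_access_policy.deployer]
}

# Depends on the secret (and through it on the vault), not the other way round.
resource "azurerm_app_service" "api" {
  name                = "resourceGroup1-api"
  location            = azurerm_resource_group.test.location
  resource_group_name = azurerm_resource_group.test.name
  app_service_plan_id = azurerm_app_service_plan.plan.id

  identity {
    type = "SystemAssigned"
  }

  app_settings = {
    # .id is the versioned secret URI; App Service fetches it at startup with its managed identity.
    "ASPNETCORE_AzureComputerVisionApiKey" = "@Microsoft.KeyVault(SecretUri=${azurerm_key_vault_secret.keyvault-apikey.id})"
  }
}

# Created last: needs the principal_id that only exists once the App Service is up.
# Grants the app "get" only, nothing more.
resource "azurerm_key_vault_access_policy" "api" {
  key_vault_id       = azurerm_key_vault.keyvault.id
  tenant_id          = azurerm_app_service.api.identity[0].tenant_id
  object_id          = azurerm_app_service.api.identity[0].principal_id
  secret_permissions = ["get"]
}
```

The dependency graph is now cognitive_account -> key_vault -> deployer policy -> secret -> app_service -> api policy, with no edge back into the vault. Two things to check after the first apply: the app only starts resolving the reference once the `api` policy exists, so a restart of the App Service may be needed on the very first run, and because the secret's `value` is the Cognitive Services key, that key is stored in Terraform state; treat the state backend as holding the secret.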