Iterating over map to create key vault secrets throws error if secret doesn't exist

I have a map of Key Vault secrets that I want to use in my application. Some of them already exist in Azure Key Vault:

variable "keyvault_secrets" {
  type = map(string)
  default = {
    service_bus = "AzureWebJobsServiceBus",
    mongo_connection = "MongoConnection",
    sendgrid_api_key = "SendgridApiKey",
    twilio_auth_token = "TwilioAccountAuthToken",
    twilio_sid = "TwilioAccountSid",
    twilio_message_service_sid = "TwilioMessageServiceSid",
    resdis_session_connection = "RedisSessionConnection"
  }
}

I then have the following blocks to create the Key Vault and the secrets:

data "azurerm_key_vault_secret" "these" {
  for_each = var.keyvault_secrets
  key_vault_id = azurerm_key_vault.default.id
  name = each.value
}

resource "azurerm_key_vault_access_policy" "api" {
  key_vault_id = azurerm_key_vault.default.id
  object_id = azurerm_app_service.api[0].identity[0].principal_id
  tenant_id = data.azurerm_client_config.current.tenant_id
  depends_on = [azurerm_app_service.api]
  key_permissions = []
  secret_permissions = [
    "Get"
  ]
}

resource "azurerm_key_vault" "default" {
  location = var.azure_location
  name = "kv-quiztime-${terraform.workspace}-001"
  resource_group_name = azurerm_resource_group.default[0].name
  sku_name = module.vars.env["keyvault_plan_sku"]["name"]
  tenant_id = data.azurerm_client_config.current.tenant_id
  tags = local.common_tags
}

resource "azurerm_key_vault_secret" "these" {
  for_each = var.keyvault_secrets
  key_vault_id = azurerm_key_vault.default.id
  name = each.value
  value = data.azurerm_key_vault_secret.these[each.key] ? data.azurerm_key_vault_secret.these[each.key].value : "not set"
  content_type = "Connection String"
}

But when I run terraform plan I get the following error:

Error: KeyVault Secret "RedisSessionConnection" (KeyVault URI "https://kv-[hidden]-dev-001.vault.azure.net/") does not exist
│
│   with data.azurerm_key_vault_secret.these["resdis_session_connection"],
│   on keyvaults.tf line 2, in data "azurerm_key_vault_secret" "these":
│    2: data "azurerm_key_vault_secret" "these" {

Because it doesn't exist, I expected it to be created. What am I doing wrong? Or is my expectation incorrect?

The "does not exist" error comes from data.azurerm_key_vault_secret.these. A data source must exist, otherwise you get that error. You cannot query the data of a resource that does not exist. TF does not support such a feature, and there is no way to check for existence beforehand.

You would have to design a custom data source yourself to be able to use a resource that may or may not exist.
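One way to build the existence check the answer refers to, as an added example that is not part of this question or answer: a small program for the hashicorp/external `data "external"` source that asks the Azure CLI whether a secret exists, treating only a SecretNotFound error as "missing" so that a permission error can never make the plan overwrite a real secret with a placeholder. The Terraform wiring in the leading comment, the script name and the query keys are assumptions.

```python
# Added example: an "external" data source program that reports whether a
# Key Vault secret exists. Assumed Terraform wiring (file name is an assumption):
#
#   data "external" "kv_secret" {
#     for_each = var.keyvault_secrets
#     program  = ["python3", "${path.module}/kv_secret_exists.py"]
#     query    = { vault_name = azurerm_key_vault.default.name, secret_name = each.value }
#   }
#   # then test: data.external.kv_secret[each.key].result.exists == "true"
import json
import subprocess
import sys


def classify(returncode, stderr):
    """Map an `az keyvault secret show` outcome to "exists" or "missing".

    Only a SecretNotFound error counts as missing. Anything else (Forbidden,
    network failure, wrong vault name) raises, because silently reporting
    "missing" would let the plan replace a real secret with a placeholder.
    """
    if returncode == 0:
        return "exists"
    if "SecretNotFound" in stderr:
        return "missing"
    raise RuntimeError("az keyvault secret show failed: " + stderr.strip())


def check_secret(vault_name, secret_name, runner=subprocess.run):
    """Run the Azure CLI; `runner` is injectable so the logic is testable offline."""
    proc = runner(
        ["az", "keyvault", "secret", "show", "--vault-name", vault_name,
         "--name", secret_name, "--query", "id", "-o", "tsv"],
        capture_output=True, text=True,
    )
    return classify(proc.returncode, proc.stderr)


def build_result(secret_name, state):
    """The external provider requires a flat JSON object whose values are strings."""
    return {"secret_name": secret_name, "exists": "true" if state == "exists" else "false"}


def main():
    query = json.load(sys.stdin)  # {"vault_name": "...", "secret_name": "..."}
    state = check_secret(query["vault_name"], query["secret_name"])
    json.dump(build_result(query["secret_name"], state), sys.stdout)


if __name__ == "__main__":
    main()
```

The identity running terraform plan still needs Get permission on the vault for the check to distinguish "missing" from "forbidden"; a RuntimeError fails the plan rather than guessing.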