了解terraform中的共享模块和destroy命令,销毁时如何排除共享模块?
Understanding shared modules in terraform and the destroy command, how do I exclude the shared module when destroying?
我目前正在 Terraform 中编写一些新的 Azure 基础设施脚本,并使用嵌套模块这样做,以便更好地管理和部署我们基础设施的不同部分。
我创建了一个名为 global
的模块,其中包含多个共享资源(几乎只是 Azure 资源组和权限)以及一些 Azure AD 查找和当前客户端配置。将这些放在一个中央模块中似乎可以避免代码重复,并确保在整个项目中一致地处理它们。
但是,我注意到当我从任意一个模块运行 terraform destroy
时,全局模块中的所有对象都被标记为被毁。有没有办法从销毁过程中排除嵌套模块?
我是否真的应该把全局模块中资源的创建(也就是那些专门的资源组以及应用于它们的权限)放到一个单独的、非嵌套的模块中,然后让嵌套的全局模块改为只通过 data 数据源去查找这些资源的值?
全局模块的示例代码:-
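## Lookups for context that Terraform does not manage: the identity running
## Terraform, the current subscription and the Azure AD groups that are granted
## permissions further down.
data "azurerm_client_config" "current" {}
data "azurerm_subscription" "subscription_current" {}

data "azuread_group" "dba" {
  name = "DBAs"
}

data "azuread_group" "bi-developer" {
  name = "BIDevelopers"
}

# Added so that output "aad_data-science_id" (which references
# data.azuread_group.data-science) resolves; the module had no such lookup.
# The group name below is a CONSTRUCTED PLACEHOLDER — replace it with the real
# Azure AD group display name before applying.
data "azuread_group" "data-science" {
  name = "DataScience" # PLACEHOLDER: confirm the actual group display name
}

## local variables
locals {
  # First four characters of the lower-cased subscription display name; used
  # by this module and its callers as an environment tag and inside resource
  # names. The redundant "${...}" wrapper around the argument was dropped —
  # lower() takes the string directly and the value is unchanged.
  subscription_name = substr(lower(data.azurerm_subscription.subscription_current.display_name), 0, 4)
  tenant_id         = data.azurerm_subscription.subscription_current.tenant_id
}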
## Create resource group and add permission
# These resource groups are shared infrastructure with fixed names ("data",
# "key-vault"). Every root configuration that instantiates this module claims
# the same two groups, and a destroy of any such root plans to destroy them —
# this is the behaviour the question describes.
resource "azurerm_resource_group" "data" {
name = "data"
location = var.location
tags = {
owner = "Data"
environment = local.subscription_name
}
}
# Grants the DBA Azure AD group the role named by var.permission_level, scoped
# to the "data" resource group only (not the subscription).
resource "azurerm_role_assignment" "DBA_Data_Permission" {
scope = azurerm_resource_group.data.id
role_definition_name = var.permission_level
principal_id = data.azuread_group.dba.id
}
# Holds the Key Vault created by the key-vault module; no role assignment is
# applied to this group here.
resource "azurerm_resource_group" "key-vault" {
name = "key-vault"
location = var.location
tags = {
owner = "techops"
environment = local.subscription_name
}
}
## Output Locals
# Values derived from the subscription lookup; callers use them for naming and
# tagging.
output "subscription_name" {
value = local.subscription_name
}
output "tenant_id" {
value = local.tenant_id
}
# Object id of the identity running Terraform (azurerm_client_config), not of
# any managed principal — it changes with whoever performs the apply.
output "object_id" {
value = data.azurerm_client_config.current.object_id
}
## Output Resource Groups
output "rg_data_id" {
value = azurerm_resource_group.data.id
}
output "rg_data_name" {
value = azurerm_resource_group.data.name
}
output "rg_key-vault_id" {
value = azurerm_resource_group.key-vault.id
}
output "rg_key-vault_name" {
value = azurerm_resource_group.key-vault.name
}
## Output Azure AD lookups
# For azuread_group the id attribute is the group's object id, which is what
# role assignments and Key Vault access policies expect as principal/object id.
output "aad_dba_id" {
value = data.azuread_group.dba.id
}
output "aad_dba_name" {
value = data.azuread_group.dba.name
}
output "aad_bi-developer_id" {
value = data.azuread_group.bi-developer.id
}
# References data.azuread_group.data-science, which is not declared among the
# lookups at the top of this module; a matching data block must exist in the
# module or validation fails with an undeclared-resource error.
output "aad_data-science_id" {
value = data.azuread_group.data-science.id
}
以及在我的嵌套模块之一中用于在此实例中创建数据库资源的用法示例:-
# Shared "global" module. The key-vault module below instantiates it as well,
# so each root carries its own copy of the shared resource groups in its own
# state; destroying this root therefore also plans to destroy those groups.
# `prefix` is passed in but is not referenced anywhere in the global module
# listing shown above.
module "global" {
source = "../global"
permission_level = var.permission_level
location = var.location
prefix = var.prefix
}
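# Azure SQL logical server for the warehouse, placed in the shared "data"
# resource group owned by the global module.
resource "azurerm_sql_server" "dwh" {
  name                = "${var.prefix}-dwh-${module.global.subscription_name}"
  resource_group_name = module.global.rg_data_name
  location            = var.location
  version             = "12.0"

  # SQL authentication credentials come from variables whose definitions are
  # not in this listing. Declare var.sql_login_password with `sensitive = true`
  # (Terraform >= 0.14) so it is redacted from plan output; note that the value
  # is still stored in clear text in the state file.
  administrator_login          = var.sql_login_name
  administrator_login_password = var.sql_login_password

  tags = {
    environment = module.global.subscription_name
    owner       = "Data"
    # Redundant "${...}" interpolation removed; the value is unchanged.
    subscription = module.global.subscription_name
  }
}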
# Makes the DBA Azure AD group (looked up by the global module) the AD
# administrator of the warehouse server: login is the group's display name,
# object_id the group's object id, tenant_id the subscription's tenant.
resource "azurerm_sql_active_directory_administrator" "dwh" {
server_name = azurerm_sql_server.dwh.name
resource_group_name = module.global.rg_data_name
login = module.global.aad_dba_name
tenant_id = module.global.tenant_id
object_id = module.global.aad_dba_id
}
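# General Purpose Gen5 elastic pool on the warehouse server; it reuses the
# server's naming pattern.
resource "azurerm_mssql_elasticpool" "dwh-ep" {
  name                = "${var.prefix}-dwh-${module.global.subscription_name}"
  resource_group_name = module.global.rg_data_name
  location            = var.location
  server_name         = azurerm_sql_server.dwh.name
  max_size_gb         = 1000

  sku {
    name     = "GP_Gen5"
    tier     = "GeneralPurpose"
    family   = "Gen5"
    capacity = 6
  }

  per_database_settings {
    min_capacity = 0.25
    max_capacity = 4
  }

  # The dependency on azurerm_sql_server.dwh is already implied by the
  # server_name reference above; only the ordering after the AD administrator
  # assignment has to be stated explicitly.
  depends_on = [azurerm_sql_active_directory_administrator.dwh]
}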
然后在另一个单独的模块中用以下代码创建密钥保管库,并复用全局模块的一些输出:-
# Second instantiation of the shared "global" module (the database module above
# has its own). Each root keeps its own copy of the shared resource groups in
# its own state, so a destroy of this root plans to destroy them as well.
# `prefix` is passed in but is not referenced in the global module listing.
module "global" {
source = "../global"
permission_level = var.permission_level
location = var.location
prefix = var.prefix
}
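# Key Vault for the data platform, placed in the shared "key-vault" resource
# group and bound to the tenant resolved by the global module.
resource "azurerm_key_vault" "data" {
  # Key Vault names are globally unique and limited to 3-24 alphanumerics and
  # hyphens; subscription_name is the first four characters of the lower-cased
  # subscription display name, so confirm it cannot contain other characters.
  name                = "${var.prefix}-data-${module.global.subscription_name}"
  location            = var.location
  # Redundant "${...}" interpolation removed; the value is unchanged.
  resource_group_name = module.global.rg_key-vault_name
  tenant_id           = module.global.tenant_id
  sku_name            = "standard"

  enabled_for_disk_encryption = true

  # Not configured here: purge_protection_enabled and network_acls. Without
  # them a deleted vault or key can be purged immediately and the vault accepts
  # requests from any network; both are worth setting for a vault that holds
  # production secrets.
  tags = {
    environment = module.global.subscription_name
    owner       = "data"
  }
}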
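# Read-only access for the BI developers group: list and fetch certificates,
# keys and secrets, nothing that can create, change or purge them.
resource "azurerm_key_vault_access_policy" "data-bi-developer" {
  # Redundant "${...}" interpolation removed; the value is unchanged.
  key_vault_id = azurerm_key_vault.data.id
  tenant_id    = module.global.tenant_id
  object_id    = module.global.aad_bi-developer_id

  certificate_permissions = ["get", "list"]
  key_permissions         = ["get", "list"]
  secret_permissions      = ["get", "list"]
}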
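# Administrative access policy. module.global.object_id is the object id of
# the identity running Terraform (azurerm_client_config in the global module),
# so this grants full rights — including purge — to whoever performs the apply
# rather than to a fixed administrative principal. The object id changes when a
# different user or service principal runs Terraform, which rewrites this
# policy and removes the previous identity's access; pin it to a dedicated
# admin group or service principal if standing access is intended.
resource "azurerm_key_vault_access_policy" "data-admin" {
  # Redundant "${...}" interpolations removed; the values are unchanged.
  key_vault_id = azurerm_key_vault.data.id
  tenant_id    = module.global.tenant_id
  object_id    = module.global.object_id

  certificate_permissions = [
    "create",
    "delete",
    "deleteissuers",
    "get",
    "getissuers",
    "import",
    "list",
    "listissuers",
    "managecontacts",
    "manageissuers",
    "setissuers",
    "update",
  ]

  key_permissions = [
    "backup",
    "create",
    "decrypt",
    "delete",
    "encrypt",
    "get",
    "import",
    "list",
    "purge",
    "recover",
    "restore",
    "sign",
    "unwrapKey",
    "update",
    "verify",
    "wrapKey",
  ]

  secret_permissions = [
    "backup",
    "delete",
    "get",
    "list",
    "purge",
    "recover",
    "restore",
    "set",
  ]
}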
好的,问题解决了:基本做法是将全局模块拆分为三个模块;一个只做查找,针对完全不由 Terraform 创建的资源(例如订阅、Azure AD 等);一个负责创建资源组并应用权限;另一个则是纯粹的数据模块,供其他模块读取这些资源组。
我目前正在 Terraform 中编写一些新的 Azure 基础设施脚本,并使用嵌套模块这样做,以便更好地管理和部署我们基础设施的不同部分。
我创建了一个名为 global
的模块,其中包含多个共享资源(几乎只是 Azure 资源组和权限)以及一些 Azure AD 查找和当前客户端配置。将这些放在一个中央模块中似乎可以避免代码重复,并确保在整个项目中一致地处理它们。
但是,我注意到当我从任意一个模块运行 terraform destroy
时,全局模块中的所有对象都被标记为被毁。有没有办法从销毁过程中排除嵌套模块?
我是否真的应该把全局模块中资源的创建(也就是那些专门的资源组以及应用于它们的权限)放到一个单独的、非嵌套的模块中,然后让嵌套的全局模块改为只通过 data 数据源去查找这些资源的值?
全局模块的示例代码:-
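## Lookups for context that Terraform does not manage: the identity running
## Terraform, the current subscription and the Azure AD groups that are granted
## permissions further down.
data "azurerm_client_config" "current" {}
data "azurerm_subscription" "subscription_current" {}

data "azuread_group" "dba" {
  name = "DBAs"
}

data "azuread_group" "bi-developer" {
  name = "BIDevelopers"
}

# Added so that output "aad_data-science_id" (which references
# data.azuread_group.data-science) resolves; the module had no such lookup.
# The group name below is a CONSTRUCTED PLACEHOLDER — replace it with the real
# Azure AD group display name before applying.
data "azuread_group" "data-science" {
  name = "DataScience" # PLACEHOLDER: confirm the actual group display name
}

## local variables
locals {
  # First four characters of the lower-cased subscription display name; used
  # by this module and its callers as an environment tag and inside resource
  # names. The redundant "${...}" wrapper around the argument was dropped —
  # lower() takes the string directly and the value is unchanged.
  subscription_name = substr(lower(data.azurerm_subscription.subscription_current.display_name), 0, 4)
  tenant_id         = data.azurerm_subscription.subscription_current.tenant_id
}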
## Create resource group and add permission
# These resource groups are shared infrastructure with fixed names ("data",
# "key-vault"). Every root configuration that instantiates this module claims
# the same two groups, and a destroy of any such root plans to destroy them —
# this is the behaviour the question describes.
resource "azurerm_resource_group" "data" {
name = "data"
location = var.location
tags = {
owner = "Data"
environment = local.subscription_name
}
}
# Grants the DBA Azure AD group the role named by var.permission_level, scoped
# to the "data" resource group only (not the subscription).
resource "azurerm_role_assignment" "DBA_Data_Permission" {
scope = azurerm_resource_group.data.id
role_definition_name = var.permission_level
principal_id = data.azuread_group.dba.id
}
# Holds the Key Vault created by the key-vault module; no role assignment is
# applied to this group here.
resource "azurerm_resource_group" "key-vault" {
name = "key-vault"
location = var.location
tags = {
owner = "techops"
environment = local.subscription_name
}
}
## Output Locals
# Values derived from the subscription lookup; callers use them for naming and
# tagging.
output "subscription_name" {
value = local.subscription_name
}
output "tenant_id" {
value = local.tenant_id
}
# Object id of the identity running Terraform (azurerm_client_config), not of
# any managed principal — it changes with whoever performs the apply.
output "object_id" {
value = data.azurerm_client_config.current.object_id
}
## Output Resource Groups
output "rg_data_id" {
value = azurerm_resource_group.data.id
}
output "rg_data_name" {
value = azurerm_resource_group.data.name
}
output "rg_key-vault_id" {
value = azurerm_resource_group.key-vault.id
}
output "rg_key-vault_name" {
value = azurerm_resource_group.key-vault.name
}
## Output Azure AD lookups
# For azuread_group the id attribute is the group's object id, which is what
# role assignments and Key Vault access policies expect as principal/object id.
output "aad_dba_id" {
value = data.azuread_group.dba.id
}
output "aad_dba_name" {
value = data.azuread_group.dba.name
}
output "aad_bi-developer_id" {
value = data.azuread_group.bi-developer.id
}
# References data.azuread_group.data-science, which is not declared among the
# lookups at the top of this module; a matching data block must exist in the
# module or validation fails with an undeclared-resource error.
output "aad_data-science_id" {
value = data.azuread_group.data-science.id
}
以及在我的嵌套模块之一中用于在此实例中创建数据库资源的用法示例:-
# Shared "global" module. The key-vault module below instantiates it as well,
# so each root carries its own copy of the shared resource groups in its own
# state; destroying this root therefore also plans to destroy those groups.
# `prefix` is passed in but is not referenced anywhere in the global module
# listing shown above.
module "global" {
source = "../global"
permission_level = var.permission_level
location = var.location
prefix = var.prefix
}
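# Azure SQL logical server for the warehouse, placed in the shared "data"
# resource group owned by the global module.
resource "azurerm_sql_server" "dwh" {
  name                = "${var.prefix}-dwh-${module.global.subscription_name}"
  resource_group_name = module.global.rg_data_name
  location            = var.location
  version             = "12.0"

  # SQL authentication credentials come from variables whose definitions are
  # not in this listing. Declare var.sql_login_password with `sensitive = true`
  # (Terraform >= 0.14) so it is redacted from plan output; note that the value
  # is still stored in clear text in the state file.
  administrator_login          = var.sql_login_name
  administrator_login_password = var.sql_login_password

  tags = {
    environment = module.global.subscription_name
    owner       = "Data"
    # Redundant "${...}" interpolation removed; the value is unchanged.
    subscription = module.global.subscription_name
  }
}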
# Makes the DBA Azure AD group (looked up by the global module) the AD
# administrator of the warehouse server: login is the group's display name,
# object_id the group's object id, tenant_id the subscription's tenant.
resource "azurerm_sql_active_directory_administrator" "dwh" {
server_name = azurerm_sql_server.dwh.name
resource_group_name = module.global.rg_data_name
login = module.global.aad_dba_name
tenant_id = module.global.tenant_id
object_id = module.global.aad_dba_id
}
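# General Purpose Gen5 elastic pool on the warehouse server; it reuses the
# server's naming pattern.
resource "azurerm_mssql_elasticpool" "dwh-ep" {
  name                = "${var.prefix}-dwh-${module.global.subscription_name}"
  resource_group_name = module.global.rg_data_name
  location            = var.location
  server_name         = azurerm_sql_server.dwh.name
  max_size_gb         = 1000

  sku {
    name     = "GP_Gen5"
    tier     = "GeneralPurpose"
    family   = "Gen5"
    capacity = 6
  }

  per_database_settings {
    min_capacity = 0.25
    max_capacity = 4
  }

  # The dependency on azurerm_sql_server.dwh is already implied by the
  # server_name reference above; only the ordering after the AD administrator
  # assignment has to be stated explicitly.
  depends_on = [azurerm_sql_active_directory_administrator.dwh]
}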
然后在另一个单独的模块中用以下代码创建密钥保管库,并复用全局模块的一些输出:-
# Second instantiation of the shared "global" module (the database module above
# has its own). Each root keeps its own copy of the shared resource groups in
# its own state, so a destroy of this root plans to destroy them as well.
# `prefix` is passed in but is not referenced in the global module listing.
module "global" {
source = "../global"
permission_level = var.permission_level
location = var.location
prefix = var.prefix
}
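# Key Vault for the data platform, placed in the shared "key-vault" resource
# group and bound to the tenant resolved by the global module.
resource "azurerm_key_vault" "data" {
  # Key Vault names are globally unique and limited to 3-24 alphanumerics and
  # hyphens; subscription_name is the first four characters of the lower-cased
  # subscription display name, so confirm it cannot contain other characters.
  name                = "${var.prefix}-data-${module.global.subscription_name}"
  location            = var.location
  # Redundant "${...}" interpolation removed; the value is unchanged.
  resource_group_name = module.global.rg_key-vault_name
  tenant_id           = module.global.tenant_id
  sku_name            = "standard"

  enabled_for_disk_encryption = true

  # Not configured here: purge_protection_enabled and network_acls. Without
  # them a deleted vault or key can be purged immediately and the vault accepts
  # requests from any network; both are worth setting for a vault that holds
  # production secrets.
  tags = {
    environment = module.global.subscription_name
    owner       = "data"
  }
}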
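# Read-only access for the BI developers group: list and fetch certificates,
# keys and secrets, nothing that can create, change or purge them.
resource "azurerm_key_vault_access_policy" "data-bi-developer" {
  # Redundant "${...}" interpolation removed; the value is unchanged.
  key_vault_id = azurerm_key_vault.data.id
  tenant_id    = module.global.tenant_id
  object_id    = module.global.aad_bi-developer_id

  certificate_permissions = ["get", "list"]
  key_permissions         = ["get", "list"]
  secret_permissions      = ["get", "list"]
}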
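# Administrative access policy. module.global.object_id is the object id of
# the identity running Terraform (azurerm_client_config in the global module),
# so this grants full rights — including purge — to whoever performs the apply
# rather than to a fixed administrative principal. The object id changes when a
# different user or service principal runs Terraform, which rewrites this
# policy and removes the previous identity's access; pin it to a dedicated
# admin group or service principal if standing access is intended.
resource "azurerm_key_vault_access_policy" "data-admin" {
  # Redundant "${...}" interpolations removed; the values are unchanged.
  key_vault_id = azurerm_key_vault.data.id
  tenant_id    = module.global.tenant_id
  object_id    = module.global.object_id

  certificate_permissions = [
    "create",
    "delete",
    "deleteissuers",
    "get",
    "getissuers",
    "import",
    "list",
    "listissuers",
    "managecontacts",
    "manageissuers",
    "setissuers",
    "update",
  ]

  key_permissions = [
    "backup",
    "create",
    "decrypt",
    "delete",
    "encrypt",
    "get",
    "import",
    "list",
    "purge",
    "recover",
    "restore",
    "sign",
    "unwrapKey",
    "update",
    "verify",
    "wrapKey",
  ]

  secret_permissions = [
    "backup",
    "delete",
    "get",
    "list",
    "purge",
    "recover",
    "restore",
    "set",
  ]
}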
好的,问题解决了:基本做法是将全局模块拆分为三个模块;一个只做查找,针对完全不由 Terraform 创建的资源(例如订阅、Azure AD 等);一个负责创建资源组并应用权限;另一个则是纯粹的数据模块,供其他模块读取这些资源组。