Setting CORS in Azure storage account from Terraform
I have written some Terraform code to create an Azure storage account. Here is the code:
resource "azurerm_storage_account" "i_ten_prov_storage" {
  name                     = "${var.storage_account_name}"
  resource_group_name      = "${azurerm_resource_group.i_resource_group.name}"
  location                 = "${var.location}"
  account_tier             = "Standard"
  account_replication_type = "LRS"
  account_kind             = "StorageV2"
  /* cors_rule {
    allowed_headers    = "${var.allowed_headers}"
    allowed_methods    = "${var.allowed_methods}"
    allowed_origins    = "${var.allowed_origins}"
    exposed_headers    = "${var.exposed_headers}"
    max_age_in_seconds = "${var.max_age_in_seconds}"
  }*/
  cors_rule {
    allowed_headers    = ["*"]
    allowed_methods    = ["*"]
    allowed_origins    = ["*"]
    exposed_headers    = ["*"]
    max_age_in_seconds = ["*"]
  }
  tags = "${local.tags}"
}
I am following this documentation, which says that CORS is allowed for Azure storage accounts in Terraform: https://www.terraform.io/docs/providers/azurerm/r/storage_account.html#allowed_headers
But when I run terraform apply, I get the following error:
Error: azurerm_storage_account.idl_tenant_provisioning_storage: : invalid or unknown key: cors_rule
ERROR: Job failed: exit code 1
I am using Terraform 0.11.11.
From the Azure portal I can see that CORS can be applied separately to each type of storage.
I want to apply it to all kinds of objects.
The documentation is not clear here, but the cors_rule block should be nested under the queue_properties block, as described in the documentation for the resource:
A queue_properties block supports the following:
cors_rule - (Optional) A cors_rule block as defined below.
logging - (Optional) A logging block as defined below.
minute_metrics - (Optional) A minute_metrics block as defined below.
hour_metrics - (Optional) A hour_metrics block as defined below.
You can also see this in the schema for the resource in the source code:
// ...
"queue_properties": {
    Type:     schema.TypeList,
    Optional: true,
    Computed: true,
    MaxItems: 1,
    Elem: &schema.Resource{
        Schema: map[string]*schema.Schema{
            "cors_rule": {
            // ...
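I think a possible solution is to execute the Azure CLI command from within Terraform.
I found that the CLI command az storage cors add can add the CORS rule to all services if you set the parameter --services to the value bfqt. You can then use a Terraform null_resource to execute the command. Sample code as follows: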
resource "null_resource" "test" {
  provisioner "local-exec" {
    command = "az storage cors add --methods GET POST PUT --origins '*' --services bqft --account-name xxx"
  }
}
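You can add more parameters to the CLI command as needed. There is also the PowerShell command Set-AzStorageCORSRule, but the CLI command is more convenient and more suitable.
The cors_rule must be inside the blob_properties block.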
resource "azurerm_storage_account" "strgacc" {
  name                     = "strgacc"
  resource_group_name      = azurerm_resource_group.rg.name
  location                 = azurerm_resource_group.rg.location
  account_tier             = "Standard"
  account_replication_type = "GRS"
  blob_properties {
    cors_rule {
      allowed_headers    = ["*"]
      allowed_methods    = ["GET", "HEAD", "POST", "PUT"]
      allowed_origins    = ["https://example.com"]
      exposed_headers    = ["*"]
      max_age_in_seconds = 3600
    }
  }
}
resource "azurerm_storage_account" "storage" {
  name                     = var.storage_account_name
  resource_group_name      = data.terraform_remote_state.rg.outputs.rg_name
  location                 = data.terraform_remote_state.rg.outputs.rg_location
  account_tier             = "Standard"
  account_replication_type = "LRS"
  allow_blob_public_access = true
  blob_properties {
    cors_rule {
      allowed_headers    = ["*"]
      allowed_methods    = ["GET", "HEAD", "OPTIONS", "PUT"]
      allowed_origins    = ["https://google.ga", "http://localhost:4200"]
      exposed_headers    = ["*"]
      max_age_in_seconds = 200
    }
  }
  tags = {
    Environment = "QA"
    Team        = "Yes"
  }
}
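An added example, not part of the question or any answer above: a Python check over `terraform show -json` plan output that reports wildcard and non-HTTPS `allowed_origins` in any `cors_rule` nested under a `*_properties` block of an `azurerm_storage_account`. The sample plan is constructed, and the function names (`iter_resources`, `origin_problem`, `audit_cors`) are hypothetical.

```python
import json

# Constructed sample in the shape of `terraform show -json <planfile>` output.
SAMPLE_PLAN = json.loads("""
{"planned_values": {"root_module": {
  "resources": [
    {"address": "azurerm_storage_account.open", "type": "azurerm_storage_account",
     "values": {"queue_properties": [{"cors_rule": [
        {"allowed_origins": ["*"], "allowed_methods": ["GET", "PUT"]}]}]}}],
  "child_modules": [{"resources": [
    {"address": "module.qa.azurerm_storage_account.storage",
     "type": "azurerm_storage_account",
     "values": {"blob_properties": [{"cors_rule": [
        {"allowed_origins": ["https://example.com", "http://localhost:4200"],
         "allowed_methods": ["GET", "HEAD"]}]}]}}]}]
}}}
""")

def iter_resources(module):
    """Yield resources from a module and, recursively, its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)

def origin_problem(origin):
    """Return why an allowed origin is too broad, or None if acceptable."""
    if "*" in origin:
        return "wildcard origin"
    if not origin.startswith("https://"):
        return "non-HTTPS origin"
    return None

def audit_cors(plan):
    """Return (address, block, origin, reason) for each risky CORS origin."""
    findings = []
    root = plan.get("planned_values", {}).get("root_module", {})
    for res in iter_resources(root):
        if res.get("type") != "azurerm_storage_account":
            continue
        for block, entries in (res.get("values") or {}).items():
            # Nested blocks appear in plan JSON as lists of objects.
            if not block.endswith("_properties") or not isinstance(entries, list):
                continue
            for props in entries:
                for rule in props.get("cors_rule") or []:
                    for origin in rule.get("allowed_origins") or []:
                        reason = origin_problem(origin)
                        if reason:
                            findings.append((res["address"], block, origin, reason))
    return findings
```

Run `terraform show -json <planfile>`, load the result with `json.load`, and pass it to `audit_cors`; an empty list means no flagged origins.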