Terraform and KMS key aliases
I'm using the aws provider and trying to create an aws_workspaces_workspace with encrypted volumes.
I created an aws_kms_key with an associated alias (aws_kms_alias).
I specified the key alias (as a string) for volume_encryption_key.
The resource is created as expected, and I can verify in the console that the volumes are encrypted with the specified key.
My problem is that every time I re-run terraform apply, terraform reports that the aws_workspaces_workspace must be replaced because the key value changed (from key id to alias).
How can I prevent this? Is this a bug? Am I doing something wrong? Part of the relevant code is below.
resource "aws_workspaces_workspace" "workspace" {
  directory_id = aws_workspaces_directory.ws-ad.id
  bundle_id    = var.bundle_id
  user_name    = var.username

  root_volume_encryption_enabled = true
  user_volume_encryption_enabled = true
  volume_encryption_key          = "alias/workspace-volume"

  workspace_properties {
    compute_type_name                         = "POWER"
    user_volume_size_gib                      = 80
    root_volume_size_gib                      = 50
    running_mode                              = "AUTO_STOP"
    running_mode_auto_stop_timeout_in_minutes = 60
  }
}

resource "aws_kms_key" "kms-ws-volume" {
  description             = "Workspace Volume Encryption Key"
  key_usage               = "ENCRYPT_DECRYPT"
  deletion_window_in_days = 30
  is_enabled              = true
}

resource "aws_kms_alias" "kms-ws-volume-alias" {
  name          = "alias/workspace-volume"
  target_key_id = aws_kms_key.kms-ws-volume.key_id
}
This is what terraform apply reports:
  # aws_workspaces_workspace.workspace["1"] must be replaced
-/+ resource "aws_workspaces_workspace" "workspace" {
      ~ computer_name         = "WSAMZN-T34E23BK" -> (known after apply)
      ~ id                    = "ws-v98b0y17z" -> (known after apply)
      ~ ip_address            = "10.0.0.45" -> (known after apply)
      ~ state                 = "STOPPED" -> (known after apply)
        tags                  = {
            "Name"    = "workspace-user1-env1"
            "Owner"   = "mario"
            "Profile" = "dev"
            "Stack"   = "env1"
        }
      ~ volume_encryption_key = "arn:aws:kms:us-west-2:927743275319:key/09de3db9-ecdd-4be1-a781-705fdd0294f9" -> "alias/workspace-volume" # forces replacement
        # (6 unchanged attributes hidden)
        # (1 unchanged block hidden)
    }
Use the key's ARN: aws_kms_key.kms-ws-volume.arn
volume_encryption_key is storing the key's ARN, so the plan detects a change.
The example at https://registry.terraform.io/providers/hcavarsan/aws/latest/docs/resources/workspaces_workspace may be misleading in this respect, although the alias does work too.
Something similar happens with kms_key_id on aws_instance, because it stores the ARN rather than the key_id, and the plan always wants to replace the volume when the key_id rather than the ARN is used. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance#kms_key_id
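A corrected version of the question's configuration, as an added example that is not part of the original post or answer. The workspace references the key's arn attribute instead of the "alias/..." string, so the value Terraform keeps in state (the ARN shown in the plan above) matches the configured value and the attribute no longer forces replacement on every apply. The resource names, the aws_workspaces_directory.ws-ad reference and the variables are taken from the question; enable_key_rotation is an addition.

```hcl
resource "aws_kms_key" "kms-ws-volume" {
  description             = "Workspace Volume Encryption Key"
  key_usage               = "ENCRYPT_DECRYPT"
  deletion_window_in_days = 30
  is_enabled              = true
  enable_key_rotation     = true # added: automatic rotation of the key material
}

# The alias stays useful for people and for the console, but nothing in this
# configuration depends on it any more, so renaming it later is harmless.
resource "aws_kms_alias" "kms-ws-volume-alias" {
  name          = "alias/workspace-volume"
  target_key_id = aws_kms_key.kms-ws-volume.key_id
}

resource "aws_workspaces_workspace" "workspace" {
  directory_id = aws_workspaces_directory.ws-ad.id # assumed to exist, as in the question
  bundle_id    = var.bundle_id
  user_name    = var.username

  root_volume_encryption_enabled = true
  user_volume_encryption_enabled = true

  # Reference the ARN attribute rather than the "alias/..." string. The provider
  # stores the ARN in state, so configuration and state now agree and the plan
  # no longer prints "# forces replacement" for this attribute. Referencing the
  # attribute also gives Terraform an explicit dependency on the key resource.
  volume_encryption_key = aws_kms_key.kms-ws-volume.arn

  workspace_properties {
    compute_type_name                         = "POWER"
    user_volume_size_gib                      = 80
    root_volume_size_gib                      = 50
    running_mode                              = "AUTO_STOP"
    running_mode_auto_stop_timeout_in_minutes = 60
  }
}
```

With this in place, terraform plan -detailed-exitcode should exit 0 against the existing workspace, since state already holds the ARN. Resist the temptation to hide the diff with lifecycle { ignore_changes = [volume_encryption_key] }: that also silences a genuine change of key, and a forced replacement of a WorkSpace discards the user's volumes, which is exactly the outcome the perpetual diff threatens on every apply.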