Terraform:如何创建具有动态和静态内容的块
Terraform: How to create block with dynamic and static content
对于资源,如何创建一个既有动态内容又有静态内容的块?对于下面的示例,我所有的 Azure Key Vault 都将具有一组标准的访问策略,并且少数具有一个或多个附加策略。对于此测试密钥保管库,我想应用动态访问策略块,以及仅添加此密钥保管库独有的特定策略。
我尝试了多种方法将两者结合起来,但没有成功。
# Question's attempt: the dynamic block is valid, but the second
# access_policy further down is written with attribute syntax ("= [ ... ]"),
# which the provider rejects for a nested block (see the answer below).
resource "azurerm_key_vault" "key_vault-test" {
name = "kv-test"
location = azurerm_resource_group.rg-webapps.location
resource_group_name = azurerm_resource_group.rg-webapps.name
sku_name = "standard"
tenant_id = data.azurerm_client_config.current.tenant_id
# Standard policies shared by every vault, one block per entry of
# var.keyvault_accesspolicies.
dynamic "access_policy" {
for_each = var.keyvault_accesspolicies
content {
tenant_id = data.azurerm_client_config.current.tenant_id
object_id = access_policy.value["object_id"]
certificate_permissions = access_policy.value["certificate_permissions"]
key_permissions = access_policy.value["key_permissions"]
secret_permissions = access_policy.value["secret_permissions"]
}
}
# BUG: "access_policy = [ { ... } ]" is attribute syntax; access_policy is a
# nested block and must be written as "access_policy { ... }" (no "= [").
# The policy itself is intentionally narrow: secrets "Get" only, with
# "<some guid>" standing in for the principal's object id.
access_policy = [
{
tenant_id = data.azurerm_client_config.current.tenant_id
object_id = "<some guid>"
application_id = ""
certificate_permissions = []
key_permissions = []
secret_permissions = [
"Get"
]
storage_permissions = []
}
]
}
您以错误的方式声明了静态访问策略：access_policy 是嵌套块，它后面不应有 "=["。
我尝试使用以下代码并成功添加:
# Azure provider; the empty features block is mandatory for the 2.x provider
# and enables no optional behaviour here.
provider "azurerm" {
  features {}
}
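# Standard access policies applied to every key vault, keyed by a short label.
# Each entry grants one principal (object_id) the listed permissions; keep the
# lists to the minimum that principal needs. The object ids in the default are
# sample placeholders, not real principals.
variable "keyvault_accesspolicies" {
  description = "Standard Key Vault access policies, keyed by label; one entry per principal."

  # Type constraint so a malformed entry (missing list, wrong element type)
  # fails at validation time with a clear message instead of inside the
  # dynamic block that consumes it.
  type = map(object({
    object_id               = string
    certificate_permissions = list(string)
    key_permissions         = list(string)
    secret_permissions      = list(string)
  }))

  default = {
    one = {
      object_id               = "objectID1"
      certificate_permissions = ["Get"]
      key_permissions         = ["Get"]
      secret_permissions      = ["Get"]
    },
    second = {
      object_id               = "objectid2"
      certificate_permissions = ["Get", "List"]
      key_permissions         = ["Get", "List"]
      secret_permissions      = ["Get", "List"]
    }
  }
}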
# Identity Terraform is authenticated as; supplies tenant_id and object_id below.
data "azurerm_client_config" "current" {}
# Existing resource group the test vault is placed in (looked up, not created).
data "azurerm_resource_group" "name" {
  name = "ansumantest"
}
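# Test vault: the static access_policy block is the policy unique to this
# vault; the dynamic block adds the standard set from the variable.
# NOTE(review): inline access_policy blocks are the vault's full policy set;
# do not also manage the same vault's policies with separate
# azurerm_key_vault_access_policy resources, or the two will overwrite each
# other on every apply.
# NOTE(review): hardening such as purge protection, soft-delete retention and
# network_acls is not set in this block; confirm against the environment's
# baseline before reusing it outside a test.
resource "azurerm_key_vault" "key_vault-test" {
  name                = "ansumankvtest12"
  location            = data.azurerm_resource_group.name.location
  resource_group_name = data.azurerm_resource_group.name.name
  sku_name            = "standard"
  tenant_id           = data.azurerm_client_config.current.tenant_id

  # Static policy unique to this vault: the identity running Terraform gets
  # read access to secrets only.
  access_policy {
    tenant_id          = data.azurerm_client_config.current.tenant_id
    object_id          = data.azurerm_client_config.current.object_id
    secret_permissions = ["Get"]
  }

  # Standard policies, one block per entry of var.keyvault_accesspolicies.
  # A permission list missing from an entry defaults to no permissions, so an
  # incomplete entry fails closed instead of aborting the plan on an unknown
  # key; object_id stays mandatory because a policy without it is meaningless.
  dynamic "access_policy" {
    for_each = var.keyvault_accesspolicies
    content {
      tenant_id               = data.azurerm_client_config.current.tenant_id
      object_id               = access_policy.value["object_id"]
      certificate_permissions = lookup(access_policy.value, "certificate_permissions", [])
      key_permissions         = lookup(access_policy.value, "key_permissions", [])
      secret_permissions      = lookup(access_policy.value, "secret_permissions", [])
    }
  }
}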
输出:
对于资源,如何创建一个既有动态内容又有静态内容的块?对于下面的示例,我所有的 Azure Key Vault 都将具有一组标准的访问策略,并且少数具有一个或多个附加策略。对于此测试密钥保管库,我想应用动态访问策略块,以及仅添加此密钥保管库独有的特定策略。
我尝试了多种方法将两者结合起来,但没有成功。
# Question's attempt: the dynamic block is valid, but the second
# access_policy further down is written with attribute syntax ("= [ ... ]"),
# which the provider rejects for a nested block (see the answer below).
resource "azurerm_key_vault" "key_vault-test" {
name = "kv-test"
location = azurerm_resource_group.rg-webapps.location
resource_group_name = azurerm_resource_group.rg-webapps.name
sku_name = "standard"
tenant_id = data.azurerm_client_config.current.tenant_id
# Standard policies shared by every vault, one block per entry of
# var.keyvault_accesspolicies.
dynamic "access_policy" {
for_each = var.keyvault_accesspolicies
content {
tenant_id = data.azurerm_client_config.current.tenant_id
object_id = access_policy.value["object_id"]
certificate_permissions = access_policy.value["certificate_permissions"]
key_permissions = access_policy.value["key_permissions"]
secret_permissions = access_policy.value["secret_permissions"]
}
}
# BUG: "access_policy = [ { ... } ]" is attribute syntax; access_policy is a
# nested block and must be written as "access_policy { ... }" (no "= [").
# The policy itself is intentionally narrow: secrets "Get" only, with
# "<some guid>" standing in for the principal's object id.
access_policy = [
{
tenant_id = data.azurerm_client_config.current.tenant_id
object_id = "<some guid>"
application_id = ""
certificate_permissions = []
key_permissions = []
secret_permissions = [
"Get"
]
storage_permissions = []
}
]
}
您以错误的方式声明了静态访问策略：access_policy 是嵌套块，它后面不应有 "=["。
我尝试使用以下代码并成功添加:
# Azure provider; the empty features block is mandatory for the 2.x provider
# and enables no optional behaviour here.
provider "azurerm" {
  features {}
}
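# Standard access policies applied to every key vault, keyed by a short label.
# Each entry grants one principal (object_id) the listed permissions; keep the
# lists to the minimum that principal needs. The object ids in the default are
# sample placeholders, not real principals.
variable "keyvault_accesspolicies" {
  description = "Standard Key Vault access policies, keyed by label; one entry per principal."

  # Type constraint so a malformed entry (missing list, wrong element type)
  # fails at validation time with a clear message instead of inside the
  # dynamic block that consumes it.
  type = map(object({
    object_id               = string
    certificate_permissions = list(string)
    key_permissions         = list(string)
    secret_permissions      = list(string)
  }))

  default = {
    one = {
      object_id               = "objectID1"
      certificate_permissions = ["Get"]
      key_permissions         = ["Get"]
      secret_permissions      = ["Get"]
    },
    second = {
      object_id               = "objectid2"
      certificate_permissions = ["Get", "List"]
      key_permissions         = ["Get", "List"]
      secret_permissions      = ["Get", "List"]
    }
  }
}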
# Identity Terraform is authenticated as; supplies tenant_id and object_id below.
data "azurerm_client_config" "current" {}
# Existing resource group the test vault is placed in (looked up, not created).
data "azurerm_resource_group" "name" {
  name = "ansumantest"
}
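# Test vault: the static access_policy block is the policy unique to this
# vault; the dynamic block adds the standard set from the variable.
# NOTE(review): inline access_policy blocks are the vault's full policy set;
# do not also manage the same vault's policies with separate
# azurerm_key_vault_access_policy resources, or the two will overwrite each
# other on every apply.
# NOTE(review): hardening such as purge protection, soft-delete retention and
# network_acls is not set in this block; confirm against the environment's
# baseline before reusing it outside a test.
resource "azurerm_key_vault" "key_vault-test" {
  name                = "ansumankvtest12"
  location            = data.azurerm_resource_group.name.location
  resource_group_name = data.azurerm_resource_group.name.name
  sku_name            = "standard"
  tenant_id           = data.azurerm_client_config.current.tenant_id

  # Static policy unique to this vault: the identity running Terraform gets
  # read access to secrets only.
  access_policy {
    tenant_id          = data.azurerm_client_config.current.tenant_id
    object_id          = data.azurerm_client_config.current.object_id
    secret_permissions = ["Get"]
  }

  # Standard policies, one block per entry of var.keyvault_accesspolicies.
  # A permission list missing from an entry defaults to no permissions, so an
  # incomplete entry fails closed instead of aborting the plan on an unknown
  # key; object_id stays mandatory because a policy without it is meaningless.
  dynamic "access_policy" {
    for_each = var.keyvault_accesspolicies
    content {
      tenant_id               = data.azurerm_client_config.current.tenant_id
      object_id               = access_policy.value["object_id"]
      certificate_permissions = lookup(access_policy.value, "certificate_permissions", [])
      key_permissions         = lookup(access_policy.value, "key_permissions", [])
      secret_permissions      = lookup(access_policy.value, "secret_permissions", [])
    }
  }
}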
输出: