我面临一个与 terraform 相关的问题和工作流程,以自动创建存储帐户、密钥保管库和访问策略。 我想要实现的目标如下:
我有一个使用 for_each 循环运行的存储帐户:
//==================================================
// Automation storage accounts
//==================================================
resource "azurerm_storage_account" "storage-foreach" {
for_each = var.storage-foreach
access_tier = "Hot"
account_kind = "StorageV2"
account_replication_type = "LRS"
account_tier = "Standard"
location = var.location
name = each.value
resource_group_name = azurerm_resource_group.tenant-testing-hamza.name
depends_on = [azurerm_key_vault_key.client-key]
identity {
type = "SystemAssigned"
}
lifecycle {
prevent_destroy = false
}
}
此存储帐户资源,循环访问此变量以创建存储帐户
variable "storage-foreach" {
type = map(string)
default = { "storage1" = "storage1", "storage2" = "storage2", "storage3" = "storage3", "storage4" = "storage4"}
}
到目前为止一切顺利。我想将这些存储帐户对象 ID 添加到我的密钥保管库访问策略中,如下所示:
resource "azurerm_key_vault_access_policy" "storage" {
for_each = var.storage-foreach
key_vault_id = azurerm_key_vault.tenantsnbshared.id
tenant_id = "<tenant-id"
object_id = azurerm_storage_account.storage-foreach[each.key].identity.0.principal_id
key_permissions = ["get", "Create", "List", "Restore", "Recover", "Unwrapkey", "Wrapkey", "Purge", "Encrypt", "Decrypt", "Sign", "Verify"]
secret_permissions = ["get", "set", "list", "delete", "recover"]
}
到目前为止,在创建资源时一切正常,我已经制定了所有访问策略。但是,如果我尝试从我的变量中删除,例如 storage1,存储帐户将被删除,并且与该特定存储相关的访问策略,这很好。
这是我面临的主要问题。如果我尝试在变量中再次添加相同的存储并运行 terraform apply ,则会发生 3 个仍然存在的策略被删除并创建存储帐户的访问策略。如果我再做一次 terraform apply 逻辑被颠倒,它将删除第一个存储帐户访问策略并添加其他 3 个。
我找不到仅根据我在变量中设置的元素来更新我的访问策略的解决方案。