Cyclic dependency in Terraform with the Azure provider

Time: 2019-07-08 02:32:58

Tags: terraform terraform-provider-azure

I am trying to provision infrastructure with the Azure provider. I have already done the same thing through the Azure CLI, but want to move to Terraform.

Unfortunately, I am running into a cyclic dependency that I cannot seem to resolve. I have the following items.

  1. A Cognitive Services account with a generated API key
  2. An AppService with a SystemAssigned identity;
  3. A Key Vault with read permission for the identity specified in (2);
  4. A Key Vault secret holding the API key generated in (1).
  5. The AppService in (2) needs to be updated with the secret ID generated in (3). - The problem.

Now: I need to set the AppService's configuration to reference the secret ID that is generated when the secret is added to the vault, but I cannot.

Is there a way to edit these values so that the configuration can be set in parts? I.e. provide x, then modify it?

Edit: my Terraform file is below:

provider "azurerm" {
    version = "=1.28.0"
}

variable "TENANT_ID" {
  type = string
}

resource "azurerm_resource_group" "test" {
    name = "resourceGroup1"
    location = "australiaeast"
}

resource "azurerm_app_service_plan" "plan" {
  name = "resourceGroup1"
  location = "${azurerm_resource_group.test.location}"
  resource_group_name = "${azurerm_resource_group.test.name}"
  kind = "Linux"

  sku {
    tier = "Basic"
    size = "B1"
  }
}

resource "azurerm_cognitive_account" "cognitive" {
  name = "resourceGroup1-cognitive"
  location = "${azurerm_resource_group.test.location}"
  resource_group_name = "${azurerm_resource_group.test.name}"
  kind = "ComputerVision"

  sku {
    name = "S0"
    tier = "Standard"
  }
}

resource "azurerm_key_vault" "keyvault" {
  name = "resourceGroup1-keyvault"
  location = "${azurerm_resource_group.test.location}"
  resource_group_name = "${azurerm_resource_group.test.name}"
  tenant_id = var.TENANT_ID

  sku {
    name = "standard"
  }

  access_policy {
    tenant_id = "${azurerm_app_service.api.identity.0.tenant_id}"
    object_id = "${azurerm_app_service.api.identity.0.principal_id}"

    secret_permissions = [ "get" ]
  }
}

resource "azurerm_key_vault_secret" "keyvault-apikey" {
  name = "AzureComputerVisionApiKey"
  value = "${azurerm_cognitive_account.cognitive.primary_access_key}"
  key_vault_id = "${azurerm_key_vault.keyvault.id}"
}

resource "azurerm_app_service" "api" {
  name = "resourceGroup1-api"
  location = "${azurerm_resource_group.test.location}"
  resource_group_name = "${azurerm_resource_group.test.name}"
  app_service_plan_id = "${azurerm_app_service_plan.plan.id}"

  identity {
    type = "SystemAssigned"
  }

  app_settings = {
    "ASPNETCORE_AzureComputerVisionApiKey" = "THIS IS A NORMAL SECRET VALUE"
  }
}

If I change the value of the "ASPNETCORE_AzureComputerVisionApiKey" line to:

    "ASPNETCORE_AzureComputerVisionApiKey" = "@Microsoft.KeyVault(${azurerm_key_vault_secret.keyvault-apikey.id})"

in order to reference the Key Vault secret, I get the following error during the terraform plan operation:

Error: Cycle: azurerm_app_service.api, azurerm_key_vault.keyvault, azurerm_key_vault_secret.keyvault-apikey

1 answer:

Answer 0 (score: 1)

For your question, as the error shows, it is a cyclic dependency problem.

When you change the app_settings of the resource azurerm_app_service like this:

"ASPNETCORE_AzureComputerVisionApiKey" = "@Microsoft.KeyVault(${azurerm_key_vault_secret.keyvault-apikey.id})"

then the dependencies look like this:

azurerm_key_vault_secret depends on azurerm_key_vault

azurerm_key_vault depends on azurerm_app_service

azurerm_app_service depends on azurerm_key_vault

So it shows the error and cannot create all the resources.

The solution is to change the order of resource creation like this:

  1. azurerm_cognitive_account
  2. azurerm_key_vault without an access policy
  3. azurerm_key_vault_secret
  4. azurerm_app_service
  5. azurerm_key_vault_access_policy

Just separate the key vault and the key vault access policy, and the cyclic dependency disappears.
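The separated layout the answer describes, written out as an added example (not code from the question or the answer). It assumes Terraform 0.12 syntax with azurerm 1.28.0 as in the question, introduces a hypothetical DEPLOYER_OBJECT_ID variable for the principal running terraform (which needs set permission on secrets before it can write the API key), and uses the SecretUri= form of the App Service Key Vault reference:

```hcl
# Vault without an inline access_policy block, so it no longer depends on the App Service.
resource "azurerm_key_vault" "keyvault" {
  name                = "resourceGroup1-keyvault"
  location            = azurerm_resource_group.test.location
  resource_group_name = azurerm_resource_group.test.name
  tenant_id           = var.TENANT_ID
  sku {
    name = "standard"
  }
}

# Assumed for this example: the principal running Terraform must be allowed to write the
# secret. DEPLOYER_OBJECT_ID is a variable introduced here, not from the question.
resource "azurerm_key_vault_access_policy" "deployer" {
  key_vault_id       = azurerm_key_vault.keyvault.id
  tenant_id          = var.TENANT_ID
  object_id          = var.DEPLOYER_OBJECT_ID
  secret_permissions = ["get", "set", "delete"]
}

resource "azurerm_key_vault_secret" "keyvault-apikey" {
  name         = "AzureComputerVisionApiKey"
  value        = azurerm_cognitive_account.cognitive.primary_access_key
  key_vault_id = azurerm_key_vault.keyvault.id
  depends_on   = [azurerm_key_vault_access_policy.deployer]
}

resource "azurerm_app_service" "api" {
  name                = "resourceGroup1-api"
  location            = azurerm_resource_group.test.location
  resource_group_name = azurerm_resource_group.test.name
  app_service_plan_id = azurerm_app_service_plan.plan.id
  identity {
    type = "SystemAssigned"
  }
  app_settings = {
    # Key Vault reference syntax expected by App Service; the secret id is its versioned URI.
    "ASPNETCORE_AzureComputerVisionApiKey" = "@Microsoft.KeyVault(SecretUri=${azurerm_key_vault_secret.keyvault-apikey.id})"
  }
}

# Read-only policy for the App Service identity, created after the App Service exists.
# The graph is now cognitive -> vault -> secret -> app service -> this policy: no cycle.
resource "azurerm_key_vault_access_policy" "api" {
  key_vault_id       = azurerm_key_vault.keyvault.id
  tenant_id          = azurerm_app_service.api.identity.0.tenant_id
  object_id          = azurerm_app_service.api.identity.0.principal_id
  secret_permissions = ["get"]
}
```

The remaining resources (provider, resource group, plan, cognitive account) stay as in the question; only the vault loses its inline policy and the two policies become their own resources.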