如何确保资源在Terraform某个模块中的资源之前被销毁?

时间:2020-02-09 06:17:54

标签: terraform

我有一个模块,用于设置对密钥库的默认访问。然后,我有一个在密钥库中设置秘密的资源:

module "default_kv_access" {
  source = "../default_kv_access"
  key_vault = azurerm_key_vault.kv
}
...
resource "azurerm_key_vault_secret" "secrets" {
  for_each = local.secrets

  name         = each.key
  value        = each.value
  key_vault_id = azurerm_key_vault.kv.id
}

当被破坏时,terraform首先破坏模块,然后尝试破坏秘密(这很浪费,因为密钥库无论如何都会被破坏,但是会给出)。

无论如何,terraform会首先破坏模块,因此会删除所有访问策略,因此在破坏azurerm_key_vault_secret资源时会失败-因为运行代码的服务主体没有必要的访问权,机密。

我需要告诉terraform azurerm_key_vault_secret取决于default_kv_access模块。

因此,考虑到我不能仅在depends_on语句中提及该模块,问题是我该怎么做。

编辑1

模块代码为:

variable "key_vault" {}

locals {
  ctx = jsondecode(file("${path.root}/../${basename(abspath(path.root)) == "product" ? "" : "../"}metadata.g.json"))

  # Will have to be replaced when the hosting is ready
  hosting_ad_group_name = "AdminRole-Product-DFDevelopmentOps"
}

data "azurerm_client_config" "client" {}

data "azuread_service_principal" "hosting_sp" {
  display_name = local.ctx.HostingAppName
}

data "azuread_group" "hosting_ad_group" {
  name = local.hosting_ad_group_name
}

locals {
  allow_kv_access_to = {
    client = {
      object_id          = data.azurerm_client_config.client.object_id
      secret_permissions = ["get", "set", "list", "delete", "recover", "backup", "restore"]
    }
    hosting_sp = {
      object_id          = data.azuread_service_principal.hosting_sp.object_id
      secret_permissions = ["get", "set", "list", "delete", "recover", "backup", "restore"]
    }
    hosting_ad_group = {
      object_id          = data.azuread_group.hosting_ad_group.id
      secret_permissions = ["get", "list"]
    }
  }
}

resource "azurerm_key_vault_access_policy" "default" {
  for_each = local.allow_kv_access_to

  key_vault_id = var.key_vault.id
  tenant_id    = var.key_vault.tenant_id
  object_id    = each.value.object_id

  secret_permissions = each.value.secret_permissions
}

1 个答案:

答案 0 :(得分:0)

我已看到完成此操作的一种方法(使用模块进行depends_on)是在locals属性中引用模块的属性,然后在资源中depends_on引用该本地引用。我已经在一些自己的配置中进行了此工作,并且得到了预期的结果,该资源没有在模块之前被破坏或创建。

示例:

module "default_kv_access" {
  source = "../default_kv_access"
  key_vault = azurerm_key_vault.kv
}

locals {
  module_depends_on = module.default_kv_access.name
}

resource "azurerm_key_vault_secret" "secrets" {
  depends_on = [local.module_depends_on]
  for_each = local.secrets

  name         = each.key
  value        = each.value
  key_vault_id = azurerm_key_vault.kv.id
}
相关问题
最新问题