I am deploying a Key Vault in Azure through an ARM template and the "azurerm_template_deployment" resource, but I need to enable diagnostic settings and stream the diagnostic data into my existing Log Analytics workspace.
The goal is to deploy the Key Vault itself together with its diagnostic settings in the same "terraform apply".
When running terraform apply, the Key Vault itself is deployed, but the diagnostic settings are not enabled and it fails with the following message:
[error]Error: Error creating Monitor Diagnostics Setting "kv-diagnostics" for Resource "/subscriptions/----/resourceGroups/rg-test-001/providers/Microsoft.Resources/deployments/kv-diagnostics": insights.DiagnosticSettingsClient#CreateOrUpdate: Failure responding to request: StatusCode=404 -- Original Error: autorest/azure: Service returned an error. Status=404 Code="" Message="No HTTP resource was found that matches the request URI 'https://management.azure.com/subscriptions/---/resourceGroups/rg-test-001/providers/Microsoft.Resources/deployments/kv_test/providers/microsoft.insights/diagnosticSettings/kv-diagnostics?api-version=2017-05-01-preview'."
Below is the code I use in Terraform for the diagnostic setting resource:
resource "azurerm_monitor_diagnostic_setting" "kv-diag" {
  count                      = length(var.kv_name)
  name                       = "kv-diagnostics"
  target_resource_id         = azurerm_template_deployment.kv[count.index].id
  log_analytics_workspace_id = azurerm_log_analytics_workspace.log.id

  log {
    ...
  }

  metric {
    ...
  }
}
azurerm_log_analytics_workspace.logs.id already exists, and the variable var.kv_name is a list of names (so far there is only one name in the list). The output of "terraform plan" shows target_resource_id = (known after apply), which makes sense, because ideally the Key Vault has not been deployed yet and therefore has no id.
Why does Azure throw this error? Where am I going wrong?
Answer 0 (score: 1)
You can use outputs from the azurerm_template_deployment template to export the value of the Key Vault ID, and then reference the Key Vault ID, rather than the template deployment ID, as target_resource_id in your code.

For example:
resource "azurerm_resource_group" "example" {
  name     = "nancy-resources"
  location = "West US"
}

resource "azurerm_template_deployment" "example" {
  name                = "nancytemplate-01"
  resource_group_name = azurerm_resource_group.example.name
  deployment_mode     = "Incremental"

  template_body = <<DEPLOY
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "vaults_ancykeyvault_name": {
      "defaultValue": "nanvalut123",
      "type": "String"
    }
  },
  "variables": {},
  "resources": [
    {
      "type": "Microsoft.KeyVault/vaults",
      "apiVersion": "2016-10-01",
      "name": "[parameters('vaults_ancykeyvault_name')]",
      "location": "westus",
      "properties": {
        "sku": {
          "family": "A",
          "name": "standard"
        },
        "tenantId": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
        "accessPolicies": [
          {
            "tenantId": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
            "objectId": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
            "permissions": {
              "keys": [
                "Get",
                "Create",
                "Delete",
                "List",
                "Update",
                "Import",
                "Backup",
                "Restore",
                "Recover"
              ],
              "secrets": [
                "Get",
                "List",
                "Set",
                "Delete",
                "Backup",
                "Restore",
                "Recover"
              ],
              "certificates": [
                "Get",
                "List",
                "Delete",
                "Create",
                "Import",
                "Update",
                "ManageContacts",
                "GetIssuers",
                "ListIssuers",
                "SetIssuers",
                "DeleteIssuers",
                "ManageIssuers",
                "Recover"
              ],
              "storage": [
                "get",
                "list",
                "delete",
                "set",
                "update",
                "regeneratekey",
                "setsas",
                "listsas",
                "getsas",
                "deletesas"
              ]
            }
          }
        ],
        "enabledForDeployment": false,
        "enabledForDiskEncryption": false,
        "enabledForTemplateDeployment": true
      }
    }
  ],
  "outputs": {
    "myKvID": {
      "type": "string",
      "value": "[resourceId('Microsoft.KeyVault/vaults',parameters('vaults_ancykeyvault_name'))]"
    }
  }
}
DEPLOY
}

resource "azurerm_log_analytics_workspace" "example" {
  name                = "nancytest-01"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  sku                 = "PerGB2018"
  retention_in_days   = 30
}

resource "azurerm_monitor_diagnostic_setting" "example" {
  name = "nancymonitoring"
  # The vault's own resource ID from the template output, not the deployment's ID
  target_resource_id         = azurerm_template_deployment.example.outputs["myKvID"]
  log_analytics_workspace_id = azurerm_log_analytics_workspace.example.id

  log {
    category = "AuditEvent"
    enabled  = false # set to true if the vault's access audit log should be collected
    retention_policy {
      enabled = false
    }
  }

  metric {
    category = "AllMetrics"
    retention_policy {
      enabled = false
    }
  }
}

output "exsitingKvID" {
  value = azurerm_template_deployment.example.outputs["myKvID"]
}
Result
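The same fix applied to the asker's count-based layout, as an added example that is not part of the question or the answer above. It assumes the azurerm 2.x provider (where azurerm_template_deployment exposes its template outputs as the outputs map and azurerm_monitor_diagnostic_setting uses log blocks), Terraform 1.2 or later for the lifecycle precondition, that the answer's ARM template has been saved to keyvault.json next to the module (assumed path), and that the existing workspace can be looked up by the assumed name "law-existing" in rg-test-001. The precondition guards against the exact mistake in the question: a target_resource_id under Microsoft.Resources/deployments has no diagnosticSettings sub-resource, which is what the 404 reported.

```hcl
# Added example, not the question's or the answer's code. Provider azurerm 2.x assumed.

variable "kv_name" {
  type    = list(string)
  default = ["kv-test-001"] # placeholder vault name, assumed
}

# The asker's workspace already exists; looked up here by an assumed name so the
# example stands alone. In the asker's configuration this is the
# azurerm_log_analytics_workspace.log resource instead.
data "azurerm_log_analytics_workspace" "log" {
  name                = "law-existing"
  resource_group_name = "rg-test-001"
}

resource "azurerm_template_deployment" "kv" {
  count               = length(var.kv_name)
  name                = "kv-${var.kv_name[count.index]}"
  resource_group_name = "rg-test-001" # from the error message in the question
  deployment_mode     = "Incremental"

  # The answer's template, which defines the "myKvID" output (assumed file path).
  template_body = file("${path.module}/keyvault.json")

  parameters = {
    vaults_ancykeyvault_name = var.kv_name[count.index]
  }
}

resource "azurerm_monitor_diagnostic_setting" "kv-diag" {
  count = length(var.kv_name)
  name  = "kv-diagnostics"

  # Use the vault's own resource ID from the template output. The deployment's
  # ID (azurerm_template_deployment.kv[count.index].id) is a
  # Microsoft.Resources/deployments resource, and diagnostic settings cannot be
  # attached to it, hence the 404 in the question.
  target_resource_id         = azurerm_template_deployment.kv[count.index].outputs["myKvID"]
  log_analytics_workspace_id = data.azurerm_log_analytics_workspace.log.id

  log {
    category = "AuditEvent"
    enabled  = true # keep the vault access audit trail on
    retention_policy {
      enabled = false # retention is governed by the workspace, not the setting
    }
  }

  metric {
    category = "AllMetrics"
    enabled  = true
    retention_policy {
      enabled = false
    }
  }

  lifecycle {
    precondition {
      # Fail the apply early if the output is not a Key Vault resource ID.
      # The value is unknown at plan time, so Terraform evaluates this
      # check during apply, once the deployment has produced its outputs.
      condition     = can(regex("(?i)/providers/Microsoft\\.KeyVault/vaults/", azurerm_template_deployment.kv[count.index].outputs["myKvID"]))
      error_message = "target_resource_id must be the Key Vault's resource ID, not the deployment's ID."
    }
  }
}
```

Two caveats when moving beyond the provider version the answer uses: in later azurerm releases azurerm_template_deployment was replaced by azurerm_resource_group_template_deployment, whose output_content is a JSON string (read the ID with jsondecode(...).myKvID.value), and the log block of azurerm_monitor_diagnostic_setting was replaced by enabled_log. The ID returned by the template output is what you should also reference in any alerts or Sentinel connectors that key on the vault, for the same reason that the deployment ID is the wrong target here.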