Terraform for_each Azure customer-managed key

Time: 2021-03-18 16:37:49

Tags: automation terraform terraform-provider-azure

I am trying to create multiple Azure storage accounts, along with Azure secrets and keys, using for_each.

So far so good; I managed to create everything I needed with this code:


variable "storage-foreach" {
  type    = list(string)
  default = ["storage1", "storage2"]
}

variable "key-name" {
  type    = list(string)
  default = ["key1", "key2"]
}

resource "azurerm_storage_account" "storage-foreach" {
  for_each                 = toset(var.storage-foreach)
  access_tier              = "Hot"
  account_kind             = "StorageV2"
  account_replication_type = "LRS"
  account_tier             = "Standard"
  location                 = var.location
  name                     = each.value
  resource_group_name      = azurerm_resource_group.tenant-testing-test.name
  lifecycle {
    prevent_destroy = false
  }
}

resource "azurerm_key_vault_secret" "storagesctforeach" {
  for_each     = toset(var.storage-foreach)
  key_vault_id = azurerm_key_vault.tenantsnbshared.id
  name         = each.value
  value        = azurerm_storage_account.storage-foreach[each.key].primary_connection_string
  content_type = "${each.value} Storage Account Connection String"
  lifecycle {
    prevent_destroy = false
  }
}

resource "azurerm_storage_table" "tableautomation" {
  for_each             = toset(var.storage-foreach)
  name                 = "UserAnswer"
  storage_account_name = azurerm_storage_account.storage-foreach[each.key].name
  lifecycle {
    prevent_destroy = false
  }
}

resource "azurerm_key_vault_key" "client-key" {
  for_each     = toset(var.key-name)
  key_vault_id = azurerm_key_vault.tenantsnbshared.id
  name         = "Key-Client-${each.value}"
  key_opts = [
    "decrypt",
    "encrypt",
    "sign",
    "unwrapKey",
    "verify",
    "wrapKey",
  ]
  key_type = "RSA"
  key_size = 2048
}

This code works fine until I try to create the customer-managed key resource and automatically assign the keys to the storage accounts.

resource "azurerm_storage_account_customer_managed_key" "storage-managed-key" {
  for_each           = toset(var.key-name)
  key_name           = each.value
  key_vault_id       = azurerm_key_vault.tenantsnbshared.id
  storage_account_id = azurerm_storage_account.storage-foreach[each.value].id
  key_version        = "current"
}

The problem I am facing is that, because I created all the previous resources with for_each, the storage account ID in the resource above needs [each.value]. I put it in, but that argument targets var.key-name, which raises an error because it cannot find those strings among my storage accounts. I would like to know whether you can help me think of a good practice to automate this process and make sure it picks the right key to encrypt the right storage account ID in the resource group.

Thank you all very much, and sorry, I have been struggling with this block of code and how to automate it.

1 answer:

Answer 0 (score: 3)

The problem is that you are trying to access var.storage-foreach with var.key-name items.

I think the following should work for you:

resource "azurerm_storage_account_customer_managed_key" "storage-managed-key" {
  count              = length(var.key-name)
  
  key_name           = var.key-name[count.index]
  key_vault_id       = azurerm_key_vault.tenantsnbshared.id
  storage_account_id = azurerm_storage_account.storage-foreach[var.storage-foreach[count.index]].id
  key_version        = "current"
}
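An added example (not code from the question or the answer above) that does the same pairing with a map instead of two parallel lists and a count index. With count, the pairing silently depends on both lists having the same length and order; with a map keyed by storage account name, each customer-managed key is addressed by the same stable key as its storage account, and renaming or removing one entry does not shift the others. The example also shows the two things a storage-account customer-managed key needs that the original snippets do not include: a system-assigned identity on the storage account and an access policy granting that identity get/wrapKey/unwrapKey on the key vault. The variable name storage_keys and the default values are constructed for this example; azurerm_key_vault.tenantsnbshared, azurerm_resource_group.tenant-testing-test and var.location are taken from the question. Permission names follow the azurerm 2.x provider that the post's date implies (3.x uses Get/WrapKey/UnwrapKey), and the key vault is assumed to already have soft delete and purge protection enabled, which Azure requires for customer-managed keys.

```hcl
# Constructed example: map of storage account name => key vault key suffix.
variable "storage_keys" {
  type = map(string)
  default = {
    storage1 = "key1"
    storage2 = "key2"
  }
}

resource "azurerm_storage_account" "storage-foreach" {
  for_each                 = var.storage_keys
  name                     = each.key
  resource_group_name      = azurerm_resource_group.tenant-testing-test.name
  location                 = var.location
  account_tier             = "Standard"
  account_kind             = "StorageV2"
  account_replication_type = "LRS"
  access_tier              = "Hot"

  # A managed identity is required so the account can use a key vault key.
  identity {
    type = "SystemAssigned"
  }
}

resource "azurerm_key_vault_key" "client-key" {
  for_each     = var.storage_keys
  key_vault_id = azurerm_key_vault.tenantsnbshared.id
  name         = "Key-Client-${each.value}"
  key_type     = "RSA"
  key_size     = 2048
  key_opts     = ["decrypt", "encrypt", "sign", "unwrapKey", "verify", "wrapKey"]
}

# Least-privilege grant: each storage account identity may only get, wrap and
# unwrap keys in the vault; no create, delete or purge rights.
# (azurerm 2.x permission names; assumed for this example.)
resource "azurerm_key_vault_access_policy" "storage" {
  for_each     = var.storage_keys
  key_vault_id = azurerm_key_vault.tenantsnbshared.id
  tenant_id    = azurerm_storage_account.storage-foreach[each.key].identity[0].tenant_id
  object_id    = azurerm_storage_account.storage-foreach[each.key].identity[0].principal_id

  key_permissions = ["get", "unwrapKey", "wrapKey"]
}

# Same map key on both sides, so account and key can never be mismatched.
resource "azurerm_storage_account_customer_managed_key" "storage-managed-key" {
  for_each           = var.storage_keys
  storage_account_id = azurerm_storage_account.storage-foreach[each.key].id
  key_vault_id       = azurerm_key_vault.tenantsnbshared.id
  key_name           = azurerm_key_vault_key.client-key[each.key].name
  # key_version is omitted on purpose: the provider then tracks the current
  # version, so rotating the key in the vault does not require a Terraform change.

  depends_on = [azurerm_key_vault_access_policy.storage]
}
```

After `terraform plan`, check that each azurerm_storage_account_customer_managed_key.storage-managed-key["storageN"] references azurerm_key_vault_key.client-key["storageN"]; with the map approach, a mismatch can only come from an edit to var.storage_keys itself, not from list ordering.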