I am trying to use for_each to create several Azure storage accounts together with Azure Key Vault secrets and keys.
So far so good, and I managed to create everything I needed with this code:
variable "storage-foreach" {
  type    = list(string)
  default = ["storage1", "storage2"]
}

variable "key-name" {
  type    = list(string)
  default = ["key1", "key2"]
}

resource "azurerm_storage_account" "storage-foreach" {
  for_each                 = toset(var.storage-foreach)
  access_tier              = "Hot"
  account_kind             = "StorageV2"
  account_replication_type = "LRS"
  account_tier             = "Standard"
  location                 = var.location
  name                     = each.value
  resource_group_name      = azurerm_resource_group.tenant-testing-test.name

  lifecycle {
    prevent_destroy = false
  }
}

resource "azurerm_key_vault_secret" "storagesctforeach" {
  for_each     = toset(var.storage-foreach)
  key_vault_id = azurerm_key_vault.tenantsnbshared.id
  name         = each.value
  value        = azurerm_storage_account.storage-foreach[each.key].primary_connection_string
  content_type = "${each.value} Storage Account Connection String"

  lifecycle {
    prevent_destroy = false
  }
}

resource "azurerm_storage_table" "tableautomation" {
  for_each             = toset(var.storage-foreach)
  name                 = "UserAnswer"
  storage_account_name = azurerm_storage_account.storage-foreach[each.key].name

  lifecycle {
    prevent_destroy = false
  }
}

resource "azurerm_key_vault_key" "client-key" {
  for_each     = toset(var.key-name)
  key_vault_id = azurerm_key_vault.tenantsnbshared.id
  name         = "Key-Client-${each.value}"
  key_opts = [
    "decrypt",
    "encrypt",
    "sign",
    "unwrapKey",
    "verify",
    "wrapKey",
  ]
  key_type = "RSA"
  key_size = 2048
}
This code worked fine until I tried to create the customer-managed key resource and assign the keys to the storage accounts automatically.
resource "azurerm_storage_account_customer_managed_key" "storage-managed-key" {
  for_each           = toset(var.key-name)
  key_name           = each.value
  key_vault_id       = azurerm_key_vault.tenantsnbshared.id
  storage_account_id = azurerm_storage_account.storage-foreach[each.value].id
  key_version        = "current"
}
The problem I am facing is that, because I created all the previous resources with for_each, the storage account ID in the resource above needs [each.value]. I put it there, but that argument targets var.key-name, which raises an error because it cannot find those strings among my storage accounts.
I would like to know whether you can help me think of a good practice for automating this process and making sure it picks the right key to encrypt the right storage account ID in the resource group.
Many thanks to everyone, and sorry, I have been struggling with this block of code and how to automate it.
Answer 0 (score: 3)
The problem is that you are trying to access the var.key-name items with var.storage-foreach.
I think the following will work for you:
resource "azurerm_storage_account_customer_managed_key" "storage-managed-key" {
  count              = length(var.key-name)
  key_name           = var.key-name[count.index]
  key_vault_id       = azurerm_key_vault.tenantsnbshared.id
  storage_account_id = azurerm_storage_account.storage-foreach[var.storage-foreach[count.index]].id
  key_version        = "current"
}
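The answer above pairs the two lists by position with count. That works as long as both lists stay the same length and in the same order, but removing or reordering one entry shifts every index after it, and Terraform then destroys and recreates the customer-managed-key bindings (and can briefly leave an account pointed at the wrong key). The example below is an added one, not part of the question or the answer: it replaces the two parallel lists with a single map from storage account name to key name and drives every resource from that map with for_each, so each binding has a stable address. It reuses the question's azurerm_resource_group.tenant-testing-test, azurerm_key_vault.tenantsnbshared and var.location; the variable name storage_to_key, the resource labels, the identity block and the access policy are assumptions for illustration, and it also wires up the parts the question's code does not show but that Azure requires for a customer-managed key (a managed identity on the storage account and key vault permissions for it).

```hcl
# Added example, not from the original question or answer.
# Assumed: azurerm_resource_group.tenant-testing-test, azurerm_key_vault.tenantsnbshared
# and var.location exist as in the question. Everything else here is hypothetical.

# One map drives everything: storage account name => Key Vault key name.
# for_each over a map gives each resource a stable string address, so adding or
# removing one pair never renumbers the others (unlike count + list index).
variable "storage_to_key" {
  type = map(string)
  default = {
    storage1 = "Key-Client-key1"
    storage2 = "Key-Client-key2"
  }
}

resource "azurerm_storage_account" "cmk" {
  for_each                 = var.storage_to_key
  name                     = each.key
  resource_group_name      = azurerm_resource_group.tenant-testing-test.name
  location                 = var.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
  account_kind             = "StorageV2"

  # A customer-managed key needs an identity that Key Vault can authorize.
  identity {
    type = "SystemAssigned"
  }
}

resource "azurerm_key_vault_key" "cmk" {
  for_each     = var.storage_to_key
  name         = each.value
  key_vault_id = azurerm_key_vault.tenantsnbshared.id
  key_type     = "RSA"
  key_size     = 2048
  # Storage encryption only wraps and unwraps the data key; no sign/verify/encrypt/decrypt.
  key_opts = ["wrapKey", "unwrapKey"]
}

# Least privilege: each storage account's identity may only read and wrap/unwrap
# with keys in this vault. (Permission names are capitalized in azurerm 3.x;
# older 2.x providers used lowercase "get", "wrapkey", "unwrapkey".)
resource "azurerm_key_vault_access_policy" "storage" {
  for_each        = var.storage_to_key
  key_vault_id    = azurerm_key_vault.tenantsnbshared.id
  tenant_id       = azurerm_storage_account.cmk[each.key].identity[0].tenant_id
  object_id       = azurerm_storage_account.cmk[each.key].identity[0].principal_id
  key_permissions = ["Get", "UnwrapKey", "WrapKey"]
}

resource "azurerm_storage_account_customer_managed_key" "cmk" {
  for_each           = var.storage_to_key
  storage_account_id = azurerm_storage_account.cmk[each.key].id
  key_vault_id       = azurerm_key_vault.tenantsnbshared.id
  # Reference the key resource so the name always matches what was actually created
  # (the question's code names keys "Key-Client-<x>" but binds "<x>").
  key_name = azurerm_key_vault_key.cmk[each.key].name
  # key_version is omitted on purpose; the azurerm docs describe omitting it as the
  # way to let the account follow the latest key version (automatic rotation).

  # The binding is rejected if the identity cannot yet wrap/unwrap, so order it explicitly.
  depends_on = [azurerm_key_vault_access_policy.storage]
}
```

Two practitioner checks before applying this: Azure refuses customer-managed keys unless the key vault has soft delete and purge protection enabled, so set both on azurerm_key_vault.tenantsnbshared, and the storage account's identity needs exactly Get, WrapKey and UnwrapKey on the key, nothing more. Changing the value for one storage account in storage_to_key re-points only that account's binding, which is the behaviour the question is after.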