个人中心
gpt4 book ai didi

azure - 如何防止 Terraform 在更改 keyvault 后破坏虚拟机?

转载 作者:行者123 更新时间:2023-12-03 00:53:18 31 4
gpt4 key购买 nike

现有 KeyVault 的 secret 密码已过期并已更改。然后我的虚拟机被销毁并重新创建。有什么办法可以阻止这种情况吗?所有代码都是用 terraform 编写的。

keyvault.tf

## Keyvault Creation
data "azurerm_client_config" "current" {}
resource "azurerm_key_vault" "kv" {
  name                = var.kv_name
  location            = var.location
  resource_group_name = var.system_rg
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = var.sku_name

  soft_delete_retention_days      = var.soft_delete_retention_days
  enabled_for_deployment          = var.enabled_for_deployment
  enabled_for_disk_encryption     = var.enabled_for_disk_encryption
  enabled_for_template_deployment = var.enabled_for_template_deployment
  purge_protection_enabled        = var.purge_protection_enabled
}

resource "azurerm_key_vault_access_policy" "access_policy" {
  for_each     = var.access_policy
  key_vault_id = azurerm_key_vault.kv.id

  tenant_id = data.azurerm_client_config.current.tenant_id
  object_id = each.value.object_id

  secret_permissions      = each.value.secret_permissions
  key_permissions         = each.value.key_permissions
  certificate_permissions = each.value.certificate_permissions
  storage_permissions     = each.value.storage_permissions
}

## Create Key Vault Secret
resource "azurerm_key_vault_secret" "password" {
  name         = var.kv_secret_name
  value        = var.password_value
  key_vault_id = azurerm_key_vault.kv.id
  depends_on   = [azurerm_key_vault.kv]
}

vm.tf

resource "azurerm_resource_group" "system_rg" {
  name     = "${var.system_rg}"
  location = "${var.location}"
}

data "azurerm_resource_group" "system_rg_name" {
  name = azurerm_resource_group.system_rg.name
}

data "azurerm_subnet" "network-subnet" {
  name                 = "${var.network_subnet}"
  virtual_network_name = "${var.network_vnet}"
  resource_group_name  = "${var.network_rg}"
}

data "azurerm_key_vault" "kv" {
  name = var.kv_name
  resource_group_name = var.kv_rg
}

data "azurerm_key_vault_secret" "password" {
  name = var.kv_secret_name
  key_vault_id = data.azurerm_key_vault.kv.id
}

resource "azurerm_network_interface" "nic" {
  for_each                      = "${var.vm_template}"
  name                          = "${each.value.vm_name}-${each.value.nic}"
  location                      = "${var.location}"
  resource_group_name           = data.azurerm_resource_group.system_rg_name.name
  enable_accelerated_networking = true
  ip_configuration {
    name                          = "internal"
    subnet_id                     = data.azurerm_subnet.network-subnet.id
    private_ip_address_allocation = "${var.private-ip-type}"
  }
}

resource "azurerm_linux_virtual_machine" "vm" {
  for_each = var.vm_template
  name                = each.value.vm_name
  location            = "${var.location}"
  resource_group_name = data.azurerm_resource_group.system_rg_name.name
  size = each.value.vm_type
  source_image_id     = each.value.source_image_id
  network_interface_ids = [
    azurerm_network_interface.nic[each.key].id,
  ]

  identity {
    type = "SystemAssigned"
  }
  
  os_disk {
    name                 = "${each.value.vm_name}-${each.value.os_disk}"
    caching              = "ReadWrite"
    storage_account_type = each.value.osdisk_type
    disk_size_gb         = each.value.osdisk_size
  }

  plan {
    name      = each.value.os_sku
    publisher = each.value.os_publisher
    product   = each.value.os_offer
  }

  computer_name  = each.value.hostname
  admin_username = "${var.adminid}"
  admin_password = data.azurerm_key_vault_secret.password.value  
  disable_password_authentication = false

}

如果我在这种状态下应用 Terraform,我将销毁我的虚拟机并重新创建它,如下所示。

 # azurerm_windows_virtual_machine.vm["vm1"] must be replaced
-/+ resource "azurerm_windows_virtual_machine" "vm" {
      ~ admin_password             = (sensitive value) # forces replacement
      - encryption_at_host_enabled = false -> null
      ~ id                         = "/subscriptions/.../vm-testwindows" -> (known after apply)
        name                       = "vm-testwindows"
      + public_ip_address          = (known after apply)
      ~ public_ip_addresses        = [] -> (known after apply)
      - secure_boot_enabled        = false -> null
      - tags                       = {} -> null
      ~ virtual_machine_id         = ""xxxxx-xxx-xxxxx-xxxx-xxxxxxx" " -> (known after apply)
      - vtpm_enabled               = false -> null
        # (18 unchanged attributes hidden)

      ~ identity {
          - identity_ids = [] -> null
          ~ principal_id = "xxxxx-xxx-xxxxx-xxxx-xxxxxxx" -> (known after apply)
          ~ tenant_id    = "xxxxx-xxx-xxxxx-xxxx-xxxxxxx" -> (known after apply)
            # (1 unchanged attribute hidden)
        }

        # (3 unchanged blocks hidden)
    }

Plan: 3 to add, 0 to change, 3 to destroy.

第一次应用Keyvault secret 密码时,我只得到了“更改”状态,但我不知道为什么在 secret 密码过期后应用它时要尝试像这样重新创建虚拟机。

我请求你的帮助。

最佳答案

通常您会使用lifecycle Meta-Argument ignore_changes:

resource "azurerm_linux_virtual_machine" "vm" {

 #...

  lifecycle {
    ignore_changes = [
      admin_password,
    ]
  }
}

关于azure - 如何防止 Terraform 在更改 keyvault 后破坏虚拟机?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/76059912/

31 4 0
文章推荐: azure - Pandas 到 Pyspark 警告消息 : "iteritems is deprecated and will be removed in a future version"
文章推荐: c# - 为什么 Graph API 无法正确提供 AAD 用户上次事件
文章推荐: azure - 二头肌 : merge objects to avoid redundancy
文章推荐: java - 在 Java 中,Azure applicationinsights 启动程序依赖项与 Spring Boot 3.x.x 不兼容
行者123
个人简介

我是一名优秀的程序员,十分优秀!

滴滴打车优惠券免费领取
滴滴打车优惠券
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com