个人中心
文章发布
退出
作者热门文章
- html - 出于某种原因,IE8 对我的 Sass 文件中继承的 html5 CSS 不友好?
- JMeter 在响应断言中使用 span 标签的问题
- html - 在 :hover and :active? 上具有不同效果的 CSS 动画
- html - 相对于居中的 html 内容固定的 CSS 重复背景?
25
4
我试图显式调用模块中的提供程序以在 AzureCloud 和 AzureChinaCloud 中创建命名空间。但是,我在这样做时遇到了问题。以下是我的配置:
terraform {
required_providers {
azurerm = {
source = "hashicorp/azurerm"
version = "=2.78.0"
}
}
backend "azurerm" {
resource_group_name = "Terraform-rg"
storage_account_name = "terraformstate"
container_name = "tfstate"
subscription_id = "00000000-0000-0000-0000-000000000000"
key = "prod"
}
}
provider "azurerm" {
features {}
}
provider "azurerm" {
features {}
alias = "sub2"
subscription_id = "xxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxxxxx"
client_id = "xxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxxxxx"
client_secret = var.client_secret
tenant_id = "xxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxxxxx"
environment = "china"
}
module "helm_ns_creation" {
source = "./namespace/"
providers = {
azurerm = azurerm
azurerm.sub2 = azurerm.sub2
}
applications = var.applications
geo = var.geo
ns_values = ["${file("../namespace/values.yaml")}"]
}
-------------------
provider "kubernetes" {
config_path = "config"
}
provider "helm" {
kubernetes {
config_path = "config"
}
}
resource "kubernetes_namespace" "aks_namespace" {
provider = azurerm.sub2
for_each = {for ns in var.applications : ns.namespace_name => ns}
metadata {
annotations = {
name = "${each.value.namespace_name}"
}
labels = {
name = "${each.value.team_name}"
}
name = "${each.value.namespace_name}"
}
}
locals {
# get json
namespace_data = jsondecode(file(var.inputfile))
principal_ids = distinct([for principal in local.namespace_data.applications : principal.principal_id])
principal_ids_cn = distinct([for principal_cn in local.namespace_data.applications : principal_cn.principal_id_cn])
get_principal_ids = (var.geo == "cn" ? local.principal_ids_cn : local.principal_ids)
}
data "azurerm_subscription" "global" {
}
resource "azurerm_role_assignment" "custom" {
for_each = toset(local.get_principal_ids)
scope = data.azurerm_subscription.global.id
# scope = "/subscriptions/{$var.subscription_id}"
role_definition_name = var.custom_role
principal_id = each.key
}
resource "azurerm_role_assignment" "builtin" {
for_each = toset(local.get_principal_ids)
scope = data.azurerm_subscription.global.id
role_definition_name = var.builtin_role
principal_id = each.key
}
data "azurerm_subscription" "china" {
provider = azurerm.sub2
}
resource "azurerm_role_assignment" "custom_cn" {
for_each = toset(local.get_principal_ids)
scope = data.azurerm_subscription.china.id
# scope = "/subscriptions/{$var.subscription_id}"
role_definition_name = var.custom_role
principal_id = each.key
}
resource "azurerm_role_assignment" "builtin_cn" {
for_each = toset(local.get_principal_ids)
scope = data.azurerm_subscription.china.id
role_definition_name = var.builtin_role
principal_id = each.key
}
当我运行代码在两个不同的云(中国和全局)中创建命名空间时,我仅在中国区域收到以下错误。但是,对于全局也是如此:
│错误:无法列出提供程序注册状态,这可能是由于凭据无效或服务主体无权使用资源管理器 API,Azure 错误:resources.ProvidersClient#List:响应失败请求:StatusCode=404 -- 原始错误:autorest/azure:服务返回错误。 Status=404 Code="SubscriptionNotFound"Message="找不到订阅 'xxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxxxx'。"
with provider["registry.terraform.io/hashicorp/azurerm"],
│ on main.tf line 18, in provider "azurerm":
│ 18: provider "azurerm" {
现在中国提供商的订阅失败。我如何使其适用于两个云(中国和全局)。如果需要任何其他详细信息,请告诉我..
最佳答案
为了解释,我将整个代码分为下面提到的三个部分:
使用以下提供程序 block ,您必须已创建 AKS 集群在公共(public)和中国云中。
terraform {
required_providers {
azurerm = {
source = "hashicorp/azurerm"
version = "=2.78.0"
}
}
backend "azurerm" {
resource_group_name = "Terraform-rg"
storage_account_name = "terraformstate"
container_name = "tfstate"
subscription_id = "00000000-0000-0000-0000-000000000000"
key = "prod"
}
}
provider "azurerm" {
features {}
}
provider "azurerm" {
features {}
alias = "sub2"
subscription_id = "xxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxxxxx"
client_id = "xxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxxxxx"
client_secret = var.client_secret
tenant_id = "xxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxxxxx"
environment = "china"
}
resource "azurerm_kubernetes_cluster" "aks_cluster_public" {
provider = azurerm
name = "ansuman-aks-001"
location = data.azurerm_resource_group.sub1.location
resource_group_name = data.azurerm_resource_group.sub1.name
dns_prefix = "ansuman-aks-cluster"
.....
}
resource "azurerm_kubernetes_cluster" "aks_cluster_china" {
provider = azurerm.sub2
name = "ansuman-aks-001"
location = data.azurerm_resource_group.sub1.location
resource_group_name = data.azurerm_resource_group.sub1.name
dns_prefix = "ansuman-aks-cluster"
.....
}
创建 AKS 集群后,您可以在公共(public)和中国使用 Kubernetes Providers 并创建 Kubernetes 命名空间云如下所示:
provider "kubernetes" {
host = "${azurerm_kubernetes_cluster.aks_cluster_public.kube_config.0.host}"
username = "${azurerm_kubernetes_cluster.aks_cluster_public.kube_config.0.username}"
password = "${azurerm_kubernetes_cluster.aks_cluster_public.kube_config.0.password}"
client_certificate = base64decode("${azurerm_kubernetes_cluster.aks_cluster_public.kube_config.0.client_certificate}")
client_key = base64decode("${azurerm_kubernetes_cluster.aks_cluster_public.kube_config.0.client_key}")
cluster_ca_certificate = base64decode("${azurerm_kubernetes_cluster.aks_cluster_public.kube_config.0.cluster_ca_certificate}")
}
provider "kubernetes" {
alias = "sub2"
host = "${azurerm_kubernetes_cluster.aks_cluster_china.kube_config.0.host}"
username = "${azurerm_kubernetes_cluster.aks_cluster_china.kube_config.0.username}"
password = "${azurerm_kubernetes_cluster.aks_cluster_china.kube_config.0.password}"
client_certificate = base64decode("${azurerm_kubernetes_cluster.aks_cluster_china.kube_config.0.client_certificate}")
client_key = base64decode("${azurerm_kubernetes_cluster.aks_cluster_china.kube_config.0.client_key}")
cluster_ca_certificate = base64decode("${azurerm_kubernetes_cluster.aks_cluster_china.kube_config.0.cluster_ca_certificate}")
}
resource "kubernetes_namespace" "app_namespace_public" {
provider = kubernetes
metadata {
name = "my-namespace"
}
depends_on = [
azurerm_kubernetes_cluster.aks_cluster_public
]
}
resource "kubernetes_namespace" "app_namespace_china" {
provider = kubernetes.sub2
metadata {
name = "my-namespace"
}
depends_on = [
azurerm_kubernetes_cluster.aks_cluster_china
]
}
正如您在 Kubernetes Provider 中看到的,我使用了aks_cluster_configs 对于公共(public)和中国,因为我也在创建 AKS 集群,如果您不创建 AKS 集群,那么您也可以使用 config paths 但概念是相同,即一个供应商用于公共(public),另一个供应商用于中国,资源 block 也将如此。
完成上述操作后,您可以使用azurermprovider作为角色任务如下:
data "azurerm_subscription" "global" {
provider = azurerm.sub2
}
resource "azurerm_role_assignment" "custom" {
provider = azurerm.sub2
for_each = toset(local.get_principal_ids)
scope = data.azurerm_subscription.global.id
role_definition_name = var.custom_role
principal_id = each.key
}
resource "azurerm_role_assignment" "builtin" {
provider = azurerm
for_each = toset(local.get_principal_ids)
scope = data.azurerm_subscription.global.id
role_definition_name = var.builtin_role
principal_id = each.key
}
data "azurerm_subscription" "china" {
provider = azurerm.sub2
}
resource "azurerm_role_assignment" "custom_cn" {
provider = azurerm.sub2
for_each = toset(local.get_principal_ids)
scope = data.azurerm_subscription.china.id
role_definition_name = var.custom_role
principal_id = each.key
}
resource "azurerm_role_assignment" "builtin_cn" {
provider = azurerm.sub2
for_each = toset(local.get_principal_ids)
scope = data.azurerm_subscription.china.id
role_definition_name = var.builtin_role
principal_id = each.key
}
注意:如果您也使用 Helm Provider,那么您必须遵循 Kubernetes Provider 的相同概念,您可以引用此 Terraform Helm Provider Documentation 。请确保以与我们配置 azurerm 和 kubernetes 提供程序相同的方式对其进行配置,并在模块或资源 block 中使用相同的方式。
我在我的环境中使用以下代码测试了上述内容,该环境具有 AKS 群集、命名空间和内置角色且没有自定义角色,输出如下:
我的 Main.tf 文件:
provider "azurerm" {
features {}
}
provider "azurerm" {
alias = "sub2"
subscription_id = "948d4068-xxxx-xxxx-xxxx-e00a844e059b"
tenant_id = "72f988bf-xxxx-xxxx-xxxx-2d7cd011db47"
client_id = "f6a2f33d-xxxx-xxxx-xxxx-d713a1bb37c0"
client_secret = "inl7Q~Gvddxxxx-xxxx-xxxxaGPF3uSoL"
features {}
}
data "azurerm_resource_group" "sub2" {
provider = azurerm.sub2
name = "ansumantest"
}
data "azurerm_resource_group" "sub1" {
provider = azurerm
name = "xxx-ansbal-xxxx"
}
resource "azurerm_kubernetes_cluster" "aks_cluster_public" {
provider = azurerm
name = "ansuman-aks-001"
location = data.azurerm_resource_group.sub1.location
resource_group_name = data.azurerm_resource_group.sub1.name
dns_prefix = "ansuman-aks-cluster"
default_node_pool {
name = "default"
vm_size = "Standard_D2_v2"
availability_zones = [1, 2]
enable_auto_scaling = true
max_count = 4
min_count = 1
node_count = 2
type = "VirtualMachineScaleSets"
}
network_profile {
network_plugin = "kubenet"
}
service_principal {
client_id = "f6a2f33d-xxxx-xxxx-xxxx-d713a1bb37c0"
client_secret = "inl7Q~Gvxxxx-xxxx-xxxxiyaGPF3uSoL"
}
role_based_access_control {
enabled = true
}
}
resource "azurerm_kubernetes_cluster" "aks_cluster_china" {
provider = azurerm.sub2
name = "ansuman-aks-001"
location = data.azurerm_resource_group.sub2.location
resource_group_name = data.azurerm_resource_group.sub2.name
dns_prefix = "ansuman-aks-cluster"
default_node_pool {
name = "default"
vm_size = "Standard_D2_v2"
availability_zones = [1, 2]
enable_auto_scaling = true
max_count = 4
min_count = 1
node_count = 2
type = "VirtualMachineScaleSets"
}
network_profile {
network_plugin = "kubenet"
}
service_principal {
client_id = "f6a2f33d-xxxx-xxxx-xxxx-d713a1bb37c0"
client_secret = "inl7Q~Gvddxxxx-xxxx-xxxx6ntiyaGPF3uSoL"
}
role_based_access_control {
enabled = true
}
}
provider "kubernetes" {
host = "${azurerm_kubernetes_cluster.aks_cluster_public.kube_config.0.host}"
username = "${azurerm_kubernetes_cluster.aks_cluster_public.kube_config.0.username}"
password = "${azurerm_kubernetes_cluster.aks_cluster_public.kube_config.0.password}"
client_certificate = base64decode("${azurerm_kubernetes_cluster.aks_cluster_public.kube_config.0.client_certificate}")
client_key = base64decode("${azurerm_kubernetes_cluster.aks_cluster_public.kube_config.0.client_key}")
cluster_ca_certificate = base64decode("${azurerm_kubernetes_cluster.aks_cluster_public.kube_config.0.cluster_ca_certificate}")
}
provider "kubernetes" {
alias = "sub2"
host = "${azurerm_kubernetes_cluster.aks_cluster_china.kube_config.0.host}"
username = "${azurerm_kubernetes_cluster.aks_cluster_china.kube_config.0.username}"
password = "${azurerm_kubernetes_cluster.aks_cluster_china.kube_config.0.password}"
client_certificate = base64decode("${azurerm_kubernetes_cluster.aks_cluster_china.kube_config.0.client_certificate}")
client_key = base64decode("${azurerm_kubernetes_cluster.aks_cluster_china.kube_config.0.client_key}")
cluster_ca_certificate = base64decode("${azurerm_kubernetes_cluster.aks_cluster_china.kube_config.0.cluster_ca_certificate}")
}
resource "kubernetes_namespace" "app_namespace_public" {
provider = kubernetes
metadata {
name = "my-namespace"
}
depends_on = [
azurerm_kubernetes_cluster.aks_cluster_public
]
}
resource "kubernetes_namespace" "app_namespace_china" {
provider = kubernetes.sub2
metadata {
name = "my-namespace"
}
depends_on = [
azurerm_kubernetes_cluster.aks_cluster_china
]
}
data "azurerm_subscription" "global" {
provider = azurerm
}
data "azurerm_client_config" "global" {
provider = azurerm
}
resource "azurerm_role_assignment" "builtin" {
provider = azurerm
scope = data.azurerm_resource_group.sub1.id
role_definition_name = "Azure Kubernetes Service Cluster Admin Role"
principal_id = data.azurerm_client_config.global.object_id
}
data "azurerm_subscription" "china" {
provider = azurerm.sub2
}
data "azurerm_client_config" "China" {
provider = azurerm.sub2
}
resource "azurerm_role_assignment" "builtin_cn" {
provider = azurerm.sub2
scope = data.azurerm_subscription.china.id
role_definition_name = "Azure Kubernetes Service Cluster Admin Role"
principal_id = data.azurerm_client_config.China.object_id
}
输出:
注意:我仅在公共(public)云中使用了 2 个订阅,因为我没有中国云订阅,但对于不同的云也是相同的,只需确保添加 参数。azurerm 提供程序 block 中的环境
关于azure - 在 terraform 模块中显式使用提供程序,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/69971624/
25
4
0
有什么方法可以将 Terraform 模板输出用于另一个 Terraform 模板的输入? 例如:我有一个创建 ELB 的 Terraform 模板,我有另一个 Terraform 模板,它将创建一个
我正在使用 Terraform 在 Azure 中设置虚拟网络。 我有几个 VNet,每个 VNet 都有自己的网络安全组 100% 在 Terraform 中管理,在运行 Terraform 之前不
resources and data sources在 terraform 文档中 link ,谁能解释一下它们的区别以及可以使用它们的示例场景 最佳答案 Data Sources :允许 Terra
terraform plan 等命令如何知道/决定使用哪些文件? -help 显示了一个 DIR-OR-PLAN 参数,但没有显示如何使用它: $ terraform -help plan Usage
我在尝试运行使用 terraform lock 的 terraform 脚本时收到以下错误消息。 *Acquiring state lock. This may take a few moments.
我想简化这样的构造 variable "google" { type = object({ project = string region = string
这是一个场景 - 您开发用于研发组织的 terraform 模块。它们已经被一两个微服务使用,转化为十几个 pod。您确定了重构机会,例如将某些功能提取到其自己的 terraform 模块中。很好,但
Terraform 是否支持条件属性?我只想根据变量的值使用属性。 例子: resource "aws_ebs_volume" "my_volume" { availability_zone =
我想将此作为功能请求发布,但我想在发布之前看看是否有其他人找到了一些聪明的方法。或者也许 Hashicorp 的某个人可以告诉我这将是 future 的一个功能 在运行 terraform apply
我在 terraform 的变量插值中遇到了麻烦。这是我的 terraform 配置的样子。即内置函数内的变量 variable "key" {} ssh_keys { pat
运行 terraform 并等待需要很长时间。 所以我想运行它来排除需要最长执行时间的 rds 或者我只想运行 ec2 资源。 有没有办法在 terraform 中做这样的事情? 最佳答案 您可以使用
terraform 是否提供这样的功能来覆盖变量值?假设我已经声明了下面给出的两个变量。 variable "foo" {} variable "bar" { default = "false"} f
我正在为 Terraform Associate Certification 做准备考试。我在 Udemy 上进行了一次练习考试,并收到了一个关于自动安装社区提供程序的问题。但是,根据实际 terra
我有很多使用 Terraform 的 gcp-provider 用 Terraform 0.11 编写的 Terraform 模块,并希望将其升级到 Terraform 0.12。 为此,我需要保留系
我的项目有 2 个存储库。静态网站和服务器。我希望网站由 cloudfront 和 s3 托管,服务器在 elasticbeanstalk 上。我知道这些资源至少需要了解 Route53 资源才能在同
我能有这样的资源吗 resource "foo" "bar.baz"{ ... } 或者以后 . 会把我搞砸吗?特别是,是否允许这样做: resource "foo" "other"{ ...
我能有这样的资源吗 resource "foo" "bar.baz"{ ... } 或者以后 . 会把我搞砸吗?特别是,是否允许这样做: resource "foo" "other"{ ...
运行时terraform init使用 Terraform 时 0.11.3我们收到以下错误: Initializing provider plugins... - Checking for avai
我正在尝试将项目的 CLI 工作区迁移到 Terraform Cloud。我正在使用 Terraform 版本 0.14.8 并遵循官方指南 here . $ terraform0.14.8 work
尝试在Azure Pipeline中将terraform init作为任务运行时,错误指出 spawn C:\hostedtoolcache\windows\terraform\0.12.7\x64\
我是一名优秀的程序员,十分优秀!