I have a terraform variable that looks like this:
variable "named_values" {
  type = map(object({
    value              = string
    secret             = bool
    secret_id          = optional(string)
    identity_client_id = optional(string)
  }))
  default = {
    "my-named-value-1" = {
      value              = "my-plain-text-value-1"
      secret             = false
      secret_id          = ""
      identity_client_id = ""
    }
    "my-named-value-2" = {
      value              = "my-sensitive-value-2"
      secret             = true
      secret_id          = ""
      identity_client_id = ""
    }
    "my-named-value-3" = {
      value              = ""
      secret             = true
      secret_id          = "https://testvault.vault.azure.net/secrets/secret/dfa2bed047414c528ea41889da6a66b3"
      identity_client_id = "cc0d2f31-ff6d-495b-5773-ecfgh2fd6098"
    }
  }
}
The terraform resource that sets the values is given below:
resource "azurerm_api_management_named_value" "named_value" {
  for_each            = var.named_values
  name                = each.key
  resource_group_name = local.resource_group_name
  api_management_name = var.api_management_name
  display_name        = each.key
  value               = each.value.secret && each.value.secret_id != "" ? null : each.value.value
  secret              = each.value.secret

  dynamic "value_from_key_vault" {
    for_each = each.value.secret && each.value.secret_id != "" ? [each.value] : []
    content {
      secret_id          = each.value.secret_id
      identity_client_id = try(each.value.identity_client_id, null)
    }
  }
}
My requirement is that the value of my-named-value-1 should be plain text, my-named-value-2 should be a secret variable, and my-named-value-3 should be fetched from Key Vault. For my-named-value-1 and my-named-value-2 it works as expected, but for my-named-value-3 it fails with the following error:
creating or updating Named Value (Subscription: "70b2-37e3-3346-8da0-55e55e73fed6"
│ Resource Group Name: "AZR-PFS-D62-0031-1234"
│ Service Name: "cyet101003c0237750017001"
│ Named Value: "my-named-value-3"): polling after CreateOrUpdate: executing request: unexpected status 404 (404 Not Found) with error: ResourceNotFound: NamedValue not found.
│
│ with module.api_management_named_value.azurerm_api_management_named_value.named_value["my-named-value-3"],
│ on module/main.tf line 37, in resource "azurerm_api_management_named_value" "named_value":
│ 37: resource "azurerm_api_management_named_value" "named_value" {
I would suggest simplifying your design a bit: why not use two different variables and two corresponding azurerm_api_management_named_value resources to manage the named values? One stores the plain text values and the other stores the values that come from Key Vault.

Example (untested):
variable "named_values" {
  type = map(object({
    value  = string
    secret = bool
  }))
  default = {
    "my-named-value-1" = {
      value  = "my-plain-text-value-1"
      secret = false
    }
    "my-named-value-2" = {
      value  = "my-sensitive-value-2"
      secret = true
    }
  }
}

variable "named_values_from_keyvault" {
  type = map(object({
    secret_id          = string
    identity_client_id = string
  }))
  default = {
    "my-named-value-3" = {
      secret_id          = "https://testvault.vault.azure.net/secrets/secret/dfa2bed047414c528ea41889da6a66b3"
      identity_client_id = "cc0d2f31-ff6d-495b-5773-ecfgh2fd6098"
    }
  }
}

resource "azurerm_api_management_named_value" "named_value" {
  for_each            = var.named_values
  name                = each.key
  resource_group_name = local.resource_group_name
  api_management_name = var.api_management_name
  display_name        = each.key
  value               = each.value.value
  secret              = each.value.secret
}

resource "azurerm_api_management_named_value" "named_value_from_keyvault" {
  for_each            = var.named_values_from_keyvault
  name                = "${each.key}-from-keyvault" # Append a suffix to avoid name conflicts
  resource_group_name = local.resource_group_name
  api_management_name = var.api_management_name
  display_name        = each.key

  # when value_from_key_vault is specified, secret must also be set to true
  secret = true

  value_from_key_vault {
    secret_id          = each.value.secret_id
    identity_client_id = each.value.identity_client_id
  }
}
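As an added example that is not part of the question or the answer, the two-variable design can be made to reject malformed input at `terraform plan` time, before the API ever returns a 404, by attaching validation blocks to both variables. It assumes Terraform 1.3 or later (for `optional`), makes `identity_client_id` optional rather than required as in the answer, and assumes the public Azure cloud Key Vault DNS suffix.

```hcl
# Added example, not the answerer's code: plan-time validation for the split design.
# Assumes Terraform >= 1.3 and the public Azure cloud (sovereign clouds use a
# different Key Vault DNS suffix, so adjust the pattern there).

variable "named_values" {
  type = map(object({
    value  = string
    secret = bool
  }))
  # Not marked `sensitive = true` on purpose: Terraform refuses to use a
  # sensitive value as a for_each argument, and the resource iterates this map.
  # Protect the state backend instead, since values are stored there.

  validation {
    condition = alltrue([
      for k, v in var.named_values : v.value != ""
    ])
    error_message = "Every entry in named_values needs a non-empty value; Key Vault references belong in named_values_from_keyvault."
  }
}

variable "named_values_from_keyvault" {
  type = map(object({
    secret_id          = string
    identity_client_id = optional(string)
  }))

  validation {
    # A Key Vault secret identifier has the form
    # https://<vault>.vault.azure.net/secrets/<name>[/<32-hex version>]
    condition = alltrue([
      for k, v in var.named_values_from_keyvault :
      can(regex("^https://[a-z0-9-]+\\.vault\\.azure\\.net/secrets/[^/]+(/[0-9a-f]{32})?$", v.secret_id))
    ])
    error_message = "secret_id must be a Key Vault secret identifier of the form https://<vault>.vault.azure.net/secrets/<name>[/<version>]."
  }

  validation {
    # Reject empty strings so the provider receives either a client id or nothing,
    # never "" (the original single-map design passed "" through).
    condition = alltrue([
      for k, v in var.named_values_from_keyvault :
      v.identity_client_id == null || v.identity_client_id != ""
    ])
    error_message = "identity_client_id must be omitted or set to a non-empty client id."
  }
}
```

With these in place, a Key Vault entry that is accidentally placed in `named_values` with an empty `value`, or a `secret_id` that is not a Key Vault URL, fails validation before any API call is made.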