Describe the bug
We have Terraform code for an Azure Key Vault in which the object ID of the access policy is a string. But we want to provide it as an array, i.e. multiple user IDs (object IDs) in a single object_id.
Steps to reproduce the problem.
main.tf:
resource "azurerm_key_vault" "example" {
  name                        = "examplekeyvault"
  location                    = azurerm_resource_group.example.location
  resource_group_name         = azurerm_resource_group.example.name
  enabled_for_disk_encryption = true
  tenant_id                   = data.azurerm_client_config.current.tenant_id
  soft_delete_retention_days  = 7
  purge_protection_enabled    = false
  sku_name                    = "standard"

  dynamic "access_policy" {
    for_each = var.access_policies
    content {
      tenant_id          = data.azurerm_client_config.current.tenant_id
      object_id          = access_policy.value["object_id"]
      secret_permissions = access_policy.value["secret_permissions"]
      key_permissions    = access_policy.value["key_permissions"]
    }
  }
}
variables.tf:
variable "access_policies" {
  type = set(
    object({
      object_id          = string,
      secret_permissions = set(string),
      key_permissions    = set(string)
    })
  )
}
keyvault > terragrunt.hcl:
# Terragrunt passes this map to the module as its Terraform input variables
inputs = {
  access_policies = [
    { object_id = "xyz", secret_permissions = ["Get", "Set"], key_permissions = ["Get"] },
    { object_id = "abc", secret_permissions = ["Get"], key_permissions = ["Get"] }
  ]
}
Expected behavior is as follows...
I want to keep the object ID as an array, and keep the secret permissions and key permissions on one line... something like the following; even keeping object_id = set(string) in the variable does not work:
{ object_id = ["xyz", "abc"], secret_permissions = ["Get", "Set"], key_permissions = ["Get"] },
In fact, I want to keep this object id the same in the global_var.hcl file, so that all environments can use the same object_id instead of the local terragrunt file.
========================================================================
I tried getting the object id with set(string) in the variables.tf file as shown below, but the problem persists.
Error - object_id must be a string
variables.tf:
variable "access_policies" {
  type = set(
    object({
      object_id          = set(string),
      secret_permissions = set(string),
      key_permissions    = set(string)
    })
  )
}
I have tried it, and it shows "Error - object_id must be a string"; it does not accept the object_ID in an array.. I have edited that into the question body
To handle multiple object_ids within Terraform's constraints, you need to use a nested-loop approach. Create another dynamic block for object_id.
variables.tf:
variable "access_policies" {
  type = list(
    object({
      object_ids         = list(string),
      secret_permissions = list(string),
      key_permissions    = list(string)
    })
  )
}
main.tf:
resource "azurerm_key_vault" "example" {
  name                        = "examplekeyvault"
  location                    = azurerm_resource_group.example.location
  resource_group_name         = azurerm_resource_group.example.name
  enabled_for_disk_encryption = true
  tenant_id                   = data.azurerm_client_config.current.tenant_id
  soft_delete_retention_days  = 7
  purge_protection_enabled    = false
  sku_name                    = "standard"

  dynamic "access_policy" {
    # Expand each policy into one entry per object_id
    for_each = flatten([
      for policy in var.access_policies : [
        for object_id in policy.object_ids : {
          object_id          = object_id
          secret_permissions = policy.secret_permissions
          key_permissions    = policy.key_permissions
        }
      ]
    ])
    content {
      tenant_id          = data.azurerm_client_config.current.tenant_id
      object_id          = access_policy.value["object_id"]
      secret_permissions = access_policy.value["secret_permissions"]
      key_permissions    = access_policy.value["key_permissions"]
    }
  }
}
global_var.hcl:
access_policies = [
  { object_ids = ["xyz", "abc"], secret_permissions = ["Get", "Set"], key_permissions = ["Get"] }
]
The outer dynamic block iterates over each policy in var.access_policies. For each policy, the inner dynamic block iterates over each object_id in the policy's object_ids.
This nested structure applies each object_id individually within its policy.
Result:
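The answer's flatten() expansion works, but two things a defender usually wants are missing: the list it feeds to for_each is unkeyed, so a principal that appears in two entries silently produces two access_policy blocks with different permission sets, and nothing checks that the object IDs are real GUIDs (the "xyz" placeholders above would only fail at apply time). The following is an added example, not code from the question or the answer: it keeps the one-to-many shape from the answer but keys the expanded entries by object_id (a duplicate then fails at plan time with a "Duplicate object key" error) and validates each ID. The resource and data source names follow the page; the validation regex, the `description`, and the sample input in the trailing comment are assumptions.

```hcl
# Added example (not the question's or the answer's code): keyed expansion
# of access policies plus input validation. Names follow the page; the GUID
# check and the sample input are assumptions.

variable "access_policies" {
  description = "Each entry grants one permission set to several principals (object IDs)."
  type = list(object({
    object_ids         = list(string)
    secret_permissions = list(string)
    key_permissions    = list(string)
  }))

  validation {
    # Microsoft Entra object IDs are GUIDs; reject typos such as "xyz" at plan time.
    condition = alltrue([
      for p in var.access_policies : alltrue([
        for id in p.object_ids :
        can(regex("^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$", id))
      ])
    ])
    error_message = "Every object_id must be a GUID."
  }
}

locals {
  # One access-policy entry per principal. Keying the map by object_id turns a
  # principal listed in two entries into a hard "Duplicate object key" error
  # instead of two conflicting access_policy blocks on the vault.
  access_policy_entries = {
    for entry in flatten([
      for policy in var.access_policies : [
        for object_id in policy.object_ids : {
          object_id          = object_id
          secret_permissions = policy.secret_permissions
          key_permissions    = policy.key_permissions
        }
      ]
    ]) : entry.object_id => entry
  }
}

resource "azurerm_key_vault" "example" {
  name                        = "examplekeyvault"
  location                    = azurerm_resource_group.example.location
  resource_group_name         = azurerm_resource_group.example.name
  tenant_id                   = data.azurerm_client_config.current.tenant_id
  enabled_for_disk_encryption = true
  soft_delete_retention_days  = 7
  purge_protection_enabled    = false
  sku_name                    = "standard"

  dynamic "access_policy" {
    # Iterating a map gives each block a stable key, so adding or removing one
    # principal does not re-order (and re-create) the others in the plan.
    for_each = local.access_policy_entries

    content {
      tenant_id          = data.azurerm_client_config.current.tenant_id
      object_id          = access_policy.value.object_id
      secret_permissions = access_policy.value.secret_permissions
      key_permissions    = access_policy.value.key_permissions
    }
  }
}

# Constructed sample input (global_var.hcl / terragrunt inputs), assumed values:
#
# access_policies = [
#   {
#     object_ids         = ["00000000-0000-0000-0000-000000000001",
#                           "00000000-0000-0000-0000-000000000002"]
#     secret_permissions = ["Get"]
#     key_permissions    = ["Get"]
#   },
#   {
#     object_ids         = ["00000000-0000-0000-0000-000000000003"]
#     secret_permissions = ["Get", "Set"]
#     key_permissions    = ["Get"]
#   },
# ]
```

If you do want one principal to appear in several entries and have its permissions merged rather than rejected, group the expanded entries with `entry.object_id => entry...` and combine the permission lists with `setunion()` in a second `locals` step; the plain keyed map above is the safer default because it makes an accidental over-grant visible before anything is applied.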