提问人:Swabha 提问时间:11/18/2023 更新时间:11/18/2023 访问量:39
需要有关使用特定命名约定对代码 (azure keyvault) 进行地形改造的帮助
Need help in terraforming the code (azure keyvault )with the specific naming conventions
问:
我有下面的 terraform 代码,需要帮助来确定要为特定solution_settings变量提供哪个值,并且该代码应该可以工作,因为我是 Terraform 的新手。
错误:
PS C:> terraform plan -out main.tfplan var.solution_settings 输入值:test
var.标签 输入值:test
╷
│ 错误:不允许变量
│
│ 上线1:
│ (源代码不可用)
│
│ 此处不得使用变量。
╵
╷
│ 错误:不允许变量
│
│ 上线1:
│ (源代码不可用)
│
│ 此处不得使用变量。
╵
╷
│ 错误:所需变量没有值
│
│ variables.tf 第 1 行:
│ 1: 变量 “solution_settings” {
│
│ 根模块输入变量“solution_settings”未设置,无默认值。使用 -var 或
│ -var-file 命令行参数为该变量提供值。
╵
╷
│ 错误:所需变量没有值
│
│ variables.tf 第 18 行:
│ 18: 变量 “tags” {
│
│ 根模块输入变量“tags”未设置,无默认值。使用 -var 或 -var-file 命令
│ line 参数为此变量提供值。
KeyVault 的 main.tf
locals {
key_vault_name = coalesce(var.key_vault_name, var.solution_settings["key_vault_name"])
resource_group_name = coalesce(var.resource_group_name, var.solution_settings["resource_group_name"])
}
data "azurerm_virtual_network" "vnet" {
name = var.solution_settings["virtual_network_name"]
resource_group_name = var.solution_settings["vnet_resource_group_name"]
}
data "azurerm_subnet" "akv_subnet" {
name = var.akv_subnet
resource_group_name = var.solution_settings["vnet_resource_group_name"]
virtual_network_name = data.azurerm_virtual_network.vnet.name
}
data "azuread_group" "prov_group" {
display_name = var.prov_group_name
}
resource "azurerm_key_vault" "datalib_key_vault" {
name = local.key_vault_name
resource_group_name = local.resource_group_name
location = var.solution_settings["location"]
tenant_id = var.azure_tenant_id
public_network_access_enabled = try(var.tags["Data Classification"] == "Highly Confidential", false) ? false : true
soft_delete_retention_days = 7
purge_protection_enabled = true
sku_name = "standard"
tags = var.tags
enabled_for_deployment = "true"
enabled_for_disk_encryption = "true"
enabled_for_template_deployment = "false"
network_acls {
bypass = "AzureServices"
default_action = "Deny"
virtual_network_subnet_ids = []
}
}
resource "azurerm_monitor_diagnostic_setting" "akv-monitor" {
name = "${local.key_vault_name}log"
target_resource_id = azurerm_key_vault.datalib_key_vault.id
log_analytics_workspace_id = var.log_analytics_id
lifecycle {
ignore_changes = [
# Ignore changes to tags, e.g. because a management agent
# updates these based on some ruleset managed elsewhere.
log_analytics_workspace_id,
log,
metric
]
}
log {
category = "AuditEvent"
enabled = true
}
}
resource "azurerm_key_vault_access_policy" "acs_prov" {
key_vault_id = azurerm_key_vault.datalib_key_vault.id
tenant_id = var.azure_tenant_id
object_id = data.azuread_group.prov_group.id
depends_on = [azurerm_key_vault.datalib_key_vault]
secret_permissions = [
"Set",
"Get",
"List",
"Delete",
"Recover",
]
key_permissions = [
]
certificate_permissions = [
]
}
resource "azurerm_private_endpoint" "pe1" {
name = "${local.key_vault_name}pe"
location = var.solution_settings["location"]
resource_group_name = local.resource_group_name
subnet_id = data.azurerm_subnet.akv_subnet.id
private_service_connection {
name = "${local.key_vault_name}psc"
is_manual_connection = false
private_connection_resource_id = azurerm_key_vault.datalib_key_vault.id
subresource_names = ["vault"]
}
}
}
Keyvault 的 variables.tf:
variable "solution_settings" {
type = any
validation {
condition = contains(["1.0.0"], var.solution_settings.schema.version)
error_message = "Unsupported schema version."
}
}
variable "tags" {
type = map(any)
}
variable "storage_account_name" {
description = "Use to set a non standard name for the account, by default the name will be generated based on the solution name"
type = string
default = ""
}
variable "cmk_enabled" {
description = "True to enable customer managed keys for encrypting storage blobs at rest. False to disable."
type = bool
default = false
}
variable "key_vault_is_required" {
description = "By default the connection string will be stored in the solution key vault, set this to false if you don't want this."
type = bool
default = true
}
variable "keyvault_secret_name" {
description = "By default the storage account connection string will be stored in keyvault under as <storageaccountname>Connection, use this to override the secret name."
type = string
default = ""
}
variable "lock_resource" {
description = "By default any storage accounts created will be locked to prevent accidental deletion. Set this to false if you do not want a lock"
type = bool
default = true
}
variable "location" {
description = "Optional varaible to set the azure region where you want the databricks workspace. By default this will be the main solution location"
type = string
default = ""
}
variable "hns" {
description = "Whether to enable hierarchical namespaces"
type = bool
default = true
}
variable "dfs_subnet" {
description = "Name of the subnet to deploy Storage Private endpoint"
type = string
default = ""
}
variable "sftp" {
description = "Flag to indicate if SFTP is enabled"
type = bool
default = false
}
variable "resource_group_name" {
description = "If set, will use the RG provided. If not, will default to the RG given in solution_settings."
type = string
default = "" # If unchanged, this is set in main.tf, see locals.
}
variable "key_vault_id" {
description = "the id of the keyvault to integrate with, use the keyvault module to get this result."
type = string
default = ""
}
variable "fileshare_is_required" {
description = "does a pe with a fileshare needed, needs to be true for logic apps"
type = bool
default = false
}
variable "queue_is_required" {
description = "does a pe with a queue needed, needs to be true for logic apps"
type = bool
default = false
}
variable "table_is_required" {
description = "does a pe with a table needed, needs to be true for logic apps"
type = bool
default = false
}
variable "network_rules_default_action" {
description = "Public network access"
type = string
default = "Deny"
}
variable "blob_soft_delete_days" {
description = "Specifies the number of days that the blob should be retained, between 0 and 365 days."
type = number
default = 0
validation {
condition = 0 <= var.blob_soft_delete_days && var.blob_soft_delete_days <= 365
error_message = "Expected to be in the range (0 - 365)."
}
}
solutionsettings.tf
module "solution_settings" {
source = "./solutionsettings"
solution_name = "testmm"
location = "westeurope"
resource_group_name = "testrg"
environment = "dev"
devops_tenant_id = "***"
tags = {
"Environment" : "Dev",
"Program" : "TEST",
"Project" : "TESTPROJ",
"Application" : "Data Blocks",
"Product" : "TESTPRO",
"CMDB" : "AZR-LAKE-DNA",
"Charge Reference" : "0000000000",
"Charge Type" : "Cost Center",
"Region" : "Europe",
"Segment" : "Testsegment",
"Banner" : "TESTBANNER",
"Function" : "Demand",
"Business Owner" : "***@***.com",
"Product Owner" : "***@***.com",
"Application Architect" : "***@***.com",
"Data Classification" : "Internal Use Only",
"Application Category" : "Class C",
"Infrastructure Tier" : "Class C",
"Expiry" : "9999-12-31",
"Created" : "2023-06-01",
"Created By" : "Terraform",
"Parent" : "TESTHUB",
"Brand" : "",
"Business Unit" : "test",
"Charge Reference" : "0000000000",
"CMDB" : "",
"Data Classification" : "Confidential",
"Data Sensitivity" : "Non-PII",
"Division" : "",
"Infrastructure Tier" : "",
"Parent" : "",
"Product" : "",
"Product Owner" : "",
"Program" : "TEST",
"Project" : "TESTProject",
"Region" : "Global",
"Support Model" : "***@***.com",
"Updated" : "2023-06-01"
}
vnet_name = "testvnet"
vnet_rg = "testrg"
}
solutionsettings 模块:
解决方案设置 main.tf:
locals {
location_ab_dict = {
westus = "wus"
eastus = "eus"
centralus = "cus"
eastus2 = "eus2"
centraluseuap = "usia"
southcentralus = "scus"
northcentralus = "ncus"
northeurope = "neu"
westeurope = "weu"
eastasia = "eas"
southeastasia = "sea"
japanwest = "japw"
japaneast = "jape"
southindia = "sin"
westindia = "win"
centralindia = "cin"
australiaeast = "aue"
australiasoutheast = "ause"
uksouth = "uks"
ukwest = "ukw"
}
solution_name_short = replace(var.solution_name, " ", "-")
location_abrv = local.location_ab_dict[var.location]
name_prefix = lower("${substr(replace(lower(var.solution_name), "/[-| _]/", ""), 0, 13)}${local.location_abrv}${var.environment}")
key_vault_name = "${local.name_prefix}akv"
app_insights_name = "${local.name_prefix}ai"
app_insights_secret_name = "${local.name_prefix}aik"
log_analytics_name = "${local.name_prefix}law"
sa_name = "${local.name_prefix}sa"
}
data "azurerm_client_config" "current" {}
SolutionSettings 模块 variables.tf:
variable "solution_name" {
description = "Solution name"
type = string
validation {
condition = can(regex("^[A-Za-z][\\w]{1,23}[A-Za-z0-9]$", var.solution_name))
error_message = "Can include up to 25 alphanumeric characters (including underscope). Should start with letter and end with letter or digit."
}
}
variable "location" {
type = string
}
variable "resource_group_name" {
type = string
}
variable "environment" {
description = "Environment"
type = string
validation {
condition = contains(["dev", "prod"], var.environment)
error_message = "Valid environments are: dev, prod."
}
}
variable "devops_tenant_id" {
type = string
description = "Azure Devops tenant Id"
default = "***"
}
variable "tags" {
type = map(any)
description = "a dictionary (map) of tags to propagate"
validation {
condition = can([for item in ["Environment", "Brand", "Program", "Project", "Application", "Product", "Charge Reference", "Charge Type", "Region", "Segment", "Division", "Function", "Business Owner", "Business Unit", "Product Owner", "Application Architect", "Data Classification", "Data Sensitivity", "Application Category", "Infrastructure Tier", "Support Model", "Expiry", "Created", "Created By", "Updated", "Parent"] : var.tags[item]])
error_message = "Following properties must be populated: 'Environment', 'Brand', 'Program', 'Project', 'Application', 'Product', 'CMDB', 'Charge Reference', 'Charge Type', 'Region', 'Segment', 'Division', 'Function', 'Business Owner', 'Business Unit', 'Product Owner', 'Application Architect', 'Data Classification', 'Data Sensitivity', 'Application Category', 'Infrastructure Tier', 'Support Model', 'Expiry', 'Created', 'Created By', 'Updated', 'Parent'."
}
validation {
condition = contains(["Dev", "Prod"], var.tags["Environment"])
error_message = "'Environment' must be either 'Dev', 'Prod'."
}
validation {
condition = contains(["Cost Center", "Internal Order"], var.tags["Charge Type"])
error_message = "'Charge Type' must be either 'Cost Center' or 'Internal Order'."
}
validation {
condition = contains(["Global", "Asia Pacific", "Europe", "India", "Latin America", "North America", "CIS RU"], var.tags["Region"])
error_message = "'Region' must be either of: 'Global', 'Asia Pacific', 'Europe', 'India', 'Latin America', 'North America', 'CIS RU'."
}
validation {
condition = contains(["Corporate", "Cross Segment", "Food", "* Global Services", "* Wrigley", "Multisales", "Petcare", "Other"], var.tags["Segment"])
error_message = "'Segment' must be either of: 'Corporate', 'Cross Segment', 'Food', '* Global Services', '', 'Multisales', '', 'Other'."
}
validation {
condition = contains(["Commercial", "Corporate Strategy", "Finance", "Manufacturing", "Marketing", "P&O", "R&D", "Sales", "SCM", "Supply", "Demand"], var.tags["Function"])
error_message = "'Function' must be either of: 'Commercial', 'Corporate Strategy', 'Cross MGS', 'Finance', 'Manufacturing', 'Marketing', 'P&O', 'R&D', 'Sales', 'SCM', Supply', 'Demand'."
}
validation {
condition = contains(["Highly Confidential", "Confidential", "Internal Use Only", "Non-Confidential"], var.tags["Data Classification"])
error_message = "'Data Classification' must be either of: 'Highly Confidential', 'Confidential', 'Internal Use Only', 'Non-Confidential'."
}
validation {
condition = contains(["PII", "Non-PII", "UserID"], var.tags["Data Sensitivity"])
error_message = "'Data Sensitivity' must be either 'PII', 'Non-PII', or 'UserID'."
}
validation {
condition = contains(["Manual", "Terraform", "Provisioning Tool"], var.tags["Created By"])
error_message = "'Created By' must be either of: 'Manual', 'Terraform', 'Provisioning Tool'."
}
validation {
condition = substr(var.tags["Support Model"], -10, -1) == "@***.com"
error_message = "'Support Model' must contain: @***.com'."
}
validation {
condition = substr(var.tags["Application Architect"], -10, -1) == "@***.com"
error_message = "'Application Architect' must contain: @***.com'."
}
validation {
condition = substr(var.tags["Business Owner"], -10, -1) == "@***.com"
error_message = "'Business Owner' must contain: @***.com'."
}
validation {
condition = can(regex("^[0-9]{4}-[0-9]{2}-[0-9]{2}$", var.tags["Created"]))
error_message = "'Created' must be of format: 'YYYY-MM-DD'."
}
validation {
condition = can(regex("^[0-9]{4}-[0-9]{2}-[0-9]{2}$", var.tags["Expiry"]))
error_message = "'Expiry' must be of format: 'YYYY-MM-DD'."
}
validation {
condition = can(regex("^[0-9]{4}-[0-9]{2}-[0-9]{2}$", var.tags["Updated"]))
error_message = "'Updated' must be of format: 'YYYY-MM-DD'."
}
validation {
condition = length(var.tags["Application"]) > 0
error_message = "'Application' must contain text."
}
validation {
condition = length(var.tags["Project"]) > 0
error_message = "'Project' must contain text."
}
validation {
condition = length(var.tags["Application Category"]) > 0
error_message = "'Application Category' must contain text."
}
validation {
condition = length(var.tags["Business Unit"]) > 0
error_message = "'Business Unit' must contain text."
}
validation {
condition = length(var.tags["Charge Reference"]) > 0
error_message = "'Charge Reference' must contain text."
}
validation {
condition = length(var.tags["Program"]) > 0
error_message = "'Program' must contain text."
}
}
variable "vnet_name" {
type = string
description = "Name of the virtual network"
}
variable "vnet_rg" {
type = string
description = "Name of the resource group where the virtual network resides"
}
在变量中识别解决方案名称solution_setting需要帮助
答:
-2赞
SoySolisCarlos
11/18/2023
#1
在命令执行期间遇到的错误表明 Terraform 需要变量的值,但未设置该值。的结构和要求在文件中的变量 definition 下定义。terraform plansolution_settingssolution_settingsvariables.tfsolution_settings
根据您的文件,似乎应该是一个复杂的结构(可能是映射或对象),包含多个嵌套字段,例如 、 、 、 、 、 和 。solutionsettings.tfsolution_settingssolution_namelocationresource_group_nameenvironmentdevops_tenant_idtagsvnet_namevnet_rg
确定所需的值solution_settings
若要正确提供 的值,需要构造与 Terraform 配置预期的结构匹配的对象或映射。这可以通过在命令行中传递选项或使用文件来完成。solution_settings-var.tfvars
下面是根据您提供的配置,该值可能如下所示的示例:solution_settings
solution_settings = {
solution_name = "YourSolutionName"
location = "YourLocation"
resource_group_name = "YourResourceGroupName"
environment = "dev" # or "prod"
devops_tenant_id = "YourDevOpsTenantId"
tags = {
Environment = "Dev"
Program = "YourProgram"
Project = "YourProject"
// ...other required tags as per your validation rules
}
vnet_name = "YourVNetName"
vnet_rg = "YourVNetResourceGroup"
}
您可以在文件中定义它,也可以直接在命令中传递它,如下所示:.tfvarsterraform plan
terraform plan -var 'solution_settings={"solution_name"="YourSolutionName", "location"="YourLocation", "resource_group_name"="YourResourceGroupName", "environment"="dev", "devops_tenant_id"="YourDevOpsTenantId", "tags"={"Environment"="Dev", "Program"="YourProgram", "Project"="YourProject"}, "vnet_name"="YourVNetName", "vnet_rg"="YourVNetResourceGroup"}' -out main.tfplan
要点
- 请确保您提供的值符合 Terraform 配置中设置的验证规则。
solution_settings - 命令行选项允许您设置单个变量,同时允许您指定包含变量定义的文件。
-var-var-file - 确保安全处理敏感信息(如 ),尤其是在通过命令行参数传递信息或将其存储在文件中时。
devops_tenant_id
使用此方法,应该能够为变量提供成功执行 Terraform 计划所需的值。solution_settings
评论
0赞
Swabha
11/19/2023
谢谢 Soy 的解释。我创建了 solution_settings.tfvars 文件: solution_settings { solution_name = “testmm” location = “westeurope” resource_group_name = “testrg” environment = “dev” devops_tenant_id = “***” tags = { } vnet_name = “vnetdemo01” vnet_rg = “testrg” } 当我创建这个 .tfvars 文件时,它会出错,例如“意外块:此处不应出现”solution_settings“类型的块Terraform”
0赞
Swabha
11/19/2023
错误输出:PS C:\> terraform plan -var-file=“solution_settings.tfvars” ╷ │ 错误:意外的“solution_settings”块 │ │ 在 solution_settings.tfvars 上 第 1 行: │ 1: solution_settings { │ │ 此处不允许使用块。
0赞
Vinay B
11/22/2023
#2
我尝试了使用解决方案设置变量的特定命名约定的代码 (azure key vault),我能够成功预配要求。
错误消息指示两个主要问题:
- 系统会提示您输入 和 的值,但未设置它们,从而导致错误。
var.solution_settingsvar.tags - 在不允许变量的某些上下文中使用变量。
这些变量需要正确定义并传递给 Terraform。文件中未提供默认值,因此必须通过命令行(Terraform.tfvars 文件)提供它们variables.tf
确保在允许的上下文中使用变量。Terraform 不允许在某些位置(例如模块源字段或提供程序配置)中使用变量。
我尝试了一个演示配置来使用变量传递解决方案设置并使用 terraform.tfvars 声明它们,因为我无法演示您正在寻找的完整配置。
我的 terraform 配置:
Main.tf:
provider "azurerm" {
features {}
}
data "azurerm_client_config" "current" {}
resource "azurerm_resource_group" "example" {
name = var.solution_settings["resource_group_name"]
location = var.location
}
resource "azurerm_virtual_network" "example" {
name = "edemovk-vnet"
address_space = ["10.0.0.0/16"]
location = var.location
resource_group_name = azurerm_resource_group.example.name
}
resource "azurerm_subnet" "example" {
name = "demovk-subnet"
resource_group_name = azurerm_resource_group.example.name
virtual_network_name = azurerm_virtual_network.example.name
address_prefixes = ["10.0.1.0/24"]
}
resource "azurerm_log_analytics_workspace" "example" {
name = "demovk-law"
location = var.location
resource_group_name = azurerm_resource_group.example.name
sku = "PerGB2018"
}
resource "azurerm_key_vault" "example" {
name = var.solution_settings["key_vault_name"]
location = var.location
resource_group_name = azurerm_resource_group.example.name
tenant_id = var.solution_settings["azure_tenant_id"]
sku_name = "standard"
tags = var.tags
soft_delete_retention_days = 7
purge_protection_enabled = true
}
resource "azurerm_key_vault_access_policy" "example" {
key_vault_id = azurerm_key_vault.example.id
tenant_id = var.solution_settings["azure_tenant_id"]
object_id = data.azurerm_client_config.current.object_id
secret_permissions = [
"Get",
"List",
"Set",
"Delete",
"Recover"
]
key_permissions = []
certificate_permissions = []
}
resource "azurerm_monitor_diagnostic_setting" "example" {
name = "${azurerm_key_vault.example.name}-log"
target_resource_id = azurerm_key_vault.example.id
log_analytics_workspace_id = azurerm_log_analytics_workspace.example.id
enabled_log {
category = "AuditEvent"
}
metric {
category = "AllMetrics"
enabled = true
}
}
resource "azurerm_private_endpoint" "example" {
name = "${azurerm_key_vault.example.name}-pe"
location = var.location
resource_group_name = azurerm_resource_group.example.name
subnet_id = azurerm_subnet.example.id
private_service_connection {
name = "${azurerm_key_vault.example.name}-psc"
is_manual_connection = false
private_connection_resource_id = azurerm_key_vault.example.id
subresource_names = ["vault"]
}
}
variable.tf:
variable "solution_settings" {
type = map(string)
description = "Settings for the solution"
}
variable "tags" {
type = map(string)
description = "Tags for the resources"
}
variable "location" {
description = "Azure region for the resources"
type = string
default = "West Europe"
}
terraform.tfvars:
solution_settings = {
resource_group_name = "demorg-vk"
key_vault_name = "vksbKeyVault"
azure_tenant_id = "your tenent ID"
}
tags = {
Environment = "Dev"
Project = "MyProject"
}
输出:
评论