1

我目前正在 Terraform 中编写一些新的 Azure 基础架构的脚本,并使用嵌套模块来执行此操作,以使我们基础架构的不同部分的管理和部署变得更好和受限。

我创建了一个名为global,其中包含多个共享资源(几乎只是 azure 资源组和权限)以及一些 azure 广告查找和当前的客户端配置。将这些放在一个中央模块中似乎很有意义,可以避免代码重用并确保在整个项目中始终如一地处理它们。

但是,我注意到当我terraform destroy任何模块运行时,全局模块中的所有对象都被标记为被销毁。有没有办法从销毁过程中排除嵌套模块?

我实际上是否应该将我的全局模块中的资源创建(它们是专门的资源组和应用于这些资源组的权限)放在一个单独的非嵌套模块中,然后使用我的嵌套全局模块的数据模块来查看提高他们的价值观等?

全局模块的示例代码:-

data "azurerm_client_config" "current" {}

data "azurerm_subscription" "subscription_current" {}

data "azuread_group" "dba" {
  name = "DBAs"
}

data "azuread_group" "bi-developer" {
  name = "BIDevelopers"
}

## local variables

locals {
  subscription_name = substr(lower("${data.azurerm_subscription.subscription_current.display_name}"),0,4)
  tenant_id = data.azurerm_subscription.subscription_current.tenant_id
}

## Create resource group and add permission

resource "azurerm_resource_group" "data" {
  name     = "data"
  location = var.location

  tags = {
    owner       = "Data"
    environment = local.subscription_name
  }
}

resource "azurerm_role_assignment" "DBA_Data_Permission" {
    scope = azurerm_resource_group.data.id
    role_definition_name = var.permission_level
    principal_id = data.azuread_group.dba.id
}

resource "azurerm_resource_group" "key-vault" {
  name     = "key-vault"
  location = var.location

  tags = {
    owner       = "techops"
    environment = local.subscription_name
  }
}

## Output Locals

output "subscription_name" {
    value = local.subscription_name
}

output "tenant_id" {
    value = local.tenant_id
}

output "object_id" {
    value = data.azurerm_client_config.current.object_id
}

## Output Resource Groups

output "rg_data_id" {
    value = azurerm_resource_group.data.id
}

output "rg_data_name" {
    value = azurerm_resource_group.data.name
}

output "rg_key-vault_id" {
    value = azurerm_resource_group.key-vault.id
}

output "rg_key-vault_name" {
    value = azurerm_resource_group.key-vault.name
}

## Output Azure AD lookups

output "aad_dba_id" {
    value = data.azuread_group.dba.id
}

output "aad_dba_name" {
    value = data.azuread_group.dba.name
}

output "aad_bi-developer_id" {
    value = data.azuread_group.bi-developer.id
}

output "aad_data-science_id" {
    value = data.azuread_group.data-science.id
}

以及在我的一个嵌套模块中的用法示例,以在此实例中创建数据库资源:-

module "global" {
  source = "../global"
  permission_level = var.permission_level
  location = var.location
  prefix = var.prefix
}

resource "azurerm_sql_server" "dwh" {
  name                         = "${var.prefix}-dwh-${module.global.subscription_name}"
  resource_group_name          = module.global.rg_data_name
  location                     = var.location
  version                      = "12.0"
  administrator_login          = var.sql_login_name
  administrator_login_password = var.sql_login_password

  tags = {
    environment = module.global.subscription_name
    owner       = "Data"
    subscription = "${module.global.subscription_name}"
  }
}

resource "azurerm_sql_active_directory_administrator" "dwh" {
  server_name          = azurerm_sql_server.dwh.name
  resource_group_name = module.global.rg_data_name
  login               = module.global.aad_dba_name
  tenant_id           = module.global.tenant_id
  object_id           = module.global.aad_dba_id
}

resource "azurerm_mssql_elasticpool" "dwh-ep" {
  name                = "${var.prefix}-dwh-${module.global.subscription_name}"
  resource_group_name = module.global.rg_data_name
  location            = var.location
  server_name         = azurerm_sql_server.dwh.name
  max_size_gb         = 1000

  sku {
      name  = "GP_Gen5"
      tier  = "GeneralPurpose"
      family = "Gen5"
      capacity = 6
  }

  per_database_settings {
    min_capacity = 0.25
    max_capacity = 4
  }

  depends_on = [azurerm_sql_server.dwh,azurerm_sql_active_directory_administrator.dwh]
}

然后在一个单独的模块中,使用以下代码创建一个密钥库,重用全局模块的一些输出:-

module "global" {
  source = "../global"
  permission_level = var.permission_level
  location = var.location
  prefix = var.prefix
}

resource "azurerm_key_vault" "data" {
    name = "${var.prefix}-data-${module.global.subscription_name}"
    location = var.location
    resource_group_name = "${module.global.rg_key-vault_name}"
    enabled_for_disk_encryption = true
    tenant_id = module.global.tenant_id

    sku_name = "standard"

    tags = {
        environment = module.global.subscription_name
        owner = "data"
    }
}

resource "azurerm_key_vault_access_policy" "data-bi-developer" {
    key_vault_id = "${azurerm_key_vault.data.id}"
    tenant_id = module.global.tenant_id
    object_id = module.global.aad_bi-developer_id

    certificate_permissions = ["get","list"]
    key_permissions = ["get", "list"]
    secret_permissions = ["get", "list"]   
}

resource "azurerm_key_vault_access_policy" "data-admin" {
    key_vault_id = "${azurerm_key_vault.data.id}"
    tenant_id = module.global.tenant_id
    object_id = "${module.global.object_id}"

certificate_permissions = [
      "create",
      "delete",
      "deleteissuers",
      "get",
      "getissuers",
      "import",
      "list",
      "listissuers",
      "managecontacts",
      "manageissuers",
      "setissuers",
      "update",
    ]

    key_permissions = [
      "backup",
      "create",
      "decrypt",
      "delete",
      "encrypt",
      "get",
      "import",
      "list",
      "purge",
      "recover",
      "restore",
      "sign",
      "unwrapKey",
      "update",
      "verify",
      "wrapKey",
    ]

    secret_permissions = [
      "backup",
      "delete",
      "get",
      "list",
      "purge",
      "recover",
      "restore",
      "set",
    ]
}
4

1 回答 1

1

好的,设法解决了这个问题,基本上将全局模块分成三个模块;一种是通过 terraform 保存根本没有创建的资源作为查找(例如订阅、azure ad 等),一种是创建资源组并应用权限,另一种是纯粹的数据模块,用于读取资源组其他模块。

于 2020-01-02T16:49:57.887 回答