【Question title】: How do I prevent Terraform from destroying the virtual machine after changing the key vault or changing the VM credentials?
【Posted】: 2023-01-31 19:07:58
【Question】:
I am trying to change the key vault that my virtual machine uses in Terraform. When I try to apply the change, Terraform then tries to replace the virtual machine along with the new key vault. How do I change only the key vault the VM uses, or change the credentials in Terraform, without destroying the virtual machine?
I tried using lifecycle (prevent_destroy = true) but it fails with this message:
```text
Error: Instance cannot be destroyed

  on .terraform\modules\avd_vm\Modules\AVD_VM\main.tf line 388:
 388: resource "azurerm_windows_virtual_machine" "acumen_vm_kv" {

Resource module.avd_vm.azurerm_windows_virtual_machine.acumen_vm_kv has
lifecycle.prevent_destroy set, but the plan calls for this resource to be
destroyed. To avoid this error and continue with the plan, either disable
lifecycle.prevent_destroy or reduce the scope of the plan using the -target
flag.
```
【Discussion】:
Tags:
terraform
azure-keyvault
azure-virtual-machine
destroy
【Solution 1】:
I tried to reproduce the same thing from scratch.
Got the same error:
```text
Resource vmpassword has lifecycle.prevent_destroy set, but the plan calls for this resource to be destroyed. To avoid this error and continue
with the plan, either disable lifecycle.prevent_destroy or reduce the scope of the plan using the -target flag
```
Note: if you are trying to use two different Key Vaults for the VM, it is better to use another resource block for the new key vault.
```hcl
# Secret stored in the original vault (kv1). azurerm_key_vault.kv1,
# data.azurerm_resource_group.example, data.azurerm_client_config.current and
# random_password.vmpassword are declared elsewhere in the configuration.
resource "azurerm_key_vault_secret" "vmpassword" {
  name         = "vmpassword"
  value        = random_password.vmpassword.result
  key_vault_id = azurerm_key_vault.kv1.id
  depends_on   = [azurerm_key_vault.kv1]

  lifecycle {
    prevent_destroy = true
  }
}

# The new vault gets its own resource block instead of editing kv1 in place.
resource "azurerm_key_vault" "kv2" {
  //depends_on = [ azurerm_resource_group.rg2 ]
  name                        = "kavy-newkv2"
  resource_group_name         = data.azurerm_resource_group.example.name
  location                    = data.azurerm_resource_group.example.location
  enabled_for_disk_encryption = true
  tenant_id                   = data.azurerm_client_config.current.tenant_id
  soft_delete_retention_days  = 7
  purge_protection_enabled    = false
  sku_name                    = "standard"

  access_policy {
    tenant_id = data.azurerm_client_config.current.tenant_id
    object_id = data.azurerm_client_config.current.object_id

    key_permissions = [
      "Get", "Create", "Decrypt", "Delete", "Encrypt", "Update"
    ]
    secret_permissions = [
      "Get", "Backup", "Delete", "List", "Purge", "Recover", "Restore", "Set",
    ]
    storage_permissions = [
      "Get", "Restore", "Set"
    ]
  }
}

# The same secret written into the new vault. This needs a distinct resource
# name: a second `azurerm_key_vault_secret "vmpassword"` block would be a
# duplicate-resource error, so it is named vmpassword_kv2 and points at kv2.
resource "azurerm_key_vault_secret" "vmpassword_kv2" {
  name         = "vmpassword"
  value        = random_password.vmpassword.result
  key_vault_id = azurerm_key_vault.kv2.id
  depends_on   = [azurerm_key_vault.kv2]
}
```
Manually import each resource so that it shows up in your state file. Terraform tracks each resource separately.
References:
- Terraform prevent deletion of resource - Stack Overflow
- https://developer.hashicorp.com/terraform/language/meta-arguments/lifecycle#prevent_destroy
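A pre-apply check for this situation, added here as an example and not part of the question or the answer above: it reads the JSON form of a Terraform plan and reports which resources would be replaced (destroy and create) and which attribute paths force the replacement, so the forcing attribute is known before `prevent_destroy` or `-target` come into play. The field names follow Terraform's documented JSON plan format (`resource_changes[].change.actions` and `change.replace_paths`); the embedded plan document is constructed for illustration, not output from the poster's configuration, and its resource addresses are assumed.

```python
"""Pre-apply gate for Terraform plans: list every resource the plan would
replace (destroy + create) and the attribute paths that force it.

Produce the input with:
    terraform plan -out=tfplan
    terraform show -json tfplan > plan.json
    python plan_gate.py plan.json
Field names follow Terraform's JSON plan format
(resource_changes[].change.actions / replace_paths).
"""
import json
import sys

# Constructed sample shaped like `terraform show -json` output (not real
# output from the question): the VM is replaced because admin_password
# changed, a secret is created in the new vault, the old vault is untouched.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.1",
    "resource_changes": [
        {
            "address": "module.avd_vm.azurerm_windows_virtual_machine.acumen_vm_kv",
            "type": "azurerm_windows_virtual_machine",
            "name": "acumen_vm_kv",
            "change": {
                "actions": ["delete", "create"],
                "replace_paths": [["admin_password"]],
            },
        },
        {
            "address": "azurerm_key_vault_secret.vmpassword_kv2",
            "type": "azurerm_key_vault_secret",
            "name": "vmpassword_kv2",
            "change": {"actions": ["create"]},
        },
        {
            "address": "azurerm_key_vault.kv1",
            "type": "azurerm_key_vault",
            "name": "kv1",
            "change": {"actions": ["no-op"]},
        },
    ],
})


def _path_to_str(path):
    """replace_paths entries are lists of keys/indexes, e.g. ["os_disk", 0, "caching"]."""
    return ".".join(str(step) for step in path)


def replacements(plan_json):
    """Return [(address, [forcing attribute paths])] for each resource whose
    planned actions are a replacement, in either delete/create order."""
    plan = json.loads(plan_json)
    found = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        if set(change.get("actions", [])) != {"delete", "create"}:
            continue
        paths = [_path_to_str(p) for p in change.get("replace_paths", [])]
        found.append((rc["address"], paths))
    return found


def destroys(plan_json):
    """Return addresses planned for a plain destroy (no re-create); these
    trip lifecycle.prevent_destroy just as replacements do."""
    plan = json.loads(plan_json)
    return [rc["address"] for rc in plan.get("resource_changes", [])
            if rc.get("change", {}).get("actions") == ["delete"]]


def gate(plan_json):
    """CI exit status: 0 when no resource is replaced or destroyed, else 1,
    after printing each offending address and what forces the change."""
    bad = False
    for address, paths in replacements(plan_json):
        bad = True
        why = ", ".join(paths) if paths else "(replace_paths not reported)"
        print(f"REPLACE {address}: forced by {why}")
    for address in destroys(plan_json):
        bad = True
        print(f"DESTROY {address}")
    return 1 if bad else 0


if __name__ == "__main__":
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PLAN
    sys.exit(gate(data))
```

Once the forcing attribute is known the fix can be targeted. In the sample it is `admin_password`, which the azurerm provider documents as forcing a new `azurerm_windows_virtual_machine`, so pointing the VM at a secret in a different vault changes that value and the plan becomes a replacement. `prevent_destroy` only blocks the apply; it does not change what the plan wants. The non-destructive options are to rotate the credential outside Terraform and add `lifecycle { ignore_changes = [admin_password] }` on the VM so the stored value is no longer compared, or to keep the existing VM in state via import as the answer suggests.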