[Question title]: How do I prevent Terraform from destroying the virtual machine after changing keyvault or change of vm credentials?
[Posted]: 2023-01-31 19:07:58
[Question]:

I am trying to change the key vault that my virtual machine uses in Terraform. When I try to apply the change, Terraform then tries to replace the virtual machine along with the new key vault. How can I change only the keyvault the VM uses, or change the credentials in Terraform, without destroying the virtual machine?

I tried using lifecycle (prevent_destroy = true), but it fails with this message:

```
Error: Instance cannot be destroyed

  on .terraform\modules\avd_vm\Modules\AVD_VM\main.tf line 388:
 388: resource "azurerm_windows_virtual_machine" "acumen_vm_kv" {

Resource module.avd_vm.azurerm_windows_virtual_machine.acumen_vm_kv has lifecycle.prevent_destroy set, but the plan calls for this resource to be destroyed. To avoid this error and continue with the plan, either disable lifecycle.prevent_destroy or reduce the scope of the plan using the -target flag.
```

[Comments]:

  • Does Azure allow an update in this scenario?

Tags: terraform azure-keyvault azure-virtual-machine destroy


[Answer 1]:

I tried to reproduce the same thing from scratch.

I got the same error:

```
Resource vmpassword has lifecycle.prevent_destroy set, but the plan calls for this resource to be destroyed. To avoid this error and continue
with the plan, either disable lifecycle.prevent_destroy or reduce the scope of the plan using the -target flag
```

Note: if you are trying to use two different Key Vaults for the VM, it is better to use a separate resource block for the new key vault.

```hcl
# Secret stored in the original vault (kv1). prevent_destroy is what raises the
# error above whenever a plan would remove this resource.
resource "azurerm_key_vault_secret" "vmpassword" {
  name         = "vmpassword"
  value        = random_password.vmpassword.result
  key_vault_id = azurerm_key_vault.kv1.id
  depends_on   = [azurerm_key_vault.kv1]

  lifecycle {
    prevent_destroy = true
  }
}

# The new vault, declared as its own resource.
resource "azurerm_key_vault" "kv2" {
  # depends_on = [azurerm_resource_group.rg2]
  name                        = "kavy-newkv2"
  resource_group_name         = data.azurerm_resource_group.example.name
  location                    = data.azurerm_resource_group.example.location
  enabled_for_disk_encryption = true
  tenant_id                   = data.azurerm_client_config.current.tenant_id
  soft_delete_retention_days  = 7
  purge_protection_enabled    = false
  sku_name                    = "standard"

  access_policy {
    tenant_id = data.azurerm_client_config.current.tenant_id
    object_id = data.azurerm_client_config.current.object_id
    key_permissions = [
      "Get", "Create", "Decrypt", "Delete", "Encrypt", "Update"
    ]
    secret_permissions = [
      "Get", "Backup", "Delete", "List", "Purge", "Recover", "Restore", "Set",
    ]
    storage_permissions = [
      "Get", "Restore", "Set"
    ]
  }
}

# The same secret in the new vault, as a separate resource block with its own
# name so Terraform tracks it independently of the kv1 copy (two blocks with
# the same type and name would not validate).
resource "azurerm_key_vault_secret" "vmpassword_kv2" {
  name         = "vmpassword"
  value        = random_password.vmpassword.result
  key_vault_id = azurerm_key_vault.kv2.id
  depends_on   = [azurerm_key_vault.kv2]
}
```

Import each resource manually so that it shows up in your state file. Terraform tracks each resource individually.

References:

  1. Terraform prevent deletion of resource - Stack Overflow
  2. https://developer.hashicorp.com/terraform/language/meta-arguments/lifecycle#prevent_destroy
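Because the error only appears at apply time, a pre-apply check over the JSON plan (`terraform show -json tfplan`) catches a planned VM replacement earlier. This is an added example, not code from the answer above; the plan document is constructed inline and trimmed to the fields the check reads, and the resource addresses are taken from the question and answer.

```python
import json

# Constructed sample of `terraform show -json tfplan` output, reduced to the
# fields used below. The VM address is the one from the question.
SAMPLE_PLAN_JSON = json.dumps({
    "format_version": "1.1",
    "resource_changes": [
        {"address": "azurerm_key_vault.kv2",
         "type": "azurerm_key_vault",
         "change": {"actions": ["create"]}},
        {"address": "module.avd_vm.azurerm_windows_virtual_machine.acumen_vm_kv",
         "type": "azurerm_windows_virtual_machine",
         "change": {"actions": ["delete", "create"]},
         "action_reason": "replace_because_cannot_update"},
        {"address": "azurerm_key_vault_secret.vmpassword",
         "type": "azurerm_key_vault_secret",
         "change": {"actions": ["delete"]}},
        {"address": "azurerm_key_vault.kv1",
         "type": "azurerm_key_vault",
         "change": {"actions": ["no-op"]}},
    ],
})


def destructive_changes(plan_json: str) -> list[dict]:
    """Return every planned change that destroys a resource.

    A replacement appears as ["delete", "create"] (or the reverse order)
    in change.actions; a plain destroy appears as ["delete"]."""
    plan = json.loads(plan_json)
    found = []
    for rc in plan.get("resource_changes", []):
        actions = rc.get("change", {}).get("actions", [])
        if "delete" in actions:
            found.append({
                "address": rc["address"],
                "type": rc.get("type", ""),
                "kind": "replace" if "create" in actions else "destroy",
                "reason": rc.get("action_reason", "unspecified"),
            })
    return found


def plan_is_safe(plan_json: str,
                 protected_types: tuple[str, ...] = ("azurerm_windows_virtual_machine",)) -> bool:
    """True when no resource of a protected type is destroyed or replaced."""
    return not any(c["type"] in protected_types for c in destructive_changes(plan_json))


if __name__ == "__main__":
    for c in destructive_changes(SAMPLE_PLAN_JSON):
        print(f"{c['kind']:8} {c['address']} ({c['reason']})")
    print("safe to apply:", plan_is_safe(SAMPLE_PLAN_JSON))
```

Run it against a real plan with `terraform plan -out=tfplan && terraform show -json tfplan > plan.json` and pass the file contents to `plan_is_safe`; a false result means the VM would be replaced, before prevent_destroy ever fires.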

[Discussion]:
