在 terraform 模块中显式使用提供程序

【问题标题】:Explicitly use a provider within terraform module在 terraform 模块中显式使用提供程序
【发布时间】:2021-12-26 11:54:50
【问题描述】:

我试图在我的模块中显式调用提供程序以在 AzureCloud 和 AzureChinaCloud 中创建命名空间。 但是,我在这样做时遇到了问题。以下是我的配置:

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "=2.78.0"
    }
  }
  backend "azurerm" {
    resource_group_name = "Terraform-rg"
    storage_account_name = "terraformstate"
    container_name = "tfstate"
    subscription_id = "00000000-0000-0000-0000-000000000000"
    key = "prod"
  }
}

provider "azurerm" {
  features {}
}


provider "azurerm" {
  features {}
  alias           = "sub2"
  subscription_id = "xxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxxxxx"
  client_id       = "xxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxxxxx"
  client_secret   = var.client_secret
  tenant_id       = "xxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxxxxx"
  environment     = "china"
}

module "helm_ns_creation" {
  source = "./namespace/"
  providers = {
    azurerm = azurerm
    azurerm.sub2 = azurerm.sub2
   }
  applications = var.applications
  geo = var.geo
  ns_values = ["${file("../namespace/values.yaml")}"]
}

-------------------

provider "kubernetes" {
  config_path    = "config"
}

provider "helm" {
  kubernetes {
    config_path = "config"
  }
}

resource "kubernetes_namespace" "aks_namespace" {
  provider = azurerm.sub2
  for_each = {for ns in var.applications : ns.namespace_name => ns}
  metadata {
    annotations = {
      name = "${each.value.namespace_name}"
    }
    labels = {
      name = "${each.value.team_name}"
    }
    name = "${each.value.namespace_name}"
  }
  }

locals {
# get json
namespace_data = jsondecode(file(var.inputfile))
principal_ids = distinct([for principal in local.namespace_data.applications : principal.principal_id])
principal_ids_cn = distinct([for principal_cn in local.namespace_data.applications : principal_cn.principal_id_cn])
get_principal_ids = (var.geo == "cn" ? local.principal_ids_cn : local.principal_ids)
}

data "azurerm_subscription" "global" {
}

resource "azurerm_role_assignment" "custom" {
  for_each = toset(local.get_principal_ids)
  scope = data.azurerm_subscription.global.id
# scope = "/subscriptions/{$var.subscription_id}"
  role_definition_name = var.custom_role
  principal_id = each.key
}

resource "azurerm_role_assignment" "builtin" {
  for_each = toset(local.get_principal_ids)
  scope = data.azurerm_subscription.global.id
  role_definition_name = var.builtin_role
  principal_id = each.key
}

data "azurerm_subscription" "china" {
  provider = azurerm.sub2
}

resource "azurerm_role_assignment" "custom_cn" {
  for_each = toset(local.get_principal_ids)
  scope = data.azurerm_subscription.china.id
# scope = "/subscriptions/{$var.subscription_id}"
  role_definition_name = var.custom_role
  principal_id = each.key
}

resource "azurerm_role_assignment" "builtin_cn" {
  for_each = toset(local.get_principal_ids)
  scope = data.azurerm_subscription.china.id
  role_definition_name = var.builtin_role
  principal_id = each.key
}

当我运行代码在两个不同的云(中国和全球)中创建命名空间时,我仅在中国地区收到以下错误。但是,对于全球也是如此:

│ 错误:无法列出提供者注册状态,可能是由于凭据无效或服务主体没有使用资源管理器API的权限,Azure错误:resources.ProvidersClient#List:响应失败请求:StatusCode=404 -- 原始错误:autorest/azure:服务返回错误。 Status=404 Code="SubscriptionNotFound" Message="找不到订阅'xxxxxxx-xxxxxx-xxxx-xxxx-xxxxxxxxxx'。"

with provider["registry.terraform.io/hashicorp/azurerm"],
│   on main.tf line 18, in provider "azurerm":
│   18: provider "azurerm" {

现在中国供应商的订阅失败了。我如何使它适用于两个云(中国和全球)。如果需要任何其他详细信息,请告诉我..

【问题讨论】:

  • 您好@pk_dhruv,我可以知道您在命名空间定义中提到的提供者azurerm.mooncake 块在哪里吗?因为我看到中国云别名为“sub2”..
  • @AnsumanBal-MT .. 对错误感到抱歉.. 我现在已经编辑了它.. 我也试过在资源部分没有提供程序块,没有区别..
  • 我试过没有成功..我仍然得到同样的错误..
  • kubernetes_namespace 不是 azurerm 提供者的一部分,它是kubernetes 提供者的一部分。所以,为了使用 kubernetes namespace ,你应该使用 kubernetes provider 而不是 azure rm 。你可以参考这个link
  • @AnsumanBal-MT .. 我现在在我的查询中更新了代码.. 我需要按照上面的代码使用 azurerm.. 但是,这似乎不起作用并且失败了错误信息..

标签: azure terraform terraform-provider-azure azure-aks


【解决方案1】:

为了说明,我将整个代码分为 3 个部分,如下所述:

  1. 使用以下提供程序块,您必须已创建 AKS 群集的 在公共中国云中。

    terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "=2.78.0"
    }
  }
  backend "azurerm" {
    resource_group_name = "Terraform-rg"
    storage_account_name = "terraformstate"
    container_name = "tfstate"
    subscription_id = "00000000-0000-0000-0000-000000000000"
    key = "prod"
  }
}
provider "azurerm" {
  features {}
}
provider "azurerm" {
  features {}
  alias           = "sub2"
  subscription_id = "xxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxxxxx"
  client_id       = "xxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxxxxx"
  client_secret   = var.client_secret
  tenant_id       = "xxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxxxxx"
  environment     = "china"
}
resource "azurerm_kubernetes_cluster" "aks_cluster_public" {
  provider = azurerm
  name                = "ansuman-aks-001"
  location            = data.azurerm_resource_group.sub1.location
  resource_group_name = data.azurerm_resource_group.sub1.name
  dns_prefix          = "ansuman-aks-cluster"


.....
}

resource "azurerm_kubernetes_cluster" "aks_cluster_china" {
  provider = azurerm.sub2
  name                = "ansuman-aks-001"
  location            = data.azurerm_resource_group.sub1.location
  resource_group_name = data.azurerm_resource_group.sub1.name
  dns_prefix          = "ansuman-aks-cluster"


.....
}

  2. 创建 AKS 集群后,您可以在公共和中国使用 Kubernetes Providers 和创建 Kubernetes Namespace 云将如下所示:

    provider "kubernetes" {
  host                   = "${azurerm_kubernetes_cluster.aks_cluster_public.kube_config.0.host}"
  username               = "${azurerm_kubernetes_cluster.aks_cluster_public.kube_config.0.username}"
  password               = "${azurerm_kubernetes_cluster.aks_cluster_public.kube_config.0.password}"
  client_certificate     = base64decode("${azurerm_kubernetes_cluster.aks_cluster_public.kube_config.0.client_certificate}")
  client_key             = base64decode("${azurerm_kubernetes_cluster.aks_cluster_public.kube_config.0.client_key}")
  cluster_ca_certificate = base64decode("${azurerm_kubernetes_cluster.aks_cluster_public.kube_config.0.cluster_ca_certificate}")
}
provider "kubernetes" {
  alias = "sub2"
  host                   = "${azurerm_kubernetes_cluster.aks_cluster_china.kube_config.0.host}"
  username               = "${azurerm_kubernetes_cluster.aks_cluster_china.kube_config.0.username}"
  password               = "${azurerm_kubernetes_cluster.aks_cluster_china.kube_config.0.password}"
  client_certificate     = base64decode("${azurerm_kubernetes_cluster.aks_cluster_china.kube_config.0.client_certificate}")
  client_key             = base64decode("${azurerm_kubernetes_cluster.aks_cluster_china.kube_config.0.client_key}")
  cluster_ca_certificate = base64decode("${azurerm_kubernetes_cluster.aks_cluster_china.kube_config.0.cluster_ca_certificate}")
}

resource "kubernetes_namespace" "app_namespace_public" {
  provider = kubernetes
  metadata {
    name = "my-namespace"
  }
  depends_on = [
    azurerm_kubernetes_cluster.aks_cluster_public
  ]
}
resource "kubernetes_namespace" "app_namespace_china" {
  provider = kubernetes.sub2
  metadata {
    name = "my-namespace"
  }
  depends_on = [
    azurerm_kubernetes_cluster.aks_cluster_china
  ]
}

    正如您在 Kubernetes Provider 中看到的,我使用过 aks_cluster_configs 用于公共和中国,因为我也在创建 AKS 集群,如果您不创建 AKS 集群,那么您也可以使用 config paths,但概念将是相同的,即一个提供者用于公共,另一个用于中国和资源块也是如此。

  3. 以上完成后,就可以使用azurerm provider作为角色了 任务如下:

    data "azurerm_subscription" "global" {
  provider = azurerm.sub2
}

resource "azurerm_role_assignment" "custom" {
  provider = azurerm.sub2
  for_each = toset(local.get_principal_ids)
  scope = data.azurerm_subscription.global.id
  role_definition_name = var.custom_role
  principal_id = each.key
}

resource "azurerm_role_assignment" "builtin" {
  provider = azurerm
  for_each = toset(local.get_principal_ids)
  scope = data.azurerm_subscription.global.id
  role_definition_name = var.builtin_role
  principal_id = each.key
}

data "azurerm_subscription" "china" {
  provider = azurerm.sub2
}

resource "azurerm_role_assignment" "custom_cn" {
  provider = azurerm.sub2
  for_each = toset(local.get_principal_ids)
  scope = data.azurerm_subscription.china.id
  role_definition_name = var.custom_role
  principal_id = each.key
}

resource "azurerm_role_assignment" "builtin_cn" {
  provider = azurerm.sub2
  for_each = toset(local.get_principal_ids)
  scope = data.azurerm_subscription.china.id
  role_definition_name = var.builtin_role
  principal_id = each.key
}

注意:如果您也在使用Helm Provider,那么您必须在此处遵循与 Kubernetes Provider 相同的概念,您可以参考此Terraform Helm Provider Documentation。请确保按照我们配置 azurermkubernetes 提供程序的方式进行配置,并在模块或资源块中使用相同的方式。

我在具有 AKS 集群、命名空间和内置角色且没有自定义角色的环境中使用以下代码测试了上述内容,输出如下:

我的 Main.tf 文件:

provider "azurerm" {
  features {}
}
provider "azurerm" {
  alias = "sub2"
  subscription_id = "948d4068-xxxx-xxxx-xxxx-e00a844e059b"
  tenant_id = "72f988bf-xxxx-xxxx-xxxx-2d7cd011db47"
  client_id = "f6a2f33d-xxxx-xxxx-xxxx-d713a1bb37c0"
  client_secret = "inl7Q~Gvddxxxx-xxxx-xxxxaGPF3uSoL"
  features {}
}

data "azurerm_resource_group" "sub2" {
  provider = azurerm.sub2
  name = "ansumantest"
}
data "azurerm_resource_group" "sub1" {
  provider = azurerm
  name = "xxx-ansbal-xxxx"
}
resource "azurerm_kubernetes_cluster" "aks_cluster_public" {
  provider = azurerm
  name                = "ansuman-aks-001"
  location            = data.azurerm_resource_group.sub1.location
  resource_group_name = data.azurerm_resource_group.sub1.name
  dns_prefix          = "ansuman-aks-cluster"

  default_node_pool {
    name                  = "default"
    vm_size               = "Standard_D2_v2"
    availability_zones    = [1, 2]
    enable_auto_scaling   = true
    max_count             = 4
    min_count             = 1
    node_count            = 2
    type                  = "VirtualMachineScaleSets"
  }

  network_profile {
    network_plugin = "kubenet"
  }

  service_principal {
    client_id     = "f6a2f33d-xxxx-xxxx-xxxx-d713a1bb37c0"
    client_secret = "inl7Q~Gvxxxx-xxxx-xxxxiyaGPF3uSoL"
  }
  role_based_access_control {
    enabled = true
  }

}

resource "azurerm_kubernetes_cluster" "aks_cluster_china" {
  provider = azurerm.sub2
  name                = "ansuman-aks-001"
  location            = data.azurerm_resource_group.sub2.location
  resource_group_name = data.azurerm_resource_group.sub2.name
  dns_prefix          = "ansuman-aks-cluster"

  default_node_pool {
    name                  = "default"
    vm_size               = "Standard_D2_v2"
    availability_zones    = [1, 2]
    enable_auto_scaling   = true
    max_count             = 4
    min_count             = 1
    node_count            = 2
    type                  = "VirtualMachineScaleSets"
  }

  network_profile {
    network_plugin = "kubenet"
  }

  service_principal {
    client_id     = "f6a2f33d-xxxx-xxxx-xxxx-d713a1bb37c0"
    client_secret = "inl7Q~Gvddxxxx-xxxx-xxxx6ntiyaGPF3uSoL"
  }
  role_based_access_control {
    enabled = true
  }

}

provider "kubernetes" {
  host                   = "${azurerm_kubernetes_cluster.aks_cluster_public.kube_config.0.host}"
  username               = "${azurerm_kubernetes_cluster.aks_cluster_public.kube_config.0.username}"
  password               = "${azurerm_kubernetes_cluster.aks_cluster_public.kube_config.0.password}"
  client_certificate     = base64decode("${azurerm_kubernetes_cluster.aks_cluster_public.kube_config.0.client_certificate}")
  client_key             = base64decode("${azurerm_kubernetes_cluster.aks_cluster_public.kube_config.0.client_key}")
  cluster_ca_certificate = base64decode("${azurerm_kubernetes_cluster.aks_cluster_public.kube_config.0.cluster_ca_certificate}")
}
provider "kubernetes" {
  alias = "sub2"
  host                   = "${azurerm_kubernetes_cluster.aks_cluster_china.kube_config.0.host}"
  username               = "${azurerm_kubernetes_cluster.aks_cluster_china.kube_config.0.username}"
  password               = "${azurerm_kubernetes_cluster.aks_cluster_china.kube_config.0.password}"
  client_certificate     = base64decode("${azurerm_kubernetes_cluster.aks_cluster_china.kube_config.0.client_certificate}")
  client_key             = base64decode("${azurerm_kubernetes_cluster.aks_cluster_china.kube_config.0.client_key}")
  cluster_ca_certificate = base64decode("${azurerm_kubernetes_cluster.aks_cluster_china.kube_config.0.cluster_ca_certificate}")
}

resource "kubernetes_namespace" "app_namespace_public" {
  provider = kubernetes
  metadata {
    name = "my-namespace"
  }
  depends_on = [
    azurerm_kubernetes_cluster.aks_cluster_public
  ]
}
resource "kubernetes_namespace" "app_namespace_china" {
  provider = kubernetes.sub2
  metadata {
    name = "my-namespace"
  }
  depends_on = [
    azurerm_kubernetes_cluster.aks_cluster_china
  ]
}

data "azurerm_subscription" "global" {
  provider = azurerm
}
data "azurerm_client_config" "global" {
  provider = azurerm
}
resource "azurerm_role_assignment" "builtin" {
  provider = azurerm
  scope = data.azurerm_resource_group.sub1.id
  role_definition_name = "Azure Kubernetes Service Cluster Admin Role"
  principal_id = data.azurerm_client_config.global.object_id
}

data "azurerm_subscription" "china" {
  provider = azurerm.sub2
}
data "azurerm_client_config" "China" {
  provider = azurerm.sub2
}
resource "azurerm_role_assignment" "builtin_cn" {
  provider = azurerm.sub2
  scope = data.azurerm_subscription.china.id
  role_definition_name = "Azure Kubernetes Service Cluster Admin Role"
  principal_id = data.azurerm_client_config.China.object_id
}

输出:

注意:我只在公共云中使用了 2 次订阅,因为我没有中国云订阅,但不同云也一样,请务必添加 environment azurerm 提供程序块中的参数。

【讨论】:

  • 感谢您尝试这个复杂的场景。感谢您的努力。但是,当订阅来自同一个公共云时,我能够让事情正常运行。只有当它在不同的云,比如一个在公共的云和一个在中国的..我在提供程序部分添加了环境,希望它可以工作..但是,它不起作用,而且中国和公共的订阅都没有被阅读..跨度>
  • Hey AnsumanBal.. 我们知道了.. 我会尽快分享答案.. 感谢您的努力..
  • 确定@pk_dhruv。
【解决方案2】:

我通过使用提供程序块中的条件解决了这个问题..

provider "azurerm" {
  subscription_id = var.subscription_id 
  client_id       = var.geo == "cn" ? var.client_id_cn : var.client_id
  client_secret   = var.geo == "cn" ? var.client_secret_cn : var.client_secret
  tenant_id       = var.geo == "cn" ? var.tenant_id_cn : var.tenant_id
  environment     = var.geo == "cn" ? "china" : "public"
  features {}
}

module "helm_ns_creation" {
  source = "./namespace/"
  applications = var.applications
  geo = var.geo
  values = ["${file("../namespace/values.yaml")}"]
}

-------

## data block for reading subscription

data "azurerm_subscription" "current" {
}

resource "azurerm_role_assignment" "custom" {
  for_each = toset(local.get_principal_ids)
  scope = data.azurerm_subscription.current.id
  role_definition_name = var.custom_role
  principal_id = each.key
}

resource "azurerm_role_assignment" "builtin" {
  for_each = toset(local.get_principal_ids)
  scope = data.azurerm_subscription.current.id
  role_definition_name = var.builtin_role
  principal_id = each.key
}

这只是多提供者使用的所有别名。因此,当变量 geo 为 china 时,它将使用 provider 中的变量 for china,如果不等于 china,它将使用 provider 中的其他变量。这样,提供者根据条件切换,就像一个魅力..

【讨论】:

    猜你喜欢
    • 1970-01-01
    • 2021-01-03
    • 2019-11-23
    • 2018-12-15
    • 1970-01-01
    • 2021-04-02
    • 2020-02-12
    • 2021-05-03
    • 2021-03-29
    相关资源
    最近更新 更多
    热门标签
    Java Python linux javascript Mysql C# Docker 算法 前端 SpringBoot Redis Vue spring 设计模式 .net core .net kubernetes c++ 数据库 数据结构 大数据 js 机器学习 微服务 Android Go 程序员 面试 JVM ASP.net core 云原生 人工智能 后端 PHP git CSS golang k8s Nginx Django mybatis 深度学习 多线程 React 架构 devops 爬虫 云计算 Spring Boot LeetCode