amazon-web-services - 带有 KMS 加密密码的 MySQL 用户名和密码的 Terraform 列表
问题描述
我正在使用 Terraform 来管理数据库中的 MySQL 用户。我想从变量中提取用户名、密码和权限。
由于 Terraform 0.12,以下内容非常适合赠款:
resource "mysql_grant" "ro" {
for_each = var.db_grants
user = each.key
host = "%"
database = mysql_database.app.name
privileges = each.value["privileges"]
table = ""
tls_option = ""
}
variable "db_grants" {
default = {
"user1" = {
"privileges" = ["SELECT"]
}
}
}
这种方法也适用于密码:
resource "mysql_user" "ro" {
for_each = var.db_passwds
user = each.key
host = "%"
plaintext_password = each.value["password"]
tls_option = ""
}
variable "db_passwds" {
default = {
"user1" = {
"password" = "password"
}
}
}
但是,我想使用数据源 aws_kms_secrets 作为密码。我已经读过应该可以将 for_each 用于数据源 - https://www.terraform.io/docs/configuration/data-sources.html但我不确定 aws_kms_secrets 数据源和 mysql_user 的语法资源让这个工作。
我尝试了各种方法,还尝试使用 mysql_user 资源进行计数和查找,但始终保持空白!包括这个答案
使用以下代码
data "aws_kms_secrets" "mysql-ro" {
dynamic "secret" {
for_each = var.db_passwords
content {
name = secret.name
payload = secret.payload
}
}
}
variable "db_passwords" {
default = {
user1 = "AQICAHiDBkUhG...etc"
user2 = "AQICAHiDBkJiH...etc"
}
}
我收到以下错误:
Error: Unsupported attribute
on data.tf line 37, in data "aws_kms_secrets" "mysql-ro":
37: name = secret.name
This object does not have an attribute named "name".
Error: Unsupported attribute
on data.tf line 38, in data "aws_kms_secrets" "mysql-ro":
38: payload = secret.payload
This object does not have an attribute named "payload".
对于以下代码:
resource "mysql_user" "ro" {
count = "${length(var.db_users)}"
user = "${lookup(var.db_users[count.index], "username")}"
host = "%"
plaintext_password = "${lookup(data.aws_kms_secrets.mysql-ro.plaintext), element(keys(var.db_passwords), count.index)}"
tls_option = ""
}
variable "db_passwords" {
default = {
user1 = "AQICAHiDBkUhG...etc"
user2 = "AQICAHiDBkJiH...etc"
}
}
variable "db_users" {
description = "Username and Passwords"
default = [
{
"username" = "user1"
"password" = "AQICAHiDBkUhG...etc"
},
{
"username" = "user2"
"password" = "AQICAHiDBkJiH...etc"
}
]
}
我收到此错误:
Error: Extra characters after interpolation expression
on main.tf line 115, in resource "mysql_user" "ro":
115: plaintext_password = "${lookup(data.aws_kms_secrets.mysql-ro.plaintext), element(keys(var.db_passwords), count.index)}"
Expected a closing brace to end the interpolation expression, but found extra
characters.
任何想法表示赞赏。最终,我希望能够从变量文件中提取 KMS 加密密码。
解决方案
您可以将dynamic
块与aws_kms_secrets
数据源一起使用,如下所示:
data "aws_kms_secrets" "mysql-ro" {
dynamic "secret" {
for_each = var.db_passwords
content {
name = secret.key
payload = secret.value
}
}
}
variable "db_passwords" {
default = {
user1 = "AQICAH..."
user2 = "AQICAH..."
}
}
output "user_passwords_plaintext" {
value = data.aws_kms_secrets.mysql-ro.plaintext
}
如果您想将其馈送到mysql_user
资源中,您希望for_each
在资源上使用类似以下内容:
resource "mysql_user" "ro" {
for_each = data.aws_kms_secrets.mysql-ro.plaintext
user = each.key
host = "%"
plaintext_password = each.value
tls_option = ""
}
推荐阅读
- javascript - package.json 中指定的依赖项
- ios - jenkins 无法构建共享扩展 ios xcode
- javascript - jquery父子选择器返回未定义
- java - 以 ServletContext 作为参数的工厂方法与构造函数
- angular - ionic Framework 3 firebase google 身份验证
- php - 管理员 Woocommerce 产品列表页面中显示的自定义价格计算
- python - 仅从二进制文件python中的字典中读取某些键
- node.js - 未加载 require 的模块的 Jest/Istanbul 覆盖率
- android - 如何在 RecylerView 中显示来自 Android 中 Firestore 的多个集合的数据
- java - 拆分 JavaFX 控制器类