Terraform for-每个都有对象地图和列表

Question

我需要实现嵌套的for -每个循环，以定义服务帐户map(object)，计划创建什么，以及visibility将访问存储在RBAC的Azure密钥库中的一个包含其密码的秘密。

我检查了多篇文章，并试图应用它们，但是没有成功。这里的问题是，当每个principal_id都已经就位时，如何访问单个的

可变定义：

variable "user_collection" {
  type = map(object({
      name       = string,
      role       = string,
      namespace  = string,
      warehouse  = string,
      ## What user (ObjectID within AAD should have access to generated password)
      visibility = list(string)
    }))
}

在这里，我试图为两个人提供对用户密码的访问：

module "SVC_USERS" {
  source              = "./user-module"
  user_collection   = {
    user_1 = {
    name       = "TEST_SVC_1"
    namespace  = "ADMINISTRATION"
    role       = "PUBLIC"
    warehouse  = "ADMIN_WH"
    visibility = ["b9ad7db3-ea64-4815-aad5-a5a72b5bbee9", "d634ebdf-6928-427c-9678-fc3bad8eccc4"] 
  }
 }
}

设置基于角色的对创建的秘密的访问

# Provide access to see generated passwords for key users
resource "azurerm_role_assignment" "secret_access_provision" {
  for_each             = var.user_collection
  scope                = "${module.variables.keyVault-id}/secrets/${replace(each.value["name"] , "_", "-")}"
  role_definition_name = "Key Vault Secrets User"
  principal_id = each.value.visibility
}

Answer 1

如果我对您的理解是正确的，我相信您需要使用每个可见id来压扁用户对象的产品。我相信你可以这样做。

注意:我已经将user_collection的缩写版本显示为本地版本，但您可以用var替换local.user_collection。

locals {
  user_collection = {
    user_1 = {
      name       = "TEST_SVC_1"
      visibility = ["b9ad7db3-ea64-4815-aad5-a5a72b5bbee9", "d634ebdf-6928-427c-9678-fc3bad8eccc4"]
    }
  }

  user_vis = flatten([
    for user, cfg in local.user_collection : [
      for id in cfg.visibility : {
        user = user
        cfg  = cfg
        id   = id
      }
    ]
  ])
}

然后你可以做这样的事情：

resource "azurerm_role_assignment" "secret_access_provision" {
  for_each = { for uv in local.user_vis : "${uv.user}-${uv.id}" => uv }

  scope                = "${module.variables.keyVault-id}/secrets/${replace(each.value.cfg.name, "_", "-")}"
  role_definition_name = "Key Vault Secrets User"
  principal_id         = each.value.id
}

在这里，每个用户/可见性组合将获得一个azurerm_role_assignment。

由于我无法获得测试结果以进行澄清，所以我创建了这个输出以进行说明。

output "user_vis" {
  value = { for uv in local.user_vis : "${uv.user}-${uv.id}" => uv }
}

这意味着：

Changes to Outputs:
  + user_vis = {
      + user_1-b9ad7db3-ea64-4815-aad5-a5a72b5bbee9 = {
          + cfg  = {
              + name       = "TEST_SVC_1"
              + visibility = [
                  + "b9ad7db3-ea64-4815-aad5-a5a72b5bbee9",
                  + "d634ebdf-6928-427c-9678-fc3bad8eccc4",
                ]
            }
          + id   = "b9ad7db3-ea64-4815-aad5-a5a72b5bbee9"
          + user = "user_1"
        }
      + user_1-d634ebdf-6928-427c-9678-fc3bad8eccc4 = {
          + cfg  = {
              + name       = "TEST_SVC_1"
              + visibility = [
                  + "b9ad7db3-ea64-4815-aad5-a5a72b5bbee9",
                  + "d634ebdf-6928-427c-9678-fc3bad8eccc4",
                ]
            }
          + id   = "d634ebdf-6928-427c-9678-fc3bad8eccc4"
          + user = "user_1"
        }
    }