How to pass Variables with Secrets (User, Password) in Terraform
According to the files I have created (Main.tf, Terraform.tfvars, variables.tf):

### The Terraform provider is Azure. What am I trying to do? Build a VM and pass the User/Password through variables to avoid leaking the secrets, instead of writing them into the Main.tf file (I have already done that and it works fine for me, but it is not a good security practice).

### main.tf, here is the relevant part dealing with User/Password that I am trying to pass to the VM so that I can manage it:
```hcl
resource "azurerm_network_interface" "nic_poc" {
  count               = 1
  name                = "nic_test_persistent${count.index}"
  location            = "North Europe"
  resource_group_name = local.rg.name

  ip_configuration {
    name                          = "internal"
    subnet_id                     = data.terraform_remote_state.my_azure_dev.outputs.org_dev.subnet.northeurope.main.subnets["dev1-XX.XXX.XXX.X_XX"].id
    private_ip_address_allocation = "Dynamic"
  }
}

resource "azurerm_windows_virtual_machine" "vm_persistent" {
  count               = 1
  name                = "vm-persistent${count.index}"
  resource_group_name = local.rg.name
  location            = "North Europe"
  size                = "Standard_D4_v3"

  # Here my variables for User/Password
  admin_username = "var.admin_username"
  admin_password = "var.admin_password"

  network_interface_ids = [
    element(azurerm_network_interface.nic_poc.*.id, count.index)
  ]

  os_disk {
    caching              = "ReadWrite"
    storage_account_type = "Standard_LRS"
  }

  source_image_reference {
    publisher = "MicrosoftWindowsServer"
    offer     = "WindowsServer"
    sku       = "2019-Datacenter"
    version   = "latest"
  }
}
```
### terraform.tfvars, here declaring the values for these variables, as I understood it from several examples (I may have misunderstood them):
```hcl
TF_VAR_admin_username = "adminuser"
TF_VAR_admin_password = "OurP@**w0rd1998#"
```
### variables.tf, here the variables are declared without values, because I don't know whether they can be declared here, or how:
```hcl
variable "admin_username" {
  type = string
}

variable "admin_password" {
  type = string
}
```
### Error

```text
Error: creating Windows Virtual Machine "vm-persistent0" (Resource Group "nXXX-XXX-dev1-org-dev-XX"): compute.VirtualMachinesClient#CreateOrUpdate: Failure sending request: StatusCode=0 -- Original Error: Code="InvalidParameter" Message="The supplied password must be between 8-123 characters long and must satisfy at least 3 of password complexity requirements from the following:\r\n1) Contains an uppercase character\r\n2) Contains a lowercase character\r\n3) Contains a numeric digit\r\n4) Contains a special character\r\n5) Control characters are not allowed" Target="adminPassword"
```
When I run my Terraform code, it complains that the password does not meet the requirements: lowercase, uppercase, digit, symbol.

This is not true. Why? Well, when the same password is declared directly in my Main.tf file it works perfectly, but that is not a good practice because it is fully visible, which is why I want to pass it through a variable to prevent it from being sniffed.

What am I missing?
You are using:

```hcl
admin_username = "var.admin_username"
admin_password = "var.admin_password"
```

You should use:

```hcl
admin_username = var.admin_username
admin_password = var.admin_password
```

Because you gave the value in double quotes, it takes the literal text inside the quotes as the value, as shown below:

If you use a .tfvars file to hold the values, then you should declare the variables with exactly that name, like this:
```hcl
variable "TF_VAR_admin_username" {
  type = string
}

variable "TF_VAR_admin_password" {
  type = string
}
```
Then use these variables in the VM block, like:

```hcl
admin_username = var.TF_VAR_admin_username
admin_password = var.TF_VAR_admin_password
```

Or you can set them directly in the variables, so that you don't have to mention them in the .tfvars file at all.

Var.tf file:
```hcl
variable "admin_username" {
  type    = string
  default = "adminuser"
}

variable "admin_password" {
  type    = string
  default = "OurP@**w0rd1998#"
}
```
**My main.tf file:**
```hcl
data "azurerm_resource_group" "example" {
  name = "ansumantest"
}

resource "azurerm_virtual_network" "example" {
  name                = "example-network"
  address_space       = ["10.0.0.0/16"]
  location            = data.azurerm_resource_group.example.location
  resource_group_name = data.azurerm_resource_group.example.name
}

resource "azurerm_subnet" "example" {
  name                 = "internal"
  resource_group_name  = data.azurerm_resource_group.example.name
  virtual_network_name = azurerm_virtual_network.example.name
  address_prefixes     = ["10.0.2.0/24"]
}

resource "azurerm_network_interface" "example" {
  name                = "example-nic"
  location            = data.azurerm_resource_group.example.location
  resource_group_name = data.azurerm_resource_group.example.name

  ip_configuration {
    name                          = "internal"
    subnet_id                     = azurerm_subnet.example.id
    private_ip_address_allocation = "Dynamic"
  }
}

resource "azurerm_windows_virtual_machine" "vm_persistent" {
  name                = "vm-persistent"
  resource_group_name = data.azurerm_resource_group.example.name
  location            = data.azurerm_resource_group.example.location
  size                = "Standard_D4_v3"

  # Here my variables for User/Password
  admin_username = var.admin_username
  admin_password = var.admin_password

  network_interface_ids = [azurerm_network_interface.example.id]

  os_disk {
    caching              = "ReadWrite"
    storage_account_type = "Standard_LRS"
  }

  source_image_reference {
    publisher = "MicrosoftWindowsServer"
    offer     = "WindowsServer"
    sku       = "2019-Datacenter"
    version   = "latest"
  }
}
```
Output:
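The corrected layout for the three files, as an added example that is neither the asker's nor the answerer's code: it keeps the question's variable names, marks the password `sensitive` so it is redacted from plan/apply output, and adds a `validation` block that mirrors the 8-123 character / 3-of-4 classes rule quoted in the Azure error, so a bad value fails at plan time. The tfvars password value is an assumed placeholder; the three files are shown in one block only for reading.

```hcl
# ---- variables.tf ----
variable "admin_username" {
  type = string
}

variable "admin_password" {
  type      = string
  sensitive = true # redacted in plan/apply output; still stored in state, so protect the backend

  # Mirrors the Azure rule from the error: 8-123 characters and at least
  # 3 of the 4 character classes. Fails at `terraform plan`, not in Azure.
  validation {
    condition = (
      length(var.admin_password) >= 8 &&
      length(var.admin_password) <= 123 &&
      (
        (can(regex("[A-Z]", var.admin_password)) ? 1 : 0) +
        (can(regex("[a-z]", var.admin_password)) ? 1 : 0) +
        (can(regex("[0-9]", var.admin_password)) ? 1 : 0) +
        (can(regex("[^A-Za-z0-9]", var.admin_password)) ? 1 : 0)
      ) >= 3
    )
    error_message = "admin_password must be 8-123 characters with at least 3 of: uppercase, lowercase, digit, special character."
  }
}

# ---- terraform.tfvars (keep out of version control) ----
# Keys are the plain variable names. The TF_VAR_ prefix belongs only to
# environment variables, e.g. `export TF_VAR_admin_password='...'`, which
# keeps the secret out of any file on disk.
admin_username = "adminuser"
admin_password = "Replace-Me-0" # assumed placeholder; load the real value from a secret store

# ---- main.tf (only the two arguments that change) ----
resource "azurerm_windows_virtual_machine" "vm_persistent" {
  # ...other arguments exactly as in the question...
  admin_username = var.admin_username # unquoted: a reference, not a string
  admin_password = var.admin_password # quoted "var.admin_password" was sent
                                      # literally and has only 2 of 4 classes
}
```

The quoted form from the question sends the 18-character literal `var.admin_password` to Azure, which contains lowercase letters and special characters but no uppercase or digit, exactly what the `InvalidParameter` error describes.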