azure: Meaning of "service_principal" when deploying AKS with Terraform

ghhaqwfi posted on 2023-05-07 in Other
Follow (0) | Answers (1) | Views (119)

I am deploying AKS with Terraform using a "service_principal". Below is the code that contains this information.

resource "azurerm_kubernetes_cluster" "aks" {
  name                                = var.cluster_name
  location                            = var.location
  resource_group_name                 = data.azurerm_resource_group.aks-rg.name
  node_resource_group                 = "${var.system_rg}-node"
  dns_prefix                          = var.cluster_name
  kubernetes_version                  = var.aks_version
  private_cluster_enabled             = var.private_cluster_enabled
  private_cluster_public_fqdn_enabled = var.private_cluster_public_fqdn_enabled
  private_dns_zone_id                 = var.private_dns_zone_id
  sku_tier                            = var.sku_tier

  default_node_pool {
    name                         = "syspool01"
    vm_size                      = var.agents_size
    os_disk_size_gb              = var.os_disk_size_gb
    node_count                   = var.agents_count
    vnet_subnet_id               = data.azurerm_subnet.subnet.id
    zones                        = ["1", "2", "3"]
    kubelet_disk_type            = "OS"
    os_sku                       = "Ubuntu"
    os_disk_type                 = "Managed"
    ultra_ssd_enabled            = false
    max_pods                     = var.max_pods
    only_critical_addons_enabled = var.only_critical_addons_enabled
  }

  # Credentials the cluster uses to talk to the Azure API (load balancers, disks, ...).
  service_principal {
    client_id     = var.client_id
    client_secret = var.client_secret
  }

  linux_profile {
    admin_username = var.admin_username

    ssh_key {
      # Use the supplied public key, or fall back to the generated tls_private_key.ssh resource.
      key_data = replace(coalesce(var.ssh_public_key, tls_private_key.ssh[0].public_key_openssh), "\n", "")
    }
  }

  network_profile {
    network_plugin    = "azure"
    network_policy    = "azure"
    load_balancer_sku = "standard"           # standard
    outbound_type     = "userDefinedRouting" # loadBalancer, userDefinedRouting, managedNATGateway, userAssignedNATGateway
    service_cidr      = var.service_cidr
    dns_service_ip    = var.dns_service_ip
  }

  tags = {
    Environment = var.tag
  }
}

1. When I change the "client_secret" inside "service_principal", it looks as if the whole set of pods is deleted and recreated one by one.
2. If I change the "client_secret" inside "service_principal" and add code that ignores it, will I have problems using AKS?

lifecycle {
  ignore_changes = [
    service_principal,
  ]
}

3. Also, is it mandatory to use "service_principal" when deploying AKS?

Please give me some advice.


vlju58qv, answer #1

If I change the "client_secret" inside "service_principal" and add code that ignores it, will I have problems using AKS?

You can use the Terraform lifecycle block to prevent the AKS pods from being deleted. You can set the prevent_destroy attribute to true in the azurerm_kubernetes_cluster resource block to prevent it from being destroyed.

Terraform code

provider "azurerm" {
  features {}
}

# Existing resource group, looked up rather than created.
data "azurerm_resource_group" "Mindtree_ResourceGroup" {
  name = "Mindtree_ResourceGroup"
}

resource "azurerm_kubernetes_cluster" "akscluster" {
  name                = "sampleaks1"
  location            = data.azurerm_resource_group.Mindtree_ResourceGroup.location
  resource_group_name = data.azurerm_resource_group.Mindtree_ResourceGroup.name
  dns_prefix          = "exampleaks1"

  default_node_pool {
    name       = "default"
    node_count = 1
    vm_size    = "Standard_D2_v2"
  }

  # Values are masked; both must be quoted strings.
  service_principal {
    client_id     = "deb40947-xxxx-xxx-a626-b3a4c3c7a13f"
    client_secret = "xxxxxx.NvDo.wQyDb0kqeZMVJcsc"
  }

  lifecycle {
    prevent_destroy = true
  }

  tags = {
    Environment = "Production"
  }
}

Terraform apply:

When I modify the app secret value in the azurerm_kubernetes_cluster block, it only modifies the specified value and does not delete any existing resources.

Reference: Stack Link
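The question's third point (whether "service_principal" is mandatory) is not covered by the answer. The azurerm provider requires exactly one of a service_principal block or an identity block on azurerm_kubernetes_cluster, so a managed identity removes the client_secret from variables and state entirely. The following is an added example, not code from the question or the answer; it assumes the same variable names and resource group data source as the question, and uses a hypothetical client_secret variable that defaults to null to switch between the two options:

```hcl
# Added example (not the question's or answer's code). Assumes the question's
# variables (var.cluster_name, var.location, var.agents_size, var.agents_count)
# and the data.azurerm_resource_group.aks-rg lookup already exist.

variable "client_id" {
  type    = string
  default = null
}

variable "client_secret" {
  type      = string
  default   = null
  sensitive = true # redacted from plan/apply output, but still written to state in clear text
}

resource "azurerm_kubernetes_cluster" "aks" {
  name                = var.cluster_name
  location            = var.location
  resource_group_name = data.azurerm_resource_group.aks-rg.name
  dns_prefix          = var.cluster_name

  default_node_pool {
    name       = "syspool01"
    vm_size    = var.agents_size
    node_count = var.agents_count
  }

  # Option A (no client_secret given): a system-assigned managed identity.
  # Azure issues and rotates the credential; nothing is stored in variables or state.
  dynamic "identity" {
    for_each = var.client_secret == null ? [1] : []
    content {
      type = "SystemAssigned"
    }
  }

  # Option B (client_secret given): a service principal, as in the question.
  # Exactly one of the two blocks must be present on the resource.
  dynamic "service_principal" {
    for_each = var.client_secret == null ? [] : [1]
    content {
      client_id     = var.client_id
      client_secret = var.client_secret
    }
  }

  lifecycle {
    # Ignoring service_principal (the question's option 2) means Terraform will no
    # longer push a rotated secret to the cluster. Rotate it out of band instead:
    #   az aks update-credentials -g <rg> -n <cluster> --reset-service-principal \
    #     --service-principal <client_id> --client-secret <new_secret>
    ignore_changes = [service_principal]
  }
}
```

With option A the cluster's credential never appears in a variable file, a CI secret, or the Terraform state, which is the main reason to prefer it over a service principal. Before applying any change to the service_principal block, run terraform plan and confirm the cluster is shown as an in-place update rather than a replacement; prevent_destroy in the answer only makes a replacing plan fail, it does not turn it into an update.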
