How to disable the "kube_audit" and "kube_audit_admin" AKS log settings via Terraform



Summary:

The goal is to use Terraform to disable the "kube_audit" and "kube_audit_admin" log settings in the Azure diagnostic settings. However, my solution seems to both enable and disable these settings at the same time. I am looking for the correct way to disable these settings via Terraform.

My solution

In Terraform I defined the following diagnostic setting for the AKS cluster:

resource "azurerm_monitor_diagnostic_setting" "aks" {
  name                       = var.diag_name
  target_resource_id         = azurerm_kubernetes_cluster.aks.id
  log_analytics_workspace_id = azurerm_log_analytics_workspace.log_workspace.id

  dynamic "log" {
    for_each = local.diag_agw_logs
    content {
      category = log.value
      retention_policy {
        days    = var.cluster_log_metrics_retention_in_days
        enabled = var.cluster_monitor_event_retention
      }
    }
  }

  dynamic "metric" {
    for_each = local.diag_agw_metrics
    content {
      category = metric.value
      retention_policy {
        days    = var.cluster_log_metrics_retention_in_days
        enabled = var.cluster_monitor_event_retention
      }
    }
  }
}

The resource JSON looks like this (this is the expected behaviour):

>> az monitor diagnostic-settings list --resource $(az aks list --query '[?contains(@.name, `mycluster`)].id | [0]' | tr -d '"')
[
  {
    "eventHubAuthorizationRuleId": null,
    "eventHubName": null,
    "id": "/subscriptions/xxx/resourcegroups/myresourcegroup/providers/microsoft.containerservice/managedclusters/mycluster/providers/microsoft.insights/diagnosticSettings/mydiagnosticsetting",
    "identity": null,
    "kind": null,
    "location": null,
    "logAnalyticsDestinationType": null,
    "logs": [
      {
        "category": "cluster-autoscaler",
        "categoryGroup": null,
        "enabled": true,
        "retentionPolicy": {
          "days": 7,
          "enabled": true
        }
      },
      {
        "category": "kube-scheduler",
        "categoryGroup": null,
        "enabled": true,
        "retentionPolicy": {
          "days": 7,
          "enabled": true
        }
      },
      {
        "category": "kube-audit",
        "categoryGroup": null,
        "enabled": true,
        "retentionPolicy": {
          "days": 7,
          "enabled": true
        }
      },
      {
        "category": "kube-audit-admin",
        "categoryGroup": null,
        "enabled": true,
        "retentionPolicy": {
          "days": 7,
          "enabled": true
        }
      },
      {
        "category": "kube-controller-manager",
        "categoryGroup": null,
        "enabled": true,
        "retentionPolicy": {
          "days": 7,
          "enabled": true
        }
      },
      {
        "category": "guard",
        "categoryGroup": null,
        "enabled": true,
        "retentionPolicy": {
          "days": 7,
          "enabled": true
        }
      },
      {
        "category": "kube-apiserver",
        "categoryGroup": null,
        "enabled": true,
        "retentionPolicy": {
          "days": 7,
          "enabled": true
        }
      }
    ],
    "marketplacePartnerId": null,
    "metrics": [
      {
        "category": "AllMetrics",
        "enabled": true,
        "retentionPolicy": {
          "days": 7,
          "enabled": true
        },
        "timeGrain": null
      }
    ],
    "name": "mydiagnosticsetting",
    "resourceGroup": "myresourcegroup",
    "serviceBusRuleId": null,
    "storageAccountId": null,
    "systemData": null,
    "tags": null,
    "type": "Microsoft.Insights/diagnosticSettings",
    "workspaceId": "/subscriptions/xxx/resourceGroups/myresourcegroup/providers/Microsoft.OperationalInsights/workspaces/myloganalyticsworkspace"
  }
]

My goal is to disable the "kube_audit" and "kube_audit_admin" log settings. However, when I add log blocks in Terraform to disable these audit logs, the resource JSON looks unexpected after applying my changes. Here is the new resource definition in Terraform (I only added the two log blocks, nothing else changed):

resource "azurerm_monitor_diagnostic_setting" "aks" {
  name                       = var.diag_name
  target_resource_id         = azurerm_kubernetes_cluster.aks.id
  log_analytics_workspace_id = azurerm_log_analytics_workspace.log_workspace.id

  # Change 1 to disable "kube-audit"
  log {
    category = "kube-audit"
    enabled  = false
  }

  # Change 2 to disable "kube-audit-admin"
  log {
    category = "kube-audit-admin"
    enabled  = false
  }

  dynamic "log" {
    for_each = local.diag_agw_logs
    content {
      category = log.value
      retention_policy {
        days    = var.cluster_log_metrics_retention_in_days
        enabled = var.cluster_monitor_event_retention
      }
    }
  }

  dynamic "metric" {
    for_each = local.diag_agw_metrics
    content {
      category = metric.value
      retention_policy {
        days    = var.cluster_log_metrics_retention_in_days
        enabled = var.cluster_monitor_event_retention
      }
    }
  }
}

This is what the resource JSON looks like after apply:

>> az monitor diagnostic-settings list --resource $(az aks list --query '[?contains(@.name, `mycluster`)].id | [0]' | tr -d '"')
[
  {
    "eventHubAuthorizationRuleId": null,
    "eventHubName": null,
    "id": "/subscriptions/xxx/resourcegroups/myresourcegroup/providers/microsoft.containerservice/managedclusters/mycluster/providers/microsoft.insights/diagnosticSettings/mydiagnosticsetting",
    "identity": null,
    "kind": null,
    "location": null,
    "logAnalyticsDestinationType": null,
    "logs": [
      {
        "category": "cluster-autoscaler",
        "categoryGroup": null,
        "enabled": true,
        "retentionPolicy": {
          "days": 7,
          "enabled": true
        }
      },
      {
        "category": "kube-scheduler",
        "categoryGroup": null,
        "enabled": true,
        "retentionPolicy": {
          "days": 7,
          "enabled": true
        }
      },
      {
        "category": "kube-audit",
        "categoryGroup": null,
        "enabled": true,
        "retentionPolicy": {
          "days": 7,
          "enabled": true
        }
      },
      {
        "category": "kube-audit-admin",
        "categoryGroup": null,
        "enabled": true,
        "retentionPolicy": {
          "days": 7,
          "enabled": true
        }
      },
      {
        "category": "kube-controller-manager",
        "categoryGroup": null,
        "enabled": true,
        "retentionPolicy": {
          "days": 7,
          "enabled": true
        }
      },
      {
        "category": "guard",
        "categoryGroup": null,
        "enabled": true,
        "retentionPolicy": {
          "days": 7,
          "enabled": true
        }
      },
      {
        "category": "kube-audit",
        "categoryGroup": null,
        "enabled": false,
        "retentionPolicy": null
      },
      {
        "category": "kube-audit-admin",
        "categoryGroup": null,
        "enabled": false,
        "retentionPolicy": null
      },
      {
        "category": "kube-apiserver",
        "categoryGroup": null,
        "enabled": true,
        "retentionPolicy": {
          "days": 7,
          "enabled": true
        }
      }
    ],
    "marketplacePartnerId": null,
    "metrics": [
      {
        "category": "AllMetrics",
        "enabled": true,
        "retentionPolicy": {
          "days": 7,
          "enabled": true
        },
        "timeGrain": null
      }
    ],
    "name": "mydiagnosticsetting",
    "resourceGroup": "myresourcegroup",
    "serviceBusRuleId": null,
    "storageAccountId": null,
    "systemData": null,
    "tags": null,
    "type": "Microsoft.Insights/diagnosticSettings",
    "workspaceId": "/subscriptions/xxx/resourceGroups/myresourcegroup/providers/Microsoft.OperationalInsights/workspaces/myloganalyticsworkspace"
  }
]

As you can see, the "kube_audit" and "kube_audit_admin" log settings appear to be both enabled and disabled at the same time. What is the correct way to disable these settings via Terraform?

I figured it out myself, so rather than deleting the question I decided to post the answer here. The problem was that the dynamic "log" resource kept overriding the individual log blocks.

dynamic "log" {
  for_each = local.diag_agw_logs # <--- This was iterating over a list
                                 #      with all the log settings, no
                                 #      individual block needed
  content {
    category = log.value
    retention_policy {
      days    = var.cluster_log_metrics_retention_in_days
      enabled = var.cluster_monitor_event_retention
    }
  }
}

So all that was needed was to remove the log blocks I had inserted, restoring resource azurerm_monitor_diagnostic_setting.aks to its original state, and then change the list the dynamic block iterates over. After that everything worked as expected.

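The answer above says what to change but does not show the result. The following is an added example, not the original poster's code, of the shape the resource takes once the two audit categories are taken out of the list the dynamic block iterates over and are declared once, explicitly disabled. The variable and resource names are the ones used in the question; the full contents of local.diag_agw_logs and local.diag_agw_metrics are not shown on the page and are assumed here to be the AKS categories visible in the JSON output above.

```hcl
# Added example, not the original poster's code. Resource and variable names
# (var.diag_name, azurerm_kubernetes_cluster.aks,
# azurerm_log_analytics_workspace.log_workspace,
# var.cluster_log_metrics_retention_in_days, var.cluster_monitor_event_retention)
# come from the question; the category lists below are assumptions based on
# the JSON the question shows.

locals {
  # Assumed: everything local.diag_agw_logs used to contain, i.e. the full set
  # of AKS log categories returned by Azure for this cluster.
  aks_log_categories = [
    "kube-apiserver",
    "kube-audit",
    "kube-audit-admin",
    "kube-controller-manager",
    "kube-scheduler",
    "cluster-autoscaler",
    "guard",
  ]

  # Categories deliberately not shipped to Log Analytics.
  disabled_log_categories = ["kube-audit", "kube-audit-admin"]

  # What the "enabled" dynamic block iterates over: everything except the
  # disabled set. A category must appear exactly once in a diagnostic setting;
  # having it both here and in a static block is what produced the
  # enabled/disabled pair in the question's second JSON.
  diag_agw_logs    = setsubtract(local.aks_log_categories, local.disabled_log_categories)
  diag_agw_metrics = ["AllMetrics"]
}

resource "azurerm_monitor_diagnostic_setting" "aks" {
  name                       = var.diag_name
  target_resource_id         = azurerm_kubernetes_cluster.aks.id
  log_analytics_workspace_id = azurerm_log_analytics_workspace.log_workspace.id

  # Enabled categories: one block per remaining entry of the filtered list.
  dynamic "log" {
    for_each = local.diag_agw_logs
    content {
      category = log.value
      enabled  = true
      retention_policy {
        days    = var.cluster_log_metrics_retention_in_days
        enabled = var.cluster_monitor_event_retention
      }
    }
  }

  # Disabled categories: declared once, explicitly off. Azure still reports
  # these categories on the setting, so with the "log" block model listing
  # them as disabled keeps `terraform plan` clean instead of showing a
  # perpetual diff.
  dynamic "log" {
    for_each = local.disabled_log_categories
    content {
      category = log.value
      enabled  = false
    }
  }

  dynamic "metric" {
    for_each = local.diag_agw_metrics
    content {
      category = metric.value
      retention_policy {
        days    = var.cluster_log_metrics_retention_in_days
        enabled = var.cluster_monitor_event_retention
      }
    }
  }
}
```

The only invariant the two dynamic blocks must satisfy is that their for_each sets are disjoint, which setsubtract guarantees. To confirm after terraform apply, run the same az monitor diagnostic-settings list command as in the question with --query '[0].logs[?enabled==`false`].category' and check that kube-audit and kube-audit-admin are listed once each and nothing else. Two caveats for anyone copying this: kube-audit-admin is the reduced audit stream (kube-audit without the get and list events), so disabling both leaves no API-server audit trail in the workspace at all; if the aim is to cut volume rather than drop auditing, keep kube-audit-admin and disable only kube-audit. And newer azurerm provider releases deprecate the log block in favour of enabled_log, which lists only the categories to turn on, so the explicit enabled = false blocks are then no longer needed.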