Terraform: fetch an existing KMS key from multiple regions



I am trying to set up a reusable global aurora-rds cluster module with the primary instance in us-east-1 and the secondary instance in us-west-1. I am using a data source to fetch the KMS key from my primary region. My question is: how do I fetch KMS keys that live in different regions from a single data.tf file?

Here is my global Aurora cluster:-

provider "aws" {
  alias  = "primary"
  region = var.primary_provider_region
}
provider "aws" {
  alias  = "secondary"
  region = var.secondary_provider_region
}

resource "aws_rds_global_cluster" "example" {
  global_cluster_identifier = var.global_cluster_identifier
  engine                    = var.engine
  engine_version            = var.engine_version
  storage_encrypted         = var.storage_encrypted
}
resource "aws_rds_cluster" "primary" {
  provider                    = aws.primary
  engine                      = aws_rds_global_cluster.example.engine
  engine_version              = aws_rds_global_cluster.example.engine_version
  cluster_identifier          = var.primary_cluster_identifier
  master_username             = var.audit_mysql_master_username
  master_password             = var.audit_mysql_master_password
  database_name               = join("_", ["bmw", "${var.stage}"])
  global_cluster_identifier   = aws_rds_global_cluster.example.id
  db_subnet_group_name        = var.db_subnet_group_name_primary
  kms_key_id                  = var.kms_master_key_arn_primary
  vpc_security_group_ids      = ["${var.vpc_security_group_ids_primary}"]
}
resource "aws_rds_cluster_instance" "primary" {
  provider                   = aws.primary
  engine                     = aws_rds_global_cluster.example.engine
  engine_version             = aws_rds_global_cluster.example.engine_version
  identifier                 = var.primary_instance_identifier
  cluster_identifier         = aws_rds_cluster.primary.id
  instance_class             = var.instance_type
  db_subnet_group_name       = var.db_subnet_group_name_primary
}
resource "aws_rds_cluster" "secondary" {
  provider                    = aws.secondary
  engine                      = aws_rds_global_cluster.example.engine
  engine_version              = aws_rds_global_cluster.example.engine_version
  cluster_identifier          = var.secondary_cluster_identifier
  global_cluster_identifier   = aws_rds_global_cluster.example.id
  db_subnet_group_name        = var.db_subnet_group_name_secondary
  kms_key_id                  = var.kms_master_key_arn_secondary
  vpc_security_group_ids      = ["${var.vpc_security_group_ids_secondary}"]
}
resource "aws_rds_cluster_instance" "secondary" {
  provider                   = aws.secondary
  engine                     = aws_rds_global_cluster.example.engine
  engine_version             = aws_rds_global_cluster.example.engine_version
  identifier                 = var.secondary_instance_identifier
  cluster_identifier         = aws_rds_cluster.secondary.id
  instance_class             = var.instance_type
  db_subnet_group_name       = var.db_subnet_group_name_secondary
  depends_on = [
    aws_rds_cluster_instance.primary
  ]
}

I call the module like this:-

module "rds" {
  source                       = "../../../../modules/aws/rds"
  stage                        = var.stage
  primary_provider_region      = "us-east-1"
  secondary_provider_region    = "us-west-2"
  kms_master_key_arn_primary   = data.aws_kms_alias.amy_key_for_primary.arn
  kms_master_key_arn_secondary = "Hardcoded arn but this should come from the data.tf file"
}

Here is my data.tf file:-

data "aws_kms_alias" "amy_key_for_primary" {
  name = "alias/primary"
}

Right now my data.tf snippet does the job of fetching the ARN of the key in my primary region (i.e. us-east-1), but how can I configure it so that I can also use another key in the us-west-2 region? Any help would be greatly appreciated. Many thanks.

According to the documentation, you can use the provider meta-argument.

From what I understand of your setup, you need to move the aws_kms_alias data sources into the rds module itself (and remove the kms_master_key_arn_primary and kms_master_key_arn_secondary variables from the module).

# modules/aws/rds.tf
...
data "aws_kms_alias" "amy_key_for_primary" {
  provider = aws.primary
  name     = "alias/primary"
}
data "aws_kms_alias" "amy_key_for_secondary" {
  provider = aws.secondary
  name     = "alias/secondary"
}
...
resource "aws_rds_cluster" "primary" {
  provider                    = aws.primary
  ...
  # data sources are referenced with the "data." prefix; target_key_arn is the
  # ARN of the key the alias points at (".arn" would be the ARN of the alias)
  kms_key_id                  = data.aws_kms_alias.amy_key_for_primary.target_key_arn
  ...
}
...
resource "aws_rds_cluster" "secondary" {
  provider                    = aws.secondary
  ...
  kms_key_id                  = data.aws_kms_alias.amy_key_for_secondary.target_key_arn
  ...
}
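The same idea carried through to a complete layout, as an added example that is not part of the question or the answer above. It keeps the provider blocks in the root module and hands both regional configurations to the child module through the providers map and configuration_aliases, which is the pattern Terraform supports for modules that must talk to two regions. Assumptions: Terraform 0.15 or later with the hashicorp/aws provider, the module path from the question, the alias names alias/primary and alias/secondary, and variable names chosen for illustration.

```hcl
# Added example (not the original poster's or answerer's code).
# Assumes Terraform >= 0.15, hashicorp/aws >= 4.0, and that the KMS aliases
# "alias/primary" (us-east-1) and "alias/secondary" (us-west-2) already exist.

# ---- root module: main.tf -------------------------------------------------
# Provider configurations live here; the child module declares none itself.
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.0"
    }
  }
}

provider "aws" {
  alias  = "primary"
  region = "us-east-1"
}

provider "aws" {
  alias  = "secondary"
  region = "us-west-2"
}

module "rds" {
  source = "../../../../modules/aws/rds" # path taken from the question
  providers = {
    aws.primary   = aws.primary
    aws.secondary = aws.secondary
  }
  stage = var.stage
  # No kms_master_key_arn_* inputs: the module resolves the keys per region.
}

# ---- modules/aws/rds/versions.tf ------------------------------------------
# Declares the two aliased provider configurations the module expects.
terraform {
  required_providers {
    aws = {
      source                = "hashicorp/aws"
      configuration_aliases = [aws.primary, aws.secondary]
    }
  }
}

# ---- modules/aws/rds/data.tf ----------------------------------------------
# One file, two regions: each lookup is pinned by the provider meta-argument.
# A missing alias in either region fails at plan time, before anything is built.
data "aws_kms_alias" "primary" {
  provider = aws.primary
  name     = "alias/primary"
}

data "aws_kms_alias" "secondary" {
  provider = aws.secondary
  name     = "alias/secondary"
}

# ---- modules/aws/rds/main.tf (encryption-relevant attributes only) --------
resource "aws_rds_global_cluster" "example" {
  provider                  = aws.primary
  global_cluster_identifier = var.global_cluster_identifier
  engine                    = var.engine
  engine_version            = var.engine_version
  storage_encrypted         = true
}

resource "aws_rds_cluster" "primary" {
  provider                  = aws.primary
  cluster_identifier        = var.primary_cluster_identifier
  engine                    = aws_rds_global_cluster.example.engine
  engine_version            = aws_rds_global_cluster.example.engine_version
  global_cluster_identifier = aws_rds_global_cluster.example.id
  storage_encrypted         = true
  # target_key_arn is the key the alias resolves to; ".arn" is the alias ARN.
  kms_key_id                = data.aws_kms_alias.primary.target_key_arn
  master_username           = var.master_username
  master_password           = var.master_password # pass as a sensitive variable
  db_subnet_group_name      = var.db_subnet_group_name_primary
  vpc_security_group_ids    = var.vpc_security_group_ids_primary # list(string)
}

resource "aws_rds_cluster" "secondary" {
  provider                  = aws.secondary
  cluster_identifier        = var.secondary_cluster_identifier
  engine                    = aws_rds_global_cluster.example.engine
  engine_version            = aws_rds_global_cluster.example.engine_version
  global_cluster_identifier = aws_rds_global_cluster.example.id
  # A secondary cluster must be encrypted with a key that exists in its own
  # region; a us-east-1 key ARN here is rejected by RDS.
  kms_key_id                = data.aws_kms_alias.secondary.target_key_arn
  db_subnet_group_name      = var.db_subnet_group_name_secondary
  vpc_security_group_ids    = var.vpc_security_group_ids_secondary
  depends_on                = [aws_rds_cluster.primary]
}
```

After terraform init, a terraform plan should show kms_key_id for the primary cluster resolving to an arn:aws:kms:us-east-1:... key and for the secondary cluster to an arn:aws:kms:us-west-2:... key; if either alias is absent in its region the plan fails on the data source, which is the check you want before a cluster is created with the wrong key. Keeping provider blocks out of the child module also avoids the restriction that modules containing their own provider blocks cannot be used with count or for_each.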
