Getting the entity name under an alias with Terraform



I am trying to get all entity names using the vault_identity_entity data source, but I cannot get the names of the entities that sit under an alias.

Sample code:

data "vault_identity_group" "group" {
  group_name = "vaultadmin"
}

data "vault_identity_entity" "entity" {
  for_each  = toset(data.vault_identity_group.group.member_entity_ids)
  entity_id = each.value
}

data "null_data_source" "values" {
  for_each = data.vault_identity_entity.entity
  inputs = {
    ssh_user_details = lookup(jsondecode(data.vault_identity_entity.entity[each.key].data_json), "name", {})
  }
}
"data_json": "{"aliases":[{"canonical_id":"37b4c764-a4ec-dcb7-c3c7-31cf9c51e456","creation_time":"2022-07-20T08:53:36.553988277Z","custom_metadata":null,"id":"59fb8a9c-1c0c-0591-0f6e-1a153233e456","last_update_time":"2022-07-20T08:53:36.553988277Z","local":false,"merged_from_canonical_ids":null,"metadata":null,"mount_accessor":"auth_approle_12d1d8af","mount_path":"auth/approle/","mount_type":"approle","name":"name.user@test.com"}],"creation_time":"2022-07-20T08:53:36.553982983Z","direct_group_ids":["e456cb46-2b51-737c-3277-64082352f47e"],"disabled":false,"group_ids":["e456cb46-2b51-737c-3277-64082352f47e"],"id":"37b4c764-a4ec-dcb7-c3c7-31cf9c51e456","inherited_group_ids":[],"last_update_time":"2022-07-20T08:53:36.553982983Z","merged_entity_ids":null,"metadata":null,"name":"entity_ec5c123","namespace_id":"root","policies":[]}",

The script above returns the entity id entity_ec5c123. Any suggestions for retrieving the name field under the alias, which holds the user's email id?

Maybe something like this?

data "vault_identity_group" "group" {
  group_name = "vaultadmin"
}

data "vault_identity_entity" "entity" {
  for_each  = toset(data.vault_identity_group.group.member_entity_ids)
  entity_id = each.value
}

locals {
  mount_accessor = "auth_approle_12d1d8af"
  # mount_path   = "auth/approle/"

  # Decode each entity's data_json once and keep only its alias list.
  # jsondecode() takes a single argument, so the "aliases" key is selected
  # afterwards; coalesce() turns a missing or null "aliases" into an empty list.
  aliases = {
    for k, v in data.vault_identity_entity.entity :
    k => coalesce(lookup(jsondecode(v.data_json), "aliases", null), [])
  }
}

data "null_data_source" "values" {
  for_each = data.vault_identity_entity.entity
  inputs = {
    # First lookup: build { mount_accessor => alias name } for this entity.
    # Second lookup: pick the alias that belongs to the auth method we want;
    # the default must be a list so the for expression can iterate it.
    ssh_user_details = lookup(
      { for alias in lookup(local.aliases, each.key, []) : alias.mount_accessor => alias.name },
      local.mount_accessor,
      "ent_no_alias_on_auth_method"
    )
  }
}

Basically, you want to do two lookups here. If you can guarantee that each entity only has one alias you could simplify this, but otherwise you should probably look up the alias for the specific mount_accessor and discard the other entries.

I haven't tested this code much, but after running init on the workspace you should be able to run terraform console and work out what the data structures look like if anything goes wrong.
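To check the two-step lookup from the answer above against the data_json shape shown in the question, here is an added Python example (not from the original thread or from the Vault provider) that decodes a constructed entity record modelled on that JSON and selects the alias name for one mount accessor, handling entities with no aliases and entities with no alias on that auth method.

```python
import json

# Constructed sample modelled on the data_json shape from the question; the
# ids are placeholders, not real Vault identifiers.
ENTITY_JSON = json.dumps({
    "id": "ENTITY-ID-PLACEHOLDER",
    "name": "entity_ec5c123",
    "aliases": [
        {"mount_accessor": "auth_approle_12d1d8af", "mount_type": "approle",
         "name": "name.user@test.com"},
        {"mount_accessor": "auth_userpass_PLACEHOLDER", "mount_type": "userpass",
         "name": "someone-else"},
    ],
})
# Vault returns "aliases": null for an entity that has no aliases at all.
ENTITY_NO_ALIAS_JSON = json.dumps({"id": "X", "name": "entity_noalias", "aliases": None})


def alias_name_for_mount(data_json, mount_accessor, default="ent_no_alias_on_auth_method"):
    """Mirror the Terraform expression: decode data_json, build a
    {mount_accessor: alias_name} map, then look up the wanted accessor.
    Selecting by accessor means a name set on some other auth method is ignored."""
    entity = json.loads(data_json)
    aliases = entity.get("aliases") or []          # null / missing -> []
    by_accessor = {a["mount_accessor"]: a["name"] for a in aliases}
    return by_accessor.get(mount_accessor, default)


def ssh_user_details(entities, mount_accessor):
    """Equivalent of the for_each over data.vault_identity_entity.entity:
    map each entity key to the alias name on the chosen auth method."""
    return {key: alias_name_for_mount(dj, mount_accessor) for key, dj in entities.items()}


if __name__ == "__main__":
    sample = {"ENTITY-ID-PLACEHOLDER": ENTITY_JSON, "X": ENTITY_NO_ALIAS_JSON}
    print(ssh_user_details(sample, "auth_approle_12d1d8af"))
```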
