I have Terraform version v0.11.7 and the code looks like this:

resource "vault_policy" "vault-auth" {
  name   = "vault-auth"
  policy = <<_EOT
path "secret/approle-acl/*" {
  capabilities = ["read", "list"]
}
path "auth/approle/role/*" {
  capabilities = ["update"]
}
_EOT
}

# AppRole role written through the generic secret endpoint
resource "vault_generic_secret" "approle-vault-auth" {
  path      = "auth/approle/role/vault-auth"
  data_json = <<_EOT
{
  "bind_secret_id": false,
  "bound_cidr_list": "127.0.0.0/24",
  "policies": "${vault_policy.vault-auth.name}",
  "period": 1200
}
_EOT
}

# read the generated role_id back from the role's role-id endpoint
data "vault_generic_secret" "vault-auth-approle-id" {
  path = "${vault_generic_secret.approle-vault-auth.path}/role-id"
}

# publish the role_id to Consul KV
resource "consul_keys" "vault-auth-approle-id" {
  key {
    path   = "vault-auth/vault-approle-id"
    value  = "${lookup(data.vault_generic_secret.vault-auth-approle-id.data, "role_id")}"
    delete = true
  }
}
I used this code with Terraform 0.9.4 and it worked as expected, but with 0.11.7 I see this error:
Error: Error refreshing state: 1 error(s) occurred:
module.roles.data.vault_generic_secret.vault-auth-approle-id: 1 error(s) occurred:
module.roles.data.vault_generic_secret.vault-auth-approle-id: data.vault_generic_secret.vault-auth-approle-id: No secret found at "auth/approle/role/vault-auth/role-id"
It seems to me this may be related to a faulty check of the output value, since we do not have the value yet at refresh time.
Or is something else going on here? I am not sure where I went wrong.
Steps to reproduce:
terraform init
terraform apply
You are probably dumping data_json into "vault-auth", but then when you try to call the secret by path you are using "auth/approle/role/vault-auth/role-id". Try the following:

resource "vault_generic_secret" "approle-vault-auth" {
  path      = "auth/approle/role/vault-auth/role-id"
  data_json = <<_EOT
{
  "bind_secret_id": false,
  "bound_cidr_list": "127.0.0.0/24",
  "policies": "${vault_policy.vault-auth.name}",
  "period": 1200
}
_EOT
}

data "vault_generic_secret" "vault-auth-approle-id" {
  path = "${vault_generic_secret.approle-vault-auth.path}"
}

Now you dump the secrets into "role-id" and then try to retrieve them from the same endpoint. Hope this helps!
Reference: https://www.terraform.io/docs/providers/vault/r/generic_secret.html
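As an added example (not part of the question or the answer above, and not the project's own code), the same AppRole and Consul publication written with the Vault provider's AppRole-specific resource and data source instead of vault_generic_secret. In Vault's AppRole API, auth/approle/role/NAME holds the role configuration, while auth/approle/role/NAME/role-id is read to obtain the role's identifier (and is written, with a role_id field, only to override it). The example assumes a Vault provider version that ships vault_approle_auth_backend_role and vault_approle_auth_backend_role_id (both were added to terraform-provider-vault after the 0.9.x-era configuration in the question) and that bound_cidr_list and policies are lists in that version; names, CIDR and period follow the question. It is written in Terraform 0.11 syntax.

```hcl
# Added example, not from the question or the answer. Assumes a Vault provider
# version with vault_approle_auth_backend_role and
# vault_approle_auth_backend_role_id.

resource "vault_policy" "vault-auth" {
  name   = "vault-auth"
  policy = <<_EOT
path "secret/approle-acl/*" {
  capabilities = ["read", "list"]
}
path "auth/approle/role/*" {
  capabilities = ["update"]
}
_EOT
}

# The role itself: configured at auth/approle/role/vault-auth by the provider.
resource "vault_approle_auth_backend_role" "vault-auth" {
  backend         = "approle"            # mount path of the AppRole auth method (assumed default)
  role_name       = "vault-auth"
  policies        = ["${vault_policy.vault-auth.name}"]
  bind_secret_id  = false                # login needs only the role_id from a bound CIDR
  bound_cidr_list = ["127.0.0.0/24"]     # only loopback clients may log in
  period          = 1200
}

# Read the role_id from auth/approle/role/vault-auth/role-id. Interpolating the
# resource's attributes makes the read depend on the role having been created.
data "vault_approle_auth_backend_role_id" "vault-auth" {
  backend   = "${vault_approle_auth_backend_role.vault-auth.backend}"
  role_name = "${vault_approle_auth_backend_role.vault-auth.role_name}"
}

# Publish the role_id to Consul KV, as in the question.
resource "consul_keys" "vault-auth-approle-id" {
  key {
    path   = "vault-auth/vault-approle-id"
    value  = "${data.vault_approle_auth_backend_role_id.vault-auth.role_id}"
    delete = true
  }
}
```

One caveat worth checking before copying this pattern: with bind_secret_id = false, the role_id alone, presented from an address inside 127.0.0.0/24, is enough to obtain a Vault token carrying the vault-auth policy, so the Consul key vault-auth/vault-approle-id is effectively a credential and should be covered by a Consul ACL that limits who can read it. If the role_id must be readable more widely, set bind_secret_id = true and deliver a secret_id to the application out of band instead.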