Are terraform "loops" useless? Or am I missing something?


Problem description

I wrote some configuration today that uses "loops", but only afterwards I wondered if this is the right path to go, since terraform keeps the resources in the state file as a list/array.

Consider the following configuration:

locals {
    users_list = [ "ab", "cd", "ef" ]
}

resource "aws_iam_user" "users" {
    count = "${length(local.users_list)}"
    name = "${local.users_list["${count.index}"]}"
    path = "/"
}

Running 'terraform apply' will create the users, and create the following resources in the state file:

  • aws_iam_user.users[0]
  • aws_iam_user.users[1]
  • aws_iam_user.users[2]

But if, for example, I remove one of the first two users, like so:

locals {
        users_list = [ "cd", "ef" ]
}

then terraform will try to change the resources in the state file ( [0] --> "cd", [1] --> "ef" ), and the users themselves in AWS, which can be catastrophic, since every user will have his own keys, and doing so will create a mess. This is relevant to other resource types as well, although there are resources where deleting and creating again won't make such a mess, but this is still wrong.

So, to my question, as in the title - maybe I got it all wrong? Or this is just the way it works? (making this whole "looping" mechanism useless)

Recommended answer

In fact, terraform before v0.11.x doesn't officially support loops. The way to use count.index as loops comes from the blog Terraform tips & tricks: loops, if-statements, and gotchas

From version 0.12 (still in beta currently), it supports loops with the new keyword for_each, but I still don't guarantee it fixes the problem in your question.

So I show in detail what the problem is and how to fix it, so people like @Aniket Chopade can understand where this problem comes from.

After changing the locals,

$ terraform apply -auto-approve
aws_iam_user.users[0]: Refreshing state... (ID: ab)
aws_iam_user.users[1]: Refreshing state... (ID: cd)
aws_iam_user.users[2]: Refreshing state... (ID: ef)
aws_iam_user.users[2]: Destroying... (ID: ef)
aws_iam_user.users[1]: Modifying... (ID: cd)
  name: "cd" => "ef"
aws_iam_user.users[0]: Modifying... (ID: ab)
  name: "ab" => "cd"
aws_iam_user.users[2]: Destruction complete after 2s

Error: Error applying plan:

2 error(s) occurred:

* aws_iam_user.users[0]: 1 error(s) occurred:

* aws_iam_user.users.0: Error updating IAM User ab: EntityAlreadyExists: User with name cd already exists.
    status code: 409, request id: 24853da7-452c-11e9-a853-bf4c89d8ebba
* aws_iam_user.users[1]: 1 error(s) occurred:

* aws_iam_user.users.1: Error updating IAM User cd: EntityAlreadyExists: User with name ef already exists.
    status code: 409, request id: 24839027-452c-11e9-b3d5-3deb12943195

I have to taint these resources, mark them to be destroyed and apply again.

$ terraform taint aws_iam_user.users.1
The resource aws_iam_user.users.1 in the module root has been marked as tainted!

$ terraform taint aws_iam_user.users.0
The resource aws_iam_user.users.0 in the module root has been marked as tainted!

$ terraform apply -auto-approve
...
aws_iam_user.users[0]: Destroying... (ID: ab)
aws_iam_user.users[1]: Destroying... (ID: cd)
aws_iam_user.users[0]: Destruction complete after 2s
aws_iam_user.users[0]: Creating...
  arn:           "" => "<computed>"
  force_destroy: "" => "false"
  name:          "" => "cd"
  path:          "" => "/"
  unique_id:     "" => "<computed>"
aws_iam_user.users[1]: Destruction complete after 2s
aws_iam_user.users[1]: Creating...
  arn:           "" => "<computed>"
  force_destroy: "" => "false"
  name:          "" => "ef"
  path:          "" => "/"
  unique_id:     "" => "<computed>"

My conclusion is, in the current situation, taint the resources to force terraform to create new resources if you change the order in a list.
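
For comparison with the count-based configuration in the question, here is the same user list addressed by name instead of by position. This is an added example, not code from the question or the answer; it assumes Terraform 0.12.6 or later (where for_each is accepted on resource blocks), and the aws_iam_access_key resource is included only to illustrate the per-user keys the question mentions.

```hcl
# Added example (not from the original post). Assumes Terraform >= 0.12.6.

locals {
  # Same names as in the question. A set has no order, so removing or
  # reordering entries cannot shift any other entry's address.
  users = toset(["ab", "cd", "ef"])
}

resource "aws_iam_user" "users" {
  for_each = local.users

  name = each.key
  path = "/"
}

# Illustrative: one access key per user, keyed by the same name, so a key
# stays bound to its own user when the set changes.
resource "aws_iam_access_key" "keys" {
  for_each = local.users

  user = aws_iam_user.users[each.key].name
}

# State addresses are now keyed by name rather than by index:
#   aws_iam_user.users["ab"]
#   aws_iam_user.users["cd"]
#   aws_iam_user.users["ef"]
#
# Removing "ab" from local.users plans a destroy of aws_iam_user.users["ab"]
# (and its access key) only; "cd" and "ef" are not modified or renamed.
#
# Migrating existing count-based state without recreating the users
# (run once per user, before the first apply of this configuration):
#   terraform state mv 'aws_iam_user.users[0]' 'aws_iam_user.users["ab"]'
#   terraform state mv 'aws_iam_user.users[1]' 'aws_iam_user.users["cd"]'
#   terraform state mv 'aws_iam_user.users[2]' 'aws_iam_user.users["ef"]'
```

After the migration, `terraform plan` should report no changes for the existing users, which is the check to make before applying.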
