即使存在ignore_changes开关,Terraform也会清除Azure应用程序配置设置
Pal*_*lab 5 azure terraform azure-web-app-service terraform-provider-azure
我在一个应用程序服务计划中包含三个网络应用程序。一个应用程序是前端,另一个是 API,第三个是功能应用程序。所有这些都包含在 Linux 应用服务计划中。
我在这三个应用程序中有很多应用程序配置设置。我注意到的是,如果我输入:
lifecycle {
ignore_changes = [
"auth_settings",
"app_settings"
]
}
每次应用后,terraform 都会继续从其中一个应用程序重写应用程序配置。如果我注释掉其中一个应用程序的 app_settings 以重新部署应用程序配置,则另一个应用程序将被清除。
这是 Terraform 中的错误还是其他问题?我正在使用 AzureRM 提供程序 2.0
代码如下所示:
module "name_app_service_plan" {
version = "~> 3.0"
source = "contoso.com/names/azurerm"
providers = { azurerm = azurerm, random = random }
resource_environment = var.project.environment.name
resource_location = var.location
resource_name = var.project.name
}
module "name_app_service_api" {
version = "~> 3.0"
source = "contoso.com/names/azurerm"
providers = { azurerm = azurerm, random = random }
resource_environment = var.project.environment.name
resource_location = module.resourcegroup.resource_group.location
resource_name = format("%s-api", var.project.name)
}
module "name_app_service_fe" {
version = "~> 3.0"
source = "contoso.com/names/azurerm"
providers = { azurerm = azurerm, random = random }
resource_environment = var.project.environment.name
resource_location = module.resourcegroup.resource_group.location
resource_name = format("%s-fe", var.project.name)
}
module "name_function_app" {
version = "~> 3.0"
source = "contoso.com/names/azurerm"
providers = { azurerm = azurerm, random = random }
resource_environment = var.project.environment.name
resource_location = module.resourcegroup.resource_group.location
resource_name = format("%s-01", var.project.name)
}
resource "azurerm_app_service_plan" "default" {
resource_group_name = module.resourcegroup.resource_group.name
location = module.resourcegroup.resource_group.location
name = module.name_app_service_plan.location.app_service_plan.name_unique
kind = "Linux"
reserved = true
sku {
tier = "PremiumV3"
size = "P2v3"
}
tags = module.resourcegroup.resource_group.tags
}
应用程序接口
resource "azurerm_app_service" "api" {
location = module.resourcegroup.resource_group.location
resource_group_name = module.resourcegroup.resource_group.name
tags = local.tags
app_service_plan_id = azurerm_app_service_plan.default.id
name = module.name_app_service_api.location.app_service.name_unique
identity { type = "SystemAssigned" }
site_config {
always_on = true
app_command_line = ""
default_documents = []
dotnet_framework_version = "v4.0"
ftps_state = "AllAllowed"
health_check_path = ""
http2_enabled = true
linux_fx_version = "DOTNETCORE|3.1"
local_mysql_enabled = false
managed_pipeline_mode = "Integrated"
min_tls_version = "1.2"
python_version = "3.4"
remote_debugging_enabled = false
remote_debugging_version = "VS2019"
use_32_bit_worker_process = false
windows_fx_version = ""
websockets_enabled = true
cors {
allowed_origins = [format("https://%s", azurerm_app_service.fe.default_site_hostname)]
support_credentials = true
}
}
app_settings = {
"WEBSITE_DNS_SERVER" = "168.63.129.16"
"WEBSITE_VNET_ROUTE_ALL" = "1"
"WEBSITE_ENABLE_SYNC_UPDATE_SITE" = "true"
"APPINSIGHTS_INSTRUMENTATIONKEY" = format("@Microsoft.KeyVault(VaultName=%s;SecretName=appi-default-api-instrumentation-key)", module.key-vault.key_vault.self.name)
"APPLICATIONINSIGHTS_CONNECTION_STRING" = format("@Microsoft.KeyVault(VaultName=%s;SecretName=appi-api-connection-string)", module.key-vault.key_vault.self.name)
"applicationStorage" = format("@Microsoft.KeyVault(VaultName=%s;SecretName=StorageAccount-ConnectionString-PrimaryKey)", module.key-vault.key_vault.self.name)
"frontendappid" = format("@Microsoft.KeyVault(VaultName=%s;SecretName=frontendappid)", module.key-vault.key_vault.self.name)
"webapiappid" = format("@Microsoft.KeyVault(VaultName=%s;SecretName=webapiappid)", module.key-vault.key_vault.self.name)
"clientsecret" = format("@Microsoft.KeyVault(VaultName=%s;SecretName=Webapp-API-Secret)", module.key-vault.key_vault.self.name)
"webapiappuri" = format("https://contoso.onmicrosoft.com/api-%s-%s", var.project.name, var.project.environment.name)
"functionappid" = format("@Microsoft.KeyVault(VaultName=%s;SecretName=functionappid)", module.key-vault.key_vault.self.name)
"functionappuri" = format("https://contoso.onmicrosoft.com/func-%s-%s", var.project.name, var.project.environment.name)
"funcappsecret" = format("@Microsoft.KeyVault(VaultName=%s;SecretName=Function-App-Secret)", module.key-vault.key_vault.self.name)
"frontendhost" = format("@Microsoft.KeyVault(VaultName=%s;SecretName=frontendhost)", module.key-vault.key_vault.self.name)
"functionhost" = format("@Microsoft.KeyVault(VaultName=%s;SecretName=functionhost)", module.key-vault.key_vault.self.name)
"webapihost" = format("@Microsoft.KeyVault(VaultName=%s;SecretName=webapihost)", module.key-vault.key_vault.self.name)
"cosmosIntegrationConnection" = format("@Microsoft.KeyVault(VaultName=%s;SecretName=CosmosDB-PrimaryKey-ConnectionString)", module.key-vault.key_vault.self.name)
"cosmosIntegrationContainer" = "cosmosdb_container"
"cosmosIntegrationDatabase" = "cosmosdb_db"
"tokenauthority" = format("https://login.microsoftonline.com/%s", data.azurerm_client_config.default.tenant_id)
}
lifecycle {
ignore_changes = [
auth_settings,
app_settings
]
}
}
API 应用程序的 VNET 集成
resource "azurerm_app_service_virtual_network_swift_connection" "api" {
app_service_id = azurerm_app_service.api.id
subnet_id = module.virtualnetwork["centralus"].virtual_network.subnets["webapp"].id
}
API 应用程序的 Pvt 端点
module "privateendpoint_api" {
# registry
version = "~> 10.0.0"
source = "contoso.com/virtual-network/azurerm//modules/privateendpoint"
# metas
providers = { azurerm = azurerm, azurerm.hub = azurerm.hub, random = random }
# arguments
hub_resource_group_name = var.project.hub.resourcegroup.name
resource_group_name = module.resourcegroup.resource_group.name
private_endpoint_location = module.resourcegroup.resource_group.location
private_endpoint_environment = var.project.environment.name
private_endpoint_name = format("api-webapp-%s", var.project.name)
private_endpoint_resource_type = "appservice"
private_endpoint_resource_subresource = "sites"
private_endpoint_subnet_id = module.virtualnetwork["centralus"].virtual_network.subnets["general"].id
private_endpoint_resource_id = azurerm_app_service.api.id
}
富裕网络应用程序
resource "azurerm_app_service" "fe" {
location = module.resourcegroup.resource_group.location
resource_group_name = module.resourcegroup.resource_group.name
tags = local.tags
app_service_plan_id = azurerm_app_service_plan.default.id
name = module.name_app_service_fe.location.app_service.name_unique
identity { type = "SystemAssigned" }
auth_settings {
enabled = true
default_provider = "AzureActiveDirectory"
issuer = format("https://sts.windows.net/%s/", data.azurerm_client_config.default.tenant_id)
runtime_version = "~1"
token_store_enabled = true
unauthenticated_client_action = "RedirectToLoginPage"
allowed_external_redirect_urls = module.application_webapp_fe.application.self.reply_urls
additional_login_params = {
"response_type" = "code id_token",
"resource" = module.application_webapp_fe.application.self.application_id
}
active_directory {
client_id = module.application_webapp_fe.application.self.application_id
client_secret = module.application_webapp_fe.service_principal.secret.value
allowed_audiences = []
}
}
site_config {
always_on = true
app_command_line = ""
default_documents = []
dotnet_framework_version = "v4.0"
ftps_state = "Disabled"
health_check_path = ""
http2_enabled = true
linux_fx_version = "STATICSITE|1.0"
local_mysql_enabled = false
managed_pipeline_mode = "Integrated"
min_tls_version = "1.2"
#pre_warmed_instance_count = 0
python_version = "3.4"
remote_debugging_enabled = false
remote_debugging_version = "VS2019"
use_32_bit_worker_process = false
websockets_enabled = false
windows_fx_version = ""
cors {
allowed_origins = []
support_credentials = false
}
}
app_settings = {
"WEBSITE_DNS_SERVER" = "168.63.129.16"
"WEBSITE_VNET_ROUTE_ALL" = "1"
"MICROSOFT_PROVIDER_AUTHENTICATION_SECRET" = format("@Microsoft.KeyVault(VaultName=%s;SecretName=Webapp-FE-Secret)", module.key-vault.key_vault.self.name)
"APPINSIGHTS_INSTRUMENTATIONKEY" = format("@Microsoft.KeyVault(VaultName=%s;SecretName=appi-default-fe-instrumentation-key)", module.key-vault.key_vault.self.name)
"APPLICATIONINSIGHTS_CONNECTION_STRING" = format("@Microsoft.KeyVault(VaultName=%s;SecretName=appi-fe-connection-string)", module.key-vault.key_vault.self.name)
"webapiappid" = format("@Microsoft.KeyVault(VaultName=%s;SecretName=webapiappid)", module.key-vault.key_vault.self.name)
"webapiappsecret" = format("@Microsoft.KeyVault(VaultName=%s;SecretName=Webapp-API-Secret)", module.key-vault.key_vault.self.name)
}
lifecycle {
ignore_changes = [
auth_settings,
app_settings
]
}
}
fe 应用程序的 VNET 集成
resource "azurerm_app_service_virtual_network_swift_connection" "fe" {
app_service_id = azurerm_app_service.fe.id
subnet_id = module.virtualnetwork["centralus"].virtual_network.subnets["webapp"].id
}
Fe 应用程序的 Pvt 端点
module "privateendpoint_fe" {
# registry
version = "~> 10.0.0"
source = "contoso.com/virtual-network/azurerm//modules/privateendpoint"
# metas
providers = { azurerm = azurerm, azurerm.hub = azurerm.hub, random = random }
# arguments
hub_resource_group_name = var.project.hub.resourcegroup.name
resource_group_name = module.resourcegroup.resource_group.name
private_endpoint_location = module.resourcegroup.resource_group.location
private_endpoint_environment = var.project.environment.name
private_endpoint_name = format("fe-webapp-%s", var.project.name)
private_endpoint_resource_type = "appservice"
private_endpoint_resource_subresource = "sites"
private_endpoint_subnet_id = module.virtualnetwork["centralus"].virtual_network.subnets["general"].id
private_endpoint_resource_id = azurerm_app_service.fe.id
}
功能应用程序
resource "azurerm_function_app" "default" {
location = module.resourcegroup.resource_group.location
resource_group_name = module.resourcegroup.resource_group.name
tags = local.tags
app_service_plan_id = azurerm_app_service_plan.default.id
name = module.name_function_app.location.function_app.name_unique
version = "~3"
identity { type = "SystemAssigned" }
os_type = "linux"
storage_account_name = module.storageaccount.storage_account.self.name
storage_account_access_key = module.storageaccount.storage_account.self.primary_access_key
auth_settings {
enabled = true
default_provider = "AzureActiveDirectory"
issuer = format("https://login.microsoftonline.com/%s/", data.azurerm_client_config.default.tenant_id)
runtime_version = "~1"
token_store_enabled = true
unauthenticated_client_action = "RedirectToLoginPage"
active_directory {
client_id = module.application_func_01.application.self.application_id
client_secret = module.application_func_01.service_principal.secret.value
allowed_audiences = module.application_webapp_api.application.self.identifier_uris
}
}
site_config {
always_on = true
ftps_state = "Disabled"
health_check_path = ""
http2_enabled = true
linux_fx_version = "DOCKER|mcr.microsoft.com/azure-functions/dotnet:3.0-dotnet3-appservice"
min_tls_version = "1.2"
pre_warmed_instance_count = 0
use_32_bit_worker_process = false
websockets_enabled = false
cors {
allowed_origins = []
support_credentials = false
}
}
app_settings = {
"WEBSITE_DNS_SERVER" = "168.63.129.16"
"WEBSITE_VNET_ROUTE_ALL" = "1"
"WEBSITE_ENABLE_SYNC_UPDATE_SITE" = "true"
"WEBSITE_RUN_FROM_PACKAGE" = "1"
"WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "true"
"APPINSIGHTS_INSTRUMENTATIONKEY" = format("@Microsoft.KeyVault(VaultName=%s;SecretName=appi-default-func-instrumentation-key)", module.key-vault.key_vault.self.name)
"APPLICATIONINSIGHTS_CONNECTION_STRING" = format("@Microsoft.KeyVault(VaultName=%s;SecretName=appi-func-connection-string)", module.key-vault.key_vault.self.name)
"AzureWebJobsStorage" = format("@Microsoft.KeyVault(VaultName=%s;SecretName=StorageAccount-FunctionApp-ConnectionString-PrimaryKey)", module.key-vault.key_vault.self.name)
"AzureWebJobsDashboard" = format("@Microsoft.KeyVault(VaultName=%s;SecretName=StorageAccount-FunctionApp-ConnectionString-PrimaryKey)", module.key-vault.key_vault.self.name)
"cosmosIntegrationConnection" = format("@Microsoft.KeyVault(VaultName=%s;SecretName=CosmosDB-PrimaryKey-ConnectionString)", module.key-vault.key_vault.self.name)
"cosmosIntegrationContainer" = "cosmosdb_container"
"cosmosIntegrationDatabase" = "cosmosdb_db"
"functionappid" = format("@Microsoft.KeyVault(VaultName=%s;SecretName=functionappid)", module.key-vault.key_vault.self.name)
"clientsecret" = format("@Microsoft.KeyVault(VaultName=%s;SecretName=Function-App-Secret)", module.key-vault.key_vault.self.name)
"webapihost" = format("@Microsoft.KeyVault(VaultName=%s;SecretName=webapihost)", module.key-vault.key_vault.self.name)
"webapiappuri" = format("https://contoso.onmicrosoft.com/api-%s-%s", var.project.name, var.project.environment.name)
"functionappuri" = format("https://contoso.onmicrosoft.com/func-%s-%s", var.project.name, var.project.environment.name)
"functionhost" = format("@Microsoft.KeyVault(VaultName=%s;SecretName=functionhost)", module.key-vault.key_vault.self.name)
"applicationStorage" = format("@Microsoft.KeyVault(VaultName=%s;SecretName=StorageAccount-FunctionApp-ConnectionString-PrimaryKey)", module.key-vault.key_vault.self.name)
"tokenauthority" = format("https://login.microsoftonline.com/%s", data.azurerm_client_config.default.tenant_id)
"FUNCTIONS_EXTENSION_VERSION" = "~3"
}
lifecycle {
ignore_changes = [
auth_settings,
app_settings
]
}
}
函数应用程序的 VNET 集成
resource "azurerm_app_service_virtual_network_swift_connection" "function-app" {
app_service_id = azurerm_function_app.default.id
subnet_id = module.virtualnetwork["centralus"].virtual_network.subnets["webapp"].id
}
Func 应用程序的 Pvt 端点
module "privateendpoint_func" {
# registry
version = "~> 10.0.0"
source = "contoso.com/virtual-network/azurerm//modules/privateendpoint"
# metas
providers = { azurerm = azurerm, azurerm.hub = azurerm.hub, random = random }
# arguments
hub_resource_group_name = var.project.hub.resourcegroup.name
resource_group_name = module.resourcegroup.resource_group.name
private_endpoint_location = module.resourcegroup.resource_group.location
private_endpoint_environment = var.project.environment.name
private_endpoint_name = format("func-%s", var.project.name)
private_endpoint_resource_type = "appservice"
private_endpoint_resource_subresource = "sites"
private_endpoint_subnet_id = module.virtualnetwork["centralus"].virtual_network.subnets["general"].id
private_endpoint_resource_id = azurerm_function_app.default.id
}
我注意到 Terraform 仅尊重 Function App 的ignore_changes 值。对于 API 和 FE 应用程序,如果我注释掉 FE 的 app_settings 的ignore_changes,Terraform 还会清除 API 应用程序的 app_settings,只保留 VNET_ROUTE_ALL 设置。所有其他设置都被清除。
如果我注释掉 API 应用程序的ignore_changes 中的 app_settings 并取消注释 FE 应用程序的 app_settings,也会发生同样的事情。
正如评论中提到的,查看 的输出tf plan很重要。但鉴于您问题中的信息,我可以想到三个潜在的罪魁祸首:
如果重新创建或更改依赖资源,则可能必须重新创建应用程序,这会导致擦除
app_settings(至少是通过门户添加的设置)。您正在使用具有悲观约束的远程模块
"~> 3.0",因此如果有新版本(例如 3.1)并且您正在没有缓存的远程代理上部署或在本地使用标记进行部署,-upgradeTerraform 将重新部署该模块以获得最新版本。这不应该是问题,但值得一提的是:忽略一个对象及其内部其他对象的特定更改在过去一直是有问题的。
azurerm 2.0 似乎存在特定问题,Terraform 会在
app-settings更改时重新创建整个应用程序,这会导致ignore_changes冗余,这应该在 2.1 版本中修复
也就是说,atm 资源已被弃用;所以升级似乎是最简单的解决办法。请参阅:已弃用和最新
对于任何试图重现此问题的人;这是使用 azurerm 提供的“2.48.0”和 tf 版本 1.3.9 的简单代码示例。此示例显示忽略门户或 Terraform 代码中所做的更改没有任何问题。
文件夹结构:
main.tf
# locals
locals {
resource_environment = "dev"
resource_location = "westeurope"
resource_name = "stack" # name of the resource group
resource_name_app = "stack12345678" # needs to be unique
resource_name_function = "stack87654321" # needs to be unique
tags = {
environment = local.resource_environment
project = local.resource_name
}
}
terraform {
required_version = ">= 0.13.0"
required_providers {
azurerm = {
source = "hashicorp/azurerm"
version = "= 2.48.0"
}
random = {
source = "hashicorp/random"
version = ">= 2.0.0"
}
}
}
provider "azurerm" {
features {}
}
resource "azurerm_resource_group" "stack_test" {
name = local.resource_name
location = local.resource_location
tags = local.tags
}
module "test_app_service2" {
source = "./module_app_service"
providers = { azurerm = azurerm, random = random }
#resource_environment = local.resource_environment
resource_location = local.resource_location
resource_group_name = local.resource_name
resource_name = local.resource_name_app
tags = local.tags
depends_on = [
azurerm_resource_group.stack_test
]
}
module "test_function_app1" {
source = "./module_function_app"
providers = { azurerm = azurerm, random = random }
#resource_environment = local.resource_environment
resource_location = local.resource_location
resource_group_name = local.resource_name
resource_name = local.resource_name_function
tags = local.tags
depends_on = [
azurerm_resource_group.stack_test
]
}
module_function.tf
variable "resource_location" {}
variable "resource_group_name" {}
variable resource_name {}
variable "tags" {}
resource "azurerm_app_service_plan" "default" {
location = var.resource_location
resource_group_name = var.resource_group_name
tags = var.tags
name = "api-appserviceplan-pro"
kind = "Linux"
reserved = true
sku {
tier = "Standard"
size = "S1"
}
}
resource "azurerm_storage_account" "example" {
name = var.resource_name
resource_group_name = var.resource_group_name
location = var.resource_location
account_tier = "Standard"
account_replication_type = "LRS"
}
resource "azurerm_function_app" "default" {
location = var.resource_location
resource_group_name = var.resource_group_name
tags = var.tags
app_service_plan_id = azurerm_app_service_plan.default.id
name = var.resource_name
version = "~3"
identity {
type = "SystemAssigned"
}
os_type = "linux"
storage_account_name = azurerm_storage_account.example.name
storage_account_access_key = azurerm_storage_account.example.primary_access_key
auth_settings {
enabled = true
}
site_config {
always_on = true
ftps_state = "Disabled"
health_check_path = ""
http2_enabled = true
linux_fx_version = "DOCKER|mcr.microsoft.com/azure-functions/dotnet:3.0-dotnet3-appservice"
min_tls_version = "1.2"
pre_warmed_instance_count = 0
use_32_bit_worker_process = false
websockets_enabled = false
}
app_settings = {
something = "new"
name_service_plan = azurerm_app_service_plan.default.name
new = "this"}
lifecycle {
ignore_changes = [
auth_settings,
app_settings
]
}
}
module_app_service.tf
variable "resource_location" {}
variable "resource_group_name" {}
variable resource_name {}
variable "tags" {}
resource "azurerm_app_service_plan" "default" {
location = var.resource_location
resource_group_name = var.resource_group_name
tags = var.tags
name = "api-appserviceplan-pro"
kind = "Linux"
reserved = true
sku {
tier = "Standard"
size = "S1"
}
}
resource "azurerm_app_service" "api" {
location = var.resource_location
resource_group_name = var.resource_group_name
tags = var.tags
app_service_plan_id = azurerm_app_service_plan.default.id
name = var.resource_name
identity { type = "SystemAssigned" }
site_config {
always_on = true
app_command_line = ""
default_documents = []
dotnet_framework_version = "v4.0"
ftps_state = "AllAllowed"
health_check_path = ""
http2_enabled = true
linux_fx_version = "DOTNETCORE|3.1"
local_mysql_enabled = false
managed_pipeline_mode = "Integrated"
min_tls_version = "1.2"
python_version = "3.4"
remote_debugging_enabled = false
remote_debugging_version = "VS2019"
use_32_bit_worker_process = false
windows_fx_version = ""
websockets_enabled = true
cors {
allowed_origins = []
support_credentials = false
}
}
app_settings = {
something = "some thing"
name_service_plan = azurerm_app_service_plan.default.name
new = "this"}
lifecycle {
ignore_changes = [
auth_settings,
app_settings
]
}
}
也可以看看:
https://developer.hashicorp.com/terraform/language/meta-arguments/lifecycle#ignore_changes
| 归档时间: |
|
| 查看次数: |
3306 次 |
| 最近记录: |