azure - The "count" value depends on resource attributes that cannot be determined until apply, so Terraform cannot predict how many instances will be created

Tags: azure terraform terraform-provider-azure

I want to exempt an Azure VM from certain policies. I have the following Terraform code to exempt those policies.

It uses local values to determine the scope at which the policy should be exempted.

locals {
  exemption_scope = try({
    mg       = length(regexall("(\\/managementGroups\\/)", var.scope)) > 0 ? 1 : 0,
    sub      = length(split("/", var.scope)) == 3 ? 1 : 0,
    rg       = length(regexall("(\\/managementGroups\\/)", var.scope)) < 1 ? length(split("/", var.scope)) == 5 ? 1 : 0 : 0,
    resource = length(split("/", var.scope)) >= 6 ? 1 : 0,
  })

  expires_on = var.expires_on != null ? "${var.expires_on}T23:00:00Z" : null

  metadata = var.metadata != null ? jsonencode(var.metadata) : null

  # generate reference Ids when unknown, assumes the set was created with the initiative module
  policy_definition_reference_ids = length(var.member_definition_names) > 0 ? [for name in var.member_definition_names :
    replace(substr(title(replace(name, "/-|_|\\s/", " ")), 0, 64), "/\\s/", "")
  ] : var.policy_definition_reference_ids

  exemption_id = try(
    azurerm_management_group_policy_exemption.management_group_exemption[0].id,
    azurerm_subscription_policy_exemption.subscription_exemption[0].id,
    azurerm_resource_group_policy_exemption.resource_group_exemption[0].id,
    azurerm_resource_policy_exemption.resource_exemption[0].id,
    ""
  )
}

And the locals above are used as follows:

resource "azurerm_management_group_policy_exemption" "management_group_exemption" {
  count                           = local.exemption_scope.mg
  name                            = var.name
  display_name                    = var.display_name
  description                     = var.description
  management_group_id             = var.scope
  policy_assignment_id            = var.policy_assignment_id
  exemption_category              = var.exemption_category
  expires_on                      = local.expires_on
  policy_definition_reference_ids = local.policy_definition_reference_ids
  metadata                        = local.metadata
}

The locals and azurerm_management_group_policy_exemption are both part of the same module file. And the policy exemption is applied as follows:

module exemption_jumpbox_sql_vulnerability_assessment {
  count                           = var.enable_jumpbox == true ? 1 : 0  
  source                          = "../policy_exemption"
  name                            = "Exemption - SQL servers on machines should have vulnerability"
  display_name                    = "Exemption - SQL servers on machines should have vulnerability"
  description                     = "Not required for Jumpbox"
  scope                           = module.create_jumbox_vm[0].virtual_machine_id
  policy_assignment_id            = module.security_center.azurerm_subscription_policy_assignment_id
  policy_definition_reference_ids = var.exemption_policy_definition_ids
  exemption_category              = "Waiver"
  depends_on                      = [module.create_jumbox_vm,module.security_center]
}

It works for an existing Azure VM. However, when trying to provision an Azure VM and apply the policy exemption to that Azure VM in the same run, it throws the following error.

Ideally, module.exemption_jumpbox_sql_vulnerability_assessment should only execute after module.create_jumbox_vm, since it is defined as a dependency. But I am not sure why it throws the error:

│ The "count" value depends on resource attributes that cannot be determined
│ until apply, so Terraform cannot predict how many instances will be
│ created. To work around this, use the -target argument to first apply only
│ the resources that the count depends on.

Best answer

I tried to reproduce the scenario in my environment.

resource "azurerm_management_group_policy_exemption" "management_group_exemption" {
  count                           = local.exemption_scope.mg
  name                            = var.name
  display_name                    = var.display_name
  description                     = var.description
  management_group_id             = var.scope
  policy_assignment_id            = var.policy_assignment_id
  exemption_category              = var.exemption_category
  expires_on                      = local.expires_on
  policy_definition_reference_ids = local.policy_definition_reference_ids
  metadata                        = local.metadata
}


locals {
  exemption_scope = try({
        ...
  })
}

Got the same error:

│ The "count" value depends on resource attributes that cannot be determined
│ until apply, so Terraform cannot predict how many instances will be
│ created. To work around this, use the -target argument to first apply only
│ the resources that the count depends on.

It references local values that are only known at apply time, not during apply. So if it did not depend on other sources it would show the policy, but it depends on something that may still be under creation.

So first target only the resources it depends on, because the exemption policy can only be assigned to the VM once the VM has been created. See count: using-expressions-in-count | Terraform | HashiCorp Developer


Also note that when using the Terraform count argument with Azure virtual machines, a NIC resource must also be created for each virtual machine resource.

resource "azurerm_network_interface" "nic" {
  count               = var.vm_count
  name                = "${var.vm_name_pfx}-${count.index}-nic"
  location            = data.azurerm_resource_group.example.location
  resource_group_name = data.azurerm_resource_group.example.name
  //tags = var.tags

  ip_configuration {
    name                          = "internal"
    subnet_id                     = azurerm_subnet.internal.id
    private_ip_address_allocation = "Dynamic"
  }
}


Reference: terraform-azurerm-policy-exemptions/examples/count at main · AnsumanBal-MT/terraform-azurerm-policy-exemptions · GitHub
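One way to keep `count` known at plan time without `-target`, as an added example that is not code from the question, the answer or the linked repository: the caller states the scope type as a literal, and the apply-time-unknown VM id is only used inside the resource arguments, never in the `count` expression. The `scope_type` variable, its allowed values and the file paths in the comments are assumptions; the other variables are the ones the question's module already uses.

```hcl
# --- modules/policy_exemption/main.tf (assumed path; added example) ---
variable "scope" {
  type        = string
  description = "Resource ID to exempt; may be unknown until apply."
}

# Assumed variable: a plan-time literal that replaces the regexall/split
# checks on var.scope, so count no longer depends on an unknown value.
variable "scope_type" {
  type        = string
  description = "One of: management_group, subscription, resource_group, resource."

  validation {
    condition     = contains(["management_group", "subscription", "resource_group", "resource"], var.scope_type)
    error_message = "scope_type must be management_group, subscription, resource_group or resource."
  }
}

# count depends only on the literal, so Terraform can size the resource at plan
# time; the unknown VM id is fine here because only arguments, not count, use it.
resource "azurerm_resource_policy_exemption" "resource_exemption" {
  count                           = var.scope_type == "resource" ? 1 : 0
  name                            = var.name
  resource_id                     = var.scope
  policy_assignment_id            = var.policy_assignment_id
  exemption_category              = var.exemption_category
  policy_definition_reference_ids = local.policy_definition_reference_ids
}

# --- root module (assumed caller) ---
# The VM id is still unknown during plan; scope_type is what sizes the module.
module "exemption_jumpbox_sql_vulnerability_assessment" {
  count                           = var.enable_jumpbox ? 1 : 0
  source                          = "../policy_exemption"
  name                            = "Exemption - SQL servers on machines should have vulnerability"
  scope                           = module.create_jumbox_vm[0].virtual_machine_id
  scope_type                      = "resource"
  policy_assignment_id            = module.security_center.azurerm_subscription_policy_assignment_id
  policy_definition_reference_ids = var.exemption_policy_definition_ids
  exemption_category              = "Waiver"
}
```

The same `var.scope_type == "..."` test replaces `local.exemption_scope.mg`, `.sub` and `.rg` on the other three exemption resources, so a single plan creates the VM and its exemption without `-target`.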

Regarding azure - The "count" value depends on resource attributes that cannot be determined until apply, so Terraform cannot predict how many instances will be created, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/75249627/
