terraform - How to keep Terraform aws_security_group usage DRY
Question
I wrote a simple module to provision an AWS VPC with a variable number of AZs. It creates route tables, gateways, routes and so on, but I'm having trouble keeping the security group part DRY, i.e. keeping the module reusable when specifying security groups.
This is the closest I've been able to get:
variables.tf:
variable "staging_security_groups" {
type = "list"
default = [ {
"name" = "staging_ssh"
"from port" = "22"
"to port" = "22"
"protocol" = "tcp"
"cidrs" = "10.0.0.5/32,10.0.0.50/32,10.0.0.200/32"
"description" = "Port 22"
} ]
}
main.tf:
resource "aws_security_group" "this_security_group" {
count = "${length(var.security_groups)}"
name = "${lookup(var.security_groups[count.index], "name")}"
description = "${lookup(var.security_groups[count.index], "description")}"
vpc_id = "${aws_vpc.this_vpc.id}"
ingress {
from_port = "${lookup(var.security_groups[count.index], "from port")}"
to_port = "${lookup(var.security_groups[count.index], "to port")}"
protocol = "${lookup(var.security_groups[count.index], "protocol")}"
cidr_blocks = ["${split(",", lookup(var.security_groups[count.index], "cidrs"))}"]
}
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
tags {
Name = "${lookup(var.security_groups[count.index], "name")}"
environment = "${var.name}"
terraform = "true"
}
}
Now this is fine, as long as you want one security group per port :) What I really need is some way to call ingress as many times as there are values in the variable staging_security_groups[THE SECURITY GROUP].from_port (forgive the made-up notation).
Answer
You could look at using aws_security_group_rule instead of having your rules inline. Then you can create a module like this:
modules/sg/sg.tf
resource "aws_security_group" "default" {
name = "${var.security_group_name}"
description = "${var.security_group_name} group managed by Terraform"
vpc_id = "${var.vpc_id}"
}
resource "aws_security_group_rule" "egress" {
type = "egress"
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
description = "All egress traffic"
security_group_id = "${aws_security_group.default.id}"
}
resource "aws_security_group_rule" "tcp" {
count = "${var.tcp_ports == "default_null" ? 0 : length(split(",", var.tcp_ports))}"
type = "ingress"
from_port = "${element(split(",", var.tcp_ports), count.index)}"
to_port = "${element(split(",", var.tcp_ports), count.index)}"
protocol = "tcp"
cidr_blocks = ["${var.cidrs}"]
description = ""
security_group_id = "${aws_security_group.default.id}"
}
resource "aws_security_group_rule" "udp" {
count = "${var.udp_ports == "default_null" ? 0 : length(split(",", var.udp_ports))}"
type = "ingress"
from_port = "${element(split(",", var.udp_ports), count.index)}"
to_port = "${element(split(",", var.udp_ports), count.index)}"
protocol = "udp"
cidr_blocks = ["${var.cidrs}"]
description = ""
security_group_id = "${aws_security_group.default.id}"
}
modules/sg/variables.tf
variable "tcp_ports" {
default = "default_null"
}
variable "udp_ports" {
default = "default_null"
}
variable "cidrs" {
type = "list"
}
variable "security_group_name" {}
variable "vpc_id" {}
Using the module in main.tf
module "sg1" {
source = "./modules/sg"  # local module paths must start with ./ or ../, otherwise Terraform treats the address as a registry module
tcp_ports = "22,80,443"
cidrs = ["10.0.0.5/32", "10.0.0.50/32", "10.0.0.200/32"]
security_group_name = "SomeGroup"
vpc_id = "${aws_vpc.this_vpc.id}"
}
module "sg2" {
source = "./modules/sg"
tcp_ports = "22,80,443"
cidrs = ["10.0.0.5/32", "10.0.0.50/32", "10.0.0.200/32"]
security_group_name = "SomeOtherGroup"
vpc_id = "${aws_vpc.this_vpc.id}"
}
Reference:
Why optionally excluding a resource with count looks like this (source):
count = "${var.udp_ports == "default_null" ? 0 : length(split(",", var.udp_ports))}"
and the variable is set to:
variable "udp_ports" {
default = "default_null"
}
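The answer above targets Terraform 0.11, where ports have to be passed as a comma-separated string and indexed with count. As an added example (not code from the question or the answer), the same pattern in Terraform 0.12+ syntax: one security group per module call, one aws_security_group_rule per entry in a map of rules, with for_each instead of count. The module path, variable names, rule keys and CIDRs are assumptions for illustration; egress is opt-in rather than defaulting to 0.0.0.0/0.

```hcl
# Added example, not part of the original page. All names below are assumed.

# modules/sg/variables.tf
variable "name"   { type = string }
variable "vpc_id" { type = string }

# One entry per ingress rule, keyed by a stable name. This gives many rules
# per group instead of one group per port, which was the original problem.
variable "ingress_rules" {
  type = map(object({
    protocol    = string
    from_port   = number
    to_port     = number
    cidr_blocks = list(string)
    description = string
  }))
  default = {}
}

# No egress rule is created unless the caller passes CIDRs explicitly.
variable "egress_cidr_blocks" {
  type    = list(string)
  default = []
}

# modules/sg/main.tf
resource "aws_security_group" "this" {
  name        = var.name
  description = "${var.name} managed by Terraform"
  vpc_id      = var.vpc_id
  # No inline ingress/egress blocks here: they would fight with the
  # aws_security_group_rule resources below on every plan.
}

resource "aws_security_group_rule" "ingress" {
  for_each          = var.ingress_rules
  type              = "ingress"
  protocol          = each.value.protocol
  from_port         = each.value.from_port
  to_port           = each.value.to_port
  cidr_blocks       = each.value.cidr_blocks
  description       = each.value.description
  security_group_id = aws_security_group.this.id
}

resource "aws_security_group_rule" "egress" {
  count             = length(var.egress_cidr_blocks) > 0 ? 1 : 0
  type              = "egress"
  protocol          = "-1"
  from_port         = 0
  to_port           = 0
  cidr_blocks       = var.egress_cidr_blocks
  description       = "All egress traffic"
  security_group_id = aws_security_group.this.id
}

# Root main.tf (assumes aws_vpc.this_vpc exists, as in the question)
locals {
  admin_cidrs = ["10.0.0.5/32", "10.0.0.50/32", "10.0.0.200/32"]
}

module "web_sg" {
  source = "./modules/sg"
  name   = "web"
  vpc_id = aws_vpc.this_vpc.id
  ingress_rules = {
    ssh   = { protocol = "tcp", from_port = 22,  to_port = 22,  cidr_blocks = local.admin_cidrs, description = "SSH from admin hosts only" }
    http  = { protocol = "tcp", from_port = 80,  to_port = 80,  cidr_blocks = ["0.0.0.0/0"],   description = "HTTP" }
    https = { protocol = "tcp", from_port = 443, to_port = 443, cidr_blocks = ["0.0.0.0/0"],   description = "HTTPS" }
  }
  egress_cidr_blocks = ["0.0.0.0/0"]
}
```

Two things worth checking in practice. First, keep all rules for a group either inline or in aws_security_group_rule resources, never both: Terraform documents that mixing the two styles on one group causes perpetual diffs, because each side tries to remove the other's rules. Second, for_each keyed by name is preferable to count over a list: with count, deleting "22" from "22,80,443" shifts the indices, so Terraform destroys and recreates the remaining rules, briefly dropping the 80 and 443 rules; with a map, removing the ssh key touches only that one rule.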