Terraform AWS security group self-reference

Question

I am using terraform to provision AWS resources. I need to self-reference "mySG". From the Terraform documentation I can use

    ingress {
      from_port = 0
      to_port   = 0
      protocol  = -1
      self      = true
    }

But what about different protocols? Using the console, the following inbound rules exist historically:

        Type         Protocol   PortRange   Source
    1.  All TCP      TCP        0-65535     mySG
    2.  All UDP      UDP        0-65535     mySG
    3.  Custom TCP   TCP        1856        mySG

(Is the third entry even needed, given that the first entry covers all ports?) Does the ingress rule above handle all 3 entries? If not, what should the terraform syntax be?

Tags: amazon-web-services, aws-cli, terraform-provider-aws, aws-security-group, aws-cloudformation-custom-resource

Solution

You can achieve a self-referencing group by splitting the security group from its rules, using the aws_security_group and aws_security_group_rule resources separately. Doing that, combined with your 3 existing rules, would look roughly like this terraform:

    resource "aws_security_group" "sec_group" {
      name   = "sec_group"
      vpc_id = "${local.vpc_id}" // assumes a local holding the target VPC id
    }

    resource "aws_security_group_rule" "sec_group_allow_tcp" {
      type                     = "ingress"
      from_port                = 0                                  // first part of port range
      to_port                  = 65535                              // second part of port range
      protocol                 = "tcp"                              // protocol, could be "tcp", "udp" etc.
      security_group_id        = "${aws_security_group.sec_group.id}" // which group to attach it to
      source_security_group_id = "${aws_security_group.sec_group.id}" // which group to specify as source
    }

    resource "aws_security_group_rule" "sec_group_allow_udp" {
      type                     = "ingress"
      from_port                = 0                                  // first part of port range
      to_port                  = 65535                              // second part of port range
      protocol                 = "udp"                              // protocol, could be "tcp", "udp" etc.
      security_group_id        = "${aws_security_group.sec_group.id}" // which group to attach it to
      source_security_group_id = "${aws_security_group.sec_group.id}" // which group to specify as source
    }

    resource "aws_security_group_rule" "sec_group_allow_1856" {
      type                     = "ingress"
      from_port                = 1856                               // single port: from and to are equal (port 1856 from the question's third rule)
      to_port                  = 1856
      protocol                 = "tcp"                              // protocol, could be "tcp", "udp" etc.
      security_group_id        = "${aws_security_group.sec_group.id}" // which group to attach it to
      source_security_group_id = "${aws_security_group.sec_group.id}" // which group to specify as source
    }

Note that the rule takes a protocol type, a from port / to port (for the range), and an optional source_security_group_id to specify
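The same three rules in current Terraform (0.12+) syntax, as an added example that is not part of the original answer: one aws_security_group_rule per entry generated with for_each, using the rule resource's own `self = true` attribute instead of repeating the group's id as source_security_group_id. The `vpc_id` variable, the resource names and the rule map are assumptions for the example. Two practitioner caveats are worth stating: the third entry is redundant, because "All TCP 0-65535 from mySG" already permits TCP 1856 from mySG, so it is kept here only to mirror the console; and a self-referencing all-ports rule means every instance in the group can reach every other on any port, so the group should contain only hosts that genuinely need that mesh.

```hcl
# Added example (Terraform 0.12+ syntax); not the code of the original answer.
# Assumes an already configured AWS provider and a caller-supplied VPC id.
variable "vpc_id" {
  type = string
}

locals {
  # Constructed map mirroring the three console rules from the question.
  # tcp_1856 is redundant with all_tcp (0-65535 already covers 1856); it is
  # kept only to reproduce the console rules one-to-one.
  self_ingress_rules = {
    all_tcp  = { protocol = "tcp", from_port = 0,    to_port = 65535 }
    all_udp  = { protocol = "udp", from_port = 0,    to_port = 65535 }
    tcp_1856 = { protocol = "tcp", from_port = 1856, to_port = 1856 }
  }
}

resource "aws_security_group" "my_sg" {
  name        = "mySG"
  description = "Self-referencing group: members may reach each other"
  vpc_id      = var.vpc_id
}

# One rule resource per map entry; `self = true` makes the rule's source the
# group it is attached to, equivalent to source_security_group_id = my_sg.id.
resource "aws_security_group_rule" "self_ingress" {
  for_each = local.self_ingress_rules

  type              = "ingress"
  protocol          = each.value.protocol
  from_port         = each.value.from_port
  to_port           = each.value.to_port
  self              = true
  security_group_id = aws_security_group.my_sg.id
  description       = "self-reference ${each.key}"
}
```

`terraform plan` shows three aws_security_group_rule.self_ingress["..."] resources, each with the group's own id as the source; `self`, `source_security_group_id` and `cidr_blocks` are mutually exclusive on this resource, so only one of them may be set per rule. Keeping the rules as separate resources (rather than inline `ingress` blocks on the group) is also what avoids the cyclic dependency a group would otherwise have on its own id.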


推荐阅读