foreach - 模块:S3 存储桶 for_each,每个存储桶具有不同的策略
问题描述
我想看看这是否可能 Terraform 0.12.28
bucket_names = {
"bucket1" = "test_temp"
"bucket2" = "test_jump"
"bucket3" = "test_run"
}
module "s3" {
source = "./modules/s3"
name = var.bucket_names
region = var.region
tags = var.tags
}
module
resource "aws_s3_bucket" "s3" {
for_each = var.name
bucket = "${each.value}"
region = var.region
request_payer = "BucketOwner"
tags = var.tags
versioning {
enabled = false
mfa_delete = false
}
}
工作得很好,每个桶都被创建了。但现在我的问题是如何保持一种干净的方式将特定策略应用于列表中的每个存储桶?
policy 1 => test1_temp
policy 2 => test2_jump
policy 3 => test2_run
每个政策都会略有不同我的想法,正则表达式查找_temp并应用policy1等
解决方案
我同意@ydaetkocR。在实际系统中它的复杂性没有任何好处,但它可能对学习很有趣。
terraform.tfvars
bucket_names = {
"bucket1" = "test_temp"
"bucket2" = "test_jump"
"bucket3" = "test_run"
}
bucket_policy = {
"bucket1" = <<POLICY
{
"Version": "2012-10-17",
"Id": "MYBUCKETPOLICY",
"Statement": [
{
"Sid": "IPAllow",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": "arn:aws:s3:::test_temp/*",
"Condition": {
"IpAddress": {"aws:SourceIp": "8.8.8.8/32"}
}
}
]
}
POLICY
"bucket2" = "..."
"bucket3" = "..."
}
根模块
module "s3" {
source = "./modules/s3"
name = var.bucket_names
policy = var.bucket_policies
region = var.region
tags = var.tags
}
模块/s3
resource "aws_s3_bucket" "s3" {
for_each = var.name
bucket = each.value
region = var.region
request_payer = "BucketOwner"
tags = var.tags
versioning {
enabled = false
mfa_delete = false
}
}
resource "aws_s3_bucket_policy" "s3" {
for_each = var.policy
bucket = aws_s3_bucket.s3[each.key].id
policy = each.value
}
这里的诀窍是名称、策略和资源实例具有相同的键。您不必使用两张地图,但这可能是最简单的示例。
正如您在上面看到的那样,这样做会很麻烦,因为您必须手动同步策略中的存储桶名称或编写一些非常复杂的代码来替换模块中的值。