有没有办法合并 terraform 变量以跨多个 AWS 区域使用相同的模块？

Question

我是 terraform 的新手，我正在使用 terragrunt 来帮助我完成任务。我有相当数量的基础设施可以迁移并使用 terraform 进行设置，但我首先要脚踏实地。我们在不同的地区有多个 VPC，使用了很多相同的安全组规则，即（web、db 等），我想在每个地区复制这些规则。

我有一个简单的示例，说明我目前如何设置 EC2 模块来重新创建安全组规则，并且想知道是否有更好的方法来组织此代码，这样我就不必为同一个 SG 创建新模块每个地区的规则？即一些聪明的方式来利用我的 vpc、提供者等的列表......

由于这只是跨两个区域的一个 SG 规则，我试图避免这种变得丑陋，因为我们扩展到更多区域并且我输入了多个 SG 规则

我的状态当前存储在 S3 中，在此设置中，我提取状态，以便我可以从用于创建 VPC 的另一个模块访问 VPC 输出

terraform {
  backend "s3" {}
}

provider "aws" {
  version = "~> 1.31.0"
  region  = "${var.region}"
  profile = "${var.profile}"
}

provider "aws" {
  version = "~> 1.31.0"
  alias  = "us-west-1"
  region = "us-west-1"
  profile = "${var.profile}"
}

#################################
# Data sources to get VPC details
#################################

data "terraform_remote_state" "vpc" {
  backend = "s3"

  config {
    bucket = "${var.vpc_remote_state_bucket}"
    key    = "${var.vpc_remote_state_key}"
    region = "${var.region}"
    profile = "${var.profile}"
  }
}

#####################
# Security group rule
#####################

module "east1_vpc_web_server_sg" {
  source = "terraform-aws-modules/security-group/aws"
  version = "2.5.0"

  name        = "web-server"
  description = "Security group for web-servers with HTTP ports open within the VPC"
  vpc_id      = "${data.terraform_remote_state.vpc.us_east_vpc1_id}"

  # Allow VPC public subnets to talk to each other for API's
  ingress_cidr_blocks = ["${data.terraform_remote_state.vpc.us_east_vpc1_public_subnets_cidr_blocks}"]
  ingress_rules       = ["https-443-tcp", "http-80-tcp"]

  # List of maps
  ingress_with_cidr_blocks = "${var.web_server_ingress_with_cidr_blocks}"

  # Allow engress all protocols to outside
  egress_rules = ["all-all"]

  tags = {
    Terraform = "true"
    Environment = "${var.environment}"
  }
}

module "west1_vpc_web_server_sg" {
  source = "terraform-aws-modules/security-group/aws"
  version = "2.5.0"

  providers {
    aws = "aws.us-west-1"
  }

  name        = "web-server"
  description = "Security group for web-servers with HTTP ports open within the VPC"
  vpc_id      = "${data.terraform_remote_state.vpc.us_west_vpc1_id}"

  # Allow VPC public subnets to talk to each other for API's
  ingress_cidr_blocks = ["${data.terraform_remote_state.vpc.us_west_vpc1_public_subnets_cidr_blocks}"]
  ingress_rules       = ["https-443-tcp", "http-80-tcp"]

  ingress_with_cidr_blocks = "${var.web_server_ingress_with_cidr_blocks}"

  # Allow engress all protocols to outside
  egress_rules = ["all-all"]

  tags = {
    Terraform = "true"
    Environment = "${var.environment}"
  }
}

Answer 1

您当前的设置使用了两次在提供程序中不同的相同模块。您可以将多个提供程序传递给模块 (see the documentation)。然后，在模块中，您可以使用您在主文档中指定一次的相同变量来创建您需要的所有实例。

但是，由于您为每种资源类型使用一个单独的提供程序，因此您必须至少有一些代码重复。

您的代码可能看起来像这样

module "vpc_web_server_sg" {
  source = "terraform-aws-modules/security-group/aws"
  version = "2.5.0"

  providers {
    aws.main = "aws"
    aws.secondary = "aws.us-west-1"
  }

  name        = "web-server"
  description = "Security group for web-servers with HTTP ports open within the VPC"
  vpc_id      = "${data.terraform_remote_state.vpc.us_west_vpc1_id}"

  # Allow VPC public subnets to talk to each other for API's
  ingress_cidr_blocks = ["${data.terraform_remote_state.vpc.us_west_vpc1_public_subnets_cidr_blocks}"]
  ingress_rules       = ["https-443-tcp", "http-80-tcp"]

  ingress_with_cidr_blocks = "${var.web_server_ingress_with_cidr_blocks}"

  # Allow engress all protocols to outside
  egress_rules = ["all-all"]

  tags = {
    Terraform = "true"
    Environment = "${var.environment}"
  }
}

在您的模块中，您可以使用main 和secondary 提供程序来部署您所需的所有资源。