Terraform 将变量分配给点亮的块答案

【问题标题】：Terraform assign variable to a lit blockTerraform 将变量分配给点亮的块
【发布时间】：2021-04-12 19:48:56
【问题描述】：

我使用 aws 提供程序。对于每个安全组，我为 ssh 指定相同的规则。如何将其提取到变量并分配给 aws_security_group.ingress 列表？

我期待什么：

variable "ssh_ingress" {
  default = {
    from_port = 22
    protocol = "tcp"
    to_port = 22
    description = "SSH for administration."
  }
}

resource "aws_security_group" "main" {
  ingress += var.ssh_ingress // That not work.

  ingress {
    from_port = 0
    protocol = "-1"
    to_port = 0
    self = true
  }

}

【问题讨论】：

标签： amazon-web-services terraform hcl

【解决方案1】：

您可以使用aws_security_group_rule 将规则添加到现有安全组。

例如：

variable "ssh_ingress" {
  default = {
    from_port = 22
    protocol = "tcp"
    to_port = 22
    description = "SSH for administration."
  }
}

resource "aws_security_group" "main" {
  name        = "allow_tls"
  description = "Allow TLS inbound traffic"
  vpc_id      = data.aws_vpc.main.id
}

resource "aws_security_group_rule" "default" {
  type              = "ingress"
  from_port         = 0
  to_port           = 0
  protocol          = -1
  self              = true
  security_group_id = aws_security_group.main.id
}

resource "aws_security_group_rule" "example" {
  type              = "ingress"
  from_port         = var.ssh_ingress.from_port
  to_port           = var.ssh_ingress.to_port
  protocol          = var.ssh_ingress.protocol
  cidr_blocks       = ["10.0.0.0/11"]
  security_group_id = aws_security_group.main.id
}

具有多个内联入口规则的替代方案

resource "aws_security_group" "main" {
  name        = "allow_tls"
  description = "Allow TLS inbound traffic"
  vpc_id      = data.aws_vpc.main.id
  
  ingress {
    from_port = 0
    protocol = "-1"
    to_port = 0
    self = true
  }
  
 ingress {
   from_port         = var.ssh_ingress.from_port
   to_port           = var.ssh_ingress.to_port
   protocol          = var.ssh_ingress.protocol
   cidr_blocks       = ["10.0.0.0/11"]
  }
  
}

【讨论】：

谢谢，但是 aws_security_group 文档页面上的这个注释怎么样。内联入口规则不会被覆盖吗？ Terraform currently provides both a standalone Security Group Rule resource (a single ingress or egress rule), and a Security Group resource with ingress and egress rules defined in-line. At this time you cannot use a Security Group with in-line rules in conjunction with any Security Group Rule resources. Doing so will cause a conflict of rule settings and will overwrite rules.registry.terraform.io/providers/hashicorp/aws/latest/docs/…
@Belenot 你是对的。它会部署，但最好不要冒险。然后，您可以将所有规则分开或使用多个内联规则。我会更新答案。

【解决方案2】：

你可以写出一个 ingress 块引用你的变量的属性：

variable "ssh_ingress" {
  type = object({
    from_port   = number
    to_port     = number
    protocol    = string
    description = string
  })

  default = {
    from_port = 22
    protocol = "tcp"
    to_port = 22
    description = "SSH for administration."
  }
}

resource "aws_security_group" "main" {
  ingress {
    from_port   = var.ssh_ingress.from_port
    protocol    = var.ssh_ingress.protocol
    to_port     = var.ssh_ingress.to_port
    description = var.ssh_ingress.description
  }
}

ingress 块本身是一个静态结构而不是一个值。您可以使用动态值填充其参数，但不能动态生成参数本身。在考虑配置有效之前，Terraform 会验证所有预期的参数是否存在。

但是，Terraform 认为像这样的块中的值 null 等同于省略参数，因此，例如，如果您的模块的调用者要设置 description = null，那么 AWS 提供商将在与完全省略 description 参数完全相同。

【讨论】：