【Question title】: Nested for_each or count with dynamic for aws_security_group_rule in Terraform
【Posted】: 2021-10-18 10:56:58
【Question】:

I need to create security group rules with the following requirements.

Port 22 should have CIDR as [1,2,3]
Port 443 & 80 each should have CIDR as [4,5]
ingress_ports_tcp = [[22], [443,80]]
ingress_cidr_tcp = [[1,2,3], [4,5]]

I am trying the code below:

resource "aws_security_group_rule" "tcp1" {
  type  = "ingress"
  count = (length(var.ingress_cidr_tcp) == length(var.ingress_ports_tcp)) && (var.ingress_cidr_tcp != "" || var.ingress_ports_tcp != "") ? length(var.ingress_ports_tcp) : 0
  dynamic "sg" {
    for_each = toset(var.ingress_ports_tcp[count.index])
    content {
      from_port   = each.value
      to_port     = each.value
      cidr_blocks = var.ingress_cidr_tcp[count.index]
    }
  }
  security_group_id = aws_security_group.default-sg[0].id
}

Error:

Error: Missing required argument

  on security-group.tf line 16, in resource "aws_security_group_rule" "tcp1":
  16: resource "aws_security_group_rule" "tcp1"

The argument "from_port" is required, but no definition was found.

Error: Missing required argument

  on security-group.tf line 16, in resource "aws_security_group_rule" "tcp1":
  16: resource "aws_security_group_rule" "tcp1"

The argument "to_port" is required, but no definition was found.

Error: Unsupported block type

  in resource "aws_security_group_rule" "tcp1":
  19: dynamic "sg"

Blocks of type "sg" are not expected here.

Please help.

【Comments】:

  • What are these variables? var.ingress_cidr_tcp) == length(var.ingress_ports_tcp)) && ( var.ingress_cidr_tcp != "" || var.ingress_ports_tcp != "" ) ? length(var.ingress_ports_tcp? None of them are defined, and their values are not shown.
  • Modified the question accordingly. Please check.
  • I am trying to achieve this with a dynamic block: port 22 should have CIDR [1,2,3], and ports 443 and 80 should have CIDR [4,5].
  • Not possible. aws_security_group_rule does not have any dynamic blocks.
  • OK, then how do we achieve this? Please give some ideas.

Tags: amazon-web-services terraform terraform-provider-aws


【Solution 1】:

aws_security_group_rule has no block such as sg, so you cannot use dynamic.

Your problem can be solved as follows:

variable "ingress_ports_tcp" {
    default = [[22], [443,80]]
}

# example with some CIDRs
variable "ingress_cidr_tcp" {
    default = [["172.31.32.0/20", "172.31.64.0/20", "172.31.96.0/20"], 
               ["172.31.128.0/20", "172.31.160.0/20"]]
}


locals {
  my_rules = merge([
    for idx_port, ports in var.ingress_ports_tcp :
      { for port in ports :
          "${idx_port}-${port}" => {
            "port"  = port
            "cidrs" = var.ingress_cidr_tcp[idx_port]
          }
      }
  ]...)
}

which gives:

{
  "0-22" = {
    "cidrs" = [
      "172.31.32.0/20",
      "172.31.64.0/20",
      "172.31.96.0/20",
    ]
    "port" = 22
  }
  "1-443" = {
    "cidrs" = [
      "172.31.128.0/20",
      "172.31.160.0/20",
    ]
    "port" = 443
  }
  "1-80" = {
    "cidrs" = [
      "172.31.128.0/20",
      "172.31.160.0/20",
    ]
    "port" = 80
  }
}

Then:

resource "aws_security_group_rule" "tcp1" {
  for_each = local.my_rules

  from_port   = each.value.port
  to_port     = each.value.port
  cidr_blocks = each.value.cidrs

  protocol          = "tcp"
  type              = "ingress"
  security_group_id = "sg-005923c14af064eec"
}

【Discussion】:
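The same flattening, as an added example that is not part of the answer above: it keeps the length check the question tried to fold into `count` (so a port group can never silently be paired with the wrong CIDR group) and uses string keys so removing one group does not renumber every later rule. It assumes Terraform 1.2 or later for the `precondition` block and the `aws_security_group.default-sg` resource from the question.

```hcl
variable "ingress_ports_tcp" {
  type    = list(list(number))
  default = [[22], [443, 80]]
}

variable "ingress_cidr_tcp" {
  type    = list(list(string))
  default = [["172.31.32.0/20", "172.31.64.0/20", "172.31.96.0/20"],
             ["172.31.128.0/20", "172.31.160.0/20"]]
}

locals {
  # Flatten the parallel lists into one object per port. The group index
  # is kept so the same port in two groups still gets a unique key.
  # try() keeps an index mismatch from aborting here, so the precondition
  # below can report it with a readable message instead.
  tcp_rules = flatten([
    for idx, ports in var.ingress_ports_tcp : [
      for port in ports : {
        group = idx
        port  = port
        cidrs = try(var.ingress_cidr_tcp[idx], [])
      }
    ]
  ])
}

resource "aws_security_group_rule" "tcp1" {
  # String keys rather than count: dropping one port group no longer
  # shifts every later rule's address and forces a destroy/recreate.
  for_each = { for r in local.tcp_rules : "${r.group}-${r.port}" => r }

  type              = "ingress"
  protocol          = "tcp"
  from_port         = each.value.port
  to_port           = each.value.port
  cidr_blocks       = each.value.cidrs
  security_group_id = aws_security_group.default-sg[0].id # from the question

  lifecycle {
    precondition {
      condition     = length(var.ingress_ports_tcp) == length(var.ingress_cidr_tcp)
      error_message = "ingress_ports_tcp and ingress_cidr_tcp must have the same length."
    }
  }
}
```

With the defaults above, `terraform plan` shows three rules keyed `0-22`, `1-443` and `1-80`; shortening either list makes the plan fail on the precondition before anything is applied.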
