【发布时间】:2021-09-15 08:31:36
【问题描述】:
我的公司要求我在安全组入口规则中明确指定所有允许的端口和协议。我想要一长串端口协议和安全组以允许入口/出口
from_port, to_port, protocol, security_group_that_port_protocol_restriction_applies_to
以下示例存在“master-sg-ingress-security-groups”变量需要定义安全组的问题。
resource "aws_security_group" "master_lb_sg" {
....
}
resource "aws_security_group" "worker_sg" {
......
}
########
####### list of port protocols and security groups to create ingress blocks for. Problem is that security groups to not exist at variable creation time.
########
variable "master-sg-ingress-security-groups" {
depends_on = [aws_security_group.master_lb_sg, aws_security_group.worker_sg]
description = "List of port numbers for specific security group. company bans allowing all ports and protocols. "
type = map(any)
default = {
"ingress1" = [80, 80, "TCP", aws_security_group.master_lb_sg],
"ingress2" = [443, 443, "TCP", aws_security_group.master_lb_sg],
"ingress3" = [3398,3398, "RDP", aws_security_group.bastion_host_sg],
....
"ingress4" = [1024, 1024, "UDP", aws_security_group.worker_sg]
}
}
#####
#### I want to iterate over the above list of security groups and create dynamic ingress rules but other security groups do not exist
####
resource "aws_security_group" "test" {
depends_on = [aws_security_group.master_lb_sg, aws_security_group.worker_sg]
provider = aws.region_master
name = "master-sg"
description = "security group for Jenkins master"
vpc_id = aws_vpc.vpc_master.id
dynamic "ingress" {
# this for_each is not identical to for_each in line 21
for_each = var.master-sg-ingress-security-groups
content {
from_port = ingress.value[0]
to_port = ingress.value[1]
protocol = ingress.value[2]
security_group = ingress[3]
}
}
}
我认为我必须为每个入口复制粘贴文本块
【问题讨论】:
-
你能澄清一下“公司禁止0,0,-1行”吗?此外,您的变量中不能有变量
aws_security_group.worker_sg。 -
是的,马辛。那是我的问题。有没有办法在变量中解决 aws_security_group.worker_sg 的问题???
标签: amazon-web-services terraform-provider-aws