Amazon cloudformation terraform从vpc端点子网选项卡获取子网集成IP
流动就像 1.Amazon cloudformation terraform从vpc端点子网选项卡获取子网集成IP,amazon-cloudformation,terraform,amazon-vpc,terraform-provider-aws,Amazon Cloudformation,Terraform,Amazon Vpc,Terraform Provider Aws,流动就像 1.vpc-->vpc\u端点(com.amazonaws.us-east-1.transfer.server)-->[子网\u 1,子网\u 2] 2.net-->nlb-->目标组-->[子网ip\u 1,子网ip\u 2] 我正在创建一个NLB,目标组指向为“AWS transfers for sftp”创建的VPC端点com.amazonaws.us-east-1.transfer.server,但terraform不会返回与VPC端点集成的子网的IP 所以,目前我正在vpc端
vpc-->vpc\u端点(com.amazonaws.us-east-1.transfer.server)-->[子网\u 1,子网\u 2]net-->nlb-->目标组-->[子网ip\u 1,子网ip\u 2]com.amazonaws.us-east-1.transfer.serverresource "aws_eip" "nlb" {
count = length(var.public_subnet_ids)
vpc = true
}
resource "aws_lb" "network" {
name = "${var.service_name}-${var.env}-nlb"
load_balancer_type = "network"
dynamic subnet_mapping {
for_each = [for i in range(length(module.vpc.public_subnet_ids)) : {
subnet_id = var.public_subnet_ids[i]
allocation_id = aws_eip.nlb[i].id
}]
content {
subnet_id = subnet_mapping.value.subnet_id
allocation_id = subnet_mapping.value.allocation_id
}
}
}
resource "aws_lb_target_group" "target-group" {
name = "${var.service_name}-${var.env}-nlb-target-group"
port = 22
protocol = "TCP"
target_type = "ip"
vpc_id = var.vpc_id
}
// TODO need to add vpc endpoint subnet ip addresses manually to nlb target group as terraform doesn't export the subnet ip addresses
//resource "aws_lb_target_group_attachment" "vpc-endpoint" {
// count = length(var.public_subnet_ids)
// target_group_arn = aws_lb_target_group.target-group.arn
// target_id = this needs ip of subnets intgerated with vpc endpoint
// port = 22
//}
resource "aws_vpc_endpoint" "transfer" {
vpc_id = var.vpc_id
service_name = "com.amazonaws.${var.aws_region}.transfer.server"
vpc_endpoint_type = "Interface"
subnet_ids = var.public_subnet_ids
private_dns_enabled = true
}
resource "aws_transfer_server" "sftp" {
identity_provider_type = "API_GATEWAY"
endpoint_type = "VPC_ENDPOINT"
endpoint_details {
vpc_endpoint_id = aws_vpc_endpoint.transfer.id
}
url = aws_api_gateway_deployment.deploy.invoke_url
invocation_role = aws_iam_role.transfer-identity-provider-role.arn
logging_role = aws_iam_role.transfer-logging-role.arn
depends_on = [aws_vpc_endpoint.transfer]
}
dnsresource "aws_vpc_endpoint" "transfer" {
vpc_id = var.vpc_id
service_name = "com.amazonaws.${var.aws_region}.transfer.server"
vpc_endpoint_type = "Interface"
subnet_ids = var.public_subnet_ids
private_dns_enabled = true
}
data "dns_a_record_set" "endpoints" {
# dns_a_record_set.endpoints is a map from hostname to an object containing "addrs"
for_each = { for e in aws_vpc_endpoint.transfer.dns_entry : e.dns_name => e }
host = each.key
}
locals {
# Flatten the IP addresses down into a single set.
endpoint_ip_addrs = toset(flatten(dns_a_record_set.endpoints[*].addrs))
}
resource "aws_lb_target_group_attachment" "vpc-endpoint" {
for_each = local.endpoint_ip_addrs
target_group_arn = aws_lb_target_group.target-group.arn
target_id = each.value
port = 22
}
aws\u vpc\u endpointdns\u entry的好键。如果这是真的,则上述将产生错误,说明每个值不合适,除非您使用-target
逐步应用此值
aws\u vpc\u endpoint
的设计似乎不适合您在这里尝试的操作,因为它没有提供任何明确的指示,说明哪个主机名属于哪个子网,因此,没有足够的可用信息来构建映射或设置值,这些映射或设置值将具有配置中已知的键。可能值得考虑从等式中完全删除负载平衡器的替代方法,而只使用aws_vpc_endpoint祝你好运。你能编辑你的问题,把你写的地形代码包括进去吗?地形代码有效,没有错误。但是,我找不到一种方法来获得vpc端点子网集成的IP。您仍然应该包括一个,这样我们就可以看到您达到了什么程度。这就是您要问的:?没有ID不会有帮助,它必须是集成ips。问题是我使用NLB将SFTP服务器暴露给外部网络,并带有IP白名单。aws.amazon.com/sftp/faqs“Q:我可以过滤传入流量以访问我的sftp服务器的VPC端点吗?”。因此,在这种情况下,我无法删除NLB
## Data Section
data "aws_network_interface" "eni_0" {
id = "${aws_vpc_endpoint.transfer.network_interface.ids {0}"
}
data "aws_network_interface" "eni_1" {
id = "${aws_vpc_endpoint.transfer.network_interface.ids {1}"
}
## Resource Section
resource "aws_alb_target_group_attachment" "tg_att_0" {
target_group_arn = "$aws_lb_target_group.group.arn}"
target_id = "${data.aws_network_interface.eni_0.private_ips[0]}"
port = 22
}
resource "aws_alb_target_group_attachment" "tg_att_1" {
target_group_arn = "$aws_lb_target_group.group.arn}"
target_id = "${data.aws_network_interface.eni_1.private_ips[0]}"
port = 22
}