Amazon Web Services: Terraform resources created with "for_each" - using them in other Terraform scripts


I have a Terraform script that creates N security groups:

variable "security_groups" {
    default     = {
        "sg1" = "Security group 1"
        "sg2" = "Security group 2"
    }
}

resource "aws_security_group" "example" {
    for_each = var.security_groups

    name                   = each.key
    description            = each.value

    vpc_id                 = aws_vpc.example.id
    revoke_rules_on_delete = false

    egress {
        from_port   = 0
        to_port     = 0
        protocol    = "-1"
        cidr_blocks = ["0.0.0.0/0"]
    }
}
…and I also have another Terraform script that creates an IAM policy.

It must reference, in its Resource section, the N security groups created by the first script:

resource "aws_iam_policy" "operator_policy" {
  name        = "${var.iam_prefix}-operator"
  path        = "/"
  description = "Policy for operator"
  policy      = <<-EOF
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": [
                    "ec2:AuthorizeSecurityGroupEgress",
                    "ec2:AuthorizeSecurityGroupIngress",
                    "ec2:UpdateSecurityGroupRuleDescriptionsEgress",
                    "ec2:UpdateSecurityGroupRuleDescriptionsIngress",
                    "ec2:RevokeSecurityGroupEgress",
                    "ec2:RevokeSecurityGroupIngress"
                ],
                "Effect": "Allow",
                "Resource": [
                    "sg1 ARN",
                    "sgN ARN"
                ]
            }
        ]
    }
    EOF
}
Is this possible?

You can use a combination of jsonencode and for expressions.

Using jsonencode to generate the whole value is more robust than generating JSON with a string template, because Terraform can evaluate the argument as a normal expression and guarantee that the result is a valid JSON representation of it:

resource "aws_iam_policy" "operator_policy" {
  name        = "${var.iam_prefix}-operator"
  path        = "/"
  description = "Policy for operator"
  policy      = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = [
          "ec2:AuthorizeSecurityGroupEgress",
          "ec2:AuthorizeSecurityGroupIngress",
          "ec2:UpdateSecurityGroupRuleDescriptionsEgress",
          "ec2:UpdateSecurityGroupRuleDescriptionsIngress",
          "ec2:RevokeSecurityGroupEgress",
          "ec2:RevokeSecurityGroupIngress",
        ]
        Effect = "Allow"
        Resource = [
          "sg1 ARN",
          "sgN ARN",
        ]
      },
    ]
  })
}
Aside from guaranteeing that the result is always valid JSON syntax, building the policy value with Terraform's expression language also means you can use all of Terraform's expression features, including reading the arn attribute from each security group:

variable "security_groups" {
    default     = {
        "sg1" = "Security group 1"
        "sg2" = "Security group 2"
    }
}

resource "aws_security_group" "example" {
    for_each = var.security_groups

    name                   = each.key
    description            = each.value

    vpc_id                 = aws_vpc.example.id
    revoke_rules_on_delete = false

    egress {
        from_port   = 0
        to_port     = 0
        protocol    = "-1"
        cidr_blocks = ["0.0.0.0/0"]
    }
}
resource "aws_iam_policy" "operator_policy" {
  name        = "${var.iam_prefix}-operator"
  path        = "/"
  description = "Policy for operator"
  policy      = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = [
          "ec2:AuthorizeSecurityGroupEgress",
          "ec2:AuthorizeSecurityGroupIngress",
          "ec2:UpdateSecurityGroupRuleDescriptionsEgress",
          "ec2:UpdateSecurityGroupRuleDescriptionsIngress",
          "ec2:RevokeSecurityGroupEgress",
          "ec2:RevokeSecurityGroupIngress",
        ]
        Effect = "Allow"
        Resource = [
          for sg in aws_security_group.example : sg.arn
        ],
      },
    ]
  })
}
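The question asks about two separate Terraform scripts, while the answer above keeps the security groups and the policy in one configuration. The following is an added example (not from the original question or answer) showing the split layout: configuration A publishes only the ARNs as an output, and configuration B reads them through terraform_remote_state and builds the policy with the aws_iam_policy_document data source, which also produces jsonencode-style valid JSON. The S3 bucket name, state key and region are assumptions, and the same list of ec2 actions is reused from the page.

```hcl
############################################################
# Configuration A (network) - create the groups, publish ARNs
############################################################
variable "security_groups" {
  type = map(string)
  default = {
    "sg1" = "Security group 1"
    "sg2" = "Security group 2"
  }
}

resource "aws_security_group" "example" {
  for_each    = var.security_groups
  name        = each.key
  description = each.value
  vpc_id      = aws_vpc.example.id
}

# Expose only what the consumer needs: a map of key => ARN.
# Iteration over a map is in lexical key order, so the output is stable.
output "security_group_arns" {
  description = "Security group ARNs keyed by the var.security_groups key"
  value       = { for k, sg in aws_security_group.example : k => sg.arn }
}

############################################################
# Configuration B (iam) - consume the ARNs from A's state
############################################################
variable "iam_prefix" {
  type = string
}

data "terraform_remote_state" "network" {
  backend = "s3"
  config = {
    bucket = "example-tfstate-bucket"      # assumption: A's state bucket
    key    = "network/terraform.tfstate"   # assumption: A's state key
    region = "us-east-1"                   # assumption
  }
}

locals {
  # values() of the published map gives the list the policy needs.
  operator_sg_arns = values(data.terraform_remote_state.network.outputs.security_group_arns)
}

# Same scoping as the answer's jsonencode version, but the data source
# validates the document structure at plan time and renders the JSON.
data "aws_iam_policy_document" "operator" {
  statement {
    effect = "Allow"
    actions = [
      "ec2:AuthorizeSecurityGroupEgress",
      "ec2:AuthorizeSecurityGroupIngress",
      "ec2:UpdateSecurityGroupRuleDescriptionsEgress",
      "ec2:UpdateSecurityGroupRuleDescriptionsIngress",
      "ec2:RevokeSecurityGroupEgress",
      "ec2:RevokeSecurityGroupIngress",
    ]
    resources = local.operator_sg_arns
  }
}

resource "aws_iam_policy" "operator_policy" {
  name        = "${var.iam_prefix}-operator"
  path        = "/"
  description = "Policy for operator"
  policy      = data.aws_iam_policy_document.operator.json
}
```

Two caveats for the split layout. First, terraform_remote_state reads configuration A's entire state file, not just its outputs, so whoever runs configuration B gets read access to everything A stored there, including any sensitive attributes; grant that identity read access to that one state object only, or keep both pieces in one root module and pass the ARNs as a module output if that exposure is unacceptable. Second, the Resource list is rebuilt from whatever A has applied, so adding a key to var.security_groups in A widens the operator's scope on B's next apply; review the plan diff on aws_iam_policy.operator_policy for that reason.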