Amazon Web Services：使用 for_each 创建的 Terraform 资源——在其他 Terraform 配置中引用
我有一个创建 N 个安全组的 Terraform 脚本（标签：amazon-web-services、terraform）：
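# Security groups to create, keyed by group name. Each map entry becomes one
# aws_security_group instance (via for_each); the value is used as the group
# description. Declaring the type makes Terraform reject non-map input early
# instead of failing inside the for_each.
variable "security_groups" {
  description = "Security groups to create, keyed by group name; the value is used as the group description."
  type        = map(string)
  default = {
    "sg1" = "Security group 1"
    "sg2" = "Security group 2"
  }
}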
# One security group per entry of var.security_groups: the map key is the
# group name and the map value its description. Instances are addressed as
# aws_security_group.example["<key>"], and their ARNs can be collected with a
# for expression (see the IAM policy below).
resource "aws_security_group" "example" {
  for_each = var.security_groups
  name = each.key
  description = each.value
  vpc_id = aws_vpc.example.id
  # false is the provider default: rules are not revoked before the group is
  # destroyed.
  revoke_rules_on_delete = false
  # NOTE(review): this egress rule allows every protocol and port to
  # 0.0.0.0/0, i.e. unrestricted outbound traffic. No ingress block is
  # declared here, so inbound rules are expected to be added outside this
  # resource (e.g. by a principal holding the operator policy below).
  # Tighten the CIDR/ports if these groups are meant to restrict egress.
  egress {
    from_port = 0
    to_port = 0
    protocol = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
# Operator policy: permits changing the rules of the security groups created
# above, and of no other group. The document is built with jsonencode so the
# Resource list is an ordinary Terraform expression that follows the
# for_each instances automatically, instead of a hand-maintained string.
# NOTE(review): the reference to aws_security_group.example only resolves when
# the security groups are declared in the same module; if they live in a
# separate Terraform configuration/state, pass the ARNs in through a
# variable, a module output or terraform_remote_state instead.
resource "aws_iam_policy" "operator_policy" {
  name = "${var.iam_prefix}-operator"
  path = "/"
  description = "Policy for operator"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # Rule mutation only: the operator cannot create or delete groups.
        Action = [
          "ec2:AuthorizeSecurityGroupEgress",
          "ec2:AuthorizeSecurityGroupIngress",
          "ec2:UpdateSecurityGroupRuleDescriptionsEgress",
          "ec2:UpdateSecurityGroupRuleDescriptionsIngress",
          "ec2:RevokeSecurityGroupEgress",
          "ec2:RevokeSecurityGroupIngress",
        ]
        Effect = "Allow"
        # Iterating a for_each resource yields its instances (the map values),
        # so this is the list of every group's ARN.
        # NOTE(review): resource-level scoping limits *which* groups can be
        # edited, not *what* rules may be added (e.g. 0.0.0.0/0 ingress);
        # add IAM condition keys if that needs to be constrained as well.
        Resource = [
          for sg in aws_security_group.example : sg.arn
        ],
      },
    ]
  })
}
…我还有另一个创建 IAM 策略的 Terraform 脚本。该策略必须在其 Resource 部分引用由第一个脚本创建的 N 个安全组：
# Operator policy written as a heredoc JSON string. The "sg1 ARN" / "sgN ARN"
# entries are placeholders for the real security group ARNs.
# NOTE(review): JSON does not allow comments, so nothing can be annotated
# inside the heredoc, and Terraform cannot validate the document or splice
# in the for_each instances here; that is why the answer below switches to
# jsonencode.
resource "aws_iam_policy" "operator_policy" {
  name = "${var.iam_prefix}-operator"
  path = "/"
  description = "Policy for operator"
  policy = <<-EOF
  {
  "Version": "2012-10-17",
  "Statement": [
  {
  "Action": [
  "ec2:AuthorizeSecurityGroupEgress",
  "ec2:AuthorizeSecurityGroupIngress",
  "ec2:UpdateSecurityGroupRuleDescriptionsEgress",
  "ec2:UpdateSecurityGroupRuleDescriptionsIngress",
  "ec2:RevokeSecurityGroupEgress",
  "ec2:RevokeSecurityGroupIngress"
  ],
  "Effect": "Allow",
  "Resource": [
  "sg1 ARN",
  "sgN ARN"
  ]
  }
  ]
  }
  EOF
}
这是否可行？

可以。您可以结合使用 `jsonencode` 函数和 `for` 表达式。前提是两段配置位于同一个模块中；如果安全组是在另一个独立的 Terraform 配置/状态中创建的，就不能直接写 `aws_security_group.example`，而需要通过模块输出、变量或 `terraform_remote_state` 把 ARN 传进来。
与使用字符串模板拼接 JSON 相比，使用 `jsonencode` 生成整个值更为稳健：Terraform 会把参数当作普通表达式求值，并保证生成的结果是语法有效的 JSON：
# Same policy as the heredoc version, but built with jsonencode: Terraform
# evaluates the object as an expression and serialises it to valid JSON.
# "sg1 ARN" / "sgN ARN" are still placeholders here; the next listing
# replaces them with the real ARNs via a for expression.
resource "aws_iam_policy" "operator_policy" {
  name = "${var.iam_prefix}-operator"
  path = "/"
  description = "Policy for operator"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # Rule mutation only: the operator cannot create or delete groups.
        Action = [
          "ec2:AuthorizeSecurityGroupEgress",
          "ec2:AuthorizeSecurityGroupIngress",
          "ec2:UpdateSecurityGroupRuleDescriptionsEgress",
          "ec2:UpdateSecurityGroupRuleDescriptionsIngress",
          "ec2:RevokeSecurityGroupEgress",
          "ec2:RevokeSecurityGroupIngress",
        ]
        Effect = "Allow"
        # Placeholders — replace with the actual security group ARNs.
        Resource = [
          "sg1 ARN",
          "sgN ARN",
        ]
      },
    ]
  })
}
除了保证结果始终是有效的 JSON 之外，用 Terraform 的表达式语言构建策略值还意味着您可以使用 Terraform 的全部表达式功能（例如 `for` 表达式和资源属性引用），包括从每个安全组实例读取 `arn` 属性：
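# Security groups to create, keyed by group name. Each map entry becomes one
# aws_security_group instance (via for_each); the value is used as the group
# description. Declaring the type makes Terraform reject non-map input early
# instead of failing inside the for_each.
variable "security_groups" {
  description = "Security groups to create, keyed by group name; the value is used as the group description."
  type        = map(string)
  default = {
    "sg1" = "Security group 1"
    "sg2" = "Security group 2"
  }
}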
# One security group per entry of var.security_groups: the map key is the
# group name and the map value its description. Instances are addressed as
# aws_security_group.example["<key>"], and their ARNs can be collected with a
# for expression (see the IAM policy below).
resource "aws_security_group" "example" {
  for_each = var.security_groups
  name = each.key
  description = each.value
  vpc_id = aws_vpc.example.id
  # false is the provider default: rules are not revoked before the group is
  # destroyed.
  revoke_rules_on_delete = false
  # NOTE(review): this egress rule allows every protocol and port to
  # 0.0.0.0/0, i.e. unrestricted outbound traffic. No ingress block is
  # declared here, so inbound rules are expected to be added outside this
  # resource (e.g. by a principal holding the operator policy below).
  # Tighten the CIDR/ports if these groups are meant to restrict egress.
  egress {
    from_port = 0
    to_port = 0
    protocol = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
# Operator policy: permits changing the rules of the security groups created
# above, and of no other group. The document is built with jsonencode so the
# Resource list is an ordinary Terraform expression that follows the
# for_each instances automatically, instead of a hand-maintained string.
# NOTE(review): the reference to aws_security_group.example only resolves when
# the security groups are declared in the same module; if they live in a
# separate Terraform configuration/state, pass the ARNs in through a
# variable, a module output or terraform_remote_state instead.
resource "aws_iam_policy" "operator_policy" {
  name = "${var.iam_prefix}-operator"
  path = "/"
  description = "Policy for operator"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # Rule mutation only: the operator cannot create or delete groups.
        Action = [
          "ec2:AuthorizeSecurityGroupEgress",
          "ec2:AuthorizeSecurityGroupIngress",
          "ec2:UpdateSecurityGroupRuleDescriptionsEgress",
          "ec2:UpdateSecurityGroupRuleDescriptionsIngress",
          "ec2:RevokeSecurityGroupEgress",
          "ec2:RevokeSecurityGroupIngress",
        ]
        Effect = "Allow"
        # Iterating a for_each resource yields its instances (the map values),
        # so this is the list of every group's ARN.
        # NOTE(review): resource-level scoping limits *which* groups can be
        # edited, not *what* rules may be added (e.g. 0.0.0.0/0 ingress);
        # add IAM condition keys if that needs to be constrained as well.
        Resource = [
          for sg in aws_security_group.example : sg.arn
        ],
      },
    ]
  })
}
与使用字符串模板拼接 JSON 相比，使用 `jsonencode` 生成整个值更为稳健：Terraform 会把参数当作普通表达式求值，并保证生成的结果是语法有效的 JSON：
# Same policy as the heredoc version, but built with jsonencode: Terraform
# evaluates the object as an expression and serialises it to valid JSON.
# "sg1 ARN" / "sgN ARN" are still placeholders here; the next listing
# replaces them with the real ARNs via a for expression.
resource "aws_iam_policy" "operator_policy" {
  name = "${var.iam_prefix}-operator"
  path = "/"
  description = "Policy for operator"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # Rule mutation only: the operator cannot create or delete groups.
        Action = [
          "ec2:AuthorizeSecurityGroupEgress",
          "ec2:AuthorizeSecurityGroupIngress",
          "ec2:UpdateSecurityGroupRuleDescriptionsEgress",
          "ec2:UpdateSecurityGroupRuleDescriptionsIngress",
          "ec2:RevokeSecurityGroupEgress",
          "ec2:RevokeSecurityGroupIngress",
        ]
        Effect = "Allow"
        # Placeholders — replace with the actual security group ARNs.
        Resource = [
          "sg1 ARN",
          "sgN ARN",
        ]
      },
    ]
  })
}
除了保证结果始终是有效的 JSON 之外，用 Terraform 的表达式语言构建策略值还意味着您可以使用 Terraform 的全部表达式功能（例如 `for` 表达式和资源属性引用），包括从每个安全组实例读取 `arn` 属性：
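# Security groups to create, keyed by group name. Each map entry becomes one
# aws_security_group instance (via for_each); the value is used as the group
# description. Declaring the type makes Terraform reject non-map input early
# instead of failing inside the for_each.
variable "security_groups" {
  description = "Security groups to create, keyed by group name; the value is used as the group description."
  type        = map(string)
  default = {
    "sg1" = "Security group 1"
    "sg2" = "Security group 2"
  }
}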
# One security group per entry of var.security_groups: the map key is the
# group name and the map value its description. Instances are addressed as
# aws_security_group.example["<key>"], and their ARNs can be collected with a
# for expression (see the IAM policy below).
resource "aws_security_group" "example" {
  for_each = var.security_groups
  name = each.key
  description = each.value
  vpc_id = aws_vpc.example.id
  # false is the provider default: rules are not revoked before the group is
  # destroyed.
  revoke_rules_on_delete = false
  # NOTE(review): this egress rule allows every protocol and port to
  # 0.0.0.0/0, i.e. unrestricted outbound traffic. No ingress block is
  # declared here, so inbound rules are expected to be added outside this
  # resource (e.g. by a principal holding the operator policy below).
  # Tighten the CIDR/ports if these groups are meant to restrict egress.
  egress {
    from_port = 0
    to_port = 0
    protocol = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
# Operator policy: permits changing the rules of the security groups created
# above, and of no other group. The document is built with jsonencode so the
# Resource list is an ordinary Terraform expression that follows the
# for_each instances automatically, instead of a hand-maintained string.
# NOTE(review): the reference to aws_security_group.example only resolves when
# the security groups are declared in the same module; if they live in a
# separate Terraform configuration/state, pass the ARNs in through a
# variable, a module output or terraform_remote_state instead.
resource "aws_iam_policy" "operator_policy" {
  name = "${var.iam_prefix}-operator"
  path = "/"
  description = "Policy for operator"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # Rule mutation only: the operator cannot create or delete groups.
        Action = [
          "ec2:AuthorizeSecurityGroupEgress",
          "ec2:AuthorizeSecurityGroupIngress",
          "ec2:UpdateSecurityGroupRuleDescriptionsEgress",
          "ec2:UpdateSecurityGroupRuleDescriptionsIngress",
          "ec2:RevokeSecurityGroupEgress",
          "ec2:RevokeSecurityGroupIngress",
        ]
        Effect = "Allow"
        # Iterating a for_each resource yields its instances (the map values),
        # so this is the list of every group's ARN.
        # NOTE(review): resource-level scoping limits *which* groups can be
        # edited, not *what* rules may be added (e.g. 0.0.0.0/0 ingress);
        # add IAM condition keys if that needs to be constrained as well.
        Resource = [
          for sg in aws_security_group.example : sg.arn
        ],
      },
    ]
  })
}