Amazon web services Terraform将变量指定给照明块
我使用aws提供程序。对于每个安全组,我为ssh指定相同的规则。如何将其提取到变量并分配给aws_security_group.ingress列表 我期待什么:Amazon web services Terraform将变量指定给照明块,amazon-web-services,terraform,hcl,Amazon Web Services,Terraform,Hcl,我使用aws提供程序。对于每个安全组,我为ssh指定相同的规则。如何将其提取到变量并分配给aws_security_group.ingress列表 我期待什么: variable "ssh_ingress" { default = { from_port = 22 protocol = "tcp" to_port = 22 description = "SSH for administration."
variable "ssh_ingress" {
default = {
from_port = 22
protocol = "tcp"
to_port = 22
description = "SSH for administration."
}
}
您可以使用“将规则添加到现有安全组”
例如:
variable "ssh_ingress" {
default = {
from_port = 22
protocol = "tcp"
to_port = 22
description = "SSH for administration."
}
}
resource "aws_security_group" "main" {
name = "allow_tls"
description = "Allow TLS inbound traffic"
vpc_id = data.aws_vpc.main.id
}
resource "aws_security_group_rule" "default" {
type = "ingress"
from_port = 0
to_port = 0
protocol = -1
self = true
security_group_id = aws_security_group.main.id
}
resource "aws_security_group_rule" "example" {
type = "ingress"
from_port = var.ssh_ingress.from_port
to_port = var.ssh_ingress.to_port
protocol = var.ssh_ingress.protocol
cidr_blocks = ["10.0.0.0/11"]
security_group_id = aws_security_group.main.id
}
具有多个内联入口规则的备选方案
resource "aws_security_group" "main" {
name = "allow_tls"
description = "Allow TLS inbound traffic"
vpc_id = data.aws_vpc.main.id
ingress {
from_port = 0
protocol = "-1"
to_port = 0
self = true
}
ingress {
from_port = var.ssh_ingress.from_port
to_port = var.ssh_ingress.to_port
protocol = var.ssh_ingress.protocol
cidr_blocks = ["10.0.0.0/11"]
}
}
您可以通过引用变量的属性写出一个
ingres
块:
variable "ssh_ingress" {
type = object({
from_port = number
to_port = number
protocol = string
description = string
})
default = {
from_port = 22
protocol = "tcp"
to_port = 22
description = "SSH for administration."
}
}
resource "aws_security_group" "main" {
ingress {
from_port = var.ssh_ingress.from_port
protocol = var.ssh_ingress.protocol
to_port = var.ssh_ingress.to_port
description = var.ssh_ingress.description
}
}
入口
块本身是一个静态结构,而不是一个值。可以用动态值填充其参数,但不能动态生成参数本身。Terraform在认为配置有效之前验证所有预期参数是否存在
但是,Terraform认为这样的块中的值
null
等同于省略参数,因此,例如,如果模块的调用者要设置description=null
,然后AWS提供商将以完全相同的方式看到这一点,就像完全省略了说明
参数一样。谢谢,但是AWS\u security\u group doc页面上的这个注释呢。内联入口规则不会被覆盖吗Terraform目前提供了一个独立的安全组规则资源(单个入口或出口规则)和一个在线定义入口和出口规则的安全组资源。此时,您不能将具有内嵌规则的安全组与任何安全组规则资源一起使用。这样做将导致规则设置冲突,并将覆盖规则。
@Belenot你说得不对。它将部署,但最好不要冒险。然后,您可以将所有规则分离或使用多个内联规则。我会更新答案。
variable "ssh_ingress" {
type = object({
from_port = number
to_port = number
protocol = string
description = string
})
default = {
from_port = 22
protocol = "tcp"
to_port = 22
description = "SSH for administration."
}
}
resource "aws_security_group" "main" {
ingress {
from_port = var.ssh_ingress.from_port
protocol = var.ssh_ingress.protocol
to_port = var.ssh_ingress.to_port
description = var.ssh_ingress.description
}
}