Amazon web services: Terraform assign a variable to an ingress block


I use the AWS provider. For every security group I specify the same rule for SSH. How can I extract it into a variable and assign it to the aws_security_group ingress list?

What I am expecting:

variable "ssh_ingress" {
  default = {
    from_port = 22
    protocol = "tcp"
    to_port = 22
    description = "SSH for administration."
  }
}
You can use the "add rules to an existing security group" approach.

For example:

variable "ssh_ingress" {
  default = {
    from_port = 22
    protocol = "tcp"
    to_port = 22
    description = "SSH for administration."
  }
}

resource "aws_security_group" "main" {
  name        = "allow_tls"
  description = "Allow TLS inbound traffic"
  vpc_id      = data.aws_vpc.main.id
}

resource "aws_security_group_rule" "default" {
  type              = "ingress"
  from_port         = 0
  to_port           = 0
  protocol          = -1
  self              = true
  security_group_id = aws_security_group.main.id
}

resource "aws_security_group_rule" "example" {
  type              = "ingress"
  from_port         = var.ssh_ingress.from_port
  to_port           = var.ssh_ingress.to_port
  protocol          = var.ssh_ingress.protocol
  cidr_blocks       = ["10.0.0.0/11"]
  security_group_id = aws_security_group.main.id
}
Alternative with multiple inline ingress rules

resource "aws_security_group" "main" {
  name        = "allow_tls"
  description = "Allow TLS inbound traffic"
  vpc_id      = data.aws_vpc.main.id

  ingress {
    from_port = 0
    protocol  = "-1"
    to_port   = 0
    self      = true
  }

  ingress {
    from_port   = var.ssh_ingress.from_port
    to_port     = var.ssh_ingress.to_port
    protocol    = var.ssh_ingress.protocol
    cidr_blocks = ["10.0.0.0/11"]
  }

}

You can write out an ingress block by referencing the variable's attributes:

variable "ssh_ingress" {
  type = object({
    from_port   = number
    to_port     = number
    protocol    = string
    description = string
  })

  default = {
    from_port = 22
    protocol = "tcp"
    to_port = 22
    description = "SSH for administration."
  }
}

resource "aws_security_group" "main" {
  ingress {
    from_port   = var.ssh_ingress.from_port
    protocol    = var.ssh_ingress.protocol
    to_port     = var.ssh_ingress.to_port
    description = var.ssh_ingress.description
  }
}
An ingress block is itself a static structure, not a value. You can populate its arguments with dynamic values, but you cannot dynamically generate the arguments themselves. Terraform validates that all of the expected arguments are present before it considers the configuration valid.

However, Terraform treats a null value in such a block as equivalent to omitting the argument, so if, for example, the caller of the module were to set description = null, the AWS provider would see that exactly as if the description argument had been omitted entirely.

Thanks, but what about this note on the aws_security_group doc page? Won't the inline ingress rules be overwritten?
"Terraform currently provides both a standalone Security Group Rule resource (a single ingress or egress rule) and a Security Group resource with ingress and egress rules defined in-line. At this time you cannot use a Security Group with in-line rules in conjunction with any Security Group Rule resources. Doing so will cause a conflict of rule settings and will overwrite rules."
@Belenot That is not right. It will deploy, but it is better not to risk it. You can then either split out all the rules or use multiple inline rules. I will update the answer.
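Pulling the question, the first answer and the doc note in the comments together, as an added example that is not from the question or either answer: the shared SSH rule is typed (with a cidr_blocks attribute added here and a validation that rejects 0.0.0.0/0) and applied to several security groups through a dynamic ingress block, so every rule stays inline and nothing collides with aws_security_group_rule. This goes beyond the single-group case on the page; the security_groups map, the sg names and the data.aws_vpc.main reference are assumptions.

```hcl
variable "ssh_ingress" {
  type = object({
    from_port   = number
    to_port     = number
    protocol    = string
    description = string
    cidr_blocks = list(string)
  })

  default = {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    description = "SSH for administration."
    cidr_blocks = ["10.0.0.0/11"] # assumed admin range, constructed for this example
  }

  # Reject a world-open SSH rule at plan time rather than discovering it in the console.
  validation {
    condition     = !contains(var.ssh_ingress.cidr_blocks, "0.0.0.0/0")
    error_message = "SSH ingress must be limited to an administrative range, not 0.0.0.0/0."
  }
}

locals {
  # Constructed example: per-group rules; the shared SSH rule is added to each group below.
  security_groups = {
    web = [{ from_port = 443, to_port = 443, protocol = "tcp", description = "HTTPS", cidr_blocks = ["0.0.0.0/0"] }]
    db  = [{ from_port = 5432, to_port = 5432, protocol = "tcp", description = "Postgres from app subnet", cidr_blocks = ["10.0.1.0/24"] }]
  }
}

resource "aws_security_group" "main" {
  for_each    = local.security_groups
  name        = "sg-${each.key}"
  description = "Security group for ${each.key}"
  vpc_id      = data.aws_vpc.main.id # assumed, as in the answers above

  # Every rule stays inline, so no aws_security_group_rule can collide with it.
  dynamic "ingress" {
    for_each = concat([var.ssh_ingress], each.value)
    content {
      from_port   = ingress.value.from_port
      to_port     = ingress.value.to_port
      protocol    = ingress.value.protocol
      description = ingress.value.description
      cidr_blocks = ingress.value.cidr_blocks
    }
  }
}
```

Adding a third group is one more entry in the map; the SSH rule and its CIDR restriction follow automatically.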