Amazon web services 如何让Terraform根据用户所在的帐户抛出特定的错误消息?
我有一个terraform模块,可以执行域委派。对于多个变量,针对硬编码值进行一些验证,以检查用户是否使用了有效输入,例如:Amazon web services 如何让Terraform根据用户所在的帐户抛出特定的错误消息?,amazon-web-services,terraform,terraform-provider-aws,Amazon Web Services,Terraform,Terraform Provider Aws,我有一个terraform模块,可以执行域委派。对于多个变量,针对硬编码值进行一些验证,以检查用户是否使用了有效输入,例如: resource "null_resource" "validate_region" { count = contains(local.regions, var.region) == true ? 0 : "Please provide a valid AWS region. E.g. (us-west-2)" } 将local.regions硬编码,将var.re
resource "null_resource" "validate_region" {
count = contains(local.regions, var.region) == true ? 0 : "Please provide a valid AWS region. E.g. (us-west-2)"
}
将local.regions
硬编码,将var.region
作为用户设置变量。上述代码的工作原理是,当用户将变量设置错误时,会抛出如下错误:
Error: Incorrect value type
on .terraform/foo/main.tf line 46, in resource "null_resource" "validate_region":
46: count = contains(local.regions, var.region) == true ? 0 : "Please provide a valid AWS region. E.g. (us-west-2)"
Invalid expression value: a number is required.
data "aws_caller_identity" "account" {}
resource "null_resource" "validate_account" {
count = data.aws_caller_identity.account.account_id == var.primary_account_id ? 0 : "Please check that you are using the AWS creds for the primary account for this domain."
}
data "aws_route53_zone" "primary" {
name = local.primary_name
}
provider "aws" {
region = "eu-west-1"
allowed_account_ids = ["123456789012"]
}
我现在需要验证用户当前使用的AWS帐户是否正确。在这种情况下,由用户在其变量中设置正确帐户的帐户id,我的代码需要提取运行模块的帐户的帐户id,并将其与用户的变量进行比较。我试过这样的方法:
Error: Incorrect value type
on .terraform/foo/main.tf line 46, in resource "null_resource" "validate_region":
46: count = contains(local.regions, var.region) == true ? 0 : "Please provide a valid AWS region. E.g. (us-west-2)"
Invalid expression value: a number is required.
data "aws_caller_identity" "account" {}
resource "null_resource" "validate_account" {
count = data.aws_caller_identity.account.account_id == var.primary_account_id ? 0 : "Please check that you are using the AWS creds for the primary account for this domain."
}
data "aws_route53_zone" "primary" {
name = local.primary_name
}
provider "aws" {
region = "eu-west-1"
allowed_account_ids = ["123456789012"]
}
对“{data.aws\u caller\u identity.account.account\u id==var.primary\u account\u id}”进行各种语法更改?0
努力让逻辑正常工作,但运气不佳。我希望它像区域验证一样抛出一个错误,它将显示我编写的错误消息。相反(取决于语法),对于正确的帐户,它将按预期工作,并抛出一个错误:对于不正确的帐户,找不到匹配的Route53Zone
错误,或者它将抛出一个完全不同的错误,可能是因为语法把事情搞砸了
我怎样才能让它工作?有可能吗?我发现这个区块:
data "aws_route53_zone" "primary" {
name = local.primary_name
}
在帐户验证资源块之前正在运行。添加一个取决于这样的:
data "aws_route53_zone" "primary" {
name = local.primary_name
depends_on = [null_resource.validate_account,
]
}
这一切都很好。这里的另一个选项应该可以简化您正在做的事情,就是设置区域和帐户约束,以便Terraform将自动使用正确的区域,并且在凭据不适用于正确的帐户时失败
您可以在aws
provider块中定义此选项。示例可能如下所示:
Error: Incorrect value type
on .terraform/foo/main.tf line 46, in resource "null_resource" "validate_region":
46: count = contains(local.regions, var.region) == true ? 0 : "Please provide a valid AWS region. E.g. (us-west-2)"
Invalid expression value: a number is required.
data "aws_caller_identity" "account" {}
resource "null_resource" "validate_account" {
count = data.aws_caller_identity.account.account_id == var.primary_account_id ? 0 : "Please check that you are using the AWS creds for the primary account for this domain."
}
data "aws_route53_zone" "primary" {
name = local.primary_name
}
provider "aws" {
region = "eu-west-1"
allowed_account_ids = ["123456789012"]
}
现在,如果您尝试为其他AWS帐户使用凭据,则Terraform将在计划阶段失败:
Error: AWS Account ID not allowed: 234567890123
谢谢,这是非常有用的信息!它对我正在使用的模块不起作用,因为“正确”的帐户会根据使用它的人和其他一些因素而变化,但如果不是这样,那么这将是一个方便的解决方案