
I am implementing Terraform modules for an existing Terraform script. I ran into a problem while working with the arguments of security_group_rules.

The problem is that aws_security_group_rule has two mutually incompatible arguments, namely source_security_group_id and cidr_block. I mean that when we use one of them, we cannot use the other.

Here is my module.

main.tf

resource "aws_security_group_rule" "arvn" {
  count = length(var.security_group_rules)

  type              = var.security_group_rules[count.index].type
  from_port         = var.security_group_rules[count.index].from_port
  to_port           = var.security_group_rules[count.index].to_port
  protocol          = var.security_group_rules[count.index].protocol
  cidr_blocks       = var.security_group_rules[count.index].cidr_block
  description       = var.security_group_rules[count.index].description
  security_group_id = var.security_group_id
}

variables.tf

variable "security_group_id" {
  type = string
}

variable "security_group_rules" {
  type = list(object({
    type        = string
    from_port   = number
    to_port     = number
    protocol    = string
    cidr_block  = list(string)
    description = string
  }))
}

Usage

sg.tf

module "security_group_ecsInstance" {
  source = "./modules/security_group"
  vpc_id = aws_vpc.arvn.id
  name = "${local.name}-ecsInstance"
}

module "sg_rules_instance" {
  source = "./modules/security_group_rules"
  security_group_id = module.security_group_instance.id
  security_group_rules = [
    { type = "ingress", from_port = 22, to_port = 22, protocol = "tcp", cidr_block = [var.vpc_cidr], description = "ssh"  },
    { type = "egress", from_port = 0, to_port = 65535, protocol = "-1", cidr_block = ["0.0.0.0/0"], description = ""  },
    { type = "ingress", from_port = 0, to_port = 65535, protocol = "tcp", cidr_block = [module.security_group_alb.id], description = "alb"  }
  ]
}

Here, the first two rules are created, but the last one fails because of an invalid cidr block.

I do understand what the problem is here; it would be great if someone could help me create a more flexible module that works with both source_security_group_id and cidr_block, so that if one of them is used, the other is ignored.


1 Answer


You can express the dynamic absence of a resource argument by setting it to null. That means you can define a variable that accepts both arguments, as long as one of them is null. For example:

variable "security_group_rules" {
  type = list(object({
    type                     = string
    from_port                = number
    to_port                  = number
    protocol                 = string
    cidr_blocks              = list(string)
    source_security_group_id = string
    description              = string
  }))
}

resource "aws_security_group_rule" "arvn" {
  count = length(var.security_group_rules)

  type                     = var.security_group_rules[count.index].type
  from_port                = var.security_group_rules[count.index].from_port
  to_port                  = var.security_group_rules[count.index].to_port
  protocol                 = var.security_group_rules[count.index].protocol
  cidr_blocks              = var.security_group_rules[count.index].cidr_blocks
  description              = var.security_group_rules[count.index].description
  source_security_group_id = var.security_group_rules[count.index].source_security_group_id
  security_group_id        = var.security_group_id
}

When calling the module, the caller must set either cidr_blocks or source_security_group_id to null to avoid the conflict error:

module "sg_rules_instance" {
  source = "./modules/security_group_rules"

  security_group_id = module.security_group_instance.id
  security_group_rules = [
    {
      type                     = "ingress"
      from_port                = 22
      to_port                  = 22
      protocol                 = "tcp"
      cidr_blocks              = [var.vpc_cidr]
      source_security_group_id = null
      description              = "ssh"
    },
    {
      type                     = "egress"
      from_port                = 0
      to_port                  = 65535
      protocol                 = "-1"
      cidr_blocks              = ["0.0.0.0/0"]
      source_security_group_id = null
      description              = ""
    },
    {
      type                     = "ingress"
      from_port                = 0
      to_port                  = 65535
      protocol                 = "tcp"
      cidr_blocks              = null
      source_security_group_id = module.security_group_alb.id
      description              = "alb"
    },
  ]
}
answered 2021-01-13T00:18:49.217
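The answer relies on every caller remembering to write `= null` for the unused argument; a rule that sets both, or neither, only surfaces as an API error during apply. The following is an added example (not code from the question or the answer) that keeps the same variable and resource shape but rejects such rules at plan time with a validation block, and uses optional() so callers can simply omit the unused attribute. It assumes Terraform 1.3 or later (optional() with a default value) and the same module names used in the question; the rule values are constructed for illustration.

```hcl
# modules/security_group_rules/variables.tf
variable "security_group_id" {
  type = string
}

variable "security_group_rules" {
  type = list(object({
    type                     = string
    from_port                = number
    to_port                  = number
    protocol                 = string
    cidr_blocks              = optional(list(string)) # null when omitted by the caller
    source_security_group_id = optional(string)       # null when omitted by the caller
    description              = optional(string, "")
  }))

  # Exactly one source per rule: the two "is set" booleans must differ (XOR via !=).
  # Both set would trigger the provider's conflict error; neither set would be
  # rejected by AWS at apply time. Either way, fail early in `terraform plan`.
  validation {
    condition = alltrue([
      for rule in var.security_group_rules :
      (rule.cidr_blocks != null) != (rule.source_security_group_id != null)
    ])
    error_message = "Each rule must set exactly one of cidr_blocks or source_security_group_id."
  }

  validation {
    condition = alltrue([
      for rule in var.security_group_rules : contains(["ingress", "egress"], rule.type)
    ])
    error_message = "rule.type must be \"ingress\" or \"egress\"."
  }
}

# modules/security_group_rules/main.tf
resource "aws_security_group_rule" "arvn" {
  count = length(var.security_group_rules)

  type                     = var.security_group_rules[count.index].type
  from_port                = var.security_group_rules[count.index].from_port
  to_port                  = var.security_group_rules[count.index].to_port
  protocol                 = var.security_group_rules[count.index].protocol
  cidr_blocks              = var.security_group_rules[count.index].cidr_blocks
  source_security_group_id = var.security_group_rules[count.index].source_security_group_id
  description              = var.security_group_rules[count.index].description
  security_group_id        = var.security_group_id
}

# sg.tf (caller): the unused source attribute is omitted rather than written as null.
module "sg_rules_instance" {
  source            = "./modules/security_group_rules"
  security_group_id = module.security_group_instance.id

  security_group_rules = [
    { type = "ingress", from_port = 22, to_port = 22, protocol = "tcp", cidr_blocks = [var.vpc_cidr], description = "ssh" },
    { type = "egress", from_port = 0, to_port = 0, protocol = "-1", cidr_blocks = ["0.0.0.0/0"] },
    { type = "ingress", from_port = 0, to_port = 65535, protocol = "tcp", source_security_group_id = module.security_group_alb.id, description = "alb" },
  ]
}
```

Referencing the ALB's security group via source_security_group_id is the tighter choice for the third rule: the permission follows the ALB's network interfaces wherever they land in the VPC, instead of opening the instance ports to a whole CIDR range. If a caller accidentally adds a cidr_blocks entry to that rule as well, the first validation block reports the offending rule during plan, before any security group is touched.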