I have three child modules and one parent module for SSM patching. One of the modules (RHEL) is different from the others: it never needs to change, so that child module is written differently.
I wrote my baseline approval rules as a dynamic block and prepared a variable for it.
resource "aws_ssm_patch_baseline" "baseline" {
  name                              = format("%s-%s-%s-baseline", var.patch_baseline_label, var.env, lower(local.operating_system))
  description                       = var.description
  operating_system                  = local.operating_system
  approved_patches                  = var.approved_patches
  rejected_patches                  = var.rejected_patches
  approved_patches_compliance_level = var.compliance_level

  dynamic "approval_rule" {
    for_each = var.baseline_approval_rules
    content {
      approve_after_days  = approval_rule.value.approve_after_days
      compliance_level    = approval_rule.value.compliance_level
      enable_non_security = approval_rule.value.enable_non_security

      # patch filter values : https://docs.aws.amazon.com/cli/latest/reference/ssm/describe-patch-properties.html
      dynamic "patch_filter" {
        for_each = approval_rule.value.patch_baseline_filters
        content {
          key    = patch_filter.value.name
          values = patch_filter.value.values
        }
      }
    }
  }

  tags = merge(var.tags, { Name = format("%s-%s-%s", var.patch_baseline_label, var.env, lower(local.operating_system)) })
}
The variable for the approval rules is written like this:
variable "baseline_approval_rules" {
  description = "list of approval rules defined in the patch baseline (Max 10 rules). For compliance_level, it means that if an approved patch is reported as missing, this is the severity of the compliance violation. Valid compliance levels include the following: CRITICAL, HIGH, MEDIUM, LOW, INFORMATIONAL, UNSPECIFIED. The default value is UNSPECIFIED."
  type = list(object({
    approve_after_days : number
    compliance_level : string
    enable_non_security : bool
    patch_baseline_filters : list(object({
      name : string
      values : list(string)
    }))
  }))
  default = [
    {
      approve_after_days = 0
      // The compliance level of a patch will default to unspecified if a patch isn't applied
      compliance_level    = "CRITICAL"
      enable_non_security = false
      patch_baseline_filters = [
        {
          name   = "PRODUCT"
          values = ["RedhatEnterpriseLinux6.10", "RedhatEnterpriseLinux6.5", "RedhatEnterpriseLinux6.6", "RedhatEnterpriseLinux6.7", "RedhatEnterpriseLinux6.8", "RedhatEnterpriseLinux6.9", "RedhatEnterpriseLinux7", "RedhatEnterpriseLinux7.0", "RedhatEnterpriseLinux7.1", "RedhatEnterpriseLinux7.2", "RedhatEnterpriseLinux7.3", "RedhatEnterpriseLinux7.4", "RedhatEnterpriseLinux7.5", "RedhatEnterpriseLinux7.6", "RedhatEnterpriseLinux7.7", "RedhatEnterpriseLinux7.8", "RedhatEnterpriseLinux8", "RedhatEnterpriseLinux8.0", "RedhatEnterpriseLinux8.1", "RedhatEnterpriseLinux8.2"]
        },
        {
          name   = "CLASSIFICATION"
          values = ["Security"]
        },
        {
          name   = "SEVERITY"
          values = ["Critical"]
        }
      ]
    }
  ]
}
In the parent module, I want an output that generates a map of the baseline approval rules. Something like:
[
  {
    name      = "product",
    valueFrom = <VALUE FROM PRODUCT IN patch_baseline_filters>
  },
  {
    name      = "severity",
    valueFrom = <VALUE FROM SEVERITY IN patch_baseline_filters>
  },
  {
    name      = <etc>,
    valueFrom = <ETC>
  }
]
I tried using functions such as zipmap and sort to output the values into a map, but without success.
Thanks!
Edit:
The entire RHEL resource output looks like this:
  + entire_rhel_resource = [
      + {
          + approval_rule                        = [
              + {
                  + approve_after_days  = 0
                  + approve_until_date  = null
                  + compliance_level    = "CRITICAL"
                  + enable_non_security = false
                  + patch_filter        = [
                      + {
                          + key    = "PRODUCT"
                          + values = [
                              + "RedhatEnterpriseLinux6.10",
                              + "RedhatEnterpriseLinux6.5",
                              + "RedhatEnterpriseLinux6.6",
                              + "RedhatEnterpriseLinux6.7",
                              + "RedhatEnterpriseLinux6.8",
                              + "RedhatEnterpriseLinux6.9",
                              + "RedhatEnterpriseLinux7",
                              + "RedhatEnterpriseLinux7.0",
                              + "RedhatEnterpriseLinux7.1",
                              + "RedhatEnterpriseLinux7.2",
                              + "RedhatEnterpriseLinux7.3",
                              + "RedhatEnterpriseLinux7.4",
                              + "RedhatEnterpriseLinux7.5",
                              + "RedhatEnterpriseLinux7.6",
                              + "RedhatEnterpriseLinux7.7",
                              + "RedhatEnterpriseLinux7.8",
                              + "RedhatEnterpriseLinux8",
                              + "RedhatEnterpriseLinux8.0",
                              + "RedhatEnterpriseLinux8.1",
                              + "RedhatEnterpriseLinux8.2",
                            ]
                        },
                      + {
                          + key    = "CLASSIFICATION"
                          + values = [
                              + "Security",
                            ]
                        },
                      + {
                          + key    = "SEVERITY"
                          + values = [
                              + "Critical",
                            ]
                        },
                    ]
                },
            ]
          + approved_patches                     = null
          + approved_patches_compliance_level    = "UNSPECIFIED"
          + approved_patches_enable_non_security = null
          + arn                                  = (known after apply)
          + description                          = "RedHat Enterprise Linux Default Patch Baseline"
          + global_filter                        = []
          + id                                   = (known after apply)
          + name                                 = "SENSITIVEredhat_enterprise_linux-baseline"
          + operating_system                     = "REDHAT_ENTERPRISE_LINUX"
          + rejected_patches                     = null
          + rejected_patches_action              = (known after apply)
          + source                               = []
          + tags                                 = {
              + "Name"      = "SENSITIVEredhat_enterprise_linux"
              + "owner"     = "SENSITIVE"
              + "team"      = "SENSITIVE"
              + "terraform" = "true"
            }
          + tags_all                             = {
              + "Name"      = "SENSITIVEredhat_enterprise_linux"
              + "owner"     = "SENSITIVE"
              + "team"      = "SENSITIVE"
              + "terraform" = "true"
            }
        },
    ]
Here is the best I could come up with:
output "rhel_server_types" {
  description = "types of patches applied for rhel systems"
  value = [for i in aws_ssm_patch_baseline.baseline.approval_rule[0].patch_filter : {
    name      = lower(i.key)
    valueFrom = i.values
  }]
}
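One way to produce that `name`/`valueFrom` list for every approval rule, not only `approval_rule[0]`, shown here as an added example rather than code from the question: the child module flattens the nested `approval_rule` and `patch_filter` blocks with nested `for` expressions, and the parent module re-exports the child's output. The child module name `rhel`, its `source` path, and the extra output `rhel_server_types_by_name` are assumptions for the example; the resource and variable names are the ones from the question.

```hcl
# ---- child module (the RHEL baseline module from the question) ----

locals {
  # One flat list of { name, valueFrom } objects across ALL approval rules.
  # The outer "for" walks each approval_rule block, the inner "for" walks
  # that rule's patch_filter blocks; flatten() collapses the list of lists.
  patch_filter_list = flatten([
    for rule in aws_ssm_patch_baseline.baseline.approval_rule : [
      for f in rule.patch_filter : {
        name      = lower(f.key) # "PRODUCT" -> "product", etc.
        valueFrom = f.values
      }
    ]
  ])

  # The same data as a map keyed by filter name. The trailing "..." groups
  # values, so a key that appears in more than one rule (e.g. SEVERITY in
  # two rules) yields a list of lists instead of a duplicate-key error.
  patch_filter_grouped = {
    for f in local.patch_filter_list : f.name => f.valueFrom...
  }
}

output "rhel_server_types" {
  description = "name/valueFrom pairs for every patch filter in every approval rule of the RHEL baseline"
  value       = local.patch_filter_list
}

# Assumed extra output: filter values de-duplicated and keyed by lower-cased filter key.
output "rhel_server_types_by_name" {
  description = "patch filter values grouped by filter key (lower-cased)"
  value       = { for k, v in local.patch_filter_grouped : k => distinct(flatten(v)) }
}

# ---- parent module ----

module "rhel" {
  source = "./modules/rhel" # assumed path to the child module
  # ... the variables the child module expects (patch_baseline_label, env, tags, ...)
}

# The parent cannot reach the child's resource directly; it re-exports the child's output.
output "rhel_server_types" {
  description = "types of patches applied for rhel systems"
  value       = module.rhel.rhel_server_types
}

output "rhel_server_types_by_name" {
  value = module.rhel.rhel_server_types_by_name
}
```

With the default `baseline_approval_rules` from the question, `rhel_server_types` is a three-element list with names `product`, `classification` and `severity`, and `rhel_server_types_by_name` is `{ product = [...], classification = ["Security"], severity = ["Critical"] }`. Because both outputs are derived from the resource's `approval_rule` attribute, they are computed from whatever Terraform ends up applying; if you only need the configured intent at plan time, the same two `for` expressions can be pointed at `var.baseline_approval_rules` instead (using `patch_baseline_filters` and `name` in place of `patch_filter` and `key`).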