Terraform for loop to generate security group rules



I am trying to generate security group rules in Terraform to pass to aws_security_group as ingress blocks. I am not using aws_security_group_rule because I want the module to be flexible, e.g. for self-sourced rules, etc.

The example pulls the private subnet cidr_block and uses the availability zone as the rule description.

Simplified example: I am actually pulling these from Terraform state, etc.

Environment: Terraform v1.0.8

List of maps

locals {
  subnets = [
    {
      availability_zone = "us-east-1a"
      cidr_block        = "10.0.0.0/23"
    },
    {
      availability_zone = "us-east-1b"
      cidr_block        = "10.0.2.0/23"
    },
    {
      availability_zone = "us-east-1c"
      cidr_block        = "10.0.4.0/23"
    }
  ]
}

Expected result

List of maps

[
  {
    description      = "us-east-1a"
    type             = "ingress"
    from_port        = "0"
    to_port          = "0"
    protocol         = "-1"
    cidr_blocks      = ["10.0.0.0/23"]
    ipv6_cidr_blocks = []
    prefix_list_ids  = []
    security_groups  = []
    self             = false
  },
  {
    description      = "us-east-1b"
    type             = "ingress"
    from_port        = "0"
    to_port          = "0"
    protocol         = "-1"
    cidr_blocks      = ["10.0.2.0/23"]
    ipv6_cidr_blocks = []
    prefix_list_ids  = []
    security_groups  = []
    self             = false
  },
  {
    description      = "us-east-1c"
    type             = "ingress"
    from_port        = "0"
    to_port          = "0"
    protocol         = "-1"
    cidr_blocks      = ["10.0.4.0/23"]
    ipv6_cidr_blocks = []
    prefix_list_ids  = []
    security_groups  = []
    self             = false
  }
]

Non-working draft (need help here)

ingress_rules = flatten([
  for subnets, values in local.subnets : [
    # `values` is already a single subnet object here, so this inner loop walks
    # its attribute values (plain strings) and `key.availability_zone` fails.
    for key in values : {
      description      = key.availability_zone
      type             = "ingress"
      from_port        = "0"
      to_port          = "0"
      protocol         = "-1"
      cidr_blocks      = [key.cidr_block]
      ipv6_cidr_blocks = []
      prefix_list_ids  = []
      security_groups  = []
      self             = false
    }
  ]
])

You have one for too many. It should be:

ingress_rules = [
  # Two symbols over a list give (index, element); `values` is one subnet map.
  for subnets, values in local.subnets : {
    description      = values.availability_zone
    type             = "ingress"
    from_port        = "0"
    to_port          = "0"
    protocol         = "-1"
    cidr_blocks      = [values.cidr_block]
    ipv6_cidr_blocks = []
    prefix_list_ids  = []
    security_groups  = []
    self             = false
  }
]
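The consuming side of that list, as an added example that is not part of Marcin's answer or of the question: a module variable with a type constraint and a validation block, and an aws_security_group that expands the list with dynamic blocks. The variable and resource names (name, vpc_id, ingress_rules, egress_rules, aws_security_group.this) are assumptions. Two points worth knowing: without optional() (not generally available in Terraform 1.0.x) every object in a list(object(...)) must carry every attribute, which is why the rule maps on this page spell out the empty lists and self = false; and a security group that uses inline ingress/egress blocks must not also have rules managed through aws_security_group_rule, because the two fight over the rule set.

```hcl
# Added example, not code from the question or the answer.
# Assumed module interface: var.name, var.vpc_id, var.ingress_rules, var.egress_rules.

variable "name" { type = string }
variable "vpc_id" { type = string }

# Same attribute set as the rule maps in the question. Without optional()
# every object in the list must carry every attribute, so callers pass the
# empty lists and `self = false` explicitly.
variable "ingress_rules" {
  type = list(object({
    description      = string
    type             = string
    from_port        = number
    to_port          = number
    protocol         = string
    cidr_blocks      = list(string)
    ipv6_cidr_blocks = list(string)
    prefix_list_ids  = list(string)
    security_groups  = list(string)
    self             = bool
  }))

  validation {
    # Reject egress rules handed to the ingress side, and any all-traffic
    # rule that is open to the whole Internet.
    condition = alltrue([
      for r in var.ingress_rules :
      r.type == "ingress" && !(r.protocol == "-1" && (
        contains(r.cidr_blocks, "0.0.0.0/0") || contains(r.ipv6_cidr_blocks, "::/0")
      ))
    ])
    error_message = "Each ingress rule must have type = \"ingress\" and must not allow all traffic from 0.0.0.0/0 or ::/0."
  }
}

variable "egress_rules" {
  type = list(object({
    description      = string
    type             = string
    from_port        = number
    to_port          = number
    protocol         = string
    cidr_blocks      = list(string)
    ipv6_cidr_blocks = list(string)
    prefix_list_ids  = list(string)
    security_groups  = list(string)
    self             = bool
  }))
  default = []
}

resource "aws_security_group" "this" {
  name        = var.name
  description = "Managed by Terraform"
  vpc_id      = var.vpc_id

  # Inline blocks form a set, so the order of the list causes no diffs.
  # The AWS provider removes AWS's default allow-all egress on new groups,
  # so any outbound traffic needs an explicit egress rule.
  dynamic "ingress" {
    for_each = var.ingress_rules
    content {
      description      = ingress.value.description
      from_port        = ingress.value.from_port
      to_port          = ingress.value.to_port
      protocol         = ingress.value.protocol
      cidr_blocks      = ingress.value.cidr_blocks
      ipv6_cidr_blocks = ingress.value.ipv6_cidr_blocks
      prefix_list_ids  = ingress.value.prefix_list_ids
      security_groups  = ingress.value.security_groups
      self             = ingress.value.self # true = members of this group
    }
  }

  dynamic "egress" {
    for_each = var.egress_rules
    content {
      description      = egress.value.description
      from_port        = egress.value.from_port
      to_port          = egress.value.to_port
      protocol         = egress.value.protocol
      cidr_blocks      = egress.value.cidr_blocks
      ipv6_cidr_blocks = egress.value.ipv6_cidr_blocks
      prefix_list_ids  = egress.value.prefix_list_ids
      security_groups  = egress.value.security_groups
      self             = egress.value.self
    }
  }
}

output "security_group_id" {
  value = aws_security_group.this.id
}
```

The `type` attribute is carried only so the objects keep the same shape as the page's rule maps and so the validation can catch an egress list passed to the ingress side; the inline ingress/egress blocks themselves do not take it.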

AWS security group rule generation example

Example based on @Marcin's help

VPC and remote WAN IP access

access_lists.tfvars

access_lists = {
  office = {
    hq = "102.55.22.34/32"
  },
  remote = {
    first_last = "12.32.211.243/32"
  }
}

local.tf

locals {
  cidr_list_office = var.access_lists.office
  cidr_list_remote = var.access_lists.remote

  # merge() keeps the last value for a duplicate key, so source names must be
  # unique across office and remote or one CIDR silently disappears.
  public_access_cidrs = merge(
    local.cidr_list_office,
    local.cidr_list_remote
  )

  # All traffic from the VPC CIDR, read from the network remote state.
  ingress_rule_vpc = [
    {
      description      = "vpc - Managed by Terraform"
      type             = "ingress"
      from_port        = 0
      to_port          = 0
      protocol         = "-1"
      cidr_blocks      = [data.terraform_remote_state.network.outputs.vpc.cidr_block]
      ipv6_cidr_blocks = []
      prefix_list_ids  = []
      security_groups  = []
      self             = false
    }
  ]

  # One all-traffic rule per office/remote source; iterating a map gives (key, value).
  ingress_rules_public = [
    for desc, cidr in local.public_access_cidrs : {
      description      = "${desc} - Managed by Terraform"
      type             = "ingress"
      from_port        = 0
      to_port          = 0
      protocol         = "-1"
      cidr_blocks      = [cidr]
      ipv6_cidr_blocks = []
      prefix_list_ids  = []
      security_groups  = []
      self             = false
    }
  ]

  ingress_rules = concat(local.ingress_rule_vpc, local.ingress_rules_public)
}

EFS (2 Options)

Nested for_each call. You can add more tfvars, then set the SG rule maps in locals to egress_rules.xyz/ingress_rules.xyz.

efs.tfvars

efs = {
  jenkins = {
    encrypted           = "false" # leaves the file system unencrypted at rest
    performance_mode    = "generalPurpose"
    throughput_mode     = "bursting"
    throughput_in_mibps = "0"
  }
}

local.tf (Option 1 - private subnets)

locals {
  # Allow all traffic from every private subnet, one rule per subnet,
  # described by its availability zone.
  jenkins_ingress_rules = [
    for subnets, values in data.terraform_remote_state.network.outputs.subnets.private : {
      description      = values.availability_zone
      type             = "ingress"
      from_port        = "0"
      to_port          = "0"
      protocol         = "-1"
      cidr_blocks      = [values.cidr_block]
      ipv6_cidr_blocks = []
      prefix_list_ids  = []
      security_groups  = []
      self             = false
    }
  ]

  # Egress: all traffic to anywhere (0.0.0.0/0), not only the VPC.
  jenkins_egress_rules = [
    {
      description      = "Managed by Terraform"
      type             = "egress"
      from_port        = "0"
      to_port          = "0"
      protocol         = "-1"
      cidr_blocks      = ["0.0.0.0/0"]
      ipv6_cidr_blocks = []
      prefix_list_ids  = []
      security_groups  = []
      self             = false
    }
  ]

  # Keyed by EFS name so main.tf can look the rule sets up with each.key.
  egress_rules = {
    jenkins = local.jenkins_egress_rules
  }
  ingress_rules = {
    jenkins = local.jenkins_ingress_rules
  }
}

local.tf (Option 2 - self sourced)

locals {
  # Self-sourced security group: an instance has to be a member of the SG
  # to get access. No CIDR source is needed.
  jenkins_ingress_rules = [
    {
      description      = "Managed by Terraform"
      type             = "ingress" # same attribute set as the other rule maps
      from_port        = 0
      to_port          = 0
      protocol         = "-1"
      self             = true
      cidr_blocks      = []
      ipv6_cidr_blocks = []
      prefix_list_ids  = []
      security_groups  = []
    }
  ]

  # Egress: all traffic to anywhere (0.0.0.0/0), not only the VPC.
  jenkins_egress_rules = [
    {
      description      = "Managed by Terraform"
      type             = "egress"
      from_port        = "0"
      to_port          = "0"
      protocol         = "-1"
      cidr_blocks      = ["0.0.0.0/0"]
      ipv6_cidr_blocks = []
      prefix_list_ids  = []
      security_groups  = []
      self             = false
    }
  ]

  egress_rules = {
    jenkins = local.jenkins_egress_rules
  }
  ingress_rules = {
    jenkins = local.jenkins_ingress_rules
  }
}

main.tf

module "security_groups" {
  source   = "../../../modules/security_group"
  for_each = var.efs # one security group per EFS file system

  base_aws_tags = module.aws_tags.aws_tags
  name_suffix   = "efs-${each.key}"
  # lookup() without a default fails the plan if a key has no rule set.
  egress_rules  = lookup(local.egress_rules, each.key)
  ingress_rules = lookup(local.ingress_rules, each.key)
  vpc           = data.terraform_remote_state.network.outputs.vpc
}

Hope this helps someone else! -=沛
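The answer above joins office and remote with merge() into one flat map, which only works while source names are unique across the two groups, since merge() keeps the last value for a duplicate key. The following is an added example, not part of the post, covering the case Marcin's reply did not need: a genuinely nested input (group, then source name, then a list of CIDRs), for which flatten() over nested for expressions is the right tool. It also narrows the office/remote rules to a port list instead of all traffic (protocol -1), which is the editor's choice rather than the post's. The variable shape, its default values, local.public_ports and the "branch" entry are assumptions; 198.51.100.0/24 is a documentation range used as constructed data.

```hcl
# Added example, not code from the post. Shape and values are assumptions.
# group -> source name -> list of CIDRs
variable "access_lists" {
  type = map(map(list(string)))
  default = {
    office = {
      hq     = ["102.55.22.34/32"]
      branch = ["198.51.100.0/24"] # constructed: RFC 5737 documentation range
    }
    remote = {
      first_last = ["12.32.211.243/32"]
    }
  }

  validation {
    # Every entry must parse as a CIDR, and no source may be the whole Internet.
    condition = alltrue(flatten([
      for group, sources in var.access_lists : [
        for name, cidrs in sources : [
          for cidr in cidrs : can(cidrhost(cidr, 0)) && cidr != "0.0.0.0/0"
        ]
      ]
    ]))
    error_message = "Every access_lists entry must be a CIDR and must not be 0.0.0.0/0."
  }
}

locals {
  # Ports exposed to the office/remote sources (assumption).
  public_ports = [22, 443]

  # One rule per (group, source, port). The nested for expressions mirror the
  # nesting of the input; flatten() turns the list of lists of lists of
  # objects into a flat list of objects (objects themselves are not flattened).
  # The description "group/name" keeps sources distinct without merge().
  ingress_rules_public = flatten([
    for group, sources in var.access_lists : [
      for name, cidrs in sources : [
        for port in local.public_ports : {
          description      = "${group}/${name} tcp/${port} - Managed by Terraform"
          type             = "ingress"
          from_port        = port
          to_port          = port
          protocol         = "tcp"
          cidr_blocks      = cidrs
          ipv6_cidr_blocks = []
          prefix_list_ids  = []
          security_groups  = []
          self             = false
        }
      ]
    ]
  ])

  # Keyed form for aws_security_group_rule with for_each, if that resource is
  # used instead of inline blocks: for_each needs a map with stable string keys,
  # and the description is unique per (group, source, port).
  ingress_rules_public_by_key = {
    for r in local.ingress_rules_public : r.description => r
  }
}
```

The validation runs only against the variable's own value, which is all a variable validation block may reference in Terraform 1.0.x; a bad CIDR or a 0.0.0.0/0 entry in the tfvars then fails at plan time instead of becoming an open rule.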
