I want to create 2 VPC security groups.
One for the VPC's bastion host, one for the private subnet.
```hcl
# BASTION #
resource "aws_security_group" "VPC-BastionSG" {
  name        = "VPC-BastionSG"
  description = "The sec group for the Bastion instance"
  vpc_id      = "${aws_vpc.VPC.id}"   # interpolation, not the literal string "aws_vpc.VPC.id"
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["my.super.ip/32"]
  }
  egress {
    # Access to the Private subnet from the bastion host[ssh]
    from_port       = 22
    to_port         = 22
    protocol        = "tcp"
    security_groups = ["${aws_security_group.VPC-PrivateSG.id}"]   # references PrivateSG
  }
  egress {
    # Access to the Private subnet from the bastion host[jenkins]
    from_port       = 8686
    to_port         = 8686
    protocol        = "tcp"
    security_groups = ["${aws_security_group.VPC-PrivateSG.id}"]
  }
  tags = {
    Name = "VPC-BastionSG"
  }
}

# PRIVATE #
resource "aws_security_group" "VPC-PrivateSG" {
  name        = "VPC-PrivateSG"
  description = "The sec group for the private subnet"
  vpc_id      = "${aws_vpc.VPC.id}"
  ingress {
    from_port       = 22
    to_port         = 22
    protocol        = "tcp"
    security_groups = ["${aws_security_group.VPC-BastionSG.id}"]   # references BastionSG
  }
  ingress {
    from_port       = 80
    to_port         = 80
    protocol        = "tcp"
    security_groups = ["${aws_security_group.VPC-PublicSG.id}"]
  }
  ingress {
    from_port       = 443
    to_port         = 443
    protocol        = "tcp"
    security_groups = ["${aws_security_group.VPC-PublicSG.id}"]
  }
  ingress {
    from_port       = 3306
    to_port         = 3306
    protocol        = "tcp"
    security_groups = ["${aws_security_group.VPC-PublicSG.id}"]
  }
  ingress {
    from_port       = 8686
    to_port         = 8686
    protocol        = "tcp"
    security_groups = ["${aws_security_group.VPC-BastionSG.id}"]
  }
  ingress {
    # ALL TRAFFIC from the same subnet
    from_port = 0
    to_port   = 0
    protocol  = "-1"
    self      = true
  }
  egress {
    # ALL TRAFFIC to outside world
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
  tags = {
    Name = "VPC-PrivateSG"
  }
}
```
When I run `terraform plan` on it, it returns this error:

```text
Error configuring: 1 error(s) occurred:
* Cycle: aws_security_group.VPC-BastionSG, aws_security_group.VPC-PrivateSG
```

If I comment out the ingress rule for the bastion SG from the PrivateSG, the plan runs fine.
Also, if I comment out the egress rule for the PrivateSG from the bastion SG, it also runs fine.
AWS Scenario 2 for building a VPC with public/private subnets and a bastion host describes the architecture I am trying to set up.
I configured exactly the same setup through the AWS console and it works fine.
Why does Terraform not accept it? Is there another way to connect the bastion security group with the private security group?

EDIT

As I understand it, there is a circular reference between the two sec groups that needs to be broken somehow, even though it is valid in AWS.
So I want to allow all outbound traffic (0.0.0.0/0) from the bastion sec group instead of pointing it at the individual security groups.
Would that have bad security implications?
Terraform tries to build a dependency chain for all of the resources defined in the folder it is working on. Doing so allows it to work out whether things need to be built in a specific order, and it is pretty critical to how it works.
Your example fails because you have a cyclic dependency (as Terraform helpfully points out), where each security group depends on the other one having already been created.
Sometimes these issues can be hard to resolve and may mean you need to rethink what you are trying to do (as you mention, one option is to simply allow all egress traffic out of the bastion host and only restrict ingress on the private instances), but in this case you have the option of using the `aws_security_group_rule` resource in combination with the `aws_security_group` resource.
This means we can first define empty security groups with no rules, which we can then use as the targets of the security group rules created for the groups.
A simple example might look like this:
```hcl
resource "aws_security_group" "bastion" {
  name        = "bastion"
  description = "Bastion security group"
}

resource "aws_security_group_rule" "bastion-to-private-ssh-egress" {
  type                     = "egress"
  from_port                = 22
  to_port                  = 22
  protocol                 = "tcp"
  security_group_id        = "${aws_security_group.bastion.id}"
  source_security_group_id = "${aws_security_group.private.id}"
}

resource "aws_security_group" "private" {
  name        = "private"
  description = "Private security group"
}

resource "aws_security_group_rule" "private-from-bastion-ssh-ingress" {
  type                     = "ingress"
  from_port                = 22
  to_port                  = 22
  protocol                 = "tcp"
  security_group_id        = "${aws_security_group.private.id}"
  source_security_group_id = "${aws_security_group.bastion.id}"
}
```
Now Terraform can see that the dependency chain says both security groups must be created before either of these security group rules, because both rules depend on the groups having already been created.
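As an added example (not the question's or the answer's own code), here is the asker's actual bastion/private pair rebuilt with `aws_security_group_rule`, so the bastion keeps its narrow egress to the private group instead of falling back to 0.0.0.0/0. It uses Terraform 0.12+ syntax; `aws_vpc.VPC` and `var.admin_cidr` are assumed names.

```hcl
# Added example, not from the question or answer. Assumed: aws_vpc.VPC exists
# and var.admin_cidr holds the operator address (the asker's "my.super.ip/32").
locals {
  bastion_to_private = { ssh = 22, jenkins = 8686 } # ports the bastion may reach
}

# Both groups are declared with no inline rules, so neither refers to the other.
resource "aws_security_group" "VPC-BastionSG" {
  name        = "VPC-BastionSG"
  description = "The sec group for the Bastion instance"
  vpc_id      = aws_vpc.VPC.id
}

resource "aws_security_group" "VPC-PrivateSG" {
  name        = "VPC-PrivateSG"
  description = "The sec group for the private subnet"
  vpc_id      = aws_vpc.VPC.id
}

# Operator SSH to the bastion from a single admin address only.
resource "aws_security_group_rule" "bastion_ssh_ingress" {
  type              = "ingress"
  from_port         = 22
  to_port           = 22
  protocol          = "tcp"
  cidr_blocks       = [var.admin_cidr]
  security_group_id = aws_security_group.VPC-BastionSG.id
}

# Bastion -> private, one egress rule per port; destination is the private group.
resource "aws_security_group_rule" "bastion_to_private_egress" {
  for_each                 = local.bastion_to_private
  type                     = "egress"
  from_port                = each.value
  to_port                  = each.value
  protocol                 = "tcp"
  security_group_id        = aws_security_group.VPC-BastionSG.id
  source_security_group_id = aws_security_group.VPC-PrivateSG.id
}

# Matching ingress on the private side; both rule sets depend on both groups.
resource "aws_security_group_rule" "private_from_bastion_ingress" {
  for_each                 = local.bastion_to_private
  type                     = "ingress"
  from_port                = each.value
  to_port                  = each.value
  protocol                 = "tcp"
  security_group_id        = aws_security_group.VPC-PrivateSG.id
  source_security_group_id = aws_security_group.VPC-BastionSG.id
}
```

The graph is now groups first, then rules, with no edge from one group back to the other, so `terraform plan` no longer reports a cycle and the bastion's outbound reach stays limited to ports 22 and 8686 on the private group.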