
如何保持使用Terraform aws_security_group DRY


我编写了一个简单的模块,用于配置可用区(AZ)数量可变的 AWS VPC。它会创建路由表、网关、路由等,但我无法让安全组保持 DRY,也就是在指定安全组时仍让模块可重用。

以下是我目前能做到的最接近的方案:

variables.tf:

# Security groups to create, one map per group (consumed by main.tf via count).
# Each map describes a single ingress rule; "cidrs" is a comma-separated string
# that main.tf splits into cidr_blocks. Map keys "from port"/"to port" contain a
# space, so the lookup() calls in main.tf must use exactly these keys.
# NOTE(review): main.tf reads var.security_groups, while this variable is named
# staging_security_groups — confirm the two names are meant to match.
variable "staging_security_groups" {
  type = "list"
  default = [ {
      "name" = "staging_ssh"
      "from port" = "22"
      "to port" = "22"
      "protocol" = "tcp"
      "cidrs" = "10.0.0.5/32,10.0.0.50/32,10.0.0.200/32"
      "description" = "Port 22"
  } ]
}

main.tf:

# One aws_security_group per entry of var.security_groups (count-indexed).
# Every group gets exactly one inline ingress rule, built from its map, plus an
# unrestricted inline egress rule (all ports, all protocols, 0.0.0.0/0).
resource "aws_security_group" "this_security_group" {
  count = "${length(var.security_groups)}"

  name        = "${lookup(var.security_groups[count.index], "name")}"
  description = "${lookup(var.security_groups[count.index], "description")}"
  vpc_id      = "${aws_vpc.this_vpc.id}"   # aws_vpc.this_vpc is referenced here, not defined in this listing

  # Single ingress rule: port range and protocol come straight from the map;
  # cidr_blocks is the comma-separated "cidrs" string split into a list.
  ingress {
    from_port   = "${lookup(var.security_groups[count.index], "from port")}"
    to_port     = "${lookup(var.security_groups[count.index], "to port")}"
    protocol    = "${lookup(var.security_groups[count.index], "protocol")}"
    cidr_blocks = ["${split(",", lookup(var.security_groups[count.index], "cidrs"))}"]
  }

  # Outbound is wide open: any port, any protocol (-1), any IPv4 destination.
  egress {
    from_port       = 0
    to_port         = 0
    protocol        = "-1"
    cidr_blocks     = ["0.0.0.0/0"]
  }

  # Name tag mirrors the group name; var.name is used as the environment label.
  tags {
    Name = "${lookup(var.security_groups[count.index], "name")}"
    environment = "${var.name}"
    terraform = "true"
  }
}

这样是可以工作的,但前提是你想为每个端口各创建一个安全组 :) 我真正需要的是某种方法,让 ingress 块被重复的次数等于变量 staging_security_groups[THE SECURITY GROUP].from_port 中值的个数(请原谅我杜撰的写法)。

1 回答


您可以使用 aws_security_group_rule 资源来代替内联规则,然后创建一个像下面这样的模块:

modules / sg / sg.tf

    # The security group itself carries no rules; rules are attached by the
    # separate aws_security_group_rule resources below, so each module instance
    # can have a different number of them.
    # NOTE(review): keep inline ingress/egress blocks out of this resource —
    # the AWS provider documents that mixing inline rules with standalone
    # aws_security_group_rule resources on the same group causes conflicts.
    resource "aws_security_group" "default" {
      name        = "${var.security_group_name}"
      description = "${var.security_group_name} group managed by Terraform"
    
      vpc_id = "${var.vpc_id}"
    }
    
    # Unconditional, unrestricted outbound rule: all ports, all protocols (-1),
    # any IPv4 destination. Only cidr_blocks (IPv4) is listed here.
    resource "aws_security_group_rule" "egress" {
      type              = "egress"
      from_port         = 0
      to_port           = 0
      protocol          = "-1"
      cidr_blocks       = ["0.0.0.0/0"]
      description       = "All egress traffic"
      security_group_id = "${aws_security_group.default.id}"
    }
    
    # One TCP ingress rule per entry of var.tcp_ports (a comma-separated string).
    # The "default_null" sentinel yields count = 0, i.e. no TCP rules at all.
    # Each entry is used as both from_port and to_port, so single ports only —
    # ranges are not expressible through this variable.
    # Every rule opens its port to every CIDR in var.cidrs.
    # NOTE(review): rules are count-indexed, so inserting or reordering an entry
    # in tcp_ports shifts the indexes of the entries after it and Terraform will
    # recreate those rules.
    # NOTE(review): an empty string is not the sentinel — split(",", "") still has
    # one element, which would produce a rule with an empty port; presumably
    # callers always pass either the sentinel or at least one real port.
    resource "aws_security_group_rule" "tcp" {
      count             = "${var.tcp_ports == "default_null" ? 0 : length(split(",", var.tcp_ports))}"
      type              = "ingress"
      from_port         = "${element(split(",", var.tcp_ports), count.index)}"
      to_port           = "${element(split(",", var.tcp_ports), count.index)}"
      protocol          = "tcp"
      cidr_blocks       = ["${var.cidrs}"]
      description       = ""
      security_group_id = "${aws_security_group.default.id}"
    }
    
    # UDP counterpart of the "tcp" rule above: one ingress rule per entry of
    # var.udp_ports, skipped entirely while the variable holds "default_null".
    # Same single-port-per-entry, same var.cidrs, same count-index caveats.
    resource "aws_security_group_rule" "udp" {
      count             = "${var.udp_ports == "default_null" ? 0 : length(split(",", var.udp_ports))}"
      type              = "ingress"
      from_port         = "${element(split(",", var.udp_ports), count.index)}"
      to_port           = "${element(split(",", var.udp_ports), count.index)}"
      protocol          = "udp"
      cidr_blocks       = ["${var.cidrs}"]
      description       = ""
      security_group_id = "${aws_security_group.default.id}"
    }
    

    modules / sg / variables.tf

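    # Inputs of the sg module. Descriptions are added so that `terraform`
    # users and module callers can see what each input expects without
    # reading sg.tf; names, types and defaults are unchanged.

    # Comma-separated TCP ports to open inbound, e.g. "22,80,443".
    # "default_null" is a sentinel: sg.tf compares against it to set count = 0.
    variable "tcp_ports" {
      description = "Comma-separated TCP ports to allow inbound from var.cidrs; \"default_null\" creates no TCP rules"
      default     = "default_null"
    }

    # Same contract as tcp_ports, for UDP.
    variable "udp_ports" {
      description = "Comma-separated UDP ports to allow inbound from var.cidrs; \"default_null\" creates no UDP rules"
      default     = "default_null"
    }

    # Required: every ingress rule is opened to all of these CIDR blocks.
    variable "cidrs" {
      description = "IPv4 CIDR blocks allowed to reach the listed TCP/UDP ports"
      type        = "list"
    }

    # Required: used as the group's name and in its description.
    variable "security_group_name" {
      description = "Name of the security group"
    }

    # Required: the VPC the group is created in.
    variable "vpc_id" {
      description = "ID of the VPC that owns the security group"
    }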
    

在 main.tf 中使用该模块

    # SomeGroup: TCP 22, 80 and 443 inbound from three /32 hosts. udp_ports is
    # left at the module default, so no UDP rules are created; egress is
    # unrestricted (see the egress rule in modules/sg).
    module "sg1" {
      source              = "modules/sg"
      tcp_ports           = "22,80,443"
      cidrs               = ["10.0.0.5/32", "10.0.0.50/32", "10.0.0.200/32"]
      security_group_name = "SomeGroup"
      vpc_id              = "${aws_vpc.this_vpc.id}"
    }
    
    # SomeOtherGroup: same ports and source CIDRs as sg1 under a different name.
    # NOTE(review): with identical inputs the two groups are interchangeable;
    # presumably the values here are placeholders to be varied per group.
    module "sg2" {
      source              = "modules/sg"
      tcp_ports           = "22,80,443"
      cidrs               = ["10.0.0.5/32", "10.0.0.50/32", "10.0.0.200/32"]
      security_group_name = "SomeOtherGroup"
      vpc_id              = "${aws_vpc.this_vpc.id}"
    }
    

    参考文献:

为什么用 count 有条件地排除某个资源时要写成这样(来源):

    # 0 rules while the variable still holds its sentinel default, otherwise
    # one rule per comma-separated entry.
    count             = "${var.udp_ports == "default_null" ? 0 : length(split(",", var.udp_ports))}"
    

而对应的变量定义为:

    # The default is a string sentinel that the count expression in sg.tf
    # compares against; any other value is treated as a port list.
    variable "udp_ports" {
      default = "default_null"
    }
    
