How to Keep Usage of Terraform aws_security_group DRY
I wrote a simple module to provision an AWS VPC with a variable number of AZs. It creates route tables, gateways, routes and so on, but I cannot keep the security group part DRY, i.e. keep the module reusable when specifying security groups.
This is the closest I could get:
variables.tf:
variable "staging_security_groups" {
  type = "list"
  default = [ {
    "name"        = "staging_ssh"
    "from port"   = "22"
    "to port"     = "22"
    "protocol"    = "tcp"
    "cidrs"       = "10.0.0.5/32,10.0.0.50/32,10.0.0.200/32"
    "description" = "Port 22"
  } ]
}
main.tf:
resource "aws_security_group" "this_security_group" {
  count       = "${length(var.security_groups)}"
  name        = "${lookup(var.security_groups[count.index], "name")}"
  description = "${lookup(var.security_groups[count.index], "description")}"
  vpc_id      = "${aws_vpc.this_vpc.id}"

  ingress {
    from_port   = "${lookup(var.security_groups[count.index], "from port")}"
    to_port     = "${lookup(var.security_groups[count.index], "to port")}"
    protocol    = "${lookup(var.security_groups[count.index], "protocol")}"
    cidr_blocks = ["${split(",", lookup(var.security_groups[count.index], "cidrs"))}"]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags {
    Name        = "${lookup(var.security_groups[count.index], "name")}"
    environment = "${var.name}"
    terraform   = "true"
  }
}
Now this is fine as long as what you want is one security group per port :) What I really need is some way of calling [=13=] as many times as there are values in the variable staging_security_groups[THE SECURITY GROUP].from_port
(excuse the made-up notation).
You could consider using aws_security_group_rule instead of inline rules. Then you can create a module like this:
module/sg/sg.tf
resource "aws_security_group" "default" {
  name        = "${var.security_group_name}"
  description = "${var.security_group_name} group managed by Terraform"
  vpc_id      = "${var.vpc_id}"
}

resource "aws_security_group_rule" "egress" {
  type              = "egress"
  from_port         = 0
  to_port           = 0
  protocol          = "-1"
  cidr_blocks       = ["0.0.0.0/0"]
  description       = "All egress traffic"
  security_group_id = "${aws_security_group.default.id}"
}

resource "aws_security_group_rule" "tcp" {
  count             = "${var.tcp_ports == "default_null" ? 0 : length(split(",", var.tcp_ports))}"
  type              = "ingress"
  from_port         = "${element(split(",", var.tcp_ports), count.index)}"
  to_port           = "${element(split(",", var.tcp_ports), count.index)}"
  protocol          = "tcp"
  cidr_blocks       = ["${var.cidrs}"]
  description       = ""
  security_group_id = "${aws_security_group.default.id}"
}

resource "aws_security_group_rule" "udp" {
  count             = "${var.udp_ports == "default_null" ? 0 : length(split(",", var.udp_ports))}"
  type              = "ingress"
  from_port         = "${element(split(",", var.udp_ports), count.index)}"
  to_port           = "${element(split(",", var.udp_ports), count.index)}"
  protocol          = "udp"
  cidr_blocks       = ["${var.cidrs}"]
  description       = ""
  security_group_id = "${aws_security_group.default.id}"
}
modules/sg/variables.tf
variable "tcp_ports" {
  default = "default_null"
}

variable "udp_ports" {
  default = "default_null"
}

variable "cidrs" {
  type = "list"
}

variable "security_group_name" {}
variable "vpc_id" {}
Use the module in your main.tf:
module "sg1" {
  source              = "modules/sg"
  tcp_ports           = "22,80,443"
  cidrs               = ["10.0.0.5/32", "10.0.0.50/32", "10.0.0.200/32"]
  security_group_name = "SomeGroup"
  vpc_id              = "${aws_vpc.this_vpc.id}"
}

module "sg2" {
  source              = "modules/sg"
  tcp_ports           = "22,80,443"
  cidrs               = ["10.0.0.5/32", "10.0.0.50/32", "10.0.0.200/32"]
  security_group_name = "SomeOtherGroup"
  vpc_id              = "${aws_vpc.this_vpc.id}"
}
References:
Why selectively excluding resources with count looks like this (source):
count = "${var.udp_ports == "default_null" ? 0 : length(split(",", var.udp_ports))}"
and the variable is set up as:
variable "udp_ports" {
  default = "default_null"
}
I managed to create a very simple but dynamic security group module that you can use. The idea here is to be able to add any port you want, and add any range of IPs you like to that port. You can even remove the egress from the module, since it will be created by default, or follow the idea I used for ingress so that you have granular egress rules if you wish.
module/sg/sg.tf
data "aws_subnet_ids" "selected" {
  vpc_id = "${var.data_vpc_id}"
}

resource "aws_security_group" "main" {
  name        = "${var.sg_name}-sg"
  vpc_id      = "${var.data_vpc_id}"
  description = "Managed by Terraform"
  ingress     = ["${var.ingress}"]

  lifecycle {
    create_before_destroy = true
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
module/sg/vars.tf
variable "sg_name" {}
variable "data_vpc_id" {}

variable "ingress" {
  type    = "list"
  default = []
}
The ingress variable needs to be of type list. If you pass the VPC id in manually you don't need the data bit in the module; I get my vpc_id from the Terraform state stored in S3.
main.tf
module "aws_security_group" {
  source      = "module/sg/"
  sg_name     = "name_of_sg"
  data_vpc_id = "${data.terraform_remote_state.vpc.vpc_id}"
  ingress = [
    {
      from_port   = 22
      to_port     = 22
      protocol    = "tcp"
      cidr_blocks = ["0.0.0.0/0"]
      description = "Managed by Terraform"
    },
    {
      from_port   = 0
      to_port     = 100
      protocol    = "tcp"
      cidr_blocks = ["10.10.10.10/32"]
      description = "Managed by Terraform"
    },
    {
      from_port   = 2222
      to_port     = 2222
      protocol    = "tcp"
      cidr_blocks = ["100.100.100.0/24"]
      description = "Managed by Terraform"
    },
  ]
}
You can add as many ingress blocks as you want; I only have 3 for testing purposes. Hope this helps.
Note: many resources can follow this idea, such as RDS, which needs parameters specified in parameter groups or even tags. Cheers
Not sure whether this was available when Brandon Miller's answer was written, but please avoid looping over count sequentially. If you add or remove a port, it will cause every rule after it to be rebuilt, because they depend on the count index that has changed. It is much better to use a for_each loop. Make sure to use a set rather than a list for this, e.g.
variable "tcp_ports" {
  default = [ ]
  # or maybe default = [ "22", "443" ]
  type = set(string)
}

# Referenced below but not declared in the original snippet
variable "cdir" {
  type = list(string)
}

resource "aws_security_group_rule" "tcp" {
  for_each          = var.tcp_ports
  description       = "Allow ${var.cdir} to connect to TCP port ${each.key}"
  type              = "ingress"
  from_port         = each.key
  to_port           = each.key
  protocol          = "tcp"
  cidr_blocks       = var.cdir
  security_group_id = aws_security_group.default.id
}
Now you can add and remove ports without unnecessary creation and destruction.
If for any reason you cannot change your data from a list to a set, just wrap it, e.g.
toset(var.tcp_ports)
or use locals to process your data accordingly. You can also use a map.
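Putting the thread together, here is an added example (my own code, not from any answer above) that combines the list-of-rule-objects input of the earlier module with the for_each approach of the last answer, keyed by a map so every rule has a stable address, and adds a plan-time validation that refuses world-open ingress on anything but TCP 80/443. It assumes Terraform 0.14 or later and the AWS provider; the variable and resource names are my own choices.

```hcl
variable "security_group_name" { type = string }
variable "vpc_id"              { type = string }

variable "ingress_rules" {
  type = map(object({
    from_port   = number
    to_port     = number
    protocol    = string
    cidr_blocks = list(string)
    description = string
  }))
  # Constructed sample input; each map key becomes a stable resource address,
  # e.g. aws_security_group_rule.ingress["ssh_from_bastion"].
  default = {
    ssh_from_bastion = { from_port = 22, to_port = 22, protocol = "tcp", cidr_blocks = ["10.0.0.5/32"], description = "SSH from bastion" }
    https_public     = { from_port = 443, to_port = 443, protocol = "tcp", cidr_blocks = ["0.0.0.0/0"], description = "Public HTTPS" }
  }
  # Reject at plan time any rule open to the world on something other than
  # TCP 80/443 (the 22 -> 0.0.0.0/0 rule in one answer above would fail here).
  validation {
    condition = alltrue([
      for r in values(var.ingress_rules) : (
        !contains(r.cidr_blocks, "0.0.0.0/0")
        || (r.protocol == "tcp" && r.from_port == r.to_port && contains([80, 443], r.from_port))
      )
    ])
    error_message = "Only TCP 80/443 may be opened to 0.0.0.0/0; scope other ingress rules to specific CIDRs."
  }
}

resource "aws_security_group" "this" {
  name        = var.security_group_name
  description = "${var.security_group_name} managed by Terraform"
  vpc_id      = var.vpc_id
}

# One rule resource per map entry: removing "ssh_from_bastion" only destroys
# that address; with count, later indices would shift and be re-created.
resource "aws_security_group_rule" "ingress" {
  for_each          = var.ingress_rules
  type              = "ingress"
  from_port         = each.value.from_port
  to_port           = each.value.to_port
  protocol          = each.value.protocol
  cidr_blocks       = each.value.cidr_blocks
  description       = each.value.description
  security_group_id = aws_security_group.this.id
}
```

Declare an explicit egress rule alongside this as the earlier module does; without one, Terraform strips the allow-all egress AWS adds on creation.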