Terraform AWS 安全组自参考

Terraform AWS Security group self reference

我正在使用 Terraform 进行 AWS 资源配置。我需要自我参考"mySG"。从 Terraform 文档我可以使用

 ingress {
          from_port = 0
          to_port = 0
          protocol = -1
          self = true
      }

但是不同的协议呢?使用控制台有以下可用的历史入站规则:

      Type      Protocol         PortRange      Source
1. All TCP      TCP             0-65535         mySG 
2. All UDP       UDP              0-65535         mySG 
3. Custom TCP    TCP             1856            mySG

(是否需要第三次输入?考虑所有端口的第一次输入) 上述入口规则是否处理所有 3 个条目?如果不是,terraform 语法应该是什么。

您可以通过分别使用资源 aws_security_group 和 aws_security_group_rule 从规则中拆分 sec 组来实现自引用组。这样做,结合您的 3 个现有规则,将大致像这样的地形:

resource "aws_security_group" "sec_group" {
  name   = "sec_group"
  vpc_id = "${local.vpc_id}"
}

resource "aws_security_group_rule" "sec_group_allow_tcp" {
  type              = "ingress"
  from_port         = 0 // first part of port range 
  to_port           = 65535 // second part of port range
  protocol          = "tcp" // Protocol, could be "tcp" "udp" etc. 
  security_group_id = "${aws_security_group.sec_group.id}" // Which group to attach it to
  source_security_group_id = "${aws_security_group.sec_group.id}" // Which group to specify as source
}

resource "aws_security_group_rule" "sec_group_allow_udp" {
  type              = "ingress"
  from_port         = 0 // first part of port range 
  to_port           = 65535 // second part of port range
  protocol          = "udp" // Protocol, could be "tcp" "udp" etc. 
  security_group_id = "${aws_security_group.sec_group.id}" // Which group to attach it to
  source_security_group_id = "${aws_security_group.sec_group.id}" // Which group to specify as source
}

resource "aws_security_group_rule" "sec_group_allow_1865" {
  type              = "ingress"
  from_port         = 1865 // first part of port range 
  to_port           = 1865 // second part of port range
  protocol          = "tcp" // Protocol, could be "tcp" "udp" etc. 
  security_group_id = "${aws_security_group.sec_group.id}" // Which group to attach it to
  source_security_group_id = "${aws_security_group.sec_group.id}" // Which group to specify as source
}

请注意,该规则采用协议类型,来自 port/to 端口(用于范围)和可选的 source_security_group_id 以指定