Terraform: use a list of configuration blocks as an argument
The Terraform resource aws_db_proxy takes a list of auth blocks as an argument. Below is the example from the Terraform documentation.
Each auth block represents a user, and each user needs a secret in Secrets Manager. Our platform has four different environments (dev, qa, cert, prod), and we don't use secrets in the lower environments to save costs. Ideally, I would create two lists of auth blocks, one for the lower environments and one for the upper environments. Then, in the resource, I could pick the appropriate one based on the environment.
Is there a way to pass a list of auth blocks to the aws_db_proxy resource?
Another solution I thought of is to use two separate aws_db_proxy configurations and use the count meta-argument to pick the appropriate configuration for each environment. However, I think this could get a bit messy.
resource "aws_db_proxy" "example" {
  name                   = "example"
  debug_logging          = false
  engine_family          = "MYSQL"
  idle_client_timeout    = 1800
  require_tls            = true
  role_arn               = aws_iam_role.example.arn
  vpc_security_group_ids = [aws_security_group.example.id]
  vpc_subnet_ids         = [aws_subnet.example.id]

  auth {
    auth_scheme = "SECRETS"
    description = "user1"
    iam_auth    = "DISABLED"
    secret_arn  = aws_secretsmanager_secret.example1.arn
  }

  auth {
    auth_scheme = "SECRETS"
    description = "example2"
    iam_auth    = "DISABLED"
    secret_arn  = aws_secretsmanager_secret.example2.arn
  }

  auth {
    auth_scheme = "SECRETS"
    description = "example3"
    iam_auth    = "DISABLED"
    secret_arn  = aws_secretsmanager_secret.example3.arn
  }

  tags = {
    Name = "example"
    Key  = "value"
  }
}
You can use dynamic blocks to create the auth blocks dynamically.
The exact usage depends on how you define the aws_secretsmanager_secret for each user, but you can make that dynamic as well.
Below is example code. I haven't run it, since its purpose is to show the concept of using dynamic blocks and how to make aws_secretsmanager_secret dynamic:
# list of users
variable "proxy_users" {
  type    = list(string)
  default = ["user1", "example2", "example3"]
}

# secret for each user, keyed by user name
resource "aws_secretsmanager_secret" "mysecret" {
  for_each = toset(var.proxy_users)
  name     = "example${each.key}"
  # rest of attributes
}

resource "aws_db_proxy" "example" {
  name                   = "example"
  debug_logging          = false
  engine_family          = "MYSQL"
  idle_client_timeout    = 1800
  require_tls            = true
  role_arn               = aws_iam_role.example.arn
  vpc_security_group_ids = [aws_security_group.example.id]
  vpc_subnet_ids         = [aws_subnet.example.id]

  # create auth for each user; iterate the set so that auth.value is the
  # user name, which is also the key of aws_secretsmanager_secret.mysecret
  # (iterating the raw list would make auth.key a numeric index)
  dynamic "auth" {
    for_each = toset(var.proxy_users)
    content {
      auth_scheme = "SECRETS"
      description = auth.value
      iam_auth    = "DISABLED"
      secret_arn  = aws_secretsmanager_secret.mysecret[auth.value].arn
    }
  }

  tags = {
    Name = "example"
    Key  = "value"
  }
}
Thanks @Marcin.
I ran into the same problem, but I needed to plug in existing secret ARNs. You were really helpful.
In case anyone needs it, I did the following:
locals {
  secrets_list = [
    "db-credentials/${var.env-name}/user1",
    "db-credentials/${var.env-name}/user2",
    "db-credentials/${var.env-name}/user3"
  ]
}

data "aws_secretsmanager_secret" "rds_secrets" {
  for_each = toset(local.secrets_list)
  name     = each.key
}

resource "aws_db_proxy" "rds_db_proxy" {
  name                = "${var.env-name}-rds-proxy"
  engine_family       = "MYSQL"
  idle_client_timeout = 900
  require_tls         = true
  # ...

  dynamic "auth" {
    for_each = local.secrets_list
    content {
      secret_arn  = data.aws_secretsmanager_secret.rds_secrets[auth.value].arn
      auth_scheme = "SECRETS"
      iam_auth    = "REQUIRED"
    }
  }
}
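An added example, not from the question or either reply above, that does what the question asks: select the auth list by environment and feed it to a dynamic block, looking up existing Secrets Manager secrets as in the second reply. var.environment, local.auth_users, the user names and the secret naming convention are constructed assumptions; aws_iam_role.example, aws_security_group.example and aws_subnet.example are assumed to exist as in the page's own example.

```hcl
variable "environment" {
  type = string
  validation {
    condition     = contains(["dev", "qa", "cert", "prod"], var.environment)
    error_message = "environment must be one of dev, qa, cert, prod."
  }
}

locals {
  # Two candidate user lists, as the question describes; names are constructed.
  is_upper   = contains(["cert", "prod"], var.environment)
  auth_users = local.is_upper ? ["app_rw", "app_ro", "migrations"] : ["app"]
  # Map user name -> secret name, following the convention in the second reply.
  secret_names = { for u in local.auth_users : u => "db-credentials/${var.environment}/${u}" }
}

# Look up existing secrets only; nothing here creates or writes a secret value.
data "aws_secretsmanager_secret" "proxy_user" {
  for_each = local.secret_names
  name     = each.value
}

resource "aws_db_proxy" "example" {
  name                   = "${var.environment}-rds-proxy"
  engine_family          = "MYSQL"
  idle_client_timeout    = 1800
  require_tls            = true
  role_arn               = aws_iam_role.example.arn
  vpc_security_group_ids = [aws_security_group.example.id]
  vpc_subnet_ids         = [aws_subnet.example.id]

  # One auth block per selected user. Iterating the map makes auth.key the
  # user name, which is also the key of the data source above.
  dynamic "auth" {
    for_each = local.secret_names
    content {
      auth_scheme = "SECRETS"
      description = auth.key
      # REQUIRED: clients must present IAM auth tokens to the proxy; the
      # credentials in the secret are used only for the proxy-to-database hop.
      iam_auth   = "REQUIRED"
      secret_arn = data.aws_secretsmanager_secret.proxy_user[auth.key].arn
    }
  }
}
```

Because auth is a required block on aws_db_proxy, each environment's list must contain at least one user; a plan with an empty list fails validation rather than producing a proxy with no authentication entries.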