ElasticSearch: Use Terraform to provision security groups
In the AWS console I manually configured the following security rules for ElasticSearch. There are three VPCs, connected by a transit gateway. ElasticSearch is installed in VPC-A.
Inbound rules:

| Type | Protocol | Port range | Source |
|---|---|---|---|
| All traffic | All | All | 40.10.0.0/16 (VPC-A) |
| All traffic | All | All | 20.10.0.0/16 (VPC-B) |
| All traffic | All | All | 30.10.0.0/16 (VPC-C) |

Outbound rules:

| Type | Protocol | Port range | Destination |
|---|---|---|---|
| All traffic | All | All | 0.0.0.0/0 |
However, the Terraform code below does not provision the security group shown above.
```hcl
# Security group with the CIDR-based rules from the console configuration.
resource "aws_security_group" "shared-elasticsearch-sg" {
  name   = var.name_sg
  vpc_id = data.terraform_remote_state.vpc-A.outputs.vpc_id

  # protocol "-1" means all protocols; from_port/to_port are ignored (all ports).
  ingress {
    from_port = 0
    to_port   = 0
    protocol  = "-1"
    cidr_blocks = [
      data.terraform_remote_state.vpc-A.outputs.vpc_cidr_block,
      data.terraform_remote_state.vpc-B.outputs.vpc_cidr_block,
      data.terraform_remote_state.vpc-C.outputs.vpc_cidr_block,
    ]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = {
    Name = var.name_sg
  }
}

module "elasticsearch" {
  source = "git::https://github.com/cloudposse/terraform-aws-elasticsearch.git?ref=tags/0.24.1"

  # As the resulting rules below show, the module uses these IDs as the *source*
  # security groups of the ingress rules on the security group it creates for the
  # domain; they are not attached to the domain as its own security groups.
  security_groups = [
    aws_security_group.shared-elasticsearch-sg.id,
    data.terraform_remote_state.vpc-A.outputs.default_security_group_id,
  ]
  vpc_id = data.terraform_remote_state.vpc-A.outputs.vpc_id
  ......
}
```
The code above produces the following security rules on the domain's security group:

Inbound rules:

| Type | Protocol | Port range | Source |
|---|---|---|---|
| All TCP | TCP | 0 - 65535 | sg-0288988f38d2007be / shared-elasticSearch-sg |
| All TCP | TCP | 0 - 65535 | sg-0893dfcdc1be34c63 / default |

Outbound rules:

| Type | Protocol | Port range | Destination |
|---|---|---|---|
| All TCP | TCP | 0 - 65535 | 0.0.0.0/0 |

Security rules of sg-0288988f38d2007be / shared-elasticSearch-sg:

Inbound rules:

| Type | Protocol | Port range | Source |
|---|---|---|---|
| All traffic | All | All | 40.10.0.0/16 (VPC-A) |
| All traffic | All | All | 20.10.0.0/16 (VPC-B) |
| All traffic | All | All | 30.10.0.0/16 (VPC-C) |

Outbound rules:

| Type | Protocol | Port range | Destination |
|---|---|---|---|
| All traffic | All | All | 0.0.0.0/0 |
The security group configured by the Terraform code does not work: the ElasticSearch domain in VPC-A cannot be reached from VPC-B or VPC-C. How do I write the Terraform code correctly so that it provisions the security group I created by hand?
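The two rule sets above differ in how they identify the source: the hand-written group matches on source CIDR, while the module-generated group matches on membership in a referenced security group. Traffic from VPC-B or VPC-C that arrives over the transit gateway carries no VPC-A security-group membership, so only the CIDR rules can admit it. The following model of security-group ingress evaluation is an added example, not code from the question or from the cloudposse module; the client addresses and the port 443 flow are constructed for illustration, the SG IDs and CIDRs are those shown on the page.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Sequence

@dataclass(frozen=True)
class Rule:
    protocol: str                    # "-1" means all protocols and all ports
    from_port: int
    to_port: int
    cidr: Optional[str] = None       # CIDR rule: matched against the source IP
    source_sg: Optional[str] = None  # SG rule: matched against SGs on the source ENI

@dataclass(frozen=True)
class Flow:
    src_ip: str
    protocol: str
    dst_port: int
    # SGs attached to the source ENI; empty when the flow comes from another VPC
    # through a transit gateway, which carries no security-group identity.
    src_sgs: FrozenSet[str] = frozenset()

def rule_matches(rule: Rule, flow: Flow) -> bool:
    if rule.protocol != "-1":
        if rule.protocol != flow.protocol:
            return False
        if not rule.from_port <= flow.dst_port <= rule.to_port:
            return False
    if rule.cidr is not None:
        return ip_address(flow.src_ip) in ip_network(rule.cidr)
    if rule.source_sg is not None:
        return rule.source_sg in flow.src_sgs
    return False

def sg_allows(rules: List[Rule], flow: Flow) -> bool:
    # Security groups are allow-lists: any matching ingress rule admits the flow.
    return any(rule_matches(r, flow) for r in rules)

# Ingress rules of the hand-written group from the question (CIDR based).
MANUAL_SG = [Rule("-1", 0, 0, cidr=c) for c in ("40.10.0.0/16", "20.10.0.0/16", "30.10.0.0/16")]
# Ingress rules the module generated on the domain's group (SG-reference based).
MODULE_SG = [Rule("tcp", 0, 65535, source_sg="sg-0288988f38d2007be"),
             Rule("tcp", 0, 65535, source_sg="sg-0893dfcdc1be34c63")]

def reachable_from(rules: List[Rule], src_ip: str, src_sgs: Sequence[str] = ()) -> bool:
    """Constructed check: HTTPS (tcp/443) to the domain from the given client."""
    return sg_allows(rules, Flow(src_ip, "tcp", 443, frozenset(src_sgs)))

if __name__ == "__main__":
    for name, rules in (("manual", MANUAL_SG), ("module", MODULE_SG)):
        print(name, "VPC-B client:", reachable_from(rules, "20.10.5.4"),
              "| VPC-A client in shared SG:",
              reachable_from(rules, "40.10.1.7", ["sg-0288988f38d2007be"]))
```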
I solved this myself. The ElasticSearch module has a limitation/bug. I downloaded the module and changed its security group, and the problem was solved. There is no way to provision the security group described in my question using the security group provided by the elasticsearch module.