How do I use terraform to connect a replica Postgres RDS and its Source in a different VPC?
I am trying to set up a dev environment: 1x private subnet and 1x public subnet in a dev VPC; a Postgres RDS instance in the private subnet; each subnet's resources in their own security group. The source RDS instance lives in the production VPC. I have created the peering connection, and the CIDRs of the two VPCs do not overlap.
I get
Error: Error creating DB Instance: InvalidParameterCombination: The DB instance and EC2 security group are in different VPCs. The DB instance is in prod-vpc and the EC2 security group is in dev-vpc
Here is my terraform definition. I have also added the other peer's relevant CIDRs to the route table of each peered VPC. The source RDS and the production VPC were created in a separate process and already exist outside of this terraform run.
module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "2.77.0"

  name = "dev-vpc"
  cidr = "192.168.0.0/16"
  azs  = ["us-west-2a"]

  enable_dns_hostnames = true
  enable_dns_support   = true
}

module "keypair" {
  source      = "git::https://github.com/rhythmictech/terraform-aws-secretsmanager-keypair"
  name_prefix = "ec2-ssh"
  description = "SSH keypair for instances"
}

resource "aws_security_group" "dev-sg-pub" {
  vpc_id = module.vpc.vpc_id

  ingress {
    from_port   = 5432 # testing
    to_port     = 5432 # testing
    protocol    = "tcp"
    cidr_blocks = ["192.168.1.0/28", "192.168.2.0/24"]
    self        = true
  }

  egress {
    from_port   = 5432 # testing
    to_port     = 5432 # testing
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_security_group" "dev-sg-priv" {
  vpc_id = module.vpc.vpc_id

  ingress {
    from_port       = 5432 # testing
    to_port         = 5432 # testing
    protocol        = "tcp"
    cidr_blocks     = ["192.168.1.0/28", "192.168.2.0/24"]
    security_groups = ["sg-xxxxxxxxxxxxxxx"] # the pub subnet's sg
    self            = true
  }

  egress {
    from_port   = 5432 # testing
    to_port     = 5432 # testing
    protocol    = "tcp"
    cidr_blocks = ["192.168.1.0/28", "192.168.2.0/24"]
  }
}

resource "aws_subnet" "dev-subnet-pub" {
  vpc_id     = module.vpc.vpc_id
  cidr_block = "192.168.1.0/28"

  tags = {
    Name        = "dev-subnet-pub"
    Terraform   = "true"
    Environment = "dev"
  }
}

resource "aws_subnet" "dev-subnet-priv" {
  vpc_id     = module.vpc.vpc_id
  cidr_block = "192.168.2.0/24"

  tags = {
    Name        = "dev-subnet-priv"
    Terraform   = "true"
    Environment = "dev"
  }
}

resource "aws_vpc_peering_connection" "dev-peer-conn" {
  peer_vpc_id = "vpc-xxxxxxxxxxxxxxa"
  vpc_id      = module.vpc.vpc_id
  auto_accept = true
}

resource "aws_db_instance" "dev-replica" {
  name                   = "dev-replica"
  identifier             = "dev-replica"
  replicate_source_db    = "arn:aws:rds:us-west-2:9999999999:db:tf-xxxxxxxx"
  instance_class         = "db.t3.small"
  apply_immediately      = false
  publicly_accessible    = false
  skip_final_snapshot    = true
  vpc_security_group_ids = [aws_security_group.dev-sg-priv.id, "sg-xxxxxxxxxxx"]
  depends_on             = [aws_vpc_peering_connection.dev-peer-conn]
}
You can't do that. SGs are VPC-scoped, and your RDS must use SGs from the VPC it is in. Since you peered the VPCs, you can only reference SGs across VPCs inside aws_security_group.dev-sg-priv.
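The following is an added example illustrating the answer above; it is not code from the question or the answer. It assumes a same-region replica, that the replica is meant to live in dev-vpc (which means giving it a DB subnet group there via db_subnet_group_name, so it no longer lands in prod-vpc as the error message reported), that the prod source's security group id is known, and that the dev VPC can get a second private subnet in us-west-2b because an RDS subnet group must span at least two AZs. Every id and ARN is a placeholder, and the resource names dev-db and dev-subnet-priv-a/-b are made up for this example; module.vpc, dev-sg-pub and dev-peer-conn refer to the question's own resources.

```hcl
# Added example, not from the original post. Placeholders and assumptions are
# marked; module.vpc, dev-sg-pub and dev-peer-conn come from the question.
variable "prod_db_sg_id" { default = "sg-PLACEHOLDER" } # SG attached to the source RDS in prod-vpc
variable "source_db_arn" { default = "arn:aws:rds:us-west-2:123456789012:db:PLACEHOLDER" }

# An RDS subnet group needs subnets in at least two AZs, so a second private
# subnet is assumed here (the question's VPC only had us-west-2a).
resource "aws_subnet" "dev-subnet-priv-a" {
  vpc_id            = module.vpc.vpc_id
  cidr_block        = "192.168.2.0/24"
  availability_zone = "us-west-2a"
}

resource "aws_subnet" "dev-subnet-priv-b" {
  vpc_id            = module.vpc.vpc_id
  cidr_block        = "192.168.3.0/24"
  availability_zone = "us-west-2b"
}

# The subnet group is what places the replica in dev-vpc. Without it the
# replica is created in the source's VPC, which is why the error said the
# DB instance was in prod-vpc while the SG was in dev-vpc.
resource "aws_db_subnet_group" "dev-db" {
  name       = "dev-db"
  subnet_ids = [aws_subnet.dev-subnet-priv-a.id, aws_subnet.dev-subnet-priv-b.id]
}

# A security group in the same VPC as the replica. Cross-VPC access is
# expressed as a reference to the prod SG over the peering connection rather
# than as CIDR ranges, so only members of that SG can reach port 5432.
resource "aws_security_group" "dev-db" {
  name   = "dev-db"
  vpc_id = module.vpc.vpc_id
}

# Postgres from the source's SG in the peered prod VPC (same region). The
# peering must be active before a peer-VPC SG can be referenced.
resource "aws_security_group_rule" "dev-db-from-prod" {
  type                     = "ingress"
  security_group_id        = aws_security_group.dev-db.id
  from_port                = 5432
  to_port                  = 5432
  protocol                 = "tcp"
  source_security_group_id = var.prod_db_sg_id
  depends_on               = [aws_vpc_peering_connection.dev-peer-conn]
}

# Postgres from the dev VPC's own public-subnet SG (from the question).
resource "aws_security_group_rule" "dev-db-from-pub" {
  type                     = "ingress"
  security_group_id        = aws_security_group.dev-db.id
  from_port                = 5432
  to_port                  = 5432
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.dev-sg-pub.id
}

resource "aws_db_instance" "dev-replica" {
  identifier             = "dev-replica"
  replicate_source_db    = var.source_db_arn
  instance_class         = "db.t3.small"
  publicly_accessible    = false
  skip_final_snapshot    = true
  db_subnet_group_name   = aws_db_subnet_group.dev-db.name
  vpc_security_group_ids = [aws_security_group.dev-db.id] # dev-vpc SGs only
  depends_on             = [aws_vpc_peering_connection.dev-peer-conn]
}
```

The two things to check after `terraform plan`: the replica's vpc_security_group_ids must contain only security groups whose vpc_id is dev-vpc, and any reference to a prod-vpc security group must appear only as a source_security_group_id in a rule, never as a group attached to the instance. Using SG references instead of the /28 and /24 CIDR lists in the question also means the rule keeps tracking the source instance if its private address changes.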