Terraform config isn't using output from other file for already created resource, instead tries to recreate it and fails (security group id)

In terraform/aws/global/vpc/security_groups.tf I have the below code to create my bastion security group, and the output.tf file as well, which is below. But in terraform/aws/layers/bastion/main.tf (code also below) I reference that security group, as I need its security group ID to create my EC2 instance. The issue I have is that rather than getting the ID from the already existing security group created by the /vpc/security_groups.tf config, it tries to create the whole security group and the run obviously fails because it already exists.

How can I change my code to get the ID of the existing SG? I don't want to create my SG in the same config file as my instance; some of my security groups are shared between different resources.

I am using Terraform Cloud and VPC has its own workspace, so I assume this could actually be an issue with the states being different. Is there a work around for this?
terraform/aws/global/vpc/security_groups.tf

provider "aws" {
  region = "eu-west-1"
}

resource "aws_security_group" "bastion" {
  name        = "Bastion_Terraform"
  description = "Bastion SSH access Terraform"
  vpc_id      = "vpc-12345"

  ingress {
    description = "Bastion SSH"
    from_port   = ##
    to_port     = ##
    protocol    = "##"
    cidr_blocks = ["1.2.3.4/56"]
  }

  ingress {
    description = "Bastion SSH"
    from_port   = ##
    to_port     = ##
    protocol    = "##"
    cidr_blocks = ["1.2.3.4/0"]
  }

  egress {
    description     = "Access to "
    from_port       = ##
    to_port         = ##
    protocol        = "tcp"
    security_groups = ["sg-12345"]
  }

  egress {
    description     = "Access to ##"
    from_port       = ##
    to_port         = ##
    protocol        = "tcp"
    security_groups = ["sg-12345"]
  }

  tags = {
    Name = "Bastion Terraform"
  }
}
terraform/aws/global/vpc/outputs.tf

output "bastion-sg" {
  value = aws_security_group.bastion.id
}
terraform/aws/layers/bastion/main.tf

provider "aws" {
  region = var.region
}

module "vpc" {
  source = "../../global/vpc"
}

module "ec2-instance" {
  source = "terraform-aws-modules/ec2-instance/aws"

  name                   = "bastion"
  instance_count         = 1
  ami                    = var.image_id
  instance_type          = var.instance_type
  vpc_security_group_ids = ["${module.vpc.bastion-sg}"]
  subnet_id              = var.subnet
  iam_instance_profile   = var.iam_role

  tags = {
    Layer = "Bastion"
  }
}
When you have a child module block like this in a TF module:

module "ec2-instance" {
  source = "terraform-aws-modules/ec2-instance/aws"

  name                   = "bastion"
  instance_count         = 1
  ami                    = var.image_id
  instance_type          = var.instance_type
  vpc_security_group_ids = ["${module.vpc.bastion-sg}"]
  subnet_id              = var.subnet
  iam_instance_profile   = var.iam_role

  tags = {
    Layer = "Bastion"
  }
}
It doesn't just reference that child module, it instantiates a completely new instance of it, unique only to the parent module and its state. Think of this not like an assignment or a pointer but the construction of a whole new instance of the module (using the module as a template) with all of its resources created again.

You will need to either directly reference the outputs of the child module in the parent module that has its module block, or you will need to use a terraform_remote_state data source or Terragrunt dependency to load the outputs from the state file.
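As an added example (not code from the question or the answer above), this is how the bastion layer's main.tf could read the security group ID from the state of the separate VPC workspace with a terraform_remote_state data source, so the module is not instantiated a second time; the organization name `example-org` and the workspace name `vpc` are assumed placeholders.

```hcl
provider "aws" {
  region = var.region
}

# Read the outputs recorded in the state of the Terraform Cloud workspace that
# owns the VPC and its security groups. No resources are declared by this data
# source, so nothing is created or recreated in this layer.
# "example-org" and the workspace name "vpc" are assumed placeholders.
data "terraform_remote_state" "vpc" {
  backend = "remote"

  config = {
    organization = "example-org"
    workspaces = {
      name = "vpc"
    }
  }
}

module "ec2-instance" {
  source = "terraform-aws-modules/ec2-instance/aws"

  name           = "bastion"
  instance_count = 1
  ami            = var.image_id
  instance_type  = var.instance_type

  # The ID comes from the "bastion-sg" output declared in global/vpc/outputs.tf,
  # read from the VPC workspace's state rather than from a fresh module instance.
  vpc_security_group_ids = [data.terraform_remote_state.vpc.outputs.bastion-sg]

  subnet_id            = var.subnet
  iam_instance_profile = var.iam_role

  tags = {
    Layer = "Bastion"
  }
}
```

The vpc workspace has to be applied first so the output exists in its state, and in Terraform Cloud the bastion workspace must be granted access to that state (the workspace's remote state sharing setting) or the data source read will be denied.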