aws_security_group ingress block using dynamic block

I think I should be able to do something like this. But the map of ports, protocol, and CIDRs is wrong... How do I make a map of lists and iterate over the map?

variable "master-sg-ingress-ports" {
  //depends_on [aws_security_group.master-lb-sg, aws_security_group.worker-sg]
  description = "List of port numbers for specific security group"
  type        = map(any)

  //  format should be [ sg1 =  [from_port, to_port, protocol, from_ip_cidr] ]  ]
  default     = [ "ingress1" =  [80, 80, "TCP", "0.0.0/0"],
                  "ingress2" =  [80, 80, "TCP", "::0/0"],
                  "ingress3" =  [443, 80, "TCP", "0.0.0.0/0"],
                  "ingress4" =  [443, 80, "TCP", "::0/0"],
                  "ingress5 "=  [0, 0, "-1", "172.30.0.0/16"],]
}

resource "aws_security_group" "master_sg" {
  depends_on  = [aws_security_group.master_lb_sg, aws_security_group.worker_sg]
  provider    = aws.region_master
  name        = "master-sg"
  description = "security group for Jenkins master"
  vpc_id      = aws_vpc.vpc_master.id


  dynamic "ingress" {
    # this for_each is not identical to for_each in line 21
    for_each = toset(var.master-sg-ingress-ports) # iterator can be (need to be) configured
    iterator = it                                 # set the name of the iterator, which can be any name, but "each" (!!)
    content {
      from_port   = it[0].value
      to_port     = it[1].value
      protocol    = it[2].value
      cidr_blocks = [it[3].value]
    }
  }
}

terraform init is giving me the following, with an underline under ingress1:

The Terraform configuration must be valid before initialization so that
Terraform can determine which modules and providers need to be installed.
╷
│ Error: Invalid default value for variable
│ 
│   on security_groups.tf line 64, in variable "master-sg-ingress-ports":
│   64:   default     = [ "ingress1" =  [80, 80, "TCP", "0.0.0/0"],
│   65:                   "ingress2" =  [80, 80, "TCP", "::0/0"],
│   66:                   "ingress3" =  [443, 80, "TCP", "0.0.0.0/0"],
│   67:                   "ingress4" =  [443, 80, "TCP", "::0/0"],
│   68:                   "ingress5 "=  [0, 0, "-1", "172.30.0.0/16"],].
╵

The correct default value is a map, not a list of maps as you have now. So it should be:

variable "master-sg-ingress-ports" {

  description = "List of port numbers for specific security group"
  type        = map(any)

  # each value is [from_port, to_port, protocol, cidr]
  default     = { "ingress1" =  [80, 80, "TCP", "0.0.0.0/0"],
                  "ingress2" =  [80, 80, "TCP", "::/0"],
                  "ingress3" =  [443, 443, "TCP", "0.0.0.0/0"], # to_port must not be lower than from_port
                  "ingress4" =  [443, 443, "TCP", "::/0"],
                  "ingress5" =  [0, 0, "-1", "172.30.0.0/16"]}
}

Update for master_sg:

resource "aws_security_group" "master_sg" {
 # depends_on  = [aws_security_group.master_lb_sg, aws_security_group.worker_sg]
 # provider    = aws.region_master
  name        = "master-sg"
  description = "security group for Jenkins master"
  vpc_id      = data.aws_vpc.default.id

  dynamic "ingress" {
    # iterating a map: ingress.key is the map key, ingress.value is the list stored under it
    for_each = var.master-sg-ingress-ports
    content {
      from_port   = ingress.value[0]
      to_port     = ingress.value[1]
      protocol    = ingress.value[2]
      # cidr_blocks takes IPv4 ranges only; an IPv6 range such as "::/0" belongs in ipv6_cidr_blocks
      cidr_blocks      = can(regex(":", ingress.value[3])) ? [] : [ingress.value[3]]
      ipv6_cidr_blocks = can(regex(":", ingress.value[3])) ? [ingress.value[3]] : []
    }
  }
}
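As an added example, not part of the question or the answer above, here is the same security group with the rule map typed as `map(object)` instead of `map(any)`. Each rule is keyed by a name, the fields are named rather than positional, IPv4 and IPv6 ranges live in their own attributes (the AWS provider accepts IPv6 ranges only in `ipv6_cidr_blocks`), and `validation` blocks reject a `to_port` below `from_port`, a protocol `-1` rule that is not `0`/`0`, and a malformed or misplaced CIDR at `terraform plan` time rather than at apply. The variable name `master_sg_ingress_rules`, the rule keys and the `description` strings are assumptions made for this example; `aws_vpc.vpc_master` is the VPC from the question. `optional()` with a default value needs Terraform 1.3 or later.

```hcl
variable "master_sg_ingress_rules" {
  description = "Ingress rules for the Jenkins master security group, keyed by rule name"
  type = map(object({
    description      = string
    from_port        = number
    to_port          = number
    protocol         = string                         # "tcp", "udp", "icmp" or "-1" for all
    cidr_blocks      = optional(list(string), [])     # IPv4 ranges only
    ipv6_cidr_blocks = optional(list(string), [])     # IPv6 ranges only
  }))

  # constructed sample rules mirroring the question's five entries
  default = {
    http_v4  = { description = "HTTP from the Internet (IPv4)",  from_port = 80,  to_port = 80,  protocol = "tcp", cidr_blocks = ["0.0.0.0/0"] }
    http_v6  = { description = "HTTP from the Internet (IPv6)",  from_port = 80,  to_port = 80,  protocol = "tcp", ipv6_cidr_blocks = ["::/0"] }
    https_v4 = { description = "HTTPS from the Internet (IPv4)", from_port = 443, to_port = 443, protocol = "tcp", cidr_blocks = ["0.0.0.0/0"] }
    https_v6 = { description = "HTTPS from the Internet (IPv6)", from_port = 443, to_port = 443, protocol = "tcp", ipv6_cidr_blocks = ["::/0"] }
    vpc_all  = { description = "All traffic from inside the VPC", from_port = 0, to_port = 0, protocol = "-1", cidr_blocks = ["172.30.0.0/16"] }
  }

  # AWS rejects a port range whose upper bound is below the lower bound; catch it at plan time
  validation {
    condition     = alltrue([for r in var.master_sg_ingress_rules : r.from_port <= r.to_port])
    error_message = "to_port must not be lower than from_port."
  }

  # protocol "-1" means every port, so the range must be 0-0
  validation {
    condition     = alltrue([for r in var.master_sg_ingress_rules : r.protocol != "-1" || (r.from_port == 0 && r.to_port == 0)])
    error_message = "Protocol -1 (all traffic) requires from_port = 0 and to_port = 0."
  }

  # cidrnetmask() only understands IPv4, so can(cidrnetmask(c)) is true exactly for valid IPv4 CIDRs;
  # cidrhost() understands both families, so a valid CIDR that is not IPv4 must be IPv6
  validation {
    condition = alltrue(flatten([
      for r in var.master_sg_ingress_rules : concat(
        [for c in r.cidr_blocks : can(cidrnetmask(c))],
        [for c in r.ipv6_cidr_blocks : can(cidrhost(c, 0)) && !can(cidrnetmask(c))]
      )
    ]))
    error_message = "cidr_blocks may only hold valid IPv4 CIDRs and ipv6_cidr_blocks only valid IPv6 CIDRs."
  }
}

resource "aws_security_group" "master_sg" {
  name        = "master-sg"
  description = "security group for Jenkins master"
  vpc_id      = aws_vpc.vpc_master.id

  dynamic "ingress" {
    # for_each over a map: ingress.key is the rule name, ingress.value the rule object
    for_each = var.master_sg_ingress_rules
    content {
      description      = ingress.value.description
      from_port        = ingress.value.from_port
      to_port          = ingress.value.to_port
      protocol         = ingress.value.protocol
      cidr_blocks      = ingress.value.cidr_blocks
      ipv6_cidr_blocks = ingress.value.ipv6_cidr_blocks
    }
  }
}
```

Keying the map by a descriptive name and carrying a `description` into each rule also makes the resulting security group easier to review in the console and in `terraform plan` output: a rule that opens a port to `0.0.0.0/0` or `::/0` is visible as such by name rather than as an anonymous positional list.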
