
Terraform resources created with `for_each` - use in other Terraform scripts

I have a Terraform script that creates N security groups:

variable "security_groups" {
    default     = {
        "sg1" = "Security group 1"
        "sg2" = "Security group 2"
    }
}

resource "aws_security_group" "example" {
    for_each = var.security_groups

    name                   = each.key
    description            = each.value

    vpc_id                 = aws_vpc.example.id
    revoke_rules_on_delete = false

    egress {
        from_port   = 0
        to_port     = 0
        protocol    = "-1"
        cidr_blocks = ["0.0.0.0/0"]
    }
}

...and I have another Terraform script that creates an IAM policy, which must reference the N security groups created by the first script in its Resource section:

resource "aws_iam_policy" "operator_policy" {
  name        = "${var.iam_prefix}-operator"
  path        = "/"
  description = "Policy for operator"
  policy      = <<-EOF
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": [
                    "ec2:AuthorizeSecurityGroupEgress",
                    "ec2:AuthorizeSecurityGroupIngress",
                    "ec2:UpdateSecurityGroupRuleDescriptionsEgress",
                    "ec2:UpdateSecurityGroupRuleDescriptionsIngress",
                    "ec2:RevokeSecurityGroupEgress",
                    "ec2:RevokeSecurityGroupIngress"
                ],
                "Effect": "Allow",
                "Resource": [
                    "sg1 ARN",
                    "sgN ARN"
                ]
            }
        ]
    }
    EOF
}

Is this possible somehow?

You can combine `jsonencode`, `values` and a splat expression:

resource "aws_iam_policy" "operator_policy" {
  name        = "${var.iam_prefix}-operator"
  path        = "/"
  description = "Policy for operator"
  policy      = <<-EOF
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": [
                    "ec2:AuthorizeSecurityGroupEgress",
                    "ec2:AuthorizeSecurityGroupIngress",
                    "ec2:UpdateSecurityGroupRuleDescriptionsEgress",
                    "ec2:UpdateSecurityGroupRuleDescriptionsIngress",
                    "ec2:RevokeSecurityGroupEgress",
                    "ec2:RevokeSecurityGroupIngress"
                ],
                "Effect": "Allow",
                "Resource": ${jsonencode(values(aws_security_group.example)[*].arn)}
            }
        ]
    }
    EOF
}

Rather than using string templates to generate JSON, it's more robust to generate the entire value using the jsonencode function, because then Terraform can evaluate the argument as a normal expression and be sure to generate a valid JSON representation of the result:

resource "aws_iam_policy" "operator_policy" {
  name        = "${var.iam_prefix}-operator"
  path        = "/"
  description = "Policy for operator"
  policy      = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = [
          "ec2:AuthorizeSecurityGroupEgress",
          "ec2:AuthorizeSecurityGroupIngress",
          "ec2:UpdateSecurityGroupRuleDescriptionsEgress",
          "ec2:UpdateSecurityGroupRuleDescriptionsIngress",
          "ec2:RevokeSecurityGroupEgress",
          "ec2:RevokeSecurityGroupIngress",
        ]
        Effect = "Allow"
        Resource = [
          "sg1 ARN",
          "sgN ARN",
        ]
      },
    ]
  })
}

As well as guaranteeing that the result is always valid JSON syntax, using Terraform's expression language to build your policy value also means you can use all of Terraform's expression operators, including a `for` expression that reads the `arn` attribute from each security group:

resource "aws_iam_policy" "operator_policy" {
  name        = "${var.iam_prefix}-operator"
  path        = "/"
  description = "Policy for operator"
  policy      = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = [
          "ec2:AuthorizeSecurityGroupEgress",
          "ec2:AuthorizeSecurityGroupIngress",
          "ec2:UpdateSecurityGroupRuleDescriptionsEgress",
          "ec2:UpdateSecurityGroupRuleDescriptionsIngress",
          "ec2:RevokeSecurityGroupEgress",
          "ec2:RevokeSecurityGroupIngress",
        ]
        Effect = "Allow"
        Resource = [
          for sg in aws_security_group.example : sg.arn
        ],
      },
    ]
  })
}
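Both answers assume the security groups and the policy live in the same root module. The question speaks of two separate scripts, so here is an added example (not code from the question or either answer) of how the ARNs can be handed across that boundary: the configuration that owns the security groups exports them as an output, and the IAM configuration reads that output through the `terraform_remote_state` data source and builds the policy with `jsonencode`. The S3 bucket name, state key and region are placeholders, and `local.operator_sg_keys` is an assumed allow-list of which groups the operator may manage; `var.iam_prefix` is taken from the question.

```hcl
# --- network configuration (the script that defines aws_security_group.example) ---

# Export a map of security-group key => ARN so other configurations can
# consume it without hard-coding ARNs. Added example; placeholder names.
output "security_group_arns" {
  description = "Security group ARNs keyed by the for_each key (sg1, sg2, ...)"
  value       = { for k, sg in aws_security_group.example : k => sg.arn }
}

# --- IAM configuration (the separate script that defines the policy) ---

# Read the other configuration's state. Bucket, key and region are placeholders.
data "terraform_remote_state" "network" {
  backend = "s3"
  config = {
    bucket = "PLACEHOLDER-tfstate-bucket"
    key    = "network/terraform.tfstate"
    region = "us-east-1"
  }
}

locals {
  # Assumed allow-list: only these keys are granted to the operator, so the
  # policy stays scoped to the groups that role actually needs. To grant every
  # exported group instead, use values(data.terraform_remote_state.network.outputs.security_group_arns).
  operator_sg_keys = ["sg1", "sg2"]

  # Look each key up in the exported map; a typo in the allow-list fails at
  # plan time ("invalid index") rather than producing a policy with no ARNs.
  operator_sg_arns = [
    for k in local.operator_sg_keys :
    data.terraform_remote_state.network.outputs.security_group_arns[k]
  ]
}

resource "aws_iam_policy" "operator_policy" {
  name        = "${var.iam_prefix}-operator"
  path        = "/"
  description = "Policy for operator"

  # jsonencode builds the document from a normal Terraform value, so the
  # Resource list is always well-formed JSON regardless of how many ARNs it holds.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid    = "ManageOperatorSecurityGroupRules"
        Effect = "Allow"
        Action = [
          "ec2:AuthorizeSecurityGroupEgress",
          "ec2:AuthorizeSecurityGroupIngress",
          "ec2:UpdateSecurityGroupRuleDescriptionsEgress",
          "ec2:UpdateSecurityGroupRuleDescriptionsIngress",
          "ec2:RevokeSecurityGroupEgress",
          "ec2:RevokeSecurityGroupIngress",
        ]
        Resource = local.operator_sg_arns
      },
    ]
  })
}
```

One caveat worth knowing when choosing this pattern: `terraform_remote_state` needs read access to the whole state file of the other configuration, and state files can contain sensitive values beyond the outputs you want. If that is too broad for the identity running the IAM configuration, publish only the ARN map somewhere narrower (for example an SSM parameter written by the network configuration) and read that instead; the `locals` and `jsonencode` part of the example stays the same.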
