Terraform resources created with `for_each` - use in other Terraform scripts
I have a Terraform script that creates N security groups:
variable "security_groups" {
  default = {
    "sg1" = "Security group 1"
    "sg2" = "Security group 2"
  }
}

resource "aws_security_group" "example" {
  for_each = var.security_groups

  name                   = each.key
  description            = each.value
  vpc_id                 = aws_vpc.example.id
  revoke_rules_on_delete = false

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
I also have another Terraform script that creates an IAM policy, and it has to reference, in its Resource section, the N security groups created by the first script:
resource "aws_iam_policy" "operator_policy" {
  name        = "${var.iam_prefix}-operator"
  path        = "/"
  description = "Policy for operator"
  policy      = <<-EOF
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Action": [
          "ec2:AuthorizeSecurityGroupEgress",
          "ec2:AuthorizeSecurityGroupIngress",
          "ec2:UpdateSecurityGroupRuleDescriptionsEgress",
          "ec2:UpdateSecurityGroupRuleDescriptionsIngress",
          "ec2:RevokeSecurityGroupEgress",
          "ec2:RevokeSecurityGroupIngress"
        ],
        "Effect": "Allow",
        "Resource": [
          "sg1 ARN",
          "sgN ARN"
        ]
      }
    ]
  }
  EOF
}
Is this possible somehow?
You can combine jsonencode with values and a splat expression:
resource "aws_iam_policy" "operator_policy" {
  name        = "${var.iam_prefix}-operator"
  path        = "/"
  description = "Policy for operator"
  policy      = <<-EOF
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Action": [
          "ec2:AuthorizeSecurityGroupEgress",
          "ec2:AuthorizeSecurityGroupIngress",
          "ec2:UpdateSecurityGroupRuleDescriptionsEgress",
          "ec2:UpdateSecurityGroupRuleDescriptionsIngress",
          "ec2:RevokeSecurityGroupEgress",
          "ec2:RevokeSecurityGroupIngress"
        ],
        "Effect": "Allow",
        "Resource": ${jsonencode(values(aws_security_group.example)[*].arn)}
      }
    ]
  }
  EOF
}
Rather than using string templates to generate JSON, it's more robust to generate the entire value using the jsonencode function, because then Terraform can evaluate the argument as a normal expression and be sure to generate a valid JSON representation of the result:
resource "aws_iam_policy" "operator_policy" {
  name        = "${var.iam_prefix}-operator"
  path        = "/"
  description = "Policy for operator"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = [
          "ec2:AuthorizeSecurityGroupEgress",
          "ec2:AuthorizeSecurityGroupIngress",
          "ec2:UpdateSecurityGroupRuleDescriptionsEgress",
          "ec2:UpdateSecurityGroupRuleDescriptionsIngress",
          "ec2:RevokeSecurityGroupEgress",
          "ec2:RevokeSecurityGroupIngress",
        ]
        Effect = "Allow"
        Resource = [
          "sg1 ARN",
          "sgN ARN",
        ]
      },
    ]
  })
}
Besides guaranteeing that the result is always valid JSON syntax, building your policy value with Terraform's expression language also means you can use all of Terraform's expression operators, including a for expression that reads the arn attribute of each security group:
resource "aws_iam_policy" "operator_policy" {
  name        = "${var.iam_prefix}-operator"
  path        = "/"
  description = "Policy for operator"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = [
          "ec2:AuthorizeSecurityGroupEgress",
          "ec2:AuthorizeSecurityGroupIngress",
          "ec2:UpdateSecurityGroupRuleDescriptionsEgress",
          "ec2:UpdateSecurityGroupRuleDescriptionsIngress",
          "ec2:RevokeSecurityGroupEgress",
          "ec2:RevokeSecurityGroupIngress",
        ]
        Effect = "Allow"
        Resource = [
          for sg in aws_security_group.example : sg.arn
        ],
      },
    ]
  })
}
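The question says the security groups and the IAM policy live in two different Terraform scripts, which both answers above gloss over by referencing `aws_security_group.example` directly. The following is an added example (not code from the question or either answer) that carries the same idea across that boundary: the security-group configuration exposes its ARNs as a map output keyed by the same names as `var.security_groups`, a consuming root module reads them through a child module, and the policy is built with the `aws_iam_policy_document` data source so the rendered JSON is always valid and the `Resource` list is scoped to exactly the groups created, not `*`. The module path `./modules/security-groups`, the module name `sgs`, and the S3 bucket, key and region in the remote-state block are hypothetical; `var.iam_prefix` and the variable and resource blocks from the question are assumed to exist unchanged inside the module.

```hcl
# ---- modules/security-groups/outputs.tf (added beside the question's
# variable "security_groups" and resource "aws_security_group" "example") ----

# Keyed by the same keys as var.security_groups, so a consumer can pick one
# group by name or take all of them with values().
output "security_group_arns" {
  value = { for key, sg in aws_security_group.example : key => sg.arn }
}

# ---- root module of the IAM script ----

module "sgs" {
  source = "./modules/security-groups" # hypothetical path

  security_groups = {
    "sg1" = "Security group 1"
    "sg2" = "Security group 2"
  }
}

# The provider renders this document to JSON; there is no hand-written
# heredoc to get wrong, and the statement is limited to the groups above.
data "aws_iam_policy_document" "operator" {
  statement {
    effect = "Allow"
    actions = [
      "ec2:AuthorizeSecurityGroupEgress",
      "ec2:AuthorizeSecurityGroupIngress",
      "ec2:UpdateSecurityGroupRuleDescriptionsEgress",
      "ec2:UpdateSecurityGroupRuleDescriptionsIngress",
      "ec2:RevokeSecurityGroupEgress",
      "ec2:RevokeSecurityGroupIngress",
    ]
    # values() returns the ARNs in lexical key order, so the policy text is
    # stable across runs and does not churn in plans.
    resources = values(module.sgs.security_group_arns)
  }
}

resource "aws_iam_policy" "operator_policy" {
  name        = "${var.iam_prefix}-operator"
  path        = "/"
  description = "Policy for operator"
  policy      = data.aws_iam_policy_document.operator.json
}

# If the two scripts are separate root modules with their own state files,
# read the same output through terraform_remote_state instead of a module
# call (bucket, key and region are hypothetical placeholders):
data "terraform_remote_state" "network" {
  backend = "s3"
  config = {
    bucket = "example-tfstate-bucket"
    key    = "network/security-groups.tfstate"
    region = "us-east-1"
  }
}

# Then the statement's resources become:
#   resources = values(data.terraform_remote_state.network.outputs.security_group_arns)
```

Keying the output by the security group name rather than emitting a bare list is what makes the cross-script reference robust: adding or removing a group changes only that key, so Terraform does not reorder the remaining ARNs, and a reviewer reading the plan can see which group each policy entry belongs to. The remote-state variant needs read access to the network state file, which itself holds the ARNs and any other outputs, so grant that role only the state it needs.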