[英]How to pass the EC2 instance ID created by an aws_instance resource into a file and place it inside an EC2 instance using Terraform?
[英]Terraform - Use security group ID created in separate file for EC2 instance creation
我已經使用這個模塊在 AWS VPC 中創建了一個安全組。 如何在單獨的文件中引用由此創建的資源? 我在同一個 repo 的單獨目錄中創建我們的堡壘實例。
我的堡壘配置如下所示,使用 Terraform EC2 模塊,如果我硬編碼 vpc 安全組 ID,它就可以工作,但我希望它能夠直接從創建安全組時獲取它,因為這可能會在未來發生變化..
terraform/aws/layers/bastion/main.tf
provider "aws" {
region = var.region
}
module "ec2-instance" {
source = "terraform-aws-modules/ec2-instance/aws"
name = "bastion"
instance_count. = 1
ami = var.image_id
instance_type = var.instance_type
vpc_security_group_ids = ["${}"]
subnet_id = var.subnet
iam_instance_profile = "aws-example-ec2-role"
tags = {
Layer = "Bastion"
}
}
這就是我創建安全組的方式: terraform/aws/global/vpc/bastion_sg.tf
module "bastion-sg" {
source = "terraform-aws-modules/security-group/aws"
name = "Bastion"
description = "Bastion example group"
vpc_id = "vpc-12345"
ingress_with_cidr_blocks = [
{
from_port = ##
to_port = ##
protocol = "##"
description = "Bastion SSH"
cidr_blocks = "1.2.3.4/5"
},
{
from_port = ##
to_port = ##
protocol = "##"
description = "Bastion SSH"
cidr_blocks = "1.2.3.4/5"
}
]
egress_with_source_security_group_id = [
{
from_port = ##
to_port = ##
protocol = "##"
description = "Access to default server security group"
source_security_group_id = "sg-12345"
},
{
from_port = ##
to_port = ##
protocol = "##"
description = "Access to db"
source_security_group_id = "sg-12345"
}
]
}
我是否需要將安全組 ID output 設置到由 bastion_sg.tf 創建的 outputs.tf 中,然后才能在 bastion/main.tf 中引用它,如下所示?
module "bastion_sg"
source "../../global/vpc"
然后以某種方式將 ID 傳遞到 vpc_security_group_id =?
我不會使用 terraform-aws-modules。 我會直接使用 aws_security_group 和 aws_security_group_rules 等 aws 提供程序資源。 由於 Terraform 0.12,這些單資源模塊沒有任何好處,只是增加了復雜性。
這是一個示例,說明您的代碼可以使用直接的 aws 提供程序資源並且沒有多余的模塊:
provider "aws" {
region = var.region
}
resource "aws_instance" "bastion" {
name = "bastion"
ami = var.image_id
instance_type = var.instance_type
vpc_security_group_ids = [aws_security_group.bastion.id]
subnet_id = var.subnet
iam_instance_profile = "aws-example-ec2-role"
tags = {
Layer = "Bastion"
}
}
resource "aws_security_group" "bastion_from_ssh" {
name = "Bastion"
description = "Bastion example group"
vpc_id = "vpc-12345"
}
resource "aws_security_group_rule" "allow_ssh" {
type = "ingress"
from_port = ##
to_port = ##
protocol = "##"
description = "Bastion SSH"
cidr_blocks = ["1.2.3.4/5"]
}
resource "aws_security_group_rule" "bastion_to_db" {
type = "egress"
from_port = ##
to_port = ##
protocol = "##"
description = "Access to default server security group"
source_security_group_id = "sg-12345"
}
output "security_group_id" {
value = aws_security_group.bastion_from_ssh.id
}
示例:在另一個模塊中引用 output:
module "bastion" {
source = "path/to/dir/with/code/above"
// ... any variables it needs
}
resource "aws_security_group" "app_server" {
name = "AppServer"
description = "App Server group"
vpc_id = "vpc-12345"
}
resource "aws_security_group_rule" "allow_ssh_to_app_server" {
security_group_id = module.bastion.security_group_id
type = "egress"
from_port = 22
to_port = 22
protocol = "tcp"
description = "SSH to App Server"
source_security_group_id = aws_security_group.app_server.id
}
resource "aws_security_group_rule" "allow_ssh_from_bastion" {
security_group_id = aws_security_group.app_server.id
type = "ingress"
from_port = 22
to_port = 22
protocol = "tcp"
description = "SSH from Bastion"
source_security_group_id = module.bastion.security_group_id
}
從您正在使用的模塊文檔中,這些是輸出。
module.bastion-sg.this_security_group_id
所以你的terraform/aws/layers/bastion/main.tf
文件看起來像:
provider "aws" {
region = var.region
}
module "ec2-instance" {
source = "terraform-aws-modules/ec2-instance/aws"
name = "bastion"
instance_count. = 1
ami = var.image_id
instance_type = var.instance_type
vpc_security_group_ids = [module.bastion-sg.this_security_group_id]
subnet_id = var.subnet
iam_instance_profile = "aws-example-ec2-role"
tags = {
Layer = "Bastion"
}
}
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.