![](/img/trans.png)
[英]invalid CIDR address in terraform aws_security_group resource with cidr_blocks from file
[英]"Invalid value for module argument" with list of CIDR blocks
我正在嘗試將多個規則添加到 cloudposse 安全組。 以下是相關代碼:
module "subnets" {
source = "cloudposse/dynamic-subnets/aws"
version = "0.39.8"
vpc_id = module.vpc.vpc_id
igw_id = module.vpc.igw_id
cidr_block = module.vpc.vpc_cidr_block
availability_zones = local.az_names
# nat_gateway_enabled = true
context = module.this.context
}
module "sg" {
source = "cloudposse/security-group/aws"
version = "0.4.3"
attributes = ["primary"]
rules = [
{
key = "HTTP"
type = "ingress"
from_port = 80
to_port = 80
protocol = "tcp"
cidr_blocks = module.subnets.public_subnet_cidrs
self = null
description = "Allow HTTP from IPs in our public subnets (which includes the ALB)"
},
{
key = "SSH"
type = "ingress"
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
self = null
description = "Allow SSH from all IPs"
}
]
vpc_id = module.vpc.vpc_id
context = module.this.context
}
這是失敗的:
錯誤:模塊參數的值無效給定的值不適合在.terraform/modules/project_module.sg/variables.tf:60,1-17 定義的子模塊變量“規則”:元素類型必須全部匹配才能轉換為列表.
問題是cidr_blocks
。 如果我用["0.0.0.0/0"]
替換第一個,它就可以工作。 我看到aws-dynamic-subnets
subnets 模塊中的 output 是aws_subnet.public.*.cidr_block
。 資源中cidr_blocks
變量的當前值為["172.16.96.0/19", "172.16.128.0/19"]
,這對我來說確實像是一個字符串列表。 當我打開terraform console
並詢問public_subnet_cidrs
的類型時,我得到了dynamic
。 我嘗試將 output 包裝在tolist()
中,並在第二個入口規則中向 cidr_blocks 數組添加一個空字符串(以創建相同長度的列表),但都沒有改變錯誤。
我已經成功地解決了這個問題,方法是為 HTTP 規則使用rule_matrix
,然后還為 SSH rules
使用單個規則字典定義規則,但這感覺相當hacky。
我究竟做錯了什么?
您可以使用rule_maps
,而不是rules
:
module "sg" {
source = "cloudposse/security-group/aws"
version = "0.4.3"
attributes = ["primary"]
rules_map = {
"HTTP" = [{
key = "HTTP"
type = "ingress"
from_port = 80
to_port = 80
protocol = "tcp"
cidr_blocks = module.subnets.public_subnet_cidrs
self = null
description = "Allow HTTP from IPs in our public subnets (which includes the ALB)"
}],
"SSH" = [{
key = "SSH"
type = "ingress"
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
self = null
description = "Allow SSH from all IPs"
}
]
}
vpc_id = module.vpc.vpc_id
context = module.this.context
}
這比同時使用rules
和rule_matrix
更簡潔。 另外我不確定為什么只使用rules
不起作用。 我猜它對cidr_blocks
做了一些內部處理,並期望它們是完全相同的類型(具有 3 個非空字符串元素的列表)。
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.