conflicting issue for aws_security_group_rule attributes cidr_blocks and source_security_group_id
Below is the output of the local sg_rules; I am checking the values of the cidr_blocks and security_group_id variables. At any one time, one of the two values will be
"security_group_id" = tostring(null)
or
"cidr blocks" = tolist([])
Locals output:
sg_rules = {
"testsg_1-ingress-1521-tcp-10.80.0.10/32" => {
"cidr blocks" = tolist(["10.80.0.10/32",])
"description" = "1521 tcp ingress"
"from_port" = 1521
"protocol" = "tcp"
"security_group_id" = tostring(null)
"sg_name" = "testsg_1"
"to_port" = 1521
"type" = "ingress"
},
"testsg_2-ingress-1524-tcp-sg-23423439" => {
"cidr blocks" = tolist([])
"description" = "1524 tcp ingress"
"from_port" = 1524
"protocol" = "tcp"
"security_group_id" = "sg-23423439"
"sg_name" = "testsg_2"
"to_port" = 1524
"type" = "ingress"
}
}
Using the above local in the aws_security_group_rule resource shown below gives a conflict error, namely that cidr_blocks and source_security_group_id should not both be present.
resource "aws_security_group_rule" "tcp_cidr_blocks" {
  for_each                 = { for key, sg_rule in local.sg_rules : key => sg_rule }
  type                     = each.value.type
  from_port                = each.value.from_port
  to_port                  = each.value.to_port
  cidr_blocks              = each.value.cidr_blocks
  source_security_group_id = each.value.security_group_id
  protocol                 = each.value.protocol
  security_group_id        = aws_security_group.security_groups.id
}
What I expect is that in any one input one of the two is empty, so they should not conflict, and either cidr_blocks or source_security_group_id is used at a time.
Error:
Error: Conflicting configuration arguments

  with module.sg.aws_security_group_rule.tcp_cidr_blocks["testsg_2-ingress-1524-tcp-sg-23423439"],
  on sg/main.tf line 30, in resource "aws_security_group_rule" "tcp_cidr_blocks":
  30:   source_security_group_id = each.value.security_group_id

"security_group_id": conflicts with cidr_blocks
There are a few problems with the current code. One is the =>, which is not valid syntax in Terraform. The second is the explicit type casting, e.g. tolist(["10.80.0.10/32",]) and tostring(null). If the local sg_rules is fixed as shown below:
sg_rules = {
  "testsg_1-ingress-1521-tcp-10.80.0.10/32" = {
    "cidr_blocks"       = ["10.80.0.10/32", ] # <---- list instead of type casting
    "description"       = "1521 tcp ingress"
    "from_port"         = 1521
    "protocol"          = "tcp"
    "security_group_id" = "" # <---- empty string instead of type casting
    "sg_name"           = "testsg_1"
    "to_port"           = 1521
    "type"              = "ingress"
  },
  "testsg_2-ingress-1524-tcp-sg-23423439" = {
    "cidr_blocks"       = [""] # <---- empty list of strings instead of type casting
    "description"       = "1524 tcp ingress"
    "from_port"         = 1524
    "protocol"          = "tcp"
    "security_group_id" = "sg-23423439"
    "sg_name"           = "testsg_2"
    "to_port"           = 1524
    "type"              = "ingress"
  }
}
After that change, using a ternary operator in your code will make terraform plan work:
resource "aws_security_group_rule" "tcp_cidr_blocks" {
  for_each                 = local.sg_rules
  type                     = each.value.type
  from_port                = each.value.from_port
  to_port                  = each.value.to_port
  cidr_blocks              = each.value.cidr_blocks != [""] ? each.value.cidr_blocks : null
  source_security_group_id = each.value.security_group_id != "" ? each.value.security_group_id : null
  protocol                 = each.value.protocol
  security_group_id        = aws_security_group.security_groups.id
}
Setting cidr_blocks or source_security_group_id to null tells Terraform to treat it as an omitted argument, which means it will not complain about conflicting arguments.
The second object in your example has:
"cidr blocks" = tolist([])
"security_group_id" = "sg-23423439"
An empty list is not null, so for this object both arguments are set at the same time.
If you set the CIDR blocks attribute to tolist(null) instead, then that argument will have a null value, which may allow this validation rule to pass.
This validation rule is implemented by the hashicorp/aws provider in its aws_security_group_rule implementation, so how it interprets these situations depends on how the logic in the provider is written (the provider could choose to treat an empty list as equivalent to unset), but a null value for a resource argument is always exactly equivalent to leaving it unset, so making sure that at least one of the two is really null is the most reliable way to configure it, and it should work regardless of how the provider plugin is implemented.
You can fix this error by using a ternary operator to check whether the security_group_id or cidr_blocks value is present. If one of them is present, you can assign it to the corresponding argument in the aws_security_group_rule resource.
For example, you could use the following code:
resource "aws_security_group_rule" "tcp_cidr_blocks" {
  for_each                 = { for key, sg_rule in local.sg_rules : key => sg_rule }
  type                     = each.value.type
  from_port                = each.value.from_port
  to_port                  = each.value.to_port
  # null, not [], when a source group is given: an empty list still counts as "set" and conflicts
  cidr_blocks              = each.value.security_group_id != null ? null : each.value.cidr_blocks
  source_security_group_id = each.value.security_group_id != null ? each.value.security_group_id : null
  protocol                 = each.value.protocol
  security_group_id        = aws_security_group.security_groups.id
}