I am creating a Terraform module to automatically create a VPC with one public and one private subnet in every AZ available in the region. I successfully created a NACL for the public subnets that allows 80, 443 and 22 inbound and outbound by taking them as input (a map of rules).
Terraform block for public_acl_rule:
resource "aws_network_acl" "public_acl" {
  vpc_id     = aws_vpc.main_vpc.id
  subnet_ids = aws_subnet.public_subnet[*].id
  tags = {
    Name        = "${var.cluster_name}_public_nacl"
    environment = var.cluster_name
  }
}

resource "aws_network_acl_rule" "public_inbound_acl_rule" {
  count          = var.create_public_acl && length(aws_subnet.public_subnet) > 0 ? length(var.public_inbound_acl_rules) : 0
  network_acl_id = aws_network_acl.public_acl.id
  egress         = false
  protocol       = var.public_inbound_acl_rules[count.index]["protocol"]
  rule_action    = var.public_inbound_acl_rules[count.index]["rule_action"]
  rule_number    = var.public_inbound_acl_rules[count.index]["rule_number"]
  from_port      = lookup(var.public_inbound_acl_rules[count.index], "from_port", null)
  to_port        = lookup(var.public_inbound_acl_rules[count.index], "to_port", null)
  icmp_code      = lookup(var.public_inbound_acl_rules[count.index], "icmp_code", null)
  icmp_type      = lookup(var.public_inbound_acl_rules[count.index], "icmp_type", null)
  cidr_block     = lookup(var.public_inbound_acl_rules[count.index], "cidr_block", null)
}

resource "aws_network_acl_rule" "public_outbound_acl_rule" {
  count          = var.create_public_acl && length(aws_subnet.public_subnet) > 0 ? length(var.public_outbound_acl_rules) : 0
  network_acl_id = aws_network_acl.public_acl.id
  egress         = true
  protocol       = var.public_outbound_acl_rules[count.index]["protocol"]
  rule_action    = var.public_outbound_acl_rules[count.index]["rule_action"]
  rule_number    = var.public_outbound_acl_rules[count.index]["rule_number"]
  from_port      = lookup(var.public_outbound_acl_rules[count.index], "from_port", null)
  to_port        = lookup(var.public_outbound_acl_rules[count.index], "to_port", null)
  icmp_code      = lookup(var.public_outbound_acl_rules[count.index], "icmp_code", null)
  icmp_type      = lookup(var.public_outbound_acl_rules[count.index], "icmp_type", null)
  cidr_block     = lookup(var.public_outbound_acl_rules[count.index], "cidr_block", null)
}
I tried the aws_network_acl below with inline blocks to iterate over the public CIDR blocks:
resource "aws_network_acl" "private_acl" {
  vpc_id     = aws_vpc.main_vpc.id
  subnet_ids = aws_subnet.private_subnet[*].id
  for_each   = aws_subnet.private_subnet
  ingress {
    count       = length(var.private_inbound_acl_rules)
    protocol    = var.private_inbound_acl_rules[count.index]["protocol"]
    rule_action = var.private_inbound_acl_rules[count.index]["rule_action"]
    rule_number = var.private_inbound_acl_rules[count.index]["rule_number"]
    from_port   = lookup(var.private_inbound_acl_rules[count.index], "from_port", null)
    to_port     = lookup(var.private_inbound_acl_rules[count.index], "to_port", null)
    cidr_block  = aws_subnet.public_subnet.cidr_block
  }
  tags = {
    Name        = "${var.cluster_name}_private_nacl"
    environment = var.cluster_name
  }
}
As mentioned in count, cidr_block is asking for a reference to private_inbound_acl_rule.
Any ideas on how to dynamically feed the public cidr_block as the source, and how to take the ACL rules for the private NACL as user input? Is it possible to do this? Please share some thoughts.
Posted on 2020-07-09 07:26:00
I have solved the issue I was facing by changing the use case slightly. Modification of the use case:
I achieved the same goal with the following code:
## This rule enables ssh from the public subnets to the private subnets ##
resource "aws_network_acl_rule" "private_inbound_ssh_rule" {
  network_acl_id = aws_network_acl.private_acl.id
  # One rule per public subnet CIDR, only when the toggle is on.
  for_each       = var.enable_private_ssh ? toset(aws_subnet.public_subnet[*].cidr_block) : []
  egress         = false
  protocol       = var.private_inbound_ssh_rules["protocol"]
  rule_action    = var.private_inbound_ssh_rules["rule_action"]
  # The sixth character of the CIDR (the third octet for 10.0.X.0/24 subnets)
  # is added to the base rule number so each subnet gets a distinct number.
  rule_number    = var.private_inbound_ssh_rules["rule_number"] + tonumber(substr(each.value, 5, 1))
  from_port      = lookup(var.private_inbound_ssh_rules, "from_port", null)
  to_port        = lookup(var.private_inbound_ssh_rules, "to_port", null)
  cidr_block     = each.value
}

## This rule enables db connections from the public subnets to the private subnets ##
resource "aws_network_acl_rule" "private_inbound_mysql_rule" {
  network_acl_id = aws_network_acl.private_acl.id
  for_each       = var.enable_private_mysql ? toset(aws_subnet.public_subnet[*].cidr_block) : []
  egress         = false
  protocol       = var.private_inbound_mysql_rules["protocol"]
  rule_action    = var.private_inbound_mysql_rules["rule_action"]
  rule_number    = var.private_inbound_mysql_rules["rule_number"] + tonumber(substr(each.value, 5, 1))
  from_port      = lookup(var.private_inbound_mysql_rules, "from_port", null)
  to_port        = lookup(var.private_inbound_mysql_rules, "to_port", null)
  cidr_block     = each.value
}
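An added example, not the poster's code, of the approach the question originally asked for: the private NACL's inbound rules come from a user-supplied list variable, every public subnet CIDR is used as the source, and rule numbers are derived from list indices instead of from a character position inside the CIDR string (which only works for one addressing scheme). It assumes the module's aws_vpc.main_vpc, count-based aws_subnet.public_subnet and aws_subnet.private_subnet, and var.cluster_name; var.private_inbound_acl_rules and the local/resource names are assumptions of this example.

```hcl
# Added example (not the poster's code). Assumed to exist in the module:
# aws_vpc.main_vpc, aws_subnet.public_subnet (count-based),
# aws_subnet.private_subnet (count-based), var.cluster_name.

variable "private_inbound_acl_rules" {
  description = "Inbound rules applied to the private NACL, sourced from every public subnet CIDR"
  type = list(object({
    protocol    = string
    rule_action = string
    from_port   = number
    to_port     = number
  }))
  default = [
    { protocol = "tcp", rule_action = "allow", from_port = 22,   to_port = 22 },
    { protocol = "tcp", rule_action = "allow", from_port = 3306, to_port = 3306 },
  ]
}

locals {
  # Cartesian product of public-subnet indices and rule indices. Each public
  # subnet gets a block of ten rule numbers (100-190, 200-290, ...), so adding
  # a rule or a subnet never renumbers an existing rule (rule_number forces
  # replacement of an aws_network_acl_rule when it changes).
  private_inbound_rules = {
    for pair in setproduct(
      range(length(aws_subnet.public_subnet)),
      range(length(var.private_inbound_acl_rules))
    ) :
    "${pair[0]}-${pair[1]}" => {
      cidr_block  = aws_subnet.public_subnet[pair[0]].cidr_block
      rule        = var.private_inbound_acl_rules[pair[1]]
      rule_number = 100 + 100 * pair[0] + 10 * pair[1]
    }
  }
}

resource "aws_network_acl" "private_acl" {
  vpc_id     = aws_vpc.main_vpc.id
  subnet_ids = aws_subnet.private_subnet[*].id
  tags = {
    Name        = "${var.cluster_name}_private_nacl"
    environment = var.cluster_name
  }
}

# One inbound rule per (public subnet, user rule) pair. The map keys are built
# from indices only, so Terraform can plan the for_each even before the
# subnet CIDRs are known.
resource "aws_network_acl_rule" "private_inbound" {
  for_each = local.private_inbound_rules

  network_acl_id = aws_network_acl.private_acl.id
  egress         = false
  rule_number    = each.value.rule_number
  protocol       = each.value.rule.protocol
  rule_action    = each.value.rule.rule_action
  from_port      = each.value.rule.from_port
  to_port        = each.value.rule.to_port
  cidr_block     = each.value.cidr_block
}

# NACLs are stateless: replies to the public-subnet clients leave on the
# clients' ephemeral ports, so each public CIDR also needs an egress allow.
resource "aws_network_acl_rule" "private_outbound_ephemeral" {
  for_each = { for idx, s in aws_subnet.public_subnet : idx => s.cidr_block }

  network_acl_id = aws_network_acl.private_acl.id
  egress         = true
  rule_number    = 100 + 10 * tonumber(each.key)
  protocol       = "tcp"
  rule_action    = "allow"
  from_port      = 1024
  to_port        = 65535
  cidr_block     = each.value
}
```

Because the source CIDRs are taken from the public subnets rather than 0.0.0.0/0, the private tier only accepts SSH and MySQL from hosts inside the VPC's public subnets; anything else falls through to the NACL's implicit deny. Keep at most ten rules per subnet block with this numbering, or widen the multiplier.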
Posted on 2020-09-16 11:59:26
Since Terraform 0.12 you can use dynamic nested blocks.
locals {
  nacl_rules = [
    { port : 22, rule_num : 100, cidr : "0.0.0.0/0" },
    { port : 80, rule_num : 110, cidr : "0.0.0.0/0" },
    { port : 443, rule_num : 120, cidr : "0.0.0.0/0" }
  ]
}

resource "aws_network_acl" "public_tier" {
  vpc_id     = aws_vpc.my_vpc.id
  subnet_ids = [for s in aws_subnet.public : s.id]

  dynamic "ingress" {
    for_each = [for rule_obj in local.nacl_rules : {
      port       = rule_obj.port
      rule_no    = rule_obj.rule_num
      cidr_block = rule_obj.cidr
    }]
    content {
      protocol   = "tcp"
      rule_no    = ingress.value["rule_no"]
      action     = "allow"
      cidr_block = ingress.value["cidr_block"]
      from_port  = ingress.value["port"]
      to_port    = ingress.value["port"]
    }
  }

  dynamic "egress" {
    for_each = [for rule_obj in local.nacl_rules : {
      port       = rule_obj.port
      rule_no    = rule_obj.rule_num
      cidr_block = rule_obj.cidr
    }]
    content {
      protocol   = "tcp"
      rule_no    = egress.value["rule_no"]
      action     = "allow"
      cidr_block = egress.value["cidr_block"]
      from_port  = egress.value["port"]
      to_port    = egress.value["port"]
    }
  }

  tags = {
    Name = "my-nacl"
  }
}
Note that you may need to add the egress block below:
egress {
  protocol   = "tcp"
  rule_no    = 300
  action     = "allow"
  cidr_block = "0.0.0.0/0"
  from_port  = 1024
  to_port    = 65535
}
As mentioned here:
To enable the connection to a service running on an instance, the associated network ACL must allow both inbound traffic on the port that the service is listening on as well as outbound traffic from ephemeral ports. When a client connects to a server, a random port from the ephemeral port range (1024-65535) becomes the client's source port.
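An added example, not the answerer's code, that carries the dynamic-block pattern through with the ephemeral-port rules the quoted documentation calls for, in both directions, and restricts the SSH rule to an operator range instead of 0.0.0.0/0. It assumes aws_vpc.my_vpc and a for_each-based aws_subnet.public as in the answer; var.admin_cidr and the local names are assumptions of this example.

```hcl
# Added example (not the answerer's code). Assumed to exist: aws_vpc.my_vpc,
# aws_subnet.public (for_each-based). var.admin_cidr is an assumption.

variable "admin_cidr" {
  description = "Source CIDR permitted to reach SSH on the public tier"
  type        = string
}

locals {
  # Listening ports the public tier serves; SSH is limited to the admin range.
  service_rules = [
    { port = 22,  rule_num = 100, cidr = var.admin_cidr },
    { port = 80,  rule_num = 110, cidr = "0.0.0.0/0" },
    { port = 443, rule_num = 120, cidr = "0.0.0.0/0" },
  ]
  ephemeral = { from = 1024, to = 65535 }
}

resource "aws_network_acl" "public_tier" {
  vpc_id     = aws_vpc.my_vpc.id
  subnet_ids = [for s in aws_subnet.public : s.id]

  # Inbound: one allow per served port, generated from local.service_rules.
  dynamic "ingress" {
    for_each = local.service_rules
    content {
      protocol   = "tcp"
      rule_no    = ingress.value.rule_num
      action     = "allow"
      cidr_block = ingress.value.cidr
      from_port  = ingress.value.port
      to_port    = ingress.value.port
    }
  }

  # Inbound: replies to connections the tier itself initiates (for example
  # HTTPS to package mirrors) arrive on an ephemeral source port.
  ingress {
    protocol   = "tcp"
    rule_no    = 300
    action     = "allow"
    cidr_block = "0.0.0.0/0"
    from_port  = local.ephemeral.from
    to_port    = local.ephemeral.to
  }

  # Outbound: replies to inbound clients go to the client's ephemeral port.
  egress {
    protocol   = "tcp"
    rule_no    = 300
    action     = "allow"
    cidr_block = "0.0.0.0/0"
    from_port  = local.ephemeral.from
    to_port    = local.ephemeral.to
  }

  # Outbound: connections the tier itself initiates to HTTPS endpoints.
  egress {
    protocol   = "tcp"
    rule_no    = 310
    action     = "allow"
    cidr_block = "0.0.0.0/0"
    from_port  = 443
    to_port    = 443
  }

  tags = {
    Name = "public-tier-nacl"
  }
}
```

Because these rules are inline, do not also manage rules for this ACL with aws_network_acl_rule resources; the AWS provider documents that the two approaches overwrite each other. Rules are evaluated in ascending rule_no order and anything unmatched hits the implicit deny at the end, so leave gaps between numbers for later insertions.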
https://stackoverflow.com/questions/62799006