
Terraform (AWS): dynamically create a private ACL using loop logic

Stack Overflow user
Asked on 2020-07-08 16:11:57
Answers: 2 | Views: 1.6K | Followers: 0 | Votes: 0

I am creating a Terraform module to automatically create a VPC with one public and one private subnet in each AZ available in the region. I have successfully created a NACL for the public subnets that allows 80, 443 and 22 inbound and outbound, by taking them as input (a map of rules).

Terraform block for Public_acl_rule:

```hcl
resource "aws_network_acl" "public_acl" {
  vpc_id     = aws_vpc.main_vpc.id
  subnet_ids = aws_subnet.public_subnet[*].id

  tags = {
    Name        = "${var.cluster_name}_public_nacl"
    environment = var.cluster_name
  }
}

resource "aws_network_acl_rule" "public_inbound_acl_rule" {
  count = var.create_public_acl && length(aws_subnet.public_subnet) > 0 ? length(var.public_inbound_acl_rules) : 0

  network_acl_id = aws_network_acl.public_acl.id

  egress      = false
  protocol    = var.public_inbound_acl_rules[count.index]["protocol"]
  rule_action = var.public_inbound_acl_rules[count.index]["rule_action"]
  rule_number = var.public_inbound_acl_rules[count.index]["rule_number"]
  from_port   = lookup(var.public_inbound_acl_rules[count.index], "from_port", null)
  to_port     = lookup(var.public_inbound_acl_rules[count.index], "to_port", null)
  icmp_code   = lookup(var.public_inbound_acl_rules[count.index], "icmp_code", null)
  icmp_type   = lookup(var.public_inbound_acl_rules[count.index], "icmp_type", null)
  cidr_block  = lookup(var.public_inbound_acl_rules[count.index], "cidr_block", null)
}

resource "aws_network_acl_rule" "public_outbound_acl_rule" {
  count = var.create_public_acl && length(aws_subnet.public_subnet) > 0 ? length(var.public_outbound_acl_rules) : 0

  network_acl_id = aws_network_acl.public_acl.id

  egress      = true
  protocol    = var.public_outbound_acl_rules[count.index]["protocol"]
  rule_action = var.public_outbound_acl_rules[count.index]["rule_action"]
  rule_number = var.public_outbound_acl_rules[count.index]["rule_number"]
  from_port   = lookup(var.public_outbound_acl_rules[count.index], "from_port", null)
  to_port     = lookup(var.public_outbound_acl_rules[count.index], "to_port", null)
  icmp_code   = lookup(var.public_outbound_acl_rules[count.index], "icmp_code", null)
  icmp_type   = lookup(var.public_outbound_acl_rules[count.index], "icmp_type", null)
  cidr_block  = lookup(var.public_outbound_acl_rules[count.index], "cidr_block", null)
}
```

I tried the following aws_network_acl with inline blocks to iterate over the public cidr_blocks:

```hcl
resource "aws_network_acl" "private_acl" {
  vpc_id     = aws_vpc.main_vpc.id
  subnet_ids = aws_subnet.private_subnet[*].id
  for_each   = aws_subnet.private_subnet

  ingress {
    count       = length(var.private_inbound_acl_rules)
    protocol    = var.private_inbound_acl_rules[count.index]["protocol"]
    rule_action = var.private_inbound_acl_rules[count.index]["rule_action"]
    rule_number = var.private_inbound_acl_rules[count.index]["rule_number"]
    from_port   = lookup(var.private_inbound_acl_rules[count.index], "from_port", null)
    to_port     = lookup(var.private_inbound_acl_rules[count.index], "to_port", null)
    cidr_block  = aws_subnet.public_subnet.cidr_block
  }

  tags = {
    Name        = "${var.cluster_name}_private_nacl"
    environment = var.cluster_name
  }
}
```

As mentioned in the count, cidr_block is asking for a reference to private_inbound_acl_rule.

Any ideas on how to dynamically pass the public cidr_block as the source, and how to take the ACL rules for the private NACL as user input? Is it possible to do this? Please share some thoughts.


Stack Overflow user

Posted on 2020-07-09 07:26:00

I have solved the problem I was facing by changing the use case slightly. Use case changes:

  1. Iterate over the public cidr_block ranges to create the NACL rules for the private subnets.
  2. To get the ssh rules dynamically, the db connection needs to be enabled and the rules are created based on a condition.

I achieved the same with the following code:

```hcl
## This rule is to enable ssh from the public subnets to the private subnets ##
resource "aws_network_acl_rule" "private_inbound_ssh_rule" {

  network_acl_id = aws_network_acl.private_acl.id
  # One rule per public subnet CIDR, only when the flag is enabled
  for_each = var.enable_private_ssh ? toset(aws_subnet.public_subnet[*].cidr_block) : []

  egress      = false
  protocol    = var.private_inbound_ssh_rules["protocol"]
  rule_action = var.private_inbound_ssh_rules["rule_action"]
  # Rule numbers must be unique per direction within a NACL: the base number is
  # offset by the sixth character of the CIDR (e.g. "1" in "10.0.1.0/24"), which
  # only stays unique while the CIDRs differ in that single digit
  rule_number = var.private_inbound_ssh_rules["rule_number"] + tonumber(substr(each.value, 5, 1))
  from_port   = lookup(var.private_inbound_ssh_rules, "from_port", null)
  to_port     = lookup(var.private_inbound_ssh_rules, "to_port", null)
  cidr_block  = each.value
}


## This rule is to enable the db connection from the public subnets to the private subnets ##
resource "aws_network_acl_rule" "private_inbound_mysql_rule" {

  network_acl_id = aws_network_acl.private_acl.id
  for_each = var.enable_private_mysql ? toset(aws_subnet.public_subnet[*].cidr_block) : []

  egress      = false
  protocol    = var.private_inbound_mysql_rules["protocol"]
  rule_action = var.private_inbound_mysql_rules["rule_action"]
  # Same offset scheme as the ssh rule above
  rule_number = var.private_inbound_mysql_rules["rule_number"] + tonumber(substr(each.value, 5, 1))
  from_port   = lookup(var.private_inbound_mysql_rules, "from_port", null)
  to_port     = lookup(var.private_inbound_mysql_rules, "to_port", null)
  cidr_block  = each.value
}
```

Votes: 0
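The answer above works, but the rule number it derives from `substr(each.value, 5, 1)` collides as soon as two public CIDRs share that character, and NACL rule numbers must be unique per direction. The following is an added example, not the asker's or the answerer's code, that generalizes the approach: it takes the allowed services as one user-input map (the asker's second requirement), builds one rule per (service, public CIDR) pair, and numbers the rules from the subnet's position in the list. It assumes the resources named in the question (`aws_vpc.main_vpc`, `aws_subnet.public_subnet` and `aws_subnet.private_subnet` created with `count`, and `aws_network_acl.private_acl`); the variable and local names are hypothetical.

```hcl
# Added example; not the asker's or the answerer's code. It assumes the resources
# named in the question (aws_subnet.public_subnet created with count and
# aws_network_acl.private_acl). The variable and local names are hypothetical.

variable "private_inbound_rules" {
  description = "Services to allow from every public subnet into the private subnets, keyed by a short name."
  type = map(object({
    enabled     = bool
    protocol    = string
    from_port   = number
    to_port     = number
    base_number = number # first NACL rule number used for this service
  }))
  default = {
    ssh   = { enabled = true, protocol = "tcp", from_port = 22,   to_port = 22,   base_number = 100 }
    mysql = { enabled = true, protocol = "tcp", from_port = 3306, to_port = 3306, base_number = 200 }
  }
}

locals {
  # Position of each public subnet in the list. The index, not a character of the
  # CIDR string, keeps rule numbers unique. for_each keys must be known at plan
  # time, which holds when the subnet cidr_block values come from configuration.
  public_cidr_index = { for idx, cidr in aws_subnet.public_subnet[*].cidr_block : cidr => idx }

  # One rule per (enabled service, public CIDR) pair, merged into a single map.
  private_inbound = merge([
    for name, rule in var.private_inbound_rules : {
      for cidr, idx in local.public_cidr_index :
      "${name}-${cidr}" => {
        protocol    = rule.protocol
        from_port   = rule.from_port
        to_port     = rule.to_port
        cidr_block  = cidr
        rule_number = rule.base_number + idx
      }
    } if rule.enabled
  ]...)
}

resource "aws_network_acl_rule" "private_inbound" {
  for_each = local.private_inbound

  network_acl_id = aws_network_acl.private_acl.id
  egress         = false
  rule_action    = "allow"
  protocol       = each.value.protocol
  rule_number    = each.value.rule_number
  from_port      = each.value.from_port
  to_port        = each.value.to_port
  cidr_block     = each.value.cidr_block
}

# NACLs are stateless, so replies to the sessions allowed above need an outbound
# rule for the ephemeral port range back to the same public subnets. Traffic not
# matched by an explicit rule falls through to the NACL's implicit deny.
resource "aws_network_acl_rule" "private_outbound_ephemeral" {
  for_each = local.public_cidr_index

  network_acl_id = aws_network_acl.private_acl.id
  egress         = true
  rule_action    = "allow"
  protocol       = "tcp"
  rule_number    = 100 + each.value
  from_port      = 1024
  to_port        = 65535
  cidr_block     = each.key
}
```

Disabling a service is a matter of setting `enabled = false` in the map rather than keeping a separate flag variable per service, and because the filter is applied inside the `for` expression the `for_each` value is always a map of the same type, so no conditional with mismatched `toset(...)` and `[]` branches is needed. Keep the `base_number` values far enough apart that `base_number + idx` never overlaps across services for the number of public subnets you expect.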
The original page content is provided by Stack Overflow. Translation supported by Tencent Cloud's Xiaowei IT-domain engine.
Original link:

https://stackoverflow.com/questions/62799006
