How can I avoid a Cycle error in my module for an RDS instance and security group
I am writing a Terraform module to provision an RDS database instance and its associated security group, which controls inbound connections. The problem I am running into is that the security group resource needs the database port as an argument, while the database instance resource needs the security group ID as an argument. Hence the cycle error.
resource "aws_security_group" "this" {
  name        = "${local.name}-inbound"
  description = "Allow inbound traffic from customer instances and management"
  vpc_id      = "${var.vpc_id}"

  ingress {
    from_port       = "${aws_db_instance.this.port}"
    to_port         = "${aws_db_instance.this.port}"
    protocol        = 6
    security_groups = ["${var.ingress_sg_ids}"]
  }
}

resource "aws_db_instance" "this" {
  allocated_storage       = "${var.storage_size}"
  storage_type            = "${var.storage_type}"
  engine                  = "${var.db_engine}"
  engine_version          = "${var.db_engine_version}"
  instance_class          = "${var.instance_type}"
  identifier_prefix       = "${local.name}-"
  name                    = "${var.env}_${var.workspace}"
  username                = "${var.root_username}"
  password                = "${random_id.root_password.b64}"
  db_subnet_group_name    = "${aws_db_subnet_group.this.name}"
  parameter_group_name    = "${var.param_group_name}"
  backup_retention_period = "${var.backup_retention_period}"
  copy_tags_to_snapshot   = true
  kms_key_id              = "${aws_kms_key.this.arn}"
  storage_encrypted       = true
  skip_final_snapshot     = "${var.skip_final_snapshot}"
  vpc_security_group_ids  = ["${aws_security_group.this.id}"]
}
The error message is as follows:
* Cycle: module.rds.aws_db_instance.this, module.rds.aws_security_group.this
When creating the aws_db_instance you did not pass any specific port, so the default port (3306) will be used to create this instance. Therefore you can use the default port (3306) directly instead of referencing the rds instance in the security group:

  ingress {
    from_port       = "3306"
    to_port         = "3306"
    protocol        = 6
    security_groups = ["${var.ingress_sg_ids}"]
  }
You have a cyclic dependency because your instance depends on your security group, whose in-line rule depends on your instance. As a workaround, you can use the aws_security_group_rule resource:
resource "aws_security_group_rule" "db_ingress_sgr" {
  type                     = "ingress"
  security_group_id        = "${aws_security_group.this.id}"
  from_port                = "${aws_db_instance.this.port}"
  to_port                  = "${aws_db_instance.this.port}"
  protocol                 = 6
  source_security_group_id = "${var.ingress_sg_ids}"
}
Terraform will create the (empty) security group, then your RDS instance, then the security group rule.
Note that this way you can only define one source_security_group_id at a time, so check the type of your ingress_sg_ids variable.
Note (from the docs):
At this time you cannot use a Security Group with in-line rules in conjunction with any Security Group Rule resources. Doing so will cause a conflict of rule settings and will overwrite rules.
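The second answer's workaround carried through for a list-typed ingress_sg_ids, as an added example that is not code from the question or either answer: one aws_security_group_rule per source security group, a security group with no in-line rules (so it does not conflict with the rule resources), and a dependency graph of security group, then DB instance, then rules, with no cycle. It keeps the Terraform 0.11-style interpolation of the page and assumes the module's other variables and locals (var.vpc_id, var.storage_size, local.name, random_id.root_password and so on) are declared as in the question.

```hcl
# Added example, not from the question or answers. Declares ingress_sg_ids as a
# list so that several source security groups can reach the database port.
variable "ingress_sg_ids" {
  type        = "list"
  description = "Security group IDs allowed to reach the database port"
}

# No in-line ingress/egress blocks here: mixing them with
# aws_security_group_rule resources overwrites rules (see the docs note above).
resource "aws_security_group" "this" {
  name        = "${local.name}-inbound"
  description = "Allow inbound traffic from customer instances and management"
  vpc_id      = "${var.vpc_id}"
}

# The instance depends on the (still empty) security group; the remaining
# arguments are the question's and reference its existing variables/resources.
resource "aws_db_instance" "this" {
  allocated_storage      = "${var.storage_size}"
  engine                 = "${var.db_engine}"
  engine_version         = "${var.db_engine_version}"
  instance_class         = "${var.instance_type}"
  identifier_prefix      = "${local.name}-"
  username               = "${var.root_username}"
  password               = "${random_id.root_password.b64}"
  db_subnet_group_name   = "${aws_db_subnet_group.this.name}"
  kms_key_id             = "${aws_kms_key.this.arn}"
  storage_encrypted      = true
  vpc_security_group_ids = ["${aws_security_group.this.id}"]
}

# One rule per source security group, each scoped to exactly the port the
# instance listens on. The rules depend on the instance, not the other way
# round: security group -> DB instance -> rules, so Terraform finds no cycle.
resource "aws_security_group_rule" "db_ingress" {
  count                    = "${length(var.ingress_sg_ids)}"
  type                     = "ingress"
  security_group_id        = "${aws_security_group.this.id}"
  from_port                = "${aws_db_instance.this.port}"
  to_port                  = "${aws_db_instance.this.port}"
  protocol                 = "tcp"                              # same as 6
  source_security_group_id = "${element(var.ingress_sg_ids, count.index)}"
}
```

Running `terraform graph` on the module after this change shows the rule nodes pointing at the instance node and the instance at the security group, which is the acyclic order the second answer describes.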