Security groups should be able to communicate to other security groups
My company requires me to explicitly specify every allowed port and protocol in security group ingress rules. I want a long list of port/protocol/security-group entries to allow ingress/egress for
from_port, to_port, protocol, security_group_that_port_protocol_restriction_applies_to
The following example has a problem: the "master-sg-ingress-security-groups" variable needs the security groups to already be defined.
resource "aws_security_group" "master_lb_sg" {
....
}
resource "aws_security_group" "worker_sg" {
......
}
########
####### list of port protocols and security groups to create ingress blocks for. Problem is that security groups do not exist at variable creation time.
########
variable "master-sg-ingress-security-groups" {
depends_on = [aws_security_group.master_lb_sg, aws_security_group.worker_sg]
description = "List of port numbers for specific security group. company bans allowing all ports and protocols. "
type = map(any)
default = {
"ingress1" = [80, 80, "TCP", aws_security_group.master_lb_sg],
"ingress2" = [443, 443, "TCP", aws_security_group.master_lb_sg],
"ingress3" = [3398,3398, "RDP", aws_security_group.bastion_host_sg],
....
"ingress4" = [1024, 1024, "UDP", aws_security_group.worker_sg]
}
}
#####
#### I want to iterate over the above list of security groups and create dynamic ingress rules but other security groups do not exist
####
resource "aws_security_group" "test" {
depends_on = [aws_security_group.master_lb_sg, aws_security_group.worker_sg]
provider = aws.region_master
name = "master-sg"
description = "security group for Jenkins master"
vpc_id = aws_vpc.vpc_master.id
dynamic "ingress" {
# this for_each is not identical to for_each in line 21
for_each = var.master-sg-ingress-security-groups
content {
from_port = ingress.value[0]
to_port = ingress.value[1]
protocol = ingress.value[2]
# the ingress block takes a list of source security group IDs; the iterator's value is reached via ingress.value
security_groups = [ingress.value[3].id]
}
}
}
I think I have to copy and paste the text block for each ingress rule.
Is there a way to get around the problem of aws_security_group.worker_sg in a variable?
Unfortunately, not from TF itself. When you run your script, variables must be fully defined. But you can change master-sg-ingress-security-groups into a local variable. That way you can build a map that contains other variables.
So, depending entirely on your use case, you might have a base variable called base-master-sg-ingress-security-groups and then build the final map in locals, containing references to the other existing SGs.
Alternatively, you can split your TF script into two parts. The first would deploy the core SGs and output their IDs. Those IDs would then be used as input variables for the second part, which would deploy the SGs that reference the core ones.
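The answer's first suggestion, written out as an added example (this is not code from the question or the answer): the port/protocol/source-SG map moves from a variable default into locals, where references to resource attributes are allowed, and the dynamic ingress block consumes it. The resource and provider names (aws_vpc.vpc_master, aws.region_master, master_lb_sg, worker_sg, bastion_host_sg) follow the question; the object keys (from, to, protocol, source_sg) and the local name master_sg_ingress are assumptions. The output at the end is the hand-off point for the answer's second option, a two-part deployment.

```hcl
# Added example, not the question's or answer's own code.
# Assumed names: local.master_sg_ingress and the object keys below.

resource "aws_security_group" "master_lb_sg" {
  provider    = aws.region_master
  name        = "master-lb-sg"
  description = "load balancer in front of the Jenkins master"
  vpc_id      = aws_vpc.vpc_master.id
}

resource "aws_security_group" "worker_sg" {
  provider    = aws.region_master
  name        = "worker-sg"
  description = "Jenkins workers"
  vpc_id      = aws_vpc.vpc_master.id
}

resource "aws_security_group" "bastion_host_sg" {
  provider    = aws.region_master
  name        = "bastion-host-sg"
  description = "bastion host"
  vpc_id      = aws_vpc.vpc_master.id
}

# A variable default is evaluated before any resource exists, so it cannot
# reference aws_security_group.*. A local is an ordinary expression in the
# dependency graph, so it can. Each entry names exactly one source security
# group and one port range; no entry opens a CIDR and none uses protocol "-1".
locals {
  master_sg_ingress = {
    lb_http = {
      from      = 80
      to        = 80
      protocol  = "tcp"
      source_sg = aws_security_group.master_lb_sg.id
    }
    lb_https = {
      from      = 443
      to        = 443
      protocol  = "tcp"
      source_sg = aws_security_group.master_lb_sg.id
    }
    bastion_rdp = {
      from      = 3389
      to        = 3389
      protocol  = "tcp"
      source_sg = aws_security_group.bastion_host_sg.id
    }
    worker_udp = {
      from      = 1024
      to        = 1024
      protocol  = "udp"
      source_sg = aws_security_group.worker_sg.id
    }
  }
}

resource "aws_security_group" "master_sg" {
  provider    = aws.region_master
  name        = "master-sg"
  description = "security group for Jenkins master"
  vpc_id      = aws_vpc.vpc_master.id

  # No depends_on needed: the references inside local.master_sg_ingress
  # already order this resource after the source security groups.
  dynamic "ingress" {
    for_each = local.master_sg_ingress
    content {
      description     = ingress.key
      from_port       = ingress.value.from
      to_port         = ingress.value.to
      protocol        = ingress.value.protocol
      security_groups = [ingress.value.source_sg]
    }
  }
}

# For the answer's second option (two separate root modules), the first part
# exports the core SG IDs like this and the second part declares matching
# input variables and puts the IDs into its own locals map.
output "worker_sg_id" {
  value = aws_security_group.worker_sg.id
}
```

Running terraform plan on this shows four ingress rules on master-sg, each scoped to a single source security group and port range, which is the auditable form the company policy in the question asks for. Keeping the map keyed by a descriptive name (lb_http, bastion_rdp) also means a rule that later grows an unexpected port shows up in the plan diff under that name rather than as an anonymous list index.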