Terraform解耦安全组依赖性 [英] Terraform decouple Security Group dependency

问题描述

这已通过 Terraform v0.12.9

我通常将安全组和安全组规则作为单独的资源进行管理，如以下示例所示:

I generally manage security groups and security group rules as separate resources, as in the below example:

resource "aws_security_group" "this" {
  count       = var.create ? 1 : 0
  name_prefix = "${var.security_group_name}_"
  vpc_id      = var.vpc_id

  lifecycle {
    create_before_destroy = true
  }
}

resource "aws_security_group_rule" "ingress_rules" {
  count                     = var.create ? length(var.inbound_security_group_ids) : 0

  security_group_id         = aws_security_group.this[0].id
  type                      = "ingress"

  from_port                 = var.from_port
  to_port                   = var.to_port
  protocol                  = "tcp"
  source_security_group_id  = var.inbound_security_group_ids[count.index]
}

其实现如下所示:

module "test_module" {
  source                     = "../path/to/module/"

  create                     = true
  vpc_id                     = "vpc-xxxxxx"
  security_group_name        = "${var.service_name}-db"
  from_port                  = 1234
  to_port                    = 1234
  inbound_security_group_ids = [
    module.service.security_group_id_one,
    module.service.security_group_id_two
  ]
}

问题

如果未创建module.service的输出，我希望它能够正常工作.在那种情况下，我期望length(var.inbound_security_group_ids)应该评估为0，从而导致安全组规则无法创建

I want this to work if the outputs from the module.service aren't created. In that scenario my expectation is that length(var.inbound_security_group_ids) should evaluate to 0 resulting in the security group rules not being created

实际上发生的是，当未创建module.service时，length(var.inbound_security_group_ids)的计算结果为2.大概是因为这是两个空白字符串["", ""]

What actually happens is that length(var.inbound_security_group_ids) evaluates to 2 when module.service isn't created. This is presumably because it is an array of two blank strings ["", ""]

根据 Terraform文档我可以使用compact函数，可从数组中删除空字符串.

According to the Terraform documentation I can handle this with the compact function, which removes empty strings from an array.

resource "aws_security_group_rule" "ingress_rules" {
  count                     = var.create ? length(compact(var.inbound_security_group_ids)) : 0

  security_group_id         = aws_security_group.this[0].id
  type                      = "ingress"

  from_port                 = var.from_port
  to_port                   = var.to_port
  protocol                  = "tcp"
  source_security_group_id  = var.inbound_security_group_ids[count.index]
}

但是，与此有关的问题是Terraform无法确定plan，因为它直到apply-time才知道var.inbound_security_group_ids的计算结果.这是错误消息(针对上下文):

The problem with this, however, is that Terraform is unable to determine the plan because it doesn't know what var.inbound_security_group_ids evaluates to until apply-time. This is the error message (for context):

"count"值取决于无法确定的资源属性 直到应用，Terraform才能预测将创建多少个实例. 要解决此问题，请使用-target参数首先仅应用 计数所依赖的资源.

The "count" value depends on resource attributes that cannot be determined until apply, so Terraform cannot predict how many instances will be created. To work around this, use the -target argument to first apply only the resources that the count depends on.

问题

是否可以像这样解除安全组的耦合，以便即使source_security_group_id属性没有值也仍然可以创建该安全组?

Is it possible to decouple a security group like this so that it will still be created even when the source_security_group_id attribute has no values?

推荐答案

使用Terraform中可能为空的列表或集合通常要比使用可能未设置的单个值(由于与之相关的原因)更容易您已经观察到:它将值的设置与实际值分开，这样即使值本身未知，也可以知道该值的存在.

It's often easier to work with lists or sets that might be empty in Terraform than to work with individual values that might not be set, for a reason related to what you've observed: it separates whether the value is set from what the value actually is, so that the presence of the value can be known even if the value itself isn't known.

在这种情况下，您可以通过更改从service模块返回安全组ID的方式来解决该问题，从而使每个输出都是安全组ID的 list 而不是单个字符串，可能是有效的安全组ID或空字符串:

In this case, you might approach that by changing how you return the security group ids from your service module, so that each of those outputs is a list of security group ids rather than a single string that might be either a valid security group id or an empty string:

module "test_module" {
  source                     = "../path/to/module/"

  create                     = true
  vpc_id                     = "vpc-xxxxxx"
  security_group_name        = "${var.service_name}-db"
  from_port                  = 1234
  to_port                    = 1234
  inbound_security_group_ids = concat(
    module.service.security_group_ids_one,
    module.service.security_group_ids_two,
  )
}

如果已知security_group_ids_one或security_group_ids_two是空列表，则concat将完全忽略它.如果启用了 ，则可以将它们安排为具有一个值未知的元素的已知列表，因此length(var.inbound_security_group_ids)在所有情况下仍将具有已知值.

If either security_group_ids_one or security_group_ids_two is known to be an empty list then concat will ignore it entirely. If they are enabled then you can arrange for them to be a known list with one element whose value is unknown, and thus length(var.inbound_security_group_ids) will still have a known value in all cases.

这篇关于Terraform解耦安全组依赖性的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！