Cycle error when trying to create AWS VPC security groups using Terraform

Problem description

I want to create 2 VPC security groups.

One for the Bastion host of the VPC and one for the Private subnet.

# BASTION #
resource "aws_security_group" "VPC-BastionSG" {
  name        = "VPC-BastionSG"
  description = "The sec group for the Bastion instance"
  # Must be interpolated; a bare "aws_vpc.VPC.id" string would be sent to AWS literally
  vpc_id      = "${aws_vpc.VPC.id}"

  ingress {
      # SSH to the bastion, only from the operator's address
      from_port = 22
      to_port   = 22
      protocol  = "tcp"
      cidr_blocks = ["my.super.ip/32"]
  }

  egress {
      # Access to the Private subnet from the bastion host[ssh]
      # This reference to VPC-PrivateSG (which in turn references this group)
      # is one half of the cycle reported below
      from_port = 22
      to_port   = 22
      protocol  = "tcp"
      security_groups = ["${aws_security_group.VPC-PrivateSG.id}"]
  }
  egress {
      # Access to the Private subnet from the bastion host[jenkins]
      from_port = 8686
      to_port   = 8686
      protocol  = "tcp"
      security_groups = ["${aws_security_group.VPC-PrivateSG.id}"]
  }

  tags = {
    Name = "VPC-BastionSG"
  }
}

# PRIVATE #
resource "aws_security_group" "VPC-PrivateSG" {
  name        = "VPC-PrivateSG"
  description = "The sec group for the private subnet"
  vpc_id      = "${aws_vpc.VPC.id}"

  ingress {
      # SSH from the bastion: the other half of the cycle
      from_port = 22
      to_port   = 22
      protocol  = "tcp"
      security_groups = ["${aws_security_group.VPC-BastionSG.id}"]
  }
  # VPC-PublicSG is defined elsewhere in the configuration (not shown here)
  ingress {
      from_port = 80
      to_port   = 80
      protocol  = "tcp"
      security_groups = ["${aws_security_group.VPC-PublicSG.id}"]
  }
  ingress {
      from_port = 443
      to_port   = 443
      protocol  = "tcp"
      security_groups = ["${aws_security_group.VPC-PublicSG.id}"]
  }
  ingress {
      from_port = 3306
      to_port   = 3306
      protocol  = "tcp"
      security_groups = ["${aws_security_group.VPC-PublicSG.id}"]
  }
  ingress {
      # Jenkins from the bastion
      from_port = 8686
      to_port   = 8686
      protocol  = "tcp"
      security_groups = ["${aws_security_group.VPC-BastionSG.id}"]
  }
  ingress {
      # ALL TRAFFIC from the same subnet (members of this group)
      from_port = 0
      to_port   = 0
      protocol  = "-1"
      self      = true
  }
  egress {
      # ALL TRAFFIC to outside world
      from_port = 0
      to_port   = 0
      protocol  = "-1"
      cidr_blocks = ["0.0.0.0/0"]
  }
  tags = {
    Name = "VPC-PrivateSG"
  }
}

When I terraform plan it, this error is returned:

**`Error configuring: 1 error(s) occurred:
* Cycle: aws_security_group.VPC-BastionSG, aws_security_group.VPC-PrivateSG`**

If I comment out the ingress rules for the BastionSG from the PrivateSG the plan executes fine.

Also, if I comment out the egress rules for the PrivateSG from the BastionSG it also executes fine.

The AWS Scenario 2 for building a VPC with Public/Private subnets and Bastion host describes the architecture I am trying to setup.

I have the exact same settings configured via the AWS console and it plays fine.

Why isn't Terraform accepting it? Is there another way to connect the Bastion security group with the Private security group?

Edit

As I understand there is a circular reference between the two sec groups that somehow needs to break even though in AWS it is valid.

So, I thought of allowing all outbound traffic (0.0.0.0/0) from the Bastion sec group and not specifying it to individual security groups.

Would it have a bad security impact?

Recommended answer

Terraform attempts to build a dependency chain for all of the resources defined in the folder that it is working on. Doing this enables it to work out if it needs to build things in a specific order and is pretty key to how it all works.

Obviously, your example is going to fail because you have a cyclic dependency (as Terraform helpfully points out) where each security group is dependent on the other one being created already.

Sometimes these can be tricky to solve and may mean you need to rethink what you're trying to do (as you mention, one option would be to simply allow all egress traffic out from the bastion host and only restrict the ingress traffic on the private instances) but in this case you have the option of using the aws_security_group_rule resource in combination with the aws_security_group resource.

This means we can define empty security groups with no rules in them at first which we can then use as targets for the security group rules we create for the groups.

A quick example might look something like this:

# Both groups are declared with no inline rules, so neither needs the other
# to exist first. (No vpc_id given, so they land in the account's default VPC.)
resource "aws_security_group" "bastion" {
  name        = "bastion"
  description = "Bastion security group"
}

# Bastion -> private, SSH. For an egress rule, source_security_group_id is
# the destination group.
resource "aws_security_group_rule" "bastion-to-private-ssh-egress" {
  type                     = "egress"
  from_port                = 22
  to_port                  = 22
  protocol                 = "tcp"
  security_group_id        = "${aws_security_group.bastion.id}"
  source_security_group_id = "${aws_security_group.private.id}"
}

resource "aws_security_group" "private" {
  name        = "private"
  description = "Private security group"
}

# Private <- bastion, SSH. Only the rules reference the groups; the groups
# reference nothing, so there is no cycle.
resource "aws_security_group_rule" "private-from-bastion-ssh-ingress" {
  type                     = "ingress"
  from_port                = 22
  to_port                  = 22
  protocol                 = "tcp"
  security_group_id        = "${aws_security_group.private.id}"
  source_security_group_id = "${aws_security_group.bastion.id}"
}

Now, Terraform can see that the dependency chain says that both security groups must be created before either of those security group rules as both of them are dependent on the groups already having been created.
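As an added example, not part of the original question or answer, here is the questioner's bastion/private topology rebuilt the way the answer describes: the two groups are declared with no inline rules and every rule is a standalone aws_security_group_rule, so neither group depends on the other at creation time. The aws_vpc.VPC resource and its CIDR, the admin_cidr variable and its address, and the for_each over the two ports are assumptions made for the example; VPC-PublicSG from the question is left out. The bastion's egress stays limited to 22 and 8686 toward the private group, so the allow-all egress the questioner considered as a workaround is not needed.

```hcl
# Added example (not from the original question or answer): bastion/private
# security groups with no cyclic dependency. Assumptions: aws_vpc.VPC and
# var.admin_cidr are defined as below; VPC-PublicSG is omitted.

variable "admin_cidr" {
  description = "Operator address allowed to SSH to the bastion (assumed value)"
  type        = string
  default     = "203.0.113.10/32" # RFC 5737 documentation range, replace with your own
}

resource "aws_vpc" "VPC" {
  cidr_block = "10.0.0.0/16" # assumed
}

# Both groups are created first, empty. Note that the AWS provider removes the
# allow-all egress rule AWS adds by default, so every permitted flow below is
# explicit, including outbound traffic from the private subnet.
resource "aws_security_group" "bastion" {
  name        = "VPC-BastionSG"
  description = "Bastion host"
  vpc_id      = aws_vpc.VPC.id
  tags        = { Name = "VPC-BastionSG" }
}

resource "aws_security_group" "private" {
  name        = "VPC-PrivateSG"
  description = "Private subnet instances"
  vpc_id      = aws_vpc.VPC.id
  tags        = { Name = "VPC-PrivateSG" }
}

# Operator -> bastion: SSH only, only from the admin address.
resource "aws_security_group_rule" "bastion_ssh_in" {
  type              = "ingress"
  from_port         = 22
  to_port           = 22
  protocol          = "tcp"
  cidr_blocks       = [var.admin_cidr]
  security_group_id = aws_security_group.bastion.id
}

# Bastion -> private: SSH (22) and Jenkins (8686), nothing else outbound.
# For an egress rule, source_security_group_id is the destination group.
resource "aws_security_group_rule" "bastion_to_private_out" {
  for_each                 = toset(["22", "8686"])
  type                     = "egress"
  from_port                = tonumber(each.value)
  to_port                  = tonumber(each.value)
  protocol                 = "tcp"
  security_group_id        = aws_security_group.bastion.id
  source_security_group_id = aws_security_group.private.id
}

# Private <- bastion: mirror image of the egress rules above.
resource "aws_security_group_rule" "private_from_bastion_in" {
  for_each                 = toset(["22", "8686"])
  type                     = "ingress"
  from_port                = tonumber(each.value)
  to_port                  = tonumber(each.value)
  protocol                 = "tcp"
  security_group_id        = aws_security_group.private.id
  source_security_group_id = aws_security_group.bastion.id
}

# Private <-> private: all traffic between members of the same group.
resource "aws_security_group_rule" "private_self" {
  type              = "ingress"
  from_port         = 0
  to_port           = 0
  protocol          = "-1"
  self              = true
  security_group_id = aws_security_group.private.id
}

# Private -> Internet (through the NAT): the questioner's allow-all egress.
resource "aws_security_group_rule" "private_all_out" {
  type              = "egress"
  from_port         = 0
  to_port           = 0
  protocol          = "-1"
  cidr_blocks       = ["0.0.0.0/0"]
  security_group_id = aws_security_group.private.id
}
```

With this layout `terraform plan` orders the two aws_security_group resources before any aws_security_group_rule, and the graph has no cycle. One caveat from the provider documentation: do not mix inline ingress/egress blocks and aws_security_group_rule resources on the same group, since the two will keep overwriting each other's rule set on every apply; pick the standalone-rule form for every group involved in a mutual reference.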
