Cycle error when trying to create AWS VPC security groups using Terraform


Problem description

I want to create 2 VPC security groups.

One for the Bastion host of the VPC and one for the Private subnet.

# BASTION #
resource "aws_security_group" "VPC-BastionSG" {
  name        = "VPC-BastionSG"
  description = "The sec group for the Bastion instance"
  # Interpolate the VPC id; a quoted "aws_vpc.VPC.id" would be sent to AWS as a literal string
  vpc_id      = "${aws_vpc.VPC.id}"

  ingress {
    # SSH to the bastion from the admin address only
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["my.super.ip/32"]
  }

  egress {
    # Access to the Private subnet from the bastion host[ssh]
    from_port       = 22
    to_port         = 22
    protocol        = "tcp"
    security_groups = ["${aws_security_group.VPC-PrivateSG.id}"]
  }
  egress {
    # Access to the Private subnet from the bastion host[jenkins]
    from_port       = 8686
    to_port         = 8686
    protocol        = "tcp"
    security_groups = ["${aws_security_group.VPC-PrivateSG.id}"]
  }

  tags = {
    Name = "VPC-BastionSG"
  }
}

# PRIVATE #
resource "aws_security_group" "VPC-PrivateSG" {
  name        = "VPC-PrivateSG"
  description = "The sec group for the private subnet"
  vpc_id      = "${aws_vpc.VPC.id}"

  ingress {
    # SSH from the bastion group only
    from_port       = 22
    to_port         = 22
    protocol        = "tcp"
    security_groups = ["${aws_security_group.VPC-BastionSG.id}"]
  }
  ingress {
    from_port       = 80
    to_port         = 80
    protocol        = "tcp"
    security_groups = ["${aws_security_group.VPC-PublicSG.id}"]
  }
  ingress {
    from_port       = 443
    to_port         = 443
    protocol        = "tcp"
    security_groups = ["${aws_security_group.VPC-PublicSG.id}"]
  }
  ingress {
    from_port       = 3306
    to_port         = 3306
    protocol        = "tcp"
    security_groups = ["${aws_security_group.VPC-PublicSG.id}"]
  }
  ingress {
    # Jenkins from the bastion group only
    from_port       = 8686
    to_port         = 8686
    protocol        = "tcp"
    security_groups = ["${aws_security_group.VPC-BastionSG.id}"]
  }
  ingress {
    # ALL TRAFFIC from the same subnet
    from_port = 0
    to_port   = 0
    protocol  = "-1"
    self      = true
  }
  egress {
    # ALL TRAFFIC to outside world
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
  tags = {
    Name = "VPC-PrivateSG"
  }
}

When I terraform plan it, this error is returned:

Error configuring: 1 error(s) occurred:

* Cycle: aws_security_group.VPC-BastionSG, aws_security_group.VPC-PrivateSG

If I comment out the ingress rules for the BastionSG from the PrivateSG the plan executes fine.

Also, if I comment out the egress rules for the PrivateSG from the BastionSG it also executes fine.

The AWS Scenario 2 for building a VPC with Public/Private subnets and Bastion host describes the architecture I am trying to setup.

I have the exact same settings configured via the AWS console and it plays fine.

Why isn't Terraform accepting it? Is there another way to connect the Bastion security group with the Private security group?

EDIT

As I understand there is a circular reference between the two sec groups that somehow needs to break even though in AWS it is valid.

So, I thought of allowing all outbound traffic (0.0.0.0/0) from the Bastion sec group and not specifying it to individual security groups.

Would it have a bad security impact?

Answer

Terraform attempts to build a dependency chain for all of the resources defined in the folder that it is working on. Doing this enables it to work out if it needs to build things in a specific order and is pretty key to how it all works.

Your example is going to fail because you have a cyclic dependency (as Terraform helpfully points out) where each security group is dependent on the other one being created already.

Sometimes these can be tricky to solve and may mean you need to rethink what you're trying to do (as you mention, one option would be to simply allow all egress traffic out from the bastion host and only restrict the ingress traffic on the private instances) but in this case you have the option of using the aws_security_group_rule resource in combination with the aws_security_group resource.

This means we can define empty security groups with no rules in them at first which we can then use as targets for the security group rules we create for the groups.

A quick example might look something like this:

# Empty groups: no inline ingress/egress blocks, so neither group references the other
resource "aws_security_group" "bastion" {
  name        = "bastion"
  description = "Bastion security group"
}

# Egress rule attached to the bastion group; for type = "egress",
# source_security_group_id is the destination group
resource "aws_security_group_rule" "bastion-to-private-ssh-egress" {
  type                     = "egress"
  from_port                = 22
  to_port                  = 22
  protocol                 = "tcp"
  security_group_id        = "${aws_security_group.bastion.id}"
  source_security_group_id = "${aws_security_group.private.id}"
}

resource "aws_security_group" "private" {
  name        = "private"
  description = "Private security group"
}

# Ingress rule attached to the private group, allowing SSH from the bastion group
resource "aws_security_group_rule" "private-from-bastion-ssh-ingress" {
  type                     = "ingress"
  from_port                = 22
  to_port                  = 22
  protocol                 = "tcp"
  security_group_id        = "${aws_security_group.private.id}"
  source_security_group_id = "${aws_security_group.bastion.id}"
}

Now, Terraform can see that the dependency chain says that both security groups must be created before either of those security group rules as both of them are dependent on the groups already having been created.
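The answer's snippet covers only the SSH pair. Below, as an added example that is not the answerer's code, the question's full bastion/private configuration is rebuilt with aws_security_group_rule resources: SSH and Jenkins (8686) from the bastion into the private group, the private group's self rule and unrestricted egress, and SSH to the bastion from an admin address. It keeps the bastion's egress restricted to the private group, so the 0.0.0.0/0 fallback mentioned in the EDIT is not needed to break the cycle. Assumptions: a VPC resource named aws_vpc.VPC as in the question, an admin address supplied via a placeholder variable, and Terraform 0.12+ syntax (the resource-level for_each used here needs 0.12.6 or later). The public group's rules (80/443/3306) are left out because VPC-PublicSG is not defined on the page.

```hcl
# Added example, not the page's code. Assumes aws_vpc.VPC exists (as in the question)
# and that the admin address comes from a placeholder variable.

variable "admin_cidr" {
  description = "Address allowed to SSH to the bastion (placeholder value)"
  default     = "203.0.113.10/32" # constructed: TEST-NET-3 documentation range
}

# Groups are created empty: no inline ingress/egress blocks, because inline
# rules and aws_security_group_rule resources on the same group conflict.
resource "aws_security_group" "bastion" {
  name        = "VPC-BastionSG"
  description = "The sec group for the Bastion instance"
  vpc_id      = aws_vpc.VPC.id
  tags        = { Name = "VPC-BastionSG" }
}

resource "aws_security_group" "private" {
  name        = "VPC-PrivateSG"
  description = "The sec group for the private subnet"
  vpc_id      = aws_vpc.VPC.id
  tags        = { Name = "VPC-PrivateSG" }
}

# Bastion: SSH in from the admin address only
resource "aws_security_group_rule" "bastion_ssh_in" {
  type              = "ingress"
  from_port         = 22
  to_port           = 22
  protocol          = "tcp"
  cidr_blocks       = [var.admin_cidr]
  security_group_id = aws_security_group.bastion.id
}

# Bastion -> private: SSH (22) and Jenkins (8686) only; nothing else leaves the bastion.
# For type = "egress", source_security_group_id names the destination group.
# for_each needs a set of strings, hence the tonumber() conversion.
resource "aws_security_group_rule" "bastion_to_private" {
  for_each                 = toset(["22", "8686"])
  type                     = "egress"
  from_port                = tonumber(each.value)
  to_port                  = tonumber(each.value)
  protocol                 = "tcp"
  security_group_id        = aws_security_group.bastion.id
  source_security_group_id = aws_security_group.private.id
}

# Private <- bastion: the matching ingress side of the same two ports
resource "aws_security_group_rule" "private_from_bastion" {
  for_each                 = toset(["22", "8686"])
  type                     = "ingress"
  from_port                = tonumber(each.value)
  to_port                  = tonumber(each.value)
  protocol                 = "tcp"
  security_group_id        = aws_security_group.private.id
  source_security_group_id = aws_security_group.bastion.id
}

# Private: all traffic between members of the same group
resource "aws_security_group_rule" "private_self" {
  type              = "ingress"
  from_port         = 0
  to_port           = 0
  protocol          = "-1"
  self              = true
  security_group_id = aws_security_group.private.id
}

# Private: unrestricted egress, as in the question
resource "aws_security_group_rule" "private_all_out" {
  type              = "egress"
  from_port         = 0
  to_port           = 0
  protocol          = "-1"
  cidr_blocks       = ["0.0.0.0/0"]
  security_group_id = aws_security_group.private.id
}
```

Both groups now depend only on aws_vpc.VPC, and every rule depends on both groups, so the graph has no cycle. The one thing to keep in mind when converting an existing configuration this way is to remove every inline ingress/egress block from the aws_security_group resources; leaving any behind makes Terraform fight itself over the rule set on each apply.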
