Amazon-Web-Services
Terraform:將多個安全組附加到 EC2 實例
如何在創建 EC2 時附加多個安全組?我已經模組化如下:
**networking/main.tf** # Web Server Security Group resource "aws_security_group" "web_sg" { name = "web_sg" description = "This security group will control the private Web Servers" vpc_id = aws_vpc.perf_vpc.id egress { from_port = 0 to_port = 0 protocol = "-1" cidr_blocks = ["0.0.0.0/0"] } } # Load Balancer Security Group resource "aws_security_group" "alb_sg" { name = "alb_sg" description = " This secruity group is for Application Load Balancer" vpc_id = aws_vpc.perf_vpc.id egress { from_port = 0 to_port = 0 protocol = "-1" cidr_blocks = ["0.0.0.0/0"] } } resource "aws_security_group" "perf_pvt_sg" { name = "perf_pvt_sg" description = "Aptean_Base-Perf_Pvt" vpc_id = aws_vpc.perf_vpc.id depends_on = [aws_security_group.bastion_sg] ingress { description = "kaspersky" from_port = 0 to_port = 0 protocol = "-1" cidr_blocks = ["10.176.0.35/32"] } egress { from_port = 0 to_port = 0 protocol = "-1" cidr_blocks = ["0.0.0.0/0"] } } **networking/outputs.tf** output "perf_pvt_sg" { value = aws_security_group.perf_pvt_sg.id } output "web_sg" { value = aws_security_group.web_sg.id } output "alb_sg" { value = aws_security_group.alb_sg.id } **root/main.tf** # Deploy Web Servers module "web_servers" { source = "./web_servers" keyname = module.domain_controllers.key_name public_key_path = var.public_key_path web_count = var.web_count web_inst_type = var.web_inst_type pvtsubnets = module.networking.private_subnets webserver_sg = [ module.networking.web_sg, module.networking.perf_pvt_sg, module.networking.alb_sg ] }一切都很好,按預期創建,terraform 輸出也顯示資源,但所有 EC2 實例(在這種情況下,我只是指向 Web 伺服器)都附加了預設安全組。我確實看到,創建了所有其他安全組雖然沒有附加。我也嘗試將 web_sg 切換為 id 和 name 屬性:
web_sg = [ module.networking.web_sg.id, module.networking.perf_pvt_sg.id, module.networking.alb_sg.id ]這會引發錯誤(*.id 和 *.name 的錯誤相同):
Error: Unsupported attribute on main.tf line 46, in module "web_servers": 46: module.networking.web_sg.name, |---------------- | module.networking.web_sg is "sg-008001301c71877a9" This value does not have any attributes. Error: Unsupported attribute on main.tf line 47, in module "web_servers": 47: module.networking.perf_pvt_sg.name, |---------------- | module.networking.perf_pvt_sg is "sg-0a50f754aceaae6cd" This value does not have any attributes. Error: Unsupported attribute on main.tf line 48, in module "web_servers": 48: module.networking.alb_sg.name |---------------- | module.networking.alb_sg is "sg-05c898e0b6873c411" This value does not have any attributes.我究竟做錯了什麼?
AWS 控制台:
編輯1: web_servers/main.tf
#Web Server resource "aws_instance" "web" { count = var.web_count ami = data.aws_ami.server_ami.id ebs_optimized = true instance_type = var.web_inst_type subnet_id = element(var.pvtsubnets, count.index) credit_specification { cpu_credits = "standard" } root_block_device { volume_type = "gp2" volume_size = 80 encrypted = true kms_key_id = "1d9ef127-cc8f-4dda-9bdf-abdad498ea6f" } ebs_block_device { device_name = "/dev/sdf" volume_type = "gp2" volume_size = 40 encrypted = true kms_key_id = "1d9ef127-cc8f-4dda-9bdf-abdad498ea6f" } tags = { Name = "PerformanceWeb0${count.index + 1}" } }web_servers/variables.tf
variable "keyname" {} variable "public_key_path" {} variable "web_count" {} variable "web_inst_type" {} variable "pvtsubnets" { type = list(string) } variable "webserver_sg" {}
整理好了。不確定這是否是唯一的方法。當我查看程式碼時,似乎因為我在 web_servers 模組中註釋了vpc_security_group_ids,它採用了 VPC 預設安全組。做了一些改動如下:
web_servers/main.tf
#Web_servers resource "aws_instance" "web" { count = var.web_count ami = data.aws_ami.server_ami.id ebs_optimized = true instance_type = var.web_inst_type subnet_id = element(var.pvtsubnets, count.index) vpc_security_group_ids = [ var.web_sg, var.perf_pvt_sg, var.alb_traffic_sg ]web_servers/variable.tf
variable "web_sg" {} variable "perf_pvt_sg" {} variable "alb_traffic_sg" {}根/main.tf
#Deploy Web Servers module "web_servers" { source = "./web_servers" keyname = module.domain_controllers.key_name public_key_path = var.public_key_path web_count = var.web_count web_inst_type = var.web_inst_type pvtsubnets = module.networking.private_subnets web_sg = module.networking.web_sg perf_pvt_sg = module.networking.perf_pvt_sg alb_traffic_sg = module.networking.alb_traffic_sg }期望的輸出
