Terraform 信息:
如果我针对现有堆栈运行 terraform plan 或 terraform apply,没有任何待处理的更改,状态完全是最新的。
# Application security group for the current environment.
# Only ingress is declared. With no egress block the AWS provider removes the
# group's default allow-all egress rule, so outbound traffic is denied unless an
# egress rule is added (the plan output on this page shows egress = [] for it).
# All ingress blocks together form ONE set attribute on the resource, so adding,
# removing or reordering any single rule rewrites the whole set in place.
resource "aws_security_group" "sg_apps" {
  name        = "Custom apps ${var.env}"
  description = "Custom apps ${var.env}"
  vpc_id      = data.terraform_remote_state.vpc.outputs.vpc_east_id

  tags = {
    Name = "Custom apps ${var.env} - TF"
  }

  # One TCP ingress rule per port range. Every rule is restricted to the same
  # four subnet CIDRs exported by the vpc remote state; no 0.0.0.0/0 here.
  # Map keys are labels only and do not appear in the resulting rules.
  dynamic "ingress" {
    for_each = {
      tcp_3306      = { from = 3306, to = 3306 }
      tcp_8800_8808 = { from = 8800, to = 8808 }
      tcp_8503      = { from = 8503, to = 8503 }
      tcp_8889      = { from = 8889, to = 8889 }
    }
    content {
      from_port = ingress.value.from
      to_port   = ingress.value.to
      protocol  = "tcp"
      cidr_blocks = [
        data.terraform_remote_state.vpc.outputs.m-1a_cidr,
        data.terraform_remote_state.vpc.outputs.m-1b_cidr,
        data.terraform_remote_state.vpc.outputs.p-1b_cidr,
        data.terraform_remote_state.vpc.outputs.p-1a_cidr,
      ]
    }
  }
}
# Same rule set as aws_security_group.sg_apps plus one extra rule on TCP 9200.
# NOTE(review): name and vpc_id are identical to sg_apps above. AWS requires
# security group names to be unique within a VPC, so confirm this block is meant
# to replace sg_apps rather than coexist with it.
# As with sg_apps: no egress block means the provider removes the default
# allow-all egress rule, and the ingress blocks form one set attribute that is
# rewritten in place whenever any rule changes.
resource "aws_security_group" "sg_tlapps" {
  name        = "Custom apps ${var.env}"
  description = "Custom apps ${var.env}"
  vpc_id      = data.terraform_remote_state.vpc.outputs.vpc_east_id

  tags = {
    Name = "Custom apps ${var.env} - TF"
  }

  # One TCP ingress rule per port range, each limited to the same four subnet
  # CIDRs from the vpc remote state. Map keys are labels only.
  dynamic "ingress" {
    for_each = {
      tcp_3306      = { from = 3306, to = 3306 }
      tcp_8800_8808 = { from = 8800, to = 8808 }
      tcp_8503      = { from = 8503, to = 8503 }
      tcp_8889      = { from = 8889, to = 8889 }
      tcp_9200      = { from = 9200, to = 9200 }
    }
    content {
      from_port = ingress.value.from
      to_port   = ingress.value.to
      protocol  = "tcp"
      cidr_blocks = [
        data.terraform_remote_state.vpc.outputs.m-1a_cidr,
        data.terraform_remote_state.vpc.outputs.m-1b_cidr,
        data.terraform_remote_state.vpc.outputs.p-1b_cidr,
        data.terraform_remote_state.vpc.outputs.p-1a_cidr,
      ]
    }
  }
}
这对于非生产环境来说没问题,但我真的不想在生产环境中破坏我的防火墙规则,以防 apply 中途失败或出现其他情况。我只是想往这个安全组里添加一条规则。
# aws_security_group.sg_apps will be updated in-place
~ resource "aws_security_group" "sg_apps" {
arn = "arn:aws:ec2:us-east-1:xxxxx:security-group/sg-xxxxxxxx"
description = "Custom apps prod"
egress = []
id = "sg-xxxxxxxxx"
~ ingress = [
- {
- cidr_blocks = [
- "10.10.100.0/24",
- "10.10.200.0/24",
- "10.10.1.0/24",
- "10.10.0.0/24",
]
- description = ""
- from_port = 3306
- ipv6_cidr_blocks = []
- prefix_list_ids = []
- protocol = "tcp"
- security_groups = []
- self = false
- to_port = 3306
},
- {
- cidr_blocks = [
- "10.10.100.0/24",
- "10.10.200.0/24",
- "10.10.1.0/24",
- "10.10.0.0/24",
]
- description = ""
- from_port = 8503
- ipv6_cidr_blocks = []
- prefix_list_ids = []
- protocol = "tcp"
- security_groups = []
- self = false
- to_port = 8503
},
- {
- cidr_blocks = [
- "10.10.100.0/24",
- "10.10.200.0/24",
- "10.10.1.0/24",
- "10.10.0.0/24",
]
- description = ""
- from_port = 8800
- ipv6_cidr_blocks = []
- prefix_list_ids = []
- protocol = "tcp"
- security_groups = []
- self = false
- to_port = 8808
},
- {
- cidr_blocks = [
- "10.10.100.0/24",
- "10.10.200.0/24",
- "10.10.1.0/24",
- "10.10.0.0/24",
]
- description = ""
- from_port = 8889
- ipv6_cidr_blocks = []
- prefix_list_ids = []
- protocol = "tcp"
- security_groups = []
- self = false
- to_port = 8889
},
+ {
+ cidr_blocks = [
+ "10.10.100.0/24",
+ "10.10.200.0/24",
+ "10.10.1.0/24",
+ "10.10.0.0/24",
]
+ description = ""
+ from_port = 9200
+ ipv6_cidr_blocks = []
+ prefix_list_ids = []
+ protocol = "tcp"
+ security_groups = []
+ self = false
+ to_port = 9200
},
+ {
+ cidr_blocks = [
+ "10.10.100.0/24",
+ "10.10.200.0/24",
+ "10.10.1.0/24",
+ "10.10.0.0/24",
]
+ description = null
+ from_port = 3306
+ ipv6_cidr_blocks = []
+ prefix_list_ids = []
+ protocol = "tcp"
+ security_groups = []
+ self = false
+ to_port = 3306
},
+ {
+ cidr_blocks = [
+ "10.10.100.0/24",
+ "10.10.200.0/24",
+ "10.10.1.0/24",
+ "10.10.0.0/24",
]
+ description = null
+ from_port = 8503
+ ipv6_cidr_blocks = []
+ prefix_list_ids = []
+ protocol = "tcp"
+ security_groups = []
+ self = false
+ to_port = 8503
},
+ {
+ cidr_blocks = [
+ "10.10.100.0/24",
+ "10.10.200.0/24",
+ "10.10.1.0/24",
+ "10.10.0.0/24",
]
+ description = null
+ from_port = 8800
+ ipv6_cidr_blocks = []
+ prefix_list_ids = []
+ protocol = "tcp"
+ security_groups = []
+ self = false
+ to_port = 8808
},
+ {
+ cidr_blocks = [
+ "10.10.100.0/24",
+ "10.10.200.0/24",
+ "10.10.1.0/24",
+ "10.10.0.0/24",
]
+ description = null
+ from_port = 8889
+ ipv6_cidr_blocks = []
+ prefix_list_ids = []
+ protocol = "tcp"
+ security_groups = []
+ self = false
+ to_port = 8889
},
]
name = "Custom apps prod"
owner_id = "xxxxxxxxxx"
revoke_rules_on_delete = false
tags = {
"Name" = "Custom apps ${var.env} - TF"
}
vpc_id = "vpc-xxxxxxxxxxxxxxx"
timeouts {}
}
如果您将 aws_security_group 资源中的 ingress 和 egress 块转换为单独的 aws_security_group_rule 资源,那么修改其中任何一条规则都不会重新创建其他规则。原因是内联的 ingress 块在资源上构成单个集合属性,任何改动都会像上面的计划所显示的那样,对整个集合做一次就地重写;而每个 aws_security_group_rule 资源都是独立管理的。注意,根据 provider 文档,内联规则和独立的 aws_security_group_rule 资源不能在同一个安全组上混用,否则规则会互相覆盖,迁移时必须同时删除内联块。例如:
# Standalone ingress rule attached to aws_security_group.sg_apps.
# Because each aws_security_group_rule is its own resource, changing or adding
# another rule does not touch this one. The inline ingress blocks must be
# removed from the aws_security_group at the same time; the provider does not
# support mixing inline and standalone rules on one group.
resource "aws_security_group_rule" "mysql" {
  security_group_id = aws_security_group.sg_apps.id
  type              = "ingress"
  protocol          = "tcp"
  from_port         = 3306
  to_port           = 3306

  # Same four subnet CIDRs from the vpc remote state as the original inline block.
  cidr_blocks = [
    data.terraform_remote_state.vpc.outputs.m-1a_cidr,
    data.terraform_remote_state.vpc.outputs.m-1b_cidr,
    data.terraform_remote_state.vpc.outputs.p-1b_cidr,
    data.terraform_remote_state.vpc.outputs.p-1a_cidr,
  ]
}
这个资源替换您的第一个 ingress 块;其余 ingress 块按同样方式逐条转换。