我希望我的 lambda 调用 API,这需要一个 API 令牌。我想将 API 令牌放入 lambda 环境变量中。我怎样才能让 terraform 做到这一点?还是我以错误的方式接近这个?
我正在实现一个安全组模块,以便它将通过获取和过滤 cidr 和 source_security_group_id 创建安全组规则来创建安全组规则。
当前模块配置。
resource "aws_security_group" "this" {
name = var.name
description = var.description
vpc_id = var.vpc_id
revoke_rules_on_delete = var.revoke_rules_on_delete
}
## CIDR Rule
resource "aws_security_group_rule" "cidr_rule" {
count = length(var.security_group_rules)
type = var.security_group_rules[count.index].type
from_port = var.security_group_rules[count.index].from_port
to_port = var.security_group_rules[count.index].to_port
protocol = var.security_group_rules[count.index].protocol
cidr_blocks = var.security_group_rules[count.index].cidr_block
description = var.security_group_rules[count.index].description
security_group_id = aws_security_group.this.id
}
## Source_security_group_id Rule
resource "aws_security_group_rule" "source_sg_id_rule" {
count = length(var.security_group_rules)
type = var.security_group_rules[count.index].type
from_port = var.security_group_rules[count.index].from_port
to_port = var.security_group_rules[count.index].to_port
protocol = var.security_group_rules[count.index].protocol
source_security_group_id = …我正在尝试创建一个sg terraform plan.
我希望特定SG的所有实例都允许它们之间的所有通信,因此我将SG本身添加到入口规则中,如下所示:
resource "aws_security_group" "rancher-server-sg" {
vpc_id = "${aws_vpc.rancher-vpc.id}"
name = "rancher-server-sg"
description = "security group for rancher server"
ingress {
from_port = 0
to_port = 0
protocol = -1
security_groups = ["${aws_security_group.rancher-server-sg.id}"]
}
但是在跑步时terraform plan,我得到:
terraform plan
但是,在terraform plan控制台中,我可以在入站规则中添加SG名称,我看到我可以添加组本身(即自引用).
这是为什么?
编辑:也试过这个没有成功:
amazon-web-services terraform aws-security-group terraform-provider-aws
我是 Terraform 的新手。我正在使用 Terraform 编写 AWS 脚本。执行Terraform Destroy时出现错误。Terraform 脚本是
resource "aws_rds_cluster" "aurora-cluster-ci" {
cluster_identifier = "aurora-cluster-ci"
engine = "aurora-mysql"
availability_zones = ["us-east-1a", "us-east-1b", "us-east-1c"]
database_name = "${var.rds_dbname}"
master_username = "${var.rds_username}"
master_password = "${var.rds_password}"
backup_retention_period = 5
engine_version = "5.7.16"
preferred_backup_window = "07:00-09:00"
apply_immediately = true
final_snapshot_identifier = "ci-aurora-cluster-backup"
skip_final_snapshot = true
}
Terraform Destroy抛出错误“aws_rds_cluster.aurora-cluster-ci:需要最终快照时需要 RDS Cluster FinalSnapshotIdentifier”
我的脚本中有“final_snapshot_identifier”键。
amazon-web-services amazon-rds terraform terraform-provider-aws
我正在尝试使用带有 Terraform 的 AWS 启动模板构建 AWS EC2 redhat 实例。
我可以通过调用 Terraform 的资源来创建启动模板aws_launch_template。我的问题是如何使用 Terraform 使用创建的启动模板构建 EC2 服务器?
我应该调用什么 Terraform aws 提供程序资源?
非常感谢您的帮助!
templates amazon-ec2 amazon-web-services terraform terraform-provider-aws
我想使用 terraform ecs_service 创建和部署集群,但我无法这样做。我的terraform applys 总是在 IAM 角色上失败,我不太清楚。具体来说,错误信息是:
InvalidParametersException:无法代入角色并验证指定的 targetGroupArn。请验证传递的 ECS 服务角色是否具有适当的权限。
我发现:
iam_role在 ecs_service 中指定时,ECS 抱怨我需要使用服务相关角色。iam_role在 ecs_service 中发表评论时,ECS 抱怨所担任的角色无法验证 targetGroupArn。我的 terraform 跨越了一堆文件。我把感觉像下面的相关部分。尽管我已经看到发布了一些类似的问题,但没有一个为我提供解决上述困境的可行解决方案。
## ALB
resource "aws_alb" "frankly_internal_alb" {
name = "frankly-internal-alb"
internal = false
security_groups = ["${aws_security_group.frankly_internal_alb_sg.id}"]
subnets = ["${aws_subnet.frankly_public_subnet_a.id}", "${aws_subnet.frankly_public_subnet_b.id}"]
}
resource "aws_alb_listener" "frankly_alb_listener" {
load_balancer_arn = "${aws_alb.frankly_internal_alb.arn}"
port = "8080"
protocol = "HTTP"
default_action {
target_group_arn = "${aws_alb_target_group.frankly_internal_target_group.arn}"
type = "forward"
}
}
## Target Group
resource …我有一个 ALB,它当前将流量路由到多个 url。如果我们需要执行维护,我希望能够将流量路由到静态 S3 站点。然后我们将显示一个静态的“维护”页面而不是我们的登录页面。
我创建了一个 CloudFront 分配,允许使用 SSL 证书加载 S3 站点,但我不确定如何连接该分配以将所有流量发送到 S3 维护站点。
这是我正在使用的 Terraform ALB 侦听器。我可以指定我的CloudFront的分布arn在target_group并将它路由所有流量的静态网站?
或者我可以简单地将我的 S3arn与允许 ALB 访问以获取存储桶对象的 S3 策略链接起来吗?
resource "aws_alb_listener" "ssl_alb_httpslistener" {
load_balancer_arn = "${aws_alb.alb_lis.arn}"
port = "443"
protocol = "HTTPS"
ssl_policy = "Sec-TLS"
certificate_arn = "${var.ssl_cert_arn}"
default_action {
target_group_arn = "${data.terraform_remote_state.php.target_arn}"
type = "forward"
}
}
我希望我可以将通过 ALB 的流量从target_group. 好奇这是否是解决此问题的最佳方法。
load-balancing amazon-s3 static-site terraform terraform-provider-aws
使用 Terraform 0.12,我在 S3 存储桶中创建了一个静态网站:
...
resource "aws_s3_bucket" "www" {
bucket = "example.com"
acl = "public-read"
policy = <<-POLICY
{
"Version": "2012-10-17",
"Statement": [{
"Sid": "AddPerm",
"Effect": "Allow",
"Principal": "*",
"Action": ["s3:GetObject"],
"Resource": ["arn:aws:s3:::example.com/*"]
}]
}
POLICY
website {
index_document = "index.html"
error_document = "404.html"
}
tags = {
Environment = var.environment
Terraform = "true"
}
}
resource "aws_route53_zone" "main" {
name = "example.com"
tags = {
Environment = var.environment
Terraform = "true"
}
}
resource "aws_route53_record" "main-ns" {
zone_id …问题的解决方案或解决方法。
如果 Firehose 是提前单独创建的,则下面的 Terraform API Gateway 与 Firehose 的集成有效。
resource "aws_api_gateway_integration" "click_put" {
rest_api_id = data.aws_api_gateway_rest_api.mysfit.id
resource_id = aws_api_gateway_resource.click.id
type = "AWS"
uri = "arn:aws:apigateway:${var.REGION}:firehose:action/PutRecord"
credentials = aws_iam_role.api_click.arn
http_method = aws_api_gateway_method.click_put.http_method
integration_http_method = "POST"
request_parameters = {
"integration.request.header.Content-Type" = "'application/x-amz-json-1.1'"
}
passthrough_behavior = "NEVER"
request_templates = {
"application/json" = <<EOF
{
"DeliveryStreamName": "${local.firehose_name}",
"Record": {
"Data": "$util.base64Encode($input.json('$'))"
}
}
EOF
}
}
...
resource "aws_api_gateway_integration_response" "click_put" {
rest_api_id = data.aws_api_gateway_rest_api.mysfit.id
resource_id = aws_api_gateway_resource.click.id
http_method = aws_api_gateway_method.click_put.http_method
status_code …amazon-web-services terraform-provider-aws amazon-kinesis-firehose amazon-api-gateway
我尝试创建一个具有多个入站规则的AWS安全组,通常我们需要在sg中多个入口来实现多个入站规则。我没有单独创建多个入口规则,而是尝试创建一个入口列表,以便我可以轻松地为不同的应用程序重用该模块。
全氟FB,
模块/sg/sg.tf >>
resource "aws_security_group" "ec2_security_groups" {
name = var.name_security_groups
vpc_id = var.vpc_id
}
模块/sg/rules.tf >>
resource "aws_security_group_rule" "ingress_rules" {
count = lenght(var.ingress_rules)
type = "ingress"
from_port = var.ingress_rules[count.index][0]
to_port = var.ingress_rules[count.index][1]
protocol = var.ingress_rules[count.index][2]
cidr_blocks = var.ingress_rules[count.index][3]
description = var.ingress_rules[count.index][4]
security_group_id = aws_security_group.ec2_security_groups.id
}
模块/sg/variable.tf >>
variable "vpc_id" {
}
variable "name_security_groups" {
}
variable "ingress_rules" {
type = list(string)
}
在应用程序文件夹中,
应用程序/dev/sg.tf >>
module "sg_test" {
source = "../modules/sg"
vpc_id = "vpc-xxxxxxxxx"
name_security_groups = "sg_test"
ingress_rules = …terraform ×8
amazon-ec2 ×1
amazon-ecs ×1
amazon-iam ×1
amazon-rds ×1
amazon-s3 ×1
aws-lambda ×1
hcl ×1
static-site ×1
templates ×1