I want to access my CloudSQL instance from a GKE cluster Pod. Since I am setting everything up, I need to keep all the GCP resources in Terraform configuration files.
I am following this tutorial: https://cloud.google.com/sql/docs/mysql/quickstart-kubernetes-engine#gcloud_2
I am stuck at the two steps that describe creating the peering VPC connection.
So my question is: what is the Terraform equivalent of the following two commands:
gcloud compute addresses create google-managed-services-default \
--global \
--purpose=VPC_PEERING \
--prefix-length=16 \
--description="peering range for Google" \
--network=default
and
gcloud services vpc-peerings connect \
--service=servicenetworking.googleapis.com \
--ranges=google-managed-services-default \
--network=default
I tried to find it in https://registry.terraform.io/providers/hashicorp/google/latest/docs but could not find anything suitable.
My Terraform project always seems to modify the resource aws_security_group.jacobs_rds_security_group_tf in place when I run terraform apply. Everything still works, but always having one extra resource modified, even though nothing about it changed, just makes debugging weird.
I have 2 security groups; 1 for my RDS database, which whitelists incoming traffic, and another for tasks, which is attached to my ECS and Lambda tasks so they can reach this RDS database. The task security group is whitelisted in the RDS security group.
The RDS security group (aws_security_group.jacobs_rds_security_group_tf) is the one that is always modified in place. The code is below.
resource "aws_vpc" "jacobs_vpc_tf" {
cidr_block = "10.0.0.0/16"
enable_dns_hostnames = true
}
resource "aws_security_group" "jacobs_task_security_group_tf" {
  name        = "jacobs_security_group for tasks"
  description = "Connect Tasks to RDS"
  vpc_id      = aws_vpc.jacobs_vpc_tf.id
  ingress {
    from_port        = 0
    to_port          = 0
    protocol         = "-1"
    cidr_blocks      = ["0.0.0.0/0"]
    ipv6_cidr_blocks = ["::/0"]
  }
  egress {
    from_port = 0
    to_port   = …
Goal: I want to print out the sensitive value of foo_resource.name.sensitive_field.
Initially I tried creating an output:
output "password" {
  value = foo_resource.name.sensitive_field
}
I got
Error: Output refers to sensitive values
│
│   on main.tf line 186:
│  186: output "password" {
│
│ To reduce the risk of accidentally exporting sensitive data that was intended to be only internal, Terraform requires that any root module output containing sensitive data be
│ explicitly marked as sensitive, to confirm your intent.
│
│ If you do intend to export this data, annotate the …
Currently I am running this under a shell command:
@if [ -x "$$(command -v terraform)" ]; then \
echo "==> Checking terraform formatting of files"; \
(terraform validate ./test && echo "Terraform format check passed successfully") \
|| (echo "validation failed" && exit 1); \
else \
echo "No terraform command found"; \
exit 1; \
fi
Here I do not want to initialize the backend, but it seems to do so, and I also see the error as
│ on test/policy.tf line 320:
│ 320: module "service_admin_policy" {
│
│ This module is not yet installed. Run "terraform init" to install all
│ modules required by …
For starters, I have already read this question, but that solution is rather hacky, and I was hoping that with newer versions of Terraform there is a more elegant way to achieve this.
I have multiple IAM policy documents, like so:
data "aws_iam_policy_document" "policy1" {
...
}
data "aws_iam_policy_document" "policy2" {
...
}
data "aws_iam_policy_document" "policy3" {
...
}
I am trying to combine them into a single document with source_policy_documents, like so:
data "aws_iam_policy_document" "combined" {
  source_policy_documents = [
    data.aws_iam_policy_document.policy1.json,
    data.aws_iam_policy_document.policy2.json,
    data.aws_iam_policy_document.policy3.json,
  ]
}
I want to provide "override" variables that allow the user to exclude each document from being merged into the final policy.
I am new to Terraform - is there a simple way to build source_policy_documents dynamically, or can override_policy_documents be used to get what I want?
Thanks!
I am new to both terraform and AWS. I am trying to set enable_execute_command=true on an existing Fargate service, whose role and cluster/service/task definition are as follows:
data "aws_iam_policy_document" "ecs_task_execution_role_base" {
  version = "2012-10-17"
  statement {
    sid     = ""
    effect  = "Allow"
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ecs-tasks.amazonaws.com"]
    }
  }
}
resource "aws_iam_policy" "ecs_exec_policy" {
  name = "ecs_exec_policy"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = ["ssmmessages:CreateControlChannel",
          "ssmmessages:CreateDataChannel",
          "ssmmessages:OpenControlChannel",
          "ssmmessages:OpenDataChannel"
        ]
        Effect   = "Allow"
        Resource = "*"
      },
    ]
  })
}
resource "aws_iam_role" "ecs_task_execution_role" {
  name = var.ecs_task_execution_role_name
  assume_role_policy …
On GCP, I am trying to run a Cloud Run service "renderer" with the Terraform code below; in this code I concatenate "gcr.io/", the variable var.project_id and "/renderer:latest" with plus (+):
resource "google_cloud_run_service" "renderer" {
  name     = "renderer"
  location = "asia-northeast1"
  template {
    spec {
      containers {
        image = "gcr.io/" + var.project_id + "/renderer:latest" // Here
      }
      service_account_name = google_service_account.renderer_identity.email
    }
  }
  traffic {
    percent         = 100
    latest_revision = true
  }
}
Then, when I apply the code above, I get the following error:
resource "google_cloud_run_service" "renderer" {
  name     = "renderer"
  location = "asia-northeast1"
  template {
    spec {
      containers {
        image = "gcr.io/" + var.project_id + …
Tags: google-cloud-platform terraform devops terraform-provider-gcp google-cloud-run
I need to iterate over a list variable in the local-exec provisioner. Is that possible?
variables.tf:
variable "items" {
default = []
}
main.tf:
resource "null_resource" "loop_list" {
  provisioner "local-exec" {
    interpreter = ["/bin/bash", "-c"]
    # HCL strings use double quotes; the loop needs "do" and prints with echo
    command = <<EOF
for i in ${join(" ", var.items)}; do
  echo $i
done
EOF
  }
}
I see this error: "If this duplication is intended, use the ellipsis (...) after the value expression to enable grouping by key."
locals {
  key_id = {
    for x in var.security_rules :
    "${x.type}" => x
  }
}
Is it possible to use the ellipsis in the nesting of that loop, and how do I do it?
I am trying to dynamically create a list of objects in a Terraform module so that I do not have to hard-code unnecessarily repeated values. I found a module on the Terraform registry that is the basis of what I am doing. The module is at https://github.com/cloudposse/terraform-aws-sso. In examples/complete/main.tf, for the module "sso_account_assignments", they replicate the AdministratorAccess permission set for different AWS accounts. My problem is that I have almost 30 accounts to which I want to assign the same permission set, but I do not want to repeat the entries in the code with only the account number differing. I have a lot of experience with Python, and the way I would write it in Python is shown below:
If I wrote it in Python
account_list = ['11111111111', '22222222222', '33333333333']
account_assignments = []
for acct in account_list:
    obj = {
        "account": acct,
        "permission_set_arn": "Some value......",
        "permission_set_name": "AdministratorAccess",
        "principal_type": "GROUP",
        "principal_name": "Administrators"
    }
    account_assignments.append(obj)
print(account_assignments)
Output
[
  {
    "account": "11111111111",
    "permission_set_arn": "Some value......",
    "permission_set_name": "AdministratorAccess",
    "principal_type": "GROUP",
    "principal_name": "Administrators"
  },
  {
    "account": "22222222222",
    "permission_set_arn": "Some value......",
    "permission_set_name": "AdministratorAccess",
    "principal_type": "GROUP",
    "principal_name": "Administrators"
  },
  {
    "account": "33333333333",
    "permission_set_arn": "Some value......",
    "permission_set_name": "AdministratorAccess",
    "principal_type": "GROUP",
    "principal_name": "Administrators"
  }
]
Basically, I cannot figure out how to do this in Terraform …