请帮助理解如何创建这样的东西?
data "aws_iam_policy_document" "assume_role_policy" {
statement {
actions = ["sts:AssumeRole"]
principals {
type = "Service"
identifiers = ["ec2.amazonaws.com"]
}
}
dynamic "statement" {
for_each = var.assume_role_identities != [] ? [true] : []
content {
actions = ["sts:AssumeRole"]
principals {
type = "AWS"
identifiers = var.assume_role_identities
}
}
}
dynamic "statement" {
for_each = var.assume_role_services != [] ? [true] : []
content {
actions = ["sts:AssumeRole"]
principals {
type = "Service"
identifiers = var.assume_role_services
}
}
}
}
这段代码的问题是,如果我不指定任何应该具有访问权限的角色或服务,则会退出并出现没有主体的错误。是否可以在动态块上设置一些计数条件?或者如何解决它?
问题说明:
问题是,如果我只想传递某个值,它将无法工作,因为它会形成一个空值 …
resource "google_service_account" "myaccount" {
account_id = "dev-foo-account"
}
resource "google_service_account_key" "mykey" {
service_account_id = google_service_account.myaccount.name
}
data "google_service_account_key" "mykey" {
name = google_service_account_key.mykey.name
public_key_type = "TYPE_X509_PEM_FILE"
}
如果我创建一个服务帐户和这样的密钥 - 之后如何获取密钥?
terraform output产量:
$ terraform output -json google_service_account_key
The output variable requested could not be found in the state
file. If you recently added this to your configuration, be
sure to run `terraform apply`, since the state won't be updated
with new output variables until that command is run.
我希望使用 tfsec 在 IaC 代码扫描中实施以下策略:
Custom Check: GCP Firewall rule allows all traffic on Telnet port (23)
以下是我的自定义检查 .json 格式:
{
"checks":
[
{
"code": "CUS003",
"description": "Custom Check: GCP Firewall rule allows all traffic on Telnet port (23)",
"requiredTypes":
[
"resource"
],
"requiredLabels":
[
"google_compute_firewall"
],
"severity": "WARNING",
"matchSpec":
{
"name": "CUS003_matchSpec_name",
"action": "and",
"predicateMatchSpec":
[
{
"name": "source_ranges",
"action": "contains",
"value": "0.0.0.0/0"
},
{
"name": "ports",
"action": "contains",
"value": "23"
}
]
},
"errorMessage": "[WARNING] GCP Firewall rule …我想知道在配置 GCE VM 时是否可以在 terraform 中指定关闭脚本
目前,我正在使用 GCE 来运行 GitHub Actions Runners,并且我想在虚拟机关闭时彻底取消注册运行器。
如果我决定迁移到抢占式虚拟机或托管实例组,这一点非常重要。对于后者,我计划实现一个云功能来根据需求缩小和扩大运行器实例。
我已成功使用启动脚本在 terraform 中配置我的虚拟机,因为该脚本有详细记录,但我看不到指定关闭脚本的方法。那可能吗?也许以某种方式使用元标记?
谢谢
我想知道是否可以通过 Terraform apply 在 Ec2 实例中安装和运行 Docker 容器。
I need to build about 30 pub sub topics in GCP, creating each module for a pub sub topic is a tedious process, is there any better way for handling it ?
module "a" {
source = ""
project_id = var.project_id
topic = var.a["topic_name"]
topic_labels = var.a["topic_labels"]
pull_subscriptions = [
{
name = var.a["pull_subscription_name"]
ack_deadline_seconds = var.a["ack_deadline_seconds"]
max_delivery_attempts = var.a["max_delivery_attempts"]
maximum_backoff = var.maximum_backoff
minimum_backoff = var.minimum_backoff
expiration_policy = var.expiration_policy
enable_message_ordering = true
}
]
}
module "b" {
source = …给定一个像这样的模块
\nmodule us-west-2 {\n count = "${local.environments[terraform.workspace] == "logging" ? true : false}"\n source = "./modules/flow_log"\n providers = {\n aws = aws.us-west-2\n }\n log_destination = module.nf_cis_benchmark.aws_s3_bucket_vpc_flow_log\n log_destination_type = "s3"\n traffic_type = "REJECT"\n depends_on = [ module.nf_cis_benchmark.raws_s3_bucket_vpc_flow_log_arn ]\n aws_vpc_ids = data.aws_vpcs.us-west-2.ids\n}\n\n我们如何根据返回值有条件地创建这个模块local.environments[terraform.workspace]?
预期:\n当用户运行时,terraform apply将根据所选工作区有条件地创建资源。
实际的:
\n330: count = length("${local.environments[terraform.workspace] == "logging" ? true : false}")\n\xe2\x94\x82 \xe2\x94\x9c\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\xe2\x94\x80\n\xe2\x94\x82 \xe2\x94\x82 local.environments is object with 9 attributes\n\xe2\x94\x82 \xe2\x94\x82 terraform.workspace is "nf-logging"\n\xe2\x94\x82 \n\xe2\x94\x82 Call to function "length" …我的计划文件以特定名称保存。我已经尝试
terraform plan planfilename.plan -out=tfplan
并显示了包含计划文件名的其他变体
我有gcp-organization-admins Cloud Identity 用户组,我想使用 Terraform 将新用户user-01@example.com添加为成员。
收到错误 -创建 GroupMembership 时出错:googleapi:收到 HTTP 响应代码 404。在此服务器上找不到请求的 URL 。/v1beta1/gcp-organization-admins@example.com/memberships?alt=json
任何人都可以建议如何解决这个问题。
仅供参考...作为一个测试,我能够使用 Terraform 模块创建新的 Cloud Identity 用户组并添加一些测试用户,没有任何问题https://github.com/terraform-google-modules/terraform-google-团体
#=====================
# terraform.tfvars
#=====================
org_admin_user = ["user-01@example.com"]
org_admin_group = "gcp-organization-admins@example.com"
#=========================================================
# add-member.tf (adds user to google group as a member)
#=========================================================
resource "google_cloud_identity_group_membership" "user-01" {
for_each = toset(var.org_admin_user)
provider = google-beta
group = var.org_admin_group
preferred_member_key {
id = each.key
}
roles {
name = "MEMBER"
}
}
我是 terraform 新手,想要更改网络上的子网,但遇到了一个奇怪的错误。\ngoogle 什么也没得到。这是我要输入的内容(更改 main.tf 和运行计划后)
\nterraform apply -replace="azurerm_subnet.subnet1"\nTerraform will perform the following actions:\n\n # module.network.azurerm_subnet.subnet[0] will be updated in-place\n ~ resource "azurerm_subnet" "subnet" {\n ~ address_prefixes = [\n - "10.0.2.0/24",\n + "10.0.4.0/24",\n ]\n id = \n "/subscriptions/xxxxxxxxxxxxxxxxxxxxxxxxx/resourceGroups/lab- \n resources/providers/Microsoft.Network/virtualNetworks/acctvnet/subnets/subnet1"\n name = "subnet1"\n # (7 unchanged attributes hidden)\n }\n\n Plan: 0 to add, 1 to change, 0 to destroy.\n\n Do you want to perform these actions?\n Terraform will perform the actions described above.\n Only 'yes' will be accepted to …