terraform/env/res/main.tf:
resource "aws_security_group" "allow_all" {
name = "allow_all"
description = "Allow all inbound traffic"
vpc_id = "${aws_vpc.main.id}"
ingress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
}
terraform/mod/sec/main.tf:
resource aws_elb " elb" {
name = "elb-example"
subnets = ["${data.aws_subnet_ids.all.ids}"]
security_groups = ["${aws_security_group.allow_all.id}"] // SG
internal = false
listener = [
{
instance_port = "80"
instance_protocol = "HTTP"
lb_port = …这是一个新手问题,但我刚刚开始使用 Terraform / Terragrunt 进行 GCP 配置,我发现获取 GCP 凭据的工作流程非常混乱。我来自只使用 AWS,在那里获取凭证并在 AWS CLI 中配置它们非常简单。
基本上,Google Cloud Provider 文档指出您应该provider像这样定义一个块:
provider "google" {
credentials = "${file("account.json")}"
project = "my-project-id"
region = "us-central1"
zone = "us-central1-c"
}
该credentials字段显示我(显然)必须生成一个服务帐户,并在我的文件系统上的某处保留一个 JSON。
但是,如果我运行该命令gcloud auth application-default login,则会生成一个位于~/.config/gcloud/application_default_credentials.json;的令牌。或者我也可以使用gcloud auth login <my-username>. 从那里我可以使用gcloud命令从命令行访问 Google API(这也是 Terraform 在幕后所做的)。
那么为什么 Terraform 提供程序需要服务帐户的 JSON 文件呢?为什么不能只使用gcloudCLI 工具已经在使用的凭据?
顺便说一句,如果我将 Terraform 配置为指向该application_default_credentials.json文件,则会出现以下错误:
正在初始化模块...
正在初始化后端...
错误:无法获取现有工作区:查询 Cloud Storage 失败:获取 …
google-cloud-platform terraform terragrunt terraform-provider-gcp
我们将最新批准的 AMI 存储在 AWS 参数存储中。使用 Terraform 创建新实例时,我想以编程方式获取此 AMI ID。我有一个命令来提取 AMI ID,但我不确定如何将它与 Terraform 一起使用。
这是我用来提取 AMI ID 的命令:
$(aws ssm get-parameter --name /path/to/ami --query 'Parameter.Value' --output text)
这是我的 Terraform 脚本:
resource "aws_instance" "nginx" {
ami = "ami-c58c1dd3" # pull value from parameter store
instance_type = "t2.micro"
#key_name = "${var.key_name}"
provisioner "remote-exec" {
inline = [
"sudo yum install nginx -y",
"sudo service nginx start"
]
}
}
如何使用命令在 Terraform 脚本中提取 AMI ID?
我正在编写用于为 AWS StepFunctions 创建 IAM 角色的 terraform。应该是什么价值主要 在assume_role_policy
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Service": "stepfunctions.amazonaws.com"
},
"Effect": "Allow",
"Sid": ""
}
]
}
我收到错误
错误:创建 IAM 角色 my_utility_sfn 时出错:MalformedPolicyDocument:策略中的委托人无效:“SERVICE”:“stepfunctions.amazonaws.com”
我正在使用 Terraform 来启动我的云环境。
似乎即使是很小的配置更改也会影响幕后的许多资源。
例如,在我创建 AWS 实例的情况下 - 一个小的更改将导致所有实例的自动生成:
-/+ aws_instance.DC (new resource required)
id: "i-075deb0aaa57c2d" => <computed> (forces new resource) <----- How can we avoid that?
ami: "ami-01e306baaaa0a6f65" => "ami-01e306baaaa0a6f65"
arn: "arn:aws:ec2:ap-southeast-2:857671114786:instance/i-075deb0aaa57c2d" => <computed>
associate_public_ip_address: "false" => <computed>
availability_zone: "ap-southeast-2a" => <computed>
.
.
我的问题特别与作为提供者的 AWS 相关:
我们如何避免每次破坏/创建资源?
也许是 Terraform 中的相关标志?
相关主题:
Terraform > ipv6_address_count: "" => "0"(强制新资源)
编辑:
深入了解计划输出,其中一项资源似乎发生了变化:
security_groups.#: "0" => "1" (forces new resource)
security_groups.837544107: "" => "sg-0892062659392afa9" (forces new resource) …我的简单 terraform 文件是:
provider "aws" {
region = "region"
access_key = "key"
secret_key = "secret_key"
}
terraform {
backend "s3" {
# Replace this with your bucket name!
bucket = "great-name-terraform-state-2"
key = "global/s3/terraform.tfstate"
region = "eu-central-1"
# Replace this with your DynamoDB table name!
dynamodb_table = "great-name-locks-2"
encrypt = true
}
}
resource "aws_s3_bucket" "terraform_state" {
bucket = "great-name-terraform-state-2"
# Enable versioning so we can see the full revision history of our
# state files
versioning {
enabled = …有没有办法有条件地添加statement块aws_iam_policy_document?我正在寻找类似的东西:
data "aws_iam_policy_document" "policy" {
statement {
sid = "PolicyAlways"
...
}
if (var.enable_optional_policy) {
statement {
sid = "PolicySometimes"
...
}
}
}
我们有 cronjob 和 shell 脚本,我们希望在使用 terraform 创建实例时将它们复制或上传到 aws ec2 实例。
我们尝试了
provisioner "file" {
source = "abc.sh"
destination = "/home/ec2-user/basic2.sh"
}
data "template_file" "userdata_line" {
template = <<EOF
#!/bin/bash
mkdir /home/ec2-user/files2
cd /home/ec2-user/files2
sudo touch basic2.sh
sudo chmod 777 basic2.sh
base64 basic.sh |base64 -d >basic2.sh
EOF
}
尝试了所有选项,但没有一个工作。
你能帮忙或建议吗?
我是 terraform 的新手,长期以来一直在这方面苦苦挣扎。
我想将 EFS 与 fargate 一起使用,但在任务开始时出现此错误:
ResourceInitializationError: failed to invoke EFS utils commands to set up EFS volumes: stderr: Failed to resolve "fs-xxxxx.efs.eu-west-1.amazonaws.com" - check that your file system ID is correct
我已经检查了文件系统 ID,它是正确的...我如何获得有关此错误的更多信息?它可能与安全组有关吗?
这是我与 terraform 一起使用的代码,我为两个可用区使用了两个挂载点:
resource "aws_efs_file_system" "efs_apache" {
}
resource "aws_efs_mount_target" "efs-mount" {
count = 2
file_system_id = aws_efs_file_system.efs_apache.id
subnet_id = sort(var.subnet_ids)[count.index]
security_groups = [aws_security_group.efs.id]
}
resource "aws_efs_access_point" "efs-access-point" {
file_system_id = aws_efs_file_system.efs_apache.id
}
resource "aws_security_group" "efs" {
name = "${var.name}-efs-sg"
description = "Allow traffic from self"
vpc_id …amazon-web-services terraform amazon-efs aws-fargate terraform-provider-aws
我正在尝试从 terraform 0.12 升级到 0.13。
当我运行时,它似乎没有任何特定的语法问题terraform 0.13upgrade。
只version.tf添加了一个文件
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ }
+ }
+ required_version = ">= 0.13"
+}
当我跑步时,terraform plan我得到了
Error: Could not load plugin
Plugin reinitialization required. Please run "terraform init".
Plugins are external binaries that Terraform uses to access and manipulate
resources. The configuration provided requires plugins which can't be located,
don't satisfy the version constraints, or are otherwise …