我正试图修改WAF ACL和相关规则。我正在处理的terraform堆栈在DEV、QA和PROD中是相同的,差异都通过不同的变量来处理。所以我的想法是把CIDR列表存在变量中,并自动为每一项创建ALLOW规则。我的知识有限,进展很慢。它能正常创建ipset,但规则和ACL会报错:
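# CIDR blocks allowed through the web ACL. Anything not matched falls through
# to the BLOCK default action below, so this list is the allow-list for the
# environment; each environment (DEV/QA/PROD) supplies its own value.
# Requires Terraform 0.12+ (type constraint syntax and the dynamic block below).
variable "cloud_allowed_cidr_list" {
  type    = list(string)
  default = ["1.2.3.4/32", "4.3.2.1/32"]
}

# One IPSet per allowed CIDR, index-aligned with the variable.
resource "aws_waf_ipset" "ipset" {
  count = length(var.cloud_allowed_cidr_list)
  name  = "ipset-${count.index}"

  ip_set_descriptors {
    type  = "IPV4"
    value = var.cloud_allowed_cidr_list[count.index]
  }
}

# One IPMatch rule per IPSet. data_id takes a single IPSet id, so the rule
# picks the IPSet with the same index instead of the whole splat list
# (the original `aws_waf_ipset.ipset.*.id` is a list, which is what the
# provider rejected). The reference also orders creation; no depends_on needed.
resource "aws_waf_rule" "matchIPrule" {
  count       = length(var.cloud_allowed_cidr_list)
  name        = "matchMancIPrule${count.index}"
  metric_name = "matchMancIPrule${count.index}"

  predicates {
    data_id = aws_waf_ipset.ipset[count.index].id
    negated = false
    type    = "IPMatch"
  }
}

# A single web ACL. It has no count, so count.index is not available here and
# the names are fixed. One `rules` block is emitted per rule via a dynamic
# block, which is the only way to generate repeated nested blocks.
resource "aws_waf_web_acl" "waf_acl" {
  name        = "mancACL"
  metric_name = "mancACL"

  # Default-deny: only traffic matching an ALLOW rule below gets through.
  default_action {
    type = "BLOCK"
  }

  dynamic "rules" {
    # Iterating the count-based resource yields (index, object) pairs.
    for_each = aws_waf_rule.matchIPrule
    content {
      action {
        type = "ALLOW"
      }
      # Priorities must be unique within an ACL; the list index guarantees that.
      priority = rules.key
      rule_id  = rules.value.id
      type     = "REGULAR"
    }
  }
}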
当我意识到一条规则可以有多个谓词、而一个ACL又可以有多条规则时,这个思路就行不通了……该如何动态地创建它们?如果有人有类似的例子,我将非常感激。
答案 0 :(得分:0)
从0.12版本开始,您现在可以使用动态块来做到这一点。
无需使用count来遍历数组。
"request": [
{
"title": "Google Custom Search - 4250859801761",
"totalResults": "0",
"searchTerms": "4250859801761",
"count": 10,
"inputEncoding": "utf8",
"outputEncoding": "utf8",
"safe": "off",
"cx": "017576662512468239146:omuauf_lfve"
}
]
},
"searchInformation": {
"searchTime": 0.519547,
"formattedSearchTime": "0.52",
"totalResults": "0",
"formattedTotalResults": "0"
}
}