引用Terraform中的其他模块资源

Question

我在Terraform Cloud git项目中具有这样的层次结构：

├── aws
│   ├── flavors
│   │   └── main.tf
│   ├── main.tf
│   ├── security-rules
│   │   └── sec-rule1
│   │       └── main.tf
│   └── vms
│   │   └── vm1
│   │       └── main.tf
└── main.tf

所有主要main.tf文件都包含带有子文件夹的模块定义：

/main.tf：

terraform {
  required_version = "~> 0.12.0"

  backend "remote" {
    hostname = "app.terraform.io"    
    organization = "foo"

    workspaces {
      name = "bar"
    }
  }
  required_providers {
    openstack = "~> 1.24.0"
  }
}

module "aws" {
  source = "./aws"
}

/aws/main.tf：

module "security-rules" {
  source = "./security-rules"
}

module "flavors" {
  source = "./flavors"
}

module "vms" {
  source = "./vms"
}

/aws/security-rules/main-tf：

module "sec-rule1" {
  source = "./sec-rule1"
}

/aws/vms/main-tf：

module "vm1" {
  source = "./vm1"
}

然后我定义了此安全规则。

/aws/security-rules/sec-rule1/main-tf：

resource "openstack_compute_secgroup_v2" "sec-rule1" {
  name        = "sec-rule1"
  description = "Allow web port"
  rule {
    from_port   = 80
    to_port     = 80
    ip_protocol = "tcp"
    cidr        = "0.0.0.0/0"
  }
  lifecycle {
            prevent_destroy = false
    }
}

我想从一个或多个VM引用它，但是我不知道如何通过资源ID（或名称）引用它。我使用纯名称而不是引用。

/aws/vms/vm1/main-tf：

resource "openstack_blockstorage_volume_v3" "vm1_volume" {
  name     = "vm1_volume"
  size     = 30
  image_id = "foo-bar"
}

resource "openstack_compute_instance_v2" "vm1_instance" {
  name        = "vm1_instance"
  flavor_name = "foo-bar"
  key_pair    = "foo-bar keypair"
  image_name  = "Ubuntu Server 18.04 LTS Bionic"
  block_device {
    uuid                  = "${openstack_blockstorage_volume_v3.vm1_volume.id}"
    source_type           = "volume"
    destination_type      = "volume"
    boot_index            = 0
    delete_on_termination = false
  }

  network {
    name = "SEG-tenant-net"
  }

  security_groups = ["default", "sec-rule1"]
  config_drive    = true
}

resource "openstack_networking_floatingip_v2" "vm1_fip" {
  pool = "foo-bar"
}

resource "openstack_compute_floatingip_associate_v2" "vm1_fip" {
  floating_ip = "${openstack_networking_floatingip_v2.vm1_fip.address}"
  instance_id = "${openstack_compute_instance_v2.vm1_instance.id}"
}

我想使用通过名称或ID引用的安全规则（以及更多内容），因为这样会更加一致。此外，当我创建新的安全规则并同时创建虚拟机时，Terraform OpenStack提供程序会毫无错误地对其进行计划，但是在应用该规则时，会产生错误，因为首先创建了虚拟机，但尚未创建该虚拟机新的安全规则。

我该怎么做？

Answer 1

您应该为sec_rule_allow_web_name和sec-rule1模块输出security-rules，然后将security-rules模块的输出设置为vm1的输入和vms模块。这样，您可以使vm1模块与security-rules的输出（称为Dependency Inversion）保持依赖性。

提供的输出和输入在正确的模块中定义，aws/main.tf变为

module "security-rules" {
  source = "./security-rules"
}

module "flavors" {
  source = "./flavors"
}

module "vms" {
  source = "./vms"

  security_rule_name = module.security-rules.sec_rule_allow_web_name
}