创建资源之前,我们可以在Terraform中匹配多个条件吗?

时间:2020-09-17 11:14:07

标签: terraform amazon-cloudformation terraform-provider-aws

我正在尝试将AWS CloudFormation脚本转换为Terraform,但是我在这里面临的问题是Cloudformation有一些称为条件的条件,我们可以在创建资源之前指定多个条件以进行匹配,但是我正努力在terraform中复制相同的条件。

ClodeFormation的示例代码:

Conditions:
    NACLDefaultPublicAllowed: !Equals [ !Ref NACLOpenByDefault, "true"]
    NACLDefaultPrivateOnly: !Equals [ !Ref NACLOpenByDefault, "false"]

    InboundSSHIsAllowed: !Equals [ !Ref AllowInboundSSH, "true"]
    InboundRDPIsAllowed: !Equals [ !Ref AllowInboundRDP, "true"]
    InboundVPNIsAllowed: !Equals [ !Ref AllowInboundVPN, "true"]

    OutboundHTTPIsAllowed: !Equals [ !Ref AllowOutboundHTTP, "true"]
    OutboundHTTPSIsAllowed: !Equals [ !Ref AllowOutboundHTTPS, "true"]

    HasRemoteHomeNetwork: !Not [ !Equals [ !Ref RemoteHomeNetworkCIDR, ""]]
    HasRemoteRepositories: !Not [ !Equals [ !Ref RemoteRepositoriesCIDR, ""]]
    
    AddMGMTInboundSSHRules: !And
        - !Condition HasRemoteHomeNetwork
        - !Condition NACLDefaultPrivateOnly
        - !Condition InboundSSHIsAllowed

    AddMGMTInboundRDPRules: !And
        - !Condition HasRemoteHomeNetwork
        - !Condition NACLDefaultPrivateOnly
        - !Condition InboundRDPIsAllowed

    AddMGMTInboundVPNRules: !And
        - !Condition HasRemoteHomeNetwork
        - !Condition NACLDefaultPrivateOnly
        - !Condition InboundVPNIsAllowed

    AddMGMTOutboundEphemeralRemoteHomeNetworkRules: !Or
        - !Condition AddMGMTInboundSSHRules
        - !Condition AddMGMTInboundVPNRules

    AddOutboundHTTPAnywhereRules: !And
        - !Condition OutboundHTTPIsAllowed
        - !Condition NACLDefaultPrivateOnly
    AddOutboundHTTPSAnywhereRules: !And
        - !Condition OutboundHTTPSIsAllowed
        - !Condition NACLDefaultPrivateOnly
    AddInboundEphemeralAnywhereRules: !Or
        - !Condition AddOutboundHTTPAnywhereRules
        - !Condition AddOutboundHTTPSAnywhereRules

    AddRemoteRepositoriesCIDR: !And
        - !Condition HasRemoteRepositories
        - !Condition NACLDefaultPrivateOnly

现在(当我在CloudFormation中)创建资源时,我可以直接使用:


rNACLEntryAllowOutboundHTTPfromPUBLtoRemoteRepositories:
        Type: "AWS::EC2::NetworkAclEntry"
        Condition: AddRemoteRepositoriesCIDR
        Properties:
         xxxx

rNACLEntryAllowOutboundHTTPSfromPUBLtoRemoteRepositories:
        Type: "AWS::EC2::NetworkAclEntry"
        Condition: HasRemoteHomeNetwork
        Properties:
        xxxx

and so on

如何在terraform中获得相同的结果?

1 个答案:

答案 0 :(得分:1)

在Terraform中,我们将这种条件表示为有条件地在资源的零个或一个实例之间进行选择。如果您想排除条件并像在CloudFormation中一样给它们命名,则可以将条件分配给named local values,如下所示:

variable "allow_inbound_ssh" {
  type = bool
}

variable "nacl_open_by_default" {
  type = bool
}

variable "remote_home_network_cidr" {
  type    = string
  default = null
}

locals {
  inbound_ssh_is_allowed    = var.allow_inbound_ssh
  nacl_default_private_only = !var.nacl_open_by_default
  has_remote_home_network   = var.remote_home_network_cidr != null

  add_management_inbound_ssh_rules = (
    local.has_remote_home_network &&
    local.nacl_default_private_only &&
    local.inbound_ssh_is_allowed
  )
}

然后可以将这些局部值用作每个资源中条件count表达式的一部分,如下所示:

# (I'm assuming that aws_network_acl_rule is the Terraform
# equivalent of CloudFormation's AWS::EC2::NetworkAclEntry,
# but I'm not sure.)
resource "aws_network_acl_rule" "example" {
  count = local.add_management_inbound_ssh_rules ? 1 : 0

  # ...
}

有了特殊的count自变量后,aws_network_acl_rule要么是单元素列表,要么是零元素列表,具体取决于local.add_management_inbound_ssh_rules的最终值。

相关问题
最新问题