Cycle error when trying to create AWS VPC security groups with Terraform

I want to create 2 VPC security groups: one for the Bastion host of the VPC and another for the Private subnet.
```hcl
# BASTION #
resource "aws_security_group" "VPC-BastionSG" {
  name        = "VPC-BastionSG"
  description = "The sec group for the Bastion instance"
  # Interpolation, not a string literal, so the real VPC id is used
  vpc_id      = "${aws_vpc.VPC.id}"

  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["my.super.ip/32"]
  }

  egress {
    # Access to the Private subnet from the bastion host [ssh]
    from_port       = 22
    to_port         = 22
    protocol        = "tcp"
    security_groups = ["${aws_security_group.VPC-PrivateSG.id}"]
  }

  egress {
    # Access to the Private subnet from the bastion host [jenkins]
    from_port       = 8686
    to_port         = 8686
    protocol        = "tcp"
    security_groups = ["${aws_security_group.VPC-PrivateSG.id}"]
  }

  tags = {
    Name = "VPC-BastionSG"
  }
}

# PRIVATE #
resource "aws_security_group" "VPC-PrivateSG" {
  name        = "VPC-PrivateSG"
  description = "The sec group for the private subnet"
  vpc_id      = "${aws_vpc.VPC.id}"

  ingress {
    from_port       = 22
    to_port         = 22
    protocol        = "tcp"
    security_groups = ["${aws_security_group.VPC-BastionSG.id}"]
  }

  ingress {
    from_port       = 80
    to_port         = 80
    protocol        = "tcp"
    security_groups = ["${aws_security_group.VPC-PublicSG.id}"]
  }

  ingress {
    from_port       = 443
    to_port         = 443
    protocol        = "tcp"
    security_groups = ["${aws_security_group.VPC-PublicSG.id}"]
  }

  ingress {
    from_port       = 3306
    to_port         = 3306
    protocol        = "tcp"
    security_groups = ["${aws_security_group.VPC-PublicSG.id}"]
  }

  ingress {
    from_port       = 8686
    to_port         = 8686
    protocol        = "tcp"
    security_groups = ["${aws_security_group.VPC-BastionSG.id}"]
  }

  ingress {
    # ALL TRAFFIC from the same subnet
    from_port = 0
    to_port   = 0
    protocol  = "-1"
    self      = true
  }

  egress {
    # ALL TRAFFIC to outside world
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = {
    Name = "VPC-PrivateSG"
  }
}
```
When I run `terraform plan` on it, it returns this error:

```
Error configuring: 1 error(s) occurred:
* Cycle: aws_security_group.VPC-BastionSG, aws_security_group.VPC-PrivateSG
```
If I comment out the ingress rules from BastionSG in PrivateSG, the plan runs fine.
Also, if I comment out the egress rules to PrivateSG from BastionSG, it runs fine as well.
AWS Scenario 2 for building a VPC with Public/Private subnets and Bastion host describes the architecture I am trying to set up.
I have the exact same setup configured through the AWS console and it plays well.
Why doesn't Terraform accept it? Is there another way to connect the Bastion security group with the private security group?
EDIT
As far as I understand, the cyclic reference between the two sec groups somehow needs to be broken, even though it is valid in AWS.
So I am thinking of allowing all outbound traffic (0.0.0.0/0) from the Bastion sec group instead of pinning it to a single security group.
Would that have a bad effect on security?
There is an issue on the terraform GitHub that describes interdependent security groups. Does the recommended solution at the end of the thread work for your case? https://github.com/hashicorp/terraform/issues/539 – jbird
Thank you for pointing that out @jbird. I replaced it with CIDR blocks and it no longer complains. But I prefer ydaetskcoR's answer because I want clear, descriptive code. –
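As an added example (not the asker's code and not the linked answer), this is how the cycle is broken without falling back to CIDR blocks: the two `aws_security_group` resources carry no cross-references, and the bastion-to-private rules become standalone `aws_security_group_rule` resources that reference both groups. It assumes Terraform 0.12+ syntax, the `aws_vpc.VPC` resource and the `my.super.ip/32` placeholder from the question, and covers only the rules involved in the cycle.

```hcl
resource "aws_security_group" "VPC-BastionSG" {
  name        = "VPC-BastionSG"
  description = "The sec group for the Bastion instance"
  vpc_id      = aws_vpc.VPC.id
  # No inline ingress/egress blocks: every rule is a standalone resource below,
  # because inline blocks and aws_security_group_rule must not be mixed on one group.
}

resource "aws_security_group" "VPC-PrivateSG" {
  name        = "VPC-PrivateSG"
  description = "The sec group for the private subnet"
  vpc_id      = aws_vpc.VPC.id
}

# Admin SSH into the bastion (same CIDR placeholder as in the question).
resource "aws_security_group_rule" "bastion_ssh_from_admin" {
  type              = "ingress"
  from_port         = 22
  to_port           = 22
  protocol          = "tcp"
  cidr_blocks       = ["my.super.ip/32"]
  security_group_id = aws_security_group.VPC-BastionSG.id
}

# Bastion -> private on ssh (22) and jenkins (8686): one egress rule on the bastion
# group and one ingress rule on the private group per port. Each rule references
# both groups, but neither group references the other, so the graph is acyclic.
locals {
  bastion_to_private_ports = toset(["22", "8686"])
}

resource "aws_security_group_rule" "bastion_egress_to_private" {
  for_each                 = local.bastion_to_private_ports
  type                     = "egress"
  from_port                = each.value
  to_port                  = each.value
  protocol                 = "tcp"
  security_group_id        = aws_security_group.VPC-BastionSG.id
  source_security_group_id = aws_security_group.VPC-PrivateSG.id # destination for egress
}

resource "aws_security_group_rule" "private_ingress_from_bastion" {
  for_each                 = local.bastion_to_private_ports
  type                     = "ingress"
  from_port                = each.value
  to_port                  = each.value
  protocol                 = "tcp"
  security_group_id        = aws_security_group.VPC-PrivateSG.id
  source_security_group_id = aws_security_group.VPC-BastionSG.id
}
```

The private group's remaining rules (from PublicSG, the `self` rule and the 0.0.0.0/0 egress) follow the same standalone pattern; the provider removes AWS's default allow-all egress when it creates a group, so that egress rule must be declared explicitly. Keeping the bastion's egress scoped to the private group this way avoids the 0.0.0.0/0 outbound rule the EDIT considers.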