How do I safely migrate from inline security group rules to the security_group_rule resource in Terraform?

Question (votes: 0, answers: 1)

I originally set up my security group with inline rules, but have now realized that this has a lot of problems. I want to migrate the security group to use separate resources for the rules; however, when I do that, it deletes the existing rules and recreates them. Since the security group rules depend on the security group, I can't even add the new rules first and then delete the old ones.

How can I migrate the security group without temporarily deleting all of the rules?

Edit:

Looking at another case, it seems this only happens when the CIDR block of one or more rules is changed at the same time as the rules are split into their own resources.

However, if I just split the rules out without changing them, I don't know how to update the state. The plan shows the new rules being created, but even after a refresh there is no way to import them, and when I try to run it I get:

Error: [WARN] A duplicate Security Group rule was found on (sg-XXX). This may be a side effect of a now-fixed Terraform issue causing two security groups with identical attributes but different source_security_group_ids to overwrite each other in the state. See https://github.com/hashicorp/terraform/pull/2376 for more information and instructions for recovery. Error message: the specified rule "peer: 10.XX.XX.XX/27, TCP, from port: XX, to port: XX, ALLOW" already exists on ../modules/security-group/main.tf line 51, in resource "aws_security_group_rule" "XXX": 51: resource aws_security_group_rule XXX {

Tags: terraform, terraform-provider-aws
1 answer

0 votes

The import block solved this.

Example:

Original state:

resource "aws_security_group" "my_sg" {
  ...

  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

I added the new resources, removed the inline rules and added import blocks:

resource "aws_security_group" "my_sg" {
   ...
}

resource "aws_vpc_security_group_ingress_rule" "my_ipv4" {
  security_group_id = aws_security_group.my_sg.id

  ip_protocol = "tcp"
  from_port   = 443
  to_port     = 443
  cidr_ipv4   = "0.0.0.0/0"
}

resource "aws_vpc_security_group_egress_rule" "my_ipv4" {
  security_group_id = aws_security_group.my_sg.id

  ip_protocol = "-1"
  cidr_ipv4   = "0.0.0.0/0"
}


import {
  id = "sgr-12345..."
  to = aws_vpc_security_group_ingress_rule.my_ipv4
}


import {
  id = "sgr-67890..."
  to = aws_vpc_security_group_egress_rule.my_ipv4
}

Now you can make whatever changes you want. Afterwards, you can remove the import blocks.
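The two practical gaps in the answer are where the `sgr-...` ids come from and how to confirm, before applying, that the plan only imports and does not destroy or recreate any rule (the question's plan showed new rules being created). The following is an added example, not code from the question or the answer: it takes the JSON that `aws ec2 describe-security-group-rules --filters Name=group-id,Values=sg-XXX` prints and renders one `aws_vpc_security_group_ingress_rule` / `aws_vpc_security_group_egress_rule` resource plus a matching `import` block per existing rule, then scans the output of `terraform show -json tfplan` for any create or delete action on security group resources. The resource naming scheme (`ingress_443_tcp` and so on) is a hypothetical convention of this example, the sample rule ids are placeholders, and both JSON inputs are constructed samples trimmed to the fields actually used.

```python
"""Generate Terraform import blocks for existing security group rules and
check a plan for destructive actions before applying the migration."""
import json

# Constructed sample of `aws ec2 describe-security-group-rules` output;
# the sgr-/sg- ids are placeholders, not real values.
SAMPLE_DESCRIBE = json.dumps({"SecurityGroupRules": [
    {"SecurityGroupRuleId": "sgr-12345", "GroupId": "sg-XXX", "IsEgress": False,
     "IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIpv4": "0.0.0.0/0",
     "Description": "https from anywhere"},
    {"SecurityGroupRuleId": "sgr-67890", "GroupId": "sg-XXX", "IsEgress": True,
     "IpProtocol": "-1", "FromPort": -1, "ToPort": -1, "CidrIpv4": "0.0.0.0/0"},
    {"SecurityGroupRuleId": "sgr-abcde", "GroupId": "sg-XXX", "IsEgress": False,
     "IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
     "ReferencedGroupInfo": {"GroupId": "sg-YYY"}},
]})

# Constructed sample of `terraform show -json tfplan`, trimmed to the fields used.
# The first rule is covered by an import block (no-op + importing); the second
# has no import block, so Terraform would create a duplicate of an existing rule.
SAMPLE_PLAN = json.dumps({"resource_changes": [
    {"address": "aws_vpc_security_group_ingress_rule.ingress_443_tcp",
     "type": "aws_vpc_security_group_ingress_rule",
     "change": {"actions": ["no-op"], "importing": {"id": "sgr-12345"}}},
    {"address": "aws_vpc_security_group_ingress_rule.ingress_5432_tcp",
     "type": "aws_vpc_security_group_ingress_rule",
     "change": {"actions": ["create"]}},
]})


def rule_name(rule):
    """Hypothetical naming scheme: direction, port and protocol."""
    kind = "egress" if rule["IsEgress"] else "ingress"
    proto = "all" if rule["IpProtocol"] == "-1" else rule["IpProtocol"]
    port = "all" if rule.get("FromPort", -1) == -1 else str(rule["FromPort"])
    return f"{kind}_{port}_{proto}"


def rule_to_hcl(rule, name, sg_ref):
    """Render one existing rule as an aws_vpc_security_group_*_rule resource."""
    kind = "egress" if rule["IsEgress"] else "ingress"
    lines = [f'resource "aws_vpc_security_group_{kind}_rule" "{name}" {{',
             f'  security_group_id = {sg_ref}',
             f'  ip_protocol       = "{rule["IpProtocol"]}"']
    # ip_protocol "-1" means all traffic; the resource takes no ports in that case.
    if rule["IpProtocol"] != "-1":
        lines.append(f'  from_port         = {rule["FromPort"]}')
        lines.append(f'  to_port           = {rule["ToPort"]}')
    # Exactly one source/destination attribute is set per rule.
    if "CidrIpv4" in rule:
        lines.append(f'  cidr_ipv4         = "{rule["CidrIpv4"]}"')
    elif "CidrIpv6" in rule:
        lines.append(f'  cidr_ipv6         = "{rule["CidrIpv6"]}"')
    elif "PrefixListId" in rule:
        lines.append(f'  prefix_list_id    = "{rule["PrefixListId"]}"')
    elif "ReferencedGroupInfo" in rule:
        lines.append(f'  referenced_security_group_id = "{rule["ReferencedGroupInfo"]["GroupId"]}"')
    if rule.get("Description"):
        lines.append(f'  description       = "{rule["Description"]}"')
    lines.append("}")
    return "\n".join(lines)


def render_migration(describe_json, sg_ref="aws_security_group.my_sg.id"):
    """Return (hcl, mapping): hcl holds one resource plus one import block per
    existing rule; mapping is {resource address: sgr id} for cross-checking."""
    rules = json.loads(describe_json)["SecurityGroupRules"]
    blocks, mapping, seen = [], {}, {}
    for rule in rules:
        base = rule_name(rule)
        seen[base] = seen.get(base, 0) + 1          # de-duplicate same port/proto
        name = base if seen[base] == 1 else f"{base}_{seen[base]}"
        kind = "egress" if rule["IsEgress"] else "ingress"
        address = f"aws_vpc_security_group_{kind}_rule.{name}"
        mapping[address] = rule["SecurityGroupRuleId"]
        blocks.append(rule_to_hcl(rule, name, sg_ref))
        blocks.append(f'import {{\n  id = "{rule["SecurityGroupRuleId"]}"\n  to = {address}\n}}')
    return "\n\n".join(blocks) + "\n", mapping


def destructive_changes(plan_json):
    """Addresses of security group or rule resources the plan would create,
    delete or replace. Expect [] before applying; anything else means an
    existing rule is not covered by an import block (or its attributes differ)."""
    plan = json.loads(plan_json)
    flagged = []
    for rc in plan.get("resource_changes", []):
        if not rc["type"].startswith(("aws_security_group", "aws_vpc_security_group")):
            continue
        if {"create", "delete"} & set(rc["change"]["actions"]):
            flagged.append(rc["address"])
    return flagged


if __name__ == "__main__":
    hcl, mapping = render_migration(SAMPLE_DESCRIBE)
    print(hcl)
    print("unsafe changes:", destructive_changes(SAMPLE_PLAN))
```

Run `terraform plan -out tfplan && terraform show -json tfplan > plan.json` after adding the generated file, and only apply when `destructive_changes` over `plan.json` returns an empty list; a non-empty list is the same situation as the duplicate-rule error in the question, caught before anything is changed in AWS.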

