I initially set up my security groups with inline rules, but have now realised that this causes a lot of problems. I want to migrate the security groups to use separate resources for the rules, but when I do this it deletes the existing rules and recreates them. Since the security group rules depend on the security group, I can't even add the new rules first and then remove the old ones.

How can I migrate the security groups without temporarily deleting all of the rules?

Edit:

Looking at another case, it seems this only happens when the CIDR block of one or more rules is changed at the same time as the rules are split into their own resources.

However, if I just split them out without changing the rules, I don't know how to update the state. The plan shows the new rules being created, but there is no way to import them, and when I try to run it I get:
```text
Error: [WARN] A duplicate Security Group rule was found on (sg-XXX). This may be
a side effect of a now-fixed Terraform issue causing two security groups with
identical attributes but different source_security_group_ids to overwrite each
other in the state. See https://github.com/hashicorp/terraform/pull/2376 for more
information and instructions for recovery. Error message: the specified rule "peer: 10.XX.XX.XX/27, TCP, from port: XX, to port: XX, ALLOW" already exists

on ../modules/security-group/main.tf line 51, in resource "aws_security_group_rule" "XXX":
51: resource aws_security_group_rule XXX {
```
I used the following. Example:

Original state:

```hcl
resource "aws_security_group" "my_sg" {
  ...

  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
```
I added the new resources, removed the inline rules and added import blocks:
```hcl
resource "aws_security_group" "my_sg" {
  ...
}

resource "aws_vpc_security_group_ingress_rule" "my_ipv4" {
  security_group_id = aws_security_group.my_sg.id
  ip_protocol       = "tcp"
  from_port         = 443
  to_port           = 443
  cidr_ipv4         = "0.0.0.0/0"
}

resource "aws_vpc_security_group_egress_rule" "my_ipv4" {
  security_group_id = aws_security_group.my_sg.id
  ip_protocol       = "-1"
  cidr_ipv4         = "0.0.0.0/0"
}

import {
  id = "sgr-12345..."
  to = aws_vpc_security_group_ingress_rule.my_ipv4
}

import {
  id = "sgr-67890..."
  to = aws_vpc_security_group_egress_rule.my_ipv4
}
```
Now you can make whatever changes you want. After that, you can remove the import blocks.
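The hard part of the approach above is filling in the `sgr-...` IDs for each import block: every existing rule has to be matched to the new Terraform resource that describes it, and any rule left unmatched will be removed on the next apply because it no longer appears in the configuration. The following is an added example, not code from the original post. It assumes the JSON shape returned by `aws ec2 describe-security-group-rules --filters Name=group-id,Values=<sg-id>` (a `SecurityGroupRules` list with `SecurityGroupRuleId`, `IsEgress`, `IpProtocol`, `FromPort`, `ToPort` and `CidrIpv4`), uses a constructed sample of that output with placeholder rule IDs, and maps rules to the hypothetical resource names `my_ipv4` from the answer. It generates the import blocks and reports both AWS rules that have no Terraform resource (they would be deleted) and Terraform resources that match no AWS rule (they would be created), which is exactly the check to run before `terraform apply`.

```python
"""Generate Terraform import blocks for existing security group rules.

Added example, not from the original post. Input shape assumed to be that of
`aws ec2 describe-security-group-rules`; sample data below is constructed.
"""
import json

# Constructed sample of describe-security-group-rules output (rule IDs are placeholders).
SAMPLE_RULES_JSON = json.dumps({
    "SecurityGroupRules": [
        {"SecurityGroupRuleId": "sgr-0123456789abcdef0", "GroupId": "sg-0placeholder",
         "IsEgress": False, "IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "CidrIpv4": "0.0.0.0/0"},
        # AWS reports the all-traffic rule (protocol -1) with ports -1/-1.
        {"SecurityGroupRuleId": "sgr-0fedcba9876543210", "GroupId": "sg-0placeholder",
         "IsEgress": True, "IpProtocol": "-1", "FromPort": -1, "ToPort": -1,
         "CidrIpv4": "0.0.0.0/0"},
    ]
})

# Terraform resources we want to own each rule, keyed by the attributes that
# identify a rule in AWS: (direction, protocol, from_port, to_port, peer).
# Resource names are hypothetical, taken from the answer above.
WANTED = {
    ("ingress", "tcp", 443, 443, "0.0.0.0/0"): "aws_vpc_security_group_ingress_rule.my_ipv4",
    ("egress", "-1", -1, -1, "0.0.0.0/0"): "aws_vpc_security_group_egress_rule.my_ipv4",
}


def rule_key(rule):
    """Reduce one AWS rule to the tuple used for matching against WANTED."""
    direction = "egress" if rule["IsEgress"] else "ingress"
    # Peer is a CIDR, a prefix list, or a referenced security group; pick whichever is present.
    peer = (rule.get("CidrIpv4") or rule.get("CidrIpv6") or rule.get("PrefixListId")
            or rule.get("ReferencedGroupInfo", {}).get("GroupId"))
    return (direction, rule["IpProtocol"], rule.get("FromPort", -1), rule.get("ToPort", -1), peer)


def match_rules(rules_json, wanted):
    """Return (matched, unmatched_aws, missing_tf).

    matched:       {terraform_address: sgr-id} for rules that have a resource
    unmatched_aws: rule keys that exist in AWS but have no resource (deleted on apply)
    missing_tf:    resource addresses with no existing rule (created on apply)
    """
    rules = json.loads(rules_json)["SecurityGroupRules"]
    matched, unmatched_aws = {}, []
    for rule in rules:
        key = rule_key(rule)
        address = wanted.get(key)
        if address is None:
            unmatched_aws.append(key)
        elif address in matched:
            # Two AWS rules with identical attributes cannot both be imported to one address.
            raise ValueError(f"duplicate rule for {address}: "
                             f"{matched[address]} and {rule['SecurityGroupRuleId']}")
        else:
            matched[address] = rule["SecurityGroupRuleId"]
    missing_tf = [addr for addr in wanted.values() if addr not in matched]
    return matched, unmatched_aws, missing_tf


def render_import_blocks(matched):
    """Render Terraform 1.5+ import blocks, one per matched rule, in a stable order."""
    blocks = [f'import {{\n  id = "{sgr_id}"\n  to = {address}\n}}'
              for address, sgr_id in sorted(matched.items())]
    return "\n\n".join(blocks) + "\n"


if __name__ == "__main__":
    matched, unmatched_aws, missing_tf = match_rules(SAMPLE_RULES_JSON, WANTED)
    for key in unmatched_aws:
        print(f"# WARNING: existing rule {key} has no Terraform resource; apply would delete it")
    for address in missing_tf:
        print(f"# NOTE: {address} matches no existing rule; apply would create it")
    print(render_import_blocks(matched))
```

Run it against the real CLI output by replacing `SAMPLE_RULES_JSON` with the saved JSON and extending `WANTED` with one entry per rule resource in the module; if it prints any `WARNING` line, the configuration is missing a rule and the apply is not yet a no-op migration.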