How do you destroy or create interdependent resources? For example, I want to delete an AWS Network Firewall, but I cannot delete it because its endpoint is in use in a route table, and I also cannot delete the firewall policy because the RuleGroup attached to it is in use.
How can I delete the resources without manual intervention, and create them with manual intervention?
resource "aws_networkfirewall_firewall_policy" "example" {
  name     = "Domains"
  tags     = {}
  tags_all = {}

  firewall_policy {
    stateful_default_actions = [
      "aws:alert_strict",
      "aws:drop_established",
    ]
    stateless_default_actions = [
      "aws:forward_to_sfe",
    ]
    stateless_fragment_default_actions = [
      "aws:pass",
    ]

    stateful_engine_options {
      rule_order = "STRICT_ORDER"
    }

    stateful_rule_group_reference {
      priority     = 3
      resource_arn = "arn:aws:network-firewall:ap-southeast-2:123456789:stateful-rulegroup/example-TEST"
    }
  }
}

resource "aws_networkfirewall_firewall" "example" {
  name                = "NFWtf"
  firewall_policy_arn = "arn:aws:network-firewall:ap-southeast-2:1234567890:firewall-policy/nfw"
  vpc_id              = "vpc-ftyha9po1"

  subnet_mapping {
    subnet_id = "subnet-0022444rr138bc6"
  }

  tags = {
    Tag1 = "Value1"
    Tag2 = "Value2"
  }

  timeouts {
    create = "40m"
    update = "50m"
    delete = "1h"
  }
}
How do I solve this problem?

To avoid this kind of situation in Terraform, you can use implicit or explicit dependencies. An implicit dependency is created when one resource references an attribute of another resource, and that attribute can only be accessed once the referenced resource has been created. This way Terraform knows the exact order in which to create and delete the resources. So in your case, the code block you added to the question should be modified to look like this (note that one resource is missing from your question):
resource "aws_networkfirewall_firewall_policy" "example" {
  name     = "Domains"
  tags     = {}
  tags_all = {}

  firewall_policy {
    stateful_default_actions = [
      "aws:alert_strict",
      "aws:drop_established",
    ]
    stateless_default_actions = [
      "aws:forward_to_sfe",
    ]
    stateless_fragment_default_actions = [
      "aws:pass",
    ]

    stateful_engine_options {
      rule_order = "STRICT_ORDER"
    }

    stateful_rule_group_reference {
      priority     = 3
      resource_arn = aws_networkfirewall_rule_group.example.arn # this resource is missing from the question, so it's just a guess
    }
  }
}

resource "aws_networkfirewall_firewall" "example" {
  name                = "NFWtf"
  firewall_policy_arn = aws_networkfirewall_firewall_policy.example.arn
  vpc_id              = "vpc-ftyha9po1"

  subnet_mapping {
    subnet_id = "subnet-0022444rr138bc6"
  }

  tags = {
    Tag1 = "Value1"
    Tag2 = "Value2"
  }

  timeouts {
    create = "40m"
    update = "50m"
    delete = "1h"
  }
}
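The answer above wires the policy to the rule group and the firewall to the policy, but the question's actual blocker is the route table that consumes the firewall endpoint. The following is an added example (not the answerer's code) that completes the dependency chain end to end: the rule group the question omitted, the policy, the firewall, and a route whose `vpc_endpoint_id` is read from the firewall's `firewall_status` attribute, so Terraform creates the route last and destroys it first. The rule group contents, the route table, the route table association, the availability zone `ap-southeast-2a` and the workload subnet id are all assumptions; the VPC id, subnet id, names and timeouts are taken from the question.

```hcl
# Rule group omitted from the question (contents assumed). The policy below
# references its ARN, so Terraform creates it first and destroys it last.
resource "aws_networkfirewall_rule_group" "example" {
  name     = "example-TEST"
  type     = "STATEFUL"
  capacity = 100

  rule_group {
    # Must match the STRICT_ORDER engine setting declared in the policy.
    stateful_rule_options {
      rule_order = "STRICT_ORDER"
    }
    rules_source {
      # Constructed Suricata rule: alert on TLS sessions whose SNI ends in example.com.
      rules_string = "alert tls any any -> any any (tls.sni; content:\"example.com\"; endswith; msg:\"TLS to example.com\"; sid:1000001; rev:1;)"
    }
  }
}

resource "aws_networkfirewall_firewall_policy" "example" {
  name = "Domains"

  firewall_policy {
    stateful_default_actions           = ["aws:alert_strict", "aws:drop_established"]
    stateless_default_actions          = ["aws:forward_to_sfe"]
    stateless_fragment_default_actions = ["aws:pass"]

    stateful_engine_options {
      rule_order = "STRICT_ORDER"
    }

    stateful_rule_group_reference {
      priority     = 3
      resource_arn = aws_networkfirewall_rule_group.example.arn # implicit dependency on the rule group
    }
  }
}

resource "aws_networkfirewall_firewall" "example" {
  name                = "NFWtf"
  firewall_policy_arn = aws_networkfirewall_firewall_policy.example.arn # implicit dependency on the policy
  vpc_id              = "vpc-ftyha9po1"                                 # value from the question

  subnet_mapping {
    subnet_id = "subnet-0022444rr138bc6" # firewall subnet, value from the question
  }

  timeouts {
    create = "40m"
    update = "50m"
    delete = "1h"
  }
}

# Map each availability zone to the endpoint AWS instantiated in it. Reading
# firewall_status makes every consumer of this map depend on the firewall.
locals {
  firewall_endpoint_by_az = {
    for state in aws_networkfirewall_firewall.example.firewall_status[0].sync_states :
    state.availability_zone => state.attachment[0].endpoint_id
  }
}

# Route table for the protected workload subnet (assumed; not in the question).
resource "aws_route_table" "protected" {
  vpc_id = "vpc-ftyha9po1"
}

# Default route through the firewall endpoint. Because vpc_endpoint_id is derived
# from the firewall's attributes, `terraform destroy` removes this route before it
# attempts to delete the firewall, which is exactly the ordering the question needs.
resource "aws_route" "protected_default" {
  route_table_id         = aws_route_table.protected.id
  destination_cidr_block = "0.0.0.0/0"
  vpc_endpoint_id        = local.firewall_endpoint_by_az["ap-southeast-2a"] # AZ assumed
}

# Explicit dependency: depends_on is the tool when a block references no attribute
# of the other resource but must still be ordered after it. The association below
# consumes nothing from the firewall, yet traffic should not be steered into the
# route table until the firewall endpoint behind its default route exists.
resource "aws_route_table_association" "protected" {
  subnet_id      = "subnet-0000000000000000" # placeholder for the workload subnet
  route_table_id = aws_route_table.protected.id

  depends_on = [aws_networkfirewall_firewall.example]
}
```

With these references in place, `terraform plan -destroy` shows the route and association being removed before the firewall, the firewall before the policy, and the policy before the rule group; `terraform apply` on a clean account runs the same chain in reverse, and neither direction needs manual intervention. Hard-coded ARNs, as in the original question, give Terraform no such ordering information, which is why the deletes fail with "in use" errors.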