Hi am working terraform code where am creating eks cluster and rds with security group for rds ad cluster also in rds security group am using dynamic method create ingress in that some using cidr some of security group am able to create cidr am stuck at security groupa
variable.tf
variable "ingress_rules" {
default = {
"indian vpn ingress rule" = {
"description" = "India CIDR"
"from_port" = "1521"
"to_port" = "1521"
"protocol" = "tcp"
"cidr_blocks" = ["192.34.890.0/24"]
},
"eks node ingress rule" = {
"description" = "EKS Nodes SG"
"from_port" = "1521"
"to_port" = "1521"
"protocol" = "tcp"
"security_groups" = ["module.eks.worker_security_group_id"]
}
mani.tf
esource "aws_security_group" "rds_sg" {
name = "${var.cluster_name}-rds-sg"
vpc_id = var.vpc_id
dynamic "ingress" {
for_each = var.ingress_rules
content {
description = lookup(ingress.value, "description", null)
from_port = lookup(ingress.value, "from_port", null)
to_port = lookup(ingress.value, "to_port", null)
protocol = lookup(ingress.value, "protocol", null)
cidr_blocks = lookup(ingress.value, "cidr_blocks", null)
security_groups = lookup(ingress.value, "security_groups", null)
}
}
How to define ["module.eks.worker_security_group_id"] in varibale tf my eks module define in main.tf
I think there is a misunderstanding on the differences between input variables and local variables here.
input variables, can have a default value if not value is provided but they must be static.
local variables can be dynamic.
So, for your case, since the "ingress_rules" has already been defined and it is not going to change, but it must be build dynamically, it would be better to build it inside the "locals" block.
locals {
ingress_rules = {
***
***
}
}
To access it, use local.ingress_rules
You can't do that. TF does not support dynamic variables. The only thing you can do is to use locals instead. In local variables you can use dynamic content.
Related
I'm trying to create the instances according to the following code -
resource "aws_instance" "ec2" {
ami = "ami-0fe0b2cf0e1f25c8a"
instance_type = var.ec2_instance_type
count = var.number_of_instances
tags = {
Name = "ec2_instance_${count.index}"
}
}
resource "aws_eip" "lb" {
vpc = true
count = var.number_of_instances
}
resource "aws_eip_association" "eic_assoc" {
instance_id = aws_instance.ec2[count.index].id
allocation_id = aws_eip.lb[count.index].id
count = var.number_of_instances
}
resource "aws_security_group" "allow_tls" {
name = "first-security-group-created-by-terraform"
count = var.number_of_instances
ingress {
from_port = var.security_group_port
to_port = var.security_group_port
protocol = var.security_group_protocol
cidr_blocks = ["${aws_eip.lb[count.index].public_ip}/32"]
}
}
And got the following error -
Error: creating Security Group (first-security-group-created-by-terraform): InvalidGroup.Duplicate: The security group 'first-security-group-created-by-terraform' already exists for VPC 'vpc-0fb3457c89d86e916'
Probably because this is not the right way to create the aws_security_group when there are multiple instances of eip and ec2.
What is the right way to do that?
You are creating multiple security groups, but giving them all exactly the same name. The name needs to be unique for each security group. You could fix it like this:
resource "aws_security_group" "allow_tls" {
count = var.number_of_instances
name = "first-security-group-created-by-terraform-${count.index}"
ingress {
from_port = var.security_group_port
to_port = var.security_group_port
protocol = var.security_group_protocol
cidr_blocks = ["${aws_eip.lb[count.index].public_ip}/32"]
}
}
One way to create a single security group with multiple ingress rules is to create the group without any ingress blocks, and then create the ingress rules separately:
resource "aws_security_group" "allow_tls" {
name = "first-security-group-created-by-terraform"
}
resource "aws_security_group_rule" "allow_tls_rules" {
count = var.number_of_instances
type = "ingress"
from_port = var.security_group_port
to_port = var.security_group_port
protocol = var.security_group_protocol
cidr_blocks = ["${aws_eip.lb[count.index].public_ip}/32"]
security_group_id = aws_security_group.allow_tls.id
}
I'm trying to update a terraform module to add a new security group, which will have an inbound rule populated with two managed prefix lists. The prefix lists are shared to my AWS account from a different account using AWS Resource Access Manager, however I have tried referencing prefix lists created within my own AWS account and am seeing the same error.
Below is the terraform I am using:
resource "aws_security_group" "akamai_sg" {
name = "akamai-pl-sg"
description = "Manage access from Akamai to ${var.environment} alb"
vpc_id = var.vpc_id
tags = merge(var.common_tags, tomap({ "Name" = "akamai-pl-sg" }))
revoke_rules_on_delete = true
}
resource "aws_security_group_rule" "akamai_to_internal_alb" {
for_each = toset(var.domains_inc_akamai)
type = "ingress"
description = "Allow Akamai into ${var.environment}${var.domain_name_suffix}-alb"
from_port = var.alb_listener_port
to_port = var.alb_listener_port
protocol = "tcp"
security_group_id = aws_security_group.akamai_sg.id
prefix_list_ids = [data.aws_prefix_list.akamai-site-shield.id, data.aws_prefix_list.akamai-staging.id]
}
data "aws_prefix_list" "akamai-site-shield" {
filter {
name = "prefix-list-id"
values = ["pl-xxxxxxxxxx"]
}
}
data "aws_prefix_list" "akamai-staging" {
filter {
name = "prefix-list-id"
values = ["pl-xxxxxxxxxx"]
}
}
The terraform error I am revieving reads:
"Error: no matching prefix list found; the prefix list ID or name may be invalid or not exist in the current region"
Is anyone able to help, or see where I am going wrong?
Thanks in advance.
Would not be the following possible?
data "aws_vpc_endpoint" "s3" {
vpc_id = aws_vpc.foo.id
service_name = "com.amazonaws.us-west-2.s3"
}
data "aws_prefix_list" "s3" {
prefix_list_id = aws_vpc_endpoint.s3.prefix_list_id
}
It seems the solution is to use:
data "aws_ec2_managed_prefix_list" "example" {
filter {
name = "prefix-list-name"
values = ["my-prefix-list"]
}
}
I am still new on Terraform.
I am trying to create a single security group rule in order to whitelist a single IP, onto a set of existing security groups returned by data source "aws_security_groups".
data "aws_security_groups" "test" {
filter {
name = "group-name"
values = ["*VPN*"]
}
}
resource "aws_security_group_rule" "this" {
type = "ingress"
security_group_id = ["for id in data.aws_security_groups.test.ids : id"] //need to get from aws_security_groups datasource
from_port = 1
to_port = 1
protocol = -1
}
however I could not get it right, the tricky part is with the "security_group_id"
can please suggest any methods without using external modules? thanks.
ids is a list. So you can use for_each:
resource "aws_security_group_rule" "this" {
for_each = toset(data.aws_security_groups.test.ids)
type = "ingress"
security_group_id = each.key
from_port = 1
to_port = 1
protocol = -1
}
My terraform script is as follow: eveything in VPC
resource "aws_security_group" "cacheSecurityGroup" {
name = "${var.devname}-${var.namespace}-${var.stage}-RedisCache-SecurityGroup"
vpc_id = var.vpc.vpc_id
tags = var.default_tags
ingress {
protocol = "tcp"
from_port = 6379
to_port = 6379
cidr_blocks = ["0.0.0.0/0"]
ipv6_cidr_blocks = ["::/0"]
}
egress {
protocol = "-1"
from_port = 0
to_port = 0
cidr_blocks = ["0.0.0.0/0"]
ipv6_cidr_blocks = ["::/0"]
}
}
resource "aws_elasticache_parameter_group" "usagemonitorCacheParameterGroup" {
name = "${var.devname}${var.namespace}${var.stage}-usagemonitor-cache-parameterGroup"
family = "redis6.x"
}
resource "aws_elasticache_subnet_group" "redis_subnet_group" {
name = "${var.devname}${var.namespace}${var.stage}-usagemonitor-cache-subnetGroup"
subnet_ids = var.vpc.database_subnets
}
resource "aws_elasticache_replication_group" "replication_group_usagemonitor" {
replication_group_id = "${var.devname}${var.namespace}${var.stage}-usagemonitor-cache"
replication_group_description = "Replication group for Usagemonitor"
node_type = "cache.t2.micro"
number_cache_clusters = 2
parameter_group_name = aws_elasticache_parameter_group.usagemonitorCacheParameterGroup.name
subnet_group_name = aws_elasticache_subnet_group.redis_subnet_group.name
#security_group_names = [aws_elasticache_security_group.bar.name]
automatic_failover_enabled = true
at_rest_encryption_enabled = true
port = 6379
}
if i uncomment the line
#security_group_names = [aws_elasticache_security_group.bar.name]
am getting
i get following error:
Error: Error creating Elasticache Replication Group: InvalidParameterCombination: Use of cache security groups is not permitted along with cache subnet group and/or security group Ids.
status code: 400, request id: 4e70e86d-b868-45b3-a1d2-88ab652dc85e
i read that we dont have to use aws_elasticache_security_group if all resources are inside VPC. What the correct way to assign security groups to aws_elasticache_replication_group ??? usinf subnets??? how ???
I do something like this, I believe this is the best way to assign required configuration:
resource "aws_security_group" "redis" {
name_prefix = "${var.name_prefix}-redis-"
vpc_id = var.vpc_id
lifecycle {
create_before_destroy = true
}
}
resource "aws_elasticache_replication_group" "redis" {
...
engine = "redis"
subnet_group_name = aws_elasticache_subnet_group.redis.name
security_group_ids = concat(var.security_group_ids, [aws_security_group.redis.id])
}
Your subnet group basically includes all private or public subnets from your VPC where the elasticache replication group is going to be created.
In general, use security group ids instead of names.
I have written a terraform module that definitely works and if you interested it is available under with examples https://github.com/umotif-public/terraform-aws-elasticache-redis.
In my terraform configuration file, I define my resource like so:
resource "google_compute_instance" "test" {
...
count = 2
}
What I now want is to create load balancer, that will balance between two instances of my google compute instance. Unfortunatelly, I could not find in documentation anything relative to this task. It seems like google_compute_target_pool or google_compute_lb_ip_ranges have nothing to do with my problem.
You would have to use 'forwarding rules' as indicated on this terraform document. To use load balancing and protocol forwarding, you must create a forwarding rule that directs traffic to specific target instances. The use on Cloud Platform of forwarding rules you can find here.
In common cases you can use something like the following:
resource "google_compute_instance" "test" {
name = "nlb-node${count.index}"
zone = "europe-west3-b"
machine_type = "f1-micro"
count = 2
boot_disk {
auto_delete = true
initialize_params {
image = "ubuntu-os-cloud/ubuntu-1604-lts"
size = 10
type = "pd-ssd"
}
}
network_interface {
subnetwork = "default"
access_config {
nat_ip = ""
}
}
service_account {
scopes = ["userinfo-email", "compute-ro", "storage-ro"]
}
}
resource "google_compute_http_health_check" "nlb-hc" {
name = "nlb-health-checks"
request_path = "/"
port = 80
check_interval_sec = 10
timeout_sec = 3
}
resource "google_compute_target_pool" "nlb-target-pool" {
name = "nlb-target-pool"
session_affinity = "NONE"
region = "europe-west3"
instances = [
"${google_compute_instance.test.*.self_link}"
]
health_checks = [
"${google_compute_http_health_check.nlb-hc.name}"
]
}
resource "google_compute_forwarding_rule" "network-load-balancer" {
name = "nlb-test"
region = "europe-west3"
target = "${google_compute_target_pool.nlb-target-pool.self_link}"
port_range = "80"
ip_protocol = "TCP"
load_balancing_scheme = "EXTERNAL"
}
You can get load balancer external ip via ${google_compute_forwarding_rule.network-load-balancer.ip_address}
// output.tf
output "network_load_balancer_ip" {
value = "${google_compute_forwarding_rule.network-load-balancer.ip_address}"
}