terraform从vpc端点子网选项卡获取子网集成ips

Question

流程是这样的

1.vpc-->vpc_endpoint(com.amazonaws.us-east-1.transfer.server) --> [subnet_1, subnet_2]

2.net --> nlb --> targetgroups --> [subnet_ip_1, subnet_ip_2]

我正在创建具有指向VPC端点的目标组的网络负载均衡，这些VPC端点是为'AWS transfer for sftp‘com.amazonaws.us-east-1.transfer.server创建的，但terraform不返回与VPC端点集成的子网的ips

因此，目前我正在从vpc端点下的子网选项卡中手动复制ips。但是，我想使用terraform自动化这个完整的过程

任何帮助都将不胜感激

resource "aws_eip" "nlb" {
  count = length(var.public_subnet_ids)
  vpc   = true
}

resource "aws_lb" "network" {
  name               = "${var.service_name}-${var.env}-nlb"
  load_balancer_type = "network"

  dynamic subnet_mapping {
    for_each = [for i in range(length(module.vpc.public_subnet_ids)) : {
      subnet_id     = var.public_subnet_ids[i]
      allocation_id = aws_eip.nlb[i].id
    }]
    content {
      subnet_id     = subnet_mapping.value.subnet_id
      allocation_id = subnet_mapping.value.allocation_id
    }
  }
}

resource "aws_lb_target_group" "target-group" {
  name        = "${var.service_name}-${var.env}-nlb-target-group"
  port        = 22
  protocol    = "TCP"
  target_type = "ip"
  vpc_id      = var.vpc_id
}

// TODO need to add vpc endpoint subnet ip addresses manually to nlb target group as terraform doesn't export the subnet ip addresses
//resource "aws_lb_target_group_attachment" "vpc-endpoint" {
//  count = length(var.public_subnet_ids)
//  target_group_arn = aws_lb_target_group.target-group.arn
//  target_id        = this needs ip of subnets intgerated with vpc endpoint 
//  port             = 22
//}

resource "aws_vpc_endpoint" "transfer" {
  vpc_id              = var.vpc_id
  service_name        = "com.amazonaws.${var.aws_region}.transfer.server"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = var.public_subnet_ids
  private_dns_enabled = true
}

resource "aws_transfer_server" "sftp" {
  identity_provider_type = "API_GATEWAY"
  endpoint_type = "VPC_ENDPOINT"
  endpoint_details {
    vpc_endpoint_id = aws_vpc_endpoint.transfer.id
  }
  url = aws_api_gateway_deployment.deploy.invoke_url
  invocation_role = aws_iam_role.transfer-identity-provider-role.arn
  logging_role = aws_iam_role.transfer-logging-role.arn

  depends_on = [aws_vpc_endpoint.transfer]
}

Answer 1

从the docs上看，VPC端点似乎具有主机名而不是静态IP地址，这通常意味着主机名可能会引用多个IP地址，或者可能会随着时间的推移而变化。因此，您在这里想要做的事情可能是不可能的，或者至少可能不会随着时间的推移而保持可靠。

话虽如此，您也许能够在使用dns提供程序运行Terraform时获得与这些主机名对应的IP地址，只要这些主机名立即可用：

resource "aws_vpc_endpoint" "transfer" {
  vpc_id              = var.vpc_id
  service_name        = "com.amazonaws.${var.aws_region}.transfer.server"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = var.public_subnet_ids
  private_dns_enabled = true
}

data "dns_a_record_set" "endpoints" {
  # dns_a_record_set.endpoints is a map from hostname to an object containing "addrs"
  for_each = { for e in aws_vpc_endpoint.transfer.dns_entry : e.dns_name => e }

  host = each.key
}

locals {
  # Flatten the IP addresses down into a single set.
  endpoint_ip_addrs = toset(flatten(dns_a_record_set.endpoints[*].addrs))
}

resource "aws_lb_target_group_attachment" "vpc-endpoint" {
  for_each = local.endpoint_ip_addrs

  target_group_arn = aws_lb_target_group.target-group.arn
  target_id        = each.value
  port             = 22
}

不幸的是，我希望aws_vpc_endpoint的dns_entry属性中的主机名只有在apply之后才会知道，因此它们不是用于for_each的好键。如果这是真的，那么上面的错误将产生错误，指出for_each值是不适当的，除非您使用-target逐步应用它。

aws_vpc_endpoint的设计似乎不适合您在这里尝试做的事情，因为它没有提供任何明确的指示，说明哪个主机名属于哪个子网，因此没有足够的信息来构造映射或设置值，这些映射或设置值将具有配置中已知的关键字。可能值得考虑另一种方法，即从等式中完全删除负载均衡器，而只使用aws_vpc_endpoint提供的DNS主机名，因为考虑到资源类型的设计方式，这似乎是预期的用途。

Answer 2

尝试如下所示：

## Data Section
data "aws_network_interface" "eni_0" {
  id = "${aws_vpc_endpoint.transfer.network_interface.ids {0}"
}

  data "aws_network_interface" "eni_1" {
  id = "${aws_vpc_endpoint.transfer.network_interface.ids {1}"
}


## Resource Section
resource "aws_alb_target_group_attachment" "tg_att_0" {
  target_group_arn = "$aws_lb_target_group.group.arn}"
  target_id = "${data.aws_network_interface.eni_0.private_ips[0]}"
  port = 22
}

resource "aws_alb_target_group_attachment" "tg_att_1" {
  target_group_arn = "$aws_lb_target_group.group.arn}"
  target_id = "${data.aws_network_interface.eni_1.private_ips[0]}"
  port = 22
}

这确实起作用了，但是还没有时间优化代码。它允许您将NLB连接到VPC端点内部地址。

祝好运。