I am trying to add multiple rules to a cloudposse security group. Here is the relevant code:
module "subnets" {
  source  = "cloudposse/dynamic-subnets/aws"
  version = "0.39.8"

  vpc_id             = module.vpc.vpc_id
  igw_id             = module.vpc.igw_id
  cidr_block         = module.vpc.vpc_cidr_block
  availability_zones = local.az_names
  # nat_gateway_enabled = true

  context = module.this.context
}

module "sg" {
  source  = "cloudposse/security-group/aws"
  version = "0.4.3"

  attributes = ["primary"]
  rules = [
    {
      key         = "HTTP"
      type        = "ingress"
      from_port   = 80
      to_port     = 80
      protocol    = "tcp"
      cidr_blocks = module.subnets.public_subnet_cidrs
      self        = null
      description = "Allow HTTP from IPs in our public subnets (which includes the ALB)"
    },
    {
      key         = "SSH"
      type        = "ingress"
      from_port   = 22
      to_port     = 22
      protocol    = "tcp"
      cidr_blocks = ["0.0.0.0/0"]
      self        = null
      description = "Allow SSH from all IPs"
    }
  ]

  vpc_id  = module.vpc.vpc_id
  context = module.this.context
}

This fails with:

Error: Invalid value for module argument. The given value is not suitable for child module variable "rules" defined at .terraform/modules/project_module.sg/variables.tf:60,1-17: element types must all match for conversion to list.
The problem is cidr_blocks. If I replace the first one with ["0.0.0.0/0"], it works. I see that the module output is aws_subnet.public.*.cidr_block. The current value of the cidr_blocks attribute on the resource is ["172.16.96.0/19", "172.16.128.0/19"], which looks like a list of strings to me. When I open terraform console and ask for the type of public_subnet_cidrs, I only get dynamic. I tried wrapping the output in tolist() and adding an empty string to the cidr_blocks array in the second ingress rule (to make lists of the same length), but neither changed the error.
I have managed to work around this by defining rules with a rule_matrix for the HTTP rule and a rules map for the SSH rule, but that feels rather cumbersome.
What am I doing wrong?
Posted on 2022-04-30 23:26:21
You can use rules_map instead of rules:
module "sg" {
  source  = "cloudposse/security-group/aws"
  version = "0.4.3"

  attributes = ["primary"]
  rules_map = {
    "HTTP" = [{
      key         = "HTTP"
      type        = "ingress"
      from_port   = 80
      to_port     = 80
      protocol    = "tcp"
      cidr_blocks = module.subnets.public_subnet_cidrs
      self        = null
      description = "Allow HTTP from IPs in our public subnets (which includes the ALB)"
    }],
    "SSH" = [{
      key         = "SSH"
      type        = "ingress"
      from_port   = 22
      to_port     = 22
      protocol    = "tcp"
      cidr_blocks = ["0.0.0.0/0"]
      self        = null
      description = "Allow SSH from all IPs"
    }]
  }

  vpc_id  = module.vpc.vpc_id
  context = module.this.context
}

This is a bit cleaner than using rules and rule_matrix. Also, I don't know why just using rules doesn't work. My guess is that it does some internal processing on cidr_blocks and expects them to be exactly the same type (a list with 3 non-empty string elements).
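As an added example (not code from the question, the answer, or the cloudposse module itself), here is the same security group written with rules_map, with two changes a reviewer would want: both CIDR lists are normalised with tolist() so the rule objects have identical types (a bare ["..."] literal in Terraform is a tuple, which is a different type from a module output of list(string), and that mismatch is what the "element types must all match" error is about), and the SSH source is taken from a variable instead of 0.0.0.0/0. The variable ssh_allowed_cidrs and its default are constructed for this example; module.vpc, module.subnets and module.this are assumed to exist as in the question.

```hcl
# Added example: cloudposse security group with type-consistent CIDR lists and
# SSH restricted to a management range. Not the page's own code.

variable "ssh_allowed_cidrs" {
  description = "CIDR blocks allowed to reach port 22 (constructed placeholder default)"
  type        = list(string)
  # 203.0.113.0/24 is a documentation range; replace it with your bastion/VPN range.
  default     = ["203.0.113.0/24"]
}

locals {
  # tolist() turns a tuple literal or a dynamic module output into list(string),
  # so every rule object carries the same cidr_blocks type.
  http_sources = tolist(module.subnets.public_subnet_cidrs)
  ssh_sources  = tolist(var.ssh_allowed_cidrs)
}

module "sg" {
  source  = "cloudposse/security-group/aws"
  version = "0.4.3"

  attributes = ["primary"]
  vpc_id     = module.vpc.vpc_id

  # rules_map is loosely typed by the module, which is consistent with the answer's
  # observation that it accepts rule objects that the typed rules list rejects.
  rules_map = {
    HTTP = [{
      key         = "HTTP"
      type        = "ingress"
      from_port   = 80
      to_port     = 80
      protocol    = "tcp"
      cidr_blocks = local.http_sources
      self        = null
      description = "Allow HTTP from our public subnets (which includes the ALB)"
    }]
    SSH = [{
      key         = "SSH"
      type        = "ingress"
      from_port   = 22
      to_port      = 22
      protocol    = "tcp"
      cidr_blocks = local.ssh_sources
      self        = null
      description = "Allow SSH from the management CIDRs only"
    }]
  }

  context = module.this.context
}
```

Keeping the SSH source in a variable means the allowed range shows up in plan output and code review rather than being buried in a rule literal, and the same tolist() normalisation can be applied if you prefer to stay with the plain rules list instead of rules_map.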
https://stackoverflow.com/questions/72070468