We are creating ECR repositories using Terraform. I created repos for each user. I am trying to attach a policy, but I cannot use the repo in the resource.

tfvars file:
app_ecr_repo = [
  { name = "project-1" },
  { name = "project-2" }
]

for_each with the two repo names:
module "ecr" {
  source = "../../modules/ecr"

  # Common
  default_tags = var.default_tags

  # ECR
  for_each = { for repos in var.app_ecr_repo : join("-", [repos.name]) => repos }
  ecr_respositories = [
    {
      repo_name              = each.value.name
      lifecycle_policy_file  = "ecr_policy_01_tagged.json"
      image_tag_mutability   = "IMMUTABLE"
      image_scanning_enabled = true
    }
  ]
}

How do I attach the ECR repository name here?
resource "aws_ecr_repository_policy" "repo_policy" {
  repository = module.ecr.name
  policy     = <<EOF
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "new policy",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchGetImage",
        "ecr:BatchCheckLayerAvailability",
        "ecr:PutImage",
        "ecr:InitiateLayerUpload",
        "ecr:UploadLayerPart",
        "ecr:CompleteLayerUpload",
        "ecr:DescribeRepositories",
        "ecr:GetRepositoryPolicy",
        "ecr:ListImages",
        "ecr:DeleteRepository",
        "ecr:BatchDeleteImage",
        "ecr:SetRepositoryPolicy",
        "ecr:DeleteRepositoryPolicy"
      ]
    }
  ]
}
EOF
}

This is the root module, which has the aws_ecr_repository resource:
############################################################################################################
# Elastic Container Registry (ECR)
############################################################################################################
resource "aws_ecr_repository" "this" {
  count                = length(var.ecr_respositories) > 0 ? length(var.ecr_respositories) : 0
  name                 = lookup(var.ecr_respositories[count.index], "repo_name", null)
  image_tag_mutability = lookup(var.ecr_respositories[count.index], "image_tag_mutability", var.image_tag_mutability)

  image_scanning_configuration {
    scan_on_push = lookup(var.ecr_respositories[count.index], "image_scanning_enabled", var.image_scanning_enabled)
  }

  tags = merge(
    {
      "Name" = lookup(var.ecr_respositories[count.index], "repo_name", null)
    },
    var.tags,
    var.default_tags
  )
}

############################################################################################################
# ECR Lifecycle Policy
############################################################################################################
locals {
  ecr_respositories_with_policy = [
    for repo in var.ecr_respositories :
    repo
    if lookup(repo, "lifecycle_policy_file", null) != null
  ]
}

resource "aws_ecr_lifecycle_policy" "this" {
  count      = length(local.ecr_respositories_with_policy) > 0 ? length(local.ecr_respositories_with_policy) : 0
  policy     = file("${path.cwd}/ecr_lifecycle_policy/${local.ecr_respositories_with_policy[count.index].lifecycle_policy_file}")
  repository = local.ecr_respositories_with_policy[count.index].repo_name
  depends_on = [aws_ecr_repository.this]
}

Posted on 2022-06-18 20:56:40
In order to access the attributes of resources created with a module, the child module must define an output [1]. Accessing child module outputs [2] is a bit different from accessing resources that are not defined inside a module. So, in the child module code, you must add the following:

output "ecr_name" {
  description = "ECR repository name."
  # "this" is created with count, so the splat returns the list of names
  value       = aws_ecr_repository.this[*].name
}

Since the module is called using the for_each meta-argument, in the policy you can say:
resource "aws_ecr_repository_policy" "repo_policy" {
  for_each   = { for repos in var.app_ecr_repo : join("-", [repos.name]) => repos }
  repository = module.ecr[each.key].ecr_name
  .
  .
  .
}

Referencing module instances is described in [3].
EDIT

The child module uses the count meta-argument, while the root module uses the for_each meta-argument. Because of that it is hard to map between the module's outputs and the input required by the aws_ecr_repository_policy resource and keep it dynamic. The only viable options are:

(a) hard-code the key of the resource created with the module (e.g. repository = module.ecr["project-1"].ecr_name[count.index]) and set the count meta-argument to count = length(module.ecr["project-1"].ecr_name). This would have to be repeated for project-2.

(b) hard-code the index of the output and use the same for_each, i.e. for_each = { for repos in var.app_ecr_repo : join("-", [repos.name]) => repos } and repository = module.ecr[each.key].ecr_name[0]

The second case is a bit better, but only because the module call currently passes a list with a single element:
ecr_respositories = [
  {
    repo_name              = each.value.name
    image_tag_mutability   = "IMMUTABLE"
    image_scanning_enabled = true
  }
]

If the number of elements is increased, this solution will not work and there would have to be multiple instances of the aws_ecr_repository_policy resource. Alternatively, the resource can be added to the module itself, which helps avoid these headaches.
Solution 1

In the root module, add the following:
resource "aws_ecr_repository_policy" "repo_policy" {
  for_each   = { for repos in var.app_ecr_repo : join("-", [repos.name]) => repos }
  repository = module.ecr[each.key].ecr_name[0]
  policy     = <<EOF
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "new policy",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchGetImage",
        "ecr:BatchCheckLayerAvailability",
        "ecr:PutImage",
        "ecr:InitiateLayerUpload",
        "ecr:UploadLayerPart",
        "ecr:CompleteLayerUpload",
        "ecr:DescribeRepositories",
        "ecr:GetRepositoryPolicy",
        "ecr:ListImages",
        "ecr:DeleteRepository",
        "ecr:BatchDeleteImage",
        "ecr:SetRepositoryPolicy",
        "ecr:DeleteRepositoryPolicy"
      ]
    }
  ]
}
EOF
}

Solution 2
In the child module, add the following code:

resource "aws_ecr_repository_policy" "repo_policy" {
  count      = length(var.ecr_respositories) > 0 ? length(var.ecr_respositories) : 0
  repository = aws_ecr_repository.this[count.index].name
  policy     = <<EOF
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "new policy",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchGetImage",
        "ecr:BatchCheckLayerAvailability",
        "ecr:PutImage",
        "ecr:InitiateLayerUpload",
        "ecr:UploadLayerPart",
        "ecr:CompleteLayerUpload",
        "ecr:DescribeRepositories",
        "ecr:GetRepositoryPolicy",
        "ecr:ListImages",
        "ecr:DeleteRepository",
        "ecr:BatchDeleteImage",
        "ecr:SetRepositoryPolicy",
        "ecr:DeleteRepositoryPolicy"
      ]
    }
  ]
}
EOF
}

https://stackoverflow.com/questions/72671904