问题[terraform](server)

我正在使用 Terraform 来管理 Github 组织。我们有一个标准的“通用存储库”模块，用于确保我们的存储库共享通用配置。我想添加对配置 GitHub 页面的支持，这需要对pages元素的支持，如下所示：

  pages {
    build_type = "legacy"
    cname = "example.com"
    source {
      branch = "master"
      path   = "/docs"
    }
  }

一切都是可选的。特别是，source只有在 时才是必需的build_type == "legacy" || build_type == null，整个pages块可以省略。我不知道如何进行source条件化，所以我最终将其拆分成两个dynamic块，如下所示：

  # There are two `dynamic "pages"` blocks here to account for the fact that `source` is only required
  # if `build_type` is "legacy". The `for_each` at the top of each block will only enable the block when
  # the necessary conditions are met.
  dynamic "pages" {

    # enable this block if `pages` is not null and `build_type` is "legacy" (or null)
    for_each = var.pages == null ? [] : var.pages.build_type == "legacy" || var.pages.build_type == null ? ["enabled"] : []

    content {
      source {
        branch = var.pages.source.branch
        path   = var.pages.source.path
      }

      cname      = var.pages.cname
      build_type = var.pages.build_type
    }
  }

  dynamic "pages" {

    # enable this block if `pages` is not null and `build_type` is "workflow"
    for_each = var.pages == null ? [] : var.pages.build_type == "workflow" ? ["enabled"] : []

    content {
      cname      = var.pages.cname
      build_type = var.pages.build_type
    }
  }

pages我在模块中定义变量如下：

variable "pages" {
  description = "Configuration for github pages"
  type = object({
    source = optional(object({
      branch = string
      path   = string
    }))
    build_type = optional(string, "legacy")
    cname      = optional(string)
  })
  default = null
}

有没有更好的方法来解决这个问题？

我发现了一些文档，允许我创建秘密并将其上传到 infisical，如下所示：https://registry.terraform.io/providers/Infisical/infisical/latest/docs/resources/secret，但我找不到任何关于从 infisical 读取秘密的信息。

这个想法是将敏感数据存储在 infisical 中，并通过客户端 ID/客户端密钥将 terraform 连接到它以检索密码等值，然后使用它们（infisical 也用于我使用的许多其他程序，因此将所有内容放在同一个地方很方便）

截至几个月前，Terraform 在将状态推送到后端（位于 S3 中）时，将有 10% 的时间失败。我必须清理掉留下的残渣，再次运行它，它就会过去。在这之前几年，它运行良好。提供者版本没有改变。环境没有改变。关于可能导致/加剧这种情况的任何想法？

module.task-definition.aws_ecs_task_definition.task-definition-default: Destroying... [id=workflow-api-production]
module.task-definition.aws_ecs_task_definition.task-definition-default: Destruction complete after 0s
module.task-definition.aws_ecs_task_definition.task-definition-default: Creating...
module.task-definition.aws_ecs_task_definition.task-definition-default: Creation complete after 0s [id=workflow-api-production]
module.load-balancer.module.service.aws_ecs_service.default: Modifying... [id=arn:aws:ecs:us-east-1:326764833890:service/internal-webserver-ssl/production-workflow-api]
module.load-balancer.module.service.aws_ecs_service.default: Modifications complete after 1s [id=arn:aws:ecs:us-east-1:326764833890:service/internal-webserver-ssl/production-workflow-api]
╷
│ Error: Failed to save state
│ 
│ Error saving state: failed to upload state: operation error S3: PutObject, failed to rewind transport stream for retry, request stream is not seekable
╵
╷
│ Error: Failed to persist state to backend
│ 
│ The error shown above has prevented Terraform from writing the updated state to the configured backend. To allow for recovery, the state has been written to the file "errored.tfstate" in the
│ current working directory.
│ 
│ Running "terraform apply" again at this point will create a forked state, making it harder to recover.
│ 
│ To retry writing this state, use the following command:
│     terraform state push errored.tfstate

我正在尝试循环 IAM 策略资源块中的字符串值以允许 rds IAM 身份验证。我的资源定义是：

  resource "aws_iam_policy" "rds_iam_authentication"{
  name    = "${title(var.environment)}RdsIamAuthentication"
  policy  = templatefile(
    "${path.module}/iam_policy.json",
    {
      aws_account_id        = data.aws_caller_identity.current.account_id
      region         = var.region
      environment           = var.environment
      iam_rds_pg_role_name  = var.iam_rds_pg_role_name
    }
  )
}

iam_rds_pg_role_namein的变量定义terraform.tfvars如下：

region                  = "eu-west-3"
environment             = "env_name"
iam_rds_pg_role_name    = ["read_only_role", "full_role"]
aws_account_id          = "1234567890"

IAM 策略模板文件为：

{
  "Version": "2012-10-17",
  "Statement": [
      {
          "Effect": "Allow",
          "Action": [
              "rds-db:connect"
          ],
          "Resource": [
            %{ for rds_role in iam_rds_pg_role_name ~}
              "arn:aws:rds-db:${region}:${aws_account_id}:dbuser:*/${rds_role}"
            %{ endfor ~}
          ]
      }
  ]
}

我收到一条错误消息

错误：“policy”包含无效的 JSON：数组元素后的字符“”无效

我非常确定问题与 json 编码有关，但是当尝试jsonencode像下面这样在 json 中定义 arn 时，错误仍然存​​在：

%{ for rds_role in iam_rds_pg_role_name ~}
    jsonencode("arn:aws:rds-db:${region}:${aws_account_id}:dbuser:*/${rds_role}")}
%{ endfor ~}

希望有人能解释我所缺少的内容或有人为我指明正确的方向。

提前致谢

我正在尝试从 DataDog 提供程序创建许多资源。我希望为每种资源定义尽可能少的内容。对于许多属性来说，都有一些合理的默认值。我很难决定如何处理监视器阈值，特别是有些阈值可能是可选的。

resource "datadog_monitor" "monitor" {
  for_each = {
    faulty_deploy = {
      message    = "A deployment failed."
      name       = "Deployment Failure"
      query      = "someLongQuery"
      type       = "alert"
      thresholds = {critical = "0"}
    }
  }

  message            = each.value["message"]
  query              = each.value["query"]
  name               = each.value["name"]
  type               = each.value["type"]
  escalation_message = coalesce(each.value["escalation_message"], "")
  evaluation_delay   = coalesce(each.value["evaluation_delay"], "0")
  include_tags       = coalesce(each.value["include_tags"],"true")
  
  dynamic "monitor_thresholds" {
    for_each = each.value["thresholds"]
    iterator = threshold
    content {
      # Dynamically adding these properties is the issue.
      "${threshold.key}" = threshold.value
    }
  }

  # These and more would use coalesce to set defaults.
  new_group_delay      = "60"
  notify_audit         = "false"
  on_missing_data      = "default"
  priority             = "0"
  renotify_interval    = "0"
  renotify_occurrences = "0"
  require_full_window  = "false"
  tags                 = []
  timeout_h            = "0"
}

考虑到某些阈值可能已设置，也可能未设置，如何以这种方式添加动态属性？它们是否应该始终以0or 的形式存在""，并且可以选择性地被覆盖？

我希望能够在计划中看到数据资源（如政策文档）的 JSON。目前，这些类型的资源仅在应用期间“呈现”。

我想知道在运行terraform apply.

这是我的代码：

data "aws_iam_policy_document" "my_policy" {
  statement {
    sid = "S3"
    effect = "Allow"
    actions = ["s3:*"]
    resources = [
      aws_s3_bucket.some-bucket.arn,
      "arn:aws:s3:::another-bucket/*",
      "arn:aws:s3:::another-bucket/"
    ]
  }
  statement {
    sid = "CloudWatch"
    effect = "Allow"
    actions = ["logs:*"]
    resources = [
      aws_cloudwatch_log_group.some_lambda.arn,
      "arn:aws:logs:us-east-1:123456789123:log-group:/some/log/group:*",
      "arn:aws:logs:us-east-1:123456789123:log-group:/some/log/group"
    ]
  }
}

我不明白为什么 Terraform 要删除 json 策略。在其他情况下，当在应用期间读取数据时，计划显示 json 策略被删除并添加到同一计划中，但它没有发生，Terraform 只是删除它。

这是政策：

data "aws_iam_policy_document" "my_policy" {
  statement {
    sid = "S3"
    effect = "Allow"
    actions = ["s3:*"]
    resources = [
      aws_s3_bucket.some-bucket.arn,
      "arn:aws:s3:::another-bucket/*",
      "arn:aws:s3:::another-bucket/"
    ]
  }
  statement {
    sid = "CloudWatch"
    effect = "Allow"
    actions = ["logs:*"]
    resources = [
      aws_cloudwatch_log_group.some_lambda.arn,
      "arn:aws:logs:us-east-1:123456789123:log-group:/some/log/group:*",
      "arn:aws:logs:us-east-1:123456789123:log-group:/some/log/group"
    ]
  }
}

这是计划：

  # data.aws_iam_policy_document.my_policy will be read during apply
  # (config refers to values not yet known)
 <= data "aws_iam_policy_document" "my_policy"  {
      ~ id      = "123456789" -> (known after apply)
      ~ json    = jsonencode(
            {
              - Statement = [
                  - {
                      - Action   = "s3:*"
                      - Effect   = "Allow"
                      - Resource = [
                          - "arn:aws:s3:::another-bucket/*",
                          - "arn:aws:s3:::another-bucket/",
                        ]
                      - Sid      = "S3"
                    },
                  - {
                      - Action   = "logs:*"
                      - Effect   = "Allow"
                      - Resource = [
                          - "arn:aws:logs:us-east-1:123456789123:log-group:/some/log/group:*",
                          - "arn:aws:logs:us-east-1:123456789123:log-group:/some/log/group",
                        ]
                      - Sid      = "CloudWatch"
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> (known after apply)
      - version = "2012-10-17" -> null

      ~ statement {
          - not_actions   = [] -> null
          - not_resources = [] -> null
          ~ resources     = [
              + "arn:aws:s3:::some-bucket/",
                # (2 unchanged elements hidden)
            ]
            # (3 unchanged attributes hidden)
        }
      ~ statement {
          - not_actions   = [] -> null
          - not_resources = [] -> null
            # (4 unchanged attributes hidden)
        }
    }

1 - 为什么 Terraform 想要消除这个 json 策略？

2 -not_actions和not_resources是可选的。我以为它不会出现在计划中。这是正常的吗？

我有一个 Terraform 代码库，它部署了一个私有 EKS 集群、一个堡垒主机和其他 AWS 服务。我还在 Terraform 中添加了一些安全组。其中一个安全组允许从我的家庭 IP 到堡垒主机的入站流量，以便我可以通过 SSH 连接到该节点。这个安全组被称为bastionSG，它也可以正常工作。

但是，最初我无法从堡垒主机运行 kubectl，这是我用来针对 EKS 集群节点执行 kubernetes 开发的节点。原因是我的 EKS 集群是私有的，只允许来自同一 VPC 中的节点的通信，我需要添加一个安全组，允许从我的堡垒主机到cluster control plane我的安全组 bastionSG 所在的通信。

所以我现在的例程是一旦 Terraform 部署了所有内容，然后我找到自动生成的 EKS 安全组，并bastionSG通过 AWS 控制台 (UI) 将我的作为入站规则添加到它，如下图所示。

我不想通过 UI 执行此操作，因为我已经在使用 Terraform 来部署我的整个基础架构。

我知道我可以像这样查询现有的安全组

data "aws_security_group" "selectedSG" {
  id = var.security_group_id
}

在这种情况下，假设selectedSG是一旦 terraform 完成应用过程后由 EKS 创建的安全组。然后我想bastionSG向它添加一个入站规则，而不会覆盖它自动添加的其他规则。

更新：> EKS 节点组

resource "aws_eks_node_group" "flmd_node_group" {
  cluster_name    = var.cluster_name
  node_group_name = var.node_group_name
  node_role_arn   = var.node_pool_role_arn
  subnet_ids      = [var.flmd_private_subnet_id]
  instance_types = ["t2.small"]

  scaling_config {
    desired_size = 3
    max_size     = 3
    min_size     = 3
  }

  update_config {
    max_unavailable = 1
  }

  remote_access {
    ec2_ssh_key = "MyPemFile"
    source_security_group_ids = [
      var.allow_tls_id,
      var.allow_http_id, 
      var.allow_ssh_id,
      var.bastionSG_id
     ]
  }

  tags = {
    "Name" = "flmd-eks-node"
  }
}

如上所示，EKS 节点组中包含 bastionSG 安全组。我希望允许从我的堡垒主机连接到 EKS 控制平面。

EKS 集群

resource "aws_eks_cluster" "flmd_cluster" {
  name     = var.cluster_name
  role_arn = var.role_arn

  vpc_config {
    subnet_ids =[var.flmd_private_subnet_id, var.flmd_public_subnet_id, var.flmd_public_subnet_2_id]
    endpoint_private_access = true
    endpoint_public_access = false
    security_group_ids = [ var.bastionSG_id]
  }
}

bastionSG_id是下面创建的安全组的输出，它作为变量传递到上面的代码中。

BastionSG 安全组

resource "aws_security_group" "bastionSG" {
  name        = "Home to bastion"
  description = "Allow SSH - Home to Bastion"
  vpc_id      = var.vpc_id

  ingress {
    description      = "Home to bastion"
    from_port        = 22
    to_port          = 22
    protocol         = "tcp"
    cidr_blocks      = [<MY HOME IP address>]
  }

  egress {
    from_port        = 0
    to_port          = 0
    protocol         = "-1"
    cidr_blocks      = ["0.0.0.0/0"]
    ipv6_cidr_blocks = ["::/0"]
  }

  tags = {
    Name = "Home to bastion"
  }
}

鉴于 Terraform 的这段伪代码：

resource "null_resource" {
    provisioner "local-exec" {
        command = "echo hello"
        interpreter = local.os == "Windows" ? ["PowerShell", "-Command"] : ["bash"]
}

我如何让它在 Windows 上的 Powershell 和 Linux 上的 bash 中运行？

我需要帮助从 gitlab 存储库中获取 terraform 模块，其中包含多个模块，如 ec2、vpc 等。我在模块 repo 中有两个分支 - 开发和主。我尝试了以下所有方法，但出现错误。我正在采购类似下面的东西。我只需要 ssh，不需要 https。

source = "git::ssh://[email protected]:repo_name/modules.git//ec2?ref=develop"
"git::ssh://[email protected]:repo_name/modules.git//ec2?ref=develop"
"git::ssh://[email protected]:repo_name/modules.git/ec2?ref=develop"
"git::ssh://[email protected]:repo_name/modules/ec2?ref=develop"
"git::ssh://[email protected]:repo_name/modules//ec2?ref=develop"
"git::ssh://[email protected]/repo_name/modules//ec2?ref=develop"
"git::ssh://[email protected]:repo_name/modules.git//ec2"
"git::ssh://[email protected]:repo_name/modules.git?ref=ec2"
"git::ssh://[email protected]:repo_name/modules.git?ref=develop//ec2"
"git::ssh://[email protected]:repo_name/modules.git/develop/ec2"
"git::ssh://[email protected]:repo_name/modules.git//ec2?ref=develop"
"git::ssh://[email protected]:repo_name/modules.git/develop/ec2"
"git::ssh://[email protected]:repo_name/modules/ec2?ref=develop"
"git::ssh://[email protected]:repo_name/modules//ec2"

这是我得到的错误

│ 
│ Module "ec2" (declared at compute/main.tf line 1)
│ has invalid source address
│ "git::ssh://[email protected]:repo_name/modules//ec2": Terraform
│ cannot detect a supported external module source type for