How do I correctly pass firewall rules to the google-terraform-network module?

I want to create a network with the google-terraform-network module. In addition, I want to pass the firewall rules I have defined to the module as a parameter, so that the created network contains these two rules.

When I pass the firewall rules directly, i.e.:

firewall_rules = [google_compute_firewall.allow_ssh, google_compute_firewall.allow_http]

I get the following error: The given value is not suitable for module.vpc.module.firewall_rules.var.rules declared at .terraform/modules/vpc/modules/firewall-rules/variables.tf:27,1-17: element 0: attribute "log_config": object required.

On the other hand, when I pass the self_link, i.e.:

firewall_rules = [google_compute_firewall.allow_ssh.self_link, google_compute_firewall.allow_http.self_link]

I get many errors of the following form:

 Error: Invalid function argument
│   on .terraform/modules/vpc/main.tf line 70, in locals:
│   70:       deny                    = lookup(f, "deny", [])
│ Invalid value for "inputMap" parameter: lookup() requires a map as the first argument.

The complete main.tf is as follows:

provider "google" {
  project = var.project
  region  = var.region
  zone    = var.zone
}

// firewall rule to allow ssh
resource "google_compute_firewall" "allow_ssh" {
  name    = "allow-ssh"
  network = var.network_name

  allow {
    protocol = "tcp"
    ports    = ["22"]
  }

  source_ranges = ["0.0.0.0/0"]
}

// firewall rule to allow http
resource "google_compute_firewall" "allow_http" {
  name    = "allow-http"
  network = var.network_name

  allow {
    protocol = "tcp"
    ports    = ["80"]
  }

  source_ranges = [""]
}

module "vpc" {
  source  = "terraform-google-modules/network/google"
  version = "~> 7.0"

  project_id   = var.project
  network_name = var.network_name
  routing_mode = "GLOBAL"

  subnets = [
    {
      subnet_name   = var.subnet_name
      subnet_ip     = var.subnet_ip
      subnet_region = var.region
    },
  ]

  firewall_rules = [google_compute_firewall.allow_ssh.self_link, google_compute_firewall.allow_http.self_link]
}

Answer 1

OK, I found the solution. The firewall_rules parameter requires a list of objects that follow a specific structure. Adding the following variable and assigning it to the firewall_rules parameter solves the problem:

variable "rules" {
  description = "List of rule definitions"
  default = [
    {
      name      = "allow-ssh-ingress"
      direction = "INGRESS"
      ranges    = ["0.0.0.0/0"]
      allow = [{
        protocol = "tcp"
        ports    = ["22"]
      }]
      deny = []
      log_config = {
        metadata = "INCLUDE_ALL_METADATA"
      }
    },

    {
      name      = "allow-http-ingress"
      direction = "INGRESS"
      ranges    = ["0.0.0.0/0"]
      allow = [{
        protocol = "tcp"
        ports    = ["80"]
      }]
      deny = []
      log_config = {
        metadata = "INCLUDE_ALL_METADATA"
      }
    }
  ]

  type = list(object({
    name                    = string
    description             = optional(string)
    direction               = optional(string)
    priority                = optional(number)
    ranges                  = optional(list(string))
    source_tags             = optional(list(string))
    source_service_accounts = optional(list(string))
    target_tags             = optional(list(string))
    target_service_accounts = optional(list(string))
    allow = optional(list(object({
      protocol = string
      ports    = optional(list(string))
    })))
    deny = optional(list(object({
      protocol = string
      ports    = optional(list(string))
    })))
    log_config = optional(object({
      metadata = string
    }))
  }))
}

Then:

firewall_rules = var.rules
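A complete main.tf that applies the answer above, written here as an added example; it is not code from the question, the answer, or the terraform-google-modules project. The standalone google_compute_firewall resources from the question are dropped, because the module now creates the rules itself and a resource referencing var.network_name would otherwise compete with the network the module creates. Every rule object lists all of the attributes named in the answer's type, with null for the ones not used, so the value converts to the module's rules type whether or not that type marks the attributes as optional; log_config is always present because its absence is what produced the `attribute "log_config": object required` error. The variables var.project, var.region, var.zone, var.network_name, var.subnet_name and var.subnet_ip are assumed to be declared elsewhere as in the question; var.admin_cidrs and the target tags "ssh" and "web" are hypothetical additions so that port 22 is reachable only from administrative ranges and each rule applies only to tagged instances.

```hcl
terraform {
  # optional() in object type constraints is generally available from Terraform 1.3.
  required_version = ">= 1.3"
}

provider "google" {
  project = var.project
  region  = var.region
  zone    = var.zone
}

# Hypothetical variable, not on the original page: ranges allowed to reach SSH.
variable "admin_cidrs" {
  description = "CIDR ranges allowed to reach TCP/22 (constructed default, adjust to your environment)"
  type        = list(string)
  default     = ["10.0.0.0/8"]
}

locals {
  # Each object carries every attribute of the module's rule type. Unused
  # attributes are set to null explicitly, so the list converts cleanly even
  # if the module's type does not mark them optional.
  firewall_rules = [
    {
      name                    = "allow-ssh-ingress"
      description             = "SSH from administrative ranges only"
      direction               = "INGRESS"
      priority                = 1000
      ranges                  = var.admin_cidrs
      source_tags             = null
      source_service_accounts = null
      target_tags             = ["ssh"]
      target_service_accounts = null
      allow = [{
        protocol = "tcp"
        ports    = ["22"]
      }]
      deny       = []
      log_config = { metadata = "INCLUDE_ALL_METADATA" }
    },
    {
      name                    = "allow-http-ingress"
      description             = "Public HTTP to instances tagged web"
      direction               = "INGRESS"
      priority                = 1000
      ranges                  = ["0.0.0.0/0"]
      source_tags             = null
      source_service_accounts = null
      target_tags             = ["web"]
      target_service_accounts = null
      allow = [{
        protocol = "tcp"
        ports    = ["80"]
      }]
      deny       = []
      log_config = { metadata = "INCLUDE_ALL_METADATA" }
    },
  ]
}

module "vpc" {
  source  = "terraform-google-modules/network/google"
  version = "~> 7.0"

  project_id   = var.project
  network_name = var.network_name
  routing_mode = "GLOBAL"

  subnets = [
    {
      subnet_name   = var.subnet_name
      subnet_ip     = var.subnet_ip
      subnet_region = var.region
    },
  ]

  # A list of rule objects, not resource references or self_links.
  firewall_rules = local.firewall_rules
}
```

Running `terraform validate` after this change exercises the type conversion without touching the project: a missing or mistyped attribute in one of the objects is reported at plan time with the same "not suitable for module.vpc.module.firewall_rules.var.rules" wording seen in the question, which makes it easy to tell a schema mistake apart from a permissions or API problem.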
