在创建资源之前，我们可以在 Terraform 中匹配多个条件吗？

Posted 2023-03-24

【中文标题】在创建资源之前，我们可以在 Terraform 中匹配多个条件吗？

【英文标题】：Can we match multiple conditions in Terraform before creating a resource?

【发布时间】：2021-01-04 06:37:36

【问题描述】：

我正在尝试将 AWS CloudFormation 脚本转换为 Terraform，但我在这里面临的问题是 Cloudformation 有一些称为条件的东西，我们可以在创建资源之前指定多个条件来匹配，但我正在努力在 terraform 中复制相同的条件。

ClodeFormation 示例代码：

Conditions:
    NACLDefaultPublicAllowed: !Equals [ !Ref NACLOpenByDefault, "true"]
    NACLDefaultPrivateOnly: !Equals [ !Ref NACLOpenByDefault, "false"]

    InboundSSHIsAllowed: !Equals [ !Ref AllowInboundSSH, "true"]
    InboundRDPIsAllowed: !Equals [ !Ref AllowInboundRDP, "true"]
    Inbound***IsAllowed: !Equals [ !Ref AllowInbound***, "true"]

    OutboundHTTPIsAllowed: !Equals [ !Ref AllowOutboundHTTP, "true"]
    OutboundHTTPSIsAllowed: !Equals [ !Ref AllowOutboundHTTPS, "true"]

    HasRemoteHomeNetwork: !Not [ !Equals [ !Ref RemoteHomeNetworkCIDR, ""]]
    HasRemoteRepositories: !Not [ !Equals [ !Ref RemoteRepositoriesCIDR, ""]]
    
    AddMGMTInboundSSHRules: !And
        - !Condition HasRemoteHomeNetwork
        - !Condition NACLDefaultPrivateOnly
        - !Condition InboundSSHIsAllowed

    AddMGMTInboundRDPRules: !And
        - !Condition HasRemoteHomeNetwork
        - !Condition NACLDefaultPrivateOnly
        - !Condition InboundRDPIsAllowed

    AddMGMTInbound***Rules: !And
        - !Condition HasRemoteHomeNetwork
        - !Condition NACLDefaultPrivateOnly
        - !Condition Inbound***IsAllowed

    AddMGMTOutboundEphemeralRemoteHomeNetworkRules: !Or
        - !Condition AddMGMTInboundSSHRules
        - !Condition AddMGMTInbound***Rules

    AddOutboundHTTPAnywhereRules: !And
        - !Condition OutboundHTTPIsAllowed
        - !Condition NACLDefaultPrivateOnly
    AddOutboundHTTPSAnywhereRules: !And
        - !Condition OutboundHTTPSIsAllowed
        - !Condition NACLDefaultPrivateOnly
    AddInboundEphemeralAnywhereRules: !Or
        - !Condition AddOutboundHTTPAnywhereRules
        - !Condition AddOutboundHTTPSAnywhereRules

    AddRemoteRepositoriesCIDR: !And
        - !Condition HasRemoteRepositories
        - !Condition NACLDefaultPrivateOnly

现在当我创建资源（在 CloudFormation 中）时，我可以直接使用：

rNACLEntryAllowOutboundHTTPfromPUBLtoRemoteRepositories:
        Type: "AWS::EC2::NetworkAclEntry"
        Condition: AddRemoteRepositoriesCIDR
        Properties:
         xxxx

rNACLEntryAllowOutboundHTTPSfromPUBLtoRemoteRepositories:
        Type: "AWS::EC2::NetworkAclEntry"
        Condition: HasRemoteHomeNetwork
        Properties:
        xxxx

and so on

如何在 terraform 中获得相同的结果？

【参考方案1】：

在 Terraform 中，我们将这种条件表示为有条件地在资源的零个或一个实例之间进行选择。如果您想像在 CloudFormation 中那样考虑条件并为其命名，则可以将条件分配给 named local values，如下所示：

variable "allow_inbound_ssh" 
  type = bool


variable "nacl_open_by_default" 
  type = bool


variable "remote_home_network_cidr" 
  type    = string
  default = null


locals 
  inbound_ssh_is_allowed    = var.allow_inbound_ssh
  nacl_default_private_only = !var.nacl_open_by_default
  has_remote_home_network   = var.remote_home_network_cidr != null

  add_management_inbound_ssh_rules = (
    local.has_remote_home_network &&
    local.nacl_default_private_only &&
    local.inbound_ssh_is_allowed
  )

然后，您可以将这些本地值用作每个资源中条件 count 表达式的一部分，如下所示：

# (I'm assuming that aws_network_acl_rule is the Terraform
# equivalent of CloudFormation's AWS::EC2::NetworkAclEntry,
# but I'm not sure.)
resource "aws_network_acl_rule" "example" 
  count = local.add_management_inbound_ssh_rules ? 1 : 0

  # ...

有了这个特殊的 count 参数，aws_network_acl_rule 将是一个单元素列表或零元素列表，具体取决于 local.add_management_inbound_ssh_rules 的最终值。

【讨论】：

谢谢@Martin Atkins 我相信这个答案会解决我的问题，一旦我测试它我会接受答案:)