
terraform - Can we match multiple conditions in Terraform before creating a resource?

Reposted. Author: 行者123. Updated: 2023-12-03 07:13:32

I am trying to convert an AWS CloudFormation script to Terraform, but the problem I am facing is that CloudFormation has something called Conditions, where we can specify multiple conditions to match before creating a resource, and I am having trouble replicating the same conditions in Terraform.

Sample CloudFormation code:

Conditions:
  NACLDefaultPublicAllowed: !Equals [ !Ref NACLOpenByDefault, "true"]
  NACLDefaultPrivateOnly: !Equals [ !Ref NACLOpenByDefault, "false"]

  InboundSSHIsAllowed: !Equals [ !Ref AllowInboundSSH, "true"]
  InboundRDPIsAllowed: !Equals [ !Ref AllowInboundRDP, "true"]
  InboundVPNIsAllowed: !Equals [ !Ref AllowInboundVPN, "true"]

  OutboundHTTPIsAllowed: !Equals [ !Ref AllowOutboundHTTP, "true"]
  OutboundHTTPSIsAllowed: !Equals [ !Ref AllowOutboundHTTPS, "true"]

  HasRemoteHomeNetwork: !Not [ !Equals [ !Ref RemoteHomeNetworkCIDR, ""]]
  HasRemoteRepositories: !Not [ !Equals [ !Ref RemoteRepositoriesCIDR, ""]]

  AddMGMTInboundSSHRules: !And
    - !Condition HasRemoteHomeNetwork
    - !Condition NACLDefaultPrivateOnly
    - !Condition InboundSSHIsAllowed

  AddMGMTInboundRDPRules: !And
    - !Condition HasRemoteHomeNetwork
    - !Condition NACLDefaultPrivateOnly
    - !Condition InboundRDPIsAllowed

  AddMGMTInboundVPNRules: !And
    - !Condition HasRemoteHomeNetwork
    - !Condition NACLDefaultPrivateOnly
    - !Condition InboundVPNIsAllowed

  AddMGMTOutboundEphemeralRemoteHomeNetworkRules: !Or
    - !Condition AddMGMTInboundSSHRules
    - !Condition AddMGMTInboundVPNRules

  AddOutboundHTTPAnywhereRules: !And
    - !Condition OutboundHTTPIsAllowed
    - !Condition NACLDefaultPrivateOnly
  AddOutboundHTTPSAnywhereRules: !And
    - !Condition OutboundHTTPSIsAllowed
    - !Condition NACLDefaultPrivateOnly
  AddInboundEphemeralAnywhereRules: !Or
    - !Condition AddOutboundHTTPAnywhereRules
    - !Condition AddOutboundHTTPSAnywhereRules

  AddRemoteRepositoriesCIDR: !And
    - !Condition HasRemoteRepositories
    - !Condition NACLDefaultPrivateOnly

Now, when I create resources (in CloudFormation), I can simply use:

rNACLEntryAllowOutboundHTTPfromPUBLtoRemoteRepositories:
  Type: "AWS::EC2::NetworkAclEntry"
  Condition: AddRemoteRepositoriesCIDR
  Properties:
    xxxx

rNACLEntryAllowOutboundHTTPSfromPUBLtoRemoteRepositories:
  Type: "AWS::EC2::NetworkAclEntry"
  Condition: HasRemoteHomeNetwork
  Properties:
    xxxx

and so on

How can I achieve the same result in Terraform?

Best answer

In Terraform, we express this kind of condition as conditionally choosing between zero or one instances of a resource. If you want to factor out the conditions and give them names, as in CloudFormation, you can assign the conditions to named local values like this:

variable "allow_inbound_ssh" {
  type = bool
}

variable "nacl_open_by_default" {
  type = bool
}

variable "remote_home_network_cidr" {
  type    = string
  default = null
}

locals {
  inbound_ssh_is_allowed    = var.allow_inbound_ssh
  nacl_default_private_only = !var.nacl_open_by_default
  has_remote_home_network   = var.remote_home_network_cidr != null

  add_management_inbound_ssh_rules = (
    local.has_remote_home_network &&
    local.nacl_default_private_only &&
    local.inbound_ssh_is_allowed
  )
}

Then you can use those local values as part of a conditional count expression in each resource, like this:

# (I'm assuming that aws_network_acl_rule is the Terraform
# equivalent of CloudFormation's AWS::EC2::NetworkAclEntry,
# but I'm not sure.)
resource "aws_network_acl_rule" "example" {
  count = local.add_management_inbound_ssh_rules ? 1 : 0

  # ...
}

With the special count argument set, aws_network_acl_rule.example will be either a one-element list or a zero-element list, depending on the final value of local.add_management_inbound_ssh_rules.
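As an added example (not part of the original answer), the same pattern carried through the question's `!And`/`!Or` conditions for the SSH, VPN and ephemeral-return rules, using a filtered map and `for_each` instead of `count` so that toggling one condition does not re-index the other rules; the NACL ID, rule numbers and VPN port are assumed placeholders.

```hcl
variable "nacl_open_by_default" {
  type    = bool
  default = false
}
variable "allow_inbound_ssh" {
  type    = bool
  default = false
}
variable "allow_inbound_vpn" {
  type    = bool
  default = false
}
variable "remote_home_network_cidr" {
  type    = string
  default = null
}
locals {
  # CloudFormation tests the CIDR against "", so treat both null and "" as "not set".
  has_remote_home_network   = var.remote_home_network_cidr != null && var.remote_home_network_cidr != ""
  nacl_default_private_only = !var.nacl_open_by_default

  add_mgmt_inbound_ssh_rules = local.has_remote_home_network && local.nacl_default_private_only && var.allow_inbound_ssh
  add_mgmt_inbound_vpn_rules = local.has_remote_home_network && local.nacl_default_private_only && var.allow_inbound_vpn
  # The !Or condition: return traffic is only needed when either inbound rule exists.
  add_mgmt_outbound_ephemeral_rules = local.add_mgmt_inbound_ssh_rules || local.add_mgmt_inbound_vpn_rules

  # Candidate rules keyed by name, each gated by the condition that controls it.
  # Rule numbers and the VPN port (assumed OpenVPN, udp/1194) are placeholders.
  candidate_rules = {
    mgmt_inbound_ssh        = { enabled = local.add_mgmt_inbound_ssh_rules, egress = false, number = 100, proto = "tcp", from = 22, to = 22 }
    mgmt_inbound_vpn        = { enabled = local.add_mgmt_inbound_vpn_rules, egress = false, number = 110, proto = "udp", from = 1194, to = 1194 }
    mgmt_outbound_ephemeral = { enabled = local.add_mgmt_outbound_ephemeral_rules, egress = true, number = 100, proto = "tcp", from = 1024, to = 65535 }
  }

  # Drop rules whose condition is false; the surviving keys become stable resource addresses.
  active_rules = { for name, rule in local.candidate_rules : name => rule if rule.enabled }
}
resource "aws_network_acl_rule" "mgmt" {
  for_each = local.active_rules

  network_acl_id = "acl-0123456789abcdef0" # placeholder: the target NACL's ID
  rule_number    = each.value.number
  egress         = each.value.egress
  protocol       = each.value.proto
  rule_action    = "allow"
  cidr_block     = var.remote_home_network_cidr # scoped to the home network, never 0.0.0.0/0
  from_port      = each.value.from
  to_port        = each.value.to
}
```

Each rule is then addressed as `aws_network_acl_rule.mgmt["mgmt_inbound_ssh"]` rather than `[0]`, and a rule whose condition is false is simply absent from the plan, which matches what a CloudFormation `Condition: false` does.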

Regarding "terraform - Can we match multiple conditions in Terraform before creating a resource?", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/63936833/
