
The Terraform resource aws_db_proxy takes a list of auth blocks as an argument. Below is an example from the Terraform documentation.

Each auth block represents a user, and each user needs a secret in Secrets Manager. Our platform has four different environments (dev, qa, cert, prod), and we don't use secrets in the lower environments to save cost. Ideally, I would create two lists of auth blocks, one for the lower environments and one for the higher environments. Then, in the resource, I could select the appropriate list based on the environment.

Is there a way to pass a list of auth blocks to the aws_db_proxy resource?

Another solution I'm considering is to use two separate aws_db_proxy configurations and use the count meta-argument to pick the appropriate configuration for each environment. However, I think this could get a bit messy.

resource "aws_db_proxy" "example" {
  name                   = "example"
  debug_logging          = false
  engine_family          = "MYSQL"
  idle_client_timeout    = 1800
  require_tls            = true
  role_arn               = aws_iam_role.example.arn
  vpc_security_group_ids = [aws_security_group.example.id]
  vpc_subnet_ids         = [aws_subnet.example.id]

  auth {
    auth_scheme = "SECRETS"
    description = "user1"
    iam_auth    = "DISABLED"
    secret_arn  = aws_secretsmanager_secret.example1.arn
  }

  auth {
    auth_scheme = "SECRETS"
    description = "example2"
    iam_auth    = "DISABLED"
    secret_arn  = aws_secretsmanager_secret.example2.arn
  }

  auth {
    auth_scheme = "SECRETS"
    description = "example3"
    iam_auth    = "DISABLED"
    secret_arn  = aws_secretsmanager_secret.example3.arn
  }

  tags = {
    Name = "example"
    Key  = "value"
  }
}

2 Answers


You can use dynamic blocks to create the auth blocks dynamically.

An example usage will depend on how you define your aws_secretsmanager_secret for each user, but you can make that dynamic as well.

Below is example code. I haven't run it, as its purpose is to show the concept of using dynamic blocks and how to create the aws_secretsmanager_secret resources.

# list of users
variable "proxy_users" {
    default = ["user1", "example2", "example3"]
}

# secret for each user
resource "aws_secretsmanager_secret" "mysecret" {
  for_each = toset(var.proxy_users) 

  name = "example${each.key}"

  # rest of attributes
}


resource "aws_db_proxy" "example" {
  name                   = "example"
  debug_logging          = false
  engine_family          = "MYSQL"
  idle_client_timeout    = 1800
  require_tls            = true
  role_arn               = aws_iam_role.example.arn
  vpc_security_group_ids = [aws_security_group.example.id]
  vpc_subnet_ids         = [aws_subnet.example.id]

  # create auth for each user
  dynamic "auth" {
    # iterate over a set so that auth.key and auth.value are both the user name
    # (iterating over the raw list would make auth.key the numeric index, which
    # does not match the user-name keys of aws_secretsmanager_secret.mysecret)
    for_each = toset(var.proxy_users)

    content {
        auth_scheme = "SECRETS"
        description = auth.value
        iam_auth    = "DISABLED"
        secret_arn  = aws_secretsmanager_secret.mysecret[auth.value].arn
    }
  }

  tags = {
    Name = "example"
    Key  = "value"
  }
}
Answered 2021-01-08T04:43:51.660

Thanks @Marcin

I had the same problem, but I needed to pass in existing secret ARNs. You really helped.

In case anyone needs it, I did the following

locals {
  secrets_list = [
    "db-credentials/${var.env-name}/user1",
    "db-credentials/${var.env-name}/user2",
    "db-credentials/${var.env-name}/user3"
  ]
}

data "aws_secretsmanager_secret" "rds_secrets" {
  for_each = toset(local.secrets_list)
  name = each.key
}

resource "aws_db_proxy" "rds_db_proxy" {
  name = "${var.env-name}-rds-proxy"
  engine_family = "MYSQL"
  idle_client_timeout = 900
  require_tls = true
  # ... remaining attributes omitted

  dynamic "auth" {
    for_each = local.secrets_list
    content {
      secret_arn  =  data.aws_secretsmanager_secret.rds_secrets[auth.value].arn
      auth_scheme = "SECRETS"
      iam_auth    = "REQUIRED"
    }
  }
}
Answered 2021-07-07T10:28:24.867
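The question asks for a per-environment choice of user list, and both answers show the dynamic block that renders it; the following configuration is an added example that ties the two together and is not code from the question or either answer. It assumes a variable var.env, a local map local.proxy_users_by_env, the secret name prefix "db-credentials/", and resources aws_iam_role.proxy, aws_security_group.proxy and aws_subnet.private that are defined elsewhere.

```hcl
# Added example (not from the question or either answer): pick the set of proxy
# users for the current environment from a map, look up the existing secrets by
# name, and render one auth block per user with a dynamic block.
# var.env, local.proxy_users_by_env, the "db-credentials/" secret prefix and the
# referenced IAM role / security group / subnets are assumptions for illustration.

variable "env" {
  description = "Deployment environment: dev, qa, cert or prod"
  type        = string

  validation {
    condition     = contains(["dev", "qa", "cert", "prod"], var.env)
    error_message = "env must be one of dev, qa, cert, prod."
  }
}

locals {
  # Lower environments get a smaller user set; prod gets the full set.
  proxy_users_by_env = {
    dev  = ["app"]
    qa   = ["app"]
    cert = ["app", "reporting"]
    prod = ["app", "reporting", "migrations"]
  }

  proxy_users = local.proxy_users_by_env[var.env]
}

# Existing secrets, keyed by user name so the dynamic block can index them.
data "aws_secretsmanager_secret" "rds" {
  for_each = toset(local.proxy_users)
  name     = "db-credentials/${var.env}/${each.key}"
}

resource "aws_db_proxy" "rds" {
  name                   = "${var.env}-rds-proxy"
  engine_family          = "MYSQL"
  idle_client_timeout    = 900
  require_tls            = true
  role_arn               = aws_iam_role.proxy.arn
  vpc_security_group_ids = [aws_security_group.proxy.id]
  vpc_subnet_ids         = aws_subnet.private[*].id

  # Iterating over a set makes auth.value the user name, which is the same key
  # used for the data source above.
  dynamic "auth" {
    for_each = toset(local.proxy_users)
    content {
      description = auth.value
      auth_scheme = "SECRETS"
      iam_auth    = "REQUIRED"
      secret_arn  = data.aws_secretsmanager_secret.rds[auth.value].arn
    }
  }
}
```

Keying both the data source and the dynamic block by user name, rather than by list position, means removing one user from the middle of a list changes only that user's auth block in the plan instead of shifting every later one. Keeping require_tls = true together with iam_auth = "REQUIRED" (as in the second answer) means clients must present IAM credentials over TLS to the proxy; the Secrets Manager secret is then used only between the proxy and the database.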