We are creating ECR repositories using Terraform. I created the repos using for_each. I am trying to attach a policy, but I am unable to use the repo in the resource.
tfvars file:
app_ecr_repo = [
  { name = "project-1" },
  { name = "project-2" }
]
Using for_each we are taking the two repo names:
module "ecr" {
  source = "../../modules/ecr"

  # Common
  default_tags = var.default_tags

  # ECR
  for_each = { for repos in var.app_ecr_repo : join("-", [repos.name]) => repos }
  ecr_respositories = [
    {
      repo_name              = each.value.name
      lifecycle_policy_file  = "ecr_policy_01_tagged.json"
      image_tag_mutability   = "IMMUTABLE"
      image_scanning_enabled = true
    }
  ]
}
How do I attach the ECR repository name here?
resource "aws_ecr_repository_policy" "repo_policy" {
  repository = module.ecr.name
  policy     = <<EOF
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "new policy",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchGetImage",
        "ecr:BatchCheckLayerAvailability",
        "ecr:PutImage",
        "ecr:InitiateLayerUpload",
        "ecr:UploadLayerPart",
        "ecr:CompleteLayerUpload",
        "ecr:DescribeRepositories",
        "ecr:GetRepositoryPolicy",
        "ecr:ListImages",
        "ecr:DeleteRepository",
        "ecr:BatchDeleteImage",
        "ecr:SetRepositoryPolicy",
        "ecr:DeleteRepositoryPolicy"
      ]
    }
  ]
}
EOF
}
This is the root module. Here we passed the resources for aws_ecr_repository:
############################################################################################################
# Elastic Container Registry (ECR)
############################################################################################################
resource "aws_ecr_repository" "this" {
  count = length(var.ecr_respositories) > 0 ? length(var.ecr_respositories) : 0

  name                 = lookup(var.ecr_respositories[count.index], "repo_name", null)
  image_tag_mutability = lookup(var.ecr_respositories[count.index], "image_tag_mutability", var.image_tag_mutability)

  image_scanning_configuration {
    scan_on_push = lookup(var.ecr_respositories[count.index], "image_scanning_enabled", var.image_scanning_enabled)
  }

  tags = merge(
    {
      "Name" = lookup(var.ecr_respositories[count.index], "repo_name", null)
    },
    var.tags,
    var.default_tags
  )
}

############################################################################################################
# ECR Lifecycle Policy
############################################################################################################
locals {
  # Only repositories that declare a lifecycle policy file get a policy resource
  ecr_respositories_with_policy = [
    for repo in var.ecr_respositories :
    repo
    if lookup(repo, "lifecycle_policy_file", null) != null
  ]
}

resource "aws_ecr_lifecycle_policy" "this" {
  count = length(local.ecr_respositories_with_policy) > 0 ? length(local.ecr_respositories_with_policy) : 0

  policy     = file("${path.cwd}/ecr_lifecycle_policy/${local.ecr_respositories_with_policy[count.index].lifecycle_policy_file}")
  repository = local.ecr_respositories_with_policy[count.index].repo_name

  depends_on = [aws_ecr_repository.this]
}
In order to be able to access the attributes of the resources created using modules, the child module has to have an output defined [1]. Accessing the child module output [2] is a bit different compared to outputs defined without using modules. So, in the child module code, you would have to add the following:
Since the module was invoked by using the for_each meta-argument, in the policy you would say something like:
Referring to module instances is described in [3].
EDIT

The child module is using the count meta-argument and the root module is using the for_each meta-argument. Because of that, it is hard to map between the output of the module and the input required in the aws_ecr_repository_policy resource and make it dynamic. The only way this could work is:

a) Hardcoding the value of the key for the resource created with the module, e.g., repository = module.ecr["project-1"].ecr_name[count.index], along with the count meta-argument set to count = length(module.ecr["project-1"].ecr_name). This would have to be repeated for project-2.

b) Hardcoding the value of the index for the output and using the same for_each, i.e., for_each = { for repos in var.app_ecr_repo : join("-", [repos.name]) => repos } and the repository = module.ecr[each.key].ecr_name[0]

The second case is a bit better, but only because in the module call currently a list with one element gets passed:

If the number of elements were increased, the solution would not work and there would have to be multiple instances of the aws_ecr_repository_policy resource. Additionally, the resource could be added to the module itself, which could help avoid these headaches.

Solution 1

In the root module, add this:

Solution 2

In the child module, add the following code:
[1] https://www.terraform.io/language/values/outputs#declaring-an-output-value
[2] https://www.terraform.io/language/values/outputs#accessing-child-module-outputs
[3] https://www.terraform.io/language/meta-arguments/for_each#referring-to-instances
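An added example, not code from the asker or from the answer above, that works Solution 1 end to end: the child module exports the repository names (the ecr_name output name is taken from the answer), and the root module iterates over the module instances so each policy lines up with its repository without hardcoding keys. The aws_iam_policy_document data source replacing the heredoc, the 123456789012 account ID placeholder and the narrowed push/pull action list are my assumptions.

```hcl
# --- modules/ecr/outputs.tf (child module) ---------------------------------
# Exposes the names of the repositories created with count, as a list, so the
# root module can reference them. "ecr_name" is the output name the answer uses.
output "ecr_name" {
  description = "Names of the ECR repositories created by this module instance"
  value       = aws_ecr_repository.this[*].name
}

# --- root module ------------------------------------------------------------
# The module "ecr" block stays exactly as in the question (for_each over
# var.app_ecr_repo, one repository per instance).

# Building the policy with the IAM policy document data source instead of a
# heredoc means Terraform validates the JSON before it reaches AWS. The
# principal is an assumed placeholder account ID, not "*": a "*" principal on a
# repository policy that also grants ecr:DeleteRepository and
# ecr:SetRepositoryPolicy would let any AWS account delete the repository or
# rewrite its policy.
data "aws_iam_policy_document" "repo" {
  statement {
    sid    = "AllowPushPullFromAccount"
    effect = "Allow"
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::123456789012:root"] # placeholder account
    }
    actions = [
      "ecr:GetDownloadUrlForLayer",
      "ecr:BatchGetImage",
      "ecr:BatchCheckLayerAvailability",
      "ecr:PutImage",
      "ecr:InitiateLayerUpload",
      "ecr:UploadLayerPart",
      "ecr:CompleteLayerUpload",
    ]
  }
}

# A module called with for_each is a map keyed by the instance key
# ("project-1", "project-2"), so iterating over module.ecr keeps the policy
# instance and the repository instance aligned without hardcoding either.
resource "aws_ecr_repository_policy" "repo_policy" {
  for_each   = module.ecr
  repository = each.value.ecr_name[0] # each instance creates one repository
  policy     = data.aws_iam_policy_document.repo.json
}
```

If a module instance ever creates more than one repository, flatten the ecr_name lists into one map keyed by repository name before using it in for_each, rather than indexing [0].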