
I’m having trouble getting the correct syntax from the examples out on the net. I have a remote state file which I’m reading in like so:

data "terraform_remote_state" vpc {
    backend = "s3"
    config = {
        region         = "eu-west-1"
        bucket         = "some-terraform-bucket"
        key            = "some-vpc-state.tfstate"
    }
}

from that I have the values in the remote state file of

....
private_subnets_cidr_blocks = [
    "20.10.8.0/24",
    "20.10.9.0/24",
    "20.10.10.0/24",
]   # type: list of string
....

I’m trying to add these to a security group ingress with cidr_block

module "security_group" {
  source  = "terraform-aws-modules/security-group/aws"
  version = "~> 5.0"

  name        = "${var.name}-${var.environment}-redis"
  description = "Redis example security group"
  vpc_id      = data.terraform_remote_state.vpc.outputs.vpc_id
  count = length(data.terraform_remote_state.vpc.outputs.elasticache_subnets_cidr_blocks)
  # ingress
  ingress_with_cidr_blocks = [
    {
      for_each = data.terraform_remote_state.vpc.outputs.private_subnets_cidr_blocks   # highlighted in the post
      from_port   = 6379
      to_port     = 6379
      protocol    = "tcp"
      description = "Redis access from within VPC"
      cidir_blocks = [each.value]   # highlighted in the post
    }
  ]

  tags = local.default_tags
}

But this throws the error:

The given value is not suitable for module.security_group.var.ingress_with_cidr_blocks declared at .terraform/modules/security_group/variables.tf:85,1-36: element 0: element "cidir_blocks": string required.

Can anyone show me how to do this properly, please?

I’m hoping to output a string of values like so:

cidr_blocks = "20.10.8.0/24, 20.10.9.0/24,20.10.10.0/24"

and I think Terraform will process that


Answers


  1. Chosen as BEST ANSWER

    So thanks to marko-e for pointing me in the right direction: I needed to use ingress_cidr_blocks and ingress_rules to build this rule! There's a list of pre-defined ports that can be used this way, which can be found here:

    ingress_rules

    module "security_group" {
      source  = "terraform-aws-modules/security-group/aws"
      version = "~> 5.0"
    
      name        = "${var.name}-${var.environment}-redis"
      description = "Redis example security group"
      vpc_id      = data.terraform_remote_state.vpc.outputs.vpc_id
    
      use_name_prefix = false
    
      # ingress
    
      ingress_cidr_blocks = data.terraform_remote_state.vpc.outputs.private_subnets_cidr_blocks
      ingress_ipv6_cidr_blocks = data.terraform_remote_state.vpc.outputs.private_subnets_ipv6_cidr_blocks
      ingress_rules = ["redis-tcp"]
    
    
      tags = local.default_tags
    }
    

  2. Since all the CIDR ranges will have all the same ports, I think you want the ingress_cidr_blocks argument. This argument means that all the ingress rules will have the same ports open but for different CIDR ranges. So you are looking for something like (depending on the value the output provides):

    module "security_group" {
      source  = "terraform-aws-modules/security-group/aws"
      version = "~> 5.0"
    
      name        = "${var.name}-${var.environment}-redis"
      description = "Redis example security group"
      vpc_id      = data.terraform_remote_state.vpc.outputs.vpc_id
      count = length(data.terraform_remote_state.vpc.outputs.elasticache_subnets_cidr_blocks)
      # ingress
      ingress_cidr_blocks = data.terraform_remote_state.vpc.outputs.private_subnets_cidr_blocks
      # each element of ingress_with_cidr_blocks is an object; without a
      # cidr_blocks key the module falls back to ingress_cidr_blocks above
      ingress_with_cidr_blocks = [
        {
          from_port   = 6379
          to_port     = 6379
          protocol    = "tcp"
          description = "Redis access from within VPC"
        }
      ]
    
      tags = local.default_tags
    }
    

    I think you can even drop the count meta-argument here, unless you want three different security groups.
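    For completeness, here is the shape the question was originally reaching for: one explicit rule per private-subnet CIDR, built with a `for` expression instead of `for_each` inside the object, plus a check that the list read from the remote state is non-empty and well-formed before it becomes a firewall rule. This is an added example, not code from the question, the answers or the terraform-aws-modules project; it assumes the same remote state outputs, variables and `local.default_tags` as the question.

    ```hcl
    locals {
      redis_port    = 6379
      private_cidrs = data.terraform_remote_state.vpc.outputs.private_subnets_cidr_blocks

      # Each element of ingress_with_cidr_blocks takes cidr_blocks as a single
      # (comma-separated) string, which is why the original error said
      # "string required" for the list value [each.value].
      redis_ingress_rules = [
        for cidr in local.private_cidrs : {
          from_port   = local.redis_port
          to_port     = local.redis_port
          protocol    = "tcp"
          description = "Redis access from ${cidr}"
          cidr_blocks = cidr
        }
      ]
    }

    module "security_group" {
      source  = "terraform-aws-modules/security-group/aws"
      version = "~> 5.0"

      name        = "${var.name}-${var.environment}-redis"
      description = "Redis example security group"
      vpc_id      = data.terraform_remote_state.vpc.outputs.vpc_id

      # One security group, one rule per private subnet CIDR (no count needed).
      ingress_with_cidr_blocks = local.redis_ingress_rules

      # Equivalent single-rule form: join the list into the string the module
      # expects, using the module's named "redis-tcp" rule.
      # ingress_with_cidr_blocks = [{
      #   rule        = "redis-tcp"
      #   cidr_blocks = join(",", local.private_cidrs)
      # }]

      tags = local.default_tags
    }

    # Fail the plan if the remote state hands back an empty list or a value
    # that is not a CIDR, so a bad upstream output cannot silently widen or
    # drop the ingress rules. check blocks need Terraform >= 1.5.
    check "redis_ingress_cidrs_are_valid" {
      assert {
        condition     = length(local.private_cidrs) > 0 && alltrue([for c in local.private_cidrs : can(cidrhost(c, 0))])
        error_message = "private_subnets_cidr_blocks must be a non-empty list of valid CIDR blocks."
      }
    }
    ```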
