在动态块内对多个块进行 Terraform？

Question

我正在尝试为 aws_wafv2_web_acl 资源创建一个模块，但我不知道如何在动态块中添加多个“excluded_rule”块。这可能吗？这是资源：

resource "aws_wafv2_web_acl" "web-acl" {


  name        = var.name
  description = ""
  scope       = "REGIONAL"

  default_action {
    allow {}
  }

  dynamic "rule" {
    for_each = var.rules
    content {
        name     = rule.value["name"]
        priority = rule.value["priority"]

        override_action {
          count {}
        }

        statement {
          managed_rule_group_statement {
            name        = rule.value["name"]
            vendor_name = "AWS"

            excluded_rule {              
              name = "excluded rule"
            }

          }
        }

        visibility_config {
          cloudwatch_metrics_enabled = false
          sampled_requests_enabled   = false
          metric_name                = rule.value["name"]

        }
    }
  }
  visibility_config {
      cloudwatch_metrics_enabled = false
      sampled_requests_enabled   = false
      metric_name                = "webaclmetric"
  }
}

这里是被传递的变量：

  name = "test"
  rules = [
    {"name": "AWSManagedRulesLinuxRuleSet", "priority": 0, "exclusions": "LFI_QUERYARGUMENTS,LFI_URIPATH"},
    {"name": "AWSManagedRulesWindowsRuleSet", "priority": 1, "exclusions": "PowerShellCommands_Set1_QUERYARGUMENTS"}
  ]

Answer 1

这是可能的。你可能想看看我为 WafV2 web acl 编写的 terraform 模块 -> https://github.com/umotif-public/terraform-aws-waf-webaclv2

回到你的问题，你可以用下面的块来解决它：

dynamic "excluded_rule" {
  for_each = length(lookup(managed_rule_group_statement.value, "excluded_rule", {})) == 0 ? [] : toset(lookup(managed_rule_group_statement.value, "excluded_rule"))
  content {
    name = excluded_rule.value
  }
}

然后您可以将以下内容传递到您的模块中

managed_rule_group_statement = {
  name        = "AWSManagedRulesCommonRuleSet"
  vendor_name = "AWS"
  excluded_rule = [
    "SizeRestrictions_QUERYSTRING",
    "SizeRestrictions_BODY",
    "GenericRFI_QUERYARGUMENTS"
  ]
}