Terraform and NREC: Part III - Dynamics¶
Last changed: 2023-05-25
Contents
This document builds on Terraform Part 1 and Part 2, and extends the code base to make it more dynamic. We also make use of more advanced functionality in Terraform such as output handling and local variables.
The goal with this document is to show how Terraform can be used to set up a real environment on NREC. We will create:
- An SSH key pair
- Four web servers running CentOS
- One database server running Ubuntu
- A volume that is attached to the database server
- Security groups that allow access to the different servers, as well as allowing the web servers to access the database server
The files used in this document can be downloaded:
Variables file¶
In order to keep the management of the Terraform infrastructure easy and intuitive, it is a good idea to consolidate definitions and variables into a single file or a small set of files. Terraform supports a concept of default values for variables, which can be overridden. In our example, we are opting for a single file that contains all variables, with default values, used throughout the code:
variables.tf¶
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 | # Variables
variable "region" {
}
variable "name" {
default = "myproject"
}
variable "ssh_public_key" {
default = "~/.ssh/id_rsa.pub"
}
variable "network" {
default = "IPv6"
}
variable "volume_size" {
default = 20
}
# Security group defaults
variable "allow_ssh_from_v6" {
type = list(string)
default = []
}
variable "allow_ssh_from_v4" {
type = list(string)
default = []
}
variable "allow_http_from_v6" {
type = list(string)
default = []
}
variable "allow_http_from_v4" {
type = list(string)
default = []
}
variable "allow_mysql_from_v6" {
type = list(string)
default = []
}
variable "allow_mysql_from_v4" {
type = list(string)
default = []
}
# Mapping between role and image
variable "role_image" {
type = map(string)
default = {
"web" = "GOLD CentOS 8"
"db" = "GOLD Ubuntu 21.04 LTS"
}
}
# Mapping between role and flavor
variable "role_flavor" {
type = map(string)
default = {
"web" = "m1.small"
"db" = "m1.medium"
}
}
# Mapping between role and number of instances (count)
variable "role_count" {
type = map(string)
default = {
"web" = 4
"db" = 1
}
}
|
Notice that the region variable (highlighted) is empty and doesn’t have a default value. For this reason, the region must always be specified in some way when running Terraform:
$ ~/terraform plan
var.region
Enter a value:
As shown above, when a default value isn’t specified in the code Terraform will ask for it interactively.
Also note that the allow_ssh_from_v6, allow_ssh_from_v4
etc. (highlighted) variables are empty lists. It is expected that we
specify these in the terraform.tfvars file, explained in the next
section.
Local variables file¶
Terraform supports specification of local variables that completes or overrides the variable set given in variables.tf. We can do this on command line:
terraform -var 'region=bgo'
This does not scale, however. Terraform has an option -var-file
that takes one argument, a variables file:
terraform -var-file <file>
An example file terraform.tfvars that
complements our variables.tf could look like this:
terraform.tfvars¶
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 | # Region
region = "osl"
# This is needed to access the instance over ssh
allow_ssh_from_v6 = [
"2001:700:100:12::7/128",
"2001:700:100:118::67/128"
]
allow_ssh_from_v4 = [
"129.240.12.7/32",
"129.240.118.67/32"
]
# This is needed to access the instance over http
allow_http_from_v6 = [
"2001:700:200::/48",
"2001:700:100::/41"
]
allow_http_from_v4 = [
"129.177.0.0/16",
"129.240.0.0/16"
]
# This is needed to access the instance over the mysql port
allow_mysql_from_v6 = [
"2001:700:100:118::67/128"
]
allow_mysql_from_v4 = [
"129.240.118.67/32"
]
|
Here, we specify the region and the addresses to be used for the security group. Since this file is named terraform.tfvars it will be automatically included when running terraform commands. If we were to name it as e.g. production.tfvars, we would need to specify which file to use on the command line, like this:
$ terraform plan -var-file production.tfvars
$ terraform apply -var-file production.tfvars
Read more about variables here: Terraform variables
Using variables¶
Terraform supports a variety of different variable types, and should be familiar to anyone who has used modern programming languages. We’re using string, list (array) and map (hash) variables. In this example, we have divided our original one-file setup into 3 files, in addition to the local variables file:
| main.tf | Our main file. |
| secgroup.tf | Since the security group definitions are rather verbose, we have separated these from the main file. |
| variables.tf | Variable definitions with default values. |
| terraform.tfvars | Local variables. |
We’ll take a look at main.tf. The first part, containing the SSH key pair resource, is as before but using variables:
main.tf¶
1 2 3 4 5 6 | # SSH key
resource "openstack_compute_keypair_v2" "keypair" {
region = var.region
name = "${terraform.workspace}-${var.name}"
public_key = file(var.ssh_public_key)
}
|
Next, we’ll look at our security groups in secgroup.tf. We now have three of them:
secgroup.tf¶
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 | # Security group SSH + ICMP
resource "openstack_networking_secgroup_v2" "instance_ssh_access" {
region = var.region
name = "${terraform.workspace}-${var.name}-ssh"
description = "Security group for allowing SSH and ICMP access"
}
# Security group HTTP
resource "openstack_networking_secgroup_v2" "instance_web_access" {
region = var.region
name = "${terraform.workspace}-${var.name}-web"
description = "Security group for allowing HTTP access"
}
# Security group MySQL
resource "openstack_networking_secgroup_v2" "instance_db_access" {
region = var.region
name = "${terraform.workspace}-${var.name}-db"
description = "Security group for allowing MySQL access"
}
|
Since these are web and database serves, we create a security group for allowing HTTP for the web servers and port 3306 for the database server, in addition to allowing SSH and ICMP. The security group rules for SSH and ICMP are pretty much the same as before, but using variables:
secgroup.tf¶
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 | # Allow ssh from IPv4 net
resource "openstack_networking_secgroup_rule_v2" "rule_ssh_access_ipv4" {
region = var.region
count = length(var.allow_ssh_from_v4)
direction = "ingress"
ethertype = "IPv4"
protocol = "tcp"
port_range_min = 22
port_range_max = 22
remote_ip_prefix = var.allow_ssh_from_v4[count.index]
security_group_id = openstack_networking_secgroup_v2.instance_ssh_access.id
}
# Allow ssh from IPv6 net
resource "openstack_networking_secgroup_rule_v2" "rule_ssh_access_ipv6" {
region = var.region
count = length(var.allow_ssh_from_v6)
direction = "ingress"
ethertype = "IPv6"
protocol = "tcp"
port_range_min = 22
port_range_max = 22
remote_ip_prefix = var.allow_ssh_from_v6[count.index]
security_group_id = openstack_networking_secgroup_v2.instance_ssh_access.id
}
# Allow icmp from IPv4 net
resource "openstack_networking_secgroup_rule_v2" "rule_icmp_access_ipv4" {
region = var.region
count = length(var.allow_ssh_from_v4)
direction = "ingress"
ethertype = "IPv4"
protocol = "icmp"
remote_ip_prefix = var.allow_ssh_from_v4[count.index]
security_group_id = openstack_networking_secgroup_v2.instance_ssh_access.id
}
# Allow icmp from IPv6 net
resource "openstack_networking_secgroup_rule_v2" "rule_icmp_access_ipv6" {
region = var.region
count = length(var.allow_ssh_from_v6)
direction = "ingress"
ethertype = "IPv6"
protocol = "ipv6-icmp"
remote_ip_prefix = var.allow_ssh_from_v6[count.index]
security_group_id = openstack_networking_secgroup_v2.instance_ssh_access.id
}
|
Notice that we now use implicit iteration over the number of entries listed in the “allow_from” variables, which are empty lists in variables.tf but are properly defined in terraform.tfvars.
Let’s take a look at the security group rules defined for HTTP and MySQL access:
secgroup.tf¶
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 | # Allow HTTP from IPv4 net
resource "openstack_networking_secgroup_rule_v2" "rule_http_access_ipv4" {
region = var.region
count = length(var.allow_http_from_v4)
direction = "ingress"
ethertype = "IPv4"
protocol = "tcp"
port_range_min = 80
port_range_max = 80
remote_ip_prefix = var.allow_http_from_v4[count.index]
security_group_id = openstack_networking_secgroup_v2.instance_web_access.id
}
# Allow HTTP from IPv6 net
resource "openstack_networking_secgroup_rule_v2" "rule_http_access_ipv6" {
region = var.region
count = length(var.allow_http_from_v6)
direction = "ingress"
ethertype = "IPv6"
protocol = "tcp"
port_range_min = 80
port_range_max = 80
remote_ip_prefix = var.allow_http_from_v6[count.index]
security_group_id = openstack_networking_secgroup_v2.instance_web_access.id
}
# Allow MySQL from IPv4 net
resource "openstack_networking_secgroup_rule_v2" "rule_mysql_access_ipv4" {
region = var.region
count = length(var.allow_mysql_from_v4)
direction = "ingress"
ethertype = "IPv4"
protocol = "tcp"
port_range_min = 3306
port_range_max = 3306
remote_ip_prefix = var.allow_mysql_from_v4[count.index]
security_group_id = openstack_networking_secgroup_v2.instance_db_access.id
}
# Allow MYSQL from IPv6 net
resource "openstack_networking_secgroup_rule_v2" "rule_mysql_access_ipv6" {
region = var.region
count = length(var.allow_mysql_from_v6)
direction = "ingress"
ethertype = "IPv6"
protocol = "tcp"
port_range_min = 3306
port_range_max = 3306
remote_ip_prefix = var.allow_mysql_from_v6[count.index]
security_group_id = openstack_networking_secgroup_v2.instance_db_access.id
}
|
The resource definition for the HTTP access, as well as the first two resource definitions for MySQL access, follows the same logic as that of the SSH and ICMP rules. The last two MySQL rules are different:
secgroup.tf¶
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 | # Allow MYSQL from web servers (IPv4)
resource "openstack_networking_secgroup_rule_v2" "rule_mysql_from_web_access_ipv4" {
region = var.region
count = 1
direction = "ingress"
ethertype = "IPv4"
protocol = "tcp"
port_range_min = 3306
port_range_max = 3306
remote_group_id = openstack_networking_secgroup_v2.instance_web_access.id
security_group_id = openstack_networking_secgroup_v2.instance_db_access.id
}
# Allow MYSQL from web servers (IPv6)
resource "openstack_networking_secgroup_rule_v2" "rule_mysql_from_web_access_ipv6" {
region = var.region
count = 1
direction = "ingress"
ethertype = "IPv6"
protocol = "tcp"
port_range_min = 3306
port_range_max = 3306
remote_group_id = openstack_networking_secgroup_v2.instance_web_access.id
security_group_id = openstack_networking_secgroup_v2.instance_db_access.id
}
|
Here, we use rather advanced functionality for security groups in
Openstack. We can allow IP addresses from other security groups
(source groups) access by specifying remote_group_id rather than
remote_ip_prefix. It is possible to achieve the same using
remote_ip_prefix, however it is less elegant [1].
We’ll circle back to main.tf:
main.tf¶
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 | # Web servers
resource "openstack_compute_instance_v2" "web_instance" {
region = var.region
count = lookup(var.role_count, "web", 0)
name = "${var.region}-web-${count.index}"
image_name = lookup(var.role_image, "web", "unknown")
flavor_name = lookup(var.role_flavor, "web", "unknown")
key_pair = "${terraform.workspace}-${var.name}"
security_groups = [
"default",
"${terraform.workspace}-${var.name}-ssh",
"${terraform.workspace}-${var.name}-web",
]
network {
name = "IPv6"
}
lifecycle {
ignore_changes = [image_name]
}
depends_on = [
openstack_networking_secgroup_v2.instance_ssh_access,
openstack_networking_secgroup_v2.instance_web_access,
]
}
# Database servers
resource "openstack_compute_instance_v2" "db_instance" {
region = var.region
count = lookup(var.role_count, "db", 0)
name = "${var.region}-db-${count.index}"
image_name = lookup(var.role_image, "db", "unknown")
flavor_name = lookup(var.role_flavor, "db", "unknown")
key_pair = "${terraform.workspace}-${var.name}"
security_groups = [
"default",
"${terraform.workspace}-${var.name}-ssh",
"${terraform.workspace}-${var.name}-db",
]
network {
name = "IPv6"
}
lifecycle {
ignore_changes = [image_name]
}
depends_on = [
openstack_networking_secgroup_v2.instance_ssh_access,
openstack_networking_secgroup_v2.instance_db_access,
]
}
|
We now define two different instance resources. One for web servers and one for the database server. They use different values defined in variables.tf for image, flavor etc. Lastly, we define a volume resource and attach this volume to the database server:
main.tf¶
1 2 3 4 5 6 7 8 9 10 11 | # Volume
resource "openstack_blockstorage_volume_v2" "volume" {
name = "database"
size = var.volume_size
}
# Attach volume
resource "openstack_compute_volume_attach_v2" "attach_vol" {
instance_id = openstack_compute_instance_v2.db_instance[0].id
volume_id = openstack_blockstorage_volume_v2.volume.id
}
|
Making changes¶
Terraform maintains the state of the infrastructure it manages in the workspace directory. It is possible to make simple changes just by updating and applying the code. If we wanted to scale down the number of web servers from 4 to 2, we would change this line in variables.tf:
variables.tf¶
1 2 3 4 5 6 7 8 | # Mapping between role and number of instances (count)
variable "role_count" {
type = map(string)
default = {
"web" = 4
"db" = 1
}
}
|
After changing the count from 4 to 2 here (the highlighted
line), we can run terraform plan:
$ terraform plan
...
Plan: 0 to add, 0 to change, 2 to destroy.
...
Applying this with terraform apply will then destroy two of the
web servers. Similarly, if we were to increase the web server count
from 4 to 5, Terraform would add a new web server.
Complete example¶
A complete listing of the example files used in this document is provided below.
main.tf¶
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 | # Define required providers
terraform {
required_version = ">= 1.0"
required_providers {
openstack = {
source = "terraform-provider-openstack/openstack"
}
}
}
# Configure the OpenStack Provider
# Empty means using environment variables "OS_*". More info:
# https://registry.terraform.io/providers/terraform-provider-openstack/openstack/latest/docs
provider "openstack" {}
# SSH key
resource "openstack_compute_keypair_v2" "keypair" {
region = var.region
name = "${terraform.workspace}-${var.name}"
public_key = file(var.ssh_public_key)
}
# Web servers
resource "openstack_compute_instance_v2" "web_instance" {
region = var.region
count = lookup(var.role_count, "web", 0)
name = "${var.region}-web-${count.index}"
image_name = lookup(var.role_image, "web", "unknown")
flavor_name = lookup(var.role_flavor, "web", "unknown")
key_pair = "${terraform.workspace}-${var.name}"
security_groups = [
"default",
"${terraform.workspace}-${var.name}-ssh",
"${terraform.workspace}-${var.name}-web",
]
network {
name = "IPv6"
}
lifecycle {
ignore_changes = [image_name]
}
depends_on = [
openstack_networking_secgroup_v2.instance_ssh_access,
openstack_networking_secgroup_v2.instance_web_access,
]
}
# Database servers
resource "openstack_compute_instance_v2" "db_instance" {
region = var.region
count = lookup(var.role_count, "db", 0)
name = "${var.region}-db-${count.index}"
image_name = lookup(var.role_image, "db", "unknown")
flavor_name = lookup(var.role_flavor, "db", "unknown")
key_pair = "${terraform.workspace}-${var.name}"
security_groups = [
"default",
"${terraform.workspace}-${var.name}-ssh",
"${terraform.workspace}-${var.name}-db",
]
network {
name = "IPv6"
}
lifecycle {
ignore_changes = [image_name]
}
depends_on = [
openstack_networking_secgroup_v2.instance_ssh_access,
openstack_networking_secgroup_v2.instance_db_access,
]
}
# Volume
resource "openstack_blockstorage_volume_v2" "volume" {
name = "database"
size = var.volume_size
}
# Attach volume
resource "openstack_compute_volume_attach_v2" "attach_vol" {
instance_id = openstack_compute_instance_v2.db_instance[0].id
volume_id = openstack_blockstorage_volume_v2.volume.id
}
|
secgroup.tf¶
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 | # Security group SSH + ICMP
resource "openstack_networking_secgroup_v2" "instance_ssh_access" {
region = var.region
name = "${terraform.workspace}-${var.name}-ssh"
description = "Security group for allowing SSH and ICMP access"
}
# Security group HTTP
resource "openstack_networking_secgroup_v2" "instance_web_access" {
region = var.region
name = "${terraform.workspace}-${var.name}-web"
description = "Security group for allowing HTTP access"
}
# Security group MySQL
resource "openstack_networking_secgroup_v2" "instance_db_access" {
region = var.region
name = "${terraform.workspace}-${var.name}-db"
description = "Security group for allowing MySQL access"
}
# Allow ssh from IPv4 net
resource "openstack_networking_secgroup_rule_v2" "rule_ssh_access_ipv4" {
region = var.region
count = length(var.allow_ssh_from_v4)
direction = "ingress"
ethertype = "IPv4"
protocol = "tcp"
port_range_min = 22
port_range_max = 22
remote_ip_prefix = var.allow_ssh_from_v4[count.index]
security_group_id = openstack_networking_secgroup_v2.instance_ssh_access.id
}
# Allow ssh from IPv6 net
resource "openstack_networking_secgroup_rule_v2" "rule_ssh_access_ipv6" {
region = var.region
count = length(var.allow_ssh_from_v6)
direction = "ingress"
ethertype = "IPv6"
protocol = "tcp"
port_range_min = 22
port_range_max = 22
remote_ip_prefix = var.allow_ssh_from_v6[count.index]
security_group_id = openstack_networking_secgroup_v2.instance_ssh_access.id
}
# Allow icmp from IPv4 net
resource "openstack_networking_secgroup_rule_v2" "rule_icmp_access_ipv4" {
region = var.region
count = length(var.allow_ssh_from_v4)
direction = "ingress"
ethertype = "IPv4"
protocol = "icmp"
remote_ip_prefix = var.allow_ssh_from_v4[count.index]
security_group_id = openstack_networking_secgroup_v2.instance_ssh_access.id
}
# Allow icmp from IPv6 net
resource "openstack_networking_secgroup_rule_v2" "rule_icmp_access_ipv6" {
region = var.region
count = length(var.allow_ssh_from_v6)
direction = "ingress"
ethertype = "IPv6"
protocol = "ipv6-icmp"
remote_ip_prefix = var.allow_ssh_from_v6[count.index]
security_group_id = openstack_networking_secgroup_v2.instance_ssh_access.id
}
# Allow HTTP from IPv4 net
resource "openstack_networking_secgroup_rule_v2" "rule_http_access_ipv4" {
region = var.region
count = length(var.allow_http_from_v4)
direction = "ingress"
ethertype = "IPv4"
protocol = "tcp"
port_range_min = 80
port_range_max = 80
remote_ip_prefix = var.allow_http_from_v4[count.index]
security_group_id = openstack_networking_secgroup_v2.instance_web_access.id
}
# Allow HTTP from IPv6 net
resource "openstack_networking_secgroup_rule_v2" "rule_http_access_ipv6" {
region = var.region
count = length(var.allow_http_from_v6)
direction = "ingress"
ethertype = "IPv6"
protocol = "tcp"
port_range_min = 80
port_range_max = 80
remote_ip_prefix = var.allow_http_from_v6[count.index]
security_group_id = openstack_networking_secgroup_v2.instance_web_access.id
}
# Allow MySQL from IPv4 net
resource "openstack_networking_secgroup_rule_v2" "rule_mysql_access_ipv4" {
region = var.region
count = length(var.allow_mysql_from_v4)
direction = "ingress"
ethertype = "IPv4"
protocol = "tcp"
port_range_min = 3306
port_range_max = 3306
remote_ip_prefix = var.allow_mysql_from_v4[count.index]
security_group_id = openstack_networking_secgroup_v2.instance_db_access.id
}
# Allow MYSQL from IPv6 net
resource "openstack_networking_secgroup_rule_v2" "rule_mysql_access_ipv6" {
region = var.region
count = length(var.allow_mysql_from_v6)
direction = "ingress"
ethertype = "IPv6"
protocol = "tcp"
port_range_min = 3306
port_range_max = 3306
remote_ip_prefix = var.allow_mysql_from_v6[count.index]
security_group_id = openstack_networking_secgroup_v2.instance_db_access.id
}
# Allow MYSQL from web servers (IPv4)
resource "openstack_networking_secgroup_rule_v2" "rule_mysql_from_web_access_ipv4" {
region = var.region
count = 1
direction = "ingress"
ethertype = "IPv4"
protocol = "tcp"
port_range_min = 3306
port_range_max = 3306
remote_group_id = openstack_networking_secgroup_v2.instance_web_access.id
security_group_id = openstack_networking_secgroup_v2.instance_db_access.id
}
# Allow MYSQL from web servers (IPv6)
resource "openstack_networking_secgroup_rule_v2" "rule_mysql_from_web_access_ipv6" {
region = var.region
count = 1
direction = "ingress"
ethertype = "IPv6"
protocol = "tcp"
port_range_min = 3306
port_range_max = 3306
remote_group_id = openstack_networking_secgroup_v2.instance_web_access.id
security_group_id = openstack_networking_secgroup_v2.instance_db_access.id
}
|
variables.tf¶
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 | # Variables
variable "region" {
}
variable "name" {
default = "myproject"
}
variable "ssh_public_key" {
default = "~/.ssh/id_rsa.pub"
}
variable "network" {
default = "IPv6"
}
variable "volume_size" {
default = 20
}
# Security group defaults
variable "allow_ssh_from_v6" {
type = list(string)
default = []
}
variable "allow_ssh_from_v4" {
type = list(string)
default = []
}
variable "allow_http_from_v6" {
type = list(string)
default = []
}
variable "allow_http_from_v4" {
type = list(string)
default = []
}
variable "allow_mysql_from_v6" {
type = list(string)
default = []
}
variable "allow_mysql_from_v4" {
type = list(string)
default = []
}
# Mapping between role and image
variable "role_image" {
type = map(string)
default = {
"web" = "GOLD CentOS 8"
"db" = "GOLD Ubuntu 21.04 LTS"
}
}
# Mapping between role and flavor
variable "role_flavor" {
type = map(string)
default = {
"web" = "m1.small"
"db" = "m1.medium"
}
}
# Mapping between role and number of instances (count)
variable "role_count" {
type = map(string)
default = {
"web" = 4
"db" = 1
}
}
|
Footnotes
| [1] | An alternative way to dynamically add access for the web servers,
by using secgroup alternative¶
|