2
votes

I am trying to convert an AWS CloudFormation script to Terraform but the problem I am facing here is Cloudformation has something called conditions were we can specify multiple conditions to match before creating a resource but I am struggling to replicate the same in terraform.

Example code of ClodeFormation:

Conditions:
    NACLDefaultPublicAllowed: !Equals [ !Ref NACLOpenByDefault, "true"]
    NACLDefaultPrivateOnly: !Equals [ !Ref NACLOpenByDefault, "false"]

    InboundSSHIsAllowed: !Equals [ !Ref AllowInboundSSH, "true"]
    InboundRDPIsAllowed: !Equals [ !Ref AllowInboundRDP, "true"]
    InboundVPNIsAllowed: !Equals [ !Ref AllowInboundVPN, "true"]

    OutboundHTTPIsAllowed: !Equals [ !Ref AllowOutboundHTTP, "true"]
    OutboundHTTPSIsAllowed: !Equals [ !Ref AllowOutboundHTTPS, "true"]

    HasRemoteHomeNetwork: !Not [ !Equals [ !Ref RemoteHomeNetworkCIDR, ""]]
    HasRemoteRepositories: !Not [ !Equals [ !Ref RemoteRepositoriesCIDR, ""]]
    
    AddMGMTInboundSSHRules: !And
        - !Condition HasRemoteHomeNetwork
        - !Condition NACLDefaultPrivateOnly
        - !Condition InboundSSHIsAllowed

    AddMGMTInboundRDPRules: !And
        - !Condition HasRemoteHomeNetwork
        - !Condition NACLDefaultPrivateOnly
        - !Condition InboundRDPIsAllowed

    AddMGMTInboundVPNRules: !And
        - !Condition HasRemoteHomeNetwork
        - !Condition NACLDefaultPrivateOnly
        - !Condition InboundVPNIsAllowed

    AddMGMTOutboundEphemeralRemoteHomeNetworkRules: !Or
        - !Condition AddMGMTInboundSSHRules
        - !Condition AddMGMTInboundVPNRules

    AddOutboundHTTPAnywhereRules: !And
        - !Condition OutboundHTTPIsAllowed
        - !Condition NACLDefaultPrivateOnly
    AddOutboundHTTPSAnywhereRules: !And
        - !Condition OutboundHTTPSIsAllowed
        - !Condition NACLDefaultPrivateOnly
    AddInboundEphemeralAnywhereRules: !Or
        - !Condition AddOutboundHTTPAnywhereRules
        - !Condition AddOutboundHTTPSAnywhereRules

    AddRemoteRepositoriesCIDR: !And
        - !Condition HasRemoteRepositories
        - !Condition NACLDefaultPrivateOnly

now when I create a resource(in CloudFormation) I can directly use:


rNACLEntryAllowOutboundHTTPfromPUBLtoRemoteRepositories:
        Type: "AWS::EC2::NetworkAclEntry"
        Condition: AddRemoteRepositoriesCIDR
        Properties:
         xxxx

rNACLEntryAllowOutboundHTTPSfromPUBLtoRemoteRepositories:
        Type: "AWS::EC2::NetworkAclEntry"
        Condition: HasRemoteHomeNetwork
        Properties:
        xxxx

and so on

How can I get the same result in terraform?

1

1 Answers

2
votes

In Terraform we represent this sort of condition as conditionally choosing between zero or one instances of a resource. If you want to factor out the conditions and give them names like you did in CloudFormation then you can assign the conditions to named local values like this:

variable "allow_inbound_ssh" {
  type = bool
}

variable "nacl_open_by_default" {
  type = bool
}

variable "remote_home_network_cidr" {
  type    = string
  default = null
}

locals {
  inbound_ssh_is_allowed    = var.allow_inbound_ssh
  nacl_default_private_only = !var.nacl_open_by_default
  has_remote_home_network   = var.remote_home_network_cidr != null

  add_management_inbound_ssh_rules = (
    local.has_remote_home_network &&
    local.nacl_default_private_only &&
    local.inbound_ssh_is_allowed
  )
}

You can then use these local values as part of the conditional count expression in each resource, like this:

# (I'm assuming that aws_network_acl_rule is the Terraform
# equivalent of CloudFormation's AWS::EC2::NetworkAclEntry,
# but I'm not sure.)
resource "aws_network_acl_rule" "example" {
  count = local.add_management_inbound_ssh_rules ? 1 : 0

  # ...
}

With that special count argument in place, aws_network_acl_rule will either be a single-element list or a zero-element list depending on the final value of local.add_management_inbound_ssh_rules.