It is common to want to apply the same configuration to several sites, or to make a common change to a set of sites from a single location, so as to avoid modifying each site by hand, especially when such changes need to be made regularly.
In this article, we present two examples based on different attributes of the ogo_shield_site resource. The method shown here can be extended to any attribute of a Terraform resource.
The scenario is therefore as follows:
Declare a variable describing the object you want to apply to a set of sites and assign it a default value
Add this object to the configuration of sites that need to share the same configuration
To find out the type of attributes, refer to the documentation for the resource in question: https://registry.terraform.io/providers/OGOSecurity/ogo/latest/docs/resources/shield_site#nestedatt--ip_exceptions
Using a variable to define the cluster UID
In this example, we will globally define the UID of a cluster that we want to use on each site. We declare a variable cluster_uid_euw1 of type string that we will assign to the attribute cluster_uid of each site. In the example below, the cluster UID is 802448cf-e2f9-40eb-b0d8-2983e018a0f4:
# Define a variable holding the default cluster UID to use in the site definitions
variable "cluster_uid_euw1" {
  type        = string
  description = "Default Cluster ID where sites will be provisioned"
  default     = "802448cf-e2f9-40eb-b0d8-2983e018a0f4"
}

resource "ogo_shield_site" "foo_example_com" {
  domain_name   = "foo.example.com"
  cluster_uid   = var.cluster_uid_euw1
  origin_server = "172.18.1.10"
}

resource "ogo_shield_site" "bar_example_com" {
  domain_name   = "bar.example.com"
  cluster_uid   = var.cluster_uid_euw1
  origin_server = "172.18.1.11"
}
Note that the UID used here is a dummy UID. Cluster UIDs can be retrieved from the datasource ogo_shield_clusters.
If sites need to be migrated from one cluster to another, it is enough to change the value of the variable cluster_uid_euw1 to the UID of the new cluster and run the Terraform deployment again.
However, be aware that modifying certain attributes, such as the cluster_uid, may result in the re-creation of a site.
Define the same list of IP exceptions across multiple sites
In the following example we want to create an exception on several sites for a list of IPs so that they are not analyzed by the brain.
We therefore declare a variable common_ips_exception whose type mirrors the shape of the ip_exceptions attribute (objects with a comment and an ip, both of type string), and whose default value is the list of IP exceptions we wish to apply to our sites in the rest of the configuration:
# List of common IP exceptions to apply to a set of sites
variable "common_ips_exception" {
  type = list(object({ comment = string, ip = string }))
  default = [
    {
      comment = "Alice Home IPv4"
      ip      = "131.220.78.219/32"
    },
    {
      comment = "Bob Home IPv4"
      ip      = "131.220.78.220/32"
    },
    {
      comment = "John Home IPv6"
      ip      = "fded:b552:6f7e:fc6f::/64"
    },
  ]
}

resource "ogo_shield_site" "foo_example_com" {
  domain_name   = "foo.example.com"
  cluster_uid   = var.cluster_uid_euw1 # declared in the first example above
  origin_server = "172.18.1.10"
  # Site-specific exceptions are appended to the common list; the duplicated
  # "Alice Home IPv4" entry is removed by distinct()
  ip_exceptions = distinct(concat(var.common_ips_exception,
    [
      {
        comment = "Alice Home IPv4"
        ip      = "131.220.78.219/32"
      },
      {
        comment = "Office IPv6"
        ip      = "fded:b552:6f7e:ad5e::/64"
      },
  ]))
}

resource "ogo_shield_site" "bar_example_com" {
  domain_name   = "bar.example.com"
  cluster_uid   = var.cluster_uid_euw1 # declared in the first example above
  origin_server = "172.18.1.11"
  ip_exceptions = var.common_ips_exception
}
Since the site foo.example.com already has a list of IP exceptions that we want to supplement rather than overwrite, we concatenate our common list with the existing one using the Terraform function concat() and remove any duplicates with the Terraform function distinct().
In the case of the site bar.example.com, if a list of IP exceptions already exists, it is replaced by the one defined in our variable common_ips_exception.
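The same pattern generalised to any number of sites, as an added example that is not part of the original article or of the OGO provider documentation: the sites are described in one map, each site's own exceptions are merged with the common list, and a validation block rejects any exception that is not written in CIDR notation before apply. It assumes the variables cluster_uid_euw1 and common_ips_exception declared above, and Terraform 1.3 or later for optional() object attributes.

```hcl
# Added example: one ogo_shield_site resource per entry of var.sites.
# Assumes var.cluster_uid_euw1 and var.common_ips_exception from the examples above.
variable "sites" {
  type = map(object({
    domain_name   = string
    origin_server = string
    # Per-site exceptions, empty by default (optional() needs Terraform >= 1.3)
    ip_exceptions = optional(list(object({ comment = string, ip = string })), [])
  }))
  default = {
    foo_example_com = {
      domain_name   = "foo.example.com"
      origin_server = "172.18.1.10"
      ip_exceptions = [
        { comment = "Office IPv6", ip = "fded:b552:6f7e:ad5e::/64" },
      ]
    }
    bar_example_com = {
      domain_name   = "bar.example.com"
      origin_server = "172.18.1.11"
    }
  }

  # Every exception must be a valid IPv4 or IPv6 CIDR: cidrhost() fails on
  # anything else, so can() turns a malformed entry into a plan-time error
  # instead of an exception that is silently wider or narrower than intended.
  validation {
    condition = alltrue(flatten([
      for s in var.sites : [for e in s.ip_exceptions : can(cidrhost(e.ip, 0))]
    ]))
    error_message = "Every ip_exceptions entry must be a CIDR such as 203.0.113.4/32 or 2001:db8::/64."
  }
}

resource "ogo_shield_site" "site" {
  for_each = var.sites

  domain_name   = each.value.domain_name
  cluster_uid   = var.cluster_uid_euw1
  origin_server = each.value.origin_server
  # Common exceptions first, then the site's own; distinct() drops repeats
  ip_exceptions = distinct(concat(var.common_ips_exception, each.value.ip_exceptions))
}
```

Adding an entry to common_ips_exception now changes every site in var.sites on the next plan, and the per-site map is the only place that needs editing when a site is added or removed.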