Azure Terraform Virtual Network Peering Error (peering two existing vnets)
Goal:
Create a terraform module that will peer two existing vnets across regions.
Problem: when I run terraform apply, I get this error output:
Error Output:
Error: network.VirtualNetworkPeeringsClient#CreateOrUpdate: Failure sending request: StatusCode=400 -- Original Error: Code="PeeringRemoteVnetIsSameAsParentVnet" Message="RemoteNetwork property of the peering /subscriptions/[REDACTED]/ cannot reference parent virtual network of the peering." Details=[]
on main.tf line 12, in resource "azurerm_virtual_network_peering" "source-to-destination":
12: resource "azurerm_virtual_network_peering" "source-to-destination" {
Error Output:
network.VirtualNetworkPeeringsClient#CreateOrUpdate: Failure sending request: StatusCode=400 -- Original Error: Code="PeeringRemoteVnetIsSameAsParentVnet" Message="RemoteNetwork property of the peering /subscriptions/[REDACTED]/ cannot reference parent virtual network of the peering." Details=[]
on main.tf line 25, in resource "azurerm_virtual_network_peering" "destination-to-source":
25: resource "azurerm_virtual_network_peering" "destination-to-source" {
Idea:
The idea is to create a terraform module so that when other members of our team need to peer two existing vnets, they can pass in a terraform.tfvars file and deploy the vnet peering.
Research:
Here are the documentation references I have been following:
https://www.terraform.io/docs/providers/azurerm/r/virtual_network_peering.html
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_network_peering
I have not yet found an example of peering two existing vnets.
// See the code below
My main.tf file
##
# This will Peer two existing VNets across regions
##
provider "azurerm" {
  version         = ">=2.0.0"
  features {}
  subscription_id = var.subscription_id
}

# initiates source to destination peering between two existing vnets
resource "azurerm_virtual_network_peering" "source-to-destination" {
  name                         = "peering-to-${var.destination_peer.virtual_network_name}"
  resource_group_name          = data.azurerm_virtual_network.existing_source_vnet.resource_group_name
  virtual_network_name         = data.azurerm_virtual_network.existing_source_vnet.name
  remote_virtual_network_id    = data.azurerm_virtual_network.existing_source_vnet.id
  allow_virtual_network_access = var.allow_virtual_network_access
  allow_forwarded_traffic      = var.allow_forwarded_traffic
  allow_gateway_transit        = var.allow_gateway_transit
  use_remote_gateways          = var.use_remote_gateways
  depends_on                   = [data.azurerm_virtual_network.existing_source_vnet]
}

# initiates destination to source peering between two existing vnets
resource "azurerm_virtual_network_peering" "destination-to-source" {
  name                         = "peering-from-${var.source_peer.virtual_network_name}"
  resource_group_name          = data.azurerm_virtual_network.existing_destination_vnet.resource_group_name
  virtual_network_name         = data.azurerm_virtual_network.existing_destination_vnet.name
  remote_virtual_network_id    = data.azurerm_virtual_network.existing_destination_vnet.id
  allow_virtual_network_access = var.allow_virtual_network_access
  allow_forwarded_traffic      = var.allow_forwarded_traffic
  allow_gateway_transit        = var.allow_gateway_transit
  use_remote_gateways          = var.use_remote_gateways
  depends_on                   = [data.azurerm_virtual_network.existing_destination_vnet]
}
My data.tf file
##
# Existing Vnet Data
##
data "azurerm_virtual_network" "existing_source_vnet" {
  resource_group_name = lookup(var.source_peer, "resource_group_name")
  name                = lookup(var.source_peer, "virtual_network_name")
}

data "azurerm_subnet" "src_subnet" {
  name                 = lookup(var.source_peer, "name")
  virtual_network_name = lookup(var.source_peer, "virtual_network_name")
  resource_group_name  = lookup(var.source_peer, "resource_group_name")
}

data "azurerm_virtual_network" "existing_destination_vnet" {
  resource_group_name = lookup(var.destination_peer, "resource_group_name")
  name                = lookup(var.destination_peer, "virtual_network_name")
}

data "azurerm_subnet" "dtn_subnet" {
  name                 = lookup(var.destination_peer, "name")
  virtual_network_name = lookup(var.destination_peer, "virtual_network_name")
  resource_group_name  = lookup(var.destination_peer, "resource_group_name")
}
My variables.tf file
# This will Peer two existing VNets across regions
##
# Account Inputs
##
variable "subscription_id" {
  type = string
}

##
# Input
##
# The peering flags are booleans, so they are typed as bool rather than string
variable "allow_gateway_transit" {
  type    = bool
  default = false
}

variable "use_remote_gateways" {
  type    = bool
  default = false
}

variable "allow_forwarded_traffic" {
  type    = bool
  default = false
}

variable "allow_virtual_network_access" {
  type    = bool
  default = true
}

variable "source_peer" {
  type = object({
    resource_group_name       = string
    virtual_network_name      = string
    remote_virtual_network_id = string
    name                      = string
  })
}

variable "destination_peer" {
  type = object({
    resource_group_name       = string
    virtual_network_name      = string
    remote_virtual_network_id = string
    name                      = string
  })
}
My output.tf file
##
# Output Of Virtual Network ID
##
output "virtual_network_id_src" {
  value = data.azurerm_virtual_network.existing_source_vnet.id
}

output "subnet_id_src" {
  value = data.azurerm_subnet.src_subnet.id
}

output "virtual_network_id_dtn" {
  value = data.azurerm_virtual_network.existing_destination_vnet.id
}

output "subnet_id_dtn" {
  value = data.azurerm_subnet.dtn_subnet.id
}
As for the error message, it means you have set remote_virtual_network_id = data.azurerm_virtual_network.existing_source_vnet.id to the VNet itself rather than the remote VNet. You should set the remote VNet like this: remote_virtual_network_id = data.azurerm_virtual_network.existing_destination_vnet.id
# initiates source to destination peering between two existing vnets
resource "azurerm_virtual_network_peering" "source-to-destination" {
  name                         = "peering-to-${var.destination_peer.virtual_network_name}"
  resource_group_name          = data.azurerm_virtual_network.existing_source_vnet.resource_group_name
  virtual_network_name         = data.azurerm_virtual_network.existing_source_vnet.name
  remote_virtual_network_id    = data.azurerm_virtual_network.existing_destination_vnet.id # change here
  allow_virtual_network_access = var.allow_virtual_network_access
  allow_forwarded_traffic      = var.allow_forwarded_traffic
  allow_gateway_transit        = var.allow_gateway_transit
  use_remote_gateways          = var.use_remote_gateways
  // depends_on = [data.azurerm_virtual_network.existing_source_vnet]
}

# initiates destination to source peering between two existing vnets
resource "azurerm_virtual_network_peering" "destination-to-source" {
  name                         = "peering-from-${var.source_peer.virtual_network_name}"
  resource_group_name          = data.azurerm_virtual_network.existing_destination_vnet.resource_group_name
  virtual_network_name         = data.azurerm_virtual_network.existing_destination_vnet.name
  remote_virtual_network_id    = data.azurerm_virtual_network.existing_source_vnet.id # change here
  allow_virtual_network_access = var.allow_virtual_network_access
  allow_forwarded_traffic      = var.allow_forwarded_traffic
  allow_gateway_transit        = var.allow_gateway_transit
  use_remote_gateways          = var.use_remote_gateways
  // depends_on = [data.azurerm_virtual_network.existing_destination_vnet]
}
Also, VNet peering works at the VNet level, so unless you want to output the subnets there is no need to declare the existing subnets in the code.
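Added example, not the original poster's or the answerer's code: a guard for the module above that makes the self-peering mistake (and the related gateway-flag conflict) fail at plan time with a clear message instead of surfacing as the Azure 400 at apply time. It reuses the two data sources from data.tf, assumes Terraform 1.2 or later for lifecycle preconditions, and folds the two peering resources into one for_each resource.

```hcl
locals {
  src_vnet = data.azurerm_virtual_network.existing_source_vnet
  dst_vnet = data.azurerm_virtual_network.existing_destination_vnet

  # Each peering lives in its own VNet and must point at the OTHER VNet.
  peerings = {
    "source-to-destination" = {
      resource_group_name       = local.src_vnet.resource_group_name
      virtual_network_name      = local.src_vnet.name
      remote_virtual_network_id = local.dst_vnet.id
    }
    "destination-to-source" = {
      resource_group_name       = local.dst_vnet.resource_group_name
      virtual_network_name      = local.dst_vnet.name
      remote_virtual_network_id = local.src_vnet.id
    }
  }
}

resource "azurerm_virtual_network_peering" "this" {
  for_each = local.peerings

  name                         = each.key
  resource_group_name          = each.value.resource_group_name
  virtual_network_name         = each.value.virtual_network_name
  remote_virtual_network_id    = each.value.remote_virtual_network_id
  allow_virtual_network_access = var.allow_virtual_network_access
  allow_forwarded_traffic      = var.allow_forwarded_traffic
  allow_gateway_transit        = var.allow_gateway_transit
  use_remote_gateways          = var.use_remote_gateways

  lifecycle {
    # Catches the PeeringRemoteVnetIsSameAsParentVnet case during plan.
    # Azure resource IDs are case-insensitive, so compare them lowercased.
    precondition {
      condition     = lower(local.src_vnet.id) != lower(local.dst_vnet.id)
      error_message = "source_peer and destination_peer resolve to the same VNet; a VNet cannot peer with itself."
    }
    # The module passes the same flags to both directions, so a single
    # peering could end up both transiting its gateway and using the remote
    # one, which Azure rejects. tobool() also accepts the "false" strings
    # produced by string-typed variables.
    precondition {
      condition     = !(tobool(var.allow_gateway_transit) && tobool(var.use_remote_gateways))
      error_message = "allow_gateway_transit and use_remote_gateways cannot both be true on one peering."
    }
  }
}
```

Run terraform plan with a tfvars file where source_peer and destination_peer name the same VNet and the plan stops at the first precondition before any API call is made.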