Terraform - Azure-firewall_network_rules_collection loop with ipgroups

First of all, I am using Terraform on Azure.

I am trying to deploy an Azure Firewall with some azurerm_firewall_network_rule_collection resources. I want to be able to run a loop that deploys multiple rule collections, each containing a loop of multiple rules. In those rules I want to reference some source/destination addresses and, when needed, some ipgroups.

Today, with my code, I am able to deploy multiple rule collections containing different rules. Unfortunately, my code only works with IP addresses or CIDRs, and I would like to be able to reference some ipgroups (which Terraform allows).

Here is the rule collection code from my main.tf:

resource "azurerm_firewall_network_rule_collection" "hub_fw_rules_allow" {
    count               = length(var.network_rules)
    azure_firewall_name = join(" " , module.Create-AzureRmFirewall.fw_name)
    resource_group_name = module.Get-AzureRmResourceGroup-hub.rg_name
    name                = var.network_rule_names[count.index]
    priority            = element(var.network_rule_priorities, count.index)
    action              = element(var.network_rule_actions, count.index)
    dynamic "rule" {
        for_each = var.network_rules[count.index]
            content {
                name                  = rule.value.name
                description           = lookup(rule.value, "description", null)
                source_addresses      = lookup(rule.value, "source_addresses", null)
                source_ip_groups      = lookup(rule.value, "source_ip_groups" , null)
                destination_addresses = lookup(rule.value, "destination_addresses", null)
                destination_ip_groups = lookup(rule.value, "destination_ip_groups", null)
                destination_ports     = lookup(rule.value, "destination_ports", null)
                protocols             = lookup(rule.value, "protocols", null)
            }
    }
}

Here is the tfvars file for my rules (the values were set randomly for my tests):

network_rule_names      = ["network_rule_1", "network_rule_2"]
network_rule_priorities = [101 , 102]
network_rule_actions    = ["Allow", "Deny"]
network_rules = [ 
    [   
        {    
            name                  = "network_rule_1_rule_1"
            source_addresses      = ["10.1.0.0/16"]
            destination_addresses = ["10.8.8.8", "8.10.4.4"]
            destination_ports     = [11]
            protocols             = ["TCP", "UDP"]
        },  
        {         
            name                  = "network_rule_1_rule_2"
            source_addresses      = ["10.1.0.0/16"]
            destination_addresses = ["10.8.8.8", "8.10.4.4"]
            destination_ports     = [12]
            protocols             = ["TCP", "UDP"]
        }  
    ],

    [   
        {      
            name                  = "network_rule_2_rule_1"
            source_addresses      = ["10.1.0.0/16"]
            destination_addresses = ["10.8.8.8", "8.10.4.4"]
            destination_ports     = [21]
            protocols             = ["TCP",]
        },  
        {          
            name                  = "network_rule_2_rule_2"
            source_addresses      = ["10.1.0.0/16"]
            destination_addresses = ["10.8.8.8", "8.10.4.4"]   
            destination_ports     = [22]
            protocols             = ["TCP", "UDP"]
        }  
    ]
]

My variables file looks like this:

variable "network_rules"{
    type = list#(any)
}
variable "fw_name"{}
variable "hub_fw_rules_allow_name"{}
variable "priority"{}
variable "network_rule_names" {
    type        = list(string)
    default     = [""]
}
variable "network_rule_priorities" {
    type        = list(number)
    default     = [101]
}
variable "network_rule_actions" {
    type        = list(string)
    default     = ["Deny"]
}

So with this code everything works fine: Terraform deploys 2 rule collections, each containing 2 rules, and I just need to open a new "{}" to quickly create a new rule. (If you have ideas for improvement, they would be appreciated.)

So what is the problem?

I want to use some IP groups for certain rules, and I want to be able to use either ipgroups or IPs. That is why I have this line in my main file: source_ip_groups = lookup(rule.value, "source_ip_groups", null)

I would like to be able to write this rule in my tfvars file:

{          
name                  = "network_rule_2_rule_ipgroup"
source_ip_groups      = ["/subscriptions/xx-xx-xx/resourceGroups/rgp-xx-xxx/providers/Microsoft.Network/ipGroups/ipgr-name-xx"]
destination_ip_groups = ["/subscriptions/xx-xx-xx/resourceGroups/rgp-xx-xxx/providers/Microsoft.Network/ipGroups/other-ipgr-name-xx"]   
destination_ports     = [22]
protocols             = ["TCP", "UDP"]
}   

When I do this, I get an error on all the network_rules blocks in my tfvars file: The given value is not valid for variable "network_rules": all list elements must have the same type.

From there I don't know what I can do. I tried changing the way I reference my IP group ID, using the element function, same error...

I also tried "playing" with the punctuation by removing the quotes or the "[]"...

I want to keep my loop because I am going to create a lot of rules.

If you have an idea of how I can reference the IDs for my rules, that would be great.

Thank you all!!

The straightforward way is to define elements of the same type for the variable "network_rules".

network_rules = [ 
    [   
        {    
            name                  = "network_rule_1_rule_1"
            source_addresses      = ["10.1.0.0/16"]
            destination_addresses = ["10.8.8.8", "8.10.4.4"]
            destination_ports     = [11]
            protocols             = ["TCP", "UDP"]
            source_ip_groups      = []
            destination_ip_groups = []
        },  
        {         
            name                  = "network_rule_1_rule_2"
            source_addresses      = ["10.1.0.0/16"]
            destination_addresses = ["10.8.8.8", "8.10.4.4"]
            destination_ports     = [12]
            protocols             = ["TCP", "UDP"]
            source_ip_groups      = []
            destination_ip_groups = []
        }
    ],

    [   
        {      
            name                  = "network_rule_2_rule_1"
            source_addresses      = ["10.1.0.0/16"]
            destination_addresses = ["10.8.8.8", "8.10.4.4"]
            destination_ports     = [21]
            protocols             = ["TCP",]
            source_ip_groups      = []
            destination_ip_groups = []
        },  
        {          
            name                  = "network_rule_2_rule_2"
            source_addresses      = ["10.1.0.0/16"]
            destination_addresses = ["10.8.8.8", "8.10.4.4"]   
            destination_ports     = [22]
            protocols             = ["TCP", "UDP"]
            source_ip_groups      = []
            destination_ip_groups = []
        },
        {          
            name                  = "network_rule_2_rule_ipgroup"        
            source_addresses      = []
            destination_addresses = []   
            destination_ports     = [22]
            protocols             = ["TCP", "UDP"]
            source_ip_groups      = ["/subscriptions/xxx/resourceGroups/xxxRG/providers/Microsoft.Network/ipGroups/xxx"]
            destination_ip_groups = ["/subscriptions/xxx/resourceGroups/xxxRG/providers/Microsoft.Network/ipGroups/ipgxxx"]
        }   
    ]
]
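As an added example (not part of the question or the answer above), the same "same type" problem can be solved without padding every rule with empty lists by giving network_rules an explicit object type with optional attributes, and a validation block can reject a rule that has no source or no destination at plan time. This assumes Terraform 1.3 or later (for optional() defaults) and reuses the module references from the question's main.tf as-is.

```hcl
# Added example: one object type covers rules that use addresses, IP groups, or both.
variable "network_rules" {
  type = list(list(object({
    name                  = string
    description           = optional(string)
    protocols             = list(string)
    destination_ports     = list(string)            # numbers such as 22 convert to "22"
    source_addresses      = optional(list(string), [])
    source_ip_groups      = optional(list(string), [])
    destination_addresses = optional(list(string), [])
    destination_ip_groups = optional(list(string), [])
  })))
  # Azure Firewall needs a source and a destination on every rule; catch a rule
  # that has neither form during plan rather than when the API rejects it.
  validation {
    condition = alltrue(flatten([
      for collection in var.network_rules : [
        for r in collection :
        length(r.source_addresses) + length(r.source_ip_groups) > 0 &&
        length(r.destination_addresses) + length(r.destination_ip_groups) > 0
      ]
    ]))
    error_message = "Each rule needs at least one source and one destination (addresses or IP groups)."
  }
}

# Same resource as in the question; the unused side of a rule is passed as null
# rather than [] so the provider treats that attribute as unset.
resource "azurerm_firewall_network_rule_collection" "hub_fw_rules_allow" {
  count               = length(var.network_rules)
  azure_firewall_name = join(" ", module.Create-AzureRmFirewall.fw_name)
  resource_group_name = module.Get-AzureRmResourceGroup-hub.rg_name
  name                = var.network_rule_names[count.index]
  priority            = element(var.network_rule_priorities, count.index)
  action              = element(var.network_rule_actions, count.index)
  dynamic "rule" {
    for_each = var.network_rules[count.index]
    content {
      name                  = rule.value.name
      description           = rule.value.description
      protocols             = rule.value.protocols
      destination_ports     = rule.value.destination_ports
      source_addresses      = length(rule.value.source_addresses) > 0 ? rule.value.source_addresses : null
      source_ip_groups      = length(rule.value.source_ip_groups) > 0 ? rule.value.source_ip_groups : null
      destination_addresses = length(rule.value.destination_addresses) > 0 ? rule.value.destination_addresses : null
      destination_ip_groups = length(rule.value.destination_ip_groups) > 0 ? rule.value.destination_ip_groups : null
    }
  }
}
```

With this declaration the original tfvars, including the network_rule_2_rule_ipgroup entry that only sets IP groups, type-checks unchanged, because the missing attributes are filled with their empty-list defaults.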