Can't mix plural and singular during NSG creation?
Hi, I'm wondering if anyone has experience with this. I'm trying to come up with a standard NSG module, pass the NSG rules in as a parameter via a tfvars file, and create them.
This is my NSGrule.tf
resource "azurerm_network_security_rule" "nsgrule" {
  for_each                    = var.network_security_rules
  name                        = each.value.name
  description                 = each.value.description
  priority                    = each.value.priority
  direction                   = each.value.direction
  access                      = each.value.access
  protocol                    = each.value.protocol
  source_port_range           = each.value.source_port_range
  destination_port_range      = each.value.destination_port_range
  source_address_prefix       = each.value.source_address_prefix
  destination_address_prefix  = each.value.destination_address_prefix
  resource_group_name         = azurerm_resource_group.rg.name
  network_security_group_name = azurerm_network_security_group.nsg.name
}
This is my parameter (tfvars) file
network_security_rules = {
  IN-syslogProxy = {
    name                       = "IN-syslogProxy"
    description                = "NSS appliance to syslog proxy"
    priority                   = 120
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "*"
    source_port_range          = "*"
    destination_port_range     = "514"
    source_address_prefix      = "172.19.16.6"
    destination_address_prefix = "172.19.16.4"
  }
}
So it works for a single IP and a single port, but what about multiple ports or multiple IPs? Say we have another rule
OUT-InternetServices = {
  name                       = "OUT-InternetServices"
  description                = "Allows traffic for outgoing to the Internet - until Firewalls in place - use with Caution"
  priority                   = 560
  direction                  = "Outbound"
  access                     = "Allow"
  protocol                   = "TCP"
  source_port_range          = "*"
  destination_port_ranges    = ["80","443"]
  source_address_prefix      = "*"
  destination_address_prefix = "Internet"
}
It fails. First, it expects destination_port_range and not destination_port_ranges.
Second, ["80","443"] is a list value, and I don't think a map type can have list values.
How do I mix plural and singular when creating the NSG? Any help is appreciated.
In this case, you can provide more parameters in the variable network_security_rules.
resource "azurerm_network_security_rule" "nsgrule" {
  for_each                     = var.network_security_rules
  name                         = each.value.name
  description                  = each.value.description
  priority                     = each.value.priority
  direction                    = each.value.direction
  access                       = each.value.access
  protocol                     = each.value.protocol
  source_port_range            = each.value.source_port_range
  destination_port_range       = each.value.destination_port_range
  source_address_prefix        = each.value.source_address_prefix
  destination_address_prefix   = each.value.destination_address_prefix
  resource_group_name          = azurerm_resource_group.rg.name
  network_security_group_name  = azurerm_network_security_group.nsg.name
  source_port_ranges           = each.value.source_port_ranges
  destination_port_ranges      = each.value.destination_port_ranges
  source_address_prefixes      = each.value.source_address_prefixes
  destination_address_prefixes = each.value.destination_address_prefixes
}
If you don't want to specify a parameter value, you can set it to null in the parameter values.
network_security_rules = {
  IN-syslogProxy = {
    name                         = "IN-syslogProxy"
    description                  = "NSS appliance to syslog proxy"
    priority                     = 120
    direction                    = "Inbound"
    access                       = "Allow"
    protocol                     = "*"
    source_port_range            = "*"
    source_port_ranges           = null
    destination_port_range       = "514"
    destination_port_ranges      = null
    source_address_prefix        = "172.19.16.6"
    source_address_prefixes      = null
    destination_address_prefix   = "172.19.16.4"
    destination_address_prefixes = null
  },
  OUT-InternetServices = {
    name                         = "OUT-InternetServices"
    description                  = "Allows traffic for outgoing to the Internet - until Firewalls in place - use with Caution"
    priority                     = 560
    direction                    = "Outbound"
    access                       = "Allow"
    protocol                     = "TCP"
    source_port_range            = "*"
    source_port_ranges           = null
    destination_port_range       = null
    destination_port_ranges      = ["80","443"]
    source_address_prefix        = "*"
    source_address_prefixes      = null
    destination_address_prefix   = "Internet"
    destination_address_prefixes = null
  }
}
variable "network_security_rules" {
  type = map(object({
    name                         = string
    description                  = string
    priority                     = string
    direction                    = string
    access                       = string
    protocol                     = string
    source_port_range            = string
    source_port_ranges           = list(string)
    destination_port_range       = string
    destination_port_ranges      = list(string)
    source_address_prefix        = string
    source_address_prefixes      = list(string)
    destination_address_prefix   = string
    destination_address_prefixes = list(string)
  }))
}
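A variant of the answer above, added here as an example rather than taken from the original post: it assumes Terraform 1.3 or later (for `optional()`), lets the tfvars omit the unused singular or plural form instead of writing `null` for each one, and adds a `validation` block so a rule that sets both forms of the same attribute (which the azurerm provider treats as mutually exclusive) fails at plan time with a readable message.

```hcl
# variables.tf (added example; every optional attribute defaults to null)
variable "network_security_rules" {
  type = map(object({
    name                         = string
    description                  = optional(string, "")
    priority                     = number
    direction                    = string
    access                       = string
    protocol                     = string
    source_port_range            = optional(string)
    source_port_ranges           = optional(list(string))
    destination_port_range       = optional(string)
    destination_port_ranges      = optional(list(string))
    source_address_prefix        = optional(string)
    source_address_prefixes      = optional(list(string))
    destination_address_prefix   = optional(string)
    destination_address_prefixes = optional(list(string))
  }))

  # Exactly one of each singular/plural pair must be set per rule:
  # "== null" differing between the two forms means one is set and one is not.
  validation {
    condition = alltrue([
      for k, r in var.network_security_rules :
      (r.source_port_range == null) != (r.source_port_ranges == null) &&
      (r.destination_port_range == null) != (r.destination_port_ranges == null) &&
      (r.source_address_prefix == null) != (r.source_address_prefixes == null) &&
      (r.destination_address_prefix == null) != (r.destination_address_prefixes == null)
    ])
    error_message = "Each NSG rule must set exactly one of the singular and plural form of source/destination port range and address prefix."
  }
}

# terraform.tfvars (added example; the null entries from the answer are no longer needed)
network_security_rules = {
  OUT-InternetServices = {
    name                       = "OUT-InternetServices"
    description                = "Outbound web until firewalls are in place"
    priority                   = 560
    direction                  = "Outbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_ranges    = ["80", "443"]
    source_address_prefix      = "*"
    destination_address_prefix = "Internet"
  }
}
```

The resource block from the answer works unchanged with this variable, since each `each.value.*` reference now resolves to `null` for whichever form the rule did not set.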