强制 NSG 与子网关联时,如何建立 App 服务虚拟网络 swift 连接

How to make App service virtual network swift connection when NSG association with subnet is mandatory

正在处理自定义策略强制执行子网和 nsg 关联的项目。如果子网没有与之关联的 NSG,则无法配置。

使用 terraform 部署资源 - 资源组、VNET、NSG,在创建子网之前,我创建了与子网关联的 NSG 作为 VNET 部署的一部分,部署了应用服务计划、Web 应用,然后尝试执行应用服务虚拟网络swify 连接但失败,因为缺少服务委托。

terraform 脚本

provider "azurerm" {
  version                    = "=2.0.0"
  skip_provider_registration = true
  features {}
}

resource "azurerm_resource_group" "main" {
  name     = var.resourceGroupName
  location = var.location
}

resource "azurerm_network_security_group" "main" {
  name                = var.nsgName
  location            = azurerm_resource_group.main.location
  resource_group_name = azurerm_resource_group.main.name
  security_rule {
    name                       = "test123"
    priority                   = 100
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "443"
    source_address_prefix      = "*"
    destination_address_prefix = "10.1.0.0/26"
  }
  tags = {
    environment = "NonProduction"
  }
}
data "azurerm_network_security_group" "main" {
  name                = azurerm_network_security_group.main.name
  resource_group_name = azurerm_resource_group.main.name
}

resource "azurerm_virtual_network" "main" {
  name                = var.vNetName
  location            = azurerm_resource_group.main.location
  resource_group_name = azurerm_resource_group.main.name
  address_space       = ["10.1.0.0/16"]
  dns_servers         = ["10.1.0.4", "10.1.0.5"]
  subnet {
    name           = var.subNetName
    address_prefix = "10.1.0.0/26"
    security_group = data.azurerm_network_security_group.main.id
  }
  tags = {
    environment = "NonProduction"
  }
}

resource "azurerm_app_service_plan" "main" {
  name                = var.appServicePlanName
  location            = azurerm_resource_group.main.location
  resource_group_name = azurerm_resource_group.main.name
  sku {
    tier = "Standard"
    size = "S1"
  }
}
resource "azurerm_app_service" "main" {
  name                = var.appServiceName
  location            = azurerm_resource_group.main.location
  resource_group_name = azurerm_resource_group.main.name
  app_service_plan_id = azurerm_app_service_plan.main.id
  https_only          = true
}
data "azurerm_subnet" "main" {
  name                 = var.subNetName
  virtual_network_name = var.vNetName
  resource_group_name  = azurerm_resource_group.main.name
}
resource "azurerm_app_service_virtual_network_swift_connection" "main" {
  app_service_id = azurerm_app_service.main.id
  subnet_id      = data.azurerm_subnet.main.id
}

我唯一想不通的是如何申请服务委托。如果在创建子网之前强制执行 NSG 的自定义策略不存在,我本可以轻松完成此操作

terraform 脚本

resource "azurerm_resource_group" "test" {
  name     = "example-resources"
  location = "uksouth"
}

resource "azurerm_virtual_network" "test" {
  name                = "acctestvnet"
  address_space       = ["10.0.0.0/16"]
  location            = azurerm_resource_group.test.location
  resource_group_name = azurerm_resource_group.test.name
}

resource "azurerm_subnet" "test1" {
  name                 = "acctestsubnet1"
  resource_group_name  = azurerm_resource_group.test.name
  virtual_network_name = azurerm_virtual_network.test.name
  address_prefix       = "10.0.1.0/24"

  delegation {
    name = "acctestdelegation"

    service_delegation {
      name    = "Microsoft.Web/serverFarms"
      actions = ["Microsoft.Network/virtualNetworks/subnets/action"]
    }
  }
}

resource "azurerm_app_service_plan" "test" {
  name                = "acctestasp"
  location            = azurerm_resource_group.test.location
  resource_group_name = azurerm_resource_group.test.name

  sku {
    tier = "Standard"
    size = "S1"
  }
}

resource "azurerm_app_service" "test" {
  name                = "acctestas"
  location            = azurerm_resource_group.test.location
  resource_group_name = azurerm_resource_group.test.name
  app_service_plan_id = azurerm_app_service_plan.test.id
}

resource "azurerm_app_service_virtual_network_swift_connection" "test" {
  app_service_id = azurerm_app_service.test.id
  subnet_id      = azurerm_subnet.test1.id
}

如果需要,我可以使用下面的 tf config 来设置 NSG 关联

resource "azurerm_subnet_network_security_group_association" "example" {
  subnet_id                 = azurerm_subnet.example.id
  network_security_group_id = azurerm_network_security_group.example.id
}

但这种方法的问题是会发生关联post子网部署,但由于自定义策略已到位,tf 应用失败并出现策略违规错误

有什么方法可以在创建子网之前关联 NSG 并应用服务委托吗?

由于您的自定义策略要求 NSG 需要与子网创建时间关联或在子网创建之前关联。您必须使用 azurerm_virtual_network 块来创建子网和安全组。

在这种情况下,您可以在创建资源后使用 local-exec Provisioner to invoke a local executable CLI command

例子

resource "azurerm_virtual_network" "test" {
  name                = "acctestvnet"
  address_space       = ["10.0.0.0/16"]
  location            = azurerm_resource_group.main.location
  resource_group_name = azurerm_resource_group.main.name

 subnet {
   name = var.subnet
   address_prefix = "10.0.1.0/24"
   security_group = azurerm_network_security_group.main.id
 }

}

resource "azurerm_app_service" "test" {
  name                = "acctestas"
  location            = azurerm_resource_group.main.location
  resource_group_name = azurerm_resource_group.main.name
  app_service_plan_id = azurerm_app_service_plan.test.id

provisioner "local-exec" {
  command = "az webapp vnet-integration add --name ${azurerm_app_service.test.name} --resource-group ${azurerm_resource_group.main.name}  --vnet ${azurerm_virtual_network.test.name} --subnet ${var.subnet}"
  interpreter = ["PowerShell", "-command" ]
}

}

结果