强制 NSG 与子网关联时,如何建立 App 服务虚拟网络 swift 连接
How to make App service virtual network swift connection when NSG association with subnet is mandatory
正在处理自定义策略强制执行子网和 nsg 关联的项目。如果子网没有与之关联的 NSG,则无法配置。
使用 terraform 部署资源 - 资源组、VNET、NSG,在创建子网之前,我创建了与子网关联的 NSG 作为 VNET 部署的一部分,部署了应用服务计划、Web 应用,然后尝试执行应用服务虚拟网络swify 连接但失败,因为缺少服务委托。
terraform 脚本
provider "azurerm" {
version = "=2.0.0"
skip_provider_registration = true
features {}
}
resource "azurerm_resource_group" "main" {
name = var.resourceGroupName
location = var.location
}
resource "azurerm_network_security_group" "main" {
name = var.nsgName
location = azurerm_resource_group.main.location
resource_group_name = azurerm_resource_group.main.name
security_rule {
name = "test123"
priority = 100
direction = "Inbound"
access = "Allow"
protocol = "Tcp"
source_port_range = "*"
destination_port_range = "443"
source_address_prefix = "*"
destination_address_prefix = "10.1.0.0/26"
}
tags = {
environment = "NonProduction"
}
}
data "azurerm_network_security_group" "main" {
name = azurerm_network_security_group.main.name
resource_group_name = azurerm_resource_group.main.name
}
resource "azurerm_virtual_network" "main" {
name = var.vNetName
location = azurerm_resource_group.main.location
resource_group_name = azurerm_resource_group.main.name
address_space = ["10.1.0.0/16"]
dns_servers = ["10.1.0.4", "10.1.0.5"]
subnet {
name = var.subNetName
address_prefix = "10.1.0.0/26"
security_group = data.azurerm_network_security_group.main.id
}
tags = {
environment = "NonProduction"
}
}
resource "azurerm_app_service_plan" "main" {
name = var.appServicePlanName
location = azurerm_resource_group.main.location
resource_group_name = azurerm_resource_group.main.name
sku {
tier = "Standard"
size = "S1"
}
}
resource "azurerm_app_service" "main" {
name = var.appServiceName
location = azurerm_resource_group.main.location
resource_group_name = azurerm_resource_group.main.name
app_service_plan_id = azurerm_app_service_plan.main.id
https_only = true
}
data "azurerm_subnet" "main" {
name = var.subNetName
virtual_network_name = var.vNetName
resource_group_name = azurerm_resource_group.main.name
}
resource "azurerm_app_service_virtual_network_swift_connection" "main" {
app_service_id = azurerm_app_service.main.id
subnet_id = data.azurerm_subnet.main.id
}
我唯一想不通的是如何申请服务委托。如果在创建子网之前强制执行 NSG 的自定义策略不存在,我本可以轻松完成此操作
terraform 脚本
resource "azurerm_resource_group" "test" {
name = "example-resources"
location = "uksouth"
}
resource "azurerm_virtual_network" "test" {
name = "acctestvnet"
address_space = ["10.0.0.0/16"]
location = azurerm_resource_group.test.location
resource_group_name = azurerm_resource_group.test.name
}
resource "azurerm_subnet" "test1" {
name = "acctestsubnet1"
resource_group_name = azurerm_resource_group.test.name
virtual_network_name = azurerm_virtual_network.test.name
address_prefix = "10.0.1.0/24"
delegation {
name = "acctestdelegation"
service_delegation {
name = "Microsoft.Web/serverFarms"
actions = ["Microsoft.Network/virtualNetworks/subnets/action"]
}
}
}
resource "azurerm_app_service_plan" "test" {
name = "acctestasp"
location = azurerm_resource_group.test.location
resource_group_name = azurerm_resource_group.test.name
sku {
tier = "Standard"
size = "S1"
}
}
resource "azurerm_app_service" "test" {
name = "acctestas"
location = azurerm_resource_group.test.location
resource_group_name = azurerm_resource_group.test.name
app_service_plan_id = azurerm_app_service_plan.test.id
}
resource "azurerm_app_service_virtual_network_swift_connection" "test" {
app_service_id = azurerm_app_service.test.id
subnet_id = azurerm_subnet.test1.id
}
如果需要,我可以使用下面的 tf config 来设置 NSG 关联
resource "azurerm_subnet_network_security_group_association" "example" {
subnet_id = azurerm_subnet.example.id
network_security_group_id = azurerm_network_security_group.example.id
}
但这种方法的问题是会发生关联post子网部署,但由于自定义策略已到位,tf 应用失败并出现策略违规错误
有什么方法可以在创建子网之前关联 NSG 并应用服务委托吗?
由于您的自定义策略要求 NSG 需要与子网创建时间关联或在子网创建之前关联。您必须使用 azurerm_virtual_network 块来创建子网和安全组。
在这种情况下,您可以在创建资源后使用 local-exec Provisioner to invoke a local executable CLI command。
例子
resource "azurerm_virtual_network" "test" {
name = "acctestvnet"
address_space = ["10.0.0.0/16"]
location = azurerm_resource_group.main.location
resource_group_name = azurerm_resource_group.main.name
subnet {
name = var.subnet
address_prefix = "10.0.1.0/24"
security_group = azurerm_network_security_group.main.id
}
}
resource "azurerm_app_service" "test" {
name = "acctestas"
location = azurerm_resource_group.main.location
resource_group_name = azurerm_resource_group.main.name
app_service_plan_id = azurerm_app_service_plan.test.id
provisioner "local-exec" {
command = "az webapp vnet-integration add --name ${azurerm_app_service.test.name} --resource-group ${azurerm_resource_group.main.name} --vnet ${azurerm_virtual_network.test.name} --subnet ${var.subnet}"
interpreter = ["PowerShell", "-command" ]
}
}
结果
正在处理自定义策略强制执行子网和 nsg 关联的项目。如果子网没有与之关联的 NSG,则无法配置。
使用 terraform 部署资源 - 资源组、VNET、NSG,在创建子网之前,我创建了与子网关联的 NSG 作为 VNET 部署的一部分,部署了应用服务计划、Web 应用,然后尝试执行应用服务虚拟网络swify 连接但失败,因为缺少服务委托。
terraform 脚本
provider "azurerm" {
version = "=2.0.0"
skip_provider_registration = true
features {}
}
resource "azurerm_resource_group" "main" {
name = var.resourceGroupName
location = var.location
}
resource "azurerm_network_security_group" "main" {
name = var.nsgName
location = azurerm_resource_group.main.location
resource_group_name = azurerm_resource_group.main.name
security_rule {
name = "test123"
priority = 100
direction = "Inbound"
access = "Allow"
protocol = "Tcp"
source_port_range = "*"
destination_port_range = "443"
source_address_prefix = "*"
destination_address_prefix = "10.1.0.0/26"
}
tags = {
environment = "NonProduction"
}
}
data "azurerm_network_security_group" "main" {
name = azurerm_network_security_group.main.name
resource_group_name = azurerm_resource_group.main.name
}
resource "azurerm_virtual_network" "main" {
name = var.vNetName
location = azurerm_resource_group.main.location
resource_group_name = azurerm_resource_group.main.name
address_space = ["10.1.0.0/16"]
dns_servers = ["10.1.0.4", "10.1.0.5"]
subnet {
name = var.subNetName
address_prefix = "10.1.0.0/26"
security_group = data.azurerm_network_security_group.main.id
}
tags = {
environment = "NonProduction"
}
}
resource "azurerm_app_service_plan" "main" {
name = var.appServicePlanName
location = azurerm_resource_group.main.location
resource_group_name = azurerm_resource_group.main.name
sku {
tier = "Standard"
size = "S1"
}
}
resource "azurerm_app_service" "main" {
name = var.appServiceName
location = azurerm_resource_group.main.location
resource_group_name = azurerm_resource_group.main.name
app_service_plan_id = azurerm_app_service_plan.main.id
https_only = true
}
data "azurerm_subnet" "main" {
name = var.subNetName
virtual_network_name = var.vNetName
resource_group_name = azurerm_resource_group.main.name
}
resource "azurerm_app_service_virtual_network_swift_connection" "main" {
app_service_id = azurerm_app_service.main.id
subnet_id = data.azurerm_subnet.main.id
}
我唯一想不通的是如何申请服务委托。如果在创建子网之前强制执行 NSG 的自定义策略不存在,我本可以轻松完成此操作
terraform 脚本
resource "azurerm_resource_group" "test" {
name = "example-resources"
location = "uksouth"
}
resource "azurerm_virtual_network" "test" {
name = "acctestvnet"
address_space = ["10.0.0.0/16"]
location = azurerm_resource_group.test.location
resource_group_name = azurerm_resource_group.test.name
}
resource "azurerm_subnet" "test1" {
name = "acctestsubnet1"
resource_group_name = azurerm_resource_group.test.name
virtual_network_name = azurerm_virtual_network.test.name
address_prefix = "10.0.1.0/24"
delegation {
name = "acctestdelegation"
service_delegation {
name = "Microsoft.Web/serverFarms"
actions = ["Microsoft.Network/virtualNetworks/subnets/action"]
}
}
}
resource "azurerm_app_service_plan" "test" {
name = "acctestasp"
location = azurerm_resource_group.test.location
resource_group_name = azurerm_resource_group.test.name
sku {
tier = "Standard"
size = "S1"
}
}
resource "azurerm_app_service" "test" {
name = "acctestas"
location = azurerm_resource_group.test.location
resource_group_name = azurerm_resource_group.test.name
app_service_plan_id = azurerm_app_service_plan.test.id
}
resource "azurerm_app_service_virtual_network_swift_connection" "test" {
app_service_id = azurerm_app_service.test.id
subnet_id = azurerm_subnet.test1.id
}
如果需要,我可以使用下面的 tf config 来设置 NSG 关联
resource "azurerm_subnet_network_security_group_association" "example" {
subnet_id = azurerm_subnet.example.id
network_security_group_id = azurerm_network_security_group.example.id
}
但这种方法的问题是会发生关联post子网部署,但由于自定义策略已到位,tf 应用失败并出现策略违规错误
有什么方法可以在创建子网之前关联 NSG 并应用服务委托吗?
由于您的自定义策略要求 NSG 需要与子网创建时间关联或在子网创建之前关联。您必须使用 azurerm_virtual_network 块来创建子网和安全组。
在这种情况下,您可以在创建资源后使用 local-exec Provisioner to invoke a local executable CLI command。
例子
resource "azurerm_virtual_network" "test" {
name = "acctestvnet"
address_space = ["10.0.0.0/16"]
location = azurerm_resource_group.main.location
resource_group_name = azurerm_resource_group.main.name
subnet {
name = var.subnet
address_prefix = "10.0.1.0/24"
security_group = azurerm_network_security_group.main.id
}
}
resource "azurerm_app_service" "test" {
name = "acctestas"
location = azurerm_resource_group.main.location
resource_group_name = azurerm_resource_group.main.name
app_service_plan_id = azurerm_app_service_plan.test.id
provisioner "local-exec" {
command = "az webapp vnet-integration add --name ${azurerm_app_service.test.name} --resource-group ${azurerm_resource_group.main.name} --vnet ${azurerm_virtual_network.test.name} --subnet ${var.subnet}"
interpreter = ["PowerShell", "-command" ]
}
}
结果