Terraform azurerm provider count and csvdecode
I am trying to populate NSG rules from a CSV file.
CSV file:
name,priority,direction,access,protocol,source_port_range,destination_port_range,destination_port_ranges,source_address_prefix,destination_address_prefix,resource_group_name,network_security_group_name
allowindatasubnet,600,inbound,allow,*,*,*,,192.168.3.0/24,*,resourcegroup1,networksecgroup1
allowinremote,700,inbound,allow,*,*,,"3389,22",192.168.1.128/27,*,resourcegroup1,networksecgroup1
denyinall,1000,inbound,deny,*,*,*,,*,*,resourcegroup1,networksecgroup1
tf file:
locals {
  network_security_group_rules = csvdecode(file("/csvfile.csv"))
}
resource "azurerm_network_security_rule" "network_security_rule_WL1" {
  count = length(local.network_security_group_rules)
  name = local.network_security_group_rules[count.index].name
  priority = local.network_security_group_rules[count.index].priority
  direction = local.network_security_group_rules[count.index].direction
  access = local.network_security_group_rules[count.index].access
  protocol = local.network_security_group_rules[count.index].protocol
  source_port_range = local.network_security_group_rules[count.index].source_port_range
  destination_port_range = local.network_security_group_rules[count.index].destination_port_range
  destination_port_ranges = [local.network_security_group_rules[count.index].destination_port_ranges]
  source_address_prefix = local.network_security_group_rules[count.index].source_address_prefix
  destination_address_prefix = local.network_security_group_rules[count.index].destination_address_prefix
  resource_group_name = local.network_security_group_rules[count.index].resource_group_name
  network_security_group_name = local.network_security_group_rules[count.index].network_security_group_name
}
This works fine without the destination_port_ranges attribute in the NSG rule resource block, but when I add it I get the error:
Error: "destination_port_ranges": conflicts with destination_port_range
I know I need to use one parameter or the other, but can anyone help me with the syntax, or suggest a change I could make while keeping the same CSV format?
Also, is my configuration correct for specifying a list of ports for the destination_port_ranges parameter?
Update:
I tried the following, suggested by a friend, but it throws the same exception.
destination_port_range = local.network_security_group_rules[count.index].destination_port_range != "" ? local.network_security_group_rules[count.index].destination_port_range : null
destination_port_ranges = local.network_security_group_rules[count.index].destination_port_ranges != "" ? split(",", local.network_security_group_rules[count.index].destination_port_ranges) : null
Thanks!
As you said, you only need one of the parameters, not both. As I see it, all of your destination ports are either a list or the character *, which denotes a range. Let's look at the descriptions of the parameters destination_port_ranges and destination_port_range:
destination_port_range - (Optional) Destination Port or Range. Integer
or range between 0 and 65535 or * to match any. This is required if
destination_port_ranges is not specified.
destination_port_ranges - (Optional) List of destination ports or port
ranges. This is required if destination_port_range is not specified.
You use a list of destination ports or port ranges, so you just need to set the parameter destination_port_ranges for the network security rules in the CSV file.
Update:
You can use a module for the rules that decides which attribute to use for each rule:
./main.tf
locals {
  network_security_group_rules = csvdecode(file("/csvfile.csv"))
}
module "rules" {
  source = "./modules/rules"
  count = length(local.network_security_group_rules)
  rule = local.network_security_group_rules[count.index]
}
./modules/rules/main.tf
# one CSV row, passed in from the root module
variable "rule" {}
# csvdecode returns "" (not null) for an empty cell, so the empty string is what decides
# which of the two resources is created; the two resources need distinct names
resource "azurerm_network_security_rule" "single_range" {
  count = var.rule.destination_port_range == "" ? 0 : 1
  name = var.rule.name
  priority = var.rule.priority
  direction = var.rule.direction
  access = var.rule.access
  protocol = var.rule.protocol
  source_port_range = var.rule.source_port_range
  destination_port_range = var.rule.destination_port_range
  source_address_prefix = var.rule.source_address_prefix
  destination_address_prefix = var.rule.destination_address_prefix
  resource_group_name = var.rule.resource_group_name
  network_security_group_name = var.rule.network_security_group_name
}
resource "azurerm_network_security_rule" "port_list" {
  count = var.rule.destination_port_ranges == "" ? 0 : 1
  name = var.rule.name
  priority = var.rule.priority
  direction = var.rule.direction
  access = var.rule.access
  protocol = var.rule.protocol
  source_port_range = var.rule.source_port_range
  # the CSV cell holds "3389,22"; split it into a list of port strings
  destination_port_ranges = split(",", var.rule.destination_port_ranges)
  source_address_prefix = var.rule.source_address_prefix
  destination_address_prefix = var.rule.destination_address_prefix
  resource_group_name = var.rule.resource_group_name
  network_security_group_name = var.rule.network_security_group_name
}
This way a rule cannot be created with both attributes non-empty; I mean each rule can have only one of the two attributes.
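The same mutual-exclusion rule can be enforced in a single resource without a module, by normalising each CSV row so that exactly one of the two destination attributes is null (Terraform treats null as "not set", which satisfies the provider's conflicts-with check) and failing the plan with the offending row name if a row fills both or neither column. The block below is an added example, not code from the question or the answer; it keeps the question's CSV columns, and the local names, the resource label `from_csv`, the file path `rules.csv` under `path.module`, and the use of `for_each` and a lifecycle `precondition` (Terraform 1.2 or later) are assumptions.

```hcl
# Added example: one azurerm_network_security_rule resource driven by the CSV from the question.
locals {
  # Assumed path; same column layout as the question's CSV.
  raw_rules = csvdecode(file("${path.module}/rules.csv"))

  # csvdecode yields "" for an empty cell, never null, so convert "" to null here.
  # Exactly one of destination_port_range / destination_port_ranges stays non-null per row.
  rules = {
    for r in local.raw_rules : r.name => merge(r, {
      destination_port_range = r.destination_port_range != "" ? r.destination_port_range : null
      destination_port_ranges = r.destination_port_ranges != "" ? [
        for p in split(",", r.destination_port_ranges) : trimspace(p)
      ] : null
    })
  }
}

resource "azurerm_network_security_rule" "from_csv" {
  # Keyed by rule name: removing a CSV row destroys only that rule, whereas with
  # count every later rule would be re-indexed and recreated.
  for_each = local.rules

  name                        = each.value.name
  priority                    = tonumber(each.value.priority)
  direction                   = each.value.direction
  access                      = each.value.access
  protocol                    = each.value.protocol
  source_port_range           = each.value.source_port_range
  destination_port_range      = each.value.destination_port_range
  destination_port_ranges     = each.value.destination_port_ranges
  source_address_prefix       = each.value.source_address_prefix
  destination_address_prefix  = each.value.destination_address_prefix
  resource_group_name         = each.value.resource_group_name
  network_security_group_name = each.value.network_security_group_name

  lifecycle {
    # Reject a row that sets both or neither column at plan time, naming the row.
    precondition {
      condition     = (each.value.destination_port_range == null) != (each.value.destination_port_ranges == null)
      error_message = "Rule ${each.key}: fill exactly one of destination_port_range or destination_port_ranges in the CSV."
    }
  }
}
```

With the question's three rows this yields `destination_port_range = "*"` and `destination_port_ranges = null` for allowindatasubnet and denyinall, and `destination_port_range = null` with `destination_port_ranges = ["3389", "22"]` for allowinremote; a row such as `allowinremote,...,*,"3389,22",...` that fills both cells stops `terraform plan` with the precondition message instead of reaching the provider's conflicts-with error.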