字符串列表的 Terraform 可选参数
Terraform Optional Parameter for List of String
尝试实现 Azure WAF policy 并将其关联到 http listener 的代码工作正常,直到我尝试加入一个名为 http_listener_ids
的新可选参数。
TF代码:
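# Optional list of HTTP listener IDs taken from an azurerm_application_gateway.
# Defaults to an empty list so callers that associate no listeners can omit it.
# The legacy quoted constraint `type = "list"` accepted any element type; the
# 0.12+ form `list(string)` validates that every element is a string.
# NOTE: as of azurerm v2.55.0, http_listener_ids on
# azurerm_web_application_firewall_policy is a read-only attribute, so this
# variable must not be passed into that resource argument.
variable "http_listener_ids" {
  type        = list(string)
  description = "A list of HTTP Listener IDs from an azurerm_application_gateway"
  default     = []
}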
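locals {
  # Collapse an empty list to null so the value can be omitted downstream.
  # The original `"${var.http_listener_ids}" == []` interpolated a list into a
  # string (a type error in Terraform 0.12+) and, even where accepted, compared
  # a string against an empty tuple, which is never true; test the length instead.
  # NOTE: the policy's http_listener_ids argument is read-only as of azurerm
  # v2.55.0, so this local should not be assigned to that resource argument.
  http_listener_ids = length(var.http_listener_ids) == 0 ? null : var.http_listener_ids
}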
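# Azure WAF policy with two custom block rules and the OWASP 3.1 managed rule set.
# http_listener_ids (and path_based_rule_ids) are read-only attributes of this
# resource as of azurerm v2.55.0, so the former argument
# `http_listener_ids = "${local.http_listener_ids}"` is removed: setting it
# fails with `Error: "http_listener_ids": this field cannot be set`. The
# association is read back via
# azurerm_web_application_firewall_policy.example.http_listener_ids instead.
resource "azurerm_web_application_firewall_policy" "example" {
  name                = "example-wafpolicy"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location

  # Rule1: block any request whose source address (RemoteAddr) falls in the
  # listed ranges.
  custom_rules {
    name      = "Rule1"
    priority  = 1
    rule_type = "MatchRule"

    match_conditions {
      match_variables {
        variable_name = "RemoteAddr"
      }
      operator           = "IPMatch"
      negation_condition = false
      match_values       = ["192.168.1.0/24", "10.0.0.0/24"]
    }

    action = "Block"
  }

  # Rule2: block requests from 192.168.1.0/24 whose User-Agent header contains
  # "Windows". Both match_conditions in a rule must hold for the rule to fire
  # (conditions within one custom rule are ANDed).
  custom_rules {
    name      = "Rule2"
    priority  = 2
    rule_type = "MatchRule"

    match_conditions {
      match_variables {
        variable_name = "RemoteAddr"
      }
      operator           = "IPMatch"
      negation_condition = false
      match_values       = ["192.168.1.0/24"]
    }

    match_conditions {
      match_variables {
        variable_name = "RequestHeaders"
        selector      = "UserAgent"
      }
      operator           = "Contains"
      negation_condition = false
      match_values       = ["Windows"]
    }

    action = "Block"
  }

  # Prevention mode enforces the rules (matching requests are blocked) rather
  # than only logging them; request_body_check enables body inspection subject
  # to the size limits below.
  policy_settings {
    enabled                     = true
    mode                        = "Prevention"
    request_body_check          = true
    file_upload_limit_in_mb     = 100
    max_request_body_size_in_kb = 128
  }

  managed_rules {
    # Exclusions remove the named header/cookie from managed-rule inspection.
    # Keep them as narrow as possible: an exact-name selector (Equals) on one
    # header is tighter than a suffix match (EndsWith) over all cookie names.
    exclusion {
      match_variable          = "RequestHeaderNames"
      selector                = "x-company-secret-header"
      selector_match_operator = "Equals"
    }

    exclusion {
      match_variable          = "RequestCookieNames"
      selector                = "too-tasty"
      selector_match_operator = "EndsWith"
    }

    managed_rule_set {
      type    = "OWASP"
      version = "3.1"

      # Disabling rules in REQUEST-920-PROTOCOL-ENFORCEMENT narrows protocol
      # enforcement coverage. Record the false positive that justifies each
      # disabled rule ID and re-enable the rule once it is resolved.
      rule_group_override {
        rule_group_name = "REQUEST-920-PROTOCOL-ENFORCEMENT"
        disabled_rules = [
          "920300",
          "920440"
        ]
      }
    }
  }
}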
我得到的错误是
Error: "http_listener_ids": this field cannot be set
我认为 http_listener_ids
属性并没有被跳过,而是被赋了 null
值。所以我尝试用动态块来实现。但问题在于 http_listener_ids
是一个简单的字符串列表,而不是一个块本身,所以不确定该在 content
里面放什么
# NOTE(review): `dynamic` only generates nested *blocks*; http_listener_ids is a
# plain list of strings (an attribute), so there is no block body to put in
# `content` and this construct cannot apply. As of azurerm v2.55.0 the attribute
# is read-only on this resource, so it cannot be set by any means.
dynamic "http_listener_ids"{
for_each = "${var.http_listener_ids}"
content{
??
}
}
azurerm_web_application_firewall_policy 资源的文档已经过时:http_listener_ids
和 path_based_rule_ids
现在(从 v2.55.0 起)是只读的,所以你不能设置它们,只能将它们作为资源的属性来读取。
根据最近的 GitHub PR,http_listener_ids
是只读的,无法设置。可能文档还没有更新。
尝试实现 Azure WAF policy and associate with http listener 代码工作正常,直到我尝试包含一个名为 http_listener_ids
TF代码:
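# Optional list of HTTP listener IDs taken from an azurerm_application_gateway.
# Defaults to an empty list so callers that associate no listeners can omit it.
# The legacy quoted constraint `type = "list"` accepted any element type; the
# 0.12+ form `list(string)` validates that every element is a string.
# NOTE: as of azurerm v2.55.0, http_listener_ids on
# azurerm_web_application_firewall_policy is a read-only attribute, so this
# variable must not be passed into that resource argument.
variable "http_listener_ids" {
  type        = list(string)
  description = "A list of HTTP Listener IDs from an azurerm_application_gateway"
  default     = []
}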
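locals {
  # Collapse an empty list to null so the value can be omitted downstream.
  # The original `"${var.http_listener_ids}" == []` interpolated a list into a
  # string (a type error in Terraform 0.12+) and, even where accepted, compared
  # a string against an empty tuple, which is never true; test the length instead.
  # NOTE: the policy's http_listener_ids argument is read-only as of azurerm
  # v2.55.0, so this local should not be assigned to that resource argument.
  http_listener_ids = length(var.http_listener_ids) == 0 ? null : var.http_listener_ids
}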
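# Azure WAF policy with two custom block rules and the OWASP 3.1 managed rule set.
# http_listener_ids (and path_based_rule_ids) are read-only attributes of this
# resource as of azurerm v2.55.0, so the former argument
# `http_listener_ids = "${local.http_listener_ids}"` is removed: setting it
# fails with `Error: "http_listener_ids": this field cannot be set`. The
# association is read back via
# azurerm_web_application_firewall_policy.example.http_listener_ids instead.
resource "azurerm_web_application_firewall_policy" "example" {
  name                = "example-wafpolicy"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location

  # Rule1: block any request whose source address (RemoteAddr) falls in the
  # listed ranges.
  custom_rules {
    name      = "Rule1"
    priority  = 1
    rule_type = "MatchRule"

    match_conditions {
      match_variables {
        variable_name = "RemoteAddr"
      }
      operator           = "IPMatch"
      negation_condition = false
      match_values       = ["192.168.1.0/24", "10.0.0.0/24"]
    }

    action = "Block"
  }

  # Rule2: block requests from 192.168.1.0/24 whose User-Agent header contains
  # "Windows". Both match_conditions in a rule must hold for the rule to fire
  # (conditions within one custom rule are ANDed).
  custom_rules {
    name      = "Rule2"
    priority  = 2
    rule_type = "MatchRule"

    match_conditions {
      match_variables {
        variable_name = "RemoteAddr"
      }
      operator           = "IPMatch"
      negation_condition = false
      match_values       = ["192.168.1.0/24"]
    }

    match_conditions {
      match_variables {
        variable_name = "RequestHeaders"
        selector      = "UserAgent"
      }
      operator           = "Contains"
      negation_condition = false
      match_values       = ["Windows"]
    }

    action = "Block"
  }

  # Prevention mode enforces the rules (matching requests are blocked) rather
  # than only logging them; request_body_check enables body inspection subject
  # to the size limits below.
  policy_settings {
    enabled                     = true
    mode                        = "Prevention"
    request_body_check          = true
    file_upload_limit_in_mb     = 100
    max_request_body_size_in_kb = 128
  }

  managed_rules {
    # Exclusions remove the named header/cookie from managed-rule inspection.
    # Keep them as narrow as possible: an exact-name selector (Equals) on one
    # header is tighter than a suffix match (EndsWith) over all cookie names.
    exclusion {
      match_variable          = "RequestHeaderNames"
      selector                = "x-company-secret-header"
      selector_match_operator = "Equals"
    }

    exclusion {
      match_variable          = "RequestCookieNames"
      selector                = "too-tasty"
      selector_match_operator = "EndsWith"
    }

    managed_rule_set {
      type    = "OWASP"
      version = "3.1"

      # Disabling rules in REQUEST-920-PROTOCOL-ENFORCEMENT narrows protocol
      # enforcement coverage. Record the false positive that justifies each
      # disabled rule ID and re-enable the rule once it is resolved.
      rule_group_override {
        rule_group_name = "REQUEST-920-PROTOCOL-ENFORCEMENT"
        disabled_rules = [
          "920300",
          "920440"
        ]
      }
    }
  }
}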
我得到的错误是
Error: "http_listener_ids": this field cannot be set
我认为 http_listener_ids
属性 没有跳过,而是尝试分配 null
的值。所以我尝试实现动态块。但问题在于 http_listener_ids
是一个简单的字符串列表,而不是一个块本身。所以不确定在 content
# NOTE(review): `dynamic` only generates nested *blocks*; http_listener_ids is a
# plain list of strings (an attribute), so there is no block body to put in
# `content` and this construct cannot apply. As of azurerm v2.55.0 the attribute
# is read-only on this resource, so it cannot be set by any means.
dynamic "http_listener_ids"{
for_each = "${var.http_listener_ids}"
content{
??
}
}
azurerm_web_application_firewall_policy 资源的文档已经过时:http_listener_ids
和 path_based_rule_ids
现在(从 v2.55.0 起)是只读的,所以你不能设置它们,只能将它们作为资源的属性来读取。
根据最近的 GitHub PR,http_listener_ids
是只读的,无法设置。可能文档还没有更新。