Terraform Optional Parameter for List of String

I'm trying to implement an Azure WAF policy and associate it with an HTTP listener. The code works fine until I try to include a new optional parameter named http_listener_ids.

TF code:

variable "http_listener_ids" {
  type        = list(string)
  description = "A list of HTTP Listener IDs from an azurerm_application_gateway"
  default     = []
}

locals {
  # Pass null (i.e. omit the argument) when the list is empty, otherwise pass the list itself
  http_listener_ids = length(var.http_listener_ids) == 0 ? null : var.http_listener_ids
}
resource "azurerm_web_application_firewall_policy" "example" {
  name                = "example-wafpolicy"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location

  http_listener_ids   = local.http_listener_ids

  custom_rules {
    name      = "Rule1"
    priority  = 1
    rule_type = "MatchRule"

    match_conditions {
      match_variables {
        variable_name = "RemoteAddr"
      }

      operator           = "IPMatch"
      negation_condition = false
      match_values       = ["192.168.1.0/24", "10.0.0.0/24"]
    }

    action = "Block"
  }

  custom_rules {
    name      = "Rule2"
    priority  = 2
    rule_type = "MatchRule"

    match_conditions {
      match_variables {
        variable_name = "RemoteAddr"
      }

      operator           = "IPMatch"
      negation_condition = false
      match_values       = ["192.168.1.0/24"]
    }

    match_conditions {
      match_variables {
        variable_name = "RequestHeaders"
        selector      = "UserAgent"
      }

      operator           = "Contains"
      negation_condition = false
      match_values       = ["Windows"]
    }

    action = "Block"
  }

  policy_settings {
    enabled                     = true
    mode                        = "Prevention"
    request_body_check          = true
    file_upload_limit_in_mb     = 100
    max_request_body_size_in_kb = 128
  }

  managed_rules {
    exclusion {
      match_variable          = "RequestHeaderNames"
      selector                = "x-company-secret-header"
      selector_match_operator = "Equals"
    }
    exclusion {
      match_variable          = "RequestCookieNames"
      selector                = "too-tasty"
      selector_match_operator = "EndsWith"
    }

    managed_rule_set {
      type    = "OWASP"
      version = "3.1"
      rule_group_override {
        rule_group_name = "REQUEST-920-PROTOCOL-ENFORCEMENT"
        disabled_rules = [
          "920300",
          "920440"
        ]
      }
    }
  }

}

The error I get is

Error: "http_listener_ids": this field cannot be set

I think the http_listener_ids attribute is not being skipped, but is instead being assigned the value null. So I tried implementing a dynamic block. The problem, though, is that http_listener_ids is a plain list of strings, not a block itself, so I'm not sure what to put inside content:

dynamic "http_listener_ids" {
  for_each = var.http_listener_ids
  content {
    ??
  }
}

The documentation for the azurerm_web_application_firewall_policy resource is out of date, but http_listener_ids and path_based_rule_ids are read-only now (as of v2.55.0), so you cannot set them; you can only read them as an attribute of the resource.

According to a recent GitHub PR, http_listener_ids is read-only and cannot be set. The documentation probably hasn't been updated yet.
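As an added example (not the poster's or the answerers' code, and assuming only the azurerm v2.x resource schema already shown in the question), this is how the two points above fit together: an optional list(string) variable drives a nested block through a dynamic block (dynamic blocks apply to blocks, not to plain attributes), the read-only http_listener_ids argument is left unset, and its value is read back through an output.

```hcl
# Added example, not the original poster's code. Shows (a) an optional
# list(string) variable driving a nested block via "dynamic" (dynamic blocks
# work for nested blocks, not for plain attributes), and (b) the read-only
# http_listener_ids attribute read back through an output instead of being set.

variable "disabled_rules" {
  type        = list(string)
  description = "OWASP 3.1 rule IDs to disable in REQUEST-920-PROTOCOL-ENFORCEMENT; an empty list means no override"
  default     = []
}

resource "azurerm_web_application_firewall_policy" "example" {
  name                = "example-wafpolicy"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location

  # http_listener_ids is deliberately not set here: as of azurerm v2.55.0 it is
  # read-only and is populated once a gateway listener references this policy.

  policy_settings {
    enabled = true
    mode    = "Prevention"
  }

  managed_rules {
    managed_rule_set {
      type    = "OWASP"
      version = "3.1"

      # Emit the override block exactly once when the list is non-empty,
      # and not at all when it is empty (for_each over a one- or zero-element list).
      dynamic "rule_group_override" {
        for_each = length(var.disabled_rules) > 0 ? [var.disabled_rules] : []
        content {
          rule_group_name = "REQUEST-920-PROTOCOL-ENFORCEMENT"
          disabled_rules  = rule_group_override.value
        }
      }
    }
  }
}

# The read-only attribute is consumed, not assigned: it stays an empty list
# until an application gateway listener is associated with this policy.
output "waf_http_listener_ids" {
  value = azurerm_web_application_firewall_policy.example.http_listener_ids
}
```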