Error creating ForwardingRule, A reserved and active subnetwork is required in the same region and VPC as the forwarding rule

I am trying to create a regional load balancer with Terraform, but I can't create the forwarding rules and the regional HTTP(S) proxies.

resource "google_compute_region_ssl_certificate" "ssl-crt" {
  project = "proyecto-pegachucho"
  name_prefix = "my-certificate-"
  region = var.lb_region
  private_key = file("lb_http/certificate/privateKey.key")
  certificate = file("lb_http/certificate/certificate.crt")

  lifecycle {
    create_before_destroy = true
  }
}

resource "google_compute_forwarding_rule" "lb-front-HTTP" {
  name                  = var.lb_front_name
  load_balancing_scheme = "INTERNAL_MANAGED"
  port_range            = var.lb_front_port_range
  target                = google_compute_region_target_http_proxy.lb-proxy-http.self_link
  region                = var.lb_region
  network               = var.lb_network
  subnetwork            = var.lb_subnetwork
  ip_address            = "10.10.30.5"
}

resource "google_compute_forwarding_rule" "lb-front-HTTPS" {
  name                  = "lb-https-front"
  port_range            = "443"
  load_balancing_scheme = "INTERNAL_MANAGED"
  ip_address            = "10.10.30.6"
  target                = google_compute_region_target_https_proxy.lb-proxy-https.self_link
  region                = var.lb_region
  network               = var.lb_network
  subnetwork            = var.lb_subnetwork
}


resource "google_compute_region_target_http_proxy" "lb-proxy-http" {
  name    = var.lb_proxy_name
  region  = var.lb_region
  project = "proyecto-pegachucho"
  url_map = google_compute_region_url_map.lb_url_map.self_link
}

resource "google_compute_region_target_https_proxy" "lb-proxy-https" {
  name             = "test-proxy"
  region           = var.lb_region
  project          = "proyecto-pegachucho"
  url_map          = google_compute_region_url_map.lb_url_map.self_link
  ssl_certificates = [google_compute_region_ssl_certificate.ssl-crt.id]
}


resource "google_compute_region_url_map" "lb_url_map" {
  name            = var.url_map_name
  region          = var.lb_region
  default_service = google_compute_region_backend_service.lb-backend.self_link
}


resource "google_compute_region_backend_service" "lb-backend" {
  name                  = var.lb_backend_name
  region                = var.lb_region
  project               = "proyecto-pegachucho"
  load_balancing_scheme = "INTERNAL_MANAGED"
  port_name             = var.lb_backend_port_name
  protocol              = var.lb_backend_protocol
  timeout_sec           = var.lb_backend_timeout
  health_checks         = [var.healthcheck_output]
  locality_lb_policy    = "ROUND_ROBIN"

  backend {
    group           = var.ig_id
    balancing_mode  = "UTILIZATION"
    capacity_scaler = 1.0
  }
}

This throws the following errors:

Error: Error creating ForwardingRule: googleapi: Error 400: Invalid value for field 'resource.target': 'https://www.googleapis.com/compute/v1/projects/proyecto-pegachucho/regions/us-central1/targetHttpProxies/lb-proxy'. A reserved and active subnetwork is required in the same region and VPC as the forwarding rule., invalid

  on lb_http\lb_http.tf line 13, in resource "google_compute_forwarding_rule" "lb-front-HTTP":
  13: resource "google_compute_forwarding_rule" "lb-front-HTTP" {



Error: Error creating ForwardingRule: googleapi: Error 400: Invalid value for field 'resource.target': 'https://www.googleapis.com/compute/v1/projects/proyecto-pegachucho/regions/us-central1/targetHttpsProxies/test-proxy'. A reserved and active subnetwork is required in the same region and VPC as the forwarding rule., invalid

  on lb_http\lb_http.tf line 24, in resource "google_compute_forwarding_rule" "lb-front-HTTPS":
  24: resource "google_compute_forwarding_rule" "lb-front-HTTPS" {

I tried using the google beta provider, but it seems I don't have permissions, even though my Terraform service account has owner permissions.

Error: Error creating RegionSslCertificate: googleapi: Error 403: Required 'compute.regionSslCertificates.create' permission for 'projects/proyecto-pegachucho/regions/us-central1/sslCertificates/my-certificate-20210628014206664300000001', forbidden

  on lb_http\lb_http.tf line 1, in resource "google_compute_region_ssl_certificate" "ssl-crt":
   1: resource "google_compute_region_ssl_certificate" "ssl-crt" {



Error: Error creating RegionBackendService: googleapi: Error 403: Required 'compute.regionBackendServices.create' permission for 'projects/proyecto-pegachucho/regions/us-central1/backendServices/lb-backend'      
More details:
Reason: forbidden, Message: Required 'compute.regionBackendServices.create' permission for 'projects/proyecto-pegachucho/regions/us-central1/backendServices/lb-backend'
Reason: forbidden, Message: Required 'compute.healthChecks.useReadOnly' permission for 'projects/proyecto-pegachucho/global/healthChecks/hsbc-healthcheck-dev'
Reason: forbidden, Message: Required 'compute.instanceGroups.use' permission for 'projects/proyecto-pegachucho/zones/us-central1-b/instanceGroups/tomcats-ig'


  on lb_http\lb_http.tf line 59, in resource "google_compute_region_backend_service" "lb-backend":        
  59: resource "google_compute_region_backend_service" "lb-backend" {

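Before creating a forwarding rule for an internal HTTP(S) load balancer, you must create a proxy-only subnet. Every region of a Virtual Private Cloud (VPC) network in which you use internal HTTP(S) load balancers must have a proxy-only subnet.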

The error message shown describes this in its last sentence:

Error creating ForwardingRule: googleapi: Error 400: Invalid value for field 'resource.target': 'https://www.googleapis.com/compute/v1/projects/proyecto-pegachucho/regions/us-central1/targetHttpProxies/lb-proxy'. A reserved and active subnetwork is required in the same region and VPC as the forwarding rule.

To fix this, you can manually create said proxy-only subnet through the gcloud compute networks subnets create command, or use the Terraform variant through google_compute_subnetwork, where all the same fields are available. You can use the documentation for create as a guide and then translate it all to Terraform.

Note that this must be done before creating the forwarding rule for your internal HTTP(S) LB.

Hope the provided solution helps!
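
The fix described in this answer, written out in Terraform as an added example (not part of the original answer or the asker's configuration). It also shows two things the answer does not spell out: the explicit ordering the forwarding rule needs, and a firewall rule scoped to the proxy range. The resource names, the CIDR `10.129.0.0/23`, backend port `8080` and the `lb-backend` tag are assumptions; `var.lb_region`, `var.lb_network` and the forwarding rule come from the question.

```hcl
# Proxy-only subnet: one per region and VPC that hosts internal HTTP(S) LBs.
# The CIDR is a constructed value; it must not overlap any existing subnet.
resource "google_compute_subnetwork" "proxy_only" {
  name          = "lb-proxy-only-subnet" # assumed name
  project       = "proyecto-pegachucho"
  region        = var.lb_region
  network       = var.lb_network
  ip_cidr_range = "10.129.0.0/23"
  purpose       = "INTERNAL_HTTPS_LOAD_BALANCER"
  role          = "ACTIVE"
}

# The managed proxies connect to the backends from the proxy-only range,
# so ingress is allowed from that range only, and only to tagged backends.
resource "google_compute_firewall" "allow_proxy_to_backends" {
  name          = "allow-lb-proxy-to-backends" # assumed name
  project       = "proyecto-pegachucho"
  network       = var.lb_network
  direction     = "INGRESS"
  source_ranges = [google_compute_subnetwork.proxy_only.ip_cidr_range]
  target_tags   = ["lb-backend"] # assumed tag on the instance group VMs

  allow {
    protocol = "tcp"
    ports    = ["8080"] # assumed backend serving port
  }
}

# The question's forwarding rule with one line added. Nothing in the rule
# references the proxy-only subnet (var.lb_subnetwork is the regular subnet
# that holds 10.10.30.5), so Terraform cannot infer the order on its own.
resource "google_compute_forwarding_rule" "lb-front-HTTP" {
  name                  = var.lb_front_name
  load_balancing_scheme = "INTERNAL_MANAGED"
  port_range            = var.lb_front_port_range
  target                = google_compute_region_target_http_proxy.lb-proxy-http.self_link
  region                = var.lb_region
  network               = var.lb_network
  subnetwork            = var.lb_subnetwork
  ip_address            = "10.10.30.5"

  depends_on = [google_compute_subnetwork.proxy_only]
}
```

The same `depends_on` line applies to the `lb-front-HTTPS` rule.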