
Dynamic IP Restriction to add ip addresses, vnet and service tag terraform azure

So far, with the help of earlier topics, I was able to deploy an App Service with IP restrictions using the following code:

Variables:

locals {
  ip_address_list2 = [
    {
      ip_add      = "20.20.20.3/32"
      subnet_id   = null
      service_tag = null
      prior       = "140"
      name        = "test1"
    },
    {
      ip_add      = "10.10.10.2/32"
      subnet_id   = null
      service_tag = null
      prior       = "141"
      name        = "test2"
    },
    {
      ip_add      = "0.0.0.0/0"
      subnet_id   = null
      service_tag = "AppService"
      prior       = "142"
      name        = "Service_Tag"
    }
  ]
}

App Service:

  site_config {
    dynamic "ip_restriction" {
      for_each = local.ip_address_list2
      content {
        ip_address                = ip_restriction.value["ip_add"]
        action                    = "Allow"
        priority                  = ip_restriction.value["prior"]
        virtual_network_subnet_id = ip_restriction.value["subnet_id"]
        service_tag               = ip_restriction.value["service_tag"]
        name                      = ip_restriction.value["name"]
      }
    }
  }

But if I add the following entry for the subnet, I get an error:

    {
      ip_add      = "0.0.0.0/0"
      subnet_id   = azurerm_subnet.subnet.id
      service_tag = null
      prior       = "143"
      name        = "VirtualNetwork"
    }

Error (from the screenshot):

Error: creating App Service "hook-service" (Resource Group "RG-DEV-TEST"): web.AppsClient#CreateOrUpdate: Failure sending request: StatusCode=0 -- Original Error: Code="BadRequest" Message="IpSecurityRestriction is invalid. Only IpAddress or VnetSubnetResourceId property must be specified." Details=[{"Message":"IpSecurityRestriction is invalid. Only IpAddress or VnetSubnetResourceId property must be specified."},{"Code":"BadRequest"},{"ErrorEntity":{"Code":"BadRequest","ExtendedCode":"51021","Message":"IpSecurityRestriction is invalid. Only IpAddress or VnetSubnetResourceId property must be specified.","MessageTemplate":"{0} is invalid. {1}","Parameters":["IpSecurityRestriction","Only IpAddress or VnetSubnetResourceId property must be specified."]}}] │ │ with azurerm_app_service.hook-service, │ on main.tf line 474, in resource "azurerm_app_service" "hook-service": │ 474: resource "azurerm_app_service" "hook-service" {

Note: validation with terraform plan alone completes without error. The error only appears after terraform apply.

Thanks

You should use something like the following:

locals {
  ip_address_list = [
    {
      ip_add = "20.20.20.3/32"
      prior  = "140"
      name   = "test1"
    },
    {
      ip_add = "10.10.10.2/32"
      prior  = "141"
      name   = "test2"
    }
  ]
  ip_address_list2 = [
    {
      subnet = data.azurerm_subnet.name.id
      name   = "test3"
      prior  = "143"
    }
  ]
}

Then you can use:

  site_config {
    dynamic "ip_restriction" {
      for_each = local.ip_address_list
      content {
        ip_address = ip_restriction.value["ip_add"]
        action     = "Allow"
        priority   = ip_restriction.value["prior"]
        name       = ip_restriction.value["name"]
      }
    }
    dynamic "ip_restriction" {
      for_each = local.ip_address_list2
      content {
        name                      = ip_restriction.value["name"]
        virtual_network_subnet_id = ip_restriction.value["subnet"]
        priority                  = ip_restriction.value["prior"]
      }
    }
  }


Note: for an IP address restriction you must provide ip_add, priority and name. For a subnet restriction you only need to provide subnet_id, priority and name. Providing service_tag alongside them fails with the same error.
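Since plan does not catch the "only IpAddress or VnetSubnetResourceId" conflict, a variable validation can reject it before apply. The following is an added example and not part of the answer above; the variable name, the resource names and the sample values are assumptions, and it needs Terraform 1.3+ for optional() object attributes. Attributes left null are not sent to the API, so one dynamic block covers all three rule kinds.

```hcl
# Added example (not from the original answer). Names and values are assumptions.
variable "ip_restrictions" {
  type = list(object({
    name        = string
    priority    = number
    ip_address  = optional(string)
    subnet_id   = optional(string)
    service_tag = optional(string)
  }))

  # Sample rules (constructed). A subnet rule would carry subnet_id =
  # data.azurerm_subnet.example.id instead of an address or tag.
  default = [
    { name = "test1",       priority = 140, ip_address  = "20.20.20.3/32" },
    { name = "Service_Tag", priority = 142, service_tag = "AppService" },
  ]

  # Fail at plan/validate time instead of at apply time: each rule must set
  # exactly one of ip_address, subnet_id or service_tag.
  validation {
    condition = alltrue([
      for r in var.ip_restrictions :
      length([for v in [r.ip_address, r.subnet_id, r.service_tag] : v if v != null]) == 1
    ])
    error_message = "Each ip_restriction must set exactly one of ip_address, subnet_id or service_tag."
  }
}

resource "azurerm_app_service" "example" {
  name                = "example-app"                      # assumed
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  app_service_plan_id = azurerm_app_service_plan.example.id

  site_config {
    dynamic "ip_restriction" {
      for_each = var.ip_restrictions
      content {
        name                      = ip_restriction.value.name
        priority                  = ip_restriction.value.priority
        action                    = "Allow"
        ip_address                = ip_restriction.value.ip_address
        virtual_network_subnet_id = ip_restriction.value.subnet_id
        service_tag               = ip_restriction.value.service_tag
      }
    }
  }
}
```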