Terraform azurerm_firewall_policy_rule_collection_group 未创建 nat_rule 集合
Terraform azurerm_firewall_policy_rule_collection_group not creating nat_rule collection
我在此资源的底部定义了 nat_rule_collection。除了 nat_rule_collection 之外，其余的规则集合都已成功创建。这里有什么错误可能导致这个问题？示例中的目标地址（destination_address）经过了编辑，但真实的地址确实与公共负载均衡器的 IP 相匹配。
我知道该规则集合组的名称表示出口（egress），但我只是先在这里试一下，我相信这只是一个名称标签，不影响规则的处理方式。
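resource "azurerm_firewall_policy_rule_collection_group" "policy" {
  name               = "AksEgressPolicyRuleCollectionGroup"
  firewall_policy_id = azurerm_firewall_policy.policy.id
  priority           = 500

  # Application (FQDN) rules. Azure Firewall Policy processes rule collections
  # by type — DNAT, then network, then application — so the "Internet" network
  # rule below (TCP, any source, any destination, any port) is matched before
  # anything in this collection. The FQDN allow-list therefore only has an
  # effect for traffic the network rules do not already allow; narrow or drop
  # that rule if this group is meant to be an egress allow-list.
  application_rule_collection {
    name     = "ApplicationRules"
    priority = 500
    action   = "Allow"

    rule {
      name             = "AllowMicrosoftFqdns"
      source_addresses = ["*"]
      destination_fqdns = [
        "*.cdn.mscr.io",
        "mcr.microsoft.com",
        "*.data.mcr.microsoft.com",
        "management.azure.com",
        "login.microsoftonline.com",
        "acs-mirror.azureedge.net",
        "dc.services.visualstudio.com",
        "*.opinsights.azure.com",
        "*.oms.opinsights.azure.com",
        "*.microsoftonline.com",
        "*.monitoring.azure.com",
      ]
      protocols {
        port = "80"
        type = "Http"
      }
      protocols {
        port = "443"
        type = "Https"
      }
    }

    rule {
      name             = "AllowFqdnsForOsUpdates"
      source_addresses = ["*"]
      destination_fqdns = [
        "download.opensuse.org",
        "security.ubuntu.com",
        "ntp.ubuntu.com",
        "packages.microsoft.com",
        "snapcraft.io"
      ]
      protocols {
        port = "80"
        type = "Http"
      }
      protocols {
        port = "443"
        type = "Https"
      }
    }

    rule {
      name             = "AllowImagesFqdns"
      source_addresses = ["*"]
      destination_fqdns = [
        "auth.docker.io",
        "registry-1.docker.io",
        "production.cloudflare.docker.com"
      ]
      protocols {
        port = "80"
        type = "Http"
      }
      protocols {
        port = "443"
        type = "Https"
      }
    }

    rule {
      name             = "AllowBing"
      source_addresses = ["*"]
      destination_fqdns = [
        "*.bing.com"
      ]
      protocols {
        port = "80"
        type = "Http"
      }
      protocols {
        port = "443"
        type = "Https"
      }
    }

    rule {
      name             = "AllowGoogle"
      source_addresses = ["*"]
      destination_fqdns = [
        "*.google.com"
      ]
      protocols {
        port = "80"
        type = "Http"
      }
      protocols {
        port = "443"
        type = "Https"
      }
    }

    # NOTE(review): this rule has no destination at all (destination_fqdns is
    # commented out). An application rule normally needs destination_fqdns,
    # destination_fqdn_tags or destination_urls — confirm whether the provider
    # actually accepted it. If it did, it is an unrestricted HTTP/HTTPS allow
    # and should be given an explicit destination or removed.
    rule {
      name             = "AllowPublicPOrt80"
      source_addresses = ["*"]
      # destination_fqdns = [
      #   "*.google.com"
      # ]
      protocols {
        port = "80"
        type = "Http"
      }
      protocols {
        port = "443"
        type = "Https"
      }
    }
  }

  network_rule_collection {
    name     = "NetworkRules"
    priority = 400
    action   = "Allow"

    # NTP to any destination.
    rule {
      name                  = "Time"
      source_addresses      = ["*"]
      destination_ports     = ["123"]
      destination_addresses = ["*"]
      protocols             = ["UDP"]
    }

    # DNS to any destination. Consider pinning this to the resolver(s) the
    # cluster actually uses; unrestricted UDP/53 egress is a common data
    # exfiltration channel.
    rule {
      name                  = "DNS"
      source_addresses      = ["*"]
      destination_ports     = ["53"]
      destination_addresses = ["*"]
      protocols             = ["UDP"]
    }

    rule {
      name              = "ServiceTags"
      source_addresses  = ["*"]
      destination_ports = ["*"]
      destination_addresses = [
        "AzureContainerRegistry",
        "MicrosoftContainerRegistry",
        "AzureActiveDirectory"
      ]
      protocols = ["Any"]
    }

    # NOTE(review): TCP from any source to any destination on any port.
    # Network rules are evaluated before application rules, so this one rule
    # allows all TCP egress and makes the FQDN allow-list above irrelevant for
    # TCP traffic. Remove it, or restrict it to the destinations that genuinely
    # need a network (non-FQDN) rule.
    rule {
      name                  = "Internet"
      source_addresses      = ["*"]
      destination_ports     = ["*"]
      destination_addresses = ["*"]
      protocols             = ["TCP"]
    }
  }

  # DNAT: inbound 123.123.123.123:80 is forwarded to 10.9.0.1:80.
  nat_rule_collection {
    name     = "nat_rule_collection1"
    priority = 100
    action   = "Dnat"

    rule {
      name      = "fw-public-web-port-80"
      protocols = ["TCP"]
      # Any source: this publishes a plaintext HTTP service to the whole
      # internet. Restrict the source range if the consumer set is known, or
      # terminate TLS in front of it.
      source_addresses = ["*"]
      # For a DNAT rule this must be one of the firewall's own public IP
      # addresses; the question mentions a load balancer IP — confirm this is
      # the firewall's public IP, not the LB's.
      destination_address = "123.123.123.123"
      destination_ports   = ["80"]
      translated_address  = "10.9.0.1"
      translated_port     = "80"
    }
  }

  # The original block carried
  #   lifecycle {
  #     ignore_changes = [application_rule_collection, network_rule_collection, nat_rule_collection]
  #   }
  # which tells Terraform to ignore any difference between configuration and
  # state on those attributes once the resource exists. A nat_rule_collection
  # added after the first apply therefore never produced a plan — that is why
  # it was "not created". It also means rule changes made outside Terraform
  # (e.g. in the portal) are never reverted, so the firewall's effective policy
  # silently drifts from what is in code. Removed so all three collections are
  # fully managed by Terraform.
}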
ignore_changes（属性名称列表）— 默认情况下，Terraform 会检测当前配置与真实基础结构对象之间的任何差异，并计划更新远程对象以匹配配置。
ignore_changes 功能的设计用途是：资源在创建时引用了将来可能发生变化的数据（例如 data 数据源），但这些变化在资源创建之后不应再影响该资源。
因此问题在于，你是在其他两个规则集合已经创建之后才追加 nat_rule_collection 的。ignore_changes 元参数指定了 Terraform 在计划更新关联远程对象时应忽略的资源属性；由于 nat_rule_collection 本身就在 ignore_changes 列表中，Terraform 会忽略配置与状态之间关于该属性的差异，因此永远不会生成创建 NAT 规则集合的计划。把这三个集合从 ignore_changes 中移除（或直接删除整个 lifecycle 块），然后重新 apply 即可。另外还请确认：Azure 防火墙的 DNAT 规则要求 destination_address 是防火墙自身的公共 IP，而不是负载均衡器的 IP。
# Suggested fix: empty the ignore_changes list (deleting the whole lifecycle
# block is equivalent) so Terraform again plans the diff for nat_rule_collection
# and the other two collections.
lifecycle {
ignore_changes = [ ]
}
更多信息可以参考 Terraform 文档中关于 lifecycle 元参数（ignore_changes）的说明。
我在此资源的底部定义了 nat_rule_collection。除了 nat_rule_collection 之外，其余的规则集合都已成功创建。这里有什么错误可能导致这个问题？示例中的目标地址（destination_address）经过了编辑，但真实的地址确实与公共负载均衡器的 IP 相匹配。
我知道该规则集合组的名称表示出口（egress），但我只是先在这里试一下，我相信这只是一个名称标签，不影响规则的处理方式。
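resource "azurerm_firewall_policy_rule_collection_group" "policy" {
  name               = "AksEgressPolicyRuleCollectionGroup"
  firewall_policy_id = azurerm_firewall_policy.policy.id
  priority           = 500

  # Application (FQDN) rules. Azure Firewall Policy processes rule collections
  # by type — DNAT, then network, then application — so the "Internet" network
  # rule below (TCP, any source, any destination, any port) is matched before
  # anything in this collection. The FQDN allow-list therefore only has an
  # effect for traffic the network rules do not already allow; narrow or drop
  # that rule if this group is meant to be an egress allow-list.
  application_rule_collection {
    name     = "ApplicationRules"
    priority = 500
    action   = "Allow"

    rule {
      name             = "AllowMicrosoftFqdns"
      source_addresses = ["*"]
      destination_fqdns = [
        "*.cdn.mscr.io",
        "mcr.microsoft.com",
        "*.data.mcr.microsoft.com",
        "management.azure.com",
        "login.microsoftonline.com",
        "acs-mirror.azureedge.net",
        "dc.services.visualstudio.com",
        "*.opinsights.azure.com",
        "*.oms.opinsights.azure.com",
        "*.microsoftonline.com",
        "*.monitoring.azure.com",
      ]
      protocols {
        port = "80"
        type = "Http"
      }
      protocols {
        port = "443"
        type = "Https"
      }
    }

    rule {
      name             = "AllowFqdnsForOsUpdates"
      source_addresses = ["*"]
      destination_fqdns = [
        "download.opensuse.org",
        "security.ubuntu.com",
        "ntp.ubuntu.com",
        "packages.microsoft.com",
        "snapcraft.io"
      ]
      protocols {
        port = "80"
        type = "Http"
      }
      protocols {
        port = "443"
        type = "Https"
      }
    }

    rule {
      name             = "AllowImagesFqdns"
      source_addresses = ["*"]
      destination_fqdns = [
        "auth.docker.io",
        "registry-1.docker.io",
        "production.cloudflare.docker.com"
      ]
      protocols {
        port = "80"
        type = "Http"
      }
      protocols {
        port = "443"
        type = "Https"
      }
    }

    rule {
      name             = "AllowBing"
      source_addresses = ["*"]
      destination_fqdns = [
        "*.bing.com"
      ]
      protocols {
        port = "80"
        type = "Http"
      }
      protocols {
        port = "443"
        type = "Https"
      }
    }

    rule {
      name             = "AllowGoogle"
      source_addresses = ["*"]
      destination_fqdns = [
        "*.google.com"
      ]
      protocols {
        port = "80"
        type = "Http"
      }
      protocols {
        port = "443"
        type = "Https"
      }
    }

    # NOTE(review): this rule has no destination at all (destination_fqdns is
    # commented out). An application rule normally needs destination_fqdns,
    # destination_fqdn_tags or destination_urls — confirm whether the provider
    # actually accepted it. If it did, it is an unrestricted HTTP/HTTPS allow
    # and should be given an explicit destination or removed.
    rule {
      name             = "AllowPublicPOrt80"
      source_addresses = ["*"]
      # destination_fqdns = [
      #   "*.google.com"
      # ]
      protocols {
        port = "80"
        type = "Http"
      }
      protocols {
        port = "443"
        type = "Https"
      }
    }
  }

  network_rule_collection {
    name     = "NetworkRules"
    priority = 400
    action   = "Allow"

    # NTP to any destination.
    rule {
      name                  = "Time"
      source_addresses      = ["*"]
      destination_ports     = ["123"]
      destination_addresses = ["*"]
      protocols             = ["UDP"]
    }

    # DNS to any destination. Consider pinning this to the resolver(s) the
    # cluster actually uses; unrestricted UDP/53 egress is a common data
    # exfiltration channel.
    rule {
      name                  = "DNS"
      source_addresses      = ["*"]
      destination_ports     = ["53"]
      destination_addresses = ["*"]
      protocols             = ["UDP"]
    }

    rule {
      name              = "ServiceTags"
      source_addresses  = ["*"]
      destination_ports = ["*"]
      destination_addresses = [
        "AzureContainerRegistry",
        "MicrosoftContainerRegistry",
        "AzureActiveDirectory"
      ]
      protocols = ["Any"]
    }

    # NOTE(review): TCP from any source to any destination on any port.
    # Network rules are evaluated before application rules, so this one rule
    # allows all TCP egress and makes the FQDN allow-list above irrelevant for
    # TCP traffic. Remove it, or restrict it to the destinations that genuinely
    # need a network (non-FQDN) rule.
    rule {
      name                  = "Internet"
      source_addresses      = ["*"]
      destination_ports     = ["*"]
      destination_addresses = ["*"]
      protocols             = ["TCP"]
    }
  }

  # DNAT: inbound 123.123.123.123:80 is forwarded to 10.9.0.1:80.
  nat_rule_collection {
    name     = "nat_rule_collection1"
    priority = 100
    action   = "Dnat"

    rule {
      name      = "fw-public-web-port-80"
      protocols = ["TCP"]
      # Any source: this publishes a plaintext HTTP service to the whole
      # internet. Restrict the source range if the consumer set is known, or
      # terminate TLS in front of it.
      source_addresses = ["*"]
      # For a DNAT rule this must be one of the firewall's own public IP
      # addresses; the question mentions a load balancer IP — confirm this is
      # the firewall's public IP, not the LB's.
      destination_address = "123.123.123.123"
      destination_ports   = ["80"]
      translated_address  = "10.9.0.1"
      translated_port     = "80"
    }
  }

  # The original block carried
  #   lifecycle {
  #     ignore_changes = [application_rule_collection, network_rule_collection, nat_rule_collection]
  #   }
  # which tells Terraform to ignore any difference between configuration and
  # state on those attributes once the resource exists. A nat_rule_collection
  # added after the first apply therefore never produced a plan — that is why
  # it was "not created". It also means rule changes made outside Terraform
  # (e.g. in the portal) are never reverted, so the firewall's effective policy
  # silently drifts from what is in code. Removed so all three collections are
  # fully managed by Terraform.
}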
ignore_changes（属性名称列表）— 默认情况下，Terraform 会检测当前配置与真实基础结构对象之间的任何差异，并计划更新远程对象以匹配配置。
ignore_changes 功能的设计用途是：资源在创建时引用了将来可能发生变化的数据（例如 data 数据源），但这些变化在资源创建之后不应再影响该资源。
因此问题在于，你是在其他两个规则集合已经创建之后才追加 nat_rule_collection 的。ignore_changes 元参数指定了 Terraform 在计划更新关联远程对象时应忽略的资源属性；由于 nat_rule_collection 本身就在 ignore_changes 列表中，Terraform 会忽略配置与状态之间关于该属性的差异，因此永远不会生成创建 NAT 规则集合的计划。把这三个集合从 ignore_changes 中移除（或直接删除整个 lifecycle 块），然后重新 apply 即可。另外还请确认：Azure 防火墙的 DNAT 规则要求 destination_address 是防火墙自身的公共 IP，而不是负载均衡器的 IP。
# Suggested fix: empty the ignore_changes list (deleting the whole lifecycle
# block is equivalent) so Terraform again plans the diff for nat_rule_collection
# and the other two collections.
lifecycle {
ignore_changes = [ ]
}
更多信息可以参考 Terraform 文档中关于 lifecycle 元参数（ignore_changes）的说明。