How to create multiple security rules with Terraform in Azure?
I am trying to create a network security group with several security rules. The idea is to declare a list variable (of port ranges) and interpolate the list items in the .tf file. The script below throws the following error:
"Error: azurerm_network_security_group.k8hway: security_rule.0: invalid or unknown key: count"
Here is the Terraform code:
resource "azurerm_network_security_group" "NSG" {
  name                = "NSG-Demo"
  location            = "${azurerm_resource_group.main.location}"
  resource_group_name = "${azurerm_resource_group.main.name}"

  security_rule {
    # count is a resource-level meta-argument; inside a nested block it is
    # rejected ("invalid or unknown key: count"), which is the error above.
    count                      = "${length(var.inbound_port_ranges)}"
    name                       = "sg-rule-${count.index}"
    direction                  = "Inbound"
    access                     = "Allow"
    # Note: quoted like this, the value is the literal string "(100 * (0 + 1))",
    # not the number Azure expects for a priority.
    priority                   = "(100 * (${count.index} + 1))"
    source_address_prefix      = "*"
    source_port_range          = "*"
    destination_address_prefix = "*"
    destination_port_range     = "${element(var.inbound_port_ranges, count.index)}"
    protocol                   = "TCP"
  }
}
4 answers
Solution
I don't think properties support count, but resources do. Use the network security rule resource:
resource "azurerm_network_security_rule" "test" {
  count = length(var.inbound_port_ranges)
  name  = "sg-rule-${count.index}"
  # Both are required by the standalone rule resource. The NSG it attaches to
  # must be declared without inline security_rule blocks, otherwise the inline
  # rules and these resources overwrite each other on every apply.
  resource_group_name         = azurerm_resource_group.main.name
  network_security_group_name = azurerm_network_security_group.NSG.name
  direction                   = "Inbound"
  access                      = "Allow"
  # Computed as a number; the quoted form "(100 * (${count.index} + 1))"
  # from the question is a literal string and is rejected by Azure.
  priority                    = 100 * (count.index + 1)
  source_address_prefix       = "*"
  source_port_range           = "*"
  destination_address_prefix  = "*"
  destination_port_range      = element(var.inbound_port_ranges, count.index)
  protocol                    = "Tcp"
}
Further reading:
https://www.terraform.io/docs/providers/azurerm/r/network_security_rule.html
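The answer above keeps `count`, which ties every rule to its position in the list: drop the first port from `var.inbound_port_ranges` and the index of each remaining entry shifts, so Terraform destroys and recreates those rules under new names and priorities, leaving a window with no rule in place. The following is an added example, not code from the answer or the question, that uses `for_each` keyed by rule name with explicit priorities, declares the NSG without inline rules so it does not conflict with the standalone rule resources, and replaces the all-sources `"*"` with an assumed `allowed_source` CIDR variable. The resource group, NSG, variable names and default values are assumptions made for the example.

```hcl
# Added example, not from the answer above; assumes the names, variables and
# resource group declared here and the hashicorp/azurerm provider.
terraform {
  required_providers {
    azurerm = { source = "hashicorp/azurerm" }
  }
}

provider "azurerm" {
  features {}
}

# Assumed: the CIDR allowed to reach the listed ports. "*" means any source,
# which is what the original snippet granted for every rule.
variable "allowed_source" {
  type    = string
  default = "10.0.0.0/8"
}

# Rules keyed by name with explicit priorities. Removing "ssh" later leaves
# "https" and "es" exactly as they are; with count, the index of every later
# entry would shift and those rules would be destroyed and recreated.
variable "inbound_rules" {
  type = map(object({ priority = number, ports = string }))
  default = {
    ssh   = { priority = 100, ports = "22" }
    https = { priority = 110, ports = "443" }
    es    = { priority = 120, ports = "9200-9300" }
  }
}

resource "azurerm_resource_group" "main" {
  name     = "rg-demo"
  location = "westeurope"
}

# Declared with no inline security_rule blocks: the provider documents that
# mixing inline rules with azurerm_network_security_rule resources makes the
# two overwrite each other on every apply.
resource "azurerm_network_security_group" "main" {
  name                = "nsg-demo"
  location            = azurerm_resource_group.main.location
  resource_group_name = azurerm_resource_group.main.name
}

resource "azurerm_network_security_rule" "inbound" {
  for_each                    = var.inbound_rules
  name                        = "allow-${each.key}"
  priority                    = each.value.priority
  direction                   = "Inbound"
  access                      = "Allow"
  protocol                    = "Tcp"
  source_port_range           = "*"
  destination_port_range      = each.value.ports
  source_address_prefix       = var.allowed_source
  destination_address_prefix  = "*"
  resource_group_name         = azurerm_resource_group.main.name
  network_security_group_name = azurerm_network_security_group.main.name
}
```

After `terraform init`, `terraform plan` lists the rules as `azurerm_network_security_rule.inbound["ssh"]`, `["https"]` and `["es"]`; deleting a key from `inbound_rules` plans exactly one destroy and touches nothing else.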
# Create Network Security Group and rule
resource "azurerm_network_security_group" "mynsg" {
  name                = "networksg"
  location            = var.rgLocation
  resource_group_name = var.rgName

  security_rule {
    name                       = "SSH"
    priority                   = 1001
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "22"
    source_address_prefix      = "*"
    destination_address_prefix = "*"
  }

  security_rule {
    name                       = "SSHnew"
    priority                   = 1101
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "6666"
    source_address_prefix      = "*"
    destination_address_prefix = "*"
  }
}
For those who would rather use a dynamic block than hard-coded values: define a new Terraform variable, for example:
variable "security_rules" {
  description = "A list of security rules to be created."
  # The remaining attributes are the ones every security_rule block on this
  # page sets.
  type = list(object({
    name                       = string
    priority                   = number
    direction                  = string
    access                     = string
    protocol                   = string
    source_port_range          = string
    destination_port_range     = string
    source_address_prefix      = string
    destination_address_prefix = string
  }))
}
Then on the resource:
resource "azurerm_network_security_group" "nsg" {
  name                = "example-nsg"
  location            = "example"
  resource_group_name = "example"

  dynamic "security_rule" {
    # Keyed by rule name so each generated block has a stable identity.
    for_each = { for sg in var.security_rules : sg.name => sg }
    content {
      # Inside a dynamic block the iterator is named after the block
      # ("security_rule"); each.key/each.value only exist at resource level.
      name                       = security_rule.value.name
      priority                   = security_rule.value.priority
      direction                  = security_rule.value.direction
      access                     = security_rule.value.access
      protocol                   = security_rule.value.protocol
      source_port_range          = security_rule.value.source_port_range
      destination_port_range     = security_rule.value.destination_port_range
      source_address_prefix      = security_rule.value.source_address_prefix
      destination_address_prefix = security_rule.value.destination_address_prefix
    }
  }
}
```
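Once the rules come from a variable, the checks that Azure would otherwise reject at apply time (or silently accept) can be moved into the variable itself. The following is an added example, not code from the answer above: it keys the rules by name, validates that every priority is within Azure's 100 to 4096 range and unique within the inbound direction, and refuses a rule that opens SSH, RDP or all ports to `"*"` or the `Internet` service tag. It assumes Terraform 0.14+ (for `validation` blocks and `alltrue`), the hashicorp/azurerm provider, and the resource group, NSG name and default rule values declared here.

```hcl
# Added example, not from the answer above. Assumes Terraform 0.14+
# (validation blocks, alltrue) and the names and defaults declared here.
terraform {
  required_providers {
    azurerm = { source = "hashicorp/azurerm" }
  }
}

provider "azurerm" {
  features {}
}

variable "security_rules" {
  description = "Inbound TCP rules keyed by rule name."
  type = map(object({
    priority               = number
    destination_port_range = string
    source_address_prefix  = string
  }))
  # Constructed defaults for the example; "allow-web" is deliberately open
  # to any source on port 80, which the checks below permit.
  default = {
    "allow-ssh" = { priority = 500, destination_port_range = "22", source_address_prefix = "10.0.0.0/8" }
    "allow-web" = { priority = 400, destination_port_range = "80", source_address_prefix = "*" }
  }

  validation {
    condition     = alltrue([for r in var.security_rules : r.priority >= 100 && r.priority <= 4096])
    error_message = "NSG rule priorities must be between 100 and 4096."
  }

  validation {
    condition     = length(distinct([for r in var.security_rules : r.priority])) == length(var.security_rules)
    error_message = "Rules in the same direction must have distinct priorities."
  }

  validation {
    condition = alltrue([
      for r in var.security_rules :
      !(contains(["*", "Internet"], r.source_address_prefix)
        && contains(["22", "3389", "*"], r.destination_port_range))
    ])
    error_message = "SSH (22), RDP (3389) or all ports must not be opened to * or Internet; use a CIDR source."
  }
}

resource "azurerm_network_security_group" "nsg" {
  name                = "example-nsg"
  location            = "westeurope"
  resource_group_name = "rg-demo"

  dynamic "security_rule" {
    for_each = var.security_rules
    content {
      name                       = security_rule.key
      priority                   = security_rule.value.priority
      direction                  = "Inbound"
      access                     = "Allow"
      protocol                   = "Tcp"
      source_port_range          = "*"
      destination_port_range     = security_rule.value.destination_port_range
      source_address_prefix      = security_rule.value.source_address_prefix
      destination_address_prefix = "*"
    }
  }
}
```

Changing `allow-ssh` to `source_address_prefix = "*"`, or giving two rules the same priority, makes `terraform validate` fail with the matching `error_message` before any plan is produced; the validation conditions reference only `var.security_rules`, which is what Terraform requires of them.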
Although @4c74356b41's answer works, I suggest a simple solution:
UPDATE:
resource "azurerm_network_security_group" "nsg" {
  name                = "nsg"
  location            = "westeurope"
  resource_group_name = "resorceGroup"

  security_rule {
    name                       = "allow-ssh"
    priority                   = 500
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "22"
    source_address_prefix      = "*"
    destination_address_prefix = "*"
  }

  security_rule {
    name                       = "allow-kibana-service"
    priority                   = 400
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "80"
    source_address_prefix      = "*"
    destination_address_prefix = "*"
  }

  security_rule {
    name                       = "allow-es-service"
    priority                   = 300
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "9200-9300"
    source_address_prefix      = "*"
    destination_address_prefix = "*"
  }
}