是否可以使用VNET地址空间作为NSG源地址前缀？

Question

我想让流量通过NSG从所有本地子网(不包括对等子网)。由于我只有一个地址空间，因此似乎最直接的方法是使用VNET的address_space作为安全规则的source_address_prefix。

resource "azurerm_resource_group" "west01-rg" {
  name     = "west01-rg"
  location = "West US"
}

resource "azurerm_virtual_network" "virtual-network" {
  name                = "west01-vnet"
  location            = "${azurerm_resource_group.west01-rg.location}"
  resource_group_name = "${azurerm_resource_group.west01-rg.name}"
  address_space       = ["10.10.20.0/21"]
}

resource "azurerm_subnet" "servers-subnet" {
  name                 = "ServersNet"
  resource_group_name  = "${azurerm_resource_group.west01-rg.name}"
  virtual_network_name = "${azurerm_virtual_network.virtual-network.name}"
  address_prefix       = "10.10.20.0/24"
}

resource "azurerm_network_security_group" "dc-nsg" {
  name                = "dc-nsg"
  location            = "${azurerm_resource_group.west01-rg.location}"
  resource_group_name = "${azurerm_resource_group.west01-rg.name}"

  security_rule {
    name                       = "AllowCidrSubnet"
    priority                   = 100
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "*"
    source_port_range          = "*"
    destination_port_range     = "*"
    source_address_prefix      = "${azurerm_virtual_network.virtual-network.address_space}"
    destination_address_prefix = "*"
  }

  tags {
    environment = "Testing"
  }
}

根据文档，这个值可以用CIDR符号表示。但是，上面的示例将导致错误。

Error: azurerm_network_security_group.dc: security_rule.0.source_address_prefix must be a single value, not a list

如果切换到应该接受列表的source_address_prefixes，则会得到以下错误

Error: azurerm_network_security_group.dcx: security_rule.0.source_address_prefixes: should be a list

因此，这个值似乎既是一个列表，也不是一个列表。这个能行吗？还是我该换一种方式去做？

• Terraform诉0.11.11
• provider.azurerm v1.21.0

Answer 1

在TerraformPre0.12中，默认情况下每个变量都是字符串类型，如果要使用列表或映射类型，则必须在传递变量时始终使用该类型。在Terraform0.12中，这种情况应该会发生变化，因为HCL2更好地支持类型，包括更多的复杂类型处理。

为了解决您的问题，您需要对列表进行索引以返回一个元素，这将是一个字符串，或者您需要与您的列表类型保持一致。

所以这两种方法中的任何一种都应该有效：

resource "azurerm_network_security_group" "dc-nsg" {
  name                = "dc-nsg"
  location            = "${azurerm_resource_group.west01-rg.location}"
  resource_group_name = "${azurerm_resource_group.west01-rg.name}"

  security_rule {
    name                       = "AllowCidrSubnet"
    priority                   = 100
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "*"
    source_port_range          = "*"
    destination_port_range     = "*"
    source_address_prefix      = "${azurerm_virtual_network.virtual-network.address_space[0]}"
    destination_address_prefix = "*"
  }

  tags {
    environment = "Testing"
  }
}

或直接使用列表：

resource "azurerm_network_security_group" "dc-nsg" {
  name                = "dc-nsg"
  location            = "${azurerm_resource_group.west01-rg.location}"
  resource_group_name = "${azurerm_resource_group.west01-rg.name}"

  security_rule {
    name                       = "AllowCidrSubnet"
    priority                   = 100
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "*"
    source_port_range          = "*"
    destination_port_range     = "*"
    source_address_prefixes    = ["${azurerm_virtual_network.virtual-network.address_space}"]
    destination_address_prefix = "*"
  }

  tags {
    environment = "Testing"
  }
}