
为"AzureMonitor“的DestinationAddressPrefix/DestinationAddressPrefixes创建Azure Terraform NSG规则时出错
EN

Stack Overflow user
Asked on 2021-05-26 10:18:04
1 answer, 273 views, 0 followers, 0 votes

Edited the post to add more clarification:

In the current architecture, we run an Ansible playbook (infrastructure.yml) to deploy the infrastructure in Azure. We are able to create resources without any problem, including many other NSG rules.

With the new NSG rule, our Terraform run fails with the following message:

I have this azurerm version:

provider "azurerm" {
  version = "2.58.0"
  ...

Terraform version:

Terraform v0.13.4

I can create the same rule with an Azure CLI command, as follows:

az network nsg rule create -g 'MyGroup' --nsg-name 'MyNSG' -n 'AllowAzureMonitorOutbound' --priority 1200 --source-address-prefixes "*" --destination-address-prefixes AzureMonitor --destination-port-ranges 443  --direction Outbound --access Allow --protocol Tcp --description "AzureMonitor rule CLI creation."

But I get this error when creating the NSG rule through Terraform:

-- Original Error: Code="SecurityRuleParameterContainsUnsupportedValue" Message="Security rule parameter DestinationAddressPrefix for rule with Id /subscriptions/XXXXXXXXXXXXXX/resourceGroups/MyGroup/providers/Microsoft.Network/networkSecurityGroups/UMyNSG/securityRules/AllowAzureMonitorOutbound cannot specify existing VIRTUALNETWORK, INTERNET, AZURELOADBALANCER, '*' or system tags. Unsupported value used: AzureMonitor."

<- Code values and HashicoVault values ->

Terraform code snippet:

resource "azurerm_network_security_group" "prx" {
  name                = "${var.prx_hosts.name}-NSG"
  resource_group_name = azurerm_resource_group.MYPROJECT.name
  location            = var.location
  dynamic "security_rule" {
    for_each = var.prx_hosts.security_group.rules
    content {
      name                         = security_rule.value.name
      description                  = security_rule.value.description
      access                       = security_rule.value.access
      direction                    = security_rule.value.direction
      protocol                     = security_rule.value.protocol
      priority                     = security_rule.value.priority
      source_address_prefix        = security_rule.value.source_address_prefixes == ["any"] ? "*" : null
      source_address_prefixes      = security_rule.value.source_address_prefixes == ["any"] ? null : tolist(security_rule.value.source_address_prefixes)
      destination_address_prefix   = security_rule.value.destination_address_prefixes == ["any"] ? "*" : null
      destination_address_prefixes = security_rule.value.destination_address_prefixes == ["any"] ? null : tolist(security_rule.value.destination_address_prefixes)
      source_port_range            = security_rule.value.source_port_ranges == ["any"] ? "*" : null
      source_port_ranges           = security_rule.value.source_port_ranges == ["any"] ? null : tolist(security_rule.value.source_port_ranges)
      destination_port_range       = security_rule.value.destination_port_ranges == ["any"] ? "*" : null
      destination_port_ranges      = security_rule.value.destination_port_ranges == ["any"] ? null : tolist(security_rule.value.destination_port_ranges)
    }
  }
}

The HashicoVault values we pass to Terraform are as follows:

        "security_group": {
          "name": "MY_PROJECT_NAME",
          "rules": [
            {
              "access": "allow",
              "description": "AzureMonitor rule CLI creation.",
              "destination_address_prefixes": ["AzureMonitor"],
              "destination_port_ranges": [
                443
              ],
              "direction": "Outbound",
              "name": "AllowAzureMonitorOutbound",
              "priority": 100,
              "protocol": "TCP",
              "source_address_prefixes": [
                "any"
              ],
              "source_port_ranges": [
                "any"
              ]
            }
          ]
        }

1 Answer

Stack Overflow user

Posted on 2021-07-20 22:23:59

我在"AzureLoadBalancer“上也遇到了同样的问题--例如,它可以与"source_address_prefix”一起工作,但不能与"source_address_prefixes“一起工作--可能是提供者的bug。

0 votes
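The error message in the question says the plural DestinationAddressPrefixes parameter cannot carry '*' or system/service tags, and the answer reports that the singular attribute accepts them. An added example (not the poster's or the provider's code) of a dynamic block that routes any one-entry list, such as ["AzureMonitor"] or ["any"], to the singular *_prefix / *_range attribute and keeps the plural attribute for lists of two or more CIDR/IP entries; the variable layout follows the poster's HashicoVault JSON, with "any" meaning "*".

```hcl
locals {
  # Step 1: normalise every list-typed field per rule: "any" becomes "*",
  # numbers (e.g. 443) become strings. Keyed by rule name for for_each.
  nsg_rules = {
    for r in var.prx_hosts.security_group.rules : r.name => {
      rule = r
      src  = [for p in r.source_address_prefixes : tostring(p) == "any" ? "*" : tostring(p)]
      dst  = [for p in r.destination_address_prefixes : tostring(p) == "any" ? "*" : tostring(p)]
      sp   = [for p in r.source_port_ranges : tostring(p) == "any" ? "*" : tostring(p)]
      dp   = [for p in r.destination_port_ranges : tostring(p) == "any" ? "*" : tostring(p)]
    }
  }
}

resource "azurerm_network_security_group" "prx" {
  name                = "${var.prx_hosts.name}-NSG"
  resource_group_name = azurerm_resource_group.MYPROJECT.name
  location            = var.location

  dynamic "security_rule" {
    for_each = local.nsg_rules
    content {
      name        = security_rule.value.rule.name
      description = security_rule.value.rule.description
      access      = security_rule.value.rule.access
      direction   = security_rule.value.rule.direction
      protocol    = security_rule.value.rule.protocol
      priority    = security_rule.value.rule.priority

      # Step 2: exactly one entry -> singular attribute (the only place the
      # API accepts "*" and service tags such as AzureMonitor);
      # two or more entries -> plural attribute (CIDR/IP lists only).
      source_address_prefix        = length(security_rule.value.src) == 1 ? security_rule.value.src[0] : null
      source_address_prefixes      = length(security_rule.value.src) == 1 ? null : security_rule.value.src
      destination_address_prefix   = length(security_rule.value.dst) == 1 ? security_rule.value.dst[0] : null
      destination_address_prefixes = length(security_rule.value.dst) == 1 ? null : security_rule.value.dst
      source_port_range            = length(security_rule.value.sp) == 1 ? security_rule.value.sp[0] : null
      source_port_ranges           = length(security_rule.value.sp) == 1 ? null : security_rule.value.sp
      destination_port_range       = length(security_rule.value.dp) == 1 ? security_rule.value.dp[0] : null
      destination_port_ranges      = length(security_rule.value.dp) == 1 ? null : security_rule.value.dp
    }
  }
}
```

A rule that mixes a service tag with CIDR entries in one list still has to be split into separate rules, because the plural attribute rejects the tag regardless of how it is built.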
Original page content provided by Stack Overflow. Translation supported by Tencent Cloud's IT-domain translation engine.
Original link:

https://stackoverflow.com/questions/67697722
