问题描述
我正在尝试从 CSV 文件填充 NSG 规则。
CSV 文件:
name,priority,direction,access,protocol,source_port_range,destination_port_range,destination_port_ranges,source_address_prefix,destination_address_prefix,resource_group_name,network_security_group_name
allowindatasubnet,600,inbound,allow,*,192.168.3.0/24,resourcegroup1,networksecgroup1
allowinremote,700,"3389,22",192.168.1.128/27,networksecgroup1
denyinall,1000,deny,networksecgroup1
tf 文件:
locals {
network_security_group_rules = csvdecode(file("/csvfile.csv"))
}
resource "azurerm_network_security_rule" "network_security_rule_WL1" {
count = length(local.network_security_group_rules)
name = local.network_security_group_rules[count.index].name
priority = local.network_security_group_rules[count.index].priority
direction = local.network_security_group_rules[count.index].direction
access = local.network_security_group_rules[count.index].access
protocol = local.network_security_group_rules[count.index].protocol
source_port_range = local.network_security_group_rules[count.index].source_port_range
destination_port_range = local.network_security_group_rules[count.index].destination_port_range
destination_port_ranges = [local.network_security_group_rules[count.index].destination_port_ranges]
source_address_prefix = local.network_security_group_rules[count.index].source_address_prefixyes
destination_address_prefix = local.network_security_group_rules[count.index].destination_address_prefix
resource_group_name = local.network_security_group_rules[count.index].resource_group_name
network_security_group_name = local.network_security_group_rules[count.index].network_security_group_name
}
这在 nsg 规则资源块中没有 destination_port_ranges 属性的情况下工作正常,但是当我添加它时出现错误:
Error: "destination_port_ranges": conflicts with destination_port_range
我知道我需要使用一个或另一个参数,但谁能帮助我使用语法或建议我可以进行的更改以允许我保持相同的 CSV 格式?
我的配置是否也正确为 destination_port_ranges 参数指定了端口列表?
更新: 我尝试了以下朋友建议的方法,但这引发了同样的异常。
destination_port_range = local.network_security_group_rules[count.index].destination_port_range != "" ? local.network_security_group_rules[count.index].destination_port_range : null
destination_port_ranges = local.network_security_group_rules[count.index].destination_port_ranges != "" ? split(",",local.network_security_group_rules[count.index].destination_port_ranges) : null
谢谢!
解决方法
正如您所说,您只需要一个参数,而不是两个。如我所见,您的所有目标端口都是一个列表或字符 *
,它表示一个范围。让我们看看参数 destination_port_ranges
和 destination_port_range
的描述:
destination_port_range -(可选)目标端口或范围。整数 或介于 0 和 65535 之间的范围或 * 以匹配任何。这是必需的,如果 未指定目标端口范围。
destination_port_ranges -(可选)目标端口或端口列表 范围。如果未指定 destination_port_range,则这是必需的。
您使用目标端口或端口范围列表,因此您只需在 csv 文件中为网络安全规则设置参数 destination_port_ranges
。
更新:
您可以为规则使用一个模块,该模块用于决定每个规则使用哪个属性:
./main.tf
locals {
network_security_group_rules = csvdecode(file("/csvfile.csv"))
}
module "rules" {
source = "./modules/rules"
count = length(local.network_security_group_rules)
rule = local.network_security_group_rules[count.index]
}
./modules/rules/main.tf
variable "rule" {}
resource "azurerm_network_security_rule" "network_security_rule_WL1" {
count = rule.destination_port_range == null ? 0 : 1
name = local.network_security_group_rules[count.index].name
priority = local.network_security_group_rules[count.index].priority
direction = local.network_security_group_rules[count.index].direction
access = local.network_security_group_rules[count.index].access
protocol = local.network_security_group_rules[count.index].protocol
source_port_range = local.network_security_group_rules[count.index].source_port_range
destination_port_range = local.network_security_group_rules[count.index].destination_port_range
source_address_prefix = local.network_security_group_rules[count.index].source_address_prefixyes
destination_address_prefix = local.network_security_group_rules[count.index].destination_address_prefix
resource_group_name = local.network_security_group_rules[count.index].resource_group_name
network_security_group_name = local.network_security_group_rules[count.index].network_security_group_name
}
resource "azurerm_network_security_rule" "network_security_rule_WL1" {
count = rule.destination_port_ranges == null ? 0 : 1
name = local.network_security_group_rules[count.index].name
priority = local.network_security_group_rules[count.index].priority
direction = local.network_security_group_rules[count.index].direction
access = local.network_security_group_rules[count.index].access
protocol = local.network_security_group_rules[count.index].protocol
source_port_range = local.network_security_group_rules[count.index].source_port_range
destination_port_ranges = [local.network_security_group_rules[count.index].destination_port_ranges]
source_address_prefix = local.network_security_group_rules[count.index].source_address_prefixyes
destination_address_prefix = local.network_security_group_rules[count.index].destination_address_prefix
resource_group_name = local.network_security_group_rules[count.index].resource_group_name
network_security_group_name = local.network_security_group_rules[count.index].network_security_group_name
}
这样,你就不能创建两个属性都不为空的规则,我的意思是每个规则只能有两个属性之一。