我有一段可以正常工作的 Terraform 代码,用于创建 VNet、子网和 NSG。
provider "azurerm" {
  # The azurerm provider requires a features block even when no feature flags are set.
  features {}
}
# Resource group that holds every resource declared in this example.
resource "azurerm_resource_group" "example" {
  location = "West Europe"
  name     = "example-resources"
}
# Virtual network; azurerm_subnet.example carves a /24 out of this /16.
resource "azurerm_virtual_network" "example" {
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  name                = "example-vn"
  address_space       = ["10.0.0.0/16"]
}
# Subnet delegated to PostgreSQL Flexible Server; referenced by
# azurerm_postgresql_flexible_server.example.delegated_subnet_id.
# Note: azurerm_subnet has no NSG argument, so a subnet declared this way is
# created without one and an NSG can only be attached afterwards with
# azurerm_subnet_network_security_group_association.
resource "azurerm_subnet" "example" {
  virtual_network_name = azurerm_virtual_network.example.name
  resource_group_name  = azurerm_resource_group.example.name
  name                 = "example-sn"
  address_prefixes     = ["10.0.2.0/24"]

  # Service endpoint for Azure Storage.
  service_endpoints = ["Microsoft.Storage"]

  # Delegation consumed by the flexible server's delegated_subnet_id.
  delegation {
    name = "fs"

    service_delegation {
      name    = "Microsoft.DBforPostgreSQL/flexibleServers"
      actions = ["Microsoft.Network/virtualNetworks/subnets/join/action"]
    }
  }
}
# Private DNS zone referenced by azurerm_postgresql_flexible_server.example.private_dns_zone_id.
resource "azurerm_private_dns_zone" "example" {
  resource_group_name = azurerm_resource_group.example.name
  name                = "example.postgres.database.azure.com"
}
# Links the private DNS zone to the VNet; the flexible server lists this link
# in depends_on because it does not reference it directly.
resource "azurerm_private_dns_zone_virtual_network_link" "example" {
  resource_group_name   = azurerm_resource_group.example.name
  private_dns_zone_name = azurerm_private_dns_zone.example.name
  virtual_network_id    = azurerm_virtual_network.example.id
  name                  = "exampleVnetZone.com"
}
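# Administrator password, supplied at plan/apply time (for example through a
# TF_VAR_ environment variable, -var, or a tfvars file kept out of source
# control). sensitive = true (Terraform 0.14+) makes Terraform redact the value
# in plan output and logs. There is deliberately no default: a default would put
# the secret back into the repository. The value is still recorded in state, so
# the state backend must be protected accordingly.
variable "postgres_administrator_password" {
  type      = string
  sensitive = true
}

# PostgreSQL Flexible Server deployed into the delegated subnet.
resource "azurerm_postgresql_flexible_server" "example" {
  name                = "example-psqlflexibleserver2022"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  version             = "13"

  # VNet integration: delegated subnet plus the private DNS zone linked to the VNet.
  delegated_subnet_id = azurerm_subnet.example.id
  private_dns_zone_id = azurerm_private_dns_zone.example.id

  # Previously a plaintext literal in this file; now injected from the sensitive variable.
  administrator_login    = "postgres"
  administrator_password = var.postgres_administrator_password

  zone       = "1"
  storage_mb = 131072
  sku_name   = "GP_Standard_D2s_v3"

  # The zone must be linked to the VNet before the server is created; Terraform
  # cannot infer this edge because the server never references the link.
  depends_on = [azurerm_private_dns_zone_virtual_network_link.example]
}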
但是我收到了策略错误(子网在创建时就必须带有 NSG),因此把子网的创建方式改成了如下。
# Create Virtual Network
# Second attempt: subnets are declared inline so that each one is created with
# its NSG (security_group) in the same request, which is the property the
# Deny-Subnet-Without-Nsg policy checks. The provider version in use rejects
# service_endpoints and the delegation block inside an inline subnet (see the
# "Unsupported argument" / "Unsupported block type" errors below), so this
# version does not apply as written.
resource "azurerm_virtual_network" "aksvnet" {
  name                = "aks-network"
  location            = azurerm_resource_group.aks_rg.location
  resource_group_name = azurerm_resource_group.aks_rg.name
  address_space       = ["10.0.0.0/8"]

  subnet {
    name           = "aks-default-subnet"
    address_prefix = "10.240.0.0/16"
    security_group = azurerm_network_security_group.example.id
  }

  subnet {
    name           = "aks-postgres-subnet"
    address_prefix = "10.230.2.0/24"
    security_group = azurerm_network_security_group.example.id
    # Not accepted inside an inline subnet block by this provider version.
    service_endpoints = ["Microsoft.Storage"]
    # Not accepted inside an inline subnet block by this provider version.
    delegation {
      name = "fs"
      service_delegation {
        name = "Microsoft.DBforPostgreSQL/flexibleServers"
        actions = [
          "Microsoft.Network/virtualNetworks/subnets/join/action",
        ]
      }
    }
  }
}
# NSG attached to the inline subnets of azurerm_virtual_network.aksvnet.
# The single rule admits all inbound TCP traffic from any source to any
# destination on every port: it satisfies the policy's "an NSG exists" check
# but filters nothing, so the rule set should be scoped to the actual sources
# and ports before this is used beyond a test.
resource "azurerm_network_security_group" "example" {
  resource_group_name = azurerm_resource_group.aks_rg.name
  location            = azurerm_resource_group.aks_rg.location
  name                = "example-nsg"

  security_rule {
    name      = "test123"
    priority  = 100
    direction = "Inbound"
    access    = "Allow"
    protocol  = "Tcp"

    source_address_prefix      = "*"
    source_port_range          = "*"
    destination_address_prefix = "*"
    destination_port_range     = "*"
  }
}
但出现以下错误。
请建议如何修复该问题。
Error: Unsupported argument │ │ on 11-virtual-network.tf line 17, in resource "azurerm_virtual_network" "aksvnet": │ 17: service_endpoints = ["Microsoft.Storage"] │ │ An argument named "service_endpoints" is not expected here. ╵ ╷ │ Error: Unsupported block type │ │ on 11-virtual-network.tf line 18, in resource "azurerm_virtual_network" "aksvnet": │ 18: delegation { │ │ Blocks of type "delegation" are not expected here.
即使采用以下方法,我仍然收到策略错误。
# Create Virtual Network
# Third attempt: only the default subnet stays inline (created together with
# its NSG); the PostgreSQL subnet is moved to a standalone azurerm_subnet below
# so that it can carry service_endpoints and delegation.
resource "azurerm_virtual_network" "aksvnet" {
  resource_group_name = azurerm_resource_group.aks_rg.name
  location            = azurerm_resource_group.aks_rg.location
  name                = "aks-network"
  address_space       = ["10.0.0.0/8"]

  subnet {
    security_group = azurerm_network_security_group.example.id
    address_prefix = "10.240.0.0/16"
    name           = "aks-default-subnet"
  }
}
# NSG used by the inline default subnet and by the association below.
# Rule "test123" is a blanket allow: inbound TCP, any source, any destination,
# any port. Its only effect here is to make the subnet pass the
# Deny-Subnet-Without-Nsg policy; it provides no traffic filtering.
resource "azurerm_network_security_group" "example" {
  name                = "example-nsg"
  resource_group_name = azurerm_resource_group.aks_rg.name
  location            = azurerm_resource_group.aks_rg.location

  security_rule {
    name                       = "test123"
    priority                   = 100
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    source_address_prefix      = "*"
    destination_port_range     = "*"
    destination_address_prefix = "*"
  }
}
# Attaches the NSG to the standalone subnet. This is a separate update that
# runs only after azurerm_subnet.example exists, so the subnet's own create
# request still arrives without networkSecurityGroup.id — which is exactly the
# field the policy evaluation below reports as missing.
resource "azurerm_subnet_network_security_group_association" "example" {
  network_security_group_id = azurerm_network_security_group.example.id
  subnet_id                 = azurerm_subnet.example.id
}
# Standalone PostgreSQL subnet inside aksvnet, carrying the delegation and
# service endpoint that the inline subnet block could not express.
resource "azurerm_subnet" "example" {
  name                 = "aks-postgres-subnet"
  resource_group_name  = azurerm_resource_group.aks_rg.name
  virtual_network_name = azurerm_virtual_network.aksvnet.name
  address_prefixes     = ["10.230.2.0/24"]
  service_endpoints    = ["Microsoft.Storage"]

  delegation {
    name = "fs"

    service_delegation {
      name    = "Microsoft.DBforPostgreSQL/flexibleServers"
      actions = ["Microsoft.Network/virtualNetworks/subnets/join/action"]
    }
  }

  # depends_on only orders creation; it does not attach the NSG to this subnet,
  # so the create request still carries no networkSecurityGroup.id. The
  # reference to aksvnet.name above already implies the first dependency.
  depends_on = [azurerm_virtual_network.aksvnet, azurerm_network_security_group.example]
}
我收到如下错误。
er-delete-dev"): network.SubnetsClient#CreateOrUpdate: Failure sending request: StatusCode=403 -- Original Error:
代码 =“RequestDisallowedByPolicy”消息 =“资源'aks-postgres-subnet'被策略禁止。策略标识符:'[{“policyAssignment”:{“name”:“Deny-Subnet-Without-Nsg”,“id”:“/providers/Microsoft.Management/managementGroups/QSFT-landingzones/providers/Microsoft.Authorization/policyAssignments/Deny-Subnet-Without-Nsg”},“policyDefinition”:{“name”:“子网应具有网络安全组”,“id”:“/providers/Microsoft.Management/managementGroups/QSFT/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg”}}]'。”目标 =“aks-postgres-subnet”附加信息 = [{“信息”:{“评估详细信息”:{“评估表达式”:[{“表达式”:“类型”,“表达式类型”:“字段”,“表达式值”:“Microsoft.Network/virtualNetworks/subnets”,“运算符”:“等于”,“路径”:“类型”,“结果”:“真”,“目标值”:“Microsoft.Network/virtualNetworks/subnets”},{“表达式”:“Microsoft.Network/virtualNetworks/subnets/networkSecurityGroup.id”,“表达式类型”:“字段”,“运算符”:“存在”,“路径”:“properties.networkSecurityGr oup.id”,“result”:“True”,“targetValue”:“false”}]},“policyAssignmentDisplayName”:“Deny-Subnet-Without-Nsg”,“policyAssignmentId”:“/providers/Microsoft.Management/managementGroups/QSFT-landingzones/providers/Microsoft.Authorization/policyAssignments/Deny-Subnet-Without-Nsg”,“policyAssignmentName”:“Deny-Subnet-Without-Nsg”,“policyAssignmentScope”:“/providers/Microsoft.Management/managementGroups/QSFT-landingzones”,“policyDefinitionDisplayName”:“子网应该有一个网络安全组“,”policyDefinitionEffect“,”policyDefinitionId“,”/providers/Microsoft.Management/managementGroups/QSFT/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg“,”policyDefinitionName“,”Deny-Subnet-Without-Nsg“},”type“:“PolicyViolation”}] │ │ 使用 azurerm_subnet.example,│ 在 11-virtual-network.tf 第 37 行,在资源“azurerm_subnet” “example”中: │ 37:资源“azurerm_subnet” “example”{
答案1
请查阅文档:如果在 azurerm_virtual_network 资源的内联 subnet 块中创建子网,就无法指定 delegation 或 service_endpoints。
我建议保留您原来的代码,并去解决策略与资源创建顺序的问题:策略是在子网的创建请求本身上做评估的(错误信息里 networkSecurityGroup.id 的"存在"检查结果为 false),而 azurerm_subnet_network_security_group_association 是在子网创建之后才发出的单独更新,所以无法满足该策略。