如何使用 terraform 在 azure 中的 vnet 子网部分设置 service_endpoints 和委托?

如何使用 terraform 在 azure 中的 vnet 子网部分设置 service_endpoints 和委托?

我有一个 terraform vnet、子网和 NSG 的工作块。

# Azure Resource Manager provider. The empty `features {}` block is required
# by the provider even when no feature flags are set.
provider "azurerm" {
  features {}
}

# Resource group that holds every resource in this example; the VNet, subnet,
# DNS zone and flexible server below all take their location/name from it.
resource "azurerm_resource_group" "example" {
  name     = "example-resources"
  location = "West Europe"
}

# Virtual network without inline subnets. Subnets are declared as standalone
# `azurerm_subnet` resources so they can carry delegation and service endpoints.
resource "azurerm_virtual_network" "example" {
  name                = "example-vn"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  address_space       = ["10.0.0.0/16"]
}

# Subnet delegated to PostgreSQL Flexible Server; the server resource below
# references it through `delegated_subnet_id`.
#
# NOTE(review): a standalone `azurerm_subnet` is created in its own API call
# with no NSG attached. In an environment with a "subnet must have an NSG"
# deny policy (see the RequestDisallowedByPolicy error later on this page)
# that create call is rejected before any NSG association can run.
resource "azurerm_subnet" "example" {
  name                 = "example-sn"
  resource_group_name  = azurerm_resource_group.example.name
  virtual_network_name = azurerm_virtual_network.example.name
  address_prefixes     = ["10.0.2.0/24"]
  # Service endpoint for Azure Storage from this subnet.
  service_endpoints    = ["Microsoft.Storage"]
  # Delegation hands the subnet to the flexible-server resource provider; the
  # join action lets that provider place server NICs into the subnet.
  delegation {
    name = "fs"
    service_delegation {
      name = "Microsoft.DBforPostgreSQL/flexibleServers"
      actions = [
        "Microsoft.Network/virtualNetworks/subnets/join/action",
      ]
    }
  }
}
# Private DNS zone used by the flexible server for name resolution inside the
# VNet (`private_dns_zone_id` on the server resource). The zone name must end
# in `postgres.database.azure.com`.
resource "azurerm_private_dns_zone" "example" {
  name                = "example.postgres.database.azure.com"
  resource_group_name = azurerm_resource_group.example.name
}

# Links the private DNS zone to the VNet so hosts in the VNet can resolve the
# server's private name. The server resource lists this link in `depends_on`
# because nothing else references it.
resource "azurerm_private_dns_zone_virtual_network_link" "example" {
  name                  = "exampleVnetZone.com"
  private_dns_zone_name = azurerm_private_dns_zone.example.name
  virtual_network_id    = azurerm_virtual_network.example.id
  resource_group_name   = azurerm_resource_group.example.name
}

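# Administrator password for the flexible server. Declared as a sensitive
# input variable instead of the literal "password@2020" the original block
# committed to source control. `sensitive = true` keeps it out of plan/apply
# output; it is still written to Terraform state in clear text, so the state
# backend must be access-controlled and encrypted.
variable "postgres_admin_password" {
  type        = string
  sensitive   = true
  description = "Administrator password for azurerm_postgresql_flexible_server.example"
}

# PostgreSQL Flexible Server with VNet integration: the server is placed in the
# subnet delegated to Microsoft.DBforPostgreSQL/flexibleServers and resolves
# through the private DNS zone linked to the VNet.
resource "azurerm_postgresql_flexible_server" "example" {
  name                = "example-psqlflexibleserver2022"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  version             = "13"

  delegated_subnet_id = azurerm_subnet.example.id
  private_dns_zone_id = azurerm_private_dns_zone.example.id

  administrator_login    = "postgres"
  administrator_password = var.postgres_admin_password
  zone                   = "1"

  storage_mb = 131072
  sku_name   = "GP_Standard_D2s_v3"

  # The DNS zone must already be linked to the VNet when the server is
  # created; the link is not referenced anywhere else, so make it explicit.
  depends_on = [azurerm_private_dns_zone_virtual_network_link.example]
}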

但是部署时收到一个策略错误:子网在关联 NSG 之前就被创建了(策略要求子网在创建时就必须带有 NSG),因此我把子网改为在 VNet 资源内联定义并直接指定 `security_group`,如下。

# Create Virtual Network
# Second attempt: subnets declared inline so each one carries `security_group`
# in the same create call (to satisfy the subnet-must-have-NSG policy).
#
# This block does NOT validate: the inline `subnet` block of this provider
# version rejects `service_endpoints` ("Unsupported argument") and
# `delegation` ("Unsupported block type") — see the error output below.
#
# NOTE(review): `10.0.0.0/8` reserves the entire private 10/8 range for one
# VNet; confirm this does not overlap peered networks or on-prem ranges.
resource "azurerm_virtual_network" "aksvnet" {
  name                = "aks-network"
  location            = azurerm_resource_group.aks_rg.location
  resource_group_name = azurerm_resource_group.aks_rg.name
  address_space       = ["10.0.0.0/8"]

  # AKS node subnet; the same NSG is attached to both subnets.
  subnet {
    name           = "aks-default-subnet"
    address_prefix = "10.240.0.0/16"
    security_group = azurerm_network_security_group.example.id
  }
  # Intended PostgreSQL subnet — the two settings below are what the inline
  # block cannot express.
  subnet {
    name           = "aks-postgres-subnet"
    address_prefix = "10.230.2.0/24"
    security_group = azurerm_network_security_group.example.id
    service_endpoints    = ["Microsoft.Storage"]
       delegation {
     name = "fs"
     service_delegation {
       name = "Microsoft.DBforPostgreSQL/flexibleServers"
       actions = [
         "Microsoft.Network/virtualNetworks/subnets/join/action",
       ]
     }
   }
  }

}

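# NSG attached to both inline subnets above. The original single rule allowed
# every TCP port inbound from any source to any destination ("*" -> "*"): it
# satisfied the Deny-Subnet-Without-Nsg policy only in form, while exposing
# every NIC in those subnets that has a public IP to the internet.
#
# The rule is restricted to the PostgreSQL port from inside the VNet,
# targeting the postgres subnet's prefix. Azure's built-in default rules
# (AllowVnetInBound, AllowAzureLoadBalancerInBound, DenyAllInBound at
# priority 65000 and above) remain in effect — confirm they cover whatever
# else the AKS subnet needs before applying this change.
resource "azurerm_network_security_group" "example" {
  name                = "example-nsg"
  location            = azurerm_resource_group.aks_rg.location
  resource_group_name = azurerm_resource_group.aks_rg.name

  security_rule {
    name                       = "allow-postgres-from-vnet"
    priority                   = 100
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "5432"
    source_address_prefix      = "VirtualNetwork"
    destination_address_prefix = "10.230.2.0/24"
  }
}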

但出现以下错误。

请建议如何修复该问题。

 Error: Unsupported argument
│   on 11-virtual-network.tf line 17, in resource "azurerm_virtual_network" "aksvnet":
│   17:     service_endpoints    = ["Microsoft.Storage"]
│ An argument named "service_endpoints" is not expected here.
│ Error: Unsupported block type
│   on 11-virtual-network.tf line 18, in resource "azurerm_virtual_network" "aksvnet":
│   18:        delegation {
│ Blocks of type "delegation" are not expected here.

即使采用以下方法,我仍然收到策略错误。

# Create Virtual Network
# Third attempt: only the AKS subnet stays inline (with its NSG); the
# PostgreSQL subnet is moved back to a standalone `azurerm_subnet` so it can
# carry delegation and service endpoints.
#
# NOTE(review): the azurerm provider documentation warns against mixing inline
# `subnet` blocks with standalone `azurerm_subnet` resources on the same VNet,
# because the inline list is authoritative and can overwrite the standalone
# subnet on the next apply — verify against the provider version in use.
resource "azurerm_virtual_network" "aksvnet" {
  name                = "aks-network"
  location            = azurerm_resource_group.aks_rg.location
  resource_group_name = azurerm_resource_group.aks_rg.name
  address_space       = ["10.0.0.0/8"]

  subnet {
    name           = "aks-default-subnet"
    address_prefix = "10.240.0.0/16"
    security_group = azurerm_network_security_group.example.id
  }
}

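# NSG shared by the inline AKS subnet and (via the association resource) the
# PostgreSQL subnet. The original single rule allowed every TCP port inbound
# from any source to any destination ("*" -> "*"): it satisfied the
# Deny-Subnet-Without-Nsg policy only in form, while exposing every NIC in
# those subnets that has a public IP to the internet.
#
# The rule is restricted to the PostgreSQL port from inside the VNet,
# targeting the postgres subnet's prefix. Azure's built-in default rules
# (AllowVnetInBound, AllowAzureLoadBalancerInBound, DenyAllInBound at
# priority 65000 and above) remain in effect — confirm they cover whatever
# else the AKS subnet needs before applying this change.
resource "azurerm_network_security_group" "example" {
  name                = "example-nsg"
  location            = azurerm_resource_group.aks_rg.location
  resource_group_name = azurerm_resource_group.aks_rg.name

  security_rule {
    name                       = "allow-postgres-from-vnet"
    priority                   = 100
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "5432"
    source_address_prefix      = "VirtualNetwork"
    destination_address_prefix = "10.230.2.0/24"
  }
}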

# Attaches the NSG to the PostgreSQL subnet. This is a separate API call that
# runs only after `azurerm_subnet.example` exists, so the subnet's own create
# request carries no `networkSecurityGroup.id` — which is exactly the field
# the Deny-Subnet-Without-Nsg policy evaluates (the error below reports
# `Exists` with targetValue `false`). The association therefore cannot
# satisfy that policy no matter how dependencies are ordered.
resource "azurerm_subnet_network_security_group_association" "example" {
  subnet_id                 = azurerm_subnet.example.id
  network_security_group_id = azurerm_network_security_group.example.id
}

# Standalone PostgreSQL subnet (third attempt). It can express delegation and
# service endpoints, but its create call carries no NSG, so it is the resource
# rejected by the Deny-Subnet-Without-Nsg policy in the error below.
#
# NOTE(review): `depends_on` on the NSG only orders creation; it does not put
# the NSG into this subnet's create request and so does not affect the policy
# evaluation. The dependency on the VNet is already implied by the
# `virtual_network_name` reference.
resource "azurerm_subnet" "example" {

  virtual_network_name = azurerm_virtual_network.aksvnet.name
  name                 = "aks-postgres-subnet"
  resource_group_name  = azurerm_resource_group.aks_rg.name
  address_prefixes     = ["10.230.2.0/24"]
  # Service endpoint for Azure Storage from this subnet.
  service_endpoints    = ["Microsoft.Storage"]
  # Delegation to the flexible-server resource provider; the join action lets
  # it place server NICs into this subnet.
  delegation {
    name = "fs"
    service_delegation {
      name = "Microsoft.DBforPostgreSQL/flexibleServers"
      actions = [
        "Microsoft.Network/virtualNetworks/subnets/join/action",
      ]
    }
  }
  depends_on = [azurerm_virtual_network.aksvnet, azurerm_network_security_group.example]
}

我收到如下错误。

er-delete-dev"): network.SubnetsClient#CreateOrUpdate: Failure sending request: StatusCode=403 -- Original Error:

Code="RequestDisallowedByPolicy" Message="资源 'aks-postgres-subnet' 被策略禁止。Policy identifiers: '[{"policyAssignment":{"name":"Deny-Subnet-Without-Nsg","id":"/providers/Microsoft.Management/managementGroups/QSFT-landingzones/providers/Microsoft.Authorization/policyAssignments/Deny-Subnet-Without-Nsg"},"policyDefinition":{"name":"子网应具有网络安全组","id":"/providers/Microsoft.Management/managementGroups/QSFT/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg"}}]'." Target="aks-postgres-subnet" AdditionalInfo=[{"info":{"evaluationDetails":{"evaluatedExpressions":[{"expression":"type","expressionKind":"Field","expressionValue":"Microsoft.Network/virtualNetworks/subnets","operator":"Equals","path":"type","result":"True","targetValue":"Microsoft.Network/virtualNetworks/subnets"},{"expression":"Microsoft.Network/virtualNetworks/subnets/networkSecurityGroup.id","expressionKind":"Field","operator":"Exists","path":"properties.networkSecurityGroup.id","result":"True","targetValue":"false"}]},"policyAssignmentDisplayName":"Deny-Subnet-Without-Nsg","policyAssignmentId":"/providers/Microsoft.Management/managementGroups/QSFT-landingzones/providers/Microsoft.Authorization/policyAssignments/Deny-Subnet-Without-Nsg","policyAssignmentName":"Deny-Subnet-Without-Nsg","policyAssignmentScope":"/providers/Microsoft.Management/managementGroups/QSFT-landingzones","policyDefinitionDisplayName":"子网应该有一个网络安全组","policyDefinitionEffect":"…","policyDefinitionId":"/providers/Microsoft.Management/managementGroups/QSFT/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg","policyDefinitionName":"Deny-Subnet-Without-Nsg"},"type":"PolicyViolation"}]

│   with azurerm_subnet.example,
│   on 11-virtual-network.tf line 37, in resource "azurerm_subnet" "example":
│   37: resource "azurerm_subnet" "example" {

(关键是第二个求值表达式:策略检查子网的 `properties.networkSecurityGroup.id` 是否存在,期望值为 false 时拒绝——也就是说子网的创建请求本身必须带有 NSG。)

答案1

查看 provider 文档:如果在 `azurerm_virtual_network` 资源内通过内联 `subnet` 块创建子网,那么(在你当前使用的 azurerm 版本中)该块只接受 `name`、`address_prefix`、`security_group` 等少数参数,不能指定 `delegation` 或 `service_endpoints`——这正是上面 "Unsupported argument" / "Unsupported block type" 错误的含义。较新的 azurerm 版本可能已扩展内联 subnet 块支持的参数,请对照你锁定的 provider 版本的文档确认。

我建议保留原始的 `azurerm_subnet` + `azurerm_subnet_network_security_group_association` 写法,然后单独解决策略与创建顺序的冲突。根本原因是:`azurerm_subnet` 创建子网和关联 NSG 是两次独立的 API 调用,`Deny-Subnet-Without-Nsg` 策略在第一次(创建子网)请求上求值,此时 `properties.networkSecurityGroup.id` 尚不存在,所以无论 `depends_on` 怎么写都不会改变结果。可行的办法包括:让平台/landing zone 团队为该子网或资源组创建策略豁免(policy exemption),或把该策略在该作用域的效果改为 Audit;或者改用能在单次 API 调用中同时提交 NSG 引用的方式来创建子网(例如通过 azapi provider 直接提交完整的子网属性),这样策略求值时 NSG 已经在请求中。另外请注意,示例里的 NSG 规则允许任意来源到任意端口的入站 TCP,这种规则只是“形式上”满足了策略,实际上把子网暴露给了互联网;请把它收紧到真正需要的端口(如 5432)和来源(如 `VirtualNetwork`)。
