处理自定义策略强制执行子网和 nsg 关联的项目。如果子网没有与之关联的 NSG,则无法预配。
使用 terraform 部署资源 - 资源组、VNET、NSG,在创建子网之前我创建了与子网关联的 NSG 作为 VNET 部署的一部分,部署了应用服务计划、Web 应用,然后尝试进行应用服务虚拟网络 swify 连接,但失败了因为缺少服务委托。
地形脚本
provider "azurerm" {
version = "=2.0.0"
skip_provider_registration = true
features {}
}
resource "azurerm_resource_group" "main" {
name = var.resourceGroupName
location = var.location
}
resource "azurerm_network_security_group" "main" {
name = var.nsgName
location = azurerm_resource_group.main.location
resource_group_name = azurerm_resource_group.main.name
security_rule {
name = "test123"
priority = 100
direction = "Inbound"
access = "Allow"
protocol = "Tcp"
source_port_range = "*"
destination_port_range = "443"
source_address_prefix = "*"
destination_address_prefix = "10.1.0.0/26"
}
tags = {
environment = "NonProduction"
}
}
data "azurerm_network_security_group" "main" {
name = azurerm_network_security_group.main.name
resource_group_name = azurerm_resource_group.main.name
}
resource "azurerm_virtual_network" "main" {
name = var.vNetName
location = azurerm_resource_group.main.location
resource_group_name = azurerm_resource_group.main.name
address_space = ["10.1.0.0/16"]
dns_servers = ["10.1.0.4", "10.1.0.5"]
subnet {
name = var.subNetName
address_prefix = "10.1.0.0/26"
security_group = data.azurerm_network_security_group.main.id
}
tags = {
environment = "NonProduction"
}
}
resource "azurerm_app_service_plan" "main" {
name = var.appServicePlanName
location = azurerm_resource_group.main.location
resource_group_name = azurerm_resource_group.main.name
sku {
tier = "Standard"
size = "S1"
}
}
resource "azurerm_app_service" "main" {
name = var.appServiceName
location = azurerm_resource_group.main.location
resource_group_name = azurerm_resource_group.main.name
app_service_plan_id = azurerm_app_service_plan.main.id
https_only = true
}
data "azurerm_subnet" "main" {
name = var.subNetName
virtual_network_name = var.vNetName
resource_group_name = azurerm_resource_group.main.name
}
resource "azurerm_app_service_virtual_network_swift_connection" "main" {
app_service_id = azurerm_app_service.main.id
subnet_id = data.azurerm_subnet.main.id
}
我唯一不知道的是如何应用服务委托。如果在创建子网之前执行 NSG 的自定义策略不存在,我可以轻松完成此操作
地形脚本
resource "azurerm_resource_group" "test" {
name = "example-resources"
location = "uksouth"
}
resource "azurerm_virtual_network" "test" {
name = "acctestvnet"
address_space = ["10.0.0.0/16"]
location = azurerm_resource_group.test.location
resource_group_name = azurerm_resource_group.test.name
}
resource "azurerm_subnet" "test1" {
name = "acctestsubnet1"
resource_group_name = azurerm_resource_group.test.name
virtual_network_name = azurerm_virtual_network.test.name
address_prefix = "10.0.1.0/24"
delegation {
name = "acctestdelegation"
service_delegation {
name = "Microsoft.Web/serverFarms"
actions = ["Microsoft.Network/virtualNetworks/subnets/action"]
}
}
}
resource "azurerm_app_service_plan" "test" {
name = "acctestasp"
location = azurerm_resource_group.test.location
resource_group_name = azurerm_resource_group.test.name
sku {
tier = "Standard"
size = "S1"
}
}
resource "azurerm_app_service" "test" {
name = "acctestas"
location = azurerm_resource_group.test.location
resource_group_name = azurerm_resource_group.test.name
app_service_plan_id = azurerm_app_service_plan.test.id
}
resource "azurerm_app_service_virtual_network_swift_connection" "test" {
app_service_id = azurerm_app_service.test.id
subnet_id = azurerm_subnet.test1.id
}
如果需要,我可以在 tf config 下面使用来设置 NSG 关联
resource "azurerm_subnet_network_security_group_association" "example" {
subnet_id = azurerm_subnet.example.id
network_security_group_id = azurerm_network_security_group.example.id
}
但这种方法的问题是关联将在子网部署后发生,但由于自定义策略到位,tf apply 失败并出现策略违规错误
有什么方法可以在创建子网之前关联 NSG 并应用服务委托?
