堆栈内存溢出
  简体   繁体   English

Azure 私有端点和 Terraform

[英]Azure private endpoints and Terraform

 原文  2020-03-18 08:44:21       azure/ terraform

问题描述

I'm trying to create a storage account with a private endpoint in an Azure subnet.我正在尝试在 Azure 子网中创建具有专用终结点的存储帐户。

I ran into an issue like this after terraform apply :terraform apply之后我遇到了这样的问题:

Error creating Private Endpoint "dev-pe" (Resource Group "privateendpoint-rg"): network.PrivateEndpointsClient#CreateOrUpdate: Failure sending request: StatusCode=400 -- Original Error: Code="PrivateEndpointCannotBeCreatedInSubnetThatHasNetworkPoliciesEnabled" Message="Private endpoint /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privateendpoint-rg/providers/Microsoft.Network/privateEndpoints/dev-pe cannot be created in a subnet /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privateendpoint-rg/providers/Microsoft.Network/virtualNetworks/dev-vnet/subnets/dev-storage-subnet since it has private endpoint network policies enabled."创建专用端点“dev-pe”(资源组“privateendpoint-rg”)时出错:network.PrivateEndpointsClient#CreateOrUpdate:发送请求失败:StatusCode=400 -- 原始错误:Code="PrivateEndpointCannotBeCreatedInSubnetThatHasNetworkPoliciesEnabled" Message="Private Endpoints/subscriptions/ 00000000-0000-0000-0000-0000000000000/resourceGroups/privateendpoint-rg/providers/Microsoft.Network/privateEndpoints/dev-pe 无法在子网中创建 /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privateendpoint- rg/providers/Microsoft.Network/virtualNetworks/dev-vnet/subnets/dev-storage-subnet,因为它启用了专用端点网络策略。” Details=[]详细信息=[]

As you can see below, I've set enforce_private_link_endpoint_network_policies = false and played around with azurem_private_link_service too.正如您在下面看到的,我设置了enforce_private_link_endpoint_network_policies = false并且也使用了azurem_private_link_service

Here's my code:这是我的代码:

resource "azurerm_resource_group" "example" {
  name     = "privateendpoint-rg"
  location = var.location
  tags     = local.common_tags
}

resource "azurerm_virtual_network" "example" {
  name                = "${var.environment}-vnet"
  address_space       = ["10.0.0.0/16"]
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  tags                = local.common_tags
}

resource "azurerm_subnet" "storage" {
  name                                           = "${var.environment}-storage-subnet"
  resource_group_name                            = azurerm_resource_group.example.name
  virtual_network_name                           = azurerm_virtual_network.example.name
  address_prefix                                 = "10.0.1.0/24"
  enforce_private_link_endpoint_network_policies = false
  // enforce_private_link_service_network_policies = false
  // service_endpoints                              = ["Microsoft.Storage"]
}  

resource "random_integer" "sa_num" {
  min = 10000
  max = 99999
}

resource "azurerm_storage_account" "example" {
  name                     = "${var.adoit_number}${lower(var.environment)}${random_integer.sa_num.result}"
  resource_group_name       = azurerm_resource_group.example.name
  location                  = azurerm_resource_group.example.location
  account_tier              = "Standard"
  account_replication_type  = "LRS"
  enable_https_traffic_only = true
  tags                      = local.common_tags
}

resource "azurerm_storage_container" "example" {
  name                  = "acctestcont"
  storage_account_name  = azurerm_storage_account.example.name
  container_access_type = "private"
}

resource "azurerm_private_endpoint" "example" {
  name                = "${var.environment}-pe"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  subnet_id           = azurerm_subnet.storage.id

  private_service_connection {
    name                           = "${var.environment}-psc"
    is_manual_connection           = false
    private_connection_resource_id = azurerm_storage_account.example.id
    subresource_names              = ["blob"]
  }

}

If I change enforce_private_link_endpoint_network_policies = true I receive the following error:如果我更改enforce_private_link_endpoint_network_policies = true我收到以下错误:

Error creating Private Endpoint "dev-pe" (Resource Group "privateendpoint-rg"): network.PrivateEndpointsClient#CreateOrUpdate: Failure sending request: StatusCode=400 -- Original Error: Code="OperationNotAllowedOnKind" Message="The operation is not allowed on account kind Storage" Details=[]创建专用端点“dev-pe”(资源组“privateendpoint-rg”)时出错:network.PrivateEndpointsClient#CreateOrUpdate:发送请求失败:StatusCode=400 -- 原始错误:Code="OperationNotAllowedOnKind" Message="不允许操作帐户类型存储“详细信息= []

2 个解决方案

解决方案1
 5 已采纳  2020-03-18 12:26:21

OK, found it.好的,找到了。 If you want to connect a storage account to a private endpoint, the storage account has to of kind StorageV2 which looks in the Terraform code as follows:如果要将存储帐户连接到私有端点,则存储帐户必须是StorageV2类型,它在 Terraform 代码中如下所示:

resource "azurerm_storage_account" "example" {
  name                     = "${var.adoit_number}${lower(var.environment)}${random_integer.sa_num.result}"
  resource_group_name       = azurerm_resource_group.example.name
  location                  = azurerm_resource_group.example.location
  account_kind              = "StorageV2"
  account_tier              = "Standard"
  account_replication_type  = "LRS"
  enable_https_traffic_only = true
  tags                      = local.common_tags
}

解决方案2
 0  2022-08-10 08:10:23

You have set enforce_private_link_endpoint_network_policies = false which enables the policy.您已设置 enforce_private_link_endpoint_network_policies = false 启用该策略。 This is why you are getting this error.这就是您收到此错误的原因。

Setting enforce_private_link_endpoint_network_policies to true will Disable the policy, and setting it to false will Enable the policy.将 enforce_private_link_endpoint_network_policies 设置为true禁用该策略,将其设置为false启用该策略。 See https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet请参阅https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 使用 Terraform 为 Azure 数据工厂配置托管专用端点? - Provisioning Azure Data Factory with Managed private endpoints using Terraform? Azure 私有端点 - Azure Private Endpoints Azure 服务端点和私有端点 - Azure Service Endpoints together with Private Endpoints 如何在 Terraform 中为 2 个存储帐户创建专用端点 - How to create Private Endpoints for 2 storage accounts in Terraform 跨 Azure 订阅使用私有端点 - Using private endpoints across Azure Subscription 是否有必要为 Azure 中的 PaaS 服务的私有端点创建私有 DNS 区域? - Is it necessary to create a private DNS zone for private endpoints to PaaS services in Azure? 在使用 terraform 的 azure 部署中找不到私钥 - private key not found in azure deployment using terraform 如何使用专用端点在 terraform azure 中为 redis 实施? - How to implement in terraform azure for redis with private endpoint? Terraform私有Azure负载均衡器问题 - Terraform private azure load balancer issue azure 上的 terraform - 创建具有私有连接的密钥库 - terraform on azure - create keyvault with private connection
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM