Azure private endpoints and Terraform
I'm trying to create a storage account with a private endpoint in an Azure subnet.
I ran into an issue like this after terraform apply:
Error creating Private Endpoint "dev-pe" (Resource Group "privateendpoint-rg"): network.PrivateEndpointsClient#CreateOrUpdate: Failure sending request: StatusCode=400 -- Original Error: Code="PrivateEndpointCannotBeCreatedInSubnetThatHasNetworkPoliciesEnabled" Message="Private endpoint /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privateendpoint-rg/providers/Microsoft.Network/privateEndpoints/dev-pe cannot be created in a subnet /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privateendpoint-rg/providers/Microsoft.Network/virtualNetworks/dev-vnet/subnets/dev-storage-subnet since it has private endpoint network policies enabled." Details=[]
As you can see below, I've set enforce_private_link_endpoint_network_policies = false and played around with azurerm_private_link_service too.
Here's my code:
# var.location, var.environment, var.adoit_number and local.common_tags are
# defined elsewhere in the poster's configuration and are not shown here.

resource "azurerm_resource_group" "example" {
  name     = "privateendpoint-rg"
  location = var.location
  tags     = local.common_tags
}

resource "azurerm_virtual_network" "example" {
  name                = "${var.environment}-vnet"
  address_space       = ["10.0.0.0/16"]
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  tags                = local.common_tags
}

# Subnet that will host the private endpoint. Per the azurerm docs, false here
# leaves the subnet's private endpoint network policies enabled.
resource "azurerm_subnet" "storage" {
  name                 = "${var.environment}-storage-subnet"
  resource_group_name  = azurerm_resource_group.example.name
  virtual_network_name = azurerm_virtual_network.example.name
  address_prefix       = "10.0.1.0/24"
  enforce_private_link_endpoint_network_policies = false
  // enforce_private_link_service_network_policies = false
  // service_endpoints = ["Microsoft.Storage"]
}

# Random suffix so the globally unique storage account name does not collide.
resource "random_integer" "sa_num" {
  min = 10000
  max = 99999
}

# Note: no account_kind is set on this account (see the poster's own answer).
resource "azurerm_storage_account" "example" {
  name                      = "${var.adoit_number}${lower(var.environment)}${random_integer.sa_num.result}"
  resource_group_name       = azurerm_resource_group.example.name
  location                  = azurerm_resource_group.example.location
  account_tier              = "Standard"
  account_replication_type  = "LRS"
  enable_https_traffic_only = true
  tags                      = local.common_tags
}

resource "azurerm_storage_container" "example" {
  name                  = "acctestcont"
  storage_account_name  = azurerm_storage_account.example.name
  container_access_type = "private"
}

# Private endpoint for the blob sub-resource of the account, placed in the
# storage subnet above.
resource "azurerm_private_endpoint" "example" {
  name                = "${var.environment}-pe"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  subnet_id           = azurerm_subnet.storage.id

  private_service_connection {
    name                           = "${var.environment}-psc"
    is_manual_connection           = false
    private_connection_resource_id = azurerm_storage_account.example.id
    subresource_names              = ["blob"]
  }
}
If I change enforce_private_link_endpoint_network_policies = true I receive the following error:
Error creating Private Endpoint "dev-pe" (Resource Group "privateendpoint-rg"): network.PrivateEndpointsClient#CreateOrUpdate: Failure sending request: StatusCode=400 -- Original Error: Code="OperationNotAllowedOnKind" Message="The operation is not allowed on account kind Storage" Details=[]
OK, found it. If you want to connect a storage account to a private endpoint, the storage account has to be of kind StorageV2, which looks in the Terraform code as follows:
resource "azurerm_storage_account" "example" {
  name                      = "${var.adoit_number}${lower(var.environment)}${random_integer.sa_num.result}"
  resource_group_name       = azurerm_resource_group.example.name
  location                  = azurerm_resource_group.example.location
  account_kind              = "StorageV2" # required for private endpoints; kind "Storage" is rejected
  account_tier              = "Standard"
  account_replication_type  = "LRS"
  enable_https_traffic_only = true
  tags                      = local.common_tags
}
You have set enforce_private_link_endpoint_network_policies = false, which enables the policy. This is why you are getting this error.
Setting enforce_private_link_endpoint_network_policies to true will disable the policy, and setting it to false will enable the policy. See https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet
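As an added example, not code from the question or from either answer, here is the configuration with both fixes from the answers applied (the subnet flag set to true, and account_kind = "StorageV2"), plus two additions a practitioner would want once the endpoint creates successfully: denying public network access on the account so the private endpoint is the only path in, and a private DNS zone so that the account's blob FQDN resolves to the endpoint's private IP inside the VNet. It assumes an azurerm 2.x/3.x provider that still accepts enforce_private_link_endpoint_network_policies (later major versions renamed it), and that var.location, var.environment, var.adoit_number and local.common_tags are defined as in the question. The network_rules block, min_tls_version, the private DNS zone, its VNet link and the private_dns_zone_group are my additions and are not discussed on the page.

```terraform
# Added example, not code from the question or the answers (see lead-in).
# Assumes azurerm 2.x/3.x; var.* and local.common_tags as in the question.

resource "azurerm_resource_group" "example" {
  name     = "privateendpoint-rg"
  location = var.location
  tags     = local.common_tags
}

resource "azurerm_virtual_network" "example" {
  name                = "${var.environment}-vnet"
  address_space       = ["10.0.0.0/16"]
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  tags                = local.common_tags
}

resource "azurerm_subnet" "storage" {
  name                 = "${var.environment}-storage-subnet"
  resource_group_name  = azurerm_resource_group.example.name
  virtual_network_name = azurerm_virtual_network.example.name
  address_prefixes     = ["10.0.1.0/24"]
  # Fix 1 (second answer): true DISABLES private endpoint network policies
  # (ARM: privateEndpointNetworkPolicies = "Disabled"), which the first error needs.
  enforce_private_link_endpoint_network_policies = true
}

resource "random_integer" "sa_num" {
  min = 10000
  max = 99999
}

resource "azurerm_storage_account" "example" {
  name                      = "${var.adoit_number}${lower(var.environment)}${random_integer.sa_num.result}"
  resource_group_name       = azurerm_resource_group.example.name
  location                  = azurerm_resource_group.example.location
  account_kind              = "StorageV2" # Fix 2 (first answer): kind "Storage" cannot take a private endpoint
  account_tier              = "Standard"
  account_replication_type  = "LRS"
  enable_https_traffic_only = true
  min_tls_version           = "TLS1_2"
  tags                      = local.common_tags

  # Without this the private endpoint is only an extra path and the public
  # endpoint stays open to the internet. Deny by default so only the private
  # endpoint and trusted Azure services can reach the account.
  network_rules {
    default_action = "Deny"
    bypass         = ["AzureServices"]
  }
}

# Private DNS so <account>.blob.core.windows.net resolves to the endpoint's
# private IP inside the VNet rather than to the public endpoint.
resource "azurerm_private_dns_zone" "blob" {
  name                = "privatelink.blob.core.windows.net"
  resource_group_name = azurerm_resource_group.example.name
}

resource "azurerm_private_dns_zone_virtual_network_link" "blob" {
  name                  = "${var.environment}-blob-dns-link"
  resource_group_name   = azurerm_resource_group.example.name
  private_dns_zone_name = azurerm_private_dns_zone.blob.name
  virtual_network_id    = azurerm_virtual_network.example.id
}

resource "azurerm_private_endpoint" "example" {
  name                = "${var.environment}-pe"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  subnet_id           = azurerm_subnet.storage.id

  private_service_connection {
    name                           = "${var.environment}-psc"
    is_manual_connection           = false
    private_connection_resource_id = azurerm_storage_account.example.id
    subresource_names              = ["blob"]
  }

  # Registers the endpoint's A record in the zone above.
  private_dns_zone_group {
    name                 = "${var.environment}-blob-dns"
    private_dns_zone_ids = [azurerm_private_dns_zone.blob.id]
  }
}
```

After apply, the double negative in the Terraform flag can be checked against what Azure actually stored: az network vnet subnet show -g privateendpoint-rg --vnet-name dev-vnet -n dev-storage-subnet --query privateEndpointNetworkPolicies -o tsv should print Disabled. Two caveats: once network_rules.default_action is Deny, data-plane resources such as the azurerm_storage_container from the question must be created from somewhere that can still reach the account (a runner inside the VNet, or its public IP listed in network_rules.ip_rules), and the private DNS zone only affects clients that use the VNet's DNS; on-premises resolvers need conditional forwarding for privatelink.blob.core.windows.net.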