Azure Firewall: Most common Azure Firewall Policy Rule Collection Rules
Terraform azurerm_firewall_policy_rule_collection_group not creating nat_rule collection
I defined a nat_rule_collection at the bottom of this resource. Everything except the nat_rule_collection gets created. Is there anything wrong here that could cause this? I have edited the real destination address, but the real address does match the public load balancer IP.
I know the group name indicates egress, but I was just trying it there; I believe that is only a label.
  resource "azurerm_firewall_policy_rule_collection_group" "policy" {
    name               = "AksEgressPolicyRuleCollectionGroup"
    firewall_policy_id = azurerm_firewall_policy.policy.id
    priority           = 500

    application_rule_collection {
      name     = "ApplicationRules"
      priority = 500
      action   = "Allow"

      rule {
        name             = "AllowMicrosoftFqdns"
        source_addresses = ["*"]
        destination_fqdns = [
          "*.cdn.mscr.io",
          "mcr.microsoft.com",
          "*.data.mcr.microsoft.com",
          "management.azure.com",
          "login.microsoftonline.com",
          "acs-mirror.azureedge.net",
          "dc.services.visualstudio.com",
          "*.opinsights.azure.com",
          "*.oms.opinsights.azure.com",
          "*.microsoftonline.com",
          "*.monitoring.azure.com",
        ]
        protocols {
          port = "80"
          type = "Http"
        }
        protocols {
          port = "443"
          type = "Https"
        }
      }

      rule {
        name             = "AllowFqdnsForOsUpdates"
        source_addresses = ["*"]
        destination_fqdns = [
          "download.opensuse.org",
          "security.ubuntu.com",
          "ntp.ubuntu.com",
          "packages.microsoft.com",
          "snapcraft.io"
        ]
        protocols {
          port = "80"
          type = "Http"
        }
        protocols {
          port = "443"
          type = "Https"
        }
      }

      rule {
        name             = "AllowImagesFqdns"
        source_addresses = ["*"]
        destination_fqdns = [
          "auth.docker.io",
          "registry-1.docker.io",
          "production.cloudflare.docker.com"
        ]
        protocols {
          port = "80"
          type = "Http"
        }
        protocols {
          port = "443"
          type = "Https"
        }
      }

      rule {
        name             = "AllowBing"
        source_addresses = ["*"]
        destination_fqdns = [
          "*.bing.com"
        ]
        protocols {
          port = "80"
          type = "Http"
        }
        protocols {
          port = "443"
          type = "Https"
        }
      }

      rule {
        name             = "AllowGoogle"
        source_addresses = ["*"]
        destination_fqdns = [
          "*.google.com"
        ]
        protocols {
          port = "80"
          type = "Http"
        }
        protocols {
          port = "443"
          type = "Https"
        }
      }

      rule {
        name             = "AllowPublicPOrt80"
        source_addresses = ["*"]
        # destination_fqdns = [
        #   "*.google.com"
        # ]
        protocols {
          port = "80"
          type = "Http"
        }
        protocols {
          port = "443"
          type = "Https"
        }
      }
    }

    network_rule_collection {
      name     = "NetworkRules"
      priority = 400
      action   = "Allow"

      rule {
        name                  = "Time"
        source_addresses      = ["*"]
        destination_ports     = ["123"]
        destination_addresses = ["*"]
        protocols             = ["UDP"]
      }

      rule {
        name                  = "DNS"
        source_addresses      = ["*"]
        destination_ports     = ["53"]
        destination_addresses = ["*"]
        protocols             = ["UDP"]
      }

      rule {
        name              = "ServiceTags"
        source_addresses  = ["*"]
        destination_ports = ["*"]
        destination_addresses = [
          "AzureContainerRegistry",
          "MicrosoftContainerRegistry",
          "AzureActiveDirectory"
        ]
        protocols = ["Any"]
      }

      rule {
        name                  = "Internet"
        source_addresses      = ["*"]
        destination_ports     = ["*"]
        destination_addresses = ["*"]
        protocols             = ["TCP"]
      }
    }

    nat_rule_collection {
      name     = "nat_rule_collection1"
      priority = 100
      action   = "Dnat"

      rule {
        name                = "fw-public-web-port-80"
        protocols           = ["TCP"]
        source_addresses    = ["*"]
        destination_address = "123.123.123.123"
        destination_ports   = ["80"]
        translated_address  = "10.9.0.1"
        translated_port     = "80"
      }
    }

    # All three collection types are excluded from update planning.
    lifecycle {
      ignore_changes = [
        application_rule_collection,
        network_rule_collection,
        nat_rule_collection
      ]
    }
  }
ignore_changes (list of attribute names) - By default, Terraform detects any difference in the current settings of a real infrastructure object and plans to update the remote object to match the configuration.
The ignore_changes feature is intended to be used when a resource is created with references to data that may change in the future, but that should not affect said resource after it has been created. So you are applying the NAT rule code after the other two rule collections have already been created. The ignore_changes meta-argument specifies resource attributes that Terraform should ignore when planning updates to the associated remote object, so this may be preventing you from creating the NAT rule.
  lifecycle {
    ignore_changes = []
  }
For more information, you can refer to the Terraform documentation.
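Because ignore_changes silences exactly the drift that would reveal the missing DNAT collection, a separate check against the deployed state is worth having. The following is an added example, not code from the question or the answer: it compares the collections and rules a configuration declares against the JSON from `terraform show -json` (the sample state below is constructed to mirror the question's resource) and reports what is absent.

```python
import json

RCG_TYPE = "azurerm_firewall_policy_rule_collection_group"

def iter_rule_collection_groups(state):
    """Walk root and child modules of `terraform show -json` output, yielding rule collection groups."""
    stack = [state.get("values", {}).get("root_module", {})]
    while stack:
        module = stack.pop()
        for res in module.get("resources", []):
            if res.get("type") == RCG_TYPE:
                yield res
        stack.extend(module.get("child_modules", []))

def missing_from_state(desired, state):
    """desired: {address: {collection_type: {collection_name: [rule names]}}}.
    Returns the part of desired that is absent from state; a missing collection lists all its rules."""
    in_state = {r["address"]: r.get("values", {}) for r in iter_rule_collection_groups(state)}
    report = {}
    for address, collections in desired.items():
        values = in_state.get(address, {})
        for ctype, wanted in collections.items():
            # Nested blocks are lists of objects under "values" in the JSON representation.
            have = {c.get("name"): {r.get("name") for r in c.get("rule", [])}
                    for c in values.get(ctype, [])}
            for cname, rules in wanted.items():
                missing = sorted(set(rules) - have[cname]) if cname in have else list(rules)
                if cname not in have or missing:
                    report.setdefault(address, {}).setdefault(ctype, {})[cname] = missing
    return report

# Constructed sample: the state after the apply in the question, where ignore_changes kept
# the existing application and network collections but the DNAT collection never appeared.
SAMPLE_STATE = json.loads("""{"format_version": "1.0", "values": {"root_module": {"resources": [{
  "address": "azurerm_firewall_policy_rule_collection_group.policy",
  "type": "azurerm_firewall_policy_rule_collection_group",
  "values": {
    "name": "AksEgressPolicyRuleCollectionGroup",
    "application_rule_collection": [{"name": "ApplicationRules",
      "rule": [{"name": "AllowMicrosoftFqdns"}, {"name": "AllowFqdnsForOsUpdates"}]}],
    "network_rule_collection": [{"name": "NetworkRules",
      "rule": [{"name": "Time"}, {"name": "DNS"}, {"name": "ServiceTags"}, {"name": "Internet"}]}],
    "nat_rule_collection": []}}]}}}""")

# What the configuration in the question declares (collection names and their rule names).
DESIRED = {"azurerm_firewall_policy_rule_collection_group.policy": {
    "application_rule_collection": {"ApplicationRules": ["AllowMicrosoftFqdns", "AllowFqdnsForOsUpdates"]},
    "network_rule_collection": {"NetworkRules": ["Time", "DNS", "ServiceTags", "Internet"]},
    "nat_rule_collection": {"nat_rule_collection1": ["fw-public-web-port-80"]}}}
```

Run `missing_from_state(DESIRED, json.load(open("state.json")))` against real `terraform show -json` output; an empty result means every declared collection and rule is present in state.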