
应用程序网关和 API 管理的 InternalServerError - Azure/Terraform

[英]InternalServerError for Application Gateway and API Management - Azure/Terraform

我正在尝试通过 Terraform 在 Azure 中部署基础设施,该基础设施由应用程序网关(WAF_v2 层)和后端的 API 管理组成。

运行将近 20 分钟后出现的错误如下:“错误:等待应用程序网关的创建:(名称“myAppGateway”/资源组“csj-hub-euw-chb-rg”):Code="InternalServerError" Message="An error occurred." Details=[]”(有关更多详细信息,请参见下图)


以下是包含应用程序网关的文件:

# Dedicated subnet for the Application Gateway, carved out of the VNet managed
# by module.vnet (the text above says its address space is 10.22.0.0/21, and
# 10.22.1.0/24 sits inside it).
# NOTE(review): the subnet module below also accepts service_delegation /
# delegation_actions; nothing is passed here, so this subnet is left
# undelegated — keep it that way, the gateway subnet should hold nothing but
# the gateway. Confirm no other resource is placed in this /24.
# NOTE(review): the module path is ../modules/resources-blocks/subnet while the
# other modules live under ../modules/resources/ — verify this is intentional.
module "agw_subnet" {
  source = "../modules/resources-blocks/subnet"

  subnet_name             = "agw_subnet"
  resource_group_name     = module.resource_group.name
  vnet_name               = module.vnet.name
  subnet_address_prefixes = ["10.22.1.0/24"]
}

# WAF policy that the gateway's "devListener" below attaches per listener
# (azurerm_web_application_firewall_policy.exampleWAF.id).
#
# NOTE(review): the custom rule is the provider's documentation example.
# With operator = "IPMatch", negation_condition = true and action = "Block"
# it blocks every request whose source address is NOT in match_values, i.e.
# it is a client allowlist, and "x.x.x.x" is a placeholder. Replace it with
# the real permitted ranges (or remove the rule) before applying, otherwise
# all traffic on the listener is rejected.
resource "azurerm_web_application_firewall_policy" "exampleWAF" {
  name                = "example_wafpolicy_name"
  resource_group_name = module.resource_group.name
  location            = module.resource_group.location

  custom_rules {
    name      = "Rule1"
    priority  = 1
    rule_type = "MatchRule"

    match_conditions {
      match_variables {
        variable_name = "RemoteAddr"
      }

      # negation_condition = true inverts the match: the rule fires for
      # addresses that do NOT match.
      operator           = "IPMatch"
      negation_condition = true
      match_values       = ["x.x.x.x"]
    }

    action = "Block"
  }

  # "Prevention" mode blocks matching requests rather than only logging them.
  # Body inspection is on; uploads above 100 MB / bodies above 128 KB are
  # rejected by the WAF before reaching APIM.
  policy_settings {
    enabled                     = true
    mode                        = "Prevention"
    request_body_check          = true
    file_upload_limit_in_mb     = 100
    max_request_body_size_in_kb = 128
  }

  # OWASP CRS 3.2. NOTE(review): the gateway's dynamic waf_configuration block
  # defaults rule_set_version to "3.1" — if both are applied, the two WAF
  # definitions disagree on the rule set version.
  managed_rules {
    managed_rule_set {
      type    = "OWASP"
      version = "3.2"
    }
  }
}

# WAF_v2 Application Gateway fronting an existing API Management instance.
# The backend IP (10.22.40.19) is outside the 10.22.0.0/21 VNet named in the
# text, which matches the statement that APIM lives in a separate, peered VNet.
#
# NOTE(review): the listener attaches azurerm_web_application_firewall_policy.
# exampleWAF, while the gateway-level firewall_policy_id (near the bottom) is
# taken from var.firewall_policy_id and becomes null when that variable is "".
# A WAF_v2 gateway with no gateway-level policy and no waf_configuration (when
# var.waf_configuration is empty) is a combination Azure is expected to reject;
# it is worth confirming that one of the two is always set, e.g. by falling
# back to the exampleWAF policy id at the gateway level.
resource "azurerm_application_gateway" "app_gw" {
  name                = "myAppGateway"
  resource_group_name = module.resource_group.name
  location            = module.resource_group.location

  # Fixed capacity of 2 instances; no autoscale_configuration block is used.
  sku {
    name     = "WAF_v2"
    tier     = "WAF_v2"
    capacity = 2
  }

  gateway_ip_configuration {
    name      = "my-gateway-ip-configuration"
    subnet_id = module.agw_subnet.id
  }

  # Plain HTTP front end. NOTE(review): there is no HTTPS listener or
  # ssl_certificate anywhere in this resource, so client traffic reaches the
  # WAF in cleartext and leaves for APIM in cleartext (backend protocol below
  # is also "Http"). Acceptable for a dev listener, but it should not be the
  # production configuration.
  frontend_port {
    name = var.frontend_port_name
    port = 80
  }

  # Public frontend; module.app_gw_pip is defined elsewhere in the project.
  frontend_ip_configuration {
    name                 = var.frontend_ip_configuration_name
    public_ip_address_id = module.app_gw_pip.id
  }

  # APIM private IP in the peered VNet (see text above).
  backend_address_pool {
    name = "devBackend"
    ip_addresses = ["10.22.40.19"] 
  }

  # host_name "xxxx.be" is a placeholder; the probe below reuses it via
  # pick_host_name_from_backend_http_settings.
  backend_http_settings {
    name                  = "devHttpSetting"
    cookie_based_affinity = "Disabled"
    port                  = 80
    protocol              = "Http"
    request_timeout       = 20
    host_name             = "xxxx.be"
    probe_name            = "apim-probe"
  }

  # Health probe against the backend; /status-0123456789abcdef is presumably
  # APIM's built-in status endpoint — confirm it answers on plain HTTP with a
  # 2xx/3xx for the "xxxx.be" host header, otherwise the pool is marked
  # unhealthy after 3 failures.
  probe {
    interval                                  = 30
    name                                      = "apim-probe"
    path                                      = "/status-0123456789abcdef"
    protocol                                  = "Http"
    timeout                                   = 30
    unhealthy_threshold                       = 3
    pick_host_name_from_backend_http_settings = true
    match {
      body = ""
      status_code = [
        "200-399"
      ]
    }
  }

  # Listener-level WAF policy association (see the NOTE at the top).
  http_listener {
    name                           = "devListener"
    frontend_ip_configuration_name = var.frontend_ip_configuration_name
    frontend_port_name             = var.frontend_port_name
    protocol                       = "Http"
    host_name                      = "xxxx.be"
    firewall_policy_id             =  azurerm_web_application_firewall_policy.exampleWAF.id
  }

  request_routing_rule {
    name                       = "devRule"
    rule_type                  = "Basic"
    priority                   = 25
    http_listener_name         = "devListener"
    backend_address_pool_name  = "devBackend"
    backend_http_settings_name = "devHttpSetting"
  }


  # Gateway-level policy: null when var.firewall_policy_id is "" — see NOTE
  # at the top.
  firewall_policy_id = var.firewall_policy_id ==""?null : var.firewall_policy_id

  # Legacy inline WAF configuration, emitted once per element of
  # var.waf_configuration (none when the variable is empty). Defaults here
  # (rule set 3.1, 30 MB upload limit) differ from the exampleWAF policy
  # (3.2, 100 MB). NOTE(review): confirm whether the provider/Azure accepts
  # both waf_configuration and firewall_policy_id on the same gateway in
  # your provider version; keeping a single source of WAF settings is safer.
  dynamic "waf_configuration"  {
    for_each =  var.waf_configuration
      content{
            enabled                  = lookup(waf_configuration.value,"enabled",true)
            file_upload_limit_mb     = lookup(waf_configuration.value,"file_upload_limit_mb",30)
            firewall_mode            = lookup(waf_configuration.value,"firewall_mode","Prevention")
            max_request_body_size_kb = lookup(waf_configuration.value,"max_request_body_size_kb",128)
            request_body_check       = lookup(waf_configuration.value,"request_body_check",true)
            rule_set_type            = lookup(waf_configuration.value,"rule_set_type","OWASP")
            rule_set_version         = lookup(waf_configuration.value,"rule_set_version", "3.1")
      }
  }
}

资源组已经存在,因为我正在部署的基础架构 (App-GTW + APIM) 将是该资源组中包含的已创建基础架构的补充:

# Resource group module. NOTE(review): the text says this resource group
# already exists, but the module wraps a `resource "azurerm_resource_group"`
# (shown right below), which *creates* and manages the group. Unless it has
# been imported into state, applying this will try to create an existing
# group. The answer's repro reads the existing group with a
# `data "azurerm_resource_group"` instead — that is the usual way to attach
# new resources to a pre-existing group.
module "resource_group" {
  source = "../modules/resources/resource_group"

  resource_group_location = var.LOCATION
  resource_group_name     = local.resource_group_name
}
# Inner resource of the resource_group module: creates (and owns) the group.
resource "azurerm_resource_group" "rg" {
  name     = var.resource_group_name
  location = var.resource_group_location
}

托管 App-GTW 子网的虚拟网络也已经创建(请注意,VNET_ADDRESS_SPACE 是 10.22.0.0/21):

# VNet module. Same caveat as the resource_group module: the text says the
# VNet already exists, yet the module's inner `resource "azurerm_virtual_network"`
# (below) creates one — make sure it is in state (imported) rather than
# being re-created. Diagnostic settings are wired to the Log Analytics
# workspace, which is good for auditing flow/peering changes.
module "vnet" {
  source = "../modules/resources/vnet"

  vnet_name               = local.vnet_name
  resource_group_name     = module.resource_group.name
  resource_group_location = module.resource_group.location
  vnet_address_space      = [var.VNET_ADDRESS_SPACE]

  log_analytics_workspace_id = module.log_analytics_workspace.id
  enable_diagnostic_setting  = true
}
# Inner resource of the vnet module: creates (and owns) the virtual network.
resource "azurerm_virtual_network" "vnet" {
  name                = var.vnet_name
  location            = var.resource_group_location
  resource_group_name = var.resource_group_name
  address_space       = var.vnet_address_space
}
# Generic subnet resource used by module.agw_subnet. Optional service
# endpoints and a single service delegation are driven by variables.
# NOTE(review): enforce_private_link_endpoint_network_policies is a legacy
# argument name; newer azurerm provider releases deprecate it in favour of
# private_endpoint_network_policies_enabled — check your provider version.
resource "azurerm_subnet" "subnet" {
  name                                           = var.subnet_name
  resource_group_name                            = var.resource_group_name
  virtual_network_name                           = var.vnet_name
  address_prefixes                               = var.subnet_address_prefixes
  service_endpoints                              = var.service_endpoints
  enforce_private_link_endpoint_network_policies = var.enforce_private_link_endpoint_network_policies

  # Delegation is emitted only when var.service_delegation is set; for the
  # Application Gateway subnet it must stay unset.
  dynamic "delegation" {
    for_each = var.service_delegation == null ? [] : [1]
    content {
      name = "${var.subnet_name}-delegation"
      service_delegation {
        name    = var.service_delegation
        actions = var.delegation_actions
      }
    }
  }
}

因此,回顾一下,我正在尝试部署一个以 APIM 作为后端的 App-GTW。承载 App-GTW 的 VNet 已经存在,包含 App-GTW 的资源组已经存在,APIM 也已经存在。

另请注意,相对于 App-GTW,APIM 位于不同的 VNet 中;换句话说,App-GTW 在 VNet-A(示例名称)中,而 APIM 在 VNet-B 中,两个 VNet 通过虚拟网络对等互连连接在一起。

我花了很多时间阅读文档试图找出解决方案,但我仍然有这个错误,所以我会请求你的帮助。

谢谢!

显然,如果我在部署 App-GTW 时创建一个新的资源组和新的 VNet,而不是使用已经存在的资源组和 VNet,就不会收到此错误。

但问题是我必须使用已经存在的资源组和 VNet。

我试图在我的环境中重现相同的内容:

# Answerer's repro of the WAF policy. Differences from the question: the
# existing resource group is read through data.azurerm_resource_group rather
# than a module that creates it, and the policy is named "example" (the
# gateway below must reference ...example.id, not ...exampleWAF.id).
# "...." marks parts the answerer elided.
resource "azurerm_web_application_firewall_policy" "example" {
  name                = "example_wafpolicy_name"
  location            = data.azurerm_resource_group.example.location
  resource_group_name = data.azurerm_resource_group.example.name

  # Same allowlist-style rule as in the question: blocks every source address
  # that is NOT "x.x.x.x" (placeholder) — replace before applying.
  custom_rules {
    name      = "Rule1"
    priority  = 1
    rule_type = "MatchRule"

    match_conditions {
      match_variables {
        variable_name = "RemoteAddr"
      }

      operator           = "IPMatch"
      negation_condition = true
      match_values       = ["x.x.x.x"]
    }

    action = "Block"
  }

  policy_settings {
    ....
  }

  managed_rules {
    managed_rule_set {
      .....
    }
  }
}

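# Answerer's repro of the gateway. The existing resource group is read via a
# data source. Fix versus the posted snippet: the listener referenced
# azurerm_web_application_firewall_policy.exampleWAF.id, but the policy
# declared in this repro is named "example"; the reference now points at it.
# The trailing "............" marks the part of the resource the answerer
# elided (at least firewall_policy_id / waf_configuration and the closing brace).
resource "azurerm_application_gateway" "app_gateway" {
  name                = "myAppGateway"
  location            = data.azurerm_resource_group.example.location
  resource_group_name = data.azurerm_resource_group.example.name

  # Fixed capacity; no autoscale_configuration.
  sku {
    name     = "WAF_v2"
    tier     = "WAF_v2"
    capacity = 2
  }

  gateway_ip_configuration {
    name      = "my-gateway-ip-configuration"
    subnet_id = module.agw_subnet.id
  }

  # Plain HTTP listener and backend — cleartext end to end; fine for a repro,
  # not for production.
  frontend_port {
    name = var.frontend_port_name
    port = 80
  }

  frontend_ip_configuration {
    name                 = var.frontend_ip_configuration_name
    public_ip_address_id = module.app_gw_pip.id
  }

  # Private IP of the APIM backend.
  backend_address_pool {
    name = "devBackend"
    ip_addresses = ["10.22.40.19"]
  }

  # "xxxx.be" is a placeholder host; the probe reuses it.
  backend_http_settings {
    name                  = "devHttpSetting"
    cookie_based_affinity = "Disabled"
    port                  = 80
    protocol              = "Http"
    request_timeout       = 20
    host_name             = "xxxx.be"
    probe_name            = "apim-probe"
  }

  # Health probe; /status-0123456789abcdef is presumably the APIM status
  # endpoint — confirm it returns 2xx/3xx over plain HTTP.
  probe {
    interval                                  = 30
    name                                      = "apim-probe"
    path                                      = "/status-0123456789abcdef"
    protocol                                  = "Http"
    timeout                                   = 30
    unhealthy_threshold                       = 3
    pick_host_name_from_backend_http_settings = true
    match {
      body = ""
      status_code = [
        "200-399"
      ]
    }
  }

  # Listener-level WAF policy: references the "example" policy declared above.
  http_listener {
    name                           = "devListener"
    frontend_ip_configuration_name = var.frontend_ip_configuration_name
    frontend_port_name             = var.frontend_port_name
    protocol                       = "Http"
    host_name                      = "xxxx.be"
    firewall_policy_id             = azurerm_web_application_firewall_policy.example.id
  }

  request_routing_rule {
    name                       = "devRule"
    rule_type                  = "Basic"
    priority                   = 25
    http_listener_name         = "devListener"
    backend_address_pool_name  = "devBackend"
    backend_http_settings_name = "devHttpSetting"
  }

 ............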

我遇到了一些并行错误:


请注意:

要与后端的私有资源通信,应用程序网关和 API 管理必须与这些资源位于同一个虚拟网络 (VNet) 中。

为此,请为您的资源设置一个虚拟网络。在该方案中,它为应用程序网关和 API 管理分别创建子网。


请参阅使用 Azure 应用程序网关和 Azure API 管理保护 API - Azure 参考架构 | 微软学习

