Terraform azurerm 提供程序計數和 csvdecode

Question

我正在嘗試從 CSV 文件中填充 NSG 規則。

CSV 文件：

name,priority,direction,access,protocol,source_port_range,destination_port_range,destination_port_ranges,source_address_prefix,destination_address_prefix,resource_group_name,network_security_group_name
allowindatasubnet,600,inbound,allow,*,*,*,,192.168.3.0/24,*,resourcegroup1,networksecgroup1
allowinremote,700,inbound,allow,*,*,,"3389,22",192.168.1.128/27,*,resourcegroup1,networksecgroup1
denyinall,1000,inbound,deny,*,*,*,,*,*,resourcegroup1,networksecgroup1

.tf 文件：

locals {
  network_security_group_rules = csvdecode(file("/csvfile.csv"))
}

resource "azurerm_network_security_rule" "network_security_rule_WL1" {

  count = length(local.network_security_group_rules)

  name                        = local.network_security_group_rules[count.index].name
  priority                    = local.network_security_group_rules[count.index].priority
  direction                   = local.network_security_group_rules[count.index].direction
  access                      = local.network_security_group_rules[count.index].access
  protocol                    = local.network_security_group_rules[count.index].protocol
  source_port_range           = local.network_security_group_rules[count.index].source_port_range
  destination_port_range      = local.network_security_group_rules[count.index].destination_port_range
  destination_port_ranges     = [local.network_security_group_rules[count.index].destination_port_ranges]
  source_address_prefix       = local.network_security_group_rules[count.index].source_address_prefixyes
  destination_address_prefix  = local.network_security_group_rules[count.index].destination_address_prefix
  resource_group_name         = local.network_security_group_rules[count.index].resource_group_name
  network_security_group_name = local.network_security_group_rules[count.index].network_security_group_name

}

如果沒有 nsg 規則資源塊中的destination_port_ranges屬性，這可以正常工作，但是當我添加它時，我得到一個錯誤：

Error: "destination_port_ranges": conflicts with destination_port_range

我知道我需要使用一個參數或另一個參數，但是任何人都可以幫助我使用語法或建議我可以進行的更改，以使我保持相同的 CSV 格式嗎？

我的配置對於為 destination_port_ranges 參數指定端口列表是否正確？

更新：我嘗試了以下朋友建議的方法，但這引發了同樣的異常。

destination_port_range      = local.network_security_group_rules[count.index].destination_port_range != "" ? local.network_security_group_rules[count.index].destination_port_range : null
destination_port_ranges     = local.network_security_group_rules[count.index].destination_port_ranges != "" ? split(",", local.network_security_group_rules[count.index].destination_port_ranges) : null

謝謝！

Answer 1

正如您所說，您只需要一個論點，而不是兩者。 如我所見，您的所有目標端口都是一個列表或字符* ，它表示一個范圍。 讓我們看看參數destination_port_ranges和destination_port_range的描述：

destination_port_range -（可選）目標端口或范圍。 Integer 或 0 到 65535 之間的范圍或 * 以匹配任何一個。 如果未指定destination_port_ranges，則這是必需的。

destination_port_ranges - （可選）目標端口或端口范圍列表。 如果未指定destination_port_range，則這是必需的。

您使用目標端口或端口范圍的列表，因此您只需在 csv 文件中為網絡安全規則設置參數destination_port_ranges 。

更新：

您可以為規則使用模塊，該模塊用於決定每個規則使用哪個屬性：

./main.tf

locals {
  network_security_group_rules = csvdecode(file("/csvfile.csv"))
}

module "rules" {
    source = "./modules/rules"

    count = length(local.network_security_group_rules)
    rule = local.network_security_group_rules[count.index]
}

./modules/rules/main.tf

variable "rule" {}

resource "azurerm_network_security_rule" "network_security_rule_WL1" {

  count = rule.destination_port_range == null ? 0 : 1

  name                        = local.network_security_group_rules[count.index].name
  priority                    = local.network_security_group_rules[count.index].priority
  direction                   = local.network_security_group_rules[count.index].direction
  access                      = local.network_security_group_rules[count.index].access
  protocol                    = local.network_security_group_rules[count.index].protocol
  source_port_range           = local.network_security_group_rules[count.index].source_port_range
  destination_port_range      = local.network_security_group_rules[count.index].destination_port_range
  source_address_prefix       = local.network_security_group_rules[count.index].source_address_prefixyes
  destination_address_prefix  = local.network_security_group_rules[count.index].destination_address_prefix
  resource_group_name         = local.network_security_group_rules[count.index].resource_group_name
  network_security_group_name = local.network_security_group_rules[count.index].network_security_group_name

}

resource "azurerm_network_security_rule" "network_security_rule_WL1" {

  count = rule.destination_port_ranges == null ? 0 : 1

  name                        = local.network_security_group_rules[count.index].name
  priority                    = local.network_security_group_rules[count.index].priority
  direction                   = local.network_security_group_rules[count.index].direction
  access                      = local.network_security_group_rules[count.index].access
  protocol                    = local.network_security_group_rules[count.index].protocol
  source_port_range           = local.network_security_group_rules[count.index].source_port_range
  destination_port_ranges     = [local.network_security_group_rules[count.index].destination_port_ranges]
  source_address_prefix       = local.network_security_group_rules[count.index].source_address_prefixyes
  destination_address_prefix  = local.network_security_group_rules[count.index].destination_address_prefix
  resource_group_name         = local.network_security_group_rules[count.index].resource_group_name
  network_security_group_name = local.network_security_group_rules[count.index].network_security_group_name

}

這樣，您不能創建具有兩個屬性而不是 null 的規則，我的意思是每個規則只能具有兩個屬性之一。