VNET 地址空间可以用于 NSG 源地址前缀吗？

Question

我希望允许来自所有本地子网（不包括对等子网）的流量通过 NSG。由于我只有一个地址空间，因此最直接的方法似乎是使用 VNET 的地址空间作为安全规则的源地址前缀。

resource "azurerm_resource_group" "west01-rg" {
  name     = "west01-rg"
  location = "West US"
}

resource "azurerm_virtual_network" "virtual-network" {
  name                = "west01-vnet"
  location            = "${azurerm_resource_group.west01-rg.location}"
  resource_group_name = "${azurerm_resource_group.west01-rg.name}"
  address_space       = ["10.10.20.0/21"]
}

resource "azurerm_subnet" "servers-subnet" {
  name                 = "ServersNet"
  resource_group_name  = "${azurerm_resource_group.west01-rg.name}"
  virtual_network_name = "${azurerm_virtual_network.virtual-network.name}"
  address_prefix       = "10.10.20.0/24"
}

resource "azurerm_network_security_group" "dc-nsg" {
  name                = "dc-nsg"
  location            = "${azurerm_resource_group.west01-rg.location}"
  resource_group_name = "${azurerm_resource_group.west01-rg.name}"

  security_rule {
    name                       = "AllowCidrSubnet"
    priority                   = 100
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "*"
    source_port_range          = "*"
    destination_port_range     = "*"
    source_address_prefix      = "${azurerm_virtual_network.virtual-network.address_space}"
    destination_address_prefix = "*"
  }

  tags {
    environment = "Testing"
  }
}

根据文档，此值可以使用 CIDR 表示法。但是，我上面的示例导致错误

Error: azurerm_network_security_group.dc: security_rule.0.source_address_prefix must be a single value, not a list

如果我切换到 source_address_prefixes，它应该接受一个列表，我得到这个错误

Error: azurerm_network_security_group.dcx: security_rule.0.source_address_prefixes: should be a list

因此，该值似乎既是列表又不是列表。这应该工作吗？还是我应该换一种方式？

• Terraform v0.11.11
• provider.azurerm v1.21.0

Answer 1

在 0.12 之前的 Terraform 中，默认情况下每个变量都是字符串类型，如果您想使用列表或地图类型，则在传递变量时必须一致地使用该类型。这应该在 Terraform 0.12 中改变，因为 HCL2 对包括更多 complex type handling 在内的类型有更好的支持。

要解决您的问题，您需要对列表进行索引以返回单个元素，然后该元素将是一个字符串，或者您需要与您的列表类型保持一致。

所以这些都应该工作：

resource "azurerm_network_security_group" "dc-nsg" {
  name                = "dc-nsg"
  location            = "${azurerm_resource_group.west01-rg.location}"
  resource_group_name = "${azurerm_resource_group.west01-rg.name}"

  security_rule {
    name                       = "AllowCidrSubnet"
    priority                   = 100
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "*"
    source_port_range          = "*"
    destination_port_range     = "*"
    source_address_prefix      = "${azurerm_virtual_network.virtual-network.address_space[0]}"
    destination_address_prefix = "*"
  }

  tags {
    environment = "Testing"
  }
}

或直接使用列表：

resource "azurerm_network_security_group" "dc-nsg" {
  name                = "dc-nsg"
  location            = "${azurerm_resource_group.west01-rg.location}"
  resource_group_name = "${azurerm_resource_group.west01-rg.name}"

  security_rule {
    name                       = "AllowCidrSubnet"
    priority                   = 100
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "*"
    source_port_range          = "*"
    destination_port_range     = "*"
    source_address_prefixes    = ["${azurerm_virtual_network.virtual-network.address_space}"]
    destination_address_prefix = "*"
  }

  tags {
    environment = "Testing"
  }
}