针对DestinationAddressPrefix/DestinationAddressPrefixes的Azure Terraform NSG规则创建错误为“0”;AzureMonitor“;
编辑新帖子以添加更多说明: 在当前架构中,我们运行ansible playbook(infrastructure.yml)在Azure中部署基础设施。 我们能够毫无问题地创建资源,包括许多其他NSG规则 使用新的NSG规则,我们的terraform运行失败,以下信息如下: 我的Azurerm版本为:针对DestinationAddressPrefix/DestinationAddressPrefixes的Azure Terraform NSG规则创建错误为“0”;AzureMonitor“;,terraform,azure-nsg,Terraform,Azure Nsg,编辑新帖子以添加更多说明: 在当前架构中,我们运行ansible playbook(infrastructure.yml)在Azure中部署基础设施。 我们能够毫无问题地创建资源,包括许多其他NSG规则 使用新的NSG规则,我们的terraform运行失败,以下信息如下: 我的Azurerm版本为: provider "azurerm" { version = "2.58.0" ... 地形版本: Terraform v0.13.4 我可以通过
provider "azurerm" {
version = "2.58.0"
...
Terraform v0.13.4
az network nsg rule create -g 'MyGroup' --nsg-name 'MyNSG' -n 'AllowAzureMonitorOutbound' --priority 1200 --source-address-prefixes "*" --destination-address-prefixes AzureMonitor --destination-port-ranges 443 --direction Outbound --access Allow --protocol Tcp --description "AzureMonitor rule CLI creation."
**-- Original Error: Code="SecurityRuleParameterContainsUnsupportedValue" Message="Security rule parameter DestinationAddressPrefix for rule with Id /subscriptions/XXXXXXXXXXXXXX/resourceGroups/MyGroup/providers/Microsoft.Network/networkSecurityGroups/UMyNSG/securityRules/AllowAzureMonitorOutbound cannot specify existing VIRTUALNETWORK, INTERNET, AZURELOADBALANCER, '*' or system tags. Unsupported value used: AzureMonitor."**
resource "azurerm_network_security_group" "prx" {
name = "${var.prx_hosts.name}-NSG"
resource_group_name = azurerm_resource_group.MYPROJECT.name
location = var.location
dynamic "security_rule" {
for_each = var.prx_hosts.security_group.rules
content {
name = security_rule.value.name
description = security_rule.value.description
access = security_rule.value.access
direction = security_rule.value.direction
protocol = security_rule.value.protocol
priority = security_rule.value.priority
source_address_prefix = security_rule.value.source_address_prefixes == ["any"] ? "*" : null
source_address_prefixes = security_rule.value.source_address_prefixes == ["any"] ? null : tolist(security_rule.value.source_address_prefixes)
destination_address_prefix = security_rule.value.destination_address_prefixes == ["any"] ? "*" : null
destination_address_prefixes = security_rule.value.destination_address_prefixes == ["any"] ? null : tolist(security_rule.value.destination_address_prefixes)
source_port_range = security_rule.value.source_port_ranges == ["any"] ? "*" : null
source_port_ranges = security_rule.value.source_port_ranges == ["any"] ? null : tolist(security_rule.value.source_port_ranges)
destination_port_range = security_rule.value.destination_port_ranges == ["any"] ? "*" : null
destination_port_ranges = security_rule.value.destination_port_ranges == ["any"] ? null : tolist(security_rule.value.destination_port_ranges)
}
}
}
"security_group": {
"name": "MY_PROJECT_NAME",
"rules": [
{
"access": "allow",
"description": "AzureMonitor rule CLI creation.",
"destination_address_prefixes": ["AzureMonitor"],
"destination_port_ranges": [
443
],
"direction": "Outbound",
"name": "AllowAzureMonitorOutbound",
"priority": 100,
"protocol": "TCP",
"source_address_prefixes": [
"any"
],
"source_port_ranges": [
"any"
]
}
]
}
你能提供更多关于你用来尝试和部署它的代码的信息吗?@KedMardemootoo试图为这个问题添加更多信息。谢谢。我需要花更多的时间来研究它,希望其他人能早点发现。您提到,它与其他NSG规则一起使用,但与“新”规则不一起使用。有什么区别?旧规则不是模板,但这条规则是?它失败了,因为“目的地地址前缀”:“AzureMonitor”Terraform不接受“AzureMonitor”作为目的地地址前缀。我在问题中也包含了原始错误。所以,如果你创建一个没有参数化的简单NSG,只使用静态值,它能工作吗?例如,使用与上述相同的值