Terraform azurerm 提供程序计数和 csvdecode

Question

我正在尝试从 CSV 文件填充 NSG 规则。

CSV 文件：

name,priority,direction,access,protocol,source_port_range,destination_port_range,destination_port_ranges,source_address_prefix,destination_address_prefix,resource_group_name,network_security_group_name
allowindatasubnet,600,inbound,allow,*,*,*,,192.168.3.0/24,*,resourcegroup1,networksecgroup1
allowinremote,700,inbound,allow,*,*,,"3389,22",192.168.1.128/27,*,resourcegroup1,networksecgroup1
denyinall,1000,inbound,deny,*,*,*,,*,*,resourcegroup1,networksecgroup1

tf 文件：

locals {
  network_security_group_rules = csvdecode(file("/csvfile.csv"))
}

resource "azurerm_network_security_rule" "network_security_rule_WL1" {

  count = length(local.network_security_group_rules)

  name                        = local.network_security_group_rules[count.index].name
  priority                    = local.network_security_group_rules[count.index].priority
  direction                   = local.network_security_group_rules[count.index].direction
  access                      = local.network_security_group_rules[count.index].access
  protocol                    = local.network_security_group_rules[count.index].protocol
  source_port_range           = local.network_security_group_rules[count.index].source_port_range
  destination_port_range      = local.network_security_group_rules[count.index].destination_port_range
  destination_port_ranges     = [local.network_security_group_rules[count.index].destination_port_ranges]
  source_address_prefix       = local.network_security_group_rules[count.index].source_address_prefixyes
  destination_address_prefix  = local.network_security_group_rules[count.index].destination_address_prefix
  resource_group_name         = local.network_security_group_rules[count.index].resource_group_name
  network_security_group_name = local.network_security_group_rules[count.index].network_security_group_name

}

如果没有 nsg 规则资源块中的 destination_port_ranges 属性，这可以正常工作，但是当我添加它时，我得到一个错误：

Error: "destination_port_ranges": conflicts with destination_port_range

我知道我需要使用一个或另一个参数，但谁能帮助我使用语法或建议我可以进行的更改以使我保持相同的 CSV 格式？

对于为 destination_port_ranges 参数指定端口列表，我的配置是否正确？

更新： 我尝试了朋友建议的以下方法，但这引发了同样的异常。

destination_port_range      = local.network_security_group_rules[count.index].destination_port_range != "" ? local.network_security_group_rules[count.index].destination_port_range : null
destination_port_ranges     = local.network_security_group_rules[count.index].destination_port_ranges != "" ? split(",", local.network_security_group_rules[count.index].destination_port_ranges) : null

谢谢！

Answer 1

正如你所说，你只需要一个参数，而不是两个。如我所见，您的所有目标端口都是一个列表或字符*，它表示一个范围。我们来看看参数destination_port_ranges和destination_port_range的描述：

destination_port_range - （可选）目标端口或范围。整数 或 0 到 65535 之间的范围或 * 以匹配任何值。这是必需的，如果 未指定destination_port_ranges。

destination_port_ranges - （可选）目标端口或端口列表 范围。如果未指定destination_port_range，则这是必需的。

您使用目标端口或端口范围的列表，因此您只需在 csv 文件中为网络安全规则设置参数destination_port_ranges。

更新：

您可以为规则使用一个模块，该模块用于决定每个规则使用哪个属性：

./main.tf

locals {
  network_security_group_rules = csvdecode(file("/csvfile.csv"))
}

module "rules" {
    source = "./modules/rules"

    count = length(local.network_security_group_rules)
    rule = local.network_security_group_rules[count.index]
}

./modules/rules/main.tf

variable "rule" {}

resource "azurerm_network_security_rule" "network_security_rule_WL1" {

  count = rule.destination_port_range == null ? 0 : 1

  name                        = local.network_security_group_rules[count.index].name
  priority                    = local.network_security_group_rules[count.index].priority
  direction                   = local.network_security_group_rules[count.index].direction
  access                      = local.network_security_group_rules[count.index].access
  protocol                    = local.network_security_group_rules[count.index].protocol
  source_port_range           = local.network_security_group_rules[count.index].source_port_range
  destination_port_range      = local.network_security_group_rules[count.index].destination_port_range
  source_address_prefix       = local.network_security_group_rules[count.index].source_address_prefixyes
  destination_address_prefix  = local.network_security_group_rules[count.index].destination_address_prefix
  resource_group_name         = local.network_security_group_rules[count.index].resource_group_name
  network_security_group_name = local.network_security_group_rules[count.index].network_security_group_name

}

resource "azurerm_network_security_rule" "network_security_rule_WL1" {

  count = rule.destination_port_ranges == null ? 0 : 1

  name                        = local.network_security_group_rules[count.index].name
  priority                    = local.network_security_group_rules[count.index].priority
  direction                   = local.network_security_group_rules[count.index].direction
  access                      = local.network_security_group_rules[count.index].access
  protocol                    = local.network_security_group_rules[count.index].protocol
  source_port_range           = local.network_security_group_rules[count.index].source_port_range
  destination_port_ranges     = [local.network_security_group_rules[count.index].destination_port_ranges]
  source_address_prefix       = local.network_security_group_rules[count.index].source_address_prefixyes
  destination_address_prefix  = local.network_security_group_rules[count.index].destination_address_prefix
  resource_group_name         = local.network_security_group_rules[count.index].resource_group_name
  network_security_group_name = local.network_security_group_rules[count.index].network_security_group_name

}

这样，你不能创建两个属性都不为空的规则，我的意思是每个规则只能有两个属性之一。