如何在 azure 上使用 terraform 为现有子网创建 NSG

Question

我正在引用现有子网，如下所示，但我希望创建一个 NSG 并将其附加到子网。它给了我错误。

引用和添加NSG的代码如下：

data "azurerm_subnet" "tf-sn-erx-app" {
  name                 = "${var.subnet_app_name}"
  virtual_network_name = "${data.azurerm_virtual_network.tf-vn-erx.name}"
  resource_group_name  = "${data.azurerm_resource_group.tf-rg-erx-external.name}"
  security_group       = "${azurerm_network_security_group.tf-nsg-erx-application.id}"
}

data "azurerm_subnet" "tf-sn-erx-sql" {
  name                 = "${var.subnet_sql_name}"
  virtual_network_name = "${data.azurerm_virtual_network.tf-vn-erx.name}"
  resource_group_name  = "${data.azurerm_resource_group.tf-rg-erx-external.name}"
  security_group       = "${azurerm_network_security_group.tf-nsg-erx-sql.id}"
}
resource "azurerm_network_security_group" "tf-nsg-erx-application" {
  name                = "${var.application_nsg}"
  location            = "${data.azurerm_resource_group.tf-rg-erx-external.location}"
  resource_group_name = "${data.azurerm_resource_group.tf-rg-erx-external.name}"
}
resource "azurerm_network_security_rule" "tf-nsr-erx-application-5985" {
  name                        = "Open Port 5985"
  priority                    = 100
  direction                   = "Inbound"
  access                      = "Allow"
  protocol                    = "Tcp"
  source_port_range           = "*"
  destination_port_range      = "5985"
  source_address_prefix       = "*"
  destination_address_prefix  = "*"
  resource_group_name         = "${data.azurerm_resource_group.tf-rg-erx-external.name}"
  network_security_group_name = "${azurerm_network_security_group.tf-nsg-erx-application.name}"
}
resource "azurerm_network_security_rule" "tf-nsr-erx-application-5986" {
  name                        = "Open Port 5986"
  priority                    = 101
  direction                   = "Inbound"
  access                      = "Allow"
  protocol                    = "Tcp"
  source_port_range           = "*"
  destination_port_range      = "5986"
  source_address_prefix       = "*"
  destination_address_prefix  = "*"
  resource_group_name         = "${data.azurerm_resource_group.tf-rg-erx-external.name}"
  network_security_group_name = "${azurerm_network_security_group.tf-nsg-erx-application.name}"
}

但是，当我运行 terraform 时，会报告以下错误。

Error: data.azurerm_subnet.tf-sn-erx-app: : invalid or unknown key: security_group
Error: data.azurerm_subnet.tf-sn-erx-sql: : invalid or unknown key: security_group

有什么问题？

Answer 1

正如@BMW 所说，数据azurerm_subnet 中没有属性security_group。如果要将 NSG 关联到现有子网，可以使用 azurerm_subnet_network_security_group_association 来实现。只需使用数据 azurerm_subnet 来引用您现有的子网并为其创建 NSG 或使用现有的。

Answer 2

数据源azurerm_subnet中没有security_group的key

Argument Reference
name - (Required) Specifies the name of the Subnet.
virtual_network_name - (Required) Specifies the name of the Virtual Network this Subnet is located within.
resource_group_name - (Required) Specifies the name of the resource group the Virtual Network is located in.

https://www.terraform.io/docs/providers/azurerm/d/subnet.html

Answer 3

我通过下面的代码让它工作了：

resource "azurerm_network_interface" "tf-ni-erx-mkconn" {
 count                     = 3
 name                      = "${var.mkconn_base_hostname}${format("%02d",count.index+1)}-nic01"
 location                  = "${data.azurerm_resource_group.tf-rg-erx-external.location}"
 resource_group_name       = "${data.azurerm_resource_group.tf-rg-erx-external.name}"
 network_security_group_id = "${azurerm_network_security_group.tf-nsg-erx-application.id}"