Azure Terraform module for Container Registry: the dynamic block does not remove IP addresses when the whitelist IP list is emptied to zero

myzjeezk, posted 2022-11-17 in Other
Answers (1) | Views (227)

I have written a Terraform module for Azure Container Registry (ACR). I want the option to make the ACR either public or available only to selected networks, and to switch between the two. By "selected networks" I mean specific subnets or IPs that have been whitelisted. If no subnet or IP list is provided, the ACR is public. Otherwise, this is how I define the IP list and the subnet list in variables.tf:

variable "allowed_subnet_ids" {
  type        = list(string)
  description = "List of subnet IDs to be allowed to access the ACR"
}

variable "allowed_ips" {
  type        = list(string)
  description = "White list IP addresses"
}

variable "public_network_access_enabled"{
  type = bool
  description = "(Optional) Whether public network access is allowed for the container registry. Defaults to true."
}

I have made the network_rule_set attribute optional by using a dynamic block in main.tf, as shown below:

resource "azurerm_container_registry" "this" {
  name                = local.acr_name
  resource_group_name = var.resource_group_name
  location            = var.location
  sku                 = var.sku
  admin_enabled       = var.admin_enabled

  public_network_access_enabled = var.public_network_access_enabled

  dynamic "network_rule_set" {
    for_each = (length(var.allowed_ips) != 0 || length(var.allowed_subnet_ids) != 0) ? [1] : []
    content {
      default_action = "Deny"
      dynamic "virtual_network" {
        for_each = var.allowed_subnet_ids
        content {
          action    = "Allow"
          subnet_id = virtual_network.value
        }
      }
      dynamic "ip_rule" {
        for_each = var.allowed_ips
        content {
          action   = "Allow"
          ip_range = ip_rule.value
        }
      }
    }
  }
}

network_rule_set allows whitelisting IPs and subnets on the ACR, and by using the dynamic block as shown above it optionally makes the registry public or private. To supply the variable values I use terraform.tfvars, as follows:

env                  = "sdbx"
application_id       = "appid"
resource_group_name  = "rg-sbx"
role = "public"
location = "westeurope"
allowed_ips = [ "84.x.x.x", "51.x.x.x"] 
# allowed_ips = []
allowed_subnet_ids = []
public_network_access_enabled = true

The problem: there is a serious issue. If we have a list of IPs to whitelist, it works. If we later decide to remove IPs from that list or change them, but the list is still not empty, it works as expected. But if you start the ACR with an IP list (a non-empty list) and later decide to empty it, as in

allowed_ips = []

it skips the block and does not remove those IPs! Does anyone have a solution for this? I want the block to be able to switch between "Public" and "Selected networks" as shown in the Azure portal. In other words, I want the dynamic block to shrink the IP list to zero when I replace allowed_ips with an empty list, and in that way make my ACR public.

In the images below you can see how the networking should switch between the two states, which is my end goal:
ACR available to selected networks and whitelisted IPs:

Publicly available ACR when no allowed_ips or allowed_subnet_ids are provided, which should make it a public ACR:

For completeness, here are my Terraform provider and version specifications:

terraform {
  required_version = ">= 1.0.0"
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = ">=3.0.0"
    }
  }
}

provider "azurerm" {
  features {}
}
hlswsv35, answer #1

To switch networks between the ACR being publicly available and available only to selected networks, we need to keep a condition for network_rule_set. The detailed code is below.
Create the ACR by allowing all networks.

Step 1: here is the latest code I added in the main.tf file, as follows:

provider "azurerm" {
  features {}
}

resource "azurerm_container_registry" "acr_name" {
  name                = "acrswarna"
  resource_group_name = var.resource_group_name
  location            = var.location
  sku                 = var.sku
  admin_enabled       = var.admin_enabled

  // Disable this code block for allowed ip network - Begin
  network_rule_set {
    default_action = "Allow"
  }
  // Disable this code block for allowed ip network - End

  dynamic "network_rule_set" {
    for_each = (length(var.allowed_ips) != 0 || length(var.allowed_subnet_ids) != 0) ? [1] : []
    content {
      default_action = "Deny"
      dynamic "virtual_network" {
        for_each = var.allowed_subnet_ids
        content {
          action    = "Allow"
          subnet_id = virtual_network.value
        }
      }
      dynamic "ip_rule" {
        for_each = var.allowed_ips
        content {
          action   = "Allow"
          ip_range = ip_rule.value
        }
      }
    }
  }
}

The variables.tf file is

variable "allowed_subnet_ids" {
  type        = list(string)
  description = "List of subnet IDs to be allowed to access the ACR"
}

variable "allowed_ips" {
  type        = list(string)
  description = "White list IP addresses"
}

variable "public_network_access_enabled"{
  type = bool
  description = "(Optional) Whether public network access is allowed for the container registry. Defaults to true."
} 
variable "admin_enabled" {
  type        = bool
  description = "(Optional) Specifies whether the admin user is enabled. Defaults to false."
}
variable "sku" {
  type        = string
  description = "SKU"
}
variable "resource_group_name" {
  type        = string
  description = "resource_group_name"
}
variable "location" {
  type        = string
  description = "location"
}

terraform.tfvars file code

env                 = "sdbx"
application_id      = "appid"
resource_group_name = "rg-swarna"
role                = "public"
location            = "westeurope"
//Disable/ Enable the allowed ips when ever need if it was empty All Network will allow and if any ips its allowed only required range
//allowed_ips = ["84.1.2.3", "51.3.4.2"]
allowed_ips                   = []
allowed_subnet_ids            = []
admin_enabled                 = true
sku                           = "Premium"
public_network_access_enabled = true

Step 2: run the following commands

terraform plan -var-file .\terraform.tfvars
terraform apply -var-file .\terraform.tfvars -auto-approve

Step 3: after applying Terraform, we can see the ACR on the Azure portal.

Step 4: update the code with the selected IP ranges and re-run the Terraform code. Changes to make: replace the following code in terraform.tfvars

//Disable/ Enable the allowed ips when ever need if it was empty All Network will allow and if any ips its allowed only required range
allowed_ips = ["84.1.2.3", "51.3.4.2"]
//allowed_ips  =  []

main.tf file - replace the following code

# // Disable this code block  for allowed ip network - Begin
#  network_rule_set {
#   default_action = "Allow"
#  }
#  // Disable this code block  for allowed ip network - End

Repeat Step 2. Below is the portal output after applying, with the selected IP ranges.

Rollback process: keep "All networks" as the default and remove the above IP ranges on the portal.

Changes to make: replace the following code in terraform.tfvars

//Disable/ Enable the allowed ips when ever need if it was empty All Network will allow and if any ips its allowed only required range
//allowed_ips = ["84.1.2.3", "51.3.4.2"]
allowed_ips  =  []

main.tf file - replace the following code

// Disable this code block  for allowed ip network - Begin
 network_rule_set {
  default_action = "Allow"
 }
// Disable this code block  for allowed ip network - End

Repeat Step 2.
Output

After the Terraform apply you can see that traffic is routed from all networks and the corresponding IP addresses are removed on the portal.
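The following is an added example, not code from the question or from the answer above. It addresses the question's dynamic block and the answer's comment-out toggle with a single module body that keeps network_rule_set present in every plan, so that emptying the allow lists is applied as a change rather than skipped. Names taken from the question are assumed to exist in the caller (local.acr_name, var.resource_group_name, var.location, var.sku, var.admin_enabled); the validation rule and the lifecycle preconditions are additions made here.

```hcl
# Added example (not the question's or the answer's code).
# Assumed from the question: local.acr_name, var.resource_group_name,
# var.location, var.sku, var.admin_enabled. Validation and preconditions
# are additions made here.

terraform {
  required_version = ">= 1.2.0" # lifecycle preconditions need 1.2+
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0" # the virtual_network rule block was removed in azurerm 4.x
    }
  }
}

variable "allowed_ips" {
  type        = list(string)
  description = "Public IPv4 addresses or CIDR ranges allowed to reach the registry"
  default     = []

  validation {
    condition = alltrue([
      for ip in var.allowed_ips :
      can(cidrhost(ip, 0)) || can(regex("^\\d{1,3}(\\.\\d{1,3}){3}$", ip))
    ])
    error_message = "Each allowed_ips entry must be an IPv4 address or an IPv4 CIDR range."
  }
}

variable "allowed_subnet_ids" {
  type        = list(string)
  description = "Subnet resource IDs allowed to reach the registry"
  default     = []
}

variable "public_network_access_enabled" {
  type    = bool
  default = true
}

locals {
  # At least one allow-list entry: the registry is reachable only from
  # "Selected networks", the portal's name for default_action = Deny.
  restricted = length(var.allowed_ips) > 0 || length(var.allowed_subnet_ids) > 0
}

resource "azurerm_container_registry" "this" {
  name                = local.acr_name
  resource_group_name = var.resource_group_name
  location            = var.location
  sku                 = var.sku
  admin_enabled       = var.admin_enabled

  public_network_access_enabled = var.public_network_access_enabled

  # network_rule_set is Optional+Computed in the provider schema. When the
  # block is absent from the configuration (dynamic block with for_each = []),
  # Terraform accepts whatever Azure currently has and plans no change, so
  # previously applied IP rules survive. Emitting the block unconditionally
  # makes "no rules, default Allow" an explicit desired state.
  network_rule_set {
    default_action = local.restricted ? "Deny" : "Allow"

    dynamic "ip_rule" {
      for_each = var.allowed_ips
      content {
        action   = "Allow"
        ip_range = ip_rule.value
      }
    }

    dynamic "virtual_network" {
      for_each = var.allowed_subnet_ids
      content {
        action    = "Allow"
        subnet_id = virtual_network.value
      }
    }
  }

  lifecycle {
    # Network rules are a Premium-SKU feature; fail at plan time, not apply time.
    precondition {
      condition     = !local.restricted || var.sku == "Premium"
      error_message = "IP/subnet rules on an Azure Container Registry require sku = \"Premium\"."
    }
    # With public access off, the registry is reachable only through private
    # endpoints, so an allow list would be dead configuration that misleads
    # a reviewer about the real exposure.
    precondition {
      condition     = !local.restricted || var.public_network_access_enabled
      error_message = "allowed_ips / allowed_subnet_ids have no effect when public_network_access_enabled is false."
    }
  }
}
```

With this shape, changing allowed_ips from a populated list to [] produces a plan that shows each ip_rule being removed and default_action changing from "Deny" to "Allow", which is the "All networks" state in the portal; no manual commenting of blocks is needed. Check the plan for those two diffs before applying. To take the registry fully off the public internet, set public_network_access_enabled = false and use a private endpoint instead of emptying the allow list, since an empty rule set with default Allow is the most exposed configuration, not the least.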
