azure - Azure NSG 资源上的 Terraform 嵌套 For 循环

Question

您好，我一直在尝试找出如何获取此资源:

resource "azurerm_subnet_network_security_group_association" "example" {
  subnet_id                 = azurerm_subnet.example.id
  network_security_group_id = azurerm_network_security_group.example.id
}

逐步浏览我的两张 map ，一张位于 NSGS，另一张位于子网。

这是子网资源代码:

resource "azurerm_subnet" "one_subnet" {
  for_each             = var.subnets
  resource_group_name  = data.azurerm_resource_group.one_rg.name
  virtual_network_name = azurerm_virtual_network.one_vnet.name
  name                 = each.value["name"]
  address_prefixes     = each.value["address_prefixes"]
}

子网变量文件:

variable "subnets" {
  type = map(any)
}

子网 TFVar

subnets = {
  subnet_1 = {
    name             = "virtual-subnet"
    address_prefixes = ["10.13.1.0/24"]
  }
  subnet_2 = {
    name             = "virtual-subnet"
    address_prefixes = ["10.13.2.0/24"]
  }
  subnet_3 = {
    name             = "virtual-subnet"
    address_prefixes = ["10.13.3.0/24"]
  }
}

核供应国集团代码:

resource "azurerm_network_security_group" "one_nsgs" {
  for_each            = var.one_nsgs
  name                = each.value["name"]
  location            = data.azurerm_resource_group.one_rg.location
  resource_group_name = data.azurerm_resource_group.one_rg.name

  security_rule {}
}

NSG 变量文件

variable "one_nsgs" {
  type = map(any)
}

NSG Tfvars

one_nsgs = {
  devwebnsg = {
    name = "DevWebNSG"
  }
  devapinsg = {
    name = "DevApiNSG"
  }
  devjobsnsg = {
    name = "DevNSG"
  }
}

我尝试将两个变量映射组合成本地文件中的嵌套映射，然后将其传递给绑定(bind) NSG 资源。但发生的情况是，绑定(bind) NSG 资源需要资源的 ID，而不是名称，这只能通过将资源 block 传递到 NSG 绑定(bind)资源中来实现。

我还在 NSG 绑定(bind)资源上尝试过此操作:

resource "azurerm_subnet_network_security_group_association" "bind_nsg_to_subnet" {
  for_each      = { for entry in local.combined_nsg_and_subnet: "${entry.subnet}.${entry.nsg}" => entry }
  subnet_id                 = each.value.subnet.id
  network_security_group_id = each.value.nsg.id
}

这查看我的本地文件映射

 # Nested loop over both lists, and flatten the result.
  combined_nsg_and_subnet = distinct(flatten([
    for subnet in var.subnets["name"] : [
      for nsg in var.one_nsgs["name"] : {
        subnet = subnet
        nsg    = nsg
      }
    ]
  ]))

但是资源的Id并不是这样传递的。

Answer 1

如果您确实想在本地 map 中组合 azurerm_subnet 和 azurerm_network_security_group 并将其用作 ID，则必须使用具有 ID 的资源属性，而不是变量。

例如:

combined_nsg_and_subnet = flatten([
  for subnet in azurerm_subnet.one_subnet : [
    for nsg in azurerm_network_security_group.one_nsgs : {
      subnet_id = subnet.id
      nsg_id    = nsg.id
    }
  ]
])

resource "azurerm_subnet_network_security_group_association" "bind_nsg_to_subnet" {
  for_each = { for entry in local.combined_nsg_and_subnet: "${entry.subnet_id}.${entry.nsg_id}" => entry }
  
  subnet_id                 = each.value.subnet_id
  network_security_group_id = each.value.nsg_id
}