你当前正在访问 Microsoft Azure Global Edition 技术文档网站。 如果需要访问由世纪互联运营的 Microsoft Azure 中国技术文档网站,请访问 https://docs.azure.cn。
快速入门:创建 Azure 防火墙和 IP 组 - Terraform
在本快速入门中,你将使用 Terraform 部署 Azure 防火墙,其中包含在网络规则和应用程序规则中使用的示例 IP 组。 IP 组是顶级资源,可用于定义 IP 地址、范围与子网并将其组合到单个对象中。 IP 组对于管理 Azure 防火墙规则中的 IP 地址很有用。 可以手动输入 IP 地址,或者从文件导入。
使用 Terraform 可以定义、预览和部署云基础结构。 使用 Terraform 时,请使用 HCL 语法来创建配置文件。 利用 HCL 语法,可指定 Azure 这样的云提供程序和构成云基础结构的元素。 创建配置文件后,请创建一个执行计划,利用该计划,可在部署基础结构更改之前先预览这些更改。 验证了更改后,请应用该执行计划以部署基础结构。
在本文中,学习如何:
- 使用 random_pet 创建一个随机值(要在资源组名称中使用)
- 使用 azurerm_resource_group 创建 Azure 资源组
- 使用 random_password 为 Windows VM 创建一个随机密码
- 使用 random_string 创建随机值(用作存储名称)
- 使用 azurerm_public_ip 创建 Azure 公共 IP
- 使用 azurerm_storage_account 创建存储帐户
- 使用 azurerm_firewall_policy 创建 Azure 防火墙策略
- 使用 azurerm_firewall_policy_rule_collection_group 创建 Azure 防火墙策略规则集合组
- 使用 azurerm_firewall 创建 Azure 防火墙
- 使用 azurerm_ip_group 创建 Azure IP 组
- 使用 azurerm_virtual_network 创建 Azure 虚拟网络
- 使用 azurerm_subnet 创建三个 Azure 子网
- 使用 azurerm_network_interface 创建网络接口
- 使用 azurerm_network_security_group 创建网络安全组(以包含网络安全规则列表)
- 使用 azurerm_network_interface_security_group_association 在网络接口和网络安全组之间创建关联
- 使用 azurerm_linux_virtual_machine 创建 Azure Linux 虚拟机
- 使用 azurerm_route_table 创建路由表
- 使用 azurerm_subnet_route_table_association 在路由表和子网之间创建关联
- 创建 AzAPI 资源 azapi_resource。
- 创建 AzAPI 资源以使用 azapi_resource_action 生成 SSH 密钥对。
先决条件
实现 Terraform 代码
注意
本文中的示例代码位于 Azure Terraform GitHub 存储库中。 你可以查看包含当前和以前 Terraform 版本的测试结果的日志文件。
有关更多示例,请参阅演示如何使用 Terraform 管理 Azure 资源的文章和示例代码
创建用于测试和运行示例 Terraform 代码的目录,并将其设为当前目录。
创建名为
providers.tf的文件并插入下列代码:terraform { required_providers { azurerm = { source = "hashicorp/azurerm" version = "~>3.0" } random = { source = "hashicorp/random" version = "~>3.0" } azapi = { source = "azure/azapi" version = "~>1.5" } } } provider "azurerm" { features {} }创建名为
ssh.tf的文件并插入下列代码:resource "random_pet" "ssh_key_name" { prefix = "ssh" separator = "" } resource "azapi_resource_action" "ssh_public_key_gen" { type = "Microsoft.Compute/sshPublicKeys@2022-11-01" resource_id = azapi_resource.ssh_public_key.id action = "generateKeyPair" method = "POST" response_export_values = ["publicKey", "privateKey"] } resource "azapi_resource" "ssh_public_key" { type = "Microsoft.Compute/sshPublicKeys@2022-11-01" name = random_pet.ssh_key_name.id location = azurerm_resource_group.rg.location parent_id = azurerm_resource_group.rg.id } output "key_data" { value = azapi_resource_action.ssh_public_key_gen.output.publicKey }创建名为
main.tf的文件并插入下列代码:resource "random_pet" "rg_name" { prefix = var.resource_group_name_prefix } resource "random_string" "storage_account_name" { length = 8 lower = true numeric = false special = false upper = false } resource "random_password" "password" { length = 20 min_lower = 1 min_upper = 1 min_numeric = 1 min_special = 1 special = true } resource "azurerm_resource_group" "rg" { name = random_pet.rg_name.id location = var.resource_group_location } resource "azurerm_public_ip" "pip_azfw" { name = "pip-azfw" location = azurerm_resource_group.rg.location resource_group_name = azurerm_resource_group.rg.name allocation_method = "Static" sku = "Standard" } resource "azurerm_storage_account" "sa" { name = random_string.storage_account_name.result resource_group_name = azurerm_resource_group.rg.name location = azurerm_resource_group.rg.location account_tier = "Standard" account_replication_type = "LRS" account_kind = "StorageV2" } resource "azurerm_firewall_policy" "azfw_policy" { name = "azfw-policy" resource_group_name = azurerm_resource_group.rg.name location = azurerm_resource_group.rg.location sku = var.firewall_sku_tier threat_intelligence_mode = "Alert" } resource "azurerm_firewall_policy_rule_collection_group" "prcg" { name = "prcg" firewall_policy_id = azurerm_firewall_policy.azfw_policy.id priority = 300 application_rule_collection { name = "app-rule-collection-1" priority = 101 action = "Allow" rule { name = "someAppRule" protocols { type = "Https" port = 443 } destination_fqdns = ["*bing.com"] source_ip_groups = [azurerm_ip_group.ip_group_1.id] } } network_rule_collection { name = "net-rule-collection-1" priority = 200 action = "Allow" rule { name = "someNetRule" protocols = ["TCP", "UDP", "ICMP"] source_ip_groups = [azurerm_ip_group.ip_group_1.id] destination_ip_groups = [azurerm_ip_group.ip_group_2.id] destination_ports = ["90"] } } } resource "azurerm_firewall" "fw" { name = "azfw" location = azurerm_resource_group.rg.location resource_group_name = azurerm_resource_group.rg.name sku_name = "AZFW_VNet" sku_tier = var.firewall_sku_tier ip_configuration { name = "azfw-ipconfig" subnet_id = azurerm_subnet.azfw_subnet.id public_ip_address_id = azurerm_public_ip.pip_azfw.id } firewall_policy_id = azurerm_firewall_policy.azfw_policy.id } resource "azurerm_ip_group" "ip_group_1" { name = "ip-group_1" resource_group_name = azurerm_resource_group.rg.name location = azurerm_resource_group.rg.location cidrs = ["13.73.64.64/26", "13.73.208.128/25", "52.126.194.0/23"] } resource "azurerm_ip_group" "ip_group_2" { name = "ip_group_2" resource_group_name = azurerm_resource_group.rg.name location = azurerm_resource_group.rg.location cidrs = ["12.0.0.0/24", "13.9.0.0/24"] } resource "azurerm_virtual_network" "azfw_vnet" { name = "azfw-vnet" location = azurerm_resource_group.rg.location resource_group_name = azurerm_resource_group.rg.name address_space = ["10.10.0.0/16"] } resource "azurerm_subnet" "azfw_subnet" { name = "AzureFirewallSubnet" resource_group_name = azurerm_resource_group.rg.name virtual_network_name = azurerm_virtual_network.azfw_vnet.name address_prefixes = ["10.10.0.0/26"] } resource "azurerm_subnet" "server_subnet" { name = "subnet-server" resource_group_name = azurerm_resource_group.rg.name virtual_network_name = azurerm_virtual_network.azfw_vnet.name address_prefixes = ["10.10.1.0/24"] } resource "azurerm_subnet" "jump_subnet" { name = "subnet-jump" resource_group_name = azurerm_resource_group.rg.name virtual_network_name = azurerm_virtual_network.azfw_vnet.name address_prefixes = ["10.10.2.0/24"] } resource "azurerm_public_ip" "vm_jump_pip" { name = "pip-jump" location = azurerm_resource_group.rg.location resource_group_name = azurerm_resource_group.rg.name allocation_method = "Static" sku = "Standard" } resource "azurerm_network_interface" "vm_server_nic" { name = "nic-server" location = azurerm_resource_group.rg.location resource_group_name = azurerm_resource_group.rg.name ip_configuration { name = "ipconfig-workload" subnet_id = azurerm_subnet.server_subnet.id private_ip_address_allocation = "Dynamic" } } resource "azurerm_network_interface" "vm_jump_nic" { name = "nic-jump" location = azurerm_resource_group.rg.location resource_group_name = azurerm_resource_group.rg.name ip_configuration { name = "ipconfig-jump" subnet_id = azurerm_subnet.jump_subnet.id private_ip_address_allocation = "Dynamic" public_ip_address_id = azurerm_public_ip.vm_jump_pip.id } } resource "azurerm_network_security_group" "vm_server_nsg" { name = "nsg-server" location = azurerm_resource_group.rg.location resource_group_name = azurerm_resource_group.rg.name } resource "azurerm_network_security_group" "vm_jump_nsg" { name = "nsg-jump" location = azurerm_resource_group.rg.location resource_group_name = azurerm_resource_group.rg.name security_rule { name = "Allow-SSH" priority = 1000 direction = "Inbound" access = "Allow" protocol = "Tcp" source_port_range = "*" destination_port_range = "22" source_address_prefix = "*" destination_address_prefix = "*" } } resource "azurerm_network_interface_security_group_association" "vm_server_nsg_association" { network_interface_id = azurerm_network_interface.vm_server_nic.id network_security_group_id = azurerm_network_security_group.vm_server_nsg.id } resource "azurerm_network_interface_security_group_association" "vm_jump_nsg_association" { network_interface_id = azurerm_network_interface.vm_jump_nic.id network_security_group_id = azurerm_network_security_group.vm_jump_nsg.id } resource "azurerm_linux_virtual_machine" "vm_server" { name = "server-vm" resource_group_name = azurerm_resource_group.rg.name location = azurerm_resource_group.rg.location size = var.virtual_machine_size admin_username = var.admin_username admin_ssh_key { username = var.admin_username public_key = azapi_resource_action.ssh_public_key_gen.output.publicKey } network_interface_ids = [azurerm_network_interface.vm_server_nic.id] os_disk { caching = "ReadWrite" storage_account_type = "Standard_LRS" } source_image_reference { publisher = "Canonical" offer = "UbuntuServer" sku = "18.04-LTS" version = "latest" } boot_diagnostics { storage_account_uri = azurerm_storage_account.sa.primary_blob_endpoint } } resource "azurerm_linux_virtual_machine" "vm_jump" { name = "jump-vm" resource_group_name = azurerm_resource_group.rg.name location = azurerm_resource_group.rg.location size = var.virtual_machine_size network_interface_ids = [azurerm_network_interface.vm_jump_nic.id] admin_username = var.admin_username os_disk { caching = "ReadWrite" storage_account_type = "Standard_LRS" } admin_ssh_key { username = var.admin_username public_key = azapi_resource_action.ssh_public_key_gen.output.publicKey } source_image_reference { publisher = "Canonical" offer = "UbuntuServer" sku = "18.04-LTS" version = "latest" } boot_diagnostics { storage_account_uri = azurerm_storage_account.sa.primary_blob_endpoint } computer_name = "JumpBox" } resource "azurerm_route_table" "rt" { name = "rt-azfw-eus" location = azurerm_resource_group.rg.location resource_group_name = azurerm_resource_group.rg.name disable_bgp_route_propagation = false route { name = "azfwDefaultRoute" address_prefix = "0.0.0.0/0" next_hop_type = "VirtualAppliance" next_hop_in_ip_address = azurerm_firewall.fw.ip_configuration[0].private_ip_address } } resource "azurerm_subnet_route_table_association" "server_subnet_rt_association" { subnet_id = azurerm_subnet.server_subnet.id route_table_id = azurerm_route_table.rt.id }创建名为
variables.tf的文件并插入下列代码:variable "resource_group_location" { type = string description = "Location for all resources." default = "eastus" } variable "resource_group_name_prefix" { type = string description = "Prefix for the Resource Group Name that's combined with a random id so name is unique in your Azure subcription." default = "rg" } variable "firewall_sku_tier" { type = string description = "Firewall SKU." default = "Premium" # Valid values are Standard and Premium validation { condition = contains(["Standard", "Premium"], var.firewall_sku_tier) error_message = "The SKU must be one of the following: Standard, Premium" } } variable "virtual_machine_size" { type = string description = "Size of the virtual machine." default = "Standard_D2_v3" } variable "admin_username" { type = string description = "Value of the admin username." default = "azureuser" }创建名为
outputs.tf的文件并插入下列代码:output "resource_group_name" { value = azurerm_resource_group.rg.name } output "firewall_name" { value = azurerm_firewall.fw.name }
初始化 Terraform
运行 terraform init,将 Terraform 部署进行初始化。 此命令将下载管理 Azure 资源所需的 Azure 提供程序。
terraform init -upgrade
要点:
- 参数
-upgrade可将必要的提供程序插件升级到符合配置版本约束的最新版本。
创建 Terraform 执行计划
运行 terraform plan 以创建执行计划。
terraform plan -out main.tfplan
要点:
terraform plan命令将创建一个执行计划,但不会执行它。 它会确定创建配置文件中指定的配置需要执行哪些操作。 此模式允许你在对实际资源进行任何更改之前验证执行计划是否符合预期。- 使用可选
-out参数可以为计划指定输出文件。 使用-out参数可以确保所查看的计划与所应用的计划完全一致。
应用 Terraform 执行计划
运行 terraform apply,将执行计划应用到云基础结构。
terraform apply main.tfplan
要点:
- 示例
terraform apply命令假设你先前运行了terraform plan -out main.tfplan。 - 如果为
-out参数指定了不同的文件名,请在对terraform apply的调用中使用该相同文件名。 - 如果未使用
-out参数,请调用不带任何参数的terraform apply。
验证结果
获取 Azure 资源组名称。
resource_group_name=$(terraform output -raw resource_group_name)运行 az network ip-group list 以显示两个新的 IP 组。
az network ip-group list --resource-group $resource_group_name
清理资源
不再需要通过 Terraform 创建的资源时,请执行以下步骤:
运行 terraform plan 并指定
destroy标志。terraform plan -destroy -out main.destroy.tfplan要点:
terraform plan命令将创建一个执行计划,但不会执行它。 它会确定创建配置文件中指定的配置需要执行哪些操作。 此模式允许你在对实际资源进行任何更改之前验证执行计划是否符合预期。- 使用可选
-out参数可以为计划指定输出文件。 使用-out参数可以确保所查看的计划与所应用的计划完全一致。
运行 terraform apply 以应用执行计划。
terraform apply main.destroy.tfplan
Azure 上的 Terraform 故障排除
排查在 Azure 上使用 Terraform 时遇到的常见问题