I am trying to create a azure app gateway using terraform and my code looks like below:
main.tf
# Create Application Gateway
resource "azurerm_application_gateway" "app_gateway" {
name = var.name
resource_group_name = var.appg_name
location = var.appg_location
.
.
.
# backend_address_pool {
# name = var.backend_address_pool_name
# }
dynamic "backend_address_pool" {
for_each = var.backend_pools
content {
name = backend_pools.value["name"]
fqdns = backend_pools.value["fqdns"]
ip_addresses = backend_pools.value["ip_addresses"]
}
}
backend_http_settings {
name = var.http_setting_name
cookie_based_affinity = var.cookie_based_affinity
path = var.backend_http_settings_path
port = var.http_setting_port
protocol = var.http_setting_protocol
request_timeout = var.http_setting_request_time_out_value
}
.
.
.
}
And here's my variables.tf - only backend_pools is mentioned here of all the variables
variable "backend_pools" {
type = list(map(string))
}
And this is my terraform.tfvars
backend_pools = [
{
name = "pool1"
fqdns = "fqdns1"
ip_addresses = "10.0.0.0"
},
{
name = "pool2"
fqdns = "fqdns2"
ip_addresses = "10.0.0.0"
},
{
name = "pool3"
fqdns = "fqdns3"
ip_addresses = "10.0.0.0"
},
]
What I am worried about is, according to the terraform docs it is mentioned that the data types of both fqdns and ip_addresses are list, then how can I change my variables.tf and terraform.tfvars and also main.tf which contain the dynamic block accordingly.
What I want to do is, create multiple backend pools and pass the values using a variable file or is it possible to create a json file with multiple backend pool and pass it to the backend_pools parameter?
Can someone please help me on this?
First, there is a mistake in your Terraform code:
dynamic "backend_address_pool" {
for_each = var.backend_pools
content {
name = backend_pools.value["name"]
fqdns = backend_pools.value["fqdns"]
ip_addresses = backend_pools.value["ip_addresses"]
}
}
When you use the for_each loop, it should be:
dynamic "backend_address_pool" {
for_each = var.backend_pools
content {
name = each.value["name"]
fqdns = each.value["fqdns"]
ip_addresses = each.value["ip_addresses"]
}
}
When you use the list in the for_each loop, you can try to change the type like this:
for_each = toset(var.backend_pools)
But the better way is to use the map, so you can change your variables like this:
backend_pools = {
pool1 = {
fqdns = "fqdns1"
ip_addresses = "10.0.0.0"
},
pool2 = {
fqdns = "fqdns2"
ip_addresses = "10.0.0.0"
},
pool3 = {
fqdns = "fqdns3"
ip_addresses = "10.0.0.0"
}
}
Then your dynamic block will look like this:
dynamic "backend_address_pool" {
for_each = var.backend_pools
content {
name = each.key
fqdns = each.value["fqdns"]
ip_addresses = each.value["ip_addresses"]
}
}
Related
I have the following list of objects defined as a local:
agw_configs = [
{
env = "dev"
function = "events"
backend_pool_fqdn = "dev.servicebus.windows.net"
cookie_based_affinity = "Enabled"
https_listener_hostname = "ingestiondev.co.uk"
},
{
env = "test"
function = "events"
backend_pool_fqdn = "test.servicebus.windows.net"
cookie_based_affinity = "Enabled"
https_listener_hostname = "ingestiontest.co.uk"
}
]
I now want to use multiple dynamic blocks within an Azure application gateway resource to create various settings for each environment. However I cannot figure out how to do this and keep getting undeclared resource errors. Here is my current config:
resource "azurerm_application_gateway" "application_gateway" {
name = local.application_gateway_name
resource_group_name = var.resource_group_name
location = var.location
sku {
name = var.sku.size
tier = var.sku.tier
capacity = var.sku.capacity
}
...
dynamic "backend_address_pool" {
for_each = local.agw_configs
content {
name = "${var.region}-${agw_configs.value.env}-${agw_configs.value.function}-beap"
fqdns = [agw_configs.value.backend_pool_fqdn]
}
}
Feels like i am almost there but not sure where I am going wrong
See an example that it works:
1/ Define the variable - with the
variable "backend_pools" {
type = map(string({
fqdn = string
ip_addresses = string
}))
#Define default value
default = {
"Pool1" = {
fqdns = "fqdns1"
ip_addresses = "10.0.0.0"
}
"pool2" = {
fqdns = "fqdns1"
ip_addresses = "10.10.0.0"
}
Then you can use the var from dynamic block into your azurerm_application_gateway block:
dynamic "backend_address_pool" {
for_each = var.backend_pools
content {
fqdns = backend_address_pool.value.fqdn
ip_addresses = backend_address_pool.value.ip_addresses
}
}
I have seen some codes with same intention but somehow I couldnt make it work.
I have two different modules,
subnet - Where I'm creating two subnets where subnet name is provided in tfvars
nsg - Where I'm creating two nsg where nsg name is provided in tfvars
And I output the created subnet id's and nsg_ids to my main.tf from both module
What I'm trying to do is to associate each subnets to each nsg's like
subnet1 to nsg1
subnet2 to nsg2
Main.tf
module "nsg" {
source = "./Modules/NSGConfig"
nsglist = var.nsglist
resource_group_name = azurerm_resource_group.resource_group.name
location = azurerm_resource_group.resource_group.location
nsg = tomap(
{
for k, subnet_id in module.SUBNETS.subnet_ids : k =>
{
subnet_id = subnet_id
}
}
)
}
NSG.tf (only including association part)
resource "azurerm_subnet_network_security_group_association" "nsg_association" {
for_each=var.nsg
subnet_id = each.value.subnet_id
network_security_group_id = azurerm_network_security_group.nsg[*].nsg_id #wont work
}
variable.tf (NSG module)
variable "nsg" {
type = map(object({
subnet_id = string
}))
}
I tried to nest the for (in main.tf) to include the output from nsgid but failed.
Ps. I'm really new to terraform
Main.tfvars
RGlocation = "westus"
RGname = "TEST-RG1-TERRAFORM"
VNETname = "TEST-VNET-TERRAFORM"
address_space = "10.0.0.0/16"
Subnetlist = {
"s1" = { name = "TESTSUBNET1-TERRAFORM", address = "10.0.1.0/24" },
"s2" = { name = "TESTSUBNET2-TERRAFORM", address = "10.0.2.0/24" },
"s3" = { name = "TESTSUBNET3-TERRAFORM", address = "10.0.3.0/24" }
}
niclist = {
"s1" = { name = "TESTNIC1-TERRAFORM" },
"s2" = { name = "TESTNIC2-TERRAFORM" },
"s3" = { name = "TESTNIC3-TERRAFORM" }
}
nsglist = {
"s1" = { name = "TESTNSG1-TERRAFORM" },
"s2" = { name = "TESTNSG1-TERRAFORM" },
"s3" = { name = "TESTNSG1-TERRAFORM" }
}
--- Update 2
Module output from the subnet module and NSG module is as below
Outputs:
nsg_id = tomap({
"s1" = "./resourceGroups/TEST-RG1-TERRAFORM/providers/Microsoft.Network/networkSecurityGroups/TESTNSG1-TERRAFORM"
"s2" = "./resourceGroups/TEST-RG1-TERRAFORM/providers/Microsoft.Network/networkSecurityGroups/TESTNSG1-TERRAFORM"
"s3" = "./resourceGroups/TEST-RG1-TERRAFORM/providers/Microsoft.Network/networkSecurityGroups/TESTNSG1-TERRAFORM"
})
sub_id = tomap({
"s1" = "./resourceGroups/TEST-RG1-TERRAFORM/providers/Microsoft.Network/virtualNetworks/SACHIN-TEST-VNET-TERRAFORM/subnets/TESTSUBNET1-TERRAFORM"
"s2" = "./resourceGroups/TEST-RG1-TERRAFORM/providers/Microsoft.Network/virtualNetworks/SACHIN-TEST-VNET-TERRAFORM/subnets/TESTSUBNET2-TERRAFORM"
"s3" = "./resourceGroups/TEST-RG1-TERRAFORM/providers/Microsoft.Network/virtualNetworks/SACHIN-TEST-VNET-TERRAFORM/subnets/TESTSUBNET3-TERRAFORM"
})
I'm trying to parametrize the creation of a NLB, and provision in the same plan the necessary public subnets.
The subnets are specified as a variable of the plan:
variable "nlb_public_subnets" {
type = list(object({
name = string
network_number = number
availability_zone = string
elastic_ip = string
}))
default = [
{
name = "sftp_sub_A"
network_number = 1
availability_zone = "eu-west-1a"
elastic_ip = "X.Y.Z.T"
},
{
name = "sftp_sub_B"
network_number = 2
availability_zone = "eu-west-1b"
elastic_ip = "XX.YY.ZZ.TT"
}
]
}
variable "common_tags" {
description = "A map containing the common tags to apply to all resources"
type = map(string)
default = {}
}
locals {
vpc_id = "dummy"
base_cidr = "10.85.23.0/24"
publicSubnets = { for s in var.nlb_public_subnets :
s.name => {
name = s.name
cidr_block = cidrsubnet(var.base_public_subnet_cidr_block, 6,
s.network_number )
availability_zone = s.availability_zone
elastic_ip = s.elastic_ip
}
}
}
I'm specifying a name, a network number (to compute the cidr block), an availability zone, and an elastic IP to map to when creating the NLB.
Here I'm creating the subnets:
#Comment added after solution was given
#This will result in a Map indexed by subnet.name provided in var.nlb_public_subnets
resource "aws_subnet" "sftp_nlb_subnets" {
for_each = { for subnet in local.publicSubnets :
subnet.name => subnet
}
cidr_block = each.value.cidr_block
vpc_id = local.vpc_id
availability_zone = each.value.availability_zone
tags = {
Name = each.key
Visibility = "public"
Purpose = "NLB"
}
}
Now I need to create my NLB, and this is where I'm struggling on how to associate the freshly created subnets with the Elastic IP provided in the configuration:
resource "aws_lb" "sftp" {
name = var.name
internal = false
load_balancer_type = "network"
subnets = [for subnet in aws_subnet.sftp_nlb_subnets: subnet.id]
enable_deletion_protection = true
tags = merge(var.common_tags,{
Name=var.name
})
dynamic "subnet_mapping" {
for_each = aws_subnet.sftp_nlb_subnets
content {
subnet_id = subnet_mapping.value.id
allocation_id = ????Help???
}
}
}
Could I somehow look up the configuration object with the help of the subnet name in the tags?
UPDATE1
Updated the dynamic block, as it had a typo.
UPDATE2
#tmatilai nailed the answer!
Here's the modified aws_lb block:
#
#This will result in a Map indexed by subnet.name provided in var.nlb_public_subnets
data "aws_eip" "nlb" {
for_each = local.publicSubnets
public_ip = each.value.elastic_ip
}
resource "aws_lb" "sftp" {
name = var.name
internal = false
load_balancer_type = "network"
subnets = [for subnet in aws_subnet.sftp_nlb_subnets : subnet.id]
enable_deletion_protection = true
tags = merge(var.common_tags, {
Name = var.name
})
dynamic "subnet_mapping" {
#subnet_mapping.key will contain subnet.name, so we can use it to access the Map data.aws_eip.nlb (also indexed by subnet.name) to get the eip allocation_id
for_each = aws_subnet.sftp_nlb_subnets
content {
subnet_id = subnet_mapping.value.id
allocation_id = data.aws_eip.nlb[subnet_mapping.key].id
}
}
}
The trick is to realize that both aws_subnet.sftp_nlb_subnets and data.aws_eip.nlb are a Map, indexed by the key of local.publicSubnets. This allows us to use this common key (the subnet name) in the map aws_subnet.sftp to look up information in the data (data.aws_eip.nlb) obtained from the original input, local.publicSubnets.
Thanks. This is a neat trick.
Passing the IP address of the elastic IPs sounds strange. If you create the EIPs elsewhere, why not pass the (allocation) ID of them instead?
But with this setup, you can get the allocation ID with the aws_eip data source:
data "aws_eip" "nlb" {
for_each = local.publicSubnets
public_ip = each.value.elastic_ip
}
resource "aws_lb" "sftp" {
# ...
dynamic "subnet_mapping" {
for_each = aws_subnet.sftp_nlb_subnets
content {
subnet_id = subnet_mapping.value.id
allocation_id = data.aws_eip.nlb[subnet_mapping.key].id
}
}
}
But maybe it would make more sense to create the EIPs also here. For example something like this:
resource "aws_eip" "nlb" {
for_each = local.publicSubnets
vpc = true
}
resource "aws_lb" "sftp" {
# ...
dynamic "subnet_mapping" {
for_each = aws_subnet.sftp_nlb_subnets
content {
subnet_id = subnet_mapping.value.id
allocation_id = aws_eip.nlb[subnet_mapping.key].id
}
}
}
I am attempting to use a dynamic block to define multiple ip_rules and virtual_network exceptions in one resource. For some reason, when I attempt to use a variable as my for_each loop, it says the following errors.
variable "vnet_subnet_ids" {
description = "List of strings that are VNet Subnet IDs to whitelist."
type = list(string)
default = [
"/subscriptions/${subscription_id}/resourceGroups/${rg_name}/providers/Microsoft.Network/virtualNetworks/nonprod-vnet-gp-kubernetes/subnets/pods_pub_subnet_01",
"/subscriptions/${subscription_id}/resourceGroups/${rg_name}/providers/Microsoft.Network/virtualNetworks/nonprod-vnet-gp-kubernetes/subnets/pods_pub_subnet_02",
]
sensitive = false
}
resource "azurerm_container_registry" "devops" {
name = var.acr_name
resource_group_name = var.rg_name
location = var.rg_location
sku = var.acr_sku
admin_enabled = false
georeplication_locations = var.acr_geo_rep_locations
network_rule_set {
default_action = "Deny"
dynamic "ip_rule" {
for_each = [1]
content {
action = "Allow"
ip_range = "xxx.xxx.xxx.xxx/32"
}
}
#dynamic "ip_rule" {
# for_each = var.acr_ip_rules
# content {
# action = "Allow"
# ip_range = ip_rule.value
# }
#}
dynamic "virtual_network" {
for_each = var.vnet_subnet_ids
content {
action = "Allow"
subnet_id = virtual_network.value
}
}
tags = var.company_tags
}
However, I get the following error:
│ Error: Argument or block definition required
│
│ On ../../modules/azure/acr/main.tf line 41: An argument or block definition is required here.
╵
The part with the ip_rule works, but the virtual_network part does not. I do not understand why.
There seems to be an open bug related to this. I can't test this at the moment, but see if this variation works for you:
variable "acr_name" { default = "acr_name" }
variable "rg_location" { default = "rg_location" }
variable "acr_sku" { default = "acr_sku" }
variable "subscription_id" { default = "subscription_id" }
variable "rg_name" { default = "rg_name" }
variable "acr_geo_rep_locations" { default = "acr_geo_rep_locations" }
variable "company_tags" { default = "company_tags" }
variable "acr_ip_rules" { default = ["1", "2"]}
variable "vnet_subnet_ids" { default = ["1", "2"]}
terraform {
required_providers {
azurerm = {
source = "hashicorp/azurerm"
version = "=2.79.1"
}
}
}
provider "azurerm" {
features {}
}
locals {
allowed_ips = [for ip in var.acr_ip_rules : {
action = "Allow",
ip_range = ip
}]
allowed_virtual_networks = [for sub in var.vnet_subnet_ids : {
action = "Allow",
subnet_id = sub
}]
}
resource "azurerm_container_registry" "devops" {
name = var.acr_name
resource_group_name = var.rg_name
location = var.rg_location
sku = var.acr_sku
admin_enabled = false
georeplication_locations = var.acr_geo_rep_locations
network_rule_set {
default_action = "Deny"
ip_rule = local.allowed_ips
virtual_network = local.allowed_virtual_networks
}
tags = var.company_tags
}
Turns out I'm missing a }. So, I'm on to new errors listed here
https://github.com/hashicorp/terraform/issues/22340
I would like to dynamically create some subnets and route tables from a .tfvars file, and then link each subnet to the associated route table if specified.
Here is my .tfvars file:
vnet_spoke_object = {
specialsubnets = {
Subnet_1 = {
name = "test1"
cidr = ["10.0.0.0/28"]
route = "route1"
}
Subnet_2 = {
name = "test2"
cidr = ["10.0.0.16/28"]
route = "route2"
}
Subnet_3 = {
name = "test3"
cidr = ["10.0.0.32/28"]
}
}
}
route_table = {
route1 = {
name = "route1"
disable_bgp_route_propagation = true
route_entries = {
re1 = {
name = "rt-rfc-10-28"
prefix = "10.0.0.0/28"
next_hop_type = "VirtualAppliance"
next_hop_in_ip_address = "10.0.0.10"
}
}
}
route2 = {
name = "route2"
disable_bgp_route_propagation = true
route_entries = {
re1 = {
name = "rt-rfc-10-28"
prefix = "10.0.0.16/28"
next_hop_type = "VirtualAppliance"
next_hop_in_ip_address = "10.0.0.10"
}
}
}
}
...and here is my build script:
provider "azurerm" {
version = "2.18.0"
features{}
}
variable "ARM_LOCATION" {
default = "uksouth"
}
variable "ARM_SUBSCRIPTION_ID" {
default = "asdf-b31e023c78b8"
}
variable "vnet_spoke_object" {}
variable "route_table" {}
module "names" {
source = "./nbs-azure-naming-standard"
env = "dev"
location = var.ARM_LOCATION
subId = var.ARM_SUBSCRIPTION_ID
}
resource "azurerm_resource_group" "test" {
name = "${module.names.standard["resource-group"]}-vnet"
location = var.ARM_LOCATION
}
resource "azurerm_virtual_network" "test" {
name = "${module.names.standard["virtual-network"]}-test"
location = var.ARM_LOCATION
resource_group_name = azurerm_resource_group.test.name
address_space = ["10.0.0.0/16"]
}
resource "azurerm_subnet" "test" {
for_each = var.vnet_spoke_object.specialsubnets
name = "${module.names.standard["subnet"]}-${each.value.name}"
resource_group_name = azurerm_resource_group.test.name
virtual_network_name = azurerm_virtual_network.test.name
address_prefixes = each.value.cidr
}
resource "azurerm_route_table" "test" {
for_each = var.route_table
name = "${module.names.standard["route-table"]}-${each.value.name}"
location = var.ARM_LOCATION
resource_group_name = azurerm_resource_group.test.name
disable_bgp_route_propagation = each.value.disable_bgp_route_propagation
dynamic "route" {
for_each = each.value.route_entries
content {
name = route.value.name
address_prefix = route.value.prefix
next_hop_type = route.value.next_hop_type
next_hop_in_ip_address = contains(keys(route.value), "next_hop_in_ip_address") ? route.value.next_hop_in_ip_address: null
}
}
}
That part works fine in creating the vnet/subnet/route resources, but the problem I face is to dynamically link each subnet to the route table listed in the .tfvars. Not all the subnets will have a route table associated with it, thus it will need to only run IF the key/value route is listed.
resource "azurerm_subnet_route_table_association" "test" {
for_each = {
for key, value in var.vnet_spoke_object.specialsubnets:
key => value
if value.route != null
}
lifecycle {
ignore_changes = [
subnet_id
]
}
subnet_id = azurerm_subnet.test[each.key].id
route_table_id = azurerm_route_table.test[each.key].id
}
The error I face with the above code is:
Error: Unsupported attribute
on main.tf line 65, in resource "azurerm_subnet_route_table_association" "test":
65: if value.route != null
This object does not have an attribute named "route".
I have tried various ways with no success, and I'm at a loss here and would appreciate any guidance posisble.
Based on your scenario, I'm guessing vnet_spoke_object in input looks like this:
vnet_spoke_object = {
specialsubnets = {
subnetA = {
cidr = "..."
}
subnetB = {
cidr = "..."
route = "..."
}
}
}
The problem with that is that a missing route entry doesn't resolve to null, it causes a panic or crash. You'd need to write your input like this (with explicit nulls):
vnet_spoke_object = {
specialsubnets = {
subnetA = {
cidr = "..."
route = null
}
subnetB = {
cidr = "..."
route = "..."
}
}
}
Or lookup route by name and provide a null default in your for map generator expression like this:
for_each = {
for key, value in var.vnet_spoke_object.specialsubnets:
key => value
if lookup(value, "route", null) != null
}