我正在探索 Terraform,以便使用 panos_nat_rule_group 资源在帕洛阿尔托防火墙上自动创建 NAT 规则。
NAT 规则在“转换后的数据包(translated packet)”部分有多个选项:可以转换数据包的源 IP 和/或目标 IP,而且每一种都有多种转换方式(例如源地址的静态 IP、动态 IP、动态 IP 和端口)。
是否可以创建一个包含所有可能选项的变量,如下所示:
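# NAT rules to create in the panos_nat_rule_group resource.
#
# Every translation sub-object is declared optional(), so a rule only has to
# fill in the translation it actually uses and can leave the others out; an
# omitted sub-object becomes null instead of failing with "attribute required".
# This needs Terraform >= 1.3 (optional() object attributes with defaults).
# Callers that still pass every sub-object keep working unchanged.
variable "natRules" {
  description = "List of NAT rules; each rule fills in only the translation sub-objects it uses, the rest are null."

  type = list(object({
    name          = string
    description   = optional(string, "")
    audit_comment = optional(string, "")

    original_packet = object({
      source_zones          = list(string)
      destination_zone      = string
      destination_interface = string
      service               = string
      source_addresses      = list(string)
      destination_addresses = list(string)
    })

    translated_packet = object({
      # Source translation: at most one of the three sub-objects should be set
      # (enforced by the validation below).
      source = optional(object({
        # Static source NAT. bi_directional defaults to off; enabling it is
        # expected to also install the reverse (inbound) translation, so it
        # should be a deliberate choice per rule.
        static_ip = optional(object({
          translated_address = string
          bi_directional     = optional(bool, false)
        }))
        dynamic_ip_and_port = optional(object({
          translated_address = optional(object({
            translated_addresses = list(string)
          }))
          interface_address = optional(object({
            interface  = string
            ip_address = optional(string)
          }))
        }))
        dynamic_ip = optional(object({
          translated_addresses = list(string)
        }))
      }), {})

      # Destination translation: at most one of the two sub-objects should be
      # set (enforced by the validation below).
      destination = optional(object({
        static_translation = optional(object({
          address = string
          port    = optional(number)
        }))
        dynamic_translation = optional(object({
          address      = string
          port         = optional(number)
          distribution = optional(string)
        }))
      }), {})
    })
  }))

  # Reject ambiguous rules early, at plan time, instead of letting the
  # firewall API reject (or silently reinterpret) a rule that names more than
  # one source translation type.
  validation {
    condition = alltrue([
      for r in var.natRules : length(compact([
        r.translated_packet.source.static_ip == null ? "" : "static_ip",
        r.translated_packet.source.dynamic_ip_and_port == null ? "" : "dynamic_ip_and_port",
        r.translated_packet.source.dynamic_ip == null ? "" : "dynamic_ip",
      ])) <= 1
    ])
    error_message = "Each NAT rule may set at most one source translation type (static_ip, dynamic_ip_and_port or dynamic_ip)."
  }

  validation {
    condition = alltrue([
      for r in var.natRules : length(compact([
        r.translated_packet.destination.static_translation == null ? "" : "static_translation",
        r.translated_packet.destination.dynamic_translation == null ? "" : "dynamic_translation",
      ])) <= 1
    ])
    error_message = "Each NAT rule may set at most one destination translation type (static_translation or dynamic_translation)."
  }
}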
然后在 terraform.tfvars 中为不同的 NAT 规则填写取值,但每条规则只填写它实际需要的那部分。例如,如果只想把源 IP 转换为某个静态 IP,就只填写变量中对应的 static_ip 对象,其余对象留空;再写另一条使用不同转换方式的规则时,同样只填写该规则需要的值。
# Example terraform.tfvars values for var.natRules.
#
# NOTE(review): every translation sub-object is filled in for every rule, with
# "" / [""] / null standing in for the parts a rule does not use. Terraform
# treats those placeholders as real values, so any resource block that reads
# them will hand an empty address or interface name to the firewall. To leave
# a section genuinely empty, set the whole sub-object to null (or omit it, if
# the variable type marks it optional) and have the resource skip null
# sub-objects -- confirm the variable and resource in use handle null before
# changing these values.
natRules = [
  {
    # Rule 1: static source NAT only (translated source 10.1.1.1); every other
    # translation sub-object below is a placeholder.
    name          = "Static-IP-Port"
    description   = "Test nat rule"
    audit_comment = ""
    original_packet = {
      source_zones          = ["Inside"]
      destination_zone      = "Outside"
      destination_interface = "any"
      service               = "any"
      source_addresses      = ["any"]
      destination_addresses = ["any"]
    }
    translated_packet = {
      source = {
        static_ip = {
          translated_address = "10.1.1.1"
          # Kept off: enabling bi-directional static NAT is expected to also
          # install the reverse (inbound) translation -- verify against the
          # firewall docs before turning it on.
          bi_directional = false
        }
        # Placeholder, not used by this rule.
        dynamic_ip_and_port = {
          translated_address = {
            translated_addresses = [""]
          }
          interface_address = {
            interface  = ""
            ip_address = ""
          }
        }
        # Placeholder, not used by this rule.
        dynamic_ip = {
          translated_addresses = [""]
        }
      }
      # Placeholders: this rule does no destination translation.
      destination = {
        static_translation = {
          address = ""
          port    = null
        }
        dynamic_translation = {
          address      = ""
          port         = null
          distribution = ""
        }
      }
    }
  },
  {
    # Rule 2: dynamic IP-and-port source NAT using the address of
    # ethernet1/1; every other translation sub-object below is a placeholder.
    name          = "Dynamic-IP-Port"
    description   = "Test nat rule"
    audit_comment = ""
    original_packet = {
      source_zones          = ["Inside"]
      destination_zone      = "Outside"
      destination_interface = "any"
      service               = "any"
      source_addresses      = ["any"]
      destination_addresses = ["any"]
    }
    translated_packet = {
      source = {
        # Placeholder, not used by this rule.
        static_ip = {
          translated_address = ""
          bi_directional     = false
        }
        dynamic_ip_and_port = {
          # Placeholder: translated_address and interface_address are
          # alternatives; only interface_address is meant to apply here.
          translated_address = {
            translated_addresses = [""]
          }
          interface_address = {
            interface  = "ethernet1/1"
            # Example address only; replace with the real interface address.
            ip_address = "11.11.11.1/24"
          }
        }
        # Placeholder, not used by this rule.
        dynamic_ip = {
          translated_addresses = [""]
        }
      }
      # Placeholders: this rule does no destination translation.
      destination = {
        static_translation = {
          address = ""
          port    = null
        }
        dynamic_translation = {
          address      = ""
          port         = null
          distribution = ""
        }
      }
    }
  }
]
然后在 main.tf 中只用一个资源:它检查每条规则设置了哪些值,并据此只生成资源中对应的那部分配置。应该怎样实现这种条件判断?
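# One panos_nat_rule_group holding every rule in var.natRules.
#
# Each rule emits only the translation sub-blocks that are actually set: a
# sub-object that is null in the variable produces no block at all, so a rule
# can carry just static source NAT, just dynamic IP-and-port, and so on. The
# check is "is the sub-object null", not "is it empty": a sub-object that is
# present but filled with "" placeholders still emits its block and sends those
# empty values to the firewall, so unused sections must be null (or omitted,
# when the variable type marks them optional).
#
# Unlike the earlier version, the dynamic_ip_and_port.translated_address and
# both destination sub-objects declared in the variable are now rendered too,
# so values set there are no longer silently dropped.
resource "panos_nat_rule_group" "CreateNATRules" {
  dynamic "rule" {
    for_each = var.natRules
    content {
      name          = rule.value.name
      description   = rule.value.description
      audit_comment = rule.value.audit_comment

      original_packet {
        source_zones          = rule.value.original_packet.source_zones
        destination_zone      = rule.value.original_packet.destination_zone
        destination_interface = rule.value.original_packet.destination_interface
        service               = rule.value.original_packet.service
        source_addresses      = rule.value.original_packet.source_addresses
        destination_addresses = rule.value.original_packet.destination_addresses
      }

      translated_packet {
        # source {} and destination {} are always present; only their inner
        # sub-blocks are conditional.
        source {
          # Static source NAT. bi_directional = true is expected to also
          # install the reverse (inbound) translation, so treat it as a
          # deliberate per-rule decision.
          dynamic "static_ip" {
            for_each = rule.value.translated_packet.source.static_ip == null ? [] : [rule.value.translated_packet.source.static_ip]
            content {
              translated_address = static_ip.value.translated_address
              bi_directional     = static_ip.value.bi_directional
            }
          }

          dynamic "dynamic_ip_and_port" {
            for_each = rule.value.translated_packet.source.dynamic_ip_and_port == null ? [] : [rule.value.translated_packet.source.dynamic_ip_and_port]
            content {
              # translated_address and interface_address are alternatives;
              # set exactly one of them to non-null in the variable.
              dynamic "translated_address" {
                for_each = dynamic_ip_and_port.value.translated_address == null ? [] : [dynamic_ip_and_port.value.translated_address]
                content {
                  translated_addresses = translated_address.value.translated_addresses
                }
              }
              dynamic "interface_address" {
                for_each = dynamic_ip_and_port.value.interface_address == null ? [] : [dynamic_ip_and_port.value.interface_address]
                content {
                  interface  = interface_address.value.interface
                  ip_address = interface_address.value.ip_address
                }
              }
            }
          }

          dynamic "dynamic_ip" {
            for_each = rule.value.translated_packet.source.dynamic_ip == null ? [] : [rule.value.translated_packet.source.dynamic_ip]
            content {
              translated_addresses = dynamic_ip.value.translated_addresses
            }
          }
        }

        destination {
          dynamic "static_translation" {
            for_each = rule.value.translated_packet.destination.static_translation == null ? [] : [rule.value.translated_packet.destination.static_translation]
            content {
              address = static_translation.value.address
              port    = static_translation.value.port
            }
          }

          dynamic "dynamic_translation" {
            for_each = rule.value.translated_packet.destination.dynamic_translation == null ? [] : [rule.value.translated_packet.destination.dynamic_translation]
            content {
              address      = dynamic_translation.value.address
              port         = dynamic_translation.value.port
              distribution = dynamic_translation.value.distribution
            }
          }
        }
      }
    }
  }

  # NOTE(review): create_before_destroy on a rule group means a replacement
  # group is pushed while the old one still exists; whether PAN-OS accepts two
  # rules with the same name during that window is not shown here -- confirm
  # before relying on it.
  lifecycle {
    create_before_destroy = true
  }
}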