'Terraform azurerm_firewall_policy_rule_collection_group not creating nat_rule collection
I have nat_rule_collection defined at the bottom of this resource. Everything is created except that nat_rule_collection. Is there any mistake here that could cause this? I redacted the real destination address, but the real one one does match the public load balancer IP.
I know that the group indicates egress but I am just trying it there, and I believe that is just a label.
resource "azurerm_firewall_policy_rule_collection_group" "policy" {
name = "AksEgressPolicyRuleCollectionGroup"
firewall_policy_id = azurerm_firewall_policy.policy.id
priority = 500
application_rule_collection {
name = "ApplicationRules"
priority = 500
action = "Allow"
rule {
name = "AllowMicrosoftFqdns"
source_addresses = ["*"]
destination_fqdns = [
"*.cdn.mscr.io",
"mcr.microsoft.com",
"*.data.mcr.microsoft.com",
"management.azure.com",
"login.microsoftonline.com",
"acs-mirror.azureedge.net",
"dc.services.visualstudio.com",
"*.opinsights.azure.com",
"*.oms.opinsights.azure.com",
"*.microsoftonline.com",
"*.monitoring.azure.com",
]
protocols {
port = "80"
type = "Http"
}
protocols {
port = "443"
type = "Https"
}
}
rule {
name = "AllowFqdnsForOsUpdates"
source_addresses = ["*"]
destination_fqdns = [
"download.opensuse.org",
"security.ubuntu.com",
"ntp.ubuntu.com",
"packages.microsoft.com",
"snapcraft.io"
]
protocols {
port = "80"
type = "Http"
}
protocols {
port = "443"
type = "Https"
}
}
rule {
name = "AllowImagesFqdns"
source_addresses = ["*"]
destination_fqdns = [
"auth.docker.io",
"registry-1.docker.io",
"production.cloudflare.docker.com"
]
protocols {
port = "80"
type = "Http"
}
protocols {
port = "443"
type = "Https"
}
}
rule {
name = "AllowBing"
source_addresses = ["*"]
destination_fqdns = [
"*.bing.com"
]
protocols {
port = "80"
type = "Http"
}
protocols {
port = "443"
type = "Https"
}
}
rule {
name = "AllowGoogle"
source_addresses = ["*"]
destination_fqdns = [
"*.google.com"
]
protocols {
port = "80"
type = "Http"
}
protocols {
port = "443"
type = "Https"
}
}
rule {
name = "AllowPublicPOrt80"
source_addresses = ["*"]
# destination_fqdns = [
# "*.google.com"
# ]
protocols {
port = "80"
type = "Http"
}
protocols {
port = "443"
type = "Https"
}
}
}
network_rule_collection {
name = "NetworkRules"
priority = 400
action = "Allow"
rule {
name = "Time"
source_addresses = ["*"]
destination_ports = ["123"]
destination_addresses = ["*"]
protocols = ["UDP"]
}
rule {
name = "DNS"
source_addresses = ["*"]
destination_ports = ["53"]
destination_addresses = ["*"]
protocols = ["UDP"]
}
rule {
name = "ServiceTags"
source_addresses = ["*"]
destination_ports = ["*"]
destination_addresses = [
"AzureContainerRegistry",
"MicrosoftContainerRegistry",
"AzureActiveDirectory"
]
protocols = ["Any"]
}
rule {
name = "Internet"
source_addresses = ["*"]
destination_ports = ["*"]
destination_addresses = ["*"]
protocols = ["TCP"]
}
}
nat_rule_collection {
name = "nat_rule_collection1"
priority = 100
action = "Dnat"
rule {
name = "fw-public-web-port-80"
protocols = ["TCP"]
source_addresses = ["*"]
destination_address = "123.123.123.123"
destination_ports = ["80"]
translated_address = "10.9.0.1"
translated_port = "80"
}
}
lifecycle {
ignore_changes = [
application_rule_collection,
network_rule_collection,
nat_rule_collection
]
}
}
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|