Error creating forwarding rule: a reserved and active subnetwork is required in the same region and VPC as the forwarding rule

Peg*_*cho 2 load-balancing google-cloud-platform terraform

I'm trying to create a regional load balancer with Terraform, but I can't create the forwarding rules and the regional HTTP(S) proxies.

```hcl
resource "google_compute_region_ssl_certificate" "ssl-crt" {
  project = "proyecto-pegachucho"
  name_prefix = "my-certificate-"
  region = var.lb_region
  private_key = file("lb_http/certificate/privateKey.key")
  certificate = file("lb_http/certificate/certificate.crt")

  lifecycle {
    create_before_destroy = true
  }
}

resource "google_compute_forwarding_rule" "lb-front-HTTP" {
  name                  = var.lb_front_name
  load_balancing_scheme = "INTERNAL_MANAGED"
  port_range            = var.lb_front_port_range
  target                = google_compute_region_target_http_proxy.lb-proxy-http.self_link
  region                = var.lb_region
  network               = var.lb_network
  subnetwork            = var.lb_subnetwork
  ip_address            = "10.10.30.5"
}

resource "google_compute_forwarding_rule" "lb-front-HTTPS" {
  name                  = "lb-https-front"
  port_range            = "443"
  load_balancing_scheme = "INTERNAL_MANAGED"
  ip_address            = "10.10.30.6"
  target                = google_compute_region_target_https_proxy.lb-proxy-https.self_link
  region                = var.lb_region
  network               = var.lb_network
  subnetwork            = var.lb_subnetwork
}


resource "google_compute_region_target_http_proxy" "lb-proxy-http" {
  name    = var.lb_proxy_name
  region  = var.lb_region
  project = "proyecto-pegachucho"
  url_map = google_compute_region_url_map.lb_url_map.self_link
}

resource "google_compute_region_target_https_proxy" "lb-proxy-https" {
  name             = "test-proxy"
  region           = var.lb_region
  project = "proyecto-pegachucho"
  url_map          = google_compute_region_url_map.lb_url_map.self_link
  ssl_certificates = [google_compute_region_ssl_certificate.ssl-crt.id]
}


resource "google_compute_region_url_map" "lb_url_map" {
  name            = var.url_map_name
  region          = var.lb_region
  default_service = google_compute_region_backend_service.lb-backend.self_link
}


resource "google_compute_region_backend_service" "lb-backend" {
  name                  = var.lb_backend_name
  region                = var.lb_region
  project = "proyecto-pegachucho"
  load_balancing_scheme = "INTERNAL_MANAGED"
  port_name             = var.lb_backend_port_name
  protocol              = var.lb_backend_protocol
  timeout_sec           = var.lb_backend_timeout
  health_checks         = [var.healthcheck_output]
  locality_lb_policy    = "ROUND_ROBIN"

  backend {
    group = var.ig_id
    balancing_mode = "UTILIZATION"
    capacity_scaler = 1.0
  }
}
```

This throws the following errors:

```
Error: Error creating ForwardingRule: googleapi: Error 400: Invalid value for field 'resource.target': 'https://www.googleapis.com/compute/v1/projects/proyecto-pegachucho/regions/us-central1/targetHttpProxies/lb-proxy'. A reserved and active subnetwork is required in the same region and VPC as the forwarding rule., invalid

  on lb_http\lb_http.tf line 13, in resource "google_compute_forwarding_rule" "lb-front-HTTP":
  13: resource "google_compute_forwarding_rule" "lb-front-HTTP" {


Error: Error creating ForwardingRule: googleapi: Error 400: Invalid value for field 'resource.target': 'https://www.googleapis.com/compute/v1/projects/proyecto-pegachucho/regions/us-central1/targetHttpsProxies/test-proxy'. A reserved and active subnetwork is required in the same region and VPC as the forwarding rule., invalid

  on lb_http\lb_http.tf line 24, in resource "google_compute_forwarding_rule" "lb-front-HTTPS":
  24: resource "google_compute_forwarding_rule" "lb-front-HTTPS" {
```

I tried using the google beta provider, but it seems I don't have permissions, while I have owner permissions on my Terraform service account.

```
Error: Error creating RegionSslCertificate: googleapi: Error 403: Required 'compute.regionSslCertificates.create' permission for 'projects/proyecto-pegachucho/regions/us-central1/sslCertificates/my-certificate-20210628014206664300000001', forbidden

  on lb_http\lb_http.tf line 1, in resource "google_compute_region_ssl_certificate" "ssl-crt":
   1: resource "google_compute_region_ssl_certificate" "ssl-crt" {


Error: Error creating RegionBackendService: googleapi: Error 403: Required 'compute.regionBackendServices.create' permission for 'projects/proyecto-pegachucho/regions/us-central1/backendServices/lb-backend'
More details:
Reason: forbidden, Message: Required 'compute.regionBackendServices.create' permission for 'projects/proyecto-pegachucho/regions/us-central1/backendServices/lb-backend'
Reason: forbidden, Message: Required 'compute.healthChecks.useReadOnly' permission for 'projects/proyecto-pegachucho/global/healthChecks/hsbc-healthcheck-dev'
Reason: forbidden, Message: Required 'compute.instanceGroups.use' permission for 'projects/proyecto-pegachucho/zones/us-central1-b/instanceGroups/tomcats-ig'


  on lb_http\lb_http.tf line 59, in resource "google_compute_region_backend_service" "lb-backend":
  59: resource "google_compute_region_backend_service" "lb-backend" {
```

小智 5

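Before creating the forwarding rule for an internal HTTP(S) load balancer, you must create a proxy-only subnet. Every region of a Virtual Private Cloud (VPC) network in which you use internal HTTP(S) load balancers must have a proxy-only subnet.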

The error message shown describes this in its last sentence:

Error creating ForwardingRule: googleapi: Error 400: Invalid value for field 'resource.target': 'https://www.googleapis.com/compute/v1/projects/proyecto-pegachucho/regions/us-central1/targetHttpProxies/lb-proxy'. A reserved and active subnetwork is required in the same region and VPC as the forwarding rule.

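To solve this, you can create the proxy-only subnet manually with the gcloud compute networks subnets create command, or use the Terraform variant via google_compute_subnetwork, where all the same fields are available; you can use the documentation for the create command as a guide and then port it all over to Terraform.

Note that this must be done before creating the forwarding rule for the internal HTTP(S) LB.

Hope the provided solution helps you!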
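The fix this answer describes, written out in Terraform as an added example (not code from the question or the answer). The resource names, the CIDR range, the `lb-backend` tag and `var.lb_backend_port` are assumptions; `var.lb_region`, `var.lb_network` and the forwarding rule come from the question.

```hcl
# Proxy-only subnet: reserved for the Envoy proxies of regional
# internal HTTP(S) load balancers. One ACTIVE subnet per region and VPC.
resource "google_compute_subnetwork" "proxy_only" {
  name          = "lb-proxy-only-subnet" # hypothetical name
  project       = "proyecto-pegachucho"
  region        = var.lb_region
  network       = var.lb_network
  ip_cidr_range = "10.129.0.0/23" # constructed range; must not overlap other subnets
  # Provider releases from the time of the question used
  # "INTERNAL_HTTPS_LOAD_BALANCER" for this purpose.
  purpose = "REGIONAL_MANAGED_PROXY"
  role    = "ACTIVE"
}

# Backends receive traffic from the proxies, so only the proxy-only range
# is allowed in, and only to instances carrying the backend tag.
resource "google_compute_firewall" "allow_proxy_only" {
  name          = "allow-lb-proxy-only" # hypothetical name
  project       = "proyecto-pegachucho"
  network       = var.lb_network
  direction     = "INGRESS"
  source_ranges = [google_compute_subnetwork.proxy_only.ip_cidr_range]
  target_tags   = ["lb-backend"] # hypothetical tag on the backend instances

  allow {
    protocol = "tcp"
    ports    = [var.lb_backend_port] # hypothetical variable, e.g. "8080"
  }
}

# The question's forwarding rule with an explicit ordering dependency.
# "subnetwork" stays the regular subnet holding the frontend IP, not the proxy-only one.
resource "google_compute_forwarding_rule" "lb-front-HTTP" {
  name                  = var.lb_front_name
  load_balancing_scheme = "INTERNAL_MANAGED"
  port_range            = var.lb_front_port_range
  target                = google_compute_region_target_http_proxy.lb-proxy-http.self_link
  region                = var.lb_region
  network               = var.lb_network
  subnetwork            = var.lb_subnetwork
  ip_address            = "10.10.30.5"

  depends_on = [google_compute_subnetwork.proxy_only]
}
```

The HTTPS forwarding rule needs the same `depends_on`, because neither rule references the proxy-only subnet directly and Terraform would otherwise be free to create them first.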