Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/kumarvna/terraform-azurerm-vnet

Terraform Module to create Azure Virtual Network resources.
https://github.com/kumarvna/terraform-azurerm-vnet

azure azure-networking azure-networksecuritygroups azure-vnet hcl2 networking nsg subnets terraform terraform-module

Last synced: 2 months ago
JSON representation

Terraform Module to create Azure Virtual Network resources.

Awesome Lists containing this project

README

        

# Azure Virtual Network Terraform Module

Terraform Module to create Azure virtual network with optional NSG, Service delegation, service endpoints, AzureFirewallSubnet and GatewaySubnet creation.

Type of resources are supported:

* [Virtual Network](https://www.terraform.io/docs/providers/azurerm/r/virtual_network.html)
* [Subnets](https://www.terraform.io/docs/providers/azurerm/r/subnet.html)
* [Subnet Service Delegation](https://www.terraform.io/docs/providers/azurerm/r/subnet.html#delegation)
* [Virtual Network service endpoints](https://www.terraform.io/docs/providers/azurerm/r/subnet.html#service_endpoints)
* [Private Link service/Endpoint network policies on Subnet](https://www.terraform.io/docs/providers/azurerm/r/subnet.html#enforce_private_link_endpoint_network_policies)
* [AzureNetwork DDoS Protection Plan](https://www.terraform.io/docs/providers/azurerm/r/network_ddos_protection_plan.html)
* [Network Watcher](https://www.terraform.io/docs/providers/azurerm/r/network_watcher.html)
* [Network Security Groups](https://www.terraform.io/docs/providers/azurerm/r/network_security_group.html)

## Module Usage

```hcl
# Azurerm provider configuration
provider "azurerm" {
features {}
}

module "vnet" {
source = "kumarvna/vnet/azurerm"
version = "2.3.0"

# By default, this module will not create a resource group, proivde the name here
# to use an existing resource group, specify the existing resource group name,
# and set the argument to `create_resource_group = true`. Location will be same as existing RG.
resource_group_name = "rg-shared-westeurope-02"
vnetwork_name = "vnet-shared-hub-westeurope-002"
location = "westeurope"
vnet_address_space = ["10.1.0.0/16"]
firewall_subnet_address_prefix = ["10.1.0.0/26"]
gateway_subnet_address_prefix = ["10.1.1.0/27"]
create_network_watcher = false

# Adding Standard DDoS Plan, and custom DNS servers (Optional)
create_ddos_plan = false

# Multiple Subnets, Service delegation, Service Endpoints, Network security groups
# These are default subnets with required configuration, check README.md for more details
# NSG association to be added automatically for all subnets listed here.
# First two address ranges from VNet Address space reserved for Gateway And Firewall Subnets.
# ex.: For 10.1.0.0/16 address space, usable address range start from 10.1.2.0/24 for all subnets.
# subnet name will be set as per Azure naming convention by defaut. expected value here is:
subnets = {
mgnt_subnet = {
subnet_name = "snet-management"
subnet_address_prefix = ["10.1.2.0/24"]

delegation = {
name = "testdelegation"
service_delegation = {
name = "Microsoft.ContainerInstance/containerGroups"
actions = ["Microsoft.Network/virtualNetworks/subnets/join/action", "Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action"]
}
}

nsg_inbound_rules = [
# [name, priority, direction, access, protocol, destination_port_range, source_address_prefix, destination_address_prefix]
# To use defaults, use "" without adding any values.
["weballow", "100", "Inbound", "Allow", "Tcp", "80", "*", "0.0.0.0/0"],
["weballow1", "101", "Inbound", "Allow", "", "443", "*", ""],
["weballow2", "102", "Inbound", "Allow", "Tcp", "8080-8090", "*", ""],
]

nsg_outbound_rules = [
# [name, priority, direction, access, protocol, destination_port_range, source_address_prefix, destination_address_prefix]
# To use defaults, use "" without adding any values.
["ntp_out", "103", "Outbound", "Allow", "Udp", "123", "", "0.0.0.0/0"],
]
}

dmz_subnet = {
subnet_name = "snet-appgateway"
subnet_address_prefix = ["10.1.3.0/24"]
service_endpoints = ["Microsoft.Storage"]

nsg_inbound_rules = [
# [name, priority, direction, access, protocol, destination_port_range, source_address_prefix, destination_address_prefix]
# To use defaults, use "" without adding any values.
["weballow", "200", "Inbound", "Allow", "Tcp", "80", "*", ""],
["weballow1", "201", "Inbound", "Allow", "Tcp", "443", "AzureLoadBalancer", ""],
["weballow2", "202", "Inbound", "Allow", "Tcp", "9090", "VirtualNetwork", ""],
]

nsg_outbound_rules = [
# [name, priority, direction, access, protocol, destination_port_range, source_address_prefix, destination_address_prefix]
# To use defaults, use "" without adding any values.
]
}

pvt_subnet = {
subnet_name = "snet-pvt"
subnet_address_prefix = ["10.1.4.0/24"]
service_endpoints = ["Microsoft.Storage"]
}
}

# Adding TAG's to your Azure resources (Required)
tags = {
ProjectName = "demo-internal"
Env = "dev"
Owner = "[email protected]"
BusinessUnit = "CORP"
ServiceClass = "Gold"
}
}
```

## Create resource group

By default, this module will create a resource group and the name of the resource group to be given in an argument `resource_group_name`. If you want to use an existing resource group, specify the existing resource group name, and set the argument to `create_resource_group = false`.

> *If you are using an existing resource group, then this module uses the same resource group location to create all resources in this module.*

## Azure Network DDoS Protection Plan

By default, this module will not create a DDoS Protection Plan. You can enable/disable it by appending an argument `create_ddos_plan`. If you want to enable a DDoS protection plan using this module, set the argument `create_ddos_plan = true`.

## Custom DNS servers

This is an optional feature and only applicable if you are using your own DNS servers superseding default DNS services provided by Azure.Set the argument `dns_servers = ["4.4.4.4"]` to enable this option. For multiple DNS servers, set the argument `dns_servers = ["4.4.4.4", "8.8.8.8"]`

## Subnets

This module handles the following types of subnet creation:

* __Subnets__ - add, change, or delete of subnet supported. The subnet name and address range must be unique within the address space for the virtual network. A subnet may optionally have one or more service endpoints enabled for it. To enable a service endpoint for a service, select the service or services that you want to enable service endpoints for from the Services list. A subnet may optionally have one or more delegations enabled for it. Subnet delegation gives explicit permissions to the service to create service-specific resources in the subnet using a unique identifier during service deployment. To delegate for a service, select the service you want to delegate to from the Services list.

* __GatewaySubnet__ - Subnet to provision VPN Gateway or Express route Gateway. This can be created by setting up `gateway_subnet_address_prefix` argument with a valid address prefix. This subnet must have a name "GatewaySubnet" and the mask of at least /27

* __AzureFirewallSubnet__ - If added the Firewall module, this subnet is to deploys an Azure Firewall that will monitor all incoming and outgoing traffic. This can be created by setting up `firewall_subnet_address_prefix` argument with a valid address prefix. This subnet must have a name "AzureFirewallSubnet" and the mask of at least /26

It is also possible to add other routes to the associated route tables outside of this module. This module also creates network security groups for all subnets except Gateway and firewall subnets.

## Virtual Network service endpoints

Service Endpoints allows connecting certain platform services into virtual networks. With this option, Azure virtual machines can interact with Azure SQL and Azure Storage accounts, as if they’re part of the same virtual network, rather than Azure virtual machines accessing them over the public endpoint.

This module supports enabling the service endpoint of your choosing under the virtual network and with the specified subnet. The list of Service endpoints to associate with the subnet values include: `Microsoft.AzureActiveDirectory`, `Microsoft.AzureCosmosDB`, `Microsoft.ContainerRegistry`, `Microsoft.EventHub`, `Microsoft.KeyVault`, `Microsoft.ServiceBus`, `Microsoft.Sql`, `Microsoft.Storage` and `Microsoft.Web`.

```hcl
module "vnet" {
source = "kumarvna/vnet/azurerm"
version = "2.3.0"

# .... omitted

# Multiple Subnets, Service delegation, Service Endpoints
subnets = {
mgnt_subnet = {
subnet_name = "management"
subnet_address_prefix = "10.1.2.0/24"

service_endpoints = ["Microsoft.Storage"]
}
}

# ....omitted

}
```

## Subnet Service Delegation

Subnet delegation enables you to designate a specific subnet for an Azure PaaS service of your choice that needs to be injected into your virtual network. The Subnet delegation provides full control to manage the integration of Azure services into virtual networks.

This module supports enabling the service delegation of your choosing under the virtual network and with the specified subnet. For more information, check the [terraform resource documentation](https://www.terraform.io/docs/providers/azurerm/r/subnet.html#service_delegation).

```hcl
module "vnet" {
source = "kumarvna/vnet/azurerm"
version = "2.3.0"

# .... omitted

# Multiple Subnets, Service delegation, Service Endpoints
subnets = {
mgnt_subnet = {
subnet_name = "management"
subnet_address_prefix = "10.1.2.0/24"

delegation = {
name = "demodelegationcg"
service_delegation = {
name = "Microsoft.ContainerInstance/containerGroups"
actions = ["Microsoft.Network/virtualNetworks/subnets/join/action", "Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action"]
}
}
}
}

# ....omitted

}
```

## `private_endpoint_network_policies_enabled` - Private Link Endpoint on the subnet

Network policies, like network security groups (NSG), are not supported for Private Link Endpoints. In order to deploy a Private Link Endpoint on a given subnet, you must set the `private_endpoint_network_policies_enabled` attribute to `true`. This setting is only applicable for the Private Link Endpoint, for all other resources in the subnet access is controlled based via the Network Security Group which can be configured using the `azurerm_subnet_network_security_group_association` resource.

This module Enable or Disable network policies for the private link endpoint on the subnet. The default value is `false`. If you are enabling the Private Link Endpoints on the subnet you shouldn't use Private Link Services as it's conflicts.

```hcl
module "vnet" {
source = "kumarvna/vnet/azurerm"
version = "2.3.0"

# .... omitted

# Multiple Subnets, Service delegation, Service Endpoints
subnets = {
mgnt_subnet = {
subnet_name = "management"
subnet_address_prefix = "10.1.2.0/24"
private_endpoint_network_policies_enabled = true

}
}
}
}

# ....omitted

}
```

## `private_link_service_network_policies_enabled` - private link service on the subnet

In order to deploy a Private Link Service on a given subnet, you must set the `private_link_service_network_policies_enabled` attribute to `true`. This setting is only applicable for the Private Link Service, for all other resources in the subnet access is controlled based on the Network Security Group which can be configured using the `azurerm_subnet_network_security_group_association` resource.

This module Enable or Disable network policies for the private link service on the subnet. The default value is `false`. If you are enabling the Private Link service on the subnet then, you shouldn't use Private Link endpoints as it's conflicts.

```hcl
module "vnet" {
source = "kumarvna/vnet/azurerm"
version = "2.3.0"

# .... omitted

# Multiple Subnets, Service delegation, Service Endpoints
subnets = {
mgnt_subnet = {
subnet_name = "management"
subnet_address_prefix = "10.1.2.0/24"
private_link_service_network_policies_enabled = true

}
}
}
}

# ....omitted

}
```

## Network Watcher

This module handle the provision of Network Watcher resource by defining `create_network_watcher` variable. It will enable network watcher, flow logs and traffic analytics for all the subnets in the Virtual Network. Since Azure uses a specific naming standard on network watchers, It will create a resource group `NetworkWatcherRG` and adds the location specific resource.

## Network Security Groups

By default, the network security groups connected to Management and ApplicationGateway will only allow necessary traffic and block everything else (deny-all rule). Use `nsg_inbound_rules` and `nsg_outbound_rules` in this Terraform module to create a Network Security Group (NSG) for each subnet and allow it to add additional rules for inbound flows.

In the Source and Destination columns, `VirtualNetwork`, `AzureLoadBalancer`, and `Internet` are service tags, rather than IP addresses. In the protocol column, Any encompasses `TCP`, `UDP`, and `ICMP`. When creating a rule, you can specify `TCP`, `UDP`, `ICMP` or `*`. `0.0.0.0/0` in the Source and Destination columns represents all addresses.

*You cannot remove the default rules, but you can override them by creating rules with higher priorities.*

```hcl
module "vnet" {
source = "kumarvna/vnet/azurerm"
version = "2.3.0"

# .... omitted

# Multiple Subnets, Service delegation, Service Endpoints
subnets = {
mgnt_subnet = {
subnet_name = "management"
subnet_address_prefix = ["10.1.2.0/24"]

nsg_inbound_rules = [
# [name, priority, direction, access, protocol, destination_port_range, source_address_prefix, destination_address_prefix]
# To use defaults, use "" without adding any values.
["weballow", "100", "Inbound", "Allow", "Tcp", "80", "*", "", "http_80"],
["weballow1", "101", "Inbound", "Allow", "Tcp", "443", "AzureLoadBalancer", "", "https_443"],
["weballow2", "102", "Inbound", "Allow", "Tcp", "9090", "VirtualNetwork", "", "http_9090"],
]

nsg_outbound_rules = [
# [name, priority, direction, access, protocol, destination_port_range, source_address_prefix, destination_address_prefix]
# To use defaults, use "" without adding any values.
["ntp_out", "103", "Outbound", "Allow", "Udp", "123", "", "0.0.0.0/0", ""],
]
}
}
}
```

## Recommended naming and tagging conventions

Applying tags to your Azure resources, resource groups, and subscriptions to logically organize them into a taxonomy. Each tag consists of a name and a value pair. For example, you can apply the name `Environment` and the value `Production` to all the resources in production.
For recommendations on how to implement a tagging strategy, see Resource naming and tagging decision guide.

>__Important__ :
Tag names are case-insensitive for operations. A tag with a tag name, regardless of the casing, is updated or retrieved. However, the resource provider might keep the casing you provide for the tag name. You'll see that casing in cost reports. __Tag values are case-sensitive.__

An effective naming convention assembles resource names by using important resource information as parts of a resource's name. For example, using these [recommended naming conventions](https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/naming-and-tagging#example-names), a public IP resource for a production SharePoint workload is named like this: `pip-sharepoint-prod-westus-001`.

## Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.1.9 |
| azurerm | >= 3.28.0 |

## Providers

| Name | Version |
|------|---------|
| azurerm | >= 3.28.0 |

## Inputs

Name | Description | Type | Default
---- | ----------- | ---- | -------
`create_resource_group` | Whether to create resource group and use it for all networking resources | string | `"false"`
`resource_group_name` | The name of the resource group in which resources are created | string | `""`
`location`|The location of the resource group in which resources are created| string | `""`
`vnetwork_name`|The name of the virtual network| string | `""`
`vnet_address_space`|Virtual Network address space to be used |list|`[]`
`create_ddos_plan` | Controls if DDoS protection plan should be created | string | `"false"`
`ddos_plan_name`|Name of Azure Network DDoS protection plan| string | `""`
`dns_servers` | List of DNS servers to use for virtual network | list |`[]`
`create_network_watcher`|Controls if Network Watcher resources should be created for the Azure subscription |string|`"true"`
`subnets`|For each subnet, create an object that contain fields|object|`{}`
`subnet_name`|A name of subnets inside virtual network| object |`{}`
`subnet_address_prefix`|A list of subnets address prefixes inside virtual network| list |`{}`
`gateway_subnet_address_prefix`|The address prefix to use for the gateway subnet|list|`null`
`firewall_subnet_address_prefix`|The address prefix to use for the Firewall subnet|list|`[]`
`delegation`|defines a subnet delegation feature. takes an object as described in the following example|object|`{}`
`service_endpoints`|service endpoints for the virtual subnet|object|`{}`
`nsg_inbound_rule`|network security groups settings - a NSG is always created for each subnet|object|`{}`
`nsg_outbound_rule`|network security groups settings - a NSG is always created for each subnet|object|`{}`
`tags`|A map of tags to add to all resources|map|`{}`

## Outputs

Name | Description
---- | -----------
`resource_group_name` | The name of the resource group in which resources are created
`resource_group_id` | The id of the resource group in which resources are created
`resource_group_location`| The location of the resource group in which resources are created
`virtual_network_name` | The name of the virtual network.
`virtual_network_id` |The virtual NetworkConfiguration ID.
`virtual_network_address_space` | List of address spaces that are used the virtual network.
`subnet_ids` | List of IDs of subnets
`subnet_address_prefixes` | List of address prefix for subnets
`network_security_group_ids`|List of Network security groups and ids
`ddos_protection_plan` | Azure Network DDoS protection plan
`network_watcher_id` | ID of Network Watcher

## Resource Graph

![Resource Graph](graph.png)

## Authors

Originally created by [Kumaraswamy Vithanala](mailto:[email protected])

## Other resources

* [Virtual network documentation (Azure Documentation)](https://docs.microsoft.com/en-us/azure/virtual-network/)
* [Terraform AzureRM Provider Documentation](https://www.terraform.io/docs/providers/azurerm/index.html)