https://github.com/launchbynttdata/tf-azurerm-module_collection-security_group
https://github.com/launchbynttdata/tf-azurerm-module_collection-security_group
azure infrastructure-as-code platform-automation reference terraform
Last synced: 4 months ago
JSON representation
- Host: GitHub
- URL: https://github.com/launchbynttdata/tf-azurerm-module_collection-security_group
- Owner: launchbynttdata
- License: apache-2.0
- Created: 2024-03-25T18:19:23.000Z (about 2 years ago)
- Default Branch: main
- Last Pushed: 2024-12-12T00:13:41.000Z (over 1 year ago)
- Last Synced: 2025-10-17T22:44:25.602Z (8 months ago)
- Topics: azure, infrastructure-as-code, platform-automation, reference, terraform
- Language: HCL
- Size: 266 KB
- Stars: 0
- Watchers: 0
- Forks: 0
- Open Issues: 2
-
Metadata Files:
- Readme: README.md
- License: LICENSE
- Codeowners: CODEOWNERS
Awesome Lists containing this project
README
# tf-azurerm-module_collection-security_group
[](https://opensource.org/licenses/Apache-2.0)
[](https://creativecommons.org/licenses/by-nc-nd/4.0/)
## Overview
This module deployes network security group in Azure Cloud Platform.
## Pre-Commit hooks
[.pre-commit-config.yaml](.pre-commit-config.yaml) file defines certain `pre-commit` hooks that are relevant to terraform, golang and common linting tasks. There are no custom hooks added.
`commitlint` hook enforces commit message in certain format. The commit contains the following structural elements, to communicate intent to the consumers of your commit messages:
- **fix**: a commit of the type `fix` patches a bug in your codebase (this correlates with PATCH in Semantic Versioning).
- **feat**: a commit of the type `feat` introduces a new feature to the codebase (this correlates with MINOR in Semantic Versioning).
- **BREAKING CHANGE**: a commit that has a footer `BREAKING CHANGE:`, or appends a `!` after the type/scope, introduces a breaking API change (correlating with MAJOR in Semantic Versioning). A BREAKING CHANGE can be part of commits of any type.
footers other than BREAKING CHANGE: may be provided and follow a convention similar to git trailer format.
- **build**: a commit of the type `build` adds changes that affect the build system or external dependencies (example scopes: gulp, broccoli, npm)
- **chore**: a commit of the type `chore` adds changes that don't modify src or test files
- **ci**: a commit of the type `ci` adds changes to our CI configuration files and scripts (example scopes: Travis, Circle, BrowserStack, SauceLabs)
- **docs**: a commit of the type `docs` adds documentation only changes
- **perf**: a commit of the type `perf` adds code change that improves performance
- **refactor**: a commit of the type `refactor` adds code change that neither fixes a bug nor adds a feature
- **revert**: a commit of the type `revert` reverts a previous commit
- **style**: a commit of the type `style` adds code changes that do not affect the meaning of the code (white-space, formatting, missing semi-colons, etc)
- **test**: a commit of the type `test` adds missing tests or correcting existing tests
Base configuration used for this project is [commitlint-config-conventional (based on the Angular convention)](https://github.com/conventional-changelog/commitlint/tree/master/@commitlint/config-conventional#type-enum)
If you are a developer using vscode, [this](https://marketplace.visualstudio.com/items?itemName=joshbolduc.commitlint) plugin may be helpful.
`detect-secrets-hook` prevents new secrets from being introduced into the baseline. TODO: INSERT DOC LINK ABOUT HOOKS
In order for `pre-commit` hooks to work properly
- You need to have the pre-commit package manager installed. [Here](https://pre-commit.com/#install) are the installation instructions.
- `pre-commit` would install all the hooks when commit message is added by default except for `commitlint` hook. `commitlint` hook would need to be installed manually using the command below
```
pre-commit install --hook-type commit-msg
```
## To test the resource group module locally
1. For development/enhancements to this module locally, you'll need to install all of its components. This is controlled by the `configure` target in the project's [`Makefile`](./Makefile). Before you can run `configure`, familiarize yourself with the variables in the `Makefile` and ensure they're pointing to the right places.
```
make configure
```
This adds in several files and directories that are ignored by `git`. They expose many new Make targets.
2. _THIS STEP APPLIES ONLY TO MICROSOFT AZURE. IF YOU ARE USING A DIFFERENT PLATFORM PLEASE SKIP THIS STEP._ The first target you care about is `env`. This is the common interface for setting up environment variables. The values of the environment variables will be used to authenticate with cloud provider from local development workstation.
`make configure` command will bring down `azure_env.sh` file on local workstation. Devloper would need to modify this file, replace the environment variable values with relevant values.
These environment variables are used by `terratest` integration suit.
Service principle used for authentication(value of ARM_CLIENT_ID) should have below privileges on resource group within the subscription.
```
"Microsoft.Resources/subscriptions/resourceGroups/write"
"Microsoft.Resources/subscriptions/resourceGroups/read"
"Microsoft.Resources/subscriptions/resourceGroups/delete"
```
Then run this make target to set the environment variables on developer workstation.
```
make env
```
3. The first target you care about is `check`.
**Pre-requisites**
Before running this target it is important to ensure that, developer has created files mentioned below on local workstation under root directory of git repository that contains code for primitives/segments. Note that these files are `azure` specific. If primitive/segment under development uses any other cloud provider than azure, this section may not be relevant.
- A file named `provider.tf` with contents below
```
provider "azurerm" {
features {}
}
```
- A file named `terraform.tfvars` which contains key value pair of variables used.
Note that since these files are added in `gitignore` they would not be checked in into primitive/segment's git repo.
After creating these files, for running tests associated with the primitive/segment, run
```
make check
```
If `make check` target is successful, developer is good to commit the code to primitive/segment's git repo.
`make check` target
- runs `terraform commands` to `lint`,`validate` and `plan` terraform code.
- runs `conftests`. `conftests` make sure `policy` checks are successful.
- runs `terratest`. This is integration test suit.
- runs `opa` tests
## Requirements
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | <= 1.5.5 |
| [azurerm](#requirement\_azurerm) | >=3.77.0 |
## Providers
No providers.
## Modules
| Name | Source | Version |
|------|--------|---------|
| [nsg](#module\_nsg) | Azure/network-security-group/azurerm | 4.1.0 |
## Resources
No resources.
## Inputs
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| [location](#input\_location) | (Required)Location (Azure Region) for the network security group. | `string` | n/a | yes |
| [security\_group\_name](#input\_security\_group\_name) | (Required)Network security group name | `string` | n/a | yes |
| [resource\_group\_name](#input\_resource\_group\_name) | (Required)Name of the resource group | `string` | n/a | yes |
| [tags](#input\_tags) | (Optional)The tags to associate with your network security group. | `map(string)` | `{}` | no |
| [custom\_rules](#input\_custom\_rules) | (Optional)Security rules for the network security group using this format name = [name, priority, direction, access, protocol, source\_port\_range, destination\_port\_range, source\_address\_prefix, destination\_address\_prefix, description] | `any` | `[]` | no |
| [destination\_address\_prefix](#input\_destination\_address\_prefix) | Destination address prefix to be applied to all predefined rules. list(string) only allowed one element (CIDR, `*`, source IP range or Tags). Example ["10.0.3.0/24"] or ["VirtualNetwork"] | `list(string)` |
[
"*"
]
| no |
| [destination\_address\_prefixes](#input\_destination\_address\_prefixes) | (Optional)Destination address prefix to be applied to all predefined rules. Example ["10.0.3.0/32","10.0.3.128/32"] | `list(string)` | `null` | no |
| [predefined\_rules](#input\_predefined\_rules) | (Optional)Predefined rules | `any` | `[]` | no |
| [rules](#input\_rules) | (Optional)Standard set of predefined rules | `map(any)` | {
"ActiveDirectory-AllowADDSWebServices": [
"Inbound",
"Allow",
"Tcp",
"*",
"9389",
"AllowADDSWebServices"
],
"ActiveDirectory-AllowADGCReplication": [
"Inbound",
"Allow",
"Tcp",
"*",
"3268",
"AllowADGCReplication"
],
"ActiveDirectory-AllowADGCReplicationSSL": [
"Inbound",
"Allow",
"Tcp",
"*",
"3269",
"AllowADGCReplicationSSL"
],
"ActiveDirectory-AllowADReplication": [
"Inbound",
"Allow",
"*",
"*",
"389",
"AllowADReplication"
],
"ActiveDirectory-AllowADReplicationSSL": [
"Inbound",
"Allow",
"*",
"*",
"636",
"AllowADReplicationSSL"
],
"ActiveDirectory-AllowADReplicationTrust": [
"Inbound",
"Allow",
"*",
"*",
"445",
"AllowADReplicationTrust"
],
"ActiveDirectory-AllowDFSGroupPolicy": [
"Inbound",
"Allow",
"Udp",
"*",
"138",
"AllowDFSGroupPolicy"
],
"ActiveDirectory-AllowDNS": [
"Inbound",
"Allow",
"*",
"*",
"53",
"AllowDNS"
],
"ActiveDirectory-AllowFileReplication": [
"Inbound",
"Allow",
"Tcp",
"*",
"5722",
"AllowFileReplication"
],
"ActiveDirectory-AllowKerberosAuthentication": [
"Inbound",
"Allow",
"*",
"*",
"88",
"AllowKerberosAuthentication"
],
"ActiveDirectory-AllowNETBIOSAuthentication": [
"Inbound",
"Allow",
"Udp",
"*",
"137",
"AllowNETBIOSAuthentication"
],
"ActiveDirectory-AllowNETBIOSReplication": [
"Inbound",
"Allow",
"Tcp",
"*",
"139",
"AllowNETBIOSReplication"
],
"ActiveDirectory-AllowPasswordChangeKerberes": [
"Inbound",
"Allow",
"*",
"*",
"464",
"AllowPasswordChangeKerberes"
],
"ActiveDirectory-AllowRPCReplication": [
"Inbound",
"Allow",
"Tcp",
"*",
"135",
"AllowRPCReplication"
],
"ActiveDirectory-AllowSMTPReplication": [
"Inbound",
"Allow",
"Tcp",
"*",
"25",
"AllowSMTPReplication"
],
"ActiveDirectory-AllowWindowsTime": [
"Inbound",
"Allow",
"Udp",
"*",
"123",
"AllowWindowsTime"
],
"Cassandra": [
"Inbound",
"Allow",
"Tcp",
"*",
"9042",
"Cassandra"
],
"Cassandra-JMX": [
"Inbound",
"Allow",
"Tcp",
"*",
"7199",
"Cassandra-JMX"
],
"Cassandra-Thrift": [
"Inbound",
"Allow",
"Tcp",
"*",
"9160",
"Cassandra-Thrift"
],
"CouchDB": [
"Inbound",
"Allow",
"Tcp",
"*",
"5984",
"CouchDB"
],
"CouchDB-HTTPS": [
"Inbound",
"Allow",
"Tcp",
"*",
"6984",
"CouchDB-HTTPS"
],
"DNS-TCP": [
"Inbound",
"Allow",
"Tcp",
"*",
"53",
"DNS-TCP"
],
"DNS-UDP": [
"Inbound",
"Allow",
"Udp",
"*",
"53",
"DNS-UDP"
],
"DynamicPorts": [
"Inbound",
"Allow",
"Tcp",
"*",
"49152-65535",
"DynamicPorts"
],
"ElasticSearch": [
"Inbound",
"Allow",
"Tcp",
"*",
"9200-9300",
"ElasticSearch"
],
"FTP": [
"Inbound",
"Allow",
"Tcp",
"*",
"21",
"FTP"
],
"HTTP": [
"Inbound",
"Allow",
"Tcp",
"*",
"80",
"HTTP"
],
"HTTPS": [
"Inbound",
"Allow",
"Tcp",
"*",
"443",
"HTTPS"
],
"IMAP": [
"Inbound",
"Allow",
"Tcp",
"*",
"143",
"IMAP"
],
"IMAPS": [
"Inbound",
"Allow",
"Tcp",
"*",
"993",
"IMAPS"
],
"Kestrel": [
"Inbound",
"Allow",
"Tcp",
"*",
"22133",
"Kestrel"
],
"LDAP": [
"Inbound",
"Allow",
"Tcp",
"*",
"389",
"LDAP"
],
"MSSQL": [
"Inbound",
"Allow",
"Tcp",
"*",
"1433",
"MSSQL"
],
"Memcached": [
"Inbound",
"Allow",
"Tcp",
"*",
"11211",
"Memcached"
],
"MongoDB": [
"Inbound",
"Allow",
"Tcp",
"*",
"27017",
"MongoDB"
],
"MySQL": [
"Inbound",
"Allow",
"Tcp",
"*",
"3306",
"MySQL"
],
"Neo4J": [
"Inbound",
"Allow",
"Tcp",
"*",
"7474",
"Neo4J"
],
"POP3": [
"Inbound",
"Allow",
"Tcp",
"*",
"110",
"POP3"
],
"POP3S": [
"Inbound",
"Allow",
"Tcp",
"*",
"995",
"POP3S"
],
"PostgreSQL": [
"Inbound",
"Allow",
"Tcp",
"*",
"5432",
"PostgreSQL"
],
"RDP": [
"Inbound",
"Allow",
"Tcp",
"*",
"3389",
"RDP"
],
"RabbitMQ": [
"Inbound",
"Allow",
"Tcp",
"*",
"5672",
"RabbitMQ"
],
"Redis": [
"Inbound",
"Allow",
"Tcp",
"*",
"6379",
"Redis"
],
"Riak": [
"Inbound",
"Allow",
"Tcp",
"*",
"8093",
"Riak"
],
"Riak-JMX": [
"Inbound",
"Allow",
"Tcp",
"*",
"8985",
"Riak-JMX"
],
"SMTP": [
"Inbound",
"Allow",
"Tcp",
"*",
"25",
"SMTP"
],
"SMTPS": [
"Inbound",
"Allow",
"Tcp",
"*",
"465",
"SMTPS"
],
"SSH": [
"Inbound",
"Allow",
"Tcp",
"*",
"22",
"SSH"
],
"WinRM": [
"Inbound",
"Allow",
"Tcp",
"*",
"5986",
"WinRM"
]
} | no |
| [source\_address\_prefix](#input\_source\_address\_prefix) | (Optional)Source address prefix to be applied to all predefined rules. list(string) only allowed one element (CIDR, `*`, source IP range or Tags). Example ["10.0.3.0/24"] or ["VirtualNetwork"] | `list(string)` | [
"*"
]
| no |
| [source\_address\_prefixes](#input\_source\_address\_prefixes) | (Optional)Source address prefix to be applied to all predefined rules. Example ["10.0.3.0/32","10.0.3.128/32"] | `list(string)` | `null` | no |
| [use\_for\_each](#input\_use\_for\_each) | (Optional)Choose wheter to use 'for\_each' as iteration technic to generate the rules, defaults to false so we will use 'count' for compatibilty with previous module versions, but prefered method is 'for\_each' | `bool` | `false` | no |
## Outputs
| Name | Description |
|------|-------------|
| [network\_security\_group\_id](#output\_network\_security\_group\_id) | The id of newly created network security group |
| [network\_security\_group\_name](#output\_network\_security\_group\_name) | The name of newly created network security group |