Merge pull request #3 from Azure-Terraform/subnet_features

Subnet features

README.md

@@ -25,17 +25,17 @@ service-market-environment-location-product
 | names | Names to be applied to resources | `map(string)` | n/a | yes |
 | naming\_rules | naming conventions yaml file | `string` | n/a | yes |
 | resource\_group\_name | Resource group name | `string` | n/a | yes |
-| subnets | Subnet types and lists of CIDRs. format: { [0-9][0-9]-<subnet\_type> = cidr }) (increment from 01, cannot be reordered) | `map(list(string))` | `{}` | no |
+| subnets | Subnet types and lists of CIDRs, policies, endpoints and delegations | <pre>map(object({<br>                      cidrs = list(string)<br>                      enforce_private_link_endpoint_network_policies = bool<br>                      enforce_private_link_service_network_policies  = bool<br>                      service_endpoints                              = list(string)<br>                      delegations                                    = map(object({<br>                                                                          name    = string<br>                                                                          actions = list(string)<br>                                                                       }))<br>                }))</pre> | `{}` | no |
 | tags | Tags to be applied to resources | `map(string)` | n/a | yes |
 
 ## Outputs
 
 | Name | Description |
 |------|-------------|
-| subnet | Map of subnet resources |
+| subnet | Map of subnet data objects |
 | subnet\_nsg\_ids | Map of subnet ids to associated network\_security\_group ids |
 | subnet\_nsg\_names | Map of subnet names to associated network\_security\_group names |
-| vnet | Virtual network resource |
+| vnet | Virtual network data object |
 <!--- END_TF_DOCS --->
 
 <br />

data_sources.tf

@@ -2,13 +2,13 @@ locals {
   naming_rules = yamldecode(var.naming_rules)
   subnet_types = local.naming_rules.subnetType.allowed_values
 
-  valid_subnet_input = [
-    for subnet in keys(var.subnets):
-      can(regex("^[0-9][0-9]-", subnet)) ? null : file("ERROR: var.subnets keys must begin with '[0-9][0-9]-'")
-  ]
+  #valid_subnet_input = [
+  #  for subnet in keys(var.subnets):
+  #    can(regex("^[0-9][0-9]-", subnet)) ? null : file("ERROR: var.subnets keys must begin with '[0-9][0-9]-'")
+  #]
 
   valid_subnet_type = [
     for subnet in keys(var.subnets):
-    (contains(keys(local.subnet_types), substr(subnet, 3, -1)) ? null : file("ERROR: invalid input value for reserved subnet type"))
+    (contains(keys(local.subnet_types), subnet) ? null : file("ERROR: invalid input value for reserved subnet type"))
   ]
 }

main.tf

@@ -6,54 +6,23 @@ resource "azurerm_virtual_network" "vnet" {
   tags                = var.tags
 }
 
-resource "azurerm_subnet" "subnet" {
-  count                = length(var.subnets)
-  name                 = "${substr(keys(var.subnets)[count.index], 3, -1)}-subnet"
-  resource_group_name  = var.resource_group_name
-  virtual_network_name = azurerm_virtual_network.vnet.name
-  address_prefixes     = values(var.subnets)[count.index]
-}
-
-resource "azurerm_subnet_network_security_group_association" "subnet_nsg" {
-  count                     = length(var.subnets)
-  subnet_id                 = azurerm_subnet.subnet.*.id[count.index]
-  network_security_group_id = azurerm_network_security_group.nsg.*.id[count.index]
-}
+module "subnet" {
+  source   = "./subnet"
+  for_each = var.subnets
 
-resource "azurerm_network_security_group" "nsg" {
-  count               = length(var.subnets)
-  name                = "${var.names.resource_group_type}-${var.names.product_name}-${substr(keys(var.subnets)[count.index], 3, -1)}-security-group"
-  location            = var.location
+  naming_rules        = var.naming_rules
   resource_group_name = var.resource_group_name
-  tags                = merge(var.tags, {subnet_type = lookup(local.subnet_types,substr(keys(var.subnets)[count.index], 3, -1))})
-}
+  location            = var.location
+  names               = var.names
+  tags                = var.tags
 
-resource "azurerm_network_security_rule" "deny_all_inbound" {
-  count                       = length(var.subnets)
-  name                        = "DenyAllInbound"
-  priority                    = 4096
-  direction                   = "Inbound"
-  access                      = "Deny"
-  protocol                    = "*"
-  source_port_range           = "*"
-  destination_port_range      = "*"
-  source_address_prefix       = "*"
-  destination_address_prefix  = "*"
-  resource_group_name         = var.resource_group_name
-  network_security_group_name = azurerm_network_security_group.nsg.*.name[count.index]
-}
+  virtual_network_name = azurerm_virtual_network.vnet.name
+  subnet_type          = each.key
+  cidrs                = each.value.cidrs
+
+  enforce_private_link_endpoint_network_policies = each.value.enforce_private_link_endpoint_network_policies
+  enforce_private_link_service_network_policies  = each.value.enforce_private_link_service_network_policies
 
-resource "azurerm_network_security_rule" "deny_all_outbound" {
-  count                       = length(var.subnets)
-  name                        = "DenyAllOutbound"
-  priority                    = 4096
-  direction                   = "Outbound"
-  access                      = "Deny"
-  protocol                    = "*"
-  source_port_range           = "*"
-  destination_port_range      = "*"
-  source_address_prefix       = "*"
-  destination_address_prefix  = "*"
-  resource_group_name         = var.resource_group_name
-  network_security_group_name = azurerm_network_security_group.nsg.*.name[count.index]
+  service_endpoints = each.value.service_endpoints
+  delegations       = each.value.delegations
 }

output.tf

@@ -1,28 +1,28 @@
 output "vnet" {
-  description  = "Virtual network resource"
+  description  = "Virtual network data object"
   value        = azurerm_virtual_network.vnet
 }
 
 output "subnet" {
-  description = "Map of subnet resources"
+  description = "Map of subnet data objects"
   value       = zipmap(
-    [for subnet in azurerm_subnet.subnet: subnet.name],
-    [for subnet in azurerm_subnet.subnet: subnet]
+    [for subnet in module.subnet: subnet.name],
+    [for subnet in module.subnet: subnet.subnet]
   )
 }
 
 output "subnet_nsg_ids" {
   description = "Map of subnet ids to associated network_security_group ids"
   value       =  zipmap(
-    [for subnet in azurerm_subnet.subnet: subnet.id],
-    [for nsg in azurerm_network_security_group.nsg: nsg.id]
+    [for subnet in module.subnet: subnet.id],
+    [for subnet in module.subnet: subnet.nsg_id]
   )
 }
 
 output "subnet_nsg_names" {
   description = "Map of subnet names to associated network_security_group names"
   value       =  zipmap(
-    [for subnet in azurerm_subnet.subnet: subnet.name],
-    [for nsg in azurerm_network_security_group.nsg: nsg.name]
+    [for subnet in module.subnet: subnet.name],
+    [for subnet in module.subnet: subnet.nsg_name]
   )
-}
+}

subnet/README.md

@@ -11,21 +11,20 @@ This module will create a new subnet in a pre-existing Azure Virtual Network.
 | Name | Version |
 |------|---------|
 | azurerm | n/a |
-| http | n/a |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:-----:|
+| cidrs | CIDRs for subnet | `list(string)` | n/a | yes |
 | delegations | delegation blocks for services | <pre>map(object({<br>                  name    = string<br>                  actions = list(string)<br>                }))</pre> | `{}` | no |
 | enforce\_private\_link\_endpoint\_network\_policies | enable network policies for the private link endpoint on the subnet | `bool` | `false` | no |
 | enforce\_private\_link\_service\_network\_policies | enable network policies for the private link service on the subnet | `bool` | `false` | no |
 | location | Azure Region | `string` | n/a | yes |
 | names | names to be applied to resources | `map(string)` | n/a | yes |
-| naming\_conventions\_yaml\_url | url for naming conventions yaml file | `string` | `"https://raw.githubusercontent.com/openrba/python-azure-naming/master/custom.yaml"` | no |
+| naming\_rules | naming conventions yaml file | `string` | n/a | yes |
 | resource\_group\_name | Resource group name | `string` | n/a | yes |
 | service\_endpoints | service endpoints to associate with the subnet | `list(string)` | `[]` | no |
-| subnet\_cidr | CIDR for subnet | `string` | n/a | yes |
 | subnet\_type | subnet type | `string` | n/a | yes |
 | tags | tags to be applied to resources | `map(string)` | n/a | yes |
 | virtual\_network\_name | virtual network name | `string` | n/a | yes |
@@ -38,6 +37,7 @@ This module will create a new subnet in a pre-existing Azure Virtual Network.
 | name | subnet name |
 | nsg\_id | network security group id |
 | nsg\_name | network security group name |
+| subnet | subnet data object |
 <!--- END_TF_DOCS --->
 
 <br />

subnet/data_sources.tf

@@ -1,14 +1,6 @@
-data "http" "naming_rules" {
-  url = var.naming_conventions_yaml_url
-
-  request_headers = {
-    Accept = "application/yaml"
-  }
-}
-
 locals {
-  naming_rules = yamldecode(data.http.naming_rules.body)
+  naming_rules = yamldecode(var.naming_rules)
   subnet_types = local.naming_rules.subnetType.allowed_values
 
   valid_subnet_type = (contains(keys(local.subnet_types), var.subnet_type) ? null : file("ERROR: invalid input value for reserved subnet type"))
-}
+}

subnet/main.tf

@@ -2,7 +2,7 @@ resource "azurerm_subnet" "subnet" {
   name                 = "${var.subnet_type}-subnet"
   resource_group_name  = var.resource_group_name
   virtual_network_name = var.virtual_network_name
-  address_prefix       = var.subnet_cidr
+  address_prefixes     = var.cidrs
 
   enforce_private_link_endpoint_network_policies = var.enforce_private_link_endpoint_network_policies
   enforce_private_link_service_network_policies  = var.enforce_private_link_service_network_policies
@@ -59,4 +59,4 @@ resource "azurerm_network_security_rule" "deny_all_outbound" {
   destination_address_prefix  = "*"
   resource_group_name         = var.resource_group_name
   network_security_group_name = azurerm_network_security_group.nsg.name
-}
+}

subnet/output.tf

@@ -16,4 +16,9 @@ output "nsg_id" {
 output "nsg_name" {
   description = "network security group name"
   value       = azurerm_network_security_group.nsg.name
-}
+}
+
+output "subnet" {
+  description = "subnet data object"
+  value       = azurerm_subnet.subnet
+}

subnet/variables.tf

@@ -1,7 +1,6 @@
-variable "naming_conventions_yaml_url" {
-  description = "url for naming conventions yaml file"
+variable "naming_rules" {
+  description = "naming conventions yaml file"
   type        = string
-  default     = "https://raw.githubusercontent.com/openrba/python-azure-naming/master/custom.yaml" 
 }
 
 variable "resource_group_name"{
@@ -35,9 +34,9 @@ variable "subnet_type" {
   type        = string
 }
 
-variable "subnet_cidr"{
-  description = "CIDR for subnet"
-  type        = string
+variable "cidrs" {
+  description = "CIDRs for subnet"
+  type        = list(string)
 }
 
 # Subnet Options

variables.tf

@@ -30,7 +30,16 @@ variable "address_space" {
 }
 
 variable "subnets" {
-  description = "Subnet types and lists of CIDRs. format: { [0-9][0-9]-<subnet_type> = cidr }) (increment from 01, cannot be reordered)"
-  type        = map(list(string))
+  description = "Subnet types and lists of CIDRs, policies, endpoints and delegations"
+  type        = map(object({
+                      cidrs = list(string)
+                      enforce_private_link_endpoint_network_policies = bool
+                      enforce_private_link_service_network_policies  = bool
+                      service_endpoints                              = list(string)
+                      delegations                                    = map(object({
+                                                                          name    = string
+                                                                          actions = list(string)
+                                                                       }))
+                }))
   default     = {}
-}
+}

versions.tf

@@ -1,5 +1,5 @@
 terraform {
-  required_version = ">= 0.12.10"
+  required_version = ">= 0.13.0"
 
   required_providers {
     azurerm = ">= 2.0.0"