NOTE: This module follows the semantic versioning and versions prior to 1.0.0 should be consider pre-release versions. This is the Network Security Group resource module for the Azure Verified Modules library. This module deploys a Azure Network Security Group and give availability to manage rules. It leverages the AzureRM provider and sets a number of initial defaults to minimize the overall inputs for simple configurations.
The following requirements are needed by this module:
The following providers are used by this module:
The following resources are used by this module:
The following input variables are required:
Description: (Required) Specifies the supported Azure location where the resource exists. Changing this forces a new resource to be created.
Type: string
Description: (Required) Specifies the name of the network security group. Changing this forces a new resource to be created.
Type: string
Description: (Required) The name of the resource group in which to create the network security group. Changing this forces a new resource to be created.
Type: string
The following input variables are optional (have default values):
Description: A map of diagnostic settings to create on the Key Vault. The map key is deliberately arbitrary to avoid issues where map keys maybe unknown at plan time.
name - (Optional) The name of the diagnostic setting. One will be generated if not set, however this will not be unique if you want to create multiple diagnostic setting resources.log_categories - (Optional) A set of log categories to send to the log analytics workspace. Defaults to [].log_groups - (Optional) A set of log groups to send to the log analytics workspace. Defaults to ["allLogs"].metric_categories - (Optional) A set of metric categories to send to the log analytics workspace. Defaults to ["AllMetrics"].log_analytics_destination_type - (Optional) The destination type for the diagnostic setting. Possible values are Dedicated and AzureDiagnostics. Defaults to Dedicated.workspace_resource_id - (Optional) The resource ID of the log analytics workspace to send logs and metrics to.storage_account_resource_id - (Optional) The resource ID of the storage account to send logs and metrics to.event_hub_authorization_rule_resource_id - (Optional) The resource ID of the event hub authorization rule to send logs and metrics to.event_hub_name - (Optional) The name of the event hub. If none is specified, the default event hub will be selected.marketplace_partner_resource_id - (Optional) The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic LogsLogs.Type:
map(object({
name = optional(string, null)
log_categories = optional(set(string), [])
log_groups = optional(set(string), ["allLogs"])
metric_categories = optional(set(string), ["AllMetrics"])
log_analytics_destination_type = optional(string, "Dedicated")
workspace_resource_id = optional(string, null)
storage_account_resource_id = optional(string, null)
event_hub_authorization_rule_resource_id = optional(string, null)
event_hub_name = optional(string, null)
marketplace_partner_resource_id = optional(string, null)
}))Default: {}
Description: This variable controls whether or not telemetry is enabled for the module.
For more information see https://aka.ms/avm/telemetryinfo.
If it is set to false, then no telemetry will be collected.
Type: bool
Default: true
Description: Controls the Resource Lock configuration for this resource. The following properties can be specified:
kind - (Required) The type of lock. Possible values are \"CanNotDelete\" and \"ReadOnly\".name - (Optional) The name of the lock. If not specified, a name will be generated based on the kind value. Changing this forces the creation of a new resource.Type:
object({
kind = string
name = optional(string, null)
})Default: null
Description: A map of role assignments to create on this resource. The map key is deliberately arbitrary to avoid issues where map keys maybe unknown at plan time.
role_definition_id_or_name - The ID or name of the role definition to assign to the principal.principal_id - The ID of the principal to assign the role to.description - The description of the role assignment.skip_service_principal_aad_check - If set to true, skips the Azure Active Directory check for the service principal in the tenant. Defaults to false.condition - The condition which will be used to scope the role assignment.condition_version - The version of the condition syntax. Valid values are '2.0'.principal_type - (Optional) The type of the principal_id. Possible values are User, Group and ServicePrincipal. It is necessary to explicitly set this attribute when creating role assignments if the principal creating the assignment is constrained by ABAC rules that filters on the PrincipalType attribute.Note: only set
skip_service_principal_aad_checkto true if you are assigning a role to a service principal.
Type:
map(object({
role_definition_id_or_name = string
principal_id = string
description = optional(string, null)
skip_service_principal_aad_check = optional(bool, false)
condition = optional(string, null)
condition_version = optional(string, null)
delegated_managed_identity_resource_id = optional(string, null)
principal_type = optional(string, null)
}))Default: {}
Description: - access - (Required) Specifies whether network traffic is allowed or denied. Possible values are Allow and Deny.
name - (Required) Name of the network security rule to be created.description - (Optional) A description for this rule. Restricted to 140 characters.destination_address_prefix - (Optional) CIDR or destination IP range or * to match any IP. Tags such as VirtualNetwork, AzureLoadBalancer and Internet can also be used. Besides, it also supports all available Service Tags like ‘Sql.WestEurope‘, ‘Storage.EastUS‘, etc. You can list the available service tags with the CLI: ```shell az network list-service-tags --location westcentralus
destination_address_prefixes - (Optional) List of destination address prefixes. Tags may not be used. This is required if destination_address_prefix is not specified.destination_application_security_group_ids - (Optional) A List of destination Application Security Group IDsdestination_port_range - (Optional) Destination Port or Range. Integer or range between 0 and 65535 or * to match any. This is required if destination_port_ranges is not specified.destination_port_ranges - (Optional) List of destination ports or port ranges. This is required if destination_port_range is not specified.direction - (Required) The direction specifies if rule will be evaluated on incoming or outgoing traffic. Possible values are Inbound and Outbound.name - (Required) The name of the security rule. This needs to be unique across all Rules in the Network Security Group. Changing this forces a new resource to be created.priority - (Required) Specifies the priority of the rule. The value can be between 100 and 4096. The priority number must be unique for each rule in the collection. The lower the priority number, the higher the priority of the rule.protocol - (Required) Network protocol this rule applies to. Possible values include Tcp, Udp, Icmp, Esp, Ah or * (which matches all).resource_group_name - (Required) The name of the resource group in which to create the Network Security Rule. Changing this forces a new resource to be created.source_address_prefix - (Optional) CIDR or source IP range or * to match any IP. Tags such as VirtualNetwork, AzureLoadBalancer and Internet can also be used. This is required if source_address_prefixes is not specified.source_address_prefixes - (Optional) List of source address prefixes. Tags may not be used. This is required if source_address_prefix is not specified.source_application_security_group_ids - (Optional) A List of source Application Security Group IDssource_port_range - (Optional) Source Port or Range. Integer or range between 0 and 65535 or * to match any. This is required if source_port_ranges is not specified.source_port_ranges - (Optional) List of source ports or port ranges. This is required if source_port_range is not specified.
timeouts block supports the following:
create - (Defaults to 30 minutes) Used when creating the Network Security Rule.delete - (Defaults to 30 minutes) Used when deleting the Network Security Rule.read - (Defaults to 5 minutes) Used when retrieving the Network Security Rule.update - (Defaults to 30 minutes) Used when updating the Network Security Rule.Type:
map(object({
access = string
name = string
description = optional(string)
destination_address_prefix = optional(string)
destination_address_prefixes = optional(set(string))
destination_application_security_group_ids = optional(set(string))
destination_port_range = optional(string)
destination_port_ranges = optional(set(string))
direction = string
priority = number
protocol = string
source_address_prefix = optional(string)
source_address_prefixes = optional(set(string))
source_application_security_group_ids = optional(set(string))
source_port_range = optional(string)
source_port_ranges = optional(set(string))
timeouts = optional(object({
create = optional(string)
delete = optional(string)
read = optional(string)
update = optional(string)
}))
}))Default: {}
Description: (Optional) A mapping of tags to assign to the resource.
Type: map(string)
Default: null
Description: - create - (Defaults to 30 minutes) Used when creating the Network Security Group.
delete - (Defaults to 30 minutes) Used when deleting the Network Security Group.read - (Defaults to 5 minutes) Used when retrieving the Network Security Group.update - (Defaults to 30 minutes) Used when updating the Network Security Group.Type:
object({
create = optional(string)
delete = optional(string)
read = optional(string)
update = optional(string)
})Default: null
The following outputs are exported:
Description: The name of the Network Security Group resource
Description: The Network Security Group resource
Description: The id of the Network Security Group resource
No modules.
The software may collect information about you and your use of the software and send it to Microsoft. Microsoft may use this information to provide services and improve our products and services. You may turn off the telemetry as described in the repository. There are also some features in the software that may enable you and Microsoft to collect data from users of your applications. If you use these features, you must comply with applicable law, including providing appropriate notices to users of your applications together with a copy of Microsoft’s privacy statement. Our privacy statement is located at https://go.microsoft.com/fwlink/?LinkID=824704. You can learn more about data collection and use in the help documentation and our privacy statement. Your use of the software operates as your consent to these practices.