This module is used to manage Azure Virtual Networks, Subnets and Peerings.
This module is composite and includes sub modules that can be used independently for pre-existing virtual networks. These sub modules are:
This module supports managing virtual networks and their associated subnets and peerings together or independently.
The module supports:
To use this module in your Terraform configuration, you'll need to provide values for the required variables.
This example shows the most basic usage of the module. It creates a new virtual network with subnets.
module "avm-res-network-virtualnetwork" {
source = "Azure/avm-res-network-virtualnetwork/azurerm"
address_spaces = ["10.0.0.0/16"]
location = "East US"
name = "myVNet"
resource_group_name = "myResourceGroup"
subnets = {
"subnet1" = {
name = "subnet1"
address_prefixes = ["10.0.0.0/24"]
}
"subnet2" = {
name = "subnet2"
address_prefixes = ["10.0.1.0/24"]
}
}
}This example shows how to create a subnet for a pre-existing virtual network using the subnet module.
module "avm-res-network-subnet" {
source = "Azure/avm-res-network-virtualnetwork/azurerm//modules/subnet"
virtual_network = {
resource_id = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup/providers/Microsoft.Network/virtualNetworks/myVNet"
}
name = "subnet1"
address_prefixes = ["10.0.0.0/24"]
}The following requirements are needed by this module:
The following providers are used by this module:
The following resources are used by this module:
The following input variables are required:
Description: (Optional) The address spaces applied to the virtual network. You can supply more than one address space.
Type: set(string)
Description: (Optional) The location/region where the virtual network is created. Changing this forces a new resource to be created.
Type: string
Description: (Required) The name of the resource group where the resources will be deployed.
Type: string
The following input variables are optional (have default values):
Description: Specifies an AzureNetwork DDoS Protection Plan.
id: The ID of the DDoS Protection Plan. (Required)enable: Enables or disables the DDoS Protection Plan on the Virtual Network. (Required)Type:
object({
id = string
enable = bool
})Default: null
Description: A map of diagnostic settings to create on the Key Vault. The map key is deliberately arbitrary to avoid issues where map keys maybe unknown at plan time.
name - (Optional) The name of the diagnostic setting. One will be generated if not set, however this will not be unique if you want to create multiple diagnostic setting resources.log_categories - (Optional) A set of log categories to send to the log analytics workspace. Defaults to [].log_groups - (Optional) A set of log groups to send to the log analytics workspace. Defaults to ["allLogs"].metric_categories - (Optional) A set of metric categories to send to the log analytics workspace. Defaults to ["AllMetrics"].log_analytics_destination_type - (Optional) The destination type for the diagnostic setting. Possible values are Dedicated and AzureDiagnostics. Defaults to Dedicated.workspace_resource_id - (Optional) The resource ID of the log analytics workspace to send logs and metrics to.storage_account_resource_id - (Optional) The resource ID of the storage account to send logs and metrics to.event_hub_authorization_rule_resource_id - (Optional) The resource ID of the event hub authorization rule to send logs and metrics to.event_hub_name - (Optional) The name of the event hub. If none is specified, the default event hub will be selected.marketplace_partner_resource_id - (Optional) The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic LogsLogs.Type:
map(object({
name = optional(string, null)
log_categories = optional(set(string), [])
log_groups = optional(set(string), ["allLogs"])
metric_categories = optional(set(string), ["AllMetrics"])
log_analytics_destination_type = optional(string, "Dedicated")
workspace_resource_id = optional(string, null)
storage_account_resource_id = optional(string, null)
event_hub_authorization_rule_resource_id = optional(string, null)
event_hub_name = optional(string, null)
marketplace_partner_resource_id = optional(string, null)
}))Default: {}
Description: (Optional) Specifies a list of IP addresses representing DNS servers.
dns_servers: Set of IP addresses of DNS servers.Type:
object({
dns_servers = set(string)
})Default: null
Description: This variable controls whether or not telemetry is enabled for the module.
For more information see https://aka.ms/avm/telemetry.
If it is set to false, then no telemetry will be collected.
Type: bool
Default: true
Description: (Optional) Controls the Resource Lock configuration for this resource. The following properties can be specified:
kind - (Required) The type of lock. Possible values are \"CanNotDelete\" and \"ReadOnly\".name - (Optional) The name of the lock. If not specified, a name will be generated based on the kind value. Changing this forces the creation of a new resource.Type:
object({
kind = string
name = optional(string, null)
})Default: null
Description: (Optional) The name of the virtual network to create. If null, existing_virtual_network must be supplied.
Type: string
Default: null
Description: (Optional) A map of virtual network peering configurations. Each entry specifies a remote virtual network by ID and includes settings for traffic forwarding, gateway transit, and remote gateways usage.
name: The name of the virtual network peering configuration.remote_virtual_network_resource_id: The resource ID of the remote virtual network.allow_forwarded_traffic: (Optional) Enables forwarded traffic between the virtual networks. Defaults to false.allow_gateway_transit: (Optional) Enables gateway transit for the virtual networks. Defaults to false.allow_virtual_network_access: (Optional) Enables access from the local virtual network to the remote virtual network. Defaults to true.use_remote_gateways: (Optional) Enables the use of remote gateways for the virtual networks. Defaults to false.create_reverse_peering: (Optional) Creates the reverse peering to form a complete peering.reverse_name: (Optional) If you have selected create_reverse_peering, then this name will be used for the reverse peer.reverse_allow_forwarded_traffic: (Optional) If you have selected create_reverse_peering, enables forwarded traffic between the virtual networks. Defaults to false.reverse_allow_gateway_transit: (Optional) If you have selected create_reverse_peering, enables gateway transit for the virtual networks. Defaults to false.reverse_allow_virtual_network_access: (Optional) If you have selected create_reverse_peering, enables access from the local virtual network to the remote virtual network. Defaults to true.reverse_use_remote_gateways: (Optional) If you have selected create_reverse_peering, enables the use of remote gateways for the virtual networks. Defaults to false.Type:
map(object({
name = string
remote_virtual_network_resource_id = string
allow_forwarded_traffic = optional(bool, false)
allow_gateway_transit = optional(bool, false)
allow_virtual_network_access = optional(bool, true)
use_remote_gateways = optional(bool, false)
create_reverse_peering = optional(bool, false)
reverse_name = optional(string)
reverse_allow_forwarded_traffic = optional(bool, false)
reverse_allow_gateway_transit = optional(bool, false)
reverse_allow_virtual_network_access = optional(bool, true)
reverse_use_remote_gateways = optional(bool, false)
}))Default: {}
Description: (Optional) A map of role assignments to create on the
role_definition_id_or_name - The ID or name of the role definition to assign to the principal.principal_id - The ID of the principal to assign the role to.description - (Optional) The description of the role assignment.skip_service_principal_aad_check - (Optional) If set to true, skips the Azure Active Directory check for the service principal in the tenant. Defaults to false.condition - (Optional) The condition which will be used to scope the role assignment.condition_version - (Optional) The version of the condition syntax. Leave as null if you are not using a condition, if you are then valid values are '2.0'.delegated_managed_identity_resource_id - (Optional) The delegated Azure Resource Id which contains a Managed Identity. Changing this forces a new resource to be created. This field is only used in cross-tenant scenario.principal_type - (Optional) The type of the principal_id. Possible values are User, Group and ServicePrincipal. It is necessary to explicitly set this attribute when creating role assignments if the principal creating the assignment is constrained by ABAC rules that filters on the PrincipalType attribute.
Note: only set
skip_service_principal_aad_checkto true if you are assigning a role to a service principal.
Type:
map(object({
role_definition_id_or_name = string
principal_id = string
description = optional(string, null)
skip_service_principal_aad_check = optional(bool, false)
condition = optional(string, null)
condition_version = optional(string, null)
delegated_managed_identity_resource_id = optional(string, null)
principal_type = optional(string, null)
}))Default: {}
Description: (Optional) A map of subnets to create
address_prefixes - (Required) The address prefixes to use for the subnet.
enforce_private_link_endpoint_network_policies -
enforce_private_link_service_network_policies -
name - (Required) The name of the subnet. Changing this forces a new resource to be created.
default_outbound_access_enabled - (Optional) Whether to allow internet access from the subnet. Defaults to false.
private_endpoint_network_policies - (Optional) Enable or Disable network policies for the private endpoint on the subnet. Possible values are Disabled, Enabled, NetworkSecurityGroupEnabled and RouteTableEnabled. Defaults to Enabled.
private_link_service_network_policies_enabled - (Optional) Enable or Disable network policies for the private link service on the subnet. Setting this to true will Enable the policy and setting this to false will Disable the policy. Defaults to true.
service_endpoint_policies - (Optional) The map of objects with IDs of Service Endpoint Policies to associate with the subnet.
service_endpoints - (Optional) The list of Service endpoints to associate with the subnet. Possible values include: Microsoft.AzureActiveDirectory, Microsoft.AzureCosmosDB, Microsoft.ContainerRegistry, Microsoft.EventHub, Microsoft.KeyVault, Microsoft.ServiceBus, Microsoft.Sql, Microsoft.Storage, Microsoft.Storage.Global and Microsoft.Web.
delegation supports the following:
name - (Required) A name for this delegation.
nat_gateway supports the following:
id - (Optional) The ID of the NAT Gateway which should be associated with the Subnet. Changing this forces a new resource to be created.
network_security_group supports the following:
id - (Optional) The ID of the Network Security Group which should be associated with the Subnet. Changing this forces a new association to be created.
route_table supports the following:
id - (Optional) The ID of the Route Table which should be associated with the Subnet. Changing this forces a new association to be created.
timeouts supports the following:
create - (Defaults to 30 minutes) Used when creating the Subnet.
delete - (Defaults to 30 minutes) Used when deleting the Subnet.
read - (Defaults to 5 minutes) Used when retrieving the Subnet.
update - (Defaults to 30 minutes) Used when updating the Subnet.
role_assignments supports the following:
role_definition_id_or_name - The ID or name of the role definition to assign to the principal.
principal_id - The ID of the principal to assign the role to.
description - (Optional) The description of the role assignment.
skip_service_principal_aad_check - (Optional) If set to true, skips the Azure Active Directory check for the service principal in the tenant. Defaults to false.
condition - (Optional) The condition which will be used to scope the role assignment.
condition_version - (Optional) The version of the condition syntax. Leave as null if you are not using a condition, if you are then valid values are '2.0'.
delegated_managed_identity_resource_id - (Optional) The delegated Azure Resource Id which contains a Managed Identity. Changing this forces a new resource to be created. This field is only used in cross-tenant scenario.
principal_type - (Optional) The type of the principal_id. Possible values are User, Group and ServicePrincipal. It is necessary to explicitly set this attribute when creating role assignments if the principal creating the assignment is constrained by ABAC rules that filters on the PrincipalType attribute.
Type:
map(object({
address_prefixes = list(string)
name = string
nat_gateway = optional(object({
id = string
}))
network_security_group = optional(object({
id = string
}))
private_endpoint_network_policies = optional(string, "Enabled")
private_link_service_network_policies_enabled = optional(bool, true)
route_table = optional(object({
id = string
}))
service_endpoint_policies = optional(map(object({
id = string
})))
service_endpoints = optional(set(string))
default_outbound_access_enabled = optional(bool, false)
delegation = optional(list(object({
name = string
service_delegation = object({
name = string
})
})))
timeouts = optional(object({
create = optional(string)
delete = optional(string)
read = optional(string)
update = optional(string)
}))
role_assignments = optional(map(object({
role_definition_id_or_name = string
principal_id = string
description = optional(string, null)
skip_service_principal_aad_check = optional(bool, false)
condition = optional(string, null)
condition_version = optional(string, null)
delegated_managed_identity_resource_id = optional(string, null)
principal_type = optional(string, null)
})))
}))Default: {}
Description: (Optional) Subscription ID passed in by an external process. If this is not supplied, then the configuration either needs to include the subscription ID, or needs to be supplied properties to create the subscription.
Type: string
Default: null
Description: (Optional) Tags of the resource.
Type: map(string)
Default: null
The following outputs are exported:
Description: The resource name of the virtual network.
Description: Information about the peerings created in the module.
Please refer to the peering module documentation for details of the outputs
Description: The Azure Virtual Network resource. This will be null if an existing vnet is supplied.
Description: The resource ID of the virtual network.
Description: Information about the subnets created in the module.
Please refer to the subnet module documentation for details of the outputs.
The following Modules are called:
Source: ./modules/peering
Version:
Source: ./modules/subnet
Version:
The software may collect information about you and your use of the software and send it to Microsoft. Microsoft may use this information to provide services and improve our products and services. You may turn off the telemetry as described in the repository. There are also some features in the software that may enable you and Microsoft to collect data from users of your applications. If you use these features, you must comply with applicable law, including providing appropriate notices to users of your applications together with a copy of Microsoft’s privacy statement. Our privacy statement is located at https://go.microsoft.com/fwlink/?LinkID=824704. You can learn more about data collection and use in the help documentation and our privacy statement. Your use of the software operates as your consent to these practices.