aztfmod / terraform-azurerm-caf-virtual-network

Azure Virtual Network module for Cloud Adoption Framework for Azure landing zones
MIT License

README

Thanks for your interest in Cloud Adoption Framework for Azure landing zones on Terraform. This module is now deprecated and no longer maintained.

As part of Cloud Adoption Framework landing zones for Terraform, we have migrated to a single module model, which you can find here: https://github.com/aztfmod/terraform-azurerm-caf and on the Terraform registry: https://registry.terraform.io/modules/aztfmod/caf/azurerm

In Terraform 0.13 you can call submodules directly with the following syntax:

module "caf_virtual_network" {
  source  = "aztfmod/caf/azurerm//modules/networking/virtual_network"
  version = "0.4.18"
  # insert the 8 required variables here
}


Creates a virtual network with associated subnets, network security groups, analytics

Creates a virtual network with:

Reference the module to a specific version (recommended):

module "virtual_network" {
  source  = "aztfmod/caf-virtual-network/azurerm"
  version = "0.x.y"

  convention              = local.convention
  resource_group_name     = azurerm_resource_group.rg_test.name
  prefix                  = local.prefix
  location                = local.location
  networking_object       = local.vnet_config
  tags                    = local.tags
  diagnostics_map         = module.diags_test.diagnostics_map
  log_analytics_workspace = module.la_test
  diagnostics_settings    = local.vnet_config.diagnostics
  ddos_id                 = azurerm_network_ddos_protection_plan.ddos_protection_plan.id

}

Requirements

No requirements.

Providers

Name | Version
azurecaf | n/a
azurerm | n/a

Inputs

Name | Description | Type | Default | Required
convention | (Required) Naming convention method to use | any | n/a | yes
ddos_id | (Optional) ID of the DDoS protection plan, if one exists | string | "" | no
diagnostics_map | (Required) contains the SA and EH details for operations diagnostics | any | n/a | yes
diagnostics_settings | (Required) configuration object describing the diagnostics | any | n/a | yes
location | (Required) Specifies the Azure location to deploy the resource. Changing this forces a new resource to be created. | string | n/a | yes
log_analytics_workspace | (Required) contains the log analytics workspace details for operations diagnostics | any | n/a | yes
max_length | (Optional) You can specify a maximum length for the name of the resource | string | "60" | no
netwatcher | (Optional) a map with two attributes, name and rg, describing the name and resource group of a network watcher that was already deployed | map | {} | no
networking_object | (Required) configuration object describing the networking configuration, as described in this README | any | n/a | yes
postfix | (Optional) You can add a postfix to the name of the resource | string | "" | no
prefix | (Optional) You can add a prefix to the name of the resource | string | "" | no
resource_group_name | (Required) Name of the resource group where the resource is created. Changing this forces a new resource to be created. | string | n/a | yes
tags | (Required) map of tags for the deployment | any | n/a | yes

Outputs

Name | Description
nsg_obj | Returns the complete set of NSG objects created in the virtual network
nsg_vnet | Returns a map of NSGs from the virtual network: key = nsg name, value = nsg id
subnet_ids_map | Returns all the subnet objects in the virtual network, as a map of key to ID
vnet | For a VNet, returns: vnet_name, vnet_adress_space, vnet_id, vnet_dns
vnet_obj | Virtual network object
vnet_subnets | Returns a map of subnets from the virtual network: key = subnet name, value = subnet ID

Parameters

diagnostics_settings

(Required) Map with the diagnostics settings for virtual network deployment. See the required structure in the following example or in the diagnostics module documentation.

variable "diagnostics_settings" {
 description = "(Required) Map with the diagnostics settings for public virtual network deployment"
}

Example

diagnostics_settings = {
    log = [
        # ["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
        ["VMProtectionAlerts", true, true, 60],
    ]
    metric = [
        # ["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
        ["AllMetrics", true, true, 60],
    ]
}

networking_object

(Required) Configuration object describing the networking configuration. The object has 3 mandatory sections, as follows:

vnet

input | type | optional | comment
name | string | mandatory | name of the virtual network to be created
address_space | list | optional | address space of the virtual network
dns | list | optional | if not provided, uses the default Azure DNS

specialsubnets

input | type | optional | comment
subnet_key_name | object | mandatory | specialsubnets is used to create specific subnets where you don't want the default NSG to be created; for instance, AzureFirewallSubnet must be created via this object (see the example below)

subnets

For each subnet, create an object that contains the following fields (see the example below):

input | type | optional | comment
name | object | mandatory | name of the virtual subnet
nsg_name | object | mandatory | name of the NSG ruleset
cidr | object | mandatory | CIDR block for the virtual subnet
service_endpoints | object | mandatory | service endpoints for the virtual subnet
nsg | object | optional | network security group settings. An NSG is always created for each subnet; this section tunes the NSG entries for inbound and outbound flows.
delegation | object | optional | defines a subnet delegation feature. Takes an object as described in the following example.

The following sections are optional:

netwatcher

If this object is defined, it enables network watcher, flow logs and traffic analytics for all the subnets in the virtual network. The configuration object is as follows:

input | type | optional | comment
create | bool | mandatory | determines whether the network watcher should be created or reused from a previous deployment. /!\ If set to false, the netwatcher optional variable must be set.
name | string | mandatory | name of the network watcher to be created
flow_logs_settings | object | mandatory | specifies the configuration for flow logs, with the structure: enabled = (bool), retention = (bool), period = (integer)
traffic_analytics_settings | object | mandatory | specifies whether traffic analytics should be enabled. If enabled, the settings defined in the virtual network settings (log_analytics_workspace) are used.

The following networking_object shows an example of composition:

Sample of network configuration object below
networking_object = {
    vnet = {
        name          = "sg1-vnet-dmz"
        address_space = ["10.101.4.0/22"] # 10.101.4.0 - 10.101.7.255
        dns           = ["192.168.0.16", "192.168.0.64"]
    }
    specialsubnets = {
        AzureFirewallSubnet = {
            name = "AzureFirewallSubnet"
            cidr = ["10.101.4.0/25"]
        }
    }
    subnets = {
        Subnet_1 = {
            name              = "Active_Directory"
            cidr              = ["10.101.4.128/27"]
            service_endpoints = []
            nsg_inbound = [
                # ["Name", "Priority", "Direction", "Action", "Protocol", "source_port_range", "destination_port_range", "source_address_prefix", "destination_address_prefix"],
                ["LDAP-t", "100", "Inbound", "Allow", "*", "*", "389", "*", "*"],
                ["RPC-EPM", "102", "Inbound", "Allow", "tcp", "*", "135", "*", "*"],
                ["SMB-In", "103", "Inbound", "Allow", "tcp", "*", "445", "*", "*"],
            ]
            nsg_outbound = []
            delegation = {
                name = "acctestdelegation1"
                service_delegation = {
                    name    = "Microsoft.ContainerInstance/containerGroups"
                    actions = ["Microsoft.Network/virtualNetworks/subnets/join/action", "Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action"]
                }
            }
        }
        Subnet_2 = {
            name              = "SQL_Servers"
            cidr              = ["10.101.4.160/27"]
            service_endpoints = []
            nsg_inbound = [
                ["SQL", "100", "Inbound", "Allow", "tcp", "*", "1433", "*", "*"],
            ]
            nsg_outbound = []
        }
        Subnet_3 = {
            name              = "Network_Monitoring"
            cidr              = ["10.101.4.192/27"]
            service_endpoints = ["Microsoft.EventHub"]
            nsg_inbound = [
                # ["Test", "101", "Inbound", "Allow", "tcp", "*", "1643", "*", "*"],
            ]
            nsg_outbound = []
        }
    }
    netwatcher = {
        # create the network watcher for the subscription and for the location of the vnet
        create = true
        # name of the network watcher to be created
        name = "nwtest"

        flow_logs_settings = {
            enabled   = true
            retention = true
            period    = 7
        }

        traffic_analytics_settings = {
            enabled = true
        }
    }
}
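The nsg_inbound rows above are nine-field lists and every subnet CIDR must lie inside the vnet address_space, which makes the object easy to lint before terraform apply. The following is an added example, not code from this module: a small pre-apply checker over a constructed networking_object-shaped dict (the SAMPLE data, the Any-In and Dup rules and the out-of-range Subnet_2 CIDR are all made up to trigger findings) that flags subnet CIDRs outside the VNet, duplicate NSG priorities, and inbound Allow rules open to any source.

```python
import ipaddress

# Constructed sample in the README's networking_object shape (not module code).
# nsg_inbound rows use the README's 9-field layout:
# [name, priority, direction, action, protocol, src_port, dst_port, src_prefix, dst_prefix]
SAMPLE = {
    "vnet": {"name": "sg1-vnet-dmz", "address_space": ["10.101.4.0/22"]},
    "subnets": {
        "Subnet_1": {
            "name": "Active_Directory",
            "cidr": ["10.101.4.128/27"],
            "nsg_inbound": [
                ["LDAP-t", "100", "Inbound", "Allow", "*", "*", "389", "*", "*"],
                ["RPC-EPM", "102", "Inbound", "Allow", "tcp", "*", "135", "*", "*"],
                ["Any-In", "105", "Inbound", "Allow", "*", "*", "*", "*", "*"],
                ["Dup", "102", "Inbound", "Allow", "tcp", "*", "445", "*", "*"],
            ],
        },
        "Subnet_2": {
            "name": "SQL_Servers",
            "cidr": ["10.102.0.0/27"],  # deliberately outside the vnet range
            "nsg_inbound": [
                ["SQL", "100", "Inbound", "Allow", "tcp", "*", "1433", "10.101.4.128/27", "*"],
            ],
        },
    },
}


def lint_networking_object(obj):
    """Return a list of finding strings for a networking_object-shaped dict."""
    findings = []
    vnet_nets = [ipaddress.ip_network(c) for c in obj["vnet"]["address_space"]]
    for key, sub in obj.get("subnets", {}).items():
        # Every subnet CIDR must sit inside one of the VNet address ranges.
        for cidr in sub.get("cidr", []):
            if not any(ipaddress.ip_network(cidr).subnet_of(v) for v in vnet_nets):
                findings.append(f"{key}: cidr {cidr} is outside the vnet address_space")
        seen = set()
        for row in sub.get("nsg_inbound", []):
            name, prio, direction, action, proto, _sp, dport, src, _dst = row
            # Azure rejects two rules with the same priority in one direction of an NSG.
            if (direction, prio) in seen:
                findings.append(f"{key}/{name}: duplicate {direction} priority {prio}")
            seen.add((direction, prio))
            if direction == "Inbound" and action == "Allow" and src == "*":
                # Allow from any source: flag it, and say so when every port is open too.
                scope = "any port" if dport == "*" else f"port {dport}/{proto}"
                findings.append(f"{key}/{name}: {scope} open to any source")
    return findings
```

Run lint_networking_object over the real object (parsed from terraform show -json or a copy of the locals) in CI; an empty list means the three checks passed.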