azurenoops / terraform-azurerm-overlays-workload-spoke

Terraform module overlay to create SCCA compliant Workload Spoke based on the Microsoft Azure Hub-Spoke Architecture using with Azure NoOps.
MIT License

Subnet NSG rules don't allow * for Source Address Prefix or Destination Address Prefix #14

Closed sstjean closed 1 year ago

sstjean commented 1 year ago

Is there an existing issue for this?

Greenfield/Brownfield provisioning

brownfield

Terraform Version

1.4.6

Module Version

2.0.3

AzureRM Provider Version

3.60.0

Affected Resource(s)/Data Source(s)

azurerm_network_security_group.nsg

Terraform Configuration Files

module "mod_dmz_spoke" {
  source  = "azurenoops/overlays-workload-spoke/azurerm"
  version = ">= 2.0.0"

  # By default, this module will create a resource group. 
  # To use an existing resource group, specify the existing resource group name, 
  # and set the argument to `create_resource_group = false`. Location will be same as existing RG.
  create_resource_group            = var.create_resource_group
  custom_spoke_resource_group_name = var.custom_dmz_resource_group_name

  location           = "eastus"
  deploy_environment = var.deploy_environment
  org_name           = var.org_name
  environment        = var.environment
  workload_name      = var.wl_name

  # Collect Hub network details for peering.
  hub_virtual_network_id          = var.hub_virtual_network_id
  hub_firewall_private_ip_address = var.hub_firewall_private_ip_address
  hub_storage_account_id          = var.hub_storage_account_id

  # (Required) Log Analytics information for Azure monitoring and flow logs. 
  # The log_analytics_logs_retention_in_days values range between 30 and 730
  log_analytics_workspace_id           = var.hub_managmement_logging_log_analytics_id
  log_analytics_customer_id            = var.hub_managmement_logging_workspace_id
  log_analytics_logs_retention_in_days = 30

  # Provide valid VNet CIDR Address space for the DMZ virtual network.    
  virtual_network_address_space = var.wl_vnet_address_space # (Required)  Spoke Virtual Network Parameters

  # (Required) Specify if you are deploying the DMZ VNet to the same subscription as the Hub VNet
  is_spoke_deployed_to_same_hub_subscription = var.is_wl_spoke_deployed_to_same_hub_subscription

  # (Required) Definition of Subnets, Service delegation, Service Endpoints, Network security groups to be created
  # This list includes the Default subnet.  If not specified, no Subnets will be added to the VNet
  # Check README.md for more details
  # Route_table and NSG association to be added automatically for all subnets listed here.
  # subnet name will be set as per Azure naming convention by default. expected value here is: <App or project name>
  spoke_subnets = var.wl_subnets

  # Enable Flow Logs
  # By default, this will enable the traffic analytics flow logs for all subnets.
  enable_traffic_analytics = var.enable_traffic_analytics

  # By default, forced tunneling is disabled for the DMZ spoke.
  # If you want to enable forced tunneling from the DMZ VNet to the Hub VNet via the DMZ spoke route table, 
  # set `enable_forced_tunneling = true`.
  enable_forced_tunneling_on_route_table = var.enable_forced_tunneling_on_wl_route_table

  # Private DNS Zone Settings
  # By default, Azure NoOps will create Private DNS Zones for Logging in Hub VNet.
  # If you want to create additional Private DNS Zones, 
  # then add them into the list of private_dns_zones to be created.
  # else, remove the private_dns_zones argument.
  private_dns_zones = var.wl_private_dns_zones

  # Peering
  # By default, Azure NoOps will create peering between the Hub and the DMZ spoke.
  # Since is using a gateway, set the argument to `use_source_remote_spoke_gateway = true`, to enable gateway traffic.   
  use_source_remote_spoke_gateway = var.use_source_remote_spoke_gateway

  # By default, this will apply resource locks to all resources created by this module.
  # To disable resource locks, set the argument to `enable_resource_locks = false`.
  enable_resource_locks = var.enable_resource_locks

  # Tags
  add_tags = local.workload_resources_tags # Tags to be applied to all resources

}

tfvars variables values

required = {
  org_name           = "test"
  deploy_environment = "dev"
  environment        = "public"
  metadata_host      = "management.azure.com"
}

location      = "eastus"
workload_name = "test"

dmz_subscription_id             = "<<fill in>>"
hub_virtual_network_resource_id = "<<fill in>>"
hub_firewall_private_ip_address = "10.0.100.4"
hub_storage_account_resource_id = "<<fill in>>"
log_analytics_workspace_resource_id = "<<fill in>>"
log_analytics_workspace_id          = "<<fill in>>"

####################################################
#
#    DMZ Transport Spoke
#
####################################################

dmz_vnet_address_space = ["10.2.0.0/24"]
dmz_vnet_subnets = {
  default = {
    name                                       = "dmz"
    address_prefixes                           = ["10.2.0.0/27"]
    service_endpoints                          = ["Microsoft.Storage", "Microsoft.KeyVault"]
    private_endpoint_network_policies_enabled  = false
    private_endpoint_service_endpoints_enabled = true
    nsg_subnet_inbound_rules = [
      ["allow-code-x-55555-to-proxy", "Allow access to port 5555", 100, "Inbound", "Allow", "*", ["5555"], ["*"], ["*"]],
      ["allow-code-x-5321-to-proxy", "Allow access to port 5321", 200, "Inbound", "Allow", "*", ["5321"], ["*"], ["*"]],
      ["allow-code-x-4444-to-proxy", "Allow access to port 4444", 300, "Inbound", "Allow", "*", ["4444"], ["*"], ["*"]],
    ]

    nsg_subnet_outbound_rules = []
  }
}

Debug Output/Panic Output

Error: creating/updating Network Security Group: (Name "ssj-eus-codex-dev-default-nsg" / Resource Group "ssj-eus-codex-dev-rg"): network.SecurityGroupsClient#CreateOrUpdate: Failure sending request: StatusCode=400 -- Original Error: Code="SecurityRuleParameterContainsUnsupportedValue" Message="Security rule parameter SourceAddressPrefix for rule with Id /subscriptions/c24647bf-0c86-4408-8d29-6a67262a2701/resourceGroups/ssj-eus-codex-dev-rg/providers/Microsoft.Network/networkSecurityGroups/ssj-eus-codex-dev-default-nsg/securityRules/allow-code-x-55555-to-proxy cannot specify existing VIRTUALNETWORK, INTERNET, AZURELOADBALANCER, '*' or system tags. Unsupported value used: *." Details=[]
│
│   with module.dmz_spoke.module.mod_dmz_spoke.azurerm_network_security_group.nsg["default"],
│   on .terraform/modules/dmz_spoke.mod_dmz_spoke/resources.workload.spoke.nsg.tf line 4, in resource "azurerm_network_security_group" "nsg":
│    4: resource "azurerm_network_security_group" "nsg" {
│

Expected Behaviour

The NSG should have created the rules successfully using the * for the source and destination addresses.

Actual Behaviour

The error above is thrown and the NSG rule is not updated.

Steps to Reproduce

Placing ["*"] in the source_address_prefixes or destination_address_prefixes location for the Inbound or Outbound NSG rules in a Subnet will cause this problem.

["allow-code-x-4444-to-proxy", "Allow access to port 4444", 300, "Inbound", "Allow", "*", ["4444"], ["*"], ["*"]]

The problem is that the Workload Spoke NSG module, lines 21 & 22, call azurerm_network_security_group's rule creation but only use the source_address_prefixes and destination_address_prefixes parameters. These can't take the *, only source_address_prefix and destination_address_prefix can take *, and that's not available in the NoOps version.

Important Factoids

No response

References

AzureRM Network Security Group Docs has the info needed to fix this.
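The following is an added example, not code from the azurenoops module or from the reporter, showing how an NSG resource can route a rule's address values to the right provider argument. It assumes the nine-position rule layout inferred from the sample row in this issue (name, description, priority, direction, access, protocol, destination port ranges, source address prefixes, destination address prefixes); the resource names and the second sample rule are placeholders constructed for illustration.

```hcl
# Added example for this issue, not the azurenoops module's own code.
# Assumed rule layout, inferred from the sample row in the report:
# [name, description, priority, direction, access, protocol,
#  destination_port_ranges, source_address_prefixes, destination_address_prefixes]
locals {
  # Constructed sample rules: the wildcard rule from the report plus a CIDR-list rule.
  nsg_inbound_rules = [
    ["allow-code-x-4444-to-proxy", "Allow access to port 4444", 300, "Inbound", "Allow", "*", ["4444"], ["*"], ["*"]],
    ["allow-hub-mgmt", "Allow management from hub subnets", 310, "Inbound", "Allow", "Tcp", ["22", "3389"], ["10.0.100.0/24", "10.0.101.0/24"], ["10.2.0.0/27"]],
  ]
}

resource "azurerm_network_security_group" "example" {
  name                = "example-nsg" # placeholder
  location            = "eastus"
  resource_group_name = "example-rg"  # placeholder

  dynamic "security_rule" {
    for_each = local.nsg_inbound_rules
    content {
      name              = security_rule.value[0]
      description       = security_rule.value[1]
      priority          = security_rule.value[2]
      direction         = security_rule.value[3]
      access            = security_rule.value[4]
      protocol          = security_rule.value[5]
      source_port_range = "*"

      # Same singular/plural split for ports, so a one-element list does not
      # get sent in the plural argument.
      destination_port_range  = length(security_rule.value[6]) == 1 ? security_rule.value[6][0] : null
      destination_port_ranges = length(security_rule.value[6]) > 1 ? security_rule.value[6] : null

      # Azure accepts "*" and service tags (VirtualNetwork, Internet, AzureLoadBalancer, ...)
      # only in the singular *_address_prefix argument; the plural *_address_prefixes list
      # takes CIDRs/IPs only, which is what raised SecurityRuleParameterContainsUnsupportedValue.
      # A single entry therefore goes to the singular argument, a longer list to the plural
      # one, and the unused argument is null so the provider does not send both.
      source_address_prefix        = length(security_rule.value[7]) == 1 ? security_rule.value[7][0] : null
      source_address_prefixes      = length(security_rule.value[7]) > 1 ? security_rule.value[7] : null
      destination_address_prefix   = length(security_rule.value[8]) == 1 ? security_rule.value[8][0] : null
      destination_address_prefixes = length(security_rule.value[8]) > 1 ? security_rule.value[8] : null
    }
  }
}
```

With this split, `["*"]` lands in `source_address_prefix`, which is the only argument Azure accepts it in, while a list of hub CIDRs lands in `source_address_prefixes`. A wildcard or service tag still has to be the sole entry: Azure rejects it inside a multi-element list regardless of how the arguments are mapped, so a rule that needs several sources should list them as CIDRs rather than mixing them with `*`.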