Add support for network security group injection #205

Merged (1 commit), Nov 28, 2022
3 changes: 2 additions & 1 deletion README.md
Expand Up @@ -432,6 +432,7 @@ Originally created by [David Tesar](http://github.com/dtzar)
| <a name="input_nb_data_disk"></a> [nb\_data\_disk](#input\_nb\_data\_disk) | (Optional) Number of the data disks attached to each virtual machine. | `number` | `0` | no |
| <a name="input_nb_instances"></a> [nb\_instances](#input\_nb\_instances) | Specify the number of vm instances. | `number` | `1` | no |
| <a name="input_nb_public_ip"></a> [nb\_public\_ip](#input\_nb\_public\_ip) | Number of public IPs to assign corresponding to one IP per vm. Set to 0 to not assign any public IP addresses. | `number` | `1` | no |
| <a name="input_network_security_group"></a> [network\_security\_group](#input\_network\_security\_group) | The network security group we'd like to bind with virtual machine. Set this variable will disable the creation of `azurerm_network_security_group` and `azurerm_network_security_rule` resources. | <pre>object({<br> id = string<br> })</pre> | `null` | no |
| <a name="input_os_profile_secrets"></a> [os\_profile\_secrets](#input\_os\_profile\_secrets) | Specifies a list of certificates to be installed on the VM, each list item is a map with the keys source\_vault\_id, certificate\_url and certificate\_store. | `list(map(string))` | `[]` | no |
| <a name="input_public_ip_dns"></a> [public\_ip\_dns](#input\_public\_ip\_dns) | Optional globally unique per datacenter region domain name label to apply to each public ip address. e.g. thisvar.varlocation.cloudapp.azure.com where you specify only thisvar here. This is an array of names which will pair up sequentially to the number of public ips defined in var.nb\_public\_ip. One name or empty string is required for every public ip. If no public ip is desired, then set this to an array with a single empty string. | `list(string)` | <pre>[<br> null<br>]</pre> | no |
| <a name="input_public_ip_sku"></a> [public\_ip\_sku](#input\_public\_ip\_sku) | Defines the SKU of the Public IP. Accepted values are Basic and Standard. Defaults to Basic. | `string` | `"Basic"` | no |
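Review bot: the description in the `input_network_security_group` row reads "Set this variable will disable the creation of ..."; it should read "Setting this variable disables the creation of ...", and it should also say that `remote_port` is not applied in that case, because the inbound remote-access rule is one of the resources no longer created, so the caller must add that rule to the NSG they pass in. If this table is generated from the `description` in variables.tf, make the fix there so the two stay in sync.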
Expand Down Expand Up @@ -462,7 +463,7 @@ Originally created by [David Tesar](http://github.com/dtzar)
| <a name="output_network_interface_ids"></a> [network\_interface\_ids](#output\_network\_interface\_ids) | ids of the vm nics provisoned. |
| <a name="output_network_interface_private_ip"></a> [network\_interface\_private\_ip](#output\_network\_interface\_private\_ip) | private ip addresses of the vm nics |
| <a name="output_network_security_group_id"></a> [network\_security\_group\_id](#output\_network\_security\_group\_id) | id of the security group provisioned |
| <a name="output_network_security_group_name"></a> [network\_security\_group\_name](#output\_network\_security\_group\_name) | name of the security group provisioned |
| <a name="output_network_security_group_name"></a> [network\_security\_group\_name](#output\_network\_security\_group\_name) | name of the security group provisioned, empty if no security group was created. |
| <a name="output_public_ip_address"></a> [public\_ip\_address](#output\_public\_ip\_address) | The actual ip address allocated for the resource. |
| <a name="output_public_ip_dns_name"></a> [public\_ip\_dns\_name](#output\_public\_ip\_dns\_name) | fqdn to connect to the first vm provisioned. |
| <a name="output_public_ip_id"></a> [public\_ip\_id](#output\_public\_ip\_id) | id of the public ip address provisoned. |
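Review bot: `network_security_group_name` is now documented as "empty if no security group was created", but `network_security_group_id` two rows above keeps the unconditional "id of the security group provisioned" even though it now also returns a caller-supplied id. Update that description to say it is the id of the NSG attached to the NICs, whether created by the module or passed in via `network_security_group`, so readers do not assume a non-empty id means the module created it.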
24 changes: 24 additions & 0 deletions examples/complete/main.tf
Expand Up @@ -113,6 +113,27 @@ module "debianservers" {
]
}

resource "azurerm_network_security_group" "external_nsg" {
location = var.location_alt
name = "${azurerm_resource_group.test.name}-nsg"
resource_group_name = azurerm_resource_group.test.name
}

resource "azurerm_network_security_rule" "vm" {
access = "Allow"
direction = "Inbound"
name = "allow_remote_in_all"
network_security_group_name = azurerm_network_security_group.external_nsg.name
priority = 101
protocol = "Tcp"
resource_group_name = azurerm_resource_group.test.name
description = "Allow remote protocol in from all locations"
destination_address_prefix = "*"
destination_port_range = "22"
source_address_prefix = "${local.public_ip}/32"
source_port_range = "*"
}

module "debianservers2" {
source = "../.."
vm_hostname = "${random_id.ip_dns.hex}-d2"
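Review bot: the rule name `allow_remote_in_all` and its description "Allow remote protocol in from all locations" contradict the rule body, which only admits TCP/22 from `source_address_prefix = "${local.public_ip}/32"`; rename it along the lines of `allow_ssh_from_runner` and describe it that way, so nobody later "fixes" the source prefix to `*` to match the name. Restricting the source to a single /32 is the right pattern for an example that exposes SSH on a public IP; keep that. Also note the NSG is placed in `var.location_alt`: Azure requires an NSG to be in the same region as the NIC it is associated with, so this only works if `debianservers2` is also deployed to `location_alt` (its `location` argument is outside this hunk).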
Expand All @@ -130,6 +151,9 @@ module "debianservers2" {
public_ip_sku = "Standard"
ssh_key = ""
ssh_key_values = [file("${path.module}/monica_id_rsa.pub")]
network_security_group = {
id = azurerm_network_security_group.external_nsg.id
}
# To test `var.zone` please uncomment the line below.
# zone = "2"
}
32 changes: 32 additions & 0 deletions examples/complete/outputs.tf
Expand Up @@ -2,6 +2,14 @@ output "debian2_availability_set_id" {
value = module.debianservers2.availability_set_id
}

output "debian2_nsg_id" {
value = module.debianservers2.network_security_group_id
}

output "debian2_nsg_name" {
value = module.debianservers2.network_security_group_name
}

output "debian2_vm_names" {
value = module.debianservers2.vm_names
}
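Review bot: `debianservers2` is the instance that receives the external NSG, so `debian2_nsg_name` will be the empty string and `debian2_nsg_id` will equal `azurerm_network_security_group.external_nsg.id`. Whatever test harness consumes these outputs should assert exactly that pair, otherwise the injection path is only surfaced as outputs and never actually checked; the other `*_nsg_name` outputs added below should be non-empty and equal to `"<vm_hostname>-nsg"`.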
Expand All @@ -14,6 +22,14 @@ output "debian_ip_address" {
value = module.debianservers.public_ip_address
}

output "debian_nsg_id" {
value = module.debianservers.network_security_group_id
}

output "debian_nsg_name" {
value = module.debianservers.network_security_group_name
}

output "debian_vm_names" {
value = module.debianservers.vm_names
}
Expand Down Expand Up @@ -52,6 +68,14 @@ output "ubuntu_ip_address" {
value = module.ubuntuservers.public_ip_address
}

output "ubuntu_nsg_id" {
value = module.ubuntuservers.network_security_group_id
}

output "ubuntu_nsg_name" {
value = module.ubuntuservers.network_security_group_name
}

output "ubuntu_vm_names" {
value = module.ubuntuservers.vm_names
}
Expand Down Expand Up @@ -99,6 +123,14 @@ output "windows_ip_address" {
value = module.windowsservers.public_ip_address
}

output "windows_nsg_id" {
value = module.windowsservers.network_security_group_id
}

output "windows_nsg_name" {
value = module.windowsservers.network_security_group_name
}

output "windows_vm_admin_password" {
sensitive = true
value = local.admin_password
17 changes: 14 additions & 3 deletions main.tf
Expand Up @@ -287,20 +287,31 @@ data "azurerm_public_ip" "vm" {
depends_on = [azurerm_virtual_machine.vm_linux, azurerm_virtual_machine.vm_windows]
}

moved {
from = azurerm_network_security_group.vm
to = azurerm_network_security_group.vm[0]
}

resource "azurerm_network_security_group" "vm" {
count = var.network_security_group == null ? 1 : 0

location = local.location
name = "${var.vm_hostname}-nsg"
resource_group_name = var.resource_group_name
tags = var.tags
}

locals {
network_security_group_id = var.network_security_group == null ? azurerm_network_security_group.vm[0].id : var.network_security_group.id
}

resource "azurerm_network_security_rule" "vm" {
count = var.remote_port != "" ? 1 : 0
count = var.network_security_group == null && var.remote_port != "" ? 1 : 0

access = "Allow"
direction = "Inbound"
name = "allow_remote_${coalesce(var.remote_port, module.os.calculated_remote_port)}_in_all"
network_security_group_name = azurerm_network_security_group.vm.name
network_security_group_name = azurerm_network_security_group.vm[0].name
priority = 101
protocol = "Tcp"
resource_group_name = var.resource_group_name
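Review bot: `remote_port` is silently ignored once `network_security_group` is set: `count = var.network_security_group == null && var.remote_port != "" ? 1 : 0` drops the rule resource, so a caller that passes both gets no inbound rule and no warning. A `validation` block cannot reference a second variable, so either state this clearly in the `network_security_group` description or add a `precondition` (Terraform 1.2+) on `azurerm_network_interface_security_group_association.test` that fails when both are set. Two smaller points: `local.network_security_group_id` indexes `azurerm_network_security_group.vm[0]` inside a conditional whose other branch is taken when the count is 0; that works because HCL only reports errors for the selected branch, but `try(azurerm_network_security_group.vm[0].id, var.network_security_group.id)` expresses the intent without depending on that behaviour. The `moved` block is the right call: without it, adding `count` would plan to destroy `azurerm_network_security_group.vm` and create `vm[0]`, replacing the NIC associations along with it.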
Expand Down Expand Up @@ -332,5 +343,5 @@ resource "azurerm_network_interface_security_group_association" "test" {
count = var.nb_instances

network_interface_id = azurerm_network_interface.vm[count.index].id
network_security_group_id = azurerm_network_security_group.vm.id
network_security_group_id = local.network_security_group_id
}
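Review bot: with a caller-supplied NSG the module still creates one `azurerm_network_interface_security_group_association` per NIC, so `var.network_security_group.id` is bound at NIC level regardless of whether the caller has already attached the same NSG to the subnet. Azure allows that (subnet and NIC NSGs are evaluated in sequence), but it is worth a sentence in the variable description so callers know the association happens at the NIC, and that deleting the module's association is what detaches it, not removing the subnet binding.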
6 changes: 3 additions & 3 deletions outputs.tf
Expand Up @@ -15,12 +15,12 @@ output "network_interface_private_ip" {

output "network_security_group_id" {
description = "id of the security group provisioned"
value = azurerm_network_security_group.vm.id
value = local.network_security_group_id
}

output "network_security_group_name" {
description = "name of the security group provisioned"
value = azurerm_network_security_group.vm.name
description = "name of the security group provisioned, empty if no security group was created."
value = join("", concat(azurerm_network_security_group.vm[*].name, [""]))
}

output "public_ip_address" {
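Review bot: `network_security_group_id` now returns the caller-supplied id while `network_security_group_name` returns `""` in that same case, so the two outputs disagree about whether an NSG is in play. Either make both module-only (return `one(azurerm_network_security_group.vm[*].id)` for the id, with its description saying "null if an external NSG was supplied"), or derive the name from the injected id, since an Azure resource id ends in the resource name: `element(split("/", local.network_security_group_id), -1)`. The `join("", concat(azurerm_network_security_group.vm[*].name, [""]))` construction works but reads as a pre-`try()` workaround; `try(azurerm_network_security_group.vm[0].name, "")` says the same thing directly.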
12 changes: 12 additions & 0 deletions variables.tf
Expand Up @@ -157,6 +157,18 @@ variable "nb_public_ip" {
default = 1
}

variable "network_security_group" {
description = "The network security group we'd like to bind with virtual machine. Set this variable will disable the creation of `azurerm_network_security_group` and `azurerm_network_security_rule` resources."
type = object({
id = string
})
default = null
validation {
condition = var.network_security_group == null ? true : var.network_security_group.id != null
error_message = "When `var.network_security_group` is not `null`, `var.network_security_group.id` is required."
}
}

variable "os_profile_secrets" {
description = "Specifies a list of certificates to be installed on the VM, each list item is a map with the keys source_vault_id, certificate_url and certificate_store."
type = list(map(string))
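Review bot: the `validation` only rejects a null `id`, so `network_security_group = { id = "" }` passes validation and fails later in the provider when the NIC association is created. Tighten the condition to check the id's shape, e.g. `condition = var.network_security_group == null ? true : can(regex("(?i)^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/Microsoft\\.Network/networkSecurityGroups/[^/]+$", var.network_security_group.id))`, which also catches a caller handing in a NIC or subnet id by mistake and keeps the failure at plan time. The description's "Set this variable will disable" should read "Setting this variable disables", and it should state that `remote_port` is not applied when an external NSG is supplied, since the rule resource is among those no longer created.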