From 50681250a4795195f8eb861c6d85612eeb39eecf Mon Sep 17 00:00:00 2001
From: Adin Ermie
Date: Tue, 27 Aug 2024 14:16:23 -0400
Subject: [PATCH 01/32] Initial ExpressRoute code
---
azure_express_route/README.md | 0
azure_express_route/backend.tf | 8 +++
azure_express_route/data.tf | 2 +
.../express_route_connection.tf | 29 +++++++++
azure_express_route/locals.tf | 4 ++
azure_express_route/main.tf | 43 ++++++++++++
azure_express_route/outputs.tf | 14 ++++
azure_express_route/provider.tf | 21 ++++++
.../variables-expressRoute-circuit-peering.tf | 64 ++++++++++++++++++
.../variables-expressRoute-circuit.tf | 62 ++++++++++++++++++
.../variables-expressRoute-connection.tf | 65 +++++++++++++++++++
azure_express_route/variables.tf | 15 +++++
12 files changed, 327 insertions(+)
create mode 100644 azure_express_route/README.md
create mode 100644 azure_express_route/backend.tf
create mode 100644 azure_express_route/data.tf
create mode 100644 azure_express_route/express_route_connection.tf
create mode 100644 azure_express_route/locals.tf
create mode 100644 azure_express_route/main.tf
create mode 100644 azure_express_route/outputs.tf
create mode 100644 azure_express_route/provider.tf
create mode 100644 azure_express_route/variables-expressRoute-circuit-peering.tf
create mode 100644 azure_express_route/variables-expressRoute-circuit.tf
create mode 100644 azure_express_route/variables-expressRoute-connection.tf
create mode 100644 azure_express_route/variables.tf
diff --git a/azure_express_route/README.md b/azure_express_route/README.md
new file mode 100644
index 0000000..e69de29
diff --git a/azure_express_route/backend.tf b/azure_express_route/backend.tf
new file mode 100644
index 0000000..0108bf7
--- /dev/null
+++ b/azure_express_route/backend.tf
@@ -0,0 +1,8 @@
+terraform {
+ backend "azurerm" {
+ resource_group_name = "BCGOV-MGD-FORGE-terraform"
+ storage_account_name = "bcgovmgdlforgetfstate"
+ container_name = "tfstate"
+ key = "azure-lz-core-expressroute-forge.tfstate"
+ }
+}
diff --git a/azure_express_route/data.tf b/azure_express_route/data.tf
new file mode 100644
index 0000000..434dac2
--- /dev/null
+++ b/azure_express_route/data.tf
@@ -0,0 +1,2 @@
+# Get the current client configuration from the AzureRM provider
+data "azurerm_client_config" "current" {}
diff --git a/azure_express_route/express_route_connection.tf b/azure_express_route/express_route_connection.tf
new file mode 100644
index 0000000..de215ea
--- /dev/null
+++ b/azure_express_route/express_route_connection.tf
@@ -0,0 +1,29 @@
+
+# IMPORTANT: The provider status of the Express Route Circuit must be set as provisioned while creating the Express Route Connection.
+# resource "azurerm_express_route_connection" "this" {
+# name = var.express_route_connection_name
+# express_route_circuit_peering_id = azurerm_express_route_circuit_peering.this.id
+# express_route_gateway_id = var.express_route_gateway_id
+# authorization_key = var.authorization_key
+# enable_internet_security = var.enable_internet_security
+# express_route_gateway_bypass_enabled = var.express_route_gateway_bypass_enabled
+# private_link_fast_path_enabled = var.private_link_fast_path_enabled
+# routing_weight = var.routing_weight
+
+# dynamic "routing" {
+# for_each = var.routing
+# content {
+# associated_route_table_id = routing.value.associated_route_table_id
+# inbound_route_map_id = routing.value.inbound_route_map_id
+# outbound_route_map_id = routing.value.outbound_route_map_id
+
+# dynamic "propagated_route_table" {
+# for_each = routing.value.propagated_route_table
+# content {
+# labels = propagated_route_table.value.labels
+# route_table_ids = propagated_route_table.value.route_table_ids
+# }
+# }
+# }
+# }
+# }
\ No newline at end of file
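Review bot: The azurerm backend block has no authentication setting, while provider.tf in the same commit sets `use_oidc = true`; if the pipeline identity is OIDC-based the backend needs the matching `use_oidc = true`, and `use_azuread_auth = true` keeps state access on Entra RBAC instead of the storage account key. The state file named here will hold the circuit's `shared_key` (set in main.tf) and `service_key` (exposed in outputs.tf) in plaintext, so access control on the `tfstate` container is the control that protects those values. Worth a comment on the block, e.g. `# State holds ExpressRoute shared/service keys - container access is restricted to the deployment identity`.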
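Review bot: The commented-out `dynamic "routing"` block iterates `var.routing` directly, but that variable is declared as a single object in variables-expressRoute-connection.tf (same commit), so once the resource is uncommented `routing.value` appears to be an individual attribute value rather than the routing object and `routing.value.associated_route_table_id` would not resolve; `propagated_route_table` has the same shape problem one level down. Wrapping the optional object when present, `for_each = var.routing != null ? [var.routing] : []` (and likewise `routing.value.propagated_route_table != null ? [routing.value.propagated_route_table] : []`), matches the declared types. The IMPORTANT note on the provisioning prerequisite is useful; it would also help to say where `authorization_key` is expected to come from, since the same variable name is declared twice in this commit.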
diff --git a/azure_express_route/locals.tf b/azure_express_route/locals.tf
new file mode 100644
index 0000000..9a5b485
--- /dev/null
+++ b/azure_express_route/locals.tf
@@ -0,0 +1,4 @@
+locals {
+ subscription_id_connectivity = coalesce(var.subscription_id_connectivity, local.subscription_id_management)
+ subscription_id_management = coalesce(var.subscription_id_management, data.azurerm_client_config.current.subscription_id)
+}
diff --git a/azure_express_route/main.tf b/azure_express_route/main.tf
new file mode 100644
index 0000000..1d03cda
--- /dev/null
+++ b/azure_express_route/main.tf
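Review bot: Both `coalesce()` fallbacks in locals.tf are dead code: `subscription_id_management` and `subscription_id_connectivity` are declared in variables.tf (later in this commit) with no default, so they are always required and never null. Either give those two variables `default = null` so the fallback chain to the client config can apply, or drop the coalesce and the `azurerm_client_config` data source. Nothing in this commit reads `local.subscription_id_connectivity`: the provider.tf comment says sub-modules use the connectivity subscription, but the only provider block here sets no `subscription_id`, so the resource group, circuit and peering land in whatever subscription the pipeline identity defaults to; adding `subscription_id = local.subscription_id_connectivity` to the provider block (or documenting why not) would make the target subscription explicit.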
@@ -0,0 +1,43 @@
+resource "azurerm_resource_group" "this" {
+ name = var.resource_group_name
+ location = var.location
+}
+
+resource "azurerm_express_route_circuit" "this" {
+ name = var.express_route_circuit_name
+ resource_group_name = azurerm_resource_group.this.name
+ location = azurerm_resource_group.this.location
+ service_provider_name = var.service_provider_name
+ peering_location = var.peering_location
+ bandwidth_in_mbps = var.bandwidth_in_mbps
+ allow_classic_operations = var.allow_classic_operations
+
+ sku {
+ tier = var.sku.tier
+ family = var.sku.family
+ }
+
+ tags = var.tags
+}
+
+resource "azurerm_express_route_circuit_peering" "this" {
+ peering_type = var.peering_type
+ express_route_circuit_name = azurerm_express_route_circuit.this.name
+ resource_group_name = azurerm_resource_group.this.name
+
+ vlan_id = var.vlan_id
+ primary_peer_address_prefix = var.primary_peer_address_prefix
+ secondary_peer_address_prefix = var.secondary_peer_address_prefix
+ ipv4_enabled = var.ipv4_enabled
+
+ shared_key = var.shared_key
+ peer_asn = var.peer_asn
+ route_filter_id = var.route_filter_id
+
+ microsoft_peering_config {
+ advertised_public_prefixes = var.microsoft_peering_config.advertised_public_prefixes
+ customer_asn = var.microsoft_peering_config.customer_asn
+ routing_registry_name = var.microsoft_peering_config.routing_registry_name
+ advertised_communities = var.microsoft_peering_config.advertised_communities
+ }
+}
diff --git a/azure_express_route/outputs.tf b/azure_express_route/outputs.tf
new file mode 100644
index 0000000..295002b
--- /dev/null
+++ b/azure_express_route/outputs.tf
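Review bot: `microsoft_peering_config` is a static block that dereferences `var.microsoft_peering_config.advertised_public_prefixes`, but that variable defaults to `null` in variables-expressRoute-circuit-peering.tf, so any plan that leaves it unset — including the AzurePrivatePeering case, where the block is not applicable — fails on attribute access of a null value. Making it a dynamic block that emits nothing when the variable is null fixes the default-value plan and keeps the block out of non-Microsoft peerings; the resource group and circuit resources above are unaffected.
```terraform
  # … unchanged: peering_type … route_filter_id …

  # Only emitted when a config is supplied; the block is specific to MicrosoftPeering.
  dynamic "microsoft_peering_config" {
    for_each = var.microsoft_peering_config != null ? [var.microsoft_peering_config] : []

    content {
      advertised_public_prefixes = microsoft_peering_config.value.advertised_public_prefixes
      customer_asn               = microsoft_peering_config.value.customer_asn
      routing_registry_name      = microsoft_peering_config.value.routing_registry_name
      advertised_communities     = microsoft_peering_config.value.advertised_communities
    }
  }
```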
@@ -0,0 +1,14 @@
+output "express_route_circuit_id" {
+ description = "The ID of the ExpressRoute Circuit."
+ value = azurerm_express_route_circuit.circuit.id
+}
+
+output "service_provider_provisioning_state" {
+ description = "The provisioning state of the ExpressRoute Circuit Service Provider."
+ value = azurerm_express_route_circuit.circuit.service_provider_provisioning_state
+}
+
+output "service_key" {
+ description = "The service key of the ExpressRoute Circuit."
+ value = azurerm_express_route_circuit.circuit.service_key
+}
\ No newline at end of file
diff --git a/azure_express_route/provider.tf b/azure_express_route/provider.tf
new file mode 100644
index 0000000..c0f60ef
--- /dev/null
+++ b/azure_express_route/provider.tf
@@ -0,0 +1,21 @@
+terraform {
+ required_version = ">=1.8.0, < 2.0.0"
+
+ required_providers {
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = ">=3.112.0, < 4.0.0"
+ }
+
+ azapi = {
+ source = "azure/azapi"
+ }
+ }
+}
+
+provider "azurerm" {
+ use_oidc = true
+ features {}
+ # NOTE: The assumption is that the pipeline will be using the Management subscription for the base provider
+ # The sub-modules will be using the subscription_id_connectivity
+}
diff --git a/azure_express_route/variables-expressRoute-circuit-peering.tf b/azure_express_route/variables-expressRoute-circuit-peering.tf
new file mode 100644
index 0000000..55ef60f
--- /dev/null
+++ b/azure_express_route/variables-expressRoute-circuit-peering.tf
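Review bot: All three outputs reference `azurerm_express_route_circuit.circuit`, but the resource in main.tf is named `this`, so the module does not validate as committed; each `value` should read `azurerm_express_route_circuit.this.<attribute>`. The `service_key` output is the credential a connectivity provider uses to provision the circuit and should be declared `sensitive = true`, so it is redacted from plan/apply output and pipeline logs (the provider treats that attribute as sensitive, so Terraform may refuse the output without it). A one-line comment on that output, `# Service key is a provisioning credential - hand it to the provider out of band, never via logs`, would make the intent clear to the next reader.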
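Review bot: `azapi` is declared in `required_providers` with a `source` but no `version` constraint, so only the lock file pins it and a `terraform init -upgrade` can pull any release; add a constraint next to the azurerm one, e.g. `version = "<TESTED_AZAPI_RANGE>"` (placeholder — use the range you validated against). Nothing in this commit uses an azapi resource, so the simpler option is to drop the entry until one does.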
@@ -0,0 +1,64 @@
+variable "peering_type" {
+ description = "(Required) The type of the ExpressRoute Circuit Peering."
+ type = string
+
+ validation {
+ condition = contains(["AzurePublicPeering", "AzurePrivatePeering", "MicrosoftPeering"], var.peering_type)
+ error_message = "The peering type must be either AzurePublicPeering, AzurePrivatePeering or MicrosoftPeering."
+ }
+}
+
+variable "vlan_id" {
+ description = "(Required) A valid VLAN ID to establish this peering on."
+ type = number
+}
+
+variable "primary_peer_address_prefix" {
+ description = "(Optional) A /30 subnet for the primary link. Required when config for IPv4."
+ type = string
+}
+
+variable "secondary_peer_address_prefix" {
+ description = "(Optional) A /30 subnet for the secondary link. Required when config for IPv4."
+ type = string
+}
+
+variable "ipv4_enabled" {
+ description = "(Optional) A boolean value indicating whether the IPv4 peering is enabled."
+ type = bool
+ default = true
+}
+
+variable "shared_key" {
+ description = "(Optional) The shared key. Can be a maximum of 25 characters."
+ type = string
+ default = null
+}
+
+variable "peer_asn" {
+ description = "(Optional) The Either a 16-bit or a 32-bit ASN. Can either be public or private."
+ type = number
+ default = null
+}
+
+variable "microsoft_peering_config" {
+ description = "(Optional) A microsoft_peering_config block as defined below."
+ type = object({
+ advertised_public_prefixes = list(string)
+ customer_asn = optional(number)
+ routing_registry_name = optional(string)
+ advertised_communities = optional(list(string))
+ })
+ default = null
+}
+
+variable "route_filter_id" {
+ description = "(Optional) The ID of the Route Filter. Only available when peering_type is set to MicrosoftPeering."
+ type = string
+ default = null
+
+ validation {
+ condition = var.peering_type == "MicrosoftPeering" && var.route_filter_id == null
+ error_message = "The route_filter_id must be set when peering_type is set to MicrosoftPeering."
+ }
+}
\ No newline at end of file
diff --git a/azure_express_route/variables-expressRoute-circuit.tf b/azure_express_route/variables-expressRoute-circuit.tf
new file mode 100644
index 0000000..1723f10
--- /dev/null
+++ b/azure_express_route/variables-expressRoute-circuit.tf
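Review bot: The `route_filter_id` validation is inverted: its condition is true only when `peering_type` is MicrosoftPeering *and* `route_filter_id` is null, so every other combination — including private peering with the default null — fails, and the error message says the opposite of the variable's own description ("Only available when peering_type is set to MicrosoftPeering"). A condition that matches the description is `condition = var.route_filter_id == null || var.peering_type == "MicrosoftPeering"` with `error_message = "route_filter_id can only be set when peering_type is MicrosoftPeering."`. Referencing another variable (`var.peering_type`) inside a `validation` block also requires Terraform 1.9, while provider.tf in this commit allows `>=1.8.0`; raise `required_version` or keep the check to the variable itself — the same applies to the `private_link_fast_path_enabled` validation in variables-expressRoute-connection.tf. `shared_key` is the peering's BGP shared secret and should carry `sensitive = true` so it is redacted from plan output; `primary_peer_address_prefix` and `secondary_peer_address_prefix` are described as optional but have no default, so they are in fact required.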
@@ -0,0 +1,62 @@
+variable "express_route_circuit_name" {
+ description = "(Required) The name of the ExpressRoute circuit."
+ type = string
+}
+
+variable "resource_group_name" {
+ description = "(Required) The name of the resource group in which to create the ExpressRoute circuit."
+ type = string
+}
+
+variable "location" {
+ description = "(Required) Specifies the supported Azure location where the resource exists."
+ type = string
+}
+
+variable "sku" {
+ description = "(Required) A sku block for the ExpressRoute circuit"
+ type = object({
+ tier = string
+ family = string
+ })
+
+ validation {
+ condition = contains(["Basic", "Local", "Standard", "Premium"], var.sku.tier)
+ error_message = "The sku tier must be either Basic, Local, Standard or Premium."
+ }
+
+ validation {
+ condition = contains(["MeteredData", "UnlimitedData"], var.sku.family)
+ error_message = "The sku family must be either MeteredData or UnlimitedData."
+ }
+}
+
+variable "service_provider_name" {
+ description = "(Optional) The name of the ExpressRoute Service Provider."
+ type = string
+ default = null
+}
+
+variable "peering_location" {
+ description = "(Optional) The name of the peering location and not the Azure resource location."
+ type = string
+ default = null
+}
+
+variable "bandwidth_in_mbps" {
+ description = "(Optional) The bandwidth in Mbps of the circuit being created on the Service Provider."
+ type = number
+ default = null
+}
+
+variable "allow_classic_operations" {
+ description = "(Optional) Allow the circuit to interact with classic (RDFE) resources."
+ type = bool
+ default = false
+}
+
+variable "authorization_key" {
+ description = "(Optional) The authorization key. This can be used to set up an ExpressRoute Circuit with an ExpressRoute Port from another subscription."
+ type = string
+ default = null
+}
\ No newline at end of file
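Review bot: `variable "authorization_key"` is declared here and again in variables-expressRoute-connection.tf in this same commit; Terraform rejects duplicate variable names within one module, so the module will not validate until one is removed or renamed (their descriptions differ — circuit/port authorization versus connection authorization — so `circuit_authorization_key` and `connection_authorization_key` would keep both meanings). Whichever declarations remain should carry `sensitive = true`: an ExpressRoute authorization key lets another subscription attach to the circuit, so it should not appear in plan output or CI logs. Note also that `authorization_key` is not consumed by any resource in main.tf, only by the commented-out connection resource.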
diff --git a/azure_express_route/variables-expressRoute-connection.tf b/azure_express_route/variables-expressRoute-connection.tf
new file mode 100644
index 0000000..448b877
--- /dev/null
+++ b/azure_express_route/variables-expressRoute-connection.tf
@@ -0,0 +1,65 @@
+variable "express_route_connection_name" {
+ description = "(Required) The name which should be used for this Express Route Connection."
+ type = string
+}
+
+variable "express_route_gateway_id" {
+ description = "(Required) The ID of the Express Route Gateway to connect to."
+ type = string
+}
+
+variable "authorization_key" {
+ description = "(Optional) The authorization key to establish the Express Route Connection."
+ type = string
+ default = null
+}
+
+variable "enable_internet_security" {
+ description = "(Optional) Is Internet security enabled for this Express Route Connection?"
+ type = bool
+ default = null
+}
+
+variable "express_route_gateway_bypass_enabled" {
+ description = "(Optional) Specified whether Fast Path is enabled for Virtual Wan Firewall Hub."
+ type = bool
+ default = false
+}
+
+variable "private_link_fast_path_enabled" {
+ description = "(Optional) Bypass the Express Route gateway when accessing private-links. When enabled express_route_gateway_bypass_enabled must be set to true."
+ type = bool
+ default = false
+
+ validation {
+ condition = (
+ var.express_route_gateway_bypass_enabled == true &&
+ var.private_link_fast_path_enabled == true)
+ error_message = "private_link_fast_path_enabled must be set to true when express_route_gateway_bypass_enabled is set to true."
+ }
+}
+
+variable "routing" {
+ description = "(Optional) A routing block as defined below."
+ type = object({
+ associated_route_table_id = optional(string)
+ inbound_route_map_id = optional(string)
+ outbound_route_map_id = optional(string)
+ propagated_route_table = optional(object({
+ labels = optional(list(string))
+ route_table_ids = optional(list(string))
+ }))
+ })
+ default = null
+}
+
+variable "routing_weight" {
+ description = "(Optional) The weight added to routes learned from this connection."
+ type = number
+ default = 0
+
+ validation {
+ condition = var.routing_weight >= 0 && var.routing_weight <= 32000
+ error_message = "routing_weight must be between 0 and 32000."
+ }
+}
\ No newline at end of file
diff --git a/azure_express_route/variables.tf b/azure_express_route/variables.tf
new file mode 100644
index 0000000..1fddd77
--- /dev/null
+++ b/azure_express_route/variables.tf
@@ -0,0 +1,15 @@
+variable "subscription_id_management" {
+ type = string
+ description = "Subscription ID to use for \"management\" resources."
+}
+
+variable "subscription_id_connectivity" {
+ type = string
+ description = "Subscription ID to use for \"connectivity\" resources."
+}
+
+variable "tags" {
+ type = map(string)
+ description = "A mapping of tags to assign to the resource."
+ default = null
+}
\ No newline at end of file
From 38c49aaad2a135b90676b0f9de2582458d0105b4 Mon Sep 17 00:00:00 2001
From: Harsimran Singh Maan
Date: Tue, 27 Aug 2024 11:38:40 -0700
Subject: [PATCH 02/32] fmt
---
ipam/app-service/main.tf | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/ipam/app-service/main.tf b/ipam/app-service/main.tf
index 742ab20..848b20a 100644
--- a/ipam/app-service/main.tf
+++ b/ipam/app-service/main.tf
@@ -89,10 +89,10 @@ resource "azurerm_service_plan" "ipam" { worker_count = 1 } resource "azurerm_linux_web_app" "ipam" { - name = var.appServiceName - resource_group_name = var.resourceGroupName - location = var.location - service_plan_id = azurerm_service_plan.ipam.id + name = var.appServiceName + resource_group_name = var.resourceGroupName + location = var.location + service_plan_id = azurerm_service_plan.ipam.id + key_vault_reference_identity_id = var.managedIdentityId identity { type = "UserAssigned" 
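Review bot: The `private_link_fast_path_enabled` validation rejects the defaults: with both variables at `false` the condition `(bypass == true && fast_path == true)` is false, so the module fails validation unless both flags are true, which is the reverse of the description (fast path requires bypass, not the other way round). The dependency the description states is `condition = !var.private_link_fast_path_enabled || var.express_route_gateway_bypass_enabled` with `error_message = "express_route_gateway_bypass_enabled must be true when private_link_fast_path_enabled is true."`. `routing` is typed as a single object, while the commented-out connection resource in express_route_connection.tf iterates it as a collection with `dynamic "routing"`; decide on one shape before that resource is enabled.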
@@ -105,7 +105,7 @@ resource "azurerm_linux_web_app" "ipam" {
 # scm_ip_restriction_default_action = "Allow"
 application_stack {
 docker_registry_url = local.acrUri
- docker_image_name = local.runtime_image
+ docker_image_name = local.runtime_image
 }
 use_32_bit_worker = false
 }
From e8e26c0e2798f77ae434725540b7abdbac23a771 Mon Sep 17 00:00:00 2001
From: Adin Ermie
Date: Tue, 27 Aug 2024 14:35:32 -0400
Subject: [PATCH 03/32] Code migration
---
.pre-commit-config.yaml | 21 ++++
azure_firewall/firewall_policy_rcg/README.md | 44 +++++++
azure_firewall/firewall_policy_rcg/data.tf | 7 ++
azure_firewall/firewall_policy_rcg/locals.tf | 0
azure_firewall/firewall_policy_rcg/main.tf | 110 ++++++++++++++++++
azure_firewall/firewall_policy_rcg/outputs.tf | 59 ++++++++++
.../firewall_policy_rcg/provider.tf | 17 +++
.../variables-firewall-policy.tf | 9 ++
.../variables-fwpolicy-rcg.tf | 72 ++++++++++++
.../firewall_policy_rcg/variables.tf | 4 +
.../private_dns_resolver/README.md | 51 ++++++++
.../private_dns_resolver/data.tf | 2 +
.../private_dns_resolver/locals.tf | 10 ++
.../private_dns_resolver/outputs.tf | 24 ++++
.../private_dns_resolver.tf | 6 +
...ate_dns_resolver_dns_forwarding_ruleset.tf | 8 ++
.../private_dns_resolver_forwarding_rule.tf | 20 ++++
.../private_dns_resolver_inbound_endpoint.tf | 11 ++
.../private_dns_resolver_outbound_endpoint.tf | 7 ++
.../private_dns_resolver/provider.tf | 17 +++
.../variables-private-dns-resolver.tf | 14 +++
.../private_dns_resolver/variables.tf | 15 +++
azure_private_dns/virtual_network/README.md | 59 ++++++++++
azure_private_dns/virtual_network/data.tf | 8 ++
azure_private_dns/virtual_network/ipam.tf | 6 +
azure_private_dns/virtual_network/locals.tf | 3 +
azure_private_dns/virtual_network/main.tf | 4 +
azure_private_dns/virtual_network/outputs.tf | 24 ++++
azure_private_dns/virtual_network/provider.tf | 36 ++++++
.../virtual_network/variables.tf | 47 ++++++++
.../virtual_network/vhub_connection.tf | 5 +
azure_private_dns/virtual_network/vnet.tf | 75 ++++++++++++
32 files changed, 795 insertions(+)
create mode 100644 .pre-commit-config.yaml
create mode 100644 azure_firewall/firewall_policy_rcg/README.md
create mode 100644 azure_firewall/firewall_policy_rcg/data.tf
create mode 100644 azure_firewall/firewall_policy_rcg/locals.tf
create mode 100644
azure_firewall/firewall_policy_rcg/main.tf
create mode 100644 azure_firewall/firewall_policy_rcg/outputs.tf
create mode 100644 azure_firewall/firewall_policy_rcg/provider.tf
create mode 100644 azure_firewall/firewall_policy_rcg/variables-firewall-policy.tf
create mode 100644 azure_firewall/firewall_policy_rcg/variables-fwpolicy-rcg.tf
create mode 100644 azure_firewall/firewall_policy_rcg/variables.tf
create mode 100644 azure_private_dns/private_dns_resolver/README.md
create mode 100644 azure_private_dns/private_dns_resolver/data.tf
create mode 100644 azure_private_dns/private_dns_resolver/locals.tf
create mode 100644 azure_private_dns/private_dns_resolver/outputs.tf
create mode 100644 azure_private_dns/private_dns_resolver/private_dns_resolver.tf
create mode 100644 azure_private_dns/private_dns_resolver/private_dns_resolver_dns_forwarding_ruleset.tf
create mode 100644 azure_private_dns/private_dns_resolver/private_dns_resolver_forwarding_rule.tf
create mode 100644 azure_private_dns/private_dns_resolver/private_dns_resolver_inbound_endpoint.tf
create mode 100644 azure_private_dns/private_dns_resolver/private_dns_resolver_outbound_endpoint.tf
create mode 100644 azure_private_dns/private_dns_resolver/provider.tf
create mode 100644 azure_private_dns/private_dns_resolver/variables-private-dns-resolver.tf
create mode 100644 azure_private_dns/private_dns_resolver/variables.tf
create mode 100644 azure_private_dns/virtual_network/README.md
create mode 100644 azure_private_dns/virtual_network/data.tf
create mode 100644 azure_private_dns/virtual_network/ipam.tf
create mode 100644 azure_private_dns/virtual_network/locals.tf
create mode 100644 azure_private_dns/virtual_network/main.tf
create mode 100644 azure_private_dns/virtual_network/outputs.tf
create mode 100644 azure_private_dns/virtual_network/provider.tf
create mode 100644 azure_private_dns/virtual_network/variables.tf
create mode 100644 azure_private_dns/virtual_network/vhub_connection.tf
create mode 100644
azure_private_dns/virtual_network/vnet.tf
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
new file mode 100644
index 0000000..fc6d90c
--- /dev/null
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,21 @@
+repos:
+- repo: https://github.com/pre-commit/pre-commit-hooks
+ rev: v4.6.0
+ hooks:
+ - id: trailing-whitespace
+ - id: end-of-file-fixer
+ - id: mixed-line-ending
+ - id: check-yaml
+ - id: check-json
+ - id: check-added-large-files
+ - id: check-shebang-scripts-are-executable
+- repo: https://github.com/antonbabenko/pre-commit-terraform
+ rev: v1.92.0 # Get the latest from: https://github.com/antonbabenko/pre-commit-terraform/releases
+ hooks:
+ - id: terraform_fmt
+ args:
+ - --args=-recursive
+ - id: terraform_docs
+ args:
+ - --hook-config=--add-to-existing-file=true # Boolean. true or false
+ - --hook-config=--create-file-if-not-exist=true # Boolean. true or false
diff --git a/azure_firewall/firewall_policy_rcg/README.md b/azure_firewall/firewall_policy_rcg/README.md
new file mode 100644
index 0000000..51639e3
--- /dev/null
+++ b/azure_firewall/firewall_policy_rcg/README.md
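Review bot: Both hook repositories are pinned by tag (`rev: v4.6.0`, `rev: v1.92.0`), and tags are mutable references; since `terraform_docs` rewrites README files on every commit, pinning `rev` to the full commit SHA of each release (with the tag kept in a trailing comment, e.g. `rev: <RELEASE_COMMIT_SHA> # v1.92.0`) removes that supply-chain lever. The `# Get the latest from:` comment reads as an invitation to bump the ref ad hoc; a short note that version bumps go through review, and that `terraform_docs` output should be checked into the same PR that changed the module, would set expectations for contributors.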
@@ -0,0 +1,44 @@
+# firewall_policy_rcg
+
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| [terraform](#requirement\_terraform) | >=1.8.0, < 2.0.0 |
+| [azurerm](#requirement\_azurerm) | >=3.112.0, < 4.0.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [azurerm](#provider\_azurerm) | >=3.112.0, < 4.0.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [azurerm_firewall_policy_rule_collection_group.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/firewall_policy_rule_collection_group) | resource |
+| [azurerm_client_config.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/client_config) | data source |
+| [azurerm_firewall_policy.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/firewall_policy) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [firewall\_policy\_name](#input\_firewall\_policy\_name) | The name of the Azure Firewall Policy. | `string` | n/a | yes |
+| [firewall\_policy\_resource\_group\_name](#input\_firewall\_policy\_resource\_group\_name) | The name of the resource group in which the Azure Firewall Policy exists. | `string` | n/a | yes |
+| [firewall\_policy\_rule\_collection\_group](#input\_firewall\_policy\_rule\_collection\_group) | The Azure Firewall Policy Rule Collection Group. |
list(object({
name = string
priority = number

application_rule_collection = optional(list(object({
name = string
action = string
priority = number
rule = list(object({
name = string
description = optional(string)
protocols = optional(list(object({
type = string
port = number
})))
http_headers = optional(list(object({
name = string
value = string
})))
source_addresses = optional(list(string))
source_ip_groups = optional(list(string))
destination_addresses = optional(list(string))
destination_urls = optional(list(string))
destination_fqdns = optional(list(string))
destination_fqdn_tags = optional(list(string))
terminate_tls = optional(bool)
web_categories = optional(list(string))
}))
})))

network_rule_collection = optional(list(object({
name = string
action = string
priority = number

rule = list(object({
name = string
description = optional(string)
protocols = optional(list(string))
destination_ports = list(string)
source_addresses = optional(list(string))
source_ip_groups = optional(list(string))
destination_addresses = optional(list(string))
destination_ip_groups = optional(list(string))
destination_fqdns = optional(list(string))
}))
})))

nat_rule_collection = optional(list(object({
name = string
action = string
priority = number

rule = object({
name = string
description = optional(string)
protocols = list(string)
source_addresses = optional(list(string))
source_ip_groups = optional(list(string))
destination_address = optional(string)
destination_ports = optional(list(string))
translated_address = optional(string)
translated_fqdn = optional(string)
translated_port = string
})
})))
}))
| `[]` | no |
+| [subscription\_id\_connectivity](#input\_subscription\_id\_connectivity) | Subscription ID to use for "connectivity" resources. | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [firewall\_policy\_id](#output\_firewall\_policy\_id) | n/a |
+| [firewall\_policy\_rule\_collection\_group](#output\_firewall\_policy\_rule\_collection\_group) | n/a |
+
diff --git a/azure_firewall/firewall_policy_rcg/data.tf b/azure_firewall/firewall_policy_rcg/data.tf
new file mode 100644
index 0000000..4d2447d
--- /dev/null
+++ b/azure_firewall/firewall_policy_rcg/data.tf
@@ -0,0 +1,7 @@
+# Get the current client configuration from the AzureRM provider
+data "azurerm_client_config" "current" {}
+
+data "azurerm_firewall_policy" "this" {
+ name = var.firewall_policy_name
+ resource_group_name = var.firewall_policy_resource_group_name
+}
diff --git a/azure_firewall/firewall_policy_rcg/locals.tf b/azure_firewall/firewall_policy_rcg/locals.tf
new file mode 100644
index 0000000..e69de29
diff --git a/azure_firewall/firewall_policy_rcg/main.tf b/azure_firewall/firewall_policy_rcg/main.tf
new file mode 100644
index 0000000..a6f5998
--- /dev/null
+++ b/azure_firewall/firewall_policy_rcg/main.tf
@@ -0,0 +1,110 @@
+resource "azurerm_firewall_policy_rule_collection_group" "this" {
+ for_each = {
+ for group in var.firewall_policy_rule_collection_group : group.name => group
+ }
+
+ name = each.value.name
+ firewall_policy_id = data.azurerm_firewall_policy.this.id
+ priority = each.value.priority
+
+ dynamic "application_rule_collection" {
+ for_each = each.value.application_rule_collection != null ? {
+ for application_rule_collection in each.value.application_rule_collection : application_rule_collection.name => application_rule_collection
+ } : {}
+
+ content {
+ name = application_rule_collection.value.name
+ action = application_rule_collection.value.action
+ priority = application_rule_collection.value.priority
+
+ dynamic "rule" {
+ for_each = application_rule_collection.value.rule
+
+ content {
+ name = each.value.name
+ description = lookup(rule.value, "description", null)
+
+ dynamic "protocols" {
+ for_each = rule.value.protocols
+
+ content {
+ type = lookup(protocols.value, "type", "Https")
+ port = lookup(protocols.value, "port", 0)
+ }
+ }
+
+ dynamic "http_headers" {
+ for_each = rule.value.http_headers != null ? [rule.value.http_headers] : []
+
+ content {
+ name = lookup(http_headers.value, "name", null)
+ value = lookup(http_headers.value, "value", null)
+ }
+ }
+
+ source_addresses = lookup(rule.value, "source_addresses", null)
+ source_ip_groups = lookup(rule.value, "source_ip_groups", null)
+ destination_addresses = lookup(rule.value, "destination_addresses", null)
+ destination_urls = lookup(rule.value, "destination_urls", null)
+ destination_fqdns = lookup(rule.value, "destination_fqdns", null)
+ destination_fqdn_tags = lookup(rule.value, "destination_fqdn_tags", null)
+ terminate_tls = lookup(rule.value, "terminate_tls", null)
+ web_categories = lookup(rule.value, "web_categories", null)
+ }
+ }
+ }
+ }
+
+ dynamic "network_rule_collection" {
+ for_each = each.value.network_rule_collection != null ?
{
+ for network_rule_collection in each.value.network_rule_collection : network_rule_collection.name => network_rule_collection
+ } : {}
+
+ content {
+ name = lookup(network_rule_collection.value, "name")
+ action = lookup(network_rule_collection.value, "action", "Deny")
+ priority = lookup(network_rule_collection.value, "priority", 100)
+
+ dynamic "rule" {
+ for_each = network_rule_collection.value.rule
+
+ content {
+ name = lookup(rule.value, "name")
+ description = lookup(rule.value, "description", null)
+ protocols = lookup(rule.value, "protocols", ["Any"])
+ destination_ports = lookup(rule.value, "destination_ports", ["*"])
+ source_addresses = lookup(rule.value, "source_addresses", [])
+ source_ip_groups = lookup(rule.value, "source_ip_groups", [])
+ destination_addresses = lookup(rule.value, "destination_addresses", [])
+ destination_ip_groups = lookup(rule.value, "destination_ip_groups", [])
+ destination_fqdns = lookup(rule.value, "destination_fqdns", [])
+ }
+ }
+ }
+ }
+
+ dynamic "nat_rule_collection" {
+ for_each = each.value.nat_rule_collection != null ?
{
+ for nat_rule_collection in each.value.nat_rule_collection : nat_rule_collection.name => nat_rule_collection
+ } : {}
+
+ content {
+ name = nat_rule_collection.value.name
+ action = nat_rule_collection.value.action
+ priority = nat_rule_collection.value.priority
+
+ rule {
+ name = nat_rule_collection.value.rule.name
+ description = nat_rule_collection.value.rule.description
+ protocols = nat_rule_collection.value.rule.protocols
+ source_addresses = nat_rule_collection.value.rule.source_addresses
+ source_ip_groups = nat_rule_collection.value.rule.source_ip_groups
+ destination_address = nat_rule_collection.value.rule.destination_address
+ destination_ports = nat_rule_collection.value.rule.destination_ports
+ translated_address = nat_rule_collection.value.rule.translated_address
+ translated_fqdn = nat_rule_collection.value.rule.translated_fqdn
+ translated_port = nat_rule_collection.value.rule.translated_port
+ }
+ }
+ }
+}
diff --git a/azure_firewall/firewall_policy_rcg/outputs.tf b/azure_firewall/firewall_policy_rcg/outputs.tf
new file mode 100644
index 0000000..b9351c1
--- /dev/null
+++ b/azure_firewall/firewall_policy_rcg/outputs.tf
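Review bot: Inside the application rule collection's `dynamic "rule"` content, `name = each.value.name` refers to the resource-level `for_each` (the rule collection group), so every application rule is created with the group's name instead of its own; it should read `rule.value.name`. Two further evaluation errors sit in the same content block: `for_each = rule.value.protocols` receives null when that `optional()` attribute is omitted, which a dynamic block rejects, and `[rule.value.http_headers]` wraps an attribute that is already a list in another list, so `http_headers.value` is the whole list and the `lookup()` calls on it fail. The `lookup(..., default)` pattern used throughout — `lookup(rule.value, "protocols", ["Any"])`, `lookup(rule.value, "destination_ports", ["*"])`, the `"Deny"`/`100` defaults on the network rule collection, `"Https"`/`0` on protocols — never applies those defaults, because the values are typed objects whose `optional()` attributes are present with value null, so `lookup` finds the key and returns null; for the security-relevant ones (`protocols`, `destination_ports`, `action`) it is better to read the attribute directly and let a missing value fail the plan than to have a firewall rule silently default to `Any`/`*`. The rewritten application rule content is below; the network and NAT collections need only the direct-attribute change.
```terraform
# … unchanged: resource header, group for_each, application_rule_collection for_each/content header …
        content {
          # rule.value, not each.value: each.value is the enclosing rule collection group
          name        = rule.value.name
          description = rule.value.description

          dynamic "protocols" {
            # optional() attributes arrive as null, which dynamic for_each rejects
            for_each = rule.value.protocols != null ? rule.value.protocols : []

            content {
              type = protocols.value.type
              port = protocols.value.port
            }
          }

          dynamic "http_headers" {
            # http_headers is already a list; iterate it directly
            for_each = rule.value.http_headers != null ? rule.value.http_headers : []

            content {
              name  = http_headers.value.name
              value = http_headers.value.value
            }
          }
          # … unchanged: source_addresses … web_categories …
```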
@@ -0,0 +1,59 @@
+output "firewall_policy_id" {
+ value = data.azurerm_firewall_policy.this.id
+}
+
+output "firewall_policy_rule_collection_group" {
+ value = {
+ for idx, group in azurerm_firewall_policy_rule_collection_group.this : idx => {
+ name = group.name
+ priority = group.priority
+
+ application_rule_collection = [
+ for arc in group.application_rule_collection : {
+ name = arc.name
+ action = arc.action
+ priority = arc.priority
+
+ rule = [
+ for r in arc.rule : {
+ name = r.name
+ description = r.description
+ protocols = r.protocols
+ http_headers = r.http_headers
+ source_addresses = r.source_addresses
+ source_ip_groups = r.source_ip_groups
+ destination_addresses = r.destination_addresses
+ destination_urls = r.destination_urls
+ destination_fqdns = r.destination_fqdns
+ destination_fqdn_tags = r.destination_fqdn_tags
+ terminate_tls = r.terminate_tls
+ web_categories = r.web_categories
+ }
+ ]
+ }
+ ]
+
+ network_rule_collection = [
+ for nrc in group.network_rule_collection : {
+ name = nrc.name
+ action = nrc.action
+ priority = nrc.priority
+
+ rule = [
+ for r in nrc.rule : {
+ name = r.name
+ description = r.description
+ protocols = r.protocols
+ destination_ports = r.destination_ports
+ source_addresses = r.source_addresses
+ source_ip_groups = r.source_ip_groups
+ destination_addresses = r.destination_addresses
+ destination_ip_groups = r.destination_ip_groups
+ destination_fqdns = r.destination_fqdns
+ }
+ ]
+ }
+ ]
+ }
+ }
+}
diff --git a/azure_firewall/firewall_policy_rcg/provider.tf b/azure_firewall/firewall_policy_rcg/provider.tf
new file mode 100644
index 0000000..60aedf2
--- /dev/null
+++ b/azure_firewall/firewall_policy_rcg/provider.tf
@@ -0,0 +1,17 @@
+terraform {
+ required_version = ">=1.8.0, < 2.0.0"
+
+ required_providers {
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = ">=3.112.0, < 4.0.0"
+ }
+ }
+}
+
+provider "azurerm" {
+ use_oidc = true
+ features {}
+
+ subscription_id = var.subscription_id_connectivity
+}
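Review bot: The `firewall_policy_rule_collection_group` output mirrors the application and network rule collections but omits `nat_rule_collection`, so anything consuming this output to audit the policy will not see the DNAT rules that main.tf in this commit creates; add a parallel `nat_rule_collection = [ for nat in group.nat_rule_collection : { … } ]` entry covering the same fields the resource sets, or state in a `description` that the output is intentionally partial. Both outputs also lack a `description`, which is why the generated README in this commit shows `n/a` for them; `description = "ID of the Firewall Policy the rule collection groups were attached to."` and `description = "Rule collection groups as created, keyed by group name."` would fill those in.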
diff --git a/azure_firewall/firewall_policy_rcg/variables-firewall-policy.tf b/azure_firewall/firewall_policy_rcg/variables-firewall-policy.tf
new file mode 100644
index 0000000..3cbfa9a
--- /dev/null
+++ b/azure_firewall/firewall_policy_rcg/variables-firewall-policy.tf
@@ -0,0 +1,9 @@
+variable "firewall_policy_name" {
+ description = "The name of the Azure Firewall Policy."
+ type = string
+}
+
+variable "firewall_policy_resource_group_name" {
+ description = "The name of the resource group in which the Azure Firewall Policy exists."
+ type = string
+}
diff --git a/azure_firewall/firewall_policy_rcg/variables-fwpolicy-rcg.tf b/azure_firewall/firewall_policy_rcg/variables-fwpolicy-rcg.tf
new file mode 100644
index 0000000..4671743
--- /dev/null
+++ b/azure_firewall/firewall_policy_rcg/variables-fwpolicy-rcg.tf
@@ -0,0 +1,72 @@ +# Firewall Policy Rule Collection Group +variable "firewall_policy_rule_collection_group" { + description = "The Azure Firewall Policy Rule Collection Group." + type = list(object({ + name = string + priority = number + + application_rule_collection = optional(list(object({ + name = string + action = string + priority = number + rule = list(object({ + name = string + description = optional(string) + protocols = optional(list(object({ + type = string + port = number + }))) + http_headers = optional(list(object({ + name = string + value = string + }))) + source_addresses = optional(list(string)) + source_ip_groups = optional(list(string)) + destination_addresses = optional(list(string)) + destination_urls = optional(list(string)) + destination_fqdns = optional(list(string)) + destination_fqdn_tags = optional(list(string)) + terminate_tls = optional(bool) + web_categories = optional(list(string)) + })) + }))) + + network_rule_collection = optional(list(object({ + name = string + action = string + priority = number + + rule = list(object({ + name = string + description = optional(string) + protocols = optional(list(string)) + destination_ports = list(string) + source_addresses = optional(list(string)) + source_ip_groups = optional(list(string)) + destination_addresses = optional(list(string)) + destination_ip_groups = optional(list(string)) + destination_fqdns = optional(list(string)) + })) + }))) + + nat_rule_collection = optional(list(object({ + name = string + action = string + priority = number + + rule = object({ + name = string + description = optional(string) + protocols = list(string) + source_addresses = optional(list(string)) + source_ip_groups = optional(list(string)) + destination_address = optional(string) + destination_ports = optional(list(string)) + translated_address = optional(string) + translated_fqdn = optional(string) + translated_port = string + }) + }))) + })) + default = [] +} 
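Review bot: Inside `nat_rule_collection` the `rule` attribute is typed as a single `object({...})`, while `application_rule_collection` and `network_rule_collection` type it as `list(object({...}))`; unless exactly one NAT rule per collection is intended, callers passing a list will be rejected at plan time, and the provider's rule is a repeatable block. `rule = list(object({` brings it in line with the other two collections. None of the `action` fields has a `validation`, so a value the provider does not accept is only caught at apply; a variable-level `validation` using `alltrue([for g in var.firewall_policy_rule_collection_group : ...])` would fail fast. The resource that consumes this variable is outside the hunk.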
diff --git a/azure_firewall/firewall_policy_rcg/variables.tf b/azure_firewall/firewall_policy_rcg/variables.tf new file mode 100644 index 0000000..d9024c6 --- /dev/null +++ b/azure_firewall/firewall_policy_rcg/variables.tf @@ -0,0 +1,4 @@ +variable "subscription_id_connectivity" { + type = string + description = "Subscription ID to use for \"connectivity\" resources." +} diff --git a/azure_private_dns/private_dns_resolver/README.md b/azure_private_dns/private_dns_resolver/README.md new file mode 100644 index 0000000..58ae755 --- /dev/null +++ b/azure_private_dns/private_dns_resolver/README.md 
@@ -0,0 +1,51 @@ +# private_dns_resolver + + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >=1.8.0, < 2.0.0 | +| [azurerm](#requirement\_azurerm) | >=3.112.0, < 4.0.0 | + +## Providers + +| Name | Version | +|------|---------| +| [azurerm](#provider\_azurerm) | >=3.112.0, < 4.0.0 | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [azurerm_private_dns_resolver.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_dns_resolver) | resource | +| [azurerm_private_dns_resolver_dns_forwarding_ruleset.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_dns_resolver_dns_forwarding_ruleset) | resource | +| [azurerm_private_dns_resolver_forwarding_rule.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_dns_resolver_forwarding_rule) | resource | +| [azurerm_private_dns_resolver_inbound_endpoint.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_dns_resolver_inbound_endpoint) | resource | +| [azurerm_private_dns_resolver_outbound_endpoint.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_dns_resolver_outbound_endpoint) | resource | +| [azurerm_client_config.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/client_config) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [location](#input\_location) | (Required) Azure region to deploy to. Changing this forces a new resource to be created. | `string` | n/a | yes | +| [private\_dns\_resolver\_name](#input\_private\_dns\_resolver\_name) | (Required) Specifies the name which should be used for this Private DNS Resolver. 
| `string` | n/a | yes | +| [resource\_group\_name](#input\_resource\_group\_name) | (Required) Specifies the name of the Resource Group where the Private DNS Resolver should exist. | `string` | n/a | yes | +| [subscription\_id\_connectivity](#input\_subscription\_id\_connectivity) | (Required) Subscription ID to use for "connectivity" resources. | `string` | n/a | yes | +| [virtual\_network\_object](#input\_virtual\_network\_object) | (Required) The Virtual Network object that is linked to the Private DNS Resolver. | `any` | n/a | yes | + +## Outputs + +| Name | Description | +|------|-------------| +| [private\_dns\_resolver](#output\_private\_dns\_resolver) | The ID of the Private DNS Resolver. | +| [private\_dns\_resolver\_dns\_forwarding\_ruleset](#output\_private\_dns\_resolver\_dns\_forwarding\_ruleset) | The ID of the Private DNS Resolver DNS Forwarding Ruleset. | +| [private\_dns\_resolver\_forwarding\_rule](#output\_private\_dns\_resolver\_forwarding\_rule) | The ID of the Private DNS Resolver Forwarding Rule. | +| [private\_dns\_resolver\_inbound\_endpoint](#output\_private\_dns\_resolver\_inbound\_endpoint) | The ID of the Private DNS Resolver Inbound Endpoint. | +| [private\_dns\_resolver\_outbound\_endpoint](#output\_private\_dns\_resolver\_outbound\_endpoint) | The ID of the Private DNS Resolver Outbound Endpoint. | + diff --git a/azure_private_dns/private_dns_resolver/data.tf b/azure_private_dns/private_dns_resolver/data.tf new file mode 100644 index 0000000..434dac2 --- /dev/null +++ b/azure_private_dns/private_dns_resolver/data.tf @@ -0,0 +1,2 @@ +# Get the current client configuration from the AzureRM provider +data "azurerm_client_config" "current" {} diff --git a/azure_private_dns/private_dns_resolver/locals.tf b/azure_private_dns/private_dns_resolver/locals.tf new file mode 100644 index 0000000..badfd31 --- /dev/null +++ b/azure_private_dns/private_dns_resolver/locals.tf 
@@ -0,0 +1,10 @@ +locals { + subnets = { + for subnet in var.virtual_network_object.subnet : subnet.name => merge( + subnet, { + first_available_ip = cidrhost(subnet.address_prefix, 4) + # This extracts the fourth IP address from the subnet address prefix, which is the first available IP address in the subnet (as Azure reserves the first three IP addresses in each subnet) + } + ) + } +} diff --git a/azure_private_dns/private_dns_resolver/outputs.tf b/azure_private_dns/private_dns_resolver/outputs.tf new file mode 100644 index 0000000..188656c --- /dev/null +++ b/azure_private_dns/private_dns_resolver/outputs.tf @@ -0,0 +1,24 @@ +output "private_dns_resolver" { + description = "The ID of the Private DNS Resolver." + value = azurerm_private_dns_resolver.this +} + +output "private_dns_resolver_inbound_endpoint" { + description = "The ID of the Private DNS Resolver Inbound Endpoint." + value = azurerm_private_dns_resolver_inbound_endpoint.this +} + +output "private_dns_resolver_outbound_endpoint" { + description = "The ID of the Private DNS Resolver Outbound Endpoint." + value = azurerm_private_dns_resolver_outbound_endpoint.this +} + +output "private_dns_resolver_dns_forwarding_ruleset" { + description = "The ID of the Private DNS Resolver DNS Forwarding Ruleset." + value = azurerm_private_dns_resolver_dns_forwarding_ruleset.this +} + +output "private_dns_resolver_forwarding_rule" { + description = "The ID of the Private DNS Resolver Forwarding Rule." + value = azurerm_private_dns_resolver_forwarding_rule.this +} diff --git a/azure_private_dns/private_dns_resolver/private_dns_resolver.tf b/azure_private_dns/private_dns_resolver/private_dns_resolver.tf new file mode 100644 index 0000000..cb0df65 --- /dev/null +++ b/azure_private_dns/private_dns_resolver/private_dns_resolver.tf 
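Review bot: The comment on `first_available_ip` is off by one relative to the code: `cidrhost(subnet.address_prefix, 4)` returns host number 4, which is the fifth address of the range, and the reason it is the first assignable one is that Azure reserves the first four addresses (network, gateway, two for Azure services) plus the last one in every subnet. Suggest `# cidrhost(..., 4) is the fifth address (.4): Azure reserves .0-.3 and the broadcast address in every subnet, so .4 is the first IP a resource can use`. Because `var.virtual_network_object` is typed `any`, nothing verifies that `.subnet[*].name`, `.address_prefix` and `.id` exist before this expression is evaluated, so a wrongly shaped input surfaces as an attribute error in `locals` rather than a variable validation message.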
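Review bot: Every `description` in outputs.tf says "The ID of ..." but every `value` is the whole resource object (`azurerm_private_dns_resolver.this`, not `azurerm_private_dns_resolver.this.id`), so the documented and actual output shapes disagree, and the README generated from these descriptions in the same patch repeats the mismatch. Either return `.id` for each, or reword to `description = "The Private DNS Resolver resource object."` and so on. If callers only need the inbound endpoint address, a dedicated `output "inbound_endpoint_ip"` would be a smaller surface than the full object.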
@@ -0,0 +1,6 @@ +resource "azurerm_private_dns_resolver" "this" { + name = var.private_dns_resolver_name + resource_group_name = var.resource_group_name + location = var.location + virtual_network_id = var.virtual_network_object.id +} diff --git a/azure_private_dns/private_dns_resolver/private_dns_resolver_dns_forwarding_ruleset.tf b/azure_private_dns/private_dns_resolver/private_dns_resolver_dns_forwarding_ruleset.tf new file mode 100644 index 0000000..9a66e9a --- /dev/null +++ b/azure_private_dns/private_dns_resolver/private_dns_resolver_dns_forwarding_ruleset.tf @@ -0,0 +1,8 @@ +resource "azurerm_private_dns_resolver_dns_forwarding_ruleset" "this" { + name = "${var.private_dns_resolver_name}-dns-forwarding-ruleset" + resource_group_name = var.resource_group_name + location = var.location + private_dns_resolver_outbound_endpoint_ids = [ + azurerm_private_dns_resolver_outbound_endpoint.this.id + ] +} diff --git a/azure_private_dns/private_dns_resolver/private_dns_resolver_forwarding_rule.tf b/azure_private_dns/private_dns_resolver/private_dns_resolver_forwarding_rule.tf new file mode 100644 index 0000000..dd90034 --- /dev/null +++ b/azure_private_dns/private_dns_resolver/private_dns_resolver_forwarding_rule.tf @@ -0,0 +1,20 @@ +resource "azurerm_private_dns_resolver_forwarding_rule" "this" { + name = "privatedns-rule" + dns_forwarding_ruleset_id = azurerm_private_dns_resolver_dns_forwarding_ruleset.this.id + domain_name = "gov.bc.ca." + enabled = true + + target_dns_servers { + ip_address = "142.34.50.52" # On-premises DNS server IP address + port = 53 + } + + target_dns_servers { + ip_address = "142.34.208.8" # On-premises DNS server IP address + port = 53 + } + + # metadata = { + # key = "value" + # } +} diff --git a/azure_private_dns/private_dns_resolver/private_dns_resolver_inbound_endpoint.tf b/azure_private_dns/private_dns_resolver/private_dns_resolver_inbound_endpoint.tf new file mode 100644 index 0000000..bb97e45 --- /dev/null 
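Review bot: The forwarding rule hard-codes the rule name, the domain `gov.bc.ca.` and two on-premises resolver addresses, whereas every other value in this module comes from a variable; these are environment-specific and, because they decide where queries for that domain are sent, they should be declared in a `variable "dns_forwarding_rules"` (a list of `{ domain_name, target_dns_servers = list(object({ ip_address = string, port = number })) }`) so they are reviewable in tfvars and can differ per environment without code edits. The commented-out `metadata` block is dead code; either drop it or expose `metadata` as an optional map variable.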
+++ b/azure_private_dns/private_dns_resolver/private_dns_resolver_inbound_endpoint.tf @@ -0,0 +1,11 @@ +resource "azurerm_private_dns_resolver_inbound_endpoint" "this" { + name = "${var.private_dns_resolver_name}-inbound-endpoint" + private_dns_resolver_id = azurerm_private_dns_resolver.this.id + location = azurerm_private_dns_resolver.this.location + + ip_configurations { + subnet_id = local.subnets["inbound_endpoint"].id + private_ip_address = local.subnets["inbound_endpoint"].first_available_ip + private_ip_allocation_method = "Static" + } +} diff --git a/azure_private_dns/private_dns_resolver/private_dns_resolver_outbound_endpoint.tf b/azure_private_dns/private_dns_resolver/private_dns_resolver_outbound_endpoint.tf new file mode 100644 index 0000000..7abf8c6 --- /dev/null +++ b/azure_private_dns/private_dns_resolver/private_dns_resolver_outbound_endpoint.tf @@ -0,0 +1,7 @@ +resource "azurerm_private_dns_resolver_outbound_endpoint" "this" { + name = "${var.private_dns_resolver_name}-outbound-endpoint" + private_dns_resolver_id = azurerm_private_dns_resolver.this.id + location = azurerm_private_dns_resolver.this.location + + subnet_id = local.subnets["outbound_endpoint"].id +} diff --git a/azure_private_dns/private_dns_resolver/provider.tf b/azure_private_dns/private_dns_resolver/provider.tf new file mode 100644 index 0000000..60aedf2 --- /dev/null +++ b/azure_private_dns/private_dns_resolver/provider.tf @@ -0,0 +1,17 @@ +terraform { + required_version = ">=1.8.0, < 2.0.0" + + required_providers { + azurerm = { + source = "hashicorp/azurerm" + version = ">=3.112.0, < 4.0.0" + } + } +} + +provider "azurerm" { + use_oidc = true + features {} + + subscription_id = var.subscription_id_connectivity +} diff --git a/azure_private_dns/private_dns_resolver/variables-private-dns-resolver.tf b/azure_private_dns/private_dns_resolver/variables-private-dns-resolver.tf new file mode 100644 index 0000000..19ad304 --- /dev/null 
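Review bot: `local.subnets["inbound_endpoint"]` here, and `local.subnets["outbound_endpoint"]` in the outbound endpoint hunk on the same line, couple this module to subnet names chosen in a different root module (virtual_network/vnet.tf); if the VNet is built with other names the lookup fails at plan with an opaque "invalid index" error. A `lifecycle { precondition { condition = contains(keys(local.subnets), "inbound_endpoint") ... } }` on each endpoint, or a `validation` on `virtual_network_object`, would make that contract explicit. Pinning the inbound endpoint to `first_available_ip` with `Static` allocation is the right call, since that address is what firewall and clients will be configured to query; a comment saying so would explain why it is not left dynamic.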
+++ b/azure_private_dns/private_dns_resolver/variables-private-dns-resolver.tf @@ -0,0 +1,14 @@ +variable "private_dns_resolver_name" { + description = "(Required) Specifies the name which should be used for this Private DNS Resolver." + type = string +} + +variable "resource_group_name" { + description = "(Required) Specifies the name of the Resource Group where the Private DNS Resolver should exist." + type = string +} + +variable "virtual_network_object" { + description = "(Required) The Virtual Network object that is linked to the Private DNS Resolver." + type = any +} diff --git a/azure_private_dns/private_dns_resolver/variables.tf b/azure_private_dns/private_dns_resolver/variables.tf new file mode 100644 index 0000000..96227ff --- /dev/null +++ b/azure_private_dns/private_dns_resolver/variables.tf @@ -0,0 +1,15 @@ +# // MARK: Common Variables +variable "location" { + description = "(Required) Azure region to deploy to. Changing this forces a new resource to be created." + type = string + + validation { + condition = contains(["Canada Central", "canadacentral", "Canada East", "canadaeast"], var.location) + error_message = "ERROR: Only Canadian Azure Regions are allowed! Valid values for the variable \"location\" are: \"canadaeast\",\"canadacentral\"." + } +} + +variable "subscription_id_connectivity" { + description = "(Required) Subscription ID to use for \"connectivity\" resources." + type = string +} diff --git a/azure_private_dns/virtual_network/README.md b/azure_private_dns/virtual_network/README.md new file mode 100644 index 0000000..443948e --- /dev/null +++ b/azure_private_dns/virtual_network/README.md 
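Review bot: `virtual_network_object` is typed `any`, which removes every plan-time check on the one input this module dereferences most (locals.tf reads `.subnet[*].name`, `.address_prefix` and `.id`, private_dns_resolver.tf reads `.id`). Declaring `type = object({ id = string, subnet = list(object({ id = string, name = string, address_prefix = string })) })` documents exactly what is consumed and turns a malformed input into a variable error with a clear message. If the full object is passed on purpose so other attributes stay available, a comment saying which attributes are actually used would help the next maintainer.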
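Review bot: The `location` validation's `error_message` lists only `canadaeast` and `canadacentral` as valid, while the `condition` also accepts "Canada Central" and "Canada East", so the message a user sees on failure contradicts what the check accepts; the same block is duplicated verbatim in virtual_network/variables.tf in this patch. Either restrict the condition to the two lowercase values (what the message says) or extend the message; `condition = contains(["canadacentral", "canadaeast"], lower(replace(var.location, " ", "")))` would accept all four spellings and keep the message accurate.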
@@ -0,0 +1,59 @@ +# virtual_network + + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >=1.8.0, < 2.0.0 | +| [azapi](#requirement\_azapi) | ~> 1.13 | +| [azureipam](#requirement\_azureipam) | 1.0.1 | +| [azurerm](#requirement\_azurerm) | >=3.112.0, < 4.0.0 | + +## Providers + +| Name | Version | +|------|---------| +| [azureipam](#provider\_azureipam) | 1.0.1 | +| [azurerm](#provider\_azurerm) | >=3.112.0, < 4.0.0 | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [azureipam_reservation.private_dns_resolver](https://registry.terraform.io/providers/XtratusCloud/azureipam/1.0.1/docs/resources/reservation) | resource | +| [azurerm_network_security_group.inbound_endpoint](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_security_group) | resource | +| [azurerm_network_security_group.outbound_endpoint](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_security_group) | resource | +| [azurerm_resource_group.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource | +| [azurerm_virtual_hub_connection.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_hub_connection) | resource | +| [azurerm_virtual_network.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_network) | resource | +| [azurerm_client_config.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/client_config) | data source | +| [azurerm_virtual_hub.vwan_hub](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/virtual_hub) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [IPAM\_TOKEN](#input\_IPAM\_TOKEN) | (Required) The IPAM token to use for IP address 
management. | `string` | n/a | yes | +| [firewall\_private\_ip\_address](#input\_firewall\_private\_ip\_address) | (Required) Private IP address of the Azure Firewall to connect to. | `list(string)` | n/a | yes | +| [location](#input\_location) | (Required) Azure region to deploy to. Changing this forces a new resource to be created. | `string` | n/a | yes | +| [private\_dns\_resolver\_virtual\_network\_name](#input\_private\_dns\_resolver\_virtual\_network\_name) | (Required) Name of the Virtual Network to deploy the Private DNS Resolver into. | `string` | n/a | yes | +| [private\_dns\_resource\_group\_name](#input\_private\_dns\_resource\_group\_name) | (Required) Name of the Resource Group to deploy the Private DNS Resolver into. | `string` | n/a | yes | +| [subscription\_id\_connectivity](#input\_subscription\_id\_connectivity) | (Required) Subscription ID to use for "connectivity" resources. | `string` | n/a | yes | +| [virtual\_wan\_hub\_name](#input\_virtual\_wan\_hub\_name) | (Required) Name of the Virtual WAN Hub to connect to. | `string` | n/a | yes | +| [virtual\_wan\_hub\_resource\_group](#input\_virtual\_wan\_hub\_resource\_group) | (Required) Resource Group of the Virtual WAN hub. | `string` | n/a | yes | + +## Outputs + +| Name | Description | +|------|-------------| +| [private\_dns\_resolver\_cidr](#output\_private\_dns\_resolver\_cidr) | The CIDR block of the Private DNS Resolver | +| [resource\_group\_name](#output\_resource\_group\_name) | The Private DNS Resolver resource group name | +| [virtual\_hub\_connection](#output\_virtual\_hub\_connection) | The Private DNS Resolver virtual hub connection object | +| [virtual\_network](#output\_virtual\_network) | The Private DNS Resolver virtual network object | +| [virtual\_network\_id](#output\_virtual\_network\_id) | The Private DNS Resolver virtual network ID | + 
diff --git a/azure_private_dns/virtual_network/data.tf b/azure_private_dns/virtual_network/data.tf new file mode 100644 index 0000000..cee6b03 --- /dev/null +++ b/azure_private_dns/virtual_network/data.tf @@ -0,0 +1,8 @@ +# Get the current client configuration from the AzureRM provider +data "azurerm_client_config" "current" {} + +# NOTE: Data lookup for vWAN is used to get the address_prefix for the vWAN Hub, create a security rule for the vWAN Hub, and create a vHub connection +data "azurerm_virtual_hub" "vwan_hub" { + name = var.virtual_wan_hub_name + resource_group_name = var.virtual_wan_hub_resource_group +} diff --git a/azure_private_dns/virtual_network/ipam.tf b/azure_private_dns/virtual_network/ipam.tf new file mode 100644 index 0000000..0ee67cb --- /dev/null +++ b/azure_private_dns/virtual_network/ipam.tf @@ -0,0 +1,6 @@ +resource "azureipam_reservation" "private_dns_resolver" { + space = "bcgov-managed-lz-forge" + block = "bcgov-managed-lz-forge" + size = 23 # NOTE: Two /24 subnets are required for the Azure Private DNS Resolvers (https://learn.microsoft.com/en-us/azure/dns/dns-private-resolver-overview#virtual-network-restrictions) + description = "Azure Private DNS Resolvers" +} diff --git a/azure_private_dns/virtual_network/locals.tf b/azure_private_dns/virtual_network/locals.tf new file mode 100644 index 0000000..d555d86 --- /dev/null +++ b/azure_private_dns/virtual_network/locals.tf @@ -0,0 +1,3 @@ +locals { + +} diff --git a/azure_private_dns/virtual_network/main.tf b/azure_private_dns/virtual_network/main.tf new file mode 100644 index 0000000..64f2187 --- /dev/null +++ b/azure_private_dns/virtual_network/main.tf @@ -0,0 +1,4 @@ +resource "azurerm_resource_group" "this" { + name = var.private_dns_resource_group_name + location = var.location +} diff --git a/azure_private_dns/virtual_network/outputs.tf b/azure_private_dns/virtual_network/outputs.tf new file mode 100644 index 0000000..e711038 --- /dev/null 
+++ b/azure_private_dns/virtual_network/outputs.tf @@ -0,0 +1,24 @@ +output "private_dns_resolver_cidr" { + description = "The CIDR block of the Private DNS Resolver" + value = azureipam_reservation.private_dns_resolver.cidr +} + +output "virtual_network" { + description = "The Private DNS Resolver virtual network object" + value = azurerm_virtual_network.this +} + +output "virtual_network_id" { + description = "The Private DNS Resolver virtual network ID" + value = azurerm_virtual_network.this.id +} + +output "virtual_hub_connection" { + description = "The Private DNS Resolver virtual hub connection object" + value = azurerm_virtual_hub_connection.this +} + +output "resource_group_name" { + description = "The Private DNS Resolver resource group name" + value = azurerm_resource_group.this.name +} diff --git a/azure_private_dns/virtual_network/provider.tf b/azure_private_dns/virtual_network/provider.tf new file mode 100644 index 0000000..7a107e4 --- /dev/null +++ b/azure_private_dns/virtual_network/provider.tf @@ -0,0 +1,36 @@ +terraform { + required_version = ">=1.8.0, < 2.0.0" + + required_providers { + azurerm = { + source = "hashicorp/azurerm" + version = ">=3.112.0, < 4.0.0" + } + + azapi = { + source = "azure/azapi" + version = "~> 1.13" + } + + azureipam = { + source = "XtratusCloud/azureipam" + version = "1.0.1" + } + } +} + +provider "azurerm" { + use_oidc = true + features {} + + subscription_id = var.subscription_id_connectivity +} + +provider "azapi" { + skip_provider_registration = false +} + +provider "azureipam" { + api_url = "https://ipam-forge.azurewebsites.net" + token = var.IPAM_TOKEN +} diff --git a/azure_private_dns/virtual_network/variables.tf b/azure_private_dns/virtual_network/variables.tf new file mode 100644 index 0000000..710b891 --- /dev/null +++ b/azure_private_dns/virtual_network/variables.tf 
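Review bot: The `azapi` provider is required and configured in provider.tf but no file in this module uses it, and the README generated in the same patch lists only `azureipam` and `azurerm` under Providers, which confirms it is unused. An unused provider still has to be downloaded, trust-pinned and kept patched, so either remove the `azapi` requirement and `provider "azapi"` block or add a comment naming the resource it is reserved for. `skip_provider_registration = false` is the provider default and can go with it.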
@@ -0,0 +1,47 @@ +variable "IPAM_TOKEN" { + description = "(Required) The IPAM token to use for IP address management." + type = string + sensitive = true + # az account get-access-token --resource api://8b672441-25f3-4a33-8336-d853c466a782 + # For local testing, add the IPAM token to an environment variable using: export TF_VAR_IPAM_TOKEN="" +} + +variable "subscription_id_connectivity" { + description = "(Required) Subscription ID to use for \"connectivity\" resources." + type = string +} + +variable "location" { + description = "(Required) Azure region to deploy to. Changing this forces a new resource to be created." + type = string + + validation { + condition = contains(["Canada Central", "canadacentral", "Canada East", "canadaeast"], var.location) + error_message = "ERROR: Only Canadian Azure Regions are allowed! Valid values for the variable \"location\" are: \"canadaeast\",\"canadacentral\"." + } +} + +variable "private_dns_resource_group_name" { + description = "(Required) Name of the Resource Group to deploy the Private DNS Resolver into." + type = string +} + +variable "virtual_wan_hub_name" { + description = "(Required) Name of the Virtual WAN Hub to connect to." + type = string +} + +variable "virtual_wan_hub_resource_group" { + description = "(Required) Resource Group of the Virtual WAN hub." + type = string +} + +variable "firewall_private_ip_address" { + description = "(Required) Private IP address of the Azure Firewall to connect to." + type = list(string) +} + +variable "private_dns_resolver_virtual_network_name" { + description = "(Required) Name of the Virtual Network to deploy the Private DNS Resolver into." + type = string +} diff --git a/azure_private_dns/virtual_network/vhub_connection.tf b/azure_private_dns/virtual_network/vhub_connection.tf new file mode 100644 index 0000000..ff401ee --- /dev/null +++ b/azure_private_dns/virtual_network/vhub_connection.tf 
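Review bot: `firewall_private_ip_address` is described as "Private IP address of the Azure Firewall" (singular) but typed `list(string)` and fed straight into the VNet's `dns_servers`, so the description understates what callers may pass and nothing checks the values are addresses. `description = "(Required) Private IP address(es) of the Azure Firewall used as DNS servers for this VNet."` plus a `validation` with `alltrue([for ip in var.firewall_private_ip_address : can(cidrhost("${ip}/32", 0))])` would catch a stray hostname or CIDR at plan time. The `IPAM_TOKEN` variable is correctly `sensitive`; note that the `az account get-access-token` comment documents how to obtain a bearer token for the IPAM app, so it should not be turned into a default value.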
@@ -0,0 +1,5 @@ +resource "azurerm_virtual_hub_connection" "this" { + name = "vhc-hub_to_privatedns-spoke" + virtual_hub_id = data.azurerm_virtual_hub.vwan_hub.id + remote_virtual_network_id = azurerm_virtual_network.this.id +} diff --git a/azure_private_dns/virtual_network/vnet.tf b/azure_private_dns/virtual_network/vnet.tf new file mode 100644 index 0000000..e0c4130 --- /dev/null +++ b/azure_private_dns/virtual_network/vnet.tf 
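Review bot: The hub connection sets neither `internet_security_enabled` nor a `routing` block, so the spoke inherits whatever the hub's defaults and default route table provide; given that this VNet's `dns_servers` point at the Azure Firewall (vnet.tf), the route-table association the resolver subnets are meant to have should be stated in code rather than inherited, otherwise a later hub change silently alters what the endpoints can reach. Writing out `internet_security_enabled = false` (or `true`, whichever is intended) with a one-line comment makes the decision visible in review.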
@@ -0,0 +1,75 @@ +resource "azurerm_network_security_group" "inbound_endpoint" { + name = "private_dns_inbound" + location = azurerm_resource_group.this.location + resource_group_name = azurerm_resource_group.this.name + + # Per the Microsoft documentation (https://learn.microsoft.com/en-us/azure/architecture/networking/guide/private-link-virtual-wan-dns-single-region-workload#azure-dns-private-resolver) + # The Network Security Group in the subnet for the DNS Private Resolver's inbound endpoint should only allow UDP traffic from its regional hub to port 53. You should block all other inbound and outbound traffic. + security_rule { + name = "AllowUdpFromRegionalHubVNet" + description = "Allow inbound UDP traffic from the regional hub to port 53" + priority = 110 + direction = "Inbound" + access = "Allow" + protocol = "Udp" + source_port_range = "*" + destination_port_range = "53" + source_address_prefix = data.azurerm_virtual_hub.vwan_hub.address_prefix + destination_address_prefix = "VirtualNetwork" + } + + security_rule { + name = "DenyAllInbound" + description = "Block all other inbound traffic" + priority = 115 + direction = "Inbound" + access = "Deny" + protocol = "*" + source_port_range = "*" + destination_port_range = "*" + source_address_prefix = "*" + destination_address_prefix = "*" + } + + security_rule { + name = "DenyAllOutbound" + description = "Block all other outbound traffic" + priority = 120 + direction = "Outbound" + access = "Deny" + protocol = "*" + source_port_range = "*" + destination_port_range = "*" + source_address_prefix = "*" + destination_address_prefix = "*" + } +} + +resource "azurerm_network_security_group" "outbound_endpoint" { + name = "private_dns_outbound" + location = azurerm_resource_group.this.location + resource_group_name = azurerm_resource_group.this.name +} + +resource "azurerm_virtual_network" "this" { + name = var.private_dns_resolver_virtual_network_name + location = azurerm_resource_group.this.location + 
resource_group_name = azurerm_resource_group.this.name + address_space = [ + azureipam_reservation.private_dns_resolver.cidr + ] + dns_servers = var.firewall_private_ip_address + + # NOTE: We are using the cidrsubnet() function, and offsetting the bit position by 1, since the parent CIDR is /23 (and we need to split it into two /24s) + subnet { + name = "inbound_endpoint" + address_prefix = cidrsubnet(azureipam_reservation.private_dns_resolver.cidr, 1, 0) + security_group = azurerm_network_security_group.inbound_endpoint.id + } + + subnet { + name = "outbound_endpoint" + address_prefix = cidrsubnet(azureipam_reservation.private_dns_resolver.cidr, 1, 1) + security_group = azurerm_network_security_group.outbound_endpoint.id + } +} From 118253a63bf1ed7bb69a1605d32888453c01975a Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Tue, 27 Aug 2024 18:41:13 +0000 Subject: [PATCH 04/32] terraform-docs: automated action --- azure_firewall/README.md | 25 +++++++++++++++++++++++++ azure_private_dns/README.md | 25 +++++++++++++++++++++++++ 2 files changed, 50 insertions(+) create mode 100644 azure_firewall/README.md create mode 100644 azure_private_dns/README.md diff --git a/azure_firewall/README.md b/azure_firewall/README.md new file mode 100644 index 0000000..ef2fa69 --- /dev/null +++ b/azure_firewall/README.md @@ -0,0 +1,25 @@ + +## Requirements + +No requirements. + +## Providers + +No providers. + +## Modules + +No modules. + +## Resources + +No resources. + +## Inputs + +No inputs. + +## Outputs + +No outputs. + \ No newline at end of file diff --git a/azure_private_dns/README.md b/azure_private_dns/README.md new file mode 100644 index 0000000..ef2fa69 --- /dev/null +++ b/azure_private_dns/README.md @@ -0,0 +1,25 @@ + +## Requirements + +No requirements. + +## Providers + +No providers. + +## Modules + +No modules. + +## Resources + +No resources. + +## Inputs + +No inputs. + +## Outputs + +No outputs. + \ No newline at end of file 
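Review bot: The two subnets are declared inline in `azurerm_virtual_network` with no delegation, but Private DNS Resolver inbound and outbound endpoints require their subnet to be delegated to `Microsoft.Network/dnsResolvers`, and as far as I recall the inline `subnet` block of the 3.x provider pinned in provider.tf (`< 4.0.0`) has no delegation argument; if that holds, the endpoints created by the resolver module will fail at apply. Declaring the subnets as `azurerm_subnet` resources with a `delegation` block fixes this and makes the NSG attachment an explicit association; the resolver module's `local.subnets` would then need to read the subnet resources (or the VNet's computed `subnet` attribute) rather than the inline blocks. Separately, `azurerm_network_security_group.outbound_endpoint` has no rules, so only the platform default rules govern the outbound endpoint subnet; if that is intentional a comment beside the resource would stop the asymmetry with the inbound NSG reading as an omission. The inbound allow rule follows the cited guidance for UDP/53; DNS falls back to TCP/53 for responses over the UDP size limit, so if such responses are observed the rule will need a TCP counterpart.
```hcl
resource "azurerm_subnet" "inbound_endpoint" {
  name                 = "inbound_endpoint"
  resource_group_name  = azurerm_resource_group.this.name
  virtual_network_name = azurerm_virtual_network.this.name
  address_prefixes     = [cidrsubnet(azureipam_reservation.private_dns_resolver.cidr, 1, 0)]

  # Required by Azure for DNS Private Resolver endpoint subnets
  delegation {
    name = "dnsResolvers"
    service_delegation {
      name    = "Microsoft.Network/dnsResolvers"
      actions = ["Microsoft.Network/virtualNetworks/subnets/join/action"]
    }
  }
}

resource "azurerm_subnet_network_security_group_association" "inbound_endpoint" {
  subnet_id                 = azurerm_subnet.inbound_endpoint.id
  network_security_group_id = azurerm_network_security_group.inbound_endpoint.id
}

# … outbound_endpoint subnet and association mirror the above with cidrsubnet(..., 1, 1) …
```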
From 945879bc2c443f22bc6a51bf8d856ac4f62c9d6a Mon Sep 17 00:00:00 2001 From: Adin Ermie Date: Tue, 27 Aug 2024 16:19:48 -0400 Subject: [PATCH 05/32] Added variables for environment reference --- azure_private_dns/README.md | 2 +- azure_private_dns/virtual_network/README.md | 1 + azure_private_dns/virtual_network/ipam.tf | 4 ++-- azure_private_dns/virtual_network/locals.tf | 2 +- azure_private_dns/virtual_network/provider.tf | 2 +- azure_private_dns/virtual_network/variables.tf | 10 ++++++++++ 6 files changed, 16 insertions(+), 5 deletions(-) diff --git a/azure_private_dns/README.md b/azure_private_dns/README.md index ef2fa69..d236723 100644 --- a/azure_private_dns/README.md +++ b/azure_private_dns/README.md @@ -22,4 +22,4 @@ No inputs. ## Outputs No outputs. - \ No newline at end of file + diff --git a/azure_private_dns/virtual_network/README.md b/azure_private_dns/virtual_network/README.md index 443948e..332a8c0 100644 --- a/azure_private_dns/virtual_network/README.md +++ b/azure_private_dns/virtual_network/README.md @@ -39,6 +39,7 @@ No modules. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [IPAM\_TOKEN](#input\_IPAM\_TOKEN) | (Required) The IPAM token to use for IP address management. | `string` | n/a | yes | +| [environment](#input\_environment) | This is either LIVE or FORGE. | `string` | n/a | yes | | [firewall\_private\_ip\_address](#input\_firewall\_private\_ip\_address) | (Required) Private IP address of the Azure Firewall to connect to. | `list(string)` | n/a | yes | | [location](#input\_location) | (Required) Azure region to deploy to. Changing this forces a new resource to be created. | `string` | n/a | yes | | [private\_dns\_resolver\_virtual\_network\_name](#input\_private\_dns\_resolver\_virtual\_network\_name) | (Required) Name of the Virtual Network to deploy the Private DNS Resolver into. | `string` | n/a | yes | 
diff --git a/azure_private_dns/virtual_network/ipam.tf b/azure_private_dns/virtual_network/ipam.tf index 0ee67cb..2b05f83 100644 --- a/azure_private_dns/virtual_network/ipam.tf +++ b/azure_private_dns/virtual_network/ipam.tf @@ -1,6 +1,6 @@ resource "azureipam_reservation" "private_dns_resolver" { - space = "bcgov-managed-lz-forge" - block = "bcgov-managed-lz-forge" + space = "bcgov-managed-lz-${lower(var.environment)}" + block = "bcgov-managed-lz-${lower(var.environment)}" size = 23 # NOTE: Two /24 subnets are required for the Azure Private DNS Resolvers (https://learn.microsoft.com/en-us/azure/dns/dns-private-resolver-overview#virtual-network-restrictions) description = "Azure Private DNS Resolvers" } diff --git a/azure_private_dns/virtual_network/locals.tf b/azure_private_dns/virtual_network/locals.tf index d555d86..e605460 100644 --- a/azure_private_dns/virtual_network/locals.tf +++ b/azure_private_dns/virtual_network/locals.tf @@ -1,3 +1,3 @@ locals { - + api_url = var.environment == "FORGE" ? "https://ipam-forge.azurewebsites.net" : "https://ipam-live.azurewebsites.net" } diff --git a/azure_private_dns/virtual_network/provider.tf b/azure_private_dns/virtual_network/provider.tf index 7a107e4..2b6ef80 100644 --- a/azure_private_dns/virtual_network/provider.tf +++ b/azure_private_dns/virtual_network/provider.tf @@ -31,6 +31,6 @@ provider "azapi" { } provider "azureipam" { - api_url = "https://ipam-forge.azurewebsites.net" + api_url = local.api_url token = var.IPAM_TOKEN } diff --git a/azure_private_dns/virtual_network/variables.tf b/azure_private_dns/virtual_network/variables.tf index 710b891..6abb9ad 100644 --- a/azure_private_dns/virtual_network/variables.tf +++ b/azure_private_dns/virtual_network/variables.tf 
@@ -6,6 +6,16 @@ variable "IPAM_TOKEN" { # For local testing, add the IPAM token to an environment variable using: export TF_VAR_IPAM_TOKEN="" } +variable "environment" { + description = "This is either LIVE or FORGE." + type = string + + validation { + condition = contains(["LIVE", "FORGE"], var.environment) + error_message = "ERROR: Only LIVE or FORGE are allowed for the variable \"environment\"." + } +} + variable "subscription_id_connectivity" { description = "(Required) Subscription ID to use for \"connectivity\" resources." type = string From b900cdbd28eb5721b81083eea99de0fcf6cc320b Mon Sep 17 00:00:00 2001 From: Adin Ermie Date: Fri, 6 Sep 2024 16:11:26 -0400 Subject: [PATCH 06/32] Additonal ExpressRoute code prep --- azure_express_route/README.md | 59 ++++++++++++ azure_express_route/express_route_circuit.tf | 23 +++++ .../express_route_circuit_peering.tf | 28 ++++++ .../express_route_connection.tf | 52 +++++----- azure_express_route/locals.tf | 8 ++ azure_express_route/main.tf | 41 +------- azure_express_route/outputs.tf | 27 +++++- azure_express_route/provider.tf | 2 +- .../variables-expressRoute-circuit-peering.tf | 96 +++++++------------ .../variables-expressRoute-circuit.tf | 75 ++++++--------- .../variables-expressRoute-connection.tf | 24 +++-- azure_express_route/variables.tf | 2 +- 12 files changed, 251 insertions(+), 186 deletions(-) create mode 100644 azure_express_route/express_route_circuit.tf create mode 100644 azure_express_route/express_route_circuit_peering.tf diff --git a/azure_express_route/README.md b/azure_express_route/README.md index e69de29..39b7d46 100644 --- a/azure_express_route/README.md +++ b/azure_express_route/README.md 
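Review bot: The new `environment` variable's description does not follow the `(Required) ...` convention every sibling variable in this file uses, and it does not say what the value controls, although in this commit it selects both the IPAM space/block (ipam.tf) and the IPAM API endpoint the token is sent to (locals.tf). Suggest `description = "(Required) Target environment, LIVE or FORGE; selects the IPAM space/block and the IPAM API endpoint."` so a reader understands that a wrong value routes the token to a different service.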
@@ -0,0 +1,59 @@ + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >=1.9.0, < 2.0.0 | +| [azurerm](#requirement\_azurerm) | >=3.112.0, < 4.0.0 | + +## Providers + +| Name | Version | +|------|---------| +| [azurerm](#provider\_azurerm) | 3.116.0 | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [azurerm_express_route_circuit.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/express_route_circuit) | resource | +| [azurerm_express_route_circuit_peering.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/express_route_circuit_peering) | resource | +| [azurerm_express_route_connection.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/express_route_connection) | resource | +| [azurerm_resource_group.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource | +| [azurerm_client_config.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/client_config) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [authorization\_key](#input\_authorization\_key) | (Optional) The authorization key to establish the Express Route Connection. | `string` | `null` | no | +| [circuit\_peering](#input\_circuit\_peering) | Express Route circuit peering configuration |
list(object({
peering_type = string
express_route_circuit_name = string
vlan_id = number
primary_peer_address_prefix = optional(string)
secondary_peer_address_prefix = optional(string)
ipv4_enabled = optional(bool, true)
shared_key = optional(string, null)
peer_asn = optional(number, null)
microsoft_peering_config = optional(object({
advertised_public_prefixes = list(string)
customer_asn = optional(number, 0)
routing_registry_name = optional(string, "NONE")
advertised_communities = optional(list(string))
}), null)
ipv6 = optional(object({
primary_peer_address_prefix = string
secondary_peer_address_prefix = string
enabled = optional(bool, true)
microsoft_peering = optional(object({
advertised_public_prefixes = list(string)
customer_asn = optional(number, 0)
routing_registry_name = optional(string, "NONE")
advertised_communities = optional(list(string))
}), null)
route_filter_id = optional(string, null)
}), null)
route_filter_id = optional(string, null)
}))
| `[]` | no | +| [enable\_internet\_security](#input\_enable\_internet\_security) | (Optional) Is Internet security enabled for this Express Route Connection? | `bool` | `null` | no | +| [express\_route\_circuit](#input\_express\_route\_circuit) | Express Route circuit configuration |
list(object({
express_route_circuit_name = string
location = string
sku = object({
tier = string
family = string
})
service_provider_name = optional(string, null)
peering_location = optional(string, null)
bandwidth_in_mbps = optional(number, null)
allow_classic_operations = optional(bool, false)
express_route_port_id = optional(string, null)
bandwidth_in_gbps = optional(number, null)
authorization_key = optional(string, null)
}))
| `[]` | no | +| [express\_route\_connection\_name](#input\_express\_route\_connection\_name) | (Required) The name which should be used for this Express Route Connection. | `string` | n/a | yes | +| [express\_route\_gateway\_bypass\_enabled](#input\_express\_route\_gateway\_bypass\_enabled) | (Optional) Specified whether Fast Path is enabled for Virtual Wan Firewall Hub. | `bool` | `false` | no | +| [express\_route\_gateway\_name](#input\_express\_route\_gateway\_name) | (Required) The name of the Express Route Gateway that this Express Route Connection connects with. | `string` | n/a | yes | +| [express\_route\_gateway\_resource\_group\_name](#input\_express\_route\_gateway\_resource\_group\_name) | (Required) The name of the Resource Group where the Express Route Gateway is located. | `string` | n/a | yes | +| [private\_link\_fast\_path\_enabled](#input\_private\_link\_fast\_path\_enabled) | (Optional) Bypass the Express Route gateway when accessing private-links. When enabled express\_route\_gateway\_bypass\_enabled must be set to true. | `bool` | `false` | no | +| [resource\_group\_location](#input\_resource\_group\_location) | (Required) Specifies the supported Azure location where the resource exists. | `string` | n/a | yes | +| [resource\_group\_name](#input\_resource\_group\_name) | (Required) The name of the resource group in which to create the ExpressRoute circuit. | `string` | n/a | yes | +| [routing](#input\_routing) | (Optional) A routing block as defined below. |
object({
associated_route_table_id = optional(string)
inbound_route_map_id = optional(string)
outbound_route_map_id = optional(string)
propagated_route_table = optional(object({
labels = optional(list(string))
route_table_ids = optional(list(string))
}))
})
| `null` | no | +| [routing\_weight](#input\_routing\_weight) | (Optional) The routing weight associated to the Express Route Connection. | `number` | `0` | no | +| [subscription\_id\_connectivity](#input\_subscription\_id\_connectivity) | Subscription ID to use for "connectivity" resources. | `string` | n/a | yes | +| [subscription\_id\_management](#input\_subscription\_id\_management) | Subscription ID to use for "management" resources. | `string` | n/a | yes | +| [tags](#input\_tags) | A mapping of tags to assign to the resource. | `map(string)` | `null` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [express\_route\_circuit\_id](#output\_express\_route\_circuit\_id) | The ID of the ExpressRoute Circuit. | +| [express\_route\_circuit\_peering\_id](#output\_express\_route\_circuit\_peering\_id) | The ID of the ExpressRoute Circuit Peering. | +| [express\_route\_connection\_id](#output\_express\_route\_connection\_id) | The ID of the ExpressRoute Connection. | +| [service\_key](#output\_service\_key) | The service key of the ExpressRoute Circuit. | +| [service\_provider\_provisioning\_state](#output\_service\_provider\_provisioning\_state) | The provisioning state of the ExpressRoute Circuit Service Provider. | + diff --git a/azure_express_route/express_route_circuit.tf b/azure_express_route/express_route_circuit.tf new file mode 100644 index 0000000..ada2eef --- /dev/null +++ b/azure_express_route/express_route_circuit.tf 
@@ -0,0 +1,23 @@
+resource "azurerm_express_route_circuit" "this" {
+ for_each = { for circuit in var.express_route_circuit : circuit.express_route_circuit_name => circuit }
+
+ name = each.value.express_route_circuit_name
+ resource_group_name = azurerm_resource_group.this.name
+ location = each.value.location
+
+ sku {
+ tier = each.value.sku.tier
+ family = each.value.sku.family
+ }
+
+ service_provider_name = each.value.service_provider_name
+ peering_location = each.value.peering_location
+ bandwidth_in_mbps = each.value.bandwidth_in_mbps
+ allow_classic_operations = each.value.allow_classic_operations
+
+ express_route_port_id = each.value.express_route_port_id
+ bandwidth_in_gbps = each.value.bandwidth_in_gbps
+
+ authorization_key = each.value.authorization_key
+ tags = var.tags
+}
diff --git a/azure_express_route/express_route_circuit_peering.tf b/azure_express_route/express_route_circuit_peering.tf
new file mode 100644
index 0000000..495791c
--- /dev/null
+++ b/azure_express_route/express_route_circuit_peering.tf
@@ -0,0 +1,28 @@
+resource "azurerm_express_route_circuit_peering" "this" {
+ depends_on = [azurerm_express_route_circuit.this]
+
+ for_each = { for peering in var.circuit_peering : peering.peering_type => peering }
+
+ peering_type = each.value.peering_type
+ express_route_circuit_name = each.value.express_route_circuit_name
+ resource_group_name = azurerm_resource_group.this.name
+
+ vlan_id = each.value.vlan_id
+ primary_peer_address_prefix = each.value.primary_peer_address_prefix
+ secondary_peer_address_prefix = each.value.secondary_peer_address_prefix
+ ipv4_enabled = each.value.ipv4_enabled
+
+ shared_key = each.value.shared_key
+ peer_asn = each.value.peer_asn
+ route_filter_id = each.value.route_filter_id
+
+ dynamic "microsoft_peering_config" {
+ for_each = each.value.microsoft_peering_config != null ? [each.value.microsoft_peering_config] : []
+ content {
+ advertised_public_prefixes = microsoft_peering_config.advertised_public_prefixes
+ customer_asn = microsoft_peering_config.customer_asn
+ routing_registry_name = microsoft_peering_config.routing_registry_name
+ advertised_communities = microsoft_peering_config.advertised_communities
+ }
+ }
+}
diff --git a/azure_express_route/express_route_connection.tf b/azure_express_route/express_route_connection.tf
index de215ea..e3e88b3 100644
--- a/azure_express_route/express_route_connection.tf
+++ b/azure_express_route/express_route_connection.tf
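Review bot: Inside the `dynamic "microsoft_peering_config"` block the iterator is read as `microsoft_peering_config.advertised_public_prefixes`; a dynamic block's iterator only exposes `.key` and `.value`, so all four attributes need the `.value.` prefix or the resource fails to evaluate as soon as a Microsoft peering is supplied. The `ipv6` object accepted by `var.circuit_peering` is never passed to the resource, so an IPv6 peering given by the caller is silently dropped; the variable schema mirrors the provider's `ipv6` block field for field, so wiring it is a second dynamic block. `for_each` is keyed on `peering.peering_type` alone, which collides as soon as two circuits each declare e.g. `AzurePrivatePeering`; including the circuit name in the key avoids that, and the `express_route_circuit_peering_id` local derives its own value from `var.circuit_peering[0].peering_type` rather than from this key, so it is unaffected. Assuming every peering targets a circuit created by this module, `express_route_circuit_name = azurerm_express_route_circuit.this[each.value.express_route_circuit_name].name` also turns the string-only `depends_on` into a real reference that fails fast on a typo.
```hcl
  for_each = { for peering in var.circuit_peering : "${peering.express_route_circuit_name}-${peering.peering_type}" => peering }

  peering_type               = each.value.peering_type
  express_route_circuit_name = azurerm_express_route_circuit.this[each.value.express_route_circuit_name].name
  # … unchanged: resource_group_name through route_filter_id …

  dynamic "microsoft_peering_config" {
    for_each = each.value.microsoft_peering_config != null ? [each.value.microsoft_peering_config] : []
    content {
      advertised_public_prefixes = microsoft_peering_config.value.advertised_public_prefixes
      customer_asn               = microsoft_peering_config.value.customer_asn
      routing_registry_name      = microsoft_peering_config.value.routing_registry_name
      advertised_communities     = microsoft_peering_config.value.advertised_communities
    }
  }

  dynamic "ipv6" {
    for_each = each.value.ipv6 != null ? [each.value.ipv6] : []
    content {
      primary_peer_address_prefix   = ipv6.value.primary_peer_address_prefix
      secondary_peer_address_prefix = ipv6.value.secondary_peer_address_prefix
      enabled                       = ipv6.value.enabled
      route_filter_id               = ipv6.value.route_filter_id

      dynamic "microsoft_peering" {
        for_each = ipv6.value.microsoft_peering != null ? [ipv6.value.microsoft_peering] : []
        content {
          advertised_public_prefixes = microsoft_peering.value.advertised_public_prefixes
          customer_asn               = microsoft_peering.value.customer_asn
          routing_registry_name      = microsoft_peering.value.routing_registry_name
          advertised_communities     = microsoft_peering.value.advertised_communities
        }
      }
    }
  }
```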
@@ -1,29 +1,31 @@
 
 # IMPORTANT: The provider status of the Express Route Circuit must be set as provisioned while creating the Express Route Connection.
-# resource "azurerm_express_route_connection" "this" {
-# name = var.express_route_connection_name
-# express_route_circuit_peering_id = azurerm_express_route_circuit_peering.this.id
-# express_route_gateway_id = var.express_route_gateway_id
-# authorization_key = var.authorization_key
-# enable_internet_security = var.enable_internet_security
-# express_route_gateway_bypass_enabled = var.express_route_gateway_bypass_enabled
-# private_link_fast_path_enabled = var.private_link_fast_path_enabled
-# routing_weight = var.routing_weight
+resource "azurerm_express_route_connection" "this" {
+ depends_on = [ # Depends_on not required durring real execution, since the Connection code will not be executed until the Circuit is provisioned.
+ azurerm_express_route_circuit.this,
+ azurerm_express_route_circuit_peering.this
+ ]
 
-# dynamic "routing" {
-# for_each = var.routing
-# content {
-# associated_route_table_id = routing.value.associated_route_table_id
-# inbound_route_map_id = routing.value.inbound_route_map_id
-# outbound_route_map_id = routing.value.outbound_route_map_id
+ name = var.express_route_connection_name
+ express_route_circuit_peering_id = local.express_route_circuit_peering_id
+ express_route_gateway_id = local.express_route_gateway_id
+ authorization_key = var.authorization_key
+ enable_internet_security = var.enable_internet_security
+ express_route_gateway_bypass_enabled = var.express_route_gateway_bypass_enabled
+ private_link_fast_path_enabled = var.private_link_fast_path_enabled
+ routing_weight = var.routing_weight
 
-# dynamic "propagated_route_table" {
-# for_each = routing.value.propagated_route_table
-# content {
-# labels = propagated_route_table.value.labels
-# route_table_ids = propagated_route_table.value.route_table_ids
-# }
-# }
-# }
-# }
-# }
\ No newline at end of file
+ dynamic "routing" {
+ for_each = var.routing != null ? [var.routing] : []
+ content {
+ associated_route_table_id = routing.value.associated_route_table_id
+ inbound_route_map_id = routing.value.inbound_route_map_id
+ outbound_route_map_id = routing.value.outbound_route_map_id
+
+ propagated_route_table {
+ labels = try(routing.value.propagated_route_table.labels, [])
+ route_table_ids = try(routing.value.propagated_route_table.route_table_ids, [])
+ }
+ }
+ }
+}
diff --git a/azure_express_route/locals.tf b/azure_express_route/locals.tf
index 9a5b485..a7c9b59 100644
--- a/azure_express_route/locals.tf
+++ b/azure_express_route/locals.tf
@@ -1,4 +1,12 @@
 locals {
 subscription_id_connectivity = coalesce(var.subscription_id_connectivity, local.subscription_id_management)
 subscription_id_management = coalesce(var.subscription_id_management, data.azurerm_client_config.current.subscription_id)
+
+ express_route_circuit_peering_id = format("/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Network/expressRouteCircuits/%s/peerings/%s",
+ local.subscription_id_connectivity, var.resource_group_name, var.express_route_circuit[0].express_route_circuit_name, var.circuit_peering[0].peering_type
+ )
+
+ express_route_gateway_id = format("/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Network/expressRouteGateways/%s",
+ local.subscription_id_connectivity, var.express_route_gateway_resource_group_name, var.express_route_gateway_name
+ )
 }
diff --git a/azure_express_route/main.tf b/azure_express_route/main.tf
index 1d03cda..fbf61a3 100644
--- a/azure_express_route/main.tf
+++ b/azure_express_route/main.tf
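Review bot: The comment on `depends_on` calls it "not required durring real execution", but the resource never references `azurerm_express_route_circuit.this` or `azurerm_express_route_circuit_peering.this` — `express_route_circuit_peering_id` comes from a string-built local — so `depends_on` is the only thing ordering this resource after the peering within one apply; the comment should say that instead of calling it optional, and "durring" is a typo. Together with the header note that the circuit must already be provider-provisioned, the module effectively needs two applies (circuit and peering first, the connection only after the carrier has provisioned the circuit), and that workflow is stated nowhere but this comment. Suggest replacing the inline remark with `# Required: the peering ID below is a computed string, so Terraform cannot infer this ordering. The connection must be applied in a second pass, after service_provider_provisioning_state is "Provisioned".` and adding the same two-pass note to the README.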
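Review bot: `express_route_circuit_peering_id` is assembled with `format()` from `var.express_route_circuit[0]` and `var.circuit_peering[0]`, so with the variables' `[]` defaults the plan fails on an invalid index, and with more than one circuit or peering the connection is silently attached to whichever happens to be listed first. Because the ID is built from input strings rather than a resource attribute, Terraform cannot infer the dependency on the peering either, which is why `express_route_connection.tf` has to carry a `depends_on`. Referencing the resource gives both the ordering and a clear error when the key is absent: `express_route_circuit_peering_id = azurerm_express_route_circuit_peering.this[var.circuit_peering[0].peering_type].id`. The gateway ID assumes the gateway lives in the connectivity subscription; if that is a fixed design decision it deserves a comment, otherwise a dedicated subscription input is needed.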
@@ -1,43 +1,4 @@
 resource "azurerm_resource_group" "this" {
 name = var.resource_group_name
- location = var.location
-}
-
-resource "azurerm_express_route_circuit" "this" {
- name = var.express_route_circuit_name
- resource_group_name = azurerm_resource_group.this.name
- location = azurerm_resource_group.this.location
- service_provider_name = var.service_provider_name
- peering_location = var.peering_location
- bandwidth_in_mbps = var.bandwidth_in_mbps
- allow_classic_operations = var.allow_classic_operations
-
- sku {
- tier = var.sku.tier
- family = var.sku.family
- }
-
- tags = var.tags
-}
-
-resource "azurerm_express_route_circuit_peering" "this" {
- peering_type = var.peering_type
- express_route_circuit_name = azurerm_express_route_circuit.this.name
- resource_group_name = azurerm_resource_group.this.name
-
- vlan_id = var.vlan_id
- primary_peer_address_prefix = var.primary_peer_address_prefix
- secondary_peer_address_prefix = var.secondary_peer_address_prefix
- ipv4_enabled = var.ipv4_enabled
-
- shared_key = var.shared_key
- peer_asn = var.peer_asn
- route_filter_id = var.route_filter_id
-
- microsoft_peering_config {
- advertised_public_prefixes = var.microsoft_peering_config.advertised_public_prefixes
- customer_asn = var.microsoft_peering_config.customer_asn
- routing_registry_name = var.microsoft_peering_config.routing_registry_name
- advertised_communities = var.microsoft_peering_config.advertised_communities
- }
+ location = var.resource_group_location
 }
diff --git a/azure_express_route/outputs.tf b/azure_express_route/outputs.tf
index 295002b..4ca533a 100644
--- a/azure_express_route/outputs.tf
+++ b/azure_express_route/outputs.tf
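Review bot: `azurerm_resource_group.this` is left without `tags = var.tags`, while the circuit that moved to `express_route_circuit.tf` in this same patch applies them; tagging the container resource the same way keeps ownership and cost reporting consistent, so add `tags = var.tags` after the `location` line. With the circuit and peering moved out, main.tf now holds only the resource group, and a one-line header such as `# Circuit, peering and connection are defined in express_route_*.tf` would save the next reader a search.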
@@ -1,14 +1,33 @@
 output "express_route_circuit_id" {
 description = "The ID of the ExpressRoute Circuit."
- value = azurerm_express_route_circuit.circuit.id
+ value = {
+ for key, id in azurerm_express_route_circuit.this : key => id.id
+ }
 }
 
 output "service_provider_provisioning_state" {
 description = "The provisioning state of the ExpressRoute Circuit Service Provider."
- value = azurerm_express_route_circuit.circuit.service_provider_provisioning_state
+ value = {
+ for key, state in azurerm_express_route_circuit.this : key => state.service_provider_provisioning_state
+ }
 }
 
 output "service_key" {
 description = "The service key of the ExpressRoute Circuit."
- value = azurerm_express_route_circuit.circuit.service_key
-}
\ No newline at end of file
+ value = {
+ for key, service_key in azurerm_express_route_circuit.this : key => service_key.service_key
+ }
+ sensitive = true
+}
+
+output "express_route_circuit_peering_id" {
+ description = "The ID of the ExpressRoute Circuit Peering."
+ value = {
+ for key, id in azurerm_express_route_circuit_peering.this : key => id.id
+ }
+}
+
+output "express_route_connection_id" {
+ description = "The ID of the ExpressRoute Connection."
+ value = azurerm_express_route_connection.this.id
+}
diff --git a/azure_express_route/provider.tf b/azure_express_route/provider.tf
index c0f60ef..b8cb8a3 100644
--- a/azure_express_route/provider.tf
+++ b/azure_express_route/provider.tf
@@ -1,5 +1,5 @@
 terraform {
- required_version = ">=1.8.0, < 2.0.0"
+ required_version = ">=1.9.0, < 2.0.0"
 
 required_providers {
 azurerm = {
diff --git a/azure_express_route/variables-expressRoute-circuit-peering.tf b/azure_express_route/variables-expressRoute-circuit-peering.tf
index 55ef60f..b0cc7f9 100644
--- a/azure_express_route/variables-expressRoute-circuit-peering.tf
+++ b/azure_express_route/variables-expressRoute-circuit-peering.tf
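Review bot: Each output's `for` expression binds the whole circuit object to a name that reads like the attribute being extracted (`id`, `state`, `service_key`), so `service_key.service_key` and `id.id` are correct but misleading at a glance; binding the object as `circuit` and keeping the attribute name on the right, `for key, circuit in azurerm_express_route_circuit.this : key => circuit.service_key`, reads unambiguously. Marking `service_key` as `sensitive = true` is the right call, since that key is what the carrier uses to provision the circuit; a comment should note that Terraform still writes it in clear text to the state backend, so access control on the state storage account remains the real protection. `express_route_circuit_peering_id` is keyed by `peering_type` only because that is the peering resource's `for_each` key; if that key ever changes, this output changes shape with it.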
@@ -1,64 +1,40 @@
-variable "peering_type" {
- description = "(Required) The type of the ExpressRoute Circuit Peering."
- type = string
+variable "circuit_peering" {
+ description = "Express Route circuit peering configuration"
+ type = list(object({
+ peering_type = string
+ express_route_circuit_name = string
+ vlan_id = number
+ primary_peer_address_prefix = optional(string)
+ secondary_peer_address_prefix = optional(string)
+ ipv4_enabled = optional(bool, true)
+ shared_key = optional(string, null)
+ peer_asn = optional(number, null)
+ microsoft_peering_config = optional(object({
+ advertised_public_prefixes = list(string)
+ customer_asn = optional(number, 0)
+ routing_registry_name = optional(string, "NONE")
+ advertised_communities = optional(list(string))
+ }), null)
+ ipv6 = optional(object({
+ primary_peer_address_prefix = string
+ secondary_peer_address_prefix = string
+ enabled = optional(bool, true)
+ microsoft_peering = optional(object({
+ advertised_public_prefixes = list(string)
+ customer_asn = optional(number, 0)
+ routing_registry_name = optional(string, "NONE")
+ advertised_communities = optional(list(string))
+ }), null)
+ route_filter_id = optional(string, null)
+ }), null)
+ route_filter_id = optional(string, null)
+ }))
+ default = []
 
 validation {
- condition = contains(["AzurePublicPeering", "AzurePrivatePeering", "MicrosoftPeering"], var.peering_type)
- error_message = "The peering type must be either AzurePublicPeering, AzurePrivatePeering or MicrosoftPeering."
+ condition = alltrue([
+ for peering in var.circuit_peering : contains(["AzurePrivatePeering", "AzurePublicPeering", "MicrosoftPeering"], peering.peering_type)
+ ])
+ error_message = "The sku tier must be either Basic, Local, Standard or Premium."
 }
 }
-
-variable "vlan_id" {
- description = "(Required) A valid VLAN ID to establish this peering on."
- type = number
-}
-
-variable "primary_peer_address_prefix" {
- description = "(Optional) A /30 subnet for the primary link. 
Required when config for IPv4."
- type = string
-}
-
-variable "secondary_peer_address_prefix" {
- description = "(Optional) A /30 subnet for the secondary link. Required when config for IPv4."
- type = string
-}
-
-variable "ipv4_enabled" {
- description = "(Optional) A boolean value indicating whether the IPv4 peering is enabled."
- type = bool
- default = true
-}
-
-variable "shared_key" {
- description = "(Optional) The shared key. Can be a maximum of 25 characters."
- type = string
- default = null
-}
-
-variable "peer_asn" {
- description = "(Optional) The Either a 16-bit or a 32-bit ASN. Can either be public or private."
- type = number
- default = null
-}
-
-variable "microsoft_peering_config" {
- description = "(Optional) A microsoft_peering_config block as defined below."
- type = object({
- advertised_public_prefixes = list(string)
- customer_asn = optional(number)
- routing_registry_name = optional(string)
- advertised_communities = optional(list(string))
- })
- default = null
-}
-
-variable "route_filter_id" {
- description = "(Optional) The ID of the Route Filter. Only available when peering_type is set to MicrosoftPeering."
- type = string
- default = null
-
- validation {
- condition = var.peering_type == "MicrosoftPeering" && var.route_filter_id == null
- error_message = "The route_filter_id must be set when peering_type is set to MicrosoftPeering."
- }
-}
\ No newline at end of file
diff --git a/azure_express_route/variables-expressRoute-circuit.tf b/azure_express_route/variables-expressRoute-circuit.tf
index 1723f10..25fe062 100644
--- a/azure_express_route/variables-expressRoute-circuit.tf
+++ b/azure_express_route/variables-expressRoute-circuit.tf
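Review bot: The new `circuit_peering` validation checks `peering_type` against AzurePrivatePeering/AzurePublicPeering/MicrosoftPeering but reports `"The sku tier must be either Basic, Local, Standard or Premium."`, a message copied from the circuit variable, so a caller who gets it wrong is told about SKUs; it should read `error_message = "peering_type must be one of AzurePrivatePeering, AzurePublicPeering or MicrosoftPeering."`. The hunk also drops the old `route_filter_id`-only-with-MicrosoftPeering check (which was inverted anyway) and the 25-character limit the old `shared_key` description stated, without replacing either; both fit the same `alltrue` pattern, as below. `shared_key` is now a field of a non-sensitive `list(object)`, and the list cannot simply be marked `sensitive = true` because it feeds `for_each` in `express_route_circuit_peering.tf`; if the keys must stay out of plan output they belong in a separate `map(string)` variable marked sensitive and looked up per peering.
```hcl
  validation {
    condition = alltrue([
      for peering in var.circuit_peering : contains(["AzurePrivatePeering", "AzurePublicPeering", "MicrosoftPeering"], peering.peering_type)
    ])
    error_message = "peering_type must be one of AzurePrivatePeering, AzurePublicPeering or MicrosoftPeering."
  }

  validation {
    condition = alltrue([
      for peering in var.circuit_peering : peering.route_filter_id == null || peering.peering_type == "MicrosoftPeering"
    ])
    error_message = "route_filter_id is only valid when peering_type is MicrosoftPeering."
  }

  validation {
    condition = alltrue([
      for peering in var.circuit_peering : peering.shared_key == null || length(peering.shared_key) <= 25
    ])
    error_message = "shared_key can be at most 25 characters."
  }
```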
@@ -1,62 +1,43 @@
-variable "express_route_circuit_name" {
- description = "(Required) The name of the ExpressRoute circuit."
- type = string
-}
-
-variable "resource_group_name" {
- description = "(Required) The name of the resource group in which to create the ExpressRoute circuit."
- type = string
-}
-
-variable "location" {
- description = "(Required) Specifies the supported Azure location where the resource exists."
- type = string
-}
-
-variable "sku" {
- description = "(Required) A sku block for the ExpressRoute circuit"
- type = object({
- tier = string
- family = string
- })
+variable "express_route_circuit" {
+ description = "Express Route circuit configuration"
+ type = list(object({
+ express_route_circuit_name = string
+ location = string
+ sku = object({
+ tier = string
+ family = string
+ })
+ service_provider_name = optional(string, null)
+ peering_location = optional(string, null)
+ bandwidth_in_mbps = optional(number, null)
+ allow_classic_operations = optional(bool, false)
+ express_route_port_id = optional(string, null)
+ bandwidth_in_gbps = optional(number, null)
+ authorization_key = optional(string, null)
+ }))
+ default = []
 
 validation {
- condition = contains(["Basic", "Local", "Standard", "Premium"], var.sku.tier)
+ condition = alltrue([
+ for circuit in var.express_route_circuit : contains(["Basic", "Local", "Standard", "Premium"], circuit.sku.tier)
+ ])
 error_message = "The sku tier must be either Basic, Local, Standard or Premium."
 }
 
 validation {
- condition = contains(["MeteredData", "UnlimitedData"], var.sku.family)
+ condition = alltrue([
+ for circuit in var.express_route_circuit : contains(["MeteredData", "UnlimitedData"], circuit.sku.family)
+ ])
 error_message = "The sku family must be either MeteredData or UnlimitedData."
 }
 }
 
-variable "service_provider_name" {
- description = "(Optional) The name of the ExpressRoute Service Provider." 
+variable "resource_group_name" {
+ description = "(Required) The name of the resource group in which to create the ExpressRoute circuit."
 type = string
- default = null
 }
 
-variable "peering_location" {
- description = "(Optional) The name of the peering location and not the Azure resource location."
+variable "resource_group_location" {
+ description = "(Required) Specifies the supported Azure location where the resource exists."
 type = string
- default = null
-}
-
-variable "bandwidth_in_mbps" {
- description = "(Optional) The bandwidth in Mbps of the circuit being created on the Service Provider."
- type = number
- default = null
-}
-
-variable "allow_classic_operations" {
- description = "(Optional) Allow the circuit to interact with classic (RDFE) resources."
- type = bool
- default = false
 }
-
-variable "authorization_key" {
- description = "(Optional) The authorization key. This can be used to set up an ExpressRoute Circuit with an ExpressRoute Port from another subscription."
- type = string
- default = null
-}
\ No newline at end of file
diff --git a/azure_express_route/variables-expressRoute-connection.tf b/azure_express_route/variables-expressRoute-connection.tf
index 448b877..d67cf5f 100644
--- a/azure_express_route/variables-expressRoute-connection.tf
+++ b/azure_express_route/variables-expressRoute-connection.tf
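Review bot: `express_route_circuit` accepts the service-provider attributes (`service_provider_name`, `peering_location`, `bandwidth_in_mbps`) and the ExpressRoute Direct attributes (`express_route_port_id`, `bandwidth_in_gbps`) as independent optionals with no check that each circuit uses one model and not a mix, so a half-filled object passes `terraform validate` and only fails at apply. One more `validation` in the same `alltrue` style catches it at plan time, as below. Separately, `authorization_key` now lives inside this non-sensitive list, and the list cannot be marked `sensitive = true` without breaking the `for_each` keyed on `express_route_circuit_name` in `express_route_circuit.tf`; per the description this hunk deletes, the key is what lets a circuit attach to a port in another subscription, so it should come in through a separate sensitive `map(string)` keyed by circuit name rather than through this object.
```hcl
  validation {
    condition = alltrue([
      for circuit in var.express_route_circuit : (
        (circuit.express_route_port_id != null && circuit.bandwidth_in_gbps != null
          && circuit.service_provider_name == null && circuit.peering_location == null && circuit.bandwidth_in_mbps == null)
        ||
        (circuit.express_route_port_id == null && circuit.bandwidth_in_gbps == null
          && circuit.service_provider_name != null && circuit.peering_location != null && circuit.bandwidth_in_mbps != null)
      )
    ])
    error_message = "Each circuit must set either service_provider_name, peering_location and bandwidth_in_mbps (provider circuit) or express_route_port_id and bandwidth_in_gbps (ExpressRoute Direct), not a mix."
  }
```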
@@ -1,10 +1,15 @@
-variable "express_route_connection_name" {
- description = "(Required) The name which should be used for this Express Route Connection."
+variable "express_route_gateway_resource_group_name" {
+ description = "(Required) The name of the Resource Group where the Express Route Gateway is located."
+ type = string
+}
+
+variable "express_route_gateway_name" {
+ description = "(Required) The name of the Express Route Gateway that this Express Route Connection connects with."
 type = string
 }
 
-variable "express_route_gateway_id" {
- description = "(Required) The ID of the Express Route Gateway to connect to."
+variable "express_route_connection_name" {
+ description = "(Required) The name which should be used for this Express Route Connection."
 type = string
 }
 
@@ -33,8 +38,11 @@ variable "private_link_fast_path_enabled" {
 
 validation {
 condition = (
- var.express_route_gateway_bypass_enabled == true &&
- var.private_link_fast_path_enabled == true)
+ (var.express_route_gateway_bypass_enabled == true &&
+ var.private_link_fast_path_enabled == true) ||
+ (var.express_route_gateway_bypass_enabled == false &&
+ var.private_link_fast_path_enabled == false)
+ )
 error_message = "private_link_fast_path_enabled must be set to true when express_route_gateway_bypass_enabled is set to true."
 }
 }
@@ -54,7 +62,7 @@ variable "routing" {
 }
 
 variable "routing_weight" {
- description = "(Optional) The weight added to routes learned from this connection."
+ description = "(Optional) The routing weight associated to the Express Route Connection."
 type = number
 default = 0
 
@@ -62,4 +70,4 @@ variable "routing_weight" {
 condition = var.routing_weight >= 0 && var.routing_weight <= 32000
 error_message = "routing_weight must be between 0 and 32000."
 }
-}
\ No newline at end of file
+}
diff --git a/azure_express_route/variables.tf b/azure_express_route/variables.tf
index 1fddd77..c7309ab 100644
--- a/azure_express_route/variables.tf
+++ b/azure_express_route/variables.tf
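Review bot: The rewritten `private_link_fast_path_enabled` validation now requires the two booleans to be equal, which rejects the legitimate combination `express_route_gateway_bypass_enabled = true` with `private_link_fast_path_enabled = false`; the constraint the description states is one-directional (fast path needs bypass, not the reverse), and the error message still describes only that direction. Expressing it as an implication matches both: `condition = !var.private_link_fast_path_enabled || var.express_route_gateway_bypass_enabled`. The enclosing `variable "private_link_fast_path_enabled"` block starts before this hunk, so its `description` and `default` were not checked here.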
@@ -12,4 +12,4 @@ variable "tags" {
 type = map(string)
 description = "A mapping of tags to assign to the resource."
 default = null
-}
\ No newline at end of file
+}
From a507a83e4e7024c93cbf4839f57ec039189fa15b Mon Sep 17 00:00:00 2001
From: Warren Uniewski
Date: Thu, 29 Aug 2024 16:59:09 -0700
Subject: [PATCH 07/32] fix budget field names
---
 terraform-azure-lz-project-set/main.tf | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/terraform-azure-lz-project-set/main.tf b/terraform-azure-lz-project-set/main.tf
index 818dd65..8aeade3 100644
--- a/terraform-azure-lz-project-set/main.tf
+++ b/terraform-azure-lz-project-set/main.tf
@@ -62,7 +62,7 @@ module "lz_vending" {
 }
 } : {}
 
- # budget_enabled = each.value.budget_amount > 0
+ budget_enabled = each.value.budget_amount > 0
 
 # "/subscriptions/60e89f81-a15c-4d7a-9be3-c3795a33a277/providers/Microsoft.Consumption/budgets/registry"
 # / Api Version "2021-10-01"): PUT
@@ -80,7 +80,7 @@ module "lz_vending" {
 # --------------------------------------------------------------------------------
 
 # Disable budgets for now due to RBAC access denied above
- budget_enabled = false
+ # budget_enabled = false
 
 budgets = each.value.budget_amount > 0 ? {
 registry = {
@@ -94,14 +94,14 @@ module "lz_vending" {
 operator = "GreaterThan"
 threshold = 80
 threshold_type = "Actual"
- contact_groups = ["Owner"]
+ contact_roles = ["Owner"]
 }
 budgetexceeded = {
 enabled = true
 operator = "GreaterThan"
 threshold = 100
 threshold_type = "Forecasted"
- contact_groups = ["Owner"]
+ contact_roles = ["Owner"]
 }
 }
 }
From c581bd74e92e8ca6f145642f19e0337b93f4bafc Mon Sep 17 00:00:00 2001
From: Warren Uniewski
Date: Fri, 30 Aug 2024 08:25:56 -0700
Subject: [PATCH 08/32] remove workaround
---
 terraform-azure-lz-project-set/main.tf | 19 +------------------
 1 file changed, 1 insertion(+), 18 deletions(-)
diff --git a/terraform-azure-lz-project-set/main.tf b/terraform-azure-lz-project-set/main.tf
index 8aeade3..f8e85ad 100644
--- a/terraform-azure-lz-project-set/main.tf
+++ b/terraform-azure-lz-project-set/main.tf
@@ -62,26 +62,9 @@ module "lz_vending" {
 }
 } : {}
 
+ # create budgets for each subscription
 budget_enabled = each.value.budget_amount > 0
 
- # "/subscriptions/60e89f81-a15c-4d7a-9be3-c3795a33a277/providers/Microsoft.Consumption/budgets/registry"
- # / Api Version "2021-10-01"): PUT
- # https://management.azure.com/subscriptions/60e89f81-a15c-4d7a-9be3-c3795a33a277/providers/Microsoft.Consumption/budgets/registry
- # --------------------------------------------------------------------------------
- # RESPONSE 401: 401 Unauthorized
- # ERROR CODE: RBACAccessDenied
- # --------------------------------------------------------------------------------
- # {
- # "error": {
- # "code": "RBACAccessDenied",
- # "message": "The client does not have authorization to perform action. Request ID: d97e8d78-6829-42f3-b0a8-671f1eb4da7e"
- # }
- # }
- # --------------------------------------------------------------------------------
-
- # Disable budgets for now due to RBAC access denied above
- # budget_enabled = false
-
 budgets = each.value.budget_amount > 0 ? {
 registry = {
 amount = each.value.budget_amount
From 893745dde67a409ddf2026a4b5b47e3cf4d2134d Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
Date: Fri, 6 Sep 2024 20:23:23 +0000
Subject: [PATCH 09/32] terraform-docs: automated action
---
 azure_express_route/README.md | 60 +++++++++++++++++++++++++++++++++++
 1 file changed, 60 insertions(+)
diff --git a/azure_express_route/README.md b/azure_express_route/README.md
index 39b7d46..091ba1a 100644
--- a/azure_express_route/README.md
+++ b/azure_express_route/README.md
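Review bot: The replacement comment `# create budgets for each subscription` drops the only record of why budgets had been disabled: the removed block shows the deploying identity receiving `RBACAccessDenied` on a `Microsoft.Consumption/budgets` write. Whatever role assignment resolved that is now a silent prerequisite of this module, and neither the commit message nor the remaining comment states it; suggest `# Budgets need the deploying identity to hold Microsoft.Consumption/budgets/write on each vended subscription; an earlier run failed with RBACAccessDenied until that was granted.` The enclosing `module "lz_vending"` block starts and ends outside the hunk.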
@@ -57,3 +57,63 @@ No modules. | [service\_key](#output\_service\_key) | The service key of the ExpressRoute Circuit. | | [service\_provider\_provisioning\_state](#output\_service\_provider\_provisioning\_state) | The provisioning state of the ExpressRoute Circuit Service Provider. | + + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >=1.9.0, < 2.0.0 | +| [azurerm](#requirement\_azurerm) | >=3.112.0, < 4.0.0 | + +## Providers + +| Name | Version | +|------|---------| +| [azurerm](#provider\_azurerm) | >=3.112.0, < 4.0.0 | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [azurerm_express_route_circuit.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/express_route_circuit) | resource | +| [azurerm_express_route_circuit_peering.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/express_route_circuit_peering) | resource | +| [azurerm_express_route_connection.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/express_route_connection) | resource | +| [azurerm_resource_group.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource | +| [azurerm_client_config.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/client_config) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [authorization\_key](#input\_authorization\_key) | (Optional) The authorization key to establish the Express Route Connection. | `string` | `null` | no | +| [circuit\_peering](#input\_circuit\_peering) | Express Route circuit peering configuration |
list(object({
peering_type = string
express_route_circuit_name = string
vlan_id = number
primary_peer_address_prefix = optional(string)
secondary_peer_address_prefix = optional(string)
ipv4_enabled = optional(bool, true)
shared_key = optional(string, null)
peer_asn = optional(number, null)
microsoft_peering_config = optional(object({
advertised_public_prefixes = list(string)
customer_asn = optional(number, 0)
routing_registry_name = optional(string, "NONE")
advertised_communities = optional(list(string))
}), null)
ipv6 = optional(object({
primary_peer_address_prefix = string
secondary_peer_address_prefix = string
enabled = optional(bool, true)
microsoft_peering = optional(object({
advertised_public_prefixes = list(string)
customer_asn = optional(number, 0)
routing_registry_name = optional(string, "NONE")
advertised_communities = optional(list(string))
}), null)
route_filter_id = optional(string, null)
}), null)
route_filter_id = optional(string, null)
}))
| `[]` | no | +| [enable\_internet\_security](#input\_enable\_internet\_security) | (Optional) Is Internet security enabled for this Express Route Connection? | `bool` | `null` | no | +| [express\_route\_circuit](#input\_express\_route\_circuit) | Express Route circuit configuration |
list(object({
express_route_circuit_name = string
location = string
sku = object({
tier = string
family = string
})
service_provider_name = optional(string, null)
peering_location = optional(string, null)
bandwidth_in_mbps = optional(number, null)
allow_classic_operations = optional(bool, false)
express_route_port_id = optional(string, null)
bandwidth_in_gbps = optional(number, null)
authorization_key = optional(string, null)
}))
| `[]` | no | +| [express\_route\_connection\_name](#input\_express\_route\_connection\_name) | (Required) The name which should be used for this Express Route Connection. | `string` | n/a | yes | +| [express\_route\_gateway\_bypass\_enabled](#input\_express\_route\_gateway\_bypass\_enabled) | (Optional) Specified whether Fast Path is enabled for Virtual Wan Firewall Hub. | `bool` | `false` | no | +| [express\_route\_gateway\_name](#input\_express\_route\_gateway\_name) | (Required) The name of the Express Route Gateway that this Express Route Connection connects with. | `string` | n/a | yes | +| [express\_route\_gateway\_resource\_group\_name](#input\_express\_route\_gateway\_resource\_group\_name) | (Required) The name of the Resource Group where the Express Route Gateway is located. | `string` | n/a | yes | +| [private\_link\_fast\_path\_enabled](#input\_private\_link\_fast\_path\_enabled) | (Optional) Bypass the Express Route gateway when accessing private-links. When enabled express\_route\_gateway\_bypass\_enabled must be set to true. | `bool` | `false` | no | +| [resource\_group\_location](#input\_resource\_group\_location) | (Required) Specifies the supported Azure location where the resource exists. | `string` | n/a | yes | +| [resource\_group\_name](#input\_resource\_group\_name) | (Required) The name of the resource group in which to create the ExpressRoute circuit. | `string` | n/a | yes | +| [routing](#input\_routing) | (Optional) A routing block as defined below. |
object({
associated_route_table_id = optional(string)
inbound_route_map_id = optional(string)
outbound_route_map_id = optional(string)
propagated_route_table = optional(object({
labels = optional(list(string))
route_table_ids = optional(list(string))
}))
})
| `null` | no | +| [routing\_weight](#input\_routing\_weight) | (Optional) The routing weight associated to the Express Route Connection. | `number` | `0` | no | +| [subscription\_id\_connectivity](#input\_subscription\_id\_connectivity) | Subscription ID to use for "connectivity" resources. | `string` | n/a | yes | +| [subscription\_id\_management](#input\_subscription\_id\_management) | Subscription ID to use for "management" resources. | `string` | n/a | yes | +| [tags](#input\_tags) | A mapping of tags to assign to the resource. | `map(string)` | `null` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [express\_route\_circuit\_id](#output\_express\_route\_circuit\_id) | The ID of the ExpressRoute Circuit. | +| [express\_route\_circuit\_peering\_id](#output\_express\_route\_circuit\_peering\_id) | The ID of the ExpressRoute Circuit Peering. | +| [express\_route\_connection\_id](#output\_express\_route\_connection\_id) | The ID of the ExpressRoute Connection. | +| [service\_key](#output\_service\_key) | The service key of the ExpressRoute Circuit. | +| [service\_provider\_provisioning\_state](#output\_service\_provider\_provisioning\_state) | The provisioning state of the ExpressRoute Circuit Service Provider. | + \ No newline at end of file From 0f23e566c9eb5ce924d0bc76aaa5626fd6a65df3 Mon Sep 17 00:00:00 2001 From: Warren Uniewski Date: Thu, 29 Aug 2024 16:59:09 -0700 Subject: [PATCH 10/32] fix budget field names --- terraform-azure-lz-project-set/main.tf | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/terraform-azure-lz-project-set/main.tf b/terraform-azure-lz-project-set/main.tf index f8e85ad..8aeade3 100644 --- a/terraform-azure-lz-project-set/main.tf +++ b/terraform-azure-lz-project-set/main.tf 
@@ -62,9 +62,26 @@ module "lz_vending" { } } : {} - # create budgets for each subscription budget_enabled = each.value.budget_amount > 0 + # "/subscriptions/60e89f81-a15c-4d7a-9be3-c3795a33a277/providers/Microsoft.Consumption/budgets/registry" + # / Api Version "2021-10-01"): PUT + # https://management.azure.com/subscriptions/60e89f81-a15c-4d7a-9be3-c3795a33a277/providers/Microsoft.Consumption/budgets/registry + # -------------------------------------------------------------------------------- + # RESPONSE 401: 401 Unauthorized + # ERROR CODE: RBACAccessDenied + # -------------------------------------------------------------------------------- + # { + # "error": { + # "code": "RBACAccessDenied", + # "message": "The client does not have authorization to perform action. Request ID: d97e8d78-6829-42f3-b0a8-671f1eb4da7e" + # } + # } + # -------------------------------------------------------------------------------- + + # Disable budgets for now due to RBAC access denied above + # budget_enabled = false + budgets = each.value.budget_amount > 0 ? { registry = { amount = each.value.budget_amount From dd52a2e0b2546d8eef8b1368bb194efcd821e200 Mon Sep 17 00:00:00 2001 From: Warren Uniewski Date: Fri, 30 Aug 2024 08:25:56 -0700 Subject: [PATCH 11/32] remove workaround --- terraform-azure-lz-project-set/main.tf | 19 +------------------ 1 file changed, 1 insertion(+), 18 deletions(-) diff --git a/terraform-azure-lz-project-set/main.tf b/terraform-azure-lz-project-set/main.tf index 8aeade3..f8e85ad 100644 --- a/terraform-azure-lz-project-set/main.tf +++ b/terraform-azure-lz-project-set/main.tf 
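Review bot: The comment block added after `budget_enabled` pastes a raw Azure error response, including a subscription GUID and a request ID, into main.tf where it will live in history indefinitely; a one-liner is enough, e.g. `# Budgets PUT currently fails with 401 RBACAccessDenied on the target subscription — see <TRACKING-ISSUE>`. The workaround it announces is also inert: `# budget_enabled = false` is commented out while the live `budget_enabled = each.value.budget_amount > 0` is kept, so budgets are still attempted and the 401 still occurs. The hunk drops `# create budgets for each subscription`, which still describes the line below it, and the subject "fix budget field names" does not describe this change. The enclosing `module "lz_vending"` block starts before and ends after the hunk.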
@@ -62,26 +62,9 @@ module "lz_vending" { } } : {} + # create budgets for each subscription budget_enabled = each.value.budget_amount > 0 - # "/subscriptions/60e89f81-a15c-4d7a-9be3-c3795a33a277/providers/Microsoft.Consumption/budgets/registry" - # / Api Version "2021-10-01"): PUT - # https://management.azure.com/subscriptions/60e89f81-a15c-4d7a-9be3-c3795a33a277/providers/Microsoft.Consumption/budgets/registry - # -------------------------------------------------------------------------------- - # RESPONSE 401: 401 Unauthorized - # ERROR CODE: RBACAccessDenied - # -------------------------------------------------------------------------------- - # { - # "error": { - # "code": "RBACAccessDenied", - # "message": "The client does not have authorization to perform action. Request ID: d97e8d78-6829-42f3-b0a8-671f1eb4da7e" - # } - # } - # -------------------------------------------------------------------------------- - - # Disable budgets for now due to RBAC access denied above - # budget_enabled = false - budgets = each.value.budget_amount > 0 ? { registry = { amount = each.value.budget_amount From 0169494a70d2e21eb17fd9e25fa5c4fa022d4623 Mon Sep 17 00:00:00 2001 
From: Adin Ermie Date: Mon, 9 Sep 2024 14:48:23 -0400 Subject: [PATCH 12/32] Express Route module code --- azure_express_route/README.md | 19 ++-- .../express_route_circuit/data.tf | 2 + .../express_route_circuit.tf | 0 .../express_route_circuit/locals.tf | 4 + .../express_route_circuit/main.tf | 4 + .../express_route_circuit/outputs.tf | 26 ++++++ .../express_route_circuit/provider.tf | 22 +++++ .../variables-expressRoute-circuit.tf | 43 +++++++++ .../express_route_circuit/variables.tf | 15 ++++ .../express_route_circuit_peering/data.tf | 2 + .../express_route_circuit_peering.tf | 5 +- .../express_route_circuit_peering/locals.tf | 8 ++ .../express_route_circuit_peering/main.tf | 0 .../express_route_circuit_peering/outputs.tf | 6 ++ .../express_route_circuit_peering/provider.tf | 22 +++++ .../variables-expressRoute-circuit-peering.tf | 40 +++++++++ .../variables.tf | 20 +++++ .../express_route_connection/data.tf | 2 + .../express_route_connection.tf | 5 -- .../express_route_connection/locals.tf | 12 +++ .../express_route_connection/main.tf | 0 .../express_route_connection/outputs.tf | 4 + .../express_route_connection/provider.tf | 22 +++++ .../variables-expressRoute-connection.tf | 88 +++++++++++++++++++ .../express_route_connection/variables.tf | 15 ++++ azure_express_route/locals.tf | 8 -- azure_express_route/main.tf | 48 +++++++++- azure_express_route/outputs.tf | 24 ++--- .../variables-expressRoute-connection.tf | 15 ++++ 29 files changed, 438 insertions(+), 43 deletions(-) create mode 100644 azure_express_route/express_route_circuit/data.tf rename azure_express_route/{ => express_route_circuit}/express_route_circuit.tf (100%) create mode 100644 azure_express_route/express_route_circuit/locals.tf create mode 100644 azure_express_route/express_route_circuit/main.tf create mode 100644 azure_express_route/express_route_circuit/outputs.tf create mode 100644 azure_express_route/express_route_circuit/provider.tf create mode 100644 
azure_express_route/express_route_circuit/variables-expressRoute-circuit.tf create mode 100644 azure_express_route/express_route_circuit/variables.tf create mode 100644 azure_express_route/express_route_circuit_peering/data.tf rename azure_express_route/{ => express_route_circuit_peering}/express_route_circuit_peering.tf (85%) create mode 100644 azure_express_route/express_route_circuit_peering/locals.tf create mode 100644 azure_express_route/express_route_circuit_peering/main.tf create mode 100644 azure_express_route/express_route_circuit_peering/outputs.tf create mode 100644 azure_express_route/express_route_circuit_peering/provider.tf create mode 100644 azure_express_route/express_route_circuit_peering/variables-expressRoute-circuit-peering.tf create mode 100644 azure_express_route/express_route_circuit_peering/variables.tf create mode 100644 azure_express_route/express_route_connection/data.tf rename azure_express_route/{ => express_route_connection}/express_route_connection.tf (84%) create mode 100644 azure_express_route/express_route_connection/locals.tf create mode 100644 azure_express_route/express_route_connection/main.tf create mode 100644 azure_express_route/express_route_connection/outputs.tf create mode 100644 azure_express_route/express_route_connection/provider.tf create mode 100644 azure_express_route/express_route_connection/variables-expressRoute-connection.tf create mode 100644 azure_express_route/express_route_connection/variables.tf diff --git a/azure_express_route/README.md b/azure_express_route/README.md index 091ba1a..814fd10 100644 --- a/azure_express_route/README.md +++ b/azure_express_route/README.md 
@@ -10,20 +10,20 @@ | Name | Version | |------|---------| -| [azurerm](#provider\_azurerm) | 3.116.0 | +| [azurerm](#provider\_azurerm) | >=3.112.0, < 4.0.0 | ## Modules -No modules. +| Name | Source | Version | +|------|--------|---------| +| [express\_route\_circuit](#module\_express\_route\_circuit) | ./express_route_circuit | n/a | +| [express\_route\_connection](#module\_express\_route\_connection) | ./express_route_connection | n/a | +| [express\_route\_peering](#module\_express\_route\_peering) | ./express_route_circuit_peering | n/a | ## Resources | Name | Type | |------|------| -| [azurerm_express_route_circuit.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/express_route_circuit) | resource | -| [azurerm_express_route_circuit_peering.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/express_route_circuit_peering) | resource | -| [azurerm_express_route_connection.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/express_route_connection) | resource | -| [azurerm_resource_group.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource | | [azurerm_client_config.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/client_config) | data source | ## Inputs @@ -32,8 +32,11 @@ No modules. |------|-------------|------|---------|:--------:| | [authorization\_key](#input\_authorization\_key) | (Optional) The authorization key to establish the Express Route Connection. | `string` | `null` | no | | [circuit\_peering](#input\_circuit\_peering) | Express Route circuit peering configuration |
list(object({
peering_type = string
express_route_circuit_name = string
vlan_id = number
primary_peer_address_prefix = optional(string)
secondary_peer_address_prefix = optional(string)
ipv4_enabled = optional(bool, true)
shared_key = optional(string, null)
peer_asn = optional(number, null)
microsoft_peering_config = optional(object({
advertised_public_prefixes = list(string)
customer_asn = optional(number, 0)
routing_registry_name = optional(string, "NONE")
advertised_communities = optional(list(string))
}), null)
ipv6 = optional(object({
primary_peer_address_prefix = string
secondary_peer_address_prefix = string
enabled = optional(bool, true)
microsoft_peering = optional(object({
advertised_public_prefixes = list(string)
customer_asn = optional(number, 0)
routing_registry_name = optional(string, "NONE")
advertised_communities = optional(list(string))
}), null)
route_filter_id = optional(string, null)
}), null)
route_filter_id = optional(string, null)
}))
| `[]` | no | +| [circuit\_peering\_type](#input\_circuit\_peering\_type) | (Required) The type of the Express Route Circuit Peering. | `string` | n/a | yes | | [enable\_internet\_security](#input\_enable\_internet\_security) | (Optional) Is Internet security enabled for this Express Route Connection? | `bool` | `null` | no | | [express\_route\_circuit](#input\_express\_route\_circuit) | Express Route circuit configuration |
list(object({
express_route_circuit_name = string
location = string
sku = object({
tier = string
family = string
})
service_provider_name = optional(string, null)
peering_location = optional(string, null)
bandwidth_in_mbps = optional(number, null)
allow_classic_operations = optional(bool, false)
express_route_port_id = optional(string, null)
bandwidth_in_gbps = optional(number, null)
authorization_key = optional(string, null)
}))
| `[]` | no | +| [express\_route\_circuit\_name](#input\_express\_route\_circuit\_name) | (Required) The name of the Express Route Circuit that this Express Route Connection connects with. | `string` | n/a | yes | +| [express\_route\_circuit\_resource\_group\_name](#input\_express\_route\_circuit\_resource\_group\_name) | (Required) The name of the Resource Group where the Express Route circuit is located. | `string` | n/a | yes | | [express\_route\_connection\_name](#input\_express\_route\_connection\_name) | (Required) The name which should be used for this Express Route Connection. | `string` | n/a | yes | | [express\_route\_gateway\_bypass\_enabled](#input\_express\_route\_gateway\_bypass\_enabled) | (Optional) Specified whether Fast Path is enabled for Virtual Wan Firewall Hub. | `bool` | `false` | no | | [express\_route\_gateway\_name](#input\_express\_route\_gateway\_name) | (Required) The name of the Express Route Gateway that this Express Route Connection connects with. | `string` | n/a | yes | @@ -51,9 +54,9 @@ No modules. | Name | Description | |------|-------------| +| [circuit\_peering\_id](#output\_circuit\_peering\_id) | The ID of the ExpressRoute Circuit Peering. | +| [connection\_id](#output\_connection\_id) | The ID of the ExpressRoute Connection. | | [express\_route\_circuit\_id](#output\_express\_route\_circuit\_id) | The ID of the ExpressRoute Circuit. | -| [express\_route\_circuit\_peering\_id](#output\_express\_route\_circuit\_peering\_id) | The ID of the ExpressRoute Circuit Peering. | -| [express\_route\_connection\_id](#output\_express\_route\_connection\_id) | The ID of the ExpressRoute Connection. | | [service\_key](#output\_service\_key) | The service key of the ExpressRoute Circuit. | | [service\_provider\_provisioning\_state](#output\_service\_provider\_provisioning\_state) | The provisioning state of the ExpressRoute Circuit Service Provider. | 
diff --git a/azure_express_route/express_route_circuit/data.tf b/azure_express_route/express_route_circuit/data.tf
new file mode 100644
index 0000000..434dac2
--- /dev/null
+++ b/azure_express_route/express_route_circuit/data.tf
@@ -0,0 +1,2 @@
+# Get the current client configuration from the AzureRM provider
+data "azurerm_client_config" "current" {}
diff --git a/azure_express_route/express_route_circuit.tf b/azure_express_route/express_route_circuit/express_route_circuit.tf
similarity index 100%
rename from azure_express_route/express_route_circuit.tf
rename to azure_express_route/express_route_circuit/express_route_circuit.tf
diff --git a/azure_express_route/express_route_circuit/locals.tf b/azure_express_route/express_route_circuit/locals.tf
new file mode 100644
index 0000000..9a5b485
--- /dev/null
+++ b/azure_express_route/express_route_circuit/locals.tf
@@ -0,0 +1,4 @@
+locals {
+ subscription_id_connectivity = coalesce(var.subscription_id_connectivity, local.subscription_id_management)
+ subscription_id_management = coalesce(var.subscription_id_management, data.azurerm_client_config.current.subscription_id)
+}
diff --git a/azure_express_route/express_route_circuit/main.tf b/azure_express_route/express_route_circuit/main.tf
new file mode 100644
index 0000000..fbf61a3
--- /dev/null
+++ b/azure_express_route/express_route_circuit/main.tf
@@ -0,0 +1,4 @@
+resource "azurerm_resource_group" "this" {
+ name = var.resource_group_name
+ location = var.resource_group_location
+}
diff --git a/azure_express_route/express_route_circuit/outputs.tf b/azure_express_route/express_route_circuit/outputs.tf
new file mode 100644
index 0000000..abe822a
--- /dev/null
+++ b/azure_express_route/express_route_circuit/outputs.tf
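Review bot: `azurerm_resource_group.this` in express_route_circuit/main.tf never applies `tags = var.tags`, although this module declares `tags` in its variables.tf and the root module passes it in, so the input is silently ignored; add `tags = var.tags` to the resource. The `coalesce` fallbacks in locals.tf also do not reach the provider: provider.tf sets `subscription_id = var.subscription_id_connectivity` directly, so an explicitly null input configures the provider without the management-subscription fallback the locals suggest. If that fallback is intended, `nullable = false` on both subscription variables would make the mismatch impossible rather than silent.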
@@ -0,0 +1,26 @@
+output "resource_group_name" {
+ description = "The name of the Resource Group."
+ value = azurerm_resource_group.this.name
+}
+
+output "express_route_circuit_id" {
+ description = "The ID of the ExpressRoute Circuit."
+ value = {
+ for key, id in azurerm_express_route_circuit.this : key => id.id
+ }
+}
+
+output "service_provider_provisioning_state" {
+ description = "The provisioning state of the ExpressRoute Circuit Service Provider."
+ value = {
+ for key, state in azurerm_express_route_circuit.this : key => state.service_provider_provisioning_state
+ }
+}
+
+output "service_key" {
+ description = "The service key of the ExpressRoute Circuit."
+ value = {
+ for key, service_key in azurerm_express_route_circuit.this : key => service_key.service_key
+ }
+ sensitive = true
+}
diff --git a/azure_express_route/express_route_circuit/provider.tf b/azure_express_route/express_route_circuit/provider.tf
new file mode 100644
index 0000000..e53b1c5
--- /dev/null
+++ b/azure_express_route/express_route_circuit/provider.tf
@@ -0,0 +1,22 @@
+# terraform {
+# required_version = ">=1.9.0, < 2.0.0"
+
+# required_providers {
+# azurerm = {
+# source = "hashicorp/azurerm"
+# version = ">=3.112.0, < 4.0.0"
+# }
+
+# azapi = {
+# source = "azure/azapi"
+# }
+# }
+# }
+
+provider "azurerm" {
+ use_oidc = true
+ features {}
+ # NOTE: The assumption is that the pipeline will be using the Management subscription for the base provider
+ # The sub-modules will be using the subscription_id_connectivity
+ subscription_id = var.subscription_id_connectivity
+}
diff --git a/azure_express_route/express_route_circuit/variables-expressRoute-circuit.tf b/azure_express_route/express_route_circuit/variables-expressRoute-circuit.tf
new file mode 100644
index 0000000..25fe062
--- /dev/null
+++ b/azure_express_route/express_route_circuit/variables-expressRoute-circuit.tf
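Review bot: The `provider "azurerm"` block in express_route_circuit/provider.tf lives inside a child module, and the identical block is repeated in express_route_circuit_peering/provider.tf and express_route_connection/provider.tf; Terraform documents provider configurations in called modules as a legacy pattern — such module blocks cannot use `count`, `for_each` or `depends_on`, and the resources cannot be destroyed cleanly once the module block is removed. Configure the provider once in the root and hand it down with the `providers` argument, keeping only a `required_providers` block (with `configuration_aliases` if an alias is needed) in each sub-module. As it stands the `required_providers` block is fully commented out in all three files, so the `>=3.112.0, < 4.0.0` constraint the README advertises is not enforced by any sub-module. The hard-coded `use_oidc = true` ties every sub-module to one authentication method; that belongs with the root provider configuration, not inside reusable modules.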
@@ -0,0 +1,43 @@
+variable "express_route_circuit" {
+ description = "Express Route circuit configuration"
+ type = list(object({
+ express_route_circuit_name = string
+ location = string
+ sku = object({
+ tier = string
+ family = string
+ })
+ service_provider_name = optional(string, null)
+ peering_location = optional(string, null)
+ bandwidth_in_mbps = optional(number, null)
+ allow_classic_operations = optional(bool, false)
+ express_route_port_id = optional(string, null)
+ bandwidth_in_gbps = optional(number, null)
+ authorization_key = optional(string, null)
+ }))
+ default = []
+
+ validation {
+ condition = alltrue([
+ for circuit in var.express_route_circuit : contains(["Basic", "Local", "Standard", "Premium"], circuit.sku.tier)
+ ])
+ error_message = "The sku tier must be either Basic, Local, Standard or Premium."
+ }
+
+ validation {
+ condition = alltrue([
+ for circuit in var.express_route_circuit : contains(["MeteredData", "UnlimitedData"], circuit.sku.family)
+ ])
+ error_message = "The sku family must be either MeteredData or UnlimitedData."
+ }
+}
+
+variable "resource_group_name" {
+ description = "(Required) The name of the resource group in which to create the ExpressRoute circuit."
+ type = string
+}
+
+variable "resource_group_location" {
+ description = "(Required) Specifies the supported Azure location where the resource exists."
+ type = string
+}
diff --git a/azure_express_route/express_route_circuit/variables.tf b/azure_express_route/express_route_circuit/variables.tf
new file mode 100644
index 0000000..c7309ab
--- /dev/null
+++ b/azure_express_route/express_route_circuit/variables.tf
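Review bot: `authorization_key` is carried inside the non-sensitive `express_route_circuit` list, so the value is printed in plan output and in any CI log that captures it; Terraform cannot mark a single nested attribute sensitive, so either add `sensitive = true` to this variable (hiding the whole object in plans) or take the key through a separate sensitive input keyed by circuit name, e.g. `variable "express_route_circuit_authorization_key" { type = map(string) sensitive = true default = {} }`. The object also accepts both the service-provider attributes (`service_provider_name`, `peering_location`, `bandwidth_in_mbps`) and the port attributes (`express_route_port_id`, `bandwidth_in_gbps`) at once; if I recall the azurerm docs correctly these two groups are mutually exclusive, so a third `validation` block requiring exactly one group to be set would surface the mistake at plan time instead of apply. The renamed express_route_circuit.tf that consumes this variable is not visible in the patch.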
@@ -0,0 +1,15 @@ +variable "subscription_id_management" { + type = string + description = "Subscription ID to use for \"management\" resources." +} + +variable "subscription_id_connectivity" { + type = string + description = "Subscription ID to use for \"connectivity\" resources." +} + +variable "tags" { + type = map(string) + description = "A mapping of tags to assign to the resource." + default = null +} diff --git a/azure_express_route/express_route_circuit_peering/data.tf b/azure_express_route/express_route_circuit_peering/data.tf new file mode 100644 index 0000000..434dac2 --- /dev/null +++ b/azure_express_route/express_route_circuit_peering/data.tf @@ -0,0 +1,2 @@ +# Get the current client configuration from the AzureRM provider +data "azurerm_client_config" "current" {} diff --git a/azure_express_route/express_route_circuit_peering.tf b/azure_express_route/express_route_circuit_peering/express_route_circuit_peering.tf similarity index 85% rename from azure_express_route/express_route_circuit_peering.tf rename to azure_express_route/express_route_circuit_peering/express_route_circuit_peering.tf index 495791c..fe2261a 100644 --- a/azure_express_route/express_route_circuit_peering.tf +++ b/azure_express_route/express_route_circuit_peering/express_route_circuit_peering.tf @@ -1,11 +1,10 @@ +# IMPORTANT: The provider status of the Express Route Circuit must be set as provisioned while creating the Express Route circuit peering. resource "azurerm_express_route_circuit_peering" "this" { - depends_on = [azurerm_express_route_circuit.this] - for_each = { for peering in var.circuit_peering : peering.peering_type => peering } peering_type = each.value.peering_type express_route_circuit_name = each.value.express_route_circuit_name - resource_group_name = azurerm_resource_group.this.name + resource_group_name = var.resource_group_name vlan_id = each.value.vlan_id primary_peer_address_prefix = each.value.primary_peer_address_prefix 
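Review bot: Dropping `depends_on = [azurerm_express_route_circuit.this]` from the peering resource leaves nothing that orders the peering after the circuit: the only link from the root module in this patch is `resource_group_name = module.express_route_circuit.resource_group_name`, which depends on the resource group output, not on the circuit, so a fresh apply may attempt the peering before the circuit exists. Add `depends_on = [module.express_route_circuit]` to the `express_route_peering` module block in azure_express_route/main.tf, and likewise `depends_on = [module.express_route_peering]` on `express_route_connection`, whose locals.tf builds the peering ID with `format()` instead of referencing the peering output and so has no graph edge either. The `# IMPORTANT` comment added at the top documents a manual gate on provider status, not a Terraform ordering. The `azurerm_express_route_circuit_peering.this` block continues past the end of the hunk.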
diff --git a/azure_express_route/express_route_circuit_peering/locals.tf b/azure_express_route/express_route_circuit_peering/locals.tf
new file mode 100644
index 0000000..d363753
--- /dev/null
+++ b/azure_express_route/express_route_circuit_peering/locals.tf
@@ -0,0 +1,8 @@
+locals {
+ subscription_id_connectivity = coalesce(var.subscription_id_connectivity, local.subscription_id_management)
+ subscription_id_management = coalesce(var.subscription_id_management, data.azurerm_client_config.current.subscription_id)
+
+ express_route_circuit_peering_id = format("/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Network/expressRouteCircuits/%s/peerings/%s",
+ local.subscription_id_connectivity, var.resource_group_name, var.circuit_peering[0].express_route_circuit_name, var.circuit_peering[0].peering_type
+ )
+}
diff --git a/azure_express_route/express_route_circuit_peering/main.tf b/azure_express_route/express_route_circuit_peering/main.tf
new file mode 100644
index 0000000..e69de29
diff --git a/azure_express_route/express_route_circuit_peering/outputs.tf b/azure_express_route/express_route_circuit_peering/outputs.tf
new file mode 100644
index 0000000..29b8fae
--- /dev/null
+++ b/azure_express_route/express_route_circuit_peering/outputs.tf
@@ -0,0 +1,6 @@
+output "express_route_circuit_peering_id" {
+ description = "The ID of the ExpressRoute Circuit Peering."
+ value = {
+ for key, id in azurerm_express_route_circuit_peering.this : key => id.id
+ }
+}
diff --git a/azure_express_route/express_route_circuit_peering/provider.tf b/azure_express_route/express_route_circuit_peering/provider.tf
new file mode 100644
index 0000000..e53b1c5
--- /dev/null
+++ b/azure_express_route/express_route_circuit_peering/provider.tf
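Review bot: `express_route_circuit_peering_id` in express_route_circuit_peering/locals.tf indexes `var.circuit_peering[0]`, so with the variable's default of `[]` the module will most likely fail at plan time with an invalid-index error even though nothing reads the local; with several peerings it describes only the first one, while the resource is created `for_each` over all of them. Nothing in this patch references this local (outputs.tf reads the resource directly), so the simplest fix is to delete it; if a constructed ID is really needed, build it per peering, e.g. `{ for p in var.circuit_peering : p.peering_type => format("...", ...) }`, or better, expose the resource's own `id` as the output already does.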
@@ -0,0 +1,22 @@ +# terraform { +# required_version = ">=1.9.0, < 2.0.0" + +# required_providers { +# azurerm = { +# source = "hashicorp/azurerm" +# version = ">=3.112.0, < 4.0.0" +# } + +# azapi = { +# source = "azure/azapi" +# } +# } +# } + +provider "azurerm" { + use_oidc = true + features {} + # NOTE: The assumption is that the pipeline will be using the Management subscription for the base provider + # The sub-modules will be using the subscription_id_connectivity + subscription_id = var.subscription_id_connectivity +} diff --git a/azure_express_route/express_route_circuit_peering/variables-expressRoute-circuit-peering.tf b/azure_express_route/express_route_circuit_peering/variables-expressRoute-circuit-peering.tf new file mode 100644 index 0000000..b0cc7f9 --- /dev/null +++ b/azure_express_route/express_route_circuit_peering/variables-expressRoute-circuit-peering.tf 
@@ -0,0 +1,40 @@ +variable "circuit_peering" { + description = "Express Route circuit peering configuration" + type = list(object({ + peering_type = string + express_route_circuit_name = string + vlan_id = number + primary_peer_address_prefix = optional(string) + secondary_peer_address_prefix = optional(string) + ipv4_enabled = optional(bool, true) + shared_key = optional(string, null) + peer_asn = optional(number, null) + microsoft_peering_config = optional(object({ + advertised_public_prefixes = list(string) + customer_asn = optional(number, 0) + routing_registry_name = optional(string, "NONE") + advertised_communities = optional(list(string)) + }), null) + ipv6 = optional(object({ + primary_peer_address_prefix = string + secondary_peer_address_prefix = string + enabled = optional(bool, true) + microsoft_peering = optional(object({ + advertised_public_prefixes = list(string) + customer_asn = optional(number, 0) + routing_registry_name = optional(string, "NONE") + advertised_communities = optional(list(string)) + }), null) + route_filter_id = optional(string, null) + }), null) + route_filter_id = optional(string, null) + })) + default = [] + + validation { + condition = alltrue([ + for peering in var.circuit_peering : contains(["AzurePrivatePeering", "AzurePublicPeering", "MicrosoftPeering"], peering.peering_type) + ]) + error_message = "The sku tier must be either Basic, Local, Standard or Premium." + } +} diff --git a/azure_express_route/express_route_circuit_peering/variables.tf b/azure_express_route/express_route_circuit_peering/variables.tf new file mode 100644 index 0000000..2f005a5 --- /dev/null +++ b/azure_express_route/express_route_circuit_peering/variables.tf 
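Review bot: The `peering_type` validation reuses the SKU message, so a bad value is reported as "The sku tier must be either Basic, Local, Standard or Premium."; change it to `error_message = "The peering type must be one of AzurePrivatePeering, AzurePublicPeering or MicrosoftPeering."`. `shared_key` (the BGP MD5 secret) sits inside this non-sensitive list variable and will therefore appear in plan output; either mark the variable `sensitive = true` or pass the key through a separate sensitive input. Since the peering resource keys its `for_each` by `peering_type`, two entries with the same type fail at plan with a duplicate-key error; a validation such as `condition = length(distinct([for p in var.circuit_peering : p.peering_type])) == length(var.circuit_peering)` gives a clearer message.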
@@ -0,0 +1,20 @@ +variable "subscription_id_management" { + type = string + description = "Subscription ID to use for \"management\" resources." +} + +variable "subscription_id_connectivity" { + type = string + description = "Subscription ID to use for \"connectivity\" resources." +} + +variable "resource_group_name" { + description = "(Required) The name of the resource group in which to create the ExpressRoute circuit." + type = string +} + +variable "tags" { + type = map(string) + description = "A mapping of tags to assign to the resource." + default = null +} diff --git a/azure_express_route/express_route_connection/data.tf b/azure_express_route/express_route_connection/data.tf new file mode 100644 index 0000000..434dac2 --- /dev/null +++ b/azure_express_route/express_route_connection/data.tf @@ -0,0 +1,2 @@ +# Get the current client configuration from the AzureRM provider +data "azurerm_client_config" "current" {} diff --git a/azure_express_route/express_route_connection.tf b/azure_express_route/express_route_connection/express_route_connection.tf similarity index 84% rename from azure_express_route/express_route_connection.tf rename to azure_express_route/express_route_connection/express_route_connection.tf index e3e88b3..c5838b0 100644 --- a/azure_express_route/express_route_connection.tf +++ b/azure_express_route/express_route_connection/express_route_connection.tf 
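Review bot: The `resource_group_name` description in express_route_circuit_peering/variables.tf was copied from the circuit module and says "in which to create the ExpressRoute circuit", but in this module the resource group already exists and holds the circuit being peered; use `description = "(Required) The name of the Resource Group where the Express Route circuit is located."`, the wording the connection module already uses. `tags` is declared here too, but the visible part of the peering resource hunk does not apply it — confirm it is used further down in express_route_circuit_peering.tf or drop the variable.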
@@ -1,11 +1,6 @@ # IMPORTANT: The provider status of the Express Route Circuit must be set as provisioned while creating the Express Route Connection. resource "azurerm_express_route_connection" "this" { - depends_on = [ # Depends_on not required durring real execution, since the Connection code will not be executed until the Circuit is provisioned. - azurerm_express_route_circuit.this, - azurerm_express_route_circuit_peering.this - ] - name = var.express_route_connection_name express_route_circuit_peering_id = local.express_route_circuit_peering_id express_route_gateway_id = local.express_route_gateway_id diff --git a/azure_express_route/express_route_connection/locals.tf b/azure_express_route/express_route_connection/locals.tf new file mode 100644 index 0000000..fb134f3 --- /dev/null +++ b/azure_express_route/express_route_connection/locals.tf @@ -0,0 +1,12 @@ +locals { + subscription_id_connectivity = coalesce(var.subscription_id_connectivity, local.subscription_id_management) + subscription_id_management = coalesce(var.subscription_id_management, data.azurerm_client_config.current.subscription_id) + + express_route_circuit_peering_id = format("/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Network/expressRouteCircuits/%s/peerings/%s", + local.subscription_id_connectivity, var.express_route_circuit_resource_group_name, var.express_route_circuit_name, var.circuit_peering_type + ) + + express_route_gateway_id = format("/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Network/expressRouteGateways/%s", + local.subscription_id_connectivity, var.express_route_gateway_resource_group_name, var.express_route_gateway_name + ) +} diff --git a/azure_express_route/express_route_connection/main.tf b/azure_express_route/express_route_connection/main.tf new file mode 100644 index 0000000..e69de29 
diff --git a/azure_express_route/express_route_connection/outputs.tf b/azure_express_route/express_route_connection/outputs.tf
new file mode 100644
index 0000000..9470b60
--- /dev/null
+++ b/azure_express_route/express_route_connection/outputs.tf
@@ -0,0 +1,4 @@
+output "express_route_connection_id" {
+ description = "The ID of the ExpressRoute Connection."
+ value = azurerm_express_route_connection.this.id
+}
diff --git a/azure_express_route/express_route_connection/provider.tf b/azure_express_route/express_route_connection/provider.tf
new file mode 100644
index 0000000..e53b1c5
--- /dev/null
+++ b/azure_express_route/express_route_connection/provider.tf
@@ -0,0 +1,22 @@
+# terraform {
+# required_version = ">=1.9.0, < 2.0.0"
+
+# required_providers {
+# azurerm = {
+# source = "hashicorp/azurerm"
+# version = ">=3.112.0, < 4.0.0"
+# }
+
+# azapi = {
+# source = "azure/azapi"
+# }
+# }
+# }
+
+provider "azurerm" {
+ use_oidc = true
+ features {}
+ # NOTE: The assumption is that the pipeline will be using the Management subscription for the base provider
+ # The sub-modules will be using the subscription_id_connectivity
+ subscription_id = var.subscription_id_connectivity
+}
diff --git a/azure_express_route/express_route_connection/variables-expressRoute-connection.tf b/azure_express_route/express_route_connection/variables-expressRoute-connection.tf
new file mode 100644
index 0000000..34a30a4
--- /dev/null
+++ b/azure_express_route/express_route_connection/variables-expressRoute-connection.tf
@@ -0,0 +1,88 @@ +variable "express_route_gateway_resource_group_name" { + description = "(Required) The name of the Resource Group where the Express Route Gateway is located." + type = string +} + +variable "express_route_circuit_resource_group_name" { + description = "(Required) The name of the Resource Group where the Express Route circuit is located." + type = string +} + +variable "express_route_circuit_name" { + description = "(Required) The name of the Express Route Circuit that this Express Route Connection connects with." + type = string +} + +variable "express_route_gateway_name" { + description = "(Required) The name of the Express Route Gateway that this Express Route Connection connects with." + type = string +} + +variable "circuit_peering_type" { + description = "(Required) The type of the Express Route Circuit Peering." + type = string +} + +variable "express_route_connection_name" { + description = "(Required) The name which should be used for this Express Route Connection." + type = string +} + +variable "authorization_key" { + description = "(Optional) The authorization key to establish the Express Route Connection." + type = string + default = null +} + +variable "enable_internet_security" { + description = "(Optional) Is Internet security enabled for this Express Route Connection?" + type = bool + default = null +} + +variable "express_route_gateway_bypass_enabled" { + description = "(Optional) Specified whether Fast Path is enabled for Virtual Wan Firewall Hub." + type = bool + default = false +} + +variable "private_link_fast_path_enabled" { + description = "(Optional) Bypass the Express Route gateway when accessing private-links. When enabled express_route_gateway_bypass_enabled must be set to true." 
+ type = bool + default = false + + validation { + condition = ( + (var.express_route_gateway_bypass_enabled == true && + var.private_link_fast_path_enabled == true) || + (var.express_route_gateway_bypass_enabled == false && + var.private_link_fast_path_enabled == false) + ) + error_message = "private_link_fast_path_enabled must be set to true when express_route_gateway_bypass_enabled is set to true." + } +} + +variable "routing" { + description = "(Optional) A routing block as defined below." + type = object({ + associated_route_table_id = optional(string) + inbound_route_map_id = optional(string) + outbound_route_map_id = optional(string) + propagated_route_table = optional(object({ + labels = optional(list(string)) + route_table_ids = optional(list(string)) + })) + }) + default = null +} + +variable "routing_weight" { + description = "(Optional) The routing weight associated to the Express Route Connection." + type = number + default = 0 + + validation { + condition = var.routing_weight >= 0 && var.routing_weight <= 32000 + error_message = "routing_weight must be between 0 and 32000." + } +} diff --git a/azure_express_route/express_route_connection/variables.tf b/azure_express_route/express_route_connection/variables.tf new file mode 100644 index 0000000..c7309ab --- /dev/null +++ b/azure_express_route/express_route_connection/variables.tf @@ -0,0 +1,15 @@ +variable "subscription_id_management" { + type = string + description = "Subscription ID to use for \"management\" resources." +} + +variable "subscription_id_connectivity" { + type = string + description = "Subscription ID to use for \"connectivity\" resources." +} + +variable "tags" { + type = map(string) + description = "A mapping of tags to assign to the resource." + default = null +} diff --git a/azure_express_route/locals.tf b/azure_express_route/locals.tf index a7c9b59..9a5b485 100644 --- a/azure_express_route/locals.tf +++ b/azure_express_route/locals.tf 
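Review bot: The validation on `private_link_fast_path_enabled` rejects `express_route_gateway_bypass_enabled = true` together with `private_link_fast_path_enabled = false`, which is a legitimate configuration and contradicts the variable's own description (fast path requires bypass, not the reverse); the condition should be `condition = !var.private_link_fast_path_enabled || var.express_route_gateway_bypass_enabled` with `error_message = "express_route_gateway_bypass_enabled must be true when private_link_fast_path_enabled is true."`. Referencing another variable inside a `validation` block requires Terraform 1.9 or later, and the `required_version` constraint in provider.tf is commented out, so an older CLI will fail here with an unhelpful error. `authorization_key` is a credential and should carry `sensitive = true` so it is redacted from plan output. The `private_link_fast_path_enabled` block begins on the previous line of the hunk.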
@@ -1,12 +1,4 @@
 locals {
 subscription_id_connectivity = coalesce(var.subscription_id_connectivity, local.subscription_id_management)
 subscription_id_management = coalesce(var.subscription_id_management, data.azurerm_client_config.current.subscription_id)
-
- express_route_circuit_peering_id = format("/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Network/expressRouteCircuits/%s/peerings/%s",
- local.subscription_id_connectivity, var.resource_group_name, var.express_route_circuit[0].express_route_circuit_name, var.circuit_peering[0].peering_type
- )
-
- express_route_gateway_id = format("/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Network/expressRouteGateways/%s",
- local.subscription_id_connectivity, var.express_route_gateway_resource_group_name, var.express_route_gateway_name
- )
 }
diff --git a/azure_express_route/main.tf b/azure_express_route/main.tf
index fbf61a3..cec2a0c 100644
--- a/azure_express_route/main.tf
+++ b/azure_express_route/main.tf
@@ -1,4 +1,46 @@
-resource "azurerm_resource_group" "this" {
- name = var.resource_group_name
- location = var.resource_group_location
+module "express_route_circuit" {
+ source = "./express_route_circuit"
+
+ subscription_id_connectivity = var.subscription_id_connectivity
+ subscription_id_management = var.subscription_id_management
+
+ resource_group_name = var.resource_group_name
+ resource_group_location = var.resource_group_location
+
+ express_route_circuit = var.express_route_circuit
+
+ tags = var.tags
+}
+
+module "express_route_peering" {
+ source = "./express_route_circuit_peering"
+
+ subscription_id_connectivity = var.subscription_id_connectivity
+ subscription_id_management = var.subscription_id_management
+
+ resource_group_name = module.express_route_circuit.resource_group_name
+ circuit_peering = var.circuit_peering
+}
+
+# IMPORTANT: The provider status of the Express Route Circuit must be set as provisioned while creating the Express Route Connection.
+module "express_route_connection" {
+ source = "./express_route_connection"
+
+ subscription_id_connectivity = var.subscription_id_connectivity
+ subscription_id_management = var.subscription_id_management
+
+ express_route_gateway_resource_group_name = var.express_route_gateway_resource_group_name
+ express_route_circuit_resource_group_name = module.express_route_circuit.resource_group_name
+
+ express_route_gateway_name = var.express_route_gateway_name
+ express_route_connection_name = var.express_route_connection_name
+
+ express_route_circuit_name = var.express_route_circuit_name
+ circuit_peering_type = var.circuit_peering_type
+
+ enable_internet_security = var.enable_internet_security
+ express_route_gateway_bypass_enabled = var.express_route_gateway_bypass_enabled
+ private_link_fast_path_enabled = var.private_link_fast_path_enabled
+ routing_weight = var.routing_weight
+ routing = var.routing
 }
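Review bot: The `express_route_connection` module call forwards every connection input except `authorization_key`, which the root still declares in `variables-expressRoute-connection.tf` (next hunk) and the root README lists as an input, so a value a caller sets is silently ignored and the submodule falls back to its own default; add `authorization_key = var.authorization_key`. `tags` is likewise only forwarded to `express_route_circuit`, although the `express_route_connection` submodule declares a `tags` input in its `variables.tf` above, so `tags = var.tags` belongs on the peering and connection calls as well if those submodules apply it. Separately, `express_route_circuit_name` is now an independent input rather than being derived from `var.express_route_circuit[0].express_route_circuit_name` as the removed `locals.tf` did, so the circuit that is created and the one the connection targets can disagree without any validation catching it.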
diff --git a/azure_express_route/outputs.tf b/azure_express_route/outputs.tf
index 4ca533a..df9d99b 100644
--- a/azure_express_route/outputs.tf
+++ b/azure_express_route/outputs.tf
@@ -1,33 +1,25 @@
 output "express_route_circuit_id" {
 description = "The ID of the ExpressRoute Circuit."
- value = {
- for key, id in azurerm_express_route_circuit.this : key => id.id
- }
+ value = module.express_route_circuit.express_route_circuit_id
 }
 
 output "service_provider_provisioning_state" {
 description = "The provisioning state of the ExpressRoute Circuit Service Provider."
- value = {
- for key, state in azurerm_express_route_circuit.this : key => state.service_provider_provisioning_state
- }
+ value = module.express_route_circuit.service_provider_provisioning_state
 }
 
 output "service_key" {
 description = "The service key of the ExpressRoute Circuit."
- value = {
- for key, service_key in azurerm_express_route_circuit.this : key => service_key.service_key
- }
- sensitive = true
+ value = module.express_route_circuit.service_key
+ sensitive = true
 }
 
-output "express_route_circuit_peering_id" {
+output "circuit_peering_id" {
 description = "The ID of the ExpressRoute Circuit Peering."
- value = {
- for key, id in azurerm_express_route_circuit_peering.this : key => id.id
- }
+ value = module.express_route_peering.express_route_circuit_peering_id
 }
 
-output "express_route_connection_id" {
+output "connection_id" {
 description = "The ID of the ExpressRoute Connection."
- value = azurerm_express_route_connection.this.id
+ value = module.express_route_connection.express_route_connection_id
 }
diff --git a/azure_express_route/variables-expressRoute-connection.tf b/azure_express_route/variables-expressRoute-connection.tf
index d67cf5f..ac3cf61 100644
--- a/azure_express_route/variables-expressRoute-connection.tf
+++ b/azure_express_route/variables-expressRoute-connection.tf
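Review bot: Renaming the outputs `express_route_circuit_peering_id` to `circuit_peering_id` and `express_route_connection_id` to `connection_id` breaks any consumer that reads the old names, and leaves the root inconsistent with the `express_route_circuit_id` output it keeps and with the submodule outputs it now wraps (`module.express_route_peering.express_route_circuit_peering_id`, `module.express_route_connection.express_route_connection_id`). If the shorter names are intended, keep the old ones alongside for a release, e.g. `output "express_route_connection_id" { value = module.express_route_connection.express_route_connection_id }`, and call the rename out in the commit message. Preserving `sensitive = true` on `service_key` while delegating to the module is correct, since the submodule's own marking does not carry through a root output.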
@@ -8,11 +8,26 @@ variable "express_route_gateway_name" {
 type = string
 }
 
+variable "express_route_circuit_resource_group_name" {
+ description = "(Required) The name of the Resource Group where the Express Route circuit is located."
+ type = string
+}
+
+variable "express_route_circuit_name" {
+ description = "(Required) The name of the Express Route Circuit that this Express Route Connection connects with."
+ type = string
+}
+
 variable "express_route_connection_name" {
 description = "(Required) The name which should be used for this Express Route Connection."
 type = string
 }
 
+variable "circuit_peering_type" {
+ description = "(Required) The type of the Express Route Circuit Peering."
+ type = string
+}
+
 variable "authorization_key" {
 description = "(Optional) The authorization key to establish the Express Route Connection."
 type = string
From 9cdd4a863b77f0891e7da56a01bf29061eeff1ba Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Mon, 9 Sep 2024 18:52:57 +0000 Subject: [PATCH 13/32] terraform-docs: automated action --- azure_express_route/README.md | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-)
diff --git a/azure_express_route/README.md b/azure_express_route/README.md
index 814fd10..65e7bad 100644
--- a/azure_express_route/README.md
+++ b/azure_express_route/README.md
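Review bot: The new `circuit_peering_type` accepts any string, while the `peering_type` field of this module's `circuit_peering` input is restricted to AzurePrivatePeering, AzurePublicPeering and MicrosoftPeering (its validation is visible in the deleted copy of `variables-expressRoute-circuit-peering.tf` later on this page); a matching validation block here keeps the two inputs consistent and fails at `terraform validate` instead of producing a peering resource ID that does not exist. Separately, `authorization_key` is the secret used to redeem the circuit, yet its declaration, which continues past the end of this hunk, carries no `sensitive = true`, so the value is printed in plan output and stored unredacted in logs; add `sensitive = true` next to its `default`.
```hcl
variable "circuit_peering_type" {
  description = "(Required) The type of the Express Route Circuit Peering."
  type        = string

  validation {
    condition     = contains(["AzurePrivatePeering", "AzurePublicPeering", "MicrosoftPeering"], var.circuit_peering_type)
    error_message = "circuit_peering_type must be one of AzurePrivatePeering, AzurePublicPeering or MicrosoftPeering."
  }
}
```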
@@ -77,16 +77,16 @@ ## Modules -No modules. +| Name | Source | Version | +|------|--------|---------| +| [express\_route\_circuit](#module\_express\_route\_circuit) | ./express_route_circuit | n/a | +| [express\_route\_connection](#module\_express\_route\_connection) | ./express_route_connection | n/a | +| [express\_route\_peering](#module\_express\_route\_peering) | ./express_route_circuit_peering | n/a | ## Resources | Name | Type | |------|------| -| [azurerm_express_route_circuit.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/express_route_circuit) | resource | -| [azurerm_express_route_circuit_peering.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/express_route_circuit_peering) | resource | -| [azurerm_express_route_connection.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/express_route_connection) | resource | -| [azurerm_resource_group.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource | | [azurerm_client_config.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/client_config) | data source | ## Inputs @@ -95,8 +95,11 @@ No modules. |------|-------------|------|---------|:--------:| | [authorization\_key](#input\_authorization\_key) | (Optional) The authorization key to establish the Express Route Connection. | `string` | `null` | no | | [circuit\_peering](#input\_circuit\_peering) | Express Route circuit peering configuration |
list(object({
peering_type = string
express_route_circuit_name = string
vlan_id = number
primary_peer_address_prefix = optional(string)
secondary_peer_address_prefix = optional(string)
ipv4_enabled = optional(bool, true)
shared_key = optional(string, null)
peer_asn = optional(number, null)
microsoft_peering_config = optional(object({
advertised_public_prefixes = list(string)
customer_asn = optional(number, 0)
routing_registry_name = optional(string, "NONE")
advertised_communities = optional(list(string))
}), null)
ipv6 = optional(object({
primary_peer_address_prefix = string
secondary_peer_address_prefix = string
enabled = optional(bool, true)
microsoft_peering = optional(object({
advertised_public_prefixes = list(string)
customer_asn = optional(number, 0)
routing_registry_name = optional(string, "NONE")
advertised_communities = optional(list(string))
}), null)
route_filter_id = optional(string, null)
}), null)
route_filter_id = optional(string, null)
}))
| `[]` | no | +| [circuit\_peering\_type](#input\_circuit\_peering\_type) | (Required) The type of the Express Route Circuit Peering. | `string` | n/a | yes | | [enable\_internet\_security](#input\_enable\_internet\_security) | (Optional) Is Internet security enabled for this Express Route Connection? | `bool` | `null` | no | | [express\_route\_circuit](#input\_express\_route\_circuit) | Express Route circuit configuration |
list(object({
express_route_circuit_name = string
location = string
sku = object({
tier = string
family = string
})
service_provider_name = optional(string, null)
peering_location = optional(string, null)
bandwidth_in_mbps = optional(number, null)
allow_classic_operations = optional(bool, false)
express_route_port_id = optional(string, null)
bandwidth_in_gbps = optional(number, null)
authorization_key = optional(string, null)
}))
| `[]` | no | +| [express\_route\_circuit\_name](#input\_express\_route\_circuit\_name) | (Required) The name of the Express Route Circuit that this Express Route Connection connects with. | `string` | n/a | yes | +| [express\_route\_circuit\_resource\_group\_name](#input\_express\_route\_circuit\_resource\_group\_name) | (Required) The name of the Resource Group where the Express Route circuit is located. | `string` | n/a | yes | | [express\_route\_connection\_name](#input\_express\_route\_connection\_name) | (Required) The name which should be used for this Express Route Connection. | `string` | n/a | yes | | [express\_route\_gateway\_bypass\_enabled](#input\_express\_route\_gateway\_bypass\_enabled) | (Optional) Specified whether Fast Path is enabled for Virtual Wan Firewall Hub. | `bool` | `false` | no | | [express\_route\_gateway\_name](#input\_express\_route\_gateway\_name) | (Required) The name of the Express Route Gateway that this Express Route Connection connects with. | `string` | n/a | yes | @@ -114,9 +117,9 @@ No modules. | Name | Description | |------|-------------| +| [circuit\_peering\_id](#output\_circuit\_peering\_id) | The ID of the ExpressRoute Circuit Peering. | +| [connection\_id](#output\_connection\_id) | The ID of the ExpressRoute Connection. | | [express\_route\_circuit\_id](#output\_express\_route\_circuit\_id) | The ID of the ExpressRoute Circuit. | -| [express\_route\_circuit\_peering\_id](#output\_express\_route\_circuit\_peering\_id) | The ID of the ExpressRoute Circuit Peering. | -| [express\_route\_connection\_id](#output\_express\_route\_connection\_id) | The ID of the ExpressRoute Connection. | | [service\_key](#output\_service\_key) | The service key of the ExpressRoute Circuit. | | [service\_provider\_provisioning\_state](#output\_service\_provider\_provisioning\_state) | The provisioning state of the ExpressRoute Circuit Service Provider. | \ No newline at end of file 
From 90e158b90f7528f3c649ba6e884b84a31d9c2b27 Mon Sep 17 00:00:00 2001 From: Adin Ermie Date: Mon, 9 Sep 2024 15:28:11 -0400 Subject: [PATCH 14/32] Removed execution code (will be from azure-lz-core --- azure_express_route/README.md | 2 +- azure_express_route/backend.tf | 8 -- azure_express_route/data.tf | 2 - .../express_route_circuit/README.md | 45 ++++++++++ .../express_route_circuit_peering/README.md | 40 +++++++++ .../express_route_connection/README.md | 50 +++++++++++ azure_express_route/locals.tf | 4 - azure_express_route/main.tf | 46 ---------- azure_express_route/outputs.tf | 25 ------ azure_express_route/provider.tf | 21 ----- .../variables-expressRoute-circuit-peering.tf | 40 --------- .../variables-expressRoute-circuit.tf | 43 --------- .../variables-expressRoute-connection.tf | 88 ------------------- azure_express_route/variables.tf | 15 ---- 14 files changed, 136 insertions(+), 293 deletions(-) delete mode 100644 azure_express_route/backend.tf delete mode 100644 azure_express_route/data.tf create mode 100644 azure_express_route/express_route_circuit/README.md create mode 100644 azure_express_route/express_route_circuit_peering/README.md create mode 100644 azure_express_route/express_route_connection/README.md delete mode 100644 azure_express_route/locals.tf delete mode 100644 azure_express_route/main.tf delete mode 100644 azure_express_route/outputs.tf delete mode 100644 azure_express_route/provider.tf delete mode 100644 azure_express_route/variables-expressRoute-circuit-peering.tf delete mode 100644 azure_express_route/variables-expressRoute-circuit.tf delete mode 100644 azure_express_route/variables-expressRoute-connection.tf delete mode 100644 azure_express_route/variables.tf diff --git a/azure_express_route/README.md b/azure_express_route/README.md index 65e7bad..cd59b68 100644 --- a/azure_express_route/README.md +++ b/azure_express_route/README.md 
@@ -122,4 +122,4 @@ | [express\_route\_circuit\_id](#output\_express\_route\_circuit\_id) | The ID of the ExpressRoute Circuit. | | [service\_key](#output\_service\_key) | The service key of the ExpressRoute Circuit. | | [service\_provider\_provisioning\_state](#output\_service\_provider\_provisioning\_state) | The provisioning state of the ExpressRoute Circuit Service Provider. | - \ No newline at end of file + diff --git a/azure_express_route/backend.tf b/azure_express_route/backend.tf deleted file mode 100644 index 0108bf7..0000000 --- a/azure_express_route/backend.tf +++ /dev/null @@ -1,8 +0,0 @@ -terraform { - backend "azurerm" { - resource_group_name = "BCGOV-MGD-FORGE-terraform" - storage_account_name = "bcgovmgdlforgetfstate" - container_name = "tfstate" - key = "azure-lz-core-expressroute-forge.tfstate" - } -} diff --git a/azure_express_route/data.tf b/azure_express_route/data.tf deleted file mode 100644 index 434dac2..0000000 --- a/azure_express_route/data.tf +++ /dev/null @@ -1,2 +0,0 @@ -# Get the current client configuration from the AzureRM provider -data "azurerm_client_config" "current" {} diff --git a/azure_express_route/express_route_circuit/README.md b/azure_express_route/express_route_circuit/README.md new file mode 100644 index 0000000..71e1d25 --- /dev/null +++ b/azure_express_route/express_route_circuit/README.md 
@@ -0,0 +1,45 @@ +# express_route_circuit + + +## Requirements + +No requirements. + +## Providers + +| Name | Version | +|------|---------| +| [azurerm](#provider\_azurerm) | n/a | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [azurerm_express_route_circuit.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/express_route_circuit) | resource | +| [azurerm_resource_group.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource | +| [azurerm_client_config.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/client_config) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [express\_route\_circuit](#input\_express\_route\_circuit) | Express Route circuit configuration |
list(object({
express_route_circuit_name = string
location = string
sku = object({
tier = string
family = string
})
service_provider_name = optional(string, null)
peering_location = optional(string, null)
bandwidth_in_mbps = optional(number, null)
allow_classic_operations = optional(bool, false)
express_route_port_id = optional(string, null)
bandwidth_in_gbps = optional(number, null)
authorization_key = optional(string, null)
}))
| `[]` | no | +| [resource\_group\_location](#input\_resource\_group\_location) | (Required) Specifies the supported Azure location where the resource exists. | `string` | n/a | yes | +| [resource\_group\_name](#input\_resource\_group\_name) | (Required) The name of the resource group in which to create the ExpressRoute circuit. | `string` | n/a | yes | +| [subscription\_id\_connectivity](#input\_subscription\_id\_connectivity) | Subscription ID to use for "connectivity" resources. | `string` | n/a | yes | +| [subscription\_id\_management](#input\_subscription\_id\_management) | Subscription ID to use for "management" resources. | `string` | n/a | yes | +| [tags](#input\_tags) | A mapping of tags to assign to the resource. | `map(string)` | `null` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [express\_route\_circuit\_id](#output\_express\_route\_circuit\_id) | The ID of the ExpressRoute Circuit. | +| [resource\_group\_name](#output\_resource\_group\_name) | The name of the Resource Group. | +| [service\_key](#output\_service\_key) | The service key of the ExpressRoute Circuit. | +| [service\_provider\_provisioning\_state](#output\_service\_provider\_provisioning\_state) | The provisioning state of the ExpressRoute Circuit Service Provider. | + diff --git a/azure_express_route/express_route_circuit_peering/README.md b/azure_express_route/express_route_circuit_peering/README.md new file mode 100644 index 0000000..774ce93 --- /dev/null +++ b/azure_express_route/express_route_circuit_peering/README.md 
@@ -0,0 +1,40 @@ +# express_route_circuit_peering + + +## Requirements + +No requirements. + +## Providers + +| Name | Version | +|------|---------| +| [azurerm](#provider\_azurerm) | n/a | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [azurerm_express_route_circuit_peering.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/express_route_circuit_peering) | resource | +| [azurerm_client_config.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/client_config) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [circuit\_peering](#input\_circuit\_peering) | Express Route circuit peering configuration |
list(object({
peering_type = string
express_route_circuit_name = string
vlan_id = number
primary_peer_address_prefix = optional(string)
secondary_peer_address_prefix = optional(string)
ipv4_enabled = optional(bool, true)
shared_key = optional(string, null)
peer_asn = optional(number, null)
microsoft_peering_config = optional(object({
advertised_public_prefixes = list(string)
customer_asn = optional(number, 0)
routing_registry_name = optional(string, "NONE")
advertised_communities = optional(list(string))
}), null)
ipv6 = optional(object({
primary_peer_address_prefix = string
secondary_peer_address_prefix = string
enabled = optional(bool, true)
microsoft_peering = optional(object({
advertised_public_prefixes = list(string)
customer_asn = optional(number, 0)
routing_registry_name = optional(string, "NONE")
advertised_communities = optional(list(string))
}), null)
route_filter_id = optional(string, null)
}), null)
route_filter_id = optional(string, null)
}))
| `[]` | no | +| [resource\_group\_name](#input\_resource\_group\_name) | (Required) The name of the resource group in which to create the ExpressRoute circuit. | `string` | n/a | yes | +| [subscription\_id\_connectivity](#input\_subscription\_id\_connectivity) | Subscription ID to use for "connectivity" resources. | `string` | n/a | yes | +| [subscription\_id\_management](#input\_subscription\_id\_management) | Subscription ID to use for "management" resources. | `string` | n/a | yes | +| [tags](#input\_tags) | A mapping of tags to assign to the resource. | `map(string)` | `null` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [express\_route\_circuit\_peering\_id](#output\_express\_route\_circuit\_peering\_id) | The ID of the ExpressRoute Circuit Peering. | + diff --git a/azure_express_route/express_route_connection/README.md b/azure_express_route/express_route_connection/README.md new file mode 100644 index 0000000..06f6659 --- /dev/null +++ b/azure_express_route/express_route_connection/README.md 
@@ -0,0 +1,50 @@ +# express_route_connection + + +## Requirements + +No requirements. + +## Providers + +| Name | Version | +|------|---------| +| [azurerm](#provider\_azurerm) | n/a | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [azurerm_express_route_connection.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/express_route_connection) | resource | +| [azurerm_client_config.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/client_config) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [authorization\_key](#input\_authorization\_key) | (Optional) The authorization key to establish the Express Route Connection. | `string` | `null` | no | +| [circuit\_peering\_type](#input\_circuit\_peering\_type) | (Required) The type of the Express Route Circuit Peering. | `string` | n/a | yes | +| [enable\_internet\_security](#input\_enable\_internet\_security) | (Optional) Is Internet security enabled for this Express Route Connection? | `bool` | `null` | no | +| [express\_route\_circuit\_name](#input\_express\_route\_circuit\_name) | (Required) The name of the Express Route Circuit that this Express Route Connection connects with. | `string` | n/a | yes | +| [express\_route\_circuit\_resource\_group\_name](#input\_express\_route\_circuit\_resource\_group\_name) | (Required) The name of the Resource Group where the Express Route circuit is located. | `string` | n/a | yes | +| [express\_route\_connection\_name](#input\_express\_route\_connection\_name) | (Required) The name which should be used for this Express Route Connection. | `string` | n/a | yes | +| [express\_route\_gateway\_bypass\_enabled](#input\_express\_route\_gateway\_bypass\_enabled) | (Optional) Specified whether Fast Path is enabled for Virtual Wan Firewall Hub. 
| `bool` | `false` | no | +| [express\_route\_gateway\_name](#input\_express\_route\_gateway\_name) | (Required) The name of the Express Route Gateway that this Express Route Connection connects with. | `string` | n/a | yes | +| [express\_route\_gateway\_resource\_group\_name](#input\_express\_route\_gateway\_resource\_group\_name) | (Required) The name of the Resource Group where the Express Route Gateway is located. | `string` | n/a | yes | +| [private\_link\_fast\_path\_enabled](#input\_private\_link\_fast\_path\_enabled) | (Optional) Bypass the Express Route gateway when accessing private-links. When enabled express\_route\_gateway\_bypass\_enabled must be set to true. | `bool` | `false` | no | +| [routing](#input\_routing) | (Optional) A routing block as defined below. |
object({
associated_route_table_id = optional(string)
inbound_route_map_id = optional(string)
outbound_route_map_id = optional(string)
propagated_route_table = optional(object({
labels = optional(list(string))
route_table_ids = optional(list(string))
}))
})
| `null` | no | +| [routing\_weight](#input\_routing\_weight) | (Optional) The routing weight associated to the Express Route Connection. | `number` | `0` | no | +| [subscription\_id\_connectivity](#input\_subscription\_id\_connectivity) | Subscription ID to use for "connectivity" resources. | `string` | n/a | yes | +| [subscription\_id\_management](#input\_subscription\_id\_management) | Subscription ID to use for "management" resources. | `string` | n/a | yes | +| [tags](#input\_tags) | A mapping of tags to assign to the resource. | `map(string)` | `null` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [express\_route\_connection\_id](#output\_express\_route\_connection\_id) | The ID of the ExpressRoute Connection. | + diff --git a/azure_express_route/locals.tf b/azure_express_route/locals.tf deleted file mode 100644 index 9a5b485..0000000 --- a/azure_express_route/locals.tf +++ /dev/null @@ -1,4 +0,0 @@ -locals { - subscription_id_connectivity = coalesce(var.subscription_id_connectivity, local.subscription_id_management) - subscription_id_management = coalesce(var.subscription_id_management, data.azurerm_client_config.current.subscription_id) -} diff --git a/azure_express_route/main.tf b/azure_express_route/main.tf deleted file mode 100644 index cec2a0c..0000000 --- a/azure_express_route/main.tf +++ /dev/null 
@@ -1,46 +0,0 @@ -module "express_route_circuit" { - source = "./express_route_circuit" - - subscription_id_connectivity = var.subscription_id_connectivity - subscription_id_management = var.subscription_id_management - - resource_group_name = var.resource_group_name - resource_group_location = var.resource_group_location - - express_route_circuit = var.express_route_circuit - - tags = var.tags -} - -module "express_route_peering" { - source = "./express_route_circuit_peering" - - subscription_id_connectivity = var.subscription_id_connectivity - subscription_id_management = var.subscription_id_management - - resource_group_name = module.express_route_circuit.resource_group_name - circuit_peering = var.circuit_peering -} - -# IMPORTANT: The provider status of the Express Route Circuit must be set as provisioned while creating the Express Route Connection. -module "express_route_connection" { - source = "./express_route_connection" - - subscription_id_connectivity = var.subscription_id_connectivity - subscription_id_management = var.subscription_id_management - - express_route_gateway_resource_group_name = var.express_route_gateway_resource_group_name - express_route_circuit_resource_group_name = module.express_route_circuit.resource_group_name - - express_route_gateway_name = var.express_route_gateway_name - express_route_connection_name = var.express_route_connection_name - - express_route_circuit_name = var.express_route_circuit_name - circuit_peering_type = var.circuit_peering_type - - enable_internet_security = var.enable_internet_security - express_route_gateway_bypass_enabled = var.express_route_gateway_bypass_enabled - private_link_fast_path_enabled = var.private_link_fast_path_enabled - routing_weight = var.routing_weight - routing = var.routing -} diff --git a/azure_express_route/outputs.tf b/azure_express_route/outputs.tf deleted file mode 100644 index df9d99b..0000000 --- a/azure_express_route/outputs.tf +++ /dev/null 
@@ -1,25 +0,0 @@ -output "express_route_circuit_id" { - description = "The ID of the ExpressRoute Circuit." - value = module.express_route_circuit.express_route_circuit_id -} - -output "service_provider_provisioning_state" { - description = "The provisioning state of the ExpressRoute Circuit Service Provider." - value = module.express_route_circuit.service_provider_provisioning_state -} - -output "service_key" { - description = "The service key of the ExpressRoute Circuit." - value = module.express_route_circuit.service_key - sensitive = true -} - -output "circuit_peering_id" { - description = "The ID of the ExpressRoute Circuit Peering." - value = module.express_route_peering.express_route_circuit_peering_id -} - -output "connection_id" { - description = "The ID of the ExpressRoute Connection." - value = module.express_route_connection.express_route_connection_id -} diff --git a/azure_express_route/provider.tf b/azure_express_route/provider.tf deleted file mode 100644 index b8cb8a3..0000000 --- a/azure_express_route/provider.tf +++ /dev/null @@ -1,21 +0,0 @@ -terraform { - required_version = ">=1.9.0, < 2.0.0" - - required_providers { - azurerm = { - source = "hashicorp/azurerm" - version = ">=3.112.0, < 4.0.0" - } - - azapi = { - source = "azure/azapi" - } - } -} - -provider "azurerm" { - use_oidc = true - features {} - # NOTE: The assumption is that the pipeline will be using the Management subscription for the base provider - # The sub-modules will be using the subscription_id_connectivity -} diff --git a/azure_express_route/variables-expressRoute-circuit-peering.tf b/azure_express_route/variables-expressRoute-circuit-peering.tf deleted file mode 100644 index b0cc7f9..0000000 --- a/azure_express_route/variables-expressRoute-circuit-peering.tf +++ /dev/null 
@@ -1,40 +0,0 @@ -variable "circuit_peering" { - description = "Express Route circuit peering configuration" - type = list(object({ - peering_type = string - express_route_circuit_name = string - vlan_id = number - primary_peer_address_prefix = optional(string) - secondary_peer_address_prefix = optional(string) - ipv4_enabled = optional(bool, true) - shared_key = optional(string, null) - peer_asn = optional(number, null) - microsoft_peering_config = optional(object({ - advertised_public_prefixes = list(string) - customer_asn = optional(number, 0) - routing_registry_name = optional(string, "NONE") - advertised_communities = optional(list(string)) - }), null) - ipv6 = optional(object({ - primary_peer_address_prefix = string - secondary_peer_address_prefix = string - enabled = optional(bool, true) - microsoft_peering = optional(object({ - advertised_public_prefixes = list(string) - customer_asn = optional(number, 0) - routing_registry_name = optional(string, "NONE") - advertised_communities = optional(list(string)) - }), null) - route_filter_id = optional(string, null) - }), null) - route_filter_id = optional(string, null) - })) - default = [] - - validation { - condition = alltrue([ - for peering in var.circuit_peering : contains(["AzurePrivatePeering", "AzurePublicPeering", "MicrosoftPeering"], peering.peering_type) - ]) - error_message = "The sku tier must be either Basic, Local, Standard or Premium." - } -} diff --git a/azure_express_route/variables-expressRoute-circuit.tf b/azure_express_route/variables-expressRoute-circuit.tf deleted file mode 100644 index 25fe062..0000000 --- a/azure_express_route/variables-expressRoute-circuit.tf +++ /dev/null 
@@ -1,43 +0,0 @@ -variable "express_route_circuit" { - description = "Express Route circuit configuration" - type = list(object({ - express_route_circuit_name = string - location = string - sku = object({ - tier = string - family = string - }) - service_provider_name = optional(string, null) - peering_location = optional(string, null) - bandwidth_in_mbps = optional(number, null) - allow_classic_operations = optional(bool, false) - express_route_port_id = optional(string, null) - bandwidth_in_gbps = optional(number, null) - authorization_key = optional(string, null) - })) - default = [] - - validation { - condition = alltrue([ - for circuit in var.express_route_circuit : contains(["Basic", "Local", "Standard", "Premium"], circuit.sku.tier) - ]) - error_message = "The sku tier must be either Basic, Local, Standard or Premium." - } - - validation { - condition = alltrue([ - for circuit in var.express_route_circuit : contains(["MeteredData", "UnlimitedData"], circuit.sku.family) - ]) - error_message = "The sku family must be either MeteredData or UnlimitedData." - } -} - -variable "resource_group_name" { - description = "(Required) The name of the resource group in which to create the ExpressRoute circuit." - type = string -} - -variable "resource_group_location" { - description = "(Required) Specifies the supported Azure location where the resource exists." - type = string -} diff --git a/azure_express_route/variables-expressRoute-connection.tf b/azure_express_route/variables-expressRoute-connection.tf deleted file mode 100644 index ac3cf61..0000000 --- a/azure_express_route/variables-expressRoute-connection.tf +++ /dev/null 
@@ -1,88 +0,0 @@ -variable "express_route_gateway_resource_group_name" { - description = "(Required) The name of the Resource Group where the Express Route Gateway is located." - type = string -} - -variable "express_route_gateway_name" { - description = "(Required) The name of the Express Route Gateway that this Express Route Connection connects with." - type = string -} - -variable "express_route_circuit_resource_group_name" { - description = "(Required) The name of the Resource Group where the Express Route circuit is located." - type = string -} - -variable "express_route_circuit_name" { - description = "(Required) The name of the Express Route Circuit that this Express Route Connection connects with." - type = string -} - -variable "express_route_connection_name" { - description = "(Required) The name which should be used for this Express Route Connection." - type = string -} - -variable "circuit_peering_type" { - description = "(Required) The type of the Express Route Circuit Peering." - type = string -} - -variable "authorization_key" { - description = "(Optional) The authorization key to establish the Express Route Connection." - type = string - default = null -} - -variable "enable_internet_security" { - description = "(Optional) Is Internet security enabled for this Express Route Connection?" - type = bool - default = null -} - -variable "express_route_gateway_bypass_enabled" { - description = "(Optional) Specified whether Fast Path is enabled for Virtual Wan Firewall Hub." - type = bool - default = false -} - -variable "private_link_fast_path_enabled" { - description = "(Optional) Bypass the Express Route gateway when accessing private-links. When enabled express_route_gateway_bypass_enabled must be set to true." 
- type = bool - default = false - - validation { - condition = ( - (var.express_route_gateway_bypass_enabled == true && - var.private_link_fast_path_enabled == true) || - (var.express_route_gateway_bypass_enabled == false && - var.private_link_fast_path_enabled == false) - ) - error_message = "private_link_fast_path_enabled must be set to true when express_route_gateway_bypass_enabled is set to true." - } -} - -variable "routing" { - description = "(Optional) A routing block as defined below." - type = object({ - associated_route_table_id = optional(string) - inbound_route_map_id = optional(string) - outbound_route_map_id = optional(string) - propagated_route_table = optional(object({ - labels = optional(list(string)) - route_table_ids = optional(list(string)) - })) - }) - default = null -} - -variable "routing_weight" { - description = "(Optional) The routing weight associated to the Express Route Connection." - type = number - default = 0 - - validation { - condition = var.routing_weight >= 0 && var.routing_weight <= 32000 - error_message = "routing_weight must be between 0 and 32000." - } -} diff --git a/azure_express_route/variables.tf b/azure_express_route/variables.tf deleted file mode 100644 index c7309ab..0000000 --- a/azure_express_route/variables.tf +++ /dev/null @@ -1,15 +0,0 @@ -variable "subscription_id_management" { - type = string - description = "Subscription ID to use for \"management\" resources." -} - -variable "subscription_id_connectivity" { - type = string - description = "Subscription ID to use for \"connectivity\" resources." -} - -variable "tags" { - type = map(string) - description = "A mapping of tags to assign to the resource." - default = null -} From a4cd42bacb07f1cb00949c5ad295519885b72315 Mon Sep 17 00:00:00 2001 
From: Adin Ermie Date: Mon, 9 Sep 2024 15:29:23 -0400 Subject: [PATCH 15/32] PreCommit README updates --- .github/README.md | 2 +- .gitignore | 4 +- README.md | 2 +- azure_firewall/README.md | 2 +- ipam/README.md | 2 +- ipam/managed-identity/README.md | 2 +- terraform-azure-lz-project-set/README.md | 48 ++++++++++++++++++++++++ 7 files changed, 55 insertions(+), 7 deletions(-) diff --git a/.github/README.md b/.github/README.md index ef2fa69..d236723 100644 --- a/.github/README.md +++ b/.github/README.md @@ -22,4 +22,4 @@ No inputs. ## Outputs No outputs. - \ No newline at end of file + diff --git a/.gitignore b/.gitignore index 5abfb8f..2b3c9e1 100644 --- a/.gitignore +++ b/.gitignore @@ -10,8 +10,8 @@ crash.log crash.*.log # Exclude all .tfvars files, which are likely to contain sensitive data, such as -# password, private keys, and other secrets. These should not be part of version -# control as they are data points which are potentially sensitive and subject +# password, private keys, and other secrets. These should not be part of version +# control as they are data points which are potentially sensitive and subject # to change depending on the environment. *.tfvars *.tfvars.json diff --git a/README.md b/README.md index bdf2641..938fea7 100644 --- a/README.md +++ b/README.md @@ -26,4 +26,4 @@ No inputs. ## Outputs No outputs. - \ No newline at end of file + diff --git a/azure_firewall/README.md b/azure_firewall/README.md index ef2fa69..d236723 100644 --- a/azure_firewall/README.md +++ b/azure_firewall/README.md @@ -22,4 +22,4 @@ No inputs. ## Outputs No outputs. - \ No newline at end of file + diff --git a/ipam/README.md b/ipam/README.md index ef2fa69..d236723 100644 --- a/ipam/README.md +++ b/ipam/README.md @@ -22,4 +22,4 @@ No inputs. ## Outputs No outputs. - \ No newline at end of file + diff --git a/ipam/managed-identity/README.md b/ipam/managed-identity/README.md index 7d113c8..4d6034b 100644 --- a/ipam/managed-identity/README.md 
+++ b/ipam/managed-identity/README.md @@ -22,7 +22,6 @@ No modules. | [azurerm_role_assignment.contributor](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource | | [azurerm_role_assignment.managed-identity-operator](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource | | [azurerm_user_assigned_identity.ipam](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/user_assigned_identity) | resource | -| [azurerm_resource_group.ipam](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source | | [azurerm_role_definition.contributor](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/role_definition) | data source | | [azurerm_role_definition.managed-identity-operator](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/role_definition) | data source | | [azurerm_subscription.ipam](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subscription) | data source | @@ -33,6 +32,7 @@ No modules. |------|-------------|------|---------|:--------:| | [location](#input\_location) | n/a | `string` | n/a | yes | | [managedIdentityName](#input\_managedIdentityName) | n/a | `string` | n/a | yes | +| [resourceGroupId](#input\_resourceGroupId) | n/a | `string` | n/a | yes | | [resourceGroupName](#input\_resourceGroupName) | n/a | `string` | n/a | yes | ## Outputs diff --git a/terraform-azure-lz-project-set/README.md b/terraform-azure-lz-project-set/README.md index c1163fa..40c5da9 100644 --- a/terraform-azure-lz-project-set/README.md +++ b/terraform-azure-lz-project-set/README.md 
@@ -54,3 +54,51 @@ For each environment, the module will create a subscription, a network resource | [management\_group\_id](#output\_management\_group\_id) | The management group ID for the project set. | | [subscription\_ids](#output\_subscription\_ids) | The subscription IDs of each landing zone created. | + +## Requirements + +| Name | Version | +|------|---------| +| [azapi](#requirement\_azapi) | >= 1.13.1 | +| [azurerm](#requirement\_azurerm) | >= 3.109.0 | + +## Providers + +| Name | Version | +|------|---------| +| [azurerm](#provider\_azurerm) | >= 3.109.0 | + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [lz\_vending](#module\_lz\_vending) | Azure/lz-vending/azurerm | 4.1.3 | + +## Resources + +| Name | Type | +|------|------| +| [azurerm_management_group.project_set](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/management_group) | resource | +| [azurerm_management_group.landing_zones](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/management_group) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [common\_tags](#input\_common\_tags) | Common tags to apply to all resources | `map(string)` |
{
"deployedBy": "Terraform"
}
| no | +| [license\_plate](#input\_license\_plate) | The license plate identifier for the project | `string` | n/a | yes | +| [lz\_management\_group\_id](#input\_lz\_management\_group\_id) | The ID of the management group for landing zones | `string` | n/a | yes | +| [primary\_location](#input\_primary\_location) | The primary location for resources | `string` | `"canadacentral"` | no | +| [project\_set\_name](#input\_project\_set\_name) | The name of the project set | `string` | n/a | yes | +| [secondary\_location](#input\_secondary\_location) | The secondary location for resources | `string` | `"canadaeast"` | no | +| [subscription\_billing\_scope](#input\_subscription\_billing\_scope) | The billing scope for the subscription | `string` | n/a | yes | +| [subscriptions](#input\_subscriptions) | Configuration details for each subscription |
map(object({
name : string
display_name : string
budget_amount : optional(number, 0)
network : object({
enabled : bool
address_space : list(string)
dns_servers : optional(list(string))
})
tags : optional(map(string), {})
}))
| n/a | yes | +| [vwan\_hub\_resource\_id](#input\_vwan\_hub\_resource\_id) | The resource ID for the virtual WAN hub | `string` | n/a | yes | + +## Outputs + +| Name | Description | +|------|-------------| +| [management\_group\_id](#output\_management\_group\_id) | The management group ID for the project set. | +| [subscription\_ids](#output\_subscription\_ids) | The subscription IDs of each landing zone created. | + From d08ac9574dfc70b3177dabd9638631d0a9c3e2f4 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Mon, 9 Sep 2024 19:30:41 +0000 Subject: [PATCH 16/32] terraform-docs: automated action --- azure_express_route/README.md | 49 +++++------------------------------ azure_firewall/README.md | 1 - 2 files changed, 6 insertions(+), 44 deletions(-) diff --git a/azure_express_route/README.md b/azure_express_route/README.md index cd59b68..459520d 100644 --- a/azure_express_route/README.md +++ b/azure_express_route/README.md 
@@ -64,62 +64,25 @@ ## Requirements -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | >=1.9.0, < 2.0.0 | -| [azurerm](#requirement\_azurerm) | >=3.112.0, < 4.0.0 | +No requirements. ## Providers -| Name | Version | -|------|---------| -| [azurerm](#provider\_azurerm) | >=3.112.0, < 4.0.0 | +No providers. ## Modules -| Name | Source | Version | -|------|--------|---------| -| [express\_route\_circuit](#module\_express\_route\_circuit) | ./express_route_circuit | n/a | -| [express\_route\_connection](#module\_express\_route\_connection) | ./express_route_connection | n/a | -| [express\_route\_peering](#module\_express\_route\_peering) | ./express_route_circuit_peering | n/a | +No modules. ## Resources -| Name | Type | -|------|------| -| [azurerm_client_config.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/client_config) | data source | +No resources. ## Inputs -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [authorization\_key](#input\_authorization\_key) | (Optional) The authorization key to establish the Express Route Connection. | `string` | `null` | no | -| [circuit\_peering](#input\_circuit\_peering) | Express Route circuit peering configuration |
list(object({
peering_type = string
express_route_circuit_name = string
vlan_id = number
primary_peer_address_prefix = optional(string)
secondary_peer_address_prefix = optional(string)
ipv4_enabled = optional(bool, true)
shared_key = optional(string, null)
peer_asn = optional(number, null)
microsoft_peering_config = optional(object({
advertised_public_prefixes = list(string)
customer_asn = optional(number, 0)
routing_registry_name = optional(string, "NONE")
advertised_communities = optional(list(string))
}), null)
ipv6 = optional(object({
primary_peer_address_prefix = string
secondary_peer_address_prefix = string
enabled = optional(bool, true)
microsoft_peering = optional(object({
advertised_public_prefixes = list(string)
customer_asn = optional(number, 0)
routing_registry_name = optional(string, "NONE")
advertised_communities = optional(list(string))
}), null)
route_filter_id = optional(string, null)
}), null)
route_filter_id = optional(string, null)
}))
| `[]` | no | -| [circuit\_peering\_type](#input\_circuit\_peering\_type) | (Required) The type of the Express Route Circuit Peering. | `string` | n/a | yes | -| [enable\_internet\_security](#input\_enable\_internet\_security) | (Optional) Is Internet security enabled for this Express Route Connection? | `bool` | `null` | no | -| [express\_route\_circuit](#input\_express\_route\_circuit) | Express Route circuit configuration |
list(object({
express_route_circuit_name = string
location = string
sku = object({
tier = string
family = string
})
service_provider_name = optional(string, null)
peering_location = optional(string, null)
bandwidth_in_mbps = optional(number, null)
allow_classic_operations = optional(bool, false)
express_route_port_id = optional(string, null)
bandwidth_in_gbps = optional(number, null)
authorization_key = optional(string, null)
}))
| `[]` | no | -| [express\_route\_circuit\_name](#input\_express\_route\_circuit\_name) | (Required) The name of the Express Route Circuit that this Express Route Connection connects with. | `string` | n/a | yes | -| [express\_route\_circuit\_resource\_group\_name](#input\_express\_route\_circuit\_resource\_group\_name) | (Required) The name of the Resource Group where the Express Route circuit is located. | `string` | n/a | yes | -| [express\_route\_connection\_name](#input\_express\_route\_connection\_name) | (Required) The name which should be used for this Express Route Connection. | `string` | n/a | yes | -| [express\_route\_gateway\_bypass\_enabled](#input\_express\_route\_gateway\_bypass\_enabled) | (Optional) Specified whether Fast Path is enabled for Virtual Wan Firewall Hub. | `bool` | `false` | no | -| [express\_route\_gateway\_name](#input\_express\_route\_gateway\_name) | (Required) The name of the Express Route Gateway that this Express Route Connection connects with. | `string` | n/a | yes | -| [express\_route\_gateway\_resource\_group\_name](#input\_express\_route\_gateway\_resource\_group\_name) | (Required) The name of the Resource Group where the Express Route Gateway is located. | `string` | n/a | yes | -| [private\_link\_fast\_path\_enabled](#input\_private\_link\_fast\_path\_enabled) | (Optional) Bypass the Express Route gateway when accessing private-links. When enabled express\_route\_gateway\_bypass\_enabled must be set to true. | `bool` | `false` | no | -| [resource\_group\_location](#input\_resource\_group\_location) | (Required) Specifies the supported Azure location where the resource exists. | `string` | n/a | yes | -| [resource\_group\_name](#input\_resource\_group\_name) | (Required) The name of the resource group in which to create the ExpressRoute circuit. | `string` | n/a | yes | -| [routing](#input\_routing) | (Optional) A routing block as defined below. |
object({
associated_route_table_id = optional(string)
inbound_route_map_id = optional(string)
outbound_route_map_id = optional(string)
propagated_route_table = optional(object({
labels = optional(list(string))
route_table_ids = optional(list(string))
}))
})
| `null` | no | -| [routing\_weight](#input\_routing\_weight) | (Optional) The routing weight associated to the Express Route Connection. | `number` | `0` | no | -| [subscription\_id\_connectivity](#input\_subscription\_id\_connectivity) | Subscription ID to use for "connectivity" resources. | `string` | n/a | yes | -| [subscription\_id\_management](#input\_subscription\_id\_management) | Subscription ID to use for "management" resources. | `string` | n/a | yes | -| [tags](#input\_tags) | A mapping of tags to assign to the resource. | `map(string)` | `null` | no | +No inputs. ## Outputs -| Name | Description | -|------|-------------| -| [circuit\_peering\_id](#output\_circuit\_peering\_id) | The ID of the ExpressRoute Circuit Peering. | -| [connection\_id](#output\_connection\_id) | The ID of the ExpressRoute Connection. | -| [express\_route\_circuit\_id](#output\_express\_route\_circuit\_id) | The ID of the ExpressRoute Circuit. | -| [service\_key](#output\_service\_key) | The service key of the ExpressRoute Circuit. | -| [service\_provider\_provisioning\_state](#output\_service\_provider\_provisioning\_state) | The provisioning state of the ExpressRoute Circuit Service Provider. | +No outputs. diff --git a/azure_firewall/README.md b/azure_firewall/README.md index 2fb5cdd..d236723 100644 --- a/azure_firewall/README.md +++ b/azure_firewall/README.md @@ -22,5 +22,4 @@ No inputs. ## Outputs No outputs. - From 4fff7aa962948294eea830ba0989d16b49d0536b Mon Sep 17 00:00:00 2001 From: Warren Uniewski Date: Tue, 8 Oct 2024 09:43:05 -0700 Subject: [PATCH 17/32] Fix budget field name (#15) * update subscriptions var for budget * terraform-docs: automated action --------- Co-authored-by: github-actions[bot] --- terraform-azure-lz-project-set/README.md | 2 +- terraform-azure-lz-project-set/main.tf | 2 +- terraform-azure-lz-project-set/variables.tf | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) 
diff --git a/terraform-azure-lz-project-set/README.md b/terraform-azure-lz-project-set/README.md index d372ba1..7fa3b65 100644 --- a/terraform-azure-lz-project-set/README.md +++ b/terraform-azure-lz-project-set/README.md @@ -45,7 +45,7 @@ For each environment, the module will create a subscription, a network resource | [project\_set\_name](#input\_project\_set\_name) | The name of the project set | `string` | n/a | yes | | [secondary\_location](#input\_secondary\_location) | The secondary location for resources | `string` | `"canadaeast"` | no | | [subscription\_billing\_scope](#input\_subscription\_billing\_scope) | The billing scope for the subscription | `string` | n/a | yes | -| [subscriptions](#input\_subscriptions) | Configuration details for each subscription |
map(object({
name : string
display_name : string
budget_amount : optional(number, 0)
network : object({
enabled : bool
address_space : list(string)
dns_servers : optional(list(string))
})
tags : optional(map(string), {})
}))
| n/a | yes | +| [subscriptions](#input\_subscriptions) | Configuration details for each subscription |
map(object({
name : string
display_name : string
budget : optional(number, 0)
network : object({
enabled : bool
address_space : list(string)
dns_servers : optional(list(string))
})
tags : optional(map(string), {})
}))
| n/a | yes | | [vwan\_hub\_resource\_id](#input\_vwan\_hub\_resource\_id) | The resource ID for the virtual WAN hub | `string` | n/a | yes | ## Outputs diff --git a/terraform-azure-lz-project-set/main.tf b/terraform-azure-lz-project-set/main.tf index e7c82ce..6c098f6 100644 --- a/terraform-azure-lz-project-set/main.tf +++ b/terraform-azure-lz-project-set/main.tf @@ -68,7 +68,7 @@ module "lz_vending" { resource "azurerm_consumption_budget_subscription" "subscription_budget" { for_each = { for k, v in var.subscriptions : k => v - if v.budget > 1.00 + if v.budget >= 1.00 } name = "budget-for-${var.license_plate}-${each.value.name}-from-product-registry" diff --git a/terraform-azure-lz-project-set/variables.tf b/terraform-azure-lz-project-set/variables.tf index 9654d0b..2639a05 100644 --- a/terraform-azure-lz-project-set/variables.tf +++ b/terraform-azure-lz-project-set/variables.tf @@ -44,7 +44,7 @@ variable "subscriptions" { type = map(object({ name : string display_name : string - budget_amount : optional(number, 0) + budget : optional(number, 0) network : object({ enabled : bool address_space : list(string) From 75459926490e1c55303559e0ce8c556b9bbcbc1b Mon Sep 17 00:00:00 2001 From: Adin Ermie Date: Wed, 25 Sep 2024 13:56:44 -0400 Subject: [PATCH 18/32] Added Name and Secret_ID outputs --- azure_key_vault/key_vault_certificate/outputs.tf | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/azure_key_vault/key_vault_certificate/outputs.tf b/azure_key_vault/key_vault_certificate/outputs.tf index d4f6031..7e47edd 100644 --- a/azure_key_vault/key_vault_certificate/outputs.tf +++ b/azure_key_vault/key_vault_certificate/outputs.tf @@ -1,3 +1,8 @@ +output "key_vault_certificate_name" { + description = "The name of the Key Vault Certificate." + value = azurerm_key_vault_certificate.this.name +} + output "key_vault_certificate_id" { description = "The ID of the Key Vault Certificate." value = azurerm_key_vault_certificate.this.id 
@@ -7,3 +12,9 @@ output "key_vault_certificate_thumbprint" { description = "The thumbprint of the Key Vault Certificate." value = azurerm_key_vault_certificate.this.thumbprint } + +output "key_vault_secret_id" { + description = "The ID of the Key Vault Secret." + value = azurerm_key_vault_certificate.this.secret_id + sensitive = true +} \ No newline at end of file From 87d0ca64f53482dc45b218edd0856c72dee586a8 Mon Sep 17 00:00:00 2001 From: Adin Ermie Date: Fri, 4 Oct 2024 16:37:21 -0400 Subject: [PATCH 19/32] Updated private_ip_ranges default value to null --- azure_firewall/firewall_policy/variables-firewall-policy.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/azure_firewall/firewall_policy/variables-firewall-policy.tf b/azure_firewall/firewall_policy/variables-firewall-policy.tf index 0148369..a536211 100644 --- a/azure_firewall/firewall_policy/variables-firewall-policy.tf +++ b/azure_firewall/firewall_policy/variables-firewall-policy.tf @@ -85,7 +85,7 @@ variable "intrusion_detection" { variable "private_ip_ranges" { description = "(Optional) A list of private IP ranges to which traffic will not be SNAT." type = list(string) - default = [] + default = null } variable "auto_learn_private_ranges_enabled" { From 85f527e4d7b28b22a81031b2a8fee9c8274f37fd Mon Sep 17 00:00:00 2001 From: Adin Ermie Date: Wed, 9 Oct 2024 17:47:49 -0400 Subject: [PATCH 20/32] PreCommit formatting --- azure_firewall/firewall_policy/README.md | 2 +- azure_key_vault/key_vault_certificate/README.md | 2 ++ azure_key_vault/key_vault_certificate/outputs.tf | 8 ++++---- 3 files changed, 7 insertions(+), 5 deletions(-) diff --git a/azure_firewall/firewall_policy/README.md b/azure_firewall/firewall_policy/README.md index 2bce4dd..f097479 100644 --- a/azure_firewall/firewall_policy/README.md +++ b/azure_firewall/firewall_policy/README.md @@ -38,7 +38,7 @@ No modules. | [insights](#input\_insights) | (Optional) An insights block as defined below. |
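Review bot: The description `"The ID of the Key Vault Secret."` undersells what this output is: `secret_id` is the URI of the secret that Key Vault creates alongside the certificate, and that secret is where the certificate's private key can be retrieved from, which is presumably why the output is marked `sensitive = true`. A description that says so helps callers decide how to handle it, e.g. `description = "URI of the Key Vault Secret that backs this certificate (the secret holds the certificate together with its private key)."`. Marking it sensitive only keeps the URI out of plan output and state display; read access to the secret is still governed by the vault's access policy or RBAC, so that is where protection of the key material belongs.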
object({
enabled = bool
default_log_analytics_workspace_id = string
retention_in_days = optional(number)
log_analytics_workspace = optional(list(object({
id = string
firewall_location = string
})))
})
| `null` | no | | [intrusion\_detection](#input\_intrusion\_detection) | (Optional) A intrusion\_detection block as defined below. |
object({
mode = string
signature_overrides = optional(list(object({
id = optional(number)
state = optional(string) # Can only be "Off", "Alert", or "Deny"
})))
traffic_bypass = optional(list(object({
name = string
protocol = string
description = optional(string)
destination_addresses = optional(list(string))
destination_ip_groups = optional(list(string))
destination_ports = optional(list(string))
source_addresses = optional(list(string))
source_ip_groups = optional(list(string))
})))
private_ranges = optional(list(string))
})
| `null` | no | | [location](#input\_location) | (Required) The Azure Region where the Firewall Policy should exist. | `string` | n/a | yes | -| [private\_ip\_ranges](#input\_private\_ip\_ranges) | (Optional) A list of private IP ranges to which traffic will not be SNAT. | `list(string)` | `[]` | no | +| [private\_ip\_ranges](#input\_private\_ip\_ranges) | (Optional) A list of private IP ranges to which traffic will not be SNAT. | `list(string)` | `null` | no | | [resource\_group\_name](#input\_resource\_group\_name) | (Required) The name of the Resource Group where the Firewall Policy should exist. | `string` | n/a | yes | | [sku](#input\_sku) | (Optional) The SKU Tier of the Firewall Policy. | `string` | `"Standard"` | no | | [sql\_redirect\_allowed](#input\_sql\_redirect\_allowed) | (Optional) Whether SQL Redirect traffic filtering is allowed. Enabling this flag requires no rule using ports between 11000-11999. | `bool` | `null` | no | diff --git a/azure_key_vault/key_vault_certificate/README.md b/azure_key_vault/key_vault_certificate/README.md index 9bb8444..bf9a26b 100644 --- a/azure_key_vault/key_vault_certificate/README.md +++ b/azure_key_vault/key_vault_certificate/README.md @@ -41,5 +41,7 @@ No modules. | Name | Description | |------|-------------| | [key\_vault\_certificate\_id](#output\_key\_vault\_certificate\_id) | The ID of the Key Vault Certificate. | +| [key\_vault\_certificate\_name](#output\_key\_vault\_certificate\_name) | The name of the Key Vault Certificate. | | [key\_vault\_certificate\_thumbprint](#output\_key\_vault\_certificate\_thumbprint) | The thumbprint of the Key Vault Certificate. | +| [key\_vault\_secret\_id](#output\_key\_vault\_secret\_id) | The ID of the Key Vault Secret. | diff --git a/azure_key_vault/key_vault_certificate/outputs.tf b/azure_key_vault/key_vault_certificate/outputs.tf index 7e47edd..231aaa9 100644 --- a/azure_key_vault/key_vault_certificate/outputs.tf +++ b/azure_key_vault/key_vault_certificate/outputs.tf 
@@ -1,6 +1,6 @@ output "key_vault_certificate_name" { description = "The name of the Key Vault Certificate." - value = azurerm_key_vault_certificate.this.name + value = azurerm_key_vault_certificate.this.name } output "key_vault_certificate_id" { @@ -15,6 +15,6 @@ output "key_vault_certificate_thumbprint" { output "key_vault_secret_id" { description = "The ID of the Key Vault Secret." - value = azurerm_key_vault_certificate.this.secret_id - sensitive = true -} \ No newline at end of file + value = azurerm_key_vault_certificate.this.secret_id + sensitive = true +} From e167dedd2fb0ae56616e8d51636dc13278c7d632 Mon Sep 17 00:00:00 2001 From: Adin Ermie Date: Thu, 10 Oct 2024 12:32:28 -0400 Subject: [PATCH 21/32] Removed provider, passed from CAF --- azure_firewall/firewall_policy/provider.tf | 10 +++++----- azure_identity/user_assigned_identity/provider.tf | 10 +++++----- azure_key_vault/key_vault/provider.tf | 10 +++++----- azure_key_vault/key_vault_access_policy/provider.tf | 10 +++++----- azure_key_vault/key_vault_certificate/provider.tf | 10 +++++----- 5 files changed, 25 insertions(+), 25 deletions(-) diff --git a/azure_firewall/firewall_policy/provider.tf b/azure_firewall/firewall_policy/provider.tf index ed3b6e2..dda4f14 100644 --- a/azure_firewall/firewall_policy/provider.tf +++ b/azure_firewall/firewall_policy/provider.tf @@ -9,9 +9,9 @@ terraform { } } -provider "azurerm" { - use_oidc = true - features {} +# provider "azurerm" { +# use_oidc = true +# features {} - subscription_id = var.subscription_id_connectivity -} +# subscription_id = var.subscription_id_connectivity +# } diff --git a/azure_identity/user_assigned_identity/provider.tf b/azure_identity/user_assigned_identity/provider.tf index ed3b6e2..dda4f14 100644 --- a/azure_identity/user_assigned_identity/provider.tf +++ b/azure_identity/user_assigned_identity/provider.tf 
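Review bot: The provider block is commented out rather than deleted, so each module keeps a dead `# provider "azurerm"` stanza; the same pattern repeats in the four provider.tf hunks on the following line and in the firewall_policy_rcg hunk of the next commit. Deleting the block outright is cleaner, and the `subscription_id_connectivity` variable it referenced looks like it becomes unused in these modules once the block is gone (only provider.tf is visible here, so that is inferred). With no provider of its own, each module now uses whatever default `azurerm` configuration the calling root supplies, so the call site should pin the subscription explicitly, e.g. `providers = { azurerm = azurerm.connectivity }` (alias name constructed for illustration); otherwise resources silently land in the root's default subscription instead of the one `var.subscription_id_connectivity` selected before.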
@@ -9,9 +9,9 @@ terraform {
 }
 }
 
-provider "azurerm" {
- use_oidc = true
- features {}
+# provider "azurerm" {
+# use_oidc = true
+# features {}
 
- subscription_id = var.subscription_id_connectivity
-}
+# subscription_id = var.subscription_id_connectivity
+# }
diff --git a/azure_key_vault/key_vault/provider.tf b/azure_key_vault/key_vault/provider.tf
index ed3b6e2..dda4f14 100644
--- a/azure_key_vault/key_vault/provider.tf
+++ b/azure_key_vault/key_vault/provider.tf
@@ -9,9 +9,9 @@ terraform {
 }
 }
 
-provider "azurerm" {
- use_oidc = true
- features {}
+# provider "azurerm" {
+# use_oidc = true
+# features {}
 
- subscription_id = var.subscription_id_connectivity
-}
+# subscription_id = var.subscription_id_connectivity
+# }
diff --git a/azure_key_vault/key_vault_access_policy/provider.tf b/azure_key_vault/key_vault_access_policy/provider.tf
index ed3b6e2..dda4f14 100644
--- a/azure_key_vault/key_vault_access_policy/provider.tf
+++ b/azure_key_vault/key_vault_access_policy/provider.tf
@@ -9,9 +9,9 @@ terraform {
 }
 }
 
-provider "azurerm" {
- use_oidc = true
- features {}
+# provider "azurerm" {
+# use_oidc = true
+# features {}
 
- subscription_id = var.subscription_id_connectivity
-}
+# subscription_id = var.subscription_id_connectivity
+# }
diff --git a/azure_key_vault/key_vault_certificate/provider.tf b/azure_key_vault/key_vault_certificate/provider.tf
index ed3b6e2..dda4f14 100644
--- a/azure_key_vault/key_vault_certificate/provider.tf
+++ b/azure_key_vault/key_vault_certificate/provider.tf
@@ -9,9 +9,9 @@ terraform {
 }
 }
 
-provider "azurerm" {
- use_oidc = true
- features {}
+# provider "azurerm" {
+# use_oidc = true
+# features {}
 
- subscription_id = var.subscription_id_connectivity
-}
+# subscription_id = var.subscription_id_connectivity
+# }
From 8ee0d91f1e5235199116ca7b303115ba9a8e3ac3 Mon Sep 17 00:00:00 2001
From: Adin Ermie Date: Thu, 10 Oct 2024 14:48:48 -0400 Subject: [PATCH 22/32] Removed provider config in module (will pass in through CAF) --- azure_firewall/firewall_policy_rcg/provider.tf | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/azure_firewall/firewall_policy_rcg/provider.tf b/azure_firewall/firewall_policy_rcg/provider.tf index 60aedf2..3e24f4b 100644 --- a/azure_firewall/firewall_policy_rcg/provider.tf +++ b/azure_firewall/firewall_policy_rcg/provider.tf @@ -9,9 +9,9 @@ terraform { } } -provider "azurerm" { - use_oidc = true - features {} +# provider "azurerm" { +# use_oidc = true +# features {} - subscription_id = var.subscription_id_connectivity -} +# subscription_id = var.subscription_id_connectivity +# } From 9a24df1757d0bfb7a4d4c47a26398ff4a3916964 Mon Sep 17 00:00:00 2001 From: Adin Ermie Date: Thu, 10 Oct 2024 15:20:46 -0400 Subject: [PATCH 23/32] Updated RCG variable default to null --- azure_firewall/firewall_policy_rcg/variables-fwpolicy-rcg.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/azure_firewall/firewall_policy_rcg/variables-fwpolicy-rcg.tf b/azure_firewall/firewall_policy_rcg/variables-fwpolicy-rcg.tf index 4671743..f99e36e 100644 --- a/azure_firewall/firewall_policy_rcg/variables-fwpolicy-rcg.tf +++ b/azure_firewall/firewall_policy_rcg/variables-fwpolicy-rcg.tf @@ -68,5 +68,5 @@ variable "firewall_policy_rule_collection_group" { }) }))) })) - default = [] + default = null } From eb81dafbb9202878210f0ac110d75c0dda714bc1 Mon Sep 17 00:00:00 2001 From: Adin Ermie Date: Thu, 10 Oct 2024 15:26:02 -0400 Subject: [PATCH 24/32] Added null check for RCG resource --- azure_firewall/firewall_policy_rcg/main.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/azure_firewall/firewall_policy_rcg/main.tf b/azure_firewall/firewall_policy_rcg/main.tf index 24ae1ae..701269a 100644 --- a/azure_firewall/firewall_policy_rcg/main.tf +++ b/azure_firewall/firewall_policy_rcg/main.tf 
@@ -1,7 +1,7 @@ resource "azurerm_firewall_policy_rule_collection_group" "this" { - for_each = { + for_each = var.firewall_policy_rule_collection_group != null ? { for group in var.firewall_policy_rule_collection_group : group.name => group - } + } : {} name = each.value.name # firewall_policy_id = data.azurerm_firewall_policy.this.id From 6a51b2abafc651fa656d14d6e50937832367743d Mon Sep 17 00:00:00 2001 From: Adin Ermie Date: Thu, 10 Oct 2024 16:35:52 -0400 Subject: [PATCH 25/32] Added lifecycle_ignore variable --- azure_firewall/firewall_policy/main.tf | 19 +++++++++++++++++++ .../variables-firewall-policy.tf | 6 ++++++ 2 files changed, 25 insertions(+) diff --git a/azure_firewall/firewall_policy/main.tf b/azure_firewall/firewall_policy/main.tf index cc3c1c3..675d742 100644 --- a/azure_firewall/firewall_policy/main.tf +++ b/azure_firewall/firewall_policy/main.tf @@ -103,4 +103,23 @@ resource "azurerm_firewall_policy" "this" { pac_file = explicit_proxy.value.pac_file } } + + lifecycle { + ignore_changes = var.lifecycle_ignore_enabled == true ? [ + base_policy_id, + dns, + identity, + insights, + intrusion_detection, + private_ip_ranges, + auto_learn_private_ranges_enabled, + sku, + tags, + threat_intelligence_mode, + threat_intelligence_allowlist, + tls_certificate, + sql_redirect_allowed, + explicit_proxy, + ] : null + } } diff --git a/azure_firewall/firewall_policy/variables-firewall-policy.tf b/azure_firewall/firewall_policy/variables-firewall-policy.tf index a536211..81710ef 100644 --- a/azure_firewall/firewall_policy/variables-firewall-policy.tf +++ b/azure_firewall/firewall_policy/variables-firewall-policy.tf 
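Review bot: The new `lifecycle { ignore_changes = var.lifecycle_ignore_enabled == true ? [...] : null }` in the firewall_policy main.tf hunk will not pass validation: Terraform resolves `ignore_changes` while building the dependency graph, so it accepts only a static list of attribute references, never a conditional on a variable (the same limitation defeats the `local.combined_ignore_changes` form in the later "Testing dynamic lifecycle ignore_changes" commit). Beyond the syntax, the list names nearly every argument that defines the firewall's security posture — `sku`, `dns`, `intrusion_detection`, `threat_intelligence_mode`, `threat_intelligence_allowlist`, `tls_certificate`, `explicit_proxy` — so with the toggle on, an out-of-band change to IDPS mode or the threat-intel allowlist would never surface in `terraform plan`. If an ignore list is genuinely needed, keep it static and narrow to operational attributes, e.g. `ignore_changes = [tags]`; otherwise drop the block. The enclosing `resource "azurerm_firewall_policy" "this"` starts outside the hunk.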
@@ -1,3 +1,9 @@ +variable "lifecycle_ignore_enabled" { + description = "(Optional) Ignore changes to the lifecycle configuration of the Firewall Policy. This is useful when you want to manage the lifecycle outside of Terraform." + type = bool + default = false +} + variable "firewall_policy_name" { description = "(Required) The name which should be used for this Firewall Policy." type = string From 76a9f513d040776abd1c43bef7f8960560431f1e Mon Sep 17 00:00:00 2001 From: Adin Ermie Date: Thu, 10 Oct 2024 16:58:22 -0400 Subject: [PATCH 26/32] Testing dynamic lifecycle ignore_changes --- azure_firewall/firewall_policy/locals.tf | 7 +++ azure_firewall/firewall_policy/main.tf | 48 ++++++++++++------- .../variables-firewall-policy.tf | 4 +- 3 files changed, 40 insertions(+), 19 deletions(-) diff --git a/azure_firewall/firewall_policy/locals.tf b/azure_firewall/firewall_policy/locals.tf index e69de29..785b952 100644 --- a/azure_firewall/firewall_policy/locals.tf +++ b/azure_firewall/firewall_policy/locals.tf @@ -0,0 +1,7 @@ +locals { + combined_ignore_changes = concat(var.lifecycle_ignore_enabled, [ + # Add any additional attributes you want to ignore changes for + # For example: + # "some_other_attribute", + ]) +} \ No newline at end of file diff --git a/azure_firewall/firewall_policy/main.tf b/azure_firewall/firewall_policy/main.tf index 675d742..f0bb9e5 100644 --- a/azure_firewall/firewall_policy/main.tf +++ b/azure_firewall/firewall_policy/main.tf 
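Review bot: The description misstates what the flag does — it does not ignore changes to a "lifecycle configuration", it makes Terraform stop reconciling drift in the Firewall Policy's own attributes (the `ignore_changes` list in main.tf). Suggest `description = "(Optional) When true, Terraform ignores out-of-band changes to the Firewall Policy attributes listed under lifecycle.ignore_changes in main.tf. Defaults to false."`. It is worth naming the affected attributes in the description, since threat intelligence and intrusion detection settings are among them.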
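Review bot: `concat(var.lifecycle_ignore_enabled, [...])` is evaluated against a variable whose default becomes `null` in the same commit (variables hunk at L554), and as far as I can tell `concat` rejects a null argument, so the module fails in its default configuration; guard it with `concat(coalesce(var.lifecycle_ignore_enabled, []), [...])`. A local cannot feed `ignore_changes` in any case, because that argument requires a static list, so this file is better left empty as PATCH 31 eventually makes it. The placeholder comments inside the list add nothing and can go.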
@@ -104,22 +104,36 @@ resource "azurerm_firewall_policy" "this" { } } - lifecycle { - ignore_changes = var.lifecycle_ignore_enabled == true ? [ - base_policy_id, - dns, - identity, - insights, - intrusion_detection, - private_ip_ranges, - auto_learn_private_ranges_enabled, - sku, - tags, - threat_intelligence_mode, - threat_intelligence_allowlist, - tls_certificate, - sql_redirect_allowed, - explicit_proxy, - ] : null + dynamic "lifecycle" { + for_each = var.lifecycle_ignore_enabled != null ? [var.lifecycle_ignore_enabled] : [] + content { + ignore_changes = lifecycle.value.ignore_changes + } } + + dynamic "lifecycle" { + for_each = var.lifecycle_ignore_enabled != null ? toset(var.lifecycle_ignore_enabled) : [] + content { + ignore_changes = local.combined_ignore_changes + } + } + + # lifecycle { + # # ignore_changes = var.lifecycle_ignore_enabled == true ? [ + # # base_policy_id, + # # dns, + # # identity, + # # insights, + # # intrusion_detection, + # # private_ip_ranges, + # # auto_learn_private_ranges_enabled, + # # sku, + # # tags, + # # threat_intelligence_mode, + # # threat_intelligence_allowlist, + # # tls_certificate, + # # sql_redirect_allowed, + # # explicit_proxy, + # # ] : null + # } } diff --git a/azure_firewall/firewall_policy/variables-firewall-policy.tf b/azure_firewall/firewall_policy/variables-firewall-policy.tf index 81710ef..77f40af 100644 --- a/azure_firewall/firewall_policy/variables-firewall-policy.tf +++ b/azure_firewall/firewall_policy/variables-firewall-policy.tf @@ -1,7 +1,7 @@ variable "lifecycle_ignore_enabled" { description = "(Optional) Ignore changes to the lifecycle configuration of the Firewall Policy. This is useful when you want to manage the lifecycle outside of Terraform." - type = bool - default = false + type = list(string) + default = null } variable "firewall_policy_name" { From bed99da904b7f6bd00aff5d789c599b5879a9386 Mon Sep 17 00:00:00 2001 
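Review bot: `dynamic "lifecycle"` is not valid — `lifecycle` is a Terraform meta-argument block rather than a provider schema block, so it cannot be generated with `dynamic`, and a resource may carry only one `lifecycle` block regardless; the second block's `for_each = toset(var.lifecycle_ignore_enabled)` would additionally try to emit one block per list entry. The same static-list constraint defeats the locals-based variants in PATCH 27–30 (L556, L558), and PATCH 31 reverts all of it. Rather than landing a chain of "Testing"/"Hardcoded"/"Removed locals"/"Reverted" commits, squash PATCH 25–31 before merge so no commit on the main branch fails `terraform validate`. The enclosing `resource "azurerm_firewall_policy" "this"` begins outside the hunk.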
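Review bot: The type moves from `bool` to `list(string)` but the name `lifecycle_ignore_enabled` and the unchanged description still read as an on/off switch, which will mislead callers. If the list form is kept, rename it (e.g. `lifecycle_ignore_changes`) and describe it as `"(Optional) Attribute names of the Firewall Policy whose drift Terraform should ignore; null disables."`. Since a variable cannot drive `ignore_changes` at all, the variable is likely to go away — PATCH 29 comments it out and PATCH 31 deletes it.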
From: Adin Ermie Date: Thu, 10 Oct 2024 17:18:30 -0400 Subject: [PATCH 27/32] Hardcoded ignore_changes list --- azure_firewall/firewall_policy/main.tf | 60 +++++++++++++------------- 1 file changed, 30 insertions(+), 30 deletions(-) diff --git a/azure_firewall/firewall_policy/main.tf b/azure_firewall/firewall_policy/main.tf index f0bb9e5..82916ba 100644 --- a/azure_firewall/firewall_policy/main.tf +++ b/azure_firewall/firewall_policy/main.tf 
@@ -104,36 +104,36 @@ resource "azurerm_firewall_policy" "this" { } } - dynamic "lifecycle" { - for_each = var.lifecycle_ignore_enabled != null ? [var.lifecycle_ignore_enabled] : [] - content { - ignore_changes = lifecycle.value.ignore_changes - } - } - - dynamic "lifecycle" { - for_each = var.lifecycle_ignore_enabled != null ? toset(var.lifecycle_ignore_enabled) : [] - content { - ignore_changes = local.combined_ignore_changes - } - } + # dynamic "lifecycle" { + # for_each = var.lifecycle_ignore_enabled != null ? [var.lifecycle_ignore_enabled] : [] + # content { + # ignore_changes = lifecycle.value.ignore_changes + # } + # } - # lifecycle { - # # ignore_changes = var.lifecycle_ignore_enabled == true ? [ - # # base_policy_id, - # # dns, - # # identity, - # # insights, - # # intrusion_detection, - # # private_ip_ranges, - # # auto_learn_private_ranges_enabled, - # # sku, - # # tags, - # # threat_intelligence_mode, - # # threat_intelligence_allowlist, - # # tls_certificate, - # # sql_redirect_allowed, - # # explicit_proxy, - # # ] : null + # dynamic "lifecycle" { + # for_each = var.lifecycle_ignore_enabled != null ? toset(var.lifecycle_ignore_enabled) : [] + # content { + # ignore_changes = local.combined_ignore_changes + # } # } + + lifecycle { + ignore_changes = [ + "base_policy_id", + "dns", + "identity", + "insights", + "intrusion_detection", + "private_ip_ranges", + "auto_learn_private_ranges_enabled", + "sku", + "tags", + "threat_intelligence_mode", + "threat_intelligence_allowlist", + "tls_certificate", + "sql_redirect_allowed", + "explicit_proxy" + ] + } } From eb0bfb240a23e2034d35cca18b8bb92453f9177a Mon Sep 17 00:00:00 2001 From: Adin Ermie Date: Thu, 10 Oct 2024 17:22:40 -0400 Subject: [PATCH 28/32] Removed locals --- azure_firewall/firewall_policy/locals.tf | 10 ++++----- azure_firewall/firewall_policy/main.tf | 28 ++++++++++++------------ 2 files changed, 19 insertions(+), 19 deletions(-) 
diff --git a/azure_firewall/firewall_policy/locals.tf b/azure_firewall/firewall_policy/locals.tf index 785b952..32d3073 100644 --- a/azure_firewall/firewall_policy/locals.tf +++ b/azure_firewall/firewall_policy/locals.tf @@ -1,7 +1,7 @@ locals { - combined_ignore_changes = concat(var.lifecycle_ignore_enabled, [ - # Add any additional attributes you want to ignore changes for - # For example: - # "some_other_attribute", - ]) + # combined_ignore_changes = concat(var.lifecycle_ignore_enabled, [ + # # Add any additional attributes you want to ignore changes for + # # For example: + # # "some_other_attribute", + # ]) } \ No newline at end of file diff --git a/azure_firewall/firewall_policy/main.tf b/azure_firewall/firewall_policy/main.tf index 82916ba..d6267da 100644 --- a/azure_firewall/firewall_policy/main.tf +++ b/azure_firewall/firewall_policy/main.tf @@ -120,20 +120,20 @@ resource "azurerm_firewall_policy" "this" { lifecycle { ignore_changes = [ - "base_policy_id", - "dns", - "identity", - "insights", - "intrusion_detection", - "private_ip_ranges", - "auto_learn_private_ranges_enabled", - "sku", - "tags", - "threat_intelligence_mode", - "threat_intelligence_allowlist", - "tls_certificate", - "sql_redirect_allowed", - "explicit_proxy" + base_policy_id, + dns, + identity, + insights, + intrusion_detection, + private_ip_ranges, + auto_learn_private_ranges_enabled, + sku, + tags, + threat_intelligence_mode, + threat_intelligence_allowlist, + tls_certificate, + sql_redirect_allowed, + explicit_proxy ] } } From 3a564d013699c8204bf1aded26f45baef3b82913 Mon Sep 17 00:00:00 2001 From: Adin Ermie Date: Thu, 10 Oct 2024 17:39:46 -0400 Subject: [PATCH 29/32] Testing locals ignore_cchanges --- azure_firewall/firewall_policy/locals.tf | 17 ++++++++++ azure_firewall/firewall_policy/main.tf | 33 ++++++++++--------- .../variables-firewall-policy.tf | 10 +++--- 3 files changed, 39 insertions(+), 21 deletions(-) 
diff --git a/azure_firewall/firewall_policy/locals.tf b/azure_firewall/firewall_policy/locals.tf index 32d3073..22cde79 100644 --- a/azure_firewall/firewall_policy/locals.tf +++ b/azure_firewall/firewall_policy/locals.tf @@ -4,4 +4,21 @@ locals { # # For example: # # "some_other_attribute", # ]) + + ignore_changes = [ + base_policy_id, + dns, + identity, + insights, + intrusion_detection, + private_ip_ranges, + auto_learn_private_ranges_enabled, + sku, + tags, + threat_intelligence_mode, + threat_intelligence_allowlist, + tls_certificate, + sql_redirect_allowed, + explicit_proxy + ] } \ No newline at end of file diff --git a/azure_firewall/firewall_policy/main.tf b/azure_firewall/firewall_policy/main.tf index d6267da..53e5402 100644 --- a/azure_firewall/firewall_policy/main.tf +++ b/azure_firewall/firewall_policy/main.tf @@ -119,21 +119,22 @@ resource "azurerm_firewall_policy" "this" { # } lifecycle { - ignore_changes = [ - base_policy_id, - dns, - identity, - insights, - intrusion_detection, - private_ip_ranges, - auto_learn_private_ranges_enabled, - sku, - tags, - threat_intelligence_mode, - threat_intelligence_allowlist, - tls_certificate, - sql_redirect_allowed, - explicit_proxy - ] + ignore_changes = local.ignore_changes + # ignore_changes = [ + # base_policy_id, + # dns, + # identity, + # insights, + # intrusion_detection, + # private_ip_ranges, + # auto_learn_private_ranges_enabled, + # sku, + # tags, + # threat_intelligence_mode, + # threat_intelligence_allowlist, + # tls_certificate, + # sql_redirect_allowed, + # explicit_proxy + # ] } } diff --git a/azure_firewall/firewall_policy/variables-firewall-policy.tf b/azure_firewall/firewall_policy/variables-firewall-policy.tf index 77f40af..41a32fd 100644 --- a/azure_firewall/firewall_policy/variables-firewall-policy.tf +++ b/azure_firewall/firewall_policy/variables-firewall-policy.tf 
@@ -1,8 +1,8 @@ -variable "lifecycle_ignore_enabled" { - description = "(Optional) Ignore changes to the lifecycle configuration of the Firewall Policy. This is useful when you want to manage the lifecycle outside of Terraform." - type = list(string) - default = null -} +# variable "lifecycle_ignore_enabled" { +# description = "(Optional) Ignore changes to the lifecycle configuration of the Firewall Policy. This is useful when you want to manage the lifecycle outside of Terraform." +# type = list(string) +# default = null +# } variable "firewall_policy_name" { description = "(Required) The name which should be used for this Firewall Policy." From c0013144029fde1c1106cf191808430aec13ab3f Mon Sep 17 00:00:00 2001 From: Adin Ermie Date: Thu, 10 Oct 2024 17:45:14 -0400 Subject: [PATCH 30/32] Added quotes --- azure_firewall/firewall_policy/locals.tf | 28 ++++++++++++------------ 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/azure_firewall/firewall_policy/locals.tf b/azure_firewall/firewall_policy/locals.tf index 22cde79..aa07050 100644 --- a/azure_firewall/firewall_policy/locals.tf +++ b/azure_firewall/firewall_policy/locals.tf @@ -6,19 +6,19 @@ locals { # ]) ignore_changes = [ - base_policy_id, - dns, - identity, - insights, - intrusion_detection, - private_ip_ranges, - auto_learn_private_ranges_enabled, - sku, - tags, - threat_intelligence_mode, - threat_intelligence_allowlist, - tls_certificate, - sql_redirect_allowed, - explicit_proxy + "base_policy_id", + "dns", + "identity", + "insights", + "intrusion_detection", + "private_ip_ranges", + "auto_learn_private_ranges_enabled", + "sku", + "tags", + "threat_intelligence_mode", + "threat_intelligence_allowlist", + "tls_certificate", + "sql_redirect_allowed", + "explicit_proxy" ] } \ No newline at end of file From e957e7db4c4678332cc747c17acbbf2d143e1055 Mon Sep 17 00:00:00 2001 
From: Adin Ermie Date: Thu, 10 Oct 2024 18:02:21 -0400 Subject: [PATCH 31/32] Reverted variablized lifecycle ignore_changes --- azure_firewall/firewall_policy/locals.tf | 21 ------------ azure_firewall/firewall_policy/main.tf | 34 ------------------- .../variables-firewall-policy.tf | 6 ---- 3 files changed, 61 deletions(-) diff --git a/azure_firewall/firewall_policy/locals.tf b/azure_firewall/firewall_policy/locals.tf index aa07050..ef76cd5 100644 --- a/azure_firewall/firewall_policy/locals.tf +++ b/azure_firewall/firewall_policy/locals.tf @@ -1,24 +1,3 @@ locals { - # combined_ignore_changes = concat(var.lifecycle_ignore_enabled, [ - # # Add any additional attributes you want to ignore changes for - # # For example: - # # "some_other_attribute", - # ]) - ignore_changes = [ - "base_policy_id", - "dns", - "identity", - "insights", - "intrusion_detection", - "private_ip_ranges", - "auto_learn_private_ranges_enabled", - "sku", - "tags", - "threat_intelligence_mode", - "threat_intelligence_allowlist", - "tls_certificate", - "sql_redirect_allowed", - "explicit_proxy" - ] } \ No newline at end of file diff --git a/azure_firewall/firewall_policy/main.tf b/azure_firewall/firewall_policy/main.tf index 53e5402..cc3c1c3 100644 --- a/azure_firewall/firewall_policy/main.tf +++ b/azure_firewall/firewall_policy/main.tf 
@@ -103,38 +103,4 @@ resource "azurerm_firewall_policy" "this" { pac_file = explicit_proxy.value.pac_file } } - - # dynamic "lifecycle" { - # for_each = var.lifecycle_ignore_enabled != null ? [var.lifecycle_ignore_enabled] : [] - # content { - # ignore_changes = lifecycle.value.ignore_changes - # } - # } - - # dynamic "lifecycle" { - # for_each = var.lifecycle_ignore_enabled != null ? toset(var.lifecycle_ignore_enabled) : [] - # content { - # ignore_changes = local.combined_ignore_changes - # } - # } - - lifecycle { - ignore_changes = local.ignore_changes - # ignore_changes = [ - # base_policy_id, - # dns, - # identity, - # insights, - # intrusion_detection, - # private_ip_ranges, - # auto_learn_private_ranges_enabled, - # sku, - # tags, - # threat_intelligence_mode, - # threat_intelligence_allowlist, - # tls_certificate, - # sql_redirect_allowed, - # explicit_proxy - # ] - } } diff --git a/azure_firewall/firewall_policy/variables-firewall-policy.tf b/azure_firewall/firewall_policy/variables-firewall-policy.tf index 41a32fd..a536211 100644 --- a/azure_firewall/firewall_policy/variables-firewall-policy.tf +++ b/azure_firewall/firewall_policy/variables-firewall-policy.tf @@ -1,9 +1,3 @@ -# variable "lifecycle_ignore_enabled" { -# description = "(Optional) Ignore changes to the lifecycle configuration of the Firewall Policy. This is useful when you want to manage the lifecycle outside of Terraform." -# type = list(string) -# default = null -# } - variable "firewall_policy_name" { description = "(Required) The name which should be used for this Firewall Policy." type = string From 2360614bf054a764baefd33c8726a2dfd110500c Mon Sep 17 00:00:00 2001 
From: Adin Ermie Date: Fri, 11 Oct 2024 15:22:06 -0400 Subject: [PATCH 32/32] Code cleanup and PreCommit formatting --- azure_firewall/firewall_policy/locals.tf | 2 +- azure_firewall/firewall_policy/provider.tf | 7 ------- .../firewall_policy/variables-firewall-policy.tf | 8 -------- azure_firewall/firewall_policy_rcg/README.md | 2 +- azure_firewall/firewall_policy_rcg/data.tf | 5 ----- azure_firewall/firewall_policy_rcg/main.tf | 3 +-- azure_firewall/firewall_policy_rcg/outputs.tf | 4 ---- azure_firewall/firewall_policy_rcg/provider.tf | 7 ------- .../firewall_policy_rcg/variables-firewall-policy.tf | 10 ---------- azure_identity/role_assignment/provider.tf | 7 ------- azure_identity/user_assigned_identity/provider.tf | 7 ------- azure_key_vault/key_vault/provider.tf | 7 ------- azure_key_vault/key_vault/variables-key-vault.tf | 5 ----- azure_key_vault/key_vault_access_policy/provider.tf | 7 ------- azure_key_vault/key_vault_certificate/provider.tf | 7 ------- terraform-azure-lz-project-set/README.md | 3 ++- terraform-azure-lz-project-set/main.tf | 1 - 17 files changed, 5 insertions(+), 87 deletions(-) diff --git a/azure_firewall/firewall_policy/locals.tf b/azure_firewall/firewall_policy/locals.tf index ef76cd5..d555d86 100644 --- a/azure_firewall/firewall_policy/locals.tf +++ b/azure_firewall/firewall_policy/locals.tf @@ -1,3 +1,3 @@ locals { -} \ No newline at end of file +} diff --git a/azure_firewall/firewall_policy/provider.tf b/azure_firewall/firewall_policy/provider.tf index dda4f14..1de5e86 100644 --- a/azure_firewall/firewall_policy/provider.tf +++ b/azure_firewall/firewall_policy/provider.tf @@ -8,10 +8,3 @@ terraform { } } } - -# provider "azurerm" { -# use_oidc = true -# features {} - -# subscription_id = var.subscription_id_connectivity -# } diff --git a/azure_firewall/firewall_policy/variables-firewall-policy.tf b/azure_firewall/firewall_policy/variables-firewall-policy.tf index a536211..3fc5b9f 100644 
--- a/azure_firewall/firewall_policy/variables-firewall-policy.tf +++ b/azure_firewall/firewall_policy/variables-firewall-policy.tf @@ -35,14 +35,6 @@ variable "identity" { identity_ids = optional(list(string)) }) default = null - - # validation { - # condition = ( - # var.identity != null && - # contains(["UserAssigned"], var.identity.type) - # ) - # error_message = "Invalid Identity Type. Only valid opiton is UserAssigned." - # } } variable "insights" { diff --git a/azure_firewall/firewall_policy_rcg/README.md b/azure_firewall/firewall_policy_rcg/README.md index 838bc49..ffe43d7 100644 --- a/azure_firewall/firewall_policy_rcg/README.md +++ b/azure_firewall/firewall_policy_rcg/README.md @@ -30,7 +30,7 @@ No modules. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [firewall\_policy\_id](#input\_firewall\_policy\_id) | The ID of the Azure Firewall Policy. | `string` | n/a | yes | -| [firewall\_policy\_rule\_collection\_group](#input\_firewall\_policy\_rule\_collection\_group) | The Azure Firewall Policy Rule Collection Group. |
list(object({
name = string
priority = number

application_rule_collection = optional(list(object({
name = string
action = string
priority = number
rule = list(object({
name = string
description = optional(string)
protocols = optional(list(object({
type = string
port = number
})))
http_headers = optional(list(object({
name = string
value = string
})))
source_addresses = optional(list(string))
source_ip_groups = optional(list(string))
destination_addresses = optional(list(string))
destination_urls = optional(list(string))
destination_fqdns = optional(list(string))
destination_fqdn_tags = optional(list(string))
terminate_tls = optional(bool)
web_categories = optional(list(string))
}))
})))

network_rule_collection = optional(list(object({
name = string
action = string
priority = number

rule = list(object({
name = string
description = optional(string)
protocols = optional(list(string))
destination_ports = list(string)
source_addresses = optional(list(string))
source_ip_groups = optional(list(string))
destination_addresses = optional(list(string))
destination_ip_groups = optional(list(string))
destination_fqdns = optional(list(string))
}))
})))

nat_rule_collection = optional(list(object({
name = string
action = string
priority = number

rule = object({
name = string
description = optional(string)
protocols = list(string)
source_addresses = optional(list(string))
source_ip_groups = optional(list(string))
destination_address = optional(string)
destination_ports = optional(list(string))
translated_address = optional(string)
translated_fqdn = optional(string)
translated_port = string
})
})))
}))
| `[]` | no | +| [firewall\_policy\_rule\_collection\_group](#input\_firewall\_policy\_rule\_collection\_group) | The Azure Firewall Policy Rule Collection Group. |
list(object({
name = string
priority = number

application_rule_collection = optional(list(object({
name = string
action = string
priority = number
rule = list(object({
name = string
description = optional(string)
protocols = optional(list(object({
type = string
port = number
})))
http_headers = optional(list(object({
name = string
value = string
})))
source_addresses = optional(list(string))
source_ip_groups = optional(list(string))
destination_addresses = optional(list(string))
destination_urls = optional(list(string))
destination_fqdns = optional(list(string))
destination_fqdn_tags = optional(list(string))
terminate_tls = optional(bool)
web_categories = optional(list(string))
}))
})))

network_rule_collection = optional(list(object({
name = string
action = string
priority = number

rule = list(object({
name = string
description = optional(string)
protocols = optional(list(string))
destination_ports = list(string)
source_addresses = optional(list(string))
source_ip_groups = optional(list(string))
destination_addresses = optional(list(string))
destination_ip_groups = optional(list(string))
destination_fqdns = optional(list(string))
}))
})))

nat_rule_collection = optional(list(object({
name = string
action = string
priority = number

rule = object({
name = string
description = optional(string)
protocols = list(string)
source_addresses = optional(list(string))
source_ip_groups = optional(list(string))
destination_address = optional(string)
destination_ports = optional(list(string))
translated_address = optional(string)
translated_fqdn = optional(string)
translated_port = string
})
})))
}))
| `null` | no | | [subscription\_id\_connectivity](#input\_subscription\_id\_connectivity) | Subscription ID to use for "connectivity" resources. | `string` | n/a | yes | ## Outputs diff --git a/azure_firewall/firewall_policy_rcg/data.tf b/azure_firewall/firewall_policy_rcg/data.tf index 6d8d54f..434dac2 100644 --- a/azure_firewall/firewall_policy_rcg/data.tf +++ b/azure_firewall/firewall_policy_rcg/data.tf @@ -1,7 +1,2 @@ # Get the current client configuration from the AzureRM provider data "azurerm_client_config" "current" {} - -# data "azurerm_firewall_policy" "this" { -# name = var.firewall_policy_name -# resource_group_name = var.firewall_policy_resource_group_name -# } diff --git a/azure_firewall/firewall_policy_rcg/main.tf b/azure_firewall/firewall_policy_rcg/main.tf index 701269a..054a627 100644 --- a/azure_firewall/firewall_policy_rcg/main.tf +++ b/azure_firewall/firewall_policy_rcg/main.tf @@ -3,8 +3,7 @@ resource "azurerm_firewall_policy_rule_collection_group" "this" { for group in var.firewall_policy_rule_collection_group : group.name => group } : {} - name = each.value.name - # firewall_policy_id = data.azurerm_firewall_policy.this.id + name = each.value.name firewall_policy_id = var.firewall_policy_id priority = each.value.priority diff --git a/azure_firewall/firewall_policy_rcg/outputs.tf b/azure_firewall/firewall_policy_rcg/outputs.tf index 36c1bb8..90cd7f5 100644 --- a/azure_firewall/firewall_policy_rcg/outputs.tf +++ b/azure_firewall/firewall_policy_rcg/outputs.tf @@ -1,7 +1,3 @@ -# output "firewall_policy_id" { -# value = data.azurerm_firewall_policy.this.id -# } - output "firewall_policy_rule_collection_group" { value = { for idx, group in azurerm_firewall_policy_rule_collection_group.this : idx => { diff --git a/azure_firewall/firewall_policy_rcg/provider.tf b/azure_firewall/firewall_policy_rcg/provider.tf index 3e24f4b..e1eb106 100644 --- a/azure_firewall/firewall_policy_rcg/provider.tf +++ b/azure_firewall/firewall_policy_rcg/provider.tf 
@@ -8,10 +8,3 @@ terraform { } } } - -# provider "azurerm" { -# use_oidc = true -# features {} - -# subscription_id = var.subscription_id_connectivity -# } diff --git a/azure_firewall/firewall_policy_rcg/variables-firewall-policy.tf b/azure_firewall/firewall_policy_rcg/variables-firewall-policy.tf index 8325f9c..7555633 100644 --- a/azure_firewall/firewall_policy_rcg/variables-firewall-policy.tf +++ b/azure_firewall/firewall_policy_rcg/variables-firewall-policy.tf @@ -1,13 +1,3 @@ -# variable "firewall_policy_name" { -# description = "The name of the Azure Firewall Policy." -# type = string -# } - -# variable "firewall_policy_resource_group_name" { -# description = "The name of the resource group in which the Azure Firewall Policy exists." -# type = string -# } - variable "firewall_policy_id" { description = "The ID of the Azure Firewall Policy." type = string diff --git a/azure_identity/role_assignment/provider.tf b/azure_identity/role_assignment/provider.tf index ed3b6e2..1de5e86 100644 --- a/azure_identity/role_assignment/provider.tf +++ b/azure_identity/role_assignment/provider.tf @@ -8,10 +8,3 @@ terraform { } } } - -provider "azurerm" { - use_oidc = true - features {} - - subscription_id = var.subscription_id_connectivity -} diff --git a/azure_identity/user_assigned_identity/provider.tf b/azure_identity/user_assigned_identity/provider.tf index dda4f14..1de5e86 100644 --- a/azure_identity/user_assigned_identity/provider.tf +++ b/azure_identity/user_assigned_identity/provider.tf @@ -8,10 +8,3 @@ terraform { } } } - -# provider "azurerm" { -# use_oidc = true -# features {} - -# subscription_id = var.subscription_id_connectivity -# } diff --git a/azure_key_vault/key_vault/provider.tf b/azure_key_vault/key_vault/provider.tf index dda4f14..1de5e86 100644 --- a/azure_key_vault/key_vault/provider.tf +++ b/azure_key_vault/key_vault/provider.tf 
@@ -8,10 +8,3 @@ terraform { } } } - -# provider "azurerm" { -# use_oidc = true -# features {} - -# subscription_id = var.subscription_id_connectivity -# } diff --git a/azure_key_vault/key_vault/variables-key-vault.tf b/azure_key_vault/key_vault/variables-key-vault.tf index 09b225a..a4ed932 100644 --- a/azure_key_vault/key_vault/variables-key-vault.tf +++ b/azure_key_vault/key_vault/variables-key-vault.tf @@ -29,11 +29,6 @@ variable "sku_name" { } } -# variable "tenant_id" { -# description = "(Required) The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault." -# type = string -# } - variable "enabled_for_deployment" { description = "(Optional) Boolean flag to specify whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault." type = bool diff --git a/azure_key_vault/key_vault_access_policy/provider.tf b/azure_key_vault/key_vault_access_policy/provider.tf index dda4f14..1de5e86 100644 --- a/azure_key_vault/key_vault_access_policy/provider.tf +++ b/azure_key_vault/key_vault_access_policy/provider.tf @@ -8,10 +8,3 @@ terraform { } } } - -# provider "azurerm" { -# use_oidc = true -# features {} - -# subscription_id = var.subscription_id_connectivity -# } diff --git a/azure_key_vault/key_vault_certificate/provider.tf b/azure_key_vault/key_vault_certificate/provider.tf index dda4f14..1de5e86 100644 --- a/azure_key_vault/key_vault_certificate/provider.tf +++ b/azure_key_vault/key_vault_certificate/provider.tf @@ -8,10 +8,3 @@ terraform { } } } - -# provider "azurerm" { -# use_oidc = true -# features {} - -# subscription_id = var.subscription_id_connectivity -# } diff --git a/terraform-azure-lz-project-set/README.md b/terraform-azure-lz-project-set/README.md index 7fa3b65..3cfb414 100644 --- a/terraform-azure-lz-project-set/README.md +++ b/terraform-azure-lz-project-set/README.md 
@@ -79,6 +79,7 @@ For each environment, the module will create a subscription, a network resource | Name | Type | |------|------| +| [azurerm_consumption_budget_subscription.subscription_budget](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/consumption_budget_subscription) | resource | | [azurerm_management_group.project_set](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/management_group) | resource | | [azurerm_management_group.landing_zones](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/management_group) | data source | @@ -93,7 +94,7 @@ For each environment, the module will create a subscription, a network resource | [project\_set\_name](#input\_project\_set\_name) | The name of the project set | `string` | n/a | yes | | [secondary\_location](#input\_secondary\_location) | The secondary location for resources | `string` | `"canadaeast"` | no | | [subscription\_billing\_scope](#input\_subscription\_billing\_scope) | The billing scope for the subscription | `string` | n/a | yes | -| [subscriptions](#input\_subscriptions) | Configuration details for each subscription |
map(object({
name : string
display_name : string
budget_amount : optional(number, 0)
network : object({
enabled : bool
address_space : list(string)
dns_servers : optional(list(string))
})
tags : optional(map(string), {})
}))
| n/a | yes | +| [subscriptions](#input\_subscriptions) | Configuration details for each subscription |
map(object({
name : string
display_name : string
budget : optional(number, 0)
network : object({
enabled : bool
address_space : list(string)
dns_servers : optional(list(string))
})
tags : optional(map(string), {})
}))
| n/a | yes | | [vwan\_hub\_resource\_id](#input\_vwan\_hub\_resource\_id) | The resource ID for the virtual WAN hub | `string` | n/a | yes | ## Outputs diff --git a/terraform-azure-lz-project-set/main.tf b/terraform-azure-lz-project-set/main.tf index 6c098f6..d826bda 100644 --- a/terraform-azure-lz-project-set/main.tf +++ b/terraform-azure-lz-project-set/main.tf @@ -103,4 +103,3 @@ resource "azurerm_consumption_budget_subscription" "subscription_budget" { ignore_changes = [time_period] } } -