feat(module/vnet): add possibility to re-use existing subnets (#219)

PaloAltoNetworks · Dec 13, 2022 · 5355404 · 5355404
1 parent d21b0e7
commit 5355404
Show file tree

Hide file tree

Showing 4 changed files with 30 additions and 8 deletions.
diff --git a/modules/vnet/README.md b/modules/vnet/README.md
@@ -57,19 +57,21 @@ No modules.
 | [azurerm_subnet_network_security_group_association.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet_network_security_group_association) | resource |
 | [azurerm_subnet_route_table_association.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet_route_table_association) | resource |
 | [azurerm_virtual_network.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_network) | resource |
+| [azurerm_subnet.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source |
 | [azurerm_virtual_network.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/virtual_network) | data source |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_address_space"></a> [address\_space](#input\_address\_space) | The address space used by the virtual network. You can supply more than one address space. | `list(string)` | n/a | yes |
+| <a name="input_create_subnets"></a> [create\_subnets](#input\_create\_subnets) | If true, create the Subnets inside the Virtual Network, otherwise use a pre-existing subnets. | `bool` | `true` | no |
 | <a name="input_create_virtual_network"></a> [create\_virtual\_network](#input\_create\_virtual\_network) | If true, create the Virtual Network, otherwise just use a pre-existing network. | `bool` | `true` | no |
 | <a name="input_location"></a> [location](#input\_location) | Location of the resources that will be deployed. | `string` | n/a | yes |
 | <a name="input_network_security_groups"></a> [network\_security\_groups](#input\_network\_security\_groups) | Map of Network Security Groups to create. The key of each entry acts as the Network Security Group name.<br>List of available attributes of each Network Security Group entry:<br>- `location` : (Optional) Specifies the Azure location where to deploy the resource.<br>- `rules`: (Optional) A list of objects representing a Network Security Rule. The key of each entry acts as the name of the rule and<br>    needs to be unique across all rules in the Network Security Group.<br>    List of attributes available to define a Network Security Rule.<br>    Notice, all port values are integers between `0` and `65535`. Port ranges can be specified as `minimum-maximum` port value, example: `21-23`:<br>    - `priority` : Numeric priority of the rule. The value can be between 100 and 4096 and must be unique for each rule in the collection.<br>    The lower the priority number, the higher the priority of the rule.<br>    - `direction` : The direction specifies if rule will be evaluated on incoming or outgoing traffic. Possible values are `Inbound` and `Outbound`.<br>    - `access` : Specifies whether network traffic is allowed or denied. Possible values are `Allow` and `Deny`.<br>    - `protocol` : Network protocol this rule applies to. Possible values include `Tcp`, `Udp`, `Icmp`, or `*` (which matches all). For supported values refer to the [provider documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_security_rule#protocol)<br>    - `source_port_range` : A source port or a range of ports. This can also be an `*` to match all.<br>    - `source_port_ranges` : A list of source ports or ranges of ports. This can be specified only if `source_port_range` was not used.<br>    - `destination_port_range` : A destination port or a range of ports. This can also be an `*` to match all.<br>    - `destination_port_range` : A list of destination ports or a ranges of ports. This can be specified only if `destination_port_range` was not used.<br>    - `source_address_prefix` : Source CIDR or IP range or `*` to match any IP. This can also be a tag. To see all available tags for a region use the following command (example for US West Central): `az network list-service-tags --location westcentralus`.<br>    - `source_address_prefixes` : A list of source address prefixes. Tags are not allowed. Can be specified only if `source_address_prefix` was not used.<br>    - `destination_address_prefix` : Destination CIDR or IP range or `*` to match any IP. Tags are allowed, see `source_address_prefix` for details.<br>    - `destination_address_prefixes` : A list of destination address prefixes. Tags are not allowed. Can be specified only if `destination_address_prefix` was not used.<br><br>Example:<pre>{<br>  "network_security_group_1" = {<br>    location = "Australia Central"<br>    rules = {<br>      "AllOutbound" = {<br>        priority                   = 100<br>        direction                  = "Outbound"<br>        access                     = "Allow"<br>        protocol                   = "Tcp"<br>        source_port_range          = "*"<br>        destination_port_range     = "*"<br>        source_address_prefix      = "*"<br>        destination_address_prefix = "*"<br>      },<br>      "AllowSSH" = {<br>        priority                   = 200<br>        direction                  = "Inbound"<br>        access                     = "Allow"<br>        protocol                   = "Tcp"<br>        source_port_range          = "*"<br>        destination_port_range     = "22"<br>        source_address_prefix      = "*"<br>        destination_address_prefix = "*"<br>      },<br>      "AllowWebBrowsing" = {<br>        priority                   = 300<br>        direction                  = "Inbound"<br>        access                     = "Allow"<br>        protocol                   = "Tcp"<br>        source_port_range          = "*"<br>        destination_port_ranges    = ["80","443"]<br>        source_address_prefix      = "*"<br>        destination_address_prefix = "VirtualNetwork"<br>      }<br>    }<br>  },<br>  "network_security_group_2" = {<br>    rules = {}<br>  }<br>}</pre> | `any` | n/a | yes |
 | <a name="input_resource_group_name"></a> [resource\_group\_name](#input\_resource\_group\_name) | Name of the Resource Group to use. | `string` | n/a | yes |
 | <a name="input_route_tables"></a> [route\_tables](#input\_route\_tables) | Map of objects describing a Route Table. The key of each entry acts as the Route Table name.<br>List of available attributes of each Route Table entry:<br>- `location` : (Optional) Specifies the Azure location where to deploy the resource.<br>- `routes` : (Optional) Map of routes within the Route Table.<br>  List of available attributes of each route entry:<br>  - `address_prefix` : The destination CIDR to which the route applies, such as `10.1.0.0/16`.<br>  - `next_hop_type` : The type of Azure hop the packet should be sent to.<br>    Possible values are: `VirtualNetworkGateway`, `VnetLocal`, `Internet`, `VirtualAppliance` and `None`.<br>  - `next_hop_in_ip_address` : Contains the IP address packets should be forwarded to. <br>    Next hop values are only allowed in routes where the next hop type is `VirtualAppliance`.<br><br>Example:<pre>{<br>  "route_table_1" = {<br>    routes = {<br>      "route_1" = {<br>        address_prefix = "10.1.0.0/16"<br>        next_hop_type  = "vnetlocal"<br>      },<br>      "route_2" = {<br>        address_prefix = "10.2.0.0/16"<br>        next_hop_type  = "vnetlocal"<br>      },<br>    }<br>  },<br>  "route_table_2" = {<br>    routes = {<br>      "route_3" = {<br>        address_prefix         = "0.0.0.0/0"<br>        next_hop_type          = "VirtualAppliance"<br>        next_hop_in_ip_address = "10.112.0.100"<br>      }<br>    },<br>  },<br>}</pre> | `map` | `{}` | no |
-| <a name="input_subnets"></a> [subnets](#input\_subnets) | Map of subnet objects to create within a virtual network. The key of each entry acts as the subnet name.<br>List of available attributes of each subnet entry:<br>- `address_prefixes` : The address prefix to use for the subnet.<br>- `network_security_group_id` : The Network Security Group identifier to associate with the subnet.<br>- `route_table_id` : The Route Table identifier to associate with the subnet.<br>- `tags` : (Optional) Map of tags to assign to the resource.<br><br>Example:<pre>{<br>  "management" = {<br>    address_prefixes       = ["10.100.0.0/24"]<br>    network_security_group = "network_security_group_1"<br>    route_table            = "route_table_1"<br>  },<br>  "private" = {<br>    address_prefixes       = ["10.100.1.0/24"]<br>    network_security_group = "network_security_group_2"<br>    route_table            = "route_table_2"<br>  },<br>  "public" = {<br>    address_prefixes       = ["10.100.2.0/24"]<br>    network_security_group = "network_security_group_3"<br>    route_table            = "route_table_3"<br>  },<br>}</pre> | `any` | n/a | yes |
+| <a name="input_subnets"></a> [subnets](#input\_subnets) | Map of subnet objects to create within a virtual network. If `create_subnets` is set to `false` this is just a mapping between the existing subnets and UDRs and NSGs that should be assigned to them.<br><br>The key of each entry acts as the subnet name.<br>List of available attributes of each subnet entry:<br>- `address_prefixes` : The address prefix to use for the subnet. Only required when a subnet will be created.<br>- `network_security_group_id` : The Network Security Group identifier to associate with the subnet.<br>- `route_table_id` : The Route Table identifier to associate with the subnet.<br>- `tags` : (Optional) Map of tags to assign to the resource. Only required when a subnet will be created.<br><br>Example:<pre>{<br>  "management" = {<br>    address_prefixes       = ["10.100.0.0/24"]<br>    network_security_group = "network_security_group_1"<br>    route_table            = "route_table_1"<br>  },<br>  "private" = {<br>    address_prefixes       = ["10.100.1.0/24"]<br>    network_security_group = "network_security_group_2"<br>    route_table            = "route_table_2"<br>  },<br>  "public" = {<br>    address_prefixes       = ["10.100.2.0/24"]<br>    network_security_group = "network_security_group_3"<br>    route_table            = "route_table_3"<br>  },<br>}</pre> | `any` | n/a | yes |
 | <a name="input_tags"></a> [tags](#input\_tags) | Map of tags to assign to all of the created resources. | `map(any)` | `{}` | no |
 | <a name="input_virtual_network_name"></a> [virtual\_network\_name](#input\_virtual\_network\_name) | The name of the Azure Virtual Network. | `string` | n/a | yes |
 

diff --git a/modules/vnet/main.tf b/modules/vnet/main.tf
@@ -20,14 +20,26 @@ locals {
 }
 
 resource "azurerm_subnet" "this" {
-  for_each = var.subnets
+  for_each = { for k, v in var.subnets : k => v if var.create_subnets }
 
   name                 = each.key
   resource_group_name  = var.resource_group_name
   virtual_network_name = local.virtual_network.name
   address_prefixes     = each.value.address_prefixes
 }
 
+data "azurerm_subnet" "this" {
+  for_each = { for k, v in var.subnets : k => v if var.create_subnets == false }
+
+  name                 = each.key
+  resource_group_name  = var.resource_group_name
+  virtual_network_name = local.virtual_network.name
+}
+
+locals {
+  subnets = var.create_subnets ? azurerm_subnet.this : data.azurerm_subnet.this
+}
+
 resource "azurerm_network_security_group" "this" {
   for_each = var.network_security_groups
 
@@ -110,13 +122,13 @@ resource "azurerm_route" "this" {
 resource "azurerm_subnet_network_security_group_association" "this" {
   for_each = { for k, v in var.subnets : k => v if lookup(v, "network_security_group", "") != "" }
 
-  subnet_id                 = azurerm_subnet.this[each.key].id
+  subnet_id                 = local.subnets[each.key].id
   network_security_group_id = azurerm_network_security_group.this[each.value.network_security_group].id
 }
 
 resource "azurerm_subnet_route_table_association" "this" {
   for_each = { for k, v in var.subnets : k => v if lookup(v, "route_table", "") != "" }
 
-  subnet_id      = azurerm_subnet.this[each.key].id
+  subnet_id      = local.subnets[each.key].id
   route_table_id = azurerm_route_table.this[each.value.route_table].id
 }
diff --git a/modules/vnet/outputs.tf b/modules/vnet/outputs.tf
@@ -6,7 +6,7 @@ output "virtual_network_id" {
 output "subnet_ids" {
   description = "The identifiers of the created Subnets."
   value = {
-    for k, v in azurerm_subnet.this : k => v.id
+    for k, v in local.subnets : k => v.id
   }
 }
 

diff --git a/modules/vnet/variables.tf b/modules/vnet/variables.tf
@@ -9,6 +9,12 @@ variable "create_virtual_network" {
   type        = bool
 }
 
+variable "create_subnets" {
+  description = "If true, create the Subnets inside the Virtual Network, otherwise use a pre-existing subnets."
+  default     = true
+  type        = bool
+}
+
 variable "location" {
   description = "Location of the resources that will be deployed."
   type        = string
@@ -144,12 +150,14 @@ variable "route_tables" {
 
 variable "subnets" {
   description = <<-EOF
-  Map of subnet objects to create within a virtual network. The key of each entry acts as the subnet name.
+  Map of subnet objects to create within a virtual network. If `create_subnets` is set to `false` this is just a mapping between the existing subnets and UDRs and NSGs that should be assigned to them.
+  
+  The key of each entry acts as the subnet name.
   List of available attributes of each subnet entry:
-  - `address_prefixes` : The address prefix to use for the subnet.
+  - `address_prefixes` : The address prefix to use for the subnet. Only required when a subnet will be created.
   - `network_security_group_id` : The Network Security Group identifier to associate with the subnet.
   - `route_table_id` : The Route Table identifier to associate with the subnet.
-  - `tags` : (Optional) Map of tags to assign to the resource.
+  - `tags` : (Optional) Map of tags to assign to the resource. Only required when a subnet will be created.
   
   Example:
   ```