From ceacf501a8a311617b81fd504c496b9d5d4ef42d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C5=81ukasz=20Pawl=C4=99ga?= <42772730+FoSix@users.noreply.github.com>
Date: Tue, 13 Dec 2022 11:43:08 +0100
Subject: [PATCH] feat(module/vnet): adding support for destination and source port ranges (#211)
---
 .github/workflows/ci.yml | 2 +-
 modules/vnet/README.md | 2 +-
 modules/vnet/main.tf | 6 ++++--
 modules/vnet/variables.tf | 27 +++++++++++++++++++++------
 4 files changed, 27 insertions(+), 10 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 51d5b6b0..c08ca459 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -23,7 +23,7 @@ jobs:
 uses: actions/setup-python@v2
 with:
 # Semantic version range syntax (like 3.x) or the exact Python version
- python-version: '3.9.4'
+ python-version: '3.10'
 - name: Run pre-commit framework as the developer should run it
 run: sudo ./scripts/install.sh && sudo ./scripts/run.sh
diff --git a/modules/vnet/README.md b/modules/vnet/README.md
index 0f4404c8..7cf3acdb 100644
--- a/modules/vnet/README.md
+++ b/modules/vnet/README.md
@@ -66,7 +66,7 @@ No modules.
 | [address\_space](#input\_address\_space) | The address space used by the virtual network. You can supply more than one address space. | `list(string)` | n/a | yes |
 | [create\_virtual\_network](#input\_create\_virtual\_network) | If true, create the Virtual Network, otherwise just use a pre-existing network. | `bool` | `true` | no |
 | [location](#input\_location) | Location of the resources that will be deployed. | `string` | n/a | yes |
-| [network\_security\_groups](#input\_network\_security\_groups) | Map of Network Security Groups to create. The key of each entry acts as the Network Security Group name.
List of available attributes of each Network Security Group entry:
- `location` : (Optional) Specifies the Azure location where to deploy the resource.
- `rules`: (Optional) A list of objects representing a Network Security Rule. The key of each entry acts as the name of the rule and
needs to be unique across all rules in the Network Security Group.
List of attributes available to define a Network Security Rule:
- `priority` : Numeric priority of the rule. The value can be between 100 and 4096 and must be unique for each rule in the collection.
The lower the priority number, the higher the priority of the rule.
- `direction` : The direction specifies if rule will be evaluated on incoming or outgoing traffic. Possible values are `Inbound` and `Outbound`.
- `access` : Specifies whether network traffic is allowed or denied. Possible values are `Allow` and `Deny`.
- `protocol` : Network protocol this rule applies to. Possible values include `Tcp`, `Udp`, `Icmp`, or `*` (which matches all).
- `source_port_range` : List of source ports or port ranges.
- `destination_port_range` : Destination Port or Range. Integer or range between `0` and `65535` or `*` to match any.
- `source_address_prefix` : List of source address prefixes. Tags may not be used.
- `destination_address_prefix` : CIDR or destination IP range or `*` to match any IP.

Example:
{
"network_security_group_1" = {
location = "Australia Central"
rules = {
"AllOutbound" = {
priority = 100
direction = "Outbound"
access = "Allow"
protocol = "Tcp"
source_port_range = "*"
destination_port_range = "*"
source_address_prefix = "*"
destination_address_prefix = "*"
},
"AllowSSH" = {
priority = 200
direction = "Inbound"
access = "Allow"
protocol = "Tcp"
source_port_range = "*"
destination_port_range = "22"
source_address_prefix = "*"
destination_address_prefix = "*"
}
}
},
"network_security_group_2" = {
rules = {}
}
}
| `any` | n/a | yes |
+| [network\_security\_groups](#input\_network\_security\_groups) | Map of Network Security Groups to create. The key of each entry acts as the Network Security Group name.
List of available attributes of each Network Security Group entry:
- `location` : (Optional) Specifies the Azure location where to deploy the resource.
- `rules`: (Optional) A list of objects representing a Network Security Rule. The key of each entry acts as the name of the rule and
needs to be unique across all rules in the Network Security Group.
List of attributes available to define a Network Security Rule.
Notice, all port values are integers between `0` and `65535`. Port ranges can be specified as `minimum-maximum` port value, example: `21-23`:
- `priority` : Numeric priority of the rule. The value can be between 100 and 4096 and must be unique for each rule in the collection.
The lower the priority number, the higher the priority of the rule.
- `direction` : The direction specifies if rule will be evaluated on incoming or outgoing traffic. Possible values are `Inbound` and `Outbound`.
- `access` : Specifies whether network traffic is allowed or denied. Possible values are `Allow` and `Deny`.
- `protocol` : Network protocol this rule applies to. Possible values include `Tcp`, `Udp`, `Icmp`, or `*` (which matches all). For supported values refer to the [provider documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_security_rule#protocol)
- `source_port_range` : A source port or a range of ports. This can also be an `*` to match all.
- `source_port_ranges` : A list of source ports or ranges of ports. This can be specified only if `source_port_range` was not used.
- `destination_port_range` : A destination port or a range of ports. This can also be an `*` to match all.
- `destination_port_range` : A list of destination ports or a ranges of ports. This can be specified only if `destination_port_range` was not used.
- `source_address_prefix` : Source CIDR or IP range or `*` to match any IP. This can also be a tag. To see all available tags for a region use the following command (example for US West Central): `az network list-service-tags --location westcentralus`.
- `source_address_prefixes` : A list of source address prefixes. Tags are not allowed. Can be specified only if `source_address_prefix` was not used.
- `destination_address_prefix` : Destination CIDR or IP range or `*` to match any IP. Tags are allowed, see `source_address_prefix` for details.
- `destination_address_prefixes` : A list of destination address prefixes. Tags are not allowed. Can be specified only if `destination_address_prefix` was not used.

Example:
{
"network_security_group_1" = {
location = "Australia Central"
rules = {
"AllOutbound" = {
priority = 100
direction = "Outbound"
access = "Allow"
protocol = "Tcp"
source_port_range = "*"
destination_port_range = "*"
source_address_prefix = "*"
destination_address_prefix = "*"
},
"AllowSSH" = {
priority = 200
direction = "Inbound"
access = "Allow"
protocol = "Tcp"
source_port_range = "*"
destination_port_range = "22"
source_address_prefix = "*"
destination_address_prefix = "*"
},
"AllowWebBrowsing" = {
priority = 300
direction = "Inbound"
access = "Allow"
protocol = "Tcp"
source_port_range = "*"
destination_port_ranges = ["80","443"]
source_address_prefix = "*"
destination_address_prefix = "VirtualNetwork"
}
}
},
"network_security_group_2" = {
rules = {}
}
}
| `any` | n/a | yes |
 | [resource\_group\_name](#input\_resource\_group\_name) | Name of the Resource Group to use. | `string` | n/a | yes |
 | [route\_tables](#input\_route\_tables) | Map of objects describing a Route Table. The key of each entry acts as the Route Table name.
List of available attributes of each Route Table entry:
- `location` : (Optional) Specifies the Azure location where to deploy the resource.
- `routes` : (Optional) Map of routes within the Route Table.
List of available attributes of each route entry:
- `address_prefix` : The destination CIDR to which the route applies, such as `10.1.0.0/16`.
- `next_hop_type` : The type of Azure hop the packet should be sent to.
Possible values are: `VirtualNetworkGateway`, `VnetLocal`, `Internet`, `VirtualAppliance` and `None`.
- `next_hop_in_ip_address` : Contains the IP address packets should be forwarded to.
Next hop values are only allowed in routes where the next hop type is `VirtualAppliance`.

Example:
{
"route_table_1" = {
routes = {
"route_1" = {
address_prefix = "10.1.0.0/16"
next_hop_type = "vnetlocal"
},
"route_2" = {
address_prefix = "10.2.0.0/16"
next_hop_type = "vnetlocal"
},
}
},
"route_table_2" = {
routes = {
"route_3" = {
address_prefix = "0.0.0.0/0"
next_hop_type = "VirtualAppliance"
next_hop_in_ip_address = "10.112.0.100"
}
},
},
}
| `map` | `{}` | no |
 | [subnets](#input\_subnets) | Map of subnet objects to create within a virtual network. The key of each entry acts as the subnet name.
List of available attributes of each subnet entry:
- `address_prefixes` : The address prefix to use for the subnet.
- `network_security_group_id` : The Network Security Group identifier to associate with the subnet.
- `route_table_id` : The Route Table identifier to associate with the subnet.
- `tags` : (Optional) Map of tags to assign to the resource.

Example:
{
"management" = {
address_prefixes = ["10.100.0.0/24"]
network_security_group = "network_security_group_1"
route_table = "route_table_1"
},
"private" = {
address_prefixes = ["10.100.1.0/24"]
network_security_group = "network_security_group_2"
route_table = "route_table_2"
},
"public" = {
address_prefixes = ["10.100.2.0/24"]
network_security_group = "network_security_group_3"
route_table = "route_table_3"
},
}
| `any` | n/a | yes |
diff --git a/modules/vnet/main.tf b/modules/vnet/main.tf
index c6a35d8a..de533d86 100644
--- a/modules/vnet/main.tf
+++ b/modules/vnet/main.tf
@@ -61,8 +61,10 @@ resource "azurerm_network_security_rule" "this" {
 direction = each.value.rule.direction
 access = each.value.rule.access
 protocol = each.value.rule.protocol
- source_port_range = each.value.rule.source_port_range
- destination_port_range = each.value.rule.destination_port_range
+ source_port_range = lookup(each.value.rule, "source_port_range", null)
+ source_port_ranges = lookup(each.value.rule, "source_port_ranges", null)
+ destination_port_range = lookup(each.value.rule, "destination_port_range", null)
+ destination_port_ranges = lookup(each.value.rule, "destination_port_ranges", null)
 source_address_prefix = lookup(each.value.rule, "source_address_prefix", null)
 source_address_prefixes = lookup(each.value.rule, "source_address_prefixes", null)
 destination_address_prefix = lookup(each.value.rule, "destination_address_prefix", null)
diff --git a/modules/vnet/variables.tf b/modules/vnet/variables.tf
index e2e43a6d..4fc66ad1 100644
--- a/modules/vnet/variables.tf
+++ b/modules/vnet/variables.tf
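Review bot: Nothing in this resource enforces that a rule sets exactly one of `source_port_range`/`source_port_ranges` and exactly one of `destination_port_range`/`destination_port_ranges` — all four are now `lookup(..., null)`, so a rule that omits both, sets both, or misspells a key (the variable is typed `any`, so there is no schema to catch it) yields `null` for the pair and is only caught by the provider, as far as I can tell at apply rather than plan time. A `lifecycle` precondition on this resource would fail the plan and name the offending rule; it needs Terraform >= 1.2, so check the module's `required_version` first (a `validation` block on `var.network_security_groups` is the alternative on older versions). The `azurerm_network_security_rule.this` block begins and ends outside the hunk.
```hcl
  # … unchanged: for_each and rule attributes …
  lifecycle {
    # Exactly one attribute of each port pair must be present; the provider
    # otherwise rejects the rule only at apply time.
    precondition {
      condition = (
        length([for k in ["source_port_range", "source_port_ranges"] : k if lookup(each.value.rule, k, null) != null]) == 1 &&
        length([for k in ["destination_port_range", "destination_port_ranges"] : k if lookup(each.value.rule, k, null) != null]) == 1
      )
      error_message = "Rule '${each.key}': set exactly one of source_port_range/source_port_ranges and exactly one of destination_port_range/destination_port_ranges."
    }
  }
```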
@@ -37,16 +37,21 @@ variable "network_security_groups" {
 - `location` : (Optional) Specifies the Azure location where to deploy the resource.
 - `rules`: (Optional) A list of objects representing a Network Security Rule. The key of each entry acts as the name of the rule and
 needs to be unique across all rules in the Network Security Group.
- List of attributes available to define a Network Security Rule:
+ List of attributes available to define a Network Security Rule.
+ Notice, all port values are integers between `0` and `65535`. Port ranges can be specified as `minimum-maximum` port value, example: `21-23`:
 - `priority` : Numeric priority of the rule. The value can be between 100 and 4096 and must be unique for each rule in the collection.
 The lower the priority number, the higher the priority of the rule.
 - `direction` : The direction specifies if rule will be evaluated on incoming or outgoing traffic. Possible values are `Inbound` and `Outbound`.
 - `access` : Specifies whether network traffic is allowed or denied. Possible values are `Allow` and `Deny`.
- - `protocol` : Network protocol this rule applies to. Possible values include `Tcp`, `Udp`, `Icmp`, or `*` (which matches all).
- - `source_port_range` : List of source ports or port ranges.
- - `destination_port_range` : Destination Port or Range. Integer or range between `0` and `65535` or `*` to match any.
- - `source_address_prefix` : List of source address prefixes. Tags may not be used.
- - `destination_address_prefix` : CIDR or destination IP range or `*` to match any IP.
+ - `protocol` : Network protocol this rule applies to. Possible values include `Tcp`, `Udp`, `Icmp`, or `*` (which matches all). For supported values refer to the [provider documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_security_rule#protocol)
+ - `source_port_range` : A source port or a range of ports. This can also be an `*` to match all.
+ - `source_port_ranges` : A list of source ports or ranges of ports. This can be specified only if `source_port_range` was not used.
+ - `destination_port_range` : A destination port or a range of ports. This can also be an `*` to match all.
+ - `destination_port_range` : A list of destination ports or a ranges of ports. This can be specified only if `destination_port_range` was not used.
+ - `source_address_prefix` : Source CIDR or IP range or `*` to match any IP. This can also be a tag. To see all available tags for a region use the following command (example for US West Central): `az network list-service-tags --location westcentralus`.
+ - `source_address_prefixes` : A list of source address prefixes. Tags are not allowed. Can be specified only if `source_address_prefix` was not used.
+ - `destination_address_prefix` : Destination CIDR or IP range or `*` to match any IP. Tags are allowed, see `source_address_prefix` for details.
+ - `destination_address_prefixes` : A list of destination address prefixes. Tags are not allowed. Can be specified only if `destination_address_prefix` was not used.
 Example:
 ```
@@ -73,6 +78,16 @@ variable "network_security_groups" {
 destination_port_range = "22"
 source_address_prefix = "*"
 destination_address_prefix = "*"
+ },
+ "AllowWebBrowsing" = {
+ priority = 300
+ direction = "Inbound"
+ access = "Allow"
+ protocol = "Tcp"
+ source_port_range = "*"
+ destination_port_ranges = ["80","443"]
+ source_address_prefix = "*"
+ destination_address_prefix = "VirtualNetwork"
 }
 }
 },
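Review bot: The fourth added bullet documents the plural attribute under the wrong name — the description now lists `destination_port_range` twice, and the second entry says it may only be used when `destination_port_range` is not set, which reads as a contradiction; main.tf reads the key `destination_port_ranges` and the `AllowWebBrowsing` example in the next hunk uses that spelling. Proposed bullet: `` - `destination_port_ranges` : A list of destination ports or ranges of ports. This can be specified only if `destination_port_range` was not used.`` (this also drops the "a ranges of ports" typo). Since the variable is typed `any`, this description is the only place a user learns the exact key, so a misspelling here silently becomes a rule with neither attribute set.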
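Review bot: The new `AllowWebBrowsing` example admits TCP 80/443 from `source_address_prefix = "*"` to the entire `VirtualNetwork`; module examples tend to be copied into real NSGs, so an inbound allow from any source is a risky pattern to teach, even though the existing `AllowSSH` sample already does the same. Consider scoping it to a concrete source and, while at it, demonstrating the plural form alongside `destination_port_ranges`: `source_address_prefixes = ["198.51.100.0/24"]` in place of the `source_address_prefix = "*"` line.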