fix(module/vmseries): remove count when creating PublicIPs and NICs (#…

…226)
PaloAltoNetworks · Feb 2, 2023 · d4036b6 · d4036b6
1 parent bc46ac4
commit d4036b6
Show file tree

Hide file tree

Showing 5 changed files with 22 additions and 81 deletions.
diff --git a/makefile b/makefile
diff --git a/modules/vmseries/README.md b/modules/vmseries/README.md
@@ -96,7 +96,7 @@ No modules.
 | <a name="input_img_publisher"></a> [img\_publisher](#input\_img\_publisher) | The Azure Publisher identifier for a image which should be deployed. | `string` | `"paloaltonetworks"` | no |
 | <a name="input_img_sku"></a> [img\_sku](#input\_img\_sku) | VM-series SKU - list available with `az vm image list -o table --all --publisher paloaltonetworks` | `string` | `"bundle2"` | no |
 | <a name="input_img_version"></a> [img\_version](#input\_img\_version) | VM-series PAN-OS version - list available for a default `img_offer` with `az vm image list -o table --publisher paloaltonetworks --offer vmseries-flex --all` | `string` | `"10.1.0"` | no |
-| <a name="input_interfaces"></a> [interfaces](#input\_interfaces) | List of the network interface specifications.<br>The first should be the management interface, which does not participate in data filtering.<br>The remaining ones are the dataplane interfaces.<br>Options for an interface object:<br>- `name`                 - (required\|string) Interface name.<br>- `subnet_id`            - (required\|string) Identifier of an existing subnet to create interface in.<br>- `private_ip_address`   - (optional\|string) Static private IP to asssign to the interface. If null, dynamic one is allocated.<br>- `public_ip_address_id` - (optional\|string) Identifier of an existing public IP to associate.<br>- `create_public_ip`     - (optional\|bool) If true, create a public IP for the interface and ignore the `public_ip_address_id`. Default is false.<br>- `availability_zone`    - (optional\|string) Availability zone to create public IP in. If not specified, set based on `avzone` and `enable_zones`.<br>- `enable_ip_forwarding` - (optional\|bool) If true, the network interface will not discard packets sent to an IP address other than the one assigned. If false, the network interface only accepts traffic destined to its IP address.<br>- `enable_backend_pool`  - (optional\|bool) If true, associate interface with backend pool specified with `lb_backend_pool_id`. Default is false.<br>- `lb_backend_pool_id`   - (optional\|string) Identifier of an existing backend pool to associate interface with. Required if `enable_backend_pool` is true.<br>- `tags`                 - (optional\|map) Tags to assign to the interface and public IP (if created). Overrides contents of `tags` variable.<br><br>Example:<pre>[<br>  {<br>    name                 = "fw-mgmt"<br>    subnet_id            = azurerm_subnet.my_mgmt_subnet.id<br>    public_ip_address_id = azurerm_public_ip.my_mgmt_ip.id<br>  },<br>  {<br>    name                = "fw-public"<br>    subnet_id           = azurerm_subnet.my_pub_subnet.id<br>    lb_backend_pool_id  = module.inbound_lb.backend_pool_id<br>    enable_backend_pool = true<br>  },<br>]</pre> | `list(any)` | n/a | yes |
+| <a name="input_interfaces"></a> [interfaces](#input\_interfaces) | List of the network interface specifications.<br><br>NOTICE. The ORDER in which you specify the interfaces DOES MATTER.<br>Interfaces will be attached to VM in the order you define here, therefore:<br>* The first should be the management interface, which does not participate in data filtering.<br>* The remaining ones are the dataplane interfaces.<br><br>Options for an interface object:<br>- `name`                 - (required\|string) Interface name.<br>- `subnet_id`            - (required\|string) Identifier of an existing subnet to create interface in.<br>- `private_ip_address`   - (optional\|string) Static private IP to asssign to the interface. If null, dynamic one is allocated.<br>- `public_ip_address_id` - (optional\|string) Identifier of an existing public IP to associate.<br>- `create_public_ip`     - (optional\|bool) If true, create a public IP for the interface and ignore the `public_ip_address_id`. Default is false.<br>- `availability_zone`    - (optional\|string) Availability zone to create public IP in. If not specified, set based on `avzone` and `enable_zones`.<br>- `enable_ip_forwarding` - (optional\|bool) If true, the network interface will not discard packets sent to an IP address other than the one assigned. If false, the network interface only accepts traffic destined to its IP address.<br>- `enable_backend_pool`  - (optional\|bool) If true, associate interface with backend pool specified with `lb_backend_pool_id`. Default is false.<br>- `lb_backend_pool_id`   - (optional\|string) Identifier of an existing backend pool to associate interface with. Required if `enable_backend_pool` is true.<br>- `tags`                 - (optional\|map) Tags to assign to the interface and public IP (if created). Overrides contents of `tags` variable.<br><br>Example:<pre>[<br>  {<br>    name                 = "fw-mgmt"<br>    subnet_id            = azurerm_subnet.my_mgmt_subnet.id<br>    public_ip_address_id = azurerm_public_ip.my_mgmt_ip.id<br>  },<br>  {<br>    name                = "fw-public"<br>    subnet_id           = azurerm_subnet.my_pub_subnet.id<br>    lb_backend_pool_id  = module.inbound_lb.backend_pool_id<br>    enable_backend_pool = true<br>  },<br>]</pre> | `list(any)` | n/a | yes |
 | <a name="input_location"></a> [location](#input\_location) | Region where to deploy VM-Series and dependencies. | `string` | n/a | yes |
 | <a name="input_managed_disk_type"></a> [managed\_disk\_type](#input\_managed\_disk\_type) | Type of OS Managed Disk to create for the virtual machine. Possible values are `Standard_LRS`, `StandardSSD_LRS` or `Premium_LRS`. The `Premium_LRS` works only for selected `vm_size` values, details in Azure docs. | `string` | `"StandardSSD_LRS"` | no |
 | <a name="input_name"></a> [name](#input\_name) | VM-Series instance name. | `string` | n/a | yes |

diff --git a/modules/vmseries/main.tf b/modules/vmseries/main.tf
@@ -1,5 +1,5 @@
 resource "azurerm_public_ip" "this" {
-  for_each = { for k, v in var.interfaces : k => v if try(v.create_public_ip, false) }
+  for_each = { for v in var.interfaces : v.name => v if try(v.create_public_ip, false) }
 
   location            = var.location
   resource_group_name = var.resource_group_name
@@ -11,26 +11,26 @@ resource "azurerm_public_ip" "this" {
 }
 
 resource "azurerm_network_interface" "this" {
-  count = length(var.interfaces)
+  for_each = { for k, v in var.interfaces : v.name => merge(v, { index = k }) }
 
-  name                          = var.interfaces[count.index].name
+  name                          = each.value.name
   location                      = var.location
   resource_group_name           = var.resource_group_name
-  enable_accelerated_networking = count.index == 0 ? false : var.accelerated_networking                                  # for interface 0 it is unsupported by PAN-OS
-  enable_ip_forwarding          = try(var.interfaces[count.index].enable_ip_forwarding, count.index == 0 ? false : true) # for interface 0 use false per Reference Arch
-  tags                          = try(var.interfaces[count.index].tags, var.tags)
+  enable_accelerated_networking = each.value.index == 0 ? false : var.accelerated_networking                 # for interface 0 it is unsupported by PAN-OS
+  enable_ip_forwarding          = try(each.value.enable_ip_forwarding, each.value.index == 0 ? false : true) # for interface 0 use false per Reference Arch
+  tags                          = try(each.value.tags, var.tags)
 
   ip_configuration {
     name                          = "primary"
-    subnet_id                     = var.interfaces[count.index].subnet_id
-    private_ip_address_allocation = try(var.interfaces[count.index].private_ip_address, null) != null ? "Static" : "Dynamic"
-    private_ip_address            = try(var.interfaces[count.index].private_ip_address, null)
-    public_ip_address_id          = try(azurerm_public_ip.this[count.index].id, var.interfaces[count.index].public_ip_address_id, null)
+    subnet_id                     = each.value.subnet_id
+    private_ip_address_allocation = try(each.value.private_ip_address, null) != null ? "Static" : "Dynamic"
+    private_ip_address            = try(each.value.private_ip_address, null)
+    public_ip_address_id          = try(azurerm_public_ip.this[each.value.name].id, each.value.public_ip_address_id, null)
   }
 }
 
 resource "azurerm_network_interface_backend_address_pool_association" "this" {
-  for_each = { for k, v in var.interfaces : k => v if try(v.enable_backend_pool, false) }
+  for_each = { for v in var.interfaces : v.name => v if try(v.enable_backend_pool, false) }
 
   backend_address_pool_id = each.value.lb_backend_pool_id
   ip_configuration_name   = azurerm_network_interface.this[each.key].ip_configuration[0].name
@@ -45,9 +45,10 @@ resource "azurerm_virtual_machine" "this" {
   vm_size                      = var.vm_size
   zones                        = var.enable_zones && var.avzone != null && var.avzone != "" ? [var.avzone] : null
   availability_set_id          = var.avset_id
-  primary_network_interface_id = azurerm_network_interface.this[0].id
+  primary_network_interface_id = azurerm_network_interface.this[var.interfaces[0].name].id
 
-  network_interface_ids = [for k, v in azurerm_network_interface.this : v.id]
+  # network_interface_ids = [for k, v in azurerm_network_interface.this : v.id]
+  network_interface_ids = [for v in var.interfaces : azurerm_network_interface.this[v.name].id]
 
   storage_image_reference {
     id        = var.custom_image_id

diff --git a/modules/vmseries/outputs.tf b/modules/vmseries/outputs.tf
@@ -1,6 +1,6 @@
 output "mgmt_ip_address" {
   description = "VM-Series management IP address. If `create_public_ip` was `true`, it is a public IP address, otherwise a private IP address."
-  value       = try(var.interfaces[0].create_public_ip, false) ? azurerm_public_ip.this[0].ip_address : azurerm_network_interface.this[0].ip_configuration[0].private_ip_address
+  value       = try(var.interfaces[0].create_public_ip, false) ? azurerm_public_ip.this[var.interfaces[0].name].ip_address : azurerm_network_interface.this[var.interfaces[0].name].ip_configuration[0].private_ip_address
 }
 
 output "interfaces" {

diff --git a/modules/vmseries/variables.tf b/modules/vmseries/variables.tf
@@ -44,8 +44,12 @@ variable "avset_id" {
 variable "interfaces" {
   description = <<-EOF
   List of the network interface specifications.
-  The first should be the management interface, which does not participate in data filtering.
-  The remaining ones are the dataplane interfaces.
+
+  NOTICE. The ORDER in which you specify the interfaces DOES MATTER.
+  Interfaces will be attached to VM in the order you define here, therefore:
+  * The first should be the management interface, which does not participate in data filtering.
+  * The remaining ones are the dataplane interfaces.
+  
   Options for an interface object:
   - `name`                 - (required|string) Interface name.
   - `subnet_id`            - (required|string) Identifier of an existing subnet to create interface in.