This repository has been archived by the owner on Feb 14, 2024. It is now read-only.

feat(module/vnet): adding support for destination and source port ranges #211

Merged
merged 2 commits into from
Dec 13, 2022
2 changes: 1 addition & 1 deletion .github/workflows/ci.yml
Expand Up @@ -23,7 +23,7 @@ jobs:
uses: actions/setup-python@v2
with:
# Semantic version range syntax (like 3.x) or the exact Python version
python-version: '3.9.4'
python-version: '3.10'

- name: Run pre-commit framework as the developer should run it
run: sudo ./scripts/install.sh && sudo ./scripts/run.sh
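Review bot: the `python-version` bump from `'3.9.4'` to `'3.10'` in the `setup-python` step is unrelated to the port-range feature this PR is titled for; consider landing it as its own commit so the CI change can be reverted or bisected independently. Keeping the value quoted is correct and worth preserving: an unquoted `3.10` would be read by YAML as the float `3.1` and resolve to the wrong interpreter.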
2 changes: 1 addition & 1 deletion modules/vnet/README.md
Expand Up @@ -66,7 +66,7 @@ No modules.
| <a name="input_address_space"></a> [address\_space](#input\_address\_space) | The address space used by the virtual network. You can supply more than one address space. | `list(string)` | n/a | yes |
| <a name="input_create_virtual_network"></a> [create\_virtual\_network](#input\_create\_virtual\_network) | If true, create the Virtual Network, otherwise just use a pre-existing network. | `bool` | `true` | no |
| <a name="input_location"></a> [location](#input\_location) | Location of the resources that will be deployed. | `string` | n/a | yes |
| <a name="input_network_security_groups"></a> [network\_security\_groups](#input\_network\_security\_groups) | Map of Network Security Groups to create. The key of each entry acts as the Network Security Group name.<br>List of available attributes of each Network Security Group entry:<br>- `location` : (Optional) Specifies the Azure location where to deploy the resource.<br>- `rules`: (Optional) A list of objects representing a Network Security Rule. The key of each entry acts as the name of the rule and<br> needs to be unique across all rules in the Network Security Group.<br> List of attributes available to define a Network Security Rule:<br> - `priority` : Numeric priority of the rule. The value can be between 100 and 4096 and must be unique for each rule in the collection.<br> The lower the priority number, the higher the priority of the rule.<br> - `direction` : The direction specifies if rule will be evaluated on incoming or outgoing traffic. Possible values are `Inbound` and `Outbound`.<br> - `access` : Specifies whether network traffic is allowed or denied. Possible values are `Allow` and `Deny`.<br> - `protocol` : Network protocol this rule applies to. Possible values include `Tcp`, `Udp`, `Icmp`, or `*` (which matches all).<br> - `source_port_range` : List of source ports or port ranges.<br> - `destination_port_range` : Destination Port or Range. Integer or range between `0` and `65535` or `*` to match any.<br> - `source_address_prefix` : List of source address prefixes. 
Tags may not be used.<br> - `destination_address_prefix` : CIDR or destination IP range or `*` to match any IP.<br><br>Example:<pre>{<br> "network_security_group_1" = {<br> location = "Australia Central"<br> rules = {<br> "AllOutbound" = {<br> priority = 100<br> direction = "Outbound"<br> access = "Allow"<br> protocol = "Tcp"<br> source_port_range = "*"<br> destination_port_range = "*"<br> source_address_prefix = "*"<br> destination_address_prefix = "*"<br> },<br> "AllowSSH" = {<br> priority = 200<br> direction = "Inbound"<br> access = "Allow"<br> protocol = "Tcp"<br> source_port_range = "*"<br> destination_port_range = "22"<br> source_address_prefix = "*"<br> destination_address_prefix = "*"<br> }<br> }<br> },<br> "network_security_group_2" = {<br> rules = {}<br> }<br>}</pre> | `any` | n/a | yes |
| <a name="input_network_security_groups"></a> [network\_security\_groups](#input\_network\_security\_groups) | Map of Network Security Groups to create. The key of each entry acts as the Network Security Group name.<br>List of available attributes of each Network Security Group entry:<br>- `location` : (Optional) Specifies the Azure location where to deploy the resource.<br>- `rules`: (Optional) A list of objects representing a Network Security Rule. The key of each entry acts as the name of the rule and<br> needs to be unique across all rules in the Network Security Group.<br> List of attributes available to define a Network Security Rule.<br> Notice, all port values are integers between `0` and `65535`. Port ranges can be specified as `minimum-maximum` port value, example: `21-23`:<br> - `priority` : Numeric priority of the rule. The value can be between 100 and 4096 and must be unique for each rule in the collection.<br> The lower the priority number, the higher the priority of the rule.<br> - `direction` : The direction specifies if rule will be evaluated on incoming or outgoing traffic. Possible values are `Inbound` and `Outbound`.<br> - `access` : Specifies whether network traffic is allowed or denied. Possible values are `Allow` and `Deny`.<br> - `protocol` : Network protocol this rule applies to. Possible values include `Tcp`, `Udp`, `Icmp`, or `*` (which matches all). For supported values refer to the [provider documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_security_rule#protocol)<br> - `source_port_range` : A source port or a range of ports. This can also be an `*` to match all.<br> - `source_port_ranges` : A list of source ports or ranges of ports. This can be specified only if `source_port_range` was not used.<br> - `destination_port_range` : A destination port or a range of ports. 
This can also be an `*` to match all.<br> - `destination_port_range` : A list of destination ports or a ranges of ports. This can be specified only if `destination_port_range` was not used.<br> - `source_address_prefix` : Source CIDR or IP range or `*` to match any IP. This can also be a tag. To see all available tags for a region use the following command (example for US West Central): `az network list-service-tags --location westcentralus`.<br> - `source_address_prefixes` : A list of source address prefixes. Tags are not allowed. Can be specified only if `source_address_prefix` was not used.<br> - `destination_address_prefix` : Destination CIDR or IP range or `*` to match any IP. Tags are allowed, see `source_address_prefix` for details.<br> - `destination_address_prefixes` : A list of destination address prefixes. Tags are not allowed. Can be specified only if `destination_address_prefix` was not used.<br><br>Example:<pre>{<br> "network_security_group_1" = {<br> location = "Australia Central"<br> rules = {<br> "AllOutbound" = {<br> priority = 100<br> direction = "Outbound"<br> access = "Allow"<br> protocol = "Tcp"<br> source_port_range = "*"<br> destination_port_range = "*"<br> source_address_prefix = "*"<br> destination_address_prefix = "*"<br> },<br> "AllowSSH" = {<br> priority = 200<br> direction = "Inbound"<br> access = "Allow"<br> protocol = "Tcp"<br> source_port_range = "*"<br> destination_port_range = "22"<br> source_address_prefix = "*"<br> destination_address_prefix = "*"<br> },<br> "AllowWebBrowsing" = {<br> priority = 300<br> direction = "Inbound"<br> access = "Allow"<br> protocol = "Tcp"<br> source_port_range = "*"<br> destination_port_ranges = ["80","443"]<br> source_address_prefix = "*"<br> destination_address_prefix = "VirtualNetwork"<br> }<br> }<br> },<br> "network_security_group_2" = {<br> rules = {}<br> }<br>}</pre> | `any` | n/a | yes |
| <a name="input_resource_group_name"></a> [resource\_group\_name](#input\_resource\_group\_name) | Name of the Resource Group to use. | `string` | n/a | yes |
| <a name="input_route_tables"></a> [route\_tables](#input\_route\_tables) | Map of objects describing a Route Table. The key of each entry acts as the Route Table name.<br>List of available attributes of each Route Table entry:<br>- `location` : (Optional) Specifies the Azure location where to deploy the resource.<br>- `routes` : (Optional) Map of routes within the Route Table.<br> List of available attributes of each route entry:<br> - `address_prefix` : The destination CIDR to which the route applies, such as `10.1.0.0/16`.<br> - `next_hop_type` : The type of Azure hop the packet should be sent to.<br> Possible values are: `VirtualNetworkGateway`, `VnetLocal`, `Internet`, `VirtualAppliance` and `None`.<br> - `next_hop_in_ip_address` : Contains the IP address packets should be forwarded to. <br> Next hop values are only allowed in routes where the next hop type is `VirtualAppliance`.<br><br>Example:<pre>{<br> "route_table_1" = {<br> routes = {<br> "route_1" = {<br> address_prefix = "10.1.0.0/16"<br> next_hop_type = "vnetlocal"<br> },<br> "route_2" = {<br> address_prefix = "10.2.0.0/16"<br> next_hop_type = "vnetlocal"<br> },<br> }<br> },<br> "route_table_2" = {<br> routes = {<br> "route_3" = {<br> address_prefix = "0.0.0.0/0"<br> next_hop_type = "VirtualAppliance"<br> next_hop_in_ip_address = "10.112.0.100"<br> }<br> },<br> },<br>}</pre> | `map` | `{}` | no |
| <a name="input_subnets"></a> [subnets](#input\_subnets) | Map of subnet objects to create within a virtual network. The key of each entry acts as the subnet name.<br>List of available attributes of each subnet entry:<br>- `address_prefixes` : The address prefix to use for the subnet.<br>- `network_security_group_id` : The Network Security Group identifier to associate with the subnet.<br>- `route_table_id` : The Route Table identifier to associate with the subnet.<br>- `tags` : (Optional) Map of tags to assign to the resource.<br><br>Example:<pre>{<br> "management" = {<br> address_prefixes = ["10.100.0.0/24"]<br> network_security_group = "network_security_group_1"<br> route_table = "route_table_1"<br> },<br> "private" = {<br> address_prefixes = ["10.100.1.0/24"]<br> network_security_group = "network_security_group_2"<br> route_table = "route_table_2"<br> },<br> "public" = {<br> address_prefixes = ["10.100.2.0/24"]<br> network_security_group = "network_security_group_3"<br> route_table = "route_table_3"<br> },<br>}</pre> | `any` | n/a | yes |
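Review bot: the new `network_security_groups` description lists `destination_port_range` twice; the second bullet ("A list of destination ports or a ranges of ports. This can be specified only if `destination_port_range` was not used.") describes the attribute that `main.tf` reads as `destination_port_ranges`, so rename it and change "a ranges of ports" to "ranges of ports". This README row mirrors the description in `variables.tf` (the `<a name="input_...">` anchors look terraform-docs generated), so fix the text in the variable and regenerate rather than editing both copies by hand. The `protocol` bullet also lost its closing full stop after the documentation link.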
6 changes: 4 additions & 2 deletions modules/vnet/main.tf
Expand Up @@ -61,8 +61,10 @@ resource "azurerm_network_security_rule" "this" {
direction = each.value.rule.direction
access = each.value.rule.access
protocol = each.value.rule.protocol
source_port_range = each.value.rule.source_port_range
destination_port_range = each.value.rule.destination_port_range
source_port_range = lookup(each.value.rule, "source_port_range", null)
source_port_ranges = lookup(each.value.rule, "source_port_ranges", null)
destination_port_range = lookup(each.value.rule, "destination_port_range", null)
destination_port_ranges = lookup(each.value.rule, "destination_port_ranges", null)
source_address_prefix = lookup(each.value.rule, "source_address_prefix", null)
source_address_prefixes = lookup(each.value.rule, "source_address_prefixes", null)
destination_address_prefix = lookup(each.value.rule, "destination_address_prefix", null)
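Review bot: `lookup(each.value.rule, "...", null)` makes every port attribute optional, but nothing enforces that exactly one of `source_port_range`/`source_port_ranges` and exactly one of `destination_port_range`/`destination_port_ranges` is set, and because the variable is typed `any` a misspelled key is silently treated as absent. A rule with both members of a pair unset, or with both set (for example `destination_port_range = "*"` alongside a narrower `destination_port_ranges`), is only rejected by the provider at apply time. Consider a `validation` block on the variable, or a `precondition` on this resource, asserting per rule that one and only one of each pair is non-null, so the misconfiguration surfaces at plan time with a message naming the rule.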
27 changes: 21 additions & 6 deletions modules/vnet/variables.tf
Expand Up @@ -37,16 +37,21 @@ variable "network_security_groups" {
- `location` : (Optional) Specifies the Azure location where to deploy the resource.
- `rules`: (Optional) A list of objects representing a Network Security Rule. The key of each entry acts as the name of the rule and
needs to be unique across all rules in the Network Security Group.
List of attributes available to define a Network Security Rule:
List of attributes available to define a Network Security Rule.
Notice, all port values are integers between `0` and `65535`. Port ranges can be specified as `minimum-maximum` port value, example: `21-23`:
- `priority` : Numeric priority of the rule. The value can be between 100 and 4096 and must be unique for each rule in the collection.
The lower the priority number, the higher the priority of the rule.
- `direction` : The direction specifies if rule will be evaluated on incoming or outgoing traffic. Possible values are `Inbound` and `Outbound`.
- `access` : Specifies whether network traffic is allowed or denied. Possible values are `Allow` and `Deny`.
- `protocol` : Network protocol this rule applies to. Possible values include `Tcp`, `Udp`, `Icmp`, or `*` (which matches all).
- `source_port_range` : List of source ports or port ranges.
- `destination_port_range` : Destination Port or Range. Integer or range between `0` and `65535` or `*` to match any.
- `source_address_prefix` : List of source address prefixes. Tags may not be used.
- `destination_address_prefix` : CIDR or destination IP range or `*` to match any IP.
- `protocol` : Network protocol this rule applies to. Possible values include `Tcp`, `Udp`, `Icmp`, or `*` (which matches all). For supported values refer to the [provider documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_security_rule#protocol)
- `source_port_range` : A source port or a range of ports. This can also be an `*` to match all.
- `source_port_ranges` : A list of source ports or ranges of ports. This can be specified only if `source_port_range` was not used.
- `destination_port_range` : A destination port or a range of ports. This can also be an `*` to match all.
- `destination_port_range` : A list of destination ports or a ranges of ports. This can be specified only if `destination_port_range` was not used.
- `source_address_prefix` : Source CIDR or IP range or `*` to match any IP. This can also be a tag. To see all available tags for a region use the following command (example for US West Central): `az network list-service-tags --location westcentralus`.
- `source_address_prefixes` : A list of source address prefixes. Tags are not allowed. Can be specified only if `source_address_prefix` was not used.
- `destination_address_prefix` : Destination CIDR or IP range or `*` to match any IP. Tags are allowed, see `source_address_prefix` for details.
- `destination_address_prefixes` : A list of destination address prefixes. Tags are not allowed. Can be specified only if `destination_address_prefix` was not used.

Example:
```
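Review bot: same duplicate as in the README: the bullet following `destination_port_range` should be named `destination_port_ranges` to match what `main.tf` reads, and "a ranges of ports" should read "ranges of ports" (the `source_port_ranges` bullet has it right). In both new singular bullets "an `*`" reads better as "a `*`", and the `protocol` line is missing its full stop after the documentation link.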
Expand All @@ -73,6 +78,16 @@ variable "network_security_groups" {
destination_port_range = "22"
source_address_prefix = "*"
destination_address_prefix = "*"
},
"AllowWebBrowsing" = {
priority = 300
direction = "Inbound"
access = "Allow"
protocol = "Tcp"
source_port_range = "*"
destination_port_ranges = ["80","443"]
source_address_prefix = "*"
destination_address_prefix = "VirtualNetwork"
}
}
},
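Review bot: the new `AllowWebBrowsing` example passes ports as strings (`destination_port_ranges = ["80","443"]`), while the description added in the previous hunk states that "all port values are integers between `0` and `65535`"; phrase the description as port numbers given as strings, or make the example match, so readers are not left guessing which form the module expects. The example also shows that the singular `source_port_range` and the plural `destination_port_ranges` can be mixed within one rule because the exclusivity is per attribute pair; that is worth stating explicitly in the description rather than leaving it implicit in the example.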