
refactor(module/loadbalancer): separate fip and rules #352

11 changes: 7 additions & 4 deletions examples/common_vmseries/example.tfvars
Expand Up @@ -122,12 +122,14 @@ load_balancers = {
nsg_vnet_key = "transit"
nsg_key = "public"
network_security_allow_source_ips = ["0.0.0.0/0"] # Put your own public IP address here <-- TODO to be adjusted by the customer
avzones = ["1", "2", "3"]
frontend_ips = {
"palo-lb-app1" = {
"app1" = {
name = "app1"
public_ip_name = "public-lb-app1-pip"
create_public_ip = true
in_rules = {
"balanceHttp" = {
name = "HTTP"
protocol = "Tcp"
port = 80
}
Expand All @@ -136,15 +138,16 @@ load_balancers = {
}
}
"private" = {
name = "private-lb"
avzones = ["1", "2", "3"]
name = "private-lb"
frontend_ips = {
"ha-ports" = {
name = "private-vmseries"
vnet_key = "transit"
subnet_key = "private"
private_ip_address = "10.0.0.30"
in_rules = {
HA_PORTS = {
name = "HA-ports"
port = 0
protocol = "All"
}
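Review bot: The public LB in this example still carries `nsg_vnet_key`, `nsg_key` and `network_security_allow_source_ips` at the load balancer level, while the `load_balancers` type declared in examples/common_vmseries/variables.tf in this PR has none of them there — the NSG lookup keys and the allow list now live under `nsg_auto_rules_settings` as `nsg_vnet_key`, `nsg_key` and `source_ips`. If these three lines survive on the new side as written, Terraform should reject the value as not matching the declared object type and the example would not plan; the lines above the hunk may already open an `nsg_auto_rules_settings = {` block, which I cannot see from here. Either way the allow list should read `source_ips = ["0.0.0.0/0"]` inside that block, keeping the existing comment that it is to be narrowed to the customer's own addresses before use. The same three lines appear in examples/common_vmseries_and_autoscale/example.tfvars.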
46 changes: 25 additions & 21 deletions examples/common_vmseries/main.tf
Expand Up @@ -103,32 +103,35 @@ module "load_balancer" {
name = "${var.name_prefix}${each.value.name}"
location = var.location
resource_group_name = local.resource_group.name
enable_zones = var.enable_zones
avzones = try(each.value.avzones, null)
zones = each.value.zones

network_security_group_name = try(
"${var.name_prefix}${var.vnets[each.value.nsg_vnet_key].network_security_groups[each.value.nsg_key].name}",
each.value.network_security_group_name,
null
)
# network_security_group_name = try(each.value.network_security_group_name, null)
network_security_resource_group_name = try(
var.vnets[each.value.nsg_vnet_key].resource_group_name,
each.value.network_security_group_rg_name,
health_probes = each.value.health_probes

nsg_auto_rules_settings = try(
{
nsg_name = try(
"${var.name_prefix}${var.vnets[each.value.nsg_auto_rules_settings.nsg_vnet_key].network_security_groups[each.value.nsg_auto_rules_settings.nsg_key].name}",
each.value.nsg_auto_rules_settings.nsg_name
)
nsg_resource_group_name = try(
var.vnets[each.value.nsg_auto_rules_settings.nsg_vnet_key].resource_group_name,
each.value.nsg_auto_rules_settings.nsg_resource_group_name,
null
)
source_ips = each.value.nsg_auto_rules_settings.source_ips
base_priority = each.value.nsg_auto_rules_settings.base_priority
},
null
)
network_security_allow_source_ips = try(each.value.network_security_allow_source_ips, [])

frontend_ips = {
for k, v in each.value.frontend_ips : k => {
create_public_ip = try(v.create_public_ip, false)
public_ip_name = try(v.public_ip_name, null)
public_ip_resource_group = try(v.public_ip_resource_group, null)
private_ip_address = try(v.private_ip_address, null)
subnet_id = try(module.vnet[v.vnet_key].subnet_ids[v.subnet_key], null)
in_rules = try(v.in_rules, {})
out_rules = try(v.out_rules, {})
}
for k, v in each.value.frontend_ips : k => merge(
v,
{
public_ip_name = v.create_public_ip ? "${var.name_prefix}${v.public_ip_name}" : "${v.public_ip_name}",
subnet_id = try(module.vnet[v.vnet_key].subnet_ids[v.subnet_key], null)
}
)
}

tags = var.tags
Expand All @@ -137,6 +140,7 @@ module "load_balancer" {




# create the actual VMSeries VMs and resources
module "ai" {
source = "../../modules/application_insights"
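Review bot: The `public_ip_name` entry in the `frontend_ips` merge interpolates `v.public_ip_name` into a string template even when `create_public_ip` is false, and for a private frontend such as the example's `ha-ports` that value is null (`public_ip_name` is `optional(string)` with no default in variables.tf); Terraform does not accept a null inside a template, so as far as I can tell this fails at plan time. The else branch needs no template at all: `public_ip_name = v.create_public_ip ? "${var.name_prefix}${v.public_ip_name}" : v.public_ip_name`. The identical line is in examples/common_vmseries_and_autoscale/main.tf. Separately, wrapping the whole `nsg_auto_rules_settings` object in `try(…, null)` masks every evaluation error inside it rather than only the settings-omitted case; given the declared object type, `nsg_auto_rules_settings = each.value.nsg_auto_rules_settings == null ? null : { … }` expresses the intent without hiding a mistyped key. The `module "load_balancer"` block begins and ends outside this hunk.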
148 changes: 83 additions & 65 deletions examples/common_vmseries/variables.tf
Expand Up @@ -154,73 +154,91 @@ variable "natgws" {
### Load Balancing
variable "load_balancers" {
description = <<-EOF
A map containing configuration for all (private and public) Load Balancer that will be created in this deployment.

Following properties are available (for details refer to module's documentation):

- `name`: name of the Load Balancer resource.
- `nsg_vnet_key`: (public LB) defaults to `null`, a key describing a vnet (as defined in `vnet` variable) that hold an NSG we will update with an ingress rule for each listener.
- `nsg_key`: (public LB) defaults to `null`, a key describing an NSG (as defined in `vnet` variable, under `nsg_vnet_key`) we will update with an ingress rule for each listener.
- `network_security_group_name`: (public LB) defaults to `null`, in case of a brownfield deployment (no possibility to depend on `vnet` variable), a name of a security group, an ingress rule will be created in that NSG for each listener. **NOTE** this is the FULL NAME of the NSG (including prefixes).
- `network_security_group_rg_name`: (public LB) defaults to `null`, in case of a brownfield deployment (no possibility to depend on `vnet` variable), a name of a resource group for the security group, to be used when the NSG is hosted in a different RG than the one described in `var.resource_group_name`.
- `network_security_allow_source_ips`: (public LB) a list of IP addresses that will used in the ingress rules.
- `avzones`: (both) for regional Load Balancers, a list of supported zones (this has different meaning for public and private LBs - please refer to module's documentation for details).
- `frontend_ips`: (both) a map configuring both a listener and a load balancing rule, key is the name that will be used as an application name inside LB config as well as to create a rule in NSG (for public LBs), value is an object with the following properties:
- `create_public_ip`: (public LB) defaults to `false`, when set to `true` a Public IP will be created and associated with a listener
- `public_ip_name`: (public LB) defaults to `null`, when `create_public_ip` is set to `false` this property is used to reference an existing Public IP object in Azure
- `public_ip_resource_group`: (public LB) defaults to `null`, when using an existing Public IP created in a different Resource Group than the currently used use this property is to provide the name of that RG
- `private_ip_address`: (private LB) defaults to `null`, specify a static IP address that will be used by a listener
- `vnet_key`: (private LB) defaults to `null`, when `private_ip_address` is set specifies a vnet's key (as defined in `vnet` variable). This will be the VNET hosting this Load Balancer
- `subnet_key`: (private LB) defaults to `null`, when `private_ip_address` is set specifies a subnet's key (as defined in `vnet` variable) to which the LB will be attached, in case of VMSeries this should be a internal/trust subnet
- `rules` - a map configuring the actual rules load balancing rules, a key is a rule name, a value is an object with the following properties:
- `protocol`: protocol used by the rule, can be one the following: `TCP`, `UDP` or `All` when creating an HA PORTS rule
- `port`: port used by the rule, for HA PORTS rule set this to `0`

Example of a public Load Balancer:

```
"public_lb" = {
name = "https_app_lb"
network_security_group_name = "untrust_nsg"
network_security_allow_source_ips = ["1.2.3.4"]
avzones = ["1", "2", "3"]
frontend_ips = {
"https_app_1" = {
create_public_ip = true
rules = {
"balanceHttps" = {
protocol = "Tcp"
port = 443
}
}
}
}
}
```

Example of a private Load Balancer with HA PORTS rule:

```
"private_lb" = {
name = "ha_ports_internal_lb
frontend_ips = {
"ha-ports" = {
vnet_key = "trust_vnet"
subnet_key = "trust_snet"
private_ip_address = "10.0.0.1"
rules = {
HA_PORTS = {
port = 0
protocol = "All"
}
}
}
}
}
```

A map containing configuration for all (private and public) Load Balancers.

This is a brief description of available properties. For a detailed one please refer to
[module documentation](../../modules/loadbalancer/README.md).

Following properties are available:

- `name` - (`string`, required) a name of the Load Balancer
- `zones` - (`list`, optional, defaults to `["1", "2", "3"]`) list of zones the resource will be
available in, please check the
[module documentation](../../modules/loadbalancer/README.md#zones) for more details
- `health_probes` - (`map`, optional, defaults to `null`) a map defining health probes that will be used by
load balancing rules;
please check [module documentation](../../modules/loadbalancer/README.md#health_probes)
for more specific use cases and available properties
- `nsg_auto_rules_settings` - (`map`, optional, defaults to `null`) a map defining a location of an existing NSG rule
that will be populated with `Allow` rules for each load balancing rule (`in_rules`); please check
[module documentation](../../modules/loadbalancer/README.md#nsg_auto_rules_settings)
for available properties; please note that in this example two additional properties are
available:
- `nsg_key` - (`string`, optional, mutually exclusive with `nsg_name`) a key pointing to an NSG definition
in the `var.vnets` map
- `nsg_vnet_key` - (`string`, optional, mutually exclusive with `nsg_name`) a key pointing to a VNET definition
in the `var.vnets` map that stores the NSG described by `nsg_key`
- `frontend_ips` - (`map`, optional, defaults to `{}`) a map containing frontend IP configuration with respective
`in_rules` and `out_rules`

Please refer to [module documentation](../../modules/loadbalancer/README.md#frontend_ips) for available properties.

> [!NOTE]
> In this example the `subnet_id` is not available directly, three other properties were introduced instead.

- `subnet_key` - (`string`, optional, defaults to `null`) a key pointing to a Subnet definition in the `var.vnets` map
- `vnet_key` - (`string`, optional, defaults to `null`) a key pointing to a VNET definition in the `var.vnets` map
that stores the Subnet described by `subnet_key`
EOF
default = {}
nullable = false
type = map(object({
name = string
zones = optional(list(string), ["1", "2", "3"])
health_probes = optional(map(object({
name = string
protocol = string
port = optional(number)
probe_threshold = optional(number)
interval_in_seconds = optional(number)
request_path = optional(string)
})))
nsg_auto_rules_settings = optional(object({
nsg_name = optional(string)
nsg_vnet_key = optional(string)
nsg_key = optional(string)
nsg_resource_group_name = optional(string)
source_ips = list(string)
base_priority = optional(number)
}))
frontend_ips = optional(map(object({
name = string
public_ip_name = optional(string)
create_public_ip = optional(bool, false)
public_ip_resource_group = optional(string)
vnet_key = optional(string)
subnet_key = optional(string)
private_ip_address = optional(string)
gwlb_key = optional(string)
in_rules = optional(map(object({
name = string
protocol = string
port = number
backend_port = optional(number)
health_probe_key = optional(string)
floating_ip = optional(bool)
session_persistence = optional(string)
nsg_priority = optional(number)
})), {})
out_rules = optional(map(object({
name = string
protocol = string
allocated_outbound_ports = optional(number)
enable_tcp_reset = optional(bool)
idle_timeout_in_minutes = optional(number)
})), {})
})), {})
}))
}


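Review bot: The description states that `nsg_key`/`nsg_vnet_key` are mutually exclusive with `nsg_name`, but the new `nsg_auto_rules_settings` object type enforces nothing, and main.tf resolves the name with a `try()` that silently prefers the key lookup and falls back to `nsg_name` (possibly `null`) when the lookup fails. A `validation` block on the variable makes the contract explicit, so a misconfiguration is reported at plan time rather than ending up as `Allow` rules in an unintended NSG. The outer `try(…, true)` makes the check pass when `nsg_auto_rules_settings` is omitted; if both fields may legitimately be absent, relax the `!=` to rule out only the both-set case. The bullet's wording `a location of an existing NSG rule` also reads as though a rule is referenced, whereas the type takes the NSG itself, so `an existing NSG` seems to be meant.
```hcl
  }))

  validation {
    condition = alltrue([
      for lb in var.load_balancers :
      # settings omitted -> nothing to check; otherwise exactly one of nsg_name / nsg_key
      try((lb.nsg_auto_rules_settings.nsg_name == null) != (lb.nsg_auto_rules_settings.nsg_key == null), true)
    ])
    error_message = "nsg_auto_rules_settings requires exactly one of nsg_name or nsg_key (the latter together with nsg_vnet_key)."
  }
}
```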
14 changes: 8 additions & 6 deletions examples/common_vmseries_and_autoscale/example.tfvars
Expand Up @@ -6,7 +6,7 @@ tags = {
"CreatedBy" = "Palo Alto Networks"
"CreatedWith" = "Terraform"
}
enable_zones = true


# --- VNET PART --- #
vnets = {
Expand Down Expand Up @@ -132,12 +132,14 @@ load_balancers = {
nsg_vnet_key = "transit"
nsg_key = "public"
network_security_allow_source_ips = ["0.0.0.0/0"] # Put your own public IP address here <-- TODO to be adjusted by the customer
avzones = ["1", "2", "3"]
frontend_ips = {
"palo-lb-app1" = {
"app1" = {
name = "app1"
public_ip_name = "public-lb-app1-pip"
create_public_ip = true
in_rules = {
"balanceHttp" = {
name = "HTTP"
protocol = "Tcp"
port = 80
}
Expand All @@ -146,16 +148,16 @@ load_balancers = {
}
}
"private" = {
name = "private-lb"
avzones = ["1", "2", "3"]

name = "private-lb"
frontend_ips = {
"ha-ports" = {
name = "private-vmseries"
vnet_key = "transit"
subnet_key = "private"
private_ip_address = "10.0.0.30"
in_rules = {
HA_PORTS = {
name = "HA-ports"
port = 0
protocol = "All"
}
47 changes: 25 additions & 22 deletions examples/common_vmseries_and_autoscale/main.tf
Expand Up @@ -97,32 +97,35 @@ module "load_balancer" {
name = "${var.name_prefix}${each.value.name}"
location = var.location
resource_group_name = local.resource_group.name
enable_zones = var.enable_zones
avzones = try(each.value.avzones, null)

network_security_group_name = try(
"${var.name_prefix}${var.vnets[each.value.nsg_vnet_key].network_security_groups[each.value.nsg_key].name}",
each.value.network_security_group_name,
null
)
# network_security_group_name = try(each.value.network_security_group_name, null)
network_security_resource_group_name = try(
var.vnets[each.value.nsg_vnet_key].resource_group_name,
each.value.network_security_group_rg_name,
zones = each.value.zones

health_probes = each.value.health_probes

nsg_auto_rules_settings = try(
{
nsg_name = try(
"${var.name_prefix}${var.vnets[each.value.nsg_auto_rules_settings.nsg_vnet_key].network_security_groups[each.value.nsg_auto_rules_settings.nsg_key].name}",
each.value.nsg_auto_rules_settings.nsg_name
)
nsg_resource_group_name = try(
var.vnets[each.value.nsg_auto_rules_settings.nsg_vnet_key].resource_group_name,
each.value.nsg_auto_rules_settings.nsg_resource_group_name,
null
)
source_ips = each.value.nsg_auto_rules_settings.source_ips
base_priority = each.value.nsg_auto_rules_settings.base_priority
},
null
)
network_security_allow_source_ips = try(each.value.network_security_allow_source_ips, [])

frontend_ips = {
for k, v in each.value.frontend_ips : k => {
create_public_ip = try(v.create_public_ip, false)
public_ip_name = try(v.public_ip_name, null)
public_ip_resource_group = try(v.public_ip_resource_group, null)
private_ip_address = try(v.private_ip_address, null)
subnet_id = try(module.vnet[v.vnet_key].subnet_ids[v.subnet_key], null)
in_rules = try(v.in_rules, {})
out_rules = try(v.out_rules, {})
}
for k, v in each.value.frontend_ips : k => merge(
v,
{
public_ip_name = v.create_public_ip ? "${var.name_prefix}${v.public_ip_name}" : "${v.public_ip_name}",
subnet_id = try(module.vnet[v.vnet_key].subnet_ids[v.subnet_key], null)
}
)
}

tags = var.tags