Merge branch 'add-ip-configuration-to-private-endpoints' of https://g…

…ithub.com/fschirinzi/terraform-azurerm-caf into fschirinzi-add-ip-configuration-to-private-endpoints
aztfmod · Aug 3, 2023 · c136c92 · c136c92
2 parents 8203460 + a090d22
commit c136c92
Show file tree

Hide file tree

Showing 4 changed files with 132 additions and 1 deletion.
diff --git a/.github/workflows/standalone-networking.json b/.github/workflows/standalone-networking.json
@@ -32,6 +32,7 @@
     "networking/pip_prefix/100-simple-pip-prefix",
     "networking/private_dns_vnet_link/100_pvtdns_vnetlink",
     "networking/private_dns/100-private-dns-vnet-links",
+    "networking/private_endpoint",
     "networking/private_links/endpoints/centralized",
     "networking/virtual_network/100-import-rg",
     "networking/virtual_network/100-simple-vnet-subnets-nsgs",

diff --git a/examples/networking/private_endpoint/README.md b/examples/networking/private_endpoint/README.md
@@ -0,0 +1,19 @@
+You can test this module outside of a landingzone using
+
+```bash
+sudo terraform init
+
+terraform [plan|apply|destroy] \
+  -var-file ../configuration.tfvars \
+  -var-file ../keyvaults.tfvars \
+  -var-file ../nsg_definitions.tfvars \
+  -var-file ../virtual_networks.tfvars \
+  -var-file ../public_ip_addresses.tfvars \
+  -var-file ../virtual_machines.tfvars
+
+
+```
+
+sudo terraform plan -var-file examples/networking/private_endpoint/configuration.tfvars
+
+sudo terraform plan -var-file configuration.tfvars
diff --git a/examples/networking/private_endpoint/configuration.tfvars b/examples/networking/private_endpoint/configuration.tfvars
@@ -0,0 +1,100 @@
+global_settings = {
+  default_region = "region1"
+  regions = {
+    region1 = "australiaeast"
+  }
+}
+
+resource_groups = {
+  kv_region1 = {
+    name   = "keyvault-rg1"
+    region = "region1"
+  }
+}
+
+keyvaults = {
+
+  #
+  # Keyvault with private endpoint enabled and configured with two static ips
+  #
+  kv01_rg1 = {
+    name               = "certificates"
+    resource_group_key = "kv_region1"
+    sku_name           = "premium"
+
+    creation_policies = {
+      logged_in_user = {
+        secret_permissions      = ["Set", "Get", "List", "Delete", "Purge"]
+        certificate_permissions = ["ManageContacts", "ManageIssuers"]
+      }
+    }
+
+    network = {
+      bypass         = "AzureServices"
+      default_action = "Deny"
+    }
+
+    private_endpoints = {
+      # Require enforce_private_link_endpoint_network_policies set to true on the subnet
+      private-link1 = {
+        name               = "keyvault-certificates"
+        vnet_key           = "vnet_security"
+        subnet_key         = "private_link"
+        resource_group_key = "kv_region1"
+        # if the private_endpoint must be deployed in a remote resource group
+        # resource_group = {
+        #   lz_key = ""
+        #   key    = ""
+        # }
+
+        private_service_connection = {
+          name                 = "keyvault-certificates"
+          is_manual_connection = false
+          subresource_names    = ["vault"]
+        }
+
+        ip_configurations = {
+          static1= {          
+            name               = "kv01_rg1-name1"
+            private_ip_address = "10.150.100.140"
+            subresource_name   = "vault"
+            member_name        = "default"
+          }
+          static2 = {
+            name               = "kv01_rg1-name2"
+            private_ip_address = "10.150.100.150"
+            subresource_name   = "vault"
+            member_name        = "default2"
+          }
+        }
+
+        # private_dns = {
+        #   lz_key = ""
+        #   keys   = ["vaultcore"]
+        # }
+      }
+    }
+  }
+}
+
+vnets = {
+  vnet_security = {
+    resource_group_key = "kv_region1"
+    vnet = {
+      name          = "keyvaults"
+      address_space = ["10.150.100.0/24"]
+    }
+    subnets = {
+      keyvault_endpoints = {
+        name              = "keyvault"
+        cidr              = ["10.150.100.64/26"]
+        service_endpoints = ["Microsoft.KeyVault"]
+      }
+      private_link = {
+        name                                           = "private-links"
+        cidr                                           = ["10.150.100.128/26"]
+        enforce_private_link_endpoint_network_policies = true
+      }
+    }
+  }
+}
diff --git a/modules/networking/private_endpoint/private_endpoint.tf b/modules/networking/private_endpoint/private_endpoint.tf
@@ -42,4 +42,15 @@ resource "azurerm_private_endpoint" "pep" {
     }
   }
 
-}
+  dynamic "ip_configuration" {
+    for_each = try(var.settings.ip_configurations, {})
+
+    content {
+      name               = ip_configuration.value.name
+      private_ip_address = ip_configuration.value.private_ip_address
+      subresource_name   = lookup(ip_configuration.value, "subresource_name", null)
+      member_name        = lookup(ip_configuration.value, "member_name", null)
+    }
+  }
+
+}