From 0816040be64927d0e2b9b6804aee5616d6fe2010 Mon Sep 17 00:00:00 2001
From: "Schirinzi, Francesco"
Date: Thu, 6 Jul 2023 15:19:54 +0200
Subject: [PATCH 01/10] add ip_configuration to private endpoints
---
 modules/networking/private_endpoint/private_endpoint.tf | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/modules/networking/private_endpoint/private_endpoint.tf b/modules/networking/private_endpoint/private_endpoint.tf
index aabc4cbf02..393ddcdba6 100644
--- a/modules/networking/private_endpoint/private_endpoint.tf
+++ b/modules/networking/private_endpoint/private_endpoint.tf
@@ -42,4 +42,13 @@ resource "azurerm_private_endpoint" "pep" {
 } }
+ dynamic "ip_configuration" {
+ for_each = can(var.settings.ip_configuration) ? [var.settings.ip_configuration] : []
+
+ content {
+ name = lookup(ip_configuration.value, "name")
+ private_ip_address = ip_configuration.value.private_ip_address
+ }
+ }
+ } \ No newline at end of file
From b488ec61096dcdbee6c4153b515f4b27dd61cb7a Mon Sep 17 00:00:00 2001
From: "Schirinzi, Francesco"
Date: Thu, 6 Jul 2023 15:32:50 +0200
Subject: [PATCH 02/10] private endpoint update ip_configuration
---
 modules/networking/private_endpoint/private_endpoint.tf | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/modules/networking/private_endpoint/private_endpoint.tf b/modules/networking/private_endpoint/private_endpoint.tf
index 393ddcdba6..07d00ecc56 100644
--- a/modules/networking/private_endpoint/private_endpoint.tf
+++ b/modules/networking/private_endpoint/private_endpoint.tf
@@ -46,8 +46,10 @@ resource "azurerm_private_endpoint" "pep" {
 for_each = can(var.settings.ip_configuration) ? [var.settings.ip_configuration] : []
 content {
- name = lookup(ip_configuration.value, "name")
+ name = ip_configuration.value.name
 private_ip_address = ip_configuration.value.private_ip_address
+ subresource_name = lookup(ip_configuration.value, "subresource_name", null)
+ member_name = lookup(ip_configuration.value, "member_name ", null)
 } }
From 09ac6b669a0592aec87bfe5b5886efc62a0caa20 Mon Sep 17 00:00:00 2001
From: "Schirinzi, Francesco"
Date: Tue, 11 Jul 2023 09:03:39 +0200
Subject: [PATCH 03/10] tf format
---
 modules/networking/private_endpoint/private_endpoint.tf | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/modules/networking/private_endpoint/private_endpoint.tf b/modules/networking/private_endpoint/private_endpoint.tf
index 07d00ecc56..26b405e7a3 100644
--- a/modules/networking/private_endpoint/private_endpoint.tf
+++ b/modules/networking/private_endpoint/private_endpoint.tf
@@ -46,11 +46,11 @@ resource "azurerm_private_endpoint" "pep" {
 for_each = can(var.settings.ip_configuration) ? [var.settings.ip_configuration] : []
 content {
- name = ip_configuration.value.name
+ name = ip_configuration.value.name
 private_ip_address = ip_configuration.value.private_ip_address
- subresource_name = lookup(ip_configuration.value, "subresource_name", null)
- member_name = lookup(ip_configuration.value, "member_name ", null)
+ subresource_name = lookup(ip_configuration.value, "subresource_name", null)
+ member_name = lookup(ip_configuration.value, "member_name ", null)
 }
- }
+ } } \ No newline at end of file
From ffea9dedc4a30921428f6efc210a52ce6c4e8940 Mon Sep 17 00:00:00 2001
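Review bot: The `lookup` key for `member_name` on the last added line is `"member_name "` with a trailing space, so it never matches the caller's key and the attribute is always `null`, silently dropping any `member_name` supplied in `settings.ip_configuration`; the line should read `member_name = lookup(ip_configuration.value, "member_name", null)`. PATCH 05/10 of this series makes that correction, so it only needs folding into this commit if the series is squashed or rebased. A `lookup` with a `null` default hides this class of typo on every optional key, which is an argument for setting `subresource_name` and `member_name` in the example so a plan output would show the missing value. The enclosing `dynamic "ip_configuration"` block and the `azurerm_private_endpoint` resource begin outside this hunk.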
From: "Schirinzi, Francesco"
Date: Tue, 11 Jul 2023 09:05:36 +0200
Subject: [PATCH 04/10] add example
---
 .../private_endpoint/configuration.tfvars | 29 +++++++++++++++++++
 1 file changed, 29 insertions(+)
 create mode 100644 examples/networking/private_endpoint/configuration.tfvars
diff --git a/examples/networking/private_endpoint/configuration.tfvars b/examples/networking/private_endpoint/configuration.tfvars
new file mode 100644
index 0000000000..70b6d2e80d
--- /dev/null
+++ b/examples/networking/private_endpoint/configuration.tfvars
@@ -0,0 +1,29 @@
+
+global_settings = {
+ default_region = "region1"
+ regions = {
+ region1 = "southeastasia"
+ }
+}
+
+name = "stgtest"
+
+resource_group_name = "my-rg"
+location = "australiaeast"
+
+subnet_id = "/subscriptions/.../some/subnet/id"
+
+settings = {
+ private_service_connection = {
+ name = "stgtest"
+ is_manual_connection = false
+ subresource_names = ["blob"]
+ }
+
+ ip_configuration = {
+ name = "pep-name"
+ private_ip_address = "192.168.1.10"
+ subresource_name = "Blob"
+ member_name = "Blob"
+ }
+}
From 0dc1763a2ae40785d729513e373d1dea3b320a9a Mon Sep 17 00:00:00 2001
From: Francesco <5647342+fschirinzi@users.noreply.github.com>
Date: Mon, 17 Jul 2023 10:22:31 +0200
Subject: [PATCH 05/10] fix private_endpoint static ip config
---
 modules/networking/private_endpoint/private_endpoint.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/modules/networking/private_endpoint/private_endpoint.tf b/modules/networking/private_endpoint/private_endpoint.tf
index 26b405e7a3..d36105a170 100644
--- a/modules/networking/private_endpoint/private_endpoint.tf
+++ b/modules/networking/private_endpoint/private_endpoint.tf
@@ -49,8 +49,8 @@ resource "azurerm_private_endpoint" "pep" {
 name = ip_configuration.value.name
 private_ip_address = ip_configuration.value.private_ip_address
 subresource_name = lookup(ip_configuration.value, "subresource_name", null)
- member_name = lookup(ip_configuration.value, "member_name ", null)
+ member_name = lookup(ip_configuration.value, "member_name", null)
 } }
-} \ No newline at end of file
+}
From bccaae38e0778e66d897c2026df0a6e29cc46474 Mon Sep 17 00:00:00 2001
From: "Schirinzi, Francesco"
Date: Wed, 26 Jul 2023 10:24:22 +0200
Subject: [PATCH 06/10] update private endpoint static ip example
---
 .../private_endpoint/configuration.tfvars | 95 +++++++++++++++----
 1 file changed, 79 insertions(+), 16 deletions(-)
diff --git a/examples/networking/private_endpoint/configuration.tfvars b/examples/networking/private_endpoint/configuration.tfvars
index 70b6d2e80d..b93019ac6b 100644
--- a/examples/networking/private_endpoint/configuration.tfvars
+++ b/examples/networking/private_endpoint/configuration.tfvars
@@ -1,29 +1,92 @@
- global_settings = {
 default_region = "region1"
 regions = {
- region1 = "southeastasia"
+ region1 = "australiaeast"
 } }
-name = "stgtest"
+resource_groups = {
+ kv_region1 = {
+ name = "keyvault-rg1"
+ region = "region1"
+ }
+}
+
+keyvaults = {
+
+ #
+ # Keyvault with private endpoint enabled and configured with a static ip
+ #
+ kv01_rg1 = {
+ name = "certificates"
+ resource_group_key = "kv_region1"
+ sku_name = "premium"
-resource_group_name = "my-rg"
-location = "australiaeast"
+ creation_policies = {
+ logged_in_user = {
+ secret_permissions = ["Set", "Get", "List", "Delete", "Purge"]
+ certificate_permissions = ["ManageContacts", "ManageIssuers"]
+ }
+ }
-subnet_id = "/subscriptions/.../some/subnet/id"
+ network = {
+ bypass = "AzureServices"
+ default_action = "Deny"
+ }
-settings = {
- private_service_connection = {
- name = "stgtest"
- is_manual_connection = false
- subresource_names = ["blob"]
+ private_endpoints = {
+ # Require enforce_private_link_endpoint_network_policies set to true on the subnet
+ private-link1 = {
+ name = "keyvault-certificates"
+ vnet_key = "vnet_security"
+ subnet_key = "private_link"
+ resource_group_key = "kv_region1"
+ # if the private_endpoint must be deployed in a remote resource group
+ # resource_group = {
+ # lz_key = ""
+ # key = ""
+ # }
+
+ private_service_connection = {
+ name = "keyvault-certificates"
+ is_manual_connection = false
+ subresource_names = ["vault"]
+ }
+
+ ip_configuration = {
+ name = "kv01_rg1-name"
+ private_ip_address = "10.150.100.70"
+ subresource_name = "vault"
+ member_name = "default"
+ }
+
+ # private_dns = {
+ # lz_key = ""
+ # keys = ["vaultcore"]
+ # }
+ }
+ } }
+}
- ip_configuration = {
- name = "pep-name"
- private_ip_address = "192.168.1.10"
- subresource_name = "Blob"
- member_name = "Blob"
+vnets = {
+ vnet_security = {
+ resource_group_key = "kv_region1"
+ vnet = {
+ name = "keyvaults"
+ address_space = ["10.150.100.0/24"]
+ }
+ subnets = {
+ keyvault_endpoints = {
+ name = "keyvault"
+ cidr = ["10.150.100.64/26"]
+ service_endpoints = ["Microsoft.KeyVault"]
+ }
+ private_link = {
+ name = "private-links"
+ cidr = ["10.150.100.128/26"]
+ enforce_private_link_endpoint_network_policies = true
+ }
+ } } }
From c0723087e92e98888890a3feac399461b9c4d1d7 Mon Sep 17 00:00:00 2001
From: Francesco <5647342+fschirinzi@users.noreply.github.com>
Date: Wed, 26 Jul 2023 14:48:03 +0200
Subject: [PATCH 07/10] Update examples/networking/private_endpoint/configuration.tfvars
Co-authored-by: Arnaud Lheureux
---
 examples/networking/private_endpoint/configuration.tfvars | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/examples/networking/private_endpoint/configuration.tfvars b/examples/networking/private_endpoint/configuration.tfvars
index b93019ac6b..e7e098b183 100644
--- a/examples/networking/private_endpoint/configuration.tfvars
+++ b/examples/networking/private_endpoint/configuration.tfvars
@@ -55,7 +55,7 @@ keyvaults = {
 ip_configuration = {
 name = "kv01_rg1-name"
- private_ip_address = "10.150.100.70"
+ private_ip_address = "10.150.100.140"
 subresource_name = "vault"
 member_name = "default"
 }
From 69ce3d680a91dec5f6a60febcc24a63cdac22dd9 Mon Sep 17 00:00:00 2001
From: "Schirinzi, Francesco"
Date: Mon, 31 Jul 2023 08:52:18 +0200
Subject: [PATCH 08/10] private endpoint: add multi ip_configuration
---
 .../private_endpoint/configuration.tfvars | 18 +++++++++++++-----
 .../private_endpoint/private_endpoint.tf | 2 +-
 2 files changed, 14 insertions(+), 6 deletions(-)
diff --git a/examples/networking/private_endpoint/configuration.tfvars b/examples/networking/private_endpoint/configuration.tfvars
index e7e098b183..062b15d0ba 100644
--- a/examples/networking/private_endpoint/configuration.tfvars
+++ b/examples/networking/private_endpoint/configuration.tfvars
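Review bot: The static address `private_ip_address = "10.150.100.70"` in the `ip_configuration` block lies in the `keyvault_endpoints` subnet (`10.150.100.64/26`, .64–.127), not in the `private_link` subnet (`10.150.100.128/26`) that `subnet_key = "private_link"` places the endpoint in, so this example cannot apply as written; PATCH 07/10 of this series moves it to `10.150.100.140`. Because the example is later added to the CI workflow, I would put a comment above the address, e.g. `# must be a free, non-reserved address inside the private_link subnet (10.150.100.128/26); Azure reserves the first four and the last address of every subnet`, so the dependency between the two blocks is visible to anyone editing one of them. The `secret_permissions` list for `logged_in_user` includes `Purge`, which is broader than a private-endpoint example needs; a one-line comment on why it is granted, or dropping it, would help readers who copy this block into their own landing zone.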
@@ -53,11 +53,19 @@ keyvaults = {
 subresource_names = ["vault"]
 }
- ip_configuration = {
- name = "kv01_rg1-name"
- private_ip_address = "10.150.100.140"
- subresource_name = "vault"
- member_name = "default"
+ ip_configurations = {
+ static1= {
+ name = "kv01_rg1-name1"
+ private_ip_address = "10.150.100.140"
+ subresource_name = "vault"
+ member_name = "default"
+ }
+ static2 = {
+ name = "kv01_rg1-name2"
+ private_ip_address = "10.150.100.150"
+ subresource_name = "vault"
+ member_name = "default2"
+ } }
 # private_dns = {
diff --git a/modules/networking/private_endpoint/private_endpoint.tf b/modules/networking/private_endpoint/private_endpoint.tf
index d36105a170..199478464b 100644
--- a/modules/networking/private_endpoint/private_endpoint.tf
+++ b/modules/networking/private_endpoint/private_endpoint.tf
@@ -43,7 +43,7 @@ resource "azurerm_private_endpoint" "pep" {
 }
 dynamic "ip_configuration" {
- for_each = can(var.settings.ip_configuration) ? [var.settings.ip_configuration] : []
+ for_each = try(var.settings.ip_configurations, {})
 content {
 name = ip_configuration.value.name
From b8a5d875de1d6f9008ac4d3d4ec9c5f11dbceeb4 Mon Sep 17 00:00:00 2001
From: "Schirinzi, Francesco"
Date: Mon, 31 Jul 2023 09:06:44 +0200
Subject: [PATCH 09/10] fix docs
---
 .../networking/private_endpoint/README.md | 19 +++++++++++++++++++
 .../private_endpoint/configuration.tfvars | 2 +-
 2 files changed, 20 insertions(+), 1 deletion(-)
 create mode 100644 examples/networking/private_endpoint/README.md
diff --git a/examples/networking/private_endpoint/README.md b/examples/networking/private_endpoint/README.md
new file mode 100644
index 0000000000..891bead835
--- /dev/null
+++ b/examples/networking/private_endpoint/README.md
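Review bot: `static1= {` is missing the space before `=` that every other key in this file has, and `terraform fmt` would rewrite it; since PATCH 03/10 of this series exists only to format, the line should read `static1 = {`. The two entries share `subresource_name = "vault"` but use different `member_name` values (`default` and `default2`); whether the Key Vault `vault` group exposes a second member is not visible here, so the example could plan cleanly and still fail at apply time, which is worth confirming before the example runs in CI. The enclosing `private-link1` and `keyvaults` blocks begin and end outside this hunk.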
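Review bot: The new `for_each = try(var.settings.ip_configurations, {})` reads a plural map, and `try(..., {})` also swallows a caller that still passes the singular `settings.ip_configuration` object from PATCH 01/10, which would then get a dynamically assigned address with no error instead of the static one it asked for. If the singular key was never released this is harmless, but the contract is easier to see with a guard, e.g. a `lifecycle { precondition { ... } }` asserting `!can(var.settings.ip_configuration)` with a message naming the new key, where the repository's minimum Terraform version allows it. With a map as the source `ip_configuration.key` is also available, so `name = try(ip_configuration.value.name, ip_configuration.key)` would let callers omit `name` and still get a unique value per block. The `resource "azurerm_private_endpoint" "pep"` block and the `content` block continue outside this hunk.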
@@ -0,0 +1,19 @@
+You can test this module outside of a landingzone using
+
+```bash
+sudo terraform init
+
+terraform [plan|apply|destroy] \
+ -var-file ../configuration.tfvars \
+ -var-file ../keyvaults.tfvars \
+ -var-file ../nsg_definitions.tfvars \
+ -var-file ../virtual_networks.tfvars \
+ -var-file ../public_ip_addresses.tfvars \
+ -var-file ../virtual_machines.tfvars
+
+
+```
+
+sudo terraform plan -var-file examples/networking/private_endpoint/configuration.tfvars
+
+sudo terraform plan -var-file configuration.tfvars \ No newline at end of file
diff --git a/examples/networking/private_endpoint/configuration.tfvars b/examples/networking/private_endpoint/configuration.tfvars
index 062b15d0ba..3754101d29 100644
--- a/examples/networking/private_endpoint/configuration.tfvars
+++ b/examples/networking/private_endpoint/configuration.tfvars
@@ -15,7 +15,7 @@ resource_groups = {
 keyvaults = {
 #
- # Keyvault with private endpoint enabled and configured with a static ip
+ # Keyvault with private endpoint enabled and configured with two static ips
 #
 kv01_rg1 = {
 name = "certificates"
From a090d229498391ab01394590ace2b4c9abf9e6b3 Mon Sep 17 00:00:00 2001
From: "Schirinzi, Francesco"
Date: Mon, 31 Jul 2023 09:06:59 +0200
Subject: [PATCH 10/10] add example to workflows
---
 .github/workflows/standalone-networking.json | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/standalone-networking.json b/.github/workflows/standalone-networking.json
index 0243fe4723..bb723062b3 100644
--- a/.github/workflows/standalone-networking.json
+++ b/.github/workflows/standalone-networking.json
@@ -22,6 +22,7 @@
 "networking/pip_prefix/100-simple-pip-prefix",
 "networking/private_dns_vnet_link/100_pvtdns_vnetlink",
 "networking/private_dns/100-private-dns-vnet-links",
+ "networking/private_endpoint",
 "networking/private_links/endpoints/centralized",
 "networking/virtual_network/100-import-rg",
 "networking/virtual_network/100-simple-vnet-subnets-nsgs",