libre-devops / terraform-azurerm-nsg

A module used to generate a sensible default NSG and attach it to an Azure subnet. Note, this NSG is deployed with some default rules including an explicit deny :bomb:

```hcl
module "rg" {
  source = "registry.terraform.io/libre-devops/rg/azurerm"

  rg_name  = "rg-${var.short}-${var.loc}-${terraform.workspace}-build" // rg-ldo-euw-dev-build
  location = local.location                                            // compares var.loc with the var.regions var to match a long-hand name, in this case "euw", so "westeurope"
  tags     = local.tags

  # lock_level = "CanNotDelete" // Do not set this value to skip lock
}

module "network" {
  source = "registry.terraform.io/libre-devops/network/azurerm"

  rg_name  = module.rg.rg_name // rg-ldo-euw-dev-build
  location = module.rg.rg_location
  tags     = local.tags

  // A module call cannot reference its own outputs (Terraform reports a cycle), so the
  // subnet names are built from the same variables as vnet_name instead of module.network.vnet_name
  vnet_name     = "vnet-${var.short}-${var.loc}-${terraform.workspace}-01" // vnet-ldo-euw-dev-01
  vnet_location = module.rg.rg_location

  address_space   = ["10.0.0.0/16"]
  subnet_prefixes = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
  subnet_names = [
    "sn1-vnet-${var.short}-${var.loc}-${terraform.workspace}-01", // sn1-vnet-ldo-euw-dev-01
    "sn2-vnet-${var.short}-${var.loc}-${terraform.workspace}-01", // sn2-vnet-ldo-euw-dev-01
    "sn3-vnet-${var.short}-${var.loc}-${terraform.workspace}-01", // sn3-vnet-ldo-euw-dev-01
  ]
  subnet_service_endpoints = {
    "sn1-vnet-${var.short}-${var.loc}-${terraform.workspace}-01" = ["Microsoft.Storage"]                  // Adds extra subnet endpoints to sn1-vnet-ldo-euw-dev-01
    "sn2-vnet-${var.short}-${var.loc}-${terraform.workspace}-01" = ["Microsoft.Storage", "Microsoft.Sql"] // Adds extra subnet endpoints to sn2-vnet-ldo-euw-dev-01
    "sn3-vnet-${var.short}-${var.loc}-${terraform.workspace}-01" = ["Microsoft.AzureActiveDirectory"]     // Adds extra subnet endpoints to sn3-vnet-ldo-euw-dev-01
  }
}

module "nsg" {
  source = "registry.terraform.io/libre-devops/nsg/azurerm"

  rg_name   = module.rg.rg_name
  location  = module.rg.rg_location
  nsg_name  = "nsg-${var.short}-${var.loc}-${terraform.workspace}-01"
  subnet_id = element(values(module.network.subnets_ids), 0) // attaches the NSG to the first subnet; values() orders by key, so sn1-...

  tags = module.rg.rg_tags
}
```

For a full example build, check out the Libre DevOps Website.

Requirements

No requirements.

Providers

| Name | Version |
|------|---------|
| azurerm | n/a |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| azurerm_network_security_group.nsg | resource |
| azurerm_network_security_rule.nsg | resource |
| azurerm_subnet_network_security_group_association.nsg_association | resource |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| location | The location for this resource to be put in | string | n/a | yes |
| nsg_name | The name of the resource to be created | string | n/a | yes |
| rg_name | The name of the resource group. This module does not create a resource group; it expects the name of a resource group that already exists | string | n/a | yes |
| standard_nsg_list | The standard rule set applied to the NSG. Call the module with `standard_nsg_list = {}` to disable the standard rules | map | see below | no |
| subnet_id | The ID of the subnet for the NSG to be attached to | string | n/a | yes |
| tags | The tags assigned to the resource | map(string) | n/a | yes |

Default value of `standard_nsg_list` (outbound allows to Azure service tags, plus an explicit catch-all inbound deny at the lowest-precedence priority, 4096):

```json
{
  "AllowAzureActiveDirectoryOutbound": {
    "access": "Allow",
    "destination_address_prefix": "AzureActiveDirectory",
    "direction": "Outbound",
    "priority": "4050"
  },
  "AllowAzureBackupOutbound": {
    "access": "Allow",
    "destination_address_prefix": "AzureBackup",
    "direction": "Outbound",
    "priority": "4045"
  },
  "AllowAzureCloudOutbound": {
    "access": "Allow",
    "destination_address_prefix": "AzureCloud",
    "direction": "Outbound",
    "priority": "4040"
  },
  "AllowAzureKeyVaultOutbound": {
    "access": "Allow",
    "destination_address_prefix": "AzureKeyVault",
    "direction": "Outbound",
    "priority": "4035"
  },
  "AllowAzureLoadBalancerOutbound": {
    "access": "Allow",
    "destination_address_prefix": "AzureLoadBalancer",
    "direction": "Outbound",
    "priority": "4030"
  },
  "AllowAzureMonitorOutbound": {
    "access": "Allow",
    "destination_address_prefix": "AzureMonitor",
    "direction": "Outbound",
    "priority": "4025"
  },
  "AllowAzureStorageOutbound": {
    "access": "Allow",
    "destination_address_prefix": "Storage",
    "direction": "Outbound",
    "priority": "4020"
  },
  "DenyAllInbound": {
    "access": "Deny",
    "destination_address_prefix": "*",
    "direction": "Inbound",
    "priority": "4096"
  }
}
```
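Because Azure evaluates NSG rules from the lowest priority number upward and stops at the first match, an override of `standard_nsg_list` is only as safe as the position of its catch-all deny. The following is an added example (not part of this module) that lints a rule map in the module's `standard_nsg_list` shape: it checks the Azure priority range, duplicate priorities, the presence of a catch-all inbound Deny, and any inbound rules left unreachable behind it. The default rule set is copied from the table above; `lint_nsg_rules` is a name chosen here.

```python
"""Lint an NSG rule map shaped like this module's standard_nsg_list input."""

# Constructed copy of the module's documented default rule set (the Inputs table above).
_DEFAULTS = [
    ("AllowAzureActiveDirectoryOutbound", "Allow", "AzureActiveDirectory", "Outbound", "4050"),
    ("AllowAzureBackupOutbound", "Allow", "AzureBackup", "Outbound", "4045"),
    ("AllowAzureCloudOutbound", "Allow", "AzureCloud", "Outbound", "4040"),
    ("AllowAzureKeyVaultOutbound", "Allow", "AzureKeyVault", "Outbound", "4035"),
    ("AllowAzureLoadBalancerOutbound", "Allow", "AzureLoadBalancer", "Outbound", "4030"),
    ("AllowAzureMonitorOutbound", "Allow", "AzureMonitor", "Outbound", "4025"),
    ("AllowAzureStorageOutbound", "Allow", "Storage", "Outbound", "4020"),
    ("DenyAllInbound", "Deny", "*", "Inbound", "4096"),
]
STANDARD_NSG_LIST = {
    name: {"access": a, "destination_address_prefix": d, "direction": dr, "priority": p}
    for name, a, d, dr, p in _DEFAULTS
}


def lint_nsg_rules(rules):
    """Return a list of findings; an empty list means the rule map passes."""
    findings = []
    seen = {}
    for name, rule in rules.items():
        prio = int(rule["priority"])
        if not 100 <= prio <= 4096:
            findings.append(f"{name}: priority {prio} is outside Azure's 100-4096 range")
        key = (rule["direction"], prio)
        if key in seen:  # Azure rejects two rules with the same direction and priority
            findings.append(f"{name}: duplicate {rule['direction']} priority {prio} (also used by {seen[key]})")
        seen[key] = name

    # Lowest priority number is evaluated first and the first match wins, so the
    # catch-all deny must carry the highest number of any inbound rule.
    inbound = sorted((int(r["priority"]), n) for n, r in rules.items() if r["direction"] == "Inbound")
    denies = [p for p, n in inbound
              if rules[n]["access"] == "Deny" and rules[n]["destination_address_prefix"] == "*"]
    if not denies:
        findings.append("no catch-all inbound Deny: traffic falls through to Azure's built-in default rules")
    else:
        for prio, name in inbound:
            if prio > denies[0]:
                findings.append(f"{name}: shadowed by the catch-all Deny at priority {denies[0]}, never evaluated")
    return findings


if __name__ == "__main__":
    print(lint_nsg_rules(STANDARD_NSG_LIST))  # [] : the module default passes
    print(lint_nsg_rules({}))                  # standard_nsg_list = {} drops the explicit deny
```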

Outputs

| Name | Description |
|------|-------------|
| nsg_id | n/a |
| nsg_name | n/a |


License: MIT License
