##-----------------------------------------------------------------------------
## Module : labels
## Description : Terraform module that builds consistent names and tags for the resources created below.
##-----------------------------------------------------------------------------
module "labels" {
  # Pinned to an exact release so an upstream change cannot silently alter the generated
  # names or tags (and with them the NSG name every rule below is attached to) without a
  # reviewed version bump.
  source  = "clouddrove/labels/azure"
  version = "1.0.0"

  # Naming inputs (presumably assembled into module.labels.id in label_order — see the
  # upstream module for the exact format).
  name        = var.name
  environment = var.environment
  managedby   = var.managedby
  label_order = var.label_order

  # Tagging inputs (presumably merged into module.labels.tags).
  repository = var.repository
  extra_tags = var.extra_tags
}
##-----------------------------------------------------------------------------
## Below resource will create network security group in azure.
##-----------------------------------------------------------------------------
resource "azurerm_network_security_group" "nsg" {
  # Exactly one NSG when the module is enabled; every other resource in this file refers to
  # it as nsg[0]. NOTE(review): an NSG with no rules of its own still carries Azure's
  # built-in default rules (including the implicit allow to the Internet outbound) — confirm
  # that the inbound/outbound rule lists cover the intended posture.
  count = var.enabled ? 1 : 0

  name                = "${module.labels.id}-nsg"
  location            = var.resource_group_location
  resource_group_name = var.resource_group_name
  tags                = module.labels.tags

  # Provider operation timeouts are caller-configurable.
  timeouts {
    create = var.create
    read   = var.read
    update = var.update
    delete = var.delete
  }
}
##-----------------------------------------------------------------------------
## Below resource creates the inbound rules of the network security group above and attaches them to it.
##-----------------------------------------------------------------------------
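resource "azurerm_network_security_rule" "inbound" {
  # One rule per entry in var.inbound_rules, keyed by rule name; two entries that share a
  # name collapse into a single key here, so names must be unique within the list.
  for_each = var.enabled ? { for rule in var.inbound_rules : rule.name => rule } : {}

  resource_group_name         = var.resource_group_name
  network_security_group_name = azurerm_network_security_group.nsg[0].name
  direction                   = "Inbound"
  name                        = each.value.name
  priority                    = each.value.priority
  access                      = each.value.access
  protocol                    = each.value.protocol
  description                 = lookup(each.value, "description", null)

  # Source address: the singular attribute takes one CIDR, a service tag or "*"; the plural
  # one takes a list of CIDRs. Neither has a default, so every rule must state explicitly
  # where it accepts traffic from.
  source_address_prefix   = lookup(each.value, "source_address_prefix", null)
  source_address_prefixes = lookup(each.value, "source_address_prefixes", null)

  # Destination address: defaults to "*" (any destination address) unless the caller supplies
  # a list. The singular and plural attributes are mutually exclusive in the azurerm provider,
  # so the default is suppressed when destination_address_prefixes is present — otherwise a
  # rule using the list form fails provider validation with both attributes set.
  destination_address_prefix   = lookup(each.value, "destination_address_prefixes", null) == null ? lookup(each.value, "destination_address_prefix", "*") : null
  destination_address_prefixes = lookup(each.value, "destination_address_prefixes", null)

  # Ports are given as one string per side: "*" or a comma-separated list of ports and ranges
  # ("22,80,443", "1000-2000"). "*" goes to the singular attribute; anything else is split
  # into the plural one, with surrounding whitespace and empty entries dropped so "80, 443"
  # is valid. An explicit null is treated like an absent key instead of being passed to
  # split(), which would error.
  # Source ports default to "*" (clients use ephemeral ports). Destination ports have no
  # default: a rule that omits them sets neither attribute, which the provider/API is expected
  # to reject — confirm — rather than silently allowing every port.
  source_port_range  = coalesce(lookup(each.value, "source_port_range", null), "*") == "*" ? "*" : null
  source_port_ranges = coalesce(lookup(each.value, "source_port_range", null), "*") == "*" ? null : [for p in split(",", each.value.source_port_range) : trimspace(p) if trimspace(p) != ""]

  destination_port_range  = lookup(each.value, "destination_port_range", null) == "*" ? "*" : null
  destination_port_ranges = lookup(each.value, "destination_port_range", null) == null || lookup(each.value, "destination_port_range", null) == "*" ? null : [for p in split(",", each.value.destination_port_range) : trimspace(p) if trimspace(p) != ""]

  # Provider operation timeouts are caller-configurable.
  timeouts {
    create = var.create
    update = var.update
    read   = var.read
    delete = var.delete
  }
}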
##-----------------------------------------------------------------------------
## Below resource creates the outbound rules of the network security group above and attaches them to it.
##-----------------------------------------------------------------------------
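resource "azurerm_network_security_rule" "outbound" {
  # One rule per entry in var.outbound_rules, keyed by rule name; two entries that share a
  # name collapse into a single key here, so names must be unique within the list.
  for_each = var.enabled ? { for rule in var.outbound_rules : rule.name => rule } : {}

  resource_group_name         = var.resource_group_name
  network_security_group_name = azurerm_network_security_group.nsg[0].name
  direction                   = "Outbound"
  name                        = each.value.name
  priority                    = each.value.priority
  access                      = each.value.access
  protocol                    = each.value.protocol
  description                 = lookup(each.value, "description", null)

  # Source address: the singular attribute takes one CIDR, a service tag or "*"; the plural
  # one takes a list of CIDRs. Neither has a default, so every rule must state explicitly
  # which workloads it applies to.
  source_address_prefix   = lookup(each.value, "source_address_prefix", null)
  source_address_prefixes = lookup(each.value, "source_address_prefixes", null)

  # Destination address: defaults to "*" unless the caller supplies a list. For an Allow rule
  # in the outbound direction that means egress to any destination, so callers restricting
  # egress should set a CIDR, service tag or list explicitly. The singular and plural
  # attributes are mutually exclusive in the azurerm provider, so the default is suppressed
  # when destination_address_prefixes is present — otherwise a rule using the list form fails
  # provider validation with both attributes set.
  destination_address_prefix   = lookup(each.value, "destination_address_prefixes", null) == null ? lookup(each.value, "destination_address_prefix", "*") : null
  destination_address_prefixes = lookup(each.value, "destination_address_prefixes", null)

  # Ports are given as one string per side: "*" or a comma-separated list of ports and ranges
  # ("22,80,443", "1000-2000"). "*" goes to the singular attribute; anything else is split
  # into the plural one, with surrounding whitespace and empty entries dropped so "80, 443"
  # is valid. An explicit null is treated like an absent key instead of being passed to
  # split(), which would error.
  # Source ports default to "*" (ephemeral client ports). Destination ports have no default:
  # a rule that omits them sets neither attribute, which the provider/API is expected to
  # reject — confirm — rather than silently allowing every port.
  source_port_range  = coalesce(lookup(each.value, "source_port_range", null), "*") == "*" ? "*" : null
  source_port_ranges = coalesce(lookup(each.value, "source_port_range", null), "*") == "*" ? null : [for p in split(",", each.value.source_port_range) : trimspace(p) if trimspace(p) != ""]

  destination_port_range  = lookup(each.value, "destination_port_range", null) == "*" ? "*" : null
  destination_port_ranges = lookup(each.value, "destination_port_range", null) == null || lookup(each.value, "destination_port_range", null) == "*" ? null : [for p in split(",", each.value.destination_port_range) : trimspace(p) if trimspace(p) != ""]

  # Provider operation timeouts are caller-configurable.
  timeouts {
    create = var.create
    update = var.update
    read   = var.read
    delete = var.delete
  }
}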
##-----------------------------------------------------------------------------
## Below resource associates the network security group created above with each subnet in var.subnet_ids.
##-----------------------------------------------------------------------------
resource "azurerm_subnet_network_security_group_association" "example" {
  # One association per subnet id. Instances are addressed by list position, so removing or
  # reordering entries in var.subnet_ids makes Terraform re-create every association after
  # that point, which can briefly leave those subnets without the NSG attached — append new
  # subnets at the end of the list rather than inserting them.
  count = var.enabled ? length(var.subnet_ids) : 0

  subnet_id                 = var.subnet_ids[count.index]
  network_security_group_id = azurerm_network_security_group.nsg[0].id
}
##-----------------------------------------------------------------------------
## Below resource will create network watcher flow logs for network security group.
## Network security groups flow logging is a feature of Azure Network Watcher that allows you to log information about IP traffic flowing through a network security group.
##-----------------------------------------------------------------------------
resource "azurerm_network_watcher_flow_log" "nsg_flow_logs" {
  # Flow logging is opt-in on top of the module being enabled.
  count = var.enabled && var.enable_flow_logs ? 1 : 0

  name                 = "${module.labels.id}-flow_logs"
  network_watcher_name = var.network_watcher_name
  resource_group_name  = var.resource_group_name

  network_security_group_id = azurerm_network_security_group.nsg[0].id
  storage_account_id        = var.flow_log_storage_account_id
  version                   = var.flow_log_version
  # Always true here, since count already requires var.enabled.
  enabled = var.enabled

  # Retention of the raw flow-log blobs in the storage account. With the policy disabled the
  # blobs are presumably kept indefinitely (confirm against current Azure docs); pick a value
  # that matches the organisation's log-retention requirement for network evidence.
  retention_policy {
    enabled = var.flow_log_retention_policy_enabled
    days    = var.flow_log_retention_policy_days
  }

  # Optional Traffic Analytics export to Log Analytics; the block exists only when enabled.
  dynamic "traffic_analytics" {
    for_each = var.enable_traffic_analytics ? [1] : []
    content {
      enabled               = var.enable_traffic_analytics
      workspace_id          = var.log_analytics_workspace_id
      workspace_resource_id = var.log_analytics_workspace_resource_id
      # NOTE(review): assumes the workspace is in the same region as the resource group — confirm.
      workspace_region    = var.resource_group_location
      interval_in_minutes = 60
    }
  }
}
##-----------------------------------------------------------------------------
## Below resource will create diagnostic setting for network security group.
##-----------------------------------------------------------------------------
resource "azurerm_monitor_diagnostic_setting" "example" {
  # Diagnostic logging is opt-in on top of the module being enabled.
  count = var.enabled && var.enable_diagnostic ? 1 : 0

  name               = "${module.labels.id}-nsg-diagnostic-log"
  target_resource_id = azurerm_network_security_group.nsg[0].id

  # Destinations. The flow-log storage account is reused for diagnostics; Event Hub and
  # Log Analytics take effect only when their ids are supplied. Presumably at least one
  # destination has to be non-null for the provider to accept the setting — confirm.
  storage_account_id             = var.flow_log_storage_account_id
  eventhub_name                  = var.eventhub_name
  eventhub_authorization_rule_id = var.eventhub_authorization_rule_id
  log_analytics_workspace_id     = var.log_analytics_workspace_id
  log_analytics_destination_type = var.log_analytics_destination_type

  # Each entry of var.logs selects either a category group or a single category (for an
  # NSG these are typically the rule-counter and NSG-event categories — confirm the
  # intended set, since missing categories mean missing detection evidence).
  dynamic "enabled_log" {
    for_each = var.logs
    content {
      category_group = lookup(enabled_log.value, "category_group", null)
      category       = lookup(enabled_log.value, "category", null)
    }
  }

  lifecycle {
    # Presumably ignored to avoid a perpetual diff when Azure normalises this field for
    # non-Log-Analytics destinations — confirm.
    ignore_changes = [log_analytics_destination_type]
  }
}