adding network security groups to azure networking module (#30)

* add nsgs to vnet module * set correct variable for location & resource_group * set correct subnet reference * adding other arguments to security rules * adding other arguments to security rules * set condition to be based on length of security_rules
cloudkite-io · Feb 28, 2024 · b8b5370 · b8b5370
1 parent 04cd7fb
commit b8b5370
Show file tree

Hide file tree

Showing 3 changed files with 55 additions and 1 deletion.
diff --git a/modules/azure/networking/README.md b/modules/azure/networking/README.md
@@ -76,9 +76,11 @@ No modules.
 |------|------|
 | [azurerm_nat_gateway.nat_gateway](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/nat_gateway) | resource |
 | [azurerm_nat_gateway_public_ip_association.nat_address_gateway_association](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/nat_gateway_public_ip_association) | resource |
+| [azurerm_network_security_group.security_groups](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_security_group) | resource |
 | [azurerm_public_ip.nat_address](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/public_ip) | resource |
 | [azurerm_subnet.subnets](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet) | resource |
 | [azurerm_subnet_nat_gateway_association.subnet_nat_gateway_association](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet_nat_gateway_association) | resource |
+| [azurerm_subnet_network_security_group_association.subnet_security_groups_association](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet_network_security_group_association) | resource |
 | [azurerm_virtual_network.vnet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_network) | resource |
 
 ## Inputs
@@ -87,7 +89,7 @@ No modules.
 |------|-------------|------|---------|:--------:|
 | <a name="input_environment"></a> [environment](#input\_environment) | Environment like: infra-ops, dev, stage, prod | `string` | n/a | yes |
 | <a name="input_resource_group_name"></a> [resource\_group\_name](#input\_resource\_group\_name) | Azure resource group name | `string` | n/a | yes |
-| <a name="input_subnets"></a> [subnets](#input\_subnets) | Azure subnets and their configuration | <pre>map(object({<br>    address_prefixes                          = list(string)<br>    enable_nat                                = bool<br>    service_endpoints                         = list(string)<br>    private_endpoint_network_policies_enabled = bool<br>    delegations = map(object({<br>      service_delegation_name    = string<br>      service_delegation_actions = list(string)<br>    }))<br>  }))</pre> | n/a | yes |
+| <a name="input_subnets"></a> [subnets](#input\_subnets) | Azure subnets and their configuration | <pre>map(object({<br>    address_prefixes                          = list(string)<br>    enable_nat                                = bool<br>    service_endpoints                         = list(string)<br>    private_endpoint_network_policies_enabled = bool<br>    delegations = map(object({<br>      service_delegation_name    = string<br>      service_delegation_actions = list(string)<br>    }))<br>    security_rules = optional(map(object({<br>      priority                              = number<br>      direction                             = string<br>      access                                = string<br>      protocol                              = string<br>      source_port_range                     = optional(string)<br>      source_port_ranges                    = optional(list(string))<br>      destination_port_range                = optional(string)<br>      destination_port_ranges               = optional(list(string))<br>      source_address_prefix                 = optional(string)<br>      source_address_prefixes               = optional(list(string))<br>      destination_address_prefix            = optional(string)<br>      destination_address_prefixes          = optional(list(string))<br>      source_application_security_group_ids = optional(list(string))<br>    })), {})<br>  }))</pre> | n/a | yes |
 | <a name="input_vnet_address_space"></a> [vnet\_address\_space](#input\_vnet\_address\_space) | Address space for the virtual network | `list(string)` | n/a | yes |
 | <a name="input_vnet_location"></a> [vnet\_location](#input\_vnet\_location) | Azure location for the virtual network | `string` | n/a | yes |
 | <a name="input_vnet_name"></a> [vnet\_name](#input\_vnet\_name) | Name for the virtual network | `string` | n/a | yes |

diff --git a/modules/azure/networking/main.tf b/modules/azure/networking/main.tf
@@ -59,3 +59,40 @@ resource "azurerm_subnet_nat_gateway_association" "subnet_nat_gateway_associatio
   subnet_id      = azurerm_subnet.subnets[each.key].id
   nat_gateway_id = azurerm_nat_gateway.nat_gateway.id
 }
+
+resource "azurerm_network_security_group" "security_groups" {
+  for_each = { for subnet, subnet-details in var.subnets :
+  subnet => subnet-details if length(subnet-details.security_rules) > 0 }
+  name                = "${each.key}-NSG"
+  location            = var.vnet_location
+  resource_group_name = var.resource_group_name
+
+  dynamic "security_rule" {
+    for_each = each.value.security_rules
+
+    content {
+      name                                  = security_rule.key
+      priority                              = security_rule.value.priority
+      direction                             = security_rule.value.direction
+      access                                = security_rule.value.access
+      protocol                              = security_rule.value.protocol
+      source_port_range                     = security_rule.value.source_port_range
+      source_port_ranges                    = security_rule.value.source_port_ranges
+      destination_port_range                = security_rule.value.destination_port_range
+      destination_port_ranges               = security_rule.value.destination_port_ranges
+      source_address_prefix                 = security_rule.value.source_address_prefix
+      source_address_prefixes               = security_rule.value.source_address_prefixes
+      destination_address_prefix            = security_rule.value.destination_address_prefix
+      destination_address_prefixes          = security_rule.value.destination_address_prefixes
+      source_application_security_group_ids = security_rule.value.source_application_security_group_ids
+    }
+
+  }
+}
+
+resource "azurerm_subnet_network_security_group_association" "subnet_security_groups_association" {
+  for_each = { for subnet, subnet-details in var.subnets :
+  subnet => subnet-details if length(subnet-details.security_rules) > 0 }
+  subnet_id                 = azurerm_subnet.subnets[each.key].id
+  network_security_group_id = azurerm_network_security_group.security_groups[each.key].id
+}
diff --git a/modules/azure/networking/variables.tf b/modules/azure/networking/variables.tf
@@ -34,5 +34,20 @@ variable "subnets" {
       service_delegation_name    = string
       service_delegation_actions = list(string)
     }))
+    security_rules = optional(map(object({
+      priority                              = number
+      direction                             = string
+      access                                = string
+      protocol                              = string
+      source_port_range                     = optional(string)
+      source_port_ranges                    = optional(list(string))
+      destination_port_range                = optional(string)
+      destination_port_ranges               = optional(list(string))
+      source_address_prefix                 = optional(string)
+      source_address_prefixes               = optional(list(string))
+      destination_address_prefix            = optional(string)
+      destination_address_prefixes          = optional(list(string))
+      source_application_security_group_ids = optional(list(string))
+    })), {})
   }))
 }