Terraform module which creates networking resources on Azure.

These types of resources are supported:

- Resource group
- Virtual network
- Subnets (public, private, ACI, firewall, gateway)
- Route tables
- Network security groups
- Azure Firewall
- Virtual network gateway
- Network watcher

Usage example:

```hcl
module "network" {
  source = "innovationnorway/network/azurerm"

  # Resource group
  create_resource_group = true
  resource_group_name   = "my-dev"
  location              = "westeurope"

  # Virtual network
  name            = "my-dev-network"
  address_spaces  = ["10.0.0.0/16"]
  dns_servers     = ["20.20.20.20"]
  public_subnets  = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
  private_subnets = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"]
  aci_subnets     = ["10.0.128.0/24"]

  # Routes
  public_internet_route_next_hop_type          = "VirtualAppliance"
  public_internet_route_next_hop_in_ip_address = "AzureFirewall"

  # Firewall
  create_firewall                = true
  firewall_subnet_address_prefix = "10.0.192.0/24"

  # Tags
  tags = {
    Terraform   = "true"
    Environment = "dev"
  }
}
```
This module handles creation of these types of subnets:

- Public - `public_subnets` defines a list of address spaces for public subnets. They can be configured to allow access to the internet either via `VirtualAppliance` or using any other hop type.
- Private - `private_subnets` defines a list of address spaces for private subnets. They can be configured to access resources using hop type `VnetLocal`.
- Azure Container Instances (ACI) - `aci_subnets` defines a list of address spaces for ACI subnets where service delegation is set to `Microsoft.ContainerInstance/containerGroups`.
- Firewall - `firewall_subnet_address_prefix` defines an address prefix for the firewall subnet (name `AzureFirewallSubnet`).
- Gateway - `vnet_gateway_subnet_address_prefix` defines an address prefix for the gateway subnet (name `GatewaySubnet`).
It is possible to add other routes to the associated route tables outside of this module.
This module also creates network security groups for each type of subnet (public, private, etc).
By default this module will not create a resource group, and the name of an existing one should be provided in the argument `resource_group_name`. If you want to create it using this module, set the argument `create_resource_group = true`.

To create Azure Firewall resources (subnet, public IP and firewall) specify `create_firewall = true`.

To enable a route to the internet from the public subnets via Azure Firewall, the firewall has to be created (`create_firewall = true`), and `public_internet_route_next_hop_type = "VirtualAppliance"` and `public_internet_route_next_hop_in_ip_address = "AzureFirewall"` must be set.
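As an added example (not part of the module's README), the following configuration reuses an existing resource group, keeps workloads in private and ACI subnets with service endpoints, and forces public-subnet internet egress through Azure Firewall instead of the default `Internet` hop; the resource group name and address prefixes are placeholders.

```hcl
module "network" {
  source = "innovationnorway/network/azurerm"

  # Reuse an existing resource group (create_resource_group defaults to false)
  resource_group_name = "rg-shared-network" # placeholder name
  location            = "westeurope"

  name           = "hub-network"
  address_spaces = ["10.10.0.0/16"]

  # Public subnets: the 0.0.0.0/0 route points at the firewall, not directly at the internet
  public_subnets                               = ["10.10.1.0/24"]
  public_internet_route_next_hop_type          = "VirtualAppliance"
  public_internet_route_next_hop_in_ip_address = "AzureFirewall"

  # Private subnets reach PaaS services over service endpoints rather than public endpoints
  private_subnets                   = ["10.10.101.0/24", "10.10.102.0/24"]
  private_subnets_service_endpoints = ["Microsoft.KeyVault", "Microsoft.Sql", "Microsoft.Storage"]

  # Do not let routes learned over BGP (e.g. from a gateway) land in the private route table
  private_route_table_disable_bgp_route_propagation = true

  # ACI subnet; the module sets the Microsoft.ContainerInstance/containerGroups delegation
  aci_subnets                   = ["10.10.128.0/24"]
  aci_subnets_service_endpoints = ["Microsoft.Storage"]

  # The default firewall_subnet_address_prefix is 0.0.0.0/0 and must be overridden
  create_firewall                = true
  firewall_subnet_address_prefix = "10.10.192.0/24"

  tags = {
    Terraform   = "true"
    Environment = "prod"
  }
}

# Downstream modules can attach workloads by subnet ID
output "private_subnet_ids" {
  value = "${module.network.private_subnet_ids}"
}
```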
Virtual Network Gateway can be configured to:

- Accept IPSec point-to-site connections:
  - active-standby:
    - with VPN client using certificates - `azurerm_virtual_network_gateway.with_active_standby_vpn_client_and_certificates`
    - with VPN client using RADIUS server - `azurerm_virtual_network_gateway.with_active_standby_vpn_client_and_radius`
    - without VPN client (eg, when using VNet-to-VNet connection) - `azurerm_virtual_network_gateway.with_active_standby_no_vpn_client`
  - active-active:
    - with VPN client using certificates - `azurerm_virtual_network_gateway.with_active_active_vpn_client_and_certificates`
    - with VPN client using RADIUS server - `azurerm_virtual_network_gateway.with_active_active_vpn_client_and_radius`
- Use ExpressRoute type:
  - active-standby VPN client - `azurerm_virtual_network_gateway.with_vpn_client_active_standby`
  - active-active VPN client (todo: two `ip_configuration` blocks) - `azurerm_virtual_network_gateway.with_vpn_client_active_active`

At most a single resource of type `azurerm_virtual_network_gateway` is created, depending on input arguments. The resource names follow these conventions:

- `with_active_active_...` contains two `ip_configuration` blocks
- `with_active_standby_...` contains one `ip_configuration` block
- `with_..._vpn_client` contains a `vpn_client_configuration` block
- `with_..._no_vpn_client` does not contain a `vpn_client_configuration` block
- `..._and_certificates` contains `root_certificate` and `revoked_certificate` blocks, but does not contain `radius_server_address` and `radius_server_secret` blocks
- `..._and_radius` contains `radius_server_address` and `radius_server_secret` blocks, but does not contain `root_certificate` and `revoked_certificate` blocks
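Added example, not from the module's README: a RouteBased, active-standby point-to-site VPN gateway that authenticates clients with certificates, which maps to the module's `azurerm_virtual_network_gateway.with_active_standby_vpn_client_and_certificates` resource. The resource group name, certificate file path and thumbprint are placeholders.

```hcl
module "network" {
  source = "innovationnorway/network/azurerm"

  resource_group_name = "rg-shared-network" # placeholder, existing resource group
  location            = "westeurope"
  name                = "hub-network"
  address_spaces      = ["10.10.0.0/16"]
  private_subnets     = ["10.10.101.0/24"]

  # Gateway subnet (the module names it GatewaySubnet); the 0.0.0.0/0 default must be overridden
  create_vnet_gateway                = true
  vnet_gateway_subnet_address_prefix = "10.10.255.0/27"

  # Vpn + RouteBased is needed for point-to-site; the Basic sku does not offer IkeV2 or OpenVPN
  vnet_gateway_type     = "Vpn"
  vnet_gateway_vpn_type = "RouteBased"
  vnet_gateway_sku      = "VpnGw1"

  # One ip_configuration block (active-standby); active-active needs HighPerformance or better
  vnet_gateway_active_active = false

  # Client address pool; it must not overlap the virtual network address space
  vnet_gateway_vpn_client_configuration_address_space        = ["172.16.201.0/24"]
  vnet_gateway_vpn_client_configuration_vpn_client_protocols = ["IkeV2", "OpenVPN"]

  # Root CA whose issued client certificates are accepted; base64 body only, no PEM markers
  vnet_gateway_vpn_client_configuration_root_certificate = [
    {
      name             = "p2s-root-ca"
      public_cert_data = "${file("${path.module}/certs/p2s-root-ca.b64")}" # placeholder path
    },
  ]

  # Lost or retired client certificates are rejected by SHA1 thumbprint
  vnet_gateway_vpn_client_configuration_revoked_certificate = [
    {
      name       = "laptop-retired"
      thumbprint = "0000000000000000000000000000000000000000" # placeholder thumbprint
    },
  ]
}
```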
All network resources which support tagging can be tagged by specifying key-values in arguments like `resource_group_tags`, `virtual_network_tags`, `public_route_table_tags`, `private_route_table_tags`, `tags`. Tag `Name` is added automatically on all resources. For example, you can specify virtual network tags like this:

```hcl
module "network" {
  source = "innovationnorway/network/azurerm"

  # ... omitted

  virtual_network_tags = {
    Owner     = "test-user"
    Terraform = "true"
  }
}
```
Sometimes you need to have a way to create network resources conditionally, but Terraform does not allow the use of `count` inside a `module` block, so the solution is to specify the argument `create_network`.

```hcl
# This network will not be created
module "network" {
  source = "innovationnorway/network/azurerm"

  create_network = false

  # ... omitted
}
```
Name | Description | Type | Default | Required |
---|---|---|---|---|
`aci_subnet_suffix` | Suffix to append to ACI subnets name | string | `"aci"` | no |
`aci_subnets` | A list of Azure Container Instances (ACI) subnets inside virtual network | list | `[]` | no |
`aci_subnets_service_endpoints` | The list of Service endpoints to associate with the ACI subnets. Possible values include: Microsoft.AzureActiveDirectory, Microsoft.AzureCosmosDB, Microsoft.EventHub, Microsoft.KeyVault, Microsoft.ServiceBus, Microsoft.Sql and Microsoft.Storage. | list | `[]` | no |
`address_spaces` | List of address spaces to use for virtual network | list | `[]` | no |
`create_firewall` | Whether to create firewall (incl. subnet and public IP) | string | `"false"` | no |
`create_network` | Controls if networking resources should be created (it affects almost all resources) | string | `"true"` | no |
`create_network_security_group` | Whether to create network security group | string | `"true"` | no |
`create_network_watcher` | Whether to create network watcher | string | `"true"` | no |
`create_resource_group` | Whether to create resource group and use it for all networking resources | string | `"false"` | no |
`create_vnet_gateway` | Whether to create virtual network gateway (incl. subnet and public IP) | string | `"false"` | no |
`dns_servers` | List of DNS servers to use for virtual network | list | `[]` | no |
`firewall_subnet_address_prefix` | Address prefix to use on firewall subnet. Default is a valid value, which should be overridden. | string | `"0.0.0.0/0"` | no |
`firewall_suffix` | Suffix to append to firewall name | string | `"firewall"` | no |
`firewall_tags` | Additional tags for the firewall | map | `{}` | no |
`location` | Location where resources should be created | string | `""` | no |
`name` | Name to use on resources | string | `""` | no |
`network_security_group_name` | Name to be used on network security group | string | `""` | no |
`network_security_group_tags` | Additional tags for the network security group | map | `{}` | no |
`network_watcher_suffix` | Suffix to append to network watcher name | string | `"nw"` | no |
`network_watcher_tags` | Additional tags for the network watcher | map | `{}` | no |
`private_route_table_disable_bgp_route_propagation` | Boolean flag which controls propagation of routes learned by BGP on private route table. True means disable. | string | `"false"` | no |
`private_route_table_suffix` | Suffix to append to private route table name | string | `"private"` | no |
`private_route_table_tags` | Additional tags for the private route table | map | `{}` | no |
`private_subnet_suffix` | Suffix to append to private subnets name | string | `"private"` | no |
`private_subnets` | A list of private subnets inside virtual network | list | `[]` | no |
`private_subnets_service_endpoints` | The list of Service endpoints to associate with the private subnets. Possible values include: Microsoft.AzureActiveDirectory, Microsoft.AzureCosmosDB, Microsoft.EventHub, Microsoft.KeyVault, Microsoft.ServiceBus, Microsoft.Sql and Microsoft.Storage. | list | `[]` | no |
`private_vnetlocal_route_suffix` | Suffix to append to private VnetLocal route name | string | `"private-vnetlocal"` | no |
`public_internet_route_next_hop_in_ip_address` | Contains the IP address packets should be forwarded to when destination is 0.0.0.0/0 for the public subnets. Next hop values are only allowed in routes where the next hop type is VirtualAppliance. | string | `""` | no |
`public_internet_route_next_hop_type` | The type of Azure hop the packet should be sent to when reaching 0.0.0.0/0 for the public subnets. Possible values are VirtualNetworkGateway, VnetLocal, Internet, VirtualAppliance and None. | string | `"Internet"` | no |
`public_internet_route_suffix` | Suffix to append to public internet route name | string | `"public"` | no |
`public_route_table_disable_bgp_route_propagation` | Boolean flag which controls propagation of routes learned by BGP on public route table. True means disable. | string | `"false"` | no |
`public_route_table_suffix` | Suffix to append to public route table name | string | `"public"` | no |
`public_route_table_tags` | Additional tags for the public route table | map | `{}` | no |
`public_subnet_suffix` | Suffix to append to public subnets name | string | `"public"` | no |
`public_subnets` | A list of public subnets inside virtual network | list | `[]` | no |
`public_subnets_service_endpoints` | The list of Service endpoints to associate with the public subnets. Possible values include: Microsoft.AzureActiveDirectory, Microsoft.AzureCosmosDB, Microsoft.EventHub, Microsoft.KeyVault, Microsoft.ServiceBus, Microsoft.Sql and Microsoft.Storage. | list | `[]` | no |
`resource_group_name` | Name to be used on resource group | string | `""` | no |
`resource_group_tags` | Additional tags for the resource group | map | `{}` | no |
`tags` | A map of tags to add to all resources | map | `{}` | no |
`virtual_network_tags` | Additional tags for the virtual network | map | `{}` | no |
`vnet_gateway_active_active` | If true, an active-active Virtual Network Gateway will be created. An active-active gateway requires a HighPerformance or an UltraPerformance sku. If false, an active-standby gateway will be created. | string | `"false"` | no |
`vnet_gateway_bgp_settings` | List of maps containing BGP settings. Keys are: asn - (Optional) The Autonomous System Number (ASN) to use as part of the BGP; peering_address - (Optional) The BGP peer IP address of the virtual network gateway. This address is needed to configure the created gateway as a BGP Peer on the on-premises VPN devices. The IP address must be part of the subnet of the Virtual Network Gateway. Changing this forces a new resource to be created.; peer_weight - (Optional) The weight added to routes which have been learned through BGP peering. Valid values can be between 0 and 100. | list | `[ { "asn": 65515 } ]` | no |
`vnet_gateway_default_local_network_gateway_id` | The ID of the local network gateway through which outbound Internet traffic from the virtual network in which the gateway is created will be routed (forced tunneling). Refer to the Azure documentation on forced tunneling. If not specified, forced tunneling is disabled. | string | `""` | no |
`vnet_gateway_enable_bgp` | If true, BGP (Border Gateway Protocol) will be enabled for this Virtual Network Gateway. | string | `"false"` | no |
`vnet_gateway_sku` | Configuration of the size and capacity of the virtual network gateway. Valid options are Basic, Standard, HighPerformance, UltraPerformance, ErGw1AZ, ErGw2AZ, ErGw3AZ, VpnGw1, VpnGw2 and VpnGw3 and depend on the type and vpn_type arguments. A PolicyBased gateway only supports the Basic sku. Further, the UltraPerformance sku is only supported by an ExpressRoute gateway. | string | `"Basic"` | no |
`vnet_gateway_subnet_address_prefix` | Address prefix to use on virtual network gateway subnet. Default is a valid value, which should be overridden. | string | `"0.0.0.0/0"` | no |
`vnet_gateway_suffix` | Suffix to append to virtual network gateway name | string | `"vnet-gateway"` | no |
`vnet_gateway_tags` | Additional tags for the virtual network gateway | map | `{}` | no |
`vnet_gateway_type` | The type of the Virtual Network Gateway. Valid options are Vpn or ExpressRoute. | string | `"Vpn"` | no |
`vnet_gateway_vpn_client_configuration_address_space` | The address space out of which IP addresses for VPN clients will be taken. You can provide more than one address space, e.g. in CIDR notation. | list | `[ "0.0.0.0/0" ]` | no |
`vnet_gateway_vpn_client_configuration_revoked_certificate` | One or more revoked_certificate blocks. Type - list of maps, where keys are: name - (Required) A user-defined name of the revoked certificate.; thumbprint - (Required) The SHA1 thumbprint of the certificate to be revoked. | list | `[]` | no |
`vnet_gateway_vpn_client_configuration_root_certificate` | One or more root_certificate blocks. These root certificates are used to sign the client certificates used by the VPN clients to connect to the gateway. Type - list of maps, where keys are: name - (Required) A user-defined name of the root certificate; public_cert_data - (Required) The public certificate of the root certificate authority. The certificate must be provided in Base-64 encoded X.509 format (PEM). In particular, this argument must not include the -----BEGIN CERTIFICATE----- or -----END CERTIFICATE----- markers. | list | `[]` | no |
`vnet_gateway_vpn_client_configuration_vpn_client_protocols` | List of the protocols supported by the VPN client. The supported values are SSTP, IkeV2 and OpenVPN. | list | `[ "" ]` | no |
`vnet_gateway_vpn_type` | The routing type of the Virtual Network Gateway. Valid options are RouteBased or PolicyBased. | string | `"RouteBased"` | no |
Name | Description |
---|---|
`aci_network_security_group_id` | The Network Security Group ID of the ACI subnets |
`aci_subnet_address_prefixes` | List of address prefixes for ACI subnets |
`aci_subnet_ids` | List of IDs of ACI subnets |
`firewall_public_ip_id` | ID of firewall public IP |
`firewall_public_ip_ip_address` | Public IP of firewall |
`firewall_subnet_address_prefixes` | List of address prefixes for firewall subnets |
`firewall_subnet_ids` | List of IDs of firewall subnets |
`gateway_public_ip_id` | ID of gateway public IP |
`gateway_public_ip_ip_address` | Public IP of gateway |
`gateway_subnet_address_prefixes` | List of address prefixes for gateway subnets |
`gateway_subnet_ids` | List of IDs of gateway subnets |
`private_network_security_group_id` | The Network Security Group ID of the private subnets |
`private_route_table_id` | ID of private route table |
`private_route_table_subnets` | List of subnets associated with private route table |
`private_subnet_address_prefixes` | List of address prefixes for private subnets |
`private_subnet_ids` | List of IDs of private subnets |
`public_network_security_group_id` | The Network Security Group ID of the public subnets |
`public_route_table_id` | ID of public route table |
`public_route_table_subnets` | List of subnets associated with public route table |
`public_subnet_address_prefixes` | List of address prefixes for public subnets |
`public_subnet_ids` | List of IDs of public subnets |
`this_firewall_id` | The Resource ID of the Azure Firewall |
`this_network_watcher_id` | ID of Network Watcher |
`this_resource_group_id` | The ID of the resource group in which resources are created |
`this_resource_group_location` | The location of the resource group in which resources are created |
`this_resource_group_name` | The name of the resource group in which resources are created |
`this_virtual_network_address_space` | List of address spaces that are used by the virtual network |
`this_virtual_network_gateway_id` | The ID of the Virtual Network Gateway |
`this_virtual_network_id` | The ID of the virtual network |
`this_virtual_network_name` | The name of the virtual network |
Module is maintained by Anton Babenko with help from these awesome contributors.
Apache 2 Licensed. See LICENSE for full details.