From fde9ed65eaeba52161b9cfff8ee12c7b12dbdf7c Mon Sep 17 00:00:00 2001
From: Archit Chopra
Date: Thu, 15 Jun 2023 17:03:34 +0530
Subject: [PATCH] feat: Added support for existing ddos protection plan

---
 _example/default/exmaple.tf | 23 -----
 _example/exmaple.tf | 35 +++++++
 _example/{default => }/output.tf | 0
 _example/vnet-with-flow-logs/example.tf | 127 ------------------------
 _example/vnet-with-flow-logs/output.tf | 29 ------
 main.tf | 23 ++++-
 outputs.tf | 2 +-
 variables.tf | 8 +-
 8 files changed, 63 insertions(+), 184 deletions(-)
 delete mode 100644 _example/default/exmaple.tf
 create mode 100644 _example/exmaple.tf
 rename _example/{default => }/output.tf (100%)
 delete mode 100644 _example/vnet-with-flow-logs/example.tf
 delete mode 100644 _example/vnet-with-flow-logs/output.tf

diff --git a/_example/default/exmaple.tf b/_example/default/exmaple.tf
deleted file mode 100644
index f1f4514..0000000
--- a/_example/default/exmaple.tf
+++ /dev/null
@@ -1,23 +0,0 @@
-provider "azurerm" {
- features {}
-}
-
-module "resource_group" {
- source = "clouddrove/resource-group/azure"
- version = "1.0.2"
-
- name = "app"
- environment = "test"
- label_order = ["name", "environment"]
- location = "North Europe"
-}
-
-module "vnet" {
- source = "../../"
-
- name = "app"
- environment = "test"
- resource_group_name = module.resource_group.resource_group_name
- location = module.resource_group.resource_group_location
- address_space = "10.0.0.0/16"
-}
diff --git a/_example/exmaple.tf b/_example/exmaple.tf
new file mode 100644
index 0000000..3069d93
--- /dev/null
+++ b/_example/exmaple.tf
@@ -0,0 +1,35 @@
+provider "azurerm" {
+ features {}
+}
+
+locals {
+ name = "app"
+ environment = "test"
+ label_order = ["name", "environment"]
+}
+
+##-----------------------------------------------------------------------------
+## Resource Group module call
+## Resource group in which all resources will be deployed.
+##-----------------------------------------------------------------------------
+module "resource_group" {
+ source = "clouddrove/resource-group/azure"
+ version = "1.0.2"
+ name = local.name
+ environment = local.environment
+ label_order = local.label_order
+ location = "North Europe"
+}
+
+##-----------------------------------------------------------------------------
+## Virtual Network module call.
+##-----------------------------------------------------------------------------
+module "vnet" {
+ source = "../"
+ name = local.name
+ environment = local.environment
+ resource_group_name = module.resource_group.resource_group_name
+ location = module.resource_group.resource_group_location
+ address_space = "10.0.0.0/16"
+ enable_network_watcher = false # To be set true when network security group flow logs are to be tracked and network watcher with specific name is to be deployed.
+}
diff --git a/_example/default/output.tf b/_example/output.tf
similarity index 100%
rename from _example/default/output.tf
rename to _example/output.tf
diff --git a/_example/vnet-with-flow-logs/example.tf b/_example/vnet-with-flow-logs/example.tf
deleted file mode 100644
index b47afa9..0000000
--- a/_example/vnet-with-flow-logs/example.tf
+++ /dev/null
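Review bot: The new example `_example/exmaple.tf` never sets `existing_ddos_pp`, so the one feature this patch adds is not demonstrated anywhere a user would look first. Consider adding to the `module "vnet"` call, commented or live, `enable_ddos_pp = true` and `existing_ddos_pp = "<resource id of an existing DDoS protection plan>"` (placeholder) with a one-line comment on which of the two inputs takes precedence. The filename typo `exmaple.tf` is carried over from the deleted `_example/default/exmaple.tf`; since the file is being recreated in a new location anyway, naming it `example.tf` (as the deleted `_example/vnet-with-flow-logs/example.tf` was) would be the cheap moment to fix it.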
@@ -1,127 +0,0 @@
-provider "azurerm" {
- features {}
-}
-
-module "resource_group" {
- source = "clouddrove/resource-group/azure"
- version = "1.0.2"
-
- name = "app"
- environment = "test"
- label_order = ["name", "environment"]
- location = "North Europe"
-}
-
-
-module "log-analytics" {
- source = "clouddrove/log-analytics/azure"
- version = "1.0.1"
- name = "app"
- environment = "test"
- label_order = ["name", "environment"]
- create_log_analytics_workspace = true
- log_analytics_workspace_sku = "PerGB2018"
- resource_group_name = module.resource_group.resource_group_name
- log_analytics_workspace_location = module.resource_group.resource_group_location
-}
-
-
-module "storage" {
- source = "clouddrove/storage/azure"
- version = "1.0.8"
-
- name = "app"
- environment = "test"
- default_enabled = true
- resource_group_name = module.resource_group.resource_group_name
- location = module.resource_group.resource_group_location
- storage_account_name = "stordtyre236"
-
-
- ## Storage Container
- containers_list = [
- { name = "app-test", access_type = "private" },
- ]
-
- ## Storage File Share
- file_shares = [
- { name = "fileshare1", quota = 5 },
- ]
-
- ## Storage Tables
- tables = ["table1"]
-
- ## Storage Queues
- queues = ["queue1"]
-
- management_policy_enable = true
-
- #enable private endpoint
- virtual_network_id = module.vnet.vnet_id[0]
- subnet_id = module.subnet.default_subnet_id[0]
-
- log_analytics_workspace_id = module.log-analytics.workspace_id
-
-}
-
-module "vnet" {
- source = "../../"
-
- name = "app"
- environment = "test"
- resource_group_name = module.resource_group.resource_group_name
- location = module.resource_group.resource_group_location
- address_space = "10.0.0.0/16"
- ## For enabling network flow logs for vnet.
- enable_flow_logs = true
- enable_network_watcher = true
- enable_traffic_analytics = true
- network_security_group_id = module.security_group.id
- storage_account_id = module.storage.default_storage_account_id
- workspace_id = module.log-analytics.workspace_customer_id
- workspace_resource_id = module.log-analytics.workspace_id
-}
-
-###subnet
-module "subnet" {
- source = "clouddrove/subnet/azure"
- version = "1.0.2"
-
- name = "app"
- environment = "test"
- resource_group_name = module.resource_group.resource_group_name
- location = module.resource_group.resource_group_location
- virtual_network_name = join("", module.vnet.vnet_name)
-
- #subnet
- subnet_names = ["subnet1"]
- subnet_prefixes = ["10.0.1.0/24"]
-
-}
-
-module "security_group" {
- source = "clouddrove/network-security-group/azure"
- version = "1.0.3"
- ## Tags
- name = "app"
- environment = "test"
-
- ## Security Group
- resource_group_name = module.resource_group.resource_group_name
- resource_group_location = module.resource_group.resource_group_location
- subnet_ids = module.subnet.default_subnet_id
- ##Security Group rule for Custom port.
- inbound_rules = [
- {
- name = "ssh"
- priority = 101
- access = "Allow"
- protocol = "Tcp"
- source_address_prefix = "0.0.0.0/0"
- source_port_range = "*"
- destination_address_prefix = "0.0.0.0/0"
- destination_port_range = "22"
- description = "ssh allowed port"
- }]
-
-}
diff --git a/_example/vnet-with-flow-logs/output.tf b/_example/vnet-with-flow-logs/output.tf
deleted file mode 100644
index c819dea..0000000
--- a/_example/vnet-with-flow-logs/output.tf
+++ /dev/null
@@ -1,29 +0,0 @@
-output "vnet_id" {
- description = "The id of the newly created vNet"
- value = module.vnet.vnet_id
-}
-
-output "vnet_name" {
- description = "The name of the newly created vNet"
- value = module.vnet.vnet_name
-}
-
-output "vnet_location" {
- description = "The location of the newly created vNet"
- value = module.vnet.vnet_location
-}
-
-output "vnet_address_space" {
- description = "The address space of the newly created vNet"
- value = module.vnet.vnet_address_space
-}
-
-output "vnet_guid" {
- description = "The GUID of the virtual network."
- value = module.vnet.vnet_guid
-}
-
-output "vnet_rg_name" {
- description = "The name of the resource group in which to create the virtual network. Changing this forces a new resource to be created."
- value = module.vnet.vnet_rg_name
-}
diff --git a/main.tf b/main.tf
index cb29303..76cdf1f 100644
--- a/main.tf
+++ b/main.tf
@@ -1,7 +1,13 @@
+##-----------------------------------------------------------------------------
+## Locals declaration for determining the id of ddos protection plan.
+##-----------------------------------------------------------------------------
 locals {
- ddos_pp_id = var.enable_ddos_pp ? azurerm_network_ddos_protection_plan.example[0].id : ""
+ ddos_pp_id = var.enable_ddos_pp && var.existing_ddos_pp != null ? var.existing_ddos_pp : var.enable_ddos_pp && var.existing_ddos_pp == null ? azurerm_network_ddos_protection_plan.example[0].id : null
 }
 
+##-----------------------------------------------------------------------------
+## Labels module callled that will be used for naming and tags.
+##-----------------------------------------------------------------------------
 module "labels" {
 source = "clouddrove/labels/azure"
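Review bot: The new `ddos_pp_id` local prefers `var.existing_ddos_pp`, but `azurerm_network_ddos_protection_plan.example` in the next main.tf hunk (`@@ -34,6 +43,9 @@`) still has `count = var.enable_ddos_pp && var.enable == true ? 1 : 0`, so passing an existing plan id together with `enable_ddos_pp = true` creates a second plan that nothing attaches to — DDoS Protection plans are billed per plan, so this is a cost and drift problem, not a cosmetic one. Gate the resource on the new input as well: `count = var.enable_ddos_pp && var.enable && var.existing_ddos_pp == null ? 1 : 0`. The nested conditional in this hunk then reads more plainly as `ddos_pp_id = var.enable_ddos_pp ? (var.existing_ddos_pp != null ? var.existing_ddos_pp : one(azurerm_network_ddos_protection_plan.example[*].id)) : null`, where `one()` over the splat yields null instead of an invalid-index error when the plan resource has count 0 (assuming the module's required Terraform version provides `one()`; if not, keep the `[0]` form). The labels header comment in this hunk also misspells `callled`.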
@@ -14,6 +20,9 @@ module "labels" {
 repository = var.repository
 }
 
+##-----------------------------------------------------------------------------
+## Below resource will deploy virtual network in your azure environment.
+##-----------------------------------------------------------------------------
 resource "azurerm_virtual_network" "vnet" {
 count = var.enable == true ? 1 : 0
 name = format("%s-vnet", module.labels.id)
@@ -25,7 +34,7 @@ resource "azurerm_virtual_network" "vnet" {
 edge_zone = var.edge_zone
 flow_timeout_in_minutes = var.flow_timeout_in_minutes
 dynamic "ddos_protection_plan" {
- for_each = local.ddos_pp_id != "" ? ["ddos_protection_plan"] : []
+ for_each = local.ddos_pp_id != null ? ["ddos_protection_plan"] : []
 content {
 id = local.ddos_pp_id
 enable = true
@@ -34,6 +43,9 @@ resource "azurerm_virtual_network" "vnet" {
 tags = module.labels.tags
 }
 
+##-----------------------------------------------------------------------------
+## Below resource will deploy ddos protection plan for virtual network.
+##-----------------------------------------------------------------------------
 resource "azurerm_network_ddos_protection_plan" "example" {
 count = var.enable_ddos_pp && var.enable == true ? 1 : 0
 name = format("%s-ddospp", module.labels.id)
@@ -42,8 +54,13 @@ resource "azurerm_network_ddos_protection_plan" "example" {
 tags = module.labels.tags
 }
 
+##-----------------------------------------------------------------------------
+## Below resource will deploy network watcher resource group in azure.
+## To be deployed when flow logs for network security group is to be tracked.
+## By default azure deploys network wather on its own, but if in azure infrastructure deployment you need network watcher with specific name than set 'enable_network_watcher' variable to true.
+##-----------------------------------------------------------------------------
 resource "azurerm_network_watcher" "flow_log_nw" {
- count = var.enable_network_watcher ? 1 : 0
+ count = var.enable && var.enable_network_watcher ? 1 : 0
 name = format("%s-network_watcher", module.labels.id)
 location = var.location
 resource_group_name = var.resource_group_name
diff --git a/outputs.tf b/outputs.tf
index b47f9c7..583a25b 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -33,6 +33,6 @@ output "ddos_protection_plan_id" {
 description = "The ID of the DDoS Protection Plan"
 }
 output "network_watcher_id" {
- value = join("", azurerm_network_watcher.test.*.id)
+ value = join("", azurerm_network_watcher.flow_log_nw.*.id)
 description = "The ID of the Network Watcher."
 }
diff --git a/variables.tf b/variables.tf
index e0b9b82..4ff7672 100644
--- a/variables.tf
+++ b/variables.tf
@@ -106,13 +106,18 @@ variable "dns_servers" {
 description = "The DNS servers to be used with vNet."
 }
 
-
 variable "enable_ddos_pp" {
 type = bool
 default = false
 description = "Flag to control the resource creation"
 }
 
+variable "existing_ddos_pp" {
+ type = string
+ default = null
+ description = "ID of an existing DDOPS plan defined in the same subscription"
+}
+
 variable "enable_network_watcher" {
 type = bool
 default = false
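Review bot: The header comment added above `azurerm_network_watcher.flow_log_nw` has typos (`wather`, and `than` where `then` is meant) and one line far longer than the surrounding comment blocks, while leaving out the constraint a user actually needs: as far as I recall Azure allows a single Network Watcher per region per subscription, and the auto-created default one already occupies that slot, so a custom-named watcher only deploys where that default is absent — worth confirming and stating here. A shorter wording for the long line: `## Azure creates a default Network Watcher per region on its own; set 'enable_network_watcher' to true only when a watcher with a specific name is required (and no watcher already exists in that region).` The resource body continues past the end of this hunk.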
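Review bot: The new `existing_ddos_pp` variable is described as `ID of an existing DDOPS plan defined in the same subscription`, which has a typo (`DDOPS`) and does not say that the value is only consulted when `enable_ddos_pp` is true, which is how the `ddos_pp_id` local in main.tf treats it. Suggested text: `description = "Resource ID of an existing DDoS Protection Plan to attach to the VNet. Only used when enable_ddos_pp is true; when left null with enable_ddos_pp true, the module creates a plan."` Since a full ARM resource ID is expected, a `validation` block rejecting non-null values that do not begin with `/subscriptions/` would surface a plan name passed by mistake at plan time instead of as an apply-time API error.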
@@ -154,6 +159,7 @@ variable "enable_traffic_analytics" {
 default = true
 description = "Flag to control creation of traffic analytics."
 }
+
 variable "retention_policy_enabled" {
 type = bool
 default = true