#Set the terraform backend
terraform {
  # Demo-only setting: the local backend writes terraform.tfstate in clear text
  # next to this configuration. The recommendation is a remote backend, see:
  # https://jamesdld.github.io/terraform/Best-Practice/BestPractice-1/
  backend "local" {}
}
#Set the Provider
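# Service-principal authentication; every credential comes from a variable so
# nothing secret is written into this file.
provider "azurerm" {
  tenant_id       = var.tenant_id
  subscription_id = var.subscription_id
  client_id       = var.client_id
  client_secret   = var.client_secret

  # Pessimistic constraint: any 1.x release from 1.37.0 onwards, but not a
  # future 2.x major. The previous open-ended ">= 1.37.0" would have picked up
  # such a major release on the next init without any change to this file.
  # 1.36.0 added support for the resource azurerm_bastion_host
  # 1.37.0 fixed a bug with the bastion host naming
  # With "=1.32.0": no version warning for the nsg and route table links
  version = "~> 1.37"
}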
#Set authentication variables
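# Tenant of the service principal used by the azurerm provider.
# Declaring the type makes Terraform reject a non-string value at plan time
# instead of passing it through to the provider.
variable "tenant_id" {
  description = "Azure tenant Id."
  type        = string
}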
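# Subscription the provider operates in.
# Declaring the type makes Terraform reject a non-string value at plan time.
variable "subscription_id" {
  description = "Azure subscription Id."
  type        = string
}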
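# Application (client) id of the service principal.
# Declaring the type makes Terraform reject a non-string value at plan time.
variable "client_id" {
  description = "Azure service principal application Id."
  type        = string
}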
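# Secret of the service principal. No default on purpose: supply it through
# TF_VAR_client_secret or a .tfvars file kept out of version control.
# NOTE(review): newer Terraform releases can mark a variable `sensitive = true`
# so it is redacted from plan output — confirm the toolchain version before
# adding it.
variable "client_secret" {
  description = "Azure service principal application Secret."
  type        = string
}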
#Set resource variables
# -
# - Network object
# -
# Virtual networks handed to the module, keyed by a local name that the
# subnets and peerings refer to through vnet_key.
variable "virtual_networks" {
  default = {
    # Security VNet (firewall, application gateway, bastion)
    vnet_sec1 = {
      id            = "1"
      prefix        = "sec"
      address_space = ["10.0.1.0/24"]
    }
    # Application VNet (front / back tiers, bastion)
    vnet_apps1 = {
      id            = "1"
      prefix        = "apps"
      address_space = ["10.0.2.0/24"]
    }
  }
}
# Subnets, keyed by a local name; vnet_key selects the entry of
# var.virtual_networks they belong to. Mandatory attributes: vnet_key, name,
# address_prefix. Optional: nsg_key (omit the line for no NSG).
# NOTE(review): the bastion subnets carry the exact name "AzureBastionSubnet",
# which suggests the module uses subnet names verbatim. Azure Firewall likewise
# requires a subnet named exactly "AzureFirewallSubnet" — confirm whether the
# "AzureFirewall" subnet below is meant to host one.
variable "subnets" {
  default = {
    # --- security VNet -------------------------------------------------------
    AzureFirewall_sec1 = {
      vnet_key       = "vnet_sec1"
      name           = "AzureFirewall"
      address_prefix = "10.0.1.0/26"
    }
    AppGw1_sec1 = {
      vnet_key       = "vnet_sec1"
      name           = "AppGw1"
      address_prefix = "10.0.1.64/27"
      nsg_key        = "appgw_nsg1" # optional: remove for no NSG
    }
    Bastion_sec1 = {
      vnet_key       = "vnet_sec1"
      name           = "AzureBastionSubnet"
      address_prefix = "10.0.1.224/27"
    }
    # --- application VNet ----------------------------------------------------
    Front1_apps1 = {
      vnet_key       = "vnet_apps1"
      name           = "front1"
      address_prefix = "10.0.2.0/26"
    }
    Back1_apps1 = {
      vnet_key       = "vnet_apps1"
      name           = "back1"
      address_prefix = "10.0.2.64/27"
    }
    Bastion_apps1 = {
      vnet_key       = "vnet_apps1"
      name           = "AzureBastionSubnet"
      address_prefix = "10.0.2.224/27"
    }
  }
}
# One peering per direction between the two VNets. vnet_key is the local side
# (an entry of var.virtual_networks); remote_vnet_name / remote_vnet_rg_name
# identify the other side by its Azure name.
# NOTE(review): the remote names are hard-coded; they presumably match what the
# module builds from net_prefix, the VNet prefix and id — verify against the
# module's naming convention before changing any of those inputs.
# Only the apps side accepts forwarded traffic, i.e. the sec VNet can forward
# into apps but not the reverse — looks intentional for a hub-and-spoke layout.
variable "vnets_to_peer" {
  default = {
    # sec -> apps
    vnets_to_peer1 = {
      vnet_key            = "vnet_sec1"
      remote_vnet_name    = "demo-net-apps-vnet1"
      remote_vnet_rg_name = "demo-jdld-noprd-rg1"
      # optional, defaults to false: let VMs of the remote VNet reach VMs here
      allow_virtual_network_access = true
    }
    # apps -> sec
    vnets_to_peer2 = {
      vnet_key            = "vnet_apps1"
      remote_vnet_name    = "demo-net-sec-vnet1"
      remote_vnet_rg_name = "demo-jdld-noprd-rg1"
      # optional, defaults to false: let VMs of the remote VNet reach VMs here
      allow_virtual_network_access = true
      # optional, defaults to false: accept traffic forwarded by the remote VNet
      allow_forwarded_traffic = true
    }
  }
}
# -
# - Network Security Group
# -
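# NSG attached to the application gateway subnet (see nsg_key in var.subnets).
# Inbound: the platform load balancer, the gateway management ports and
# HTTP/HTTPS are allowed, everything else is denied at priority 3000 — which
# also overrides the platform default AllowVnetInBound rule, so any other
# inbound flow from inside the VNets must be allowed explicitly here.
# Outbound: everything allowed.
variable "network_security_groups" {
  default = {
    appgw_nsg1 = {
      id = "1"
      security_rules = [
        {
          description                = "MS Reco : https://docs.microsoft.com/fr-fr/azure/application-gateway/configuration-overview"
          direction                  = "Inbound"
          name                       = "AzureLoadBalancer_to_AppGw"
          access                     = "Allow"
          priority                   = "2000"
          source_address_prefix      = "AzureLoadBalancer"
          destination_address_prefix = "*"
          destination_port_range     = "*"
          protocol                   = "*"
          source_port_range          = "*"
        },
        {
          # Management ports of the v2 SKU. Restricted to the GatewayManager
          # service tag instead of the previous "*": these ports only need to
          # be reachable by the Azure gateway control plane, not from any
          # address.
          description                = "MS Reco : https://docs.microsoft.com/fr-fr/azure/application-gateway/configuration-overview"
          direction                  = "Inbound"
          name                       = "All_to_AppGw_Rangesv2"
          access                     = "Allow"
          priority                   = "2010"
          source_address_prefix      = "GatewayManager"
          destination_address_prefix = "*"
          destination_port_range     = "65200-65535"
          protocol                   = "*"
          source_port_range          = "*"
        },
        {
          # Client traffic to the gateway listeners.
          description                = "HTTP and HTTPS to the application gateway listeners"
          direction                  = "Inbound"
          name                       = "All_to_AppGw_Http_Https"
          access                     = "Allow"
          priority                   = "2020"
          source_address_prefix      = "*"
          destination_address_prefix = "*"
          destination_port_ranges    = ["80", "443"]
          protocol                   = "Tcp"
          source_port_range          = "*"
        },
        {
          # Explicit catch-all deny below the allows above.
          description                = "MS Reco : https://docs.microsoft.com/fr-fr/azure/application-gateway/configuration-overview"
          direction                  = "Inbound"
          name                       = "All_to_AppGw_any"
          access                     = "Deny"
          priority                   = "3000"
          source_address_prefix      = "*"
          destination_address_prefix = "*"
          destination_port_range     = "*"
          protocol                   = "*"
          source_port_range          = "*"
        },
        {
          description                = "MS Reco : https://docs.microsoft.com/fr-fr/azure/application-gateway/configuration-overview"
          direction                  = "Outbound"
          name                       = "ALL_to_ALL"
          access                     = "Allow"
          priority                   = "2100"
          source_address_prefix      = "*"
          destination_address_prefix = "*"
          destination_port_range     = "*"
          protocol                   = "*"
          source_port_range          = "*"
        },
      ]
    }
  }
}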
# Tags merged onto every network resource the module creates.
variable "net_additional_tags" {
  default = {
    demo = "network"
  }
}
#Call module
# Registry module pinned to an exact version, so a new module release cannot
# change the deployed network without an explicit edit here.
module "Az-VirtualNetwork-Demo" {
  source  = "JamesDLD/Az-VirtualNetwork/azurerm"
  version = "0.1.3"

  # naming / placement
  net_prefix                  = "demo-net"
  network_resource_group_name = "demo-jdld-noprd-rg1"

  # network objects (route tables and public IPs are not used in this demo)
  virtual_networks        = var.virtual_networks
  subnets                 = var.subnets
  route_tables            = {}
  network_security_groups = var.network_security_groups
  pips                    = {}
  vnets_to_peer           = var.vnets_to_peer

  net_additional_tags = var.net_additional_tags
}