An Azure Terraform Ensono Verified Module (EVM) designed to abstract the complexity of provisioning resources related to Azure Virtual Networks, Subnets, NSGs, Routes and Flowlogs.
This repository uses the pre-commit git hook framework, which can update and format some files to enforce our Terraform module best practices.
More details are available in the CONTRIBUTING.md file.
Examples, taken from the examples directory, can be found at the bottom of this page.
Name | Version |
---|---|
azurerm | >= 3.117.0, < 5 |
Name | Source | Version |
---|---|---|
avm_res_network_virtualnetwork | Azure/avm-res-network-virtualnetwork/azurerm | 0.7.1 |
avm_res_storage_storageaccount | Azure/avm-res-storage-storageaccount/azurerm | 0.2.9 |
route_table | Azure/avm-res-network-routetable/azurerm | 0.3.1 |
Name | Type |
---|---|
azurerm_network_security_group.nsg | resource |
azurerm_network_watcher_flow_log.flow_log | resource |
Name | Description | Type | Default | Required |
---|---|---|---|---|
access_tier | (Optional) Defines the access tier for BlobStorage , FileStorage and StorageV2 accounts. Valid options are Hot and Cool , defaults to Hot . |
string |
"Hot" |
no |
account_kind | (Optional) Defines the Kind of account. Valid options are BlobStorage , BlockBlobStorage , FileStorage , Storage and StorageV2 . Defaults to StorageV2 . |
string |
"StorageV2" |
no |
account_replication_type | (Required) Defines the type of replication to use for this storage account. Valid options are LRS, GRS, RAGRS, ZRS, GZRS and RAGZRS. Defaults to ZRS (note: this module's own default, per the Default column, is "LRS"). | string | "LRS" | no |
account_tier | (Required) Defines the Tier to use for this storage account. Valid options are Standard and Premium . For BlockBlobStorage and FileStorage accounts only Premium is valid. Changing this forces a new resource to be created. |
string |
"Standard" |
no |
address_space | The address spaces applied to the virtual network. You can supply more than one address space. | set(string) |
n/a | yes |
allow_nested_items_to_be_public | (Optional) Allow or disallow nested items within this account to opt into being public. Defaults to false (note: this module's own default, per the Default column, is true). | bool | true | no |
azure_location | The Azure target location for all resources managed by this module. | string |
n/a | yes |
azure_resource_tags | Resource tags to add to all resources managed by this module. | map(string) |
n/a | yes |
bgp_community | (Optional) The BGP community to send to the virtual network gateway. | string |
null |
no |
cross_tenant_replication_enabled | (Optional) Should cross-tenant replication be enabled? Defaults to false (note: this module's own default, per the Default column, is true). | bool | true | no |
ddos_protection_plan | Specifies an Azure Network DDoS Protection Plan. - id: The ID of the DDoS Protection Plan. (Required) - enable: Enables or disables the DDoS Protection Plan on the Virtual Network. (Required) | object({ | null | no |
default_to_oauth_authentication | (Optional) Default to Azure Active Directory authorization in the Azure portal when accessing the Storage Account. The default value is false |
bool |
false |
no |
dns_servers | (Optional) Specifies a list of IP addresses representing DNS servers. - dns_servers: Set of IP addresses of DNS servers. | object({ | null | no |
enable_telemetry | This variable controls whether or not telemetry is enabled for the module. | bool |
false |
no |
enable_vm_protection | Enable VM Protection for the virtual network | bool |
false |
no |
encryption | (Optional) Specifies the encryption settings for the virtual network. | object({ |
null |
no |
flow_log_enabled | Provision network watcher flow logs. | bool |
true |
no |
flow_log_logging_enabled | Enable Network Flow Logging. | bool |
true |
no |
flow_log_retention_policy_days | The number of days to retain flow log records. | number |
91 |
no |
flow_log_retention_policy_enabled | Boolean flag to enable/disable retention. | bool |
true |
no |
flow_timeout_in_minutes | The flow timeout in minutes for the virtual network | number |
null |
no |
https_traffic_only_enabled | (Optional) Boolean flag which forces HTTPS if enabled, see here for more information. Defaults to true . |
bool |
true |
no |
infrastructure_encryption_enabled | (Optional) Is infrastructure encryption enabled? Changing this forces a new resource to be created. Defaults to false . |
bool |
false |
no |
min_tls_version | (Optional) The minimum supported TLS version for the storage account. Possible values are TLS1_0 , TLS1_1 , and TLS1_2 . Defaults to TLS1_2 for new storage accounts. |
string |
"TLS1_2" |
no |
network_rules | > Note: the default value for this variable will block all public access to the storage account. If you want to disable all network rules, set this value to null (note: this module's own default, per the Default column, is null). - bypass - (Optional) Specifies whether traffic is bypassed for Logging/Metrics/AzureServices. Valid options are any combination of Logging, Metrics, AzureServices, or None. - default_action - (Required) Specifies the default action of allow or deny when no other rules match. Valid options are Deny or Allow. - ip_rules - (Optional) List of public IPs or IP ranges in CIDR format. Only IPv4 addresses are allowed. Private IP address ranges (as defined in RFC 1918) are not allowed. - storage_account_id - (Required) Specifies the ID of the storage account. Changing this forces a new resource to be created. - virtual_network_subnet_ids - (Optional) A list of virtual network subnet IDs to secure the storage account. --- The private_link_access block supports the following: - endpoint_resource_id - (Required) The resource ID of the resource access rule to be granted access. - endpoint_tenant_id - (Optional) The tenant ID of the resource of the resource access rule to be granted access. Defaults to the current tenant ID. --- The timeouts block supports the following: - create - (Defaults to 60 minutes) Used when creating the Network Rules for this Storage Account. - delete - (Defaults to 60 minutes) Used when deleting the Network Rules for this Storage Account. - read - (Defaults to 5 minutes) Used when retrieving the Network Rules for this Storage Account. - update - (Defaults to 60 minutes) Used when updating the Network Rules for this Storage Account. | object({ | null | no |
nfsv3_enabled | (Optional) Is NFSv3 protocol enabled? Changing this forces a new resource to be created. Defaults to false . |
bool |
false |
no |
nsg_rules | A map of NSG rules | map(object({ |
{} |
no |
public_network_access_enabled | (Optional) Whether public network access is enabled. Defaults to false (note: this module's own default, per the Default column, is true). | bool | true | no |
resource_group_name | Resource group name for all resources managed by this module. | string |
n/a | yes |
routes | (Optional) A map of route objects to create on the route table. | map(object({ |
{} |
no |
shared_access_key_enabled | (Optional) Indicates whether the storage account permits requests to be authorized with the account access key via Shared Key. If false, then all requests, including shared access signatures, must be authorized with Azure Active Directory (Azure AD). The default value is false (note: this module's own default, per the Default column, is true). | bool | true | no |
storageaccount_name | The name of the resource. | string |
"defaultstorageacct" |
no |
subnets | A map of subnets to create | map(object({ |
n/a | yes |
subscription_id | (Optional) Subscription ID passed in by an external process. If it is not supplied, the configuration must either include the subscription ID itself or be given the properties needed to create the subscription. | string | null | no |
vnet_name | The name of the virtual network | string |
n/a | yes |
Name | Description |
---|---|
nsg_ids | The IDs of the network security groups |
route_table_ids | The IDs of the route tables |
subnets | Information about the subnets created in the module. |
vnet_name | The resource name of the virtual network. |
vnet_resource_id | The resource ID of the virtual network. |
# Naming inputs for the example; presumably consumed by module.naming, which is
# defined outside this file.
company_name_short      = "ens"
subscription_name_short = "sub"
module_names            = ["example"]
azure_location          = "uksouth"

/*
Sensitive inputs should be passed as pipeline environment variables
(for example as TF_VAR_azure_subscription_id) rather than committed here.
azure_subscription_id = "xxx"
*/

# Virtual network definition.
vnet_name     = "example-vnet"
address_space = ["10.0.0.0/16"]
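# Subnet map passed to the module. Every entry in nsg_rule_names must be a key of
# nsg_rules and every entry in route_names a key of routes (both defined below).
subnets = {
  # Inbound-facing subnet: explicit allows followed by deny_all_inbound.
  subnet1 = {
    name                            = "subnet-test-inbound"
    address_prefixes                = ["10.0.1.0/24"]
    default_outbound_access_enabled = true
    # NOTE(review): "Disabled" means NSG and route-table policies are not enforced on
    # private endpoints placed in this subnet — confirm that is intended.
    private_endpoint_network_policies             = "Disabled"
    private_link_service_network_policies_enabled = true
    service_endpoints                             = ["Microsoft.Storage", "Microsoft.KeyVault"]
    nsg_rule_names                                = ["allow_http", "allow_multiple_destinations", "deny_all_inbound"]
  }
  # Delegated subnet with no NSG rules or routes attached.
  subnet2 = {
    name                                          = "subnet-test-outbound"
    address_prefixes                              = ["10.0.2.0/24"]
    default_outbound_access_enabled               = true
    private_endpoint_network_policies             = "Disabled"
    private_link_service_network_policies_enabled = true
    delegation = [{
      name = "Microsoft.Web.serverFarms"
      service_delegation = {
        name = "Microsoft.Web/serverFarms"
      }
    }]
    service_endpoints = ["Microsoft.Storage", "Microsoft.KeyVault"]
    # nsg_rule_names = ["allow_https", "allow_rdp"]
    nsg_rule_names = []
    route_names    = []
  }
  # Private subnet: SSH/HTTP allowed in, all outbound denied by deny_all_outbound.
  subnet3 = {
    name                                          = "pvt-subnet"
    address_prefixes                              = ["10.0.3.0/24"]
    default_outbound_access_enabled               = true
    private_endpoint_network_policies             = "Disabled"
    private_link_service_network_policies_enabled = true
    service_endpoints                             = ["Microsoft.Storage", "Microsoft.KeyVault"]
    nsg_rule_names                                = ["allow_http", "allow_ssh", "deny_all_outbound"]
  }
  # Reserved Azure subnet names; neither carries NSG rules in this example.
  GatewaySubnet = {
    name                                          = "GatewaySubnet"
    address_prefixes                              = ["10.0.4.0/27"]
    default_outbound_access_enabled               = false
    private_endpoint_network_policies             = "Disabled"
    private_link_service_network_policies_enabled = false
    bgp_route_propagation_enabled                 = false
  }
  AzureFirewallSubnet = {
    name                                          = "AzureFirewallSubnet"
    address_prefixes                              = ["10.0.5.0/26"]
    default_outbound_access_enabled               = false
    private_endpoint_network_policies             = "Disabled"
    private_link_service_network_policies_enabled = false
    # Declared exactly once: HCL rejects a repeated key inside an object literal.
    route_names = ["Default"]
  }
}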
# Named NSG rules referenced from subnets.*.nsg_rule_names. Lower priority numbers
# are evaluated first, so the explicit allows win over the catch-all denies.
# Example values only: the inbound allows accept traffic from any source ("*");
# restrict source_address_prefix to known ranges before reusing these.
nsg_rules = {
  allow_ssh = {
    name                       = "allow_ssh"
    priority                   = 100
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_address_prefix      = "*"
    source_port_range          = "*"
    destination_address_prefix = "*"
    destination_port_range     = "22"
  }
  allow_http = {
    name                       = "allow_http"
    priority                   = 200
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_address_prefix      = "*"
    source_port_range          = "*"
    destination_address_prefix = "*"
    destination_port_range     = "80"
  }
  # allow_https and allow_rdp are defined but not attached to any subnet above.
  allow_https = {
    name                       = "allow_https"
    priority                   = 300
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_address_prefix      = "*"
    source_port_range          = "*"
    destination_address_prefix = "*"
    destination_port_range     = "443"
  }
  allow_rdp = {
    name                       = "allow_rdp"
    priority                   = 400
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_address_prefix      = "*"
    source_port_range          = "*"
    destination_address_prefix = "*"
    destination_port_range     = "3389"
  }
  deny_all_outbound = {
    name                       = "deny_all_outbound"
    priority                   = 600
    direction                  = "Outbound"
    access                     = "Deny"
    protocol                   = "*"
    source_address_prefix      = "*"
    source_port_range          = "*"
    destination_address_prefix = "*"
    destination_port_range     = "*"
  }
  # Uses the plural destination_address_prefixes form to target several hosts.
  allow_multiple_destinations = {
    name                         = "allow_multiple_destinations"
    priority                     = 900
    direction                    = "Inbound"
    access                       = "Allow"
    protocol                     = "Tcp"
    source_address_prefix        = "*"
    source_port_range            = "*"
    destination_address_prefixes = ["10.0.0.7", "10.0.0.8"]
    destination_port_range       = "8080"
  }
  # Catch-all inbound deny; highest number here, so every allow above takes precedence.
  deny_all_inbound = {
    name                       = "deny_all_inbound"
    priority                   = 1000
    direction                  = "Inbound"
    access                     = "Deny"
    protocol                   = "*"
    source_address_prefix      = "*"
    source_port_range          = "*"
    destination_address_prefix = "*"
    destination_port_range     = "*"
  }
}
# Route-table entries referenced from subnets.*.route_names
# (only AzureFirewallSubnet uses "Default" in this example).
routes = {
  # Default route sending all traffic to the Internet.
  Default = {
    name           = "Default"
    next_hop_type  = "Internet"
    address_prefix = "0.0.0.0/0"
  }
}
# Wires the example inputs into the module under test (the repository root).
module "example" {
  source = "../../"

  # Placement and names come from the example's resource group and naming module,
  # both defined outside this file.
  resource_group_name = azurerm_resource_group.modules["example"].name
  azure_location      = azurerm_resource_group.modules["example"].location
  vnet_name           = module.naming["example"].virtual_network.name
  storageaccount_name = module.naming["example"].storage_account.name

  # Network layout passed straight through from the variables above.
  address_space = var.address_space
  subnets       = var.subnets
  nsg_rules     = var.nsg_rules
  routes        = var.routes

  azure_resource_tags = local.resource_tags
}