NSG module for creating multiple NSGs with NSG rules
I have created an NSG module for creating multiple NSGs. Below is the code:
main.tf
# One NSG per entry of var.network_security_groups. The map key becomes the
# instance key, so the same key addresses the NSG, its subnet lookup
# (data.azurerm_subnet.snet) and the subnet association below.
resource "azurerm_network_security_group" "nsgcreation" {
  for_each = var.network_security_groups

  name                = each.value.name
  resource_group_name = var.resource_group_name
  location            = var.location
}
# Attach each NSG to the subnet named in the same map entry. Iterating the
# same map as the NSG resource keeps the instance keys aligned, so both the
# subnet data source and the NSG can be indexed with each.key.
resource "azurerm_subnet_network_security_group_association" "associate" {
  for_each = var.network_security_groups

  network_security_group_id = azurerm_network_security_group.nsgcreation[each.key].id
  subnet_id                 = data.azurerm_subnet.snet[each.key].id
}
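# One security rule per entry of var.nsg_rules.
#
# Required keys per entry: name, direction, access, priority, protocol,
# network_security_group_name. The singular/plural port and address-prefix
# keys are optional; lookup() passes null for whichever is absent. Within each
# pair (e.g. source_port_range / source_port_ranges) only one may be non-null,
# as the provider declares them as conflicting.
resource "azurerm_network_security_rule" "nsgrules" {
  for_each = var.nsg_rules

  name                = each.value["name"]
  resource_group_name = var.resource_group_name
  # The NSG is referenced by its plain name (a string from tfvars), not by a
  # resource attribute, so Terraform cannot infer the ordering on its own;
  # the explicit depends_on below supplies it.
  network_security_group_name = each.value["network_security_group_name"]

  direction = each.value["direction"]
  access    = each.value["access"]
  priority  = each.value["priority"]
  protocol  = each.value["protocol"]
  # Was previously dropped: the tfvars carry a per-rule description that was
  # never forwarded to Azure, so the portal showed rules with no rationale.
  description = lookup(each.value, "description", null)

  source_port_range            = lookup(each.value, "source_port_range", null)
  source_port_ranges           = lookup(each.value, "source_port_ranges", null)
  destination_port_range       = lookup(each.value, "destination_port_range", null)
  destination_port_ranges      = lookup(each.value, "destination_port_ranges", null)
  source_address_prefix        = lookup(each.value, "source_address_prefix", null)
  source_address_prefixes      = lookup(each.value, "source_address_prefixes", null)
  destination_address_prefix   = lookup(each.value, "destination_address_prefix", null)
  destination_address_prefixes = lookup(each.value, "destination_address_prefixes", null)

  depends_on = [
    azurerm_network_security_group.nsgcreation
  ]
}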
variables.tf
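variable "network_security_groups" {
  description = <<-EOT
    Details of network security groups to be created, keyed by a stable
    identifier. Each value must provide: name (NSG name), subnet_name,
    vnet_name and vnet_rgname (resource group of the VNet), which are used to
    look up the subnet the NSG is associated with.
  EOT
  # Every per-NSG value is a plain string, so the type can be pinned exactly;
  # a missing or non-string key is then rejected at plan time instead of
  # failing inside the resource blocks.
  type    = map(map(string))
  default = {}
}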
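variable "nsg_rules" {
  description = <<-EOT
    Security rules to create, keyed by a stable identifier. Each value needs
    name, direction, access, priority, protocol and
    network_security_group_name (the NSG must be one created via
    network_security_groups). Optional keys: description and the
    source/destination port and address-prefix keys (singular or plural form).
  EOT
  # Deliberately left untyped: entries use different optional keys (some carry
  # the plural *_ranges / *_prefixes lists, others only the singular form), so
  # a single object type would reject valid input unless every key is declared
  # optional, which requires Terraform 1.3+.
  default = {}
}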
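variable "resource_group_name" {
  description = "Name of the resource group in which the NSGs and rules are created."
  # Was commented out; the only caller passes azurerm_resource_group.rg1.name,
  # so the constraint is safe and catches a wrong value at plan time.
  type = string
}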
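variable "location" {
  # The previous description mentioned a VNet and a default that does not
  # exist: the variable has no default and is required.
  description = "Azure region in which the network security groups are created (required)."
  type        = string
}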
data.tf
# Look up the existing subnet for every NSG entry. The instance keys match
# those of azurerm_network_security_group.nsgcreation, which the association
# resource relies on.
data "azurerm_subnet" "snet" {
  for_each = var.network_security_groups

  name                 = each.value.subnet_name
  virtual_network_name = each.value.vnet_name
  resource_group_name  = each.value.vnet_rgname
}
Currently I am calling the module with the code below and using a tfvars file for input. Given below is the code for the tfvars file and the module call.
Module Code:
# Instantiate the NSG module for the dev AKS subnets. Both maps come from
# vnet.auto.tfvars; resource group and region are taken from the
# already-managed resource group so they cannot drift apart.
module "nsgs" {
  source = "./nsgs"

  resource_group_name = azurerm_resource_group.rg1.name
  location            = azurerm_resource_group.rg1.location

  network_security_groups = var.nsgs_aks_dev
  nsg_rules               = var.nsg_rules_aks_dev
}
vnet.auto.tfvars
# NSGs for the dev AKS subnets. Each key is the instance key used inside the
# module; the subnet/VNet fields identify the existing subnet to attach to.
nsgs_aks_dev = {
  nsg_aks1 = {
    name        = "nsg_subnet-mel-dev-aks-pa1-ext-10.80.200.0"
    subnet_name = "subnet-mel-dev-aks-pa1-ext-10.80.200.0"
    vnet_name   = "bupaanz-mel-dev-caas-vnet01"
    vnet_rgname = "caas-dev-rg01"
  },
  nsg_aks2 = {
    name        = "nsg_subnet-mel-dev-aks-internal01-10.80.192.0"
    subnet_name = "subnet-mel-dev-aks-internal01-10.80.192.0"
    vnet_name   = "bupaanz-mel-dev-caas-vnet01"
    vnet_rgname = "caas-dev-rg01"
  },
}
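# Rules for the dev AKS NSGs. The same four rules are declared once per NSG:
# explicit Allow rules for SCOM (100) and SCCM (200) outbound, then catch-all
# Deny rules at 4096 (the lowest custom priority) in both directions.
#
# NOTE(review): the Deny rules use protocol = "tcp", so they match TCP only;
# UDP and ICMP traffic is not covered by them and falls through to the Azure
# default rules (e.g. the default AllowInternetOutBound). If "Deny all" is the
# intent, protocol = "*" would be needed — confirm with the owners before
# changing it.
#
# Fix: nsg_aks4 declared source_address_prefixes twice, which HCL rejects as a
# duplicate object key; the duplicate is removed and destination_port_range is
# set explicitly to null to match nsg_aks8.
nsg_rules_aks_dev = {
  # --- nsg_subnet-mel-dev-aks-pa1-ext-10.80.200.0 ---
  nsg_aks1 = {
    name                        = "DenyAllIn"
    priority                    = 4096
    network_security_group_name = "nsg_subnet-mel-dev-aks-pa1-ext-10.80.200.0"
    direction                   = "Inbound"
    access                      = "Deny"
    protocol                    = "tcp"
    source_port_range           = "*"
    destination_port_range      = "*"
    source_address_prefix       = "*"
    destination_address_prefix  = "*"
    description                 = "Deny all inbound ports"
  },
  nsg_aks2 = {
    name                        = "DenyAllOut"
    priority                    = 4096
    network_security_group_name = "nsg_subnet-mel-dev-aks-pa1-ext-10.80.200.0"
    direction                   = "Outbound"
    access                      = "Deny"
    protocol                    = "tcp"
    source_port_range           = "*"
    destination_port_range      = "*"
    source_address_prefix       = "*"
    destination_address_prefix  = "*"
    description                 = "Deny all outbound ports"
  },
  nsg_aks3 = {
    name                         = "AllowSCOMOutbound"
    priority                     = 100
    network_security_group_name  = "nsg_subnet-mel-dev-aks-pa1-ext-10.80.200.0"
    direction                    = "Outbound"
    access                       = "Allow"
    protocol                     = "tcp"
    source_port_range            = "*"
    source_port_ranges           = null
    source_address_prefix        = "*"
    source_address_prefixes      = null
    destination_port_range       = "5723"
    destination_port_ranges      = null
    destination_address_prefix   = null
    destination_address_prefixes = ["10.68.100.168", "10.64.150.162", "10.68.100.169", "10.64.150.164"]
    description                  = "Allow outbound connection to SCOM"
  },
  nsg_aks4 = {
    name                        = "AllowSCCMOutbound"
    priority                    = 200
    network_security_group_name = "nsg_subnet-mel-dev-aks-pa1-ext-10.80.200.0"
    direction                   = "Outbound"
    access                      = "Allow"
    protocol                    = "tcp"
    source_port_range           = "*"
    source_port_ranges          = null
    source_address_prefix       = "*"
    source_address_prefixes     = null
    destination_port_range      = null
    destination_port_ranges = [
      "80",
      "443",
      "445",
      "8530",
      "8531"
    ]
    destination_address_prefix   = null
    destination_address_prefixes = ["10.68.100.129", "10.68.100.130", "10.64.150.177"]
    description                  = "Allow outbound connection to SCCM"
  },
  # --- nsg_subnet-mel-dev-aks-internal01-10.80.192.0 ---
  nsg_aks5 = {
    name                        = "DenyAllIn"
    priority                    = 4096
    network_security_group_name = "nsg_subnet-mel-dev-aks-internal01-10.80.192.0"
    direction                   = "Inbound"
    access                      = "Deny"
    protocol                    = "tcp"
    source_port_range           = "*"
    destination_port_range      = "*"
    source_address_prefix       = "*"
    destination_address_prefix  = "*"
    description                 = "Deny all inbound ports"
  },
  nsg_aks6 = {
    name                        = "DenyAllOut"
    priority                    = 4096
    network_security_group_name = "nsg_subnet-mel-dev-aks-internal01-10.80.192.0"
    direction                   = "Outbound"
    access                      = "Deny"
    protocol                    = "tcp"
    source_port_range           = "*"
    destination_port_range      = "*"
    source_address_prefix       = "*"
    destination_address_prefix  = "*"
    description                 = "Deny all outbound ports"
  },
  nsg_aks7 = {
    name                         = "AllowSCOMOutbound"
    priority                     = 100
    network_security_group_name  = "nsg_subnet-mel-dev-aks-internal01-10.80.192.0"
    direction                    = "Outbound"
    access                       = "Allow"
    protocol                     = "tcp"
    source_port_range            = "*"
    source_port_ranges           = null
    source_address_prefix        = "*"
    source_address_prefixes      = null
    destination_port_range       = "5723"
    destination_port_ranges      = null
    destination_address_prefix   = null
    destination_address_prefixes = ["10.68.100.168", "10.64.150.162", "10.68.100.169", "10.64.150.164"]
    description                  = "Allow outbound connection to SCOM"
  },
  nsg_aks8 = {
    name                        = "AllowSCCMOutbound"
    priority                    = 200
    network_security_group_name = "nsg_subnet-mel-dev-aks-internal01-10.80.192.0"
    direction                   = "Outbound"
    access                      = "Allow"
    protocol                    = "tcp"
    source_port_range           = "*"
    source_port_ranges          = null
    source_address_prefix       = "*"
    source_address_prefixes     = null
    destination_port_range      = null
    destination_port_ranges = [
      "80",
      "443",
      "445",
      "8530",
      "8531"
    ]
    destination_address_prefix   = null
    destination_address_prefixes = ["10.68.100.129", "10.68.100.130", "10.64.150.177"]
    description                  = "Allow outbound connection to SCCM"
  },
}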
As the tfvars file shows, I am creating the same four rules for two NSGs, but I am writing each NSG rule twice (once per NSG). Can you let me know whether the tfvars can be reduced so that the same rules have to be defined only once rather than multiple times?
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
