Terraform Azure RM Module for Load Balancer
Перейти к файлу
hezijie 5e1041d802 use oidc 2024-09-23 15:37:17 +08:00
.devcontainer Prepare for CI (#49) 2023-01-09 09:50:03 +08:00
.github use oidc 2024-09-23 15:37:17 +08:00
examples Update TestVersionSnapshot 2024-01-28 00:23:45 +00:00
test Bump github.com/Azure/terraform-module-test-helper in /test (#103) 2023-08-07 11:25:57 +08:00
unit-fixture Add new variables to set subnet by name (#59) 2023-01-31 18:09:11 +08:00
.gitignore use override tflint config file 2024-02-05 08:25:54 +00:00
.tflint.override.hcl use override tflint config file 2024-02-05 08:25:54 +00:00
CHANGELOG-v3.md Prepare for CI (#49) 2023-01-09 09:50:03 +08:00
CHANGELOG.md Auto update 2023-08-07 05:38:44 +00:00
GNUmakefile use oidc 2024-09-23 15:37:17 +08:00
LICENSE initial version 2017-08-30 08:27:04 -04:00
README.md Update TestVersionSnapshot 2023-09-24 00:23:15 +00:00
SECURITY.md Microsoft mandatory file (#62) 2023-01-28 10:06:27 +08:00
locals.tf Auto update 2023-05-08 06:48:34 +00:00
main.tf Auto update 2024-02-05 08:29:36 +00:00
outputs.tf Auto update 2023-05-08 06:48:34 +00:00
providers.tf Prepare for CI (#49) 2023-01-09 09:50:03 +08:00
variables.tf Configurable frontend_ip_zones (#96) 2023-07-27 15:38:08 +08:00

README.md

terraform-azurerm-loadbalancer

A terraform module to provide load balancers in Azure with the following characteristics:

  • Ability to specify public or private loadbalancer using: var.type. Default is public.
  • Specify subnet to use for the loadbalancer: frontend_subnet_id
  • For private loadbalancer, specify the private ip address usingfrontend_private_ip_address
  • Specify the type of the private ip address with frontend_private_ip_address_allocation, Dynamic or Static , default is Dynamic

Notice on Upgrade to V4.x

We've added a CI pipeline for this module to speed up our code review and to enforce a high code quality standard, if you want to contribute by submitting a pull request, please read Pre-Commit & Pr-Check & Test section, or your pull request might be rejected by CI pipeline.

A pull request will be reviewed when it has passed Pre Pull Request Check in the pipeline, and will be merged when it has passed the acceptance tests. Once the ci Pipeline failed, please read the pipeline's output, thanks for your cooperation.

Usage in Terraform 1.2.0

Please view folders in examples.

Usage in Terraform 0.12

Public loadbalancer example:

provider "azurerm" {
  features {}
}

resource "azurerm_resource_group" "example" {
  name     = "example-lb"
  location = "West Europe"
}

module "mylb" {
  source              = "Azure/loadbalancer/azurerm"
  resource_group_name = azurerm_resource_group.example.name
  prefix              = "terraform-test"

  remote_port = {
    ssh = ["Tcp", "22"]
  }

  lb_port = {
    http = ["80", "Tcp", "80"]
  }

  lb_probe = {
    http = ["Tcp", "80", ""]
  }

}

Private loadbalancer example:

provider "azurerm" {
  features {}
}

resource "azurerm_resource_group" "example" {
  name     = "example-lb"
  location = "West Europe"
}

module "mylb" {
  source                                 = "Azure/loadbalancer/azurerm"
  resource_group_name                    = azurerm_resource_group.example.name
  type                                   = "private"
  frontend_subnet_id                     = module.network.vnet_subnets[0]
  frontend_private_ip_address_allocation = "Static"
  frontend_private_ip_address            = "10.0.1.6"
  lb_sku                                 = "Standard"
  pip_sku                                = "Standard" #`pip_sku` must match `lb_sku` 

  remote_port = {
    ssh = ["Tcp", "22"]
  }

  lb_port = {
    http  = ["80", "Tcp", "80"]
    https = ["443", "Tcp", "443"]
  }

  lb_probe = {
    http  = ["Tcp", "80", ""]
    http2 = ["Http", "1443", "/"]
  }

  tags = {
    cost-center = "12345"
    source      = "terraform"
  }
}

module "network" {
  source              = "Azure/network/azurerm"
  resource_group_name = azurerm_resource_group.example.name
  address_space       = "10.0.0.0/16"
  subnet_prefixes     = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
  subnet_names        = ["subnet1", "subnet2", "subnet3"]

  tags = {
    environment = "dev"
    costcenter  = "it"
  }
}

Example Usage

Please refer to the sub folders under examples folder. You can execute terraform apply command in examples's sub folder to try the module. These examples are tested against every PR with the E2E Test.

Enable or disable tracing tags

We're using BridgeCrew Yor and yorbox to help manage tags consistently across infrastructure as code (IaC) frameworks. In this module you might see tags like:

resource "azurerm_resource_group" "rg" {
  location = "eastus"
  name     = random_pet.name
  tags = merge(var.tags, (/*<box>*/ (var.tracing_tags_enabled ? { for k, v in /*</box>*/ {
    avm_git_commit           = "3077cc6d0b70e29b6e106b3ab98cee6740c916f6"
    avm_git_file             = "main.tf"
    avm_git_last_modified_at = "2023-05-05 08:57:54"
    avm_git_org              = "lonegunmanb"
    avm_git_repo             = "terraform-yor-tag-test-module"
    avm_yor_trace            = "a0425718-c57d-401c-a7d5-f3d88b2551a4"
  } /*<box>*/ : replace(k, "avm_", var.tracing_tags_prefix) => v } : {}) /*</box>*/))
}

To enable tracing tags, set the variable to true:

module "example" {
  source               = "{module_source}"
  ...
  tracing_tags_enabled = true
}

The tracing_tags_enabled is default to false.

To customize the prefix for your tracing tags, set the tracing_tags_prefix variable value in your Terraform configuration:

module "example" {
  source              = "{module_source}"
  ...
  tracing_tags_prefix = "custom_prefix_"
}

The actual applied tags would be:

{
  custom_prefix_git_commit           = "3077cc6d0b70e29b6e106b3ab98cee6740c916f6"
  custom_prefix_git_file             = "main.tf"
  custom_prefix_git_last_modified_at = "2023-05-05 08:57:54"
  custom_prefix_git_org              = "lonegunmanb"
  custom_prefix_git_repo             = "terraform-yor-tag-test-module"
  custom_prefix_yor_trace            = "a0425718-c57d-401c-a7d5-f3d88b2551a4"
}

Pre-Commit & Pr-Check & Test

Configurations

We assumed that you have setup service principal's credentials in your environment variables like below:

export ARM_SUBSCRIPTION_ID="<azure_subscription_id>"
export ARM_TENANT_ID="<azure_subscription_tenant_id>"
export ARM_CLIENT_ID="<service_principal_appid>"
export ARM_CLIENT_SECRET="<service_principal_password>"

On Windows Powershell:

$env:ARM_SUBSCRIPTION_ID="<azure_subscription_id>"
$env:ARM_TENANT_ID="<azure_subscription_tenant_id>"
$env:ARM_CLIENT_ID="<service_principal_appid>"
$env:ARM_CLIENT_SECRET="<service_principal_password>"

We provide a docker image to run the pre-commit checks and tests for you: mcr.microsoft.com/azterraform:latest

To run the pre-commit task, we can run the following command:

$ docker run --rm -v $(pwd):/src -w /src mcr.microsoft.com/azterraform:latest make pre-commit

On Windows Powershell:

$ docker run --rm -v ${pwd}:/src -w /src mcr.microsoft.com/azterraform:latest make pre-commit

In pre-commit task, we will:

  1. Run terraform fmt -recursive command for your Terraform code.
  2. Run terrafmt fmt -f command for markdown files and go code files to ensure that the Terraform code embedded in these files are well formatted.
  3. Run go mod tidy and go mod vendor for test folder to ensure that all the dependencies have been synced.
  4. Run gofmt for all go code files.
  5. Run gofumpt for all go code files.
  6. Run terraform-docs on README.md file, then run markdown-table-formatter to format markdown tables in README.md.

Then we can run the pr-check task to check whether our code meets our pipeline's requirement(We strongly recommend you run the following command before you commit):

$ docker run --rm -v $(pwd):/src -w /src mcr.microsoft.com/azterraform:latest make pr-check

On Windows Powershell:

$ docker run --rm -v ${pwd}:/src -w /src mcr.microsoft.com/azterraform:latest make pr-check

To run the e2e-test, we can run the following command:

docker run --rm -v $(pwd):/src -w /src -e ARM_SUBSCRIPTION_ID -e ARM_TENANT_ID -e ARM_CLIENT_ID -e ARM_CLIENT_SECRET mcr.microsoft.com/azterraform:latest make e2e-test

On Windows Powershell:

docker run --rm -v ${pwd}:/src -w /src -e ARM_SUBSCRIPTION_ID -e ARM_TENANT_ID -e ARM_CLIENT_ID -e ARM_CLIENT_SECRET mcr.microsoft.com/azterraform:latest make e2e-test

Prerequisites

Authors

Originally created by David Tesar

License

MIT

Requirements

Name Version
terraform >= 1.2
azurerm >= 3.0.0

Providers

Name Version
azurerm >= 3.0.0

Modules

No modules.

Resources

Name Type
azurerm_lb.azlb resource
azurerm_lb_backend_address_pool.azlb resource
azurerm_lb_nat_rule.azlb resource
azurerm_lb_probe.azlb resource
azurerm_lb_rule.azlb resource
azurerm_public_ip.azlb resource
azurerm_resource_group.azlb data source
azurerm_subnet.snet data source

Inputs

Name Description Type Default Required
allocation_method (Required) Defines how an IP address is assigned. Options are Static or Dynamic. string "Static" no
disable_outbound_snat (Optional) Is snat enabled for this Load Balancer Rule? Default false. bool false no
edge_zone (Optional) Specifies the Edge Zone within the Azure Region where this Public IP and Load Balancer should exist. Changing this forces new resources to be created. string null no
frontend_ip_zones (Optional) A collection containing the availability zone to allocate the IP in. Changing this forces a new resource to be created. Availability Zones are only supported with a Standard SKU and in select regions at this time. Standard SKU Public IP Addresses that do not specify a zone are not zone-redundant by default. set(string) null no
frontend_name (Required) Specifies the name of the frontend ip configuration. string "myPublicIP" no
frontend_private_ip_address (Optional) Private ip address to assign to frontend. Use it with type = private string "" no
frontend_private_ip_address_allocation (Optional) Frontend ip allocation type (Static or Dynamic) string "Dynamic" no
frontend_private_ip_address_version (Optional) The version of IP that the Private IP Address is. Possible values are IPv4 or IPv6. string null no
frontend_subnet_id (Optional) Frontend subnet id to use when in private mode string "" no
frontend_subnet_name (Optional) Frontend virtual network name to use when in private mode. Conflict with frontend_subnet_id. string "" no
frontend_vnet_name (Optional) Frontend virtual network name to use when in private mode. Conflict with frontend_subnet_id. string "" no
lb_floating_ip_enabled (Optional) Are the Floating IPs enabled for this Load Balancer Rule? A floating IP is reassigned to a secondary server in case the primary server fails. Required to configure a SQL AlwaysOn Availability Group. Defaults to false. bool false no
lb_port Protocols to be used for lb rules. Format as [frontend_port, protocol, backend_port] map(any) {} no
lb_probe (Optional) Protocols to be used for lb health probes. Format as [protocol, port, request_path] map(any) {} no
lb_probe_interval Interval in seconds the load balancer health probe rule does a check number 5 no
lb_probe_unhealthy_threshold Number of times the load balancer health probe has an unsuccessful attempt before considering the endpoint unhealthy. number 2 no
lb_sku (Optional) The SKU of the Azure Load Balancer. Accepted values are Basic and Standard. string "Basic" no
lb_sku_tier (Optional) The SKU tier of this Load Balancer. Possible values are Global and Regional. Defaults to Regional. Changing this forces a new resource to be created. string "Regional" no
location (Optional) The location/region where the core network will be created. The full list of Azure regions can be found at https://azure.microsoft.com/regions string "" no
name (Optional) Name of the load balancer. If it is set, the 'prefix' variable will be ignored. string "" no
pip_ddos_protection_mode (Optional) The DDoS protection mode of the public IP. Possible values are Disabled, Enabled, and VirtualNetworkInherited. Defaults to VirtualNetworkInherited. string "VirtualNetworkInherited" no
pip_ddos_protection_plan_id (Optional) The ID of DDoS protection plan associated with the public IP. ddos_protection_plan_id can only be set when ddos_protection_mode is Enabled. string null no
pip_domain_name_label (Optional) Label for the Domain Name. Will be used to make up the FQDN. If a domain name label is specified, an A DNS record is created for the public IP in the Microsoft Azure DNS system. string null no
pip_idle_timeout_in_minutes (Optional) Specifies the timeout for the TCP idle connection. The value can be set between 4 and 30 minutes. Defaults to 4. number 4 no
pip_ip_tags (Optional) A mapping of IP tags to assign to the public IP. Changing this forces a new resource to be created. IP Tag RoutingPreference requires multiple zones and Standard SKU to be set. map(string) null no
pip_ip_version (Optional) The IP Version to use, IPv6 or IPv4. Defaults to IPv4. Changing this forces a new resource to be created. Only static IP address allocation is supported for IPv6. string "IPv4" no
pip_name (Optional) Name of public ip. If it is set, the 'prefix' variable will be ignored. string "" no
pip_public_ip_prefix_id (Optional) If specified then public IP address allocated will be provided from the public IP prefix resource. Changing this forces a new resource to be created. string null no
pip_reverse_fqdn (Optional) A fully qualified domain name that resolves to this public IP address. If the reverseFqdn is specified, then a PTR DNS record is created pointing from the IP address in the in-addr.arpa domain to the reverse FQDN. string null no
pip_sku (Optional) The SKU of the Azure Public IP. Accepted values are Basic and Standard. string "Basic" no
pip_sku_tier (Optional) The SKU Tier that should be used for the Public IP. Possible values are Regional and Global. Defaults to Regional. Changing this forces a new resource to be created. string "Regional" no
pip_zones (Optional) A collection containing the availability zone to allocate the Public IP in. Changing this forces a new resource to be created. Availability Zones are only supported with a Standard SKU and in select regions at this time. Standard SKU Public IP Addresses that do not specify a zone are not zone-redundant by default. list(string) null no
prefix (Required) Default prefix to use with your resource names. string "azure_lb" no
remote_port Protocols to be used for remote vm access. [protocol, backend_port]. Frontend port will be automatically generated starting at 50000 and in the output. map(any) {} no
resource_group_name (Required) The name of the resource group where the load balancer resources will be imported. string n/a yes
tags (Optional) A mapping of tags to assign to the resource. map(string)
{
"source": "terraform"
}
no
tracing_tags_enabled Whether enable tracing tags that generated by BridgeCrew Yor. bool false no
tracing_tags_prefix Default prefix for generated tracing tags string "avm_" no
type (Optional) Defined if the loadbalancer is private or public string "public" no

Outputs

Name Description
azurerm_lb_backend_address_pool_id the id for the azurerm_lb_backend_address_pool resource
azurerm_lb_frontend_ip_configuration the frontend_ip_configuration for the azurerm_lb resource
azurerm_lb_id the id for the azurerm_lb resource
azurerm_lb_nat_rule_ids the ids for the azurerm_lb_nat_rule resources
azurerm_lb_probe_ids the ids for the azurerm_lb_probe resources
azurerm_public_ip_address the ip address for the azurerm_lb_public_ip resource
azurerm_public_ip_id the id for the azurerm_lb_public_ip resource
azurerm_resource_group_name name of the resource group provisioned
azurerm_resource_group_tags the tags provided for the resource group