Terraform module to create/provision Azure vnet
Latest commit: github-actions[bot] 333cb8fb8e Auto update, 2024-11-12 08:50:32 +00:00

| Path | Last commit message | Date |
|------|---------------------|------|
| .devcontainer | update github action files, add devcontainer config, update .gitignore | 2023-02-09 17:32:30 +08:00 |
| .github | prepare for oidc | 2024-09-24 12:05:21 +08:00 |
| examples | add module telemetry | 2024-11-12 16:46:23 +08:00 |
| test | bump dep | 2024-11-11 16:52:05 +08:00 |
| .gitignore | prepare for oidc | 2024-09-24 12:05:21 +08:00 |
| .tflint.override.hcl | use tflint override file | 2024-02-05 08:53:01 +00:00 |
| CHANGELOG-v2.md | Prepare for CI | 2022-10-09 17:57:21 +08:00 |
| CHANGELOG-v3.md | make var.use_for_each a required variable | 2022-12-27 09:35:34 +08:00 |
| CHANGELOG-v4.md | Prepare for 5.0.0 (#140) | 2023-09-15 09:55:05 +08:00 |
| CHANGELOG.md | Auto update | 2024-11-12 08:50:32 +00:00 |
| GNUmakefile | prepare for oidc | 2024-09-24 12:05:21 +08:00 |
| LICENSE | Moving network module to vnet | 2018-02-05 16:30:28 -08:00 |
| README.md | Auto update | 2024-11-12 08:50:32 +00:00 |
| SECURITY.md | Microsoft mandatory file | 2022-07-28 16:55:34 +00:00 |
| locals.tf | Add new variable `use_for_each` so we can use `for_each` to create multiple resource instances. (#92) | 2022-12-08 20:48:54 +08:00 |
| main.tf | depends on azurerm_virtual_network_dns_servers resource | 2024-11-12 14:43:57 +08:00 |
| outputs.tf | Auto update | 2023-06-06 08:46:02 +00:00 |
| telemetry.tf | add module telemetry | 2024-11-12 16:46:23 +08:00 |
| variables.tf | Auto update | 2024-11-12 08:50:32 +00:00 |
| versions.tf | update random provider constraint | 2024-11-12 16:46:23 +08:00 |

README.md

terraform-azurerm-vnet

Create a basic virtual network in Azure

This Terraform module deploys a Virtual Network in Azure with a subnet or a set of subnets passed in as input parameters.

The module does not create or expose a network security group, so a freshly deployed subnet carries only Azure's default rules. To filter traffic, create the network security groups (and any route tables) separately and pass their IDs, keyed by subnet name, through `var.nsg_ids` and `var.route_tables_ids`; the module then creates the subnet associations (`azurerm_subnet_network_security_group_association` and `azurerm_subnet_route_table_association`) for you.
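The following root module is an added example, not one of the module's own examples under the examples folder. It shows the pattern described above: a default-deny NSG and a forced-egress route table are created alongside the module and attached per subnet through `nsg_ids` and `route_tables_ids`, with `use_for_each = true` for a new stack. The registry address `Azure/vnet/azurerm`, the firewall address `10.0.254.4`, and all resource names are assumptions; substitute the source you actually consume the module from.

```hcl
# Added example, not from the module's examples folder. Assumptions: the
# module is consumed from the registry address below, a firewall/NVA listens
# on 10.0.254.4, and all names are illustrative.
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 4.0"
    }
  }
}

provider "azurerm" {
  features {}
}

locals {
  address_space = "10.0.0.0/16"
  # keys()/values() return entries sorted by key, so the two lists passed
  # to the module (subnet_names / subnet_prefixes) stay aligned.
  subnets = {
    app  = "10.0.1.0/24"
    data = "10.0.2.0/24"
  }
}

resource "azurerm_resource_group" "rg" {
  name     = "rg-vnet-example"
  location = "eastus"
}

# Default-deny inbound NSG. Azure's built-in AllowVnetInBound rule (priority
# 65000) permits all intra-vnet traffic; the explicit deny at 4000 overrides
# it so only what is allowed above it gets through. Add an allow for the
# AzureLoadBalancer service tag if these subnets sit behind a load balancer.
resource "azurerm_network_security_group" "default_deny" {
  name                = "nsg-default-deny"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name

  security_rule {
    name                       = "AllowHttpsFromVnet"
    priority                   = 100
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "443"
    source_address_prefix      = local.address_space
    destination_address_prefix = "*"
  }

  security_rule {
    name                       = "DenyAllInbound"
    priority                   = 4000
    direction                  = "Inbound"
    access                     = "Deny"
    protocol                   = "*"
    source_port_range          = "*"
    destination_port_range     = "*"
    source_address_prefix      = "*"
    destination_address_prefix = "*"
  }
}

# Route table that sends Internet-bound traffic through a firewall/NVA.
resource "azurerm_route_table" "egress" {
  name                = "rt-forced-egress"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name

  route {
    name                   = "default-via-firewall"
    address_prefix         = "0.0.0.0/0"
    next_hop_type          = "VirtualAppliance"
    next_hop_in_ip_address = "10.0.254.4" # assumed NVA address
  }
}

module "vnet" {
  source = "Azure/vnet/azurerm" # assumed registry address for this module

  vnet_name           = "vnet-example"
  vnet_location       = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  address_space       = [local.address_space]
  subnet_names        = keys(local.subnets)
  subnet_prefixes     = values(local.subnets)
  use_for_each        = true # new stack: address subnets by name, not index

  # Both maps are keyed by subnet name. Every subnet gets the default-deny
  # NSG; only the app subnet gets forced egress.
  nsg_ids          = { for name in keys(local.subnets) : name => azurerm_network_security_group.default_deny.id }
  route_tables_ids = { app = azurerm_route_table.egress.id }

  tags = { environment = "example" }
}

output "data_subnet_id" {
  value = module.vnet.vnet_subnets_name_id["data"]
}
```

Run `terraform plan` and confirm that the only subnet-level changes are the two association resources; an association keyed by a name that is not in `subnet_names` is the most common mistake, and it surfaces at plan time as an unknown map key rather than as a silent gap in coverage.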

Notice to contributor

Thanks for your contribution! This module was created before Terraform introduced for_each, and according to the documentation:

If your instances are almost identical, count is appropriate. If some of their arguments need distinct values that can't be directly derived from an integer, it's safer to use for_each.

This module contains resources that use the count meta-argument. Changing count to for_each directly would require heavy manual state-move operations, performed with extreme caution; otherwise users maintaining existing infrastructure would face a breaking change, because every subnet would be destroyed and recreated under its new resource address.

So the module replicates the azurerm_subnet resource in a second block that uses for_each, and provides a toggle variable named use_for_each that switches between the count set and the for_each set. Users can set var.use_for_each to true to use for_each, and users maintaining existing resources can keep the toggle false to avoid the breaking change. If you make changes to the subnet resource, make sure you change both resource blocks (azurerm_subnet.subnet_count and azurerm_subnet.subnet_for_each). Thanks for your cooperation.

Notice on Upgrade to V4.x

In v4.0.0, var.use_for_each became a required variable, so users had to set the value explicitly. Those maintaining existing infrastructure that was created with count should use false; those creating a new stack are encouraged to use true. (In the current version the variable again has a default of true; see the Inputs table below.)

V4.0.0 is a major version upgrade. Extreme caution must be taken during the upgrade to avoid accidental resource replacement and downtime.

Running terraform plan first to inspect the plan is strongly advised: look for resources marked "must be replaced" (shown as -/+) before applying.

Notice on Upgrade to V3.x

We've added a CI pipeline for this module to speed up code review and to enforce a high code quality standard. If you want to contribute by submitting a pull request, please read the Pre-Commit & Pr-Check & Test section, or your pull request might be rejected by the CI pipeline.

A pull request will be reviewed once it has passed the Pre Pull Request Check in the pipeline, and merged once it has passed the acceptance tests. If the CI pipeline fails, please read the pipeline's output. Thanks for your cooperation.

V3.0.0 is a major version upgrade. Extreme caution must be taken during the upgrade to avoid accidental resource replacement and downtime.

Running terraform plan first to inspect the plan is strongly advised: look for resources marked "must be replaced" (shown as -/+) before applying.

We kept most code untouched, but the following breaking changes might affect your stack:

  • var.vnet_location is now required. #72
  • var.resource_group_name can no longer be set to null. #72
  • var.subnet_prefixes's default value is now ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]. #73

Terraform and terraform-provider-azurerm version restrictions

The module requires Terraform core v1.x and terraform-provider-azurerm v4.x; see the Requirements table below for the exact constraints.

Example Usage

Please refer to the sub folders under the examples folder. You can execute the terraform apply command in an examples sub folder to try the module. These examples are tested against every PR with the E2E Test.

Enable or disable tracing tags

We're using BridgeCrew Yor and yorbox to help manage tags consistently across infrastructure as code (IaC) frameworks. In this module you might see tags like:

```hcl
resource "azurerm_resource_group" "rg" {
  location = "eastus"
  name     = random_pet.name.id
  tags = merge(var.tags, (/*<box>*/ (var.tracing_tags_enabled ? { for k, v in /*</box>*/ {
    avm_git_commit           = "3077cc6d0b70e29b6e106b3ab98cee6740c916f6"
    avm_git_file             = "main.tf"
    avm_git_last_modified_at = "2023-05-05 08:57:54"
    avm_git_org              = "lonegunmanb"
    avm_git_repo             = "terraform-yor-tag-test-module"
    avm_yor_trace            = "a0425718-c57d-401c-a7d5-f3d88b2551a4"
  } /*<box>*/ : replace(k, "avm_", var.tracing_tags_prefix) => v } : {}) /*</box>*/))
}
```

To enable tracing tags, set the variable to true:

```hcl
module "example" {
  source               = "{module_source}"
  ...
  tracing_tags_enabled = true
}
```

tracing_tags_enabled defaults to false.

To customize the prefix for your tracing tags, set the tracing_tags_prefix variable value in your Terraform configuration:

```hcl
module "example" {
  source              = "{module_source}"
  ...
  tracing_tags_prefix = "custom_prefix_"
}
```

The actual applied tags would be:

```hcl
{
  custom_prefix_git_commit           = "3077cc6d0b70e29b6e106b3ab98cee6740c916f6"
  custom_prefix_git_file             = "main.tf"
  custom_prefix_git_last_modified_at = "2023-05-05 08:57:54"
  custom_prefix_git_org              = "lonegunmanb"
  custom_prefix_git_repo             = "terraform-yor-tag-test-module"
  custom_prefix_yor_trace            = "a0425718-c57d-401c-a7d5-f3d88b2551a4"
}
```

Pre-Commit & Pr-Check & Test

Configurations

We assume that you have set up a service principal's credentials in your environment variables like below:

```sh
export ARM_SUBSCRIPTION_ID="<azure_subscription_id>"
export ARM_TENANT_ID="<azure_subscription_tenant_id>"
export ARM_CLIENT_ID="<service_principal_appid>"
export ARM_CLIENT_SECRET="<service_principal_password>"
```

On Windows PowerShell:

```powershell
$env:ARM_SUBSCRIPTION_ID="<azure_subscription_id>"
$env:ARM_TENANT_ID="<azure_subscription_tenant_id>"
$env:ARM_CLIENT_ID="<service_principal_appid>"
$env:ARM_CLIENT_SECRET="<service_principal_password>"
```

ARM_CLIENT_SECRET is a credential: set it in the current shell session only rather than in a profile or `.env` file that could be committed, and use a service principal whose role assignment is scoped to the test subscription.

We provide a docker image to run the pre-commit checks and tests for you: `mcr.microsoft.com/azterraform:latest`

To run the pre-commit task, run the following command:

```sh
docker run --rm -v $(pwd):/src -w /src mcr.microsoft.com/azterraform:latest make pre-commit
```

On Windows PowerShell:

```powershell
docker run --rm -v ${pwd}:/src -w /src mcr.microsoft.com/azterraform:latest make pre-commit
```

In the pre-commit task, we will:

  1. Run terraform fmt -recursive on your Terraform code.
  2. Run terrafmt fmt -f on markdown files and Go code files to ensure that the Terraform code embedded in these files is well formatted.
  3. Run go mod tidy and go mod vendor in the test folder to ensure that all the dependencies have been synced.
  4. Run gofmt on all Go code files.
  5. Run gofumpt on all Go code files.
  6. Run terraform-docs on the README.md file, then run markdown-table-formatter to format the markdown tables in README.md.

Then we can run the pr-check task to check whether our code meets the pipeline's requirements (we strongly recommend you run the following command before you commit):

```sh
docker run --rm -v $(pwd):/src -w /src -e TFLINT_CONFIG=.tflint_alt.hcl mcr.microsoft.com/azterraform:latest make pr-check
```

On Windows PowerShell:

```powershell
docker run --rm -v ${pwd}:/src -w /src -e TFLINT_CONFIG=.tflint_alt.hcl mcr.microsoft.com/azterraform:latest make pr-check
```

To run the e2e-test, run the following command (the credentials are passed through by name, so they never appear in the command line or in shell history):

```sh
docker run --rm -v $(pwd):/src -w /src -e ARM_SUBSCRIPTION_ID -e ARM_TENANT_ID -e ARM_CLIENT_ID -e ARM_CLIENT_SECRET mcr.microsoft.com/azterraform:latest make e2e-test
```

On Windows PowerShell:

```powershell
docker run --rm -v ${pwd}:/src -w /src -e ARM_SUBSCRIPTION_ID -e ARM_TENANT_ID -e ARM_CLIENT_ID -e ARM_CLIENT_SECRET mcr.microsoft.com/azterraform:latest make e2e-test
```

Prerequisites

Authors

Originally created by Eugene Chuvyrov

License

MIT

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.3.5 |
| azurerm | ~> 4.0 |
| modtm | 0.3.2 |
| random | >= 3.3.2, < 4.0 |

Providers

| Name | Version |
|------|---------|
| azurerm | ~> 4.0 |
| modtm | 0.3.2 |
| random | >= 3.3.2, < 4.0 |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| azurerm_subnet.subnet_count | resource |
| azurerm_subnet.subnet_for_each | resource |
| azurerm_subnet_network_security_group_association.vnet | resource |
| azurerm_subnet_route_table_association.vnet | resource |
| azurerm_virtual_network.vnet | resource |
| azurerm_virtual_network_dns_servers.this | resource |
| modtm_telemetry.telemetry | resource |
| random_uuid.telemetry | resource |
| azurerm_client_config.telemetry | data source |
| modtm_module_source.telemetry | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| address_space | The address space that is used by the virtual network. | `list(string)` | `["10.0.0.0/16"]` | no |
| bgp_community | (Optional) The BGP community attribute in format `<as-number>:<community-value>`. | `string` | `null` | no |
| ddos_protection_plan | The set of DDoS protection plan configuration | `object({ enable = bool, id = string })` | `null` | no |
| dns_servers | The DNS servers to be used with vNet. | `list(string)` | `[]` | no |
| enable_telemetry | This variable controls whether or not telemetry is enabled for the module. For more information see https://aka.ms/avm/telemetryinfo. If it is set to false, then no telemetry will be collected. | `bool` | `true` | no |
| nsg_ids | A map of subnet name to Network Security Group IDs | `map(string)` | `{}` | no |
| resource_group_name | Name of the resource group to be imported. | `string` | n/a | yes |
| route_tables_ids | A map of subnet name to Route table ids | `map(string)` | `{}` | no |
| subnet_delegation | A map of subnet name to delegation block on the subnet | `map(map(any))` | `{}` | no |
| subnet_enforce_private_link_endpoint_network_policies | A map of subnet name to enable/disable private link endpoint network policies on the subnet. | `map(bool)` | `{}` | no |
| subnet_enforce_private_link_service_network_policies | A map of subnet name to enable/disable private link service network policies on the subnet. | `map(bool)` | `{}` | no |
| subnet_names | A list of public subnets inside the vNet. | `list(string)` | `["subnet1", "subnet2", "subnet3"]` | no |
| subnet_prefixes | The address prefix to use for the subnet. | `list(string)` | `["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]` | no |
| subnet_service_endpoints | A map of subnet name to service endpoints to add to the subnet. | `map(any)` | `{}` | no |
| tags | The tags to associate with your network and subnets. | `map(string)` | `{}` | no |
| tracing_tags_enabled | Whether to enable the tracing tags generated by BridgeCrew Yor. | `bool` | `false` | no |
| tracing_tags_prefix | Default prefix for generated tracing tags | `string` | `"avm_"` | no |
| use_for_each | Use for_each instead of count to create multiple resource instances. Defaults to true. | `bool` | `true` | no |
| vnet_location | The location of the vnet to create. | `string` | n/a | yes |
| vnet_name | Name of the vnet to create | `string` | `"acctvnet"` | no |

Outputs

| Name | Description |
|------|-------------|
| vnet_address_space | The address space of the newly created vNet |
| vnet_guid | The GUID of the newly created vNet |
| vnet_id | The id of the newly created vNet |
| vnet_location | The location of the newly created vNet |
| vnet_name | The name of the newly created vNet |
| vnet_subnets | The ids of subnets created inside the newly created vNet |
| vnet_subnets_name_id | A map of subnet name to subnet id; look up a subnet id by name with `lookup(module.vnet.vnet_subnets_name_id, "subnet1")` |