A terraform module to provide load balancers in Azure with the following characteristics:
- Ability to specify
publicorprivateloadbalancer using:var.type. Default is public. - Specify subnet to use for the loadbalancer:
frontend_subnet_id - For
privateloadbalancer, specify the private ip address usingfrontend_private_ip_address - Specify the type of the private ip address with
frontend_private_ip_address_allocation, Dynamic or Static , default isDynamic
We've added a CI pipeline for this module to speed up our code review and to enforce a high code quality standard, if you want to contribute by submitting a pull request, please read Pre-Commit & Pr-Check & Test section, or your pull request might be rejected by CI pipeline.
A pull request will be reviewed when it has passed Pre Pull Request Check in the pipeline, and will be merged when it has passed the acceptance tests. Once the ci Pipeline failed, please read the pipeline's output, thanks for your cooperation.
Please view folders in examples.
Public loadbalancer example:
provider "azurerm" {
features {}
}
resource "azurerm_resource_group" "example" {
name = "example-lb"
location = "West Europe"
}
module "mylb" {
source = "Azure/loadbalancer/azurerm"
resource_group_name = azurerm_resource_group.example.name
prefix = "terraform-test"
remote_port = {
ssh = ["Tcp", "22"]
}
lb_port = {
http = ["80", "Tcp", "80"]
}
lb_probe = {
http = ["Tcp", "80", ""]
}
}
Private loadbalancer example:
provider "azurerm" {
features {}
}
resource "azurerm_resource_group" "example" {
name = "example-lb"
location = "West Europe"
}
module "mylb" {
source = "Azure/loadbalancer/azurerm"
resource_group_name = azurerm_resource_group.example.name
type = "private"
frontend_subnet_id = module.network.vnet_subnets[0]
frontend_private_ip_address_allocation = "Static"
frontend_private_ip_address = "10.0.1.6"
lb_sku = "Standard"
pip_sku = "Standard" #`pip_sku` must match `lb_sku`
remote_port = {
ssh = ["Tcp", "22"]
}
lb_port = {
http = ["80", "Tcp", "80"]
https = ["443", "Tcp", "443"]
}
lb_probe = {
http = ["Tcp", "80", ""]
http2 = ["Http", "1443", "/"]
}
tags = {
cost-center = "12345"
source = "terraform"
}
}
module "network" {
source = "Azure/network/azurerm"
resource_group_name = azurerm_resource_group.example.name
address_space = "10.0.0.0/16"
subnet_prefixes = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
subnet_names = ["subnet1", "subnet2", "subnet3"]
tags = {
environment = "dev"
costcenter = "it"
}
}Please refer to the sub folders under examples folder. You can execute terraform apply command in examples's sub folder to try the module. These examples are tested against every PR with the E2E Test.
We're using BridgeCrew Yor and yorbox to help manage tags consistently across infrastructure as code (IaC) frameworks. In this module you might see tags like:
resource "azurerm_resource_group" "rg" {
location = "eastus"
name = random_pet.name
tags = merge(var.tags, (/*<box>*/ (var.tracing_tags_enabled ? { for k, v in /*</box>*/ {
avm_git_commit = "3077cc6d0b70e29b6e106b3ab98cee6740c916f6"
avm_git_file = "main.tf"
avm_git_last_modified_at = "2023-05-05 08:57:54"
avm_git_org = "lonegunmanb"
avm_git_repo = "terraform-yor-tag-test-module"
avm_yor_trace = "a0425718-c57d-401c-a7d5-f3d88b2551a4"
} /*<box>*/ : replace(k, "avm_", var.tracing_tags_prefix) => v } : {}) /*</box>*/))
}To enable tracing tags, set the variable to true:
module "example" {
source = "{module_source}"
...
tracing_tags_enabled = true
}The tracing_tags_enabled is default to false.
To customize the prefix for your tracing tags, set the tracing_tags_prefix variable value in your Terraform configuration:
module "example" {
source = "{module_source}"
...
tracing_tags_prefix = "custom_prefix_"
}The actual applied tags would be:
{
custom_prefix_git_commit = "3077cc6d0b70e29b6e106b3ab98cee6740c916f6"
custom_prefix_git_file = "main.tf"
custom_prefix_git_last_modified_at = "2023-05-05 08:57:54"
custom_prefix_git_org = "lonegunmanb"
custom_prefix_git_repo = "terraform-yor-tag-test-module"
custom_prefix_yor_trace = "a0425718-c57d-401c-a7d5-f3d88b2551a4"
}
We assumed that you have setup service principal's credentials in your environment variables like below:
export ARM_SUBSCRIPTION_ID="<azure_subscription_id>"
export ARM_TENANT_ID="<azure_subscription_tenant_id>"
export ARM_CLIENT_ID="<service_principal_appid>"
export ARM_CLIENT_SECRET="<service_principal_password>"On Windows Powershell:
$env:ARM_SUBSCRIPTION_ID="<azure_subscription_id>"
$env:ARM_TENANT_ID="<azure_subscription_tenant_id>"
$env:ARM_CLIENT_ID="<service_principal_appid>"
$env:ARM_CLIENT_SECRET="<service_principal_password>"We provide a docker image to run the pre-commit checks and tests for you: mcr.microsoft.com/azterraform:latest
To run the pre-commit task, we can run the following command:
$ docker run --rm -v $(pwd):/src -w /src mcr.microsoft.com/azterraform:latest make pre-commitOn Windows Powershell:
$ docker run --rm -v ${pwd}:/src -w /src mcr.microsoft.com/azterraform:latest make pre-commitIn pre-commit task, we will:
- Run
terraform fmt -recursivecommand for your Terraform code. - Run
terrafmt fmt -fcommand for markdown files and go code files to ensure that the Terraform code embedded in these files are well formatted. - Run
go mod tidyandgo mod vendorfor test folder to ensure that all the dependencies have been synced. - Run
gofmtfor all go code files. - Run
gofumptfor all go code files. - Run
terraform-docsonREADME.mdfile, then runmarkdown-table-formatterto format markdown tables inREADME.md.
Then we can run the pr-check task to check whether our code meets our pipeline's requirement(We strongly recommend you run the following command before you commit):
$ docker run --rm -v $(pwd):/src -w /src mcr.microsoft.com/azterraform:latest make pr-checkOn Windows Powershell:
$ docker run --rm -v ${pwd}:/src -w /src mcr.microsoft.com/azterraform:latest make pr-checkTo run the e2e-test, we can run the following command:
docker run --rm -v $(pwd):/src -w /src -e ARM_SUBSCRIPTION_ID -e ARM_TENANT_ID -e ARM_CLIENT_ID -e ARM_CLIENT_SECRET mcr.microsoft.com/azterraform:latest make e2e-test
On Windows Powershell:
docker run --rm -v ${pwd}:/src -w /src -e ARM_SUBSCRIPTION_ID -e ARM_TENANT_ID -e ARM_CLIENT_ID -e ARM_CLIENT_SECRET mcr.microsoft.com/azterraform:latest make e2e-test
Originally created by David Tesar
| Name | Version |
|---|---|
| terraform | >= 1.2 |
| azurerm | >= 3.0.0 |
| Name | Version |
|---|---|
| azurerm | >= 3.0.0 |
No modules.
| Name | Type |
|---|---|
| azurerm_lb.azlb | resource |
| azurerm_lb_backend_address_pool.azlb | resource |
| azurerm_lb_nat_rule.azlb | resource |
| azurerm_lb_probe.azlb | resource |
| azurerm_lb_rule.azlb | resource |
| azurerm_public_ip.azlb | resource |
| azurerm_resource_group.azlb | data source |
| azurerm_subnet.snet | data source |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| allocation_method | (Required) Defines how an IP address is assigned. Options are Static or Dynamic. | string |
"Static" |
no |
| disable_outbound_snat | (Optional) Is snat enabled for this Load Balancer Rule? Default false. |
bool |
false |
no |
| edge_zone | (Optional) Specifies the Edge Zone within the Azure Region where this Public IP and Load Balancer should exist. Changing this forces new resources to be created. | string |
null |
no |
| frontend_ip_zones | (Optional) A collection containing the availability zone to allocate the IP in. Changing this forces a new resource to be created. Availability Zones are only supported with a Standard SKU and in select regions at this time. Standard SKU Public IP Addresses that do not specify a zone are not zone-redundant by default. | set(string) |
null |
no |
| frontend_name | (Required) Specifies the name of the frontend ip configuration. | string |
"myPublicIP" |
no |
| frontend_private_ip_address | (Optional) Private ip address to assign to frontend. Use it with type = private | string |
"" |
no |
| frontend_private_ip_address_allocation | (Optional) Frontend ip allocation type (Static or Dynamic) | string |
"Dynamic" |
no |
| frontend_private_ip_address_version | (Optional) The version of IP that the Private IP Address is. Possible values are IPv4 or IPv6. |
string |
null |
no |
| frontend_subnet_id | (Optional) Frontend subnet id to use when in private mode | string |
"" |
no |
| frontend_subnet_name | (Optional) Frontend virtual network name to use when in private mode. Conflict with frontend_subnet_id. |
string |
"" |
no |
| frontend_vnet_name | (Optional) Frontend virtual network name to use when in private mode. Conflict with frontend_subnet_id. |
string |
"" |
no |
| lb_floating_ip_enabled | (Optional) Are the Floating IPs enabled for this Load Balancer Rule? A floating IP is reassigned to a secondary server in case the primary server fails. Required to configure a SQL AlwaysOn Availability Group. Defaults to false. |
bool |
false |
no |
| lb_port | Protocols to be used for lb rules. Format as [frontend_port, protocol, backend_port] | map(any) |
{} |
no |
| lb_probe | (Optional) Protocols to be used for lb health probes. Format as [protocol, port, request_path] | map(any) |
{} |
no |
| lb_probe_interval | Interval in seconds the load balancer health probe rule does a check | number |
5 |
no |
| lb_probe_unhealthy_threshold | Number of times the load balancer health probe has an unsuccessful attempt before considering the endpoint unhealthy. | number |
2 |
no |
| lb_sku | (Optional) The SKU of the Azure Load Balancer. Accepted values are Basic and Standard. | string |
"Basic" |
no |
| lb_sku_tier | (Optional) The SKU tier of this Load Balancer. Possible values are Global and Regional. Defaults to Regional. Changing this forces a new resource to be created. |
string |
"Regional" |
no |
| location | (Optional) The location/region where the core network will be created. The full list of Azure regions can be found at https://azure.microsoft.com/regions | string |
"" |
no |
| name | (Optional) Name of the load balancer. If it is set, the 'prefix' variable will be ignored. | string |
"" |
no |
| pip_ddos_protection_mode | (Optional) The DDoS protection mode of the public IP. Possible values are Disabled, Enabled, and VirtualNetworkInherited. Defaults to VirtualNetworkInherited. |
string |
"VirtualNetworkInherited" |
no |
| pip_ddos_protection_plan_id | (Optional) The ID of DDoS protection plan associated with the public IP. ddos_protection_plan_id can only be set when ddos_protection_mode is Enabled. |
string |
null |
no |
| pip_domain_name_label | (Optional) Label for the Domain Name. Will be used to make up the FQDN. If a domain name label is specified, an A DNS record is created for the public IP in the Microsoft Azure DNS system. | string |
null |
no |
| pip_idle_timeout_in_minutes | (Optional) Specifies the timeout for the TCP idle connection. The value can be set between 4 and 30 minutes. Defaults to 4. |
number |
4 |
no |
| pip_ip_tags | (Optional) A mapping of IP tags to assign to the public IP. Changing this forces a new resource to be created. IP Tag RoutingPreference requires multiple zones and Standard SKU to be set. |
map(string) |
null |
no |
| pip_ip_version | (Optional) The IP Version to use, IPv6 or IPv4. Defaults to IPv4. Changing this forces a new resource to be created. Only static IP address allocation is supported for IPv6. |
string |
"IPv4" |
no |
| pip_name | (Optional) Name of public ip. If it is set, the 'prefix' variable will be ignored. | string |
"" |
no |
| pip_public_ip_prefix_id | (Optional) If specified then public IP address allocated will be provided from the public IP prefix resource. Changing this forces a new resource to be created. | string |
null |
no |
| pip_reverse_fqdn | (Optional) A fully qualified domain name that resolves to this public IP address. If the reverseFqdn is specified, then a PTR DNS record is created pointing from the IP address in the in-addr.arpa domain to the reverse FQDN. | string |
null |
no |
| pip_sku | (Optional) The SKU of the Azure Public IP. Accepted values are Basic and Standard. | string |
"Basic" |
no |
| pip_sku_tier | (Optional) The SKU Tier that should be used for the Public IP. Possible values are Regional and Global. Defaults to Regional. Changing this forces a new resource to be created. |
string |
"Regional" |
no |
| pip_zones | (Optional) A collection containing the availability zone to allocate the Public IP in. Changing this forces a new resource to be created. Availability Zones are only supported with a Standard SKU and in select regions at this time. Standard SKU Public IP Addresses that do not specify a zone are not zone-redundant by default. | list(string) |
null |
no |
| prefix | (Required) Default prefix to use with your resource names. | string |
"azure_lb" |
no |
| remote_port | Protocols to be used for remote vm access. [protocol, backend_port]. Frontend port will be automatically generated starting at 50000 and in the output. | map(any) |
{} |
no |
| resource_group_name | (Required) The name of the resource group where the load balancer resources will be imported. | string |
n/a | yes |
| tags | (Optional) A mapping of tags to assign to the resource. | map(string) |
{ |
no |
| tracing_tags_enabled | Whether enable tracing tags that generated by BridgeCrew Yor. | bool |
false |
no |
| tracing_tags_prefix | Default prefix for generated tracing tags | string |
"avm_" |
no |
| type | (Optional) Defined if the loadbalancer is private or public | string |
"public" |
no |
| Name | Description |
|---|---|
| azurerm_lb_backend_address_pool_id | the id for the azurerm_lb_backend_address_pool resource |
| azurerm_lb_frontend_ip_configuration | the frontend_ip_configuration for the azurerm_lb resource |
| azurerm_lb_id | the id for the azurerm_lb resource |
| azurerm_lb_nat_rule_ids | the ids for the azurerm_lb_nat_rule resources |
| azurerm_lb_probe_ids | the ids for the azurerm_lb_probe resources |
| azurerm_public_ip_address | the ip address for the azurerm_lb_public_ip resource |
| azurerm_public_ip_id | the id for the azurerm_lb_public_ip resource |
| azurerm_resource_group_name | name of the resource group provisioned |
| azurerm_resource_group_tags | the tags provided for the resource group |