variable "enable_telemetry" {
  # Opt-out switch for the module's usage telemetry. `nullable = false` means an
  # explicit `null` is rejected at plan time; callers must pass `true` or `false`.
  description = <<DESCRIPTION
This variable controls whether or not telemetry is enabled for the module.
For more information see https://aka.ms/avm/telemetryinfo.
If it is set to false, then no telemetry will be collected.
DESCRIPTION
  type        = bool
  default     = true
  nullable    = false
}
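variable "hub_virtual_networks" {
  type = map(object({
    name                            = string
    address_space                   = list(string)
    location                        = string
    resource_group_name             = string
    route_table_name                = optional(string)
    bgp_community                   = optional(string)
    ddos_protection_plan_id         = optional(string)
    dns_servers                     = optional(list(string))
    flow_timeout_in_minutes         = optional(number, 4)
    mesh_peering_enabled            = optional(bool, true)
    resource_group_creation_enabled = optional(bool, true)
    resource_group_lock_enabled     = optional(bool, true)
    resource_group_lock_name        = optional(string)
    resource_group_tags             = optional(map(string))
    routing_address_space           = optional(list(string), [])
    hub_router_ip_address           = optional(string)
    tags                            = optional(map(string), {})
    route_table_entries = optional(set(object({
      name                = string
      address_prefix      = string
      next_hop_type       = string
      has_bgp_override    = optional(bool, false)
      next_hop_ip_address = optional(string)
    })), [])
    subnets = optional(map(object(
      {
        name             = string
        address_prefixes = list(string)
        nat_gateway = optional(object({
          id = string
        }))
        network_security_group = optional(object({
          id = string
        }))
        private_endpoint_network_policies_enabled     = optional(bool, true)
        private_link_service_network_policies_enabled = optional(bool, true)
        assign_generated_route_table                  = optional(bool, true)
        external_route_table_id                       = optional(string)
        service_endpoints                             = optional(set(string))
        service_endpoint_policy_ids                   = optional(set(string))
        delegations = optional(list(
          object(
            {
              name = string
              service_delegation = object({
                name    = string
                actions = optional(list(string))
              })
            }
          )
        ))
      }
    )), {})
    firewall = optional(object({
      sku_name                         = string
      sku_tier                         = string
      subnet_address_prefix            = string
      firewall_policy_id               = optional(string, null)
      management_subnet_address_prefix = optional(string, null)
      name                             = optional(string)
      private_ip_ranges                = optional(list(string))
      subnet_route_table_id            = optional(string)
      tags                             = optional(map(string))
      zones                            = optional(list(string))
      default_ip_configuration = optional(object({
        name = optional(string)
        public_ip_config = optional(object({
          ip_version = optional(string)
          name       = optional(string)
          sku_tier   = optional(string, "Regional")
          zones      = optional(set(string))
        }))
      }))
      management_ip_configuration = optional(object({
        name = optional(string)
        public_ip_config = optional(object({
          ip_version = optional(string)
          name       = optional(string)
          sku_tier   = optional(string, "Regional")
          zones      = optional(set(string))
        }))
      }))
      firewall_policy = optional(object({
        name                              = optional(string)
        sku                               = optional(string, "Standard")
        auto_learn_private_ranges_enabled = optional(bool)
        base_policy_id                    = optional(string)
        dns = optional(object({
          proxy_enabled = optional(bool, false)
          servers       = optional(list(string))
        }))
        threat_intelligence_mode = optional(string, "Alert")
        private_ip_ranges        = optional(list(string))
        threat_intelligence_allowlist = optional(object({
          fqdns        = optional(set(string))
          ip_addresses = optional(set(string))
        }))
      }))
    }))
  }))
  default = {}
  # NOTE(review): the description used to list `service_endpoint_policy_assignment_enabled`
  # under subnets, but no such attribute exists in the type above, so it has been dropped
  # from the documentation rather than advertising a field that cannot take effect.
  description = <<DESCRIPTION
A map of the hub virtual networks to create. The map key is an arbitrary value to avoid Terraform's restriction that map keys must be known at plan time.
### Mandatory fields
- `name` - The name of the Virtual Network.
- `address_space` - A list of IPv4 address spaces that are used by this virtual network in CIDR format, e.g. `["192.168.0.0/24"]`.
- `location` - The Azure location where the virtual network should be created.
- `resource_group_name` - The name of the resource group in which the virtual network should be created.
### Optional fields
- `route_table_name` - The name of the route table generated by this module for this hub network.
- `bgp_community` - The BGP community associated with the virtual network.
- `ddos_protection_plan_id` - The ID of the DDoS protection plan associated with the virtual network.
- `dns_servers` - A list of DNS servers IP addresses for the virtual network.
- `flow_timeout_in_minutes` - The flow timeout in minutes for the virtual network. Default `4`.
- `mesh_peering_enabled` - Should the virtual network be peered to other hub networks with this flag enabled? Default `true`.
- `resource_group_creation_enabled` - Should the resource group for this virtual network be created by this module? Default `true`.
- `resource_group_lock_enabled` - Should the resource group for this virtual network be locked? Default `true`.
- `resource_group_lock_name` - The name of the resource group lock.
- `resource_group_tags` - A map of tags to apply to the resource group.
- `routing_address_space` - A list of IPv4 address spaces in CIDR format that are used for routing to this hub, e.g. `["192.168.0.0/16","172.16.0.0/12"]`.
- `hub_router_ip_address` - If not using Azure Firewall, this is the IP address of the hub router. This is used to create route table entries for other hub networks.
- `tags` - A map of tags to apply to the virtual network.
#### Route table entries
- `route_table_entries` - (Optional) A set of additional route table entries to add to the route table for this hub network. Default empty `[]`. The value is an object with the following fields:
  - `name` - The name of the route table entry.
  - `address_prefix` - The address prefix to match for this route table entry.
  - `next_hop_type` - The type of the next hop. Possible values include `Internet`, `VirtualAppliance`, `VirtualNetworkGateway`, `VnetLocal`, `None`.
  - `has_bgp_override` - Should the BGP override be enabled for this route table entry? Default `false`.
  - `next_hop_ip_address` - The IP address of the next hop. Required if `next_hop_type` is `VirtualAppliance`; this is checked by a validation rule at plan time.
#### Subnets
- `subnets` - (Optional) A map of subnets to create in the virtual network. The value is an object with the following fields:
  - `name` - The name of the subnet.
  - `address_prefixes` - The IPv4 address prefixes to use for the subnet in CIDR format.
  - `nat_gateway` - (Optional) An object with the following fields:
    - `id` - The ID of the NAT Gateway which should be associated with the Subnet. Changing this forces a new resource to be created.
  - `network_security_group` - (Optional) An object with the following fields:
    - `id` - The ID of the Network Security Group which should be associated with the Subnet. Changing this forces a new association to be created.
  - `private_endpoint_network_policies_enabled` - (Optional) Enable or Disable network policies for the private endpoint on the subnet. Setting this to true will Enable the policy and setting this to false will Disable the policy. Defaults to true.
  - `private_link_service_network_policies_enabled` - (Optional) Enable or Disable network policies for the private link service on the subnet. Setting this to true will Enable the policy and setting this to false will Disable the policy. Defaults to true.
  - `assign_generated_route_table` - (Optional) Should the Route Table generated by this module be associated with this Subnet? Default `true`. Cannot be used with `external_route_table_id`.
  - `external_route_table_id` - (Optional) The ID of the Route Table which should be associated with the Subnet. Changing this forces a new association to be created. Cannot be used with `assign_generated_route_table`.
  - `service_endpoints` - (Optional) The list of Service endpoints to associate with the subnet.
  - `service_endpoint_policy_ids` - (Optional) The list of Service Endpoint Policy IDs to associate with the subnet.
  - `delegations` - (Optional) A list of objects, each with the following fields:
    - `name` - The name of the delegation.
    - `service_delegation` - An object with the following fields:
      - `name` - The name of the service delegation.
      - `actions` - (Optional) A list of actions that should be delegated, the list is specific to the service being delegated.
#### Azure Firewall
- `firewall` - (Optional) An object with the following fields:
  - `sku_name` - The name of the SKU to use for the Azure Firewall. Possible values include `AZFW_Hub`, `AZFW_VNet`.
  - `sku_tier` - The tier of the SKU to use for the Azure Firewall. Possible values include `Basic`, `Standard`, `Premium`.
  - `subnet_address_prefix` - The IPv4 address prefix to use for the Azure Firewall subnet in CIDR format. Needs to be a part of the virtual network's address space.
  - `firewall_policy_id` - (Optional) The resource id of the Azure Firewall Policy to associate with the Azure Firewall. Cannot be used with `firewall_policy`.
  - `management_subnet_address_prefix` - (Optional) The IPv4 address prefix to use for the Azure Firewall management subnet in CIDR format. Needs to be a part of the virtual network's address space.
  - `name` - (Optional) The name of the firewall resource. If not specified will use `afw-{vnetname}`.
  - `private_ip_ranges` - (Optional) A list of private IP ranges to use for the Azure Firewall, to which the firewall will not NAT traffic. If not specified will use RFC1918.
  - `subnet_route_table_id` - (Optional) The resource id of the Route Table which should be associated with the Azure Firewall subnet. If not specified the module will assign the generated route table.
  - `tags` - (Optional) A map of tags to apply to the Azure Firewall. If not specified will be `null`.
  - `zones` - (Optional) A list of availability zones to use for the Azure Firewall. If not specified will be `null`.
  - `default_ip_configuration` - (Optional) An object with the following fields. If not specified the defaults below will be used:
    - `name` - (Optional) The name of the default IP configuration. If not specified will use `default`.
    - `public_ip_config` - (Optional) An object with the following fields:
      - `name` - (Optional) The name of the public IP configuration. If not specified will use `pip-afw-{vnetname}`.
      - `zones` - (Optional) A list of availability zones to use for the public IP configuration. If not specified will be `null`.
      - `ip_version` - (Optional) The IP version to use for the public IP configuration. Possible values include `IPv4`, `IPv6`. If not specified will be `IPv4`.
      - `sku_tier` - (Optional) The SKU tier to use for the public IP configuration. Possible values include `Regional`, `Global`. If not specified will be `Regional`.
  - `management_ip_configuration` - (Optional) An object with the following fields. If not specified the defaults below will be used:
    - `name` - (Optional) The name of the management IP configuration. If not specified will use `defaultMgmt`.
    - `public_ip_config` - (Optional) An object with the following fields:
      - `name` - (Optional) The name of the public IP configuration. If not specified will use `pip-afw-mgmt-<Map Key>`.
      - `zones` - (Optional) A list of availability zones to use for the public IP configuration. If not specified will be `null`.
      - `ip_version` - (Optional) The IP version to use for the public IP configuration. Possible values include `IPv4`, `IPv6`. If not specified will be `IPv4`.
      - `sku_tier` - (Optional) The SKU tier to use for the public IP configuration. Possible values include `Regional`, `Global`. If not specified will be `Regional`.
  - `firewall_policy` - (Optional) An object with the following fields. Cannot be used with `firewall_policy_id` (enforced by a validation rule). If not specified the defaults below will be used:
    - `name` - (Optional) The name of the firewall policy. If not specified will use `afw-policy-{vnetname}`.
    - `sku` - (Optional) The SKU to use for the firewall policy. Possible values include `Standard`, `Premium`. Default `Standard`.
    - `auto_learn_private_ranges_enabled` - (Optional) Should the firewall policy automatically learn private ranges? If not specified will be `null` and the provider default applies.
    - `base_policy_id` - (Optional) The resource id of the base policy to use for the firewall policy.
    - `dns` - (Optional) An object with the following fields:
      - `proxy_enabled` - (Optional) Should the DNS proxy be enabled for the firewall policy? Default `false`.
      - `servers` - (Optional) A list of DNS server IP addresses for the firewall policy.
    - `threat_intelligence_mode` - (Optional) The threat intelligence mode for the firewall policy. Possible values include `Alert`, `Deny`, `Off`. Default `Alert`, which only logs matches against the threat intelligence feed; set `Deny` to block them.
    - `private_ip_ranges` - (Optional) A list of private IP ranges to use for the firewall policy.
    - `threat_intelligence_allowlist` - (Optional) An object with the following fields:
      - `fqdns` - (Optional) A set of FQDNs to allowlist for threat intelligence.
      - `ip_addresses` - (Optional) A set of IP addresses to allowlist for threat intelligence.
DESCRIPTION
  nullable = false

  # Validate that there is at least 1 hub network defined
  validation {
    condition     = length(var.hub_virtual_networks) > 0
    error_message = "At least one hub virtual network must be defined."
  }

  # A VirtualAppliance route without a next hop address is rejected by the platform at apply
  # time; surface the documented requirement at plan time instead. `alltrue([])` is true, so
  # hubs without route table entries pass.
  validation {
    condition = alltrue(flatten([
      for vnet in values(var.hub_virtual_networks) : [
        for entry in vnet.route_table_entries :
        entry.next_hop_type != "VirtualAppliance" || entry.next_hop_ip_address != null
      ]
    ]))
    error_message = "`next_hop_ip_address` must be set for route table entries whose `next_hop_type` is `VirtualAppliance`."
  }

  # Enforce the documented mutual exclusion of an inline firewall policy and an external policy
  # id. `try()` yields null when `firewall` itself is null, so hubs without a firewall pass.
  validation {
    condition = alltrue([
      for vnet in values(var.hub_virtual_networks) :
      try(vnet.firewall.firewall_policy_id, null) == null || try(vnet.firewall.firewall_policy, null) == null
    ])
    error_message = "`firewall.firewall_policy` and `firewall.firewall_policy_id` are mutually exclusive; set at most one of them."
  }
}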