Adding Module code for Azure Network security Groups
rajivreddy committed Dec 26, 2023
0 parents commit b74a36d
Showing 14 changed files with 327 additions and 0 deletions.
25 changes: 25 additions & 0 deletions .github/workflows/checkov.yml
@@ -0,0 +1,25 @@

name: Static security analysis for Terraform

permissions: read-all

on:
push:
branches:
- main
pull_request:
branches:
- main
jobs:
checkov-job:
runs-on: ubuntu-latest
name: checkov-action
steps:
- name: Checkout repo
uses: actions/checkout@v2

- name: Run Checkov action
id: checkov
uses: bridgecrewio/checkov-action@master
with:
directory: ./
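Review bot: `uses: bridgecrewio/checkov-action@master` pins the scanner to a mutable branch, and `actions/checkout@v2` to an old major, so what actually runs on each push is whatever upstream currently publishes under those refs; since this workflow is the gate that decides whether Terraform changes are merged, pin both to a release tag or, better, a full commit SHA (for example `actions/checkout@v4` or a `@<sha>` reference) and let Dependabot move the pin. `permissions: read-all` at the top is the right scope for a read-only scan and needs no change.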
34 changes: 34 additions & 0 deletions .gitignore
@@ -0,0 +1,34 @@
# Local .terraform directories
**/.terraform/*

# .tfstate files
*.tfstate
*.tfstate.*
.terraform.*
# Crash log files
crash.log

# Exclude all .tfvars files, which are likely to contain sentitive data, such as
# password, private keys, and other secrets. These should not be part of version
# control as they are data points which are potentially sensitive and subject
# to change depending on the environment.
#
*.tfvars

# Ignore override files as they are usually used to override resources locally and so
# are not checked in
override.tf
override.tf.json
*_override.tf
*_override.tf.json

# Include override files you do wish to add to version control using negated pattern
#
# !example_override.tf

# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
# example: *tfplan*

# Ignore CLI configuration files
.terraformrc
terraform.rc
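Review bot: the `.terraform.*` pattern (third entry under `# .tfstate files`) also matches `.terraform.lock.hcl`, the dependency lock file that records the selected provider versions and their checksums; with the lock file ignored and `versions.tf` only requiring `azurerm >= 3.0.0`, every fresh `terraform init` may resolve and download a different provider build, which removes the reproducibility and integrity check the lock file exists to give. Add a negation right after that pattern, `!.terraform.lock.hcl`, using the same negated-pattern idiom the file already describes for override files. Also `sentitive` in the `.tfvars` comment should read `sensitive`.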
11 changes: 11 additions & 0 deletions .pre-commit-config.yaml
@@ -0,0 +1,11 @@
repos:
- repo: https://github.com/antonbabenko/pre-commit-terraform
rev: v1.77.1
hooks:
- id: terraform_fmt
- id: terraform_validate
- id: terraform_checkov
- id: terraform_docs
args:
- '--args=--lockfile=false'

58 changes: 58 additions & 0 deletions README.md
@@ -0,0 +1,58 @@
# Terraform module for Azure Network Security Group

## How to use it as a module

```hcl
module "nsg" {
source = "foss-cafe/nsg/azurerm"
version = "1.0.1"
name = "terraform-test-nsg"
location = "East US"
resource_group_name = "terraform-test"
}
```

<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
## Requirements

| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13.1 |
| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | >= 3.0.0 |

## Providers

| Name | Version |
|------|---------|
| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | >= 3.0.0 |

## Modules

No modules.

## Resources

| Name | Type |
|------|------|
| [azurerm_network_security_group.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_security_group) | resource |
| [azurerm_network_security_rule.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_security_rule) | resource |
| [azurerm_subnet_network_security_group_association.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet_network_security_group_association) | resource |

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| <a name="input_associate_nsg"></a> [associate\_nsg](#input\_associate\_nsg) | (Optional) Do you want to associate nsg with subnet | `bool` | `false` | no |
| <a name="input_create_nsg"></a> [create\_nsg](#input\_create\_nsg) | (Optional) Do you want ot create Network secuirty group | `bool` | `true` | no |
| <a name="input_custom_nsg_rules"></a> [custom\_nsg\_rules](#input\_custom\_nsg\_rules) | (Optional) Any Custom NSG rules you want to add | `any` | `{}` | no |
| <a name="input_location"></a> [location](#input\_location) | (Required) Specifies the supported Azure location where the resource exists. Changing this forces a new resource to be created. | `string` | n/a | yes |
| <a name="input_name"></a> [name](#input\_name) | (Required) Specifies the name of the network security group. Changing this forces a new resource to be created. | `string` | n/a | yes |
| <a name="input_resource_group_name"></a> [resource\_group\_name](#input\_resource\_group\_name) | (Required) The name of the resource group in which to create the network security group. Changing this forces a new resource to be created. | `string` | `"type"` | no |
| <a name="input_security_rule"></a> [security\_rule](#input\_security\_rule) | (Optional) List of objects representing security rules | `any` | <pre>[<br> {<br> "access": "Allow",<br> "description": "Outbound 443",<br> "destination_address_prefixes": [<br> "0.0.0.0/0"<br> ],<br> "destination_port_ranges": [<br> 443<br> ],<br> "direction": "Outbound",<br> "name": "outbound-443",<br> "priority": "100",<br> "protocol": "Tcp",<br> "source_address_prefixes": [<br> "0.0.0.0/0"<br> ],<br> "source_port_ranges": [<br> 443<br> ]<br> },<br> {<br> "access": "Allow",<br> "description": "Outbound 80",<br> "destination_address_prefixes": [<br> "0.0.0.0/0"<br> ],<br> "destination_port_ranges": [<br> 80<br> ],<br> "direction": "Outbound",<br> "name": "outbound-80",<br> "priority": "101",<br> "protocol": "Tcp",<br> "source_address_prefixes": [<br> "0.0.0.0/0"<br> ],<br> "source_port_ranges": [<br> 80<br> ]<br> },<br> {<br> "access": "Allow",<br> "description": "Outbound 53",<br> "destination_address_prefixes": [<br> "0.0.0.0/0"<br> ],<br> "destination_port_ranges": [<br> 53<br> ],<br> "direction": "Outbound",<br> "name": "outbound-53",<br> "priority": "102",<br> "protocol": "Udp",<br> "source_address_prefixes": [<br> "0.0.0.0/0"<br> ],<br> "source_port_ranges": [<br> 53<br> ]<br> },<br> {<br> "access": "Allow",<br> "description": "Inbound 443",<br> "destination_address_prefixes": [<br> "0.0.0.0/0"<br> ],<br> "destination_port_ranges": [<br> 443<br> ],<br> "direction": "Inbound",<br> "name": "inbound-443",<br> "priority": "100",<br> "protocol": "Tcp",<br> "source_address_prefixes": [<br> "0.0.0.0/0"<br> ],<br> "source_port_ranges": [<br> 443<br> ]<br> },<br> {<br> "access": "Allow",<br> "description": "Inbound 80",<br> "destination_address_prefixes": [<br> "0.0.0.0/0"<br> ],<br> "destination_port_ranges": [<br> 80<br> ],<br> "direction": "Inbound",<br> "name": "inbound-80",<br> "priority": "101",<br> "protocol": "Tcp",<br> "source_address_prefixes": [<br> "0.0.0.0/0"<br> ],<br> 
"source_port_ranges": [<br> 80<br> ]<br> },<br> {<br> "access": "Allow",<br> "description": "Inbound 53",<br> "destination_address_prefixes": [<br> "0.0.0.0/0"<br> ],<br> "destination_port_ranges": [<br> 53<br> ],<br> "direction": "Inbound",<br> "name": "inbound-53",<br> "priority": "102",<br> "protocol": "Udp",<br> "source_address_prefixes": [<br> "0.0.0.0/0"<br> ],<br> "source_port_ranges": [<br> 53<br> ]<br> }<br>]</pre> | no |
| <a name="input_subnet_id"></a> [subnet\_id](#input\_subnet\_id) | (Optional) The ID of the Subnet. Changing this forces a new resource to be created. | `string` | `null` | no |
| <a name="input_tags"></a> [tags](#input\_tags) | (Optional) A mapping of tags to assign to the resource. | `map(string)` | `{}` | no |

## Outputs

No outputs.
<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
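Review bot: the Inputs table is self-contradictory for `resource_group_name`: the description says `(Required)` but Default is `"type"` and Required is `no`, so a caller who forgets the argument silently targets a resource group literally named `type`. The table is generated from `variables.tf` by the `terraform_docs` hook, so the fix is to drop the default there and re-run the hook. The usage snippet at the top is also misleading as written: with the documented defaults, `module "nsg"` creates allow rules for inbound 80, 443 and 53 from `0.0.0.0/0`, and the README should say that the default `security_rule` list is permissive and show a call that passes a restricted list. Typos in the descriptions: `ot` and `secuirty`.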
Empty file added examples/simple/README.md
Empty file.
Empty file added examples/simple/main.tf
Empty file.
Empty file added examples/simple/outputs.tf
Empty file.
Empty file added examples/simple/provider.tf
Empty file.
Empty file added examples/simple/variables.tf
Empty file.
Empty file added locals.tf
Empty file.
62 changes: 62 additions & 0 deletions main.tf
@@ -0,0 +1,62 @@
resource "azurerm_network_security_group" "this" {
count = var.create_nsg ? 1 : 0

name = var.name
location = var.location
resource_group_name = var.resource_group_name

dynamic "security_rule" {
for_each = var.security_rule

content {
name = try(security_rule.value.name)
description = try(security_rule.value.description, null)
protocol = try(security_rule.value.protocol)
source_port_ranges = try(security_rule.value.source_port_ranges, [])
destination_port_ranges = try(security_rule.value.destination_port_ranges, [])
source_address_prefix = try(security_rule.value.source_address_prefix, null)
source_address_prefixes = try(security_rule.value.source_address_prefixes, [])
source_application_security_group_ids = try(security_rule.value.source_application_security_group_ids, [])
destination_address_prefix = try(security_rule.value.destination_address_prefix, null)
destination_address_prefixes = try(security_rule.value.destination_address_prefixes, [])
destination_application_security_group_ids = try(security_rule.value.destination_application_security_group_ids, [])
access = try(security_rule.value.access, "Deny")
priority = try(security_rule.value.priority, "100")
direction = try(security_rule.value.direction, "Outbound")
}
}

tags = var.tags
}


resource "azurerm_network_security_rule" "this" {
for_each = var.custom_nsg_rules

name = each.key
resource_group_name = var.resource_group_name
network_security_group_name = azurerm_network_security_group.this[0].name
description = try(each.value.description, null)
protocol = each.value.protocol
source_port_range = try(each.value.source_port_range, null)
source_port_ranges = try(each.value.source_port_ranges, null)
destination_port_range = try(each.value.destination_port_range, null)
destination_port_ranges = try(each.value.destination_port_ranges, null)
source_address_prefix = try(each.value.source_address_prefix, null)
source_address_prefixes = try(each.value.source_address_prefixes, null)
source_application_security_group_ids = try(each.value.source_application_security_group_ids, null)
destination_address_prefix = try(each.value.destination_address_prefix, null)
destination_address_prefixes = try(each.value.destination_address_prefixes, null)
destination_application_security_group_ids = try(each.value.destination_application_security_group_ids, null)
access = each.value.access
priority = each.value.priority
direction = each.value.direction
}


resource "azurerm_subnet_network_security_group_association" "this" {
count = var.associate_nsg ? 1 : 0

subnet_id = var.subnet_id
network_security_group_id = azurerm_network_security_group.this[0].id
}
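Review bot: `azurerm_network_security_group.this[0].name` in the `azurerm_network_security_rule` block and `azurerm_network_security_group.this[0].id` in the association index a `count`-ed resource unconditionally, so a caller that sets `create_nsg = false` while passing `custom_nsg_rules` or `associate_nsg = true` gets an opaque index error at plan time instead of a clear message; either gate those resources on `var.create_nsg` as well (`for_each = var.create_nsg ? var.custom_nsg_rules : {}` and `count = var.create_nsg && var.associate_nsg ? 1 : 0`) or add a precondition that states the dependency. Two smaller points in the dynamic block: `try(security_rule.value.name)` and `try(security_rule.value.protocol)` take a single argument, so they return the value or still error and plain attribute access is clearer; and `priority = try(security_rule.value.priority, "100")` will produce duplicate priorities as soon as two rules in the same direction omit it, since Azure rejects two rules with the same priority and direction, so that fallback is better removed than defaulted. The `access` fallback to `"Deny"` is the right default and should stay.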
Empty file added outputs.tf
Empty file.
127 changes: 127 additions & 0 deletions variables.tf
@@ -0,0 +1,127 @@
variable "create_nsg" {
type = bool
description = "(Optional) Do you want ot create Network secuirty group"
default = true
}

variable "name" {
type = string
description = "(Required) Specifies the name of the network security group. Changing this forces a new resource to be created."
}

variable "location" {
type = string
description = "(Required) Specifies the supported Azure location where the resource exists. Changing this forces a new resource to be created."
}

variable "resource_group_name" {
type = string
description = "(Required) The name of the resource group in which to create the network security group. Changing this forces a new resource to be created."
default = "type"
}

variable "security_rule" {
type = any
description = "(Optional) List of objects representing security rules"
default = [
{
name = "outbound-443"
description = "Outbound 443"
protocol = "Tcp"
source_port_ranges = [443]
destination_port_ranges = [443]
source_address_prefixes = ["0.0.0.0/0"]
destination_address_prefixes = ["0.0.0.0/0"]
access = "Allow"
priority = "100"
direction = "Outbound"
},
{
name = "outbound-80"
description = "Outbound 80"
protocol = "Tcp"
source_port_ranges = [80]
destination_port_ranges = [80]
source_address_prefixes = ["0.0.0.0/0"]
destination_address_prefixes = ["0.0.0.0/0"]
access = "Allow"
priority = "101"
direction = "Outbound"
},
{
name = "outbound-53"
description = "Outbound 53"
protocol = "Udp"
source_port_ranges = [53]
destination_port_ranges = [53]
source_address_prefixes = ["0.0.0.0/0"]
destination_address_prefixes = ["0.0.0.0/0"]
access = "Allow"
priority = "102"
direction = "Outbound"
},
{
name = "inbound-443"
description = "Inbound 443"
protocol = "Tcp"
source_port_ranges = [443]
destination_port_ranges = [443]
source_address_prefixes = ["0.0.0.0/0"]
destination_address_prefixes = ["0.0.0.0/0"]
access = "Allow"
priority = "100"
direction = "Inbound"
},
{
name = "inbound-80"
description = "Inbound 80"
protocol = "Tcp"
source_port_ranges = [80]
destination_port_ranges = [80]
source_address_prefixes = ["0.0.0.0/0"]
destination_address_prefixes = ["0.0.0.0/0"]
access = "Allow"
priority = "101"
direction = "Inbound"
},
{
name = "inbound-53"
description = "Inbound 53"
protocol = "Udp"
source_port_ranges = [53]
destination_port_ranges = [53]
source_address_prefixes = ["0.0.0.0/0"]
destination_address_prefixes = ["0.0.0.0/0"]
access = "Allow"
priority = "102"
direction = "Inbound"
}


]
}

variable "tags" {
type = map(string)
description = "(Optional) A mapping of tags to assign to the resource."
default = {}
}

variable "custom_nsg_rules" {
type = any
description = "(Optional) Any Custom NSG rules you want to add"
default = {}
}

variable "associate_nsg" {
type = bool
description = "(Optional) Do you want to associate nsg with subnet"
default = false
}

variable "subnet_id" {
type = string
description = "(Optional) The ID of the Subnet. Changing this forces a new resource to be created."
default = null
}

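Review bot: the default `security_rule` list does not do what its descriptions say. Every rule sets `source_port_ranges` to the same value as `destination_port_ranges` (for example `source_port_ranges = [443]` on `outbound-443`), but a client connecting to port 443 uses an ephemeral source port, so these rules only match traffic that happens to originate from port 443, 80 or 53; for the stated intent the source side should be `source_port_range = "*"` with only `destination_port_ranges` set. Separately, a module default that allows inbound 80, 443 and 53/udp from `0.0.0.0/0` is a permissive baseline for a security group; a safer default is an empty list (Azure's built-in default rules still apply) so callers opt in to each exposure explicitly. `resource_group_name` is described as `(Required)` yet has `default = "type"`, which should be removed. Both `security_rule` and `custom_nsg_rules` are `type = any`, which defeats plan-time validation of the rule shape; a `list(object({...}))` / `map(object({...}))` with `optional()` attributes would catch a misspelled key before apply. Typos: `ot` should be `to`, `secuirty` should be `security`.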
10 changes: 10 additions & 0 deletions versions.tf
@@ -0,0 +1,10 @@
terraform {
required_version = ">= 0.13.1"

required_providers {
azurerm = {
source = "hashicorp/azurerm"
version = ">= 3.0.0"
}
}
}
