-
Notifications
You must be signed in to change notification settings - Fork 0
/
variables.security.tf
356 lines (343 loc) · 17.5 KB
/
variables.security.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
variable "security_rules" {
type = map(object({
name = string
access = string
description = optional(string)
destination_address_prefix = optional(string)
destination_address_prefixes = optional(set(string))
destination_application_security_group_ids = optional(set(string))
destination_port_range = optional(string)
destination_port_ranges = optional(set(string))
direction = string
priority = number
protocol = string
source_address_prefix = optional(string)
source_address_prefixes = optional(set(string))
source_application_security_group_ids = optional(set(string))
source_port_range = optional(string)
source_port_ranges = optional(set(string))
timeouts = optional(object({
create = optional(string)
delete = optional(string)
read = optional(string)
update = optional(string)
}))
}))
default = {}
nullable = false
description = <<DESCRIPTION
A map of security rules to be created in **every** Network Security Group. The key of the map is the name of the security rule.
- `access` - (Required) Specifies whether network traffic is allowed or denied. Possible values are `Allow` and `Deny`.
- `name` - (Required) Name of the network security rule to be created.
- `description` - (Optional) A description for this rule. Restricted to 140 characters.
- `destination_address_prefix` - (Optional) CIDR or destination IP range or * to match any IP. Tags such as `VirtualNetwork`, `AzureLoadBalancer` and `Internet` can also be used. Besides, it also supports all available Service Tags like ‘Sql.WestEurope‘, ‘Storage.EastUS‘, etc. You can list the available service tags with the CLI: ```shell az network list-service-tags --location westcentralus```. For further information please see [Azure CLI
- `destination_address_prefixes` - (Optional) List of destination address prefixes. Tags may not be used. This is required if `destination_address_prefix` is not specified.
- `destination_application_security_group_ids` - (Optional) A List of destination Application Security Group IDs
- `destination_port_range` - (Optional) Destination Port or Range. Integer or range between `0` and `65535` or `*` to match any. This is required if `destination_port_ranges` is not specified.
- `destination_port_ranges` - (Optional) List of destination ports or port ranges. This is required if `destination_port_range` is not specified.
- `direction` - (Required) The direction specifies if rule will be evaluated on incoming or outgoing traffic. Possible values are `Inbound` and `Outbound`.
- `name` - (Required) The name of the security rule. This needs to be unique across all Rules in the Network Security Group. Changing this forces a new resource to be created.
- `priority` - (Required) Specifies the priority of the rule. The value can be between 100 and 4096. The priority number must be unique for each rule in the collection. The lower the priority number, the higher the priority of the rule.
- `protocol` - (Required) Network protocol this rule applies to. Possible values include `Tcp`, `Udp`, `Icmp`, `Esp`, `Ah` or `*` (which matches all).
- `resource_group_name` - (Required) The name of the resource group in which to create the Network Security Rule. Changing this forces a new resource to be created.
- `source_address_prefix` - (Optional) CIDR or source IP range or * to match any IP. Tags such as `VirtualNetwork`, `AzureLoadBalancer` and `Internet` can also be used. This is required if `source_address_prefixes` is not specified.
- `source_address_prefixes` - (Optional) List of source address prefixes. Tags may not be used. This is required if `source_address_prefix` is not specified.
- `source_application_security_group_ids` - (Optional) A List of source Application Security Group IDs
- `source_port_range` - (Optional) Source Port or Range. Integer or range between `0` and `65535` or `*` to match any. This is required if `source_port_ranges` is not specified.
- `source_port_ranges` - (Optional) List of source ports or port ranges. This is required if `source_port_range` is not specified.
---
`timeouts` block supports the following:
- `create` - (Defaults to 30 minutes) Used when creating the Network Security Rule.
- `delete` - (Defaults to 30 minutes) Used when deleting the Network Security Rule.
- `read` - (Defaults to 5 minutes) Used when retrieving the Network Security Rule.
- `update` - (Defaults to 30 minutes) Used when updating the Network Security Rule.
```hcl
security_rules = {
"test" = {
access = "Allow"
name = "Allow-HTTPS-Internet"
description = "Allow HTTPS traffic to the Internet"
destination_address_prefix = "Internet"
destination_port_range = "443"
direction = "Outbound"
priority = 555
protocol = "Tcp"
source_address_prefix = "VirtualNetwork"
source_port_range = "*"
}
}
```hcl
DESCRIPTION
}
variable "default_rules" {
type = map(object({
name = string
access = string
direction = string
priority = number
protocol = string
description = optional(string)
destination_address_prefix = optional(string, null)
destination_address_prefixes = optional(set(string), null)
destination_application_security_group_ids = optional(set(string), null)
destination_port_range = optional(string, null)
destination_port_ranges = optional(set(string), null)
source_address_prefix = optional(string, null)
source_address_prefixes = optional(set(string), null)
source_application_security_group_ids = optional(set(string), null)
source_port_range = optional(string, null)
source_port_ranges = optional(set(string), null)
timeouts = optional(object({
create = optional(string, "30")
delete = optional(string, "30")
read = optional(string, "5")
update = optional(string, "30")
}))
}))
default = {
"Allow-Https-in-from-vnets" = {
access = "Allow"
name = "Allow-Https-in-from-vnets"
description = "Allow HTTPS traffic from VNets"
destination_address_prefix = "VirtualNetwork"
destination_port_range = "443"
direction = "Inbound"
priority = 4095
protocol = "Tcp"
source_address_prefix = "VirtualNetwork"
source_port_range = "*"
},
"Allow-Http-out-to-vnets" = {
access = "Allow"
name = "Allow-Http-out-to-vnets"
description = "Allow HTTP(S) traffic to VNets"
destination_address_prefix = "VirtualNetwork"
destination_port_ranges = ["80", "443"]
direction = "Outbound"
priority = 4095
protocol = "Tcp"
source_address_prefix = "VirtualNetwork"
source_port_range = "*"
},
"Deny-Any-Any-Any-In" = {
access = "Deny"
name = "Deny-Any-Any-Any-In"
description = "Deny all inbound traffic"
destination_address_prefix = "*"
destination_port_range = "*"
direction = "Inbound"
priority = 4096
protocol = "*"
source_address_prefix = "*"
source_port_range = "*"
},
"Deny-Any-Any-Any-Out" = {
access = "Deny"
name = "Deny-Any-Any-Any-Out"
description = "Deny all outbound traffic"
destination_address_prefix = "*"
destination_port_range = "*"
direction = "Outbound"
priority = 4096
protocol = "*"
source_address_prefix = "*"
source_port_range = "*"
}
}
nullable = false
description = <<DESCRIPTION
A map of default security rules to be created in **every** Network Security Group, except if you specificy "network_security_group_config -> Azure default" in the subnet configuration.
but of course, you can override these defaults by specifying the same rule in a new `default_rules` map.
This map is merged with the security rules map to create the final set of rules for the Network Security Group.
```hcl
subnets = {
"ToolingSubnet" = {
address_prefixes = ["100.0.3.0/24"]
default_outbound_access_enabled = false
create_network_security_group = true
network_security_group_config = {
azure_default = true
}
}
```hcl
DESCRIPTION
}
variable "azure_bastion_source_ip_prefixes" {
description = "The source IP prefixes that can access the Azure Bastion service, recommendation is not to use the default!"
type = set(string)
default = ["0.0.0.0/0"]
nullable = false
}
variable "azure_bastion_security_rules" {
type = map(object({
name = string
access = string
direction = string
priority = number
protocol = string
description = optional(string)
destination_address_prefix = optional(string, null)
destination_address_prefixes = optional(set(string), null)
destination_application_security_group_ids = optional(set(string), null)
destination_port_range = optional(string, null)
destination_port_ranges = optional(set(string), null)
source_address_prefix = optional(string, null)
source_address_prefixes = optional(set(string), null)
source_application_security_group_ids = optional(set(string), null)
source_port_range = optional(string, null)
source_port_ranges = optional(set(string), null)
timeouts = optional(object({
create = optional(string, "30")
delete = optional(string, "30")
read = optional(string, "5")
update = optional(string, "30")
}))
}))
default = {
"Allow-Https-in-from-Internet" = {
access = "Allow"
name = "Allow-Https-in-from-Internet"
description = "Allow HTTPS traffic from the Internet"
destination_address_prefix = "*"
destination_port_range = "443"
direction = "Inbound"
priority = 4040
protocol = "Tcp"
source_address_prefix = null
source_address_prefixes = null
source_port_range = "*"
},
"Allow-Https-in-from-GatewayManager" = {
access = "Allow"
name = "Allow-Https-in-from-GatewayManager"
description = "Allow HTTPS traffic from the GatewayManager"
destination_address_prefix = "*"
destination_port_range = "443"
direction = "Inbound"
priority = 4041
protocol = "Tcp"
source_address_prefix = "GatewayManager"
source_port_range = "*"
},
"Allow-DataPlane-in-from-VirtualNetwork" = {
access = "Allow"
name = "Allow-DataPlane-in-from-VirtualNetwork"
description = "Allow DataPlane traffic from the VirtualNetwork"
destination_address_prefix = "VirtualNetwork"
destination_port_range = "8080"
direction = "Inbound"
priority = 4042
protocol = "Tcp"
source_address_prefix = "VirtualNetwork"
source_port_range = "*"
},
"Allow-DataPlane-in-from-VirtualNetwork-5701" = {
access = "Allow"
name = "Allow-DataPlane-in-from-VirtualNetwork-5701"
description = "Allow DataPlane traffic from the VirtualNetwork on port 5701"
destination_address_prefix = "VirtualNetwork"
destination_port_range = "5701"
direction = "Inbound"
priority = 4043
protocol = "Tcp"
source_address_prefix = "VirtualNetwork"
source_port_range = "*"
},
"Allow-Https-in-from-AzureLoadBalancer" = {
access = "Allow"
name = "Allow-Https-in-from-AzureLoadBalancer"
description = "Allow HTTPS traffic from the AzureLoadBalancer"
destination_address_prefix = "*"
destination_port_range = "443"
direction = "Inbound"
priority = 4044
protocol = "Tcp"
source_address_prefix = "AzureLoadBalancer"
source_port_range = "*"
},
"Allow-Rdp-out-to-VirtualNetwork" = {
access = "Allow"
name = "Allow-Rdp-out-to-VirtualNetwork"
description = "Allow RDP traffic to the VirtualNetwork"
destination_address_prefix = "VirtualNetwork"
destination_port_range = "3389"
direction = "Outbound"
priority = 4040
protocol = "Tcp"
source_address_prefix = "*"
source_port_range = "*"
},
"Allow-Ssh-out-to-VirtualNetwork" = {
access = "Allow"
name = "Allow-Ssh-out-to-VirtualNetwork"
description = "Allow SSH traffic to the VirtualNetwork"
destination_address_prefix = "VirtualNetwork"
destination_port_range = "22"
direction = "Outbound"
priority = 4041
protocol = "Tcp"
source_address_prefix = "*"
source_port_range = "*"
},
"Allow-DataPlane-out-to-VirtualNetwork-8080" = {
access = "Allow"
name = "Allow-DataPlane-out-to-VirtualNetwork-8080"
description = "Allow DataPlane traffic to the VirtualNetwork on port 8080"
destination_address_prefix = "VirtualNetwork"
destination_port_range = "8080"
direction = "Outbound"
priority = 4042
protocol = "Tcp"
source_address_prefix = "*"
source_port_range = "*"
},
"Allow-DataPlane-out-to-VirtualNetwork-5701" = {
access = "Allow"
name = "Allow-DataPlane-out-to-VirtualNetwork-5701"
description = "Allow DataPlane traffic to the VirtualNetwork on port 5701"
destination_address_prefix = "VirtualNetwork"
destination_port_range = "5701"
direction = "Outbound"
priority = 4043
protocol = "Tcp"
source_address_prefix = "*"
source_port_range = "*"
},
"Allow-Https-out-to-AzureCloud" = {
access = "Allow"
name = "Allow-Https-out-to-AzureCloud"
description = "Allow HTTPS traffic to the AzureCloud"
destination_address_prefix = "AzureCloud"
destination_port_range = "443"
direction = "Outbound"
priority = 4044
protocol = "Tcp"
source_address_prefix = "*"
source_port_range = "*"
},
"Allow-Http-out-to-Internet" = {
access = "Allow"
name = "Allow-Http-out-to-Internet"
description = "Allow HTTP traffic to the Internet"
destination_address_prefix = "Internet"
destination_port_range = "80"
direction = "Outbound"
priority = 4045
protocol = "Tcp"
source_address_prefix = "*"
source_port_range = "*"
}
}
nullable = false
description = <<DESCRIPTION
A map of security rules to be created in the AzureBastionSubnet Network Security Group. The key of the map is the name of the security rule.
This Map contains the required rules for the Azure Bastion Subnet. These rules are required for the Azure Bastion service to work properly.
This map is merged with the default rules and security rules to create the final set of rules for the Azure Bastion Subnet.
```hcl
subnets = {
"AzureBastionSubnet" = {
address_prefixes = ["100.0.5.0/24"]
}
```hcl
DESCRIPTION
}