Skip to content

schubergphilis/terraform-azure-mcaf-private-endpoints

Repository files navigation

Requirements

Name Version
terraform >= 1.7
azurerm >= 4

Providers

Name Version
azurerm >= 4

Modules

No modules.

Resources

Name Type
azurerm_private_endpoint.this resource
azurerm_private_link_service.this resource

Inputs

Name Description Type Default Required
location The location/region where the virtual network private endpoint is created. string n/a yes
private_endpoints This object describes the private endpoint configuration.

- name - (Optional) Specifies the Name of the Private Endpoint.
- location - (Optional) The supported Azure location where the resource exists.
- resource_group_name - (Optional) The resource group name.
- custom_network_interface_name - (Optional) The custom name of the network interface attached to the private endpoint. Defaults to the private endpoint name with '-nic'.
- ip_configuration- (Optional) This allows a static IP address to be set for this Private Endpoint, otherwise an address is dynamically allocated from the Subnet.
- name - (Optional)
- member_name - (Optional)
- private_ip_address - (Optional) -
- subresource_name - (Optional)
- is_manual_connection - (Optional) Does the Private Endpoint require Manual Approval from the remote resource owner? Use together with request_message.
- private_connection_resource_alias - (Optional) The Service Alias of the Private Link Enabled Remote Resource which this Private Endpoint should be connected to. One of private_connection_resource_id or private_connection_resource_alias must be specified.
- private_connection_resource_id - (Required) The ID of the Private Link Enabled Remote Resource which this Private Endpoint should be connected to. One of private_connection_resource_id or private_connection_resource_alias must be specified.
- private_dns_zone_group_name - (Optional) Specifies the Name of the Private DNS Zone Group.
- private_dns_zone_ids - (Optional) Specifies the list of Private DNS Zones to include.
- private_service_connection_name - (Optional) Specifies the Name of the Private Service Connection.
- request_message - (Optional) A message passed to the owner of the remote resource when the private endpoint attempts to establish the connection to the remote resource.
- subnet_id - (Required) The ID of the Subnet from which Private IP Addresses will be allocated for this Private Endpoint.
- subresource_name - (Optional) A subresource name which the Private Endpoint is able to connect to, e.g. 'vault' for key vault or 'blob' for storage account. Required when not using a custom Private Link service.
- tags - (Optional) A mapping of tags to assign to the resource.

Example Inputs:
hcl
private_endpoints = {
"blob-private-endpoint" = {
private_connection_resource_id = azurerm_storage_account.storage_account.id
subnet_id = azurerm_subnet.app-subnet.id
subresource_name = "blob"
}
}
hcl
map(object({
name = optional(string)
location = optional(string)
resource_group_name = optional(string)
custom_network_interface_name = optional(string)
ip_configuration = optional(list(object({
name = optional(string)
member_name = optional(string)
private_ip_address = optional(string)
subresource_name = optional(string)
})), [])
is_manual_connection = optional(bool)
private_connection_resource_alias = optional(string)
private_connection_resource_id = optional(string)
private_dns_zone_group_name = optional(string, "default")
private_dns_zone_resource_ids = optional(list(string), [])
private_service_connection_name = optional(string)
request_message = optional(string)
subnet_id = string
subresource_name = optional(string)
tags = optional(map(string))
}))
{} no
private_link_services This object describes the private link configuration.

- name - (Optional) Specifies the name of this Private Link Service.
- location - (Optional) The supported Azure location where the resource exists.
- resource_group_name - (Optional) The resource group name.
- auto_approval_subscription_ids - (Optional) A list of Subscription UUID/GUID's that will be automatically be able to use this Private Link Service.
- enable_proxy_protocol - (Optional) Should the Private Link Service support the Proxy Protocol?
- fqdns - (Optional) List of FQDNs allowed for the Private Link Service.
- load_balancer_frontend_ip_configuration_ids - (Required) A list of Frontend IP Configuration IDs from a Standard Load Balancer, where traffic from the Private Link Service should be routed.
- nat_ip_configuration - (Required)
- name - (Optional) Specifies the name which should be used for the NAT IP Configuration.
- primary - (Optional) Is this is the Primary IP Configuration?
- private_ip_address - (Optional) Specifies a Private Static IP Address for this IP Configuration.
- private_ip_address_version - (Optional) - The version of the IP Protocol which should be used.
- subnet_id - (Required) - Specifies the ID of the Subnet which should be used for the Private Link Service.
- visibility_subscription_ids - (Optional)
- tags - (Optional) A list of zones where this public IP should be deployed. Defaults to no zone. if you prefer, you can set other values for the zones ["1","2","3"]. Changing this forces a new resource to be created.

Example Inputs:
hcl
private_link_services = {
lb-private-link = {
load_balancer_frontend_ip_configuration_ids = [azurerm_lb.locabalancer.frontend_ip_configuration[0].id]
nat_ip_configuration = [{
subnet_id = azurerm_subnet.app-subnet.id
}]
}
}
hcl
map(object({
name = optional(string)
location = optional(string)
resource_group_name = optional(string)
auto_approval_subscription_ids = optional(list(string), [])
enable_proxy_protocol = optional(bool)
fqdns = optional(list(string), [])
load_balancer_frontend_ip_configuration_ids = list(string)
nat_ip_configuration = list(object({
name = optional(string)
primary = optional(bool)
private_ip_address = optional(string)
private_ip_address_version = optional(string)
subnet_id = string
}))
tags = optional(map(string))
visibility_subscription_ids = optional(set(string), [])

}))
{} no
resource_group_name The resource group to deploy the resources in, can be overridden on a per resource level string null no

Outputs

Name Description
private_endpoint_list A map of private endpoint names to their corresponding names and IDs

License

Copyright: Schuberg Philis

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.