From fb7aebf73c89e9ba7d862fad13267155436d013e Mon Sep 17 00:00:00 2001
From: LaurentLesle
Date: Wed, 4 May 2022 01:59:30 +0000
Subject: [PATCH 1/2] Update support for vnet peering cross subscripition

---
 examples/module.tf | 1 +
 .../103-vnet-peering-v1/configuration.tfvars | 481 ++++++++++++++++++
 examples/variables.tf | 3 +
 locals.tf | 7 +-
 main.tf | 4 +-
 networking.tf | 26 +
 6 files changed, 518 insertions(+), 4 deletions(-)
 create mode 100644 examples/networking/virtual_network/103-vnet-peering-v1/configuration.tfvars

diff --git a/examples/module.tf b/examples/module.tf
index 4ab0a23d5d..18910b5e50 100644
--- a/examples/module.tf
+++ b/examples/module.tf
@@ -215,6 +215,7 @@ module "example" {
 virtual_network_gateways = var.virtual_network_gateways virtual_wans = var.virtual_wans vnet_peerings = var.vnet_peerings + vnet_peerings_v1 = var.vnet_peerings_v1 + vnets = var.vnets virtual_subnets = var.virtual_subnets vpn_gateway_connections = var.vpn_gateway_connections
diff --git a/examples/networking/virtual_network/103-vnet-peering-v1/configuration.tfvars b/examples/networking/virtual_network/103-vnet-peering-v1/configuration.tfvars
new file mode 100644
index 0000000000..432ca77fb9
--- /dev/null
+++ b/examples/networking/virtual_network/103-vnet-peering-v1/configuration.tfvars
@@ -0,0 +1,481 @@ +global_settings = { + default_region = "region1" + regions = { + region1 = "australiaeast" + region2 = "australiacentral" + } +} + +resource_groups = { + vnet_hub_re1 = { + name = "vnet-hub-re1" + region = "region1" + } + vnet_hub_re2 = { + name = "vnet-hub-re2" + region = "region2" + } +} + +# +# Definition of the networking security groups +# +network_security_group_definition = { + # This entry is applied to all subnets with no NSG defined + empty_nsg = { + } + + azure_bastion_nsg = { + name = "bastion-nsg" + nsg = [ + { + name = "bastion-in-allow", + priority = "100" + direction = "Inbound" + access = "Allow" + protocol = "tcp" + source_port_range = "*" + destination_port_range = "443" + source_address_prefix = "*" + destination_address_prefix = "*" + }, + { + name = "bastion-control-in-allow-443", + priority = "120" + direction = "Inbound" + access = "Allow" + protocol = "tcp" + source_port_range = "*" + destination_port_range = "135" + source_address_prefix = "GatewayManager" + destination_address_prefix = "*" + }, + { + name = "Kerberos-password-change", + priority = "121" + direction = "Inbound" + access = "Allow" + protocol = "tcp" + source_port_range = "*" + destination_port_range = "4443" + source_address_prefix = "GatewayManager" + destination_address_prefix = "*" + }, + { + name = "bastion-vnet-out-allow-22", + priority = "103" + direction = "Outbound" + access = "Allow" + protocol = "tcp" + source_port_range = "*" + destination_port_range = "22" + source_address_prefix = "*" + destination_address_prefix = "VirtualNetwork" + }, + { + name = "bastion-vnet-out-allow-3389", + priority = "101" + direction = "Outbound" + access = "Allow" + protocol = "tcp" + source_port_range = "*" + destination_port_range = "3389" + source_address_prefix = "*" + destination_address_prefix = "VirtualNetwork" + }, + { + name = "bastion-azure-out-allow", + priority = "120" + direction = "Outbound" + access = "Allow" + protocol = "tcp" + source_port_range = 
"*" + destination_port_range = "443" + source_address_prefix = "*" + destination_address_prefix = "AzureCloud" + } + ] + } + + application_gateway = { + + nsg = [ + { + name = "Inbound-HTTP", + priority = "120" + direction = "Inbound" + access = "Allow" + protocol = "*" + source_port_range = "*" + destination_port_range = "80-82" + source_address_prefix = "*" + destination_address_prefix = "*" + }, + { + name = "Inbound-HTTPs", + priority = "130" + direction = "Inbound" + access = "Allow" + protocol = "*" + source_port_range = "*" + destination_port_range = "443" + source_address_prefix = "*" + destination_address_prefix = "*" + }, + { + name = "Inbound-AGW", + priority = "140" + direction = "Inbound" + access = "Allow" + protocol = "*" + source_port_range = "*" + destination_port_range = "65200-65535" + source_address_prefix = "*" + destination_address_prefix = "*" + }, + ] + } + + api_management = { + + nsg = [ + { + name = "Inbound-APIM", + priority = "100" + direction = "Inbound" + access = "Allow" + protocol = "tcp" + source_port_range = "*" + destination_port_range = "3443" + source_address_prefix = "ApiManagement" + destination_address_prefix = "VirtualNetwork" + }, + { + name = "Inbound-Redis", + priority = "110" + direction = "Inbound" + access = "Allow" + protocol = "tcp" + source_port_range = "*" + destination_port_range = "6381-6383" + source_address_prefix = "VirtualNetwork" + destination_address_prefix = "VirtualNetwork" + }, + { + name = "Inbound-LoadBalancer", + priority = "120" + direction = "Inbound" + access = "Allow" + protocol = "tcp" + source_port_range = "*" + destination_port_range = "*" + source_address_prefix = "AzureLoadBalancer" + destination_address_prefix = "VirtualNetwork" + }, + { + name = "Outbound-StorageHttp", + priority = "100" + direction = "Outbound" + access = "Allow" + protocol = "tcp" + source_port_range = "*" + destination_port_range = "80" + source_address_prefix = "VirtualNetwork" + destination_address_prefix = "Storage" 
+ }, + { + name = "Outbound-StorageHttps", + priority = "110" + direction = "Outbound" + access = "Allow" + protocol = "tcp" + source_port_range = "*" + destination_port_range = "443" + source_address_prefix = "VirtualNetwork" + destination_address_prefix = "Storage" + }, + { + name = "Outbound-AADHttp", + priority = "120" + direction = "Outbound" + access = "Allow" + protocol = "tcp" + source_port_range = "*" + destination_port_range = "80" + source_address_prefix = "VirtualNetwork" + destination_address_prefix = "AzureActiveDirectory" + }, + { + name = "Outbound-AADHttps", + priority = "130" + direction = "Outbound" + access = "Allow" + protocol = "tcp" + source_port_range = "*" + destination_port_range = "443" + source_address_prefix = "VirtualNetwork" + destination_address_prefix = "AzureActiveDirectory" + }, + { + name = "Outbound-SQL", + priority = "140" + direction = "Outbound" + access = "Allow" + protocol = "tcp" + source_port_range = "*" + destination_port_range = "1433" + source_address_prefix = "VirtualNetwork" + destination_address_prefix = "SQL" + }, + { + name = "Outbound-EventHub", + priority = "150" + direction = "Outbound" + access = "Allow" + protocol = "tcp" + source_port_range = "*" + destination_port_range = "5671-5672" + source_address_prefix = "VirtualNetwork" + destination_address_prefix = "EventHub" + }, + { + name = "Outbound-EventHubHttps", + priority = "160" + direction = "Outbound" + access = "Allow" + protocol = "tcp" + source_port_range = "*" + destination_port_range = "443" + source_address_prefix = "VirtualNetwork" + destination_address_prefix = "EventHub" + }, + { + name = "Outbound-FileShareGit", + priority = "170" + direction = "Outbound" + access = "Allow" + protocol = "tcp" + source_port_range = "*" + destination_port_range = "445" + source_address_prefix = "VirtualNetwork" + destination_address_prefix = "Storage" + }, + { + name = "Outbound-Health", + priority = "180" + direction = "Outbound" + access = "Allow" + protocol = 
"tcp" + source_port_range = "*" + destination_port_range = "1886" + source_address_prefix = "VirtualNetwork" + destination_address_prefix = "INTERNET" + }, + { + name = "Outbound-Monitor", + priority = "190" + direction = "Outbound" + access = "Allow" + protocol = "tcp" + source_port_range = "*" + destination_port_range = "443" + source_address_prefix = "VirtualNetwork" + destination_address_prefix = "AzureMonitor" + }, + { + name = "Outbound-MoSMTP1itor", + priority = "200" + direction = "Outbound" + access = "Allow" + protocol = "tcp" + source_port_range = "*" + destination_port_range = "25" + source_address_prefix = "VirtualNetwork" + destination_address_prefix = "INTERNET" + }, + { + name = "Outbound-SMTP2", + priority = "210" + direction = "Outbound" + access = "Allow" + protocol = "tcp" + source_port_range = "*" + destination_port_range = "587" + source_address_prefix = "VirtualNetwork" + destination_address_prefix = "INTERNET" + }, + { + name = "Outbound-SMTP3", + priority = "220" + direction = "Outbound" + access = "Allow" + protocol = "tcp" + source_port_range = "*" + destination_port_range = "25028" + source_address_prefix = "VirtualNetwork" + destination_address_prefix = "INTERNET" + }, + { + name = "Outbound-Redis", + priority = "230" + direction = "Outbound" + access = "Allow" + protocol = "tcp" + source_port_range = "*" + destination_port_range = "6381-6383" + source_address_prefix = "VirtualNetwork" + destination_address_prefix = "VirtualNetwork" + }, + ] + } + + jumpbox = { + + nsg = [ + { + name = "ssh-inbound-22", + priority = "200" + direction = "Inbound" + access = "Allow" + protocol = "tcp" + source_port_range = "*" + destination_port_range = "22" + source_address_prefix = "*" + destination_address_prefix = "VirtualNetwork" + }, + ] + } + +} + + +vnets = { + hub_re1 = { + resource_group_key = "vnet_hub_re1" + region = "region1" + vnet = { + name = "hub-re1" + address_space = ["100.64.100.0/22"] + } + specialsubnets = { + GatewaySubnet = { + 
name = "GatewaySubnet" #Must be called GateWaySubnet in order to host a Virtual Network Gateway + cidr = ["100.64.100.0/27"] + } + AzureFirewallSubnet = { + name = "AzureFirewallSubnet" #Must be called AzureFirewallSubnet + cidr = ["100.64.101.0/26"] + } + } + subnets = { + AzureBastionSubnet = { + name = "AzureBastionSubnet" #Must be called AzureBastionSubnet + cidr = ["100.64.101.64/26"] + nsg_key = "azure_bastion_nsg" + } + jumpbox = { + name = "jumpbox" + cidr = ["100.64.102.0/27"] + nsg_key = "jumpbox" + } + private_endpoints = { + name = "private_endpoints" + cidr = ["100.64.103.128/25"] + enforce_private_link_endpoint_network_policies = true + } + } + + } + + hub_re2 = { + resource_group_key = "vnet_hub_re2" + region = "region2" + vnet = { + name = "hub-re2" + address_space = ["100.65.100.0/22"] + } + subnets = { + AzureBastionSubnet = { + name = "AzureBastionSubnet" #Must be called AzureBastionSubnet + cidr = ["100.65.101.64/26"] + nsg_key = "azure_bastion_nsg" + } + jumpbox = { + name = "jumpbox" + cidr = ["100.65.102.0/27"] + nsg_key = "jumpbox" + } + private_endpoints = { + name = "private_endpoints" + cidr = ["100.65.103.128/25"] + enforce_private_link_endpoint_network_policies = true + } + } + + } + + +} + + +vnet_peerings_v1 = { + hub_re1_TO_hub_re2 = { + name = "hub_re1_TO_hub_re2" + from = { + vnet_key = "hub_re1" + } + to = { + vnet_key = "hub_re2" + } + allow_virtual_network_access = true + allow_forwarded_traffic = false + allow_gateway_transit = false + use_remote_gateways = false + } + + hub_re2_TO_hub_re1 = { + name = "hub_re2_TO_hub_re1" + from = { + vnet_key = "hub_re2" + } + to = { + vnet_key = "hub_re1" + } + allow_virtual_network_access = true + allow_forwarded_traffic = false + allow_gateway_transit = false + use_remote_gateways = false + } + + + # to peer with a vnet in a different subscription you can reference the id in from or to + # or use vnet_key and lz_key + test_TO_hub_re1 = { + name = "test_TO_hub_re1" + from = { + id = 
"/subscriptions/xxxxxxxxxxxx/resourceGroups/vnet/providers/Microsoft.Network/virtualNetworks/vnet1"
+ }
+ to = {
+ vnet_key = "hub_re1"
+ }
+ allow_virtual_network_access = true
+ allow_forwarded_traffic = false
+ allow_gateway_transit = false
+ use_remote_gateways = false
+ }
+
+ hub_re1_TO_test = {
+ name = "hub_re1_TO_test"
+ from = {
+ vnet_key = "hub_re1"
+ }
+ to = {
+ id = "/subscriptions/xxxxxxxxxxxxx/resourceGroups/vnet/providers/Microsoft.Network/virtualNetworks/vnet1"
+ }
+ allow_virtual_network_access = true
+ allow_forwarded_traffic = false
+ allow_gateway_transit = false
+ use_remote_gateways = false
+ }
+
+}
diff --git a/examples/variables.tf b/examples/variables.tf
index d5964ed8a6..600ac073b4 100644
--- a/examples/variables.tf
+++ b/examples/variables.tf
@@ -429,6 +429,9 @@ variable "diagnostics_destinations" {
 variable "vnet_peerings" {
 default = {}
 }
+variable "vnet_peerings_v1" {
+ default = {}
+}
 variable "packer_service_principal" {
 default = {}
diff --git a/locals.tf b/locals.tf
index 00d7d8d08d..9fe48b3048 100644
--- a/locals.tf
+++ b/locals.tf
@@ -244,8 +244,8 @@ locals {
 azurerm_firewall_policy_rule_collection_groups = try(var.networking.azurerm_firewall_policy_rule_collection_groups, {})
 azurerm_firewalls = try(var.networking.azurerm_firewalls, {})
 azurerm_routes = try(var.networking.azurerm_routes, {})
- cdn_profile = try(var.networking.cdn_profile, {})
 cdn_endpoint = try(var.networking.cdn_endpoint, {})
+ cdn_profile = try(var.networking.cdn_profile, {})
 ddos_services = try(var.networking.ddos_services, {})
 dns_zone_records = try(var.networking.dns_zone_records, {})
 dns_zones = try(var.networking.dns_zones, {})
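Review bot: Several NSG rules in the new example carry names that contradict their content: `bastion-control-in-allow-443` opens `destination_port_range = "135"`, and the api_management rule `Outbound-MoSMTP1itor` looks like `Outbound-SMTP1` pasted over `Outbound-Monitor` (the rule directly above it is already `Outbound-Monitor`); since this file is wired into CI and will be copied as a reference, the names and ports should be reconciled before merge. The `jumpbox` NSG admits SSH with `source_address_prefix = "*"` even though both hubs carry an `AzureBastionSubnet`; for a reference example `source_address_prefix = "VirtualNetwork"` keeps port 22 reachable only through Bastion. The two placeholder subscription ids (`xxxxxxxxxxxx` and `xxxxxxxxxxxxx`) differ in length, which reads as if they were different subscriptions; one clearly labelled placeholder, with a comment that it must be replaced and that the deploying identity needs peering rights on that remote vnet, would be clearer.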
@@ -256,8 +256,8 @@ locals {
 express_route_connections = try(var.networking.express_route_connections, {})
 front_door_waf_policies = try(var.networking.front_door_waf_policies, {})
 front_doors = try(var.networking.front_doors, {})
- frontdoor_rules_engine = try(var.networking.frontdoor_rules_engine, {})
 frontdoor_custom_https_configuration = try(var.networking.frontdoor_custom_https_configuration, {})
+ frontdoor_rules_engine = try(var.networking.frontdoor_rules_engine, {})
 ip_groups = try(var.networking.ip_groups, {})
 lb = try(var.networking.lb, {})
 lb_backend_address_pool = try(var.networking.lb_backend_address_pool, {})
@@ -287,10 +287,11 @@ locals {
 virtual_hubs = try(var.networking.virtual_hubs, {})
 virtual_network_gateway_connections = try(var.networking.virtual_network_gateway_connections, {})
 virtual_network_gateways = try(var.networking.virtual_network_gateways, {})
+ virtual_subnets = try(var.networking.virtual_subnets, {})
 virtual_wans = try(var.networking.virtual_wans, {})
 vnet_peerings = try(var.networking.vnet_peerings, {})
+ vnet_peerings_v1 = try(var.networking.vnet_peerings_v1, {})
 vnets = try(var.networking.vnets, {})
- virtual_subnets = try(var.networking.virtual_subnets, {})
 vpn_gateway_connections = try(var.networking.vpn_gateway_connections, {})
 vpn_sites = try(var.networking.vpn_sites, {})
 }
diff --git a/main.tf b/main.tf
index ff325a715d..991a6d0d9f 100644
--- a/main.tf
+++ b/main.tf
@@ -12,6 +12,9 @@ terraform {
 source = "hashicorp/azuread"
 version = "~> 1.4.0"
 }
+ azapi = {
+ source = "azure/azapi"
+ }
 azurecaf = {
 source = "aztfmod/azurecaf"
 version = "~> 1.2.0"
@@ -36,7 +39,6 @@ provider "azurerm" {
 }
 }
-
 data "azurerm_subscription" "primary" {}
 data "azurerm_client_config" "current" {}
diff --git a/networking.tf b/networking.tf
index e14fca42f9..86acf01470 100644
--- a/networking.tf
+++ b/networking.tf
@@ -210,6 +210,32 @@ resource "azurerm_virtual_network_peering" "peering" {
 }
+# Allow creating from and to in the same deployment when vnets are in different subscriptions
+# (azurerm does not access the resource id of the vnet in the from)
+# use the variable vnet_peerings_v1
+resource "azapi_resource" "virtualNetworkPeerings" {
+ depends_on = [module.networking]
+ for_each = local.networking.vnet_peerings_v1
+
+ type = "Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2021-05-01"
+ name = each.value.name
+ parent_id = can(each.value.from.id) ? each.value.from.id : local.combined_objects_networking[try(each.value.from.lz_key, local.client_config.landingzone_key)][each.value.from.vnet_key].id
+
+ body = jsonencode({
+ properties = {
+ allowForwardedTraffic = try(each.value.allow_forwarded_traffic, false)
+ allowGatewayTransit = try(each.value.allow_gateway_transit, false)
+ allowVirtualNetworkAccess = try(each.value.allow_virtual_network_access, true)
+ doNotVerifyRemoteGateways = try(each.value.do_not_verify_remote_gateways, false)
+ useRemoteGateways = try(each.value.use_remote_gateways, false)
+ remoteVirtualNetwork = {
+ id = can(each.value.to.remote_virtual_network_id) || can(each.value.to.id) ? try(each.value.to.remote_virtual_network_id, each.value.to.id) : local.combined_objects_networking[try(each.value.to.lz_key, local.client_config.landingzone_key)][each.value.to.vnet_key].id
+ }
+ }
+ })
+
+}
+
 #
 #
 # Route tables and routes
From 1cf354c6758854119a942d3dde90c14114408cdc Mon Sep 17 00:00:00 2001
From: LaurentLesle
Date: Wed, 4 May 2022 02:05:28 +0000
Subject: [PATCH 2/2] Update CI and version

---
 .github/workflows/standalone-scenarios.json | 1 +
 .../103-vnet-peering-v1/configuration.tfvars | 55 ++++++++++---------
 main.tf | 3 +-
 3 files changed, 32 insertions(+), 27 deletions(-)

diff --git a/.github/workflows/standalone-scenarios.json b/.github/workflows/standalone-scenarios.json
index 00467b5fd9..bfb8706c79 100644
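Review bot: The header comment on the new `azapi_resource` is hard to follow ("does not access the resource id" presumably means "does not accept") and it is the only place that explains why a second peering path exists; suggest `# vnet_peerings_v1: declare both directions of a peering in one deployment even when the vnets live in different subscriptions. The azurerm peering resource takes the local vnet by name/resource group and cannot address a remote vnet by resource id; azapi takes the full id as parent_id.` That comment should also state that when `from.id` points into another subscription the identity running the plan must hold peering write rights on that vnet there, and that `allowForwardedTraffic`, `allowGatewayTransit` and `useRemoteGateways` default to false here, so a cross-subscription peering does not carry transit traffic unless the caller opts in. `parent_id` honours only `from.id`, while the remote side accepts both `to.remote_virtual_network_id` and `to.id`; the two sides should accept the same keys or the extra alias should go. The label `virtualNetworkPeerings` also breaks the snake_case convention used by `azurerm_virtual_network_peering.peering` directly above; `virtual_network_peerings` would match.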
--- a/.github/workflows/standalone-scenarios.json
+++ b/.github/workflows/standalone-scenarios.json
@@ -162,6 +162,7 @@
 "networking/virtual_network/100-simple-vnet-subnets-nsgs",
 "networking/virtual_network/100-subnet-delegation",
 "networking/virtual_network/101-vnet-peering-nsg",
+ "networking/virtual_network/103-vnet-peering-v1",
 "networking/virtual_network/200-nsg-flow-logs",
 "networking/virtual_network/201-nsg-flow-logs-v1",
 "networking/virtual_subnets/100-simple-subnet-rbac",
diff --git a/examples/networking/virtual_network/103-vnet-peering-v1/configuration.tfvars b/examples/networking/virtual_network/103-vnet-peering-v1/configuration.tfvars
index 432ca77fb9..9a960c5dc0 100644
--- a/examples/networking/virtual_network/103-vnet-peering-v1/configuration.tfvars
+++ b/examples/networking/virtual_network/103-vnet-peering-v1/configuration.tfvars
@@ -450,32 +450,35 @@ vnet_peerings_v1 = {
 # to peer with a vnet in a different subscription you can reference the id in from or to
 # or use vnet_key and lz_key
- test_TO_hub_re1 = {
- name = "test_TO_hub_re1"
- from = {
- id = "/subscriptions/xxxxxxxxxxxx/resourceGroups/vnet/providers/Microsoft.Network/virtualNetworks/vnet1"
- }
- to = {
- vnet_key = "hub_re1"
- }
- allow_virtual_network_access = true
- allow_forwarded_traffic = false
- allow_gateway_transit = false
- use_remote_gateways = false
- }
+ #
+ # uncomment and adjust the following example for cross subscripiton vnet peering
+ #
+ # test_TO_hub_re1 = {
+ # name = "test_TO_hub_re1"
+ # from = {
+ # id = "/subscriptions/xxxxxxxxxxxx/resourceGroups/vnet/providers/Microsoft.Network/virtualNetworks/vnet1"
+ # }
+ # to = {
+ # vnet_key = "hub_re1"
+ # }
+ # allow_virtual_network_access = true
+ # allow_forwarded_traffic = false
+ # allow_gateway_transit = false
+ # use_remote_gateways = false
+ # }
- hub_re1_TO_test = {
- name = "hub_re1_TO_test"
- from = {
- vnet_key = "hub_re1"
- }
- to = {
- id = "/subscriptions/xxxxxxxxxxxxx/resourceGroups/vnet/providers/Microsoft.Network/virtualNetworks/vnet1"
- }
- allow_virtual_network_access = true
- allow_forwarded_traffic = false
- allow_gateway_transit = false
- use_remote_gateways = false
- }
+ # hub_re1_TO_test = {
+ # name = "hub_re1_TO_test"
+ # from = {
+ # vnet_key = "hub_re1"
+ # }
+ # to = {
+ # id = "/subscriptions/xxxxxxxxxxxxx/resourceGroups/vnet/providers/Microsoft.Network/virtualNetworks/vnet1"
+ # }
+ # allow_virtual_network_access = true
+ # allow_forwarded_traffic = false
+ # allow_gateway_transit = false
+ # use_remote_gateways = false
+ # }
 }
diff --git a/main.tf b/main.tf
index 991a6d0d9f..26b084d4a1 100644
--- a/main.tf
+++ b/main.tf
@@ -13,7 +13,8 @@ terraform {
 version = "~> 1.4.0"
 }
 azapi = {
- source = "azure/azapi"
+ source = "azure/azapi"
+ version = "~> 0.1.1"
 }
 azurecaf = {
 source = "aztfmod/azurecaf"
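Review bot: Commenting out both cross-subscription entries means the `103-vnet-peering-v1` scenario that this same commit adds to the CI list only exercises the `vnet_key` branch of the azapi resource; the `from.id` / `to.id` path, which is the reason the resource exists, is never planned or applied by CI. If the remote subscription cannot be provisioned in CI, say so in the comment and keep at least a `terraform validate`-level check, e.g. a second tfvars in the same example that sets `from.id` to a syntactically valid placeholder. The new comment also carries a typo (`subscripiton`) and should tell the reader what to replace: `# uncomment and adjust the following example for cross-subscription vnet peering: replace the /subscriptions/<subscription id>/... id with the remote vnet resource id and grant the deploying identity peering rights on it`.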