Thanks for your interest in Cloud Adoption Framework for Azure landing zones on Terraform. This module is now deprecated and no longer maintained.
As part of Cloud Adoption Framework landing zones for Terraform, we have migrated to a single module model, which you can find here: https://github.com/aztfmod/terraform-azurerm-caf and on the Terraform registry: https://registry.terraform.io/modules/aztfmod/caf/azurerm
In Terraform 0.13 you can call submodules directly with the following syntax:
```hcl
module "caf_virtual_network" {
  source  = "aztfmod/caf/azurerm//modules/networking/virtual_network"
  version = "0.4.18"
  # insert the 8 required variables here
}
```
Creates a virtual network with:
- Virtual network
- DNS Settings
- Subnet creation
- NSG creation
- DDoS protection standard attachment
- Network Watcher Flow Logs and Traffic Analytics
- Diagnostics logging for the virtual network
- Diagnostics logging for each subnet
- Diagnostics logging for the network security groups
Reference the module to a specific version (recommended):
```hcl
module "virtual_network" {
  source  = "aztfmod/caf-virtual-network/azurerm"
  version = "0.x.y"

  convention              = local.convention
  resource_group_name     = azurerm_resource_group.rg_test.name
  prefix                  = local.prefix
  location                = local.location
  networking_object       = local.vnet_config
  tags                    = local.tags
  diagnostics_map         = module.diags_test.diagnostics_map
  log_analytics_workspace = module.la_test
  diagnostics_settings    = local.vnet_config.diagnostics
  ddos_id                 = azurerm_network_ddos_protection_plan.ddos_protection_plan.id
}
```
No requirements.
Name | Version |
---|---|
azurecaf | n/a |
azurerm | n/a |
Name | Description | Type | Default | Required |
---|---|---|---|---|
convention | (Required) Naming convention method to use | any | n/a | yes |
ddos_id | (Optional) ID of the DDoS protection plan, if one exists | string | "" | no |
diagnostics_map | (Required) contains the storage account (SA) and event hub (EH) details for operations diagnostics | any | n/a | yes |
diagnostics_settings | (Required) configuration object describing the diagnostics | any | n/a | yes |
location | (Required) Specifies the Azure location to deploy the resource. Changing this forces a new resource to be created. | string | n/a | yes |
log_analytics_workspace | (Required) contains the Log Analytics workspace details for operations diagnostics | any | n/a | yes |
max_length | (Optional) You can specify a maximum length for the name of the resource | string | "60" | no |
netwatcher | (Optional) a map with two attributes, name and rg, giving the name and resource group of an already deployed network watcher | map | {} | no |
networking_object | (Required) configuration object describing the networking configuration, as described in this README | any | n/a | yes |
postfix | (Optional) You can add a postfix to the name of the resource | string | "" | no |
prefix | (Optional) You can add a prefix to the name of the resource | string | "" | no |
resource_group_name | (Required) Name of the resource group in which to create the resource. Changing this forces a new resource to be created. | string | n/a | yes |
tags | (Required) map of tags for the deployment | any | n/a | yes |
Name | Description |
---|---|
nsg_obj | Returns the complete set of NSG objects created in the virtual network |
nsg_vnet | Returns a map of NSGs from the virtual network: key = NSG name, value = NSG ID |
subnet_ids_map | Returns all the subnet objects in the virtual network, as a map of key to subnet ID |
vnet | For a VNet, returns: vnet_name, vnet_adress_space, vnet_id, vnet_dns |
vnet_obj | Virtual network object |
vnet_subnets | Returns a map of subnets from the virtual network: key = subnet name, value = subnet ID |
(Required) Map with the diagnostics settings for virtual network deployment. See the required structure in the following example or in the diagnostics module documentation.
```hcl
variable "diagnostics_settings" {
  description = "(Required) Map with the diagnostics settings for public virtual network deployment"
}
```
Example

```hcl
diagnostics_settings = {
  log = [
    # ["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
    ["VMProtectionAlerts", true, true, 60],
  ]
  metric = [
    # ["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
    ["AllMetrics", true, true, 60],
  ]
}
```
(Required) Configuration object describing the networking configuration. The object has 3 mandatory sections (vnet, specialsubnets and subnets), described as follows. The vnet section:
input | type | optional | comment |
---|---|---|---|
name | string | mandatory | name of the virtual network to be created |
address_space | list | optional | address space for the virtual network |
dns | list | optional | if not provided, uses the default Azure DNS |
The specialsubnets section:
input | type | optional | comment |
---|---|---|---|
subnet_key_name | object | mandatory | specialsubnets is used to create specific subnets for which you do not want a default NSG to be created; for instance, AzureFirewallSubnet must be created via this object (see the example below) |
The subnets section: for each subnet, create an object that contains the following fields (see the example below).
input | type | optional | comment |
---|---|---|---|
name | object | mandatory | name of the virtual subnet |
nsg_name | object | mandatory | name of the NSG ruleset |
cidr | object | mandatory | CIDR block for the virtual subnet |
service_endpoints | object | mandatory | service endpoints for the virtual subnet |
nsg | object | optional | network security group settings. An NSG is always created for each subnet; this section tunes the NSG entries for inbound and outbound flows. |
delegation | object | optional | defines a subnet delegation. Takes an object as described in the following example. |
The following sections are optional:
If the netwatcher object is defined, it enables Network Watcher, flow logs and traffic analytics for all the subnets in the virtual network. The configuration object is as follows:
input | type | optional | comment |
---|---|---|---|
create | bool | mandatory | determines whether the network watcher should be created or reused from a previous deployment. /!\ If set to false, the optional netwatcher module variable must be set. |
name | string | mandatory | name of the network watcher to be created |
flow_logs_settings | object | mandatory | specifies the configuration for flow logs, using the following object structure: enabled = (bool), retention = (bool), period = (integer) |
traffic_analytics_settings | object | mandatory | specifies whether traffic analytics should be enabled. If enabled, the Log Analytics workspace passed to the module (log_analytics_workspace) is used. |
The following networking_object shows a sample composition of the network configuration object:

```hcl
networking_object = {
  vnet = {
    name          = "sg1-vnet-dmz"
    address_space = ["10.101.4.0/22"] # 10.101.4.0 - 10.101.7.255
    dns           = ["192.168.0.16", "192.168.0.64"]
  }
  specialsubnets = {
    AzureFirewallSubnet = {
      name = "AzureFirewallSubnet"
      cidr = ["10.101.4.0/25"]
    }
  }
  subnets = {
    Subnet_1 = {
      name              = "Active_Directory"
      cidr              = ["10.101.4.128/27"]
      service_endpoints = []
      nsg_inbound = [
        # {"Name", "Priority", "Direction", "Action", "Protocol", "source_port_range", "destination_port_range", "source_address_prefix", "destination_address_prefix" },
        ["LDAP-t", "100", "Inbound", "Allow", "*", "*", "389", "*", "*"],
        ["RPC-EPM", "102", "Inbound", "Allow", "tcp", "*", "135", "*", "*"],
        ["SMB-In", "103", "Inbound", "Allow", "tcp", "*", "445", "*", "*"],
      ]
      nsg_outbound = []
      delegation = {
        name = "acctestdelegation1"
        service_delegation = {
          name    = "Microsoft.ContainerInstance/containerGroups"
          actions = ["Microsoft.Network/virtualNetworks/subnets/join/action", "Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action"]
        }
      }
    }
    Subnet_2 = {
      name              = "SQL_Servers"
      cidr              = ["10.101.4.160/27"]
      service_endpoints = []
      nsg_inbound = [
        ["SQL", "100", "Inbound", "Allow", "tcp", "*", "1433", "*", "*"],
      ]
      nsg_outbound = []
    }
    Subnet_3 = {
      name              = "Network_Monitoring"
      cidr              = ["10.101.4.192/27"]
      service_endpoints = ["Microsoft.EventHub"]
      nsg_inbound = [
        # ["Test", "101", "Inbound", "Allow", "tcp", "*", "1643", "*", "*"],
      ]
      nsg_outbound = []
    }
  }
  netwatcher = {
    create = true     # create the network watcher for the subscription and for the location of the vnet
    name   = "nwtest" # name of the network watcher to be created
    flow_logs_settings = {
      enabled   = true
      retention = true
      period    = 7
    }
    traffic_analytics_settings = {
      enabled = true
    }
  }
}
```
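As an added pre-flight check that is not part of the aztfmod module, the following Python lints a networking_object shaped like the tables and example above before it is handed to Terraform: each subnet CIDR must sit inside the vnet address space and not overlap another subnet, Allow rules in nsg_inbound whose source prefix is `*` are reported, and netwatcher.create = false is flagged when no existing netwatcher (name, rg) is supplied. The lint function, its finding strings and the sample object are constructed for this example; the sample deliberately places Subnet_2 outside the vnet range.

```python
import ipaddress

# Column order of one NSG rule row, as documented in the README example above.
NSG_COLS = ("name", "priority", "direction", "action", "protocol",
            "src_port", "dst_port", "src_prefix", "dst_prefix")

def lint_networking_object(cfg, netwatcher_var=None):
    """Return a list of findings (empty list means clean) for a networking_object dict."""
    findings = []
    vnet_nets = [ipaddress.ip_network(c) for c in cfg["vnet"].get("address_space", [])]
    seen = []  # (subnet key, network) already checked, for overlap detection
    # specialsubnets and subnets share the vnet address space, so check both together
    all_subnets = {**cfg.get("specialsubnets", {}), **cfg.get("subnets", {})}
    for key, sn in all_subnets.items():
        for cidr in sn.get("cidr", []):
            net = ipaddress.ip_network(cidr)
            if not any(net.subnet_of(v) for v in vnet_nets):
                findings.append(f"{key}: {cidr} is outside the vnet address space")
            for other_key, other in seen:
                if net.overlaps(other):
                    findings.append(f"{key}: {cidr} overlaps {other_key} ({other})")
            seen.append((key, net))
    # Only the subnets section gets an NSG; specialsubnets deliberately have none
    for key, sn in cfg.get("subnets", {}).items():
        for row in sn.get("nsg_inbound", []):
            r = dict(zip(NSG_COLS, row))
            if r["direction"] != "Inbound":
                findings.append(f"{key}/{r['name']}: {r['direction']} rule in nsg_inbound")
            if r["action"] == "Allow" and r["src_prefix"] == "*":
                findings.append(f"{key}/{r['name']}: allows port {r['dst_port']} from any source")
    nw = cfg.get("netwatcher")
    if nw and not nw.get("create", True) and not netwatcher_var:
        findings.append("netwatcher.create is false but no existing netwatcher (name, rg) was supplied")
    return findings

# Constructed sample, cut down from the README example; Subnet_2's CIDR is deliberately wrong.
SAMPLE = {
    "vnet": {"name": "sg1-vnet-dmz", "address_space": ["10.101.4.0/22"]},
    "specialsubnets": {"AzureFirewallSubnet": {"name": "AzureFirewallSubnet", "cidr": ["10.101.4.0/25"]}},
    "subnets": {
        "Subnet_1": {"name": "Active_Directory", "cidr": ["10.101.4.128/27"], "nsg_inbound": [
            ["LDAP-t", "100", "Inbound", "Allow", "*", "*", "389", "*", "*"],
            ["SMB-In", "103", "Inbound", "Allow", "tcp", "*", "445", "10.101.4.160/27", "*"]]},
        "Subnet_2": {"name": "SQL_Servers", "cidr": ["10.101.8.0/27"], "nsg_inbound": [
            ["SQL", "100", "Inbound", "Allow", "tcp", "*", "1433", "*", "*"]]},
    },
    "netwatcher": {"create": False, "name": "nwtest"},
}
```

Running `lint_networking_object(SAMPLE)` returns four findings: the out-of-range Subnet_2 CIDR, the two any-source Allow rules, and the missing netwatcher reference.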