refactor(module/vnet_peering)!: module refactor and adjusted examples (…

…#355) Co-authored-by: Łukasz Pawlęga <42772730+FoSix@users.noreply.github.com>
PaloAltoNetworks · Nov 7, 2023 · 60ba789 · 60ba789
1 parent 5601617
commit 60ba789
Show file tree

Hide file tree

Showing 16 changed files with 298 additions and 127 deletions.
diff --git a/examples/common_vmseries/main.tf b/examples/common_vmseries/main.tf
@@ -53,9 +53,7 @@ module "vnet" {
   address_space = each.value.address_space
 
   create_subnets = each.value.create_subnets
-  subnets = each.value.create_subnets ? {
-    for k, v in each.value.subnets : k => merge(v, { name = "${var.name_prefix}${v.name}" })
-  } : each.value.subnets
+  subnets        = each.value.subnets
 
   network_security_groups = { for k, v in each.value.network_security_groups : k => merge(v, { name = "${var.name_prefix}${v.name}" })
   }

diff --git a/examples/common_vmseries_and_autoscale/main.tf b/examples/common_vmseries_and_autoscale/main.tf
@@ -47,9 +47,7 @@ module "vnet" {
   address_space = each.value.address_space
 
   create_subnets = each.value.create_subnets
-  subnets = each.value.create_subnets ? {
-    for k, v in each.value.subnets : k => merge(v, { name = "${var.name_prefix}${v.name}" })
-  } : each.value.subnets
+  subnets        = each.value.subnets
 
   network_security_groups = { for k, v in each.value.network_security_groups : k => merge(v, { name = "${var.name_prefix}${v.name}" })
   }

diff --git a/examples/dedicated_vmseries/main.tf b/examples/dedicated_vmseries/main.tf
@@ -53,9 +53,7 @@ module "vnet" {
   address_space = each.value.address_space
 
   create_subnets = each.value.create_subnets
-  subnets = each.value.create_subnets ? {
-    for k, v in each.value.subnets : k => merge(v, { name = "${var.name_prefix}${v.name}" })
-  } : each.value.subnets
+  subnets        = each.value.subnets
 
   network_security_groups = { for k, v in each.value.network_security_groups : k => merge(v, { name = "${var.name_prefix}${v.name}" })
   }

diff --git a/examples/dedicated_vmseries_and_autoscale/main.tf b/examples/dedicated_vmseries_and_autoscale/main.tf
@@ -47,9 +47,7 @@ module "vnet" {
   address_space = each.value.address_space
 
   create_subnets = each.value.create_subnets
-  subnets = each.value.create_subnets ? {
-    for k, v in each.value.subnets : k => merge(v, { name = "${var.name_prefix}${v.name}" })
-  } : each.value.subnets
+  subnets        = each.value.subnets
 
   network_security_groups = { for k, v in each.value.network_security_groups : k => merge(v, { name = "${var.name_prefix}${v.name}" })
   }

diff --git a/examples/gwlb_with_vmseries/main.tf b/examples/gwlb_with_vmseries/main.tf
@@ -39,9 +39,7 @@ module "vnet" {
   address_space = each.value.address_space
 
   create_subnets = each.value.create_subnets
-  subnets = each.value.create_subnets ? {
-    for k, v in each.value.subnets : k => merge(v, { name = "${var.name_prefix}${v.name}" })
-  } : each.value.subnets
+  subnets        = each.value.subnets
 
   network_security_groups = { for k, v in each.value.network_security_groups : k => merge(v, { name = "${var.name_prefix}${v.name}" })
   }

diff --git a/examples/standalone_panorama/main.tf b/examples/standalone_panorama/main.tf
@@ -46,9 +46,7 @@ module "vnet" {
   address_space = each.value.address_space
 
   create_subnets = each.value.create_subnets
-  subnets = each.value.create_subnets ? {
-    for k, v in each.value.subnets : k => merge(v, { name = "${var.name_prefix}${v.name}" })
-  } : each.value.subnets
+  subnets        = each.value.subnets
 
   network_security_groups = { for k, v in each.value.network_security_groups : k => merge(v, { name = "${var.name_prefix}${v.name}" })
   }

diff --git a/examples/standalone_vmseries/main.tf b/examples/standalone_vmseries/main.tf
@@ -53,9 +53,7 @@ module "vnet" {
   address_space = each.value.address_space
 
   create_subnets = each.value.create_subnets
-  subnets = each.value.create_subnets ? {
-    for k, v in each.value.subnets : k => merge(v, { name = "${var.name_prefix}${v.name}" })
-  } : each.value.subnets
+  subnets        = each.value.subnets
 
   network_security_groups = { for k, v in each.value.network_security_groups : k => merge(v, { name = "${var.name_prefix}${v.name}" })
   }

diff --git a/examples/test_infrastructure/example.tfvars b/examples/test_infrastructure/example.tfvars
@@ -14,16 +14,17 @@ vnets = {
     name          = "spoke-east"
     address_space = ["10.100.0.0/25"]
     # # Uncomment the lines below to enable peering between spokes created in this module and an existing transit VNET
-    # hub_resource_group_name = "example-transit-vnet-dedicated" # TODO: replace with the name of transit VNET's Resource Group Name
-    # hub_vnet_name = "example-transit" # TODO: replace with the name of the transit VNET
+    # hub_resource_group_name = "example-transit-vnet-common" # TODO: replace with the name of transit VNET's Resource Group Name
+    # hub_vnet_name           = "example-transit"             # TODO: replace with the name of the transit VNET
     route_tables = {
       nva = {
         name = "east2NVA"
         routes = {
           "2NVA" = {
-            address_prefix         = "0.0.0.0/0"
-            next_hop_type          = "VirtualAppliance"
-            next_hop_in_ip_address = "10.0.0.30" # TODO: this by default matches the private IP of the private Load Balancer deployed in any of the examples; adjust if needed
+            name                = "2NVA-udr"
+            address_prefix      = "0.0.0.0/0"
+            next_hop_type       = "VirtualAppliance"
+            next_hop_ip_address = "10.0.0.30" # TODO: this by default matches the private IP of the private Load Balancer deployed in any of the examples; adjust if needed
           }
         }
       }
@@ -44,16 +45,17 @@ vnets = {
     name          = "spoke-west"
     address_space = ["10.100.1.0/25"]
     # # Uncomment the lines below to enable peering between spokes created in this module and an existing transit VNET
-    # hub_resource_group_name = "example-transit-vnet-dedicated" # TODO: replace with the name of transit VNET's Resource Group Name
-    # hub_vnet_name = "example-transit" # TODO: replace with the name of the transit VNET
+    # hub_resource_group_name = "example-transit-vnet-common" # TODO: replace with the name of transit VNET's Resource Group Name
+    # hub_vnet_name           = "example-transit"             # TODO: replace with the name of the transit VNET
     route_tables = {
       nva = {
         name = "west2NVA"
         routes = {
           "2NVA" = {
-            address_prefix         = "0.0.0.0/0"
-            next_hop_type          = "VirtualAppliance"
-            next_hop_in_ip_address = "10.0.0.30" # TODO: replace with IP address of the private Load Balancer in the transit VNET
+            name                = "2NVA-udr"
+            address_prefix      = "0.0.0.0/0"
+            next_hop_type       = "VirtualAppliance"
+            next_hop_ip_address = "10.0.0.30" # TODO: replace with IP address of the private Load Balancer in the transit VNET
           }
         }
       }

diff --git a/examples/test_infrastructure/main.tf b/examples/test_infrastructure/main.tf
@@ -38,33 +38,36 @@ module "vnet" {
 
   for_each = var.vnets
 
-  name                   = each.value.name
-  name_prefix            = var.name_prefix
-  create_virtual_network = try(each.value.create_virtual_network, true)
-  resource_group_name    = try(each.value.resource_group_name, local.resource_group.name)
+  name                   = each.value.create_virtual_network ? "${var.name_prefix}${each.value.name}" : each.value.name
+  create_virtual_network = each.value.create_virtual_network
+  resource_group_name    = coalesce(each.value.resource_group_name, local.resource_group.name)
   location               = var.location
 
-  address_space = try(each.value.create_virtual_network, true) ? each.value.address_space : []
+  address_space = each.value.address_space
 
-  create_subnets = try(each.value.create_subnets, true)
+  create_subnets = each.value.create_subnets
   subnets        = each.value.subnets
 
-  network_security_groups = try(each.value.network_security_groups, {})
-  route_tables            = try(each.value.route_tables, {})
+  network_security_groups = { for k, v in each.value.network_security_groups : k => merge(v, { name = "${var.name_prefix}${v.name}" })
+  }
+  route_tables = { for k, v in each.value.route_tables : k => merge(v, { name = "${var.name_prefix}${v.name}" })
+  }
 
   tags = var.tags
 }
 
 module "vnet_peering" {
   source   = "../../modules/vnet_peering"
-  for_each = { for k, v in var.vnets : k => v if can(v.hub_vnet_name) }
+  for_each = { for k, v in var.vnets : k => v if v.hub_vnet_name != null }
 
 
   local_peer_config = {
+    name                = "peer-${each.value.name}-to-${each.value.hub_vnet_name}"
     resource_group_name = local.resource_group.name
     vnet_name           = "${var.name_prefix}${each.value.name}"
   }
   remote_peer_config = {
+    name                = "peer-${each.value.hub_vnet_name}-to-${each.value.name}"
     resource_group_name = try(each.value.hub_resource_group_name, local.resource_group.name)
     vnet_name           = each.value.hub_vnet_name
   }

diff --git a/examples/test_infrastructure/variables.tf b/examples/test_infrastructure/variables.tf
@@ -48,20 +48,67 @@ variable "vnets" {
   
   For detailed documentation on each property refer to [module documentation](../../modules/vnet/README.md)
 
-  - `name` :  A name of a VNET.
-  - `create_virtual_network` : (default: `true`) when set to `true` will create a VNET, `false` will source an existing VNET, in both cases the name of the VNET is specified with `name`
-  - `address_space` : a list of CIDRs for VNET
-  - `resource_group_name` :  (default: current RG) a name of a Resource Group in which the VNET will reside
-  - `hub_vnet_name` : (default: `null`) name of an existing transit VNET. Setting this value triggers peering between the spoke and the transit VNET
-  - `hub_resource_group_name`: (default: current RG) name of a Resource Group hosting a transit VNET, when skipped, the local Resource Group will be used
-
-  - `create_subnets` : (default: `true`) if true, create the Subnets inside the Virtual Network, otherwise use pre-existing subnets
-  - `subnets` : map of Subnets to create
-
-  - `network_security_groups` : map of Network Security Groups to create
-  - `route_tables` : map of Route Tables to create.
+  - `create_virtual_network`  - (`bool`, optional, defaults to `true`) when set to `true` will create a VNET, 
+                                `false` will source an existing VNET.
+  - `name`                    - (`string`, required) a name of a VNET. In case `create_virtual_network = false` this should be
+                                a full resource name, including prefixes.
+  - `address_space`           - (`list(string)`, required when `create_virtual_network = false`) a list of CIDRs for a newly
+                                created VNET
+  - `resource_group_name`     - (`string`, optional, defaults to current RG) a name of an existing Resource Group in which
+                                the VNET will reside or is sourced from
+  - `create_subnets`          - (`bool`, optional, defaults to `true`) if `true`, create Subnets inside the Virtual Network,
+                                otherwise use source existing subnets
+  - `subnets`                 - (`map`, optional) map of Subnets to create or source, for details see
+                                [VNET module documentation](../../modules/vnet/README.md#subnets)
+  - `network_security_groups` - (`map`, optional) map of Network Security Groups to create, for details see
+                                [VNET module documentation](../../modules/vnet/README.md#network_security_groups)
+  - `route_tables`            - (`map`, optional) map of Route Tables to create, for details see
+                                [VNET module documentation](../../modules/vnet/README.md#route_tables)
   EOF
-  type        = any
+
+  type = map(object({
+    name                    = string
+    resource_group_name     = optional(string)
+    create_virtual_network  = optional(bool, true)
+    address_space           = optional(list(string))
+    hub_resource_group_name = optional(string)
+    hub_vnet_name           = optional(string)
+    network_security_groups = optional(map(object({
+      name = string
+      rules = optional(map(object({
+        name                         = string
+        priority                     = number
+        direction                    = string
+        access                       = string
+        protocol                     = string
+        source_port_range            = optional(string)
+        source_port_ranges           = optional(list(string))
+        destination_port_range       = optional(string)
+        destination_port_ranges      = optional(list(string))
+        source_address_prefix        = optional(string)
+        source_address_prefixes      = optional(list(string))
+        destination_address_prefix   = optional(string)
+        destination_address_prefixes = optional(list(string))
+      })), {})
+    })), {})
+    route_tables = optional(map(object({
+      name = string
+      routes = map(object({
+        name                = string
+        address_prefix      = string
+        next_hop_type       = string
+        next_hop_ip_address = optional(string)
+      }))
+    })), {})
+    create_subnets = optional(bool, true)
+    subnets = optional(map(object({
+      name                            = string
+      address_prefixes                = optional(list(string), [])
+      network_security_group_key      = optional(string)
+      route_table_key                 = optional(string)
+      enable_storage_service_endpoint = optional(bool, false)
+    })), {})
+  }))
 }
 
 variable "hub_resource_group_name" {

diff --git a/examples/vnet/main.tf b/examples/vnet/main.tf
@@ -30,13 +30,15 @@ module "vnet" {
   address_space = each.value.address_space
 
   create_subnets = each.value.create_subnets
-  subnets = each.value.create_subnets ? {
-    for k, v in each.value.subnets : k => merge(v, { name = "${var.name_prefix}${v.name}" })
-  } : each.value.subnets
+  subnets        = each.value.subnets
 
-  network_security_groups = { for k, v in each.value.network_security_groups : k => merge(v, { name = "${var.name_prefix}${v.name}" })
+  network_security_groups = {
+    for k, v in each.value.network_security_groups :
+    k => merge(v, { name = "${var.name_prefix}${v.name}" })
   }
-  route_tables = { for k, v in each.value.route_tables : k => merge(v, { name = "${var.name_prefix}${v.name}" })
+  route_tables = {
+    for k, v in each.value.route_tables :
+    k => merge(v, { name = "${var.name_prefix}${v.name}" })
   }
 
   tags = var.tags

diff --git a/modules/vnet_peering/.header.md b/modules/vnet_peering/.header.md
@@ -0,0 +1,21 @@
+# Palo Alto Networks VNet Peering Module for Azure
+
+A terraform module for deploying a Virtual Network Peering and its components required for the VM-Series firewalls in Azure.
+
+## Usage
+
+Simple usage example:
+
+```hcl
+local_peer_config = {
+  name                = "peer-local_vnet-to-remote_vnet"
+  resource_group_name = "local_resourcegroup_name"
+  vnet_name           = "local_vnet_name"
+}
+
+remote_peer_config = {
+  name                = "peer-remote_vnet-to-local_vnet"
+  resource_group_name = "remote_resourcegroup_name"
+  vnet_name           = "remote_vnet_name"
+}
+```