Network Security Group Module

This module creates an Azure Network Security Group (NSG) and lets you manage the inbound and outbound security rules attached to it from a single configuration.

This repository is a READ-ONLY sub-tree split. See https://github.com/FriendsOfTerraform/modules to create issues or submit pull requests.


Requirements

  • Terraform v1.3.0+

Example Usage

Basic Usage

This example creates a network security group with two inbound rules: RDP restricted to a single CIDR, and HTTPS from any source. A rule that specifies no source selector matches Any, so leave that default only for services that are meant to be reachable from the Internet.

```hcl
module "demo_nsg" {
  source = "github.com/FriendsOfTerraform/azure-network-security-group.git?ref=v1.0.0"

  azure = {
    resource_group_name = "sandbox"
    location            = "westus" # if unspecified, resource group's location will be used
  }

  name = "demo-nsg"

  additional_tags_all = {
    created-by = "Peter Sin" # Tag all resources with the creator information
  }

  inbound_security_rules = {
    rdp = {
      priority            = 100
      description         = "Allows RDP from a particular CIDR"
      source_ip_addresses = ["10.0.0.0/24"]
      port_ranges         = ["3389"]
    }
    web-frontend = {
      priority    = 200
      description = "Allows HTTPS from Anywhere"
      port_ranges = ["443"] # no source selector: matches any source
    }
  }
}
```
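To see what the rules above do once Azure evaluates them, here is an added Python simulation. It is not code from the module or from the FriendsOfTerraform project: it fills in the defaults the Argument Reference documents (Allow, Tcp, all ports, unset selector = Any), appends Azure's built-in DenyAllInBound default rule as the catch-all, and walks the rules in ascending priority order, stopping at the first match. The flows, the `block-bad-actor` rule and the 10.1.0.4 target address are constructed for the demo; `port_ranges` is assumed to mean the destination port, and service-tag and application-security-group selectors are deliberately not resolved because that needs Azure's own prefix data.

```python
"""Simulate Azure NSG first-match evaluation for rules written in this module's format.

Added example; it is not part of the FriendsOfTerraform module. It applies the
defaults documented in the Argument Reference (action "Allow", protocol "Tcp",
port_ranges "*", an unset source or destination selector = Any), appends Azure's
built-in DenyAllInBound default rule (priority 65500) as the catch-all, and walks
the rules from lowest to highest priority, stopping at the first match, which is
how the platform processes an NSG.
"""
import ipaddress

# Azure's built-in inbound default rules. AllowVNetInBound (65000) and
# AllowAzureLoadBalancerInBound (65001) are left out because they rely on service
# tags and every constructed flow below originates outside the virtual network;
# DenyAllInBound (65500) is what decides any flow no user rule matched.
AZURE_DEFAULT_INBOUND = {
    "DenyAllInBound": {"priority": 65500, "action": "Deny", "protocol": "*",
                       "port_ranges": ["*"]},
}

# Selectors this simulation does not resolve: expanding a service tag or an
# application security group needs Azure's own prefix / membership data.
UNMODELLED_SELECTORS = (
    "source_service_tag", "destination_service_tag",
    "source_application_security_group_ids",
    "destination_application_security_group_ids",
)


def port_matches(port_ranges, port):
    """True if port is covered by any "*", "8080" or "0-1024" entry."""
    for spec in port_ranges:
        if spec == "*":
            return True
        lo, _, hi = spec.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def ip_matches(cidrs, ip):
    """None means the module left the selector unset, which matches Any."""
    if cidrs is None:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def rule_matches(rule, flow):
    """Test one rule (with module defaults filled in) against one flow.

    Assumption: port_ranges is matched against the destination port; the README
    does not say which side of the connection it applies to.
    """
    for key in UNMODELLED_SELECTORS:
        if rule.get(key) is not None:
            raise NotImplementedError(f"{key} is not resolved by this simulation")
    proto = rule.get("protocol", "Tcp")
    if proto != "*" and proto.lower() != flow["protocol"].lower():
        return False
    return (ip_matches(rule.get("source_ip_addresses"), flow["src"])
            and ip_matches(rule.get("destination_ip_addresses"), flow["dst"])
            and port_matches(rule.get("port_ranges", ["*"]), flow["dst_port"]))


def evaluate(rules, flow, defaults=AZURE_DEFAULT_INBOUND):
    """Return (action, rule_name) of the first matching rule in priority order."""
    candidates = {**rules, **defaults}
    for name, rule in sorted(candidates.items(), key=lambda kv: kv[1]["priority"]):
        if rule_matches(rule, flow):
            return rule.get("action", "Allow"), name
    raise RuntimeError("unreachable: DenyAllInBound matches everything")


def flow(src, dst_port, protocol="Tcp", dst="10.1.0.4"):
    """Constructed sample flow; 10.1.0.4 stands in for the protected NIC."""
    return {"src": src, "dst": dst, "dst_port": dst_port, "protocol": protocol}


# The README's two rules plus an explicit Deny that sits between them in the
# priority order, to show that the lower number wins whatever its action.
INBOUND_RULES = {
    "rdp": {"priority": 100, "source_ip_addresses": ["10.0.0.0/24"],
            "port_ranges": ["3389"]},
    "block-bad-actor": {"priority": 150, "action": "Deny", "protocol": "*",
                        "source_ip_addresses": ["203.0.113.0/24"]},
    "web-frontend": {"priority": 200, "port_ranges": ["443"]},
}

if __name__ == "__main__":
    for f in (flow("10.0.0.5", 3389), flow("198.51.100.9", 3389),
              flow("198.51.100.9", 443), flow("203.0.113.7", 443),
              flow("198.51.100.9", 443, protocol="Udp")):
        action, by = evaluate(INBOUND_RULES, f)
        print(f"{f['src']:>14} -> {f['dst_port']}/{f['protocol']}: {action} ({by})")
```

Two things the run makes visible that the HCL alone does not: RDP from anywhere other than 10.0.0.0/24 is not rejected by the `rdp` rule itself but by Azure's DenyAllInBound default, and the `web-frontend` rule never matches UDP because the module's protocol default is Tcp.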

Argument Reference

Mandatory

  • (object) azure [since v0.0.1]

    The resource group and the location the resources will be deployed to

    ```hcl
    azure = {
      resource_group_name = "sandbox"
      location            = "westus"
    }
    ```
    • (string) resource_group_name [since v0.0.1]

      The name of the Azure resource group where the network security group will be deployed

    • (string) location = null [since v0.0.1]

      The Azure location where the network security group will be deployed. If unspecified, the resource group's location is used.

  • (string) name [since v0.0.1]

    The name of the network security group. It is also used as the prefix for the names of all associated resources.

Optional

  • (map(string)) additional_tags = {} [since v0.0.1]

    Additional tags for the network security group

  • (map(string)) additional_tags_all = {} [since v0.0.1]

    Additional tags for all resources deployed with this module

  • (map(object)) inbound_security_rules = {} [since v0.0.1]

    Manages multiple inbound security rules, in {rule_name = {configuration}} format. Azure evaluates the rules in ascending priority order and stops at the first match. Traffic that matches none of them falls through to Azure's built-in inbound default rules (AllowVNetInBound at 65000, AllowAzureLoadBalancerInBound at 65001, DenyAllInBound at 65500), so unmatched traffic from outside the virtual network is denied.

    ```hcl
    inbound_security_rules = {
      rdp = {
        priority            = 100
        description         = "Allows RDP from a particular CIDR"
        source_ip_addresses = ["10.0.0.0/24"]
        port_ranges         = ["3389"]
      }
    }
    ```
    • (number) priority [since v0.0.1]

      The priority of the rule. A lower number is evaluated first and therefore takes precedence. Azure requires a value between 100 and 4096 that is unique among the rules in the same direction.

    • (string) action = "Allow" [since v0.0.1]

      Whether traffic matching this rule is allowed or denied. Valid values are Allow and Deny

    • (string) description = null [since v0.0.1]

      Description of the security rule

    • (list(string)) destination_application_security_group_ids = null [since v0.0.1]

      A list of destination application security group IDs that match this rule. This option is mutually exclusive with destination_ip_addresses and destination_service_tag. If no destination is specified, all destinations (Any) match.

    • (list(string)) destination_ip_addresses = null [since v0.0.1]

      A list of destination IP addresses or CIDRs that match this rule. This option is mutually exclusive with destination_application_security_group_ids and destination_service_tag. If no destination is specified, all destinations (Any) match.

    • (string) destination_service_tag = null [since v0.0.1]

      A destination Service Tag that matches this rule. This option is mutually exclusive with destination_application_security_group_ids and destination_ip_addresses. If no destination is specified, all destinations (Any) match.

    • (list(string)) port_ranges = "*" [since v0.0.1]

      A list of port ranges that match this rule. Each entry is either a range, e.g. "0-1024", or a single port, e.g. "8080". Defaults to all ports ("*").

    • (string) protocol = "Tcp" [since v0.0.1]

      The protocol of the connection that matches this rule. Valid options are "Tcp", "Udp", "Icmp", "Esp", "Ah", and "*" (any protocol). Because the default is Tcp, a UDP service needs an explicit protocol = "Udp".

    • (list(string)) source_application_security_group_ids = null [since v0.0.1]

      A list of source application security group IDs that match this rule. This option is mutually exclusive with source_ip_addresses and source_service_tag. If no source is specified, all sources (Any) match.

    • (list(string)) source_ip_addresses = null [since v0.0.1]

      A list of source IP addresses or CIDRs that match this rule. This option is mutually exclusive with source_application_security_group_ids and source_service_tag. If no source is specified, all sources (Any) match.

    • (string) source_service_tag = null [since v0.0.1]

      A source Service Tag that matches this rule. This option is mutually exclusive with source_application_security_group_ids and source_ip_addresses. If no source is specified, all sources (Any) match.

  • (map(object)) outbound_security_rules = {} [since v0.0.1]

    Manages multiple outbound security rules, in {rule_name = {configuration}} format. As with inbound rules, Azure evaluates them in ascending priority order and stops at the first match. Traffic that matches none of them falls through to Azure's built-in outbound default rules (AllowVnetOutBound at 65000, AllowInternetOutBound at 65001, DenyAllOutBound at 65500). Because AllowInternetOutBound permits all egress to the Internet, restricting egress requires an explicit Deny rule in this map; any user rule has a lower priority number than 65001 and is therefore evaluated first.

    ```hcl
    outbound_security_rules = {
      dns = {
        priority    = 100
        description = "Allow outbound DNS (UDP 53) to any destination"
        port_ranges = ["53"]
        protocol    = "Udp"
      }
    }
    ```
    • (number) priority [since v0.0.1]

      The priority of the rule. A lower number is evaluated first and therefore takes precedence. Azure requires a value between 100 and 4096 that is unique among the rules in the same direction.

    • (string) action = "Allow" [since v0.0.1]

      Whether traffic matching this rule is allowed or denied. Valid values are Allow and Deny

    • (string) description = null [since v0.0.1]

      Description of the security rule

    • (list(string)) destination_application_security_group_ids = null [since v0.0.1]

      A list of destination application security group IDs that match this rule. This option is mutually exclusive with destination_ip_addresses and destination_service_tag. If no destination is specified, all destinations (Any) match.

    • (list(string)) destination_ip_addresses = null [since v0.0.1]

      A list of destination IP addresses or CIDRs that match this rule. This option is mutually exclusive with destination_application_security_group_ids and destination_service_tag. If no destination is specified, all destinations (Any) match.

    • (string) destination_service_tag = null [since v0.0.1]

      A destination Service Tag that matches this rule. This option is mutually exclusive with destination_application_security_group_ids and destination_ip_addresses. If no destination is specified, all destinations (Any) match.

    • (list(string)) port_ranges = "*" [since v0.0.1]

      A list of port ranges that match this rule. Each entry is either a range, e.g. "0-1024", or a single port, e.g. "8080". Defaults to all ports ("*").

    • (string) protocol = "Tcp" [since v0.0.1]

      The protocol of the connection that matches this rule. Valid options are "Tcp", "Udp", "Icmp", "Esp", "Ah", and "*" (any protocol). Because the default is Tcp, a UDP service such as DNS needs an explicit protocol = "Udp".

    • (list(string)) source_application_security_group_ids = null [since v0.0.1]

      A list of source application security group IDs that match this rule. This option is mutually exclusive with source_ip_addresses and source_service_tag. If no source is specified, all sources (Any) match.

    • (list(string)) source_ip_addresses = null [since v0.0.1]

      A list of source IP addresses or CIDRs that match this rule. This option is mutually exclusive with source_application_security_group_ids and source_service_tag. If no source is specified, all sources (Any) match.

    • (string) source_service_tag = null [since v0.0.1]

      A source Service Tag that matches this rule. This option is mutually exclusive with source_application_security_group_ids and source_ip_addresses. If no source is specified, all sources (Any) match.
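The constraints in the inbound and outbound references above are easy to get wrong in a large rule map, and Terraform only reports some of them at apply time. The following added Python check (not part of the module or the FriendsOfTerraform project) lints both maps before `terraform apply`: it enforces the mutual exclusivity of the source and destination selectors the reference describes, Azure's priority constraints (100 to 4096, unique within a direction), and two review points a security engineer looks for, SSH or RDP reachable from Any, and an outbound map that never overrides Azure's AllowInternetOutBound default. The rule maps, the rule names and the `deny-internet` rule are constructed inputs for the demo, and the findings format is this example's own.

```python
"""Static checks for inbound_security_rules / outbound_security_rules maps.

Added example, not part of the FriendsOfTerraform module. It enforces the
constraint the Argument Reference states (only one kind of source selector and
one kind of destination selector per rule), Azure's own constraints on rule
priority (100-4096, unique within a direction), and two review points: SSH/RDP
reachable from Any, and an outbound map that never overrides Azure's
AllowInternetOutBound default rule (priority 65001).
"""

SOURCE_SELECTORS = ("source_ip_addresses", "source_service_tag",
                    "source_application_security_group_ids")
DEST_SELECTORS = ("destination_ip_addresses", "destination_service_tag",
                  "destination_application_security_group_ids")
MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP"}


def covers_port(port_ranges, port):
    """True if port falls in any "*", "8080" or "0-1024" entry."""
    for spec in port_ranges:
        if spec == "*":
            return True
        lo, _, hi = spec.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def is_any(rule, selectors):
    """The module treats an entirely unset selector group as Any."""
    return all(rule.get(k) is None for k in selectors)


def lint_direction(rules, direction):
    """Return (rule_name, message) findings for one {name = {config}} map."""
    findings, seen = [], {}
    for name, rule in rules.items():
        prio = rule.get("priority")
        if not isinstance(prio, int) or not 100 <= prio <= 4096:
            findings.append((name, f"priority {prio!r} outside Azure's 100-4096 range"))
        elif prio in seen:
            findings.append((name, f"priority {prio} already used by {seen[prio]!r}"))
        else:
            seen[prio] = name
        for label, group in (("source", SOURCE_SELECTORS), ("destination", DEST_SELECTORS)):
            used = [k for k in group if rule.get(k) is not None]
            if len(used) > 1:
                findings.append((name, f"{label} selectors are mutually exclusive: {used}"))
        # Management ports open to the world: only an Allow rule that can carry
        # TCP (the module default) and has no source selector is a problem.
        allows_tcp = (rule.get("action", "Allow") == "Allow"
                      and rule.get("protocol", "Tcp").lower() in ("tcp", "*"))
        if direction == "inbound" and allows_tcp and is_any(rule, SOURCE_SELECTORS):
            for port, svc in MANAGEMENT_PORTS.items():
                if covers_port(rule.get("port_ranges", ["*"]), port):
                    findings.append((name, f"{svc} (tcp/{port}) allowed from Any"))
    return findings


def lacks_egress_deny(outbound_rules):
    """True when nothing denies Internet egress before AllowInternetOutBound (65001).

    User rules are limited to priorities <= 4096, so any matching Deny here is
    evaluated before the platform default and is enough to close egress.
    """
    for rule in outbound_rules.values():
        dest_any_or_internet = (is_any(rule, DEST_SELECTORS)
                                or rule.get("destination_service_tag") == "Internet")
        if (rule.get("action", "Allow") == "Deny"
                and rule.get("protocol", "Tcp") == "*"
                and "*" in rule.get("port_ranges", ["*"])
                and is_any(rule, SOURCE_SELECTORS)
                and dest_any_or_internet):
            return False
    return True


def lint(inbound_rules, outbound_rules):
    """Lint both maps; the egress finding is attributed to the outbound map as a whole."""
    findings = (lint_direction(inbound_rules, "inbound")
                + lint_direction(outbound_rules, "outbound"))
    if lacks_egress_deny(outbound_rules):
        findings.append(("outbound", "no Deny to Internet: Azure's AllowInternetOutBound (65001) still applies"))
    return findings


# Constructed inputs: the README's rdp rule plus three mistakes to catch, and a
# weak and a hardened outbound map.
INBOUND_RULES = {
    "rdp": {"priority": 100, "source_ip_addresses": ["10.0.0.0/24"], "port_ranges": ["3389"]},
    "ssh-anywhere": {"priority": 110, "port_ranges": ["22"]},  # no source selector: Any
    "mixed-source": {"priority": 110, "source_ip_addresses": ["10.0.1.0/24"],
                     "source_service_tag": "VirtualNetwork", "port_ranges": ["8080"]},
    "too-low": {"priority": 50, "port_ranges": ["443"]},
}
OUTBOUND_WEAK = {"dns": {"priority": 100, "port_ranges": ["53"], "protocol": "Udp"}}
OUTBOUND_HARDENED = {
    **OUTBOUND_WEAK,
    "deny-internet": {"priority": 4000, "action": "Deny", "protocol": "*",
                      "destination_service_tag": "Internet"},
}

if __name__ == "__main__":
    for rule, msg in lint(INBOUND_RULES, OUTBOUND_WEAK):
        print(f"{rule}: {msg}")
```

Run against OUTBOUND_WEAK the check reports five findings; swapping in OUTBOUND_HARDENED removes the egress one, because its `deny-internet` rule sits at priority 4000 and so is evaluated before Azure's 65001 default. The egress test is deliberately strict (protocol "*", all ports, Any source) so that a narrower Deny does not give a false sense of closure.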

Outputs

  • (string) id [since v0.0.1]

    The ID of the network security group