From 9ce3ba1f21ea7773eae59f9b05b263e1c2dcde22 Mon Sep 17 00:00:00 2001 From: Ash Davies <3853061+DrizzlyOwl@users.noreply.github.com> Date: Wed, 1 May 2024 16:24:18 +0100 Subject: [PATCH] Launch Private Endpoints into targetted networks --- README.md | 8 ++------ data.tf | 7 ------- locals.tf | 9 ++------- variables.tf | 18 ------------------ virtual-network.tf | 24 ------------------------ 5 files changed, 4 insertions(+), 62 deletions(-) delete mode 100644 virtual-network.tf diff --git a/README.md b/README.md index 6ae25e4..00dc8c0 100644 --- a/README.md +++ b/README.md @@ -20,6 +20,7 @@ |------|------| | [azapi_update_resource.mssql_threat_protection](https://registry.terraform.io/providers/Azure/azapi/latest/docs/resources/update_resource) | resource | | [azapi_update_resource.mssql_vulnerability_assessment](https://registry.terraform.io/providers/Azure/azapi/latest/docs/resources/update_resource) | resource | +| [azurerm_data_factory_managed_private_endpoint.mssql](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/data_factory_managed_private_endpoint) | resource | | [azurerm_monitor_action_group.main](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_action_group) | resource | | [azurerm_monitor_metric_alert.sql_cpu](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_metric_alert) | resource | | [azurerm_monitor_metric_alert.sql_dataio](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_metric_alert) | resource | 
@@ -42,23 +43,21 @@ | [azurerm_storage_account.mssql_security_storage](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account) | resource | | [azurerm_storage_account_network_rules.mssql_security_storage](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account_network_rules) | resource | | [azurerm_storage_container.mssql_security_storage](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_container) | resource | -| [azurerm_subnet.mssql_private_endpoint_subnet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet) | resource | | [azurerm_subnet.private_endpoint](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet) | resource | | [azurerm_subnet_route_table_association.private_endpoint](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet_route_table_association) | resource | | [azurerm_user_assigned_identity.mssql](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/user_assigned_identity) | resource | -| [azurerm_virtual_network.default](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_network) | resource | | [azapi_resource_action.existing_logic_app_workflow_callback_url](https://registry.terraform.io/providers/Azure/azapi/latest/docs/data-sources/resource_action) | data source | | [azurerm_logic_app_workflow.existing_logic_app_workflow](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/logic_app_workflow) | data source | | [azurerm_resource_group.existing_resource_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source | | [azurerm_route_table.private_endpoints](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/route_table) | data source | | 
[azurerm_subscription.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subscription) | data source | -| [azurerm_virtual_network.existing_virtual_network](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/virtual_network) | data source | | [azurerm_virtual_network.private_endpoints](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/virtual_network) | data source | ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| +| [adf\_private\_endpoint\_configurations](#input\_adf\_private\_endpoint\_configurations) | Key value pair. Specify the Key as the ADF Name, and the value as the ADF Resource ID | `map(string)` | `{}` | no | | [azure\_location](#input\_azure\_location) | Azure location in which to launch resources. | `string` | n/a | yes | | [enable\_monitoring](#input\_enable\_monitoring) | Create an App Insights instance and notification group for the Container App | `bool` | `false` | no | | [enable\_mssql\_database](#input\_enable\_mssql\_database) | Set to true to create an Azure SQL server/database, with a private endpoint within the virtual network | `bool` | `false` | no | @@ -66,9 +65,7 @@ | [environment](#input\_environment) | Environment name. Will be used along with `project_name` as a prefix for all resources. | `string` | n/a | yes | | [existing\_logic\_app\_workflow](#input\_existing\_logic\_app\_workflow) | Name, Resource Group and HTTP Trigger URL of an existing Logic App Workflow. Leave empty to create a new Resource |
object({
name : string
resource_group_name : string
})
|
{
"name": "",
"resource_group_name": ""
}
| no | | [existing\_resource\_group](#input\_existing\_resource\_group) | Conditionally launch resources into an existing resource group. Specifying this will NOT create a resource group. | `string` | `""` | no | -| [existing\_virtual\_network](#input\_existing\_virtual\_network) | Conditionally use an existing virtual network. The `virtual_network_address_space` must match an existing address space in the VNet. This also requires the resource group name. | `string` | `""` | no | | [key\_vault\_access\_ipv4](#input\_key\_vault\_access\_ipv4) | List of IPv4 Addresses that are permitted to access the Key Vault | `list(string)` | n/a | yes | -| [launch\_in\_vnet](#input\_launch\_in\_vnet) | Conditionally launch into a VNet | `bool` | `true` | no | | [monitor\_email\_receivers](#input\_monitor\_email\_receivers) | A list of email addresses that should be notified by monitoring alerts | `list(string)` | `[]` | no | | [mssql\_azuread\_admin\_object\_id](#input\_mssql\_azuread\_admin\_object\_id) | Object ID of a User within Azure AD that you want to assign as the SQL Server Administrator | `string` | `""` | no | | [mssql\_azuread\_admin\_username](#input\_mssql\_azuread\_admin\_username) | Username of a User within Azure AD that you want to assign as the SQL Server Administrator | `string` | `""` | no | @@ -87,7 +84,6 @@ | [project\_name](#input\_project\_name) | Project name. Will be used along with `environment` as a prefix for all resources. | `string` | n/a | yes | | [tags](#input\_tags) | Tags to be applied to all resources | `map(string)` | `{}` | no | | [tfvars\_filename](#input\_tfvars\_filename) | tfvars filename. This file is uploaded and stored encrypted within Key Vault, to ensure that the latest tfvars are stored in a shared place. | `string` | n/a | yes | -| [virtual\_network\_address\_space](#input\_virtual\_network\_address\_space) | Virtual Network address space CIDR | `string` | `"172.16.0.0/12"` | no | ## Outputs 
diff --git a/data.tf b/data.tf
index ad5181e..cea3ff0 100644
--- a/data.tf
+++ b/data.tf
@@ -1,10 +1,3 @@
-data "azurerm_virtual_network" "existing_virtual_network" {
- count = local.existing_virtual_network == "" ? 0 : 1
-
- name = local.existing_virtual_network
- resource_group_name = local.existing_resource_group
-}
-
 data "azurerm_resource_group" "existing_resource_group" {
 count = local.existing_resource_group == "" ? 0 : 1
 
diff --git a/locals.tf b/locals.tf
index 6fdfbe0..22f40fc 100644
--- a/locals.tf
+++ b/locals.tf
@@ -15,13 +15,8 @@ locals {
 resource_group = local.existing_resource_group == "" ? azurerm_resource_group.default[0] : data.azurerm_resource_group.existing_resource_group[0]
 
 # Networking
- launch_in_vnet = var.launch_in_vnet
- existing_virtual_network = var.existing_virtual_network
- virtual_network = local.existing_virtual_network == "" ? azurerm_virtual_network.default[0] : data.azurerm_virtual_network.existing_virtual_network[0]
- virtual_network_address_space = var.virtual_network_address_space
- virtual_network_address_space_mask = element(split("/", local.virtual_network_address_space), 1)
- mssql_private_endpoint_subnet_cidr = cidrsubnet(local.virtual_network_address_space, 23 - local.virtual_network_address_space_mask, 1)
- private_endpoint_configurations = var.private_endpoint_configurations
+ private_endpoint_configurations = var.private_endpoint_configurations
+ adf_private_endpoint_configurations = var.adf_private_endpoint_configurations
 
 # SQL Server
 enable_mssql_database = var.enable_mssql_database
diff --git a/variables.tf b/variables.tf
index 7bbf0a6..174617c 100644
--- a/variables.tf
+++ b/variables.tf
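Review bot: The new `adf_private_endpoint_configurations = var.adf_private_endpoint_configurations` line reads an input that no `variable` block in this patch declares (the diffstat shows variables.tf only losing lines), so unless it was added in an earlier commit `terraform validate` will fail on an undeclared variable. The README in this same patch documents it as a `map(string)` of ADF name to ADF resource ID that is presumably consumed by the newly listed `azurerm_data_factory_managed_private_endpoint.mssql`, so wherever it is declared a `validation` block such as `condition = alltrue([for v in var.adf_private_endpoint_configurations : can(regex("^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/Microsoft.DataFactory/factories/[^/]+$", v))])` would reject a mistyped or foreign resource ID before a managed private endpoint is created against it. With the module-owned VNet and `mssql_private_endpoint_subnet` removed, a comment under `# Networking` along the lines of `# No VNet is created by this module; private endpoints are placed in the subnets supplied via private_endpoint_configurations` would tell readers where the endpoints now land. The enclosing `locals` block begins before and continues past this hunk.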
@@ -25,24 +25,6 @@ variable "existing_resource_group" {
 default = ""
 }
 
-variable "launch_in_vnet" {
- description = "Conditionally launch into a VNet"
- type = bool
- default = false
-}
-
-variable "existing_virtual_network" {
- description = "Conditionally use an existing virtual network. The `virtual_network_address_space` must match an existing address space in the VNet. This also requires the resource group name."
- type = string
- default = ""
-}
-
-variable "virtual_network_address_space" {
- description = "Virtual Network address space CIDR"
- type = string
- default = "172.16.0.0/12"
-}
-
 variable "enable_mssql_database" {
 description = "Set to true to create an Azure SQL server/database, with a private endpoint within the virtual network"
 type = bool
diff --git a/virtual-network.tf b/virtual-network.tf
deleted file mode 100644
index f63b804..0000000
--- a/virtual-network.tf
+++ /dev/null
@@ -1,24 +0,0 @@
-resource "azurerm_virtual_network" "default" {
- count = local.existing_virtual_network == "" ? (
- local.launch_in_vnet ? 1 : 0
- ) : 0
-
- name = "${local.resource_prefix}default"
- address_space = [local.virtual_network_address_space]
- location = local.resource_group.location
- resource_group_name = local.resource_group.name
- tags = local.tags
-}
-
-# SQL Server Networking
-resource "azurerm_subnet" "mssql_private_endpoint_subnet" {
- count = local.enable_mssql_database ? (
- local.launch_in_vnet ? 1 : 0
- ) : 0
-
- name = "${local.resource_prefix}mssqlprivateendpoint"
- virtual_network_name = local.virtual_network.name
- resource_group_name = local.resource_group.name
- address_prefixes = [local.mssql_private_endpoint_subnet_cidr]
- private_endpoint_network_policies_enabled = true
-}