From f1557774ee77f369689b86dff4818ab3a639b46d Mon Sep 17 00:00:00 2001 
From: Dennis Kool <43271994+dkooll@users.noreply.github.com> Date: Wed, 18 Sep 2024 09:48:49 +0200 Subject: [PATCH] feat!: aligned several properties and resources (#47) * feat!: aligned several properties and resources BREAKING CHANGE: * data structure has changed due to renaming of properties and removal of resources. * feat: fix linting issues --------- Co-authored-by: dkool --- Makefile | 5 +- README.md | 24 +--- examples/collection-rule-groups/README.md | 122 ---------------- examples/collection-rule-groups/locals.tf | 84 ----------- examples/collection-rule-groups/main.tf | 53 ------- examples/collection-rule-groups/terraform.tf | 14 -- examples/default/README.md | 27 ++-- examples/default/main.tf | 16 +-- examples/intrustion-detection/README.md | 65 --------- examples/intrustion-detection/locals.tf | 48 ------- examples/intrustion-detection/main.tf | 34 ----- examples/intrustion-detection/terraform.tf | 14 -- examples/ip-groups/README.md | 134 ------------------ examples/ip-groups/ipgroups.tf | 76 ---------- examples/ip-groups/main.tf | 80 ----------- examples/ip-groups/rules.tf | 94 ------------ examples/ip-groups/terraform.tf | 14 -- examples/policy-inheritance/README.md | 90 ------------ examples/policy-inheritance/locals.tf | 32 ----- examples/policy-inheritance/main.tf | 65 --------- examples/policy-inheritance/terraform.tf | 14 -- examples/secure-vhubs/README.md | 61 ++------ examples/secure-vhubs/firewalls.tf | 22 +++ examples/secure-vhubs/locals.tf | 35 ----- examples/secure-vhubs/main.tf | 28 ++-- .../locals.tf => secure-vhubs/naming.tf} | 2 +- examples/secure-vhubs/vhubs.tf | 12 ++ locals.tf | 50 ------- main.tf | 109 +++----------- modules/collection-rule-groups/README.md | 34 ----- modules/collection-rule-groups/main.tf | 98 ------------- modules/collection-rule-groups/terraform.tf | 10 -- modules/collection-rule-groups/variables.tf | 22 --- modules/firewall-policy/README.md | 36 ----- modules/firewall-policy/main.tf | 64 --------- 
modules/firewall-policy/outputs.tf | 6 - modules/firewall-policy/terraform.tf | 10 -- modules/firewall-policy/variables.tf | 22 --- modules/ip-groups/README.md | 38 ----- modules/ip-groups/locals.tf | 10 -- modules/ip-groups/main.tf | 21 --- modules/ip-groups/outputs.tf | 6 - modules/ip-groups/terraform.tf | 10 -- modules/ip-groups/variables.tf | 23 --- outputs.tf | 30 +--- tests/go.mod | 6 +- tests/go.sum | 12 +- tests/shared/shared.go | 49 ------- tests/virtualwan_test.go | 28 ---- tests/vwan_test.go | 72 ++++++++++ variables.tf | 2 +- 51 files changed, 194 insertions(+), 1839 deletions(-) delete mode 100644 examples/collection-rule-groups/README.md delete mode 100644 examples/collection-rule-groups/locals.tf delete mode 100644 examples/collection-rule-groups/main.tf delete mode 100644 examples/collection-rule-groups/terraform.tf delete mode 100644 examples/intrustion-detection/README.md delete mode 100644 examples/intrustion-detection/locals.tf delete mode 100644 examples/intrustion-detection/main.tf delete mode 100644 examples/intrustion-detection/terraform.tf delete mode 100644 examples/ip-groups/README.md delete mode 100644 examples/ip-groups/ipgroups.tf delete mode 100644 examples/ip-groups/main.tf delete mode 100644 examples/ip-groups/rules.tf delete mode 100644 examples/ip-groups/terraform.tf delete mode 100644 examples/policy-inheritance/README.md delete mode 100644 examples/policy-inheritance/locals.tf delete mode 100644 examples/policy-inheritance/main.tf delete mode 100644 examples/policy-inheritance/terraform.tf create mode 100644 examples/secure-vhubs/firewalls.tf delete mode 100644 examples/secure-vhubs/locals.tf rename examples/{default/locals.tf => secure-vhubs/naming.tf} (82%) create mode 100644 examples/secure-vhubs/vhubs.tf delete mode 100644 locals.tf delete mode 100644 modules/collection-rule-groups/README.md delete mode 100644 modules/collection-rule-groups/main.tf delete mode 100644 modules/collection-rule-groups/terraform.tf delete mode 
100644 modules/collection-rule-groups/variables.tf delete mode 100644 modules/firewall-policy/README.md delete mode 100644 modules/firewall-policy/main.tf delete mode 100644 modules/firewall-policy/outputs.tf delete mode 100644 modules/firewall-policy/terraform.tf delete mode 100644 modules/firewall-policy/variables.tf delete mode 100644 modules/ip-groups/README.md delete mode 100644 modules/ip-groups/locals.tf delete mode 100644 modules/ip-groups/main.tf delete mode 100644 modules/ip-groups/outputs.tf delete mode 100644 modules/ip-groups/terraform.tf delete mode 100644 modules/ip-groups/variables.tf delete mode 100644 tests/shared/shared.go delete mode 100644 tests/virtualwan_test.go create mode 100644 tests/vwan_test.go diff --git a/Makefile b/Makefile index 9539fec..e619e8e 100644 --- a/Makefile +++ b/Makefile @@ -3,7 +3,4 @@ export TF_PATH test: - cd tests && go test -v -timeout 60m -run TestApplyNoError/$(TF_PATH) ./virtualwan_test.go - -#test_extended: - #cd tests && env go test -v -timeout 60m -run TestVm ./vm_extended_test.go + cd tests && go test -v -timeout 60m -run TestApplyNoError/$(TF_PATH) ./vwan_test.go diff --git a/README.md b/README.md index b1883b0..97b4d07 100644 --- a/README.md +++ b/README.md @@ -24,12 +24,9 @@ End-to-end testing is not conducted on these modules, as they are individual com ## Features -- simplified virtual wan deployment across regions +- simplified virtual wan deployment - multiple secure virtual hub support - utilization of terratest for robust validation -- multiple collection groups, collections and rules support -- optional ip group integration in collection rule groups -- supports base and child policy inheritance ## Requirements 
@@ -44,22 +41,10 @@ End-to-end testing is not conducted on these modules, as they are individual com |------|---------| | [azurerm](#provider\_azurerm) | ~> 3.61 | -## Modules - -| Name | Source | -|------|--------| -| [collection-rule-groups](./modules/collection-rule-groups) | resource | -| [firewall-policy](./modules/firewall-policy) | resource | - ## Resources | Name | Type | |------|------| -| [azurerm_firewall](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/firewall) | resource | -| [azurerm_firewall_policy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/firewall_policy) | resource | -| [azurerm_firewall_policy_rule_collection_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/firewall_policy_rule_collection_group) | resource | -| [azurerm_ip_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/ip_group) | resource | -| [azurerm_ip_group_cidr](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/ip_group_cidr) | resource | | [azurerm_virtual_hub](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_hub) | resource | | [azurerm_virtual_wan](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_wan) | resource | 
@@ -70,17 +55,14 @@ End-to-end testing is not conducted on these modules, as they are individual com | `vwan` | describes virtual wan configuration | object | yes | | `naming` | contains naming convention | string | yes | | `location` | default azure region and can be used if location is not specified inside the object | string | no | -| `resourcegroup` | default resource group and can be used if resourcegroup is not specified inside the object | string | no | +| `resource_group` | default resource group and can be used if resourcegroup is not specified inside the object | string | no | ## Outputs | Name | Description | | :-- | :-- | | `vwan` | contains virtual wan configuration | -| `policy` | contains firewall policy configuration | -| `vhub` | contains virtual hub configuration | -| `firewall` | contains firewall configuration | -| `firewall_public_ip_addresses` | list of public ip addresses associated with the firewall | +| `vhubs` | contains virtual hub configuration | ## Testing diff --git a/examples/collection-rule-groups/README.md b/examples/collection-rule-groups/README.md deleted file mode 100644 index 89ff7ec..0000000 --- a/examples/collection-rule-groups/README.md +++ /dev/null 
@@ -1,122 +0,0 @@ -This example demonstrates managing collection groups within secure virtual hubs. - -## Usage - -```hcl -module "vwan" { - source = "cloudnationhq/vwan/azure" - version = "~> 0.11" - - naming = local.naming - location = module.rg.groups.demo.location - resourcegroup = module.rg.groups.demo.name - - vwan = { - vhubs = { - westeurope = { - name = module.naming.virtual_hub.name - resourcegroup = module.rg.groups.demo.name - location = "westeurope" - address_prefix = "10.0.0.0/23" - policy = { - name = module.naming.firewall_policy.name - location = "westeurope" - } - } - } - } -} -``` - -```hcl -module "collection_rule_groups" { - source = "cloudnationhq/vwan/azure//modules/collection-rule-groups" - version = "~> 0.1" - - naming = local.naming - groups = local.collection_rule_groups - - resourcegroup = module.rg.groups.demo.name - location = module.rg.groups.demo.location -} -``` - -The local below is utilized to store config, - -```hcl -locals { - collection_rule_groups = { - default = { - priority = 1000 - firewall_policy_id = module.vwan.policy.westeurope.id - network_rule_collections = { - netw_rules = { - name = "netwrules" - priority = 7000 - action = "Allow" - rules = { - rule1 = { - protocols = ["TCP"] - destination_ports = ["*"] - destination_addresses = ["10.0.1.0/8"] - source_addresses = ["10.0.0.0/8"] - } - rule2 = { - protocols = ["TCP"] - destination_ports = ["*"] - destination_addresses = ["12.0.1.0/8"] - source_addresses = ["12.0.0.0/8"] - } - } - } - } - application_rule_collections = { - app_rules = { - name = "apprules" - priority = 6000 - action = "Deny" - rules = { - rule1 = { - source_addresses = ["10.0.0.1"] - destination_fqdns = ["*.microsoft.com"] - protocols = [ - { - type = "Https" - port = 443 - } - ] - } - rule2 = { - source_addresses = ["10.0.0.1"] - destination_fqdns = ["*.bing.com"] - protocols = [ - { - type = "Https" - port = 443 - } - ] - } - } - } - } - nat_rule_collections = { - nat_rules = { - name = "natrules" - 
priority = 8000 - action = "Dnat" - rules = { - rule1 = { - source_addresses = ["145.23.23.23", "10.0.0.0/8"] - destination_ports = ["4430"] - destination_address = module.vwan.firewall_public_ip_addresses.public_ip_addresses[0] - translated_port = "443" - translated_address = "10.0.0.10" - protocols = ["TCP"] - } - } - } - } - } - } -} -``` diff --git a/examples/collection-rule-groups/locals.tf b/examples/collection-rule-groups/locals.tf deleted file mode 100644 index bf2fe45..0000000 --- a/examples/collection-rule-groups/locals.tf +++ /dev/null 
@@ -1,84 +0,0 @@ -locals { - naming = { - # lookup outputs to have consistent naming - for type in local.naming_types : type => lookup(module.naming, type).name - } - - naming_types = ["virtual_wan", "firewall", "firewall_policy", "ip_group"] -} - -locals { - collection_rule_groups = { - default = { - priority = 1000 - firewall_policy_id = module.vwan.policy.westeurope.id - network_rule_collections = { - netw_rules = { - name = "netwrules" - priority = 7000 - action = "Allow" - rules = { - rule1 = { - protocols = ["TCP"] - destination_ports = ["*"] - destination_addresses = ["10.0.1.0/8"] - source_addresses = ["10.0.0.0/8"] - } - rule2 = { - protocols = ["TCP"] - destination_ports = ["*"] - destination_addresses = ["12.0.1.0/8"] - source_addresses = ["12.0.0.0/8"] - } - } - } - } - application_rule_collections = { - app_rules = { - name = "apprules" - priority = 6000 - action = "Deny" - rules = { - rule1 = { - source_addresses = ["10.0.0.1"] - destination_fqdns = ["*.microsoft.com"] - protocols = [ - { - type = "Https" - port = 443 - } - ] - } - rule2 = { - source_addresses = ["10.0.0.1"] - destination_fqdns = ["*.bing.com"] - protocols = [ - { - type = "Https" - port = 443 - } - ] - } - } - } - } - nat_rule_collections = { - nat_rules = { - name = "natrules" - priority = 8000 - action = "Dnat" - rules = { - rule1 = { - source_addresses = ["145.23.23.23", "10.0.0.0/8"] - destination_ports = ["4430"] - destination_address = module.vwan.firewall_public_ip_addresses.public_ip_addresses[0] - translated_port = "443" - translated_address = "10.0.0.10" - protocols = ["TCP"] - } - } - } - } - } - } -} diff --git a/examples/collection-rule-groups/main.tf b/examples/collection-rule-groups/main.tf deleted file mode 100644 index 97f6eb9..0000000 --- a/examples/collection-rule-groups/main.tf +++ /dev/null 
@@ -1,53 +0,0 @@ -module "naming" { - source = "cloudnationhq/naming/azure" - version = "~> 0.1" - - suffix = ["demo", "dev"] -} - -module "rg" { - source = "cloudnationhq/rg/azure" - version = "~> 0.1" - - groups = { - demo = { - name = module.naming.resource_group.name - region = "westeurope" - } - } -} - -module "vwan" { - source = "cloudnationhq/vwan/azure" - version = "~> 0.1" - - naming = local.naming - location = module.rg.groups.demo.location - resourcegroup = module.rg.groups.demo.name - - vwan = { - vhubs = { - westeurope = { - name = module.naming.virtual_hub.name - resourcegroup = module.rg.groups.demo.name - location = "westeurope" - address_prefix = "10.0.0.0/23" - policy = { - name = module.naming.firewall_policy.name - location = "westeurope" - } - } - } - } -} - -module "collection_rule_groups" { - source = "cloudnationhq/vwan/azure//modules/collection-rule-groups" - version = "~> 0.1" - - naming = local.naming - groups = local.collection_rule_groups - - resourcegroup = module.rg.groups.demo.name - location = module.rg.groups.demo.location -} diff --git a/examples/collection-rule-groups/terraform.tf b/examples/collection-rule-groups/terraform.tf deleted file mode 100644 index 9867469..0000000 --- a/examples/collection-rule-groups/terraform.tf +++ /dev/null @@ -1,14 +0,0 @@ -terraform { - required_version = "~> 1.0" - - required_providers { - azurerm = { - source = "hashicorp/azurerm" - version = "~> 3.61" - } - } -} - -provider "azurerm" { - features {} -} diff --git a/examples/default/README.md b/examples/default/README.md index c0f7fb4..efe94cb 100644 --- a/examples/default/README.md +++ b/examples/default/README.md 
@@ -1,20 +1,15 @@ -This example illustrates the defaul tvirtual wan setup, in its simplest form. +# Default -## Usage +This example illustrates the default setup, in its simplest form. -```hcl -module "vwan" { - source = "cloudnationhq/vwan/azure" - version = "~> 0.11" - - naming = local.naming +## Types - resourcegroup = module.rg.groups.demo.name - location = module.rg.groups.demo.location - - vwan = { - allow_branch_to_branch_traffic = true - disable_vpn_encryption = false - } -} +```hcl +vwan = object({ + name = string + resource_group = string + location = string + allow_branch_to_branch_traffic = optional(bool) + disable_vpn_encryption = optional(bool) +}) ``` diff --git a/examples/default/main.tf b/examples/default/main.tf index ef9781d..0dd704c 100644 --- a/examples/default/main.tf +++ b/examples/default/main.tf @@ -7,26 +7,24 @@ module "naming" { module "rg" { source = "cloudnationhq/rg/azure" - version = "~> 0.1" + version = "~> 1.0" groups = { demo = { - name = module.naming.resource_group.name - region = "northeurope" + name = module.naming.resource_group.name + location = "westeurope" } } } module "vwan" { source = "cloudnationhq/vwan/azure" - version = "~> 0.1" - - naming = local.naming - - resourcegroup = module.rg.groups.demo.name - location = module.rg.groups.demo.location + version = "~> 1.0" vwan = { + name = module.naming.virtual_wan.name + resource_group = module.rg.groups.demo.name + location = module.rg.groups.demo.location allow_branch_to_branch_traffic = true disable_vpn_encryption = false } diff --git a/examples/intrustion-detection/README.md b/examples/intrustion-detection/README.md deleted file mode 100644 index 56670d7..0000000 --- a/examples/intrustion-detection/README.md +++ /dev/null 
@@ -1,65 +0,0 @@ -This example highlights intrusion detection within secure virtual hubs. - -## Usage - -```hcl -module "vwan" { - source = "cloudnationhq/vwan/azure" - version = "~> 0.11" - - naming = local.naming - location = module.rg.groups.demo.location - resourcegroup = module.rg.groups.demo.name - - vwan = { - allow_branch_to_branch_traffic = true - disable_vpn_encryption = false - - vhubs = local.vhubs - } -} -``` - -The local below is utilized to store config, - -```hcl -locals { - vhubs = { - northeurope = { - resourcegroup = module.rg.groups.demo.name - location = "northeurope" - address_prefix = "10.0.0.0/23" - firewall_tier = "Premium" - policy = { - location = "northeurope" - sku = "Premium" - intrusion_detection = { - mode = "Alert" - traffic_bypass = { - bypass1 = { - protocol = "TCP" - description = "bypass1" - source_addresses = ["10.0.1.0"] - destination_addresses = ["10.1.0.0"] - destination_ports = ["*"] - } - bypass2 = { - protocol = "TCP" - description = "bypass2" - source_addresses = ["10.0.2.0"] - destination_addresses = ["10.2.0.0"] - destination_ports = ["*"] - } - } - signature_overrides = { - or1 = { - id = "948321945312" - state = "Alert" - } - } - } - } - } - } -} -``` diff --git a/examples/intrustion-detection/locals.tf b/examples/intrustion-detection/locals.tf deleted file mode 100644 index c7c992a..0000000 --- a/examples/intrustion-detection/locals.tf +++ /dev/null 
@@ -1,48 +0,0 @@ -locals { - naming = { - # lookup outputs to have consistent naming - for type in local.naming_types : type => lookup(module.naming, type).name - } - - naming_types = ["virtual_wan", "firewall", "firewall_policy", "virtual_hub"] -} - -locals { - vhubs = { - northeurope = { - resourcegroup = module.rg.groups.demo.name - location = "northeurope" - address_prefix = "10.0.0.0/23" - firewall_tier = "Premium" - policy = { - location = "northeurope" - sku = "Premium" - intrusion_detection = { - mode = "Alert" - traffic_bypass = { - bypass1 = { - protocol = "TCP" - description = "bypass1" - source_addresses = ["10.0.1.0"] - destination_addresses = ["10.1.0.0"] - destination_ports = ["*"] - } - bypass2 = { - protocol = "TCP" - description = "bypass2" - source_addresses = ["10.0.2.0"] - destination_addresses = ["10.2.0.0"] - destination_ports = ["*"] - } - } - signature_overrides = { - or1 = { - id = "948321945312" - state = "Alert" - } - } - } - } - } - } -} diff --git a/examples/intrustion-detection/main.tf b/examples/intrustion-detection/main.tf deleted file mode 100644 index 7debedd..0000000 --- a/examples/intrustion-detection/main.tf +++ /dev/null @@ -1,34 +0,0 @@ -module "naming" { - source = "cloudnationhq/naming/azure" - version = "~> 0.1" - - suffix = ["demo", "dev"] -} - -module "rg" { - source = "cloudnationhq/rg/azure" - version = "~> 0.1" - - groups = { - demo = { - name = module.naming.resource_group.name - region = "northeurope" - } - } -} - -module "vwan" { - source = "cloudnationhq/vwan/azure" - version = "~> 0.1" - - naming = local.naming - location = module.rg.groups.demo.location - resourcegroup = module.rg.groups.demo.name - - vwan = { - allow_branch_to_branch_traffic = true - disable_vpn_encryption = false - - vhubs = local.vhubs - } -} diff --git a/examples/intrustion-detection/terraform.tf b/examples/intrustion-detection/terraform.tf deleted file mode 100644 index 9867469..0000000 
--- a/examples/intrustion-detection/terraform.tf +++ /dev/null @@ -1,14 +0,0 @@ -terraform { - required_version = "~> 1.0" - - required_providers { - azurerm = { - source = "hashicorp/azurerm" - version = "~> 3.61" - } - } -} - -provider "azurerm" { - features {} -} diff --git a/examples/ip-groups/README.md b/examples/ip-groups/README.md deleted file mode 100644 index 36bad8a..0000000 --- a/examples/ip-groups/README.md +++ /dev/null 
@@ -1,134 +0,0 @@ -This example highlights the seamless integration of IP groups and collection rule groups using firewall policy inheritence. - -## Usage - -```hcl -module "vwan" { - source = "cloudnationhq/vwan/azure" - version = "~> 0.11" - - naming = local.naming - location = module.rg.groups.demo.location - resourcegroup = module.rg.groups.demo.name - - vwan = { - vhubs = { - westeurope = { - name = module.naming.virtual_hub.name - resourcegroup = module.rg.groups.demo.name - location = "westeurope" - address_prefix = "10.0.0.0/23" - policy = { - base_policy_id = module.fwpolicy.policy.parent.id - } - } - } - } -} -``` - -```hcl -module "collection_rule_groups" { - source = "cloudnationhq/vwan/azure//modules/collection-rule-groups" - version = "~> 0.1" - - naming = local.naming - groups = local.collection_rule_groups - - resourcegroup = module.rg.groups.demo.name - location = module.rg.groups.demo.location - - depends_on = [module.vwan, module.ip_groups] -} -``` - -```hcl -module "fwpolicy" { - source = "cloudnationhq/vwan/azure//modules/firewall-policy" - version = "~> 0.1" - - resourcegroup = module.rg.groups.demo.name - location = module.rg.groups.demo.location - - policy = { - parent = { - name = "fwp-demo-dev-parent" - } - } -} -``` - -```hcl -module "ip_groups" { - source = "cloudnationhq/vwan/azure//modules/ip-groups" - version = "~> 0.1" - - naming = local.naming - ip_groups = local.ip_groups - depends_on = [module.vwan] - - resourcegroup = module.rg.groups.demo.name - location = module.rg.groups.demo.location -} -``` - -The locals below are utilized to store config, - -```hcl -locals { - ip_groups = { - internal-networks = { - name = "ipg-internal-corporate-networks" - cidr = [ - "10.1.0.0/16", "172.20.0.0/16", "192.168.1.0/24", - "192.168.2.0/24", "192.168.5.0/24", "10.2.0.0/16", - "10.3.0.0/16", "172.21.0.0/16", "172.22.0.0/16", - "10.4.0.0/16" - ] - } - remote-workers = { - name = "ipg-remote-workers-vpn" - cidr = [ - "10.200.0.0/16", 
"10.201.0.0/16", "10.202.0.0/16", - "10.203.0.0/16", "10.204.0.0/16", "10.205.0.0/16", - "10.206.0.0/16", "10.207.0.0/16", "10.208.0.0/16", - "10.209.0.0/16" - ] - } - } -} -``` - -```hcl -locals { - collection_rule_groups = { - default = { - name = "EnhancedSecurityRuleCollectionGroup" - priority = 200 - firewall_policy_id = module.fwpolicy.policy.parent.id - network_rule_collections = { - CorporateWebAccessRules = { - priority = 100 - action = "Allow" - rules = { - allowHttpHttps = { - name = "AllowHTTPandHTTPS" - protocols = ["TCP"] - destination_ports = ["80", "443"] - source_ip_groups = [module.ip_groups.groups.internal-networks.id] - destination_addresses = ["*"] - } - allowVpnAccess = { - name = "AllowVPNAccess" - protocols = ["UDP"] - destination_ports = ["1194", "500", "4500"] - source_ip_groups = [module.ip_groups.groups.remote-workers.id] - destination_addresses = ["*"] - } - } - } - } - } - } -} -``` diff --git a/examples/ip-groups/ipgroups.tf b/examples/ip-groups/ipgroups.tf deleted file mode 100644 index bcbf34d..0000000 --- a/examples/ip-groups/ipgroups.tf +++ /dev/null 
@@ -1,76 +0,0 @@ -locals { - ip_groups = { - internal-networks = { - name = "ipg-internal-corporate-networks" - cidr = [ - "10.1.0.0/16", "172.20.0.0/16", "192.168.1.0/24", - "192.168.2.0/24", "192.168.5.0/24", "10.2.0.0/16", - "10.3.0.0/16", "172.21.0.0/16", "172.22.0.0/16", - "10.4.0.0/16" - ] - } - remote-workers = { - name = "ipg-remote-workers-vpn" - cidr = [ - "10.200.0.0/16", "10.201.0.0/16", "10.202.0.0/16", - "10.203.0.0/16", "10.204.0.0/16", "10.205.0.0/16", - "10.206.0.0/16", "10.207.0.0/16", "10.208.0.0/16", - "10.209.0.0/16" - ] - } - email-server = { - name = "ipg-corporate-email-server" - cidr = [ - "192.168.100.10/32", "192.168.100.11/32" - ] - } - tor-exit-nodes = { - name = "ipg-denied-tor-exit-nodes" - cidr = [ - "85.93.0.0/16", "93.115.95.0/24", "109.105.109.0/24", - "109.163.234.0/24", "176.10.99.0/24", "192.42.116.0/24", - "193.23.244.0/24", "193.90.12.0/24", "194.109.206.0/24", - "195.154.168.0/24" - ] - } - known-malicious = { - name = "ipg-denied-known-malicious-ips" - cidr = [ - "103.27.124.0/24", "103.76.180.0/24", "104.248.0.0/16", - "108.62.0.0/15", "109.201.133.0/24", "109.236.91.0/24", - "128.14.134.0/24", "149.56.0.0/16", "151.80.0.0/16", - "176.31.0.0/16" - ] - } - site-a = { - name = "ipg-site-a-network" - cidr = [ - "10.10.0.0/16" - ] - } - site-b = { - name = "ipg-site-b-network" - cidr = [ - "10.20.0.0/16" - ] - } - all-sites = { - name = "ipg-all-sites-network" - cidr = [ - "10.10.0.0/16", "10.20.0.0/16", "10.30.0.0/16" - ] - } - backup-services = { - name = "ipg-backup-services" - cidr = [ - "172.28.30.0/24", "172.28.31.0/24" - ] - } - rfc1918 = { - name = "ipg-rfc1918-private-addresses" - cidr = [ - "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" - ] - } - } -} diff --git a/examples/ip-groups/main.tf b/examples/ip-groups/main.tf deleted file mode 100644 index 3f3a211..0000000 --- a/examples/ip-groups/main.tf +++ /dev/null 
@@ -1,80 +0,0 @@ -module "naming" { - source = "cloudnationhq/naming/azure" - version = "~> 0.1" - - suffix = ["demo", "dev"] -} - -module "rg" { - source = "cloudnationhq/rg/azure" - version = "~> 0.1" - - groups = { - demo = { - name = module.naming.resource_group.name - region = "westeurope" - } - } -} - -module "vwan" { - source = "cloudnationhq/vwan/azure" - version = "~> 0.1" - - naming = local.naming - location = module.rg.groups.demo.location - resourcegroup = module.rg.groups.demo.name - - vwan = { - vhubs = { - westeurope = { - name = module.naming.virtual_hub.name - resourcegroup = module.rg.groups.demo.name - location = "westeurope" - address_prefix = "10.0.0.0/23" - policy = { - base_policy_id = module.fwpolicy.policy.parent.id - } - } - } - } -} - -module "collection_rule_groups" { - source = "cloudnationhq/vwan/azure//modules/collection-rule-groups" - version = "~> 0.1" - - naming = local.naming - groups = local.collection_rule_groups - - resourcegroup = module.rg.groups.demo.name - location = module.rg.groups.demo.location - - depends_on = [module.vwan, module.ip_groups] -} - -module "fwpolicy" { - source = "cloudnationhq/vwan/azure//modules/firewall-policy" - version = "~> 0.1" - - resourcegroup = module.rg.groups.demo.name - location = module.rg.groups.demo.location - - policy = { - parent = { - name = "fwp-demo-dev-parent" - } - } -} - -module "ip_groups" { - source = "cloudnationhq/vwan/azure//modules/ip-groups" - version = "~> 0.1" - - naming = local.naming - ip_groups = local.ip_groups - depends_on = [module.vwan] - - resourcegroup = module.rg.groups.demo.name - location = module.rg.groups.demo.location -} diff --git a/examples/ip-groups/rules.tf b/examples/ip-groups/rules.tf deleted file mode 100644 index ee4ec79..0000000 --- a/examples/ip-groups/rules.tf +++ /dev/null 
@@ -1,94 +0,0 @@ -locals { - naming = { - # lookup outputs to have consistent naming - for type in local.naming_types : type => lookup(module.naming, type).name - } - - naming_types = ["virtual_wan", "firewall", "firewall_policy", "ip_group"] -} - -locals { - collection_rule_groups = { - default = { - name = "EnhancedSecurityRuleCollectionGroup" - priority = 200 - firewall_policy_id = module.fwpolicy.policy.parent.id - network_rule_collections = { - CorporateWebAccessRules = { - priority = 100 - action = "Allow" - rules = { - allowHttpHttps = { - name = "AllowHTTPandHTTPS" - protocols = ["TCP"] - destination_ports = ["80", "443"] - source_ip_groups = [module.ip_groups.groups.internal-networks.id] - destination_addresses = ["*"] - } - allowVpnAccess = { - name = "AllowVPNAccess" - protocols = ["UDP"] - destination_ports = ["1194", "500", "4500"] - source_ip_groups = [module.ip_groups.groups.remote-workers.id] - destination_addresses = ["*"] - } - allowCorporateEmail = { - name = "AllowCorporateEmail" - protocols = ["TCP"] - destination_ports = ["993", "587"] - destination_ip_groups = [module.ip_groups.groups.email-server.id] - source_addresses = ["*"] - } - allowRemoteDesktop = { - name = "AllowRemoteDesktop" - protocols = ["TCP"] - destination_ports = ["3389"] - source_ip_groups = [module.ip_groups.groups.remote-workers.id] - destination_addresses = ["*"] - } - } - } - RestrictedAccessRules = { - priority = 150 - action = "Deny" - rules = { - denyTorExitNodes = { - name = "DenyTorExitNodes" - protocols = ["Any"] - destination_ports = ["*"] - source_ip_groups = [module.ip_groups.groups.tor-exit-nodes.id] - destination_addresses = ["*"] - } - denyKnownMalicious = { - name = "DenyKnownMaliciousIPs" - protocols = ["Any"] - destination_ports = ["*"] - source_ip_groups = [module.ip_groups.groups.known-malicious.id] - destination_addresses = ["*"] - } - } - } - InterSiteTrafficRules = { - priority = 250 - action = "Allow" - rules = { - allowSiteToSite = { - name = 
"AllowSiteToSite" - protocols = ["TCP", "UDP"] - destination_ports = ["*"] - source_ip_groups = [module.ip_groups.groups.site-a.id] - destination_ip_groups = [module.ip_groups.groups.site-b.id] - } - allowBackupServices = { - name = "AllowBackupServices" - protocols = ["TCP"] - destination_ports = ["443"] - source_ip_groups = [module.ip_groups.groups.all-sites.id] - destination_ip_groups = [module.ip_groups.groups.backup-services.id] - } - } - } - } - } - } -} diff --git a/examples/ip-groups/terraform.tf b/examples/ip-groups/terraform.tf deleted file mode 100644 index 9867469..0000000 --- a/examples/ip-groups/terraform.tf +++ /dev/null @@ -1,14 +0,0 @@ -terraform { - required_version = "~> 1.0" - - required_providers { - azurerm = { - source = "hashicorp/azurerm" - version = "~> 3.61" - } - } -} - -provider "azurerm" { - features {} -} diff --git a/examples/policy-inheritance/README.md b/examples/policy-inheritance/README.md deleted file mode 100644 index 5116ca2..0000000 --- a/examples/policy-inheritance/README.md +++ /dev/null 
@@ -1,90 +0,0 @@ -This example illustrates firewall policy inheritance using multiple secure vhubs in different regions. - -## Usage - -```hcl -module "vwan" { - source = "cloudnationhq/vwan/azure" - version = "~> 0.11" - - naming = local.naming - location = module.rg.groups.demo.location - resourcegroup = module.rg.groups.demo.name - - vwan = { - vhubs = { - northeurope = { - name = module.naming.virtual_hub.name - resourcegroup = module.rg.groups.demo.name - location = "northeurope" - address_prefix = "10.0.0.0/23" - policy = { - base_policy_id = module.fwp_inheritance.policy.base.id - } - } - } - } -} -``` - -```hcl -module "collection_rule_groups" { - source = "cloudnationhq/vwan/azure//modules/collection-rule-groups" - version = "~> 0.1" - - naming = local.naming - groups = local.collection_rule_groups - resourcegroup = module.rg.groups.demo.name - location = module.rg.groups.demo.location -} -``` - -```hcl -module "fwp_inheritance" { - source = "cloudnationhq/vwan/azure//modules/firewall-policy" - version = "~> 0.1" - - resourcegroup = module.rg.groups.demo.name - location = module.rg.groups.demo.location - - policy = { - base = { - name = "fwp-demo-dev-base" - } - } -} -``` - -The local below is utilized to store config, - -```hcl -locals { - collection_rule_groups = { - default = { - priority = 50000 - firewall_policy_id = module.fwp_inheritance.policy.base.id - network_rule_collections = [ - { - key = "netw_rules" - priority = 60000 - action = "Allow" - rules = { - rule1 = { - protocols = ["TCP"] - destination_ports = ["*"] - destination_addresses = ["10.1.0.0/16"] - source_addresses = ["10.0.0.0/8"] - } - rule2 = { - protocols = ["TCP"] - destination_ports = ["*"] - destination_addresses = ["12.0.1.0/8"] - source_addresses = ["12.0.0.0/8"] - } - } - } - ] - } - } -} -``` diff --git a/examples/policy-inheritance/locals.tf b/examples/policy-inheritance/locals.tf deleted file mode 100644 index 1752d93..0000000 
--- a/examples/policy-inheritance/locals.tf +++ /dev/null @@ -1,32 +0,0 @@ -locals { - naming = { - # lookup outputs to have consistent naming - for type in local.naming_types : type => lookup(module.naming, type).name - } - - naming_types = ["virtual_wan", "firewall", "firewall_policy"] -} - -locals { - collection_rule_groups = { - default = { - priority = 1000 - firewall_policy_id = module.fwpolicy.policy.parent.id - network_rule_collections = { - netw_rules = { - name = "netwrules" - priority = 7000 - action = "Allow" - rules = { - rule1 = { - protocols = ["TCP"] - destination_ports = ["*"] - destination_addresses = ["10.0.1.0/8"] - source_addresses = ["10.0.0.0/8"] - } - } - } - } - } - } -} diff --git a/examples/policy-inheritance/main.tf b/examples/policy-inheritance/main.tf deleted file mode 100644 index a43f115..0000000 --- a/examples/policy-inheritance/main.tf +++ /dev/null 
@@ -1,65 +0,0 @@ -module "naming" { - source = "cloudnationhq/naming/azure" - version = "~> 0.1" - - suffix = ["demo", "dev"] -} - -module "rg" { - source = "cloudnationhq/rg/azure" - version = "~> 0.1" - - groups = { - demo = { - name = module.naming.resource_group.name - region = "westeurope" - } - } -} - -module "vwan" { - source = "cloudnationhq/vwan/azure" - version = "~> 0.1" - - naming = local.naming - location = module.rg.groups.demo.location - resourcegroup = module.rg.groups.demo.name - - vwan = { - vhubs = { - westeurope = { - name = module.naming.virtual_hub.name - resourcegroup = module.rg.groups.demo.name - location = "westeurope" - address_prefix = "10.0.0.0/23" - policy = { - base_policy_id = module.fwpolicy.policy.parent.id - } - } - } - } -} - -module "collection_rule_groups" { - source = "cloudnationhq/vwan/azure//modules/collection-rule-groups" - version = "~> 0.1" - - naming = local.naming - groups = local.collection_rule_groups - resourcegroup = module.rg.groups.demo.name - location = module.rg.groups.demo.location -} - -module "fwpolicy" { - source = "cloudnationhq/vwan/azure//modules/firewall-policy" - version = "~> 0.1" - - resourcegroup = module.rg.groups.demo.name - location = module.rg.groups.demo.location - - policy = { - parent = { - name = "fwp-demo-dev-parent" - } - } -} diff --git a/examples/policy-inheritance/terraform.tf b/examples/policy-inheritance/terraform.tf deleted file mode 100644 index 9867469..0000000 --- a/examples/policy-inheritance/terraform.tf +++ /dev/null @@ -1,14 +0,0 @@ -terraform { - required_version = "~> 1.0" - - required_providers { - azurerm = { - source = "hashicorp/azurerm" - version = "~> 3.61" - } - } -} - -provider "azurerm" { - features {} -} diff --git a/examples/secure-vhubs/README.md b/examples/secure-vhubs/README.md index ee6bb2f..b125e5e 100644 --- a/examples/secure-vhubs/README.md +++ b/examples/secure-vhubs/README.md 
@@ -1,52 +1,19 @@ -This example illustrates configuring multiple secure virtual hubs with their associated policy. +# Secure Vhubs -## Usage +This deploys secure vhubs within a virtual wan. -```hcl -module "vwan" { - source = "cloudnationhq/vwan/azure" - version = "~> 0.11" - - naming = local.naming - location = module.rg.groups.demo.location - resourcegroup = module.rg.groups.demo.name - - vwan = { - allow_branch_to_branch_traffic = true - disable_vpn_encryption = false - - vhubs = local.vhubs - } -} -``` - -The local below is utilized to store config, +## Types ```hcl -locals { - vhubs = { - northeurope = { - resourcegroup = module.rg.groups.demo.name - location = "northeurope" - address_prefix = "10.0.0.0/23" - firewall_tier = "Premium" - policy = { - location = "northeurope" - dns = { - proxy_enabled = true - servers = ["7.7.7.7", "8.8.8.8"] - } - } - } - southcentralus = { - resourcegroup = module.rg.groups.demo.name - location = "southcentralus" - address_prefix = "11.0.0.0/23" - firewall_tier = "Premium" - policy = { - location = "northeurope" - } - } - } -} +vwan = object({ + name = string + allow_branch_to_branch_traffic = optional(bool) + disable_vpn_encryption = optional(bool) + vhubs = map(object({ + resource_group = string + location = string + address_prefix = optional(string) + sku = optional(string) + })) +}) ```
diff --git a/examples/secure-vhubs/firewalls.tf b/examples/secure-vhubs/firewalls.tf
new file mode 100644
index 0000000..759c8d8
--- /dev/null
+++ b/examples/secure-vhubs/firewalls.tf
@@ -0,0 +1,22 @@
+locals {
+ firewalls = {
+ weu = {
+ name = "fw-demo-dev-weu"
+ location = "westeurope"
+ sku_name = "AZFW_Hub"
+ sku_tier = "Standard"
+ virtual_hub = {
+ virtual_hub_id = module.vwan.vhubs.weu.id
+ }
+ }
+ eus = {
+ name = "fw-demo-dev-eus"
+ location = "eastus"
+ sku_name = "AZFW_Hub"
+ sku_tier = "Standard"
+ virtual_hub = {
+ virtual_hub_id = module.vwan.vhubs.eus.id
+ }
+ }
+ }
+}
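Review bot: The firewalls in the new `local.firewalls` map are bound to a hub but carry no firewall policy reference, whereas the root resources removed elsewhere in this patch used to create an `azurerm_firewall_policy` per hub and associate it, with `threat_intelligence_mode` defaulting to "Alert" and optional DNS proxy and intrusion detection settings. As far as this patch shows, neither the secure-vhubs example nor its rewritten README says where a policy now comes from, so a reader copying the example gets hub firewalls whose policy-level controls are simply not configured. If the `cloudnationhq/fw/azure` module accepts a policy id on `instance`, the example should set one per firewall; otherwise a README sentence such as `Firewall policies are no longer managed by this module; attach one to each firewall through the fw module.` would make the scope change explicit.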
diff --git a/examples/secure-vhubs/locals.tf b/examples/secure-vhubs/locals.tf deleted file mode 100644 index a5ddd31..0000000 --- a/examples/secure-vhubs/locals.tf +++ /dev/null @@ -1,35 +0,0 @@ -locals { - naming = { - # lookup outputs to have consistent naming - for type in local.naming_types : type => lookup(module.naming, type).name - } - - naming_types = ["virtual_wan", "firewall", "firewall_policy", "virtual_hub"] -} - -locals { - vhubs = { - northeurope = { - resourcegroup = module.rg.groups.demo.name - location = "northeurope" - address_prefix = "10.0.0.0/23" - firewall_tier = "Premium" - policy = { - location = "northeurope" - dns = { - proxy_enabled = true - servers = ["7.7.7.7", "8.8.8.8"] - } - } - } - southcentralus = { - resourcegroup = module.rg.groups.demo.name - location = "southcentralus" - address_prefix = "11.0.0.0/23" - firewall_tier = "Premium" - policy = { - location = "northeurope" - } - } - } -} diff --git a/examples/secure-vhubs/main.tf b/examples/secure-vhubs/main.tf index 7debedd..70b4aa7 100644 --- a/examples/secure-vhubs/main.tf +++ b/examples/secure-vhubs/main.tf 
@@ -7,28 +7,38 @@ module "naming" {
 
 module "rg" {
 source = "cloudnationhq/rg/azure"
- version = "~> 0.1"
+ version = "~> 1.0"
 
 groups = {
 demo = {
- name = module.naming.resource_group.name
- region = "northeurope"
+ name = module.naming.resource_group.name_unique
+ location = "westeurope"
 }
 }
 }
 
 module "vwan" {
 source = "cloudnationhq/vwan/azure"
- version = "~> 0.1"
+ version = "~> 1.0"
 
- naming = local.naming
- location = module.rg.groups.demo.location
- resourcegroup = module.rg.groups.demo.name
+ naming = local.naming
+ location = module.rg.groups.demo.location
+ resource_group = module.rg.groups.demo.name
 
 vwan = {
+ name = module.naming.virtual_wan.name
+ vhubs = local.vhubs
 allow_branch_to_branch_traffic = true
 disable_vpn_encryption = false
-
- vhubs = local.vhubs
 }
 }
+
+module "firewall" {
+ source = "cloudnationhq/fw/azure"
+ version = "~> 1.0"
+
+ resource_group = module.rg.groups.demo.name
+ for_each = local.firewalls
+
+ instance = each.value
+}
diff --git a/examples/default/locals.tf b/examples/secure-vhubs/naming.tf
similarity index 82%
rename from examples/default/locals.tf
rename to examples/secure-vhubs/naming.tf
index e3a31d2..249ad30 100644
--- a/examples/default/locals.tf
+++ b/examples/secure-vhubs/naming.tf
@@ -4,5 +4,5 @@ locals {
 for type in local.naming_types : type => lookup(module.naming, type).name
 }
 
- naming_types = ["virtual_wan"]
+ naming_types = ["virtual_hub"]
 }
diff --git a/examples/secure-vhubs/vhubs.tf b/examples/secure-vhubs/vhubs.tf
new file mode 100644
index 0000000..ba40e53
--- /dev/null
+++ b/examples/secure-vhubs/vhubs.tf
@@ -0,0 +1,12 @@
+locals {
+ vhubs = {
+ weu = {
+ location = "westeurope"
+ address_prefix = "10.0.0.0/23"
+ }
+ eus = {
+ location = "eastus"
+ address_prefix = "10.1.0.0/23"
+ }
+ }
+}
diff --git a/locals.tf b/locals.tf
deleted file mode 100644
index 1743b9c..0000000
--- a/locals.tf
+++ /dev/null
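Review bot: The `vhubs` map in vhubs.tf gives each hub only `location` and `address_prefix`, while the README `## Types` block in this same patch declares `resource_group = string` and `location = string` as required per-hub attributes, so the example no longer conforms to its own documented type. The root main.tf hunk in this patch reads `resource_group` from `var.vwan` rather than from each hub entry, which suggests the README type, not the example, is what needs adjusting: move `resource_group = optional(string)` up to the `vwan` object, or drop it from the hub object. In `module "firewall"`, `for_each` sits below `resource_group`; Terraform convention places meta-arguments first, immediately after `source`/`version`, which also makes the per-instance nature of the block visible at a glance.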
@@ -1,50 +0,0 @@
-locals {
- firewalls = {
- for fw_key, fw in var.vwan.vhubs : fw_key => {
-
- name = try(fw.firewall_name, join("-", [var.naming.firewall, fw_key]))
- location = try(fw.location, var.location)
- resourcegroup = try(fw.resourcegroup, var.resourcegroup)
- tier = try(fw.firewall_tier, "Standard")
- sku = try(fw.firewall_sku, "AZFW_Hub")
- tags = try(fw.tags, {})
- public_ip_count = try(fw.firewall_public_ip_count, 1)
- associate_policy = try(fw.associate_policy, true)
- }
- }
-}
-
-locals {
- vhubs = {
- for vh_key, vh in var.vwan.vhubs : vh_key => {
-
- name = try(vh.name, join("-", [var.naming.virtual_hub, vh_key]))
- location = try(vh.location, var.location)
- resourcegroup = try(vh.resourcegroup, var.resourcegroup)
- address_prefix = vh.address_prefix
- sku = try(vh.sku, "Standard")
- hub_routing_preference = try(vh.hub_routing_preference, "ExpressRoute")
- tags = try(vh.tags, {})
- }
- }
-}
-
-locals {
- firewall_policies = {
- for fwp_key, fwp in var.vwan.vhubs : fwp_key => {
-
- name = try(fwp.policy.name, join("-", [var.naming.firewall_policy, fwp_key]))
- base_policy_id = try(fwp.policy.base_policy_id, null)
- location = try(fwp.policy.location, var.location)
- resourcegroup = try(fwp.resourcegroup, var.resourcegroup)
- dns = try(fwp.policy.dns, null)
- intrusion_detection = try(fwp.policy.intrusion_detection, null)
- tags = try(fwp.tags, {})
- private_ip_ranges = try(fwp.policy.private_ip_ranges, null)
- sku = try(fwp.policy.sku, "Standard")
- sql_redirect_allowed = try(fwp.policy.sql_redirect_allowed, null)
- threat_intelligence_mode = try(fwp.policy.threat_intelligence_mode, "Alert")
- auto_learn_private_ranges_enabled = try(fwp.policy.auto_learn_private_ranges_enabled, null)
- }
- }
-}
diff --git a/main.tf b/main.tf
index 10c0986..f5b7645 100644
--- a/main.tf
+++ b/main.tf
@@ -1,104 +1,27 @@
 # virtual wan
 resource "azurerm_virtual_wan" "vwan" {
- name = try(var.vwan.name, var.naming.virtual_wan)
- location = var.location
- resource_group_name = var.resourcegroup
- allow_branch_to_branch_traffic = try(var.vwan.allow_branch_to_branch_traffic, true)
- disable_vpn_encryption = try(var.vwan.disable_vpn_encryption, false)
- type = try(var.vwan.type, "Standard")
- tags = try(var.vwan.tags, {})
-
+ name = var.vwan.name
+ resource_group_name = coalesce(lookup(var.vwan, "resource_group", null), var.resource_group)
+ location = coalesce(lookup(var.vwan, "location", null), var.location)
+ allow_branch_to_branch_traffic = try(var.vwan.allow_branch_to_branch_traffic, true)
+ disable_vpn_encryption = try(var.vwan.disable_vpn_encryption, false)
+ type = try(var.vwan.type, "Standard")
 office365_local_breakout_category = try(var.vwan.office365_local_breakout_category, "None")
+ tags = try(var.vwan.tags, {})
 }
 
 # vhubs
 resource "azurerm_virtual_hub" "vhub" {
- for_each = local.vhubs
+ for_each = lookup(
+ var.vwan, "vhubs", {}
+ )
 
- name = each.value.name
- location = each.value.location
- resource_group_name = each.value.resourcegroup
+ name = try(each.value.name, join("-", [var.naming.virtual_hub, each.key]))
+ resource_group_name = coalesce(lookup(var.vwan, "resource_group", null), var.resource_group)
+ location = coalesce(lookup(var.vwan, "location", null), var.location)
 address_prefix = each.value.address_prefix
 virtual_wan_id = azurerm_virtual_wan.vwan.id
- sku = each.value.sku
- hub_routing_preference = each.value.hub_routing_preference
- tags = each.value.tags
-}
-
-# firewalls
-resource "azurerm_firewall" "fw" {
- for_each = {
- for fw_key, fw in local.firewalls : fw_key => fw
- }
-
- name = each.value.name
- location = each.value.location
- resource_group_name = each.value.resourcegroup
- sku_tier = each.value.tier
- sku_name = each.value.sku
- tags = each.value.tags
- firewall_policy_id = each.value.associate_policy ? 
azurerm_firewall_policy.fwp[each.key].id : null
-
- virtual_hub {
- virtual_hub_id = azurerm_virtual_hub.vhub[each.key].id
- public_ip_count = each.value.public_ip_count
- }
-}
-
-# firewall Policies
-resource "azurerm_firewall_policy" "fwp" {
- for_each = {
- for fwp_key, fwp in local.firewall_policies : fwp_key => fwp
- }
-
- name = each.value.name
- location = each.value.location
- resource_group_name = each.value.resourcegroup
- tags = each.value.tags
- base_policy_id = each.value.base_policy_id
- private_ip_ranges = each.value.private_ip_ranges
- sku = each.value.sku
- sql_redirect_allowed = each.value.sql_redirect_allowed
- threat_intelligence_mode = each.value.threat_intelligence_mode
- auto_learn_private_ranges_enabled = each.value.auto_learn_private_ranges_enabled
-
- dynamic "dns" {
- for_each = each.value.dns != null ? [each.value.dns] : []
-
- content {
- proxy_enabled = try(dns.value.proxy_enabled, false)
- servers = try(dns.value.servers, [])
- }
- }
-
- dynamic "intrusion_detection" {
- for_each = lookup(each.value, "intrusion_detection", null) != null ? 
[each.value.intrusion_detection] : []
-
- content {
- mode = intrusion_detection.value.mode
-
- dynamic "traffic_bypass" {
- for_each = lookup(intrusion_detection.value, "traffic_bypass", {})
-
- content {
- name = traffic_bypass.key
- protocol = traffic_bypass.value.protocol
- description = lookup(traffic_bypass.value, "description", null)
- destination_addresses = lookup(traffic_bypass.value, "destination_addresses", [])
- destination_ip_groups = lookup(traffic_bypass.value, "destination_ip_groups", [])
- destination_ports = lookup(traffic_bypass.value, "destination_ports", [])
- source_addresses = lookup(traffic_bypass.value, "source_addresses", [])
- source_ip_groups = lookup(traffic_bypass.value, "source_ip_groups", [])
- }
- }
- dynamic "signature_overrides" {
- for_each = lookup(intrusion_detection.value, "signature_overrides", {})
-
- content {
- id = signature_overrides.value.id
- state = signature_overrides.value.state
- }
- }
- }
- }
+ sku = try(each.value.sku, "Standard")
+ hub_routing_preference = try(each.value.hub_routing_preference, "ExpressRoute")
+ tags = try(each.value.tags, {})
 }
diff --git a/modules/collection-rule-groups/README.md b/modules/collection-rule-groups/README.md
deleted file mode 100644
index 066cac2..0000000
--- a/modules/collection-rule-groups/README.md
+++ /dev/null
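Review bot: In `azurerm_virtual_hub.vhub` the new `location` and `resource_group_name` lines read only `var.vwan` and the root variables, so a per-hub `location` or `resource_group` in `each.value` is silently ignored; the removed `local.vhubs` honored it with `try(vh.location, var.location)`, and the secure-vhubs example in this same patch still declares `eus` in eastus with an eastus firewall bound to that hub. With this hunk every hub is created in the wan's region, so the eastus firewall would reference a hub in westeurope, which presumably fails at apply time since a hub firewall must sit in its hub's region. Restore the per-hub override first in the chain: `resource_group_name = coalesce(lookup(each.value, "resource_group", null), lookup(var.vwan, "resource_group", null), var.resource_group)` and `location = coalesce(lookup(each.value, "location", null), lookup(var.vwan, "location", null), var.location)`. The hub's `name` line already follows this per-hub-first pattern, so the two attributes would then be consistent with it.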
@@ -1,34 +0,0 @@ -# Collection Rule Groups - -This submodule illustrates how to manage collection groups through the use of IP groups within secure virtual hubs. - -## Requirements - -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | ~> 1.0 | -| [azurerm](#requirement\_azurerm) | ~> 3.61 | - -## Providers - -| Name | Version | -|------|---------| -| [azurerm](#provider\_azurerm) | ~> 3.61 | - -## Resources - -| Name | Type | -|------|------| -| [azurerm_firewall_policy_rule_collection_group.group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/firewall_policy_rule_collection_group) | resource | -| [azurerm_ip_group.ipgroup](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/ip_group) | resource | -| [azurerm_ip_group_cidr.ipcidr](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/ip_group_cidr) | resource | - -## Inputs - -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [groups](#input\_groups) | contains all firewall policy rule collection groups config | `any` | n/a | yes | -| [ip\_groups](#input\_ip\_groups) | describes all ip groups | `map(any)` | `{}` | no | -| [location](#input\_location) | contains the region | `string` | `null` | no | -| [naming](#input\_naming) | contains naming convention | `map(string)` | `null` | no | -| [resourcegroup](#input\_resourcegroup) | contains the resourcegroup name | `string` | `null` | no | diff --git a/modules/collection-rule-groups/main.tf b/modules/collection-rule-groups/main.tf deleted file mode 100644 index a4a5894..0000000 --- a/modules/collection-rule-groups/main.tf +++ /dev/null 
@@ -1,98 +0,0 @@ -# collection groups -resource "azurerm_firewall_policy_rule_collection_group" "group" { - for_each = var.groups - - name = try(each.value.name, format("fwrcg-%s", each.key)) - firewall_policy_id = try(var.groups[each.key].firewall_policy_id, null) - priority = each.value.priority - - dynamic "network_rule_collection" { - for_each = contains(keys(each.value), "network_rule_collections") ? each.value.network_rule_collections : tomap({}) - - content { - name = try(network_rule_collection.name, network_rule_collection.key) - priority = network_rule_collection.value.priority - action = network_rule_collection.value.action - - dynamic "rule" { - for_each = network_rule_collection.value.rules - - content { - name = try(rule.value.name, rule.key) - description = try(rule.value.description, null) - protocols = rule.value.protocols - destination_ports = rule.value.destination_ports - destination_addresses = try(rule.value.destination_addresses, []) - destination_fqdns = try(rule.value.destination_fqdns, []) - source_addresses = try(rule.value.source_addresses, []) - source_ip_groups = try(rule.value.source_ip_groups, []) - destination_ip_groups = try(rule.value.destination_ip_groups, []) - } - } - } - } - - dynamic "application_rule_collection" { - for_each = contains(keys(each.value), "application_rule_collections") ? 
each.value.application_rule_collections : tomap({}) - - content { - name = try(application_rule_collection.name, application_rule_collection.key) - priority = application_rule_collection.value.priority - action = application_rule_collection.value.action - - dynamic "rule" { - for_each = application_rule_collection.value.rules - - - content { - name = try(rule.value.name, rule.key) - description = try(rule.value.description, null) - source_addresses = try(rule.value.source_addresses, null) - source_ip_groups = try(rule.value.source_ip_groups, null) - destination_addresses = try(rule.value.destination_addresses, null) - destination_urls = try(rule.value.destination_urls, null) - destination_fqdns = try(rule.value.destination_fqdns, null) - destination_fqdn_tags = try(rule.value.destination_fqdn_tags, null) - terminate_tls = try(rule.value.terminate_tls, null) - web_categories = try(rule.value.web_categories, null) - - dynamic "protocols" { - for_each = rule.value.protocols - - content { - type = protocols.value.type - port = protocols.value.port - } - } - } - } - } - } - - dynamic "nat_rule_collection" { - for_each = contains(keys(each.value), "nat_rule_collections") ? 
each.value.nat_rule_collections : tomap({}) - - content { - name = try(nat_rule_collection.name, nat_rule_collection.key) - priority = nat_rule_collection.value.priority - action = nat_rule_collection.value.action - - dynamic "rule" { - for_each = nat_rule_collection.value.rules - - content { - name = try(rule.value.name, rule.key) - description = try(rule.value.description, null) - protocols = rule.value.protocols - source_addresses = try(rule.value.source_addresses, null) - source_ip_groups = try(rule.value.source_ip_groups, null) - destination_address = try(rule.value.destination_address, null) - destination_ports = try(rule.value.destination_ports, null) - translated_address = try(rule.value.translated_address, null) - translated_fqdn = try(rule.value.translated_fqdn, null) - translated_port = try(rule.value.translated_port, null) - } - } - } - } -} diff --git a/modules/collection-rule-groups/terraform.tf b/modules/collection-rule-groups/terraform.tf deleted file mode 100644 index 6c1c905..0000000 --- a/modules/collection-rule-groups/terraform.tf +++ /dev/null @@ -1,10 +0,0 @@ -terraform { - required_version = "~> 1.0" - - required_providers { - azurerm = { - source = "hashicorp/azurerm" - version = "~> 3.61" - } - } -} diff --git a/modules/collection-rule-groups/variables.tf b/modules/collection-rule-groups/variables.tf deleted file mode 100644 index 8251dff..0000000 --- a/modules/collection-rule-groups/variables.tf +++ /dev/null @@ -1,22 +0,0 @@ -variable "groups" { - description = "contains all firewall policy rule collection groups config" - type = any -} - -variable "location" { - description = "contains the region" - type = string - default = null -} - -variable "resourcegroup" { - description = "contains the resourcegroup name" - type = string - default = null -} - -variable "naming" { - description = "contains naming convention" - type = map(string) - default = null -} 
diff --git a/modules/firewall-policy/README.md b/modules/firewall-policy/README.md deleted file mode 100644 index ca0606f..0000000 --- a/modules/firewall-policy/README.md +++ /dev/null @@ -1,36 +0,0 @@ -# Firewall Policy - -This submodule focuses on the effective management of firewall policies. - -## Requirements - -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | ~> 1.0 | -| [azurerm](#requirement\_azurerm) | ~> 3.61 | - -## Providers - -| Name | Version | -|------|---------| -| [azurerm](#provider\_azurerm) | ~> 3.61 | - -## Resources - -| Name | Type | -|------|------| -| [azurerm_firewall_policy.policy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/firewall_policy) | resource | - -## Inputs - -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [location](#input\_location) | contains the region | `string` | `null` | no | -| [policy](#input\_policy) | contains firewall policy configuration | `any` | n/a | yes | -| [resourcegroup](#input\_resourcegroup) | contains the resourcegroup name | `string` | `null` | no | - -## Outputs - -| Name | Description | -|------|-------------| -| [policy](#output\_policy) | contains all firewall policy configuration | diff --git a/modules/firewall-policy/main.tf b/modules/firewall-policy/main.tf deleted file mode 100644 index 07bd25e..0000000 --- a/modules/firewall-policy/main.tf +++ /dev/null 
@@ -1,64 +0,0 @@ -# firewall policy -resource "azurerm_firewall_policy" "policy" { - for_each = try(var.policy, {}) - - name = try(each.value.name, join("-", [var.naming.firewall_policy, each.key])) - location = var.location - resource_group_name = var.resourcegroup - tags = try(each.value.tags, {}) - private_ip_ranges = try(each.value.private_ip_ranges, null) - sku = try(each.value.sku, "Standard") - sql_redirect_allowed = try(each.value.sql_redirect_allowed, null) - threat_intelligence_mode = try(each.value.threat_intelligence_mode, "Alert") - auto_learn_private_ranges_enabled = try(each.value.auto_learn_private_ranges_enabled, null) - - dynamic "dns" { - for_each = lookup(each.value, "dns", null) != null ? [each.value.dns] : [] - - content { - proxy_enabled = try(dns.value.proxy_enabled, false) - servers = try(dns.value.servers, []) - } - } - - dynamic "intrusion_detection" { - for_each = lookup(each.value, "intrusion_detection", null) != null ? [each.value.intrusion_detection] : [] - - content { - mode = intrusion_detection.value.mode - - dynamic "traffic_bypass" { - for_each = lookup(intrusion_detection.value, "traffic_bypass", {}) - - content { - name = traffic_bypass.key - protocol = traffic_bypass.value.protocol - description = lookup(traffic_bypass.value, "description", null) - destination_addresses = lookup(traffic_bypass.value, "destination_addresses", []) - destination_ip_groups = lookup(traffic_bypass.value, "destination_ip_groups", []) - destination_ports = lookup(traffic_bypass.value, "destination_ports", []) - source_addresses = lookup(traffic_bypass.value, "source_addresses", []) - source_ip_groups = lookup(traffic_bypass.value, "source_ip_groups", []) - } - } - - dynamic "signature_overrides" { - for_each = lookup(intrusion_detection.value, "signature_overrides", {}) - - content { - id = signature_overrides.value.id - state = signature_overrides.value.state - } - } - - } - } - - dynamic "threat_intelligence_allowlist" { - for_each = 
try(each.value.threat_intelligence_allowlist != null ? [1] : [], []) - content { - fqdns = try(each.value.threat_intelligence_allowlist.fqdns, []) - ip_addresses = try(each.value.threat_intelligence_allowlist.ip_addresses, []) - } - } -} diff --git a/modules/firewall-policy/outputs.tf b/modules/firewall-policy/outputs.tf deleted file mode 100644 index fdf984b..0000000 --- a/modules/firewall-policy/outputs.tf +++ /dev/null @@ -1,6 +0,0 @@ -output "policy" { - description = "contains all firewall policy configuration" - value = { - for k, policy in azurerm_firewall_policy.policy : k => policy - } -} diff --git a/modules/firewall-policy/terraform.tf b/modules/firewall-policy/terraform.tf deleted file mode 100644 index 6c1c905..0000000 --- a/modules/firewall-policy/terraform.tf +++ /dev/null @@ -1,10 +0,0 @@ -terraform { - required_version = "~> 1.0" - - required_providers { - azurerm = { - source = "hashicorp/azurerm" - version = "~> 3.61" - } - } -} diff --git a/modules/firewall-policy/variables.tf b/modules/firewall-policy/variables.tf deleted file mode 100644 index 36ec360..0000000 --- a/modules/firewall-policy/variables.tf +++ /dev/null @@ -1,22 +0,0 @@ -variable "location" { - description = "contains the region" - type = string - default = null -} - -variable "resourcegroup" { - description = "contains the resourcegroup name" - type = string - default = null -} - -variable "policy" { - description = "contains firewall policy configuration" - type = any -} - -variable "naming" { - description = "contains naming convention" - type = map(string) - default = null -} diff --git a/modules/ip-groups/README.md b/modules/ip-groups/README.md deleted file mode 100644 index 50a1820..0000000 --- a/modules/ip-groups/README.md +++ /dev/null 
@@ -1,38 +0,0 @@ -# Ip Groups - -This submodule focuses on the effective management of ip groups. - -## Requirements - -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | ~> 1.0 | -| [azurerm](#requirement\_azurerm) | ~> 3.61 | - -## Providers - -| Name | Version | -|------|---------| -| [azurerm](#provider\_azurerm) | ~> 3.61 | - -## Resources - -| Name | Type | -|------|------| -| [azurerm_ip_group.ipgroup](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/ip_group) | resource | -| [azurerm_ip_group_cidr.ipcidr](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/ip_group_cidr) | resource | - -## Inputs - -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [ip\_groups](#input\_ip\_groups) | describes all ip groups | `map(any)` | `{}` | no | -| [location](#input\_location) | contains the region | `string` | `null` | no | -| [naming](#input\_naming) | contains naming convention | `map(string)` | `null` | no | -| [resourcegroup](#input\_resourcegroup) | contains the resourcegroup name | `string` | `null` | no | - -## Outputs - -| Name | Description | -|------|-------------| -| [groups](#output\_groups) | contains all ip groups configuration | diff --git a/modules/ip-groups/locals.tf b/modules/ip-groups/locals.tf deleted file mode 100644 index 9d01576..0000000 --- a/modules/ip-groups/locals.tf +++ /dev/null @@ -1,10 +0,0 @@ -locals { - flattened_ip_groups = merge([ - for group_name, group_values in try(var.ip_groups, {}) : { - for cidr in group_values.cidr : "${group_name}-${cidr}" => { - group = group_name - cidr = cidr - } - } - ]...) -} diff --git a/modules/ip-groups/main.tf b/modules/ip-groups/main.tf deleted file mode 100644 index ceed7c9..0000000 --- a/modules/ip-groups/main.tf +++ /dev/null 
@@ -1,21 +0,0 @@ -# ip groups -resource "azurerm_ip_group" "ipgroup" { - for_each = try(var.ip_groups, {}) - - name = try(each.value.name, join("-", [var.naming.ip_group, each.key])) - location = var.location - resource_group_name = var.resourcegroup - tags = try(each.value.tags, {}) - - lifecycle { - ignore_changes = [cidrs] - } -} - -# ip group cidrs -resource "azurerm_ip_group_cidr" "ipcidr" { - for_each = local.flattened_ip_groups - - ip_group_id = azurerm_ip_group.ipgroup[each.value.group].id - cidr = each.value.cidr -} diff --git a/modules/ip-groups/outputs.tf b/modules/ip-groups/outputs.tf deleted file mode 100644 index 4ac60a8..0000000 --- a/modules/ip-groups/outputs.tf +++ /dev/null @@ -1,6 +0,0 @@ -output "groups" { - description = "contains all ip groups configuration" - value = { - for k, ipgroup in azurerm_ip_group.ipgroup : k => ipgroup - } -} diff --git a/modules/ip-groups/terraform.tf b/modules/ip-groups/terraform.tf deleted file mode 100644 index 6c1c905..0000000 --- a/modules/ip-groups/terraform.tf +++ /dev/null @@ -1,10 +0,0 @@ -terraform { - required_version = "~> 1.0" - - required_providers { - azurerm = { - source = "hashicorp/azurerm" - version = "~> 3.61" - } - } -} diff --git a/modules/ip-groups/variables.tf b/modules/ip-groups/variables.tf deleted file mode 100644 index 3edb24c..0000000 --- a/modules/ip-groups/variables.tf +++ /dev/null @@ -1,23 +0,0 @@ -variable "ip_groups" { - description = "describes all ip groups" - type = map(any) - default = {} -} - -variable "location" { - description = "contains the region" - type = string - default = null -} - -variable "resourcegroup" { - description = "contains the resourcegroup name" - type = string - default = null -} - -variable "naming" { - description = "contains naming convention" - type = map(string) - default = null -} diff --git a/outputs.tf b/outputs.tf index 1966692..36e026e 100644 --- a/outputs.tf +++ b/outputs.tf 
@@ -1,31 +1,9 @@
-output "policy" {
- description = "contains firewall policy configuration"
- value = {
- for k, policy in azurerm_firewall_policy.fwp : k => policy
- }
-}
-
-output "firewall_public_ip_addresses" {
- description = "list of public ip addresses associated with the firewall"
- value = {
- public_ip_addresses = [
- for key, fw in azurerm_firewall.fw :
- fw.virtual_hub[0].public_ip_addresses[0]
- ]
- }
-}
-
-output "firewall" {
- description = "contains firewall configuration"
- value = azurerm_firewall.fw
+output "vwan" {
+ description = "contains virtual wan configuration"
+ value = azurerm_virtual_wan.vwan
 }
 
-output "vhub" {
+output "vhubs" {
 description = "contains virtual hub configuration"
 value = azurerm_virtual_hub.vhub
 }
-
-output "vwan" {
- description = "contains virtual wan configuration"
- value = azurerm_virtual_wan.vwan
-}
diff --git a/tests/go.mod b/tests/go.mod
index 0293fdb..3627adf 100644
--- a/tests/go.mod
+++ b/tests/go.mod
@@ -1,8 +1,8 @@
 module github.com/cloudnationhq/terraform-azure-vwan
 
-go 1.20
+go 1.23.1
 
-require github.com/gruntwork-io/terratest v0.47.0
+require github.com/gruntwork-io/terratest v0.47.1
 
 require (
 cloud.google.com/go v0.110.0 // indirect
@@ -23,7 +23,7 @@ require (
 github.com/googleapis/gax-go/v2 v2.7.1 // indirect
 github.com/hashicorp/errwrap v1.0.0 // indirect
 github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
- github.com/hashicorp/go-getter v1.7.5 // indirect
+ github.com/hashicorp/go-getter v1.7.6 // indirect
 github.com/hashicorp/go-multierror v1.1.0 // indirect
 github.com/hashicorp/go-safetemp v1.0.0 // indirect
 github.com/hashicorp/go-version v1.6.0 // indirect
diff --git a/tests/go.sum b/tests/go.sum
index 8117435..e5dd8d4 100644
--- a/tests/go.sum
+++ b/tests/go.sum
@@ -116,6 +116,7 @@ cloud.google.com/go/language v1.6.0/go.mod h1:6dJ8t3B+lUYfStgls25GusK04NLh3eDLQn cloud.google.com/go/lifesciences v0.5.0/go.mod h1:3oIKy8ycWGPUyZDR/8RNnTOYevhaMLqh5vLUXs9zvT8= cloud.google.com/go/lifesciences v0.6.0/go.mod h1:ddj6tSX/7BOnhxCSd3ZcETvtNr8NZ6t/iPhY2Tyfu08= cloud.google.com/go/longrunning v0.4.1 h1:v+yFJOfKC3yZdY6ZUI933pIYdhyhV8S3NpWrXWmg7jM= +cloud.google.com/go/longrunning v0.4.1/go.mod h1:4iWDqhBZ70CvZ6BfETbvam3T8FMvLK+eFj0E6AaRQTo= cloud.google.com/go/mediatranslation v0.5.0/go.mod h1:jGPUhGTybqsPQn91pNXw0xVHfuJ3leR1wj37oU3y1f4= cloud.google.com/go/mediatranslation v0.6.0/go.mod h1:hHdBCTYNigsBxshbznuIMFNe5QXEowAuNmmC7h8pu5w= cloud.google.com/go/memcache v1.4.0/go.mod h1:rTOfiGZtJX1AaFUrOgsMHX5kAzaTQ8azHiuDoTPzNsE= @@ -300,6 +301,7 @@ github.com/google/martian/v3 v3.0.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIG github.com/google/martian/v3 v3.1.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0= github.com/google/martian/v3 v3.2.1/go.mod h1:oBOf6HBosgwRXnUGWUB05QECsc6uvmMiJ3+6W4l/CUk= github.com/google/martian/v3 v3.3.2 h1:IqNFLAmvJOgVlpdEBiQbDc2EwKW77amAycfTuWKdfvw= +github.com/google/martian/v3 v3.3.2/go.mod h1:oBOf6HBosgwRXnUGWUB05QECsc6uvmMiJ3+6W4l/CUk= github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= github.com/google/pprof v0.0.0-20191218002539-d4f498aebedc/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= 
@@ -336,14 +338,14 @@ github.com/googleapis/gax-go/v2 v2.7.1 h1:gF4c0zjUP2H/s/hEGyLA3I0fA2ZWjzYiONAD6c github.com/googleapis/gax-go/v2 v2.7.1/go.mod h1:4orTrqY6hXxxaUL4LHIPl6lGo8vAE38/qKbhSAKP6QI= github.com/googleapis/go-type-adapters v1.0.0/go.mod h1:zHW75FOG2aur7gAO2B+MLby+cLsWGBF62rFAi7WjWO4= github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw= -github.com/gruntwork-io/terratest v0.47.0 h1:xIy1pT7NbGVlMLDZEHl3+3iSnvffh8tN2pL6idn448c= -github.com/gruntwork-io/terratest v0.47.0/go.mod h1:oywHw1cFKXSYvKPm27U7quZVzDUlA22H2xUrKCe26xM= +github.com/gruntwork-io/terratest v0.47.1 h1:qOaxnL7Su5+KpDHYUN/ek1jn8ImvCKtOkaY4OSMS4tI= +github.com/gruntwork-io/terratest v0.47.1/go.mod h1:LnYX8BN5WxUMpDr8rtD39oToSL4CBERWSCusbJ0d/64= github.com/hashicorp/errwrap v1.0.0 h1:hLrqtEDnRye3+sgx6z4qVLNuviH3MR5aQ0ykNJa/UYA= github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ= github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48= -github.com/hashicorp/go-getter v1.7.5 h1:dT58k9hQ/vbxNMwoI5+xFYAJuv6152UNvdHokfI5wE4= -github.com/hashicorp/go-getter v1.7.5/go.mod h1:W7TalhMmbPmsSMdNjD0ZskARur/9GJ17cfHTRtXV744= +github.com/hashicorp/go-getter v1.7.6 h1:5jHuM+aH373XNtXl9TNTUH5Qd69Trve11tHIrB+6yj4= +github.com/hashicorp/go-getter v1.7.6/go.mod h1:W7TalhMmbPmsSMdNjD0ZskARur/9GJ17cfHTRtXV744= github.com/hashicorp/go-multierror v1.1.0 h1:B9UzwGQJehnUY1yNrnwREHc3fGbC2xefo8g4TbElacI= github.com/hashicorp/go-multierror v1.1.0/go.mod h1:spPvp8C1qA32ftKqdAHm4hHTbPw+vmowP0z+KUhOZdA= github.com/hashicorp/go-safetemp v1.0.0 h1:2HR189eFNrjHQyENnQMMpCiBAsRxzbTMIgBhEyExpmo= 
@@ -653,6 +655,7 @@ golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9sn
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.18.0 h1:FcHjZXDMxI8mM3nwhX9HlKop4C0YQvCVCdwYl2wOtE8=
+golang.org/x/term v0.18.0/go.mod h1:ILwASektA3OnRv7amZ1xhE/KTR+u50pbXfZ03+6Nx58=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -954,6 +957,7 @@ gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.3/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
+gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
diff --git a/tests/shared/shared.go b/tests/shared/shared.go
deleted file mode 100644
index 4a038e7..0000000
--- a/tests/shared/shared.go
+++ /dev/null
@@ -1,49 +0,0 @@
-package shared
-
-import (
- "os"
- "path/filepath"
- "testing"
-
- "github.com/gruntwork-io/terratest/modules/terraform"
-)
-
-var filesToCleanup = []string{
- "*.terraform*",
- "*tfstate*",
-}
-
-type TestCase struct {
- Name string
- Path string
-}
-
-func GetTerraformOptions(terraformDir string) *terraform.Options {
- return &terraform.Options{
- TerraformDir: terraformDir,
- NoColor: true,
- Parallelism: 20,
- }
-}
-
-func Cleanup(t *testing.T, tfOpts *terraform.Options) {
- terraform.Destroy(t, tfOpts)
- CleanupFiles(t, tfOpts.TerraformDir)
-}
-
-func CleanupFiles(t *testing.T, dir string) {
- for _, pattern := range filesToCleanup {
- matches, err := filepath.Glob(filepath.Join(dir, pattern))
- if err != nil {
- t.Logf("Error: %v", err)
- continue
- }
- for _, filePath := range matches {
- if err := os.RemoveAll(filePath); err != nil {
- t.Logf("Failed to remove %s: %v\n", filePath, err)
- } else {
- t.Logf("Successfully removed %s\n", filePath)
- }
- }
- }
-}
diff --git a/tests/virtualwan_test.go b/tests/virtualwan_test.go
deleted file mode 100644
index c221e68..0000000
--- a/tests/virtualwan_test.go
+++ /dev/null
@@ -1,28 +0,0 @@
-package main
-
-import (
- "os"
- "testing"
-
- "github.com/cloudnationhq/terraform-azure-vwan/shared"
- "github.com/gruntwork-io/terratest/modules/terraform"
-)
-
-func TestApplyNoError(t *testing.T) {
- t.Parallel()
-
- tests := []shared.TestCase{
- {Name: os.Getenv("TF_PATH"), Path: "../examples/" + os.Getenv("TF_PATH")},
- }
-
- for _, test := range tests {
- t.Run(test.Name, func(t *testing.T) {
- terraformOptions := shared.GetTerraformOptions(test.Path)
-
- terraform.WithDefaultRetryableErrors(t, &terraform.Options{})
-
- defer shared.Cleanup(t, terraformOptions)
- terraform.InitAndApply(t, terraformOptions)
- })
- }
-}
diff --git a/tests/vwan_test.go b/tests/vwan_test.go
new file mode 100644
index 0000000..8a4d914
--- /dev/null
+++ b/tests/vwan_test.go
@@ -0,0 +1,72 @@
+package main
+
+import (
+ "os"
+ "path/filepath"
+ "testing"
+
+ "github.com/gruntwork-io/terratest/modules/terraform"
+)
+
+type TerraformModule struct {
+ Name string
+ Path string
+ Options *terraform.Options
+}
+
+func NewTerraformModule(name, path string) *TerraformModule {
+ return &TerraformModule{
+ Name: name,
+ Path: path,
+ Options: &terraform.Options{
+ TerraformDir: path,
+ NoColor: true,
+ },
+ }
+}
+
+func (m *TerraformModule) Apply(t *testing.T) {
+ t.Logf("Applying Terraform module: %s", m.Name)
+ terraform.WithDefaultRetryableErrors(t, m.Options)
+ terraform.InitAndApply(t, m.Options)
+}
+
+func (m *TerraformModule) Destroy(t *testing.T) {
+ t.Logf("Destroying Terraform module: %s", m.Name)
+ terraform.Destroy(t, m.Options)
+ m.cleanupFiles(t)
+}
+
+func (m *TerraformModule) cleanupFiles(t *testing.T) {
+ t.Logf("Cleaning up in: %s", m.Options.TerraformDir)
+ filesToCleanup := []string{"*.terraform*", "*tfstate*"}
+ for _, pattern := range filesToCleanup {
+ matches, err := filepath.Glob(filepath.Join(m.Options.TerraformDir, pattern))
+ if err != nil {
+ t.Errorf("Error matching pattern %s: %v", pattern, err)
+ continue
+ }
+ for _, filePath := range matches {
+ if err := os.RemoveAll(filePath); err != nil {
+ t.Errorf("Failed to remove %s: %v", filePath, err)
+ }
+ }
+ }
+}
+
+func TestApplyNoError(t *testing.T) {
+ t.Parallel()
+
+ example := os.Getenv("EXAMPLE")
+ if example == "" {
+ t.Fatal("EXAMPLE environment variable is not set")
+ }
+
+ modulePath := filepath.Join("..", "examples", example)
+ module := NewTerraformModule(example, modulePath)
+
+ t.Run(module.Name, func(t *testing.T) {
+ defer module.Destroy(t)
+ module.Apply(t)
+ })
+}
diff --git a/variables.tf b/variables.tf
index 9bd65bd..108064c 100644
--- a/variables.tf
+++ b/variables.tf
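Review bot: The retry configuration in `Apply` never takes effect, because `terraform.WithDefaultRetryableErrors` returns a cloned `*terraform.Options` with the retryable-error map and retry counts set rather than mutating its argument, so `terraform.InitAndApply(t, m.Options)` still runs with the plain options and any transient provider error fails the run outright; assign the result back, `m.Options = terraform.WithDefaultRetryableErrors(t, m.Options)`. The deleted virtualwan_test.go had the same discarded-return pattern, so the rewrite is the right moment to close it. Separately, the `EXAMPLE` value flows unchecked into `filepath.Join("..", "examples", example)`, and that directory is then both applied and swept with `os.RemoveAll` over the `*.terraform*` and `*tfstate*` globs in `cleanupFiles`, so a value containing a path separator or `..` would point the apply and the deletion outside the examples tree. A one-line guard after the empty check confines it to a single directory name: `if example == "." || example == ".." || example != filepath.Base(example) { t.Fatalf("EXAMPLE must be a plain directory name, got %q", example) }`. The `Parallelism: 20` that the removed shared.go set on the options is also dropped in `NewTerraformModule`, which may be intentional but deserves a comment on the options literal so the slower default is visibly chosen.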
@@ -15,7 +15,7 @@ variable "location" {
 default = null
 }
 
-variable "resourcegroup" {
+variable "resource_group" {
 description = "default resource group and can be used if resourcegroup is not specified inside the object."
 type = string
 default = null
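Review bot: The description on the renamed variable still reads "if resourcegroup is not specified inside the object", so the documentation now disagrees with the `resource_group` name the hunk introduces and with the property rename the commit message describes as the breaking change. If the per-object property was renamed alongside it, the string should follow: `description = "default resource group and can be used if resource_group is not specified inside the object."`. The closing brace of the variable block lies outside the hunk.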