Merge pull request #2 from Think-Cube/develop

Develop

.github/workflows/tfsec.yml

@@ -0,0 +1,27 @@
+name: tfsec
+on:
+  push:
+    branches: [ "main" ]
+  pull_request:
+    branches: [ "main" ]
+  schedule:
+    - cron: '31 16 * * 5'
+jobs:
+  tfsec:
+    name: Run tfsec sarif report
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    steps:
+      - name: Clone repo
+        uses: actions/checkout@v3
+      - name: Run tfsec
+        uses: aquasecurity/tfsec-sarif-action@9a83b5c3524f825c020e356335855741fd02745f
+        with:
+          sarif_file: tfsec.sarif
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: tfsec.sarif

LICENSE

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2022 Maciej Michalski
+Copyright (c) 2024 ThinkCube
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

README.md

@@ -0,0 +1,52 @@
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.6.4 |
+| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | 3.94.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | 3.94.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [azurerm_network_security_group.main](https://registry.terraform.io/providers/hashicorp/azurerm/3.94.0/docs/resources/network_security_group) | resource |
+| [azurerm_network_security_rule.main](https://registry.terraform.io/providers/hashicorp/azurerm/3.94.0/docs/resources/network_security_rule) | resource |
+| [azurerm_subnet_network_security_group_association.main](https://registry.terraform.io/providers/hashicorp/azurerm/3.94.0/docs/resources/subnet_network_security_group_association) | resource |
+| [azurerm_client_config.current](https://registry.terraform.io/providers/hashicorp/azurerm/3.94.0/docs/data-sources/client_config) | data source |
+| [azurerm_resource_group.main](https://registry.terraform.io/providers/hashicorp/azurerm/3.94.0/docs/data-sources/resource_group) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_associate_with_subnet"></a> [associate\_with\_subnet](#input\_associate\_with\_subnet) | Controls whether the Network Security Group should be associated with a subnet. When set to true, an association with the specified subnet is created; when set to false, no subnet association is established. | `bool` | `false` | no |
+| <a name="input_default_tags"></a> [default\_tags](#input\_default\_tags) | A mapping of tags to assign to the resource. | `map(any)` | <pre>{<br>  "ManagedByTerraform": "True"<br>}</pre> | no |
+| <a name="input_environment"></a> [environment](#input\_environment) | Variable that defines the name of the environment. | `string` | `"dev"` | no |
+| <a name="input_network_security_group_list"></a> [network\_security\_group\_list](#input\_network\_security\_group\_list) | List of security\_rule objects representing security rules, as defined below. | `map(any)` | <pre>{<br>  "AllowHTTPAndHTTPS": {<br>    "access": "Allow",<br>    "destination_address_prefix": "*",<br>    "destination_port_range": "80,443",<br>    "direction": "Inbound",<br>    "priority": "1001",<br>    "protocol": "Tcp",<br>    "source_address_prefix": "*",<br>    "source_port_range": "*"<br>  }<br>}</pre> | no |
+| <a name="input_network_security_group_name"></a> [network\_security\_group\_name](#input\_network\_security\_group\_name) | Specifies the name of the network security group. Changing this forces a new resource to be created. | `string` | n/a | yes |
+| <a name="input_region"></a> [region](#input\_region) | Region in which resources are deployed. | `string` | `"weu"` | no |
+| <a name="input_resource_group_location"></a> [resource\_group\_location](#input\_resource\_group\_location) | Specifies the supported Azure location where the resource exists. Changing this forces a new resource to be created. | `any` | n/a | yes |
+| <a name="input_resource_group_name"></a> [resource\_group\_name](#input\_resource\_group\_name) | The name of the resource group in which to create the network security group. Changing this forces a new resource to be created. | `any` | n/a | yes |
+| <a name="input_subnet_id"></a> [subnet\_id](#input\_subnet\_id) | The ID of the Subnet. Changing this forces a new resource to be created. | `string` | `""` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_network_security_group_id"></a> [network\_security\_group\_id](#output\_network\_security\_group\_id) | The ID of the NSG |
+| <a name="output_network_security_group_name"></a> [network\_security\_group\_name](#output\_network\_security\_group\_name) | The name of the NSG |
+| <a name="output_network_security_group_resource_group_name"></a> [network\_security\_group\_resource\_group\_name](#output\_network\_security\_group\_resource\_group\_name) | The name of the resource group the nsg is in |
+| <a name="output_network_security_group_rules"></a> [network\_security\_group\_rules](#output\_network\_security\_group\_rules) | List of network security rules |
+| <a name="output_network_security_group_subnet_association"></a> [network\_security\_group\_subnet\_association](#output\_network\_security\_group\_subnet\_association) | Information about the subnet association with the Network Security Group. |
+<!-- END_TF_DOCS -->

backend.tf

@@ -0,0 +1,9 @@
+terraform {
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = "3.94.0"
+    }
+  }
+  required_version = ">= 1.6.4"
+}

examples/network_security_group/README.md

@@ -0,0 +1,76 @@
+# Terraform Module: Azure Network Security Group
+
+This Terraform module provisions an Azure Network Security Group (NSG) with associated security rules. It provides flexibility in configuring security rules for inbound and outbound traffic.
+
+## Features
+
+* Create an Azure Network Security Group.
+* Define custom security rules for the NSG.
+* Optionally associate the NSG with a subnet.
+
+## Usage
+
+### Example
+
+```hcl
+provider "azurerm" {
+features {}
+}
+
+module "example_nsg" {
+  source  = "Think-Cube/network-security-group/azure"
+  version = "1.0.0"
+  resource_group_name = "test"
+  environment = "dev" 
+  region = "weu"
+  resource_group_location = "West Europe"
+  network_security_group_name = "test"
+  network_security_group_list = {
+    "AllowHTTPAndHTTPS" = {
+      priority                   = "1001"
+      direction                  = "Inbound"
+      access                     = "Allow"
+      protocol                   = "Tcp"
+      source_port_range          = "*"
+      destination_port_range     = "80,443"
+      source_address_prefix      = "*"
+      destination_address_prefix = "*"
+    }
+    # Add additional security rules as needed
+  }
+  associate_with_subnet = true
+  subnet_id             = "example-subnet-id"  
+  default_tags = {
+      Administrator     = "John Doe"
+      Department        = "IT"
+      CostCentre        = "CC123"
+      ContactPerson     = "Jane Smith"
+      ManagedByTerraform = "True"
+}
+}
+```
+
+### Variables
+
+* `environment`: Name of the environment (default: "dev").
+* `resource_group_name`: Name of the Azure Resource Group.
+* `network_security_group_name`: Name of the Network Security Group.
+* `network_security_group_list`: List of security rules.
+* `associate_with_subnet`: Controls subnet association.
+* `subnet_id`: ID of the subnet to associate with (if associate_with_subnet is set to true).
+
+### Outputs
+
+* `network_security_group_id`: ID of the NSG.
+* `network_security_group_name`: Name of the NSG.
+* `network_security_group_resource_group_name`: Name of the resource group containing the NSG.
+* `network_security_group_rules`: List of network security rules.
+* `network_security_group_subnet_association`: Subnet association information (if applicable).
+
+## License
+
+This project is licensed under the [MIT License](https://opensource.org/licenses/MIT).
+
+## Contribution
+
+Feel free to contribute by opening issues or pull requests. Your feedback and improvements are highly appreciated!

main.tf

@@ -0,0 +1,10 @@
+provider "azurerm" {
+
+  features {}
+}
+
+data "azurerm_client_config" "current" {}
+
+data "azurerm_resource_group" "main" {
+  name = var.resource_group_name
+}

network_security_group.tf

@@ -0,0 +1,29 @@
+resource "azurerm_network_security_group" "main" {
+  name                = "${var.environment}-${var.network_security_group_name}-${var.region}-nsg"
+  location            = data.azurerm_resource_group.rg.location
+  resource_group_name = data.azurerm_resource_group.rg.name
+  tags                = var.default_tags
+
+  timeouts {
+    create = "5m"
+    delete = "10m"
+  }
+}
+
+resource "azurerm_network_security_rule" "main" {
+  for_each = var.network_security_group_list
+
+  name                        = each.key
+  priority                    = each.value.priority
+  direction                   = each.value.direction
+  access                      = each.value.access
+  protocol                    = each.value.protocol
+  source_port_range           = each.value.source_port_range
+  destination_port_range      = each.value.destination_port_range
+  source_address_prefix       = each.value.source_address_prefix
+  destination_address_prefix  = each.value.destination_address_prefix
+  resource_group_name         = data.azurerm_resource_group.rg.name
+  network_security_group_name = azurerm_network_security_group.main.name
+
+  depends_on = [azurerm_network_security_group.main]
+}

network_security_group_association.tf

@@ -0,0 +1,12 @@
+resource "azurerm_subnet_network_security_group_association" "main" {
+  count                     = var.associate_with_subnet ? 1 : 0
+  subnet_id                 = var.subnet_id
+  network_security_group_id = azurerm_network_security_group.main.id
+
+  timeouts {
+    create = "5m"
+    delete = "10m"
+  }
+
+  depends_on = [azurerm_network_security_group.main]
+}

output.tf

@@ -0,0 +1,41 @@
+output "network_security_group_id" {
+  value       = azurerm_network_security_group.main.id
+  description = "The ID of the NSG"
+}
+
+output "network_security_group_name" {
+  value       = azurerm_network_security_group.main.name
+  description = "The name of the NSG"
+}
+
+output "network_security_group_resource_group_name" {
+  value       = azurerm_network_security_group.main.resource_group_name
+  description = "The name of the resource group the nsg is in"
+}
+
+output "network_security_group_rules" {
+  description = "List of network security rules"
+  value = {
+    for rule in var.network_security_group_list : rule.key => {
+      name                        = rule.key
+      priority                    = rule.priority
+      direction                   = rule.direction
+      access                      = rule.access
+      protocol                    = rule.protocol
+      source_port_range           = rule.source_port_range
+      destination_port_range      = rule.destination_port_range
+      source_address_prefix       = rule.source_address_prefix
+      destination_address_prefix  = rule.destination_address_prefix
+      resource_group_name         = data.azurerm_resource_group.rg.name
+      network_security_group_name = azurerm_network_security_group.main.name
+    }
+  }
+}
+
+output "network_security_group_subnet_association" {
+  description = "Information about the subnet association with the Network Security Group."
+  value = var.associate_with_subnet ? {
+    subnet_id                 = azurerm_subnet_network_security_group_association.main[0].subnet_id
+    network_security_group_id = azurerm_subnet_network_security_group_association.main[0].network_security_group_id
+  } : null
+}

variables.tf

@@ -0,0 +1,53 @@
+###########################
+# Common vars
+###########################
+variable "environment" {
+  description = "Variable that defines the name of the environment."
+  type        = string
+  default     = "dev"
+}
+variable "default_tags" {
+  description = "A mapping of tags to assign to the resource."
+  type        = map(any)
+  default = {
+    "ManagedByTerraform" = "True"
+  }
+}
+variable "region" {
+  description = "Region in which resources are deployed."
+  type        = string
+  default     = "weu"
+}
+############################
+#Resource gropus vars
+############################
+variable "resource_group_location" {
+  description = "Specifies the supported Azure location where the resource exists. Changing this forces a new resource to be created."
+}
+variable "resource_group_name" {
+  description = "The name of the resource group in which to create the network security group. Changing this forces a new resource to be created."
+}
+###############################
+#Network scurity group variable
+###############################
+variable "network_security_group_name" {
+  description = "Specifies the name of the network security group. Changing this forces a new resource to be created."
+  type        = string
+}
+variable "network_security_group_list" {
+  description = "List of security_rule objects representing security rules, as defined below."
+  type        = map(any)
+  default = {
+    "AllowHTTPAndHTTPS" = { priority = "1001", direction = "Inbound", access = "Allow", protocol = "Tcp", source_port_range = "*", destination_port_range = "80,443", source_address_prefix = "192.168.1.0/24", destination_address_prefix = "10.1.0.0/16" },
+  }
+}
+variable "associate_with_subnet" {
+  description = "Controls whether the Network Security Group should be associated with a subnet. When set to true, an association with the specified subnet is created; when set to false, no subnet association is established."
+  type        = bool
+  default     = false
+}
+variable "subnet_id" {
+  description = "The ID of the Subnet. Changing this forces a new resource to be created."
+  type        = string
+  default     = ""
+}