

terraform/module: Refactor security rule from security group
An Azure network security group definition accepts either in-line security
rules or standalone security rules, but not both. This change creates
standalone security rules so that further rules can be added later via scripts.

closes=BUG681462

Change-Id: Ie2b315aeebee54fb2a28232d0fc109f846a12d8c
Signed-off-by: manishp <manishp@arista.com>
manishpatel-arista committed Apr 11, 2022
1 parent 8d72792 commit 37dcc96
Showing 2 changed files with 120 additions and 96 deletions.
108 changes: 60 additions & 48 deletions terraform/module/cloudeos/azure/rg-static/rg.tf
Expand Up @@ -6,63 +6,75 @@ resource "azurerm_network_security_group" "publicNSG" {
name = var.nsg_name
location = data.azurerm_resource_group.rg.location
resource_group_name = var.rg_name
}

security_rule {
name = "allow_SSH"
description = "Allow SSH access"
priority = 100
direction = "Inbound"
access = "Allow"
protocol = "Tcp"
source_port_range = "*"
destination_port_range = "22"
source_address_prefix = "*"
destination_address_prefix = "*"
}
security_rule {
name = "allow_IKE500"
description = "Allow IKE access"
priority = 110
direction = "Inbound"
access = "Allow"
protocol = "Udp"
source_port_range = "*"
destination_port_range = "500"
source_address_prefix = "*"
destination_address_prefix = "*"
}
security_rule {
name = "allow_IKE4500"
description = "Allow IKE4500 access"
priority = 120
direction = "Inbound"
access = "Allow"
protocol = "Udp"
source_port_range = "*"
destination_port_range = "4500"
source_address_prefix = "*"
destination_address_prefix = "*"
}
resource "azurerm_network_security_rule" "publicSSH" {
count = var.role == "CloudEdge" ? 1 : 0
name = "allow_SSH"
description = "Allow SSH access"
priority = 100
direction = "Inbound"
access = "Allow"
protocol = "Tcp"
source_port_range = "*"
destination_port_range = "22"
source_address_prefix = "*"
destination_address_prefix = "*"
resource_group_name = var.rg_name
network_security_group_name = azurerm_network_security_group.publicNSG[count.index].name
}
resource "azurerm_network_security_rule" "publicIKE500" {
count = var.role == "CloudEdge" ? 1 : 0
name = "allow_IKE500"
description = "Allow IKE access"
priority = 110
direction = "Inbound"
access = "Allow"
protocol = "Udp"
source_port_range = "*"
destination_port_range = "500"
source_address_prefix = "*"
destination_address_prefix = "*"
resource_group_name = var.rg_name
network_security_group_name = azurerm_network_security_group.publicNSG[count.index].name
}
resource "azurerm_network_security_rule" "publicIKE4500" {
count = var.role == "CloudEdge" ? 1 : 0
name = "allow_IKE4500"
description = "Allow IKE4500 access"
priority = 120
direction = "Inbound"
access = "Allow"
protocol = "Udp"
source_port_range = "*"
destination_port_range = "4500"
source_address_prefix = "*"
destination_address_prefix = "*"
resource_group_name = var.rg_name
network_security_group_name = azurerm_network_security_group.publicNSG[count.index].name
}


resource "azurerm_network_security_group" "privateNSG" {
count = var.role != "CloudEdge" ? 1 : 0
depends_on = [data.azurerm_resource_group.rg]
name = "${var.nsg_name}-leaf"
location = data.azurerm_resource_group.rg.location
resource_group_name = var.rg_name

security_rule {
name = "allow_all"
priority = 130
direction = "Inbound"
access = "Allow"
protocol = "*"
source_port_range = "*"
destination_port_range = "*"
source_address_prefix = "*"
destination_address_prefix = "*"
}
}
resource "azurerm_network_security_rule" "privateAll" {
count = var.role != "CloudEdge" ? 1 : 0
name = "allow_all"
priority = 130
direction = "Inbound"
access = "Allow"
protocol = "*"
source_port_range = "*"
destination_port_range = "*"
source_address_prefix = "*"
destination_address_prefix = "*"
resource_group_name = var.rg_name
network_security_group_name = azurerm_network_security_group.privateNSG[count.index].name
}

data "azurerm_resource_group" "rg" {
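Review bot: The standalone `publicSSH` rule keeps `source_address_prefix = "*"` on inbound TCP/22, so after the refactor SSH on the CloudEdge NSG is still reachable from any source; now that the rule is its own resource it is the natural place to make the source configurable instead of hard-wired, e.g. replacing that line with `source_address_prefixes = var.ssh_source_address_prefixes` (variable name illustrative, defaulting to the current `*` only for compatibility). The same applies to `publicSSH` in terraform/module/cloudeos/azure/rg/rg.tf. The `publicNSG` resource that the three rules attach to begins above the hunk, so its `count` expression is not visible here; the `[count.index]` references assume it is gated on the same `var.role == "CloudEdge"` condition used by the rules, which is worth confirming since a mismatch would fail at plan time.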
108 changes: 60 additions & 48 deletions terraform/module/cloudeos/azure/rg/rg.tf
Expand Up @@ -6,65 +6,77 @@ resource "azurerm_network_security_group" "publicNSG" {
name = var.nsg_name
location = var.rg_location
resource_group_name = var.rg_name
}

security_rule {
name = "allow_SSH"
description = "Allow SSH access"
priority = 100
direction = "Inbound"
access = "Allow"
protocol = "Tcp"
source_port_range = "*"
destination_port_range = "22"
source_address_prefix = "*"
destination_address_prefix = "*"
}
security_rule {
name = "allow_IKE500"
description = "Allow IKE access"
priority = 110
direction = "Inbound"
access = "Allow"
protocol = "Udp"
source_port_range = "*"
destination_port_range = "500"
source_address_prefix = "*"
destination_address_prefix = "*"
}
security_rule {
name = "allow_IKE4500"
description = "Allow IKE4500 access"
priority = 120
direction = "Inbound"
access = "Allow"
protocol = "Udp"
source_port_range = "*"
destination_port_range = "4500"
source_address_prefix = "*"
destination_address_prefix = "*"
}
resource "azurerm_network_security_rule" "publicSSH" {
count = var.role == "CloudEdge" ? 1 : 0
name = "allow_SSH"
description = "Allow SSH access"
priority = 100
direction = "Inbound"
access = "Allow"
protocol = "Tcp"
source_port_range = "*"
destination_port_range = "22"
source_address_prefix = "*"
destination_address_prefix = "*"
resource_group_name = var.rg_name
network_security_group_name = azurerm_network_security_group.publicNSG[count.index].name
}
resource "azurerm_network_security_rule" "publicIKE500" {
count = var.role == "CloudEdge" ? 1 : 0
name = "allow_IKE500"
description = "Allow IKE access"
priority = 110
direction = "Inbound"
access = "Allow"
protocol = "Udp"
source_port_range = "*"
destination_port_range = "500"
source_address_prefix = "*"
destination_address_prefix = "*"
resource_group_name = var.rg_name
network_security_group_name = azurerm_network_security_group.publicNSG[count.index].name
}
resource "azurerm_network_security_rule" "publicIKE4500" {
count = var.role == "CloudEdge" ? 1 : 0
name = "allow_IKE4500"
description = "Allow IKE4500 access"
priority = 120
direction = "Inbound"
access = "Allow"
protocol = "Udp"
source_port_range = "*"
destination_port_range = "4500"
source_address_prefix = "*"
destination_address_prefix = "*"
resource_group_name = var.rg_name
network_security_group_name = azurerm_network_security_group.publicNSG[count.index].name
}


resource "azurerm_network_security_group" "privateNSG" {
count = var.role != "CloudEdge" ? 1 : 0
depends_on = [azurerm_resource_group.rg]
name = "${var.nsg_name}-leaf"
location = var.rg_location
resource_group_name = var.rg_name

security_rule {
name = "allow_all"
priority = 130
direction = "Inbound"
access = "Allow"
protocol = "*"
source_port_range = "*"
destination_port_range = "*"
source_address_prefix = "*"
destination_address_prefix = "*"
}
}

resource "azurerm_network_security_rule" "privateAll" {
count = var.role != "CloudEdge" ? 1 : 0
name = "allow_all"
priority = 130
direction = "Inbound"
access = "Allow"
protocol = "*"
source_port_range = "*"
destination_port_range = "*"
source_address_prefix = "*"
destination_address_prefix = "*"
resource_group_name = var.rg_name
network_security_group_name = azurerm_network_security_group.privateNSG[count.index].name
}
resource "azurerm_resource_group" "rg" {
name = var.rg_name
location = var.rg_location
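Review bot: The new `privateAll` rule carries no `description`, unlike the three public rules, yet it is the broadest rule in the module (`protocol = "*"`, every port, `source_address_prefix = "*"`, inbound), so its intent should be stated on the resource, e.g. `description = "Allow all inbound traffic to leaf instances"`. The same omission is in terraform/module/cloudeos/azure/rg-static/rg.tf. Since the commit's stated purpose is to let rules be added later outside Terraform, a short comment above the rules recording that priorities 100–130 are reserved by this module would help script authors avoid a priority collision with the managed rules.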
