From 87450cc6a0c65e7e728668ba7e9b14e0971f8229 Mon Sep 17 00:00:00 2001
From: fblankendaal
Date: Wed, 4 Dec 2024 15:24:41 +0100
Subject: [PATCH 1/5] adding the option to modify the source ip for bastion

---
 locals.tf | 8 +++++++-
 variables.security.tf | 10 +++++++++-
 2 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/locals.tf b/locals.tf
index 292ea38..65ca0b5 100644
--- a/locals.tf
+++ b/locals.tf
@@ -78,9 +78,15 @@ locals {
 ]
 ])
 
+ azure_bastion_security_rules = {
+ for rule_key, rule in var.azure_bastion_security_rules : rule_key => rule_key == "Allow-Https-in-from-Internet" ? merge(rule, {
+ source_address_prefixes = var.azure_bastion_source_ip_prefixes
+ }) : rule
+ }
+
 azure_bastion_with_rules = flatten([
 for subnet_key, subnet in local.azure_bastion_subnet : [
- for rule_key, rule in local.azure_bastion_rules_map : {
+ for rule_key, rule in local.azure_bastion_security_rules : {
 subnet_key = subnet_key
 name = rule_key
 description = rule.description
diff --git a/variables.security.tf b/variables.security.tf
index b49b9cd..2791238 100644
--- a/variables.security.tf
+++ b/variables.security.tf
@@ -173,6 +173,13 @@ subnets = {
 DESCRIPTION
 }
 
+variable "azure_bastion_source_ip_prefixes" {
+ description = "The source IP prefixes that can access the Azure Bastion service, recommendation is not to use the default!"
+ type = list(string)
+ default = ["0.0.0.0/0"]
+ nullable = false
+}
+
 variable "azure_bastion_security_rules" {
 type = map(object({
 name = string
@@ -208,7 +215,8 @@ variable "azure_bastion_security_rules" {
 direction = "Inbound"
 priority = 4040
 protocol = "Tcp"
- source_address_prefix = "Internet"
+ source_address_prefix = null
+ source_address_prefixes = null
 source_port_range = "*"
 },
 "Allow-Https-in-from-GatewayManager" = {
From 304f36deb1dfa1bc23f6da873880823d54915455 Mon Sep 17 00:00:00 2001
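Review bot: With the variable's default of `["0.0.0.0/0"]`, the merge on the `Allow-Https-in-from-Internet` key in this hunk swaps the `Internet` service tag for an any-source prefix, which is broader than the rule it replaces (the tag excludes the virtual network's own address space), so the default outcome of the series is a wider inbound 443 rule rather than a narrower one. A backward-compatible shape is to default the variable to `[]`, leave `source_address_prefix = "Internet"` on the default rule, and apply the override only when prefixes are given: `rule_key == "Allow-Https-in-from-Internet" && length(var.azure_bastion_source_ip_prefixes) > 0 ? merge(rule, { source_address_prefix = null, source_address_prefixes = var.azure_bastion_source_ip_prefixes }) : rule`. Nulling `source_address_prefix` inside the merge also keeps the result valid when a consumer's own entry for that key carries a service tag, since as far as I recall the provider rejects a rule that sets both source fields. The two variables.security.tf hunks of this patch (the variable default and the nulled rule source) embody the same decision and would change together; the `azure_bastion_with_rules` expression continues past the end of the hunk.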
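Review bot: The new `azure_bastion_source_ip_prefixes` variable flows straight into an NSG rule with no format check, so a bare address without a mask or any other non-CIDR string is only rejected by the provider at apply time; a `validation` block catches it at plan time. An empty list also passes `nullable = false` and would leave the Internet rule with neither source field after the merge in locals.tf, so either reject it here with `length(var.azure_bastion_source_ip_prefixes) > 0` or give it a defined meaning in the local. The description should say what the default does rather than only warn against it, e.g. `description = "Source prefixes allowed to reach Bastion on TCP 443. The default 0.0.0.0/0 admits any source and should be narrowed to your management ranges."`.
```hcl
variable "azure_bastion_source_ip_prefixes" {
  # … unchanged: description, type, default, nullable …
  validation {
    condition     = alltrue([for p in var.azure_bastion_source_ip_prefixes : can(cidrhost(p, 0))])
    error_message = "Every entry of azure_bastion_source_ip_prefixes must be a CIDR prefix, for example 203.0.113.0/24."
  }
}
```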
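Review bot: After the last hunk the default `Allow-Https-in-from-Internet` entry carries no source at all and only becomes a valid rule once locals.tf injects `source_address_prefixes`; nothing in the variable says so, and anyone who copies the default map into their own `azure_bastion_security_rules` gets an entry with neither source field. A comment on the nulled lines would make the coupling visible: `# source is injected from var.azure_bastion_source_ip_prefixes in locals.tf`. The rule's `description`, which sits above the `direction` line outside the hunk and still reads "Allow HTTPS traffic from the Internet", should also mention that the source is configurable. The enclosing `variable "azure_bastion_security_rules"` block starts and ends outside the hunk.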
From: fblankendaal
Date: Wed, 4 Dec 2024 15:55:47 +0100
Subject: [PATCH 2/5] fix map for rules

---
 locals.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/locals.tf b/locals.tf
index 65ca0b5..f472958 100644
--- a/locals.tf
+++ b/locals.tf
@@ -79,7 +79,7 @@ locals {
 ])
 
 azure_bastion_security_rules = {
- for rule_key, rule in var.azure_bastion_security_rules : rule_key => rule_key == "Allow-Https-in-from-Internet" ? merge(rule, {
+ for rule_key, rule in local.azure_bastion_rules_map : rule_key => rule_key == "Allow-Https-in-from-Internet" ? merge(rule, {
 source_address_prefixes = var.azure_bastion_source_ip_prefixes
 }) : rule
 }
From 6813ba2f98ebe82e6735c36f4b5fde42f095bd97 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
Date: Wed, 4 Dec 2024 20:10:17 +0000
Subject: [PATCH 3/5] docs(readme): update module usage

---
 README.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index b7a059b..06837c5 100644
--- a/README.md
+++ b/README.md
@@ -50,7 +50,8 @@ No modules.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | [vnet\_name](#input\_vnet\_name) | The name of the virtual network. | `string` | n/a | yes |
-| [azure\_bastion\_security\_rules](#input\_azure\_bastion\_security\_rules) | A map of security rules to be created in the AzureBastionSubnet Network Security Group. The key of the map is the name of the security rule.
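Review bot: The override in the new for-expression still keys on the literal `"Allow-Https-in-from-Internet"`, repeated here and in the variable default; if a consumer's map renames or drops that key, the comprehension silently matches nothing and `var.azure_bastion_source_ip_prefixes` is ignored without any diagnostic. Hoisting the key into a named local such as `azure_bastion_internet_rule_key = "Allow-Https-in-from-Internet"` and asserting `contains(keys(local.azure_bastion_rules_map), local.azure_bastion_internet_rule_key)` in a `check` block or a resource precondition would make the assumption explicit and fail the plan when it no longer holds. A one-line comment above the local, e.g. `# Narrow the Bastion 443-from-Internet rule to var.azure_bastion_source_ip_prefixes`, would also help, since the local's name does not say what it changes. The `locals` block itself starts and ends outside the hunk.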
This Map contains the required rules for the Azure Bastion Subnet. These rules are required for the Azure Bastion service to work properly.
This map is merged with the default rules and security rules to create the final set of rules for the Azure Bastion Subnet.
hcl
subnets = {
"AzureBastionSubnet" = {
address_prefixes = ["100.0.5.0/24"]
}
hcl |
map(object({
name = string
access = string
direction = string
priority = number
protocol = string
description = optional(string)
destination_address_prefix = optional(string, null)
destination_address_prefixes = optional(set(string), null)
destination_application_security_group_ids = optional(set(string), null)
destination_port_range = optional(string, null)
destination_port_ranges = optional(set(string), null)
source_address_prefix = optional(string, null)
source_address_prefixes = optional(set(string), null)
source_application_security_group_ids = optional(set(string), null)
source_port_range = optional(string, null)
source_port_ranges = optional(set(string), null)
timeouts = optional(object({
create = optional(string, "30")
delete = optional(string, "30")
read = optional(string, "5")
update = optional(string, "30")
}))
}))
|
{
"Allow-DataPlane-in-from-VirtualNetwork": {
"access": "Allow",
"description": "Allow DataPlane traffic from the VirtualNetwork",
"destination_address_prefix": "VirtualNetwork",
"destination_port_range": "8080",
"direction": "Inbound",
"name": "Allow-DataPlane-in-from-VirtualNetwork",
"priority": 4042,
"protocol": "Tcp",
"source_address_prefix": "VirtualNetwork",
"source_port_range": "*"
},
"Allow-DataPlane-in-from-VirtualNetwork-5701": {
"access": "Allow",
"description": "Allow DataPlane traffic from the VirtualNetwork on port 5701",
"destination_address_prefix": "VirtualNetwork",
"destination_port_range": "5701",
"direction": "Inbound",
"name": "Allow-DataPlane-in-from-VirtualNetwork-5701",
"priority": 4043,
"protocol": "Tcp",
"source_address_prefix": "VirtualNetwork",
"source_port_range": "*"
},
"Allow-DataPlane-out-to-VirtualNetwork-5701": {
"access": "Allow",
"description": "Allow DataPlane traffic to the VirtualNetwork on port 5701",
"destination_address_prefix": "VirtualNetwork",
"destination_port_range": "5701",
"direction": "Outbound",
"name": "Allow-DataPlane-out-to-VirtualNetwork-5701",
"priority": 4043,
"protocol": "Tcp",
"source_address_prefix": "*",
"source_port_range": "*"
},
"Allow-DataPlane-out-to-VirtualNetwork-8080": {
"access": "Allow",
"description": "Allow DataPlane traffic to the VirtualNetwork on port 8080",
"destination_address_prefix": "VirtualNetwork",
"destination_port_range": "8080",
"direction": "Outbound",
"name": "Allow-DataPlane-out-to-VirtualNetwork-8080",
"priority": 4042,
"protocol": "Tcp",
"source_address_prefix": "*",
"source_port_range": "*"
},
"Allow-Http-out-to-Internet": {
"access": "Allow",
"description": "Allow HTTP traffic to the Internet",
"destination_address_prefix": "Internet",
"destination_port_range": "80",
"direction": "Outbound",
"name": "Allow-Http-out-to-Internet",
"priority": 4045,
"protocol": "Tcp",
"source_address_prefix": "*",
"source_port_range": "*"
},
"Allow-Https-in-from-AzureLoadBalancer": {
"access": "Allow",
"description": "Allow HTTPS traffic from the AzureLoadBalancer",
"destination_address_prefix": "*",
"destination_port_range": "443",
"direction": "Inbound",
"name": "Allow-Https-in-from-AzureLoadBalancer",
"priority": 4044,
"protocol": "Tcp",
"source_address_prefix": "AzureLoadBalancer",
"source_port_range": "*"
},
"Allow-Https-in-from-GatewayManager": {
"access": "Allow",
"description": "Allow HTTPS traffic from the GatewayManager",
"destination_address_prefix": "*",
"destination_port_range": "443",
"direction": "Inbound",
"name": "Allow-Https-in-from-GatewayManager",
"priority": 4041,
"protocol": "Tcp",
"source_address_prefix": "GatewayManager",
"source_port_range": "*"
},
"Allow-Https-in-from-Internet": {
"access": "Allow",
"description": "Allow HTTPS traffic from the Internet",
"destination_address_prefix": "*",
"destination_port_range": "443",
"direction": "Inbound",
"name": "Allow-Https-in-from-Internet",
"priority": 4040,
"protocol": "Tcp",
"source_address_prefix": "Internet",
"source_port_range": "*"
},
"Allow-Https-out-to-AzureCloud": {
"access": "Allow",
"description": "Allow HTTPS traffic to the AzureCloud",
"destination_address_prefix": "AzureCloud",
"destination_port_range": "443",
"direction": "Outbound",
"name": "Allow-Https-out-to-AzureCloud",
"priority": 4044,
"protocol": "Tcp",
"source_address_prefix": "*",
"source_port_range": "*"
},
"Allow-Rdp-out-to-VirtualNetwork": {
"access": "Allow",
"description": "Allow RDP traffic to the VirtualNetwork",
"destination_address_prefix": "VirtualNetwork",
"destination_port_range": "3389",
"direction": "Outbound",
"name": "Allow-Rdp-out-to-VirtualNetwork",
"priority": 4040,
"protocol": "Tcp",
"source_address_prefix": "*",
"source_port_range": "*"
},
"Allow-Ssh-out-to-VirtualNetwork": {
"access": "Allow",
"description": "Allow SSH traffic to the VirtualNetwork",
"destination_address_prefix": "VirtualNetwork",
"destination_port_range": "22",
"direction": "Outbound",
"name": "Allow-Ssh-out-to-VirtualNetwork",
"priority": 4041,
"protocol": "Tcp",
"source_address_prefix": "*",
"source_port_range": "*"
}
}
| no |
+| [azure\_bastion\_security\_rules](#input\_azure\_bastion\_security\_rules) | A map of security rules to be created in the AzureBastionSubnet Network Security Group. The key of the map is the name of the security rule.
This Map contains the required rules for the Azure Bastion Subnet. These rules are required for the Azure Bastion service to work properly.
This map is merged with the default rules and security rules to create the final set of rules for the Azure Bastion Subnet.
hcl
subnets = {
"AzureBastionSubnet" = {
address_prefixes = ["100.0.5.0/24"]
}
hcl |
map(object({
name = string
access = string
direction = string
priority = number
protocol = string
description = optional(string)
destination_address_prefix = optional(string, null)
destination_address_prefixes = optional(set(string), null)
destination_application_security_group_ids = optional(set(string), null)
destination_port_range = optional(string, null)
destination_port_ranges = optional(set(string), null)
source_address_prefix = optional(string, null)
source_address_prefixes = optional(set(string), null)
source_application_security_group_ids = optional(set(string), null)
source_port_range = optional(string, null)
source_port_ranges = optional(set(string), null)
timeouts = optional(object({
create = optional(string, "30")
delete = optional(string, "30")
read = optional(string, "5")
update = optional(string, "30")
}))
}))
|
{
"Allow-DataPlane-in-from-VirtualNetwork": {
"access": "Allow",
"description": "Allow DataPlane traffic from the VirtualNetwork",
"destination_address_prefix": "VirtualNetwork",
"destination_port_range": "8080",
"direction": "Inbound",
"name": "Allow-DataPlane-in-from-VirtualNetwork",
"priority": 4042,
"protocol": "Tcp",
"source_address_prefix": "VirtualNetwork",
"source_port_range": "*"
},
"Allow-DataPlane-in-from-VirtualNetwork-5701": {
"access": "Allow",
"description": "Allow DataPlane traffic from the VirtualNetwork on port 5701",
"destination_address_prefix": "VirtualNetwork",
"destination_port_range": "5701",
"direction": "Inbound",
"name": "Allow-DataPlane-in-from-VirtualNetwork-5701",
"priority": 4043,
"protocol": "Tcp",
"source_address_prefix": "VirtualNetwork",
"source_port_range": "*"
},
"Allow-DataPlane-out-to-VirtualNetwork-5701": {
"access": "Allow",
"description": "Allow DataPlane traffic to the VirtualNetwork on port 5701",
"destination_address_prefix": "VirtualNetwork",
"destination_port_range": "5701",
"direction": "Outbound",
"name": "Allow-DataPlane-out-to-VirtualNetwork-5701",
"priority": 4043,
"protocol": "Tcp",
"source_address_prefix": "*",
"source_port_range": "*"
},
"Allow-DataPlane-out-to-VirtualNetwork-8080": {
"access": "Allow",
"description": "Allow DataPlane traffic to the VirtualNetwork on port 8080",
"destination_address_prefix": "VirtualNetwork",
"destination_port_range": "8080",
"direction": "Outbound",
"name": "Allow-DataPlane-out-to-VirtualNetwork-8080",
"priority": 4042,
"protocol": "Tcp",
"source_address_prefix": "*",
"source_port_range": "*"
},
"Allow-Http-out-to-Internet": {
"access": "Allow",
"description": "Allow HTTP traffic to the Internet",
"destination_address_prefix": "Internet",
"destination_port_range": "80",
"direction": "Outbound",
"name": "Allow-Http-out-to-Internet",
"priority": 4045,
"protocol": "Tcp",
"source_address_prefix": "*",
"source_port_range": "*"
},
"Allow-Https-in-from-AzureLoadBalancer": {
"access": "Allow",
"description": "Allow HTTPS traffic from the AzureLoadBalancer",
"destination_address_prefix": "*",
"destination_port_range": "443",
"direction": "Inbound",
"name": "Allow-Https-in-from-AzureLoadBalancer",
"priority": 4044,
"protocol": "Tcp",
"source_address_prefix": "AzureLoadBalancer",
"source_port_range": "*"
},
"Allow-Https-in-from-GatewayManager": {
"access": "Allow",
"description": "Allow HTTPS traffic from the GatewayManager",
"destination_address_prefix": "*",
"destination_port_range": "443",
"direction": "Inbound",
"name": "Allow-Https-in-from-GatewayManager",
"priority": 4041,
"protocol": "Tcp",
"source_address_prefix": "GatewayManager",
"source_port_range": "*"
},
"Allow-Https-in-from-Internet": {
"access": "Allow",
"description": "Allow HTTPS traffic from the Internet",
"destination_address_prefix": "*",
"destination_port_range": "443",
"direction": "Inbound",
"name": "Allow-Https-in-from-Internet",
"priority": 4040,
"protocol": "Tcp",
"source_address_prefix": null,
"source_address_prefixes": null,
"source_port_range": "*"
},
"Allow-Https-out-to-AzureCloud": {
"access": "Allow",
"description": "Allow HTTPS traffic to the AzureCloud",
"destination_address_prefix": "AzureCloud",
"destination_port_range": "443",
"direction": "Outbound",
"name": "Allow-Https-out-to-AzureCloud",
"priority": 4044,
"protocol": "Tcp",
"source_address_prefix": "*",
"source_port_range": "*"
},
"Allow-Rdp-out-to-VirtualNetwork": {
"access": "Allow",
"description": "Allow RDP traffic to the VirtualNetwork",
"destination_address_prefix": "VirtualNetwork",
"destination_port_range": "3389",
"direction": "Outbound",
"name": "Allow-Rdp-out-to-VirtualNetwork",
"priority": 4040,
"protocol": "Tcp",
"source_address_prefix": "*",
"source_port_range": "*"
},
"Allow-Ssh-out-to-VirtualNetwork": {
"access": "Allow",
"description": "Allow SSH traffic to the VirtualNetwork",
"destination_address_prefix": "VirtualNetwork",
"destination_port_range": "22",
"direction": "Outbound",
"name": "Allow-Ssh-out-to-VirtualNetwork",
"priority": 4041,
"protocol": "Tcp",
"source_address_prefix": "*",
"source_port_range": "*"
}
}
| no |
+| [azure\_bastion\_source\_ip\_prefixes](#input\_azure\_bastion\_source\_ip\_prefixes) | The source IP prefixes that can access the Azure Bastion service, recommendation is not to use the default! | `list(string)` |
[
"0.0.0.0/0"
]
| no |
 | [default\_rules](#input\_default\_rules) | A map of default security rules to be created in **every** Network Security Group, except if you specificy "network\_security\_group\_config -> Azure default" in the subnet configuration.
but of course, you can override these defaults by specifying the same rule in a new `default_rules` map.
This map is merged with the security rules map to create the final set of rules for the Network Security Group.
hcl
subnets = {
"ToolingSubnet" = {
address_prefixes = ["100.0.3.0/24"]
default_outbound_access_enabled = false
create_network_security_group = true
network_security_group_config = {
azure_default = true
}
}
hcl |
map(object({
name = string
access = string
direction = string
priority = number
protocol = string
description = optional(string)
destination_address_prefix = optional(string, null)
destination_address_prefixes = optional(set(string), null)
destination_application_security_group_ids = optional(set(string), null)
destination_port_range = optional(string, null)
destination_port_ranges = optional(set(string), null)
source_address_prefix = optional(string, null)
source_address_prefixes = optional(set(string), null)
source_application_security_group_ids = optional(set(string), null)
source_port_range = optional(string, null)
source_port_ranges = optional(set(string), null)
timeouts = optional(object({
create = optional(string, "30")
delete = optional(string, "30")
read = optional(string, "5")
update = optional(string, "30")
}))
}))
|
{
"Allow-Https-in-from-vnets": {
"access": "Allow",
"description": "Allow HTTPS traffic from VNets",
"destination_address_prefix": "VirtualNetwork",
"destination_port_range": "443",
"direction": "Inbound",
"name": "Allow-Https-in-from-vnets",
"priority": 4095,
"protocol": "Tcp",
"source_address_prefix": "VirtualNetwork",
"source_port_range": "*"
},
"Allow-Https-out-to-vnets": {
"access": "Allow",
"description": "Allow HTTPS traffic to VNets",
"destination_address_prefix": "VirtualNetwork",
"destination_port_range": "443",
"direction": "Outbound",
"name": "Allow-Https-out-to-vnets",
"priority": 4095,
"protocol": "Tcp",
"source_address_prefix": "VirtualNetwork",
"source_port_range": "*"
},
"Deny-Any-Any-Any-In": {
"access": "Deny",
"description": "Deny all inbound traffic",
"destination_address_prefix": "*",
"destination_port_range": "*",
"direction": "Inbound",
"name": "Deny-Any-Any-Any-In",
"priority": 4096,
"protocol": "*",
"source_address_prefix": "*",
"source_port_range": "*"
},
"Deny-Any-Any-Any-Out": {
"access": "Deny",
"description": "Deny all outbound traffic",
"destination_address_prefix": "*",
"destination_port_range": "*",
"direction": "Outbound",
"name": "Deny-Any-Any-Any-Out",
"priority": 4096,
"protocol": "*",
"source_address_prefix": "*",
"source_port_range": "*"
}
}
| no |
 | [natgateway](#input\_natgateway) | This object describes the public IP configuration when creating Nat Gateway's with a public IP. If creating more than one public IP, then these values will be used for all public IPs.

- `allocation_method` = (Required) - Defines the allocation method for this IP address. Possible values are Static or Dynamic.
- `ddos_protection_mode` = (Optional) - The DDoS protection mode of the public IP. Possible values are Disabled, Enabled, and VirtualNetworkInherited. Defaults to VirtualNetworkInherited.
- `ddos_protection_plan_id` = (Optional) - The ID of DDoS protection plan associated with the public IP. ddos\_protection\_plan\_id can only be set when ddos\_protection\_mode is Enabled
- `domain_name_label` = (Optional) - Label for the Domain Name. Will be used to make up the FQDN. If a domain name label is specified, an A DNS record is created for the public IP in the Microsoft Azure DNS system.
- `idle_timeout_in_minutes` = (Optional) - Specifies the timeout for the TCP idle connection. The value can be set between 4 and 30 minutes.
- `inherit_tags` = (Optional) - Defaults to false. Set this to false if only the tags defined on this resource should be applied. - Future functionality leaving in.
- `ip_version` = (Optional) - The IP Version to use, IPv6 or IPv4. Changing this forces a new resource to be created. Only static IP address allocation is supported for IPv6.
- `lock_level` = (Optional) - Set this value to override the resource level lock value. Possible values are `None`, `CanNotDelete`, and `ReadOnly`.
- `name` = (Optional) - The name of the Nat gateway. Changing this forces a new resource to be created.
- `sku` = (Optional) - The SKU of the Public IP. Accepted values are Basic and Standard. Defaults to Standard to support zones by default. Changing this forces a new resource to be created. When sku\_tier is set to Global, sku must be set to Standard.
- `sku_tier` = (Optional) - The SKU tier of the Public IP. Accepted values are Global and Regional. Defaults to Regional
- `zones` = (Optional) - A list of zones where this public IP should be deployed. Defaults to no zone. if you prefer, you can set other values for the zones ["1","2","3"]. Changing this forces a new resource to be created.

Example Inputs:
hcl
natgateway = {
name = "my-nat-gw"
}
hcl |
object({
name = optional(string, null)
allocation_method = optional(string, "Static")
ddos_protection_mode = optional(string, "VirtualNetworkInherited")
ddos_protection_plan_id = optional(string, null)
domain_name_label = optional(string, null)
idle_timeout_in_minutes = optional(number, 4)
inherit_tags = optional(bool, true)
ip_version = optional(string, "IPv4")
lock_level = optional(string, null)
sku = optional(string, "Standard")
sku_tier = optional(string, "Regional")
zones = optional(list(string))
})
| `null` | no |
 | [private\_dns](#input\_private\_dns) | This object describes the private DNS configuration for the virtual network.

- `zone_name` = (Required) - The name of the private DNS zone.
- `zone_link_enabled` = (Optional) - Whether to link the private DNS zone to the virtual network. Defaults to true.
- `zone_link_name` = (Optional) - The name of the private DNS zone link. Changing this forces a new resource to be created.
- `resource_group_name` = (Optional) - The name of the resource group to link the private DNS zone to. Changing this forces a new resource to be created.

Example Inputs:
hcl
private_dns = {
"keyvault" = {
zone_name = "privatelink.vaultcore.azure.net"
}
"blob" = {
zone_name = "privatelink.blob.core.windows.net"
}
"azurecr" = {
zone_name = "privatelink.azurecr.io"
}
}
hcl |
map(object({
zone_name = string
zone_link_enabled = optional(bool, true)
zone_link_name = optional(string)
resource_group_name = optional(string)
}))
| `null` | no |
From 29f60473f66d48b90148de1f14e40e3a6cb3cb29 Mon Sep 17 00:00:00 2001
From: Ferry Blankendaal
Date: Wed, 4 Dec 2024 22:02:18 +0100
Subject: [PATCH 4/5] Update variables.security.tf

---
 variables.security.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/variables.security.tf b/variables.security.tf
index 2791238..9f07b3f 100644
--- a/variables.security.tf
+++ b/variables.security.tf
@@ -175,7 +175,7 @@ DESCRIPTION
 
 variable "azure_bastion_source_ip_prefixes" {
 description = "The source IP prefixes that can access the Azure Bastion service, recommendation is not to use the default!"
- type = list(string)
+ type = set(string)
 default = ["0.0.0.0/0"]
 nullable = false
 }
From c7a0a9b9ce3bda70cf65b2b55f7d1571d930c579 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
Date: Wed, 4 Dec 2024 21:02:36 +0000
Subject: [PATCH 5/5] docs(readme): update module usage

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 06837c5..810e61a 100644
--- a/README.md
+++ b/README.md
@@ -51,7 +51,7 @@ No modules.
 |------|-------------|------|---------|:--------:|
 | [vnet\_name](#input\_vnet\_name) | The name of the virtual network. | `string` | n/a | yes |
 | [azure\_bastion\_security\_rules](#input\_azure\_bastion\_security\_rules) | A map of security rules to be created in the AzureBastionSubnet Network Security Group. The key of the map is the name of the security rule.
This Map contains the required rules for the Azure Bastion Subnet. These rules are required for the Azure Bastion service to work properly.
This map is merged with the default rules and security rules to create the final set of rules for the Azure Bastion Subnet.
hcl
subnets = {
"AzureBastionSubnet" = {
address_prefixes = ["100.0.5.0/24"]
}
hcl |
map(object({
name = string
access = string
direction = string
priority = number
protocol = string
description = optional(string)
destination_address_prefix = optional(string, null)
destination_address_prefixes = optional(set(string), null)
destination_application_security_group_ids = optional(set(string), null)
destination_port_range = optional(string, null)
destination_port_ranges = optional(set(string), null)
source_address_prefix = optional(string, null)
source_address_prefixes = optional(set(string), null)
source_application_security_group_ids = optional(set(string), null)
source_port_range = optional(string, null)
source_port_ranges = optional(set(string), null)
timeouts = optional(object({
create = optional(string, "30")
delete = optional(string, "30")
read = optional(string, "5")
update = optional(string, "30")
}))
}))
|
{
"Allow-DataPlane-in-from-VirtualNetwork": {
"access": "Allow",
"description": "Allow DataPlane traffic from the VirtualNetwork",
"destination_address_prefix": "VirtualNetwork",
"destination_port_range": "8080",
"direction": "Inbound",
"name": "Allow-DataPlane-in-from-VirtualNetwork",
"priority": 4042,
"protocol": "Tcp",
"source_address_prefix": "VirtualNetwork",
"source_port_range": "*"
},
"Allow-DataPlane-in-from-VirtualNetwork-5701": {
"access": "Allow",
"description": "Allow DataPlane traffic from the VirtualNetwork on port 5701",
"destination_address_prefix": "VirtualNetwork",
"destination_port_range": "5701",
"direction": "Inbound",
"name": "Allow-DataPlane-in-from-VirtualNetwork-5701",
"priority": 4043,
"protocol": "Tcp",
"source_address_prefix": "VirtualNetwork",
"source_port_range": "*"
},
"Allow-DataPlane-out-to-VirtualNetwork-5701": {
"access": "Allow",
"description": "Allow DataPlane traffic to the VirtualNetwork on port 5701",
"destination_address_prefix": "VirtualNetwork",
"destination_port_range": "5701",
"direction": "Outbound",
"name": "Allow-DataPlane-out-to-VirtualNetwork-5701",
"priority": 4043,
"protocol": "Tcp",
"source_address_prefix": "*",
"source_port_range": "*"
},
"Allow-DataPlane-out-to-VirtualNetwork-8080": {
"access": "Allow",
"description": "Allow DataPlane traffic to the VirtualNetwork on port 8080",
"destination_address_prefix": "VirtualNetwork",
"destination_port_range": "8080",
"direction": "Outbound",
"name": "Allow-DataPlane-out-to-VirtualNetwork-8080",
"priority": 4042,
"protocol": "Tcp",
"source_address_prefix": "*",
"source_port_range": "*"
},
"Allow-Http-out-to-Internet": {
"access": "Allow",
"description": "Allow HTTP traffic to the Internet",
"destination_address_prefix": "Internet",
"destination_port_range": "80",
"direction": "Outbound",
"name": "Allow-Http-out-to-Internet",
"priority": 4045,
"protocol": "Tcp",
"source_address_prefix": "*",
"source_port_range": "*"
},
"Allow-Https-in-from-AzureLoadBalancer": {
"access": "Allow",
"description": "Allow HTTPS traffic from the AzureLoadBalancer",
"destination_address_prefix": "*",
"destination_port_range": "443",
"direction": "Inbound",
"name": "Allow-Https-in-from-AzureLoadBalancer",
"priority": 4044,
"protocol": "Tcp",
"source_address_prefix": "AzureLoadBalancer",
"source_port_range": "*"
},
"Allow-Https-in-from-GatewayManager": {
"access": "Allow",
"description": "Allow HTTPS traffic from the GatewayManager",
"destination_address_prefix": "*",
"destination_port_range": "443",
"direction": "Inbound",
"name": "Allow-Https-in-from-GatewayManager",
"priority": 4041,
"protocol": "Tcp",
"source_address_prefix": "GatewayManager",
"source_port_range": "*"
},
"Allow-Https-in-from-Internet": {
"access": "Allow",
"description": "Allow HTTPS traffic from the Internet",
"destination_address_prefix": "*",
"destination_port_range": "443",
"direction": "Inbound",
"name": "Allow-Https-in-from-Internet",
"priority": 4040,
"protocol": "Tcp",
"source_address_prefix": null,
"source_address_prefixes": null,
"source_port_range": "*"
},
"Allow-Https-out-to-AzureCloud": {
"access": "Allow",
"description": "Allow HTTPS traffic to the AzureCloud",
"destination_address_prefix": "AzureCloud",
"destination_port_range": "443",
"direction": "Outbound",
"name": "Allow-Https-out-to-AzureCloud",
"priority": 4044,
"protocol": "Tcp",
"source_address_prefix": "*",
"source_port_range": "*"
},
"Allow-Rdp-out-to-VirtualNetwork": {
"access": "Allow",
"description": "Allow RDP traffic to the VirtualNetwork",
"destination_address_prefix": "VirtualNetwork",
"destination_port_range": "3389",
"direction": "Outbound",
"name": "Allow-Rdp-out-to-VirtualNetwork",
"priority": 4040,
"protocol": "Tcp",
"source_address_prefix": "*",
"source_port_range": "*"
},
"Allow-Ssh-out-to-VirtualNetwork": {
"access": "Allow",
"description": "Allow SSH traffic to the VirtualNetwork",
"destination_address_prefix": "VirtualNetwork",
"destination_port_range": "22",
"direction": "Outbound",
"name": "Allow-Ssh-out-to-VirtualNetwork",
"priority": 4041,
"protocol": "Tcp",
"source_address_prefix": "*",
"source_port_range": "*"
}
}
| no |
-| [azure\_bastion\_source\_ip\_prefixes](#input\_azure\_bastion\_source\_ip\_prefixes) | The source IP prefixes that can access the Azure Bastion service, recommendation is not to use the default! | `list(string)` |
[
"0.0.0.0/0"
]
| no |
+| [azure\_bastion\_source\_ip\_prefixes](#input\_azure\_bastion\_source\_ip\_prefixes) | The source IP prefixes that can access the Azure Bastion service, recommendation is not to use the default! | `set(string)` |
[
"0.0.0.0/0"
]
| no |
 | [default\_rules](#input\_default\_rules) | A map of default security rules to be created in **every** Network Security Group, except if you specificy "network\_security\_group\_config -> Azure default" in the subnet configuration.
but of course, you can override these defaults by specifying the same rule in a new `default_rules` map.
This map is merged with the security rules map to create the final set of rules for the Network Security Group.
hcl
subnets = {
"ToolingSubnet" = {
address_prefixes = ["100.0.3.0/24"]
default_outbound_access_enabled = false
create_network_security_group = true
network_security_group_config = {
azure_default = true
}
}
hcl |
map(object({
name = string
access = string
direction = string
priority = number
protocol = string
description = optional(string)
destination_address_prefix = optional(string, null)
destination_address_prefixes = optional(set(string), null)
destination_application_security_group_ids = optional(set(string), null)
destination_port_range = optional(string, null)
destination_port_ranges = optional(set(string), null)
source_address_prefix = optional(string, null)
source_address_prefixes = optional(set(string), null)
source_application_security_group_ids = optional(set(string), null)
source_port_range = optional(string, null)
source_port_ranges = optional(set(string), null)
timeouts = optional(object({
create = optional(string, "30")
delete = optional(string, "30")
read = optional(string, "5")
update = optional(string, "30")
}))
}))
|
{
"Allow-Https-in-from-vnets": {
"access": "Allow",
"description": "Allow HTTPS traffic from VNets",
"destination_address_prefix": "VirtualNetwork",
"destination_port_range": "443",
"direction": "Inbound",
"name": "Allow-Https-in-from-vnets",
"priority": 4095,
"protocol": "Tcp",
"source_address_prefix": "VirtualNetwork",
"source_port_range": "*"
},
"Allow-Https-out-to-vnets": {
"access": "Allow",
"description": "Allow HTTPS traffic to VNets",
"destination_address_prefix": "VirtualNetwork",
"destination_port_range": "443",
"direction": "Outbound",
"name": "Allow-Https-out-to-vnets",
"priority": 4095,
"protocol": "Tcp",
"source_address_prefix": "VirtualNetwork",
"source_port_range": "*"
},
"Deny-Any-Any-Any-In": {
"access": "Deny",
"description": "Deny all inbound traffic",
"destination_address_prefix": "*",
"destination_port_range": "*",
"direction": "Inbound",
"name": "Deny-Any-Any-Any-In",
"priority": 4096,
"protocol": "*",
"source_address_prefix": "*",
"source_port_range": "*"
},
"Deny-Any-Any-Any-Out": {
"access": "Deny",
"description": "Deny all outbound traffic",
"destination_address_prefix": "*",
"destination_port_range": "*",
"direction": "Outbound",
"name": "Deny-Any-Any-Any-Out",
"priority": 4096,
"protocol": "*",
"source_address_prefix": "*",
"source_port_range": "*"
}
}
| no |
 | [natgateway](#input\_natgateway) | This object describes the public IP configuration when creating Nat Gateway's with a public IP. If creating more than one public IP, then these values will be used for all public IPs.

- `allocation_method` = (Required) - Defines the allocation method for this IP address. Possible values are Static or Dynamic.
- `ddos_protection_mode` = (Optional) - The DDoS protection mode of the public IP. Possible values are Disabled, Enabled, and VirtualNetworkInherited. Defaults to VirtualNetworkInherited.
- `ddos_protection_plan_id` = (Optional) - The ID of DDoS protection plan associated with the public IP. ddos\_protection\_plan\_id can only be set when ddos\_protection\_mode is Enabled
- `domain_name_label` = (Optional) - Label for the Domain Name. Will be used to make up the FQDN. If a domain name label is specified, an A DNS record is created for the public IP in the Microsoft Azure DNS system.
- `idle_timeout_in_minutes` = (Optional) - Specifies the timeout for the TCP idle connection. The value can be set between 4 and 30 minutes.
- `inherit_tags` = (Optional) - Defaults to false. Set this to false if only the tags defined on this resource should be applied. - Future functionality leaving in.
- `ip_version` = (Optional) - The IP Version to use, IPv6 or IPv4. Changing this forces a new resource to be created. Only static IP address allocation is supported for IPv6.
- `lock_level` = (Optional) - Set this value to override the resource level lock value. Possible values are `None`, `CanNotDelete`, and `ReadOnly`.
- `name` = (Optional) - The name of the Nat gateway. Changing this forces a new resource to be created.
- `sku` = (Optional) - The SKU of the Public IP. Accepted values are Basic and Standard. Defaults to Standard to support zones by default. Changing this forces a new resource to be created. When sku\_tier is set to Global, sku must be set to Standard.
- `sku_tier` = (Optional) - The SKU tier of the Public IP. Accepted values are Global and Regional. Defaults to Regional
- `zones` = (Optional) - A list of zones where this public IP should be deployed. Defaults to no zone. if you prefer, you can set other values for the zones ["1","2","3"]. Changing this forces a new resource to be created.

Example Inputs:
hcl
natgateway = {
name = "my-nat-gw"
}
hcl |
object({
name = optional(string, null)
allocation_method = optional(string, "Static")
ddos_protection_mode = optional(string, "VirtualNetworkInherited")
ddos_protection_plan_id = optional(string, null)
domain_name_label = optional(string, null)
idle_timeout_in_minutes = optional(number, 4)
inherit_tags = optional(bool, true)
ip_version = optional(string, "IPv4")
lock_level = optional(string, null)
sku = optional(string, "Standard")
sku_tier = optional(string, "Regional")
zones = optional(list(string))
})
| `null` | no |
 | [private\_dns](#input\_private\_dns) | This object describes the private DNS configuration for the virtual network.

- `zone_name` = (Required) - The name of the private DNS zone.
- `zone_link_enabled` = (Optional) - Whether to link the private DNS zone to the virtual network. Defaults to true.
- `zone_link_name` = (Optional) - The name of the private DNS zone link. Changing this forces a new resource to be created.
- `resource_group_name` = (Optional) - The name of the resource group to link the private DNS zone to. Changing this forces a new resource to be created.

Example Inputs:
hcl
private_dns = {
"keyvault" = {
zone_name = "privatelink.vaultcore.azure.net"
}
"blob" = {
zone_name = "privatelink.blob.core.windows.net"
}
"azurecr" = {
zone_name = "privatelink.azurecr.io"
}
}
hcl |
map(object({
zone_name = string
zone_link_enabled = optional(bool, true)
zone_link_name = optional(string)
resource_group_name = optional(string)
}))
| `null` | no |