schubergphilis · Blankf · Nov 25, 2024 · Nov 21, 2024 · Nov 21, 2024 · Nov 21, 2024
diff --git a/README.md b/README.md
diff --git a/locals.tf b/locals.tf
@@ -1,3 +1,86 @@
 locals {
   natgateway = var.natgateway == null ? 0 : 1
+
+  # Subnet selections
+  default_subnets      = { for k, v in var.subnets : k => v if !v.create_network_security_group && k != "AzureBastionSubnet" }
+  azure_bastion_subnet = { for k, v in var.subnets : k => v if k == "AzureBastionSubnet" }
+
+  subnets_with_nsg = {
+    for k, v in var.subnets :
+    k => v if(
+      v.create_network_security_group &&
+      v.network_security_group_config == null &&
+      k != "AzureBastionSubnet"
+    )
+  }
+
+  subnets_with_nsg_azure_default = {
+    for k, v in var.subnets :
+    k => v if(
+      v.create_network_security_group &&
+      try(v.network_security_group_config.azure_default, false) &&
+      k != "AzureBastionSubnet"
+    )
+  }
+
+  ## Security rules
+  preprocessed_security_rules = { for key, rule in var.security_rules : rule.name => rule }
+  security_rules              = merge(var.default_rules, local.preprocessed_security_rules)
+  azure_bastion_rules_map     = merge(var.azure_bastion_security_rules, local.security_rules)
+
+  nsg_with_rules = flatten([
+    for subnet_key, subnet in local.subnets_with_nsg : [
+      for rule_key, rule in local.security_rules : {
+        subnet_key                                 = subnet_key
+        name                                       = rule_key
+        description                                = rule.description
+        priority                                   = rule.priority
+        direction                                  = rule.direction
+        access                                     = rule.access
+        protocol                                   = rule.protocol
+        source_port_range                          = rule.source_port_range
+        source_port_ranges                         = rule.source_port_ranges
+        destination_port_range                     = rule.destination_port_range
+        destination_port_ranges                    = rule.destination_port_ranges
+        source_address_prefix                      = rule.source_address_prefix
+        source_address_prefixes                    = rule.source_address_prefixes
+        source_application_security_group_ids      = rule.source_application_security_group_ids
+        destination_address_prefix                 = rule.destination_address_prefix
+        destination_address_prefixes               = rule.destination_address_prefixes
+        destination_application_security_group_ids = rule.destination_application_security_group_ids
+        timeouts                                   = rule.timeouts
+      }
+    ]
+  ])
+
+  azure_bastion_with_rules = flatten([
+    for subnet_key, subnet in local.azure_bastion_subnet : [
+      for rule_key, rule in local.azure_bastion_rules_map : {
+        subnet_key                                 = subnet_key
+        name                                       = rule_key
+        description                                = rule.description
+        priority                                   = rule.priority
+        direction                                  = rule.direction
+        access                                     = rule.access
+        protocol                                   = rule.protocol
+        source_port_range                          = rule.source_port_range
+        source_port_ranges                         = rule.source_port_ranges
+        destination_port_range                     = rule.destination_port_range
+        destination_port_ranges                    = rule.destination_port_ranges
+        source_address_prefix                      = rule.source_address_prefix
+        source_address_prefixes                    = rule.source_address_prefixes
+        source_application_security_group_ids      = rule.source_application_security_group_ids
+        destination_address_prefix                 = rule.destination_address_prefix
+        destination_address_prefixes               = rule.destination_address_prefixes
+        destination_application_security_group_ids = rule.destination_application_security_group_ids
+        timeouts                                   = rule.timeouts
+      }
+    ]
+  ])
+
+  all_custom_network_security_groups = merge(
+    azurerm_network_security_group.additional,
+    azurerm_network_security_group.simple,
+    azurerm_network_security_group.azbastion
+  )
 }
diff --git a/main.tf b/main.tf
@@ -56,79 +56,3 @@ resource "azurerm_subnet" "this" {
     ]
   }
 }
-
-resource "azurerm_network_security_group" "this" {
-  name                = "${var.vnet_name}-nsg"
-  location            = azurerm_virtual_network.this.location
-  resource_group_name = azurerm_virtual_network.this.resource_group_name
-
-  tags = merge(
-    try(var.tags),
-    tomap({
-      "Resource Type" = "Network Security Group"
-    })
-  )
-}
-
-resource "azurerm_network_security_rule" "allow_https_in_from_vnets" {
-  name                        = "Allow-Https-in-from-vnets"
-  priority                    = 4095
-  direction                   = "Inbound"
-  access                      = "Allow"
-  protocol                    = "Tcp"
-  source_port_range           = "*"
-  destination_port_range      = "443"
-  source_address_prefix       = "VirtualNetwork"
-  destination_address_prefix  = "VirtualNetwork"
-  resource_group_name         = azurerm_network_security_group.this.resource_group_name
-  network_security_group_name = azurerm_network_security_group.this.name
-}
-
-resource "azurerm_network_security_rule" "allow_https_out_to_vnets" {
-  name                        = "Allow-Https-out-to-vnets"
-  priority                    = 4095
-  direction                   = "Outbound"
-  access                      = "Allow"
-  protocol                    = "Tcp"
-  source_port_range           = "*"
-  destination_port_range      = "443"
-  source_address_prefix       = "VirtualNetwork"
-  destination_address_prefix  = "VirtualNetwork"
-  resource_group_name         = azurerm_network_security_group.this.resource_group_name
-  network_security_group_name = azurerm_network_security_group.this.name
-}
-
-resource "azurerm_network_security_rule" "deny_any_any_any_in" {
-  name                        = "Deny-Any-Any-Any-In"
-  priority                    = 4096
-  direction                   = "Inbound"
-  access                      = "Deny"
-  protocol                    = "*"
-  source_port_range           = "*"
-  destination_port_range      = "*"
-  source_address_prefix       = "*"
-  destination_address_prefix  = "*"
-  resource_group_name         = azurerm_network_security_group.this.resource_group_name
-  network_security_group_name = azurerm_network_security_group.this.name
-}
-
-resource "azurerm_network_security_rule" "deny_any_any_any_out" {
-  name                        = "Deny-Any-Any-Any-Out"
-  priority                    = 4096
-  direction                   = "Outbound"
-  access                      = "Deny"
-  protocol                    = "*"
-  source_port_range           = "*"
-  destination_port_range      = "*"
-  source_address_prefix       = "*"
-  destination_address_prefix  = "*"
-  resource_group_name         = azurerm_network_security_group.this.resource_group_name
-  network_security_group_name = azurerm_network_security_group.this.name
-}
-
-resource "azurerm_subnet_network_security_group_association" "this" {
-  for_each = var.subnets
-
-  subnet_id                 = azurerm_subnet.this[each.key].id
-  network_security_group_id = azurerm_network_security_group.this.id
-}
diff --git a/outputs.tf b/outputs.tf
@@ -3,6 +3,11 @@ output "name" {
   value       = azurerm_virtual_network.this.name
 }
 
+output "resource_group" {
+  description = "The resource group in which the virtual network is created"
+  value       = azurerm_resource_group.this
+}
+
 output "id" {
   description = "The ID of the virtual network"
   value       = azurerm_virtual_network.this.id
@@ -27,3 +32,32 @@ output "private_dns_zone_list" {
     }
   }
 }
+
+output "all_subnets" {
+  description = "A list of all subnets created"
+  value = [for subnet in azurerm_subnet.this : {
+    name = subnet.name
+    id   = subnet.id
+  }]
+}
+
+output "all_network_security_groups" {
+  description = "A map of all network security groups created keyed by subnet"
+  value = { for subnet, nsg in local.all_custom_network_security_groups : subnet => {
+    name     = nsg.name
+    id       = nsg.id
+    location = nsg.location
+  } }
+}
+
+output "subnets_with_nsg" {
+  value = local.subnets_with_nsg
+}
+
+output "subnets_with_nsg_azure_default" {
+  value = local.subnets_with_nsg_azure_default
+}
+
+output "subnets_with_default_nsg" {
+  value = local.default_subnets
+}