From 4b8eb610bb2a509cb0267eef6edcf346345aeb5c Mon Sep 17 00:00:00 2001 From: Florian de Vries Date: Thu, 11 Jul 2024 13:21:36 +0200 Subject: [PATCH] Restructure module layout --- README.md | 16 +++---- main.tf | 58 ++++++++++++++++--------- outputs.tf | 2 +- resource_group.tf | 10 ----- variables.tf | 87 ++++++++++--------------------------- vpn_server_configuration.tf | 86 ------------------------------------ 6 files changed, 69 insertions(+), 190 deletions(-) delete mode 100644 resource_group.tf delete mode 100644 vpn_server_configuration.tf diff --git a/README.md b/README.md index 9edbe99..66d1425 100644 --- a/README.md +++ b/README.md @@ -11,33 +11,31 @@ No requirements. ## Modules -| Name | Source | Version | -|------|--------|---------| -| [resource\_group](#module\_resource\_group) | github.com/fjdev/terraform-azurerm-resource-group | n/a | +No modules. ## Resources | Name | Type | |------|------| -| [azurerm_point_to_site_vpn_gateway.p2s_vpng](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/point_to_site_vpn_gateway) | resource | -| [azurerm_vpn_server_configuration.vpnsc](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/vpn_server_configuration) | resource | +| [azurerm_point_to_site_vpn_gateway.p2svpng](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/point_to_site_vpn_gateway) | resource | +| [azurerm_resource_group.rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource | ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [connection\_configuration](#input\_connection\_configuration) | (Required) A connection\_configuration block as defined below. |
object({
name = string
vpn_client_address_pool = object({
address_prefixes = list(string)
})
route = optional(object({
associated_route_table_id = string
inbound_route_map_id = string
outbound_route_map_id = string
propagated_route_table = optional(object({
ids = list(string)
labels = optional(list(string))
}))
}))
internet_security_enabled = optional(bool)
})
| n/a | yes | +| [connection\_configurations](#input\_connection\_configurations) | (Required) One or more connection\_configuration blocks as defined above. |
map(object({
vpn_client_address_pool = object({
address_prefixes = list(string)
})
route = optional(object({
associated_route_table_id = string
inbound_route_map_id = optional(string)
outbound_route_map_id = optional(string)
propagated_route_table = optional(object({
ids = list(string)
labels = optional(list(string))
}))
}))
internet_security_enabled = optional(bool)
}))
| n/a | yes | | [deploy\_resource\_group](#input\_deploy\_resource\_group) | (Optional) Specifies whether to deploy the resource group or not. Defaults to true. | `bool` | `true` | no | -| [dns\_servers](#input\_dns\_servers) | (Optional) A list of IP Addresses of DNS Servers for the Point-to-Site VPN Gateway. | `list(string)` | `null` | no | +| [dns\_servers](#input\_dns\_servers) | (Optional) A list of IP Addresses of DNS Servers for the Point-to-Site VPN Gateway. | `list(string)` | `[]` | no | | [location](#input\_location) | (Required) Specifies the supported Azure location where the resource exists. Changing this forces a new resource to be created. | `string` | n/a | yes | | [managed\_by](#input\_managed\_by) | (Optional) The ID of the resource or application that manages this Resource Group. | `string` | `null` | no | | [name](#input\_name) | (Required) Specifies the name of the Point-to-Site VPN Gateway. Changing this forces a new resource to be created. | `string` | n/a | yes | | [resource\_group\_name](#input\_resource\_group\_name) | (Required) The name of the resource group in which to create the Point-to-Site VPN Gateway. Changing this forces a new resource to be created. | `string` | n/a | yes | | [routing\_preference\_internet\_enabled](#input\_routing\_preference\_internet\_enabled) | (Optional) Is the Routing Preference for the Public IP Interface of the VPN Gateway enabled? Defaults to false. Changing this forces a new resource to be created. | `bool` | `false` | no | | [scale\_unit](#input\_scale\_unit) | (Required) The Scale Unit for this Point-to-Site VPN Gateway. | `number` | n/a | yes | -| [tags](#input\_tags) | (Optional) A mapping of tags to assign to the Point-to-Site VPN Gateway. 
| `any` | `null` | no | +| [tags](#input\_tags) | (Optional) A mapping of tags to assign to the resources | `any` | `null` | no | | [virtual\_hub\_id](#input\_virtual\_hub\_id) | (Required) The ID of the Virtual Hub where this Point-to-Site VPN Gateway should exist. Changing this forces a new resource to be created. | `string` | n/a | yes | -| [vpn\_server\_configuration](#input\_vpn\_server\_configuration) | (Required) A vpn\_server\_configuration block as defined below. |
object({
name = string
vpn_authentication_types = string
ipsec_policy = optional(object({
dh_group = string
ike_encryption = string
ike_integrity = string
ipsec_encryption = string
ipsec_integrity = string
pfs_group = string
sa_lifetime_seconds = number
sa_data_size_kilobytes = number
}))
vpn_protocols = optional(list(string))
azure_active_directory_authentication = optional(object({
audience = string
issuer = string
tenant = string
}))
client_root_certificate = optional(map(object({
public_cert_data = string
})))
client_revoked_certificate = optional(map(object({
thumbprint = string
})))
radius = optional(object({
server = map(object({
address = string
secret = string
score = number
}))
client_root_certificate = optional(map(object({
thumbprint = string
})))
server_root_certificate = optional(map(object({
public_cert_data = string
})))
}))
})
| n/a | yes | +| [vpn\_server\_configuration\_id](#input\_vpn\_server\_configuration\_id) | (Required) The ID of the VPN Server Configuration which this Point-to-Site VPN Gateway should use. Changing this forces a new resource to be created. | `string` | n/a | yes | ## Outputs diff --git a/main.tf b/main.tf index 6102b2a..71c6c64 100644 --- a/main.tf +++ b/main.tf 
@@ -1,40 +1,56 @@
-resource "azurerm_point_to_site_vpn_gateway" "p2s_vpng" {
+# Resource Group
+resource "azurerm_resource_group" "rg" {
+ count = var.deploy_resource_group ? 1 : 0
+
+ name = var.resource_group_name
+ location = var.location
+ managed_by = var.managed_by
+ tags = try(var.tags.resource_group, null)
+}
+
+# Point-to-Site VPN Gateway
+resource "azurerm_point_to_site_vpn_gateway" "p2svpng" {
 name = var.name
- resource_group_name = var.deploy_resource_group ? module.resource_group[0].name : var.resource_group_name
+ resource_group_name = var.deploy_resource_group ? azurerm_resource_group.rg[0].name : var.resource_group_name
 location = var.location
- connection_configuration {
- name = var.connection_configuration.name
+ dynamic "connection_configuration" {
+ for_each = var.connection_configurations != null ? var.connection_configurations : {}
- vpn_client_address_pool {
- address_prefixes = var.connection_configuration.vpn_client_address_pool.address_prefixes
- }
+ content {
+
+ name = each.key
- dynamic "route" {
- for_each = var.connection_configuration.route != null ? [var.connection_configuration.route] : []
+ vpn_client_address_pool {
+ address_prefixes = each.value.vpn_client_address_pool.address_prefixes
+ }
+
+ dynamic "route" {
+ for_each = each.value.route != null ? [each.value.route] : []
- content {
- associated_route_table_id = route.value.associated_route_table_id
- inbound_route_map_id = route.value.inbound_route_map_id
- outbound_route_map_id = route.value.outbound_route_map_id
+ content {
+ associated_route_table_id = route.value.associated_route_table_id
+ inbound_route_map_id = route.value.inbound_route_map_id
+ outbound_route_map_id = route.value.outbound_route_map_id
- dynamic "propagated_route_table" {
- for_each = route.value.propagated_route_table != null ? [route.value.propagated_route_table] : []
+ dynamic "propagated_route_table" {
+ for_each = route.value.propagated_route_table != null ? [route.value.propagated_route_table] : []
- content {
- ids = propagated_route_table.value.ids
- labels = propagated_route_table.value.labels
+ content {
+ ids = propagated_route_table.value.ids
+ labels = propagated_route_table.value.labels
+ }
 }
 }
 }
- }
- internet_security_enabled = var.connection_configuration.internet_security_enabled
+ internet_security_enabled = each.value.internet_security_enabled
+ }
 }
 scale_unit = var.scale_unit
 virtual_hub_id = var.virtual_hub_id
- vpn_server_configuration_id = azurerm_vpn_server_configuration.vpnsc.id
+ vpn_server_configuration_id = var.vpn_server_configuration_id
 dns_servers = var.dns_servers
 routing_preference_internet_enabled = var.routing_preference_internet_enabled
 tags = try(var.tags.point_to_site_vpn_gateway, null)
diff --git a/outputs.tf b/outputs.tf
index db87712..9f39615 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -1,4 +1,4 @@
 output "id" {
- value = azurerm_point_to_site_vpn_gateway.p2s_vpng.id
 description = "The ID of the Point-to-Site VPN Gateway."
+ value = azurerm_point_to_site_vpn_gateway.p2svpng.id
 }
diff --git a/resource_group.tf b/resource_group.tf
deleted file mode 100644
index 553f89e..0000000
--- a/resource_group.tf
+++ /dev/null
@@ -1,10 +0,0 @@
-module "resource_group" {
- count = var.deploy_resource_group ? 1 : 0
-
- source = "github.com/fjdev/terraform-azurerm-resource-group"
-
- name = var.resource_group_name
- location = var.location
- managed_by = var.managed_by
- tags = try(var.tags.resource_group, null)
-}
diff --git a/variables.tf b/variables.tf
index 6d84625..dc2c174 100644
--- a/variables.tf
+++ b/variables.tf
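Review bot: The new `dynamic "connection_configuration"` block reads `each.key` and `each.value`, but `each` only exists when the enclosing resource itself has a `for_each` meta-argument, and `azurerm_point_to_site_vpn_gateway.p2svpng` has none in this hunk; inside a dynamic block the iterator is named after the block label, so these references should be `connection_configuration.key` and `connection_configuration.value`, otherwise `terraform validate` rejects the module. The nested `route` and `propagated_route_table` blocks already use their label-named iterators (`route.value`, `propagated_route_table.value`), so only the outer block is inconsistent. The `!= null ? … : {}` guard on `for_each` suggests a null input is expected, yet the variable is documented as required; `nullable = false` on the variable would make the guard unnecessary. Since the gateway now takes an externally managed `vpn_server_configuration_id`, the module no longer decides the client authentication type or IPsec policy, which is worth stating in the README so callers know that responsibility moved to them. Rewritten lines:
```hcl
  dynamic "connection_configuration" {
    for_each = var.connection_configurations != null ? var.connection_configurations : {}

    content {
      name = connection_configuration.key

      vpn_client_address_pool {
        address_prefixes = connection_configuration.value.vpn_client_address_pool.address_prefixes
      }

      dynamic "route" {
        for_each = connection_configuration.value.route != null ? [connection_configuration.value.route] : []
        # … unchanged: route / propagated_route_table content …
      }

      internet_security_enabled = connection_configuration.value.internet_security_enabled
    }
  }
```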
@@ -3,12 +3,6 @@ variable "name" {
 description = "(Required) Specifies the name of the Point-to-Site VPN Gateway. Changing this forces a new resource to be created."
 }
-variable "deploy_resource_group" {
- type = bool
- default = true
- description = "(Optional) Specifies whether to deploy the resource group or not. Defaults to true."
-}
-
 variable "resource_group_name" {
 type = string
 description = "(Required) The name of the resource group in which to create the Point-to-Site VPN Gateway. Changing this forces a new resource to be created."
@@ -19,24 +13,23 @@ variable "location" {
 description = "(Required) Specifies the supported Azure location where the resource exists. Changing this forces a new resource to be created."
 }
-variable "connection_configuration" {
- type = object({
- name = string
+variable "connection_configurations" {
+ type = map(object({
 vpn_client_address_pool = object({
 address_prefixes = list(string)
 })
 route = optional(object({
 associated_route_table_id = string
- inbound_route_map_id = string
- outbound_route_map_id = string
+ inbound_route_map_id = optional(string)
+ outbound_route_map_id = optional(string)
 propagated_route_table = optional(object({
 ids = list(string)
 labels = optional(list(string))
 }))
 }))
 internet_security_enabled = optional(bool)
- })
- description = "(Required) A connection_configuration block as defined below."
+ }))
+ description = "(Required) One or more connection_configuration blocks as defined above."
 }
 variable "scale_unit" {
@@ -49,69 +42,37 @@ variable "virtual_hub_id" {
 description = "(Required) The ID of the Virtual Hub where this Point-to-Site VPN Gateway should exist. Changing this forces a new resource to be created."
 }
+variable "vpn_server_configuration_id" {
+ type = string
+ description = "(Required) The ID of the VPN Server Configuration which this Point-to-Site VPN Gateway should use. Changing this forces a new resource to be created."
+}
+
 variable "dns_servers" {
 type = list(string)
- default = null
 description = "(Optional) A list of IP Addresses of DNS Servers for the Point-to-Site VPN Gateway."
+ default = []
 }
 variable "routing_preference_internet_enabled" {
 type = bool
- default = false
 description = "(Optional) Is the Routing Preference for the Public IP Interface of the VPN Gateway enabled? Defaults to false. Changing this forces a new resource to be created."
-}
-
-variable "managed_by" {
- type = string
- default = null
- description = "(Optional) The ID of the resource or application that manages this Resource Group."
+ default = false
 }
 variable "tags" {
 type = any
+ description = "(Optional) A mapping of tags to assign to the resources"
 default = null
- description = "(Optional) A mapping of tags to assign to the Point-to-Site VPN Gateway."
 }
-variable "vpn_server_configuration" {
- type = object({
- name = string
- vpn_authentication_types = string
- ipsec_policy = optional(object({
- dh_group = string
- ike_encryption = string
- ike_integrity = string
- ipsec_encryption = string
- ipsec_integrity = string
- pfs_group = string
- sa_lifetime_seconds = number
- sa_data_size_kilobytes = number
- }))
- vpn_protocols = optional(list(string))
- azure_active_directory_authentication = optional(object({
- audience = string
- issuer = string
- tenant = string
- }))
- client_root_certificate = optional(map(object({
- public_cert_data = string
- })))
- client_revoked_certificate = optional(map(object({
- thumbprint = string
- })))
- radius = optional(object({
- server = map(object({
- address = string
- secret = string
- score = number
- }))
- client_root_certificate = optional(map(object({
- thumbprint = string
- })))
- server_root_certificate = optional(map(object({
- public_cert_data = string
- })))
- }))
- })
- description = "(Required) A vpn_server_configuration block as defined below."
+variable "deploy_resource_group" {
+ type = bool
+ description = "(Optional) Specifies whether to deploy the resource group or not. Defaults to true."
+ default = true
+}
+
+variable "managed_by" {
+ type = string
+ default = null
+ description = "(Optional) The ID of the resource or application that manages this Resource Group."
 }
diff --git a/vpn_server_configuration.tf b/vpn_server_configuration.tf
deleted file mode 100644
index f5db12d..0000000
--- a/vpn_server_configuration.tf
+++ /dev/null
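Review bot: `connection_configurations` is declared required, but the new `map(object({...}))` type accepts an empty map and `null` (no `nullable = false`), and nothing in the variable rejects either; main.tf only guards the null case with `!= null ? … : {}`, so an empty input reaches the provider and fails there rather than at the variable, with a less useful message. I would add `nullable = false` and a `validation` block with `condition = length(var.connection_configurations) > 0` and an `error_message` such as "At least one connection_configuration is required.", which also makes the `!= null` guard in main.tf redundant. Each entry's `address_prefixes` is passed straight through as the VPN client address pool; a validation using `can(cidrhost(p, 0))` over the prefixes would catch malformed CIDRs before plan, though I would keep that as a follow-up. The description says "as defined above" where the README lists the block after the table, so "as defined below" or a link to the provider docs would read less confusingly.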
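Review bot: The new `tags` description, "A mapping of tags to assign to the resources", does not say that main.tf reads it per resource via `try(var.tags.resource_group, null)` and `try(var.tags.point_to_site_vpn_gateway, null)`, so a caller passing a flat map such as `{ env = "prod" }` silently gets no tags on either resource because `try()` swallows the failed attribute lookup. I would document the expected shape, e.g. `description = "(Optional) Tags per resource: an object with optional resource_group and point_to_site_vpn_gateway maps, e.g. { point_to_site_vpn_gateway = { env = \"prod\" } }."`, and consider replacing `type = any` with `object({ resource_group = optional(map(string)), point_to_site_vpn_gateway = optional(map(string)) })` so a mis-shaped value is rejected instead of ignored. `dns_servers` now defaults to `[]` instead of `null`, which changes what callers who omit it send to the provider; if azurerm treats an empty list differently from an unset attribute this could surface as a plan diff on existing deployments, so it is worth confirming before merging. `vpn_server_configuration_id` is accepted as any string; a `validation` with `can(regex("^/subscriptions/.+/providers/Microsoft.Network/vpnServerConfigurations/.+$", var.vpn_server_configuration_id))` would catch a resource ID of the wrong type early, though I have only the variable's description to go on for that expected form.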
@@ -1,86 +0,0 @@
-resource "azurerm_vpn_server_configuration" "vpnsc" {
- name = var.vpn_server_configuration.name
- resource_group_name = var.deploy_resource_group ? module.resource_group[0].name : var.resource_group_name
- location = var.location
- vpn_authentication_types = var.vpn_server_configuration.vpn_authentication_types
-
- dynamic "ipsec_policy" {
- for_each = var.vpn_server_configuration.ipsec_policy != null ? [var.vpn_server_configuration.ipsec_policy] : []
-
- content {
- dh_group = ipsec_policy.value.dh_group
- ike_encryption = ipsec_policy.value.ike_encryption
- ike_integrity = ipsec_policy.value.ike_integrity
- ipsec_encryption = ipsec_policy.value.ipsec_encryption
- ipsec_integrity = ipsec_policy.value.ipsec_integrity
- pfs_group = ipsec_policy.value.pfs_group
- sa_lifetime_seconds = ipsec_policy.value.sa_lifetime_seconds
- sa_data_size_kilobytes = ipsec_policy.value.sa_data_size_kilobytes
- }
- }
-
- vpn_protocols = var.vpn_server_configuration.vpn_protocols
- tags = try(var.tags.vpn_server_configuration, null)
-
- dynamic "azure_active_directory_authentication" {
- for_each = var.vpn_server_configuration.vpn_authentication_types == "AAD" ? [var.vpn_server_configuration.azure_active_directory_authentication] : []
-
- content {
- audience = azure_active_directory_authentication.value.audience
- issuer = azure_active_directory_authentication.value.issuer
- tenant = azure_active_directory_authentication.value.tenant
- }
- }
-
- dynamic "client_root_certificate" {
- for_each = var.vpn_server_configuration.vpn_authentication_types == "Certificate" ? var.vpn_server_configuration.client_root_certificate : {}
-
- content {
- name = client_root_certificate.key
- public_cert_data = client_root_certificate.value.publipublic_cert_data
- }
- }
-
- dynamic "client_revoked_certificate" {
- for_each = var.vpn_server_configuration.vpn_authentication_types == "Certificate" && var.vpn_server_configuration.client_revoked_certificate != null ? var.vpn_server_configuration.client_revoked_certificate : {}
-
- content {
- name = client_revoked_certificate.key
- thumbprint = client_revoked_certificate.value.thumbprint
- }
- }
-
- dynamic "radius" {
- for_each = var.vpn_server_configuration.vpn_authentication_types == "Radius" && var.vpn_server_configuration.radius != null ? [var.vpn_server_configuration.radius] : []
-
- content {
- dynamic "server" {
- for_each = radius.value.server
-
- content {
- address = server.value.address
- secret = server.value.secret
- score = server.value.score
- }
- }
-
- dynamic "client_root_certificate" {
- for_each = radius.value.client_root_certificate != null ? radius.value.client_root_certificate : {}
-
- content {
- name = client_root_certificate.key
- thumbprint = client_root_certificate.value.thumbprint
- }
- }
-
- dynamic "server_root_certificate" {
- for_each = radius.value.server_root_certificate != null ? radius.value.server_root_certificate : {}
-
- content {
- name = server_root_certificate.key
- public_cert_data = server_root_certificate.value.public_cert_data
- }
- }
- }
- }
-}