# Azure Private Endpoint

Changelog Notice Apache V2 License OpenTofu Registry

This Terraform module creates an Azure Private Endpoint and, optionally, one or more Azure Private DNS Zones linked to your VNets. Note that a Private Endpoint only adds a private path to the target resource: restricting that resource's public access (its firewall rules or public network access setting) remains the target resource's own configuration and is not managed by this module.

You can create Private DNS Zones without creating a Private Endpoint by using the `modules/private-dns-zone` submodule.

## Global versioning rule for Claranet Azure modules

| Module version | Terraform version | OpenTofu version | AzureRM version |
| -------------- | ----------------- | ---------------- | --------------- |
| >= 8.x.x       | **Unverified**    | 1.8.x            | >= 4.0          |
| >= 7.x.x       | 1.3.x             |                  | >= 3.0          |
| >= 6.x.x       | 1.x               |                  | >= 3.0          |
| >= 5.x.x       | 0.15.x            |                  | >= 2.0          |
| >= 4.x.x       | 0.13.x / 0.14.x   |                  | >= 2.0          |
| >= 3.x.x       | 0.12.x            |                  | >= 2.0          |
| >= 2.x.x       | 0.12.x            |                  | < 2.0           |
| < 2.x.x        | 0.11.x            |                  | < 2.0           |

## Contributing

If you want to contribute to this repository, feel free to use our pre-commit git hook configuration, which automatically updates and formats some files for you by enforcing our Terraform module best practices.

More details are available in the CONTRIBUTING.md file.

## Usage

This module is optimized to work with the Claranet terraform-wrapper tool, which sets some Terraform variables in the environment that this module needs. More details about the variables set by the terraform-wrapper are available in its documentation.

⚠️ Since module version v8.0.0, we no longer maintain or check compatibility with HashiCorp Terraform; we recommend using OpenTofu instead.

```hcl
module "vnet_01" {
  source  = "claranet/vnet/azurerm"
  version = "x.x.x"

  location            = module.azure_region.location
  location_short      = module.azure_region.location_short
  client_name         = var.client_name
  environment         = var.environment
  stack               = var.stack
  resource_group_name = module.rg.name

  name_suffix = "01"

  cidrs = ["192.168.1.0/24"]
}

module "subnet_01" {
  source  = "claranet/subnet/azurerm"
  version = "x.x.x"

  location_short      = module.azure_region.location_short
  client_name         = var.client_name
  environment         = var.environment
  stack               = var.stack
  resource_group_name = module.rg.name

  name_suffix = "01"

  virtual_network_name = module.vnet_01.name

  private_link_endpoint_enabled = true
  private_link_service_enabled  = true

  cidrs = ["192.168.1.128/25"]
}

module "vnet_02" {
  source  = "claranet/vnet/azurerm"
  version = "x.x.x"

  location            = module.azure_region.location
  location_short      = module.azure_region.location_short
  client_name         = var.client_name
  environment         = var.environment
  stack               = var.stack
  resource_group_name = module.rg.name

  name_suffix = "02"

  cidrs = ["172.16.0.0/16"]
}

module "subnet_02" {
  source  = "claranet/subnet/azurerm"
  version = "x.x.x"

  location_short      = module.azure_region.location_short
  client_name         = var.client_name
  environment         = var.environment
  stack               = var.stack
  resource_group_name = module.rg.name

  name_suffix = "02"

  virtual_network_name = module.vnet_02.name

  private_link_endpoint_enabled = true
  private_link_service_enabled  = false

  cidrs = ["172.16.4.0/24"]
}

module "key_vault" {
  source  = "claranet/keyvault/azurerm"
  version = "x.x.x"

  location            = module.azure_region.location
  location_short      = module.azure_region.location_short
  client_name         = var.client_name
  environment         = var.environment
  stack               = var.stack
  resource_group_name = module.rg.name

  admin_objects_ids = [data.azurerm_client_config.current.object_id]

  logs_destinations_ids = [
    module.logs.storage_account_id,
    module.logs.id,
  ]
}

module "lb" {
  source  = "claranet/lb/azurerm"
  version = "x.x.x"

  location            = module.azure_region.location
  location_short      = module.azure_region.location_short
  client_name         = var.client_name
  environment         = var.environment
  stack               = var.stack
  resource_group_name = module.rg.name

  public_ip_allocated = true
}

resource "azurerm_private_link_service" "example" {
  name                = format("pls-%s-%s-%s-%s", var.stack, var.client_name, module.azure_region.location_short, var.environment)
  location            = module.azure_region.location
  resource_group_name = module.rg.name

  load_balancer_frontend_ip_configuration_ids = [module.lb.frontend_ip_configuration[0].id]

  nat_ip_configuration {
    name      = "default"
    primary   = true
    subnet_id = module.subnet_02.id
  }
}

module "kv_private_endpoint" {
  source  = "claranet/private-endpoint/azurerm"
  version = "x.x.x"

  location            = module.azure_region.location
  location_short      = module.azure_region.location_short
  client_name         = var.client_name
  environment         = var.environment
  stack               = var.stack
  resource_group_name = module.rg.name

  name_suffix = "kv"

  nic_custom_name = "foo"

  subnet_id = module.subnet_01.id
  ip_configurations = [{           # The number of IP configurations depends on the target resource
    member_name        = "default" # The `member_name` value depends on the target resource
    private_ip_address = cidrhost(module.subnet_01.cidrs[0], 34)
  }]

  target_resource  = module.key_vault.id
  subresource_name = "vault"

  private_dns_zones_names     = ["privatelink.vaultcore.azure.net"]
  private_dns_zones_vnets_ids = [module.vnet_01.id, module.vnet_02.id]
}

module "example_private_endpoint" {
  source  = "claranet/private-endpoint/azurerm"
  version = "x.x.x"

  location            = module.azure_region.location
  location_short      = module.azure_region.location_short
  client_name         = var.client_name
  environment         = var.environment
  stack               = var.stack
  resource_group_name = module.rg.name

  name_suffix = "example"

  nic_custom_name = "bar"

  subnet_id = module.subnet_02.id

  target_resource = azurerm_private_link_service.example.id
}

module "example_alias_private_endpoint" {
  source  = "claranet/private-endpoint/azurerm"
  version = "x.x.x"

  location            = module.azure_region.location
  location_short      = module.azure_region.location_short
  client_name         = var.client_name
  environment         = var.environment
  stack               = var.stack
  resource_group_name = module.rg.name

  name_suffix = "examplealias"

  is_manual_connection = true

  subnet_id = module.subnet_02.id
  ip_configurations = [{
    private_ip_address = cidrhost(module.subnet_02.cidrs[0], 34)
  }]

  target_resource = azurerm_private_link_service.example.alias
}
```

## Providers

| Name     | Version   |
| -------- | --------- |
| azurecaf | ~> 1.2.28 |
| azurerm  | ~> 4.0    |

## Modules

| Name              | Source                      | Version |
| ----------------- | --------------------------- | ------- |
| private_dns_zones | ./modules/private-dns-zone  | n/a     |

## Resources

| Name                                    | Type        |
| --------------------------------------- | ----------- |
| azurerm_private_endpoint.main           | resource    |
| azurecaf_name.private_dns_zone_group    | data source |
| azurecaf_name.private_endpoint          | data source |
| azurecaf_name.private_service_connection | data source |

## Inputs

| Name | Description | Type | Default | Required |
| ---- | ----------- | ---- | ------- | :------: |
| client_name | Client name/account used in naming. | `string` | n/a | yes |
| custom_name | Custom Private Endpoint name, generated if not set. | `string` | `""` | no |
| default_tags_enabled | Option to enable or disable default tags. | `bool` | `true` | no |
| environment | Project environment. | `string` | n/a | yes |
| extra_tags | Extra tags to add. | `map(string)` | `{}` | no |
| ip_configurations | List of IP Configuration objects. Any modification to the parameters of an IP Configuration object forces a new resource to be created.<br>`name` = Name of the IP Configuration.<br>`member_name` = Member name of the IP Configuration. If not specified, the value of `subresource_name` is used. Only valid if `target_resource` is not a Private Link Service.<br>`subresource_name` = Subresource name of the IP Configuration. Only valid if `target_resource` is not a Private Link Service.<br>`private_ip_address` = Private IP address within the Subnet of the Private Endpoint. | <pre>list(object({<br>  name               = optional(string, "default")<br>  member_name        = optional(string)<br>  subresource_name   = optional(string)<br>  private_ip_address = string<br>}))</pre> | `[]` | no |
| is_manual_connection | Does the Private Endpoint require manual approval from the remote resource owner? When `true`, the connection stays pending, and no traffic flows, until the owner approves it; the approval itself is not handled by this module. | `bool` | `false` | no |
| location | Azure location. | `string` | n/a | yes |
| location_short | Short string for Azure location. | `string` | n/a | yes |
| name_prefix | Optional prefix for the generated name. | `string` | `""` | no |
| name_suffix | Optional suffix for the generated name. | `string` | `""` | no |
| nic_custom_name | Custom network interface name of the Private Endpoint, generated by Azure if not set. | `string` | `null` | no |
| private_dns_zone_group_custom_name | Custom Private DNS Zone Group name, generated if not set. | `string` | `""` | no |
| private_dns_zones_ids | IDs of existing Private DNS Zones in which a new record will be created for the Private Endpoint. Only valid if `use_existing_private_dns_zones` is set to `true` and `target_resource` is not a Private Link Service. When `target_resource` is not a Private Link Service, one of `private_dns_zones_ids` or `private_dns_zones_names` must be specified. | `list(string)` | `[]` | no |
| private_dns_zones_names | Names of the Private DNS Zones to create. Only valid if `use_existing_private_dns_zones` is set to `false` and `target_resource` is not a Private Link Service. When `target_resource` is not a Private Link Service, one of `private_dns_zones_ids` or `private_dns_zones_names` must be specified. | `list(string)` | `[]` | no |
| private_dns_zones_vnets_ids | IDs of the VNets to link to the created Private DNS Zones. Only valid if `use_existing_private_dns_zones` is set to `false` and `target_resource` is not a Private Link Service. | `list(string)` | `[]` | no |
| private_service_connection_custom_name | Custom Private Service Connection name, generated if not set. | `string` | `""` | no |
| request_message | A message passed to the owner of the remote resource when the Private Endpoint attempts to establish the connection to the remote resource. Only valid if `is_manual_connection` is set to `true`. | `string` | `"Private Endpoint Deployment"` | no |
| resource_group_name | Resource group name. | `string` | n/a | yes |
| stack | Project stack name. | `string` | n/a | yes |
| subnet_id | ID of the subnet in which the Private Endpoint will be created. | `string` | n/a | yes |
| subresource_name | Name of the subresource corresponding to the target Azure resource. Only valid if `target_resource` is not a Private Link Service. | `string` | `""` | no |
| target_resource | Private Link Service Alias or ID of the target resource. | `string` | n/a | yes |
| use_existing_private_dns_zones | Set to `true` to register the Private Endpoint in existing Private DNS Zones (given by `private_dns_zones_ids`) instead of creating them. Use this to centralize the Private DNS Zones in another Resource Group, which may belong to another subscription, and create them there with the `private-dns-zone` submodule directly. | `bool` | `false` | no |
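The centralized-zone pattern that `use_existing_private_dns_zones` is meant for, as an added example that is not part of this README or of the module's own code. It assumes a provider alias `azurerm.hub` with read access to a hub subscription, a variable `var.hub_dns_resource_group_name` holding the hub resource group that owns the zones, a local map `privatelink_zones`, and the `azure_region`, `rg`, `subnet_01` and `key_vault` modules from the Usage section above; the module block name `kv_private_endpoint_central_dns` is arbitrary. Deriving the zone name from the subresource, rather than typing both, makes a mismatch fail at plan time instead of silently registering the record in a zone that clients never query (in which case name resolution falls back to the public endpoint):

```hcl
# Added example, not from the module's README. Assumptions: provider alias
# `azurerm.hub`, `var.hub_dns_resource_group_name`, and the modules of the
# Usage section above.

locals {
  # Subresource -> privatelink zone (Microsoft's published zone names).
  # Looking the zone up from the subresource means a typo in either one
  # is a plan-time error rather than a working-looking but public path.
  privatelink_zones = {
    vault = "privatelink.vaultcore.azure.net"
    blob  = "privatelink.blob.core.windows.net"
  }
  kv_subresource = "vault"
}

# The zone exists once, in the hub, and is linked to every spoke VNet by
# the hub team (for example with this module's modules/private-dns-zone
# submodule). It is only read here.
data "azurerm_private_dns_zone" "kv_hub" {
  provider            = azurerm.hub
  name                = local.privatelink_zones[local.kv_subresource]
  resource_group_name = var.hub_dns_resource_group_name
}

module "kv_private_endpoint_central_dns" {
  source  = "claranet/private-endpoint/azurerm"
  version = "x.x.x"

  location            = module.azure_region.location
  location_short      = module.azure_region.location_short
  client_name         = var.client_name
  environment         = var.environment
  stack               = var.stack
  resource_group_name = module.rg.name

  name_suffix = "kv"

  subnet_id = module.subnet_01.id

  target_resource  = module.key_vault.id
  subresource_name = local.kv_subresource

  # Reuse the hub zone instead of creating a spoke-local copy, so there is
  # a single authoritative zone of that name for all linked VNets.
  use_existing_private_dns_zones = true
  private_dns_zones_ids          = [data.azurerm_private_dns_zone.kv_hub.id]
}
```

Two things to check before applying: the Private DNS Zone Group created by the Private Endpoint writes the A record into the hub zone through its ID, so the principal running the spoke deployment needs write access on that zone (the Private DNS Zone Contributor role is sufficient); and the hub zone must actually be linked to the spoke VNets whose clients should reach the Key Vault privately, otherwise those clients still resolve the public address.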

## Outputs

| Name | Description |
| ---- | ----------- |
| id | Private Endpoint ID. |
| ip_address | IP address associated with the Private Endpoint. |
| module_private_dns_zone | Azure Private DNS Zone module outputs. |
| private_dns_zones_ids | Map of Private DNS Zone IDs created as part of this module. Only available if `use_existing_private_dns_zones` is set to `false` and `target_resource` is not a Private Link Service. |
| private_dns_zones_record_sets | Map of Private DNS Zone record sets created as part of this module. Only available if `use_existing_private_dns_zones` is set to `false` and `target_resource` is not a Private Link Service. |
| resource | Azure Private Endpoint resource object. |

## Related documentation

Microsoft Azure documentation: [docs.microsoft.com/en-us/azure/private-link/](https://docs.microsoft.com/en-us/azure/private-link/)