New fields source_address_prefixes and destination_address_prefixes (#61)

yupwei68 · web-flow · commit 55008d97244a · 2020-11-24T15:22:57.000+08:00
* update

* update
diff --git a/README.md b/README.md
@@ -15,6 +15,10 @@ This module includes a a set of pre-defined rules for commonly used protocols (f
 
 The following example demonstrate how to use the network-security-group module with a combination of predefined and custom rules.
 
+~> **NOTE:** `source_address_prefix` is defined differently in `predefined_rules` and `custom_rules`. 
+`predefined_rules` uses `var.source_address_prefix` defined in the module.`var.source_address_prefix` is of type list(string), but allowed only one element (CIDR, `*`, source IP range or Tags). For more source_address_prefixes, please use `var.source_address_prefixes`. The same for `var.destination_address_prefix` in `predefined_rules`.
+`custom_rules` uses `source_address_prefix` defined in the block `custom_rules`. `source_address_prefix` is of type string (CIDR, `*`, source IP range or Tags). For more source_address_prefixes, please use `source_address_prefixes` in block `custom_rules`. The same for `destination_address_prefix` in `custom_rules`.
+
 ```hcl
 provider "azurerm" {
   features {}
@@ -44,14 +48,27 @@ module "network-security-group" {
 
   custom_rules = [
     {
-      name                   = "myhttp"
-      priority               = "200"
+      name                   = "myssh"
+      priority               = 201
       direction              = "Inbound"
       access                 = "Allow"
       protocol               = "tcp"
-      destination_port_range = "8080"
-      description            = "description-myhttp"
-    }
+      source_port_range      = "*"
+      destination_port_range = "22"
+      source_address_prefix  = "10.151.0.0/24"
+      description            = "description-myssh"
+    },
+    {
+      name                    = "myhttp"
+      priority                = 200
+      direction               = "Inbound"
+      access                  = "Allow"
+      protocol                = "tcp"
+      source_port_range       = "*"
+      destination_port_range  = "8080"
+      source_address_prefixes = ["10.151.0.0/24", "10.151.1.0/24"]
+      description             = "description-http"
+    },
   ]
 
   tags = {
diff --git a/main.tf b/main.tf
@@ -23,12 +23,14 @@ resource "azurerm_network_security_rule" "predefined_rules" {
   source_port_ranges                         = split(",", replace(lookup(var.predefined_rules[count.index], "source_port_range", "*"), "*", "0-65535"))
   destination_port_range                     = element(var.rules[lookup(var.predefined_rules[count.index], "name")], 4)
   description                                = element(var.rules[lookup(var.predefined_rules[count.index], "name")], 5)
-  source_address_prefix                      = length(lookup(var.predefined_rules[count.index], "source_application_security_group_ids", [])) == 0 ? join(",", var.source_address_prefix) : ""
-  destination_address_prefix                 = length(lookup(var.predefined_rules[count.index], "destination_application_security_group_ids", [])) == 0 ? join(",", var.destination_address_prefix) : ""
+  source_address_prefix                      = lookup(var.predefined_rules[count.index], "source_application_security_group_ids", null) == null && var.source_address_prefixes == null ? join(",", var.source_address_prefix) : null
+  source_address_prefixes                    = lookup(var.predefined_rules[count.index], "source_application_security_group_ids", null) == null ? var.source_address_prefixes : null
+  destination_address_prefix                 = lookup(var.predefined_rules[count.index], "destination_application_security_group_ids", null) == null && var.destination_address_prefixes == null ? join(",", var.destination_address_prefix) : null
+  destination_address_prefixes               = lookup(var.predefined_rules[count.index], "destination_application_security_group_ids", null) == null ? var.destination_address_prefixes : null
   resource_group_name                        = data.azurerm_resource_group.nsg.name
   network_security_group_name                = azurerm_network_security_group.nsg.name
-  source_application_security_group_ids      = lookup(var.predefined_rules[count.index], "source_application_security_group_ids", [])
-  destination_application_security_group_ids = lookup(var.predefined_rules[count.index], "destination_application_security_group_ids", [])
+  source_application_security_group_ids      = lookup(var.predefined_rules[count.index], "source_application_security_group_ids", null)
+  destination_application_security_group_ids = lookup(var.predefined_rules[count.index], "destination_application_security_group_ids", null)
 }
 
 #############################
@@ -44,11 +46,13 @@ resource "azurerm_network_security_rule" "custom_rules" {
   protocol                                   = lookup(var.custom_rules[count.index], "protocol", "*")
   source_port_ranges                         = split(",", replace(lookup(var.custom_rules[count.index], "source_port_range", "*"), "*", "0-65535"))
   destination_port_ranges                    = split(",", replace(lookup(var.custom_rules[count.index], "destination_port_range", "*"), "*", "0-65535"))
-  source_address_prefix                      = length(lookup(var.custom_rules[count.index], "source_application_security_group_ids", [])) == 0 ? lookup(var.custom_rules[count.index], "source_address_prefix", "*") : ""
-  destination_address_prefix                 = length(lookup(var.custom_rules[count.index], "destination_application_security_group_ids", [])) == 0 ? lookup(var.custom_rules[count.index], "destination_address_prefix", "*") : ""
+  source_address_prefix                      = lookup(var.custom_rules[count.index], "source_application_security_group_ids", null) == null && lookup(var.custom_rules[count.index], "source_address_prefixes", null) == null ? lookup(var.custom_rules[count.index], "source_address_prefix", "*") : null
+  source_address_prefixes                    = lookup(var.custom_rules[count.index], "source_application_security_group_ids", null) == null ? lookup(var.custom_rules[count.index], "source_address_prefixes", null) : null
+  destination_address_prefix                 = lookup(var.custom_rules[count.index], "destination_application_security_group_ids", null) == null && lookup(var.custom_rules[count.index], "destination_address_prefixes", null) == null ? lookup(var.custom_rules[count.index], "destination_address_prefix", "*") : null
+  destination_address_prefixes               = length(lookup(var.custom_rules[count.index], "destination_application_security_group_ids", [])) == 0 ? lookup(var.custom_rules[count.index], "destination_address_prefixes", null) : null
   description                                = lookup(var.custom_rules[count.index], "description", "Security rule for ${lookup(var.custom_rules[count.index], "name", "default_rule_name")}")
   resource_group_name                        = data.azurerm_resource_group.nsg.name
   network_security_group_name                = azurerm_network_security_group.nsg.name
-  source_application_security_group_ids      = lookup(var.custom_rules[count.index], "source_application_security_group_ids", [])
-  destination_application_security_group_ids = lookup(var.custom_rules[count.index], "destination_application_security_group_ids", [])
+  source_application_security_group_ids      = lookup(var.custom_rules[count.index], "source_application_security_group_ids", null)
+  destination_application_security_group_ids = lookup(var.custom_rules[count.index], "destination_application_security_group_ids", null)
 }
diff --git a/test/fixture/main.tf b/test/fixture/main.tf
@@ -60,6 +60,42 @@ module "testPredefinedRuleWithCustom" {
   depends_on = [azurerm_resource_group.test]
 }
 
+module "testPredefinedRuleWithPrefix" {
+  source                = "../../"
+  resource_group_name   = azurerm_resource_group.test.name
+  security_group_name   = "nsg_${random_id.randomize.hex}testPredefinedWithPrefix"
+  source_address_prefix = ["VirtualNetwork"]
+  predefined_rules = [
+    {
+      name = "HTTP"
+    },
+    {
+      name     = "HTTPS"
+      priority = 510
+    },
+  ]
+
+  depends_on = [azurerm_resource_group.test]
+}
+
+module "testPredefinedRuleWithPrefixes" {
+  source                  = "../../"
+  resource_group_name     = azurerm_resource_group.test.name
+  security_group_name     = "nsg_${random_id.randomize.hex}testPredefinedWithPrefixes"
+  source_address_prefixes = ["10.151.0.0/24", "10.151.1.0/24"]
+  predefined_rules = [
+    {
+      name = "HTTP"
+    },
+    {
+      name     = "HTTPS"
+      priority = 510
+    },
+  ]
+
+  depends_on = [azurerm_resource_group.test]
+}
+
 
 
 module "testCustom" {
@@ -93,3 +129,37 @@ module "testCustom" {
 
   depends_on = [azurerm_resource_group.test]
 }
+
+module "testCustomPrefix" {
+  source              = "../../"
+  resource_group_name = azurerm_resource_group.test.name
+  security_group_name = "nsg_${random_id.randomize.hex}testCustomPrefix"
+  custom_rules = [
+    {
+      name                   = "myssh"
+      priority               = 201
+      direction              = "Inbound"
+      access                 = "Allow"
+      protocol               = "tcp"
+      source_port_range      = "*"
+      destination_port_range = "22"
+      source_address_prefix  = "10.151.0.0/24"
+      description            = "description-myssh"
+    },
+    {
+      name                                       = "myhttp"
+      priority                                   = 200
+      direction                                  = "Inbound"
+      access                                     = "Allow"
+      protocol                                   = "tcp"
+      source_port_range                          = "*"
+      destination_port_range                     = "8080"
+      source_address_prefixes                    = ["10.151.0.0/24", "10.151.1.0/24"]
+      description                                = "description-http"
+      destination_application_security_group_ids = [azurerm_application_security_group.second.id]
+    },
+  ]
+
+  depends_on = [azurerm_resource_group.test]
+}
+
diff --git a/variables.tf b/variables.tf
@@ -40,30 +40,32 @@ variable "custom_rules" {
   default     = []
 }
 
-# source address prefix to be applied to all rules
+# source address prefix to be applied to all predefined rules
+# list(string) only allowed one element (CIDR, `*`, source IP range or Tags)
+# Example ["10.0.3.0/24"] or ["VirtualNetwork"]
 variable "source_address_prefix" {
   type    = list(string)
   default = ["*"]
+}
 
-  # Example ["10.0.3.0/24"] or ["VirtualNetwork"]
+# Destination address prefix to be applied to all predefined rules
+# Example ["10.0.3.0/32","10.0.3.128/32"]
+variable "source_address_prefixes" {
+  type    = list(string)
+  default = null
 }
 
-# Destination address prefix to be applied to all rules
+# Destination address prefix to be applied to all predefined rules
+# list(string) only allowed one element (CIDR, `*`, source IP range or Tags)
+# Example ["10.0.3.0/24"] or ["VirtualNetwork"]
 variable "destination_address_prefix" {
   type    = list(string)
   default = ["*"]
-
-  # Example ["10.0.3.0/32","10.0.3.128/32"] or ["VirtualNetwork"] 
 }
 
-variable "source_application_security_group_ids" {
-  description = "(Optional) A List of source Application Security Group IDs. Conflicted with `source_address_prefix`. Once assigned with `source_address_prefix`, it'll have a higher priority."
-  type        = set(string)
-  default     = []
-}
-
-variable "destination_application_security_group_ids" {
-  description = "(Optional) A List of destination Application Security Group IDs. Conflicted with `destination_address_prefix`. Once assigned with `destination_address_prefix`, it'll have a higher priority."
-  type        = set(string)
-  default     = []
-}
+# Destination address prefix to be applied to all predefined rules
+# Example ["10.0.3.0/32","10.0.3.128/32"]
+variable "destination_address_prefixes" {
+  type    = list(string)
+  default = null
+}
