feat: Firewall rules

dploeger · dploeger · commit 7ea753bd8eaf · 2021-05-05T14:29:22.000+02:00
diff --git a/README.md b/README.md
@@ -35,6 +35,7 @@ No modules.
 The following resources are used by this module:
 
 - [azurerm_mysql_database.db](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mysql_database) (resource)
+- [azurerm_mysql_firewall_rule.firewall](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mysql_firewall_rule) (resource)
 - [azurerm_mysql_server.server](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mysql_server) (resource)
 
 ## Required Inputs
@@ -89,6 +90,22 @@ Type: `string`
 
 Default: `"mysqladmin"`
 
+### allowed\_ips
+
+Description:     A hash of permissions to access the database server by ip. The hash key is the name suffix and each value  
+    has a start and an end value.
+
+Type:
+
+```hcl
+object({
+    start = string,
+    end   = string
+  })
+```
+
+Default: `[]`
+
 ### backup\_retention\_days
 
 Description: Number of days to keep backups
@@ -99,15 +116,15 @@ Default: `7`
 
 ### database\_host\_sku
 
-Description: n/a
+Description: SKU for the database server to use
 
 Type: `string`
 
-Default: `"GP_Gen5_1"`
+Default: `"GP_Gen5_2"`
 
 ### database\_storage
 
-Description: n/a
+Description: Required database storage (in MB)
 
 Type: `string`
 
@@ -121,6 +138,14 @@ Type: `string`
 
 Default: `"8.0"`
 
+### public\_access
+
+Description: Wether to allow public access to the database server
+
+Type: `bool`
+
+Default: `false`
+
 ### suffix
 
 Description: Naming suffix to allow multiple instances of this module
diff --git a/firewall.tf b/firewall.tf
@@ -0,0 +1,8 @@
+resource "azurerm_mysql_firewall_rule" "firewall" {
+  for_each            = var.allowed_ips
+  start_ip_address    = each.value.start
+  end_ip_address      = each.value.end
+  name                = "${var.project}${var.stage}dbfw${each.key}"
+  resource_group_name = var.resource_group
+  server_name         = azurerm_mysql_server.server.name
+}
diff --git a/main.tf b/main.tf
@@ -14,7 +14,7 @@ resource "azurerm_mysql_server" "server" {
   backup_retention_days             = var.backup_retention_days
   geo_redundant_backup_enabled      = false
   infrastructure_encryption_enabled = true
-  public_network_access_enabled     = false
+  public_network_access_enabled     = var.public_access
   ssl_enforcement_enabled           = true
 }
 
diff --git a/vars.tf b/vars.tf
@@ -45,7 +45,6 @@ variable "backup_retention_days" {
   }
 }
 
-
 variable "admin_login" {
   type        = string
   description = "Admin login"
@@ -58,11 +57,31 @@ variable "admin_password" {
 }
 
 variable "database_host_sku" {
-  type    = string
-  default = "GP_Gen5_2"
+  type        = string
+  default     = "GP_Gen5_2"
+  description = "SKU for the database server to use"
 }
 
 variable "database_storage" {
-  type    = string
-  default = "5120"
+  type        = string
+  default     = "5120"
+  description = "Required database storage (in MB)"
+}
+
+variable "public_access" {
+  description = "Wether to allow public access to the database server"
+  type        = bool
+  default     = false
+}
+
+variable "allowed_ips" {
+  description = <<EOF
+    A hash of permissions to access the database server by ip. The hash key is the name suffix and each value
+    has a start and an end value.
+  EOF
+  type = object({
+    start = string,
+    end   = string
+  })
+  default = []
 }

Original file line number	Diff line number	Diff line change
`@@ -14,7 +14,7 @@ resource "azurerm_mysql_server" "server" {`
`14`	`14`	`backup_retention_days = var.backup_retention_days`
`15`	`15`	`geo_redundant_backup_enabled = false`
`16`	`16`	`infrastructure_encryption_enabled = true`
`17`		`- public_network_access_enabled = false`
	`17`	`+ public_network_access_enabled = var.public_access`
`18`	`18`	`ssl_enforcement_enabled = true`
`19`	`19`	`}`
`20`	`20`