diff --git a/examples/container_registry.tfvars b/examples/container_registry.tfvars
new file mode 100644
index 00000000..f7369d56
--- /dev/null
+++ b/examples/container_registry.tfvars
@@ -0,0 +1,63 @@
+container_registries = {
+ acr_test_1 = {
+ resource_group_ref = "rg_test"
+ name = "acrtestdevne01"
+ sku = "Premium"
+
+ georeplications = {
+ georeplication_test_1 = {
+ location = "West Europe"
+ zone_redundancy_enabled = true
+ tags = { Owner = "prod" }
+ }
+ }
+
+ private_endpoint = {
+ name = "pe-acrtestdevne01"
+ subnet_ref = "vnet_test/snet_private_endpoint_1"
+
+ # This block is needed only if you need name different than the default
+ private_service_connection = {
+ name = "test-privateserviceconnection"
+ }
+
+ private_dns_zone_group_ref = "container_registries"
+ }
+ }
+}
+
+# pre-requisites
+resource_groups = {
+ rg_test = {
+ name = "rg-test-dv-ne-01"
+ location = "northeurope"
+ }
+}
+
+private_dns_zones = {
+ container_registries = {
+ resource_kind = "container_registries"
+ resource_group_ref = "rg_test"
+ vnet_ref = ["vnet_test"]
+ }
+}
+
+virtual_networks = {
+ vnet_test = {
+ name = "vnet-test-dv-ne-01"
+ resource_group_ref = "rg_test"
+ cidr = ["10.10.10.0/24"]
+ subnets = {
+ snet_private_endpoint_1 = {
+ name = "snet-private-endpoint_1"
+ cidr = ["10.10.10.0/25"]
+ service_endpoints = ["Microsoft.ContainerRegistry"]
+ }
+ snet_private_endpoint_2 = {
+ name = "snet-private-endpoint_2"
+ cidr = ["10.10.10.128/25"]
+ service_endpoints = ["Microsoft.ContainerRegistry"]
+ }
+ }
+ }
+}
diff --git a/src/_variables.resources.tf b/src/_variables.resources.tf
index e3876f54..0acc47bd 100644
--- a/src/_variables.resources.tf
+++ b/src/_variables.resources.tf
@@ -1,17 +1,19 @@
 variable "resource_groups" { default = {} }
-variable "managed_identities" { default = {} }
-
 variable "virtual_networks" { default = {} }
-variable "vnet_peerings" { default = {} }
+variable "container_registry" { default = {} }
-variable "local_network_gateways" { default = {} }
+variable "private_dns_zones" { default = {} }
+
+variable "keyvaults" { default = {} }
+
+variable "storage_accounts" { default = {} }
+
+variable "managed_identities" { default = {} }
 variable "virtual_network_gateways" { default = {} }
 variable "public_ips" { default = {} }
-variable "keyvaults" { default = {} }
-
-variable "storage_accounts" { default = {} }
+variable "local_network_gateways" { default = {} }
diff --git a/src/container_registry.tf b/src/container_registry.tf
new file mode 100644
index 00000000..eb92cffd
--- /dev/null
+++ b/src/container_registry.tf
@@ -0,0 +1,13 @@
+module "container_registry" {
+ source = "./modules/container_registry"
+ for_each = var.container_registry
+
+ settings = each.value
+ global_settings = local.global_settings
+
+ resources = {
+ resource_groups = module.resource_groups
+ virtual_networks = module.virtual_networks
+ private_dns_zones = module.private_dns_zones
+ }
+}
diff --git a/src/modules/_networking/local_network_gateway/_variables.tf b/src/modules/_networking/local_network_gateway/_variables.tf
index 315edc56..6f1524d4 100644
--- a/src/modules/_networking/local_network_gateway/_variables.tf
+++ b/src/modules/_networking/local_network_gateway/_variables.tf
@@ -7,8 +7,5 @@ variable "settings" {
 }
 variable "resources" {
- type = object({
- resource_groups = map(any)
- })
 description = "All required resources"
 }
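Review bot: The root variable is declared as `container_registry` here and iterated as `for_each = var.container_registry` in src/container_registry.tf, but examples/container_registry.tfvars sets `container_registries`, so Terraform reports an undeclared variable for the example and the module iterates an empty map, creating no registry at all. Every other root variable in this file is plural (`private_dns_zones`, `storage_accounts`), so renaming both the declaration and the for_each to `container_registries` keeps the convention and makes the example work. Note also that `storage_accounts` is still declared while src/storage_account.tf and the module it called are deleted in this commit, and that `vnet_peerings` is dropped while src/modules/_networking/vnet_peering remains in the tree.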
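Review bot: Removing `type = object({ resource_groups = map(any) })` from `resources` in local_network_gateway/_variables.tf leaves the variable untyped, so a caller that omits `resource_groups` or passes the wrong shape is no longer rejected at the module boundary and instead fails later inside the `local.resource_group` lookup with a less specific message. If the constraint was dropped because module outputs do not convert cleanly to `map(any)`, an explicit `type = any` with a comment naming the keys the module reads would at least document the contract. The same removal appears in the public_ip, virtual_network, virtual_network_gateway, vnet_peering, managed_identity and renamed private_dns_zone `_variables.tf` hunks.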
diff --git a/src/modules/_networking/local_network_gateway/local_network_gateway.tf b/src/modules/_networking/local_network_gateway/local_network_gateway.tf.tf
similarity index 100%
rename from src/modules/_networking/local_network_gateway/local_network_gateway.tf
rename to src/modules/_networking/local_network_gateway/local_network_gateway.tf.tf
diff --git a/src/modules/_networking/private_dns_zone/_locals.tf b/src/modules/_networking/private_dns_zone/_locals.tf
new file mode 100644
index 00000000..d5dd2830
--- /dev/null
+++ b/src/modules/_networking/private_dns_zone/_locals.tf
@@ -0,0 +1,32 @@
+locals {
+ resource_group = var.resources.resource_groups[var.settings.resource_group_ref]
+ resource_group_name = local.resource_group.name
+ location = local.resource_group.location
+
+ vnet_ids = {
+ for vnet in var.settings.vnet_ref :
+ vnet => {
+ name = var.resources.virtual_networks[vnet].name
+ id = var.resources.virtual_networks[vnet].id
+ }
+ }
+
+ tags = merge(
+ var.global_settings.tags,
+ var.global_settings.inherit_resource_group_tags ? local.resource_group.tags : {},
+ try(var.settings.tags, {})
+ )
+}
+
+locals {
+ # local object used to map possible private dns zoone names
+ zone_names = {
+ "storage_blob" = "privatelink.blob.core.windows.net"
+ "storage_tables" = "privatelink.table.core.windows.net"
+ "storage_queues" = "privatelink.queue.core.windows.net"
+ "storage_files" = "privatelink.file.core.windows.net"
+ "function_apps" = "privatelink.azurewebsites.net"
+ "keyvaults" = "privatelink.vaultcore.azure.net"
+ "container_registries" = "privatelink.azurecr.io"
+ }
+}
diff --git a/src/modules/_networking/private_dns_zone/_outputs.tf b/src/modules/_networking/private_dns_zone/_outputs.tf
new file mode 100644
index 00000000..86b619a2
--- /dev/null
+++ b/src/modules/_networking/private_dns_zone/_outputs.tf
@@ -0,0 +1,7 @@
+output "id" {
+ value = azurerm_private_dns_zone.main.id
+}
+
+output "name" {
+ value = azurerm_private_dns_zone.main.name
+}
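Review bot: The `zone_names` map in private_dns_zone/_locals.tf is the single source of the privatelink zone names, and a value that drifts from the name Azure expects for a service would put the private endpoint's A record in a zone the clients never query, so resolution would fall back to the public FQDN and, depending on the registry's public access setting, either fail or bypass the private endpoint; a comment such as `# Zone names are fixed by Azure Private Link and must match the service's privatelink zone exactly` would make that clear to whoever extends the map. The comment `# local object used to map possible private dns zoone names` has a typo (`zoone`). Separately, the rename in this commit from `local_network_gateway.tf` to `local_network_gateway.tf.tf` looks accidental; Terraform still loads the file because it ends in `.tf`, but the double extension should be reverted.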
diff --git a/src/modules/storage_account/_variables.tf b/src/modules/_networking/private_dns_zone/_variables.tf
similarity index 53%
rename from src/modules/storage_account/_variables.tf
rename to src/modules/_networking/private_dns_zone/_variables.tf
index 4b379539..6f1524d4 100644
--- a/src/modules/storage_account/_variables.tf
+++ b/src/modules/_networking/private_dns_zone/_variables.tf
@@ -3,13 +3,9 @@ variable "global_settings" {
 }
 variable "settings" {
- description = "All the configuration for a storage account"
+ description = "All the configuration for this resource"
 }
 variable "resources" {
- type = object({
- resource_groups = map(any)
- virtual_networks = map(any)
- })
 description = "All required resources"
 }
diff --git a/src/modules/_networking/private_dns_zone/private_dns_vnet_link.tf b/src/modules/_networking/private_dns_zone/private_dns_vnet_link.tf
new file mode 100644
index 00000000..08444fe8
--- /dev/null
+++ b/src/modules/_networking/private_dns_zone/private_dns_vnet_link.tf
@@ -0,0 +1,7 @@
+resource "azurerm_private_dns_zone_virtual_network_link" "main" {
+ for_each = local.vnet_ids
+ name = "${each.value.name}-${azurerm_private_dns_zone.main.name}-link"
+ private_dns_zone_name = azurerm_private_dns_zone.main.name
+ resource_group_name = azurerm_private_dns_zone.main.resource_group_name
+ virtual_network_id = each.value.id
+}
diff --git a/src/modules/_networking/private_dns_zone/private_dns_zone_group.tf b/src/modules/_networking/private_dns_zone/private_dns_zone_group.tf
new file mode 100644
index 00000000..69fc0fb5
--- /dev/null
+++ b/src/modules/_networking/private_dns_zone/private_dns_zone_group.tf
@@ -0,0 +1,5 @@
+resource "azurerm_private_dns_zone" "main" {
+ name = try(local.zone_names[var.settings.resource_kind], var.settings.name)
+ resource_group_name = local.resource_group_name
+ tags = try(local.tags, null)
+}
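Review bot: `name = try(local.zone_names[var.settings.resource_kind], var.settings.name)` in private_dns_zone_group.tf masks a misspelled `resource_kind`: the index fails, `try` falls through to `var.settings.name`, and if that is set the zone is created under an arbitrary name while the registry module's `private_dns_zone_group` later publishes records into a zone that does not match the privatelink FQDN. Resolve the kind first so an unknown value fails at plan time with the key in the message: `name = can(var.settings.resource_kind) ? local.zone_names[var.settings.resource_kind] : var.settings.name`. The file name `private_dns_zone_group.tf` is also misleading, since it holds the `azurerm_private_dns_zone` resource rather than a zone group.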
diff --git a/src/modules/_networking/public_ip/_variables.tf b/src/modules/_networking/public_ip/_variables.tf
index 315edc56..6f1524d4 100644
--- a/src/modules/_networking/public_ip/_variables.tf
+++ b/src/modules/_networking/public_ip/_variables.tf
@@ -7,8 +7,5 @@ variable "settings" {
 }
 variable "resources" {
- type = object({
- resource_groups = map(any)
- })
 description = "All required resources"
 }
diff --git a/src/modules/_networking/public_ip/main.tf b/src/modules/_networking/public_ip/main.tf
index 753d0e8b..43fe1e55 100644
--- a/src/modules/_networking/public_ip/main.tf
+++ b/src/modules/_networking/public_ip/main.tf
@@ -4,4 +4,5 @@ resource "azurerm_public_ip" "main" {
 location = local.location
 allocation_method = try(var.settings.allocation_method, "Static")
 tags = local.tags
+ zones = try(var.settings.zones, null)
 }
diff --git a/src/modules/_networking/virtual_network/_variables.tf b/src/modules/_networking/virtual_network/_variables.tf
index 315edc56..6f1524d4 100644
--- a/src/modules/_networking/virtual_network/_variables.tf
+++ b/src/modules/_networking/virtual_network/_variables.tf
@@ -7,8 +7,5 @@ variable "settings" {
 }
 variable "resources" {
- type = object({
- resource_groups = map(any)
- })
 description = "All required resources"
 }
diff --git a/src/modules/_networking/virtual_network_gateway/_variables.tf b/src/modules/_networking/virtual_network_gateway/_variables.tf
index 8cf17357..4c20a831 100644
--- a/src/modules/_networking/virtual_network_gateway/_variables.tf
+++ b/src/modules/_networking/virtual_network_gateway/_variables.tf
@@ -7,10 +7,5 @@ variable "settings" {
 }
 variable "resources" {
- type = object({
- resource_groups = map(any)
- virtual_networks = map(any)
- public_ips = map(any)
- })
- description = "All required resources"
+ description = "All the configuration for this resource"
 }
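Review bot: In the virtual_network_gateway `_variables.tf` hunk the `resources` variable's description is replaced with `"All the configuration for this resource"`, which is the wording used for `settings` elsewhere, while `resources` still carries the resource-group, vnet and public-ip lookups the module depends on. Keep `description = "All required resources"` as the other modules in this commit do. That hunk also drops the `object({ ... public_ips = map(any) })` constraint, which was the only declaration telling a caller that `public_ips` must be passed to this module.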
diff --git a/src/modules/_networking/virtual_network_gateway/main.tf b/src/modules/_networking/virtual_network_gateway/main.tf
index d371a671..a04a5641 100644
--- a/src/modules/_networking/virtual_network_gateway/main.tf
+++ b/src/modules/_networking/virtual_network_gateway/main.tf
@@ -4,12 +4,12 @@ resource "azurerm_virtual_network_gateway" "main" {
 location = local.location
 tags = local.tags
- sku = var.settings.sku
+ sku = try(var.settings.sku, "VpnGw1")
 type = try(var.settings.type, "Vpn")
 generation = try(var.settings.generation, null)
 vpn_type = try(var.settings.vpn_type, null)
- active_active = try(var.settings.active_active, null)
+ active_active = try(var.settings.active_active, false)
 enable_bgp = try(var.settings.enable_bgp, null)
 dynamic "ip_configuration" {
diff --git a/src/modules/_networking/vnet_peering/_variables.tf b/src/modules/_networking/vnet_peering/_variables.tf
index cc077015..4e8c0d49 100644
--- a/src/modules/_networking/vnet_peering/_variables.tf
+++ b/src/modules/_networking/vnet_peering/_variables.tf
@@ -11,8 +11,5 @@ variable "settings" {
 }
 variable "resources" {
- type = object({
- virtual_networks = map(any)
- })
 description = "All required resources"
 }
diff --git a/src/modules/container_registry/_locals.tf b/src/modules/container_registry/_locals.tf
new file mode 100644
index 00000000..2dd3c7fd
--- /dev/null
+++ b/src/modules/container_registry/_locals.tf
@@ -0,0 +1,21 @@
+locals {
+ resource_group = var.resources.resource_groups[var.settings.resource_group_ref]
+ resource_group_name = local.resource_group.name
+ location = local.resource_group.location
+
+ dns_zone_group = var.resources.private_dns_zones[var.settings.private_endpoint.private_dns_zone_group_ref]
+ dns_zone_group_name = local.dns_zone_group.name
+ private_dns_zone_ids = [local.dns_zone_group.id]
+
+ subnet_id = try(var.resources.virtual_networks[
+ split("/", var.settings.private_endpoint.subnet_ref)[0]
+ ].subnets[
+ split("/", var.settings.private_endpoint.subnet_ref)[1]
+ ].id, null)
+
+ tags = merge(
+ var.global_settings.tags,
+ var.global_settings.inherit_resource_group_tags ? local.resource_group.tags : {},
+ try(var.settings.tags, {})
+ )
+}
diff --git a/src/modules/container_registry/_outputs.tf b/src/modules/container_registry/_outputs.tf
new file mode 100644
index 00000000..ffcc4613
--- /dev/null
+++ b/src/modules/container_registry/_outputs.tf
@@ -0,0 +1,3 @@
+output "id" {
+ value = azurerm_container_registry.main.id
+}
diff --git a/src/modules/container_registry/_variables.tf b/src/modules/container_registry/_variables.tf
new file mode 100644
index 00000000..23af81a0
--- /dev/null
+++ b/src/modules/container_registry/_variables.tf
@@ -0,0 +1,11 @@
+variable "global_settings" {
+ description = "Global settings for tinycaf"
+}
+
+variable "settings" {
+ description = "All the configuration for a azure container registry"
+}
+
+variable "resources" {
+ description = "All required resources"
+}
diff --git a/src/modules/container_registry/container_registry.tf b/src/modules/container_registry/container_registry.tf
new file mode 100644
index 00000000..9a286510
--- /dev/null
+++ b/src/modules/container_registry/container_registry.tf
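Review bot: `subnet_id` is wrapped in `try(..., null)` while the `resource_group` and `dns_zone_group` lookups above it are not, so a misspelled `subnet_ref`, or one without a `/`, silently becomes `null` and only surfaces when the provider rejects `azurerm_private_endpoint.subnet_id`, without naming the bad reference. Drop the `try` so the map-index error points at the missing key, or fail it explicitly with a `precondition` on the private endpoint resource. `var.settings.private_endpoint.private_dns_zone_group_ref` is dereferenced unconditionally, so this module cannot create a registry without a private endpoint; if that is intended, the `settings` variable description should say so.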
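Review bot: The `settings` description in container_registry/_variables.tf reads `"All the configuration for a azure container registry"`; make it `"All the configuration for an Azure container registry"`. Since the module has no typed contract for `settings`, this description is also the right place to list the keys it reads (`name`, `sku`, `georeplications`, `private_endpoint` with `subnet_ref` and `private_dns_zone_group_ref`), which a caller otherwise has to discover from `_locals.tf`.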
@@ -0,0 +1,20 @@
+resource "azurerm_container_registry" "main" {
+ name = var.settings.name
+ resource_group_name = local.resource_group_name
+ location = local.location
+ tags = local.tags
+ sku = var.settings.sku
+
+ public_network_access_enabled = try(var.settings.public_network_access_enabled, false)
+ admin_enabled = try(var.settings.admin_enabled, false)
+
+ dynamic "georeplications" {
+ for_each = var.settings.georeplications
+
+ content {
+ location = georeplications.value.location
+ zone_redundancy_enabled = try(georeplications.value.zone_redundancy_enabled, false)
+ tags = try(georeplications.value.tags, null)
+ }
+ }
+}
diff --git a/src/modules/container_registry/private_endpoint.tf b/src/modules/container_registry/private_endpoint.tf
new file mode 100644
index 00000000..3d9521e1
--- /dev/null
+++ b/src/modules/container_registry/private_endpoint.tf
@@ -0,0 +1,20 @@
+resource "azurerm_private_endpoint" "main" {
+ name = "pe-${var.settings.name}"
+ resource_group_name = local.resource_group_name
+ location = local.location
+ subnet_id = local.subnet_id
+
+ tags = local.tags
+
+ private_service_connection {
+ name = try(var.settings.private_endpoint.private_service_connection.name, "psc-${var.settings.name}")
+ private_connection_resource_id = azurerm_container_registry.main.id
+ is_manual_connection = try(var.settings.private_endpoint.private_service_connection.is_manual_connection, false)
+ subresource_names = ["registry"]
+ }
+
+ private_dns_zone_group {
+ name = local.dns_zone_group_name
+ private_dns_zone_ids = local.private_dns_zone_ids
+ }
+}
diff --git a/src/modules/managed_identity/_variables.tf b/src/modules/managed_identity/_variables.tf
index 315edc56..6f1524d4 100644
--- a/src/modules/managed_identity/_variables.tf
+++ b/src/modules/managed_identity/_variables.tf
@@ -7,8 +7,5 @@ variable "settings" {
 }
 variable "resources" {
- type = object({
- resource_groups = map(any)
- })
 description = "All required resources"
 }
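Review bot: `for_each = var.settings.georeplications` has no `try`, so a registry configured without georeplications fails with an unsupported-attribute error even though every other optional setting in this block (`public_network_access_enabled`, `admin_enabled`, `zone_redundancy_enabled`, `tags`) defaults through `try`; use `for_each = try(var.settings.georeplications, {})`. Georeplication and the private endpoint created alongside this resource both require the Premium SKU, and `sku = var.settings.sku` does not surface that constraint, so a `validation` or a comment on `sku` would catch a Basic or Standard value before apply. Defaulting `public_network_access_enabled` and `admin_enabled` to `false` is the right posture for a registry behind a private endpoint and is worth stating in the module documentation so callers know they opt in to public access.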
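Review bot: `name = "pe-${var.settings.name}"` in private_endpoint.tf ignores `var.settings.private_endpoint.name`, which examples/container_registry.tfvars sets (`name = "pe-acrtestdevne01"`) and which the `private_service_connection.name` line below does honour through `try`, so the example's value is silently discarded. Use `name = try(var.settings.private_endpoint.name, "pe-${var.settings.name}")`. Defaulting `is_manual_connection` to `false` (auto-approval) is appropriate here because the registry and the endpoint are created in the same deployment; a short comment saying so would stop a reader from flagging it.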
diff --git a/src/modules/storage_account/_locals.tf b/src/modules/storage_account/_locals.tf
deleted file mode 100644
index af37c82b..00000000
--- a/src/modules/storage_account/_locals.tf
+++ /dev/null
@@ -1,17 +0,0 @@
-locals {
- resource_group = var.resources.resource_groups[var.settings.resource_group_ref]
- resource_group_name = local.resource_group.name
- location = local.resource_group.location
-
- subnet_ids = [
- for network_rule_ref, config in try(var.settings.network_rules.subnets, {}) : (
- var.resources.virtual_networks[split("/", config.subnet_ref)[0]].subnets[split("/", config.subnet_ref)[1]].id
- )
- ]
-
- tags = merge(
- var.global_settings.tags,
- var.global_settings.inherit_resource_group_tags ? local.resource_group.tags : {},
- try(var.settings.tags, {})
- )
-}
diff --git a/src/modules/storage_account/_outputs.tf b/src/modules/storage_account/_outputs.tf
deleted file mode 100644
index 4761ad59..00000000
--- a/src/modules/storage_account/_outputs.tf
+++ /dev/null
@@ -1,10 +0,0 @@
-output "id" {
- value = azurerm_storage_account.main.id
-}
-
-output "containers" {
- value = {
- for container_ref, _ in try(var.settings.containers) :
- container_ref => azurerm_storage_container.main[container_ref]
- }
-}
diff --git a/src/modules/storage_account/storage_account.tf b/src/modules/storage_account/storage_account.tf
deleted file mode 100644
index ef0fa1cd..00000000
--- a/src/modules/storage_account/storage_account.tf
+++ /dev/null
@@ -1,34 +0,0 @@
-resource "azurerm_storage_account" "main" {
- name = var.settings.name
- resource_group_name = local.resource_group_name
- location = local.location
- tags = local.tags
-
- account_kind = try(var.settings.account_kind, null) # defaults to StorageV2
- account_tier = try(var.settings.account_tier, "Standard")
- account_replication_type = var.settings.account_replication_type
-
- cross_tenant_replication_enabled = try(var.settings.cross_tenant_replication_enabled, null)
- large_file_share_enabled = try(var.settings.large_file_share_enabled, null)
- infrastructure_encryption_enabled = try(var.settings.infrastructure_encryption_enabled, null)
-
- is_hns_enabled = try(var.settings.is_hns_enabled, null)
- sftp_enabled = try(var.settings.sftp_enabled, null)
- nfsv3_enabled = try(var.settings.nfsv3_enabled, null)
-
- # TODO: identity block
- # TODO: blob properties block
- # TODO: share_properties
- # TODO: azure_files_authentication block
- # TODO: routing block
- # TODO: sas_policy block
-
- network_rules {
- default_action = try(var.settings.network_rules.default_action, "Deny")
- bypass = try(var.settings.network_rules.bypass, null)
- ip_rules = try(var.settings.network_rules.allowed_ips, null)
- virtual_network_subnet_ids = local.subnet_ids
-
- # TODO: private_link_access block
- }
-}
diff --git a/src/modules/storage_account/storage_container.tf b/src/modules/storage_account/storage_container.tf
deleted file mode 100644
index b490d093..00000000
--- a/src/modules/storage_account/storage_container.tf
+++ /dev/null
@@ -1,8 +0,0 @@
-resource "azurerm_storage_container" "main" {
- for_each = try(var.settings.containers, {})
-
- name = each.value.name
- storage_account_id = azurerm_storage_account.main.id
-
- container_access_type = try(each.value.access_type, null)
-}
diff --git a/src/networking.tf b/src/networking.tf
index 32e893b8..b4285d4a 100644
--- a/src/networking.tf
+++ b/src/networking.tf
@@ -10,14 +10,14 @@ module "virtual_networks" {
 }
 }
-module "vnet_peerings" {
- source = "./modules/_networking/vnet_peering"
- for_each = var.vnet_peerings
+module "private_dns_zones" {
+ source = "./modules/_networking/private_dns_zone"
+ for_each = var.private_dns_zones
- settings = each.value
 global_settings = local.global_settings
-
+ settings = each.value
 resources = {
+ resource_groups = module.resource_groups
 virtual_networks = module.virtual_networks
 }
 }
diff --git a/src/storage_account.tf b/src/storage_account.tf
deleted file mode 100644
index b595afc5..00000000
--- a/src/storage_account.tf
+++ /dev/null
@@ -1,12 +0,0 @@
-module "storage_accounts" {
- source = "./modules/storage_account"
- for_each = var.storage_accounts
-
- settings = each.value
- global_settings = var.global_settings
-
- resources = {
- resource_groups = module.resource_groups
- virtual_networks = module.virtual_networks
- }
-}
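Review bot: The `vnet_peerings` module block is replaced by `private_dns_zones` rather than added beside it, and the `vnet_peerings` root variable is removed in `_variables.resources.tf`, yet src/modules/_networking/vnet_peering is still edited in this commit and left in the tree with no caller. If peering support is meant to stay, keep both module blocks; if not, delete the orphaned module directory so unused infrastructure code does not drift. The `private_dns_zones` block itself passes exactly the `resource_groups` and `virtual_networks` keys that the module's `_locals.tf` reads.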