updating vnet module and formatting (#29)

* updating vnet module and formatting * updating files * updating linting issues * avm fix * updating submodule * udpating avmfix * updating linting format * updating linting * updating files * fixed duplicates * updating linting * fixing local * updating telem
Azure · May 29, 2024 · b62014e · b62014e
1 parent ac84525
commit b62014e
Show file tree

Hide file tree

Showing 18 changed files with 501 additions and 95 deletions.
diff --git a/README.md b/README.md
@@ -10,25 +10,26 @@ This is the module to create an Azure Firewall Policy
 
 The following requirements are needed by this module:
 
-- <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) (~> 1.5)
+- <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) (>= 1.5.0)
 
-- <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) (>= 3.71)
+- <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) (~> 3.71)
 
-- <a name="requirement_random"></a> [random](#requirement\_random) (>= 3.5)
+- <a name="requirement_random"></a> [random](#requirement\_random) (~> 3.5)
 
 ## Providers
 
 The following providers are used by this module:
 
-- <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) (>= 3.71)
+- <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) (~> 3.71)
 
-- <a name="provider_random"></a> [random](#provider\_random) (>= 3.5)
+- <a name="provider_random"></a> [random](#provider\_random) (~> 3.5)
 
 ## Resources
 
 The following resources are used by this module:
 
 - [azurerm_firewall_policy.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/firewall_policy) (resource)
+- [azurerm_management_lock.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/management_lock) (resource)
 - [azurerm_monitor_diagnostic_setting.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_diagnostic_setting) (resource)
 - [azurerm_resource_group_template_deployment.telemetry](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group_template_deployment) (resource)
 - [azurerm_role_assignment.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) (resource)
@@ -63,18 +64,18 @@ The following input variables are optional (have default values):
 
 ### <a name="input_diagnostic_settings"></a> [diagnostic\_settings](#input\_diagnostic\_settings)
 
-Description: A map of diagnostic settings to create on the Key Vault. The map key is deliberately arbitrary to avoid issues where map keys maybe unknown at plan time.
+Description:   A map of diagnostic settings to create on the Key Vault. The map key is deliberately arbitrary to avoid issues where map keys maybe unknown at plan time.
 
-- `name` - (Optional) The name of the diagnostic setting. One will be generated if not set, however this will not be unique if you want to create multiple diagnostic setting resources.
-- `log_categories` - (Optional) A set of log categories to send to the log analytics workspace. Defaults to `[]`.
-- `log_groups` - (Optional) A set of log groups to send to the log analytics workspace. Defaults to `["allLogs"]`.
-- `metric_categories` - (Optional) A set of metric categories to send to the log analytics workspace. Defaults to `["AllMetrics"]`.
-- `log_analytics_destination_type` - (Optional) The destination type for the diagnostic setting. Possible values are `Dedicated` and `AzureDiagnostics`. Defaults to `Dedicated`.
-- `workspace_resource_id` - (Optional) The resource ID of the log analytics workspace to send logs and metrics to.
-- `storage_account_resource_id` - (Optional) The resource ID of the storage account to send logs and metrics to.
-- `event_hub_authorization_rule_resource_id` - (Optional) The resource ID of the event hub authorization rule to send logs and metrics to.
-- `event_hub_name` - (Optional) The name of the event hub. If none is specified, the default event hub will be selected.
-- `marketplace_partner_resource_id` - (Optional) The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic LogsLogs.
+  - `name` - (Optional) The name of the diagnostic setting. One will be generated if not set, however this will not be unique if you want to create multiple diagnostic setting resources.
+  - `log_categories` - (Optional) A set of log categories to send to the log analytics workspace. Defaults to `[]`.
+  - `log_groups` - (Optional) A set of log groups to send to the log analytics workspace. Defaults to `["allLogs"]`.
+  - `metric_categories` - (Optional) A set of metric categories to send to the log analytics workspace. Defaults to `["AllMetrics"]`.
+  - `log_analytics_destination_type` - (Optional) The destination type for the diagnostic setting. Possible values are `Dedicated` and `AzureDiagnostics`. Defaults to `Dedicated`.
+  - `workspace_resource_id` - (Optional) The resource ID of the log analytics workspace to send logs and metrics to.
+  - `storage_account_resource_id` - (Optional) The resource ID of the storage account to send logs and metrics to.
+  - `event_hub_authorization_rule_resource_id` - (Optional) The resource ID of the event hub authorization rule to send logs and metrics to.
+  - `event_hub_name` - (Optional) The name of the event hub. If none is specified, the default event hub will be selected.
+  - `marketplace_partner_resource_id` - (Optional) The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic LogsLogs.
 
 Type:
 
@@ -336,10 +337,10 @@ Default: `null`
 
 ### <a name="input_lock"></a> [lock](#input\_lock)
 
-Description: Controls the Resource Lock configuration for this resource. The following properties can be specified:
+Description:   Controls the Resource Lock configuration for this resource. The following properties can be specified:
 
-- `kind` - (Required) The type of lock. Possible values are `\"CanNotDelete\"` and `\"ReadOnly\"`.
-- `name` - (Optional) The name of the lock. If not specified, a name will be generated based on the `kind` value. Changing this forces the creation of a new resource.
+  - `kind` - (Required) The type of lock. Possible values are `\"CanNotDelete\"` and `\"ReadOnly\"`.
+  - `name` - (Optional) The name of the lock. If not specified, a name will be generated based on the `kind` value. Changing this forces the creation of a new resource.
 
 Type:
 
@@ -354,16 +355,18 @@ Default: `null`
 
 ### <a name="input_role_assignments"></a> [role\_assignments](#input\_role\_assignments)
 
-Description: A map of role assignments to create on this resource. The map key is deliberately arbitrary to avoid issues where map keys maybe unknown at plan time.
+Description:   A map of role assignments to create on the <RESOURCE>. The map key is deliberately arbitrary to avoid issues where map keys maybe unknown at plan time.
 
-- `role_definition_id_or_name` - The ID or name of the role definition to assign to the principal.
-- `principal_id` - The ID of the principal to assign the role to.
-- `description` - The description of the role assignment.
-- `skip_service_principal_aad_check` - If set to true, skips the Azure Active Directory check for the service principal in the tenant. Defaults to false.
-- `condition` - The condition which will be used to scope the role assignment.
-- `condition_version` - The version of the condition syntax. Valid values are '2.0'.
+  - `role_definition_id_or_name` - The ID or name of the role definition to assign to the principal.
+  - `principal_id` - The ID of the principal to assign the role to.
+  - `description` - (Optional) The description of the role assignment.
+  - `skip_service_principal_aad_check` - (Optional) If set to true, skips the Azure Active Directory check for the service principal in the tenant. Defaults to false.
+  - `condition` - (Optional) The condition which will be used to scope the role assignment.
+  - `condition_version` - (Optional) The version of the condition syntax. Leave as `null` if you are not using a condition, if you are then valid values are '2.0'.
+  - `delegated_managed_identity_resource_id` - (Optional) The delegated Azure Resource Id which contains a Managed Identity. Changing this forces a new resource to be created. This field is only used in cross-tenant scenario.
+  - `principal_type` - (Optional) The type of the `principal_id`. Possible values are `User`, `Group` and `ServicePrincipal`. It is necessary to explicitly set this attribute when creating role assignments if the principal creating the assignment is constrained by ABAC rules that filters on the PrincipalType attribute.
 
-> Note: only set `skip_service_principal_aad_check` to true if you are assigning a role to a service principal.
+  > Note: only set `skip_service_principal_aad_check` to true if you are assigning a role to a service principal.
 
 Type:
 
@@ -376,6 +379,7 @@ map(object({
     condition                              = optional(string, null)
     condition_version                      = optional(string, null)
     delegated_managed_identity_resource_id = optional(string, null)
+    principal_type                         = optional(string, null)
   }))
 ```
 
@@ -402,6 +406,10 @@ Examples:
 - module.firewall\_policy.resource.child\_policies
 - module.firewall\_policy.resource.rule\_collection\_groups
 
+### <a name="output_resource_id"></a> [resource\_id](#output\_resource\_id)
+
+Description: the resource id of the firewall policy
+
 ## Modules
 
 No modules.

diff --git a/avmmakefile b/avmmakefile
@@ -49,7 +49,7 @@ checkovplancheck:
 
 fmtcheck: gofmtcheck tffmtcheck terrafmtcheck
 
-pr-check: fmtcheck tfvalidatecheck lint unit-test
+pr-check: clean fmtcheck tfvalidatecheck lint unit-test clean2
 
 unit-test:
 	curl -H 'Cache-Control: no-cache, no-store' -sSL "$(REMOTE_SCRIPT)/run-unit-test.sh" | bash
@@ -80,4 +80,10 @@ autofix:
 grept-apply:
 	curl -H 'Cache-Control: no-cache, no-store' -sSL "$(REMOTE_SCRIPT)/grept-apply.sh" | bash
 
-.PHONY: docs docscheck fmt gofmt fumpt gosec tffmtcheck tfvalidatecheck terrafmtcheck gofmtcheck golint tflint lint checkovcheck checkovplancheck fmtcheck pr-check unit-test e2e-test version-upgrade-test terrafmt pre-commit depsensure yor-tag autofix tools
+clean:
+	curl -H 'Cache-Control: no-cache, no-store' -sSL "$(REMOTE_SCRIPT)/clean.sh" | bash
+
+clean2:
+	curl -H 'Cache-Control: no-cache, no-store' -sSL "$(REMOTE_SCRIPT)/clean.sh" | bash
+
+.PHONY: clean clean2 docs docscheck fmt gofmt fumpt gosec tffmtcheck tfvalidatecheck terrafmtcheck gofmtcheck golint tflint lint checkovcheck checkovplancheck fmtcheck pr-check unit-test e2e-test version-upgrade-test terrafmt pre-commit depsensure yor-tag autofix tools
diff --git a/examples/deploy_fw_policy_with_ipgroups/README.md b/examples/deploy_fw_policy_with_ipgroups/README.md
@@ -48,20 +48,20 @@ resource "azurerm_resource_group" "rg" {
 }
 
 module "vnet" {
-  source                        = "Azure/avm-res-network-virtualnetwork/azurerm"
-  version                       = ">= 0.1.4"
-  enable_telemetry              = var.enable_telemetry
-  location                      = azurerm_resource_group.rg.location
-  resource_group_name           = azurerm_resource_group.rg.name
-  name                          = module.naming.virtual_network.name_unique
-  virtual_network_address_space = ["10.1.0.0/16"]
+  source              = "Azure/avm-res-network-virtualnetwork/azurerm"
+  version             = ">=0.2.0"
+  enable_telemetry    = var.enable_telemetry
+  location            = azurerm_resource_group.rg.location
+  resource_group_name = azurerm_resource_group.rg.name
+  name                = module.naming.virtual_network.name_unique
+  address_space       = ["10.1.0.0/16"]
 }
 
 resource "azurerm_subnet" "subnet" {
   address_prefixes     = ["10.1.0.0/26"]
   name                 = "AzureFirewallSubnet"
   resource_group_name  = azurerm_resource_group.rg.name
-  virtual_network_name = module.vnet.vnet_resource.name
+  virtual_network_name = module.vnet.resource.name
 }
 
 resource "azurerm_public_ip" "pip" {
@@ -245,7 +245,7 @@ Version:
 
 Source: Azure/avm-res-network-virtualnetwork/azurerm
 
-Version: >= 0.1.4
+Version: >=0.2.0
 
 <!-- markdownlint-disable-next-line MD041 -->
 ## Data Collection

diff --git a/examples/deploy_fw_policy_with_ipgroups/main.tf b/examples/deploy_fw_policy_with_ipgroups/main.tf
@@ -35,20 +35,20 @@ resource "azurerm_resource_group" "rg" {
 }
 
 module "vnet" {
-  source                        = "Azure/avm-res-network-virtualnetwork/azurerm"
-  version                       = ">= 0.1.4"
-  enable_telemetry              = var.enable_telemetry
-  location                      = azurerm_resource_group.rg.location
-  resource_group_name           = azurerm_resource_group.rg.name
-  name                          = module.naming.virtual_network.name_unique
-  virtual_network_address_space = ["10.1.0.0/16"]
+  source              = "Azure/avm-res-network-virtualnetwork/azurerm"
+  version             = ">=0.2.0"
+  enable_telemetry    = var.enable_telemetry
+  location            = azurerm_resource_group.rg.location
+  resource_group_name = azurerm_resource_group.rg.name
+  name                = module.naming.virtual_network.name_unique
+  address_space       = ["10.1.0.0/16"]
 }
 
 resource "azurerm_subnet" "subnet" {
   address_prefixes     = ["10.1.0.0/26"]
   name                 = "AzureFirewallSubnet"
   resource_group_name  = azurerm_resource_group.rg.name
-  virtual_network_name = module.vnet.vnet_resource.name
+  virtual_network_name = module.vnet.resource.name
 }
 
 resource "azurerm_public_ip" "pip" {

diff --git a/locals.tf b/locals.tf
@@ -1,8 +1,4 @@
-
-locals {
-  enable_telemetry = true
-}
-
 locals {
+  enable_telemetry                   = var.enable_telemetry
   role_definition_resource_substring = "providers/Microsoft.Authorization/roleDefinitions"
-}
+}
diff --git a/locals.version.tf.json b/locals.version.tf.json
@@ -1,5 +1,5 @@
 {
   "locals": {
-    "module_version": "0.1.2"
+    "module_version": "0.1.3"
   }
 }
diff --git a/main.telemetry.tf b/main.telemetry.tf
@@ -1,5 +1,5 @@
 resource "random_id" "telem" {
-  count = var.enable_telemetry ? 1 : 0
+  count = local.enable_telemetry ? 1 : 0
 
   byte_length = 4
 }

diff --git a/main.tf b/main.tf
@@ -104,7 +104,6 @@ resource "azurerm_firewall_policy" "this" {
   }
 }
 
-
 # Assigning Roles to the Virtual Network based on the provided configurations.
 resource "azurerm_role_assignment" "this" {
   for_each = var.role_assignments
@@ -151,3 +150,12 @@ resource "azurerm_monitor_diagnostic_setting" "this" {
   }
 }
 
+# required AVM resources interfaces
+resource "azurerm_management_lock" "this" {
+  count = var.lock != null ? 1 : 0
+
+  lock_level = var.lock.kind
+  name       = coalesce(var.lock.name, "lock-${var.lock.kind}")
+  scope      = azurerm_firewall_policy.this.id # TODO: Replace with your azurerm resource name
+  notes      = var.lock.kind == "CanNotDelete" ? "Cannot delete the resource or its child resources." : "Cannot delete or modify the resource or its child resources."
+}
diff --git a/modules/rule_collection_groups/_footer.md b/modules/rule_collection_groups/_footer.md
@@ -0,0 +1,4 @@
+<!-- markdownlint-disable-next-line MD041 -->
+## Data Collection
+
+The software may collect information about you and your use of the software and send it to Microsoft. Microsoft may use this information to provide services and improve our products and services. You may turn off the telemetry as described in the repository. There are also some features in the software that may enable you and Microsoft to collect data from users of your applications. If you use these features, you must comply with applicable law, including providing appropriate notices to users of your applications together with a copy of Microsoft’s privacy statement. Our privacy statement is located at <https://go.microsoft.com/fwlink/?LinkID=824704>. You can learn more about data collection and use in the help documentation and our privacy statement. Your use of the software operates as your consent to these practices.
diff --git a/modules/rule_collection_groups/_header.md b/modules/rule_collection_groups/_header.md
@@ -0,0 +1,13 @@
+# Azure Firewall Policy Rule Collection Group
+
+This is the sub-module to create Rule Collection Groups in Azure Firewall Policy
+
+## Features
+
+This module supports:
+
+- Creates Rule Collection Groups
+- Creates Rule Collections
+- Creates Network Rules, Application Rules, and NAT Rules
+
+"Major version Zero (0.y.z) is for initial development. Anything MAY change at any time. The module SHOULD NOT be considered stable till at least it is major version one (1.0.0) or greater. Changes will always be via new versions being published and no changes will be made to existing published versions. For more details please go to <https://semver.org/>"
diff --git a/modules/rule_collection_groups/main.tf b/modules/rule_collection_groups/main.tf
@@ -96,4 +96,4 @@ resource "azurerm_firewall_policy_rule_collection_group" "this" {
       update = timeouts.value.update
     }
   }
-}
+}
diff --git a/modules/rule_collection_groups/outputs.tf b/modules/rule_collection_groups/outputs.tf
@@ -0,0 +1,9 @@
+output "resource" {
+  description = "this is the resource of the rule collection group"
+  value       = azurerm_firewall_policy_rule_collection_group.this
+}
+
+output "resource_id" {
+  description = "the resource id of the rule_collection_group"
+  value       = azurerm_firewall_policy_rule_collection_group.this.id
+}
-Original file line number
+Diff line change
@@ Expand Up @@
           update = timeouts.value.update
         }
       }
-    }
+    }