Azure Network

Source code & Installation

The source code of this kit module can be found here.

Run the following command to install the kit module:

collie kit import azure/networking

The Azure Network Kit defines the networking components within the Azure cloud environment. This infrastructure is designed to facilitate communication between resources, whether they are within the same virtual network, on-premises, or on the internet.

Requirements

| Name | Version |
|---|---|
| terraform | >= 1.0 |
| azuread | ~> 2.41.0 |
| azurerm | ~> 3.85.0 |

Modules

No modules.

Resources

| Name | Type |
|---|---|
| azuread_group.network_admins | resource |
| azurerm_firewall.fw | resource |
| azurerm_firewall_application_rule_collection.fw | resource |
| azurerm_firewall_nat_rule_collection.fw | resource |
| azurerm_firewall_network_rule_collection.fw | resource |
| azurerm_management_group_subscription_association.vnet | resource |
| azurerm_monitor_diagnostic_setting.fw | resource |
| azurerm_monitor_diagnostic_setting.fw_pip | resource |
| azurerm_monitor_diagnostic_setting.mgmt | resource |
| azurerm_monitor_diagnostic_setting.vnet | resource |
| azurerm_network_ddos_protection_plan.hub | resource |
| azurerm_network_security_group.mgmt | resource |
| azurerm_network_security_rule.mgmt | resource |
| azurerm_network_watcher.netwatcher | resource |
| azurerm_network_watcher_flow_log.mgmt_logs | resource |
| azurerm_public_ip.fw | resource |
| azurerm_public_ip.fw_mgmt | resource |
| azurerm_public_ip_prefix.fw | resource |
| azurerm_resource_group.hub_resource_group | resource |
| azurerm_resource_group.netwatcher | resource |
| azurerm_role_assignment.cloudfoundation_tfdeploy | resource |
| azurerm_role_assignment.network_admins | resource |
| azurerm_role_assignment.network_admins_connectivity | resource |
| azurerm_role_assignment.network_admins_dns | resource |
| azurerm_role_assignment.network_admins_landingzone | resource |
| azurerm_role_definition.cloudfoundation_tfdeploy | resource |
| azurerm_route.fw | resource |
| azurerm_route_table.out | resource |
| azurerm_storage_account.flowlogs | resource |
| azurerm_storage_container.flowlogs | resource |
| azurerm_subnet.firewall | resource |
| azurerm_subnet.firewallmgmt | resource |
| azurerm_subnet.gateway | resource |
| azurerm_subnet.mgmt | resource |
| azurerm_subnet_network_security_group_association.mgmt | resource |
| azurerm_subnet_route_table_association.mgmt | resource |
| azurerm_virtual_network.hub_network | resource |
| random_string.dns | resource |
| random_string.resource_code | resource |
| terraform_data.subscription_name | resource |
| azurerm_monitor_diagnostic_categories.fw | data source |
| azurerm_monitor_diagnostic_categories.fw_pip | data source |
| azurerm_monitor_diagnostic_categories.hub | data source |
| azurerm_monitor_diagnostic_categories.mgmt | data source |
| azurerm_subscription.current | data source |

Inputs

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| address_space | List of address spaces for virtual networks | string | n/a | yes |
| cloudfoundation | Name of your cloud foundation | string | n/a | yes |
| cloudfoundation_deploy_principal_id | Principal ID authorized for deploying Cloud Foundation resources | string | n/a | yes |
| connectivity_scope | Identifier for the connectivity management group | string | n/a | yes |
| create_ddos_plan | Create a DDoS protection plan and attach it to the virtual network. | bool | false | no |
| deploy_firewall | Toggle to deploy or bypass the firewall. | bool | false | no |
| diagnostics | Diagnostic settings for supporting resources. Refer to README.md for configuration details. | object({ destination = string, logs = list(string), metrics = list(string) }) | null | no |
| firewall_application_rules | List of application rules to apply to the firewall. | list(object({ name = string, action = string, source_addresses = list(string), target_fqdns = list(string), protocol = object({ type = string, port = string }) })) | [] | no |
| firewall_nat_rules | List of NAT rules to apply to the firewall. | list(object({ name = string, action = string, source_addresses = list(string), destination_ports = list(string), destination_addresses = list(string), protocols = list(string), translated_address = string, translated_port = string })) | [] | no |
| firewall_network_rules | List of network rules to apply to the firewall. | list(object({ name = string, action = string, source_addresses = list(string), destination_ports = list(string), destination_addresses = list(string), protocols = list(string) })) | [] | no |
| firewall_sku_tier | Tier of the firewall: Basic, Standard or Premium. | string | "Basic" | no |
| firewall_zones | Availability zones to distribute the firewall across. | list(string) | null | no |
| hub_networking_deploy | Service principal responsible for deploying the central hub networking | string | "cloudfoundation_hub_network_deploy_user" | no |
| hub_resource_group | Name of the central hub resource group | string | "hub-vnet-rg" | no |
| hub_subscription_name | Name of your hub subscription | string | "hub" | no |
| hub_vnet_name | Name of the central virtual network | string | "hub-vnet" | no |
| landingzone_scope | Identifier for the landing zone management group | string | n/a | yes |
| location | Region for resource deployment | string | n/a | yes |
| lz_networking_deploy | Service principal responsible for deploying the landing zone networking | string | "cloudfoundation_lz_network_deploy_user" | no |
| management_nsg_rules | Network security rules to add to the management subnet. Refer to README for setup details. | list(any) | [] | no |
| netwatcher | Properties for creating a Network Watcher. If set, a Network Watcher resource is created using standard naming conventions. | object({ log_analytics_workspace_id = string, log_analytics_workspace_id_short = string, log_analytics_resource_id = string }) | null | no |
| network_admin_group | Name of the Cloud Foundation network administration group | string | "cloudfoundation-network-admins" | no |
| public_ip_names | List of public IP names connected to the firewall. At least one is required. | list(string) | ["fw-public"] | no |
| public_ip_prefix_length | Number of bits in the public IP prefix. Value can be set between 24 (256 addresses) and 31 (2 addresses). | number | 30 | no |
| service_endpoints | Service endpoints to add to the firewall subnet. | list(string) | ["Microsoft.AzureActiveDirectory", "Microsoft.AzureCosmosDB", "Microsoft.EventHub", "Microsoft.KeyVault", "Microsoft.ServiceBus", "Microsoft.Sql", "Microsoft.Storage"] | no |
| threat_intel_mode | Operation mode for threat intelligence-based filtering. Possible values: Off, Alert, Deny, and "" (empty string). | string | "Off" | no |
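A module call that exercises the typed inputs above, added here as an illustration and not taken from the kit's own documentation. The module source path, principal and management group identifiers, address space and Log Analytics references are placeholders, and the log and metric category names accepted by `diagnostics` are documented in the kit's README, which this page does not reproduce.

```hcl
# Added example, not the kit's own code: every identifier below is a placeholder.
module "hub_network" {
  source = "./kit/azure/networking" # hypothetical path to the imported kit

  cloudfoundation                     = "example-foundation"
  cloudfoundation_deploy_principal_id = "<deploy-principal-object-id>"
  connectivity_scope                  = "<connectivity-management-group-id>"
  landingzone_scope                   = "<landingzone-management-group-id>"
  location                            = "westeurope"
  address_space                       = "10.0.0.0/16"

  # Hub firewall: Standard tier, zone-redundant, and set to block (not only
  # alert on) traffic matching Microsoft's threat-intelligence feed.
  deploy_firewall   = true
  firewall_sku_tier = "Standard"
  firewall_zones    = ["1", "2", "3"]
  threat_intel_mode = "Deny"
  create_ddos_plan  = true

  # Explicit allow rules only; Azure Firewall denies traffic that matches no rule.
  # 168.63.129.16 is Azure's platform DNS/health endpoint.
  firewall_network_rules = [{
    name                  = "allow-azure-dns"
    action                = "Allow"
    source_addresses      = ["10.0.0.0/16"]
    destination_ports     = ["53"]
    destination_addresses = ["168.63.129.16"]
    protocols             = ["UDP", "TCP"]
  }]

  # Diagnostics for the firewall, its public IP, the VNet and the management
  # subnet; category names must be those the kit's README lists.
  diagnostics = {
    destination = "<log-analytics-workspace-resource-id>"
    logs        = ["<log-category>"]
    metrics     = ["<metric-category>"]
  }

  # NSG flow logs for the management subnet through Network Watcher.
  netwatcher = {
    log_analytics_workspace_id       = "<workspace-customer-id>"
    log_analytics_workspace_id_short = "<workspace-short-id>"
    log_analytics_resource_id        = "<log-analytics-workspace-resource-id>"
  }
}
```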

Outputs

| Name | Description |
|---|---|
| documentation_md | n/a |
| firewall_name | Hub VNet firewall name |
| hub_location | Location of hub VNet |
| hub_rg | Hub resource group name |
| hub_subscription | Subscription of hub VNet |
| hub_vnet | Hub VNet name |
| hub_vnet_id | Hub VNet id |
| network_admins_azuread_group_id | n/a |