From 43e471c4bfb17b46991e9d444819729ad56a1ec5 Mon Sep 17 00:00:00 2001 From: Yngve Hansen <6208039+yngveh@users.noreply.github.com> Date: Thu, 20 Oct 2022 14:19:52 +0200 Subject: [PATCH] Add extra private dns zones (#16) * Add extra private dns zones and link them top the vnet. * Improve README for diagnostic settings * Rename additional_private_dns_zones to resolvable_private_dns_zones Add output resolvable_private_dns_zones * Change resolvable private dns zone link name * Change output for resolvable private dns zones * Fix regexp for output * Fix typo --- .gitignore | 2 +- .terraform.lock.hcl | 42 +++++++++ README.md | 13 +-- examples/dns/main.tf | 24 +++++ examples/firewall/main.tf | 7 +- main.tf | 188 ++++++++++++++++++++------------------ outputs.tf | 10 ++ test/example_ut_test.go | 1 + test/go.mod | 2 +- test/go.sum | 2 + variables.tf | 10 +- 11 files changed, 198 insertions(+), 103 deletions(-) create mode 100644 .terraform.lock.hcl create mode 100644 examples/dns/main.tf diff --git a/.gitignore b/.gitignore index 82f5599..5bb1977 100644 --- a/.gitignore +++ b/.gitignore @@ -1,6 +1,6 @@ # Local .terraform directories **/.terraform/* -.terraform.lock.hcl +examples/*/.terraform.lock.hcl # .tfstate files *.tfstate diff --git a/.terraform.lock.hcl b/.terraform.lock.hcl new file mode 100644 index 0000000..ebe43db --- /dev/null +++ b/.terraform.lock.hcl 
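Review bot: Ignoring `examples/*/.terraform.lock.hcl` means the provider hashes now pinned in the committed root lock file do not cover the example roots, so an init inside `examples/dns` (which the terratest UT presumably runs, given the list it iterates) still resolves `azurerm` and `random` from the version constraints alone, with no hash verification. If the examples are meant to be reproducible and hash-verified too, commit their lock files as well or copy the root lock into each example before init in the test. If leaving them unpinned is deliberate, say so next to the rule, e.g. `# example roots are intentionally not hash-pinned; the root lock file is committed`.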
@@ -0,0 +1,42 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/azurerm" { + version = "3.23.0" + constraints = "~> 3.23.0" + hashes = [ + "h1:gL/GB7M9xFNr8SxyalWCkTUaYach2k1/0voy6hAqA0A=", + "zh:5856ee393eea2c5807d71794020ec16492b6a219c50fec816376c9c4c50d964a", + "zh:58883757371208106ae56b591759a7c308d9a3fd74fb38aefaebe00fee4e380f", + "zh:69aca3a6929e629d6fe1dc0c0ff105ee943e5d0f95fe0d8abb89965d5dbc07ce", + "zh:6cf146b28a5b82da39ee9b5def88e649ed831824b4e669aa60884743d4b08200", + "zh:756dfe6d54e54879bed340f0e05e72a3882a7e8f8f2e783b2064d8c27c9fa1c1", + "zh:76ed418c25160fe0be9158c82c425375d79e2427f4a8adbac061d4540c56de79", + "zh:8c4f42f67157619fdd21525049f5daf9eb4eb3681b43603570a65bd5d52939ff", + "zh:ae15665e0ebe6cb40894cd6b7b7345fe4a7d46ca024fc209e03caee3dff6b51d", + "zh:ba21ef2d27e6f96fccfa234201151e0ad195ec798cb5486fa70664e0f707b48a", + "zh:d0d9b21b65c7b110e599b78abfdc90cec0bafe2d1b1e0bb36c3a3d5d12ad63b4", + "zh:ea02b2e6de9ea4184db300903d75871b16b7e240f6b38c46f8b149878f47c739", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} + +provider "registry.terraform.io/hashicorp/random" { + version = "3.4.3" + constraints = "~> 3.4.3" + hashes = [ + "h1:xZGZf18JjMS06pFa4NErzANI98qi59SEcBsOcS2P2yQ=", + "zh:41c53ba47085d8261590990f8633c8906696fa0a3c4b384ff6a7ecbf84339752", + "zh:59d98081c4475f2ad77d881c4412c5129c56214892f490adf11c7e7a5a47de9b", + "zh:686ad1ee40b812b9e016317e7f34c0d63ef837e084dea4a1f578f64a6314ad53", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:84103eae7251384c0d995f5a257c72b0096605048f757b749b7b62107a5dccb3", + "zh:8ee974b110adb78c7cd18aae82b2729e5124d8f115d484215fd5199451053de5", + "zh:9dd4561e3c847e45de603f17fa0c01ae14cae8c4b7b4e6423c9ef3904b308dda", + "zh:bb07bb3c2c0296beba0beec629ebc6474c70732387477a65966483b5efabdbc6", + 
"zh:e891339e96c9e5a888727b45b2e1bb3fcbdfe0fd7c5b4396e4695459b38c8cb1", + "zh:ea4739860c24dfeaac6c100b2a2e357106a89d18751f7693f3c31ecf6a996f8d", + "zh:f0c76ac303fd0ab59146c39bc121c5d7d86f878e9a69294e29444d4c653786f8", + "zh:f143a9a5af42b38fed328a161279906759ff39ac428ebcfe55606e05e1518b93", + ] +} diff --git a/README.md b/README.md index c68feff..e26d75f 100644 --- a/README.md +++ b/README.md @@ -57,10 +57,9 @@ module "hub" { address_space = "10.0.0.0/24" diagnostics = { - destination = "/subscription/xxxx-xxxx/.../resource_id" - eventhub_name = null - logs = ["all"] - metrics = [ + destination = "/subscription/xxxx-xxxx/.../resource_id" + logs = ["all"] + metrics = [ "all" ] } @@ -140,7 +139,7 @@ module "hub" { Diagnostics settings can be sent to either storage account, event hub or Log Analytics workspace. The variable `diagnostics.destination` is the id of receiver, ie. storage account id, event namespace authorization rule id or log analytics resource id. Depending on what id is it will detect where to send. Unless using event namespace -the `eventhub_name` is not required, just set to `null` for storage account and log analytics workspace. +the `eventhub_name` is not required for storage account and log analytics workspace. Setting `all` in logs and metrics will send all possible diagnostics to destination. If not using `all` type name of categories to send. 
@@ -215,4 +214,6 @@ all service principals that should have access to peer against hub network.
 To create a private dns zone for virtual network set the domain name for zone with variable `private_dns_zone`. This will create a private dns zone and link the virtual network hub to zone. It will also assign all principals that have
-peering access as contributors so spokes can be linked to same zone.
+peering access as contributors so spokes can be linked to same zone. For additional private dns zones, example for use
+with postgres flexible server, use `additional_private_dns_zones`. None of the additional zone must be linked with
+registration enabled.
diff --git a/examples/dns/main.tf b/examples/dns/main.tf
new file mode 100644
index 0000000..1e0e97e
--- /dev/null
+++ b/examples/dns/main.tf
@@ -0,0 +1,24 @@
+module "hub" {
+ source = "../../"
+
+ name = "hub"
+ resource_group_name = "networking-hub"
+ location = "westeurope"
+ address_space = "10.0.0.0/24"
+
+ public_ip_names = [
+ "fw-public"
+ ]
+
+ private_dns_zone = "cloud.mycorp.com"
+
+ resolvable_private_dns_zones = [
+ "example.postgres.database.azure.com",
+ "example2.postgres.database.azure.com",
+ ]
+
+ peering_assignment = [
+ "12345678-1234-1234-123456789012"
+ ]
+
+}
\ No newline at end of file
diff --git a/examples/firewall/main.tf b/examples/firewall/main.tf
index c9f5cee..bafcd45 100644
--- a/examples/firewall/main.tf
+++ b/examples/firewall/main.tf
@@ -7,10 +7,9 @@ module "hub" {
 address_space = "10.0.0.0/24"
 diagnostics = {
- destination = "/subscription/xxxx-xxxx/.../resource_id"
- eventhub_name = null
- logs = ["all"]
- metrics = ["all"]
+ destination = "/subscription/xxxx-xxxx/.../resource_id"
+ logs = ["all"]
+ metrics = ["all"]
 }
 public_ip_names = [
diff --git a/main.tf b/main.tf
index 53dc944..a862476 100644
--- a/main.tf
+++ b/main.tf
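Review bot: The `peering_assignment` placeholder `"12345678-1234-1234-123456789012"` in the new `examples/dns/main.tf` is not a well-formed object ID (four groups rather than the 8-4-4-4-12 shape), so a reader who applies the example verbatim would likely get a role-assignment failure instead of a clear hint to substitute a principal, while the other values in the file read as plausible real settings. Use a well-formed dummy such as `"12345678-1234-1234-1234-123456789012"` and mark it as a stand-in, e.g. `# object id of a principal allowed to peer; replace before apply`. The example also shows zones under the public `postgres.database.azure.com` suffix next to `private_dns_zone`, so a one-line comment that these are resolved only from VNets linked to the hub would help readers tell the two kinds of zone apart.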
@@ -1,15 +1,10 @@
 terraform {
- required_version = ">= 0.13"
+ required_version = ">= 1.3"
 required_providers {
 azurerm = {
 source = "hashicorp/azurerm"
 version = "~> 3.23.0"
 }
- null = {
- source = "hashicorp/null"
- version = "~> 3.1.1"
-
- }
 random = {
 source = "hashicorp/random"
 version = "~> 3.4.3"
@@ -38,6 +33,7 @@ locals {
 destination_address_prefixes = null
 destination_application_security_group_ids = null
 }
+
 default_mgmt_nsg_rules = [
 {
 name = "allow-load-balancer"
@@ -65,24 +61,31 @@ locals {
 for nsg in var.dmz_nsg_rules : merge(local.default_nsg_rule, nsg)
 ])
- nat_rules = { for idx, rule in var.firewall_nat_rules : rule.name => {
- idx : idx,
- rule : rule,
- } }
+ nat_rules = {
+ for idx, rule in var.firewall_nat_rules : rule.name => {
+ idx : idx,
+ rule : rule,
+ }
+ }
- network_rules = { for idx, rule in var.firewall_network_rules : rule.name => {
- idx : idx,
- rule : rule,
- } }
+ network_rules = {
+ for idx, rule in var.firewall_network_rules : rule.name => {
+ idx : idx,
+ rule : rule,
+ }
+ }
- application_rules = { for idx, rule in var.firewall_application_rules : rule.name => {
- idx : idx,
- rule : rule,
- } }
+ application_rules = {
+ for idx, rule in var.firewall_application_rules : rule.name => {
+ idx : idx,
+ rule : rule,
+ }
+ }
 public_ip_map = { for pip in var.public_ip_names : pip => true }
 diag_resource_list = var.diagnostics != null ? split("/", var.diagnostics.destination) : []
+
 parsed_diag = var.diagnostics != null ? {
 log_analytics_id = contains(local.diag_resource_list, "Microsoft.OperationalInsights") ? var.diagnostics.destination : null
 storage_account_id = contains(local.diag_resource_list, "Microsoft.Storage") ? var.diagnostics.destination : null
@@ -98,7 +101,6 @@ locals {
 }
 }
-data "azurerm_client_config" "current" {}
 #
 # Network watcher
@@ -106,20 +108,20 @@ data "azurerm_client_config" "current" {}
 #
 resource "azurerm_resource_group" "netwatcher" {
- count = var.netwatcher != null ? 1 : 0
+ count = var.netwatcher != null ? 1 : 0
+
 name = "NetworkWatcherRG"
 location = var.netwatcher.resource_group_location
-
- tags = var.tags
+ tags = var.tags
 }
 resource "azurerm_network_watcher" "netwatcher" {
- count = var.netwatcher != null ? 1 : 0
+ count = var.netwatcher != null ? 1 : 0
+
 name = "NetworkWatcher_${var.location}"
 location = var.location
 resource_group_name = azurerm_resource_group.netwatcher.0.name
-
- tags = var.tags
+ tags = var.tags
 }
 #
@@ -129,8 +131,7 @@ resource "azurerm_network_watcher" "netwatcher" {
 resource "azurerm_resource_group" "vnet" {
 name = var.resource_group_name
 location = var.location
-
- tags = var.tags
+ tags = var.tags
 }
 #
@@ -138,12 +139,12 @@ resource "azurerm_resource_group" "vnet" {
 #
 resource "azurerm_network_ddos_protection_plan" "vnet" {
- count = var.create_ddos_plan ? 1 : 0
+ count = var.create_ddos_plan ? 1 : 0
+
 name = "${var.name}-protection-plan"
 location = azurerm_resource_group.vnet.location
 resource_group_name = azurerm_resource_group.vnet.name
-
- tags = var.tags
+ tags = var.tags
 }
 #
@@ -155,6 +156,7 @@ resource "azurerm_virtual_network" "vnet" {
 location = azurerm_resource_group.vnet.location
 resource_group_name = azurerm_resource_group.vnet.name
 address_space = [var.address_space]
+ tags = var.tags
 dynamic "ddos_protection_plan" {
 for_each = var.create_ddos_plan ? [true] : []
@@ -164,12 +166,11 @@ resource "azurerm_virtual_network" "vnet" {
 enable = true
 }
 }
-
- tags = var.tags
 }
 resource "azurerm_role_assignment" "peering" {
- count = length(var.peering_assignment)
+ count = length(var.peering_assignment)
+
 scope = azurerm_virtual_network.vnet.id
 role_definition_name = "Network Contributor"
 principal_id = var.peering_assignment[count.index]
@@ -180,7 +181,8 @@ data "azurerm_monitor_diagnostic_categories" "vnet" {
 }
 resource "azurerm_monitor_diagnostic_setting" "vnet" {
- count = var.diagnostics != null ? 1 : 0
+ count = var.diagnostics != null ? 1 : 0
+
 name = "vnet-diag"
 target_resource_id = azurerm_virtual_network.vnet.id
 log_analytics_workspace_id = local.parsed_diag.log_analytics_id
@@ -226,9 +228,7 @@ resource "azurerm_subnet" "firewall" {
 resource_group_name = azurerm_resource_group.vnet.name
 virtual_network_name = azurerm_virtual_network.vnet.name
 address_prefixes = [cidrsubnet(var.address_space, 2, 0)]
-
- service_endpoints = var.service_endpoints
-
+ service_endpoints = var.service_endpoints
 }
 resource "azurerm_subnet" "gateway" {
@@ -272,12 +272,12 @@ module "storage" {
 source = "avinor/storage-account/azurerm"
 version = "3.5.2"
- name = var.name
- resource_group_name = azurerm_resource_group.vnet.name
- resource_group_create = var.storage_account_resource_group_create
- location = azurerm_resource_group.vnet.location
-
+ name = var.name
+ resource_group_name = azurerm_resource_group.vnet.name
+ resource_group_create = var.storage_account_resource_group_create
+ location = azurerm_resource_group.vnet.location
 enable_advanced_threat_protection = var.enable_advanced_threat_protection
+ tags = var.tags
 # TODO Not yet supported to use service endpoints together with flow logs. Not a trusted Microsoft service !!
 # FIXME It should be resolved now 16.04.2021 https://feedback.azure.com/forums/217313/suggestions/33684529
@@ -287,8 +287,6 @@ module "storage" {
 # ip_rules = ["127.0.0.1"]
 # virtual_network_subnet_ids = ["${azurerm_subnet.firewall.id}"]
 # }
-
- tags = var.tags
 }
 #
@@ -299,8 +297,7 @@ resource "azurerm_route_table" "out" {
 name = "${var.name}-outbound-rt"
 location = azurerm_resource_group.vnet.location
 resource_group_name = azurerm_resource_group.vnet.name
-
- tags = var.tags
+ tags = var.tags
 }
 resource "azurerm_route" "fw" {
@@ -330,21 +327,20 @@ resource "azurerm_network_security_group" "mgmt" {
 name = "subnet-mgmt-nsg"
 location = azurerm_resource_group.vnet.location
 resource_group_name = azurerm_resource_group.vnet.name
-
- tags = var.tags
+ tags = var.tags
 }
 resource "azurerm_network_watcher_flow_log" "mgmt_logs" {
 count = var.netwatcher != null ? 1 : 0
- network_watcher_name = azurerm_network_watcher.netwatcher[0].name
- resource_group_name = azurerm_resource_group.netwatcher[0].name
- name = "${azurerm_resource_group.vnet.name}subnet-mgmt-nsg"
-
+ network_watcher_name = azurerm_network_watcher.netwatcher[0].name
+ resource_group_name = azurerm_resource_group.netwatcher[0].name
+ name = "${azurerm_resource_group.vnet.name}subnet-mgmt-nsg"
 network_security_group_id = azurerm_network_security_group.mgmt.id
 storage_account_id = module.storage.id
 enabled = true
 version = 2
+ tags = var.tags
 traffic_analytics {
 enabled = true
@@ -357,16 +353,14 @@ resource "azurerm_network_watcher_flow_log" "mgmt_logs" {
 days = 0
 enabled = false
 }
-
- tags = var.tags
 }
 resource "azurerm_network_security_rule" "mgmt" {
- count = length(local.merged_mgmt_nsg_rules)
- resource_group_name = azurerm_resource_group.vnet.name
- network_security_group_name = azurerm_network_security_group.mgmt.name
- priority = 100 + 100 * count.index
+ count = length(local.merged_mgmt_nsg_rules)
+ resource_group_name = azurerm_resource_group.vnet.name
+ network_security_group_name = azurerm_network_security_group.mgmt.name
+ priority = 100 + 100 * count.index
 name = local.merged_mgmt_nsg_rules[count.index].name
 direction = local.merged_mgmt_nsg_rules[count.index].direction
 access = local.merged_mgmt_nsg_rules[count.index].access
@@ -389,7 +383,8 @@ data "azurerm_monitor_diagnostic_categories" "mgmt" {
 }
 resource "azurerm_monitor_diagnostic_setting" "mgmt" {
- count = var.diagnostics != null ? 1 : 0
+ count = var.diagnostics != null ? 1 : 0
+
 name = "mgmt-nsg-diag"
 target_resource_id = azurerm_network_security_group.mgmt.id
 log_analytics_workspace_id = local.parsed_diag.log_analytics_id
@@ -423,21 +418,20 @@ resource "azurerm_network_security_group" "dmz" {
 name = "subnet-dmz-nsg"
 location = azurerm_resource_group.vnet.location
 resource_group_name = azurerm_resource_group.vnet.name
-
- tags = var.tags
+ tags = var.tags
 }
 resource "azurerm_network_watcher_flow_log" "dmz_logs" {
 count = var.netwatcher != null ? 1 : 0
- network_watcher_name = azurerm_network_watcher.netwatcher[0].name
- resource_group_name = azurerm_resource_group.netwatcher[0].name
- name = "${azurerm_resource_group.vnet.name}subnet-dmz-nsg"
-
+ name = "${azurerm_resource_group.vnet.name}subnet-dmz-nsg"
+ network_watcher_name = azurerm_network_watcher.netwatcher[0].name
+ resource_group_name = azurerm_resource_group.netwatcher[0].name
 network_security_group_id = azurerm_network_security_group.dmz.id
 storage_account_id = module.storage.id
 enabled = true
 version = 2
+ tags = var.tags
 traffic_analytics {
 enabled = true
@@ -450,16 +444,14 @@ resource "azurerm_network_watcher_flow_log" "dmz_logs" {
 days = 0
 enabled = false
 }
-
- tags = var.tags
 }
 resource "azurerm_network_security_rule" "dmz" {
- count = length(local.merged_dmz_nsg_rules)
- resource_group_name = azurerm_resource_group.vnet.name
- network_security_group_name = azurerm_network_security_group.dmz.name
- priority = 100 + 100 * count.index
+ count = length(local.merged_dmz_nsg_rules)
+ resource_group_name = azurerm_resource_group.vnet.name
+ network_security_group_name = azurerm_network_security_group.dmz.name
+ priority = 100 + 100 * count.index
 name = local.merged_dmz_nsg_rules[count.index].name
 direction = local.merged_dmz_nsg_rules[count.index].direction
 access = local.merged_dmz_nsg_rules[count.index].access
@@ -482,7 +474,8 @@ data "azurerm_monitor_diagnostic_categories" "dmz" {
 }
 resource "azurerm_monitor_diagnostic_setting" "dmz" {
- count = var.diagnostics != null ? 1 : 0
+ count = var.diagnostics != null ? 1 : 0
+
 name = "dmz-nsg-diag"
 target_resource_id = azurerm_network_security_group.dmz.id
 log_analytics_workspace_id = local.parsed_diag.log_analytics_id
@@ -517,26 +510,46 @@ resource "azurerm_subnet_network_security_group_association" "dmz" {
 #
 resource "azurerm_private_dns_zone" "main" {
- count = var.private_dns_zone != null ? 1 : 0
+ count = var.private_dns_zone != null ? 1 : 0
+
 name = var.private_dns_zone
 resource_group_name = azurerm_resource_group.vnet.name
-
- tags = var.tags
+ tags = var.tags
 }
 resource "azurerm_private_dns_zone_virtual_network_link" "main" {
- count = var.private_dns_zone != null ? 1 : 0
+ count = var.private_dns_zone != null ? 1 : 0
+
 name = "${var.name}-link"
 resource_group_name = azurerm_resource_group.vnet.name
 private_dns_zone_name = azurerm_private_dns_zone.main[0].name
 virtual_network_id = azurerm_virtual_network.vnet.id
 registration_enabled = true
+ tags = var.tags
+}
+
+resource "azurerm_private_dns_zone" "resolvable" {
+ for_each = { for a in var.resolvable_private_dns_zones : a => true }
- tags = var.tags
+ name = each.key
+ resource_group_name = azurerm_resource_group.vnet.name
+ tags = var.tags
+}
+
+resource "azurerm_private_dns_zone_virtual_network_link" "resolvable" {
+ for_each = { for a in var.resolvable_private_dns_zones : a => true }
+
+ name = "${var.name}-link"
+ resource_group_name = azurerm_resource_group.vnet.name
+ private_dns_zone_name = azurerm_private_dns_zone.resolvable[each.key].name
+ virtual_network_id = azurerm_virtual_network.vnet.id
+ registration_enabled = false
+ tags = var.tags
 }
 resource "azurerm_role_assignment" "dns" {
- count = var.private_dns_zone != null ? length(var.peering_assignment) : 0
+ count = var.private_dns_zone != null ? length(var.peering_assignment) : 0
+
 scope = azurerm_private_dns_zone.main[0].id
 role_definition_name = "Private DNS Zone Contributor"
 principal_id = var.peering_assignment[count.index]
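Review bot: `azurerm_role_assignment.dns` still grants `Private DNS Zone Contributor` on `azurerm_private_dns_zone.main[0]` only, so the principals in `peering_assignment` receive no rights on the new `resolvable` zones; unlike the main zone, which the README says is shared "so spokes can be linked to same zone", spokes cannot link these zones to their own VNets, and every link has to be made from the hub side. If spokes are expected to link them (the stated PostgreSQL use case suggests the zone is consumed from a spoke), an assignment per zone/principal pair is needed, as sketched below. If restricting the zones to the hub is a deliberate least-privilege choice — the role also allows editing records — state it on the `resolvable` link resource, e.g. `# linked to the hub only; peering principals get no rights on these zones`.
```hcl
# … unchanged: azurerm_private_dns_zone_virtual_network_link.resolvable …

resource "azurerm_role_assignment" "resolvable_dns" {
  for_each = {
    for pair in setproduct(var.resolvable_private_dns_zones, var.peering_assignment) :
    "${pair[0]}|${pair[1]}" => pair
  }

  scope                = azurerm_private_dns_zone.resolvable[each.value[0]].id
  role_definition_name = "Private DNS Zone Contributor"
  principal_id         = each.value[1]
}
```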
@@ -550,11 +563,9 @@ resource "azurerm_public_ip_prefix" "fw" {
 name = "${var.name}-pip-prefix"
 location = azurerm_resource_group.vnet.location
 resource_group_name = azurerm_resource_group.vnet.name
-
- prefix_length = var.public_ip_prefix_length
- zones = var.firewall_zones
-
- tags = var.tags
+ prefix_length = var.public_ip_prefix_length
+ zones = var.firewall_zones
+ tags = var.tags
 }
 resource "random_string" "dns" {
@@ -571,14 +582,12 @@ resource "azurerm_public_ip" "fw" {
 name = "${var.name}-fw-${each.key}-pip"
 location = azurerm_resource_group.vnet.location
 resource_group_name = azurerm_resource_group.vnet.name
-
 allocation_method = "Static"
 sku = "Standard"
 domain_name_label = format("%s%sfw%s", lower(replace(var.name, "/[[:^alnum:]]/", "")), lower(replace(each.key, "/[[:^alnum:]]/", "")), random_string.dns[each.key].result)
 public_ip_prefix_id = azurerm_public_ip_prefix.fw.id
 zones = var.firewall_zones
-
- tags = var.tags
+ tags = var.tags
 }
 data "azurerm_monitor_diagnostic_categories" "fw_pip" {
@@ -637,6 +646,7 @@ resource "azurerm_firewall" "fw" {
 zones = var.firewall_zones
 sku_name = "AZFW_VNet"
 sku_tier = "Standard"
+ tags = var.tags
 dynamic "ip_configuration" {
 for_each = local.public_ip_map
@@ -654,8 +664,6 @@ resource "azurerm_firewall" "fw" {
 ip_configuration,
 ]
 }
-
- tags = var.tags
 }
 data "azurerm_monitor_diagnostic_categories" "fw" {
@@ -663,7 +671,8 @@ data "azurerm_monitor_diagnostic_categories" "fw" {
 }
 resource "azurerm_monitor_diagnostic_setting" "fw" {
- count = var.diagnostics != null ? 1 : 0
+ count = var.diagnostics != null ? 1 : 0
+
 name = "fw-diag"
 target_resource_id = azurerm_firewall.fw.id
 log_analytics_workspace_id = local.parsed_diag.log_analytics_id
@@ -751,6 +760,7 @@ resource "azurerm_firewall_nat_rule_collection" "fw" {
 resource_group_name = azurerm_resource_group.vnet.name
 priority = 100 * (each.value.idx + 1)
 action = each.value.rule.action
+
 rule {
 name = each.key
 source_addresses = each.value.rule.source_addresses
diff --git a/outputs.tf b/outputs.tf
index f50543f..4feb335 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -36,6 +36,16 @@ output "private_dns" {
 }
 }
+output "resolvable_private_dns_zones" {
+ description = "Map of resolvable private dns zones settings if configured. The key is the private zone name where dots (.) is replaced with underscores (_). Value of the maps is id and name of private dns zone."
+ value = {
+ for k, v in azurerm_private_dns_zone.resolvable : replace(k, ".", "_") => {
+ id = azurerm_private_dns_zone.resolvable[k].id
+ name = azurerm_private_dns_zone.resolvable[k].name
+ }
+ }
+}
+
 output "public_ip_prefix" {
 description = "Public ip prefix of firewall."
 value = azurerm_public_ip_prefix.fw.ip_prefix
diff --git a/test/example_ut_test.go b/test/example_ut_test.go
index d4bba40..a5945b6 100644
--- a/test/example_ut_test.go
+++ b/test/example_ut_test.go
@@ -13,6 +13,7 @@ func TestUT_Examples(t *testing.T) {
 "../examples/simple",
 "../examples/firewall",
 "../examples/aks",
+ "../examples/dns",
 }
 for _, test := range tests {
diff --git a/test/go.mod b/test/go.mod
index e1e6aa1..2f9f338 100644
--- a/test/go.mod
+++ b/test/go.mod
@@ -2,7 +2,7 @@ module github.com/avinor/terraform-azurerm-virtual-network-hub/test
 go 1.19
-require github.com/gruntwork-io/terratest v0.40.22
+require github.com/gruntwork-io/terratest v0.40.23
 require (
 cloud.google.com/go v0.83.0 // indirect
diff --git a/test/go.sum b/test/go.sum
index c392914..e36a00d 100644
--- a/test/go.sum
+++ b/test/go.sum
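Review bot: In the new `resolvable_private_dns_zones` output the `for k, v in …` expression binds `v` and then re-indexes `azurerm_private_dns_zone.resolvable[k]` for both attributes; `id = v.id` and `name = v.name` express the same thing without the second lookup and read as the idiomatic form. The description should also say "dots (.) are replaced" rather than "is replaced", and it is worth noting there that the key mapping is lossy: two zone names that differ only in `.` versus `_` would map to the same key and make the `for` expression fail with a duplicate-key error.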
@@ -154,6 +154,8 @@ github.com/googleapis/gax-go/v2 v2.0.5 h1:sjZBwGj9Jlw33ImPtvFviGYvseOtDM7hkSKB7+
 github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
 github.com/gruntwork-io/terratest v0.40.22 h1:qHIk+feNFspZQK2UTeH+zeMGfTfSuRduU10RCMMTveg=
 github.com/gruntwork-io/terratest v0.40.22/go.mod h1:JGeIGgLbxbG9/Oqm06z6YXVr76CfomdmLkV564qov+8=
+github.com/gruntwork-io/terratest v0.40.23 h1:UKSJhrXfbyiaGOkQmqjTtbQsXi+9uSu3H8nrT9X1PGg=
+github.com/gruntwork-io/terratest v0.40.23/go.mod h1:JGeIGgLbxbG9/Oqm06z6YXVr76CfomdmLkV564qov+8=
 github.com/hashicorp/errwrap v1.0.0 h1:hLrqtEDnRye3+sgx6z4qVLNuviH3MR5aQ0ykNJa/UYA=
 github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
 github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ=
diff --git a/variables.tf b/variables.tf
index e80752f..4dc801f 100644
--- a/variables.tf
+++ b/variables.tf
@@ -24,7 +24,7 @@ variable "diagnostics" {
 description = "Diagnostic settings for those resources that support it. See README.md for details on configuration."
 type = object({
 destination = string
- eventhub_name = string
+ eventhub_name = optional(string)
 logs = list(string)
 metrics = list(string)
 })
@@ -140,10 +140,16 @@ variable "create_ddos_plan" {
 }
 variable "private_dns_zone" {
- description = "Name of private dns zone to create and associate with virtual network."
+ description = "Name of private dns zone to create and associate with virtual network. This is the only zone that must be linked with registration enabled."
 default = null
 }
+variable "resolvable_private_dns_zones" {
+ description = "List of resolvable private dns zones to create and associate with virtual network. None of these zones must be linked with registration enabled and must only be used as resolvable."
+ type = list(string)
+ default = []
+}
+
 variable "storage_account_resource_group_create" {
 description = "Property for supporting terraform state created by older version of this module. NEVER set set this to true for new installations!"
 type = bool
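Review bot: The README hunk in this same patch still tells users to set `additional_private_dns_zones`, but after the rename the variable declared here is `resolvable_private_dns_zones` (the name `examples/dns/main.tf` uses), so the documented variable does not exist and the README needs the new name. The new description would also benefit from the operational caveat that matters most for these zones: once a zone such as `example.postgres.database.azure.com` is linked, every linked VNet resolves that whole suffix from the private zone, so names under it that are not recorded there stop resolving rather than falling back to public DNS; something like `"... Linked VNets resolve these suffixes from the private zone only; names not present in the zone will not fall back to public DNS."` appended to the description would warn operators before they shadow a public domain.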