Merge pull request #3 from schubergphilis/bgppeering

feature: Add BGP peering as an option
schubergphilis · Jan 15, 2025 · a3eeeaf · a3eeeaf
2 parents 9f088ec + 6ca2156
commit a3eeeaf
Show file tree

Hide file tree

Showing 6 changed files with 114 additions and 5 deletions.
diff --git a/.github/workflows/terraform-validation.yaml b/.github/workflows/terraform-validation.yaml
@@ -158,7 +158,7 @@ jobs:
           framework: terraform
           output_format: sarif
           quiet: true
-          skip_check: "CKV_GIT_5,CKV_GLB_1,CKV_TF_1"
+          skip_check: "CKV_GIT_5,CKV_GLB_1,CKV_TF_1,CKV_AZURE_220,CKV_AZURE_216"
           soft_fail: false
           skip_path: "examples/"
 

diff --git a/README.md b/README.md
@@ -25,12 +25,14 @@
 | Name | Type |
 |------|------|
 | [azurerm_resource_group.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
+| [azurerm_virtual_hub_bgp_connection.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_hub_bgp_connection) | resource |
 | [azurerm_virtual_wan.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_wan) | resource |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| <a name="input_hub_bgp_peers"></a> [hub\_bgp\_peers](#input\_hub\_bgp\_peers) | n/a | <pre>map(object({<br>    virtual_hub_id     = string<br>    name               = string<br>    peer_asn           = number<br>    peer_ip            = string<br>    vnet_connection_id = string<br>  }))</pre> | n/a | yes |
 | <a name="input_resource_group"></a> [resource\_group](#input\_resource\_group) | n/a | <pre>object({<br>    name     = string<br>    location = string<br>  })</pre> | n/a | yes |
 | <a name="input_virtual_hubs"></a> [virtual\_hubs](#input\_virtual\_hubs) | n/a | <pre>map(object({<br>    virtual_hub_name                  = string<br>    location                          = string<br>    address_prefix                    = string<br>    routing_intent_name               = string<br>    firewall_name                     = string<br>    firewall_policy_name              = string<br>    firewall_sku_tier                 = string<br>    firewall_public_ip_count          = number<br>    firewall_threat_intelligence_mode = string<br>    firewall_proxy_enabled            = bool<br>    firewall_dns_servers              = list(string)<br>  }))</pre> | n/a | yes |
 | <a name="input_virtual_wan"></a> [virtual\_wan](#input\_virtual\_wan) | n/a | <pre>object({<br>    name     = string<br>    location = string<br>  })</pre> | n/a | yes |

diff --git a/examples/basic/main.tf b/examples/basic/main.tf
@@ -0,0 +1,80 @@
+terraform {
+  required_version = ">= 1.7"
+
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = ">= 4"
+    }
+  }
+}
+resource "azurerm_resource_group" "this" {
+  name     = "example-resource-group"
+  location = "eastus"
+  tags = {
+    "Environment"   = "Production"
+    "Resource Type" = "Resource Group"
+  }
+}
+
+resource "azurerm_virtual_wan" "this" {
+  name                = "example-virtual-wan"
+  resource_group_name = azurerm_resource_group.this.name
+  location            = azurerm_resource_group.this.location
+  tags = {
+    "Environment"   = "Production"
+    "Resource Type" = "Virtual WAN"
+  }
+}
+
+module "vhub" {
+  source = "../../modules/vhub"
+  for_each = {
+    hub1 = {
+      virtual_hub_name                  = "example-virtual-hub"
+      location                          = "eastus"
+      address_prefix                    = "10.0.0.0/16"
+      routing_intent_name               = "example-routing-intent"
+      firewall_name                     = "example-firewall"
+      firewall_policy_name              = "example-firewall-policy"
+      firewall_sku_tier                 = "Standard"
+      firewall_public_ip_count          = 1
+      firewall_threat_intelligence_mode = "Alert"
+      firewall_proxy_enabled            = true
+      firewall_dns_servers              = ["8.8.8.8", "8.8.4.4"]
+      hub_bgp_peers = {
+        peer1 = {
+          virtual_hub_id     = "example-virtual-hub-id"
+          name               = "example-peer"
+          peer_asn           = 65001
+          peer_ip            = "10.0.1.1"
+          vnet_connection_id = "example-vnet-id"
+        }
+      }
+    }
+  }
+  virtual_hubs        = each.value
+  virtual_wan_id      = azurerm_virtual_wan.this.id
+  resource_group_name = azurerm_resource_group.this.name
+  tags = {
+    "Environment"   = "Production"
+    "Resource Type" = "Virtual Hub"
+  }
+}
+
+resource "azurerm_virtual_hub_bgp_connection" "this" {
+  for_each = {
+    peer1 = {
+      virtual_hub_id     = "example-virtual-hub-id"
+      name               = "example-peer"
+      peer_asn           = 65001
+      peer_ip            = "10.0.1.1"
+      vnet_connection_id = "example-vnet-id"
+    }
+  }
+  virtual_hub_id                = each.value.virtual_hub_id
+  name                          = each.value.name
+  peer_asn                      = each.value.peer_asn
+  peer_ip                       = each.value.peer_ip
+  virtual_network_connection_id = each.value.vnet_connection_id
+}
diff --git a/main.tf b/main.tf
@@ -34,3 +34,12 @@ module "vhub" {
     })
   )
 }
+
+resource "azurerm_virtual_hub_bgp_connection" "this" {
+  for_each                      = var.hub_bgp_peers != null ? var.hub_bgp_peers : {}
+  virtual_hub_id                = each.value.virtual_hub_id
+  name                          = each.value.name
+  peer_asn                      = each.value.peer_asn
+  peer_ip                       = each.value.peer_ip
+  virtual_network_connection_id = each.value.vnet_connection_id
+}
diff --git a/modules/vhub/main.tf b/modules/vhub/main.tf
@@ -58,10 +58,10 @@ resource "azurerm_firewall" "this" {
 }
 
 resource "azurerm_firewall_policy" "this" {
-  name                = var.virtual_hubs.firewall_policy_name
-  resource_group_name = var.resource_group_name
-  location            = var.virtual_hubs.location
-  sku                 = var.virtual_hubs.firewall_sku_tier
+  name                     = var.virtual_hubs.firewall_policy_name
+  resource_group_name      = var.resource_group_name
+  location                 = var.virtual_hubs.location
+  sku                      = var.virtual_hubs.firewall_sku_tier
   threat_intelligence_mode = var.virtual_hubs.firewall_threat_intelligence_mode
   dns {
     proxy_enabled = var.virtual_hubs.firewall_proxy_enabled

diff --git a/variables.tf b/variables.tf
@@ -22,6 +22,14 @@
 # This variable defines the name of the resource group.
 # - type: string.
 
+# variable "hub_bgp_peers"
+# This variable defines the configuration for BGP peers.
+# - virtual_hub_id: The ID of the virtual hub (string).
+# - name: The name of the BGP peer (string).
+# - peer_asn: The ASN of the BGP peer (number).
+# - peer_ip: The IP address of the BGP peer (string).
+# - vnet_connection_id: The ID of the VNET Hub connection (string).
+
 variable "tags" {
   type    = map(string)
   default = {}
@@ -56,3 +64,13 @@ variable "virtual_hubs" {
     firewall_dns_servers              = list(string)
   }))
 }
+
+variable "hub_bgp_peers" {
+  type = map(object({
+    virtual_hub_id     = string
+    name               = string
+    peer_asn           = number
+    peer_ip            = string
+    vnet_connection_id = string
+  }))
+}