feat: add sg custom ingress rule support

modules/network/main.tf

@@ -104,6 +104,22 @@ resource "azurerm_network_security_rule" "sg_public_ssh" {
   network_security_group_name = azurerm_network_security_group.sg[0].name
 }
 
+# ====================== custom sg ========================== #
+resource "azurerm_network_security_rule" "sg_custom" {
+  count                       = var.sg_id == "" ? length(var.sg_custom_ingress_rules) : 0
+  name                        = "${var.prefix}-custom-sg-${count.index}"
+  resource_group_name         = data.azurerm_resource_group.rg.name
+  priority                    = 100 + (count.index + 1)
+  direction                   = "Inbound"
+  access                      = "Allow"
+  protocol                    = var.sg_custom_ingress_rules[count.index].protocol
+  source_port_range           = var.sg_custom_ingress_rules[count.index].from_port
+  destination_port_range      = var.sg_custom_ingress_rules[count.index].to_port
+  source_address_prefix       = var.sg_custom_ingress_rules[count.index].cidr_block
+  destination_address_prefix  = "*"
+  network_security_group_name = azurerm_network_security_group.sg[0].name
+}
+
 # ====================== sg  ========================== #
 resource "azurerm_network_security_rule" "sg_weka_ui" {
   count                       = var.sg_id == "" ? length(var.allow_weka_api_cidrs) : 0

modules/network/variables.tf

@@ -51,6 +51,17 @@ variable "allow_weka_api_cidrs" {
   default     = []
 }
 
+variable "sg_custom_ingress_rules" {
+  type = list(object({
+    from_port  = string
+    to_port    = string
+    protocol   = string
+    cidr_block = string
+  }))
+  default     = []
+  description = "Custom inbound rules to be added to the security group."
+}
+
 variable "vnet_rg_name" {
   type        = string
   default     = ""

prerequisites.tf

@@ -3,21 +3,22 @@ data "azurerm_resource_group" "rg" {
 }
 
 module "network" {
-  source                = "./modules/network"
-  prefix                = var.prefix
-  vnet_name             = var.vnet_name
-  subnet_name           = var.subnet_name
-  rg_name               = var.rg_name
-  vnet_rg_name          = var.vnet_rg_name
-  private_dns_rg_name   = var.private_dns_rg_name
-  address_space         = var.address_space
-  subnet_prefix         = var.subnet_prefix
-  allow_ssh_cidrs       = var.allow_ssh_cidrs
-  allow_weka_api_cidrs  = var.allow_weka_api_cidrs
-  private_dns_zone_name = var.private_dns_zone_name
-  private_dns_zone_use  = var.private_dns_zone_use
-  sg_id                 = var.sg_id
-  create_nat_gateway    = var.create_nat_gateway
+  source                  = "./modules/network"
+  prefix                  = var.prefix
+  vnet_name               = var.vnet_name
+  subnet_name             = var.subnet_name
+  rg_name                 = var.rg_name
+  vnet_rg_name            = var.vnet_rg_name
+  private_dns_rg_name     = var.private_dns_rg_name
+  address_space           = var.address_space
+  subnet_prefix           = var.subnet_prefix
+  allow_ssh_cidrs         = var.allow_ssh_cidrs
+  allow_weka_api_cidrs    = var.allow_weka_api_cidrs
+  sg_custom_ingress_rules = var.sg_custom_ingress_rules
+  private_dns_zone_name   = var.private_dns_zone_name
+  private_dns_zone_use    = var.private_dns_zone_use
+  sg_id                   = var.sg_id
+  create_nat_gateway      = var.create_nat_gateway
 }
 
 module "iam" {

variables.tf

@@ -43,6 +43,17 @@ variable "allow_weka_api_cidrs" {
   default     = []
 }
 
+variable "sg_custom_ingress_rules" {
+  type = list(object({
+    from_port  = string
+    to_port    = string
+    protocol   = string
+    cidr_block = string
+  }))
+  default     = []
+  description = "Custom inbound rules to be added to the security group."
+}
+
 variable "address_space" {
   type        = string
   description = "The range of IP addresses the virtual network uses."