feat: Introduce public_ip module (#80)

PaloAltoNetworks · Aug 8, 2024 · 6cc5eb4 · 6cc5eb4
1 parent 91d7f52
commit 6cc5eb4
Show file tree

Hide file tree

Showing 72 changed files with 2,812 additions and 518 deletions.
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -23,7 +23,7 @@ repos:
     - --compact
     - --quiet
     - --skip-check
-    - CKV_GHA_7,CKV_AZURE_1,CKV_AZURE_35,CKV_AZURE_44,CKV_AZURE_49,CKV_AZURE_59,CKV_AZURE_93,CKV_AZURE_97,CKV_AZURE_118,CKV_AZURE_119,CKV_AZURE_120,CKV_AZURE_179,CKV_AZURE_190,CKV_AZURE_206,CKV_AZURE_217,CKV_AZURE_218,CKV2_AZURE_1,CKV2_AZURE_10,CKV2_AZURE_12,CKV2_AZURE_18,CKV2_AZURE_33,CKV2_AZURE_39,CKV2_AZURE_40,CKV2_AZURE_41
+    - CKV_GHA_7,CKV_AZURE_1,CKV_AZURE_35,CKV_AZURE_44,CKV_AZURE_49,CKV_AZURE_59,CKV_AZURE_93,CKV_AZURE_97,CKV_AZURE_118,CKV_AZURE_119,CKV_AZURE_120,CKV_AZURE_179,CKV_AZURE_190,CKV_AZURE_206,CKV_AZURE_217,CKV_AZURE_218,CKV2_AZURE_1,CKV2_AZURE_10,CKV2_AZURE_12,CKV2_AZURE_18,CKV2_AZURE_31,CKV2_AZURE_33,CKV2_AZURE_39,CKV2_AZURE_40,CKV2_AZURE_41
     id: checkov
     verbose: true
   repo: https://github.com/bridgecrewio/checkov.git

diff --git a/examples/common_vmseries/README.md b/examples/common_vmseries/README.md
@@ -191,6 +191,7 @@ Name | Version | Source | Description
 --- | --- | --- | ---
 `vnet` | - | ../../modules/vnet | 
 `vnet_peering` | - | ../../modules/vnet_peering | 
+`public_ip` | - | ../../modules/public_ip | 
 `natgw` | - | ../../modules/natgw | 
 `load_balancer` | - | ../../modules/loadbalancer | 
 `appgw` | - | ../../modules/appgw | 
@@ -223,6 +224,7 @@ Name | Type | Description
 [`create_resource_group`](#create_resource_group) | `bool` | When set to `true` it will cause a Resource Group creation.
 [`tags`](#tags) | `map` | Map of tags to assign to the created resources.
 [`vnet_peerings`](#vnet_peerings) | `map` | A map defining VNET peerings.
+[`public_ips`](#public_ips) | `object` | A map defining Public IP Addresses and Prefixes.
 [`natgws`](#natgws) | `map` | A map defining NAT Gateways.
 [`load_balancers`](#load_balancers) | `map` | A map containing configuration for all (both private and public) Load Balancers.
 [`appgws`](#appgws) | `map` | A map defining all Application Gateways in the current deployment.
@@ -247,7 +249,7 @@ Name |  Description
 `test_vms_usernames` | Initial administrative username to use for test VMs.
 `test_vms_passwords` | Initial administrative password to use for test VMs.
 `test_vms_ips` | IP Addresses of the test VMs.
-`app_lb_frontend_ips` | IP Addresses of the load balancers.
+`test_lb_frontend_ips` | IP Addresses of the test load balancers.
 
 ### Required Inputs details
 
@@ -415,6 +417,49 @@ map(object({
 ```
 
 
+Default value: `map[]`
+
+<sup>[back to list](#modules-optional-inputs)</sup>
+
+#### public_ips
+
+A map defining Public IP Addresses and Prefixes.
+
+Following properties are available:
+
+- `public_ip_addresses` - (`map`, optional) map of objects describing Public IP Addresses, please refer to
+                          [module documentation](../../modules/public_ip/README.md#public_ip_addresses)
+                          for available properties.
+- `public_ip_prefixes`  - (`map`, optional) map of objects describing Public IP Prefixes, please refer to
+                          [module documentation](../../modules/public_ip/README.md#public_ip_prefixes)
+                          for available properties.
+
+
+Type: 
+
+```hcl
+object({
+    public_ip_addresses = optional(map(object({
+      create                     = bool
+      name                       = string
+      resource_group_name        = optional(string)
+      zones                      = optional(list(string))
+      domain_name_label          = optional(string)
+      idle_timeout_in_minutes    = optional(number)
+      prefix_name                = optional(string)
+      prefix_resource_group_name = optional(string)
+    })), {})
+    public_ip_prefixes = optional(map(object({
+      create              = bool
+      name                = string
+      resource_group_name = optional(string)
+      zones               = optional(list(string))
+      length              = optional(number)
+    })), {})
+  })
+```
+
+
 Default value: `map[]`
 
 <sup>[back to list](#modules-optional-inputs)</sup>
@@ -473,14 +518,16 @@ map(object({
     idle_timeout        = optional(number, 4)
     public_ip = optional(object({
       create              = bool
-      name                = string
+      name                = optional(string)
       resource_group_name = optional(string)
+      key                 = optional(string)
     }))
     public_ip_prefix = optional(object({
       create              = bool
-      name                = string
+      name                = optional(string)
       resource_group_name = optional(string)
       length              = optional(number)
+      key                 = optional(string)
     }))
   }))
 ```
@@ -559,9 +606,11 @@ map(object({
     frontend_ips = optional(map(object({
       name                          = string
       subnet_key                    = optional(string)
-      public_ip_name                = optional(string)
       create_public_ip              = optional(bool, false)
+      public_ip_name                = optional(string)
       public_ip_resource_group_name = optional(string)
+      public_ip_key                 = optional(string)
+      public_ip_prefix_key          = optional(string)
       private_ip_address            = optional(string)
       gwlb_key                      = optional(string)
       in_rules = optional(map(object({
@@ -640,9 +689,10 @@ map(object({
     subnet_key = string
     zones      = optional(list(string))
     public_ip = object({
-      name                = string
       create              = optional(bool, true)
+      name                = optional(string)
       resource_group_name = optional(string)
+      key                 = optional(string)
     })
     domain_name_label = optional(string)
     capacity = optional(object({
@@ -1140,6 +1190,7 @@ map(object({
       create_public_ip              = optional(bool, false)
       public_ip_name                = optional(string)
       public_ip_resource_group_name = optional(string)
+      public_ip_key                 = optional(string)
       private_ip_address            = optional(string)
       load_balancer_key             = optional(string)
       application_gateway_key       = optional(string)
@@ -1336,9 +1387,11 @@ map(object({
       frontend_ips = optional(map(object({
         name                          = string
         subnet_key                    = optional(string)
-        public_ip_name                = optional(string)
         create_public_ip              = optional(bool, false)
+        public_ip_name                = optional(string)
         public_ip_resource_group_name = optional(string)
+        public_ip_key                 = optional(string)
+        public_ip_prefix_key          = optional(string)
         private_ip_address            = optional(string)
         gwlb_key                      = optional(string)
         in_rules = optional(map(object({
@@ -1383,10 +1436,13 @@ map(object({
       custom_data = optional(string)
     }))
     bastions = map(object({
-      name           = string
-      public_ip_name = optional(string)
-      vnet_key       = string
-      subnet_key     = string
+      name                          = string
+      create_public_ip              = optional(bool, true)
+      public_ip_name                = optional(string)
+      public_ip_resource_group_name = optional(string)
+      public_ip_key                 = optional(string)
+      vnet_key                      = string
+      subnet_key                    = string
     }))
   }))
 ```

diff --git a/examples/common_vmseries/main.tf b/examples/common_vmseries/main.tf
@@ -95,13 +95,33 @@ module "vnet_peering" {
   depends_on = [module.vnet]
 }
 
+module "public_ip" {
+  source = "../../modules/public_ip"
+
+  region = var.region
+  public_ip_addresses = {
+    for k, v in var.public_ips.public_ip_addresses : k => merge(v, {
+      name                = "${var.name_prefix}${v.name}"
+      resource_group_name = coalesce(v.resource_group_name, local.resource_group.name)
+    })
+  }
+  public_ip_prefixes = {
+    for k, v in var.public_ips.public_ip_prefixes : k => merge(v, {
+      name                = "${var.name_prefix}${v.name}"
+      resource_group_name = coalesce(v.resource_group_name, local.resource_group.name)
+    })
+  }
+
+  tags = var.tags
+}
+
 module "natgw" {
   source = "../../modules/natgw"
 
   for_each = var.natgws
 
   create_natgw        = each.value.create_natgw
-  name                = each.value.natgw.create ? "${var.name_prefix}${each.value.name}" : each.value.name
+  name                = each.value.create_natgw ? "${var.name_prefix}${each.value.name}" : each.value.name
   resource_group_name = coalesce(each.value.resource_group_name, local.resource_group.name)
   region              = var.region
   zone                = try(each.value.zone, null)
@@ -110,9 +130,11 @@ module "natgw" {
 
   public_ip = try(merge(each.value.public_ip, {
     name = "${each.value.public_ip.create ? var.name_prefix : ""}${each.value.public_ip.name}"
+    id   = try(module.public_ip.pip_ids[each.value.key], null)
   }), null)
   public_ip_prefix = try(merge(each.value.public_ip_prefix, {
     name = "${each.value.public_ip_prefix.create ? var.name_prefix : ""}${each.value.public_ip_prefix.name}"
+    id   = try(module.public_ip.ippre_ids[each.value.key], null)
   }), null)
 
   tags       = var.tags
@@ -156,8 +178,12 @@ module "load_balancer" {
     for k, v in each.value.frontend_ips : k => merge(
       v,
       {
-        public_ip_name = v.create_public_ip ? "${var.name_prefix}${v.public_ip_name}" : v.public_ip_name,
-        subnet_id      = try(module.vnet[each.value.vnet_key].subnet_ids[v.subnet_key], null)
+        public_ip_name           = v.create_public_ip ? "${var.name_prefix}${v.public_ip_name}" : v.public_ip_name,
+        public_ip_id             = try(module.public_ip.pip_ids[v.public_ip_key], null)
+        public_ip_address        = try(module.public_ip.pip_ip_addresses[v.public_ip_key], null)
+        public_ip_prefix_id      = try(module.public_ip.ippre_ids[v.public_ip_prefix_key], null)
+        public_ip_prefix_address = try(module.public_ip.ippre_ip_prefixes[v.public_ip_prefix_key], null)
+        subnet_id                = try(module.vnet[each.value.vnet_key].subnet_ids[v.subnet_key], null)
       }
     )
   }
@@ -197,7 +223,10 @@ module "appgw" {
   zones = each.value.zones
   public_ip = merge(
     each.value.public_ip,
-    { name = "${each.value.public_ip.create ? var.name_prefix : ""}${each.value.public_ip.name}" }
+    {
+      name = try("${each.value.public_ip.create ? var.name_prefix : ""}${each.value.public_ip.name}", null)
+      id   = try(module.public_ip.pip_ids[each.value.public_ip.key], null)
+    }
   )
   domain_name_label              = each.value.domain_name_label
   capacity                       = each.value.capacity
@@ -409,6 +438,7 @@ module "vmseries" {
       var.name_prefix}${coalesce(v.public_ip_name, "${v.name}-pip")
     }" : v.public_ip_name
     public_ip_resource_group_name = v.public_ip_resource_group_name
+    public_ip_id                  = try(module.public_ip.pip_ids[v.public_ip_key], null)
     private_ip_address            = v.private_ip_address
     attach_to_lb_backend_pool     = v.load_balancer_key != null
     lb_backend_pool_id            = try(module.load_balancer[v.load_balancer_key].backend_pool_id, null)
@@ -462,6 +492,13 @@ module "test_infrastructure" {
   load_balancers = { for k, v in each.value.load_balancers : k => merge(v, {
     name         = "${var.name_prefix}${v.name}"
     backend_name = coalesce(v.backend_name, "${v.name}-backend")
+    public_ip_name = v.frontend_ips.create_public_ip ? (
+      "${var.name_prefix}${v.frontend_ips.public_ip_name}"
+    ) : v.frontend_ips.public_ip_name
+    public_ip_id             = try(module.public_ip.pip_ids[v.frontend_ips.public_ip_key], null)
+    public_ip_address        = try(module.public_ip.pip_ip_addresses[v.frontend_ips.public_ip_key], null)
+    public_ip_prefix_id      = try(module.public_ip.ippre_ids[v.frontend_ips.public_ip_prefix_key], null)
+    public_ip_prefix_address = try(module.public_ip.ippre_ip_prefixes[v.frontend_ips.public_ip_prefix_key], null)
   }) }
   authentication = local.test_vm_authentication[each.key]
   spoke_vms = { for k, v in each.value.spoke_vms : k => merge(v, {
@@ -471,7 +508,8 @@ module "test_infrastructure" {
   }) }
   bastions = { for k, v in each.value.bastions : k => merge(v, {
     name           = "${var.name_prefix}${v.name}"
-    public_ip_name = "${var.name_prefix}${coalesce(v.public_ip_name, "${v.name}-pip")}"
+    public_ip_name = v.public_ip_key != null ? null : "${var.name_prefix}${coalesce(v.public_ip_name, "${v.name}-pip")}"
+    public_ip_id   = try(module.public_ip.pip_ids[v.public_ip_key], null)
   }) }
 
   tags       = var.tags

diff --git a/examples/common_vmseries/outputs.tf b/examples/common_vmseries/outputs.tf
@@ -11,9 +11,9 @@ output "passwords" {
 
 output "natgw_public_ips" {
   description = "Nat Gateways Public IP resources."
-  value = length(var.natgws) > 0 ? { for k, v in module.natgw : k => {
-    pip        = v.natgw_pip
-    pip_prefix = v.natgw_pip_prefix
+  value = length(var.natgws) > 0 ? { for k, v in var.natgws : k => {
+    pip        = try(coalesce(module.public_ip.pip_ip_addresses[v.public_ip.key], module.natgw[k].natgw_pip), null)
+    pip_prefix = try(coalesce(module.public_ip.ippre_ip_prefixes[v.public_ip_prefix.key], module.natgw[k].natgw_pip_prefix), null)
   } } : null
 }
 
@@ -30,7 +30,10 @@ output "lb_frontend_ips" {
 
 output "vmseries_mgmt_ips" {
   description = "IP addresses for the VM-Series management interface."
-  value       = { for k, v in module.vmseries : k => v.mgmt_ip_address }
+  value = { for k, v in var.vmseries : k => coalesce(
+    try(module.public_ip.pip_ip_addresses[v.interfaces[0].public_ip_key], null),
+    module.vmseries[k].mgmt_ip_address
+  ) }
 }
 
 output "bootstrap_storage_urls" {
@@ -58,9 +61,9 @@ output "test_vms_ips" {
   value       = length(var.test_infrastructure) > 0 ? { for k, v in module.test_infrastructure : k => v.vm_private_ips } : null
 }
 
-output "app_lb_frontend_ips" {
-  description = "IP Addresses of the load balancers."
+output "test_lb_frontend_ips" {
+  description = "IP Addresses of the test load balancers."
   value = length({ for k, v in var.test_infrastructure : k => v if v.load_balancers != null }) > 0 ? {
     for k, v in module.test_infrastructure : k => v.frontend_ip_configs
   } : null
-}
+}