Feature/optional dns resolver

[QBY-ChristianHartmann]

Description

As we are not deploying private dns resolver or azure as a standard and not always azure dcs, both network collection groups are now optional. There is also a new option to add rules for azure bastion.

Change overview (tick true):

• This introduces backward incompatible changes
• This adds a new backward compatible Feature
• This fixes a Bug

Version information:

• Previous Version: 1.1.0

• Next Version based on Semantic Versioning (see above): 1.2.0

How Has This Been Tested?

• Apply of all examples was successful

Checklist:

• I have run tests and documented them above
• I have performed a self-review of my own code
• I have updated the documentation
• I have updated the CHANGELOG

[QBY-MarkusMaring]

It works when the optional parameters are empty. But when I put something in it seems that no network rule collections will be deployed at all and the apply fails.

Can you add an example of more than just required IP groups? And take a look whats happening there. I don't think you can combine static and dynamic network_rule_collection blocks like that. I remember it being a one or the other kind of thing. So either 100% dynamic or 100% static. But I can't find documentation for that :/

See issue: hashicorp/terraform#34933

[ghost]

I don't get it :(

[ghost]

oooh, I think I got it.

Suggested change

	ipg_rdp_access_ids: If rdp access is needed, provide vm ip-groups in this variable. Every ip-group provided in this list, will be accessible by bastion.
	ipg_ssh_access_ids: If ssh access is needed, provide vm ip-groups in this variable. Every ip-group provided in this list, will be accessible by bastion.
	ipg_rdp_access_ids: If rdp access is needed, provide vm ip-groups in this variable. Every ip-group provided in this list, will be accessible via rdp by bastion.
	ipg_ssh_access_ids: If ssh access is needed, provide vm ip-groups in this variable. Every ip-group provided in this list, will be accessible via ssh by bastion.

[ghost]

Change of priority on purpose?
This would make this a breaking change, if someone already uses priority 100

[QBY-MarkusMaring]

Priority 100 is reserved by platform. So no collisions there.

Rules were re-ordered because all network rules need to be in front of application rules. Previously we didn't leave any free space so it was not possible to insert a new rule if we wanted to stick to a 10 diff.

We did a 5 diff to allow for more RCs in total and left space between the end of network rules and the start of application rules.

This change causes no downtime.

[ghost]

Why do we need any port to DNS resolver?

Suggested change

	protocols = ["Any"]
	source_ip_groups = var.ipg_onpremise_dc_id != null ? [var.ipg_azure_dc_id, var.ipg_onpremise_dc_id] : [var.ipg_azure_dc_id]
	destination_ip_groups = [var.ipg_dnsprivateresolver_id]
	destination_ports = ["*"]
	protocols = ["Any"]
	source_ip_groups = var.ipg_onpremise_dc_id != null ? [var.ipg_azure_dc_id, var.ipg_onpremise_dc_id] : [var.ipg_azure_dc_id]
	destination_ip_groups = [var.ipg_dnsprivateresolver_id]
	destination_ports = ["53"]

[QBY-MarkusMaring]

Yes. Probably better to do 53 UDP only

[ghost]

What does the regex do?

[QBY-MarkusMaring]

Get the name of the ip group from its resource ID. Needed to avoid naming collisions.

[ghost]

What does the regex do?

[QBY-MarkusMaring]

Get the name of the ip group from its resource ID. Needed to avoid naming collisions.

[ghost]

Change of priority on purpose?
This would make this a breaking change, if someone already uses priority 150

[QBY-MarkusMaring]

See above. Not a breaking change. No risk of collision.