Feature/optional dns resolver

CHANGELOG.md

@@ -7,6 +7,10 @@ and this module adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.
 
 ## [Unreleased]
 
+## [1.2.0] - 2023-03-12
+
+- made rules for private dns resolver and azure dcs optional
+
 ## [1.1.0] - 2023-11-17
 
 ### Added

README.md

@@ -14,6 +14,7 @@ It's very easy to use!
 ```hcl
 provider "azurerm" {
   features {}
+  skip_provider_registration = true
 }
 
 resource "azurerm_resource_group" "example" {
@@ -79,10 +80,7 @@ module "firewall_rules" {
   stage            = "prd"
   default_location = local.location
 
-  ipg_azure_dc_id           = azurerm_ip_group.azure_dc.id
-  ipg_onpremise_dc_id       = azurerm_ip_group.onpremise_dc.id
   ipg_application_lz_id     = azurerm_ip_group.application_lz.id
-  ipg_dnsprivateresolver_id = azurerm_ip_group.dnsprivateresolver.id
   ipg_platform_id           = azurerm_ip_group.platform.id
 }
 ```
@@ -99,12 +97,12 @@ module "firewall_rules" {
 |------|-------------|------|---------|:--------:|
 | <a name="input_default_location"></a> [default\_location](#input\_default\_location) | The default location used for this module. | `string` | n/a | yes |
 | <a name="input_ipg_application_lz_id"></a> [ipg\_application\_lz\_id](#input\_ipg\_application\_lz\_id) | IP ranges for all application landing zones. | `string` | n/a | yes |
-| <a name="input_ipg_azure_dc_id"></a> [ipg\_azure\_dc\_id](#input\_ipg\_azure\_dc\_id) | The ip addresses of the domain controller located in azure. | `string` | n/a | yes |
-| <a name="input_ipg_dnsprivateresolver_id"></a> [ipg\_dnsprivateresolver\_id](#input\_ipg\_dnsprivateresolver\_id) | The ip address of the private dns resolver inbound endpoint. | `string` | n/a | yes |
 | <a name="input_ipg_platform_id"></a> [ipg\_platform\_id](#input\_ipg\_platform\_id) | IP ranges for the whole platform service, defined by the azure landing zone core modules. | `string` | n/a | yes |
 | <a name="input_resource_group_name"></a> [resource\_group\_name](#input\_resource\_group\_name) | The name of the resource group in which the firewall policy and the azure firewall are located. | `string` | n/a | yes |
 | <a name="input_stage"></a> [stage](#input\_stage) | The stage that the resource is located in, e.g. prod, dev. | `string` | n/a | yes |
 | <a name="input_firewall_policy_id"></a> [firewall\_policy\_id](#input\_firewall\_policy\_id) | For testing use this | `string` | `null` | no |
+| <a name="input_ipg_azure_dc_id"></a> [ipg\_azure\_dc\_id](#input\_ipg\_azure\_dc\_id) | The ip addresses of the domain controller located in azure. If the value is not provided, this network rule collection will not be created. | `string` | `""` | no |
+| <a name="input_ipg_dnsprivateresolver_id"></a> [ipg\_dnsprivateresolver\_id](#input\_ipg\_dnsprivateresolver\_id) | The ip address of the private dns resolver inbound endpoint. If the value is not provided, this network rule collection will not be created | `string` | `""` | no |
 | <a name="input_ipg_onpremise_dc_id"></a> [ipg\_onpremise\_dc\_id](#input\_ipg\_onpremise\_dc\_id) | If the customer still operates domain controller on premise, provide these in this variable. | `string` | `null` | no |
 | <a name="input_responsibility"></a> [responsibility](#input\_responsibility) | The responsibility means who is responsible for the rule collection, e.g. is this rule collection in this module used as general rule set for the firewall, other responsibilities would be the customer etc. | `string` | `"Platform"` | no |
 ## Outputs

examples/basic/ip_groups.tf

@@ -47,7 +47,7 @@ resource "azurerm_ip_group" "application_lz" {
 }
 
 resource "azurerm_ip_group" "platform" {
-  name                = "ipg-application-landing-zone"
+  name                = "ipg-platform"
   location            = local.location
   resource_group_name = azurerm_resource_group.example.name
 

examples/basic/main.tf

@@ -1,5 +1,6 @@
 provider "azurerm" {
   features {}
+  skip_provider_registration = true
 }
 
 resource "azurerm_resource_group" "example" {
@@ -65,9 +66,6 @@ module "firewall_rules" {
   stage            = "prd"
   default_location = local.location
 
-  ipg_azure_dc_id           = azurerm_ip_group.azure_dc.id
-  ipg_onpremise_dc_id       = azurerm_ip_group.onpremise_dc.id
   ipg_application_lz_id     = azurerm_ip_group.application_lz.id
-  ipg_dnsprivateresolver_id = azurerm_ip_group.dnsprivateresolver.id
   ipg_platform_id           = azurerm_ip_group.platform.id
 }

main.tf

@@ -3,37 +3,44 @@ resource "azurerm_firewall_policy_rule_collection_group" "this" {
   firewall_policy_id = var.firewall_policy_id
   priority           = 100
 
-  network_rule_collection {
-    name     = "rc-DomainController-${var.stage}"
-    priority = 100
-    action   = "Allow"
+  dynamic "network_rule_collection" {
+    for_each = var.ipg_azure_dc_id == "" ? [] : [var.ipg_azure_dc_id]
+    content {
+      name     = "rc-DomainController-${var.stage}"
+      priority = 100
+      action   = "Allow"
 
-    rule {
-      name                  = "allow-alz-to-dc-inbound"
-      protocols             = ["TCP", "UDP"]
-      source_ip_groups      = [var.ipg_application_lz_id]
-      destination_ip_groups = var.ipg_onpremise_dc_id != null ? [var.ipg_azure_dc_id, var.ipg_onpremise_dc_id] : [var.ipg_azure_dc_id]
-      destination_ports = [
-        "53", "88", "123", "135", "137", "138", "139",
-        "389", "445", "464", "636", "3268", "3269", "9389"
-      ]
+      rule {
+        name                  = "allow-alz-to-dc-inbound"
+        protocols             = ["TCP", "UDP"]
+        source_ip_groups      = [var.ipg_application_lz_id]
+        destination_ip_groups = var.ipg_onpremise_dc_id != null ? [var.ipg_azure_dc_id, var.ipg_onpremise_dc_id] : [var.ipg_azure_dc_id]
+        destination_ports = [
+          "53", "88", "123", "135", "137", "138", "139",
+          "389", "445", "464", "636", "3268", "3269", "9389"
+        ]
+      }
     }
   }
 
-  network_rule_collection {
-    name     = "rc-DNSPrivateResolver-${var.stage}"
-    priority = 110
-    action   = "Allow"
+  dynamic "network_rule_collection" {
+    for_each = var.ipg_dnsprivateresolver_id == "" ? [] : [var.ipg_dnsprivateresolver_id]
+    content {
+      name     = "rc-DNSPrivateResolver-${var.stage}"
+      priority = 110
+      action   = "Allow"
 
-    rule {
-      name                  = "allow-dc-to-dnsresolver-inbound"
-      protocols             = ["Any"]
-      source_ip_groups      = var.ipg_onpremise_dc_id != null ? [var.ipg_azure_dc_id, var.ipg_onpremise_dc_id] : [var.ipg_azure_dc_id]
-      destination_ip_groups = [var.ipg_dnsprivateresolver_id]
-      destination_ports     = ["*"]
+      rule {
+        name                  = "allow-dc-to-dnsresolver-inbound"
+        protocols             = ["Any"]
+        source_ip_groups      = var.ipg_onpremise_dc_id != null ? [var.ipg_azure_dc_id, var.ipg_onpremise_dc_id] : [var.ipg_azure_dc_id]
+        destination_ip_groups = [var.ipg_dnsprivateresolver_id]
+        destination_ports     = ["*"]
+      }
     }
   }
 
+
   network_rule_collection {
     name     = "rc-internet_outbound-${var.stage}"
     priority = 120

variables.tf

@@ -29,7 +29,8 @@ variable "default_location" {
 
 variable "ipg_azure_dc_id" {
   type        = string
-  description = "The ip addresses of the domain controller located in azure."
+  description = "The ip addresses of the domain controller located in azure. If the value is not provided, this network rule collection will not be created."
+  default     = ""
 }
 
 variable "ipg_onpremise_dc_id" {
@@ -40,7 +41,8 @@ variable "ipg_onpremise_dc_id" {
 
 variable "ipg_dnsprivateresolver_id" {
   type        = string
-  description = "The ip address of the private dns resolver inbound endpoint."
+  description = "The ip address of the private dns resolver inbound endpoint. If the value is not provided, this network rule collection will not be created"
+  default     = ""
 }
 
 variable "ipg_application_lz_id" {