Azure Network Manager

Azure module to deploy a Azure Network Manager.

Global versioning rule for Claranet Azure modules

Module version	Terraform version	OpenTofu version	AzureRM version
>= 8.x.x	Unverified	1.8.x	>= 4.0
>= 7.x.x	1.3.x		>= 3.0
>= 6.x.x	1.x		>= 3.0
>= 5.x.x	0.15.x		>= 2.0
>= 4.x.x	0.13.x / 0.14.x		>= 2.0
>= 3.x.x	0.12.x		>= 2.0
>= 2.x.x	0.12.x		< 2.0
< 2.x.x	0.11.x		< 2.0

Contributing

If you want to contribute to this repository, feel free to use our pre-commit git hook configuration which will help you automatically update and format some files for you by enforcing our Terraform code module best-practices.

More details are available in the CONTRIBUTING.md file.

Usage

This module is optimized to work with the Claranet terraform-wrapper tool which set some terraform variables in the environment needed by this module. More details about variables set by the terraform-wrapper available in the documentation.

⚠️ Since modules version v8.0.0, we do not maintain/check anymore the compatibility with Hashicorp Terraform. Instead, we recommend to use OpenTofu.

module "network_manager" {
  source  = "claranet/network-manager/azurerm"
  version = "x.x.x"

  location            = module.azure_region.location
  location_short      = module.azure_region.location_short
  resource_group_name = module.rg.name

  client_name = var.client_name
  environment = var.environment
  stack       = var.stack

  network_manager_scope_accesses = [
    "Connectivity",
    "SecurityAdmin"
  ]

  network_manager_scope = {
    subscription_ids = [
      data.azurerm_subscription.current.id,
    ]
  }

  network_manager_description = "Global"

  network_groups = [
    {
      ng_name     = "mesh-global"
      description = "All floating spokes in prod"
      member_type = "VirtualNetwork"
      static_members = [
        # module.spoke3.vnet.id,
      ]
    },
    {
      ng_name     = "hubspoke-euw"
      description = "All spokes in prod region1"
      member_type = "VirtualNetwork"
      static_members = [
        # module.spoke1.vnet.id,
        # module.spoke2.vnet.id,
      ]
    },
  ]

  connectivity_configurations = [
    {
      connectivity_name     = "mesh-global"
      connectivity_topology = "Mesh"
      global_mesh_enabled   = true
      applies_to_groups = [{
        network_group_name  = "mesh-global"
        group_connectivity  = "DirectlyConnected"
        global_mesh_enabled = true
      }]
    },
    {
      connectivity_name     = "hubspoke-region-euw"
      deploy                = true
      connectivity_topology = "HubAndSpoke"
      global_mesh_enabled   = false
      applies_to_groups = [{
        network_group_name  = "hubspoke-euw"
        group_connectivity  = "None"
        global_mesh_enabled = false
        use_hub_gateway     = true
      }]
      # hub = {
      #   resource_id   = module.hub1.vnet.id
      #   resource_type = "Microsoft.Network/virtualNetworks"
      # }
    },
  ]

  security_admin_configurations = [
    {
      deploy              = true
      apply_default_rules = true
      sac_name            = "hubspoke-euw-soc1"
      rule_collections    = []
    },
    {
      sac_name            = "hubspoke-euw-soc2"
      apply_default_rules = true
      rule_collections    = []
    },
  ]

  connectivity_deployment = {
    configuration_names = ["hubspoke-region-euw", ]
  }

  security_deployment = {
    configuration_names = ["hubspoke-euw-soc1"]
    configuration_ids   = []
  }

  logs_destinations_ids = [
    module.run.logs_storage_account_id,
    module.run.log_analytics_workspace_id
  ]

  extra_tags = {
    foo = "bar"
  }
}

Providers

Name	Version
azapi	>= 2.0
azurecaf	~> 1.2.28
azurerm	~> 4.0

Modules

Name	Source	Version
diagnostics	claranet/diagnostic-settings/azurerm	~> 8.0.0

Resources

Name	Type
azapi_resource_action.main	resource
azurerm_network_manager.main	resource
azurerm_network_manager_admin_rule.default	resource
azurerm_network_manager_admin_rule.main	resource
azurerm_network_manager_admin_rule_collection.default	resource
azurerm_network_manager_admin_rule_collection.main	resource
azurerm_network_manager_connectivity_configuration.main	resource
azurerm_network_manager_deployment.connectivity	resource
azurerm_network_manager_deployment.security	resource
azurerm_network_manager_network_group.main	resource
azurerm_network_manager_security_admin_configuration.main	resource
azurerm_network_manager_static_member.main	resource
azurecaf_name.network_manager	data source
azurecaf_name.network_manager_connectivity_configuration	data source
azurecaf_name.network_manager_group	data source
azurecaf_name.network_manager_security_admin	data source

Inputs

Name	Description	Type	Default	Required
client_name	Client name/account used in naming.	string	n/a	yes
connectivity_configurations	Connectivity configurations to be created in the Azure Network Manager.	list(object({ connectivity_name = string custom_name = optional(string) connectivity_topology = optional(string) global_mesh_enabled = optional(bool, false) deploy = optional(bool, false) hub = optional(object({ resource_id = string resource_type = optional(string, "Microsoft.Network/virtualNetworks") }), null) applies_to_groups = list(object({ network_group_name = string direct_connectivity_enabled = optional(bool, false) global_mesh_enabled = optional(bool, false) use_hub_gateway = optional(bool, false) })) }))	[]	no
connectivity_deployment	Connectivity deployment configuration over connectivity created objects.	object({ configuration_names = optional(list(string), []) configuration_ids = optional(list(string), []) })	{}	no
custom_name	Custom Azure Network Manager, generated if not set.	string	""	no
default_tags_enabled	Option to enable or disable default tags.	bool	true	no
diagnostic_settings_custom_name	Custom name of the diagnostics settings, name will be default if not set.	string	"default"	no
environment	Project environment.	string	n/a	yes
extra_tags	Additional tags to add on resources.	map(string)	{}	no
location	Azure region to use.	string	n/a	yes
location_short	Short string for Azure location.	string	n/a	yes
logs_categories	Log categories to send to destinations.	list(string)	null	no
logs_destinations_ids	List of destination resources IDs for logs diagnostic destination. Can be Storage Account, Log Analytics Workspace and Event Hub. No more than one of each can be set. If you want to use Azure EventHub as a destination, you must provide a formatted string containing both the EventHub Namespace authorization send ID and the EventHub name (name of the queue to use in the Namespace) separated by the | character.	list(string)	n/a	yes
logs_metrics_categories	Metrics categories to send to destinations.	list(string)	null	no
name_prefix	Optional prefix for the generated name.	string	""	no
name_suffix	Optional suffix for the generated name.	string	""	no
network_groups	Network groups to be created in the Azure Network Manager.	list(object({ ng_name = string custom_name = optional(string) description = optional(string) member_type = optional(string, "VirtualNetwork") static_members = optional(list(string)) }))	[]	no
network_manager_description	A description of the Network Manager.	string	null	no
network_manager_scope	- management_group_ids - (Optional) A list of management group IDs. - subscription_ids - (Optional) A list of subscription IDs.	object({ management_group_ids = optional(list(string), []) subscription_ids = optional(list(string), []) })	n/a	yes
network_manager_scope_accesses	A list of configuration deployment type. Possible values are Connectivity and SecurityAdmin, corresponds to if Connectivity Configuration and Security Admin Configuration is allowed for the Network Manager.	list(string)	n/a	yes
network_manager_timeouts	- create - (Defaults to 30 minutes) Used when creating the Network Managers. - delete - (Defaults to 30 minutes) Used when deleting the Network Managers. - read - (Defaults to 5 minutes) Used when retrieving the Network Managers. - update - (Defaults to 30 minutes) Used when updating the Network Managers.	object({ create = optional(string) delete = optional(string) read = optional(string) update = optional(string) })	null	no
resource_group_name	Name of the resource group.	string	n/a	yes
security_admin_configurations	Security admin configurations to be created in the Azure Network Manager.	list(object({ sac_name = string custom_name = optional(string) description = optional(string) apply_default_rules = optional(bool, true) deploy = optional(bool, false) rule_collections = optional(list(object({ name = string description = optional(string) network_group_names = list(string) rules = list(object({ name = string description = optional(string) action = string direction = string priority = number protocol = string destination_port_ranges = list(string) source = list(object({ address_prefix_type = string address_prefix = string })) destinations = list(object({ address_prefix_type = string address_prefix = string })) })) }))) }))	[]	no
security_deployment	Security deployment configuration over security_admin created objects.	object({ configuration_names = optional(list(string), []) configuration_ids = optional(list(string), []) })	{}	no
stack	Project stack name.	string	n/a	yes

Outputs

Name	Description
id	Azure Network Manager ID.
module_diagnostics	Diagnostics settings module outputs.
name	Azure Network Manager name.
resource	Azure Network Manager output object.
resource_connectivity_configurations	Connectivity configurations resource objects.
resource_security_configurations	Security configurations resource objects.
resource_vnet_network_groups	Network groups resource objects.

Related documentation

Microsoft Azure documentation: xxxx