Add variable source_application_security_group_ids and destination_application_security_group_ids (#55)

Author: yupwei68

README.md

@@ -16,14 +16,18 @@ This module includes a a set of pre-defined rules for commonly used protocols (f
 The following example demonstrate how to use the network-security-group module with a combination of predefined and custom rules.
 
 ```hcl
-resource "azurerm_resource_group" "test" {
+provider "azurerm" {
+  features {}
+}
+
+resource "azurerm_resource_group" "example" {
   name     = "my-resources"
   location = "West Europe"
 }
 
 module "network-security-group" {
   source                = "Azure/network-security-group/azurerm"
-  resource_group_name   = azurerm_resource_group.test.name
+  resource_group_name   = azurerm_resource_group.example.name
   location              = "EastUS" # Optional; if not provided, will use Resource Group location
   security_group_name   = "nsg"
   source_address_prefix = ["10.0.3.0/24"]
@@ -37,6 +41,7 @@ module "network-security-group" {
       source_port_range = "1024-1026"
     }
   ]
+
   custom_rules = [
     {
       name                   = "myhttp"
@@ -48,6 +53,65 @@ module "network-security-group" {
       description            = "description-myhttp"
     }
   ]
+
+  tags = {
+    environment = "dev"
+    costcenter  = "it"
+  }
+}
+```
+
+## Usage with the Application Security Group module
+
+The following example demonstrate how to use the network-security-group module with a combination of predefined and custom rules with ASG source or destination.
+
+```hcl
+provider "azurerm" {
+  features {}
+}
+
+resource "azurerm_resource_group" "example" {
+  name     = "my-resources"
+  location = "West Europe"
+}
+
+resource "azurerm_application_security_group" "first" {
+  name                = "asg-first"
+  location            = "eastus"
+  resource_group_name = azurerm_resource_group.example.name
+}
+
+resource "azurerm_application_security_group" "second" {
+  name                = "asg-second"
+  location            = "eastus"
+  resource_group_name = azurerm_resource_group.example.name
+}
+
+module "network-security-group" {
+  source              = "Azure/network-security-group/azurerm"
+  resource_group_name = azurerm_resource_group.example.name
+  location            = "eastus"
+  security_group_name = "nsg"
+  predefined_rules = [
+    {
+      name                                  = "SSH"
+      priority                              = "500"
+      source_application_security_group_ids = [azurerm_application_security_group.first.id]
+    }
+  ]
+
+  custom_rules = [
+    {
+      name                                       = "myhttp"
+      priority                                   = "200"
+      direction                                  = "Inbound"
+      access                                     = "Allow"
+      protocol                                   = "tcp"
+      destination_port_range                     = "8080"
+      description                                = "description-myhttp"
+      destination_application_security_group_ids = [azurerm_application_security_group.second.id]
+    }
+  ]
   tags = {
     environment = "dev"
     costcenter  = "it"
@@ -60,14 +124,14 @@ module "network-security-group" {
 The following example demonstrate how to use the pre-defined HTTP module with a custom rule for ssh.
 
 ```hcl
-resource "azurerm_resource_group" "test" {
+resource "azurerm_resource_group" "example" {
   name     = "my-resources"
   location = "West Europe"
 }
 
 module "network-security-group" {
   source              = "Azure/network-security-group/azurerm//modules/HTTP"
-  resource_group_name = azurerm_resource_group.test.name
+  resource_group_name = azurerm_resource_group.example.name
   security_group_name = "nsg"
   custom_rules = [
     {
@@ -126,7 +190,7 @@ $ rake full
 
 ### Docker
 
-We provide a Dockerfile to build a new image based `FROM` the `microsoft/terraform-test` Docker hub image which adds additional tools / packages specific for this module (see Custom Image section).  Alternatively use only the `microsoft/terraform-test` Docker hub image [by using these instructions](https://github.com/Azure/terraform-test).
+We provide a Dockerfile to build a new image based `FROM` the `mcr.microsoft.com/terraform-test` Docker hub image which adds additional tools / packages specific for this module (see Custom Image section).  Alternatively use only the `mcr.microsoft.com/terraform-test` Docker hub image [by using these instructions](https://github.com/Azure/terraform-test).
 
 #### Prerequisites
 

main.tf

@@ -14,37 +14,41 @@ resource "azurerm_network_security_group" "nsg" {
 #############################
 
 resource "azurerm_network_security_rule" "predefined_rules" {
-  count                       = length(var.predefined_rules)
-  name                        = lookup(var.predefined_rules[count.index], "name")
-  priority                    = lookup(var.predefined_rules[count.index], "priority", 4096 - length(var.predefined_rules) + count.index)
-  direction                   = element(var.rules[lookup(var.predefined_rules[count.index], "name")], 0)
-  access                      = element(var.rules[lookup(var.predefined_rules[count.index], "name")], 1)
-  protocol                    = element(var.rules[lookup(var.predefined_rules[count.index], "name")], 2)
-  source_port_ranges          = split(",", replace(lookup(var.predefined_rules[count.index], "source_port_range", "*"), "*", "0-65535"))
-  destination_port_range      = element(var.rules[lookup(var.predefined_rules[count.index], "name")], 4)
-  description                 = element(var.rules[lookup(var.predefined_rules[count.index], "name")], 5)
-  source_address_prefix       = join(",", var.source_address_prefix)
-  destination_address_prefix  = join(",", var.destination_address_prefix)
-  resource_group_name         = data.azurerm_resource_group.nsg.name
-  network_security_group_name = azurerm_network_security_group.nsg.name
+  count                                      = length(var.predefined_rules)
+  name                                       = lookup(var.predefined_rules[count.index], "name")
+  priority                                   = lookup(var.predefined_rules[count.index], "priority", 4096 - length(var.predefined_rules) + count.index)
+  direction                                  = element(var.rules[lookup(var.predefined_rules[count.index], "name")], 0)
+  access                                     = element(var.rules[lookup(var.predefined_rules[count.index], "name")], 1)
+  protocol                                   = element(var.rules[lookup(var.predefined_rules[count.index], "name")], 2)
+  source_port_ranges                         = split(",", replace(lookup(var.predefined_rules[count.index], "source_port_range", "*"), "*", "0-65535"))
+  destination_port_range                     = element(var.rules[lookup(var.predefined_rules[count.index], "name")], 4)
+  description                                = element(var.rules[lookup(var.predefined_rules[count.index], "name")], 5)
+  source_address_prefix                      = length(lookup(var.predefined_rules[count.index], "source_application_security_group_ids", [])) == 0 ? join(",", var.source_address_prefix) : ""
+  destination_address_prefix                 = length(lookup(var.predefined_rules[count.index], "destination_application_security_group_ids", [])) == 0 ? join(",", var.destination_address_prefix) : ""
+  resource_group_name                        = data.azurerm_resource_group.nsg.name
+  network_security_group_name                = azurerm_network_security_group.nsg.name
+  source_application_security_group_ids      = lookup(var.predefined_rules[count.index], "source_application_security_group_ids", [])
+  destination_application_security_group_ids = lookup(var.predefined_rules[count.index], "destination_application_security_group_ids", [])
 }
 
 #############################
 #  Detailed security rules  #
 #############################
 
 resource "azurerm_network_security_rule" "custom_rules" {
-  count                       = length(var.custom_rules)
-  name                        = lookup(var.custom_rules[count.index], "name", "default_rule_name")
-  priority                    = lookup(var.custom_rules[count.index], "priority")
-  direction                   = lookup(var.custom_rules[count.index], "direction", "Any")
-  access                      = lookup(var.custom_rules[count.index], "access", "Allow")
-  protocol                    = lookup(var.custom_rules[count.index], "protocol", "*")
-  source_port_ranges          = split(",", replace(lookup(var.custom_rules[count.index], "source_port_range", "*"), "*", "0-65535"))
-  destination_port_ranges     = split(",", replace(lookup(var.custom_rules[count.index], "destination_port_range", "*"), "*", "0-65535"))
-  source_address_prefix       = lookup(var.custom_rules[count.index], "source_address_prefix", "*")
-  destination_address_prefix  = lookup(var.custom_rules[count.index], "destination_address_prefix", "*")
-  description                 = lookup(var.custom_rules[count.index], "description", "Security rule for ${lookup(var.custom_rules[count.index], "name", "default_rule_name")}")
-  resource_group_name         = data.azurerm_resource_group.nsg.name
-  network_security_group_name = azurerm_network_security_group.nsg.name
+  count                                      = length(var.custom_rules)
+  name                                       = lookup(var.custom_rules[count.index], "name", "default_rule_name")
+  priority                                   = lookup(var.custom_rules[count.index], "priority")
+  direction                                  = lookup(var.custom_rules[count.index], "direction", "Any")
+  access                                     = lookup(var.custom_rules[count.index], "access", "Allow")
+  protocol                                   = lookup(var.custom_rules[count.index], "protocol", "*")
+  source_port_ranges                         = split(",", replace(lookup(var.custom_rules[count.index], "source_port_range", "*"), "*", "0-65535"))
+  destination_port_ranges                    = split(",", replace(lookup(var.custom_rules[count.index], "destination_port_range", "*"), "*", "0-65535"))
+  source_address_prefix                      = length(lookup(var.custom_rules[count.index], "source_application_security_group_ids", [])) == 0 ? lookup(var.custom_rules[count.index], "source_address_prefix", "*") : ""
+  destination_address_prefix                 = length(lookup(var.custom_rules[count.index], "destination_application_security_group_ids", [])) == 0 ? lookup(var.custom_rules[count.index], "destination_address_prefix", "*") : ""
+  description                                = lookup(var.custom_rules[count.index], "description", "Security rule for ${lookup(var.custom_rules[count.index], "name", "default_rule_name")}")
+  resource_group_name                        = data.azurerm_resource_group.nsg.name
+  network_security_group_name                = azurerm_network_security_group.nsg.name
+  source_application_security_group_ids      = lookup(var.custom_rules[count.index], "source_application_security_group_ids", [])
+  destination_application_security_group_ids = lookup(var.custom_rules[count.index], "destination_application_security_group_ids", [])
 }

test/fixture/main.tf

@@ -26,17 +26,62 @@ module "testPredefinedAD" {
   security_group_name = "nsg_testPredefinedAD"
 }
 
+resource "azurerm_application_security_group" "first" {
+  name                = "acctest-first"
+  location            = azurerm_resource_group.test.location
+  resource_group_name = azurerm_resource_group.test.name
+}
+
+resource "azurerm_application_security_group" "second" {
+  name                = "acctest-second"
+  location            = azurerm_resource_group.test.location
+  resource_group_name = azurerm_resource_group.test.name
+}
+
 module "testPredefinedRuleWithCustom" {
   source              = "../../"
   resource_group_name = azurerm_resource_group.test.name
   security_group_name = "nsg_testPredefinedWithCustom"
-  custom_rules        = var.custom_rules
-  predefined_rules    = var.predefined_rules
+  predefined_rules = [
+    {
+      name                                  = "HTTP"
+      source_application_security_group_ids = [azurerm_application_security_group.first.id]
+    },
+    {
+      name     = "HTTPS"
+      priority = 510
+    },
+  ]
 }
 
+
+
 module "testCustom" {
   source              = "../../"
   resource_group_name = azurerm_resource_group.test.name
   security_group_name = "nsg_testCustom"
-  custom_rules        = var.custom_rules
+  custom_rules = [
+    {
+      name                                  = "myssh"
+      priority                              = 201
+      direction                             = "Inbound"
+      access                                = "Allow"
+      protocol                              = "tcp"
+      source_port_range                     = "*"
+      destination_port_range                = "22"
+      description                           = "description-myssh"
+      source_application_security_group_ids = [azurerm_application_security_group.first.id]
+    },
+    {
+      name                                       = "myhttp"
+      priority                                   = 200
+      direction                                  = "Inbound"
+      access                                     = "Allow"
+      protocol                                   = "tcp"
+      source_port_range                          = "*"
+      destination_port_range                     = "8080"
+      description                                = "description-http"
+      destination_application_security_group_ids = [azurerm_application_security_group.second.id]
+    },
+  ]
 }

test/fixture/terraform.tfvars

@@ -1,35 +1 @@
-location = "westus"
-
-custom_rules = [
-  {
-    name                   = "myssh"
-    priority               = "101"
-    direction              = "Inbound"
-    access                 = "Allow"
-    protocol               = "tcp"
-    source_port_range      = "1234"
-    destination_port_range = "22"
-    description            = "description-myssh"
-  },
-  {
-    name                   = "myhttp"
-    priority               = "200"
-    direction              = "Inbound"
-    access                 = "Allow"
-    protocol               = "tcp"
-    source_port_range      = "666,4096-4098"
-    destination_port_range = "8080"
-    description            = "description-http"
-  },
-]
-
-predefined_rules = [
-  {
-    name              = "HTTP"
-    source_port_range = "666,1024-1026"
-  },
-  {
-    name     = "HTTPS"
-    priority = "510"
-  },
-]
+location = "westus"

test/fixture/variables.tf

@@ -1,9 +1 @@
 variable "location" {}
-
-variable "custom_rules" {
-  type = list(any)
-}
-
-variable "predefined_rules" {
-  type = list(any)
-}

variables.tf

@@ -24,7 +24,7 @@ variable "location" {
 
 # Predefined rules   
 variable "predefined_rules" {
-  type    = list(any)
+  type    = any
   default = []
 }
 
@@ -33,7 +33,7 @@ variable "predefined_rules" {
 # All the fields are required.
 variable "custom_rules" {
   description = "Security rules for the network security group using this format name = [priority, direction, access, protocol, source_port_range, destination_port_range, source_address_prefix, destination_address_prefix, description]"
-  type        = list(any)
+  type        = any
   default     = []
 }
 
@@ -52,3 +52,15 @@ variable "destination_address_prefix" {
 
   # Example ["10.0.3.0/32","10.0.3.128/32"] or ["VirtualNetwork"] 
 }
+
+variable "source_application_security_group_ids" {
+  description = "(Optional) A List of source Application Security Group IDs. Conflicted with `source_address_prefix`. Once assigned with `source_address_prefix`, it'll have a higher priority."
+  type        = set(string)
+  default     = []
+}
+
+variable "destination_application_security_group_ids" {
+  description = "(Optional) A List of destination Application Security Group IDs. Conflicted with `destination_address_prefix`. Once assigned with `destination_address_prefix`, it'll have a higher priority."
+  type        = set(string)
+  default     = []
+}