Azure Verified Module for Azure Virtual Networks

This module provides a generic way to create and manage Azure Virtual Networks (vNets) and their associated resources.

To use this module in your Terraform configuration, you'll need to provide values for the required variables. Here's a basic example:

module "azure_vnet" {
  source = "./path_to_this_module"

  address_spaces = ["10.0.0.0/16"]
  vnet_location  = "East US"
  name           = "myVNet"
  resource_group_name = "myResourceGroup"
  // ... other required variables ...
}

Requirements

The following requirements are needed by this module:

• terraform (>= 1.5.0)

• azurerm (>= 3.71.0)

• random (>= 3.5.0)

Providers

The following providers are used by this module:

• azurerm (>= 3.71.0)

• random (>= 3.5.0)

Resources

The following resources are used by this module:

• azurerm_management_lock.this (resource)
• azurerm_monitor_diagnostic_setting.example (resource)
• azurerm_resource_group_template_deployment.telemetry (resource)
• azurerm_role_assignment.subnet_level (resource)
• azurerm_role_assignment.vnet_level (resource)
• azurerm_subnet.subnet (resource)
• azurerm_subnet_nat_gateway_association.nat_gw (resource)
• azurerm_subnet_network_security_group_association.vnet (resource)
• azurerm_subnet_route_table_association.vnet (resource)
• azurerm_virtual_network.vnet (resource)
• azurerm_virtual_network_dns_servers.vnet_dns (resource)
• azurerm_virtual_network_peering.vnet_peering (resource)
• random_id.telem (resource)

Required Inputs

The following input variables are required:

location

Description: The location/region where the virtual network is created. Changing this forces a new resource to be created.

Type: string

resource_group_name

Description: The name of the resource group where the resources will be deployed.

Type: string

virtual_network_address_space

Description: (Required) The address space that is used the virtual network. You can supply more than one address space.

Type: list(string)

Optional Inputs

The following input variables are optional (have default values):

diagnostic_settings

Description: Map of diagnostic setting configurations

Type:

map(object({
    name                                     = optional(string, null)
    log_categories_and_groups                = optional(set(string), ["VMProtectionAlerts"])
    metric_categories                        = optional(set(string), ["AllMetrics"])
    log_analytics_destination_type           = optional(string, "Dedicated")
    workspace_resource_id                    = optional(string, null)
    storage_account_resource_id              = optional(string, null)
    event_hub_authorization_rule_resource_id = optional(string, null)
    event_hub_name                           = optional(string, null)
    marketplace_partner_resource_id          = optional(string, null)
  }))

Default: {}

enable_telemetry

Description: This variable controls whether or not telemetry is enabled for the module.
For more information see https://aka.ms/avm/telemetry.
If it is set to false, then no telemetry will be collected.

Type: bool

Default: true

lock

Description: The lock level to apply to the Virtual Network. Default is None. Possible values are None, CanNotDelete, and ReadOnly.

Type:

object({
    name = optional(string, null)
    kind = optional(string, "None")

  })

Default: {}

name

Description: The name of the virtual network to create.

Type: string

Default: "acctvnet"

role_assignments

Description: Map of configurations required to configure RBAC

Type:

map(object({
    role_definition_id_or_name             = string
    principal_id                           = string
    description                            = optional(string, null)
    skip_service_principal_aad_check       = optional(bool, false)
    condition                              = optional(string, null)
    condition_version                      = optional(string, null)
    delegated_managed_identity_resource_id = optional(string, null)
  }))

Default: {}

subnets

Description: The subnets to create

Type:

map(object(
    {
      address_prefixes = list(string) # (Required) The address prefixes to use for the subnet.
      nat_gateway = optional(object({
        id = string # (Required) The ID of the NAT Gateway which should be associated with the Subnet. Changing this forces a new resource to be created.
      }))
      network_security_group = optional(object({
        id = string # (Required) The ID of the Network Security Group which should be associated with the Subnet. Changing this forces a new association to be created.
      }))
      private_endpoint_network_policies_enabled     = optional(bool, true) # (Optional) Enable or Disable network policies for the private endpoint on the subnet. Setting this to `true` will **Enable** the policy and setting this to `false` will **Disable** the policy. Defaults to `true`.
      private_link_service_network_policies_enabled = optional(bool, true) # (Optional) Enable or Disable network policies for the private link service on the subnet. Setting this to `true` will **Enable** the policy and setting this to `false` will **Disable** the policy. Defaults to `true`.
      route_table = optional(object({
        id = string # (Required) The ID of the Route Table which should be associated with the Subnet. Changing this forces a new association to be created.
      }))
      service_endpoints           = optional(set(string)) # (Optional) The list of Service endpoints to associate with the subnet. Possible values include: `Microsoft.AzureActiveDirectory`, `Microsoft.AzureCosmosDB`, `Microsoft.ContainerRegistry`, `Microsoft.EventHub`, `Microsoft.KeyVault`, `Microsoft.ServiceBus`, `Microsoft.Sql`, `Microsoft.Storage` and `Microsoft.Web`.
      service_endpoint_policy_ids = optional(set(string)) # (Optional) The list of IDs of Service Endpoint Policies to associate with the subnet.
      delegations = optional(list(
        object(
          {
            name = string # (Required) A name for this delegation.
            service_delegation = object({
              name    = string                 # (Required) The name of service to delegate to. Possible values include `Microsoft.ApiManagement/service`, `Microsoft.AzureCosmosDB/clusters`, `Microsoft.BareMetal/AzureVMware`, `Microsoft.BareMetal/CrayServers`, `Microsoft.Batch/batchAccounts`, `Microsoft.ContainerInstance/containerGroups`, `Microsoft.ContainerService/managedClusters`, `Microsoft.Databricks/workspaces`, `Microsoft.DBforMySQL/flexibleServers`, `Microsoft.DBforMySQL/serversv2`, `Microsoft.DBforPostgreSQL/flexibleServers`, `Microsoft.DBforPostgreSQL/serversv2`, `Microsoft.DBforPostgreSQL/singleServers`, `Microsoft.HardwareSecurityModules/dedicatedHSMs`, `Microsoft.Kusto/clusters`, `Microsoft.Logic/integrationServiceEnvironments`, `Microsoft.MachineLearningServices/workspaces`, `Microsoft.Netapp/volumes`, `Microsoft.Network/managedResolvers`, `Microsoft.Orbital/orbitalGateways`, `Microsoft.PowerPlatform/vnetaccesslinks`, `Microsoft.ServiceFabricMesh/networks`, `Microsoft.Sql/managedInstances`, `Microsoft.Sql/servers`, `Microsoft.StoragePool/diskPools`, `Microsoft.StreamAnalytics/streamingJobs`, `Microsoft.Synapse/workspaces`, `Microsoft.Web/hostingEnvironments`, `Microsoft.Web/serverFarms`, `NGINX.NGINXPLUS/nginxDeployments` and `PaloAltoNetworks.Cloudngfw/firewalls`.
              actions = optional(list(string)) # (Optional) A list of Actions which should be delegated. This list is specific to the service to delegate to. Possible values include `Microsoft.Network/networkinterfaces/*`, `Microsoft.Network/virtualNetworks/subnets/action`, `Microsoft.Network/virtualNetworks/subnets/join/action`, `Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action` and `Microsoft.Network/virtualNetworks/subnets/unprepareNetworkPolicies/action`.
            })
          }
        )
      ))
    }
  ))

Default: {}

tags

Description: The tags to associate with your network and subnets.

Type: map(any)

Default: {}

tracing_tags_enabled

Description: Whether enable tracing tags that generated by BridgeCrew Yor.

Type: bool

Default: false

tracing_tags_prefix

Description: Default prefix for generated tracing tags.

Type: string

Default: "avm_"

virtual_network_ddos_protection_plan

Description: AzureNetwork DDoS Protection Plan.

Type:

object({
    id     = string #  (Required) The ID of DDoS Protection Plan.
    enable = bool   # (Required) Enable/disable DDoS Protection Plan on Virtual Network.
  })

Default: null

virtual_network_dns_servers

Description: (Optional) List of IP addresses of DNS servers

Type:

object({
    dns_servers = list(string)
  })

Default: null

vnet_peering_config

Description: A map of virtual network peering configurations. Each entry specifies a remote virtual network by ID and includes settings for traffic forwarding, gateway transit, and remote gateways usage.

Type:

map(object({
    remote_vnet_id          = string
    allow_forwarded_traffic = bool
    allow_gateway_transit   = bool
    use_remote_gateways     = bool
  }))

Default: {}

Outputs

The following outputs are exported:

subnets

Description: Information about the subnets created in the module.

virtual_network_id

Description: The resource ID of the virtual network.

vnet_resource

Description: The Azure Virtual Network resource

Modules

No modules.

Data Collection

The software may collect information about you and your use of the software and send it to Microsoft. Microsoft may use this information to provide services and improve our products and services. You may turn off the telemetry as described in the repository. There are also some features in the software that may enable you and Microsoft to collect data from users of your applications. If you use these features, you must comply with applicable law, including providing appropriate notices to users of your applications together with a copy of Microsoft’s privacy statement. Our privacy statement is located at https://go.microsoft.com/fwlink/?LinkID=824704. You can learn more about data collection and use in the help documentation and our privacy statement. Your use of the software operates as your consent to these practices.