# Network Security Group definition variable "resource_group_name" { type = string description = "Name of the resource group" } # Custom security rules # [name, priority, direction, access, protocol, source_port_range, destination_port_range, description]" # All the fields are required. variable "custom_rules" { type = any default = [] description = "Security rules for the network security group using this format name = [name, priority, direction, access, protocol, source_port_range, destination_port_range, source_address_prefix, destination_address_prefix, description]" } variable "destination_address_prefix" { type = list(string) default = ["*"] description = "Destination address prefix to be applied to all predefined rules. list(string) only allowed one element (CIDR, `*`, source IP range or Tags). Example [\"10.0.3.0/24\"] or [\"VirtualNetwork\"]" } variable "destination_address_prefixes" { type = list(string) default = null description = "Destination address prefix to be applied to all predefined rules. Example [\"10.0.3.0/32\",\"10.0.3.128/32\"]" } variable "location" { # No default - if it's not specified, use the resource group location (see main.tf) type = string default = "" description = "Location (Azure Region) for the network security group." } variable "predefined_rules" { type = any default = [] description = "Predefined rules" } variable "rules" { type = map(any) # [direction, access, protocol, source_port_range, destination_port_range, description]" # The following info are in the submodules: source_address_prefix, destination_address_prefix default = { #ActiveDirectory ActiveDirectory-AllowADReplication = ["Inbound", "Allow", "*", "*", "389", "AllowADReplication"] ActiveDirectory-AllowADReplicationSSL = ["Inbound", "Allow", "*", "*", "636", "AllowADReplicationSSL"] ActiveDirectory-AllowADGCReplication = ["Inbound", "Allow", "Tcp", "*", "3268", "AllowADGCReplication"] ActiveDirectory-AllowADGCReplicationSSL = ["Inbound", "Allow", "Tcp", "*", "3269", "AllowADGCReplicationSSL"] ActiveDirectory-AllowDNS = ["Inbound", "Allow", "*", "*", "53", "AllowDNS"] ActiveDirectory-AllowKerberosAuthentication = ["Inbound", "Allow", "*", "*", "88", "AllowKerberosAuthentication"] ActiveDirectory-AllowADReplicationTrust = ["Inbound", "Allow", "*", "*", "445", "AllowADReplicationTrust"] ActiveDirectory-AllowSMTPReplication = ["Inbound", "Allow", "Tcp", "*", "25", "AllowSMTPReplication"] ActiveDirectory-AllowRPCReplication = ["Inbound", "Allow", "Tcp", "*", "135", "AllowRPCReplication"] ActiveDirectory-AllowFileReplication = ["Inbound", "Allow", "Tcp", "*", "5722", "AllowFileReplication"] ActiveDirectory-AllowWindowsTime = ["Inbound", "Allow", "Udp", "*", "123", "AllowWindowsTime"] ActiveDirectory-AllowPasswordChangeKerberes = ["Inbound", "Allow", "*", "*", "464", "AllowPasswordChangeKerberes"] ActiveDirectory-AllowDFSGroupPolicy = ["Inbound", "Allow", "Udp", "*", "138", "AllowDFSGroupPolicy"] ActiveDirectory-AllowADDSWebServices = ["Inbound", "Allow", "Tcp", "*", "9389", "AllowADDSWebServices"] ActiveDirectory-AllowNETBIOSAuthentication = ["Inbound", "Allow", "Udp", "*", "137", "AllowNETBIOSAuthentication"] ActiveDirectory-AllowNETBIOSReplication = ["Inbound", "Allow", "Tcp", "*", "139", "AllowNETBIOSReplication"] #Cassandra Cassandra = ["Inbound", "Allow", "Tcp", "*", "9042", "Cassandra"] #Cassandra-JMX Cassandra-JMX = ["Inbound", "Allow", "Tcp", "*", "7199", "Cassandra-JMX"] #Cassandra-Thrift Cassandra-Thrift = ["Inbound", "Allow", "Tcp", "*", "9160", "Cassandra-Thrift"] #CouchDB CouchDB = ["Inbound", "Allow", "Tcp", "*", "5984", "CouchDB"] #CouchDB-HTTPS CouchDB-HTTPS = ["Inbound", "Allow", "Tcp", "*", "6984", "CouchDB-HTTPS"] #DNS-TCP DNS-TCP = ["Inbound", "Allow", "Tcp", "*", "53", "DNS-TCP"] #DNS-UDP DNS-UDP = ["Inbound", "Allow", "Udp", "*", "53", "DNS-UDP"] #DynamicPorts DynamicPorts = ["Inbound", "Allow", "Tcp", "*", "49152-65535", "DynamicPorts"] #ElasticSearch ElasticSearch = ["Inbound", "Allow", "Tcp", "*", "9200-9300", "ElasticSearch"] #FTP FTP = ["Inbound", "Allow", "Tcp", "*", "21", "FTP"] #HTTP HTTP = ["Inbound", "Allow", "Tcp", "*", "80", "HTTP"] #HTTPS HTTPS = ["Inbound", "Allow", "Tcp", "*", "443", "HTTPS"] #IMAP IMAP = ["Inbound", "Allow", "Tcp", "*", "143", "IMAP"] #IMAPS IMAPS = ["Inbound", "Allow", "Tcp", "*", "993", "IMAPS"] #Kestrel Kestrel = ["Inbound", "Allow", "Tcp", "*", "22133", "Kestrel"] #LDAP LDAP = ["Inbound", "Allow", "Tcp", "*", "389", "LDAP"] #MongoDB MongoDB = ["Inbound", "Allow", "Tcp", "*", "27017", "MongoDB"] #Memcached Memcached = ["Inbound", "Allow", "Tcp", "*", "11211", "Memcached"] #MSSQL MSSQL = ["Inbound", "Allow", "Tcp", "*", "1433", "MSSQL"] #MySQL MySQL = ["Inbound", "Allow", "Tcp", "*", "3306", "MySQL"] #Neo4J Neo4J = ["Inbound", "Allow", "Tcp", "*", "7474", "Neo4J"] #POP3 POP3 = ["Inbound", "Allow", "Tcp", "*", "110", "POP3"] #POP3S POP3S = ["Inbound", "Allow", "Tcp", "*", "995", "POP3S"] #PostgreSQL PostgreSQL = ["Inbound", "Allow", "Tcp", "*", "5432", "PostgreSQL"] #RabbitMQ RabbitMQ = ["Inbound", "Allow", "Tcp", "*", "5672", "RabbitMQ"] #RDP RDP = ["Inbound", "Allow", "Tcp", "*", "3389", "RDP"] #Redis Redis = ["Inbound", "Allow", "Tcp", "*", "6379", "Redis"] #Riak Riak = ["Inbound", "Allow", "Tcp", "*", "8093", "Riak"] #Riak-JMX Riak-JMX = ["Inbound", "Allow", "Tcp", "*", "8985", "Riak-JMX"] #SMTP SMTP = ["Inbound", "Allow", "Tcp", "*", "25", "SMTP"] #SMTPS SMTPS = ["Inbound", "Allow", "Tcp", "*", "465", "SMTPS"] #SSH SSH = ["Inbound", "Allow", "Tcp", "*", "22", "SSH"] #WinRM WinRM = ["Inbound", "Allow", "Tcp", "*", "5986", "WinRM"] } description = "Standard set of predefined rules" } variable "security_group_name" { type = string default = "nsg" description = "Network security group name" } variable "source_address_prefix" { type = list(string) default = ["*"] description = "Source address prefix to be applied to all predefined rules. list(string) only allowed one element (CIDR, `*`, source IP range or Tags). Example [\"10.0.3.0/24\"] or [\"VirtualNetwork\"]" } variable "source_address_prefixes" { type = list(string) default = null description = "Destination address prefix to be applied to all predefined rules. Example [\"10.0.3.0/32\",\"10.0.3.128/32\"]" } variable "tags" { type = map(string) default = {} description = "The tags to associate with your network security group." } # tflint-ignore: terraform_unused_declarations variable "tracing_tags_enabled" { type = bool default = false description = "Whether enable tracing tags that generated by BridgeCrew Yor." nullable = false } # tflint-ignore: terraform_unused_declarations variable "tracing_tags_prefix" { type = string default = "avm_" description = "Default prefix for generated tracing tags" nullable = false } variable "use_for_each" { type = bool default = false description = "Choose wheter to use 'for_each' as iteration technic to generate the rules, defaults to false so we will use 'count' for compatibilty with previous module versions, but prefered method is 'for_each'" nullable = false }