feat: Added flow logs feature for network secuiryt group

clouddrove · Jun 14, 2023 · 61c3f91 · 61c3f91
1 parent 9d69787
commit 61c3f91
Show file tree

Hide file tree

Showing 2 changed files with 92 additions and 11 deletions.
diff --git a/main.tf b/main.tf
@@ -1,8 +1,12 @@
+##-----------------------------------------------------------------------------
 ## Managed By : CloudDrove
 ## Copyright @ CloudDrove. All Right Reserved.
+##-----------------------------------------------------------------------------
 
-#Module      : labels
-#Description : Terraform module to create consistent naming for multiple names.
+##-----------------------------------------------------------------------------
+## Module      : labels
+## Description : Terraform module to create consistent naming for multiple names.
+##-----------------------------------------------------------------------------
 module "labels" {
   source      = "clouddrove/labels/azure"
   version     = "1.0.0"
@@ -13,8 +17,9 @@ module "labels" {
   repository  = var.repository
 }
 
-#Module      : NETWORK SECURITY GROUP
-#Description : Terraform resource for security group.
+##-----------------------------------------------------------------------------
+## Below resource will create network security group in azure. 
+##-----------------------------------------------------------------------------
 resource "azurerm_network_security_group" "nsg" {
   count               = var.enabled ? 1 : 0
   name                = format("%s-nsg", module.labels.id)
@@ -30,9 +35,9 @@ resource "azurerm_network_security_group" "nsg" {
   }
 }
 
-#Module      : SECURITY GROUP RULE FOR EGRESS
-#Description : Provides a security group rule resource. Represents a single egress
-#              group rule, which can be added to external Security Groups.
+##-----------------------------------------------------------------------------
+## Below resource will create network security group inbound rules in azure and will be attached to above network security group.  
+##-----------------------------------------------------------------------------
 resource "azurerm_network_security_rule" "inbound" {
   for_each                     = { for rule in var.inbound_rules : rule.name => rule }
   resource_group_name          = var.resource_group_name
@@ -43,11 +48,11 @@ resource "azurerm_network_security_rule" "inbound" {
   access                       = each.value.access
   protocol                     = each.value.protocol
   source_address_prefix        = lookup(each.value, "source_address_prefix", null)   // To be passed when only one source address or all address has to be passed or tag has to be passed
-  source_address_prefixes      = lookup(each.value, "source_address_prefixes", null) // to be passed when 2 or more but not all address has yo be passed
+  source_address_prefixes      = lookup(each.value, "source_address_prefixes", null) // to be passed when 2 or more but not all address has to be passed
   source_port_range            = lookup(each.value, "source_port_range", "*") == "*" ? "*" : null
   source_port_ranges           = lookup(each.value, "source_port_range", "*") == "*" ? null : split(",", each.value.source_port_range)
   destination_address_prefix   = lookup(each.value, "destination_address_prefix", "*")    // To be passed when only one source address or all address has to be passed or tag has to be passed
-  destination_address_prefixes = lookup(each.value, "destination_address_prefixes", null) // to be passed when 2 or more but not all address has yo be passed
+  destination_address_prefixes = lookup(each.value, "destination_address_prefixes", null) // to be passed when 2 or more but not all address has to be passed
   destination_port_range       = lookup(each.value, "destination_port_range", null) == "*" ? "*" : null
   destination_port_ranges      = lookup(each.value, "destination_port_range", "*") == "*" ? null : split(",", each.value.destination_port_range)
   description                  = lookup(each.value, "description", null)
@@ -60,6 +65,9 @@ resource "azurerm_network_security_rule" "inbound" {
   }
 }
 
+##-----------------------------------------------------------------------------
+## Below resource will create network security group outbound rules in azure and will be attached to above network security group.  
+##-----------------------------------------------------------------------------
 resource "azurerm_network_security_rule" "outbound" {
   for_each                     = { for rule in var.outbound_rules : rule.name => rule }
   resource_group_name          = var.resource_group_name
@@ -70,11 +78,11 @@ resource "azurerm_network_security_rule" "outbound" {
   access                       = each.value.access
   protocol                     = each.value.protocol
   source_address_prefix        = lookup(each.value, "source_address_prefix", null)   // To be passed when only one source address or all address has to be passed or tag has to be passed
-  source_address_prefixes      = lookup(each.value, "source_address_prefixes", null) // to be passed when 2 or more but not all address has yo be passed
+  source_address_prefixes      = lookup(each.value, "source_address_prefixes", null) // to be passed when 2 or more but not all address has to be passed
   source_port_range            = lookup(each.value, "source_port_range", "*") == "*" ? "*" : null
   source_port_ranges           = lookup(each.value, "source_port_range", "*") == "*" ? null : split(",", each.value.source_port_range)
   destination_address_prefix   = lookup(each.value, "destination_address_prefix", "*")    // To be passed when only one source address or all address has to be passed or tag has to be passed
-  destination_address_prefixes = lookup(each.value, "destination_address_prefixes", null) // to be passed when 2 or more but not all address has yo be passed
+  destination_address_prefixes = lookup(each.value, "destination_address_prefixes", null) // to be passed when 2 or more but not all address has to be passed
   destination_port_range       = lookup(each.value, "destination_port_range", null) == "*" ? "*" : null
   destination_port_ranges      = lookup(each.value, "destination_port_range", "*") == "*" ? null : split(",", each.value.destination_port_range)
   description                  = lookup(each.value, "description", null)
@@ -87,12 +95,43 @@ resource "azurerm_network_security_rule" "outbound" {
   }
 }
 
+##-----------------------------------------------------------------------------
+## Below resource will associate above created network security group to subnet. 
+##-----------------------------------------------------------------------------
 resource "azurerm_subnet_network_security_group_association" "example" {
   count                     = var.enabled ? length(var.subnet_ids) : 0
   subnet_id                 = element(var.subnet_ids, count.index)
   network_security_group_id = join("", azurerm_network_security_group.nsg.*.id)
 }
 
+##-----------------------------------------------------------------------------
+## Below resource will create network watcher flow logs for network security group. 
+## Network security groups flow logging is a feature of Azure Network Watcher that allows you to log information about IP traffic flowing through a network security group.
+##-----------------------------------------------------------------------------
+resource "azurerm_network_watcher_flow_log" "nsg_flow_logs" {
+  count                     = var.enabled && var.enable_flow_logs ? 1 : 0
+  enabled                   = true
+  network_watcher_name      = var.network_watcher_name
+  resource_group_name       = var.resource_group_name
+  name                      = format("%s-flow_logs", module.labels.id)
+  network_security_group_id = azurerm_network_security_group.nsg.*.id
+  storage_account_id        = var.flow_log_storage_account_id
+  retention_policy {
+    enabled = var.flow_log_retention_policy_enabled
+    days    = var.flow_log_retention_policy_days
+  }
+  traffic_analytics {
+    enabled               = var.enable_traffic_analytics
+    workspace_id          = var.log_analytics_workspace_id
+    workspace_region      = var.resource_group_location
+    workspace_resource_id = var.log_analytics_workspace_resource_id
+    interval_in_minutes   = 60
+  }
+}
+
+##----------------------------------------------------------------------------- 
+## Below resource will create diagnostic setting for ACR.   
+##-----------------------------------------------------------------------------
 resource "azurerm_monitor_diagnostic_setting" "example" {
   count                          = var.enabled && var.enable_diagnostic ? 1 : 0
   name                           = format("%s-nsg-diagnostic-log", module.labels.id)

diff --git a/variables.tf b/variables.tf
@@ -165,3 +165,45 @@ variable "category" {
   default     = null
   description = " The name of a Diagnostic Log Category Group for this Resource."
 }
+
+variable "enable_flow_logs" {
+  type        = bool
+  default     = false
+  description = "Flag to be set true when network security group flow logging feature is to be enabled."
+}
+
+variable "network_watcher_name" {
+  type        = string
+  default     = null
+  description = "The name of the Network Watcher. Changing this forces a new resource to be created."
+}
+
+variable "flow_log_storage_account_id" {
+  type        = string
+  default     = null
+  description = "The id of storage account in which flow logs will be received. Note: Currently, only standard-tier storage accounts are supported."
+}
+
+variable "flow_log_retention_policy_enabled" {
+  type        = bool
+  default     = false
+  description = "Boolean flag to enable/disable retention."
+}
+
+variable "flow_log_retention_policy_days" {
+  type        = number
+  default     = 100
+  description = "The number of days to retain flow log records."
+}
+
+variable "log_analytics_workspace_resource_id" {
+  type        = string
+  default     = null
+  description = "The resource ID of the attached log analytics workspace."
+}
+
+variable "enable_traffic_analytics" {
+  type        = bool
+  default     = false
+  description = "Boolean flag to enable/disable traffic analytics."
+}