Ensono/terraform-azurerm-hub-spoke-network

Hub-Spoke Network

This is an opinionated Terraform module written by Ensono for use with Ensono Stacks.

The aim of this module is to provide private networking for applications. The main use case is Ensono Stacks Azure Data, a project that stands up all the necessary components to run data pipelines in Azure Databricks.

It is usually preferable to have all of the data components on a private network or subnet. If these resources do not already exist, this module can create them.

NOTE: It is not a requirement to have private networking in order to use Ensono Stacks Data.

Requirements

No requirements.

Providers

Name Version
azurerm n/a

Modules

No modules.

Resources

Name Type
azurerm_firewall.azfw resource
azurerm_nat_gateway.nat_databricks resource
azurerm_nat_gateway.nat_gw resource
azurerm_nat_gateway_public_ip_association.example resource
azurerm_nat_gateway_public_ip_association.nat_databricks_association resource
azurerm_network_security_group.nsg resource
azurerm_network_security_group.nsg_databricks resource
azurerm_network_security_rule.nsg_databricks_aad_rule resource
azurerm_network_security_rule.nsg_databricks_adf_rule resource
azurerm_network_security_rule.nsg_databricks_azfrontdoor_rule resource
azurerm_network_security_rule.ssh resource
azurerm_private_dns_zone.example resource
azurerm_private_dns_zone_virtual_network_link.hub-privatelink-dns resource
azurerm_public_ip.azfw_pip resource
azurerm_public_ip.nat_databricks_pip resource
azurerm_public_ip.nat_public_ip resource
azurerm_resource_group.rg resource
azurerm_subnet.az_fw_subnet resource
azurerm_subnet.subnets resource
azurerm_subnet_nat_gateway_association.nat_subnet resource
azurerm_subnet_nat_gateway_association.private_subnet_association resource
azurerm_subnet_nat_gateway_association.public_subnet_association resource
azurerm_subnet_network_security_group_association.nsg_subnet_assoc resource
azurerm_subnet_network_security_group_association.private resource
azurerm_subnet_network_security_group_association.public resource
azurerm_virtual_network.vnet resource
azurerm_virtual_network_peering.hub-spoke resource
azurerm_virtual_network_peering.spoke-hub resource
azurerm_subnet.private_subnet data source
azurerm_subnet.public_subnet data source

Inputs

Name Description Type Default Required
create_databricks_nat Whether to create a NAT gateway for Databricks bool true no
create_fw_public_ip Whether to create a public IP for the Azure firewall in the hub network bool false no
create_hub_fw Whether to create an Azure firewall in the hub network bool false no
create_private_dns_zone Whether to create a private_dns_zone bool true no
debug_enabled If debug enabled then SSH will be enabled inbound on the NSG bool false no
dns_zone_name The name of the Private DNS Zone. Must be a valid domain name. Changing this forces a new resource to be created. list(string)
[
  "privatelink.vaultcore.azure.net",
  "privatelink.azuredatabricks.net",
  "privatelink.database.windows.net",
  "privatelink.blob.core.windows.net",
  "privatelink.dfs.core.windows.net"
]
no
existing_resource_group_name Resource Group Name string null no
fw_public_allocation_method Defines the allocation method for this IP address. Possible values are Static or Dynamic string "Static" no
fw_public_ip_sku The SKU of the Public IP. Accepted values are Basic and Standard. Defaults to Standard. Changing this forces a new resource to be created. string "Standard" no
label label to apply to resources that are deployed string n/a yes
link_dns_network Whether to link DNS with vnets bool false no
nat_idle_timeout Idle timeout period in minutes. number 10 no
network_details n/a
list(object({
  name                = string
  environment         = string
  address_space       = list(string)
  dns_servers         = list(string)
  resource_group_name = string
  is_hub              = bool
  is_adf_network      = bool # not sure that this is required
  link_to_private_dns = bool # not sure that this is required
  subnet_details = list(object({
    sub_name                                      = string
    sub_address_prefix                            = list(string)
    private_endpoint_network_policies_enabled     = bool
    private_link_service_network_policies_enabled = bool
    service_endpoints                             = list(string)
    is_pe_subnet                                  = bool
    is_prod                                       = bool
    is_adf_private_subnet                         = bool
    is_adf_public_subnet                          = bool
  }))
}))
[
  {
    "address_space": [
      "10.1.0.0/16"
    ],
    "dns_servers": [
      "10.1.0.4",
      "10.1.0.5"
    ],
    "environment": "dev",
    "is_adf_network": false,
    "is_hub": true,
    "link_to_private_dns": true,
    "name": "network1",
    "resource_group_name": "hub-rg",
    "subnet_details": [
      {
        "is_adf_private_subnet": false,
        "is_adf_public_subnet": false,
        "is_pe_subnet": false,
        "is_prod": false,
        "private_endpoint_network_policies_enabled": true,
        "private_link_service_network_policies_enabled": true,
        "service_endpoints": [],
        "sub_address_prefix": [
          "10.1.1.0/24"
        ],
        "sub_name": "subnet3"
      }
    ]
  },
  {
    "address_space": [
      "10.2.0.0/16"
    ],
    "dns_servers": [
      "10.2.0.4",
      "10.2.0.5"
    ],
    "environment": "dev",
    "is_adf_network": false,
    "is_hub": false,
    "link_to_private_dns": true,
    "name": "network2",
    "resource_group_name": "spoke1-rg",
    "subnet_details": [
      {
        "is_adf_private_subnet": false,
        "is_adf_public_subnet": false,
        "is_pe_subnet": false,
        "is_prod": false,
        "private_endpoint_network_policies_enabled": true,
        "private_link_service_network_policies_enabled": true,
        "service_endpoints": [],
        "sub_address_prefix": [
          "10.2.1.0/24"
        ],
        "sub_name": "subnet1"
      },
      {
        "is_adf_private_subnet": false,
        "is_adf_public_subnet": false,
        "is_pe_subnet": false,
        "is_prod": true,
        "private_endpoint_network_policies_enabled": true,
        "private_link_service_network_policies_enabled": true,
        "service_endpoints": [],
        "sub_address_prefix": [
          "10.2.2.0/24"
        ],
        "sub_name": "subnet2"
      }
    ]
  },
  {
    "address_space": [
      "10.3.0.0/16"
    ],
    "dns_servers": [
      "10.3.0.4",
      "10.3.0.5"
    ],
    "environment": "dev",
    "is_adf_network": true,
    "is_hub": false,
    "link_to_private_dns": true,
    "name": "network3",
    "resource_group_name": "spoke2-rg",
    "subnet_details": [
      {
        "is_adf_private_subnet": false,
        "is_adf_public_subnet": false,
        "is_pe_subnet": true,
        "is_prod": false,
        "private_endpoint_network_policies_enabled": true,
        "private_link_service_network_policies_enabled": true,
        "service_endpoints": [],
        "sub_address_prefix": [
          "10.3.1.0/24"
        ],
        "sub_name": "subnet5"
      },
      {
        "is_adf_private_subnet": false,
        "is_adf_public_subnet": false,
        "is_pe_subnet": true,
        "is_prod": true,
        "private_endpoint_network_policies_enabled": true,
        "private_link_service_network_policies_enabled": true,
        "service_endpoints": [],
        "sub_address_prefix": [
          "10.3.2.0/24"
        ],
        "sub_name": "subnet6"
      }
    ]
  }
]
no
registration_enabled Is auto-registration of virtual machine records in the virtual network in the Private DNS zone enabled? Defaults to false. bool false no
resource_group_location Location of the resource group string "uksouth" no
resource_group_name The name which should be used for this Resource Group. Changing this forces a new Resource Group to be created. string "network-test" no
sku_az_fw SKU name of the Firewall. Possible values are AZFW_Hub and AZFW_VNet. Changing this forces a new resource to be created. string "AZFW_VNet" no
sku_tier_az_fw SKU tier of the Firewall. Possible values are Premium, Standard and Basic. string "Standard" no
tags Map of tags to be applied to all resources created as part of this module map(string) {} no
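
A pre-apply check for the network_details and debug_enabled inputs listed above, as an added example that is not part of this module. It flags SSH exposure through debug_enabled, subnet prefixes that fall outside their VNet's address space, and overlapping address spaces between networks that would be peered. The function name, the exactly-one-hub rule and the sample values are assumptions of this example.

```python
import ipaddress
from itertools import combinations


def check_inputs(network_details, debug_enabled=False):
    """Return a list of findings for the module inputs (empty list = clean)."""
    findings = []
    if debug_enabled:
        # Per the input description: debug mode enables SSH inbound on the NSG.
        findings.append("debug_enabled=true: SSH is enabled inbound on the NSG")
    hubs = [n["name"] for n in network_details if n["is_hub"]]
    if len(hubs) != 1:  # assumption of this example: a single hub network
        findings.append(f"expected exactly one hub network, found {len(hubs)}")
    spaces = []
    for net in network_details:
        cidrs = [ipaddress.ip_network(c) for c in net["address_space"]]
        spaces += [(net["name"], c) for c in cidrs]
        for sub in net["subnet_details"]:
            for prefix in sub["sub_address_prefix"]:
                p = ipaddress.ip_network(prefix)
                if not any(p.version == c.version and p.subnet_of(c) for c in cidrs):
                    findings.append(f"{net['name']}/{sub['sub_name']}: "
                                    f"{prefix} is outside the VNet address space")
    # Azure VNet peering requires non-overlapping address spaces.
    for (a, ca), (b, cb) in combinations(spaces, 2):
        if a != b and ca.version == cb.version and ca.overlaps(cb):
            findings.append(f"{a} {ca} overlaps {b} {cb}")
    return findings


def _net(name, is_hub, space, subnets):
    # Constructed sample data carrying only the attributes the check reads.
    return {"name": name, "is_hub": is_hub, "address_space": [space],
            "subnet_details": [{"sub_name": s, "sub_address_prefix": [p]}
                               for s, p in subnets]}


GOOD = [_net("network1", True, "10.1.0.0/16", [("subnet3", "10.1.1.0/24")]),
        _net("network2", False, "10.2.0.0/16", [("subnet1", "10.2.1.0/24")])]
# Constructed misconfiguration: spoke range inside the hub range, subnet outside its VNet.
BAD = [_net("network1", True, "10.1.0.0/16", [("subnet3", "10.1.1.0/24")]),
       _net("network2", False, "10.1.128.0/17", [("subnet1", "10.2.1.0/24")])]

if __name__ == "__main__":
    for finding in check_inputs(BAD, debug_enabled=True):
        print(finding)
```
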

Outputs

Name Description
adf_subnets n/a
hub_firewall_id n/a
hub_net_id n/a
hub_net_name n/a
hub_pub_ip n/a
nat_gateway_ids n/a
nat_public_ip_ids n/a
nat_subnet_associations n/a
nsg_subnet_associations n/a
private_dns_zone_ids n/a
private_endpoint_subnets n/a
subnet_ids n/a
subnet_names n/a
subnets n/a
vnets n/a

About

Terraform module to create a Hub Spoke network
