Update Azure RM provider version and refactor subnet IP range filters…

… in Terraform configurations
microsoft · Jan 6, 2025 · 0487de5 · 0487de5
1 parent 5f27bae
commit 0487de5
Show file tree

Hide file tree

Showing 7 changed files with 107 additions and 192 deletions.
diff --git a/core/terraform/cosmos_mongo.tf b/core/terraform/cosmos_mongo.tf
@@ -6,8 +6,8 @@ resource "azurerm_cosmosdb_account" "mongo" {
   kind                       = "MongoDB"
   automatic_failover_enabled = false
   mongo_server_version       = 4.2
-  ip_range_filter            = "${local.azure_portal_cosmos_ips}${var.enable_local_debugging ? ",${local.myip}" : ""}"
-
+  ip_range_filter = toset(var.enable_local_debugging ? concat(split(",", local.azure_portal_cosmos_ips), [local.myip]) : split(",", local.azure_portal_cosmos_ips))
+  
   capabilities {
     name = "EnableServerless"
   }

diff --git a/core/terraform/main.tf b/core/terraform/main.tf
@@ -3,7 +3,7 @@ terraform {
   required_providers {
     azurerm = {
       source  = "hashicorp/azurerm"
-      version = "=3.117.0"
+      version = "=4.14.0"
     }
     random = {
       source  = "hashicorp/random"

diff --git a/core/terraform/network/main.tf b/core/terraform/network/main.tf
@@ -3,7 +3,7 @@ terraform {
   required_providers {
     azurerm = {
       source  = "hashicorp/azurerm"
-      version = ">= 3.117"
+      version = "= 4.14.0"
     }
   }
 }
diff --git a/core/terraform/network/network.tf b/core/terraform/network/network.tf
@@ -5,146 +5,112 @@ resource "azurerm_virtual_network" "core" {
   address_space       = [var.core_address_space]
   tags                = local.tre_core_tags
   lifecycle { ignore_changes = [tags] }
-}
 
-resource "azurerm_subnet" "bastion" {
-  name                 = "AzureBastionSubnet"
-  virtual_network_name = azurerm_virtual_network.core.name
-  resource_group_name  = var.resource_group_name
-  address_prefixes     = [local.bastion_subnet_address_prefix]
-}
+  subnet {
+    name                 = "AzureBastionSubnet"
+    address_prefixes     = [local.bastion_subnet_address_prefix]
+    security_group       = azurerm_network_security_group.bastion.id
+  }
 
-resource "azurerm_subnet" "azure_firewall" {
-  name                 = "AzureFirewallSubnet"
-  virtual_network_name = azurerm_virtual_network.core.name
-  resource_group_name  = var.resource_group_name
-  address_prefixes     = [local.firewall_subnet_address_space]
-  depends_on           = [azurerm_subnet.bastion]
-}
+  subnet {
+    name                 = "AzureFirewallSubnet"
+    address_prefixes     = [local.firewall_subnet_address_space]
+  }
 
-resource "azurerm_subnet" "app_gw" {
-  name                                          = "AppGwSubnet"
-  virtual_network_name                          = azurerm_virtual_network.core.name
-  resource_group_name                           = var.resource_group_name
-  address_prefixes                              = [local.app_gw_subnet_address_prefix]
-  private_endpoint_network_policies             = "Disabled"
-  private_link_service_network_policies_enabled = true
-  depends_on                                    = [azurerm_subnet.azure_firewall]
-}
+  subnet {
+    name                                          = "AppGwSubnet"
+    address_prefixes                              = [local.app_gw_subnet_address_prefix]
+    private_endpoint_network_policies             = "Disabled"
+    private_link_service_network_policies_enabled = true
+    security_group                                = azurerm_network_security_group.app_gw.id
+  }
 
-resource "azurerm_subnet" "web_app" {
-  name                                          = "WebAppSubnet"
-  virtual_network_name                          = azurerm_virtual_network.core.name
-  resource_group_name                           = var.resource_group_name
-  address_prefixes                              = [local.web_app_subnet_address_prefix]
-  private_endpoint_network_policies             = "Disabled"
-  private_link_service_network_policies_enabled = true
-  depends_on                                    = [azurerm_subnet.app_gw]
-
-  delegation {
-    name = "delegation"
-
-    service_delegation {
-      name    = "Microsoft.Web/serverFarms"
-      actions = ["Microsoft.Network/virtualNetworks/subnets/action"]
+  subnet {
+    name                                          = "WebAppSubnet"
+    address_prefixes                              = [local.web_app_subnet_address_prefix]
+    private_endpoint_network_policies             = "Disabled"
+    private_link_service_network_policies_enabled = true
+    security_group                                = azurerm_network_security_group.default_rules.id
+
+    delegation {
+      name = "delegation"
+
+      service_delegation {
+        name    = "Microsoft.Web/serverFarms"
+        actions = ["Microsoft.Network/virtualNetworks/subnets/action"]
+      }
     }
   }
-}
 
-resource "azurerm_subnet" "shared" {
-  name                 = "SharedSubnet"
-  virtual_network_name = azurerm_virtual_network.core.name
-  resource_group_name  = var.resource_group_name
-  address_prefixes     = [local.shared_services_subnet_address_prefix]
-  # notice that private endpoints do not adhere to NSG rules
-  private_endpoint_network_policies = "Disabled"
-  depends_on                        = [azurerm_subnet.web_app]
-}
+  subnet {
+    name                 = "SharedSubnet"
+    address_prefixes     = [local.shared_services_subnet_address_prefix]
+    private_endpoint_network_policies = "Disabled"
+    security_group       = azurerm_network_security_group.default_rules.id
+  }
 
-resource "azurerm_subnet" "resource_processor" {
-  name                 = "ResourceProcessorSubnet"
-  virtual_network_name = azurerm_virtual_network.core.name
-  resource_group_name  = var.resource_group_name
-  address_prefixes     = [local.resource_processor_subnet_address_prefix]
-  # notice that private endpoints do not adhere to NSG rules
-  private_endpoint_network_policies = "Disabled"
-  depends_on                        = [azurerm_subnet.shared]
-}
+  subnet {
+    name                 = "ResourceProcessorSubnet"
+    address_prefixes     = [local.resource_processor_subnet_address_prefix]
+    private_endpoint_network_policies = "Disabled"
+    security_group       = azurerm_network_security_group.default_rules.id
+  }
 
-resource "azurerm_subnet" "airlock_processor" {
-  name                 = "AirlockProcessorSubnet"
-  virtual_network_name = azurerm_virtual_network.core.name
-  resource_group_name  = var.resource_group_name
-  address_prefixes     = [local.airlock_processor_subnet_address_prefix]
-  # notice that private endpoints do not adhere to NSG rules
-  private_endpoint_network_policies = "Disabled"
-  depends_on                        = [azurerm_subnet.resource_processor]
-
-  delegation {
-    name = "delegation"
-
-    service_delegation {
-      name    = "Microsoft.Web/serverFarms"
-      actions = ["Microsoft.Network/virtualNetworks/subnets/action"]
+  subnet {
+    name                 = "AirlockProcessorSubnet"
+    address_prefixes     = [local.airlock_processor_subnet_address_prefix]
+    private_endpoint_network_policies = "Disabled"
+    security_group       = azurerm_network_security_group.default_rules.id
+
+    delegation {
+      name = "delegation"
+
+      service_delegation {
+        name    = "Microsoft.Web/serverFarms"
+        actions = ["Microsoft.Network/virtualNetworks/subnets/action"]
+      }
     }
+
+    service_endpoints = ["Microsoft.Storage"]
   }
 
-  # Todo: needed as we want to open the fw for this subnet in some of the airlock storages (export inprogress)
-  # https://github.com/microsoft/AzureTRE/issues/2098
-  service_endpoints = ["Microsoft.Storage"]
-}
+  subnet {
+    name                 = "AirlockNotifiactionSubnet"
+    address_prefixes     = [local.airlock_notifications_subnet_address_prefix]
+    private_endpoint_network_policies = "Disabled"
+    security_group       = azurerm_network_security_group.default_rules.id
 
-resource "azurerm_subnet" "airlock_notification" {
-  name                 = "AirlockNotifiactionSubnet"
-  virtual_network_name = azurerm_virtual_network.core.name
-  resource_group_name  = var.resource_group_name
-  address_prefixes     = [local.airlock_notifications_subnet_address_prefix]
-  # notice that private endpoints do not adhere to NSG rules
-  private_endpoint_network_policies = "Disabled"
-  depends_on                        = [azurerm_subnet.airlock_processor]
-
-  delegation {
-    name = "delegation"
-
-    service_delegation {
-      name    = "Microsoft.Web/serverFarms"
-      actions = ["Microsoft.Network/virtualNetworks/subnets/action"]
+    delegation {
+      name = "delegation"
+
+      service_delegation {
+        name    = "Microsoft.Web/serverFarms"
+        actions = ["Microsoft.Network/virtualNetworks/subnets/action"]
+      }
     }
+    service_endpoints = ["Microsoft.ServiceBus"]
   }
-  service_endpoints = ["Microsoft.ServiceBus"]
-}
 
-resource "azurerm_subnet" "airlock_storage" {
-  name                 = "AirlockStorageSubnet"
-  virtual_network_name = azurerm_virtual_network.core.name
-  resource_group_name  = var.resource_group_name
-  address_prefixes     = [local.airlock_storage_subnet_address_prefix]
-  # notice that private endpoints do not adhere to NSG rules
-  private_endpoint_network_policies = "Disabled"
-  depends_on                        = [azurerm_subnet.airlock_notification]
-}
+  subnet {
+    name                 = "AirlockStorageSubnet"
+    address_prefixes     = [local.airlock_storage_subnet_address_prefix]
+    private_endpoint_network_policies = "Disabled"
+    security_group       = azurerm_network_security_group.default_rules.id
+  }
 
-resource "azurerm_subnet" "airlock_events" {
-  name                 = "AirlockEventsSubnet"
-  virtual_network_name = azurerm_virtual_network.core.name
-  resource_group_name  = var.resource_group_name
-  address_prefixes     = [local.airlock_events_subnet_address_prefix]
-  # notice that private endpoints do not adhere to NSG rules
-  private_endpoint_network_policies = "Disabled"
-  depends_on                        = [azurerm_subnet.airlock_storage]
-
-  # Eventgrid CAN'T send messages over private endpoints, hence we need to allow service endpoints to the service bus
-  # We are using service endpoints + managed identity to send these messaages
-  # https://docs.microsoft.com/en-us/azure/event-grid/consume-private-endpoints
-  service_endpoints = ["Microsoft.ServiceBus"]
-}
+  subnet {
+    name                 = "AirlockEventsSubnet"
+    address_prefixes     = [local.airlock_events_subnet_address_prefix]
+    private_endpoint_network_policies = "Disabled"
+    security_group       = azurerm_network_security_group.default_rules.id
+
+    service_endpoints = ["Microsoft.ServiceBus"]
+  }
 
-resource "azurerm_subnet" "firewall_management" {
-  name                 = "AzureFirewallManagementSubnet"
-  virtual_network_name = azurerm_virtual_network.core.name
-  resource_group_name  = var.resource_group_name
-  address_prefixes     = [local.firewall_management_subnet_address_prefix]
-  depends_on           = [azurerm_subnet.airlock_events]
+  subnet {
+    name                 = "AzureFirewallManagementSubnet"
+    address_prefixes     = [local.firewall_management_subnet_address_prefix]
+  }
 }
 
 resource "azurerm_ip_group" "resource_processor" {
@@ -187,3 +153,7 @@ module "terraform_azurerm_environment_configuration" {
   source          = "git::https://github.com/microsoft/terraform-azurerm-environment-configuration.git?ref=0.2.0"
   arm_environment = var.arm_environment
 }
+
+locals {
+  subnet_ids_map = { for s in azurerm_virtual_network.core.subnet : s.name => s.id }
+}
diff --git a/core/terraform/network/network_security_groups.tf b/core/terraform/network/network_security_groups.tf
@@ -105,13 +105,6 @@ resource "azurerm_network_security_group" "bastion" {
   lifecycle { ignore_changes = [tags] }
 }
 
-resource "azurerm_subnet_network_security_group_association" "bastion" {
-  subnet_id                 = azurerm_subnet.bastion.id
-  network_security_group_id = azurerm_network_security_group.bastion.id
-  # depend on the last subnet we created in the vnet
-  depends_on = [azurerm_subnet.firewall_management]
-}
-
 # Network security group for Application Gateway
 # See https://docs.microsoft.com/azure/application-gateway/configuration-infrastructure#network-security-groups
 resource "azurerm_network_security_group" "app_gw" {
@@ -147,12 +140,6 @@ resource "azurerm_network_security_group" "app_gw" {
   lifecycle { ignore_changes = [tags] }
 }
 
-resource "azurerm_subnet_network_security_group_association" "app_gw" {
-  subnet_id                 = azurerm_subnet.app_gw.id
-  network_security_group_id = azurerm_network_security_group.app_gw.id
-  depends_on                = [azurerm_subnet_network_security_group_association.bastion]
-}
-
 # Network security group with only default security rules
 # See https://docs.microsoft.com/azure/virtual-network/network-security-groups-overview#default-security-rules
 resource "azurerm_network_security_group" "default_rules" {
@@ -163,45 +150,3 @@ resource "azurerm_network_security_group" "default_rules" {
 
   lifecycle { ignore_changes = [tags] }
 }
-
-resource "azurerm_subnet_network_security_group_association" "shared" {
-  subnet_id                 = azurerm_subnet.shared.id
-  network_security_group_id = azurerm_network_security_group.default_rules.id
-  depends_on                = [azurerm_subnet_network_security_group_association.app_gw]
-}
-
-resource "azurerm_subnet_network_security_group_association" "web_app" {
-  subnet_id                 = azurerm_subnet.web_app.id
-  network_security_group_id = azurerm_network_security_group.default_rules.id
-  depends_on                = [azurerm_subnet_network_security_group_association.shared]
-}
-
-resource "azurerm_subnet_network_security_group_association" "resource_processor" {
-  subnet_id                 = azurerm_subnet.resource_processor.id
-  network_security_group_id = azurerm_network_security_group.default_rules.id
-  depends_on                = [azurerm_subnet_network_security_group_association.web_app]
-}
-
-resource "azurerm_subnet_network_security_group_association" "airlock_processor" {
-  subnet_id                 = azurerm_subnet.airlock_processor.id
-  network_security_group_id = azurerm_network_security_group.default_rules.id
-  depends_on                = [azurerm_subnet_network_security_group_association.resource_processor]
-}
-
-resource "azurerm_subnet_network_security_group_association" "airlock_storage" {
-  subnet_id                 = azurerm_subnet.airlock_storage.id
-  network_security_group_id = azurerm_network_security_group.default_rules.id
-  depends_on                = [azurerm_subnet_network_security_group_association.airlock_processor]
-}
-
-resource "azurerm_subnet_network_security_group_association" "airlock_events" {
-  subnet_id                 = azurerm_subnet.airlock_events.id
-  network_security_group_id = azurerm_network_security_group.default_rules.id
-  depends_on                = [azurerm_subnet_network_security_group_association.airlock_storage]
-}
-
-resource "azurerm_subnet_network_security_group_association" "airlock_notification" {
-  subnet_id                 = azurerm_subnet.airlock_notification.id
-  network_security_group_id = azurerm_network_security_group.default_rules.id
-  depends_on                = [azurerm_subnet_network_security_group_association.airlock_events]
-}
diff --git a/core/terraform/network/outputs.tf b/core/terraform/network/outputs.tf
@@ -3,43 +3,43 @@ output "core_vnet_id" {
 }
 
 output "bastion_subnet_id" {
-  value = azurerm_subnet.bastion.id
+  value = local.subnet_ids_map["AzureBastionSubnet"]
 }
 
 output "azure_firewall_subnet_id" {
-  value = azurerm_subnet.azure_firewall.id
+  value = local.subnet_ids_map["AzureFirewallSubnet"]
 }
 
 output "app_gw_subnet_id" {
-  value = azurerm_subnet.app_gw.id
+  value = local.subnet_ids_map["AppGwSubnet"]
 }
 
 output "web_app_subnet_id" {
-  value = azurerm_subnet.web_app.id
+  value = local.subnet_ids_map["WebAppSubnet"]
 }
 
 output "shared_subnet_id" {
-  value = azurerm_subnet.shared.id
+  value = local.subnet_ids_map["SharedSubnet"]
 }
 
 output "airlock_processor_subnet_id" {
-  value = azurerm_subnet.airlock_processor.id
+  value = local.subnet_ids_map["AirlockProcessorSubnet"]
 }
 
 output "airlock_storage_subnet_id" {
-  value = azurerm_subnet.airlock_storage.id
+  value = local.subnet_ids_map["AirlockStorageSubnet"]
 }
 
 output "airlock_events_subnet_id" {
-  value = azurerm_subnet.airlock_events.id
+  value = local.subnet_ids_map["AirlockEventsSubnet"]
 }
 
 output "resource_processor_subnet_id" {
-  value = azurerm_subnet.resource_processor.id
+  value = local.subnet_ids_map["ResourceProcessorSubnet"]
 }
 
 output "airlock_notification_subnet_id" {
-  value = azurerm_subnet.airlock_notification.id
+  value = local.subnet_ids_map["AirlockNotifiactionSubnet"]
 }
 
 # DNS Zones