This Terraform module creates an Azure Private Endpoint with one or more Azure Private DNS Zones as an option.
You can create Private DNS Zones without creating a Private Endpoint by using the submodule modules/private-dns-zone.
Module version | Terraform version | OpenTofu version | AzureRM version |
---|---|---|---|
>= 8.x.x | Unverified | 1.8.x | >= 4.0 |
>= 7.x.x | 1.3.x | | >= 3.0 |
>= 6.x.x | 1.x | | >= 3.0 |
>= 5.x.x | 0.15.x | | >= 2.0 |
>= 4.x.x | 0.13.x / 0.14.x | | >= 2.0 |
>= 3.x.x | 0.12.x | | >= 2.0 |
>= 2.x.x | 0.12.x | | < 2.0 |
< 2.x.x | 0.11.x | | < 2.0 |
If you want to contribute to this repository, feel free to use our pre-commit git hook configuration, which automatically updates and formats some files for you by enforcing our Terraform code module best practices.
More details are available in the CONTRIBUTING.md file.
This module is optimized to work with the Claranet terraform-wrapper tool, which sets in the environment some Terraform variables needed by this module.
More details about the variables set by the terraform-wrapper are available in its documentation.
```hcl
module "vnet_01" {
  source  = "claranet/vnet/azurerm"
  version = "x.x.x"

  location       = module.azure_region.location
  location_short = module.azure_region.location_short
  client_name    = var.client_name
  environment    = var.environment
  stack          = var.stack

  resource_group_name = module.rg.name

  name_suffix = "01"

  cidrs = ["192.168.1.0/24"]
}

module "subnet_01" {
  source  = "claranet/subnet/azurerm"
  version = "x.x.x"

  location_short = module.azure_region.location_short
  client_name    = var.client_name
  environment    = var.environment
  stack          = var.stack

  resource_group_name = module.rg.name

  name_suffix = "01"

  virtual_network_name = module.vnet_01.name

  private_link_endpoint_enabled = true
  private_link_service_enabled  = true

  cidrs = ["192.168.1.128/25"]
}

module "vnet_02" {
  source  = "claranet/vnet/azurerm"
  version = "x.x.x"

  location       = module.azure_region.location
  location_short = module.azure_region.location_short
  client_name    = var.client_name
  environment    = var.environment
  stack          = var.stack

  resource_group_name = module.rg.name

  name_suffix = "02"

  cidrs = ["172.16.0.0/16"]
}

module "subnet_02" {
  source  = "claranet/subnet/azurerm"
  version = "x.x.x"

  location_short = module.azure_region.location_short
  client_name    = var.client_name
  environment    = var.environment
  stack          = var.stack

  resource_group_name = module.rg.name

  name_suffix = "02"

  virtual_network_name = module.vnet_02.name

  private_link_endpoint_enabled = true
  private_link_service_enabled  = false

  cidrs = ["172.16.4.0/24"]
}

module "key_vault" {
  source  = "claranet/keyvault/azurerm"
  version = "x.x.x"

  location       = module.azure_region.location
  location_short = module.azure_region.location_short
  client_name    = var.client_name
  environment    = var.environment
  stack          = var.stack

  resource_group_name = module.rg.name

  admin_objects_ids = [data.azurerm_client_config.current.object_id]

  logs_destinations_ids = [
    module.logs.storage_account_id,
    module.logs.id,
  ]
}

module "lb" {
  source  = "claranet/lb/azurerm"
  version = "x.x.x"

  location       = module.azure_region.location
  location_short = module.azure_region.location_short
  client_name    = var.client_name
  environment    = var.environment
  stack          = var.stack

  resource_group_name = module.rg.name

  public_ip_allocated = true
}

resource "azurerm_private_link_service" "example" {
  name                = format("pls-%s-%s-%s-%s", var.stack, var.client_name, module.azure_region.location_short, var.environment)
  location            = module.azure_region.location
  resource_group_name = module.rg.name

  load_balancer_frontend_ip_configuration_ids = [module.lb.frontend_ip_configuration[0].id]

  nat_ip_configuration {
    name      = "default"
    primary   = true
    subnet_id = module.subnet_02.id
  }
}

module "kv_private_endpoint" {
  source  = "claranet/private-endpoint/azurerm"
  version = "x.x.x"

  location       = module.azure_region.location
  location_short = module.azure_region.location_short
  client_name    = var.client_name
  environment    = var.environment
  stack          = var.stack

  resource_group_name = module.rg.name

  name_suffix     = "kv"
  nic_custom_name = "foo"

  subnet_id = module.subnet_01.id

  ip_configurations = [{ # The number of IP configurations depends on the target resource
    member_name        = "default" # The `member_name` value depends on the target resource
    private_ip_address = cidrhost(module.subnet_01.cidrs[0], 34)
  }]

  target_resource  = module.key_vault.id
  subresource_name = "vault"

  private_dns_zones_names     = ["privatelink.vaultcore.azure.net"]
  private_dns_zones_vnets_ids = [module.vnet_01.id, module.vnet_02.id]
}

module "example_private_endpoint" {
  source  = "claranet/private-endpoint/azurerm"
  version = "x.x.x"

  location       = module.azure_region.location
  location_short = module.azure_region.location_short
  client_name    = var.client_name
  environment    = var.environment
  stack          = var.stack

  resource_group_name = module.rg.name

  name_suffix     = "example"
  nic_custom_name = "bar"

  subnet_id = module.subnet_02.id

  target_resource = azurerm_private_link_service.example.id
}

module "example_alias_private_endpoint" {
  source  = "claranet/private-endpoint/azurerm"
  version = "x.x.x"

  location       = module.azure_region.location
  location_short = module.azure_region.location_short
  client_name    = var.client_name
  environment    = var.environment
  stack          = var.stack

  resource_group_name = module.rg.name

  name_suffix = "examplealias"

  is_manual_connection = true

  subnet_id = module.subnet_02.id

  ip_configurations = [{
    private_ip_address = cidrhost(module.subnet_02.cidrs[0], 34)
  }]

  target_resource = azurerm_private_link_service.example.alias
}
```
Name | Version |
---|---|
azurecaf | ~> 1.2.28 |
azurerm | ~> 4.0 |
Name | Source | Version |
---|---|---|
private_dns_zones | ./modules/private-dns-zone | n/a |
Name | Type |
---|---|
azurerm_private_endpoint.main | resource |
azurecaf_name.private_dns_zone_group | data source |
azurecaf_name.private_endpoint | data source |
azurecaf_name.private_service_connection | data source |
Name | Description | Type | Default | Required |
---|---|---|---|---|
client_name | Client name/account used in naming. | string | n/a | yes |
custom_name | Custom Private Endpoint name, generated if not set. | string | "" | no |
default_tags_enabled | Option to enable or disable default tags. | bool | true | no |
environment | Project environment. | string | n/a | yes |
extra_tags | Extra tags to add. | map(string) | {} | no |
ip_configurations | List of IP Configuration objects. Any modification to the parameters of the IP Configuration object forces a new resource to be created. name = Name of the IP Configuration. | list(object({ … })) | [] | no |
is_manual_connection | Does the Private Endpoint require manual approval from the remote resource owner? Defaults to false. | bool | false | no |
location | Azure location. | string | n/a | yes |
location_short | Short string for Azure location. | string | n/a | yes |
name_prefix | Optional prefix for the generated name. | string | "" | no |
name_suffix | Optional suffix for the generated name. | string | "" | no |
nic_custom_name | Custom network interface name of the Private Endpoint, generated by Azure if not set. | string | null | no |
private_dns_zone_group_custom_name | Custom Private DNS Zone Group name, generated if not set. | string | "" | no |
private_dns_zones_ids | IDs of the Private DNS Zones in which a new record will be created for the Private Endpoint. Only valid if use_existing_private_dns_zones is set to true and target_resource is not a Private Link Service. One of private_dns_zones_ids or private_dns_zones_names must be specified. | list(string) | [] | no |
private_dns_zones_names | Names of the Private DNS Zones to create. Only valid if use_existing_private_dns_zones is set to false and target_resource is not a Private Link Service. One of private_dns_zones_ids or private_dns_zones_names must be specified. | list(string) | [] | no |
private_dns_zones_vnets_ids | IDs of the VNets to link to the Private DNS Zones. Only valid if use_existing_private_dns_zones is set to false and target_resource is not a Private Link Service. | list(string) | [] | no |
private_service_connection_custom_name | Custom Private Service Connection name, generated if not set. | string | "" | no |
request_message | A message passed to the owner of the remote resource when the Private Endpoint attempts to establish the connection to the remote resource. Only valid if is_manual_connection is set to true. | string | "Private Endpoint Deployment" | no |
resource_group_name | Resource group name. | string | n/a | yes |
stack | Project stack name. | string | n/a | yes |
subnet_id | ID of the subnet in which the Private Endpoint will be created. | string | n/a | yes |
subresource_name | Name of the subresource corresponding to the target Azure resource. Only valid if target_resource is not a Private Link Service. | string | "" | no |
target_resource | Private Link Service Alias or ID of the target resource. | string | n/a | yes |
use_existing_private_dns_zones | Boolean controlling whether the module creates the Private DNS Zones corresponding to the Private Endpoint (false) or reuses existing ones (true). If you wish to centralize the Private DNS Zones in another Resource Group that could belong to another subscription, set this option to true and use the private-dns-zone submodule directly. | bool | false | no |
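The centralized Private DNS Zone scenario described for use_existing_private_dns_zones, as an added example that is not part of this module's README: the zone already lives in a hub resource group (here in another subscription) and the endpoint only registers its record there. The hub subscription ID, the hub resource group name and the provider alias are assumptions.

```hcl
# Added example (not from the module's README): reuse a centralized
# Private DNS Zone instead of creating one next to the Private Endpoint.
# Assumed values: the hub subscription id and the hub resource group name.

# Hub subscription that owns the shared privatelink zones.
provider "azurerm" {
  alias           = "hub"
  subscription_id = "00000000-0000-0000-0000-000000000000" # placeholder hub subscription
  features {}
}

# Look the existing zone up; nothing is created in the hub by this stack.
data "azurerm_private_dns_zone" "kv" {
  provider            = azurerm.hub
  name                = "privatelink.vaultcore.azure.net"
  resource_group_name = "rg-hub-private-dns" # assumed hub resource group
}

module "kv_private_endpoint" {
  source  = "claranet/private-endpoint/azurerm"
  version = "x.x.x"

  location       = module.azure_region.location
  location_short = module.azure_region.location_short
  client_name    = var.client_name
  environment    = var.environment
  stack          = var.stack

  resource_group_name = module.rg.name

  name_suffix = "kv"
  subnet_id   = module.subnet_01.id

  target_resource  = module.key_vault.id
  subresource_name = "vault"

  # Register the endpoint's A record in the hub zone. With this flag set,
  # private_dns_zones_names and private_dns_zones_vnets_ids must stay unset;
  # linking spoke VNets to the hub zone is the hub's job (for example the
  # modules/private-dns-zone submodule run from the hub stack).
  use_existing_private_dns_zones = true
  private_dns_zones_ids          = [data.azurerm_private_dns_zone.kv.id]
}
```

The identity running Terraform needs write access on the hub zone, since the DNS zone group creates the record there, and name resolution to the private IP only works from VNets linked to that zone; an unlinked VNet keeps resolving the public address, so checking the link is part of validating the deployment.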
Name | Description |
---|---|
id | Private Endpoint ID. |
ip_address | IP address associated with the Private Endpoint. |
module_private_dns_zone | Azure Private DNS Zone module outputs. |
private_dns_zones_ids | Maps of Private DNS Zones IDs created as part of this module. Only available if use_existing_private_dns_zones is set to false and target_resource is not a Private Link Service. |
private_dns_zones_record_sets | Maps of Private DNS Zones record sets created as part of this module. Only available if use_existing_private_dns_zones is set to false and target_resource is not a Private Link Service. |
resource | Azure Private Endpoint resource object. |
Microsoft Azure documentation: docs.microsoft.com/en-us/azure/private-link/