diff --git a/modules/common/main.tf b/modules/common/main.tf
index 08bc5f9..d83c3e9 100755
--- a/modules/common/main.tf
+++ b/modules/common/main.tf
@@ -1,5 +1,6 @@
resource "azurerm_resource_group" "resource_group" {
name = var.resource_group_name
location = var.location
+ tags = var.tags
}
diff --git a/modules/common/variables.tf b/modules/common/variables.tf
index 3bd7088..79da9a6 100755
--- a/modules/common/variables.tf
+++ b/modules/common/variables.tf
@@ -37,8 +37,8 @@ variable "maintenance_mode_password_hash" {
}
variable "tags" {
- type = map(string)
- description = "A map of the tags to use on the resources that are deployed with this module."
+ description = "Tags to be associated with the resource group."
+ type = map(string)
default = {}
}
diff --git a/modules/high_availability_existing_vnet/README.md b/modules/high_availability_existing_vnet/README.md
index 224e5f9..0a9d890 100755
--- a/modules/high_availability_existing_vnet/README.md
+++ b/modules/high_availability_existing_vnet/README.md
@@ -23,7 +23,7 @@ provider "azurerm" {
module "example_module" {
source = "CheckPointSW/cloudguard-network-security/azure//modules/high_availability_existing_vnet"
- version = "1.0.5"
+ version = "1.0.6"
tenant_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
source_image_vhd_uri = "noCustomUri"
@@ -128,3 +128,4 @@ module "example_module" {
| **storage_account_additional_ips** | IPs/CIDRs that are allowed access to the Storage Account | list(string) | A list of valid IPs and CIDRs
**Default:** [] |
| **security_rules** | Security rules for the Network Security Group | list(any) | A security rule composed of: {name, priority, direction, access, protocol, source_port_ranges, destination_port_ranges, source_address_prefix, destination_address_prefix, description}
**Default:** [] |
| **admin_SSH_key** | The SSH public key for SSH connections to the instance. Used when the authentication_type is 'SSH Public Key' | string | **Default:** "" |
+| **tags** | Tags can be associated either globally across all resources or scoped to specific resource types. For example, a global tag can be defined as: {"all": {"example": "example"}}.
Supported resource types for tag assignment include:
`all` (Applies tags universally to all resource instances)
`resource-group`
`network-interface`
`public-ip`
`public-ip-prefix`
`load-balancer`
`storage-account`
`virtual-machine`
`custom-image`
`availability-set`
**Important:** When identical tag keys are defined both globally under `all` and within a specific resource scope, the tag value specified under `all` overrides the resource-specific tag. | map(map(string)) | {} |
\ No newline at end of file
diff --git a/modules/high_availability_existing_vnet/locals.tf b/modules/high_availability_existing_vnet/locals.tf
index b652c45..b63e970 100755
--- a/modules/high_availability_existing_vnet/locals.tf
+++ b/modules/high_availability_existing_vnet/locals.tf
@@ -1,4 +1,4 @@
locals {
module_name = "ha_terraform"
- module_version = "1.0.5"
+ module_version = "1.0.6"
}
diff --git a/modules/high_availability_existing_vnet/main.tf b/modules/high_availability_existing_vnet/main.tf
index d711440..b0a109c 100755
--- a/modules/high_availability_existing_vnet/main.tf
+++ b/modules/high_availability_existing_vnet/main.tf
@@ -19,6 +19,7 @@ module "common" {
serial_console_password_hash = var.serial_console_password_hash
maintenance_mode_password_hash = var.maintenance_mode_password_hash
storage_account_additional_ips = var.storage_account_additional_ips
+ tags = merge(lookup(var.tags, "resource-group", {}), lookup(var.tags, "all", {}))
}
//********************** Networking **************************//
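Review bot: The argument order on the added `tags` line makes the `all` scope win over the `resource-group` scope, because `merge()` gives later arguments precedence, and the same order is repeated on every resource in this file. The README documents this, but it inverts the usual convention where a resource-specific value overrides a global default, and it means a per-resource exception can never be expressed once an `all` key carries the same tag name. If per-resource overrides are the intent, swap the arguments: `tags = merge(lookup(var.tags, "all", {}), lookup(var.tags, "resource-group", {}))` and adjust the README note; if the current order is deliberate, a one-line comment at this first use (`# "all" intentionally overrides scoped tags; see README`) will stop the next reader from "fixing" it. The `module "common"` block begins before this hunk.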
@@ -35,6 +36,7 @@ resource "azurerm_public_ip_prefix" "public_ip_prefix" {
location = module.common.resource_group_location
resource_group_name = module.common.resource_group_name
prefix_length = 30
+ tags = merge(lookup(var.tags, "public-ip-prefix", {}), lookup(var.tags, "all", {}))
}
data "azurerm_subnet" "frontend" {
@@ -58,6 +60,7 @@ resource "azurerm_public_ip" "public-ip" {
sku = var.sku
domain_name_label = "${lower(var.cluster_name)}-${count.index+1}-${random_id.random_id.hex}"
public_ip_prefix_id = var.use_public_ip_prefix ? (var.create_public_ip_prefix ? azurerm_public_ip_prefix.public_ip_prefix[0].id : var.existing_public_ip_prefix_id) : null
+ tags = merge(lookup(var.tags, "public-ip", {}), lookup(var.tags, "all", {}))
}
resource "azurerm_public_ip" "cluster-vip" {
@@ -68,6 +71,7 @@ resource "azurerm_public_ip" "cluster-vip" {
sku = var.sku
domain_name_label = "${lower(var.cluster_name)}-vip-${random_id.random_id.hex}"
public_ip_prefix_id = var.use_public_ip_prefix ? (var.create_public_ip_prefix ? azurerm_public_ip_prefix.public_ip_prefix[0].id : var.existing_public_ip_prefix_id) : null
+ tags = merge(lookup(var.tags, "public-ip", {}), lookup(var.tags, "all", {}))
}
resource "azurerm_network_interface" "nic_vip" {
@@ -103,6 +107,8 @@ resource "azurerm_network_interface" "nic_vip" {
ip_configuration
]
}
+
+ tags = merge(lookup(var.tags, "network-interface", {}), lookup(var.tags, "all", {}))
}
resource "azurerm_network_interface_backend_address_pool_association" "nic_vip_lb_association" {
@@ -137,6 +143,8 @@ resource "azurerm_network_interface" "nic" {
ip_configuration
]
}
+
+ tags = merge(lookup(var.tags, "network-interface", {}), lookup(var.tags, "all", {}))
}
resource "azurerm_network_interface_backend_address_pool_association" "nic_lb_association" {
@@ -162,6 +170,8 @@ resource "azurerm_network_interface" "nic1" {
private_ip_address_allocation = var.vnet_allocation_method
private_ip_address = cidrhost(data.azurerm_subnet.backend.address_prefixes[0], var.backend_IP_addresses[count.index+1])
}
+
+ tags = merge(lookup(var.tags, "network-interface", {}), lookup(var.tags, "all", {}))
}
resource "azurerm_network_interface_backend_address_pool_association" "nic1_lb_association" {
@@ -181,6 +191,7 @@ resource "azurerm_public_ip" "public-ip-lb" {
sku = var.sku
domain_name_label = "${lower(var.cluster_name)}-${random_id.random_id.hex}"
public_ip_prefix_id = var.use_public_ip_prefix ? (var.create_public_ip_prefix ? azurerm_public_ip_prefix.public_ip_prefix[0].id : var.existing_public_ip_prefix_id) : null
+ tags = merge(lookup(var.tags, "public-ip", {}), lookup(var.tags, "all", {}))
}
resource "azurerm_lb" "frontend-lb" {
@@ -195,6 +206,8 @@ resource "azurerm_lb" "frontend-lb" {
name = "LoadBalancerFrontend"
public_ip_address_id = azurerm_public_ip.public-ip-lb.id
}
+
+ tags = merge(lookup(var.tags, "load-balancer", {}), lookup(var.tags, "all", {}))
}
resource "azurerm_lb_backend_address_pool" "frontend-lb-pool" {
@@ -213,6 +226,8 @@ resource "azurerm_lb" "backend-lb" {
private_ip_address_allocation = var.vnet_allocation_method
private_ip_address = cidrhost(data.azurerm_subnet.backend.address_prefixes[0], var.backend_IP_addresses[0])
}
+
+ tags = merge(lookup(var.tags, "load-balancer", {}), lookup(var.tags, "all", {}))
}
resource "azurerm_lb_backend_address_pool" "backend-lb-pool" {
@@ -256,6 +271,7 @@ resource "azurerm_availability_set" "availability-set" {
platform_fault_domain_count = 2
platform_update_domain_count = 5
managed = true
+ tags = merge(lookup(var.tags, "availability-set", {}), lookup(var.tags, "all", {}))
}
//********************** Storage accounts **************************//
@@ -283,6 +299,7 @@ resource "azurerm_storage_account" "vm-boot-diagnostics-storage" {
days = "15"
}
}
+ tags = merge(lookup(var.tags, "storage-account", {}), lookup(var.tags, "all", {}))
}
//********************** Virtual Machines **************************//
@@ -301,6 +318,8 @@ resource "azurerm_image" "custom-image" {
os_state = "Generalized"
blob_uri = var.source_image_vhd_uri
}
+
+ tags = merge(lookup(var.tags, "custom-image", {}), lookup(var.tags, "all", {}))
}
resource "azurerm_virtual_machine" "vm-instance-availability-set" {
depends_on = [
@@ -393,6 +412,8 @@ resource "azurerm_virtual_machine" "vm-instance-availability-set" {
enabled = module.common.boot_diagnostics
storage_uri = module.common.boot_diagnostics ? join(",", azurerm_storage_account.vm-boot-diagnostics-storage.*.primary_blob_endpoint) : ""
}
+
+ tags = merge(lookup(var.tags, "virtual-machine", {}), lookup(var.tags, "all", {}))
}
resource "azurerm_virtual_machine" "vm-instance-availability-zone" {
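Review bot: The tags added to `azurerm_virtual_machine.vm-instance-availability-set` (and to the availability-zone variant that opens at the end of this hunk) are readable from inside the guest through the Azure Instance Metadata Service (`compute/tags`) without any credentials, and by any principal holding Reader on the resource group. Because the `all` scope is stamped onto every resource, an operator who puts an environment secret, a ticket URL containing a token, or a customer identifier into a global tag exposes it to the gateway OS and to low-privilege readers. Worth a comment here or on the variable: `# tag values are visible via IMDS from inside the VM and to Reader-role principals; never place secrets in them`. The `vm-instance-availability-set` resource block begins before this hunk.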
@@ -487,6 +508,8 @@ resource "azurerm_virtual_machine" "vm-instance-availability-zone" {
enabled = module.common.boot_diagnostics
storage_uri = module.common.boot_diagnostics ? join(",", azurerm_storage_account.vm-boot-diagnostics-storage.*.primary_blob_endpoint) : ""
}
+
+ tags = merge(lookup(var.tags, "virtual-machine", {}), lookup(var.tags, "all", {}))
}
//********************** Role Assigments **************************//
data "azurerm_role_definition" "virtual_machine_contributor_role_definition" {
diff --git a/modules/high_availability_existing_vnet/variables.tf b/modules/high_availability_existing_vnet/variables.tf
index cbb921f..b6c662e 100755
--- a/modules/high_availability_existing_vnet/variables.tf
+++ b/modules/high_availability_existing_vnet/variables.tf
@@ -322,3 +322,8 @@ variable "security_rules" {
default = []
}
+variable "tags" {
+ description = "Assign tags by resource."
+ type = map(map(string))
+ default = {}
+}
\ No newline at end of file
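Review bot: The new `tags` variable accepts any scope key, and every consumer in main.tf uses `lookup(var.tags, "<scope>", {})`, so a misspelled scope such as `"virtual-machines"` silently yields untagged resources instead of an error — a real problem when tags drive Azure Policy, cost allocation or ownership tracking. A `validation` block restricting the keys to the scopes the README lists turns the typo into a plan-time failure. This needs Terraform 0.13 or later, which I could not confirm from the module's version constraint in this diff.
```hcl
variable "tags" {
  description = "Assign tags by resource."
  type        = map(map(string))
  default     = {}

  validation {
    condition = alltrue([
      for scope in keys(var.tags) : contains([
        "all", "resource-group", "network-interface", "public-ip", "public-ip-prefix",
        "load-balancer", "storage-account", "virtual-machine", "custom-image", "availability-set",
      ], scope)
    ])
    error_message = "tags: unsupported scope key; see the README for the supported resource types."
  }
}
```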
diff --git a/modules/high_availability_new_vnet/README.md b/modules/high_availability_new_vnet/README.md
index 5d82482..6d5fed4 100755
--- a/modules/high_availability_new_vnet/README.md
+++ b/modules/high_availability_new_vnet/README.md
@@ -29,7 +29,7 @@ provider "azurerm" {
module "example_module" {
source = "CheckPointSW/cloudguard-network-security/azure//modules/high_availability_new_vnet"
- version = "1.0.5"
+ version = "1.0.6"
tenant_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
source_image_vhd_uri = "noCustomUri"
@@ -130,3 +130,4 @@ module "example_module" {
| **storage_account_additional_ips**| IPs/CIDRs that are allowed access to the Storage Account | list(string) | A list of valid IPs and CIDRs
**Default:** [] |
| **security_rules** | Security rules for the Network Security Group | list(any) | A security rule composed of: {name, priority, direction, access, protocol, source_port_ranges, destination_port_ranges, source_address_prefix, destination_address_prefix, description}
**Default:** [] |
| **admin_SSH_key** | The SSH public key for SSH connections to the instance. Used when the authentication_type is 'SSH Public Key' | string | **Default:** "" |
+| **tags** | Tags can be associated either globally across all resources or scoped to specific resource types. For example, a global tag can be defined as: {"all": {"example": "example"}}.
Supported resource types for tag assignment include:
`all` (Applies tags universally to all resource instances)
`resource-group`
`virtual-network`
`network-security-group`
`network-interface`
`public-ip`
`public-ip-prefix`
`load-balancer`
`route-table`
`storage-account`
`virtual-machine`
`custom-image`
`availability-set`
**Important:** When identical tag keys are defined both globally under `all` and within a specific resource scope, the tag value specified under `all` overrides the resource-specific tag. | map(map(string)) | {} |
\ No newline at end of file
diff --git a/modules/high_availability_new_vnet/locals.tf b/modules/high_availability_new_vnet/locals.tf
index b652c45..b63e970 100755
--- a/modules/high_availability_new_vnet/locals.tf
+++ b/modules/high_availability_new_vnet/locals.tf
@@ -1,4 +1,4 @@
locals {
module_name = "ha_terraform"
- module_version = "1.0.5"
+ module_version = "1.0.6"
}
diff --git a/modules/high_availability_new_vnet/main.tf b/modules/high_availability_new_vnet/main.tf
index 7dd1514..13d3771 100755
--- a/modules/high_availability_new_vnet/main.tf
+++ b/modules/high_availability_new_vnet/main.tf
@@ -19,6 +19,7 @@ module "common" {
serial_console_password_hash = var.serial_console_password_hash
maintenance_mode_password_hash = var.maintenance_mode_password_hash
storage_account_additional_ips = var.storage_account_additional_ips
+ tags = merge(lookup(var.tags, "resource-group", {}), lookup(var.tags, "all", {}))
}
//********************** Networking **************************//
@@ -30,6 +31,7 @@ module "vnet" {
nsg_id = var.nsg_id == "" ? module.network_security_group[0].network_security_group_id: var.nsg_id
address_space = var.address_space
subnet_prefixes = var.subnet_prefixes
+ tags = var.tags
}
module "network_security_group" {
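Review bot: `module "vnet"` receives the raw `var.tags` (a `map(map(string))`) on the added line, whereas `module "network_security_group"` below and every resource in this file receive an already-merged `map(string)`. This only works if the vnet module declares its own `tags` variable as `map(map(string))` and performs the `all`/`virtual-network`/`route-table` lookups internally; that module is not part of this diff, so I cannot confirm it, and if its variable is still `map(string)` the plan fails with a type error. Either pre-merge here for consistency with the rest of the file, or add a comment stating the contract, e.g. `# vnet module resolves the "all"/"virtual-network"/"route-table" scopes itself`. The `module "vnet"` block starts before this hunk.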
@@ -39,6 +41,7 @@ module "network_security_group" {
security_group_name = "${module.common.resource_group_name}_nsg"
location = module.common.resource_group_location
security_rules = var.security_rules
+ tags = merge(lookup(var.tags, "network-security-group", {}), lookup(var.tags, "all", {}))
}
resource "random_id" "random_id" {
@@ -54,6 +57,7 @@ resource "azurerm_public_ip_prefix" "public_ip_prefix" {
location = module.common.resource_group_location
resource_group_name = module.common.resource_group_name
prefix_length = 30
+ tags = merge(lookup(var.tags, "public-ip-prefix", {}), lookup(var.tags, "all", {}))
}
resource "azurerm_public_ip" "public-ip" {
@@ -65,6 +69,7 @@ resource "azurerm_public_ip" "public-ip" {
sku = var.sku
domain_name_label = "${lower(var.cluster_name)}-${count.index+1}-${random_id.random_id.hex}"
public_ip_prefix_id = var.use_public_ip_prefix ? (var.create_public_ip_prefix ? azurerm_public_ip_prefix.public_ip_prefix[0].id : var.existing_public_ip_prefix_id) : null
+ tags = merge(lookup(var.tags, "public-ip", {}), lookup(var.tags, "all", {}))
}
resource "azurerm_public_ip" "cluster-vip" {
@@ -75,6 +80,7 @@ resource "azurerm_public_ip" "cluster-vip" {
sku = var.sku
domain_name_label = "${lower(var.cluster_name)}-vip-${random_id.random_id.hex}"
public_ip_prefix_id = var.use_public_ip_prefix ? (var.create_public_ip_prefix ? azurerm_public_ip_prefix.public_ip_prefix[0].id : var.existing_public_ip_prefix_id) : null
+ tags = merge(lookup(var.tags, "public-ip", {}), lookup(var.tags, "all", {}))
}
resource "azurerm_network_interface" "nic_vip" {
@@ -110,6 +116,8 @@ resource "azurerm_network_interface" "nic_vip" {
ip_configuration
]
}
+
+ tags = merge(lookup(var.tags, "network-interface", {}), lookup(var.tags, "all", {}))
}
resource "azurerm_network_interface_backend_address_pool_association" "nic_vip_lb_association" {
@@ -144,6 +152,8 @@ resource "azurerm_network_interface" "nic" {
ip_configuration
]
}
+
+ tags = merge(lookup(var.tags, "network-interface", {}), lookup(var.tags, "all", {}))
}
resource "azurerm_network_interface_backend_address_pool_association" "nic_lb_association" {
@@ -169,6 +179,8 @@ resource "azurerm_network_interface" "nic1" {
private_ip_address_allocation = module.vnet.allocation_method
private_ip_address = cidrhost(module.vnet.subnet_prefixes[1], count.index+5)
}
+
+ tags = merge(lookup(var.tags, "network-interface", {}), lookup(var.tags, "all", {}))
}
resource "azurerm_network_interface_backend_address_pool_association" "nic1_lb_association" {
@@ -188,6 +200,7 @@ resource "azurerm_public_ip" "public-ip-lb" {
sku = var.sku
domain_name_label = "${lower(var.cluster_name)}-${random_id.random_id.hex}"
public_ip_prefix_id = var.use_public_ip_prefix ? (var.create_public_ip_prefix ? azurerm_public_ip_prefix.public_ip_prefix[0].id : var.existing_public_ip_prefix_id) : null
+ tags = merge(lookup(var.tags, "public-ip", {}), lookup(var.tags, "all", {}))
}
resource "azurerm_lb" "frontend-lb" {
@@ -202,6 +215,8 @@ resource "azurerm_lb" "frontend-lb" {
name = "LoadBalancerFrontend"
public_ip_address_id = azurerm_public_ip.public-ip-lb.id
}
+
+ tags = merge(lookup(var.tags, "load-balancer", {}), lookup(var.tags, "all", {}))
}
resource "azurerm_lb_backend_address_pool" "frontend-lb-pool" {
@@ -220,6 +235,8 @@ resource "azurerm_lb" "backend-lb" {
private_ip_address_allocation = module.vnet.allocation_method
private_ip_address = cidrhost(module.vnet.subnet_prefixes[1], 4)
}
+
+ tags = merge(lookup(var.tags, "load-balancer", {}), lookup(var.tags, "all", {}))
}
resource "azurerm_lb_backend_address_pool" "backend-lb-pool" {
@@ -263,6 +280,8 @@ resource "azurerm_availability_set" "availability-set" {
platform_fault_domain_count = 2
platform_update_domain_count = 5
managed = true
+
+ tags = merge(lookup(var.tags, "availability-set", {}), lookup(var.tags, "all", {}))
}
//********************** Storage accounts **************************//
@@ -290,6 +309,7 @@ resource "azurerm_storage_account" "vm-boot-diagnostics-storage" {
days = "15"
}
}
+ tags = merge(lookup(var.tags, "storage-account", {}), lookup(var.tags, "all", {}))
}
//********************** Virtual Machines **************************//
@@ -308,6 +328,8 @@ resource "azurerm_image" "custom-image" {
os_state = "Generalized"
blob_uri = var.source_image_vhd_uri
}
+
+ tags = merge(lookup(var.tags, "custom-image", {}), lookup(var.tags, "all", {}))
}
resource "azurerm_virtual_machine" "vm-instance-availability-set" {
depends_on = [
@@ -400,6 +422,8 @@ resource "azurerm_virtual_machine" "vm-instance-availability-set" {
enabled = module.common.boot_diagnostics
storage_uri = module.common.boot_diagnostics ? join(",", azurerm_storage_account.vm-boot-diagnostics-storage.*.primary_blob_endpoint) : ""
}
+
+ tags = merge(lookup(var.tags, "virtual-machine", {}), lookup(var.tags, "all", {}))
}
resource "azurerm_virtual_machine" "vm-instance-availability-zone" {
@@ -494,6 +518,8 @@ resource "azurerm_virtual_machine" "vm-instance-availability-zone" {
enabled = module.common.boot_diagnostics
storage_uri = module.common.boot_diagnostics ? join(",", azurerm_storage_account.vm-boot-diagnostics-storage.*.primary_blob_endpoint) : ""
}
+
+ tags = merge(lookup(var.tags, "virtual-machine", {}), lookup(var.tags, "all", {}))
}
//********************** Role Assigments **************************//
data "azurerm_role_definition" "virtual_machine_contributor_role_definition" {
diff --git a/modules/high_availability_new_vnet/variables.tf b/modules/high_availability_new_vnet/variables.tf
index fde2d00..a3c51d8 100755
--- a/modules/high_availability_new_vnet/variables.tf
+++ b/modules/high_availability_new_vnet/variables.tf
@@ -321,3 +321,9 @@ variable "security_rules" {
}
]
}
+
+variable "tags" {
+ description = "Assign tags by resource."
+ type = map(map(string))
+ default = {}
+}
\ No newline at end of file
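Review bot: The new `tags` variable has no constraint on its scope keys, and since main.tf reads each scope with `lookup(var.tags, "<scope>", {})`, an unknown or misspelled key is silently ignored and the affected resources simply come out untagged. A `validation` block pinned to the scope list from this module's README makes that a plan-time error rather than a surprise in a compliance report. It requires Terraform 0.13+, which I could not verify from the diff.
```hcl
variable "tags" {
  description = "Assign tags by resource."
  type        = map(map(string))
  default     = {}

  validation {
    condition = alltrue([
      for scope in keys(var.tags) : contains([
        "all", "resource-group", "virtual-network", "network-security-group", "network-interface",
        "public-ip", "public-ip-prefix", "load-balancer", "route-table", "storage-account",
        "virtual-machine", "custom-image", "availability-set",
      ], scope)
    ])
    error_message = "tags: unsupported scope key; see the README for the supported resource types."
  }
}
```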
diff --git a/modules/management_existing_vnet/README.md b/modules/management_existing_vnet/README.md
index c23f0c4..7349dad 100755
--- a/modules/management_existing_vnet/README.md
+++ b/modules/management_existing_vnet/README.md
@@ -24,7 +24,7 @@ provider "azurerm" {
module "example_module" {
source = "CheckPointSW/cloudguard-network-security/azure//modules/management_existing_vnet"
- version = "1.0.5"
+ version = "1.0.6"
source_image_vhd_uri = "noCustomUri"
resource_group_name = "checkpoint-mgmt-terraform"
@@ -84,4 +84,5 @@ module "example_module" {
| **maintenance_mode_password_hash** | Maintenance mode password hash, relevant only for R81.20 and higher versions, to generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here | string | |
| **nsg_id** | Optional ID for a Network Security Group that already exists in Azure, if not provided, will create a default NSG | string | Existing NSG resource ID.
**Default:** "" |
| **add_storage_account_ip_rules** | Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location, if false then accses will be allowed from all networks | boolean | true;
false.
**Default:** false |
-| **storage_account_additional_ips** | IPs/CIDRs that are allowed access to the Storage Account | list(string) | A list of valid IPs and CIDRs.
**Default:** [] |
\ No newline at end of file
+| **storage_account_additional_ips** | IPs/CIDRs that are allowed access to the Storage Account | list(string) | A list of valid IPs and CIDRs.
**Default:** [] |
+| **tags** | Tags can be associated either globally across all resources or scoped to specific resource types. For example, a global tag can be defined as: {"all": {"example": "example"}}.
Supported resource types for tag assignment include:
`all` (Applies tags universally to all resource instances)
`resource-group`
`network-security-group`
`network-interface`
`public-ip`
`storage-account`
`virtual-machine`
`custom-image`
**Important:** When identical tag keys are defined both globally under `all` and within a specific resource scope, the tag value specified under `all` overrides the resource-specific tag. | map(map(string)) | {} |
\ No newline at end of file
diff --git a/modules/management_existing_vnet/locals.tf b/modules/management_existing_vnet/locals.tf
index d0c0838..8ebafa9 100755
--- a/modules/management_existing_vnet/locals.tf
+++ b/modules/management_existing_vnet/locals.tf
@@ -1,4 +1,4 @@
locals {
module_name = "management_terraform_registry"
- module_version = "1.0.5"
+ module_version = "1.0.6"
}
diff --git a/modules/management_existing_vnet/main.tf b/modules/management_existing_vnet/main.tf
index b4aac2c..5ec6b9a 100755
--- a/modules/management_existing_vnet/main.tf
+++ b/modules/management_existing_vnet/main.tf
@@ -20,6 +20,7 @@ module "common" {
serial_console_password_hash = var.serial_console_password_hash
maintenance_mode_password_hash = var.maintenance_mode_password_hash
storage_account_additional_ips = var.storage_account_additional_ips
+ tags = merge(lookup(var.tags, "resource-group", {}), lookup(var.tags, "all", {}))
}
//********************** Networking **************************//
@@ -40,6 +41,7 @@ resource "azurerm_public_ip" "public-ip" {
lower(var.mgmt_name),
"-",
random_id.randomId.hex])
+ tags = merge(lookup(var.tags, "public-ip", {}), lookup(var.tags, "all", {}))
}
module "network_security_group" {
@@ -146,6 +148,8 @@ module "network_security_group" {
destination_address_prefix = "*"
}
])
+
+ tags = merge(lookup(var.tags, "network-security-group", {}), lookup(var.tags, "all", {}))
}
resource "azurerm_network_interface_security_group_association" "security_group_association" {
@@ -169,6 +173,8 @@ resource "azurerm_network_interface" "nic" {
private_ip_address = var.subnet_1st_Address
public_ip_address_id = azurerm_public_ip.public-ip.id
}
+
+ tags = merge(lookup(var.tags, "network-interface", {}), lookup(var.tags, "all", {}))
}
//********************** Storage accounts **************************//
@@ -197,7 +203,7 @@ resource "azurerm_storage_account" "vm-boot-diagnostics-storage" {
days = "15"
}
}
-
+ tags = merge(lookup(var.tags, "storage-account", {}), lookup(var.tags, "all", {}))
}
//********************** Virtual Machines **************************//
@@ -217,6 +223,8 @@ resource "azurerm_image" "custom-image" {
os_state = "Generalized"
blob_uri = var.source_image_vhd_uri
}
+
+ tags = merge(lookup(var.tags, "custom-image", {}), lookup(var.tags, "all", {}))
}
resource "azurerm_virtual_machine" "mgmt-vm-instance" {
@@ -301,4 +309,6 @@ resource "azurerm_virtual_machine" "mgmt-vm-instance" {
managed_disk_type = module.common.storage_account_type
disk_size_gb = module.common.disk_size
}
+
+ tags = merge(lookup(var.tags, "virtual-machine", {}), lookup(var.tags, "all", {}))
}
\ No newline at end of file
diff --git a/modules/management_existing_vnet/variables.tf b/modules/management_existing_vnet/variables.tf
index fc68193..c80f487 100755
--- a/modules/management_existing_vnet/variables.tf
+++ b/modules/management_existing_vnet/variables.tf
@@ -226,3 +226,9 @@ variable "security_rules" {
type = list(any)
default = []
}
+
+variable "tags" {
+ description = "Assign tags by resource."
+ type = map(map(string))
+ default = {}
+}
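Review bot: The added `tags` variable accepts arbitrary scope keys while main.tf only ever consults a fixed set via `lookup(var.tags, "<scope>", {})`, so a typo in a scope name is swallowed and the resource is deployed without the intended tags. A `validation` block enumerating the scopes this module's README documents would reject that at plan time. This needs Terraform 0.13 or later; the diff does not show the module's version constraint.
```hcl
variable "tags" {
  description = "Assign tags by resource."
  type        = map(map(string))
  default     = {}

  validation {
    condition = alltrue([
      for scope in keys(var.tags) : contains([
        "all", "resource-group", "network-security-group", "network-interface",
        "public-ip", "storage-account", "virtual-machine", "custom-image",
      ], scope)
    ])
    error_message = "tags: unsupported scope key; see the README for the supported resource types."
  }
}
```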
diff --git a/modules/management_new_vnet/README.md b/modules/management_new_vnet/README.md
index 69b4f81..d79b199 100755
--- a/modules/management_new_vnet/README.md
+++ b/modules/management_new_vnet/README.md
@@ -26,7 +26,7 @@ provider "azurerm" {
module "example_module" {
source = "CheckPointSW/cloudguard-network-security/azure//modules/management_new_vnet"
- version = "1.0.5"
+ version = "1.0.6"
source_image_vhd_uri = "noCustomUri"
resource_group_name = "checkpoint-mgmt-terraform"
@@ -87,3 +87,4 @@ module "example_module" {
| **security_rules** | SSecurity rules for the Network Security | list(any) | A security rule is composed of: {name, priority, direction, access, protocol, source_port_ranges, destination_port_ranges, source_address_prefix, destination_address_prefix, description}
**Default:** [] |
| **admin_SSH_key** | The SSH public key for SSH connections to the instance. Used when the authentication_type is 'SSH Public Key' | string | **Default:** ""
| **is_blink** | Define if blink image is used for deployment | boolean | true;
false;
**Default:** true |
+| **tags** | Tags can be associated either globally across all resources or scoped to specific resource types. For example, a global tag can be defined as: {"all": {"example": "example"}}.
Supported resource types for tag assignment include:
`all` (Applies tags universally to all resource instances)
`resource-group`
`virtual-network`
`network-security-group`
`network-interface`
`public-ip`
`route-table`
`storage-account`
`virtual-machine`
`custom-image`
**Important:** When identical tag keys are defined both globally under `all` and within a specific resource scope, the tag value specified under `all` overrides the resource-specific tag. | map(map(string)) | {} |
\ No newline at end of file
diff --git a/modules/management_new_vnet/locals.tf b/modules/management_new_vnet/locals.tf
index d0c0838..8ebafa9 100755
--- a/modules/management_new_vnet/locals.tf
+++ b/modules/management_new_vnet/locals.tf
@@ -1,4 +1,4 @@
locals {
module_name = "management_terraform_registry"
- module_version = "1.0.5"
+ module_version = "1.0.6"
}
diff --git a/modules/management_new_vnet/main.tf b/modules/management_new_vnet/main.tf
index fa467f1..8bcc3ec 100755
--- a/modules/management_new_vnet/main.tf
+++ b/modules/management_new_vnet/main.tf
@@ -19,6 +19,7 @@ module "common" {
serial_console_password_hash = var.serial_console_password_hash
maintenance_mode_password_hash = var.maintenance_mode_password_hash
storage_account_additional_ips = var.storage_account_additional_ips
+ tags = merge(lookup(var.tags, "resource-group", {}), lookup(var.tags, "all", {}))
}
//********************** Networking **************************//
@@ -32,6 +33,7 @@ module "vnet" {
subnet_prefixes = [var.subnet_prefix]
subnet_names = ["${var.mgmt_name}-subnet"]
nsg_id = var.nsg_id == "" ? module.network_security_group[0].network_security_group_id: var.nsg_id
+ tags = var.tags
}
module "network_security_group" {
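Review bot: The added line hands `module "vnet"` the unmerged `map(map(string))`, unlike `module "network_security_group"` and the resources further down, which all get a merged `map(string)`. That is correct only if the vnet module's `tags` input is typed `map(map(string))` and it applies the `all`/`virtual-network`/`route-table` precedence itself; the vnet module is outside this diff, so I cannot confirm either, and a `map(string)` input there would make the plan fail. A short comment documenting that the scope resolution happens inside the vnet module, e.g. `# vnet module applies the "all"/"virtual-network"/"route-table" scopes internally`, would make the asymmetry intentional rather than suspicious. The `module "vnet"` block begins before this hunk.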
@@ -138,6 +140,8 @@ module "network_security_group" {
destination_address_prefix = "*"
}
])
+
+ tags = merge(lookup(var.tags, "network-security-group", {}), lookup(var.tags, "all", {}))
}
resource "azurerm_public_ip" "public-ip" {
@@ -151,6 +155,8 @@ resource "azurerm_public_ip" "public-ip" {
lower(var.mgmt_name),
"-",
random_id.randomId.hex])
+
+ tags = merge(lookup(var.tags, "public-ip", {}), lookup(var.tags, "all", {}))
}
resource "azurerm_network_interface_security_group_association" "security_group_association" {
@@ -174,6 +180,8 @@ resource "azurerm_network_interface" "nic" {
private_ip_address = cidrhost(var.subnet_prefix, 4)
public_ip_address_id = azurerm_public_ip.public-ip.id
}
+
+ tags = merge(lookup(var.tags, "network-interface", {}), lookup(var.tags, "all", {}))
}
//********************** Storage accounts **************************//
@@ -202,6 +210,7 @@ resource "azurerm_storage_account" "vm-boot-diagnostics-storage" {
days = "15"
}
}
+ tags = merge(lookup(var.tags, "storage-account", {}), lookup(var.tags, "all", {}))
}
//********************** Virtual Machines **************************//
@@ -221,6 +230,8 @@ resource "azurerm_image" "custom-image" {
os_state = "Generalized"
blob_uri = var.source_image_vhd_uri
}
+
+ tags = merge(lookup(var.tags, "custom-image", {}), lookup(var.tags, "all", {}))
}
resource "azurerm_virtual_machine" "mgmt-vm-instance" {
@@ -304,4 +315,6 @@ resource "azurerm_virtual_machine" "mgmt-vm-instance" {
managed_disk_type = module.common.storage_account_type
disk_size_gb = module.common.disk_size
}
+
+ tags = merge(lookup(var.tags, "virtual-machine", {}), lookup(var.tags, "all", {}))
}
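Review bot: The tags added to `azurerm_virtual_machine.mgmt-vm-instance` are exposed to the guest OS through the Azure Instance Metadata Service without authentication and to any Reader-role principal on the resource group, so nothing sensitive should ever be placed in them — this matters more for a management server than for a gateway. Because every resource also inherits the `all` scope, a single careless global tag value (token-bearing URL, internal hostname, customer name) is replicated onto the VM where it becomes readable from inside. Suggest a comment on this line: `# tag values are readable via IMDS from the guest and by Reader-role principals; do not store secrets here`. The `mgmt-vm-instance` resource block starts before this hunk.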
diff --git a/modules/management_new_vnet/variables.tf b/modules/management_new_vnet/variables.tf
index 0ee2e7f..a949027 100755
--- a/modules/management_new_vnet/variables.tf
+++ b/modules/management_new_vnet/variables.tf
@@ -225,3 +225,9 @@ variable "admin_SSH_key" {
description = "(Optional) TheUsed when the authentication_type is 'SSH Public Key'. The SSH public key for SSH authentication to the template instances."
default = ""
}
+
+variable "tags" {
+ description = "Assign tags by resource."
+ type = map(map(string))
+ default = {}
+}
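Review bot: The new `tags` variable permits any top-level key, yet every consumer in main.tf selects scopes with `lookup(var.tags, "<scope>", {})`, so a misspelled scope silently drops the tags for that resource type instead of failing the plan. Constraining the keys with a `validation` block to the scopes listed in this module's README surfaces the mistake before anything is deployed. It relies on Terraform 0.13+ `validation` support, which the diff does not let me confirm for this module.
```hcl
variable "tags" {
  description = "Assign tags by resource."
  type        = map(map(string))
  default     = {}

  validation {
    condition = alltrue([
      for scope in keys(var.tags) : contains([
        "all", "resource-group", "virtual-network", "network-security-group", "network-interface",
        "public-ip", "route-table", "storage-account", "virtual-machine", "custom-image",
      ], scope)
    ])
    error_message = "tags: unsupported scope key; see the README for the supported resource types."
  }
}
```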
diff --git a/modules/mds_existing_vnet/README.md b/modules/mds_existing_vnet/README.md
index bbd08ff..f90b954 100755
--- a/modules/mds_existing_vnet/README.md
+++ b/modules/mds_existing_vnet/README.md
@@ -23,7 +23,7 @@ provider "azurerm" {
module "example_module" {
source = "CheckPointSW/cloudguard-network-security/azure//modules/mds_existing_vnet"
- version = "1.0.5"
+ version = "1.0.6"
source_image_vhd_uri = "noCustomUri"
resource_group_name = "checkpoint-mds-rg-terraform"
@@ -96,4 +96,5 @@ module "example_module" {
| **add_storage_account_ip_rules** | Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location, if false then accses will be allowed from all networks | boolean | true;
false.
**Default:** false |
| **storage_account_additional_ips** | IPs/CIDRs that are allowed access to the Storage Account | list(string) | A list of valid IPs and CIDRs.
**Default:** [] |
| **security_rules** | Security rules for the Network Security | list(any) | A list of valid security rules values.
A security rule composed of:
{name, priority, direction, access, protocol, source_port_ranges, destination_port_ranges, source_address_prefix, destination_address_prefix, description}.
**Default:** [{"name":"AllowAllInBound", "priority":"100", "direction":"Inbound", "access":"Allow", "protocol":"*", "source_port_ranges":"*", "destination_port_ranges":"", "description":"Allow all inbound connections", "source_address_prefix":"*", "destination_address_prefix":""}] |
-| **admin_SSH_key** | The SSH public key for SSH connections to the instance.
Used when the authentication_type is 'SSH Public Key' | string | **Default:** "" |
\ No newline at end of file
+| **admin_SSH_key** | The SSH public key for SSH connections to the instance.
Used when the authentication_type is 'SSH Public Key' | string | **Default:** "" |
+| **tags** | Tags can be associated either globally across all resources or scoped to specific resource types. For example, a global tag can be defined as: {"all": {"example": "example"}}.
Supported resource types for tag assignment include:
`all` (Applies tags universally to all resource instances)
`resource-group`
`network-security-group`
`network-interface`
`public-ip`
`storage-account`
`virtual-machine`
`custom-image`
**Important:** When identical tag keys are defined both globally under `all` and within a specific resource scope, the tag value specified under `all` overrides the resource-specific tag. | map(map(string)) | {} |
\ No newline at end of file
diff --git a/modules/mds_existing_vnet/locals.tf b/modules/mds_existing_vnet/locals.tf
index 20053eb..803352d 100755
--- a/modules/mds_existing_vnet/locals.tf
+++ b/modules/mds_existing_vnet/locals.tf
@@ -1,4 +1,4 @@
locals {
module_name = "mds_terraform_registry"
- module_version = "1.0.5"
+ module_version = "1.0.6"
}
diff --git a/modules/mds_existing_vnet/main.tf b/modules/mds_existing_vnet/main.tf
index c26f8cd..3f54494 100755
--- a/modules/mds_existing_vnet/main.tf
+++ b/modules/mds_existing_vnet/main.tf
@@ -19,6 +19,7 @@ module "common" {
serial_console_password_hash = var.serial_console_password_hash
maintenance_mode_password_hash = var.maintenance_mode_password_hash
storage_account_additional_ips = var.storage_account_additional_ips
+ tags = merge(lookup(var.tags, "resource-group", {}), lookup(var.tags, "all", {}))
}
//********************** Networking **************************//
@@ -39,6 +40,8 @@ resource "azurerm_public_ip" "public-ip" {
lower(var.mds_name),
"-",
random_id.randomId.hex])
+
+ tags = merge(lookup(var.tags, "public-ip", {}), lookup(var.tags, "all", {}))
}
module "network_security_group" {
@@ -145,6 +148,8 @@ module "network_security_group" {
destination_address_prefix = "*"
}
])
+
+ tags = merge(lookup(var.tags, "network-security-group", {}), lookup(var.tags, "all", {}))
}
resource "azurerm_network_interface_security_group_association" "security_group_association" {
@@ -168,6 +173,8 @@ resource "azurerm_network_interface" "nic" {
private_ip_address = var.subnet_1st_Address
public_ip_address_id = azurerm_public_ip.public-ip.id
}
+
+ tags = merge(lookup(var.tags, "network-interface", {}), lookup(var.tags, "all", {}))
}
//********************** Storage accounts **************************//
@@ -196,7 +203,7 @@ resource "azurerm_storage_account" "vm-boot-diagnostics-storage" {
days = "15"
}
}
-
+ tags = merge(lookup(var.tags, "storage-account", {}), lookup(var.tags, "all", {}))
}
//********************** Virtual Machines **************************//
@@ -216,6 +223,8 @@ resource "azurerm_image" "custom-image" {
os_state = "Generalized"
blob_uri = var.source_image_vhd_uri
}
+
+ tags = merge(lookup(var.tags, "custom-image", {}), lookup(var.tags, "all", {}))
}
resource "azurerm_virtual_machine" "mds-vm-instance" {
@@ -304,4 +313,6 @@ resource "azurerm_virtual_machine" "mds-vm-instance" {
managed_disk_type = module.common.storage_account_type
disk_size_gb = module.common.disk_size
}
+
+ tags = merge(lookup(var.tags, "virtual-machine", {}), lookup(var.tags, "all", {}))
}
\ No newline at end of file
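Review bot: The expression `merge(lookup(var.tags, "<scope>", {}), lookup(var.tags, "all", {}))` is repeated verbatim for every tagged resource in this file (resource group, public IP, NSG, NIC, storage account, image, VM), so the precedence rule now lives in seven places. Computing it once in `locals.tf`, e.g. `resource_tags = { for s in ["resource-group", "public-ip", "network-security-group", "network-interface", "storage-account", "virtual-machine", "custom-image"] : s => merge(lookup(var.tags, s, {}), lookup(var.tags, "all", {})) }`, and referencing `local.resource_tags["virtual-machine"]` at each site keeps the rule in one place. The argument order makes the `all` map win over a resource-specific value, which matches the README but is the reverse of what most tagging schemes do; a one-line comment at the merge site, `# global "all" tags intentionally override per-resource tags (see README)`, would stop a future maintainer from "fixing" it.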
diff --git a/modules/mds_existing_vnet/variables.tf b/modules/mds_existing_vnet/variables.tf
index 542e36c..c941149 100755
--- a/modules/mds_existing_vnet/variables.tf
+++ b/modules/mds_existing_vnet/variables.tf
@@ -255,3 +255,9 @@ variable "security_rules" {
type = list(any)
default = []
}
+
+variable "tags" {
+ description = "Assign tags by resource."
+ type = map(map(string))
+ default = {}
+}
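Review bot: The new `tags` variable accepts any outer key, so a misspelled scope such as `"virtual-machines"` is silently ignored and the resource is deployed without the tags the operator believed were applied — a real problem when tags feed Azure Policy, ownership or cost controls. A `validation` block restricting the outer keys to the scopes this module actually reads (the README's list) turns that into a plan-time error. The description is also worth expanding, since `map(map(string))` alone does not tell a caller what the outer key means or that `all` overrides the per-scope values.
```hcl
variable "tags" {
  description = "Tags per resource scope: outer key is one of all, resource-group, network-security-group, network-interface, public-ip, storage-account, virtual-machine, custom-image; inner map is the tag set. Keys under \"all\" override per-scope keys."
  type        = map(map(string))
  default     = {}
  validation {
    condition     = alltrue([for scope in keys(var.tags) : contains(["all", "resource-group", "network-security-group", "network-interface", "public-ip", "storage-account", "virtual-machine", "custom-image"], scope)])
    error_message = "Unsupported tags scope; allowed keys are all, resource-group, network-security-group, network-interface, public-ip, storage-account, virtual-machine, custom-image."
  }
}
```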
diff --git a/modules/mds_new_vnet/README.md b/modules/mds_new_vnet/README.md
index b9fc739..843916c 100755
--- a/modules/mds_new_vnet/README.md
+++ b/modules/mds_new_vnet/README.md
@@ -26,7 +26,7 @@ provider "azurerm" {
module "example_module" {
source = "CheckPointSW/cloudguard-network-security/azure//modules/mds_new_vnet"
- version = "1.0.5"
+ version = "1.0.6"
source_image_vhd_uri = "noCustomUri"
@@ -95,4 +95,5 @@ module "example_module" {
| **add_storage_account_ip_rules** | Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location, if false then accses will be allowed from all networks | boolean | true;
false.
**Default:** false |
| **storage_account_additional_ips** | IPs/CIDRs that are allowed access to the Storage Account | list(string) | A list of valid IPs and CIDRs.
**Default:** [] |
| **security_rules** | Security rules for the Network Security | list(any) | A list of valid security rules values.
A security rule composed of:
{name, priority, direction, access, protocol, source_port_ranges, destination_port_ranges, source_address_prefix, destination_address_prefix, description}.
**Default:** [{"name":"AllowAllInBound", "priority":"100", "direction":"Inbound", "access":"Allow", "protocol":"*", "source_port_ranges":"*", "destination_port_ranges":"", "description":"Allow all inbound connections", "source_address_prefix":"*", "destination_address_prefix":""}] |
-| **admin_SSH_key** | The SSH public key for SSH connections to the instance.
Used when the authentication_type is 'SSH Public Key' | string | **Default:** "" |
\ No newline at end of file
+| **admin_SSH_key** | The SSH public key for SSH connections to the instance.
Used when the authentication_type is 'SSH Public Key' | string | **Default:** "" |
+| **tags** | Tags can be associated either globally across all resources or scoped to specific resource types. For example, a global tag can be defined as: {"all": {"example": "example"}}.
Supported resource types for tag assignment include:
`all` (Applies tags universally to all resource instances)
`resource-group`
`virtual-network`
`network-security-group`
`network-interface`
`public-ip`
`route-table`
`storage-account`
`virtual-machine`
`custom-image`
**Important:** When identical tag keys are defined both globally under `all` and within a specific resource scope, the tag value specified under `all` overrides the resource-specific tag. | map(map(string)) | {} |
\ No newline at end of file
diff --git a/modules/mds_new_vnet/locals.tf b/modules/mds_new_vnet/locals.tf
index 20053eb..803352d 100755
--- a/modules/mds_new_vnet/locals.tf
+++ b/modules/mds_new_vnet/locals.tf
@@ -1,4 +1,4 @@
locals {
module_name = "mds_terraform_registry"
- module_version = "1.0.5"
+ module_version = "1.0.6"
}
diff --git a/modules/mds_new_vnet/main.tf b/modules/mds_new_vnet/main.tf
index 328e806..c9dd7f4 100755
--- a/modules/mds_new_vnet/main.tf
+++ b/modules/mds_new_vnet/main.tf
@@ -19,6 +19,7 @@ module "common" {
serial_console_password_hash = var.serial_console_password_hash
maintenance_mode_password_hash = var.maintenance_mode_password_hash
storage_account_additional_ips = var.storage_account_additional_ips
+ tags = merge(lookup(var.tags, "resource-group", {}), lookup(var.tags, "all", {}))
}
//********************** Networking **************************//
@@ -32,6 +33,7 @@ module "vnet" {
subnet_prefixes = [var.subnet_prefix]
subnet_names = ["${var.mds_name}-subnet"]
nsg_id = var.nsg_id == "" ? module.network_security_group[0].network_security_group_id: var.nsg_id
+ tags = var.tags
}
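Review bot: `module "vnet"` is handed the raw `var.tags` (the nested `map(map(string))`) while every other resource in this file receives a flattened `map(string)` built with `merge(lookup(...), lookup(var.tags, "all", {}))`. That is presumably intentional because the vnet module owns both the virtual network and the route table (the README lists `virtual-network` and `route-table` scopes), but the vnet module is not part of this diff, so I cannot confirm it applies the same `all`-overrides-specific precedence or even declares `tags` with a nested type. Either verify the module merges with the same argument order, or pass the flattened maps explicitly, e.g. `vnet_tags = merge(lookup(var.tags, "virtual-network", {}), lookup(var.tags, "all", {}))`, so the precedence rule is visible at the call site rather than hidden in another module.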
module "network_security_group" {
@@ -138,6 +140,8 @@ module "network_security_group" {
destination_address_prefix = "*"
}
])
+
+ tags = merge(lookup(var.tags, "network-security-group", {}), lookup(var.tags, "all", {}))
}
resource "azurerm_public_ip" "public-ip" {
@@ -151,6 +155,8 @@ resource "azurerm_public_ip" "public-ip" {
lower(var.mds_name),
"-",
random_id.randomId.hex])
+
+ tags = merge(lookup(var.tags, "public-ip", {}), lookup(var.tags, "all", {}))
}
resource "azurerm_network_interface_security_group_association" "security_group_association" {
@@ -174,6 +180,8 @@ resource "azurerm_network_interface" "nic" {
private_ip_address = cidrhost(var.subnet_prefix, 4)
public_ip_address_id = azurerm_public_ip.public-ip.id
}
+
+ tags = merge(lookup(var.tags, "network-interface", {}), lookup(var.tags, "all", {}))
}
//********************** Storage accounts **************************//
@@ -202,7 +210,7 @@ resource "azurerm_storage_account" "vm-boot-diagnostics-storage" {
days = "15"
}
}
-
+ tags = merge(lookup(var.tags, "storage-account", {}), lookup(var.tags, "all", {}))
}
//********************** Virtual Machines **************************//
@@ -222,6 +230,8 @@ resource "azurerm_image" "custom-image" {
os_state = "Generalized"
blob_uri = var.source_image_vhd_uri
}
+
+ tags = merge(lookup(var.tags, "custom-image", {}), lookup(var.tags, "all", {}))
}
resource "azurerm_virtual_machine" "mds-vm-instance" {
@@ -309,4 +319,6 @@ resource "azurerm_virtual_machine" "mds-vm-instance" {
managed_disk_type = module.common.storage_account_type
disk_size_gb = module.common.disk_size
}
+
+ tags = merge(lookup(var.tags, "virtual-machine", {}), lookup(var.tags, "all", {}))
}
diff --git a/modules/mds_new_vnet/variables.tf b/modules/mds_new_vnet/variables.tf
index 29d4afe..d7935d0 100755
--- a/modules/mds_new_vnet/variables.tf
+++ b/modules/mds_new_vnet/variables.tf
@@ -254,3 +254,8 @@ variable "security_rules" {
type = list(any)
default = []
}
+variable "tags" {
+ description = "Assign tags by resource."
+ type = map(map(string))
+ default = {}
+}
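Review bot: `tags` here has no `validation`, so an unrecognised outer key (a typo of `route-table`, say) is silently dropped rather than rejected at plan time and the resource ends up untagged. A condition such as `alltrue([for s in keys(var.tags) : contains(["all", "resource-group", "virtual-network", "network-security-group", "network-interface", "public-ip", "route-table", "storage-account", "virtual-machine", "custom-image"], s)])` with a matching `error_message` closes that gap; the list should mirror the scopes the README documents for this module. The description `"Assign tags by resource."` could also name what the outer key means, since the type alone does not.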
diff --git a/modules/nva_into_existing_hub/README.md b/modules/nva_into_existing_hub/README.md
index 7ac491f..6385b50 100755
--- a/modules/nva_into_existing_hub/README.md
+++ b/modules/nva_into_existing_hub/README.md
@@ -22,7 +22,7 @@ provider "azurerm" {
module "example_module" {
source = "CheckPointSW/cloudguard-network-security/azure//modules/nva_into_existing_hub"
- version = "1.0.5"
+ version = "1.0.6"
authentication_method = "Service Principal"
client_secret = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
@@ -92,7 +92,4 @@ module "example_module" {
| **smart1-cloud-token-c** | Smart-1 Cloud token to connect automatically ***NVA instance c*** to Check Point's Security Management as a Service.
Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal. |
| **smart1-cloud-token-d** | Smart-1 Cloud token to connect automatically ***NVA instance d*** to Check Point's Security Management as a Service.
Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal. |
| **smart1-cloud-token-e** | Smart-1 Cloud token to connect automatically ***NVA instance e*** to Check Point's Security Management as a Service.
Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal. |
-
-
-
-
+| **tags** | Tags can be associated either globally across all resources or scoped to specific resource types. For example, a global tag can be defined as: {"all": {"example": "example"}}.
Supported resource types for tag assignment include:
`all` (Applies tags universally to all resource instances)
`resource-group` (Applies tags to managed application resource group)
`managed-identity` (Applies tags to the managed identity of the managed application)
`managed-application`
`routing-intent`
`network-virtual-appliance`
**Important:** When identical tag keys are defined both globally under `all` and within a specific resource scope, the tag value specified under `all` overrides the resource-specific tag. | map(map(string)) | {} |
\ No newline at end of file
diff --git a/modules/nva_into_existing_hub/main.tf b/modules/nva_into_existing_hub/main.tf
index c0a8dfb..3173004 100755
--- a/modules/nva_into_existing_hub/main.tf
+++ b/modules/nva_into_existing_hub/main.tf
@@ -2,6 +2,7 @@
resource "azurerm_resource_group" "managed-app-rg" {
name = var.resource-group-name
location = var.location
+ tags = merge(lookup(var.tags, "resource-group", {}), lookup(var.tags, "all", {}))
}
data "azurerm_virtual_hub" "vwan-hub" {
@@ -72,7 +73,7 @@ data "http" "accept-marketplace-terms-existing-agreement" {
resource "azurerm_marketplace_agreement" "accept-marketplace-terms" {
count = can(jsondecode(data.http.accept-marketplace-terms-existing-agreement.response_body).id) ? (jsondecode(data.http.accept-marketplace-terms-existing-agreement.response_body).properties.state == "Active" ? 0 : 1) : 1
publisher = "checkpoint"
- offer = "cp-vwan-managed-app"
+ offer = var.plan_product
plan = "vwan-app"
}
@@ -95,6 +96,7 @@ resource "azurerm_user_assigned_identity" "managed_app_identity" {
location = azurerm_resource_group.managed-app-rg.location
name = "managed_app_identity"
resource_group_name = azurerm_resource_group.managed-app-rg.name
+ tags = merge(lookup(var.tags, "managed-identity", {}), lookup(var.tags, "all", {}))
}
resource "azurerm_role_assignment" "reader" {
@@ -140,9 +142,9 @@ resource "azapi_resource" "managed-app" {
kind = "MarketPlace",
plan = {
name = "vwan-app"
- product = "cp-vwan-managed-app"
+ product = var.plan_product
publisher = "checkpoint"
- version = "1.0.22"
+ version = var.plan_version
},
identity = {
type = "UserAssigned"
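Review bot: `product = var.plan_product` and `version = var.plan_version` reference variables that no hunk of this commit declares in `modules/nva_into_existing_hub/variables.tf`; unless they already exist in an unchanged part of that file or elsewhere in the module, `terraform validate` will fail on undeclared variables. Both should carry a documented default pinning the previously hard-coded values (`cp-vwan-managed-app` and `1.0.22`), so that turning the marketplace plan version into an input does not let deployments silently drift to a different image, and the README input table should list them. The `azapi_resource.managed-app` body continues outside this hunk.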
@@ -223,11 +225,18 @@ resource "azapi_resource" "managed-app" {
},
templateName = {
value = "wan_terraform_registry"
+ },
+ tags = {
+ value = {
+ "Microsoft.Network/networkVirtualAppliances" = merge(lookup(var.tags, "network-virtual-appliance", {}), lookup(var.tags, "all", {}))
+ }
}
},
managedResourceGroupId = "/subscriptions/${var.subscription_id}/resourcegroups/${var.nva-rg-name}"
}
}
+
+ tags = merge(lookup(var.tags, "managed-application", {}), lookup(var.tags, "all", {}))
}
//********************** Routing Intent **************************//
@@ -262,6 +271,8 @@ resource "azapi_resource" "routing_intent" {
routingPolicies = local.routing-intent-policies
}
}
+
+ tags = merge(lookup(var.tags, "routing-intent", {}), lookup(var.tags, "all", {}))
}
resource "azapi_update_resource" "update_routing_intent" {
diff --git a/modules/nva_into_existing_hub/variables.tf b/modules/nva_into_existing_hub/variables.tf
index cfc1268..bac2136 100755
--- a/modules/nva_into_existing_hub/variables.tf
+++ b/modules/nva_into_existing_hub/variables.tf
@@ -1,6 +1,6 @@
variable "authentication_method" {
description = "Azure authentication method"
- type = string
+ type = string
validation {
condition = contains(["Azure CLI", "Service Principal"], var.authentication_method)
error_message = "Valid values for authentication_method are 'Azure CLI','Service Principal'"
@@ -9,22 +9,22 @@ variable "authentication_method" {
variable "subscription_id" {
description = "Subscription ID"
- type = string
+ type = string
}
variable "tenant_id" {
description = "Tenant ID"
- type = string
+ type = string
}
variable "client_id" {
description = "Application ID(Client ID)"
- type = string
+ type = string
}
variable "client_secret" {
description = "A secret string that the application uses to prove its identity when requesting a token. Also can be referred to as application password."
- type = string
+ type = string
}
variable "resource-group-name" {
@@ -43,11 +43,11 @@ variable "managed-app-name" {
}
variable "vwan-hub-name" {
- type = string
+ type = string
}
variable "vwan-hub-resource-group" {
- type = string
+ type = string
}
variable "nva-rg-name" {
@@ -62,10 +62,10 @@ variable "nva-name" {
variable "os-version" {
description = "GAIA OS version"
- type = string
- default = "R82"
+ type = string
+ default = "R82"
validation {
- condition = contains(["R8110", "R8120", "R82"], var.os-version)
+ condition = contains(["R8110", "R8120", "R82"], var.os-version)
error_message = "Allowed values for os-version are 'R8110', 'R8120', 'R82'"
}
}
@@ -107,7 +107,7 @@ variable "sic-key" {
default = ""
sensitive = true
validation {
- condition = can(regex("^[a-z0-9A-Z]{8,30}$", var.sic-key))
+ condition = can(regex("^[a-z0-9A-Z]{8,30}$", var.sic-key))
error_message = "Only alphanumeric characters are allowed, and the value must be 8-30 characters long."
}
}
@@ -121,7 +121,7 @@ variable "bgp-asn" {
type = string
default = "64512"
validation {
- condition = tonumber(var.bgp-asn) >= 64512 && tonumber(var.bgp-asn) <= 65534 && !contains([65515, 65520], tonumber(var.bgp-asn))
+ condition = tonumber(var.bgp-asn) >= 64512 && tonumber(var.bgp-asn) <= 65534 && !contains([65515, 65520], tonumber(var.bgp-asn))
error_message = "Only numbers between 64512 to 65534 are allowed excluding 65515, 65520."
}
}
@@ -177,22 +177,28 @@ variable "smart1-cloud-token-e" {
}
variable "existing-public-ip" {
- type = string
- default = ""
+ type = string
+ default = ""
}
variable "new-public-ip" {
- type = string
+ type = string
default = "no"
- validation {
+ validation {
condition = contains(["yes", "no"], var.new-public-ip)
error_message = "Valid options are string('yes' or 'no')"
}
}
-locals{
+locals {
# Validate that new-public-ip is false when existing-public-ip is used
- is_both_params_used = length(var.existing-public-ip) > 0 && var.new-public-ip == "yes"
+ is_both_params_used = length(var.existing-public-ip) > 0 && var.new-public-ip == "yes"
validation_message_both = "Only one parameter of existing-public-ip or new-public-ip can be used"
- _ = regex("^$", (!local.is_both_params_used ? "" : local.validation_message_both))
-}
\ No newline at end of file
+ _ = regex("^$", (!local.is_both_params_used ? "" : local.validation_message_both))
+}
+
+variable "tags" {
+ description = "Assign tags by resource."
+ type = map(map(string))
+ default = {}
+}
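Review bot: This hunk adds the `tags` declaration but not the `plan_product` and `plan_version` declarations that `main.tf` in the same module now references; unless they are declared somewhere not shown in this diff, the module will not validate. The new `tags` variable also lacks a `validation` restricting the outer key to the scopes the README lists (`all`, `resource-group`, `managed-identity`, `managed-application`, `routing-intent`, `network-virtual-appliance`), so a typo silently yields an untagged resource. While the surrounding re-indentation hunks are in view: `client_secret` in this file is still declared without `sensitive = true`, unlike `sic-key`, so the application password is printed in plan output and logs; `sensitive = true` belongs on that variable as well.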
diff --git a/modules/nva_into_new_vwan/README.md b/modules/nva_into_new_vwan/README.md
index 4997749..000b656 100755
--- a/modules/nva_into_new_vwan/README.md
+++ b/modules/nva_into_new_vwan/README.md
@@ -24,7 +24,7 @@ provider "azurerm" {
module "example_module" {
source = "CheckPointSW/cloudguard-network-security/azure//modules/nva_into_new_vwan"
- version = "1.0.5"
+ version = "1.0.6"
authentication_method = "Service Principal"
client_secret = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
@@ -100,3 +100,4 @@ module "example_module" {
| **smart1-cloud-token-e** | Smart-1 Cloud token to connect automatically ***NVA instance e*** to Check Point's Security Management as a Service.
Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal. |
| **existing-public-ip** | Existing public IP reosurce to attach to the newly deployed NVA | string | A resource ID of the public IP resource. |
| **new-public-ip** | Deploy a new public IP resource as part of the managed app and attach to the NVA | string | yes;
no. |
+| **tags** | Tags can be associated either globally across all resources or scoped to specific resource types. For example, a global tag can be defined as: {"all": {"example": "example"}}.
Supported resource types for tag assignment include:
`all` (Applies tags universally to all resource instances)
`resource-group` (Applies tags to managed application resource group)
`virtual-wan`
`virtual-hub`
`managed-identity` (Applies tags to the managed identity of the managed application)
`managed-application`
`routing-intent`
`network-virtual-appliance`
**Important:** When identical tag keys are defined both globally under `all` and within a specific resource scope, the tag value specified under `all` overrides the resource-specific tag. | map(map(string)) | {} |
\ No newline at end of file
diff --git a/modules/nva_into_new_vwan/main.tf b/modules/nva_into_new_vwan/main.tf
index d148e18..70c65cc 100755
--- a/modules/nva_into_new_vwan/main.tf
+++ b/modules/nva_into_new_vwan/main.tf
@@ -2,12 +2,14 @@
resource "azurerm_resource_group" "managed-app-rg" {
name = var.resource-group-name
location = var.location
+ tags = merge(lookup(var.tags, "resource-group", {}), lookup(var.tags, "all", {}))
}
resource "azurerm_virtual_wan" "vwan" {
name = var.vwan-name
resource_group_name = azurerm_resource_group.managed-app-rg.name
location = var.location
+ tags = merge(lookup(var.tags, "virtual-wan", {}), lookup(var.tags, "all", {}))
}
resource "azurerm_virtual_hub" "vwan-hub" {
@@ -16,17 +18,18 @@ resource "azurerm_virtual_hub" "vwan-hub" {
location = azurerm_resource_group.managed-app-rg.location
address_prefix = var.vwan-hub-address-prefix
virtual_wan_id = azurerm_virtual_wan.vwan.id
+ tags = merge(lookup(var.tags, "virtual-hub", {}), lookup(var.tags, "all", {}))
}
//********************** Image Version **************************//
data "external" "az_access_token" {
- count = var.authentication_method == "Azure CLI" ? 1 : 0
+ count = var.authentication_method == "Azure CLI" ? 1 : 0
program = ["az", "account", "get-access-token", "--resource=https://management.azure.com", "--query={accessToken: accessToken}", "--output=json"]
}
data "http" "azure_auth" {
- count = var.authentication_method == "Service Principal" ? 1 : 0
+ count = var.authentication_method == "Service Principal" ? 1 : 0
url = "https://login.microsoftonline.com/${var.tenant_id}/oauth2/v2.0/token"
method = "POST"
request_headers = {
@@ -41,64 +44,64 @@ locals {
data "http" "image-versions" {
method = "GET"
- url = "https://management.azure.com/subscriptions/${var.subscription_id}/providers/Microsoft.Network/networkVirtualApplianceSKUs/checkpoint${var.license-type == "Full Package (NGTX and Smart1-Cloud)" ? "-ngtx" : var.license-type == "Full Package Premium (NGTX and Smart1-Cloud Premium)" ? "-premium" : ""}?api-version=2020-05-01"
+ url = "https://management.azure.com/subscriptions/${var.subscription_id}/providers/Microsoft.Network/networkVirtualApplianceSKUs/checkpoint${var.license-type == "Full Package (NGTX and Smart1-Cloud)" ? "-ngtx" : var.license-type == "Full Package Premium (NGTX and Smart1-Cloud Premium)" ? "-premium" : ""}?api-version=2020-05-01"
request_headers = {
- Accept = "application/json"
+ Accept = "application/json"
"Authorization" = "Bearer ${local.access_token}"
}
}
locals {
- image_versions = tolist([for version in jsondecode(data.http.image-versions.response_body).properties.availableVersions : version if substr(version, 0, 4) == substr(lower(length(var.os-version) > 3 ? var.os-version : "${var.os-version}00"), 1, 4)])
- routing_intent-internet-policy = {
- "name": "InternetTraffic",
- "destinations": [
- "Internet"
- ],
- "nextHop": "/subscriptions/${var.subscription_id}/resourcegroups/${var.nva-rg-name}/providers/Microsoft.Network/networkVirtualAppliances/${var.nva-name}"
- }
- routing_intent-private-policy = {
- "name": "PrivateTrafficPolicy",
- "destinations": [
- "PrivateTraffic"
- ],
- "nextHop": "/subscriptions/${var.subscription_id}/resourcegroups/${var.nva-rg-name}/providers/Microsoft.Network/networkVirtualAppliances/${var.nva-name}"
- }
- routing-intent-policies = var.routing-intent-internet-traffic == "yes" ? (var.routing-intent-private-traffic == "yes" ? tolist([local.routing_intent-internet-policy, local.routing_intent-private-policy]) : tolist([local.routing_intent-internet-policy])) : (var.routing-intent-private-traffic == "yes" ? tolist([local.routing_intent-private-policy]) : [])
- public_ip_resource_group = "/subscriptions/${var.subscription_id}/resourceGroups/${var.new-public-ip == "yes" ? azurerm_resource_group.managed-app-rg.name : var.existing-public-ip != "" ? split("/", var.existing-public-ip)[4] : ""}"
+ image_versions = tolist([for version in jsondecode(data.http.image-versions.response_body).properties.availableVersions : version if substr(version, 0, 4) == substr(lower(length(var.os-version) > 3 ? var.os-version : "${var.os-version}00"), 1, 4)])
+ routing_intent-internet-policy = {
+ "name" : "InternetTraffic",
+ "destinations" : [
+ "Internet"
+ ],
+ "nextHop" : "/subscriptions/${var.subscription_id}/resourcegroups/${var.nva-rg-name}/providers/Microsoft.Network/networkVirtualAppliances/${var.nva-name}"
+ }
+ routing_intent-private-policy = {
+ "name" : "PrivateTrafficPolicy",
+ "destinations" : [
+ "PrivateTraffic"
+ ],
+ "nextHop" : "/subscriptions/${var.subscription_id}/resourcegroups/${var.nva-rg-name}/providers/Microsoft.Network/networkVirtualAppliances/${var.nva-name}"
+ }
+ routing-intent-policies = var.routing-intent-internet-traffic == "yes" ? (var.routing-intent-private-traffic == "yes" ? tolist([local.routing_intent-internet-policy, local.routing_intent-private-policy]) : tolist([local.routing_intent-internet-policy])) : (var.routing-intent-private-traffic == "yes" ? tolist([local.routing_intent-private-policy]) : [])
+ public_ip_resource_group = "/subscriptions/${var.subscription_id}/resourceGroups/${var.new-public-ip == "yes" ? azurerm_resource_group.managed-app-rg.name : var.existing-public-ip != "" ? split("/", var.existing-public-ip)[4] : ""}"
}
//********************** Marketplace Terms & Solution Registration **************************//
data "http" "accept-marketplace-terms-existing-agreement" {
method = "GET"
- url = "https://management.azure.com/subscriptions/${var.subscription_id}/providers/Microsoft.MarketplaceOrdering/agreements/checkpoint/offers/cp-vwan-managed-app/plans/vwan-app?api-version=2021-01-01"
+ url = "https://management.azure.com/subscriptions/${var.subscription_id}/providers/Microsoft.MarketplaceOrdering/agreements/checkpoint/offers/cp-vwan-managed-app/plans/vwan-app?api-version=2021-01-01"
request_headers = {
- Accept = "application/json"
+ Accept = "application/json"
"Authorization" = "Bearer ${local.access_token}"
}
}
resource "azurerm_marketplace_agreement" "accept-marketplace-terms" {
- count = can(jsondecode(data.http.accept-marketplace-terms-existing-agreement.response_body).id) ? (jsondecode(data.http.accept-marketplace-terms-existing-agreement.response_body).properties.state == "Active" ? 0 : 1) : 1
+ count = can(jsondecode(data.http.accept-marketplace-terms-existing-agreement.response_body).id) ? (jsondecode(data.http.accept-marketplace-terms-existing-agreement.response_body).properties.state == "Active" ? 0 : 1) : 1
publisher = "checkpoint"
- offer = "cp-vwan-managed-app"
+ offer = var.plan_product
plan = "vwan-app"
}
data "http" "azurerm_resource_provider_registration-exist" {
method = "GET"
- url = "https://management.azure.com/subscriptions/${var.subscription_id}/providers/Microsoft.Solutions?api-version=2021-01-01"
+ url = "https://management.azure.com/subscriptions/${var.subscription_id}/providers/Microsoft.Solutions?api-version=2021-01-01"
request_headers = {
- Accept = "application/json"
+ Accept = "application/json"
"Authorization" = "Bearer ${local.access_token}"
}
}
resource "azurerm_resource_provider_registration" "solutions" {
count = jsondecode(data.http.azurerm_resource_provider_registration-exist.response_body).registrationState == "Registered" ? 0 : 1
- name = "Microsoft.Solutions"
+ name = "Microsoft.Solutions"
}
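Review bot: The marketplace-agreement existence check still queries the hard-coded `offers/cp-vwan-managed-app` while `azurerm_marketplace_agreement.accept-marketplace-terms` a few lines below now accepts terms for `var.plan_product`; if a caller sets a different product, the `count` is computed from the wrong offer and terms are either accepted twice or not at all. Use the same variable in the URL: `url = "https://management.azure.com/subscriptions/${var.subscription_id}/providers/Microsoft.MarketplaceOrdering/agreements/checkpoint/offers/${var.plan_product}/plans/vwan-app?api-version=2021-01-01"`. The `nva_into_existing_hub` module makes the same `offer = var.plan_product` change and most likely has the same data source, which is outside its hunk here, so it should get the same fix.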
//********************** Managed Identity **************************//
@@ -106,10 +109,11 @@ resource "azurerm_user_assigned_identity" "managed_app_identity" {
location = azurerm_resource_group.managed-app-rg.location
name = "managed_app_identity"
resource_group_name = azurerm_resource_group.managed-app-rg.name
+ tags = merge(lookup(var.tags, "managed-identity", {}), lookup(var.tags, "all", {}))
}
resource "azurerm_role_assignment" "reader" {
- depends_on = [azurerm_user_assigned_identity.managed_app_identity]
+ depends_on = [azurerm_user_assigned_identity.managed_app_identity]
scope = azurerm_virtual_hub.vwan-hub.id
role_definition_name = "Reader"
principal_id = azurerm_user_assigned_identity.managed_app_identity.principal_id
@@ -123,9 +127,9 @@ resource "random_id" "randomId" {
}
resource "azurerm_role_definition" "public-ip-join-role" {
- count = var.new-public-ip == "yes" || length(var.existing-public-ip) > 0 ? 1 : 0
- name = "Managed Application Public IP Join Role - ${random_id.randomId.hex}"
- scope = local.public_ip_resource_group
+ count = var.new-public-ip == "yes" || length(var.existing-public-ip) > 0 ? 1 : 0
+ name = "Managed Application Public IP Join Role - ${random_id.randomId.hex}"
+ scope = local.public_ip_resource_group
permissions {
actions = ["Microsoft.Network/publicIPAddresses/join/action"]
not_actions = []
@@ -134,8 +138,8 @@ resource "azurerm_role_definition" "public-ip-join-role" {
}
resource "azurerm_role_assignment" "public-ip-join-role-assignment" {
- count = var.new-public-ip == "yes" || length(var.existing-public-ip) > 0 ? 1 : 0
- scope = local.public_ip_resource_group
+ count = var.new-public-ip == "yes" || length(var.existing-public-ip) > 0 ? 1 : 0
+ scope = local.public_ip_resource_group
role_definition_id = azurerm_role_definition.public-ip-join-role[0].role_definition_resource_id
principal_id = azurerm_user_assigned_identity.managed_app_identity.principal_id
}
@@ -143,117 +147,126 @@ resource "azurerm_role_assignment" "public-ip-join-role-assignment" {
//********************** Managed Application Configuration **************************//
resource "azapi_resource" "managed-app" {
depends_on = [azurerm_marketplace_agreement.accept-marketplace-terms, azurerm_resource_provider_registration.solutions]
- type = "Microsoft.Solutions/applications@2019-07-01"
- name = var.managed-app-name
- location = azurerm_resource_group.managed-app-rg.location
- parent_id = azurerm_resource_group.managed-app-rg.id
+ type = "Microsoft.Solutions/applications@2019-07-01"
+ name = var.managed-app-name
+ location = azurerm_resource_group.managed-app-rg.location
+ parent_id = azurerm_resource_group.managed-app-rg.id
body = {
- kind = "MarketPlace",
- plan = {
- name = "vwan-app"
- product = "cp-vwan-managed-app"
- publisher = "checkpoint"
- version = "1.0.22"
- },
- identity = {
- type = "UserAssigned"
- userAssignedIdentities = {
+ kind = "MarketPlace",
+ plan = {
+ name = "vwan-app"
+ product = var.plan_product
+ publisher = "checkpoint"
+ version = var.plan_version
+ },
+ identity = {
+ type = "UserAssigned"
+ userAssignedIdentities = {
(azurerm_user_assigned_identity.managed_app_identity.id) = {}
}
- },
- properties = {
- parameters = {
- location = {
- value = azurerm_resource_group.managed-app-rg.location
- },
- hubId = {
- value = azurerm_virtual_hub.vwan-hub.id
- },
- osVersion = {
- value = var.os-version
- },
- LicenseType = {
- value = var.license-type
- },
- imageVersion = {
- value = element(local.image_versions, length(local.image_versions) -1)
- },
- scaleUnit = {
- value = var.scale-unit
- },
- bootstrapScript = {
- value = var.bootstrap-script
- },
- adminShell = {
- value = var.admin-shell
- },
- sicKey = {
- value = var.sic-key
- },
- sshPublicKey = {
- value = var.admin_SSH_key
- },
- BGP = {
- value = var.bgp-asn
- },
- NVA = {
- value = var.nva-name
- },
- customMetrics = {
- value = var.custom-metrics
- },
- hubASN = {
- value = azurerm_virtual_hub.vwan-hub.virtual_router_asn
- },
- hubPeers = {
- value = azurerm_virtual_hub.vwan-hub.virtual_router_ips
- },
- smart1CloudTokenA = {
- value = var.smart1-cloud-token-a
- },
- smart1CloudTokenB = {
- value = var.smart1-cloud-token-b
- },
- smart1CloudTokenC = {
- value = var.smart1-cloud-token-c
- },
- smart1CloudTokenD = {
- value = var.smart1-cloud-token-d
- },
- smart1CloudTokenE = {
- value = var.smart1-cloud-token-e
- },
- publicIPIngress = {
- value = (var.new-public-ip == "yes" || length(var.existing-public-ip) > 0) ? "yes" : "no"
- },
- createNewIPIngress = {
- value = var.new-public-ip
- },
- ipIngressExistingResourceId = {
- value = var.existing-public-ip
- },
- templateName = {
- value = "wan_terraform_registry"
- }
- },
- managedResourceGroupId = "/subscriptions/${var.subscription_id}/resourcegroups/${var.nva-rg-name}"
- }
+ },
+ properties = {
+ parameters = {
+ location = {
+ value = azurerm_resource_group.managed-app-rg.location
+ },
+ hubId = {
+ value = azurerm_virtual_hub.vwan-hub.id
+ },
+ osVersion = {
+ value = var.os-version
+ },
+ LicenseType = {
+ value = var.license-type
+ },
+ imageVersion = {
+ value = element(local.image_versions, length(local.image_versions) - 1)
+ },
+ scaleUnit = {
+ value = var.scale-unit
+ },
+ bootstrapScript = {
+ value = var.bootstrap-script
+ },
+ adminShell = {
+ value = var.admin-shell
+ },
+ sicKey = {
+ value = var.sic-key
+ },
+ sshPublicKey = {
+ value = var.admin_SSH_key
+ },
+ BGP = {
+ value = var.bgp-asn
+ },
+ NVA = {
+ value = var.nva-name
+ },
+ customMetrics = {
+ value = var.custom-metrics
+ },
+ hubASN = {
+ value = azurerm_virtual_hub.vwan-hub.virtual_router_asn
+ },
+ hubPeers = {
+ value = azurerm_virtual_hub.vwan-hub.virtual_router_ips
+ },
+ smart1CloudTokenA = {
+ value = var.smart1-cloud-token-a
+ },
+ smart1CloudTokenB = {
+ value = var.smart1-cloud-token-b
+ },
+ smart1CloudTokenC = {
+ value = var.smart1-cloud-token-c
+ },
+ smart1CloudTokenD = {
+ value = var.smart1-cloud-token-d
+ },
+ smart1CloudTokenE = {
+ value = var.smart1-cloud-token-e
+ },
+ publicIPIngress = {
+ value = (var.new-public-ip == "yes" || length(var.existing-public-ip) > 0) ? "yes" : "no"
+ },
+ createNewIPIngress = {
+ value = var.new-public-ip
+ },
+ ipIngressExistingResourceId = {
+ value = var.existing-public-ip
+ },
+ templateName = {
+ value = "wan_terraform_registry"
+ },
+ tags = {
+ value = {
+ "Microsoft.Network/networkVirtualAppliances" = merge(lookup(var.tags, "network-virtual-appliance", {}), lookup(var.tags, "all", {}))
+ }
+ }
+ },
+ managedResourceGroupId = "/subscriptions/${var.subscription_id}/resourcegroups/${var.nva-rg-name}"
+ }
}
+
+ tags = merge(lookup(var.tags, "managed-application", {}), lookup(var.tags, "all", {}))
}
//********************** Routing Intent **************************//
resource "azapi_resource" "routing_intent" {
- count = length(local.routing-intent-policies) != 0 ? 1 : 0
+ count = length(local.routing-intent-policies) != 0 ? 1 : 0
depends_on = [azapi_resource.managed-app]
- type = "Microsoft.Network/virtualHubs/routingIntent@2024-05-01"
- name = "hubRoutingIntent"
- parent_id = azurerm_virtual_hub.vwan-hub.id
+ type = "Microsoft.Network/virtualHubs/routingIntent@2024-05-01"
+ name = "hubRoutingIntent"
+ parent_id = azurerm_virtual_hub.vwan-hub.id
body = {
properties = {
routingPolicies = local.routing-intent-policies
}
}
-}
\ No newline at end of file
+
+ tags = merge(lookup(var.tags, "routing-intent", {}), lookup(var.tags, "all", {}))
+}
diff --git a/modules/nva_into_new_vwan/variables.tf b/modules/nva_into_new_vwan/variables.tf
index 2759e3f..1cfb03e 100755
--- a/modules/nva_into_new_vwan/variables.tf
+++ b/modules/nva_into_new_vwan/variables.tf
@@ -1,6 +1,6 @@
variable "authentication_method" {
description = "Azure authentication method"
- type = string
+ type = string
validation {
condition = contains(["Azure CLI", "Service Principal"], var.authentication_method)
error_message = "Valid values for authentication_method are 'Azure CLI','Service Principal'"
@@ -9,22 +9,22 @@ variable "authentication_method" {
variable "subscription_id" {
description = "Subscription ID"
- type = string
+ type = string
}
variable "tenant_id" {
description = "Tenant ID"
- type = string
+ type = string
}
variable "client_id" {
description = "Application ID(Client ID)"
- type = string
+ type = string
}
variable "client_secret" {
description = "A secret string that the application uses to prove its identity when requesting a token. Also can be referred to as application password."
- type = string
+ type = string
}
variable "resource-group-name" {
@@ -73,10 +73,10 @@ variable "nva-name" {
variable "os-version" {
description = "GAIA OS version"
- type = string
- default = "R82"
+ type = string
+ default = "R82"
validation {
- condition = contains(["R8110", "R8120", "R82"], var.os-version)
+ condition = contains(["R8110", "R8120", "R82"], var.os-version)
error_message = "Allowed values for os-version are 'R8110', 'R8120', 'R82'"
}
}
@@ -118,7 +118,7 @@ variable "sic-key" {
default = ""
sensitive = true
validation {
- condition = can(regex("^[a-z0-9A-Z]{8,30}$", var.sic-key))
+ condition = can(regex("^[a-z0-9A-Z]{8,30}$", var.sic-key))
error_message = "Only alphanumeric characters are allowed, and the value must be 8-30 characters long."
}
}
@@ -132,7 +132,7 @@ variable "bgp-asn" {
type = string
default = "64512"
validation {
- condition = tonumber(var.bgp-asn) >= 64512 && tonumber(var.bgp-asn) <= 65534 && !contains([65515, 65520], tonumber(var.bgp-asn))
+ condition = tonumber(var.bgp-asn) >= 64512 && tonumber(var.bgp-asn) <= 65534 && !contains([65515, 65520], tonumber(var.bgp-asn))
error_message = "Only numbers between 64512 to 65534 are allowed excluding 65515, 65520."
}
}
@@ -188,22 +188,28 @@ variable "smart1-cloud-token-e" {
}
variable "existing-public-ip" {
- type = string
- default = ""
+ type = string
+ default = ""
}
variable "new-public-ip" {
- type = string
+ type = string
default = "no"
- validation {
+ validation {
condition = contains(["yes", "no"], var.new-public-ip)
error_message = "Valid options are string('yes' or 'no')"
}
}
-locals{
+locals {
# Validate that new-public-ip is false when existing-public-ip is used
- is_both_params_used = length(var.existing-public-ip) > 0 && var.new-public-ip == "yes"
+ is_both_params_used = length(var.existing-public-ip) > 0 && var.new-public-ip == "yes"
validation_message_both = "Only one parameter of existing-public-ip or new-public-ip can be used"
- _ = regex("^$", (!local.is_both_params_used ? "" : local.validation_message_both))
-}
\ No newline at end of file
+ _ = regex("^$", (!local.is_both_params_used ? "" : local.validation_message_both))
+}
+
+variable "tags" {
+ description = "Assign tags by resource."
+ type = map(map(string))
+ default = {}
+}
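Review bot: The new `tags` variable accepts any scope key, but every consumer reads it with `lookup(var.tags, "<scope>", {})`, so a misspelled key (say `managed-app` for `managed-application`) is silently ignored instead of rejected, and the one-line description "Assign tags by resource." tells the caller neither which keys exist nor that `all` is merged last and wins on a key collision. Consider a `validation` block of the form `condition = alltrue([for k in keys(var.tags) : contains([...], k)])` listing the keys this module actually reads, and a description naming them (from the main.tf hunk above at least `managed-application`, `routing-intent` and `network-virtual-appliance`, plus `all`) and stating the override order. The identical definition is repeated in the variables.tf hunks of single_gateway_existing_vnet, single_gateway_new_vnet, vmss_existing_vnet and vmss_new_vnet, where the same applies with each module's own key list.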
diff --git a/modules/single_gateway_existing_vnet/README.md b/modules/single_gateway_existing_vnet/README.md
index 64ba5e6..fb56ba7 100755
--- a/modules/single_gateway_existing_vnet/README.md
+++ b/modules/single_gateway_existing_vnet/README.md
@@ -23,7 +23,7 @@ provider "azurerm" {
module "example_module" {
source = "CheckPointSW/cloudguard-network-security/azure//modules/single_gateway_existing_vnet"
- version = "1.0.5"
+ version = "1.0.6"
source_image_vhd_uri = "noCustomUri"
resource_group_name = "checkpoint-single-gw-terraform"
@@ -99,4 +99,5 @@ module "example_module" {
| **maintenance_mode_password_hash** | Maintenance mode password hash, relevant only for R81.20 and higher versions, to generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here | string | |
| **nsg_id** | Optional ID for a Network Security Group that already exists in Azure, if not provided, will create a default NSG | string | Existing NSG resource ID.
**Default:** "" |
| **add_storage_account_ip_rules** | Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location, if false then accses will be allowed from all networks | boolean | true;
false.
**Default:** false |
-| **storage_account_additional_ips** | IPs/CIDRs that are allowed access to the Storage Account | list(string) | A list of valid IPs and CIDRs.
**Default:** [] |
\ No newline at end of file
+| **storage_account_additional_ips** | IPs/CIDRs that are allowed access to the Storage Account | list(string) | A list of valid IPs and CIDRs.
**Default:** [] |
+| **tags** | Tags can be associated either globally across all resources or scoped to specific resource types. For example, a global tag can be defined as: {"all": {"example": "example"}}.
Supported resource types for tag assignment include:
`all` (Applies tags universally to all resource instances)
`resource-group`
`network-security-group`
`network-interface`
`public-ip`
`storage-account`
`virtual-machine`
`custom-image`
**Important:** When identical tag keys are defined both globally under `all` and within a specific resource scope, the tag value specified under `all` overrides the resource-specific tag. | map(map(string)) | {} |
\ No newline at end of file
diff --git a/modules/single_gateway_existing_vnet/locals.tf b/modules/single_gateway_existing_vnet/locals.tf
index f9af94a..57ecef8 100755
--- a/modules/single_gateway_existing_vnet/locals.tf
+++ b/modules/single_gateway_existing_vnet/locals.tf
@@ -1,4 +1,4 @@
locals {
module_name = "single_terraform_registry"
- module_version = "1.0.5"
+ module_version = "1.0.6"
}
diff --git a/modules/single_gateway_existing_vnet/main.tf b/modules/single_gateway_existing_vnet/main.tf
index 9891a59..8ec47c1 100755
--- a/modules/single_gateway_existing_vnet/main.tf
+++ b/modules/single_gateway_existing_vnet/main.tf
@@ -19,6 +19,7 @@ module "common" {
serial_console_password_hash = var.serial_console_password_hash
maintenance_mode_password_hash = var.maintenance_mode_password_hash
storage_account_additional_ips = var.storage_account_additional_ips
+ tags = merge(lookup(var.tags, "resource-group", {}), lookup(var.tags, "all", {}))
}
//********************** Networking **************************//
@@ -45,6 +46,8 @@ resource "azurerm_public_ip" "public-ip" {
lower(var.single_gateway_name),
"-",
random_id.randomId.hex])
+
+ tags = merge(lookup(var.tags, "public-ip", {}), lookup(var.tags, "all", {}))
}
module "network_security_group" {
@@ -54,6 +57,7 @@ module "network_security_group" {
security_group_name = "${module.common.resource_group_name}-nsg"
location = module.common.resource_group_location
security_rules = var.security_rules
+ tags = merge(lookup(var.tags, "network-security-group", {}), lookup(var.tags, "all", {}))
}
resource "azurerm_network_interface_security_group_association" "security_group_association" {
@@ -79,6 +83,8 @@ resource "azurerm_network_interface" "nic" {
private_ip_address = var.subnet_frontend_1st_Address
public_ip_address_id = azurerm_public_ip.public-ip.id
}
+
+ tags = merge(lookup(var.tags, "network-interface", {}), lookup(var.tags, "all", {}))
}
resource "azurerm_network_interface" "nic1" {
@@ -96,6 +102,8 @@ resource "azurerm_network_interface" "nic1" {
private_ip_address_allocation = var.vnet_allocation_method
private_ip_address = var.subnet_backend_1st_Address
}
+
+ tags = merge(lookup(var.tags, "network-interface", {}), lookup(var.tags, "all", {}))
}
//********************** Storage accounts **************************//
@@ -125,6 +133,7 @@ resource "azurerm_storage_account" "vm-boot-diagnostics-storage" {
}
}
+ tags = merge(lookup(var.tags, "storage-account", {}), lookup(var.tags, "all", {}))
}
//********************** Virtual Machines **************************//
@@ -144,6 +153,8 @@ resource "azurerm_image" "custom-image" {
os_state = "Generalized"
blob_uri = var.source_image_vhd_uri
}
+
+ tags = merge(lookup(var.tags, "custom-image", {}), lookup(var.tags, "all", {}))
}
resource "azurerm_virtual_machine" "single-gateway-vm-instance" {
@@ -232,4 +243,6 @@ resource "azurerm_virtual_machine" "single-gateway-vm-instance" {
managed_disk_type = module.common.storage_account_type
disk_size_gb = module.common.disk_size
}
+
+ tags = merge(lookup(var.tags, "virtual-machine", {}), lookup(var.tags, "all", {}))
}
diff --git a/modules/single_gateway_existing_vnet/variables.tf b/modules/single_gateway_existing_vnet/variables.tf
index 1c2f588..b7a92ef 100755
--- a/modules/single_gateway_existing_vnet/variables.tf
+++ b/modules/single_gateway_existing_vnet/variables.tf
@@ -269,3 +269,9 @@ variable "security_rules" {
}
]
}
+
+variable "tags" {
+ description = "Assign tags by resource."
+ type = map(map(string))
+ default = {}
+}
diff --git a/modules/single_gateway_new_vnet/README.md b/modules/single_gateway_new_vnet/README.md
index bc34f48..e385934 100755
--- a/modules/single_gateway_new_vnet/README.md
+++ b/modules/single_gateway_new_vnet/README.md
@@ -25,7 +25,7 @@ provider "azurerm" {
module "example_module" {
source = "CheckPointSW/cloudguard-network-security/azure//modules/single_gateway_new_vnet"
- version = "1.0.5"
+ version = "1.0.6"
source_image_vhd_uri = "noCustomUri"
resource_group_name = "checkpoint-single-gw-terraform"
@@ -99,3 +99,4 @@ module "example_module" {
| **security_rules** | SSecurity rules for the Network Security | list(any) | A security rule composed of: {name, priority, direction, access, protocol, source_port_ranges, destination_port_ranges, source_address_prefix, destination_address_prefix, description}
**Default:** [] |
| **admin_SSH_key** | The SSH public key for SSH connections to the instance. Used when the authentication_type is 'SSH Public Key' | string | **Default:** "" |
| **is_blink** | Define if blink image is used for deployment | boolean | true;
false;
**Default:** true |
+| **tags** | Tags can be associated either globally across all resources or scoped to specific resource types. For example, a global tag can be defined as: {"all": {"example": "example"}}.
Supported resource types for tag assignment include:
`all` (Applies tags universally to all resource instances)
`resource-group`
`virtual-network`
`network-security-group`
`network-interface`
`public-ip`
`route-table`
`storage-account`
`virtual-machine`
`custom-image`
**Important:** When identical tag keys are defined both globally under `all` and within a specific resource scope, the tag value specified under `all` overrides the resource-specific tag. | map(map(string)) | {} |
\ No newline at end of file
diff --git a/modules/single_gateway_new_vnet/locals.tf b/modules/single_gateway_new_vnet/locals.tf
index f9af94a..57ecef8 100755
--- a/modules/single_gateway_new_vnet/locals.tf
+++ b/modules/single_gateway_new_vnet/locals.tf
@@ -1,4 +1,4 @@
locals {
module_name = "single_terraform_registry"
- module_version = "1.0.5"
+ module_version = "1.0.6"
}
diff --git a/modules/single_gateway_new_vnet/main.tf b/modules/single_gateway_new_vnet/main.tf
index cdb1506..6edf9f4 100755
--- a/modules/single_gateway_new_vnet/main.tf
+++ b/modules/single_gateway_new_vnet/main.tf
@@ -19,6 +19,7 @@ module "common" {
serial_console_password_hash = var.serial_console_password_hash
maintenance_mode_password_hash = var.maintenance_mode_password_hash
storage_account_additional_ips = var.storage_account_additional_ips
+ tags = merge(lookup(var.tags, "resource-group", {}), lookup(var.tags, "all", {}))
}
//********************** Networking **************************//
@@ -31,7 +32,8 @@ module "vnet" {
address_space = var.address_space
subnet_prefixes = [var.frontend_subnet_prefix, var.backend_subnet_prefix]
subnet_names = ["${var.single_gateway_name}-frontend-subnet", "${var.single_gateway_name}-backend-subnet"]
- nsg_id = var.nsg_id == "" ? module.network_security_group[0].network_security_group_id: var.nsg_id
+ nsg_id = var.nsg_id == "" ? module.network_security_group[0].network_security_group_id : var.nsg_id
+ tags = var.tags
}
module "network_security_group" {
@@ -41,6 +43,7 @@ module "network_security_group" {
security_group_name = "${module.common.resource_group_name}-nsg"
location = module.common.resource_group_location
security_rules = var.security_rules
+ tags = merge(lookup(var.tags, "network-security-group", {}), lookup(var.tags, "all", {}))
}
resource "azurerm_public_ip" "public-ip" {
@@ -54,6 +57,8 @@ resource "azurerm_public_ip" "public-ip" {
lower(var.single_gateway_name),
"-",
random_id.randomId.hex])
+
+ tags = merge(lookup(var.tags, "public-ip", {}), lookup(var.tags, "all", {}))
}
resource "azurerm_network_interface_security_group_association" "security_group_association" {
@@ -79,6 +84,8 @@ resource "azurerm_network_interface" "nic" {
private_ip_address = cidrhost(var.frontend_subnet_prefix, 4)
public_ip_address_id = azurerm_public_ip.public-ip.id
}
+
+ tags = merge(lookup(var.tags, "network-interface", {}), lookup(var.tags, "all", {}))
}
resource "azurerm_network_interface" "nic1" {
@@ -96,6 +103,8 @@ resource "azurerm_network_interface" "nic1" {
private_ip_address_allocation = var.vnet_allocation_method
private_ip_address = cidrhost(var.backend_subnet_prefix, 4)
}
+
+ tags = merge(lookup(var.tags, "network-interface", {}), lookup(var.tags, "all", {}))
}
//********************** Storage accounts **************************//
@@ -125,6 +134,7 @@ resource "azurerm_storage_account" "vm-boot-diagnostics-storage" {
}
}
+ tags = merge(lookup(var.tags, "storage-account", {}), lookup(var.tags, "all", {}))
}
//********************** Virtual Machines **************************//
@@ -144,6 +154,8 @@ resource "azurerm_image" "custom-image" {
os_state = "Generalized"
blob_uri = var.source_image_vhd_uri
}
+
+ tags = merge(lookup(var.tags, "custom-image", {}), lookup(var.tags, "all", {}))
}
resource "azurerm_virtual_machine" "single-gateway-vm-instance" {
@@ -231,4 +243,6 @@ resource "azurerm_virtual_machine" "single-gateway-vm-instance" {
managed_disk_type = module.common.storage_account_type
disk_size_gb = module.common.disk_size
}
+
+ tags = merge(lookup(var.tags, "virtual-machine", {}), lookup(var.tags, "all", {}))
}
diff --git a/modules/single_gateway_new_vnet/variables.tf b/modules/single_gateway_new_vnet/variables.tf
index 00c725d..2430f01 100755
--- a/modules/single_gateway_new_vnet/variables.tf
+++ b/modules/single_gateway_new_vnet/variables.tf
@@ -268,4 +268,10 @@ variable "admin_SSH_key" {
type = string
description = "(Optional) TheUsed when the authentication_type is 'SSH Public Key'. The SSH public key for SSH authentication to the template instances."
default = ""
-}
\ No newline at end of file
+}
+
+variable "tags" {
+ description = "Assign tags by resource."
+ type = map(map(string))
+ default = {}
+}
diff --git a/modules/vmss_existing_vnet/README.md b/modules/vmss_existing_vnet/README.md
index 68f9a53..f2da9da 100755
--- a/modules/vmss_existing_vnet/README.md
+++ b/modules/vmss_existing_vnet/README.md
@@ -24,7 +24,7 @@ provider "azurerm" {
module "example_module" {
source = "CheckPointSW/cloudguard-network-security/azure//modules/vmss_existing_vnet"
- version = "1.0.5"
+ version = "1.0.6"
subscription_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
source_image_vhd_uri = "noCustomUri"
@@ -144,4 +144,5 @@ module "example_module" {
| **add_storage_account_ip_rules** | Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location, if false then accses will be allowed from all networks | boolean | true;
false.
**Default:** false |
| **storage_account_additional_ips** | IPs/CIDRs that are allowed access to the Storage Account | list(string) | A list of valid IPs and CIDRs.
**Default:** [] |
| **security_rules** | Security rules for the Network Security | list(any) | A list of valid security rules values.
A security rule composed of:
{name, priority, direction, access, protocol, source_port_ranges, destination_port_ranges, source_address_prefix, destination_address_prefix, description}.
**Default:** [{"name":"AllowAllInBound", "priority":"100", "direction":"Inbound", "access":"Allow", "protocol":"*", "source_port_ranges":"*", "destination_port_ranges":"", "description":"Allow all inbound connections", "source_address_prefix":"*", "destination_address_prefix":""}] |
-| **admin_SSH_key** | The SSH public key for SSH connections to the instance.
Used when the authentication_type is 'SSH Public Key' | string | **Default:** "" |
\ No newline at end of file
+| **admin_SSH_key** | The SSH public key for SSH connections to the instance.
Used when the authentication_type is 'SSH Public Key' | string | **Default:** "" |
+| **tags** | Tags can be associated either globally across all resources or scoped to specific resource types. For example, a global tag can be defined as: {"all": {"example": "example"}}.
Supported resource types for tag assignment include:
`all` (Applies tags universally to all resource instances)
`resource-group`
`network-security-group`
`network-interface`
`public-ip`
`public-ip-prefix`
`load-balancer`
`storage-account`
`virtual-machine-scale-set`
`custom-image`
`autoscale-setting`
**Important:** When identical tag keys are defined both globally under `all` and within a specific resource scope, the tag value specified under `all` overrides the resource-specific tag. | map(map(string)) | {} |
\ No newline at end of file
diff --git a/modules/vmss_existing_vnet/locals.tf b/modules/vmss_existing_vnet/locals.tf
index 302d292..f55ca15 100755
--- a/modules/vmss_existing_vnet/locals.tf
+++ b/modules/vmss_existing_vnet/locals.tf
@@ -1,6 +1,6 @@
locals {
module_name = "vmss_terraform_registry"
- module_version = "1.0.5"
+ module_version = "1.0.6"
// Validate that the minimum number of VM instances is at least 0.
// If not, return an error message.
@@ -17,4 +17,23 @@ locals {
// Validate the number of VM instances against the minimum requirement.
// If the number of instances is less than the minimum, return an error message.
validate_number_of_vm_instances = local.number_of_vm_instances >= var.minimum_number_of_vm_instances? 0 : index("error: The number of VM instances must be at least ${var.minimum_number_of_vm_instances}.")
+
+ vmss_tags = var.management_interface == "eth0" ? {
+ x-chkp-management = var.management_name,
+ x-chkp-template = var.configuration_template_name,
+ x-chkp-ip-address = local.management_ip_address_type,
+ x-chkp-management-interface = local.management_interface_name,
+ x-chkp-management-address = var.management_IP,
+ x-chkp-topology = "eth0:external,eth1:internal",
+ x-chkp-anti-spoofing = "eth0:false,eth1:false",
+ x-chkp-srcImageUri = var.source_image_vhd_uri
+ } : {
+ x-chkp-management = var.management_name,
+ x-chkp-template = var.configuration_template_name,
+ x-chkp-ip-address = local.management_ip_address_type,
+ x-chkp-management-interface = local.management_interface_name,
+ x-chkp-topology = "eth0:external,eth1:internal",
+ x-chkp-anti-spoofing = "eth0:false,eth1:false",
+ x-chkp-srcImageUri = var.source_image_vhd_uri
+ }
}
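Review bot: The two arms of the `vmss_tags` conditional repeat seven identical `x-chkp-*` entries and differ only in `x-chkp-management-address`, so the next tag added to one arm will drift from the other; building a base map once and merging the single conditional key keeps the result identical. The same duplication is in the modules/vmss_new_vnet/locals.tf hunk. Verify with `terraform validate` that the two conditional arms unify as maps in the Terraform version this repo pins.

```hcl
  vmss_tags = merge(
    {
      x-chkp-management           = var.management_name,
      x-chkp-template             = var.configuration_template_name,
      x-chkp-ip-address           = local.management_ip_address_type,
      x-chkp-management-interface = local.management_interface_name,
      x-chkp-topology             = "eth0:external,eth1:internal",
      x-chkp-anti-spoofing        = "eth0:false,eth1:false",
      x-chkp-srcImageUri          = var.source_image_vhd_uri
    },
    # only the eth0 management variant carries the management address
    var.management_interface == "eth0" ? tomap({ x-chkp-management-address = var.management_IP }) : tomap({})
  )
```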
diff --git a/modules/vmss_existing_vnet/main.tf b/modules/vmss_existing_vnet/main.tf
index 14dac00..1d28cdb 100755
--- a/modules/vmss_existing_vnet/main.tf
+++ b/modules/vmss_existing_vnet/main.tf
@@ -19,6 +19,7 @@ module "common" {
serial_console_password_hash = var.serial_console_password_hash
maintenance_mode_password_hash = var.maintenance_mode_password_hash
storage_account_additional_ips = var.storage_account_additional_ips
+ tags = merge(lookup(var.tags, "resource-group", {}), lookup(var.tags, "all", {}), local.vmss_tags)
}
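Review bot: In this `module "common"` call `local.vmss_tags` is merged into the resource-group tags, which stamps the `x-chkp-*` control tags (management name, management address, source image URI) onto the resource group; before this commit those tags existed only on the scale set, and the parallel hunk in modules/vmss_new_vnet/main.tf passes only the `resource-group` and `all` scopes. Unless the resource group is deliberately meant to carry autoprovision metadata, this looks like an unintended copy and should read `tags = merge(lookup(var.tags, "resource-group", {}), lookup(var.tags, "all", {}))`.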
//********************** Networking **************************//
@@ -42,6 +43,7 @@ module "network_security_group" {
security_group_name = "${module.common.resource_group_name}_nsg"
location = module.common.resource_group_location
security_rules = var.security_rules
+ tags = merge(lookup(var.tags, "network-security-group", {}), lookup(var.tags, "all", {}))
}
//********************** Load Balancers **************************//
@@ -58,6 +60,7 @@ resource "azurerm_public_ip_prefix" "public_ip_prefix" {
location = module.common.resource_group_location
resource_group_name = module.common.resource_group_name
prefix_length = 30
+ tags = merge(lookup(var.tags, "public-ip-prefix", {}), lookup(var.tags, "all", {}))
}
resource "azurerm_public_ip" "public-ip-lb" {
@@ -69,6 +72,7 @@ resource "azurerm_public_ip" "public-ip-lb" {
sku = var.sku
domain_name_label = "${lower(var.vmss_name)}-${random_id.random_id.hex}"
public_ip_prefix_id = var.use_public_ip_prefix ? (var.create_public_ip_prefix ? azurerm_public_ip_prefix.public_ip_prefix[0].id : var.existing_public_ip_prefix_id) : null
+ tags = merge(lookup(var.tags, "public-ip", {}), lookup(var.tags, "all", {}))
}
resource "azurerm_lb" "frontend-lb" {
@@ -83,6 +87,8 @@ resource "azurerm_lb" "frontend-lb" {
name = "${var.vmss_name}-app-1"
public_ip_address_id = azurerm_public_ip.public-ip-lb[0].id
}
+
+ tags = merge(lookup(var.tags, "load-balancer", {}), lookup(var.tags, "all", {}))
}
resource "azurerm_lb_backend_address_pool" "frontend-lb-pool" {
@@ -103,6 +109,8 @@ resource "azurerm_lb" "backend-lb" {
private_ip_address_allocation = "Static"
private_ip_address = cidrhost(data.azurerm_subnet.backend.address_prefixes[0],var.backend_lb_IP_address)
}
+
+ tags = merge(lookup(var.tags, "load-balancer", {}), lookup(var.tags, "all", {}))
}
resource "azurerm_lb_backend_address_pool" "backend-lb-pool" {
@@ -195,6 +203,8 @@ resource "azurerm_storage_account" "vm-boot-diagnostics-storage" {
days = "15"
}
}
+
+ tags = merge(lookup(var.tags, "storage-account", {}), lookup(var.tags, "all", {}))
}
@@ -218,6 +228,8 @@ resource "azurerm_image" "custom-image" {
os_state = "Generalized"
blob_uri = var.source_image_vhd_uri
}
+
+ tags = merge(lookup(var.tags, "custom-image", {}), lookup(var.tags, "all", {}))
}
resource "azurerm_linux_virtual_machine_scale_set" "vmss" {
@@ -335,24 +347,7 @@ resource "azurerm_linux_virtual_machine_scale_set" "vmss" {
}
}
- tags = var.management_interface == "eth0"?{
- x-chkp-management = var.management_name,
- x-chkp-template = var.configuration_template_name,
- x-chkp-ip-address = local.management_ip_address_type,
- x-chkp-management-interface = local.management_interface_name,
- x-chkp-management-address = var.management_IP,
- x-chkp-topology = "eth0:external,eth1:internal",
- x-chkp-anti-spoofing = "eth0:false,eth1:false",
- x-chkp-srcImageUri = var.source_image_vhd_uri
- }:{
- x-chkp-management = var.management_name,
- x-chkp-template = var.configuration_template_name,
- x-chkp-ip-address = local.management_ip_address_type,
- x-chkp-management-interface = local.management_interface_name,
- x-chkp-topology = "eth0:external,eth1:internal",
- x-chkp-anti-spoofing = "eth0:false,eth1:false",
- x-chkp-srcImageUri = var.source_image_vhd_uri
- }
+ tags = merge(lookup(var.tags, "virtual-machine-scale-set", {}), lookup(var.tags, "all", {}), local.vmss_tags)
}
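Review bot: The argument order on the new `tags` line is load-bearing and should be documented: `local.vmss_tags` is merged last so a user-supplied `all` or `virtual-machine-scale-set` tag cannot overwrite an `x-chkp-*` key, which the management-side autoprovisioning presumably relies on. Suggest `# local.vmss_tags last: x-chkp-* control tags must win over user-supplied tags` directly above the line. The matching hunk in modules/vmss_new_vnet/main.tf needs the same comment.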
resource "azurerm_monitor_autoscale_setting" "vmss_settings" {
@@ -419,6 +414,8 @@ resource "azurerm_monitor_autoscale_setting" "vmss_settings" {
custom_emails = var.notification_email == "" ? [] : [var.notification_email]
}
}
+
+ tags = merge(lookup(var.tags, "autoscale-setting", {}), lookup(var.tags, "all", {}))
}
resource "azurerm_role_assignment" "custom_metrics_role_assignment"{
diff --git a/modules/vmss_existing_vnet/variables.tf b/modules/vmss_existing_vnet/variables.tf
index ab88499..8a2fcf7 100755
--- a/modules/vmss_existing_vnet/variables.tf
+++ b/modules/vmss_existing_vnet/variables.tf
@@ -415,3 +415,9 @@ variable "security_rules" {
}
]
}
+
+variable "tags" {
+ description = "Assign tags by resource."
+ type = map(map(string))
+ default = {}
+}
\ No newline at end of file
diff --git a/modules/vmss_new_vnet/README.md b/modules/vmss_new_vnet/README.md
index cf44905..b333d89 100755
--- a/modules/vmss_new_vnet/README.md
+++ b/modules/vmss_new_vnet/README.md
@@ -29,7 +29,7 @@ provider "azurerm" {
module "example_module" {
source = "CheckPointSW/cloudguard-network-security/azure//modules/vmss_new_vnet"
- version = "1.0.5"
+ version = "1.0.6"
subscription_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
source_image_vhd_uri = "noCustomUri"
@@ -145,3 +145,4 @@ module "example_module" {
| **security_rules** | SSecurity rules for the Network Security | list(any) | A security rule composed of: {name, priority, direction, access, protocol, source_port_ranges, destination_port_ranges, source_address_prefix, destination_address_prefix, description}
**Default:** [] |
| **admin_SSH_key** | The SSH public key for SSH connections to the instance. Used when the authentication_type is 'SSH Public Key' | string | **Default:** "" |
| **is_blink** | Define if blink image is used for deployment | boolean | true;
false;
**Default:** true |
+| **tags** | Tags can be associated either globally across all resources or scoped to specific resource types. For example, a global tag can be defined as: {"all": {"example": "example"}}.
Supported resource types for tag assignment include:
`all` (Applies tags universally to all resource instances)
`resource-group`
`virtual-network`
`network-security-group`
`network-interface`
`public-ip`
`public-ip-prefix`
`load-balancer`
`route-table`
`storage-account`
`virtual-machine-scale-set`
`custom-image`
`autoscale-setting`
**Important:** When identical tag keys are defined both globally under `all` and within a specific resource scope, the tag value specified under `all` overrides the resource-specific tag. | map(map(string)) | {} |
\ No newline at end of file
diff --git a/modules/vmss_new_vnet/locals.tf b/modules/vmss_new_vnet/locals.tf
index 302d292..f55ca15 100755
--- a/modules/vmss_new_vnet/locals.tf
+++ b/modules/vmss_new_vnet/locals.tf
@@ -1,6 +1,6 @@
locals {
module_name = "vmss_terraform_registry"
- module_version = "1.0.5"
+ module_version = "1.0.6"
// Validate that the minimum number of VM instances is at least 0.
// If not, return an error message.
@@ -17,4 +17,23 @@ locals {
// Validate the number of VM instances against the minimum requirement.
// If the number of instances is less than the minimum, return an error message.
validate_number_of_vm_instances = local.number_of_vm_instances >= var.minimum_number_of_vm_instances? 0 : index("error: The number of VM instances must be at least ${var.minimum_number_of_vm_instances}.")
+
+ vmss_tags = var.management_interface == "eth0" ? {
+ x-chkp-management = var.management_name,
+ x-chkp-template = var.configuration_template_name,
+ x-chkp-ip-address = local.management_ip_address_type,
+ x-chkp-management-interface = local.management_interface_name,
+ x-chkp-management-address = var.management_IP,
+ x-chkp-topology = "eth0:external,eth1:internal",
+ x-chkp-anti-spoofing = "eth0:false,eth1:false",
+ x-chkp-srcImageUri = var.source_image_vhd_uri
+ } : {
+ x-chkp-management = var.management_name,
+ x-chkp-template = var.configuration_template_name,
+ x-chkp-ip-address = local.management_ip_address_type,
+ x-chkp-management-interface = local.management_interface_name,
+ x-chkp-topology = "eth0:external,eth1:internal",
+ x-chkp-anti-spoofing = "eth0:false,eth1:false",
+ x-chkp-srcImageUri = var.source_image_vhd_uri
+ }
}
diff --git a/modules/vmss_new_vnet/main.tf b/modules/vmss_new_vnet/main.tf
index 76b226a..f69289e 100755
--- a/modules/vmss_new_vnet/main.tf
+++ b/modules/vmss_new_vnet/main.tf
@@ -1,3 +1,7 @@
+provider "azurerm" {
+ features {}
+}
+
//********************** Basic Configuration **************************//
module "common" {
source = "../common"
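Review bot: A `provider "azurerm" { features {} }` block is added inside a reusable child module, but provider configuration belongs in the root module: a module that declares its own provider cannot be called with `count`, `for_each` or `depends_on`, its resources cannot be destroyed cleanly once the module call is removed, and within the module it shadows the default provider the caller configured (the README example for this module already shows the root `provider "azurerm"` block), so the module would authenticate from ambient environment/CLI credentials rather than the caller's configured identity. No sibling module in this commit adds one, which suggests a local-testing leftover; delete the four added lines and let the calling configuration supply the provider.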
@@ -19,6 +23,7 @@ module "common" {
serial_console_password_hash = var.serial_console_password_hash
maintenance_mode_password_hash = var.maintenance_mode_password_hash
storage_account_additional_ips = var.storage_account_additional_ips
+ tags = merge(lookup(var.tags, "resource-group", {}), lookup(var.tags, "all", {}))
}
//********************** Networking **************************//
@@ -30,6 +35,7 @@ module "vnet" {
nsg_id = var.nsg_id == "" ? module.network_security_group[0].network_security_group_id: var.nsg_id
address_space = var.address_space
subnet_prefixes = var.subnet_prefixes
+ tags = var.tags
}
module "network_security_group" {
@@ -39,6 +45,7 @@ module "network_security_group" {
security_group_name = "${module.common.resource_group_name}_nsg"
location = module.common.resource_group_location
security_rules = var.security_rules
+ tags = merge(lookup(var.tags, "network-security-group", {}), lookup(var.tags, "all", {}))
}
//********************** Load Balancers **************************//
@@ -55,6 +62,7 @@ resource "azurerm_public_ip_prefix" "public_ip_prefix" {
location = module.common.resource_group_location
resource_group_name = module.common.resource_group_name
prefix_length = 30
+ tags = merge(lookup(var.tags, "public-ip-prefix", {}), lookup(var.tags, "all", {}))
}
resource "azurerm_public_ip" "public-ip-lb" {
@@ -66,6 +74,7 @@ resource "azurerm_public_ip" "public-ip-lb" {
sku = var.sku
domain_name_label = "${lower(var.vmss_name)}-${random_id.random_id.hex}"
public_ip_prefix_id = var.use_public_ip_prefix ? (var.create_public_ip_prefix ? azurerm_public_ip_prefix.public_ip_prefix[0].id : var.existing_public_ip_prefix_id) : null
+ tags = merge(lookup(var.tags, "public-ip", {}), lookup(var.tags, "all", {}))
}
resource "azurerm_lb" "frontend-lb" {
@@ -80,6 +89,8 @@ resource "azurerm_lb" "frontend-lb" {
name = "${var.vmss_name}-app-1"
public_ip_address_id = azurerm_public_ip.public-ip-lb[0].id
}
+
+ tags = merge(lookup(var.tags, "load-balancer", {}), lookup(var.tags, "all", {}))
}
resource "azurerm_lb_backend_address_pool" "frontend-lb-pool" {
@@ -100,6 +111,8 @@ resource "azurerm_lb" "backend-lb" {
private_ip_address_allocation = module.vnet.allocation_method
private_ip_address = cidrhost(module.vnet.subnet_prefixes[1], var.backend_lb_IP_address)
}
+
+ tags = merge(lookup(var.tags, "load-balancer", {}), lookup(var.tags, "all", {}))
}
resource "azurerm_lb_backend_address_pool" "backend-lb-pool" {
@@ -192,6 +205,8 @@ resource "azurerm_storage_account" "vm-boot-diagnostics-storage" {
days = "15"
}
}
+
+ tags = merge(lookup(var.tags, "storage-account", {}), lookup(var.tags, "all", {}))
}
//********************** Virtual Machines **************************//
@@ -214,6 +229,8 @@ resource "azurerm_image" "custom-image" {
os_state = "Generalized"
blob_uri = var.source_image_vhd_uri
}
+
+ tags = merge(lookup(var.tags, "custom-image", {}), lookup(var.tags, "all", {}))
}
resource "azurerm_linux_virtual_machine_scale_set" "vmss" {
@@ -330,24 +347,7 @@ resource "azurerm_linux_virtual_machine_scale_set" "vmss" {
}
}
- tags = var.management_interface == "eth0"?{
- x-chkp-management = var.management_name,
- x-chkp-template = var.configuration_template_name,
- x-chkp-ip-address = local.management_ip_address_type,
- x-chkp-management-interface = local.management_interface_name,
- x-chkp-management-address = var.management_IP,
- x-chkp-topology = "eth0:external,eth1:internal",
- x-chkp-anti-spoofing = "eth0:false,eth1:false",
- x-chkp-srcImageUri = var.source_image_vhd_uri
- }:{
- x-chkp-management = var.management_name,
- x-chkp-template = var.configuration_template_name,
- x-chkp-ip-address = local.management_ip_address_type,
- x-chkp-management-interface = local.management_interface_name,
- x-chkp-topology = "eth0:external,eth1:internal",
- x-chkp-anti-spoofing = "eth0:false,eth1:false",
- x-chkp-srcImageUri = var.source_image_vhd_uri
- }
+ tags = merge(lookup(var.tags, "virtual-machine-scale-set", {}), lookup(var.tags, "all", {}), local.vmss_tags)
}
resource "azurerm_monitor_autoscale_setting" "vmss_settings" {
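Review bot: The new `tags = merge(lookup(var.tags, "virtual-machine-scale-set", {}), lookup(var.tags, "all", {}), local.vmss_tags)` relies on `local.vmss_tags` being the last argument so that user-supplied tags cannot overwrite the `x-chkp-*` management tags (management address, template, topology, anti-spoofing) that the removed inline map used to set; that ordering is load-bearing and should be documented, e.g. `# local.vmss_tags last: the x-chkp-* management tags must not be overridable via var.tags`. `local.vmss_tags` is defined outside this diff, so I cannot confirm it preserves the old behaviour where `x-chkp-management-address` was only emitted when `var.management_interface == "eth0"`; please verify that conditional survived the move. The enclosing `azurerm_linux_virtual_machine_scale_set` block starts before this hunk.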
@@ -414,6 +414,8 @@ resource "azurerm_monitor_autoscale_setting" "vmss_settings" {
custom_emails = var.notification_email == "" ? [] : [var.notification_email]
}
}
+
+ tags = merge(lookup(var.tags, "autoscale-setting", {}), lookup(var.tags, "all", {}))
}
resource "azurerm_role_assignment" "custom_metrics_role_assignment"{
diff --git a/modules/vmss_new_vnet/variables.tf b/modules/vmss_new_vnet/variables.tf
index ecf269c..da6b93e 100755
--- a/modules/vmss_new_vnet/variables.tf
+++ b/modules/vmss_new_vnet/variables.tf
@@ -404,3 +404,9 @@ variable "security_rules" {
}
]
}
+
+variable "tags" {
+ description = "Assign tags by resource."
+ type = map(map(string))
+ default = {}
+}
\ No newline at end of file
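Review bot: The description `"Assign tags by resource."` does not say which top-level keys the module reads, and a misspelled key (e.g. `load_balancer` instead of `load-balancer`) is not an error — the `lookup(..., {})` calls just return an empty map and the resource is deployed untagged, which matters when tags drive ownership, cost allocation or policy. I would list the recognised keys in the description and add a `validation` block that rejects unknown keys; the list below holds the keys visible in this diff (the `virtual-network` and `route-table` keys apply if `var.tags` is forwarded to the vnet module) and must be extended with any key looked up in parts of `main.tf` not shown here. The file also lacks a trailing newline.
```hcl
variable "tags" {
  description = "Tags to apply per resource type. Keys: all, public-ip-prefix, public-ip, load-balancer, storage-account, custom-image, virtual-machine-scale-set, autoscale-setting, virtual-network, route-table. Tags under \"all\" are applied to every resource."
  type        = map(map(string))
  default     = {}

  validation {
    condition = alltrue([
      for k in keys(var.tags) : contains([
        "all", "public-ip-prefix", "public-ip", "load-balancer", "storage-account",
        "custom-image", "virtual-machine-scale-set", "autoscale-setting",
        "virtual-network", "route-table",
      ], k)
    ])
    error_message = "Unknown key in var.tags; see the variable description for the supported resource keys."
  }
}
```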
diff --git a/modules/vnet/main.tf b/modules/vnet/main.tf
index f4665fe..b9edafa 100755
--- a/modules/vnet/main.tf
+++ b/modules/vnet/main.tf
@@ -4,7 +4,7 @@ resource "azurerm_virtual_network" "vnet" {
address_space = [var.address_space]
resource_group_name = var.resource_group_name
dns_servers = var.dns_servers
- tags = var.tags
+ tags = merge(lookup(var.tags, "virtual-network", {}), lookup(var.tags, "all", {}))
}
resource "azurerm_subnet" "subnet" {
@@ -55,6 +55,8 @@ resource "azurerm_route_table" "frontend" {
next_hop_type = local.next_hop_type_allowed_values[3]
next_hop_in_ip_address = join(".", [for i, v in split(".", element(split("/", azurerm_subnet.subnet[0].address_prefixes[0]), 0)) : i == 3 ? tostring(tonumber(v) + 4) : v])
}
+
+ tags = merge(lookup(var.tags, "route-table", {}), lookup(var.tags, "all", {}))
}
resource "azurerm_subnet_route_table_association" "frontend_association" {
@@ -74,6 +76,8 @@ resource "azurerm_route_table" "backend" {
next_hop_type = local.next_hop_type_allowed_values[3]
next_hop_in_ip_address = join(".", [for i, v in split(".", element(split("/", azurerm_subnet.subnet[1].address_prefixes[0]), 0)) : i == 3 ? tostring(tonumber(v) + 4) : v])
}
+
+ tags = merge(lookup(var.tags, "route-table", {}), lookup(var.tags, "all", {}))
}
resource "azurerm_subnet_route_table_association" "backend_association" {
diff --git a/modules/vnet/variables.tf b/modules/vnet/variables.tf
index 1f64d28..3a34972 100755
--- a/modules/vnet/variables.tf
+++ b/modules/vnet/variables.tf
@@ -40,7 +40,7 @@ variable "subnet_names" {
variable "tags" {
description = "Tags to be associated with Virtual Network and subnets"
- type = map(string)
+ type = map(map(string))
default = {}
}
variable "nsg_id" {
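Review bot: Changing `type = map(string)` to `type = map(map(string))` is a breaking change for any caller of the vnet module that still passes a flat tag map, and the description was not updated to reflect the new shape or the fact that route tables (tagged in `modules/vnet/main.tf` in this same diff) now read it while `azurerm_subnet` receives no tags at all. I would rewrite the description, e.g. `description = "Per-resource tags: keys \"virtual-network\" and \"route-table\" are applied to the corresponding resources, key \"all\" to both; subnets are not tagged."`. If external callers of this module exist, this deserves a mention in the changelog alongside the version bump.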