NSG module for creating multiple NSGs with NSG rules

I have created an NSG module that creates multiple NSGs. Below is the code:

main.tf

# One NSG per entry of var.network_security_groups. The map key becomes the
# instance key, so sibling resources can address the NSG as nsgcreation[key].
resource "azurerm_network_security_group" "nsgcreation" {
  for_each = var.network_security_groups

  name                = each.value.name
  resource_group_name = var.resource_group_name
  location            = var.location
}

# Attach each NSG to the subnet that data.azurerm_subnet.snet resolved under the
# same key; both are driven by var.network_security_groups, so the keys line up.
resource "azurerm_subnet_network_security_group_association" "associate" {
  for_each = var.network_security_groups

  subnet_id                 = data.azurerm_subnet.snet[each.key].id
  network_security_group_id = azurerm_network_security_group.nsgcreation[each.key].id
}

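# One azurerm_network_security_rule per entry of var.nsg_rules. The keys of
# var.nsg_rules are independent of the NSG keys: a rule is matched to its NSG
# only by the literal network_security_group_name it carries.
resource "azurerm_network_security_rule" "nsgrules" {
  for_each = var.nsg_rules

  name      = each.value["name"]
  direction = each.value["direction"]
  access    = each.value["access"]
  priority  = each.value["priority"]
  protocol  = each.value["protocol"]

  # Each port/address argument has a singular and a plural form. An entry
  # supplies one of the two; lookup() leaves the other null so it is not set.
  source_port_ranges           = lookup(each.value, "source_port_ranges", null)
  source_port_range            = lookup(each.value, "source_port_range", null)
  destination_port_ranges      = lookup(each.value, "destination_port_ranges", null)
  destination_port_range       = lookup(each.value, "destination_port_range", null)
  source_address_prefixes      = lookup(each.value, "source_address_prefixes", null)
  source_address_prefix        = lookup(each.value, "source_address_prefix", null)
  destination_address_prefixes = lookup(each.value, "destination_address_prefixes", null)
  destination_address_prefix   = lookup(each.value, "destination_address_prefix", null)

  # Optional free-text description carried by the rule entry; entries without
  # one get no description rather than failing.
  description = lookup(each.value, "description", null)

  resource_group_name         = var.resource_group_name
  network_security_group_name = each.value["network_security_group_name"]

  # network_security_group_name is a plain string from the variable, not a
  # reference to azurerm_network_security_group.nsgcreation, so Terraform cannot
  # infer the ordering on its own; the explicit depends_on keeps NSG creation first.
  depends_on = [
    azurerm_network_security_group.nsgcreation
  ]
}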

variables.tf

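variable "network_security_groups" {
  description = "Map of NSGs to create, keyed by a stable identifier. Each entry carries the NSG name plus the subnet_name, vnet_name and vnet_rgname of the subnet the NSG is attached to."
  # The shape is enforced here so that a missing key fails at plan time instead
  # of inside data.azurerm_subnet or the NSG resource.
  type = map(object({
    name        = string
    subnet_name = string
    vnet_name   = string
    vnet_rgname = string
  }))
  default = {}
}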

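variable "nsg_rules" {
  description = "Map of NSG rules, keyed by a unique identifier. Each entry names its target NSG via network_security_group_name and provides either the singular or the plural form of each port/address argument; absent keys are read as null."
  # Kept as `any` on purpose: entries do not share one attribute set (some use
  # *_ranges / *_prefixes lists, others the singular form), so a stricter
  # map(object(...)) would reject the current inputs.
  type    = any
  default = {}
}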

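variable "resource_group_name" {
  description = "Name of the existing resource group in which the NSGs and their rules are created."
  # Typed like `location` below; the caller passes a resource-group name string.
  type = string
}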

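variable "location" {
  # The previous text described a vnet and a default that this variable does not
  # have; the caller must supply the value (typically the resource group's location).
  description = "Azure region in which the NSGs are created. No default; the caller supplies it."
  type        = string
}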

data.tf

# Resolve each NSG's target subnet by name. The result is keyed exactly like
# var.network_security_groups so the association resource can pair them by key.
data "azurerm_subnet" "snet" {
  for_each = var.network_security_groups

  name                 = each.value.subnet_name
  virtual_network_name = each.value.vnet_name
  resource_group_name  = each.value.vnet_rgname
}

Currently I am calling the module as shown below and using a tfvars file for input. The module call and the tfvars file are given below.

Module Code:

# Root-module call. NSGs and rules are driven entirely by the two tfvars maps;
# the resource group name and region come from the rg1 resource in this module.
module "nsgs" {
  source = "./nsgs"

  resource_group_name     = azurerm_resource_group.rg1.name
  location                = azurerm_resource_group.rg1.location
  network_security_groups = var.nsgs_aks_dev
  nsg_rules               = var.nsg_rules_aks_dev
}

vnet.auto.tfvars

# NSGs to create, keyed by an identifier the module reuses for the subnet lookup
# and the subnet association of the same NSG.
nsgs_aks_dev = {
  nsg_aks1 = {
    name        = "nsg_subnet-mel-dev-aks-pa1-ext-10.80.200.0"
    vnet_name   = "bupaanz-mel-dev-caas-vnet01"
    vnet_rgname = "caas-dev-rg01"
    subnet_name = "subnet-mel-dev-aks-pa1-ext-10.80.200.0"
  },
  nsg_aks2 = {
    name        = "nsg_subnet-mel-dev-aks-internal01-10.80.192.0"
    vnet_name   = "bupaanz-mel-dev-caas-vnet01"
    vnet_rgname = "caas-dev-rg01"
    subnet_name = "subnet-mel-dev-aks-internal01-10.80.192.0"
  },
}


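# Rules for the NSGs above. The map key only has to be unique; a rule is attached
# to the NSG named by its network_security_group_name.
# NOTE(review): the DenyAll* entries use protocol = "tcp", so they only deny TCP;
# traffic of other protocols is presumably left to Azure's default rules. If the
# intent is "deny every protocol" as the descriptions say, protocol = "*" is the
# value to confirm.
nsg_rules_aks_dev = {
  nsg_aks1 = {
    name                        = "DenyAllIn"
    priority                    = 4096
    network_security_group_name = "nsg_subnet-mel-dev-aks-pa1-ext-10.80.200.0"
    direction                   = "Inbound"
    access                      = "Deny"
    protocol                    = "tcp"
    source_port_range           = "*"
    destination_port_range      = "*"
    source_address_prefix       = "*"
    destination_address_prefix  = "*"
    description                 = "Deny all inbound ports"
  },
  nsg_aks2 = {
    name                        = "DenyAllOut"
    priority                    = 4096
    network_security_group_name = "nsg_subnet-mel-dev-aks-pa1-ext-10.80.200.0"
    direction                   = "Outbound"
    access                      = "Deny"
    protocol                    = "tcp"
    source_port_range           = "*"
    destination_port_range      = "*"
    source_address_prefix       = "*"
    destination_address_prefix  = "*"
    description                 = "Deny all outbound ports"
  },
  nsg_aks3 = {
    name                         = "AllowSCOMOutbound"
    priority                     = 100
    network_security_group_name  = "nsg_subnet-mel-dev-aks-pa1-ext-10.80.200.0"
    direction                    = "Outbound"
    access                       = "Allow"
    protocol                     = "tcp"
    source_port_range            = "*"
    source_port_ranges           = null
    source_address_prefix        = "*"
    source_address_prefixes      = null
    destination_port_range       = "5723"
    destination_port_ranges      = null
    destination_address_prefix   = null
    destination_address_prefixes = ["10.68.100.168", "10.64.150.162", "10.68.100.169", "10.64.150.164"]
    description                  = "Allow outbound connection to SCOM"
  },
  nsg_aks4 = {
    name                        = "AllowSCCMOutbound"
    priority                    = 200
    network_security_group_name = "nsg_subnet-mel-dev-aks-pa1-ext-10.80.200.0"
    direction                   = "Outbound"
    access                      = "Allow"
    protocol                    = "tcp"
    source_port_range           = "*"
    source_port_ranges          = null
    source_address_prefix       = "*"
    # Listed once; the entry previously repeated this key.
    source_address_prefixes = null
    # Stated explicitly so this entry mirrors nsg_aks8; the module reads it as
    # null either way.
    destination_port_range = null
    destination_port_ranges = [
      "80",
      "443",
      "445",
      "8530",
      "8531"
    ]
    destination_address_prefix   = null
    destination_address_prefixes = ["10.68.100.129", "10.68.100.130", "10.64.150.177"]
    description                  = "Allow outbound connection to SCCM"
  },
  nsg_aks5 = {
    name                        = "DenyAllIn"
    priority                    = 4096
    network_security_group_name = "nsg_subnet-mel-dev-aks-internal01-10.80.192.0"
    direction                   = "Inbound"
    access                      = "Deny"
    protocol                    = "tcp"
    source_port_range           = "*"
    destination_port_range      = "*"
    source_address_prefix       = "*"
    destination_address_prefix  = "*"
    description                 = "Deny all inbound ports"
  },
  nsg_aks6 = {
    name                        = "DenyAllOut"
    priority                    = 4096
    network_security_group_name = "nsg_subnet-mel-dev-aks-internal01-10.80.192.0"
    direction                   = "Outbound"
    access                      = "Deny"
    protocol                    = "tcp"
    source_port_range           = "*"
    destination_port_range      = "*"
    source_address_prefix       = "*"
    destination_address_prefix  = "*"
    description                 = "Deny all outbound ports"
  },
  nsg_aks7 = {
    name                         = "AllowSCOMOutbound"
    priority                     = 100
    network_security_group_name  = "nsg_subnet-mel-dev-aks-internal01-10.80.192.0"
    direction                    = "Outbound"
    access                       = "Allow"
    protocol                     = "tcp"
    source_port_range            = "*"
    source_port_ranges           = null
    source_address_prefix        = "*"
    source_address_prefixes      = null
    destination_port_range       = "5723"
    destination_port_ranges      = null
    destination_address_prefix   = null
    destination_address_prefixes = ["10.68.100.168", "10.64.150.162", "10.68.100.169", "10.64.150.164"]
    description                  = "Allow outbound connection to SCOM"
  },
  nsg_aks8 = {
    name                        = "AllowSCCMOutbound"
    priority                    = 200
    network_security_group_name = "nsg_subnet-mel-dev-aks-internal01-10.80.192.0"
    direction                   = "Outbound"
    access                      = "Allow"
    protocol                    = "tcp"
    source_port_range           = "*"
    source_port_ranges          = null
    source_address_prefix       = "*"
    source_address_prefixes     = null
    destination_port_range      = null
    destination_port_ranges = [
      "80",
      "443",
      "445",
      "8530",
      "8531"
    ]
    destination_address_prefix   = null
    destination_address_prefixes = ["10.68.100.129", "10.68.100.130", "10.64.150.177"]
    description                  = "Allow outbound connection to SCCM"
  },
}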

As the tfvars file shows, I am creating the same four rules for two NSGs, but I am writing each rule twice (once per NSG). Can you tell me whether the tfvars can be reduced so that the same rules have to be defined only once rather than multiple times?
