From 26f6ef809673820b2a2614c2e8084ab6cfb0953d Mon Sep 17 00:00:00 2001
From: Horia Gunica <43091730+horiagunica@users.noreply.github.com>
Date: Fri, 21 Jul 2023 16:56:45 +0300
Subject: [PATCH] feat: VNet peering support (#273)

---
 modules/vnet_peering/Makefile     |  2 ++
 modules/vnet_peering/README.md    | 53 +++++++++++++++++++++++++++++++
 modules/vnet_peering/main.tf      | 31 ++++++++++++++++++
 modules/vnet_peering/outputs.tf   | 19 +++++++++++
 modules/vnet_peering/variables.tf | 35 ++++++++++++++++++++
 modules/vnet_peering/versions.tf  |  9 ++++++
 6 files changed, 149 insertions(+)
 create mode 100644 modules/vnet_peering/Makefile
 create mode 100644 modules/vnet_peering/README.md
 create mode 100644 modules/vnet_peering/main.tf
 create mode 100644 modules/vnet_peering/outputs.tf
 create mode 100644 modules/vnet_peering/variables.tf
 create mode 100644 modules/vnet_peering/versions.tf

diff --git a/modules/vnet_peering/Makefile b/modules/vnet_peering/Makefile
new file mode 100644
index 00000000..f9cee6eb
--- /dev/null
+++ b/modules/vnet_peering/Makefile
@@ -0,0 +1,2 @@
+validate:
+	@../../makefile.sh validate
\ No newline at end of file
diff --git a/modules/vnet_peering/README.md b/modules/vnet_peering/README.md
new file mode 100644
index 00000000..ed8237e8
--- /dev/null
+++ b/modules/vnet_peering/README.md
@@ -0,0 +1,53 @@
+# Palo Alto Networks VNet Peering Module for Azure
+
+A terraform module for deploying a Virtual Network Peering and its components required for the VM-Series firewalls in Azure.
+
+## Usage
+
+For usage refer to any example module.
+
+## Reference
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+### Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.2, < 2.0 |
+| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | ~> 3.25 |
+
+### Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | ~> 3.25 |
+
+### Modules
+
+No modules.
+
+### Resources
+
+| Name | Type |
+|------|------|
+| [azurerm_virtual_network_peering.local](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_network_peering) | resource |
+| [azurerm_virtual_network_peering.remote](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_network_peering) | resource |
+| [azurerm_virtual_network.local_peer](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/virtual_network) | data source |
+| [azurerm_virtual_network.remote_peer](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/virtual_network) | data source |
+
+### Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_name_prefix"></a> [name\_prefix](#input\_name\_prefix) | Prefix name appended to the peering names. | `string` | `""` | no |
+| <a name="input_local_peer_config"></a> [local\_peer\_config](#input\_local\_peer\_config) | A map that contains the local peer configuration.<br>Mandatory Values: <br>- `vnet_name`                   - (`string`, required) the local peer VNET name.<br>- `resource_group_name          - (`string`, required) : the resource group name of the local peer<br>- `allow\_virtual\_network\_access - (`bool`, optional, defaults to `true`) : allows communication between the two peering VNETs<br>- `allow_forwarded_traffic`     - (`bool`, optional, defaults to `true`) : allows traffic forwarded from the remote VNET but not originated from within it<br>- `allow_gateway_transit`       - (`bool`, optional, defaults to `false`) : controls the learning of routes from local VNET (gateway or route server) into the remote VNET. Must be true if `use_remote_gateways` is `true` for remote peer<br>- `use_remote_gateways`         - (`bool`, optional, defaults to `false`) : controls the learning of routes from the remote VNET (gateway or route server) into the local VNET<br>- `name`                        - (`string`, optional, defaults to `<var.name_prefix><var.local_peer_config.vnet_name>-to-<var.remote_peer_config.vnet_name>`) : the name of the local VNET peering | `map(any)` | n/a | yes |
+| <a name="input_remote_peer_config"></a> [remote\_peer\_config](#input\_remote\_peer\_config) | A map that contains the remote peer configuration.<br>Mandatory Values :<br>- `vnet_name`                   - (`string`, required) : the remote peer VNET name.<br>- `resource_group_name          - (`string`, required) : the resource group name of the remote peer<br>- `allow\_virtual\_network\_access - (`bool`, optional, defaults to `true`) : allows communication between the two peering VNETs<br>- `allow_forwarded_traffic`     - (`bool`, optional, defaults to `true`) : allows traffic forwarded from the local VNET but not originated from within it<br>- `allow_gateway_transit`       - (`bool`, optional, defaults to `false`) : controls the learning of routes from remote VNET (gateway or route server) into the local VNET. Must be true if `use_remote_gateways` is `true` for local peer<br>- `use_remote_gateways`         - (`bool`, optional, defaults to `false`) : controls the learning of routes from the local VNET (gateway or route server) into the remote VNET<br>- `name`                        - (`string`, optional, defaults to `<var.name_prefix><var.remote_peer_config.vnet_name>-to-<var.local_peer_config.vnet_name>`) : the name of the local VNET peering | `map(any)` | n/a | yes |
+
+### Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_local_peering_name"></a> [local\_peering\_name](#output\_local\_peering\_name) | The name of the local VNET peering. |
+| <a name="output_remote_peering_name"></a> [remote\_peering\_name](#output\_remote\_peering\_name) | The name of the remote VNET peering. |
+| <a name="output_local_peering_id"></a> [local\_peering\_id](#output\_local\_peering\_id) | The ID of the local VNET peering. |
+| <a name="output_remote_peering_id"></a> [remote\_peering\_id](#output\_remote\_peering\_id) | The ID of the remote VNET peering. |
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
\ No newline at end of file
diff --git a/modules/vnet_peering/main.tf b/modules/vnet_peering/main.tf
new file mode 100644
index 00000000..91c19687
--- /dev/null
+++ b/modules/vnet_peering/main.tf
@@ -0,0 +1,31 @@
+data "azurerm_virtual_network" "local_peer" {
+  name                = var.local_peer_config.vnet_name
+  resource_group_name = var.local_peer_config.resource_group_name
+}
+
+data "azurerm_virtual_network" "remote_peer" {
+  name                = var.remote_peer_config.vnet_name
+  resource_group_name = var.remote_peer_config.resource_group_name
+}
+
+resource "azurerm_virtual_network_peering" "local" {
+  name                         = try(var.local_peer_config.name, "${var.local_peer_config.vnet_name}-to-${var.remote_peer_config.vnet_name}")
+  resource_group_name          = var.local_peer_config.resource_group_name
+  virtual_network_name         = var.local_peer_config.vnet_name
+  remote_virtual_network_id    = data.azurerm_virtual_network.remote_peer.id
+  allow_virtual_network_access = try(var.local_peer_config.allow_virtual_network_access, true)
+  allow_forwarded_traffic      = try(var.local_peer_config.allow_forwarded_traffic, true)
+  allow_gateway_transit        = try(var.local_peer_config.allow_gateway_transit, false)
+  use_remote_gateways          = try(var.local_peer_config.use_remote_gateways, false)
+}
+
+resource "azurerm_virtual_network_peering" "remote" {
+  name                         = try(var.remote_peer_config.name, "${var.remote_peer_config.vnet_name}-to-${var.local_peer_config.vnet_name}")
+  resource_group_name          = var.remote_peer_config.resource_group_name
+  virtual_network_name         = var.remote_peer_config.vnet_name
+  remote_virtual_network_id    = data.azurerm_virtual_network.local_peer.id
+  allow_virtual_network_access = try(var.remote_peer_config.allow_virtual_network_access, true)
+  allow_forwarded_traffic      = try(var.remote_peer_config.allow_forwarded_traffic, true)
+  allow_gateway_transit        = try(var.remote_peer_config.allow_gateway_transit, false)
+  use_remote_gateways          = try(var.remote_peer_config.use_remote_gateways, false)
+}
\ No newline at end of file
diff --git a/modules/vnet_peering/outputs.tf b/modules/vnet_peering/outputs.tf
new file mode 100644
index 00000000..c43dbab8
--- /dev/null
+++ b/modules/vnet_peering/outputs.tf
@@ -0,0 +1,19 @@
+output "local_peering_name" {
+  description = "The name of the local VNET peering."
+  value       = azurerm_virtual_network_peering.local.name
+}
+
+output "remote_peering_name" {
+  description = "The name of the remote VNET peering."
+  value       = azurerm_virtual_network_peering.remote.name
+}
+
+output "local_peering_id" {
+  description = "The ID of the local VNET peering."
+  value       = azurerm_virtual_network_peering.local.id
+}
+
+output "remote_peering_id" {
+  description = "The ID of the remote VNET peering."
+  value       = azurerm_virtual_network_peering.remote.id
+}
\ No newline at end of file
diff --git a/modules/vnet_peering/variables.tf b/modules/vnet_peering/variables.tf
new file mode 100644
index 00000000..3ea3d060
--- /dev/null
+++ b/modules/vnet_peering/variables.tf
@@ -0,0 +1,35 @@
+variable "name_prefix" {
+  description = "Prefix name appended to the peering names."
+  default     = ""
+  type        = string
+}
+
+variable "local_peer_config" {
+  description = <<-EOF
+  A map that contains the local peer configuration.
+  Mandatory Values: 
+  - `vnet_name`                   - (`string`, required) the local peer VNET name.
+  - `resource_group_name          - (`string`, required) : the resource group name of the local peer
+  - `allow_virtual_network_access - (`bool`, optional, defaults to `true`) : allows communication between the two peering VNETs
+  - `allow_forwarded_traffic`     - (`bool`, optional, defaults to `true`) : allows traffic forwarded from the remote VNET but not originated from within it
+  - `allow_gateway_transit`       - (`bool`, optional, defaults to `false`) : controls the learning of routes from local VNET (gateway or route server) into the remote VNET. Must be true if `use_remote_gateways` is `true` for remote peer
+  - `use_remote_gateways`         - (`bool`, optional, defaults to `false`) : controls the learning of routes from the remote VNET (gateway or route server) into the local VNET
+  - `name`                        - (`string`, optional, defaults to `<var.name_prefix><var.local_peer_config.vnet_name>-to-<var.remote_peer_config.vnet_name>`) : the name of the local VNET peering
+  EOF
+  type        = map(any)
+}
+
+variable "remote_peer_config" {
+  description = <<-EOF
+  A map that contains the remote peer configuration.
+  Mandatory Values :
+  - `vnet_name`                   - (`string`, required) : the remote peer VNET name.
+  - `resource_group_name          - (`string`, required) : the resource group name of the remote peer
+  - `allow_virtual_network_access - (`bool`, optional, defaults to `true`) : allows communication between the two peering VNETs
+  - `allow_forwarded_traffic`     - (`bool`, optional, defaults to `true`) : allows traffic forwarded from the local VNET but not originated from within it
+  - `allow_gateway_transit`       - (`bool`, optional, defaults to `false`) : controls the learning of routes from remote VNET (gateway or route server) into the local VNET. Must be true if `use_remote_gateways` is `true` for local peer
+  - `use_remote_gateways`         - (`bool`, optional, defaults to `false`) : controls the learning of routes from the local VNET (gateway or route server) into the remote VNET
+  - `name`                        - (`string`, optional, defaults to `<var.name_prefix><var.remote_peer_config.vnet_name>-to-<var.local_peer_config.vnet_name>`) : the name of the local VNET peering
+  EOF
+  type        = map(any)
+}
\ No newline at end of file
diff --git a/modules/vnet_peering/versions.tf b/modules/vnet_peering/versions.tf
new file mode 100644
index 00000000..7690b8e4
--- /dev/null
+++ b/modules/vnet_peering/versions.tf
@@ -0,0 +1,9 @@
+terraform {
+  required_version = ">= 1.2, < 2.0"
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = "~> 3.25"
+    }
+  }
+}
\ No newline at end of file