claranet/terraform-azurerm-bastion


Azure Bastion


Azure Terraform module to create an Azure Bastion (managed jump host) with an optional dedicated subnet.

Naming

Resource naming is based on the Microsoft CAF naming convention best practices. Legacy naming is available by setting the parameter use_caf_naming to false. We rely on the official Terraform Azure CAF naming provider to generate resource names.

Global versioning rule for Claranet Azure modules

| Module version | Terraform version | OpenTofu version | AzureRM version |
|----------------|-------------------|------------------|-----------------|
| >= 8.x.x       | **Unverified**    | 1.8.x            | >= 4.0          |
| >= 7.x.x       | 1.3.x             |                  | >= 3.0          |
| >= 6.x.x       | 1.x               |                  | >= 3.0          |
| >= 5.x.x       | 0.15.x            |                  | >= 2.0          |
| >= 4.x.x       | 0.13.x / 0.14.x   |                  | >= 2.0          |
| >= 3.x.x       | 0.12.x            |                  | >= 2.0          |
| >= 2.x.x       | 0.12.x            |                  | < 2.0           |
| < 2.x.x        | 0.11.x            |                  | < 2.0           |

Contributing

If you want to contribute to this repository, feel free to use our pre-commit git hook configuration, which updates and formats some files for you automatically while enforcing our Terraform module best practices.

More details are available in the CONTRIBUTING.md file.

Usage

This module is optimized to work with the Claranet terraform-wrapper tool, which sets in the environment some Terraform variables needed by this module. More details about the variables set by the terraform-wrapper are available in the documentation.

⚠️ Since module version v8.0.0, we no longer maintain or check compatibility with HashiCorp Terraform. Instead, we recommend using OpenTofu.

```hcl
# Assumed by this example: the Claranet `azure_region`, `rg` and `run` modules
# (region, resource group and logging stack) are declared elsewhere in the stack.
module "vnet" {
  source  = "claranet/vnet/azurerm"
  version = "x.x.x"

  location       = module.azure_region.location
  location_short = module.azure_region.location_short
  client_name    = var.client_name
  environment    = var.environment
  stack          = var.stack

  resource_group_name = module.rg.name

  # VNet address space; the dedicated Bastion subnet below is carved out of it.
  cidrs = ["10.10.0.0/16"]
}

module "bastion_host" {
  source  = "claranet/bastion/azurerm"
  version = "x.x.x"

  location       = module.azure_region.location
  location_short = module.azure_region.location_short
  client_name    = var.client_name
  environment    = var.environment
  stack          = var.stack

  resource_group_name = module.rg.name

  # Dedicated Bastion subnet, created by the module inside the VNet above.
  subnet_bastion_cidr = "10.10.1.0/27"

  virtual_network_name = module.vnet.name

  # Diagnostic settings destinations: at most one of each kind.
  logs_destinations_ids = [
    module.run.logs_storage_account_id,
    module.run.log_analytics_workspace_id,
  ]

  extra_tags = {
    foo = "bar"
  }
}
```

Providers

| Name     | Version   |
|----------|-----------|
| azurecaf | ~> 1.2.28 |
| azurerm  | ~> 4.0    |

Modules

| Name           | Source                                 | Version  |
|----------------|----------------------------------------|----------|
| diagnostics    | claranet/diagnostic-settings/azurerm   | ~> 8.0.0 |
| subnet_bastion | claranet/subnet/azurerm                | ~> 8.0.0 |

Resources

| Name                       | Type        |
|----------------------------|-------------|
| azurerm_bastion_host.main  | resource    |
| azurerm_public_ip.main     | resource    |
| azurecaf_name.bastion      | data source |
| azurecaf_name.bastion_pip  | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| client_name | Client name/account used in naming. | `string` | n/a | yes |
| copy_paste_enabled | Is the Copy/Paste feature enabled for the Bastion Host. | `bool` | `true` | no |
| custom_ipconfig_name | Bastion IP Config custom name. | `string` | `""` | no |
| custom_name | Custom Bastion name, generated if not set. | `string` | `""` | no |
| custom_public_ip_name | Bastion public IP resource custom name. | `string` | `""` | no |
| default_outbound_access_enabled | Enable or disable `default_outbound_access`. See documentation. | `bool` | `false` | no |
| default_tags_enabled | Option to enable or disable default tags. | `bool` | `true` | no |
| diagnostic_settings_custom_name | Custom name of the diagnostic settings; `default` if not set. | `string` | `"default"` | no |
| environment | Project environment. | `string` | n/a | yes |
| extra_tags | Additional tags to associate with resources. | `map(string)` | `{}` | no |
| file_copy_enabled | Is the File Copy feature enabled for the Bastion Host. | `bool` | `true` | no |
| ip_connect_enabled | Is the IP Connect feature enabled for the Bastion Host. | `bool` | `true` | no |
| location | Azure region to use. | `string` | n/a | yes |
| location_short | Short string for the Azure location. | `string` | n/a | yes |
| logs_categories | Log categories to send to destinations. | `list(string)` | `null` | no |
| logs_destinations_ids | List of destination resource IDs for diagnostic logs. Can be a Storage Account, a Log Analytics Workspace and an Event Hub; no more than one of each can be set. To use Azure Event Hub as a destination, provide a formatted string containing both the Event Hub Namespace authorization send rule ID and the Event Hub name (the name of the queue to use in the Namespace), separated by the `\|` character. | `list(string)` | n/a | yes |
| logs_metrics_categories | Metrics categories to send to destinations. | `list(string)` | `null` | no |
| name_prefix | Optional prefix for the generated name. | `string` | `""` | no |
| name_suffix | Optional suffix for the generated name. | `string` | `""` | no |
| network_resource_group_name | VNet and subnet Resource Group name. Use only if you need a dedicated Resource Group for all Bastion resources (set via the `resource_group_name` variable). | `string` | `""` | no |
| public_ip_zones | Zones for the public IP attached to the Bastion Host. Can be `null` if no zone dispatch is wanted. | `list(number)` | `[1, 2, 3]` | no |
| resource_group_name | Name of the resource group. | `string` | n/a | yes |
| scale_units | The number of scale units to provision for the Bastion Host. Possible values are between 2 and 50. | `number` | `2` | no |
| shareable_link_enabled | Is the Shareable Link feature enabled for the Bastion Host. | `bool` | `false` | no |
| sku | The SKU of the Bastion Host. Accepted values are `Basic` and `Standard`. | `string` | `"Standard"` | no |
| stack | Project stack name. | `string` | n/a | yes |
| subnet_bastion_cidr | CIDR range for the dedicated Bastion subnet. Must be a range available in the VNet. | `string` | n/a | yes |
| tunneling_enabled | Is the Tunneling feature enabled for the Bastion Host. | `bool` | `true` | no |
| virtual_network_name | Virtual Network name where the dedicated subnet and the Bastion will be created. | `string` | n/a | yes |
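A locked-down variant of the module call, added here as an illustration rather than taken from the module's own examples: it turns off the optional session features listed above and shows the `|` format expected for an Event Hub log destination. The `module.azure_region`, `module.rg`, `module.vnet` and `module.run` references and the Event Hub resource names are placeholders.

```hcl
module "bastion_host" {
  source  = "claranet/bastion/azurerm"
  version = "x.x.x"

  location       = module.azure_region.location
  location_short = module.azure_region.location_short
  client_name    = var.client_name
  environment    = var.environment
  stack          = var.stack

  resource_group_name  = module.rg.name
  virtual_network_name = module.vnet.name
  subnet_bastion_cidr  = "10.10.1.0/27"

  # File copy, IP connect, tunneling, shareable links and scale_units > 2 are
  # Standard SKU capabilities; with Basic they are unavailable and must stay false.
  sku         = "Standard"
  scale_units = 2

  # Reduce the exfiltration surface of interactive sessions: keep only
  # browser-based console access, disable every optional transfer path.
  copy_paste_enabled     = false
  file_copy_enabled      = false
  ip_connect_enabled     = false
  tunneling_enabled      = false
  shareable_link_enabled = false

  # Zone-redundant public IP (the module default, made explicit).
  public_ip_zones = [1, 2, 3]

  # At most one destination of each kind. The Event Hub entry is the namespace
  # authorization rule (send) ID and the hub name joined by "|".
  # Both referenced resources are placeholders for this example.
  logs_destinations_ids = [
    module.run.log_analytics_workspace_id,
    "${azurerm_eventhub_namespace_authorization_rule.logs_send.id}|${azurerm_eventhub.bastion_logs.name}",
  ]

  extra_tags = {
    hardening = "session-features-disabled"
  }
}
```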

Outputs

| Name | Description |
|------|-------------|
| fqdn | Azure Bastion FQDN / generated DNS name. |
| id | Azure Bastion ID. |
| module_diagnostics | Diagnostic settings module outputs. |
| module_subnet | Bastion subnet module object outputs. |
| name | Azure Bastion name. |
| public_ip_address | Azure Bastion public IP address. |
| public_ip_name | Azure Bastion public IP resource name. |
| resource | Azure Bastion resource object. |
| resource_public_ip | Azure Bastion public IP resource object. |
| subnet_cidr | Dedicated subnet CIDR for the Bastion. |
| subnet_id | Dedicated subnet ID for the Bastion. |

Related documentation

Azure Bastion documentation: docs.microsoft.com/en-us/azure/bastion/
