From 1323ddded107d1d2c1b3354cf6421155797bd243 Mon Sep 17 00:00:00 2001
From: Chris Jaimon <chris.jaimon@quantum.security>
Date: Thu, 7 Jul 2022 12:03:04 +0530
Subject: [PATCH] EN-949: wrap mutually exclusive objects (patch)

---
 modules/azure-local-network-gateway/README.md |   7 +-
 modules/azure-local-network-gateway/main.tf   |   4 +-
 .../{variables.tf => vars.tf}                 |  29 ++--
 modules/azure-network-security-rule/README.md |  12 +-
 modules/azure-network-security-rule/main.tf   |  17 +--
 modules/azure-network-security-rule/vars.tf   | 132 +++++++++++-------
 .../{variables.tf => vars.tf}                 |   0
 7 files changed, 119 insertions(+), 82 deletions(-)
 rename modules/azure-local-network-gateway/{variables.tf => vars.tf} (64%)
 rename modules/azure-virtual-network-gateway-connection/{variables.tf => vars.tf} (100%)

diff --git a/modules/azure-local-network-gateway/README.md b/modules/azure-local-network-gateway/README.md
index 0838949..bbf8100 100644
--- a/modules/azure-local-network-gateway/README.md
+++ b/modules/azure-local-network-gateway/README.md
@@ -9,7 +9,7 @@
 
 | Name | Version |
 |------|---------|
-| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | n/a |
+| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | 3.12.0 |
 
 ## Modules
 
@@ -26,9 +26,8 @@ No modules.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_address_space"></a> [address\_space](#input\_address\_space) | The list of string CIDRs representing the address spaces the gateway exposes. | `list(string)` | `[]` | no |
-| <a name="input_bgp_settings"></a> [bgp\_settings](#input\_bgp\_settings) | The Local Network Gateway's BGP speaker settings. | <pre>list(object({<br>    asn = number<br>    bgp_peering_address = string<br>    peer_weight = optional(number)<br>  }))</pre> | `[]` | no |
-| <a name="input_gateway_address"></a> [gateway\_address](#input\_gateway\_address) | The gateway IP address to connect with. | `string` | `null` | no |
-| <a name="input_gateway_fqdn"></a> [gateway\_fqdn](#input\_gateway\_fqdn) | The gateway FQDN to connect with. | `string` | `null` | no |
+| <a name="input_bgp_settings"></a> [bgp\_settings](#input\_bgp\_settings) | The Local Network Gateway's BGP speaker settings. | <pre>list(object({<br>    asn                 = number<br>    bgp_peering_address = string<br>    peer_weight         = optional(number)<br>  }))</pre> | `[]` | no |
+| <a name="input_gateway"></a> [gateway](#input\_gateway) | gateway\_address - The gateway IP address to connect with.<br>gateway\_fqdn - The gateway FQDN to connect with. | <pre>object({<br>    address  = optional(string)<br>    fqdn = optional(string)<br>  })</pre> | <pre>{<br>  "address": null,<br>  "fqdn": null<br>}</pre> | no |
 | <a name="input_location"></a> [location](#input\_location) | The location in which this network security group will be provisioned. | `string` | n/a | yes |
 | <a name="input_name"></a> [name](#input\_name) | The name of the connection. | `string` | n/a | yes |
 | <a name="input_resource_group_name"></a> [resource\_group\_name](#input\_resource\_group\_name) | The name of the resource group in which this resource will be provisioned. | `string` | n/a | yes |
diff --git a/modules/azure-local-network-gateway/main.tf b/modules/azure-local-network-gateway/main.tf
index e4bdd7e..ddb2174 100644
--- a/modules/azure-local-network-gateway/main.tf
+++ b/modules/azure-local-network-gateway/main.tf
@@ -21,7 +21,7 @@ resource "azurerm_local_network_gateway" "remote" {
       peer_weight         = bgp_settings.value["peer_weight"]
     }
   }
-  gateway_address = var.gateway_address
-  gateway_fqdn    = var.gateway_fqdn
+  gateway_address = var.gateway.address
+  gateway_fqdn    = var.gateway.fqdn
   tags            = var.tags
 }
diff --git a/modules/azure-local-network-gateway/variables.tf b/modules/azure-local-network-gateway/vars.tf
similarity index 64%
rename from modules/azure-local-network-gateway/variables.tf
rename to modules/azure-local-network-gateway/vars.tf
index 4c6cbc5..8d43616 100644
--- a/modules/azure-local-network-gateway/variables.tf
+++ b/modules/azure-local-network-gateway/vars.tf
@@ -29,18 +29,23 @@ variable "bgp_settings" {
   default = []
 }
 
-# This is required if `gateway_fqdn` is not specified.
-variable "gateway_address" {
-  description = "The gateway IP address to connect with."
-  type        = string
-  default     = null
-}
-
-# This is required if `gateway_address` is not specified.
-variable "gateway_fqdn" {
-  description = "The gateway FQDN to connect with."
-  type        = string
-  default     = null
+variable "gateway" {
+  description = <<EOF
+gateway_address - The gateway IP address to connect with.
+gateway_fqdn - The gateway FQDN to connect with.
+EOF
+  type = object({
+    address = optional(string)
+    fqdn    = optional(string)
+  })
+  default = {
+    address = null
+    fqdn    = null
+  }
+  validation {
+    condition     = !(var.gateway.address == null && var.gateway.fqdn == null)
+    error_message = "Either of \"gateway_address\" or \"gateway_fqdn\" is required if the other is not specified."
+  }
 }
 
 variable "tags" {
diff --git a/modules/azure-network-security-rule/README.md b/modules/azure-network-security-rule/README.md
index ecd9404..9a5e753 100644
--- a/modules/azure-network-security-rule/README.md
+++ b/modules/azure-network-security-rule/README.md
@@ -27,22 +27,18 @@ No modules.
 |------|-------------|------|---------|:--------:|
 | <a name="input_access"></a> [access](#input\_access) | Specifies whether network traffic is allowed or denied. | `string` | n/a | yes |
 | <a name="input_description"></a> [description](#input\_description) | A description for this rule. | `string` | `null` | no |
-| <a name="input_destination_address_prefix"></a> [destination\_address\_prefix](#input\_destination\_address\_prefix) | CIDR or destination IP range or * to match any IP. | `string` | `null` | no |
-| <a name="input_destination_address_prefixes"></a> [destination\_address\_prefixes](#input\_destination\_address\_prefixes) | List of destination address prefixes. | `set(string)` | `null` | no |
+| <a name="input_destination_address"></a> [destination\_address](#input\_destination\_address) | destination\_address\_prefix - CIDR or destination IP range or `*` to match any IP. Tags such as `VirtualNetwork`, `AzureLoadBalancer` and `Internet` can also be used.<br>destination\_address\_prefixes - List of destination address prefixes. Tags may not be used. | <pre>object({<br>    prefix   = optional(string)<br>    prefixes = optional(set(string))<br>  })</pre> | <pre>{<br>  "prefix": null,<br>  "prefixes": null<br>}</pre> | no |
 | <a name="input_destination_application_security_group_ids"></a> [destination\_application\_security\_group\_ids](#input\_destination\_application\_security\_group\_ids) | List of destination Application Security Group ID's. | `set(string)` | `null` | no |
-| <a name="input_destination_port_range"></a> [destination\_port\_range](#input\_destination\_port\_range) | Destination Port or Range. | `string` | `null` | no |
-| <a name="input_destination_port_ranges"></a> [destination\_port\_ranges](#input\_destination\_port\_ranges) | List of destination ports or port ranges. | `set(string)` | `null` | no |
+| <a name="input_destination_port"></a> [destination\_port](#input\_destination\_port) | destination\_port\_range - Destination Port or Range. Integer or range between `0` and `65535` or `*` to match any.<br>destination\_port\_ranges - List of destination ports or port ranges. | <pre>object({<br>    range  = optional(string)<br>    ranges = optional(set(string))<br>  })</pre> | <pre>{<br>  "range": null,<br>  "ranges": null<br>}</pre> | no |
 | <a name="input_direction"></a> [direction](#input\_direction) | Specifies whether the rule will be evaluated on incoming or outgoing traffic. | `string` | n/a | yes |
 | <a name="input_name"></a> [name](#input\_name) | The name of the network security rule. | `string` | n/a | yes |
 | <a name="input_network_security_group_name"></a> [network\_security\_group\_name](#input\_network\_security\_group\_name) | The name of the network security group to which this rule will be attached. | `string` | n/a | yes |
 | <a name="input_priority"></a> [priority](#input\_priority) | Specifies the priority of the rule. | `number` | n/a | yes |
 | <a name="input_protocol"></a> [protocol](#input\_protocol) | The network protocol to which this rule applies. | `string` | n/a | yes |
 | <a name="input_resource_group_name"></a> [resource\_group\_name](#input\_resource\_group\_name) | The name of the resource group in which this resource will be provisioned. | `string` | n/a | yes |
-| <a name="input_source_address_prefix"></a> [source\_address\_prefix](#input\_source\_address\_prefix) | CIDR or source IP range or * to match any IP. | `string` | `null` | no |
-| <a name="input_source_address_prefixes"></a> [source\_address\_prefixes](#input\_source\_address\_prefixes) | List of source address prefixes. | `set(string)` | `null` | no |
+| <a name="input_source_address"></a> [source\_address](#input\_source\_address) | source\_address\_prefix - CIDR or source IP range or `*` to match any IP. Tags such as `VirtualNetwork`, `AzureLoadBalancer` and `Internet` can also be used.<br>source\_address\_prefixes - List of source address prefixes. Tags may not be used. | <pre>object({<br>    prefix   = optional(string)<br>    prefixes = optional(set(string))<br>  })</pre> | <pre>{<br>  "prefix": null,<br>  "prefixes": null<br>}</pre> | no |
 | <a name="input_source_application_security_group_ids"></a> [source\_application\_security\_group\_ids](#input\_source\_application\_security\_group\_ids) | List of source Application Security Group ID's. | `set(string)` | `null` | no |
-| <a name="input_source_port_range"></a> [source\_port\_range](#input\_source\_port\_range) | Source Port or Range. | `string` | `null` | no |
-| <a name="input_source_port_ranges"></a> [source\_port\_ranges](#input\_source\_port\_ranges) | List of source ports or port ranges. | `set(string)` | `null` | no |
+| <a name="input_source_port"></a> [source\_port](#input\_source\_port) | source\_port\_range - Source Port or Range. Integer or range between `0` and `65535` or `*` to match any.<br>source\_port\_ranges - List of source ports or port ranges. | <pre>object({<br>    range  = optional(string)<br>    ranges = optional(set(string))<br>  })</pre> | <pre>{<br>  "range": "*",<br>  "ranges": null<br>}</pre> | no |
 
 ## Outputs
 
diff --git a/modules/azure-network-security-rule/main.tf b/modules/azure-network-security-rule/main.tf
index bcf629d..a8a9cfb 100644
--- a/modules/azure-network-security-rule/main.tf
+++ b/modules/azure-network-security-rule/main.tf
@@ -4,6 +4,7 @@
 
 terraform {
   required_version = ">= 0.12"
+  experiments      = [module_variable_optional_attrs]
 }
 
 resource "azurerm_network_security_rule" "rule" {
@@ -16,15 +17,15 @@ resource "azurerm_network_security_rule" "rule" {
   priority                    = var.priority
   direction                   = var.direction
 
-  source_port_range                     = var.source_port_range
-  source_port_ranges                    = var.source_port_ranges
-  source_address_prefix                 = var.source_address_prefix
-  source_address_prefixes               = var.source_address_prefixes
+  source_port_range                     = var.source_port.range
+  source_port_ranges                    = var.source_port.ranges
+  source_address_prefix                 = var.source_address.prefix
+  source_address_prefixes               = var.source_address.prefixes
   source_application_security_group_ids = var.source_application_security_group_ids
 
-  destination_port_range                     = var.destination_port_range
-  destination_port_ranges                    = var.destination_port_ranges
-  destination_address_prefix                 = var.destination_address_prefix
-  destination_address_prefixes               = var.destination_address_prefixes
+  destination_port_range                     = var.destination_port.range
+  destination_port_ranges                    = var.destination_port.ranges
+  destination_address_prefix                 = var.destination_address.prefix
+  destination_address_prefixes               = var.destination_address.prefixes
   destination_application_security_group_ids = var.destination_application_security_group_ids
 }
diff --git a/modules/azure-network-security-rule/vars.tf b/modules/azure-network-security-rule/vars.tf
index b6abf08..fcaef58 100644
--- a/modules/azure-network-security-rule/vars.tf
+++ b/modules/azure-network-security-rule/vars.tf
@@ -66,32 +66,50 @@ variable "direction" {
   }
 }
 
-# This is required if `source_port_ranges` is not specified.
-variable "source_port_range" {
-  description = "Source Port or Range."
-  type        = string
-  default     = null
-}
-
-# This is required if `source_port_range` is not specified.
-variable "source_port_ranges" {
-  description = "List of source ports or port ranges."
-  type        = set(string)
-  default     = null
-}
-
-# This is required if `source_address_prefixes` is not specified.
-variable "source_address_prefix" {
-  description = "CIDR or source IP range or * to match any IP."
-  type        = string
-  default     = null
+variable "source_port" {
+  description = <<EOF
+source_port_range - Source Port or Range. Integer or range between `0` and `65535` or `*` to match any.
+source_port_ranges - List of source ports or port ranges.
+EOF
+  type = object({
+    range  = optional(string)
+    ranges = optional(set(string))
+  })
+  default = {
+    range  = "*"
+    ranges = null
+  }
+  validation {
+    condition     = !(var.source_port.range == null && var.source_port.ranges == null)
+    error_message = "Either of \"source_port_range\" or \"source_port_ranges\" is required if the other is not specified."
+  }
+  validation {
+    condition     = !(var.source_port.range != null && var.source_port.ranges != null)
+    error_message = "\"source_port_range\" and \"source_port_ranges\" are mutually exclusive."
+  }
 }
 
-# This is required if `source_address_prefix` is not specified.
-variable "source_address_prefixes" {
-  description = "List of source address prefixes."
-  type        = set(string)
-  default     = null
+variable "source_address" {
+  description = <<EOF
+source_address_prefix - CIDR or source IP range or `*` to match any IP. Tags such as `VirtualNetwork`, `AzureLoadBalancer` and `Internet` can also be used.
+source_address_prefixes - List of source address prefixes. Tags may not be used.
+EOF
+  type = object({
+    prefix   = optional(string)
+    prefixes = optional(set(string))
+  })
+  default = {
+    prefix   = null
+    prefixes = null
+  }
+  validation {
+    condition     = !(var.source_address.prefix == null && var.source_address.prefixes == null)
+    error_message = "Either of \"source_address_prefix\" or \"source_address_prefixes\" is required if the other is not specified."
+  }
+  validation {
+    condition     = !(var.source_address.prefix != null && var.source_address.prefixes != null)
+    error_message = "\"source_address_prefix\" and \"source_address_prefixes\" are mutually exclusive."
+  }
 }
 
 variable "source_application_security_group_ids" {
@@ -100,32 +118,50 @@ variable "source_application_security_group_ids" {
   default     = null
 }
 
-# This is required if `destination_port_ranges` is not specified.
-variable "destination_port_range" {
-  description = "Destination Port or Range."
-  type        = string
-  default     = null
-}
-
-# This is required if `destination_port_range` is not specified.
-variable "destination_port_ranges" {
-  description = "List of destination ports or port ranges."
-  type        = set(string)
-  default     = null
-}
-
-# This is required if `destination_address_prefixes` is not specified.
-variable "destination_address_prefix" {
-  description = "CIDR or destination IP range or * to match any IP."
-  type        = string
-  default     = null
+variable "destination_port" {
+  description = <<EOF
+destination_port_range - Destination Port or Range. Integer or range between `0` and `65535` or `*` to match any.
+destination_port_ranges - List of destination ports or port ranges.
+EOF
+  type = object({
+    range  = optional(string)
+    ranges = optional(set(string))
+  })
+  default = {
+    range  = null
+    ranges = null
+  }
+  validation {
+    condition     = !(var.destination_port.range == null && var.destination_port.ranges == null)
+    error_message = "Either of \"destination_port_range\" or \"destination_port_ranges\" is required if the other is not specified."
+  }
+  validation {
+    condition     = !(var.destination_port.range != null && var.destination_port.ranges != null)
+    error_message = "\"destination_port_range\" and \"destination_port_ranges\" are mutually exclusive."
+  }
 }
 
-# This is required if `destination_address_prefix` is not specified.
-variable "destination_address_prefixes" {
-  description = "List of destination address prefixes."
-  type        = set(string)
-  default     = null
+variable "destination_address" {
+  description = <<EOF
+destination_address_prefix - CIDR or destination IP range or `*` to match any IP. Tags such as `VirtualNetwork`, `AzureLoadBalancer` and `Internet` can also be used.
+destination_address_prefixes - List of destination address prefixes. Tags may not be used.
+EOF
+  type = object({
+    prefix   = optional(string)
+    prefixes = optional(set(string))
+  })
+  default = {
+    prefix   = null
+    prefixes = null
+  }
+  validation {
+    condition     = !(var.destination_address.prefix == null && var.destination_address.prefixes == null)
+    error_message = "Either of \"destination_address_prefix\" or \"destination_address_prefixes\" is required if the other is not specified."
+  }
+  validation {
+    condition     = !(var.destination_address.prefix != null && var.destination_address.prefixes != null)
+    error_message = "\"destination_address_prefix\" and \"destination_address_prefixes\" are mutually exclusive."
+  }
 }
 
 variable "destination_application_security_group_ids" {
diff --git a/modules/azure-virtual-network-gateway-connection/variables.tf b/modules/azure-virtual-network-gateway-connection/vars.tf
similarity index 100%
rename from modules/azure-virtual-network-gateway-connection/variables.tf
rename to modules/azure-virtual-network-gateway-connection/vars.tf