From e19de864d0c6b3bea7f76c63f640459215cc1095 Mon Sep 17 00:00:00 2001 From: Tim Payne Date: Fri, 21 May 2021 14:57:06 +0100 Subject: [PATCH] Modulise bastion logic as used a lot --- .../Azure/templates/bastionhost/bastion.tf | 73 ++------ .../Azure/templates/bastionhost/outputs.tf | 2 +- .../modules/bastionproxyhost/main.tf | 101 +++++++++++ .../modules/bastionproxyhost/outputs.tf | 26 +++ .../modules/bastionproxyhost/variables.tf | 157 ++++++++++++++++++ .../templates/modules/pgdatabase/dbproxy.tf | 76 ++------- .../templates/modules/pgdatabase/main.tf | 8 +- .../templates/modules/pgdatabase/outputs.tf | 5 +- .../Azure/templates/vpn-classic/bastion.tf | 76 ++------- .../Azure/templates/vpn-classic/outputs.tf | 3 +- 10 files changed, 337 insertions(+), 190 deletions(-) create mode 100644 samples/Azure/templates/modules/bastionproxyhost/main.tf create mode 100644 samples/Azure/templates/modules/bastionproxyhost/outputs.tf create mode 100644 samples/Azure/templates/modules/bastionproxyhost/variables.tf diff --git a/samples/Azure/templates/bastionhost/bastion.tf b/samples/Azure/templates/bastionhost/bastion.tf index 2f13b58..e28fcdd 100644 --- a/samples/Azure/templates/bastionhost/bastion.tf +++ b/samples/Azure/templates/bastionhost/bastion.tf 
@@ -31,64 +31,23 @@ #------------------------------ # Frontend bastion host... #------------------------------ -# Create public IP -resource "azurerm_public_ip" "fepublicip001" { - name = "${var.project}-PubIpAddr001" - location = azurerm_resource_group.resourceGroup.location - resource_group_name = azurerm_resource_group.resourceGroup.name - allocation_method = "Static" +# + +module "bastionhost" { + source = "../modules/bastionproxyhost" + name = "${var.project}bastionhost" + + resource_group = azurerm_resource_group.resourceGroup.name + location = azurerm_resource_group.resourceGroup.location + subnet_id = azurerm_subnet.frontend_subnet.id + machine_type = var.machine_types.micro + tags = var.tags + image = var.images.ubunto18 + custom_data = null + storage_endpoint = module.mig.vmss-storage-endpoint + admin_user = var.admin_user + admin_pwd = var.admin_pwd } -# Create network interface -resource "azurerm_network_interface" "fe_nic01" { - name = "NIC001" - location = azurerm_resource_group.resourceGroup.location - resource_group_name = azurerm_resource_group.resourceGroup.name - - ip_configuration { - name = "nic001" - subnet_id = azurerm_subnet.frontend_subnet.id - private_ip_address_allocation = "dynamic" - public_ip_address_id = azurerm_public_ip.fepublicip001.id - } -} - -resource "azurerm_virtual_machine" "bastionhost" { - name = "${var.project}-bastionhost" - location = azurerm_resource_group.resourceGroup.location - resource_group_name = azurerm_resource_group.resourceGroup.name - network_interface_ids = [azurerm_network_interface.fe_nic01.id] - vm_size = var.machine_types.micro - tags = var.tags - - storage_os_disk { - name = "bastionhost" - caching = "ReadWrite" - create_option = "FromImage" - managed_disk_type = var.sku_storage.localrs - } - - storage_image_reference { - publisher = "Canonical" - offer = "UbuntuServer" - sku = lookup(var.sku, azurerm_resource_group.resourceGroup.location) - version = "latest" - } - - os_profile { - computer_name = 
"bastionhost" - admin_username = var.admin_user - admin_password = var.admin_pwd - } - - os_profile_linux_config { - disable_password_authentication = false - } - - boot_diagnostics { - enabled = true - storage_uri = module.mig.vmss-storage-endpoint - } -} diff --git a/samples/Azure/templates/bastionhost/outputs.tf b/samples/Azure/templates/bastionhost/outputs.tf index d8404d8..a4742c3 100644 --- a/samples/Azure/templates/bastionhost/outputs.tf +++ b/samples/Azure/templates/bastionhost/outputs.tf @@ -20,7 +20,7 @@ * SOFTWARE. */ output "bastionhost-ip" { - value = azurerm_public_ip.fepublicip001.ip_address + value = module.bastionhost.proxyhost-ip } output "loadbalancer-ip" { diff --git a/samples/Azure/templates/modules/bastionproxyhost/main.tf b/samples/Azure/templates/modules/bastionproxyhost/main.tf new file mode 100644 index 0000000..be0b344 --- /dev/null +++ b/samples/Azure/templates/modules/bastionproxyhost/main.tf 
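Review bot: Moving the `azurerm_public_ip`/`azurerm_network_interface`/`azurerm_virtual_machine` resources into `module "bastionhost"` changes every resource address, so on an already-deployed environment `terraform apply` will destroy the bastion and its static public IP and recreate them under `module.bastionhost.*`, and the address exported as `bastionhost-ip` changes; the dbproxy.tf and vpn-classic/bastion.tf hunks have the same effect. Unless a new address is acceptable, move the state first, e.g. `terraform state mv azurerm_public_ip.fepublicip001 module.bastionhost.azurerm_public_ip.proxyip` (and likewise for `fe_nic01` → `proxynic01` and `bastionhost` → `proxyvm`), which also keeps any allow-lists keyed on that IP valid. `image = var.images.ubunto18` is resolved inside the module as `var.profile_image[lower(var.image)]`, whose default keys are `ubuntu1604`, `ubuntu1804`, …; `var.images` is not in this diff, so confirm it yields one of those keys, and note that this replaces the old location-dependent `lookup(var.sku, …)` SKU with the module's fixed `18.04-LTS`. `sku_storage` is no longer passed, so the module's default `Standard_LRS` applies whatever the caller's `var.sku_storage` says.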
@@ -0,0 +1,101 @@
+/**
+ * MIT License
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+# This section will declare the providers needed...
+# terraform init -upgrade
+# DEBUG - export TF_LOG=DEBUG
+
+##############################
+# Create compute resources...
+##############################
+
+
+#------------------------------
+# Frontend bastion host...
+#------------------------------
+# Create public IP
+resource "azurerm_public_ip" "proxyip" {
+ name = var.name
+ location = var.location
+ resource_group_name = var.resource_group
+ allocation_method = "Static"
+}
+
+# Create network interface
+resource "azurerm_network_interface" "proxynic01" {
+ name = var.name
+ location = var.location
+ resource_group_name = var.resource_group
+
+ ip_configuration {
+ name = var.name
+ subnet_id = var.subnet_id
+ private_ip_address_allocation = "dynamic"
+ public_ip_address_id = azurerm_public_ip.proxyip.id
+ }
+}
+
+resource "azurerm_virtual_machine" "proxyvm" {
+ name = var.name
+ location = var.location
+ resource_group_name = var.resource_group
+ network_interface_ids = [azurerm_network_interface.proxynic01.id]
+ vm_size = var.machine_type
+ tags = var.tags
+
+ storage_os_disk {
+ name = var.name
+ caching = "ReadWrite"
+ create_option = "FromImage"
+ managed_disk_type = var.sku_storage.localrs
+ }
+
+ dynamic "storage_image_reference" {
+
+ for_each = [1]
+
+ content {
+ publisher = var.profile_image[lower(var.image)]["publisher"]
+ offer = var.profile_image[lower(var.image)]["offer"]
+ sku = var.profile_image[lower(var.image)]["sku"]
+ version = var.profile_image[lower(var.image)]["version"]
+ }
+ }
+
+ os_profile {
+ computer_name = var.name
+ admin_username = var.admin_user
+ admin_password = var.admin_pwd
+ custom_data = var.custom_data
+ }
+
+ os_profile_linux_config {
+ disable_password_authentication = false
+ }
+
+ boot_diagnostics {
+ enabled = true
+ storage_uri = var.storage_endpoint
+ }
+}
+
+
diff --git a/samples/Azure/templates/modules/bastionproxyhost/outputs.tf b/samples/Azure/templates/modules/bastionproxyhost/outputs.tf
new file mode 100644
index 0000000..b7afeb3
--- /dev/null
+++ b/samples/Azure/templates/modules/bastionproxyhost/outputs.tf
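Review bot: `os_profile_linux_config { disable_password_authentication = false }` on a VM that is given a static public IP means the shared bastion accepts password SSH on its public address, with `var.admin_pwd` as the only credential and no network security group attached to `proxynic01` in this module, so exposure depends entirely on the caller's subnet NSG. The callers already behaved this way, but a shared module is the right place to change the default: prefer key-based login and make password auth an explicit opt-in, as in the excerpt below (new inputs `ssh_public_key` and `password_auth_enabled` would be declared in variables.tf; the latter would default to `true` only if existing callers must keep working without supplying a key). A comment on the public IP would also help the reader: `# No NSG is attached in this module; the caller's subnet must restrict inbound access to this address.` `azurerm_virtual_machine` is the legacy resource and `azurerm_linux_virtual_machine` would drop the `os_profile*` blocks and default to key-only auth, but that is a larger change than this refactor.
```hcl
  os_profile_linux_config {
    # Key-based login unless the caller explicitly opts in to passwords.
    disable_password_authentication = !var.password_auth_enabled

    # Emit the key block only when a key was supplied, so an empty value is never sent.
    dynamic "ssh_keys" {
      for_each = var.ssh_public_key == "" ? [] : [var.ssh_public_key]
      content {
        path     = "/home/${var.admin_user}/.ssh/authorized_keys"
        key_data = ssh_keys.value
      }
    }
  }
  # … unchanged: boot_diagnostics …
```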
@@ -0,0 +1,26 @@
+/**
+ * MIT License
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+output "proxyhost-ip" {
+ description = "The IP of the proxy/bastion host"
+ value = azurerm_public_ip.proxyip.ip_address
+}
\ No newline at end of file
diff --git a/samples/Azure/templates/modules/bastionproxyhost/variables.tf b/samples/Azure/templates/modules/bastionproxyhost/variables.tf
new file mode 100644
index 0000000..949aec4
--- /dev/null
+++ b/samples/Azure/templates/modules/bastionproxyhost/variables.tf
@@ -0,0 +1,157 @@
+/**
+ * MIT License
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+# Declare variables that can be used. They do not need to be populated...
+
+variable "name" {
+ type = string # Type - not needed, but showing it...
+ default = ""
+}
+
+variable "resource_group" {
+ type = string # Type - not needed, but showing it...
+ default = ""
+}
+
+variable "location" {
+ type = string # Type - not needed, but showing it...
+ default = ""
+}
+
+variable "subnet_id" {
+ description = "Name of the subnetwork to create resources in."
+ default = ""
+}
+
+variable "sku_storage" {
+ type = map(any)
+ default = {
+ localrs = "Standard_LRS"
+ }
+}
+
+variable "image" {
+ description = "The image to use"
+ default = ""
+}
+
+variable "profile_image" {
+
+ type = map(object({
+ publisher = string
+ offer = string
+ sku = string
+ version = string
+ }))
+
+ default = {
+ ubuntu1604 = {
+ publisher = "Canonical"
+ offer = "UbuntuServer"
+ sku = "16.04-LTS"
+ version = "latest"
+ }
+
+ ubuntu1804 = {
+ publisher = "Canonical"
+ offer = "UbuntuServer"
+ sku = "18.04-LTS"
+ version = "latest"
+ }
+
+ centos8 = {
+ publisher = "OpenLogic"
+ offer = "CentOS"
+ sku = "7.5"
+ version = "latest"
+ }
+
+ coreos = {
+ publisher = "CoreOS"
+ offer = "CoreOS"
+ sku = "Stable"
+ version = "latest"
+ }
+
+ windows2012r2dc = {
+ publisher = "MicrosoftWindowsServer"
+ offer = "WindowsServer"
+ sku = "2012-R2-Datacenter"
+ version = "latest"
+ }
+
+ windows2016dc = {
+ publisher = "MicrosoftWindowsServer"
+ offer = "WindowsServer"
+ sku = "2016-Datacenter"
+ version = "latest"
+ }
+
+ windows2019dc = {
+ publisher = "MicrosoftWindowsServer"
+ offer = "WindowsServer"
+ sku = "2019-Datacenter"
+ version = "latest"
+ }
+
+ mssql2017exp = {
+ publisher = "MicrosoftSQLServer"
+ offer = "SQL2017-WS2016"
+ sku = "Express"
+ version = "latest"
+ }
+ }
+}
+
+variable "machine_type" {
+ description = "The type to use"
+ default = ""
+}
+
+variable "storage_endpoint" {
+ description = "The log endpoint to use"
+ default = ""
+}
+
+variable "custom_data" {
+ description = "The custom start data to use"
+ default = ""
+}
+
+variable "tags" {
+ type = map(any)
+ default = {
+ }
+}
+
+variable "admin_user" {
+ type = string # Type - not needed, but showing it...
+ default = ""
+}
+
+variable "admin_pwd" {
+ type = string # Type - not needed, but showing it...
+ default = ""
+}
+
+
+
+
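Review bot: `admin_pwd` is declared as a plain `string` with `default = ""`, so the password is printed unredacted in `terraform plan` output and any captured logs; if the Terraform version in use is 0.14 or later, add `sensitive = true` to it (arguably to `admin_user` too) and say in a comment that the value is still written to the state file. Every input, including the ones the module cannot function without (`name`, `resource_group`, `location`, `subnet_id`, `admin_user`, `admin_pwd`), defaults to `""`, so a caller that omits one gets a plan that tries to create resources with empty names rather than a validation error; removing those defaults makes the inputs required. The `subnet_id` description reads "Name of the subnetwork", but main.tf passes it straight to the NIC's `subnet_id`, so it is the resource ID: `description = "ID of the subnet to create the NIC in."`. The `centos8` entry of `profile_image` carries `sku = "7.5"`, which does not match its key, so either the key or the SKU looks wrong.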
diff --git a/samples/Azure/templates/modules/pgdatabase/dbproxy.tf b/samples/Azure/templates/modules/pgdatabase/dbproxy.tf index 1f26e27..07f5f2d 100644 --- a/samples/Azure/templates/modules/pgdatabase/dbproxy.tf +++ b/samples/Azure/templates/modules/pgdatabase/dbproxy.tf 
@@ -35,70 +35,22 @@ data "template_file" "dbproxy-startup-script" { #------------------------------ # Frontend bastion host... #------------------------------ -# Create public IP -resource "azurerm_public_ip" "dbproxy_ip" { - name = "${var.name}-DbPubIpAddr001" - location = var.location - resource_group_name = var.resource_group - allocation_method = "Static" +module "dbproxy" { + source = "../../modules/bastionproxyhost" + name = "${var.name}dbproxy" + + resource_group = var.resource_group + location = var.location + subnet_id = var.subnet_id + machine_type = var.machine_type + tags = var.tags + image = var.image + custom_data = data.template_file.dbproxy-startup-script.rendered + storage_endpoint = var.storage_endpoint + admin_user = var.admin_user + admin_pwd = var.admin_pwd } -# Create network interface -resource "azurerm_network_interface" "db_nic01" { - name = "${var.name}dbnic01" - location = var.location - resource_group_name = var.resource_group - ip_configuration { - name = "${var.name}dbnic01" - subnet_id = var.subnet_id - private_ip_address_allocation = "dynamic" - public_ip_address_id = azurerm_public_ip.dbproxy_ip.id - } -} - -resource "azurerm_virtual_machine" "dbproxy" { - name = "${var.name}-dbproxy" - location = var.location - resource_group_name = var.resource_group - network_interface_ids = [azurerm_network_interface.db_nic01.id] - vm_size = var.machine_type - tags = var.tags - - storage_os_disk { - name = "dbproxy" - caching = "ReadWrite" - create_option = "FromImage" - managed_disk_type = var.sku_storage.localrs - } - - dynamic "storage_image_reference" { - - for_each = [1] - - content { - publisher = var.profile_image[lower(var.image)]["publisher"] - offer = var.profile_image[lower(var.image)]["offer"] - sku = var.profile_image[lower(var.image)]["sku"] - version = var.profile_image[lower(var.image)]["version"] - } - } - - os_profile { - computer_name = "dbproxy" - admin_username = var.admin_user - admin_password = var.admin_pwd - custom_data 
= data.template_file.dbproxy-startup-script.rendered - } - - os_profile_linux_config { - disable_password_authentication = false - } - - boot_diagnostics { - enabled = true - storage_uri = var.storage_endpoint - } -} diff --git a/samples/Azure/templates/modules/pgdatabase/main.tf b/samples/Azure/templates/modules/pgdatabase/main.tf index fa3c9c5..4c8cae7 100644 --- a/samples/Azure/templates/modules/pgdatabase/main.tf +++ b/samples/Azure/templates/modules/pgdatabase/main.tf @@ -35,8 +35,8 @@ resource "azurerm_postgresql_server" "dbserver" { administrator_login = var.admin_user administrator_login_password = var.admin_pwd - sku_name = var.sku - version = var.dbversion + sku_name = var.sku + version = var.dbversion backup_retention_days = 7 geo_redundant_backup_enabled = true @@ -51,8 +51,8 @@ resource "azurerm_postgresql_server" "dbserver" { } threat_detection_policy { - enabled = true - storage_endpoint = var.storage_endpoint + enabled = true + storage_endpoint = var.storage_endpoint storage_account_access_key = var.storage_accesskey } diff --git a/samples/Azure/templates/modules/pgdatabase/outputs.tf b/samples/Azure/templates/modules/pgdatabase/outputs.tf index 8a9de8b..81aa9be 100644 --- a/samples/Azure/templates/modules/pgdatabase/outputs.tf +++ b/samples/Azure/templates/modules/pgdatabase/outputs.tf @@ -37,5 +37,6 @@ output "dbserver-ip" { output "dbproxy-ip" { description = "The IP of the PostgreSQL proxy" - value = azurerm_public_ip.dbproxy_ip.ip_address -} \ No newline at end of file + value = module.dbproxy.proxyhost-ip +} + diff --git a/samples/Azure/templates/vpn-classic/bastion.tf b/samples/Azure/templates/vpn-classic/bastion.tf index b6695fc..c023da3 100644 --- a/samples/Azure/templates/vpn-classic/bastion.tf +++ b/samples/Azure/templates/vpn-classic/bastion.tf 
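Review bot: The dbproxy's image and disk SKU are now resolved from the bastionproxyhost module's own `profile_image` and `sku_storage` defaults, because neither is passed in the new `module "dbproxy"` block, whereas the removed lines read them from the pgdatabase module's variables; if pgdatabase still declares those inputs (its variables.tf is not in this diff) they are now dead, and a caller that customised them gets the module defaults silently. Either forward them — `profile_image = var.profile_image` and `sku_storage = var.sku_storage`, both of which the new module declares — or remove them from pgdatabase. `custom_data = data.template_file.dbproxy-startup-script.rendered` passes the rendered startup script through unchanged; the template is defined above this hunk, so a one-line comment here saying that the rendered script appears in plan output would help a reader decide whether it may embed database credentials.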
@@ -27,69 +27,21 @@ ############################## # Create compute resources... ############################## - -#------------------------------ -# Frontend bastion host... -#------------------------------ - -# Create public IP -resource "azurerm_public_ip" "fepublicip001" { - name = "${var.project}-PubIpAddr001" - location = azurerm_resource_group.resourceGroup.location - resource_group_name = azurerm_resource_group.resourceGroup.name - allocation_method = "Static" -} - -# Create network interface -resource "azurerm_network_interface" "fe_nic01" { - name = "NIC001" - location = azurerm_resource_group.resourceGroup.location - resource_group_name = azurerm_resource_group.resourceGroup.name - - ip_configuration { - name = "nic001" - subnet_id = azurerm_subnet.frontend_subnet.id - private_ip_address_allocation = "dynamic" - public_ip_address_id = azurerm_public_ip.fepublicip001.id - } +module "bastionhost" { + source = "../modules/bastionproxyhost" + name = "${var.project}bastionhost" + + resource_group = azurerm_resource_group.resourceGroup.name + location = azurerm_resource_group.resourceGroup.location + subnet_id = azurerm_subnet.frontend_subnet.id + machine_type = var.machine_types.micro + tags = var.tags + image = var.images.ubunto18 + custom_data = null + storage_endpoint = module.mig.vmss-storage-endpoint + admin_user = var.admin_user + admin_pwd = var.admin_pwd } -resource "azurerm_virtual_machine" "bastionhost" { - name = "${var.project}-bastionhost" - location = azurerm_resource_group.resourceGroup.location - resource_group_name = azurerm_resource_group.resourceGroup.name - network_interface_ids = [azurerm_network_interface.fe_nic01.id] - vm_size = var.machine_types.micro - tags = var.tags - - storage_os_disk { - name = "bastionhost" - caching = "ReadWrite" - create_option = "FromImage" - managed_disk_type = var.sku_storage.localrs - } - - storage_image_reference { - publisher = "Canonical" - offer = "UbuntuServer" - sku = lookup(var.sku, 
azurerm_resource_group.resourceGroup.location) - version = "latest" - } - - os_profile { - computer_name = "bastionhost" - admin_username = var.admin_user - admin_password = var.admin_pwd - } - - os_profile_linux_config { - disable_password_authentication = false - } - - boot_diagnostics { - enabled = true - storage_uri = module.mig.vmss-storage-endpoint - } -} diff --git a/samples/Azure/templates/vpn-classic/outputs.tf b/samples/Azure/templates/vpn-classic/outputs.tf index cbb62e1..e205a9d 100644 --- a/samples/Azure/templates/vpn-classic/outputs.tf +++ b/samples/Azure/templates/vpn-classic/outputs.tf @@ -21,8 +21,7 @@ */ output "bastionhost-ip" { - // value = azurerm_network_interface.fe_nic01.*.private_ip_address - value = azurerm_public_ip.fepublicip001.ip_address + value = module.bastionhost.proxyhost-ip } output "loadbalancer-ip" {