From 9042a960bb2859a2a665ab61b7e0021f776df8e4 Mon Sep 17 00:00:00 2001 From: Rob Gil Date: Wed, 22 Jan 2020 19:35:19 -0500 Subject: [PATCH 01/16] Adds configurable service endpoints to subnets in the vpc module --- terraform/modules/vpc/main.tf | 2 ++ terraform/modules/vpc/variables.tf | 6 ++++++ 2 files changed, 8 insertions(+) diff --git a/terraform/modules/vpc/main.tf b/terraform/modules/vpc/main.tf index dbbe4bfa..a27f2139 100644 --- a/terraform/modules/vpc/main.tf +++ b/terraform/modules/vpc/main.tf @@ -39,6 +39,8 @@ resource "azurerm_subnet" "subnet" { lifecycle { ignore_changes = [route_table_id] } + + service_endpoints = split(",", var.service_endpoints[each.key]) #delegation { # name = "acctestdelegation" # diff --git a/terraform/modules/vpc/variables.tf b/terraform/modules/vpc/variables.tf index 9f331534..ac2dbac9 100644 --- a/terraform/modules/vpc/variables.tf +++ b/terraform/modules/vpc/variables.tf @@ -46,3 +46,9 @@ variable "gateway_subnet" { type = string description = "The Subnet CIDR that we'll use for the virtual_network_gateway 'GatewaySubnet'" } + +variable "service_endpoints" { + type = map + description = "A map of the service endpoints and its mapping to subnets" + +} From 01703b1488d6899ac149f92180f433e0f7e4e9ee Mon Sep 17 00:00:00 2001 From: Rob Gil Date: Wed, 22 Jan 2020 19:35:54 -0500 Subject: [PATCH 02/16] Configures storage buckets to be optionally exposed via service endpoints --- terraform/modules/bucket/main.tf | 6 ++++++ terraform/modules/bucket/variables.tf | 11 +++++++++++ terraform/providers/dev/buckets.tf | 4 ++++ terraform/providers/dev/variables.tf | 8 ++++++++ terraform/providers/dev/vpc.tf | 21 +++++++++++---------- 5 files changed, 40 insertions(+), 10 deletions(-) diff --git a/terraform/modules/bucket/main.tf b/terraform/modules/bucket/main.tf index 13231685..f8e7b9d7 100644 --- a/terraform/modules/bucket/main.tf +++ b/terraform/modules/bucket/main.tf 
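Review bot: `service_endpoints = split(",", var.service_endpoints[each.key])` produces `[""]` rather than an empty list whenever a subnet's entry is the empty string, and the dev default `public = ""` added in PATCH 02 (dev/variables.tf) is exactly that case; the "infinite state loop" later worked around in PATCH 09 and PATCH 11 by giving subnets endpoints they do not need looks like this symptom. `service_endpoints = compact(split(",", lookup(var.service_endpoints, each.key, "")))` drops the empty element and also tolerates a subnet key with no entry in the map, so a subnet without endpoints stays without endpoints. The enclosing `resource "azurerm_subnet" "subnet"` block starts and ends outside the hunk.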
@@ -9,6 +9,12 @@ resource "azurerm_storage_account" "bucket" { location = azurerm_resource_group.bucket.location account_tier = "Standard" account_replication_type = "LRS" + + network_rules { + default_action = var.policy + virtual_network_subnet_ids = var.subnet_ids + #ip_rules = ["66.220.238.246/30"] + } } resource "azurerm_storage_container" "bucket" { diff --git a/terraform/modules/bucket/variables.tf b/terraform/modules/bucket/variables.tf index 6278355e..7b2ae300 100644 --- a/terraform/modules/bucket/variables.tf +++ b/terraform/modules/bucket/variables.tf @@ -29,3 +29,14 @@ variable "service_name" { description = "Name of the service using this bucket" type = string } + +variable "subnet_ids" { + description = "List of subnet_ids that will have access to this service" + type = list +} + +variable "policy" { + description = "The default policy for the network access rules (Allow/Deny)" + default = "Deny" + type = string +} diff --git a/terraform/providers/dev/buckets.tf b/terraform/providers/dev/buckets.tf index d58987fc..d798214f 100644 --- a/terraform/providers/dev/buckets.tf +++ b/terraform/providers/dev/buckets.tf @@ -5,6 +5,8 @@ module "task_order_bucket" { name = var.name environment = var.environment region = var.region + policy = "Deny" + subnet_ids = [module.vpc.subnets] } module "tf_state" { @@ -14,4 +16,6 @@ module "tf_state" { name = var.name environment = var.environment region = var.region + policy = "Allow" + subnet_ids = [] } diff --git a/terraform/providers/dev/variables.tf b/terraform/providers/dev/variables.tf index 32ba5688..fc3afa30 100644 --- a/terraform/providers/dev/variables.tf +++ b/terraform/providers/dev/variables.tf @@ -36,6 +36,14 @@ variable "networks" { } } +variable "service_endpoints" { + type = map + default = { + public = "" + private = "Microsoft.Storage,Microsoft.KeyVault" + } +} + variable "gateway_subnet" { type = string default = "10.1.20.0/24" 
diff --git a/terraform/providers/dev/vpc.tf b/terraform/providers/dev/vpc.tf index b7fac8ae..44ecf35c 100644 --- a/terraform/providers/dev/vpc.tf +++ b/terraform/providers/dev/vpc.tf @@ -1,13 +1,14 @@ module "vpc" { - source = "../../modules/vpc/" - environment = var.environment - region = var.region - virtual_network = var.virtual_network - networks = var.networks - gateway_subnet = var.gateway_subnet - route_tables = var.route_tables - owner = var.owner - name = var.name - dns_servers = var.dns_servers + source = "../../modules/vpc/" + environment = var.environment + region = var.region + virtual_network = var.virtual_network + networks = var.networks + gateway_subnet = var.gateway_subnet + route_tables = var.route_tables + owner = var.owner + name = var.name + dns_servers = var.dns_servers + service_endpoints = var.service_endpoints } From 635ccb0fd349a60f495ad3f682cbfddd226097e2 Mon Sep 17 00:00:00 2001 From: Rob Gil Date: Wed, 22 Jan 2020 19:36:33 -0500 Subject: [PATCH 03/16] Fixes postgres character collation --- terraform/modules/postgres/main.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/terraform/modules/postgres/main.tf b/terraform/modules/postgres/main.tf index 641c4102..c3252264 100644 --- a/terraform/modules/postgres/main.tf +++ b/terraform/modules/postgres/main.tf @@ -37,9 +37,9 @@ resource "azurerm_postgresql_virtual_network_rule" "sql" { } resource "azurerm_postgresql_database" "db" { - name = "${var.environment}-atat" + name = "${var.name}-${var.environment}-atat" resource_group_name = azurerm_resource_group.sql.name server_name = azurerm_postgresql_server.sql.name charset = "UTF8" - collation = "en_US.utf8" + collation = "en-US" } From d22357e6093bd175d23feeadca733cedebfdd9eb Mon Sep 17 00:00:00 2001 From: Rob Gil Date: Wed, 22 Jan 2020 19:37:04 -0500 Subject: [PATCH 04/16] Adds step to manually configure MFA in AD --- terraform/README.md | 1 + 1 file changed, 1 insertion(+) 
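Review bot: Both `name` and `collation` on `azurerm_postgresql_database` are, as far as I know, replacement attributes in the azurerm provider, so this hunk destroys and recreates the `atat` database together with any data already in it, which neither the commit message nor the resource says. State that in the message and, for environments where the data matters, guard the resource with `lifecycle { prevent_destroy = true }` so a rename cannot drop it unnoticed. The `resource "azurerm_postgresql_database" "db"` block is fully inside the hunk.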
diff --git a/terraform/README.md b/terraform/README.md index 40460cb9..ec0fbdeb 100644 --- a/terraform/README.md +++ b/terraform/README.md @@ -281,3 +281,4 @@ secrets-tool secrets --keyvault https://ops-jedidev-keyvault.vault.azure.net/ cr `terraform apply` +*[Configure AD for MFA](https://docs.microsoft.com/en-us/azure/vpn-gateway/openvpn-azure-ad-mfa)* \ No newline at end of file From 48482785aca5b12e0f1eb68c1cf8c2a81dd79121 Mon Sep 17 00:00:00 2001 From: Rob Gil Date: Thu, 23 Jan 2020 10:02:31 -0500 Subject: [PATCH 05/16] Adds IP whitelisting to storage buckets --- terraform/modules/bucket/main.tf | 2 +- terraform/modules/bucket/variables.tf | 6 ++++++ terraform/providers/dev/buckets.tf | 12 ++++++++++-- terraform/providers/dev/variables.tf | 7 +++++++ 4 files changed, 24 insertions(+), 3 deletions(-) diff --git a/terraform/modules/bucket/main.tf b/terraform/modules/bucket/main.tf index f8e7b9d7..a92dc84f 100644 --- a/terraform/modules/bucket/main.tf +++ b/terraform/modules/bucket/main.tf @@ -13,7 +13,7 @@ resource "azurerm_storage_account" "bucket" { network_rules { default_action = var.policy virtual_network_subnet_ids = var.subnet_ids - #ip_rules = ["66.220.238.246/30"] + ip_rules = values(var.whitelist) } } diff --git a/terraform/modules/bucket/variables.tf b/terraform/modules/bucket/variables.tf index 7b2ae300..82367ed7 100644 --- a/terraform/modules/bucket/variables.tf +++ b/terraform/modules/bucket/variables.tf @@ -40,3 +40,9 @@ variable "policy" { default = "Deny" type = string } + +variable "whitelist" { + type = map + description = "A map of whitelisted IPs and CIDR ranges. For single IPs, Azure expects just the IP, NOT a /32." + default = {} +} diff --git a/terraform/providers/dev/buckets.tf b/terraform/providers/dev/buckets.tf index d798214f..ad2c7ab5 100644 --- a/terraform/providers/dev/buckets.tf +++ b/terraform/providers/dev/buckets.tf 
@@ -1,3 +1,5 @@ +# Task order bucket is required to be accessible publicly by the users. +# which is why the policy here is "Allow" module "task_order_bucket" { source = "../../modules/bucket" service_name = "jeditasksatat" @@ -5,10 +7,15 @@ module "task_order_bucket" { name = var.name environment = var.environment region = var.region - policy = "Deny" + policy = "Allow" subnet_ids = [module.vpc.subnets] + whitelist = var.admin_user_whitelist } +# TF State should be restricted to admins only, but IP protected +# This has to be public due to a chicken/egg issue of VPN not +# existing until TF is run. If this bucket is private, you would +# not be able to access it when running TF without being on a VPN. module "tf_state" { source = "../../modules/bucket" service_name = "jedidevtfstate" @@ -16,6 +23,7 @@ module "tf_state" { name = var.name environment = var.environment region = var.region - policy = "Allow" + policy = "Deny" subnet_ids = [] + whitelist = var.admin_user_whitelist } diff --git a/terraform/providers/dev/variables.tf b/terraform/providers/dev/variables.tf index fc3afa30..573b6cc9 100644 --- a/terraform/providers/dev/variables.tf +++ b/terraform/providers/dev/variables.tf @@ -87,3 +87,10 @@ variable "admin_users" { "Dan Corrigan" = "7e852ceb-eb0d-49b1-b71e-e9dcd1082ffc" } } + +variable "admin_user_whitelist" { + type = map + default = { + "Rob Gil" = "66.220.238.246" + } +} From c31d68a18c13a31e601779c66af366c39d37ce45 Mon Sep 17 00:00:00 2001 From: Rob Gil Date: Thu, 23 Jan 2020 10:50:16 -0500 Subject: [PATCH 06/16] Makes client vpn cidr range configurable --- terraform/modules/vpc/main.tf | 2 +- terraform/modules/vpc/variables.tf | 6 ++++++ terraform/providers/dev/variables.tf | 8 +++++++- terraform/providers/dev/vpc.tf | 1 + 4 files changed, 15 insertions(+), 2 deletions(-) diff --git a/terraform/modules/vpc/main.tf b/terraform/modules/vpc/main.tf index a27f2139..d0ea9a2a 100644 --- a/terraform/modules/vpc/main.tf +++ b/terraform/modules/vpc/main.tf 
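Review bot: With `policy = "Allow"` on `task_order_bucket`, the `subnet_ids` and `whitelist` lines add nothing, because a default action of Allow already admits every source, yet a reader will assume the admin whitelist restricts this bucket. Either drop the two inert lines there or add `# default_action is Allow, so subnet_ids/whitelist below are no-ops kept for symmetry with tf_state`. In the second hunk the comment says the state bucket "has to be public" while the code sets `policy = "Deny"` with an IP allow-list; reword it to `# TF state: default Deny with admin IPs allowed; it cannot be VNet-only because the VPN does not exist until TF has run.`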
@@ -110,7 +110,7 @@ resource "azurerm_virtual_network_gateway" "vnet_gateway" { } vpn_client_configuration { - address_space = ["172.16.1.0/24"] + address_space = var.vpn_client_cidr vpn_client_protocols = ["OpenVPN"] } } \ No newline at end of file diff --git a/terraform/modules/vpc/variables.tf b/terraform/modules/vpc/variables.tf index ac2dbac9..aae7ef45 100644 --- a/terraform/modules/vpc/variables.tf +++ b/terraform/modules/vpc/variables.tf @@ -52,3 +52,9 @@ variable "service_endpoints" { description = "A map of the service endpoints and its mapping to subnets" } + +variable "vpn_client_cidr" { + type = list + description = "The CIDR range used for clients on the VPN" + default = ["172.16.0.0/16"] +} diff --git a/terraform/providers/dev/variables.tf b/terraform/providers/dev/variables.tf index 573b6cc9..467f806c 100644 --- a/terraform/providers/dev/variables.tf +++ b/terraform/providers/dev/variables.tf @@ -91,6 +91,12 @@ variable "admin_users" { variable "admin_user_whitelist" { type = map default = { - "Rob Gil" = "66.220.238.246" + "Rob Gil" = "66.220.238.246" + "Dan Corrigan Work" = "108.16.207.173" } } + +variable "vpn_client_cidr" { + type = list + default = ["172.16.255.0/24"] +} diff --git a/terraform/providers/dev/vpc.tf b/terraform/providers/dev/vpc.tf index 44ecf35c..8d43a82f 100644 --- a/terraform/providers/dev/vpc.tf +++ b/terraform/providers/dev/vpc.tf @@ -10,5 +10,6 @@ module "vpc" { name = var.name dns_servers = var.dns_servers service_endpoints = var.service_endpoints + vpn_client_cidr = var.vpn_client_cidr } From dab6cdb7dca7dce086d5a33e9674481f47688a37 Mon Sep 17 00:00:00 2001 From: Rob Gil Date: Thu, 23 Jan 2020 11:02:12 -0500 Subject: [PATCH 07/16] Locks down keyvaults to subnets and administrator ip addresses --- terraform/modules/keyvault/main.tf | 7 +++++++ terraform/modules/keyvault/variables.tf | 17 +++++++++++++++++ terraform/providers/dev/keyvault.tf | 3 +++ terraform/providers/dev/secrets.tf | 3 +++ 4 files changed, 30 insertions(+) 
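Review bot: The module-level default `["172.16.0.0/16"]` for `vpn_client_cidr` bakes a broad private range into a shared module, so a caller that forgets the variable silently gets a /16 client pool that can overlap other RFC1918 space it is routed to. Prefer no default, so each environment must choose (as dev does with `172.16.255.0/24`), and tighten the element type with `type = list(string)` in both the module and the dev variable.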
diff --git a/terraform/modules/keyvault/main.tf b/terraform/modules/keyvault/main.tf index ddfb8465..1df84367 100644 --- a/terraform/modules/keyvault/main.tf +++ b/terraform/modules/keyvault/main.tf @@ -13,6 +13,13 @@ resource "azurerm_key_vault" "keyvault" { sku_name = "premium" + network_acls { + default_action = var.policy + bypass = "AzureServices" + virtual_network_subnet_ids = var.subnet_ids + ip_rules = values(var.whitelist) + } + tags = { environment = var.environment owner = var.owner diff --git a/terraform/modules/keyvault/variables.tf b/terraform/modules/keyvault/variables.tf index d2484793..56e7cc13 100644 --- a/terraform/modules/keyvault/variables.tf +++ b/terraform/modules/keyvault/variables.tf @@ -32,3 +32,20 @@ variable "admin_principals" { type = map description = "A list of user principals who need access to manage the keyvault" } + +variable "subnet_ids" { + description = "List of subnet_ids that will have access to this service" + type = list +} + +variable "policy" { + description = "The default policy for the network access rules (Allow/Deny)" + default = "Deny" + type = string +} + +variable "whitelist" { + type = map + description = "A map of whitelisted IPs and CIDR ranges. For single IPs, Azure expects just the IP, NOT a /32." + default = {} +} \ No newline at end of file diff --git a/terraform/providers/dev/keyvault.tf b/terraform/providers/dev/keyvault.tf index 75f7b13d..4d35fa0f 100644 --- a/terraform/providers/dev/keyvault.tf +++ b/terraform/providers/dev/keyvault.tf @@ -7,5 +7,8 @@ module "keyvault" { tenant_id = var.tenant_id principal_id = "f9bcbe58-8b73-4957-aee2-133dc3e58063" admin_principals = var.admin_users + policy = "Deny" + subnet_ids = [module.vpc.subnets] + whitelist = var.admin_user_whitelist } diff --git a/terraform/providers/dev/secrets.tf b/terraform/providers/dev/secrets.tf index bccdcf50..7a67205e 100644 --- a/terraform/providers/dev/secrets.tf +++ b/terraform/providers/dev/secrets.tf 
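Review bot: The `whitelist` description in keyvault/variables.tf ("Azure expects just the IP, NOT a /32") is copied from the bucket module, but PATCH 08 changes the dev `admin_user_whitelist` to /32 entries and PATCH 09's message states that only storage rejects /32, so for Key Vault the text contradicts the values actually passed in. Once the /32 form is confirmed against Key Vault, reword it to `description = "A map of allowed IPs/CIDR ranges for network_acls (single hosts as /32)"`; the same copied text appears in container_registry/variables.tf in PATCH 08. In the main.tf hunk, `bypass = "AzureServices"` deliberately widens a Deny default and deserves a one-line comment naming which trusted services need it.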
@@ -7,4 +7,7 @@ module "operator_keyvault" { tenant_id = var.tenant_id principal_id = "" admin_principals = var.admin_users + policy = "Deny" + subnet_ids = [module.vpc.subnets] + whitelist = var.admin_user_whitelist } From 536eccdb909d4b0596e4e7ec356ba4466a0e9e10 Mon Sep 17 00:00:00 2001 From: Rob Gil Date: Thu, 23 Jan 2020 13:13:56 -0500 Subject: [PATCH 08/16] Container registry private networking and bucket cidr range fix --- terraform/modules/bucket/main.tf | 26 +++++++++--- terraform/modules/container_registry/main.tf | 33 +++++++++++++++ .../modules/container_registry/variables.tf | 17 ++++++++ terraform/providers/dev/container_registry.tf | 3 ++ terraform/providers/dev/k8s-test.tf-old | 41 +++++++++++++++++++ terraform/providers/dev/variables.tf | 4 +- 6 files changed, 117 insertions(+), 7 deletions(-) create mode 100644 terraform/providers/dev/k8s-test.tf-old diff --git a/terraform/modules/bucket/main.tf b/terraform/modules/bucket/main.tf index a92dc84f..2e43e304 100644 --- a/terraform/modules/bucket/main.tf +++ b/terraform/modules/bucket/main.tf @@ -1,3 +1,11 @@ +#locals { +# whitelist = [ +# for cidr in values(var.whitelist): { +# ip = cidrhost(cidr, 0) +# } +# ] +#} + resource "azurerm_resource_group" "bucket" { name = "${var.name}-${var.environment}-${var.service_name}" location = var.region 
@@ -9,12 +17,20 @@ resource "azurerm_storage_account" "bucket" { location = azurerm_resource_group.bucket.location account_tier = "Standard" account_replication_type = "LRS" +} - network_rules { - default_action = var.policy - virtual_network_subnet_ids = var.subnet_ids - ip_rules = values(var.whitelist) - } +resource "azurerm_storage_account_network_rules" "acls" { + resource_group_name = azurerm_resource_group.bucket.name + storage_account_name = azurerm_storage_account.bucket.name + + default_action = var.policy + # Azure Storage CIDR ACLs do not accept /32 CIDR ranges, so + # it must be stripped to just the IP (no CIDR) + ip_rules = [ + for cidr in values(var.whitelist) : cidrhost(cidr, 0) + ] + virtual_network_subnet_ids = var.subnet_ids + bypass = ["AzureServices"] } resource "azurerm_storage_container" "bucket" { diff --git a/terraform/modules/container_registry/main.tf b/terraform/modules/container_registry/main.tf index a22bacf0..6ee6022d 100644 --- a/terraform/modules/container_registry/main.tf +++ b/terraform/modules/container_registry/main.tf @@ -1,3 +1,7 @@ +locals { + whitelist = values(var.whitelist) +} + resource "azurerm_resource_group" "acr" { name = "${var.name}-${var.environment}-acr" location = var.region 
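Review bot: `locals { whitelist = values(var.whitelist) }` in container_registry/main.tf is never referenced; the `network_rule_set` on the next physical line calls `values(var.whitelist)` directly, and PATCH 12's comment clean-up leaves the dead local in place. Either delete the `locals` block or use `local.whitelist` in the `ip_rule` expression so there is one source. In the bucket hunk on this line, `cidrhost(cidr, 0)` reduces any entry wider than /32 to its first address only, which the variable description ("IPs and CIDR ranges") does not suggest; PATCH 09 drops it again.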
@@ -10,4 +14,33 @@ resource "azurerm_container_registry" "acr" { sku = var.sku admin_enabled = var.admin_enabled #georeplication_locations = [azurerm_resource_group.acr.location, var.backup_region] + network_rule_set { + default_action = var.policy + + ip_rule = [ + for cidr in values(var.whitelist) : { + action = "Allow" + ip_range = cidr + } + ] + # Dynamic rule should work, but doesn't - See https://github.com/hashicorp/terraform/issues/22340#issuecomment-518779733 + #dynamic "ip_rule" { + # for_each = values(var.whitelist) + # content { + # action = "Allow" + # ip_range = ip_rule.value + # } + #} + + virtual_network = [ + for subnet in var.subnet_ids : { + action = "Allow" + subnet_id = subnet.value + } + ] + #virtual_network { + # action = "Allow" + # subnet_id = var.subnet_ids + #} + } } \ No newline at end of file diff --git a/terraform/modules/container_registry/variables.tf b/terraform/modules/container_registry/variables.tf index 6fe16ad5..48fbb64a 100644 --- a/terraform/modules/container_registry/variables.tf +++ b/terraform/modules/container_registry/variables.tf @@ -35,3 +35,20 @@ variable "admin_enabled" { default = false } + +variable "subnet_ids" { + description = "List of subnet_ids that will have access to this service" + type = list +} + +variable "policy" { + description = "The default policy for the network access rules (Allow/Deny)" + default = "Deny" + type = string +} + +variable "whitelist" { + type = map + description = "A map of whitelisted IPs and CIDR ranges. For single IPs, Azure expects just the IP, NOT a /32." + default = {} +} diff --git a/terraform/providers/dev/container_registry.tf b/terraform/providers/dev/container_registry.tf index 0bbf0901..805ef3e8 100644 --- a/terraform/providers/dev/container_registry.tf +++ b/terraform/providers/dev/container_registry.tf 
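Review bot: `subnet_id = subnet.value` inside the `virtual_network` for-expression will fail as soon as `subnet_ids` is non-empty: the iterator `subnet` is a plain subnet id string from `var.subnet_ids` (the `.value` accessor belongs to `dynamic` block iterators), and this only plans cleanly now because dev/container_registry.tf passes `subnet_ids = []`. Change it to `subnet_id = subnet`. The `resource "azurerm_container_registry" "acr"` block starts outside the hunk.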
@@ -5,4 +5,7 @@ module "container_registry" { environment = var.environment owner = var.owner backup_region = var.backup_region + policy = "Deny" + subnet_ids = [] + whitelist = var.admin_user_whitelist } diff --git a/terraform/providers/dev/k8s-test.tf-old b/terraform/providers/dev/k8s-test.tf-old new file mode 100644 index 00000000..c681d2db --- /dev/null +++ b/terraform/providers/dev/k8s-test.tf-old @@ -0,0 +1,41 @@ +resource "azurerm_resource_group" "k8s" { + name = "${var.name}-${var.environment}-k8s-test" + location = var.region +} + +resource "azurerm_kubernetes_cluster" "k8s" { + name = "${var.name}-${var.environment}-k8s-test" + location = azurerm_resource_group.k8s.location + resource_group_name = azurerm_resource_group.k8s.name + dns_prefix = var.k8s_dns_prefix + + service_principal { + client_id = "f05a4457-bd5e-4c63-98e1-89aab42645d0" + client_secret = "19b69e2c-9f55-4850-87cb-88c67a8dc811" + } + + default_node_pool { + name = "default" + vm_size = "Standard_D1_v2" + os_disk_size_gb = 30 + vnet_subnet_id = module.vpc.subnets + enable_node_public_ip = true # Nodes need a public IP for external resources. FIXME: Switch to NAT Gateway if its available in our subscription + enable_auto_scaling = true + max_count = 2 + min_count = 1 + } + + identity { + type = "SystemAssigned" + } + lifecycle { + ignore_changes = [ + default_node_pool.0.node_count + ] + } + + tags = { + environment = var.environment + owner = var.owner + } +} diff --git a/terraform/providers/dev/variables.tf b/terraform/providers/dev/variables.tf index 467f806c..99bd1b87 100644 --- a/terraform/providers/dev/variables.tf +++ b/terraform/providers/dev/variables.tf @@ -91,8 +91,8 @@ variable "admin_users" { variable "admin_user_whitelist" { type = map default = { - "Rob Gil" = "66.220.238.246" - "Dan Corrigan Work" = "108.16.207.173" + "Rob Gil" = "66.220.238.246/32" + "Dan Corrigan Work" = "108.16.207.173/32" } } From 38ce1ef2b269cb05d24ea8900f5c4e4361f49b06 Mon Sep 17 00:00:00 2001 
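Review bot: `k8s-test.tf-old` commits a service principal `client_secret` literal next to its `client_id`; PATCH 16 deletes the file, but the value stays in the repository history, so the credential should be treated as exposed and rotated, and source should never have carried it. Take it from a variable instead, `client_secret = var.k8s_sp_client_secret`, populated from Key Vault or the environment with no default in the repository. `enable_node_public_ip = true` already carries the author's FIXME and is worth tracking in the same place.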
From: Rob Gil Date: Thu, 23 Jan 2020 18:41:29 -0500 Subject: [PATCH 09/16] Adds list of users for access to storage and more service endpoints This sets up the rest of the service endpoints on the subnets. It also adds a variable map specifically to grant IP access to the storage buckets. This new variable map is necessary since the azure storage ip rules do not accept /32 CIDR ranges. The rest of the services do support cidr ranges. --- terraform/modules/bucket/main.tf | 6 +++--- terraform/providers/dev/buckets.tf | 4 ++-- terraform/providers/dev/variables.tf | 12 ++++++++++-- 3 files changed, 15 insertions(+), 7 deletions(-) diff --git a/terraform/modules/bucket/main.tf b/terraform/modules/bucket/main.tf index 2e43e304..3b2463ed 100644 --- a/terraform/modules/bucket/main.tf +++ b/terraform/modules/bucket/main.tf @@ -24,10 +24,10 @@ resource "azurerm_storage_account_network_rules" "acls" { storage_account_name = azurerm_storage_account.bucket.name default_action = var.policy - # Azure Storage CIDR ACLs do not accept /32 CIDR ranges, so - # it must be stripped to just the IP (no CIDR) + + # Azure Storage CIDR ACLs do not accept /32 CIDR ranges. ip_rules = [ - for cidr in values(var.whitelist) : cidrhost(cidr, 0) + for cidr in values(var.whitelist) : cidr ] virtual_network_subnet_ids = var.subnet_ids bypass = ["AzureServices"] diff --git a/terraform/providers/dev/buckets.tf b/terraform/providers/dev/buckets.tf index ad2c7ab5..36510f3e 100644 --- a/terraform/providers/dev/buckets.tf +++ b/terraform/providers/dev/buckets.tf @@ -9,7 +9,7 @@ module "task_order_bucket" { region = var.region policy = "Allow" subnet_ids = [module.vpc.subnets] - whitelist = var.admin_user_whitelist + whitelist = var.storage_admin_whitelist } # TF State should be restricted to admins only, but IP protected @@ -25,5 +25,5 @@ module "tf_state" { region = var.region policy = "Deny" subnet_ids = [] - whitelist = var.admin_user_whitelist + whitelist = var.storage_admin_whitelist } 
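Review bot: Reverting `ip_rules` to the raw `cidr` values forces a second map, `storage_admin_whitelist`, that repeats `admin_user_whitelist` without the /32 suffix (dev/variables.tf hunk of PATCH 09, and PATCH 15 then has to add the same address to both), so the two lists will drift. Strip the suffix in the module instead, `for cidr in values(var.whitelist) : replace(cidr, "/32", "")`, which keeps wider ranges intact (unlike the earlier `cidrhost(cidr, 0)`) and lets every service consume the one admin map. The `resource "azurerm_storage_account_network_rules" "acls"` block starts outside the hunk.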
diff --git a/terraform/providers/dev/variables.tf b/terraform/providers/dev/variables.tf index 99bd1b87..c4e0f338 100644 --- a/terraform/providers/dev/variables.tf +++ b/terraform/providers/dev/variables.tf @@ -39,8 +39,8 @@ variable "networks" { variable "service_endpoints" { type = map default = { - public = "" - private = "Microsoft.Storage,Microsoft.KeyVault" + public = "Microsoft.ContainerRegistry" # Not necessary but added to avoid infinite state loop + private = "Microsoft.Storage,Microsoft.KeyVault,Microsoft.ContainerRegistry,Microsoft.Sql" } } @@ -96,6 +96,14 @@ variable "admin_user_whitelist" { } } +variable "storage_admin_whitelist" { + type = map + default = { + "Rob Gil" = "66.220.238.246" + "Dan Corrigan Work" = "108.16.207.173" + } +} + variable "vpn_client_cidr" { type = list default = ["172.16.255.0/24"] From 0f5f5bd92604a9bdf0d3f8f18712753cceb93662 Mon Sep 17 00:00:00 2001 From: Rob Gil Date: Thu, 23 Jan 2020 19:16:00 -0500 Subject: [PATCH 10/16] Converts redis to use service_endpoints This is still a WIP. --- terraform/modules/postgres/variables.tf | 1 - terraform/modules/redis/main.tf | 1 + terraform/modules/redis/variables.tf | 10 +++++----- terraform/providers/dev/redis.tf | 3 +++ 4 files changed, 9 insertions(+), 6 deletions(-) diff --git a/terraform/modules/postgres/variables.tf b/terraform/modules/postgres/variables.tf index 2ee62685..f3366cdb 100644 --- a/terraform/modules/postgres/variables.tf +++ b/terraform/modules/postgres/variables.tf @@ -93,4 +93,3 @@ variable "ssl_enforcement" { description = "Enforce SSL (Enabled/Disable)" default = "Enabled" } - diff --git a/terraform/modules/redis/main.tf b/terraform/modules/redis/main.tf index 90a88a2b..b12bf92d 100644 --- a/terraform/modules/redis/main.tf +++ b/terraform/modules/redis/main.tf 
@@ -13,6 +13,7 @@ resource "azurerm_redis_cache" "redis" { sku_name = var.sku_name enable_non_ssl_port = var.enable_non_ssl_port minimum_tls_version = var.minimum_tls_version + subnet_id = var.subnet_id redis_configuration { enable_authentication = var.enable_authentication diff --git a/terraform/modules/redis/variables.tf b/terraform/modules/redis/variables.tf index dac8819b..06ddd36d 100644 --- a/terraform/modules/redis/variables.tf +++ b/terraform/modules/redis/variables.tf @@ -22,35 +22,30 @@ variable "capacity" { type = string default = 2 description = "The capacity of the redis cache" - } variable "family" { type = string default = "C" description = "The subscription family for redis" - } variable "sku_name" { type = string default = "Standard" description = "The sku to use" - } variable "enable_non_ssl_port" { type = bool default = false description = "Enable non TLS port (default: false)" - } variable "minimum_tls_version" { type = string default = "1.2" description = "Minimum TLS version to use" - } variable "enable_authentication" { @@ -58,3 +53,8 @@ variable "enable_authentication" { default = true description = "Enable or disable authentication (default: true)" } + +variable "subnet_id" { + type = string + description = "Subnet ID that the service_endpoint should reside" +} diff --git a/terraform/providers/dev/redis.tf b/terraform/providers/dev/redis.tf index bfe47a84..78cb4b2b 100644 --- a/terraform/providers/dev/redis.tf +++ b/terraform/providers/dev/redis.tf @@ -4,4 +4,7 @@ module "redis" { environment = var.environment region = var.region name = var.name + subnet_id = module.vpc.subnets + sku_name = "Premium" + family = "P" } From 9f0904c201954eb6c340215aa43f2579472e7337 Mon Sep 17 00:00:00 2001 From: Rob Gil Date: Thu, 23 Jan 2020 19:57:45 -0500 Subject: [PATCH 11/16] Adds dedicated redis subnet --- terraform/providers/dev/variables.tf | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) 
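Review bot: `subnet_id` on `azurerm_redis_cache` is VNet injection (Premium SKU only, which is why dev/redis.tf now forces `sku_name = "Premium"` and `family = "P"`), not a service endpoint, so the variable description "Subnet ID that the service_endpoint should reside" misdescribes it; use `description = "Subnet the cache is deployed into (VNet injection); requires sku_name = Premium"`. Adding the variable without a default also makes it mandatory for every caller of the module, which the commit message should state if other environments use it.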
diff --git a/terraform/providers/dev/variables.tf b/terraform/providers/dev/variables.tf index c4e0f338..42890a31 100644 --- a/terraform/providers/dev/variables.tf +++ b/terraform/providers/dev/variables.tf @@ -32,7 +32,8 @@ variable "networks" { #format #name = "CIDR, route table, Security Group Name" public = "10.1.1.0/24,public" # LBs - private = "10.1.2.0/24,private" # k8s, postgres, redis, dns, ad + private = "10.1.2.0/24,private" # k8s, postgres, keyvault + redis = "10.1.3.0/24,private" # Redis } } @@ -41,6 +42,7 @@ variable "service_endpoints" { default = { public = "Microsoft.ContainerRegistry" # Not necessary but added to avoid infinite state loop private = "Microsoft.Storage,Microsoft.KeyVault,Microsoft.ContainerRegistry,Microsoft.Sql" + redis = "Microsoft.Storage,Microsoft.Sql" # FIXME: There is no Microsoft.Redis } } @@ -56,6 +58,7 @@ variable "route_tables" { default = { public = "Internet" private = "Internet" + redis = "VnetLocal" #private = "VnetLocal" } } From 3f5bbf2c5e5a970e73355e68e0d559648231e239 Mon Sep 17 00:00:00 2001 From: Rob Gil Date: Thu, 23 Jan 2020 19:58:06 -0500 Subject: [PATCH 12/16] Cleans out comments --- terraform/modules/container_registry/main.tf | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/terraform/modules/container_registry/main.tf b/terraform/modules/container_registry/main.tf index 6ee6022d..30b2b1cc 100644 --- a/terraform/modules/container_registry/main.tf +++ b/terraform/modules/container_registry/main.tf @@ -14,6 +14,7 @@ resource "azurerm_container_registry" "acr" { sku = var.sku admin_enabled = var.admin_enabled #georeplication_locations = [azurerm_resource_group.acr.location, var.backup_region] + network_rule_set { default_action = var.policy @@ -38,9 +39,5 @@ resource "azurerm_container_registry" "acr" { subnet_id = subnet.value } ] - #virtual_network { - # action = "Allow" - # subnet_id = var.subnet_ids - #} } } \ No newline at end of file 
From e0d59eb1662ffba4b417aa5374c6bf81dd89a70f Mon Sep 17 00:00:00 2001 From: Rob Gil Date: Thu, 23 Jan 2020 20:22:53 -0500 Subject: [PATCH 13/16] Finally fixes subnet list output This finally fixes the output coming from the vpc module so that it returns a full list of subnets. Now they can be referenced just like the redis module is using in this commit. --- terraform/modules/vpc/outputs.tf | 8 +++++++- terraform/providers/dev/redis.tf | 2 +- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/terraform/modules/vpc/outputs.tf b/terraform/modules/vpc/outputs.tf index eedaab6c..baa32935 100644 --- a/terraform/modules/vpc/outputs.tf +++ b/terraform/modules/vpc/outputs.tf @@ -1,3 +1,9 @@ output "subnets" { - value = azurerm_subnet.subnet["private"].id #FIXME - output should be a map + value = azurerm_subnet.subnet["private"].id #FIXED: this is now legacy, use subnet_list } + +output "subnet_list" { + value = { + for k, id in azurerm_subnet.subnet : k => id + } +} \ No newline at end of file diff --git a/terraform/providers/dev/redis.tf b/terraform/providers/dev/redis.tf index 78cb4b2b..8c89dc92 100644 --- a/terraform/providers/dev/redis.tf +++ b/terraform/providers/dev/redis.tf @@ -4,7 +4,7 @@ module "redis" { environment = var.environment region = var.region name = var.name - subnet_id = module.vpc.subnets + subnet_id = module.vpc.subnet_list["redis"].id sku_name = "Premium" family = "P" } From daa07f8631bd62338b0e3fc999145eebb821a112 Mon Sep 17 00:00:00 2001 From: Rob Gil Date: Thu, 23 Jan 2020 20:26:27 -0500 Subject: [PATCH 14/16] Removes unnecessary locals in the bucket module --- terraform/modules/bucket/main.tf | 8 -------- 1 file changed, 8 deletions(-) diff --git a/terraform/modules/bucket/main.tf b/terraform/modules/bucket/main.tf index 3b2463ed..e2f91f58 100644 --- a/terraform/modules/bucket/main.tf +++ b/terraform/modules/bucket/main.tf 
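Review bot: In `output "subnet_list"` the iterator named `id` is the whole `azurerm_subnet` object, not an id, which is why redis.tf has to append `.id` and why the output exports every subnet attribute rather than just identifiers. `value = { for k, subnet in azurerm_subnet.subnet : k => subnet.id }` with `subnet_id = module.vpc.subnet_list["redis"]` at the call site yields a map of ids, and a name such as `subnet_ids` would describe a map better than `subnet_list`. The legacy `subnets` output's comment could then point at the new name.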
@@ -1,11 +1,3 @@ -#locals { -# whitelist = [ -# for cidr in values(var.whitelist): { -# ip = cidrhost(cidr, 0) -# } -# ] -#} - resource "azurerm_resource_group" "bucket" { name = "${var.name}-${var.environment}-${var.service_name}" location = var.region From 7b2523254d59ecb9d2f8a10e5cfd72ca378e2708 Mon Sep 17 00:00:00 2001 From: Rob Gil Date: Fri, 24 Jan 2020 07:36:02 -0500 Subject: [PATCH 15/16] Adds Dans home ip --- terraform/providers/dev/variables.tf | 2 ++ 1 file changed, 2 insertions(+) diff --git a/terraform/providers/dev/variables.tf b/terraform/providers/dev/variables.tf index 42890a31..b13c0d57 100644 --- a/terraform/providers/dev/variables.tf +++ b/terraform/providers/dev/variables.tf @@ -96,6 +96,7 @@ variable "admin_user_whitelist" { default = { "Rob Gil" = "66.220.238.246/32" "Dan Corrigan Work" = "108.16.207.173/32" + "Dan Corrigan Home" = "71.162.221.27/32" } } @@ -104,6 +105,7 @@ variable "storage_admin_whitelist" { default = { "Rob Gil" = "66.220.238.246" "Dan Corrigan Work" = "108.16.207.173" + "Dan Corrigan Home" = "71.162.221.27" } } From 76465e978acc55fea319392aa1d9c92c7e5a3707 Mon Sep 17 00:00:00 2001 From: Rob Gil Date: Fri, 24 Jan 2020 07:36:24 -0500 Subject: [PATCH 16/16] Remove k8s test tf --- terraform/providers/dev/k8s-test.tf-old | 41 ------------------------- 1 file changed, 41 deletions(-) delete mode 100644 terraform/providers/dev/k8s-test.tf-old diff --git a/terraform/providers/dev/k8s-test.tf-old b/terraform/providers/dev/k8s-test.tf-old deleted file mode 100644 index c681d2db..00000000 --- a/terraform/providers/dev/k8s-test.tf-old +++ /dev/null 
@@ -1,41 +0,0 @@ -resource "azurerm_resource_group" "k8s" { - name = "${var.name}-${var.environment}-k8s-test" - location = var.region -} - -resource "azurerm_kubernetes_cluster" "k8s" { - name = "${var.name}-${var.environment}-k8s-test" - location = azurerm_resource_group.k8s.location - resource_group_name = azurerm_resource_group.k8s.name - dns_prefix = var.k8s_dns_prefix - - service_principal { - client_id = "f05a4457-bd5e-4c63-98e1-89aab42645d0" - client_secret = "19b69e2c-9f55-4850-87cb-88c67a8dc811" - } - - default_node_pool { - name = "default" - vm_size = "Standard_D1_v2" - os_disk_size_gb = 30 - vnet_subnet_id = module.vpc.subnets - enable_node_public_ip = true # Nodes need a public IP for external resources. FIXME: Switch to NAT Gateway if its available in our subscription - enable_auto_scaling = true - max_count = 2 - min_count = 1 - } - - identity { - type = "SystemAssigned" - } - lifecycle { - ignore_changes = [ - default_node_pool.0.node_count - ] - } - - tags = { - environment = var.environment - owner = var.owner - } -}