diff --git a/terraform/README.md b/terraform/README.md
index 1f40fadc..f771e7ae 100644
--- a/terraform/README.md
+++ b/terraform/README.md
@@ -24,6 +24,7 @@ Requirements: - Python pip - Python virtualenv # FIXME: Switch to `pipenv` - [azure cli](https://docs.microsoft.com/en-us/cli/azure/install-azure-cli?view=azure-cli-latest)
+- [powershell](https://docs.microsoft.com/en-us/powershell/scripting/install/installing-powershell?view=powershell-6) See below # tfenv `tfenv` will allow you to install TF versions. For example.
@@ -39,6 +40,17 @@ To select a version to use tfenv use 0.12.18 ```
+# Powershell
+Some things you need to use powershell. Specifically getting client profiles for the VPN.
+
+## Install powershell on Linux
+Powershell on recent versions of Ubuntu is available through snap.
+
+For Ubuntu 19.10
+```
+snap install powershell --classic
+```
+
 # Running Terraform First, you'll need to log in to Azure. With the Azure CLI installed, you can run the following.
@@ -82,3 +94,23 @@ terraform plan -target=module.vpc ``` In the above example, this will only run a plan (plan/apply/destroy) on the specific module. This can be a module, or resource. You can get a list of module and resources by running `terraform show`.
+
+# VPN Setup
+[Configure OpenVPN clients for Azure VPN Gateway](https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-openvpn-clients#before-you-begin)
+[About P2S VPN client profiles](https://docs.microsoft.com/en-us/azure/vpn-gateway/about-vpn-profile-download)
+[Configure a VPN client for P2S OpenVPN protocol connections: Azure AD authentication (Preview)](https://docs.microsoft.com/en-us/azure/vpn-gateway/openvpn-azure-ad-client)
+[Create an Azure Active Directory tenant for P2S OpenVPN protocol connections](https://docs.microsoft.com/en-us/azure/vpn-gateway/openvpn-azure-ad-tenant)
+
+The docs above should help with client configuration. The last doc (Create an Azure Active Directory..) is necessary to run the command to add the VPN app for AD.
+
+Copied here for convenience. Just enter this in your browser.
+```
+# For Public Azure - Government has a different URL, see doc above
+https://login.microsoftonline.com/common/oauth2/authorize?client_id=41b23e61-6c1e-4545-b367-cd054e0ed4b4&response_type=code&redirect_uri=https://portal.azure.com&nonce=1234&prompt=admin_consent
+```
+
+## Adding a client
+TODO
+
+## Downloading a client profile
+TODO
\ No newline at end of file
diff --git a/terraform/modules/keyvault/main.tf b/terraform/modules/keyvault/main.tf
index 5df79ab3..53df7d85 100644
--- a/terraform/modules/keyvault/main.tf
+++ b/terraform/modules/keyvault/main.tf
@@ -23,7 +23,7 @@ resource "azurerm_key_vault_access_policy" "keyvault" {
 key_vault_id = azurerm_key_vault.keyvault.id
 tenant_id = "b5ab0e1e-09f8-4258-afb7-fb17654bc5b3"
- object_id = "2ca63d41-d058-4e06-aef6-eb517a53b631"
+ object_id = "ca8cfc48-9995-4973-a8cc-6c7f755e84de"
 key_permissions = [
 "get",
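Review bot: The `+ object_id` line still pins the access policy to a hard-coded principal GUID, with the tenant id hard-coded on the context line above it, so nothing in the configuration ties this policy to the identity that is meant to hold it and the next identity change is another manual GUID swap that a reviewer cannot verify. The same commit adds a `principal_id` output to the managed_identity module, so the id can be passed in rather than copied, e.g. `object_id = var.reader_object_id` with the caller wiring in the module output, and the tenant can be read from `data.azurerm_client_config.current.tenant_id` (declared once with `data "azurerm_client_config" "current" {}`) instead of a literal. If the literal must stay for now, a comment naming which principal the new GUID belongs to would at least make this hunk reviewable. The resource block starts outside the hunk, and it is not visible here whether the keyvault module already declares a variable for the principal.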
diff --git a/terraform/modules/managed_identity/main.tf b/terraform/modules/managed_identity/main.tf
index 84e186ce..2f186c87 100644
--- a/terraform/modules/managed_identity/main.tf
+++ b/terraform/modules/managed_identity/main.tf
@@ -8,4 +8,13 @@ resource "azurerm_user_assigned_identity" "identity" {
 location = azurerm_resource_group.identity.location
 name = "${var.name}-${var.environment}-${var.identity}"
-}
\ No newline at end of file
+}
+
+data "azurerm_subscription" "primary" {}
+
+resource "azurerm_role_assignment" "roles" {
+ count = length(var.roles)
+ scope = data.azurerm_subscription.primary.id
+ role_definition_name = var.roles[count.index]
+ principal_id = azurerm_user_assigned_identity.identity.principal_id
+}
diff --git a/terraform/modules/managed_identity/outputs.tf b/terraform/modules/managed_identity/outputs.tf
index e69de29b..14c7bf75 100644
--- a/terraform/modules/managed_identity/outputs.tf
+++ b/terraform/modules/managed_identity/outputs.tf
@@ -0,0 +1,11 @@
+output "id" {
+ value = azurerm_user_assigned_identity.identity.id
+}
+
+output "principal_id" {
+ value = azurerm_user_assigned_identity.identity.principal_id
+}
+
+output "client_id" {
+ value = azurerm_user_assigned_identity.identity.client_id
+}
diff --git a/terraform/modules/managed_identity/variables.tf b/terraform/modules/managed_identity/variables.tf
index f2a1a758..e5ffc99c 100644
--- a/terraform/modules/managed_identity/variables.tf
+++ b/terraform/modules/managed_identity/variables.tf
@@ -22,3 +22,8 @@ variable "identity" {
 type = string
 description = "Name of the managed identity to create"
 }
+
+variable "roles" {
+ type = list
+ description = "List of roles by name"
+}
diff --git a/terraform/providers/dev/identities.tf b/terraform/providers/dev/identities.tf
index 0def7ce6..5d8370cd 100644
--- a/terraform/providers/dev/identities.tf
+++ b/terraform/providers/dev/identities.tf
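Review bot: `azurerm_role_assignment.roles` grants every role in `var.roles` at subscription scope (`scope = data.azurerm_subscription.primary.id`), so a caller asking for `Reader` gets read access to the entire subscription even when the identity only needs one vault or resource group; the caller in terraform/providers/dev/identities.tf is affected in the same way. Making the scope a module input that falls back to the subscription keeps today's behaviour while letting callers grant narrower scopes, which needs a `variable "scope"` with `default = ""` in variables.tf alongside the change below. Keying the assignments by `count` also ties each one to its list position, so reordering or dropping a role destroys and recreates the others; `for_each = toset(var.roles)` keys them by role name instead and is available in the Terraform 0.12.18 the README pins. The resource is complete within the hunk.
```hcl
resource "azurerm_role_assignment" "roles" {
  for_each             = toset(var.roles)
  # Fall back to the subscription only when the caller gives no narrower scope.
  scope                = var.scope != "" ? var.scope : data.azurerm_subscription.primary.id
  role_definition_name = each.value
  principal_id         = azurerm_user_assigned_identity.identity.principal_id
}
```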
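Review bot: `type = list` on the new `roles` variable is the unconstrained legacy form, which Terraform 0.12 (the version the README pins via tfenv) appears to accept as shorthand for a list of any element type; a list of numbers or objects would pass validation and only fail when it reaches `role_definition_name` at plan or apply time. `type = list(string)` rejects that at variable validation. The description would also help callers more if it said that each entry is an Azure role definition name (built-in or custom) assigned to the identity by this module, and at what scope the assignment is made.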
@@ -5,4 +5,6 @@ module "keyvault_reader_identity" {
 environment = var.environment
 region = var.region
 identity = "${var.name}-${var.environment}-vault-reader"
+ roles = ["Reader", "Managed Identity Operator"]
+
 }
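Review bot: The added blank line before the closing `}` of `module "keyvault_reader_identity"` is stray whitespace; `terraform fmt` would place the brace directly under the last argument, so the second `+` line can be dropped. The `roles` line is the only place where the intent behind granting this identity `Reader` and `Managed Identity Operator` is visible, and with the module as written those grants apply across the subscription, so a comment such as `# Reader for vault discovery, Managed Identity Operator for <purpose>` (purpose to be filled in by the author) on that line would let a later reader judge whether the set is still needed.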