From a5ea2e3757dfe27658ef4a02cac8fa6cd7214766 Mon Sep 17 00:00:00 2001
From: Rob Gil
Date: Mon, 6 Jan 2020 18:21:48 -0500
Subject: [PATCH 1/3] Testing k8s config

---
 terraform/modules/keyvault/main.tf | 2 +-
 terraform/modules/managed_identity/outputs.tf | 11 +++++++++++
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/terraform/modules/keyvault/main.tf b/terraform/modules/keyvault/main.tf
index 5df79ab3..53df7d85 100644
--- a/terraform/modules/keyvault/main.tf
+++ b/terraform/modules/keyvault/main.tf
@@ -23,7 +23,7 @@ resource "azurerm_key_vault_access_policy" "keyvault" {
   key_vault_id = azurerm_key_vault.keyvault.id
   tenant_id = "b5ab0e1e-09f8-4258-afb7-fb17654bc5b3"
-  object_id = "2ca63d41-d058-4e06-aef6-eb517a53b631"
+  object_id = "ca8cfc48-9995-4973-a8cc-6c7f755e84de"
   key_permissions = [
     "get",
diff --git a/terraform/modules/managed_identity/outputs.tf b/terraform/modules/managed_identity/outputs.tf
index e69de29b..14c7bf75 100644
--- a/terraform/modules/managed_identity/outputs.tf
+++ b/terraform/modules/managed_identity/outputs.tf
@@ -0,0 +1,11 @@
+output "id" {
+  value = azurerm_user_assigned_identity.identity.id
+}
+
+output "principal_id" {
+  value = azurerm_user_assigned_identity.identity.principal_id
+}
+
+output "client_id" {
+  value = azurerm_user_assigned_identity.identity.client_id
+}

From f76934eaafd38c0c945943496cdc05d1d2b53899 Mon Sep 17 00:00:00 2001
From: Rob Gil
Date: Mon, 6 Jan 2020 19:45:46 -0500
Subject: [PATCH 2/3] Adds initial OpenVPN configuration docs and powershell instructions

---
 terraform/README.md | 32 ++++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)

diff --git a/terraform/README.md b/terraform/README.md
index 1f40fadc..f771e7ae 100644
--- a/terraform/README.md
+++ b/terraform/README.md
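Review bot: The access policy still binds a hard-coded `object_id` (and `tenant_id`) literal, so this hunk only swaps one opaque GUID for another and nothing in the code says which principal `ca8cfc48-…` is; the same commit adds a `principal_id` output to the managed_identity module, which suggests the value should be wired through rather than pasted. Consider `object_id = var.reader_object_id` (name is a proposal) fed from that output, and `tenant_id = data.azurerm_client_config.current.tenant_id` together with a `data "azurerm_client_config" "current" {}` block so the policy follows the deploying tenant. If the literal is deliberate, a comment naming the principal, e.g. `# object_id of the vault-reader user-assigned identity — confirm`, would at least make the grant auditable. The `azurerm_key_vault_access_policy` resource and its `key_permissions` list continue outside the hunk.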
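Review bot: The three new outputs in outputs.tf carry no `description`, so module consumers only see the bare names `id`, `principal_id` and `client_id`, two of which are easy to confuse. Add one per output, e.g. `description = "Principal (object) ID of the identity, used for role assignments and access policies"` on `principal_id`, with analogous text on `id` (the ARM resource ID) and `client_id`.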
@@ -24,6 +24,7 @@ Requirements:
 - Python pip
 - Python virtualenv # FIXME: Switch to `pipenv`
 - [azure cli](https://docs.microsoft.com/en-us/cli/azure/install-azure-cli?view=azure-cli-latest)
+- [powershell](https://docs.microsoft.com/en-us/powershell/scripting/install/installing-powershell?view=powershell-6) See below
 
 # tfenv
 `tfenv` will allow you to install TF versions. For example.
@@ -39,6 +40,17 @@ To select a version to use
 tfenv use 0.12.18
 ```
 
+# Powershell
+Some things you need to use powershell. Specifically getting client profiles for the VPN.
+
+## Install powershell on Linux
+Powershell on recent versions of Ubuntu is available through snap.
+
+For Ubuntu 19.10
+```
+snap install powershell --classic
+```
+
 # Running Terraform
 First, you'll need to log in to Azure. With the Azure CLI installed, you can run the following.
@@ -82,3 +94,23 @@ terraform plan -target=module.vpc
 ```
 In the above example, this will only run a plan (plan/apply/destroy) on the specific module. This can be a module, or resource. You can get a list of module and resources by running `terraform show`.
+
+# VPN Setup
+[Configure OpenVPN clients for Azure VPN Gateway](https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-openvpn-clients#before-you-begin)
+[About P2S VPN client profiles](https://docs.microsoft.com/en-us/azure/vpn-gateway/about-vpn-profile-download)
+[Configure a VPN client for P2S OpenVPN protocol connections: Azure AD authentication (Preview)](https://docs.microsoft.com/en-us/azure/vpn-gateway/openvpn-azure-ad-client)
+[Create an Azure Active Directory tenant for P2S OpenVPN protocol connections](https://docs.microsoft.com/en-us/azure/vpn-gateway/openvpn-azure-ad-tenant)
+
+The docs above should help with client configuration. The last doc (Create an Azure Active Directory..) is necessary to run the command to add the VPN app for AD.
+
+Copied here for convenience. Just enter this in your browser.
+```
+# For Public Azure - Government has a different URL, see doc above
+https://login.microsoftonline.com/common/oauth2/authorize?client_id=41b23e61-6c1e-4545-b367-cd054e0ed4b4&response_type=code&redirect_uri=https://portal.azure.com&nonce=1234&prompt=admin_consent
+```
+
+## Adding a client
+TODO
+
+## Downloading a client profile
+TODO
\ No newline at end of file

From 11404a6e5b686290f4ff5c7650eb4a1f7811aff3 Mon Sep 17 00:00:00 2001
From: Rob Gil
Date: Tue, 7 Jan 2020 14:00:27 -0500
Subject: [PATCH 3/3] Adds IAM roles for the Managed Identity Module

This adds the ability to pass in a list of roles to be assigned to the managed identity user.
---
 terraform/modules/managed_identity/main.tf | 11 ++++++++++-
 terraform/modules/managed_identity/variables.tf | 5 +++++
 terraform/providers/dev/identities.tf | 2 ++
 3 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/terraform/modules/managed_identity/main.tf b/terraform/modules/managed_identity/main.tf
index 84e186ce..2f186c87 100644
--- a/terraform/modules/managed_identity/main.tf
+++ b/terraform/modules/managed_identity/main.tf
@@ -8,4 +8,13 @@ resource "azurerm_user_assigned_identity" "identity" {
   location = azurerm_resource_group.identity.location
   name = "${var.name}-${var.environment}-${var.identity}"
-}
\ No newline at end of file
+}
+
+data "azurerm_subscription" "primary" {}
+
+resource "azurerm_role_assignment" "roles" {
+  count = length(var.roles)
+  scope = data.azurerm_subscription.primary.id
+  role_definition_name = var.roles[count.index]
+  principal_id = azurerm_user_assigned_identity.identity.principal_id
+}
diff --git a/terraform/modules/managed_identity/variables.tf b/terraform/modules/managed_identity/variables.tf
index f2a1a758..e5ffc99c 100644
--- a/terraform/modules/managed_identity/variables.tf
+++ b/terraform/modules/managed_identity/variables.tf
@@ -22,3 +22,8 @@ variable "identity" {
   type = string
   description = "Name of the managed identity to create"
 }
+
+variable "roles" {
+  type = list
+  description = "List of roles by name"
+}
diff --git a/terraform/providers/dev/identities.tf b/terraform/providers/dev/identities.tf
index 0def7ce6..5d8370cd 100644
--- a/terraform/providers/dev/identities.tf
+++ b/terraform/providers/dev/identities.tf
@@ -5,4 +5,6 @@ module "keyvault_reader_identity" {
   environment = var.environment
   region = var.region
   identity = "${var.name}-${var.environment}-vault-reader"
+  roles = ["Reader", "Managed Identity Operator"]
+
 }
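Review bot: Every role in `var.roles` is granted at subscription scope (`scope = data.azurerm_subscription.primary.id`) with no way for a caller to narrow it, so a module whose only visible consumer is a vault-reader identity hands out subscription-wide rights; a `scope` input defaulting to the subscription id would keep today's behaviour while letting callers pin assignments to a resource group or a single vault. Separately, `count = length(var.roles)` with `var.roles[count.index]` ties each assignment to its list position, so removing or reordering one role destroys and recreates the others, which can briefly drop access during apply; the README pins Terraform 0.12.18, so `for_each = toset(var.roles)` with `role_definition_name = each.value` avoids that. A short comment on the new data block, e.g. `# subscription of the active provider credentials; used as the assignment scope`, would also help readers. The caller-side role list in `terraform/providers/dev/identities.tf` is affected by the same scope question.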
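Review bot: `variable "roles"` in variables.tf has no `default`, so every existing caller of the module must now pass it or fail at plan time, and `type = list` leaves the element type unconstrained (the legacy form, equivalent to `list(any)`); `type = list(string)` plus `default = []` keeps the change backward-compatible and rejects non-string entries before the provider sees them. The description could also say where the roles land, e.g. `description = "Azure RBAC role definition names assigned to the identity at subscription scope"`, since the scope is fixed in main.tf rather than chosen by the caller.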
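Review bot: `"Managed Identity Operator"` in identities.tf looks wider than an identity named `…-vault-reader` needs: that built-in role permits reading and assigning user-assigned identities within its scope, and because the module fixes the scope at the subscription, this covers every identity in the subscription rather than this one. If the role is only there so a cluster can attach this identity (the series title suggests Kubernetes, but that is inferred), the assignment belongs on the identity's resource group, or the reason should be stated in a comment next to the line, e.g. `# Managed Identity Operator: required for <consumer> to attach this identity — confirm scope`. The empty `+` line before the closing brace is stray whitespace. The `module "keyvault_reader_identity"` block begins above the hunk.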