169163334 - Initial VPC TF and structure

169163334 - Make supernet configurable

169163334 - Makes DNS servers configurable

169163334 - Adds bucket for state storage

169163334 - Adds k8s, keyvault, azuread provider

169163334 - Adds route tables

169163334 - Adds route table associations

169163334 - Adds default routes to route tables and fixes route table association flapping

terraform/.gitignore

@@ -0,0 +1 @@
+.terraform

terraform/modules/k8s/main.tf

@@ -0,0 +1,35 @@
+resource "azurerm_resource_group" "k8s" {
+  name     = "${var.name}-${var.environment}-vpc"
+  location = var.region
+}
+
+resource "azurerm_kubernetes_cluster" "k8s" {
+  name                = "${var.name}-${var.environment}-k8s"
+  location            = azurerm_resource_group.k8s.location
+  resource_group_name = azurerm_resource_group.k8s.name
+  dns_prefix          = var.k8s_dns_prefix
+
+  service_principal {
+    client_id     = "f05a4457-bd5e-4c63-98e1-89aab42645d0"
+    client_secret = "19b69e2c-9f55-4850-87cb-88c67a8dc811"
+  }
+
+  default_node_pool {
+    name            = "default"
+    vm_size         = "Standard_D1_v2"
+    os_disk_size_gb = 30
+    vnet_subnet_id  = var.vnet_subnet_id
+    node_count      = 1
+  }
+
+  lifecycle {
+    ignore_changes = [
+      default_node_pool.0.node_count
+    ]
+  }
+
+  tags = {
+    environment = var.environment
+    owner       = var.owner
+  }
+}

terraform/modules/k8s/variables.tf

@@ -0,0 +1,35 @@
+variable "region" {
+  type        = string
+  description = "Region this module and resources will be created in"
+}
+
+variable "name" {
+  type        = string
+  description = "Unique name for the services in this module"
+}
+
+variable "environment" {
+  type        = string
+  description = "Environment these resources reside (prod, dev, staging, etc)"
+}
+
+variable "owner" {
+  type        = string
+  description = "Owner of the environment and resources created in this module"
+}
+
+variable "k8s_dns_prefix" {
+  type        = string
+  description = "A DNS prefix"
+}
+
+variable "k8s_node_size" {
+  type        = string
+  description = "The size of the instance to use in the node pools for k8s"
+  default     = "Standard_A1_v2"
+}
+
+variable "vnet_subnet_id" {
+  description = "Subnet to use for the default k8s pool"
+  type        = string
+}

terraform/modules/keyvault/main.tf

@@ -0,0 +1,44 @@
+data "azurerm_client_config" "current" {}
+
+resource "azurerm_resource_group" "keyvault" {
+  name     = "${var.name}-${var.environment}-rg"
+  location = var.region
+}
+
+resource "random_id" "server" {
+  keepers = {
+    ami_id = 1
+  }
+
+  byte_length = 8
+}
+
+resource "azurerm_key_vault" "keyvault" {
+  name                = "${var.name}-${var.environment}-keyvault"
+  location            = azurerm_resource_group.keyvault.location
+  resource_group_name = azurerm_resource_group.keyvault.name
+  tenant_id           = data.azurerm_client_config.current.tenant_id
+
+  sku_name = "premium"
+
+  access_policy {
+    tenant_id = data.azurerm_client_config.current.tenant_id
+    object_id = data.azurerm_client_config.current.service_principal_object_id
+
+    key_permissions = [
+      "create",
+      "get",
+    ]
+
+    secret_permissions = [
+      "set",
+      "get",
+      "delete",
+    ]
+  }
+
+  tags = {
+    environment = var.environment
+    owner       = var.owner
+  }
+}

terraform/modules/keyvault/variables.tf

@@ -0,0 +1,19 @@
+variable "region" {
+  type        = string
+  description = "Region this module and resources will be created in"
+}
+
+variable "name" {
+  type        = string
+  description = "Unique name for the services in this module"
+}
+
+variable "environment" {
+  type        = string
+  description = "Environment these resources reside (prod, dev, staging, etc)"
+}
+
+variable "owner" {
+  type = string
+  description = "Owner of this environment"
+}

terraform/modules/vpc/main.tf

@@ -0,0 +1,72 @@
+resource "azurerm_resource_group" "vpc" {
+  name     = "${var.name}-${var.environment}-vpc"
+  location = var.region
+
+  tags = {
+    environment = var.environment
+    owner       = var.owner
+  }
+}
+
+resource "azurerm_network_ddos_protection_plan" "vpc" {
+  count               = var.ddos_enabled
+  name                = "${var.name}-${var.environment}-ddos"
+  location            = azurerm_resource_group.vpc.location
+  resource_group_name = azurerm_resource_group.vpc.name
+}
+
+resource "azurerm_virtual_network" "vpc" {
+  name                = "${var.name}-${var.environment}-network"
+  location            = azurerm_resource_group.vpc.location
+  resource_group_name = azurerm_resource_group.vpc.name
+  address_space       = ["${var.virtual_network}"]
+  dns_servers         = var.dns_servers
+
+  tags = {
+    environment = var.environment
+    owner       = var.owner
+  }
+}
+
+resource "azurerm_subnet" "subnet" {
+  for_each             = var.networks
+  name                 = "${var.name}-${var.environment}-${each.key}"
+  resource_group_name  = azurerm_resource_group.vpc.name
+  virtual_network_name = azurerm_virtual_network.vpc.name
+  address_prefix       = element(split(",", each.value), 0)
+
+  # See https://github.com/terraform-providers/terraform-provider-azurerm/issues/3471
+  lifecycle { 
+     ignore_changes = [route_table_id]
+  } 
+  #delegation {
+  #  name = "acctestdelegation"
+  #
+  #  service_delegation {
+  #    name    = "Microsoft.ContainerInstance/containerGroups"
+  #    actions = ["Microsoft.Network/virtualNetworks/subnets/action"]
+  #  }
+  #}
+}
+
+resource "azurerm_route_table" "route_table" {
+  for_each            = var.route_tables
+  name                = "${var.name}-${var.environment}-${each.key}"
+  location            = azurerm_resource_group.vpc.location
+  resource_group_name = azurerm_resource_group.vpc.name
+}
+
+resource "azurerm_subnet_route_table_association" "route_table" {
+  for_each      = var.networks
+  subnet_id     = azurerm_subnet.subnet[each.key].id
+  route_table_id = azurerm_route_table.route_table[each.key].id
+}
+
+resource "azurerm_route" "route" {
+  for_each      = var.route_tables
+  name          = "${var.name}-${var.environment}-default" 
+  resource_group_name = azurerm_resource_group.vpc.name
+  route_table_name = azurerm_route_table.route_table[each.key].name
+  address_prefix      = "0.0.0.0/0"
+  next_hop_type       = each.value
+}

terraform/modules/vpc/outputs.tf

@@ -0,0 +1,3 @@
+output "subnets" {
+  value = azurerm_subnet.subnet["private"].id #FIXME - output should be a map
+}

terraform/modules/vpc/variables.tf

@@ -0,0 +1,43 @@
+variable "environment" {
+  description = "Environment (Prod,Dev,etc)"
+}
+
+variable "region" {
+  description = "Region (useast2, etc)"
+
+}
+
+variable "name" {
+  description = "Name or prefix to use for all resources created by this module"
+}
+
+variable "owner" {
+  description = "Owner of these resources"
+
+}
+
+variable "ddos_enabled" {
+  description = "Enable or disable DDoS Protection (1,0)"
+  default     = "0"
+}
+
+variable "virtual_network" {
+  description = "The supernet used for this VPC a.k.a Virtual Network"
+  type        = string
+}
+
+variable "networks" {
+  description = "A map of lists describing the network topology"
+  type        = map
+}
+
+variable "dns_servers" {
+  description = "DNS Server IPs for internal and public DNS lookups (must be on a defined subnet)"
+  type        = list
+
+}
+
+variable "route_tables" {
+  type        = map
+  description = "A map with the route tables to create"
+}

terraform/providers/dev/k8s.tf

@@ -0,0 +1,11 @@
+module "k8s" {
+  source         = "../../modules/k8s"
+  region         = var.region
+  name           = var.name
+  environment    = var.environment
+  owner          = var.owner
+  k8s_dns_prefix = var.k8s_dns_prefix
+  k8s_node_size  = var.k8s_node_size
+  vnet_subnet_id = module.vpc.subnets #FIXME - output from module.vpc.subnets should be map
+}
+

terraform/providers/dev/keyvault.tf

@@ -0,0 +1,7 @@
+#module "keyvault" {
+#  source      = "../../modules/keyvault"
+#  name        = var.name
+#  region      = var.region
+#  owner       = var.owner
+#  environment = var.environment
+#}

terraform/providers/dev/provider.tf

@@ -0,0 +1,17 @@
+provider "azurerm" {
+  version = "=1.38.0"
+}
+
+provider "azuread" {
+  # Whilst version is optional, we /strongly recommend/ using it to pin the version of the Provider being used
+  version = "=0.7.0"
+}
+
+terraform {
+  backend "azurerm" {
+    resource_group_name  = "cloudzero-dev-tfstate"
+    storage_account_name = "cloudzerodevtfstate"
+    container_name       = "tfstate"
+    key                  = "dev.terraform.tfstate"
+  }
+}

terraform/providers/dev/variables.tf

@@ -0,0 +1,56 @@
+variable "environment" {
+  default = "dev"
+}
+
+variable "region" {
+  default = "eastus2"
+
+}
+
+variable "owner" {
+  default = "dev"
+}
+
+variable "name" {
+  default = "cloudzero"
+}
+
+variable "virtual_network" {
+  type    = string
+  default = "10.1.0.0/16"
+}
+
+
+variable "networks" {
+  type = map
+  default = {
+    #format
+    #name         = "CIDR, route table, Security Group Name"
+    public  = "10.1.1.0/24,public"  # LBs
+    private = "10.1.2.0/24,private" # k8s, postgres, redis, dns, ad
+  }
+}
+
+variable "route_tables" {
+  description = "Route tables and their default routes"
+  type        = map
+  default = {
+    public  = "Internet"
+    private = "VnetLocal"
+  }
+}
+
+variable "dns_servers" {
+  type    = list
+  default = ["10.1.2.4", "10.1.2.5"]
+}
+
+variable "k8s_node_size" {
+  type    = string
+  default = "Standard_A1_v2"
+}
+
+variable "k8s_dns_prefix" {
+  type    = string
+  default = "atat"
+}

terraform/providers/dev/vpc.tf

@@ -0,0 +1,12 @@
+module "vpc" {
+  source          = "../../modules/vpc/"
+  environment     = var.environment
+  region          = var.region
+  virtual_network = var.virtual_network
+  networks        = var.networks
+  route_tables    = var.route_tables
+  owner           = var.owner
+  name            = var.name
+  dns_servers     = var.dns_servers
+}
+