add a windows VM as a jumpbox to Bastion RDP into the Hub network

src/core/saca-hub/main.tf

@@ -27,6 +27,9 @@ provider "azurerm" {
  log_analytics_workspace {
  permanently_delete_on_destroy = true
  }
+ key_vault {
+ purge_soft_delete_on_destroy = true
+ }
  }
 }
 
@@ -109,3 +112,52 @@ module "saca-firewall" {
  DeploymentName = var.deploymentname
  }
 }
+
+module "jumpbox-subnet" {
+ depends_on = [module.saca-hub-network, module.saca-firewall]
+ source = "../../modules/subnet"
+
+ name = var.jumpbox_subnet.name
+ location = var.mlz_location
+ resource_group_name = azurerm_resource_group.hub.name
+ virtual_network_name = var.saca_vnetname
+ address_prefixes = var.jumpbox_subnet.address_prefixes
+ service_endpoints = lookup(var.jumpbox_subnet, "service_endpoints", [])
+
+ enforce_private_link_endpoint_network_policies = lookup(var.jumpbox_subnet, "enforce_private_link_endpoint_network_policies", null)
+ enforce_private_link_service_network_policies = lookup(var.jumpbox_subnet, "enforce_private_link_service_network_policies", null)
+
+ nsg_name = var.jumpbox_subnet.nsg_name
+ nsg_rules = var.jumpbox_subnet.nsg_rules
+
+ routetable_name = var.jumpbox_subnet.routetable_name
+ firewall_ip_address = module.saca-firewall.firewall_public_ip
+
+ log_analytics_storage_id = module.saca-hub-network.log_analytics_storage_id
+ log_analytics_workspace_id = module.saca-hub-network.log_analytics_workspace_id
+
+ tags = {
+ DeploymentName = var.deploymentname
+ }
+}
+
+module "jumpbox" {
+ depends_on = [module.saca-hub-network, module.jumpbox-subnet]
+ source = "../../modules/jumpbox"
+
+ resource_group_name = azurerm_resource_group.hub.name
+ virtual_network_name = var.saca_vnetname
+ subnet_name = var.jumpbox_subnet.name
+ location = azurerm_resource_group.hub.location
+
+ keyvault_name = var.jumpbox_keyvault_name
+ tenant_id = var.mlz_tenantid
+ object_id = var.mlz_objectid
+
+ name = var.jumpbox_vm_name
+ size = var.jumpbox_vm_size
+ publisher = var.jumpbox_vm_publisher
+ offer = var.jumpbox_vm_offer
+ sku = var.jumpbox_vm_sku
+ image_version = var.jumpbox_vm_version
+}

src/core/saca-hub/saca-hub.front.json

@@ -177,6 +177,85 @@
  "default_val": "mlzDemoBastionHostIpCfg",
  "description": "The name of the Bastion Host IP Configuration",
  "options": []
+ },
+ {
+ "varname": "jumpbox_subnet.name",
+ "type": "text",
+ "default_val": "mlzDemoJumpboxSubnet",
+ "description": "The name of the jumpbox subnet",
+ "options": []
+ },
+ {
+ "varname": "jumpbox_subnet.address_prefixes",
+ "type": "list",
+ "default_val": [
+ "10.0.100.160/27"
+ ],
+ "description": "The address space(s) (new line seperated) to be used for the jumpbox subnet.",
+ "options": []
+ },
+ {
+ "varname": "jumpbox_subnet.nsg_name",
+ "type": "text",
+ "default_val": "mlzDemoJumpboxSubnetNsg",
+ "description": "The name of the jumpbox subnet route table network security group",
+ "options": []
+ },
+ {
+ "varname": "jumpbox_subnet.routetable_name",
+ "type": "text",
+ "default_val": "mlzDemoJumpboxSubnetRt",
+ "description": "The name of the jumpbox subnet route table",
+ "options": []
+ },
+ {
+ "varname": "jumpbox_keyvault_name",
+ "type": "text",
+ "default_val": "mlzDemoJumpboxVmKv",
+ "description": "The name of the jumpbox credentials Key Vault",
+ "options": []
+ },
+ {
+ "varname": "jumpbox_vm_name",
+ "type": "text",
+ "default_val": "mlzDemoJumpboxVm",
+ "description": "The name of the jumpbox virtual machine",
+ "options": []
+ },
+ {
+ "varname": "jumpbox_vm_size",
+ "type": "text",
+ "default_val": "Standard_DS1_v2",
+ "description": "The size of the jumpbox virtual machine",
+ "options": []
+ },
+ {
+ "varname": "jumpbox_vm_publisher",
+ "type": "text",
+ "default_val": "MicrosoftWindowsServer",
+ "description": "The publisher of the jumpbox virtual machine source image",
+ "options": []
+ },
+ {
+ "varname": "jumpbox_vm_offer",
+ "type": "text",
+ "default_val": "WindowsServer",
+ "description": "The offer of the jumpbox virtual machine source image",
+ "options": []
+ },
+ {
+ "varname": "jumpbox_vm_sku",
+ "type": "text",
+ "default_val": "2019-datacenter-gensecond",
+ "description": "The SKU of the jumpbox virtual machine source image",
+ "options": []
+ },
+ {
+ "varname": "jumpbox_vm_version",
+ "type": "text",
+ "default_val": "latest",
+ "description": "The version of the jumpbox virtual machine source image",
+ "options": []
  }
  ]
  }

src/core/saca-hub/saca-hub.orig.tfvars.json

@@ -25,5 +25,49 @@
  "bastion_host_name": "{BASTION_HOST_NAME}",
  "bastion_address_space": "{BASTION_ADDRESS_SPACE}",
  "bastion_public_ip_name": "{BASTION_PUBLIC_IP_NAME}",
- "bastion_ipconfig_name": "{BASTION_IPCONFIG_NAME}"
-}
+ "bastion_ipconfig_name": "{BASTION_IPCONFIG_NAME}",
+ "jumpbox_subnet": {
+ "name": "{JUMPBOX_SUBNET_NAME}",
+ "address_prefixes": [
+ "{JUMPBOX_SUBNET_SPACE}"
+ ],
+ "service_endpoints": [
+ "Microsoft.Storage"
+ ],
+ "enforce_private_link_endpoint_network_policies": false,
+ "enforce_private_link_service_network_policies": false,
+ "nsg_name": "{JUMPBOX_SUBNET_NSG_NAME}",
+ "nsg_rules": {
+ "allow_ssh": {
+ "name": "allow_ssh",
+ "priority": "100",
+ "direction": "Inbound",
+ "access": "Allow",
+ "protocol": "Tcp",
+ "source_port_range": "22",
+ "destination_port_range": "",
+ "source_address_prefix": "*",
+ "destination_address_prefix": ""
+ },
+ "allow_rdp": {
+ "name": "allow_rdp",
+ "priority": "200",
+ "direction": "Inbound",
+ "access": "Allow",
+ "protocol": "Tcp",
+ "source_port_range": "3389",
+ "destination_port_range": "",
+ "source_address_prefix": "*",
+ "destination_address_prefix": ""
+ }
+ },
+ "routetable_name": "{JUMPBOX_SUBNET_RT_NAME}"
+ },
+ "jumpbox_keyvault_name": "{JUMPBOX_KEYVAULT_NAME}",
+ "jumpbox_vm_name": "{JUMPBOX_VM_NAME}",
+ "jumpbox_vm_size": "{JUMPBOX_VM_SIZE}",
+ "jumpbox_vm_publisher": "{JUMPBOX_VM_PUBLISHER}",
+ "jumpbox_vm_offer": "{JUMPBOX_VM_OFFER}",
+ "jumpbox_vm_sku": "{JUMPBOX_VM_SKU}",
+ "jumpbox_vm_version": "{JUMPBOX_VM_VERSION}"
+}

src/core/saca-hub/saca-hub.tfvars.sample

@@ -38,3 +38,52 @@ bastion_host_name = "{BASTION_HOST_NAME}",
 bastion_address_space = "{BASTION_ADDRESS_SPACE}",
 bastion_public_ip_name = "{BASTION_PUBLIC_IP_NAME}",
 bastion_ipconfig_name = "{BASTION_IPCONFIG_NAME}"
+
+#################################
+# Jumpbox VM Configuration
+#################################
+
+jumpbox_subnet = {
+ name = "{JUMPBOX_SUBNET_NAME}"
+ address_prefixes = ["{JUMPBOX_SUBNET_SPACE}"]
+ service_endpoints = ["Microsoft.Storage"]
+
+ enforce_private_link_endpoint_network_policies = false
+ enforce_private_link_service_network_policies = false
+
+ nsg_name = "{JUMPBOX_SUBNET_NSG_NAME}"
+ nsg_rules = {
+ "allow_ssh" = {
+ name = "allow_ssh"
+ priority = "100"
+ direction = "Inbound"
+ access = "Allow"
+ protocol = "Tcp"
+ source_port_range = "22"
+ destination_port_range = ""
+ source_address_prefix = "*"
+ destination_address_prefix = ""
+ },
+ "allow_rdp" = {
+ name = "allow_rdp"
+ priority = "200"
+ direction = "Inbound"
+ access = "Allow"
+ protocol = "Tcp"
+ source_port_range = "3389"
+ destination_port_range = ""
+ source_address_prefix = "*"
+ destination_address_prefix = ""
+ }
+ }
+
+ routetable_name = "{JUMPBOX_SUBNET_RT_NAME}"
+}
+
+jumpbox_keyvault_name = "{JUMPBOX_KEYVAULT_NAME}"
+jumpbox_vm_name = "{JUMPBOX_VM_NAME}"
+jumpbox_vm_size = "{JUMPBOX_VM_SIZE}"
+jumpbox_vm_publisher = "{JUMPBOX_VM_PUBLISHER}"
+jumpbox_vm_offer = "{JUMPBOX_VM_OFFER}"
+jumpbox_vm_sku = "{JUMPBOX_VM_SKU}"
+jumpbox_vm_version = "{JUMPBOX_VM_VERSION}"

src/core/saca-hub/variables.tf

@@ -32,6 +32,10 @@ variable "mlz_clientsecret" {
  description = "The account to deploy with"
 }
 
+variable "mlz_objectid" {
+ description = "The account to deploy with"
+}
+
 #################################
 # SACA Hub Configuration
 #################################
@@ -140,3 +144,112 @@ variable "bastion_ipconfig_name" {
  default = "mlzDemoBastionHostIpCfg"
  type = string
 }
+
+#################################
+# Jumpbox VM Configuration
+#################################
+
+variable "jumpbox_subnet" {
+ description = "The subnet for jumpboxes"
+ type = object({
+ name = string
+ address_prefixes = list(string)
+ service_endpoints = list(string)
+
+ enforce_private_link_endpoint_network_policies = bool
+ enforce_private_link_service_network_policies = bool
+
+ nsg_name = string
+ nsg_rules = map(object({
+ name = string
+ priority = string
+ direction = string
+ access = string
+ protocol = string
+ source_port_range = string
+ destination_port_range = string
+ source_address_prefix = string
+ destination_address_prefix = string
+ }))
+
+ routetable_name = string
+ })
+ default = {
+ name = "mlzDemoJumpboxSubnet"
+ address_prefixes = ["10.0.100.160/27"]
+ service_endpoints = ["Microsoft.Storage"]
+
+ enforce_private_link_endpoint_network_policies = false
+ enforce_private_link_service_network_policies = false
+
+ nsg_name = "mlzDemoJumpboxSubnetNsg"
+ nsg_rules = {
+ "allow_ssh" = {
+ name = "allow_ssh"
+ priority = "100"
+ direction = "Inbound"
+ access = "Allow"
+ protocol = "Tcp"
+ source_port_range = "22"
+ destination_port_range = ""
+ source_address_prefix = "*"
+ destination_address_prefix = ""
+ },
+ "allow_rdp" = {
+ name = "allow_rdp"
+ priority = "200"
+ direction = "Inbound"
+ access = "Allow"
+ protocol = "Tcp"
+ source_port_range = "3389"
+ destination_port_range = ""
+ source_address_prefix = "*"
+ destination_address_prefix = ""
+ }
+ }
+
+ routetable_name = "mlzDemoJumpboxSubnetRt"
+ }
+}
+
+variable "jumpbox_keyvault_name" {
+ description = "The name of the jumpbox virtual machine keyvault"
+ default = "mlzDemoJumpboxVmKv"
+ type = string
+}
+
+variable "jumpbox_vm_name" {
+ description = "The name of the jumpbox virtual machine"
+ default = "mlzDemoJumpboxVm"
+ type = string
+}
+
+variable "jumpbox_vm_size" {
+ description = "The size of the jumpbox virtual machine"
+ default = "Standard_DS1_v2"
+ type = string
+}
+
+variable "jumpbox_vm_publisher" {
+ description = "The publisher of the jumpbox virtual machine source image"
+ default = "MicrosoftWindowsServer"
+ type = string
+}
+
+variable "jumpbox_vm_offer" {
+ description = "The offer of the jumpbox virtual machine source image"
+ default = "WindowsServer"
+ type = string
+}
+
+variable "jumpbox_vm_sku" {
+ description = "The SKU of the jumpbox virtual machine source image"
+ default = "2019-datacenter-gensecond"
+ type = string
+}
+
+variable "jumpbox_vm_version" {
+ description = "The version of the jumpbox virtual machine source image"
+ default = "latest"
+ type = string
+}

src/core/tier-0/variables.tf

@@ -31,6 +31,10 @@ variable "mlz_clientsecret" {
  description = "The account to deploy with"
 }
 
+variable "mlz_objectid" {
+ description = "The account to deploy with"
+}
+
 #################################
 # Tier 0 Configuration
 #################################