This project utilize the Terraform project model to create a complete environment that is enabled to run Azure Cloud Shell in a private Virtual Network.
The Terraform project can both connect to an existing Virtual Network or create a whole new environment that is isolated as a Cloud Shell environment.
By default an Azure Cloud Shell session runs in a Microsoft Azure network separate from your other resources. This causes issues if you want to access/configure resources in your Azure environment that is not publicly accessible like e.g. a Virtual Machine with private IP or a storage account that is locked down.
To encounter this issue Microsoft has made it possible to set up an environment that enables the Cloud Shell to communicate with other resources using a Virtual Network.
An environment to run Terraform projects against Azure. Refer to the Terraform on Azure documentation and the Get started for more information on how to set up Terraform for Azure in different environments.
If Cloud Shell has been used in the past or when executing this terraform project, the existing cloud drive must be unmounted. To do this run
clouddrive unmountfrom an active Cloud Shell session after the terraform has been done.
The Azure Container Instance Resource provider needs to be registered in the subscription that holds the Virtual Network you want to use.
Register this using:
- Azure CLI
az provider register --namespace Microsoft.ContainerInstance
- Azure PowerShell
Register-AzResourceProvider -ProviderNamespace Microsoft.ContainerInstance.
To be able to execute this terraform project, you need to set the following required variables
tenant_id- The id of the tenant for your Azure account
subscription_id- The id of the subscription where you want the resources to live
virtual_network_name- Required if the Cloud Shell should connect to an existing Virtual Network
- The name of the existing Virtual Network
virtual_network_resource_group_name- Required if
virtual_network_nameis specified. - The name of the resource group where
virtual_network_nameexists.
- Required if
virtual_network_cloudshell_subnet_address,virtual_network_relay_subnet_address,virtual_network_storage_subnet_address- Needs to be defined with subnet CIDR that is valid within the existing Virtual Network.
region- The Azure region you want to locate the cloud shell environment
- All Cloud shell primary regions except the one below is currently supported
- Azure Central India (Azure Cloud Shell limitation)
- Azure Germany (may work, not tested)
- Azure US Government (not implemented)
In addition to the required variables there is several optional variables as well
resource_name- The default name of all resources that is create is
cloudshell, to override this set theresource_namevariable.
- The default name of all resources that is create is
resource_suffix- Certain resources requires to have unique name. By default, the unique name is a combination of
resource_nameand a 8 character suffix. To override this suffix set theresource_suffixparameter. The combinationresource_nameandresource_suffixmust be guaranteed unique for the Azure Storage and Azure Relay services used.
- Certain resources requires to have unique name. By default, the unique name is a combination of
tags- Optional tags that can be added to the environment
virtual_network_address,virtual_network_cloudshell_subnet_address,virtual_network_relay_subnet_address,virtual_network_storage_subnet_address- By default the ip configuration of the Virtual Network for the cloud shell is based on the
192.168.0.0/24class c address range. Override this by using these variables.
- By default the ip configuration of the Virtual Network for the cloud shell is based on the
- Clone this project to a local folder
- Set the required and optional variables
- See required and optional variables section for the required and optional based desired configuration.
- Refer to Terraform documentation on setting variables.
- Run the
terraform applycommand, review the changes an confirm the changes by enteringyeswhen questioned.
When the terraform operation is done, the project returns the following parameters
vnetid- The resource id of the newly created virtual net. Use this to peer this network to other Virtual Networks where the Cloud Shell should have access to resources.
When this Terraform project is applied you will need to connect it to the Cloud Shell.
To do this you need to follow the following steps:
- Open the Cloud Shell in the portal or following this link.
- Select either
BashorPowerShell. - On the
You have no storage mountedpage selectShow advanced settingsand theShow VNET isolation settings. - In
Cloud Shell Regionselect the same region as you configured with theregionvariable.- Normally this should be set accordingly, but for some reason when selecting the
Show VNET isolation settingsvariable the region is changed toAustralia Centralsecondary region (unsupported). See this bug for more information.
- Normally this should be set accordingly, but for some reason when selecting the
- In the
Resource groupselect the group that was created by the script (the same name as theresource_namevariable).- Normally, this should fill out all other parameters like
Storage account,Virtual network,Network profileandRelay namespace, but if it doesn't you will notice that the three latter parameters is disabled. If this is the case, switch the resource group to a another and back and the parameters should be filled accordingly. See this bug for more information.
- Normally, this should fill out all other parameters like
- In the
File shareenter thecloudshellas the share name (this is created during the terraform).
You will now have a Cloud Shell attached either to a Virtual Network that you specified or you can peer the newly created Virtual Network with other Virtual Networks for accessing these.
When working with other Terraform projects you should peer this Virtual Network to the one in those Terraform projects. Be sure that resources that isn't publicly accessible has a depends_on the peering configuration like this.
# The cloudshell Virtual Network peering
resource "azurerm_virtual_network_peering" "cloudshell_peering" {
# ...
}
# Denies external access and connect the storage to the storage Virtual Network.
resource "azurerm_storage_account_network_rules" "allow_virtual" {
storage_account_id = azurerm_storage_account.storage.id
bypass = ["None"]
default_action = "Deny"
virtual_network_subnet_ids = [azurerm_subnet.storage.id]
depends_on = [
# Ensure that the peering is created before this resource is created.
azurerm_virtual_network_peering.peering
]
}