Merge pull request #868 from dcasati/master

Add an example using FreeBSD as a jumpbox with SSH keys.
hashicorp · Feb 23, 2018 · 8367d5e · 8367d5e
2 parents 1381dde + d434d35
commit 8367d5e
Show file tree

Hide file tree

Showing 7 changed files with 358 additions and 0 deletions.
diff --git a/examples/freebsd-jumpbox/README.md b/examples/freebsd-jumpbox/README.md
@@ -0,0 +1,25 @@
+# A FreeBSD Jumpbox 
+
+This template allows you to deploy a simple FreeBSD jumpbox VM using the latest patched version. This will deploy an A0 size VM in the resource group location and return the FQDN of the VM.
+
+This template takes a minimum amount of parameters and deploys FreeBSD as a jumpbox VM on an isolated subnet (management subnet). A second subnet named Web is also created as a placeholder.
+
+## main.tf
+The `main.tf` file contains the actual resources that will be deployed. It also contains the Azure Resource Group definition and any defined variables.
+
+Azure requires that an application is added to Azure Active Directory to generate the `client_id`, `client_secret`, and `tenant_id` needed by Terraform (`subscription_id` can be recovered from your Azure account details). Please go [here](https://www.terraform.io/docs/providers/azurerm/) for full instructions on how to create this to populate the azurerm provider block or environment variables.
+
+## outputs.tf
+This data is outputted when `terraform apply` is called, and can be queried using the `terraform output` command.
+
+## terraform.tfvars
+If a `terraform.tfvars` or any `.auto.tfvars` files are present in the current directory, Terraform automatically loads them to populate variables. We don't recommend saving usernames and password to version control, but you can create a local secret variables file and use the `-var-file` flag or the `.auto.tfvars` extension to load it.
+
+## variables.tf
+The `variables.tf` file contains all of the input parameters that the user can specify when deploying this Terraform template.
+
+## Post-Deployment
+
+1. The FreeBSD jumpbox will have a public IP and can be accessed through SSH using public keys only. The default username is `vmadmin` but that can be changed on the variables.tf files.
+
+![graph](graph.png)
diff --git a/examples/freebsd-jumpbox/deploy.ci.sh b/examples/freebsd-jumpbox/deploy.ci.sh
@@ -0,0 +1,36 @@
+#!/bin/bash
+
+set -o errexit -o nounset
+
+docker run --rm -it \
+  -e ARM_CLIENT_ID \
+  -e ARM_CLIENT_SECRET \
+  -e ARM_SUBSCRIPTION_ID \
+  -e ARM_TENANT_ID \
+  -v $(pwd):/data \
+  --workdir=/data \
+  --entrypoint "/bin/sh" \
+  hashicorp/terraform:light \
+  -c "/bin/terraform get; \
+      /bin/terraform validate; \
+      /bin/terraform plan -out=out.tfplan -var dns_name=$KEY -var hostname=$KEY -var resource_group=$KEY -var ssh_key_data=\"$SSH_PUB_KEY\"; \
+      /bin/terraform apply out.tfplan; \
+      /bin/terraform show;"
+
+# cleanup deployed azure resources via azure-cli
+docker run --rm -it \
+  azuresdk/azure-cli-python:0.2.10 \
+  sh -c "az login --service-principal -u $ARM_CLIENT_ID -p $ARM_CLIENT_SECRET --tenant $ARM_TENANT_ID > /dev/null; \
+         az vm show -g $KEY -n rgvm"
+
+# cleanup deployed azure resources via terraform
+docker run --rm -it \
+  -e ARM_CLIENT_ID \
+  -e ARM_CLIENT_SECRET \
+  -e ARM_SUBSCRIPTION_ID \
+  -e ARM_TENANT_ID \
+  -v $(pwd):/data \
+  --workdir=/data \
+  --entrypoint "/bin/sh" \
+  hashicorp/terraform:light \
+  -c "/bin/terraform destroy -force -var dns_name=$KEY -var hostname=$KEY -var resource_group=$KEY -var ssh_key_data=$SSH_PUB_KEY;"
diff --git a/examples/freebsd-jumpbox/deploy.mac.sh b/examples/freebsd-jumpbox/deploy.mac.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+set -o errexit -o nounset
+
+if docker -v; then
+
+  # generate a unique string for CI deployment
+  export KEY=$(cat /dev/urandom | env LC_CTYPE=C tr -cd 'a-z' | head -c 12)
+  export PASSWORD=$KEY$(cat /dev/urandom | env LC_CTYPE=C tr -cd 'A-Z' | head -c 2)$(cat /dev/urandom | env LC_CTYPE=C tr -cd '0-9' | head -c 2)
+
+  /bin/sh ./deploy.ci.sh
+
+else
+  echo "Docker is used to run terraform commands, please install before run:  https://docs.docker.com/docker-for-mac/install/"
+fi
diff --git a/examples/freebsd-jumpbox/graph.png b/examples/freebsd-jumpbox/graph.png
diff --git a/examples/freebsd-jumpbox/main.tf b/examples/freebsd-jumpbox/main.tf
@@ -0,0 +1,186 @@
+# provider "azurerm" {
+#   subscription_id = "REPLACE-WITH-YOUR-SUBSCRIPTION-ID"
+#   client_id       = "REPLACE-WITH-YOUR-CLIENT-ID"
+#   client_secret   = "REPLACE-WITH-YOUR-CLIENT-SECRET"
+#   tenant_id       = "REPLACE-WITH-YOUR-TENANT-ID"
+# }
+
+# ***************************** FreeBSD Jumpbox **************************** #
+resource "azurerm_resource_group" "rg" {
+  name     = "${var.resource_group}"
+  location = "${var.location}"
+}
+
+# ***************************** VNET / SUBNET ****************************** #
+resource "azurerm_virtual_network" "vnet" {
+  name                = "${var.virtual_network_name}"
+  location            = "${var.location}"
+  address_space       = ["${var.address_space}"]
+  resource_group_name = "${azurerm_resource_group.rg.name}"
+}
+
+resource "azurerm_subnet" "mgmt-subnet" {
+  name                 = "${azurerm_resource_group.rg.name}-mgmt-subnet"
+  virtual_network_name = "${azurerm_virtual_network.vnet.name}"
+  resource_group_name  = "${azurerm_resource_group.rg.name}"
+  address_prefix       = "${var.mgmt-subnet_prefix}"
+}
+
+resource "azurerm_subnet" "web-subnet" {
+  name                 = "${azurerm_resource_group.rg.name}-web-subnet"
+  virtual_network_name = "${azurerm_virtual_network.vnet.name}"
+  resource_group_name  = "${azurerm_resource_group.rg.name}"
+  address_prefix       = "${var.web-subnet_prefix}"
+  network_security_group_id = "${azurerm_network_security_group.web-nsg.id}"
+}
+
+# ********************** NETWORK SECURITY GROUP **************************** #
+resource "azurerm_network_security_group" "mgmt-nsg" {
+  name                = "${azurerm_resource_group.rg.name}-mgmt-nsg"
+  resource_group_name = "${azurerm_resource_group.rg.name}"
+  location            = "${azurerm_resource_group.rg.location}"
+
+  security_rule {
+    name                       = "allow-ssh"
+    description                = "Allow SSH"
+    priority                   = 100
+    direction                  = "Inbound"
+    access                     = "Allow"
+    protocol                   = "Tcp"
+    source_port_range          = "*"
+    destination_port_range     = "22"
+    source_address_prefix      = "Internet"
+    destination_address_prefix = "*"
+  }
+
+  tags {
+    environment = "Management"
+  }
+}
+
+resource "azurerm_network_security_group" "web-nsg" {
+  name                = "${azurerm_resource_group.rg.name}-web-nsg"
+  resource_group_name = "${azurerm_resource_group.rg.name}"
+  location            = "${azurerm_resource_group.rg.location}"
+
+   security_rule {
+    name                       = "allow-www"
+    description                = "Allow HTTP Traffic"
+    priority                   = 100
+    direction                  = "Inbound"
+    access                     = "Allow"
+    protocol                   = "Tcp"
+    source_port_range          = "*"
+    destination_port_range     = "80"
+    source_address_prefix      = "Internet"
+    destination_address_prefix = "*"
+  }
+
+  tags {
+    environment = "Web"
+  }
+}
+
+# ************************** NETWORK INTERFACES **************************** #
+resource "azurerm_network_interface" "nic" {
+  name                = "${azurerm_resource_group.rg.name}-nic"
+  location            = "${var.location}"
+  resource_group_name = "${azurerm_resource_group.rg.name}"
+  network_security_group_id = "${azurerm_network_security_group.mgmt-nsg.id}"
+
+  ip_configuration {
+    name                          = "${var.hostname}-ipconfig"
+    subnet_id                     = "${azurerm_subnet.mgmt-subnet.id}"
+    private_ip_address_allocation = "Dynamic"
+    public_ip_address_id          = "${azurerm_public_ip.pip.id}"
+  }
+
+  tags {
+    environment = "Management"
+  }
+}
+
+# ************************** PUBLIC IP ADDRESSES **************************** #
+resource "azurerm_public_ip" "pip" {
+  name                         = "${azurerm_resource_group.rg.name}-pip"
+  location                     = "${var.location}"
+  resource_group_name          = "${azurerm_resource_group.rg.name}"
+  public_ip_address_allocation = "Dynamic"
+  domain_name_label            = "${var.dns_name}"
+
+  tags {
+    environment = "Management"
+  }
+}
+
+# ***************************** STORAGE ACCOUNT **************************** #
+resource "azurerm_storage_account" "stor" {
+  name                     = "${var.dns_name}stor"
+  location                 = "${var.location}"
+  resource_group_name      = "${azurerm_resource_group.rg.name}"
+  account_tier             = "${var.storage_account_tier}"
+  account_replication_type = "${var.storage_replication_type}"
+}
+
+resource "azurerm_managed_disk" "datadisk" {
+  name                 = "${var.hostname}-datadisk"
+  location             = "${var.location}"
+  resource_group_name  = "${azurerm_resource_group.rg.name}"
+  storage_account_type = "Standard_LRS"
+  create_option        = "Empty"
+  disk_size_gb         = "1023"
+}
+
+# ***************************** VIRTUAL MACHINE **************************** #
+resource "azurerm_virtual_machine" "vm" {
+  name                  = "${azurerm_resource_group.rg.name}-vm"
+  location              = "${var.location}"
+  resource_group_name   = "${azurerm_resource_group.rg.name}"
+  vm_size               = "${var.vm_size}"
+  network_interface_ids = ["${azurerm_network_interface.nic.id}"]
+
+  storage_image_reference {
+    publisher = "${var.image_publisher}"
+    offer     = "${var.image_offer}"
+    sku       = "${var.image_sku}"
+    version   = "${var.image_version}"
+  }
+
+  storage_os_disk {
+    name              = "${var.hostname}-osdisk"
+    managed_disk_type = "Standard_LRS"
+    caching           = "ReadWrite"
+    create_option     = "FromImage"
+  }
+
+  storage_data_disk {
+    name              = "${var.hostname}-datadisk"
+    managed_disk_id   = "${azurerm_managed_disk.datadisk.id}"
+    managed_disk_type = "Standard_LRS"
+    disk_size_gb      = "1023"
+    create_option     = "Attach"
+    lun               = 0
+  }
+
+  os_profile {
+    computer_name  = "${var.hostname}"
+    admin_username = "${var.admin_username}"
+  }
+
+  os_profile_linux_config {
+    disable_password_authentication = true
+    ssh_keys {
+      path = "/home/${var.admin_username}/.ssh/authorized_keys"
+      key_data = "${var.ssh_key_data}"
+    }
+  }
+
+  boot_diagnostics {
+    enabled     = true
+    storage_uri = "${azurerm_storage_account.stor.primary_blob_endpoint}"
+  }
+
+  tags {
+    environment = "Management"
+  }
+}
diff --git a/examples/freebsd-jumpbox/outputs.tf b/examples/freebsd-jumpbox/outputs.tf
@@ -0,0 +1,11 @@
+output "hostname" {
+  value = "${var.hostname}"
+}
+
+output "vm_fqdn" {
+  value = "${azurerm_public_ip.pip.fqdn}"
+}
+
+output "ssh_command" {
+  value = "ssh ${var.admin_username}@${azurerm_public_ip.pip.fqdn}"
+}
diff --git a/examples/freebsd-jumpbox/variables.tf b/examples/freebsd-jumpbox/variables.tf
@@ -0,0 +1,85 @@
+variable "resource_group" {
+  description = "The name of the resource group in which to create the virtual network."
+}
+
+variable "rg_prefix" {
+  description = "The shortened abbreviation to represent your resource group that will go on the front of some resources."
+  default     = "rg"
+}
+
+variable "hostname" {
+  description = "VM name referenced also in storage-related names."
+}
+
+variable "dns_name" {
+  description = " Label for the Domain Name. Will be used to make up the FQDN. If a domain name label is specified, an A DNS record is created for the public IP in the Microsoft Azure DNS system."
+}
+
+variable "location" {
+  description = "The location/region where the virtual network is created. Changing this forces a new resource to be created."
+  default     = "southcentralus"
+}
+
+variable "virtual_network_name" {
+  description = "The name for the virtual network."
+  default     = "vnet"
+}
+
+variable "address_space" {
+  description = "The address space that is used by the virtual network. You can supply more than one address space. Changing this forces a new resource to be created."
+  default     = "10.0.0.0/16"
+}
+
+variable "mgmt-subnet_prefix" {
+  description = "The address prefix to use for the management subnet."
+  default     = "10.0.0.128/25"
+}
+
+variable "web-subnet_prefix" {
+  description = "The address prefix to use for the management subnet."
+  default     = "10.0.1.0/24"
+}
+
+variable "storage_account_tier" {
+  description = "Defines the Tier of storage account to be created. Valid options are Standard and Premium."
+  default     = "Standard"
+}
+
+variable "storage_replication_type" {
+  description = "Defines the Replication Type to use for this storage account. Valid options include LRS, GRS etc."
+  default     = "LRS"
+}
+
+variable "vm_size" {
+  description = "Specifies the size of the virtual machine."
+  default     = "Standard_A0"
+}
+
+variable "image_publisher" {
+  description = "name of the publisher of the image (az vm image list)"
+  default     = "MicrosoftOSTC"
+}
+
+variable "image_offer" {
+  description = "the name of the offer (az vm image list)"
+  default     = "FreeBSD"
+}
+
+variable "image_sku" {
+  description = "image sku to apply (az vm image list)"
+  default     = "11.1"
+}
+
+variable "image_version" {
+  description = "version of the image to apply (az vm image list)"
+  default     = "latest"
+}
+
+variable "admin_username" {
+  description = "administrator user name"
+  default     = "vmadmin"
+}
+
+variable "ssh_key_data" {
+  description = "administrator ssh public key"
+}