From f131dccab91ab7ae60104c1da5e3d334ec80e96f Mon Sep 17 00:00:00 2001 From: Denis Cepun Date: Fri, 7 May 2021 09:46:40 +0300 Subject: [PATCH 01/11] commit original templates --- templates/base/shared/terraform/locals.tf | 16 + templates/base/shared/terraform/main.tf | 23 ++ templates/base/shared/terraform/network.tf | 44 +++ templates/base/shared/terraform/outputs.tf | 15 + .../base/shared/terraform/provider_azurerm.tf | 3 + templates/base/shared/terraform/variables.tf | 47 +++ templates/base/shared/terraform/webapp.tf | 221 +++++++++++++ .../workspaces/empty/terraform/locals.tf | 16 + templates/workspaces/empty/terraform/main.tf | 64 ++++ .../workspaces/empty/terraform/network.tf | 300 ++++++++++++++++++ .../workspaces/empty/terraform/outputs.tf | 12 + .../empty/terraform/provider_azurerm.tf | 3 + .../workspaces/empty/terraform/variables.tf | 74 +++++ 13 files changed, 838 insertions(+) create mode 100644 templates/base/shared/terraform/locals.tf create mode 100644 templates/base/shared/terraform/main.tf create mode 100644 templates/base/shared/terraform/network.tf create mode 100644 templates/base/shared/terraform/outputs.tf create mode 100644 templates/base/shared/terraform/provider_azurerm.tf create mode 100644 templates/base/shared/terraform/variables.tf create mode 100644 templates/base/shared/terraform/webapp.tf create mode 100644 templates/workspaces/empty/terraform/locals.tf create mode 100644 templates/workspaces/empty/terraform/main.tf create mode 100644 templates/workspaces/empty/terraform/network.tf create mode 100644 templates/workspaces/empty/terraform/outputs.tf create mode 100644 templates/workspaces/empty/terraform/provider_azurerm.tf create mode 100644 templates/workspaces/empty/terraform/variables.tf diff --git a/templates/base/shared/terraform/locals.tf b/templates/base/shared/terraform/locals.tf new file mode 100644 index 0000000000..e870764c35 --- /dev/null +++ b/templates/base/shared/terraform/locals.tf 
@@ -0,0 +1,16 @@
+data "azurerm_subscription" "current" {
+}
+
+data "azurerm_client_config" "current" {
+}
+
+locals {
+ shared_services_vnet_subnets = cidrsubnets(var.shared_services_vnet_address_space, 2, 4, 4, 2, 2)
+ firewall_subnet_address_space = local.shared_services_vnet_subnets[0]
+ app_gw_subnet_address_prefix = local.shared_services_vnet_subnets[1]
+ bastion_subnet_address_prefix = local.shared_services_vnet_subnets[2]
+ web_app_subnet_address_prefix = local.shared_services_vnet_subnets[3]
+ shared_services_subnet_address_prefix = local.shared_services_vnet_subnets[4]
+
+ management_api_image_name = "${var.container_registry_dns_name}/tre-management-api:${var.container_image_tag}"
+}
diff --git a/templates/base/shared/terraform/main.tf b/templates/base/shared/terraform/main.tf
new file mode 100644
index 0000000000..19e538dd3e
--- /dev/null
+++ b/templates/base/shared/terraform/main.tf
@@ -0,0 +1,23 @@
+# Azure Provider source and version being used
+terraform {
+ required_providers {
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = "=2.46.0"
+ }
+ }
+}
+
+resource "azurerm_resource_group" "core" {
+ location = var.location
+ name = "${var.resource_group_prefix}-${var.tre_id}"
+}
+
+resource "azurerm_log_analytics_workspace" "tre" {
+ name = "loganalytics-tre-${var.tre_id}"
+ resource_group_name = azurerm_resource_group.core.name
+ location = var.location
+ retention_in_days = 30
+ sku = "pergb2018"
+
+}
\ No newline at end of file
diff --git a/templates/base/shared/terraform/network.tf b/templates/base/shared/terraform/network.tf
new file mode 100644
index 0000000000..561104ed9a
--- /dev/null
+++ b/templates/base/shared/terraform/network.tf
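Review bot: `cidrsubnets(var.shared_services_vnet_address_space, 2, 4, 4, 2, 2)` hands AzureBastionSubnet and appGwSubnet a prefix four bits narrower than the VNet, so a /24 address space produces a /28 Bastion subnet, which Azure Bastion rejects (it required at least /27 when this provider version was current and /26 today), and anything narrower than /24 also shrinks AzureFirewallSubnet below its /26 minimum. Nothing in the hunk states the minimum, so the failure only appears at apply time on the subnet resources in network.tf. Add a why-comment on the `cidrsubnets` line such as `# VNet must be at least a /23 (/22 under the current /26 Bastion minimum): firewall gets netmask+2, bastion netmask+4` and enforce it where the variable is declared. `management_api_image_name` also pins only a tag, so the image that actually runs is whatever the registry serves for that tag at deploy time; a digest-capable variable is worth considering if supply-chain pinning matters for the management API.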
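Review bot: The provider pin `version = "=2.46.0"` disagrees with `=2.46.1` in the workspace template's main.tf added by this same commit, so the two templates cannot share a provider cache and will drift independently; pick one exact version and use it in both. The `retention_in_days = 30` on `azurerm_log_analytics_workspace.tre` is the only retention the App Service audit categories get, since their per-category `retention_policy` blocks are disabled, and 30 days is short if these logs are meant to support incident investigation in a controlled research environment; document the choice with a comment such as `# 30 days is the provider floor for this SKU; raise for environments that need longer audit history` or raise it.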
@@ -0,0 +1,44 @@
+resource "azurerm_virtual_network" "core" {
+ name = "vnet-core"
+ location = azurerm_resource_group.core.location
+ resource_group_name = azurerm_resource_group.core.name
+ address_space = [var.shared_services_vnet_address_space]
+}
+
+resource "azurerm_subnet" "bastion" {
+ name = "AzureBastionSubnet"
+ virtual_network_name = azurerm_virtual_network.core.name
+ resource_group_name = azurerm_resource_group.core.name
+ address_prefixes = [local.bastion_subnet_address_prefix]
+
+}
+
+resource "azurerm_subnet" "azure_firewall" {
+ name = "AzureFirewallSubnet"
+ virtual_network_name = azurerm_virtual_network.core.name
+ resource_group_name = azurerm_resource_group.core.name
+ address_prefixes = [local.firewall_subnet_address_space]
+}
+
+resource "azurerm_subnet" "app_gw" {
+ name = "appGwSubnet"
+ virtual_network_name = azurerm_virtual_network.core.name
+ resource_group_name = azurerm_resource_group.core.name
+ address_prefixes = [local.app_gw_subnet_address_prefix]
+}
+
+resource "azurerm_subnet" "private_endpoints" {
+ name = "privateEndpointSubnet"
+ virtual_network_name = azurerm_virtual_network.core.name
+ resource_group_name = azurerm_resource_group.core.name
+ address_prefixes = [local.web_app_subnet_address_prefix]
+ enforce_private_link_endpoint_network_policies = true
+}
+
+resource "azurerm_subnet" "shared_services" {
+ name = "sharedServicesSubnet"
+ virtual_network_name = azurerm_virtual_network.core.name
+ resource_group_name = azurerm_resource_group.core.name
+ address_prefixes = [local.shared_services_subnet_address_prefix]
+ enforce_private_link_endpoint_network_policies = true
+}
\ No newline at end of file
diff --git a/templates/base/shared/terraform/outputs.tf b/templates/base/shared/terraform/outputs.tf
new file mode 100644
index 0000000000..e25e7f1a54
--- /dev/null
+++ b/templates/base/shared/terraform/outputs.tf
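Review bot: None of the core subnets gets an `azurerm_subnet_network_security_group_association`, so appGwSubnet, privateEndpointSubnet and sharedServicesSubnet run on Azure's default rules, and once workspace VNets are peered to `vnet-core` (the workspace template in this commit peers with `allow_virtual_network_access = true`) the default AllowVnetInBound rule lets any workspace reach anything in those subnets. The workspace template defines an NSG with an explicit deny-all; the core should do the same for at least `sharedServicesSubnet` and `appGwSubnet` (AzureBastionSubnet and AzureFirewallSubnet carry their own required rule sets). Note also that `enforce_private_link_endpoint_network_policies = true` on `sharedServicesSubnet` switches off network-policy evaluation for private endpoints placed there, so a comment such as `# NSG rules are not applied to private endpoints in this subnet; restrict access at the peered source instead` would save the next reader a surprise.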
@@ -0,0 +1,15 @@
+output "shared_services_resource_group_name" {
+ value = azurerm_resource_group.core.name
+}
+
+output "shared_services_vnet_name" {
+ value = azurerm_virtual_network.core.name
+}
+
+output "log_analytics_name" {
+ value = azurerm_log_analytics_workspace.tre.name
+}
+
+output "tre_id" {
+ value = var.tre_id
+}
diff --git a/templates/base/shared/terraform/provider_azurerm.tf b/templates/base/shared/terraform/provider_azurerm.tf
new file mode 100644
index 0000000000..ab91b24812
--- /dev/null
+++ b/templates/base/shared/terraform/provider_azurerm.tf
@@ -0,0 +1,3 @@
+provider "azurerm" {
+ features {}
+}
diff --git a/templates/base/shared/terraform/variables.tf b/templates/base/shared/terraform/variables.tf
new file mode 100644
index 0000000000..9844c22366
--- /dev/null
+++ b/templates/base/shared/terraform/variables.tf
@@ -0,0 +1,47 @@
+variable "tre_name" {
+ description = "Name of the DRE"
+ type = string
+}
+
+variable "tre_id" {
+ description = "Globally unique identifier for the DRE"
+ type = string
+}
+variable "resource_group_prefix" {
+ type = string
+ description = "resource group name prefix"
+}
+
+variable "location" {
+ type = string
+ description = "Azure region for shared_services deployment"
+}
+
+variable "tre_dns_suffix" {
+ type = string
+ description = "DNS suffix for the environment. E.g. .dre.myorg.com or .drelocal - must have >= 2 labels such as x.drelocal"
+ default = "internal.drelocal"
+}
+variable "shared_services_vnet_address_space" {
+ type = string
+ description = "shared_services Address Space"
+}
+
+variable "container_image_tag" {
+ type = string
+ description = "The default tag for container images."
+ default = "master"
+}
+variable "container_registry_dns_name" {
+ type = string
+ description = "The DNS name of the container registry containing the image"
+ default = "marcusreg.azurecr.io"
+}
+variable "container_registry_username" {
+ type = string
+ description = "Username that has access to pull the image"
+}
+variable "container_registry_password" {
+ type = string
+ description = "Password that has access to pull the image"
+}
\ No newline at end of file
diff --git a/templates/base/shared/terraform/webapp.tf b/templates/base/shared/terraform/webapp.tf
new file mode 100644
index 0000000000..e746424c11
--- /dev/null
+++ b/templates/base/shared/terraform/webapp.tf
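Review bot: `container_registry_password` is declared without `sensitive = true`, so its value is echoed in `terraform plan`/`apply` output and any CI log that captures it; the `.terraform.lock.hcl` added later in this series shows Terraform 0.14 or newer, where the attribute exists, so the block should read `type = string`, `sensitive = true`, `description = "Password that has access to pull the image"`, and `container_registry_username` should get the same treatment if it is handled as a secret. The default `container_registry_dns_name = "marcusreg.azurecr.io"` bakes one specific external registry into the template, so a deployment that omits the variable silently pulls the management API image from a registry the deployer does not control; drop the default and require the value explicitly. `container_image_tag` defaulting to `"master"` is a mutable tag, so its description should state that production deployments must pin an immutable tag or digest. `shared_services_vnet_address_space` is where a `validation` block on the prefix length belongs, since the subnet carve-up in locals.tf silently assumes a large enough space.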
@@ -0,0 +1,221 @@ +resource "azurerm_app_service_plan" "core" { + + name = "asp-core" + resource_group_name = azurerm_resource_group.core.name + location = var.location + reserved = true + kind = "linux" + sku { + tier = "PremiumV3" + capacity = 1 + size = "P1v3" + } +} + +resource "azurerm_application_insights" "core" { + name = "ai-core" + resource_group_name = azurerm_resource_group.core.name + location = var.location + application_type = "web" + +} +resource "azurerm_app_service" "management_api" { + + name = "webapp-management-api-${var.tre_id}" + resource_group_name = azurerm_resource_group.core.name + location = var.location + app_service_plan_id = azurerm_app_service_plan.core.id + + identity { + type = "UserAssigned" + identity_ids = [azurerm_user_assigned_identity.management_api.id] + } + + https_only = true + app_settings = { + + "APPINSIGHTS_INSTRUMENTATIONKEY" = azurerm_application_insights.core.instrumentation_key + + "DOCKER_REGISTRY_SERVER_USERNAME" = var.container_registry_username + "DOCKER_REGISTRY_SERVER_URL" = "https://${var.container_registry_dns_name}" + "DOCKER_REGISTRY_SERVER_PASSWORD" = var.container_registry_password + + } + site_config { + linux_fx_version = "DOCKER|${local.management_api_image_name}" + remote_debugging_enabled = false + scm_use_main_ip_restriction = true + cors { + allowed_origins = [] + support_credentials = false + } + always_on = true + min_tls_version = "1.2" + ip_restriction { + action = "Deny" + ip_address = "0.0.0.0/0" + name = "Deny all" + priority = 2147483647 + } + websockets_enabled = false + } + + logs { + application_logs { + file_system_level = "Information" + } + + http_logs { + file_system { + retention_in_days = 7 + retention_in_mb = 100 + } + } + } + +} + + +resource "azurerm_user_assigned_identity" "management_api" { + name = "msi-management-api" + resource_group_name = azurerm_resource_group.core.name + location = azurerm_resource_group.core.location +} + +resource "azurerm_private_endpoint" 
"management_api_private_endpoint" { + name = "pe-management-api" + resource_group_name = azurerm_resource_group.core.name + location = azurerm_resource_group.core.location + subnet_id = azurerm_subnet.private_endpoints.id + private_service_connection { + private_connection_resource_id = azurerm_app_service.management_api.id + name = "pe-webapp-management-api" + subresource_names = ["sites"] + is_manual_connection = false + } + private_dns_zone_group { + name = "privatelink.azurewebsites.net" + private_dns_zone_ids = [azurerm_private_dns_zone.azurewebsites.id] + } +} + + +resource "azurerm_private_dns_zone" "azurewebsites" { + name = "privatelink.azurewebsites.net" + resource_group_name = azurerm_resource_group.core.name + +} + +resource "azurerm_private_dns_zone_virtual_network_link" "azurewebsites" { + resource_group_name = azurerm_resource_group.core.name + virtual_network_id = azurerm_virtual_network.core.id + private_dns_zone_name = azurerm_private_dns_zone.azurewebsites.name + name = "azurewebsites-link" + registration_enabled = false + + +} +resource "azurerm_monitor_diagnostic_setting" "webapp_management_api" { + name = "diagnostics-webapp-shared-api" + target_resource_id = azurerm_app_service.management_api.id + log_analytics_workspace_id = azurerm_log_analytics_workspace.tre.id + + log { + category = "AppServiceHTTPLogs" + enabled = true + + + retention_policy { + days = 1 + enabled = false + } + } + + log { + + category = "AppServiceConsoleLogs" + enabled = true + + retention_policy { + days = 1 + enabled = false + } + } + + + log { + + category = "AppServiceAppLogs" + enabled = true + + retention_policy { + days = 1 + enabled = false + } + } + + + + log { + + category = "AppServiceFileAuditLogs" + enabled = true + + retention_policy { + days = 1 + enabled = false + } + } + + log { + + category = "AppServiceAuditLogs" + enabled = true + + retention_policy { + days = 1 + enabled = false + } + } + + log { + + category = "AppServiceIPSecAuditLogs" + enabled 
= true + + retention_policy { + days = 1 + enabled = false + } + } + + log { + + category = "AppServicePlatformLogs" + enabled = true + + retention_policy { + days = 1 + enabled = false + } + } + + log { + category = "AppServiceAntivirusScanAuditLogs" + enabled = true + + retention_policy { + days = 1 + enabled = false + } + } + + metric { + category = "AllMetrics" + enabled = true + + retention_policy { + enabled = false + } + } +} \ No newline at end of file diff --git a/templates/workspaces/empty/terraform/locals.tf b/templates/workspaces/empty/terraform/locals.tf new file mode 100644 index 0000000000..30b67b04b6 --- /dev/null +++ b/templates/workspaces/empty/terraform/locals.tf @@ -0,0 +1,16 @@ + +data "azurerm_subscription" "current" { +} + +data "azurerm_client_config" "current" { +} + +locals { + storage_account_name = "wsstorage${var.workspace_id}" + + workspace_vnet_subnets = cidrsubnets(var.address_space, 3, 2, 4) + appgw_subnet_address_prefix = local.workspace_vnet_subnets[0] + appgw_private_ip = cidrhost(local.appgw_subnet_address_prefix, 5) + web_app_subnet_address_prefix = local.workspace_vnet_subnets[1] + services_subnet_address_prefix = local.workspace_vnet_subnets[2] +} diff --git a/templates/workspaces/empty/terraform/main.tf b/templates/workspaces/empty/terraform/main.tf new file mode 100644 index 0000000000..6557f8a950 --- /dev/null +++ b/templates/workspaces/empty/terraform/main.tf 
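Review bot: `app_settings` stores `DOCKER_REGISTRY_SERVER_PASSWORD` as a plain app setting, so the registry credential sits in the site configuration (readable by anyone able to list the site's settings) and in Terraform state, even though the site already carries a user-assigned identity. If this provider version exposes `site_config.acr_use_managed_identity_credentials` and `acr_user_managed_identity_client_id` (confirm for 2.46.0), granting `msi-management-api` AcrPull on the registry and setting those two attributes removes the username and password settings entirely; otherwise reference the password from Key Vault rather than a variable. Separately, `site_config` does not set `ftps_state`, whose provider default permits plain FTP deployment, so add `ftps_state = "Disabled"` next to `min_tls_version = "1.2"`. The deny-all `ip_restriction` combined with `pe-management-api` is the right shape for an internal-only API; a comment on the deny rule such as `# public ingress is closed; the API is reachable only through the private endpoint in privateEndpointSubnet` would make that intent explicit.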
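Review bot: `storage_account_name = "wsstorage${var.workspace_id}"` is used as a storage account name, which Azure restricts to 3–24 lowercase alphanumerics and global uniqueness, but nothing in this hunk or on the `workspace_id` variable constrains the input, so an id containing uppercase, hyphens or more than 15 characters fails only at apply. Add a comment on the line, `# storage account names are 3-24 chars of [a-z0-9], globally unique -> workspace_id must be <= 15 lowercase alphanumerics`, and validate the variable at its declaration. `appgw_private_ip = cidrhost(local.appgw_subnet_address_prefix, 5)` also deserves a why-comment: Azure reserves the first four addresses in every subnet, so `.5` is a deliberate pick of the second usable host, and the value is not referenced by any other file visible in this commit, so it may be dead until a later patch uses it.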
@@ -0,0 +1,64 @@
+# Azure Provider source and version being used
+terraform {
+ required_providers {
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = "=2.46.1"
+ }
+ }
+}
+
+resource "azurerm_resource_group" "workspace" {
+ location = var.location
+ name = "${var.resource_group_prefix}-${var.tre_id}-${var.workspace_id}"
+}
+
+resource "azurerm_storage_account" "workspace" {
+ name = local.storage_account_name
+ resource_group_name = azurerm_resource_group.workspace.name
+ location = var.location
+ access_tier = "Hot"
+ enable_https_traffic_only = true
+ large_file_share_enabled = false
+ account_kind = "StorageV2"
+ account_tier = "Standard"
+ account_replication_type = "LRS"
+
+ network_rules {
+ bypass = ["AzureServices"]
+ default_action = "Deny"
+
+ }
+}
+
+
+resource "azurerm_private_endpoint" "workspace-storage-private-endpoint" {
+ name = "pe-wsstorage"
+ resource_group_name = azurerm_resource_group.workspace.name
+ location = azurerm_resource_group.workspace.location
+ subnet_id = azurerm_subnet.services.id
+ private_service_connection {
+ private_connection_resource_id = azurerm_storage_account.workspace.id
+ name = "pe-ws-storage"
+ subresource_names = ["file"]
+ is_manual_connection = false
+ }
+ private_dns_zone_group {
+ name = "privatelink.file.core.windows.net"
+ private_dns_zone_ids = [azurerm_private_dns_zone.files.id]
+ }
+}
+
+resource "azurerm_private_dns_zone" "files" {
+ name = "privatelink.file.core.windows.net"
+ resource_group_name = azurerm_resource_group.workspace.name
+
+}
+
+resource "azurerm_private_dns_zone_virtual_network_link" "wsstorage" {
+ resource_group_name = azurerm_resource_group.workspace.name
+ virtual_network_id = azurerm_virtual_network.workspace.id
+ private_dns_zone_name = azurerm_private_dns_zone.files.name
+ name = "files-workspace-link"
+ registration_enabled = false
+}
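Review bot: `azurerm_storage_account.workspace` does not set `min_tls_version`, and in the 2.x provider series that attribute defaults to `TLS1_0`, so despite `enable_https_traffic_only = true` the account still negotiates TLS 1.0 and 1.1; add `min_tls_version = "TLS1_2"` beside it. `network_rules` with `default_action = "Deny"` plus the `file` private endpoint is the right shape, but `bypass = ["AzureServices"]` re-opens the account to trusted Microsoft services from outside the VNet, so a comment on that line naming the service that needs it (or removing it if none does) would keep the exception deliberate. The provider pin `=2.46.1` also differs from the core template's `=2.46.0` in this same commit.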
diff --git a/templates/workspaces/empty/terraform/network.tf b/templates/workspaces/empty/terraform/network.tf
new file mode 100644
index 0000000000..672d04ae98
--- /dev/null
+++ b/templates/workspaces/empty/terraform/network.tf
@@ -0,0 +1,300 @@ +resource "azurerm_virtual_network" "workspace" { + name = "vnet-workspace" + resource_group_name = azurerm_resource_group.workspace.name + location = var.location + address_space = [var.address_space] +} + + +resource "azurerm_subnet" "appgw" { + name = "appgwSubnet" + virtual_network_name = azurerm_virtual_network.workspace.name + resource_group_name = azurerm_resource_group.workspace.name + address_prefixes = [local.appgw_subnet_address_prefix] +} + +resource "azurerm_subnet" "web_app" { + name = "web_appSubnet" + virtual_network_name = azurerm_virtual_network.workspace.name + resource_group_name = azurerm_resource_group.workspace.name + address_prefixes = [local.web_app_subnet_address_prefix] + delegation { + name = "web_app" + service_delegation { + name = "Microsoft.Web/serverFarms" + actions = ["Microsoft.Network/virtualNetworks/subnets/action"] + } + } + +} + +resource "azurerm_subnet" "services" { + name = "servicesSubnet" + virtual_network_name = azurerm_virtual_network.workspace.name + resource_group_name = azurerm_resource_group.workspace.name + address_prefixes = [local.services_subnet_address_prefix] + enforce_private_link_endpoint_network_policies = true +} + + + + + +resource "azurerm_subnet_network_security_group_association" "services" { + network_security_group_id = azurerm_network_security_group.workspace.id + subnet_id = azurerm_subnet.services.id +} + + +resource "azurerm_subnet_network_security_group_association" "web_app" { + network_security_group_id = azurerm_network_security_group.workspace.id + subnet_id = azurerm_subnet.web_app.id +} + +resource "azurerm_network_security_group" "workspace" { + name = "nsg-workspace" + resource_group_name = azurerm_resource_group.workspace.name + location = azurerm_resource_group.workspace.location + +} + + +resource "azurerm_network_security_rule" "allow_inbound_web_app_to_services" { + + name = "allow-inbound-web-app-to-services" + + protocol = "*" + source_port_range = "*" + 
destination_port_range = "*" + source_address_prefixes = azurerm_subnet.web_app.address_prefixes + destination_address_prefixes = azurerm_subnet.services.address_prefixes + access = "Allow" + priority = 102 + direction = "Inbound" + + network_security_group_name = azurerm_network_security_group.workspace.name + resource_group_name = azurerm_resource_group.workspace.name + +} + +resource "azurerm_network_security_rule" "allow_inbound_appgw_to_services" { + + name = "allow-inbound-appgw-to-services" + + protocol = "*" + source_port_range = "*" + destination_port_range = "*" + source_address_prefixes = azurerm_subnet.appgw.address_prefixes + destination_address_prefixes = azurerm_subnet.services.address_prefixes + access = "Allow" + priority = 103 + direction = "Inbound" + + network_security_group_name = azurerm_network_security_group.workspace.name + resource_group_name = azurerm_resource_group.workspace.name + +} + +resource "azurerm_network_security_rule" "allow_inbound_appgw_to_webapp" { + + name = "allow-inbound-appgw-to-webapp" + + protocol = "*" + source_port_range = "*" + destination_port_range = "443" + source_address_prefixes = azurerm_subnet.appgw.address_prefixes + destination_address_prefixes = azurerm_subnet.web_app.address_prefixes + access = "Allow" + priority = 104 + direction = "Inbound" + + network_security_group_name = azurerm_network_security_group.workspace.name + resource_group_name = azurerm_resource_group.workspace.name + +} + + + +resource "azurerm_network_security_rule" "allow_inbound_within_services" { + + name = "allow-inbound-within-services" + + protocol = "*" + source_port_range = "*" + destination_port_range = "*" + source_address_prefixes = azurerm_subnet.services.address_prefixes + destination_address_prefixes = azurerm_subnet.services.address_prefixes + access = "Allow" + priority = 105 + direction = "Inbound" + + network_security_group_name = azurerm_network_security_group.workspace.name + resource_group_name = 
azurerm_resource_group.workspace.name + +} + +resource "azurerm_network_security_rule" "allow_inbound_from_bastion_to_services" { + + name = "allow-inbound-from-bastion-to-services" + + protocol = "Tcp" + source_port_range = "*" + destination_port_ranges = ["22", "3389"] + source_address_prefixes = data.azurerm_subnet.shared_services_bastion.address_prefixes + destination_address_prefixes = azurerm_subnet.services.address_prefixes + access = "Allow" + priority = 107 + direction = "Inbound" + + network_security_group_name = azurerm_network_security_group.workspace.name + resource_group_name = azurerm_resource_group.workspace.name + +} + +resource "azurerm_network_security_rule" "deny_all_inbound_override" { + + name = "deny-all-inbound-override" + + protocol = "*" + source_port_range = "*" + destination_port_range = "*" + source_address_prefix = "*" + destination_address_prefix = "*" + access = "Deny" + priority = 900 + direction = "Inbound" + + network_security_group_name = azurerm_network_security_group.workspace.name + resource_group_name = azurerm_resource_group.workspace.name + +} + + +resource "azurerm_network_security_rule" "to_internet" { + + name = "to-internet" + + protocol = "Tcp" + source_port_range = "*" + destination_port_range = "443" + source_address_prefix = "*" + destination_address_prefix = "INTERNET" + access = "Allow" + priority = 900 + direction = "Outbound" + + network_security_group_name = azurerm_network_security_group.workspace.name + resource_group_name = azurerm_resource_group.workspace.name + +} + +resource "azurerm_network_security_rule" "allow_outbound_web_app_to_services" { + + name = "allow-outbound-web-app-to-services" + + protocol = "*" + source_port_range = "*" + destination_port_range = "*" + source_address_prefixes = azurerm_subnet.web_app.address_prefixes + destination_address_prefixes = azurerm_subnet.services.address_prefixes + access = "Allow" + priority = 101 + direction = "Outbound" + + network_security_group_name = 
azurerm_network_security_group.workspace.name + resource_group_name = azurerm_resource_group.workspace.name + +} + +resource "azurerm_network_security_rule" "allow_outbound_web_app_to_appgw" { + + name = "allow-outbound-webapp-to-appgw" + + protocol = "*" + source_port_range = "*" + destination_port_range = "*" + source_address_prefixes = azurerm_subnet.web_app.address_prefixes + destination_address_prefixes = azurerm_subnet.appgw.address_prefixes + access = "Allow" + priority = 106 + direction = "Outbound" + + network_security_group_name = azurerm_network_security_group.workspace.name + resource_group_name = azurerm_resource_group.workspace.name + +} + +resource "azurerm_network_security_rule" "allow-outbound-services-to-appgw" { + + name = "allow-outbound-services-to-appgw" + + protocol = "*" + source_port_range = "*" + destination_port_range = "*" + source_address_prefixes = azurerm_subnet.services.address_prefixes + destination_address_prefixes = azurerm_subnet.appgw.address_prefixes + access = "Allow" + priority = 107 + direction = "Outbound" + + network_security_group_name = azurerm_network_security_group.workspace.name + resource_group_name = azurerm_resource_group.workspace.name + +} + +resource "azurerm_network_security_rule" "deny-outbound-override" { + + name = "deny-outbound-override" + + protocol = "*" + source_port_range = "*" + destination_port_range = "*" + source_address_prefix = "*" + destination_address_prefix = "*" + access = "Deny" + priority = 4096 + direction = "Outbound" + + network_security_group_name = azurerm_network_security_group.workspace.name + resource_group_name = azurerm_resource_group.workspace.name + +} + +resource "azurerm_network_security_rule" "to-shared_services-services" { + + name = "to-shared_services-services" + + protocol = "*" + source_port_range = "*" + destination_port_range = "*" + source_address_prefix = "*" + destination_address_prefix = data.azurerm_subnet.shared_services.address_prefix + access = "Allow" + 
priority = 120 + direction = "Outbound" + + network_security_group_name = azurerm_network_security_group.workspace.name + resource_group_name = azurerm_resource_group.workspace.name + +} + +resource "azurerm_virtual_network_peering" "core-vnet" { + name = "to-core-vnet" + allow_forwarded_traffic = false + allow_gateway_transit = false + allow_virtual_network_access = true + resource_group_name = azurerm_resource_group.workspace.name + remote_virtual_network_id = data.azurerm_virtual_network.core.id + virtual_network_name = azurerm_virtual_network.workspace.name +} + +resource "azurerm_virtual_network_peering" "workspace-vnet" { + name = "to-${var.workspace_id}-vnet" + allow_forwarded_traffic = false + allow_gateway_transit = false + allow_virtual_network_access = true + resource_group_name = data.azurerm_resource_group.core.name + remote_virtual_network_id = azurerm_virtual_network.workspace.id + virtual_network_name = data.azurerm_virtual_network.core.name +} + diff --git a/templates/workspaces/empty/terraform/outputs.tf b/templates/workspaces/empty/terraform/outputs.tf new file mode 100644 index 0000000000..e9e2f1369c --- /dev/null +++ b/templates/workspaces/empty/terraform/outputs.tf @@ -0,0 +1,12 @@ +output "name" { + value = var.name +} + +output "workspace_id" { + value = var.workspace_id +} + +output "address_space" { + value = azurerm_virtual_network.workspace.address_space[0] +} + diff --git a/templates/workspaces/empty/terraform/provider_azurerm.tf b/templates/workspaces/empty/terraform/provider_azurerm.tf new file mode 100644 index 0000000000..ab91b24812 --- /dev/null +++ b/templates/workspaces/empty/terraform/provider_azurerm.tf @@ -0,0 +1,3 @@ +provider "azurerm" { + features {} +} diff --git a/templates/workspaces/empty/terraform/variables.tf b/templates/workspaces/empty/terraform/variables.tf new file mode 100644 index 0000000000..269add9781 --- /dev/null +++ b/templates/workspaces/empty/terraform/variables.tf 
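Review bot: `to_internet` (outbound, priority 900) allows TCP/443 from `*` to the `INTERNET` tag on every subnet carrying `nsg-workspace`, and no route table in this hunk sends workspace egress through the AzureFirewallSubnet defined in the core template, so any process in the services or web_app subnet can push data to an arbitrary HTTPS endpoint — the exfiltration path a trusted research environment exists to close. If egress is meant to be firewall-mediated, add a `0.0.0.0/0` route to the firewall's private IP on those subnets and narrow this rule's destination to the firewall subnet; if open egress is intentional at this stage, say so in a comment on the rule so it is not mistaken for an oversight. The service tag is documented as `Internet`; Azure appears to accept it case-insensitively, but using the documented spelling avoids relying on that. `allow_inbound_appgw_to_services` and `allow_inbound_web_app_to_services` are `protocol = "*"` on all ports, noticeably wider than the 443-only `allow_inbound_appgw_to_webapp` beside them, and `appgwSubnet` itself has no NSG association, so it runs on default rules.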
@@ -0,0 +1,74 @@
+variable "resource_group_prefix" {
+ type = string
+ description = "Resource group prefix"
+}
+
+data "azurerm_resource_group" "core" {
+ name = "${var.resource_group_prefix}-${var.tre_id}"
+}
+
+variable "core_vnet_name" {
+ type = string
+ description = "shared_services vnet name"
+ default = "vnet-core"
+}
+variable "dns_name" {
+ type = string
+ description = "Workspace DNS name"
+}
+
+data "azurerm_virtual_network" "core" {
+ name = var.core_vnet_name
+ resource_group_name = data.azurerm_resource_group.core.name
+}
+
+data "azurerm_subnet" "shared_services_appgw" {
+ name = "appGwSubnet"
+ virtual_network_name = data.azurerm_virtual_network.core.name
+ resource_group_name = data.azurerm_resource_group.core.name
+}
+
+data "azurerm_subnet" "shared_services_bastion" {
+ name = "AzureBastionSubnet"
+ virtual_network_name = data.azurerm_virtual_network.core.name
+ resource_group_name = data.azurerm_resource_group.core.name
+}
+
+data "azurerm_subnet" "shared_services" {
+ name = "sharedServicesSubnet"
+ virtual_network_name = data.azurerm_virtual_network.core.name
+ resource_group_name = data.azurerm_resource_group.core.name
+}
+
+variable "address_space" {
+ type = string
+ description = "Workspace VNet address space"
+}
+
+variable "name" {
+ type = string
+
+ description = "Name of the workspace"
+}
+
+variable "tre_id" {
+ type = string
+
+ description = "Unique DRE instance id"
+}
+
+variable "workspace_id" {
+ type = string
+ description = "Unique workspace id"
+}
+
+variable "tre_dns_suffix" {
+ type = string
+ description = "DNS suffix for the environment. E.g. .dre.myorg.com or x.drelocal, must be >=2 segments in the suffix"
+}
+
+variable "location" {
+ type = string
+
+ description = "Azure region to deploy to"
+}
\ No newline at end of file
From 18677837e8f5d1c794a2dc10b2dbb993684c17aa Mon Sep 17 00:00:00 2001
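Review bot: `workspace_id` is declared with no `validation`, yet the workspace template interpolates it into a storage account name (`wsstorage${var.workspace_id}`), which Azure limits to 24 lowercase alphanumerics, so a bad id surfaces only as an apply-time error on the storage account. A validation block pins the contract at the variable, and the same idea applies to `tre_id`, which feeds the resource group name. The four `data` sources live in variables.tf, where a reader will not look for lookups; moving them to a `data.tf` is a style point only.
```hcl
variable "workspace_id" {
  type        = string
  description = "Unique workspace id; forms part of a storage account name, so 1-15 lowercase alphanumerics only"
  validation {
    condition     = can(regex("^[a-z0-9]{1,15}$", var.workspace_id))
    error_message = "The workspace_id must be 1-15 lowercase letters or digits (it is embedded in a 24-character storage account name)."
  }
}
```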
From: Denis Cepun Date: Fri, 7 May 2021 12:28:23 +0300 Subject: [PATCH 02/11] refactored --- templates/base/shared/terraform/locals.tf | 16 ------ templates/base/shared/terraform/main.tf | 23 -------- templates/base/shared/terraform/outputs.tf | 15 ----- .../base/shared/terraform/provider_azurerm.tf | 3 - templates/base/shared/terraform/variables.tf | 47 ---------------- templates/core/terraform/.terraform.lock.hcl | 38 +++++++++++++ .../terraform/api-webapp/api-webapp.tf} | 55 ++++++++----------- .../core/terraform/api-webapp/variables.tf | 9 +++ templates/core/terraform/locals.tf | 13 +++++ templates/core/terraform/main.tf | 49 +++++++++++++++++ templates/core/terraform/network/locals.tf | 8 +++ .../terraform/network}/network.tf | 29 +++++----- templates/core/terraform/network/output.tf | 23 ++++++++ templates/core/terraform/network/variables.tf | 6 ++ templates/core/terraform/outputs.tf | 7 +++ templates/core/terraform/variables.tf | 26 +++++++++ 16 files changed, 215 insertions(+), 152 deletions(-) delete mode 100644 templates/base/shared/terraform/locals.tf delete mode 100644 templates/base/shared/terraform/main.tf delete mode 100644 templates/base/shared/terraform/outputs.tf delete mode 100644 templates/base/shared/terraform/provider_azurerm.tf delete mode 100644 templates/base/shared/terraform/variables.tf create mode 100644 templates/core/terraform/.terraform.lock.hcl rename templates/{base/shared/terraform/webapp.tf => core/terraform/api-webapp/api-webapp.tf} (74%) create mode 100644 templates/core/terraform/api-webapp/variables.tf create mode 100644 templates/core/terraform/locals.tf create mode 100644 templates/core/terraform/main.tf create mode 100644 templates/core/terraform/network/locals.tf rename templates/{base/shared/terraform => core/terraform/network}/network.tf (56%) create mode 100644 templates/core/terraform/network/output.tf create mode 100644 templates/core/terraform/network/variables.tf create mode 100644 
templates/core/terraform/outputs.tf create mode 100644 templates/core/terraform/variables.tf diff --git a/templates/base/shared/terraform/locals.tf b/templates/base/shared/terraform/locals.tf deleted file mode 100644 index e870764c35..0000000000 --- a/templates/base/shared/terraform/locals.tf +++ /dev/null @@ -1,16 +0,0 @@ -data "azurerm_subscription" "current" { -} - -data "azurerm_client_config" "current" { -} - -locals { - shared_services_vnet_subnets = cidrsubnets(var.shared_services_vnet_address_space, 2, 4, 4, 2, 2) - firewall_subnet_address_space = local.shared_services_vnet_subnets[0] - app_gw_subnet_address_prefix = local.shared_services_vnet_subnets[1] - bastion_subnet_address_prefix = local.shared_services_vnet_subnets[2] - web_app_subnet_address_prefix = local.shared_services_vnet_subnets[3] - shared_services_subnet_address_prefix = local.shared_services_vnet_subnets[4] - - management_api_image_name = "${var.container_registry_dns_name}/tre-management-api:${var.container_image_tag}" -} diff --git a/templates/base/shared/terraform/main.tf b/templates/base/shared/terraform/main.tf deleted file mode 100644 index 19e538dd3e..0000000000 --- a/templates/base/shared/terraform/main.tf +++ /dev/null @@ -1,23 +0,0 @@ -# Azure Provider source and version being used -terraform { - required_providers { - azurerm = { - source = "hashicorp/azurerm" - version = "=2.46.0" - } - } -} - -resource "azurerm_resource_group" "core" { - location = var.location - name = "${var.resource_group_prefix}-${var.tre_id}" -} - -resource "azurerm_log_analytics_workspace" "tre" { - name = "loganalytics-tre-${var.tre_id}" - resource_group_name = azurerm_resource_group.core.name - location = var.location - retention_in_days = 30 - sku = "pergb2018" - -} \ No newline at end of file diff --git a/templates/base/shared/terraform/outputs.tf b/templates/base/shared/terraform/outputs.tf deleted file mode 100644 index e25e7f1a54..0000000000 
--- a/templates/base/shared/terraform/outputs.tf +++ /dev/null @@ -1,15 +0,0 @@ -output "shared_services_resource_group_name" { - value = azurerm_resource_group.core.name -} - -output "shared_services_vnet_name" { - value = azurerm_virtual_network.core.name -} - -output "log_analytics_name" { - value = azurerm_log_analytics_workspace.tre.name -} - -output "tre_id" { - value = var.tre_id -} diff --git a/templates/base/shared/terraform/provider_azurerm.tf b/templates/base/shared/terraform/provider_azurerm.tf deleted file mode 100644 index ab91b24812..0000000000 --- a/templates/base/shared/terraform/provider_azurerm.tf +++ /dev/null @@ -1,3 +0,0 @@ -provider "azurerm" { - features {} -} diff --git a/templates/base/shared/terraform/variables.tf b/templates/base/shared/terraform/variables.tf deleted file mode 100644 index 9844c22366..0000000000 --- a/templates/base/shared/terraform/variables.tf +++ /dev/null 
@@ -1,47 +0,0 @@ -variable "tre_name" { - description = "Name of the DRE" - type = string -} - -variable "tre_id" { - description = "Globally unique identifier for the DRE" - type = string -} -variable "resource_group_prefix" { - type = string - description = "resource group name prefix" -} - -variable "location" { - type = string - description = "Azure region for shared_services deployment" -} - -variable "tre_dns_suffix" { - type = string - description = "DNS suffix for the environment. E.g. .dre.myorg.com or .drelocal - must have >= 2 labels such as x.drelocal" - default = "internal.drelocal" -} -variable "shared_services_vnet_address_space" { - type = string - description = "shared_services Address Space" -} - -variable "container_image_tag" { - type = string - description = "The default tag for container images." - default = "master" -} -variable "container_registry_dns_name" { - type = string - description = "The DNS name of the container registry containing the image" - default = "marcusreg.azurecr.io" -} -variable "container_registry_username" { - type = string - description = "Username that has access to pull the image" -} -variable "container_registry_password" { - type = string - description = "Password that has access to pull the image" -} \ No newline at end of file diff --git a/templates/core/terraform/.terraform.lock.hcl b/templates/core/terraform/.terraform.lock.hcl new file mode 100644 index 0000000000..0b5b2e4693 --- /dev/null +++ b/templates/core/terraform/.terraform.lock.hcl 
@@ -0,0 +1,38 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/azurerm" { + version = "2.46.0" + constraints = "2.46.0" + hashes = [ + "h1:lWovJczej2IP+aL24Fs4mz6brz7eoMxuqzxhEa2I/rc=", + "zh:049938dab6f78a642a7c4147f99f146dc25824c738d0b18d448c665880d105fa", + "zh:139de4a46bbfc18b5403fa2264878a056fd8593d860942233913e54233c7327d", + "zh:19ceb7fc964265cb7e7f708e32b72a00089ed0398ae1f0014b5832078bd5be79", + "zh:6bf0b5ed0313188af6347354d8fe693abc708199eb732c19d876ae9cbef202ab", + "zh:ab2bb2f60e3daba204d3d8d47905b4815921a1455197bbd7530d71c604720a14", + "zh:c08b5cd280cb73504ace949f086db8420a7aee054833c6761d406829c18c6a15", + "zh:d5eccbc19d62c57c69d15c7f84b9ea3d83d1b78856fe4bc52b31dda8f91480cf", + "zh:e2b29b094a1ce46356dcc3e13693c0c651afc2a47d213d68ed6973b9fb40bae7", + "zh:f353830b47cced07d20dac1f2158962002f644a0240d3aa21fd5ec5e9e42c119", + "zh:f36ff78ae9de95f4216bb420ee4365cee7d70e95fac608fb650ae5aed5c04c1d", + ] +} + +provider "registry.terraform.io/hashicorp/random" { + version = "3.1.0" + hashes = [ + "h1:BZMEPucF+pbu9gsPk0G0BHx7YP04+tKdq2MrRDF1EDM=", + "zh:2bbb3339f0643b5daa07480ef4397bd23a79963cc364cdfbb4e86354cb7725bc", + "zh:3cd456047805bf639fbf2c761b1848880ea703a054f76db51852008b11008626", + "zh:4f251b0eda5bb5e3dc26ea4400dba200018213654b69b4a5f96abee815b4f5ff", + "zh:7011332745ea061e517fe1319bd6c75054a314155cb2c1199a5b01fe1889a7e2", + "zh:738ed82858317ccc246691c8b85995bc125ac3b4143043219bd0437adc56c992", + "zh:7dbe52fac7bb21227acd7529b487511c91f4107db9cc4414f50d04ffc3cab427", + "zh:a3a9251fb15f93e4cfc1789800fc2d7414bbc18944ad4c5c98f466e6477c42bc", + "zh:a543ec1a3a8c20635cf374110bd2f87c07374cf2c50617eee2c669b3ceeeaa9f", + "zh:d9ab41d556a48bd7059f0810cf020500635bfc696c9fc3adab5ea8915c1d886b", + "zh:d9e13427a7d011dbd654e591b0337e6074eef8c3b9bb11b2e39eaaf257044fd7", + "zh:f7605bd1437752114baf601bdf6931debe6dc6bfe3006eb7e9bb9080931dca8a", + ] +} 
diff --git a/templates/base/shared/terraform/webapp.tf b/templates/core/terraform/api-webapp/api-webapp.tf similarity index 74% rename from templates/base/shared/terraform/webapp.tf rename to templates/core/terraform/api-webapp/api-webapp.tf index e746424c11..86dc60d49b 100644 --- a/templates/base/shared/terraform/webapp.tf +++ b/templates/core/terraform/api-webapp/api-webapp.tf @@ -1,7 +1,6 @@ resource "azurerm_app_service_plan" "core" { - - name = "asp-core" - resource_group_name = azurerm_resource_group.core.name + name = "plan-${var.resource_name_prefix}-${var.environment}-${var.tre_id}" + resource_group_name = var.resource_group_name location = var.location reserved = true kind = "linux" @@ -13,16 +12,15 @@ resource "azurerm_app_service_plan" "core" { } resource "azurerm_application_insights" "core" { - name = "ai-core" - resource_group_name = azurerm_resource_group.core.name + name = "appi-${var.resource_name_prefix}-${var.environment}-${var.tre_id}" + resource_group_name = var.resource_group_name location = var.location application_type = "web" - } -resource "azurerm_app_service" "management_api" { - name = "webapp-management-api-${var.tre_id}" - resource_group_name = azurerm_resource_group.core.name +resource "azurerm_app_service" "management_api" { + name = "api-${var.resource_name_prefix}-${var.environment}-${var.tre_id}" + resource_group_name = var.resource_group_name location = var.location app_service_plan_id = azurerm_app_service_plan.core.id 
@@ -35,14 +33,10 @@ resource "azurerm_app_service" "management_api" { app_settings = { "APPINSIGHTS_INSTRUMENTATIONKEY" = azurerm_application_insights.core.instrumentation_key - - "DOCKER_REGISTRY_SERVER_USERNAME" = var.container_registry_username - "DOCKER_REGISTRY_SERVER_URL" = "https://${var.container_registry_dns_name}" - "DOCKER_REGISTRY_SERVER_PASSWORD" = var.container_registry_password - } + site_config { - linux_fx_version = "DOCKER|${local.management_api_image_name}" + app_command_line = "gunicorn -w 2 -k uvicorn.workers.UvicornWorker main:app" remote_debugging_enabled = false scm_use_main_ip_restriction = true cors { @@ -72,21 +66,19 @@ resource "azurerm_app_service" "management_api" { } } } - } - resource "azurerm_user_assigned_identity" "management_api" { - name = "msi-management-api" - resource_group_name = azurerm_resource_group.core.name - location = azurerm_resource_group.core.location + name = "id-${var.resource_name_prefix}-${var.environment}-${var.tre_id}" + resource_group_name = var.resource_group_name + location = var.location } resource "azurerm_private_endpoint" "management_api_private_endpoint" { - name = "pe-management-api" - resource_group_name = azurerm_resource_group.core.name - location = azurerm_resource_group.core.location - subnet_id = azurerm_subnet.private_endpoints.id + name = "pe-api-${var.resource_name_prefix}-${var.environment}-${var.tre_id}" + resource_group_name = var.resource_group_name + location = var.location + subnet_id = var.shared_subnet private_service_connection { private_connection_resource_id = azurerm_app_service.management_api.id name = "pe-webapp-management-api" 
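Review bot: With `linux_fx_version = "DOCKER|..."` dropped from site_config and replaced by `app_command_line = "gunicorn -w 2 -k uvicorn.workers.UvicornWorker main:app"`, nothing in the shown lines declares the runtime stack that command runs on; site_config continues past this hunk, so if a `linux_fx_version = "PYTHON|<version>"` line exists further down this is moot, but if it does not the app has no runtime and the command line will not start. Removing DOCKER_REGISTRY_SERVER_USERNAME/PASSWORD from app_settings is the right direction, since it took a registry password out of plain app settings. A one-line comment above site_config saying how the code now reaches the app would help the next reader, e.g. `# Code is deployed to the app directly; the runtime stack must match the gunicorn command below`.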
@@ -99,26 +91,23 @@ resource "azurerm_private_endpoint" "management_api_private_endpoint" { } } - resource "azurerm_private_dns_zone" "azurewebsites" { name = "privatelink.azurewebsites.net" - resource_group_name = azurerm_resource_group.core.name - + resource_group_name = var.resource_group_name } resource "azurerm_private_dns_zone_virtual_network_link" "azurewebsites" { - resource_group_name = azurerm_resource_group.core.name - virtual_network_id = azurerm_virtual_network.core.id + resource_group_name = var.resource_group_name + virtual_network_id = var.core_vnet private_dns_zone_name = azurerm_private_dns_zone.azurewebsites.name name = "azurewebsites-link" registration_enabled = false - - } + resource "azurerm_monitor_diagnostic_setting" "webapp_management_api" { - name = "diagnostics-webapp-shared-api" + name = "diag-${var.resource_name_prefix}-${var.environment}-${var.tre_id}" target_resource_id = azurerm_app_service.management_api.id - log_analytics_workspace_id = azurerm_log_analytics_workspace.tre.id + log_analytics_workspace_id = var.log_analytics_workspace_id log { category = "AppServiceHTTPLogs" diff --git a/templates/core/terraform/api-webapp/variables.tf b/templates/core/terraform/api-webapp/variables.tf new file mode 100644 index 0000000000..1f26d6ae7b --- /dev/null +++ b/templates/core/terraform/api-webapp/variables.tf @@ -0,0 +1,9 @@ +variable "resource_name_prefix" {} +variable "environment" {} +variable "tre_id" {} +variable "location" {} +variable "resource_group_name" {} +variable "web_app_subnet" {} +variable "core_vnet" {} +variable "shared_subnet" {} +variable "log_analytics_workspace_id" {} \ No newline at end of file diff --git a/templates/core/terraform/locals.tf b/templates/core/terraform/locals.tf new file mode 100644 index 0000000000..4b1052c3cd --- /dev/null +++ b/templates/core/terraform/locals.tf 
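Review bot: The `privatelink.azurewebsites.net` zone and its VNet link are created here, but in the part of `azurerm_private_endpoint.management_api_private_endpoint` visible in this patch there is no `private_dns_zone_group` tying the endpoint to that zone, so the zone would stay empty and clients inside the VNet would still resolve the site's public address (the endpoint body is partly outside the shown hunks, so confirm). The keyvault and acr modules added later in this series do include `private_dns_zone_group { name = "private-dns-zone-group"  private_dns_zone_ids = [...] }`; the webapp endpoint should match.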
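Review bot: Every variable in the new api-webapp/variables.tf is declared as `variable "x" {}` with no `type` and no `description`, unlike the root variables.tf added in the same commit, which types and documents each one. Untyped inputs accept any value (a list where a subnet id string is expected only fails at apply time), and the descriptions are what reviewers and terraform-docs rely on to know which subnet each id refers to. The same pattern repeats in network/variables.tf, keyvault/variables.tf, firewall/variables.tf, acr/variables.tf and appgateway/variables.tf in the later patches. Suggest e.g. `variable "shared_subnet" { type = string  description = "ID of the subnet that hosts the core private endpoints" }` for each.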
@@ -0,0 +1,13 @@
+data "azurerm_subscription" "current" {}
+
+data "azurerm_client_config" "current" {}
+
+# Random unique id
+resource "random_string" "unique_id" {
+ length = 4
+ min_numeric = 4
+}
+
+locals {
+ tre_id = random_string.unique_id.result
+}
diff --git a/templates/core/terraform/main.tf b/templates/core/terraform/main.tf
new file mode 100644
index 0000000000..da984af3f2
--- /dev/null
+++ b/templates/core/terraform/main.tf
@@ -0,0 +1,49 @@
+# Azure Provider source and version being used
+terraform {
+ required_providers {
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = "=2.46.0"
+ }
+ }
+}
+
+provider "azurerm" {
+ features {}
+}
+
+resource "azurerm_resource_group" "core" {
+ location = var.location
+ name = "rg-${var.resource_name_prefix}-${var.environment}-${local.tre_id}"
+}
+
+resource "azurerm_log_analytics_workspace" "tre" {
+ name = "log-${var.resource_name_prefix}-${var.environment}-${local.tre_id}"
+ resource_group_name = azurerm_resource_group.core.name
+ location = var.location
+ retention_in_days = 30
+ sku = "pergb2018"
+}
+
+module "network" {
+ source = "./network"
+ resource_name_prefix = var.resource_name_prefix
+ environment = var.environment
+ tre_id = local.tre_id
+ location = var.location
+ resource_group_name = azurerm_resource_group.core.name
+ address_space = var.address_space
+}
+
+module "api-webapp" {
+ source = "./api-webapp"
+ resource_name_prefix = var.resource_name_prefix
+ environment = var.environment
+ tre_id = local.tre_id
+ location = var.location
+ resource_group_name = azurerm_resource_group.core.name
+ web_app_subnet = module.network.web_app
+ shared_subnet = module.network.shared
+ core_vnet = module.network.core
+ log_analytics_workspace_id = azurerm_log_analytics_workspace.tre.id
+}
diff --git a/templates/core/terraform/network/locals.tf b/templates/core/terraform/network/locals.tf
new file mode 100644
index 0000000000..aad3625baf
--- /dev/null
+++ b/templates/core/terraform/network/locals.tf
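Review bot: `random_string.unique_id` with `length = 4` and `min_numeric = 4` yields a four-digit number (10,000 possible values), and `local.tre_id` is appended to names that must be globally unique (the `api-...` App Service here, the `acr...` registry and `kv-...` vault added later in this series), so collisions with other deployments are plausible. The value is also regenerated if the random provider's state is lost, which would rename every resource in the deployment. Consider `random_id` with a few bytes of entropy, or accepting a caller-supplied `tre_id` variable, and document the intent: `# Short suffix that makes globally-named resources (ACR, Key Vault, App Service) unique; must stay stable for the lifetime of the deployment`.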
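Review bot: `required_providers` in the new main.tf pins only `hashicorp/azurerm`, but locals.tf in the same commit uses `random_string`, so the random provider is pulled in implicitly and unpinned; the lockfile added in this commit lists `hashicorp/random` with a version but no `constraints` entry, confirming no constraint is declared. Add `random = { source = "hashicorp/random", version = "=3.1.0" }` next to the azurerm entry so provider upgrades are deliberate. The "Azure Provider source and version being used" header comment would then also need to mention both providers.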
@@ -0,0 +1,8 @@ +locals { + core_services_vnet_subnets = cidrsubnets(var.address_space, 2, 4, 4, 2, 2) + firewall_subnet_address_space = local.core_services_vnet_subnets[0] + app_gw_subnet_address_prefix = local.core_services_vnet_subnets[1] + bastion_subnet_address_prefix = local.core_services_vnet_subnets[2] + web_app_subnet_address_prefix = local.core_services_vnet_subnets[3] + shared_services_subnet_address_prefix = local.core_services_vnet_subnets[4] +} diff --git a/templates/base/shared/terraform/network.tf b/templates/core/terraform/network/network.tf similarity index 56% rename from templates/base/shared/terraform/network.tf rename to templates/core/terraform/network/network.tf index 561104ed9a..371893877a 100644 --- a/templates/base/shared/terraform/network.tf +++ b/templates/core/terraform/network/network.tf 
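Review bot: `firewall_subnet_address_space` is the only entry in network/locals.tf not named `*_address_prefix`, although it holds the same kind of value (one element of the `cidrsubnets` result) as its four siblings; renaming it `firewall_subnet_address_prefix` and updating the single reference in network.tf would make the block uniform. A header comment stating the carve-up would also help, e.g. `# Splits address_space into firewall (/18), app gateway (/20), bastion (/20), web app (/18) and shared (/18) subnets when a /16 is supplied`.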
@@ -1,44 +1,43 @@ resource "azurerm_virtual_network" "core" { - name = "vnet-core" - location = azurerm_resource_group.core.location - resource_group_name = azurerm_resource_group.core.name - address_space = [var.shared_services_vnet_address_space] + name = "vnet-${var.resource_name_prefix}-${var.environment}-${var.tre_id}" + location = var.location + resource_group_name = var.resource_group_name + address_space = [var.address_space] } resource "azurerm_subnet" "bastion" { name = "AzureBastionSubnet" virtual_network_name = azurerm_virtual_network.core.name - resource_group_name = azurerm_resource_group.core.name + resource_group_name = var.resource_group_name address_prefixes = [local.bastion_subnet_address_prefix] - } resource "azurerm_subnet" "azure_firewall" { name = "AzureFirewallSubnet" virtual_network_name = azurerm_virtual_network.core.name - resource_group_name = azurerm_resource_group.core.name + resource_group_name = var.resource_group_name address_prefixes = [local.firewall_subnet_address_space] } resource "azurerm_subnet" "app_gw" { - name = "appGwSubnet" + name = "AppGwSubnet" virtual_network_name = azurerm_virtual_network.core.name - resource_group_name = azurerm_resource_group.core.name + resource_group_name = var.resource_group_name address_prefixes = [local.app_gw_subnet_address_prefix] } -resource "azurerm_subnet" "private_endpoints" { - name = "privateEndpointSubnet" +resource "azurerm_subnet" "web_app" { + name = "WebAppSubnet" virtual_network_name = azurerm_virtual_network.core.name - resource_group_name = azurerm_resource_group.core.name + resource_group_name = var.resource_group_name address_prefixes = [local.web_app_subnet_address_prefix] enforce_private_link_endpoint_network_policies = true } -resource "azurerm_subnet" "shared_services" { - name = "sharedServicesSubnet" +resource "azurerm_subnet" "shared" { + name = "SharedSubnet" virtual_network_name = azurerm_virtual_network.core.name - resource_group_name = 
azurerm_resource_group.core.name + resource_group_name = var.resource_group_name address_prefixes = [local.shared_services_subnet_address_prefix] enforce_private_link_endpoint_network_policies = true } \ No newline at end of file diff --git a/templates/core/terraform/network/output.tf b/templates/core/terraform/network/output.tf new file mode 100644 index 0000000000..12452098bf --- /dev/null +++ b/templates/core/terraform/network/output.tf @@ -0,0 +1,23 @@ +output "core" { + value = azurerm_virtual_network.core.id +} + +output "bastion" { + value = azurerm_subnet.bastion.id +} + +output "azure_firewall" { + value = azurerm_subnet.azure_firewall.id +} + +output "app_gw" { + value = azurerm_subnet.app_gw.id +} + +output "web_app" { + value = azurerm_subnet.web_app.id +} + +output "shared" { + value = azurerm_subnet.shared.id +} diff --git a/templates/core/terraform/network/variables.tf b/templates/core/terraform/network/variables.tf new file mode 100644 index 0000000000..f9f740ae48 --- /dev/null +++ b/templates/core/terraform/network/variables.tf @@ -0,0 +1,6 @@ +variable "resource_name_prefix" {} +variable "environment" {} +variable "tre_id" {} +variable "location" {} +variable "resource_group_name" {} +variable "address_space" {} diff --git a/templates/core/terraform/outputs.tf b/templates/core/terraform/outputs.tf new file mode 100644 index 0000000000..06dc04c663 --- /dev/null +++ b/templates/core/terraform/outputs.tf @@ -0,0 +1,7 @@ +output "core_resource_group_name" { + value = azurerm_resource_group.core.name +} + +output "log_analytics_name" { + value = azurerm_log_analytics_workspace.tre.name +} diff --git a/templates/core/terraform/variables.tf b/templates/core/terraform/variables.tf new file mode 100644 index 0000000000..fca2e06a97 --- /dev/null +++ b/templates/core/terraform/variables.tf 
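Review bot: None of the five subnets in the renamed network.tf gets a network security group association, and the module defines no `azurerm_network_security_group`, so traffic between the bastion, app gateway, web app and shared (private endpoint) subnets is unrestricted at the subnet level. AzureBastionSubnet and the application gateway subnet have documented required rule sets, and an NSG on the shared subnet is what limits which sources can reach the private endpoints placed there. If NSGs are intended to live in another module, a comment on `resource "azurerm_virtual_network" "core"` pointing there would avoid the question on every review.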
@@ -0,0 +1,26 @@ +variable "resource_name_prefix" { + type = string + description = "Resource name prefix" +} + +variable "environment" { + type = string + description = "The stage of the development lifecycle for the workload that the resource supports. Examples: prod, dev, qa, stage, test" +} + +variable "tag" {} + +variable "location" { + type = string + description = "Azure region for deployment of core TRE services" +} + +variable "tre_dns_suffix" { + type = string + description = "DNS suffix for the environment. E.g. .dre.myorg.com or .drelocal - must have >= 2 labels such as x.drelocal" +} + +variable "address_space" { + type = string + description = "Core services VNET Address Space" +} From 5a1cbff90cb28f546e1b0c9b014657b59109b110 Mon Sep 17 00:00:00 2001 From: Denis Cepun Date: Fri, 7 May 2021 12:30:43 +0300 Subject: [PATCH 03/11] add tfvars.tmpl --- templates/core/terraform/terraform.tfvars.tmpl | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 templates/core/terraform/terraform.tfvars.tmpl diff --git a/templates/core/terraform/terraform.tfvars.tmpl b/templates/core/terraform/terraform.tfvars.tmpl new file mode 100644 index 0000000000..c2f31ddd46 --- /dev/null +++ b/templates/core/terraform/terraform.tfvars.tmpl @@ -0,0 +1,6 @@ +resource_name_prefix = "tre" +environment = "dev" +tag = "Azure Trusted Research Environment" +location = "westeurope" +address_space = "10.1.0.0/16" +tre_dns_suffix = "internal.drelocal" \ No newline at end of file From 7ff319570397fee6fd74376095e13a9733479acd Mon Sep 17 00:00:00 2001 From: Denis Cepun Date: Fri, 7 May 2021 12:45:27 +0300 Subject: [PATCH 04/11] web integrated into VNET --- templates/core/terraform/api-webapp/api-webapp.tf | 5 +++++ templates/core/terraform/network/network.tf | 10 ++++++++++ 2 files changed, 15 insertions(+) diff --git a/templates/core/terraform/api-webapp/api-webapp.tf b/templates/core/terraform/api-webapp/api-webapp.tf index 86dc60d49b..4c0f4b4188 100644 
--- a/templates/core/terraform/api-webapp/api-webapp.tf +++ b/templates/core/terraform/api-webapp/api-webapp.tf @@ -104,6 +104,11 @@ resource "azurerm_private_dns_zone_virtual_network_link" "azurewebsites" { registration_enabled = false } +resource "azurerm_app_service_virtual_network_swift_connection" "api-integrated-vnet" { + app_service_id = azurerm_app_service.management_api.id + subnet_id = var.web_app_subnet +} + resource "azurerm_monitor_diagnostic_setting" "webapp_management_api" { name = "diag-${var.resource_name_prefix}-${var.environment}-${var.tre_id}" target_resource_id = azurerm_app_service.management_api.id diff --git a/templates/core/terraform/network/network.tf b/templates/core/terraform/network/network.tf index 371893877a..1e873efa38 100644 --- a/templates/core/terraform/network/network.tf +++ b/templates/core/terraform/network/network.tf @@ -32,6 +32,16 @@ resource "azurerm_subnet" "web_app" { resource_group_name = var.resource_group_name address_prefixes = [local.web_app_subnet_address_prefix] enforce_private_link_endpoint_network_policies = true + enforce_private_link_service_network_policies = true + + delegation { + name = "delegation" + + service_delegation { + name = "Microsoft.Web/serverFarms" + actions = ["Microsoft.Network/virtualNetworks/subnets/action"] + } + } } resource "azurerm_subnet" "shared" { From 8b3f2d41076ef7d75062b93da846c5ed0f06fe87 Mon Sep 17 00:00:00 2001 From: Denis Cepun Date: Fri, 7 May 2021 13:05:35 +0300 Subject: [PATCH 05/11] adds keyvault w/ PE --- .../core/terraform/api-webapp/api-webapp.tf | 2 +- templates/core/terraform/keyvault/keyvault.tf | 39 +++++++++++++++++++ .../core/terraform/keyvault/variables.tf | 8 ++++ templates/core/terraform/main.tf | 12 ++++++ 4 files changed, 60 insertions(+), 1 deletion(-) create mode 100644 templates/core/terraform/keyvault/keyvault.tf create mode 100644 templates/core/terraform/keyvault/variables.tf 
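Review bot: The `web_app` subnet is now delegated to `Microsoft.Web/serverFarms` for the swift connection added in the first hunk, yet it keeps `enforce_private_link_endpoint_network_policies = true` and gains `enforce_private_link_service_network_policies = true`, flags that only matter for a subnet hosting private endpoints or private link services; as far as I recall a delegated subnet could not host private endpoints at the time, and the API's endpoint uses `var.shared_subnet` anyway. Dropping both flags, or a comment explaining why they stay, would make the subnet's single purpose explicit: `# Dedicated to App Service regional VNet integration; do not place other resources here`.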
diff --git a/templates/core/terraform/api-webapp/api-webapp.tf b/templates/core/terraform/api-webapp/api-webapp.tf index 4c0f4b4188..50aeb3f069 100644 --- a/templates/core/terraform/api-webapp/api-webapp.tf +++ b/templates/core/terraform/api-webapp/api-webapp.tf @@ -81,7 +81,7 @@ resource "azurerm_private_endpoint" "management_api_private_endpoint" { subnet_id = var.shared_subnet private_service_connection { private_connection_resource_id = azurerm_app_service.management_api.id - name = "pe-webapp-management-api" + name = "psc-api-${var.resource_name_prefix}-${var.environment}-${var.tre_id}" subresource_names = ["sites"] is_manual_connection = false } diff --git a/templates/core/terraform/keyvault/keyvault.tf b/templates/core/terraform/keyvault/keyvault.tf new file mode 100644 index 0000000000..c85b5fdaf9 --- /dev/null +++ b/templates/core/terraform/keyvault/keyvault.tf 
@@ -0,0 +1,39 @@
+resource "azurerm_key_vault" "kv" {
+ name = "kv-${var.resource_name_prefix}-${var.environment}-${var.tre_id}"
+ location = var.location
+ resource_group_name = var.resource_group_name
+ sku_name = "standard"
+ purge_protection_enabled = true
+ tenant_id = var.tenant_id
+}
+
+resource "azurerm_private_dns_zone" "vaultcore" {
+ name = "privatelink.vaultcore.azure.net"
+ resource_group_name = var.resource_group_name
+}
+
+resource "azurerm_private_dns_zone_virtual_network_link" "vaultcorelink" {
+ name = "vaultcorelink"
+ resource_group_name = var.resource_group_name
+ private_dns_zone_name = azurerm_private_dns_zone.vaultcore.name
+ virtual_network_id = var.core_vnet
+}
+
+resource "azurerm_private_endpoint" "kvpe" {
+ name = "pe-kv-${var.resource_name_prefix}-${var.environment}-${var.tre_id}"
+ location = var.location
+ resource_group_name = var.resource_group_name
+ subnet_id = var.shared_subnet
+
+ private_dns_zone_group {
+ name = "private-dns-zone-group"
+ private_dns_zone_ids = [azurerm_private_dns_zone.vaultcore.id]
+ }
+
+ private_service_connection {
+ name = "psc-kv-${var.resource_name_prefix}-${var.environment}-${var.tre_id}"
+ private_connection_resource_id = azurerm_key_vault.kv.id
+ is_manual_connection = false
+ subresource_names = ["Vault"]
+ }
+}
\ No newline at end of file
diff --git a/templates/core/terraform/keyvault/variables.tf b/templates/core/terraform/keyvault/variables.tf
new file mode 100644
index 0000000000..295fd96bdd
--- /dev/null
+++ b/templates/core/terraform/keyvault/variables.tf
@@ -0,0 +1,8 @@
+variable "resource_name_prefix" {}
+variable "environment" {}
+variable "tre_id" {}
+variable "location" {}
+variable "resource_group_name" {}
+variable "core_vnet" {}
+variable "shared_subnet" {}
+variable "tenant_id" {}
\ No newline at end of file
diff --git a/templates/core/terraform/main.tf b/templates/core/terraform/main.tf
index da984af3f2..821a9ea8c3 100644
--- a/templates/core/terraform/main.tf
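Review bot: `azurerm_key_vault.kv` gets a private endpoint but no `network_acls` block, so the vault's public endpoint stays reachable from any network and the private link only adds a second path instead of closing the first. Add `network_acls { default_action = "Deny"  bypass = "AzureServices" }` (plus `ip_rules` for whatever runs the deployment) so that `default_action` is the control. Nothing here grants the API's user-assigned identity any access to the vault, which may be planned for a later patch, and `soft_delete_retention_days` is left at the provider default next to `purge_protection_enabled = true`; a comment is worth adding there since purge protection cannot be switched off once enabled.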
+++ b/templates/core/terraform/main.tf @@ -47,3 +47,15 @@ module "api-webapp" { core_vnet = module.network.core log_analytics_workspace_id = azurerm_log_analytics_workspace.tre.id } + +module "keyvault" { + source = "./keyvault" + resource_name_prefix = var.resource_name_prefix + environment = var.environment + tre_id = local.tre_id + location = var.location + resource_group_name = azurerm_resource_group.core.name + shared_subnet = module.network.shared + core_vnet = module.network.core + tenant_id = data.azurerm_client_config.current.tenant_id +} From ebaddd29856fd7cc3f01a856100478d5925ef8b5 Mon Sep 17 00:00:00 2001 From: Denis Cepun Date: Fri, 7 May 2021 13:28:07 +0300 Subject: [PATCH 06/11] adds firewall --- templates/core/terraform/firewall/firewall.tf | 38 +++++++++++++++++++ .../core/terraform/firewall/variables.tf | 7 ++++ templates/core/terraform/main.tf | 11 ++++++ 3 files changed, 56 insertions(+) create mode 100644 templates/core/terraform/firewall/firewall.tf create mode 100644 templates/core/terraform/firewall/variables.tf diff --git a/templates/core/terraform/firewall/firewall.tf b/templates/core/terraform/firewall/firewall.tf new file mode 100644 index 0000000000..1863b6efe7 --- /dev/null +++ b/templates/core/terraform/firewall/firewall.tf 
@@ -0,0 +1,38 @@
+resource "azurerm_public_ip" "fwpip" {
+ name = "pip-fw-${var.resource_name_prefix}-${var.environment}-${var.tre_id}"
+ resource_group_name = var.resource_group_name
+ location = var.location
+ allocation_method = "Static"
+ sku = "Standard"
+}
+
+resource "azurerm_firewall" "fw" {
+ depends_on = [azurerm_public_ip.fwpip]
+ name = "fw-${var.resource_name_prefix}-${var.environment}-${var.tre_id}"
+ resource_group_name = var.resource_group_name
+ location = var.location
+ ip_configuration {
+ name = "fw-ip-configuration"
+ subnet_id = var.firewall_subnet
+ public_ip_address_id = azurerm_public_ip.fwpip.id
+ }
+}
+
+resource "azurerm_route_table" "rt" {
+ name = "rt-${var.resource_name_prefix}-${var.environment}-${var.tre_id}"
+ resource_group_name = var.resource_group_name
+ location = var.location
+ disable_bgp_route_propagation = false
+
+ route {
+ name = "DefaultRoute"
+ address_prefix = "0.0.0.0/0"
+ next_hop_type = "VirtualAppliance"
+ next_hop_in_ip_address = azurerm_firewall.fw.ip_configuration.0.private_ip_address
+ }
+}
+
+resource "azurerm_subnet_route_table_association" "rt_shared_subnet_association" {
+ subnet_id = var.shared_subnet
+ route_table_id = azurerm_route_table.rt.id
+}
diff --git a/templates/core/terraform/firewall/variables.tf b/templates/core/terraform/firewall/variables.tf
new file mode 100644
index 0000000000..16b1530a68
--- /dev/null
+++ b/templates/core/terraform/firewall/variables.tf
@@ -0,0 +1,7 @@
+variable "resource_name_prefix" {}
+variable "environment" {}
+variable "tre_id" {}
+variable "location" {}
+variable "resource_group_name" {}
+variable "firewall_subnet" {}
+variable "shared_subnet" {}
\ No newline at end of file
diff --git a/templates/core/terraform/main.tf b/templates/core/terraform/main.tf
index 821a9ea8c3..26c2f978f4 100644
--- a/templates/core/terraform/main.tf
+++ b/templates/core/terraform/main.tf
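Review bot: The `DefaultRoute` to the firewall is associated only with `var.shared_subnet`, while the App Service VNet integration added in PATCH 04 egresses from the `web_app` subnet, so the API's outbound traffic never traverses the firewall; and because this module defines no network or application rule collections, whatever does reach `azurerm_firewall.fw` is denied by default. Either add an `azurerm_subnet_route_table_association` for the web app subnet (and configure the App Service to route all traffic into the VNet) or document that only the shared subnet is forced-tunnelled. `disable_bgp_route_propagation = false` additionally lets gateway-learned routes bypass the firewall on that subnet, which forced-tunnel route tables normally prevent by setting it to `true`. Finally there is no `azurerm_monitor_diagnostic_setting` for the firewall even though the Log Analytics workspace exists and the webapp module already ships its logs there; firewall logs are the main detection source in this design, so `log_analytics_workspace_id` should be passed into this module too.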
@@ -59,3 +59,14 @@ module "keyvault" { core_vnet = module.network.core tenant_id = data.azurerm_client_config.current.tenant_id } + +module "firewall" { + source = "./firewall" + resource_name_prefix = var.resource_name_prefix + environment = var.environment + tre_id = local.tre_id + location = var.location + resource_group_name = azurerm_resource_group.core.name + firewall_subnet = module.network.azure_firewall + shared_subnet = module.network.shared +} From 87d225484b51c155258839a7f14653de63d79d23 Mon Sep 17 00:00:00 2001 From: Denis Cepun Date: Fri, 7 May 2021 13:42:33 +0300 Subject: [PATCH 07/11] adds acr --- templates/core/terraform/acr/acr.tf | 38 +++++++++++++++++++ templates/core/terraform/acr/variables.tf | 7 ++++ templates/core/terraform/main.tf | 19 +++++++++- .../core/terraform/terraform.tfvars.tmpl | 1 - templates/core/terraform/variables.tf | 2 - 5 files changed, 62 insertions(+), 5 deletions(-) create mode 100644 templates/core/terraform/acr/acr.tf create mode 100644 templates/core/terraform/acr/variables.tf diff --git a/templates/core/terraform/acr/acr.tf b/templates/core/terraform/acr/acr.tf new file mode 100644 index 0000000000..26e1c674bf --- /dev/null +++ b/templates/core/terraform/acr/acr.tf 
@@ -0,0 +1,38 @@
+resource "azurerm_container_registry" "acr" {
+ name = "acr${var.resource_name_prefix}${var.environment}${var.tre_id}"
+ resource_group_name = var.resource_group_name
+ location = var.location
+ sku = "Premium"
+ admin_enabled = false
+}
+
+resource "azurerm_private_dns_zone" "azurecr" {
+ name = "privatelink.azurecr.io"
+ resource_group_name = var.resource_group_name
+}
+
+resource "azurerm_private_dns_zone_virtual_network_link" "acrlink" {
+ name = "acr-link"
+ resource_group_name = var.resource_group_name
+ private_dns_zone_name = azurerm_private_dns_zone.azurecr.name
+ virtual_network_id = var.core_vnet
+}
+
+resource "azurerm_private_endpoint" "acrpe" {
+ name = "pe-acr-${var.resource_name_prefix}-${var.environment}-${var.tre_id}"
+ location = var.location
+ resource_group_name = var.resource_group_name
+ subnet_id = var.shared_subnet
+
+ private_dns_zone_group {
+ name = "private-dns-zone-group"
+ private_dns_zone_ids = [azurerm_private_dns_zone.azurecr.id]
+ }
+
+ private_service_connection {
+ name = "psc-acr-${var.resource_name_prefix}-${var.environment}-${var.tre_id}"
+ private_connection_resource_id = azurerm_container_registry.acr.id
+ is_manual_connection = false
+ subresource_names = ["registry"]
+ }
+}
diff --git a/templates/core/terraform/acr/variables.tf b/templates/core/terraform/acr/variables.tf
new file mode 100644
index 0000000000..5b8ed9dc12
--- /dev/null
+++ b/templates/core/terraform/acr/variables.tf
@@ -0,0 +1,7 @@
+variable "resource_name_prefix" {}
+variable "environment" {}
+variable "tre_id" {}
+variable "location" {}
+variable "resource_group_name" {}
+variable "core_vnet" {}
+variable "shared_subnet" {}
diff --git a/templates/core/terraform/main.tf b/templates/core/terraform/main.tf
index 26c2f978f4..16c6827a56 100644
--- a/templates/core/terraform/main.tf
+++ b/templates/core/terraform/main.tf
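Review bot: `azurerm_container_registry.acr` is reached through a private endpoint but its public endpoint is left enabled, so the private link narrows nothing until `public_network_access_enabled = false` is set (supported on the Premium SKU chosen here; verify the attribute is available in the pinned azurerm 2.46.0). `admin_enabled = false` is the right choice; pulls from the App Service should then use its managed identity with an AcrPull role assignment, which does not appear anywhere in this series yet. As with the firewall module, no diagnostic setting forwards registry events to the existing Log Analytics workspace.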
@@ -13,8 +13,12 @@ provider "azurerm" { } resource "azurerm_resource_group" "core" { - location = var.location - name = "rg-${var.resource_name_prefix}-${var.environment}-${local.tre_id}" + location = var.location + name = "rg-${var.resource_name_prefix}-${var.environment}-${local.tre_id}" + tags = { + environment = "Azure Trusted Research Environment" + Source = "https://github.com/microsoft/AzureTRE/" + } } resource "azurerm_log_analytics_workspace" "tre" { @@ -70,3 +74,14 @@ module "firewall" { firewall_subnet = module.network.azure_firewall shared_subnet = module.network.shared } + +module "acr" { + source = "./acr" + resource_name_prefix = var.resource_name_prefix + environment = var.environment + tre_id = local.tre_id + location = var.location + resource_group_name = azurerm_resource_group.core.name + core_vnet = module.network.core + shared_subnet = module.network.shared +} diff --git a/templates/core/terraform/terraform.tfvars.tmpl b/templates/core/terraform/terraform.tfvars.tmpl index c2f31ddd46..e2902cff4b 100644 --- a/templates/core/terraform/terraform.tfvars.tmpl +++ b/templates/core/terraform/terraform.tfvars.tmpl @@ -1,6 +1,5 @@ resource_name_prefix = "tre" environment = "dev" -tag = "Azure Trusted Research Environment" location = "westeurope" address_space = "10.1.0.0/16" tre_dns_suffix = "internal.drelocal" \ No newline at end of file diff --git a/templates/core/terraform/variables.tf b/templates/core/terraform/variables.tf index fca2e06a97..2fd675188d 100644 --- a/templates/core/terraform/variables.tf +++ b/templates/core/terraform/variables.tf @@ -8,8 +8,6 @@ variable "environment" { description = "The stage of the development lifecycle for the workload that the resource supports. Examples: prod, dev, qa, stage, test" } -variable "tag" {} - variable "location" { type = string description = "Azure region for deployment of core TRE services" From 1ad9ac75389c07b30290ee3dca03b512eae85b5b Mon Sep 17 00:00:00 2001 
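Review bot: The `environment` tag on `azurerm_resource_group.core` is set to the literal "Azure Trusted Research Environment" while `var.environment` in the same file is the lifecycle stage ("dev" in terraform.tfvars.tmpl), so the tag's name and its value disagree, and the two keys mix case (`environment`, `Source`). Suggest `environment = var.environment` with a separate key such as `project = "Azure Trusted Research Environment"`, and consider passing the same `tags` map into the child modules, since Azure does not inherit tags from the resource group to its resources.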
From: Denis Cepun Date: Fri, 7 May 2021 15:36:41 +0300 Subject: [PATCH 08/11] adds appgateway --- .../core/terraform/api-webapp/api-webapp.tf | 2 +- .../core/terraform/api-webapp/variables.tf | 1 + .../core/terraform/appgateway/appgateway.tf | 61 ++++ templates/core/terraform/appgateway/locals.tf | 9 + .../core/terraform/appgateway/variables.tf | 6 + templates/core/terraform/main.tf | 11 + .../workspaces/empty/terraform/locals.tf | 16 - templates/workspaces/empty/terraform/main.tf | 64 ---- .../workspaces/empty/terraform/network.tf | 300 ------------------ .../workspaces/empty/terraform/outputs.tf | 12 - .../empty/terraform/provider_azurerm.tf | 3 - .../workspaces/empty/terraform/variables.tf | 74 ----- 12 files changed, 89 insertions(+), 470 deletions(-) create mode 100644 templates/core/terraform/appgateway/appgateway.tf create mode 100644 templates/core/terraform/appgateway/locals.tf create mode 100644 templates/core/terraform/appgateway/variables.tf delete mode 100644 templates/workspaces/empty/terraform/locals.tf delete mode 100644 templates/workspaces/empty/terraform/main.tf delete mode 100644 templates/workspaces/empty/terraform/network.tf delete mode 100644 templates/workspaces/empty/terraform/outputs.tf delete mode 100644 templates/workspaces/empty/terraform/provider_azurerm.tf delete mode 100644 templates/workspaces/empty/terraform/variables.tf diff --git a/templates/core/terraform/api-webapp/api-webapp.tf b/templates/core/terraform/api-webapp/api-webapp.tf index 50aeb3f069..11d07892ab 100644 --- a/templates/core/terraform/api-webapp/api-webapp.tf +++ b/templates/core/terraform/api-webapp/api-webapp.tf @@ -212,4 +212,4 @@ resource "azurerm_monitor_diagnostic_setting" "webapp_management_api" { enabled = false } } -} \ No newline at end of file +} diff --git a/templates/core/terraform/api-webapp/variables.tf b/templates/core/terraform/api-webapp/variables.tf index 1f26d6ae7b..40b942b06c 100644 --- a/templates/core/terraform/api-webapp/variables.tf 
+++ b/templates/core/terraform/api-webapp/variables.tf @@ -6,4 +6,5 @@ variable "resource_group_name" {} variable "web_app_subnet" {} variable "core_vnet" {} variable "shared_subnet" {} +variable "app_gw_subnet" {} variable "log_analytics_workspace_id" {} \ No newline at end of file diff --git a/templates/core/terraform/appgateway/appgateway.tf b/templates/core/terraform/appgateway/appgateway.tf new file mode 100644 index 0000000000..136917231b --- /dev/null +++ b/templates/core/terraform/appgateway/appgateway.tf 
@@ -0,0 +1,61 @@
+resource "azurerm_public_ip" "appgwpip" {
+ name = "pip-agw-${var.resource_name_prefix}-${var.environment}-${var.tre_id}"
+ resource_group_name = var.resource_group_name
+ location = var.location
+ allocation_method = "Static"
+ sku = "Standard"
+}
+
+resource "azurerm_application_gateway" "agw" {
+ name = "agw-${var.resource_name_prefix}-${var.environment}-${var.tre_id}"
+ resource_group_name = var.resource_group_name
+ location = var.location
+
+ sku {
+ name = "Standard_Small"
+ tier = "Standard_v2"
+ capacity = 2
+ }
+
+ gateway_ip_configuration {
+ name = "gateway-ip-configuration"
+ subnet_id = var.app_gw_subnet
+ }
+
+ frontend_port {
+ name = local.frontend_port_name
+ port = 80
+ }
+
+ frontend_ip_configuration {
+ name = local.frontend_ip_configuration_name
+ public_ip_address_id = azurerm_public_ip.appgwpip.id
+ }
+
+ backend_address_pool {
+ name = local.backend_address_pool_name
+ }
+
+ backend_http_settings {
+ name = local.http_setting_name
+ cookie_based_affinity = "Disabled"
+ port = 80
+ protocol = "Http"
+ request_timeout = 60
+ }
+
+ http_listener {
+ name = local.listener_name
+ frontend_ip_configuration_name = local.frontend_ip_configuration_name
+ frontend_port_name = local.frontend_port_name
+ protocol = "Http"
+ }
+
+ request_routing_rule {
+ name = local.request_routing_rule_name
+ rule_type = "Basic"
+ http_listener_name = local.listener_name
+ backend_address_pool_name = local.backend_address_pool_name
+ backend_http_settings_name = local.http_setting_name
+ }
+}
\ No newline at end of file
diff --git a/templates/core/terraform/appgateway/locals.tf b/templates/core/terraform/appgateway/locals.tf
new file mode 100644
index 0000000000..ea23b0c0cc
--- /dev/null
+++ b/templates/core/terraform/appgateway/locals.tf
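Review bot: The internet-facing gateway is cleartext end to end — `frontend_port` is 80, the `http_listener` uses `protocol = "Http"`, and `backend_http_settings` also talks `Http` on port 80 — so the public entry point to the management API carries no TLS, and the backend leg will collide with the app service's `https_only = true` (visible in patch 11), which presumably answers plain-HTTP requests with a redirect rather than serving them. Terminate TLS on the gateway with a 443 listener backed by an `ssl_certificate` (a Key Vault secret reachable through a gateway identity is the usual source; the exact wiring is not in this series), switch the backend settings to `Https`/443, and turn port 80 into an HTTP-to-HTTPS redirect using the `local.redirect_configuration_name` that locals.tf already declares but nothing references. For a public-facing gateway `WAF_v2` with a `waf_configuration` block is also worth considering instead of `Standard_v2`. The `backend_address_pool` is empty here, so the API FQDN must be attached elsewhere — worth confirming it is. The `Standard_Small`/`Standard_v2` SKU mismatch is already corrected in patch 09.

```terraform
resource "azurerm_application_gateway" "agw" {
  # … unchanged: name, resource_group_name, location, gateway_ip_configuration, frontend_ip_configuration, backend_address_pool …

  sku {
    name     = "WAF_v2"
    tier     = "WAF_v2"
    capacity = 2
  }

  frontend_port {
    name = local.frontend_port_name
    port = 443
  }

  ssl_certificate {
    name                = "${local.listener_name}-cert"
    key_vault_secret_id = var.ssl_certificate_secret_id # new input; gateway identity needs 'get' on the secret
  }

  backend_http_settings {
    name                                = local.http_setting_name
    cookie_based_affinity               = "Disabled"
    port                                = 443
    protocol                            = "Https"
    request_timeout                     = 60
    pick_host_name_from_backend_address = true # needed when the pool holds the App Service FQDN — confirm
  }

  http_listener {
    name                           = local.listener_name
    frontend_ip_configuration_name = local.frontend_ip_configuration_name
    frontend_port_name             = local.frontend_port_name
    protocol                       = "Https"
    ssl_certificate_name           = "${local.listener_name}-cert"
  }

  waf_configuration {
    enabled          = true
    firewall_mode    = "Prevention"
    rule_set_type    = "OWASP"
    rule_set_version = "3.1"
  }

  # … unchanged: request_routing_rule …
}
```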
@@ -0,0 +1,9 @@ +locals { + backend_address_pool_name = "beap-${var.resource_name_prefix}-${var.environment}-${var.tre_id}" + frontend_port_name = "feport-${var.resource_name_prefix}-${var.environment}-${var.tre_id}" + frontend_ip_configuration_name = "feip-${var.resource_name_prefix}-${var.environment}-${var.tre_id}" + http_setting_name = "be-htst-${var.resource_name_prefix}-${var.environment}-${var.tre_id}" + listener_name = "httplstn-${var.resource_name_prefix}-${var.environment}-${var.tre_id}" + request_routing_rule_name = "rqrt-${var.resource_name_prefix}-${var.environment}-${var.tre_id}" + redirect_configuration_name = "rdrcfg-${var.resource_name_prefix}-${var.environment}-${var.tre_id}" +} \ No newline at end of file diff --git a/templates/core/terraform/appgateway/variables.tf b/templates/core/terraform/appgateway/variables.tf new file mode 100644 index 0000000000..c6349bf3ee --- /dev/null +++ b/templates/core/terraform/appgateway/variables.tf @@ -0,0 +1,6 @@ +variable "resource_name_prefix" {} +variable "environment" {} +variable "tre_id" {} +variable "location" {} +variable "resource_group_name" {} +variable "app_gw_subnet" {} \ No newline at end of file diff --git a/templates/core/terraform/main.tf b/templates/core/terraform/main.tf index 16c6827a56..c1cec6bf16 100644 --- a/templates/core/terraform/main.tf +++ b/templates/core/terraform/main.tf @@ -39,6 +39,16 @@ module "network" { address_space = var.address_space } +module "appgateway" { + source = "./appgateway" + resource_name_prefix = var.resource_name_prefix + environment = var.environment + tre_id = local.tre_id + location = var.location + resource_group_name = azurerm_resource_group.core.name + app_gw_subnet = module.network.app_gw +} + module "api-webapp" { source = "./api-webapp" resource_name_prefix = var.resource_name_prefix 
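Review bot: `redirect_configuration_name` is declared in this locals block but no `redirect_configuration` block in appgateway.tf references it, so it is dead configuration as committed. Either drop the line or add the HTTP-to-HTTPS redirect it is evidently named for, e.g. `redirect_configuration { name = local.redirect_configuration_name; redirect_type = "Permanent"; target_listener_name = <https listener> }` once an HTTPS listener exists. The appgateway variables.tf hunk on the same line also declares every input untyped (`variable "app_gw_subnet" {}`); a `type = string` on each would make a mis-wired module call fail at plan time rather than at apply.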
@@ -48,6 +58,7 @@ module "api-webapp" { resource_group_name = azurerm_resource_group.core.name web_app_subnet = module.network.web_app shared_subnet = module.network.shared + app_gw_subnet = module.network.app_gw core_vnet = module.network.core log_analytics_workspace_id = azurerm_log_analytics_workspace.tre.id } diff --git a/templates/workspaces/empty/terraform/locals.tf b/templates/workspaces/empty/terraform/locals.tf deleted file mode 100644 index 30b67b04b6..0000000000 --- a/templates/workspaces/empty/terraform/locals.tf +++ /dev/null @@ -1,16 +0,0 @@ - -data "azurerm_subscription" "current" { -} - -data "azurerm_client_config" "current" { -} - -locals { - storage_account_name = "wsstorage${var.workspace_id}" - - workspace_vnet_subnets = cidrsubnets(var.address_space, 3, 2, 4) - appgw_subnet_address_prefix = local.workspace_vnet_subnets[0] - appgw_private_ip = cidrhost(local.appgw_subnet_address_prefix, 5) - web_app_subnet_address_prefix = local.workspace_vnet_subnets[1] - services_subnet_address_prefix = local.workspace_vnet_subnets[2] -} diff --git a/templates/workspaces/empty/terraform/main.tf b/templates/workspaces/empty/terraform/main.tf deleted file mode 100644 index 6557f8a950..0000000000 --- a/templates/workspaces/empty/terraform/main.tf +++ /dev/null 
@@ -1,64 +0,0 @@ -# Azure Provider source and version being used -terraform { - required_providers { - azurerm = { - source = "hashicorp/azurerm" - version = "=2.46.1" - } - } -} - -resource "azurerm_resource_group" "workspace" { - location = var.location - name = "${var.resource_group_prefix}-${var.tre_id}-${var.workspace_id}" -} - -resource "azurerm_storage_account" "workspace" { - name = local.storage_account_name - resource_group_name = azurerm_resource_group.workspace.name - location = var.location - access_tier = "Hot" - enable_https_traffic_only = true - large_file_share_enabled = false - account_kind = "StorageV2" - account_tier = "Standard" - account_replication_type = "LRS" - - network_rules { - bypass = ["AzureServices"] - default_action = "Deny" - - } -} - - -resource "azurerm_private_endpoint" "workspace-storage-private-endpoint" { - name = "pe-wsstorage" - resource_group_name = azurerm_resource_group.workspace.name - location = azurerm_resource_group.workspace.location - subnet_id = azurerm_subnet.services.id - private_service_connection { - private_connection_resource_id = azurerm_storage_account.workspace.id - name = "pe-ws-storage" - subresource_names = ["file"] - is_manual_connection = false - } - private_dns_zone_group { - name = "privatelink.file.core.windows.net" - private_dns_zone_ids = [azurerm_private_dns_zone.files.id] - } -} - -resource "azurerm_private_dns_zone" "files" { - name = "privatelink.file.core.windows.net" - resource_group_name = azurerm_resource_group.workspace.name - -} - -resource "azurerm_private_dns_zone_virtual_network_link" "wsstorage" { - resource_group_name = azurerm_resource_group.workspace.name - virtual_network_id = azurerm_virtual_network.workspace.id - private_dns_zone_name = azurerm_private_dns_zone.files.name - name = "files-workspace-link" - registration_enabled = false -} 
diff --git a/templates/workspaces/empty/terraform/network.tf b/templates/workspaces/empty/terraform/network.tf deleted file mode 100644 index 672d04ae98..0000000000 --- a/templates/workspaces/empty/terraform/network.tf +++ /dev/null 
@@ -1,300 +0,0 @@ -resource "azurerm_virtual_network" "workspace" { - name = "vnet-workspace" - resource_group_name = azurerm_resource_group.workspace.name - location = var.location - address_space = [var.address_space] -} - - -resource "azurerm_subnet" "appgw" { - name = "appgwSubnet" - virtual_network_name = azurerm_virtual_network.workspace.name - resource_group_name = azurerm_resource_group.workspace.name - address_prefixes = [local.appgw_subnet_address_prefix] -} - -resource "azurerm_subnet" "web_app" { - name = "web_appSubnet" - virtual_network_name = azurerm_virtual_network.workspace.name - resource_group_name = azurerm_resource_group.workspace.name - address_prefixes = [local.web_app_subnet_address_prefix] - delegation { - name = "web_app" - service_delegation { - name = "Microsoft.Web/serverFarms" - actions = ["Microsoft.Network/virtualNetworks/subnets/action"] - } - } - -} - -resource "azurerm_subnet" "services" { - name = "servicesSubnet" - virtual_network_name = azurerm_virtual_network.workspace.name - resource_group_name = azurerm_resource_group.workspace.name - address_prefixes = [local.services_subnet_address_prefix] - enforce_private_link_endpoint_network_policies = true -} - - - - - -resource "azurerm_subnet_network_security_group_association" "services" { - network_security_group_id = azurerm_network_security_group.workspace.id - subnet_id = azurerm_subnet.services.id -} - - -resource "azurerm_subnet_network_security_group_association" "web_app" { - network_security_group_id = azurerm_network_security_group.workspace.id - subnet_id = azurerm_subnet.web_app.id -} - -resource "azurerm_network_security_group" "workspace" { - name = "nsg-workspace" - resource_group_name = azurerm_resource_group.workspace.name - location = azurerm_resource_group.workspace.location - -} - - -resource "azurerm_network_security_rule" "allow_inbound_web_app_to_services" { - - name = "allow-inbound-web-app-to-services" - - protocol = "*" - source_port_range = "*" - 
destination_port_range = "*" - source_address_prefixes = azurerm_subnet.web_app.address_prefixes - destination_address_prefixes = azurerm_subnet.services.address_prefixes - access = "Allow" - priority = 102 - direction = "Inbound" - - network_security_group_name = azurerm_network_security_group.workspace.name - resource_group_name = azurerm_resource_group.workspace.name - -} - -resource "azurerm_network_security_rule" "allow_inbound_appgw_to_services" { - - name = "allow-inbound-appgw-to-services" - - protocol = "*" - source_port_range = "*" - destination_port_range = "*" - source_address_prefixes = azurerm_subnet.appgw.address_prefixes - destination_address_prefixes = azurerm_subnet.services.address_prefixes - access = "Allow" - priority = 103 - direction = "Inbound" - - network_security_group_name = azurerm_network_security_group.workspace.name - resource_group_name = azurerm_resource_group.workspace.name - -} - -resource "azurerm_network_security_rule" "allow_inbound_appgw_to_webapp" { - - name = "allow-inbound-appgw-to-webapp" - - protocol = "*" - source_port_range = "*" - destination_port_range = "443" - source_address_prefixes = azurerm_subnet.appgw.address_prefixes - destination_address_prefixes = azurerm_subnet.web_app.address_prefixes - access = "Allow" - priority = 104 - direction = "Inbound" - - network_security_group_name = azurerm_network_security_group.workspace.name - resource_group_name = azurerm_resource_group.workspace.name - -} - - - -resource "azurerm_network_security_rule" "allow_inbound_within_services" { - - name = "allow-inbound-within-services" - - protocol = "*" - source_port_range = "*" - destination_port_range = "*" - source_address_prefixes = azurerm_subnet.services.address_prefixes - destination_address_prefixes = azurerm_subnet.services.address_prefixes - access = "Allow" - priority = 105 - direction = "Inbound" - - network_security_group_name = azurerm_network_security_group.workspace.name - resource_group_name = 
azurerm_resource_group.workspace.name - -} - -resource "azurerm_network_security_rule" "allow_inbound_from_bastion_to_services" { - - name = "allow-inbound-from-bastion-to-services" - - protocol = "Tcp" - source_port_range = "*" - destination_port_ranges = ["22", "3389"] - source_address_prefixes = data.azurerm_subnet.shared_services_bastion.address_prefixes - destination_address_prefixes = azurerm_subnet.services.address_prefixes - access = "Allow" - priority = 107 - direction = "Inbound" - - network_security_group_name = azurerm_network_security_group.workspace.name - resource_group_name = azurerm_resource_group.workspace.name - -} - -resource "azurerm_network_security_rule" "deny_all_inbound_override" { - - name = "deny-all-inbound-override" - - protocol = "*" - source_port_range = "*" - destination_port_range = "*" - source_address_prefix = "*" - destination_address_prefix = "*" - access = "Deny" - priority = 900 - direction = "Inbound" - - network_security_group_name = azurerm_network_security_group.workspace.name - resource_group_name = azurerm_resource_group.workspace.name - -} - - -resource "azurerm_network_security_rule" "to_internet" { - - name = "to-internet" - - protocol = "Tcp" - source_port_range = "*" - destination_port_range = "443" - source_address_prefix = "*" - destination_address_prefix = "INTERNET" - access = "Allow" - priority = 900 - direction = "Outbound" - - network_security_group_name = azurerm_network_security_group.workspace.name - resource_group_name = azurerm_resource_group.workspace.name - -} - -resource "azurerm_network_security_rule" "allow_outbound_web_app_to_services" { - - name = "allow-outbound-web-app-to-services" - - protocol = "*" - source_port_range = "*" - destination_port_range = "*" - source_address_prefixes = azurerm_subnet.web_app.address_prefixes - destination_address_prefixes = azurerm_subnet.services.address_prefixes - access = "Allow" - priority = 101 - direction = "Outbound" - - network_security_group_name = 
azurerm_network_security_group.workspace.name - resource_group_name = azurerm_resource_group.workspace.name - -} - -resource "azurerm_network_security_rule" "allow_outbound_web_app_to_appgw" { - - name = "allow-outbound-webapp-to-appgw" - - protocol = "*" - source_port_range = "*" - destination_port_range = "*" - source_address_prefixes = azurerm_subnet.web_app.address_prefixes - destination_address_prefixes = azurerm_subnet.appgw.address_prefixes - access = "Allow" - priority = 106 - direction = "Outbound" - - network_security_group_name = azurerm_network_security_group.workspace.name - resource_group_name = azurerm_resource_group.workspace.name - -} - -resource "azurerm_network_security_rule" "allow-outbound-services-to-appgw" { - - name = "allow-outbound-services-to-appgw" - - protocol = "*" - source_port_range = "*" - destination_port_range = "*" - source_address_prefixes = azurerm_subnet.services.address_prefixes - destination_address_prefixes = azurerm_subnet.appgw.address_prefixes - access = "Allow" - priority = 107 - direction = "Outbound" - - network_security_group_name = azurerm_network_security_group.workspace.name - resource_group_name = azurerm_resource_group.workspace.name - -} - -resource "azurerm_network_security_rule" "deny-outbound-override" { - - name = "deny-outbound-override" - - protocol = "*" - source_port_range = "*" - destination_port_range = "*" - source_address_prefix = "*" - destination_address_prefix = "*" - access = "Deny" - priority = 4096 - direction = "Outbound" - - network_security_group_name = azurerm_network_security_group.workspace.name - resource_group_name = azurerm_resource_group.workspace.name - -} - -resource "azurerm_network_security_rule" "to-shared_services-services" { - - name = "to-shared_services-services" - - protocol = "*" - source_port_range = "*" - destination_port_range = "*" - source_address_prefix = "*" - destination_address_prefix = data.azurerm_subnet.shared_services.address_prefix - access = "Allow" - 
priority = 120 - direction = "Outbound" - - network_security_group_name = azurerm_network_security_group.workspace.name - resource_group_name = azurerm_resource_group.workspace.name - -} - -resource "azurerm_virtual_network_peering" "core-vnet" { - name = "to-core-vnet" - allow_forwarded_traffic = false - allow_gateway_transit = false - allow_virtual_network_access = true - resource_group_name = azurerm_resource_group.workspace.name - remote_virtual_network_id = data.azurerm_virtual_network.core.id - virtual_network_name = azurerm_virtual_network.workspace.name -} - -resource "azurerm_virtual_network_peering" "workspace-vnet" { - name = "to-${var.workspace_id}-vnet" - allow_forwarded_traffic = false - allow_gateway_transit = false - allow_virtual_network_access = true - resource_group_name = data.azurerm_resource_group.core.name - remote_virtual_network_id = azurerm_virtual_network.workspace.id - virtual_network_name = data.azurerm_virtual_network.core.name -} - diff --git a/templates/workspaces/empty/terraform/outputs.tf b/templates/workspaces/empty/terraform/outputs.tf deleted file mode 100644 index e9e2f1369c..0000000000 --- a/templates/workspaces/empty/terraform/outputs.tf +++ /dev/null @@ -1,12 +0,0 @@ -output "name" { - value = var.name -} - -output "workspace_id" { - value = var.workspace_id -} - -output "address_space" { - value = azurerm_virtual_network.workspace.address_space[0] -} - diff --git a/templates/workspaces/empty/terraform/provider_azurerm.tf b/templates/workspaces/empty/terraform/provider_azurerm.tf deleted file mode 100644 index ab91b24812..0000000000 --- a/templates/workspaces/empty/terraform/provider_azurerm.tf +++ /dev/null @@ -1,3 +0,0 @@ -provider "azurerm" { - features {} -} diff --git a/templates/workspaces/empty/terraform/variables.tf b/templates/workspaces/empty/terraform/variables.tf deleted file mode 100644 index 269add9781..0000000000 --- a/templates/workspaces/empty/terraform/variables.tf +++ /dev/null 
@@ -1,74 +0,0 @@ -variable "resource_group_prefix" { - type = string - description = "Resource group prefix" -} - -data "azurerm_resource_group" "core" { - name = "${var.resource_group_prefix}-${var.tre_id}" -} - -variable "core_vnet_name" { - type = string - description = "shared_services vnet name" - default = "vnet-core" -} -variable "dns_name" { - type = string - description = "Workspace DNS name" -} - -data "azurerm_virtual_network" "core" { - name = var.core_vnet_name - resource_group_name = data.azurerm_resource_group.core.name -} - -data "azurerm_subnet" "shared_services_appgw" { - name = "appGwSubnet" - virtual_network_name = data.azurerm_virtual_network.core.name - resource_group_name = data.azurerm_resource_group.core.name -} - -data "azurerm_subnet" "shared_services_bastion" { - name = "AzureBastionSubnet" - virtual_network_name = data.azurerm_virtual_network.core.name - resource_group_name = data.azurerm_resource_group.core.name -} - -data "azurerm_subnet" "shared_services" { - name = "sharedServicesSubnet" - virtual_network_name = data.azurerm_virtual_network.core.name - resource_group_name = data.azurerm_resource_group.core.name -} - -variable "address_space" { - type = string - description = "Workspace VNet address space" -} - -variable "name" { - type = string - - description = "Name of the workspace" -} - -variable "tre_id" { - type = string - - description = "Unique DRE instance id" -} - -variable "workspace_id" { - type = string - description = "Unique workspace id" -} - -variable "tre_dns_suffix" { - type = string - description = "DNS suffix for the environment. E.g. .dre.myorg.com or x.drelocal, must be >=2 segments in the suffix" -} - -variable "location" { - type = string - - description = "Azure region to deploy to" -} \ No newline at end of file From 58fcc982230eb7bc07edbf92acab2b6cc2963acb Mon Sep 17 00:00:00 2001 
From: Denis Cepun Date: Fri, 7 May 2021 15:38:01 +0300 Subject: [PATCH 09/11] change appgw sku --- templates/core/terraform/appgateway/appgateway.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/core/terraform/appgateway/appgateway.tf b/templates/core/terraform/appgateway/appgateway.tf index 136917231b..8710ae0b9d 100644 --- a/templates/core/terraform/appgateway/appgateway.tf +++ b/templates/core/terraform/appgateway/appgateway.tf @@ -12,7 +12,7 @@ resource "azurerm_application_gateway" "agw" { location = var.location sku { - name = "Standard_Small" + name = "Standard_v2" tier = "Standard_v2" capacity = 2 } From 6b727257033446926d3cf4a84b585273b99c8590 Mon Sep 17 00:00:00 2001 From: Denis Cepun Date: Mon, 10 May 2021 08:52:14 +0300 Subject: [PATCH 10/11] splitting out routetable --- templates/core/terraform/firewall/firewall.tf | 18 ------------------ templates/core/terraform/firewall/output.tf | 7 +++++++ templates/core/terraform/main.tf | 11 +++++++++++ templates/core/terraform/network/network.tf | 2 +- .../core/terraform/routetable/routetable.tf | 18 ++++++++++++++++++ .../core/terraform/routetable/variables.tf | 7 +++++++ 6 files changed, 44 insertions(+), 19 deletions(-) create mode 100644 templates/core/terraform/firewall/output.tf create mode 100644 templates/core/terraform/routetable/routetable.tf create mode 100644 templates/core/terraform/routetable/variables.tf diff --git a/templates/core/terraform/firewall/firewall.tf b/templates/core/terraform/firewall/firewall.tf index 1863b6efe7..53d121c0fc 100644 --- a/templates/core/terraform/firewall/firewall.tf +++ b/templates/core/terraform/firewall/firewall.tf 
@@ -18,21 +18,3 @@ resource "azurerm_firewall" "fw" {
 }
 }
 
-resource "azurerm_route_table" "rt" {
- name = "rt-${var.resource_name_prefix}-${var.environment}-${var.tre_id}"
- resource_group_name = var.resource_group_name
- location = var.location
- disable_bgp_route_propagation = false
-
- route {
- name = "DefaultRoute"
- address_prefix = "0.0.0.0/0"
- next_hop_type = "VirtualAppliance"
- next_hop_in_ip_address = azurerm_firewall.fw.ip_configuration.0.private_ip_address
- }
-}
-
-resource "azurerm_subnet_route_table_association" "rt_shared_subnet_association" {
- subnet_id = var.shared_subnet
- route_table_id = azurerm_route_table.rt.id
-}
diff --git a/templates/core/terraform/firewall/output.tf b/templates/core/terraform/firewall/output.tf
new file mode 100644
index 0000000000..b7d53d90c7
--- /dev/null
+++ b/templates/core/terraform/firewall/output.tf
@@ -0,0 +1,7 @@
+output "firewall_private_ip_address" {
+ value = azurerm_firewall.fw.ip_configuration.0.private_ip_address
+}
+
+output "firewall_public_ip" {
+ value = azurerm_public_ip.fwpip.ip_address
+}
diff --git a/templates/core/terraform/main.tf b/templates/core/terraform/main.tf
index c1cec6bf16..b050bfd165 100644
--- a/templates/core/terraform/main.tf
+++ b/templates/core/terraform/main.tf
@@ -86,6 +86,17 @@ module "firewall" {
 shared_subnet = module.network.shared
 }
 
+module "routetable" {
+ source = "./routetable"
+ resource_name_prefix = var.resource_name_prefix
+ environment = var.environment
+ tre_id = local.tre_id
+ location = var.location
+ resource_group_name = azurerm_resource_group.core.name
+ shared_subnet = module.network.shared
+ firewall_private_ip_address = module.firewall.firewall_private_ip_address
+}
+
 module "acr" {
 source = "./acr"
 resource_name_prefix = var.resource_name_prefix
diff --git a/templates/core/terraform/network/network.tf b/templates/core/terraform/network/network.tf
index 1e873efa38..782a3af2f0 100644
--- a/templates/core/terraform/network/network.tf
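Review bot: In the main.tf hunk only `module.network.shared` is passed to `module "routetable"`, so the forced default route through the firewall covers the shared-services subnet alone; the web app subnet the network module also exposes (`module.network.web_app`, wired into api-webapp above) keeps Azure's system route straight to the Internet unless it is associated somewhere outside this view. If the design intent is that all core egress traverses the firewall, the route table module should take and associate the web app subnet as well, e.g. `web_app_subnet = module.network.web_app` plus a second `azurerm_subnet_route_table_association`. Do not extend this to the gateway subnet, since an Application Gateway v2 subnet does not accept a 0.0.0.0/0 route to a virtual appliance. The `firewall` module still receives `shared_subnet` even though this patch moved the only consumer of it out of firewall.tf, so that input is now presumably unused and can be dropped.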
+++ b/templates/core/terraform/network/network.tf
@@ -50,4 +50,4 @@ resource "azurerm_subnet" "shared" {
 resource_group_name = var.resource_group_name
 address_prefixes = [local.shared_services_subnet_address_prefix]
 enforce_private_link_endpoint_network_policies = true
-}
\ No newline at end of file
+}
diff --git a/templates/core/terraform/routetable/routetable.tf b/templates/core/terraform/routetable/routetable.tf
new file mode 100644
index 0000000000..b2d6360f54
--- /dev/null
+++ b/templates/core/terraform/routetable/routetable.tf
@@ -0,0 +1,18 @@
+resource "azurerm_route_table" "rt" {
+ name = "rt-${var.resource_name_prefix}-${var.environment}-${var.tre_id}"
+ resource_group_name = var.resource_group_name
+ location = var.location
+ disable_bgp_route_propagation = false
+
+ route {
+ name = "DefaultRoute"
+ address_prefix = "0.0.0.0/0"
+ next_hop_type = "VirtualAppliance"
+ next_hop_in_ip_address = var.firewall_private_ip_address
+ }
+}
+
+resource "azurerm_subnet_route_table_association" "rt_shared_subnet_association" {
+ subnet_id = var.shared_subnet
+ route_table_id = azurerm_route_table.rt.id
+}
diff --git a/templates/core/terraform/routetable/variables.tf b/templates/core/terraform/routetable/variables.tf
new file mode 100644
index 0000000000..f9b1b83268
--- /dev/null
+++ b/templates/core/terraform/routetable/variables.tf
@@ -0,0 +1,7 @@
+variable "resource_name_prefix" {}
+variable "environment" {}
+variable "tre_id" {}
+variable "location" {}
+variable "resource_group_name" {}
+variable "firewall_private_ip_address" {}
+variable "shared_subnet" {}
\ No newline at end of file
From 28efd184a60c19dab1e843de06c9e97c2fbc11a2 Mon Sep 17 00:00:00 2001 From: Denis Cepun Date: Mon, 10 May 2021 10:33:36 +0300 Subject: [PATCH 11/11] removed user managed identity --- templates/core/terraform/api-webapp/api-webapp.tf | 10 ---------- 1 file changed, 10 deletions(-) 
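Review bot: `disable_bgp_route_propagation = false` in the routetable.tf hunk undermines the forced-tunnel intent of the `DefaultRoute`: should a VPN or ExpressRoute gateway ever be attached to this VNet, its BGP-learned prefixes are installed on the subnet and, being more specific than 0.0.0.0/0, win longest-prefix match and bypass the firewall. For a subnet whose egress is meant to go through the firewall set `disable_bgp_route_propagation = true`. The route's next hop now comes from an untyped input in the variables.tf hunk on the same line; declaring `variable "firewall_private_ip_address" { type = string }` and `variable "shared_subnet" { type = string }` turns a mis-wired module call into a plan-time error.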
diff --git a/templates/core/terraform/api-webapp/api-webapp.tf b/templates/core/terraform/api-webapp/api-webapp.tf index 11d07892ab..4821e801d7 100644 --- a/templates/core/terraform/api-webapp/api-webapp.tf +++ b/templates/core/terraform/api-webapp/api-webapp.tf @@ -24,10 +24,6 @@ resource "azurerm_app_service" "management_api" { location = var.location app_service_plan_id = azurerm_app_service_plan.core.id - identity { - type = "UserAssigned" - identity_ids = [azurerm_user_assigned_identity.management_api.id] - } https_only = true app_settings = { @@ -68,12 +64,6 @@ resource "azurerm_app_service" "management_api" { } } -resource "azurerm_user_assigned_identity" "management_api" { - name = "id-${var.resource_name_prefix}-${var.environment}-${var.tre_id}" - resource_group_name = var.resource_group_name - location = var.location -} - resource "azurerm_private_endpoint" "management_api_private_endpoint" { name = "pe-api-${var.resource_name_prefix}-${var.environment}-${var.tre_id}" resource_group_name = var.resource_group_name
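Review bot: The first hunk deletes the `identity` block from `azurerm_app_service.management_api` without putting anything in its place, so the app service is left with no managed identity at all. The series also wires an `acr` module into main.tf, and if the container image is pulled from that registry (or the app reads Key Vault), the pull or lookup now has to rely on registry admin credentials or secrets in `app_settings` rather than identity-based auth — a step backwards unless the image is public, which is worth confirming. A minimal replacement is `identity { type = "SystemAssigned" }` together with an `AcrPull` role assignment on the registry for the resulting principal. The resource body continues outside both hunks, and the second hunk's tail is cut off in this view.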