Skip to content

Latest commit

 

History

History
223 lines (193 loc) · 17.8 KB

README.md

File metadata and controls

223 lines (193 loc) · 17.8 KB

Azure - Claranet Support stack

Changelog Notice Apache V2 License OpenTofu Registry

Azure Support module. It creates a subnet, a Network Security Group and a bastion VM instance from a Claranet image by default. Included module documentation:

Global versioning rule for Claranet Azure modules

Module version Terraform version OpenTofu version AzureRM version
>= 8.x.x Unverified 1.8.x >= 4.0
>= 7.x.x 1.3.x >= 3.0
>= 6.x.x 1.x >= 3.0
>= 5.x.x 0.15.x >= 2.0
>= 4.x.x 0.13.x / 0.14.x >= 2.0
>= 3.x.x 0.12.x >= 2.0
>= 2.x.x 0.12.x < 2.0
< 2.x.x 0.11.x < 2.0

Contributing

If you want to contribute to this repository, feel free to use our pre-commit git hook configuration which will help you automatically update and format some files for you by enforcing our Terraform code module best-practices.

More details are available in the CONTRIBUTING.md file.

Usage

This module is optimized to work with the Claranet terraform-wrapper tool which set some terraform variables in the environment needed by this module. More details about variables set by the terraform-wrapper available in the documentation.

⚠️ Since modules version v8.0.0, we do not maintain/check anymore the compatibility with Hashicorp Terraform. Instead, we recommend to use OpenTofu.

resource "tls_private_key" "bastion" {
  algorithm = "RSA"
}

module "support" {
  source = "git::ssh://[email protected]/claranet/projects/cloud/azure/terraform/module/support.git?ref=vX.X.X"

  client_name         = var.client_name
  location            = module.azure_region.location
  location_short      = module.azure_region.location_short
  environment         = var.environment
  stack               = var.stack
  resource_group_name = module.rg.name

  virtual_network_name = module.vnet.name

  # Bastion parameters
  bastion_vm_size         = "Standard_B1s"
  bastion_os_disk_size_gb = "32"

  admin_ssh_ips = var.admin_ssh_ips

  # Define your private ip bastion if you want to override it
  bastion_private_ip = "10.10.10.10"

  # Set to null to deactivate backup (not recommended)
  bastion_backup_policy_id = module.run.vm_backup_policy_id

  # Optional: Put your SSH key here
  ssh_public_key = tls_private_key.bastion.public_key_openssh

  # Define your subnets if you want to override it
  subnet = {
    cidrs = ["10.10.10.0/24"]
  }
  #  support_dns_zone_name = var.support_dns_zone_name

  # Diagnostics / logs
  diagnostics_storage_account_name      = module.run.logs_storage_account_name
  azure_monitor_data_collection_rule_id = module.run.data_collection_rule_id
  log_analytics_workspace_guid          = module.run.log_analytics_workspace_guid
}

Providers

Name Version
azurerm ~> 4.9
tls >= 3.0

Modules

Name Source Version
azure_region claranet/regions/azurerm ~> 7.3.0
bastion_vm claranet/linux-vm/azurerm ~> 8.0.0
claranet_gallery_images claranet/claranet-gallery-images/azapi ~> 8.0.0
support_nsg claranet/nsg/azurerm ~> 8.0.0
support_subnet claranet/subnet/azurerm ~> 8.0.1

Resources

Name Type
azurerm_subnet_network_security_group_association.subnet_bastion_association resource
tls_private_key.ssh resource
azurerm_client_config.current data source

Inputs

Name Description Type Default Required
admin_password Password for the administrator account of the virtual machine. string null no
admin_ssh_ips Claranet IPs allowed to use SSH on bastion. list(string) n/a yes
admin_username Name of the administrator user. string "claranet" no
azure_monitor_agent_auto_upgrade_enabled Automatically update agent when publisher releases a new version of the agent. bool false no
azure_monitor_agent_version Azure Monitor Agent extension version. string "1.12" no
azure_monitor_data_collection_rule_id Data Collection Rule ID from Azure Monitor for metrics and logs collection. Used with new monitoring agent, set to null if legacy agent is used. string n/a yes
bastion_backup_policy_id Backup policy ID from the Recovery Vault to attach the Virtual Machine to (value to null to disable backup). string n/a yes
bastion_custom_data The Base64-Encoded Custom Data which should be used for the bastion. Changing this forces a new resource to be created. string null no
bastion_custom_hostname Custom Bastion hostname. string "" no
bastion_custom_name VM Name as displayed on the console. string "" no
bastion_dcr_custom_name Custom name for Data Collection Rule. string null no
bastion_dns_label_custom_name Custom name for DNS label. string null no
bastion_extra_tags Additional tags to associate with your bastion instance. map(string) {} no
bastion_identity Map with identity block informations as described in documentation. 
object({
    type         = string
    identity_ids = list(string)
  })
 
{
  "identity_ids": [],
  "type": "SystemAssigned"
}
 no
bastion_ipconfig_custom_name Custom name for IP Configuration. string null no
bastion_maintenance_configurations_ids List of maintenance configurations to attach to this VM. list(string) [] no
bastion_nic_accelerated_networking_enabled Should Accelerated Networking be enabled? Defaults to false. bool false no
bastion_nic_custom_name Custom name for NIC. string null no
bastion_os_disk_account_type The Type of Storage Account which should back this the Internal OS Disk. Possible values are Standard_LRS, StandardSSD_LRS, Premium_LRS, StandardSSD_ZRS and Premium_ZRS. string "Premium_ZRS" no
bastion_os_disk_caching Specifies the caching requirements for the OS Disk. string "ReadWrite" no
bastion_os_disk_custom_name Custom name for Bastion OS disk. string "" no
bastion_os_disk_extra_tags Additional tags to set on the OS disk. map(string) {} no
bastion_os_disk_size_gb Specifies the size of the OS Disk in gigabytes. string n/a yes
bastion_os_disk_tagging_enabled Should OS disk tagging be enabled? Defaults to true. bool true no
bastion_patch_mode Specifies the mode of in-guest patching to this Linux Virtual Machine. Possible values are AutomaticByPlatform and ImageDefault. string "AutomaticByPlatform" no
bastion_private_ip Allows to define the private IP to associate with the bastion. string null no
bastion_public_ip_custom_name Custom name for public IP. string null no
bastion_public_ip_enabled Should a Public IP be attached to the Virtual Machine? bool true no
bastion_public_ip_zones Zones for public IP attached to the Virtual Machine. Can be null if no zone distpatch. list(number) 
[
  1,
  2,
  3
]
 no
bastion_user_data The Base64-Encoded User Data which should be used for the bastion. string null no
bastion_vm_image Bastion Virtual Machine source image information. See documentation. This variable cannot be used if vm_image_id is already defined. Defaults to Claranet image. 
object({
    publisher = string
    offer     = string
    sku       = string
    version   = string
  })
 null no
bastion_vm_image_id The ID of the Image which this Virtual Machine should be created from. This variable supersedes the vm_image variable if not null. Defaults to Claranet image. string null no
bastion_vm_size Bastion virtual machine size. string n/a yes
client_name Client name/account used in naming. string n/a yes
default_outbound_access_enabled Enable or disable default_outbound_access. See documentation. bool false no
default_tags_enabled Option to enable or disable default tags. bool true no
diagnostics_storage_account_name Name of the Storage Account in which store VM diagnostics. string n/a yes
disable_password_authentication Option to disable or enable password authentication if admin password is not set. bool true no
encryption_at_host_enabled Should all disks (including the temporary disk) attached to the Virtual Machine be encrypted by enabling Encryption at Host? List of compatible Virtual Machine sizes. bool true no
entra_ssh_login_admin_objects_ids Entra ID (aka AAD) objects IDs allowed to connect as administrator on the Virtual Machine. list(string) [] no
entra_ssh_login_enabled Enable SSH logins with Entra ID (aka AAD). bool false no
entra_ssh_login_extension_version Virtual Machine extension version for Entra ID (aka AAD) SSH Login extension. string "1.0" no
entra_ssh_login_user_objects_ids Entra ID (aka AAD) objects IDs allowed to connect as standard user on the Virtual Machine. list(string) [] no
environment Project environment. string n/a yes
extensions_extra_tags Extra tags to set on the VM extensions. map(string) {} no
flow_log_enabled Provision network watcher flow logs. bool false no
flow_log_location The location where the Network Watcher Flow Log resides. Changing this forces a new resource to be created. Defaults to the location of the Network Watcher. string null no
flow_log_logging_enabled Enable Network Flow Logging. bool true no
flow_log_retention_policy_days The number of days to retain flow log records. number 31 no
flow_log_retention_policy_enabled Boolean flag to enable/disable retention. bool true no
flow_log_storage_account_id Network watcher flow log storage account ID. string null no
flow_log_traffic_analytics_enabled Boolean flag to enable/disable traffic analytics. bool true no
flow_log_traffic_analytics_interval_in_minutes How frequently service should do flow analytics in minutes. number 10 no
location Azure location. string n/a yes
location_short Short string for Azure location. string n/a yes
log_analytics_workspace_guid The resource GUID of the attached workspace. string null no
log_analytics_workspace_id The resource ID of the attached workspace. string null no
log_analytics_workspace_location The location of the attached workspace. string null no
name_prefix Optional prefix for the generated name. string "bastion" no
name_suffix Optional suffix for the generated name. string "" no
network_security_group_custom_name Custom name for Network Security Group. string null no
network_watcher_name The name of the Network Watcher. Changing this forces a new resource to be created. string null no
network_watcher_resource_group_name The name of the resource group in which the Network Watcher was deployed. Changing this forces a new resource to be created. string null no
nic_extra_tags Additional tags to associate with your network interface. map(string) {} no
nsg_additional_rules Additional network security group rules to add. For arguments please refer to documentation. 
list(object({
    priority  = number
    name      = string
    direction = optional(string)
    access    = optional(string)
    protocol  = optional(string)

    source_port_range  = optional(string)
    source_port_ranges = optional(list(string))

    destination_port_range  = optional(string)
    destination_port_ranges = optional(list(string))

    source_address_prefix   = optional(string)
    source_address_prefixes = optional(list(string))

    destination_address_prefix   = optional(string)
    destination_address_prefixes = optional(list(string))
  }))
 [] no
nsg_extra_tags Additional tags to associate with your Network Security Group. map(string) {} no
private_link_endpoint_enabled Enable or disable network policies for the Private Endpoint on the subnet. bool true no
private_link_service_enabled Enable or disable network policies for the Private Link Service on the subnet. bool true no
public_ip_extra_tags Additional tags to associate with your public IP. map(string) {} no
resource_group_name Resource group name. string n/a yes
route_table_name The Route Table name to associate with the subnet. string null no
route_table_rg The Route Table RG to associate with the subnet. Default is the same RG than the subnet. string null no
service_endpoint_policy_ids The list of IDs of Service Endpoint Policies to associate with the subnet. list(string) null no
service_endpoints The list of Service endpoints to associate with the subnet. list(string) [] no
ssh_public_key SSH public key, generated if empty. string null no
stack Project stack name. string n/a yes
subnet The ID of the existing subnet or the address prefixes to use for the new subnet. 
object({
    id    = optional(string)
    cidrs = optional(list(string), [])
  })
 n/a yes
subnet_custom_name Custom name for Subnet. string null no
virtual_network_name Bastion VM virtual network name. string n/a yes
virtual_network_resource_group_name Bastion VM virtual network resource group name, default to resource_group_name if empty. string "" no
vtpm_enabled Specifies if vTPM (virtual Trusted Platform Module) and Trusted Launch is enabled for the Virtual Machine. Defaults to true. Changing this forces a new resource to be created. bool true no

Outputs

Name Description
bastion_admin_password Password of the admin user.
bastion_admin_username Username of the admin user.
bastion_hostname Bastion hostname.
bastion_maintenance_configurations_assignments Maintenance configurations assignments configurations.
bastion_network_interface_id Bastion network interface ID.
bastion_network_interface_private_ip Bastion private IP.
bastion_network_public_ip Bastion public IP.
bastion_network_public_ip_id Bastion public IP ID.
bastion_public_domain_name_label Bastion public DNS.
bastion_ssh_private_key Bastion SSH private key.
bastion_ssh_public_key Bastion SSH public key.
bastion_virtual_machine_id Bastion virtual machine ID.
bastion_virtual_machine_name Bastion virtual machine name.
bastion_virtual_machine_os_disk Bastion virtual machine OS disk object.
module_bastion_vm Module bastion Virtual Machine object.
module_network_security_group Module network security group object.
module_subnet Module subnet object.
network_security_group_id Network security group ID.
network_security_group_name Network security group name.
subnet_cidrs CIDR list of the created subnet.
subnet_id ID of the created subnet.
terraform_module Information about this Terraform module.