Merge pull request #380 from jensheerin/terraform-dnslink

Add Terraform Zero Trust scenario for AVD session host

workload/terraform/example/gamedevwm/main.tf

@@ -0,0 +1,259 @@
+resource "azurerm_resource_group" "res-0" {
+  location = var.region
+  name     = "rg-avd-${substr(var.region, 0, 5)}-gm"
+}
+
+resource "azurerm_virtual_machine_extension" "res-2" {
+  auto_upgrade_minor_version = true
+  name                       = "MDE.Windows"
+  publisher                  = "Microsoft.Azure.AzureDefenderForServers"
+  settings                   = "{\"azureResourceId\":\"/subscriptions/${var.spoke_subscription_id}/resourceGroups/RG-AVD-GM/providers/Microsoft.Compute/virtualMachines/vm-gmdev\",\"forceReOnboarding\":false,\"vNextEnabled\":false}"
+  type                       = "MDE.Windows"
+  type_handler_version       = "1.0"
+  virtual_machine_id         = "/subscriptions/${var.spoke_subscription_id}/resourceGroups/azurerm_resource_group.res-0.name/providers/Microsoft.Compute/virtualMachines/vm-gmdev"
+  depends_on = [
+    azurerm_windows_virtual_machine.res-5,
+  ]
+}
+resource "azurerm_virtual_machine_extension" "res-1" {
+  auto_upgrade_minor_version = true
+  name                       = "MicrosoftMonitoringAgent"
+  publisher                  = "Microsoft.EnterpriseCloud.Monitoring"
+  settings                   = "{\"workspaceId\":\"964921b9-94c7-4d0c-8274-00f2708aca36\"}"
+  type                       = "MicrosoftMonitoringAgent"
+  type_handler_version       = "1.0"
+  virtual_machine_id         = "/subscriptions/${var.spoke_subscription_id}/resourceGroups/azurerm_resource_group.res-0.name/providers/Microsoft.Compute/virtualMachines/vm-gmdev"
+  depends_on = [
+    azurerm_windows_virtual_machine.res-5,
+  ]
+}
+
+
+resource "azurerm_managed_disk" "res-4" {
+  create_option        = "FromImage"
+  image_reference_id   = "/Subscriptions/${var.spoke_subscription_id}/Providers/Microsoft.Compute/Locations/southcentralus/Publishers/microsoft-azure-gaming/ArtifactTypes/VMImage/Offers/game-dev-vm/Skus/win11_unreal_5_0/Versions/1.0.62"
+  location             = var.region
+  name                 = "vm-gmdev_lun_0_2_afed48d7a46d4d2287ae25ead2e6ff98"
+  resource_group_name  = azurerm_resource_group.res-0.name
+  storage_account_type = "Premium_LRS"
+  tags = {
+    engine         = "ue_5_0"
+    ostype         = "win11"
+    remotesoftware = "RDP"
+    solution       = "Game Development Virtual Machine"
+  }
+  depends_on = [
+    azurerm_resource_group.res-0,
+  ]
+}
+resource "azurerm_windows_virtual_machine" "res-5" {
+  admin_password        = "ChangeMe123!"
+  admin_username        = "localadmin"
+  location              = var.region
+  name                  = "vm-gmdev"
+  network_interface_ids = ["/subscriptions/${var.spoke_subscription_id}/resourceGroups/azurerm_resource_group.res-0.name/providers/Microsoft.Network/networkInterfaces/vm-gmdev-nic"]
+  resource_group_name   = azurerm_resource_group.res-0.name
+  size                  = "Standard_NC4as_T4_v3"
+  tags = {
+    engine         = "ue_5_0"
+    ostype         = "win11"
+    remotesoftware = "RDP"
+    solution       = "Game Development Virtual Machine"
+  }
+  identity {
+    type = "SystemAssigned"
+  }
+  os_disk {
+    caching              = "ReadWrite"
+    storage_account_type = "Premium_LRS"
+  }
+  plan {
+    name      = "win11_unreal_5_0"
+    product   = "game-dev-vm"
+    publisher = "microsoft-azure-gaming"
+  }
+  source_image_reference {
+    offer     = "game-dev-vm"
+    publisher = "microsoft-azure-gaming"
+    sku       = "win11_unreal_5_0"
+    version   = "1.0.62"
+  }
+  depends_on = [
+    azurerm_network_interface.res-14,
+  ]
+}
+resource "azurerm_virtual_machine_data_disk_attachment" "res-6" {
+  caching            = "ReadOnly"
+  create_option      = "Attach"
+  lun                = 0
+  managed_disk_id    = "/subscriptions/${var.spoke_subscription_id}/resourceGroups/rg-avd-gm/providers/Microsoft.Compute/disks/vm-gmdev_lun_0_2_afed48d7a46d4d2287ae25ead2e6ff98"
+  virtual_machine_id = "/subscriptions/${var.spoke_subscription_id}/resourceGroups/rg-avd-gm/providers/Microsoft.Compute/virtualMachines/vm-gmdev"
+  depends_on = [
+    azurerm_managed_disk.res-4,
+    azurerm_windows_virtual_machine.res-5,
+  ]
+}
+resource "azurerm_virtual_machine_extension" "res-7" {
+  auto_upgrade_minor_version = true
+  name                       = "AADLoginForWindows"
+  publisher                  = "Microsoft.Azure.ActiveDirectory"
+  type                       = "AADLoginForWindows"
+  type_handler_version       = "1.0"
+  virtual_machine_id         = "/subscriptions/${var.spoke_subscription_id}/resourceGroups/rg-avd-gm/providers/Microsoft.Compute/virtualMachines/vm-gmdev"
+  depends_on = [
+    azurerm_windows_virtual_machine.res-5,
+  ]
+}
+resource "azurerm_virtual_machine_extension" "res-8" {
+  auto_upgrade_minor_version = true
+  name                       = "GDVMCustomization"
+  publisher                  = "Microsoft.Compute"
+  settings                   = "{\"fileUris\":[\"https://catalogartifact.azureedge.net/publicartifacts/microsoft-azure-gaming.azure-gamedev-vm-22e9a75e-a70c-4cdb-a26e-d477a9e73c71-gamedev-vm/Artifacts/Controller-Initialization.ps1\",\"https://catalogartifact.azureedge.net/publicartifacts/microsoft-azure-gaming.azure-gamedev-vm-22e9a75e-a70c-4cdb-a26e-d477a9e73c71-gamedev-vm/Artifacts/Task-CompleteUESetup.ps1\",\"https://catalogartifact.azureedge.net/publicartifacts/microsoft-azure-gaming.azure-gamedev-vm-22e9a75e-a70c-4cdb-a26e-d477a9e73c71-gamedev-vm/Artifacts/Task-ConfigureLoginScripts.ps1\",\"https://catalogartifact.azureedge.net/publicartifacts/microsoft-azure-gaming.azure-gamedev-vm-22e9a75e-a70c-4cdb-a26e-d477a9e73c71-gamedev-vm/Artifacts/Task-CreateDataDisk.ps1\",\"https://catalogartifact.azureedge.net/publicartifacts/microsoft-azure-gaming.azure-gamedev-vm-22e9a75e-a70c-4cdb-a26e-d477a9e73c71-gamedev-vm/Artifacts/Task-MountFileShare.ps1\",\"https://catalogartifact.azureedge.net/publicartifacts/microsoft-azure-gaming.azure-gamedev-vm-22e9a75e-a70c-4cdb-a26e-d477a9e73c71-gamedev-vm/Artifacts/Task-SyncP4Depot.ps1\",\"https://catalogartifact.azureedge.net/publicartifacts/microsoft-azure-gaming.azure-gamedev-vm-22e9a75e-a70c-4cdb-a26e-d477a9e73c71-gamedev-vm/Artifacts/Task-SetupIncredibuild.ps1\",\"https://catalogartifact.azureedge.net/publicartifacts/microsoft-azure-gaming.azure-gamedev-vm-22e9a75e-a70c-4cdb-a26e-d477a9e73c71-gamedev-vm/Artifacts/Task-AvdRegistration.ps1\",\"https://catalogartifact.azureedge.net/publicartifacts/microsoft-azure-gaming.azure-gamedev-vm-22e9a75e-a70c-4cdb-a26e-d477a9e73c71-gamedev-vm/Artifacts/Task-RegisterTeradici.ps1\",\"https://catalogartifact.azureedge.net/publicartifacts/microsoft-azure-gaming.azure-gamedev-vm-22e9a75e-a70c-4cdb-a26e-d477a9e73c71-gamedev-vm/Artifacts/Task-SetupParsec.ps1\",\"https://catalogartifact.azureedge.net/publicartifacts/microsoft-azure-gaming.azure-gamedev-vm-22e9a75e-a70c-4cdb-a26e-d477a9e73c71-gamedev-vm/Artifacts/PreInstall.zip\"]}"
+  type                       = "CustomScriptExtension"
+  type_handler_version       = "1.10"
+  virtual_machine_id         = "/subscriptions/${var.spoke_subscription_id}/resourceGroups/rg-avd-gm/providers/Microsoft.Compute/virtualMachines/vm-gmdev"
+  depends_on = [
+    azurerm_windows_virtual_machine.res-5,
+  ]
+}
+resource "azurerm_virtual_desktop_application_group" "res-9" {
+  default_desktop_display_name = "SessionDesktop"
+  description                  = "Desktop Application Group created through the Hostpool Wizard"
+  friendly_name                = "Default Desktop"
+  host_pool_id                 = "/subscriptions/${var.spoke_subscription_id}/resourceGroups/rg-avd-gm/providers/Microsoft.DesktopVirtualization/hostPools/vdpool-gm"
+  location                     = var.region
+  name                         = "vdpool-gm-DAG"
+  resource_group_name          = azurerm_resource_group.res-0.name
+  tags = {
+    cm-resource-parent = "/subscriptions/${var.spoke_subscription_id}/resourceGroups/rg-avd-gm/providers/Microsoft.DesktopVirtualization/vdpool-gm"
+  }
+  type = "Desktop"
+  depends_on = [
+    azurerm_virtual_desktop_host_pool.res-10,
+  ]
+}
+resource "azurerm_virtual_desktop_host_pool" "res-10" {
+  custom_rdp_properties    = "drivestoredirect:s:*;audiomode:i:0;videoplaybackmode:i:1;redirectclipboard:i:1;redirectprinters:i:1;devicestoredirect:s:*;redirectcomports:i:1;redirectsmartcards:i:1;usbdevicestoredirect:s:*;enablecredsspsupport:i:1;redirectwebauthn:i:1;use multimon:i:0;enablerdsaadauth:i:1;autoreconnection enabled:i:1;targetisaadjoined:i:1;"
+  description              = "Created through the Azure Virtual Desktop extension"
+  load_balancer_type       = "BreadthFirst"
+  location                 = var.region
+  maximum_sessions_allowed = 5
+  name                     = "vdpool-gm"
+  resource_group_name      = azurerm_resource_group.res-0.name
+  type                     = "Pooled"
+  depends_on = [
+    azurerm_resource_group.res-0,
+  ]
+}
+resource "azurerm_virtual_desktop_workspace" "res-11" {
+  friendly_name       = "GPU"
+  location            = "northcentralus"
+  name                = "ws-gmd"
+  resource_group_name = azurerm_resource_group.res-0.name
+  tags = {
+    cm-resource-parent = "/subscriptions/${var.spoke_subscription_id}/resourceGroups/rg-avd-gm/providers/Microsoft.DesktopVirtualization/vdpool-gm"
+  }
+  depends_on = [
+    azurerm_resource_group.res-0,
+  ]
+}
+resource "azurerm_virtual_desktop_workspace_application_group_association" "res-12" {
+  application_group_id = "/subscriptions/${var.spoke_subscription_id}/resourceGroups/rg-avd-gm/providers/Microsoft.DesktopVirtualization/applicationGroups/vdpool-gm-DAG"
+  workspace_id         = "/subscriptions/${var.spoke_subscription_id}/resourceGroups/rg-avd-gm/providers/Microsoft.DesktopVirtualization/workspaces/ws-gmd"
+  depends_on = [
+    azurerm_virtual_desktop_application_group.res-9,
+    azurerm_virtual_desktop_workspace.res-11,
+  ]
+}
+
+resource "azurerm_network_interface" "res-14" {
+  enable_accelerated_networking = true
+  location                      = var.region
+  name                          = "vm-gmdev-nic"
+  resource_group_name           = azurerm_resource_group.res-0.name
+  ip_configuration {
+    name                          = "vm-gmdev-ipconf"
+    private_ip_address_allocation = "Dynamic"
+    subnet_id                     = "/subscriptions/${var.spoke_subscription_id}/resourceGroups/rg-avd-gm/providers/Microsoft.Network/virtualNetworks/vm-gmdev-vnet/subnets/gamedevvms"
+  }
+  depends_on = [
+    azurerm_subnet.res-22,
+  ]
+}
+resource "azurerm_network_interface_security_group_association" "res-15" {
+  network_interface_id      = "/subscriptions/${var.spoke_subscription_id}/resourceGroups/rg-avd-gm/providers/Microsoft.Network/networkInterfaces/vm-gmdev-nic"
+  network_security_group_id = "/subscriptions/${var.spoke_subscription_id}/resourceGroups/rg-avd-gm/providers/Microsoft.Network/networkSecurityGroups/vm-gmdev-nsg"
+  depends_on = [
+    azurerm_network_interface.res-14,
+    azurerm_network_security_group.res-16,
+  ]
+}
+resource "azurerm_network_security_group" "res-16" {
+  location            = var.region
+  name                = "vm-gmdev-nsg"
+  resource_group_name = azurerm_resource_group.res-0.name
+  depends_on = [
+    azurerm_resource_group.res-0,
+  ]
+}
+resource "azurerm_network_security_rule" "res-17" {
+  access                      = "Allow"
+  destination_address_prefix  = "*"
+  destination_port_range      = "80"
+  direction                   = "Inbound"
+  name                        = "PixelStream"
+  network_security_group_name = "vm-gmdev-nsg"
+  priority                    = 1020
+  protocol                    = "*"
+  resource_group_name         = azurerm_resource_group.res-0.name
+  source_address_prefix       = "*"
+  source_port_range           = "*"
+  depends_on = [
+    azurerm_network_security_group.res-16,
+  ]
+}
+resource "azurerm_network_security_rule" "res-18" {
+  access                      = "Allow"
+  destination_address_prefix  = "*"
+  destination_port_range      = "3389"
+  direction                   = "Inbound"
+  name                        = "RDP"
+  network_security_group_name = "vm-gmdev-nsg"
+  priority                    = 1010
+  protocol                    = "*"
+  resource_group_name         = azurerm_resource_group.res-0.name
+  source_address_prefix       = "*"
+  source_port_range           = "*"
+  depends_on = [
+    azurerm_network_security_group.res-16,
+  ]
+}
+resource "azurerm_public_ip" "res-19" {
+  allocation_method   = "Static"
+  location            = var.region
+  name                = "vm-gmdev-vnet-ip"
+  resource_group_name = azurerm_resource_group.res-0.name
+  sku                 = "Standard"
+  depends_on = [
+    azurerm_resource_group.res-0,
+  ]
+}
+resource "azurerm_virtual_network" "res-20" {
+  address_space       = ["10.1.0.0/24"]
+  location            = var.region
+  name                = "vm-gmdev-vnet"
+  resource_group_name = azurerm_resource_group.res-0.name
+  depends_on = [
+    azurerm_resource_group.res-0,
+  ]
+}
+
+resource "azurerm_subnet" "res-22" {
+  address_prefixes     = ["10.1.0.0/26"]
+  name                 = "gamedevvms"
+  resource_group_name  = azurerm_resource_group.res-0.name
+  virtual_network_name = "vm-gmdev-vnet"
+  depends_on = [
+    azurerm_virtual_network.res-20,
+  ]
+}

workload/terraform/example/gamedevwm/provider.tf

@@ -0,0 +1,4 @@
+provider "azurerm" {
+  features {
+  }
+}

workload/terraform/example/gamedevwm/variables.tf

@@ -0,0 +1,10 @@
+
+variable "region" {
+  description = "Region location of the resource group."
+}
+
+
+variable "spoke_subscription_id" {
+  type        = string
+  description = "Spoke Subscription id"
+}

workload/terraform/greenfield/AADDSscenario/afstorage.tf

@@ -0,0 +1,93 @@
+resource "azurerm_user_assigned_identity" "mi" {
+  name                = "id-avd-fslogix-eus-${var.prefix}"
+  resource_group_name = azurerm_resource_group.rg_storage.name
+  location            = azurerm_resource_group.rg_storage.location
+}
+
+## Azure Storage Accounts requires a globally unique names
+## https://docs.microsoft.com/azure/storage/common/storage-account-overview
+## Create a File Storage Account 
+resource "azurerm_storage_account" "storage" {
+  name                      = local.storage_name
+  resource_group_name       = azurerm_resource_group.rg_storage.name
+  location                  = azurerm_resource_group.rg_storage.location
+  min_tls_version           = "TLS1_2"
+  account_tier              = "Premium"
+  account_replication_type  = "LRS"
+  account_kind              = "FileStorage"
+  enable_https_traffic_only = true
+  tags                      = local.tags
+  identity {
+    type = "SystemAssigned"
+  }
+}
+
+resource "azurerm_storage_share" "FSShare" {
+  name             = "fslogix"
+  quota            = "100"
+  enabled_protocol = "SMB"
+
+
+  storage_account_name = azurerm_storage_account.storage.name
+  depends_on           = [azurerm_storage_account.storage]
+}
+
+
+## Azure built-in roles
+## https://docs.microsoft.com/azure/role-based-access-control/built-in-roles
+data "azurerm_role_definition" "storage_role" {
+  name = "Storage File Data SMB Share Contributor"
+}
+
+resource "azurerm_role_assignment" "af_role" {
+  scope              = azurerm_storage_account.storage.id
+  role_definition_id = data.azurerm_role_definition.storage_role.id
+  principal_id       = data.azuread_group.adds_group.id
+}
+
+# Get Private DNS Zone for the Storage Private Endpoints
+data "azurerm_private_dns_zone" "pe-filedns-zone" {
+  name                = "privatelink.file.core.windows.net"
+  resource_group_name = var.hub_dns_zone_rg
+  provider            = azurerm.hub
+}
+
+resource "azurerm_private_endpoint" "afpe" {
+  name                = "pe-${local.storage_name}-file"
+  location            = azurerm_resource_group.rg_storage.location
+  resource_group_name = azurerm_resource_group.rg_storage.name
+  subnet_id           = data.azurerm_subnet.subnet.id
+  tags                = local.tags
+
+  private_service_connection {
+    name                           = "psc-file-${var.prefix}"
+    private_connection_resource_id = azurerm_storage_account.storage.id
+    is_manual_connection           = false
+    subresource_names              = ["file"]
+  }
+  private_dns_zone_group {
+    name                 = "dns-file-${var.prefix}"
+    private_dns_zone_ids = data.azurerm_private_dns_zone.pe-filedns-zone.*.id
+  }
+}
+
+# Deny Traffic from Public Networks with white list exceptions
+resource "azurerm_storage_account_network_rules" "stfw" {
+  storage_account_id = azurerm_storage_account.storage.id
+  default_action     = "Deny"
+  bypass             = ["AzureServices", "Metrics", "Logging"]
+  ip_rules           = local.allow_list_ip
+  depends_on = [azurerm_storage_share.FSShare,
+    azurerm_private_endpoint.afpe,
+  azurerm_role_assignment.af_role]
+}
+
+resource "azurerm_private_dns_zone_virtual_network_link" "filelink" {
+  name                  = "azfilelink-${var.prefix}"
+  resource_group_name   = var.hub_dns_zone_rg
+  private_dns_zone_name = data.azurerm_private_dns_zone.pe-filedns-zone.name
+  virtual_network_id    = data.azurerm_virtual_network.vnet.id
+
+  lifecycle { ignore_changes = [tags] }
+}
+

workload/terraform/greenfield/AADDSscenario/appsecgrp.tf

@@ -0,0 +1,9 @@
+data "azurerm_client_config" "cfg" {}
+
+resource "azurerm_application_security_group" "example" {
+  name                = "avdasg-${var.avdLocation}-${var.prefix}"
+  location            = azurerm_resource_group.shrg.location
+  resource_group_name = azurerm_resource_group.shrg.name
+
+  tags = local.tags
+}