From 6c172d2fb5e25b8766121191d0483b3ab17f7bbe Mon Sep 17 00:00:00 2001 From: abaumeister Date: Thu, 24 Sep 2020 12:19:59 +1000 Subject: [PATCH 1/5] Started on new non scaleset model --- docs/customization.md | 2 +- main.tf | 3 +- modules/vm/variables.tf | 4 + modules/vm/vmseries.tf | 245 ++++++------------ .../outputs.tf | 0 .../variables.tf | 0 .../vmseries.tf | 0 modules/{vm => vmss}/outputs.tf | 0 modules/vmss/variables.tf | 65 +++++ modules/vmss/vmseries.tf | 182 +++++++++++++ no-vmss/example.tfvars | 19 ++ no-vmss/main.tf | 108 ++++++++ no-vmss/variables.tf | 101 ++++++++ 13 files changed, 568 insertions(+), 161 deletions(-) rename modules/{vm-no-bootstrap => vmss-no-bootstrap}/outputs.tf (100%) rename modules/{vm-no-bootstrap => vmss-no-bootstrap}/variables.tf (100%) rename modules/{vm-no-bootstrap => vmss-no-bootstrap}/vmseries.tf (100%) rename modules/{vm => vmss}/outputs.tf (100%) create mode 100644 modules/vmss/variables.tf create mode 100644 modules/vmss/vmseries.tf create mode 100644 no-vmss/example.tfvars create mode 100644 no-vmss/main.tf create mode 100644 no-vmss/variables.tf diff --git a/docs/customization.md b/docs/customization.md index a8aa79a..c9ca579 100644 --- a/docs/customization.md +++ b/docs/customization.md @@ -35,7 +35,7 @@ to use *vm-no-bootstrap* in main.tf as below: ``` module "vm-series" { - source = "./modules/vm-no-bootstrap" + source = "./modules/vmss-no-bootstrap" location = var.location name_prefix = var.name_prefix diff --git a/main.tf b/main.tf index 373b73b..252daa4 100644 --- a/main.tf +++ b/main.tf @@ -58,9 +58,10 @@ module "outbound-lb" { backend-subnet = module.networks.subnet-private.id } + # Create the inbound and outbound VM Scale sets module "vm-series" { - source = "./modules/vm" + source = "modules/vmss" location = var.location name_prefix = var.name_prefix diff --git a/modules/vm/variables.tf b/modules/vm/variables.tf index fb7ea8b..21ec19a 100644 --- a/modules/vm/variables.tf +++ b/modules/vm/variables.tf 
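Review bot: The new line `source = "modules/vmss"` in the main.tf hunk drops the local-path prefix; Terraform only treats sources starting with `./` or `../` as local paths, so `terraform init` will try to resolve this as a module-registry address and fail. The removed line had the correct form, and the docs/customization.md hunk in the same commit uses `./modules/vmss-no-bootstrap`; this should read `source = "./modules/vmss"`. The module block continues outside the hunk.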
@@ -62,4 +62,8 @@ variable "public_backend_pool_id" {
 }
 variable "private_backend_pool_id" {
 description = "The LB pool to associate the private interface with."
+}
+
+variable "resource_group" {
+ description = "The resource group for VM series deployment"
 }
\ No newline at end of file
diff --git a/modules/vm/vmseries.tf b/modules/vm/vmseries.tf
index 560dc11..ae0c3ba 100644
--- a/modules/vm/vmseries.tf
+++ b/modules/vm/vmseries.tf
@@ -1,182 +1,109 @@ -## All the config required for a single VM series Firewall in Azure -# Base resource group -resource "azurerm_resource_group" "vmseries" { - location = var.location - name = "${var.name_prefix}-vmseries-rg" -} -# inbound -resource "azurerm_virtual_machine_scale_set" "inbound-scale-set" { - location = azurerm_resource_group.vmseries.location - name = "${var.name_prefix}-inbound-scaleset" - resource_group_name = azurerm_resource_group.vmseries.name - upgrade_policy_mode = "Manual" - network_profile { - name = "${var.name_prefix}-inbound-nic-fw-mgmt-profile" - primary = true - ip_configuration { - name = "${var.name_prefix}-inbound-nic-fw-mgmt" - primary = true - subnet_id = var.subnet-mgmt.id - public_ip_address_configuration { - idle_timeout = 4 - name = "${var.name_prefix}-inbound-fw-mgmt-pip" - domain_name_label = "${var.name_prefix}-inbound-vm-mgmt" - } - } - ip_forwarding = true +# Create a public IP for management +resource "azurerm_public_ip" "pip-fw-mgmt" { + allocation_method = "Static" + location = var.resource_group.location + name = "${var.name_prefix}-fw-pip" + sku = "standard" + resource_group_name = var.resource_group.name +} +# Create another PIP for the outside interface so we can talk outbound +resource "azurerm_public_ip" "pip-fw-public" { + allocation_method = "Static" + location = var.resource_group.location + name = "${var.name_prefix}-outside-fw-pip" + sku = "standard" + resource_group_name = var.resource_group.name +} +resource "azurerm_network_interface" "nic-fw-mgmt" { + location = var.resource_group.location + name = "${var.name_prefix}-nic-fw-mgmt" + resource_group_name = var.resource_group.name + ip_configuration { + subnet_id = var.subnet-mgmt.id + name = "${var.name_prefix}-fw-ip-mgmt" + private_ip_address_allocation = "dynamic" + public_ip_address_id = azurerm_public_ip.pip-fw-mgmt.id } - network_profile { - name = "${var.name_prefix}-inbound-nic-fw-public-profile" - primary = false - ip_configuration { - name = 
"${var.name_prefix}-inbound-nic-fw-public" - primary = false - subnet_id = var.subnet-public.id - load_balancer_backend_address_pool_ids = [ - var.public_backend_pool_id] - } - ip_forwarding = true +} - } +resource "azurerm_network_interface" "nic-fw-private" { + location = var.resource_group.location + name = "${var.name_prefix}-nic-fw-private" + resource_group_name = var.resource_group.name + ip_configuration { + subnet_id = var.subnet-private.id + name = "${var.name_prefix}-fw-ip-inside" + private_ip_address_allocation = "dynamic" + //private_ip_address = "172.16.1.10" + } + enable_ip_forwarding = true +} + +resource "azurerm_network_interface" "nic-fw-public" { + location = var.resource_group.location + name = "${var.name_prefix}-nic-fw-public" + resource_group_name = var.resource_group.name + ip_configuration { + subnet_id = var.subnet-public.id + name = "${var.name_prefix}-fw-ip-outside" + private_ip_address_allocation = "dynamic" + //private_ip_address = "172.16.2.10" + public_ip_address_id = azurerm_public_ip.pip-fw-public.id - network_profile { - name = "${var.name_prefix}-inbound-nic-fw-private-profile" - primary = false - ip_configuration { - name = "${var.name_prefix}-inbound-nic-fw-private" - primary = false - subnet_id = var.subnet-private.id - } - ip_forwarding = true } + enable_ip_forwarding = true - os_profile { - admin_username = var.username - computer_name_prefix = "${var.name_prefix}-inbound-fw" - admin_password = var.password +} - custom_data = join( - ",", - [ - "storage-account=${var.bootstrap-storage-account.name}", - "access-key=${var.bootstrap-storage-account.primary_access_key}", - "file-share=${var.inbound-bootstrap-share-name}", - "share-directory=None" - ] - ) - } - storage_profile_image_reference { + +resource "azurerm_virtual_machine" "inbound-fw" { + location = var.resource_group.location + name = "${var.name_prefix}-fw" + network_interface_ids = [ + azurerm_network_interface.nic-fw-mgmt.id, + 
azurerm_network_interface.nic-fw-public.id, + azurerm_network_interface.nic-fw-private.id + ] + resource_group_name = var.resource_group.name + vm_size = var.vmseries_size + storage_image_reference { publisher = "paloaltonetworks" offer = "vmseries1" sku = var.vm_series_sku version = var.vm_series_version } - sku { - capacity = 1 - name = var.vmseries_size - } - storage_profile_os_disk { - create_option = "FromImage" - name = "${var.name_prefix}-vhd-profile" - caching = "ReadWrite" - vhd_containers = ["${var.bootstrap-storage-account.primary_blob_endpoint}${var.vhd-container}"] - } - plan { - name = "bundle2" - publisher = "paloaltonetworks" - product = "vmseries1" - } -} - -# Outbound -resource "azurerm_virtual_machine_scale_set" "outbound-scale-set" { - location = azurerm_resource_group.vmseries.location - name = "${var.name_prefix}-outbound-scaleset" - resource_group_name = azurerm_resource_group.vmseries.name - upgrade_policy_mode = "Manual" - - network_profile { - name = "${var.name_prefix}-outbound-nic-fw-mgmt-profile" - primary = true - ip_configuration { - name = "${var.name_prefix}-outbound-nic-fw-mgmt" - primary = true - subnet_id = var.subnet-mgmt.id - public_ip_address_configuration { - idle_timeout = 4 - name = "${var.name_prefix}-outbound-fw-mgmt-pip" - domain_name_label = "${var.name_prefix}-outbound-vm-mgmt" - } - } - ip_forwarding = true - - } - network_profile { - name = "${var.name_prefix}-outbound-nic-fw-public-profile" - primary = false - ip_configuration { - name = "${var.name_prefix}-outbound-nic-fw-public" - primary = false - subnet_id = var.subnet-public.id - public_ip_address_configuration { - idle_timeout = 4 - name = "${var.name_prefix}-outbound-fw-public-pip" - domain_name_label = "${var.name_prefix}-outbound-vm-public" - } - } - ip_forwarding = true + storage_os_disk { + create_option = "FromImage" + name = "${var.name_prefix}-vhd-fw" + caching = "ReadWrite" + vhd_uri = 
"${var.bootstrap-storage-account.primary_blob_endpoint}vhds/${var.name_prefix}-fw.vhd" } - network_profile { - name = "${var.name_prefix}-outbound-nic-fw-private-profile" - primary = false - ip_configuration { - name = "${var.name_prefix}-outbound-nic-fw-private" - primary = false - subnet_id = var.subnet-private.id - load_balancer_backend_address_pool_ids = [var.private_backend_pool_id] - - } - ip_forwarding = true - } + primary_network_interface_id = azurerm_network_interface.nic-fw-mgmt.id os_profile { - admin_username = var.username - computer_name_prefix = "${var.name_prefix}-outbound-fw" - admin_password = var.password - + admin_username = var.username + computer_name = "${var.name_prefix}-fw" + admin_password = var.password custom_data = join( - ",", - [ - "storage-account=${var.bootstrap-storage-account.name}", - "access-key=${var.bootstrap-storage-account.primary_access_key}", - "file-share=${var.outbound-bootstrap-share-name}", - "share-directory=None" - ] - ) - } - storage_profile_image_reference { - publisher = "paloaltonetworks" - offer = "vmseries1" - sku = var.vm_series_sku - version = var.vm_series_version - } - sku { - capacity = 1 - name = var.vmseries_size + ",", + [ + "storage-account=${var.bootstrap-storage-account.name}", + "access-key=${var.bootstrap-storage-account.primary_access_key}", + "file-share=${var.inbound-bootstrap-share-name}", + "share-directory=None" + ] + ) + } + os_profile_linux_config { + disable_password_authentication = false } plan { - name = "bundle2" + name = var.vm_series_sku publisher = "paloaltonetworks" - product = "vmseries1" + product = "vmseries1" } - storage_profile_os_disk { - create_option = "FromImage" - name = "${var.name_prefix}-vhd-profile" - caching = "ReadWrite" - vhd_containers = ["${var.bootstrap-storage-account.primary_blob_endpoint}${var.vhd-container}"] - } -} \ No newline at end of file +} 
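Review bot: `os_profile_linux_config { disable_password_authentication = false }` is new in this hunk and, together with `admin_password = var.password` and the static public IP attached to `nic-fw-mgmt`, makes password login on the management interface reachable from the internet unless an NSG on `var.subnet-mgmt` (not visible here) restricts it; a comment stating that dependency would help, e.g. `# Password auth is needed for PAN-OS bootstrap; mgmt PIP exposure relies on the NSG applied to subnet-mgmt`. The `custom_data` join also carries `var.bootstrap-storage-account.primary_access_key` in plaintext, which is delivered to the VM and retained in Terraform state, so a reader should know it is a full storage-account credential rather than a scoped token; a short comment such as `# NOTE: primary_access_key grants full access to the bootstrap storage account and is persisted in state and custom_data` would make that visible. The same `custom_data` pattern appears in both scale sets of the modules/vmss/vmseries.tf hunk that follows.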
diff --git a/modules/vm-no-bootstrap/outputs.tf b/modules/vmss-no-bootstrap/outputs.tf similarity index 100% rename from modules/vm-no-bootstrap/outputs.tf rename to modules/vmss-no-bootstrap/outputs.tf diff --git a/modules/vm-no-bootstrap/variables.tf b/modules/vmss-no-bootstrap/variables.tf similarity index 100% rename from modules/vm-no-bootstrap/variables.tf rename to modules/vmss-no-bootstrap/variables.tf diff --git a/modules/vm-no-bootstrap/vmseries.tf b/modules/vmss-no-bootstrap/vmseries.tf similarity index 100% rename from modules/vm-no-bootstrap/vmseries.tf rename to modules/vmss-no-bootstrap/vmseries.tf diff --git a/modules/vm/outputs.tf b/modules/vmss/outputs.tf similarity index 100% rename from modules/vm/outputs.tf rename to modules/vmss/outputs.tf diff --git a/modules/vmss/variables.tf b/modules/vmss/variables.tf new file mode 100644 index 0000000..fb7ea8b --- /dev/null +++ b/modules/vmss/variables.tf 
@@ -0,0 +1,65 @@ +variable "location" { + description = "Region to install vm-series and dependencies." +} + +variable "name_prefix" { + description = "Prefix to add to all the object names here" +} + +variable "vmseries_size" { + description = "Default size for VM series" + default = "Standard_D5_v2" +} + +variable "subnet-mgmt" { + description = "Management subnet." +} + +variable "subnet-public" { + description = "External/public subnet" +} + +variable "subnet-private" { + description = "internal/private subnet" +} + +variable "bootstrap-storage-account" { + description = "Storage account setup for bootstrapping" +} + +variable "inbound-bootstrap-share-name" { + description = "File share for bootstrap config" +} + +variable "outbound-bootstrap-share-name" { + description = "File share for bootstrap config" +} + +variable "username" { + description = "Username" + default = "panadmin" +} + +variable "password" { + description = "Password for VM Series firewalls" +} +variable "vm_series_sku" { + default = "bundle2" +} +variable "vm_series_version" { + default = "9.0.4" +} + +variable "vm_series_count" { + default = 1 +} + +variable "vhd-container" { +} + +variable "public_backend_pool_id" { + description = "The LB pool to associate the public interface with." +} +variable "private_backend_pool_id" { + description = "The LB pool to associate the private interface with." +} \ No newline at end of file diff --git a/modules/vmss/vmseries.tf b/modules/vmss/vmseries.tf new file mode 100644 index 0000000..26d0ec0 --- /dev/null +++ b/modules/vmss/vmseries.tf 
@@ -0,0 +1,182 @@ +## All the config required for a single VM series Firewall in Azure +# Base resource group +resource "azurerm_resource_group" "vmseries" { + location = var.location + name = "${var.name_prefix}-vmseries-rg" +} + +# inbound +resource "azurerm_virtual_machine_scale_set" "inbound-scale-set" { + location = azurerm_resource_group.vmseries.location + name = "${var.name_prefix}-inbound-scaleset" + resource_group_name = azurerm_resource_group.vmseries.name + upgrade_policy_mode = "Manual" + network_profile { + name = "${var.name_prefix}-inbound-nic-fw-mgmt-profile" + primary = true + ip_configuration { + name = "${var.name_prefix}-inbound-nic-fw-mgmt" + primary = true + subnet_id = var.subnet-mgmt.id + public_ip_address_configuration { + idle_timeout = 4 + name = "${var.name_prefix}-inbound-fw-mgmt-pip" + domain_name_label = "${var.name_prefix}-inbound-vm-mgmt" + } + } + ip_forwarding = true + + } + network_profile { + name = "${var.name_prefix}-inbound-nic-fw-public-profile" + primary = false + ip_configuration { + name = "${var.name_prefix}-inbound-nic-fw-public" + primary = false + subnet_id = var.subnet-public.id + load_balancer_backend_address_pool_ids = [ + var.public_backend_pool_id] + } + ip_forwarding = true + + } + + network_profile { + name = "${var.name_prefix}-inbound-nic-fw-private-profile" + primary = false + ip_configuration { + name = "${var.name_prefix}-inbound-nic-fw-private" + primary = false + subnet_id = var.subnet-private.id + } + ip_forwarding = true + } + + os_profile { + admin_username = var.username + computer_name_prefix = "${var.name_prefix}-inbound-fw" + admin_password = var.password + + custom_data = join( + ",", + [ + "storage-account=${var.bootstrap-storage-account.name}", + "access-key=${var.bootstrap-storage-account.primary_access_key}", + "file-share=${var.inbound-bootstrap-share-name}", + "share-directory=None" + ] + ) + } + storage_profile_image_reference { + publisher = "paloaltonetworks" + offer = "vmseries1" + sku 
= var.vm_series_sku + version = var.vm_series_version + } + sku { + capacity = 1 + name = var.vmseries_size + } + storage_profile_os_disk { + create_option = "FromImage" + name = "${var.name_prefix}-vhd-profile" + caching = "ReadWrite" + vhd_containers = ["${var.bootstrap-storage-account.primary_blob_endpoint}${var.vhd-container}"] + } + plan { + name = var.vm_series_sku + publisher = "paloaltonetworks" + product = "vmseries1" + } +} + +# Outbound +resource "azurerm_virtual_machine_scale_set" "outbound-scale-set" { + location = azurerm_resource_group.vmseries.location + name = "${var.name_prefix}-outbound-scaleset" + resource_group_name = azurerm_resource_group.vmseries.name + upgrade_policy_mode = "Manual" + + network_profile { + name = "${var.name_prefix}-outbound-nic-fw-mgmt-profile" + primary = true + ip_configuration { + name = "${var.name_prefix}-outbound-nic-fw-mgmt" + primary = true + subnet_id = var.subnet-mgmt.id + public_ip_address_configuration { + idle_timeout = 4 + name = "${var.name_prefix}-outbound-fw-mgmt-pip" + domain_name_label = "${var.name_prefix}-outbound-vm-mgmt" + } + } + ip_forwarding = true + + } + network_profile { + name = "${var.name_prefix}-outbound-nic-fw-public-profile" + primary = false + ip_configuration { + name = "${var.name_prefix}-outbound-nic-fw-public" + primary = false + subnet_id = var.subnet-public.id + public_ip_address_configuration { + idle_timeout = 4 + name = "${var.name_prefix}-outbound-fw-public-pip" + domain_name_label = "${var.name_prefix}-outbound-vm-public" + } + } + ip_forwarding = true + + } + + network_profile { + name = "${var.name_prefix}-outbound-nic-fw-private-profile" + primary = false + ip_configuration { + name = "${var.name_prefix}-outbound-nic-fw-private" + primary = false + subnet_id = var.subnet-private.id + load_balancer_backend_address_pool_ids = [var.private_backend_pool_id] + + } + ip_forwarding = true + } + + os_profile { + admin_username = var.username + computer_name_prefix = 
"${var.name_prefix}-outbound-fw" + admin_password = var.password + + custom_data = join( + ",", + [ + "storage-account=${var.bootstrap-storage-account.name}", + "access-key=${var.bootstrap-storage-account.primary_access_key}", + "file-share=${var.outbound-bootstrap-share-name}", + "share-directory=None" + ] + ) + } + storage_profile_image_reference { + publisher = "paloaltonetworks" + offer = "vmseries1" + sku = var.vm_series_sku + version = var.vm_series_version + } + sku { + capacity = 1 + name = var.vmseries_size + } + plan { + name = var.vm_series_sku + publisher = "paloaltonetworks" + product = "vmseries1" + } + storage_profile_os_disk { + create_option = "FromImage" + name = "${var.name_prefix}-vhd-profile" + caching = "ReadWrite" + vhd_containers = ["${var.bootstrap-storage-account.primary_blob_endpoint}${var.vhd-container}"] + } +} \ No newline at end of file diff --git a/no-vmss/example.tfvars b/no-vmss/example.tfvars new file mode 100644 index 0000000..20d85b2 --- /dev/null +++ b/no-vmss/example.tfvars @@ -0,0 +1,19 @@ +# Priority map of security rules for your management IP addresses. +# Each key is the public IP, and the number is the priority it gets in the relevant network security groups (NSGs). +management_ips = { + "199.199.199.199" : 100, +} + +# Optional Load Balancer (LB) rules +# These will automatically create a public Azure IP and associate to LB configuration. +rules = [ + { + port = 22 + name = "testssh" + } +] + +# Admin password, used to login to the firewalls. +## !!IMPORTANT!! CHANGE ME! +# You can also pass this on the command line or via stdin to avoid putting it in a file. +password = "Don'tUseThisPassword,it'sForDemoPurposesOnly" \ No newline at end of file diff --git a/no-vmss/main.tf b/no-vmss/main.tf new file mode 100644 index 0000000..2474483 --- /dev/null +++ b/no-vmss/main.tf 
@@ -0,0 +1,108 @@ +# Configure the Azure provider +provider "azurerm" { + # whilst the `version` attribute is optional, we recommend pinning to a given version of the Provider + version = "=2.20.0" + features {} +} + + +# Setup all the networks required for the topology +module "networks" { + source = "../modules/networks" + location = var.location + management_ips = var.management_ips + name_prefix = var.name_prefix + + management_vnet_prefix = var.management_vnet_prefix + management_subnet = var.management_subnet + + olb_private_ip = var.olb_private_ip + + firewall_vnet_prefix = var.firewall_vnet_prefix + private_subnet = var.private_subnet + public_subnet = var.public_subnet + vm_management_subnet = var.vm_management_subnet +} + +# Create a panorama instance +module "panorama" { + source = "../modules/panorama" + + location = var.location + name_prefix = var.name_prefix + subnet_mgmt = module.networks.panorama-mgmt-subnet + + username = var.username + password = var.password + + panorama_sku = var.panorama_sku + panorama_version = var.panorama_version +} + +# Deploy the inbound load balancer for traffic into the azure environment +module "inbound-lb" { + source = "../modules/lbs" + + location = var.location + name_prefix = var.name_prefix + rules = var.rules + +} + +# Deploy the outbound load balancer for traffic out of the azure environment +module "outbound-lb" { + source = "../modules/olb" + location = var.location + name_prefix = var.name_prefix + private-ip = var.olb_private_ip + backend-subnet = module.networks.subnet-private.id +} + +# Create the vm-series RG outside of the module and pass it in. 
+## All the config required for a single VM series Firewall in Azure +# Base resource group +resource "azurerm_resource_group" "vmseries" { + location = var.location + name = "${var.name_prefix}-vmseries-rg" +} + +# Create the inbound and outbound VM Scale sets +module "vm-series" { + source = "../modules/vm" + + resource_group = azurerm_resource_group.vmseries + + location = var.location + name_prefix = var.name_prefix + username = var.username + password = var.password + + subnet-mgmt = module.networks.subnet-mgmt + subnet-private = module.networks.subnet-private + subnet-public = module.networks.subnet-public + + bootstrap-storage-account = module.panorama.bootstrap-storage-account + inbound-bootstrap-share-name = module.panorama.inbound-bootstrap-share-name + outbound-bootstrap-share-name = module.panorama.outbound-bootstrap-share-name + + depends_on = [module.panorama] + + vhd-container = module.panorama.storage-container-name + private_backend_pool_id = module.outbound-lb.backend-pool-id + public_backend_pool_id = module.inbound-lb.backend-pool-id +} + +# Create a test VNET +module "test-host" { + source = "../modules/test-vnet" + admin-password = var.password + location = var.location + name_prefix = var.name_prefix + peer-vnet = module.networks.transit-vnet + route-table-id = module.networks.outbound-route-table +} + + +output "PANORAMA-IP" { + value = module.panorama.panorama-publicip +} diff --git a/no-vmss/variables.tf b/no-vmss/variables.tf new file mode 100644 index 0000000..083342b --- /dev/null +++ b/no-vmss/variables.tf 
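Review bot: `module "vm-series"` passes `private_backend_pool_id` and `public_backend_pool_id`, but the rewritten modules/vm/vmseries.tf earlier in this patch no longer references either variable — none of its three `azurerm_network_interface` resources carries a backend-pool association — so the VM is not placed behind the inbound or outbound load balancer even though the inputs are accepted without error. If this commit is meant to be deployable, the module needs an `azurerm_network_interface_backend_address_pool_association` per NIC; otherwise a `# TODO: LB backend pool association not yet wired in modules/vm` comment at this call site would flag the gap. The same `var.password` is also handed to `panorama`, `vm-series` and `test-host`, which is worth a one-line comment so operators know one credential spans all three.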
@@ -0,0 +1,101 @@ +#----------------------# +# Global Variables # +#----------------------# +variable "location" { + type = string + description = "The Azure region to use." + default = "Australia Central" +} +variable "name_prefix" { + type = string + description = "A prefix for all naming conventions - used globally" + default = "pantf" +} + +variable "username" { + default = "panadmin" + description = "Username to use for all systems" +} + +variable "password" { + description = "Admin password to use for all systems" +} + +#----------------------# +# Networking # +#----------------------# +variable "management_ips" { + type = map(any) + description = "A list of IP addresses and/or subnets that are permitted to access the out of band Management network." +} + +# Subnet definitions +# All subnet defs are joined with their vnet prefix to form a full CIDR prefix +# ex. for management, ${management_vnet_prefix}${management_subnet} +# Thus to change the VNET addressing you only need to update the relevent _vnet_prefix variable. + +variable "management_vnet_prefix" { + default = "10.255." + description = "The private prefix used for the management virtual network" +} + +variable "management_subnet" { + default = "0.0/24" + description = "The private network that terminates all FW and Panorama IP addresses." +} + +variable "firewall_vnet_prefix" { + default = "10.110." + description = "The private prefix used for all firewall networks" +} + +variable "vm_management_subnet" { + default = "255.0/24" + description = "The subnet used for the management NICs on the vm-series" +} + +variable "public_subnet" { + default = "129.0/24" + description = "The private network that is the external or public side of the VM series firewalls (eth1/1)" +} + +variable "private_subnet" { + default = "0.0/24" + description = "The private network behind or on the internal side of the VM series firewalls (eth1/2)" +} + +variable "olb_private_ip" { + # !! 
This IP MUST fall in the private-subnet network. !! + description = "The private IP address to assign to the Outgoing Load balancer frontend" + default = "10.110.0.21" +} +variable "rules" { + description = "Inbound Load balancer rules. Largely used for testing the environment, these are mapped to PIPs and then the inbound LB." + type = list(object({ + port = number + name = string + })) + default = [] +} + +#----------------------# +# VM Options # +#----------------------# +# Total number of VM series per direction (inbound/outbound) to deploy +variable "vm_series_count" { + default = 1 +} + +variable "panorama_sku" { + default = "byol" +} +variable "panorama_version" { + default = "9.0.5" +} + +variable "vm_series_sku" { + default = "bundle2" +} +variable "vm_series_version" { + default = "9.0.4" +} From 1684887be252113a76485ff03475408108a0ca69 Mon Sep 17 00:00:00 2001 From: abaumeister Date: Thu, 24 Sep 2020 16:59:07 +1000 Subject: [PATCH 2/5] Create vm module and update LB configs to match --- modules/lbs/lb.tf | 12 -------- modules/lbs/outputs.tf | 3 ++ modules/olb/outputs.tf | 4 +++ modules/vm/outputs.tf | 7 +++++ modules/vm/variables.tf | 15 ++++----- modules/vm/vmseries.tf | 13 ++++++++ no-vmss/main.tf | 67 +++++++++++++++++++++++++---------------- 7 files changed, 76 insertions(+), 45 deletions(-) create mode 100644 modules/vm/outputs.tf diff --git a/modules/lbs/lb.tf b/modules/lbs/lb.tf index 51f46ab..d31d4c9 100644 --- a/modules/lbs/lb.tf +++ b/modules/lbs/lb.tf @@ -15,14 +15,6 @@ resource "azurerm_public_ip" "lb-fip-pip" { resource_group_name = azurerm_resource_group.rg-lb.name } -resource "azurerm_public_ip" "lb-inbound-fip-pip" { - allocation_method = "Static" - sku = "standard" - location = azurerm_resource_group.rg-lb.location - name = "${var.name_prefix}-inbound-fip-pip" - resource_group_name = azurerm_resource_group.rg-lb.name -} - resource "azurerm_lb" "lb" { location = var.location name = "${var.name_prefix}-lb" 
@@ -35,10 +27,6 @@ resource "azurerm_lb" "lb" { public_ip_address_id = frontend_ip_configuration.value.id } } - frontend_ip_configuration { - name = "${var.name_prefix}-outbound-fip" - public_ip_address_id = azurerm_public_ip.lb-inbound-fip-pip.id - } } resource "azurerm_lb_backend_address_pool" "lb-backend" { diff --git a/modules/lbs/outputs.tf b/modules/lbs/outputs.tf index b800dde..16fe267 100644 --- a/modules/lbs/outputs.tf +++ b/modules/lbs/outputs.tf @@ -11,4 +11,7 @@ output "pip" { output "backend-pool-id" { value = azurerm_lb_backend_address_pool.lb-backend.id +} +output "frontend-ip-configs" { + value = toset([for c in azurerm_lb.lb.frontend_ip_configuration : c.name]) } \ No newline at end of file diff --git a/modules/olb/outputs.tf b/modules/olb/outputs.tf index 70f0ea1..90bc3bb 100644 --- a/modules/olb/outputs.tf +++ b/modules/olb/outputs.tf @@ -1,3 +1,7 @@ output "backend-pool-id" { value = azurerm_lb_backend_address_pool.lb-backend.id +} + +output "frontend-ip-configs" { + value = toset([for c in azurerm_lb.lb.frontend_ip_configuration : c.name]) } \ No newline at end of file diff --git a/modules/vm/outputs.tf b/modules/vm/outputs.tf new file mode 100644 index 0000000..be01dce --- /dev/null +++ b/modules/vm/outputs.tf @@ -0,0 +1,7 @@ +output "vm-public-nic" { + value = azurerm_network_interface.nic-fw-public.id +} + +output "vm-private-nic" { + value = azurerm_network_interface.nic-fw-private.id +} \ No newline at end of file diff --git a/modules/vm/variables.tf b/modules/vm/variables.tf index 21ec19a..fed13e0 100644 --- a/modules/vm/variables.tf +++ b/modules/vm/variables.tf 
@@ -57,13 +57,14 @@ variable "vm_series_count" { variable "vhd-container" { } -variable "public_backend_pool_id" { - description = "The LB pool to associate the public interface with." +variable "resource_group" { + description = "The resource group for VM series deployment" } -variable "private_backend_pool_id" { - description = "The LB pool to associate the private interface with." + +variable "inbound_lb_backend_pool_ids" { + default = {} } -variable "resource_group" { - description = "The resource group for VM series deployment" -} \ No newline at end of file +variable "outbound_lb_backend_pool_ids" { + default = {} +} diff --git a/modules/vm/vmseries.tf b/modules/vm/vmseries.tf index ae0c3ba..8be0b8e 100644 --- a/modules/vm/vmseries.tf +++ b/modules/vm/vmseries.tf @@ -57,6 +57,19 @@ resource "azurerm_network_interface" "nic-fw-public" { } +resource "azurerm_network_interface_backend_address_pool_association" "inbound-pool-assoc" { + for_each = var.inbound_lb_backend_pool_ids + backend_address_pool_id = each.value + ip_configuration_name = azurerm_network_interface.nic-fw-public.ip_configuration[0].name + network_interface_id = azurerm_network_interface.nic-fw-public.id +} + +resource "azurerm_network_interface_backend_address_pool_association" "outbound-pool-assoc" { + for_each = var.outbound_lb_backend_pool_ids + backend_address_pool_id = each.value + ip_configuration_name = azurerm_network_interface.nic-fw-private.ip_configuration[0].name + network_interface_id = azurerm_network_interface.nic-fw-private.id +} resource "azurerm_virtual_machine" "inbound-fw" { location = var.resource_group.location diff --git a/no-vmss/main.tf b/no-vmss/main.tf index 2474483..eb071bd 100644 --- a/no-vmss/main.tf +++ b/no-vmss/main.tf 
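Review bot: `inbound_lb_backend_pool_ids` and `outbound_lb_backend_pool_ids` are declared without a `type` and with `default = {}`, while the caller in no-vmss/main.tf passes `toset([...])` and the new `for_each` resources in the vmseries.tf hunk use `each.value` as the pool id; an explicit constraint documents the expected shape and rejects a wrong input at plan time instead of at apply. Suggested for both: `type    = set(string)` and `default = []` (an empty set rather than an empty object). The `resource "azurerm_virtual_machine" "inbound-fw"` block at the end of the vmseries.tf hunk continues outside it.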
@@ -39,14 +39,21 @@ module "panorama" { panorama_version = var.panorama_version } +# Create the vm-series RG outside of the module and pass it in. +## All the config required for a single VM series Firewall in Azure +# Base resource group +resource "azurerm_resource_group" "vmseries" { + location = var.location + name = "${var.name_prefix}-vmseries-rg" +} + # Deploy the inbound load balancer for traffic into the azure environment module "inbound-lb" { source = "../modules/lbs" - location = var.location - name_prefix = var.name_prefix - rules = var.rules - + location = var.location + name_prefix = var.name_prefix + rules = var.rules } # Deploy the outbound load balancer for traffic out of the azure environment 
@@ -58,22 +65,41 @@ module "outbound-lb" { backend-subnet = module.networks.subnet-private.id } -# Create the vm-series RG outside of the module and pass it in. -## All the config required for a single VM series Firewall in Azure -# Base resource group -resource "azurerm_resource_group" "vmseries" { - location = var.location - name = "${var.name_prefix}-vmseries-rg" +# Create the inbound VM Series Firewalls +module "inbound-vm-series" { + source = "../modules/vm" + count = 2 + + resource_group = azurerm_resource_group.vmseries + + location = var.location + name_prefix = "${var.name_prefix}-ib-${count.index}" + username = var.username + password = var.password + + subnet-mgmt = module.networks.subnet-mgmt + subnet-private = module.networks.subnet-private + subnet-public = module.networks.subnet-public + + bootstrap-storage-account = module.panorama.bootstrap-storage-account + inbound-bootstrap-share-name = module.panorama.inbound-bootstrap-share-name + outbound-bootstrap-share-name = module.panorama.outbound-bootstrap-share-name + + depends_on = [module.panorama] + + vhd-container = module.panorama.storage-container-name + inbound_lb_backend_pool_ids = toset([module.inbound-lb.backend-pool-id]) } -# Create the inbound and outbound VM Scale sets -module "vm-series" { +# Create the outbound VM Series Firewalls +module "outbound-vm-series" { source = "../modules/vm" + count = 2 resource_group = azurerm_resource_group.vmseries location = var.location - name_prefix = var.name_prefix + name_prefix = "${var.name_prefix}-ob-${count.index}" username = var.username password = var.password 
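Review bot: `count = 2` is hard-coded on both the `inbound-vm-series` and `outbound-vm-series` module blocks, while no-vmss/variables.tf (patch 1) declares `vm_series_count` as the number per direction with a default of 1, and nothing consumes that variable. Use `count = var.vm_series_count` in both blocks so the documented knob takes effect. The `outbound-vm-series` block continues into the next hunk.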
@@ -87,22 +113,11 @@ module "vm-series" { depends_on = [module.panorama] - vhd-container = module.panorama.storage-container-name - private_backend_pool_id = module.outbound-lb.backend-pool-id - public_backend_pool_id = module.inbound-lb.backend-pool-id -} + vhd-container = module.panorama.storage-container-name + outbound_lb_backend_pool_ids = toset([module.outbound-lb.backend-pool-id]) -# Create a test VNET -module "test-host" { - source = "../modules/test-vnet" - admin-password = var.password - location = var.location - name_prefix = var.name_prefix - peer-vnet = module.networks.transit-vnet - route-table-id = module.networks.outbound-route-table } - output "PANORAMA-IP" { value = module.panorama.panorama-publicip } From 1097ea414c552e815da9bb442fb11fc922aaff69 Mon Sep 17 00:00:00 2001 From: Adam Baumeister Date: Fri, 25 Sep 2020 12:02:55 +1000 Subject: [PATCH 3/5] Fixed several aspecs of the non-vmss build --- docs/customization.md | 15 ++++- modules/vm/ob-vmseries.tf | 128 ++++++++++++++++++++++++++++++++++++++ modules/vm/outputs.tf | 6 -- modules/vm/variables.tf | 12 ++-- modules/vm/vmseries.tf | 122 +++++++++++++++++++----------------- no-vmss/example.tfvars | 5 +- no-vmss/main.tf | 42 +++---------- 7 files changed, 227 insertions(+), 103 deletions(-) create mode 100644 modules/vm/ob-vmseries.tf diff --git a/docs/customization.md b/docs/customization.md index c9ca579..96f1ea4 100644 --- a/docs/customization.md +++ b/docs/customization.md 
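Review bot: The `outbound-vm-series` block whose tail is in this hunk uses `../modules/vm`, and that module's `custom_data` (modules/vm/vmseries.tf, patch 1) is built from `var.inbound-bootstrap-share-name`, so the outbound firewalls bootstrap from the inbound share and the `outbound-bootstrap-share-name` value passed to them is unused; only the LB pool differs between the two instances. Unless a later change supplies an outbound variant of the module, it needs a way to select the share, e.g. a single `bootstrap-share-name` input consumed in `custom_data`. The module block starts in the previous hunk.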
@@ -64,4 +64,17 @@ data "external" "panorama_bootstrap" {
 ...
 }
 ```
-This will still deploy the bootstrap and VHD storage requirements, but it won't add any of the bootstrap files.
\ No newline at end of file
+This will still deploy the bootstrap and VHD storage requirements, but it won't add any of the bootstrap files.
+
+# Deploying Without ScaleSets
+In some cases you may want to deploy an environment that uses dedicated virtual machines and not VMSS.
+
+A second terraform deployment is provided under the *no-vmss* directory. This deployment is otherwise identical to the
+normal deployment model using VMSS.
+
+To use it, simply change directory to *no-vmss* before running terraform as normal.
+```bash
+terraform init
+terraform apply --var-file=example.tfvars
+```
+
diff --git a/modules/vm/ob-vmseries.tf b/modules/vm/ob-vmseries.tf
new file mode 100644
index 0000000..af6f44f
--- /dev/null
+++ b/modules/vm/ob-vmseries.tf
@@ -0,0 +1,128 @@
+
+resource "azurerm_availability_set" "ob-az" {
+ location = var.location
+ name = "${var.name_prefix}-ob-vm-az"
+ resource_group_name = var.resource_group.name
+}
+
+# Create a public IP for management
+resource "azurerm_public_ip" "ob-pip-fw-mgmt" {
+ count = var.vm_count
+ allocation_method = "Static"
+ location = var.resource_group.location
+ name = "${var.name_prefix}--ob-fw-pip-${count.index}"
+ sku = "standard"
+ resource_group_name = var.resource_group.name
+}
+# Create another PIP for the outside interface so we can talk outbound
+resource "azurerm_public_ip" "ob-pip-fw-public" {
+ count = var.vm_count
+ allocation_method = "Static"
+ location = var.resource_group.location
+ name = "${var.name_prefix}-ob-outside-fw-pip-${count.index}"
+ sku = "standard"
+ resource_group_name = var.resource_group.name
+}
+
+resource "azurerm_network_interface" "ob-nic-fw-mgmt" {
+ count = var.vm_count
+ location = var.resource_group.location
+ name = "${var.name_prefix}-ob-nic-fw-mgmt-${count.index}"
+ resource_group_name = var.resource_group.name
+ ip_configuration {
+ subnet_id = var.subnet-mgmt.id
+ name = "${var.name_prefix}-ob-fw-ip-mgmt"
+ private_ip_address_allocation = "dynamic"
+ public_ip_address_id = azurerm_public_ip.ob-pip-fw-mgmt[count.index].id
+ }
+}
+
+resource "azurerm_network_interface" "ob-nic-fw-private" {
+ count = var.vm_count
+ location = var.resource_group.location
+ name = "${var.name_prefix}-ob-nic-fw-private-${count.index}"
+ resource_group_name = var.resource_group.name
+ ip_configuration {
+ subnet_id = var.subnet-private.id
+ name = "${var.name_prefix}-ob-fw-ip-inside-${count.index}"
+ private_ip_address_allocation = "dynamic"
+ //private_ip_address = "172.16.1.10"
+ }
+ enable_ip_forwarding = true
+}
+
+resource "azurerm_network_interface" "ob-nic-fw-public" {
+ count = var.vm_count
+ location = var.resource_group.location
+ name = "${var.name_prefix}-ob-nic-fw-public-${count.index}"
+ resource_group_name = var.resource_group.name
+ ip_configuration {
+ subnet_id = var.subnet-public.id
+ name = "${var.name_prefix}-ob-fw-ip-outside-${count.index}"
+ private_ip_address_allocation = "dynamic"
+ //private_ip_address = "172.16.2.10"
+ public_ip_address_id = azurerm_public_ip.ob-pip-fw-public[count.index].id
+
+ }
+ enable_ip_forwarding = true
+
+}
+
+resource "azurerm_network_interface_backend_address_pool_association" "outbound-pool-assoc" {
+ count = var.vm_count
+ backend_address_pool_id = var.outbound_lb_backend_pool_id
+ ip_configuration_name = azurerm_network_interface.ob-nic-fw-private[count.index].ip_configuration[0].name
+ network_interface_id = azurerm_network_interface.ob-nic-fw-private[count.index].id
+}
+
+resource "azurerm_virtual_machine" "outbound-fw" {
+ count = var.vm_count
+ location = var.resource_group.location
+ name = "${var.name_prefix}-ob-fw-${count.index}"
+ network_interface_ids = [
+ azurerm_network_interface.ob-nic-fw-mgmt[count.index].id,
+ azurerm_network_interface.ob-nic-fw-public[count.index].id,
+ azurerm_network_interface.ob-nic-fw-private[count.index].id
+ ]
+ resource_group_name = var.resource_group.name
+ vm_size = var.vmseries_size
+ storage_image_reference {
+ publisher = "paloaltonetworks"
+ offer = "vmseries1"
+ sku = var.vm_series_sku
+ version = var.vm_series_version
+ }
+
+ storage_os_disk {
+ create_option = "FromImage"
+ name = "${var.name_prefix}-vhd-ob-fw-${count.index}"
+ caching = "ReadWrite"
+ vhd_uri = "${var.bootstrap-storage-account.primary_blob_endpoint}vhds/${var.name_prefix}-ob-fw-${count.index}.vhd"
+ }
+
+
+ primary_network_interface_id = azurerm_network_interface.ob-nic-fw-mgmt[count.index].id
+ os_profile {
+ admin_username = var.username
+ computer_name = "${var.name_prefix}-ob-fw-${count.index}"
+ admin_password = var.password
+ custom_data = join(
+ ",",
+ [
+ "storage-account=${var.bootstrap-storage-account.name}",
+ "access-key=${var.bootstrap-storage-account.primary_access_key}",
+ "file-share=${var.outbound-bootstrap-share-name}",
+ "share-directory=None"
+ ]
+ )
+ }
+ os_profile_linux_config {
+ disable_password_authentication = false
+ }
+ plan {
+ name = var.vm_series_sku
+ publisher = "paloaltonetworks"
+ product = "vmseries1"
+ }
+ availability_set_id = azurerm_availability_set.ob-az.id
+}
\ No newline at end of file
diff --git a/modules/vm/outputs.tf b/modules/vm/outputs.tf
index be01dce..8b13789 100644
--- a/modules/vm/outputs.tf
+++ b/modules/vm/outputs.tf
@@ -1,7 +1 @@
-output "vm-public-nic" {
- value = azurerm_network_interface.nic-fw-public.id
-}
-output "vm-private-nic" {
- value = azurerm_network_interface.nic-fw-private.id
-}
\ No newline at end of file
diff --git a/modules/vm/variables.tf b/modules/vm/variables.tf
index fed13e0..93b1bad 100644
--- a/modules/vm/variables.tf
+++ b/modules/vm/variables.tf
@@ -61,10 +61,14 @@ variable "resource_group" {
 description = "The resource group for VM series deployment"
 }
-variable "inbound_lb_backend_pool_ids" {
- default = {}
+variable "inbound_lb_backend_pool_id" {
+ default = ""
 }
-variable "outbound_lb_backend_pool_ids" {
- default = {}
+variable "outbound_lb_backend_pool_id" {
+ default = ""
 }
+
+variable "vm_count" {
+ default = 2
+}
\ No newline at end of file
diff --git a/modules/vm/vmseries.tf b/modules/vm/vmseries.tf
index 8be0b8e..1b99c14 100644
--- a/modules/vm/vmseries.tf
+++ b/modules/vm/vmseries.tf
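Review bot: `custom_data` in `azurerm_virtual_machine.outbound-fw` embeds `var.bootstrap-storage-account.primary_access_key`, so the storage account key is copied into every firewall's custom data, is persisted in Terraform state and plan output, and is readable from inside the guest; the inbound VM in vmseries.tf (the `@@ -90,33 +95,34 @@` hunk) carries the same construct. If the bootstrap flow cannot move to a SAS token or identity-based access, the exposure should at least be recorded at the block, e.g. `# NOTE: custom_data carries the bootstrap storage account key; treat state and plan output as secret and keep this account limited to bootstrap data`. Separately, `azurerm_availability_set.ob-az` uses `var.location` while every other resource in this file uses `var.resource_group.location`; if the two ever differ the VMs cannot join the set, so `location = var.resource_group.location` keeps them consistent (same for `ib-az` in vmseries.tf). The public IP name `"${var.name_prefix}--ob-fw-pip-${count.index}"` has a doubled hyphen unlike every other name here, and `ib-pip-fw-mgmt` in vmseries.tf repeats it. The management NIC also receives a static public IP together with `disable_password_authentication = false`, and no NSG is visible in this module, so a comment at `ob-pip-fw-mgmt` stating where management reachability is restricted would help reviewers.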
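Review bot: `inbound_lb_backend_pool_id` and `outbound_lb_backend_pool_id` default to `""`, which reads as optional, but `inbound-pool-assoc` in vmseries.tf and `outbound-pool-assoc` in ob-vmseries.tf create `vm_count` associations unconditionally, so omitting either input yields an association with an empty pool id instead of being skipped. Either drop the defaults so the module refuses to plan without them, or gate the associations, e.g. `count = var.inbound_lb_backend_pool_id == "" ? 0 : var.vm_count`. The new variables also lack `description` and `type`; `type = string` here and `type = number` on `vm_count` would reject the map values the replaced `_ids` variables used to accept.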
@@ -1,56 +1,67 @@
+resource "azurerm_availability_set" "ib-az" {
+ location = var.location
+ name = "${var.name_prefix}-ib-vm-az"
+ resource_group_name = var.resource_group.name
+}
+
 # Create a public IP for management
-resource "azurerm_public_ip" "pip-fw-mgmt" {
- allocation_method = "Static"
- location = var.resource_group.location
- name = "${var.name_prefix}-fw-pip"
- sku = "standard"
+resource "azurerm_public_ip" "ib-pip-fw-mgmt" {
+ count = var.vm_count
+ allocation_method = "Static"
+ location = var.resource_group.location
+ name = "${var.name_prefix}--ib-fw-pip-${count.index}"
+ sku = "standard"
 resource_group_name = var.resource_group.name
 }
 # Create another PIP for the outside interface so we can talk outbound
-resource "azurerm_public_ip" "pip-fw-public" {
- allocation_method = "Static"
- location = var.resource_group.location
- name = "${var.name_prefix}-outside-fw-pip"
- sku = "standard"
+resource "azurerm_public_ip" "ib-pip-fw-public" {
+ count = var.vm_count
+ allocation_method = "Static"
+ location = var.resource_group.location
+ name = "${var.name_prefix}-ib-outside-fw-pip-${count.index}"
+ sku = "standard"
 resource_group_name = var.resource_group.name
 }
-resource "azurerm_network_interface" "nic-fw-mgmt" {
- location = var.resource_group.location
- name = "${var.name_prefix}-nic-fw-mgmt"
+resource "azurerm_network_interface" "ib-nic-fw-mgmt" {
+ count = var.vm_count
+ location = var.resource_group.location
+ name = "${var.name_prefix}-ib-nic-fw-mgmt-${count.index}"
 resource_group_name = var.resource_group.name
 ip_configuration {
- subnet_id = var.subnet-mgmt.id
- name = "${var.name_prefix}-fw-ip-mgmt"
+ subnet_id = var.subnet-mgmt.id
+ name = "${var.name_prefix}-ib-fw-ip-mgmt"
 private_ip_address_allocation = "dynamic"
- public_ip_address_id = azurerm_public_ip.pip-fw-mgmt.id
+ public_ip_address_id = azurerm_public_ip.ib-pip-fw-mgmt[count.index].id
 }
 }
-resource "azurerm_network_interface" "nic-fw-private" {
- location = var.resource_group.location
- name = "${var.name_prefix}-nic-fw-private"
+resource "azurerm_network_interface" "ib-nic-fw-private" {
+ count = var.vm_count
+ location = var.resource_group.location
+ name = "${var.name_prefix}-ib-nic-fw-private-${count.index}"
 resource_group_name = var.resource_group.name
 ip_configuration {
- subnet_id = var.subnet-private.id
- name = "${var.name_prefix}-fw-ip-inside"
+ subnet_id = var.subnet-private.id
+ name = "${var.name_prefix}-ib-fw-ip-inside-${count.index}"
 private_ip_address_allocation = "dynamic"
 //private_ip_address = "172.16.1.10"
 }
 enable_ip_forwarding = true
 }
-resource "azurerm_network_interface" "nic-fw-public" {
- location = var.resource_group.location
- name = "${var.name_prefix}-nic-fw-public"
+resource "azurerm_network_interface" "ib-nic-fw-public" {
+ count = var.vm_count
+ location = var.resource_group.location
+ name = "${var.name_prefix}-ib-nic-fw-public-${count.index}"
 resource_group_name = var.resource_group.name
 ip_configuration {
- subnet_id = var.subnet-public.id
- name = "${var.name_prefix}-fw-ip-outside"
+ subnet_id = var.subnet-public.id
+ name = "${var.name_prefix}-ib-fw-ip-outside-${count.index}"
 private_ip_address_allocation = "dynamic"
 //private_ip_address = "172.16.2.10"
- public_ip_address_id = azurerm_public_ip.pip-fw-public.id
+ public_ip_address_id = azurerm_public_ip.ib-pip-fw-public[count.index].id
 }
 enable_ip_forwarding = true
@@ -58,29 +69,23 @@ resource "azurerm_network_interface" "nic-fw-public" {
 }
 resource "azurerm_network_interface_backend_address_pool_association" "inbound-pool-assoc" {
- for_each = var.inbound_lb_backend_pool_ids
- backend_address_pool_id = each.value
- ip_configuration_name = azurerm_network_interface.nic-fw-public.ip_configuration[0].name
- network_interface_id = azurerm_network_interface.nic-fw-public.id
-}
-
-resource "azurerm_network_interface_backend_address_pool_association" "outbound-pool-assoc" {
- for_each = var.outbound_lb_backend_pool_ids
- backend_address_pool_id = each.value
- ip_configuration_name = azurerm_network_interface.nic-fw-private.ip_configuration[0].name
- network_interface_id = azurerm_network_interface.nic-fw-private.id
+ count = var.vm_count
+ backend_address_pool_id = var.inbound_lb_backend_pool_id
+ ip_configuration_name = azurerm_network_interface.ib-nic-fw-public[count.index].ip_configuration[0].name
+ network_interface_id = azurerm_network_interface.ib-nic-fw-public[count.index].id
 }
 resource "azurerm_virtual_machine" "inbound-fw" {
+ count = var.vm_count
 location = var.resource_group.location
- name = "${var.name_prefix}-fw"
+ name = "${var.name_prefix}-ib-fw-${count.index}"
 network_interface_ids = [
- azurerm_network_interface.nic-fw-mgmt.id,
- azurerm_network_interface.nic-fw-public.id,
- azurerm_network_interface.nic-fw-private.id
+ azurerm_network_interface.ib-nic-fw-mgmt[count.index].id,
+ azurerm_network_interface.ib-nic-fw-public[count.index].id,
+ azurerm_network_interface.ib-nic-fw-private[count.index].id
 ]
 resource_group_name = var.resource_group.name
- vm_size = var.vmseries_size
+ vm_size = var.vmseries_size
 storage_image_reference {
 publisher = "paloaltonetworks"
 offer = "vmseries1"
@@ -90,33 +95,34 @@ resource "azurerm_virtual_machine" "inbound-fw" {
 storage_os_disk {
 create_option = "FromImage"
- name = "${var.name_prefix}-vhd-fw"
- caching = "ReadWrite"
- vhd_uri = "${var.bootstrap-storage-account.primary_blob_endpoint}vhds/${var.name_prefix}-fw.vhd"
+ name = "${var.name_prefix}-ib-vhd-fw-${count.index}"
+ caching = "ReadWrite"
+ vhd_uri = "${var.bootstrap-storage-account.primary_blob_endpoint}vhds/${var.name_prefix}-ib-fw-${count.index}.vhd"
 }
- primary_network_interface_id = azurerm_network_interface.nic-fw-mgmt.id
+ primary_network_interface_id = azurerm_network_interface.ib-nic-fw-mgmt[count.index].id
 os_profile {
 admin_username = var.username
- computer_name = "${var.name_prefix}-fw"
+ computer_name = "${var.name_prefix}-fw-${count.index}"
 admin_password = var.password
 custom_data = join(
- ",",
- [
- "storage-account=${var.bootstrap-storage-account.name}",
- "access-key=${var.bootstrap-storage-account.primary_access_key}",
- "file-share=${var.inbound-bootstrap-share-name}",
- "share-directory=None"
- ]
- )
+ ",",
+ [
+ "storage-account=${var.bootstrap-storage-account.name}",
+ "access-key=${var.bootstrap-storage-account.primary_access_key}",
+ "file-share=${var.inbound-bootstrap-share-name}",
+ "share-directory=None"
+ ]
+ )
 }
 os_profile_linux_config {
 disable_password_authentication = false
 }
 plan {
- name = var.vm_series_sku
+ name = var.vm_series_sku
 publisher = "paloaltonetworks"
- product = "vmseries1"
+ product = "vmseries1"
 }
+ availability_set_id = azurerm_availability_set.ib-az.id
 }
diff --git a/no-vmss/example.tfvars b/no-vmss/example.tfvars
index 20d85b2..d59d324 100644
--- a/no-vmss/example.tfvars
+++ b/no-vmss/example.tfvars
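Review bot: `computer_name` for the inbound VM is `"${var.name_prefix}-fw-${count.index}"`, while the resource name and VHD name in the same block use `-ib-fw-` and the outbound VM in ob-vmseries.tf uses `-ob-fw-`; the guest hostname therefore no longer identifies the traffic direction, which hurts whoever correlates host-originated logs with the Azure resources. `computer_name = "${var.name_prefix}-ib-fw-${count.index}"` matches the other identifiers. The enclosing `azurerm_virtual_machine.inbound-fw` block starts outside this hunk.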
@@ -16,4 +16,7 @@ rules = [
 # Admin password, used to login to the firewalls.
 ## !!IMPORTANT!! CHANGE ME!
 # You can also pass this on the command line or via stdin to avoid putting it in a file.
-password = "Don'tUseThisPassword,it'sForDemoPurposesOnly"
\ No newline at end of file
+password = "Don'tUseThisPassword,it'sForDemoPurposesOnly"
+
+ # The count here defines how many VM-series are deployed PER VM direction (inbound/outbound)
+vm_series_count = 2
\ No newline at end of file
diff --git a/no-vmss/main.tf b/no-vmss/main.tf
index eb071bd..e9c8021 100644
--- a/no-vmss/main.tf
+++ b/no-vmss/main.tf
@@ -44,16 +44,16 @@ module "panorama" {
 # Base resource group
 resource "azurerm_resource_group" "vmseries" {
 location = var.location
- name = "${var.name_prefix}-vmseries-rg"
+ name = "${var.name_prefix}-vmseries-rg"
 }
 # Deploy the inbound load balancer for traffic into the azure environment
 module "inbound-lb" {
 source = "../modules/lbs"
- location = var.location
- name_prefix = var.name_prefix
- rules = var.rules
+ location = var.location
+ name_prefix = var.name_prefix
+ rules = var.rules
 }
 # Deploy the outbound load balancer for traffic out of the azure environment
@@ -68,38 +68,11 @@ module "outbound-lb" {
 # Create the inbound VM Series Firewalls
 module "inbound-vm-series" {
 source = "../modules/vm"
- count = 2
 resource_group = azurerm_resource_group.vmseries
 location = var.location
- name_prefix = "${var.name_prefix}-ib-${count.index}"
- username = var.username
- password = var.password
-
- subnet-mgmt = module.networks.subnet-mgmt
- subnet-private = module.networks.subnet-private
- subnet-public = module.networks.subnet-public
-
- bootstrap-storage-account = module.panorama.bootstrap-storage-account
- inbound-bootstrap-share-name = module.panorama.inbound-bootstrap-share-name
- outbound-bootstrap-share-name = module.panorama.outbound-bootstrap-share-name
-
- depends_on = [module.panorama]
-
- vhd-container = module.panorama.storage-container-name
- inbound_lb_backend_pool_ids = toset([module.inbound-lb.backend-pool-id])
-}
-
-# Create the outbound VM Series Firewalls
-module "outbound-vm-series" {
- source = "../modules/vm"
- count = 2
-
- resource_group = azurerm_resource_group.vmseries
-
- location = var.location
- name_prefix = "${var.name_prefix}-ob-${count.index}"
+ name_prefix = var.name_prefix
 username = var.username
 password = var.password
@@ -114,10 +87,13 @@ module "outbound-vm-series" {
 depends_on = [module.panorama]
 vhd-container = module.panorama.storage-container-name
- outbound_lb_backend_pool_ids = toset([module.outbound-lb.backend-pool-id])
+ inbound_lb_backend_pool_id = module.inbound-lb.backend-pool-id
+ outbound_lb_backend_pool_id = module.outbound-lb.backend-pool-id
+ vm_count = var.vm_series_count
 }
+
 output "PANORAMA-IP" {
 value = module.panorama.panorama-publicip
 }
From 9ce3724d62523c7799de9a6ea903b32fe89a50c8 Mon Sep 17 00:00:00 2001
From: Adam Baumeister
Date: Fri, 25 Sep 2020 12:03:53 +1000
Subject: [PATCH 4/5] Fix readme image sizes
---
 README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index a224360..2275dd4 100644
--- a/README.md
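Review bot: `vm_count = var.vm_series_count` in the `@@ -114,10 +87,13 @@` hunk references an input that this patch does not declare; no-vmss/variables.tf is not in the diffstat, so unless an earlier commit already declared `vm_series_count` there, `terraform validate` will fail on an undeclared variable even though example.tfvars sets it. A declaration such as `variable "vm_series_count" { description = "VM-series firewalls deployed per direction (inbound/outbound)" default = 2 }` keeps the tfvars entry optional and documents the semantics in one place.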
+++ b/README.md
@@ -1,6 +1,6 @@
- TF Logo
- Azure Logo
+ TF Logo
+ Azure Logo
From 4f9105bff6f53face03a42e967db3551330dc56b Mon Sep 17 00:00:00 2001
From: Adam Baumeister
Date: Fri, 25 Sep 2020 12:07:38 +1000
Subject: [PATCH 5/5] Fix module path in main
---
 main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/main.tf b/main.tf
index 252daa4..1a64004 100644
--- a/main.tf
+++ b/main.tf
@@ -61,7 +61,7 @@ module "outbound-lb" {
 # Create the inbound and outbound VM Scale sets
 module "vm-series" {
- source = "modules/vmss"
+ source = "./modules/vmss"
 location = var.location
 name_prefix = var.name_prefix