/
main.tf
297 lines (247 loc) · 8 KB
/
main.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
# see https://github.com/hashicorp/terraform
terraform {
required_version = ">= 1.1.7"
required_providers {
random = "~> 3.1.2"
azurerm = "~> 3.24.0"
azuread = "~> 2.29.0"
}
}
# see https://github.com/terraform-providers/terraform-provider-azurerm
provider "azurerm" {
features {}
}
resource "azurerm_resource_group" "vault" {
name = "${var.environment}-vault-rg"
location = var.location
tags = {
environment = var.environment
}
}
resource "random_id" "keyvault" {
byte_length = 4
}
data "azurerm_client_config" "current" {
}
data "azuread_service_principal" "vault" {
application_id = var.client_id
}
resource "azurerm_key_vault" "vault" {
name = "${var.environment}-vault-${random_id.keyvault.hex}"
location = azurerm_resource_group.vault.location
resource_group_name = azurerm_resource_group.vault.name
tenant_id = var.tenant_id
# enable virtual machines to access this key vault.
# NB this identity is used in the example /tmp/azure_auth.sh file.
# vault is actually using the vault service principal.
enabled_for_deployment = true
sku_name = "standard"
tags = {
environment = var.environment
}
# access policy for the hashicorp vault service principal.
access_policy {
tenant_id = var.tenant_id
object_id = data.azuread_service_principal.vault.object_id
key_permissions = [
"Get",
"WrapKey",
"UnwrapKey",
]
}
# access policy for the user that is currently running terraform.
access_policy {
tenant_id = var.tenant_id
object_id = data.azurerm_client_config.current.object_id
key_permissions = [
"Get",
"List",
"Create",
"Delete",
"Update",
]
}
# TODO does this really need to be so broad? can it be limited to the vault vm?
network_acls {
default_action = "Allow"
bypass = "AzureServices"
}
}
# TODO the "generated" resource name is not very descriptive; why not use "vault" instead?
# hashicorp vault will use this azurerm_key_vault_key to wrap/encrypt its master key.
resource "azurerm_key_vault_key" "generated" {
name = var.key_name
key_vault_id = azurerm_key_vault.vault.id
key_type = "RSA"
key_size = 2048
key_opts = [
"wrapKey",
"unwrapKey",
]
}
output "key_vault_name" {
value = azurerm_key_vault.vault.name
}
# ---------------------
# Create Vault VM
# ---------------------
resource "azurerm_virtual_network" "tf_network" {
name = "network-${random_id.keyvault.hex}"
address_space = ["10.0.0.0/16"]
location = var.location
resource_group_name = azurerm_resource_group.vault.name
tags = {
environment = "${var.environment}-${random_id.keyvault.hex}"
}
}
resource "azurerm_subnet" "tf_subnet" {
name = "subnet-${random_id.keyvault.hex}"
resource_group_name = azurerm_resource_group.vault.name
virtual_network_name = azurerm_virtual_network.tf_network.name
address_prefixes = ["10.0.1.0/24"]
}
resource "azurerm_public_ip" "tf_publicip" {
name = "ip-${random_id.keyvault.hex}"
location = var.location
resource_group_name = azurerm_resource_group.vault.name
allocation_method = "Dynamic"
tags = {
environment = "${var.environment}-${random_id.keyvault.hex}"
}
}
resource "azurerm_network_security_group" "tf_nsg" {
name = "nsg-${random_id.keyvault.hex}"
location = var.location
resource_group_name = azurerm_resource_group.vault.name
security_rule {
name = "SSH"
priority = 1001
direction = "Inbound"
access = "Allow"
protocol = "Tcp"
source_port_range = "*"
destination_port_range = "22"
source_address_prefix = "*"
destination_address_prefix = "*"
}
security_rule {
name = "Vault"
priority = 1002
direction = "Inbound"
access = "Allow"
protocol = "Tcp"
source_port_range = "*"
destination_port_range = "8200"
source_address_prefix = "*"
destination_address_prefix = "*"
}
security_rule {
name = "Consul"
priority = 1003
direction = "Inbound"
access = "Allow"
protocol = "Tcp"
source_port_range = "*"
destination_port_range = "8500"
source_address_prefix = "*"
destination_address_prefix = "*"
}
tags = {
environment = "${var.environment}-${random_id.keyvault.hex}"
}
}
resource "azurerm_network_interface" "tf_nic" {
name = "nic-${random_id.keyvault.hex}"
location = var.location
resource_group_name = azurerm_resource_group.vault.name
ip_configuration {
name = "nic-${random_id.keyvault.hex}"
subnet_id = azurerm_subnet.tf_subnet.id
private_ip_address_allocation = "Dynamic"
public_ip_address_id = azurerm_public_ip.tf_publicip.id
}
tags = {
environment = "${var.environment}-${random_id.keyvault.hex}"
}
}
resource "azurerm_network_interface_security_group_association" "tf_nisga" {
network_interface_id = azurerm_network_interface.tf_nic.id
network_security_group_id = azurerm_network_security_group.tf_nsg.id
}
resource "random_id" "tf_random_id" {
keepers = {
# Generate a new ID only when a new resource group is defined
resource_group = azurerm_resource_group.vault.name
}
byte_length = 8
}
resource "azurerm_storage_account" "tf_storageaccount" {
name = "sa${random_id.keyvault.hex}"
resource_group_name = azurerm_resource_group.vault.name
location = var.location
account_tier = "Standard"
account_replication_type = "LRS"
tags = {
environment = "${var.environment}-${random_id.keyvault.hex}"
}
}
# Create virtual machine
resource "azurerm_linux_virtual_machine" "tf_vm" {
name = var.vm_name
location = var.location
resource_group_name = azurerm_resource_group.vault.name
network_interface_ids = [azurerm_network_interface.tf_nic.id]
size = "Standard_DS1_v2"
custom_data = base64encode(templatefile("${abspath(path.module)}/setup.tpl", {
resource_group_name = "${var.environment}-vault-rg"
vm_name = var.vm_name
vault_version = var.vault_version
tenant_id = var.tenant_id
subscription_id = var.subscription_id
client_id = var.client_id
client_secret = var.client_secret
vault_name = azurerm_key_vault.vault.name
key_name = var.key_name
}))
computer_name = var.vm_name
admin_username = "azureuser"
admin_ssh_key {
username = "azureuser"
public_key = var.public_key
}
# NB this identity is used in the example /tmp/azure_auth.sh file.
# vault is actually using the vault service principal.
identity {
type = "SystemAssigned"
}
os_disk {
name = "${var.vm_name}-os"
caching = "ReadWrite" # TODO is this safe?
storage_account_type = "Premium_LRS"
}
source_image_reference {
publisher = "Canonical"
offer = "UbuntuServer"
sku = "18.04-LTS"
version = "latest"
}
boot_diagnostics {
storage_account_uri = azurerm_storage_account.tf_storageaccount.primary_blob_endpoint
}
tags = {
environment = "${var.environment}-${random_id.keyvault.hex}"
}
}
data "azurerm_public_ip" "tf_publicip" {
name = azurerm_public_ip.tf_publicip.name
resource_group_name = azurerm_linux_virtual_machine.tf_vm.resource_group_name
}
output "ip" {
value = data.azurerm_public_ip.tf_publicip.ip_address
}
output "ssh-addr" {
value = <<SSH
Connect to your virtual machine via SSH:
$ ssh azureuser@${data.azurerm_public_ip.tf_publicip.ip_address}
SSH
}