-
Notifications
You must be signed in to change notification settings - Fork 4
/
vpn.tf
157 lines (135 loc) · 7.1 KB
/
vpn.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
resource "azurerm_resource_group" "vpn" {
name = "vpn"
location = var.location
tags = local.default_tags
}
resource "azurerm_public_ip" "public" {
name = "${azurerm_resource_group.vpn.name}-public-ip"
resource_group_name = azurerm_resource_group.vpn.name
location = azurerm_resource_group.vpn.location
allocation_method = "Static"
sku = "Basic"
tags = local.default_tags
}
resource "azurerm_dns_a_record" "vpn" {
name = local.vpn.shorthostname
zone_name = data.azurerm_dns_zone.jenkinsio.name
resource_group_name = data.azurerm_resource_group.proddns_jenkinsio.name
ttl = 300
records = [azurerm_public_ip.public.ip_address]
tags = local.default_tags
}
resource "azurerm_network_interface" "main" {
name = "${azurerm_virtual_network.private.name}-vpn-nic-main"
location = azurerm_resource_group.vpn.location
resource_group_name = azurerm_resource_group.vpn.name
ip_configuration {
name = "main"
subnet_id = azurerm_subnet.dmz.id
private_ip_address_allocation = "Dynamic"
public_ip_address_id = azurerm_public_ip.public.id
}
tags = local.default_tags
}
resource "azurerm_network_interface" "internal" {
name = "${azurerm_virtual_network.private.name}-vpn-nic-internal"
location = azurerm_resource_group.vpn.location
resource_group_name = azurerm_resource_group.vpn.name
ip_configuration {
name = "internal"
subnet_id = azurerm_subnet.private_vnet_data_tier.id
private_ip_address_allocation = "Dynamic"
}
tags = local.default_tags
}
resource "azurerm_network_security_rule" "allow_ssh_from_admins_to_vpn" {
for_each = module.jenkins_infra_shared_data.admin_public_ips
name = "allow-ssh-from-${each.key}-to-vpn"
priority = 101 + (index(keys(module.jenkins_infra_shared_data.admin_public_ips), each.key))
direction = "Inbound"
access = "Allow"
protocol = "Tcp"
source_port_range = "*"
destination_port_range = "22"
source_address_prefixes = each.value
destination_address_prefix = azurerm_network_interface.main.private_ip_address
resource_group_name = azurerm_resource_group.private.name
network_security_group_name = azurerm_network_security_group.private_dmz.name
}
resource "azurerm_network_security_rule" "allow_openvpn_from_internet_to_vpn" {
name = "allow-openvpn-from-internet-to-vpn"
priority = 200
direction = "Inbound"
access = "Allow"
protocol = "Tcp"
source_port_range = "*"
destination_port_range = "443"
source_address_prefix = "Internet"
destination_address_prefix = azurerm_network_interface.main.private_ip_address
resource_group_name = azurerm_resource_group.private.name
network_security_group_name = azurerm_network_security_group.private_dmz.name
}
resource "azurerm_network_security_rule" "allow_puppet_from_vpn_to_puppetmasters" {
for_each = local.vpn.puppet_outbound_ips
name = "allow-puppet-from-vpn-to-${each.key}"
priority = 2100 + index(keys(local.vpn.puppet_outbound_ips), each.key)
direction = "Outbound"
access = "Allow"
protocol = "Tcp"
source_port_range = "*"
destination_port_range = "8140"
source_address_prefix = azurerm_network_interface.main.private_ip_address
destination_address_prefix = azurerm_network_interface.main.private_ip_address
resource_group_name = azurerm_resource_group.private.name
network_security_group_name = azurerm_network_security_group.private_dmz.name
}
resource "azurerm_network_security_rule" "allow_https_from_vpn_to_Internet" {
name = "allow-https-from-vpn-to-Internet"
priority = 2200
direction = "Outbound"
access = "Allow"
protocol = "Tcp"
source_port_range = "*"
destination_port_range = "443"
source_address_prefix = azurerm_network_interface.main.private_ip_address
destination_address_prefix = "Internet"
resource_group_name = azurerm_resource_group.private.name
network_security_group_name = azurerm_network_security_group.private_dmz.name
}
resource "azurerm_linux_virtual_machine" "vpn" {
name = "${azurerm_virtual_network.private.name}-vpn"
resource_group_name = azurerm_resource_group.vpn.name
location = azurerm_resource_group.vpn.location
size = "Standard_B2s"
admin_username = local.vpn.username
network_interface_ids = [
azurerm_network_interface.main.id,
azurerm_network_interface.internal.id,
]
admin_ssh_key {
username = local.vpn.username
# Private key stored as AZURE_NET_VPN_PRIVATE_KEY in https://github.com/jenkins-infra/charts-secrets/blob/main/config/infra.ci.jenkins.io/jenkins-secrets.yaml
public_key = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC3mnu4alSfeWuKBDQjVZn0sSogh5Cf31SlV3CbbHhjmJ9ZKIe4KKGRNhgtrVosDwQ4QeW8bE2QwzExII6UOZQ8uEeLJHpjHR6DJNFCmUM24dvZD5eSTdLi89JcY1EGAIsVue+a7vdPDadPWQLb8eiYBuGfA4ydmFTIJEoCsNDZk6bOYyFxQPnYgKIuw9qxQhMvq55sMch+Fh+eMO4Sc0I5V0MMDl/UaC3hbpT9gegqwMw6hPC0OMhpEe3b/G/cW0buQf7pXSW4RN7ukyoeTTYXmjVKMB5K5qLAznSepe+p4qkGNdfQd1BcKNd72L8jEfc/Nbs8ZP34PHwsjFSTDC1WJWrwhzxCLinJ+WisB4JyWoY8S7ziOi4Rb7sevneYFjjVcY1kxvsM+dnzQxleRlPibV/1kzNtH/pqLFIX8eM+m6lTDgc6phhtQnWlPsLyrKbILAI6wP1MHvwz9SaKqKFXx+4Dnrz3my3L9U8v/oBCbHjhjjFSW3jT1ZAsXe553PmF7xYoFnSxrbXwjuVSfHrS2KEldfB116Acw5IMSTre+q7woP7XvocLZEi9AOE/+nQjL0R7XOCXI8ODOfk9BSQ1EOqyf1ONDIVf3ugAKoEQ22lBt8pLdFZjY2Mc5UbMzOT/MUYgLI/zKGg8+XGRXlYelEivMf3PBrit9FVucHhyfQ== jenkins-infra-team@googlegroups.com"
}
user_data = base64encode(templatefile("./.shared-tools/terraform/cloudinit.tftpl", { hostname = join(".", [local.vpn.shorthostname, data.azurerm_dns_zone.jenkinsio.name]) }))
# Force VM recreation when the VPN URL change
computer_name = replace(join(".", [local.vpn.shorthostname, data.azurerm_dns_zone.jenkinsio.name]), ".", "-")
# Encrypt all disks (ephemeral, temp dirs and data volumes) - https://learn.microsoft.com/en-us/azure/virtual-machines/disks-enable-host-based-encryption-portal?tabs=azure-powershell
encryption_at_host_enabled = true
os_disk {
caching = "ReadWrite"
storage_account_type = "Standard_LRS"
}
source_image_reference {
publisher = "Canonical"
offer = "0001-com-ubuntu-server-jammy"
sku = "22_04-lts-gen2"
// TODO: use fixed version + updatecli manifest if it recreates the VM
# az vm image list --all --publisher="Canonical" --sku="22_04-lts-gen2" --offer="0001-com-ubuntu-server-jammy"
version = "22.04.202211160"
}
tags = local.default_tags
}
output "vpn_public_ip_address" {
value = azurerm_public_ip.public.ip_address
}