Reliability and Versioning updates

Azure · May 31, 2024 · 363d319 · 363d319
1 parent 7a84ea7
commit 363d319
Show file tree

Hide file tree

Showing 12 changed files with 132 additions and 17 deletions.
diff --git a/AVS-Landing-Zone/GreenField/Terraform/gateway.tf b/AVS-Landing-Zone/GreenField/Terraform/gateway.tf
@@ -2,7 +2,7 @@ resource "azurerm_public_ip" "gatewaypip" {
   name                = "${var.prefix}-GW-pip"
   resource_group_name = azurerm_resource_group.network.name
   location            = azurerm_resource_group.network.location
-  allocation_method   = "Dynamic"
+  allocation_method   = "Static"
   zones               = ["1","2","3"]
   sku                 = "Standard"
 }

diff --git a/AVS-Landing-Zone/GreenField/Terraform/jumpbox.tf b/AVS-Landing-Zone/GreenField/Terraform/jumpbox.tf
@@ -17,7 +17,7 @@ resource "azurerm_windows_virtual_machine" "vm" {
   location            = azurerm_resource_group.jumpbox.location
   size                = var.jumpboxsku
   admin_username      = var.adminusername
-  admin_password      = var.adminpassword
+  admin_password      = random_password.admin_password.result
   zone                = 1
   network_interface_ids = [
     azurerm_network_interface.nic.id,
@@ -34,4 +34,52 @@ resource "azurerm_windows_virtual_machine" "vm" {
     sku       = "win11-21h2-avd"
     version   = "latest"
   }
+}
+
+resource "random_password" "admin_password" {
+  length           = 23
+  special          = true
+  numeric          = true
+  min_special      = 1
+  min_numeric      = 1
+  min_upper        = 1
+  min_lower        = 1
+}
+
+resource "random_string" "namestring" {
+  length   = 4
+  special  = false
+  upper    = false
+  lower    = true
+}
+
+resource "azurerm_key_vault_secret" "admin_password" {
+  key_vault_id    = module.avm_res_keyvault_vault.resource.id
+  name            = "${var.prefix}-jumpbox-${var.adminusername}-password"
+  value           = random_password.admin_password.result
+}
+
+module "avm_res_keyvault_vault" {
+  source                 = "Azure/avm-res-keyvault-vault/azurerm"
+  version                = "0.5.3"
+  tenant_id              = data.azurerm_client_config.current.tenant_id
+  name                   = "${var.key_vault_name}-${random_string.namestring.result}"
+  resource_group_name    = azurerm_resource_group.jumpbox.name
+  location               = azurerm_resource_group.jumpbox.location
+  enabled_for_deployment = true
+  network_acls = {
+    default_action = "Allow"
+    bypass         = "AzureServices"
+  }
+
+  role_assignments = {
+    deployment_user_secrets = {
+      role_definition_id_or_name = "Key Vault Administrator"
+      principal_id               = data.azurerm_client_config.current.object_id
+    }
+  }
+
+  wait_for_rbac_before_secret_operations = {
+    create = "60s"
+  }
 }
diff --git a/AVS-Landing-Zone/GreenField/Terraform/network.tf b/AVS-Landing-Zone/GreenField/Terraform/network.tf
@@ -21,9 +21,51 @@ resource "azurerm_subnet" "azurebastionsubnet" {
   address_prefixes     = [var.azurebastionsubnet]
 }
 
+resource "azurerm_subnet_network_security_group_association" "this_bastion" {
+  subnet_id                 = azurerm_subnet.azurebastionsubnet.id
+  network_security_group_id = module.testnsg.nsg_resource.id
+}
+
 resource "azurerm_subnet" "jumpboxsubnet" {
   name                 = "JumpboxSubnet"
   resource_group_name  = azurerm_resource_group.network.name
   virtual_network_name = azurerm_virtual_network.network.name
-  address_prefixes     = [var.jumpboxsubnet]
+  address_prefixes     = [var.jumpboxsubnet]  
+}
+
+resource "azurerm_subnet_network_security_group_association" "this_jumpbox" {
+  subnet_id                 = azurerm_subnet.jumpboxsubnet.id
+  network_security_group_id = module.testnsg.nsg_resource.id
 }
+
+module "testnsg" {
+  source  = "Azure/avm-res-network-networksecuritygroup/azurerm"
+  version = "0.1.1"
+
+  enable_telemetry    = var.telemetry_enabled
+  location            = azurerm_resource_group.network.location
+  resource_group_name = azurerm_resource_group.network.name
+  name                = var.nsg_name
+  nsgrules = { #allow all in this example, but set your 
+    "rule01" : {
+      "nsg_rule_access" : "Allow",
+      "nsg_rule_destination_address_prefix" : "*",
+      "nsg_rule_destination_port_range" : "*",
+      "nsg_rule_direction" : "Inbound",
+      "nsg_rule_priority" : 100,
+      "nsg_rule_protocol" : "Tcp",
+      "nsg_rule_source_address_prefix" : "*",
+      "nsg_rule_source_port_range" : "*"
+    },
+    "rule02" : {
+      "nsg_rule_access" : "Allow",
+      "nsg_rule_destination_address_prefix" : "*",
+      "nsg_rule_destination_port_range" : "*",
+      "nsg_rule_direction" : "Outbound",
+      "nsg_rule_priority" : 200,
+      "nsg_rule_protocol" : "Tcp",
+      "nsg_rule_source_address_prefix" : "*",
+      "nsg_rule_source_port_range" : "*"
+    }
+  }
+}
diff --git a/AVS-Landing-Zone/GreenField/Terraform/privatecloud.tf b/AVS-Landing-Zone/GreenField/Terraform/privatecloud.tf
@@ -51,4 +51,10 @@ resource "azurerm_vmware_private_cloud" "privatecloud" {
 resource "azurerm_vmware_express_route_authorization" "expressrouteauthkey" {
   name             = "${var.prefix}-AVS"
   private_cloud_id = azurerm_vmware_private_cloud.privatecloud.id
+}
+
+resource "azurerm_management_lock" "this_private_cloud" {
+  lock_level = "CanNotDelete"
+  name       = "${var.prefix}-lock"
+  scope      = azurerm_vmware_private_cloud.privatecloud.id
 }
diff --git a/AVS-Landing-Zone/GreenField/Terraform/terraform.tfvars b/AVS-Landing-Zone/GreenField/Terraform/terraform.tfvars
@@ -3,24 +3,25 @@
 prefix = "AVS"
 
 #Region to deploy the AVS Private Cloud and associated components
-region = "northeurope"
+region = "eastasia"
 
 #AVS requires a /22 CIDR range, this must not overlap with other networks to be used with AVS
 avs-networkblock = "10.1.0.0/22"
-avs-sku          = "AV36P"
+avs-sku          = "AV36"
 avs-hostcount    = 3
 hcx_key_names    = ["hcxsite1", "hcxsite2"]
 
 #Input the Jumpbox local username, password and SKU of your choice
-adminusername = "replace me"
-adminpassword = "replace me"
+key_vault_name = "jumpkeyvault"
+adminusername = "testuser"
 jumpboxsku    = "Standard_D2as_v4"
 
 #Virtual network address space and required subnets, can be any CIDR range
 vnetaddressspace   = "192.168.1.0/24"
 gatewaysubnet      = "192.168.1.0/27"
 azurebastionsubnet = "192.168.1.64/26"
 jumpboxsubnet      = "192.168.1.128/25"
+nsg_name           = "testnsg"
 
 #Enable or Disable telemetry
 telemetry_enabled = true
diff --git a/AVS-Landing-Zone/GreenField/Terraform/variables.tf b/AVS-Landing-Zone/GreenField/Terraform/variables.tf
@@ -29,10 +29,6 @@ variable "adminusername" {
   type = string
 }
 
-variable "adminpassword" {
-  type = string
-}
-
 variable "jumpboxsku" {
   type    = string
   default = "Standard_D2as_v4"
@@ -60,6 +56,16 @@ variable "hcx_key_names" {
   default     = []
 }
 
+variable "key_vault_name" {
+  type = string
+  description = "The name for the key vault used to store the jump virtual machine password."
+}
+
+variable "nsg_name" {
+  type = string
+  description = "The name to use for the default NSG deployed with the networks."
+}
+
 variable "telemetry_enabled" {
   type        = bool
   description = "toggle the telemetry on/off for this module"

diff --git a/BrownField/Storage/AVS-to-ANFdatastore-NewVNet/Terraform/main.tf b/BrownField/Storage/AVS-to-ANFdatastore-NewVNet/Terraform/main.tf
@@ -65,7 +65,7 @@ resource "azurerm_public_ip" "gatewayIP" {
   name                = "${var.GatewayName}-PIP"
   resource_group_name = azurerm_resource_group.deploymentRG.name
   location            = azurerm_resource_group.deploymentRG.location
-  allocation_method   = "Dynamic"
+  allocation_method   = "Static"
   sku                 = "Standard"
   sku_tier            = "Regional"
   zones               = ["1","2","3"]

diff --git a/terraform/modules/avs_expressroute_gateway/main.tf b/terraform/modules/avs_expressroute_gateway/main.tf
@@ -2,7 +2,7 @@ resource "azurerm_public_ip" "gatewaypip" {
   name                = var.expressroute_pip_name
   resource_group_name = var.rg_name
   location            = var.rg_location
-  allocation_method   = "Dynamic"
+  allocation_method   = "Static"
   sku                 = "Standard" 
   tags                = var.tags
   zones               = ["1","2","3"]

diff --git a/terraform/modules/avs_expressroute_gateway_old/main.tf b/terraform/modules/avs_expressroute_gateway_old/main.tf
@@ -2,8 +2,9 @@ resource "azurerm_public_ip" "gatewaypip" {
   name                = var.expressroute_pip_name
   resource_group_name = var.rg_name
   location            = var.rg_location
-  allocation_method   = "Dynamic"
-  sku                 = "Basic" #required for an ultraperformance gateway
+  allocation_method   = "Static"
+  sku                 = "Standard" #required for an ultraperformance gateway
+  zones               = ["1","2","3"]
 }
 
 resource "azurerm_virtual_network_gateway" "gateway" {

diff --git a/terraform/modules/avs_private_cloud_single_management_cluster_no_internet_conn/main.tf b/terraform/modules/avs_private_cloud_single_management_cluster_no_internet_conn/main.tf
@@ -82,6 +82,12 @@ module "hcx_addon" {
   ]
 }
 
+resource "azurerm_management_lock" "this_private_cloud" {
+  lock_level = "CanNotDelete"
+  name       = "${azurerm_vmware_private_cloud.privatecloud.name}-lock"
+  scope      = azurerm_vmware_private_cloud.privatecloud.id
+}
+
 #############################################################################################
 # Telemetry Section - Toggled on and off with the telemetry variable
 # This allows us to get deployment frequency statistics for deployments

diff --git a/terraform/modules/avs_private_cloud_single_management_cluster_no_internet_conn_w_exr/main.tf b/terraform/modules/avs_private_cloud_single_management_cluster_no_internet_conn_w_exr/main.tf
@@ -104,6 +104,11 @@ resource "azurerm_virtual_network_gateway_connection" "avs" {
   authorization_key          = azurerm_vmware_express_route_authorization.expressrouteauthkey[0].express_route_authorization_key
 }
 
+resource "azurerm_management_lock" "this_private_cloud" {
+  lock_level = "CanNotDelete"
+  name       = "${azurerm_vmware_private_cloud.privatecloud.name}-lock"
+  scope      = azurerm_vmware_private_cloud.privatecloud.id
+}
 #############################################################################################
 # Telemetry Section - Toggled on and off with the telemetry variable
 # This allows us to get deployment frequency statistics for deployments

diff --git a/terraform/modules/avs_vpn_gateway/main.tf b/terraform/modules/avs_vpn_gateway/main.tf
@@ -2,7 +2,7 @@ resource "azurerm_public_ip" "gatewaypip_1" {
   name                = var.vpn_pip_name_1
   resource_group_name = var.rg_name
   location            = var.rg_location
-  allocation_method   = "Dynamic"
+  allocation_method   = "Static"
   sku                 = "Standard"
   zones               = ["1","2","3"]
 }
@@ -11,7 +11,7 @@ resource "azurerm_public_ip" "gatewaypip_2" {
   name                = var.vpn_pip_name_2
   resource_group_name = var.rg_name
   location            = var.rg_location
-  allocation_method   = "Dynamic"
+  allocation_method   = "Static"
   sku                 = "Standard"
   zones               = ["1","2","3"]
 }