Terraform Resiliency Updates (#306)

* Reliability and Versioning updates

* Reliability and Versioning updates

* Reliability and Versioning updates

* version and output changes

* version and output changes

AVS-Landing-Zone/GreenField/Terraform/bastion.tf

@@ -4,6 +4,7 @@ resource "azurerm_public_ip" "bastionpip" {
   resource_group_name = azurerm_resource_group.jumpbox.name
   allocation_method   = "Static"
   sku                 = "Standard"
+  zones               = ["1","2","3"]
 }
 
 resource "azurerm_bastion_host" "bastion" {

AVS-Landing-Zone/GreenField/Terraform/gateway.tf

@@ -2,7 +2,9 @@ resource "azurerm_public_ip" "gatewaypip" {
   name                = "${var.prefix}-GW-pip"
   resource_group_name = azurerm_resource_group.network.name
   location            = azurerm_resource_group.network.location
-  allocation_method   = "Dynamic"
+  allocation_method   = "Static"
+  zones               = ["1","2","3"]
+  sku                 = "Standard"
 }
 
 resource "azurerm_virtual_network_gateway" "gateway" {
@@ -11,7 +13,7 @@ resource "azurerm_virtual_network_gateway" "gateway" {
   location            = azurerm_resource_group.network.location
 
   type = "ExpressRoute"
-  sku  = "Standard"
+  sku  = "ErGw1AZ"
 
   ip_configuration {
     name                          = "default"

AVS-Landing-Zone/GreenField/Terraform/hcx_addon.tf

@@ -4,12 +4,12 @@ resource "azapi_resource" "hcx_addon" {
   #Resource Name must match the addonType
   name      = "HCX"
   parent_id = azurerm_vmware_private_cloud.privatecloud.id
-  body = jsonencode({
+  body = {
     properties = {
       addonType = "HCX"
       offer     = "VMware MaaS Cloud Provider"
     }
-  })
+  }
 
   #adding lifecycle block to handle replacement issue with parent_id
   lifecycle {

AVS-Landing-Zone/GreenField/Terraform/jumpbox.tf

@@ -17,14 +17,15 @@ resource "azurerm_windows_virtual_machine" "vm" {
   location            = azurerm_resource_group.jumpbox.location
   size                = var.jumpboxsku
   admin_username      = var.adminusername
-  admin_password      = var.adminpassword
+  admin_password      = random_password.admin_password.result
+  zone                = 1
   network_interface_ids = [
     azurerm_network_interface.nic.id,
   ]
 
   os_disk {
     caching              = "ReadWrite"
-    storage_account_type = "Standard_LRS"
+    storage_account_type = "Premium_LRS"
   }
 
   source_image_reference {
@@ -33,4 +34,52 @@ resource "azurerm_windows_virtual_machine" "vm" {
     sku       = "win11-21h2-avd"
     version   = "latest"
   }
+}
+
+resource "random_password" "admin_password" {
+  length           = 23
+  special          = true
+  numeric          = true
+  min_special      = 1
+  min_numeric      = 1
+  min_upper        = 1
+  min_lower        = 1
+}
+
+resource "random_string" "namestring" {
+  length   = 4
+  special  = false
+  upper    = false
+  lower    = true
+}
+
+resource "azurerm_key_vault_secret" "admin_password" {
+  key_vault_id    = module.avm_res_keyvault_vault.resource.id
+  name            = "${var.prefix}-jumpbox-${var.adminusername}-password"
+  value           = random_password.admin_password.result
+}
+
+module "avm_res_keyvault_vault" {
+  source                 = "Azure/avm-res-keyvault-vault/azurerm"
+  version                = "0.5.3"
+  tenant_id              = data.azurerm_client_config.current.tenant_id
+  name                   = "${var.key_vault_name}-${random_string.namestring.result}"
+  resource_group_name    = azurerm_resource_group.jumpbox.name
+  location               = azurerm_resource_group.jumpbox.location
+  enabled_for_deployment = true
+  network_acls = {
+    default_action = "Allow"
+    bypass         = "AzureServices"
+  }
+
+  role_assignments = {
+    deployment_user_secrets = {
+      role_definition_id_or_name = "Key Vault Administrator"
+      principal_id               = data.azurerm_client_config.current.object_id
+    }
+  }
+
+  wait_for_rbac_before_secret_operations = {
+    create = "60s"
+  }
 }

AVS-Landing-Zone/GreenField/Terraform/main.tf

@@ -6,12 +6,12 @@ terraform {
   required_providers {
     azurerm = {
       source  = "hashicorp/azurerm"
-      version = "~>3.0.0"
+      version = "~>3.105"
     }
 
     azapi = {
-      source  = "azure/azapi"
-      version = "~>1.1.0"
+      source  = "Azure/azapi"
+      version = "~> 1.13, != 1.13.0"
     }
   }
 }

AVS-Landing-Zone/GreenField/Terraform/network.tf

@@ -21,9 +21,52 @@ resource "azurerm_subnet" "azurebastionsubnet" {
   address_prefixes     = [var.azurebastionsubnet]
 }
 
+resource "azurerm_subnet_network_security_group_association" "this_bastion" {
+  subnet_id                 = azurerm_subnet.azurebastionsubnet.id
+  network_security_group_id = module.testnsg.nsg_resource.id
+}
+
 resource "azurerm_subnet" "jumpboxsubnet" {
   name                 = "JumpboxSubnet"
   resource_group_name  = azurerm_resource_group.network.name
   virtual_network_name = azurerm_virtual_network.network.name
-  address_prefixes     = [var.jumpboxsubnet]
+  address_prefixes     = [var.jumpboxsubnet]  
+}
+
+resource "azurerm_subnet_network_security_group_association" "this_jumpbox" {
+  subnet_id                 = azurerm_subnet.jumpboxsubnet.id
+  network_security_group_id = module.testnsg.nsg_resource.id
+  depends_on = [ azurerm_virtual_network.network, azurerm_subnet.jumpboxsubnet, module.testnsg ]
 }
+
+module "testnsg" {
+  source  = "Azure/avm-res-network-networksecuritygroup/azurerm"
+  version = "0.1.1"
+
+  enable_telemetry    = var.telemetry_enabled
+  location            = azurerm_resource_group.network.location
+  resource_group_name = azurerm_resource_group.network.name
+  name                = var.nsg_name
+  nsgrules = { #allow all in this example, but set your 
+    "rule01" : {
+      "nsg_rule_access" : "Allow",
+      "nsg_rule_destination_address_prefix" : "*",
+      "nsg_rule_destination_port_range" : "*",
+      "nsg_rule_direction" : "Inbound",
+      "nsg_rule_priority" : 100,
+      "nsg_rule_protocol" : "Tcp",
+      "nsg_rule_source_address_prefix" : "*",
+      "nsg_rule_source_port_range" : "*"
+    },
+    "rule02" : {
+      "nsg_rule_access" : "Allow",
+      "nsg_rule_destination_address_prefix" : "*",
+      "nsg_rule_destination_port_range" : "*",
+      "nsg_rule_direction" : "Outbound",
+      "nsg_rule_priority" : 200,
+      "nsg_rule_protocol" : "Tcp",
+      "nsg_rule_source_address_prefix" : "*",
+      "nsg_rule_source_port_range" : "*"
+    }
+  }
+}

AVS-Landing-Zone/GreenField/Terraform/privatecloud.tf

@@ -51,4 +51,10 @@ resource "azurerm_vmware_private_cloud" "privatecloud" {
 resource "azurerm_vmware_express_route_authorization" "expressrouteauthkey" {
   name             = "${var.prefix}-AVS"
   private_cloud_id = azurerm_vmware_private_cloud.privatecloud.id
+}
+
+resource "azurerm_management_lock" "this_private_cloud" {
+  lock_level = "CanNotDelete"
+  name       = "${var.prefix}-lock"
+  scope      = azurerm_vmware_private_cloud.privatecloud.id
 }

AVS-Landing-Zone/GreenField/Terraform/terraform.tfvars

@@ -3,24 +3,26 @@
 prefix = "AVS"
 
 #Region to deploy the AVS Private Cloud and associated components
-region = "northeurope"
+region = "southafricanorth"
 
 #AVS requires a /22 CIDR range, this must not overlap with other networks to be used with AVS
-avs-networkblock = ""
-avs-sku          = "AV36P"
+avs-networkblock = "10.0.0.0/22"
+avs-sku          = "AV36"
 avs-hostcount    = 3
 hcx_key_names    = ["hcxsite1", "hcxsite2"]
 
 #Input the Jumpbox local username, password and SKU of your choice
-adminusername = ""
-adminpassword = ""
+
+key_vault_name = "jumpkeyvault"
+adminusername = "testuser"
 jumpboxsku    = "Standard_D2as_v4"
 
 #Virtual network address space and required subnets, can be any CIDR range
-vnetaddressspace   = ""
-gatewaysubnet      = ""
-azurebastionsubnet = ""
-jumpboxsubnet      = ""
+vnetaddressspace   = "192.168.1.0/24"
+gatewaysubnet      = "192.168.1.0/27"
+azurebastionsubnet = "192.168.1.64/26"
+jumpboxsubnet      = "192.168.1.128/25"
+nsg_name           = "testnsg"
 
 #Enable or Disable telemetry
 telemetry_enabled = true

AVS-Landing-Zone/GreenField/Terraform/variables.tf

@@ -29,10 +29,6 @@ variable "adminusername" {
   type = string
 }
 
-variable "adminpassword" {
-  type = string
-}
-
 variable "jumpboxsku" {
   type    = string
   default = "Standard_D2as_v4"
@@ -60,6 +56,16 @@ variable "hcx_key_names" {
   default     = []
 }
 
+variable "key_vault_name" {
+  type = string
+  description = "The name for the key vault used to store the jump virtual machine password."
+}
+
+variable "nsg_name" {
+  type = string
+  description = "The name to use for the default NSG deployed with the networks."
+}
+
 variable "telemetry_enabled" {
   type        = bool
   description = "toggle the telemetry on/off for this module"

BrownField/Monitoring/AVS-Dashboard/Terraform/main.tf

@@ -6,7 +6,7 @@ terraform {
   required_providers {
     azurerm = {
       source  = "hashicorp/azurerm"
-      version = "~>3.00"
+      version = "~>3.105"
     }
   }
 }

BrownField/Monitoring/AVS-Service-Health/Terraform/main.tf

@@ -6,7 +6,7 @@ terraform {
   required_providers {
     azurerm = {
       source  = "hashicorp/azurerm"
-      version = "~>2.68"
+      version = "~>3.105"
     }
   }
 }

BrownField/Monitoring/AVS-Utilization-Alerts/Terraform/main.tf

@@ -6,7 +6,7 @@ terraform {
   required_providers {
     azurerm = {
       source  = "hashicorp/azurerm"
-      version = "~>2.68"
+      version = "~>3.105"
     }
   }
 }

BrownField/Storage/AVS-to-ANFdatastore-NewVNet/Terraform/AVS-to-ANFdatastore-NewVNet.tfvars.sample

@@ -10,10 +10,10 @@ VNetAddressSpaceCIDR = ["10.4.0.0/16",]
 VNetGatewaySubnetCIDR = ["10.4.0.0/24",]
 VNetANFDelegatedSubnetCIDR = ["10.4.10.0/24",]
 GatewayName = "GatewayTF"
-GatewaySku = "UltraPerformance"
+GatewaySku = "ErGw3AZ"
 netappAccountName = "NetAppAccount-AVSdatastore"
 netappCapacityPoolName = "CapacityPool-AVSdatastore"
 netappCapacityPoolServiceLevel = "Premium"
 netappCapacityPoolSize = 4
 netappVolumeName = "ANFdatastore001"
-netappVolumeSize = 4398046511104
+netappVolumeSize = 100