feat: air-gap (#7)

Already deployed on dev, Runner Host VM has no access to the internet
comsysto · Sep 19, 2024 · b976d29 · b976d29
1 parent e9e8338
commit b976d29
Show file tree

Hide file tree

Showing 10 changed files with 161 additions and 64 deletions.
diff --git a/.github/workflows/terraform.yml b/.github/workflows/terraform.yml
@@ -35,6 +35,7 @@ on:
  description: Terraform module to target
  required: false
  options: 
+ - all
  - acr
  - runner
  - network
@@ -57,7 +58,7 @@ jobs:
  terraform_version: 1.9.5
 
  - name: 'Terraform Init'
- if: ${{ github.event.inputs.directory != '' }}
+ if: github.event.inputs.directory != ''
  working-directory: ${{ github.event.inputs.directory }}
  env: 
  ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
@@ -91,8 +92,11 @@ jobs:
  ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
  ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
  run: |
- terraform plan -target=module.${{ github.event.inputs.module }} -out main.tfplan
-
+ if [${{ github.event.inputs.module }} == "all"]; then
+ terraform plan -out.main.tfplan
+ else
+ terraform plan -target=module.${{ github.event.inputs.module }} -out main.tfplan
+ fi
 
  - name: 'Terraform apply'
  if: |

diff --git a/terraform/modules.tf b/terraform/modules.tf
@@ -12,7 +12,8 @@ module "runner" {
  resource_group_location = var.resource_group_location
  resource_group_name = module.network.resource_group.name
  resource_group_id = module.network.resource_group.id
- subnet_id = module.network.azurerm_subnet.id
+ public_subnet_id = module.network.public_subnet.id
+ private_subnet_id = module.network.private_subnet.id
 }
 
 
@@ -23,7 +24,7 @@ module "acr" {
  resource_group_location = var.resource_group_location
  resource_group_name = module.network.resource_group.name
  virtual_network = module.network.azurerm_virtual_network
- subnet_id = module.network.azurerm_subnet.id
+ subnet_id = module.network.private_subnet.id
 }
 
 module "acg" {
@@ -32,6 +33,6 @@ module "acg" {
  prefix = local.prefix
  resource_group_location = var.resource_group_location
  resource_group_name = module.network.resource_group.name
- subnet_id = module.network.azurerm_subnet.id
+ subnet_id = module.network.private_subnet.id
  virtual_network = module.network.azurerm_virtual_network
 }
diff --git a/terraform/modules/acg/main.tf b/terraform/modules/acg/main.tf
@@ -2,7 +2,7 @@
 
 # Azure Compute Gallery and its Private Endpoint
 resource "azurerm_shared_image_gallery" "factory_image_gallery" {
- name = "cariadImageFactoryGallery"
+ name = "wp10ImageFactoryGallery"
  resource_group_name = var.resource_group_name
  location = var.resource_group_location
  description = "Gallery for storing golden images"

diff --git a/terraform/modules/network/network.tf b/terraform/modules/network/network.tf
@@ -12,9 +12,47 @@ resource "azurerm_virtual_network" "wp10_vnet" {
 }
 
 # Create subnet
-resource "azurerm_subnet" "wp10_subnet" {
- name = "${var.prefix}-subnet"
+resource "azurerm_subnet" "wp10_public_subnet" {
+ name = "${var.prefix}-public-subnet"
  resource_group_name = azurerm_resource_group.wp10_rg.name
  virtual_network_name = azurerm_virtual_network.wp10_vnet.name
  address_prefixes = ["10.0.1.0/24"]
 }
+
+# Create a private subnet
+resource "azurerm_subnet" "wp10_private_subnet" {
+ name = "${var.prefix}-private-subnet"
+ resource_group_name = azurerm_resource_group.wp10_rg.name
+ virtual_network_name = azurerm_virtual_network.wp10_vnet.name
+ address_prefixes = ["10.0.2.0/24"]
+ default_outbound_access_enabled = false
+}
+
+
+# Create the Network Security Group
+resource "azurerm_network_security_group" "ssh" {
+ name = "${var.prefix}-ssh-nsg"
+ location = azurerm_resource_group.wp10_rg.location
+ resource_group_name = azurerm_resource_group.wp10_rg.name
+}
+
+# Create an NSG rule to allow SSH communication
+resource "azurerm_network_security_rule" "ssh_rule" {
+ name = "SSH"
+ priority = 1001
+ direction = "Inbound"
+ access = "Allow"
+ protocol = "Tcp"
+ source_address_prefix = "10.0.1.0/24" # Public subnet
+ source_port_range = "*"
+ destination_address_prefix = "*"
+ destination_port_range = "22"
+ resource_group_name = azurerm_resource_group.wp10_rg.name
+ network_security_group_name = azurerm_network_security_group.ssh.name
+}
+
+# Associate the NSG with the private subnet
+resource "azurerm_subnet_network_security_group_association" "private_association" {
+ subnet_id = azurerm_subnet.wp10_private_subnet.id
+ network_security_group_id = azurerm_network_security_group.ssh.id
+}
diff --git a/terraform/modules/network/outputs.tf b/terraform/modules/network/outputs.tf
@@ -4,6 +4,10 @@ output "resource_group" {
 output "azurerm_virtual_network" {
  value = azurerm_virtual_network.wp10_vnet
 }
-output "azurerm_subnet" {
- value = azurerm_subnet.wp10_subnet
+output "public_subnet" {
+ value = azurerm_subnet.wp10_public_subnet
+}
+
+output "private_subnet" {
+ value = azurerm_subnet.wp10_private_subnet
 }
diff --git a/terraform/modules/runner/jumphost.tf b/terraform/modules/runner/jumphost.tf
@@ -0,0 +1,54 @@
+# Create public IPs - development purposes only
+resource "azurerm_public_ip" "development_public_ip" {
+ name = "${var.prefix}-public-ip"
+ location = var.resource_group_location
+ resource_group_name = var.resource_group_name
+ allocation_method = "Dynamic"
+}
+
+# Create network interface
+resource "azurerm_network_interface" "jumphost_nic" {
+ name = "${var.prefix}-jumphost-nic"
+ location = var.resource_group_location
+ resource_group_name = var.resource_group_name
+
+ ip_configuration {
+ name = "my_nic_configuration"
+ subnet_id = var.public_subnet_id
+ private_ip_address_allocation = "Dynamic"
+ public_ip_address_id = azurerm_public_ip.development_public_ip.id
+ }
+}
+
+# Jumphost
+resource "azurerm_linux_virtual_machine" "jumphost" {
+ name = "${var.prefix}-jumphost-vm"
+ admin_username = var.username
+ location = var.resource_group_location
+ resource_group_name = var.resource_group_name
+ network_interface_ids = [azurerm_network_interface.jumphost_nic.id]
+ size = "Standard_B2ms"
+ computer_name = "jumphost"
+
+ os_disk {
+ name = "${var.prefix}-jumphost-vm-OsDisk"
+ caching = "ReadWrite"
+ storage_account_type = "Premium_LRS"
+ }
+
+ source_image_reference {
+ publisher = "Canonical"
+ offer = "ubuntu-24_04-lts"
+ sku = "server"
+ version = "latest"
+ }
+
+ admin_ssh_key {
+ username = var.username
+ public_key = azapi_resource_action.ssh_public_key_gen.output.publicKey
+ }
+
+ boot_diagnostics {
+ storage_account_uri = azurerm_storage_account.boot_diagnostics_storage_account.primary_blob_endpoint
+ }
+}
diff --git a/terraform/modules/runner/outputs.tf b/terraform/modules/runner/outputs.tf
@@ -1,5 +1,9 @@
 output "public_ip_address" {
- value = azurerm_linux_virtual_machine.main.public_ip_address
+ value = azurerm_linux_virtual_machine.jumphost.public_ip_address
+}
+
+output "private_ip_address" {
+ value = azurerm_linux_virtual_machine.runner.private_ip_address
 }
 
 output "key_data" {

diff --git a/terraform/modules/runner/runner.tf b/terraform/modules/runner/runner.tf
@@ -1,65 +1,28 @@
-# Create public IPs - development purposes only
-resource "azurerm_public_ip" "development_public_ip" {
- name = "${var.prefix}-public-ip"
- location = var.resource_group_location
- resource_group_name = var.resource_group_name
- allocation_method = "Dynamic"
-}
-
 # Create network interface
 resource "azurerm_network_interface" "runner_nic" {
- name = "${var.prefix}-nic"
+ name = "${var.prefix}-runner-nic"
  location = var.resource_group_location
  resource_group_name = var.resource_group_name
 
  ip_configuration {
  name = "my_nic_configuration"
- subnet_id = var.subnet_id
+ subnet_id = var.private_subnet_id
  private_ip_address_allocation = "Dynamic"
- public_ip_address_id = azurerm_public_ip.development_public_ip.id
  }
 }
 
-# Create Network Security Group and rules
-resource "azurerm_network_security_group" "ssh_nsg" {
- name = "${var.prefix}-nsg"
- location = var.resource_group_location
- resource_group_name = var.resource_group_name
-
- security_rule {
- name = "SSH"
- priority = 1000
- direction = "Inbound"
- access = "Allow"
- protocol = "*"
- source_port_range = "*"
- destination_port_range = "22"
- source_address_prefix = "*"
- destination_address_prefix = "*"
- }
-}
-
-# Connect the security group to the network interface
-resource "azurerm_network_interface_security_group_association" "example" {
- network_interface_id = azurerm_network_interface.runner_nic.id
- network_security_group_id = azurerm_network_security_group.ssh_nsg.id
-}
-
-
 # Create virtual machine
-resource "azurerm_linux_virtual_machine" "main" {
- name = "${var.prefix}-vm"
+resource "azurerm_linux_virtual_machine" "runner" {
+ name = "${var.prefix}-runner-vm"
  admin_username = var.username
  location = var.resource_group_location
  resource_group_name = var.resource_group_name
  network_interface_ids = [azurerm_network_interface.runner_nic.id]
  size = "Standard_B2ms"
-
- computer_name = "hostname"
-
+ computer_name = "runner"
 
  os_disk {
- name = "runnerOsDisk"
+ name = "${var.prefix}-runner-vm-OsDisk"
  caching = "ReadWrite"
  storage_account_type = "Premium_LRS"
  }
@@ -90,12 +53,36 @@ resource "azurerm_storage_account" "boot_diagnostics_storage_account" {
  account_replication_type = "LRS"
 }
 
-# Generate random text for a unique storage account name
 resource "random_id" "random_id" {
  keepers = {
- # Generate a new ID only when a new resource group is defined
  resource_group_name = var.resource_group_name
  }
-
  byte_length = 8
+}
+
+
+
+# Create Network Security Group and rules
+resource "azurerm_network_security_group" "ssh_nsg" {
+ name = "${var.prefix}-nsg"
+ location = var.resource_group_location
+ resource_group_name = var.resource_group_name
+
+ security_rule {
+ name = "SSH"
+ priority = 1000
+ direction = "Inbound"
+ access = "Allow"
+ protocol = "*"
+ source_port_range = "*"
+ destination_port_range = "22"
+ source_address_prefix = "*"
+ destination_address_prefix = "*"
+ }
+}
+
+# Connect the security group to the network interface
+resource "azurerm_network_interface_security_group_association" "example" {
+ network_interface_id = azurerm_network_interface.jumphost_nic.id
+ network_security_group_id = azurerm_network_security_group.ssh_nsg.id
 }
diff --git a/terraform/modules/runner/variables.tf b/terraform/modules/runner/variables.tf
@@ -18,7 +18,12 @@ variable "resource_group_id" {
  description = "Id of the resource group."
 }
 
-variable "subnet_id" {
+variable "public_subnet_id" {
+ type = string
+ description = "Id of the subnet."
+}
+
+variable "private_subnet_id" {
  type = string
  description = "Id of the subnet."
 }

diff --git a/terraform/outputs.tf b/terraform/outputs.tf
@@ -1,7 +1,7 @@
-output "resource_group_name" {
- value = module.network
+output "network_name" {
+ value = module.network.resource_group.name
 }
 
-output "key_data" {
- value = module.runner.key_data
-}
+output "runner_data" {
+ value = module.runner
+}