diff --git a/.github/workflows/terraform.yml b/.github/workflows/terraform.yml index 54c15774..95d9c82b 100644 --- a/.github/workflows/terraform.yml +++ b/.github/workflows/terraform.yml @@ -35,6 +35,7 @@ on: description: Terraform module to target required: false options: + - all - acr - runner - network @@ -57,7 +58,7 @@ jobs: terraform_version: 1.9.5 - name: 'Terraform Init' - if: ${{ github.event.inputs.directory != '' }} + if: github.event.inputs.directory != '' working-directory: ${{ github.event.inputs.directory }} env: ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} @@ -91,8 +92,11 @@ jobs: ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }} run: | - terraform plan -target=module.${{ github.event.inputs.module }} -out main.tfplan - + if [${{ github.event.inputs.module }} == "all"]; then + terraform plan -out.main.tfplan + else + terraform plan -target=module.${{ github.event.inputs.module }} -out main.tfplan + fi - name: 'Terraform apply' if: | diff --git a/terraform/modules.tf b/terraform/modules.tf index 2b11941b..1321450d 100644 --- a/terraform/modules.tf +++ b/terraform/modules.tf @@ -12,7 +12,8 @@ module "runner" { resource_group_location = var.resource_group_location resource_group_name = module.network.resource_group.name resource_group_id = module.network.resource_group.id - subnet_id = module.network.azurerm_subnet.id + public_subnet_id = module.network.public_subnet.id + private_subnet_id = module.network.private_subnet.id } @@ -23,7 +24,7 @@ module "acr" { resource_group_location = var.resource_group_location resource_group_name = module.network.resource_group.name virtual_network = module.network.azurerm_virtual_network - subnet_id = module.network.azurerm_subnet.id + subnet_id = module.network.private_subnet.id } module "acg" { 
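Review bot: The new `all` branch of the 'Terraform plan' step can never run correctly: `[${{ github.event.inputs.module }} == "all"]` has no spaces inside the brackets, so bash looks for a command named `[all` and always falls through to `else`, and even if the branch were reached `-out.main.tfplan` is not a Terraform flag (the else branch's `-out main.tfplan` is the right form). The `else` branch then runs `terraform plan -target=module.all`, which fails on an unknown module, so selecting `all` breaks the workflow rather than planning everything. Interpolating the input straight into the script also differs from how the step passes its other values through `env:`; put the value in an environment variable and quote it in the script, as below. The `options:` and 'Terraform Init' hunks in this file are fine; the step's `if:` and the apply step continue outside the hunk.
```yaml
        env:
          # … unchanged: ARM_* credentials …
          TF_MODULE: ${{ github.event.inputs.module }}
        run: |
          if [ "$TF_MODULE" = "all" ]; then
            terraform plan -out main.tfplan
          else
            terraform plan -target="module.${TF_MODULE}" -out main.tfplan
          fi
```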
@@ -32,6 +33,6 @@ module "acg" { prefix = local.prefix resource_group_location = var.resource_group_location resource_group_name = module.network.resource_group.name - subnet_id = module.network.azurerm_subnet.id + subnet_id = module.network.private_subnet.id virtual_network = module.network.azurerm_virtual_network } diff --git a/terraform/modules/acg/main.tf b/terraform/modules/acg/main.tf index d3d3f7de..d79b8d1d 100644 --- a/terraform/modules/acg/main.tf +++ b/terraform/modules/acg/main.tf @@ -2,7 +2,7 @@ # Azure Compute Gallery and its Private Endpoint resource "azurerm_shared_image_gallery" "factory_image_gallery" { - name = "cariadImageFactoryGallery" + name = "wp10ImageFactoryGallery" resource_group_name = var.resource_group_name location = var.resource_group_location description = "Gallery for storing golden images" diff --git a/terraform/modules/network/network.tf b/terraform/modules/network/network.tf index db48a6ce..29883306 100644 --- a/terraform/modules/network/network.tf +++ b/terraform/modules/network/network.tf 
@@ -12,9 +12,47 @@ resource "azurerm_virtual_network" "wp10_vnet" { } # Create subnet -resource "azurerm_subnet" "wp10_subnet" { - name = "${var.prefix}-subnet" +resource "azurerm_subnet" "wp10_public_subnet" { + name = "${var.prefix}-public-subnet" resource_group_name = azurerm_resource_group.wp10_rg.name virtual_network_name = azurerm_virtual_network.wp10_vnet.name address_prefixes = ["10.0.1.0/24"] } + +# Create a private subnet +resource "azurerm_subnet" "wp10_private_subnet" { + name = "${var.prefix}-private-subnet" + resource_group_name = azurerm_resource_group.wp10_rg.name + virtual_network_name = azurerm_virtual_network.wp10_vnet.name + address_prefixes = ["10.0.2.0/24"] + default_outbound_access_enabled = false +} + + +# Create the Network Security Group +resource "azurerm_network_security_group" "ssh" { + name = "${var.prefix}-ssh-nsg" + location = azurerm_resource_group.wp10_rg.location + resource_group_name = azurerm_resource_group.wp10_rg.name +} + +# Create an NSG rule to allow SSH communication +resource "azurerm_network_security_rule" "ssh_rule" { + name = "SSH" + priority = 1001 + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_address_prefix = "10.0.1.0/24" # Public subnet + source_port_range = "*" + destination_address_prefix = "*" + destination_port_range = "22" + resource_group_name = azurerm_resource_group.wp10_rg.name + network_security_group_name = azurerm_network_security_group.ssh.name +} + +# Associate the NSG with the private subnet +resource "azurerm_subnet_network_security_group_association" "private_association" { + subnet_id = azurerm_subnet.wp10_private_subnet.id + network_security_group_id = azurerm_network_security_group.ssh.id +} \ No newline at end of file diff --git a/terraform/modules/network/outputs.tf b/terraform/modules/network/outputs.tf index fdee9018..34bc2465 100644 --- a/terraform/modules/network/outputs.tf +++ b/terraform/modules/network/outputs.tf 
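Review bot: The `ssh_rule` allow on `wp10_private_subnet` does not restrict anything by itself, because Azure's default `AllowVnetInBound` rule (priority 65000) already admits all traffic from the VNet, including the public subnet, on every port; the private subnet therefore stays reachable on everything, not only 22. If the intent is "only SSH from the jump-host subnet", add a deny for the `VirtualNetwork` source at a lower-precedence priority so the allow at 1001 becomes the only inbound path, as below. `source_address_prefix = "10.0.1.0/24"` also repeats the public subnet's literal prefix; reference `azurerm_subnet.wp10_public_subnet.address_prefixes[0]` so the two cannot drift. The file also ends without a trailing newline.
```hcl
resource "azurerm_network_security_rule" "ssh_rule" {
  # … unchanged: name, priority 1001, direction, access, protocol …
  source_address_prefix       = azurerm_subnet.wp10_public_subnet.address_prefixes[0] # Public subnet
  # … unchanged: remaining rule attributes …
}

# Deny everything else arriving from the VNet; without this the default
# AllowVnetInBound rule (priority 65000) makes the SSH allow above redundant.
resource "azurerm_network_security_rule" "deny_vnet_inbound" {
  name                        = "DenyVnetInBound"
  priority                    = 4000
  direction                   = "Inbound"
  access                      = "Deny"
  protocol                    = "*"
  source_address_prefix       = "VirtualNetwork"
  source_port_range           = "*"
  destination_address_prefix  = "*"
  destination_port_range      = "*"
  resource_group_name         = azurerm_resource_group.wp10_rg.name
  network_security_group_name = azurerm_network_security_group.ssh.name
}
```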
@@ -4,6 +4,10 @@ output "resource_group" { output "azurerm_virtual_network" { value = azurerm_virtual_network.wp10_vnet } -output "azurerm_subnet" { - value = azurerm_subnet.wp10_subnet +output "public_subnet" { + value = azurerm_subnet.wp10_public_subnet +} + +output "private_subnet" { + value = azurerm_subnet.wp10_private_subnet } diff --git a/terraform/modules/runner/jumphost.tf b/terraform/modules/runner/jumphost.tf new file mode 100644 index 00000000..3d55a706 --- /dev/null +++ b/terraform/modules/runner/jumphost.tf 
@@ -0,0 +1,54 @@
+# Create public IPs - development purposes only
+resource "azurerm_public_ip" "development_public_ip" {
+ name = "${var.prefix}-public-ip"
+ location = var.resource_group_location
+ resource_group_name = var.resource_group_name
+ allocation_method = "Dynamic"
+}
+
+# Create network interface
+resource "azurerm_network_interface" "jumphost_nic" {
+ name = "${var.prefix}-jumphost-nic"
+ location = var.resource_group_location
+ resource_group_name = var.resource_group_name
+
+ ip_configuration {
+ name = "my_nic_configuration"
+ subnet_id = var.public_subnet_id
+ private_ip_address_allocation = "Dynamic"
+ public_ip_address_id = azurerm_public_ip.development_public_ip.id
+ }
+}
+
+# Jumphost
+resource "azurerm_linux_virtual_machine" "jumphost" {
+ name = "${var.prefix}-jumphost-vm"
+ admin_username = var.username
+ location = var.resource_group_location
+ resource_group_name = var.resource_group_name
+ network_interface_ids = [azurerm_network_interface.jumphost_nic.id]
+ size = "Standard_B2ms"
+ computer_name = "jumphost"
+
+ os_disk {
+ name = "${var.prefix}-jumphost-vm-OsDisk"
+ caching = "ReadWrite"
+ storage_account_type = "Premium_LRS"
+ }
+
+ source_image_reference {
+ publisher = "Canonical"
+ offer = "ubuntu-24_04-lts"
+ sku = "server"
+ version = "latest"
+ }
+
+ admin_ssh_key {
+ username = var.username
+ public_key = azapi_resource_action.ssh_public_key_gen.output.publicKey
+ }
+
+ boot_diagnostics {
+ storage_account_uri = azurerm_storage_account.boot_diagnostics_storage_account.primary_blob_endpoint
+ }
+}
\ No newline at end of file
diff --git a/terraform/modules/runner/outputs.tf b/terraform/modules/runner/outputs.tf
index bd346953..0508f18c 100644
--- a/terraform/modules/runner/outputs.tf
+++ b/terraform/modules/runner/outputs.tf
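Review bot: `allocation_method = "Dynamic"` on `development_public_ip` gives the jump host an address that changes on every deallocate/start, so the module's `public_ip_address` output and any allow-list built from it go stale; `allocation_method = "Static"` together with `sku = "Standard"` (Standard SKU public IPs must be static) keeps it fixed. The NIC's exposure is also invisible from this file: the `azurerm_network_interface_security_group_association.example` that binds `ssh_nsg` to `jumphost_nic` lives in runner.tf, so either move that association next to the NIC here or add `# Inbound rules for this NIC: ssh_nsg, see runner.tf` above `jumphost_nic`. The `# Create public IPs - development purposes only` comment carried over from runner.tf should say what that means in practice, e.g. `# Public entry point for SSH; remove or gate behind an allow-list outside development`. The file ends without a trailing newline.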
@@ -1,5 +1,9 @@ output "public_ip_address" { - value = azurerm_linux_virtual_machine.main.public_ip_address + value = azurerm_linux_virtual_machine.jumphost.public_ip_address +} + +output "private_ip_address" { + value = azurerm_linux_virtual_machine.runner.private_ip_address } output "key_data" { diff --git a/terraform/modules/runner/runner.tf b/terraform/modules/runner/runner.tf index 271a5c84..baea2ca8 100644 --- a/terraform/modules/runner/runner.tf +++ b/terraform/modules/runner/runner.tf 
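Review bot: `public_ip_address` now returns the jump host's address while its name still reads as the runner's, and the sibling output added here is runner-centric; renaming it `jumphost_public_ip_address` (and updating the root outputs.tf consumer, which this diff changes to export the whole module anyway) would make the split explicit. `output "key_data"` continues outside the hunk.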
@@ -1,65 +1,28 @@ -# Create public IPs - development purposes only -resource "azurerm_public_ip" "development_public_ip" { - name = "${var.prefix}-public-ip" - location = var.resource_group_location - resource_group_name = var.resource_group_name - allocation_method = "Dynamic" -} - # Create network interface resource "azurerm_network_interface" "runner_nic" { - name = "${var.prefix}-nic" + name = "${var.prefix}-runner-nic" location = var.resource_group_location resource_group_name = var.resource_group_name ip_configuration { name = "my_nic_configuration" - subnet_id = var.subnet_id + subnet_id = var.private_subnet_id private_ip_address_allocation = "Dynamic" - public_ip_address_id = azurerm_public_ip.development_public_ip.id } } -# Create Network Security Group and rules -resource "azurerm_network_security_group" "ssh_nsg" { - name = "${var.prefix}-nsg" - location = var.resource_group_location - resource_group_name = var.resource_group_name - - security_rule { - name = "SSH" - priority = 1000 - direction = "Inbound" - access = "Allow" - protocol = "*" - source_port_range = "*" - destination_port_range = "22" - source_address_prefix = "*" - destination_address_prefix = "*" - } -} - -# Connect the security group to the network interface -resource "azurerm_network_interface_security_group_association" "example" { - network_interface_id = azurerm_network_interface.runner_nic.id - network_security_group_id = azurerm_network_security_group.ssh_nsg.id -} - - # Create virtual machine -resource "azurerm_linux_virtual_machine" "main" { - name = "${var.prefix}-vm" +resource "azurerm_linux_virtual_machine" "runner" { + name = "${var.prefix}-runner-vm" admin_username = var.username location = var.resource_group_location resource_group_name = var.resource_group_name network_interface_ids = [azurerm_network_interface.runner_nic.id] size = "Standard_B2ms" - - computer_name = "hostname" - + computer_name = "runner" os_disk { - name = "runnerOsDisk" + name = 
"${var.prefix}-runner-vm-OsDisk" caching = "ReadWrite" storage_account_type = "Premium_LRS" } @@ -90,12 +53,36 @@ resource "azurerm_storage_account" "boot_diagnostics_storage_account" { account_replication_type = "LRS" } -# Generate random text for a unique storage account name resource "random_id" "random_id" { keepers = { - # Generate a new ID only when a new resource group is defined resource_group_name = var.resource_group_name } - byte_length = 8 +} + + + +# Create Network Security Group and rules +resource "azurerm_network_security_group" "ssh_nsg" { + name = "${var.prefix}-nsg" + location = var.resource_group_location + resource_group_name = var.resource_group_name + + security_rule { + name = "SSH" + priority = 1000 + direction = "Inbound" + access = "Allow" + protocol = "*" + source_port_range = "*" + destination_port_range = "22" + source_address_prefix = "*" + destination_address_prefix = "*" + } +} + +# Connect the security group to the network interface +resource "azurerm_network_interface_security_group_association" "example" { + network_interface_id = azurerm_network_interface.jumphost_nic.id + network_security_group_id = azurerm_network_security_group.ssh_nsg.id } \ No newline at end of file diff --git a/terraform/modules/runner/variables.tf b/terraform/modules/runner/variables.tf index 6a720271..ae5649e3 100644 --- a/terraform/modules/runner/variables.tf +++ b/terraform/modules/runner/variables.tf @@ -18,7 +18,12 @@ variable "resource_group_id" { description = "Id of the resource group." } -variable "subnet_id" { +variable "public_subnet_id" { + type = string + description = "Id of the subnet." +} + +variable "private_subnet_id" { type = string description = "Id of the subnet." } diff --git a/terraform/outputs.tf b/terraform/outputs.tf index 9c92c03a..95033650 100644 --- a/terraform/outputs.tf +++ b/terraform/outputs.tf 
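Review bot: The relocated `ssh_nsg` rule keeps `source_address_prefix = "*"` and `protocol = "*"`, and its association now targets `jumphost_nic`, the interface that carries the public IP; port 22 on the jump host is therefore reachable from any Internet address, and that host is also the only permitted SSH source into the private subnet (network.tf). Restrict it to a caller-supplied CIDR, `source_address_prefix = var.ssh_allowed_source_prefix` with `protocol = "Tcp"`, declaring that variable without a default in variables.tf, which this diff already touches. Separately, the hunk deletes `byte_length = 8` from `random_id.random_id` and adds nothing in its place; unless it is set elsewhere in that resource, `byte_length` is a required argument and validation will fail. The removed comment on `keepers` explained the regeneration trigger; keep it as `# Regenerate the ID only when the resource group changes`.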
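Review bot: `public_subnet_id` and `private_subnet_id` carry the identical description `"Id of the subnet."`, which tells a caller nothing about which is which; `description = "Id of the public subnet the jump host NIC is placed in."` and `description = "Id of the private subnet the runner NIC is placed in."` match how jumphost.tf and runner.tf use them.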
@@ -1,7 +1,7 @@
-output "resource_group_name" {
- value = module.network
+output "network_name" {
+ value = module.network.resource_group.name
 }
 
-output "key_data" {
- value = module.runner.key_data
-}
\ No newline at end of file
+output "runner_data" {
+ value = module.runner
+}
\ No newline at end of file
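Review bot: `output "runner_data" { value = module.runner }` re-exports every output of the runner module, including `key_data` (its outputs.tf in this diff); if that value is the generated SSH key material, as its use alongside `ssh_public_key_gen` suggests, it now lands unmarked in the root state and in the `terraform apply` log of the GitHub Actions workflow. Export the fields actually needed, `value = module.runner.public_ip_address` and `value = module.runner.private_ip_address` as separate outputs, or at minimum add `sensitive = true` to `runner_data`. `network_name` also returns the resource group's name rather than a network name; the previous `resource_group_name` was the accurate identifier.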