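// Execute this main file to configure ASGs and NSGs for a given application.
//
// Every *DestinationTcpPorts / *DestinationUdpPorts parameter is the list of
// destination ports handed to modules/nsg.bicep for that server role. The
// defaults are a starting point: several of them are deliberately broad
// (whole port ranges, UDP mirrors of TCP-only services) and should be narrowed
// to what the application really listens on before use outside dev.

// Parameters
@description('Azure region used for the deployment resources.')
param location string = resourceGroup().location

// Kept separate from `location` because the naming convention's region codes
// do not match Azure's region IDs in all cases.
@description('Azure region code used in naming convention')
param regionName string = 'usc'

// Both names end up in vNet/subnet/NSG resource names, so an empty value would
// produce names like 'vnet--usc-dev'.
@description('Business Unit Name (No Spaces)')
@minLength(1)
param businessUnitName string = 'MyBU'

@description('Application Name (No Spaces)')
@minLength(1)
param applicationName string = 'MyApplication'

// Enforces the documented 4-character contract (lower-cased into applicationId).
@description('4 Digit Application Code')
@minLength(4)
@maxLength(4)
param applicationCode string = 'MYAP'

// Constrained to the documented values: the environment is embedded in every
// resource name built below, so an arbitrary string would silently create a
// parallel set of names.
@description('Environment (dev, prod, qa)')
@allowed([
  'dev'
  'qa'
  'prod'
])
param environment string = 'dev'

// NOTE(review): these CIDRs are passed through to the NSG module; presumably
// they become trusted source prefixes for management/monitoring rules, so keep
// them as narrow as the real subnets (verify in modules/nsg.bicep).
@description('Azure Bastion Subnet CIDR')
param bastionSubnet string = '10.16.11.192/26'

//Not Needed?
//@description('Active Directory Subnet CIDR')
//param activeDirectorySubnet string = '10.x.y.0/24'

@description('Monitoring Subnet CIDR')
param monitoringSubnet string = '10.16.3.0/26'

// NOTE(review): the defaults open the entire registered-port range (1024-49151)
// on both TCP and UDP. Replace with the application's actual listening ports.
@description('Application Server Destination TCP Ports')
param applicationServerDestinationTcpPorts array = ['1024-49151']
@description('Application Server Destination UDP Ports')
param applicationServerDestinationUdpPorts array = ['1024-49151']

@description('Build Server Destination TCP Ports')
param buildServerDestinationTcpPorts array = ['3389']
@description('Build Server Destination UDP Ports')
param buildServerDestinationUdpPorts array = ['3389']

@description('Caching Server Destination TCP Ports')
param cachingServerDestinationTcpPorts array = ['6379-6380', '9443', '8080', '8000-8001']
@description('Caching Server Destination UDP Ports')
param cachingServerDestinationUdpPorts array = ['53', '5353']

@description('DataWarehouse Destination TCP Ports')
param dataWarehouseDestinationTcpPorts array = ['1433-1434']
@description('DataWarehouse Destination UDP Ports')
param dataWarehouseDestinationUdpPorts array = ['1434']

// NOTE(review): 49152-65535 is the dynamic RPC/ephemeral range; narrow it if
// RPC is pinned to a static port on the database hosts.
@description('Database Destination TCP Ports')
param databaseDestinationTcpPorts array = ['135', '139', '443', '445', '1433-1434', '2383', '2393-2394', '2725', '3882', '4022', '5022', '7022', '49152-65535']
@description('Database Destination UDP Ports')
param databaseDestinationUdpPorts array = ['135', '138', '445', '500', '1434', '2382', '3343', '4500', '5000-5099', '8011-8031']

@description('Development Server Destination TCP Ports')
param developmentServerDestinationTcpPorts array = ['3389']
@description('Development Server Destination UDP Ports')
param developmentServerDestinationUdpPorts array = ['3389']

//TODO: Add Dynamic RPC port range or select a static port based on AD configuration
// NOTE(review): 1723 is PPTP rather than an AD service port - confirm it is
// intentional. Kerberos password change (464) and NTP (UDP 123) are commonly
// required by domain members but are not in these defaults; verify the list
// against your AD design.
@description('Domain Controller Destination TCP Ports')
param domainControllerServerDestinationTcpPorts array = ['53', '88', '135', '389', '445', '636', '1723', '3268-3269']
@description('Domain Controller Destination UDP Ports')
param domainControllerServerDestinationUdpPorts array = ['53', '88', '389']

//TODO: Determine how to enable Active FTP
// NOTE(review): FTP control (21) is TCP-only; the UDP default mirrors it and can
// normally be emptied.
@description('FTP File Server Destination TCP Ports')
param ftpFileServerDestinationTcpPorts array = ['21']
@description('FTP File Server Destination UDP Ports')
param ftpFileServerDestinationUdpPorts array = ['21']

//Add 80 if required/allowed
@description('Object File Server (blobs, for example) Destination TCP Ports')
param objFileServerDestinationTcpPorts array = ['443']
@description('Object File Server (blobs, for example) Destination UDP Ports')
param objFileServerDestinationUdpPorts array = ['443']

// NOTE(review): SSH/SFTP/SCP is TCP-only; the UDP default mirrors it and can
// normally be emptied.
@description('SCP (SSH/SFTP) File Server Destination TCP Ports')
param scpFileServerDestinationTcpPorts array = ['22']
@description('SCP (SSH/SFTP) File Server Destination UDP Ports')
param scpFileServerDestinationUdpPorts array = ['22']

@description('SMB/SAMBA/Windows File Server Destination TCP Ports')
param smbFileServerDestinationTcpPorts array = ['139', '445']
@description('SMB/SAMBA/Windows File Server Destination UDP Ports')
param smbFileServerDestinationUdpPorts array = ['137-138']

//Jump Servers shouldn't be used unless absolutely required. Use Azure bastion instead.
//Additional Configuration is required.
@description('Jump Server Destination TCP Ports')
param jumpServerDestinationTcpPorts array = ['3389']
@description('Jump Server Destination UDP Ports')
param jumpServerDestinationUdpPorts array = ['3389']

@description('Logging Server Destination TCP Ports')
param loggingServerDestinationTcpPorts array = ['601']
@description('Logging Server Destination UDP Ports')
param loggingServerDestinationUdpPorts array = ['514']

// NOTE(review): as with the database role, 49152-65535 is the dynamic RPC range.
@description('Print Server Destination TCP Ports')
param printServerDestinationTcpPorts array = ['135', '139', '445', '49152-65535']
@description('Print Server Destination UDP Ports')
param printServerDestinationUdpPorts array = ['137-138']

@description('Proxy Server Destination TCP Ports')
param proxyServerDestinationTcpPorts array = ['22', '80', '443', '1080-1081', '3128', '8080', '8008']
// Spaces removed from the range: NSG port ranges are written as `low-high`
// with no whitespace, and the previous '16384 - 32767' form is not a valid
// port-range token.
@description('Proxy Server Destination UDP Ports')
param proxyServerDestinationUdpPorts array = ['16384-32767']

// NOTE(review): plain HTTP (80) is TCP-only; UDP 443 is only meaningful if the
// web servers actually serve HTTP/3 (QUIC).
@description('Web Server Destination TCP Ports')
param webServerDestinationTcpPorts array = ['80', '443']
@description('Web Server Destination UDP Ports')
param webServerDestinationUdpPorts array = ['80', '443']

// Override switches for existing vNets/subnets that do not follow the naming
// convention. The placeholder defaults ({bu}, {regionCode}, ...) are NOT
// validated: when the override flag is true the matching name must be set to
// the real resource name, otherwise the subnet assignment targets a resource
// that does not exist.
@description('Override vNet Name?')
param overrideVnet bool = false
@description('vNet Name. Set the appropriate BU, Region Code & Environment')
param overrideVnetName string = 'vnet-{bu}-{regionCode}-{env}'
@description('Override subnet Name?')
param overrideSubnet bool = false
@description('Subnet Name. Set the appropriate BU, Application, Region Code & Environment')
param overrideSubnetName string = 'snet-{application}-{regionCode}-{env}'

@description('Set of tags to apply to all resources.')
param tags object = {}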
// Variables
// Resource names follow <type>-<scope>-<regionCode>-<env>: the vNet is scoped
// by business unit, the subnet and NSG by application.
var vnetName = format('vnet-{0}-{1}-{2}', businessUnitName, regionName, environment)
var subnetName = format('snet-{0}-{1}-{2}', applicationName, regionName, environment)
var nsgName = format('nsg-{0}-{1}-{2}', applicationName, regionName, environment)
// Lower-cased application code passed to the ASG module as its identifier.
var applicationId = toLower(applicationCode)
//Modules
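// Application security groups for each server role; their resource ids are
// consumed by the NSG module below.
module setAsgByFunction 'modules/asg.bicep' = {
  // The deployment name now carries the region code, matching the NSG and
  // subnet-assignment deployments, so the same application deployed to two
  // regions in one resource group does not reuse a deployment name.
  name: 'asg-${applicationName}-${regionName}-${environment}-deployment'
  params: {
    location: location
    applicationId: applicationId
    environment: environment
    // NOTE(review): `tags` is forwarded to the NSG module but not here; add a
    // tags parameter to modules/asg.bicep if the ASGs should be tagged too.
  }
}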
// Network security group for the application subnet. Parameters are grouped
// per server role: the ASG id created above plus the TCP and UDP destination
// port lists that role is allowed to receive.
module setNsgByApplication 'modules/nsg.bicep' = {
  name: '${nsgName}-deployment'
  params: {
    // Placement and naming
    location: location
    applicationName: applicationName
    environment: environment
    regionName: regionName
    tags: tags

    // Management / monitoring source networks
    bastionSubnet: bastionSubnet
    monitoringSubnet: monitoringSubnet

    // Application-wide ASG (no dedicated port list)
    mainApplicationAsgId: setAsgByFunction.outputs.mainApplicationAsgId

    // Application servers
    applicationServerAsgId: setAsgByFunction.outputs.applicationServerAsgId
    applicationServerDestinationTcpPorts: applicationServerDestinationTcpPorts
    applicationServerDestinationUdpPorts: applicationServerDestinationUdpPorts

    // Build servers
    buildServerAsgId: setAsgByFunction.outputs.buildServerAsgId
    buildServerDestinationTcpPorts: buildServerDestinationTcpPorts
    buildServerDestinationUdpPorts: buildServerDestinationUdpPorts

    // Caching servers
    cachingServerAsgId: setAsgByFunction.outputs.cachingServerAsgId
    cachingServerDestinationTcpPorts: cachingServerDestinationTcpPorts
    cachingServerDestinationUdpPorts: cachingServerDestinationUdpPorts

    // Data warehouse
    dataWarehouseAsgId: setAsgByFunction.outputs.dataWarehouseAsgId
    dataWarehouseDestinationTcpPorts: dataWarehouseDestinationTcpPorts
    dataWarehouseDestinationUdpPorts: dataWarehouseDestinationUdpPorts

    // Database
    databaseAsgId: setAsgByFunction.outputs.databaseAsgId
    databaseDestinationTcpPorts: databaseDestinationTcpPorts
    databaseDestinationUdpPorts: databaseDestinationUdpPorts

    // Development servers
    developmentServerAsgId: setAsgByFunction.outputs.developmentServerAsgId
    developmentServerDestinationTcpPorts: developmentServerDestinationTcpPorts
    developmentServerDestinationUdpPorts: developmentServerDestinationUdpPorts

    // Domain controllers
    domainControllerServerAsgId: setAsgByFunction.outputs.domainControllerServerAsgId
    domainControllerServerDestinationTcpPorts: domainControllerServerDestinationTcpPorts
    domainControllerServerDestinationUdpPorts: domainControllerServerDestinationUdpPorts

    // File servers: FTP, object storage, SCP/SFTP, SMB
    ftpFileServerAsgId: setAsgByFunction.outputs.ftpFileServerAsgId
    ftpFileServerDestinationTcpPorts: ftpFileServerDestinationTcpPorts
    ftpFileServerDestinationUdpPorts: ftpFileServerDestinationUdpPorts
    objFileServerAsgId: setAsgByFunction.outputs.objFileServerAsgId
    objFileServerDestinationTcpPorts: objFileServerDestinationTcpPorts
    objFileServerDestinationUdpPorts: objFileServerDestinationUdpPorts
    scpFileServerAsgId: setAsgByFunction.outputs.scpFileServerAsgId
    scpFileServerDestinationTcpPorts: scpFileServerDestinationTcpPorts
    scpFileServerDestinationUdpPorts: scpFileServerDestinationUdpPorts
    smbFileServerAsgId: setAsgByFunction.outputs.smbFileServerAsgId
    smbFileServerDestinationTcpPorts: smbFileServerDestinationTcpPorts
    smbFileServerDestinationUdpPorts: smbFileServerDestinationUdpPorts

    // Jump servers (prefer Azure Bastion; see parameter comments)
    jumpServerAsgId: setAsgByFunction.outputs.jumpServerAsgId
    jumpServerDestinationTcpPorts: jumpServerDestinationTcpPorts
    jumpServerDestinationUdpPorts: jumpServerDestinationUdpPorts

    // Logging servers
    loggingServerAsgId: setAsgByFunction.outputs.loggingServerAsgId
    loggingServerDestinationTcpPorts: loggingServerDestinationTcpPorts
    loggingServerDestinationUdpPorts: loggingServerDestinationUdpPorts

    // Print servers
    printServerAsgId: setAsgByFunction.outputs.printServerAsgId
    printServerDestinationTcpPorts: printServerDestinationTcpPorts
    printServerDestinationUdpPorts: printServerDestinationUdpPorts

    // Proxy servers
    proxyServerAsgId: setAsgByFunction.outputs.proxyServerAsgId
    proxyServerDestinationTcpPorts: proxyServerDestinationTcpPorts
    proxyServerDestinationUdpPorts: proxyServerDestinationUdpPorts

    // Web servers
    webServerAsgId: setAsgByFunction.outputs.webServerAsgId
    webServerDestinationTcpPorts: webServerDestinationTcpPorts
    webServerDestinationUdpPorts: webServerDestinationUdpPorts
  }
}
// Resolve the target vNet/subnet names once: the override name wins only when
// the matching override switch is set, otherwise the convention-based name is
// used.
var targetVnetName = overrideVnet ? overrideVnetName : vnetName
var targetSubnetName = overrideSubnet ? overrideSubnetName : subnetName

// Attach the NSG created above to the application subnet.
// NOTE(review): judging by the module name this associates the NSG with the
// subnet; if the subnet already has an NSG that association would presumably be
// replaced - confirm in modules/assignNsgToSubnet.bicep before running against
// an existing subnet.
module setSubnetWithNsg 'modules/assignNsgToSubnet.bicep' = {
  name: 'subnetNsgAssignment-${applicationName}-${environment}-deployment'
  params: {
    nsgId: setNsgByApplication.outputs.nsgId
    vnetName: targetVnetName
    subnetName: targetSubnetName
  }
}