Add Tier 3 Workload Templates and Stand Alone Script. (#220)

* Copy tier template for 3 * Bare minimum setup for deploying a tier 3 * Docs. * Update src/scripts/config/generate_config_file.sh Co-authored-by: Glenn Musa <4622125+glennmusa@users.noreply.github.com> * Update src/scripts/terraform/create_globals_from_config.sh Co-authored-by: Glenn Musa <4622125+glennmusa@users.noreply.github.com> * Update src/scripts/config/generate_config_file.sh Co-authored-by: Glenn Musa <4622125+glennmusa@users.noreply.github.com> * Link to workload doc from the getting started doc * fix tier3 var usage * Update src/docs/workload-deployment.md Co-authored-by: Brooke Hamilton <45323234+brooke-hamilton@users.noreply.github.com> * Update src/docs/workload-deployment.md Co-authored-by: Brooke Hamilton <45323234+brooke-hamilton@users.noreply.github.com> * Update src/docs/workload-deployment.md Co-authored-by: Brooke Hamilton <45323234+brooke-hamilton@users.noreply.github.com> * Fixed links * Fixed link Co-authored-by: Bree Stryker <b-s-no-reply@microsoft.com> Co-authored-by: Glenn Musa <4622125+glennmusa@users.noreply.github.com> Co-authored-by: Brooke Hamilton <brooke.hamilton@microsoft.com> Co-authored-by: Brooke Hamilton <45323234+brooke-hamilton@users.noreply.github.com>
Azure · May 26, 2021 · 4ad561a · 4ad561a
1 parent f83d387
commit 4ad561a
Show file tree

Hide file tree

Showing 13 changed files with 762 additions and 3 deletions.
diff --git a/src/core/tier-3/main.tf b/src/core/tier-3/main.tf
@@ -0,0 +1,147 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+terraform {
+  backend "azurerm" {}
+
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = "= 2.55.0"
+    }
+    random = {
+      source  = "hashicorp/random"
+      version = "= 3.1.0"
+    }
+  }
+}
+
+provider "azurerm" {
+  environment     = var.tf_environment
+  metadata_host   = var.mlz_metadatahost
+  tenant_id       = var.mlz_tenantid
+  subscription_id = var.tier3_subid
+  client_id       = var.mlz_clientid
+  client_secret   = var.mlz_clientsecret
+
+  features {}
+}
+
+provider "azurerm" {
+  alias           = "hub"
+  environment     = var.tf_environment
+  metadata_host   = var.mlz_metadatahost
+  tenant_id       = var.mlz_tenantid
+  subscription_id = var.saca_subid
+  client_id       = var.mlz_clientid
+  client_secret   = var.mlz_clientsecret
+
+  features {}
+}
+
+provider "random" {
+}
+
+data "azurerm_resource_group" "hub" {
+  provider = azurerm.hub
+  name     = var.saca_rgname
+}
+
+data "azurerm_virtual_network" "hub" {
+  provider            = azurerm.hub
+  name                = var.saca_vnetname
+  resource_group_name = data.azurerm_resource_group.hub.name
+}
+
+data "azurerm_log_analytics_workspace" "hub" {
+  provider            = azurerm.hub
+  name                = var.saca_lawsname
+  resource_group_name = data.azurerm_resource_group.hub.name
+}
+
+data "azurerm_firewall" "firewall" {
+  provider            = azurerm.hub
+  name                = var.firewall_name
+  resource_group_name = data.azurerm_resource_group.hub.name
+}
+
+resource "azurerm_resource_group" "t3" {
+  location = var.mlz_location
+  name     = var.tier3_rgname
+
+  tags = {
+    DeploymentName = var.deploymentname
+  }
+}
+
+module "t3-network" {
+  depends_on                 = [azurerm_resource_group.t3, data.azurerm_log_analytics_workspace.hub]
+  source                     = "../../modules/virtual-network"
+  location                   = azurerm_resource_group.t3.location
+  resource_group_name        = azurerm_resource_group.t3.name
+  vnet_name                  = var.tier3_vnetname
+  vnet_address_space         = var.tier3_vnet_address_space
+  log_analytics_workspace_id = data.azurerm_log_analytics_workspace.hub.id
+
+  tags = {
+    DeploymentName = var.deploymentname
+  }
+}
+
+module "t3-subnets" {
+  depends_on = [module.t3-network, data.azurerm_log_analytics_workspace.hub]
+  source     = "../../modules/subnet"
+  for_each   = var.subnets
+
+  name                 = each.value.name
+  location             = var.mlz_location
+  resource_group_name  = module.t3-network.resource_group_name
+  virtual_network_name = module.t3-network.virtual_network_name
+  address_prefixes     = each.value.address_prefixes
+  service_endpoints    = lookup(each.value, "service_endpoints", [])
+
+  enforce_private_link_endpoint_network_policies = lookup(each.value, "enforce_private_link_endpoint_network_policies", null)
+  enforce_private_link_service_network_policies  = lookup(each.value, "enforce_private_link_service_network_policies", null)
+
+  nsg_name  = each.value.nsg_name
+  nsg_rules = each.value.nsg_rules
+
+  routetable_name     = each.value.routetable_name
+  firewall_ip_address = data.azurerm_firewall.firewall.ip_configuration[0].private_ip_address
+
+  log_analytics_storage_id   = module.t3-network.log_analytics_storage_id
+  log_analytics_workspace_id = data.azurerm_log_analytics_workspace.hub.id
+
+  tags = {
+    DeploymentName = var.deploymentname
+  }
+}
+
+module "t3-outbound-peering" {
+  source = "../../modules/virtual-network-peering"
+
+  source_rg_name              = module.t3-network.resource_group_name
+  source_vnet_name            = module.t3-network.virtual_network_name
+  destination_vnet_name       = data.azurerm_virtual_network.hub.name
+  destination_rg_name         = data.azurerm_resource_group.hub.name
+  destination_subscription_id = var.saca_subid
+
+  tags = {
+    DeploymentName = var.deploymentname
+  }
+}
+
+module "t3-inbound-peering" {
+  source = "../../modules/virtual-network-peering"
+  providers = {
+    azurerm = azurerm.hub
+  }
+  source_vnet_name            = data.azurerm_virtual_network.hub.name
+  source_rg_name              = data.azurerm_resource_group.hub.name
+  destination_vnet_name       = module.t3-network.virtual_network_name
+  destination_rg_name         = module.t3-network.resource_group_name
+  destination_subscription_id = var.tier3_subid
+
+  tags = {
+    DeploymentName = var.deploymentname
+  }
+}
diff --git a/src/core/tier-3/output.tf b/src/core/tier-3/output.tf
@@ -0,0 +1,2 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
diff --git a/src/core/tier-3/tier-3.front.json b/src/core/tier-3/tier-3.front.json
@@ -0,0 +1,134 @@
+{
+	"tier-3": {
+		"str_maps": {
+			"TIER3_SUBNETVM_NAME": "subnets.{TIER3_SUBNETVM_NAME}.name"
+		},
+		"form": [
+			{
+				"varname": "saca_subid",
+				"type": "text",
+				"default_val": "${env:HUB_SUBSCRIPTION_ID}",
+				"description": "Saca Hub Subscription ID",
+				"options": []
+			},
+			{
+				"varname": "saca_rgname",
+				"type": "text",
+				"default_val": "rg-${env:MLZ_LOCATION}-mlz-saca",
+				"description": "Saca Hub Resource Group Name",
+				"options": []
+			},
+			{
+				"varname": "saca_vnetname",
+				"type": "text",
+				"default_val": "vn-${env:MLZ_LOCATION}-mlz-saca",
+				"description": "Saca Virtual Network Name",
+				"options": []
+			},
+			{
+				"varname": "firewall_name",
+				"type": "text",
+				"default_val": "DemoFirewall",
+				"description": "Saca Firewall Name",
+				"options": []
+			},
+			{
+				"varname": "lawsname",
+				"type": "text",
+				"default_val": "laws-${env:MLZ_LOCATION}-mlz",
+				"description": "Log Analytic Workspace Name",
+				"options": []
+			},
+			{
+				"varname": "tier3_subid",
+				"type": "text",
+				"default_val": "${env:TIER3_SUBSCRIPTION_ID}",
+				"description": "Tier0 Subscription Id",
+				"options": []
+			},
+			{
+				"varname": "tier3_rgname",
+				"type": "text",
+				"default_val": "rg-${env:MLZ_LOCATION}-mlz-t3",
+				"description": "TIer3 Resource Group Name",
+				"options": []
+			},
+			{
+				"varname": "tier3_vnetname",
+				"type": "text",
+				"default_val": "vn-${env:MLZ_LOCATION}-mlz-t3",
+				"description": "TIer3 Virtual Network Name",
+				"options": []
+			},
+			{
+				"varname": "tier3_vnet_address_space",
+				"type": "list",
+				"default_val": [
+					"10.0.120.0/26"
+				],
+				"description": "A list of values (NewLine Separated) for vnet address space",
+				"options": []
+			},
+			{
+				"varname": "tier3_create_network_watcher",
+				"type": "boolean",
+				"default_val": false,
+				"description": "Whether to create the network watcher in this tier vnet.",
+				"options": []
+			},
+			{
+				"varname": "subnets.{TIER3_SUBNETVM_NAME}.name",
+				"type": "text",
+				"default_val": "tier3vms",
+				"description": "A unique name for the Tier0 Subnet",
+				"options": []
+			},
+			{
+				"varname": "subnets.{TIER3_SUBNETVM_NAME}.address_prefixes",
+				"type": "list",
+				"default_val": [
+					"10.0.120.0/27"
+				],
+				"description": "A list of values (NewLine Separated) for vnet address space",
+				"options": []
+			},
+			{
+				"varname": "subnets.{TIER3_SUBNETVM_NAME}.service_endpoints",
+				"type": "list",
+				"default_val": [
+					"Microsoft.Storage"
+				],
+				"description": "A list of values (NewLine Separated) for service endpoints",
+				"options": []
+			},
+			{
+				"varname": "subnets.{TIER3_SUBNETVM_NAME}.enforce_private_link_endpoint_network_policies",
+				"type": "boolean",
+				"default_val": false,
+				"description": "Enforce Private Link Endpoint Policies",
+				"options": []
+			},
+			{
+				"varname": "subnets.{TIER3_SUBNETVM_NAME}.enforce_private_link_service_network_policies",
+				"type": "boolean",
+				"default_val": false,
+				"description": "Enforce private link service network policies",
+				"options": []
+			},
+			{
+				"varname": "subnets.{TIER3_SUBNETVM_NAME}.nsg_name",
+				"type": "text",
+				"default_val": "tier3vmsnsg",
+				"description": "Unique name for Network Security Group",
+				"options": []
+			},
+			{
+				"varname": "subnets.{TIER3_SUBNETVM_NAME}.routetable_name",
+				"type": "text",
+				"default_val": "tier3vmsrt",
+				"description": "Tier 0 Routeable Subnet Name",
+				"options": []
+			}
+		]
+	}
+}
diff --git a/src/core/tier-3/tier-3.orig.tfvars.json b/src/core/tier-3/tier-3.orig.tfvars.json
@@ -0,0 +1,52 @@
+{
+  "deploymentname":"{TIER3_DEPLOYMENTNAME}",
+  "saca_subid":"{SACA_SUBID}",
+  "saca_rgname":"{SACA_RGNAME}",
+  "saca_vnetname":"{SACA_VNETNAME}",
+  "firewall_name":"{firewall_name}",
+  "saca_lawsname":"{SACA_LAWSNAME}",
+  "tier3_subid":"{TIER3_SUBID}",
+  "tier3_rgname":"{TIER3_RGNAME}",
+  "tier3_vnetname":"{TIER3_VNETNAME}",
+  "tier3_vnet_address_space":["{TIER3_VNETSPACE}"],
+  "subnets": {
+    "{TIER3_SUBNETVM_NAME}": {
+      "name": "{TIER3_SUBNETVM_NAME}",
+      "address_prefixes": [
+        "{TIER3_SUBNETVM_ADDRESSPREFIXLIST}"
+      ],
+      "service_endpoints": [
+        "{TIER3_SUBNETVM_SERVICEENDPOINTLIST}"
+      ],
+      "enforce_private_link_endpoint_network_policies": false,
+      "enforce_private_link_service_network_policies": false,
+      "nsg_name": "{TIER3_SUBNETVM_NSGNAME}",
+      "nsg_rules": {
+        "allow_ssh": {
+          "name": "allow_ssh",
+          "priority": "100",
+          "direction": "Inbound",
+          "access": "Allow",
+          "protocol": "Tcp",
+          "source_port_range": "",
+          "destination_port_range": "22",
+          "source_address_prefix": "*",
+          "destination_address_prefix": ""
+        },
+        "allow_rdp": {
+          "name": "allow_rdp",
+          "priority": "200",
+          "direction": "Inbound",
+          "access": "Allow",
+          "protocol": "Tcp",
+          "source_port_range": "",
+          "destination_port_range": "3389",
+          "source_address_prefix": "*",
+          "destination_address_prefix": ""
+        }
+      },
+      "routetable_name": "{TIER3_SUBNETVM_RTNAME}"
+    }
+  },
+  "create_network_watcher": false
+}