Add Tier 3 Workload Templates and Stand Alone Script. (#220)
* Copy tier template for 3 * Bare minimum setup for deploying a tier 3 * Docs. * Update src/scripts/config/generate_config_file.sh Co-authored-by: Glenn Musa <4622125+glennmusa@users.noreply.github.com> * Update src/scripts/terraform/create_globals_from_config.sh Co-authored-by: Glenn Musa <4622125+glennmusa@users.noreply.github.com> * Update src/scripts/config/generate_config_file.sh Co-authored-by: Glenn Musa <4622125+glennmusa@users.noreply.github.com> * Link to workload doc from the getting started doc * fix tier3 var usage * Update src/docs/workload-deployment.md Co-authored-by: Brooke Hamilton <45323234+brooke-hamilton@users.noreply.github.com> * Update src/docs/workload-deployment.md Co-authored-by: Brooke Hamilton <45323234+brooke-hamilton@users.noreply.github.com> * Update src/docs/workload-deployment.md Co-authored-by: Brooke Hamilton <45323234+brooke-hamilton@users.noreply.github.com> * Fixed links * Fixed link Co-authored-by: Bree Stryker <b-s-no-reply@microsoft.com> Co-authored-by: Glenn Musa <4622125+glennmusa@users.noreply.github.com> Co-authored-by: Brooke Hamilton <brooke.hamilton@microsoft.com> Co-authored-by: Brooke Hamilton <45323234+brooke-hamilton@users.noreply.github.com>
1 parent
f83d387
commit 4ad561a
Showing
13 changed files
with
762 additions
and
3 deletions.
@@ -0,0 +1,147 @@ | ||
# Copyright (c) Microsoft Corporation. | ||
# Licensed under the MIT License. | ||
terraform { | ||
backend "azurerm" {} | ||
|
||
required_providers { | ||
azurerm = { | ||
source = "hashicorp/azurerm" | ||
version = "= 2.55.0" | ||
} | ||
random = { | ||
source = "hashicorp/random" | ||
version = "= 3.1.0" | ||
} | ||
} | ||
} | ||
|
||
provider "azurerm" { | ||
environment = var.tf_environment | ||
metadata_host = var.mlz_metadatahost | ||
tenant_id = var.mlz_tenantid | ||
subscription_id = var.tier3_subid | ||
client_id = var.mlz_clientid | ||
client_secret = var.mlz_clientsecret | ||
|
||
features {} | ||
} | ||
|
||
provider "azurerm" { | ||
alias = "hub" | ||
environment = var.tf_environment | ||
metadata_host = var.mlz_metadatahost | ||
tenant_id = var.mlz_tenantid | ||
subscription_id = var.saca_subid | ||
client_id = var.mlz_clientid | ||
client_secret = var.mlz_clientsecret | ||
|
||
features {} | ||
} | ||
|
||
provider "random" { | ||
} | ||
|
||
data "azurerm_resource_group" "hub" { | ||
provider = azurerm.hub | ||
name = var.saca_rgname | ||
} | ||
|
||
data "azurerm_virtual_network" "hub" { | ||
provider = azurerm.hub | ||
name = var.saca_vnetname | ||
resource_group_name = data.azurerm_resource_group.hub.name | ||
} | ||
|
||
data "azurerm_log_analytics_workspace" "hub" { | ||
provider = azurerm.hub | ||
name = var.saca_lawsname | ||
resource_group_name = data.azurerm_resource_group.hub.name | ||
} | ||
|
||
data "azurerm_firewall" "firewall" { | ||
provider = azurerm.hub | ||
name = var.firewall_name | ||
resource_group_name = data.azurerm_resource_group.hub.name | ||
} | ||
|
||
resource "azurerm_resource_group" "t3" { | ||
location = var.mlz_location | ||
name = var.tier3_rgname | ||
|
||
tags = { | ||
DeploymentName = var.deploymentname | ||
} | ||
} | ||
|
||
module "t3-network" { | ||
depends_on = [azurerm_resource_group.t3, data.azurerm_log_analytics_workspace.hub] | ||
source = "../../modules/virtual-network" | ||
location = azurerm_resource_group.t3.location | ||
resource_group_name = azurerm_resource_group.t3.name | ||
vnet_name = var.tier3_vnetname | ||
vnet_address_space = var.tier3_vnet_address_space | ||
log_analytics_workspace_id = data.azurerm_log_analytics_workspace.hub.id | ||
|
||
tags = { | ||
DeploymentName = var.deploymentname | ||
} | ||
} | ||
|
||
module "t3-subnets" { | ||
depends_on = [module.t3-network, data.azurerm_log_analytics_workspace.hub] | ||
source = "../../modules/subnet" | ||
for_each = var.subnets | ||
|
||
name = each.value.name | ||
location = var.mlz_location | ||
resource_group_name = module.t3-network.resource_group_name | ||
virtual_network_name = module.t3-network.virtual_network_name | ||
address_prefixes = each.value.address_prefixes | ||
service_endpoints = lookup(each.value, "service_endpoints", []) | ||
|
||
enforce_private_link_endpoint_network_policies = lookup(each.value, "enforce_private_link_endpoint_network_policies", null) | ||
enforce_private_link_service_network_policies = lookup(each.value, "enforce_private_link_service_network_policies", null) | ||
|
||
nsg_name = each.value.nsg_name | ||
nsg_rules = each.value.nsg_rules | ||
|
||
routetable_name = each.value.routetable_name | ||
firewall_ip_address = data.azurerm_firewall.firewall.ip_configuration[0].private_ip_address | ||
|
||
log_analytics_storage_id = module.t3-network.log_analytics_storage_id | ||
log_analytics_workspace_id = data.azurerm_log_analytics_workspace.hub.id | ||
|
||
tags = { | ||
DeploymentName = var.deploymentname | ||
} | ||
} | ||
|
||
module "t3-outbound-peering" { | ||
source = "../../modules/virtual-network-peering" | ||
|
||
source_rg_name = module.t3-network.resource_group_name | ||
source_vnet_name = module.t3-network.virtual_network_name | ||
destination_vnet_name = data.azurerm_virtual_network.hub.name | ||
destination_rg_name = data.azurerm_resource_group.hub.name | ||
destination_subscription_id = var.saca_subid | ||
|
||
tags = { | ||
DeploymentName = var.deploymentname | ||
} | ||
} | ||
|
||
module "t3-inbound-peering" { | ||
source = "../../modules/virtual-network-peering" | ||
providers = { | ||
azurerm = azurerm.hub | ||
} | ||
source_vnet_name = data.azurerm_virtual_network.hub.name | ||
source_rg_name = data.azurerm_resource_group.hub.name | ||
destination_vnet_name = module.t3-network.virtual_network_name | ||
destination_rg_name = module.t3-network.resource_group_name | ||
destination_subscription_id = var.tier3_subid | ||
|
||
tags = { | ||
DeploymentName = var.deploymentname | ||
} | ||
} |
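Review bot: The explicit `depends_on` lists on `module "t3-network"` and `module "t3-subnets"` duplicate dependencies Terraform already derives from the attribute references in the same blocks (`azurerm_resource_group.t3.location`, `data.azurerm_log_analytics_workspace.hub.id`, `module.t3-network.resource_group_name`), so both `depends_on` lines can be dropped; `depends_on` on a module may also defer the module's data reads to apply time, which widens the plan/apply gap for no gain here. The two `provider "azurerm"` blocks hand the same `mlz_clientid`/`mlz_clientsecret` pair to both the tier 3 and the hub subscriptions, so the deploying principal needs rights in two subscriptions; a header comment such as `# The aliased "hub" provider is used only for the four hub data lookups and the inbound peering module, so the deployment principal needs at least read access to the hub resource group plus whatever the peering module creates there` would make that cross-subscription privilege requirement explicit for reviewers. What the peering module actually needs on the hub side is not visible in this hunk.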
@@ -0,0 +1,2 @@ | ||
# Copyright (c) Microsoft Corporation. | ||
# Licensed under the MIT License. |
@@ -0,0 +1,134 @@ | ||
{ | ||
"tier-3": { | ||
"str_maps": { | ||
"TIER3_SUBNETVM_NAME": "subnets.{TIER3_SUBNETVM_NAME}.name" | ||
}, | ||
"form": [ | ||
{ | ||
"varname": "saca_subid", | ||
"type": "text", | ||
"default_val": "${env:HUB_SUBSCRIPTION_ID}", | ||
"description": "Saca Hub Subscription ID", | ||
"options": [] | ||
}, | ||
{ | ||
"varname": "saca_rgname", | ||
"type": "text", | ||
"default_val": "rg-${env:MLZ_LOCATION}-mlz-saca", | ||
"description": "Saca Hub Resource Group Name", | ||
"options": [] | ||
}, | ||
{ | ||
"varname": "saca_vnetname", | ||
"type": "text", | ||
"default_val": "vn-${env:MLZ_LOCATION}-mlz-saca", | ||
"description": "Saca Virtual Network Name", | ||
"options": [] | ||
}, | ||
{ | ||
"varname": "firewall_name", | ||
"type": "text", | ||
"default_val": "DemoFirewall", | ||
"description": "Saca Firewall Name", | ||
"options": [] | ||
}, | ||
{ | ||
"varname": "lawsname", | ||
"type": "text", | ||
"default_val": "laws-${env:MLZ_LOCATION}-mlz", | ||
"description": "Log Analytic Workspace Name", | ||
"options": [] | ||
}, | ||
{ | ||
"varname": "tier3_subid", | ||
"type": "text", | ||
"default_val": "${env:TIER3_SUBSCRIPTION_ID}", | ||
"description": "Tier0 Subscription Id", | ||
"options": [] | ||
}, | ||
{ | ||
"varname": "tier3_rgname", | ||
"type": "text", | ||
"default_val": "rg-${env:MLZ_LOCATION}-mlz-t3", | ||
"description": "TIer3 Resource Group Name", | ||
"options": [] | ||
}, | ||
{ | ||
"varname": "tier3_vnetname", | ||
"type": "text", | ||
"default_val": "vn-${env:MLZ_LOCATION}-mlz-t3", | ||
"description": "TIer3 Virtual Network Name", | ||
"options": [] | ||
}, | ||
{ | ||
"varname": "tier3_vnet_address_space", | ||
"type": "list", | ||
"default_val": [ | ||
"10.0.120.0/26" | ||
], | ||
"description": "A list of values (NewLine Separated) for vnet address space", | ||
"options": [] | ||
}, | ||
{ | ||
"varname": "tier3_create_network_watcher", | ||
"type": "boolean", | ||
"default_val": false, | ||
"description": "Whether to create the network watcher in this tier vnet.", | ||
"options": [] | ||
}, | ||
{ | ||
"varname": "subnets.{TIER3_SUBNETVM_NAME}.name", | ||
"type": "text", | ||
"default_val": "tier3vms", | ||
"description": "A unique name for the Tier0 Subnet", | ||
"options": [] | ||
}, | ||
{ | ||
"varname": "subnets.{TIER3_SUBNETVM_NAME}.address_prefixes", | ||
"type": "list", | ||
"default_val": [ | ||
"10.0.120.0/27" | ||
], | ||
"description": "A list of values (NewLine Separated) for vnet address space", | ||
"options": [] | ||
}, | ||
{ | ||
"varname": "subnets.{TIER3_SUBNETVM_NAME}.service_endpoints", | ||
"type": "list", | ||
"default_val": [ | ||
"Microsoft.Storage" | ||
], | ||
"description": "A list of values (NewLine Separated) for service endpoints", | ||
"options": [] | ||
}, | ||
{ | ||
"varname": "subnets.{TIER3_SUBNETVM_NAME}.enforce_private_link_endpoint_network_policies", | ||
"type": "boolean", | ||
"default_val": false, | ||
"description": "Enforce Private Link Endpoint Policies", | ||
"options": [] | ||
}, | ||
{ | ||
"varname": "subnets.{TIER3_SUBNETVM_NAME}.enforce_private_link_service_network_policies", | ||
"type": "boolean", | ||
"default_val": false, | ||
"description": "Enforce private link service network policies", | ||
"options": [] | ||
}, | ||
{ | ||
"varname": "subnets.{TIER3_SUBNETVM_NAME}.nsg_name", | ||
"type": "text", | ||
"default_val": "tier3vmsnsg", | ||
"description": "Unique name for Network Security Group", | ||
"options": [] | ||
}, | ||
{ | ||
"varname": "subnets.{TIER3_SUBNETVM_NAME}.routetable_name", | ||
"type": "text", | ||
"default_val": "tier3vmsrt", | ||
"description": "Tier 0 Routeable Subnet Name", | ||
"options": [] | ||
} | ||
] | ||
} | ||
} |
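Review bot: The form entry with `"varname": "lawsname"` does not match the `saca_lawsname` variable the tier 3 `main.tf` in this commit reads and the `saca_lawsname` key in the tfvars template, so a value entered for it would not reach the deployment unless the generator maps it separately; change it to `"varname": "saca_lawsname",`. The `tier3_create_network_watcher` entry has the same mismatch against the template's `create_network_watcher` key, and neither name appears in the tier 3 `main.tf` shown earlier in this commit. Several descriptions are copy-paste leftovers — `"Tier0 Subscription Id"` for `tier3_subid`, `"A unique name for the Tier0 Subnet"`, `"Tier 0 Routeable Subnet Name"`, and `"TIer3"` twice — and should say Tier 3. If the generator script translates `lawsname` itself the first point is moot, but that script is not in this hunk.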
@@ -0,0 +1,52 @@ | ||
{ | ||
"deploymentname":"{TIER3_DEPLOYMENTNAME}", | ||
"saca_subid":"{SACA_SUBID}", | ||
"saca_rgname":"{SACA_RGNAME}", | ||
"saca_vnetname":"{SACA_VNETNAME}", | ||
"firewall_name":"{firewall_name}", | ||
"saca_lawsname":"{SACA_LAWSNAME}", | ||
"tier3_subid":"{TIER3_SUBID}", | ||
"tier3_rgname":"{TIER3_RGNAME}", | ||
"tier3_vnetname":"{TIER3_VNETNAME}", | ||
"tier3_vnet_address_space":["{TIER3_VNETSPACE}"], | ||
"subnets": { | ||
"{TIER3_SUBNETVM_NAME}": { | ||
"name": "{TIER3_SUBNETVM_NAME}", | ||
"address_prefixes": [ | ||
"{TIER3_SUBNETVM_ADDRESSPREFIXLIST}" | ||
], | ||
"service_endpoints": [ | ||
"{TIER3_SUBNETVM_SERVICEENDPOINTLIST}" | ||
], | ||
"enforce_private_link_endpoint_network_policies": false, | ||
"enforce_private_link_service_network_policies": false, | ||
"nsg_name": "{TIER3_SUBNETVM_NSGNAME}", | ||
"nsg_rules": { | ||
"allow_ssh": { | ||
"name": "allow_ssh", | ||
"priority": "100", | ||
"direction": "Inbound", | ||
"access": "Allow", | ||
"protocol": "Tcp", | ||
"source_port_range": "", | ||
"destination_port_range": "22", | ||
"source_address_prefix": "*", | ||
"destination_address_prefix": "" | ||
}, | ||
"allow_rdp": { | ||
"name": "allow_rdp", | ||
"priority": "200", | ||
"direction": "Inbound", | ||
"access": "Allow", | ||
"protocol": "Tcp", | ||
"source_port_range": "", | ||
"destination_port_range": "3389", | ||
"source_address_prefix": "*", | ||
"destination_address_prefix": "" | ||
} | ||
}, | ||
"routetable_name": "{TIER3_SUBNETVM_RTNAME}" | ||
} | ||
}, | ||
"create_network_watcher": false | ||
} |
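Review bot: The default `nsg_rules` in this template open inbound TCP 22 (`allow_ssh`) and 3389 (`allow_rdp`) with `"source_address_prefix": "*"`, which admits management traffic from any source the subnet is reachable from; a workload template should ship with a narrower default such as `"source_address_prefix": "VirtualNetwork",` in both rules (or the hub's address space), leaving the operator to widen it deliberately. `"source_port_range": ""` and `"destination_address_prefix": ""` are empty strings rather than `"*"`; whether the subnet module tolerates that is not visible here. The `{firewall_name}` placeholder on the `firewall_name` key is lowercase while every other placeholder in the file is uppercase, which may matter if the generator substitutes by exact token name; the generator script is outside this hunk.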