diff --git a/AVS-Landing-Zone/GreenField/Terraform/gateway.tf b/AVS-Landing-Zone/GreenField/Terraform/gateway.tf
index 32d4d09e..3c0366e3 100644
--- a/AVS-Landing-Zone/GreenField/Terraform/gateway.tf
+++ b/AVS-Landing-Zone/GreenField/Terraform/gateway.tf
@@ -2,7 +2,7 @@ resource "azurerm_public_ip" "gatewaypip" {
 name = "${var.prefix}-GW-pip"
 resource_group_name = azurerm_resource_group.network.name
 location = azurerm_resource_group.network.location
- allocation_method = "Dynamic"
+ allocation_method = "Static"
 zones = ["1","2","3"]
 sku = "Standard"
 }
diff --git a/AVS-Landing-Zone/GreenField/Terraform/jumpbox.tf b/AVS-Landing-Zone/GreenField/Terraform/jumpbox.tf
index 8d9e8454..ce1cc8d8 100644
--- a/AVS-Landing-Zone/GreenField/Terraform/jumpbox.tf
+++ b/AVS-Landing-Zone/GreenField/Terraform/jumpbox.tf
@@ -17,7 +17,7 @@ resource "azurerm_windows_virtual_machine" "vm" {
 location = azurerm_resource_group.jumpbox.location
 size = var.jumpboxsku
 admin_username = var.adminusername
- admin_password = var.adminpassword
+ admin_password = random_password.admin_password.result
 zone = 1
 network_interface_ids = [
 azurerm_network_interface.nic.id,
@@ -34,4 +34,52 @@ resource "azurerm_windows_virtual_machine" "vm" {
 sku = "win11-21h2-avd"
 version = "latest"
 }
+}
+
+resource "random_password" "admin_password" {
+ length = 23
+ special = true
+ numeric = true
+ min_special = 1
+ min_numeric = 1
+ min_upper = 1
+ min_lower = 1
+}
+
+resource "random_string" "namestring" {
+ length = 4
+ special = false
+ upper = false
+ lower = true
+}
+
+resource "azurerm_key_vault_secret" "admin_password" {
+ key_vault_id = module.avm_res_keyvault_vault.resource.id
+ name = "${var.prefix}-jumpbox-${var.adminusername}-password"
+ value = random_password.admin_password.result
+}
+
+module "avm_res_keyvault_vault" {
+ source = "Azure/avm-res-keyvault-vault/azurerm"
+ version = "0.5.3"
+ tenant_id = data.azurerm_client_config.current.tenant_id
+ name = "${var.key_vault_name}-${random_string.namestring.result}"
+ resource_group_name = azurerm_resource_group.jumpbox.name
+ location = azurerm_resource_group.jumpbox.location
+ enabled_for_deployment = true
+ network_acls = {
+ default_action = "Allow"
+ bypass = "AzureServices"
+ }
+
+ role_assignments = {
+ deployment_user_secrets = {
+ role_definition_id_or_name = "Key Vault Administrator"
+ principal_id = data.azurerm_client_config.current.object_id
+ }
+ }
+
+ wait_for_rbac_before_secret_operations = {
+ create = "60s"
+ }
 }
\ No newline at end of file
diff --git a/AVS-Landing-Zone/GreenField/Terraform/network.tf b/AVS-Landing-Zone/GreenField/Terraform/network.tf
index 3c528987..55d1d287 100644
--- a/AVS-Landing-Zone/GreenField/Terraform/network.tf
+++ b/AVS-Landing-Zone/GreenField/Terraform/network.tf
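Review bot: The Key Vault that now holds the jumpbox admin password is created with `network_acls.default_action = "Allow"`, so its data plane answers to any public address and RBAC is the only barrier; the `AzureServices` bypass does not need a public default. Set `default_action = "Deny"` and either list the deploying client's address in `ip_rules` or reach the vault through a private endpoint in the jumpbox VNet. Note also that `random_password.admin_password.result` and the VM's `admin_password` are both persisted in Terraform state, so the state backend has to be protected to the same standard as the vault; a comment above `resource "random_password"` saying so would help the next maintainer. The secret name embeds `var.adminusername`, which makes the local account name visible to anyone who can list secrets even without read access to their values.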
@@ -21,9 +21,51 @@ resource "azurerm_subnet" "azurebastionsubnet" {
 address_prefixes = [var.azurebastionsubnet]
 }
+resource "azurerm_subnet_network_security_group_association" "this_bastion" {
+ subnet_id = azurerm_subnet.azurebastionsubnet.id
+ network_security_group_id = module.testnsg.nsg_resource.id
+}
+
 resource "azurerm_subnet" "jumpboxsubnet" {
 name = "JumpboxSubnet"
 resource_group_name = azurerm_resource_group.network.name
 virtual_network_name = azurerm_virtual_network.network.name
- address_prefixes = [var.jumpboxsubnet]
+ address_prefixes = [var.jumpboxsubnet]
+}
+
+resource "azurerm_subnet_network_security_group_association" "this_jumpbox" {
+ subnet_id = azurerm_subnet.jumpboxsubnet.id
+ network_security_group_id = module.testnsg.nsg_resource.id
 }
+
+module "testnsg" {
+ source = "Azure/avm-res-network-networksecuritygroup/azurerm"
+ version = "0.1.1"
+
+ enable_telemetry = var.telemetry_enabled
+ location = azurerm_resource_group.network.location
+ resource_group_name = azurerm_resource_group.network.name
+ name = var.nsg_name
+ nsgrules = { #allow all in this example, but set your
+ "rule01" : {
+ "nsg_rule_access" : "Allow",
+ "nsg_rule_destination_address_prefix" : "*",
+ "nsg_rule_destination_port_range" : "*",
+ "nsg_rule_direction" : "Inbound",
+ "nsg_rule_priority" : 100,
+ "nsg_rule_protocol" : "Tcp",
+ "nsg_rule_source_address_prefix" : "*",
+ "nsg_rule_source_port_range" : "*"
+ },
+ "rule02" : {
+ "nsg_rule_access" : "Allow",
+ "nsg_rule_destination_address_prefix" : "*",
+ "nsg_rule_destination_port_range" : "*",
+ "nsg_rule_direction" : "Outbound",
+ "nsg_rule_priority" : 200,
+ "nsg_rule_protocol" : "Tcp",
+ "nsg_rule_source_address_prefix" : "*",
+ "nsg_rule_source_port_range" : "*"
+ }
+ }
+}
\ No newline at end of file
diff --git a/AVS-Landing-Zone/GreenField/Terraform/privatecloud.tf b/AVS-Landing-Zone/GreenField/Terraform/privatecloud.tf
index 15fa7c5a..008a1f48 100644
--- a/AVS-Landing-Zone/GreenField/Terraform/privatecloud.tf
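Review bot: The NSG attached to both AzureBastionSubnet and JumpboxSubnet carries an inbound `rule01` that allows every TCP port from `*` to `*` at priority 100, so the jumpbox is no better isolated after this change than with no NSG at all; the point of the Bastion subnet is that it is the only path to the jumpbox. The trailing comment on `nsgrules` is also cut off at `set your`; finish it, e.g. `#allow all in this example, but set your own restrictive rules before deploying outside a lab`. A safer shape is one NSG per subnet, with the jumpbox rule's `"nsg_rule_source_address_prefix"` set to `var.azurebastionsubnet` and `"nsg_rule_destination_port_range"` narrowed to the remote-access port the VM actually serves, while the Bastion subnet gets the NSG rules Azure documents for it. The module name `testnsg` and the name `var.nsg_name` is given in tfvars read as placeholders in a reference landing zone.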
+++ b/AVS-Landing-Zone/GreenField/Terraform/privatecloud.tf
@@ -51,4 +51,10 @@ resource "azurerm_vmware_private_cloud" "privatecloud" {
 resource "azurerm_vmware_express_route_authorization" "expressrouteauthkey" {
 name = "${var.prefix}-AVS"
 private_cloud_id = azurerm_vmware_private_cloud.privatecloud.id
+}
+
+resource "azurerm_management_lock" "this_private_cloud" {
+ lock_level = "CanNotDelete"
+ name = "${var.prefix}-lock"
+ scope = azurerm_vmware_private_cloud.privatecloud.id
 }
\ No newline at end of file
diff --git a/AVS-Landing-Zone/GreenField/Terraform/terraform.tfvars b/AVS-Landing-Zone/GreenField/Terraform/terraform.tfvars
index 49ea5c80..01c99bb5 100644
--- a/AVS-Landing-Zone/GreenField/Terraform/terraform.tfvars
+++ b/AVS-Landing-Zone/GreenField/Terraform/terraform.tfvars
@@ -3,17 +3,17 @@ prefix = "AVS"
 #Region to deploy the AVS Private Cloud and associated components
-region = "northeurope"
+region = "eastasia"
 #AVS requires a /22 CIDR range, this must not overlap with other networks to be used with AVS
 avs-networkblock = "10.1.0.0/22"
-avs-sku = "AV36P"
+avs-sku = "AV36"
 avs-hostcount = 3
 hcx_key_names = ["hcxsite1", "hcxsite2"]
 #Input the Jumpbox local username, password and SKU of your choice
-adminusername = "replace me"
-adminpassword = "replace me"
+key_vault_name = "jumpkeyvault"
+adminusername = "testuser"
 jumpboxsku = "Standard_D2as_v4"
 #Virtual network address space and required subnets, can be any CIDR range
@@ -21,6 +21,7 @@ vnetaddressspace = "192.168.1.0/24"
 gatewaysubnet = "192.168.1.0/27"
 azurebastionsubnet = "192.168.1.64/26"
 jumpboxsubnet = "192.168.1.128/25"
+nsg_name = "testnsg"
 #Enable or Disable telemetry
 telemetry_enabled = true
diff --git a/AVS-Landing-Zone/GreenField/Terraform/variables.tf b/AVS-Landing-Zone/GreenField/Terraform/variables.tf
index 23dddc34..d10cd15d 100644
--- a/AVS-Landing-Zone/GreenField/Terraform/variables.tf
+++ b/AVS-Landing-Zone/GreenField/Terraform/variables.tf
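Review bot: Creating `azurerm_management_lock` needs `Microsoft.Authorization/locks/write` on the private cloud scope, which the Contributor role does not carry, so the deploying principal now has to hold Owner or User Access Administrator; nothing in the hunk states that prerequisite, and a comment above the resource such as `# Requires Owner or User Access Administrator on the private cloud scope to create and remove the lock` would. The same applies to the lock resources added in the two `avs_private_cloud_single_management_cluster_*` module main.tf files further down; those name the lock from `azurerm_vmware_private_cloud.privatecloud.name` while this one uses `var.prefix`, and aligning on the private cloud name would keep the three consistent. In the `_w_exr` module the new block also sits directly against the telemetry banner with no blank line between them.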
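Review bot: The comment `#Input the Jumpbox local username, password and SKU of your choice` is now stale, because `adminpassword` is removed in this hunk and the password is generated and written to Key Vault instead; rewrite it as `#Input the Jumpbox local username, the Key Vault name that will hold the generated password, and the SKU of your choice`. `key_vault_name` also has to satisfy Key Vault naming (globally unique, letters, digits and hyphens only) and stay short enough that the random suffix appended in jumpbox.tf keeps the full name within 24 characters, which deserves a comment beside the value. `adminusername = "testuser"` is a committed default that every deployment will create unless it is overridden.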
@@ -29,10 +29,6 @@ variable "adminusername" {
 type = string
 }
-variable "adminpassword" {
- type = string
-}
-
 variable "jumpboxsku" {
 type = string
 default = "Standard_D2as_v4"
@@ -60,6 +56,16 @@ variable "hcx_key_names" {
 default = []
 }
+variable "key_vault_name" {
+ type = string
+ description = "The name for the key vault used to store the jump virtual machine password."
+}
+
+variable "nsg_name" {
+ type = string
+ description = "The name to use for the default NSG deployed with the networks."
+}
+
 variable "telemetry_enabled" {
 type = bool
 description = "toggle the telemetry on/off for this module"
diff --git a/BrownField/Storage/AVS-to-ANFdatastore-NewVNet/Terraform/main.tf b/BrownField/Storage/AVS-to-ANFdatastore-NewVNet/Terraform/main.tf
index aa2d0339..388e1055 100644
--- a/BrownField/Storage/AVS-to-ANFdatastore-NewVNet/Terraform/main.tf
+++ b/BrownField/Storage/AVS-to-ANFdatastore-NewVNet/Terraform/main.tf
@@ -65,7 +65,7 @@ resource "azurerm_public_ip" "gatewayIP" {
 name = "${var.GatewayName}-PIP"
 resource_group_name = azurerm_resource_group.deploymentRG.name
 location = azurerm_resource_group.deploymentRG.location
- allocation_method = "Dynamic"
+ allocation_method = "Static"
 sku = "Standard"
 sku_tier = "Regional"
 zones = ["1","2","3"]
diff --git a/terraform/modules/avs_expressroute_gateway/main.tf b/terraform/modules/avs_expressroute_gateway/main.tf
index 7fc8700c..8fe957e2 100644
--- a/terraform/modules/avs_expressroute_gateway/main.tf
+++ b/terraform/modules/avs_expressroute_gateway/main.tf
@@ -2,7 +2,7 @@ resource "azurerm_public_ip" "gatewaypip" {
 name = var.expressroute_pip_name
 resource_group_name = var.rg_name
 location = var.rg_location
- allocation_method = "Dynamic"
+ allocation_method = "Static"
 sku = "Standard"
 tags = var.tags
 zones = ["1","2","3"]
diff --git a/terraform/modules/avs_expressroute_gateway_old/main.tf b/terraform/modules/avs_expressroute_gateway_old/main.tf
index db50d945..f0d22aa5 100644
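Review bot: `key_vault_name` is declared with no `validation` block even though jumpbox.tf appends `-` plus a four-character random suffix to it and passes the result as the vault name, so any value over 19 characters, or one containing characters Key Vault rejects, only fails at apply time with a provider error. The check below fails at plan time with a message that explains the suffix; `nsg_name` would benefit from the equivalent check against NSG naming rules.

```terraform
variable "key_vault_name" {
  type        = string
  description = "The name for the key vault used to store the jump virtual machine password."

  validation {
    # Vault names are 3-24 chars, letters/digits/hyphens, starting with a letter and
    # ending with a letter or digit; jumpbox.tf appends "-<4 chars>", so cap this at 19.
    condition     = can(regex("^[a-zA-Z][a-zA-Z0-9-]{1,17}[a-zA-Z0-9]$", var.key_vault_name))
    error_message = "key_vault_name must be 3-19 characters, start with a letter, end with a letter or digit, and contain only letters, digits and hyphens (a 5-character random suffix is appended)."
  }
}
// … unchanged: nsg_name and telemetry_enabled …
```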
--- a/terraform/modules/avs_expressroute_gateway_old/main.tf
+++ b/terraform/modules/avs_expressroute_gateway_old/main.tf
@@ -2,8 +2,9 @@ resource "azurerm_public_ip" "gatewaypip" {
 name = var.expressroute_pip_name
 resource_group_name = var.rg_name
 location = var.rg_location
- allocation_method = "Dynamic"
- sku = "Basic" #required for an ultraperformance gateway
+ allocation_method = "Static"
+ sku = "Standard" #required for an ultraperformance gateway
+ zones = ["1","2","3"]
 }
 resource "azurerm_virtual_network_gateway" "gateway" {
diff --git a/terraform/modules/avs_private_cloud_single_management_cluster_no_internet_conn/main.tf b/terraform/modules/avs_private_cloud_single_management_cluster_no_internet_conn/main.tf
index 9e919d29..95e1ac52 100644
--- a/terraform/modules/avs_private_cloud_single_management_cluster_no_internet_conn/main.tf
+++ b/terraform/modules/avs_private_cloud_single_management_cluster_no_internet_conn/main.tf
@@ -82,6 +82,12 @@ module "hcx_addon" {
 ]
 }
+resource "azurerm_management_lock" "this_private_cloud" {
+ lock_level = "CanNotDelete"
+ name = "${azurerm_vmware_private_cloud.privatecloud.name}-lock"
+ scope = azurerm_vmware_private_cloud.privatecloud.id
+}
+
 #############################################################################################
 # Telemetry Section - Toggled on and off with the telemetry variable
 # This allows us to get deployment frequency statistics for deployments
diff --git a/terraform/modules/avs_private_cloud_single_management_cluster_no_internet_conn_w_exr/main.tf b/terraform/modules/avs_private_cloud_single_management_cluster_no_internet_conn_w_exr/main.tf
index f2f9d03a..8c27aa92 100644
--- a/terraform/modules/avs_private_cloud_single_management_cluster_no_internet_conn_w_exr/main.tf
+++ b/terraform/modules/avs_private_cloud_single_management_cluster_no_internet_conn_w_exr/main.tf
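Review bot: The comment `#required for an ultraperformance gateway` was written to justify `sku = "Basic"` and is carried over unchanged onto `sku = "Standard"`, where it now reads as if Standard were the UltraPerformance requirement; the hunk changes the SKU, the allocation method and adds zones but leaves the stated rationale behind. Replace it with a comment that matches the new combination, e.g. `sku = "Standard" # Standard SKU public IPs must be Static and support zone redundancy`. If the Basic/UltraPerformance pairing was deliberate in this `_old` module, the comment should explain why that no longer holds rather than disappear silently.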
@@ -104,6 +104,11 @@ resource "azurerm_virtual_network_gateway_connection" "avs" {
 authorization_key = azurerm_vmware_express_route_authorization.expressrouteauthkey[0].express_route_authorization_key
 }
+resource "azurerm_management_lock" "this_private_cloud" {
+ lock_level = "CanNotDelete"
+ name = "${azurerm_vmware_private_cloud.privatecloud.name}-lock"
+ scope = azurerm_vmware_private_cloud.privatecloud.id
+}
 #############################################################################################
 # Telemetry Section - Toggled on and off with the telemetry variable
 # This allows us to get deployment frequency statistics for deployments
diff --git a/terraform/modules/avs_vpn_gateway/main.tf b/terraform/modules/avs_vpn_gateway/main.tf
index e3bef25a..96abeed3 100644
--- a/terraform/modules/avs_vpn_gateway/main.tf
+++ b/terraform/modules/avs_vpn_gateway/main.tf
@@ -2,7 +2,7 @@ resource "azurerm_public_ip" "gatewaypip_1" {
 name = var.vpn_pip_name_1
 resource_group_name = var.rg_name
 location = var.rg_location
- allocation_method = "Dynamic"
+ allocation_method = "Static"
 sku = "Standard"
 zones = ["1","2","3"]
 }
@@ -11,7 +11,7 @@ resource "azurerm_public_ip" "gatewaypip_2" {
 name = var.vpn_pip_name_2
 resource_group_name = var.rg_name
 location = var.rg_location
- allocation_method = "Dynamic"
+ allocation_method = "Static"
 sku = "Standard"
 zones = ["1","2","3"]
 }