From b072debc179dbedd71c7b7af2a13d97ad01b78a1 Mon Sep 17 00:00:00 2001 
From: Houssem Dellai Date: Fri, 15 Mar 2024 14:03:43 +0100 Subject: [PATCH] proxy --- .infracost/pricing.gob | Bin 7970 -> 8478 bytes 57_filter_egress_traffic_fqdn/commands.ps1 | 9 +- 80_aks_backup_tf/Readme.md | 40 + 80_aks_backup_tf/aks-backup-extenstion.tf | 22 + 80_aks_backup_tf/aks.tf | 29 + 80_aks_backup_tf/backup_instance.tf | 22 + 80_aks_backup_tf/backup_policy.tf | 31 + 80_aks_backup_tf/backup_vault.tf | 23 + 80_aks_backup_tf/output.tf | 0 80_aks_backup_tf/providers.tf | 25 + 80_aks_backup_tf/rg.tf | 9 + 80_aks_backup_tf/storage_account.tf | 13 + 80_aks_backup_tf/trusted_access.tf | 6 + 80_aks_backup_tf/variables.tf | 7 + 85_prometheus_grafana/.infracost/pricing.gob | Bin 0 -> 1872 bytes 85_prometheus_grafana/providers.tf | 2 +- .../.infracost/pricing.gob | Bin 0 -> 3564 bytes .../terraform_modules/manifest.json | 2 +- 88_prometheus_grafana_ampls/grafana-mpe.tf | 6 +- .../ama-metrics-settings-configmap.yaml | 0 .../container-azm-ms-agentconfig.yaml | 0 .../{apps => k8s}/deploy-svc-ingress.yaml | 0 .../{apps => k8s}/diagnostic_setting.tf | 0 .../import_grafafana_dashboard.tf | 0 .../{apps => k8s}/ingress-nginx.tf | 0 .../{apps => k8s}/logger-pod.yaml | 0 .../log_analytics-dcr.tf | 18 +- 88_prometheus_grafana_ampls/providers.tf | 2 +- _egress_proxy/README.md | 12 + _egress_proxy/aci-mitmproxy.tf | 54 ++ _egress_proxy/aks-proxy-config.json | 9 + _egress_proxy/aks.tf | 65 ++ _egress_proxy/certificate/cert.crt | 21 + _egress_proxy/certificate/cert.key | 28 + _egress_proxy/certificate/cert.pem | 49 ++ _egress_proxy/certificate/generate-cert.sh | 4 + _egress_proxy/install-mitmproxy.sh | 25 + _egress_proxy/mitmproxy-ca-cert (22).p12 | Bin 0 -> 1035 bytes _egress_proxy/output.tf | 0 _egress_proxy/providers.tf | 19 + _egress_proxy/rg.tf | 4 + _egress_proxy/variables.tf | 5 + _egress_proxy/vm-linux-proxy-mitm.tf | 62 ++ _egress_proxy/vnet-hub.tf | 14 + _egress_proxy/vnet-spoke.tf | 13 + tmp/main.tf | 730 +++--------------- tmp/providers.tf | 17 + 47 files changed, 
767 insertions(+), 630 deletions(-) create mode 100644 80_aks_backup_tf/Readme.md create mode 100644 80_aks_backup_tf/aks-backup-extenstion.tf create mode 100644 80_aks_backup_tf/aks.tf create mode 100644 80_aks_backup_tf/backup_instance.tf create mode 100644 80_aks_backup_tf/backup_policy.tf create mode 100644 80_aks_backup_tf/backup_vault.tf create mode 100644 80_aks_backup_tf/output.tf create mode 100644 80_aks_backup_tf/providers.tf create mode 100644 80_aks_backup_tf/rg.tf create mode 100644 80_aks_backup_tf/storage_account.tf create mode 100644 80_aks_backup_tf/trusted_access.tf create mode 100644 80_aks_backup_tf/variables.tf create mode 100644 85_prometheus_grafana/.infracost/pricing.gob create mode 100644 88_prometheus_grafana_ampls/.infracost/pricing.gob rename 88_prometheus_grafana_ampls/{apps => k8s}/ama-metrics-settings-configmap.yaml (100%) rename 88_prometheus_grafana_ampls/{apps => k8s}/container-azm-ms-agentconfig.yaml (100%) rename 88_prometheus_grafana_ampls/{apps => k8s}/deploy-svc-ingress.yaml (100%) rename 88_prometheus_grafana_ampls/{apps => k8s}/diagnostic_setting.tf (100%) rename 88_prometheus_grafana_ampls/{apps => k8s}/import_grafafana_dashboard.tf (100%) rename 88_prometheus_grafana_ampls/{apps => k8s}/ingress-nginx.tf (100%) rename 88_prometheus_grafana_ampls/{apps => k8s}/logger-pod.yaml (100%) create mode 100644 _egress_proxy/README.md create mode 100644 _egress_proxy/aci-mitmproxy.tf create mode 100644 _egress_proxy/aks-proxy-config.json create mode 100644 _egress_proxy/aks.tf create mode 100644 _egress_proxy/certificate/cert.crt create mode 100644 _egress_proxy/certificate/cert.key create mode 100644 _egress_proxy/certificate/cert.pem create mode 100644 _egress_proxy/certificate/generate-cert.sh create mode 100644 _egress_proxy/install-mitmproxy.sh create mode 100644 _egress_proxy/mitmproxy-ca-cert (22).p12 create mode 100644 _egress_proxy/output.tf create mode 100644 _egress_proxy/providers.tf create mode 100644 _egress_proxy/rg.tf 
create mode 100644 _egress_proxy/variables.tf create mode 100644 _egress_proxy/vm-linux-proxy-mitm.tf create mode 100644 _egress_proxy/vnet-hub.tf create mode 100644 _egress_proxy/vnet-spoke.tf create mode 100644 tmp/providers.tf 
diff --git a/.infracost/pricing.gob b/.infracost/pricing.gob index ce9e7d206655d2ac26d78ad5f4c132352e57fe5c..b000c02602c8c62474be6ab8140805d7b6263c95 100644 GIT binary patch delta 1394 zcmZvcTSyd97{~YKb=P)XH}9^iMcSsdXXc!_fcQ`m6+uOj7c7`-P(74XL}mFPWS0l) zl)FaS6-p}*lBgh&dhwyBAk+t=6v7@%DY`tw)|@l!HY2ewGvA&$-~a#n{^#6j99Z8o zlo@IN)9nEGM()*om&56IIvkE=(_Q@&(HDi|_;hJ+LDChl)F(4%pnx0m?q+rMPx?Yt zi+D%Itpekj)Ey0uUq!opBQ0w2dA#6<5uoZC9}{^LQv{X~7z7YfL|#)_USxnS;C-I@ zT2$S!*Z6g~ldeK*r}9r7kI0VPmf7crH+3_3yB9_TR#t_WC~AOH5eqp4kqmi`W!V^1 zc}cTowgBA7bGgIFs7n!*R3Q{R$Q6( z&E?*#G^C(PmgP94F;IrG1Xx8?7$k`Tuf!Om4v^t(Z7ocD^VC|~q`Y-}{&K9VspSIk zhTkr04m-20%TiF^Jso>Iwpg=(JHrqwWzCgIr)?-iHPQF#cuCv$w%^C;IySpCzu3AP z^#+#r20d#nWfRb>KOS^hS5L(zKMMFwMKA7id5vM4?_YCn8P5~ZC!GPj!F!hso`it( zE@|CggSU*<)86d`s`bB-fj!kNKdQ#4&0wiQ!?UJ-5m#53K_b+EVK2aWD zQYG^o^pIeNEH=zwo(tYf2lHo!`AquEdlNyIZT=KS(%rYjHJLO%8cx`IQWkT0iJ-?C z7841VA1_SWvPJP2NG=aw!v{(UJo7X)_zlsvm8R&eS@E!EDk@8hEHv4*hIO_ zWJ+mo(URL~hEvNE_+-Fq@TP*ucQ?-*yg2`?r-pnN;eambq6Bz}gGf}3BdE)~#wrNO z0CK!Wf?EDBsP3>;2?;88y80??`cipo9sTw$D|7HEo%!oRnOY^;s4F7u&73qj6JguQ zrZkAmp_k(7=-`L@^sbPg0#r@l0V6`BLRscTfLKXU87PWCmdRb=MEFP`M4VGyao_(_ zFpy1&P(mbGn{!g{^d#d;0h&5`1w3@w&-!G_TYFnbbJups#9Kt?V+=r|Aagp$bDAjY eoUThMl6Xdu8AiuDbL%28Afz!`uMaBL@cS1UdB-~d delta 1188 zcmZXTT}TvB6vtEK}PZXJ%)}q=G^pf`ZhgGTb}68_`1)8H6oC z2xU(#SN2Pa)g&bdf})3t*oSzdoKr1yJNIDM34@WAPDHYv`>hiRuX>L-r&!xrxt%CpXRhY;}g;YU9|#{x?*PIB<6rQ`JpWA7R0HXFf>Ubt!mmMB8U7cI|tdx`$~&LytiRjY1*+7n*bBX>+} z8iJjbYxp(Lx9&B%;^7xgQbwg>c=(J^NbHETrwn+QbrLcxD^3Y&l98vsP z%F3-#=FP&vY73@F)Ft%)QlaemmNSF-1BXt1e_gd7-C-yy0x205lAIXkWjP`N5ND%62C~Sd_*6oKkw8-g z-zthCEW2xwHSkHyddL1bdFMvF0_^H;G7CG*6yo+TOtzzTvk%I5%8QL(@l32WW>}G? zSyx4oHu=_xBRX;}#ke|D6n?}FwR0;_*`UG3*cPboYH_l}d$$d0m*' | awk '{print "-n "$1" "$2}' | xaRG_NAMEs -L 1 -r kubectl delete pod # make sure cilium CLI is installed on your machine (https://github.com/cilium/cilium-cli/releases/tag/v0.15.0) 
@@ -39,7 +40,7 @@ cilium status --wait cilium connectivity test # deploy sample online service, just to get public IP -$FQDN=(az container create -g $RG_NAME -n aci-app --image nginx:latest --ports 80 --ip-address public --dns-name-label aci-app-931 --query ipAddress.fqdn --output tsv) +$FQDN=(az container create -g $RG_NAME -n aci-app --image nginx:latest --ports 80 --ip-address public --dns-name-label aci-app-931 --query ipAddress.fqdn --output tsv) $FQDN # aci-app-931.westeurope.azurecontainer.io diff --git a/80_aks_backup_tf/Readme.md b/80_aks_backup_tf/Readme.md new file mode 100644 index 0000000..7fcc9e0 --- /dev/null +++ b/80_aks_backup_tf/Readme.md @@ -0,0 +1,40 @@ +# Private Azure Grafana, Prometheus and Log Analytics with AKS + +## Introduction + +With AKS, you can use `Azure Monitor Workspace for Prometheus` and `Azure Managed Grafana` to collect, query and visualize the metrics from AKS. +And to collect logs, you can use `Azure Log Analytics`. + +This lab will provide an implementation for monitoring and logging. + +## Architecture + +![](images/architecture.png) + +## Deploying the resources using Terraform + +To deploy the Terraform configuration files, run the following commands: + +```sh +terraform init + +terraform plan -out tfplan + +terraform apply tfplan +``` + +The following resources will be created. + +![](images/resources.png) + +## Cleanup resources + +To delete the creates resources, run the following command: + +```sh +terraform destroy +``` + +## More readings + +https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/azure-monitor-workspace-manage?tabs=azure-portal diff --git a/80_aks_backup_tf/aks-backup-extenstion.tf b/80_aks_backup_tf/aks-backup-extenstion.tf new file mode 100644 index 0000000..f2793b7 --- /dev/null +++ b/80_aks_backup_tf/aks-backup-extenstion.tf 
@@ -0,0 +1,22 @@
+resource "azurerm_kubernetes_cluster_extension" "extension" {
+ name = "backup-extension"
+ cluster_id = azurerm_kubernetes_cluster.aks.id
+ extension_type = "Microsoft.DataProtection.Kubernetes"
+ release_train = "stable"
+ release_namespace = "dataprotection-microsoft"
+ configuration_settings = {
+ "configuration.backupStorageLocation.bucket" = azurerm_storage_container.container.name
+ "configuration.backupStorageLocation.config.resourceGroup" = azurerm_storage_account.storage.resource_group_name
+ "configuration.backupStorageLocation.config.storageAccount" = azurerm_storage_account.storage.name
+ "configuration.backupStorageLocation.config.subscriptionId" = data.azurerm_client_config.current.subscription_id
+ "credentials.tenantId" = data.azurerm_client_config.current.tenant_id
+ }
+}
+
+resource "azurerm_role_assignment" "extension_and_storage_account_permission" {
+ scope = azurerm_storage_account.storage.id
+ role_definition_name = "Storage Account Contributor"
+ principal_id = azurerm_kubernetes_cluster_extension.extension.aks_assigned_identity[0].principal_id
+}
+
+data "azurerm_client_config" "current" {}
\ No newline at end of file
diff --git a/80_aks_backup_tf/aks.tf b/80_aks_backup_tf/aks.tf
new file mode 100644
index 0000000..5e30630
--- /dev/null
+++ b/80_aks_backup_tf/aks.tf
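Review bot: The new file is named `aks-backup-extenstion.tf`, a typo for `extension`; since this is the commit that creates it, renaming now avoids a follow-up rename that breaks `git blame` continuity. The `data "azurerm_client_config" "current" {}` declaration sits at the bottom of the file after its two uses inside `configuration_settings`; moving it to the top (or into providers.tf) with a comment such as `# supplies the subscription and tenant ids the backup extension is configured with` would make the dependency visible on first read.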
@@ -0,0 +1,29 @@
+resource "azurerm_kubernetes_cluster" "aks" {
+ name = "aks-cluster"
+ location = azurerm_resource_group.rg.location
+ resource_group_name = azurerm_resource_group.rg.name
+ dns_prefix = "aks"
+ kubernetes_version = "1.29.0"
+
+ network_profile {
+ network_plugin = "azure"
+ network_plugin_mode = "overlay"
+ ebpf_data_plane = "cilium"
+ }
+
+ default_node_pool {
+ name = "systempool"
+ node_count = 3
+ vm_size = "standard_b2als_v2"
+ }
+
+ identity {
+ type = "SystemAssigned"
+ }
+}
+
+resource "azurerm_role_assignment" "cluster_msi_contributor_on_snap_rg" {
+ scope = azurerm_resource_group.rg-backup.id
+ role_definition_name = "Contributor"
+ principal_id = azurerm_kubernetes_cluster.aks.identity[0].principal_id
+}
\ No newline at end of file
diff --git a/80_aks_backup_tf/backup_instance.tf b/80_aks_backup_tf/backup_instance.tf
new file mode 100644
index 0000000..0b390f7
--- /dev/null
+++ b/80_aks_backup_tf/backup_instance.tf
@@ -0,0 +1,22 @@
+resource "azurerm_data_protection_backup_instance_kubernetes_cluster" "backup-instance" {
+ name = "backup-instance"
+ location = azurerm_resource_group.rg.location
+ vault_id = azurerm_data_protection_backup_vault.backup-vault.id
+ kubernetes_cluster_id = azurerm_kubernetes_cluster.aks.id
+ snapshot_resource_group_name = azurerm_resource_group.rg-backup.name
+ backup_policy_id = azurerm_data_protection_backup_policy_kubernetes_cluster.backup-policy-aks.id
+
+ backup_datasource_parameters {
+ excluded_namespaces = ["test-excluded-namespaces"]
+ excluded_resource_types = ["exvolumesnapshotcontents.snapshot.storage.k8s.io"]
+ cluster_scoped_resources_enabled = true
+ included_namespaces = ["*"] # ["test-included-namespaces"]
+ included_resource_types = ["*"] # ["involumesnapshotcontents.snapshot.storage.k8s.io"]
+ label_selectors = ["*"] # ["kubernetes.io/metadata.name:test"]
+ volume_snapshot_enabled = true
+ }
+
+ depends_on = [
+ azurerm_role_assignment.extension_and_storage_account_permission,
+ ]
+}
\ No newline at end of file
diff --git a/80_aks_backup_tf/backup_policy.tf b/80_aks_backup_tf/backup_policy.tf
new file mode 100644
index 0000000..50e7162
--- /dev/null
+++ b/80_aks_backup_tf/backup_policy.tf
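Review bot: The exclusion lists in `backup_datasource_parameters` hold what look like provider-example placeholders rather than real selections: `excluded_namespaces = ["test-excluded-namespaces"]` and `excluded_resource_types = ["exvolumesnapshotcontents.snapshot.storage.k8s.io"]` name a namespace and a resource type that do not exist in a stock cluster, so they exclude nothing while suggesting a scoping decision was made. Either drop both attributes or replace them with the namespaces and types that are genuinely out of scope for this lab, with a comment saying why. The trailing `# ["test-included-namespaces"]`-style comments on the `included_*` and `label_selectors` lines are the same copied example and should go with them.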
@@ -0,0 +1,31 @@ +resource "azurerm_data_protection_backup_policy_kubernetes_cluster" "backup-policy-aks" { + name = "backup-policy-aks" + resource_group_name = azurerm_data_protection_backup_vault.backup-vault.resource_group_name + vault_name = azurerm_data_protection_backup_vault.backup-vault.name + + backup_repeating_time_intervals = ["R/2023-05-23T02:30:00+00:00/P1W"] + + retention_rule { + name = "Daily" + priority = 25 + + life_cycle { + duration = "P84D" + data_store_type = "OperationalStore" + } + + criteria { + days_of_week = ["Thursday"] + months_of_year = ["November"] + weeks_of_month = ["First"] + scheduled_backup_times = ["2023-05-23T02:30:00Z"] + } + } + + default_retention_rule { + life_cycle { + duration = "P14D" + data_store_type = "OperationalStore" + } + } +} \ No newline at end of file diff --git a/80_aks_backup_tf/backup_vault.tf b/80_aks_backup_tf/backup_vault.tf new file mode 100644 index 0000000..77bf993 --- /dev/null +++ b/80_aks_backup_tf/backup_vault.tf @@ -0,0 +1,23 @@ +resource "azurerm_data_protection_backup_vault" "backup-vault" { + name = "backup-vault" + resource_group_name = azurerm_resource_group.rg.name + location = azurerm_resource_group.rg.location + datastore_type = "VaultStore" + redundancy = "LocallyRedundant" + + identity { + type = "SystemAssigned" + } +} + +resource "azurerm_role_assignment" "vault_msi_read_on_cluster" { + scope = azurerm_kubernetes_cluster.aks.id + role_definition_name = "Reader" + principal_id = azurerm_data_protection_backup_vault.backup-vault.identity[0].principal_id +} + +resource "azurerm_role_assignment" "vault_msi_read_on_snap_rg" { + scope = azurerm_resource_group.rg-backup.id + role_definition_name = "Reader" + principal_id = azurerm_data_protection_backup_vault.backup-vault.identity[0].principal_id +} \ No newline at end of file diff --git a/80_aks_backup_tf/output.tf b/80_aks_backup_tf/output.tf new file mode 100644 index 0000000..e69de29 
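Review bot: The retention rule is named `Daily`, but the only schedule is `R/2023-05-23T02:30:00+00:00/P1W` (weekly) and its `criteria` block combines `days_of_week = ["Thursday"]`, `months_of_year = ["November"]` and `weeks_of_month = ["First"]`, which appears to match at most one run a year, so the 84-day `OperationalStore` lifecycle almost never applies and everything else falls under the 14-day `default_retention_rule`. If the intent is a weekly backup kept 84 days, rename the rule and drop the day/month/week filters so the criteria match every scheduled run; if the intent really is daily, the interval should be `P1D`. A one-line comment above `backup_repeating_time_intervals` stating the intended cadence and retention would let a reader check the policy without decoding the ISO 8601 string.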
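Review bot: `redundancy = "LocallyRedundant"` on `azurerm_data_protection_backup_vault.backup-vault` keeps every copy of the backup data in one datacenter, so an incident that takes out the cluster's region can take its backups with it; for anything beyond a throwaway lab `GeoRedundant` is the safer default for a backup vault, and the choice deserves a comment either way. The vault also relies on provider defaults for soft delete; if this module is meant as a reference, stating that explicitly in a comment (or pinning the setting, if the pinned azurerm version exposes one for this resource) would make the protection level reviewable.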
diff --git a/80_aks_backup_tf/providers.tf b/80_aks_backup_tf/providers.tf new file mode 100644 index 0000000..9f4bf2a --- /dev/null +++ b/80_aks_backup_tf/providers.tf @@ -0,0 +1,25 @@ +terraform { + + required_version = ">= 1.2.8" + + required_providers { + + azurerm = { + source = "hashicorp/azurerm" + version = "= 3.95.0" + } + + time = { + source = "hashicorp/time" + version = "0.10.0" + } + } +} + +provider "azurerm" { + features {} +} + +provider "time" { + # Configuration options +} diff --git a/80_aks_backup_tf/rg.tf b/80_aks_backup_tf/rg.tf new file mode 100644 index 0000000..db048fa --- /dev/null +++ b/80_aks_backup_tf/rg.tf @@ -0,0 +1,9 @@ +resource "azurerm_resource_group" "rg" { + name = "rg-akscluster-${var.prefix}" + location = var.location +} + +resource "azurerm_resource_group" "rg-backup" { + name = "rg-aks-backup-${var.prefix}" + location = var.location +} \ No newline at end of file diff --git a/80_aks_backup_tf/storage_account.tf b/80_aks_backup_tf/storage_account.tf new file mode 100644 index 0000000..4caaf58 --- /dev/null +++ b/80_aks_backup_tf/storage_account.tf @@ -0,0 +1,13 @@ +resource "azurerm_storage_account" "storage" { + name = "storage19753" + resource_group_name = azurerm_resource_group.rg.name + location = azurerm_resource_group.rg.location + account_tier = "Standard" + account_replication_type = "LRS" +} + +resource "azurerm_storage_container" "container" { + name = "backup-container" + storage_account_name = azurerm_storage_account.storage.name + container_access_type = "private" +} \ No newline at end of file diff --git a/80_aks_backup_tf/trusted_access.tf b/80_aks_backup_tf/trusted_access.tf new file mode 100644 index 0000000..4d20535 --- /dev/null +++ b/80_aks_backup_tf/trusted_access.tf 
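Review bot: `azurerm_storage_account.storage` hard-codes `name = "storage19753"`, which is globally unique across Azure, so a second deployment or another reader of this lab fails on a name collision, while every other resource in the module derives its name from `var.prefix`; deriving it the same way (`name = "stbackup${var.prefix}"` or similar) keeps the module self-consistent. Since this account holds cluster backups, consider also setting `allow_nested_items_to_be_public = false` and restricting `public_network_access_enabled` or adding network rules scoped to the cluster, so the private `backup-container` is not one changed ACL away from anonymous exposure; the container is `private` today, so this is defence in depth rather than a live issue. I am not certain the backup extension works with public network access disabled without a private endpoint, so verify that before tightening it.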
@@ -0,0 +1,6 @@
+resource "azurerm_kubernetes_cluster_trusted_access_role_binding" "aks_cluster_trusted_access" {
+ kubernetes_cluster_id = azurerm_kubernetes_cluster.aks.id
+ name = "trusted-access"
+ roles = ["Microsoft.DataProtection/backupVaults/backup-operator"]
+ source_resource_id = azurerm_data_protection_backup_vault.backup-vault.id
+}
\ No newline at end of file
diff --git a/80_aks_backup_tf/variables.tf b/80_aks_backup_tf/variables.tf
new file mode 100644
index 0000000..462f1c9
--- /dev/null
+++ b/80_aks_backup_tf/variables.tf
@@ -0,0 +1,7 @@
+variable "prefix" {
+ default = "80"
+}
+
+variable "location" {
+ default = "swedencentral"
+}
\ No newline at end of file
diff --git a/85_prometheus_grafana/.infracost/pricing.gob b/85_prometheus_grafana/.infracost/pricing.gob new file mode 100644 index 0000000000000000000000000000000000000000..2f90f087c96e0bb0a521f455f1092d5ad7742521 GIT binary patch literal 1872 zcmbW2PiS049LL}6CTR`Yss*hgA`j7n+2uF?e-l(tD_D>oT6?huoIk&@0n>);hE`%t zv}qMDdeWi?Jt%_3tLGNHR}sAxPl}!ty!0ShXIFe~Fqd5(yqRI<&3xwj`~H6K;Na~U z)*8H1u{k!_s;Wme+hw>_u@;*1*!l|FU$NPvXA+$suGlx~QI8F_%VviL7h8asT-})fEa@W->JEs|&FJv2a@_k<~Zq%!5XVZG@ z_v*z{!@+W-vF>xece-AzeYRW~Ov2@W0Z4L-)<~hbEepWQt6%!u;x zWRy~ADV=sX2kp7_St^sX&UuJ0C{02MV3husbfZ?=IXKMHiqf?zJM=N<@!$*B zkj^aZMf%N;3x}^B{dg+U>>O&e!Yc2|8=_7!VL%>HI4`h60=0EK7&19g{ z!9XXL8EFf(DhY(ya8xw7*(2Q8xn*$WR;h~WFa&->;=>gMjEBHOOI zTJB9kP-22Y2O|l*2q_{^sH=#IQm?|BN+c?8A_;MNW^#7FfxYk>26n!WdFR{T{GaFl zf1Wwj*E_Pd>KmnOT2>t`l~#_li~~cj3})3srEL1M`}+I##DTSVd$d$4 zZKxh>&zeq5%Q`mi?~hqWDQn;8_GUBjebeBc`g`xt&g}kD*13Kc#C^3B_tmfBKvo^Y zht01ZZp*UHt=sx`;p4|jc%t+`^+;!ikL=qS|NoD7X01WW1-HIju<5jefpY(z-7pje2g<9r)^7Sj%w0b326mKJm$jBcaOR{_jBu*KNf`oI8>I0@ zu!gw!g-D`NG9d zF5Z0PuU6_GoN|T>r-DntMh#LM;Q|BeQv^jT(U~9wHfI!65(XhgNjQ&`DVpE+`A2&@R-vs6*fq2xgT>&j_VNCDMfHWK+;eD{t@sC6e06 z6T$qVc}q=}zFE)iN7o*&mA<_9iG}lb{`OrfZHgJH6FMd&5{W}E8;l=9j6oB*m}H@h z%C~8gq76fxcnxOE8o&KTufP)0%_cyEf3=IvCQX}R3LYo{$e z?|d-2`}nq2NWGR`Ds7zCAS@UGLP~*2fFX~(uHped!Y)qO5tLYyxMp~%u^)^JDNSS) z>7gtaQr%OLR!^QiBNsh(piWva_ z)bY(5PQAMH*ql~Sagqba#L}$}$y*<`PdDhrNLbmc&H$X^+Gmps}B1 zv-6TRNZ*E+=bk%pXGfj1Xhz{A63PIx$s121?ov3<(PY|ckKJ3uQB&*LNc^v^bT2-) z{@s?`l&m$+0?c$uV cert.pem +``` \ No newline at end of file diff --git a/_egress_proxy/aci-mitmproxy.tf b/_egress_proxy/aci-mitmproxy.tf new file mode 100644 index 0000000..3df5e1c --- /dev/null +++ b/_egress_proxy/aci-mitmproxy.tf 
@@ -0,0 +1,54 @@ +resource "azurerm_container_group" "aci-mitmproxy" { + name = "aci-mitmproxy" + location = azurerm_resource_group.rg.location + resource_group_name = azurerm_resource_group.rg.name + ip_address_type = "Public" + os_type = "Linux" + + container { + name = "mitmproxy" + image = "mitmproxy/mitmproxy:latest" + cpu = "1.0" + memory = "1.0" + + commands = [ + "/bin/bash", + "-c", + "mitmweb --listen-port 8080 --web-host 0.0.0.0 --web-port 8081 --set block_global=false" + ] + + ports { + port = 8080 + protocol = "TCP" + } + + ports { + port = 8081 + protocol = "TCP" + } + } + + exposed_port = [ + { + port = 8080 + protocol = "TCP" + }, + { + port = 8081 + protocol = "TCP" + }] +} + +resource "terraform_data" "aci-mitmproxy-get-certificate" { + triggers_replace = [ + azurerm_container_group.aci-mitmproxy.id + ] + + provisioner "local-exec" { + command = "az container exec -g ${azurerm_container_group.aci-mitmproxy.resource_group_name} --name ${azurerm_container_group.aci-mitmproxy.name} --exec-command 'cat ~/.mitmproxy/mitmproxy-ca-cert.pem | base64'" + } +} + +output "aci-mitmproxy-public_ip" { + value = azurerm_container_group.aci-mitmproxy.ip_address +} diff --git a/_egress_proxy/aks-proxy-config.json b/_egress_proxy/aks-proxy-config.json new file mode 100644 index 0000000..6c4185d --- /dev/null +++ b/_egress_proxy/aks-proxy-config.json @@ -0,0 +1,9 @@ +{ + "httpProxy": "http://20.76.37.30:8080/", + "httpsProxy": "https://20.76.37.30:8080/", + "noProxy": [ + "localhost", + "127.0.0.1" + ], + "trustedCA": "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" +} \ No newline at end of file diff --git a/_egress_proxy/aks.tf b/_egress_proxy/aks.tf new file mode 100644 index 0000000..18e36bb --- /dev/null +++ b/_egress_proxy/aks.tf 
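Review bot: `azurerm_container_group.aci-mitmproxy` exposes both the proxy listener (8080) and the mitmweb UI (8081) on a public IP, with `--web-host 0.0.0.0` and `--set block_global=false`, which disables mitmproxy's default refusal of connections from public addresses, so as deployed this is an open proxy plus an admin UI reachable from the whole internet for as long as the group runs. The AKS nodes only need to reach it from their subnet, so give the group a private address (`ip_address_type = "Private"` with `subnet_ids` pointing at a delegated subnet in the VNet) and leave `block_global` at its default; the `aci-mitmproxy-public_ip` output then carries the private address. `image = "mitmproxy/mitmproxy:latest"` should be pinned to a specific tag, because every node will trust the CA this container generates and an unreviewed image update can change how that CA is produced. In the `local-exec`, `--exec-command 'cat ~/.mitmproxy/mitmproxy-ca-cert.pem | base64'` is passed as a single argument; I believe the pipe is only interpreted if wrapped in `/bin/sh -c`, and the output is printed rather than captured, so it cannot feed `trusted_ca` in aks.tf automatically — worth confirming.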
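Review bot: `"httpsProxy": "https://20.76.37.30:8080/"` uses an `https://` scheme for the proxy endpoint, while aks.tf in this same commit sets `https_proxy = "http://…:8080/"` and the mitmweb command in aci-mitmproxy.tf starts a plain-HTTP listener on 8080, so a client honouring this file would attempt a TLS handshake with a listener that does not speak TLS and HTTPS egress would fail. Change it to `"httpsProxy": "http://20.76.37.30:8080/"`, or better drop this hand-edited duplicate of the Terraform `http_proxy_config` and keep one source of truth. The hard-coded public IP goes stale the moment the container group is recreated, so if the file stays it should be rendered from `azurerm_container_group.aci-mitmproxy.ip_address` (e.g. via `templatefile`) rather than maintained by hand.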
@@ -0,0 +1,65 @@ +resource "azurerm_kubernetes_cluster" "aks" { + name = "aks-cluster1" + location = azurerm_resource_group.rg.location + resource_group_name = azurerm_resource_group.rg.name + dns_prefix = "aks" + kubernetes_version = "1.29.0" + + network_profile { + network_plugin = "azure" + network_plugin_mode = "overlay" + ebpf_data_plane = "cilium" + outbound_type = "loadBalancer" + } + + default_node_pool { + name = "systempool" + node_count = 3 + vm_size = "standard_b2als_v2" + vnet_subnet_id = azurerm_subnet.snet-aks.id + } + + identity { + type = "SystemAssigned" + } + + http_proxy_config { + http_proxy = "http://${azurerm_container_group.aci-mitmproxy.ip_address}:8080/" # "http://20.76.37.30:8080/" + https_proxy = "http://${azurerm_container_group.aci-mitmproxy.ip_address}:8080/" # "http://20.76.37.30:8080/" + no_proxy = ["localhost","127.0.0.1"] #, azurerm_subnet.snet-aks.address_prefixes[0]] + trusted_ca = "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" + } + + # http_proxy_config { + # http_proxy = "http://${azurerm_container_group.aci-mitmproxy.ip_address}:8080/" + # https_proxy = "https://${azurerm_container_group.aci-mitmproxy.ip_address}:8080/" + # no_proxy = ["localhost", "127.0.0.1"] #, azurerm_subnet.snet-aks.address_prefixes[0]] + # trusted_ca = 
"LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUROVENDQWgyZ0F3SUJBZ0lVR0greHNoSzVYOUZaMDR1WVk0WWZSU0tTdS93d0RRWUpLb1pJaHZjTkFRRUwKQlFBd0tERVNNQkFHQTFVRUF3d0piV2wwYlhCeWIzaDVNUkl3RUFZRFZRUUtEQWx0YVhSdGNISnZlSGt3SGhjTgpNalF3TXpFeU1UWXlPVEkxV2hjTk16UXdNekV5TVRZeU9USTFXakFvTVJJd0VBWURWUVFEREFsdGFYUnRjSEp2CmVIa3hFakFRQmdOVkJBb01DVzFwZEcxd2NtOTRlVENDQVNJd0RRWUpLb1pJaHZjTkFRRUJCUUFEZ2dFUEFEQ0MKQVFvQ2dnRUJBS2hwUE0xMHJ5aGFWQzVDVllNeDdETFlEV2Y2TTcvSDVkQXdmWFlEQ0JWbm4zOFhFbVV6ZGp3NApKRzhjczRJRHBPUFlBY2pCazBscVpWZWd5UkYraDByNk5zcjQ1NENTejRqb2YvcWJKTHAwSkhDWEhmTCtNbDFPCkNEL3ZBcHVoTHRSYlIvdXp1cVU5MnJWOWpNMUExVDRyaVhVQ0xMcmNHMVFOakhMcVRGSkxwR3l3NDdnOGxXUlYKVGcwSkpzK0ZFYXZibjBEQ3JvVDFpem1ZMmNYendQY3JDZHpDbUxpWVR0cVJYaldqZ2NtSWtuWEt6ZlIxVnJ4Vwo1WFNidTVyMExCRzYwQzZxeEtQZlNqQ3EvQm5sTjVMNW8xRlBOekR4NEVCelJvbks4VjA4ZzhqNlRqQUpTakxJClN6VVRYUjMrV1cxR2FHRTdvcmJ0OHdwNGYvbzBPSGtDQXdFQUFhTlhNRlV3RHdZRFZSMFRBUUgvQkFVd0F3RUIKL3pBVEJnTlZIU1VFRERBS0JnZ3JCZ0VGQlFjREFUQU9CZ05WSFE4QkFmOEVCQU1DQVFZd0hRWURWUjBPQkJZRQpGS3c5akdTVS95dlV3cTllaURuSnZ6eXJVOXpFTUEwR0NTcUdTSWIzRFFFQkN3VUFBNElCQVFDTUJIU3U0QmlLCkhsdzlzbkV6ejQrTXl2RzdUVzBmdXRyNE5SZ0RyOTZieVBtRXlkWFlLUE85ZlVkQUI2S1J5QTlYWlNMQW4vWlUKWWFsSHlIMzU0NHY3WG1MRG11ZjhPWm8vMjdXdm9WVytGYWFxWnoybldsR1NsbW5XMTZ3SlpMUUpCSSs0U0NsRApTMmxkTnhmOHJFMDh1K2xNY0ZvZmphRG1TbERLNHQ2RXovQ3RmdEcxTWtUUk81N0JhbDlCY0t5RjIzV3ljRXVyCjFHVWt0N29JYWJHaXpkSW84RXFzbnNJSnJyTTRUS1A0NFVMei9aczlpQzUvWUVCUVNrZTg4T3RTc21TQjM5NHIKMEltU2dDOFVJMFB1UzF1YTI2MnNtMUI1dE11Yml6bUVFY3lTQ1pEUDRYTWhCdjBzSU10eldNaGFDazVNY3FvZAoxVXd4ZjRYSEEyU3kKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=" + # } + + # oms_agent { + # log_analytics_workspace_id = azurerm_log_analytics_workspace.workspace.id + # msi_auth_for_monitoring_enabled = true + # } + + # monitor_metrics { + # annotations_allowed = null + # labels_allowed = null + # } + + lifecycle { + ignore_changes = [ + default_node_pool.0.upgrade_settings, + ] + } +} + +resource "terraform_data" "aks-get-credentials" { + triggers_replace = [ + 
azurerm_kubernetes_cluster.aks.id + ] + + provisioner "local-exec" { + command = "az aks get-credentials --resource-group ${azurerm_kubernetes_cluster.aks.resource_group_name} --name ${azurerm_kubernetes_cluster.aks.name} --overwrite-existing" + } +} diff --git a/_egress_proxy/certificate/cert.crt b/_egress_proxy/certificate/cert.crt new file mode 100644 index 0000000..d4e5652 --- /dev/null +++ b/_egress_proxy/certificate/cert.crt @@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDazCCAlOgAwIBAgIUWaI/Mxw392v2DN8tIL0/mpdmTXQwDQYJKoZIhvcNAQEL +BQAwRTELMAkGA1UEBhMCRlIxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM +GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yNDAzMTUxMjU2MjRaFw0yNDA0 +MTQxMjU2MjRaMEUxCzAJBgNVBAYTAkZSMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw +HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3DQEB +AQUAA4IBDwAwggEKAoIBAQCEtJyn4u/4EQIHDSdP6+yJzxxc04bxBe4Fx9JKXcEG +mlYLy5ltMtK1ZIR2CKnRyyczyHhodIh8Gf6Z/OikYJMtjkQS7RqvOhvKDIvipt32 +FLvOQ2Kwga1quA6+Tzi13HvWMz096dsTajMZQu+HdBG65sYjLMvTav1EPdD9z0QM +hsLRDKLstYF3jcrC1e9SRz4nNJBgKhCpCGBCyED87TiTB+hXoILNWdjda5w9rE3k +rGII+il904KO/pGotWGYZ8zbTnhi7Mig8Q7tXV7MwJLuFSxKCj9CA+Gx64XCX154 +jIE5Uq6n+/h3eKAkj08ofY3nEUMxzD5OtBWlwZscgVCFAgMBAAGjUzBRMB0GA1Ud +DgQWBBR9HJnnahCLUn4xr/k4gXOKJfdtMzAfBgNVHSMEGDAWgBR9HJnnahCLUn4x +r/k4gXOKJfdtMzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAe +OWKSnZgDXETHlvuyqaqmH2Qcn/WGq+dhzQjc4vRH5FA6nDpPtC6+BvlW+5/wprXf +hg0HFemgYjTjrtPDUzaBR/Z3hLCkk0gY9cKlk9+e2YhOZqvLa/2XFnE/E5DZEuwF +LtwGz9PQzB5O/Q8PieBsMocrkLNYpem4k21AeOkX/EUglnePb4N3lVuWuz6ehzJA +1v5nPZGATU9jXNszYtLtg0fXaZY1nN9EUCMCQ15lMRJcWl13MxxK7ueKJVweIMJz +TzsBzqV2G8tSOi6Pq6784M9/4nQEOmNFbiJD42VnFr1Kw+/RaJpzDraY3COT1PCz +WhfrRMcsNED+BLp0Cy8E +-----END CERTIFICATE----- diff --git a/_egress_proxy/certificate/cert.key b/_egress_proxy/certificate/cert.key new file mode 100644 index 0000000..2799774 --- /dev/null +++ b/_egress_proxy/certificate/cert.key 
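Review bot: `http_proxy_config` makes the nodes trust the mitmproxy CA through `trusted_ca` while `outbound_type = "loadBalancer"` leaves them with direct internet egress, so the proxy is advisory rather than enforced: a workload that ignores the proxy environment still reaches the internet directly, yet the whole cluster now accepts any certificate minted by a CA whose key lives in a public, unpinned ACI container (aci-mitmproxy.tf in this commit). If the goal is inspected egress, pair this with `outbound_type = "userDefinedRouting"` and a route table on `snet-aks` so nothing leaves the subnet except via the inspection path, and keep the CA key somewhere with access control (a Key Vault secret) rather than in the container filesystem. The commented-out second `http_proxy_config` block, including its inline base64 CA certificate, should be deleted instead of kept as dead configuration; the live block above it already states the intent. `no_proxy = ["localhost","127.0.0.1"]` is very narrow; I believe AKS appends its own required entries, but the commented `azurerm_subnet.snet-aks.address_prefixes[0]` hints that in-VNet traffic was meant to bypass the proxy, and that should be confirmed before applying.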
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEuwIBADANBgkqhkiG9w0BAQEFAASCBKUwggShAgEAAoIBAQCEtJyn4u/4EQIH +DSdP6+yJzxxc04bxBe4Fx9JKXcEGmlYLy5ltMtK1ZIR2CKnRyyczyHhodIh8Gf6Z +/OikYJMtjkQS7RqvOhvKDIvipt32FLvOQ2Kwga1quA6+Tzi13HvWMz096dsTajMZ +Qu+HdBG65sYjLMvTav1EPdD9z0QMhsLRDKLstYF3jcrC1e9SRz4nNJBgKhCpCGBC +yED87TiTB+hXoILNWdjda5w9rE3krGII+il904KO/pGotWGYZ8zbTnhi7Mig8Q7t +XV7MwJLuFSxKCj9CA+Gx64XCX154jIE5Uq6n+/h3eKAkj08ofY3nEUMxzD5OtBWl +wZscgVCFAgMBAAECgf8Iju9DxdIp09BA3Hwk4R8GhsLz57BoWuKBbZJDms1k2n/g +M4E5P2dw/o0bvbXZ2YVUG9moFhlQ3VxOHEaIfEuQ+Qnq3KJKAb+a+N0hH5y7NUQQ +XdJogFrfZccSwX7zl7zp7SF5LBQbQ3j4zn6zfaJppjXeemPTvB91d9kKR+q3uwpb +KRrwKx7yhy+aNzRjlXWgK3zLZiFb3PL8pjEWp2A9WE80tQGkmxaEtNrrXu0aBi95 +JXXC/7t7gOpvAkMjdBiElxrFEz2Jr3LhyRa8/xRGF0CZLxb9UZwZ02dpeC26YDfO +GVgni3WOPpK7ioZ32skzMn4Ho/qHLykkEWq/3FECgYEAu31fs/PgTDXjupm20nAx +OvQNLl4kIbu3dHxek1L4KjUS3KQuyhg9zYf49LPzaaKzyGzJT4sjX+7L6cSieGRD +9JtYajpIWTfCNViz3fL0FMdqb+AAIO6Nbtz1iW30exCnFnzIyKGx3PBCShLNn6bs +c+1DsAoRCkZtT76KacdgSpUCgYEAtTJ6NYr+xzsDUyNcGJ/mbvkEcjiA+VmmFBcR +eKuTnIBduYHhe3WAWgm2DLMHuqoCaeSTQ0Mt0ueWYsdRJxzyeGbxNbJ+If2jqT6K +A6kvTcUip83MlsB9b+QR+eIWX1X+wMdwelxcMTreIHdAtgeJv/iDa/iMta6b6zFa +RMDuYjECgYEAuaZ1o3zzNsON0fHvZAUP2m5atvUlFfoIuGGGTJ81eKXBHZW9dwP1 +/pSLYdLmTk17dBS0af0+c/nDFKFOt6Og3o8MR3OavC1IMwa4ZCf0pLapoEnQFsvg +ZEyLHSAxm8JrkQrSzke+FSYanbpsvY/ORyRDiAcPxHrkNrhX2lI/+NkCgYAqxNBd +xQIgKoi9XfJGCbANb4+iGj4vHP77bPp9vhnobdAxkjuTtYdnOTWUR8nCQJCzR/WO +gdPWHT288Qjxr3539uxmXUwyX7j6oL1Y4d09gROOAiCRULwK5g1sKvZW6GhqPmkJ +KLXGFPwLM7q9fIgCHPmASbmExMMev5Zr9hIOcQKBgHvsheeZv7nS//Vvzwstvy5v +SEAPx4zBtdITHM18BPAF8WI7f8TD4Tutlwq7caSdDHVcoSd+KsLJcR1SIJV+aqfh +w1qWOyK2zvs8gpBWP124H7Rv9D/aMua7DwyBPG14IMk2IpMV+NSCbVqHJqbK8kJK +TQpFmmyywRTsC2fxSKyS +-----END PRIVATE KEY----- diff --git a/_egress_proxy/certificate/cert.pem b/_egress_proxy/certificate/cert.pem new file mode 100644 index 0000000..b0fd505 --- /dev/null +++ b/_egress_proxy/certificate/cert.pem 
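Review bot: `_egress_proxy/certificate/cert.key` commits an unencrypted RSA private key (`-----BEGIN PRIVATE KEY-----` … `-----END PRIVATE KEY-----`) to the repository, and the same key is duplicated in `cert.pem` (the hunk spanning L19–L20); the binary `mitmproxy-ca-cert (22).p12` added on L21 carries a browser download-counter suffix and is a generated artefact that does not belong in the repo either. Once a private key is in git history it has to be treated as disclosed regardless of later deletions: remove the files from the commit, purge them from history, regenerate the key pair on the proxy host, and add `_egress_proxy/certificate/*.key` and `*.pem` to `.gitignore` so the output of `generate-cert.sh` cannot be committed again. The certificate paired with this key is self-signed with `CA:TRUE`, so if it is what ends up in the cluster's `trusted_ca`, whoever holds the key can present valid certificates for any site to the cluster; rotate before this configuration is applied anywhere.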
@@ -0,0 +1,49 @@ +-----BEGIN PRIVATE KEY----- +MIIEuwIBADANBgkqhkiG9w0BAQEFAASCBKUwggShAgEAAoIBAQCEtJyn4u/4EQIH +DSdP6+yJzxxc04bxBe4Fx9JKXcEGmlYLy5ltMtK1ZIR2CKnRyyczyHhodIh8Gf6Z +/OikYJMtjkQS7RqvOhvKDIvipt32FLvOQ2Kwga1quA6+Tzi13HvWMz096dsTajMZ +Qu+HdBG65sYjLMvTav1EPdD9z0QMhsLRDKLstYF3jcrC1e9SRz4nNJBgKhCpCGBC +yED87TiTB+hXoILNWdjda5w9rE3krGII+il904KO/pGotWGYZ8zbTnhi7Mig8Q7t +XV7MwJLuFSxKCj9CA+Gx64XCX154jIE5Uq6n+/h3eKAkj08ofY3nEUMxzD5OtBWl +wZscgVCFAgMBAAECgf8Iju9DxdIp09BA3Hwk4R8GhsLz57BoWuKBbZJDms1k2n/g +M4E5P2dw/o0bvbXZ2YVUG9moFhlQ3VxOHEaIfEuQ+Qnq3KJKAb+a+N0hH5y7NUQQ +XdJogFrfZccSwX7zl7zp7SF5LBQbQ3j4zn6zfaJppjXeemPTvB91d9kKR+q3uwpb +KRrwKx7yhy+aNzRjlXWgK3zLZiFb3PL8pjEWp2A9WE80tQGkmxaEtNrrXu0aBi95 +JXXC/7t7gOpvAkMjdBiElxrFEz2Jr3LhyRa8/xRGF0CZLxb9UZwZ02dpeC26YDfO +GVgni3WOPpK7ioZ32skzMn4Ho/qHLykkEWq/3FECgYEAu31fs/PgTDXjupm20nAx +OvQNLl4kIbu3dHxek1L4KjUS3KQuyhg9zYf49LPzaaKzyGzJT4sjX+7L6cSieGRD +9JtYajpIWTfCNViz3fL0FMdqb+AAIO6Nbtz1iW30exCnFnzIyKGx3PBCShLNn6bs +c+1DsAoRCkZtT76KacdgSpUCgYEAtTJ6NYr+xzsDUyNcGJ/mbvkEcjiA+VmmFBcR +eKuTnIBduYHhe3WAWgm2DLMHuqoCaeSTQ0Mt0ueWYsdRJxzyeGbxNbJ+If2jqT6K +A6kvTcUip83MlsB9b+QR+eIWX1X+wMdwelxcMTreIHdAtgeJv/iDa/iMta6b6zFa +RMDuYjECgYEAuaZ1o3zzNsON0fHvZAUP2m5atvUlFfoIuGGGTJ81eKXBHZW9dwP1 +/pSLYdLmTk17dBS0af0+c/nDFKFOt6Og3o8MR3OavC1IMwa4ZCf0pLapoEnQFsvg +ZEyLHSAxm8JrkQrSzke+FSYanbpsvY/ORyRDiAcPxHrkNrhX2lI/+NkCgYAqxNBd +xQIgKoi9XfJGCbANb4+iGj4vHP77bPp9vhnobdAxkjuTtYdnOTWUR8nCQJCzR/WO +gdPWHT288Qjxr3539uxmXUwyX7j6oL1Y4d09gROOAiCRULwK5g1sKvZW6GhqPmkJ +KLXGFPwLM7q9fIgCHPmASbmExMMev5Zr9hIOcQKBgHvsheeZv7nS//Vvzwstvy5v +SEAPx4zBtdITHM18BPAF8WI7f8TD4Tutlwq7caSdDHVcoSd+KsLJcR1SIJV+aqfh +w1qWOyK2zvs8gpBWP124H7Rv9D/aMua7DwyBPG14IMk2IpMV+NSCbVqHJqbK8kJK +TQpFmmyywRTsC2fxSKyS +-----END PRIVATE KEY----- +-----BEGIN CERTIFICATE----- +MIIDazCCAlOgAwIBAgIUWaI/Mxw392v2DN8tIL0/mpdmTXQwDQYJKoZIhvcNAQEL +BQAwRTELMAkGA1UEBhMCRlIxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM +GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yNDAzMTUxMjU2MjRaFw0yNDA0 
+MTQxMjU2MjRaMEUxCzAJBgNVBAYTAkZSMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw +HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3DQEB +AQUAA4IBDwAwggEKAoIBAQCEtJyn4u/4EQIHDSdP6+yJzxxc04bxBe4Fx9JKXcEG +mlYLy5ltMtK1ZIR2CKnRyyczyHhodIh8Gf6Z/OikYJMtjkQS7RqvOhvKDIvipt32 +FLvOQ2Kwga1quA6+Tzi13HvWMz096dsTajMZQu+HdBG65sYjLMvTav1EPdD9z0QM +hsLRDKLstYF3jcrC1e9SRz4nNJBgKhCpCGBCyED87TiTB+hXoILNWdjda5w9rE3k +rGII+il904KO/pGotWGYZ8zbTnhi7Mig8Q7tXV7MwJLuFSxKCj9CA+Gx64XCX154 +jIE5Uq6n+/h3eKAkj08ofY3nEUMxzD5OtBWlwZscgVCFAgMBAAGjUzBRMB0GA1Ud +DgQWBBR9HJnnahCLUn4xr/k4gXOKJfdtMzAfBgNVHSMEGDAWgBR9HJnnahCLUn4x +r/k4gXOKJfdtMzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAe +OWKSnZgDXETHlvuyqaqmH2Qcn/WGq+dhzQjc4vRH5FA6nDpPtC6+BvlW+5/wprXf +hg0HFemgYjTjrtPDUzaBR/Z3hLCkk0gY9cKlk9+e2YhOZqvLa/2XFnE/E5DZEuwF +LtwGz9PQzB5O/Q8PieBsMocrkLNYpem4k21AeOkX/EUglnePb4N3lVuWuz6ehzJA +1v5nPZGATU9jXNszYtLtg0fXaZY1nN9EUCMCQ15lMRJcWl13MxxK7ueKJVweIMJz +TzsBzqV2G8tSOi6Pq6784M9/4nQEOmNFbiJD42VnFr1Kw+/RaJpzDraY3COT1PCz +WhfrRMcsNED+BLp0Cy8E +-----END CERTIFICATE----- diff --git a/_egress_proxy/certificate/generate-cert.sh b/_egress_proxy/certificate/generate-cert.sh new file mode 100644 index 0000000..bf5e191 --- /dev/null +++ b/_egress_proxy/certificate/generate-cert.sh @@ -0,0 +1,4 @@ +openssl genrsa -out cert.key 2048 +# (Specify the mitm domain as Common Name, e.g. \*.google.com) +openssl req -new -x509 -key cert.key -out cert.crt +cat cert.key cert.crt > cert.pem diff --git a/_egress_proxy/install-mitmproxy.sh b/_egress_proxy/install-mitmproxy.sh new file mode 100644 index 0000000..1f4fc0c --- /dev/null +++ b/_egress_proxy/install-mitmproxy.sh 
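Review bot: `openssl req -new -x509 -key cert.key -out cert.crt` runs without `-days`, so the certificate gets OpenSSL's 30-day default — the committed `cert.crt` decodes to notBefore 2024-03-15 and notAfter 2024-04-14 — and the proxy will start failing TLS for the whole cluster a month after deployment with nothing in this repo warning about it. Add an explicit validity and a non-interactive subject, e.g. `openssl req -new -x509 -key cert.key -out cert.crt -days 90 -subj "/CN=<your-proxy-name>"`, and document the renewal expectation in the README. The comment about setting the mitm domain as Common Name is also out of date: current clients ignore CN and require a `subjectAltName`, so if a specific host must be matched add `-addext "subjectAltName=DNS:<host>"` rather than relying on CN. Since `cert.key` is later concatenated into `cert.pem` and served by the proxy, create it with restrictive permissions (`umask 077` before `openssl genrsa`).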
@@ -0,0 +1,25 @@ +#!/bin/bash + +# sudo apt update -y + +# wget https://downloads.mitmproxy.org/10.2.2/mitmproxy-10.2.2-linux-x86_64.tar.gz + +# tar -xvf mitmproxy-10.2.2-linux-x86_64.tar.gz + +# # start the proxy; this is also needed to generate the certificates + +# ./mitmproxy + +sudo apt update -y + +sudo apt install python3-pip -y + +pip3 install mitmproxy + +# mitmproxy --listen-port 8080 --web-host 0.0.0.0 --web-port 8081 --set block_global=false + +mitmweb --listen-port 8080 --web-host 0.0.0.0 --web-port 8081 --certs *=cert.pem --set block_global=false + +# screen -d -m mitmweb --listen-port 8080 --web-host 0.0.0.0 --web-port 8081 --set block_global=false + +# install the cert in: mitm.it \ No newline at end of file diff --git a/_egress_proxy/mitmproxy-ca-cert (22).p12 b/_egress_proxy/mitmproxy-ca-cert (22).p12 new file mode 100644 index 0000000000000000000000000000000000000000..5da363b52219a02a2ab5217833fec5f908094670 GIT binary patch literal 1035 zcmXqLVqs@uWHxAG-pj_R)#lOmotKfFaX}OFI+iBpRY2ioK)eW5YBEr&A1K@n#O-X{ zP+dG+jLblNfj~iDHZG_jrx?gATc8F@ptz|)6O-%$W+p}^CJ~AHjhlpa#$SxQ+&v?? zP2N>$((XS7yl{&cxmg(uGz^6d1lX8ES(te^b2CeF3ySh9Dq&(=NMZ(Z;=D#C2F8X) zhGs^VMy65XyvE2}5=?4hR6=$JBP#=Q6C*!^K@%evQxhX2!-`CsvnA^_qC)hXLYocW z7~SAa|7E=Y_|pppwPnm4qUrPN#f4Ih%WN!E@?|zRF)w+1gYm?{$(~uM;R{X**0p>6 zGCTF-dBddh9WUyC%~sh}qEawj_R~M3SU(Q?_e`@F>RpL;|GjzFQrlZwYkST*T(#5g zEM?N!bw@gcx2NcpPmuSLoDGk6*i20c_2cDKJKrj}`u2Q>L+e_;c3aN4dGzyv@7kPq z4$asx!|&F_IMcF44= ze{+M64;+f!I!}F!wP`-_%g=z*%jkr+sc@|9zsOv-j6~~2+unZWs;K{EVo}M&%*epF zINTuAfFBq$vcimv|5;cKn1PgmFi1d^g~x!4jYFG_k(HI5nbCj`B*+g^#R80YHUn7@ zpN~b1MP!X_Ps)`4+E)&(kL$2Jx!-1W@SP*bK@Us;z@TSj=wT^Y_dudcF2;6Kq4D|t zo>L!p`{v5;y7j|Uf_eSD*(ZLsoVtA$zKF8(JMZXO zx7V(j9Z!3x@A$Qi80T06oBk{Qv*} literal 0 HcmV?d00001 diff --git a/_egress_proxy/output.tf b/_egress_proxy/output.tf new file mode 100644 index 0000000..e69de29 diff --git a/_egress_proxy/providers.tf b/_egress_proxy/providers.tf new file mode 100644 index 0000000..ab397d4 --- /dev/null 
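Review bot: `mitmweb --listen-port 8080 --web-host 0.0.0.0 --web-port 8081 ... --set block_global=false` turns the VM into an open forward proxy and exposes the management UI on every interface, and this script is the `custom_data` of a VM that gets a Standard public IP in the same commit; `block_global` only blocks clients on public addresses, so the AKS nodes in 10.10.0.0/24 are already admitted by the default and the flag buys nothing except internet reachability (a Standard-SKU public IP denies inbound until an NSG opens it, to my understanding, but the first SSH rule someone adds changes that). I would drop `--set block_global=false`, bind the UI to loopback and use an absolute cert path, since cloud-init does not run this script from a directory containing `cert.pem`: `mitmweb --listen-port 8080 --web-host 127.0.0.1 --web-port 8081 --certs "*=/etc/mitmproxy/cert.pem"`, reached over an SSH tunnel. Quoting `*=cert.pem` also stops the shell from glob-expanding it when a matching file happens to exist. Running `mitmweb` in the foreground of a cloud-init script ties it to cloud-init's lifetime; a small systemd unit is the robust shape, and `pip3 install mitmproxy==10.2.2` (the version the commented block already names) pins what gets installed as root.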
+++ b/_egress_proxy/providers.tf
@@ -0,0 +1,19 @@
+terraform {
+
+ required_version = ">= 1.7"
+
+ required_providers {
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = ">= 3.96.0"
+ }
+ }
+}
+
+provider "azurerm" {
+ features {
+ resource_group {
+ prevent_deletion_if_contains_resources = false
+ }
+ }
+}
diff --git a/_egress_proxy/rg.tf b/_egress_proxy/rg.tf
new file mode 100644
index 0000000..713cf37
--- /dev/null
+++ b/_egress_proxy/rg.tf
@@ -0,0 +1,4 @@
+resource "azurerm_resource_group" "rg" {
+ name = "rg-aks-proxy-${var.prefix}"
+ location = "westeurope"
+}
\ No newline at end of file
diff --git a/_egress_proxy/variables.tf b/_egress_proxy/variables.tf
new file mode 100644
index 0000000..dfd32b7
--- /dev/null
+++ b/_egress_proxy/variables.tf
@@ -0,0 +1,5 @@
+variable "prefix" {
+ description = "Prefix for resources"
+ type = string
+ default = "67"
+}
\ No newline at end of file
diff --git a/_egress_proxy/vm-linux-proxy-mitm.tf b/_egress_proxy/vm-linux-proxy-mitm.tf
new file mode 100644
index 0000000..7dffe4b
--- /dev/null
+++ b/_egress_proxy/vm-linux-proxy-mitm.tf
@@ -0,0 +1,62 @@
+resource "azurerm_public_ip" "pip-vm-proxy" {
+ name = "pip-vm-proxy"
+ location = azurerm_resource_group.rg.location
+ resource_group_name = azurerm_resource_group.rg.name
+ allocation_method = "Static"
+ sku = "Standard"
+}
+
+resource "azurerm_network_interface" "nic-vm-proxy" {
+ name = "nic-vm-proxy"
+ resource_group_name = azurerm_resource_group.rg.name
+ location = azurerm_resource_group.rg.location
+
+ enable_ip_forwarding = true
+
+ ip_configuration {
+ name = "internal"
+ subnet_id = azurerm_subnet.subnet-vm.id
+ private_ip_address_allocation = "Dynamic"
+ public_ip_address_id = azurerm_public_ip.pip-vm-proxy.id
+ }
+}
+
+resource "azurerm_linux_virtual_machine" "vm-proxy" {
+ name = "vm-linux-mitmproxy"
+ resource_group_name = azurerm_resource_group.rg.name
+ location = azurerm_resource_group.rg.location
+ size = "Standard_B2ats_v2"
+ disable_password_authentication = false
+ admin_username = "azureuser"
+ admin_password = "@Aa123456789"
+ network_interface_ids = [azurerm_network_interface.nic-vm-proxy.id]
+ priority = "Spot"
+ eviction_policy = "Deallocate"
+
+ custom_data = filebase64("./install-mitmproxy.sh")
+
+ os_disk {
+ name = "os-disk-vm"
+ caching = "ReadWrite"
+ storage_account_type = "Standard_LRS"
+ }
+
+ source_image_reference {
+ publisher = "canonical"
+ offer = "0001-com-ubuntu-server-jammy"
+ sku = "22_04-lts-gen2"
+ version = "latest"
+ }
+
+ boot_diagnostics {
+ storage_account_uri = null
+ }
+}
+
+output "vm_ublic_ip" {
+ value = azurerm_public_ip.pip-vm-proxy.ip_address
+}
+
+output "vm_private_ip" {
+ value = azurerm_network_interface.nic-vm-proxy.private_ip_address
+}
\ No newline at end of file
diff --git a/_egress_proxy/vnet-hub.tf b/_egress_proxy/vnet-hub.tf
new file mode 100644
index 0000000..7633566
--- /dev/null
+++ b/_egress_proxy/vnet-hub.tf
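Review bot: `disable_password_authentication = false` with the literal `admin_password = "@Aa123456789"` puts a guessable, repository-visible credential on a VM that is given a Standard public IP in the same file; whoever opens SSH on it (there is no NSG in this hunk) has password-auth exposed to the internet with a known password. Switch to key-based login: `disable_password_authentication = true` and an `admin_ssh_key { username = "azureuser" public_key = file("~/.ssh/id_rsa.pub") }` block (or a `var.ssh_public_key`), and drop `admin_password` entirely. If a password is unavoidable for the demo, it should come from a sensitive variable or `random_password`, never a string in the .tf. Minor: the output name `vm_ublic_ip` is missing the "p" and will be awkward to reference from the README or other modules; rename it before anyone depends on it.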
@@ -0,0 +1,14 @@
+resource "azurerm_virtual_network" "vnet-hub" {
+ name = "vnet-hub-weu"
+ resource_group_name = azurerm_resource_group.rg.name
+ location = azurerm_resource_group.rg.location
+ address_space = ["10.0.0.0/16"]
+ dns_servers = null
+}
+
+resource "azurerm_subnet" "subnet-vm" {
+ name = "subnet-vm"
+ resource_group_name = azurerm_virtual_network.vnet-hub.resource_group_name
+ virtual_network_name = azurerm_virtual_network.vnet-hub.name
+ address_prefixes = ["10.0.0.0/24"]
+}
\ No newline at end of file
diff --git a/_egress_proxy/vnet-spoke.tf b/_egress_proxy/vnet-spoke.tf
new file mode 100644
index 0000000..f2bb548
--- /dev/null
+++ b/_egress_proxy/vnet-spoke.tf
@@ -0,0 +1,13 @@
+resource "azurerm_virtual_network" "vnet" {
+ name = "vnet-aks"
+ resource_group_name = azurerm_resource_group.rg.name
+ location = azurerm_resource_group.rg.location
+ address_space = ["10.10.0.0/16"]
+}
+
+resource "azurerm_subnet" "snet-aks" {
+ name = "snet-aks"
+ virtual_network_name = azurerm_virtual_network.vnet.name
+ resource_group_name = azurerm_virtual_network.vnet.resource_group_name
+ address_prefixes = ["10.10.0.0/24"]
+}
\ No newline at end of file
diff --git a/tmp/main.tf b/tmp/main.tf
index eac9b69..a93747f 100644
--- a/tmp/main.tf
+++ b/tmp/main.tf
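Review bot: `subnet-vm` hosts the interception proxy but has no `azurerm_network_security_group` associated, so the only thing limiting who can reach ports 8080/8081 on the proxy NIC is whatever the proxy itself enforces, and the install script in this commit disables mitmproxy's own public-client block. A subnet-level NSG that allows 8080 only from the spoke range (`10.10.0.0/16`) and denies everything else inbound, plus SSH restricted to an admin range, is the control a hub NVA should carry, unless it is defined in another file of this change. If the NSG lives elsewhere, a comment on the subnet pointing to it would save the next reader the search.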
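Review bot: No `azurerm_virtual_network_peering` between `vnet-aks` (10.10.0.0/16) and `vnet-hub` (10.0.0.0/16) appears in this hunk, so nothing in `snet-aks` can reach the proxy's private IP; the peering may be declared in aks.tf, which is part of the commit but not in view. If it is not, add the peering in both directions, otherwise the only route to the proxy is its public IP and the traffic this design is meant to keep inside the VNets goes out over the internet. A short header comment stating where the hub/spoke peering and any route table for `snet-aks` are defined would make the intended data path clear.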
@@ -1,660 +1,156 @@ -resource "azurerm_resource_group" "rg" { - location = var.resource_group_location - name = "defaultPrometheusOnboardingResourceGroup" -} - -resource "azurerm_kubernetes_cluster" "k8s" { - location = azurerm_resource_group.rg.location - name = var.cluster_name - resource_group_name = azurerm_resource_group.rg.name - - - dns_prefix = var.dns_prefix - tags = { - Environment = "Development" - } +data "azurerm_client_config" "current" {} - default_node_pool { - name = "agentpool" - vm_size = "Standard_D2_v2" - node_count = var.agent_count - } +resource "azurerm_resource_group" "example" { + name = "example" + location = "West Europe" +} - monitor_metrics { - annotations_allowed = var.metric_annotations_allowlist - labels_allowed = var.metric_labels_allowlist - } +resource "azurerm_resource_group" "snap" { + name = "example-snap" + location = "West Europe" +} - network_profile { - network_plugin = "kubenet" - load_balancer_sku = "standard" - } +resource "azurerm_data_protection_backup_vault" "example" { + name = "example" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_resource_group.example.location + datastore_type = "VaultStore" + redundancy = "LocallyRedundant" identity { type = "SystemAssigned" } } -resource "azurerm_monitor_workspace" "amw" { - name = var.monitor_workspace_name - resource_group_name = azurerm_resource_group.rg.name - location = azurerm_resource_group.rg.location -} - -resource "azurerm_monitor_data_collection_endpoint" "dce" { - name = "MSProm-${azurerm_resource_group.rg.location}-${var.cluster_name}" - resource_group_name = azurerm_resource_group.rg.name - location = azurerm_resource_group.rg.location - kind = "Linux" -} - -resource "azurerm_monitor_data_collection_rule" "dcr" { - name = "MSProm-${azurerm_resource_group.rg.location}-${var.cluster_name}" - resource_group_name = azurerm_resource_group.rg.name - location = azurerm_resource_group.rg.location - data_collection_endpoint_id = 
azurerm_monitor_data_collection_endpoint.dce.id - kind = "Linux" +resource "azurerm_kubernetes_cluster" "example" { + name = "example" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + dns_prefix = "dns" - destinations { - monitor_account { - monitor_account_id = azurerm_monitor_workspace.amw.id - name = "MonitoringAccount1" - } - } - - data_flow { - streams = ["Microsoft-PrometheusMetrics"] - destinations = ["MonitoringAccount1"] - } - - - data_sources { - prometheus_forwarder { - streams = ["Microsoft-PrometheusMetrics"] - name = "PrometheusDataSource" - } + default_node_pool { + name = "default" + node_count = 1 + vm_size = "Standard_DS2_v2" + # enable_host_encryption = true } - description = "DCR for Azure Monitor Metrics Profile (Managed Prometheus)" - depends_on = [ - azurerm_monitor_data_collection_endpoint.dce - ] -} - -resource "azurerm_monitor_data_collection_rule_association" "dcra" { - name = "MSProm-${azurerm_resource_group.rg.location}-${var.cluster_name}" - target_resource_id = azurerm_kubernetes_cluster.k8s.id - data_collection_rule_id = azurerm_monitor_data_collection_rule.dcr.id - description = "Association of data collection rule. Deleting this association will break the data collection for this AKS Cluster." 
- depends_on = [ - azurerm_monitor_data_collection_rule.dcr - ] -} - -resource "azurerm_dashboard_grafana" "grafana" { - name = var.grafana_name - resource_group_name = azurerm_resource_group.rg.name - location = var.grafana_location - identity { type = "SystemAssigned" } - - azure_monitor_workspace_integrations { - resource_id = azurerm_monitor_workspace.amw.id - } } -resource "azurerm_role_assignment" "datareaderrole" { - scope = azurerm_monitor_workspace.amw.id - role_definition_id = "/subscriptions/${split("/", azurerm_monitor_workspace.amw.id)[2]}/providers/Microsoft.Authorization/roleDefinitions/b0d8363b-8ddd-447d-831f-62ca05bff136" - principal_id = azurerm_dashboard_grafana.grafana.identity.0.principal_id +resource "azurerm_kubernetes_cluster_trusted_access_role_binding" "aks_cluster_trusted_access" { + kubernetes_cluster_id = azurerm_kubernetes_cluster.example.id + name = "example" + roles = ["Microsoft.DataProtection/backupVaults/backup-operator"] + source_resource_id = azurerm_data_protection_backup_vault.example.id } -resource "azurerm_monitor_alert_prometheus_rule_group" "node_recording_rules_rule_group" { - name = "NodeRecordingRulesRuleGroup-${var.cluster_name}" - location = azurerm_resource_group.rg.location - resource_group_name = azurerm_resource_group.rg.name - cluster_name = var.cluster_name - description = "Node Recording Rules Rule Group" - rule_group_enabled = true - interval = "PT1M" - scopes = [azurerm_monitor_workspace.amw.id,azurerm_kubernetes_cluster.k8s.id] - - rule { - enabled = true - record = "instance:node_num_cpu:sum" - expression = <