52 changes: 52 additions & 0 deletions src/core/saca-hub/main.tf
Expand Up @@ -27,6 +27,9 @@ provider "azurerm" {
log_analytics_workspace {
permanently_delete_on_destroy = true
}
key_vault {
purge_soft_delete_on_destroy = true
}
}
}

Expand Down Expand Up @@ -109,3 +112,52 @@ module "saca-firewall" {
DeploymentName = var.deploymentname
}
}

module "jumpbox-subnet" {
depends_on = [module.saca-hub-network, module.saca-firewall]
source = "../../modules/subnet"

name = var.jumpbox_subnet.name
location = var.mlz_location
resource_group_name = azurerm_resource_group.hub.name
virtual_network_name = var.saca_vnetname
address_prefixes = var.jumpbox_subnet.address_prefixes
service_endpoints = lookup(var.jumpbox_subnet, "service_endpoints", [])

enforce_private_link_endpoint_network_policies = lookup(var.jumpbox_subnet, "enforce_private_link_endpoint_network_policies", null)
enforce_private_link_service_network_policies = lookup(var.jumpbox_subnet, "enforce_private_link_service_network_policies", null)

nsg_name = var.jumpbox_subnet.nsg_name
nsg_rules = var.jumpbox_subnet.nsg_rules

routetable_name = var.jumpbox_subnet.routetable_name
firewall_ip_address = module.saca-firewall.firewall_public_ip

log_analytics_storage_id = module.saca-hub-network.log_analytics_storage_id
log_analytics_workspace_id = module.saca-hub-network.log_analytics_workspace_id

tags = {
DeploymentName = var.deploymentname
}
}

module "jumpbox" {
depends_on = [module.saca-hub-network, module.jumpbox-subnet]
source = "../../modules/jumpbox"

resource_group_name = azurerm_resource_group.hub.name
virtual_network_name = var.saca_vnetname
subnet_name = var.jumpbox_subnet.name
location = azurerm_resource_group.hub.location

keyvault_name = var.jumpbox_keyvault_name
tenant_id = var.mlz_tenantid
object_id = var.mlz_objectid

name = var.jumpbox_vm_name
size = var.jumpbox_vm_size
publisher = var.jumpbox_vm_publisher
offer = var.jumpbox_vm_offer
sku = var.jumpbox_vm_sku
image_version = var.jumpbox_vm_version
}
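Review bot: The new `key_vault { purge_soft_delete_on_destroy = true }` provider setting permanently purges the vault that the jumpbox module is given for its credentials (`keyvault_name = var.jumpbox_keyvault_name`) on `terraform destroy`, so the soft-delete recovery window for those secrets is gone; that is reasonable for a demo but deserves a comment next to it, e.g. `# purges the jumpbox credential vault on destroy (no soft-delete recovery) -- set to false outside demo use`. The `jumpbox-subnet` module is passed `module.saca-firewall.firewall_public_ip` as `firewall_ip_address`; if the subnet module uses it as the VirtualAppliance next hop of the route table, the firewall's private IP is normally what is required, so confirm against the subnet module and the other subnet callers (both outside this diff). `object_id = var.mlz_objectid` is presumably the principal given an access policy on that vault; a one-line comment saying so would make the trust relationship explicit.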
79 changes: 79 additions & 0 deletions src/core/saca-hub/saca-hub.front.json
Expand Up @@ -177,6 +177,85 @@
"default_val": "mlzDemoBastionHostIpCfg",
"description": "The name of the Bastion Host IP Configuration",
"options": []
},
{
"varname": "jumpbox_subnet.name",
"type": "text",
"default_val": "mlzDemoJumpboxSubnet",
"description": "The name of the jumpbox subnet",
"options": []
},
{
"varname": "jumpbox_subnet.address_prefixes",
"type": "list",
"default_val": [
"10.0.100.160/27"
],
"description": "The address space(s) (new line seperated) to be used for the jumpbox subnet.",
"options": []
},
{
"varname": "jumpbox_subnet.nsg_name",
"type": "text",
"default_val": "mlzDemoJumpboxSubnetNsg",
"description": "The name of the jumpbox subnet route table network security group",
"options": []
},
{
"varname": "jumpbox_subnet.routetable_name",
"type": "text",
"default_val": "mlzDemoJumpboxSubnetRt",
"description": "The name of the jumpbox subnet route table",
"options": []
},
{
"varname": "jumpbox_keyvault_name",
"type": "text",
"default_val": "mlzDemoJumpboxVmKv",
"description": "The name of the jumpbox credentials Key Vault",
"options": []
},
{
"varname": "jumpbox_vm_name",
"type": "text",
"default_val": "mlzDemoJumpboxVm",
"description": "The name of the jumpbox virtual machine",
"options": []
},
{
"varname": "jumpbox_vm_size",
"type": "text",
"default_val": "Standard_DS1_v2",
"description": "The size of the jumpbox virtual machine",
"options": []
},
{
"varname": "jumpbox_vm_publisher",
"type": "text",
"default_val": "MicrosoftWindowsServer",
"description": "The publisher of the jumpbox virtual machine source image",
"options": []
},
{
"varname": "jumpbox_vm_offer",
"type": "text",
"default_val": "WindowsServer",
"description": "The offer of the jumpbox virtual machine source image",
"options": []
},
{
"varname": "jumpbox_vm_sku",
"type": "text",
"default_val": "2019-datacenter-gensecond",
"description": "The SKU of the jumpbox virtual machine source image",
"options": []
},
{
"varname": "jumpbox_vm_version",
"type": "text",
"default_val": "latest",
"description": "The version of the jumpbox virtual machine source image",
"options": []
}
]
}
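Review bot: `jumpbox_subnet.nsg_name` is described as "The name of the jumpbox subnet route table network security group", a copy-paste from the route-table entry below it; it should read `"The name of the jumpbox subnet network security group"`, and `seperated` in the address_prefixes description should be `separated`. Only the subnet's name, prefixes, NSG name and route-table name are exposed here, so a front-end user gets the `nsg_rules` default from variables.tf — which as written permits inbound TCP from `*` — with no way to tighten it from this form; either expose `jumpbox_subnet.nsg_rules` or state in the description that the rules come from the variable default. `jumpbox_vm_version` defaulting to `"latest"` makes the jumpbox image non-reproducible between deployments; a description hint such as `"pin to a specific image version for reproducible builds"` would help.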
48 changes: 46 additions & 2 deletions src/core/saca-hub/saca-hub.orig.tfvars.json
Expand Up @@ -25,5 +25,49 @@
"bastion_host_name": "{BASTION_HOST_NAME}",
"bastion_address_space": "{BASTION_ADDRESS_SPACE}",
"bastion_public_ip_name": "{BASTION_PUBLIC_IP_NAME}",
"bastion_ipconfig_name": "{BASTION_IPCONFIG_NAME}"
}
"bastion_ipconfig_name": "{BASTION_IPCONFIG_NAME}",
"jumpbox_subnet": {
"name": "{JUMPBOX_SUBNET_NAME}",
"address_prefixes": [
"{JUMPBOX_SUBNET_SPACE}"
],
"service_endpoints": [
"Microsoft.Storage"
],
"enforce_private_link_endpoint_network_policies": false,
"enforce_private_link_service_network_policies": false,
"nsg_name": "{JUMPBOX_SUBNET_NSG_NAME}",
"nsg_rules": {
"allow_ssh": {
"name": "allow_ssh",
"priority": "100",
"direction": "Inbound",
"access": "Allow",
"protocol": "Tcp",
"source_port_range": "22",
"destination_port_range": "",
"source_address_prefix": "*",
"destination_address_prefix": ""
},
"allow_rdp": {
"name": "allow_rdp",
"priority": "200",
"direction": "Inbound",
"access": "Allow",
"protocol": "Tcp",
"source_port_range": "3389",
"destination_port_range": "",
"source_address_prefix": "*",
"destination_address_prefix": ""
}
},
"routetable_name": "{JUMPBOX_SUBNET_RT_NAME}"
},
"jumpbox_keyvault_name": "{JUMPBOX_KEYVAULT_NAME}",
"jumpbox_vm_name": "{JUMPBOX_VM_NAME}",
"jumpbox_vm_size": "{JUMPBOX_VM_SIZE}",
"jumpbox_vm_publisher": "{JUMPBOX_VM_PUBLISHER}",
"jumpbox_vm_offer": "{JUMPBOX_VM_OFFER}",
"jumpbox_vm_sku": "{JUMPBOX_VM_SKU}",
"jumpbox_vm_version": "{JUMPBOX_VM_VERSION}"
}
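Review bot: Both `allow_ssh` and `allow_rdp` put the service port in `source_port_range` (`"22"`, `"3389"`) and leave `destination_port_range` empty, which is inverted for an inbound rule: SSH and RDP clients use ephemeral source ports and connect to destination 22/3389, so these rules match neither session type, and an empty destination port range may be rejected by the provider unless the subnet module (outside this diff) rewrites it. The fix is `"source_port_range": "*"` and `"destination_port_range": "22"` (likewise `"3389"`), and `source_address_prefix` should be narrowed from `"*"` to the Bastion subnet or firewall range rather than any address that can reach the subnet. `destination_address_prefix` is also empty and probably wants `"*"` or the subnet prefix. The same template is repeated in saca-hub.tfvars.sample and in the variables.tf default.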
49 changes: 49 additions & 0 deletions src/core/saca-hub/saca-hub.tfvars.sample
Expand Up @@ -38,3 +38,52 @@ bastion_host_name = "{BASTION_HOST_NAME}",
bastion_address_space = "{BASTION_ADDRESS_SPACE}",
bastion_public_ip_name = "{BASTION_PUBLIC_IP_NAME}",
bastion_ipconfig_name = "{BASTION_IPCONFIG_NAME}"

#################################
# Jumpbox VM Configuration
#################################

jumpbox_subnet = {
name = "{JUMPBOX_SUBNET_NAME}"
address_prefixes = ["{JUMPBOX_SUBNET_SPACE}"]
service_endpoints = ["Microsoft.Storage"]

enforce_private_link_endpoint_network_policies = false
enforce_private_link_service_network_policies = false

nsg_name = "{JUMPBOX_SUBNET_NSG_NAME}"
nsg_rules = {
"allow_ssh" = {
name = "allow_ssh"
priority = "100"
direction = "Inbound"
access = "Allow"
protocol = "Tcp"
source_port_range = "22"
destination_port_range = ""
source_address_prefix = "*"
destination_address_prefix = ""
},
"allow_rdp" = {
name = "allow_rdp"
priority = "200"
direction = "Inbound"
access = "Allow"
protocol = "Tcp"
source_port_range = "3389"
destination_port_range = ""
source_address_prefix = "*"
destination_address_prefix = ""
}
}

routetable_name = "{JUMPBOX_SUBNET_RT_NAME}"
}

jumpbox_keyvault_name = "{JUMPBOX_KEYVAULT_NAME}"
jumpbox_vm_name = "{JUMPBOX_VM_NAME}"
jumpbox_vm_size = "{JUMPBOX_VM_SIZE}"
jumpbox_vm_publisher = "{JUMPBOX_VM_PUBLISHER}"
jumpbox_vm_offer = "{JUMPBOX_VM_OFFER}"
jumpbox_vm_sku = "{JUMPBOX_VM_SKU}"
jumpbox_vm_version = "{JUMPBOX_VM_VERSION}"
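Review bot: The sample `nsg_rules` carry the same defect as the tfvars.json template: port 22/3389 sits in `source_port_range` with an empty `destination_port_range`, so `destination_port_range = "22"` / `"3389"` with `source_port_range = "*"` is what an inbound SSH/RDP allow needs. `source_address_prefix = "*"` admits any source that can route to the jumpbox subnet (peered spokes included), which for a jumpbox reached through Bastion should be narrowed to the Bastion subnet prefix, e.g. `source_address_prefix = "{BASTION_ADDRESS_SPACE}"` since that placeholder already exists in this file. With the default image being Windows Server 2019, `allow_ssh` only makes sense if OpenSSH is enabled on the VM; a `#` comment above it saying when to keep it would avoid an unnecessary open port.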
113 changes: 113 additions & 0 deletions src/core/saca-hub/variables.tf
Expand Up @@ -32,6 +32,10 @@ variable "mlz_clientsecret" {
description = "The account to deploy with"
}

variable "mlz_objectid" {
description = "The account to deploy with"
}

#################################
# SACA Hub Configuration
#################################
Expand Down Expand Up @@ -140,3 +144,112 @@ variable "bastion_ipconfig_name" {
default = "mlzDemoBastionHostIpCfg"
type = string
}

#################################
# Jumpbox VM Configuration
#################################

variable "jumpbox_subnet" {
description = "The subnet for jumpboxes"
type = object({
name = string
address_prefixes = list(string)
service_endpoints = list(string)

enforce_private_link_endpoint_network_policies = bool
enforce_private_link_service_network_policies = bool

nsg_name = string
nsg_rules = map(object({
name = string
priority = string
direction = string
access = string
protocol = string
source_port_range = string
destination_port_range = string
source_address_prefix = string
destination_address_prefix = string
}))

routetable_name = string
})
default = {
name = "mlzDemoJumpboxSubnet"
address_prefixes = ["10.0.100.160/27"]
service_endpoints = ["Microsoft.Storage"]

enforce_private_link_endpoint_network_policies = false
enforce_private_link_service_network_policies = false

nsg_name = "mlzDemoJumpboxSubnetNsg"
nsg_rules = {
"allow_ssh" = {
name = "allow_ssh"
priority = "100"
direction = "Inbound"
access = "Allow"
protocol = "Tcp"
source_port_range = "22"
destination_port_range = ""
source_address_prefix = "*"
destination_address_prefix = ""
},
"allow_rdp" = {
name = "allow_rdp"
priority = "200"
direction = "Inbound"
access = "Allow"
protocol = "Tcp"
source_port_range = "3389"
destination_port_range = ""
source_address_prefix = "*"
destination_address_prefix = ""
}
}

routetable_name = "mlzDemoJumpboxSubnetRt"
}
}

variable "jumpbox_keyvault_name" {
description = "The name of the jumpbox virtual machine keyvault"
default = "mlzDemoJumpboxVmKv"
type = string
}

variable "jumpbox_vm_name" {
description = "The name of the jumpbox virtual machine"
default = "mlzDemoJumpboxVm"
type = string
}

variable "jumpbox_vm_size" {
description = "The size of the jumpbox virtual machine"
default = "Standard_DS1_v2"
type = string
}

variable "jumpbox_vm_publisher" {
description = "The publisher of the jumpbox virtual machine source image"
default = "MicrosoftWindowsServer"
type = string
}

variable "jumpbox_vm_offer" {
description = "The offer of the jumpbox virtual machine source image"
default = "WindowsServer"
type = string
}

variable "jumpbox_vm_sku" {
description = "The SKU of the jumpbox virtual machine source image"
default = "2019-datacenter-gensecond"
type = string
}

variable "jumpbox_vm_version" {
description = "The version of the jumpbox virtual machine source image"
default = "latest"
type = string
}
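Review bot: The default `nsg_rules` put the service port in `source_port_range` and leave `destination_port_range` empty, so as written they do not match an inbound SSH/RDP connection (clients connect to destination 22/3389 from ephemeral ports), and the empty strings for destination port/address may fail provider validation unless the subnet module, which is outside this diff, substitutes them. Because this default is what the front-end form and any caller omitting `nsg_rules` will deploy, it should be the hardened form: ports on the destination side, source narrowed from `*` to `VirtualNetwork` (or better the Bastion subnet CIDR), and a comment explaining that `allow_ssh` is only needed if OpenSSH is enabled on the Windows image. `mlz_objectid` also reuses the `mlz_clientsecret` description "The account to deploy with"; it should say what the value is, e.g. `description = "The object ID of the deploying principal (granted access to the jumpbox Key Vault)"` with `type = string`, and `jumpbox_vm_version = "latest"` is worth a comment that it should be pinned for reproducible deployments.
```hcl
variable "jumpbox_subnet" {
  # … unchanged: description, type …
  default = {
    # … unchanged: name, address_prefixes, service_endpoints, private link flags, nsg_name …
    nsg_rules = {
      # Inbound rules: clients use ephemeral source ports, so the service port belongs on the destination side.
      # allow_ssh is only needed if OpenSSH is enabled on the jumpbox image (default is Windows Server 2019).
      "allow_ssh" = {
        name                       = "allow_ssh"
        priority                   = "100"
        direction                  = "Inbound"
        access                     = "Allow"
        protocol                   = "Tcp"
        source_port_range          = "*"
        destination_port_range     = "22"
        source_address_prefix      = "VirtualNetwork" # tighten to the Bastion subnet CIDR where known
        destination_address_prefix = "*"
      },
      "allow_rdp" = {
        name                       = "allow_rdp"
        priority                   = "200"
        direction                  = "Inbound"
        access                     = "Allow"
        protocol                   = "Tcp"
        source_port_range          = "*"
        destination_port_range     = "3389"
        source_address_prefix      = "VirtualNetwork" # tighten to the Bastion subnet CIDR where known
        destination_address_prefix = "*"
      }
    }
    # … unchanged: routetable_name …
  }
}
```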
4 changes: 4 additions & 0 deletions src/core/tier-0/variables.tf
Expand Up @@ -31,6 +31,10 @@ variable "mlz_clientsecret" {
description = "The account to deploy with"
}

variable "mlz_objectid" {
description = "The account to deploy with"
}

#################################
# Tier 0 Configuration
#################################
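Review bot: `mlz_objectid` is documented as "The account to deploy with", which is the description already used for `mlz_clientsecret` just above it and does not say what the value is; from the saca-hub module call it appears to be the object ID of the deploying principal used for a Key Vault access policy, so `description = "Object ID of the deploying service principal (used for Key Vault access policies)"` plus `type = string` would make the intent and the access it grants explicit. The same copy-paste description appears in src/core/saca-hub/variables.tf.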