From deee58f798f68c733c5bb1e9650ad5e9160d0ab9 Mon Sep 17 00:00:00 2001 From: cshea15 Date: Thu, 5 Oct 2023 16:52:15 -0400 Subject: [PATCH] add ssh key to module --- quickstart/201-azfw-with-ipgroups/main.tf | 78 ++++++++++--------- .../201-azfw-with-ipgroups/providers.tf | 4 + quickstart/201-azfw-with-ipgroups/readme.md | 4 +- quickstart/201-azfw-with-ipgroups/ssh.tf | 25 ++++++ .../201-azfw-with-ipgroups/variables.tf | 4 +- 5 files changed, 74 insertions(+), 41 deletions(-) create mode 100644 quickstart/201-azfw-with-ipgroups/ssh.tf diff --git a/quickstart/201-azfw-with-ipgroups/main.tf b/quickstart/201-azfw-with-ipgroups/main.tf index 6060d129..dde9749a 100644 --- a/quickstart/201-azfw-with-ipgroups/main.tf +++ b/quickstart/201-azfw-with-ipgroups/main.tf 
@@ -50,35 +50,35 @@ resource "azurerm_firewall_policy" "azfw_policy" { } resource "azurerm_firewall_policy_rule_collection_group" "prcg" { - name = "prcg" - firewall_policy_id = azurerm_firewall_policy.azfw_policy.id - priority = 300 - application_rule_collection { - name = "app-rule-collection-1" - priority = 101 - action = "Allow" - rule { - name = "someAppRule" - protocols { - type = "Https" - port = 443 - } - destination_fqdns = [ "*bing.com" ] - source_ip_groups = [ azurerm_ip_group.ip_group_1.id ] + name = "prcg" + firewall_policy_id = azurerm_firewall_policy.azfw_policy.id + priority = 300 + application_rule_collection { + name = "app-rule-collection-1" + priority = 101 + action = "Allow" + rule { + name = "someAppRule" + protocols { + type = "Https" + port = 443 } + destination_fqdns = ["*bing.com"] + source_ip_groups = [azurerm_ip_group.ip_group_1.id] } - network_rule_collection { - name = "net-rule-collection-1" - priority = 200 - action = "Allow" - rule { - name = "someNetRule" - protocols = [ "TCP", "UDP", "ICMP" ] - source_ip_groups = [ azurerm_ip_group.ip_group_1.id ] - destination_ip_groups = [ azurerm_ip_group.ip_group_2.id ] - destination_ports = ["90"] - } + } + network_rule_collection { + name = "net-rule-collection-1" + priority = 200 + action = "Allow" + rule { + name = "someNetRule" + protocols = ["TCP", "UDP", "ICMP"] + source_ip_groups = [azurerm_ip_group.ip_group_1.id] + destination_ip_groups = [azurerm_ip_group.ip_group_2.id] + destination_ports = ["90"] } + } } resource "azurerm_firewall" "fw" { @@ -184,7 +184,7 @@ resource "azurerm_network_security_group" "vm_jump_nsg" { priority = 1000 direction = "Inbound" access = "Allow" - protocol = "Tcp" + protocol = "SSH" source_port_range = "*" destination_port_range = "22" source_address_prefix = "*" 
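Review bot: `protocol = "SSH"` in the vm_jump_nsg security rule is not an accepted value — azurerm's `security_rule.protocol` takes the transport protocol (`Tcp`, `Udp`, `Icmp`, `*`, …), so the plan will fail validation; the original `protocol = "Tcp"` should be kept, since `destination_port_range = "22"` already scopes the rule to SSH. The unchanged context line `source_address_prefix = "*"` still admits port 22 from any address; if the jump host is meant to be reached only through the firewall, narrowing that prefix (or passing it in as a variable) is worth a follow-up. The enclosing `azurerm_network_security_group` block starts and ends outside the hunk.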
@@ -208,8 +208,10 @@ resource "azurerm_linux_virtual_machine" "vm_server" { location = azurerm_resource_group.rg.location size = var.virtual_machine_size admin_username = var.admin_username - admin_password = random_password.password.result - disable_password_authentication = false + admin_ssh_key { + username = var.admin_username + public_key = jsondecode(azapi_resource_action.ssh_public_key_gen.output).publicKey + } network_interface_ids = [azurerm_network_interface.vm_server_nic.id] os_disk { caching = "ReadWrite" @@ -227,18 +229,20 @@ resource "azurerm_linux_virtual_machine" "vm_server" { } resource "azurerm_linux_virtual_machine" "vm_jump" { - name = "jump-vm" - resource_group_name = azurerm_resource_group.rg.name - location = azurerm_resource_group.rg.location - size = var.virtual_machine_size - admin_username = var.admin_username - admin_password = random_password.password.result - disable_password_authentication = false - network_interface_ids = [azurerm_network_interface.vm_jump_nic.id] + name = "jump-vm" + resource_group_name = azurerm_resource_group.rg.name + location = azurerm_resource_group.rg.location + size = var.virtual_machine_size + network_interface_ids = [azurerm_network_interface.vm_jump_nic.id] + admin_username = var.admin_username os_disk { caching = "ReadWrite" storage_account_type = "Standard_LRS" } + admin_ssh_key { + username = var.admin_username + public_key = jsondecode(azapi_resource_action.ssh_public_key_gen.output).publicKey + } source_image_reference { publisher = "Canonical" offer = "UbuntuServer" diff --git a/quickstart/201-azfw-with-ipgroups/providers.tf b/quickstart/201-azfw-with-ipgroups/providers.tf index 18eea7b7..3b06585f 100644 --- a/quickstart/201-azfw-with-ipgroups/providers.tf +++ b/quickstart/201-azfw-with-ipgroups/providers.tf @@ -8,6 +8,10 @@ terraform { source = "hashicorp/random" version = "~>3.0" } + azapi = { + source = "azure/azapi" + version = "~>1.5" + } } } 
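Review bot: Dropping `admin_password` from vm_server (and identically from vm_jump in the `@@ -227` hunk) leaves `random_password.password` unreferenced if that resource is still declared elsewhere in main.tf, so it should be removed as well rather than keeping an unused secret in state; its definition is outside these hunks, so this is inferred. Removing `disable_password_authentication = false` relies on the provider default of `true`, which is the intended hardening but is invisible at the call site — a one-line comment above each `admin_ssh_key` block, `# password auth is disabled by default; the generated SSH key is the only login method`, makes that explicit. The `admin_ssh_key` block sits before `network_interface_ids` in vm_server but after `os_disk` in vm_jump; placing it in the same position in both keeps the two resources readable side by side.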
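Review bot: The new `azapi` provider entry pins `~>1.5` without saying why; `jsondecode(azapi_resource_action.ssh_public_key_gen.output)` in main.tf and ssh.tf depends on azapi 1.x returning `output` as a JSON string, and azapi 2.x changes that to a structured object, so a casual bump would break both call sites. A comment on the version line, `version = "~>1.5" # 1.x: output is a JSON string, consumed via jsondecode()`, records the constraint. The enclosing `required_providers` block starts outside the hunk.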
diff --git a/quickstart/201-azfw-with-ipgroups/readme.md b/quickstart/201-azfw-with-ipgroups/readme.md index c1c78059..36f7237b 100644 --- a/quickstart/201-azfw-with-ipgroups/readme.md +++ b/quickstart/201-azfw-with-ipgroups/readme.md @@ -29,8 +29,8 @@ This template deploys an [Azure Firewall](https://registry.terraform.io/provider |-|-|-| | `resource_group_location` | Location of the resource group | eastus | | `firewall_sku_tier` | SKU size for your Firewall and Firewall Policy. Possible values: Standard, Premium | Premium | -| `resource_group_name_prefix` | Prefix of the resource group name that's combined with a random ID so that name is unique in your Azure subscription. | rg | +| `resource_group_name_prefix` | Prefix of the resource group name that's combined with a random ID so that name is unique in your Azure subscription. | rg | | `virtual_machine_size` | SKU size for your jump and workload VMs | Standard_D2_v3 | -| `admin_username` | THe admin username for the jump and workload VMs | azureuser | +| `admin_username` | The admin username for the jump and workload VMs | azureuser | ## Example \ No newline at end of file diff --git a/quickstart/201-azfw-with-ipgroups/ssh.tf b/quickstart/201-azfw-with-ipgroups/ssh.tf new file mode 100644 index 00000000..fcdb482b --- /dev/null +++ b/quickstart/201-azfw-with-ipgroups/ssh.tf 
@@ -0,0 +1,25 @@ +resource "random_pet" "ssh_key_name" { + prefix = "ssh" + separator = "" +} + +resource "azapi_resource_action" "ssh_public_key_gen" { + type = "Microsoft.Compute/sshPublicKeys@2022-11-01" + resource_id = azapi_resource.ssh_public_key.id + action = "generateKeyPair" + method = "POST" + + response_export_values = ["publicKey", "privateKey"] +} + +resource "azapi_resource" "ssh_public_key" { + type = "Microsoft.Compute/sshPublicKeys@2022-11-01" + name = random_pet.ssh_key_name.id + location = azurerm_resource_group.rg.location + parent_id = azurerm_resource_group.rg.id +} + +output "key_data" { + value = jsondecode(azapi_resource_action.ssh_public_key_gen.output).publicKey +} + diff --git a/quickstart/201-azfw-with-ipgroups/variables.tf b/quickstart/201-azfw-with-ipgroups/variables.tf index fd409122..11c23c95 100644 --- a/quickstart/201-azfw-with-ipgroups/variables.tf +++ b/quickstart/201-azfw-with-ipgroups/variables.tf @@ -27,7 +27,7 @@ variable "virtual_machine_size" { } variable "admin_username" { - type = string + type = string description = "value of the admin username." - default = "azureuser" + default = "azureuser" } \ No newline at end of file
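Review bot: `response_export_values = ["publicKey", "privateKey"]` writes the generated private key in plaintext into Terraform state through `azapi_resource_action.ssh_public_key_gen.output`, and nothing in the new file marks that; the top of ssh.tf should carry `# The generateKeyPair action stores the private key in Terraform state — keep state in a protected backend and out of version control.` Only the public key is exposed by `output "key_data"`, so an operator has no documented way to obtain the private key needed to log in to the two VMs; if an output is added for it, `value = jsondecode(azapi_resource_action.ssh_public_key_gen.output).privateKey` must be paired with `sensitive = true` so it is redacted from plan and apply logs. The readme changed in this commit does not mention how that value is retrieved (`terraform output -raw`), which is the natural place to document it.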