127 lines
4.5 KiB
HCL
127 lines
4.5 KiB
HCL
resource "azurerm_public_ip" "azure_bastion" {
|
|
name = "pip-azure-bastion"
|
|
location = azurerm_resource_group.default.location
|
|
resource_group_name = azurerm_resource_group.hub_rg.name
|
|
allocation_method = "Static"
|
|
sku = "Standard"
|
|
}
|
|
|
|
resource "azurerm_network_security_group" "bastion_nsg" {
|
|
name = "nsg-bastion"
|
|
location = azurerm_resource_group.default.location
|
|
resource_group_name = azurerm_resource_group.hub_rg.name
|
|
|
|
security_rule {
|
|
name = "AllowHTTPSInbound"
|
|
priority = 100
|
|
direction = "Inbound"
|
|
access = "Allow"
|
|
protocol = "Tcp"
|
|
source_port_range = "*"
|
|
destination_port_range = "443"
|
|
source_address_prefix = "Internet"
|
|
destination_address_prefix = "*"
|
|
}
|
|
security_rule {
|
|
name = "AllowGatewayManagerInbound"
|
|
priority = 200
|
|
direction = "Inbound"
|
|
access = "Allow"
|
|
protocol = "Tcp"
|
|
source_port_range = "*"
|
|
destination_port_range = "443"
|
|
source_address_prefix = "GatewayManager"
|
|
destination_address_prefix = "*"
|
|
}
|
|
security_rule {
|
|
name = "AllowAzureLBInbound"
|
|
priority = 300
|
|
direction = "Inbound"
|
|
access = "Allow"
|
|
protocol = "Tcp"
|
|
source_port_range = "*"
|
|
destination_port_range = "443"
|
|
source_address_prefix = "AzureLoadBalancer"
|
|
destination_address_prefix = "*"
|
|
}
|
|
security_rule {
|
|
name = "AllowBastionHostCommunication"
|
|
priority = 400
|
|
direction = "Inbound"
|
|
access = "Allow"
|
|
protocol = "*"
|
|
source_port_range = "*"
|
|
destination_port_ranges = ["5701", "8080"]
|
|
source_address_prefix = "VirtualNetwork"
|
|
destination_address_prefix = "VirtualNetwork"
|
|
}
|
|
security_rule {
|
|
name = "AllowRdpSshOutbound"
|
|
priority = 100
|
|
direction = "Outbound"
|
|
access = "Allow"
|
|
protocol = "Tcp"
|
|
source_port_range = "*"
|
|
destination_port_ranges = ["22", "3389"]
|
|
source_address_prefix = "*"
|
|
destination_address_prefix = "VirtualNetwork"
|
|
}
|
|
security_rule {
|
|
name = "AllowBastionHostCommunicationOutbound"
|
|
priority = 110
|
|
direction = "Outbound"
|
|
access = "Allow"
|
|
protocol = "Tcp"
|
|
source_port_range = "*"
|
|
destination_port_ranges = ["5701", "8080"]
|
|
source_address_prefix = "VirtualNetwork"
|
|
destination_address_prefix = "VirtualNetwork"
|
|
}
|
|
security_rule {
|
|
name = "AllowAzureCloudOutbound"
|
|
priority = 120
|
|
direction = "Outbound"
|
|
access = "Allow"
|
|
protocol = "Tcp"
|
|
source_port_range = "*"
|
|
destination_port_ranges = ["443"]
|
|
source_address_prefix = "*"
|
|
destination_address_prefix = "AzureCloud"
|
|
}
|
|
security_rule {
|
|
name = "AllowGetSessionInformation"
|
|
priority = 130
|
|
direction = "Outbound"
|
|
access = "Allow"
|
|
protocol = "Tcp"
|
|
source_port_range = "*"
|
|
destination_port_ranges = ["80"]
|
|
source_address_prefix = "*"
|
|
destination_address_prefix = "Internet"
|
|
}
|
|
|
|
}
|
|
|
|
resource "azurerm_subnet_network_security_group_association" "bastion_nsg_assoc" {
|
|
subnet_id = azurerm_subnet.azure_bastion.id
|
|
network_security_group_id = azurerm_network_security_group.bastion_nsg.id
|
|
depends_on = [
|
|
azurerm_bastion_host.azure_bastion_instance,
|
|
azurerm_subnet_network_security_group_association.jumphost_nsg_assoc
|
|
]
|
|
}
|
|
|
|
|
|
resource "azurerm_bastion_host" "azure_bastion_instance" {
|
|
name = "bas-${var.name}-${var.environment}"
|
|
location = azurerm_resource_group.default.location
|
|
resource_group_name = azurerm_resource_group.hub_rg.name
|
|
|
|
ip_configuration {
|
|
name = "configuration"
|
|
subnet_id = azurerm_subnet.azure_bastion.id
|
|
public_ip_address_id = azurerm_public_ip.azure_bastion.id
|
|
}
|
|
}
|
|
|