Merge pull request #5 from ryhud/ryhud-301

Ryhud 301
This commit is contained in:
Ryan Hudson 2021-11-12 16:23:58 -05:00 committed by GitHub
commit 7aa93d44bc
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
9 changed files with 256 additions and 256 deletions


@ -1,5 +1,5 @@
terraform { terraform {
required_version = ">=0.15.0" required_version = ">=1.0"
required_providers { required_providers {
azurerm = { azurerm = {


@ -1,5 +1,5 @@
terraform { terraform {
required_version = ">=0.15.0" required_version = ">=1.0"
required_providers { required_providers {
azurerm = { azurerm = {


@ -1,5 +1,5 @@
terraform { terraform {
required_version = ">=0.15.0" required_version = ">=1.0"
required_providers { required_providers {
azurerm = { azurerm = {


@ -27,11 +27,11 @@ resource "azurerm_ip_group" "ip_group_dsvm_subnet" {
} }
resource "azurerm_public_ip" "azure_firewall" { resource "azurerm_public_ip" "azure_firewall" {
name = "pip-azfw" name = "pip-azfw"
location = azurerm_resource_group.default.location location = azurerm_resource_group.default.location
resource_group_name = azurerm_resource_group.hub_rg.name resource_group_name = azurerm_resource_group.hub_rg.name
allocation_method = "Static" allocation_method = "Static"
sku = "Standard" sku = "Standard"
} }
resource "azurerm_firewall_policy" "base_policy" { resource "azurerm_firewall_policy" "base_policy" {
@ -41,35 +41,35 @@ resource "azurerm_firewall_policy" "base_policy" {
dns { dns {
proxy_enabled = true proxy_enabled = true
} }
} }
resource "azurerm_firewall" "azure_firewall_instance" { resource "azurerm_firewall" "azure_firewall_instance" {
name = "afw-${var.name}-${var.environment}" name = "afw-${var.name}-${var.environment}"
location = azurerm_resource_group.default.location location = azurerm_resource_group.default.location
resource_group_name = azurerm_resource_group.hub_rg.name resource_group_name = azurerm_resource_group.hub_rg.name
firewall_policy_id = azurerm_firewall_policy.base_policy.id firewall_policy_id = azurerm_firewall_policy.base_policy.id
ip_configuration { ip_configuration {
name = "configuration" name = "configuration"
subnet_id = azurerm_subnet.azure_firewall.id subnet_id = azurerm_subnet.azure_firewall.id
public_ip_address_id = azurerm_public_ip.azure_firewall.id public_ip_address_id = azurerm_public_ip.azure_firewall.id
}
timeouts {
create = "60m"
delete = "2h"
} }
depends_on = [
timeouts {
create = "60m"
delete = "2h"
}
depends_on = [
azurerm_public_ip.azure_firewall, azurerm_public_ip.azure_firewall,
azurerm_subnet.azure_firewall, azurerm_subnet.azure_firewall,
azurerm_firewall_policy_rule_collection_group.azure_firewall_rules_collection azurerm_firewall_policy_rule_collection_group.azure_firewall_rules_collection
] ]
} }
resource "azurerm_monitor_diagnostic_setting" "azure_firewall_instance" { resource "azurerm_monitor_diagnostic_setting" "azure_firewall_instance" {
name = "diagnostics-${var.name}-${var.environment}-${random_string.fw_diag_prefix.result}" name = "diagnostics-${var.name}-${var.environment}-${random_string.fw_diag_prefix.result}"
target_resource_id = azurerm_firewall.azure_firewall_instance.id target_resource_id = azurerm_firewall.azure_firewall_instance.id
log_analytics_workspace_id = azurerm_log_analytics_workspace.default.id log_analytics_workspace_id = azurerm_log_analytics_workspace.default.id
log { log {
category = "AzureFirewallApplicationRule" category = "AzureFirewallApplicationRule"
@ -95,7 +95,7 @@ resource "azurerm_monitor_diagnostic_setting" "azure_firewall_instance" {
enabled = false enabled = false
} }
} }
metric { metric {
category = "AllMetrics" category = "AllMetrics"
@ -112,7 +112,7 @@ resource "azurerm_firewall_policy_rule_collection_group" "azure_firewall_rules_c
firewall_policy_id = azurerm_firewall_policy.base_policy.id firewall_policy_id = azurerm_firewall_policy.base_policy.id
priority = 100 priority = 100
application_rule_collection { application_rule_collection {
name = "afwp-base-app-rule-collection" name = "afwp-base-app-rule-collection"
priority = 200 priority = 200
action = "Allow" action = "Allow"
@ -125,9 +125,9 @@ application_rule_collection {
} }
protocols { protocols {
type = "Http" type = "Http"
port= 80 port = 80
} }
source_ip_groups = [azurerm_ip_group.ip_group_dsvm_subnet.id] source_ip_groups = [azurerm_ip_group.ip_group_dsvm_subnet.id]
destination_fqdns = ["*"] destination_fqdns = ["*"]
} }
@ -137,7 +137,7 @@ application_rule_collection {
type = "Https" type = "Https"
port = 443 port = 443
} }
source_ip_groups = [azurerm_ip_group.ip_group_spoke.id] source_ip_groups = [azurerm_ip_group.ip_group_spoke.id]
destination_fqdn_tags = ["AzureKubernetesService"] destination_fqdn_tags = ["AzureKubernetesService"]
} }
@ -147,8 +147,8 @@ application_rule_collection {
type = "Https" type = "Https"
port = 443 port = 443
} }
source_ip_groups = [azurerm_ip_group.ip_group_spoke.id] source_ip_groups = [azurerm_ip_group.ip_group_spoke.id]
destination_fqdns = ["api.snapcraft.io","motd.ubuntu.com",] destination_fqdns = ["api.snapcraft.io", "motd.ubuntu.com", ]
} }
rule { rule {
@ -157,11 +157,11 @@ application_rule_collection {
type = "Http" type = "Http"
port = 80 port = 80
} }
source_ip_groups = [azurerm_ip_group.ip_group_spoke.id] source_ip_groups = [azurerm_ip_group.ip_group_spoke.id]
destination_fqdns = ["crl.microsoft.com", destination_fqdns = ["crl.microsoft.com",
"mscrl.microsoft.com", "mscrl.microsoft.com",
"crl3.digicert.com", "crl3.digicert.com",
"ocsp.digicert.com"] "ocsp.digicert.com"]
} }
rule { rule {
@ -170,7 +170,7 @@ application_rule_collection {
type = "Https" type = "Https"
port = 443 port = 443
} }
source_ip_groups = [azurerm_ip_group.ip_group_spoke.id] source_ip_groups = [azurerm_ip_group.ip_group_spoke.id]
destination_fqdns = ["github.com"] destination_fqdns = ["github.com"]
} }
@ -184,7 +184,7 @@ application_rule_collection {
type = "Http" type = "Http"
port = 80 port = 80
} }
source_ip_groups = [azurerm_ip_group.ip_group_spoke.id] source_ip_groups = [azurerm_ip_group.ip_group_spoke.id]
destination_fqdns = ["raw.githubusercontent.com"] destination_fqdns = ["raw.githubusercontent.com"]
} }
@ -194,7 +194,7 @@ application_rule_collection {
type = "Https" type = "Https"
port = 443 port = 443
} }
source_ip_groups = [azurerm_ip_group.ip_group_spoke.id] source_ip_groups = [azurerm_ip_group.ip_group_spoke.id]
destination_fqdns = ["*.prod.microsoftmetrics.com"] destination_fqdns = ["*.prod.microsoftmetrics.com"]
} }
@ -204,11 +204,11 @@ application_rule_collection {
type = "Https" type = "Https"
port = 443 port = 443
} }
source_ip_groups = [azurerm_ip_group.ip_group_spoke.id] source_ip_groups = [azurerm_ip_group.ip_group_spoke.id]
destination_fqdns = ["acs-mirror.azureedge.net", destination_fqdns = ["acs-mirror.azureedge.net",
"*.docker.io", "*.docker.io",
"production.cloudflare.docker.com", "production.cloudflare.docker.com",
"*.azurecr.io"] "*.azurecr.io"]
} }
rule { rule {
@ -217,11 +217,11 @@ application_rule_collection {
type = "Https" type = "Https"
port = 443 port = 443
} }
source_ip_groups = [azurerm_ip_group.ip_group_spoke.id] source_ip_groups = [azurerm_ip_group.ip_group_spoke.id]
destination_fqdns = ["login.microsoftonline.com"] destination_fqdns = ["login.microsoftonline.com"]
} }
rule { rule {
name = "graph.windows.net" name = "graph.windows.net"
protocols { protocols {
type = "Http" type = "Http"
@ -231,7 +231,7 @@ application_rule_collection {
type = "Https" type = "Https"
port = 443 port = 443
} }
source_ip_groups = [azurerm_ip_group.ip_group_spoke.id] source_ip_groups = [azurerm_ip_group.ip_group_spoke.id]
destination_fqdns = ["graph.windows.net"] destination_fqdns = ["graph.windows.net"]
} }
@ -245,7 +245,7 @@ application_rule_collection {
type = "Https" type = "Https"
port = 443 port = 443
} }
source_ip_groups = [azurerm_ip_group.ip_group_spoke.id] source_ip_groups = [azurerm_ip_group.ip_group_spoke.id]
destination_fqdns = ["anaconda.com", "*.anaconda.com"] destination_fqdns = ["anaconda.com", "*.anaconda.com"]
} }
@ -259,10 +259,10 @@ application_rule_collection {
type = "Https" type = "Https"
port = 443 port = 443
} }
source_ip_groups = [azurerm_ip_group.ip_group_spoke.id] source_ip_groups = [azurerm_ip_group.ip_group_spoke.id]
destination_fqdns = ["*.anaconda.org"] destination_fqdns = ["*.anaconda.org"]
} }
rule { rule {
name = "pypi.org" name = "pypi.org"
protocols { protocols {
@ -273,7 +273,7 @@ application_rule_collection {
type = "Https" type = "Https"
port = 443 port = 443
} }
source_ip_groups = [azurerm_ip_group.ip_group_spoke.id] source_ip_groups = [azurerm_ip_group.ip_group_spoke.id]
destination_fqdns = ["pypi.org"] destination_fqdns = ["pypi.org"]
} }
@ -287,7 +287,7 @@ application_rule_collection {
type = "Https" type = "Https"
port = 443 port = 443
} }
source_ip_groups = [azurerm_ip_group.ip_group_spoke.id] source_ip_groups = [azurerm_ip_group.ip_group_spoke.id]
destination_fqdns = ["cloud.r-project.org"] destination_fqdns = ["cloud.r-project.org"]
} }
@ -301,7 +301,7 @@ application_rule_collection {
type = "Https" type = "Https"
port = 443 port = 443
} }
source_ip_groups = [azurerm_ip_group.ip_group_spoke.id] source_ip_groups = [azurerm_ip_group.ip_group_spoke.id]
destination_fqdns = ["*pytorch.org"] destination_fqdns = ["*pytorch.org"]
} }
@ -315,7 +315,7 @@ application_rule_collection {
type = "Https" type = "Https"
port = 443 port = 443
} }
source_ip_groups = [azurerm_ip_group.ip_group_spoke.id] source_ip_groups = [azurerm_ip_group.ip_group_spoke.id]
destination_fqdns = ["*.tensorflow.org"] destination_fqdns = ["*.tensorflow.org"]
} }
@ -329,7 +329,7 @@ application_rule_collection {
type = "Https" type = "Https"
port = 443 port = 443
} }
source_ip_groups = [azurerm_ip_group.ip_group_spoke.id] source_ip_groups = [azurerm_ip_group.ip_group_spoke.id]
destination_fqdns = ["update.code.visualstudio.com", "*.vo.msecnd.net"] destination_fqdns = ["update.code.visualstudio.com", "*.vo.msecnd.net"]
} }
@ -343,7 +343,7 @@ application_rule_collection {
type = "Https" type = "Https"
port = 443 port = 443
} }
source_ip_groups = [azurerm_ip_group.ip_group_spoke.id] source_ip_groups = [azurerm_ip_group.ip_group_spoke.id]
destination_fqdns = ["dc.applicationinsights.azure.com"] destination_fqdns = ["dc.applicationinsights.azure.com"]
} }
@ -357,7 +357,7 @@ application_rule_collection {
type = "Https" type = "Https"
port = 443 port = 443
} }
source_ip_groups = [azurerm_ip_group.ip_group_spoke.id] source_ip_groups = [azurerm_ip_group.ip_group_spoke.id]
destination_fqdns = ["dc.applicationinsights.microsoft.com"] destination_fqdns = ["dc.applicationinsights.microsoft.com"]
} }
@ -371,7 +371,7 @@ application_rule_collection {
type = "Https" type = "Https"
port = 443 port = 443
} }
source_ip_groups = [azurerm_ip_group.ip_group_spoke.id] source_ip_groups = [azurerm_ip_group.ip_group_spoke.id]
destination_fqdns = ["dc.services.visualstudio.com"] destination_fqdns = ["dc.services.visualstudio.com"]
} }
@ -385,12 +385,12 @@ application_rule_collection {
type = "Https" type = "Https"
port = 443 port = 443
} }
source_ip_groups = [azurerm_ip_group.ip_group_spoke.id] source_ip_groups = [azurerm_ip_group.ip_group_spoke.id]
destination_fqdns = ["*.instances.azureml.net", "*.instances.azureml.ms"] destination_fqdns = ["*.instances.azureml.net", "*.instances.azureml.ms"]
} }
} }
network_rule_collection { network_rule_collection {
name = "afwp-base-network-rule-collection" name = "afwp-base-network-rule-collection"
priority = 100 priority = 100
action = "Allow" action = "Allow"
@ -398,15 +398,15 @@ application_rule_collection {
rule { rule {
name = "hub-to-spoke-rule" name = "hub-to-spoke-rule"
protocols = ["Any"] protocols = ["Any"]
source_ip_groups = [azurerm_ip_group.ip_group_spoke.id,azurerm_ip_group.ip_group_hub.id] source_ip_groups = [azurerm_ip_group.ip_group_spoke.id, azurerm_ip_group.ip_group_hub.id]
destination_ip_groups = [azurerm_ip_group.ip_group_hub.id,azurerm_ip_group.ip_group_spoke.id] destination_ip_groups = [azurerm_ip_group.ip_group_hub.id, azurerm_ip_group.ip_group_spoke.id]
destination_ports = ["*"] destination_ports = ["*"]
} }
rule { rule {
name = "aks-global-network-rule" name = "aks-global-network-rule"
protocols = ["TCP"] protocols = ["TCP"]
source_ip_groups = [azurerm_ip_group.ip_group_spoke.id] source_ip_groups = [azurerm_ip_group.ip_group_spoke.id]
destination_addresses = ["AzureCloud"] destination_addresses = ["AzureCloud"]
destination_ports = ["443", "9000"] destination_ports = ["443", "9000"]
} }
@ -414,7 +414,7 @@ application_rule_collection {
rule { rule {
name = "aks-ntp-network-rule" name = "aks-ntp-network-rule"
protocols = ["UDP"] protocols = ["UDP"]
source_ip_groups = [azurerm_ip_group.ip_group_spoke.id] source_ip_groups = [azurerm_ip_group.ip_group_spoke.id]
destination_addresses = ["*"] destination_addresses = ["*"]
destination_ports = ["123"] destination_ports = ["123"]
} }
@ -422,7 +422,7 @@ application_rule_collection {
rule { rule {
name = "Azure-Active-Directory" name = "Azure-Active-Directory"
protocols = ["TCP"] protocols = ["TCP"]
source_ip_groups = [azurerm_ip_group.ip_group_spoke.id] source_ip_groups = [azurerm_ip_group.ip_group_spoke.id]
destination_addresses = ["AzureActiveDirectory"] destination_addresses = ["AzureActiveDirectory"]
destination_ports = ["*"] destination_ports = ["*"]
} }
@ -430,7 +430,7 @@ application_rule_collection {
rule { rule {
name = "Azure-Machine-Learning" name = "Azure-Machine-Learning"
protocols = ["TCP"] protocols = ["TCP"]
source_ip_groups = [azurerm_ip_group.ip_group_spoke.id] source_ip_groups = [azurerm_ip_group.ip_group_spoke.id]
destination_addresses = ["AzureMachineLearning"] destination_addresses = ["AzureMachineLearning"]
destination_ports = ["443"] destination_ports = ["443"]
} }
@ -438,7 +438,7 @@ application_rule_collection {
rule { rule {
name = "Azure-Resource-Manager" name = "Azure-Resource-Manager"
protocols = ["TCP"] protocols = ["TCP"]
source_ip_groups = [azurerm_ip_group.ip_group_spoke.id] source_ip_groups = [azurerm_ip_group.ip_group_spoke.id]
destination_addresses = ["AzureResourceManager"] destination_addresses = ["AzureResourceManager"]
destination_ports = ["443"] destination_ports = ["443"]
} }
@ -446,7 +446,7 @@ application_rule_collection {
rule { rule {
name = "Azure-Storage" name = "Azure-Storage"
protocols = ["TCP"] protocols = ["TCP"]
source_ip_groups = [azurerm_ip_group.ip_group_spoke.id] source_ip_groups = [azurerm_ip_group.ip_group_spoke.id]
destination_addresses = ["Storage"] destination_addresses = ["Storage"]
destination_ports = ["443"] destination_ports = ["443"]
} }
@ -454,15 +454,15 @@ application_rule_collection {
rule { rule {
name = "Azure-Front-Door-Frontend" name = "Azure-Front-Door-Frontend"
protocols = ["TCP"] protocols = ["TCP"]
source_ip_groups = [azurerm_ip_group.ip_group_spoke.id] source_ip_groups = [azurerm_ip_group.ip_group_spoke.id]
destination_addresses = ["AzureFrontDoor.Frontend","AzureFrontDoor.FirstParty"] destination_addresses = ["AzureFrontDoor.Frontend", "AzureFrontDoor.FirstParty"]
destination_ports = ["443"] destination_ports = ["443"]
} }
rule { rule {
name = "Azure-Container-Registry" name = "Azure-Container-Registry"
protocols = ["TCP"] protocols = ["TCP"]
source_ip_groups = [azurerm_ip_group.ip_group_spoke.id] source_ip_groups = [azurerm_ip_group.ip_group_spoke.id]
destination_addresses = ["AzureContainerRegistry"] destination_addresses = ["AzureContainerRegistry"]
destination_ports = ["443"] destination_ports = ["443"]
} }
@ -470,7 +470,7 @@ application_rule_collection {
rule { rule {
name = "Azure-Key-Vault" name = "Azure-Key-Vault"
protocols = ["TCP"] protocols = ["TCP"]
source_ip_groups = [azurerm_ip_group.ip_group_spoke.id] source_ip_groups = [azurerm_ip_group.ip_group_spoke.id]
destination_addresses = ["AzureKeyVault"] destination_addresses = ["AzureKeyVault"]
destination_ports = ["443"] destination_ports = ["443"]
} }
@ -478,13 +478,13 @@ application_rule_collection {
rule { rule {
name = "Microsoft-Container-Registry" name = "Microsoft-Container-Registry"
protocols = ["TCP"] protocols = ["TCP"]
source_ip_groups = [azurerm_ip_group.ip_group_spoke.id] source_ip_groups = [azurerm_ip_group.ip_group_spoke.id]
destination_addresses = ["MicrosoftContainerRegistry"] destination_addresses = ["MicrosoftContainerRegistry"]
destination_ports = ["443"] destination_ports = ["443"]
} }
} }
depends_on = [ depends_on = [
azurerm_ip_group.ip_group_hub, azurerm_ip_group.ip_group_hub,
azurerm_ip_group.ip_group_spoke azurerm_ip_group.ip_group_spoke
] ]
} }
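Review bot: The application rule for the DSVM subnet (`destination_fqdns = ["*"]` paired with `type = "Http"` / `port = 80`) permits unrestricted plaintext HTTP egress from the jump host to any FQDN, which undercuts the per-destination allow-list that the rest of `afwp-base-app-rule-collection` builds; this section appears to be a formatting-only change, so the rule is pre-existing, but it is the new side under review. Constrain it to the update/CRL endpoints the DSVM actually needs, or at minimum add a comment explaining why the jump host is exempt from the allow-list, e.g. `# TODO(review): wildcard HTTP egress from DSVM subnet — replace with explicit FQDN list`. Separately, `destination_fqdns = ["*pytorch.org"]` has no dot after the wildcard, so if the service accepts that pattern it also matches unrelated hosts whose name merely ends in "pytorch.org"; the anaconda rule in the same collection already uses the safer form, so `destination_fqdns = ["pytorch.org", "*.pytorch.org"]` would be consistent. The `hub-to-spoke-rule` network rule (`protocols = ["Any"]`, `destination_ports = ["*"]`, both IP groups as source and destination) is a bidirectional any/any allow between hub and spoke and deserves a why-comment if that is intentional.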


@ -1,126 +1,126 @@
resource "azurerm_public_ip" "azure_bastion" { resource "azurerm_public_ip" "azure_bastion" {
name = "pip-azure-bastion" name = "pip-azure-bastion"
location = azurerm_resource_group.default.location location = azurerm_resource_group.default.location
resource_group_name = azurerm_resource_group.hub_rg.name resource_group_name = azurerm_resource_group.hub_rg.name
allocation_method = "Static" allocation_method = "Static"
sku = "Standard" sku = "Standard"
} }
resource "azurerm_network_security_group" "bastion_nsg" { resource "azurerm_network_security_group" "bastion_nsg" {
name = "nsg-bastion" name = "nsg-bastion"
location = azurerm_resource_group.default.location location = azurerm_resource_group.default.location
resource_group_name = azurerm_resource_group.hub_rg.name resource_group_name = azurerm_resource_group.hub_rg.name
security_rule { security_rule {
name = "AllowHTTPSInbound" name = "AllowHTTPSInbound"
priority = 100 priority = 100
direction = "Inbound" direction = "Inbound"
access = "Allow" access = "Allow"
protocol = "Tcp" protocol = "Tcp"
source_port_range = "*" source_port_range = "*"
destination_port_range = "443" destination_port_range = "443"
source_address_prefix = "Internet" source_address_prefix = "Internet"
destination_address_prefix = "*" destination_address_prefix = "*"
}
security_rule {
name = "AllowGatewayManagerInbound"
priority = 200
direction = "Inbound"
access = "Allow"
protocol = "Tcp"
source_port_range = "*"
destination_port_range = "443"
source_address_prefix = "GatewayManager"
destination_address_prefix = "*"
}
security_rule {
name = "AllowAzureLBInbound"
priority = 300
direction = "Inbound"
access = "Allow"
protocol = "Tcp"
source_port_range = "*"
destination_port_range = "443"
source_address_prefix = "AzureLoadBalancer"
destination_address_prefix = "*"
}
security_rule {
name = "AllowBastionHostCommunication"
priority = 400
direction = "Inbound"
access = "Allow"
protocol = "*"
source_port_range = "*"
destination_port_ranges = ["5701","8080"]
source_address_prefix = "VirtualNetwork"
destination_address_prefix = "VirtualNetwork"
}
security_rule {
name = "AllowRdpSshOutbound"
priority = 100
direction = "Outbound"
access = "Allow"
protocol = "Tcp"
source_port_range = "*"
destination_port_ranges = ["22", "3389"]
source_address_prefix = "*"
destination_address_prefix = "VirtualNetwork"
}
security_rule {
name = "AllowBastionHostCommunicationOutbound"
priority = 110
direction = "Outbound"
access = "Allow"
protocol = "Tcp"
source_port_range = "*"
destination_port_ranges = ["5701", "8080"]
source_address_prefix = "VirtualNetwork"
destination_address_prefix = "VirtualNetwork"
} }
security_rule { security_rule {
name = "AllowAzureCloudOutbound" name = "AllowGatewayManagerInbound"
priority = 120 priority = 200
direction = "Outbound" direction = "Inbound"
access = "Allow" access = "Allow"
protocol = "Tcp" protocol = "Tcp"
source_port_range = "*" source_port_range = "*"
destination_port_ranges = ["443"] destination_port_range = "443"
source_address_prefix = "*" source_address_prefix = "GatewayManager"
destination_address_prefix = "AzureCloud" destination_address_prefix = "*"
} }
security_rule { security_rule {
name = "AllowGetSessionInformation" name = "AllowAzureLBInbound"
priority = 130 priority = 300
direction = "Outbound" direction = "Inbound"
access = "Allow" access = "Allow"
protocol = "Tcp" protocol = "Tcp"
source_port_range = "*" source_port_range = "*"
destination_port_ranges = ["80"] destination_port_range = "443"
source_address_prefix = "*" source_address_prefix = "AzureLoadBalancer"
destination_address_prefix = "Internet" destination_address_prefix = "*"
} }
security_rule {
name = "AllowBastionHostCommunication"
priority = 400
direction = "Inbound"
access = "Allow"
protocol = "*"
source_port_range = "*"
destination_port_ranges = ["5701", "8080"]
source_address_prefix = "VirtualNetwork"
destination_address_prefix = "VirtualNetwork"
}
security_rule {
name = "AllowRdpSshOutbound"
priority = 100
direction = "Outbound"
access = "Allow"
protocol = "Tcp"
source_port_range = "*"
destination_port_ranges = ["22", "3389"]
source_address_prefix = "*"
destination_address_prefix = "VirtualNetwork"
}
security_rule {
name = "AllowBastionHostCommunicationOutbound"
priority = 110
direction = "Outbound"
access = "Allow"
protocol = "Tcp"
source_port_range = "*"
destination_port_ranges = ["5701", "8080"]
source_address_prefix = "VirtualNetwork"
destination_address_prefix = "VirtualNetwork"
}
security_rule {
name = "AllowAzureCloudOutbound"
priority = 120
direction = "Outbound"
access = "Allow"
protocol = "Tcp"
source_port_range = "*"
destination_port_ranges = ["443"]
source_address_prefix = "*"
destination_address_prefix = "AzureCloud"
}
security_rule {
name = "AllowGetSessionInformation"
priority = 130
direction = "Outbound"
access = "Allow"
protocol = "Tcp"
source_port_range = "*"
destination_port_ranges = ["80"]
source_address_prefix = "*"
destination_address_prefix = "Internet"
}
} }
resource "azurerm_subnet_network_security_group_association" "bastion_nsg_assoc" { resource "azurerm_subnet_network_security_group_association" "bastion_nsg_assoc" {
subnet_id = azurerm_subnet.azure_bastion.id subnet_id = azurerm_subnet.azure_bastion.id
network_security_group_id = azurerm_network_security_group.bastion_nsg.id network_security_group_id = azurerm_network_security_group.bastion_nsg.id
depends_on = [ depends_on = [
azurerm_bastion_host.azure_bastion_instance, azurerm_bastion_host.azure_bastion_instance,
azurerm_subnet_network_security_group_association.jumphost_nsg_assoc azurerm_subnet_network_security_group_association.jumphost_nsg_assoc
] ]
} }
resource "azurerm_bastion_host" "azure_bastion_instance" { resource "azurerm_bastion_host" "azure_bastion_instance" {
name = "bas-${var.name}-${var.environment}" name = "bas-${var.name}-${var.environment}"
location = azurerm_resource_group.default.location location = azurerm_resource_group.default.location
resource_group_name = azurerm_resource_group.hub_rg.name resource_group_name = azurerm_resource_group.hub_rg.name
ip_configuration { ip_configuration {
name = "configuration" name = "configuration"
subnet_id = azurerm_subnet.azure_bastion.id subnet_id = azurerm_subnet.azure_bastion.id
public_ip_address_id = azurerm_public_ip.azure_bastion.id public_ip_address_id = azurerm_public_ip.azure_bastion.id
} }
} }


@ -1,48 +1,48 @@
resource "azurerm_network_interface" "dsvm" { resource "azurerm_network_interface" "dsvm" {
name = "nic-${var.dsvm_name}" name = "nic-${var.dsvm_name}"
location = azurerm_resource_group.default.location location = azurerm_resource_group.default.location
resource_group_name = azurerm_resource_group.default.name resource_group_name = azurerm_resource_group.default.name
ip_configuration { ip_configuration {
name = "configuration" name = "configuration"
subnet_id = azurerm_subnet.snet-jumphost.id subnet_id = azurerm_subnet.snet-jumphost.id
private_ip_address_allocation = "Dynamic" private_ip_address_allocation = "Dynamic"
} }
} }
resource "azurerm_windows_virtual_machine" "dsvm" { resource "azurerm_windows_virtual_machine" "dsvm" {
name = var.dsvm_name name = var.dsvm_name
location = azurerm_resource_group.default.location location = azurerm_resource_group.default.location
resource_group_name = azurerm_resource_group.default.name resource_group_name = azurerm_resource_group.default.name
network_interface_ids = [ network_interface_ids = [
azurerm_network_interface.dsvm.id azurerm_network_interface.dsvm.id
] ]
size = "Standard_DS3_v2" size = "Standard_DS3_v2"
source_image_reference { source_image_reference {
publisher = "microsoft-dsvm" publisher = "microsoft-dsvm"
offer = "dsvm-win-2019" offer = "dsvm-win-2019"
sku = "server-2019" sku = "server-2019"
version = "latest" version = "latest"
} }
os_disk { os_disk {
name = "osdisk-${var.dsvm_name}" name = "osdisk-${var.dsvm_name}"
caching = "ReadWrite" caching = "ReadWrite"
storage_account_type = "Premium_LRS" storage_account_type = "Premium_LRS"
} }
identity { identity {
type = "SystemAssigned" type = "SystemAssigned"
} }
computer_name = var.dsvm_name computer_name = var.dsvm_name
admin_username = var.dsvm_admin_username admin_username = var.dsvm_admin_username
admin_password = var.dsvm_host_password admin_password = var.dsvm_host_password
provision_vm_agent = true provision_vm_agent = true
timeouts { timeouts {
create = "60m" create = "60m"
delete = "2h" delete = "2h"
} }
} }
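Review bot: `admin_password = var.dsvm_host_password` feeds a local-administrator credential into the VM resource, and nothing in this view shows the variable being declared `sensitive = true`; without that, the value is printed in `terraform plan`/`apply` output and CI logs. The variable declaration lives outside this section, so confirm it and, if missing, add `sensitive = true` to the `dsvm_host_password` variable block. `version = "latest"` on the `microsoft-dsvm` image also means each rebuild silently takes whatever image is current, which complicates reproducing a given host for forensics; pinning a specific version, or documenting why drift is acceptable here, would help.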


@ -1,5 +1,5 @@
terraform { terraform {
required_version = ">=0.15.0" required_version = ">=1.0"
required_providers { required_providers {
azurerm = { azurerm = {
@ -24,5 +24,5 @@ resource "azurerm_resource_group" "default" {
resource "azurerm_resource_group" "hub_rg" { resource "azurerm_resource_group" "hub_rg" {
name = "rg-hub-${var.name}-${var.environment}" name = "rg-hub-${var.name}-${var.environment}"
location = var.location location = var.location
} }


@ -8,28 +8,28 @@ resource "azurerm_virtual_network" "hub" {
} }
resource "azurerm_subnet" "snet-jumphost" { resource "azurerm_subnet" "snet-jumphost" {
name = "snet-jumphost" name = "snet-jumphost"
resource_group_name = azurerm_resource_group.hub_rg.name resource_group_name = azurerm_resource_group.hub_rg.name
virtual_network_name = azurerm_virtual_network.hub.name virtual_network_name = azurerm_virtual_network.hub.name
address_prefixes = var.jumphost_subnet_address_space address_prefixes = var.jumphost_subnet_address_space
} }
resource "azurerm_subnet" "azure_bastion" { resource "azurerm_subnet" "azure_bastion" {
name = "AzureBastionSubnet" name = "AzureBastionSubnet"
resource_group_name = azurerm_resource_group.hub_rg.name resource_group_name = azurerm_resource_group.hub_rg.name
virtual_network_name = azurerm_virtual_network.hub.name virtual_network_name = azurerm_virtual_network.hub.name
address_prefixes = var.bastion_subnet_address_space address_prefixes = var.bastion_subnet_address_space
} }
resource "azurerm_subnet" "azure_firewall" { resource "azurerm_subnet" "azure_firewall" {
name = "AzureFirewallSubnet" name = "AzureFirewallSubnet"
resource_group_name = azurerm_resource_group.hub_rg.name resource_group_name = azurerm_resource_group.hub_rg.name
virtual_network_name = azurerm_virtual_network.hub.name virtual_network_name = azurerm_virtual_network.hub.name
address_prefixes = var.firewall_subnet_address_space address_prefixes = var.firewall_subnet_address_space
} }
#Vnet Peering #Vnet Peering
@ -62,7 +62,7 @@ resource "azurerm_virtual_network_peering" "direction2" {
azurerm_virtual_network.hub, azurerm_virtual_network.hub,
azurerm_virtual_network.default azurerm_virtual_network.default
] ]
} }
# Private DNS Zones # Private DNS Zones
@ -140,14 +140,14 @@ resource "azurerm_private_dns_zone_virtual_network_link" "vnetlinknbs" {
# NSG for jump_host Subnet # NSG for jump_host Subnet
resource "azurerm_network_security_group" "jump_host" { resource "azurerm_network_security_group" "jump_host" {
name = "nsg-jumphost-subnet" name = "nsg-jumphost-subnet"
location = azurerm_resource_group.hub_rg.location location = azurerm_resource_group.hub_rg.location
resource_group_name = azurerm_resource_group.hub_rg.name resource_group_name = azurerm_resource_group.hub_rg.name
} }
resource "azurerm_subnet_network_security_group_association" "jumphost_nsg_assoc" { resource "azurerm_subnet_network_security_group_association" "jumphost_nsg_assoc" {
subnet_id = azurerm_subnet.snet-jumphost.id subnet_id = azurerm_subnet.snet-jumphost.id
network_security_group_id = azurerm_network_security_group.jump_host.id network_security_group_id = azurerm_network_security_group.jump_host.id
depends_on = [ depends_on = [
azurerm_network_interface.dsvm azurerm_network_interface.dsvm
@ -162,11 +162,11 @@ resource "azurerm_route_table" "jumphost_rt" {
} }
resource "azurerm_route" "jumphost-fw-route" { resource "azurerm_route" "jumphost-fw-route" {
name = "udr-Default" name = "udr-Default"
resource_group_name = azurerm_resource_group.default.name resource_group_name = azurerm_resource_group.default.name
route_table_name = azurerm_route_table.jumphost_rt.name route_table_name = azurerm_route_table.jumphost_rt.name
address_prefix = "0.0.0.0/0" address_prefix = "0.0.0.0/0"
next_hop_type = "VirtualAppliance" next_hop_type = "VirtualAppliance"
next_hop_in_ip_address = azurerm_firewall.azure_firewall_instance.ip_configuration[0].private_ip_address next_hop_in_ip_address = azurerm_firewall.azure_firewall_instance.ip_configuration[0].private_ip_address
} }


@ -93,11 +93,11 @@ resource "azurerm_route_table" "rt-training" {
} }
resource "azurerm_route" "training-Internet-Route" { resource "azurerm_route" "training-Internet-Route" {
name = "udr-Default" name = "udr-Default"
resource_group_name = azurerm_resource_group.default.name resource_group_name = azurerm_resource_group.default.name
route_table_name = azurerm_route_table.rt-training.name route_table_name = azurerm_route_table.rt-training.name
address_prefix = "0.0.0.0/0" address_prefix = "0.0.0.0/0"
next_hop_type = "VirtualAppliance" next_hop_type = "VirtualAppliance"
next_hop_in_ip_address = azurerm_firewall.azure_firewall_instance.ip_configuration[0].private_ip_address next_hop_in_ip_address = azurerm_firewall.azure_firewall_instance.ip_configuration[0].private_ip_address
} }
@ -130,11 +130,11 @@ resource "azurerm_route_table" "rt-aks" {
} }
resource "azurerm_route" "aks-default-Route" { resource "azurerm_route" "aks-default-Route" {
name = "udr-Default" name = "udr-Default"
resource_group_name = azurerm_resource_group.default.name resource_group_name = azurerm_resource_group.default.name
route_table_name = azurerm_route_table.rt-aks.name route_table_name = azurerm_route_table.rt-aks.name
address_prefix = "0.0.0.0/0" address_prefix = "0.0.0.0/0"
next_hop_type = "VirtualAppliance" next_hop_type = "VirtualAppliance"
next_hop_in_ip_address = azurerm_firewall.azure_firewall_instance.ip_configuration[0].private_ip_address next_hop_in_ip_address = azurerm_firewall.azure_firewall_instance.ip_configuration[0].private_ip_address
} }