Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

refactor(module/test_infrastructure): module creation and adjusted examples #10

Merged
merged 25 commits into from
Mar 28, 2024
Merged

refactor(module/test_infrastructure): module creation and adjusted examples #10

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
25 commits
Select commit Hold shift + click to select a range
06f7fa6
Created test_infrastructure module and integrated w/ common example
acelebanski Jan 28, 2024
ccc4574
Added Terraform Registry & GitHub reference
acelebanski Jan 28, 2024
dbcdc95
Parametrised VM image and added minor fixes
acelebanski Jan 31, 2024
7aa9531
Apply suggestions from the comments
acelebanski Feb 23, 2024
9f02f9d
Changed the name of the aggregate variable in example
acelebanski Feb 27, 2024
a6e6c9b
Removed RG name property from VNET map
acelebanski Feb 29, 2024
6ba63f0
Merge branch 'refactor-modules' into refactor_test_infrastructure
acelebanski Mar 17, 2024
4a6b75d
Fix issues after merge
acelebanski Mar 17, 2024
23259de
Added NSGs for test infra
acelebanski Mar 17, 2024
fbe9c53
Refreshed module variables
acelebanski Mar 17, 2024
bc18657
Minor module update and adding test infra to other examples
acelebanski Mar 18, 2024
7eabd7a
Moved LB creation to the module and refactored GWLB example
acelebanski Mar 22, 2024
9334a22
Adjusted all examples to updated module
acelebanski Mar 22, 2024
f275fd3
Cosmetic changes in the module
acelebanski Mar 25, 2024
8991a91
Cosmetic changes in the module again
acelebanski Mar 25, 2024
a4b8caf
Added static IP support for test VMs
acelebanski Mar 25, 2024
c011c65
Removed standalone test_infrastructure example
acelebanski Mar 25, 2024
5f43df7
Update README header files text
acelebanski Mar 27, 2024
c44fdba
Update README files
acelebanski Mar 27, 2024
dc0cfbf
Update module's README file
acelebanski Mar 27, 2024
f681d95
Update common README.md
acelebanski Mar 28, 2024
e43b448
Update common_autoscale README.md
acelebanski Mar 28, 2024
0945dbd
Update dedicated README.md
acelebanski Mar 28, 2024
15a76f4
Update dedicated_autoscale README.md
acelebanski Mar 28, 2024
158eca6
Update README header files
acelebanski Mar 28, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
16 changes: 12 additions & 4 deletions examples/common_vmseries/.header.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -39,7 +39,7 @@ and may present scale limitations with all traffic flowing through a single set
that occurs when traffic crosses virtual routers. This option is suitable for proof-of-concepts and smaller scale deployments
because the number of firewalls low. However, the technical integration complexity is high.

![Detailed Topology Diagram](https://github.com/PaloAltoNetworks/terraform-azurerm-swfw-modules/assets/2110772/8e8da6e0-afba-4bb5-b2c7-a95c7250dab3)
![Detailed Topology Diagram](https://github.com/PaloAltoNetworks/terraform-azurerm-swfw-modules/assets/135693994/9e330a37-3679-419a-8aa3-aa963cb4faf2)

This reference architecture consists of:

Expand All @@ -58,12 +58,20 @@ This reference architecture consists of:
- management interface
- public interface - due to use of a public Load Balancer this public IP is used mainly for outgoing traffic
- an Application Gateway, serving as a reverse proxy for incoming traffic, with a sample rule setting the XFF header properly
- _(optional)_ test workloads with accompanying infrastructure:
- 2 Spoke VNETs with Route Tables and Network Security Groups
- 2 Spoke VMs serving as WordPress-based web servers
- 2 Azure Bastion managed jump hosts

**NOTE!**
- In order to deploy the architecture without test workloads described above, empty the `test_infrastructure` map in
`example.tfvars` file.

## Prerequisites

A list of requirements might vary depending on the platform used to deploy the infrastructure but a minimum one includes:

- (in case of non cloud shell deployment) credentials and (optionally) tools required to authenticate against Azure Cloud,
- _(in case of non cloud shell deployment)_ credentials and (optionally) tools required to authenticate against Azure Cloud,
see [AzureRM provider documentation for details](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs#authenticating-to-azure)
- [supported](#requirements) version of [`Terraform`](<https://developer.hashicorp.com/terraform/downloads>)
- if you have not run Palo Alto NGFW images in a subscription it might be necessary to accept the license first
Expand All @@ -82,14 +90,14 @@ A list of requirements might vary depending on the platform used to deploy the i
- checkout the code locally (if you haven't done so yet)
- copy the [`example.tfvars`](./example.tfvars) file, rename it to `terraform.tfvars` and adjust it to your needs
(take a closer look at the `TODO` markers)
- (optional) authenticate to AzureRM, switch to the Subscription of your choice if necessary
- _(optional)_ authenticate to AzureRM, switch to the Subscription of your choice if necessary
- initialize the Terraform module:

```bash
terraform init
```

- (optional) plan you infrastructure to see what will be actually deployed:
- _(optional)_ plan you infrastructure to see what will be actually deployed:

```bash
terraform plan
Expand Down
249 changes: 245 additions & 4 deletions examples/common_vmseries/README.md
View file
Open in desktop

Large diffs are not rendered by default.

137 changes: 137 additions & 0 deletions examples/common_vmseries/example.tfvars
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -283,3 +283,140 @@ vmseries = {
]
}
}

# TEST INFRASTRUCTURE

test_infrastructure = {
"app1_testenv" = {
vnets = {
"app1" = {
name = "app1-vnet"
address_space = ["10.100.0.0/25"]
hub_vnet_name = "example-transit"
network_security_groups = {
"app1" = {
name = "app1-nsg"
rules = {
web_inbound = {
name = "app1-web-allow-inbound"
priority = 100
direction = "Inbound"
access = "Allow"
protocol = "Tcp"
source_address_prefixes = ["134.238.135.14", "134.238.135.140"]
source_port_range = "*"
destination_address_prefix = "10.100.0.0/25"
destination_port_ranges = ["80", "443"]
}
}
}
}
route_tables = {
acelebanski marked this conversation as resolved.
Show resolved Hide resolved
nva = {
name = "app1-rt"
routes = {
"toNVA" = {
name = "toNVA-udr"
address_prefix = "0.0.0.0/0"
next_hop_type = "VirtualAppliance"
next_hop_ip_address = "10.0.0.30"
}
}
}
}
subnets = {
"vms" = {
name = "vms-snet"
address_prefixes = ["10.100.0.0/26"]
network_security_group_key = "app1"
route_table_key = "nva"
}
"bastion" = {
name = "AzureBastionSubnet"
address_prefixes = ["10.100.0.64/26"]
}
}
}
}
spoke_vms = {
"app1_vm" = {
name = "app1-vm"
vnet_key = "app1"
subnet_key = "vms"
}
}
bastions = {
"app1_bastion" = {
name = "app1-bastion"
vnet_key = "app1"
subnet_key = "bastion"
}
}
}
"app2_testenv" = {
vnets = {
"app2" = {
name = "app2-vnet"
address_space = ["10.100.1.0/25"]
hub_vnet_name = "example-transit"
network_security_groups = {
"app2" = {
name = "app2-nsg"
rules = {
web_inbound = {
name = "app2-web-allow-inbound"
priority = 100
direction = "Inbound"
access = "Allow"
protocol = "Tcp"
source_address_prefixes = ["134.238.135.14", "134.238.135.140"]
source_port_range = "*"
destination_address_prefix = "10.100.1.0/25"
destination_port_ranges = ["80", "443"]
}
}
}
}
route_tables = {
nva = {
name = "app2-rt"
routes = {
"toNVA" = {
name = "toNVA-udr"
address_prefix = "0.0.0.0/0"
next_hop_type = "VirtualAppliance"
next_hop_ip_address = "10.0.0.30"
}
}
}
}
subnets = {
"vms" = {
name = "vms-snet"
address_prefixes = ["10.100.1.0/26"]
network_security_group_key = "app2"
route_table_key = "nva"
}
"bastion" = {
name = "AzureBastionSubnet"
address_prefixes = ["10.100.1.64/26"]
}
}
}
}
spoke_vms = {
"app2_vm" = {
name = "app2-vm"
vnet_key = "app2"
subnet_key = "vms"
}
}
bastions = {
"app2_bastion" = {
name = "app2-bastion"
vnet_key = "app2"
subnet_key = "bastion"
}
}
}
}
58 changes: 55 additions & 3 deletions examples/common_vmseries/main.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,9 +2,9 @@

# https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password
resource "random_password" "this" {
count = anytrue([
for _, v in var.vmseries : v.authentication.password == null
]) ? 1 : 0
count = anytrue([for _, v in var.vmseries : v.authentication.password == null]) ? (
anytrue([for _, v in var.test_infrastructure : v.authentication.password == null]) ? 2 : 1
) : 0

length = 16
min_lower = 16 - 4
Expand Down Expand Up @@ -390,3 +390,55 @@ module "vmseries" {
module.bootstrap,
]
}

# Create test infrastructure

locals {
test_vm_authentication = {
for k, v in var.test_infrastructure : k =>
merge(
v.authentication,
{
password = coalesce(v.authentication.password, try(random_password.this[1].result, null))
}
)
}
}

module "test_infrastructure" {
source = "../../modules/test_infrastructure"

for_each = var.test_infrastructure

resource_group_name = try(
"${var.name_prefix}${each.value.resource_group_name}", "${local.resource_group.name}-testenv"
)
region = var.region
vnets = { for k, v in each.value.vnets : k => merge(v, {
acelebanski marked this conversation as resolved.
Show resolved Hide resolved
name = "${var.name_prefix}${v.name}"
hub_resource_group_name = coalesce(v.hub_resource_group_name, local.resource_group.name)
network_security_groups = { for kv, vv in v.network_security_groups : kv => merge(vv, {
name = "${var.name_prefix}${vv.name}" })
}
route_tables = { for kv, vv in v.route_tables : kv => merge(vv, {
name = "${var.name_prefix}${vv.name}" })
}
}) }
load_balancers = { for k, v in each.value.load_balancers : k => merge(v, {
name = "${var.name_prefix}${v.name}"
backend_name = coalesce(v.backend_name, "${v.name}-backend")
}) }
authentication = local.test_vm_authentication[each.key]
spoke_vms = { for k, v in each.value.spoke_vms : k => merge(v, {
name = "${var.name_prefix}${v.name}"
interface_name = "${var.name_prefix}${coalesce(v.interface_name, "${v.name}-nic")}"
disk_name = "${var.name_prefix}${coalesce(v.disk_name, "${v.name}-osdisk")}"
}) }
bastions = { for k, v in each.value.bastions : k => merge(v, {
name = "${var.name_prefix}${v.name}"
public_ip_name = "${var.name_prefix}${coalesce(v.public_ip_name, "${v.name}-pip")}"
}) }

tags = var.tags
depends_on = [module.vnet]
}
27 changes: 27 additions & 0 deletions examples/common_vmseries/outputs.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -37,3 +37,30 @@ output "bootstrap_storage_urls" {
value = length(var.bootstrap_storages) > 0 ? { for k, v in module.bootstrap : k => v.file_share_urls } : null
sensitive = true
}

output "test_vms_usernames" {
description = "Initial administrative username to use for test VMs."
value = length(var.test_infrastructure) > 0 ? {
for k, v in local.test_vm_authentication : k => v.username
} : null
}

output "test_vms_passwords" {
description = "Initial administrative password to use for test VMs."
value = length(var.test_infrastructure) > 0 ? {
for k, v in local.test_vm_authentication : k => v.password
} : null
sensitive = true
}

output "test_vms_ips" {
description = "IP Addresses of the test VMs."
value = length(var.test_infrastructure) > 0 ? { for k, v in module.test_infrastructure : k => v.vm_private_ips } : null
}

output "app_lb_frontend_ips" {
description = "IP Addresses of the load balancers."
value = length({ for k, v in var.test_infrastructure : k => v if v.load_balancers != null }) > 0 ? {
for k, v in module.test_infrastructure : k => v.frontend_ip_configs
} : null
}
Loading