
Terraform project to set up infrastructure on Azure


Caravan Infra Azure

Caravan 2021 Azure

Setup

```shell
# SUBSCRIPTION_ID          subscription in which to create resources
# PARENT_RESOURCE_GROUP    resource group that contains the VM images and the shared DNS zone
# LOCATION                 Azure location in which to create resources
# PREFIX                   string prepended to all resource names
./project-setup.sh SUBSCRIPTION_ID PARENT_RESOURCE_GROUP LOCATION PREFIX
```

Teardown

```shell
# SUBSCRIPTION_ID          subscription in which the resources were created
# PREFIX                   string prepended to all resource names
./project-cleanup.sh SUBSCRIPTION_ID PREFIX
```

Usage

```shell
terraform init
terraform apply -var-file azure.tfvars
```

Requirements

| Name | Version |
|------|---------|
| terraform | ~> 0.15.4 |
| azuread | ~> 1.0 |
| azurerm | ~> 2.0 |

Providers

| Name | Version |
|------|---------|
| azuread | 1.6.0 |
| azurerm | 2.69.0 |
| local | 2.1.0 |
| null | 3.1.0 |
| random | 3.1.0 |
| tls | 3.1.0 |

Modules

| Name | Source | Version |
|------|--------|---------|
| caravan_bootstrap | git::https://github.com/bitrockteam/caravan-bootstrap | refs/tags/v0.2.13 |
| cloud_init_control_plane | git::https://github.com/bitrockteam/caravan-cloudinit | refs/tags/v0.1.13 |
| cloud_init_worker_plane | git::https://github.com/bitrockteam/caravan-cloudinit | refs/tags/v0.1.9 |
| terraform_acme_le | git::https://github.com/bitrockteam/caravan-acme-le | refs/tags/v0.0.11 |

Resources

| Name | Type |
|------|------|
| azuread_application.vault | resource |
| azuread_application_password.vault | resource |
| azuread_service_principal.vault | resource |
| azurerm_application_gateway.this | resource |
| azurerm_application_security_group.control_plane | resource |
| azurerm_application_security_group.monitoring | resource |
| azurerm_application_security_group.worker_plane | resource |
| azurerm_dns_a_record.control_plane_internal | resource |
| azurerm_dns_a_record.star | resource |
| azurerm_dns_ns_record.this | resource |
| azurerm_dns_zone.this | resource |
| azurerm_key_vault.key_vault | resource |
| azurerm_key_vault_access_policy.control_plane | resource |
| azurerm_key_vault_access_policy.self | resource |
| azurerm_key_vault_key.key | resource |
| azurerm_linux_virtual_machine.control_plane | resource |
| azurerm_linux_virtual_machine.monitoring | resource |
| azurerm_linux_virtual_machine_scale_set.worker_plane | resource |
| azurerm_managed_disk.consul_data | resource |
| azurerm_managed_disk.csi | resource |
| azurerm_managed_disk.nomad_data | resource |
| azurerm_managed_disk.vault_data | resource |
| azurerm_network_interface.control_plane | resource |
| azurerm_network_interface.monitoring | resource |
| azurerm_network_interface_application_gateway_backend_address_pool_association.control_plane | resource |
| azurerm_network_interface_application_gateway_backend_address_pool_association.monitoring | resource |
| azurerm_network_interface_application_security_group_association.control_plane | resource |
| azurerm_network_interface_application_security_group_association.monitoring | resource |
| azurerm_network_interface_application_security_group_association.monitoring_2 | resource |
| azurerm_network_security_group.app_gateway | resource |
| azurerm_network_security_group.default | resource |
| azurerm_network_security_rule.allow_in_icmp | resource |
| azurerm_network_security_rule.allow_in_internal | resource |
| azurerm_network_security_rule.allow_in_internal_2 | resource |
| azurerm_network_security_rule.allow_in_lb | resource |
| azurerm_network_security_rule.allow_in_lb_2 | resource |
| azurerm_network_security_rule.allow_in_ssh | resource |
| azurerm_network_security_rule.allow_nomad_consul_envoy | resource |
| azurerm_network_security_rule.lb_default_rules | resource |
| azurerm_network_security_rule.lb_default_rules-2 | resource |
| azurerm_public_ip.control_plane | resource |
| azurerm_public_ip.lb | resource |
| azurerm_public_ip.monitoring | resource |
| azurerm_role_assignment.control_plane_acr_read | resource |
| azurerm_role_assignment.control_plane_key_vault_user | resource |
| azurerm_role_assignment.control_plane_vault_auth | resource |
| azurerm_role_assignment.vault | resource |
| azurerm_role_assignment.worker_plane_acr_read | resource |
| azurerm_subnet.app_gateway | resource |
| azurerm_subnet.subnet | resource |
| azurerm_subnet_network_security_group_association.default | resource |
| azurerm_user_assigned_identity.control_plane | resource |
| azurerm_user_assigned_identity.worker_plane | resource |
| azurerm_virtual_machine_data_disk_attachment.consul_data | resource |
| azurerm_virtual_machine_data_disk_attachment.nomad_data | resource |
| azurerm_virtual_machine_data_disk_attachment.vault_data | resource |
| azurerm_virtual_network.vnet | resource |
| local_file.backend_tf_appsupport | resource |
| local_file.backend_tf_platform | resource |
| local_file.ssh_key | resource |
| local_file.tfvars_appsupport | resource |
| local_file.tfvars_platform | resource |
| null_resource.ca_certs | resource |
| null_resource.ca_certs_bundle | resource |
| random_string.vault_password | resource |
| tls_private_key.cert_private_key | resource |
| tls_private_key.ssh_key | resource |
| azuread_client_config.this | data source |
| azurerm_client_config.this | data source |
| azurerm_dns_zone.parent | data source |
| azurerm_image.caravan | data source |
| azurerm_resource_group.this | data source |
| azurerm_role_definition.acr_pull | data source |
| azurerm_role_definition.key_vault_user | data source |
| azurerm_role_definition.owner | data source |
| azurerm_storage_account.this | data source |
| azurerm_subscription.this | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| client_id | The Azure Service Principal Client ID which should be used. | `string` | n/a | yes |
| client_secret | The Azure Service Principal Client Secret which should be used. | `string` | n/a | yes |
| external_domain | The external domain to use for registering DNS names. | `string` | n/a | yes |
| image_resource_group_name | The Azure Resource Group name where Caravan images are available. | `string` | n/a | yes |
| location | The Azure location where to create resources. | `string` | n/a | yes |
| parent_resource_group_name | The Azure Resource Group name where a DNS zone exists for external_domain. | `string` | n/a | yes |
| prefix | A string prefix prepended to resource names. | `string` | n/a | yes |
| resource_group_name | The Azure Resource Group name in which the objects will be created. | `string` | n/a | yes |
| storage_account_name | The Azure Storage Account which is used for Terraform state storage. | `string` | n/a | yes |
| subscription_id | The Azure Subscription ID which should be used. | `string` | n/a | yes |
| tenant_id | The Azure Tenant ID which should be used. | `string` | n/a | yes |
| use_le_staging | Whether to use the Let's Encrypt staging endpoint. | `bool` | n/a | yes |
| allowed_ssh_cidrs | The list of CIDRs from which SSH is allowed. | `list(string)` | `["0.0.0.0/0"]` | no |
| app_gateway_subnet_cidr | The CIDR of the subnet created for the Application Gateway instance. | `string` | `"10.0.2.0/24"` | no |
| ca_certs | A group of certificate objects to download locally. This helps when using the Let's Encrypt staging environment. | `map(object({ filename = string, pemurl = string }))` | `{ "fakeleintermediatex1": { "filename": "letsencrypt-stg-root-x1.pem", "pemurl": "https://letsencrypt.org/certs/staging/letsencrypt-stg-root-x1.pem" }, "fakelerootx1": { "filename": "letsencrypt-stg-int-r3.pem", "pemurl": "https://letsencrypt.org/certs/staging/letsencrypt-stg-int-r3.pem" } }` | no |
| consul_license_file | Path to Consul Enterprise license | `string` | `null` | no |
| control_plane_disk_data_size | The size of control plane instances' data disk. | `number` | `20` | no |
| control_plane_disk_data_type | The type of control plane instances' data disk. | `string` | `"Standard_LRS"` | no |
| control_plane_disk_root_size | The size of control plane instances' root disk. | `number` | `30` | no |
| control_plane_disk_root_type | The type of control plane instances' root disk. | `string` | `"Standard_LRS"` | no |
| control_plane_instance_count | The number of control plane instances. | `number` | `3` | no |
| control_plane_size | The size of control plane instances. | `string` | `"Standard_B2s"` | no |
| csi_volumes | Example: `{ "jenkins" : { "storage_account_type" : "Standard_LRS", "disk_size_gb" : "30" } }` | `map(map(string))` | `{}` | no |
| dc_name | The Consul DC name. | `string` | `"azure-dc"` | no |
| enable_monitoring | Whether to create an additional instance for monitoring purposes. | `bool` | `true` | no |
| image_name_regex | The Azure Compute image name regex | `string` | `"caravan-centos-image-*"` | no |
| monitoring_disk_size | The size of the monitoring instance disk. | `string` | `"40"` | no |
| monitoring_size | The size of the monitoring instance. | `string` | `"Standard_B2s"` | no |
| nomad_license_file | Path to Nomad Enterprise license | `string` | `null` | no |
| subnet_cidr | The CIDR of the subnet created for Compute instances. | `string` | `"10.0.1.0/24"` | no |
| tags | A set of key-value tags applied to all resources created by Terraform. | `map(string)` | `{ "project": "caravan" }` | no |
| vault_auth_resource | The Azure AD application to use for generating access tokens. | `string` | `"https://management.azure.com/"` | no |
| vault_license_file | Path to Vault Enterprise license | `string` | `null` | no |
| vnet_cidrs | The CIDR of the created Virtual Network. | `list(string)` | `["10.0.0.0/16"]` | no |
| worker_plane_disk_size | The size of worker plane instances' disk. | `string` | `"40"` | no |
| worker_plane_instance_count | The number of worker plane instances. | `number` | `3` | no |
| worker_plane_size | The size of control plane instances. | `string` | `"Standard_B2s"` | no |
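An example `azure.tfvars` for the `terraform apply -var-file azure.tfvars` step in Usage, written against the Inputs above. It is an added illustration, not a file shipped with the project: every `<...>` value and the sample addresses, names and location are assumptions. Its main point is that `allowed_ssh_cidrs` defaults to `["0.0.0.0/0"]`, so the `allow_in_ssh` rule admits SSH from any address unless you override it.

```hcl
# Example azure.tfvars (added illustration, not part of caravan-infra-azure).
# Required inputs: replace every <...> placeholder with your own values.
subscription_id            = "<subscription-id>"
tenant_id                  = "<tenant-id>"
client_id                  = "<service-principal-client-id>"
# Prefer exporting TF_VAR_client_secret in the environment over committing it here.
client_secret              = "<service-principal-client-secret>"
location                   = "westeurope"          # constructed sample value
prefix                     = "caravan"             # same PREFIX passed to project-setup.sh
resource_group_name        = "caravan-rg"          # constructed sample value
parent_resource_group_name = "caravan-parent-rg"   # holds the external_domain DNS zone
image_resource_group_name  = "caravan-parent-rg"   # holds the Caravan VM images
storage_account_name       = "<storage-account-for-terraform-state>"
external_domain            = "example.com"
use_le_staging             = true                  # staging issuer; see ca_certs for trusting its chain

# The documented default is ["0.0.0.0/0"], which opens SSH on the public IPs to
# the whole internet. Restrict it to the ranges that actually need access.
allowed_ssh_cidrs = [
  "203.0.113.0/24",   # constructed: office egress range
  "198.51.100.7/32",  # constructed: bastion host
]

# Optional overrides, kept at their documented defaults except where noted.
control_plane_instance_count = 3
worker_plane_instance_count  = 3
dc_name                      = "azure-dc"
enable_monitoring            = true

# Per-workload CSI data disks, following the shape shown for the csi_volumes input.
csi_volumes = {
  jenkins = {
    storage_account_type = "Standard_LRS"
    disk_size_gb         = "30"
  }
}

tags = {
  project = "caravan"
  env     = "staging"   # added alongside the documented default tag
}
```

Run `terraform plan -var-file azure.tfvars` first and confirm the `allow_in_ssh` rule only lists the CIDRs you set.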

Outputs

| Name | Description |
|------|-------------|
| appsupport_backend | n/a |
| appsupport_tfvars | n/a |
| control_plane_role_name | n/a |
| control_plane_service_principal_ids | n/a |
| csi_volumes | n/a |
| ips | n/a |
| platform_backend | n/a |
| platform_tfvars | n/a |
| resource_group_name | n/a |
| subscription_id | n/a |
| tenant_id | n/a |
| vault_client_id | n/a |
| vault_client_secret | n/a |
| vault_resource_name | n/a |
| worker_plane_role_name | n/a |
| worker_plane_service_principal_ids | n/a |
| workload_backend | n/a |
| workload_tfvars | n/a |
| zzz_vault_ad_app | n/a |