# Public frontend address for the infra (router) load balancer.
# No `sku` is given, so this is a Basic SKU public IP, which is what the
# Basic SKU `azurerm_lb.infra` below requires. Basic public IPs do not
# filter inbound traffic by themselves; the infra subnet relies on the
# `azurerm_network_security_group.infra` rules further down in this file.
resource "azurerm_public_ip" "infra" {
  name                = "infra"
  resource_group_name = azurerm_resource_group.main.name
  location            = azurerm_resource_group.main.location
  allocation_method   = "Static"
  tags                = var.tags
}
# Internet-facing load balancer in front of the infra nodes (OpenShift router).
# The frontend configuration is named "main" and is referenced by that name
# from the HTTP/HTTPS `azurerm_lb_rule` resources below.
# NOTE(review): Basic SKU carries no SLA and cannot be zone-redundant; moving to
# Standard (closed-by-default, needs a Standard public IP) would tighten the
# exposure of the backend NICs — confirm before changing, it is a replacement.
resource "azurerm_lb" "infra" {
  name                = "infra"
  resource_group_name = azurerm_resource_group.main.name
  location            = azurerm_resource_group.main.location
  sku                 = "Basic"
  tags                = var.tags

  frontend_ip_configuration {
    name                 = "main"
    public_ip_address_id = azurerm_public_ip.infra.id
  }
}
# Backend pool of the infra load balancer; the infra NICs are added to it
# through `azurerm_network_interface_backend_address_pool_association.infra`.
resource "azurerm_lb_backend_address_pool" "infra" {
  name                = "infra"
  resource_group_name = azurerm_resource_group.main.name
  loadbalancer_id     = azurerm_lb.infra.id
}
# Puts the "primary" IP configuration of every infra NIC into the LB backend
# pool. One association per infra VM, so the count matches the NIC count.
resource "azurerm_network_interface_backend_address_pool_association" "infra" {
  count = var.openshift_azure_infra_vm_count

  network_interface_id    = azurerm_network_interface.infra[count.index].id
  ip_configuration_name   = "primary"
  backend_address_pool_id = azurerm_lb_backend_address_pool.infra.id
}
# Health probe for the infra pool. Despite the name, no `protocol` or
# `request_path` is set, so this is a plain TCP connect check on port 80,
# not an HTTP GET; a router that accepts connections but returns errors
# still counts as healthy.
resource "azurerm_lb_probe" "infra_http" {
  name                = "HTTP"
  resource_group_name = azurerm_lb.infra.resource_group_name
  loadbalancer_id     = azurerm_lb.infra.id
  port                = 80
}
# Forwards TCP/80 from the public frontend "main" to port 80 on the infra
# pool, gated by the TCP probe on port 80.
resource "azurerm_lb_rule" "infra_http" {
  name                = "HTTP"
  resource_group_name = azurerm_lb.infra.resource_group_name
  loadbalancer_id     = azurerm_lb.infra.id

  protocol      = "TCP"
  frontend_port = 80
  backend_port  = 80

  frontend_ip_configuration_name = "main"
  backend_address_pool_id        = azurerm_lb_backend_address_pool.infra.id
  probe_id                       = azurerm_lb_probe.infra_http.id
}
# Forwards TCP/443 from the public frontend "main" to port 443 on the infra
# pool. The rule reuses the port-80 probe (`azurerm_lb_probe.infra_http`), so
# a node whose 443 listener is down but whose 80 listener is up stays in
# rotation for HTTPS, and vice versa; a dedicated port-443 probe would make
# the HTTPS path health-check itself.
resource "azurerm_lb_rule" "infra_https" {
  name                = "HTTPS"
  resource_group_name = azurerm_lb.infra.resource_group_name
  loadbalancer_id     = azurerm_lb.infra.id

  protocol      = "TCP"
  frontend_port = 443
  backend_port  = 443

  frontend_ip_configuration_name = "main"
  backend_address_pool_id        = azurerm_lb_backend_address_pool.infra.id
  probe_id                       = azurerm_lb_probe.infra_http.id
}
# One NIC per infra VM, named infra-001, infra-002, ... The same name is used
# as the internal DNS label and, further down, as the VM and OS disk name.
# IP forwarding stays off: the infra nodes are endpoints, not routers, and
# leaving it disabled prevents them from spoofing/relaying for other hosts.
resource "azurerm_network_interface" "infra" {
  count = var.openshift_azure_infra_vm_count

  name                    = format("infra-%03d", count.index + 1)
  internal_dns_name_label = format("infra-%03d", count.index + 1)
  resource_group_name     = azurerm_resource_group.main.name
  location                = azurerm_resource_group.main.location
  enable_ip_forwarding    = false
  tags                    = var.tags

  # Single, primary IP configuration on the infra subnet; its name "primary"
  # is referenced by the backend pool association.
  ip_configuration {
    name                          = "primary"
    primary                       = true
    subnet_id                     = azurerm_subnet.infra.id
    private_ip_address_allocation = "Dynamic"
  }
}
# Managed availability set so the infra VMs are spread across fault/update
# domains (required for managed disks, hence `managed = true`).
resource "azurerm_availability_set" "infra" {
  name                = "infra"
  resource_group_name = azurerm_resource_group.main.name
  location            = azurerm_resource_group.main.location
  managed             = true
  tags                = var.tags
}
# Infra (router/registry) VMs. Each VM takes its name, computer name and OS
# disk name from the NIC with the same index, so the NIC count drives the
# VM count.
#
# Access model: SSH public-key only (`disable_password_authentication = true`);
# the key comes from `tls_private_key.main`. An admin password is still set
# from `random_password.main`, which means that secret lands in the Terraform
# state even though SSH will not accept it — treat the state file accordingly.
#
# Image: CentOS 7.7 with `version = "latest"`, so two applies at different
# times can produce VMs from different image builds; pin `version` if
# reproducible node images matter. CentOS 7 is end-of-life, so expect to
# move to a supported base image.
resource "azurerm_virtual_machine" "infra" {
  count = var.openshift_azure_infra_vm_count

  name                = azurerm_network_interface.infra[count.index].name
  resource_group_name = azurerm_resource_group.main.name
  location            = azurerm_resource_group.main.location
  vm_size             = var.openshift_azure_infra_vm_size
  availability_set_id = azurerm_availability_set.infra.id
  tags                = var.tags

  network_interface_ids        = [azurerm_network_interface.infra[count.index].id]
  primary_network_interface_id = azurerm_network_interface.infra[count.index].id

  # Disks are disposable with the VM; nothing on an infra node is meant to
  # outlive it.
  delete_os_disk_on_termination    = true
  delete_data_disks_on_termination = true

  storage_os_disk {
    name              = format("%s-os", azurerm_network_interface.infra[count.index].name)
    caching           = "ReadWrite"
    create_option     = "FromImage"
    managed_disk_type = "StandardSSD_LRS"
  }

  # az vm image list --all --offer CentOS --output table
  storage_image_reference {
    publisher = "OpenLogic"
    offer     = "CentOS"
    sku       = "7.7"
    version   = "latest"
  }

  os_profile {
    computer_name  = azurerm_network_interface.infra[count.index].name
    admin_username = var.linux_vm_admin_username
    admin_password = random_password.main.result
  }

  os_profile_linux_config {
    disable_password_authentication = true

    ssh_keys {
      path     = "/home/${var.linux_vm_admin_username}/.ssh/authorized_keys"
      key_data = tls_private_key.main.public_key_openssh
    }
  }

  # Data disks are attached outside this resource; ignore them here so a
  # plan does not try to detach them.
  lifecycle {
    ignore_changes = [
      storage_data_disk
    ]
  }
}
# Static Standard SKU public IP used as the egress (SNAT) address of the NAT
# gateway. Standard public IPs are closed to inbound traffic unless an NSG
# opens them, which is what we want for a pure egress address.
# NOTE(review): if the node subnets egress through this gateway, this address
# is a much narrower source for the "AzureCloud.WestEurope" NSG rules below
# than the whole-region service tag — confirm the subnet associations first.
resource "azurerm_public_ip" "nat_gateway" {
  name                = format("%s-nat-gateway", azurerm_nat_gateway.main.name)
  resource_group_name = azurerm_resource_group.main.name
  location            = azurerm_virtual_network.gateway.location
  allocation_method   = "Static"
  sku                 = "Standard"
}
# NAT gateway providing outbound connectivity for the subnets associated with
# it (see `azurerm_subnet_nat_gateway_association.main`). Placed in the
# gateway VNet's location rather than the resource group's.
resource "azurerm_nat_gateway" "main" {
  name                = "main"
  resource_group_name = azurerm_resource_group.main.name
  location            = azurerm_virtual_network.gateway.location
  sku_name            = "Standard"
}
# Binds the static egress address to the NAT gateway.
resource "azurerm_nat_gateway_public_ip_association" "main" {
  public_ip_address_id = azurerm_public_ip.nat_gateway.id
  nat_gateway_id       = azurerm_nat_gateway.main.id
}
# Only `azurerm_subnet.nat_gateway` is routed through the NAT gateway here;
# the master/infra/node subnets are not associated in this file, so their
# egress path is whatever the platform gives them by default.
resource "azurerm_subnet_nat_gateway_association" "main" {
  subnet_id      = azurerm_subnet.nat_gateway.id
  nat_gateway_id = azurerm_nat_gateway.main.id
}
# Management Network
# NSG for the management subnet (bastion host). Rules are attached as
# separate `azurerm_network_security_rule` resources.
resource "azurerm_network_security_group" "management" {
  name                = "management"
  resource_group_name = azurerm_resource_group.main.name
  location            = azurerm_resource_group.main.location
  tags                = var.tags
}
# Attaches the management NSG to the management subnet.
resource "azurerm_subnet_network_security_group_association" "management" {
  network_security_group_id = azurerm_network_security_group.management.id
  subnet_id                 = azurerm_subnet.management.id
}
# SSH into the bastion host only, and only from the operator networks listed
# in `var.trusted_networks`. The destination is the bastion NIC's private
# address rather than the whole subnet, so other hosts on the management
# subnet are not reachable on 22 through this rule. Everything else inbound
# from the Internet is left to the NSG's default deny.
resource "azurerm_network_security_rule" "allow_ssh_to_bastion_host_from_trusted_networks" {
  name                        = "AllowSSHToBastionHost"
  resource_group_name         = azurerm_resource_group.main.name
  network_security_group_name = azurerm_network_security_group.management.name

  priority  = 100
  direction = "Inbound"
  access    = "Allow"
  protocol  = "Tcp"

  source_port_range          = "*"
  source_address_prefixes    = values(var.trusted_networks)
  destination_port_range     = "22"
  destination_address_prefix = azurerm_network_interface.bastion.private_ip_address
}
# Master Network
# NSG for the master subnet (OpenShift API/control plane).
resource "azurerm_network_security_group" "master" {
  name                = "master"
  resource_group_name = azurerm_resource_group.main.name
  location            = azurerm_resource_group.main.location
  tags                = var.tags
}
# Attaches the master NSG to the master subnet.
resource "azurerm_subnet_network_security_group_association" "master" {
  network_security_group_id = azurerm_network_security_group.master.id
  subnet_id                 = azurerm_subnet.master.id
}
# OpenShift API (TCP/443) to the whole master subnet, from the operator
# networks in `var.trusted_networks` only.
resource "azurerm_network_security_rule" "allow_openshift_api_to_master_subnet_from_trusted_networks" {
  name                        = "AllowOpenShiftAPIFromTrustedNetworks"
  resource_group_name         = azurerm_resource_group.main.name
  network_security_group_name = azurerm_network_security_group.master.name

  priority  = 120
  direction = "Inbound"
  access    = "Allow"
  protocol  = "Tcp"

  source_port_range          = "*"
  source_address_prefixes    = values(var.trusted_networks)
  destination_port_range     = "443"
  destination_address_prefix = azurerm_subnet.master.address_prefix
}
# Nodes reach the OpenShift API through the external load balancer, so their
# traffic arrives at the masters with a public Azure source address after
# NAT. Instead of a NAT gateway (private preview at the time of writing) the
# rule admits that NAT'ed traffic via the regional service tag.
#
# Exposure: "AzureCloud.WestEurope" matches every Azure public IP in the
# region, i.e. any tenant's VM in West Europe can reach TCP/443 on the master
# subnet — the API is then protected by its own authentication only.
# NOTE(review): if the node subnets are routed through `azurerm_nat_gateway.main`,
# replacing the service tag with `azurerm_public_ip.nat_gateway.ip_address`
# restricts this to the cluster's own egress address — confirm the routing
# before narrowing, or the nodes lose the API.
resource "azurerm_network_security_rule" "allow_openshift_api_to_master_subnet_from_azure_westeurope" {
  name                        = "AllowOpenShiftAPIFromAzureWestEurope"
  resource_group_name         = azurerm_resource_group.main.name
  network_security_group_name = azurerm_network_security_group.master.name

  priority  = 150
  direction = "Inbound"
  access    = "Allow"
  protocol  = "Tcp"

  source_port_range          = "*"
  source_address_prefix      = "AzureCloud.WestEurope"
  destination_port_range     = "443"
  destination_address_prefix = azurerm_subnet.master.address_prefix
}
# Infrastructure Nodes (Router, Registry etc.)
# NSG for the infra subnet (router, registry). Because the infra public IP and
# load balancer are Basic SKU, this NSG is the only inbound filter in front of
# the infra NICs.
resource "azurerm_network_security_group" "infra" {
  name                = "infra"
  resource_group_name = azurerm_resource_group.main.name
  location            = azurerm_resource_group.main.location
  tags                = var.tags
}
# Attaches the infra NSG to the infra subnet.
resource "azurerm_subnet_network_security_group_association" "infra" {
  network_security_group_id = azurerm_network_security_group.infra.id
  subnet_id                 = azurerm_subnet.infra.id
}
# Router HTTP (TCP/80) to the infra subnet from the operator networks in
# `var.trusted_networks`.
resource "azurerm_network_security_rule" "allow_http_to_infra_subnet_from_trusted_networks" {
  name                        = "AllowHTTPFromTrustedNetworks"
  resource_group_name         = azurerm_resource_group.main.name
  network_security_group_name = azurerm_network_security_group.infra.name

  priority  = 120
  direction = "Inbound"
  access    = "Allow"
  protocol  = "Tcp"

  source_port_range          = "*"
  source_address_prefixes    = values(var.trusted_networks)
  destination_port_range     = "80"
  destination_address_prefix = azurerm_subnet.infra.address_prefix
}
# Router HTTP (TCP/80) to the infra subnet from any Azure public address in
# West Europe. The original comment here was copied from the master API rule;
# presumably the reason is the same — in-cluster clients that go through the
# public load balancer arrive NAT'ed with an Azure source IP — confirm.
# As with the API rule, "AzureCloud.WestEurope" admits every tenant in the
# region, not just this deployment; see the note on
# `azurerm_public_ip.nat_gateway` for a narrower source.
resource "azurerm_network_security_rule" "allow_http_to_infra_subnet_from_azure_westeurope" {
  name                        = "AllowHTTPFromAzureWestEurope"
  resource_group_name         = azurerm_resource_group.main.name
  network_security_group_name = azurerm_network_security_group.infra.name

  priority  = 121
  direction = "Inbound"
  access    = "Allow"
  protocol  = "Tcp"

  source_port_range          = "*"
  source_address_prefix      = "AzureCloud.WestEurope"
  destination_port_range     = "80"
  destination_address_prefix = azurerm_subnet.infra.address_prefix
}
# Router HTTPS (TCP/443) to the infra subnet from the operator networks in
# `var.trusted_networks`.
resource "azurerm_network_security_rule" "allow_https_to_infra_subnet_from_trusted_networks" {
  name                        = "AllowHTTPSFromTrustedNetworks"
  resource_group_name         = azurerm_resource_group.main.name
  network_security_group_name = azurerm_network_security_group.infra.name

  priority  = 130
  direction = "Inbound"
  access    = "Allow"
  protocol  = "Tcp"

  source_port_range          = "*"
  source_address_prefixes    = values(var.trusted_networks)
  destination_port_range     = "443"
  destination_address_prefix = azurerm_subnet.infra.address_prefix
}
# Router HTTPS (TCP/443) to the infra subnet from any Azure public address in
# West Europe. The original comment here was copied from the master API rule;
# presumably the reason is the same — in-cluster clients that go through the
# public load balancer arrive NAT'ed with an Azure source IP — confirm.
# As with the API rule, "AzureCloud.WestEurope" admits every tenant in the
# region, not just this deployment; see the note on
# `azurerm_public_ip.nat_gateway` for a narrower source.
resource "azurerm_network_security_rule" "allow_https_to_infra_subnet_from_azure_westeurope" {
  name                        = "AllowHTTPSFromAzureWestEurope"
  resource_group_name         = azurerm_resource_group.main.name
  network_security_group_name = azurerm_network_security_group.infra.name

  priority  = 131
  direction = "Inbound"
  access    = "Allow"
  protocol  = "Tcp"

  source_port_range          = "*"
  source_address_prefix      = "AzureCloud.WestEurope"
  destination_port_range     = "443"
  destination_address_prefix = azurerm_subnet.infra.address_prefix
}
# Node
# NSG for the node subnet. No custom rules are defined for it in this file,
# so only the Azure default rules apply (VNet and load balancer traffic
# allowed in, Internet denied).
resource "azurerm_network_security_group" "node" {
  name                = "node"
  resource_group_name = azurerm_resource_group.main.name
  location            = azurerm_resource_group.main.location
  tags                = var.tags
}
# Attaches the node NSG to the node subnet.
resource "azurerm_subnet_network_security_group_association" "node" {
  network_security_group_id = azurerm_network_security_group.node.id
  subnet_id                 = azurerm_subnet.node.id
}