├── modules ├── bastion │ ├── outputs.tf │ ├── README.md │ ├── variables.tf │ └── main.tf ├── k8s_cluster │ ├── outputs.tf │ ├── README.md │ └── variables.tf ├── tt_backend │ ├── outputs.tf │ ├── variables.tf │ ├── README.md │ └── main.tf ├── key_vault │ ├── outputs.tf │ ├── README.md │ ├── variables.tf │ └── main.tf ├── linux_web_app │ ├── outputs.tf │ ├── README.md │ ├── variables.tf │ └── main.tf ├── domain_controllers │ ├── outputs.tf │ ├── README.md │ └── variables.tf ├── logs │ ├── outputs.tf │ ├── variables.tf │ ├── README.md │ └── main.tf ├── container_registry │ ├── outputs.tf │ ├── main.tf │ ├── variables.tf │ └── README.md ├── windows_jumpbox │ ├── outputs.tf │ ├── README.md │ └── variables.tf ├── aks_agic │ ├── templates │ │ ├── aadpodidentity.yaml │ │ ├── aadpodbinding.yaml │ │ ├── aspnetapp.yaml │ │ └── helm-config.yaml │ └── outputs.tf ├── network_spoke │ └── outputs.tf ├── network_isolated │ ├── outputs.tf │ ├── main.tf │ ├── variables.tf │ └── README.md ├── network_hub │ ├── outputs.tf │ ├── README.md │ └── variables.tf └── aks_baseline │ └── outputs.tf ├── environments ├── prod │ ├── outputs.tf │ ├── terraform.tfvars │ ├── providers.tf │ ├── README.md │ └── variables.tf ├── dev │ ├── outputs.tf │ ├── terraform.tfvars │ ├── providers.tf │ ├── variables.tf │ ├── README.md │ └── main.tf ├── test │ ├── outputs.tf │ ├── providers.tf │ ├── terraform.tfvars │ ├── README.md │ ├── main.tf │ └── variables.tf └── shared-services │ ├── terraform.tfvars │ ├── providers.tf │ ├── outputs.tf │ ├── main.tf │ ├── variables.tf │ └── README.md ├── templates ├── template_module │ ├── outputs.tf │ ├── main.tf │ ├── variables.tf │ └── README.md ├── template_resource │ ├── outputs.tf │ ├── main.tf │ ├── README.md │ └── variables.tf └── template_environment │ ├── main.tf │ ├── outputs.tf │ ├── variables.tf │ └── README.md ├── resources ├── network │ ├── firewall_network_rule_collection │ │ ├── outputs.tf │ │ ├── main.tf │ │ ├── README.md │ │ └── variables.tf │ ├── 
subnet_network_security_group_association │ │ ├── outputs.tf │ │ ├── main.tf │ │ ├── variables.tf │ │ └── README.md │ ├── route │ │ ├── outputs.tf │ │ ├── main.tf │ │ ├── README.md │ │ └── variables.tf │ ├── lb │ │ ├── outputs.tf │ │ ├── main.tf │ │ └── README.md │ ├── subnet_route_table_association │ │ ├── outputs.tf │ │ ├── main.tf │ │ ├── variables.tf │ │ └── README.md │ ├── lb_backend_address_pool │ │ ├── outputs.tf │ │ ├── main.tf │ │ ├── variables.tf │ │ └── README.md │ ├── virtual_network_peering │ │ ├── outputs.tf │ │ ├── main.tf │ │ ├── README.md │ │ └── variables.tf │ ├── dns_zone │ │ ├── main.tf │ │ ├── outputs.tf │ │ ├── variables.tf │ │ └── README.md │ ├── network_security_rule │ │ ├── outputs.tf │ │ ├── README.md │ │ ├── main.tf │ │ └── variables.tf │ ├── application_gateway │ │ ├── outputs.tf │ │ ├── README.md │ │ ├── variables.tf │ │ └── main.tf │ ├── virtual_network_gateway │ │ ├── outputs.tf │ │ └── main.tf │ ├── dns_a_record │ │ ├── outputs.tf │ │ ├── main.tf │ │ ├── README.md │ │ └── variables.tf │ ├── bastion_host │ │ ├── outputs.tf │ │ ├── README.md │ │ ├── main.tf │ │ └── variables.tf │ ├── network_interface_backend_address_pool_association │ │ ├── outputs.tf │ │ ├── main.tf │ │ ├── variables.tf │ │ └── README.md │ ├── network_security_group │ │ ├── outputs.tf │ │ ├── main.tf │ │ ├── variables.tf │ │ └── README.md │ ├── firewall │ │ ├── outputs.tf │ │ ├── main.tf │ │ ├── README.md │ │ └── variables.tf │ ├── network_interface │ │ ├── outputs.tf │ │ └── main.tf │ ├── virtual_network │ │ ├── main.tf │ │ ├── outputs.tf │ │ ├── variables.tf │ │ └── README.md │ ├── route_table │ │ ├── main.tf │ │ ├── outputs.tf │ │ ├── variables.tf │ │ └── README.md │ ├── public_ip │ │ ├── main.tf │ │ └── outputs.tf │ └── subnet │ │ ├── outputs.tf │ │ └── main.tf ├── cosmosdb │ └── cosmosdb_account │ │ ├── outputs.tf │ │ ├── README.md │ │ ├── main.tf │ │ └── variables.tf ├── authorization │ ├── role_assignment │ │ ├── outputs.tf │ │ ├── main.tf │ │ ├── variables.tf 
│ │ └── README.md │ └── user_assigned_identity │ │ ├── main.tf │ │ ├── outputs.tf │ │ ├── variables.tf │ │ └── README.md ├── container │ ├── kubernetes_cluster_node_pool │ │ ├── outputs.tf │ │ └── main.tf │ ├── container_registry │ │ ├── outputs.tf │ │ ├── main.tf │ │ └── README.md │ └── kubernetes_cluster │ │ └── outputs.tf ├── compute │ ├── managed_disk │ │ ├── outputs.tf │ │ └── main.tf │ ├── virtual_machine_data_disk_attachment │ │ ├── outputs.tf │ │ ├── main.tf │ │ ├── variables.tf │ │ └── README.md │ ├── linux_virtual_machine │ │ └── outputs.tf │ └── windows_virtual_machine │ │ └── outputs.tf ├── app_service │ ├── app_service_plan │ │ ├── outputs.tf │ │ ├── main.tf │ │ └── README.md │ └── app_service │ │ └── outputs.tf ├── key_vault │ ├── key_vault_access_policy │ │ ├── outputs.tf │ │ ├── main.tf │ │ ├── README.md │ │ └── variables.tf │ ├── key_vault │ │ ├── outputs.tf │ │ ├── main.tf │ │ └── README.md │ └── key_vault_certificate │ │ ├── outputs.tf │ │ └── main.tf ├── recovery_services │ └── recovery_services_vault │ │ ├── outputs.tf │ │ ├── main.tf │ │ ├── README.md │ │ └── variables.tf ├── base │ └── resource_group │ │ ├── main.tf │ │ ├── outputs.tf │ │ ├── variables.tf │ │ └── README.md ├── storage │ └── storage_account │ │ └── outputs.tf └── log_analytics │ └── log_analytics │ ├── outputs.tf │ ├── main.tf │ ├── variables.tf │ └── README.md ├── bin ├── terraform-variables-generator.exe ├── terraform-validate.sh ├── update-README.sh ├── cert-gen-p2s.ps1 ├── terraform-plan.sh ├── terraform-destroy.sh └── terraform-apply.sh ├── .devcontainer ├── library-scripts │ ├── README.md │ └── azcli-debian.sh ├── devcontainer.json └── Dockerfile ├── Dockerfile ├── .gitignore ├── LICENSE ├── .github └── workflows │ ├── aks-staging.yaml │ └── aks-prod.yaml └── azure-pipelines.yml /modules/bastion/outputs.tf: -------------------------------------------------------------------------------- 1 | ### 2 | # module outputs 3 | ### 
-------------------------------------------------------------------------------- /modules/k8s_cluster/outputs.tf: -------------------------------------------------------------------------------- 1 | ### 2 | # module outputs 3 | ### -------------------------------------------------------------------------------- /modules/tt_backend/outputs.tf: -------------------------------------------------------------------------------- 1 | ### 2 | # module outputs 3 | ### -------------------------------------------------------------------------------- /environments/prod/outputs.tf: -------------------------------------------------------------------------------- 1 | ### 2 | # environment outputs 3 | ### -------------------------------------------------------------------------------- /modules/key_vault/outputs.tf: -------------------------------------------------------------------------------- 1 | ### 2 | # module outputs 3 | ### 4 | -------------------------------------------------------------------------------- /modules/linux_web_app/outputs.tf: -------------------------------------------------------------------------------- 1 | ### 2 | # module outputs 3 | ### -------------------------------------------------------------------------------- /environments/dev/outputs.tf: -------------------------------------------------------------------------------- 1 | ### 2 | # environment outputs 3 | ### 4 | -------------------------------------------------------------------------------- /environments/test/outputs.tf: -------------------------------------------------------------------------------- 1 | ### 2 | # environment outputs 3 | ### 4 | -------------------------------------------------------------------------------- /modules/domain_controllers/outputs.tf: -------------------------------------------------------------------------------- 1 | ### 2 | # resource outputs 3 | ### -------------------------------------------------------------------------------- 
/templates/template_module/outputs.tf: -------------------------------------------------------------------------------- 1 | ### 2 | # module outputs 3 | ### -------------------------------------------------------------------------------- /templates/template_resource/outputs.tf: -------------------------------------------------------------------------------- 1 | ### 2 | # resource outputs 3 | ### -------------------------------------------------------------------------------- /templates/template_environment/main.tf: -------------------------------------------------------------------------------- 1 | ### 2 | # environment composition 3 | ### -------------------------------------------------------------------------------- /templates/template_environment/outputs.tf: -------------------------------------------------------------------------------- 1 | ### 2 | # environment outputs 3 | ### -------------------------------------------------------------------------------- /templates/template_resource/main.tf: -------------------------------------------------------------------------------- 1 | ### 2 | # resource composition 3 | ### 4 | 5 | -------------------------------------------------------------------------------- /resources/network/firewall_network_rule_collection/outputs.tf: -------------------------------------------------------------------------------- 1 | ### 2 | # resource outputs 3 | ### -------------------------------------------------------------------------------- /resources/network/subnet_network_security_group_association/outputs.tf: -------------------------------------------------------------------------------- 1 | ### 2 | # resource outputs 3 | ### -------------------------------------------------------------------------------- /resources/network/route/outputs.tf: -------------------------------------------------------------------------------- 1 | ### 2 | # resource outputs 3 | ### 4 | 5 | output "id" { 6 | value = azurerm_route.base.id 7 | } 
-------------------------------------------------------------------------------- /bin/terraform-variables-generator.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kuhlman-labs/terraform-azurerm-landing-zone/HEAD/bin/terraform-variables-generator.exe
[Reviewer note: this is a compiled Windows binary checked into bin/ next to the repo's shell scripts. It cannot be reviewed from source here, and anyone who runs it is trusting an opaque executable from the repository — a software-supply-chain trust point. Prefer committing the generator's source, or fetching a pinned release and verifying it against a published checksum, over a checked-in .exe.]
-------------------------------------------------------------------------------- /resources/cosmosdb/cosmosdb_account/outputs.tf: -------------------------------------------------------------------------------- 1 | ### 2 | # resource outputs 3 | ### 4 | 5 | output "id" { 6 | value = azurerm_cosmosdb_account.base.id 7 | } -------------------------------------------------------------------------------- /resources/authorization/role_assignment/outputs.tf: -------------------------------------------------------------------------------- 1 | ### 2 | # resource outputs 3 | ### 4 | 5 | output "id" { 6 | value = azurerm_role_assignment.base.id 7 | } -------------------------------------------------------------------------------- /resources/network/lb/outputs.tf: -------------------------------------------------------------------------------- 1 | ### 2 | # resource outputs 3 | ### 4 | 5 | output "id" { 6 | value = azurerm_lb.base.id 7 | description = "The Load Balancer ID." 
8 | } -------------------------------------------------------------------------------- /resources/container/kubernetes_cluster_node_pool/outputs.tf: -------------------------------------------------------------------------------- 1 | ### 2 | # resource outputs 3 | ### 4 | 5 | output "id" { 6 | value = azurerm_kubernetes_cluster_node_pool.base.id 7 | } -------------------------------------------------------------------------------- /resources/network/subnet_route_table_association/outputs.tf: -------------------------------------------------------------------------------- 1 | ### 2 | # resource outputs 3 | ### 4 | 5 | output "id" { 6 | value = azurerm_subnet_route_table_association.base.id 7 | } 8 | -------------------------------------------------------------------------------- /modules/logs/outputs.tf: -------------------------------------------------------------------------------- 1 | ### 2 | # module outputs 3 | ### 4 | 5 | output "log_analytics_id" { 6 | value = module.log_analytics.id 7 | description = "Log Analytics Workspace id" 8 | } -------------------------------------------------------------------------------- /resources/compute/managed_disk/outputs.tf: -------------------------------------------------------------------------------- 1 | ### 2 | # resource outputs 3 | ### 4 | 5 | output "id" { 6 | value = azurerm_managed_disk.base[*].id 7 | description = "The ID of the Managed Disk." 8 | } -------------------------------------------------------------------------------- /modules/container_registry/outputs.tf: -------------------------------------------------------------------------------- 1 | ### 2 | # module outputs 3 | ### 4 | 5 | output "container_registry_id" { 6 | value = module.container_registry.id 7 | description = "The ID of the Container Registry." 
8 | } -------------------------------------------------------------------------------- /modules/windows_jumpbox/outputs.tf: -------------------------------------------------------------------------------- 1 | ### 2 | # resource outputs 3 | ### 4 | 5 | output "virtual_machine_id" { 6 | value = module.virtual_machine.id 7 | description = "The ID of the Windows Virtual Machine." 8 | } -------------------------------------------------------------------------------- /resources/app_service/app_service_plan/outputs.tf: -------------------------------------------------------------------------------- 1 | ### 2 | # resource outputs 3 | ### 4 | 5 | output "id" { 6 | value = azurerm_app_service_plan.base.id 7 | description = "The ID of the App Service Plan." 8 | } -------------------------------------------------------------------------------- /resources/container/container_registry/outputs.tf: -------------------------------------------------------------------------------- 1 | ### 2 | # resource outputs 3 | ### 4 | 5 | output "id" { 6 | value = azurerm_container_registry.base.id 7 | description = "The ID of the Container Registry." 8 | } -------------------------------------------------------------------------------- /resources/key_vault/key_vault_access_policy/outputs.tf: -------------------------------------------------------------------------------- 1 | ### 2 | # resource outputs 3 | ### 4 | 5 | output "id" { 6 | value = azurerm_key_vault_access_policy.base.id 7 | description = "Key Vault Access Policy ID." 8 | } -------------------------------------------------------------------------------- /resources/network/lb_backend_address_pool/outputs.tf: -------------------------------------------------------------------------------- 1 | ### 2 | # resource outputs 3 | ### 4 | 5 | output "id" { 6 | value = azurerm_lb_backend_address_pool.base.id 7 | description = "The ID of the Backend Address Pool." 
}
--------------------------------------------------------------------------------
/resources/network/virtual_network_peering/outputs.tf:
--------------------------------------------------------------------------------
###
# resource outputs
###

output "id" {
  value       = azurerm_virtual_network_peering.base.id
  description = "The ID of the Virtual Network Peering."
}
--------------------------------------------------------------------------------
/modules/aks_agic/templates/aadpodidentity.yaml:
--------------------------------------------------------------------------------
# AAD Pod Identity object that exposes the AGIC user-assigned managed identity
# to pods in the cluster. The name / identity_resource_id / identity_client_id
# placeholders look like Terraform templatefile variables filled in by the
# aks_agic module (its main.tf is not in this listing — confirm there).
apiVersion: "aadpodidentity.k8s.io/v1"
kind: AzureIdentity
metadata:
  # No metadata.namespace is set, so the object lands in whatever namespace it
  # is applied to. NOTE(review): unless aad-pod-identity runs in namespaced
  # mode (--forceNamespaced), an AzureIdentity is matchable from every
  # namespace, so any pod anywhere in the cluster that carries the binding's
  # selector label can obtain tokens for this identity — consider namespaced
  # mode or an admission policy that restricts who may set that label.
  name: ${name}
spec:
  # type 0 = user-assigned managed identity (1/2 would be a service principal
  # with secret/certificate).
  type: 0
  resourceID: ${identity_resource_id}
  clientID: ${identity_client_id}
# NOTE(review): AAD Pod Identity has been deprecated by Microsoft in favour of
# Azure AD Workload Identity; plan the migration before the project stops
# receiving fixes.
--------------------------------------------------------------------------------
/resources/network/dns_zone/main.tf:
--------------------------------------------------------------------------------
###
# resource composition
###

# Public Azure DNS zone (private zones use azurerm_private_dns_zone), so every
# record placed in it is resolvable from the internet.
resource "azurerm_dns_zone" "base" {
  name                = var.domain_name
  resource_group_name = var.resource_group
  tags                = var.tags
}
--------------------------------------------------------------------------------
/resources/network/network_security_rule/outputs.tf:
--------------------------------------------------------------------------------
###
# resource outputs
###

output "id" {
  value       = azurerm_network_security_rule.base[*].id
  description = "The ID of the Network Security Rule."
}


--------------------------------------------------------------------------------
/modules/aks_agic/templates/aadpodbinding.yaml:
--------------------------------------------------------------------------------
# Binds the AzureIdentity above to pods labelled
# aadpodidbinding=application-gateway-kubernetes-ingress-azure (presumably the
# label the AGIC Helm chart puts on the ingress controller pod — see
# helm-config.yaml, not in this listing). Any pod that can carry that label
# inherits the identity, so the label is effectively a credential: restrict who
# can create pods with it.
apiVersion: "aadpodidentity.k8s.io/v1"
kind: AzureIdentityBinding
metadata:
  name: ${name}-binding
spec:
  azureIdentity: ${name}
  selector: application-gateway-kubernetes-ingress-azure
--------------------------------------------------------------------------------
/resources/network/application_gateway/outputs.tf:
--------------------------------------------------------------------------------
###
# resource outputs
###

output "id" {
  value = azurerm_application_gateway.base.id
}

output "name" {
  value = azurerm_application_gateway.base.name
}
--------------------------------------------------------------------------------
/resources/network/virtual_network_gateway/outputs.tf:
--------------------------------------------------------------------------------
###
# resource outputs
###

output "id" {
  value       = azurerm_virtual_network_gateway.base.id
  description = "The ID of the Virtual Network Gateway."
}


--------------------------------------------------------------------------------
/resources/recovery_services/recovery_services_vault/outputs.tf:
--------------------------------------------------------------------------------
###
# resource outputs
###

output "id" {
  value       = azurerm_recovery_services_vault.base.id
  description = "The ID of the Recovery Services Vault."
}


--------------------------------------------------------------------------------
/resources/compute/virtual_machine_data_disk_attachment/outputs.tf:
--------------------------------------------------------------------------------
###
# resource outputs
###

output "id" {
  value       = azurerm_virtual_machine_data_disk_attachment.base[*].id
  description = "The ID of the Virtual Machine Data Disk attachment."
}
--------------------------------------------------------------------------------
/resources/network/lb_backend_address_pool/main.tf:
--------------------------------------------------------------------------------
###
# resource composition
###

# Backend address pool attached to an existing load balancer (var.loadbalancer_id).
# NOTE(review): resource_group_name was deprecated on this resource in azurerm 2.x
# and removed in azurerm 3.0 — the provider version constraint (not in this
# listing) must stay below 3.0, or this argument has to be dropped.
resource "azurerm_lb_backend_address_pool" "base" {
  resource_group_name = var.resource_group
  loadbalancer_id     = var.loadbalancer_id
  name                = var.name
}
--------------------------------------------------------------------------------
/resources/network/subnet_route_table_association/main.tf:
--------------------------------------------------------------------------------
###
# resource composition
###

#route table association

# Binds one route table (UDR) to one subnet. A subnet can carry only one route
# table, so a second association for the same subnet conflicts with this one.
resource "azurerm_subnet_route_table_association" "base" {
  subnet_id      = var.subnet_id
  route_table_id = var.route_table_id
}
--------------------------------------------------------------------------------
/resources/authorization/role_assignment/main.tf:
--------------------------------------------------------------------------------
###
# resource composition
###

# Grants var.role_definition_name (a built-in or custom role looked up by its
# display name) to var.principal_id at var.scope. This module adds no guardrails
# of its own — scope and role are exactly what the caller passes — so callers
# should pass the narrowest scope that works (a resource or resource group
# rather than the subscription) and avoid Owner / User Access Administrator,
# which let the principal grant itself further rights.
# NOTE(review): principal_id is not type-checked here; for a freshly created
# service principal the provider's skip_service_principal_aad_check may be
# needed to avoid an AAD replication race — confirm against how callers use it.
resource "azurerm_role_assignment" "base" {
  scope                = var.scope
  role_definition_name = var.role_definition_name
  principal_id         = var.principal_id
}

--------------------------------------------------------------------------------
/templates/template_module/main.tf:
--------------------------------------------------------------------------------
###
# module composition
###

#resource group 6 | 7 | module "resource_group" { 8 | source = "../../resources/base/resource_group" 9 | service_name = "" 10 | region = var.region 11 | environment = var.environment 12 | } 13 | -------------------------------------------------------------------------------- /resources/base/resource_group/main.tf: -------------------------------------------------------------------------------- 1 | ### 2 | # resource composition 3 | ### 4 | 5 | #resource group 6 | 7 | resource "azurerm_resource_group" "base" { 8 | name = "${var.name_prefix}-${var.service_name}-${var.environment}-${var.region}" 9 | location = var.region 10 | tags = var.tags 11 | } -------------------------------------------------------------------------------- /resources/network/subnet_network_security_group_association/main.tf: -------------------------------------------------------------------------------- 1 | ### 2 | # resource composition 3 | ### 4 | 5 | resource "azurerm_subnet_network_security_group_association" "base" { 6 | subnet_id = var.subnet_id 7 | network_security_group_id = var.network_security_group_id 8 | } 9 | 10 | -------------------------------------------------------------------------------- /resources/network/dns_zone/outputs.tf: -------------------------------------------------------------------------------- 1 | ### 2 | # resource outputs 3 | ### 4 | 5 | output "id" { 6 | value = azurerm_dns_zone.base.id 7 | description = "The DNS Zone ID." 8 | } 9 | 10 | output "name" { 11 | value = azurerm_dns_zone.base.name 12 | description = "The DNS Zone Name." 13 | } 14 | 15 | -------------------------------------------------------------------------------- /resources/network/dns_a_record/outputs.tf: -------------------------------------------------------------------------------- 1 | ### 2 | # resource outputs 3 | ### 4 | 5 | output "id" { 6 | value = azurerm_dns_a_record.base.id 7 | description = "The DNS A Record ID." 
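}

output "fqdn" {
  value       = azurerm_dns_a_record.base.fqdn
  description = "The FQDN of the DNS A Record."
}

--------------------------------------------------------------------------------
/resources/network/bastion_host/outputs.tf:
--------------------------------------------------------------------------------
###
# resource outputs
###

output "id" {
  value       = azurerm_bastion_host.base.id
  description = "The ID of the Bastion Host."
}

output "dns_name" {
  value       = azurerm_bastion_host.base.dns_name
  description = "The FQDN for the Bastion Host."
}
--------------------------------------------------------------------------------
/resources/authorization/user_assigned_identity/main.tf:
--------------------------------------------------------------------------------
###
# resource composition
###

#user assigned identity

resource "azurerm_user_assigned_identity" "base" {
  resource_group_name = var.resource_group
  location            = var.region
  name                = "${var.name_prefix}-${var.environment}-${var.region}"
}
--------------------------------------------------------------------------------
/bin/terraform-validate.sh:
--------------------------------------------------------------------------------
#!/bin/sh
# Runs `terraform validate` in every directory under environments/, modules/
# and resources/ that contains a main.tf. It never touches a backend or real
# state (-backend=false), so it is safe to run from CI without credentials.
set -e

modules="environments/* modules/* resources/*"

# $(find ...) is intentionally unquoted so the result splits into one word per
# directory; the repo's paths contain no whitespace.
for dir in $(find ${modules} -type d); do
  # Test the marker file by path so directories that are skipped need no cd.
  [ -f "$dir/main.tf" ] || continue
  # Each module runs in a subshell: the working directory is restored
  # automatically, and a failing step cannot leave the loop in the wrong
  # directory. (The original `cd "$dir"` / `cd -` pairing depended on OLDPWD
  # and printed the directory name on every iteration.) With set -e a non-zero
  # exit from the subshell still aborts the whole script.
  (
    cd "$dir"
    # NOTE(review): -upgrade=true makes init ignore any .terraform.lock.hcl and
    # fetch the newest provider versions the constraints allow, so validation
    # can run against different provider builds than `terraform apply` will.
    # If the modules are committed with lock files, drop -upgrade=true (or add
    # -lockfile=readonly) so the check is pinned to the same versions.
    terraform init -input=false -upgrade=true -backend=false
    terraform validate
    echo "Validation Completed"
  )
done
--------------------------------------------------------------------------------
/resources/network/network_interface_backend_address_pool_association/outputs.tf:
--------------------------------------------------------------------------------
###
# resource outputs
###

output "id" {
  value       =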
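azurerm_network_interface_backend_address_pool_association.base[*].id
  description = "The (Terraform specific) ID of the Association between the Network Interface and the Load Balancers Backend Address Pool."
}

--------------------------------------------------------------------------------
/resources/app_service/app_service/outputs.tf:
--------------------------------------------------------------------------------
###
# resource outputs
###

# Default hostname assigned to the App Service by the platform. The previous
# description ("The Name of this Resource Group.") was a copy-paste from the
# resource_group module and did not describe this output.
output "default_site_hostname" {
  value       = azurerm_app_service.base.default_site_hostname
  description = "The default hostname of the App Service."
}

output "id" {
  value       = azurerm_app_service.base.id
  description = "The ID of the App Service."
}
--------------------------------------------------------------------------------
/resources/key_vault/key_vault/outputs.tf:
--------------------------------------------------------------------------------
###
# resource outputs
###

output "id" {
  value       = azurerm_key_vault.base.id
  description = "Key Vault resource id"
}

# The vault URI is an endpoint, not a secret; access to keys and secrets behind
# it is still governed by the vault's access policies / RBAC and network rules.
output "vault_uri" {
  value       = azurerm_key_vault.base.vault_uri
  description = "The URI of the Key Vault, used for performing operations on keys and secrets."
}
--------------------------------------------------------------------------------
/resources/network/network_security_group/outputs.tf:
--------------------------------------------------------------------------------
###
# resource outputs
###

output "id" {
  value       = azurerm_network_security_group.base.id
  description = "The ID of the Network Security Group."
}

output "name" {
  value       = azurerm_network_security_group.base.name
  description = "The Name of the Network Security Group."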
13 | } -------------------------------------------------------------------------------- /resources/compute/linux_virtual_machine/outputs.tf: -------------------------------------------------------------------------------- 1 | ### 2 | # resource outputs 3 | ### 4 | 5 | output "id" { 6 | value = azurerm_linux_virtual_machine.base[*].id 7 | description = "The ID of the Linux Virtual Machine." 8 | } 9 | 10 | output "name" { 11 | value = azurerm_linux_virtual_machine.base[*].name 12 | description = "The Name of the Linux Virtual Machine." 13 | } 14 | -------------------------------------------------------------------------------- /resources/network/network_security_group/main.tf: -------------------------------------------------------------------------------- 1 | ### 2 | # resource composition 3 | ### 4 | 5 | #network security group 6 | 7 | resource "azurerm_network_security_group" "base" { 8 | name = "${var.name_prefix}-${var.policy_name}-${var.environment}" 9 | location = var.region 10 | resource_group_name = var.resource_group 11 | tags = var.tags 12 | } -------------------------------------------------------------------------------- /resources/network/firewall/outputs.tf: -------------------------------------------------------------------------------- 1 | ### 2 | # resource outputs 3 | ### 4 | 5 | output "id" { 6 | value = azurerm_firewall.base.id 7 | description = "The Resource ID of the Azure Firewall." 8 | } 9 | 10 | output "private_ip_address" { 11 | value = azurerm_firewall.base.ip_configuration.0.private_ip_address 12 | description = "The private IP address of the Azure Firewall." 
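}
--------------------------------------------------------------------------------
/resources/compute/windows_virtual_machine/outputs.tf:
--------------------------------------------------------------------------------
###
# resource outputs
###

output "id" {
  value       = azurerm_windows_virtual_machine.base[*].id
  description = "The ID of the Windows Virtual Machine."
}

output "name" {
  value       = azurerm_windows_virtual_machine.base[*].name
  description = "The Name of the Windows Virtual Machine."
}

--------------------------------------------------------------------------------
/bin/update-README.sh:
--------------------------------------------------------------------------------
#!/bin/sh
# Regenerates README.md for every Terraform module under environments/,
# modules/ and resources/ with terraform-docs (markdown output). Directories
# without a main.tf are reported and skipped.
set -e

modules="environments/* modules/* resources/*"

# $(find ...) is left unquoted on purpose so it splits into one word per
# directory; the repo's paths contain no whitespace.
for dir in $(find ${modules} -type d); do
  # Test the marker file by path instead of cd-ing in and back out with `cd -`
  # (which depended on OLDPWD and echoed the directory on every iteration).
  if [ -f "$dir/main.tf" ]; then
    echo "$dir"
    # Empty stdin keeps terraform-docs non-interactive. README.md is overwritten
    # in place, so hand-written edits there are lost on the next run.
    echo | terraform-docs md "$dir" > "$dir/README.md"
  else
    echo "skipping $dir, because it does not contain a terraform module"
  fi
done
--------------------------------------------------------------------------------
/resources/network/network_interface/outputs.tf:
--------------------------------------------------------------------------------
###
# resource outputs
###

output "id" {
  value       = azurerm_network_interface.base[*].id
  description = "The ID of the Network Interface."
}

output "ip_configuration_name" {
  value       = azurerm_network_interface.base[*].ip_configuration[0].name
  description = "The name used for this IP Configuration."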
13 | } -------------------------------------------------------------------------------- /resources/storage/storage_account/outputs.tf: -------------------------------------------------------------------------------- 1 | ### 2 | # resource outputs 3 | ### 4 | 5 | output "id" { 6 | value = azurerm_storage_account.base.id 7 | description = "The storage account Resource ID." 8 | } 9 | 10 | output "primary_blob_endpoint" { 11 | value = azurerm_storage_account.base.primary_blob_endpoint 12 | description = "The endpoint URL for blob storage in the primary location." 13 | } -------------------------------------------------------------------------------- /resources/network/subnet_network_security_group_association/variables.tf: -------------------------------------------------------------------------------- 1 | ### 2 | # resource variables 3 | ### 4 | 5 | #nsg-assocation 6 | 7 | variable "subnet_id" { 8 | description = "Subnet the NSG will apply to" 9 | type = string 10 | } 11 | 12 | variable "network_security_group_id" { 13 | description = "Subnet names the NSG will apply to. 
Used for count"
  type        = string
}

--------------------------------------------------------------------------------
/environments/dev/terraform.tfvars:
--------------------------------------------------------------------------------
###
# environment variables
###

#common

environment = "dev"
region      = "eastus"

#virtual_network

# Spoke address space for dev; the subnet prefixes below are carved from it.
# If this spoke is peered to the hub, the range must not overlap the hub's
# (shared-services uses 10.0.0.0/16 in its tfvars).
address_space = ["10.1.0.0/16"]

#subnet

address_prefix_k8s_master = ["10.1.3.0/24"]
address_prefix_k8s_node   = ["10.1.4.0/24"]



#tags

tags = {
  terraform_managed = true
}
--------------------------------------------------------------------------------
/resources/network/dns_a_record/main.tf:
--------------------------------------------------------------------------------
###
# resource composition
###

# A record in an Azure DNS zone: either a literal address list (var.records)
# or an alias to an Azure resource (var.target_resource_id).
# NOTE(review): the azurerm provider documents `records` and
# `target_resource_id` as conflicting with each other, so callers must not set
# both — check the defaults in this module's variables.tf (not in this listing)
# leave the unused one null, or the plan fails validation.
resource "azurerm_dns_a_record" "base" {
  name                = var.a_record_name
  resource_group_name = var.resource_group
  zone_name           = var.zone_name
  ttl                 = var.ttl
  records             = var.records
  target_resource_id  = var.target_resource_id
  tags                = var.tags
}
--------------------------------------------------------------------------------
/.devcontainer/library-scripts/README.md:
--------------------------------------------------------------------------------
# Warning: Folder contents may be replaced

The contents of this folder will be automatically replaced with a file of the same name in the repository's [script-library folder](https://github.com/microsoft/vscode-dev-containers/tree/master/script-library) whenever the repository is packaged.

To retain your edits, move the file to a different location. You may also delete the files if they are not needed. 
6 | -------------------------------------------------------------------------------- /resources/network/virtual_network/main.tf: -------------------------------------------------------------------------------- 1 | ### 2 | # resource composition 3 | ### 4 | 5 | #vnet 6 | 7 | resource "azurerm_virtual_network" "base" { 8 | name = "${var.name_prefix}-${var.environment}-${var.region}" 9 | resource_group_name = var.resource_group 10 | address_space = var.address_space 11 | location = var.region 12 | dns_servers = var.dns_servers 13 | 14 | tags = var.tags 15 | 16 | } 17 | 18 | -------------------------------------------------------------------------------- /resources/authorization/user_assigned_identity/outputs.tf: -------------------------------------------------------------------------------- 1 | ### 2 | # resource outputs 3 | ### 4 | 5 | output "id" { 6 | value = azurerm_user_assigned_identity.base.id 7 | } 8 | 9 | output "principal_id" { 10 | value = azurerm_user_assigned_identity.base.principal_id 11 | } 12 | 13 | output "client_id" { 14 | value = azurerm_user_assigned_identity.base.client_id 15 | } 16 | 17 | output "name" { 18 | value = azurerm_user_assigned_identity.base.name 19 | } 20 | -------------------------------------------------------------------------------- /resources/network/route_table/main.tf: -------------------------------------------------------------------------------- 1 | ### 2 | # resource composition 3 | ### 4 | 5 | #route table 6 | 7 | resource "azurerm_route_table" "base" { 8 | name = "${var.name_prefix}-${var.environment}-${var.region}" 9 | location = var.region 10 | resource_group_name = var.resource_group 11 | disable_bgp_route_propagation = var.disable_bgp_route_propagation 12 | tags = var.tags 13 | } -------------------------------------------------------------------------------- /environments/shared-services/terraform.tfvars: -------------------------------------------------------------------------------- 1 | ### 2 | # environment 
variables 3 | ### 4 | 5 | #common 6 | 7 | environment = "shared-services" 8 | region = "eastus" 9 | 10 | #virtual_network 11 | 12 | address_space = ["10.0.0.0/16"] 13 | 14 | #subnets 15 | 16 | address_prefix_agw = ["10.0.10.0/27"] 17 | address_prefix_fw = ["10.0.11.0/26"] 18 | address_prefix_bastion = ["10.0.14.0/24"] 19 | 20 | 21 | #tags 22 | 23 | tags = { 24 | terraform_managed = true 25 | } -------------------------------------------------------------------------------- /modules/network_spoke/outputs.tf: -------------------------------------------------------------------------------- 1 | ### 2 | # module outputs 3 | ### 4 | 5 | output "virtual_network_name" { 6 | value = module.virtual_network.name 7 | description = "resource name of virtual network" 8 | } 9 | 10 | output "virtual_network_id" { 11 | value = module.virtual_network.id 12 | description = "resource id of virtual network" 13 | } 14 | 15 | output "virtual_network_resource_group_name" { 16 | value = module.virtual_network.resource_group_name 17 | } -------------------------------------------------------------------------------- /resources/network/route/main.tf: -------------------------------------------------------------------------------- 1 | ### 2 | # resource composition 3 | ### 4 | 5 | #route table 6 | 7 | resource "azurerm_route" "base" { 8 | name = "${var.route_name}-${var.environment}-${var.region}" 9 | resource_group_name = var.resource_group 10 | route_table_name = var.route_table_name 11 | address_prefix = var.address_prefix 12 | next_hop_type = var.next_hop_type 13 | next_hop_in_ip_address = var.next_hop_in_ip_address 14 | } -------------------------------------------------------------------------------- /resources/base/resource_group/outputs.tf: -------------------------------------------------------------------------------- 1 | ### 2 | # resource outputs 3 | ### 4 | 5 | output "name" { 6 | value = azurerm_resource_group.base.name 7 | description = "The Name of this Resource Group." 
8 | } 9 | 10 | output "id" { 11 | value = azurerm_resource_group.base.id 12 | description = "The ID of the Resource Group." 13 | } 14 | 15 | output "location" { 16 | value = azurerm_resource_group.base.location 17 | description = "The location of the Resource Group." 18 | } -------------------------------------------------------------------------------- /resources/network/route_table/outputs.tf: -------------------------------------------------------------------------------- 1 | ### 2 | # resource outputs 3 | ### 4 | 5 | output "id" { 6 | description = "The Route Table ID." 7 | value = azurerm_route_table.base.id 8 | } 9 | 10 | output "name" { 11 | description = "The Route Table Name." 12 | value = azurerm_route_table.base.name 13 | } 14 | 15 | output "subnets" { 16 | description = "The collection of Subnets associated with this route table." 17 | value = azurerm_route_table.base.subnets 18 | } 19 | -------------------------------------------------------------------------------- /environments/prod/terraform.tfvars: -------------------------------------------------------------------------------- 1 | ### 2 | # environment variables 3 | ### 4 | 5 | #common 6 | 7 | environment = "prod" 8 | region = "eastus" 9 | 10 | #virtual_network 11 | 12 | address_space = ["10.2.0.0/16"] 13 | 14 | #subnet 15 | 16 | address_prefix_aks = ["10.2.1.0/24"] 17 | 18 | #aks 19 | 20 | service_cidr = "10.2.3.0/24" 21 | dns_service_ip = "10.2.3.10" 22 | docker_bridge_cidr = "172.18.0.1/16" 23 | 24 | 25 | #tags 26 | 27 | tags = { 28 | terraform_managed = true 29 | } -------------------------------------------------------------------------------- /resources/recovery_services/recovery_services_vault/main.tf: -------------------------------------------------------------------------------- 1 | ### 2 | # resource composition 3 | ### 4 | 5 | #recovery services vault 6 | 7 | resource "azurerm_recovery_services_vault" "base" { 8 | name = "${var.name_prefix}-${var.environment}-${var.region}" 9 | 
location = var.region 10 | resource_group_name = var.resource_group 11 | sku = var.sku 12 | soft_delete_enabled = var.soft_delete_enabled 13 | tags = var.tags 14 | } 15 | 16 | -------------------------------------------------------------------------------- /environments/test/providers.tf: -------------------------------------------------------------------------------- 1 | ### 2 | # environment providers 3 | ### 4 | 5 | terraform { 6 | required_version = ">= 0.14" 7 | required_providers { 8 | azurerm = { 9 | source = "hashicorp/azurerm" 10 | version = ">=2.46.0" 11 | } 12 | } 13 | } 14 | 15 | provider "azurerm" { 16 | features {} 17 | subscription_id = "0fd6b65c-0ee2-4bb4-957d-1b92fff9d1b4" 18 | client_id = var.client_id 19 | client_secret = var.client_secret 20 | tenant_id = var.tenant_id 21 | } -------------------------------------------------------------------------------- /resources/network/subnet_route_table_association/variables.tf: -------------------------------------------------------------------------------- 1 | ### 2 | # resource variables 3 | ### 4 | 5 | #route table association 6 | 7 | variable "subnet_id" { 8 | description = "The ID of the Subnet. Changing this forces a new resource to be created." 9 | type = string 10 | } 11 | 12 | variable "route_table_id" { 13 | description = "The ID of the Route Table which should be associated with the Subnet. Changing this forces a new resource to be created." 
14 | type = string 15 | } 16 | 17 | -------------------------------------------------------------------------------- /resources/network/network_interface_backend_address_pool_association/main.tf: -------------------------------------------------------------------------------- 1 | ### 2 | # resource composition 3 | ### 4 | 5 | #network interface backend address pool association 6 | 7 | resource "azurerm_network_interface_backend_address_pool_association" "base" { 8 | count = length(var.network_interface_id) 9 | 10 | network_interface_id = element(var.network_interface_id, count.index) 11 | ip_configuration_name = element(var.ip_configuration_name, count.index) 12 | backend_address_pool_id = var.backend_address_pool_id 13 | } -------------------------------------------------------------------------------- /modules/logs/variables.tf: -------------------------------------------------------------------------------- 1 | ### 2 | # module variables 3 | ### 4 | 5 | #common 6 | 7 | variable "region" { 8 | description = "Geographic Region resource will be deployed into" 9 | type = string 10 | } 11 | 12 | variable "environment" { 13 | description = "Development environment for resource; prod, non-prod, shared-services" 14 | type = string 15 | } 16 | 17 | #tags 18 | 19 | variable "tags" { 20 | description = "A map of tags to add to all resources" 21 | type = map(any) 22 | default = {} 23 | } 24 | -------------------------------------------------------------------------------- /modules/network_isolated/outputs.tf: -------------------------------------------------------------------------------- 1 | ### 2 | # module outputs 3 | ### 4 | 5 | output "virtual_network_name" { 6 | value = module.virtual_network.name 7 | description = "resource name of virtual network" 8 | } 9 | 10 | output "virtual_network_id" { 11 | value = module.virtual_network.id 12 | description = "resource id of virtual network" 13 | } 14 | 15 | output "virtual_network_resource_group_name" { 16 | value = 
module.virtual_network.resource_group_name 17 | description = "resource group name of virtual network" 18 | } -------------------------------------------------------------------------------- /modules/tt_backend/variables.tf: -------------------------------------------------------------------------------- 1 | ### 2 | # module variables 3 | ### 4 | 5 | #common 6 | 7 | variable "region" { 8 | description = "Geographic Region resource will be deployed into" 9 | type = string 10 | } 11 | 12 | variable "environment" { 13 | description = "Development environment for resource; prod, non-prod, shared-services" 14 | type = string 15 | } 16 | 17 | #tags 18 | 19 | variable "tags" { 20 | description = "A map of tags to add to all resources" 21 | type = map(any) 22 | default = {} 23 | } 24 | -------------------------------------------------------------------------------- /templates/template_environment/variables.tf: -------------------------------------------------------------------------------- 1 | ### 2 | # environment variables 3 | ### 4 | 5 | #common 6 | 7 | variable "region" { 8 | description = "Geographic Region resource will be deployed into" 9 | type = string 10 | } 11 | 12 | variable "environment" { 13 | description = "Development environment for resource; prod, non-prod, shared-services" 14 | type = string 15 | } 16 | 17 | variable "tags" { 18 | description = "A map of tags to add to all resources" 19 | type = map(any) 20 | default = {} 21 | } 22 | -------------------------------------------------------------------------------- /templates/template_module/variables.tf: -------------------------------------------------------------------------------- 1 | ### 2 | # module variables 3 | ### 4 | 5 | #common 6 | 7 | variable "region" { 8 | description = "Geographic Region resource will be deployed into" 9 | type = string 10 | } 11 | 12 | variable "environment" { 13 | description = "Development environment for resource; prod, non-prod, shared-services" 14 | type = string 15 | 
} 16 | 17 | #tags 18 | 19 | variable "tags" { 20 | description = "A map of tags to add to all resources" 21 | type = map(any) 22 | default = {} 23 | } 24 | -------------------------------------------------------------------------------- /resources/network/dns_zone/variables.tf: -------------------------------------------------------------------------------- 1 | ### 2 | # resource variables 3 | ### 4 | 5 | #common 6 | 7 | variable "resource_group" { 8 | description = "The name of the target resource group" 9 | type = string 10 | } 11 | 12 | #dns 13 | 14 | variable "domain_name" { 15 | description = "(Required) The name of the DNS Zone. Must be a valid domain name." 16 | type = string 17 | } 18 | 19 | #tags 20 | 21 | variable "tags" { 22 | description = "A map of tags to add to all resources" 23 | type = map(any) 24 | default = {} 25 | } -------------------------------------------------------------------------------- /modules/bastion/README.md: -------------------------------------------------------------------------------- 1 | ## Requirements 2 | 3 | No requirements. 4 | 5 | ## Providers 6 | 7 | No provider. 8 | 9 | ## Inputs 10 | 11 | | Name | Description | Type | Default | Required | 12 | |------|-------------|------|---------|:--------:| 13 | | environment | Development environment for resource; prod, non-prod, shared-services | `string` | n/a | yes | 14 | | region | Geographic Region resource will be deployed into | `string` | n/a | yes | 15 | | tags | A map of tags to add to all resources | `map` | `{}` | no | 16 | 17 | ## Outputs 18 | 19 | No output. 20 | 21 | -------------------------------------------------------------------------------- /modules/logs/README.md: -------------------------------------------------------------------------------- 1 | ## Requirements 2 | 3 | No requirements. 4 | 5 | ## Providers 6 | 7 | No provider. 
8 | 9 | ## Inputs 10 | 11 | | Name | Description | Type | Default | Required | 12 | |------|-------------|------|---------|:--------:| 13 | | environment | Development environment for resource; prod, non-prod, shared-services | `string` | n/a | yes | 14 | | region | Geographic Region resource will be deployed into | `string` | n/a | yes | 15 | | tags | A map of tags to add to all resources | `map` | `{}` | no | 16 | 17 | ## Outputs 18 | 19 | No output. 20 | 21 | -------------------------------------------------------------------------------- /modules/k8s_cluster/README.md: -------------------------------------------------------------------------------- 1 | ## Requirements 2 | 3 | No requirements. 4 | 5 | ## Providers 6 | 7 | No provider. 8 | 9 | ## Inputs 10 | 11 | | Name | Description | Type | Default | Required | 12 | |------|-------------|------|---------|:--------:| 13 | | environment | Development environment for resource; prod, non-prod, shared-services | `string` | n/a | yes | 14 | | region | Geographic Region resource will be deployed into | `string` | n/a | yes | 15 | | tags | A map of tags to add to all resources | `map` | `{}` | no | 16 | 17 | ## Outputs 18 | 19 | No output. 20 | 21 | -------------------------------------------------------------------------------- /modules/tt_backend/README.md: -------------------------------------------------------------------------------- 1 | ## Requirements 2 | 3 | No requirements. 4 | 5 | ## Providers 6 | 7 | No provider. 8 | 9 | ## Inputs 10 | 11 | | Name | Description | Type | Default | Required | 12 | |------|-------------|------|---------|:--------:| 13 | | environment | Development environment for resource; prod, non-prod, shared-services | `string` | n/a | yes | 14 | | region | Geographic Region resource will be deployed into | `string` | n/a | yes | 15 | | tags | A map of tags to add to all resources | `map` | `{}` | no | 16 | 17 | ## Outputs 18 | 19 | No output. 
20 | 21 | -------------------------------------------------------------------------------- /resources/network/subnet_network_security_group_association/README.md: -------------------------------------------------------------------------------- 1 | ## Requirements 2 | 3 | No requirements. 4 | 5 | ## Providers 6 | 7 | | Name | Version | 8 | |------|---------| 9 | | azurerm | n/a | 10 | 11 | ## Inputs 12 | 13 | | Name | Description | Type | Default | Required | 14 | |------|-------------|------|---------|:--------:| 15 | | network\_security\_group\_id | Subnet names the NSG will apply to. Used for count | `string` | n/a | yes | 16 | | subnet\_id | Subnet the NSG will apply to | `string` | n/a | yes | 17 | 18 | ## Outputs 19 | 20 | No output. 21 | 22 | -------------------------------------------------------------------------------- /resources/compute/virtual_machine_data_disk_attachment/main.tf: -------------------------------------------------------------------------------- 1 | ### 2 | # resource composition 3 | ### 4 | 5 | resource "azurerm_virtual_machine_data_disk_attachment" "base" { 6 | count = length(var.managed_disk_id) 7 | 8 | managed_disk_id = element(var.managed_disk_id, count.index) 9 | virtual_machine_id = element(var.virtual_machine_id, count.index) 10 | lun = var.lun 11 | caching = var.caching 12 | create_option = var.create_option 13 | write_accelerator_enabled = var.write_accelerator_enabled 14 | } -------------------------------------------------------------------------------- /templates/template_module/README.md: -------------------------------------------------------------------------------- 1 | ## Requirements 2 | 3 | No requirements. 4 | 5 | ## Providers 6 | 7 | No provider. 
8 | 9 | ## Inputs 10 | 11 | | Name | Description | Type | Default | Required | 12 | |------|-------------|------|---------|:--------:| 13 | | environment | Development environment for resource; prod, non-prod, shared-services | `string` | n/a | yes | 14 | | region | Geographic Region resource will be deployed into | `string` | n/a | yes | 15 | | tags | A map of tags to add to all resources | `map` | `{}` | no | 16 | 17 | ## Outputs 18 | 19 | No output. 20 | 21 | -------------------------------------------------------------------------------- /bin/cert-gen-p2s.ps1: -------------------------------------------------------------------------------- 1 | $cert = New-SelfSignedCertificate -Type Custom -KeySpec Signature ` 2 | -Subject "CN=AzureP2SRoot" -KeyExportPolicy Exportable ` 3 | -HashAlgorithm sha256 -KeyLength 2048 ` 4 | -CertStoreLocation "Cert:\CurrentUser\My" -KeyUsageProperty Sign -KeyUsage CertSign 5 | 6 | New-SelfSignedCertificate -Type Custom -DnsName P2SChildCert -KeySpec Signature ` 7 | -Subject "CN=AzureP2SChild" -KeyExportPolicy Exportable ` 8 | -HashAlgorithm sha256 -KeyLength 2048 ` 9 | -CertStoreLocation "Cert:\CurrentUser\My" ` 10 | -Signer $cert -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2") -------------------------------------------------------------------------------- /templates/template_environment/README.md: -------------------------------------------------------------------------------- 1 | ## Requirements 2 | 3 | No requirements. 4 | 5 | ## Providers 6 | 7 | No provider. 8 | 9 | ## Inputs 10 | 11 | | Name | Description | Type | Default | Required | 12 | |------|-------------|------|---------|:--------:| 13 | | environment | Development environment for resource; prod, non-prod, shared-services | `string` | n/a | yes | 14 | | region | Geographic Region resource will be deployed into | `string` | n/a | yes | 15 | | tags | A map of tags to add to all resources | `map` | `{}` | no | 16 | 17 | ## Outputs 18 | 19 | No output. 
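
--------------------------------------------------------------------------------
/resources/network/lb_backend_address_pool/variables.tf:
--------------------------------------------------------------------------------
###
# resource variables
###

#common

variable "resource_group" {
  description = "The name of the target resource group"
  type        = string
}

#lb backend address pool

variable "name" {
  description = "(Required) Specifies the name of the Backend Address Pool."
  type        = string
}

variable "loadbalancer_id" {
  description = "(Required) The ID of the Load Balancer in which to create the Backend Address Pool."
  type        = string
}
--------------------------------------------------------------------------------
/resources/log_analytics/log_analytics/outputs.tf:
--------------------------------------------------------------------------------
###
# resource outputs
###

output "id" {
  value       = azurerm_log_analytics_workspace.base.id
  description = "Log Analytics Workspace id"
}

output "primary_shared_key" {
  value       = azurerm_log_analytics_workspace.base.primary_shared_key
  description = "Primary shared key for the Log Analytics Workspace"
  # The shared key is an authentication secret for the workspace, so it must
  # not be printed in plan/apply output or CI logs; `sensitive = true` redacts
  # it there (newer Terraform releases also refuse to plan when a
  # provider-sensitive attribute reaches a non-sensitive output). It is still
  # stored in plaintext in the state file, so the remote state backend needs
  # its own access controls.
  sensitive   = true
}

output "workspace_id" {
  value       = azurerm_log_analytics_workspace.base.workspace_id
  description = "Workspace (or Customer) ID for the Log Analytics Workspace"
}

--------------------------------------------------------------------------------
/resources/log_analytics/log_analytics/main.tf:
--------------------------------------------------------------------------------
###
# resource composition
###

#random string

# Suffix appended to the workspace name below to keep it globally unique.
resource "random_string" "base" {
  length  = 6
  special = false
}

#log analytics workspace

resource "azurerm_log_analytics_workspace" "base" {
  name =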
lower("${var.name_prefix}${random_string.base.result}-${var.environment}-${var.region}") 16 | location = var.region 17 | resource_group_name = var.resource_group 18 | sku = var.sku 19 | retention_in_days = var.retention_in_days 20 | tags = var.tags 21 | } 22 | 23 | -------------------------------------------------------------------------------- /modules/network_hub/outputs.tf: -------------------------------------------------------------------------------- 1 | ### 2 | # module outputs 3 | ### 4 | 5 | output "virtual_network_name" { 6 | value = module.virtual_network.name 7 | description = "resource name of vnet hub" 8 | } 9 | 10 | output "virtual_network_id" { 11 | value = module.virtual_network.id 12 | description = "resource id of vnet hub" 13 | } 14 | 15 | output "virtual_network_resource_group_name" { 16 | value = module.virtual_network.resource_group_name 17 | } 18 | 19 | output "firewall_private_ip_address" { 20 | value = module.firewall.private_ip_address 21 | description = "The private IP address of the Azure Firewall." 
22 | } -------------------------------------------------------------------------------- /resources/key_vault/key_vault_access_policy/main.tf: -------------------------------------------------------------------------------- 1 | ### 2 | # resource composition 3 | ### 4 | 5 | data "azurerm_client_config" "current" { 6 | } 7 | 8 | #key vault access policy 9 | 10 | resource "azurerm_key_vault_access_policy" "base" { 11 | key_vault_id = var.key_vault_id 12 | tenant_id = data.azurerm_client_config.current.tenant_id 13 | object_id = var.object_id 14 | application_id = var.application_id 15 | certificate_permissions = var.certificate_permissions 16 | key_permissions = var.key_permissions 17 | secret_permissions = var.secret_permissions 18 | } 19 | -------------------------------------------------------------------------------- /environments/test/terraform.tfvars: -------------------------------------------------------------------------------- 1 | ### 2 | # environment values 3 | ### 4 | 5 | #common 6 | 7 | environment = "test" 8 | region = "eastus" 9 | 10 | #virtual_network 11 | 12 | address_space = ["10.100.0.0/16"] 13 | 14 | #subnet 15 | 16 | address_prefix_aks = ["10.100.1.0/24"] 17 | address_prefix_agw = ["10.100.10.0/27"] 18 | address_prefix_fw = ["10.100.11.0/26"] 19 | address_prefix_bastion = ["10.100.14.0/24"] 20 | 21 | #aks 22 | 23 | service_cidr = "10.100.3.0/24" 24 | dns_service_ip = "10.100.3.10" 25 | docker_bridge_cidr = "172.18.0.1/16" 26 | 27 | #tags 28 | 29 | tags = { 30 | terraform_managed = true 31 | } -------------------------------------------------------------------------------- /resources/key_vault/key_vault_certificate/outputs.tf: -------------------------------------------------------------------------------- 1 | ### 2 | # resource outputs 3 | ### 4 | 5 | output "id" { 6 | value = azurerm_key_vault_certificate.base.id 7 | description = "The Key Vault Certificate ID." 
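}

output "certificate_data" {
  value       = azurerm_key_vault_certificate.base.certificate_data
  description = "The raw Key Vault Certificate data represented as a hexadecimal string."
}

output "thumbprint" {
  value       = azurerm_key_vault_certificate.base.thumbprint
  description = "The X509 Thumbprint of the Key Vault Certificate represented as a hexadecimal string."
}

--------------------------------------------------------------------------------
/Dockerfile:
--------------------------------------------------------------------------------
# Tooling image: Terraform, the Azure CLI and kubectl (via `az aks install-cli`).
# NOTE(review): `ubuntu:latest` is a moving target; pin a tag or digest so the
# image builds reproducibly.
FROM ubuntu:latest

# NOTE(review): the environments' providers.tf files declare
# `required_version = ">= 0.14"`, so an image built with this default cannot
# `terraform init` them. Override with `--build-arg TERRAFORM_VERSION=...` or
# raise the default.
ARG TERRAFORM_VERSION=0.12.26
ENV TERRAFORM_VERSION=${TERRAFORM_VERSION}

# ca-certificates is installed explicitly so TLS verification works for the
# downloads. The previous `wget --no-check-certificate` disabled certificate
# validation, which would let anyone on the network path substitute the
# terraform binary; the release zip is now also verified against HashiCorp's
# published SHA256SUMS file, so a tampered or truncated download fails the build.
# NOTE(review): `curl ... | bash` executes whatever the aka.ms endpoint serves at
# build time; installing azure-cli from Microsoft's signed apt repository with a
# pinned version is the auditable alternative.
RUN apt-get update && \
    apt-get install -y ca-certificates unzip curl wget bash git && \
    rm -rf /var/lib/apt/lists/* && \
    wget https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_linux_amd64.zip && \
    wget https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_SHA256SUMS && \
    sha256sum --check --ignore-missing terraform_${TERRAFORM_VERSION}_SHA256SUMS && \
    unzip ./terraform_${TERRAFORM_VERSION}_linux_amd64.zip && \
    mv terraform /usr/local/bin && \
    rm ./terraform_${TERRAFORM_VERSION}_linux_amd64.zip ./terraform_${TERRAFORM_VERSION}_SHA256SUMS && \
    curl -sL https://aka.ms/InstallAzureCLIDeb | bash && \
    az aks install-cli && \
    apt-get remove -y unzip curl wget

--------------------------------------------------------------------------------
/modules/network_isolated/main.tf:
--------------------------------------------------------------------------------
###
# module composition
###

#resource group

module "resource_group" {
  source       = "../../resources/base/resource_group"
  service_name = "network-isolated"
  region       = var.region
  environment  = var.environment
  tags         = var.tags
}

#vnet

module "virtual_network" {
  source         = "../../resources/network/virtual_network"
  resource_group = module.resource_group.name
  region         = module.resource_group.location
  environment    = var.environment
  name_prefix    = "vnet-isolated"
  address_space =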
var.address_space 24 | tags = var.tags 25 | } -------------------------------------------------------------------------------- /resources/authorization/user_assigned_identity/variables.tf: -------------------------------------------------------------------------------- 1 | ### 2 | # resource variables 3 | ### 4 | 5 | #common 6 | 7 | variable "resource_group" { 8 | description = "The name of the target resource group" 9 | type = string 10 | } 11 | 12 | variable "name_prefix" { 13 | description = "A short pre-defined text to identify the resource type" 14 | type = string 15 | default = "umi" 16 | } 17 | 18 | variable "environment" { 19 | description = "Development environment for resource; prod, non-prod, shared-services" 20 | type = string 21 | } 22 | 23 | variable "region" { 24 | description = "Geographic Region resource will be deployed into" 25 | type = string 26 | } 27 | -------------------------------------------------------------------------------- /modules/network_isolated/variables.tf: -------------------------------------------------------------------------------- 1 | ### 2 | # module variables 3 | ### 4 | 5 | #common 6 | 7 | variable "region" { 8 | description = "Geographic Region resource will be deployed into" 9 | type = string 10 | } 11 | 12 | variable "environment" { 13 | description = "Development environment for resource; prod, non-prod, shared-services" 14 | type = string 15 | } 16 | 17 | #vnet 18 | 19 | variable "address_space" { 20 | description = "This is a list of the ip address ranges for the vnet" 21 | type = list(any) 22 | } 23 | 24 | #tags 25 | 26 | variable "tags" { 27 | description = "A map of tags to add to all resources" 28 | type = map(any) 29 | default = {} 30 | } 31 | -------------------------------------------------------------------------------- /modules/container_registry/main.tf: -------------------------------------------------------------------------------- 1 | ### 2 | # module composition 3 | ### 4 | 5 | #resource group 6 | 7 | 
module "resource_group" {
  source       = "../../resources/base/resource_group"
  service_name = "container-registry"
  region       = var.region
  environment  = var.environment
  tags         = var.tags
}

#container registry

module "container_registry" {
  source         = "../../resources/container/container_registry"
  resource_group = module.resource_group.name
  region         = module.resource_group.location
  environment    = var.environment
  # NOTE(review): admin_enabled = true switches on the registry's built-in
  # admin user, a single shared username/password that is not tied to any
  # identity and so cannot be attributed in audit logs. Prefer false and grant
  # AcrPull/AcrPush through Azure RBAC to managed identities, or expose this as
  # a module variable that defaults to false so opting in is explicit.
  admin_enabled  = true
  sku            = var.sku
  tags           = var.tags
}
-------------------------------------------------------------------------------- /resources/network/subnet_route_table_association/README.md: --------------------------------------------------------------------------------
## Requirements

No requirements.

## Providers

| Name | Version |
|------|---------|
| azurerm | n/a |

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| route\_table\_id | The ID of the Route Table which should be associated with the Subnet. Changing this forces a new resource to be created. | `string` | n/a | yes |
| subnet\_id | The ID of the Subnet. Changing this forces a new resource to be created. 
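| `string` | n/a | yes |

## Outputs

| Name | Description |
|------|-------------|
| id | n/a |

-------------------------------------------------------------------------------- /environments/prod/providers.tf: --------------------------------------------------------------------------------
###
# environment providers
###

terraform {
  required_version = ">= 0.14"

  # Remote state for the prod environment. State holds every attribute the
  # provider returns, secrets included, so access to this storage account is
  # effectively access to the environment; lock it down accordingly.
  backend "azurerm" {
    resource_group_name  = "rg-terraform-state"
    storage_account_name = "sttfstate000eus"
    container_name       = "tfstate"
    key                  = "prod.tfstate"
  }

  required_providers {
    azurerm = {
      source = "hashicorp/azurerm"
      # Pessimistic constraint: accepts 2.46 and later 2.x releases but not a
      # new major version. The previous ">=2.46.0" had no upper bound, so a
      # fresh init could silently pull a breaking major release.
      version = "~> 2.46"
    }
  }
}

# Service-principal credentials are injected through variables. Supply them
# from the environment (TF_VAR_*/ARM_* or a pipeline secret store), never from
# a committed tfvars file, and declare client_secret as sensitive in the
# environment's variables.tf (not shown here). The subscription id is not a
# secret, but hard-coding it makes this file differ per environment; a
# variable or partial backend config would keep the files identical.
provider "azurerm" {
  features {}
  subscription_id = "f43de08a-5e35-4ea9-8ca1-11fc231ace6a"
  client_id       = var.client_id
  client_secret   = var.client_secret
  tenant_id       = var.tenant_id
}
-------------------------------------------------------------------------------- /resources/network/virtual_network_peering/main.tf: --------------------------------------------------------------------------------
###
# resource composition
###

#virtual network peering

# One direction of a VNet peering; the caller is expected to instantiate this
# twice (once per side) for a bidirectional link. The allow_*/use_* flags are
# passed straight through from variables: forwarded-traffic and gateway-transit
# widen what the remote network may send, so callers should set them
# deliberately rather than defaulting them open.
resource "azurerm_virtual_network_peering" "base" {
  name                         = "${var.virtual_network_name}-to-${var.remote_virtual_network_name}"
  resource_group_name          = var.resource_group_name
  virtual_network_name         = var.virtual_network_name
  remote_virtual_network_id    = var.remote_virtual_network_id
  allow_virtual_network_access = var.allow_virtual_network_access
  allow_forwarded_traffic      = var.allow_forwarded_traffic
  allow_gateway_transit        = var.allow_gateway_transit
  use_remote_gateways          = var.use_remote_gateways
}
-------------------------------------------------------------------------------- /resources/network/virtual_network/outputs.tf: --------------------------------------------------------------------------------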
### 2 | # resource outputs 3 | ### 4 | 5 | output "resource_group_name" { 6 | value = azurerm_virtual_network.base.resource_group_name 7 | description = "The name of the resource group in which to create the virtual network." 8 | } 9 | 10 | output "name" { 11 | value = azurerm_virtual_network.base.name 12 | description = "The name of the virtual network." 13 | } 14 | 15 | output "id" { 16 | value = azurerm_virtual_network.base.id 17 | description = "The virtual NetworkConfiguration ID." 18 | } 19 | 20 | output "address_space" { 21 | value = azurerm_virtual_network.base.address_space 22 | description = "The address space that is used the virtual network." 23 | } -------------------------------------------------------------------------------- /modules/linux_web_app/README.md: -------------------------------------------------------------------------------- 1 | ## Requirements 2 | 3 | No requirements. 4 | 5 | ## Providers 6 | 7 | No provider. 8 | 9 | ## Inputs 10 | 11 | | Name | Description | Type | Default | Required | 12 | |------|-------------|------|---------|:--------:| 13 | | environment | Development environment for resource; prod, non-prod, shared-services | `string` | n/a | yes | 14 | | region | Geographic Region resource will be deployed into | `string` | n/a | yes | 15 | | sku\_size | (Required) Specifies the plan's instance size. | `string` | `"F1"` | no | 16 | | sku\_tier | (Required) Specifies the plan's pricing tier. | `string` | `"Free"` | no | 17 | | tags | A map of tags to add to all resources | `map` | `{}` | no | 18 | 19 | ## Outputs 20 | 21 | No output. 
22 | 23 | -------------------------------------------------------------------------------- /resources/app_service/app_service_plan/main.tf: -------------------------------------------------------------------------------- 1 | ### 2 | # resource composition 3 | ### 4 | 5 | resource "azurerm_app_service_plan" "base" { 6 | name = "${var.name_prefix}-${var.environment}-${var.region}" 7 | location = var.region 8 | resource_group_name = var.resource_group 9 | kind = var.kind 10 | maximum_elastic_worker_count = var.maximum_elastic_worker_count 11 | app_service_environment_id = var.app_service_environment_id 12 | reserved = var.reserved 13 | per_site_scaling = var.per_site_scaling 14 | sku { 15 | tier = var.sku_tier 16 | size = var.sku_size 17 | capacity = var.sku_capacity 18 | } 19 | tags = var.tags 20 | } -------------------------------------------------------------------------------- /resources/network/dns_zone/README.md: -------------------------------------------------------------------------------- 1 | ## Requirements 2 | 3 | No requirements. 4 | 5 | ## Providers 6 | 7 | No provider. 8 | 9 | ## Inputs 10 | 11 | | Name | Description | Type | Default | Required | 12 | |------|-------------|------|---------|:--------:| 13 | | environment | Development environment for resource; prod, non-prod, shared-services | `string` | n/a | yes | 14 | | name\_prefix | A short pre-defined text to identify the resource type | `string` | `""` | no | 15 | | region | Geographic Region resource will be deployed into | `string` | n/a | yes | 16 | | resource\_group | The name of the target resource group | `string` | n/a | yes | 17 | | tags | A map of tags to add to all resources | `map` | `{}` | no | 18 | 19 | ## Outputs 20 | 21 | No output. 
22 | 23 | -------------------------------------------------------------------------------- /resources/network/bastion_host/README.md: -------------------------------------------------------------------------------- 1 | ## Requirements 2 | 3 | No requirements. 4 | 5 | ## Providers 6 | 7 | No provider. 8 | 9 | ## Inputs 10 | 11 | | Name | Description | Type | Default | Required | 12 | |------|-------------|------|---------|:--------:| 13 | | environment | Development environment for resource; prod, non-prod, shared-services | `string` | n/a | yes | 14 | | name\_prefix | A short pre-defined text to identify the resource type | `string` | `""` | no | 15 | | region | Geographic Region resource will be deployed into | `string` | n/a | yes | 16 | | resource\_group | The name of the target resource group | `string` | n/a | yes | 17 | | tags | A map of tags to add to all resources | `map` | `{}` | no | 18 | 19 | ## Outputs 20 | 21 | No output. 22 | 23 | -------------------------------------------------------------------------------- /resources/network/dns_a_record/README.md: -------------------------------------------------------------------------------- 1 | ## Requirements 2 | 3 | No requirements. 4 | 5 | ## Providers 6 | 7 | No provider. 8 | 9 | ## Inputs 10 | 11 | | Name | Description | Type | Default | Required | 12 | |------|-------------|------|---------|:--------:| 13 | | environment | Development environment for resource; prod, non-prod, shared-services | `string` | n/a | yes | 14 | | name\_prefix | A short pre-defined text to identify the resource type | `string` | `""` | no | 15 | | region | Geographic Region resource will be deployed into | `string` | n/a | yes | 16 | | resource\_group | The name of the target resource group | `string` | n/a | yes | 17 | | tags | A map of tags to add to all resources | `map` | `{}` | no | 18 | 19 | ## Outputs 20 | 21 | No output. 
22 | 23 | -------------------------------------------------------------------------------- /resources/network/public_ip/main.tf: -------------------------------------------------------------------------------- 1 | ### 2 | # resource composition 3 | ### 4 | 5 | #public ip 6 | 7 | resource "azurerm_public_ip" "base" { 8 | name = "${var.name_prefix}-${var.environment}-${var.region}" 9 | resource_group_name = var.resource_group 10 | location = var.region 11 | allocation_method = var.allocation_method 12 | sku = var.sku 13 | ip_version = var.ip_version 14 | idle_timeout_in_minutes = var.idle_timeout_in_minutes 15 | domain_name_label = var.domain_name_label 16 | reverse_fqdn = var.reverse_fqdn 17 | public_ip_prefix_id = var.public_ip_prefix_id 18 | zones = var.zones 19 | tags = var.tags 20 | } 21 | -------------------------------------------------------------------------------- /templates/template_resource/README.md: -------------------------------------------------------------------------------- 1 | ## Requirements 2 | 3 | No requirements. 4 | 5 | ## Providers 6 | 7 | No provider. 8 | 9 | ## Inputs 10 | 11 | | Name | Description | Type | Default | Required | 12 | |------|-------------|------|---------|:--------:| 13 | | environment | Development environment for resource; prod, non-prod, shared-services | `string` | n/a | yes | 14 | | name\_prefix | A short pre-defined text to identify the resource type | `string` | `""` | no | 15 | | region | Geographic Region resource will be deployed into | `string` | n/a | yes | 16 | | resource\_group | The name of the target resource group | `string` | n/a | yes | 17 | | tags | A map of tags to add to all resources | `map` | `{}` | no | 18 | 19 | ## Outputs 20 | 21 | No output. 
22 | 23 | -------------------------------------------------------------------------------- /resources/cosmosdb/cosmosdb_account/README.md: -------------------------------------------------------------------------------- 1 | ## Requirements 2 | 3 | No requirements. 4 | 5 | ## Providers 6 | 7 | No provider. 8 | 9 | ## Inputs 10 | 11 | | Name | Description | Type | Default | Required | 12 | |------|-------------|------|---------|:--------:| 13 | | environment | Development environment for resource; prod, non-prod, shared-services | `string` | n/a | yes | 14 | | name\_prefix | A short pre-defined text to identify the resource type | `string` | `""` | no | 15 | | region | Geographic Region resource will be deployed into | `string` | n/a | yes | 16 | | resource\_group | The name of the target resource group | `string` | n/a | yes | 17 | | tags | A map of tags to add to all resources | `map` | `{}` | no | 18 | 19 | ## Outputs 20 | 21 | No output. 22 | 23 | -------------------------------------------------------------------------------- /resources/network/lb_backend_address_pool/README.md: -------------------------------------------------------------------------------- 1 | ## Requirements 2 | 3 | No requirements. 4 | 5 | ## Providers 6 | 7 | | Name | Version | 8 | |------|---------| 9 | | azurerm | n/a | 10 | 11 | ## Inputs 12 | 13 | | Name | Description | Type | Default | Required | 14 | |------|-------------|------|---------|:--------:| 15 | | loadbalancer\_id | (Required) The ID of the Load Balancer in which to create the Backend Address Pool. | `string` | n/a | yes | 16 | | name | (Required) Specifies the name of the Backend Address Pool. | `string` | n/a | yes | 17 | | resource\_group | The name of the target resource group | `string` | n/a | yes | 18 | 19 | ## Outputs 20 | 21 | | Name | Description | 22 | |------|-------------| 23 | | id | The ID of the Backend Address Pool. 
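|

-------------------------------------------------------------------------------- /modules/key_vault/README.md: --------------------------------------------------------------------------------
## Requirements

No requirements.

## Providers

No provider.

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| environment | Development environment for resource; prod, non-prod, shared-services | `string` | n/a | yes |
| object\_id | The object ID for the Service Principal | `string` | n/a | yes |
| region | Geographic Region resource will be deployed into | `string` | n/a | yes |
| sku\_name | The Name of the sku used for this Key Vault. Possible values are standard and premium. | `string` | `"standard"` | no |
| tags | A map of tags to add to all resources | `map` | `{}` | no |

## Outputs

No output.

-------------------------------------------------------------------------------- /environments/dev/providers.tf: --------------------------------------------------------------------------------
###
# environment providers
###

terraform {
  required_version = ">= 0.14"

  # Remote state for the dev environment. The state storage account lives in a
  # different subscription from the one the provider below deploys into, which
  # is why subscription_id is set explicitly here (prod and shared-services
  # omit it and rely on the ambient subscription instead).
  backend "azurerm" {
    resource_group_name  = "rg-terraform-state"
    storage_account_name = "sttfstate000eus"
    container_name       = "tfstate"
    key                  = "dev.tfstate"
    subscription_id      = "f43de08a-5e35-4ea9-8ca1-11fc231ace6a"
  }

  required_providers {
    azurerm = {
      source = "hashicorp/azurerm"
      # Pessimistic constraint: 2.46 and later 2.x only. The previous
      # ">=2.46.0" had no upper bound and would accept a breaking major.
      version = "~> 2.46"
    }
  }
}

# Service-principal credentials are injected through variables; supply them
# from the environment or a pipeline secret store rather than a committed
# tfvars file, and declare client_secret as sensitive in variables.tf (not
# shown here).
provider "azurerm" {
  features {}
  subscription_id = "e88ea632-290e-402f-9bbb-a72f1c07208b"
  client_id       = var.client_id
  client_secret   = var.client_secret
  tenant_id       = var.tenant_id
}

-------------------------------------------------------------------------------- /resources/network/bastion_host/main.tf: 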
-------------------------------------------------------------------------------- 1 | ### 2 | # resource composition 3 | ### 4 | 5 | resource "azurerm_subnet" "base" { 6 | name = "AzureBastionSubnet" 7 | resource_group_name = var.virtual_network_resource_group 8 | virtual_network_name = var.virtual_network_name 9 | address_prefixes = var.address_prefix_bastion 10 | } 11 | 12 | resource "azurerm_bastion_host" "base" { 13 | name = "${var.name_prefix}-${var.environment}-${var.region}" 14 | location = var.region 15 | resource_group_name = var.resource_group 16 | 17 | ip_configuration { 18 | name = "ip-${var.name_prefix}-${var.environment}-${var.region}" 19 | subnet_id = azurerm_subnet.base.id 20 | public_ip_address_id = var.public_ip_address_id 21 | } 22 | 23 | tags = var.tags 24 | } -------------------------------------------------------------------------------- /resources/network/firewall/main.tf: -------------------------------------------------------------------------------- 1 | ### 2 | # resource composition 3 | ### 4 | 5 | #firewall 6 | 7 | resource "azurerm_subnet" "base" { 8 | name = "AzureFirewallSubnet" 9 | resource_group_name = var.resource_group 10 | virtual_network_name = var.virtual_network_name 11 | address_prefixes = var.address_prefixes 12 | } 13 | 14 | resource "azurerm_firewall" "base" { 15 | name = "${var.name_prefix}-${var.environment}-${var.region}" 16 | location = var.region 17 | resource_group_name = var.resource_group 18 | zones = var.zones 19 | 20 | ip_configuration { 21 | name = "ip-${var.name_prefix}-${var.environment}-${var.region}" 22 | subnet_id = azurerm_subnet.base.id 23 | public_ip_address_id = var.public_ip_address_id 24 | } 25 | tags = var.tags 26 | } -------------------------------------------------------------------------------- /resources/network/public_ip/outputs.tf: -------------------------------------------------------------------------------- 1 | ### 2 | # resource outputs 3 | ### 4 | 5 | output "id" { 6 | value = 
azurerm_public_ip.base.id 7 | description = "The Public IP ID." 8 | } 9 | 10 | output "ip_address" { 11 | value = azurerm_public_ip.base.ip_address 12 | description = "The IP address value that was allocated. Note Dynamic Public IP Addresses aren't allocated until they're attached to a device" 13 | } 14 | 15 | output "fqdn" { 16 | value = azurerm_public_ip.base.fqdn 17 | description = "Fully qualified domain name of the A DNS record associated with the public IP. domain_name_label must be specified to get the fqdn. This is the concatenation of the domain_name_label and the regionalized DNS zone" 18 | } 19 | 20 | output "name" { 21 | value = azurerm_public_ip.base.name 22 | description = "The Public IP Name." 23 | } -------------------------------------------------------------------------------- /templates/template_resource/variables.tf: -------------------------------------------------------------------------------- 1 | ### 2 | # resource variables 3 | ### 4 | 5 | #common 6 | 7 | variable "resource_group" { 8 | description = "The name of the target resource group" 9 | type = string 10 | } 11 | 12 | variable "name_prefix" { 13 | description = "A short pre-defined text to identify the resource type" 14 | type = string 15 | default = "" 16 | } 17 | 18 | variable "environment" { 19 | description = "Development environment for resource; prod, non-prod, shared-services" 20 | type = string 21 | } 22 | 23 | variable "region" { 24 | description = "Geographic Region resource will be deployed into" 25 | type = string 26 | } 27 | 28 | #tags 29 | 30 | variable "tags" { 31 | description = "A map of tags to add to all resources" 32 | type = map(any) 33 | default = {} 34 | } 35 | 36 | -------------------------------------------------------------------------------- /resources/network/subnet/outputs.tf: -------------------------------------------------------------------------------- 1 | ### 2 | # resource outputs 3 | ### 4 | 5 | output "id" { 6 | value = azurerm_subnet.base[*].id 7 
| description = "The subnet ID." 8 | } 9 | 10 | output "name" { 11 | value = azurerm_subnet.base[*].name 12 | description = "The name of the subnet." 13 | } 14 | 15 | output "resource_group_name" { 16 | value = azurerm_subnet.base[*].resource_group_name 17 | description = "The name of the resource group in which the subnet is created in." 18 | } 19 | 20 | output "virtual_network_name" { 21 | value = azurerm_subnet.base[*].virtual_network_name 22 | description = "The name of the virtual network in which the subnet is created in" 23 | } 24 | 25 | output "address_prefixes" { 26 | value = azurerm_subnet.base[*].address_prefixes 27 | description = "The address prefixes for the subnet" 28 | } -------------------------------------------------------------------------------- /resources/network/firewall_network_rule_collection/main.tf: -------------------------------------------------------------------------------- 1 | ### 2 | # resource composition 3 | ### 4 | 5 | #firewall network rule collection 6 | 7 | resource "azurerm_firewall_network_rule_collection" "base" { 8 | name = "${var.name_prefix}-${var.environment}-${var.region}" 9 | azure_firewall_name = var.azure_firewall_name 10 | resource_group_name = var.resource_group 11 | priority = var.priority 12 | action = var.action 13 | 14 | dynamic "rule" { 15 | for_each = var.rule 16 | content { 17 | name = rule.value.name 18 | source_addresses = rule.value.source_addresses 19 | destination_ports = rule.value.destination_ports 20 | destination_addresses = rule.value.destination_addresses 21 | protocols = rule.value.protocols 22 | } 23 | } 24 | } 25 | -------------------------------------------------------------------------------- /resources/network/lb/main.tf: -------------------------------------------------------------------------------- 1 | ### 2 | # resource composition 3 | ### 4 | 5 | resource "azurerm_lb" "base" { 6 | name = "${var.name_prefix}-${var.environment}-${var.region}" 7 | location = var.region 8 | 
resource_group_name = var.resource_group 9 | sku = var.sku 10 | 11 | frontend_ip_configuration { 12 | name = "feip-config-${var.name_prefix}" 13 | subnet_id = var.subnet_id 14 | private_ip_address = var.private_ip_address 15 | private_ip_address_allocation = var.private_ip_address_allocation 16 | private_ip_address_version = var.private_ip_address_version 17 | public_ip_address_id = var.public_ip_address_id 18 | public_ip_prefix_id = var.public_ip_prefix_id 19 | zones = var.zones 20 | } 21 | } -------------------------------------------------------------------------------- /modules/container_registry/variables.tf: -------------------------------------------------------------------------------- 1 | ### 2 | # module variables 3 | ### 4 | 5 | #common 6 | 7 | variable "region" { 8 | description = "Geographic Region resource will be deployed into" 9 | type = string 10 | } 11 | 12 | variable "environment" { 13 | description = "Development environment for resource; prod, non-prod, shared-services" 14 | type = string 15 | } 16 | 17 | #container registry 18 | 19 | variable "sku" { 20 | description = "(Optional) The SKU name of the container registry. Possible values are Basic, Standard and Premium. Classic (which was previously Basic) is supported only for existing resources." 21 | type = string 22 | default = "Standard" 23 | } 24 | 25 | #tags 26 | 27 | variable "tags" { 28 | description = "A map of tags to add to all resources" 29 | type = map(any) 30 | default = {} 31 | } 32 | -------------------------------------------------------------------------------- /modules/network_hub/README.md: -------------------------------------------------------------------------------- 1 | ## Requirements 2 | 3 | No requirements. 4 | 5 | ## Providers 6 | 7 | No provider. 
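
## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| address\_space | This is a list of the ip address ranges for the vnet | `list` | n/a | yes |
| environment | Development environment for resource; prod, non-prod, shared-services | `string` | n/a | yes |
| region | Geographic Region resource will be deployed into | `string` | n/a | yes |
| tags | A map of tags to add to all resources | `map` | `{}` | no |

## Outputs

| Name | Description |
|------|-------------|
| virtual\_network\_id | resource id of vnet hub |
| virtual\_network\_name | resource name of vnet hub |
| virtual\_network\_resource\_group\_name | n/a |

-------------------------------------------------------------------------------- /.gitignore: --------------------------------------------------------------------------------
# Local .terraform directories
**/.terraform/*

# .tfstate files
*.tfstate
*.tfstate.*

# Crash log files
crash.log

# Ignore any .tfvars files that are generated automatically for each Terraform run. Most
# .tfvars files are managed as part of configuration and so should be included in
# version control.
#
secrets.auto.tfvars

# Ignore override files as they are usually used to override resources locally and so
# are not checked in
override.tf
override.tf.json
*_override.tf
*_override.tf.json

# Include override files you do wish to add to version control using negated pattern
#
# !example_override.tf

# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
# example: *tfplan*
*tfplan

# The dependency lock file (.terraform.lock.hcl) is intentionally NOT ignored.
# It records the provider versions and checksums that `terraform init` verified,
# so committing it makes every workstation and pipeline install the same
# provider builds instead of whatever the version constraints resolve to on
# the day. It was previously listed here, which discarded that pinning.
-------------------------------------------------------------------------------- /modules/linux_web_app/variables.tf: --------------------------------------------------------------------------------
###
# module variables
###

#common

variable "region" {
  description = "Geographic Region resource will be deployed into"
  type        = string
}

variable "environment" {
  description = "Development environment for resource; prod, non-prod, shared-services"
  type        = string
}

#asp

variable "sku_tier" {
  description = "(Required) Specifies the plan's pricing tier."
  type        = string
  default     = "Free"
}

variable "sku_size" {
  description = "(Required) Specifies the plan's instance size."
  type        = string
  default     = "F1"
}

#tags

variable "tags" {
  description = "A map of tags to add to all resources"
  type        = map(any)
  default     = {}
}

-------------------------------------------------------------------------------- /resources/authorization/user_assigned_identity/README.md: --------------------------------------------------------------------------------
## Requirements

No requirements.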
4 | 5 | ## Providers 6 | 7 | | Name | Version | 8 | |------|---------| 9 | | azurerm | n/a | 10 | 11 | ## Inputs 12 | 13 | | Name | Description | Type | Default | Required | 14 | |------|-------------|------|---------|:--------:| 15 | | environment | Development environment for resource; prod, non-prod, shared-services | `string` | n/a | yes | 16 | | name\_prefix | A short pre-defined text to identify the resource type | `string` | `"umi"` | no | 17 | | region | Geographic Region resource will be deployed into | `string` | n/a | yes | 18 | | resource\_group | The name of the target resource group | `string` | n/a | yes | 19 | 20 | ## Outputs 21 | 22 | | Name | Description | 23 | |------|-------------| 24 | | client\_id | n/a | 25 | | id | n/a | 26 | | name | n/a | 27 | | principal\_id | n/a | 28 | 29 | -------------------------------------------------------------------------------- /modules/container_registry/README.md: -------------------------------------------------------------------------------- 1 | ## Requirements 2 | 3 | No requirements. 4 | 5 | ## Providers 6 | 7 | No provider. 8 | 9 | ## Inputs 10 | 11 | | Name | Description | Type | Default | Required | 12 | |------|-------------|------|---------|:--------:| 13 | | environment | Development environment for resource; prod, non-prod, shared-services | `string` | n/a | yes | 14 | | region | Geographic Region resource will be deployed into | `string` | n/a | yes | 15 | | sku | (Optional) The SKU name of the container registry. Possible values are Basic, Standard and Premium. Classic (which was previously Basic) is supported only for existing resources. | `string` | `"Standard"` | no | 16 | | tags | A map of tags to add to all resources | `map` | `{}` | no | 17 | 18 | ## Outputs 19 | 20 | | Name | Description | 21 | |------|-------------| 22 | | container\_registry\_id | The ID of the Container Registry. 
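|

-------------------------------------------------------------------------------- /resources/network/network_interface_backend_address_pool_association/variables.tf: --------------------------------------------------------------------------------
###
# resource variables
###

#network interface backend address pool association

variable "network_interface_id" {
  # Description corrected: the previous text ("The ID of the Subnet") was
  # copied from another variable and did not describe this input.
  description = "The ID(s) of the Network Interface(s) which should be connected to the Backend Address Pool. Changing this forces a new resource to be created."
  type        = list(any)
}

variable "ip_configuration_name" {
  description = "(Required) The Name of the IP Configuration within the Network Interface which should be connected to the Backend Address Pool. Changing this forces a new resource to be created."
  type        = list(any)
}

variable "backend_address_pool_id" {
  description = "(Required) The ID of the Load Balancer Backend Address Pool to which this Network Interface should be connected. Changing this forces a new resource to be created."
  type        = string
}

-------------------------------------------------------------------------------- /modules/aks_agic/templates/aspnetapp.yaml: --------------------------------------------------------------------------------
# Sample workload used to smoke-test the Application Gateway ingress controller.
apiVersion: v1
kind: Pod
metadata:
  name: aspnetapp
  labels:
    app: aspnetapp
spec:
  containers:
    # NOTE(review): a floating tag; pin to a digest
    # (mcr.microsoft.com/dotnet/core/samples@sha256:<IMAGE_DIGEST>) so the
    # deployed image is reproducible and can be verified against a known build.
    - image: "mcr.microsoft.com/dotnet/core/samples:aspnetapp"
      name: aspnetapp-image
      ports:
        - containerPort: 80
          protocol: TCP

---

apiVersion: v1
kind: Service
metadata:
  name: aspnetapp
spec:
  selector:
    app: aspnetapp
  ports:
    - protocol: TCP
      port: 80
      targetPort: 80

---

# extensions/v1beta1 Ingress was removed in Kubernetes 1.22; this is the
# networking.k8s.io/v1 shape of the same rule. The ingress.class annotation is
# kept because it is what the AGIC helm chart in this module keys on.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: aspnetapp
  annotations:
    kubernetes.io/ingress.class: azure/application-gateway
spec:
  rules:
    - http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: aspnetapp
                port:
                  number: 80
-------------------------------------------------------------------------------- /resources/cosmosdb/cosmosdb_account/main.tf: --------------------------------------------------------------------------------
###
# resource composition
###

#random string

# Four-character, non-special suffix folded into the account name below.
resource "random_string" "base" {
  length  = 4
  special = false
}

#cosmosdb_account

# Single-region account: geo_location pins the only replica to var.region with
# failover_priority 0.
resource "azurerm_cosmosdb_account" "base" {
  name                = lower("${var.name_prefix}-${random_string.base.result}-${var.environment}-${var.region}")
  location            = var.region
  resource_group_name = var.resource_group
  offer_type          = var.offer_type
  kind                = var.kind
  enable_free_tier    = var.enable_free_tier

  consistency_policy {
    consistency_level = var.consistency_level
  }

  geo_location {
    location          = var.region
    failover_priority = 0
  }

  tags = var.tags
}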
-------------------------------------------------------------------------------- /modules/key_vault/variables.tf: -------------------------------------------------------------------------------- 1 | ### 2 | # module variables 3 | ### 4 | 5 | #common 6 | 7 | variable "region" { 8 | description = "Geographic Region resource will be deployed into" 9 | type = string 10 | } 11 | 12 | variable "environment" { 13 | description = "Development environment for resource; prod, non-prod, shared-services" 14 | type = string 15 | } 16 | 17 | #key vault 18 | 19 | variable "sku_name" { 20 | description = "The Name of the sku used for this Key Vault. Possible values are standard and premium." 21 | type = string 22 | default = "standard" 23 | } 24 | 25 | #key vault policy 26 | 27 | variable "object_id" { 28 | description = "The object ID for the Service Principal" 29 | type = string 30 | } 31 | 32 | #tags 33 | 34 | variable "tags" { 35 | description = "A map of tags to add to all resources" 36 | type = map(any) 37 | default = {} 38 | } 39 | -------------------------------------------------------------------------------- /modules/network_isolated/README.md: -------------------------------------------------------------------------------- 1 | ## Requirements 2 | 3 | No requirements. 4 | 5 | ## Providers 6 | 7 | No provider. 
8 | 9 | ## Inputs 10 | 11 | | Name | Description | Type | Default | Required | 12 | |------|-------------|------|---------|:--------:| 13 | | address\_space | This is a list of the ip address ranges for the vnet | `list` | n/a | yes | 14 | | environment | Development environment for resource; prod, non-prod, shared-services | `string` | n/a | yes | 15 | | region | Geographic Region resource will be deployed into | `string` | n/a | yes | 16 | | tags | A map of tags to add to all resources | `map` | `{}` | no | 17 | 18 | ## Outputs 19 | 20 | | Name | Description | 21 | |------|-------------| 22 | | virtual\_network\_id | resource id of virtual network | 23 | | virtual\_network\_name | resource name of virtual network | 24 | | virtual\_network\_resource\_group\_name | resource group name of virtual network | 25 | 26 | -------------------------------------------------------------------------------- /resources/base/resource_group/variables.tf: -------------------------------------------------------------------------------- 1 | ### 2 | # resource variables 3 | ### 4 | 5 | #resource-group 6 | 7 | variable "name_prefix" { 8 | description = "A short pre-defined text to identify the resource type" 9 | type = string 10 | default = "rg" 11 | } 12 | 13 | variable "service_name" { 14 | description = "Name of the application, service, or workload the resource group is housing." 15 | type = string 16 | } 17 | 18 | variable "region" { 19 | description = "Geographic region resource will be deployed into" 20 | type = string 21 | } 22 | 23 | variable "environment" { 24 | description = "Development environment for resource; prod, non-prod, shared-services" 25 | type = string 26 | } 27 | 28 | #tags 29 | 30 | variable "tags" { 31 | description = "(Optional) A mapping of tags which should be assigned to the Resource Group." 
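type    = map(any)
default = {}
}
-------------------------------------------------------------------------------- /environments/shared-services/providers.tf: --------------------------------------------------------------------------------
###
# environment providers
###

terraform {
  required_version = ">= 0.14"

  # Remote state for the shared-services environment. The account name and key
  # here are defaults; bin/terraform-plan.sh overrides storage_account_name and
  # key with -backend-config at init time. State stores every resource attribute
  # and module output in plaintext (including values marked sensitive), so read
  # access to this container must be limited to the deployment identity.
  backend "azurerm" {
    resource_group_name  = "rg-terraform-state"
    storage_account_name = "sttfstate000eus"
    container_name       = "tfstate"
    key                  = "shared-services.tfstate"
  }

  # Pessimistic (~>) constraints. The previous ">=" floors accepted any future
  # major release, so `terraform init -upgrade` (which the plan script runs)
  # could pull in a provider major with breaking schema changes. Lower bounds
  # are unchanged: azurerm >= 2.46.0 < 3.0, helm/kubernetes >= 2.0 < 3.0.
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 2.46"
    }
    helm = {
      source  = "hashicorp/helm"
      version = "~> 2.0"
    }
    kubernetes = {
      source  = "hashicorp/kubernetes"
      version = "~> 2.0"
    }
  }
}

provider "azurerm" {
  features {}

  # NOTE(review): subscription_id is hard-coded here, while bin/terraform-plan.sh
  # passes -var "subscription_id=..." to every environment; for this environment
  # that value is ignored. Switch to var.subscription_id once the variable is
  # confirmed to exist in this environment's variables.tf (not visible here).
  subscription_id = "f43de08a-5e35-4ea9-8ca1-11fc231ace6a"

  # Service-principal secret authentication. client_secret should be declared
  # `sensitive = true` in variables.tf (supported since Terraform 0.14) so it is
  # redacted from plan/apply output. Prefer the ARM_* environment variables,
  # managed identity or OIDC over a long-lived secret held as a Terraform input.
  client_id     = var.client_id
  client_secret = var.client_secret
  tenant_id     = var.tenant_id
}

-------------------------------------------------------------------------------- /environments/shared-services/outputs.tf: --------------------------------------------------------------------------------
###
# environment outputs
###

output "network_hub_name" {
  value       = module.network_hub.virtual_network_name
  description = "Generated name of the transit hub virtual network"
}

output "network_hub_id" {
  value       = module.network_hub.virtual_network_id
  description = "Resource id of the transit hub virtual network"
}

output "network_hub_resource_group_name" {
  value       = module.network_hub.virtual_network_resource_group_name
  description = "Generated name of the resource group for the transit hub virtual network"
}

output "log_analytics_id" {
  value       = module.logging.log_analytics_id
  description = "Log Analytics Workspace ID"
}
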
output "firewall_private_ip_address" { 26 | value = module.network_hub.firewall_private_ip_address 27 | description = "The private IP address of the Azure Firewall." 28 | } -------------------------------------------------------------------------------- /resources/authorization/role_assignment/variables.tf: -------------------------------------------------------------------------------- 1 | ### 2 | # resource variables 3 | ### 4 | 5 | #role-assignment 6 | 7 | variable "role_definition_name" { 8 | description = " The name of a built-in Role. Changing this forces a new resource to be created." 9 | type = string 10 | } 11 | 12 | variable "scope" { 13 | description = "The scope at which the Role Assignment applies too, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM. Changing this forces a new resource to be created." 14 | type = string 15 | } 16 | 17 | variable "principal_id" { 18 | description = "The ID of the Principal (User, Group, Service Principal, or Application) to assign the Role Definition to. Changing this forces a new resource to be created." 
19 | type = string 20 | } 21 | -------------------------------------------------------------------------------- /resources/network/network_security_group/variables.tf: -------------------------------------------------------------------------------- 1 | ### 2 | # resource variables 3 | ### 4 | 5 | #common 6 | 7 | variable "resource_group" { 8 | description = "This is the resource group to which the resources will be deployed" 9 | type = string 10 | } 11 | 12 | variable "name_prefix" { 13 | description = "A short pre-defined text to identify the resource type" 14 | type = string 15 | default = "nsg" 16 | } 17 | 18 | variable "environment" { 19 | description = "Development environment for resource; prod, non-prod, shared-services" 20 | type = string 21 | } 22 | 23 | variable "region" { 24 | description = "Geographic Region resource will be deployed into" 25 | type = string 26 | } 27 | 28 | #nsg 29 | 30 | variable "policy_name" { 31 | description = "policy name or app name" 32 | type = string 33 | } 34 | 35 | #tags 36 | 37 | variable "tags" { 38 | description = "A map of tags to add to all resources" 39 | type = map(any) 40 | default = {} 41 | } -------------------------------------------------------------------------------- /resources/recovery_services/recovery_services_vault/README.md: -------------------------------------------------------------------------------- 1 | ## Requirements 2 | 3 | No requirements. 4 | 5 | ## Providers 6 | 7 | | Name | Version | 8 | |------|---------| 9 | | azurerm | n/a | 10 | 11 | ## Inputs 12 | 13 | | Name | Description | Type | Default | Required | 14 | |------|-------------|------|---------|:--------:| 15 | | name\_prefix | Short prefix to identify resource | `string` | `"rsv"` | no | 16 | | region | Geographic Region resource will be deployed into | `string` | n/a | yes | 17 | | resource\_group | The name of the target resource group | `string` | n/a | yes | 18 | | sku | (Required) Sets the vault's SKU. 
Possible values include: Standard, RS0. | `string` | n/a | yes | 19 | | soft\_delete\_enabled | (Optional) Is soft delete enable for this Vault? Defaults to true. | `bool` | `null` | no | 20 | | tags | tags to be added to resource | `map` | `{}` | no | 21 | 22 | ## Outputs 23 | 24 | | Name | Description | 25 | |------|-------------| 26 | | id | The ID of the Recovery Services Vault. | 27 | 28 | -------------------------------------------------------------------------------- /resources/network/network_security_rule/README.md: -------------------------------------------------------------------------------- 1 | ## Requirements 2 | 3 | No requirements. 4 | 5 | ## Providers 6 | 7 | | Name | Version | 8 | |------|---------| 9 | | azurerm | n/a | 10 | 11 | ## Inputs 12 | 13 | | Name | Description | Type | Default | Required | 14 | |------|-------------|------|---------|:--------:| 15 | | name\_prefix | A short pre-defined text to identify the resource type | `string` | `"nsg"` | no | 16 | | network\_security\_group\_name | (Required) The name of the Network Security Group that we want to attach the rule to. Changing this forces a new resource to be created. | `string` | n/a | yes | 17 | | network\_security\_rules | List of network security rules | `list` | `[]` | no | 18 | | region | Geographic Region resource will be deployed into | `string` | n/a | yes | 19 | | resource\_group | This is the resource group to which the resources will be deployed | `string` | n/a | yes | 20 | 21 | ## Outputs 22 | 23 | | Name | Description | 24 | |------|-------------| 25 | | id | The ID of the Network Security Rule. | 26 | 27 | -------------------------------------------------------------------------------- /environments/test/README.md: -------------------------------------------------------------------------------- 1 | ## Requirements 2 | 3 | | Name | Version | 4 | |------|---------| 5 | | terraform | >= 0.13 | 6 | | azurerm | ~> 2.14.0 | 7 | 8 | ## Providers 9 | 10 | No provider. 
11 | 12 | ## Inputs 13 | 14 | | Name | Description | Type | Default | Required | 15 | |------|-------------|------|---------|:--------:| 16 | | address\_prefix\_app | The address prefix to use for the app subnet. | `list(string)` | n/a | yes | 17 | | address\_prefix\_data | The address prefix to use for the data subnet. | `list(string)` | n/a | yes | 18 | | address\_prefix\_glusterfs | The address prefix to use for the glusterfs subnet. | `list(string)` | n/a | yes | 19 | | address\_space | This is a list of the ip address ranges for the vnet | `list` | n/a | yes | 20 | | environment | Development environment for resource; prod, non-prod, shared-services | `string` | n/a | yes | 21 | | region | Geographic region resource will be deployed into | `string` | n/a | yes | 22 | | tags | A map of tags to add to all resources | `map` | `{}` | no | 23 | 24 | ## Outputs 25 | 26 | No output. 27 | 28 | -------------------------------------------------------------------------------- /resources/network/network_security_group/README.md: -------------------------------------------------------------------------------- 1 | ## Requirements 2 | 3 | No requirements. 
4 | 5 | ## Providers 6 | 7 | | Name | Version | 8 | |------|---------| 9 | | azurerm | n/a | 10 | 11 | ## Inputs 12 | 13 | | Name | Description | Type | Default | Required | 14 | |------|-------------|------|---------|:--------:| 15 | | environment | Development environment for resource; prod, non-prod, shared-services | `string` | n/a | yes | 16 | | name\_prefix | A short pre-defined text to identify the resource type | `string` | `"nsg"` | no | 17 | | policy\_name | policy name or app name | `string` | n/a | yes | 18 | | region | Geographic Region resource will be deployed into | `string` | n/a | yes | 19 | | resource\_group | This is the resource group to which the resources will be deployed | `string` | n/a | yes | 20 | | tags | A map of tags to add to all resources | `map` | `{}` | no | 21 | 22 | ## Outputs 23 | 24 | | Name | Description | 25 | |------|-------------| 26 | | id | The ID of the Network Security Group. | 27 | | name | The Name of the Network Security Group. | 28 | 29 | -------------------------------------------------------------------------------- /resources/recovery_services/recovery_services_vault/variables.tf: -------------------------------------------------------------------------------- 1 | ### 2 | # resource variables 3 | ### 4 | 5 | #common 6 | 7 | variable "resource_group" { 8 | description = "The name of the target resource group" 9 | type = string 10 | } 11 | 12 | variable "name_prefix" { 13 | description = "Short prefix to identify resource" 14 | type = string 15 | default = "rsv" 16 | } 17 | 18 | variable "region" { 19 | description = "Geographic Region resource will be deployed into" 20 | type = string 21 | } 22 | 23 | #recovery services vault 24 | 25 | variable "sku" { 26 | description = "(Required) Sets the vault's SKU. Possible values include: Standard, RS0." 27 | type = string 28 | } 29 | 30 | variable "soft_delete_enabled" { 31 | description = "(Optional) Is soft delete enable for this Vault? Defaults to true." 
32 | type = bool 33 | default = null 34 | } 35 | 36 | #tags 37 | 38 | variable "tags" { 39 | description = "tags to be added to resource" 40 | type = map(any) 41 | default = {} 42 | } 43 | 44 | -------------------------------------------------------------------------------- /resources/base/resource_group/README.md: -------------------------------------------------------------------------------- 1 | ## Requirements 2 | 3 | No requirements. 4 | 5 | ## Providers 6 | 7 | | Name | Version | 8 | |------|---------| 9 | | azurerm | n/a | 10 | 11 | ## Inputs 12 | 13 | | Name | Description | Type | Default | Required | 14 | |------|-------------|------|---------|:--------:| 15 | | environment | Development environment for resource; prod, non-prod, shared-services | `string` | n/a | yes | 16 | | name\_prefix | A short pre-defined text to identify the resource type | `string` | `"rg"` | no | 17 | | region | Geographic region resource will be deployed into | `string` | n/a | yes | 18 | | service\_name | Name of the application, service, or workload the resource group is housing. | `string` | n/a | yes | 19 | | tags | (Optional) A mapping of tags which should be assigned to the Resource Group. | `map` | `{}` | no | 20 | 21 | ## Outputs 22 | 23 | | Name | Description | 24 | |------|-------------| 25 | | id | The ID of the Resource Group. | 26 | | location | The location of the Resource Group. | 27 | | name | The Name of this Resource Group. 
| 28 | 29 | -------------------------------------------------------------------------------- /modules/bastion/variables.tf: -------------------------------------------------------------------------------- 1 | ### 2 | # module variables 3 | ### 4 | 5 | #common 6 | 7 | variable "region" { 8 | description = "Geographic Region resource will be deployed into" 9 | type = string 10 | } 11 | 12 | variable "environment" { 13 | description = "Development environment for resource; prod, non-prod, shared-services" 14 | type = string 15 | } 16 | 17 | #bastion 18 | 19 | variable "address_prefix_bastion" { 20 | description = "(Required) The address prefix for the bastion subnet" 21 | type = list(any) 22 | } 23 | 24 | variable "virtual_network_name" { 25 | description = "(Required) The Name of the Virtual Network where this subnet should be located in." 26 | type = string 27 | } 28 | 29 | variable "virtual_network_resource_group" { 30 | description = "(Required) The Name of the Virtual Network where this subnet should be located in." 
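type = string
}

#tags

variable "tags" {
  description = "A map of tags to add to all resources"
  type        = map(any)
  default     = {}
}

-------------------------------------------------------------------------------- /environments/shared-services/main.tf: --------------------------------------------------------------------------------
###
# environment composition
###

# Transit hub network, with address prefixes for the bastion, application
# gateway and firewall subnets.
module "network_hub" {
  source                 = "../../modules/network_hub"
  environment            = var.environment
  region                 = var.region
  address_space          = var.address_space
  address_prefix_bastion = var.address_prefix_bastion
  address_prefix_agw     = var.address_prefix_agw
  address_prefix_fw      = var.address_prefix_fw
  tags                   = var.tags
}

# Shared container registry. Premium is the SKU that supports network rule
# sets / private endpoints and geo-replication, i.e. the features needed to
# keep the registry off the public internet.
module "container_registry" {
  source      = "../../modules/container_registry"
  environment = var.environment
  region      = var.region
  tags        = var.tags
  sku         = "premium"
}

# Shared Key Vault. object_id is the single principal the module's access
# policy is granted to (see modules/key_vault/variables.tf); it should be the
# deployment identity, not a broad group.
module "key_vault" {
  source      = "../../modules/key_vault"
  environment = var.environment
  region      = var.region
  object_id   = var.object_id
  tags        = var.tags
  sku_name    = "premium"
}

# Central Log Analytics workspace plus archive storage account. tags is now
# forwarded like the other module calls: modules/logs/main.tf passes var.tags
# to its resources, so omitting it here left the logging resources untagged.
module "logging" {
  source      = "../../modules/logs"
  environment = var.environment
  region      = var.region
  tags        = var.tags
}
-------------------------------------------------------------------------------- /resources/network/subnet/main.tf: --------------------------------------------------------------------------------
###
# resource composition
###

#subnet

# One subnet per entry in var.name_prefixes; entry i takes the i-th entry of
# var.address_prefixes. The two lists are assumed to be the same length:
# element() wraps around silently if address_prefixes is shorter.
resource "azurerm_subnet" "base" {
  name  = "${element(var.name_prefixes, count.index)}-${var.environment}-${var.region}"
  count = length(var.name_prefixes)

  resource_group_name  = var.resource_group
  address_prefixes     = [element(var.address_prefixes, count.index)]
  virtual_network_name = var.virtual_network_name
  service_endpoints    = var.service_endpoints

  # SECURITY: in azurerm 2.x these flags are inverted — `true` *disables*
  # network-policy (NSG) enforcement for private endpoints / private link
  # services in this subnet. Only set them when a private endpoint or PLS is
  # actually placed here, and confirm the semantics against the docs of the
  # pinned provider version.
  enforce_private_link_endpoint_network_policies = var.enforce_private_link_endpoint_network_policies
  enforce_private_link_service_network_policies  = var.enforce_private_link_service_network_policies

  # Optional service delegation(s), one block per element of var.delegation.
  dynamic "delegation" {
    for_each = var.delegation
    content {
      name = delegation.value.name
      service_delegation {
        name    = delegation.value.service_delegation_name
        actions = delegation.value.service_delegation_actions
      }
    }
  }
}


-------------------------------------------------------------------------------- /resources/network/network_interface_backend_address_pool_association/README.md: --------------------------------------------------------------------------------
## Requirements

No requirements.

## Providers

| Name | Version |
|------|---------|
| azurerm | n/a |

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| backend\_address\_pool\_id | (Required) The ID of the Load Balancer Backend Address Pool that this Network Interface should be connected to. Changing this forces a new resource to be created. | `string` | n/a | yes |
| ip\_configuration\_name | (Required) The Name of the IP Configuration within the Network Interface which should be connected to the Backend Address Pool. Changing this forces a new resource to be created. | `list` | n/a | yes |
| network\_interface\_id | (Required) The ID of the Network Interface to associate with the Backend Address Pool. Changing this forces a new resource to be created. | `list` | n/a | yes |

## Outputs

| Name | Description |
|------|-------------|
| id | The (Terraform specific) ID of the Association between the Network Interface and the Load Balancers Backend Address Pool.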
| 24 | 25 | -------------------------------------------------------------------------------- /resources/network/route_table/variables.tf: -------------------------------------------------------------------------------- 1 | ### 2 | # resource variables 3 | ### 4 | 5 | #common 6 | 7 | variable "resource_group" { 8 | description = "The name of the target resource group" 9 | type = string 10 | } 11 | 12 | variable "region" { 13 | description = "Geographic Region resource will be deployed into" 14 | type = string 15 | } 16 | 17 | variable "name_prefix" { 18 | description = "A short pre-defined text to identify the resource type" 19 | type = string 20 | default = "route" 21 | } 22 | 23 | variable "environment" { 24 | description = "Development environment for resource; prod, non-prod, shared-services" 25 | type = string 26 | } 27 | 28 | #route-table 29 | 30 | variable "disable_bgp_route_propagation" { 31 | description = "(Optional) Boolean flag which controls propagation of routes learned by BGP on that route table. True means disable." 32 | type = bool 33 | default = null 34 | } 35 | 36 | #tags 37 | 38 | variable "tags" { 39 | description = "A map of tags to add to all resources" 40 | type = map(any) 41 | default = {} 42 | } 43 | 44 | 45 | 46 | -------------------------------------------------------------------------------- /resources/authorization/role_assignment/README.md: -------------------------------------------------------------------------------- 1 | ## Requirements 2 | 3 | No requirements. 4 | 5 | ## Providers 6 | 7 | | Name | Version | 8 | |------|---------| 9 | | azurerm | n/a | 10 | 11 | ## Inputs 12 | 13 | | Name | Description | Type | Default | Required | 14 | |------|-------------|------|---------|:--------:| 15 | | principal\_id | The ID of the Principal (User, Group, Service Principal, or Application) to assign the Role Definition to. Changing this forces a new resource to be created. 
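| `string` | n/a | yes |
| role\_definition\_name | The name of a built-in Role. Changing this forces a new resource to be created. | `string` | n/a | yes |
| scope | The scope at which the Role Assignment applies, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM. Use the narrowest scope the role is actually needed at. Changing this forces a new resource to be created. | `string` | n/a | yes |

## Outputs

| Name | Description |
|------|-------------|
| id | n/a |

-------------------------------------------------------------------------------- /resources/container/container_registry/main.tf: --------------------------------------------------------------------------------
###
# resource composition
###

#random string

# Four-character suffix that makes the globally unique registry name unique.
# The value is generated once and kept in state, so the name is stable across
# plans. Upper-case letters are fine here because lower() is applied below.
resource "random_string" "base" {
  length  = 4
  special = false
}

#container registry

resource "azurerm_container_registry" "base" {
  # ACR names must be alphanumeric only: prefix + first two letters of the
  # environment + random suffix + region, lower-cased. Assumes var.region is a
  # bare region name such as "eastus" with no spaces or hyphens — TODO confirm
  # at the callers.
  name                = lower("${var.name_prefix}${substr(var.environment, 0, 2)}${random_string.base.result}${var.region}")
  resource_group_name = var.resource_group
  location            = var.region
  sku                 = var.sku

  # SECURITY: the admin user is one shared username/password with full
  # push/pull rights that is tied to no identity and cannot be scoped. Keep it
  # disabled (the default is set in variables.tf, not visible here) and grant
  # AcrPull / AcrPush role assignments to identities instead.
  admin_enabled = var.admin_enabled

  # NOTE(review): georeplication_locations is the azurerm 2.x attribute; later
  # provider majors replace it with georeplications blocks — check before the
  # provider constraint is raised.
  georeplication_locations = var.georeplication_locations

  # One rule set per element of var.network_rule_set, each with exactly one IP
  # rule and one VNet/subnet rule. default_action = "Deny" plus explicit allows
  # keeps the registry private; "Allow" leaves it reachable from the internet.
  # Azure only honours network rule sets on the Premium SKU.
  dynamic "network_rule_set" {
    for_each = var.network_rule_set
    content {
      default_action = network_rule_set.value.default_action
      ip_rule {
        action   = network_rule_set.value.ip_rule_action
        ip_range = network_rule_set.value.ip_rule_ip_range
      }
      virtual_network {
        action    = network_rule_set.value.virtual_network_action
        subnet_id = network_rule_set.value.subnet_id
      }
    }
  }
}
-------------------------------------------------------------------------------- /modules/linux_web_app/main.tf: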
-------------------------------------------------------------------------------- 1 | ### 2 | # module composition 3 | ### 4 | 5 | #resource group 6 | 7 | module "resource_group" { 8 | source = "../../resources/base/resource_group" 9 | service_name = "linux-web-app" 10 | region = var.region 11 | environment = var.environment 12 | tags = var.tags 13 | } 14 | 15 | module "app_service_plan" { 16 | source = "../../resources/app_service/app_service_plan" 17 | name_prefix = "asp-linux" 18 | resource_group = module.resource_group.name 19 | region = module.resource_group.location 20 | environment = var.environment 21 | reserved = true 22 | kind = "Linux" 23 | sku_tier = var.sku_tier 24 | sku_size = var.sku_size 25 | tags = var.tags 26 | } 27 | 28 | module "app_service" { 29 | source = "../../resources/app_service/app_service" 30 | name_prefix = "app-test" 31 | resource_group = module.resource_group.name 32 | region = module.resource_group.location 33 | environment = var.environment 34 | app_service_plan_id = module.app_service_plan.id 35 | tags = var.tags 36 | } 37 | -------------------------------------------------------------------------------- /resources/network/network_security_rule/main.tf: -------------------------------------------------------------------------------- 1 | ### 2 | # resource composition 3 | ### 4 | 5 | #network security rule 6 | 7 | resource "azurerm_network_security_rule" "base" { 8 | count = length(var.network_security_rules) 9 | 10 | name = var.network_security_rules[count.index]["name"] 11 | priority = var.network_security_rules[count.index]["priority"] 12 | direction = var.network_security_rules[count.index]["direction"] 13 | access = var.network_security_rules[count.index]["access"] 14 | protocol = var.network_security_rules[count.index]["protocol"] 15 | source_port_range = var.network_security_rules[count.index]["source_port_range"] 16 | destination_port_range = var.network_security_rules[count.index]["destination_port_range"] 17 | 
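source_address_prefix       = var.network_security_rules[count.index]["source_address_prefix"]
destination_address_prefix  = var.network_security_rules[count.index]["destination_address_prefix"]
resource_group_name         = var.resource_group
network_security_group_name = var.network_security_group_name
}
-------------------------------------------------------------------------------- /bin/terraform-plan.sh: --------------------------------------------------------------------------------
#!/bin/sh
# Run `terraform init` and `terraform plan` for every environment directory
# that contains a terraform.tfvars, writing the plan to <env>/tfplan.
#
# Required environment variables (supplied by the CI job):
#   ACCESS_KEY, STORAGE_ACCOUNT_NAME        remote-state storage account
#   SUBSCRIPTION_ID, TENANT_ID, APP_ID,
#   CLIENT_SECRET                           service-principal credentials
#   SHARED_SERVICES_SUBSCRIPTION_ID         cross-subscription references
#
# Secrets (ACCESS_KEY, CLIENT_SECRET) are handed to Terraform through the
# environment (ARM_ACCESS_KEY / TF_VAR_*) instead of -var arguments, so they no
# longer show up in `ps` output or in CI command logs. Two consequences:
#   * terraform.tfvars must not define access_key or client_secret, because a
#     tfvars file now takes precedence over the environment (it did not over
#     -var).
#   * the tfplan file still embeds every variable value in plaintext, so it
#     must be handled as a secret artifact.
#
# `set -u` makes a missing variable fail fast instead of silently planning
# with empty credentials.
set -eu

environments="environments/audit/ environments/shared-services/ environments/dev/ environments/prod/ environments/test/"

# The azurerm backend reads its storage key from ARM_ACCESS_KEY; TF_VAR_* feeds
# the same root variables the removed -var flags used to set.
export ARM_ACCESS_KEY="$ACCESS_KEY"
export TF_VAR_access_key="$ACCESS_KEY"
export TF_VAR_client_secret="$CLIENT_SECRET"

for dir in ${environments}; do
    # Skip directories that are not checked out: with `set -e` a failed `cd`
    # aborted the whole run before the remaining environments were planned.
    [ -d "$dir" ] || { echo "skipping $dir (not found)"; continue; }
    [ -f "$dir/terraform.tfvars" ] || continue

    environment=${dir#environments/}
    solution=${environment%/}
    echo "$solution"
    # NOTE(review): kept as-is for compatibility with the existing state blobs,
    # but $environment still carries its trailing slash, so the key becomes
    # e.g. "dev/.tfstate" rather than "dev.tfstate" ($solution was presumably
    # intended). Changing it relocates state; migrate the blobs first.
    export STATE_KEY="$environment.tfstate"
    echo "$STATE_KEY"

    # Subshell instead of cd/cd -: no directory echo, and a failure inside
    # still aborts the script under `set -e`.
    (
        cd "$dir"
        terraform init -input=false -upgrade=true -backend=true \
            -backend-config="storage_account_name=$STORAGE_ACCOUNT_NAME" \
            -backend-config="key=$STATE_KEY" \
            -var "storage_account_name=$STORAGE_ACCOUNT_NAME" \
            -var "state_key=$STATE_KEY"
        terraform plan -out=tfplan -var-file=terraform.tfvars \
            -var "subscription_id=$SUBSCRIPTION_ID" \
            -var "tenant_id=$TENANT_ID" \
            -var "app_id=$APP_ID" \
            -var "storage_account_name=$STORAGE_ACCOUNT_NAME" \
            -var "state_key=$STATE_KEY" \
            -var "shared_services_subscription_id=$SHARED_SERVICES_SUBSCRIPTION_ID"
    )
done
-------------------------------------------------------------------------------- /resources/network/route_table/README.md: --------------------------------------------------------------------------------
## Requirements

No requirements.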
4 | 5 | ## Providers 6 | 7 | | Name | Version | 8 | |------|---------| 9 | | azurerm | n/a | 10 | 11 | ## Inputs 12 | 13 | | Name | Description | Type | Default | Required | 14 | |------|-------------|------|---------|:--------:| 15 | | disable\_bgp\_route\_propagation | (Optional) Boolean flag which controls propagation of routes learned by BGP on that route table. True means disable. | `bool` | `null` | no | 16 | | environment | Development environment for resource; prod, non-prod, shared-services | `string` | n/a | yes | 17 | | name\_prefix | A short pre-defined text to identify the resource type | `string` | `"route"` | no | 18 | | region | Geographic Region resource will be deployed into | `string` | n/a | yes | 19 | | resource\_group | The name of the target resource group | `string` | n/a | yes | 20 | | tags | A map of tags to add to all resources | `map` | `{}` | no | 21 | 22 | ## Outputs 23 | 24 | | Name | Description | 25 | |------|-------------| 26 | | id | The Route Table ID. | 27 | | name | The Route Table Name. | 28 | | subnets | The collection of Subnets associated with this route table. 
| 29 | 30 | -------------------------------------------------------------------------------- /resources/network/virtual_network/variables.tf: -------------------------------------------------------------------------------- 1 | ### 2 | # resource variables 3 | ### 4 | 5 | #common 6 | 7 | variable "resource_group" { 8 | description = "The name of the target resource group" 9 | type = string 10 | } 11 | 12 | variable "name_prefix" { 13 | description = "A short pre-defined text to identify the resource type" 14 | type = string 15 | default = "vnet" 16 | } 17 | 18 | variable "region" { 19 | description = "Geographic Region resource will be deployed into" 20 | type = string 21 | } 22 | 23 | variable "environment" { 24 | description = "Development environment for resource; prod, non-prod, shared-services" 25 | type = string 26 | } 27 | 28 | #network 29 | 30 | variable "address_space" { 31 | description = "This is a list of the ip address ranges for the vnet" 32 | type = list(any) 33 | } 34 | 35 | variable "dns_servers" { 36 | description = "(Optional) List of IP addresses of DNS servers" 37 | type = list(any) 38 | default = null 39 | } 40 | 41 | #tags 42 | 43 | variable "tags" { 44 | description = "A map of tags to add to all resources" 45 | type = map(any) 46 | default = {} 47 | } 48 | 49 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) Microsoft Corporation. 
4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE -------------------------------------------------------------------------------- /modules/logs/main.tf: -------------------------------------------------------------------------------- 1 | ### 2 | # module composition 3 | ### 4 | 5 | #resource group 6 | 7 | module "resource_group" { 8 | source = "../../resources/base/resource_group" 9 | service_name = "logs" 10 | region = var.region 11 | environment = var.environment 12 | tags = var.tags 13 | } 14 | 15 | module "log_analytics" { 16 | source = "../../resources/log_analytics/log_analytics" 17 | name_prefix = "log" 18 | resource_group = module.resource_group.name 19 | region = module.resource_group.location 20 | environment = var.environment 21 | sku = "PerGB2018" 22 | retention_in_days = 30 23 | tags = var.tags 24 | } 25 | 26 | module "archive_storage_account" { 27 | source = "../../resources/storage/storage_account" 28 | 
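resource_group           = module.resource_group.name
region                   = module.resource_group.location
environment              = var.environment
name_prefix              = "starchivelogs"
access_tier              = "Hot"
account_tier             = "Standard"
account_replication_type = "LRS"
tags                     = var.tags
}
-------------------------------------------------------------------------------- /modules/bastion/main.tf: --------------------------------------------------------------------------------
###
# module composition
###

#resource group

# Dedicated resource group for the bastion host. tags is forwarded here as the
# other modules do (the resource_group module declares a tags input); it was
# previously omitted, which left the group untagged.
module "resource_group" {
  source       = "../../resources/base/resource_group"
  service_name = "bastion"
  region       = var.region
  environment  = var.environment
  tags         = var.tags
}

# Azure Bastion requires a Standard-SKU, statically allocated public IP.
module "public_ip" {
  source            = "../../resources/network/public_ip"
  resource_group    = module.resource_group.name
  region            = module.resource_group.location
  environment       = var.environment
  name_prefix       = "pip-bastion"
  allocation_method = "Static"
  sku               = "Standard"
  tags              = var.tags
}

# Bastion host attached to the given VNet; the bastion subnet is presumably
# created from address_prefix_bastion by the bastion_host resource module.
# NOTE(review): tags is not forwarded here because this file does not show
# whether resources/network/bastion_host declares a tags input — check its
# variables.tf and pass var.tags if it does.
module "bastion" {
  source                         = "../../resources/network/bastion_host"
  resource_group                 = module.resource_group.name
  region                         = module.resource_group.location
  address_prefix_bastion         = var.address_prefix_bastion
  environment                    = var.environment
  virtual_network_name           = var.virtual_network_name
  virtual_network_resource_group = var.virtual_network_resource_group
  public_ip_address_id           = module.public_ip.id
}
-------------------------------------------------------------------------------- /.devcontainer/devcontainer.json: --------------------------------------------------------------------------------
{
  "name": "Azure Terraform (Community)",
  "build": {
    "dockerfile": "Dockerfile",
    "args": {
      "TERRAFORM_VERSION": "0.14.5",
      "TFLINT_VERSION": "0.18.0",
      "INSTALL_AZURE_CLI": "true",
      "INSTALL_DOCKER": "true",
      "INSTALL_NODE": "true"
    }
  },
  "mounts": [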
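// NOTE(review): this bind-mounts the host Docker socket into the container; a
// process inside can drive the host daemon, so keep this image dev-only.
"source=/var/run/docker.sock,target=/var/run/docker-host.sock,type=bind"
],
"overrideCommand": false,

// Set *default* container specific settings.json values on container create.
"settings": {
  "terminal.integrated.shell.linux": "/bin/bash"
},

// Add the IDs of extensions you want installed when the container is created.
"extensions": [
  "hashicorp.terraform",
  "ms-azuretools.vscode-azureterraform",
  "ms-vscode.azurecli",
  "ms-azuretools.vscode-docker"
],

// Use 'forwardPorts' to make a list of ports inside the container available locally.
// "forwardPorts": [],

// Use 'postCreateCommand' to run commands after the container is created.
// "postCreateCommand": "terraform --version",

// Comment out connect as root instead. More info: https://aka.ms/vscode-remote/containers/non-root.
"remoteUser": "vscode"
}
--------------------------------------------------------------------------------
/resources/container/kubernetes_cluster/outputs.tf:
--------------------------------------------------------------------------------
###
# resource outputs
###

output "id" {
  value = azurerm_kubernetes_cluster.base.id
}

output "name" {
  value = azurerm_kubernetes_cluster.base.name
}

output "fqdn" {
  value = azurerm_kubernetes_cluster.base.fqdn
}

output "node_resource_group" {
  value = azurerm_kubernetes_cluster.base.node_resource_group
}

# The three outputs flagged below carry cluster credentials (the full
# kubeconfig, the client private key and the password). They are marked
# sensitive so plan/apply output and `terraform output` redact them; this is
# supported from Terraform 0.14, which the devcontainer pins. The values are
# still stored in clear text in the state file, so the state backend itself
# must stay access-controlled. A root-module output that re-exports one of
# these must also set sensitive = true or the plan is rejected.
output "kube_config_raw" {
  value     = azurerm_kubernetes_cluster.base.kube_config_raw
  sensitive = true
}

output "kube_config_client_key" {
  value     = azurerm_kubernetes_cluster.base.kube_config.0.client_key
  sensitive = true
}

output "kube_config_client_certificate" {
  value = azurerm_kubernetes_cluster.base.kube_config.0.client_certificate
}

output "kube_config_cluster_ca_certificate" {
  value = azurerm_kubernetes_cluster.base.kube_config.0.cluster_ca_certificate
}

output "kube_config_host" {
  value = azurerm_kubernetes_cluster.base.kube_config.0.host
}

output "kube_config_username" {
  value = azurerm_kubernetes_cluster.base.kube_config.0.username
}

output "kube_config_password" {
  value     = azurerm_kubernetes_cluster.base.kube_config.0.password
  sensitive = true
}

--------------------------------------------------------------------------------
/resources/network/network_interface/main.tf:
--------------------------------------------------------------------------------
###
# resource composition
###

#network interface

# Creates var.nic_count NICs named <name_prefix>-<NN>-<environment>-<region>,
# each with a single ip_configuration. A static private address is only taken
# from var.private_ip_address when the allocation is "Static"; element() wraps
# around, so a list shorter than nic_count silently reuses addresses.
resource "azurerm_network_interface" "base" {
  count = var.nic_count

  name                          = "${var.name_prefix}-${format("%02d", count.index)}-${var.environment}-${var.region}"
  location                      = var.region
  resource_group_name           = var.resource_group
  dns_servers                   = var.dns_servers
  enable_ip_forwarding          = var.enable_ip_forwarding
  enable_accelerated_networking = var.enable_accelerated_networking
  internal_dns_name_label       = var.internal_dns_name_label

  ip_configuration {
    name                          = "ip-${var.name_prefix}-${format("%02d", count.index)}-${var.environment}-${var.region}"
    subnet_id                     = var.subnet_id
    private_ip_address_version    = var.private_ip_address_version
    private_ip_address_allocation = var.private_ip_address_allocation
    public_ip_address_id          = var.public_ip_address_id
    primary                       = var.primary
    private_ip_address            = var.private_ip_address_allocation != "Static" ? null : element(var.private_ip_address, count.index)
  }
}
--------------------------------------------------------------------------------
/resources/network/virtual_network/README.md:
--------------------------------------------------------------------------------
## Requirements

No requirements.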
4 | 5 | ## Providers 6 | 7 | | Name | Version | 8 | |------|---------| 9 | | azurerm | n/a | 10 | 11 | ## Inputs 12 | 13 | | Name | Description | Type | Default | Required | 14 | |------|-------------|------|---------|:--------:| 15 | | address\_space | This is a list of the ip address ranges for the vnet | `list` | n/a | yes | 16 | | dns\_servers | (Optional) List of IP addresses of DNS servers | `list` | `null` | no | 17 | | environment | Development environment for resource; prod, non-prod, shared-services | `string` | n/a | yes | 18 | | name\_prefix | A short pre-defined text to identify the resource type | `string` | `"vnet"` | no | 19 | | region | Geographic Region resource will be deployed into | `string` | n/a | yes | 20 | | resource\_group | The name of the target resource group | `string` | n/a | yes | 21 | | tags | A map of tags to add to all resources | `map` | `{}` | no | 22 | 23 | ## Outputs 24 | 25 | | Name | Description | 26 | |------|-------------| 27 | | address\_space | The address space that is used the virtual network. | 28 | | id | The virtual NetworkConfiguration ID. | 29 | | name | The name of the virtual network. | 30 | | resource\_group\_name | The name of the resource group in which to create the virtual network. | 31 | 32 | -------------------------------------------------------------------------------- /resources/network/dns_a_record/variables.tf: -------------------------------------------------------------------------------- 1 | ### 2 | # resource variables 3 | ### 4 | 5 | #common 6 | 7 | variable "resource_group" { 8 | description = "The name of the target resource group" 9 | type = string 10 | } 11 | 12 | #a_record 13 | 14 | variable "a_record_name" { 15 | description = "(Required) The name of the DNS A Record." 16 | type = string 17 | } 18 | 19 | variable "zone_name" { 20 | description = "(Required) Specifies the DNS Zone where the resource exists. Changing this forces a new resource to be created." 
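type = string
}

variable "ttl" {
  description = "(Required) The Time To Live (TTL) of the DNS record in seconds."
  type        = string
}

#either records OR target_resource_id must be specified, but not both.

variable "records" {
  description = "(Optional) List of IPv4 Addresses. Conflicts with target_resource_id."
  type        = list(any)
  default     = null
}

variable "target_resource_id" {
  description = "(Optional) The Azure resource id of the target object. Conflicts with records"
  type        = string
  default     = null
}

#tags

variable "tags" {
  description = "A map of tags to add to all resources"
  type        = map(any)
  default     = {}
}

--------------------------------------------------------------------------------
/bin/terraform-destroy.sh:
--------------------------------------------------------------------------------
#!/bin/sh
# Runs `terraform destroy` for every environment directory listed in
# $environments that contains a terraform.tfvars, against the remote state
# "<branch>.<environment>.tfstate" in the configured storage account.
#
# Expects ACCESS_KEY, STORAGE_ACCOUNT_NAME, SUBSCRIPTION_ID, TENANT_ID,
# CLIENT_SECRET, APP_ID and SHARED_SERVICES_SUBSCRIPTION_ID in the environment.
set -e

environments="environments/prod/ environments/pre-prod/ environments/audit/ environments/test/ environments/shared-services/"

# The two secrets are handed to terraform through environment variables instead
# of -var / -backend-config arguments, so they do not show up in the process
# list, in shell history or in CI command echo. Terraform reads TF_VAR_<name>
# for an input variable and the azurerm backend reads ARM_ACCESS_KEY. A value
# set in terraform.tfvars would still take precedence over TF_VAR_*, so keep
# client_secret and access_key out of the tfvars files.
export TF_VAR_client_secret="$CLIENT_SECRET"
export TF_VAR_access_key="$ACCESS_KEY"
export ARM_ACCESS_KEY="$ACCESS_KEY"

for dir in ${environments}; do
  # NOTE(review): with set -e, a listed directory that is missing from the checkout aborts the whole run here.
  cd "$dir";
  if [ -f terraform.tfvars ];
  then
    git_branch=$(git rev-parse --abbrev-ref HEAD);
    echo "$git_branch";
    # Drop a leading "feature/" and lower-case the branch so it can be used as a state-key segment.
    formatted_branch=$(echo "${git_branch#feature/}" | tr '[:upper:]' '[:lower:]');
    echo "$formatted_branch";
    export ENVIRONMENT="$formatted_branch";
    echo "$dir";
    solution=${dir#environments/};
    echo "$solution";
    solution=${solution%/};
    echo "$solution";
    export STATE_KEY="$formatted_branch.$solution.tfstate";
    echo "$STATE_KEY";

    terraform init -input=false -upgrade=true -backend=true -backend-config="storage_account_name=$STORAGE_ACCOUNT_NAME" -backend-config="key=$STATE_KEY";
    # -auto-approve: this is the unattended teardown path, nothing prompts.
    terraform destroy -auto-approve -var-file=terraform.tfvars -var "subscription_id=$SUBSCRIPTION_ID" -var "tenant_id=$TENANT_ID" -var "app_id=$APP_ID" -var "storage_account_name=$STORAGE_ACCOUNT_NAME" -var "state_key=$STATE_KEY" -var "shared_services_subscription_id=$SHARED_SERVICES_SUBSCRIPTION_ID";
  fi;
  cd -;
done
--------------------------------------------------------------------------------
/modules/network_hub/variables.tf:
--------------------------------------------------------------------------------
###
# module variables
###

#common

variable "region" {
  description = "Geographic Region resource will be deployed into"
  type        = string
}

variable "environment" {
  description = "Development environment for resource; prod, non-prod, shared-services"
  type        = string
}

#virtual network

variable "address_space" {
  description = "This is a list of the ip address ranges for the vnet"
  type        = list(any)
}

variable "dns_servers" {
  description = "(Optional) List of IP addresses of DNS servers"
  type        = list(any)
  default     = null
}

#subnet

variable "address_prefix_fw" {
  description = "The address prefixe to use for the fw subnet."
  type        = list(any)
}

variable "address_prefix_bastion" {
  description = "(Required) The address prefix for the bastion subnet"
  type        = list(any)
}

variable "address_prefix_agw" {
  description = "The subnet address prefix to use for the agw."
  type        = list(string)
}

#tags

variable "tags" {
  description = "A map of tags to add to all resources"
  type        = map(any)
  default     = {}
}

--------------------------------------------------------------------------------
/resources/network/firewall_network_rule_collection/README.md:
--------------------------------------------------------------------------------
## Requirements

No requirements.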
4 | 5 | ## Providers 6 | 7 | | Name | Version | 8 | |------|---------| 9 | | azurerm | n/a | 10 | 11 | ## Inputs 12 | 13 | | Name | Description | Type | Default | Required | 14 | |------|-------------|------|---------|:--------:| 15 | | action | (Required) Specifies the action the rule will apply to matching traffic. Possible values are Allow and Deny. | `string` | n/a | yes | 16 | | azure\_firewall\_name | (Required) Specifies the name of the Firewall in which the Network Rule Collection should be created. Changing this forces a new resource to be created. | `string` | n/a | yes | 17 | | name\_prefix | Specifies the name of the Firewall. Changing this forces a new resource to be created. | `string` | `"firewall-network-rule-collection"` | no | 18 | | priority | (Required) Specifies the priority of the rule collection. Possible values are between 100 - 65000. | `string` | n/a | yes | 19 | | region | Geographic Region resource will be deployed into | `string` | n/a | yes | 20 | | resource\_group | The name of the target resource group | `string` | n/a | yes | 21 | | rule | (Required) One or more rule blocks as defined below. | `list` | `[]` | no | 22 | | tags | Optional tags to be added to resource | `map` | `{}` | no | 23 | 24 | ## Outputs 25 | 26 | No output. 
27 | 28 | -------------------------------------------------------------------------------- /environments/test/main.tf: -------------------------------------------------------------------------------- 1 | ### 2 | # environment composition 3 | ### 4 | 5 | module "network_hub" { 6 | source = "../../modules/network_hub" 7 | environment = var.environment 8 | region = var.region 9 | address_space = var.address_space 10 | tags = var.tags 11 | address_prefix_agw = var.address_prefix_agw 12 | address_prefix_fw = var.address_prefix_fw 13 | address_prefix_bastion = var.address_prefix_bastion 14 | } 15 | 16 | module "audit_logs" { 17 | source = "../../modules/logs" 18 | environment = var.environment 19 | region = var.region 20 | } 21 | 22 | module "aks_baseline" { 23 | source = "../../modules/aks_baseline" 24 | environment = var.environment 25 | region = var.region 26 | virtual_network_resource_group = module.network_hub.virtual_network_resource_group_name 27 | virtual_network_name = module.network_hub.virtual_network_name 28 | address_prefix_aks = var.address_prefix_aks 29 | dns_service_ip = var.dns_service_ip 30 | docker_bridge_cidr = var.docker_bridge_cidr 31 | service_cidr = var.service_cidr 32 | tags = var.tags 33 | log_analytics_workspace_id = module.audit_logs.log_analytics_id 34 | } 35 | -------------------------------------------------------------------------------- /resources/log_analytics/log_analytics/variables.tf: -------------------------------------------------------------------------------- 1 | ### 2 | # resource variables 3 | ### 4 | 5 | #common 6 | 7 | variable "resource_group" { 8 | description = "The name of the target resource group" 9 | type = string 10 | } 11 | 12 | variable "name_prefix" { 13 | description = "a short pre-defined text to identify resource type" 14 | type = string 15 | default = "log" 16 | } 17 | 18 | variable "environment" { 19 | description = "Development environment for resource; prod, non-prod, shared-services" 20 | type = string 21 | 
} 22 | 23 | variable "region" { 24 | description = "Geographic Region resource will be deployed into" 25 | type = string 26 | } 27 | 28 | #log analytics 29 | 30 | variable "sku" { 31 | description = "(Required) Specifies the Sku of the Log Analytics Workspace. Possible values are Free, PerNode, Premium, Standard, Standalone, Unlimited, and PerGB2018 (new Sku as of 2018-04-03)." 32 | type = string 33 | } 34 | 35 | variable "retention_in_days" { 36 | description = "(Optional) The workspace data retention in days. Possible values are either 7 (Free Tier only) or range between 30 and 730." 37 | type = number 38 | default = null 39 | } 40 | 41 | #tags 42 | 43 | variable "tags" { 44 | description = "Optional tags to be added to resource" 45 | type = map(any) 46 | default = {} 47 | } 48 | 49 | -------------------------------------------------------------------------------- /modules/domain_controllers/README.md: -------------------------------------------------------------------------------- 1 | ## Requirements 2 | 3 | No requirements. 4 | 5 | ## Providers 6 | 7 | No provider. 8 | 9 | ## Inputs 10 | 11 | | Name | Description | Type | Default | Required | 12 | |------|-------------|------|---------|:--------:| 13 | | address\_prefix\_adds | (Required) The address prefix for the adds subnet | `list` | n/a | yes | 14 | | environment | Development environment for resource; prod, non-prod, shared-services | `string` | n/a | yes | 15 | | private\_ip\_address\_adds | (Required) The Static IP address for the aads Servers | `list` | n/a | yes | 16 | | region | Geographic Region resource will be deployed into | `string` | n/a | yes | 17 | | storage\_account\_uri | (Required) The Primary/Secondary Endpoint for the Azure Storage Account which should be used to store Boot Diagnostics, including Console Output and Screenshots from the Hypervisor. 
| `string` | n/a | yes | 18 | | tags | A map of tags to add to all resources | `map` | `{}` | no | 19 | | virtual\_network\_name | (Required) The Name of the Virtual Network where this subnet should be located in. | `string` | n/a | yes | 20 | | virtual\_network\_resource\_group | (Required) The Name of the Virtual Network where this subnet should be located in. | `string` | n/a | yes | 21 | | vm\_size | (Required) The SKU which should be used for this Virtual Machine, such as Standard\_F2. | `string` | `"Standard_B2s"` | no | 22 | 23 | ## Outputs 24 | 25 | No output. 26 | 27 | -------------------------------------------------------------------------------- /modules/windows_jumpbox/README.md: -------------------------------------------------------------------------------- 1 | ## Requirements 2 | 3 | No requirements. 4 | 5 | ## Providers 6 | 7 | No provider. 8 | 9 | ## Inputs 10 | 11 | | Name | Description | Type | Default | Required | 12 | |------|-------------|------|---------|:--------:| 13 | | address\_prefix\_jumpbox | (Required) The address prefix for the aads subnet | `list` | n/a | yes | 14 | | environment | Development environment for resource; prod, non-prod, shared-services | `string` | n/a | yes | 15 | | region | Geographic Region resource will be deployed into | `string` | n/a | yes | 16 | | storage\_account\_uri | (Required) The Primary/Secondary Endpoint for the Azure Storage Account which should be used to store Boot Diagnostics, including Console Output and Screenshots from the Hypervisor. | `string` | n/a | yes | 17 | | tags | A map of tags to add to all resources | `map` | `{}` | no | 18 | | virtual\_network\_name | (Required) The Name of the Virtual Network where this subnet should be located in. | `string` | n/a | yes | 19 | | virtual\_network\_resource\_group | (Required) The Name of the Virtual Network where this subnet should be located in. 
| `string` | n/a | yes | 20 | | vm\_size | (Required) The SKU which should be used for this Virtual Machine, such as Standard\_F2. | `string` | `"Standard_B2s"` | no | 21 | 22 | ## Outputs 23 | 24 | | Name | Description | 25 | |------|-------------| 26 | | virtual\_machine\_id | The ID of the Windows Virtual Machine. | 27 | 28 | -------------------------------------------------------------------------------- /resources/container/kubernetes_cluster_node_pool/main.tf: -------------------------------------------------------------------------------- 1 | ### 2 | # resource composition 3 | ### 4 | 5 | #kubernetes_cluster_node_pool 6 | 7 | resource "azurerm_kubernetes_cluster_node_pool" "base" { 8 | orchestrator_version = var.kubernetes_version 9 | name = var.node_pool_name 10 | kubernetes_cluster_id = var.kubernetes_cluster_id 11 | vm_size = var.vm_size 12 | availability_zones = var.availability_zones 13 | enable_auto_scaling = var.enable_auto_scaling 14 | enable_node_public_ip = var.enable_node_public_ip 15 | max_pods = var.max_pods 16 | max_count = var.max_count 17 | min_count = var.min_count 18 | node_count = var.node_count 19 | priority = var.priority 20 | spot_max_price = var.spot_max_price 21 | eviction_policy = var.eviction_policy 22 | mode = var.mode 23 | node_labels = var.node_labels 24 | node_taints = var.node_taints 25 | os_disk_size_gb = var.os_disk_size_gb 26 | os_disk_type = var.os_disk_type 27 | os_type = var.os_type 28 | proximity_placement_group_id = var.proximity_placement_group_id 29 | vnet_subnet_id = var.vnet_subnet_id 30 | tags = var.tags 31 | } 32 | -------------------------------------------------------------------------------- /resources/log_analytics/log_analytics/README.md: -------------------------------------------------------------------------------- 1 | ## Requirements 2 | 3 | No requirements. 
4 | 5 | ## Providers 6 | 7 | | Name | Version | 8 | |------|---------| 9 | | azurerm | n/a | 10 | | random | n/a | 11 | 12 | ## Inputs 13 | 14 | | Name | Description | Type | Default | Required | 15 | |------|-------------|------|---------|:--------:| 16 | | environment | Development environment for resource; prod, non-prod, shared-services | `string` | n/a | yes | 17 | | name\_prefix | a short pre-defined text to identify resource type | `string` | `"log"` | no | 18 | | region | Geographic Region resource will be deployed into | `string` | n/a | yes | 19 | | resource\_group | The name of the target resource group | `string` | n/a | yes | 20 | | retention\_in\_days | (Optional) The workspace data retention in days. Possible values are either 7 (Free Tier only) or range between 30 and 730. | `number` | `null` | no | 21 | | sku | (Required) Specifies the Sku of the Log Analytics Workspace. Possible values are Free, PerNode, Premium, Standard, Standalone, Unlimited, and PerGB2018 (new Sku as of 2018-04-03). 
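| `string` | n/a | yes |
| tags | Optional tags to be added to resource | `map` | `{}` | no |

## Outputs

| Name | Description |
|------|-------------|
| id | Log Analytics Workspace id |
| primary\_shared\_key | Primary shared key for the Log Analytics Workspace |
| workspace\_id | Workspace (or Customer) ID for the Log Analytics Workspace |

--------------------------------------------------------------------------------
/bin/terraform-apply.sh:
--------------------------------------------------------------------------------
#!/bin/sh
# Runs `terraform plan` and applies the saved plan for every environment
# directory listed in $environments that contains a terraform.tfvars, against
# the remote state "<branch>.<environment>.tfstate" in the configured storage
# account.
#
# Expects ACCESS_KEY, STORAGE_ACCOUNT_NAME, SUBSCRIPTION_ID, TENANT_ID,
# CLIENT_SECRET, APP_ID and SHARED_SERVICES_SUBSCRIPTION_ID in the environment.
set -e

environments="environments/audit/ environments/shared-services/ environments/pre-prod/ environments/prod/ environments/test/"

# The two secrets are handed to terraform through environment variables instead
# of -var / -backend-config arguments, so they do not show up in the process
# list, in shell history or in CI command echo. Terraform reads TF_VAR_<name>
# for an input variable and the azurerm backend reads ARM_ACCESS_KEY. A value
# set in terraform.tfvars would still take precedence over TF_VAR_*, so keep
# client_secret and access_key out of the tfvars files.
export TF_VAR_client_secret="$CLIENT_SECRET"
export TF_VAR_access_key="$ACCESS_KEY"
export ARM_ACCESS_KEY="$ACCESS_KEY"

for dir in ${environments}; do
  # NOTE(review): with set -e, a listed directory that is missing from the checkout aborts the whole run here.
  cd "$dir";
  if [ -f terraform.tfvars ];
  then
    git_branch=$(git rev-parse --abbrev-ref HEAD);
    echo "$git_branch";
    # Drop a leading "feature/" and lower-case the branch so it can be used as a state-key segment.
    formatted_branch=$(echo "${git_branch#feature/}" | tr '[:upper:]' '[:lower:]');
    echo "$formatted_branch";
    export ENVIRONMENT="$formatted_branch";
    echo "$dir";
    solution=${dir#environments/};
    echo "$solution";
    solution=${solution%/};
    echo "$solution";
    export STATE_KEY="$formatted_branch.$solution.tfstate";
    echo "$STATE_KEY";

    terraform init -input=false -upgrade=true -backend=true -backend-config="storage_account_name=$STORAGE_ACCOUNT_NAME" -backend-config="key=$STATE_KEY" -var "storage_account_name=$STORAGE_ACCOUNT_NAME" -var "state_key=$STATE_KEY";
    # The saved plan is applied as-is, so what was reviewed is exactly what runs.
    # tfplan embeds every input variable value, the secrets included; it must not
    # be committed or kept as a build artifact.
    terraform plan -out=tfplan -var-file=terraform.tfvars -var "subscription_id=$SUBSCRIPTION_ID" -var "tenant_id=$TENANT_ID" -var "app_id=$APP_ID" -var "storage_account_name=$STORAGE_ACCOUNT_NAME" -var "state_key=$STATE_KEY" -var "shared_services_subscription_id=$SHARED_SERVICES_SUBSCRIPTION_ID";
    terraform apply tfplan;
  fi;
  cd -;
done
--------------------------------------------------------------------------------
/resources/key_vault/key_vault_certificate/main.tf:
--------------------------------------------------------------------------------
###
# resource composition
###

# Creates one Key Vault certificate. The dynamic "certificate" block is only
# emitted for the entries of var.certificate, so with an empty value no
# contents/password are uploaded and only certificate_policy applies.
# NOTE(review): certificate.value.password is the import password of the
# uploaded bundle; the declaration of var.certificate is not visible here, so
# confirm it is marked sensitive = true and never sourced from a tfvars file
# committed to the repository.
resource "azurerm_key_vault_certificate" "base" {
  name         = var.certificate_name
  key_vault_id = var.key_vault_id

  dynamic "certificate" {
    for_each = var.certificate
    content {
      contents = certificate.value.contents
      password = certificate.value.password
    }
  }

  certificate_policy {
    issuer_parameters {
      name = var.issuer_name
    }

    key_properties {
      exportable = var.exportable
      key_size   = var.key_size
      key_type   = var.key_type
      reuse_key  = var.reuse_key
    }
    lifetime_action {
      action {
        action_type = var.action_type
      }

      trigger {
        days_before_expiry  = var.days_before_expiry
        lifetime_percentage = var.lifetime_percentage
      }
    }

    secret_properties {
      content_type = var.content_type
    }
    x509_certificate_properties {
      extended_key_usage = var.extended_key_usage
      key_usage          = var.key_usage
      subject_alternative_names {
        dns_names = var.dns_names
        emails    = var.emails
        upns      = var.upns
      }
      subject            = var.subject
      validity_in_months = var.validity_in_months
    }
  }
}

--------------------------------------------------------------------------------
/resources/container/container_registry/README.md:
--------------------------------------------------------------------------------
## Requirements

No requirements.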
4 | 5 | ## Providers 6 | 7 | | Name | Version | 8 | |------|---------| 9 | | azurerm | n/a | 10 | | random | n/a | 11 | 12 | ## Inputs 13 | 14 | | Name | Description | Type | Default | Required | 15 | |------|-------------|------|---------|:--------:| 16 | | admin\_enabled | (Optional) Specifies whether the admin user is enabled. Defaults to false. | `bool` | `null` | no | 17 | | environment | Development environment for resource; prod, non-prod, shared-services | `string` | n/a | yes | 18 | | georeplication\_locations | (Optional) A list of Azure locations where the container registry should be geo-replicated. | `list` | `null` | no | 19 | | name\_prefix | A short pre-defined text to identify the resource type | `string` | `"acr"` | no | 20 | | network\_rule\_set | (Optional) A network\_rule\_set block as documented below. | `list` | `[]` | no | 21 | | region | Geographic Region resource will be deployed into | `string` | n/a | yes | 22 | | resource\_group | The name of the target resource group | `string` | n/a | yes | 23 | | sku | (Optional) The SKU name of the container registry. Possible values are Basic, Standard and Premium. Classic (which was previously Basic) is supported only for existing resources. | `string` | `null` | no | 24 | | tags | A map of tags to add to all resources | `map` | `{}` | no | 25 | 26 | ## Outputs 27 | 28 | | Name | Description | 29 | |------|-------------| 30 | | id | The ID of the Container Registry. | 31 | 32 | -------------------------------------------------------------------------------- /resources/network/route/README.md: -------------------------------------------------------------------------------- 1 | ## Requirements 2 | 3 | No requirements. 
4 | 5 | ## Providers 6 | 7 | | Name | Version | 8 | |------|---------| 9 | | azurerm | n/a | 10 | 11 | ## Inputs 12 | 13 | | Name | Description | Type | Default | Required | 14 | |------|-------------|------|---------|:--------:| 15 | | address\_prefix | (Required) The destination CIDR to which the route applies, such as 10.1.0.0/16 | `string` | n/a | yes | 16 | | environment | Development environment for resource; prod, non-prod, shared-services | `string` | n/a | yes | 17 | | next\_hop\_in\_ip\_address | (Optional) Contains the IP address packets should be forwarded to. Next hop values are only allowed in routes where the next hop type is VirtualAppliance. | `string` | `null` | no | 18 | | next\_hop\_type | (Required) The type of Azure hop the packet should be sent to. Possible values are VirtualNetworkGateway, VnetLocal, Internet, VirtualAppliance and None | `string` | n/a | yes | 19 | | region | Geographic Region resource will be deployed into | `string` | n/a | yes | 20 | | resource\_group | The name of the target resource group | `string` | n/a | yes | 21 | | route\_name | (Required) The name of the route. Changing this forces a new resource to be created. | `string` | n/a | yes | 22 | | route\_table\_name | (Required) The name of the route table within which create the route. Changing this forces a new resource to be created. | `string` | n/a | yes | 23 | 24 | ## Outputs 25 | 26 | | Name | Description | 27 | |------|-------------| 28 | | id | n/a | 29 | 30 | -------------------------------------------------------------------------------- /resources/compute/virtual_machine_data_disk_attachment/variables.tf: -------------------------------------------------------------------------------- 1 | ### 2 | # resource variables 3 | ### 4 | 5 | variable "managed_disk_id" { 6 | description = "(Required) The ID of an existing Managed Disk which should be attached. Changing this forces a new resource to be created." 
7 | type = list(any) 8 | } 9 | 10 | variable "virtual_machine_id" { 11 | description = "(Required) The ID of the Virtual Machine to which the Data Disk should be attached. Changing this forces a new resource to be created." 12 | type = list(any) 13 | } 14 | 15 | variable "lun" { 16 | description = "(Required) The Logical Unit Number of the Data Disk, which needs to be unique within the Virtual Machine. Changing this forces a new resource to be created." 17 | type = string 18 | } 19 | 20 | variable "caching" { 21 | description = "(Required) Specifies the caching requirements for this Data Disk. Possible values include None, ReadOnly and ReadWrite." 22 | type = string 23 | } 24 | 25 | variable "create_option" { 26 | description = "(Optional) The Create Option of the Data Disk, such as Empty or Attach. Defaults to Attach. Changing this forces a new resource to be created." 27 | type = string 28 | default = null 29 | } 30 | 31 | variable "write_accelerator_enabled" { 32 | description = "(Optional) Specifies if Write Accelerator is enabled on the disk. This can only be enabled on Premium_LRS managed disks with no caching and M-Series VMs. Defaults to false." 33 | type = bool 34 | default = null 35 | } -------------------------------------------------------------------------------- /resources/network/firewall/README.md: -------------------------------------------------------------------------------- 1 | ## Requirements 2 | 3 | No requirements. 4 | 5 | ## Providers 6 | 7 | | Name | Version | 8 | |------|---------| 9 | | azurerm | n/a | 10 | 11 | ## Inputs 12 | 13 | | Name | Description | Type | Default | Required | 14 | |------|-------------|------|---------|:--------:| 15 | | address\_prefixes | (Required) The address prefixes to use for the azfw subnet. | `list` | n/a | yes | 16 | | environment | Development environment for resource; prod, non-prod, shared-services | `string` | n/a | yes | 17 | | name\_prefix | Specifies the name of the Firewall. 
Changing this forces a new resource to be created. | `string` | `"azfw"` | no | 18 | | public\_ip\_address\_id | (Required) The Resource ID of the Public IP Address associated with the firewall. | `string` | n/a | yes | 19 | | region | Geographic Region resource will be deployed into | `string` | n/a | yes | 20 | | resource\_group | The name of the target resource group | `string` | n/a | yes | 21 | | tags | Optional tags to be added to resource | `map` | `{}` | no | 22 | | virtual\_network\_name | (Required) The name of the virtual network to which to attach the subnet. Changing this forces a new resource to be created. | `string` | n/a | yes | 23 | | zones | (Optional) Specifies the availability zones in which the Azure Firewall should be created. | `list` | `null` | no | 24 | 25 | ## Outputs 26 | 27 | | Name | Description | 28 | |------|-------------| 29 | | id | The Resource ID of the Azure Firewall. | 30 | | private\_ip\_address | The private IP address of the Azure Firewall. | 31 | 32 | -------------------------------------------------------------------------------- /modules/windows_jumpbox/variables.tf: -------------------------------------------------------------------------------- 1 | ### 2 | # module variables 3 | ### 4 | 5 | #common 6 | 7 | variable "region" { 8 | description = "Geographic Region resource will be deployed into" 9 | type = string 10 | } 11 | 12 | variable "environment" { 13 | description = "Development environment for resource; prod, non-prod, shared-services" 14 | type = string 15 | } 16 | 17 | #windows jumpbox 18 | 19 | variable "storage_account_uri" { 20 | description = "(Required) The Primary/Secondary Endpoint for the Azure Storage Account which should be used to store Boot Diagnostics, including Console Output and Screenshots from the Hypervisor." 21 | type = string 22 | } 23 | 24 | variable "virtual_network_name" { 25 | description = "(Required) The Name of the Virtual Network where this subnet should be located in." 
26 | type = string 27 | } 28 | 29 | variable "virtual_network_resource_group" { 30 | description = "(Required) The Name of the Virtual Network where this subnet should be located in." 31 | type = string 32 | } 33 | 34 | variable "vm_size" { 35 | description = "(Required) The SKU which should be used for this Virtual Machine, such as Standard_F2." 36 | type = string 37 | default = "Standard_B2s" 38 | } 39 | 40 | variable "address_prefix_jumpbox" { 41 | description = "(Required) The address prefix for the aads subnet" 42 | type = list(any) 43 | } 44 | 45 | #tags 46 | 47 | variable "tags" { 48 | description = "A map of tags to add to all resources" 49 | type = map(any) 50 | default = {} 51 | } 52 | 53 | -------------------------------------------------------------------------------- /resources/compute/virtual_machine_data_disk_attachment/README.md: -------------------------------------------------------------------------------- 1 | ## Requirements 2 | 3 | No requirements. 4 | 5 | ## Providers 6 | 7 | | Name | Version | 8 | |------|---------| 9 | | azurerm | n/a | 10 | 11 | ## Inputs 12 | 13 | | Name | Description | Type | Default | Required | 14 | |------|-------------|------|---------|:--------:| 15 | | caching | (Required) Specifies the caching requirements for this Data Disk. Possible values include None, ReadOnly and ReadWrite. | `string` | n/a | yes | 16 | | create\_option | (Optional) The Create Option of the Data Disk, such as Empty or Attach. Defaults to Attach. Changing this forces a new resource to be created. | `string` | `null` | no | 17 | | lun | (Required) The Logical Unit Number of the Data Disk, which needs to be unique within the Virtual Machine. Changing this forces a new resource to be created. | `string` | n/a | yes | 18 | | managed\_disk\_id | (Required) The ID of an existing Managed Disk which should be attached. Changing this forces a new resource to be created. 
| `list` | n/a | yes | 19 | | virtual\_machine\_id | (Required) The ID of the Virtual Machine to which the Data Disk should be attached. Changing this forces a new resource to be created. | `list` | n/a | yes | 20 | | write\_accelerator\_enabled | (Optional) Specifies if Write Accelerator is enabled on the disk. This can only be enabled on Premium\_LRS managed disks with no caching and M-Series VMs. Defaults to false. | `bool` | `null` | no | 21 | 22 | ## Outputs 23 | 24 | | Name | Description | 25 | |------|-------------| 26 | | id | The ID of the Virtual Machine Data Disk attachment. | 27 | 28 | -------------------------------------------------------------------------------- /resources/compute/managed_disk/main.tf: -------------------------------------------------------------------------------- 1 | ### 2 | # resource composition 3 | ### 4 | 5 | resource "azurerm_managed_disk" "base" { 6 | count = var.disk_count 7 | 8 | name = "${var.name_prefix}-${format("%02d", count.index)}-${var.environment}-${var.region}" 9 | location = var.region 10 | resource_group_name = var.resource_group 11 | storage_account_type = var.storage_account_type 12 | create_option = var.create_option 13 | disk_size_gb = var.disk_size_gb 14 | disk_encryption_set_id = var.disk_encryption_set_id 15 | disk_iops_read_write = var.disk_iops_read_write 16 | image_reference_id = var.image_reference_id 17 | os_type = var.os_type 18 | source_resource_id = var.source_resource_id 19 | source_uri = var.source_uri 20 | storage_account_id = var.storage_account_id 21 | zones = var.enable_zones == false ? 
null : [element(var.zones, count.index)] 22 | dynamic "encryption_settings" { 23 | for_each = var.encryption_settings 24 | content { 25 | enabled = encryption_settings.value.enabled 26 | disk_encryption_key { 27 | secret_url = encryption_settings.value.disk_encryption_key_secret_url 28 | source_vault_id = encryption_settings.value.disk_encryption_key_source_vault_id 29 | } 30 | key_encryption_key { 31 | key_url = encryption_settings.value.key_encryption_key_key_url 32 | source_vault_id = encryption_settings.value.key_encryption_key_source_vault_id 33 | } 34 | } 35 | } 36 | tags = var.tags 37 | 38 | } -------------------------------------------------------------------------------- /resources/network/route/variables.tf: -------------------------------------------------------------------------------- 1 | ### 2 | # resource variables 3 | ### 4 | 5 | #common 6 | 7 | variable "resource_group" { 8 | description = "The name of the target resource group" 9 | type = string 10 | } 11 | 12 | variable "region" { 13 | description = "Geographic Region resource will be deployed into" 14 | type = string 15 | } 16 | 17 | variable "environment" { 18 | description = "Development environment for resource; prod, non-prod, shared-services" 19 | type = string 20 | } 21 | 22 | #route 23 | 24 | variable "route_name" { 25 | description = "(Required) The name of the route. Changing this forces a new resource to be created." 26 | type = string 27 | } 28 | 29 | variable "route_table_name" { 30 | description = "(Required) The name of the route table within which create the route. Changing this forces a new resource to be created." 31 | type = string 32 | } 33 | 34 | variable "address_prefix" { 35 | description = "(Required) The destination CIDR to which the route applies, such as 10.1.0.0/16" 36 | type = string 37 | } 38 | 39 | variable "next_hop_type" { 40 | description = "(Required) The type of Azure hop the packet should be sent to. 
Possible values are VirtualNetworkGateway, VnetLocal, Internet, VirtualAppliance and None" 41 | type = string 42 | } 43 | 44 | variable "next_hop_in_ip_address" { 45 | description = "(Optional) Contains the IP address packets should be forwarded to. Next hop values are only allowed in routes where the next hop type is VirtualAppliance." 46 | type = string 47 | default = null 48 | } 49 | 50 | 51 | -------------------------------------------------------------------------------- /modules/key_vault/main.tf: -------------------------------------------------------------------------------- 1 | ### 2 | # module composition 3 | ### 4 | 5 | #resource group 6 | 7 | module "resource_group" { 8 | source = "../../resources/base/resource_group" 9 | service_name = "key-vault" 10 | region = var.region 11 | environment = var.environment 12 | tags = var.tags 13 | } 14 | 15 | module "key_vault" { 16 | source = "../../resources/key_vault/key_vault" 17 | resource_group = module.resource_group.name 18 | region = module.resource_group.location 19 | environment = var.environment 20 | sku_name = var.sku_name 21 | tags = var.tags 22 | } 23 | 24 | module "key_vault_access_policy" { 25 | source = "../../resources/key_vault/key_vault_access_policy" 26 | key_vault_id = module.key_vault.id 27 | object_id = var.object_id 28 | certificate_permissions = [ 29 | "create", 30 | "delete", 31 | "deleteissuers", 32 | "get", 33 | "getissuers", 34 | "import", 35 | "list", 36 | "listissuers", 37 | "managecontacts", 38 | "manageissuers", 39 | "setissuers", 40 | "update", 41 | ] 42 | key_permissions = [ 43 | "backup", 44 | "create", 45 | "decrypt", 46 | "delete", 47 | "encrypt", 48 | "get", 49 | "import", 50 | "list", 51 | "purge", 52 | "recover", 53 | "restore", 54 | "sign", 55 | "unwrapKey", 56 | "update", 57 | "verify", 58 | "wrapKey", 59 | ] 60 | secret_permissions = [ 61 | "backup", 62 | "delete", 63 | "get", 64 | "list", 65 | "purge", 66 | "recover", 67 | "restore", 68 | "set", 69 | ] 70 | 71 | } 
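-------------------------------------------------------------------------------- /.devcontainer/library-scripts/azcli-debian.sh: --------------------------------------------------------------------------------
#!/usr/bin/env bash
#-------------------------------------------------------------------------------------------------------------
# Copyright (c) Microsoft Corporation. All rights reserved.
# Licensed under the MIT License. See https://go.microsoft.com/fwlink/?linkid=2090316 for license information.
#-------------------------------------------------------------------------------------------------------------
#
# Docs: https://github.com/microsoft/vscode-dev-containers/blob/master/script-library/docs/azcli.md
#
# Syntax: ./azcli-debian.sh
#
# Installs the Azure CLI from the Microsoft apt repository on a Debian-based
# image. Must run as root. Takes no arguments.

set -e
# Without pipefail a failed download in the curl | gpg pipeline below would be
# hidden behind gpg's exit status and the script would carry on.
set -o pipefail

if [ "$(id -u)" -ne 0 ]; then
    echo -e 'Script must be run as root. Use sudo, su, or add "USER root" to your Dockerfile before running this script.'
    exit 1
fi

export DEBIAN_FRONTEND=noninteractive

# Install curl, apt-transport-https, lsb-release, or gpg if missing
if ! dpkg -s apt-transport-https curl ca-certificates lsb-release > /dev/null 2>&1 || ! type gpg > /dev/null 2>&1; then
    # Only refresh the package index when it is absent or empty, to keep image builds fast.
    if [ ! -d "/var/lib/apt/lists" ] || [ "$(ls /var/lib/apt/lists/ | wc -l)" = "0" ]; then
        apt-get update
    fi
    apt-get -y install --no-install-recommends apt-transport-https curl ca-certificates lsb-release gnupg2
fi

# Install the Azure CLI
#
# The repository signing key is kept in its own keyring and bound to this single
# source with signed-by=, so it can only vouch for packages from that repository.
# The previous `apt-key add -` placed the key in apt's global trusted set (valid
# for every configured source) and apt-key itself is deprecated.
# curl -f makes an HTTP error fail the pipeline instead of feeding an error page to gpg.
KEYRING=/usr/share/keyrings/microsoft-archive-keyring.gpg
curl -fsSL https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor --batch --yes -o "${KEYRING}"
# apt reads the keyring as an unprivileged user, so it must be world-readable.
chmod 0644 "${KEYRING}"
echo "deb [arch=amd64 signed-by=${KEYRING}] https://packages.microsoft.com/repos/azure-cli/ $(lsb_release -cs) main" > /etc/apt/sources.list.d/azure-cli.list
apt-get update
apt-get install -y azure-cli
echo "Done!"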
-------------------------------------------------------------------------------- /modules/tt_backend/main.tf: -------------------------------------------------------------------------------- 1 | ### 2 | # module composition 3 | ### 4 | 5 | #resource group 6 | 7 | module "resource_group" { 8 | source = "../../resources/base/resource_group" 9 | service_name = "tt-backend" 10 | region = var.region 11 | environment = var.environment 12 | } 13 | 14 | module "cosmosdb_shopping" { 15 | source = "../../resources/cosmosdb/cosmosdb_account" 16 | resource_group = module.resource_group.name 17 | region = module.resource_group.location 18 | environment = var.environment 19 | name_prefix = "cosmos-shopping" 20 | kind = "GlobalDocumentDB" 21 | consistency_level = "BoundedStaleness" 22 | tags = var.tags 23 | } 24 | 25 | module "cosmosdb_coupon" { 26 | source = "../../resources/cosmosdb/cosmosdb_account" 27 | resource_group = module.resource_group.name 28 | region = module.resource_group.location 29 | environment = var.environment 30 | name_prefix = "cosmos-coupon" 31 | kind = "MongoDB" 32 | consistency_level = "BoundedStaleness" 33 | tags = var.tags 34 | } 35 | 36 | module "storage_account_tt_backend" { 37 | source = "../../resources/storage/storage_account" 38 | resource_group = module.resource_group.name 39 | region = module.resource_group.location 40 | environment = var.environment 41 | name_prefix = "stttbackend" 42 | access_tier = "Hot" 43 | account_tier = "Standard" 44 | account_replication_type = "LRS" 45 | tags = var.tags 46 | } -------------------------------------------------------------------------------- /.github/workflows/aks-staging.yaml: -------------------------------------------------------------------------------- 1 | name: Build and push the latest build to staging 2 | 3 | on: 4 | push: 5 | branches: [ main ] 6 | 7 | jobs: 8 | build_push_image: 9 | runs-on: ubuntu-latest 10 | 11 | steps: 12 | - uses: actions/checkout@v2 13 | 14 | - name: Build and push staging 
image 15 | uses: docker/build-push-action@v1.1.1 16 | with: 17 | username: ${{ secrets.ACR_LOGIN }} 18 | password: ${{ secrets.ACR_PASSWORD }} 19 | registry: ${{ secrets.ACR_NAME }} 20 | repository: contoso-website 21 | tags: latest 22 | 23 | deploy: 24 | runs-on: ubuntu-latest 25 | needs: build_push_image 26 | 27 | steps: 28 | - uses: actions/checkout@v2 29 | 30 | - name: Install Helm 31 | uses: Azure/setup-helm@v1 32 | with: 33 | version: v3.3.1 34 | 35 | - name: Get AKS Credentials 36 | uses: Azure/aks-set-context@v1 37 | with: 38 | creds: ${{ secrets.AZURE_CREDENTIALS }} 39 | # Resource Group Name 40 | resource-group: rg-aks-demo 41 | # AKS Cluster Name 42 | cluster-name: rg-aks-demo 43 | 44 | - name: Run Helm Deploy 45 | run: | 46 | helm upgrade \ 47 | --install \ 48 | --create-namespace \ 49 | --atomic \ 50 | --wait \ 51 | --namespace production \ 52 | contoso-website \ 53 | ./kubernetes/contoso-website \ 54 | --set image.repository=${{ secrets.ACR_NAME }} \ 55 | --set dns.name=${{ secrets.DNS_NAME }} \ 56 | --set image.tag=latest -------------------------------------------------------------------------------- /azure-pipelines.yml: -------------------------------------------------------------------------------- 1 | name: $(Date:yyyyMMdd)$(Rev:.r) 2 | variables: 3 | - group: terraform_variables 4 | 5 | trigger: 6 | - develop 7 | 8 | pr: 9 | - develop 10 | - master 11 | 12 | resources: 13 | containers: 14 | - container: terraform 15 | image: brettkuhlman/terraform:latest 16 | 17 | stages: 18 | 19 | - stage: Terraform_Fmt 20 | displayName: Check Terraform Format 21 | jobs: 22 | - job: Format_Terraform 23 | pool: 24 | vmImage: 'ubuntu-16.04' 25 | container: terraform 26 | steps: 27 | - script: terraform fmt -recursive -check -list=true 28 | 29 | - stage: Terraform_Validate 30 | displayName: Validate Terraform Syntax 31 | jobs: 32 | - job: Validate_Terraform 33 | pool: 34 | vmImage: 'ubuntu-16.04' 35 | container: terraform 36 | steps: 37 | - task: Bash@3 38 | 
inputs: 39 | filePath: './bin/validate_terraform.sh' 40 | dependsOn: Terraform_Fmt 41 | 42 | - stage: Terraform_Apply 43 | displayName: Run Terraform apply for solutions 44 | jobs: 45 | - job: Apply_Terraform 46 | pool: 47 | vmImage: 'ubuntu-16.04' 48 | container: terraform 49 | steps: 50 | - task: Bash@3 51 | inputs: 52 | filePath: './bin/plan-apply.sh' 53 | dependsOn: Terraform_Validate 54 | 55 | - stage: Terraform_Destroy 56 | displayName: Run Terraform destroy for solutions 57 | jobs: 58 | - job: Destroy_Terraform 59 | pool: 60 | vmImage: 'ubuntu-16.04' 61 | container: terraform 62 | steps: 63 | - task: Bash@3 64 | inputs: 65 | filePath: './bin/destroy.sh' 66 | dependsOn: Terraform_Apply 67 | -------------------------------------------------------------------------------- /.github/workflows/aks-prod.yaml: -------------------------------------------------------------------------------- 1 | name: Build and push the tagged build to production 2 | 3 | on: 4 | push: 5 | tags: 6 | - 'v*' 7 | 8 | jobs: 9 | build_push_image: 10 | runs-on: ubuntu-latest 11 | 12 | steps: 13 | - uses: actions/checkout@v2 14 | 15 | - name: Build and Push production image 16 | uses: docker/build-push-action@v1.1.1 17 | with: 18 | username: ${{secrets.ACR_LOGIN}} 19 | password: ${{secrets.ACR_PASSWORD}} 20 | registry: ${{ secrets.ACR_NAME }} 21 | repository: contoso-website 22 | tag_with_ref: true 23 | 24 | deploy: 25 | runs-on: ubuntu-latest 26 | needs: build_push_image 27 | 28 | steps: 29 | - uses: actions/checkout@v2 30 | 31 | - name: Install Helm 32 | uses: Azure/setup-helm@v1 33 | with: 34 | version: v3.3.1 35 | 36 | - name: Get AKS Credentials 37 | uses: Azure/aks-set-context@v1 38 | with: 39 | creds: ${{ secrets.AZURE_CREDENTIALS }} 40 | # Resource group name 41 | resource-group: rg-aks-demo 42 | # AKS cluster name 43 | cluster-name: aks-demo 44 | 45 | - name: Run Helm Deploy 46 | run: | 47 | helm upgrade \ 48 | --install \ 49 | --create-namespace \ 50 | --atomic \ 51 | --wait \ 52 | 
--namespace production \ 53 | contoso-website \ 54 | ./kubernetes/contoso-website \ 55 | --set image.repository=${{ secrets.ACR_NAME }} \ 56 | --set dns.name=${{ secrets.DNS_NAME }} \ 57 | --set image.tag=${GITHUB_REF##*/} -------------------------------------------------------------------------------- /resources/key_vault/key_vault/main.tf: -------------------------------------------------------------------------------- 1 | ### 2 | # resource composition 3 | ### 4 | 5 | data "azurerm_client_config" "current" { 6 | } 7 | 8 | #random string 9 | 10 | resource "random_string" "base" { 11 | length = 4 12 | special = false 13 | } 14 | 15 | #key vault 16 | 17 | resource "azurerm_key_vault" "base" { 18 | name = lower("${var.name_prefix}${substr(var.environment, 0, 2)}${random_string.base.result}${var.region}") 19 | location = var.region 20 | resource_group_name = var.resource_group 21 | tenant_id = data.azurerm_client_config.current.tenant_id 22 | enabled_for_deployment = var.enabled_for_deployment 23 | enabled_for_disk_encryption = var.enabled_for_disk_encryption 24 | enabled_for_template_deployment = var.enabled_for_template_deployment 25 | sku_name = var.sku_name 26 | dynamic "network_acls" { 27 | for_each = var.network_acls 28 | content { 29 | bypass = network_acls.value.bypass 30 | default_action = network_acls.value.default_action 31 | ip_rules = network_acls.value.ip_rules 32 | virtual_network_subnet_ids = network_acls.value.virtual_network_subnet_ids 33 | } 34 | } 35 | purge_protection_enabled = var.purge_protection_enabled 36 | #[DEPRECATED] Azure has removed support for disabling Soft Delete as of 2020-12-15, as such this field is no longer configurable and can be safely removed. This field will be removed in version 3.0 of the Azure Provider. 
37 | #soft_delete_enabled = var.soft_delete_enabled 38 | 39 | 40 | tags = var.tags 41 | } 42 | 43 | -------------------------------------------------------------------------------- /modules/k8s_cluster/variables.tf: -------------------------------------------------------------------------------- 1 | ### 2 | # module variables 3 | ### 4 | 5 | #common 6 | 7 | variable "region" { 8 | description = "Geographic Region resource will be deployed into" 9 | type = string 10 | } 11 | 12 | variable "environment" { 13 | description = "Development environment for resource; prod, non-prod, shared-services" 14 | type = string 15 | } 16 | 17 | #kubernetes_cluster 18 | 19 | variable "virtual_network_name" { 20 | description = "(Required) The Name of the Virtual Network where this subnet should be located in." 21 | type = string 22 | } 23 | 24 | variable "virtual_network_resource_group" { 25 | description = "(Required) The name of the resource group of the Virtual Network where this subnet should be located in." 26 | type = string 27 | } 28 | 29 | variable "address_prefix_k8s_master" { 30 | description = "(Required) The address prefix for the k8s master subnet" 31 | type = list(any) 32 | } 33 | 34 | variable "address_prefix_k8s_node" { 35 | description = "(Required) The address prefix for the k8s_node subnet" 36 | type = list(any) 37 | } 38 | 39 | variable "vm_size_k8s_master" { 40 | description = "(Required) The SKU which should be used for this Virtual Machine, such as Standard_F2." 41 | type = string 42 | default = "Standard_B2s" 43 | } 44 | 45 | variable "vm_size_k8s_node" { 46 | description = "(Required) The SKU which should be used for this Virtual Machine, such as Standard_F2." 
47 | type = string 48 | default = "Standard_B2s" 49 | } 50 | 51 | #tags 52 | 53 | variable "tags" { 54 | description = "A map of tags to add to all resources" 55 | type = map(any) 56 | default = {} 57 | } 58 | -------------------------------------------------------------------------------- /modules/domain_controllers/variables.tf: -------------------------------------------------------------------------------- 1 | ### 2 | # module variables 3 | ### 4 | 5 | #common 6 | 7 | variable "region" { 8 | description = "Geographic Region resource will be deployed into" 9 | type = string 10 | } 11 | 12 | variable "environment" { 13 | description = "Development environment for resource; prod, non-prod, shared-services" 14 | type = string 15 | } 16 | 17 | #domain controllers 18 | 19 | variable "storage_account_uri" { 20 | description = "(Required) The Primary/Secondary Endpoint for the Azure Storage Account which should be used to store Boot Diagnostics, including Console Output and Screenshots from the Hypervisor." 21 | type = string 22 | } 23 | 24 | variable "virtual_network_name" { 25 | description = "(Required) The Name of the Virtual Network where this subnet should be located in." 26 | type = string 27 | } 28 | 29 | variable "virtual_network_resource_group" { 30 | description = "(Required) The name of the resource group of the Virtual Network where this subnet should be located in." 31 | type = string 32 | } 33 | 34 | variable "vm_size" { 35 | description = "(Required) The SKU which should be used for this Virtual Machine, such as Standard_F2." 
36 | type = string 37 | default = "Standard_B2s" 38 | } 39 | 40 | variable "private_ip_address_adds" { 41 | description = "(Required) The Static IP address for the aads Servers" 42 | type = list(any) 43 | } 44 | 45 | variable "address_prefix_adds" { 46 | description = "(Required) The address prefix for the adds subnet" 47 | type = list(any) 48 | } 49 | 50 | #tags 51 | 52 | variable "tags" { 53 | description = "A map of tags to add to all resources" 54 | type = map(any) 55 | default = {} 56 | } 57 | 58 | -------------------------------------------------------------------------------- /environments/dev/variables.tf: -------------------------------------------------------------------------------- 1 | ### 2 | # environment variables 3 | ### 4 | 5 | #common 6 | 7 | variable "region" { 8 | description = "Geographic region resource will be deployed into" 9 | type = string 10 | } 11 | 12 | variable "environment" { 13 | description = "Development environment for resource; prod, non-prod, shared-services" 14 | type = string 15 | } 16 | 17 | #authentication 18 | 19 | variable "client_id" { 20 | description = "The client ID for the Service Principal" 21 | type = string 22 | } 23 | 24 | variable "client_secret" { 25 | description = "The secret for the Service Principal authentication" 26 | type = string 27 | } 28 | 29 | variable "subscription_id" { 30 | description = "The Subscription ID in which the Storage Account exists. This can also be sourced from the ARM_SUBSCRIPTION_ID environment variable." 31 | type = string 32 | } 33 | 34 | variable "tenant_id" { 35 | description = "The Tenant ID in which the Subscription exists. This can also be sourced from the ARM_TENANT_ID environment variable." 
36 | type = string 37 | } 38 | 39 | 40 | #network 41 | 42 | variable "address_space" { 43 | description = "This is a list of the ip address ranges for the vnet" 44 | type = list(any) 45 | } 46 | 47 | variable "address_prefix_k8s_master" { 48 | description = "The address prefix to use for the k8s_master subnet." 49 | type = list(string) 50 | } 51 | 52 | variable "address_prefix_k8s_node" { 53 | description = "The address prefix to use for the k8s_node subnet." 54 | type = list(string) 55 | } 56 | 57 | #tags 58 | 59 | variable "tags" { 60 | description = "A map of tags to add to all resources" 61 | type = map(any) 62 | default = {} 63 | } 64 | 65 | -------------------------------------------------------------------------------- /resources/network/firewall/variables.tf: -------------------------------------------------------------------------------- 1 | ### 2 | # resource variables 3 | ### 4 | 5 | #common 6 | 7 | variable "resource_group" { 8 | description = "The name of the target resource group" 9 | type = string 10 | } 11 | 12 | variable "name_prefix" { 13 | description = "Specifies the name of the Firewall. Changing this forces a new resource to be created." 14 | type = string 15 | default = "azfw" 16 | } 17 | 18 | variable "environment" { 19 | description = "Development environment for resource; prod, non-prod, shared-services" 20 | type = string 21 | } 22 | 23 | variable "region" { 24 | description = "Geographic Region resource will be deployed into" 25 | type = string 26 | } 27 | 28 | #firewall 29 | 30 | variable "virtual_network_name" { 31 | description = "(Required) The name of the virtual network to which to attach the subnet. Changing this forces a new resource to be created." 32 | type = string 33 | } 34 | 35 | #The Subnet used for the Firewall must have the name AzureFirewallSubnet and the subnet mask must be at least /26. 36 | variable "address_prefixes" { 37 | description = "(Required) The address prefixes to use for the azfw subnet." 
38 | type = list(any) 39 | } 40 | 41 | variable "public_ip_address_id" { 42 | description = "(Required) The Resource ID of the Public IP Address associated with the firewall." 43 | type = string 44 | } 45 | 46 | variable "zones" { 47 | description = "(Optional) Specifies the availability zones in which the Azure Firewall should be created." 48 | type = list(any) 49 | default = null 50 | } 51 | 52 | #tags 53 | 54 | variable "tags" { 55 | description = "Optional tags to be added to resource" 56 | type = map(any) 57 | default = {} 58 | } -------------------------------------------------------------------------------- /resources/network/bastion_host/variables.tf: -------------------------------------------------------------------------------- 1 | ### 2 | # resource variables 3 | ### 4 | 5 | #common 6 | 7 | variable "resource_group" { 8 | description = "The name of the target resource group" 9 | type = string 10 | } 11 | 12 | variable "name_prefix" { 13 | description = "A short pre-defined text to identify the resource type" 14 | type = string 15 | default = "bastion" 16 | } 17 | 18 | variable "environment" { 19 | description = "Development environment for resource; prod, non-prod, shared-services" 20 | type = string 21 | } 22 | 23 | variable "region" { 24 | description = "Geographic Region resource will be deployed into" 25 | type = string 26 | } 27 | 28 | #bastion_host 29 | 30 | #The Subnet used for the Bastion host must have the name AzureBastionSubnet. 31 | 32 | variable "virtual_network_name" { 33 | description = "(Required) The name of the virtual network to which to attach the subnet. Changing this forces a new resource to be created." 34 | type = string 35 | } 36 | 37 | variable "virtual_network_resource_group" { 38 | description = "(Required) The name of the virtual network resource group which to attach the subnet. Changing this forces a new resource to be created." 
39 | type = string 40 | } 41 | 42 | variable "address_prefix_bastion" { 43 | description = "(Required) The address prefixes to use for the bastion subnet." 44 | type = list(any) 45 | } 46 | 47 | variable "public_ip_address_id" { 48 | description = "(Required) Reference to a Public IP Address to associate with this Bastion Host." 49 | type = string 50 | } 51 | 52 | #tags 53 | 54 | variable "tags" { 55 | description = "A map of tags to add to all resources" 56 | type = map(any) 57 | default = {} 58 | } 59 | 60 | -------------------------------------------------------------------------------- /environments/shared-services/variables.tf: -------------------------------------------------------------------------------- 1 | ### 2 | # environment variables 3 | ### 4 | 5 | #common 6 | 7 | variable "environment" { 8 | description = "Development environment for resource; prod, non-prod, shared-services" 9 | type = string 10 | } 11 | 12 | variable "region" { 13 | description = "Geographic region resource will be deployed into" 14 | type = string 15 | } 16 | 17 | #authentication 18 | 19 | variable "client_id" { 20 | description = "The client ID for the Service Principal" 21 | type = string 22 | } 23 | 24 | variable "client_secret" { 25 | description = "The secret for the Service Principal authentication" 26 | type = string 27 | } 28 | 29 | variable "object_id" { 30 | description = "The object ID for the Service Principal" 31 | type = string 32 | } 33 | 34 | variable "tenant_id" { 35 | description = "The Tenant ID in which the Subscription exists. This can also be sourced from the ARM_TENANT_ID environment variable." 36 | type = string 37 | } 38 | 39 | #network 40 | 41 | variable "address_space" { 42 | description = "This is a list of the ip address ranges for the vnet" 43 | type = list(any) 44 | } 45 | 46 | variable "address_prefix_agw" { 47 | description = "The address prefix to use for the agw subnet." 
48 | type = list(any) 49 | } 50 | 51 | variable "address_prefix_fw" { 52 | description = "The address prefix to use for the fw subnet." 53 | type = list(any) 54 | } 55 | 56 | 57 | variable "address_prefix_bastion" { 58 | description = "The address prefix to use for the bastion subnet." 59 | type = list(any) 60 | } 61 | 62 | #tags 63 | 64 | variable "tags" { 65 | description = "A map of tags to add to all resources" 66 | type = map(any) 67 | default = {} 68 | } 69 | 70 | -------------------------------------------------------------------------------- /environments/shared-services/README.md: -------------------------------------------------------------------------------- 1 | ## Requirements 2 | 3 | | Name | Version | 4 | |------|---------| 5 | | terraform | >= 0.13 | 6 | 7 | ## Providers 8 | 9 | No provider. 10 | 11 | ## Inputs 12 | 13 | | Name | Description | Type | Default | Required | 14 | |------|-------------|------|---------|:--------:| 15 | | address\_prefix\_adds | The address prefix to use for the aads subnet. | `list` | n/a | yes | 16 | | address\_prefix\_fw | The address prefix to use for the fw subnet. | `list` | n/a | yes | 17 | | address\_prefix\_jumpbox | The address prefix to use for the jumpbox subnet. | `list` | n/a | yes | 18 | | address\_prefix\_vgw | The address prefix to use for the vgw subnet. 
| `list` | n/a | yes | 19 | | address\_space | This is a list of the ip address ranges for the vnet | `list` | n/a | yes | 20 | | app\_id | The client ID for the Service Principal | `string` | n/a | yes | 21 | | client\_secret | The secret for the Service Principal authentication | `string` | n/a | yes | 22 | | environment | Development environment for resource; prod, non-prod, shared-services | `string` | n/a | yes | 23 | | object\_id | The object ID for the Service Principal | `string` | n/a | yes | 24 | | private\_ip\_address\_adds | (Required) The Static IP address for the aads Servers | `list` | n/a | yes | 25 | | region | Geographic region resource will be deployed into | `string` | n/a | yes | 26 | | tags | A map of tags to add to all resources | `map` | `{}` | no | 27 | 28 | ## Outputs 29 | 30 | | Name | Description | 31 | |------|-------------| 32 | | network\_transit\_hub\_id | Resource id of the transit hub virtual network | 33 | | network\_transit\_hub\_name | Generated name of the transit hub virtual network | 34 | | network\_transit\_hub\_resource\_group\_name | Generated name of the resource group for the transit hub virtual network | 35 | 36 | -------------------------------------------------------------------------------- /resources/network/application_gateway/README.md: -------------------------------------------------------------------------------- 1 | ## Requirements 2 | 3 | No requirements. 4 | 5 | ## Providers 6 | 7 | | Name | Version | 8 | |------|---------| 9 | | azurerm | n/a | 10 | 11 | ## Inputs 12 | 13 | | Name | Description | Type | Default | Required | 14 | |------|-------------|------|---------|:--------:| 15 | | environment | Development environment for resource; prod, non-prod, shared-services | `string` | n/a | yes | 16 | | name\_prefix | Short prefix to identify resource | `string` | `"agw"` | no | 17 | | private\_ip\_address | (Optional) The Private IP Address to use for the Application Gateway. 
| `string` | `null` | no | 18 | | public\_ip\_address\_id | (Optional) The ID of a Public IP Address which the Application Gateway should use. | `string` | n/a | yes | 19 | | region | Geographic Region resource will be deployed into | `string` | n/a | yes | 20 | | resource\_group | The name of the target resource group | `string` | n/a | yes | 21 | | sku\_capacity | (Required) The Capacity of the SKU to use for this Application Gateway - which must be between 1 and 10, optional if autoscale\_configuration is set | `string` | `1` | no | 22 | | sku\_name | The Name of the SKU to use for this Application Gateway. Possible values are Standard\_Small, Standard\_Medium, Standard\_Large, Standard\_v2, WAF\_Medium, WAF\_Large, and WAF\_v2. | `string` | n/a | yes | 23 | | sku\_tier | The Tier of the SKU to use for this Application Gateway. Possible values are Standard, Standard\_v2, WAF and WAF\_v2. | `string` | n/a | yes | 24 | | subnet\_id | The ID of a Subnet. | `string` | n/a | yes | 25 | | tags | Optional tags to be added to resource | `map` | `{}` | no | 26 | | zones | (Optional) A collection of availability zones to spread the Application Gateway over. 
| `list` | `null` | no | 27 | 28 | ## Outputs 29 | 30 | | Name | Description | 31 | |------|-------------| 32 | | id | n/a | 33 | | name | n/a | 34 | 35 | -------------------------------------------------------------------------------- /resources/network/virtual_network_gateway/main.tf: -------------------------------------------------------------------------------- 1 | ### 2 | # resource composition 3 | ### 4 | 5 | #subnet 6 | 7 | resource "azurerm_subnet" "base" { 8 | name = "GatewaySubnet" 9 | resource_group_name = var.resource_group 10 | virtual_network_name = var.virtual_network_name 11 | address_prefixes = var.address_prefixes 12 | } 13 | 14 | #virtual network gateway 15 | 16 | resource "azurerm_virtual_network_gateway" "base" { 17 | name = "${var.name_prefix}-${var.environment}-${var.region}" 18 | location = var.region 19 | resource_group_name = var.resource_group 20 | 21 | type = var.type 22 | vpn_type = var.vpn_type 23 | 24 | active_active = var.active_active 25 | enable_bgp = var.enable_bgp 26 | default_local_network_gateway_id = var.default_local_network_gateway_id 27 | sku = var.sku 28 | generation = var.generation 29 | 30 | ip_configuration { 31 | name = var.public_ip_name 32 | public_ip_address_id = var.public_ip_address_id 33 | private_ip_address_allocation = var.private_ip_address_allocation 34 | subnet_id = azurerm_subnet.base.id 35 | } 36 | 37 | vpn_client_configuration { 38 | address_space = var.address_space 39 | vpn_client_protocols = var.vpn_client_protocols 40 | 41 | root_certificate { 42 | name = var.root_certificate_name 43 | public_cert_data = base64encode(var.public_cert_data) 44 | } 45 | /* 46 | dynamic "revoked_certificate" { 47 | for_each = var.revoked_certificate 48 | content { 49 | name = var.revoked_certificate.value.name 50 | thumbprint = var.revoked_certificate.value.thumbprint 51 | } 52 | } 53 | */ 54 | } 55 | tags = var.tags 56 | } 57 | 58 | -------------------------------------------------------------------------------- 
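/resources/cosmosdb/cosmosdb_account/variables.tf:
--------------------------------------------------------------------------------
###
# resource variables
###

#common

variable "resource_group" {
  description = "The name of the target resource group"
  type        = string
}

variable "name_prefix" {
  description = "A short pre-defined text to identify the resource type"
  type        = string
  default     = "cosmos"
}

variable "environment" {
  description = "Development environment for resource; prod, non-prod, shared-services"
  type        = string
}

variable "region" {
  description = "Geographic Region resource will be deployed into"
  type        = string
}

#cosmosdb_account
#
# Optional account settings default to null so the provider's own default
# applies; the description of each records what that default is.

variable "offer_type" {
  description = "(Required) Specifies the Offer Type to use for this CosmosDB Account - currently this can only be set to Standard."
  type        = string
  default     = "Standard"
}

variable "kind" {
  description = "(Optional) Specifies the Kind of CosmosDB to create - possible values are GlobalDocumentDB and MongoDB. Defaults to GlobalDocumentDB. Changing this forces a new resource to be created."
  type        = string
  default     = null
}

variable "enable_free_tier" {
  description = "(Optional) Enable Free Tier pricing option for this Cosmos DB account. Defaults to false. Changing this forces a new resource to be created."
  type        = bool
  default     = null
}

variable "consistency_level" {
  description = "(Required) The Consistency Level to use for this CosmosDB Account - can be either BoundedStaleness, Eventual, Session, Strong or ConsistentPrefix."
  type        = string
}

#tags

variable "tags" {
  description = "A map of tags to add to all resources"
  type        = map(any)
  default     = {}
}
--------------------------------------------------------------------------------
/resources/network/network_security_rule/variables.tf:
--------------------------------------------------------------------------------
###
# resource variables
###

#common

variable "resource_group" {
  description = "This is the resource group to which the resources will be deployed"
  type        = string
}

variable "name_prefix" {
  description = "A short pre-defined text to identify the resource type"
  type        = string
  default     = "nsg"
}

variable "region" {
  description = "Geographic Region resource will be deployed into"
  type        = string
}

#nsg

variable "network_security_group_name" {
  description = "(Required) The name of the Network Security Group that we want to attach the rule to. Changing this forces a new resource to be created."
  type        = string
}

variable "network_security_rules" {
  description = "List of network security rules"
  type        = list(any)
  default     = []
  /*
  example:

  Each element maps onto one azurerm_network_security_rule. Note that the
  source port of an inbound connection is an ephemeral port chosen by the
  client, so source_port_range is "*" and only destination_port_range names
  the service port. Scoping the rule to the protocol the service actually
  uses (Tcp for SSH and RDP) and to the VirtualNetwork service tag keeps the
  rule as narrow as the example intends.
  [
    {
      name                       = "SSH"
      priority                   = 100
      direction                  = "Inbound"
      access                     = "Allow"
      protocol                   = "Tcp"
      source_port_range          = "*"
      destination_port_range     = "22"
      source_address_prefix      = "VirtualNetwork"
      destination_address_prefix = "*"
    },
    {
      name                       = "RDP"
      priority                   = 110
      direction                  = "Inbound"
      access                     = "Allow"
      protocol                   = "Tcp"
      source_port_range          = "*"
      destination_port_range     = "3389"
      source_address_prefix      = "VirtualNetwork"
      destination_address_prefix = "*"
    },
  ]
  */
}


--------------------------------------------------------------------------------
/modules/aks_agic/outputs.tf:
--------------------------------------------------------------------------------
###
# module outputs
###
#
# Everything derived from kube_config is a cluster credential. Those outputs
# are marked sensitive so `terraform apply` / `terraform output` redact them in
# the CLI and in logs. They are still stored in state in clear text, so the
# state backend must be access-controlled accordingly.

output "aks_id" {
  value       = module.aks.id
  description = "The ID of the Kubernetes Managed Cluster."
}

output "aks_fqdn" {
  value       = module.aks.fqdn
  description = "The FQDN of the Azure Kubernetes Managed Cluster."
}

output "aks_node_resource_group" {
  value       = module.aks.node_resource_group
  description = "Auto-generated Resource Group containing AKS Cluster resources."
}

output "aks_kube_config_raw" {
  value       = module.aks.kube_config_raw
  description = "Raw Kubernetes config for the admin account to be used by kubectl and other compatible tools."
  sensitive   = true
}

output "aks_kube_config_client_key" {
  value       = module.aks.kube_config_client_key
  description = "Base64 encoded private key used by clients to authenticate to the Kubernetes cluster."
  sensitive   = true
}

output "aks_kube_config_client_certificate" {
  value       = module.aks.kube_config_client_certificate
  description = "Base64 encoded public certificate used by clients to authenticate to the Kubernetes cluster."
}

output "aks_kube_config_cluster_ca_certificate" {
  value       = module.aks.kube_config_cluster_ca_certificate
  description = "Base64 encoded public CA certificate used as the root of trust for the Kubernetes cluster."
}

output "aks_kube_config_host" {
  value       = module.aks.kube_config_host
  description = "The Kubernetes cluster server host."
}

output "aks_kube_config_username" {
  value       = module.aks.kube_config_username
  description = "A username used to authenticate to the Kubernetes cluster."
}

output "aks_kube_config_password" {
  value       = module.aks.kube_config_password
  description = "A password or token used to authenticate to the Kubernetes cluster."
  sensitive   = true
}

--------------------------------------------------------------------------------
/modules/aks_baseline/outputs.tf:
--------------------------------------------------------------------------------
###
# module outputs
###
#
# Everything derived from kube_config is a cluster credential. Those outputs
# are marked sensitive so `terraform apply` / `terraform output` redact them in
# the CLI and in logs. They are still stored in state in clear text, so the
# state backend must be access-controlled accordingly.

output "aks_id" {
  value       = module.aks.id
  description = "The ID of the Kubernetes Managed Cluster."
}

output "aks_fqdn" {
  value       = module.aks.fqdn
  description = "The FQDN of the Azure Kubernetes Managed Cluster."
}

output "aks_node_resource_group" {
  value       = module.aks.node_resource_group
  description = "Auto-generated Resource Group containing AKS Cluster resources."
}

output "aks_kube_config_raw" {
  value       = module.aks.kube_config_raw
  description = "Raw Kubernetes config for the admin account to be used by kubectl and other compatible tools."
  sensitive   = true
}

output "aks_kube_config_client_key" {
  value       = module.aks.kube_config_client_key
  description = "Base64 encoded private key used by clients to authenticate to the Kubernetes cluster."
  sensitive   = true
}

output "aks_kube_config_client_certificate" {
  value       = module.aks.kube_config_client_certificate
  description = "Base64 encoded public certificate used by clients to authenticate to the Kubernetes cluster."
}

output "aks_kube_config_cluster_ca_certificate" {
  value       = module.aks.kube_config_cluster_ca_certificate
  description = "Base64 encoded public CA certificate used as the root of trust for the Kubernetes cluster."
}

output "aks_kube_config_host" {
  value       = module.aks.kube_config_host
  description = "The Kubernetes cluster server host."
}

output "aks_kube_config_username" {
  value       = module.aks.kube_config_username
  description = "A username used to authenticate to the Kubernetes cluster."
}

output "aks_kube_config_password" {
  value       = module.aks.kube_config_password
  description = "A password or token used to authenticate to the Kubernetes cluster."
  sensitive   = true
}

--------------------------------------------------------------------------------
/resources/key_vault/key_vault_access_policy/README.md:
--------------------------------------------------------------------------------
## Requirements

No requirements.

## Providers

| Name | Version |
|------|---------|
| azurerm | n/a |

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| application\_id | (Optional) The object ID of an Application in Azure Active Directory.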
| `string` | `null` | no | 16 | | certificate\_permissions | (Optional) List of certificate permissions, must be one or more from the following: backup, create, delete, deleteissuers, get, getissuers, import, list, listissuers, managecontacts, manageissuers, purge, recover, restore, setissuers and update. | `list` | `null` | no | 17 | | key\_permissions | (Required) List of key permissions, must be one or more from the following: backup, create, decrypt, delete, encrypt, get, import, list, purge, recover, restore, sign, unwrapKey, update, verify and wrapKey. | `list` | n/a | yes | 18 | | key\_vault\_id | (Required) Specifies the id of the Key Vault resource. Changing this forces a new resource to be created. | `string` | n/a | yes | 19 | | object\_id | (Required) The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies. Changing this forces a new resource to be created. | `string` | n/a | yes | 20 | | secret\_permissions | (Required) List of secret permissions, must be one or more from the following: backup, delete, get, list, purge, recover, restore and set. | `list` | n/a | yes | 21 | | storage\_permissions | (Optional) List of storage permissions, must be one or more from the following: backup, delete, deletesas, get, getsas, list, listsas, purge, recover, regeneratekey, restore, set, setsas and update. | `list` | `null` | no | 22 | 23 | ## Outputs 24 | 25 | | Name | Description | 26 | |------|-------------| 27 | | id | Key Vault Access Policy ID. 
| 28 | 29 | -------------------------------------------------------------------------------- /environments/dev/README.md: -------------------------------------------------------------------------------- 1 | ## Requirements 2 | 3 | | Name | Version | 4 | |------|---------| 5 | | terraform | >= 0.12 | 6 | | azurerm | >= 2.0.0 | 7 | | helm | 1.1.1 | 8 | 9 | ## Providers 10 | 11 | | Name | Version | 12 | |------|---------| 13 | | terraform | n/a | 14 | 15 | ## Inputs 16 | 17 | | Name | Description | Type | Default | Required | 18 | |------|-------------|------|---------|:--------:| 19 | | address\_prefix\_agw | The address prefixe to use for the agw subnet. | `list(string)` | n/a | yes | 20 | | address\_prefix\_aks | The address prefixe to use for the aks subnet. | `list(string)` | n/a | yes | 21 | | address\_space | This is a list of the ip address ranges for the vnet | `list` | n/a | yes | 22 | | app\_id | The client ID for the Service Principal | `string` | n/a | yes | 23 | | client\_secret | The secret for the Service Principal authentication | `string` | n/a | yes | 24 | | dns\_service\_ip | IP address within the Kubernetes service address range that will be used by cluster service discovery (kube-dns). This is required when network\_plugin is set to azure. Changing this forces a new resource to be created. | `string` | n/a | yes | 25 | | docker\_bridge\_cidr | IP address (in CIDR notation) used as the Docker bridge IP address on nodes. This is required when network\_plugin is set to azure. Changing this forces a new resource to be created. | `string` | n/a | yes | 26 | | environment | Development environment for resource; prod, non-prod, shared-services | `string` | n/a | yes | 27 | | object\_id | The object ID for the Service Principal | `string` | n/a | yes | 28 | | region | Geographic region resource will be deployed into | `string` | n/a | yes | 29 | | service\_cidr | The Network Range used by the Kubernetes service. 
This is required when network\_plugin is set to azure. Changing this forces a new resource to be created. | `string` | n/a | yes | 30 | | tags | A map of tags to add to all resources | `map` | `{}` | no | 31 | 32 | ## Outputs 33 | 34 | No output. 35 | 36 | -------------------------------------------------------------------------------- /environments/prod/README.md: -------------------------------------------------------------------------------- 1 | ## Requirements 2 | 3 | | Name | Version | 4 | |------|---------| 5 | | terraform | >= 0.12 | 6 | | azurerm | >= 2.0.0 | 7 | | helm | 1.1.1 | 8 | 9 | ## Providers 10 | 11 | | Name | Version | 12 | |------|---------| 13 | | terraform | n/a | 14 | 15 | ## Inputs 16 | 17 | | Name | Description | Type | Default | Required | 18 | |------|-------------|------|---------|:--------:| 19 | | address\_prefix\_agw | The address prefixe to use for the agw subnet. | `list(string)` | n/a | yes | 20 | | address\_prefix\_aks | The address prefixe to use for the aks subnet. | `list(string)` | n/a | yes | 21 | | address\_space | This is a list of the ip address ranges for the vnet | `list` | n/a | yes | 22 | | app\_id | The client ID for the Service Principal | `string` | n/a | yes | 23 | | client\_secret | The secret for the Service Principal authentication | `string` | n/a | yes | 24 | | dns\_service\_ip | IP address within the Kubernetes service address range that will be used by cluster service discovery (kube-dns). This is required when network\_plugin is set to azure. Changing this forces a new resource to be created. | `string` | n/a | yes | 25 | | docker\_bridge\_cidr | IP address (in CIDR notation) used as the Docker bridge IP address on nodes. This is required when network\_plugin is set to azure. Changing this forces a new resource to be created. 
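| `string` | n/a | yes |
| environment | Development environment for resource; prod, non-prod, shared-services | `string` | n/a | yes |
| object\_id | The object ID for the Service Principal | `string` | n/a | yes |
| region | Geographic region resource will be deployed into | `string` | n/a | yes |
| service\_cidr | The Network Range used by the Kubernetes service. This is required when network\_plugin is set to azure. Changing this forces a new resource to be created. | `string` | n/a | yes |
| tags | A map of tags to add to all resources | `map` | `{}` | no |

## Outputs

No output.


--------------------------------------------------------------------------------
/resources/key_vault/key_vault_access_policy/variables.tf:
--------------------------------------------------------------------------------
###
# resource variables
###

#key vault access policy
#
# One policy grants a single AAD principal (object_id, optionally narrowed to
# an application_id) a set of permissions on one vault. The permission lists
# are the authorization boundary: grant only what the principal needs, and
# treat delete / purge as destructive, administrative rights.

variable "key_vault_id" {
  description = "(Required) Specifies the id of the Key Vault resource. Changing this forces a new resource to be created."
  type        = string
}

variable "object_id" {
  description = "(Required) The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies. Changing this forces a new resource to be created."
  type        = string
}

variable "application_id" {
  description = "(Optional) The object ID of an Application in Azure Active Directory."
  type        = string
  default     = null
}

# Optional permission sets default to null so no permissions of that class are
# granted unless the caller asks for them.
variable "certificate_permissions" {
  description = "(Optional) List of certificate permissions, must be one or more from the following: backup, create, delete, deleteissuers, get, getissuers, import, list, listissuers, managecontacts, manageissuers, purge, recover, restore, setissuers and update."
  type        = list(any)
  default     = null
}

variable "key_permissions" {
  description = "(Required) List of key permissions, must be one or more from the following: backup, create, decrypt, delete, encrypt, get, import, list, purge, recover, restore, sign, unwrapKey, update, verify and wrapKey."
  type        = list(any)
}

variable "secret_permissions" {
  description = "(Required) List of secret permissions, must be one or more from the following: backup, delete, get, list, purge, recover, restore and set."
  type        = list(any)
}

variable "storage_permissions" {
  description = "(Optional) List of storage permissions, must be one or more from the following: backup, delete, deletesas, get, getsas, list, listsas, purge, recover, regeneratekey, restore, set, setsas and update."
  type        = list(any)
  default     = null
}
--------------------------------------------------------------------------------
/resources/network/virtual_network_peering/README.md:
--------------------------------------------------------------------------------
## Requirements

No requirements.

## Providers

| Name | Version |
|------|---------|
| azurerm | n/a |

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| allow\_forwarded\_traffic | (Optional) Controls if forwarded traffic from VMs in the remote virtual network is allowed. Defaults to false. | `bool` | `null` | no |
| allow\_gateway\_transit | (Optional) Controls whether gateway links can be used in the remote virtual network's link to the local virtual network. | `bool` | `null` | no |
| allow\_virtual\_network\_access | (Optional) Controls if the VMs in the remote virtual network can access VMs in the local virtual network. Defaults to true. | `bool` | `null` | no |
| remote\_virtual\_network\_id | (Required) The full Azure resource ID of the remote virtual network. Changing this forces a new resource to be created. | `string` | n/a | yes |
| remote\_virtual\_network\_name | (Required) The name of the remote virtual network. Changing this forces a new resource to be created. | `string` | n/a | yes |
| resource\_group\_name | (Required) The name of the resource group in which to create the virtual network. Changing this forces a new resource to be created. | `string` | n/a | yes |
| use\_remote\_gateways | (Optional) Controls if remote gateways can be used on the local virtual network. If the flag is set to true, and allow\_gateway\_transit on the remote peering is also true, virtual network will use gateways of remote virtual network for transit. Only one peering can have this flag set to true. This flag cannot be set if virtual network already has a gateway. Defaults to false. | `bool` | `null` | no |
| virtual\_network\_name | (Required) The name of the virtual network. Changing this forces a new resource to be created. | `string` | n/a | yes |

## Outputs

| Name | Description |
|------|-------------|
| id | The ID of the Virtual Network Peering. |


--------------------------------------------------------------------------------
/resources/network/firewall_network_rule_collection/variables.tf:
--------------------------------------------------------------------------------
###
# resource variables
###

#common

variable "resource_group" {
  description = "The name of the target resource group"
  type        = string
}

# The previous description here was copied from the firewall resource and
# described the firewall name rather than this prefix.
variable "name_prefix" {
  description = "A short pre-defined text used to build the name of the network rule collection"
  type        = string
  default     = "firewall-network-rule-collection"
}

variable "region" {
  description = "Geographic Region resource will be deployed into"
  type        = string
}

#firewall network rule collection

variable "azure_firewall_name" {
  description = "(Required) Specifies the name of the Firewall in which the Network Rule Collection should be created. Changing this forces a new resource to be created."
  type        = string
}

# Typed as number to match the provider attribute; Terraform still converts a
# numeric string such as "100" supplied by existing callers.
variable "priority" {
  description = "(Required) Specifies the priority of the rule collection. Possible values are between 100 - 65000."
  type        = number
}

variable "action" {
  description = "(Required) Specifies the action the rule will apply to matching traffic. Possible values are Allow and Deny."
  type        = string
}

variable "rule" {
  description = "(Required) One or more rule blocks as defined below."
  type        = list(any)
  default     = []
  /*
  A rule block supports the following:
  name - (Required) Specifies the name of the rule.
  description - (Optional) Specifies a description for the rule.
  source_addresses - (Required) A list of source IP addresses and/or IP ranges.
  destination_addresses - (Required) A list of destination IP addresses and/or IP ranges.
  destination_ports - (Required) A list of destination ports.
  protocols - (Required) A list of protocols. Possible values are Any, ICMP, TCP and UDP.
  */
}

#tags

variable "tags" {
  description = "Optional tags to be added to resource"
  type        = map(any)
  default     = {}
}
--------------------------------------------------------------------------------
/resources/key_vault/key_vault/README.md:
--------------------------------------------------------------------------------
## Requirements

No requirements.

## Providers

| Name | Version |
|------|---------|
| azurerm | n/a |
| random | n/a |

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| enabled\_for\_deployment | (Optional) Boolean flag to specify whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault. Defaults to false. | `bool` | `null` | no |
| enabled\_for\_disk\_encryption | (Optional) Boolean flag to specify whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys. Defaults to false. | `bool` | `null` | no |
| enabled\_for\_template\_deployment | (Optional) Boolean flag to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault. Defaults to false. | `bool` | `null` | no |
| environment | Development environment for resource; prod, non-prod, shared-services | `string` | n/a | yes |
| name\_prefix | a short pre-defined text to identify resource type | `string` | `"kv"` | no |
| network\_acls | (Optional) A network\_acls block as defined below. | `list` | `[]` | no |
| purge\_protection\_enabled | (Optional) Is Purge Protection enabled for this Key Vault? Defaults to false. | `bool` | `null` | no |
| region | Geographic Region resource will be deployed into | `string` | n/a | yes |
| resource\_group | The name of the target resource group | `string` | n/a | yes |
| sku\_name | The Name of the sku used for this Key Vault. Possible values are standard and premium. | `string` | n/a | yes |
| soft\_delete\_enabled | (Optional) Should Soft Delete be enabled for this Key Vault? Defaults to false.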
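| `bool` | `null` | no |
| tags | tags to be added to resource | `map` | `{}` | no |

## Outputs

| Name | Description |
|------|-------------|
| id | Key Vault resource id |
| vault\_uri | The URI of the Key Vault, used for performing operations on keys and secrets. |


--------------------------------------------------------------------------------
/environments/test/variables.tf:
--------------------------------------------------------------------------------
###
# environment variables
###

#common

variable "environment" {
  description = "Development environment for resource; prod, non-prod, shared-services"
  type        = string
}

variable "region" {
  description = "Geographic region resource will be deployed into"
  type        = string
}

#network
#
# Address ranges are all CIDR strings, so every prefix variable is typed
# list(string) (previously a mix of list(any) and list(string)). Terraform
# converts existing list(any) inputs of string elements without change.

variable "address_space" {
  description = "This is a list of the ip address ranges for the vnet"
  type        = list(string)
}

variable "address_prefix_aks" {
  description = "The address prefix to use for the aks node subnet."
  type        = list(string)
}

variable "address_prefix_agw" {
  description = "The address prefix to use for the agw subnet."
  type        = list(string)
}

variable "address_prefix_fw" {
  description = "The address prefix to use for the fw subnet."
  type        = list(string)
}

variable "address_prefix_bastion" {
  description = "The address prefix to use for the bastion subnet."
  type        = list(string)
}

# The three values below must be mutually consistent: dns_service_ip has to
# fall inside service_cidr, and service_cidr / docker_bridge_cidr must not
# overlap the vnet address_space or each other.
variable "dns_service_ip" {
  description = "IP address within the Kubernetes service address range that will be used by cluster service discovery (kube-dns). This is required when network_plugin is set to azure. Changing this forces a new resource to be created."
  type        = string
}

variable "docker_bridge_cidr" {
  description = "IP address (in CIDR notation) used as the Docker bridge IP address on nodes. This is required when network_plugin is set to azure. Changing this forces a new resource to be created."
  type        = string
}

variable "service_cidr" {
  description = "The Network Range used by the Kubernetes service. This is required when network_plugin is set to azure. Changing this forces a new resource to be created."
  type        = string
}

#tags

variable "tags" {
  description = "A map of tags to add to all resources"
  type        = map(any)
  default     = {}
}
--------------------------------------------------------------------------------
/resources/app_service/app_service_plan/README.md:
--------------------------------------------------------------------------------
## Requirements

No requirements.

## Providers

| Name | Version |
|------|---------|
| azurerm | n/a |

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| app\_service\_environment\_id | (Optional) The ID of the App Service Environment where the App Service Plan should be located. Changing forces a new resource to be created. | `string` | `null` | no |
| environment | Development environment for resource; prod, non-prod, shared-services | `string` | n/a | yes |
| kind | (Optional) The kind of the App Service Plan to create. Possible values are Windows (also available as App), Linux, elastic (for Premium Consumption) and FunctionApp (for a Consumption Plan). Defaults to Windows. Changing this forces a new resource to be created. | `string` | `null` | no |
| maximum\_elastic\_worker\_count | The maximum number of total workers allowed for this ElasticScaleEnabled App Service Plan. | `number` | `null` | no |
| name\_prefix | A short pre-defined text to identify the resource type | `string` | `"plan"` | no |
| per\_site\_scaling | (Optional) Can Apps assigned to this App Service Plan be scaled independently? If set to false apps assigned to this plan will scale to all instances of the plan. Defaults to false. | `bool` | `null` | no |
| region | Geographic Region resource will be deployed into | `string` | n/a | yes |
| reserved | (Optional) Is this App Service Plan Reserved. Defaults to false. | `bool` | `null` | no |
| resource\_group | The name of the target resource group | `string` | n/a | yes |
| sku\_capacity | (Optional) Specifies the number of workers associated with this App Service Plan. | `number` | `null` | no |
| sku\_size | (Required) Specifies the plan's instance size. | `string` | n/a | yes |
| sku\_tier | (Required) Specifies the plan's pricing tier. | `string` | n/a | yes |
| tags | A map of tags to add to all resources | `map` | `{}` | no |

## Outputs

| Name | Description |
|------|-------------|
| id | The ID of the App Service Plan. |


--------------------------------------------------------------------------------
/resources/network/virtual_network_peering/variables.tf:
--------------------------------------------------------------------------------
###
# resource variables
###

#common

variable "resource_group_name" {
  description = "(Required) The name of the resource group in which to create the virtual network. Changing this forces a new resource to be created."
  type        = string
}

#virtual_network_peering
#
# A peering is one direction of a vnet-to-vnet link; the optional flags below
# default to null so the provider defaults noted in each description apply.
# allow_forwarded_traffic / allow_gateway_transit / use_remote_gateways widen
# what can transit the link, so enable them deliberately per environment.

variable "virtual_network_name" {
  description = "(Required) The name of the virtual network. Changing this forces a new resource to be created."
  type        = string
}

variable "remote_virtual_network_name" {
  description = "(Required) The name of the remote virtual network. Changing this forces a new resource to be created."
  type        = string
}

variable "remote_virtual_network_id" {
  description = "(Required) The full Azure resource ID of the remote virtual network. Changing this forces a new resource to be created."
  type        = string
}

variable "allow_virtual_network_access" {
  description = "(Optional) Controls if the VMs in the remote virtual network can access VMs in the local virtual network. Defaults to true."
  type        = bool
  default     = null
}

variable "allow_forwarded_traffic" {
  description = "(Optional) Controls if forwarded traffic from VMs in the remote virtual network is allowed. Defaults to false."
  type        = bool
  default     = null
}

variable "allow_gateway_transit" {
  description = "(Optional) Controls whether gateway links can be used in the remote virtual network's link to the local virtual network."
  type        = bool
  default     = null
}

variable "use_remote_gateways" {
  description = "(Optional) Controls if remote gateways can be used on the local virtual network. If the flag is set to true, and allow_gateway_transit on the remote peering is also true, virtual network will use gateways of remote virtual network for transit. Only one peering can have this flag set to true. This flag cannot be set if virtual network already has a gateway. Defaults to false."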
49 | type = bool 50 | default = null 51 | } 52 | 53 | -------------------------------------------------------------------------------- /modules/aks_agic/templates/helm-config.yaml: -------------------------------------------------------------------------------- 1 | # This file contains the essential configs for the ingress controller helm chart 2 | 3 | # Verbosity level of the App Gateway Ingress Controller 4 | verbosityLevel: 5 5 | 6 | ################################################################################ 7 | # Specify which application gateway the ingress controller will manage 8 | # 9 | appgw: 10 | subscriptionId: ${subscription_id} 11 | resourceGroup: ${resource_group_name} 12 | name: ${applicationgateway_name} 13 | usePrivateIP: false 14 | 15 | # Setting appgw.shared to "true" will create an AzureIngressProhibitedTarget CRD. 16 | # This prohibits AGIC from applying config for any host/path. 17 | # Use "kubectl get AzureIngressProhibitedTargets" to view and change this. 18 | shared: false 19 | 20 | ################################################################################ 21 | # Specify which kubernetes namespace the ingress controller will watch 22 | # Default value is "default" 23 | # Leaving this variable out or setting it to blank or empty string would 24 | # result in Ingress Controller observing all acessible namespaces. 
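#
# kubernetes:
#   watchNamespace:

################################################################################
# Specify the authentication with Azure Resource Manager
#
# Two authentication methods are available:
# - Option 1: AAD-Pod-Identity (https://github.com/Azure/aad-pod-identity)
# Both template variables are filled in by the Terraform caller that renders
# this file (the aks_agic module); no credential is stored in the template.
armAuth:
    type: aadPodIdentity
    identityResourceID: ${identity_resource_id}
    identityClientID:  ${identity_client_id}

## Alternatively you can use Service Principal credentials
# armAuth:
#    type: servicePrincipal
#    secretJSON: < --sdk-auth | base64 -w0" >>

################################################################################
# Specify if the cluster is RBAC enabled or not
# NOTE(review): this flag has to match the AKS cluster's own RBAC setting (the
# k8s_cluster module is not in this file). On an RBAC-enabled cluster it must
# be `true`, otherwise the controller's service account is not granted the
# permissions it needs to watch Ingress resources — confirm before deploying.
rbac:
    enabled: false # true/false

# Specify aks cluster related information. THIS IS BEING DEPRECATED.
aksClusterConfiguration:
    apiServerAddress: ${aks-api-server-address}
--------------------------------------------------------------------------------
/resources/network/application_gateway/variables.tf:
--------------------------------------------------------------------------------
###
# resource variables
#
# Inputs of the application_gateway resource wrapper. Types are declared as
# narrowly as possible so that bad values fail at plan time rather than inside
# the provider.
###

#common

variable "resource_group" {
  description = "The name of the target resource group"
  type        = string
}

variable "name_prefix" {
  description = "Short prefix to identify resource"
  type        = string
  default     = "agw"
}

variable "environment" {
  description = "Development environment for resource; prod, non-prod, shared-services"
  type        = string
}

variable "region" {
  description = "Geographic Region resource will be deployed into"
  type        = string
}

#app_gw

variable "sku_name" {
  description = "The Name of the SKU to use for this Application Gateway. Possible values are Standard_Small, Standard_Medium, Standard_Large, Standard_v2, WAF_Medium, WAF_Large, and WAF_v2."
  type        = string
}

variable "sku_tier" {
  description = "The Tier of the SKU to use for this Application Gateway. Possible values are Standard, Standard_v2, WAF and WAF_v2."
  type        = string
}

# Instance count. Declared as `number` (it was `string` with a numeric default,
# which relied on the provider coercing "1" back to an integer); string inputs
# such as "2" still convert, so callers are unaffected. It has a default, so the
# former "(Required)" tag in the description was inaccurate and is dropped.
variable "sku_capacity" {
  description = "The Capacity of the SKU to use for this Application Gateway - which must be between 1 and 10, optional if autoscale_configuration is set"
  type        = number
  default     = 1
}

# Zone names are strings; list(string) replaces list(any) so a heterogeneous
# list is rejected at plan time.
variable "zones" {
  description = "(Optional) A collection of availability zones to spread the Application Gateway over."
  type        = list(string)
  default     = null
}

variable "subnet_id" {
  description = "The ID of a Subnet."
  type        = string
}

# No default, so this input is required; the previous "(Optional)" wording
# contradicted that. main.tf wires it straight into the single
# frontend_ip_configuration block of the gateway.
variable "public_ip_address_id" {
  description = "The ID of a Public IP Address which the Application Gateway should use."
  type        = string
}

variable "private_ip_address" {
  description = "(Optional) The Private IP Address to use for the Application Gateway."
  type        = string
  default     = null
}


#tags

variable "tags" {
  description = "Optional tags to be added to resource"
  type        = map(any)
  default     = {}
}
--------------------------------------------------------------------------------
/environments/dev/main.tf:
--------------------------------------------------------------------------------
###
# environment composition
###

# Reads the shared-services state to discover the hub network. The backend
# location is hard-coded here. The service principal supplied through
# var.client_id / var.client_secret only needs read access to this blob, but
# note that the blob holds the complete shared-services state, not just the
# three outputs consumed below — scope that access accordingly.
data "terraform_remote_state" "shared_services" {
  backend = "azurerm"
  config = {
    resource_group_name  = "rg-terraform-state"
    storage_account_name = "sttfstate000eus"
    container_name       = "tfstate"
    key                  = "shared-services.tfstate"
    subscription_id      = var.subscription_id
    client_id            = var.client_id
    client_secret        = var.client_secret
    tenant_id            = var.tenant_id
  }
}

# Spoke VNet peered to the hub discovered above. Gateway transit and remote
# gateway use are disabled on both sides of the peering.
module "network_spoke" {
  source          = "../../modules/network_spoke"
  environment     = var.environment
  region          = var.region
  address_space   = var.address_space
  subscription_id = var.subscription_id
  client_id       = var.client_id
  client_secret   = var.client_secret
  tenant_id       = var.tenant_id

  virtual_network_hub_resource_group_name = data.terraform_remote_state.shared_services.outputs.network_hub_resource_group_name
  virtual_network_hub_name                = data.terraform_remote_state.shared_services.outputs.network_hub_name
  virtual_network_hub_id                  = data.terraform_remote_state.shared_services.outputs.network_hub_id

  allow_gateway_transit_hub   = false
  allow_gateway_transit_spoke = false
  use_remote_gateways_spoke   = false
  use_remote_gateways_hub     = false
  tags                        = var.tags
}

# Cluster subnets are carved out of the spoke VNet created above.
module "k8s_cluster" {
  source                         = "../../modules/k8s_cluster"
  environment                    = var.environment
  region                         = var.region
  virtual_network_resource_group = module.network_spoke.virtual_network_resource_group_name
  virtual_network_name           = module.network_spoke.virtual_network_name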
address_prefix_k8s_master = var.address_prefix_k8s_master
  address_prefix_k8s_node = var.address_prefix_k8s_node
}

--------------------------------------------------------------------------------
/resources/network/lb/README.md:
--------------------------------------------------------------------------------
## Requirements

No requirements.

## Providers

| Name | Version |
|------|---------|
| azurerm | n/a |

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| environment | Development environment for resource; prod, non-prod, shared-services | `string` | n/a | yes |
| frontend\_ip\_configuration | (Optional) One or multiple frontend\_ip\_configuration blocks as documented below. | `list` | `[]` | no |
| name\_prefix | A short pre-defined text to identify the resource type | `string` | `"lb"` | no |
| private\_ip\_address | (Optional) Private IP Address to assign to the Load Balancer. The last one and first four IPs in any range are reserved and cannot be manually assigned. | `string` | `null` | no |
| private\_ip\_address\_allocation | (Optional) The allocation method for the Private IP Address used by this Load Balancer. Possible values as Dynamic and Static. | `string` | `null` | no |
| private\_ip\_address\_version | The version of IP that the Private IP Address is. Possible values are IPv4 or IPv6. | `string` | `"IPv4"` | no |
| public\_ip\_address\_id | (Optional) The ID of a Public IP Address which should be associated with the Load Balancer. | `string` | `null` | no |
| public\_ip\_prefix\_id | (Optional) The ID of a Public IP Prefix which should be associated with the Load Balancer. Public IP Prefix can only be used with outbound rules. | `string` | `null` | no |
| region | Geographic Region resource will be deployed into | `string` | n/a | yes |
| resource\_group | The name of the target resource group | `string` | n/a | yes |
| sku | (Optional) The SKU of the Azure Load Balancer. Accepted values are Basic and Standard. Defaults to Basic. | `string` | `null` | no |
| subnet\_id | The ID of the Subnet which should be associated with the IP Configuration. | `string` | `null` | no |
| tags | A map of tags to add to all resources | `map` | `{}` | no |
| zones | (Optional) A list of Availability Zones which the Load Balancer's IP Addresses should be created in. | `list` | `null` | no |

## Outputs

| Name | Description |
|------|-------------|
| id | The Load Balancer ID. |

--------------------------------------------------------------------------------
/.devcontainer/Dockerfile:
--------------------------------------------------------------------------------
# You can pick any Debian/Ubuntu-based image. 😊
FROM mcr.microsoft.com/vscode/devcontainers/base:buster

# The library scripts are only needed at build time; the last RUN below deletes them.
COPY library-scripts/*.sh /tmp/library-scripts/

# [Option] Install zsh
ARG INSTALL_ZSH="true"
# [Option] Upgrade OS packages to their latest versions
ARG UPGRADE_PACKAGES="false"

# Install needed packages and setup non-root user. Use a separate RUN statement to add your own dependencies.
ARG USERNAME=vscode
ARG USER_UID=1000
ARG USER_GID=$USER_UID
# graphviz is pulled in with its recommended packages (no --no-install-recommends),
# unlike the commented template at the end of this file.
RUN apt-get update && export DEBIAN_FRONTEND=noninteractive \
    && bash /tmp/library-scripts/common-debian.sh "${INSTALL_ZSH}" "${USERNAME}" "${USER_UID}" "${USER_GID}" "${UPGRADE_PACKAGES}" \
    && apt-get install -y graphviz \
    && apt-get clean -y && rm -rf /var/lib/apt/lists/*

# [Option] Install Azure CLI
ARG INSTALL_AZURE_CLI="true"
# [Option] Install Docker CLI
ARG INSTALL_DOCKER="true"
# [Option] Install Node.js
ARG INSTALL_NODE="true"
ARG NODE_VERSION="lts/*"
ENV NVM_DIR=/usr/local/share/nvm
ENV NVM_SYMLINK_CURRENT=true \
    PATH=${NVM_DIR}/current/bin:${PATH}
# docker-debian.sh receives a host socket path (/var/run/docker-host.sock) and an
# in-container path (/var/run/docker.sock): presumably the host daemon's socket is
# proxied into the container, which gives ${USERNAME} control equivalent to root on
# the host. Fine for a personal dev container; do not reuse this image anywhere shared.
# When Docker is not installed, docker-init.sh is reduced to a pass-through wrapper
# so the ENTRYPOINT below keeps working.
RUN if [ "${INSTALL_AZURE_CLI}" = "true" ]; then bash /tmp/library-scripts/azcli-debian.sh; fi \
    && if [ "${INSTALL_NODE}" = "true" ]; then bash /tmp/library-scripts/node-debian.sh "${NVM_DIR}" "${NODE_VERSION}" "${USERNAME}"; fi \
    && if [ "${INSTALL_DOCKER}" = "true" ]; then \
        bash /tmp/library-scripts/docker-debian.sh "true" "/var/run/docker-host.sock" "/var/run/docker.sock" "${USERNAME}"; \
    else \
        echo '#!/bin/bash\n"$@"' > /usr/local/share/docker-init.sh && chmod +x /usr/local/share/docker-init.sh; \
    fi \
    && rm -rf /var/lib/apt/lists/*

# Install Terraform, tflint
# Pinned toolchain. Terraform 0.12.16 predates variable `validation` blocks (0.13)
# and `sensitive` variables (0.14), so neither can be used in this repository's
# modules while the pin stands; tflint 0.8.2 is an equally old release. Bump both
# together and re-run the linters.
ARG TERRAFORM_VERSION=0.12.16
ARG TFLINT_VERSION=0.8.2
RUN bash /tmp/library-scripts/terraform-debian.sh "${TERRAFORM_VERSION}" "${TFLINT_VERSION}" \
    && rm -rf /tmp/library-scripts


ENTRYPOINT [ "/usr/local/share/docker-init.sh" ]
CMD [ "sleep", "infinity" ]

# [Optional] Uncomment this section to install additional OS packages.
# RUN apt-get update && export DEBIAN_FRONTEND=noninteractive \
#     && apt-get -y install --no-install-recommends

--------------------------------------------------------------------------------
/resources/network/application_gateway/main.tf:
--------------------------------------------------------------------------------
###
# resource composition
#
# A minimal Application Gateway: one public frontend, one port-80 HTTP listener,
# one empty backend pool and a basic routing rule tying them together.
###

#locals

# Names of the gateway's sub-resources, all derived from name_prefix. Several
# blocks below reference each other by these names, so keep them in one place.
locals {
  backend_address_pool_name      = "${var.name_prefix}-beap"
  frontend_port_name             = "${var.name_prefix}-feport"
  frontend_ip_configuration_name = "${var.name_prefix}-feip"
  http_setting_name              = "${var.name_prefix}-be-htst"
  listener_name                  = "${var.name_prefix}-httplstn"
  request_routing_rule_name      = "${var.name_prefix}-rqrt"
}

#application gateway

resource "azurerm_application_gateway" "base" {
  name                = "${var.name_prefix}-${var.environment}-${var.region}"
  resource_group_name = var.resource_group
  location            = var.region

  # NOTE(review): no waf_configuration block is defined, yet variables.tf allows
  # the WAF / WAF_v2 tiers here. Selecting a WAF tier presumably requires that
  # block — confirm against the provider before exposing those tiers.
  sku {
    name     = var.sku_name
    tier     = var.sku_tier
    capacity = var.sku_capacity
  }

  zones = var.zones

  # A single frontend that carries both the public IP and an optional private
  # address. With var.private_ip_address at its null default this is a
  # public-only frontend; whether the provider accepts both on one block when
  # a private address is supplied is not verified here — TODO confirm.
  frontend_ip_configuration {
    name                 = local.frontend_ip_configuration_name
    public_ip_address_id = var.public_ip_address_id
    private_ip_address   = var.private_ip_address
  }

  gateway_ip_configuration {
    name      = "appGatewayIpConfig"
    subnet_id = var.subnet_id
  }

  # Only a plaintext port-80 frontend exists: there is no HTTPS listener and no
  # ssl_certificate block, so TLS termination does not happen at this gateway.
  frontend_port {
    name = local.frontend_port_name
    port = 80
  }

  # Created empty; members are attached by a separate resource wrapper.
  backend_address_pool {
    name = local.backend_address_pool_name
  }

  # Backend traffic is also plaintext (Http on 80).
  # NOTE(review): request_timeout is in seconds; 1 s is far below the usual
  # 30 s and any backend slower than that will have its request failed by the
  # gateway — verify this value is intentional.
  backend_http_settings {
    name                  = local.http_setting_name
    cookie_based_affinity = "Disabled"
    port                  = 80
    protocol              = "Http"
    request_timeout       = 1
  }

  http_listener {
    name                           = local.listener_name
    frontend_ip_configuration_name = local.frontend_ip_configuration_name
    frontend_port_name             = local.frontend_port_name
    protocol                       = "Http"
  }

  # Basic rule: everything arriving on the listener goes to the single pool.
  request_routing_rule {
    name                       = local.request_routing_rule_name
    rule_type                  = "Basic"
    http_listener_name         = local.listener_name
    backend_address_pool_name  = local.backend_address_pool_name
    backend_http_settings_name = local.http_setting_name
  }
  tags = var.tags
}
--------------------------------------------------------------------------------
/environments/prod/variables.tf:
--------------------------------------------------------------------------------
###
# environment variables
###

#common

variable "region" {
  description = "Geographic region resource will be deployed into"
  type        = string
}

variable "environment" {
  description = "Development environment for resource; prod, non-prod, shared-services"
  type        = string
}

#authentication

variable "client_id" {
  description = "The client ID for the Service Principal"
  type        = string
}

# NOTE(review): a plain string variable. On the Terraform release pinned in
# .devcontainer/Dockerfile (0.12.16) `sensitive = true` is not available (it
# arrived in 0.14), so plan output and any attribute this value flows into can
# show the secret in clear. Prefer the ARM_CLIENT_SECRET environment variable
# or a secret store over committing it to a tfvars file.
variable "client_secret" {
  description = "The secret for the Service Principal authentication"
  type        = string
}

# The description wording appears to be copied from the azurerm backend
# documentation ("in which the Storage Account exists"); the variable is used
# for provider/backend authentication of the whole environment (see the
# equivalent wiring in environments/dev/main.tf).
variable "subscription_id" {
  description = "The Subscription ID in which the Storage Account exists. This can also be sourced from the ARM_SUBSCRIPTION_ID environment variable."
  type        = string
}

variable "tenant_id" {
  description = "The Tenant ID in which the Subscription exists. This can also be sourced from the ARM_TENANT_ID environment variable."
  type        = string
}

#network

# list(any) accepts non-string elements; list(string) would be the tighter type
# (the CIDR strings convert either way).
variable "address_space" {
  description = "This is a list of the ip address ranges for the vnet"
  type        = list(any)
}

variable "address_prefix_aks" {
  description = "The address prefixe to use for the aks subnet."
  type        = list(string)
}

#aks

# The three values below must be mutually consistent: dns_service_ip lies inside
# service_cidr, and neither service_cidr nor docker_bridge_cidr may overlap the
# VNet address_space. All three force re-creation when changed.
variable "dns_service_ip" {
  description = "IP address within the Kubernetes service address range that will be used by cluster service discovery (kube-dns). This is required when network_plugin is set to azure. Changing this forces a new resource to be created."
  type        = string
}

variable "docker_bridge_cidr" {
  description = "IP address (in CIDR notation) used as the Docker bridge IP address on nodes. This is required when network_plugin is set to azure. Changing this forces a new resource to be created."
  type        = string
}

variable "service_cidr" {
  description = "The Network Range used by the Kubernetes service. This is required when network_plugin is set to azure. Changing this forces a new resource to be created."
  type        = string
}


#tags

variable "tags" {
  description = "A map of tags to add to all resources"
  type        = map(any)
  default     = {}
}
--------------------------------------------------------------------------------