├── .gitignore
├── 1-main-vnet
    ├── commands.txt
    └── main.tf
├── 10-arm-template
    ├── azuredeploy.json
    ├── commands.txt
    ├── subnet_delegation.tf
    └── template-deploy.tf
├── 2-sec-vnet
    ├── commands.txt
    └── main.tf
├── 3-vnet-peering
    ├── commands.txt
    └── vnet-peering.tf
├── 4-remote-state-prep
    ├── commands.txt
    └── main.tf
├── 5-remote-state
    ├── backend.tf
    └── commands.txt
├── 6-azuredevops
    ├── azure-pipelines.yaml
    ├── production-pipeline.yaml
    └── uat-pipeline.yaml
├── 7-azure-devops-workspaces
    ├── backend.tf
    ├── commands.txt
    ├── main.tf
    ├── terraform.tfvars.example
    ├── vnet-peering.tf
    └── workspacetest.sh
├── 8-app-remote-state
    ├── backend-config-example.txt
    ├── commands.txt
    └── main.tf
├── 9-app-deploy
    ├── commands.txt
    ├── main.tf
    └── terraform.tfvars.example
├── CHANGELOG.md
├── LICENSE
├── README.md
└── zz-terraform-vm
    ├── commands.txt
    ├── terraform-vm.tmpl
    ├── terraform.tf
    ├── variables.tf
    └── vm.tf


/.gitignore:
--------------------------------------------------------------------------------
 1 | #  Local .terraform directories
 2 | **/.terraform/*
 3 | 
 4 | # .tfstate files
 5 | *.tfstate
 6 | *.tfstate.*
 7 | 
 8 | # .tfvars files
 9 | *.tfvars
10 | 
11 | # .tfplan files
12 | *.tfplan
13 | 
14 | *next-step.txt
15 | 


--------------------------------------------------------------------------------
/1-main-vnet/commands.txt:
--------------------------------------------------------------------------------
1 | # First we are going to deploy resources in our networking subscription
2 | # Be sure to select the networking subscription for your subname
3 | az account show
4 | az account set --subscription SUB_NAME
5 | 
6 | terraform init
7 | terraform plan -var resource_group_name=main-vnet -out vnet.tfplan
8 | terraform apply "vnet.tfplan"


--------------------------------------------------------------------------------
/1-main-vnet/main.tf:
--------------------------------------------------------------------------------
 1 | #############################################################################
 2 | # TERRAFORM CONFIG
 3 | #############################################################################
 4 | 
 5 | terraform {
 6 |   required_providers {
 7 |     azurerm = {
 8 |       source  = "hashicorp/azurerm"
 9 |       version = "~> 2.0"
10 |     }
11 |   }
12 | }
13 | 
14 | #############################################################################
15 | # VARIABLES
16 | #############################################################################
17 | 
18 | variable "resource_group_name" {
19 |   type = string
20 | }
21 | 
22 | variable "location" {
23 |   type    = string
24 |   default = "eastus"
25 | }
26 | 
27 | 
28 | variable "vnet_cidr_range" {
29 |   type    = string
30 |   default = "10.0.0.0/16"
31 | }
32 | 
33 | variable "subnet_prefixes" {
34 |   type    = list(string)
35 |   default = ["10.0.0.0/24", "10.0.1.0/24"]
36 | }
37 | 
38 | variable "subnet_names" {
39 |   type    = list(string)
40 |   default = ["web", "database"]
41 | }
42 | 
43 | #############################################################################
44 | # PROVIDERS
45 | #############################################################################
46 | 
47 | provider "azurerm" {
48 |   features {}
49 | }
50 | 
51 | #############################################################################
52 | # RESOURCES
53 | #############################################################################
54 | 
55 | resource "azurerm_resource_group" "vnet_main" {
56 |   name     = var.resource_group_name
57 |   location = var.location
58 | }
59 | 
60 | module "vnet-main" {
61 |   source              = "Azure/vnet/azurerm"
62 |   version             = "~> 2.0"
63 |   resource_group_name = azurerm_resource_group.vnet_main.name
64 |   vnet_name           = var.resource_group_name
65 |   address_space       = [var.vnet_cidr_range]
66 |   subnet_prefixes     = var.subnet_prefixes
67 |   subnet_names        = var.subnet_names
68 |   nsg_ids             = {}
69 | 
70 |   tags = {
71 |     environment = "dev"
72 |     costcenter  = "it"
73 | 
74 |   }
75 | 
76 |   depends_on = [azurerm_resource_group.vnet_main]
77 | }
78 | 
79 | #############################################################################
80 | # OUTPUTS
81 | #############################################################################
82 | 
83 | output "vnet_id" {
84 |   value = module.vnet-main.vnet_id
85 | }
86 | 


--------------------------------------------------------------------------------
/10-arm-template/azuredeploy.json:
--------------------------------------------------------------------------------
 1 | {
 2 |     "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
 3 |     "contentVersion": "1.0.0.0",
 4 |     "parameters": {
 5 |         "webAppName": {
 6 |             "type": "string",
 7 |             "metadata": {
 8 |                 "description": "Base name of the resource such as web app name and app service plan"
 9 |             },
10 |             "minLength": 2
11 |         },
12 |         "sku": {
13 |             "type": "string",
14 |             "defaultValue": "S1",
15 |             "metadata": {
16 |                 "description": "The SKU of App Service Plan, by default is Standard S1"
17 |             }
18 |         },
19 |         "location": {
20 |             "type": "string",
21 |             "defaultValue": "[resourceGroup().location]",
22 |             "metadata": {
23 |                 "description": "Location for all resources"
24 |             }
25 |         },
26 |         "vnetName": {
27 |             "type": "string",
28 |             "metadata": {
29 |                 "description": "Vnet Name that contains the subnet to allow for access"
30 |             }
31 |         },
32 |         "subnetRef": {
33 |           "type": "string",
34 |             "metadata": {
35 |                 "description": "Resource ID of the delegated subnet"
36 |             }
37 |         }
38 |     },
39 |     "variables": {
40 |         "webAppPortalName": "[concat(parameters('webAppName'), '-webapp')]",
41 |         "appServicePlanName": "[concat('AppServicePlan-', parameters('webAppName'))]"
42 |     },
43 |     "resources": [
44 |         {
45 |             "apiVersion": "2018-02-01",
46 |             "type": "Microsoft.Web/serverfarms",
47 |             "kind": "app",
48 |             "name": "[variables('appServicePlanName')]",
49 |             "location": "[parameters('location')]",
50 |             "properties": {},
51 |             "dependsOn": [],
52 |             "sku": {
53 |                 "name": "[parameters('sku')]"
54 |             }
55 |         },
56 |         {
57 |             "apiVersion": "2018-11-01",
58 |             "type": "Microsoft.Web/sites",
59 |             "kind": "app",
60 |             "name": "[variables('webAppPortalName')]",
61 |             "location": "[parameters('location')]",
62 |             "properties": {
63 |                 "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('appServicePlanName'))]"
64 |             },
65 |             "dependsOn": [
66 |                 "[resourceId('Microsoft.Web/serverfarms', variables('appServicePlanName'))]"
67 |             ],
68 |             "resources": [
69 |                 {
70 |                     "apiVersion": "2018-02-01",
71 |                     "type": "config",
72 |                     "name": "virtualNetwork",
73 |                     "location": "[parameters('location')]",
74 |                     "dependsOn": [
75 |                         "[concat('Microsoft.Web/sites/', variables('webAppPortalName'))]"
76 |                     ],
77 |                     "properties": {
78 |                         "subnetResourceId": "[parameters('subnetRef')]",
79 |                         "swiftSupported": true
80 |                     }
81 |                 }
82 |             ]
83 |         }
84 |     ]
85 | }


--------------------------------------------------------------------------------
/10-arm-template/commands.txt:
--------------------------------------------------------------------------------
 1 | # Next we're going to update the networking config with a subnet delegation
 2 | # Upload the 10-arm-template/subnet_delegation.tf file to the networking
 3 | # directory in the Azure DevOps Repo
 4 | 
 5 | # Adding the file should kick off a pipeline run
 6 | # Approve the Production deployment and let the pipeline finish
 7 | 
 8 | # Now we've set the stage for deploying the arm template
 9 | # Copy the template and template-deploy.tf files over to 9-app-deploy
10 | cp template-deploy.tf ../9-app-deploy/
11 | cp azuredeploy.json ../9-app-deploy/
12 | 
13 | # Now we'll run the template deploy
14 | 
15 | terraform plan -out app.tfplan
16 | terraform apply "app.tfplan"
17 | 
18 | # Rinse and repeat for the other workspaces


--------------------------------------------------------------------------------
/10-arm-template/subnet_delegation.tf:
--------------------------------------------------------------------------------
 1 | resource "azurerm_subnet" "app_service" {
 2 |   name                 = "appservice"
 3 |   resource_group_name  = azurerm_resource_group.vnet_main.name
 4 |   virtual_network_name = module.vnet-main.vnet_name
 5 |   address_prefix       = cidrsubnet(var.vnet_cidr_range[terraform.workspace], 8, length(var.subnet_names))
 6 | 
 7 |   delegation {
 8 |     name = "appservicedelegation"
 9 | 
10 |     service_delegation {
11 |       name = "Microsoft.Web/serverFarms"
12 |       actions = [
13 |         "Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action",
14 |         "Microsoft.Network/virtualNetworks/subnets/action",
15 |         "Microsoft.Network/virtualNetworks/subnets/join/action"
16 |       ]
17 |     }
18 |   }
19 | }


--------------------------------------------------------------------------------
/10-arm-template/template-deploy.tf:
--------------------------------------------------------------------------------
 1 | #############################################################################
 2 | # DATA
 3 | #############################################################################
 4 | 
 5 | data "azurerm_subnet" "appservice" {
 6 |   name                 = "appservice"
 7 |   virtual_network_name = data.terraform_remote_state.networking.outputs.vnet_name
 8 |   resource_group_name  = data.terraform_remote_state.networking.outputs.resource_group_name
 9 | }
10 | 
11 | #############################################################################
12 | # RESOURCES
13 | #############################################################################
14 | 
15 | resource "azurerm_resource_group" "webapp" {
16 |   name     = "${local.prefix}-webapp"
17 |   location = var.location
18 | }
19 | 
20 | resource "azurerm_template_deployment" "webapp" {
21 |   name                = "webappdeployment"
22 |   resource_group_name = azurerm_resource_group.webapp.name
23 | 
24 |   template_body = file("azuredeploy.json")
25 | 
26 |   parameters = {
27 |     "webAppName" = "${local.prefix}-web"
28 |     "vnetName"   = data.terraform_remote_state.networking.outputs.vnet_name
29 |     "subnetRef"  = data.azurerm_subnet.appservice.id
30 |   }
31 | 
32 |   deployment_mode = "Incremental"
33 | }


--------------------------------------------------------------------------------
/2-sec-vnet/commands.txt:
--------------------------------------------------------------------------------
 1 | ### The original Terraform marketplace item is gone! ###
 2 | ## You have two options:
 3 | 
 4 | # 1. Run the commands from your local workstation while logged into an account in the security subscription
 5 | # 2. Run the Terraform config in the zz-terraform-vm directory
 6 | 
 7 | # The config in the zz-terraform-vm directory mirrors what was in the marketplace item
 8 | # except for provisioning an MSI, which we don't use anyway
 9 | 
10 | #Log into the Azure CLI
11 | az login
12 | 
13 | # This time we are going to create resources in the security subscription
14 | # Be sure to select the security subscription for your SUB_NAME
15 | 
16 | az account set -s SUB_NAME
17 | 
18 | # If you're running in the remote Terraform VM you'll need to copy the main.tf contents 
19 | # over to the VM. If you're running locally, you can simply navigate to the 2-sec-vnet directory
20 | # and run the commands from there. You won't be using the storage account for the remote backend, b/c
21 | # it doesn't exist.
22 | 
23 | # Copy the ~/tfTemplate/remoteState.tf file to the working directory
24 | cp ~/tfTemplate/remoteState.tf .
25 | 
26 | # Create the security environment
27 | terraform init
28 | terraform plan -out sec.tfplan
29 | terraform apply sec.tfplan
30 | 
31 | # We're going to need the contents of the next-step.txt file for the next section
32 | # Run the following command to get the contents
33 | cat next-step.txt
34 | 
35 | #####################################################################################################
36 | 
37 | # Now we are going to create the peering connection
38 | 
39 | # These commands are run from the Cloud Shell
40 | # Make sure you're using the network subscription
41 | 
42 | az account set -s NETWORK_SUB_NAME
43 | 
44 | # Run the export commands from the next-step.txt file to prepare
45 | # the proper environment variables
46 | 
47 | # Then copy over the contents of the 3-vnet-peering/vnet-peering.tf 
48 | # file to the same named file in the cloud shell 1-main-vnet directory
49 | 
50 | # Run the standard plan and apply to update the config
51 | terraform plan -var resource_group_name=main-vnet -out vnet.tfplan 
52 | terraform apply "vnet.tfplan"


--------------------------------------------------------------------------------
/2-sec-vnet/main.tf:
--------------------------------------------------------------------------------
  1 | #############################################################################
  2 | # TERRAFORM CONFIG
  3 | #############################################################################
  4 | 
  5 | terraform {
  6 |   required_providers {
  7 |     azurerm = {
  8 |       source  = "hashicorp/azurerm"
  9 |       version = "~> 2.0"
 10 |     }
 11 | 
 12 |     azuread = {
 13 |       source  = "hashicorp/azuread"
 14 |       version = "~> 1.0"
 15 |     }
 16 | 
 17 |     local = {
 18 |       source  = "hashicorp/local"
 19 |       version = "~> 2.0"
 20 |     }
 21 |   }
 22 | }
 23 | 
 24 | #############################################################################
 25 | # VARIABLES
 26 | #############################################################################
 27 | 
 28 | variable "sec_resource_group_name" {
 29 |   type    = string
 30 |   default = "security"
 31 | }
 32 | 
 33 | variable "location" {
 34 |   type    = string
 35 |   default = "eastus"
 36 | }
 37 | 
 38 | variable "vnet_cidr_range" {
 39 |   type    = string
 40 |   default = "10.1.0.0/16"
 41 | }
 42 | 
 43 | variable "sec_subnet_prefixes" {
 44 |   type    = list(string)
 45 |   default = ["10.1.0.0/24", "10.1.1.0/24"]
 46 | }
 47 | 
 48 | variable "sec_subnet_names" {
 49 |   type    = list(string)
 50 |   default = ["siem", "inspect"]
 51 | }
 52 | 
 53 | #############################################################################
 54 | # DATA
 55 | #############################################################################
 56 | 
 57 | data "azurerm_subscription" "current" {}
 58 | 
 59 | #############################################################################
 60 | # PROVIDERS
 61 | #############################################################################
 62 | 
 63 | provider "azurerm" {
 64 |   features {}
 65 | }
 66 | 
 67 | #############################################################################
 68 | # RESOURCES
 69 | #############################################################################
 70 | 
 71 | ## NETWORKING ##
 72 | 
 73 | resource "azurerm_resource_group" "vnet_sec" {
 74 |   name     = var.sec_resource_group_name
 75 |   location = var.location
 76 | }
 77 | 
 78 | module "vnet-sec" {
 79 |   source              = "Azure/vnet/azurerm"
 80 |   version             = "~> 2.0"
 81 |   resource_group_name = azurerm_resource_group.vnet_sec.name
 82 |   vnet_name           = var.sec_resource_group_name
 83 |   address_space       = [var.vnet_cidr_range]
 84 |   subnet_prefixes     = var.sec_subnet_prefixes
 85 |   subnet_names        = var.sec_subnet_names
 86 |   nsg_ids             = {}
 87 | 
 88 |   tags = {
 89 |     environment = "security"
 90 |     costcenter  = "security"
 91 | 
 92 |   }
 93 | 
 94 |   depends_on = [azurerm_resource_group.vnet_sec]
 95 | }
 96 | 
 97 | ## AZURE AD SP ##
 98 | 
 99 | resource "random_password" "vnet_peering" {
100 |   length  = 16
101 |   special = true
102 | }
103 | 
104 | resource "azuread_application" "vnet_peering" {
105 |   display_name = "vnet-peer"
106 | }
107 | 
108 | resource "azuread_service_principal" "vnet_peering" {
109 |   application_id = azuread_application.vnet_peering.application_id
110 | }
111 | 
112 | resource "azuread_service_principal_password" "vnet_peering" {
113 |   service_principal_id = azuread_service_principal.vnet_peering.id
114 |   value                = random_password.vnet_peering.result
115 |   end_date_relative    = "17520h"
116 | }
117 | 
118 | resource "azurerm_role_definition" "vnet-peering" {
119 |   name  = "allow-vnet-peering"
120 |   scope = data.azurerm_subscription.current.id
121 | 
122 |   permissions {
123 |     actions     = ["Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write", "Microsoft.Network/virtualNetworks/peer/action", "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read", "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/delete"]
124 |     not_actions = []
125 |   }
126 | 
127 |   assignable_scopes = [
128 |     data.azurerm_subscription.current.id,
129 |   ]
130 | }
131 | 
132 | resource "azurerm_role_assignment" "vnet" {
133 |   scope              = module.vnet-sec.vnet_id
134 |   role_definition_id = azurerm_role_definition.vnet-peering.role_definition_resource_id
135 |   principal_id       = azuread_service_principal.vnet_peering.id
136 | }
137 | 
138 | #############################################################################
139 | # FILE OUTPUT
140 | #############################################################################
141 | 
142 | resource "local_file" "linux" {
143 |   filename = "${path.module}/next-step.txt"
144 |   content  = <<EOF
145 | export TF_VAR_sec_vnet_id=${module.vnet-sec.vnet_id}
146 | 
147 | export TF_VAR_sec_vnet_name=${module.vnet-sec.vnet_name}
148 | export TF_VAR_sec_sub_id=${data.azurerm_subscription.current.subscription_id}
149 | export TF_VAR_sec_client_id=${azuread_service_principal.vnet_peering.application_id}
150 | export TF_VAR_sec_principal_id=${azuread_service_principal.vnet_peering.id}
151 | export TF_VAR_sec_client_secret='${random_password.vnet_peering.result}'
152 | export TF_VAR_sec_resource_group=${var.sec_resource_group_name}
153 | export TF_VAR_sec_tenant_id=${data.azurerm_subscription.current.tenant_id}
154 | 
155 |   EOF
156 | }
157 | 
158 | resource "local_file" "windows" {
159 |   filename = "${path.module}/windows-next-step.txt"
160 |   content  = <<EOF
161 | $env:TF_VAR_sec_vnet_id="${module.vnet-sec.vnet_id}"
162 | 
163 | $env:TF_VAR_sec_vnet_name="${module.vnet-sec.vnet_name}"
164 | $env:TF_VAR_sec_sub_id="${data.azurerm_subscription.current.subscription_id}"
165 | $env:TF_VAR_sec_client_id="${azuread_service_principal.vnet_peering.application_id}"
166 | $env:TF_VAR_sec_principal_id="${azuread_service_principal.vnet_peering.id}"
167 | $env:TF_VAR_sec_client_secret="${random_password.vnet_peering.result}"
168 | $env:TF_VAR_sec_resource_group="${var.sec_resource_group_name}"
169 | $env:TF_VAR_sec_tenant_id="${data.azurerm_subscription.current.tenant_id}"
170 | 
171 |   EOF
172 | }
173 | 
174 | #############################################################################
175 | # OUTPUTS
176 | #############################################################################
177 | 
178 | output "vnet_id" {
179 |   value = module.vnet-sec.vnet_id
180 | }
181 | 
182 | output "vnet_name" {
183 |   value = module.vnet-sec.vnet_name
184 | }
185 | 
186 | output "service_principal_client_id" {
187 |   value = azuread_service_principal.vnet_peering.id
188 | }
189 | 
190 | output "service_principal_client_secret" {
191 |   value = nonsensitive(random_password.vnet_peering.result)
192 | }
193 | 
194 | output "resource_group_name" {
195 |   value = var.sec_resource_group_name
196 | }


--------------------------------------------------------------------------------
/3-vnet-peering/commands.txt:
--------------------------------------------------------------------------------
 1 | # Copy the contents of the vnet-peering.tf file to the 1-main-vnet 
 2 | # directory in Cloud Shell
 3 | 
 4 | # Run commands from the next-step.txt file generated by the 2-sec-vnet
 5 | # configuration to set the proper variables.
 6 | 
 7 | terraform init
 8 | terraform plan -var resource_group_name=main-vnet -out vnet.tfplan
 9 | terraform apply "vnet.tfplan"
10 | 


--------------------------------------------------------------------------------
/3-vnet-peering/vnet-peering.tf:
--------------------------------------------------------------------------------
 1 | variable "sec_sub_id" {
 2 |   type = string
 3 | }
 4 | 
 5 | variable "sec_client_id" {
 6 |   type = string
 7 | }
 8 | 
 9 | variable "sec_client_secret" {
10 |   type = string
11 | }
12 | 
13 | variable "sec_tenant_id" {
14 |   type = string
15 | }
16 | 
17 | variable "sec_vnet_name" {
18 |   type = string
19 | }
20 | 
21 | variable "sec_vnet_id" {
22 |   type = string
23 | }
24 | 
25 | variable "sec_resource_group" {
26 |   type = string
27 | }
28 | 
29 | variable "sec_principal_id" {
30 |   type = string
31 | }
32 | 
33 | 
34 | data "azurerm_subscription" "current" {}
35 | 
36 | 
37 | provider "azurerm" {
38 |   alias                       = "security"
39 |   subscription_id             = var.sec_sub_id
40 |   client_id                   = var.sec_client_id
41 |   client_secret               = var.sec_client_secret
42 |   tenant_id                   = var.sec_tenant_id
43 |   skip_provider_registration  = true
44 |   skip_credentials_validation = true
45 |   features {}
46 | }
47 | 
48 | provider "azurerm" {
49 |   alias                       = "peering"
50 |   subscription_id             = data.azurerm_subscription.current.subscription_id
51 |   client_id                   = var.sec_client_id
52 |   client_secret               = var.sec_client_secret
53 |   tenant_id                   = data.azurerm_subscription.current.tenant_id
54 |   skip_provider_registration  = true
55 |   skip_credentials_validation = true
56 |   features {}
57 | }
58 | 
59 | resource "azurerm_role_definition" "vnet-peering" {
60 |   name  = "allow-vnet-peer-main"
61 |   scope = data.azurerm_subscription.current.id
62 | 
63 |   permissions {
64 |     actions     = ["Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write", "Microsoft.Network/virtualNetworks/peer/action", "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read", "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/delete"]
65 |     not_actions = []
66 |   }
67 | 
68 |   assignable_scopes = [
69 |     data.azurerm_subscription.current.id,
70 |   ]
71 | }
72 | 
73 | resource "azurerm_role_assignment" "vnet" {
74 |   scope              = module.vnet-main.vnet_id
75 |   role_definition_id = azurerm_role_definition.vnet-peering.role_definition_resource_id
76 |   principal_id       = var.sec_principal_id
77 | }
78 | 
79 | resource "azurerm_virtual_network_peering" "main" {
80 |   name                      = "main_2_sec"
81 |   resource_group_name       = var.resource_group_name
82 |   virtual_network_name      = module.vnet-main.vnet_name
83 |   remote_virtual_network_id = var.sec_vnet_id
84 |   provider                  = azurerm.peering
85 | 
86 |   depends_on = [azurerm_role_assignment.vnet]
87 | }
88 | 
89 | resource "azurerm_virtual_network_peering" "sec" {
90 |   name                      = "sec_2_main"
91 |   resource_group_name       = var.sec_resource_group
92 |   virtual_network_name      = var.sec_vnet_name
93 |   remote_virtual_network_id = module.vnet-main.vnet_id
94 |   provider                  = azurerm.security
95 | 
96 |   depends_on = [azurerm_role_assignment.vnet]
97 | }


--------------------------------------------------------------------------------
/4-remote-state-prep/commands.txt:
--------------------------------------------------------------------------------
 1 | # Now we're going to create a storage account and credentials for 
 2 | # setting up remote state storage on an Azure
 3 | 
 4 | # This is going to be run from the Cloud Shell, so you're going to 
 5 | # create a ~/terraform/remote-state directory and then copy the contents
 6 | # of the 4-remote-state-prep/main.tf file into a main.tf file in Cloud Shell
 7 | 
 8 | cd terraform/
 9 | mkdir remote-state
10 | cd remote-state
11 | code main.tf
12 | 
13 | # Make sure you're running in the network subscription
14 | 
15 | az account set -s NETWORK_SUB_NAME
16 | 
17 | # Now we roll through the standard terraform config
18 | 
19 | terraform init
20 | terraform plan -var resource_group_name=itma-state -out state.tfplan
21 | terraform apply "state.tfplan"
22 | 
23 | # Next we're going to copy the backend-config.txt file to the 1-main-vnet
24 | # Head over to the 5-remote-state directory to continue


--------------------------------------------------------------------------------
/4-remote-state-prep/main.tf:
--------------------------------------------------------------------------------
  1 | #############################################################################
  2 | # TERRAFORM CONFIG
  3 | #############################################################################
  4 | 
  5 | terraform {
  6 |   required_providers {
  7 |     azurerm = {
  8 |       source  = "hashicorp/azurerm"
  9 |       version = "~> 2.0"
 10 |     }
 11 |   }
 12 | }
 13 | 
 14 | #############################################################################
 15 | # VARIABLES
 16 | #############################################################################
 17 | 
 18 | variable "resource_group_name" {
 19 |   type = string
 20 | }
 21 | 
 22 | variable "location" {
 23 |   type    = string
 24 |   default = "eastus"
 25 | }
 26 | 
 27 | variable "naming_prefix" {
 28 |   type    = string
 29 |   default = "itma"
 30 | }
 31 | 
 32 | ##################################################################################
 33 | # PROVIDERS
 34 | ##################################################################################
 35 | 
 36 | provider "azurerm" {
 37 |   features {}
 38 | }
 39 | 
 40 | ##################################################################################
 41 | # RESOURCES
 42 | ##################################################################################
 43 | resource "random_integer" "sa_num" {
 44 |   min = 10000
 45 |   max = 99999
 46 | }
 47 | 
 48 | 
 49 | resource "azurerm_resource_group" "setup" {
 50 |   name     = var.resource_group_name
 51 |   location = var.location
 52 | }
 53 | 
 54 | resource "azurerm_storage_account" "sa" {
 55 |   name                     = "${lower(var.naming_prefix)}${random_integer.sa_num.result}"
 56 |   resource_group_name      = azurerm_resource_group.setup.name
 57 |   location                 = var.location
 58 |   account_tier             = "Standard"
 59 |   account_replication_type = "LRS"
 60 | 
 61 | }
 62 | 
 63 | resource "azurerm_storage_container" "ct" {
 64 |   name                 = "terraform-state"
 65 |   storage_account_name = azurerm_storage_account.sa.name
 66 | 
 67 | }
 68 | 
 69 | data "azurerm_storage_account_sas" "state" {
 70 |   connection_string = azurerm_storage_account.sa.primary_connection_string
 71 |   https_only        = true
 72 | 
 73 |   resource_types {
 74 |     service   = true
 75 |     container = true
 76 |     object    = true
 77 |   }
 78 | 
 79 |   services {
 80 |     blob  = true
 81 |     queue = false
 82 |     table = false
 83 |     file  = false
 84 |   }
 85 | 
 86 |   start  = timestamp()
 87 |   expiry = timeadd(timestamp(), "17520h")
 88 | 
 89 |   permissions {
 90 |     read    = true
 91 |     write   = true
 92 |     delete  = true
 93 |     list    = true
 94 |     add     = true
 95 |     create  = true
 96 |     update  = false
 97 |     process = false
 98 |   }
 99 | }
100 | 
101 | #############################################################################
102 | # LOCAL FILE
103 | #############################################################################
104 | 
105 | resource "local_file" "post-config" {
106 |   depends_on = [azurerm_storage_container.ct]
107 | 
108 |   filename = "${path.module}/backend-config.txt"
109 |   content  = <<EOF
110 | storage_account_name = "${azurerm_storage_account.sa.name}"
111 | container_name = "terraform-state"
112 | key = "terraform.tfstate"
113 | sas_token = "${data.azurerm_storage_account_sas.state.sas}"
114 | 
115 |   EOF
116 | }
117 | 
118 | ##################################################################################
119 | # OUTPUT
120 | ##################################################################################
121 | 
122 | output "storage_account_name" {
123 |   value = azurerm_storage_account.sa.name
124 | }
125 | 
126 | output "resource_group_name" {
127 |   value = azurerm_resource_group.setup.name
128 | }


--------------------------------------------------------------------------------
/5-remote-state/backend.tf:
--------------------------------------------------------------------------------
1 | terraform {
2 |   backend "azurerm" {
3 |   }
4 | }


--------------------------------------------------------------------------------
/5-remote-state/commands.txt:
--------------------------------------------------------------------------------
 1 | # These commands should be run from the Cloud Shell session
 2 | # We're going to go to the terraform/1-main-vnet directory and
 3 | # create a backend.tf file and then copy the contents of the 
 4 | # 5-remote-state/backend.tf file into it
 5 | 
 6 | cd ~/terraform/1-main-vnet
 7 | code backend.tf
 8 | 
 9 | # Now we're going to copy the backend-config.txt file from the 
10 | # ~/terraform/remote-state/ directory
11 | 
12 | cp ../remote-state/backend-config.txt .
13 | 
14 | # Lastly, we'll migrate the local state of our config to
15 | # a remote state location
16 | 
17 | terraform init -backend-config="backend-config.txt"


--------------------------------------------------------------------------------
/6-azuredevops/azure-pipelines.yaml:
--------------------------------------------------------------------------------
 1 | # Azure DevOps pipeline for Azure deployment
 2 | 
 3 | variables:
 4 | - group: globomantics
 5 | 
 6 | trigger:
 7 |   branches:
 8 |     include:
 9 |     - main
10 | 
11 | stages:
12 | - stage: development
13 |   displayName: development
14 |   jobs:
15 |   - deployment: deploy
16 |     environment: development
17 |     pool:
18 |       vmImage: ubuntu-latest
19 |     strategy:
20 |       runOnce:
21 |         deploy:
22 |           steps:
23 |           - checkout: self
24 |           - task: TerraformInstaller@0
25 |             displayName: Install Terraform
26 |             inputs:
27 |               terraformVersion: 'latest'
28 |       
29 |           # Init
30 |           - task: TerraformCLI@0
31 |             displayName: Initialize Terraform
32 |             env:
33 |               ARM_SAS_TOKEN: $(sas_token)
34 |             inputs:
35 |               command: 'init'
36 |               workingDirectory: '$(System.DefaultWorkingDirectory)/networking'
37 |               commandOptions: '-backend-config=storage_account_name=$(storage_account_name) -backend-config=container_name="terraform-state" -backend-config=key="terraform.tfstate"'
38 |               backendType: 'selfConfigured'
39 |       
40 |           # Check for workspace
41 |           - task: Bash@3
42 |             displayName: Check for Workspace
43 |             inputs:
44 |               targetType: 'filePath'
45 |               filePath: '$(System.DefaultWorkingDirectory)/networking/workspacetest.sh'
46 |               arguments: '$(Environment.Name)'
47 |       
48 |           - task: TerraformCLI@0
49 |             displayName: Plan Terraform Deployment
50 |             env:
51 |               TF_WORKSPACE: '$(Environment.Name)'
52 |               TF_VAR_sec_client_secret: $(sec_client_secret)
53 |               ARM_SAS_TOKEN: $(sas_token)
54 |             inputs:
55 |               command: 'plan'
56 |               commandOptions: '-out main.tfplan'
57 |               workingDirectory: '$(System.DefaultWorkingDirectory)/networking'
58 |               environmentServiceName: 'Networking_Sub'
59 |       
60 |           - task: TerraformCLI@0
61 |             displayName: Apply Terraform Deployment
62 |             env:
63 |               TF_WORKSPACE: '$(Environment.Name)'
64 |               TF_VAR_sec_client_secret: $(sec_client_secret)
65 |               ARM_SAS_TOKEN: $(sas_token)
66 |             inputs:
67 |               command: 'apply'
68 |               workingDirectory: '$(System.DefaultWorkingDirectory)/networking'
69 |               commandOptions: 'main.tfplan'
70 |               environmentServiceName: 'Networking_Sub'


--------------------------------------------------------------------------------
/6-azuredevops/production-pipeline.yaml:
--------------------------------------------------------------------------------
 1 | - stage: production
 2 |   displayName: production
 3 |   jobs:
 4 |   - deployment: deploy
 5 |     environment: production
 6 |     pool:
 7 |       vmImage: ubuntu-latest
 8 |     strategy:
 9 |       runOnce:
10 |         deploy:
11 |           steps:
12 |           - checkout: self
13 |           - task: TerraformInstaller@0
14 |             displayName: Install Terraform
15 |             inputs:
16 |               terraformVersion: 'latest'
17 |       
18 |           # Init
19 |           - task: TerraformCLI@0
20 |             displayName: Initialize Terraform
21 |             env:
22 |               ARM_SAS_TOKEN: $(sas_token)
23 |             inputs:
24 |               command: 'init'
25 |               workingDirectory: '$(System.DefaultWorkingDirectory)/networking'
26 |               commandOptions: '-backend-config=storage_account_name=$(storage_account_name) -backend-config=container_name="terraform-state" -backend-config=key="terraform.tfstate"'
27 |               backendType: 'selfConfigured'
28 |       
29 |           # Check for workspace
30 |           - task: Bash@3
31 |             displayName: Check for Workspace
32 |             inputs:
33 |               targetType: 'filePath'
34 |               filePath: '$(System.DefaultWorkingDirectory)/networking/workspacetest.sh'
35 |               arguments: '$(Environment.Name)'
36 |       
37 |           - task: TerraformCLI@0
38 |             displayName: Plan Terraform Deployment
39 |             env:
40 |               TF_WORKSPACE: '$(Environment.Name)'
41 |               TF_VAR_sec_client_secret: $(sec_client_secret)
42 |               ARM_SAS_TOKEN: $(sas_token)
43 |             inputs:
44 |               command: 'plan'
45 |               commandOptions: '-out main.tfplan'
46 |               workingDirectory: '$(System.DefaultWorkingDirectory)/networking'
47 |               environmentServiceName: 'Networking_Sub'
48 |       
49 |           - task: TerraformCLI@0
50 |             displayName: Apply Terraform Deployment
51 |             env:
52 |               TF_WORKSPACE: '$(Environment.Name)'
53 |               TF_VAR_sec_client_secret: $(sec_client_secret)
54 |               ARM_SAS_TOKEN: $(sas_token)
55 |             inputs:
56 |               command: 'apply'
57 |               workingDirectory: '$(System.DefaultWorkingDirectory)/networking'
58 |               commandOptions: 'main.tfplan'
59 |               environmentServiceName: 'Networking_Sub'


--------------------------------------------------------------------------------
/6-azuredevops/uat-pipeline.yaml:
--------------------------------------------------------------------------------
 1 | - stage: uat
 2 |   displayName: uat
 3 |   jobs:
 4 |   - deployment: deploy
 5 |     environment: uat
 6 |     pool:
 7 |       vmImage: ubuntu-latest
 8 |     strategy:
 9 |       runOnce:
10 |         deploy:
11 |           steps:
12 |           - checkout: self
13 |           - task: TerraformInstaller@0
14 |             displayName: Install Terraform
15 |             inputs:
16 |               terraformVersion: 'latest'
17 |       
18 |           # Init
19 |           - task: TerraformCLI@0
20 |             displayName: Initialize Terraform
21 |             env:
22 |               ARM_SAS_TOKEN: $(sas_token)
23 |             inputs:
24 |               command: 'init'
25 |               workingDirectory: '$(System.DefaultWorkingDirectory)/networking'
26 |               commandOptions: '-backend-config=storage_account_name=$(storage_account_name) -backend-config=container_name="terraform-state" -backend-config=key="terraform.tfstate"'
27 |               backendType: 'selfConfigured'
28 |       
29 |           # Check for workspace
30 |           - task: Bash@3
31 |             displayName: Check for Workspace
32 |             inputs:
33 |               targetType: 'filePath'
34 |               filePath: '$(System.DefaultWorkingDirectory)/networking/workspacetest.sh'
35 |               arguments: '$(Environment.Name)'
36 |       
37 |           - task: TerraformCLI@0
38 |             displayName: Plan Terraform Deployment
39 |             env:
40 |               TF_WORKSPACE: '$(Environment.Name)'
41 |               TF_VAR_sec_client_secret: $(sec_client_secret)
42 |               ARM_SAS_TOKEN: $(sas_token)
43 |             inputs:
44 |               command: 'plan'
45 |               commandOptions: '-out main.tfplan'
46 |               workingDirectory: '$(System.DefaultWorkingDirectory)/networking'
47 |               environmentServiceName: 'Networking_Sub'
48 |       
49 |           - task: TerraformCLI@0
50 |             displayName: Apply Terraform Deployment
51 |             env:
52 |               TF_WORKSPACE: '$(Environment.Name)'
53 |               TF_VAR_sec_client_secret: $(sec_client_secret)
54 |               ARM_SAS_TOKEN: $(sas_token)
55 |             inputs:
56 |               command: 'apply'
57 |               workingDirectory: '$(System.DefaultWorkingDirectory)/networking'
58 |               commandOptions: 'main.tfplan'
59 |               environmentServiceName: 'Networking_Sub'


--------------------------------------------------------------------------------
/7-azure-devops-workspaces/backend.tf:
--------------------------------------------------------------------------------
1 | 
2 | terraform {
3 |   backend "azurerm" {
4 |   }
5 | }


--------------------------------------------------------------------------------
/7-azure-devops-workspaces/commands.txt:
--------------------------------------------------------------------------------
 1 | # Now we are going to use Azure DevOps pipelines.
 2 | # You're going to need to have set up a project in Azure DevOps with
 3 | # pipelines and repos enabled.
 4 | 
 5 | # In Repos, initialize a main branch by clicking on initialize
 6 | 
 7 | # Create two directories, one called networking and the other
 8 | # called pipelines
 9 | 
10 | # Copy the contents of 7-azure-devops-workspaces into the networking folder
11 | # and the contents of 6-azuredevops into the pipelines folder
12 | 
13 | # Edit the terraform.tfvars.example file with the correct values
14 | # and rename it to terraform.tfvars
15 | 
16 | # Now you have a choice... you can set up the pipeline using the legacy GUI as
17 | # shown in the video, or you can create the pipeline from the YAML files in 
18 | # the pipelines directory.
19 | 
20 | # If you choose to follow the video, happy viewing!
21 | 
22 | # If you choose to use the pipelines folder, do the following:
23 | 
24 | # Create variables for use by the pipeline
25 | # Create a variable group called globomantics
26 | # Create variables
27 | # storage_account_name - set to the storage account name created earlier
28 | # sas_token - set to the SAS token create earlier and set to secret
29 | # sec_client_secret - the client secret for the security service principal set to secret
30 | 
31 | # Create a service connection 
32 | # Go to project settings, pipelines, service connections
33 | # Create a service connection to the Networking Subscription
34 | # Connection type is Azure Resource Manager
35 | # Detection type is Service Principal
36 | # Select the proper Subscription
37 | # Name the service connection Networking_Sub
38 | # Go into the properties of the service connection and change the role assignment 
39 | # of the service principal that was created. 
40 | # This will take you to the Azure Subscription IAM page
41 | # Find the name of the service principal in Role Assignments 
42 | # Add a new Role Assignment and grant the service principal Owner rights on the Subscription
43 | 
44 | # Create a new Pipeline!
45 | # Select Azure Repos Git for the code location
46 | # Select the globomantics-test repo you created earlier
47 | # Select existing azure pipelines YAML file
48 | # Pick the azure-pipelines.yaml file 
49 | # Try running the file!
50 | 
51 | # Sometimes the run will fail the first time b/c the role assignment hasn't propagated
52 | # Just run it again and it should be fine
53 | 
54 | # Once the development run succeeds, add in the yaml in the uat-pipeline.yaml file to
55 | # the azure-pipelines.yaml file in the Repo and run the pipeline again. Check and watch it deploy!
56 | 
57 | # Finally, add the yaml from the production-pipeline.yaml file to
58 | # the azure-pipelines.yaml file in the Repo and run the pipeline again. Check and watch it deploy!
59 | 
60 | # Now we are going to add an approval for production
61 | # Go to environments under Pipelines
62 | # Select Production and click on the More Actions menu
63 | # Add yourself as an approver
64 | 
65 | # This time it should pause before apply and wait for approval, good times...
66 | 
67 | # Now you can make a change to the main.tf file in the Repo and watch it roll through
68 | # each environment. Pretty sweet I know.
69 | 


--------------------------------------------------------------------------------
/7-azure-devops-workspaces/main.tf:
--------------------------------------------------------------------------------
  1 | #############################################################################
  2 | # TERRAFORM CONFIG
  3 | #############################################################################
  4 | 
  5 | terraform {
  6 |   required_providers {
  7 |     azurerm = {
  8 |       source  = "hashicorp/azurerm"
  9 |       version = "~> 2.0"
 10 |     }
 11 |   }
 12 | }
 13 | 
 14 | #############################################################################
 15 | # VARIABLES
 16 | #############################################################################
 17 | 
 18 | variable "resource_group_name" {
 19 |   type = string
 20 | }
 21 | 
 22 | variable "location" {
 23 |   type    = string
 24 |   default = "eastus"
 25 | }
 26 | 
 27 | 
 28 | variable "vnet_cidr_range" {
 29 |   type = map(string)
 30 |   default = {
 31 |     development = "10.2.0.0/16"
 32 |     uat         = "10.3.0.0/16"
 33 |     production  = "10.4.0.0/16"
 34 |   }
 35 | }
 36 | 
 37 | variable "subnet_names" {
 38 |   type    = list(string)
 39 |   default = ["web", "database", "app"]
 40 | }
 41 | 
 42 | locals {
 43 |   full_rg_name = "${terraform.workspace}-${var.resource_group_name}"
 44 | }
 45 | 
 46 | #############################################################################
 47 | # PROVIDERS
 48 | #############################################################################
 49 | 
 50 | provider "azurerm" {
 51 |   features {}
 52 | }
 53 | 
 54 | #############################################################################
 55 | # RESOURCES
 56 | #############################################################################
 57 | 
 58 | data "template_file" "subnet_prefixes" {
 59 |   count = length(var.subnet_names)
 60 | 
 61 |   template = "$${cidrsubnet(vnet_cidr,8,current_count)}"
 62 | 
 63 |   vars = {
 64 |     vnet_cidr     = var.vnet_cidr_range[terraform.workspace]
 65 |     current_count = count.index
 66 |   }
 67 | }
 68 | 
 69 | resource "azurerm_resource_group" "vnet_main" {
 70 |   name     = local.full_rg_name
 71 |   location = var.location
 72 | }
 73 | 
 74 | module "vnet-main" {
 75 |   source              = "Azure/vnet/azurerm"
 76 |   version             = "~> 2.0"
 77 |   resource_group_name = azurerm_resource_group.vnet_main.name
 78 |   vnet_name           = local.full_rg_name
 79 |   address_space       = [var.vnet_cidr_range[terraform.workspace]]
 80 |   subnet_prefixes     = data.template_file.subnet_prefixes[*].rendered
 81 |   subnet_names        = var.subnet_names
 82 |   nsg_ids             = {}
 83 | 
 84 |   tags = {
 85 |     environment = terraform.workspace
 86 |     costcenter  = "it"
 87 | 
 88 |   }
 89 | 
 90 |   depends_on = [azurerm_resource_group.vnet_main]
 91 | }
 92 | 
 93 | #############################################################################
 94 | # OUTPUTS
 95 | #############################################################################
 96 | 
 97 | output "vnet_id" {
 98 |   value = module.vnet-main.vnet_id
 99 | }
100 | 
101 | output "vnet_name" {
102 |   value = module.vnet-main.vnet_name
103 | }
104 | 
105 | output "resource_group_name" {
106 |   value = local.full_rg_name
107 | }
108 | 
109 | 
110 | 


--------------------------------------------------------------------------------
/7-azure-devops-workspaces/terraform.tfvars.example:
--------------------------------------------------------------------------------
1 | resource_group_name = "vnet"
2 | sec_sub_id = "SEC_SUB_ID"
3 | sec_client_id = "SEC_CLIENT_ID"
4 | sec_tenant_id="SEC_TENANT_ID"
5 | sec_vnet_name = "security"
6 | sec_vnet_id = "SEC_VNET_ID"
7 | sec_resource_group = "security"
8 | sec_principal_id = "SEC_PRINCIPAL_ID"


--------------------------------------------------------------------------------
/7-azure-devops-workspaces/vnet-peering.tf:
--------------------------------------------------------------------------------
 1 | variable "sec_sub_id" {
 2 |   type = string
 3 | }
 4 | 
 5 | variable "sec_client_id" {
 6 |   type = string
 7 | }
 8 | 
 9 | variable "sec_client_secret" {
10 |   type = string
11 | }
12 | 
13 | variable "sec_tenant_id" {
14 |   type = string
15 | }
16 | 
17 | variable "sec_vnet_name" {
18 |   type = string
19 | }
20 | 
21 | variable "sec_vnet_id" {
22 |   type = string
23 | }
24 | 
25 | variable "sec_resource_group" {
26 |   type = string
27 | }
28 | 
29 | variable "sec_principal_id" {
30 |   type = string
31 | }
32 | 
33 | 
34 | data "azurerm_subscription" "current" {}
35 | 
36 | 
37 | provider "azurerm" {
38 |   alias                       = "security"
39 |   subscription_id             = var.sec_sub_id
40 |   client_id                   = var.sec_client_id
41 |   client_secret               = var.sec_client_secret
42 |   tenant_id                   = var.sec_tenant_id
43 |   skip_provider_registration  = true
44 |   skip_credentials_validation = true
45 |   features {}
46 | }
47 | 
48 | provider "azurerm" {
49 |   alias                       = "peering"
50 |   subscription_id             = data.azurerm_subscription.current.subscription_id
51 |   client_id                   = var.sec_client_id
52 |   client_secret               = var.sec_client_secret
53 |   tenant_id                   = data.azurerm_subscription.current.tenant_id
54 |   skip_provider_registration  = true
55 |   skip_credentials_validation = true
56 |   features {}
57 | }
58 | 
59 | 
60 | resource "azurerm_role_definition" "vnet-peering" {
61 |   name  = "allow-vnet-peer-action-${terraform.workspace}"
62 |   scope = data.azurerm_subscription.current.id
63 | 
64 |   permissions {
65 |     actions     = ["Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write", "Microsoft.Network/virtualNetworks/peer/action", "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read", "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/delete"]
66 |     not_actions = []
67 |   }
68 | 
69 |   assignable_scopes = [
70 |     data.azurerm_subscription.current.id,
71 |   ]
72 | }
73 | 
74 | resource "azurerm_role_assignment" "vnet" {
75 |   scope              = module.vnet-main.vnet_id
76 |   role_definition_id = azurerm_role_definition.vnet-peering.role_definition_resource_id
77 |   principal_id       = var.sec_principal_id
78 | }
79 | 
80 | resource "azurerm_virtual_network_peering" "main" {
81 |   name                      = "${terraform.workspace}_2_sec"
82 |   resource_group_name       = azurerm_resource_group.vnet_main.name
83 |   virtual_network_name      = module.vnet-main.vnet_name
84 |   remote_virtual_network_id = var.sec_vnet_id
85 |   provider                  = azurerm.peering
86 | 
87 |   depends_on = [azurerm_role_assignment.vnet]
88 | }
89 | 
90 | resource "azurerm_virtual_network_peering" "sec" {
91 |   name                      = "sec_2_${terraform.workspace}"
92 |   resource_group_name       = var.sec_resource_group
93 |   virtual_network_name      = var.sec_vnet_name
94 |   remote_virtual_network_id = module.vnet-main.vnet_id
95 |   provider                  = azurerm.security
96 | 
97 |   depends_on = [azurerm_role_assignment.vnet]
98 | }


--------------------------------------------------------------------------------
/7-azure-devops-workspaces/workspacetest.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | echo "*********** Create or select workspace"
 4 | if [ $(terraform workspace list | grep -c "$1") -eq 0 ] ; then
 5 |   echo "Create new workspace $1"
 6 |   terraform workspace new "$1" -no-color
 7 | else
 8 |   echo "Switch to workspace $1"
 9 |   terraform workspace select "$1" -no-color
10 | fi


--------------------------------------------------------------------------------
/8-app-remote-state/backend-config-example.txt:
--------------------------------------------------------------------------------
1 | storage_account_name = "SA_ACCOUNT_NAME"
2 | container_name = "terraform-state"
3 | key = "terraform.tfstate"
4 | sas_token = "SAS_TOKEN"
5 | 


--------------------------------------------------------------------------------
/8-app-remote-state/commands.txt:
--------------------------------------------------------------------------------
 1 | # Now we're going to create a storage account and credentials for 
 2 | # setting up remote state storage on an Azure for the application team
 3 | 
 4 | # This is going to be run from your local workstation
 5 | # Be sure to log in as the user you want to do application stuff
 6 | # And select the networking subscription you've been using
 7 | 
 8 | az account set -s NETWORK_SUB_NAME
 9 | 
10 | # Now we roll through the standard terraform config
11 | 
12 | terraform init
13 | terraform plan -var resource_group_name=itma-app-state -var naming_prefix=appitma -out state.tfplan
14 | terraform apply "state.tfplan"
15 | 
16 | # Next we're going to copy the backend-config.txt file to the 9-app-deploy
17 | cp backend-config.txt ../9-app-deploy/
18 | 
19 | # Head over to the 9-app-deploy directory to continue
20 | 
21 | 


--------------------------------------------------------------------------------
/8-app-remote-state/main.tf:
--------------------------------------------------------------------------------
  1 | #############################################################################
  2 | # TERRAFORM CONFIG
  3 | #############################################################################
  4 | 
  5 | terraform {
  6 |   required_providers {
  7 |     azurerm = {
  8 |       source  = "hashicorp/azurerm"
  9 |       version = "~> 2.0"
 10 |     }
 11 |   }
 12 | }
 13 | 
 14 | #############################################################################
 15 | # VARIABLES
 16 | #############################################################################
 17 | 
 18 | variable "resource_group_name" {
 19 |   type = string
 20 | }
 21 | 
 22 | variable "location" {
 23 |   type    = string
 24 |   default = "eastus"
 25 | }
 26 | 
 27 | variable "naming_prefix" {
 28 |   type    = string
 29 |   default = "itma"
 30 | }
 31 | 
 32 | ##################################################################################
 33 | # PROVIDERS
 34 | ##################################################################################
 35 | 
 36 | provider "azurerm" {
 37 |   features {}
 38 | }
 39 | 
 40 | ##################################################################################
 41 | # RESOURCES
 42 | ##################################################################################
 43 | resource "random_integer" "sa_num" {
 44 |   min = 10000
 45 |   max = 99999
 46 | }
 47 | 
 48 | 
 49 | resource "azurerm_resource_group" "setup" {
 50 |   name     = var.resource_group_name
 51 |   location = var.location
 52 | }
 53 | 
 54 | resource "azurerm_storage_account" "sa" {
 55 |   name                     = "${lower(var.naming_prefix)}${random_integer.sa_num.result}"
 56 |   resource_group_name      = azurerm_resource_group.setup.name
 57 |   location                 = var.location
 58 |   account_tier             = "Standard"
 59 |   account_replication_type = "LRS"
 60 | 
 61 | }
 62 | 
 63 | resource "azurerm_storage_container" "ct" {
 64 |   name                 = "terraform-state"
 65 |   storage_account_name = azurerm_storage_account.sa.name
 66 | 
 67 | }
 68 | 
 69 | data "azurerm_storage_account_sas" "state" {
 70 |   connection_string = azurerm_storage_account.sa.primary_connection_string
 71 |   https_only        = true
 72 | 
 73 |   resource_types {
 74 |     service   = true
 75 |     container = true
 76 |     object    = true
 77 |   }
 78 | 
 79 |   services {
 80 |     blob  = true
 81 |     queue = false
 82 |     table = false
 83 |     file  = false
 84 |   }
 85 | 
 86 |   start  = timestamp()
 87 |   expiry = timeadd(timestamp(), "17520h")
 88 | 
 89 |   permissions {
 90 |     read    = true
 91 |     write   = true
 92 |     delete  = true
 93 |     list    = true
 94 |     add     = true
 95 |     create  = true
 96 |     update  = false
 97 |     process = false
 98 |   }
 99 | }
100 | 
101 | #############################################################################
102 | # LOCAL FILE
103 | #############################################################################
104 | 
105 | resource "local_file" "post-config" {
106 |   depends_on = [azurerm_storage_container.ct]
107 | 
108 |   filename = "${path.module}/backend-config.txt"
109 |   content  = <<EOF
110 | storage_account_name = "${azurerm_storage_account.sa.name}"
111 | container_name = "terraform-state"
112 | key = "terraform.tfstate"
113 | sas_token = "${data.azurerm_storage_account_sas.state.sas}"
114 | 
115 |   EOF
116 | }
117 | 
118 | ##################################################################################
119 | # OUTPUT
120 | ##################################################################################
121 | 
122 | output "storage_account_name" {
123 |   value = azurerm_storage_account.sa.name
124 | }
125 | 
126 | output "resource_group_name" {
127 |   value = azurerm_resource_group.setup.name
128 | }
129 | 
130 | output "shared_access_signature" {
131 |   value = nonsensitive(data.azurerm_storage_account_sas.state.sas)
132 | }


--------------------------------------------------------------------------------
/9-app-deploy/commands.txt:
--------------------------------------------------------------------------------
 1 | # You're going to need a SAS token to access the networking state storage account
 2 | # Go to the portal and generate it like you see in the video
 3 | 
 4 | # Now make a copy of the terraform.tfvars.example file
 5 | cp terraform.tfvars.example terraform.tfvars
 6 | 
 7 | # Open the file and fill out all the fields
 8 | # The CONTAINER_NAME and STATE_FILE_KEY should be 
 9 | # terraform-state and terraform.tfstate 
10 | 
11 | # Now that we have our variables set up, we can run the usual
12 | # Terraform commands
13 | 
14 | terraform init --backend-config=backend-config.txt
15 | terraform workspace new development
16 | terraform plan -out app.tfplan
17 | terraform apply "app.tfplan"
18 | 
19 | # You can repeat for the uat and production environments if you want
20 | 


--------------------------------------------------------------------------------
/9-app-deploy/main.tf:
--------------------------------------------------------------------------------
  1 | #############################################################################
  2 | # TERRAFORM CONFIG
  3 | #############################################################################
  4 | 
  5 | terraform {
  6 |   required_providers {
  7 |     azurerm = {
  8 |       source  = "hashicorp/azurerm"
  9 |       version = "~> 2.0"
 10 |     }
 11 |   }
 12 | 
 13 |   backend "azurerm" {
 14 |   }
 15 | }
 16 | 
 17 | #############################################################################
 18 | # VARIABLES
 19 | #############################################################################
 20 | 
 21 | variable "resource_group_name" {
 22 |   type = string
 23 | }
 24 | 
 25 | variable "naming_prefix" {
 26 |   type    = string
 27 |   default = "itma"
 28 | }
 29 | 
 30 | variable "location" {
 31 |   type    = string
 32 |   default = "eastus"
 33 | }
 34 | 
 35 | variable "network_state" {
 36 |   type        = map(string)
 37 |   description = "map of network state properties, should include sa, cn, key, and sts"
 38 | }
 39 | 
 40 | variable "vm_count" {
 41 |   type    = number
 42 |   default = 2
 43 | }
 44 | 
 45 | locals {
 46 |   prefix = "${terraform.workspace}-${var.naming_prefix}"
 47 | }
 48 | 
 49 | #############################################################################
 50 | # PROVIDERS
 51 | #############################################################################
 52 | 
 53 | provider "azurerm" {
 54 |   features {}
 55 | }
 56 | 
 57 | #############################################################################
 58 | # DATA
 59 | #############################################################################
 60 | 
 61 | data "azurerm_subscription" "current" {}
 62 | 
 63 | data "terraform_remote_state" "networking" {
 64 |   backend   = "azurerm"
 65 |   workspace = terraform.workspace
 66 |   config = {
 67 |     storage_account_name = var.network_state["sa"]
 68 |     container_name       = var.network_state["cn"]
 69 |     key                  = var.network_state["key"]
 70 |     sas_token            = var.network_state["sts"]
 71 |   }
 72 | }
 73 | 
 74 | data "azurerm_subnet" "app" {
 75 |   name                 = "app"
 76 |   virtual_network_name = data.terraform_remote_state.networking.outputs.vnet_name
 77 |   resource_group_name  = data.terraform_remote_state.networking.outputs.resource_group_name
 78 | }
 79 | 
 80 | #############################################################################
 81 | # RESOURCES
 82 | #############################################################################
 83 | 
 84 | resource "azurerm_resource_group" "app" {
 85 |   name     = "${local.prefix}-app"
 86 |   location = var.location
 87 | }
 88 | 
 89 | resource "azurerm_availability_set" "app" {
 90 |   name                = "${local.prefix}-aset"
 91 |   location            = azurerm_resource_group.app.location
 92 |   resource_group_name = azurerm_resource_group.app.name
 93 |   managed             = true
 94 | 
 95 |   tags = {
 96 |     environment = terraform.workspace
 97 |   }
 98 | }
 99 | 
100 | resource "azurerm_network_interface" "app" {
101 |   count               = var.vm_count
102 |   name                = "${local.prefix}-${count.index}-nic"
103 |   location            = azurerm_resource_group.app.location
104 |   resource_group_name = azurerm_resource_group.app.name
105 | 
106 |   ip_configuration {
107 |     name                          = "config1"
108 |     subnet_id                     = data.azurerm_subnet.app.id
109 |     private_ip_address_allocation = "Dynamic"
110 |   }
111 | }
112 | 
113 | resource "azurerm_lb" "app" {
114 |   name                = local.prefix
115 |   location            = azurerm_resource_group.app.location
116 |   resource_group_name = azurerm_resource_group.app.name
117 |   sku                 = "Standard"
118 | 
119 |   frontend_ip_configuration {
120 |     name                          = "internal"
121 |     private_ip_address_allocation = "Dynamic"
122 |     subnet_id                     = data.azurerm_subnet.app.id
123 |   }
124 | }
125 | 
126 | resource "azurerm_lb_backend_address_pool" "app" {
127 |   loadbalancer_id = azurerm_lb.app.id
128 |   name            = "${local.prefix}-app"
129 | }
130 | 
131 | resource "azurerm_network_interface_backend_address_pool_association" "app" {
132 |   count                   = var.vm_count
133 |   network_interface_id    = azurerm_network_interface.app[count.index].id
134 |   ip_configuration_name   = "config1"
135 |   backend_address_pool_id = azurerm_lb_backend_address_pool.app.id
136 | }
137 | 
138 | resource "azurerm_virtual_machine" "main" {
139 |   count                 = var.vm_count
140 |   name                  = "${local.prefix}-${count.index}"
141 |   location              = azurerm_resource_group.app.location
142 |   resource_group_name   = azurerm_resource_group.app.name
143 |   network_interface_ids = [azurerm_network_interface.app[count.index].id]
144 |   availability_set_id   = azurerm_availability_set.app.id
145 |   vm_size               = "Standard_DS1_v2"
146 | 
147 |   # Uncomment this line to delete the OS disk automatically when deleting the VM
148 |   delete_os_disk_on_termination = true
149 | 
150 | 
151 |   # Uncomment this line to delete the data disks automatically when deleting the VM
152 |   delete_data_disks_on_termination = true
153 | 
154 |   storage_image_reference {
155 |     publisher = "Canonical"
156 |     offer     = "UbuntuServer"
157 |     sku       = "18.04-LTS"
158 |     version   = "latest"
159 |   }
160 |   storage_os_disk {
161 |     name              = "${local.prefix}${count.index}"
162 |     caching           = "ReadWrite"
163 |     create_option     = "FromImage"
164 |     managed_disk_type = "Standard_LRS"
165 |   }
166 |   os_profile {
167 |     computer_name  = "${var.naming_prefix}${count.index}vm"
168 |     admin_username = "tfadmin"
169 |     admin_password = "Password1234!"
170 |   }
171 |   os_profile_linux_config {
172 |     disable_password_authentication = false
173 |   }
174 |   tags = {
175 |     environment = terraform.workspace
176 |   }
177 | }
178 | 
179 | #############################################################################
180 | # OUTPUTS
181 | #############################################################################
182 | 
183 | output "lb_private_ip" {
184 |   value = azurerm_lb.app.private_ip_address
185 | }
186 | 
187 | 
188 | 
189 | 
190 | 


--------------------------------------------------------------------------------
/9-app-deploy/terraform.tfvars.example:
--------------------------------------------------------------------------------
1 | resource_group_name = "app"
2 | 
3 | network_state = {
4 |     "sa" = "STORAGE_ACCOUNT_NAME"
5 |     "cn" = "CONTAINER_NAME"
6 |     "key" = "STATE_FILE_KEY"
7 |     "sts" = "SAS_TOKEN"
8 | }


--------------------------------------------------------------------------------
/CHANGELOG.md:
--------------------------------------------------------------------------------
 1 | # Terraform 1.0 changes
 2 | 
 3 | * Updated the configurations to use the new provider syntax for Terraform 1.0. Added `required_providers` block in the `terraform` block and added the `features{}` block to the Azure provider instances.
 4 | * Updated the configurations to use version 2.0 of the Azure RM provider.
 5 | * Updated the vnet module to use version 2.X
 6 | * Replaced null_resource with local_file resource in 2-sec-vnet
 7 | * Created the zz-terraform-vm directory to replace the missing Terraform VM marketplace item (**HEAVY SIGH**)
 8 | * Updated the commands.txt files to include a LOT more information, because knowledge is power!
 9 | * Added YAML files to 6-azuredevops to run the pipeline with YAML definitions instead of using the classic builder (YAHOO for YAML!)
10 | * Removed the null_resource in 8-app-remote-state to remove the need to use PowerShell, using local_file instead
11 | * Updated the terraform_state data source to use a workspace explicitly


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | MIT License
 2 | 
 3 | Copyright (c) 2019 Ned Bellavance
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # Implementing-Terraform-on-Microsoft-Azure
 2 | 
 3 | Welcome to Implementing Terraform on Microsoft Azure. These exercise files are meant to accompany my course on [Pluralsight](https://app.pluralsight.com/library/courses/implementing-terraform-microsoft-azure/).  The course was developed using version 0.12.10 of Terraform.  As far as I know there are no coming changes that will significantly impact the validity of these exercise files.  But I also don't control all the plug-ins, providers, and modules used by the configurations.
 4 | 
 5 | **Update**: Well folks, version 1.0 of Terraform is out and naturally a bunch of stuff has changed since 0.12.10 that broke the configs. Weeeee! I have updated all the configurations to accomodate the changes, but the videos in the course have not yet been updated. What you see in the demo will diverge from what's in the exercise files, but the core concepts remain the same. The current plan is to overhaul the course in the second half of 2021. You can find the changes in the [CHANGELOG](./CHANGELOG.md) file.
 6 | 
 7 | ## Using the files
 8 | 
 9 | Each folder follows in succession as the course progresses. In some cases, you will need to copy files from one directory to another. Assuming you are following along with the course, when to copy the files and where should be fairly obvious. Many of the folders include a `commands.txt` file that has example commands for that portion of the exercise. Other folders may include an example of a file you'll need, for instance the `9-app-deploy` folder has the `terraform.tfvars.example` file. Simply update the values in the file and rename it to `terraform.tfvars`.
10 | 
11 | Each module in the course builds on the infrastructure created by the previous module. Bearing that in mind, jumping around in the course will be difficult. When you complete a module, you might be tempted to run `terraform destroy` to delete the resources. You can do that, but remember that you will need to deploy the resources again for the next module.
12 | 
13 | ## Terraform Marketplace Item
14 | 
15 | *Sigh*, the Terraform marketplace item I used in the course has been deprecated and you can't find it anymore. Grrr... You've got two options for that portion of the course.
16 | 
17 | 1. Login to the Azure CLI as the security user on your local desktop and run the commands. This is the "easy" option.
18 | 1. I've added a new folder that will deploy the necessary resources using Terraform. It's called `zz-terraform-vm`. Using Terraform to deploy Terraform? Yes! Why not? Check out the `commands.txt` file in that directory for more information.
19 | 
20 | ## Azure DevOps Pipelines Update
21 | 
22 | Since the release of this course, Azure DevOps Pipelines has moved to a YAML defined pipeline model. You can still build pipelines the "classic" way, but using YAML and storing the pipeline config in source control is preferred. I have created new files in `6-azuredevops` that include the whole pipeline config using the new YAML style.
23 | 
24 | Follow the directions in the `commands.txt` file in the same directory to follow the process of setting up the YAML based pipelines. It will be different than the video, which will be updated with the rest course in late 2021. I'm also going to add more steps for validation and formatting.
25 | 
26 | ## Course Prerequisites
27 | 
28 | There are a few prerequisites for working with the course files.
29 | 
30 | ### Visual Studio Code
31 | 
32 | You are going to want to use Visual Studio Code or a similar code editor. Personally I like VS Code because it's free and cross-platform, and it has source control built-in. But hey, that's just me. You do you.
33 | 
34 | ### Azure Subscription(s)
35 | 
36 | This is a course all about using Terraform on Microsoft Azure. It is safe to assume you'll need at least one Azure subscription and the **Owner** or **Co-administrator** role on that subscription. The exercises use two subscriptions - one for networking and another for security - to demonstrate multiple instances of the AzureRM provider.
37 | 
38 | You don't have to use two separate subscriptions, instead you could use the same subscription for all the exercises. I haven't tested that, and some of the automatic role creation might fail. It's probably just as easy to create an extra subscription and delete it when you are done the course.
39 | 
40 | ### Azure Active Directory Rights
41 | 
42 | The course includes use of the AzureAD provider, and it assumes that you have permissions to create Service Principals within the Azure AD tenant associated with your Azure subscriptions. Assuming you created subscriptions and an Azure AD tenant for this course, then you shouldn't have any problems.
43 | 
44 | ### Azure DevOps Subscription
45 | 
46 | The course also makes use of Azure DevOps Repos and Pipelines. The basic Azure DevOps plan is free for up to five users. You will also need to add the [Terraform Build & Release Tasks](https://marketplace.visualstudio.com/items?itemName=charleszipp.azure-pipelines-tasks-terraform) extension from the Visual Studio Marketplace.
47 | 
48 | 
49 | ## MONEY!!!
50 | 
51 | A gentle reminder about cost. The course will have you creating resources in Azure.  Some of the resources are not going to be 100% free. I have tried to use free resources when possible, but Azure VMs, Azure Storage, and App Service all cost money. We're probably talking a couple dollars for the duration of the exercises, but it won't be zero.
52 | 
53 | Each module builds on the previous one to create a complete deployment for the Globomantics scenario. As I mentioned before, destroying the resources after each module will make things more difficult. For that reason, I waited until the last module to deploy any actual Azure VMs or App Services. Those are the things that will actually cost you money. Once you complete the course, I highly recommend tearing everything down with `terraform destroy` or by deleting the Resource Groups in Azure.
54 | 
55 | ## Conclusion
56 | 
57 | I hope you enjoy taking this course as much as I did creating it.  I'd love to hear feedback and suggestions for revisions. Log an issue on this repo or hit me up on [Twitter](https://twitter.com/ned1313).
58 | 
59 | Thanks and happy automating!
60 | 
61 | Ned


--------------------------------------------------------------------------------
/zz-terraform-vm/commands.txt:
--------------------------------------------------------------------------------
 1 | # We're going to launch a Terraform VM into the Security subscription
 2 | az account set -s SEC_SUB_NAME
 3 | 
 4 | # Follow the standard Terraform process
 5 | terraform init
 6 | 
 7 | terraform plan -out tfvm.tfplan
 8 | 
 9 | terraform apply tfvm.tfplan
10 | 
11 | # The outputs include the public IP address of the VM and
12 | # the password for the VM. The username is azureuser. 
13 | # Connect via SSH with the username and password
14 | # and then you should be able to follow along with the video
15 | 
16 | # Be sure to destroy this VM when you're done or at least deallocate the VM to
17 | # save on costs!


--------------------------------------------------------------------------------
/zz-terraform-vm/terraform-vm.tmpl:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | # This script is meant to install Terraform and some other utilities
 4 | # as well as create a directory and file with the remote backend config
 5 | # for the storage account that was created from the same Terraform config
 6 | 
 7 | # Variables used:
 8 | # storage_account_name - the storage account name being used for state
 9 | # access_key - the access key for the storage account
10 | 
11 | # Install Terraform and other utilities
12 | curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo apt-key add -
13 | sudo apt-add-repository "deb [arch=$(dpkg --print-architecture)] https://apt.releases.hashicorp.com $(lsb_release -cs) main"
14 | sudo apt-get update && sudo apt install terraform jq unzip -y
15 | 
16 | # Install the Azure CLI 
17 | sudo apt-get install ca-certificates curl apt-transport-https lsb-release gnupg -y
18 | curl -sL https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/microsoft.gpg > /dev/null
19 | AZ_REPO=$(lsb_release -cs)
20 | echo "deb [arch=amd64] https://packages.microsoft.com/repos/azure-cli/ $AZ_REPO main" | sudo tee /etc/apt/sources.list.d/azure-cli.list
21 | sudo apt-get update && sudo apt-get install azure-cli -y
22 | 
23 | # Create a directory and the remote backend example file
24 | mkdir tfTemplate
25 | cat <<TFF > ~/tfTemplate/remoteState.tf
26 | terraform {
27 |     backend "azurerm" {
28 |         storage_account_name = "${storage_account_name}"
29 |         container_name = "terraform-state"
30 |         key = "prod.terraform.tfstate"
31 |         access_key = "${access_key}"
32 |     }
33 | }
34 | 
35 | TFF
36 | 
37 | EOF


--------------------------------------------------------------------------------
/zz-terraform-vm/terraform.tf:
--------------------------------------------------------------------------------
 1 | #############################################################################
 2 | # TERRAFORM CONFIG
 3 | #############################################################################
 4 | 
 5 | terraform {
 6 |   required_providers {
 7 |     azurerm = {
 8 |       source  = "hashicorp/azurerm"
 9 |       version = "~> 2.0"
10 |     }
11 |   }
12 | }
13 | 
14 | provider "azurerm" {
15 |   features {}
16 | }


--------------------------------------------------------------------------------
/zz-terraform-vm/variables.tf:
--------------------------------------------------------------------------------
 1 | variable "resource_group_name" {
 2 |   type    = string
 3 |   default = "terraform-vm"
 4 | }
 5 | 
 6 | variable "location" {
 7 |   type    = string
 8 |   default = "eastus"
 9 | }
10 | 
11 | variable "vnet_cidr_range" {
12 |   type    = string
13 |   default = "10.0.0.0/16"
14 | }
15 | 
16 | variable "subnet_prefixes" {
17 |   type    = list(string)
18 |   default = ["10.0.0.0/24"]
19 | }
20 | 
21 | variable "subnet_names" {
22 |   type    = list(string)
23 |   default = ["subnet1"]
24 | }
25 | 
26 | resource "random_id" "id" {
27 |   byte_length = 4
28 | }
29 | 
30 | locals {
31 |   storage_account_name = "terraformstate${lower(random_id.id.hex)}"
32 |   vm_public_dns        = "tfvm-${random_id.id.hex}"
33 | }


--------------------------------------------------------------------------------
/zz-terraform-vm/vm.tf:
--------------------------------------------------------------------------------
 1 | # Password for Terraform VM
 2 | resource "random_password" "terraform_vm" {
 3 |   length  = 16
 4 |   special = true
 5 | }
 6 | 
 7 | # Resource group for Terraform VM
 8 | resource "azurerm_resource_group" "vnet_main" {
 9 |   name     = var.resource_group_name
10 |   location = var.location
11 | }
12 | 
13 | # Network for Terraform VM
14 | module "vnet-main" {
15 |   source              = "Azure/vnet/azurerm"
16 |   version             = "~> 2.0"
17 |   resource_group_name = azurerm_resource_group.vnet_main.name
18 |   vnet_name           = var.resource_group_name
19 |   address_space       = [var.vnet_cidr_range]
20 |   subnet_prefixes     = var.subnet_prefixes
21 |   subnet_names        = var.subnet_names
22 |   nsg_ids             = {}
23 | 
24 |   tags = {
25 |     environment = "terraform"
26 |     costcenter  = "it"
27 | 
28 |   }
29 | 
30 |   depends_on = [azurerm_resource_group.vnet_main]
31 | }
32 | 
33 | # Storage account for Terraform VM
34 | resource "azurerm_storage_account" "sa" {
35 |   name                     = local.storage_account_name
36 |   resource_group_name      = azurerm_resource_group.vnet_main.name
37 |   location                 = var.location
38 |   account_tier             = "Standard"
39 |   account_replication_type = "LRS"
40 | 
41 | }
42 | 
43 | resource "azurerm_storage_container" "ct" {
44 |   name                 = "terraform-state"
45 |   storage_account_name = azurerm_storage_account.sa.name
46 | 
47 | }
48 | 
49 | # Compute deployment for Terraform VM using Ubuntu
50 | module "terraform-vm" {
51 |   source                        = "Azure/compute/azurerm"
52 |   version                       = "~> 3.0"
53 |   resource_group_name           = azurerm_resource_group.vnet_main.name
54 |   vm_os_simple                  = "UbuntuServer"
55 |   public_ip_dns                 = [local.vm_public_dns]
56 |   vnet_subnet_id                = module.vnet-main.vnet_subnets[0]
57 |   remote_port                   = "22"
58 |   admin_password                = random_password.terraform_vm.result
59 |   enable_ssh_key                = false
60 |   delete_os_disk_on_termination = true
61 | 
62 |   custom_data = base64encode(templatefile("${path.module}/terraform-vm.tmpl", {
63 |     storage_account_name = azurerm_storage_account.sa.name
64 |     access_key           = azurerm_storage_account.sa.primary_access_key
65 |   }))
66 | 
67 | 
68 |   depends_on = [azurerm_resource_group.vnet_main]
69 | }
70 | 
71 | output "public_ip_address" {
72 |   value = module.terraform-vm.public_ip_address
73 | }
74 | 
75 | output "password" {
76 |   value = nonsensitive(random_password.terraform_vm.result)
77 | }


--------------------------------------------------------------------------------