From c07d5891cef7a70fc31d83de1a266b20917ab40d Mon Sep 17 00:00:00 2001
From: "R. Tyler Croy"
Date: Fri, 10 Nov 2017 15:15:42 -0800
Subject: [PATCH] Provision a big trusted-agent in Azure
This will still need to be somewhat manually bootstrapped with Puppet and then manually added to trusted.ci Part of INFRA-1274
---
 plans/ci.tf | 109 +++++++++++++++++++++++++++++++++++++++++++++++++
 plans/vnets.tf | 27 +++++++-----
 2 files changed, 126 insertions(+), 10 deletions(-)
 create mode 100644 plans/ci.tf
diff --git a/plans/ci.tf b/plans/ci.tf
new file mode 100644
index 00000000..4b755b27
--- /dev/null
+++ b/plans/ci.tf
@@ -0,0 +1,109 @@
+#
+# Resources related to our CI infrastructure for ci.jenkins.io or trusted.ci
+#
+
+
+resource "azurerm_resource_group" "ci" {
+ name = "${var.prefix}jenkinsci"
+ location = "${var.location}"
+ tags {
+ env = "${var.prefix}"
+ }
+}
+
+resource "azurerm_storage_account" "ci_storage" {
+ name = "${var.prefix}jenkinscistore"
+ resource_group_name = "${azurerm_resource_group.ci.name}"
+ location = "${var.location}"
+ account_tier = "Standard"
+ account_replication_type = "LRS"
+
+ tags {
+ environment = "${var.prefix}"
+ }
+}
+
+resource "azurerm_storage_container" "ci_container" {
+ name = "vhds"
+ resource_group_name = "${azurerm_resource_group.ci.name}"
+ storage_account_name = "${azurerm_storage_account.ci_storage.name}"
+ container_access_type = "private"
+}
+
+resource "azurerm_public_ip" "ci_trusted_agent_1" {
+ name = "trusted-agent-1"
+ location = "${azurerm_resource_group.ci.location}"
+ resource_group_name = "${azurerm_resource_group.ci.name}"
+ public_ip_address_allocation = "dynamic"
+
+ tags {
+ environment = "${var.prefix}"
+ }
+}
+
+resource "azurerm_network_interface" "ci_trusted_agent_1_nic" {
+ name = "trusted-agent-1-nic"
+ location = "${var.location}"
+ resource_group_name = "${azurerm_resource_group.ci.name}"
+
+ ip_configuration {
+ name = "testconfiguration1"
+ subnet_id = "${azurerm_subnet.public_dmz.id}"
+ private_ip_address_allocation = "dynamic"
+ public_ip_address_id = "${azurerm_public_ip.ci_trusted_agent_1.id}"
+ }
+}
+
+resource "azurerm_virtual_machine" "ci_trusted_agent_1" {
+ name = "trusted-agent-1"
+ location = "${var.location}"
+ resource_group_name = "${azurerm_resource_group.ci.name}"
+ network_interface_ids = ["${azurerm_network_interface.ci_trusted_agent_1_nic.id}"]
+ vm_size = "Standard_DS4_v2"
+
+ delete_os_disk_on_termination = true
+ delete_data_disks_on_termination = true
+
+ storage_image_reference {
+ publisher = "Canonical"
+ offer = "UbuntuServer"
+ sku = "16.04-LTS"
+ version = "latest"
+ }
+
+ storage_os_disk {
+ name = "trusted-agent-1-disk"
+ vhd_uri = "${azurerm_storage_account.ci_storage.primary_blob_endpoint}${azurerm_storage_container.ci_container.name}/trustedagent1os.vhd"
+ caching = "ReadWrite"
+ create_option = "FromImage"
+ }
+
+
+ os_profile {
+ computer_name = "trusted-agent-1"
+ admin_username = "azureuser"
+ admin_password = "${random_id.prefix.hex}"
+ }
+
+ os_profile_linux_config {
+ disable_password_authentication = true
+ ssh_keys = [
+ {
+ path = "/home/azureuser/.ssh/authorized_keys"
+ key_data = "${file("${var.ssh_pubkey_path}")}"
+ },
+ ]
+ }
+
+ tags {
+ environment = "${var.prefix}"
+ }
+}
+
+
+resource "random_id" "prefix" {
+ keepers {
+ prefix = "${var.prefix}"
+ }
+ byte_length = 16
+}
diff --git a/plans/vnets.tf b/plans/vnets.tf
index 5d49ceeb..5f72e239 100644
--- a/plans/vnets.tf
+++ b/plans/vnets.tf
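Review bot: `ci_trusted_agent_1` is placed on `azurerm_subnet.public_dmz` and given its own `azurerm_public_ip`, while the comment this same commit writes above that subnet in vnets.tf describes it as a home for untrusted workloads that do not need to be reachable from the public internet; a trusted.ci agent is the opposite on both counts, so either the subnet comment or the placement should change (the vnets.tf context describes a Private Production VNet for management and highly classified resources), and a comment on the NIC stating why a public address is needed would help the next reader. `admin_password = "${random_id.prefix.hex}"` is persisted in plaintext in Terraform state, and a hex string contains only lower-case letters and digits, which may fall short of Azure's password complexity rules even though password authentication is disabled — consider omitting `admin_password` if the provider allows it with `disable_password_authentication = true`, or at least a comment that the value is a throwaway. Tag keys are inconsistent: the resource group uses `env = "${var.prefix}"` where every other resource uses `environment = "${var.prefix}"`. `name = "testconfiguration1"` in `ip_configuration` reads like a leftover placeholder; `name = "trusted-agent-1-ipconfig"` would match the rest of the naming.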
@@ -63,19 +63,26 @@ resource "azurerm_virtual_network" "public_prod" {
 address_prefix = "10.0.2.0/24"
 security_group = "${azurerm_network_security_group.public_data_tier.id}"
 }
+}
 
- # The "dmz-tier" subnet is intended for resources which need to be
- # provisioned in the Public Production network but don't need to be
- # accessible from the public internet. Such as dynamically provisioned VMs for
- # Jenkins masters, or other untrusted workloads which should be in the Public
- # Production VNet
- subnet {
- name = "dmz-tier"
- address_prefix = "10.0.99.0/24"
- security_group = "${azurerm_network_security_group.public_dmz_tier.id}"
- }
+# The "dmz-tier" subnet is intended for resources which need to be
+# provisioned in the Public Production network but don't need to be
+# accessible from the public internet. Such as dynamically provisioned VMs for
+# Jenkins masters, or other untrusted workloads which should be in the Public
+# Production VNet
+#
+# Defining as a separate resource so it can eaisly be referred to in the
+# Terraform resource graph
+resource "azurerm_subnet" "public_dmz" {
+ name = "dmz-tier"
+ resource_group_name = "${azurerm_resource_group.public_prod.name}"
+
+ virtual_network_name = "${azurerm_virtual_network.public_prod.name}"
+ network_security_group_id = "${azurerm_network_security_group.public_dmz_tier.id}"
+ address_prefix = "10.0.99.0/24"
 }
+
 
 # The Private Production VNet is where all management and highly classified
 # resources should be provisioned. It should never have its resources exposed
 # to the public internet but is peered with Public Production
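Review bot: `resource "azurerm_subnet" "public_dmz"` is declared as a standalone subnet while `azurerm_virtual_network.public_prod`, whose block starts before this hunk, still defines other subnets in-line — the `address_prefix = "10.0.2.0/24"` context line belongs to one of them. The azurerm provider documentation of this era warns that mixing in-line `subnet` blocks with standalone `azurerm_subnet` resources on the same virtual network makes the two overwrite each other's subnet list on apply, so either all of `public_prod`'s subnets should move to standalone resources in the same change, or a comment should state why the mix is safe here. Typo in the added comment: `# Defining as a separate resource so it can easily be referred to in the`.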