diff --git a/terraform/azure/azure-instance/Makefile b/terraform/azure/azure-instance/Makefile
index d22c037..f294696 100644
--- a/terraform/azure/azure-instance/Makefile
+++ b/terraform/azure/azure-instance/Makefile
@@ -34,6 +34,33 @@ ssh-via-bastion: ## connect to instance via Azure Bastion
 --username ubuntu \
 --ssh-key ~/.ssh/id_rsa.cloud.vm
+expose-direct-proxy-locally: ## expose TinyProxy locally to access resource inside VNet - uses az tunnel (limitations, slow)
+ @[ "$(shell sudo ss -antl |grep -c 8888)" -ne 0 ] || az network bastion tunnel \
+ --name $(shell cd stage/$(ENV) && terragrunt output bastion_name) \
+ --resource-group dev \
+ --target-resource-id $(shell cd stage/$(ENV) && terragrunt output vm_id) \
+ --resource-port 8888 \
+ --port 8888 &
+
+shutdown-local-proxy: ## shutdown tunneled bastion's HTTP proxy
+ @-[ "$(shell sudo ss -antl |grep -c 8888)" -eq 0 ] || sudo kill -9 $(shell sudo lsof -t -i:8888)
+ @-[ "$(shell sudo ss -antl |grep -c 2022)" -eq 0 ] || sudo kill -9 $(shell sudo lsof -t -i:2022)
+
+
+expose-proxy-via-ssh-locally: ## expose TinyProxy locally to access resource inside VNet - uses ssh tunneling (done via az tunnel), needs 2 ports, but more resilient
+ @[ "$(shell sudo ss -antl |grep -c 2022)" -ne 0 ] || az network bastion tunnel \
+ --name $(shell cd stage/$(ENV) && terragrunt output bastion_name) \
+ --resource-group dev \
+ --target-resource-id $(shell cd stage/$(ENV) && terragrunt output vm_id) \
+ --resource-port 22 \
+ --port 2022 &
+ @sleep 2 # workaround for az tunnel delay when run in background
+ @[ "$(shell sudo ss -antl |grep -c 8888)" -ne 0 ] || ssh -o StrictHostKeyChecking=accept-new -f -N -i ~/.ssh/id_rsa.cloud.vm ubuntu@127.0.0.1 -p 2022 -L 8888:127.0.0.1:8888
+
+
+test: ## test connectivity via proxy to vm ngnix
+ export http_proxy=http://localhost:8888 && export https_proxy=http://localhost:8888 && curl http://dev-weu-vm
+
 show-state: ## show state
 cd stage/$(ENV) && terragrunt state list && terragrunt show
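Review bot: `sudo kill -9 $(shell sudo lsof -t -i:8888)` in shutdown-local-proxy (and the 2022 twin on the next line) kills every process lsof reports with a TCP endpoint on that port — not only the az/ssh tunnel listener but any local client currently connected to it, and with sudo also processes owned by other users. Restrict it to the listener, `sudo kill $(shell sudo lsof -t -iTCP:8888 -sTCP:LISTEN)`, or better record `$$!` of the backgrounded `az`/`ssh` process into a pid file in the working directory and kill that pid, which also removes the need for sudo and SIGKILL. Note that every `$(shell …)` in a recipe is expanded before the recipe runs, so the port probes in expose-proxy-via-ssh-locally all sample the state from before the tunnel and the sleep, which works today but deserves a comment. Also, `StrictHostKeyChecking=accept-new` pins the VM's host key to `[127.0.0.1]:2022`, so switching ENV to a different VM will fail with a host-key mismatch; `-o HostKeyAlias=$(ENV)-vm` keeps one known_hosts entry per environment. None of the four new targets appear in a `.PHONY` list within the hunk — if the file does not declare them elsewhere, a file named `test` in this directory would make `make test` a silent no-op.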
diff --git a/terraform/azure/azure-instance/README.md b/terraform/azure/azure-instance/README.md
index 6fc7f5a..11e5751 100644
--- a/terraform/azure/azure-instance/README.md
+++ b/terraform/azure/azure-instance/README.md
@@ -31,4 +31,29 @@ make run MODE=apply ENV=dev-westeurope
 # connect to instance via Azure Bastion
 make ssh-via-bastion
+
+
+# to test or to access other resouces inside VNet via VM
+
+# expose TinyProxy locally to access resource inside VNet - uses az tunnel (limitations, slow)
+make expose-direct-proxy-locally
+
+# or
+
+# expose TinyProxy locally to access resource inside VNet - uses ssh tunneling (done via az tunnel), needs 2 ports, but more resilient
+make expose-proxy-via-ssh-locally
+
+# then
+# test connectivity via proxy to vm ngnix
+make test
+
+# or access any other resource in the vnet via proxy exposed on 8888 port
+# to do so export proxy variables:
+export http_proxy=http://localhost:8888 && export https_proxy=http://localhost:8888
+# then you can curl whatever in the vm
+
+# at then end close the proxy tunnel:
+
+# shutdown tunneled bastion's HTTP proxy
+make shutdown-local-proxy
 ```
diff --git a/terraform/azure/azure-instance/stage/dev-polandcentral/vm.cloud-init.tpl b/terraform/azure/azure-instance/stage/dev-polandcentral/vm.cloud-init.tpl
index f3a8216..fe19ffb 100644
--- a/terraform/azure/azure-instance/stage/dev-polandcentral/vm.cloud-init.tpl
+++ b/terraform/azure/azure-instance/stage/dev-polandcentral/vm.cloud-init.tpl
@@ -8,7 +8,9 @@ repo_upgrade: all
 packages:
 - nginx
+ - tinyproxy
 - plocate
+ - dnsutils
 - azure-cli
 # cloud-init creates a final script in: /var/lib/cloud/instance/scripts/runcmd
@@ -19,3 +21,5 @@ runcmd:
 - cat /home/${admin_username}/.ssh/id_rsa.pub >> /home/${admin_username}/.ssh/authorized_keys
 - 'chown ${admin_username}:${admin_username} /home/${admin_username}/.ssh/id_rsa*'
 - chmod 400 /home/${admin_username}/.ssh/id_rsa
+ - sed -i -E "s/^#Allow 10.0.0.0\/8.*$/Allow 10.0.0.0\/8/" /etc/tinyproxy/tinyproxy.conf
+ - systemctl restart tinyproxy
diff --git a/terraform/azure/azure-instance/stage/dev-westeurope/vm.cloud-init.tpl b/terraform/azure/azure-instance/stage/dev-westeurope/vm.cloud-init.tpl
index f3a8216..fe19ffb 100644
--- a/terraform/azure/azure-instance/stage/dev-westeurope/vm.cloud-init.tpl
+++ b/terraform/azure/azure-instance/stage/dev-westeurope/vm.cloud-init.tpl
@@ -8,7 +8,9 @@ repo_upgrade: all
 packages:
 - nginx
+ - tinyproxy
 - plocate
+ - dnsutils
 - azure-cli
 # cloud-init creates a final script in: /var/lib/cloud/instance/scripts/runcmd
@@ -19,3 +21,5 @@ runcmd:
 - cat /home/${admin_username}/.ssh/id_rsa.pub >> /home/${admin_username}/.ssh/authorized_keys
 - 'chown ${admin_username}:${admin_username} /home/${admin_username}/.ssh/id_rsa*'
 - chmod 400 /home/${admin_username}/.ssh/id_rsa
+ - sed -i -E "s/^#Allow 10.0.0.0\/8.*$/Allow 10.0.0.0\/8/" /etc/tinyproxy/tinyproxy.conf
+ - systemctl restart tinyproxy
diff --git a/terraform/azure/azure-network-setup/module/bastion.tf b/terraform/azure/azure-network-setup/module/bastion.tf
index 8bff701..6c01504 100644
--- a/terraform/azure/azure-network-setup/module/bastion.tf
+++ b/terraform/azure/azure-network-setup/module/bastion.tf
@@ -41,7 +41,7 @@ resource "azurerm_network_security_group" "bastion" {
 access = "Allow"
 protocol = "*"
 source_port_range = "*"
- destination_port_ranges = ["8080", "5701"]
+ destination_port_ranges = ["8080", "5701", "8888"]
 source_address_prefix = "VirtualNetwork"
 destination_address_prefix = "VirtualNetwork"
 }
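Review bot: the added sed line enables `Allow 10.0.0.0/8` in tinyproxy.conf, which is presumably wider than the VNet address space this VM sits in, and it silently does nothing if the shipped config lacks the exact commented `#Allow 10.0.0.0/8` line — then only whatever Allow entries the package ships remain (typically loopback) and the tunneled proxy refuses VNet clients with no error at provisioning time; the identical hunk in stage/dev-westeurope/vm.cloud-init.tpl has the same issue. An explicit, idempotent append is both narrower and independent of the package's sample config: `- grep -q '^Allow <VNET_CIDR>$' /etc/tinyproxy/tinyproxy.conf || echo 'Allow <VNET_CIDR>' >> /etc/tinyproxy/tinyproxy.conf` with `<VNET_CIDR>` supplied from a template variable rather than hard-coded. Since the bastion NSG now forwards 8888 to the whole VirtualNetwork, this Allow list is the only per-VM control on who may use the proxy, so a one-line comment naming the expected client range and pointing at the NSG rule would help the next maintainer. The two cloud-init templates are byte-identical copies; a single shared template would keep them from drifting apart.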
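Review bot: adding 8888 to this rule's `destination_port_ranges` permits connections on 8888 to the Bastion subnet from the whole VirtualNetwork, but the `az network bastion tunnel` flow introduced in the Makefile only needs Bastion to reach the VM's 8888 in the outbound direction, which the next hunk already adds; as far as the visible rules show, this change is not required and widens the bastion's exposure for no gain. The enclosing security_rule block starts before the hunk, so its name and direction are not visible here; if it is the inbound data-plane rule, revert this line to `destination_port_ranges = ["8080", "5701"]` unless something inside the VNet genuinely has to connect to the bastion hosts on 8888, and say so in a comment if it does.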
@@ -72,13 +72,13 @@ resource "azurerm_network_security_group" "bastion" {
 security_rule {
- name = "AllowSSHandRDPOutBound"
+ name = "AllowSSHandRDPandProxyOutBound"
 priority = 110
 direction = "Outbound"
 access = "Allow"
 protocol = "Tcp"
 source_port_range = "*"
- destination_port_ranges = ["22", "3389"]
+ destination_port_ranges = ["22", "3389", "8888"]
 source_address_prefix = "*"
 destination_address_prefix = "VirtualNetwork"
 }
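Review bot: the outbound rule now allows TCP 8888 from the bastion subnet to every address in the VirtualNetwork, while the only intended target is the VM running TinyProxy; the rename records that a proxy port is included but nothing explains which service or why. Consider a separate rule for 8888 whose `destination_address_prefix` is narrowed to the VM subnet (or the VM's private IP via a variable), with a comment such as `# 8888: TinyProxy on the workload VM, reached via az network bastion tunnel (see azure-instance/Makefile)`, and leave this rule as Azure Bastion's standard 22/3389 outbound rule. Folding the proxy port into the rule Bastion itself depends on also means a future removal of the proxy has to edit that mandatory rule.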