feat: add NSG to bastion subnet, add CLI SSH to private VM via bastion
matihost committed Dec 7, 2024
1 parent 3861e48 commit bbfafa9
Showing 7 changed files with 145 additions and 3 deletions.
3 changes: 3 additions & 0 deletions .trivyignore.yaml
Expand Up @@ -12,3 +12,6 @@ misconfigurations:
- id: AVD-AZU-0011
# Network ACL for Key Vault should be set. https://avd.aquasec.com/misconfig/avd-azu-0013
- id: AVD-AZU-0013
# Internet or * in NSGs
- id: AVD-AZU-0051
- id: AVD-AZU-0047
9 changes: 9 additions & 0 deletions terraform/azure/azure-instance/Makefile
Expand Up @@ -25,6 +25,15 @@ init: init-tf-backend prepare
run: init ## setup VPC: make run [ENV=dev] [MODE=apply]
@cd stage/$(ENV) && terragrunt validate && terragrunt $(MODE_STR)

ssh-via-bastion: ## connect to instance via Azure Bastion
az network bastion ssh \
--name $(shell cd stage/$(ENV) && terragrunt output bastion_name) \
--resource-group dev \
--target-resource-id $(shell cd stage/$(ENV) && terragrunt output vm_id) \
--auth-type ssh-key \
--username ubuntu \
--ssh-key ~/.ssh/id_rsa.cloud.vm

show-state: ## show state
cd stage/$(ENV) && terragrunt state list && terragrunt show

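Review bot: `--resource-group dev` in the `ssh-via-bastion` recipe is hard-coded while the bastion name and VM id are read from `stage/$(ENV)`, so with `ENV=dev-westeurope` (the only value the README on this page shows) the lookup targets a group that may not be the one the stack deployed into. Reading the group the same way as the other two values, e.g. `--resource-group $(shell cd stage/$(ENV) && terragrunt output -raw resource_group_name) \` backed by a matching output in the module (proposed name, not on the page), keeps the target environment-agnostic; `-raw` also removes the reliance on the shell stripping the quotes that `terragrunt output` prints around string values, which is presumably what makes the current form work. The three `$(shell …)` expansions fork terragrunt on every invocation at recipe-expansion time; the `$$(…)` shell form inside the recipe is the usual Make idiom and behaves the same here. If `ssh-via-bastion` is not listed in the file's `.PHONY` (not visible in this hunk), a file of that name in the directory would silently make the target a no-op.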
3 changes: 3 additions & 0 deletions terraform/azure/azure-instance/README.md
Expand Up @@ -28,4 +28,7 @@ Setup single VM instance with Ngnix server on it.
```bash
# setup VM
make run MODE=apply ENV=dev-westeurope

# connect to instance via Azure Bastion
make ssh-via-bastion
```
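--- /dev/null
+++ b/terraform/azure/azure-instance/module/outputs.tf
@@ -0,0 +1,12 @@
+data "azurerm_bastion_host" "bastion" {
+name = "${local.prefix}-bastion"
+resource_group_name = local.resource_group_name
+}
+
+output "vm_id" {
+value = azurerm_linux_virtual_machine.linux.id
+}
+
+output "bastion_name" {
+value = data.azurerm_bastion_host.bastion.name
+}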
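Review bot: The `data "azurerm_bastion_host" "bastion"` lookup couples this module to the naming convention of the network-setup module (`${local.prefix}-bastion` inside `local.resource_group_name`), so a rename or move of the bastion there surfaces here only as a not-found error at plan time. If the two stacks intentionally share those locals that is acceptable, but the data source belongs in a `data.tf`/`main.tf` rather than `outputs.tf`, and a comment stating the coupling would help the next maintainer: `# Bastion is provisioned by azure-network-setup; name and RG must follow that module's conventions`. Since the Makefile target on this page that consumes these outputs hard-codes `--resource-group dev`, also exposing the group, `output "resource_group_name" { value = local.resource_group_name }`, would let that recipe derive every argument from the stack instead of a literal.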
Expand Up @@ -25,4 +25,5 @@ inputs = {
ssh_pub_key = local.pub_ssh
ssh_key = local.ssh_key
user_data_template = local.user_data_template
spot = true
}
Expand Up @@ -25,4 +25,5 @@ inputs = {
ssh_pub_key = local.pub_ssh
ssh_key = local.ssh_key
user_data_template = local.user_data_template
spot = true
}
119 changes: 116 additions & 3 deletions terraform/azure/azure-network-setup/module/bastion.tf
Expand Up @@ -8,6 +8,7 @@ resource "azurerm_public_ip" "bastion" {


resource "azurerm_subnet" "bastion" {
# Mandatory name for subnet where bastion resides
name = "AzureBastionSubnet"
resource_group_name = local.resource_group_name
virtual_network_name = azurerm_virtual_network.vnet.name
Expand All @@ -16,6 +17,114 @@ resource "azurerm_subnet" "bastion" {



resource "azurerm_network_security_group" "bastion" {
name = "${local.prefix}-bastion"
location = local.location
resource_group_name = local.resource_group_name

security_rule {
name = "AllowHttpsInBound"
priority = 100
direction = "Inbound"
access = "Allow"
protocol = "Tcp"
source_address_prefix = "*"
source_port_range = "*"
destination_port_range = "443"
destination_address_prefix = "*"
}

security_rule {
name = "AllowTunnellingThroughBastionInBound"
priority = 110
direction = "Inbound"
access = "Allow"
protocol = "*"
source_port_range = "*"
destination_port_ranges = ["8080", "5701"]
source_address_prefix = "VirtualNetwork"
destination_address_prefix = "VirtualNetwork"
}

security_rule {
name = "DenyAllInBound"
priority = 1000
direction = "Inbound"
access = "Deny"
protocol = "*"
source_port_range = "*"
destination_port_range = "*"
source_address_prefix = "*"
destination_address_prefix = "*"
}

security_rule {
name = "AllowAzureCloudCommunicationOutBound"
priority = 100
direction = "Outbound"
access = "Allow"
protocol = "Tcp"
source_port_range = "*"
source_address_prefix = "*"
destination_port_range = "443"
destination_address_prefix = "AzureCloud"
}


security_rule {
name = "AllowSSHandRDPOutBound"
priority = 110
direction = "Outbound"
access = "Allow"
protocol = "Tcp"
source_port_range = "*"
destination_port_ranges = ["22", "3389"]
source_address_prefix = "*"
destination_address_prefix = "VirtualNetwork"
}

security_rule {
name = "AllowBastionHostCommunicationOutBound"
priority = 120
direction = "Outbound"
access = "Allow"
protocol = "*"
source_address_prefix = "VirtualNetwork"
source_port_range = "*"
destination_port_ranges = ["8080", "5701"]
destination_address_prefix = "VirtualNetwork"
}

security_rule {
name = "AllowGetSessionInformationOutBound"
priority = 130
direction = "Outbound"
access = "Allow"
protocol = "*"
source_address_prefix = "*"
source_port_range = "*"
destination_port_ranges = ["80", "443"]
destination_address_prefix = "Internet"
}

security_rule {
name = "DenyAllOutBound"
priority = 1000
direction = "Outbound"
access = "Deny"
protocol = "*"
source_port_range = "*"
destination_port_range = "*"
source_address_prefix = "*"
destination_address_prefix = "*"
}
}


resource "azurerm_subnet_network_security_group_association" "bastion" {
subnet_id = azurerm_subnet.bastion.id
network_security_group_id = azurerm_network_security_group.bastion.id
}

resource "azurerm_bastion_host" "bastion" {
name = "${local.prefix}-bastion"
Expand All @@ -24,9 +133,13 @@ resource "azurerm_bastion_host" "bastion" {

copy_paste_enabled = true

# sku = "Standard"
# tunneling_enabled = true
# file_copy_enabled = true

# In order to ssh to instance via CLI: az network bastion ssh
# Bastion Host SKU must be Standard or Premium and Native Client must be enabled.
sku = "Standard"
tunneling_enabled = true
file_copy_enabled = true


ip_configuration {
name = "configuration"
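Review bot: `AllowHttpsInBound` (priority 100) admits TCP/443 from `*`, which is wider than the bastion needs: Azure documents the inbound requirement as 443 from the `Internet`, `GatewayManager` and `AzureLoadBalancer` service tags, whereas `*` additionally opens 443 from every VNet and peered address to the bastion subnet. Splitting the rule into three tagged rules keeps the control-plane and probe paths open while narrowing the exposure to what is required, and it also means the "Internet or *" trivy suppressions added in `.trivyignore.yaml` in this commit cover only the one genuinely Internet-facing rule. The explicit `DenyAllInBound`/`DenyAllOutBound` rules at priority 1000 are a good addition; a header comment on the NSG, `# Rule set mirrors the Azure Bastion NSG requirements; re-validate the host before tightening 443/8080/5701`, would keep a later cleanup from breaking the host. The rewrite touches more than three lines, so it is given below; the hunk's outbound rules and the bastion-host hunk further down are unaffected.
```hcl
resource "azurerm_network_security_group" "bastion" {
  # … unchanged: name, location, resource_group_name …

  # Inbound 443 split by service tag instead of "*"; Bastion needs all three sources.
  security_rule {
    name                       = "AllowHttpsFromInternetInBound"
    priority                   = 100
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_address_prefix      = "Internet"
    source_port_range          = "*"
    destination_port_range     = "443"
    destination_address_prefix = "*"
  }

  security_rule {
    name                       = "AllowGatewayManagerInBound"
    priority                   = 101
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_address_prefix      = "GatewayManager"
    source_port_range          = "*"
    destination_port_range     = "443"
    destination_address_prefix = "*"
  }

  security_rule {
    name                       = "AllowAzureLoadBalancerInBound"
    priority                   = 102
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_address_prefix      = "AzureLoadBalancer"
    source_port_range          = "*"
    destination_port_range     = "443"
    destination_address_prefix = "*"
  }

  # … unchanged: AllowTunnellingThroughBastionInBound, DenyAllInBound, all Outbound rules …
}
```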
