docs: fix references to AWS and Azure example modules (#5829)

These are now published at
https://www.github.com/firezone/terraform-aws-gateway and
https://www.github.com/firezone/terraform-azurerm-gateway to match the
unclear docs for registry module naming...
Jamil
2024-07-11 09:10:12 -07:00
committed by GitHub
parent 041e3459ae
commit ffe4d5f950
8 changed files with 2 additions and 400 deletions


@@ -106,15 +106,9 @@ product documentation, organized as follows:
- [terraform/examples/google-cloud/nat-gateway](../terraform/examples/google-cloud/nat-gateway):
Example Terraform configuration for deploying a cluster of Firezone Gateways
behind a NAT gateway on GCP with a single egress IP.
- [terraform/examples/azure/nat-gateway](../terraform/examples/azure/nat-gateway):
Example Terraform configuration for deploying a cluster of Firezone Gateways
behind a NAT gateway on Azure with a single egress IP.
- [terraform/modules/google-cloud/apps/gateway-region-instance-group](../terraform/modules/google-cloud/apps/gateway-region-instance-group):
Production-ready Terraform module for deploying regional Firezone Gateways
to Google Cloud Compute using Regional Instance Groups.
- [terraform/modules/azure/firezone-gateway](../terraform/modules/azure/firezone-gateway):
Production-ready Terraform module for deploying Firezone Gateways to Azure
using Azure Orchestrated Virtual Machine Scale Sets.
## Quickstart


@@ -8,23 +8,9 @@ Gateways to your infrastructure.
Each example below is self-contained and includes a `README.md` with
instructions on how to deploy the example.
### AWS
- [NAT Gateway](./aws/nat-gateway): This example shows how to deploy one or more
Firezone Gateways in a single AWS VPC that is configured with a NAT Gateway
for egress. Read this if you're looking to deploy Firezone Gateways behind a
single, shared static IP address on AWS.
### Google Cloud Platform (GCP)
- [NAT Gateway](./google-cloud/nat-gateway): This example shows how to deploy
one or more Firezone Gateways in a single GCP VPC that is configured with a
Cloud NAT for egress. Read this if you're looking to deploy Firezone Gateways
behind a single, shared static IP address on GCP.
### Azure
- [NAT Gateway](./azure/nat-gateway): This example shows how to deploy one or
more Firezone Gateways in a single Azure Vnet that is configured with a NAT
gateway for egress. Read this if you're looking to deploy Firezone Gateways
behind a single, shared static IP address on Azure.


@@ -1,4 +0,0 @@
# Deploy Firezone on Azure with Terraform
See [our docs for a detailed guide](/kb/automate/terraform/azure) on deploying
Firezone on Azure with Terraform using this example.


@@ -1,213 +0,0 @@
# Change these to match your environment
locals {
location = "East US"
admin_ssh_key = file("~/.ssh/id_rsa.azure.pub")
firezone_token = "YOUR_FIREZONE_TOKEN"
}
module "azure_firezone_gateway" {
source = "github.com/firezone/firezone/terraform/modules/azure/firezone-gateway"
###################
# Required inputs #
###################
# Azure resource group information
resource_group_location = azurerm_resource_group.firezone.location
resource_group_name = azurerm_resource_group.firezone.name
# Generate a token from the admin portal in Sites -> <site> -> Deploy Gateway.
# Only one token is needed for the cluster.
firezone_token = local.firezone_token
# Attach the Gateways to your subnet.
private_subnet = azurerm_subnet.private.id
# Admin SSH public key. Must be RSA.
admin_ssh_key = local.admin_ssh_key
# Attach the Gateways to your NSG.
network_security_group_id = azurerm_network_security_group.firezone.id
# Attach the NAT Gateway
nat_gateway_id = azurerm_nat_gateway.firezone.id
###################
# Optional inputs #
###################
# Pick an image to use. Defaults to Ubuntu 22.04 LTS.
# source_image_reference {
# publisher = "Canonical"
# offer = "0001-com-ubuntu-server-jammy"
# sku = "22_04-lts"
# version = "latest"
# }
# Deploy a specific version of the Gateway. Generally, we recommend using the latest version.
# firezone_version = "latest"
# Override the default API URL. This should almost never be needed.
# firezone_api_url = "wss://api.firezone.dev"
# Gateways are very lightweight. In general it's preferable to deploy
# more smaller Gateways than fewer larger Gateways if you need to scale
# horizontally.
# See https://www.firezone.dev/kb/deploy/gateways#sizing-recommendations.
# instance_type = "Standard_B1ls"
# We recommend a minimum of 3 instances for high availability.
# desired_capacity = 3
}
# Configure the Azure provider
provider "azurerm" {
features {}
}
# Create a resource group in your preferred region
resource "azurerm_resource_group" "firezone" {
name = "firezone-resources"
location = local.location
}
# Create a virtual network
resource "azurerm_virtual_network" "firezone" {
name = "firezone-vnet"
address_space = ["172.16.0.0/16"]
location = azurerm_resource_group.firezone.location
resource_group_name = azurerm_resource_group.firezone.name
}
# Create a public subnet
resource "azurerm_subnet" "public" {
name = "firezone-public-subnet"
resource_group_name = azurerm_resource_group.firezone.name
virtual_network_name = azurerm_virtual_network.firezone.name
address_prefixes = ["172.16.0.0/24"]
}
# Create a private subnet
resource "azurerm_subnet" "private" {
name = "firezone-private-subnet"
resource_group_name = azurerm_resource_group.firezone.name
virtual_network_name = azurerm_virtual_network.firezone.name
address_prefixes = ["172.16.1.0/24"]
}
# Create a public IP for the NAT gateway
resource "azurerm_public_ip" "firezone" {
name = "firezone-pip"
location = azurerm_resource_group.firezone.location
resource_group_name = azurerm_resource_group.firezone.name
allocation_method = "Static"
sku = "Standard"
}
# OPTIONAL: Create a bastion to allow SSH access to the VMs which
# can be helpful for debugging when setting up the Gateways.
# After you're sure this configuration works, you can remove the bastion.
resource "azurerm_bastion_host" "firezone" {
name = "firezone-bastion"
location = azurerm_resource_group.firezone.location
resource_group_name = azurerm_resource_group.firezone.name
sku = "Standard"
tunneling_enabled = true
ip_configuration {
name = "firezone-bastion-ip"
subnet_id = azurerm_subnet.bastion.id
public_ip_address_id = azurerm_public_ip.firezone-bastion.id
}
}
resource "azurerm_public_ip" "firezone-bastion" {
name = "firezone-bastion-pip"
location = azurerm_resource_group.firezone.location
resource_group_name = azurerm_resource_group.firezone.name
allocation_method = "Static"
sku = "Standard"
}
resource "azurerm_subnet" "bastion" {
name = "AzureBastionSubnet"
resource_group_name = azurerm_resource_group.firezone.name
virtual_network_name = azurerm_virtual_network.firezone.name
address_prefixes = ["172.16.2.0/24"]
}
# Create a NAT gateway
resource "azurerm_nat_gateway" "firezone" {
name = "firezone-nat-gateway"
location = azurerm_resource_group.firezone.location
resource_group_name = azurerm_resource_group.firezone.name
}
# Create a NAT gateway association
resource "azurerm_nat_gateway_public_ip_association" "firezone" {
nat_gateway_id = azurerm_nat_gateway.firezone.id
public_ip_address_id = azurerm_public_ip.firezone.id
}
# Associate the NAT gateway with the public subnet
resource "azurerm_subnet_nat_gateway_association" "public" {
nat_gateway_id = azurerm_nat_gateway.firezone.id
subnet_id = azurerm_subnet.public.id
}
# Associate the NAT gateway with the private subnet
resource "azurerm_subnet_nat_gateway_association" "private" {
nat_gateway_id = azurerm_nat_gateway.firezone.id
subnet_id = azurerm_subnet.private.id
}
# Create a network security group
resource "azurerm_network_security_group" "firezone" {
name = "firezone-nsg"
location = azurerm_resource_group.firezone.location
resource_group_name = azurerm_resource_group.firezone.name
security_rule {
name = "allow-ssh"
priority = 1001
direction = "Inbound"
access = "Allow"
protocol = "Tcp"
source_port_range = "*"
destination_port_range = "22"
source_address_prefix = "172.16.0.0/24"
destination_address_prefix = "*"
}
security_rule {
name = "allow-all-outbound"
priority = 1002
direction = "Outbound"
access = "Allow"
protocol = "*"
source_port_range = "*"
destination_port_range = "0-65535"
source_address_prefix = "*"
destination_address_prefix = "0.0.0.0/0"
}
}
# Attach the NSG to the public subnet
resource "azurerm_subnet_network_security_group_association" "public" {
subnet_id = azurerm_subnet.public.id
network_security_group_id = azurerm_network_security_group.firezone.id
}
# Attach the NSG to the private subnet
resource "azurerm_subnet_network_security_group_association" "private" {
subnet_id = azurerm_subnet.private.id
network_security_group_id = azurerm_network_security_group.firezone.id
}
output "nat_public_ip" {
description = "The public IP of the NAT gateway"
value = azurerm_public_ip.firezone.ip_address
}
output "bastion_public_ip" {
description = "The public IP of the bastion host"
value = azurerm_public_ip.firezone-bastion.ip_address
}


@@ -1,61 +0,0 @@
resource "azurerm_orchestrated_virtual_machine_scale_set" "firezone" {
name = "firezone-vmss"
location = var.resource_group_location
resource_group_name = var.resource_group_name
sku_name = var.instance_type
instances = var.desired_capacity
platform_fault_domain_count = var.platform_fault_domain_count
source_image_reference {
publisher = var.source_image_reference.publisher
offer = var.source_image_reference.offer
sku = var.source_image_reference.sku
version = var.source_image_reference.version
}
network_interface {
name = "firezone-nic"
primary = true
# Required to egress traffic
enable_ip_forwarding = true
network_security_group_id = var.network_security_group_id
ip_configuration {
name = "internal"
primary = true
subnet_id = var.private_subnet
}
}
os_profile {
linux_configuration {
admin_username = var.admin_username
admin_ssh_key {
username = var.admin_username
public_key = var.admin_ssh_key
}
}
custom_data = base64encode(<<-EOF
#!/bin/bash
set -e
sudo apt-get update
sudo apt-get install -y curl uuid-runtime
FIREZONE_TOKEN="${var.firezone_token}" \
FIREZONE_VERSION="${var.firezone_version}" \
FIREZONE_NAME="${var.firezone_name}" \
FIREZONE_ID="$(uuidgen)" \
FIREZONE_API_URL="${var.firezone_api_url}" \
bash <(curl -fsSL https://raw.githubusercontent.com/firezone/firezone/main/scripts/gateway-systemd-install.sh)
EOF
)
}
tags = var.extra_tags
}


@@ -1,100 +0,0 @@
variable "resource_group_location" {
description = "The location for the resource group"
type = string
}
variable "resource_group_name" {
description = "The name of the resource group"
type = string
}
variable "source_image_reference" {
description = "The source image reference for the instances"
type = object({
publisher = string
offer = string
sku = string
version = string
})
default = {
publisher = "Canonical"
offer = "0001-com-ubuntu-server-jammy"
sku = "22_04-lts"
version = "latest"
}
}
variable "instance_type" {
description = "The instance type"
type = string
default = "Standard_B1ls"
}
variable "desired_capacity" {
description = "The desired number of instances"
type = number
default = 3
}
variable "admin_username" {
description = "The admin username"
type = string
default = "firezone"
}
variable "admin_ssh_key" {
description = "The admin SSH public key"
type = string
}
variable "firezone_token" {
description = "The Firezone token"
type = string
sensitive = true
}
variable "firezone_version" {
description = "The Gateway version to deploy"
type = string
default = "latest"
}
variable "firezone_name" {
description = "Name for the Gateways used in the admin portal"
type = string
default = "$(hostname)"
}
variable "firezone_api_url" {
description = "The Firezone API URL"
type = string
default = "wss://api.firezone.dev"
}
variable "private_subnet" {
description = "The private subnet ID"
type = string
}
variable "network_security_group_id" {
description = "The network security group id to attach to the instances"
type = string
}
variable "extra_tags" {
description = "Extra tags to attach to the instances"
type = map(string)
default = { "Name" = "firezone-gateway-instance" }
}
variable "platform_fault_domain_count" {
description = "The number of fault domains"
type = number
default = 3
}
variable "nat_gateway_id" {
description = "The NAT gateway ID"
type = string
}


@@ -63,7 +63,7 @@ for some general guidelines depending on your expected traffic.
## Deployment
1. [Download](https://raw.githubusercontent.com/firezone/terraform-firezone-aws/main/examples/nat-gateway/main.tf)
1. [Download](https://raw.githubusercontent.com/firezone/terraform-aws-gateway/main/examples/nat-gateway/main.tf)
the `main.tf` from the example module.
1. Customize it as desired. At a minimum, you will need to set the
`firezone_token` and change `base_ami` and `region` to match your


@@ -66,7 +66,7 @@ for some general guidelines depending on your expected traffic.
## Deployment
1. [Download](https://raw.githubusercontent.com/firezone/firezone/main/terraform/examples/azure/nat-gateway/main.tf)
1. [Download](https://raw.githubusercontent.com/firezone/terraform-azurerm-gateway/main/terraform/examples/azure/nat-gateway/main.tf)
the `main.tf` from the example module.
1. Customize it as desired. At a minimum, you will need to set the
`firezone_token` and change `admin_ssh_key` to match your environment.