From ffe4d5f9502752b4f4fa9ec9f9754b5e4de16ec5 Mon Sep 17 00:00:00 2001
From: Jamil
Date: Thu, 11 Jul 2024 09:10:12 -0700
Subject: [PATCH] docs: fix references to AWS and Azure example modules (#5829)

These are now published at https://www.github.com/firezone/terraform-aws-gateway and https://www.github.com/firezone/terraform-azurerm-gateway to match the unclear docs for registry module naming...
---
docs/README.md | 6 -
terraform/examples/README.md | 14 --
.../examples/azure/nat-gateway/README.md | 4 -
terraform/examples/azure/nat-gateway/main.tf | 213 ------------------
.../modules/azure/firezone-gateway/main.tf | 61 -----
.../azure/firezone-gateway/variables.tf | 100 --------
.../app/kb/automate/terraform/aws/readme.mdx | 2 +-
.../kb/automate/terraform/azure/readme.mdx | 2 +-
8 files changed, 2 insertions(+), 400 deletions(-)
delete mode 100644 terraform/examples/azure/nat-gateway/README.md
delete mode 100644 terraform/examples/azure/nat-gateway/main.tf
delete mode 100644 terraform/modules/azure/firezone-gateway/main.tf
delete mode 100644 terraform/modules/azure/firezone-gateway/variables.tf
diff --git a/docs/README.md b/docs/README.md
index 2f0c64719..bcff895ba 100644
--- a/docs/README.md
+++ b/docs/README.md
@@ -106,15 +106,9 @@ product documentation, organized as follows: - [terraform/examples/google-cloud/nat-gateway](../terraform/examples/google-cloud/nat-gateway): Example Terraform configuration for deploying a cluster of Firezone Gateways behind a NAT gateway on GCP with a single egress IP. - - [terraform/examples/azure/nat-gateway](../terraform/examples/azure/nat-gateway): - Example Terraform configuration for deploying a cluster of Firezone Gateways - behind a NAT gateway on Azure with a single egress IP. - [terraform/modules/google-cloud/apps/gateway-region-instance-group](../terraform/modules/google-cloud/apps/gateway-region-instance-group): Production-ready Terraform module for deploying regional Firezone Gateways to Google Cloud Compute using Regional Instance Groups. - - [terraform/modules/azure/firezone-gateway](../terraform/modules/azure/firezone-gateway): - Production-ready Terraform module for deploying Firezone Gateways to Azure - using Azure Orchestrated Virtual Machine Scale Sets. ## Quickstart diff --git a/terraform/examples/README.md b/terraform/examples/README.md index 04726b179..5cfa88f85 100644 --- a/terraform/examples/README.md +++ b/terraform/examples/README.md 
@@ -8,23 +8,9 @@ Gateways to your infrastructure. Each example below is self-contained and includes a `README.md` with instructions on how to deploy the example. -### AWS - -- [NAT Gateway](./aws/nat-gateway): This example shows how to deploy one or more - Firezone Gateways in a single AWS VPC that is configured with a NAT Gateway - for egress. Read this if you're looking to deploy Firezone Gateways behind a - single, shared static IP address on AWS. - ### Google Cloud Platform (GCP) - [NAT Gateway](./google-cloud/nat-gateway): This example shows how to deploy one or more Firezone Gateways in a single GCP VPC that is configured with a Cloud NAT for egress. Read this if you're looking to deploy Firezone Gateways behind a single, shared static IP address on GCP. - -### Azure - -- [NAT Gateway](./azure/nat-gateway): This example shows how to deploy one or - more Firezone Gateways in a single Azure Vnet that is configured with a NAT - gateway for egress. Read this if you're looking to deploy Firezone Gateways - behind a single, shared static IP address on Azure. diff --git a/terraform/examples/azure/nat-gateway/README.md b/terraform/examples/azure/nat-gateway/README.md deleted file mode 100644 index 3df24f849..000000000 --- a/terraform/examples/azure/nat-gateway/README.md +++ /dev/null @@ -1,4 +0,0 @@ -# Deploy Firezone on Azure with Terraform - -See [our docs for a detailed guide](/kb/automate/terraform/azure) on deploying -Firezone on Azure with Terraform using this example. diff --git a/terraform/examples/azure/nat-gateway/main.tf b/terraform/examples/azure/nat-gateway/main.tf deleted file mode 100644 index 2ed0bbdde..000000000 --- a/terraform/examples/azure/nat-gateway/main.tf +++ /dev/null 
@@ -1,213 +0,0 @@
-# Change these to match your environment
-locals {
- location = "East US"
- admin_ssh_key = file("~/.ssh/id_rsa.azure.pub")
- firezone_token = "YOUR_FIREZONE_TOKEN"
-}
-
-module "azure_firezone_gateway" {
- source = "github.com/firezone/firezone/terraform/modules/azure/firezone-gateway"
-
- ###################
- # Required inputs #
- ###################
-
- # Azure resource group information
- resource_group_location = azurerm_resource_group.firezone.location
- resource_group_name = azurerm_resource_group.firezone.name
-
- # Generate a token from the admin portal in Sites -> -> Deploy Gateway.
- # Only one token is needed for the cluster.
- firezone_token = local.firezone_token
-
- # Attach the Gateways to your subnet.
- private_subnet = azurerm_subnet.private.id
-
- # Admin SSH public key. Must be RSA.
- admin_ssh_key = local.admin_ssh_key
-
- # Attach the Gateways to your NSG.
- network_security_group_id = azurerm_network_security_group.firezone.id
-
- # Attach the NAT Gateway
- nat_gateway_id = azurerm_nat_gateway.firezone.id
-
- ###################
- # Optional inputs #
- ###################
-
- # Pick an image to use. Defaults to Ubuntu 22.04 LTS.
- # source_image_reference {
- # publisher = "Canonical"
- # offer = "0001-com-ubuntu-server-jammy"
- # sku = "22_04-lts"
- # version = "latest"
- # }
-
- # Deploy a specific version of the Gateway. Generally, we recommend using the latest version.
- # firezone_version = "latest"
-
- # Override the default API URL. This should almost never be needed.
- # firezone_api_url = "wss://api.firezone.dev"
-
- # Gateways are very lightweight. In general it's preferable to deploy
- # more smaller Gateways than fewer larger Gateways if you need to scale
- # horizontally.
- # See https://www.firezone.dev/kb/deploy/gateways#sizing-recommendations.
- # instance_type = "Standard_B1ls"
-
- # We recommend a minimum of 3 instances for high availability.
- # desired_capacity = 3
-}
-
-# Configure the Azure provider
-provider "azurerm" {
- features {}
-}
-
-# Create a resource group in your preferred region
-resource "azurerm_resource_group" "firezone" {
- name = "firezone-resources"
- location = local.location
-}
-
-# Create a virtual network
-resource "azurerm_virtual_network" "firezone" {
- name = "firezone-vnet"
- address_space = ["172.16.0.0/16"]
- location = azurerm_resource_group.firezone.location
- resource_group_name = azurerm_resource_group.firezone.name
-}
-
-# Create a public subnet
-resource "azurerm_subnet" "public" {
- name = "firezone-public-subnet"
- resource_group_name = azurerm_resource_group.firezone.name
- virtual_network_name = azurerm_virtual_network.firezone.name
- address_prefixes = ["172.16.0.0/24"]
-}
-
-# Create a private subnet
-resource "azurerm_subnet" "private" {
- name = "firezone-private-subnet"
- resource_group_name = azurerm_resource_group.firezone.name
- virtual_network_name = azurerm_virtual_network.firezone.name
- address_prefixes = ["172.16.1.0/24"]
-}
-
-# Create a public IP for the NAT gateway
-resource "azurerm_public_ip" "firezone" {
- name = "firezone-pip"
- location = azurerm_resource_group.firezone.location
- resource_group_name = azurerm_resource_group.firezone.name
- allocation_method = "Static"
- sku = "Standard"
-}
-
-# OPTIONAL: Create a bastion to allow SSH access to the VMs which
-# can be helpful for debugging when setting up the Gateways.
-# After you're sure this configuration works, you can remove the bastion.
-resource "azurerm_bastion_host" "firezone" {
- name = "firezone-bastion"
- location = azurerm_resource_group.firezone.location
- resource_group_name = azurerm_resource_group.firezone.name
- sku = "Standard"
- tunneling_enabled = true
-
- ip_configuration {
- name = "firezone-bastion-ip"
- subnet_id = azurerm_subnet.bastion.id
- public_ip_address_id = azurerm_public_ip.firezone-bastion.id
- }
-}
-resource "azurerm_public_ip" "firezone-bastion" {
- name = "firezone-bastion-pip"
- location = azurerm_resource_group.firezone.location
- resource_group_name = azurerm_resource_group.firezone.name
- allocation_method = "Static"
- sku = "Standard"
-}
-resource "azurerm_subnet" "bastion" {
- name = "AzureBastionSubnet"
- resource_group_name = azurerm_resource_group.firezone.name
- virtual_network_name = azurerm_virtual_network.firezone.name
- address_prefixes = ["172.16.2.0/24"]
-}
-
-# Create a NAT gateway
-resource "azurerm_nat_gateway" "firezone" {
- name = "firezone-nat-gateway"
- location = azurerm_resource_group.firezone.location
- resource_group_name = azurerm_resource_group.firezone.name
-}
-
-# Create a NAT gateway association
-resource "azurerm_nat_gateway_public_ip_association" "firezone" {
- nat_gateway_id = azurerm_nat_gateway.firezone.id
- public_ip_address_id = azurerm_public_ip.firezone.id
-}
-
-# Associate the NAT gateway with the public subnet
-resource "azurerm_subnet_nat_gateway_association" "public" {
- nat_gateway_id = azurerm_nat_gateway.firezone.id
- subnet_id = azurerm_subnet.public.id
-}
-
-# Associate the NAT gateway with the private subnet
-resource "azurerm_subnet_nat_gateway_association" "private" {
- nat_gateway_id = azurerm_nat_gateway.firezone.id
- subnet_id = azurerm_subnet.private.id
-}
-
-# Create a network security group
-resource "azurerm_network_security_group" "firezone" {
- name = "firezone-nsg"
- location = azurerm_resource_group.firezone.location
- resource_group_name = azurerm_resource_group.firezone.name
-
- security_rule {
- name
= "allow-ssh"
- priority = 1001
- direction = "Inbound"
- access = "Allow"
- protocol = "Tcp"
- source_port_range = "*"
- destination_port_range = "22"
- source_address_prefix = "172.16.0.0/24"
- destination_address_prefix = "*"
- }
-
- security_rule {
- name = "allow-all-outbound"
- priority = 1002
- direction = "Outbound"
- access = "Allow"
- protocol = "*"
- source_port_range = "*"
- destination_port_range = "0-65535"
- source_address_prefix = "*"
- destination_address_prefix = "0.0.0.0/0"
- }
-}
-
-# Attach the NSG to the public subnet
-resource "azurerm_subnet_network_security_group_association" "public" {
- subnet_id = azurerm_subnet.public.id
- network_security_group_id = azurerm_network_security_group.firezone.id
-}
-
-# Attach the NSG to the private subnet
-resource "azurerm_subnet_network_security_group_association" "private" {
- subnet_id = azurerm_subnet.private.id
- network_security_group_id = azurerm_network_security_group.firezone.id
-}
-
-output "nat_public_ip" {
- description = "The public IP of the NAT gateway"
- value = azurerm_public_ip.firezone.ip_address
-}
-
-output "bastion_public_ip" {
- description = "The public IP of the bastion host"
- value = azurerm_public_ip.firezone-bastion.ip_address
-}
diff --git a/terraform/modules/azure/firezone-gateway/main.tf b/terraform/modules/azure/firezone-gateway/main.tf
deleted file mode 100644
index b17e16d3e..000000000
--- a/terraform/modules/azure/firezone-gateway/main.tf
+++ /dev/null
@@ -1,61 +0,0 @@
-resource "azurerm_orchestrated_virtual_machine_scale_set" "firezone" {
- name = "firezone-vmss"
- location = var.resource_group_location
- resource_group_name = var.resource_group_name
- sku_name = var.instance_type
- instances = var.desired_capacity
- platform_fault_domain_count = var.platform_fault_domain_count
-
- source_image_reference {
- publisher = var.source_image_reference.publisher
- offer = var.source_image_reference.offer
- sku = var.source_image_reference.sku
- version = var.source_image_reference.version
- }
-
- network_interface {
- name = "firezone-nic"
- primary = true
-
- # Required to egress traffic
- enable_ip_forwarding = true
-
- network_security_group_id = var.network_security_group_id
-
- ip_configuration {
- name = "internal"
- primary = true
- subnet_id = var.private_subnet
- }
- }
-
- os_profile {
- linux_configuration {
- admin_username = var.admin_username
-
- admin_ssh_key {
- username = var.admin_username
- public_key = var.admin_ssh_key
- }
- }
-
- custom_data = base64encode(<<-EOF
- #!/bin/bash
- set -e
-
- sudo apt-get update
- sudo apt-get install -y curl uuid-runtime
-
- FIREZONE_TOKEN="${var.firezone_token}" \
- FIREZONE_VERSION="${var.firezone_version}" \
- FIREZONE_NAME="${var.firezone_name}" \
- FIREZONE_ID="$(uuidgen)" \
- FIREZONE_API_URL="${var.firezone_api_url}" \
- bash <(curl -fsSL https://raw.githubusercontent.com/firezone/firezone/main/scripts/gateway-systemd-install.sh)
-
- EOF
- )
- }
-
- tags = var.extra_tags
-}
diff --git a/terraform/modules/azure/firezone-gateway/variables.tf b/terraform/modules/azure/firezone-gateway/variables.tf
deleted file mode 100644
index 2a0d4c277..000000000
--- a/terraform/modules/azure/firezone-gateway/variables.tf
+++ /dev/null
@@ -1,100 +0,0 @@
-variable "resource_group_location" {
- description = "The location for the resource group"
- type = string
-}
-
-variable "resource_group_name" {
- description = "The name of the resource group"
- type = string
-}
-
-variable "source_image_reference" {
- description = "The source image reference for the instances"
- type = object({
- publisher = string
- offer = string
- sku = string
- version = string
- })
-
- default = {
- publisher = "Canonical"
- offer = "0001-com-ubuntu-server-jammy"
- sku = "22_04-lts"
- version = "latest"
- }
-}
-
-variable "instance_type" {
- description = "The instance type"
- type = string
- default = "Standard_B1ls"
-}
-
-variable "desired_capacity" {
- description = "The desired number of instances"
- type = number
- default = 3
-}
-
-variable "admin_username" {
- description = "The admin username"
- type = string
- default = "firezone"
-}
-
-variable "admin_ssh_key" {
- description = "The admin SSH public key"
- type = string
-}
-
-variable "firezone_token" {
- description = "The Firezone token"
- type = string
- sensitive = true
-}
-
-variable "firezone_version" {
- description = "The Gateway version to deploy"
- type = string
- default = "latest"
-}
-
-variable "firezone_name" {
- description = "Name for the Gateways used in the admin portal"
- type = string
- default = "$(hostname)"
-}
-
-variable "firezone_api_url" {
- description = "The Firezone API URL"
- type = string
- default = "wss://api.firezone.dev"
-}
-
-variable "private_subnet" {
- description = "The private subnet ID"
- type = string
-}
-
-variable "network_security_group_id" {
- description = "The network security group id to attach to the instances"
- type = string
-}
-
-variable "extra_tags" {
- description = "Extra tags to attach to the instances"
- type = map(string)
- default = { "Name" = "firezone-gateway-instance" }
-}
-
-variable "platform_fault_domain_count" {
- description = "The number of fault domains"
- type = number
- default = 3
-}
-
-variable "nat_gateway_id" {
- description = "The NAT gateway ID"
- type = string
-}
diff --git a/website/src/app/kb/automate/terraform/aws/readme.mdx b/website/src/app/kb/automate/terraform/aws/readme.mdx
index 3c505a8ec..5e6647fe2 100644
--- a/website/src/app/kb/automate/terraform/aws/readme.mdx
+++ b/website/src/app/kb/automate/terraform/aws/readme.mdx
@@ -63,7 +63,7 @@ for some general guidelines depending on your expected traffic.
 
 ## Deployment
 
-1. [Download](https://raw.githubusercontent.com/firezone/terraform-firezone-aws/main/examples/nat-gateway/main.tf)
+1. [Download](https://raw.githubusercontent.com/firezone/terraform-aws-gateway/main/examples/nat-gateway/main.tf)
 the `main.tf` from the example module.
 1. Customize it as desired. At a minimum, you will need to set the
 `firezone_token` and change `base_ami` and `region` to match your
diff --git a/website/src/app/kb/automate/terraform/azure/readme.mdx b/website/src/app/kb/automate/terraform/azure/readme.mdx
index a7f1aa329..cd982bfca 100644
--- a/website/src/app/kb/automate/terraform/azure/readme.mdx
+++ b/website/src/app/kb/automate/terraform/azure/readme.mdx
@@ -66,7 +66,7 @@ for some general guidelines depending on your expected traffic.
 
 ## Deployment
 
-1. [Download](https://raw.githubusercontent.com/firezone/firezone/main/terraform/examples/azure/nat-gateway/main.tf)
+1. [Download](https://raw.githubusercontent.com/firezone/terraform-azurerm-gateway/main/terraform/examples/azure/nat-gateway/main.tf)
 the `main.tf` from the example module.
 1. Customize it as desired. At a minimum, you will need to set the
 `firezone_token` and change `admin_ssh_key` to match your environment.
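Review bot: The new Azure download link keeps the old monorepo path `terraform/examples/azure/nat-gateway/main.tf` under the `terraform-azurerm-gateway` repository, whereas the AWS hunk in the same commit points at `examples/nat-gateway/main.tf` under `terraform-aws-gateway`; if the two published repositories share a layout, the Azure link will not resolve and should presumably read `https://raw.githubusercontent.com/firezone/terraform-azurerm-gateway/main/examples/nat-gateway/main.tf`. Both links also fetch the example from the mutable `main` branch, so a reader following the guide gets whatever that branch holds at that moment rather than a reviewed revision; pointing the step at a release tag of the new repository would make the deployment instructions reproducible. Please confirm the Azure path against the published repository before merging.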