Azure network

azure/prepare/auth.tf

@@ -0,0 +1,4 @@
+provider "azurerm" {
+  features {}
+  subscription_id = var.subscription_id
+}

azure/prepare/common.tf

@@ -0,0 +1,16 @@
+
+resource "azurerm_resource_group" "kubernetes" {
+  location = var.regions[0]
+  name     = var.project
+
+  tags = var.tags
+}
+
+resource "azurerm_ssh_public_key" "terraform" {
+  name                = "Terraform"
+  resource_group_name = azurerm_resource_group.kubernetes.name
+  location            = var.regions[0]
+  public_key          = file("~/.ssh/terraform.pub")
+
+  tags = var.tags
+}

azure/prepare/network-nat.tf

@@ -0,0 +1,35 @@
+
+resource "azurerm_public_ip" "nat" {
+  for_each                = { for idx, name in var.regions : name => idx if try(var.capabilities[name].network_nat_enable, false) }
+  location                = each.key
+  name                    = "nat-${each.value}"
+  resource_group_name     = azurerm_resource_group.kubernetes.name
+  sku                     = "Standard"
+  allocation_method       = "Static"
+  idle_timeout_in_minutes = 30
+
+  tags = merge(var.tags, { type = "infra" })
+}
+
+resource "azurerm_nat_gateway" "nat" {
+  for_each                = { for idx, name in var.regions : name => idx if try(var.capabilities[name].network_nat_enable, false) }
+  location                = each.key
+  name                    = "nat-${each.value}"
+  resource_group_name     = azurerm_resource_group.kubernetes.name
+  sku_name                = "Standard"
+  idle_timeout_in_minutes = 30
+
+  tags = var.tags
+}
+
+resource "azurerm_nat_gateway_public_ip_association" "nat" {
+  for_each             = { for idx, name in var.regions : name => idx if try(var.capabilities[name].network_nat_enable, false) }
+  nat_gateway_id       = azurerm_nat_gateway.nat[each.key].id
+  public_ip_address_id = azurerm_public_ip.nat[each.key].id
+}
+
+resource "azurerm_subnet_nat_gateway_association" "private" {
+  for_each       = { for idx, name in var.regions : name => idx if try(var.capabilities[name].network_nat_enable, false) }
+  subnet_id      = azurerm_subnet.private[each.key].id
+  nat_gateway_id = azurerm_nat_gateway.nat[each.key].id
+}

azure/prepare/network.tf

@@ -0,0 +1,69 @@
+
+resource "azurerm_virtual_network" "main" {
+  for_each            = { for idx, name in var.regions : name => idx }
+  location            = each.key
+  name                = "main-${each.value}"
+  address_space       = [cidrsubnet(var.network_cidr[0], 6, var.network_shift + each.value * 4), cidrsubnet(var.network_cidr[1], 6, var.network_shift + each.value * 4)]
+  resource_group_name = azurerm_resource_group.kubernetes.name
+
+  tags = merge(var.tags, { type = "infra" })
+}
+
+resource "azurerm_subnet" "public" {
+  for_each             = { for idx, name in var.regions : name => idx }
+  name                 = "public"
+  resource_group_name  = azurerm_resource_group.kubernetes.name
+  virtual_network_name = azurerm_virtual_network.main[each.key].name
+  address_prefixes     = [cidrsubnet(azurerm_virtual_network.main[each.key].address_space[0], 2, 0), cidrsubnet(azurerm_virtual_network.main[each.key].address_space[1], 2, 0)]
+}
+
+resource "azurerm_subnet" "private" {
+  for_each             = { for idx, name in var.regions : name => idx }
+  name                 = "private"
+  resource_group_name  = azurerm_resource_group.kubernetes.name
+  virtual_network_name = azurerm_virtual_network.main[each.key].name
+  address_prefixes     = [cidrsubnet(azurerm_virtual_network.main[each.key].address_space[0], 2, 1), cidrsubnet(azurerm_virtual_network.main[each.key].address_space[1], 2, 1)]
+}
+
+resource "azurerm_virtual_network_peering" "peering" {
+  for_each                     = { for idx, name in var.regions : name => idx }
+  name                         = "peering-from-${each.key}"
+  resource_group_name          = azurerm_resource_group.kubernetes.name
+  virtual_network_name         = azurerm_virtual_network.main[each.key].name
+  remote_virtual_network_id    = element([for network in azurerm_virtual_network.main : network.id if network.location != each.key], 0)
+  allow_virtual_network_access = true
+  allow_forwarded_traffic      = true
+  allow_gateway_transit        = false
+}
+
+resource "azurerm_route_table" "link" {
+  for_each            = { for idx, name in var.regions : name => idx if try(var.capabilities[name].network_gw_enable, false) }
+  location            = each.key
+  name                = "link-${each.value}"
+  resource_group_name = azurerm_resource_group.kubernetes.name
+
+  dynamic "route" {
+    for_each = range(0, length(var.network_cidr))
+
+    content {
+      name                   = "link-${each.value}-${route.value}"
+      address_prefix         = var.network_cidr[route.value]
+      next_hop_type          = "VirtualAppliance"
+      next_hop_in_ip_address = cidrhost(azurerm_subnet.public[each.key].address_prefixes[route.value], -2)
+    }
+  }
+
+  tags = merge(var.tags, { type = "infra" })
+}
+
+resource "azurerm_subnet_route_table_association" "public" {
+  for_each       = { for idx, name in var.regions : name => idx if try(var.capabilities[name].network_gw_enable, false) }
+  subnet_id      = azurerm_subnet.public[each.key].id
+  route_table_id = azurerm_route_table.link[each.key].id
+}
+
+resource "azurerm_subnet_route_table_association" "private" {
+  for_each       = { for idx, name in var.regions : name => idx if try(var.capabilities[name].network_gw_enable, false) }
+  subnet_id      = azurerm_subnet.private[each.key].id
+  route_table_id = azurerm_route_table.link[each.key].id
+}

azure/prepare/outputs.tf

@@ -0,0 +1,22 @@
+
+output "regions" {
+  description = "Regions"
+  value       = var.regions
+}
+
+output "network_public" {
+  description = "The public network"
+  value = { for zone, subnet in azurerm_subnet.public : zone => {
+    network_id = subnet.id
+    cidr       = subnet.address_prefixes
+  } }
+}
+
+output "network_private" {
+  description = "The private network"
+  value = { for zone, subnet in azurerm_subnet.private : zone => {
+    network_id = subnet.id
+    cidr       = subnet.address_prefixes
+    nat        = try(azurerm_public_ip.nat[zone].ip_address, "")
+  } }
+}

azure/prepare/variables.tf

@@ -0,0 +1,75 @@
+
+variable "subscription_id" {
+  description = "The subscription id"
+  type        = string
+}
+
+variable "project" {
+  description = "The project name"
+  type        = string
+}
+
+variable "regions" {
+  description = "The region name list"
+  type        = list(string)
+  default     = ["uksouth", "ukwest"]
+
+  validation {
+    condition     = length(var.regions) == 2
+    error_message = "The regions list must have only 2 zones."
+  }
+}
+
+variable "tags" {
+  description = "Tags to set on resources"
+  type        = map(string)
+  default = {
+    environment = "Develop"
+  }
+}
+
+variable "network_name" {
+  type    = string
+  default = "main"
+}
+
+variable "network_cidr" {
+  description = "Local subnet rfc1918/ULA"
+  type        = list(string)
+  default     = ["172.16.0.0/16", "fd60:172:16::/56"]
+
+  validation {
+    condition     = length(var.network_cidr) == 2
+    error_message = "The network_cidr is a list of IPv4/IPv6 cidr."
+  }
+}
+
+variable "network_shift" {
+  description = "Network number shift"
+  type        = number
+  default     = 34
+}
+
+variable "whitelist_admin" {
+  default = ["*"]
+}
+
+variable "whitelist_web" {
+  default = ["*"]
+}
+
+variable "capabilities" {
+  type = map(any)
+  default = {
+    "uksouth" = {
+      network_nat_enable = false,
+      network_gw_enable  = true,
+      network_gw_type    = "Standard_B1s",
+    },
+    "ukwest" = {
+      network_nat_enable = false,
+      network_gw_enable  = true,
+      network_gw_type    = "Standard_B1s",
+    },
+  }
+}

azure/prepare/versions.tf

@@ -0,0 +1,9 @@
+
+terraform {
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = "3.6.0"
+    }
+  }
+}