infra(chore): update bastion host vm setup [MRXNM-52] #1688

Merged (3 commits) on Sep 13, 2024
1 change: 1 addition & 0 deletions infrastructure/base/main.tf
@@ -39,6 +39,7 @@ module "bastion" {
project_name = var.project_name
bastion_ssh_public_keys = var.bastion_ssh_public_keys
bastion_subnet_id = module.network.bastion_subnet_id
bastion_nsg_id = module.network.bastion_nsg_id
dns_zone = module.dns.dns_zone
}
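Review bot: wiring `module.network.bastion_nsg_id` into the bastion module is the right direction, but the NSG's rules are not part of this PR, so the reviewer should confirm in the network module that `bastion_nsg` only allows inbound SSH from the expected source prefixes; once it is bound to the NIC it is a filter for this host, and an `Internet`-sourced allow on port 22 would undo the point of passing it through. Nothing to change in this hunk itself.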

27 changes: 25 additions & 2 deletions infrastructure/base/modules/bastion/main.tf
@@ -23,13 +23,28 @@ resource "azurerm_network_interface" "bastion_nic" {
}
}

resource "azurerm_network_interface_security_group_association" "bastion_nic_nsg_association" {
network_interface_id = azurerm_network_interface.bastion_nic.id
network_security_group_id = var.bastion_nsg_id
}

resource "tls_private_key" "ssh_private_key" {
algorithm = "RSA"
rsa_bits = 4096
}

locals {
admin_user = "ubuntu"

cloud_init_custom_data = <<-EOF
Collaborator commented on this line:

isn't it just easier/simpler to provision a suitably beefed up VM?

Member Author replied:

yep, that's an option - I proposed this because we can keep the lowest ongoing cost for this, since all it actually needs to do is to tunnel connections through, and the setup for the swapfile - just in case, as maybe it "just" makes sense to reapply the config and get the VM recreated with the latest 24.04 image that includes any security fixes added by Canonical, instead of tediously doing an apt upgrade on what is essentially a disposable VM instance - was easy enough.

#cloud-config
runcmd:
- fallocate -l 2G /swapfile
- chmod 600 /swapfile
- mkswap /swapfile
- swapon /swapfile
- echo '/swapfile none swap sw 0 0' | tee -a /etc/fstab
EOF
}

resource "azurerm_linux_virtual_machine" "bastion" {
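Review bot: the swapfile steps in `runcmd` are not idempotent: `tee -a /etc/fstab` appends another line every time they run, and `fallocate -l 2G /swapfile` followed by `mkswap` will clobber or fail on an existing file, so any re-run of the instance scripts (for example after `cloud-init clean`) leaves duplicate fstab entries. cloud-init's declarative `swap` key does the create/chmod/mkswap/swapon/fstab sequence once and safely, roughly `swap:` / `  filename: /swapfile` / `  size: 2G` (size as bytes or a suffixed value; assumed equivalent to the shell steps here), so consider that instead of hand-rolled commands. Separately, since the stated purpose is pulling in security fixes, `package_update: true` and `package_upgrade: true` in the same cloud-config would apply pending updates on first boot regardless of how fresh the base image is. The new `bastion_nic_nsg_association` looks correct; only note that if the same NSG is also attached at subnet level (not visible here) rules are evaluated twice, which is harmless but confuses debugging.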
@@ -59,10 +74,18 @@ resource "azurerm_linux_virtual_machine" "bastion" {

source_image_reference {
publisher = "Canonical"
offer = "0001-com-ubuntu-server-focal"
sku = "20_04-lts"
offer = "ubuntu-24_04-lts"
sku = "minimal"
version = "latest"
}

# Since the VM for this bastion host is provisioned with a very small VM size
# by default (Standard_B1ls, with 1 vCPU core and 0.5GiB of memory), memory
# may typically not be enough if needing to run an apt update/upgrade to pull
# in security-fix packages, so a small swapfile should help here. This is
# created via cloud-init
# (https://learn.microsoft.com/en-us/azure/virtual-machines/linux/tutorial-automate-vm-deployment)
custom_data = base64encode(local.cloud_init_custom_data)
}

resource "azurerm_dns_a_record" "bastion_dns_record" {
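Review bot: `version = "latest"` does not by itself give the "reapply and get a fresh 24.04 image" behaviour discussed in the thread: Terraform stores the literal `latest` in state, so a later `terraform apply` sees no diff when Canonical publishes a newer image and will not replace the VM. Getting a refreshed image means forcing replacement, e.g. `terraform apply -replace=module.bastion.azurerm_linux_virtual_machine.bastion` (address taken from the `module "bastion"` block in `infrastructure/base/main.tf` and this resource name), which also re-runs cloud-init and recreates the swapfile; that is worth a sentence in the comment block above `custom_data`, which currently only explains the swap. Two smaller points: the comment hard-codes `Standard_B1ls` (1 vCPU, 0.5 GiB) as the default size while the size itself is outside this hunk, so keep the two in sync if the default changes; and since both `source_image_reference` and `custom_data` force a new resource, expect the bastion to be rebuilt (with a new host key, if the key is generated on the VM) the first time this is applied.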
4 changes: 4 additions & 0 deletions infrastructure/base/modules/bastion/variables.tf
@@ -21,6 +21,10 @@ variable "bastion_subnet_id" {
description = "The id of the subnet where the bastion host will be placed"
}

variable "bastion_nsg_id" {
description = "The id of the network security group for the bastion host"
}

variable "dns_zone" {
description = "The Azure DNS zone where the bastion A record will be added"
}
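Review bot: `bastion_nsg_id` has no `type` constraint; add `type = string` (and ideally to `bastion_subnet_id` and `dns_zone`, which follow the same description-only pattern) so a wrong value such as a list or an object is rejected at plan time instead of failing inside `azurerm_network_interface_security_group_association`. A `validation` block checking the `/networkSecurityGroups/` resource-ID shape would catch a subnet ID passed by mistake, but the type constraint is the minimum.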
4 changes: 4 additions & 0 deletions infrastructure/base/modules/network/outputs.tf
@@ -26,6 +26,10 @@ output "bastion_subnet_id" {
value = azurerm_subnet.bastion_subnet.id
}

output "bastion_nsg_id" {
value = azurerm_network_security_group.bastion_nsg.id
}

output "firewall_subnet_id" {
value = azurerm_subnet.firewall_subnet.id
}
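Review bot: the new output has no `description`, which matches the neighbouring `bastion_subnet_id` and `firewall_subnet_id` outputs but leaves the module interface undocumented; a one-liner such as `description = "ID of the NSG to associate with the bastion NIC"` on the new output (and the existing ones while here) would help the consumer in `infrastructure/base/main.tf`. The referenced `azurerm_network_security_group.bastion_nsg` is not defined in this PR, so it must already exist in the network module; no further change needed in this hunk.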