diff --git a/azure_jumpstart_arcbox/bicep/main.bicep b/azure_jumpstart_arcbox/bicep/main.bicep
index 780dfc1a2f..b8593d12bb 100644
--- a/azure_jumpstart_arcbox/bicep/main.bicep
+++ b/azure_jumpstart_arcbox/bicep/main.bicep
@@ -48,6 +48,14 @@ param githubBranch string = 'arcbox_3.0'
 @description('Choice to deploy Bastion to connect to the client VM')
 param deployBastion bool = false
+@description('Bastion host Sku name. The Developer SKU is currently supported in a limited number of regions: https://learn.microsoft.com/azure/bastion/quickstart-developer-sku')
+@allowed([
+ 'Basic'
+ 'Standard'
+ 'Developer'
+])
+param bastionSku string = 'Basic'
+
 @description('User github account where they have forked https://github.com/microsoft/azure-arc-jumpstart-apps')
 param githubUser string = 'microsoft'
@@ -173,6 +181,7 @@ module mgmtArtifactsAndPolicyDeployment 'mgmt/mgmtArtifacts.bicep' = {
 workspaceName: logAnalyticsWorkspaceName
 flavor: flavor
 deployBastion: deployBastion
+ bastionSku: bastionSku
 location: location
 }
 }
diff --git a/azure_jumpstart_arcbox/bicep/mgmt/mgmtArtifacts.bicep b/azure_jumpstart_arcbox/bicep/mgmt/mgmtArtifacts.bicep
index 21e7ebb4d6..1a33da45c2 100644
--- a/azure_jumpstart_arcbox/bicep/mgmt/mgmtArtifacts.bicep
+++ b/azure_jumpstart_arcbox/bicep/mgmt/mgmtArtifacts.bicep
@@ -37,6 +37,14 @@ param sku string = 'pergb2018'
 @description('Choice to deploy Bastion to connect to the client VM')
 param deployBastion bool = false
+@description('Bastion host Sku name')
+@allowed([
+ 'Basic'
+ 'Standard'
+ 'Developer'
+])
+param bastionSku string = 'Basic'
+
 @description('Name of the Network Security Group')
 param networkSecurityGroupName string = 'ArcBox-NSG'
@@ -77,7 +85,7 @@ var primarySubnet = [
 }
 }
 ]
-var bastionSubnet = [
+var bastionSubnet = bastionSku != 'Developer' ? [
 {
 name: 'AzureBastionSubnet'
 properties: {
@@ -87,7 +95,7 @@ var bastionSubnet = [
 }
 }
 }
-]
+] : []
 var dataOpsSubnets = [
 {
 name: aksSubnetName
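Review bot: The new guard on `var bastionSubnet` keys only on the SKU, so a deployment that leaves `deployBastion` at false with the default Basic SKU still carves AzureBastionSubnet out of the vNet for a host that is never created; `var bastionSubnet = (deployBastion && bastionSku != 'Developer') ? [` would reserve the subnet only when a subnet-based Bastion is actually deployed. The subnet appears to have been unconditional before this change, so this is not a regression, but the ternary is the natural place to tighten it. The closing `] : []` of the same expression sits in the following hunk at -87, and how `bastionSubnet` is consumed by the vNet resource is outside both hunks, so confirm nothing else assumes the subnet always exists.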
@@ -458,11 +466,17 @@ resource publicIpAddress 'Microsoft.Network/publicIPAddresses@2022-01-01' = if (
 }
 }
-resource bastionHost 'Microsoft.Network/bastionHosts@2022-01-01' = if (deployBastion == true) {
+resource bastionHost 'Microsoft.Network/bastionHosts@2023-11-01' = if (deployBastion == true) {
 name: bastionName
 location: location
+ sku: {
+ name: bastionSku
+ }
 properties: {
- ipConfigurations: [
+ virtualNetwork: bastionSku == 'Developer' ? {
+ id: arcVirtualNetwork.id
+ } : null
+ ipConfigurations: bastionSku != 'Developer' ? [
 {
 name: 'IpConf'
 properties: {
@@ -474,7 +488,7 @@ resource bastionHost 'Microsoft.Network/bastionHosts@2022-01-01' = if (deployBas
 }
 }
 }
- ]
+ ] : null
 }
 }
@@ -492,6 +506,7 @@ module keyVault 'br/public:avm/res/key-vault/vault:0.5.1' = {
 params: {
 name: keyVaultName
 enablePurgeProtection: false
+ enableSoftDelete: false
 location: location
 }
 }
diff --git a/azure_jumpstart_arcbox/terraform/main.tf b/azure_jumpstart_arcbox/terraform/main.tf
deleted file mode 100644
index e8d3a13577..0000000000
--- a/azure_jumpstart_arcbox/terraform/main.tf
+++ /dev/null
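Review bot: With `bastionSku == 'Developer'` the host is given `virtualNetwork` instead of `ipConfigurations`, but the `publicIpAddress` resource named in the hunk header keeps its own condition (truncated at `= if (`, outside the hunk); if that condition is still only `deployBastion == true`, a Developer deployment allocates a Standard public IP that nothing attaches to. Gating it the same way, `= if (deployBastion == true && bastionSku != 'Developer')`, avoids the orphaned public IP and the cost and exposure review that comes with it. The `ipConfigurations` array is closed with `] : null` in the next hunk at -474, so the resource body spans both hunks. A one-line comment above `virtualNetwork:` such as `// Developer SKU attaches to the vNet directly; the other SKUs need AzureBastionSubnet plus a public IP` would explain the two mutually exclusive ternaries.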
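Review bot: `enableSoftDelete: false` in the keyVault module params removes the recovery window for the vault and every secret in it, so an accidental or unauthorised delete is permanent; together with the existing `enablePurgeProtection: false` this is the weakest deletion posture the vault can have, and Azure has been phasing out the ability to opt out of soft delete for new vaults, so the setting may be ignored or rejected on newer API versions (not verified here). If the intent is to let the lab be torn down and redeployed without waiting out the retention period, state it on the line: `enableSoftDelete: false // lab only: allows immediate delete/redeploy of the vault; keep soft delete on outside ArcBox`. Otherwise leave soft delete on and use the module's `softDeleteRetentionInDays` at its minimum to get the same fast teardown with a recovery window.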
@@ -1,320 +0,0 @@
-# Configure the Azure provider
-terraform {
- required_providers {
- azurerm = {
- source = "hashicorp/azurerm"
- version = "~> 2.65"
- }
- }
-
- required_version = ">= 0.14.9"
-}
-
-provider "azurerm" {
- features {}
-}
-
-variable "azure_location" {
- type = string
- description = "Azure Location"
- default = "eastus"
-}
-
-variable "resource_group_name" {
- type = string
- description = "Azure Resource Group"
- default = "ArcBox-RG"
-}
-
-variable "client_vm_name" {
- type = string
- description = "The name of the client virtual machine."
- default = "ArcBox-Client"
-}
-
-variable "capi_vm_name" {
- type = string
- description = "The name of the client virtual machine."
- default = "ArcBox-CAPI-MGMT"
-}
-
-variable "rancher_vm_name" {
- type = string
- description = "The name of the client virtual machine."
- default = "ArcBox-K3s"
-}
-
-variable "virtual_network_name" {
- type = string
- description = "ArcBox vNET name."
- default = "ArcBox-vNET"
-}
-
-variable "subnet_name" {
- type = string
- description = "ArcBox subnet name."
- default = "ArcBox-Subnet"
-}
-
-variable "workspace_name" {
- type = string
- description = "Log Analytics workspace name."
- default = "ArcBox-Workspace"
-}
-
-variable "github_username" {
- type = string
- description = "User's github account where they have forked https://github.com/microsoft/azure-arc-jumpstart-apps"
- default = "microsoft"
-}
-
-variable "github_repo" {
- type = string
- description = "Specify a GitHub repo (used for testing purposes)"
- default = "microsoft"
-}
-
-variable "github_branch" {
- type = string
- description = "Specify a GitHub branch (used for testing purposes)"
- default = "main"
-}
-
-variable "spn_client_id" {
- type = string
- description = "Arc Service Principal clientID."
-}
-
-variable "spn_client_secret" {
- type = string
- description = "Arc Service Principal client secret."
- sensitive = true
-}
-
-variable "spn_tenant_id" {
- type = string
- description = "Arc Service Principal tenantID."
-}
-
-variable "client_admin_username" {
- type = string
- description = "Username for the client virtual machine."
- default = "arcdemo"
-}
-
-variable "client_admin_password" {
- type = string
- description = "Password for Windows admin account. Password must have 3 of the following: 1 lower case character, 1 upper case character, 1 number, and 1 special character. The value must be between 12 and 123 characters long."
- default = "ArcPassword123!!"
- sensitive = true
-}
-
-variable "client_admin_ssh" {
- type = string
- description = "SSH Key for the Linux VM's."
- sensitive = true
-}
-
-variable "deploy_bastion" {
- type = bool
- description = "Choice to deploy Azure Bastion"
- default = false
-}
-
-variable "addsDomainName" {
- type = string
- description = "Active directory domain services domain name"
- default = "jumpstart.local"
-}
-
-### This should be swapped to a lower-case value to avoid case sensitivity ###
-variable "deployment_flavor" {
- type = string
- description = "The flavor of ArcBox you want to deploy. Valid values are: 'Full', 'ITPro', or 'DevOps'."
- default = "ITPro"
-
- validation {
- condition = contains(["ITPro", "DevOps", "DataOps"], var.deployment_flavor)
- error_message = "Valid options for Deployment Flavor: 'Full', 'ITPro', 'DevOps' and 'DataOps'."
- } -} -############################################################################## - -locals { - template_base_url = "https://raw.githubusercontent.com/${var.github_repo}/azure_arc/${var.github_branch}/azure_jumpstart_arcbox/" - capi_arc_data_cluster_name = "ArcBox-CAPI-Data" - k3s_arc_data_cluster_name = var.rancher_vm_name - aks_arc_data_cluster_name = "ArcBox-AKS-Data" - aks_dr_arc_data_cluster_name = "ArcBox-AKS-DR-Data" -} - -resource "random_string" "guid" { - length = 4 - special = false -} - -resource "azurerm_resource_group" "rg" { - name = var.resource_group_name - location = var.azure_location -} - -module "management_storage" { - source = "./modules/mgmt/mgmtStorage" - - resource_group_name = azurerm_resource_group.rg.name - - depends_on = [azurerm_resource_group.rg] -} - -module "management_artifacts" { - source = "./modules/mgmt/mgmtArtifacts" - - resource_group_name = azurerm_resource_group.rg.name - spn_client_id = var.spn_client_id - virtual_network_name = var.virtual_network_name - subnet_name = var.subnet_name - workspace_name = var.workspace_name - deploy_bastion = var.deploy_bastion - deployment_flavor = var.deployment_flavor - depends_on = [azurerm_resource_group.rg] -} - -module "management_policy" { - source = "./modules/mgmt/mgmtPolicy" - - resource_group_name = azurerm_resource_group.rg.name - workspace_name = var.workspace_name - workspace_id = module.management_artifacts.workspace_id - deployment_flavor = var.deployment_flavor - - depends_on = [azurerm_resource_group.rg] -} - -module "client_vm" { - source = "./modules/clientVm" - - resource_group_name = azurerm_resource_group.rg.name - vm_name = var.client_vm_name - virtual_network_name = var.virtual_network_name - subnet_name = var.subnet_name - template_base_url = local.template_base_url - storage_account_name = module.management_storage.storage_account_name - workspace_name = var.workspace_name - spn_client_id = var.spn_client_id - spn_client_secret = var.spn_client_secret - 
spn_tenant_id = var.spn_tenant_id - deployment_flavor = var.deployment_flavor - admin_username = var.client_admin_username - admin_password = var.client_admin_password - github_username = var.github_username - github_repo = var.github_repo - github_branch = var.github_branch - deploy_bastion = var.deploy_bastion - capi_arc_data_cluster_name = "${local.capi_arc_data_cluster_name}-${random_string.guid.result}" - k3s_arc_cluster_name = "${local.k3s_arc_data_cluster_name}-${random_string.guid.result}" - aks_arc_data_cluster_name = "${local.aks_arc_data_cluster_name}-${random_string.guid.result}" - aks_dr_arc_data_cluster_name = "${local.aks_dr_arc_data_cluster_name}-${random_string.guid.result}" - - depends_on = [ - azurerm_resource_group.rg, - module.management_artifacts, - module.management_storage, - random_string.guid, - module.adds_vm - ] -} - -module "adds_vm" { - source = "./modules/mgmt/addsVM" - count = var.deployment_flavor == "DataOps" ? 1 : 0 - resource_group_name = azurerm_resource_group.rg.name - adds_Domain_Name = var.addsDomainName - deploy_bastion = var.deploy_bastion - windows_Admin_Username = var.client_admin_username - windows_Admin_password = var.client_admin_password - template_base_url = local.template_base_url - depends_on = [ - azurerm_resource_group.rg, - module.management_artifacts, - module.management_storage - ] -} - -module "capi_vm" { - source = "./modules/kubernetes/ubuntuCapi" - count = contains(["DevOps", "DataOps"], var.deployment_flavor) ? 
1 : 0 - - resource_group_name = azurerm_resource_group.rg.name - vm_name = var.capi_vm_name - virtual_network_name = var.virtual_network_name - subnet_name = var.subnet_name - template_base_url = local.template_base_url - storage_account_name = module.management_storage.storage_account_name - spn_client_id = var.spn_client_id - spn_client_secret = var.spn_client_secret - spn_tenant_id = var.spn_tenant_id - admin_username = var.client_admin_username - admin_ssh_key = var.client_admin_ssh - workspace_name = var.workspace_name - deploy_bastion = var.deploy_bastion - deployment_flavor = var.deployment_flavor - capi_arc_data_cluster_name = "${local.capi_arc_data_cluster_name}-${random_string.guid.result}" - - depends_on = [ - azurerm_resource_group.rg, - module.management_artifacts, - module.management_storage, - random_string.guid, - module.adds_vm - ] -} - -module "rancher_vm" { - source = "./modules/kubernetes/ubuntuRancher" - count = contains(["DevOps"], var.deployment_flavor) ? 1 : 0 - - resource_group_name = azurerm_resource_group.rg.name - vm_name = "${local.k3s_arc_data_cluster_name}-${random_string.guid.result}" - virtual_network_name = var.virtual_network_name - subnet_name = var.subnet_name - template_base_url = local.template_base_url - storage_account_name = module.management_storage.storage_account_name - spn_client_id = var.spn_client_id - spn_client_secret = var.spn_client_secret - spn_tenant_id = var.spn_tenant_id - admin_username = var.client_admin_username - admin_ssh_key = var.client_admin_ssh - workspace_name = var.workspace_name - deploy_bastion = var.deploy_bastion - - depends_on = [ - azurerm_resource_group.rg, - module.management_artifacts, - module.management_storage, - random_string.guid - ] -} - -module "aks_clusters" { - source = "./modules/kubernetes/aks" - count = var.deployment_flavor == "DataOps" ? 
1 : 0 - - resource_group_name = azurerm_resource_group.rg.name - spn_client_id = var.spn_client_id - spn_client_secret = var.spn_client_secret - spn_tenant_id = var.spn_tenant_id - ssh_rsa_public_key = var.client_admin_ssh - aks_cluster_name = "${local.aks_arc_data_cluster_name}-${random_string.guid.result}" - aks_dr_cluster_name = "${local.aks_dr_arc_data_cluster_name}-${random_string.guid.result}" - - depends_on = [ - azurerm_resource_group.rg, - module.management_artifacts, - module.management_storage, - module.adds_vm - ] -} - -output "clientVmLogonUserName" { - value = var.deployment_flavor == "DataOps" ? "${var.client_admin_username}@${var.addsDomainName}" : null -} diff --git a/azure_jumpstart_arcbox/terraform/modules/clientVm/main.tf b/azure_jumpstart_arcbox/terraform/modules/clientVm/main.tf deleted file mode 100644 index 3280856a15..0000000000 --- a/azure_jumpstart_arcbox/terraform/modules/clientVm/main.tf +++ /dev/null 
@@ -1,291 +0,0 @@
-variable "resource_group_name" {
- type = string
- description = "Azure Resource Group"
-}
-
-variable "vm_name" {
- type = string
- description = "The name of the client virtual machine."
-}
-
-variable "capi_arc_data_cluster_name" {
- type = string
- description = "The name of the CAPI cluster"
- default = "ArcBox-CAPI-Data"
-}
-
-variable "k3s_arc_cluster_name" {
- type = string
- description = "The name of the K3s cluster"
- default = "ArcBox-K3s"
-}
-
-variable "aks_arc_data_cluster_name" {
- type = string
- description = "The name of the AKS cluster"
- default = "ArcBox-AKS-Data"
-}
-
-variable "aks_dr_arc_data_cluster_name" {
- type = string
- description = "The name of the AKS cluster"
- default = "ArcBox-AKS-DR-Data"
-}
-
-variable "os_sku" {
- type = string
- description = "The Windows version for the client VM."
- default = "2022-datacenter-g2"
-}
-
-variable "admin_username" {
- type = string
- description = "Username for the Windows client virtual machine."
-}
-
-variable "admin_password" {
- type = string
- description = "Password for Windows admin account. Password must have 3 of the following: 1 lower case character, 1 upper case character, 1 number, and 1 special character. The value must be between 12 and 123 characters long."
- sensitive = true
-}
-
-variable "virtual_network_name" {
- type = string
- description = "ArcBox vNET name."
-}
-
-variable "subnet_name" {
- type = string
- description = "ArcBox subnet name."
-}
-
-variable "template_base_url" {
- type = string
- description = "Base URL for the GitHub repo where the ArcBox artifacts are located."
-}
-
-variable "data_controller_username" {
- type = string
- description = "Arc Data Controller user name."
- default = "arcdemo"
-}
-
-variable "data_controller_password" {
- type = string
- description = "Arc Data Controller password"
- default = "ArcPassword123!!"
- sensitive = true
-}
-
-variable "accept_eula" {
- type = string
- description = "Accept EULA for all ArcBox scripts."
- default = "yes"
-}
-
-variable "storage_account_name" {
- type = string
- description = "Name for the staging storage account used to hold kubeconfig."
-}
-
-variable "workspace_name" {
- type = string
- description = "Log Analytics workspace name."
-}
-
-variable "spn_client_id" {
- type = string
- description = "Arc Service Principal clientID."
-}
-
-variable "spn_client_secret" {
- type = string
- description = "Arc Service Principal client secret."
- sensitive = true
-}
-
-variable "spn_tenant_id" {
- type = string
- description = "Arc Service Principal tenantID."
-}
-
-variable "deployment_flavor" {
- type = string
- description = "The flavor of ArcBox you want to deploy. Valid values are: 'Full', 'ITPro', 'DevOps' and 'DataOps'."
-}
-
-variable "github_username" {
- type = string
- description = "Specify a GitHub username for ArcBox DevOps"
- default = "microsoft"
-}
-
-variable "github_repo" {
- type = string
- description = "Specify a GitHub repo (used for testing purposes)"
-}
-
-variable "github_branch" {
- type = string
- description = "Specify a GitHub branch (used for testing purposes)"
-}
-
-variable "trigger_at_logon" {
- type = bool
- description = "Whether or not the automation scripts will trigger at log on, or at startup. True for AtLogon, False for AtStartup."
- default = true -} - -variable "deploy_bastion" { - type = bool - description = "Choice to deploy Bastion to connect to the client VM" - default = false -} - -### THESE ARE LEGACY VARIABLES FOR BACKWARDS COMPATIBILITY WITH LEGACY SCRIPT FUNCTIONS ### - -variable "spn_authority" { - type = string - description = "Authority for Service Principal authentication" - default = "https://login.microsoftonline.com" -} - -variable "registry_username" { - type = string - description = "Registry username" - default = "registryUser" -} - -variable "registry_password" { - type = string - description = "Registry password" - default = "registrySecret" - sensitive = true -} - -variable "data_controller_name" { - type = string - description = "Arc Data Controller name." - default = "arcdatactrl" -} - -variable "sql_mi_name" { - type = string - description = "Arc Data Controller name." - default = "arcdatactrl" -} - -variable "postgres_name" { - type = string - description = "Name of PostgreSQL server group." - default = "arcpg" -} - -variable "postgres_worker_node_count" { - type = number - description = "Number of PostgreSQL worker nodes." - default = 3 -} - -variable "postgres_data_size" { - type = number - description = "Size of data volumes in MB." - default = 1024 -} - -variable "postgres_service_type" { - type = string - description = "How PostgreSQL service is accessed through Kubernetes CNI." - default = "LoadBalancer" -} -########################################################################################### - -locals { - bastion_name = "ArcBox-Bastion" - public_ip_name = var.deploy_bastion == false ? 
"${var.vm_name}-PIP" : "${local.bastion_name}-PIP" - network_interface_name = "${var.vm_name}-NIC" - bastionSubnetIpPrefix = "172.16.3.64/26" -} - -data "azurerm_subscription" "primary" { -} - -data "azurerm_resource_group" "rg" { - name = var.resource_group_name -} - -data "azurerm_subnet" "subnet" { - name = var.subnet_name - virtual_network_name = var.virtual_network_name - resource_group_name = data.azurerm_resource_group.rg.name -} - -resource "azurerm_public_ip" "pip" { - count = var.deploy_bastion == false ? 1: 0 - name = local.public_ip_name - resource_group_name = data.azurerm_resource_group.rg.name - location = data.azurerm_resource_group.rg.location - allocation_method = "Static" -} - -resource "azurerm_network_interface" "nic" { - name = local.network_interface_name - location = data.azurerm_resource_group.rg.location - resource_group_name = data.azurerm_resource_group.rg.name - - ip_configuration { - name = "ipconfig1" - subnet_id = data.azurerm_subnet.subnet.id - private_ip_address_allocation = "Dynamic" - public_ip_address_id = var.deploy_bastion == false ? azurerm_public_ip.pip[0].id : null - } -} -resource "azurerm_virtual_machine" "client" { - name = var.vm_name - location = data.azurerm_resource_group.rg.location - resource_group_name = data.azurerm_resource_group.rg.name - network_interface_ids = [ azurerm_network_interface.nic.id ] - vm_size = var.deployment_flavor == "DevOps" ? "Standard_B4ms" : var.deployment_flavor == "DataOps" ? 
"Standard_D8s_v4" : "Standard_D16s_v4" - - - storage_image_reference { - publisher = "MicrosoftWindowsServer" - offer = "WindowsServer" - sku = var.os_sku - version = "latest" - } - storage_os_disk { - name = "${var.vm_name}-OS_Disk" - caching = "ReadWrite" - create_option = "FromImage" - managed_disk_type = "Premium_LRS" - disk_size_gb = 1024 - } - os_profile { - computer_name = var.vm_name - admin_username = var.admin_username - admin_password = var.admin_password - } - os_profile_windows_config { - provision_vm_agent = true - enable_automatic_upgrades = false - } -} - -resource "azurerm_virtual_machine_extension" "custom_script" { - name = var.vm_name - virtual_machine_id = azurerm_virtual_machine.client.id - publisher = "Microsoft.Compute" - type = "CustomScriptExtension" - type_handler_version = "1.10" - auto_upgrade_minor_version = true - - settings = < v - if contains(v.flavor, var.deployment_flavor) - } - solution_name = each.value.name - location = data.azurerm_resource_group.rg.location - resource_group_name = data.azurerm_resource_group.rg.name - workspace_resource_id = azurerm_log_analytics_workspace.workspace.id - workspace_name = azurerm_log_analytics_workspace.workspace.name - - plan { - publisher = "Microsoft" - product = "OMSGallery/${each.value.name}" - } -} - -resource "azurerm_public_ip" "publicIpAddress" { - count = var.deploy_bastion == true ? 1 : 0 - resource_group_name = data.azurerm_resource_group.rg.name - name = local.bastionPublicIpAddressName - location = data.azurerm_resource_group.rg.location - allocation_method = "Static" - ip_version = "IPv4" - idle_timeout_in_minutes = 4 - sku = "Standard" - -} - -resource "azurerm_bastion_host" "bastionHost" { - name = local.bastionName - location = data.azurerm_resource_group.rg.location - resource_group_name = data.azurerm_resource_group.rg.name - count = var.deploy_bastion == true ? 
1 : 0 - depends_on = [ - azurerm_public_ip.publicIpAddress - ] - ip_configuration { - name = "IpConf" - public_ip_address_id = azurerm_public_ip.publicIpAddress[0].id - subnet_id = azurerm_subnet.AzureBastionSubnet[0].id - } - -} - -output "workspace_id" { - value = azurerm_log_analytics_workspace.workspace.id -} diff --git a/azure_jumpstart_arcbox/terraform/modules/mgmt/mgmtPolicy/main.tf b/azure_jumpstart_arcbox/terraform/modules/mgmt/mgmtPolicy/main.tf deleted file mode 100644 index 7f5fc22907..0000000000 --- a/azure_jumpstart_arcbox/terraform/modules/mgmt/mgmtPolicy/main.tf +++ /dev/null 
@@ -1,103 +0,0 @@ -variable "resource_group_name" { - type = string - description = "Azure Resource Group" -} - -variable "workspace_name" { - type = string - description = "Log Analytics workspace name." -} - -variable "workspace_id" { - type = string - description = "Log Analytics workspace id." -} - -variable "deployment_flavor" { - type = string - description = "The flavor of ArcBox you want to deploy. Valid values are: 'Full', 'ITPro', and 'DevOps'." -} - -locals { - policies = [ - { - name = "(ArcBox) Enable Azure Monitor for Hybrid VMs with AMA" - id = "/providers/Microsoft.Authorization/policySetDefinitions/59e9c3eb-d8df-473b-8059-23fd38ddd0f0" - params = { "logAnalyticsWorkspace": { "value": "${var.workspace_id}" }} - role = [ "Log Analytics Contributor", "Azure Connected Machine Resource Administrator", "Monitoring Contributor" ] - flavor = ["ITPro" ] - }, - { - name = "(ArcBox) Tag resources" - id = "/providers/Microsoft.Authorization/policyDefinitions/4f9dc7db-30c1-420c-b61a-e1d640128d26" - params = { "tagName": { "value": "project" }, "tagValue": { "value": "jumpstart_arcbox" }} - role = "Tag Contributor" - flavor = [ "DevOps", "ITPro" , "DataOps" ] - }, - { - name = "(ArcBox) Enable Azure Defender on Kubernetes clusters" - id = "/providers/Microsoft.Authorization/policyDefinitions/708b60a6-d253-4fe0-9114-4be4c00f012c" - params = {} - role = "Log Analytics Contributor" - flavor = [ "DevOps" ] - } - ] -} - -data "azurerm_subscription" "primary" { -} - -data "azurerm_resource_group" "rg" { - name = var.resource_group_name -} - -resource "azurerm_resource_group_policy_assignment" "policies" { - for_each = { for i, v in local.policies: i => v - if contains(v.flavor, var.deployment_flavor) - } - name = each.value.name - location = data.azurerm_resource_group.rg.location - resource_group_id = data.azurerm_resource_group.rg.id - policy_definition_id = each.value.id - identity { - type = "SystemAssigned" - } - parameters = <