robinmordasiewicz · robinmordasiewicz · Aug 7, 2024 · Aug 7, 2024
diff --git a/terraform/hub-network.tf b/terraform/hub-network.tf
@@ -12,7 +12,7 @@ resource "azurerm_virtual_network_peering" "hub-to-spoke_virtual_network_peering
   remote_virtual_network_id = azurerm_virtual_network.spoke_virtual_network.id
   allow_forwarded_traffic   = true
   allow_gateway_transit     = true
-  depends_on = [azurerm_virtual_network.hub_virtual_network,azurerm_virtual_network.spoke_virtual_network]
+  depends_on                = [azurerm_virtual_network.hub_virtual_network, azurerm_virtual_network.spoke_virtual_network]
 }
 
 resource "azurerm_subnet" "hub-external_subnet" {
@@ -100,27 +100,27 @@ resource "azurerm_network_security_group" "hub-internal_network_security_group"
     destination_address_prefix = "*"
   }
   security_rule {
-    name                       = "icmp_to_google-dns_rule"
-    priority                   = 101
-    direction                  = "Inbound"
-    access                     = "Allow"
-    protocol                   = "Icmp"
-    source_port_range          = "*"
-    destination_port_range     = "*"
+    name                   = "icmp_to_google-dns_rule"
+    priority               = 101
+    direction              = "Inbound"
+    access                 = "Allow"
+    protocol               = "Icmp"
+    source_port_range      = "*"
+    destination_port_range = "*"
     #source_address_prefix      = var.spoke-aks-node-ip
-    source_address_prefix      = "*"
+    source_address_prefix = "*"
     #destination_address_prefix = var.spoke-check-internet-up-ip
     destination_address_prefix = "*"
   }
   security_rule {
-    name                       = "outbound-http_rule"
-    priority                   = 102
-    direction                  = "Outbound"
-    access                     = "Allow"
-    protocol                   = "Tcp"
-    source_port_range          = "*"
-    destination_port_ranges    = ["80", "81"]
-    source_address_prefix      = "*"
+    name                    = "outbound-http_rule"
+    priority                = 102
+    direction               = "Outbound"
+    access                  = "Allow"
+    protocol                = "Tcp"
+    source_port_range       = "*"
+    destination_port_ranges = ["80", "81"]
+    source_address_prefix   = "*"
     #destination_address_prefix = var.spoke-aks-node-ip
     destination_address_prefix = "*"
   }
@@ -150,7 +150,7 @@ resource "azurerm_public_ip" "hub-nva-vip_public_ip" {
 }
 
 output "etc_host" {
-  value = "sudo sh -c 'echo ${azurerm_public_ip.hub-nva-vip_public_ip.ip_address} www.bankexample.com >> /etc/hosts'"
+  value       = "sudo sh -c 'echo ${azurerm_public_ip.hub-nva-vip_public_ip.ip_address} www.bankexample.com >> /etc/hosts'"
   description = "The public IP address of the hub NVA."
 }
 

diff --git a/terraform/hub-nva.tf b/terraform/hub-nva.tf
@@ -93,3 +93,19 @@ resource "azurerm_linux_virtual_machine" "hub-nva_virtual_machine" {
     )
   )
 }
+
+resource "azurerm_managed_disk" "disk" {
+  name                 = "hub-nva-disk1"
+  location             = azurerm_resource_group.azure_resource_group.location
+  resource_group_name  = azurerm_resource_group.azure_resource_group.name
+  storage_account_type = "Standard_LRS"
+  create_option        = "Empty"
+  disk_size_gb         = 10
+}
+
+resource "azurerm_virtual_machine_data_disk_attachment" "example" {
+  managed_disk_id    = azurerm_managed_disk.disk.id
+  virtual_machine_id = azurerm_linux_virtual_machine.hub-nva_virtual_machine.id
+  lun                = "0"
+  caching            = "ReadWrite"
+}
diff --git a/terraform/locals.tf b/terraform/locals.tf
@@ -25,8 +25,8 @@ locals {
       publisher       = "fortinet"
       offer           = "fortinet_fortiweb-vm_v5"
       size            = "Standard_F16s_v2"
-      version         = "7.2.4"
-      sku             = "fortinet_fw-vm"
+      version         = "latest"
+      sku             = "fortinet_fw-vm_payg_v3"
       management-port = "8443"
       terms           = true
     },
@@ -47,7 +47,7 @@ locals {
       publisher = ""
       size      = "Standard_B4ms"
       #gpu-size  = "Standard_NC6s_v3" #16GB
-      gpu-size      = "Standard_NC24s_v3"
+      gpu-size = "Standard_NC24s_v3"
       #gpu-size      = "Standard_NC4as_T4_v3" # 16GB
       #gpu-size      = "Standard_ND40rs_v2" # 32 GB vlink
       #gpu-size      = "Standard_NC24ads_A100_v4" # 80GB - not supported by azure-linux

diff --git a/terraform/main.tf b/terraform/main.tf
@@ -17,7 +17,7 @@ data "external" "tenant_default_domain" {
 }
 
 output "resource_group_url" {
-  value = "https://portal.azure.com/#@${data.external.tenant_default_domain.result["tenantDefaultDomain"]}/resource${azurerm_resource_group.azure_resource_group.id}"
+  value       = "https://portal.azure.com/#@${data.external.tenant_default_domain.result["tenantDefaultDomain"]}/resource${azurerm_resource_group.azure_resource_group.id}"
   description = "URL to access the Azure Resource Group in the Azure Portal"
 }
 

diff --git a/terraform/spoke-k8s_cluster.tf b/terraform/spoke-k8s_cluster.tf
@@ -20,21 +20,21 @@ resource "azurerm_user_assigned_identity" "my_identity" {
   location            = azurerm_resource_group.azure_resource_group.location
 }
 resource "azurerm_role_assignment" "kubernetes_contributor" {
-  principal_id   = azurerm_user_assigned_identity.my_identity.principal_id
+  principal_id         = azurerm_user_assigned_identity.my_identity.principal_id
   role_definition_name = "Contributor"
-  scope          = azurerm_resource_group.azure_resource_group.id
+  scope                = azurerm_resource_group.azure_resource_group.id
 }
 resource "azurerm_role_assignment" "route_table_network_contributor" {
-  principal_id   = azurerm_user_assigned_identity.my_identity.principal_id
+  principal_id         = azurerm_user_assigned_identity.my_identity.principal_id
   role_definition_name = "Network Contributor"
-  scope          = azurerm_resource_group.azure_resource_group.id
+  scope                = azurerm_resource_group.azure_resource_group.id
 }
 resource "azurerm_kubernetes_cluster" "kubernetes_cluster" {
-  depends_on                        = [azurerm_virtual_network_peering.spoke-to-hub_virtual_network_peering, azurerm_linux_virtual_machine.hub-nva_virtual_machine]
-  name                              = "spoke_kubernetes_cluster"
-  location                          = azurerm_resource_group.azure_resource_group.location
-  resource_group_name               = azurerm_resource_group.azure_resource_group.name
-  dns_prefix                        = azurerm_resource_group.azure_resource_group.name
+  depends_on          = [azurerm_virtual_network_peering.spoke-to-hub_virtual_network_peering, azurerm_linux_virtual_machine.hub-nva_virtual_machine]
+  name                = "spoke_kubernetes_cluster"
+  location            = azurerm_resource_group.azure_resource_group.location
+  resource_group_name = azurerm_resource_group.azure_resource_group.name
+  dns_prefix          = azurerm_resource_group.azure_resource_group.name
   #kubernetes_version                = data.azurerm_kubernetes_service_versions.current.latest_version
   support_plan                      = "AKSLongTermSupport"
   kubernetes_version                = "1.27"
@@ -72,7 +72,7 @@ resource "azurerm_kubernetes_cluster" "kubernetes_cluster" {
     load_balancer_sku = "standard"
     #service_cidr      = var.spoke-aks-subnet_prefix
     #dns_service_ip    = var.spoke-aks_dns_service_ip
-    pod_cidr         = var.spoke-aks_pod_cidr
+    pod_cidr = var.spoke-aks_pod_cidr
   }
   identity {
     type         = "UserAssigned"
@@ -136,7 +136,7 @@ resource "null_resource" "secret" {
 
   provisioner "local-exec" {
     interpreter = ["bash", "-c"]
-    command = <<-EOF
+    command     = <<-EOF
       kubectl apply -f - <<EOF2
       ---
       apiVersion: v1
@@ -206,14 +206,14 @@ resource "azurerm_kubernetes_flux_configuration" "flux_configuration" {
   depends_on = [
     azurerm_kubernetes_cluster_extension.flux_extension
   ]
-} 
+}
 
 resource "null_resource" "openapi_file" {
-  depends_on = [ azurerm_kubernetes_cluster.kubernetes_cluster ]
+  depends_on = [azurerm_kubernetes_cluster.kubernetes_cluster, azurerm_linux_virtual_machine.hub-nva_virtual_machine]
   provisioner "local-exec" {
     interpreter = ["bash", "-c"]
-    command = <<-EOF
-      curl -k -X POST -H "Content-Type: multipart/form-data" -H "Authorization:eyJ1c2VybmFtZSI6InJlbGV2YW50aG9yc2UiLCJwYXNzd29yZCI6ImZzTlJCQ1NTdjhUYUtzeW4iLCJ2ZG9tIjoicm9vdCJ9Cg==" -F 'openapifile=@petstore.yaml' --insecure "https://relevanthorse-management.canadacentral.cloudapp.azure.com:8443/api/v2.0/waf/openapi.openapischemafile"
+    command     = <<-EOF
+      curl -k -X POST -H "Content-Type: multipart/form-data" -H "Authorization:eyJ1c2VybmFtZSI6InJlbGV2YW50aG9yc2UiLCJwYXNzd29yZCI6ImZzTlJCQ1NTdjhUYUtzeW4iLCJ2ZG9tIjoicm9vdCJ9Cg==" -F 'openapifile=@../manifests/apps/ollama/openapi.yaml' --insecure "https://relevanthorse-management.canadacentral.cloudapp.azure.com:8443/api/v2.0/waf/openapi.openapischemafile"
     EOF
   }
 }

diff --git a/terraform/spoke-network.tf b/terraform/spoke-network.tf
@@ -12,7 +12,7 @@ resource "azurerm_virtual_network_peering" "spoke-to-hub_virtual_network_peering
   remote_virtual_network_id = azurerm_virtual_network.hub_virtual_network.id
   allow_forwarded_traffic   = true
   allow_gateway_transit     = true
-  depends_on = [azurerm_virtual_network.hub_virtual_network,azurerm_virtual_network.spoke_virtual_network]
+  depends_on                = [azurerm_virtual_network.hub_virtual_network, azurerm_virtual_network.spoke_virtual_network]
 }
 
 resource "azurerm_subnet" "spoke_subnet" {
@@ -51,39 +51,39 @@ resource "azurerm_network_security_group" "spoke_network_security_group" {
   location            = azurerm_resource_group.azure_resource_group.location
   resource_group_name = azurerm_resource_group.azure_resource_group.name
   security_rule { #tfsec:ignore:AVD-AZU-0047
-    name                       = "inbound-http_rule"
-    priority                   = 100
-    direction                  = "Inbound"
-    access                     = "Allow"
-    protocol                   = "Tcp"
-    source_port_range          = "*"
+    name              = "inbound-http_rule"
+    priority          = 100
+    direction         = "Inbound"
+    access            = "Allow"
+    protocol          = "Tcp"
+    source_port_range = "*"
     #destination_port_ranges    = var.spoke-aks-node-image-gpu == true ? ["80", "81", "8080", "11434"] : ["80", "81"] #checkov:skip=CKV_AZURE_160: Allow HTTP redirects
-    source_address_prefix      = "*"
+    source_address_prefix = "*"
     #destination_address_prefix = var.spoke-aks-node-ip
-    destination_port_range = "*"
+    destination_port_range     = "*"
     destination_address_prefix = "*"
   }
   security_rule {
-    name                       = "aks-node_to_internet_rule"
-    priority                   = 100
-    direction                  = "Outbound"
-    access                     = "Allow"
-    protocol                   = "Tcp"
-    source_port_range          = "*"
-    destination_port_ranges    = ["80", "443"]
+    name                    = "aks-node_to_internet_rule"
+    priority                = 100
+    direction               = "Outbound"
+    access                  = "Allow"
+    protocol                = "Tcp"
+    source_port_range       = "*"
+    destination_port_ranges = ["80", "443"]
     #source_address_prefix      = var.spoke-aks-node-ip
     #source_address_prefix = var.spoke-subnet_prefix
-    source_address_prefix = "*"
+    source_address_prefix      = "*"
     destination_address_prefix = "*" #tfsec:ignore:AVD-AZU-0051
   }
   security_rule { #tfsec:ignore:AVD-AZU-0051
-    name                       = "icmp_to_google-dns_rule"
-    priority                   = 101
-    direction                  = "Outbound"
-    access                     = "Allow"
-    protocol                   = "Icmp"
-    source_port_range          = "*"
-    destination_port_range     = "*"
+    name                   = "icmp_to_google-dns_rule"
+    priority               = 101
+    direction              = "Outbound"
+    access                 = "Allow"
+    protocol               = "Icmp"
+    source_port_range      = "*"
+    destination_port_range = "*"
     #source_address_prefix      = var.spoke-aks-node-ip
     #source_address_prefix = var.spoke-subnet_prefix
     source_address_prefix = "*"

diff --git a/terraform/variables.tf b/terraform/variables.tf
@@ -296,7 +296,7 @@ variable "spoke-aks_service_cidr" {
   validation {
     condition     = can(regex("^((25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\\.){3}(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])/(3[0-2]|[12]?[0-9])$", var.spoke-aks_service_cidr))
     error_message = "The subnet must be in the format of 'xxx.xxx.xxx.xxx/xx', where xxx is between 0 and 255, and xx is between 0 and 32."
-  } 
+  }
 }
 
 variable "spoke-aks_pod_cidr" {
@@ -306,7 +306,7 @@ variable "spoke-aks_pod_cidr" {
   validation {
     condition     = can(regex("^((25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\\.){3}(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])/(3[0-2]|[12]?[0-9])$", var.spoke-aks_pod_cidr))
     error_message = "The subnet must be in the format of 'xxx.xxx.xxx.xxx/xx', where xxx is between 0 and 255, and xx is between 0 and 32."
-  } 
+  }
 }
 
 variable "spoke-aks_dns_service_ip" {