Merge pull request #1 from JinLee794/feature/zel-vm

Feature/zel vm

.github/CODEOWNERS

@@ -0,0 +1,8 @@
+# This is a comment.
+# Each line is a file pattern followed by one or more owners.
+
+# These owners will be the default owners for everything in
+# the repo. Unless a later match takes precedence,
+# @global-owner1 and @global-owner2 will be requested for
+# review when someone opens a pull request.
+*       @JinLee794

.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,26 @@
+---
+name: Bug report
+about: Create a report to help us improve
+title: "[BUG] "
+labels: "bug"
+assignees: unfor19
+---
+
+**Description of the bug**
+A clear and concise description of what the bug is.
+
+**How To Reproduce**
+Steps to reproduce the behavior:
+
+1. Go to '...'
+1. Execute this '....'
+1. See error
+
+**Expected behavior**
+A clear and concise description of what you expected to happen.
+
+**Screenshots**
+If applicable, add screenshots to help explain your problem.
+
+**Additional context**
+Add any other context about the problem here.

.github/ISSUE_TEMPLATE/enhancement.md

@@ -0,0 +1,19 @@
+---
+name: Enhancement
+about: Suggest an idea for this project
+title: "[ENHANCEMENT] "
+labels: "enhancement"
+assignees: unfor19
+---
+
+**Description**
+A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
+
+**Possible solution**
+A clear and concise description of what you want to happen.
+
+**Alternatives**
+A clear and concise description of any alternative solutions or features you've considered.
+
+**Additional context**
+Add any other context or screenshots about the feature request here.

.github/ISSUE_TEMPLATE/question.md

@@ -0,0 +1,7 @@
+---
+name: Question
+about: Ask anything!
+title: "[QUESTION] "
+labels: "question"
+assignees: unfor19
+---

.pre-commit-config.yaml

@@ -7,12 +7,21 @@ repos:
       - id: detect-private-key
       - id: end-of-file-fixer
 
-  - repo: https://github.com/gruntwork-io/pre-commit
-    rev: v0.1.17
+  # - repo: https://github.com/gruntwork-io/pre-commit
+  - repo: https://github.com/antonbabenko/pre-commit-terraform
+    rev: v1.64.1
     hooks:
-      # - id: terraform-fmt
-      # - id: terraform-validate
-      - id: tflint
+      - id: terraform_fmt
+        description: runs terraform fmt
+        entry: terraform fmt -recursive
+        language: system
+        pass_filenames: false
+      - id: terraform_validate
+      - id: terraform_tflint
+      - id: terrascan
+        args:
+          - --args=--non-recursive # avoids scan errors on subdirectories without Terraform config files
+          - --args=--policy-type=azure
 
   - repo: https://github.com/Yelp/detect-secrets
     rev: v0.13.1

Azure/linux-virtual-machine/main.tf

@@ -1,11 +1,16 @@
-// data "azurerm_subnet" "this" {
-//   name                 = var.subnet_name
-//   virtual_network_name = "production"
-//   resource_group_name  = "networking"
-// }
+data "azurerm_key_vault" "this" {
+  name                = var.key_vault_name
+  resource_group_name = var.key_vault_resource_group_name
+}
+
+data "azurerm_key_vault_secret" "ssh_pub_key" {
+  name         = var.ssh_public_key_name
+  key_vault_id = data.azurerm_key_vault.this.id
+}
+
 
 resource "azurerm_network_interface" "this" {
-  name                = "${var.name}-eni"
+  name                = var.env == "dev" ? "${var.name}-eni" : "${var.env}-${var.name}-eni"
   location            = var.location
   resource_group_name = var.resource_group_name
 
@@ -17,22 +22,24 @@ resource "azurerm_network_interface" "this" {
 }
 
 resource "azurerm_linux_virtual_machine" "this" {
-  name                            = var.name
-  location                        = var.location
-  resource_group_name             = var.resource_group_name
-  admin_password                  = var.admin_password
+  name                = var.name
+  location            = var.location
+  resource_group_name = var.resource_group_name
+  availability_set_id = var.availability_set_id
+
   disable_password_authentication = false
-  // admin_ssh_key {
-  //   username   = var.admin_username
-  //   public_key = file(var.ssh_public_key)
-  // }
 
   size           = var.size
   admin_username = var.admin_username
   network_interface_ids = [
     azurerm_network_interface.this.id,
   ]
 
+  admin_ssh_key {
+    username   = var.admin_username
+    public_key = data.azurerm_key_vault_secret.ssh_pub_key.value
+  }
+
   os_disk {
     caching              = "ReadWrite"
     storage_account_type = "Standard_LRS"
@@ -45,5 +52,10 @@ resource "azurerm_linux_virtual_machine" "this" {
     version   = var.source_image_reference["version"]
   }
 
+  # Custom images from SIG
+  // storage_image_reference {
+  //   id = "<ID of Image>"
+  // }
+
   tags = var.tags
 }

Azure/linux-virtual-machine/variables.tf

@@ -4,24 +4,53 @@ variable "name" {
   default     = ""
 }
 
+variable "env" {
+  description = "Environment code. Accepted values of 'dev', 'uat', 'qa', 'prod'."
+  type        = string
+
+  validation {
+    condition     = contains(["dev", "uat", "qa", "prod"], var.env)
+    error_message = "Invalid environment provided. Accepted values are: 'dev', 'uat', 'qa', 'prod'."
+  }
+}
+
+variable "availability_set_id" {
+  description = "(Optional) The ID of the Availability Set in which the Virtual Machine should exist. Changing this forces a new resource to be created."
+  type        = string
+  default     = null
+}
+
 variable "size" {
   description = "Size of the VM"
   type        = string
-  default     = ""
+
+  # Allow only D, E, and F-series VMs
+  validation {
+    condition = can(regex(
+      "^Standard_[DEF][a-z0-9_-]+",
+      var.size
+    ))
+    error_message = "The VM 'size' value must be of type D, E, or F. e.g (Standard_Dsv3)."
+  }
 }
 
 variable "admin_username" {
   description = "Name for admin account to initialize the vm with."
   type        = string
-  default     = ""
 }
-variable "admin_password" {
-  description = "Password for admin account to initialize the vm with."
+
+variable "key_vault_name" {
+  description = "Name of the keyvault that holds vm secrets."
   type        = string
 }
 
-variable "ssh_public_key" {
-  description = "Local path to public key"
+variable "key_vault_resource_group_name" {
+  description = "Name of the keyvault resource group."
+  type        = string
+}
+
+variable "ssh_public_key_name" {
+  description = "Name of the secret that holds the public ssh key inside the keyvault."
   type        = string
   default     = ""
 }
@@ -37,6 +66,12 @@ variable "source_image_reference" {
   default = null
 }
 
+variable "source_image_id" {
+  type        = string
+  description = "(Optional) The ID of the Image which this Virtual Machine should be created from. Changing this forces a new resource to be created."
+  default     = ""
+}
+
 variable "resource_group_name" {
   type        = string
   description = "Name of an existing resource group to deply the virtual network into."
@@ -53,8 +88,14 @@ variable "subnet_id" {
   description = "Subnet ID"
 }
 
+# If attempting enforce tagging, see source_image_reference (line 54) variable to see how
 variable "tags" {
-  type        = map(any)
-  description = "Map of key value pairs for the resource tagging. Default: none."
-  default     = {}
+  description = "Pre-formatted tags to apply toe the VM. See https://docs.microsoft.com/en-us/azure/virtual-machines/linux/using-tags for more information."
+  type = object({
+    BusinessUnit        = string
+    OperationsTeam      = string
+    BusinessCriticality = string
+    DataClassification  = string
+    WorkloadName        = string
+  })
 }

Azure/network-security-group/main.tf

@@ -15,19 +15,19 @@ resource "azurerm_network_security_group" "nsg" {
 
 resource "azurerm_network_security_rule" "predefined_rules" {
   count                                      = length(var.predefined_rules)
-  name                                       = lookup(var.predefined_rules[count.index], "name")
-  priority                                   = lookup(var.predefined_rules[count.index], "priority", 4096 - length(var.predefined_rules) + count.index)
-  direction                                  = element(var.rules[lookup(var.predefined_rules[count.index], "name")], 0)
-  access                                     = element(var.rules[lookup(var.predefined_rules[count.index], "name")], 1)
-  protocol                                   = element(var.rules[lookup(var.predefined_rules[count.index], "name")], 2)
+  name                                       = lookup(var.predefined_rules[count.index], "name", "default_rule_name")
+  priority                                   = lookup(var.predefined_rules[count.index], "priority")
+  direction                                  = lookup(var.predefined_rules[count.index], "direction", "Any")
+  access                                     = lookup(var.predefined_rules[count.index], "access", "Allow")
+  protocol                                   = lookup(var.predefined_rules[count.index], "protocol", "*")
   source_port_range                          = lookup(var.predefined_rules[count.index], "source_port_range", "*") == "*" ? "*" : null
   source_port_ranges                         = lookup(var.predefined_rules[count.index], "source_port_range", "*") == "*" ? null : split(",", var.predefined_rules[count.index].source_port_range)
-  destination_port_range                     = element(var.rules[lookup(var.predefined_rules[count.index], "name")], 4)
-  description                                = element(var.rules[lookup(var.predefined_rules[count.index], "name")], 5)
-  source_address_prefix                      = lookup(var.predefined_rules[count.index], "source_application_security_group_ids", null) == null && var.source_address_prefixes == null ? join(",", var.source_address_prefix) : null
-  source_address_prefixes                    = lookup(var.predefined_rules[count.index], "source_application_security_group_ids", null) == null ? var.source_address_prefixes : null
-  destination_address_prefix                 = lookup(var.predefined_rules[count.index], "destination_application_security_group_ids", null) == null && var.destination_address_prefixes == null ? join(",", var.destination_address_prefix) : null
-  destination_address_prefixes               = lookup(var.predefined_rules[count.index], "destination_application_security_group_ids", null) == null ? var.destination_address_prefixes : null
+  destination_port_ranges                    = split(",", replace(lookup(var.predefined_rules[count.index], "destination_port_range", "*"), "*", "0-65535"))
+  source_address_prefix                      = lookup(var.predefined_rules[count.index], "source_application_security_group_ids", null) == null && lookup(var.predefined_rules[count.index], "source_address_prefixes", null) == null ? lookup(var.predefined_rules[count.index], "source_address_prefix", "*") : null
+  source_address_prefixes                    = lookup(var.predefined_rules[count.index], "source_application_security_group_ids", null) == null ? lookup(var.predefined_rules[count.index], "source_address_prefixes", null) : null
+  destination_address_prefix                 = lookup(var.predefined_rules[count.index], "destination_application_security_group_ids", null) == null && lookup(var.predefined_rules[count.index], "destination_address_prefixes", null) == null ? lookup(var.predefined_rules[count.index], "destination_address_prefix", "*") : null
+  destination_address_prefixes               = lookup(var.predefined_rules[count.index], "destination_application_security_group_ids", null) == null ? lookup(var.predefined_rules[count.index], "destination_address_prefixes", null) : null
+  description                                = lookup(var.predefined_rules[count.index], "description", "Security rule for ${lookup(var.predefined_rules[count.index], "name", "default_rule_name")}")
   resource_group_name                        = data.azurerm_resource_group.nsg.name
   network_security_group_name                = azurerm_network_security_group.nsg.name
   source_application_security_group_ids      = lookup(var.predefined_rules[count.index], "source_application_security_group_ids", null)

Azure/resource-group/main.tf

@@ -10,3 +10,88 @@ resource "azurerm_resource_group" "this" {
 
   tags = var.tags
 }
+
+# WIP - Policy to ensure all child elements under the RG share certain tags
+// resource "azurerm_policy_definition" "policy" {
+//   name         = "InheritResourceGroupTags"
+//   policy_type  = "Custom"
+//   mode         = "Indexed"
+//   display_name = "acceptance test policy definition"
+
+//   metadata = <<METADATA
+//     {
+//     "category": "General"
+//     }
+
+// METADATA
+//   parameters = <<PARAMETERS
+//     {
+//     "tags": {
+//         "type": "Array",
+//         "metadata": {
+//             "description": "The list of tags to be applied to the resource(s).",
+//             "displayName": "Tags",
+//             "strongType": "string"
+//         }
+//         "allowedValues": [
+//           ${join(", ", var.tags.keys()}}
+//         ]
+//     }
+//   }
+// PARAMETERS
+
+//   policy_rule = <<POLICY_RULE
+//     {
+//       "if": {
+//         "anyOf": [
+//           {
+//             "field": "[concat('tags[', parameters('tagName1'), ']')]",
+//             "exists": "false"
+//           },
+//           {
+//             "field": "[concat('tags[', parameters('tagName2'), ']')]",
+//             "exists": "false"
+//           },
+//           {
+//             "field": "[concat('tags[', parameters('tagName3'), ']')]",
+//             "exists": "false"
+//           },
+//           {
+//             "field": "[concat('tags[', parameters('tagName4'), ']')]",
+//             "exists": "false"
+//           }
+//         ]
+//       },
+//       "then": {
+//         "effect": "modify",
+//           "details": {
+//             "roleDefinitionIds": [
+//               "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
+//             ],
+//             "operations": [
+//               {
+//                 "operation": "addOrReplace",
+//                 "field": "[concat('tags[', parameters('tagName'), ']')]",
+//                 "value": "[resourceGroup().tags[parameters('tagName')]]"
+//               }
+//             ]
+//           }
+//         }
+//       }
+// POLICY_RULE
+
+
+//   parameters = <<PARAMETERS
+//     {
+//     "allowedLocations": {
+//       "type": "Array",
+//       "metadata": {
+//         "description": "The list of allowed locations for resources.",
+//         "displayName": "Allowed locations",
+//         "strongType": "location"
+//       }
+//     }
+//   }
+// PARAMETERS
+
+// }