dev-docs: add on-prem terraform to vpn setup (#2619)

* vpn: add fake-on-prem infra

* dev-docs: move vpn helm

dev-docs/howto/vpn/on-prem-terraform/main.tf

@@ -0,0 +1,294 @@
+terraform {
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = "3.74.0"
+    }
+    random = {
+      source  = "hashicorp/random"
+      version = "3.5.1"
+    }
+  }
+}
+
+provider "azurerm" {
+  features {}
+}
+
+locals {
+  username = "azureadmin"
+}
+
+resource "random_pet" "rg_name" {
+  prefix = var.name_prefix
+}
+
+resource "azurerm_resource_group" "rg" {
+  location = var.resource_group_location
+  name     = random_pet.rg_name.id
+}
+
+# Create virtual network
+resource "azurerm_virtual_network" "network" {
+  name                = "network"
+  address_space       = [var.local_ts]
+  location            = azurerm_resource_group.rg.location
+  resource_group_name = azurerm_resource_group.rg.name
+}
+
+# Create subnet
+resource "azurerm_subnet" "subnet" {
+  name                 = "subnet"
+  resource_group_name  = azurerm_resource_group.rg.name
+  virtual_network_name = azurerm_virtual_network.network.name
+  address_prefixes     = [cidrsubnet(var.local_ts, 8, 0)]
+
+}
+
+resource "tls_private_key" "ssh_key" {
+  algorithm = "RSA"
+  rsa_bits  = 4096
+}
+
+# Create public IPs
+resource "azurerm_public_ip" "pubIP" {
+  name                = "publicIP"
+  location            = azurerm_resource_group.rg.location
+  resource_group_name = azurerm_resource_group.rg.name
+  allocation_method   = "Dynamic"
+}
+
+# Create Network Security Group and rule
+resource "azurerm_network_security_group" "security_group" {
+  name                = "secuityGroup"
+  location            = azurerm_resource_group.rg.location
+  resource_group_name = azurerm_resource_group.rg.name
+
+  security_rule {
+    name                       = "SSH"
+    priority                   = 1001
+    direction                  = "Inbound"
+    access                     = "Allow"
+    protocol                   = "Tcp"
+    source_port_range          = "*"
+    destination_port_range     = "22"
+    source_address_prefix      = "*"
+    destination_address_prefix = "*"
+  }
+  security_rule {
+    name                       = "strongSwan_500"
+    priority                   = 1002
+    direction                  = "Inbound"
+    access                     = "Allow"
+    protocol                   = "Udp"
+    source_port_range          = "*"
+    destination_port_range     = "500"
+    source_address_prefix      = "*"
+    destination_address_prefix = "*"
+  }
+  security_rule {
+    name                       = "strongSwan_4500"
+    priority                   = 1003
+    direction                  = "Inbound"
+    access                     = "Allow"
+    protocol                   = "Udp"
+    source_port_range          = "*"
+    destination_port_range     = "4500"
+    source_address_prefix      = "*"
+    destination_address_prefix = "*"
+  }
+}
+
+resource "azurerm_route_table" "route_table" {
+  name                          = "vpn-routes"
+  location                      = azurerm_resource_group.rg.location
+  resource_group_name           = azurerm_resource_group.rg.name
+  disable_bgp_route_propagation = false
+
+  dynamic "route" {
+    for_each = var.remote_ts
+    content {
+      name                   = "route-${route.key}"
+      address_prefix         = route.value
+      next_hop_type          = "VirtualAppliance"
+      next_hop_in_ip_address = azurerm_network_interface.public_nic.private_ip_address
+    }
+  }
+}
+
+resource "azurerm_subnet_route_table_association" "route_table_association" {
+  subnet_id      = azurerm_subnet.subnet.id
+  route_table_id = azurerm_route_table.route_table.id
+}
+
+
+# Create network interface
+resource "azurerm_network_interface" "public_nic" {
+  name                = "public-nic"
+  location            = azurerm_resource_group.rg.location
+  resource_group_name = azurerm_resource_group.rg.name
+
+  ip_configuration {
+    name                          = "my_nic_configuration"
+    subnet_id                     = azurerm_subnet.subnet.id
+    private_ip_address_allocation = "Dynamic"
+    public_ip_address_id          = azurerm_public_ip.pubIP.id
+  }
+}
+
+# Connect the security group to the network interface
+resource "azurerm_network_interface_security_group_association" "example" {
+  network_interface_id      = azurerm_network_interface.public_nic.id
+  network_security_group_id = azurerm_network_security_group.security_group.id
+}
+
+# Create virtual machine
+resource "azurerm_linux_virtual_machine" "public_vm" {
+  name                  = "public_vm"
+  location              = azurerm_resource_group.rg.location
+  resource_group_name   = azurerm_resource_group.rg.name
+  network_interface_ids = [azurerm_network_interface.public_nic.id]
+  size                  = "Standard_B2ats_v2"
+
+  os_disk {
+    name                 = "disk_public_vm"
+    caching              = "ReadWrite"
+    storage_account_type = "Premium_LRS"
+  }
+
+  source_image_reference {
+    publisher = "Canonical"
+    offer     = "0001-com-ubuntu-server-jammy"
+    sku       = "22_04-lts-gen2"
+    version   = "latest"
+  }
+
+  computer_name  = "hostname"
+  admin_username = local.username
+
+  admin_ssh_key {
+    username   = local.username
+    public_key = tls_private_key.ssh_key.public_key_openssh
+  }
+
+  boot_diagnostics {
+  }
+
+  user_data = base64encode(<<EOF
+#!/bin/bash
+set -x
+
+apt-get update
+apt-get install strongswan-charon strongswan-swanctl -y
+
+
+cat <<'EOT' >> /etc/strongswan.d/charon-logging.conf
+charon {
+  filelog {
+    stderr {
+      time_format = %b %e %T
+      ike_name = yes
+      default = 1
+      ike = 2
+      flush_line = yes
+    }
+  }
+}
+EOT
+
+
+cat <<'EOT' >> /etc/swanctl/conf.d/constellation.conf
+connections {
+  gw-gw {
+    remote_addrs = ${var.remote_addr}
+
+    local {
+        auth = psk
+    }
+    remote {
+        auth = psk
+    }
+    children {
+        net-net {
+          local_ts  = ${var.local_ts}
+          remote_ts = ${join(",", var.remote_ts)}
+
+          start_action = trap
+        }
+    }
+  }
+}
+
+secrets {
+  ike {
+    secret = ${var.ike_psk}
+  }
+}
+EOT
+
+cat <<'EOT' >> /home/${local.username}/restart-and-reload-strongswan.sh
+#!/bin/sh
+
+# Restart charon daemon
+ipsec restart
+
+sleep 5
+
+# Load all the config files
+swanctl --load-all
+
+echo "You now should be able to ping and curl the remote network (Pod IPs and Services)"
+
+EOT
+
+chmod +x /home/${local.username}/restart-and-reload-strongswan.sh
+sysctl -w net.ipv4.ip_forward=1
+
+EOF
+  )
+}
+
+resource "azurerm_network_interface" "private_nic" {
+  name                = "private-nic"
+  location            = var.resource_group_location
+  resource_group_name = azurerm_resource_group.rg.name
+
+  ip_configuration {
+    name                          = "internal"
+    subnet_id                     = azurerm_subnet.subnet.id
+    private_ip_address_allocation = "Dynamic"
+  }
+}
+
+# Create virtual machine
+resource "azurerm_linux_virtual_machine" "private_vm" {
+  name                  = "private_vm"
+  location              = azurerm_resource_group.rg.location
+  resource_group_name   = azurerm_resource_group.rg.name
+  network_interface_ids = [azurerm_network_interface.private_nic.id]
+  size                  = "Standard_B2ats_v2"
+
+  os_disk {
+    name                 = "disk_private_vm"
+    caching              = "ReadWrite"
+    storage_account_type = "Premium_LRS"
+  }
+
+  source_image_reference {
+    publisher = "Canonical"
+    offer     = "0001-com-ubuntu-server-jammy"
+    sku       = "22_04-lts-gen2"
+    version   = "latest"
+  }
+
+  computer_name  = "hostname"
+  admin_username = local.username
+
+  admin_ssh_key {
+    username   = local.username
+    public_key = tls_private_key.ssh_key.public_key_openssh
+  }
+
+  boot_diagnostics {
+  }
+}

dev-docs/howto/vpn/on-prem-terraform/output.tf

@@ -0,0 +1,8 @@
+output "private_key" {
+  value     = tls_private_key.ssh_key.private_key_pem
+  sensitive = true
+}
+
+output "public_ip" {
+  value = azurerm_public_ip.pubIP.ip_address
+}