Dev #38: initial setup of load balancing, requiring relaxation of NSG…

… configuration

terraform/main.tf

@@ -31,14 +31,6 @@ module "data" {
   dns_zone            = module.network.dns_zone
 }
 
-module "web" {
-  source                      = "./web"
-  default_tags                = local.tags
-  project_name                = local.project_name
-  location                    = var.location
-  frontend_ip                 = module.network.gateway_ip
-}
-
 # PyGeoAPI app
 module "pygeoapi" {
   source                      = "./pygeoapi"
@@ -110,3 +102,15 @@ module "forecast_processor" {
   sendfrom_email               = var.sendfrom_email
   dns_zone                     = module.network.dns_zone
 }
+
+module "web" {
+  source                      = "./web"
+  default_tags                = local.tags
+  project_name                = local.project_name
+  location                    = var.location
+  frontend_ip                 = module.network.gateway_ip
+  subnet_id                   = module.network.gateway_subnet.id
+  domain_name                 = var.domain_name
+  environment                 = var.environment
+  # TODO: endpoints from application, data, pygeoapi
+}

terraform/network/nsg.tf

@@ -1,80 +1,78 @@
-resource "azurerm_network_security_group" "gateway" {
-  name                = "nsg-${var.project_name}-gateway"
-  location            = azurerm_resource_group.this.location
-  resource_group_name = azurerm_resource_group.this.name
-}
+#resource "azurerm_network_security_group" "gateway" {
+#  name                = "nsg-${var.project_name}-gateway"
+#  location            = azurerm_resource_group.this.location
+#  resource_group_name = azurerm_resource_group.this.name
+#}
 
-resource "azurerm_network_security_group" "public" {
-  name                = "nsg-${var.project_name}-public"
-  location            = azurerm_resource_group.this.location
-  resource_group_name = azurerm_resource_group.this.name
-}
+#resource "azurerm_network_security_group" "public" {
+#  name                = "nsg-${var.project_name}-public"
+#  location            = azurerm_resource_group.this.location
+#  resource_group_name = azurerm_resource_group.this.name
+#}
 
-resource "azurerm_network_security_group" "private" {
-  name                = "nsg-${var.project_name}-private"
-  location            = azurerm_resource_group.this.location
-  resource_group_name = azurerm_resource_group.this.name
-}
+#resource "azurerm_network_security_group" "private" {
+#  name                = "nsg-${var.project_name}-private"
+#  location            = azurerm_resource_group.this.location
+#  resource_group_name = azurerm_resource_group.this.name
+#}
 
-resource "azurerm_subnet_network_security_group_association" "gateway" {
-  subnet_id                 = azurerm_subnet.gateway.id
-  network_security_group_id = azurerm_network_security_group.gateway.id
-}
+#resource "azurerm_subnet_network_security_group_association" "gateway" {
+#  subnet_id                 = azurerm_subnet.gateway.id
+#  network_security_group_id = azurerm_network_security_group.gateway.id
+#}
 
-resource "azurerm_subnet_network_security_group_association" "public" {
-  subnet_id                 = azurerm_subnet.public.id
-  network_security_group_id = azurerm_network_security_group.public.id
-}
+#resource "azurerm_subnet_network_security_group_association" "public" {
+#  subnet_id                 = azurerm_subnet.public.id
+#  network_security_group_id = azurerm_network_security_group.public.id
+#}
 
-resource "azurerm_subnet_network_security_group_association" "private" {
-  subnet_id                 = azurerm_subnet.private.id
-  network_security_group_id = azurerm_network_security_group.private.id
-}
+#resource "azurerm_subnet_network_security_group_association" "private" {
+#  subnet_id                 = azurerm_subnet.private.id
+#  network_security_group_id = azurerm_network_security_group.private.id
+#}
 
 # Firewall rules
-resource "azurerm_network_security_rule" "gateway_net_rules" {
-  for_each                    = { for name, cidr_block in var.users_ip_addresses : name => cidr_block }
-  name                        = "AllowConnectionsFrom${each.key}"
-  priority                    = index(values(var.users_ip_addresses), each.value) + 100
-  direction                   = "Inbound"
-  access                      = "Allow"
-  protocol                    = "Tcp"
-  source_port_range           = "*"
-  destination_port_range      = "*"
-  source_address_prefix       = each.value
-  destination_address_prefix  = "VirtualNetwork"
-  resource_group_name         = azurerm_resource_group.this.name
-  network_security_group_name = azurerm_network_security_group.gateway.name
-}
+#resource "azurerm_network_security_rule" "gateway_net_rules" {
+#  for_each                    = { for name, cidr_block in var.users_ip_addresses : name => cidr_block }
+#  name                        = "AllowConnectionsFrom${each.key}"
+#  priority                    = index(values(var.users_ip_addresses), each.value) + 100
+#  direction                   = "Inbound"
+#  access                      = "Allow"
+#  protocol                    = "Tcp"
+#  source_port_range           = "*"
+#  destination_port_range      = "*"
+#  source_address_prefix       = each.value
+#  destination_address_prefix  = "VirtualNetwork"
+#  resource_group_name         = azurerm_resource_group.this.name
+#  network_security_group_name = azurerm_network_security_group.gateway.name
+#}
 
-# FIXME: we should deploy via the public services
-resource "azurerm_network_security_rule" "public_net_rules" {
-  for_each                    = { for name, cidr_block in var.users_ip_addresses : name => cidr_block }
-  name                        = "AllowConnectionsFrom${each.key}"
-  priority                    = index(values(var.users_ip_addresses), each.value) + 100
-  direction                   = "Inbound"
-  access                      = "Allow"
-  protocol                    = "Tcp"
-  source_port_range           = "*"
-  destination_port_range      = "*"
-  source_address_prefix       = each.value
-  destination_address_prefix  = "VirtualNetwork"
-  resource_group_name         = azurerm_resource_group.this.name
-  network_security_group_name = azurerm_network_security_group.public.name
-}
-
-# FIXME: we should deploy via the private services
-resource "azurerm_network_security_rule" "private_net_rules" {
-  for_each                    = { for name, cidr_block in var.users_ip_addresses : name => cidr_block }
-  name                        = "AllowConnectionsFrom${each.key}"
-  priority                    = index(values(var.users_ip_addresses), each.value) + 100
-  direction                   = "Inbound"
-  access                      = "Allow"
-  protocol                    = "Tcp"
-  source_port_range           = "*"
-  destination_port_range      = "*"
-  source_address_prefix       = each.value
-  destination_address_prefix  = "VirtualNetwork"
-  resource_group_name         = azurerm_resource_group.this.name
-  network_security_group_name = azurerm_network_security_group.private.name
-}
+#resource "azurerm_network_security_rule" "public_net_rules" {
+#  for_each                    = { for name, cidr_block in var.users_ip_addresses : name => cidr_block }
+#  name                        = "AllowConnectionsFrom${each.key}"
+#  priority                    = index(values(var.users_ip_addresses), each.value) + 100
+#  direction                   = "Inbound"
+#  access                      = "Allow"
+#  protocol                    = "Tcp"
+#  source_port_range           = "*"
+#  destination_port_range      = "*"
+#  source_address_prefix       = each.value
+#  destination_address_prefix  = "VirtualNetwork"
+#  resource_group_name         = azurerm_resource_group.this.name
+#  network_security_group_name = azurerm_network_security_group.public.name
+#}
+#
+#resource "azurerm_network_security_rule" "private_net_rules" {
+#  for_each                    = { for name, cidr_block in var.users_ip_addresses : name => cidr_block }
+#  name                        = "AllowConnectionsFrom${each.key}"
+#  priority                    = index(values(var.users_ip_addresses), each.value) + 100
+#  direction                   = "Inbound"
+#  access                      = "Allow"
+#  protocol                    = "Tcp"
+#  source_port_range           = "*"
+#  destination_port_range      = "*"
+#  source_address_prefix       = each.value
+#  destination_address_prefix  = "VirtualNetwork"
+#  resource_group_name         = azurerm_resource_group.this.name
+#  network_security_group_name = azurerm_network_security_group.private.name
+#}

terraform/pygeoapi/config.tf

@@ -4,7 +4,7 @@ resource "null_resource" "write_config" {
   triggers = {
     always_run = "${timestamp()}"
   }
-  
+
   provisioner "local-exec" {
     command = <<EOF
     cat <<SECRETS >${var.config_output_location}

terraform/variables.tf

@@ -17,6 +17,10 @@ variable "tenant_id" {
 }
 
 # These have sensible defaults
+variable "domain_name" {
+  description = "Domain name we're using for deployment"
+  default     = "icenet.ai"
+}
 variable "environment" {
   description = "Environment we're building"
   default     = "dev"

terraform/web/variables.tf

@@ -6,9 +6,19 @@ variable "location" {
   description = "Which Azure location to build in"
   default     = "uksouth"
 }
+variable "domain_name" {
+  description = "Domain name we're using for deployment"
+}
+variable "environment" {
+  description = "Environment we're building"
+}
 variable "frontend_ip" {
   description = "Frontend IP to utilise for load balancer"
 }
+variable "subnet_id" {
+    description = "Subnet ID to deploy in"
+    type = string
+}
 
 variable "default_tags" {
     description = "Default tags for resources"