# Provider requirements. Both constraints pin only the major version; the
# exact provider builds actually used should be frozen by a committed
# .terraform.lock.hcl so every `terraform init` resolves the same binaries
# (supply-chain hygiene for the provider plugins).
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 4.0"
    }
    # The Cloudflare provider is required here, but no `provider "cloudflare"`
    # block and no `data "cloudflare_ip_ranges"` source is visible in this
    # file — presumably they are declared in another file of this module.
    cloudflare = {
      source  = "cloudflare/cloudflare"
      version = "~> 5.0"
    }
  }
}
# Azure provider authenticated as a service principal with a client secret.
# NOTE(review): var.client_secret is a long-lived credential. Make sure that
# variable is declared `sensitive = true` and is supplied from the environment
# or a secret store, never from a committed .tfvars file. The azurerm provider
# can also take these values from ARM_* environment variables and supports
# OIDC / managed-identity auth, which removes the stored secret entirely and is
# the better choice for CI pipelines.
provider "azurerm" {
  features {}
  client_id       = var.client_id
  client_secret   = var.client_secret
  tenant_id       = var.tenant_id
  subscription_id = var.subscription_id
}
# -- Resources --
# Resource group that holds every resource declared in this configuration.
resource "azurerm_resource_group" "vm_rg" {
  location = var.location
  name     = "tf-vm-rg"
}
# Virtual network for the VM; a single /16 carved up by the subnet below.
resource "azurerm_virtual_network" "vm_vnet" {
  resource_group_name = azurerm_resource_group.vm_rg.name
  location            = azurerm_resource_group.vm_rg.location
  name                = "tf-vnet"
  address_space       = ["10.0.0.0/16"]
}
# Subnet the VM NIC is placed in. No NSG is attached at the subnet level;
# traffic filtering relies on the NIC-level association defined later.
resource "azurerm_subnet" "vm_subnet" {
  resource_group_name  = azurerm_resource_group.vm_rg.name
  virtual_network_name = azurerm_virtual_network.vm_vnet.name
  name                 = "tf-subnet"
  address_prefixes     = ["10.0.1.0/24"]
}
# Static public IP for the VM. Standard SKU is used, which (unlike Basic) is
# closed to inbound traffic until an NSG rule explicitly allows it.
# No ip_version is set, so this is an IPv4 address.
resource "azurerm_public_ip" "vm_public_ip" {
  resource_group_name = azurerm_resource_group.vm_rg.name
  location            = azurerm_resource_group.vm_rg.location
  name                = "tf-public-ip"
  sku                 = "Standard"
  allocation_method   = "Static"
}
# NIC for the VM with the public IP bound directly to it. Because the public
# IP sits on the NIC, the NSG associated with this NIC is the only thing
# gating inbound traffic from the Internet to the VM.
resource "azurerm_network_interface" "vm_nic" {
  resource_group_name = azurerm_resource_group.vm_rg.name
  location            = azurerm_resource_group.vm_rg.location
  name                = "tf-nic"

  ip_configuration {
    name                          = "internal"
    subnet_id                     = azurerm_subnet.vm_subnet.id
    public_ip_address_id          = azurerm_public_ip.vm_public_ip.id
    private_ip_address_allocation = "Dynamic"
  }
}
# Small Ubuntu 22.04 LTS VM reachable through vm_nic.
# Access is key-only: password authentication is disabled and the admin
# user's public key comes from var.admin_public_key.
# NOTE(review): `version = "latest"` means each rebuild may pull a different
# image; pin a specific image version if reproducible deployments are needed.
resource "azurerm_linux_virtual_machine" "vm" {
  resource_group_name = azurerm_resource_group.vm_rg.name
  location            = azurerm_resource_group.vm_rg.location
  name                = "tf-linux-vm"
  size                = "Standard_B1s"
  network_interface_ids = [azurerm_network_interface.vm_nic.id]

  # Admin login: SSH key only, no password.
  admin_username                  = var.admin_username
  disable_password_authentication = true

  admin_ssh_key {
    username   = var.admin_username
    public_key = var.admin_public_key
  }

  os_disk {
    storage_account_type = "Standard_LRS"
    caching              = "ReadWrite"
  }

  source_image_reference {
    publisher = "Canonical"
    offer     = "0001-com-ubuntu-server-jammy"
    sku       = "22_04-lts"
    version   = "latest"
  }
}
# --- Security ---
# Network security group for the VM NIC. Rules are declared as separate
# azurerm_network_security_rule resources below; anything not explicitly
# allowed falls through to Azure's default deny-inbound rules.
resource "azurerm_network_security_group" "vm_nsg" {
  resource_group_name = azurerm_resource_group.vm_rg.name
  location            = azurerm_resource_group.vm_rg.location
  name                = "tf-vm-nsg"
}
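# Source prefix allowed to reach SSH. The default of "*" (any source) keeps
# existing deployments working, but it should be overridden with the
# operator's or bastion's address (e.g. "203.0.113.10/32"): port 22 open to
# the whole Internet is a standing brute-force / scanning target even with
# password authentication disabled on the VM.
variable "ssh_source_address_prefix" {
  description = "Source address prefix (CIDR, IP, tag or *) allowed to reach port 22. Restrict to your IP or bastion."
  type        = string
  default     = "*"
}

# Allow SSH from var.ssh_source_address_prefix only.
resource "azurerm_network_security_rule" "ssh_rule" {
  name                        = "Allow-SSH"
  priority                    = 1001
  direction                   = "Inbound"
  access                      = "Allow"
  protocol                    = "Tcp"
  source_port_range           = "*"
  destination_port_range      = "22"
  source_address_prefix       = var.ssh_source_address_prefix
  destination_address_prefix  = "*"
  resource_group_name         = azurerm_resource_group.vm_rg.name
  network_security_group_name = azurerm_network_security_group.vm_nsg.name
}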
# HTTPS (443) is reachable only from Cloudflare's published IPv4 ranges, taken
# from the cloudflare_ip_ranges data source (declared outside this file).
# Only ipv4_cidrs is used, which matches the IPv4-only public IP above; if the
# public IP ever gets an IPv6 address, ipv6_cidrs must be added here as well.
# NOTE(review): an IP allow-list only shows a packet came *through* Cloudflare,
# not that it came from *your* zone — any Cloudflare customer could proxy to
# this origin IP. Pair this with Authenticated Origin Pulls (origin mTLS) or
# put the origin behind a Cloudflare Tunnel for a real origin guarantee.
resource "azurerm_network_security_rule" "allow_cloudflare_only" {
  resource_group_name         = azurerm_resource_group.vm_rg.name
  network_security_group_name = azurerm_network_security_group.vm_nsg.name
  name                        = "AllowCloudflareHTTPS"
  priority                    = 100
  direction                   = "Inbound"
  access                      = "Allow"
  protocol                    = "Tcp"
  source_port_range           = "*"
  source_address_prefixes     = data.cloudflare_ip_ranges.cloudflare.ipv4_cidrs
  destination_port_ranges     = ["443"]
  destination_address_prefix  = "*"
}
# Bind the NSG to the VM NIC. Without this association the rules above have no
# effect and the Standard-SKU public IP would simply drop all inbound traffic.
resource "azurerm_network_interface_security_group_association" "vm_nsg_assoc" {
  network_security_group_id = azurerm_network_security_group.vm_nsg.id
  network_interface_id      = azurerm_network_interface.vm_nic.id
}