Merge pull request #516 from robinmordasiewicz/dev99

adding init
robinmordasiewicz · Aug 4, 2024 · 4bacc5a · 4bacc5a
2 parents 7d3fbfd + c71646c
commit 4bacc5a
Show file tree

Hide file tree

Showing 6 changed files with 34 additions and 38 deletions.
diff --git a/terraform/cloud-init/fortiweb.conf b/terraform/cloud-init/fortiweb.conf
@@ -61,8 +61,8 @@ config global
     set ip-forward enable
   end
   config system firewall address
-    edit "spoke-linux-server-ip"
-      set ip-address-value ${VAR-spoke-linux-server-ip}
+    edit "spoke-aks-node-ip"
+      set ip-address-value ${VAR-spoke-aks-node-ip}
     next
     edit "internet"
       set type ip-netmask
@@ -90,34 +90,30 @@ config global
     edit "ICMP"
       set protocol ICMP
     next
-    edit "spoke-linux-server-ports"
-      set destination-port-min 80
-      set destination-port-max 81
-    next
   end
   config system firewall firewall-policy
     set default-action deny
-    config  firewall-policy-match-list
+    config firewall-policy-match-list
       edit 1
         set in-interface port2
         set out-interface port1
-        set src-address spoke-linux-server-ip
+        set src-address spoke-aks-node-ip
         set dest-address internet
         set service http
         set action accept
       next
       edit 2
         set in-interface port2
         set out-interface port1
-        set src-address spoke-linux-server-ip
+        set src-address spoke-aks-node-ip
         set dest-address internet
         set service https
         set action accept
       next
       edit 3
         set in-interface port2
         set out-interface port1
-        set src-address spoke-linux-server-ip
+        set src-address spoke-aks-node-ip
         set dest-address google-dns
         set service ICMP
         set action accept
@@ -139,16 +135,16 @@ config global
       edit 6
         set out-interface port2
         set src-address internet
-        set dest-address spoke-linux-server-ip
-        set service spoke-linux-server-ports
+        set dest-address spoke-aks-node-ip
+        set service spoke-aks-node-ports
         set action accept
       next
       edit 7
         set in-interface port1
         set out-interface port2
         set src-address internet
-        set dest-address spoke-linux-server-ip
-        set service spoke-linux-server-ports
+        set dest-address spoke-aks-node-ip
+        set service spoke-aks-node-ports
         set action accept
       next
       edit 8
@@ -162,7 +158,7 @@ config global
     end
   end
   config system firewall snat-policy
-    edit "spoke-linux-server-to-internet-snat"
+    edit "spoke-aks-node-to-internet-snat"
       set source-start ${VAR-spoke-virtual-network_subnet}
       set source-end ${VAR-spoke-virtual-network_netmask}
       set out-interface port1

diff --git a/terraform/hub-network.tf b/terraform/hub-network.tf
@@ -72,7 +72,7 @@ resource "azurerm_network_security_group" "hub-external_network_security_group"
     access                     = "Allow"
     protocol                   = "Tcp"
     source_port_range          = "*"
-    destination_port_ranges    = var.spoke-linux-server-image-gpu == true ? ["80", "443", "8080", "11434"] : ["80", "443"] #checkov:skip=CKV_AZURE_160: Allow HTTP redirects
+    destination_port_ranges    = var.spoke-aks-node-image-gpu == true ? ["80", "443", "8080", "11434"] : ["80", "443"] #checkov:skip=CKV_AZURE_160: Allow HTTP redirects
     source_address_prefix      = "*"
     destination_address_prefix = var.hub-nva-vip
   }
@@ -88,14 +88,14 @@ resource "azurerm_network_security_group" "hub-internal_network_security_group"
   location            = azurerm_resource_group.azure_resource_group.location
   resource_group_name = azurerm_resource_group.azure_resource_group.name
   security_rule {
-    name                    = "linux-server_to_internet_rule"
+    name                    = "aks-node_to_internet_rule"
     priority                = 100
     direction               = "Inbound"
     access                  = "Allow"
     protocol                = "Tcp"
     source_port_range       = "*"
     destination_port_ranges = ["80", "443"]
-    #source_address_prefix      = var.spoke-linux-server-ip
+    #source_address_prefix      = var.spoke-aks-node-ip
     source_address_prefix      = "10.0.0.0/8"
     destination_address_prefix = "*"
   }
@@ -107,7 +107,7 @@ resource "azurerm_network_security_group" "hub-internal_network_security_group"
     protocol                   = "Icmp"
     source_port_range          = "*"
     destination_port_range     = "*"
-    #source_address_prefix      = var.spoke-linux-server-ip
+    #source_address_prefix      = var.spoke-aks-node-ip
     source_address_prefix      = "*"
     #destination_address_prefix = var.spoke-check-internet-up-ip
     destination_address_prefix = "*"
@@ -121,7 +121,7 @@ resource "azurerm_network_security_group" "hub-internal_network_security_group"
     source_port_range          = "*"
     destination_port_ranges    = ["80", "81"]
     source_address_prefix      = "*"
-    #destination_address_prefix = var.spoke-linux-server-ip
+    #destination_address_prefix = var.spoke-aks-node-ip
     destination_address_prefix = "*"
   }
 }

diff --git a/terraform/hub-nva.tf b/terraform/hub-nva.tf
@@ -79,15 +79,15 @@ resource "azurerm_linux_virtual_machine" "hub-nva_virtual_machine" {
         VAR-spoke-virtual-network_address_prefix = var.spoke-virtual-network_address_prefix
         VAR-spoke-virtual-network_subnet         = cidrhost(var.spoke-virtual-network_address_prefix, 0)
         VAR-spoke-virtual-network_netmask        = cidrnetmask(var.spoke-virtual-network_address_prefix)
-        VAR-spoke-linux-server-ip                = var.spoke-linux-server-ip
+        VAR-spoke-aks-node-ip                    = var.spoke-aks-node-ip
         VAR-hub-nva-vip                          = var.hub-nva-vip
         VAR-admin-username                       = random_pet.admin_username.id
         VAR-CERTIFICATE                          = tls_self_signed_cert.self_signed_cert.cert_pem
         VAR-PRIVATEKEY                           = tls_private_key.private_key.private_key_pem
         VAR-fwb_license_file                     = ""
         VAR-fwb_license_fortiflex                = ""
-        VAR-spoke-linux-server-ollama-port       = var.spoke-linux-server-ollama-port
-        VAR-spoke-linux-server-ollama-webui-port = var.spoke-linux-server-ollama-webui-port
+        VAR-spoke-aks-node-ollama-port           = var.spoke-aks-node-ollama-port
+        VAR-spoke-aks-node-ollama-webui-port     = var.spoke-aks-node-ollama-webui-port
         VAR-spoke-aks-network                    = var.spoke-aks-subnet_prefix
       }
     )

diff --git a/terraform/spoke-network.tf b/terraform/spoke-network.tf
@@ -57,21 +57,21 @@ resource "azurerm_network_security_group" "spoke_network_security_group" {
     access                     = "Allow"
     protocol                   = "Tcp"
     source_port_range          = "*"
-    #destination_port_ranges    = var.spoke-linux-server-image-gpu == true ? ["80", "81", "8080", "11434"] : ["80", "81"] #checkov:skip=CKV_AZURE_160: Allow HTTP redirects
+    #destination_port_ranges    = var.spoke-aks-node-image-gpu == true ? ["80", "81", "8080", "11434"] : ["80", "81"] #checkov:skip=CKV_AZURE_160: Allow HTTP redirects
     source_address_prefix      = "*"
-    #destination_address_prefix = var.spoke-linux-server-ip
+    #destination_address_prefix = var.spoke-aks-node-ip
     destination_port_range = "*"
     destination_address_prefix = "*"
   }
   security_rule {
-    name                       = "linux-server_to_internet_rule"
+    name                       = "aks-node_to_internet_rule"
     priority                   = 100
     direction                  = "Outbound"
     access                     = "Allow"
     protocol                   = "Tcp"
     source_port_range          = "*"
     destination_port_ranges    = ["80", "443"]
-    #source_address_prefix      = var.spoke-linux-server-ip
+    #source_address_prefix      = var.spoke-aks-node-ip
     #source_address_prefix = var.spoke-subnet_prefix
     source_address_prefix = "*"
     destination_address_prefix = "*" #tfsec:ignore:AVD-AZU-0051
@@ -84,7 +84,7 @@ resource "azurerm_network_security_group" "spoke_network_security_group" {
     protocol                   = "Icmp"
     source_port_range          = "*"
     destination_port_range     = "*"
-    #source_address_prefix      = var.spoke-linux-server-ip
+    #source_address_prefix      = var.spoke-aks-node-ip
     #source_address_prefix = var.spoke-subnet_prefix
     source_address_prefix = "*"
     #destination_address_prefix = "8.8.8.8"

diff --git a/terraform/terraform.auto.tfvars b/terraform/terraform.auto.tfvars
@@ -18,6 +18,6 @@ spoke-aks-subnet_name                = "spoke_aks_subnet"
 spoke-aks-subnet_prefix              = "10.1.2.0/24"
 spoke-aks_dns_service_ip             = "10.1.2.10"
 spoke-check-internet-up-ip           = "8.8.8.8"
-spoke-linux-server-ip                = "10.1.1.5"
-spoke-linux-server-image-gpu         = false
+spoke-aks-node-ip                    = "10.1.1.4"
+spoke-aks-node-image-gpu             = false
 spoke-k8s-node-pool-gpu              = false
diff --git a/terraform/variables.tf b/terraform/variables.tf
@@ -216,13 +216,13 @@ variable "hub-nva-management-action" {
   }
 }
 
-variable "spoke-linux-server-image" {
-  default     = "linux-server"
+variable "spoke-aks-node-image" {
+  default     = "aks-node"
   description = "Container server image product"
   type        = string
 }
 
-variable "spoke-linux-server-image-gpu" {
+variable "spoke-aks-node-image-gpu" {
   default     = false
   description = "Set to true to enable GPU workloads"
   type        = bool
@@ -319,12 +319,12 @@ variable "spoke-aks_dns_service_ip" {
   }
 }
 
-variable "spoke-linux-server-ip" {
-  default     = "10.1.1.5"
+variable "spoke-aks-node-ip" {
+  default     = "10.1.1.4"
   description = "Spoke Container Server IP Address"
   type        = string
   validation {
-    condition     = can(regex("^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$", var.spoke-linux-server-ip))
+    condition     = can(regex("^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$", var.spoke-aks-node-ip))
     error_message = "The IP address must be a valid IPv4 format (e.g., 10.1.1.5)."
   }
 }
@@ -339,13 +339,13 @@ variable "spoke-check-internet-up-ip" {
   }
 }
 
-variable "spoke-linux-server-ollama-port" {
+variable "spoke-aks-node-ollama-port" {
   default     = "11434"
   description = "Port for ollama"
   type        = string
 }
 
-variable "spoke-linux-server-ollama-webui-port" {
+variable "spoke-aks-node-ollama-webui-port" {
   default     = "8080"
   description = "Port for the ollama web ui"
   type        = string