Add management and VM resources

kennethcarnes · Feb 18, 2024 · b9d0234 · b9d0234
1 parent 28cbba4
commit b9d0234
Show file tree

Hide file tree

Showing 9 changed files with 139 additions and 10 deletions.
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -17,9 +17,13 @@ jobs:
         with:
           creds: ${{ secrets.AZURE_CREDENTIALS }}
 
+      - name: Set up environment variable for SSH Public Key
+        run: echo "ADMIN_PUBLIC_KEY=${{ secrets.ADMIN_PUBLIC_KEY }}" >> $GITHUB_ENV
+
       - name: Deploy Azure Resources
         run: |
           az deployment group create \
-          --name deployment-${{ github.run_id }} \
-          --resource-group "${{ secrets.RESOURCE_GROUP_NAME }}" \
-          --template-file ./bicep/main.bicep
+            --name deployment-${{ github.run_id }} \
+            --resource-group "${{ secrets.RESOURCE_GROUP_NAME }}" \
+            --template-file ./bicep/main.bicep \
+            --parameters adminPublicKey="${{ secrets.ADMIN_PUBLIC_KEY }}"
diff --git a/bicep/compute.bicep b/bicep/compute.bicep
@@ -0,0 +1,51 @@
+param location string
+param vmSize string = 'Standard_B1s'
+param adminUsername string
+param adminPublicKey string
+param spokeVnetDetails array
+
+resource spokeVMs 'Microsoft.Compute/virtualMachines@2021-07-01' = [for (vnet, i) in spokeVnetDetails: {
+  name: '${vnet.name}-vm'
+  location: location
+  properties: {
+    hardwareProfile: {
+      vmSize: vmSize
+    }
+    osProfile: {
+      computerName: '${vnet.name}-vm'
+      adminUsername: adminUsername
+      linuxConfiguration: {
+        disablePasswordAuthentication: true
+        ssh: {
+          publicKeys: [
+            {
+              path: '/home/${adminUsername}/.ssh/authorized_keys'
+              keyData: adminPublicKey
+            }
+          ]
+        }
+      }
+    }
+    storageProfile: {
+      imageReference: {
+        publisher: 'Canonical'
+        offer: 'UbuntuServer'
+        sku: '18.04-LTS'
+        version: 'latest'
+      }
+      osDisk: {
+        createOption: 'FromImage'
+        managedDisk: {
+          storageAccountType: 'Standard_LRS'
+        }
+      }
+    }
+    networkProfile: {
+      networkInterfaces: [
+        {
+          id: resourceId('Microsoft.Network/networkInterfaces', '${vnet.name}-vm-nic')
+        }
+      ]
+    }
+  }
+}]
diff --git a/bicep/firewall.bicep b/bicep/firewall.bicep
@@ -159,3 +159,6 @@ resource networkRuleCollection 'Microsoft.Network/firewallPolicies/ruleCollectio
     ]
   }
 }
+
+output firewallPublicIPAddress string = firewallPublicIP.properties.ipAddress
+output firewallMgmtPublicIPAddress string = firewallMgmtPublicIP.properties.ipAddress
diff --git a/bicep/main.bicep b/bicep/main.bicep
@@ -1,4 +1,5 @@
 param location string = 'eastus'
+param adminPublicKey string
 param hubVnetName string = 'hubVnet'
 param hubSubnet1Prefix string = '10.0.1.0/24'
 param hubSubnet2Prefix string = '10.0.2.0/24'
@@ -23,6 +24,8 @@ param spokeVnetDetails array = [
   }
 ]
 
+var firewallPrivateIp = '10.0.0.4'
+
 module vnets './vnets.bicep' = {
   name: 'vnetDeployment'
   params: {
@@ -39,7 +42,31 @@ module firewall './firewall.bicep' = {
   params: {
     location: location
     hubVnetName: hubVnetName
-    firewallPrivateIp: '10.0.0.4'
+    firewallPrivateIp: firewallPrivateIp
+  }
+  dependsOn: [
+    vnets
+  ]
+}
+
+module compute './compute.bicep' = {
+  name: 'computeDeployment'
+  params: {
+    location: location
+    adminUsername: 'adminUser'
+    adminPublicKey: adminPublicKey
+    spokeVnetDetails: spokeVnetDetails
+  }
+  dependsOn: [
+    vnets
+  ]
+}
+
+module management './management.bicep' = {
+  name: 'managementDeployment'
+  params: {
+    location: location
+    hubVnetName: hubVnetName
   }
   dependsOn: [
     vnets

diff --git a/bicep/management.bicep b/bicep/management.bicep
@@ -0,0 +1,36 @@
+param location string
+param hubVnetName string
+param bastionPublicIpName string = '${hubVnetName}-bastion-pip'
+
+resource bastionPublicIp 'Microsoft.Network/publicIPAddresses@2020-06-01' = {
+  name: bastionPublicIpName
+  location: location
+  sku: {
+    name: 'Standard'
+  }
+  properties: {
+    publicIPAllocationMethod: 'Static'
+  }
+}
+
+resource bastionHost 'Microsoft.Network/bastionHosts@2020-11-01' = {
+  name: '${hubVnetName}-bastion'
+  location: location
+  properties: {
+    ipConfigurations: [
+      {
+        name: '${hubVnetName}-bastion-config'
+        properties: {
+          subnet: {
+            id: resourceId('Microsoft.Network/virtualNetworks/subnets', hubVnetName, 'AzureBastionSubnet')
+          }
+          publicIPAddress: {
+            id: bastionPublicIp.id
+          }
+        }
+      }
+    ]
+  }
+}
+
+output bastionPublicIPAddress string = bastionPublicIp.properties.ipAddress
diff --git a/bicep/vnets.bicep b/bicep/vnets.bicep
@@ -4,8 +4,7 @@ param hubSubnet1Prefix string = '10.0.1.0/24'
 param hubSubnet2Prefix string = '10.0.2.0/24'
 param spokeVnetDetails array
 param AzureFirewallSubnet string = '10.0.0.0/24'
-// Updated to avoid overlap with AzureFirewallSubnet
-param AzureFirewallManagementSubnet string = '10.0.3.0/24' 
+param AzureFirewallManagementSubnet string = '10.0.3.0/24'
 
 resource hubVnet 'Microsoft.Network/virtualNetworks@2021-02-01' = {
   name: hubVnetName

diff --git a/readme.md b/readme.md
@@ -18,5 +18,6 @@ This project automates the deployment of scalable network infrastructure using A
 
 1. Execute `scripts/setupAzure.ps1` to initialize Azure environment.
 2. Add Azure Credential JSON to GitHub Secrets.
-3. Run `scripts/setupGithub.ps1` to configure GitHub Secrets and environment variables.
-4. Push to main branch to trigger deployment via GitHub Actions.
+3. Generate SSH key pair for remote access to VMs.  `ssh-keygen -t rsa -b 2048` 
+4. Run `scripts/setupGithub.ps1` to configure GitHub Secrets and environment variables.
+5. Push to main branch to trigger deployment via GitHub Actions.
diff --git a/scripts/setupGithub.ps1 b/scripts/setupGithub.ps1
@@ -13,13 +13,13 @@ $repositoryName = Read-Host "Enter the GitHub repository name"
 # Environment variable keys
 $envVarKeys = @(
     "RESOURCE_GROUP_NAME",
-    "LOCATION"
+    "LOCATION",
+    "ADMIN_PUBLIC_KEY"
 )
 # Prompt for each environment variable
 foreach ($key in $envVarKeys) {
     $value = Read-Host "Enter the value for $key"
     gh secret set $key --body $value --repo "$repositoryOwner/$repositoryName"
 }
 
-
 Write-Host "GitHub repository secrets and environment variables have been set."
diff --git a/scripts/validateDeployment.ps1 b/scripts/validateDeployment.ps1
@@ -23,4 +23,12 @@ az bicep build --file ./bicep/firewall.bicep
 Write-Host "Validating firewall.bicep..."
 az bicep build --file ./bicep/vnets.bicep
 
+# Validate management.bicep
+Write-Host "Validating management.bicep..."
+az bicep build --file ./bicep/management.bicep
+
+# Validate compute.bicep
+Write-Host "Validating compute.bicep..."
+az bicep build --file ./bicep/compute.bicep
+
 Write-Host "Validation completed."