diff --git a/.github/workflows/db_rollback.yml b/.github/workflows/db_rollback.yml
index 8a0581f3a..f8b463758 100644
--- a/.github/workflows/db_rollback.yml
+++ b/.github/workflows/db_rollback.yml
@@ -64,11 +64,35 @@ jobs: echo "DATABASE_HOSTNAME=$DATABASE_HOSTNAME" >> "$GITHUB_ENV" echo "DATABASE_PASSWORD=$DATABASE_PASSWORD" >> "$GITHUB_ENV" - - name: Run Db Rollback - uses: liquibase-github-actions/rollback-count@v4.26.0 + - name: Connect to VPN + uses: josiahsiegel/action-connect-ovpn@v2.0.2 + id: connect_vpn + if: github.event.inputs.environment != 'internal' with: - changelogFile: ${{ github.event.inputs.rollbackFile }} - count: ${{ github.event.inputs.rollbackCount }} - url: "jdbc:postgresql://${{ env.DATABASE_HOSTNAME }}:5432/postgres" - username: cdcti-github - password: ${{ env.DATABASE_PASSWORD }} + PING_URL: ${{ env.DATABASE_HOSTNAME }} + FILE_OVPN: ./operations/vpn/${{ github.event.inputs.environment }}.ovpn + TLS_KEY: ${{ secrets.VPN_TLS_KEY }} + env: + CA_CRT: ${{ secrets.VPN_CA_CERTIFICATE }} + USER_CRT: ${{ secrets.VPN_GITHUB_CERTIFICATE }} + USER_KEY: ${{ secrets.VPN_GITHUB_SECRET_KEY }} + + - name: Fail if VPN isn't Connected + if: github.event.inputs.environment != 'internal' && steps.connect_vpn.outputs.STATUS != 'true' + run: | + echo 'VPN connected: ${{ steps.connect_vpn.outputs.STATUS }}' + exit 1 + + - name: Install Liquibase + run: | + wget -O- https://repo.liquibase.com/liquibase.asc | gpg --dearmor > liquibase-keyring.gpg && \cat liquibase-keyring.gpg | sudo tee /usr/share/keyrings/liquibase-keyring.gpg > /dev/null && \echo 'deb [arch=amd64 signed-by=/usr/share/keyrings/liquibase-keyring.gpg] https://repo.liquibase.com stable main' | sudo tee /etc/apt/sources.list.d/liquibase.list + sudo apt-get update + sudo apt-get install liquibase + liquibase -v + + - name: Run Db migration + run: liquibase rollback-count --changelog-file ${{ github.event.inputs.rollbackFile }} --count ${{ github.event.inputs.rollbackCount }} --url 'jdbc:postgresql://${{ env.DATABASE_HOSTNAME }}:5432/postgres' --username cdcti-github --password '${{ env.DATABASE_PASSWORD }}' + + - name: Disconnect VPN + if: github.event.inputs.environment != 'internal' && 
always() + run: sudo killall openvpn diff --git a/.github/workflows/dev-deploy.yml b/.github/workflows/dev-deploy.yml index 5f1318c3b..28fff8a23 100644 --- a/.github/workflows/dev-deploy.yml +++ b/.github/workflows/dev-deploy.yml @@ -18,6 +18,10 @@ jobs: AZURE_CLIENT_ID: ${{ secrets.AZURE_CDC_CLIENT_ID }} AZURE_TENANT_ID: ${{ secrets.AZURE_CDC_TENANT_ID }} AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_CDC_DMZ_C1_SUBSCRIPTION_ID }} + VPN_TLS_KEY: ${{ secrets.VPN_TLS_KEY }} + VPN_CA_CERTIFICATE: ${{ secrets.VPN_CA_CERTIFICATE }} + VPN_GITHUB_CERTIFICATE: ${{ secrets.VPN_GITHUB_CERTIFICATE}} + VPN_GITHUB_SECRET_KEY: ${{ secrets.VPN_GITHUB_SECRET_KEY }} dev-deploy: name: Dev Application Deploy diff --git a/.github/workflows/terraform-deploy_reusable.yml b/.github/workflows/terraform-deploy_reusable.yml index e9ca6495b..8c7471936 100644 --- a/.github/workflows/terraform-deploy_reusable.yml +++ b/.github/workflows/terraform-deploy_reusable.yml @@ -24,6 +24,14 @@ on: required: true AZURE_SUBSCRIPTION_ID: required: true + VPN_TLS_KEY: + required: false + VPN_CA_CERTIFICATE: + required: false + VPN_GITHUB_CERTIFICATE: + required: false + VPN_GITHUB_SECRET_KEY: + required: false outputs: REGISTRY: description: The container registry 
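Review bot: The `Run Db migration` step expands `github.event.inputs.rollbackFile`, `github.event.inputs.rollbackCount` and `env.DATABASE_PASSWORD` straight into the shell command text, so a value containing a quote or shell metacharacter changes the command instead of being passed as an argument, and the password is also visible in the runner's process list while Liquibase runs. Pass the values through the step's `env:` block and reference them as quoted shell variables; Liquibase reads `LIQUIBASE_COMMAND_URL`, `LIQUIBASE_COMMAND_USERNAME` and `LIQUIBASE_COMMAND_PASSWORD` from the environment, which keeps the password off the command line entirely. The same `--password '${{ env.DATABASE_PASSWORD }}'` pattern appears in the terraform-deploy_reusable.yml hunk at `@@ -85,13 +93,39 @@`. The step name still says migration inside a rollback workflow; `- name: Run Db rollback` would match what it runs.
```yaml
      # … unchanged: Install Liquibase step …
      - name: Run Db rollback
        env:
          # inputs and the password go through the environment so the shell
          # never interpolates them into the command line
          ROLLBACK_FILE: ${{ github.event.inputs.rollbackFile }}
          ROLLBACK_COUNT: ${{ github.event.inputs.rollbackCount }}
          LIQUIBASE_COMMAND_URL: "jdbc:postgresql://${{ env.DATABASE_HOSTNAME }}:5432/postgres"
          LIQUIBASE_COMMAND_USERNAME: cdcti-github
          LIQUIBASE_COMMAND_PASSWORD: ${{ env.DATABASE_PASSWORD }}
        run: liquibase rollback-count --changelog-file "$ROLLBACK_FILE" --count "$ROLLBACK_COUNT"
      # … unchanged: Disconnect VPN step …
```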
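Review bot: `VPN_GITHUB_CERTIFICATE: ${{ secrets.VPN_GITHUB_CERTIFICATE}}` is missing the space before the closing braces that the three neighbouring expressions have; write it as `${{ secrets.VPN_GITHUB_CERTIFICATE }}`. GitHub evaluates both forms the same way, so this is consistency only.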
@@ -85,13 +93,39 @@ jobs: echo "DATABASE_HOSTNAME=$DATABASE_HOSTNAME" >> "$GITHUB_ENV" echo "DATABASE_PASSWORD=$DATABASE_PASSWORD" >> "$GITHUB_ENV" - - name: Run Db migration - uses: liquibase-github-actions/update@v4.26.0 + - name: Connect to VPN + uses: josiahsiegel/action-connect-ovpn@v2.0.2 + id: connect_vpn + if: inputs.ENVIRONMENT != 'internal' && inputs.ENVIRONMENT != 'pr' with: - changelogFile: ./etor/databaseMigrations/root.yml - url: "jdbc:postgresql://${{ env.DATABASE_HOSTNAME }}:5432/postgres" - username: cdcti-github - password: ${{ env.DATABASE_PASSWORD }} + PING_URL: ${{ env.DATABASE_HOSTNAME }} + FILE_OVPN: ./operations/vpn/${{ inputs.ENVIRONMENT }}.ovpn + TLS_KEY: ${{ secrets.VPN_TLS_KEY }} + env: + CA_CRT: ${{ secrets.VPN_CA_CERTIFICATE }} + USER_CRT: ${{ secrets.VPN_GITHUB_CERTIFICATE }} + USER_KEY: ${{ secrets.VPN_GITHUB_SECRET_KEY }} + + - name: Fail if VPN isn't Connected + if: inputs.ENVIRONMENT != 'internal' && inputs.ENVIRONMENT != 'pr' && steps.connect_vpn.outputs.STATUS != 'true' + run: | + echo 'VPN connected: ${{ steps.connect_vpn.outputs.STATUS }}' + exit 1 + + - name: Install Liquibase + run: | + wget -O- https://repo.liquibase.com/liquibase.asc | gpg --dearmor > liquibase-keyring.gpg && \cat liquibase-keyring.gpg | sudo tee /usr/share/keyrings/liquibase-keyring.gpg > /dev/null && \echo 'deb [arch=amd64 signed-by=/usr/share/keyrings/liquibase-keyring.gpg] https://repo.liquibase.com stable main' | sudo tee /etc/apt/sources.list.d/liquibase.list + sudo apt-get update + sudo apt-get install liquibase + liquibase -v + + - name: Run Db migration + working-directory: ./ + run: liquibase update --changelog-file ./etor/databaseMigrations/root.yml --url 'jdbc:postgresql://${{ env.DATABASE_HOSTNAME }}:5432/postgres' --username cdcti-github --password '${{ env.DATABASE_PASSWORD }}' + + - name: Disconnect VPN + if: inputs.ENVIRONMENT != 'internal' && inputs.ENVIRONMENT != 'pr' && always() + run: sudo killall openvpn - id: export-terraform-output 
name: Export Terraform Output diff --git a/operations/environments/dev/main.tf b/operations/environments/dev/main.tf index 9f74e4e4b..df0b7effe 100644 --- a/operations/environments/dev/main.tf +++ b/operations/environments/dev/main.tf @@ -29,4 +29,5 @@ module "template" { environment = "dev" deployer_id = "f5feabe7-5d37-40ba-94f2-e5c0760b4561" //github app registration in CDC Azure Entra + vpn_root_certificate = "MIIC5jCCAc6gAwIBAgIIWvb3sLkOQtcwDQYJKoZIhvcNAQELBQAwETEPMA0GA1UEAxMGVlBOIENBMB4XDTI0MDMwODE1MjM0OFoXDTI3MDMwODE1MjM0OFowETEPMA0GA1UEAxMGVlBOIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAt1v2bAATE7IOJkqUrbwQw6X99fi3Ywf1bv0uZ0gGDjG10H+PB2BUzZ94RNcB4Oezi6t+/WAQUkhRozemFkegSkfKHEehAT6nu6OBXKt2rH/oJtpKR791ab9H9aQ6e5LO9OZ237QL6XikhGG7HXqG9ndYnhBYPy2/pd8VV6ZwqMR3PkfBJaC4tKy4d8dim+PMpT5rqPGbsf9H+dydvG6JOKZiHb3/yqi6fqoise1yY64aDwFC9MbEbtgXpvmBFsei2PA/XH5FqE6F/kyCg7mO5TSYYEqx0PCTPmICAT4iw5ELMyAhVKL2OpMjqw5YAYr/TGqlfyEYpBBQMvC3K9OmUwIDAQABo0IwQDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQU5idI+AFsHn8BjvNBE5ShE+aFor0wDQYJKoZIhvcNAQELBQADggEBAJkDtuHj4QGyXtooiM7xfHZ/lGdDZvF+KAVfFKAlsIO8y1NS2iAeNT6MmampwzWzXIUMk9vxvALUoh2MJkWP5CX2e3vDj2lGpbhK5//rfWDin1/jj28+KZzSVsk4i/EkdBWW7eCKU401rafVOjSLmM5mfDTAHNrFxzQWJF5WL7TxrQw7chrnpy4v0V7/y4h+QsQja8LXx9keEdB2BQSjndAqxB9dblFALantpuEOM2pS3GCaC2REXSnKsgSEQoVL07MSndpCpdv5bsEkppM5LBC6gL66a43Lho3kSCm4ZU51mjJtNwadeBXpHjkJ1yiBA7CG/Roa+THAiV+VMP75g3E=" # pragma: allowlist secret } diff --git a/operations/environments/pr/main.tf b/operations/environments/pr/main.tf index 1dd4081bb..53983f640 100644 --- a/operations/environments/pr/main.tf +++ b/operations/environments/pr/main.tf 
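Review bot: `uses: josiahsiegel/action-connect-ovpn@v2.0.2` hands a third-party action the VPN CA, the client certificate, the client private key and the TLS key, and it is pinned only to a movable tag; pin it to the full commit SHA of that release (`uses: josiahsiegel/action-connect-ovpn@<commit-sha> # v2.0.2`) so a re-pointed tag cannot change the code that receives those secrets. The identical step in the db_rollback.yml hunk at `@@ -64,11 +64,35 @@` needs the same treatment. The `Install Liquibase` step also loses the version pin the removed `liquibase-github-actions/update@v4.26.0` line carried: `sudo apt-get install liquibase` takes whatever `stable` ships on the day and, without `-y`, may stop on a non-interactive runner if apt asks for confirmation; `sudo apt-get install -y liquibase=<pinned-version>` keeps the migration reproducible. `working-directory: ./` on the migration step is the default and can be dropped.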
@@ -28,11 +28,19 @@ resource "azurerm_resource_group" "group" { //create the PR resource group becau location = "East US" } +resource "azurerm_virtual_network" "vnet" { //create the PR resource group because it has a dynamic name that cannot be always pre-created + name = "csels-rsti-pr${var.pr_number}-moderate-app-vnet" + location = azurerm_resource_group.group.location + resource_group_name = azurerm_resource_group.group.name + + address_space = ["10.0.0.0/25"] +} + module "template" { source = "../../template/" environment = "pr${var.pr_number}" deployer_id = "d59c2c86-de5e-41b7-a752-0869a73f5a60" //github app registration in Flexion Azure Entra - depends_on = [azurerm_resource_group.group] + depends_on = [azurerm_resource_group.group, azurerm_virtual_network.vnet] } diff --git a/operations/environments/prd/main.tf b/operations/environments/prd/main.tf index f26865daf..2cae49b81 100644 --- a/operations/environments/prd/main.tf +++ b/operations/environments/prd/main.tf 
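Review bot: The comment on the new `azurerm_virtual_network` resource was carried over from the resource group above it and still reads `//create the PR resource group because it has a dynamic name that cannot be always pre-created`, which describes the wrong resource. It should explain the VNet itself, e.g. `//PR environments have no pre-created VNet, so create one here; the /25 fits the five subnets the template carves out with cidrsubnets`. The template's `subnets_cidrs` in net.tf applies newbits 2, 2, 2, 3, 3, which a /25 fills exactly (three /27 and two /28), so this comment is the right place to record that sizing dependency.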
@@ -29,4 +29,5 @@ module "template" { environment = "prd" deployer_id = "f5feabe7-5d37-40ba-94f2-e5c0760b4561" //github app registration in CDC Azure Entra + vpn_root_certificate = "MIIC5jCCAc6gAwIBAgIIeHnOQDhz00AwDQYJKoZIhvcNAQELBQAwETEPMA0GA1UEAxMGVlBOIENBMB4XDTI0MDMwODE1NDA1M1oXDTI3MDMwODE1NDA1M1owETEPMA0GA1UEAxMGVlBOIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAkgeXZ6ReEQ5HAqlXULUUdVfCMtMPmlTeCFFkhD9i5E5lRg78PyJqczHMzCB6l83O/PrLWXjT3/s/R58cfeHJg/SndGwt/2uKhj1kNW7Ivc8kF0pgSL3lDR+NSj5OPda45EY30ZlTjgygmb9MjfCT2BmgjGcfUbgm0jzgDZsk7bLUUJkL38DJP+v2M6sDxyxMjoY9gJ1Kq5Fg81serJlZHaACShuuhgiKqH3+hwvIPluK8Y40FWfiKpGRjdkAXGTmB+afMeA4L1amyticIPzzOytIHFIDMOKgJRL62UQe+alzubXkYbDtEgDCOwF8k5TRiu9MUwID34CLkp2VWnLnUwIDAQABo0IwQDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUHyrypPmh+KVb2sspeGsxboG1hQwwDQYJKoZIhvcNAQELBQADggEBAGmfFRLgqLQxedGHeXQoajHzhCvk+62lDR1xy0s2mklA3eRxzOyaXRPgmM6lbGBm6LdLxo5nxGgfD4h2vOBZl4MXOFLryLm97QtDZ34YkxGn+tugUAXpWBB/EJIynib1Ywyg6Kv6g3oYjf2bc8Ae9bOWGR0FtOGn8TvmSzKLXoUwQd0u9DEA774YtpvPxHxw69uyf8x2nekpyWNyFbR6DWJEA9M+BHeR0oGEGoc5FH6zTgstbdeNVou3NNQlRKlWD26vWeCeQvbKDK5+KuOPjjDTimGdx1GfA9z/ai/pX+K/NKvvC4JXQdW7jYYu3QFglP70esT9mBCxVQbXd49oD9M=" # pragma: allowlist secret } diff --git a/operations/environments/stg/main.tf b/operations/environments/stg/main.tf index 83cb26b98..5083831db 100644 --- a/operations/environments/stg/main.tf +++ b/operations/environments/stg/main.tf @@ -29,4 +29,5 @@ module "template" { environment = "stg" deployer_id = "f5feabe7-5d37-40ba-94f2-e5c0760b4561" //github app registration in CDC Azure Entra + vpn_root_certificate = "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" # pragma: allowlist secret } diff --git a/operations/template/app.tf b/operations/template/app.tf index 2f07d8ce1..6352c6f15 100644 --- a/operations/template/app.tf +++ b/operations/template/app.tf 
@@ -26,23 +26,31 @@ resource "azurerm_linux_web_app" "api" { https_only = true - virtual_network_subnet_id = azurerm_subnet.app.id + virtual_network_subnet_id = local.cdc_domain_environment ? azurerm_subnet.app.id : null site_config { - scm_use_main_ip_restriction = true + scm_use_main_ip_restriction = local.cdc_domain_environment ? true : null - ip_restriction { - name = "deny_all_ipv4" - action = "Deny" - ip_address = "0.0.0.0/0" - priority = "200" + dynamic "ip_restriction" { + for_each = local.cdc_domain_environment ? [1] : [] + + content { + name = "deny_all_ipv4" + action = "Deny" + ip_address = "0.0.0.0/0" + priority = "200" + } } - ip_restriction { - name = "deny_all_ipv6" - action = "Deny" - ip_address = "::/0" - priority = "201" + dynamic "ip_restriction" { + for_each = local.cdc_domain_environment ? [1] : [] + + content { + name = "deny_all_ipv6" + action = "Deny" + ip_address = "::/0" + priority = "201" + } } } diff --git a/operations/template/db.tf b/operations/template/db.tf index c1769753b..8024cca65 100644 --- a/operations/template/db.tf +++ b/operations/template/db.tf @@ -11,8 +11,8 @@ resource "azurerm_postgresql_flexible_server" "database" { storage_mb = "32768" auto_grow_enabled = true backup_retention_days = "14" - delegated_subnet_id = azurerm_subnet.database.id - private_dns_zone_id = azurerm_private_dns_zone.dns_zone.id + delegated_subnet_id = local.cdc_domain_environment ? azurerm_subnet.database.id : null + private_dns_zone_id = local.cdc_domain_environment ? azurerm_private_dns_zone.dns_zone.id : null authentication { password_auth_enabled = "false" 
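Review bot: When `local.cdc_domain_environment` is false the `site_config` ends up with no `ip_restriction` blocks and `virtual_network_subnet_id` is null, so the API and its SCM endpoint in those environments are reachable from any address; if that is the intended posture for PR environments it should be stated on the `virtual_network_subnet_id` line, e.g. `# non-CDC environments (pr) have no VNet or gateway, so the app stays publicly reachable by design`. Style: the two `dynamic "ip_restriction"` blocks share the same `for_each` condition and differ only in name, address and priority; one `dynamic` over a list holding the two rule maps would remove the duplicated structure.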
@@ -30,14 +30,14 @@ resource "azurerm_postgresql_flexible_server" "database" { } } -#resource "azurerm_postgresql_flexible_server_active_directory_administrator" "admin_for_deployer" { -# server_name = azurerm_postgresql_flexible_server.database.name -# resource_group_name = data.azurerm_resource_group.group.name -# tenant_id = data.azurerm_client_config.current.tenant_id -# object_id = var.deployer_id -# principal_name = "cdcti-github" -# principal_type = "ServicePrincipal" -#} +resource "azurerm_postgresql_flexible_server_active_directory_administrator" "admin_for_deployer" { + server_name = azurerm_postgresql_flexible_server.database.name + resource_group_name = data.azurerm_resource_group.group.name + tenant_id = data.azurerm_client_config.current.tenant_id + object_id = var.deployer_id + principal_name = "cdcti-github" + principal_type = "ServicePrincipal" +} resource "azurerm_postgresql_flexible_server_active_directory_administrator" "admin_for_app" { server_name = azurerm_postgresql_flexible_server.database.name @@ -48,9 +48,10 @@ resource "azurerm_postgresql_flexible_server_active_directory_administrator" "ad principal_type = "ServicePrincipal" } -#resource "azurerm_postgresql_flexible_server_firewall_rule" "db_firewall_5" { -# name = "AllowAzure" -# server_id = azurerm_postgresql_flexible_server.database.id -# start_ip_address = "0.0.0.0" -# end_ip_address = "0.0.0.0" -#} +resource "azurerm_postgresql_flexible_server_firewall_rule" "db_firewall_5" { + count = local.cdc_domain_environment ? 0 : 1 + name = "AllowAzure" + server_id = azurerm_postgresql_flexible_server.database.id + start_ip_address = "0.0.0.0" + end_ip_address = "0.0.0.0" +} diff --git a/operations/template/key.tf b/operations/template/key.tf index fe1dcdca3..85b02dc19 100644 --- a/operations/template/key.tf +++ b/operations/template/key.tf 
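Review bot: The `AllowAzure` rule with `start_ip_address` and `end_ip_address` both `0.0.0.0` is Azure's sentinel for admitting traffic from any Azure-hosted public IP, not only this subscription's resources; in the environments where `count` evaluates to 1 the server also has no delegated subnet (the `@@ -11,8 +11,8 @@` hunk above), so it is reachable from any Azure customer's workload and the `password_auth_enabled = "false"` setting is what limits that exposure to AAD-authenticated principals. If that is accepted for PR environments, say so on the resource, e.g. `# 0.0.0.0-0.0.0.0 is Azure's "allow Azure services" sentinel; only non-CDC environments (no VNet) use it and they are AAD-auth only`. Where the deployer's egress range is known, narrowing the rule to it would be the stronger fix.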
@@ -81,5 +81,3 @@ resource "azurerm_key_vault_secret" "trusted_intermediary_private_key" { } depends_on = [azurerm_key_vault_access_policy.allow_github_deployer] //wait for the permission that allows our deployer to write the secret } - - diff --git a/operations/template/main.tf b/operations/template/main.tf index 02060b435..4745b35af 100644 --- a/operations/template/main.tf +++ b/operations/template/main.tf @@ -7,6 +7,7 @@ locals { selected_rs_environment_prefix = lookup(local.environment_to_rs_environment_prefix_mapping, var.environment, "staging") rs_domain_prefix = "${local.selected_rs_environment_prefix}${length(local.selected_rs_environment_prefix) == 0 ? "" : "."}" higher_environment_level = var.environment == "stg" || var.environment == "prd" + cdc_domain_environment = var.environment == "dev" || var.environment == "stg" || var.environment == "prd" } data "azurerm_resource_group" "group" { diff --git a/operations/template/net.tf b/operations/template/net.tf index 6d45f882e..c888d089f 100644 --- a/operations/template/net.tf +++ b/operations/template/net.tf @@ -3,11 +3,15 @@ data "azurerm_virtual_network" "app" { resource_group_name = data.azurerm_resource_group.group.name } +locals { + subnets_cidrs = cidrsubnets(data.azurerm_virtual_network.app.address_space[0], 2, 2, 2, 3, 3) +} + resource "azurerm_subnet" "app" { name = "app" resource_group_name = data.azurerm_resource_group.group.name virtual_network_name = data.azurerm_virtual_network.app.name - address_prefixes = ["172.17.67.128/26"] + address_prefixes = [local.subnets_cidrs[0]] service_endpoints = [ "Microsoft.AzureActiveDirectory", @@ -35,7 +39,7 @@ resource "azurerm_subnet" "database" { name = "database" resource_group_name = data.azurerm_resource_group.group.name virtual_network_name = data.azurerm_virtual_network.app.name - address_prefixes = ["172.17.67.192/27"] + address_prefixes = [local.subnets_cidrs[1]] service_endpoints = [ "Microsoft.AzureActiveDirectory", 
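Review bot: `cdc_domain_environment` and `higher_environment_level` on the line above both spell out environment names with chained `==`; `contains(["dev", "stg", "prd"], var.environment)` reads as set membership and is harder to get wrong when an environment is added. The local appears to gate the subnet, private DNS and IP-restriction wiring elsewhere in this change but nothing says why, so a comment such as `# environments that live in the CDC network and get VNet-integrated app/db plus the VPN path` above it would help the next reader.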
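Review bot: Replacing the fixed `172.17.67.128/26` and `172.17.67.192/27` prefixes with `cidrsubnets(data.azurerm_virtual_network.app.address_space[0], 2, 2, 2, 3, 3)` assigns the app subnet the first quarter of the VNet and the database subnet the second; unless the existing dev/stg/prd VNet's first address space happens to produce exactly the previous two prefixes, the plan will replace both subnets, and the database subnet is delegated to the running flexible server. Check the plan for replacement before applying, and record the layout next to the local, e.g. `# app, database, GatewaySubnet = quarter each; resolver-inbound and resolver-outbound = eighths`. Only `address_space[0]` is consulted, so a VNet with more than one range would have the others ignored silently.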
@@ -59,6 +63,45 @@ resource "azurerm_subnet" "database" { } } +resource "azurerm_subnet" "vpn" { + name = "GatewaySubnet" + resource_group_name = data.azurerm_resource_group.group.name + virtual_network_name = data.azurerm_virtual_network.app.name + address_prefixes = [local.subnets_cidrs[2]] +} + +resource "azurerm_subnet" "resolver_inbound" { + name = "resolver-inbound" + resource_group_name = data.azurerm_resource_group.group.name + virtual_network_name = data.azurerm_virtual_network.app.name + address_prefixes = [local.subnets_cidrs[3]] + + delegation { + name = "delegation" + + service_delegation { + name = "Microsoft.Network/dnsResolvers" + actions = ["Microsoft.Network/virtualNetworks/subnets/join/action"] + } + } +} + +resource "azurerm_subnet" "resolver_outbound" { + name = "resolver-outbound" + resource_group_name = data.azurerm_resource_group.group.name + virtual_network_name = data.azurerm_virtual_network.app.name + address_prefixes = [local.subnets_cidrs[4]] + + delegation { + name = "delegation" + + service_delegation { + name = "Microsoft.Network/dnsResolvers" + actions = ["Microsoft.Network/virtualNetworks/subnets/join/action"] + } + } +} + resource "azurerm_private_dns_zone" "dns_zone" { name = "privateintermediary.postgres.database.azure.com" resource_group_name = data.azurerm_resource_group.group.name diff --git a/operations/template/variables.tf b/operations/template/variables.tf index 566f1a881..7344533bb 100644 --- a/operations/template/variables.tf +++ b/operations/template/variables.tf @@ -7,3 +7,9 @@ variable "deployer_id" { type = string nullable = false } + +variable "vpn_root_certificate" { + type = string + nullable = true + default = null +} diff --git a/operations/template/vpn.tf b/operations/template/vpn.tf new file mode 100644 index 000000000..0c4e7e3e9 --- /dev/null +++ b/operations/template/vpn.tf 
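Review bot: `resolver_inbound` and `resolver_outbound` differ only in name and prefix index; a single `azurerm_subnet` with `for_each = { resolver-inbound = 3, resolver-outbound = 4 }` would carry one copy of the `Microsoft.Network/dnsResolvers` delegation, with the vpn.tf references becoming `azurerm_subnet.resolver["resolver-inbound"].id` and `["resolver-outbound"]`. The `vpn` subnet is the only one whose `name` does not match its resource label; a comment like `# Azure requires the gateway subnet to be named exactly "GatewaySubnet"` explains the exception.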
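Review bot: `vpn_root_certificate` has no `description`, and the environments pass a long base64 blob marked `# pragma: allowlist secret`, so the variable alone does not tell a reader what format it expects or what happens when it is left null. A description such as `Base64-encoded DER of the point-to-site VPN root CA public certificate; null leaves the gateway without a client configuration` matches how vpn.tf consumes it (`for_each = var.vpn_root_certificate != null ? [1] : []`).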
@@ -0,0 +1,67 @@ + +resource "azurerm_public_ip" "vpn" { + name = "vpn-public-ip" + location = data.azurerm_resource_group.group.location + resource_group_name = data.azurerm_resource_group.group.name + + allocation_method = "Dynamic" +} + +resource "azurerm_virtual_network_gateway" "vpn" { + name = "${var.environment}-vpn" + location = data.azurerm_resource_group.group.location + resource_group_name = data.azurerm_resource_group.group.name + + type = "Vpn" + vpn_type = "RouteBased" + + active_active = false + enable_bgp = false + sku = "VpnGw1" + + ip_configuration { + public_ip_address_id = azurerm_public_ip.vpn.id + private_ip_address_allocation = "Dynamic" + subnet_id = azurerm_subnet.vpn.id + } + + dynamic "vpn_client_configuration" { + for_each = var.vpn_root_certificate != null ? [1] : [] + content { + address_space = ["192.168.0.0/16"] + vpn_auth_types = ["Certificate"] + vpn_client_protocols = ["OpenVPN"] + + root_certificate { + name = "vpn-cert" + public_cert_data = var.vpn_root_certificate + } + } + } +} + +resource "azurerm_private_dns_resolver" "private_zone_resolver" { + name = "private-resolve-${var.environment}" + resource_group_name = data.azurerm_resource_group.group.name + location = data.azurerm_resource_group.group.location + virtual_network_id = data.azurerm_virtual_network.app.id +} + + +resource "azurerm_private_dns_resolver_inbound_endpoint" "resolver_inbound_endpoint" { + name = "endpoint-inbound-${var.environment}" + private_dns_resolver_id = azurerm_private_dns_resolver.private_zone_resolver.id + location = azurerm_private_dns_resolver.private_zone_resolver.location + + ip_configurations { + private_ip_allocation_method = "Dynamic" + subnet_id = azurerm_subnet.resolver_inbound.id + } +} + +resource "azurerm_private_dns_resolver_outbound_endpoint" "resolver_outbound_endpoint" { + name = "endpoint-outbound-${var.environment}" + private_dns_resolver_id = azurerm_private_dns_resolver.private_zone_resolver.id + location = 
azurerm_private_dns_resolver.private_zone_resolver.location + subnet_id = azurerm_subnet.resolver_outbound.id +} diff --git a/operations/vpn/dev.ovpn b/operations/vpn/dev.ovpn new file mode 100644 index 000000000..ff7a4d225 --- /dev/null +++ b/operations/vpn/dev.ovpn @@ -0,0 +1,48 @@ +client +remote azuregateway-d84e0077-7de0-48f3-b087-b3759344ba44-7322fc20c350.vpn.azure.com 443 +verify-x509-name d84e0077-7de0-48f3-b087-b3759344ba44.vpn.azure.com name +remote-cert-tls server + +dev tun +proto tcp +resolv-retry infinite +nobind + +auth SHA256 +cipher AES-256-GCM +persist-key +persist-tun + +tls-timeout 30 +tls-version-min 1.2 +key-direction 1 + +dhcp-option DNS 172.17.67.228 +dhcp-option DOMAIN azure.net +dhcp-option DOMAIN azure.com +dhcp-option DOMAIN azurewebsites.net +dhcp-option DOMAIN windows.net + +verb 3 + +# P2S CA root certificate +ca ca.crt + +# Pre Shared Key +tls-auth tls.key + +# P2S client certificate +# Please fill this field with a PEM formatted client certificate +# Alternatively, configure 'cert PATH_TO_CLIENT_CERT' to use input from a PEM certificate file. +cert user.crt + +# P2S client certificate private key +# Please fill this field with a PEM formatted private key of the client certificate. +# Alternatively, configure 'key PATH_TO_CLIENT_KEY' to use input from a PEM key file. +key user.key + +# DNS +script-security 2 +up /etc/openvpn/update-systemd-resolved +down /etc/openvpn/update-systemd-resolved +down-pre
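Review bot: Neither `azurerm_public_ip.vpn` nor `azurerm_virtual_network_gateway.vpn` is conditional, so every environment the template is applied to, including the `pr${var.pr_number}` ones that pass no `vpn_root_certificate`, gets a VpnGw1 gateway that nothing can connect to, which is typically slow and costly to provision. Adding `count = var.vpn_root_certificate != null ? 1 : 0` to the public IP, the gateway and `azurerm_subnet.vpn` in net.tf (with `[0]` on their cross-references) would limit the gateway to environments that actually configured a root certificate. The `address_space = ["192.168.0.0/16"]` client pool is a bare constant; `# client address pool; must not overlap the VNet or the connecting runner's network` records the constraint it has to satisfy. The inbound resolver endpoint is `private_ip_allocation_method = "Dynamic"`, which matters if the .ovpn profiles hard-code its address (see the dev.ovpn hunk).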
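Review bot: `dhcp-option DNS 172.17.67.228` hard-codes the resolver address pushed to clients, while the inbound resolver endpoint in vpn.tf is allocated with `private_ip_allocation_method = "Dynamic"`; if this is that endpoint, a redeploy can move it and name resolution over the tunnel (and with it the `PING_URL` check against the database hostname) breaks with no change to this file. Either allocate the endpoint statically in Terraform or add a comment naming the source of the value, e.g. `# inbound endpoint of the dev private DNS resolver (operations/template/vpn.tf)`. The profile otherwise pins `tls-version-min 1.2`, `remote-cert-tls server` and `verify-x509-name`, which is the right shape for a client config whose certificates and keys are supplied at runtime by the connect action rather than committed.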