add ssh key to module

Azure · Oct 5, 2023 · deee58f · deee58f
1 parent e25785c
commit deee58f
Show file tree

Hide file tree

Showing 5 changed files with 74 additions and 41 deletions.
diff --git a/quickstart/201-azfw-with-ipgroups/main.tf b/quickstart/201-azfw-with-ipgroups/main.tf
@@ -50,35 +50,35 @@ resource "azurerm_firewall_policy" "azfw_policy" {
 }
 
 resource "azurerm_firewall_policy_rule_collection_group" "prcg" {
-    name = "prcg"
-    firewall_policy_id = azurerm_firewall_policy.azfw_policy.id
-    priority = 300
-    application_rule_collection {
-      name = "app-rule-collection-1"
-      priority = 101
-      action = "Allow"
-      rule {
-        name = "someAppRule"
-        protocols {
-          type = "Https"
-          port = 443
-        }
-        destination_fqdns = [ "*bing.com" ]
-        source_ip_groups = [ azurerm_ip_group.ip_group_1.id ]
+  name               = "prcg"
+  firewall_policy_id = azurerm_firewall_policy.azfw_policy.id
+  priority           = 300
+  application_rule_collection {
+    name     = "app-rule-collection-1"
+    priority = 101
+    action   = "Allow"
+    rule {
+      name = "someAppRule"
+      protocols {
+        type = "Https"
+        port = 443
       }
+      destination_fqdns = ["*bing.com"]
+      source_ip_groups  = [azurerm_ip_group.ip_group_1.id]
     }
-    network_rule_collection {
-      name = "net-rule-collection-1"
-      priority = 200
-      action = "Allow"
-      rule {
-        name = "someNetRule"
-        protocols = [ "TCP", "UDP", "ICMP" ]
-        source_ip_groups = [ azurerm_ip_group.ip_group_1.id ]
-        destination_ip_groups = [ azurerm_ip_group.ip_group_2.id ]
-        destination_ports = ["90"]
-      }
+  }
+  network_rule_collection {
+    name     = "net-rule-collection-1"
+    priority = 200
+    action   = "Allow"
+    rule {
+      name                  = "someNetRule"
+      protocols             = ["TCP", "UDP", "ICMP"]
+      source_ip_groups      = [azurerm_ip_group.ip_group_1.id]
+      destination_ip_groups = [azurerm_ip_group.ip_group_2.id]
+      destination_ports     = ["90"]
     }
+  }
 }
 
 resource "azurerm_firewall" "fw" {
@@ -184,7 +184,7 @@ resource "azurerm_network_security_group" "vm_jump_nsg" {
     priority                   = 1000
     direction                  = "Inbound"
     access                     = "Allow"
-    protocol                   = "Tcp"
+    protocol                   = "SSH"
     source_port_range          = "*"
     destination_port_range     = "22"
     source_address_prefix      = "*"
@@ -208,8 +208,10 @@ resource "azurerm_linux_virtual_machine" "vm_server" {
   location                        = azurerm_resource_group.rg.location
   size                            = var.virtual_machine_size
   admin_username                  = var.admin_username
-  admin_password                  = random_password.password.result
-  disable_password_authentication = false
+  admin_ssh_key {
+    username   = var.admin_username
+    public_key = jsondecode(azapi_resource_action.ssh_public_key_gen.output).publicKey
+  }
   network_interface_ids           = [azurerm_network_interface.vm_server_nic.id]
   os_disk {
     caching              = "ReadWrite"
@@ -227,18 +229,20 @@ resource "azurerm_linux_virtual_machine" "vm_server" {
 }
 
 resource "azurerm_linux_virtual_machine" "vm_jump" {
-  name                            = "jump-vm"
-  resource_group_name             = azurerm_resource_group.rg.name
-  location                        = azurerm_resource_group.rg.location
-  size                            = var.virtual_machine_size
-  admin_username                  = var.admin_username
-  admin_password                  = random_password.password.result
-  disable_password_authentication = false
-  network_interface_ids           = [azurerm_network_interface.vm_jump_nic.id]
+  name                  = "jump-vm"
+  resource_group_name   = azurerm_resource_group.rg.name
+  location              = azurerm_resource_group.rg.location
+  size                  = var.virtual_machine_size
+  network_interface_ids = [azurerm_network_interface.vm_jump_nic.id]
+  admin_username        = var.admin_username
   os_disk {
     caching              = "ReadWrite"
     storage_account_type = "Standard_LRS"
   }
+  admin_ssh_key {
+    username   = var.admin_username
+    public_key = jsondecode(azapi_resource_action.ssh_public_key_gen.output).publicKey
+  }
   source_image_reference {
     publisher = "Canonical"
     offer     = "UbuntuServer"

diff --git a/quickstart/201-azfw-with-ipgroups/providers.tf b/quickstart/201-azfw-with-ipgroups/providers.tf
@@ -8,6 +8,10 @@ terraform {
       source  = "hashicorp/random"
       version = "~>3.0"
     }
+    azapi = {
+      source  = "azure/azapi"
+      version = "~>1.5"
+    }
   }
 }
 

diff --git a/quickstart/201-azfw-with-ipgroups/readme.md b/quickstart/201-azfw-with-ipgroups/readme.md
@@ -29,8 +29,8 @@ This template deploys an [Azure Firewall](https://registry.terraform.io/provider
 |-|-|-|
 | `resource_group_location`    | Location of the resource group                                                                                                          | eastus         |
 | `firewall_sku_tier`          | SKU size for your Firewall and Firewall Policy. Possible values: Standard, Premium                                                      | Premium        |
-| `resource_group_name_prefix` |  Prefix of the resource group name that's combined with a random ID so that name is unique in your Azure subscription.                  | rg             |
+| `resource_group_name_prefix` | Prefix of the resource group name that's combined with a random ID so that name is unique in your Azure subscription.                   | rg             |
 | `virtual_machine_size`       | SKU size for your jump and workload VMs                                                                                                 | Standard_D2_v3 |
-| `admin_username`             | THe admin username for the jump and workload VMs                                                                                        | azureuser      |
+| `admin_username`             | The admin username for the jump and workload VMs                                                                                        | azureuser      |
 
 ## Example
diff --git a/quickstart/201-azfw-with-ipgroups/ssh.tf b/quickstart/201-azfw-with-ipgroups/ssh.tf
@@ -0,0 +1,25 @@
+resource "random_pet" "ssh_key_name" {
+  prefix    = "ssh"
+  separator = ""
+}
+
+resource "azapi_resource_action" "ssh_public_key_gen" {
+  type        = "Microsoft.Compute/sshPublicKeys@2022-11-01"
+  resource_id = azapi_resource.ssh_public_key.id
+  action      = "generateKeyPair"
+  method      = "POST"
+
+  response_export_values = ["publicKey", "privateKey"]
+}
+
+resource "azapi_resource" "ssh_public_key" {
+  type      = "Microsoft.Compute/sshPublicKeys@2022-11-01"
+  name      = random_pet.ssh_key_name.id
+  location  = azurerm_resource_group.rg.location
+  parent_id = azurerm_resource_group.rg.id
+}
+
+output "key_data" {
+  value = jsondecode(azapi_resource_action.ssh_public_key_gen.output).publicKey
+}
+
diff --git a/quickstart/201-azfw-with-ipgroups/variables.tf b/quickstart/201-azfw-with-ipgroups/variables.tf
@@ -27,7 +27,7 @@ variable "virtual_machine_size" {
 }
 
 variable "admin_username" {
-  type = string
+  type        = string
   description = "value of the admin username."
-  default = "azureuser"
+  default     = "azureuser"
 }