windows servers for ad

jmcalalang · Jan 17, 2024 · 9bf7444 · 9bf7444
1 parent d713270
commit 9bf7444
Show file tree

Hide file tree

Showing 8 changed files with 398 additions and 3 deletions.
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
@@ -17,9 +17,53 @@ on:
   # Allows you to run this workflow manually from the Actions tab
   workflow_dispatch:
 
-# jobs for Argo, BIG-IP, F5XC, GoDaddy, Kubernetes, and NGINX
+# jobs for Argo, Active Directory, BIG-IP, F5XC, GoDaddy, Kubernetes, and NGINX
 jobs:
 
+  Active-Directory-Terraform-Infrastructure:
+    # The type of runner that the job will run on
+    runs-on: ubuntu-20.04
+    needs: [Cloud-Network-Terraform-Infrastructure]
+
+    # Environment Variables
+    env:
+      ARM_CLIENT_ID: ${{ secrets.AZURE_APPID }}
+      ARM_CLIENT_SECRET: ${{ secrets.AZURE_PASSWORD }}
+      ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION }}
+      ARM_TENANT_ID: ${{ secrets.AZURE_TENANT }}
+      TF_VAR_active-directory-username: ${{ secrets.ACTIVE_DIRECTORY_USER }}
+      TF_VAR_active-directory-password: ${{ secrets.ACTIVE_DIRECTORY_PASSWORD }}
+
+    # Where are the Terraform files
+    defaults:
+      run:
+        working-directory: services/active-directory/terraform/infrastructure
+
+    # Steps represent a sequence of tasks that will be executed as part of the job
+    steps:
+      - uses: actions/checkout@v3
+
+      - uses: hashicorp/setup-terraform@v2
+        with:
+          terraform_version: 1.6.3
+
+      - name: Terraform Active-Directory-Terraform-Infrastructure fmt
+        id: fmt
+        run: terraform fmt -check
+        continue-on-error: false
+
+      - name: Terraform Active-Directory-Terraform-Infrastructure Init
+        id: init
+        run: terraform init -backend-config="hostname=${{ secrets.TF_CLOUD_HOSTNAME }}" -backend-config="organization=${{ secrets.TF_CLOUD_ORGANIZATION }}" -backend-config="token=${{ secrets.TF_CLOUD_TOKEN }}"
+
+      - name: Terraform Active-Directory-Terraform-Infrastructure Validate
+        id: validate
+        run: terraform validate -no-color
+
+      - name: Terraform Active-Directory-Terraform-Infrastructure Apply
+        id: apply
+        run: terraform apply --auto-approve
+
 ########################################################################################################
 
   Argo-Terraform-Configuration:
@@ -658,4 +702,4 @@ jobs:
 
       - name: Terraform NGINX-Terraform-Infrastructure Apply
         id: apply
-        run: terraform apply --auto-approve
+        run: terraform apply --auto-approve
diff --git a/distributed-cloud/terraform/configuration/http-lb-nginx-calalang-net.tf b/distributed-cloud/terraform/configuration/http-lb-nginx-calalang-net.tf
@@ -1,5 +1,6 @@
 # HTTP Load Balancer for NGINX Servers
 
+# Load Balancer
 resource "volterra_http_loadbalancer" "http-lb-nginx-calalang-net" {
   name      = "http-lb-nginx-calalang-net"
   namespace = var.namespace
@@ -66,6 +67,24 @@ resource "volterra_http_loadbalancer" "http-lb-nginx-calalang-net" {
     name      = volterra_app_firewall.app-firewall-threat-campaigns.name
     namespace = var.namespace
   }
+  waf_exclusion_rules {
+    metadata {
+      name    = "waf-exclusion-rules"
+      disable = false
+    }
+    exact_value = "nginx.calalang.net"
+    methods     = ["GET"]
+    app_firewall_detection_control {
+      exclude_signature_contexts {
+        signature_id = 000000000
+        context      = "CONTEXT_URL"
+      }
+      exclude_signature_contexts {
+        signature_id = 000000001
+        context      = "CONTEXT_URL"
+      }
+    }
+  }
   add_location = true
   cookie_stickiness {
     name = "NGINXStickiness"
@@ -88,4 +107,4 @@ resource "volterra_http_loadbalancer" "http-lb-nginx-calalang-net" {
     ignore_changes = [labels]
   }
 
-}
+}
diff --git a/...tive-directory/terraform/infrastructure/files/bootstrap-instance-group-azure-instances.sh b/...tive-directory/terraform/infrastructure/files/bootstrap-instance-group-azure-instances.sh
@@ -0,0 +1,44 @@
+#! /bin/bash
+
+# Install the NGINX Agent and bind to instance group api
+curl -k https://${nms-hostname}/install/nginx-agent > install.sh && sudo sh install.sh -g azure-instances && sudo systemctl start nginx-agent
+
+# install nginx modules
+
+# curl -k https://${nms-hostname}/install/nginx-plus-module-metrics | sudo sh
+
+sudo apt-get install nginx-plus-module-njs
+
+# Append to nginx-agent.conf the app-protect monitoring
+cat << EOF | sudo tee -a /etc/nginx-agent/nginx-agent.conf
+
+# Enable reporting NGINX App Protect details to the control plane.
+nginx_app_protect:
+  # Report interval for NGINX App Protect details - the frequency at which NGINX Agent checks NGINX App Protect for changes.
+  report_interval: 15s
+# NGINX App Protect Monitoring config
+nap_monitoring:
+  # Buffer size for collector. Will contain log lines and parsed log lines
+  collector_buffer_size: 50000
+  # Buffer size for processor. Will contain log lines and parsed log lines
+  processor_buffer_size: 50000
+  # Syslog server IP address the collector will be listening to
+  syslog_ip: "127.0.0.1"
+  # Syslog server port the collector will be listening to
+  syslog_port: 514
+
+EOF
+
+# Append to agent-dynamic.conf for tags
+cat << EOF | sudo tee -a /etc/nginx-agent/agent-dynamic.conf
+
+tags:
+    - azure-instances
+
+EOF
+
+# Restart NGINX
+sudo systemctl restart nginx
+
+# Restart NGINX Agent
+sudo systemctl restart nginx-agent
diff --git a/services/active-directory/terraform/infrastructure/nginxInstances.tf b/services/active-directory/terraform/infrastructure/nginxInstances.tf
@@ -0,0 +1,143 @@
+## Active Directory Instances Terraform
+
+# Random uuid generator
+resource "random_uuid" "active-directory-random-uuid" {
+  count = sum([var.active-directory-instance-count])
+}
+
+# Data of an existing subnet
+data "azurerm_subnet" "existing" {
+  name                 = var.existing_internal_subnet_name
+  virtual_network_name = var.existing_subnet_vnet
+  resource_group_name  = var.existing_subnet_resource_group
+}
+
+################################# Active Directory Azure Instance Group #################################
+
+# Active Directory API Gateway Security Groups
+
+resource "azurerm_network_security_group" "active-directory-instances-sg" {
+  name                = "active-directory-instances-sg"
+  location            = azurerm_resource_group.active-directory-resource-group.location
+  resource_group_name = azurerm_resource_group.active-directory-resource-group.name
+
+  tags = {
+    environment = var.tag_environment
+    resource    = var.tag_resource_type
+    Owner       = var.tag_owner
+  }
+}
+
+resource "azurerm_network_interface_security_group_association" "active-directory-instances-sg" {
+  network_interface_id      = azurerm_network_interface.nic-instances[count.index].id
+  network_security_group_id = azurerm_network_security_group.active-directory-instances-sg.id
+  count                     = sum([var.active-directory-instance-count])
+}
+
+# Active Directory Instances NICs
+resource "azurerm_network_interface" "nic-instances" {
+  name                = "nic-${random_uuid.active-directory-random-uuid[1].result}-${count.index}"
+  location            = azurerm_resource_group.active-directory-resource-group.location
+  resource_group_name = azurerm_resource_group.active-directory-resource-group.name
+  count               = sum([var.active-directory-instance-count])
+
+  ip_configuration {
+    name                          = "if-config"
+    subnet_id                     = data.azurerm_subnet.existing.id
+    private_ip_address_allocation = "Dynamic"
+  }
+
+  tags = {
+    environment = var.tag_environment
+    resource    = var.tag_resource_type
+    Owner       = var.tag_owner
+    windows     = var.active-directory-instance-sku
+  }
+}
+
+# Active Directory Instances
+resource "azurerm_virtual_machine" "active-directory-instance" {
+  name                             = "active-directory-${random_uuid.active-directory-random-uuid[1].result}-${count.index}"
+  location                         = azurerm_resource_group.active-directory-resource-group.location
+  resource_group_name              = azurerm_resource_group.active-directory-resource-group.name
+  network_interface_ids            = [azurerm_network_interface.nic-instances[count.index].id]
+  vm_size                          = "Standard_B1s"
+  delete_data_disks_on_termination = true
+  delete_os_disk_on_termination    = true
+  availability_set_id              = azurerm_availability_set.active-directory-instance.id
+  count                            = sum([var.active-directory-instance-count])
+
+  # az vm image list -p nginxinc --all -f nginx_plus_with_nginx_app_protect_developer -s debian
+  plan {
+    publisher = "nginxinc"
+    product   = var.active-directory-instance-offer
+    name      = var.active-directory-instance-sku
+  }
+
+  storage_image_reference {
+    publisher = "nginxinc"
+    offer     = var.active-directory-instance-offer
+    sku       = var.active-directory-instance-sku
+    version   = var.active-directory-instance-version
+  }
+
+  storage_os_disk {
+    name              = "os-disk-${random_uuid.active-directory-random-uuid[1].result}-${count.index}"
+    caching           = "ReadWrite"
+    create_option     = "FromImage"
+    managed_disk_type = "Standard_LRS"
+  }
+
+  os_profile {
+    computer_name  = "active-directory-${random_uuid.active-directory-random-uuid[1].result}-${count.index}"
+    admin_username = var.active-directory-username
+    admin_password = var.active-directory-password
+    custom_data    = base64encode(data.template_file.bootstrap-instance-group-azure-instances.rendered)
+  }
+
+  os_profile_linux_config {
+    disable_password_authentication = false
+  }
+
+  tags = {
+    environment = var.tag_environment
+    resource    = var.tag_resource_type
+    Owner       = var.tag_owner
+    windows     = var.active-directory-instance-sku
+  }
+}
+
+# Active Directory Instances bootstrapping file
+# data "template_file" "bootstrap-instance-group-azure-instances" {
+#  template = templatefile("${path.module}/files/bootstrap-instance-group-azure-instances.sh", { nms-hostname = var.nms-hostname })
+# }
+
+## Availability Set
+resource "azurerm_availability_set" "active-directory-instance" {
+  name                = "aset-${random_uuid.active-directory-random-uuid[1].result}"
+  location            = var.location
+  resource_group_name = azurerm_resource_group.active-directory-resource-group.name
+
+  tags = {
+    environment = var.tag_environment
+    resource    = var.tag_resource_type
+    Owner       = var.tag_owner
+    windows     = var.active-directory-instance-sku
+  }
+}
+
+# Active Directory Instances Shutdown Schedule
+resource "azurerm_dev_test_global_vm_shutdown_schedule" "instance-group-azure-instances" {
+  virtual_machine_id    = azurerm_virtual_machine.active-directory-instance[count.index].id
+  location              = var.location
+  enabled               = true
+  daily_recurrence_time = "1900"
+  timezone              = "Pacific Standard Time"
+  count                 = sum([var.active-directory-instance-count])
+
+  notification_settings {
+    enabled         = true
+    time_in_minutes = "30"
+    email           = var.notification_email
+  }
+}
diff --git a/services/active-directory/terraform/infrastructure/provider.tf b/services/active-directory/terraform/infrastructure/provider.tf
@@ -0,0 +1,37 @@
+# Main Terraform Provider
+
+## Remove backend "remote" to run terraform state locally
+
+terraform {
+  backend "remote" {
+    organization = {}
+    hostname     = {}
+    token        = {}
+    workspaces {
+      name = "active-directory-terraform-infrastructure-state"
+    }
+  }
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = ">= 3.57.0"
+    }
+    random = {
+      source  = "hashicorp/random"
+      version = ">= 3.4.3"
+    }
+  }
+}
+
+# Provider Options
+
+provider "azurerm" {
+  features {
+    resource_group {
+      prevent_deletion_if_contains_resources = false
+    }
+  }
+}
+provider "random" {
+  # Configuration options
+}
diff --git a/services/active-directory/terraform/infrastructure/resourceGroup.tf b/services/active-directory/terraform/infrastructure/resourceGroup.tf
@@ -0,0 +1,13 @@
+## Resource Group for NGINX resources
+
+resource "azurerm_resource_group" "nginx-resource-group" {
+  name     = var.resource_group_name
+  location = var.location
+
+  tags = {
+    environment = var.tag_environment
+    resource    = var.tag_resource_type
+    Owner       = var.tag_owner
+  }
+
+}
diff --git a/services/active-directory/terraform/infrastructure/variables.auto.tfvars b/services/active-directory/terraform/infrastructure/variables.auto.tfvars
@@ -0,0 +1,22 @@
+# Azure variables
+
+location                       = "westus2"
+resource_group_name            = "calalang-active-directory-rg"
+tag_owner                      = "[email protected]"
+tag_resource_type              = "active-directory"
+tag_environment                = "lab"
+notification_email             = "[email protected]"
+existing_internal_subnet_name  = "internal"
+existing_external_subnet_name  = "external"
+existing_mgmt_subnet_name      = "management"
+existing_subnet_vnet           = "azure-10-0-0-0-16-vnet"
+existing_subnet_resource_group = "calalang-networking-rg"
+
+# Active Directory variables
+
+# az vm image list -p MicrosoftWindowsServer --all -f WindowsServer -s 2022-datacenter-g2
+
+active-directory-instance-offer   = "WindowsServer"
+active-directory-instance-sku     = "2022-datacenter-g2"
+active-directory-instance-version = "20348.2227.240104"
+active-directory-instance-count   = 1