diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index f58ffe3..f2b5bf8 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -27,12 +27,6 @@ jobs: - name: Ensure code is formatted run: terraform fmt -diff -check -recursive - - name: Terraform Init - run: terraform init -backend=false - - - name: Terraform Validate - run: terraform validate - - uses: actions/cache@v4 name: Cache TFLint plugin dir with: @@ -51,6 +45,21 @@ jobs: - name: Run TFLint run: tflint + - name: Azure Login + uses: azure/login@v2 + with: + creds: ${{ secrets.AZURE_CREDENTIALS }} + + - name: Terraform Init + run: terraform init -backend=false + + - name: Terraform Plan + run: | + terraform plan -input=false -refresh=false + + - name: Terraform Validate + run: terraform validate + - name: Pull Checkov image run: docker pull bridgecrew/checkov:latest diff --git a/main.tf b/main.tf index 722db28..25601f5 100644 --- a/main.tf +++ b/main.tf @@ -1,4 +1,29 @@ locals { + ubuntu_vm_network_security_rules = [ + { + name = "Allow-HTTP-From-Internet-To-VM" + priority = 100 + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_range = "*" + destination_port_range = 80 + source_address_prefix = "Internet" + destination_address_prefix = "10.0.0.10/32" + }, + { + name = "Allow-SSH-From-Internet-To-VM" + priority = 200 + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_range = "*" + destination_port_range = 22 + source_address_prefix = "Internet" + destination_address_prefix = "10.0.0.10/32" + } + ] + tags = { creator = "terraform" environment = "playground" @@ -28,7 +53,7 @@ resource "azurerm_subnet" "this" { address_prefixes = ["10.0.0.0/28"] } -resource "azurerm_public_ip" "vm_ubuntu" { +resource "azurerm_public_ip" "ubuntu_vm" { name = "pip-ubuntu" resource_group_name = azurerm_resource_group.playground.name location = azurerm_resource_group.playground.location 
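Review bot: The new `Terraform Plan` step runs `terraform plan -input=false -refresh=false` right after `terraform init -backend=false`, and with providers.tf now declaring `backend "azurerm" {}` Terraform is likely to refuse the plan with a "backend initialization required" error rather than produce output; either initialise the backend before planning (`terraform init -backend-config=<PLACEHOLDER_BACKEND_CONFIG>`) or drop the Plan step and keep the job validate-only, which would also remove the need for `Azure Login`. `Terraform Validate` is placed after Plan although it needs no credentials; moving it ahead of `Azure Login` keeps the cheap check running even when `secrets.AZURE_CREDENTIALS` is unavailable to the run. Since `creds` consumes a long-lived service-principal secret, the federated (OIDC) form of `azure/login` via its `client-id`/`tenant-id`/`subscription-id` inputs plus `permissions: id-token: write` would avoid storing a credential in the repository at all.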
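Review bot: The `Allow-SSH-From-Internet-To-VM` entry in `local.ubuntu_vm_network_security_rules` keeps TCP 22 reachable from `source_address_prefix = "Internet"`; the rule itself is carried over from the removed module, but now that it is rendered directly into `azurerm_network_security_group.ubuntu_vm` the Checkov step later in ci.yml will presumably evaluate it and report SSH open to the internet. Narrowing the source to an administrative range (`source_address_prefix = "<ADMIN_CIDR_PLACEHOLDER>"`) or removing the rule in favour of Azure Bastion / just-in-time access would close the exposure. `destination_port_range = 80` and `= 22` are numbers where the provider attribute is a string; Terraform coerces them, but writing `"80"` and `"22"` avoids a type mismatch if the local is ever constrained with an object type.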
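Review bot: Renaming `azurerm_public_ip.vm_ubuntu` to `azurerm_public_ip.ubuntu_vm` without a `moved` block makes Terraform plan a destroy and re-create of the public IP, which changes the VM's public address; the same applies to the renamed network interface in the next hunk, to `module.vm_ubuntu` becoming `module.ubuntu_vm`, and to `module.nsg_vm_ubuntu` being replaced by `azurerm_network_security_group.ubuntu_vm` in the last main.tf hunk, where the NSG and its association would also be recreated. Add one `moved` block per renamed address, e.g. with `from = azurerm_public_ip.vm_ubuntu` and `to = azurerm_public_ip.ubuntu_vm`, so existing state is re-addressed instead of replaced. Because the CI plan runs against an init with `-backend=false`, the pipeline would not surface this replacement before apply.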
@@ -40,7 +65,7 @@ resource "azurerm_public_ip" "vm_ubuntu" {
 tags = local.tags
 }
 
-resource "azurerm_network_interface" "vm_ubuntu" {
+resource "azurerm_network_interface" "ubuntu_vm" {
 name = "nic-ubuntu"
 location = azurerm_virtual_network.this.location
 resource_group_name = azurerm_subnet.this.resource_group_name 
@@ -51,61 +76,50 @@ resource "azurerm_network_interface" "vm_ubuntu" { private_ip_address_version = "IPv4" private_ip_address_allocation = "Static" private_ip_address = "10.0.0.10" - public_ip_address_id = azurerm_public_ip.vm_ubuntu.id + public_ip_address_id = azurerm_public_ip.ubuntu_vm.id } tags = local.tags } -module "vm_ubuntu" { +module "ubuntu_vm" { source = "./modules/linux_virtual_machine/" name = "vm-ubuntu" - resource_group_name = azurerm_network_interface.vm_ubuntu.resource_group_name - location = azurerm_network_interface.vm_ubuntu.location + resource_group_name = azurerm_network_interface.ubuntu_vm.resource_group_name + location = azurerm_network_interface.ubuntu_vm.location size = "Standard_B2s" admin_username = "wozorio" - network_interface_ids = [azurerm_network_interface.vm_ubuntu.id] + network_interface_ids = [azurerm_network_interface.ubuntu_vm.id] tags = local.tags } -module "nsg_vm_ubuntu" { - source = "./modules/network_security_group/" - +resource "azurerm_network_security_group" "ubuntu_vm" { name = "nsg-ubuntu" location = azurerm_resource_group.playground.location resource_group_name = azurerm_resource_group.playground.name - security_rules = [ - { - name = "Allow-HTTP-From-Internet-To-VM" - priority = 100 - direction = "Inbound" - access = "Allow" - protocol = "Tcp" - source_port_range = "*" - destination_port_range = 80 - source_address_prefix = "Internet" - destination_address_prefix = "10.0.0.10/32" - }, - { - name = "Allow-SSH-From-Internet-To-VM" - priority = 200 - direction = "Inbound" - access = "Allow" - protocol = "Tcp" - source_port_range = "*" - destination_port_range = 22 - source_address_prefix = "Internet" - destination_address_prefix = "10.0.0.10/32" + dynamic "security_rule" { + for_each = local.ubuntu_vm_network_security_rules + + content { + name = security_rule.value.name + priority = security_rule.value.priority + direction = security_rule.value.direction + access = security_rule.value.access + protocol = 
security_rule.value.protocol + source_port_range = security_rule.value.source_port_range + destination_port_range = security_rule.value.destination_port_range + source_address_prefix = security_rule.value.source_address_prefix + destination_address_prefix = security_rule.value.destination_address_prefix } - ] + } tags = local.tags } -resource "azurerm_network_interface_security_group_association" "vm_ubuntu" { - network_interface_id = azurerm_network_interface.vm_ubuntu.id - network_security_group_id = module.nsg_vm_ubuntu.id +resource "azurerm_network_interface_security_group_association" "ubuntu_vm" { + network_interface_id = azurerm_network_interface.ubuntu_vm.id + network_security_group_id = azurerm_network_security_group.ubuntu_vm.id } diff --git a/providers.tf b/providers.tf index 4db4b36..4a75087 100644 --- a/providers.tf +++ b/providers.tf @@ -1,9 +1,5 @@ terraform { - backend "azurerm" { - storage_account_name = "stterraformwozorio" - container_name = "tfstate" - key = "playground.tfstate" - } + backend "azurerm" {} } provider "azurerm" {
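Review bot: `backend "azurerm" {}` is now a partial configuration, so any `terraform init` that actually initialises the backend must receive `storage_account_name`, `container_name` and `key` through `-backend-config=` arguments or a `-backend-config=<PLACEHOLDER_BACKEND_HCL>` file; the commit does not show where those values now live, and the only init in ci.yml uses `-backend=false`. A comment on the empty block, e.g. `# Partial backend configuration: supply storage_account_name, container_name and key via -backend-config at init`, would tell the next reader how to initialise the state backend. If the values are intentionally kept out of the repository, state that too and make sure the local backend-config file is excluded from version control.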