Caravan Infra Azure

Caravan 2021 Azure

Setup

# SUBSCRIPTION_ID where to create resources
# PARENT_RESOURCE_GROUP that contains VM images and shared DNS
# LOCATION where to create resources
# PREFIX prepended to all resource names
./project-setup.sh SUBSCRIPTION_ID PARENT_RESOURCE_GROUP LOCATION PREFIX

Teardown

# SUBSCRIPTION_ID where to create resources
# PREFIX prepended to all resource names
./project-cleanup.sh SUBSCRIPTION_ID PREFIX

Usage

terraform init
terraform apply -var-file azure.tfvars

Requirements

Name

Version

terraform

~> 0.15.4

azuread

~> 1.0

azurerm

~> 2.0

Providers

Name

Version

azuread

1.6.0

azurerm

2.69.0

local

2.1.0

null

3.1.0

random

3.1.0

tls

3.1.0

Modules

Name

Source

Version

caravan_bootstrap

git::https://github.com/bitrockteam/caravan-bootstrap

refs/tags/v0.2.13

cloud_init_control_plane

git::https://github.com/bitrockteam/caravan-cloudinit

refs/tags/v0.1.13

cloud_init_worker_plane

git::https://github.com/bitrockteam/caravan-cloudinit

refs/tags/v0.1.9

terraform_acme_le

git::https://github.com/bitrockteam/caravan-acme-le

refs/tags/v0.0.11

Resources

Name

Type

azuread_application.vault

resource

azuread_application_password.vault

resource

azuread_service_principal.vault

resource

azurerm_application_gateway.this

resource

azurerm_application_security_group.control_plane

resource

azurerm_application_security_group.monitoring

resource

azurerm_application_security_group.worker_plane

resource

azurerm_dns_a_record.control_plane_internal

resource

azurerm_dns_a_record.star

resource

azurerm_dns_ns_record.this

resource

azurerm_dns_zone.this

resource

azurerm_key_vault.key_vault

resource

azurerm_key_vault_access_policy.control_plane

resource

azurerm_key_vault_access_policy.self

resource

azurerm_key_vault_key.key

resource

azurerm_linux_virtual_machine.control_plane

resource

azurerm_linux_virtual_machine.monitoring

resource

azurerm_linux_virtual_machine_scale_set.worker_plane

resource

azurerm_managed_disk.consul_data

resource

azurerm_managed_disk.csi

resource

azurerm_managed_disk.nomad_data

resource

azurerm_managed_disk.vault_data

resource

azurerm_network_interface.control_plane

resource

azurerm_network_interface.monitoring

resource

azurerm_network_interface_application_gateway_backend_address_pool_association.control_plane

resource

azurerm_network_interface_application_gateway_backend_address_pool_association.monitoring

resource

azurerm_network_interface_application_security_group_association.control_plane

resource

azurerm_network_interface_application_security_group_association.monitoring

resource

azurerm_network_interface_application_security_group_association.monitoring_2

resource

azurerm_network_security_group.app_gateway

resource

azurerm_network_security_group.default

resource

azurerm_network_security_rule.allow_in_icmp

resource

azurerm_network_security_rule.allow_in_internal

resource

azurerm_network_security_rule.allow_in_internal_2

resource

azurerm_network_security_rule.allow_in_lb

resource

azurerm_network_security_rule.allow_in_lb_2

resource

azurerm_network_security_rule.allow_in_ssh

resource

azurerm_network_security_rule.allow_nomad_consul_envoy

resource

azurerm_network_security_rule.lb_default_rules

resource

azurerm_network_security_rule.lb_default_rules-2

resource

azurerm_public_ip.control_plane

resource

azurerm_public_ip.lb

resource

azurerm_public_ip.monitoring

resource

azurerm_role_assignment.control_plane_acr_read

resource

azurerm_role_assignment.control_plane_key_vault_user

resource

azurerm_role_assignment.control_plane_vault_auth

resource

azurerm_role_assignment.vault

resource

azurerm_role_assignment.worker_plane_acr_read

resource

azurerm_subnet.app_gateway

resource

azurerm_subnet.subnet

resource

azurerm_subnet_network_security_group_association.default

resource

azurerm_user_assigned_identity.control_plane

resource

azurerm_user_assigned_identity.worker_plane

resource

azurerm_virtual_machine_data_disk_attachment.consul_data

resource

azurerm_virtual_machine_data_disk_attachment.nomad_data

resource

azurerm_virtual_machine_data_disk_attachment.vault_data

resource

azurerm_virtual_network.vnet

resource

local_file.backend_tf_appsupport

resource

local_file.backend_tf_platform

resource

local_file.ssh_key

resource

local_file.tfvars_appsupport

resource

local_file.tfvars_platform

resource

null_resource.ca_certs

resource

null_resource.ca_certs_bundle

resource

random_string.vault_password

resource

tls_private_key.cert_private_key

resource

tls_private_key.ssh_key

resource

azuread_client_config.this

data source

azurerm_client_config.this

data source

azurerm_dns_zone.parent

data source

azurerm_image.caravan

data source

azurerm_resource_group.this

data source

azurerm_role_definition.acr_pull

data source

azurerm_role_definition.key_vault_user

data source

azurerm_role_definition.owner

data source

azurerm_storage_account.this

data source

azurerm_subscription.this

data source

Inputs

Name

Description

Type

Default

Required

client_id

The Azure Service Principal Client ID which should be used.

string

n/a

yes

client_secret

The Azure Service Principal Client Secret which should be used.

string

n/a

yes

external_domain

The external domain to use for registering DNS names.

string

n/a

yes

image_resource_group_name

The Azure Resource Group name where Caravan images are available.

string

n/a

yes

location

The Azure location where to create resources.

string

n/a

yes

parent_resource_group_name

The Azure Resource Group name where a DNS zone exists for external_domain.

string

n/a

yes

prefix

A string prefix prepended to resource names.

string

n/a

yes

resource_group_name

The Azure Resource Group name in which the objects will be created.

string

n/a

yes

storage_account_name

The Azure Storage Account which is used for Terraform state storage.

string

n/a

yes

subscription_id

The Azure Subscription ID which should be used.

string

n/a

yes

tenant_id

The Azure Tenant ID which should be used.

string

n/a

yes

use_le_staging

Whether to use the Let's Encrypt staging endpoint.

bool

n/a

yes

allowed_ssh_cidrs

The list of CIDRs from which SSH is allowed (the default permits any source address).

list(string)

[
"0.0.0.0/0"
]

no

app_gateway_subnet_cidr

The CIDR of the subnet created for the Application Gateway instance.

string

"10.0.2.0/24"

no

ca_certs

A group of certificate objects to download locally. This helps when using the Let's Encrypt staging environment.

map(object({
filename = string
pemurl = string
}))

{
"fakeleintermediatex1": {
"filename": "letsencrypt-stg-root-x1.pem",
"pemurl": "https://letsencrypt.org/certs/staging/letsencrypt-stg-root-x1.pem"
},
"fakelerootx1": {
"filename": "letsencrypt-stg-int-r3.pem",
"pemurl": "https://letsencrypt.org/certs/staging/letsencrypt-stg-int-r3.pem"
}
}

no

consul_license_file

Path to Consul Enterprise license

string

null

no

control_plane_disk_data_size

The size of control plane instances data disk.

number

20

no

control_plane_disk_data_type

The type of control plane instances data disk.

string

"Standard_LRS"

no

control_plane_disk_root_size

The size of control plane instances root disk.

number

30

no

control_plane_disk_root_type

The type of control plane instances root disk.

string

"Standard_LRS"

no

control_plane_instance_count

The number of control plane instances.

number

3

no

control_plane_size

The size of control plane instances.

string

"Standard_B2s"

no

csi_volumes

Example:
{
"jenkins" : {
"storage_account_type" : "Standard_LRS"
"disk_size_gb" : "30"
}
}

map(map(string))

{}

no

dc_name

The Consul DC name.

string

"azure-dc"

no

enable_monitoring

Whether to create an additional instance for monitoring purposes.

bool

true

no

image_name_regex

The Azure Compute image name regex.

string

"caravan-centos-image-*"

no

monitoring_disk_size

The size of monitoring instance disk.

string

"40"

no

monitoring_size

The size of monitoring instance.

string

"Standard_B2s"

no

nomad_license_file

Path to Nomad Enterprise license

string

null

no

subnet_cidr

The CIDR of the subnet created for Compute instances.

string

"10.0.1.0/24"

no

tags

A set of key-value tags applied to all resources created by Terraform.

map(string)

{
"project": "caravan"
}

no

vault_auth_resource

The Azure AD application to use for generating access tokens.

string

"https://management.azure.com/"

no

vault_license_file

Path to Vault Enterprise license

string

null

no

vnet_cidrs

The CIDR of the created Virtual Network.

list(string)

[
"10.0.0.0/16"
]

no

worker_plane_disk_size

The size of worker plane instances disk.

string

"40"

no

worker_plane_instance_count

The number of worker plane instances.

number

3

no

worker_plane_size

The size of worker plane instances.

string

"Standard_B2s"

no