WIP: TES-350: NAT gateway

Ontotext-AD · Nov 19, 2023 · a118249 · a118249
1 parent 30cf839
commit a118249
Show file tree

Hide file tree

Showing 8 changed files with 137 additions and 10 deletions.
diff --git a/main.tf b/main.tf
@@ -60,6 +60,15 @@ resource "azurerm_subnet" "graphdb-vmss" {
   address_prefixes     = var.graphdb_subnet_address_prefix
 }
 
+resource "azurerm_subnet" "graphdb-nat" {
+  count = length(var.nat_subnet_address_prefix)
+
+  name                 = "${var.resource_name_prefix}-nat-${count.index + 1}"
+  resource_group_name  = azurerm_resource_group.graphdb.name
+  virtual_network_name = azurerm_virtual_network.graphdb.name
+  address_prefixes     = [var.nat_subnet_address_prefix[count.index]]
+}
+
 # ------------------------------------------------------------
 
 # Creates a public IP address with assigned FQDN from the regional Azure DNS
@@ -174,6 +183,20 @@ module "bastion" {
   tags = local.tags
 }
 
+module "nat" {
+  source = "./modules/nat"
+
+  resource_name_prefix = var.resource_name_prefix
+  location             = var.location
+  resource_group_name  = azurerm_resource_group.graphdb.name
+  zones                = var.zones
+
+  network_interface_name = azurerm_virtual_network.graphdb.name
+  nat_subnet_ids         = [for subnet in azurerm_subnet.graphdb-nat : subnet.id]
+
+  tags = local.tags
+}
+
 # Creates a VM scale set for GraphDB and GraphDB cluster proxies
 module "vm" {
   source = "./modules/vm"

diff --git a/modules/nat/README.md b/modules/nat/README.md
@@ -0,0 +1 @@
+# GraphDB NAT Module
diff --git a/modules/nat/main.tf b/modules/nat/main.tf
@@ -0,0 +1,48 @@
+locals {
+  # TODO: This module depends on both zones and subnet_ids... it could be misconfigured...
+  #   We could calculate the cidrs based on prefix & the zones
+  # Convert the numbers to a set of strings
+  zones = toset([for z in var.zones : format("%d", z)])
+}
+
+resource "azurerm_public_ip" "graphdb-nat-ip-address" {
+  for_each = local.zones
+
+  name                = "${var.resource_name_prefix}-nat-gateway-${each.key}"
+  resource_group_name = var.resource_group_name
+  location            = var.location
+
+  sku               = "Standard"
+  allocation_method = "Static"
+  zones             = [each.value]
+
+  tags = var.tags
+}
+
+resource "azurerm_nat_gateway" "graphdb" {
+  for_each = toset(local.zones)
+
+  name                = "${var.resource_name_prefix}-nat-${each.key}"
+  resource_group_name = var.resource_group_name
+  location            = var.location
+  zones               = [each.value]
+
+  sku_name                = "Standard"
+  idle_timeout_in_minutes = 10 # TODO: ???? 120 is the max in the portal
+
+  tags = var.tags
+}
+
+resource "azurerm_nat_gateway_public_ip_association" "graphdb-nat" {
+  count = length(azurerm_nat_gateway.graphdb)
+
+  nat_gateway_id       = azurerm_nat_gateway.graphdb[count.index + 1].id
+  public_ip_address_id = azurerm_public_ip.graphdb-nat-ip-address[count.index + 1].id
+}
+
+resource "azurerm_subnet_nat_gateway_association" "graphdb-nat" {
+  count = length(azurerm_nat_gateway.graphdb)
+
+  nat_gateway_id = azurerm_nat_gateway.graphdb[count.index + 1].id
+  subnet_id      = var.nat_subnet_ids[count.index]
+}
diff --git a/modules/nat/outputs.tf b/modules/nat/outputs.tf
diff --git a/modules/nat/variables.tf b/modules/nat/variables.tf
@@ -0,0 +1,39 @@
+# General configurations
+
+variable "resource_name_prefix" {
+  description = "Resource name prefix used for tagging and naming Azure resources"
+  type        = string
+}
+
+variable "location" {
+  description = "Azure geographical location where resources will be deployed"
+  type        = string
+}
+
+variable "zones" {
+  description = "Availability zones to use for resource deployment and HA"
+  type        = list(number)
+}
+
+variable "tags" {
+  description = "Common resource tags."
+  type        = map(string)
+  default     = {}
+}
+
+variable "resource_group_name" {
+  description = "Name of the resource group where GraphDB will be deployed."
+  type        = string
+}
+
+# Networking
+
+variable "network_interface_name" {
+  description = "Network interface where GraphDB will be deployed"
+  type        = string
+}
+
+variable "nat_subnet_ids" {
+  description = "Identifiers of the subnets to which the NATs will be associated"
+  type        = list(string)
+}
diff --git a/modules/nat/versions.tf b/modules/nat/versions.tf
@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 1.3.1"
+
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = ">=3.71.0"
+    }
+  }
+}
diff --git a/output.tf b/output.tf
@@ -1,4 +1,4 @@
-output "public_address_fqdn" {
-  description = "External FQDN address for GraphDB"
-  value       = module.address.public_ip_address_fqdn
-}
+#output "public_address_fqdn" {
+#  description = "External FQDN address for GraphDB"
+#  value       = module.address.public_ip_address_fqdn
+#}
diff --git a/variables.tf b/variables.tf
@@ -48,6 +48,18 @@ variable "graphdb_subnet_address_prefix" {
   default     = ["10.0.2.0/24"]
 }
 
+variable "nat_subnet_address_prefix" {
+  description = "Subnet address prefix CIDRs where NAT gateways will reside."
+  type        = list(string)
+  default     = ["10.0.3.0/28", "10.0.3.64/26", "10.0.3.128/26"]
+}
+
+variable "bastion_subnet_address_prefix" {
+  description = "Bastion subnet address prefix"
+  type        = list(string)
+  default     = ["10.0.4.0/27"]
+}
+
 # TLS
 
 variable "tls_certificate_path" {
@@ -148,9 +160,3 @@ variable "deploy_bastion" {
   type        = bool
   default     = false
 }
-
-variable "bastion_subnet_address_prefix" {
-  description = "Bastion subnet address prefix"
-  type        = list(string)
-  default     = ["10.0.3.0/27"]
-}