terraform: azure, google - usability improvements (#24)

closes #22

Author: clstokes

terraform/aws/aws-ec2-autoscaling-dual-subnet/main.tf

@@ -90,7 +90,7 @@ module "tailscale_aws_ec2_autoscaling" {
   tailscale_set_preferences = local.tailscale_set_preferences
 
   depends_on = [
-    module.vpc.natgw_ids, # remove if using your own VPC otherwise ensure provisioned NAT gateway is available
+    module.vpc.nat_ids, # remove if using your own VPC otherwise ensure provisioned NAT gateway is available
   ]
 }
 

terraform/aws/aws-ec2-autoscaling-session-recorder/main.tf

@@ -190,7 +190,7 @@ module "tailscale_aws_ec2_autoscaling" {
   ]
 
   depends_on = [
-    module.vpc.natgw_ids, # remove if using your own VPC otherwise ensure provisioned NAT gateway is available
+    module.vpc.nat_ids, # remove if using your own VPC otherwise ensure provisioned NAT gateway is available
   ]
 }
 

terraform/aws/aws-ec2-autoscaling/main.tf

@@ -78,7 +78,7 @@ module "tailscale_aws_ec2_autoscaling" {
   tailscale_set_preferences = local.tailscale_set_preferences
 
   depends_on = [
-    module.vpc.natgw_ids, # remove if using your own VPC otherwise ensure provisioned NAT gateway is available
+    module.vpc.nat_ids, # remove if using your own VPC otherwise ensure provisioned NAT gateway is available
   ]
 }
 

terraform/aws/aws-ec2-instance-dual-stack-ipv4-ipv6/main.tf

@@ -68,7 +68,7 @@ module "tailscale_aws_ec2" {
   tailscale_set_preferences = local.tailscale_set_preferences
 
   depends_on = [
-    module.vpc.natgw_ids, # remove if using your own VPC otherwise ensure provisioned NAT gateway is available
+    module.vpc.nat_ids, # remove if using your own VPC otherwise ensure provisioned NAT gateway is available
   ]
 }
 

terraform/aws/aws-ec2-instance/main.tf

@@ -65,7 +65,7 @@ module "tailscale_aws_ec2" {
   tailscale_set_preferences = local.tailscale_set_preferences
 
   depends_on = [
-    module.vpc.natgw_ids, # remove if using your own VPC otherwise ensure provisioned NAT gateway is available
+    module.vpc.nat_ids, # remove if using your own VPC otherwise ensure provisioned NAT gateway is available
   ]
 }
 

terraform/aws/internal-modules/aws-vpc/outputs.tf

@@ -25,9 +25,9 @@ output "nat_public_ips" {
   value = module.vpc.nat_public_ips
 }
 
-output "natgw_ids" {
+output "nat_ids" {
   description = "Useful for using within `depends_on` for other resources"
-  value       = module.vpc.natgw_ids
+  value       = module.vpc.nat_ids
 }
 
 output "public_route_table_ids" {

terraform/azure/azure-linux-vm/main.tf

@@ -1,24 +1,51 @@
 locals {
   name = "example-${basename(path.cwd)}"
 
-  tags = {
+  azure_tags = {
     Name = local.name
   }
+
+  tailscale_acl_tags = [
+    "tag:example-infra",
+    "tag:example-exitnode",
+    "tag:example-subnetrouter",
+    "tag:example-appconnector",
+  ]
+  tailscale_set_preferences = [
+    "--auto-update",
+    "--ssh",
+    "--advertise-connector",
+    "--advertise-exit-node",
+    "--advertise-routes=${join(",", coalescelist(
+      local.vpc_cidr_block,
+    ))}",
+  ]
+
+  // Modify these to use your own VPC
+  resource_group_name = azurerm_resource_group.main.name
+  location            = azurerm_resource_group.main.location
+
+  vpc_cidr_block            = module.vpc.vnet_address_space
+  vpc_id                    = module.vpc.vnet_id
+  subnet_id                 = module.vpc.public_subnet_id
+  network_security_group_id = azurerm_network_security_group.tailscale_ingress.id
+  instance_type             = "Standard_DS1_v2"
+  admin_public_key_path     = var.admin_public_key_path
 }
 
 resource "azurerm_resource_group" "main" {
   location = "centralus"
   name     = local.name
 }
 
-module "network" {
+module "vpc" {
   source = "../internal-modules/azure-network"
 
   name = local.name
-  tags = local.tags
+  tags = local.azure_tags
 
-  location            = azurerm_resource_group.main.location
-  resource_group_name = azurerm_resource_group.main.name
+  location            = local.location
+  resource_group_name = local.resource_group_name
 
   cidrs = ["10.0.0.0/22"]
   subnet_cidrs = [
@@ -39,40 +66,49 @@ resource "tailscale_tailnet_key" "main" {
   preauthorized       = true
   reusable            = true
   recreate_if_invalid = "always"
-  tags = [
-    "tag:example-infra",
-    "tag:example-exitnode",
-    "tag:example-subnetrouter",
-    "tag:example-appconnector",
-  ]
+  tags                = local.tailscale_acl_tags
 }
 
 module "tailscale_azure_linux_virtual_machine" {
   source = "../internal-modules/azure-linux-vm"
 
-  location            = azurerm_resource_group.main.location
-  resource_group_name = azurerm_resource_group.main.name
+  location            = local.location
+  resource_group_name = local.resource_group_name
 
   # public subnet
-  primary_subnet_id = module.network.public_subnet_id
+  primary_subnet_id         = local.subnet_id
+  network_security_group_id = local.network_security_group_id
 
   machine_name          = local.name
-  machine_size          = "Standard_DS1_v2"
-  admin_public_key_path = var.admin_public_key_path
-  resource_tags         = local.tags
+  machine_size          = local.instance_type
+  admin_public_key_path = local.admin_public_key_path
+  resource_tags         = local.azure_tags
 
   # Variables for Tailscale resources
-  tailscale_hostname = local.name
-  tailscale_auth_key = tailscale_tailnet_key.main.key
-  tailscale_set_preferences = [
-    "--auto-update",
-    "--ssh",
-    "--advertise-connector",
-    "--advertise-exit-node",
-    "--advertise-routes=${join(",", module.network.vnet_address_space)}",
-  ]
+  tailscale_hostname        = local.name
+  tailscale_auth_key        = tailscale_tailnet_key.main.key
+  tailscale_set_preferences = local.tailscale_set_preferences
 
   depends_on = [
-    module.network.natgw_ids, # for private subnets - ensure NAT gateway is available before instance provisioning
+    module.vpc.nat_ids, # remove if using your own VPC otherwise ensure provisioned NAT gateway is available
   ]
 }
+
+resource "azurerm_network_security_group" "tailscale_ingress" {
+  location            = local.location
+  resource_group_name = local.resource_group_name
+
+  name = "nsg-tailscale-ingress"
+
+  security_rule {
+    name                       = "AllowTailscaleInbound"
+    access                     = "Allow"
+    direction                  = "Inbound"
+    priority                   = 100
+    protocol                   = "Udp"
+    source_address_prefix      = "Internet"
+    source_port_range          = "*"
+    destination_address_prefix = "*"
+    destination_port_range     = "41641"
+  }
+}

terraform/azure/azure-linux-vm/outputs.tf

@@ -1,20 +1,20 @@
 output "vpc_id" {
-  value = module.network.vnet_id
+  value = module.vpc.vnet_id
 }
 
 output "nat_public_ips" {
-  value = module.network.nat_public_ips
+  value = module.vpc.nat_public_ips
 }
 
 output "public_subnet_id" {
-  value = module.network.public_subnet_id
+  value = module.vpc.public_subnet_id
 }
 output "private_subnet_id" {
-  value = module.network.private_subnet_id
+  value = module.vpc.private_subnet_id
 }
 
 output "private_dns_resolver_inbound_endpoint_ip" {
-  value = module.network.private_dns_resolver_inbound_endpoint_ip
+  value = module.vpc.private_dns_resolver_inbound_endpoint_ip
 }
 output "internal_domain_name_suffix" {
   value = module.tailscale_azure_linux_virtual_machine.internal_domain_name_suffix

terraform/azure/internal-modules/azure-linux-vm/main.tf

@@ -28,26 +28,7 @@ resource "azurerm_network_interface" "primary" {
 
 resource "azurerm_network_interface_security_group_association" "tailscale" {
   network_interface_id      = azurerm_network_interface.primary.id
-  network_security_group_id = azurerm_network_security_group.tailscale_ingress.id
-}
-
-resource "azurerm_network_security_group" "tailscale_ingress" {
-  location            = var.location
-  resource_group_name = var.resource_group_name
-
-  name = "nsg-tailscale-ingress"
-
-  security_rule {
-    name                       = "AllowTailscaleInbound"
-    access                     = "Allow"
-    direction                  = "Inbound"
-    priority                   = 100
-    protocol                   = "Udp"
-    source_address_prefix      = "Internet"
-    source_port_range          = "*"
-    destination_address_prefix = "*"
-    destination_port_range     = "41641"
-  }
+  network_security_group_id = var.network_security_group_id
 }
 
 resource "azurerm_linux_virtual_machine" "tailscale_instance" {

terraform/azure/internal-modules/azure-linux-vm/variables.tf

@@ -25,6 +25,10 @@ variable "primary_subnet_id" {
   description = "The primary subnet (typically PUBLIC) to assign to the virtual machine"
   type        = string
 }
+variable "network_security_group_id" {
+  description = "The network security group to assign to the virtual machine"
+  type        = string
+}
 variable "machine_size" {
   description = "The machine size to assign the virtual machine"
   type        = string

terraform/azure/internal-modules/azure-network/main.tf

@@ -1,4 +1,4 @@
-module "network" {
+module "vpc" {
   # https://registry.terraform.io/modules/Azure/network/azurerm/latest
   source  = "Azure/network/azurerm"
   version = ">= 5.0, < 6.0"
@@ -37,28 +37,28 @@ module "network" {
 data "azurerm_subnet" "public" {
   resource_group_name = var.resource_group_name
 
-  virtual_network_name = module.network.vnet_name
+  virtual_network_name = module.vpc.vnet_name
   name                 = var.subnet_name_public
 
-  depends_on = [module.network.vnet_subnets]
+  depends_on = [module.vpc.vnet_subnets]
 }
 
 data "azurerm_subnet" "private" {
   resource_group_name = var.resource_group_name
 
-  virtual_network_name = module.network.vnet_name
+  virtual_network_name = module.vpc.vnet_name
   name                 = var.subnet_name_private
 
-  depends_on = [module.network.vnet_subnets]
+  depends_on = [module.vpc.vnet_subnets]
 }
 
 data "azurerm_subnet" "dns-inbound" {
   resource_group_name = var.resource_group_name
 
-  virtual_network_name = module.network.vnet_name
+  virtual_network_name = module.vpc.vnet_name
   name                 = var.subnet_name_private_dns_resolver
 
-  depends_on = [module.network.vnet_subnets]
+  depends_on = [module.vpc.vnet_subnets]
 }
 #
 # Private DNS resolver resources
@@ -70,7 +70,7 @@ resource "azurerm_private_dns_resolver" "main" {
   name = var.name
   tags = var.tags
 
-  virtual_network_id = module.network.vnet_id
+  virtual_network_id = module.vpc.vnet_id
 }
 
 resource "azurerm_private_dns_resolver_inbound_endpoint" "main" {

terraform/azure/internal-modules/azure-network/outputs.tf

@@ -1,14 +1,14 @@
 output "vnet_id" {
-  value = module.network.vnet_id
+  value = module.vpc.vnet_id
 }
 output "vnet_name" {
-  value = module.network.vnet_name
+  value = module.vpc.vnet_name
 }
 output "vnet_address_space" {
-  value = module.network.vnet_address_space
+  value = module.vpc.vnet_address_space
 }
 output "vnet_subnets" {
-  value = module.network.vnet_subnets
+  value = module.vpc.vnet_subnets
 }
 
 output "public_subnet_id" {
@@ -40,7 +40,7 @@ output "nat_public_ips" {
   value = azurerm_public_ip.nat.*.ip_address
 }
 
-output "natgw_ids" {
+output "nat_ids" {
   description = "Useful for using within `depends_on` for other resources"
   value       = azurerm_nat_gateway.nat.*.id
 }