Two intermediate task added : hub-n-spoke and egress traffic on aks using fw

intermediate/README.md

@@ -1,15 +1,17 @@
 # Terraform Intermediate Track
 
-## Kubernetes
-
-- [Deploy Your EKS Cluster using Terraform](https://github.com/collabnix/terraform/blob/master/beginners/aws/README.md)
+#### Azure
+
+  - [Terraform Provisioners in Azure](https://github.com/collabnix/terraform/blob/master/intermediate/azure/Terraform-Provisioners/)
+  - [Hub and Spoke Architecture](https://github.com/collabnix/terraform/blob/master/intermediate/azure/Hub-and-Spoke/)
+  - [Control egress traffic using Azure Firewall in Azure Kubernetes Service](https://github.com/collabnix/terraform/blob/master/intermediate/azure/AZ_FW-AKS-Egress/)
 
 
 ## Generic Terraform Related
 
 - [Terraform Functions](https://github.com/collabnix/terraform/blob/master/intermediate/Terraform-Functions)
 - Terraform Conditionals
 - Using Remote Backend
-- Terraform Provisioners
+- [Terraform Provisioners](https://github.com/collabnix/terraform/blob/master/intermediate/azure/Terraform-Provisioners/)
 - Multiple Providers
 

intermediate/azure/AZ_FW-AKS-Egress/README.md

@@ -0,0 +1,21 @@
+# Control egress traffic using Azure Firewall in Azure Kubernetes Service (AKS)
+
+Architecture :
+
+<img src="https://learn.microsoft.com/en-us/azure/aks/media/limit-egress-traffic/aks-azure-firewall-egress.png" />
+
+link : https://learn.microsoft.com/en-us/azure/aks/limit-egress-traffic
+
+required commands after `terraform apply` :
+
+1. Update Api Server Authorized IP Ranges
+```
+az aks update --resource-group rg-egress-001 --name aks-egress-001 --api-server-authorized-ip-ranges FW_PIP/32,Your_PIP/32
+```
+
+2. Create DNAT rule in Azure Firewall Policy and add Source Address of K8s Service and Destination address of Firewall Public IP
+```
+az network firewall policy rule-collection-group collection add-nat-collection -n nat_collection --collection-priority 10003 --policy-name {policy} -g {rg} --rule-collection-group-name {collectiongroup} --action DNAT --rule-name network_rule --description "test" --destination-addresses "202.120.36.15" --source-addresses "202.120.36.13" "202.120.36.14" --translated-address 128.1.1.1 --translated-port 1234 --destination-ports 12000 12001 --ip-protocols TCP UDP
+```
+or 
+`Create DNAT rule using Azure Portal`

intermediate/azure/AZ_FW-AKS-Egress/main.tf

@@ -0,0 +1,159 @@
+resource "azurerm_resource_group" "rg" {
+  name     = "rg-${var.postfix}"
+  location = var.location
+}
+
+resource "azurerm_virtual_network" "vnet" {
+  name                = "vnet-${var.postfix}"
+  location            = azurerm_resource_group.rg.location
+  resource_group_name = azurerm_resource_group.rg.name
+  address_space       = ["10.42.0.0/16"]
+}
+
+resource "azurerm_subnet" "aks_subnet" {
+  name                 = "subnet-${var.postfix}"
+  resource_group_name  = azurerm_resource_group.rg.name
+  virtual_network_name = azurerm_virtual_network.vnet.name
+  address_prefixes     = ["10.42.1.0/24"]
+}
+
+resource "azurerm_subnet" "fw_subnet" {
+  name                 = "AzureFirewallSubnet"
+  resource_group_name  = azurerm_resource_group.rg.name
+  virtual_network_name = azurerm_virtual_network.vnet.name
+  address_prefixes     = ["10.42.2.0/24"]
+}
+
+resource "azurerm_public_ip" "fw_public_ip" {
+  name                = "fw-pip-${var.postfix}"
+  resource_group_name = azurerm_resource_group.rg.name
+  location            = azurerm_resource_group.rg.location
+  allocation_method   = "Static"
+  sku                 = "Standard"
+}
+
+resource "azurerm_firewall" "fw" {
+  name                = "fw-${var.postfix}"
+  resource_group_name = azurerm_resource_group.rg.name
+  location            = azurerm_resource_group.rg.location
+  sku_name            = "AZFW_VNet"
+  sku_tier            = "Standard"
+  firewall_policy_id  = azurerm_firewall_policy.fw_policy.id
+  ip_configuration {
+    name                 = "fw-ip-config-${var.postfix}"
+    subnet_id            = azurerm_subnet.fw_subnet.id
+    public_ip_address_id = azurerm_public_ip.fw_public_ip.id
+  }
+}
+
+resource "azurerm_route_table" "fw_route_table" {
+  name                = "fw-route-table-${var.postfix}"
+  resource_group_name = azurerm_resource_group.rg.name
+  location            = azurerm_resource_group.rg.location
+
+  route {
+    name                   = "fw-route-${var.postfix}"
+    address_prefix         = "0.0.0.0/0"
+    next_hop_type          = "VirtualAppliance"
+    next_hop_in_ip_address = azurerm_firewall.fw.ip_configuration[0].private_ip_address
+  }
+
+  route {
+    name                   = "fw-route-internet-${var.postfix}"
+    address_prefix         = "${azurerm_public_ip.fw_public_ip.ip_address}/32"
+    next_hop_type          = "Internet"
+    next_hop_in_ip_address = null
+  }
+}
+
+resource "azurerm_firewall_policy" "fw_policy" {
+  name                = "fw-policy-${var.postfix}"
+  resource_group_name = azurerm_resource_group.rg.name
+  location            = azurerm_resource_group.rg.location
+  dns {
+    proxy_enabled = true
+  }
+}
+
+resource "azurerm_firewall_policy_rule_collection_group" "fw_rule_collection_group" {
+  name               = "fw-rule-collection-group-${var.postfix}"
+  firewall_policy_id = azurerm_firewall_policy.fw_policy.id
+  priority           = 100
+
+  network_rule_collection {
+    name     = "aksfwnr"
+    priority = 200
+    action   = "Allow"
+    rule {
+      name                  = "apiudp"
+      protocols             = ["UDP"]
+      source_addresses      = ["*"]
+      destination_addresses = ["AzureCloud.${var.location}"]
+      destination_ports     = ["1194"]
+    }
+    rule {
+      name                  = "apitcp"
+      protocols             = ["TCP"]
+      source_addresses      = ["*"]
+      destination_addresses = ["AzureCloud.${var.location}"]
+      destination_ports     = ["9000"]
+    }
+    rule {
+      name              = "time"
+      protocols         = ["UDP"]
+      source_addresses  = ["*"]
+      destination_fqdns = ["ntp.ubuntu.com"]
+      destination_ports = ["123"]
+    }
+  }
+
+  application_rule_collection {
+    name     = "aksfwar"
+    priority = 300
+    action   = "Allow"
+    rule {
+      name                  = "fqdn"
+      source_addresses      = ["*"]
+      destination_fqdn_tags = ["AzureKubernetesService"]
+      protocols {
+        type = "Http"
+        port = 80
+      }
+      protocols {
+        type = "Https"
+        port = 443
+      }
+    }
+  }
+}
+
+resource "azurerm_subnet_route_table_association" "aks_subnet_route_table_association" {
+  subnet_id      = azurerm_subnet.aks_subnet.id
+  route_table_id = azurerm_route_table.fw_route_table.id
+}
+
+resource "azurerm_kubernetes_cluster" "aks" {
+  name                = "aks-${var.postfix}"
+  location            = azurerm_resource_group.rg.location
+  resource_group_name = azurerm_resource_group.rg.name
+  dns_prefix          = "aks-${var.postfix}"
+
+  default_node_pool {
+    name           = "default"
+    node_count     = 1
+    vm_size        = "Standard_D2_v2"
+    vnet_subnet_id = azurerm_subnet.aks_subnet.id
+  }
+
+  network_profile {
+    network_plugin    = "azure"
+    outbound_type     = "userDefinedRouting"
+    load_balancer_sku = "standard"
+  }
+
+  identity {
+    type = "SystemAssigned"
+  }
+
+  api_server_authorized_ip_ranges = api_server_authorized_ip_ranges = ["${azurerm_public_ip.fw_public_ip.ip_address}/32"]
+}

intermediate/azure/AZ_FW-AKS-Egress/provider.tf

@@ -0,0 +1,17 @@
+terraform {
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = "~> 2.65"
+    }
+  }
+}
+
+provider "azurerm" {
+  features {}
+
+  client_id       = ""
+  client_secret   = ""
+  tenant_id       = ""
+  subscription_id = ""
+}

intermediate/azure/AZ_FW-AKS-Egress/variables.tf

@@ -0,0 +1,7 @@
+variable "postfix" {
+  default = "egress-001"
+}
+
+variable "location" {
+  default = "canadacentral"
+}

intermediate/azure/Hub-and-Spoke/README.md

@@ -0,0 +1,7 @@
+# Create a hub and spoke hybrid network topology in Azure using Terraform
+
+Architecture :
+
+<img src="https://learn.microsoft.com/en-us/azure/developer/terraform/media/hub-and-spoke-series/hub-spoke-architecture.png" />
+
+link : https://learn.microsoft.com/en-us/azure/developer/terraform/hub-spoke-introduction