link network security group to bastion nic for public ssh access [MRXNM-52]

hotzevzl · hotzevzl · commit 02775f853b9b · 2024-07-16T14:31:30.000+02:00
diff --git a/infrastructure/base/main.tf b/infrastructure/base/main.tf
@@ -39,6 +39,7 @@ module "bastion" {
   project_name            = var.project_name
   bastion_ssh_public_keys = var.bastion_ssh_public_keys
   bastion_subnet_id       = module.network.bastion_subnet_id
+  bastion_nsg_id          = module.network.bastion_nsg_id
   dns_zone                = module.dns.dns_zone
 }
 
diff --git a/infrastructure/base/modules/bastion/main.tf b/infrastructure/base/modules/bastion/main.tf
@@ -23,6 +23,11 @@ resource "azurerm_network_interface" "bastion_nic" {
   }
 }
 
+resource "azurerm_network_interface_security_group_association" "bastion_nic_nsg_association" {
+  network_interface_id      = azurerm_network_interface.bastion_nic.id
+  network_security_group_id = var.bastion_nsg_id
+}
+
 resource "tls_private_key" "ssh_private_key" {
   algorithm = "RSA"
   rsa_bits  = 4096
diff --git a/infrastructure/base/modules/bastion/variables.tf b/infrastructure/base/modules/bastion/variables.tf
@@ -21,6 +21,10 @@ variable "bastion_subnet_id" {
   description = "The id of the subnet where the bastion host will be placed"
 }
 
+variable "bastion_nsg_id" {
+  description = "The id of the network security group for the bastion host"
+}
+
 variable "dns_zone" {
   description = "The Azure DNS zone where the bastion A record will be added"
 }
diff --git a/infrastructure/base/modules/network/outputs.tf b/infrastructure/base/modules/network/outputs.tf
@@ -26,6 +26,10 @@ output "bastion_subnet_id" {
   value = azurerm_subnet.bastion_subnet.id
 }
 
+output "bastion_nsg_id" {
+  value = azurerm_network_security_group.bastion_nsg.id
+}
+
 output "firewall_subnet_id" {
   value = azurerm_subnet.firewall_subnet.id
 }

Original file line number	Diff line number	Diff line change
`@@ -39,6 +39,7 @@ module "bastion" {`
`39`	`39`	`project_name = var.project_name`
`40`	`40`	`bastion_ssh_public_keys = var.bastion_ssh_public_keys`
`41`	`41`	`bastion_subnet_id = module.network.bastion_subnet_id`
	`42`	`+ bastion_nsg_id = module.network.bastion_nsg_id`
`42`	`43`	`dns_zone = module.dns.dns_zone`
`43`	`44`	`}`
`44`	`45`
Original file line number	Diff line number	Diff line change
`@@ -23,6 +23,11 @@ resource "azurerm_network_interface" "bastion_nic" {`
`23`	`23`	`}`
`24`	`24`	`}`
`25`	`25`
	`26`	`+resource "azurerm_network_interface_security_group_association" "bastion_nic_nsg_association" {`
	`27`	`+ network_interface_id = azurerm_network_interface.bastion_nic.id`
	`28`	`+ network_security_group_id = var.bastion_nsg_id`
	`29`	`+}`
	`30`	`+`
`26`	`31`	`resource "tls_private_key" "ssh_private_key" {`
`27`	`32`	`algorithm = "RSA"`
`28`	`33`	`rsa_bits = 4096`
Original file line number	Diff line number	Diff line change
`@@ -21,6 +21,10 @@ variable "bastion_subnet_id" {`
`21`	`21`	`description = "The id of the subnet where the bastion host will be placed"`
`22`	`22`	`}`
`23`	`23`
	`24`	`+variable "bastion_nsg_id" {`
	`25`	`+ description = "The id of the network security group for the bastion host"`
	`26`	`+}`
	`27`	`+`
`24`	`28`	`variable "dns_zone" {`
`25`	`29`	`description = "The Azure DNS zone where the bastion A record will be added"`
`26`	`30`	`}`
Original file line number	Diff line number	Diff line change
`@@ -26,6 +26,10 @@ output "bastion_subnet_id" {`
`26`	`26`	`value = azurerm_subnet.bastion_subnet.id`
`27`	`27`	`}`
`28`	`28`
	`29`	`+output "bastion_nsg_id" {`
	`30`	`+ value = azurerm_network_security_group.bastion_nsg.id`
	`31`	`+}`
	`32`	`+`
`29`	`33`	`output "firewall_subnet_id" {`
`30`	`34`	`value = azurerm_subnet.firewall_subnet.id`
`31`	`35`	`}`