terraform: use nat gateway on azure (#1655)

* terraform: use nat gateway on azure * docs: add new azure permission
2024-10-01 01:36:09 -04:00 · 2023-04-17 11:00:35 +02:00 · 2023-04-17 11:00:35 +02:00 · 14d26e1af4
commit 14d26e1af4
parent 0b3190ea8b
2 changed files with 29 additions and 17 deletions
--- a/cli/internal/terraform/terraform/azure/main.tf
+++ b/cli/internal/terraform/terraform/azure/main.tf
@ -58,7 +58,7 @@ resource "azurerm_application_insights" "insights" {
 }

 resource "azurerm_public_ip" "loadbalancer_ip" {
-  name                = local.name
+  name                = "${local.name}-lb"
  resource_group_name = var.resource_group
  location            = var.location
  allocation_method   = "Static"
@ -66,6 +66,33 @@ resource "azurerm_public_ip" "loadbalancer_ip" {
  tags                = local.tags
 }

+resource "azurerm_public_ip" "nat_gateway_ip" {
+  name                = "${local.name}-nat"
+  resource_group_name = var.resource_group
+  location            = var.location
+  allocation_method   = "Static"
+  sku                 = "Standard"
+  tags                = local.tags
+}
+
+resource "azurerm_nat_gateway" "gateway" {
+  name                    = local.name
+  location                = var.location
+  resource_group_name     = var.resource_group
+  sku_name                = "Standard"
+  idle_timeout_in_minutes = 10
+}
+
+resource "azurerm_subnet_nat_gateway_association" "example" {
+  nat_gateway_id = azurerm_nat_gateway.gateway.id
+  subnet_id      = azurerm_subnet.node_subnet.id
+}
+
+resource "azurerm_nat_gateway_public_ip_association" "example" {
+  nat_gateway_id       = azurerm_nat_gateway.gateway.id
+  public_ip_address_id = azurerm_public_ip.nat_gateway_ip.id
+}
+
 resource "azurerm_lb" "loadbalancer" {
  name                = local.name
  location            = var.location
@ -137,15 +164,6 @@ resource "azurerm_lb_backend_address_pool" "all" {
  name            = "${var.name}-all"
 }

-resource "azurerm_lb_outbound_rule" "outbound" {
-  name                    = "${var.name}-outbound"
-  loadbalancer_id         = azurerm_lb.loadbalancer.id
-  protocol                = "All"
-  backend_address_pool_id = azurerm_lb_backend_address_pool.all.id
-
-  frontend_ip_configuration { name = "PublicIPAddress" }
-}
-
 resource "azurerm_virtual_network" "network" {
  name                = local.name
  resource_group_name = var.resource_group
@ -161,13 +179,6 @@ resource "azurerm_subnet" "node_subnet" {
  address_prefixes     = ["10.9.0.0/16"]
 }

-resource "azurerm_subnet" "pod_subnet" {
-  name                 = "${local.name}-pod"
-  resource_group_name  = var.resource_group
-  virtual_network_name = azurerm_virtual_network.network.name
-  address_prefixes     = ["10.10.0.0/16"]
-}
-
 resource "azurerm_network_security_group" "security_group" {
  name                = local.name
  location            = var.location
--- a/docs/docs/getting-started/install.md
+++ b/docs/docs/getting-started/install.md
@ -140,6 +140,7 @@ To [create a Constellation cluster](../workflows/create.md#the-create-step), you
 * `Microsoft.Network/publicIPAddresses/*`
 * `Microsoft.Network/virtualNetworks/*`
 * `Microsoft.Network/virtualNetworks/subnets/*`
+* `Microsoft.Network/natGateways/*`

 The built-in `Contributor` role is a superset of these permissions.