diff --git a/terraform/infrastructure/azure/main.tf b/terraform/infrastructure/azure/main.tf index a749b8cf6..16b7c6bb7 100644 --- a/terraform/infrastructure/azure/main.tf +++ b/terraform/infrastructure/azure/main.tf @@ -295,3 +295,90 @@ data "azurerm_user_assigned_identity" "uaid" { name = local.uai_name resource_group_name = local.uai_resource_group } + +############## For emergency ssh access ############## +resource "azurerm_public_ip" "loadbalancer_ssh_ip" { + count = var.emergency_ssh ? 1 : 0 + name = "${local.name}-ssh-lb" + domain_name_label = "${local.name}-ssh" + resource_group_name = var.resource_group + location = var.location + allocation_method = "Static" + sku = "Standard" + tags = local.tags + + lifecycle { + ignore_changes = [name] + } +} + +// Reads data from the resource of the same name. +// Used to wait to the actual resource to become ready, before using data from that resource. +// Property "fqdn" only becomes available on azurerm_public_ip resources once domain_name_label is set. +// Since we are setting domain_name_label starting with 2.10 we need to migrate +// resources for clusters created before 2.9. In those cases we need to wait until loadbalancer_ip has +// been updated before reading from it. +data "azurerm_public_ip" "loadbalancer_ssh_ip" { + count = var.emergency_ssh ? 1 : 0 + name = "${local.name}-ssh-lb" + resource_group_name = var.resource_group + depends_on = [azurerm_public_ip.loadbalancer_ssh_ip] +} + +resource "azurerm_lb" "loadbalancer_ssh" { + count = var.emergency_ssh ? 1 : 0 + name = "${local.name}-ssh" + location = var.location + resource_group_name = var.resource_group + sku = "Standard" + tags = local.tags + + dynamic "frontend_ip_configuration" { + for_each = var.emergency_ssh ? [1] : [] + content { + name = "PublicIPAddress" + public_ip_address_id = azurerm_public_ip.loadbalancer_ssh_ip[0].id + } + } +} + +module "loadbalancer_backend_control_plane_ssh" { + count = var.emergency_ssh ? 1 : 0 + source = "./modules/load_balancer_backend" + + name = "${local.name}-control-plane-ssh" + loadbalancer_id = azurerm_lb.loadbalancer_ssh[0].id + frontend_ip_configuration_name = azurerm_lb.loadbalancer_ssh[0].frontend_ip_configuration[0].name + ports = [{ name = "ssh-cp", port = "22", health_check_protocol = "Tcp", path = null, priority = 100 }] +} + +module "loadbalancer_backend_worker_ssh" { + count = var.emergency_ssh ? 1 : 0 + source = "./modules/load_balancer_backend" + + name = "${local.name}-worker-ssh" + loadbalancer_id = azurerm_lb.loadbalancer_ssh[0].id + frontend_ip_configuration_name = azurerm_lb.loadbalancer_ssh[0].frontend_ip_configuration[0].name + ports = [] +} + +resource "azurerm_lb_backend_address_pool" "all_ssh" { + count = var.emergency_ssh ? 1 : 0 + loadbalancer_id = azurerm_lb.loadbalancer_ssh[0].id + name = "${var.name}-all-ssh" +} + +resource "azurerm_network_security_rule" "nsg_rule_ssh" { + count = var.emergency_ssh ? 1 : 0 + name = "ssh-new" + priority = 210 + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_range = "*" + destination_port_range = "22" + source_address_prefix = "*" + destination_address_prefix = "*" + resource_group_name = var.resource_group + network_security_group_name = azurerm_network_security_group.security_group.name +} diff --git a/terraform/infrastructure/azure/variables.tf b/terraform/infrastructure/azure/variables.tf index a3ab1fd0b..e28558068 100644 --- a/terraform/infrastructure/azure/variables.tf +++ b/terraform/infrastructure/azure/variables.tf @@ -101,3 +101,9 @@ variable "additional_tags" { default = {} description = "Additional tags that should be applied to created resources." } + +variable "emergency_ssh" { + type = bool + default = false + description = "Wether to deploy a load balancer to connect to nodes via ssh." +}