main.tf

terraform {
  required_version = ">=0.10"
}

locals {
  environment = "${terraform.workspace == "default" ? "test" : terraform.workspace}"
}

resource "azurerm_resource_group" "bastion" {
  name     = "${var.resource_group}"
  location = "${var.location}"

  tags = {
    Environment = "${local.environment}"
    ManagedBy   = "TF"
  }
}

resource "random_integer" "ssh_port" {
  min = 1111
  max = 9999
}

resource "random_string" "vm_password" {
  length  = 10
  special = true
}

data "azurerm_resource_group" "existing_rg_for_vnet" {
  name = "${var.existing_rg_for_vnet}"
}

resource "azurerm_lb" "bastion" {
  name                = "${var.name_prefix}-bastion-load-balancer-${local.environment}"
  location            = "${var.location}"
  resource_group_name = "${azurerm_resource_group.bastion.name}"
  depends_on          = ["azurerm_public_ip.bastion"]

  frontend_ip_configuration {
    name                 = "lb-frontend-${local.environment}"
    public_ip_address_id = "${azurerm_public_ip.bastion.id}"
  }
}

resource "azurerm_lb_backend_address_pool" "bastion" {
  name                = "${var.name_prefix}-bastion-lb-backend-address-pool-${local.environment}"
  resource_group_name = "${azurerm_resource_group.bastion.name}"
  loadbalancer_id     = "${azurerm_lb.bastion.id}"
}

resource "azurerm_lb_nat_rule" "bastion_nat_rule" {
  name                           = "SSHAccess"
  resource_group_name            = "${azurerm_resource_group.bastion.name}"
  loadbalancer_id                = "${azurerm_lb.bastion.id}"
  protocol                       = "Tcp"
  frontend_port                  = "${random_integer.ssh_port.result}"
  backend_port                   = 22
  frontend_ip_configuration_name = "lb-frontend-${local.environment}"
}

resource "azurerm_public_ip" "bastion" {
  name                         = "${var.name_prefix}-bastion-public-ip-${local.environment}"
  resource_group_name          = "${azurerm_resource_group.bastion.name}"
  public_ip_address_allocation = "static"
  location                     = "${var.location}"
}

resource "azurerm_subnet" "bastion" {
  name                 = "${var.name_prefix}-bastion-subnet-${local.environment}"
  resource_group_name  = "${data.azurerm_resource_group.existing_rg_for_vnet.name}"
  virtual_network_name = "${var.existing_vnet_name}"
  address_prefix       = "${var.subnet_address_prefix}"
  route_table_id       = "${var.existing_rt_id}"
}

resource "azurerm_network_interface" "bastion" {
  name                      = "${var.name_prefix}-bastion-nic-${local.environment}"
  resource_group_name       = "${azurerm_resource_group.bastion.name}"
  location                  = "${var.location}"
  network_security_group_id = "${azurerm_network_security_group.bastion.id}"

  ip_configuration {
    name                                    = "BastionIPConfig"
    subnet_id                               = "${azurerm_subnet.bastion.id}"
    private_ip_address_allocation           = "dynamic"
    load_balancer_backend_address_pools_ids = ["${azurerm_lb_backend_address_pool.bastion.id}"]
    load_balancer_inbound_nat_rules_ids     = ["${azurerm_lb_nat_rule.bastion_nat_rule.id}"]
  }
}

resource "azurerm_network_security_group" "bastion" {
  name                = "${var.name_prefix}-bastion-nsg-${local.environment}"
  resource_group_name = "${azurerm_resource_group.bastion.name}"
  location            = "${var.location}"
}

resource "azurerm_virtual_machine" "bastion" {
  name                          = "${var.name_prefix}-bastion-vm-${local.environment}"
  resource_group_name           = "${azurerm_resource_group.bastion.name}"
  location                      = "${var.location}"
  network_interface_ids         = ["${azurerm_network_interface.bastion.id}"]
  vm_size                       = "${var.vm_size}"
  delete_os_disk_on_termination = true

  storage_image_reference {
    publisher = "Canonical"
    offer     = "UbuntuServer"
    sku       = "16.04-LTS"
    version   = "latest"
  }

  storage_os_disk {
    name              = "myosdisk1"
    caching           = "ReadWrite"
    create_option     = "FromImage"
    managed_disk_type = "Standard_LRS"
  }

  os_profile {
    computer_name  = "${var.name_prefix}-bastion"
    admin_username = "${var.bastion_username}"
    admin_password = "${random_string.vm_password.result}"
  }

  os_profile_linux_config {
    disable_password_authentication = false
  }

  tags = {
    Environment = "${local.environment}"
    ManagedBy   = "TF"
    role        = "bastion"
    os_type     = "Linux"
  }
}