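---
- name: Create a network in Azure with ISE and VPN
  hosts: localhost
  connection: local
  gather_facts: false
  vars_files:
    - vars/main.yaml
  vars:
    # Tag set applied to every taggable resource in this play. `started`
    # records when the run created the resource so it can be traced back to
    # a person and a point in time.
    common_tags:
      project: "{{ project_name }}"
      owner: "{{ owner }}"
      started: "{{ '%Y-%m-%d T%H:%M:%S-%Z' | strftime }}"
  #--------------------------------------------------------------------------
  # This role creates a local SSH key pair named after the project.
  #--------------------------------------------------------------------------
  roles:
    - role: ssh_key_local
      vars:
        ssh_key_name: "{{ project_name }}"
  #--------------------------------------------------------------------------
  # 💡 API access for the azure.azcollection modules requires an Azure
  # service principal. Instructions:
  # https://learn.microsoft.com/en-us/azure/developer/ansible/create-ansible-service-principal?tabs=azure-cli
  # Keep its secret out of vars/main.yaml and out of version control; supply
  # it through the AZURE_* environment variables or ~/.azure/credentials.
  #
  # The play creates a local SSH key, then a Resource Group (RG), Virtual
  # Network (VN), Network Security Group (NSG) and two subnets (private and
  # gateway). The NSG is attached to the private subnet.
  #
  # Optional overrides (each falls back to the value this playbook shipped
  # with, so existing var files keep working):
  #   az_nsg_allowed_source   - source prefix / service tag allowed inbound
  #   az_storage_account_name - globally unique boot-diagnostics account name
  #   ise_vm_name             - VM name used by the ISE ARM parameters file
  #   az_local_network_cidr   - on-prem prefix routed through the VPN gateway
  #   ise_template_link / ise_parameters_link
  #   lng_template_link / lng_parameters_link
  #   vpn_template_link / vpn_parameters_link
  #--------------------------------------------------------------------------
  tasks:
    - name: Create a resource group
      azure.azcollection.azure_rm_resourcegroup:
        name: "{{ az_resource_group }}"
        location: "{{ az_region }}"
        tags: "{{ common_tags }}"

    - name: Create virtual network
      azure.azcollection.azure_rm_virtualnetwork:
        resource_group: "{{ az_resource_group }}"
        name: "{{ az_vn_name }}"
        address_prefixes: "{{ az_vn_cidr }}"
        tags: "{{ common_tags }}"

    #--------------------------------------------------------------------------
    # Create the Network Security Group (ACL) before the subnets so it can be
    # attached to the private subnet as that subnet is created.
    #
    # The ISE ARM template below also creates a Public IP for the VM, so these
    # rules decide what the Internet can reach. The previous rules used a "*"
    # source, which published every TCP/UDP port of ISE (admin GUI, SSH,
    # RADIUS/TACACS, ...) to any address. `VirtualNetwork` is the Azure
    # service tag for the VNet address space plus on-prem prefixes connected
    # through the VPN gateway, i.e. the admin path this play builds. Override
    # az_nsg_allowed_source with a CIDR to narrow it further, and reduce
    # destination_port_range to the ports ISE actually needs once they are
    # known for this deployment.
    #--------------------------------------------------------------------------
    - name: Create network security group
      azure.azcollection.azure_rm_securitygroup:
        resource_group: "{{ az_resource_group }}"
        name: "sg_{{ project_name }}"
        purge_rules: true
        rules:
          - name: AllowTrustedTCP
            protocol: Tcp
            source_address_prefix: "{{ az_nsg_allowed_source | default('VirtualNetwork') }}"
            destination_port_range: "*"
            access: Allow
            priority: 100
            direction: Inbound
          - name: AllowTrustedUDP
            protocol: Udp
            source_address_prefix: "{{ az_nsg_allowed_source | default('VirtualNetwork') }}"
            destination_port_range: "*"
            access: Allow  # stated explicitly; the UDP/ICMP rules previously omitted it
            priority: 101
            direction: Inbound
          - name: AllowTrustedPing
            protocol: Icmp
            source_address_prefix: "{{ az_nsg_allowed_source | default('VirtualNetwork') }}"
            destination_port_range: "*"
            access: Allow
            priority: 102
            direction: Inbound
        tags: "{{ common_tags }}"

    #--------------------------------------------------------------------------
    # The private subnet is where ISE will be installed.
    # Subnets do not support tags; adding `tags` here fails the task and
    # stops the playbook.
    #--------------------------------------------------------------------------
    - name: Add private subnet
      azure.azcollection.azure_rm_subnet:
        resource_group: "{{ az_resource_group }}"
        name: "{{ az_vn_name }}-private"
        address_prefix: "{{ az_vn_private_subnet_cidr }}"
        virtual_network: "{{ az_vn_name }}"
        security_group_name: "sg_{{ project_name }}"

    #--------------------------------------------------------------------------
    # The gateway subnet is where the VPN gateway lives. A subnet with the
    # fixed name "GatewaySubnet" is required for the VPN.
    #--------------------------------------------------------------------------
    - name: Add gateway subnet
      azure.azcollection.azure_rm_subnet:
        resource_group: "{{ az_resource_group }}"
        name: GatewaySubnet  # default name Azure expects
        address_prefix: "{{ az_vn_gateway_subnet_cidr }}"
        virtual_network: "{{ az_vn_name }}"

    #--------------------------------------------------------------------------
    # Storage account for Boot Diagnostics so the Serial Console can be used.
    # Treat the diagnostics data as sensitive: refuse plain HTTP and require
    # TLS 1.2 for every request to the account.
    #--------------------------------------------------------------------------
    - name: Create a storage account
      azure.azcollection.azure_rm_storageaccount:
        resource_group: "{{ az_resource_group }}"
        name: "{{ az_storage_account_name | default('ise32d4sstorage') }}"  # MUST be globally unique
        account_type: Standard_LRS
        kind: StorageV2
        https_only: true
        minimum_tls_version: TLS1_2
        tags: "{{ common_tags }}"

    #--------------------------------------------------------------------------
    # Resource Manager deployment from an ARM template installs ISE, its NIC
    # and a Public IP. `template_link` is the same for every ISE VM; customise
    # `parameters_link` per ISE node.
    #
    # ⚠ Supply-chain note: the deployment runs with this service principal's
    # rights over the resource group, so whoever controls the template and
    # parameters URLs controls what gets created. Point the *_template_link /
    # *_parameters_link variables at a repository you control, or vendor the
    # JSON and pass it with `template:` / `parameters:` (dicts) instead of
    # links. Anything secret in a parameters file (the VPN connection's
    # shared key, if it is carried there) must not be hosted on a public
    # site; pass it via `parameters:` from Ansible Vault.
    #--------------------------------------------------------------------------
    - name: Create an ISE Resource Manager Deployment
      azure.azcollection.azure_rm_deployment:
        resource_group: "{{ az_resource_group }}"
        name: "ISEinAzure"
        template_link: "{{ ise_template_link | default('https://isedemolab.com/endpoints/azuredeploy.json') }}"
        parameters_link: "{{ ise_parameters_link | default('https://isedemolab.com/endpoints/azuredeploy.parameters.json') }}"

    #--------------------------------------------------------------------------
    # The deployment accepts tags but does not propagate them to the resources
    # it creates, so tag the ISE VM directly to record when and by whom it was
    # created. The VM name must match the one in the ARM parameters file.
    #--------------------------------------------------------------------------
    - name: Add tags to ISE VM
      azure.azcollection.azure_rm_virtualmachine:
        resource_group: "{{ az_resource_group }}"
        name: "{{ ise_vm_name | default('ise32-d4s') }}"
        tags: "{{ common_tags | combine({'role': 'PSN'}) }}"

    #--------------------------------------------------------------------------
    # Site-to-Site VPN. Start with a static Standard-SKU public IP for the
    # virtual network gateway.
    #--------------------------------------------------------------------------
    - name: Create a public IP Address for VPN
      azure.azcollection.azure_rm_publicipaddress:
        resource_group: "{{ az_resource_group }}"
        name: vpn-ip
        sku: standard
        allocation_method: static
        tags: "{{ common_tags }}"

    #--------------------------------------------------------------------------
    # The Virtual Network Gateway is the Azure end of the tunnel: the remote
    # device the on-prem router connects TO. Expect ~20 minutes for this task.
    # No `sku` is set, so the module's default gateway SKU applies; set it
    # explicitly if a particular throughput or feature tier is required.
    #--------------------------------------------------------------------------
    - name: Create virtual network gateway without BGP settings
      azure.azcollection.azure_rm_virtualnetworkgateway:
        resource_group: "{{ az_resource_group }}"
        name: "{{ az_resource_group }}-vng"
        ip_configurations:
          - name: vpnipconfig
            private_ip_allocation_method: Dynamic
            public_ip_address_name: vpn-ip
            subnet: GatewaySubnet
        virtual_network: "{{ az_vn_name }}"
        tags: "{{ common_tags }}"

    #--------------------------------------------------------------------------
    # The Local Network Gateway represents YOUR on-prem VPN device, the end
    # that connects FROM. The supply-chain note above applies to these links.
    #--------------------------------------------------------------------------
    - name: Create a Local Network Gateway
      azure.azcollection.azure_rm_deployment:
        resource_group: "{{ az_resource_group }}"
        name: "LocalNetworkGateway"
        template_link: "{{ lng_template_link | default('https://isedemolab.com/endpoints/azure_lng.json') }}"
        parameters_link: "{{ lng_parameters_link | default('https://isedemolab.com/endpoints/azure_lng.parameters.json') }}"
        tags: "{{ common_tags }}"

    #--------------------------------------------------------------------------
    # The Connection is the VPN configuration of the Virtual Network Gateway.
    # Its properties in the Azure portal can be used to download the
    # configuration for the on-prem VPN device. The supply-chain note above
    # applies to these links as well.
    #--------------------------------------------------------------------------
    - name: Create a VPN Connection
      azure.azcollection.azure_rm_deployment:
        resource_group: "{{ az_resource_group }}"
        name: "VPNConnection"
        template_link: "{{ vpn_template_link | default('https://isedemolab.com/endpoints/azure_vpn.json') }}"
        parameters_link: "{{ vpn_parameters_link | default('https://isedemolab.com/endpoints/azure_vpn.parameters.json') }}"
        tags: "{{ common_tags }}"

    #--------------------------------------------------------------------------
    # Route table for the private subnet: send the on-prem prefix through the
    # VPN gateway.
    #--------------------------------------------------------------------------
    - name: Create a route table
      azure.azcollection.azure_rm_routetable:
        name: "rt_{{ az_vn_name }}"
        resource_group: "{{ az_resource_group }}"
        tags: "{{ common_tags }}"

    - name: Associate route table to private subnet
      azure.azcollection.azure_rm_subnet:
        resource_group: "{{ az_resource_group }}"
        name: "{{ az_vn_name }}-private"
        virtual_network: "{{ az_vn_name }}"
        address_prefix: "{{ az_vn_private_subnet_cidr }}"
        route_table: "rt_{{ az_vn_name }}"
        # Re-state the NSG so this update cannot leave the subnet without it.
        security_group_name: "sg_{{ project_name }}"

    - name: Create route from Azure to local network
      azure.azcollection.azure_rm_route:
        name: "RoutetoCSR"
        resource_group: "{{ az_resource_group }}"
        next_hop_type: virtual_network_gateway
        address_prefix: "{{ az_local_network_cidr | default('10.1.100.0/24') }}"
        route_table_name: "rt_{{ az_vn_name }}"
        tags: "{{ common_tags }}"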