Add NAT Gateway for agents (#13)

* Add NAT Gateway for agents

* Fix linting

* Fix typos

* Add missing count

Author: jaredfholgate

alz/azuredevops/main.tf

@@ -49,6 +49,8 @@ module "azure" {
   virtual_network_subnet_address_prefix_container_instances = var.virtual_network_subnet_address_prefix_container_instances
   virtual_network_subnet_address_prefix_storage             = var.virtual_network_subnet_address_prefix_storage
   storage_account_replication_type                          = var.storage_account_replication_type
+  public_ip_name                                            = local.resource_names.public_ip
+  nat_gateway_name                                          = local.resource_names.nat_gateway
 }
 
 module "azure_devops" {

alz/azuredevops/terraform.tfvars

@@ -33,6 +33,8 @@ resource_names = {
   version_control_system_agent_pool_apply                    = "{{service_name}}-{{environment_name}}-apply"
   version_control_system_group                               = "{{service_name}}-{{environment_name}}-approvers"
   virtual_network                                            = "vnet-{{service_name}}-{{environment_name}}-{{azure_location}}-{{postfix_number}}"
+  public_ip                                                  = "pip-{{service_name}}-{{environment_name}}-{{azure_location}}-{{postfix_number}}"
+  nat_gateway                                                = "nat-{{service_name}}-{{environment_name}}-{{azure_location}}-{{postfix_number}}"
   subnet_container_instances                                 = "subnet-{{service_name}}-{{environment_name}}-{{azure_location}}-{{postfix_number}}-aci"
   subnet_storage                                             = "subnet-{{service_name}}-{{environment_name}}-{{azure_location}}-{{postfix_number}}-sto"
   private_endpoint                                           = "pe-{{service_name}}-{{environment_name}}-{{azure_location}}-{{postfix_number}}"

alz/github/main.tf

@@ -50,6 +50,8 @@ module "azure" {
   virtual_network_subnet_address_prefix_container_instances = var.virtual_network_subnet_address_prefix_container_instances
   virtual_network_subnet_address_prefix_storage             = var.virtual_network_subnet_address_prefix_storage
   storage_account_replication_type                          = var.storage_account_replication_type
+  public_ip_name                                            = local.resource_names.public_ip
+  nat_gateway_name                                          = local.resource_names.nat_gateway
 }
 
 module "github" {

alz/github/terraform.tfvars

@@ -23,6 +23,8 @@ resource_names = {
   version_control_system_team                                 = "{{service_name}}-{{environment_name}}-approvers"
   version_control_system_runner_group                         = "{{service_name}}-{{environment_name}}"
   virtual_network                                             = "vnet-{{service_name}}-{{environment_name}}-{{azure_location}}-{{postfix_number}}"
+  public_ip                                                   = "pip-{{service_name}}-{{environment_name}}-{{azure_location}}-{{postfix_number}}"
+  nat_gateway                                                 = "nat-{{service_name}}-{{environment_name}}-{{azure_location}}-{{postfix_number}}"
   subnet_container_instances                                  = "subnet-{{service_name}}-{{environment_name}}-{{azure_location}}-{{postfix_number}}-aci"
   subnet_storage                                              = "subnet-{{service_name}}-{{environment_name}}-{{azure_location}}-{{postfix_number}}-sto"
   private_endpoint                                            = "pe-{{service_name}}-{{environment_name}}-{{azure_location}}-{{postfix_number}}"

modules/azure/container_instances.tf

@@ -42,10 +42,4 @@ resource "azurerm_container_group" "alz" {
       (var.agent_token_environment_variable) = var.agent_token
     }
   }
-
-  lifecycle {
-    ignore_changes = [
-      container[0].secure_environment_variables
-    ]
-  }
 }

modules/azure/networking.tf

@@ -6,6 +6,29 @@ resource "azurerm_virtual_network" "alz" {
   address_space       = [var.virtual_network_address_space]
 }
 
+resource "azurerm_public_ip" "alz" {
+  count               = local.use_private_networking ? 1 : 0
+  name                = var.public_ip_name
+  location            = var.azure_location
+  resource_group_name = azurerm_resource_group.network[0].name
+  allocation_method   = "Static"
+  sku                 = "Standard"
+}
+
+resource "azurerm_nat_gateway" "alz" {
+  count               = local.use_private_networking ? 1 : 0
+  name                = var.nat_gateway_name
+  location            = var.azure_location
+  resource_group_name = azurerm_resource_group.network[0].name
+  sku_name            = "Standard"
+}
+
+resource "azurerm_nat_gateway_public_ip_association" "alz" {
+  count                = local.use_private_networking ? 1 : 0
+  nat_gateway_id       = azurerm_nat_gateway.alz[0].id
+  public_ip_address_id = azurerm_public_ip.alz[0].id
+}
+
 resource "azurerm_subnet" "container_instances" {
   count                             = local.use_private_networking ? 1 : 0
   name                              = var.virtual_network_subnet_name_container_instances
@@ -22,6 +45,12 @@ resource "azurerm_subnet" "container_instances" {
   }
 }
 
+resource "azurerm_subnet_nat_gateway_association" "container_instances" {
+  count          = local.use_private_networking ? 1 : 0
+  subnet_id      = azurerm_subnet.container_instances[0].id
+  nat_gateway_id = azurerm_nat_gateway.alz[0].id
+}
+
 resource "azurerm_subnet" "storage" {
   count                             = local.use_private_networking ? 1 : 0
   name                              = var.virtual_network_subnet_name_storage

modules/azure/variables.tf

@@ -202,6 +202,18 @@ variable "virtual_network_address_space" {
   default     = "10.0.0.0/24"
 }
 
+variable "public_ip_name" {
+  type        = string
+  description = "The name of the public ip"
+  default     = ""
+}
+
+variable "nat_gateway_name" {
+  type        = string
+  description = "The name of the nat gateway"
+  default     = ""
+}
+
 variable "virtual_network_subnet_name_container_instances" {
   type        = string
   description = "Name of the virtual network subnet"