# Remote state backend. The HTTP backend takes its address and credentials from
# outside this file (the `-backend-config` CLI option or the TF_HTTP_ADDRESS /
# TF_HTTP_USERNAME / TF_HTTP_PASSWORD environment variables). The state written
# there contains the storage account key, the Vault token and the TLS private key
# that the resources below pass around, so the backend must be access-controlled
# and served over TLS.
terraform {
backend "http" {
}
}
# Provider requirements. The azurerm provider is pinned to an exact version so
# that a provider upgrade is an explicit, reviewed change rather than a side
# effect of `terraform init`.
terraform {
required_providers {
azurerm = {
source = "hashicorp/azurerm"
version = "3.53.0"
}
}
}
# No credentials are configured here, so the provider uses whatever Azure login is
# ambient at plan/apply time (CLI session, environment variables or a managed
# identity). That identity is the one granted key-management rights on the Key
# Vault below via data.azurerm_client_config.current.
provider "azurerm" {
features {}
}
# Vault server configuration, shipped into the container as
# /vault/config/vault.hcl (the "vault-config" secret volume of the container
# group).
#
# Storage backend: a plain file backend on the "vault-file" volume, an Azure
# Files share mounted at /vault/file. What Vault writes there is protected by its
# own encryption key material, which the seal block below guards; the share itself
# is reachable by anyone holding the storage account key.
backend "file" {
path = "/vault/file"
}
# API listener. Port 8200 is declared on the Vault container but not in the
# container group's exposed_port list, so it is reachable by the sibling container
# over localhost and not from the public IP. TLS is always on; the certificate and
# key come from the "vault-cert" / "vault-cert-key" secret volumes.
listener "tcp" {
address = "0.0.0.0:8200"
tls_cert_file = "/vault/cert/cert.pem"
tls_key_file = "/vault/cert-key/cert.key"
}
# NOTE(review): mlock is disabled, presumably because the container runtime does
# not grant the IPC_LOCK capability — confirm. Without mlock the process memory,
# including unsealed key material, may be paged to swap on the host.
disable_mlock = true
# Auto-unseal with an Azure Key Vault key. The vault name, key name and tenant id
# are supplied through the VAULT_AZUREKEYVAULT_VAULT_NAME,
# VAULT_AZUREKEYVAULT_KEY_NAME and AZURE_TENANT_ID environment variables of the
# container; authentication is via the container group's user-assigned managed
# identity, which is granted Get/WrapKey/UnwrapKey on that key.
seal "azurekeyvault" {
}
/* Custom Font */
@font-face {
  font-family: Rubik;
  src: url(../font/Rubik.ttf);
}

/* Rubik everywhere, with a generic fallback if the bundled font fails to load. */
body,
button {
  font-family: 'Rubik', sans-serif;
}

/* Shared text size for buttons, the success message and the subtitle. */
button,
.success-encrypted,
.subtitle {
  font-size: 18px;
}

/* Custom Wallpaper */
body {
  /* background-image: url("../img/background/background.jpg"); */
  background-color: #343a40;
}

/* Custom Color */
button:hover {
  background-color: rgba(76, 205, 79, 0.7);
}

/* The two action buttons share the brand green. */
.encrypt,
.clipboard {
  background-color: #4ccd4f;
}

/* Custom Logo size */
.logo {
  width: 250px;
}
# Resource group that holds everything for the one-time-secret (ots) deployment.
# The region comes from var.location so the whole stack can be moved together.
resource "azurerm_resource_group" "axe-ots" {
name = "axe-rg-ots"
location = var.location
}
# Identity Terraform is running as; its tenant and object id receive the
# key-management access policy on the Key Vault below.
data "azurerm_client_config" "current" {}
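# Key Vault that holds the Vault auto-unseal key. Losing that key makes every
# secret in the Vault storage backend unrecoverable, so the vault is configured so
# the key cannot be hard-deleted: soft-delete is retained for 7 days and purge
# protection is on. NOTE: purge protection cannot be switched off again once
# enabled, and a destroyed vault stays soft-deleted (un-purgeable) for the
# retention window; re-creating it under the same name relies on the provider
# recovering the soft-deleted vault, which azurerm does by default.
resource "azurerm_key_vault" "axe-ots" {
  name = "axe-kv-ots"
  location = azurerm_resource_group.axe-ots.location
  resource_group_name = azurerm_resource_group.axe-ots.name
  # Grants the Azure Disk Encryption service access to this vault. Not needed by
  # the Vault seal; kept as-is because removing it is unrelated to this change.
  enabled_for_disk_encryption = true
  tenant_id = data.azurerm_client_config.current.tenant_id
  soft_delete_retention_days = 7
  # Seal key must never be purgeable — see the header comment.
  purge_protection_enabled = true
  sku_name = "standard"
  # Policy for the identity running Terraform: full key lifecycle, needed to
  # create, rotate and recover the key below. "Purge" only applies to
  # soft-deleted keys and is the most destructive permission in this list.
  access_policy {
    tenant_id = data.azurerm_client_config.current.tenant_id
    object_id = data.azurerm_client_config.current.object_id
    key_permissions = [
      "Create",
      "Delete",
      "Get",
      "Purge",
      "Recover",
      "Update",
      "GetRotationPolicy",
      "SetRotationPolicy"
    ]
  }
  # Policy for the container group's user-assigned identity: the minimum the
  # Vault "azurekeyvault" seal needs (read key metadata, wrap/unwrap its key
  # material). It cannot create, delete or export anything.
  access_policy {
    tenant_id = data.azurerm_client_config.current.tenant_id
    object_id = azurerm_user_assigned_identity.axe-aci-ots.principal_id
    key_permissions = [
      "Get",
      "WrapKey",
      "UnwrapKey",
    ]
  }
}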
# RSA-4096 key used by the Vault "azurekeyvault" seal (key name "ots" matches
# VAULT_AZUREKEYVAULT_KEY_NAME on the Vault container).
# NOTE(review): the seal performs wrap/unwrap operations; the additional
# encrypt/decrypt/sign/verify operations look unnecessary and could be trimmed
# from key_opts if nothing else uses this key — confirm before narrowing.
# No key rotation policy is defined, so the key version never rotates on its own.
resource "azurerm_key_vault_key" "axe-ots" {
name = "ots"
key_vault_id = azurerm_key_vault.axe-ots.id
key_type = "RSA"
key_size = 4096
key_opts = [
"decrypt",
"encrypt",
"sign",
"unwrapKey",
"verify",
"wrapKey"
]
}
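# Storage account backing the Azure Files shares below (Vault data, ACME cache,
# icons). The container group mounts the shares with the account key, so that key
# is written into Terraform state and grants access to the whole account, not just
# one share. LRS keeps copies within a single datacenter only; Vault's storage
# therefore has no cross-zone/cross-region redundancy.
resource "azurerm_storage_account" "axe-ots" {
  name = "axestots"
  resource_group_name = azurerm_resource_group.axe-ots.name
  location = azurerm_resource_group.axe-ots.location
  account_tier = "Standard"
  account_replication_type = "LRS"
  # Hardening: require TLS 1.2 on the data plane and refuse anonymous public
  # access on blob containers, should one ever be added to this account.
  # Neither setting affects the SMB file-share mounts used by the containers.
  min_tls_version = "TLS1_2"
  allow_nested_items_to_be_public = false
}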
# Azure Files share holding Vault's file storage backend (mounted at /vault/file
# in the Vault container). Quota is in GiB.
resource "azurerm_storage_share" "axe-ots" {
name = "vault"
storage_account_name = azurerm_storage_account.axe-ots.name
quota = 1
}
# Share for the application's certificate cache (mounted at /var/www/.cache), so
# the certificate obtained for OTS_TLS_AUTO_DOMAIN survives container restarts
# instead of being re-requested each time. Quota is in GiB.
resource "azurerm_storage_share" "axe-ots-acme" {
name = "acme"
storage_account_name = azurerm_storage_account.axe-ots.name
quota = 1
}
# Share for favicons/icons served by the app (mounted at /app/static/icons).
# Content is uploaded out of band; Terraform only provisions the share.
resource "azurerm_storage_share" "axe-ots-icons" {
name = "icons"
storage_account_name = azurerm_storage_account.axe-ots.name
quota = 1
}
# resource "azurerm_storage_share" "axe-ots-background" {
# name = "background"
# storage_account_name = azurerm_storage_account.axe-ots.name
# quota = 1
# }
# Managed identity attached to the container group. Its only privilege is the
# Get/WrapKey/UnwrapKey access policy on the Key Vault, which is what the Vault
# seal needs to unseal at start-up.
resource "azurerm_user_assigned_identity" "axe-aci-ots" {
location = azurerm_resource_group.axe-ots.location
name = "axe-aci-ots"
resource_group_name = azurerm_resource_group.axe-ots.name
}
# Single ACI container group running Vault and the one-time-secret app side by
# side. Containers in a group share one network namespace, which is why the app
# reaches Vault at https://localhost:8200. Only 80 and 443 are published on the
# public IP; Vault's 8200 stays inside the group.
resource "azurerm_container_group" "axe-ots" {
name = "axe-aci-ots"
location = azurerm_resource_group.axe-ots.location
resource_group_name = azurerm_resource_group.axe-ots.name
ip_address_type = "Public"
dns_name_label = "axe-aci-ots"
os_type = "Linux"
# NOTE(review): with "Never", a container that exits stays down until the weekly
# Restart-ContainerGroup runbook fires — presumably intentional; confirm.
restart_policy = "Never"
# Ports published on the public IP. 8200 is deliberately not listed.
exposed_port {
port = 80
protocol = "TCP"
}
exposed_port {
port = 443
protocol = "TCP"
}
# The user-assigned identity is what the Vault seal authenticates with against
# Key Vault; no client secret is needed anywhere in this deployment.
identity {
type = "UserAssigned"
identity_ids = [
azurerm_user_assigned_identity.axe-aci-ots.id
]
}
# Vault container.
# NOTE(review): the image is a moving "latest" tag, so every restart of the
# group may pull a different Vault build. A fixed tag or digest would make the
# deployment reproducible and reviewable.
container {
name = "vault"
image = "hashicorp/vault:latest"
cpu = "0.5"
memory = "0.5"
ports {
port = 8200
protocol = "TCP"
}
commands = [
"vault", "server", "-config=/vault/config/vault.hcl"
]
# Seal parameters consumed by the `seal "azurekeyvault"` block in vault.hcl;
# VAULT_CACERT/VAULT_ADDR let the vault CLI inside the container talk to itself.
# NOTE(review): no AZURE_CLIENT_ID is set; verify that the seal picks the
# user-assigned identity above without it.
environment_variables = {
"VAULT_CACERT" = "/vault/cert/cert.pem"
"VAULT_ADDR" = "https://localhost:8200"
"VAULT_AZUREKEYVAULT_VAULT_NAME" = "axe-kv-ots"
"VAULT_AZUREKEYVAULT_KEY_NAME" = "ots"
"AZURE_TENANT_ID" = data.azurerm_client_config.current.tenant_id
}
# vault.hcl is read from the module at apply time and delivered as a secret
# volume; a config change therefore requires a re-apply, not just a restart.
volume {
name = "vault-config"
mount_path = "/vault/config"
secret = {
"vault.hcl" = filebase64("${path.module}/axe-ots/config/vault.hcl")
}
}
# Server certificate and private key as two separate secret volumes. Both
# values arrive through Terraform variables and are therefore stored in state.
volume {
name = "vault-cert"
mount_path = "/vault/cert"
secret = {
"cert.pem" = base64encode(var.ots_vault_cert)
}
}
volume {
name = "vault-cert-key"
mount_path = "/vault/cert-key"
secret = {
"cert.key" = base64encode(var.ots_vault_cert_key)
}
}
# Vault storage backend: the "vault" Azure Files share. Mounting with the
# account key gives the container access to the entire storage account, not
# only this share.
volume {
name = "vault-file"
mount_path = "/vault/file"
share_name = azurerm_storage_share.axe-ots.name
storage_account_name = azurerm_storage_account.axe-ots.name
storage_account_key = azurerm_storage_account.axe-ots.primary_access_key
}
}
# Application container. Same "latest"-tag caveat as the Vault image.
container {
name = "one-time-secret"
image = "ghcr.io/swissbuechi/one-time-secret:latest"
cpu = "0.5"
memory = "0.5"
# VAULT_CACERT points at the very certificate Vault serves (same var as
# "vault-cert" above), so the app trusts that exact cert rather than a CA.
# The app terminates TLS itself for OTS_TLS_AUTO_DOMAIN and redirects 80 -> 443.
environment_variables = {
"VAULT_CACERT" = "/vault/ca/cert.pem"
"VAULT_ADDR" = "https://localhost:8200"
"OTS_HTTP_BINDING_ADDRESS" = ":80"
"OTS_HTTPS_BINDING_ADDRESS" = ":443"
"OTS_HTTPS_REDIRECT_ENABLED" = "true"
"OTS_TLS_AUTO_DOMAIN" = "ots.axelion.ch"
}
# Secure variables are not returned by the ACI API/portal, unlike the plain
# environment_variables map above.
secure_environment_variables = {
"VAULT_TOKEN" = var.ots_vault_token
}
# Persistent certificate cache for the automatic TLS setup (presumably the
# ACME account/cert store — confirm against the app's docs).
volume {
name = "acme"
mount_path = "/var/www/.cache"
share_name = azurerm_storage_share.axe-ots-acme.name
storage_account_name = azurerm_storage_account.axe-ots.name
storage_account_key = azurerm_storage_account.axe-ots.primary_access_key
}
volume {
name = "vault-ca"
mount_path = "/vault/ca"
secret = {
"cert.pem" = base64encode(var.ots_vault_cert)
}
}
# Branding assets (CSS, logo, font) baked in from the module as secret volumes.
volume {
name = "css"
mount_path = "/app/static/css"
secret = {
"custom.css" = filebase64("${path.module}/axe-ots/css/custom.css")
}
}
volume {
name = "logo"
mount_path = "/app/static/img/logo"
secret = {
"logo.png" = filebase64("${path.module}/axe-ots/img/logo.png")
}
}
volume {
name = "font"
mount_path = "/app/static/font"
secret = {
"Rubik.ttf" = filebase64("${path.module}/axe-ots/font/Rubik.ttf")
}
}
# volume {
# name = "background"
# mount_path = "/app/static/img/background"
# share_name = azurerm_storage_share.axe-ots-background.name
# storage_account_name = azurerm_storage_account.axe-ots.name
# storage_account_key = azurerm_storage_account.axe-ots.primary_access_key
# }
volume {
name = "favicon"
mount_path = "/app/static/icons"
share_name = azurerm_storage_share.axe-ots-icons.name
storage_account_name = azurerm_storage_account.axe-ots.name
storage_account_key = azurerm_storage_account.axe-ots.primary_access_key
}
ports {
port = 80
protocol = "TCP"
}
ports {
port = 443
protocol = "TCP"
}
}
# The seal key must exist before Vault starts, otherwise auto-unseal fails on
# first boot.
depends_on = [ azurerm_key_vault_key.axe-ots ]
}
# Automation account whose only job is the weekly restart runbook below. Its
# system-assigned identity is what the runbook logs in with (Connect-AzAccount
# -Identity), so no credentials are stored in the account.
resource "azurerm_automation_account" "axe-ots" {
name = "axe-aa-ots"
location = azurerm_resource_group.axe-ots.location
resource_group_name = azurerm_resource_group.axe-ots.name
sku_name = "Basic"
identity {
type = "SystemAssigned"
}
}
# Lets the automation account restart the container group. Contributor is broader
# than the single restart action the runbook needs, but the assignment is scoped
# to this one container group, which bounds the blast radius to that resource.
resource "azurerm_role_assignment" "axe-ots" {
scope = azurerm_container_group.axe-ots.id
role_definition_name = "Contributor"
principal_id = azurerm_automation_account.axe-ots.identity.0.principal_id
}
# PowerShell runbook that restarts the container group; its two parameters are
# supplied by the job schedule below. Logging into Azure uses the automation
# account's managed identity, so the runbook body contains no secrets.
# Style: log_verbose/log_progress are booleans in the provider; the quoted
# "true" strings are coerced but `true` would be clearer.
resource "azurerm_automation_runbook" "axe-ots" {
name = "Restart-ContainerGroup"
location = azurerm_resource_group.axe-ots.location
resource_group_name = azurerm_resource_group.axe-ots.name
automation_account_name = azurerm_automation_account.axe-ots.name
log_verbose = "true"
log_progress = "true"
runbook_type = "PowerShell"
content = <<-EOT
param (
[Parameter(Mandatory=$true)]
[String]$containergroupname,
[Parameter(Mandatory=$true)]
[String]$resourcegroupname
)
Connect-AzAccount -Identity
Restart-AzContainerGroup -Name $containergroupname -ResourceGroupName $resourcegroupname
EOT
}
# Weekly schedule for the restart runbook. start_time must lie in the future, so
# it is built from "now + 24h" with the time-of-day portion of the RFC 3339 stamp
# replaced by 03:00:00. timestamp() changes on every plan, hence start_time is
# ignored after creation to avoid perpetual diffs.
# NOTE(review): the generated stamp keeps its trailing "Z" (UTC) while the
# schedule runs in Europe/Zurich — confirm the first run lands at the intended
# local time.
resource "azurerm_automation_schedule" "axe-ots" {
name = "weekly-saturday-3am"
resource_group_name = azurerm_resource_group.axe-ots.name
automation_account_name = azurerm_automation_account.axe-ots.name
frequency = "Week"
interval = 1
timezone = "Europe/Zurich"
start_time = replace(timeadd(timestamp(), "24h"), "/T\\d{2}:\\d{2}:\\d{2}/", "T03:00:00")
week_days = ["Saturday"]
lifecycle {
ignore_changes = [
start_time
]
}
}
# Binds the schedule to the runbook and passes the container group and resource
# group names as the runbook's two mandatory parameters (keys must match the
# param names in the runbook body, case-insensitively).
resource "azurerm_automation_job_schedule" "axe-ots" {
resource_group_name = azurerm_resource_group.axe-ots.name
automation_account_name = azurerm_automation_account.axe-ots.name
schedule_name = azurerm_automation_schedule.axe-ots.name
runbook_name = azurerm_automation_runbook.axe-ots.name
parameters = {
"resourcegroupname" = azurerm_resource_group.axe-ots.name
"containergroupname" = azurerm_container_group.axe-ots.name
}
}
# Azure region for the resource group; every other resource inherits it from
# there.
variable "location" {
type = string
default = "switzerlandnorth"
}
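# Vault token handed to the one-time-secret container as a secure environment
# variable. Marked sensitive so Terraform redacts it from plan/apply output and
# from any value derived from it; it is still persisted in state.
variable "ots_vault_token" {
  type = string
  sensitive = true
}
# PEM-encoded TLS certificate that Vault serves and that the app trusts as its
# CA. Public material, so not marked sensitive.
variable "ots_vault_cert" {
  type = string
}
# PEM-encoded private key matching ots_vault_cert. Sensitive: redacted from
# plan/apply output; note it is still written to state via the secret volume.
variable "ots_vault_cert_key" {
  type = string
  sensitive = true
}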