feat(terraform/azure): add jumpbox module for private AKS cluster access #1008
base: main
Install aks cli in jumpbox Resolve conflicts Update code revise jumpbox validate and fmt revise use nap-complex to test revise revise revise enable ssh_key delete firewall fix error fix bugs fix bugs fix bugs fix bugs ssh debug update nsr update nsr reduce code update readme
This reverts commit ce11f9d.
Pull request overview
This PR adds a new Terraform module to provision Linux jumpbox VMs for accessing private AKS clusters. The jumpbox provides SSH-based access with pre-installed Azure/Kubernetes tools and automatic RBAC configuration for cluster authentication.
Key changes include:
- Self-contained jumpbox module with networking (NIC, NSG), VM provisioning, and RBAC role assignments
- Cloud-init based tool installation (Docker, Azure CLI, kubectl, kubelogin, Helm)
- Pipeline integration to pass SSH public key paths through input variables
Reviewed changes
Copilot reviewed 8 out of 8 changed files in this pull request and generated 9 comments.
| File | Description |
|---|---|
| steps/terraform/set-input-variables-azure.yml | Adds SSH_PUBLIC_KEY_PATH environment variable handling and passes public_key_path to Terraform input variables |
| modules/terraform/azure/variables.tf | Adds public_key_path optional field to json_input and jumpbox_config_list variable for jumpbox configuration |
| modules/terraform/azure/main.tf | Adds local variables for SSH key handling and instantiates jumpbox module with dependencies on AKS modules |
| modules/terraform/azure/jumpbox/variables.tf | Defines input variables for jumpbox module including validation for non-empty SSH public key |
| modules/terraform/azure/jumpbox/templates/cloud-init.tpl | Cloud-init template for installing development and Kubernetes management tools on jumpbox VM |
| modules/terraform/azure/jumpbox/main.tf | Core jumpbox module implementation creating NSG, NIC, VM, and conditional RBAC role assignments |
| modules/terraform/azure/jumpbox/README.md | Documentation for jumpbox module including features, variables, RBAC details, and usage examples |
| modules/terraform/azure/azure_input_schema.json | Adds public_key_path field to input schema definition |
The review thread below is attached to these lines of the jumpbox module's network security group resource:

```hcl
resource_group_name = var.resource_group_name
tags                = merge(var.tags, { "jumpbox" = "true" })

security_rule {
```
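Review bot: the security_rule block is opened inline inside the NSG resource, so its settings are fixed by the module rather than by the caller; since the thread below agrees that only TCP/22 is required, at minimum the allowed source address prefixes for SSH should come from a module variable with validation (no wildcard source), and any further rules should be supplied by the caller, so that who may reach the jumpbox is a deployment decision and not an implementation default.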
Can we make these settings more configurable, so the user can dynamically set them?
e.g. security-rule:
https://github.com/Azure/telescope/blob/ms-nap-complex/modules/terraform/azure/network/network-security-rule/main.tf
The jumpbox only needs to open SSH port 22 for remote access to the jumpbox.
As discussed, please do not expose these default values from the implementation directly (this is quite risky).
I just checked the documentation: https://registry.terraform.io/providers/hashicorp/azurerm/2.71.0/docs/resources/linux_virtual_machine
https://azure.github.io/eu-digital-covid-certificates-reference-architecture/terraform/modules/jumpbox/
There is no one standard value for a jumpbox, and these parameters are configurable; the current implementation hardcodes these values to only one example usage, but these values can have many different settings.
If you pay attention to argument_reference, e.g. os_disk, this has the possibility to be configured in other different ways.

Setting one fixed value not only limits the flexibility of the configuration, it is also hard to read and maintain in the future.
E.g. of other settings: https://github.com/hashicorp/terraform-provider-azurerm/tree/main/examples/virtual-machines/linux
I think it is best if we make this as user friendly/configurable as possible, so it can be used by other users in the future. Feel free to correct me if you have different opinions.
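One way to meet the request in this thread, as an added example that is not code from this PR or from the telescope repository: the SSH rule's allowed sources become a required, validated module variable and any further NSG rules are supplied by the caller, so no access default is baked into the implementation. The names `var.name`, `var.location`, `var.ssh_allowed_source_cidrs` and `var.security_rules` are assumptions, not variables the PR defines.

```hcl
# Added example, not the PR's code: NSG rules for the jumpbox driven by variables.
variable "ssh_allowed_source_cidrs" {
  description = "Sources allowed to reach the jumpbox on TCP/22; no default, the caller decides."
  type        = list(string)
  validation {
    condition     = length(var.ssh_allowed_source_cidrs) > 0 && !contains(var.ssh_allowed_source_cidrs, "*")
    error_message = "Give at least one source CIDR; '*' (any source) is rejected for SSH."
  }
}

variable "security_rules" {
  description = "NSG rules beyond SSH, supplied by the caller (priority 100 is reserved for SSH)."
  type = list(object({
    name = string, priority = number, direction = string, access = string, protocol = string,
    source_port_range = string, destination_port_range = string,
    source_address_prefixes = list(string), destination_address_prefix = string
  }))
  default = []
}

locals {
  ssh_rule = {
    name = "allow-ssh", priority = 100, direction = "Inbound", access = "Allow", protocol = "Tcp",
    source_port_range = "*", destination_port_range = "22",
    source_address_prefixes = var.ssh_allowed_source_cidrs, destination_address_prefix = "*"
  }
  all_rules = concat([local.ssh_rule], var.security_rules)
}

resource "azurerm_network_security_group" "jumpbox" {
  name                = "${var.name}-nsg"
  location            = var.location
  resource_group_name = var.resource_group_name
  tags                = merge(var.tags, { "jumpbox" = "true" })
  # One security_rule block per entry; the SSH rule is always first and never open to "*".
  dynamic "security_rule" {
    for_each = { for r in local.all_rules : r.name => r }
    content {
      name                       = security_rule.value.name
      priority                   = security_rule.value.priority
      direction                  = security_rule.value.direction
      access                     = security_rule.value.access
      protocol                   = security_rule.value.protocol
      source_port_range          = security_rule.value.source_port_range
      destination_port_range     = security_rule.value.destination_port_range
      source_address_prefixes    = security_rule.value.source_address_prefixes
      destination_address_prefix = security_rule.value.destination_address_prefix
    }
  }
}
```

A `terraform plan` with an empty list or a `"*"` entry in `ssh_allowed_source_cidrs` fails at the validation block, before any resource is touched.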
The review thread below is attached to these lines of the jumpbox module's network interface resource:

```hcl
resource_group_name = var.resource_group_name
tags                = merge(var.tags, { "jumpbox" = "true" })

ip_configuration {
```
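Review bot: the ip_configuration block is declared inline on the NIC with the module's own defaults (see the comment below); exposing its settings, such as private IP allocation and whether a public IP is attached at all, as variables with documented defaults in variables.tf keeps those defaults out of the implementation, which is the same concern already raised for the NSG rule.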
These settings are default settings for the jumpbox; there is no need to configure them.
As discussed, please do not expose these default values from the implementation directly (this is quite risky).


Add jumpbox module to support access to private clusters.