From dcd3461cda75a9dc78011b7da7e240ad45ab89a7 Mon Sep 17 00:00:00 2001
From: cshea15
Date: Sat, 23 Sep 2023 15:42:30 -0400
Subject: [PATCH] creating new fw quickstart

---
 quickstart/201-azfw-with-ipgroups/main.tf | 277 ++++++++++++++++++
 quickstart/201-azfw-with-ipgroups/outputs.tf | 7 +
 quickstart/201-azfw-with-ipgroups/provider.tf | 16 +
 quickstart/201-azfw-with-ipgroups/readme.md | 36 +++
 .../201-azfw-with-ipgroups/variables.tf | 37 +++
 5 files changed, 373 insertions(+)
 create mode 100644 quickstart/201-azfw-with-ipgroups/main.tf
 create mode 100644 quickstart/201-azfw-with-ipgroups/outputs.tf
 create mode 100644 quickstart/201-azfw-with-ipgroups/provider.tf
 create mode 100644 quickstart/201-azfw-with-ipgroups/readme.md
 create mode 100644 quickstart/201-azfw-with-ipgroups/variables.tf

diff --git a/quickstart/201-azfw-with-ipgroups/main.tf b/quickstart/201-azfw-with-ipgroups/main.tf
new file mode 100644
index 00000000..cb4a1e9c
--- /dev/null
+++ b/quickstart/201-azfw-with-ipgroups/main.tf
@@ -0,0 +1,277 @@
+resource "random_pet" "rg-name" {
+ prefix = var.resource_group_name_prefix
+}
+
+resource "random_string" "storage_account_name" {
+ length = 8
+ lower = true
+ numeric = false
+ special = false
+ upper = false
+}
+
+resource "azurerm_resource_group" "rg" {
+ name = random_pet.rg-name.id
+ location = var.resource_group_location
+}
+
+resource "azurerm_public_ip" "pip_azfw" {
+ name = "pip-azfw"
+ location = azurerm_resource_group.rg.location
+ resource_group_name = azurerm_resource_group.rg.name
+ allocation_method = "Static"
+ sku = "Standard"
+}
+
+resource "azurerm_storage_account" "sa" {
+ name = random_string.storage_account_name.result
+ resource_group_name = azurerm_resource_group.rg.name
+ location = azurerm_resource_group.rg.location
+ account_tier = "Standard"
+ account_replication_type = "LRS"
+ account_kind = "StorageV2"
+}
+
+resource "azurerm_firewall_policy" "azfw_policy" {
+ name = "azfw-policy"
+ resource_group_name = azurerm_resource_group.rg.name
+ location = azurerm_resource_group.rg.location
+ sku = var.firewall_sku_tier
+ threat_intelligence_mode = "Alert"
+}
+
+resource "azurerm_firewall_policy_rule_collection_group" "net_policy_rule_collection_group" {
+ name = "DefaultNetworkRuleCollectionGroup"
+ firewall_policy_id = azurerm_firewall_policy.azfw_policy.id
+ priority = 200
+ network_rule_collection {
+ name = "DefaultNetworkRuleCollection"
+ action = "Allow"
+ priority = 200
+ rule {
+ name = "networkRule"
+ protocols = ["Any"]
+ destination_ip_groups = [azurerm_ip_group.ip_group_2.id]
+ destination_ports = ["90"]
+ source_ip_groups = [azurerm_ip_group.ip_group_1.id]
+ }
+ }
+}
+
+resource "azurerm_firewall_policy_rule_collection_group" "app_policy_rule_collection_group" {
+ name = "DefaulApplicationtRuleCollectionGroup"
+ firewall_policy_id = azurerm_firewall_policy.azfw_policy.id
+ priority = 300
+ application_rule_collection {
+ name = "DefaultApplicationRuleCollection"
+ action = "Allow"
+ priority = 500
+ rule {
+ name = "SomeAppRule"
+ protocols {
+ type = "Http"
+ port = 8080
+ }
+ source_ip_groups = [azurerm_ip_group.ip_group_1.id]
+ destination_fqdns = ["*bing.com"]
+ }
+ }
+}
+
+resource "azurerm_firewall" "fw" {
+ name = "azfw"
+ location = azurerm_resource_group.rg.location
+ resource_group_name = azurerm_resource_group.rg.name
+ sku_name = "AZFW_VNet"
+ sku_tier = var.firewall_sku_tier
+ ip_configuration {
+ name = "azfw-ipconfig"
+ subnet_id = azurerm_subnet.azfw_subnet.id
+ public_ip_address_id = azurerm_public_ip.pip_azfw.id
+ }
+ firewall_policy_id = azurerm_firewall_policy.azfw_policy.id
+}
+
+resource "azurerm_ip_group" "ip_group_1" {
+ name = "ip-group_1"
+ resource_group_name = azurerm_resource_group.rg.name
+ location = azurerm_resource_group.rg.location
+ cidrs = ["13.73.64.64/26", "13.73.208.128/25", "52.126.194.0/23"]
+}
+resource "azurerm_ip_group" "ip_group_2" {
+ name = "ip_group_2"
+ resource_group_name = azurerm_resource_group.rg.name
+ location = azurerm_resource_group.rg.location
+ cidrs = ["12.0.0.0/24", "13.9.0.0/24"]
+}
+
+resource "azurerm_virtual_network" "azfw_vnet" {
+ name = "azfw-vnet"
+ location = azurerm_resource_group.rg.location
+ resource_group_name = azurerm_resource_group.rg.name
+ address_space = ["10.10.0.0/16"]
+}
+
+resource "azurerm_subnet" "azfw_subnet" {
+ name = "AzureFirewallSubnet"
+ resource_group_name = azurerm_resource_group.rg.name
+ virtual_network_name = azurerm_virtual_network.azfw_vnet.name
+ address_prefixes = ["10.10.0.0/26"]
+}
+
+resource "azurerm_subnet" "server_subnet" {
+ name = "subnet-workload"
+ resource_group_name = azurerm_resource_group.rg.name
+ virtual_network_name = azurerm_virtual_network.azfw_vnet.name
+ address_prefixes = ["10.10.1.0/24"]
+}
+
+resource "azurerm_subnet" "jump_subnet" {
+ name = "subnet-jump"
+ resource_group_name = azurerm_resource_group.rg.name
+ virtual_network_name = azurerm_virtual_network.azfw_vnet.name
+ address_prefixes = ["10.10.2.0/24"]
+}
+
+resource "azurerm_public_ip" "vm_jump_pip" {
+ name = "pip-jump"
+ location = azurerm_resource_group.rg.location
+ resource_group_name = azurerm_resource_group.rg.name
+ allocation_method = "Static"
+ sku = "Standard"
+}
+
+resource "azurerm_network_interface" "vm_server_nic" {
+ name = "nic-server"
+ location = azurerm_resource_group.rg.location
+ resource_group_name = azurerm_resource_group.rg.name
+
+ ip_configuration {
+ name = "ipconfig-workload"
+ subnet_id = azurerm_subnet.server_subnet.id
+ private_ip_address_allocation = "Dynamic"
+ }
+}
+
+resource "azurerm_network_interface" "vm_jump_nic" {
+ name = "nic-jump"
+ location = azurerm_resource_group.rg.location
+ resource_group_name = azurerm_resource_group.rg.name
+
+ ip_configuration {
+ name = "ipconfig-jump"
+ subnet_id = azurerm_subnet.jump_subnet.id
+ private_ip_address_allocation = "Dynamic"
+ public_ip_address_id = azurerm_public_ip.vm_jump_pip.id
+ }
+}
+
+resource "azurerm_network_security_group" "vm_server_nsg" {
+ name = "nsg-server"
+ location = azurerm_resource_group.rg.location
+ resource_group_name = azurerm_resource_group.rg.name
+}
+
+resource "azurerm_network_security_group" "vm_jump_nsg" {
+ name = "nsg-jump"
+ location = azurerm_resource_group.rg.location
+ resource_group_name = azurerm_resource_group.rg.name
+ security_rule {
+ name = "Allow-TCP"
+ priority = 1000
+ direction = "Inbound"
+ access = "Allow"
+ protocol = "Tcp"
+ source_port_range = "*"
+ destination_port_range = "22"
+ source_address_prefix = "*"
+ destination_address_prefix = "*"
+ }
+}
+
+resource "azurerm_network_interface_security_group_association" "vm_server_nsg_association" {
+ network_interface_id = azurerm_network_interface.vm_server_nic.id
+ network_security_group_id = azurerm_network_security_group.vm_server_nsg.id
+}
+
+resource "azurerm_network_interface_security_group_association" "vm_jump_nsg_association" {
+ network_interface_id = azurerm_network_interface.vm_jump_nic.id
+ network_security_group_id = azurerm_network_security_group.vm_jump_nsg.id
+}
+
+resource "azurerm_linux_virtual_machine" "vm_server" {
+ name = "server-vm"
+ resource_group_name = azurerm_resource_group.rg.name
+ location = azurerm_resource_group.rg.location
+ size = var.virtual_machine_size
+ admin_username = var.admin_username
+ admin_password = random_password.password.result
+ disable_password_authentication = false
+ network_interface_ids = [azurerm_network_interface.vm_server_nic.id]
+ os_disk {
+ caching = "ReadWrite"
+ storage_account_type = "Standard_LRS"
+ }
+ source_image_reference {
+ publisher = "Canonical"
+ offer = "UbuntuServer"
+ sku = "18.04-LTS"
+ version = "latest"
+ }
+ boot_diagnostics {
+ storage_account_uri = azurerm_storage_account.sa.primary_blob_endpoint
+ }
+}
+
+resource "azurerm_linux_virtual_machine" "vm_jump" {
+ name = "jump-vm"
+ resource_group_name = azurerm_resource_group.rg.name
+ location = azurerm_resource_group.rg.location
+ size = var.virtual_machine_size
+ admin_username = var.admin_username
+ admin_password = random_password.password.result
+ disable_password_authentication = false
+ network_interface_ids = [azurerm_network_interface.vm_jump_nic.id]
+ os_disk {
+ caching = "ReadWrite"
+ storage_account_type = "Standard_LRS"
+ }
+ source_image_reference {
+ publisher = "Canonical"
+ offer = "UbuntuServer"
+ sku = "18.04-LTS"
+ version = "latest"
+ }
+ boot_diagnostics {
+ storage_account_uri = azurerm_storage_account.sa.primary_blob_endpoint
+ }
+ computer_name = "JumpBox"
+
+}
+
+resource "azurerm_route_table" "rt" {
+ name = "rt-azfw-eus"
+ location = azurerm_resource_group.rg.location
+ resource_group_name = azurerm_resource_group.rg.name
+ disable_bgp_route_propagation = false
+ route {
+ name = "azfwDefaultRoute"
+ address_prefix = "0.0.0.0/0"
+ next_hop_type = "VirtualAppliance"
+ next_hop_in_ip_address = azurerm_firewall.fw.ip_configuration.0.private_ip_address
+ }
+}
+
+resource "azurerm_subnet_route_table_association" "jump_subnet_rt_association" {
+ subnet_id = azurerm_subnet.server_subnet.id
+ route_table_id = azurerm_route_table.rt.id
+}
+
+resource "random_password" "password" {
+ length = 20
+ min_lower = 1
+ min_upper = 1
+ min_numeric = 1
+ min_special = 1
+ special = true
+}
diff --git a/quickstart/201-azfw-with-ipgroups/outputs.tf b/quickstart/201-azfw-with-ipgroups/outputs.tf
new file mode 100644
index 00000000..3d6f89a1
--- /dev/null
+++ b/quickstart/201-azfw-with-ipgroups/outputs.tf
@@ -0,0 +1,7 @@
+output "resource_group_name" {
+ value = azurerm_resource_group.rg.name
+}
+
+output "firewall_name" {
+ value = azurerm_firewall.fw.name
+}
\ No newline at end of file
diff --git a/quickstart/201-azfw-with-ipgroups/provider.tf b/quickstart/201-azfw-with-ipgroups/provider.tf
new file mode 100644
index 00000000..18eea7b7
--- /dev/null
+++ b/quickstart/201-azfw-with-ipgroups/provider.tf
@@ -0,0 +1,16 @@
+terraform {
+ required_providers {
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = "~>3.0"
+ }
+ random = {
+ source = "hashicorp/random"
+ version = "~>3.0"
+ }
+ }
+}
+
+provider "azurerm" {
+ features {}
+}
diff --git a/quickstart/201-azfw-with-ipgroups/readme.md b/quickstart/201-azfw-with-ipgroups/readme.md
new file mode 100644
index 00000000..8d9aec20
--- /dev/null
+++ b/quickstart/201-azfw-with-ipgroups/readme.md
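Review bot: The `Allow-TCP` rule in `azurerm_network_security_group.vm_jump_nsg` admits inbound port 22 from `source_address_prefix = "*"`, and `vm_jump` sits on a public IP (`vm_jump_pip`) with `disable_password_authentication = false`, so the jump box is reachable from any address with password-only SSH; narrow the source to the operator's management range (`source_address_prefix = "<management-cidr>"`, ideally driven by a variable) and prefer `disable_password_authentication = true` with an `admin_ssh_key` block on both `vm_jump` and `vm_server`. `random_password.password.result` is stored in Terraform state and never surfaced, so the generated credential is only usable by reading the state file. `azurerm_subnet_route_table_association.jump_subnet_rt_association` binds `azurerm_subnet.server_subnet`, which looks intentional (forcing workload egress through the firewall while leaving the jump subnet's inbound path symmetric) but contradicts its name; rename it `server_subnet_rt_association` or add a comment saying why the jump subnet is excluded. Smaller nits: the rule collection group name `"DefaulApplicationtRuleCollectionGroup"` has transposed letters, and `ip_group_1` is named `"ip-group_1"` while `ip_group_2` is `"ip_group_2"`.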
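Review bot: `outputs.tf` exposes only `resource_group_name` and `firewall_name`, while the password generated by `random_password.password` in main.tf is used as `admin_password` for both VMs and is never output, so an operator cannot log in to the jump box without inspecting state directly. If password login is kept, add an `admin_password` output with `value = random_password.password.result` and `sensitive = true` so it can be retrieved with `terraform output -raw` without being printed during plan/apply; if SSH-key auth is adopted instead, no secret needs to be output at all. The file also ends without a trailing newline (`\ No newline at end of file`).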
@@ -0,0 +1,36 @@
+# Deploying Azure Firewall with IP Groups
+
+This template deploys an [Azure Firewall](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/firewall) with [IP Groups](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/ip_group)
+
+## Terraform resource types
+
+- [azurerm_resource_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group)
+- [azurerm_virtual_network](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_network)
+- [azurerm_subnet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet)
+- [azurerm_ip_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/ip_group)
+- [azurerm_public_ip](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/public_ip)
+- [azurerm_firewall_policy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/firewall_policy)
+- [azurerm_firewall_policy_rule_collection_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/firewall_policy_rule_collection_group)
+- [azurerm_firewall](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/firewall)
+- [azurerm_network_interface](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_interface)
+- [azurerm_network_security_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_security_group)
+- [azurerm_network_interface_security_group_association](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_interface_security_group_association
+- [azurerm_route_table](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/route_table)
+- [azurerm_subnet_route_table_association](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet_route_table_association)
+- [azurerm_linux_virtual_machine](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/linux_virtual_machine)
+- [azurerm_storage_account](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account)
+- [random_password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password)
+- [random_pet](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/pet)
+- [random_string](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string)}
+
+## Variables
+
+| Name | Description | Default value |
+|-|-|-|
+| `resource_group_location` | location for your resources | eastus |
+| `firewall_sku_tier` | Sku size for your Firewall and Firewall Policy | Premium |
+| `resource_group_name_prefix` | Prefix for your resource group | rg |
+| `virtual_machine_size` | Sku size for your jump and workload vms | Standard_D2_v3 |
+| `admin_username` | admin username for the jump and workload vms | azureuser |
+
+## Example
\ No newline at end of file
diff --git a/quickstart/201-azfw-with-ipgroups/variables.tf b/quickstart/201-azfw-with-ipgroups/variables.tf
new file mode 100644
index 00000000..2b836925
--- /dev/null
+++ b/quickstart/201-azfw-with-ipgroups/variables.tf
@@ -0,0 +1,37 @@
+variable "resource_group_location" {
+ type = string
+ description = "Location for all resources."
+ default = "eastus"
+}
+
+variable "resource_group_name_prefix" {
+ type = string
+ description = "Prefix for the Resource Group Name that's combined with a random id so name is unique in your Azure subcription."
+ default = "rg"
+}
+
+variable "firewall_sku_tier" {
+ type = string
+ description = "Firewall SKU."
+ default = "Premium" # Valid values are Standard and Premium
+ validation {
+ condition = contains(["Standard", "Premium"], var.firewall_sku_tier)
+ error_message = "The sku must be one of the following: Standard, Premium"
+ }
+}
+
+variable "virtual_machine_size" {
+ type = string
+ description = "Size of the virtual machine."
+ default = "Standard_D2_v3"
+}
+
+variable "admin_username" {
+ default = "azureuser"
+}
+
+variable "storage_name" {
+ type = string
+ description = "value of the storage account name"
+ default = "azfwteststgacctipg"
+}
\ No newline at end of file
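Review bot: `variable "storage_name"` is declared with a hard-coded default `"azfwteststgacctipg"` but nothing in main.tf references `var.storage_name` (the storage account is named from `random_string.storage_account_name.result`), so it is dead configuration and is also absent from the readme's variable table; either remove it or wire it in. `variable "admin_username"` declares neither `type` nor `description` while every other variable in the file has both; add `type = string` and `description = "Admin username for the jump and workload VMs."`. The `resource_group_name_prefix` description misspells `subcription`, and the file ends without a trailing newline (`\ No newline at end of file`).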