diff --git a/quickstart/101-azfw-with-fwpolicy/README.md b/quickstart/101-azfw-with-fwpolicy/README.md
deleted file mode 100644
index 5fb78139..00000000
--- a/quickstart/101-azfw-with-fwpolicy/README.md
+++ /dev/null
@@ -1,230 +0,0 @@ -# Deploy Azure Firewall and a Firewall Policy - -This template deploys an Azure Firewall and a Firewall Policy. The Firewall Policy is associated to the Firewall. - -## Resources - -| Terraform Resource Type | Description | -| - | - | -| `azurerm_resource_group` | The resource group all the deployed resources.| -| `azurerm_virtual_network` | The virtual network for the firewall. | -| `azurerm_subnet` |The firewall subnet.| -| `azurerm_public_ip` | The firewall public IP address. | -| `azurerm_firewall` | The premium Azure Firewall. | -| `azurerm_firewall_policy` | The policy associated to the Firewall | -| `azurerm_firewall_policy_rule_collection_group` | the rules collection group for firewall policy | -| `azurerm_ip_group` | The IP group for source addresses. | - -## Variables - -| Name | Description | -|-|-| -| `location` | location for your resources | -| `tags` | tags to organize your resources | -| `fw_sku` | Sku size for your Firewall and Firewall Policy | - -## Example - -```powershell -terraform plan -out main.tfplan - - # azurerm_firewall.fw will be created - + resource "azurerm_firewall" "fw" { - + firewall_policy_id = (known after apply) - + id = (known after apply) - + location = "eastus" - + name = "azfw" - + resource_group_name = "azfw-rg" - + sku_name = "AZFW_VNet" - + sku_tier = "Premium" - + threat_intel_mode = (known after apply) - - + ip_configuration { - + name = "azfw-ipconfig" - + private_ip_address = (known after apply) - + public_ip_address_id = (known after apply) - + subnet_id = (known after apply) - } - } - - # azurerm_firewall_policy.azfw_policy will be created - + resource "azurerm_firewall_policy" "azfw_policy" { - + child_policies = (known after apply) - + firewalls = (known after apply) - + id = (known after apply) - + location = "eastus" - + name = "azfw-policy" - + resource_group_name = "azfw-rg" - + rule_collection_groups = (known after apply) - + sku = "Premium" - + threat_intelligence_mode = "Alert" - } - - # 
azurerm_firewall_policy_rule_collection_group.app_policy_rule_collection_group will be created - + resource "azurerm_firewall_policy_rule_collection_group" "app_policy_rule_collection_group" { - + firewall_policy_id = (known after apply) - + id = (known after apply) - + name = "DefaulApplicationtRuleCollectionGroup" - + priority = 300 - - + application_rule_collection { - + action = "Allow" - + name = "DefaultApplicationRuleCollection" - + priority = 500 - - + rule { - + description = "Allow Windows Update" - + destination_fqdn_tags = [ - + "WindowsUpdate", - ] - + name = "AllowWindowsUpdate" - + source_ip_groups = (known after apply) - - + protocols { - + port = 80 - + type = "Http" - } - + protocols { - + port = 443 - + type = "Https" - } - } - + rule { - + description = "Allow access to Microsoft.com" - + destination_fqdns = [ - + "*.microsoft.com", - ] - + name = "Global Rule" - + source_ip_groups = (known after apply) - + terminate_tls = false - - + protocols { - + port = 443 - + type = "Https" - } - } - } - } - - # azurerm_firewall_policy_rule_collection_group.net_policy_rule_collection_group will be created - + resource "azurerm_firewall_policy_rule_collection_group" "net_policy_rule_collection_group" { - + firewall_policy_id = (known after apply) - + id = (known after apply) - + name = "DefaultNetworkRuleCollectionGroup" - + priority = 200 - - + network_rule_collection { - + action = "Allow" - + name = "DefaultNetworkRuleCollection" - + priority = 200 - - + rule { - + destination_addresses = [ - + "132.86.101.172", - ] - + destination_ports = [ - + "123", - ] - + name = "time-windows" - + protocols = [ - + "UDP", - ] - + source_ip_groups = (known after apply) - } - } - } - - # azurerm_ip_group.infra_ip_group will be created - + resource "azurerm_ip_group" "infra_ip_group" { - + cidrs = [ - + "10.40.0.0/24", - + "10.50.0.0/24", - ] - + firewall_ids = (known after apply) - + firewall_policy_ids = (known after apply) - + id = (known after apply) - + location = 
"eastus" - + name = "infra-ip-group" - + resource_group_name = "azfw-rg" - } - - # azurerm_ip_group.workload_ip_group will be created - + resource "azurerm_ip_group" "workload_ip_group" { - + cidrs = [ - + "10.20.0.0/24", - + "10.30.0.0/24", - ] - + firewall_ids = (known after apply) - + firewall_policy_ids = (known after apply) - + id = (known after apply) - + location = "eastus" - + name = "workload-ip-group" - + resource_group_name = "azfw-rg" - } - - # azurerm_public_ip.pip_azfw will be created - + resource "azurerm_public_ip" "pip_azfw" { - + allocation_method = "Static" - + ddos_protection_mode = "VirtualNetworkInherited" - + fqdn = (known after apply) - + id = (known after apply) - + idle_timeout_in_minutes = 4 - + ip_address = (known after apply) - + ip_version = "IPv4" - + location = "eastus" - + name = "pip-azfw" - + resource_group_name = "azfw-rg" - + sku = "Standard" - + sku_tier = "Regional" - + tags = { - + "costcenter" = "1234556677" - + "environment" = "dev" - + "owner" = "cloud team" - + "workload" = "azure firewall" - } - } - - # azurerm_resource_group.azfw_rg will be created - + resource "azurerm_resource_group" "azfw_rg" { - + id = (known after apply) - + location = "eastus" - + name = "azfw-rg" - + tags = { - + "costcenter" = "1234556677" - + "environment" = "dev" - + "owner" = "cloud team" - + "workload" = "azure firewall" - } - } - - # azurerm_subnet.azfw_subnet will be created - + resource "azurerm_subnet" "azfw_subnet" { - + address_prefixes = [ - + "10.10.0.0/26", - ] - + enforce_private_link_endpoint_network_policies = (known after apply) - + enforce_private_link_service_network_policies = (known after apply) - + id = (known after apply) - + name = "AzureFirewallSubnet" - + private_endpoint_network_policies_enabled = (known after apply) - + private_link_service_network_policies_enabled = (known after apply) - + resource_group_name = "azfw-rg" - + virtual_network_name = "azfw-vnet" - } - - # azurerm_virtual_network.azfw_vnet will be 
created - + resource "azurerm_virtual_network" "azfw_vnet" { - + address_space = [ - + "10.10.0.0/24", - ] - + dns_servers = (known after apply) - + guid = (known after apply) - + id = (known after apply) - + location = "eastus" - + name = "azfw-vnet" - + resource_group_name = "azfw-rg" - + subnet = (known after apply) - } - -Plan: 10 to add, 0 to change, 0 to destroy. -`````` \ No newline at end of file diff --git a/quickstart/101-azfw-with-fwpolicy/main.tf b/quickstart/101-azfw-with-fwpolicy/main.tf deleted file mode 100644 index c3998133..00000000 --- a/quickstart/101-azfw-with-fwpolicy/main.tf +++ /dev/null 
@@ -1,153 +0,0 @@
-
-// Create a Resource Group
-resource "azurerm_resource_group" "azfw_rg" {
- name = "azfw-rg"
- location = var.location
- tags = var.tags
-}
-// Create a Virtual Network
-resource "azurerm_virtual_network" "azfw_vnet" {
- name = "azfw-vnet"
- location = azurerm_resource_group.azfw_rg.location
- resource_group_name = azurerm_resource_group.azfw_rg.name
- address_space = ["10.10.0.0/24"]
- depends_on = [
- azurerm_resource_group.azfw_rg
- ]
-}
-
-// Create IP Groups
-resource "azurerm_ip_group" "workload_ip_group" {
- name = "workload-ip-group"
- resource_group_name = azurerm_resource_group.azfw_rg.name
- location = azurerm_resource_group.azfw_rg.location
- cidrs = ["10.20.0.0/24", "10.30.0.0/24"]
- depends_on = [
- azurerm_resource_group.azfw_rg,
- azurerm_virtual_network.azfw_vnet
- ]
-}
-resource "azurerm_ip_group" "infra_ip_group" {
- name = "infra-ip-group"
- resource_group_name = azurerm_resource_group.azfw_rg.name
- location = azurerm_resource_group.azfw_rg.location
- cidrs = ["10.40.0.0/24", "10.50.0.0/24"]
- depends_on = [
- azurerm_resource_group.azfw_rg,
- azurerm_virtual_network.azfw_vnet
- ]
-}
-
-// Create the Azure Firewall Subnet
-resource "azurerm_subnet" "azfw_subnet" {
- name = "AzureFirewallSubnet"
- resource_group_name = azurerm_resource_group.azfw_rg.name
- virtual_network_name = azurerm_virtual_network.azfw_vnet.name
- address_prefixes = ["10.10.0.0/26"]
- depends_on = [
- azurerm_resource_group.azfw_rg,
- azurerm_virtual_network.azfw_vnet
- ]
-}
-
-// Create a Public IP Address for Azure Firewall
-resource "azurerm_public_ip" "pip_azfw" {
- name = "pip-azfw"
- location = azurerm_resource_group.azfw_rg.location
- resource_group_name = azurerm_resource_group.azfw_rg.name
- allocation_method = "Static"
- sku = "Standard"
- tags = azurerm_resource_group.azfw_rg.tags
- depends_on = [
- azurerm_resource_group.azfw_rg
- ]
-}
-
-// Create a Azure Firewall Policy
-resource "azurerm_firewall_policy" "azfw_policy" {
- name = "azfw-policy"
- resource_group_name = azurerm_resource_group.azfw_rg.name
- location = azurerm_resource_group.azfw_rg.location
- sku = var.fw_sku
- threat_intelligence_mode = "Alert"
-}
-
-// Create a Network Rule Collection Group
-// Create a Network Rule Collection
-// Create rules for NTP
-resource "azurerm_firewall_policy_rule_collection_group" "net_policy_rule_collection_group" {
- name = "DefaultNetworkRuleCollectionGroup"
- firewall_policy_id = azurerm_firewall_policy.azfw_policy.id
- priority = 200
- network_rule_collection {
- name = "DefaultNetworkRuleCollection"
- action = "Allow"
- priority = 200
- rule {
- name = "time-windows"
- protocols = ["UDP"]
- source_ip_groups = [azurerm_ip_group.workload_ip_group.id, azurerm_ip_group.infra_ip_group.id]
- destination_ports = ["123"]
- destination_addresses = ["132.86.101.172"]
- }
- }
-}
-
-// Create a Azure Firewall Policy Rule Collection Group
-// Create a Application Rule Collection
-// Create rules for Windows Update
-// Create rules for Microsoft.com
-resource "azurerm_firewall_policy_rule_collection_group" "app_policy_rule_collection_group" {
- name = "DefaulApplicationtRuleCollectionGroup"
- firewall_policy_id = azurerm_firewall_policy.azfw_policy.id
- priority = 300
- application_rule_collection {
- name = "DefaultApplicationRuleCollection"
- action = "Allow"
- priority = 500
- rule {
- name = "AllowWindowsUpdate"
-
- description = "Allow Windows Update"
- protocols {
- type = "Http"
- port = 80
- }
- protocols {
- type = "Https"
- port = 443
- }
- source_ip_groups = [azurerm_ip_group.workload_ip_group.id, azurerm_ip_group.infra_ip_group.id]
- destination_fqdn_tags = ["WindowsUpdate"]
- }
- rule {
- name = "Global Rule"
- description = "Allow access to Microsoft.com"
- protocols {
- type = "Https"
- port = 443
- }
- destination_fqdns = ["*.microsoft.com"]
- terminate_tls = false
- source_ip_groups = [azurerm_ip_group.workload_ip_group.id, azurerm_ip_group.infra_ip_group.id]
- }
- }
- depends_on = [
- azurerm_firewall_policy.azfw_policy
- ]
-}
-
-// Create the Azure Firewall
-resource "azurerm_firewall" "fw" {
- name = "azfw"
- location = azurerm_resource_group.azfw_rg.location
- resource_group_name = azurerm_resource_group.azfw_rg.name
- sku_name = "AZFW_VNet"
- sku_tier = var.fw_sku
- ip_configuration {
- name = "azfw-ipconfig"
- subnet_id = azurerm_subnet.azfw_subnet.id
- public_ip_address_id = azurerm_public_ip.pip_azfw.id
- }
- firewall_policy_id = azurerm_firewall_policy.azfw_policy.id
-}
\ No newline at end of file
diff --git a/quickstart/101-azfw-with-fwpolicy/outputs.tf b/quickstart/101-azfw-with-fwpolicy/outputs.tf
deleted file mode 100644
index 67ad7df3..00000000
--- a/quickstart/101-azfw-with-fwpolicy/outputs.tf
+++ /dev/null
@@ -1,3 +0,0 @@
-output "rg_name" {
- value = azurerm_resource_group.azfw_rg.name
-}
\ No newline at end of file
diff --git a/quickstart/101-azfw-with-fwpolicy/provider.tf b/quickstart/101-azfw-with-fwpolicy/provider.tf
deleted file mode 100644
index 76b5065b..00000000
--- a/quickstart/101-azfw-with-fwpolicy/provider.tf
+++ /dev/null
@@ -1,16 +0,0 @@
-terraform {
- required_providers {
- azurerm = {
- source = "hashicorp/azurerm"
- version = "3.69.0"
- }
- }
-}
-
-provider "azurerm" {
- features {
- resource_group {
- prevent_deletion_if_contains_resources = false // Set to True for Production
- }
- }
-}
diff --git a/quickstart/101-azfw-with-fwpolicy/variables.tf b/quickstart/101-azfw-with-fwpolicy/variables.tf
deleted file mode 100644
index 2a925a38..00000000
--- a/quickstart/101-azfw-with-fwpolicy/variables.tf
+++ /dev/null
@@ -1,18 +0,0 @@
-// Create Variables for Location and Tags
-variable "location" {
- default = "eastus"
-}
-variable "tags" {
- default = {
- environment = "dev"
- costcenter = "1234556677"
- owner = "cloud team"
- workload = "azure firewall"
- }
-}
-
-// Create Firewall Variables
-variable "fw_sku" {
- default = "Premium" # Valid values are Standard and Premium
-}
-
diff --git a/quickstart/201-azfw-with-secure-hub/README.md b/quickstart/201-azfw-with-secure-hub/README.md
deleted file mode 100644
index 2bdb52b8..00000000
--- a/quickstart/201-azfw-with-secure-hub/README.md
+++ /dev/null
@@ -1,543 +0,0 @@ -# Deploy Azure Firewall and a Firewall Policy - -This template deploys an Azure Firewall and a Firewall Policy to a Secure Hub. The Firewall Policy is associated with the Firewall policy. - -## Resources - -| Terraform Resource Type | Description | -| - | - | -| `azurerm_resource_group` | The resource group all the deployed resources.| -| `azurerm_virtual_wan` | The virtual wan for the virtual hub | -| `azurerm_virtual_hub` | The virtual hub for the firewall | -| `azurerm_virtual_hub_route_table` | The route table for the virtual hub | -| `azurerm_virtual_hub_connection` | The connection between the virtual hub and the virtual network spoke | -| `azurerm_public_ip` | The firewall public IP address and public access to the jump vm. | -| `azurerm_firewall_policy` | The policy associated to the Firewall | -| `azurerm_firewall_policy_rule_collection_group` | the rules collection group to add network and application rule collections for firewall policy | -| `azurerm_firewall` | The premium Azure Firewall. | -| `azurerm_virtual_network` | The virtual network for the firewall. | -| `azurerm_subnet` | The subnets for jump and workload vms. 
| -| `azurerm_network_interface` | The nics for the jump and workload vms | -| `azurerm_network_security_group` | The nsg for the jump and workload vms | -| `azurerm_network_interface_security_group_association` | The association between the nics and the nsgs | -| `azurerm_virtual_machine` | The jump and workload vms for testing | -| `azurerm_route_table` | The route table for the jump vms | -| `azurerm_subnet_route_table_association` | The association between the subnets and the route tables | -| `azurerm_virtual_hub_route_table` | The route table for the virtual hub | - -## Variables - -| Name | Description | -|-|-| -| `location` | location for your resources | -| `tags` | tags to organize your resources | -| `fw_sku` | Sku size for your Firewall and Firewall Policy | -| `vm_size` | Sku size for your jump and workload vms | -| `admin_username` | admin username for the jump and workload vms | -| `admin_password` | admin password for the jump and workload vms | - -## Example - -```powershell -Terraform used the selected providers to generate the following execution plan. 
Resource actions are indicated with the following symbols: - + create - -Terraform will perform the following actions: - - # azurerm_firewall.fw will be created - + resource "azurerm_firewall" "fw" { - + firewall_policy_id = (known after apply) - + id = (known after apply) - + location = "eastus" - + name = "fw-azfw-securehub-eus" - + resource_group_name = "rg-azfw-securehub-eus" - + sku_name = "AZFW_Hub" - + sku_tier = "Premium" - + tags = { - + "costcenter" = "1234556677" - + "environment" = "dev" - + "owner" = "cloud team" - + "workload" = "azure firewall" - } - + threat_intel_mode = (known after apply) - - + virtual_hub { - + private_ip_address = (known after apply) - + public_ip_addresses = (known after apply) - + public_ip_count = 1 - + virtual_hub_id = (known after apply) - } - } - - # azurerm_firewall_policy.azfw_policy will be created - + resource "azurerm_firewall_policy" "azfw_policy" { - + child_policies = (known after apply) - + firewalls = (known after apply) - + id = (known after apply) - + location = "eastus" - + name = "policy-azfw-securehub-eus" - + resource_group_name = "rg-azfw-securehub-eus" - + rule_collection_groups = (known after apply) - + sku = "Premium" - + tags = { - + "costcenter" = "1234556677" - + "environment" = "dev" - + "owner" = "cloud team" - + "workload" = "azure firewall" - } - + threat_intelligence_mode = "Alert" - } - - # azurerm_firewall_policy_rule_collection_group.app_policy_rule_collection_group will be created - + resource "azurerm_firewall_policy_rule_collection_group" "app_policy_rule_collection_group" { - + firewall_policy_id = (known after apply) - + id = (known after apply) - + name = "DefaulApplicationtRuleCollectionGroup" - + priority = 300 - - + application_rule_collection { - + action = "Allow" - + name = "DefaultApplicationRuleCollection" - + priority = 100 - - + rule { - + description = "Allow access to Microsoft.com" - + destination_fqdns = [ - + "*.microsoft.com", - ] - + name = "Allow-MSFT" - + 
source_addresses = [ - + "*", - ] - + terminate_tls = false - - + protocols { - + port = 443 - + type = "Https" - } - + protocols { - + port = 80 - + type = "Http" - } - } - } - } - - # azurerm_network_interface.vm_jump_nic will be created - + resource "azurerm_network_interface" "vm_jump_nic" { - + applied_dns_servers = (known after apply) - + dns_servers = (known after apply) - + enable_accelerated_networking = false - + enable_ip_forwarding = false - + id = (known after apply) - + internal_dns_name_label = (known after apply) - + internal_domain_name_suffix = (known after apply) - + location = "eastus" - + mac_address = (known after apply) - + name = "nic-jump" - + private_ip_address = (known after apply) - + private_ip_addresses = (known after apply) - + resource_group_name = "rg-azfw-securehub-eus" - + virtual_machine_id = (known after apply) - - + ip_configuration { - + gateway_load_balancer_frontend_ip_configuration_id = (known after apply) - + name = "ipconfig-jump" - + primary = (known after apply) - + private_ip_address = (known after apply) - + private_ip_address_allocation = "Dynamic" - + private_ip_address_version = "IPv4" - + public_ip_address_id = (known after apply) - + subnet_id = (known after apply) - } - } - - # azurerm_network_interface.vm_workload_nic will be created - + resource "azurerm_network_interface" "vm_workload_nic" { - + applied_dns_servers = (known after apply) - + dns_servers = (known after apply) - + enable_accelerated_networking = false - + enable_ip_forwarding = false - + id = (known after apply) - + internal_dns_name_label = (known after apply) - + internal_domain_name_suffix = (known after apply) - + location = "eastus" - + mac_address = (known after apply) - + name = "nic-workload" - + private_ip_address = (known after apply) - + private_ip_addresses = (known after apply) - + resource_group_name = "rg-azfw-securehub-eus" - + virtual_machine_id = (known after apply) - - + ip_configuration { - + 
gateway_load_balancer_frontend_ip_configuration_id = (known after apply) - + name = "ipconfig-workload" - + primary = (known after apply) - + private_ip_address = (known after apply) - + private_ip_address_allocation = "Dynamic" - + private_ip_address_version = "IPv4" - + subnet_id = (known after apply) - } - } - - # azurerm_network_interface_security_group_association.vm_jump_nsg_association will be created - + resource "azurerm_network_interface_security_group_association" "vm_jump_nsg_association" { - + id = (known after apply) - + network_interface_id = (known after apply) - + network_security_group_id = (known after apply) - } - - # azurerm_network_interface_security_group_association.vm_workload_nsg_association will be created - + resource "azurerm_network_interface_security_group_association" "vm_workload_nsg_association" { - + id = (known after apply) - + network_interface_id = (known after apply) - + network_security_group_id = (known after apply) - } - - # azurerm_network_security_group.vm_jump_nsg will be created - + resource "azurerm_network_security_group" "vm_jump_nsg" { - + id = (known after apply) - + location = "eastus" - + name = "nsg-jump" - + resource_group_name = "rg-azfw-securehub-eus" - + security_rule = [ - + { - + access = "Allow" - + description = "" - + destination_address_prefix = "*" - + destination_address_prefixes = [] - + destination_application_security_group_ids = [] - + destination_port_range = "3389" - + destination_port_ranges = [] - + direction = "Inbound" - + name = "Allow-RDP" - + priority = 300 - + protocol = "Tcp" - + source_address_prefix = "*" - + source_address_prefixes = [] - + source_application_security_group_ids = [] - + source_port_range = "*" - + source_port_ranges = [] - }, - ] - } - - # azurerm_network_security_group.vm_workload_nsg will be created - + resource "azurerm_network_security_group" "vm_workload_nsg" { - + id = (known after apply) - + location = "eastus" - + name = "nsg-workload" - + 
resource_group_name = "rg-azfw-securehub-eus" - + security_rule = (known after apply) - } - - # azurerm_public_ip.pip_azfw will be created - + resource "azurerm_public_ip" "pip_azfw" { - + allocation_method = "Static" - + ddos_protection_mode = "VirtualNetworkInherited" - + fqdn = (known after apply) - + id = (known after apply) - + idle_timeout_in_minutes = 4 - + ip_address = (known after apply) - + ip_version = "IPv4" - + location = "eastus" - + name = "pip-azfw-securehub-eus" - + resource_group_name = "rg-azfw-securehub-eus" - + sku = "Standard" - + sku_tier = "Regional" - + tags = { - + "costcenter" = "1234556677" - + "environment" = "dev" - + "owner" = "cloud team" - + "workload" = "azure firewall" - } - } - - # azurerm_public_ip.vm_jump_pip will be created - + resource "azurerm_public_ip" "vm_jump_pip" { - + allocation_method = "Static" - + ddos_protection_mode = "VirtualNetworkInherited" - + fqdn = (known after apply) - + id = (known after apply) - + idle_timeout_in_minutes = 4 - + ip_address = (known after apply) - + ip_version = "IPv4" - + location = "eastus" - + name = "pip-jump" - + resource_group_name = "rg-azfw-securehub-eus" - + sku = "Standard" - + sku_tier = "Regional" - + tags = { - + "costcenter" = "1234556677" - + "environment" = "dev" - + "owner" = "cloud team" - + "workload" = "azure firewall" - } - } - - # azurerm_resource_group.azfw_rg will be created - + resource "azurerm_resource_group" "azfw_rg" { - + id = (known after apply) - + location = "eastus" - + name = "rg-azfw-securehub-eus" - + tags = { - + "costcenter" = "1234556677" - + "environment" = "dev" - + "owner" = "cloud team" - + "workload" = "azure firewall" - } - } - - # azurerm_route_table.rt will be created - + resource "azurerm_route_table" "rt" { - + disable_bgp_route_propagation = false - + id = (known after apply) - + location = "eastus" - + name = "rt-azfw-securehub-eus" - + resource_group_name = "rg-azfw-securehub-eus" - + route = [ - + { - + address_prefix = "0.0.0.0/0" - + 
name = "jump-to-internet" - + next_hop_in_ip_address = "" - + next_hop_type = "Internet" - }, - ] - + subnets = (known after apply) - } - - # azurerm_subnet.jump_subnet will be created - + resource "azurerm_subnet" "jump_subnet" { - + address_prefixes = [ - + "10.10.2.0/24", - ] - + enforce_private_link_endpoint_network_policies = (known after apply) - + enforce_private_link_service_network_policies = (known after apply) - + id = (known after apply) - + name = "subnet-jump" - + private_endpoint_network_policies_enabled = (known after apply) - + private_link_service_network_policies_enabled = (known after apply) - + resource_group_name = "rg-azfw-securehub-eus" - + virtual_network_name = "vnet-azfw-securehub-eus" - } - - # azurerm_subnet.workload_subnet will be created - + resource "azurerm_subnet" "workload_subnet" { - + address_prefixes = [ - + "10.10.1.0/24", - ] - + enforce_private_link_endpoint_network_policies = (known after apply) - + enforce_private_link_service_network_policies = (known after apply) - + id = (known after apply) - + name = "subnet-workload" - + private_endpoint_network_policies_enabled = (known after apply) - + private_link_service_network_policies_enabled = (known after apply) - + resource_group_name = "rg-azfw-securehub-eus" - + virtual_network_name = "vnet-azfw-securehub-eus" - } - - # azurerm_subnet_route_table_association.jump_subnet_rt_association will be created - + resource "azurerm_subnet_route_table_association" "jump_subnet_rt_association" { - + id = (known after apply) - + route_table_id = (known after apply) - + subnet_id = (known after apply) - } - - # azurerm_virtual_hub.azfw_vwan_hub will be created - + resource "azurerm_virtual_hub" "azfw_vwan_hub" { - + address_prefix = "10.20.0.0/23" - + default_route_table_id = (known after apply) - + hub_routing_preference = "ExpressRoute" - + id = (known after apply) - + location = "eastus" - + name = "hub-azfw-securehub-eus" - + resource_group_name = "rg-azfw-securehub-eus" - + tags = 
{ - + "costcenter" = "1234556677" - + "environment" = "dev" - + "owner" = "cloud team" - + "workload" = "azure firewall" - } - + virtual_router_asn = (known after apply) - + virtual_router_auto_scale_min_capacity = 2 - + virtual_router_ips = (known after apply) - + virtual_wan_id = (known after apply) - } - - # azurerm_virtual_hub_connection.azfw_vwan_hub_connection will be created - + resource "azurerm_virtual_hub_connection" "azfw_vwan_hub_connection" { - + id = (known after apply) - + internet_security_enabled = true - + name = "hub-to-spoke" - + remote_virtual_network_id = (known after apply) - + virtual_hub_id = (known after apply) - - + routing { - + associated_route_table_id = (known after apply) - - + propagated_route_table { - + labels = [ - + "VNet", - ] - + route_table_ids = (known after apply) - } - } - } - - # azurerm_virtual_hub_route_table.vhub_rt will be created - + resource "azurerm_virtual_hub_route_table" "vhub_rt" { - + id = (known after apply) - + labels = [ - + "VNet", - ] - + name = "vhub-rt-azfw-securehub-eus" - + virtual_hub_id = (known after apply) - - + route { - + destinations = [ - + "0.0.0.0/0", - ] - + destinations_type = "CIDR" - + name = "InternetToFirewall" - + next_hop = (known after apply) - + next_hop_type = "ResourceId" - } - + route { - + destinations = [ - + "10.10.1.0/24", - ] - + destinations_type = "CIDR" - + name = "workload-SNToFirewall" - + next_hop = (known after apply) - + next_hop_type = "ResourceId" - } - } - - # azurerm_virtual_network.azfw_vnet will be created - + resource "azurerm_virtual_network" "azfw_vnet" { - + address_space = [ - + "10.10.0.0/16", - ] - + dns_servers = (known after apply) - + guid = (known after apply) - + id = (known after apply) - + location = "eastus" - + name = "vnet-azfw-securehub-eus" - + resource_group_name = "rg-azfw-securehub-eus" - + subnet = (known after apply) - + tags = { - + "costcenter" = "1234556677" - + "environment" = "dev" - + "owner" = "cloud team" - + "workload" = "azure 
firewall" - } - } - - # azurerm_virtual_wan.azfw_vwan will be created - + resource "azurerm_virtual_wan" "azfw_vwan" { - + allow_branch_to_branch_traffic = true - + disable_vpn_encryption = false - + id = (known after apply) - + location = "eastus" - + name = "vwan-azfw-securehub-eus" - + office365_local_breakout_category = "None" - + resource_group_name = "rg-azfw-securehub-eus" - + tags = { - + "costcenter" = "1234556677" - + "environment" = "dev" - + "owner" = "cloud team" - + "workload" = "azure firewall" - } - + type = "Standard" - } - - # azurerm_windows_virtual_machine.vm_jump will be created - + resource "azurerm_windows_virtual_machine" "vm_jump" { - + admin_password = (sensitive value) - + admin_username = "azureuser" - + allow_extension_operations = true - + bypass_platform_safety_checks_on_user_schedule_enabled = false - + computer_name = (known after apply) - + enable_automatic_updates = true - + extensions_time_budget = "PT1H30M" - + hotpatching_enabled = false - + id = (known after apply) - + location = "eastus" - + max_bid_price = -1 - + name = "jump-vm" - + network_interface_ids = (known after apply) - + patch_assessment_mode = "ImageDefault" - + patch_mode = "AutomaticByOS" - + platform_fault_domain = -1 - + priority = "Regular" - + private_ip_address = (known after apply) - + private_ip_addresses = (known after apply) - + provision_vm_agent = true - + public_ip_address = (known after apply) - + public_ip_addresses = (known after apply) - + resource_group_name = "rg-azfw-securehub-eus" - + size = "Standard_D2_v3" - + virtual_machine_id = (known after apply) - - + os_disk { - + caching = "ReadWrite" - + disk_size_gb = (known after apply) - + name = (known after apply) - + storage_account_type = "Standard_LRS" - + write_accelerator_enabled = false - } - - + source_image_reference { - + offer = "WindowsServer" - + publisher = "MicrosoftWindowsServer" - + sku = "2019-Datacenter" - + version = "latest" - } - } - - # 
azurerm_windows_virtual_machine.vm_workload will be created - + resource "azurerm_windows_virtual_machine" "vm_workload" { - + admin_password = (sensitive value) - + admin_username = "azureuser" - + allow_extension_operations = true - + bypass_platform_safety_checks_on_user_schedule_enabled = false - + computer_name = (known after apply) - + enable_automatic_updates = true - + extensions_time_budget = "PT1H30M" - + hotpatching_enabled = false - + id = (known after apply) - + location = "eastus" - + max_bid_price = -1 - + name = "workload-vm" - + network_interface_ids = (known after apply) - + patch_assessment_mode = "ImageDefault" - + patch_mode = "AutomaticByOS" - + platform_fault_domain = -1 - + priority = "Regular" - + private_ip_address = (known after apply) - + private_ip_addresses = (known after apply) - + provision_vm_agent = true - + public_ip_address = (known after apply) - + public_ip_addresses = (known after apply) - + resource_group_name = "rg-azfw-securehub-eus" - + size = "Standard_D2_v3" - + virtual_machine_id = (known after apply) - - + os_disk { - + caching = "ReadWrite" - + disk_size_gb = (known after apply) - + name = (known after apply) - + storage_account_type = "Standard_LRS" - + write_accelerator_enabled = false - } - - + source_image_reference { - + offer = "WindowsServer" - + publisher = "MicrosoftWindowsServer" - + sku = "2019-Datacenter" - + version = "latest" - } - } - -Plan: 23 to add, 0 to change, 0 to destroy. -`````` \ No newline at end of file diff --git a/quickstart/201-azfw-with-secure-hub/main.tf b/quickstart/201-azfw-with-secure-hub/main.tf deleted file mode 100644 index 46c99695..00000000 --- a/quickstart/201-azfw-with-secure-hub/main.tf +++ /dev/null 
@@ -1,370 +0,0 @@
-
-// Create a Resource Group
-resource "azurerm_resource_group" "azfw_rg" {
- name = "rg-azfw-securehub-eus"
- location = var.location
- tags = var.tags
-}
-
-// Create resources for Azure Virtual WAN
-// Create a Azure Vwan
-resource "azurerm_virtual_wan" "azfw_vwan" {
- name = "vwan-azfw-securehub-eus"
- location = azurerm_resource_group.azfw_rg.location
- resource_group_name = azurerm_resource_group.azfw_rg.name
- tags = azurerm_resource_group.azfw_rg.tags
- allow_branch_to_branch_traffic = true
- disable_vpn_encryption = false
- depends_on = [
- azurerm_resource_group.azfw_rg
- ]
-}
-
-// Create a Azure Vwan Hub
-resource "azurerm_virtual_hub" "azfw_vwan_hub" {
- name = "hub-azfw-securehub-eus"
- location = azurerm_resource_group.azfw_rg.location
- resource_group_name = azurerm_resource_group.azfw_rg.name
- virtual_wan_id = azurerm_virtual_wan.azfw_vwan.id
- address_prefix = "10.20.0.0/23"
- tags = azurerm_resource_group.azfw_rg.tags
- depends_on = [
- azurerm_virtual_wan.azfw_vwan
- ]
-}
-
-// Create a Azure VWan Hub Connection
-resource "azurerm_virtual_hub_connection" "azfw_vwan_hub_connection" {
- name = "hub-to-spoke"
- virtual_hub_id = azurerm_virtual_hub.azfw_vwan_hub.id
- remote_virtual_network_id = azurerm_virtual_network.azfw_vnet.id
- internet_security_enabled = true
- routing {
- associated_route_table_id = azurerm_virtual_hub_route_table.vhub_rt.id
- propagated_route_table {
- route_table_ids = [azurerm_virtual_hub_route_table.vhub_rt.id]
- labels = ["VNet"]
- }
- }
- depends_on = [
- azurerm_virtual_hub.azfw_vwan_hub,
- azurerm_virtual_network.azfw_vnet
- ]
-}
-
-// Create resources for Azure Firewall
-// Create a Public IP Address for Azure Firewall
-resource "azurerm_public_ip" "pip_azfw" {
- name = "pip-azfw-securehub-eus"
- location = azurerm_resource_group.azfw_rg.location
- resource_group_name = azurerm_resource_group.azfw_rg.name
- allocation_method = "Static"
- sku = "Standard"
- tags = azurerm_resource_group.azfw_rg.tags
- depends_on = [
- azurerm_resource_group.azfw_rg
- ]
-}
-
-// Create a Azure Firewall Policy
-resource "azurerm_firewall_policy" "azfw_policy" {
- name = "policy-azfw-securehub-eus"
- resource_group_name = azurerm_resource_group.azfw_rg.name
- location = azurerm_resource_group.azfw_rg.location
- sku = "Premium"
- threat_intelligence_mode = "Alert"
- tags = azurerm_resource_group.azfw_rg.tags
- depends_on = [
- azurerm_resource_group.azfw_rg
- ]
-}
-
-// Create a Azure Firewall Policy Rule Collection Group
-// Create a Application Rule Collection
-// Create rules for Windows Update
-// Create rules for Microsoft.com
-resource "azurerm_firewall_policy_rule_collection_group" "app_policy_rule_collection_group" {
- name = "DefaulApplicationtRuleCollectionGroup"
- firewall_policy_id = azurerm_firewall_policy.azfw_policy.id
- priority = 300
- application_rule_collection {
- name = "DefaultApplicationRuleCollection"
- action = "Allow"
- priority = 100
- rule {
- name = "Allow-MSFT"
- description = "Allow access to Microsoft.com"
- protocols {
- type = "Https"
- port = 443
- }
- protocols {
- type = "Http"
- port = 80
- }
- destination_fqdns = ["*.microsoft.com"]
- terminate_tls = false
- source_addresses = ["*"]
- }
- }
- depends_on = [
- azurerm_firewall_policy.azfw_policy
- ]
-}
-
-// Create the Azure Firewall
-resource "azurerm_firewall" "fw" {
- name = "fw-azfw-securehub-eus"
- location = azurerm_resource_group.azfw_rg.location
- resource_group_name = azurerm_resource_group.azfw_rg.name
- sku_name = "AZFW_Hub"
- sku_tier = var.fw_sku
- tags = azurerm_resource_group.azfw_rg.tags
- virtual_hub {
- virtual_hub_id = azurerm_virtual_hub.azfw_vwan_hub.id
- public_ip_count = 1
- }
- firewall_policy_id = azurerm_firewall_policy.azfw_policy.id
- depends_on = [
- azurerm_firewall_policy.azfw_policy,
- azurerm_virtual_hub.azfw_vwan_hub
- ]
-}
-
-// Create Virtual Network, Subnets, PIP, NICs, NSGs, and NIC-NSG associations
-// Create a Virtual Network
-resource "azurerm_virtual_network" "azfw_vnet" {
- name = "vnet-azfw-securehub-eus"
- location = azurerm_resource_group.azfw_rg.location
- resource_group_name = azurerm_resource_group.azfw_rg.name
- address_space = ["10.10.0.0/16"]
- tags = azurerm_resource_group.azfw_rg.tags
- depends_on = [
- azurerm_resource_group.azfw_rg
- ]
-}
-
-// Create a Subnet for Workload VMs
-resource "azurerm_subnet" "workload_subnet" {
- name = "subnet-workload"
- resource_group_name = azurerm_resource_group.azfw_rg.name
- virtual_network_name = azurerm_virtual_network.azfw_vnet.name
- address_prefixes = ["10.10.1.0/24"]
- depends_on = [
- azurerm_virtual_network.azfw_vnet
- ]
-}
-
-// Create a Subnet for Jump VM
-resource "azurerm_subnet" "jump_subnet" {
- name = "subnet-jump"
- resource_group_name = azurerm_resource_group.azfw_rg.name
- virtual_network_name = azurerm_virtual_network.azfw_vnet.name
- address_prefixes = ["10.10.2.0/24"]
-
- depends_on = [
- azurerm_virtual_network.azfw_vnet,
- azurerm_route_table.rt
- ]
-}
-
-// Create a NIC for Workload VM
-resource "azurerm_network_interface" "vm_workload_nic" {
- name = "nic-workload"
- location = azurerm_resource_group.azfw_rg.location
- resource_group_name = azurerm_resource_group.azfw_rg.name
-
- ip_configuration {
- name = "ipconfig-workload"
- subnet_id = azurerm_subnet.workload_subnet.id
- private_ip_address_allocation = "Dynamic"
- }
- depends_on = [
- azurerm_subnet.workload_subnet
- ]
-}
-
-// Create a PIP for Jump VM
-resource "azurerm_public_ip" "vm_jump_pip" {
- name = "pip-jump"
- location = azurerm_resource_group.azfw_rg.location
- resource_group_name = azurerm_resource_group.azfw_rg.name
- allocation_method = "Static"
- sku = "Standard"
- tags = azurerm_resource_group.azfw_rg.tags
- depends_on = [
- azurerm_resource_group.azfw_rg
- ]
-}
-
-// Create a NIC for Jump VM
-resource "azurerm_network_interface" "vm_jump_nic" {
- name = "nic-jump"
- location = azurerm_resource_group.azfw_rg.location
- resource_group_name = azurerm_resource_group.azfw_rg.name
-
- ip_configuration {
- name = "ipconfig-jump"
- subnet_id = azurerm_subnet.jump_subnet.id
- private_ip_address_allocation = "Dynamic"
- public_ip_address_id = azurerm_public_ip.vm_jump_pip.id
- }
- depends_on = [
- azurerm_subnet.jump_subnet,
- azurerm_public_ip.vm_jump_pip
- ]
-}
-
-// Create a NSG for Workload VM
-resource "azurerm_network_security_group" "vm_workload_nsg" {
- name = "nsg-workload"
- location = azurerm_resource_group.azfw_rg.location
- resource_group_name = azurerm_resource_group.azfw_rg.name
- depends_on = [
- azurerm_resource_group.azfw_rg
- ]
-}
-
-// Create a NSG for Jump VM
-resource "azurerm_network_security_group" "vm_jump_nsg" {
- name = "nsg-jump"
- location = azurerm_resource_group.azfw_rg.location
- resource_group_name = azurerm_resource_group.azfw_rg.name
- security_rule {
- name = "Allow-RDP"
- priority = 300
- direction = "Inbound"
- access = "Allow"
- protocol = "Tcp"
- source_port_range = "*"
- destination_port_range = "3389"
- source_address_prefix = "*"
- destination_address_prefix = "*"
- }
-
- depends_on = [
- azurerm_resource_group.azfw_rg
- ]
-}
-
-// Associate NSG for Workload VM NIC
-resource "azurerm_network_interface_security_group_association" "vm_workload_nsg_association" {
- network_interface_id = azurerm_network_interface.vm_workload_nic.id
- network_security_group_id = azurerm_network_security_group.vm_workload_nsg.id
- depends_on = [
- azurerm_network_interface.vm_workload_nic,
- azurerm_network_security_group.vm_workload_nsg
- ]
-}
-
-// Associate NSG for Jump VM NIC
-resource "azurerm_network_interface_security_group_association" "vm_jump_nsg_association" {
- network_interface_id = azurerm_network_interface.vm_jump_nic.id
- network_security_group_id = azurerm_network_security_group.vm_jump_nsg.id
- depends_on = [
- azurerm_network_interface.vm_jump_nic,
- azurerm_network_security_group.vm_jump_nsg
- ]
-}
-
-// Create Virtual Machines for testing
-// Create a Workload Virtual Machine
-resource "azurerm_windows_virtual_machine" "vm_workload" {
- name = "workload-vm"
- resource_group_name = azurerm_resource_group.azfw_rg.name
- location = azurerm_resource_group.azfw_rg.location
- size = var.vm_size
- admin_username = var.admin_username
- admin_password = var.admin_password
- network_interface_ids = [azurerm_network_interface.vm_workload_nic.id]
- os_disk {
- caching = "ReadWrite"
- storage_account_type = "Standard_LRS"
- }
- source_image_reference {
- publisher = "MicrosoftWindowsServer"
- offer = "WindowsServer"
- sku = "2019-Datacenter"
- version = "latest"
- }
- depends_on = [
- azurerm_network_interface.vm_workload_nic
- ]
-}
-
-// Create a Jump Virtual Machine
-resource "azurerm_windows_virtual_machine" "vm_jump" {
- name = "jump-vm"
- resource_group_name = azurerm_resource_group.azfw_rg.name
- location = azurerm_resource_group.azfw_rg.location
- size = var.vm_size
- admin_username = var.admin_username
- admin_password = var.admin_password
- network_interface_ids = [azurerm_network_interface.vm_jump_nic.id]
- os_disk {
- caching = "ReadWrite"
- storage_account_type = "Standard_LRS"
- }
- source_image_reference {
- publisher = "MicrosoftWindowsServer"
- offer = "WindowsServer"
- sku = "2019-Datacenter"
- version = "latest"
- }
- depends_on = [
- azurerm_network_interface.vm_jump_nic
- ]
-}
-
-// Create Routing for testing
-// Create a Route Table
-resource "azurerm_route_table" "rt" {
- name = "rt-azfw-securehub-eus"
- location = azurerm_resource_group.azfw_rg.location
- resource_group_name = azurerm_resource_group.azfw_rg.name
- disable_bgp_route_propagation = false
- route {
- name = "jump-to-internet"
- address_prefix = "0.0.0.0/0"
- next_hop_type = "Internet"
- }
- depends_on = [
- azurerm_resource_group.azfw_rg
- ]
-}
-
-// Associate Route Table to Jump VM Subnet
-resource "azurerm_subnet_route_table_association" "jump_subnet_rt_association" {
- subnet_id = azurerm_subnet.jump_subnet.id
- route_table_id = azurerm_route_table.rt.id
- depends_on = [
- azurerm_subnet.jump_subnet,
- azurerm_route_table.rt
- ]
-}
-
-// Creat a Virtual Hub Route Table
-resource "azurerm_virtual_hub_route_table" "vhub_rt" {
- name = "vhub-rt-azfw-securehub-eus"
- virtual_hub_id = azurerm_virtual_hub.azfw_vwan_hub.id
- route {
- name = "workload-SNToFirewall"
- destinations_type = "CIDR"
- destinations = ["10.10.1.0/24"]
- next_hop_type = "ResourceId"
- next_hop = azurerm_firewall.fw.id
- }
- route {
- name = "InternetToFirewall"
- destinations_type = "CIDR"
- destinations = ["0.0.0.0/0"]
- next_hop_type = "ResourceId"
- next_hop = azurerm_firewall.fw.id
- }
- labels = ["VNet"]
- depends_on = [
- azurerm_virtual_hub.azfw_vwan_hub,
- azurerm_firewall.fw
- ]
-}
-
diff --git a/quickstart/201-azfw-with-secure-hub/outputs.tf b/quickstart/201-azfw-with-secure-hub/outputs.tf
deleted file mode 100644
index 67ad7df3..00000000
--- a/quickstart/201-azfw-with-secure-hub/outputs.tf
+++ /dev/null
@@ -1,3 +0,0 @@
-output "rg_name" {
- value = azurerm_resource_group.azfw_rg.name
-}
\ No newline at end of file
diff --git a/quickstart/201-azfw-with-secure-hub/provider.tf b/quickstart/201-azfw-with-secure-hub/provider.tf
deleted file mode 100644
index 76b5065b..00000000
--- a/quickstart/201-azfw-with-secure-hub/provider.tf
+++ /dev/null
@@ -1,16 +0,0 @@
-terraform {
- required_providers {
- azurerm = {
- source = "hashicorp/azurerm"
- version = "3.69.0"
- }
- }
-}
-
-provider "azurerm" {
- features {
- resource_group {
- prevent_deletion_if_contains_resources = false // Set to True for Production
- }
- }
-}
diff --git a/quickstart/201-azfw-with-secure-hub/variables.tf b/quickstart/201-azfw-with-secure-hub/variables.tf
deleted file mode 100644
index fd29a859..00000000
--- a/quickstart/201-azfw-with-secure-hub/variables.tf
+++ /dev/null
@@ -1,30 +0,0 @@
-// Create Variables for Location and Tags
-variable "location" {
- default = "eastus"
-}
-variable "tags" {
- default = {
- environment = "dev"
- costcenter = "1234556677"
- owner = "cloud team"
- workload = "azure firewall"
- }
-}
-
-// Create Firewall Variables
-variable "fw_sku" {
- default = "Premium" # Valid values are Standard and Premium
-}
-
-// Create Virtual Machine Sku Size Variables
-variable "vm_size" {
- default = "Standard_D2_v3"
-}
-
-// Create Admin Username and Password
-variable "admin_username" {
- default = "azureuser"
-}
-variable "admin_password" {
- default = "P@ssw0rd1234!"
-}