From dcd3461cda75a9dc78011b7da7e240ad45ab89a7 Mon Sep 17 00:00:00 2001 From: cshea15 Date: Sat, 23 Sep 2023 15:42:30 -0400 Subject: [PATCH 01/11] creating new fw quickstart --- quickstart/201-azfw-with-ipgroups/main.tf | 277 ++++++++++++++++++ quickstart/201-azfw-with-ipgroups/outputs.tf | 7 + quickstart/201-azfw-with-ipgroups/provider.tf | 16 + quickstart/201-azfw-with-ipgroups/readme.md | 36 +++ .../201-azfw-with-ipgroups/variables.tf | 37 +++ 5 files changed, 373 insertions(+) create mode 100644 quickstart/201-azfw-with-ipgroups/main.tf create mode 100644 quickstart/201-azfw-with-ipgroups/outputs.tf create mode 100644 quickstart/201-azfw-with-ipgroups/provider.tf create mode 100644 quickstart/201-azfw-with-ipgroups/readme.md create mode 100644 quickstart/201-azfw-with-ipgroups/variables.tf diff --git a/quickstart/201-azfw-with-ipgroups/main.tf b/quickstart/201-azfw-with-ipgroups/main.tf new file mode 100644 index 00000000..cb4a1e9c --- /dev/null +++ b/quickstart/201-azfw-with-ipgroups/main.tf 
@@ -0,0 +1,277 @@ +resource "random_pet" "rg-name" { + prefix = var.resource_group_name_prefix +} + +resource "random_string" "storage_account_name" { + length = 8 + lower = true + numeric = false + special = false + upper = false +} + +resource "azurerm_resource_group" "rg" { + name = random_pet.rg-name.id + location = var.resource_group_location +} + +resource "azurerm_public_ip" "pip_azfw" { + name = "pip-azfw" + location = azurerm_resource_group.rg.location + resource_group_name = azurerm_resource_group.rg.name + allocation_method = "Static" + sku = "Standard" +} + +resource "azurerm_storage_account" "sa" { + name = random_string.storage_account_name.result + resource_group_name = azurerm_resource_group.rg.name + location = azurerm_resource_group.rg.location + account_tier = "Standard" + account_replication_type = "LRS" + account_kind = "StorageV2" +} + +resource "azurerm_firewall_policy" "azfw_policy" { + name = "azfw-policy" + resource_group_name = azurerm_resource_group.rg.name + location = azurerm_resource_group.rg.location + sku = var.firewall_sku_tier + threat_intelligence_mode = "Alert" +} + +resource "azurerm_firewall_policy_rule_collection_group" "net_policy_rule_collection_group" { + name = "DefaultNetworkRuleCollectionGroup" + firewall_policy_id = azurerm_firewall_policy.azfw_policy.id + priority = 200 + network_rule_collection { + name = "DefaultNetworkRuleCollection" + action = "Allow" + priority = 200 + rule { + name = "networkRule" + protocols = ["Any"] + destination_ip_groups = [azurerm_ip_group.ip_group_2.id] + destination_ports = ["90"] + source_ip_groups = [azurerm_ip_group.ip_group_1.id] + } + } +} + +resource "azurerm_firewall_policy_rule_collection_group" "app_policy_rule_collection_group" { + name = "DefaulApplicationtRuleCollectionGroup" + firewall_policy_id = azurerm_firewall_policy.azfw_policy.id + priority = 300 + application_rule_collection { + name = "DefaultApplicationRuleCollection" + action = "Allow" + priority = 500 + rule { + 
name = "SomeAppRule" + protocols { + type = "Http" + port = 8080 + } + source_ip_groups = [azurerm_ip_group.ip_group_1.id] + destination_fqdns = ["*bing.com"] + } + } +} + +resource "azurerm_firewall" "fw" { + name = "azfw" + location = azurerm_resource_group.rg.location + resource_group_name = azurerm_resource_group.rg.name + sku_name = "AZFW_VNet" + sku_tier = var.firewall_sku_tier + ip_configuration { + name = "azfw-ipconfig" + subnet_id = azurerm_subnet.azfw_subnet.id + public_ip_address_id = azurerm_public_ip.pip_azfw.id + } + firewall_policy_id = azurerm_firewall_policy.azfw_policy.id +} + +resource "azurerm_ip_group" "ip_group_1" { + name = "ip-group_1" + resource_group_name = azurerm_resource_group.rg.name + location = azurerm_resource_group.rg.location + cidrs = ["13.73.64.64/26", "13.73.208.128/25", "52.126.194.0/23"] +} +resource "azurerm_ip_group" "ip_group_2" { + name = "ip_group_2" + resource_group_name = azurerm_resource_group.rg.name + location = azurerm_resource_group.rg.location + cidrs = ["12.0.0.0/24", "13.9.0.0/24"] +} + +resource "azurerm_virtual_network" "azfw_vnet" { + name = "azfw-vnet" + location = azurerm_resource_group.rg.location + resource_group_name = azurerm_resource_group.rg.name + address_space = ["10.10.0.0/16"] +} + +resource "azurerm_subnet" "azfw_subnet" { + name = "AzureFirewallSubnet" + resource_group_name = azurerm_resource_group.rg.name + virtual_network_name = azurerm_virtual_network.azfw_vnet.name + address_prefixes = ["10.10.0.0/26"] +} + +resource "azurerm_subnet" "server_subnet" { + name = "subnet-workload" + resource_group_name = azurerm_resource_group.rg.name + virtual_network_name = azurerm_virtual_network.azfw_vnet.name + address_prefixes = ["10.10.1.0/24"] +} + +resource "azurerm_subnet" "jump_subnet" { + name = "subnet-jump" + resource_group_name = azurerm_resource_group.rg.name + virtual_network_name = azurerm_virtual_network.azfw_vnet.name + address_prefixes = ["10.10.2.0/24"] +} + +resource "azurerm_public_ip" 
"vm_jump_pip" { + name = "pip-jump" + location = azurerm_resource_group.rg.location + resource_group_name = azurerm_resource_group.rg.name + allocation_method = "Static" + sku = "Standard" +} + +resource "azurerm_network_interface" "vm_server_nic" { + name = "nic-server" + location = azurerm_resource_group.rg.location + resource_group_name = azurerm_resource_group.rg.name + + ip_configuration { + name = "ipconfig-workload" + subnet_id = azurerm_subnet.server_subnet.id + private_ip_address_allocation = "Dynamic" + } +} + +resource "azurerm_network_interface" "vm_jump_nic" { + name = "nic-jump" + location = azurerm_resource_group.rg.location + resource_group_name = azurerm_resource_group.rg.name + + ip_configuration { + name = "ipconfig-jump" + subnet_id = azurerm_subnet.jump_subnet.id + private_ip_address_allocation = "Dynamic" + public_ip_address_id = azurerm_public_ip.vm_jump_pip.id + } +} + +resource "azurerm_network_security_group" "vm_server_nsg" { + name = "nsg-server" + location = azurerm_resource_group.rg.location + resource_group_name = azurerm_resource_group.rg.name +} + +resource "azurerm_network_security_group" "vm_jump_nsg" { + name = "nsg-jump" + location = azurerm_resource_group.rg.location + resource_group_name = azurerm_resource_group.rg.name + security_rule { + name = "Allow-TCP" + priority = 1000 + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_range = "*" + destination_port_range = "22" + source_address_prefix = "*" + destination_address_prefix = "*" + } +} + +resource "azurerm_network_interface_security_group_association" "vm_server_nsg_association" { + network_interface_id = azurerm_network_interface.vm_server_nic.id + network_security_group_id = azurerm_network_security_group.vm_server_nsg.id +} + +resource "azurerm_network_interface_security_group_association" "vm_jump_nsg_association" { + network_interface_id = azurerm_network_interface.vm_jump_nic.id + network_security_group_id = 
azurerm_network_security_group.vm_jump_nsg.id +} + +resource "azurerm_linux_virtual_machine" "vm_server" { + name = "server-vm" + resource_group_name = azurerm_resource_group.rg.name + location = azurerm_resource_group.rg.location + size = var.virtual_machine_size + admin_username = var.admin_username + admin_password = random_password.password.result + disable_password_authentication = false + network_interface_ids = [azurerm_network_interface.vm_server_nic.id] + os_disk { + caching = "ReadWrite" + storage_account_type = "Standard_LRS" + } + source_image_reference { + publisher = "Canonical" + offer = "UbuntuServer" + sku = "18.04-LTS" + version = "latest" + } + boot_diagnostics { + storage_account_uri = azurerm_storage_account.sa.primary_blob_endpoint + } +} + +resource "azurerm_linux_virtual_machine" "vm_jump" { + name = "jump-vm" + resource_group_name = azurerm_resource_group.rg.name + location = azurerm_resource_group.rg.location + size = var.virtual_machine_size + admin_username = var.admin_username + admin_password = random_password.password.result + disable_password_authentication = false + network_interface_ids = [azurerm_network_interface.vm_jump_nic.id] + os_disk { + caching = "ReadWrite" + storage_account_type = "Standard_LRS" + } + source_image_reference { + publisher = "Canonical" + offer = "UbuntuServer" + sku = "18.04-LTS" + version = "latest" + } + boot_diagnostics { + storage_account_uri = azurerm_storage_account.sa.primary_blob_endpoint + } + computer_name = "JumpBox" + +} + +resource "azurerm_route_table" "rt" { + name = "rt-azfw-eus" + location = azurerm_resource_group.rg.location + resource_group_name = azurerm_resource_group.rg.name + disable_bgp_route_propagation = false + route { + name = "azfwDefaultRoute" + address_prefix = "0.0.0.0/0" + next_hop_type = "VirtualAppliance" + next_hop_in_ip_address = azurerm_firewall.fw.ip_configuration.0.private_ip_address + } +} + +resource "azurerm_subnet_route_table_association" 
"jump_subnet_rt_association" { + subnet_id = azurerm_subnet.server_subnet.id + route_table_id = azurerm_route_table.rt.id +} + +resource "random_password" "password" { + length = 20 + min_lower = 1 + min_upper = 1 + min_numeric = 1 + min_special = 1 + special = true +} diff --git a/quickstart/201-azfw-with-ipgroups/outputs.tf b/quickstart/201-azfw-with-ipgroups/outputs.tf new file mode 100644 index 00000000..3d6f89a1 --- /dev/null +++ b/quickstart/201-azfw-with-ipgroups/outputs.tf @@ -0,0 +1,7 @@ +output "resource_group_name" { + value = azurerm_resource_group.rg.name +} + +output "firewall_name" { + value = azurerm_firewall.fw.name +} \ No newline at end of file diff --git a/quickstart/201-azfw-with-ipgroups/provider.tf b/quickstart/201-azfw-with-ipgroups/provider.tf new file mode 100644 index 00000000..18eea7b7 --- /dev/null +++ b/quickstart/201-azfw-with-ipgroups/provider.tf @@ -0,0 +1,16 @@ +terraform { + required_providers { + azurerm = { + source = "hashicorp/azurerm" + version = "~>3.0" + } + random = { + source = "hashicorp/random" + version = "~>3.0" + } + } +} + +provider "azurerm" { + features {} +} diff --git a/quickstart/201-azfw-with-ipgroups/readme.md b/quickstart/201-azfw-with-ipgroups/readme.md new file mode 100644 index 00000000..8d9aec20 --- /dev/null +++ b/quickstart/201-azfw-with-ipgroups/readme.md 
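Review bot: The `nsg-jump` security rule opens inbound TCP 22 with `source_address_prefix = "*"` on a NIC that also carries a public IP, and both VMs set `disable_password_authentication = false`, so a password-only SSH login on the jump host is reachable from the entire internet. Restrict the source to the operator's range (e.g. add `variable "admin_source_cidr"` and use it as `source_address_prefix`) or put Azure Bastion in front of the jump host, and prefer key-based auth for a quickstart that people will copy. `random_password.password.result` is also persisted in plaintext in Terraform state, which the readme should call out so the state backend is treated as a secret store. The association `jump_subnet_rt_association` actually attaches the firewall default route to `azurerm_subnet.server_subnet`, so the name is misleading; renaming it `server_subnet_rt_association` makes clear that the jump subnet is intentionally not forced through the firewall. The `source_image_reference` pins `UbuntuServer` `18.04-LTS`, whose standard support has ended; a quickstart should reference a currently supported LTS image.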
@@ -0,0 +1,36 @@ +# Deploying Azure Firewall with IP Groups + +This template deploys an [Azure Firewall](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/firewall) with [IP Groups](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/ip_group) + +## Terraform resource types + +- [azurerm_resource_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) +- [azurerm_virtual_network](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_network) +- [azurerm_subnet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet) +- [azurerm_ip_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/ip_group) +- [azurerm_public_ip](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/public_ip) +- [azurerm_firewall_policy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/firewall_policy) +- [azurerm_firewall_policy_rule_collection_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/firewall_policy_rule_collection_group) +- [azurerm_firewall](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/firewall) +- [azurerm_network_interface](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_interface) +- [azurerm_network_security_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_security_group) +- [azurerm_network_interface_security_group_association](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_interface_security_group_association +- [azurerm_route_table](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/route_table) +- 
[azurerm_subnet_route_table_association](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet_route_table_association) +- [azurerm_linux_virtual_machine](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/linux_virtual_machine) +- [azurerm_storage_account](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account) +- [random_password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) +- [random_pet](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/pet) +- [random_string](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string)} + +## Variables + +| Name | Description | Default value | +|-|-|-| +| `resource_group_location` | location for your resources | eastus | +| `firewall_sku_tier` | Sku size for your Firewall and Firewall Policy | Premium | +| `resource_group_name_prefix` | Prefix for your resource group | rg | +| `virtual_machine_size` | Sku size for your jump and workload vms | Standard_D2_v3 | +| `admin_username` | admin username for the jump and workload vms | azureuser | + +## Example \ No newline at end of file diff --git a/quickstart/201-azfw-with-ipgroups/variables.tf b/quickstart/201-azfw-with-ipgroups/variables.tf new file mode 100644 index 00000000..2b836925 --- /dev/null +++ b/quickstart/201-azfw-with-ipgroups/variables.tf 
@@ -0,0 +1,37 @@ +variable "resource_group_location" { + type = string + description = "Location for all resources." + default = "eastus" +} + +variable "resource_group_name_prefix" { + type = string + description = "Prefix for the Resource Group Name that's combined with a random id so name is unique in your Azure subcription." + default = "rg" +} + +variable "firewall_sku_tier" { + type = string + description = "Firewall SKU." + default = "Premium" # Valid values are Standard and Premium + validation { + condition = contains(["Standard", "Premium"], var.firewall_sku_tier) + error_message = "The sku must be one of the following: Standard, Premium" + } +} + +variable "virtual_machine_size" { + type = string + description = "Size of the virtual machine." + default = "Standard_D2_v3" +} + +variable "admin_username" { + default = "azureuser" +} + +variable "storage_name" { + type = string + description = "value of the storage account name" + default = "azfwteststgacctipg" +} \ No newline at end of file From a242f2310bfafa9a00e5548d90bc6296b3f910f1 Mon Sep 17 00:00:00 2001 From: cshea15 Date: Sat, 23 Sep 2023 15:44:06 -0400 Subject: [PATCH 02/11] made changes --- quickstart/201-azfw-with-ipgroups/main.tf | 22 ++++++++++++---------- 1 file changed, 12 insertions(+), 10 deletions(-) diff --git a/quickstart/201-azfw-with-ipgroups/main.tf b/quickstart/201-azfw-with-ipgroups/main.tf index cb4a1e9c..3bdf6f8c 100644 --- a/quickstart/201-azfw-with-ipgroups/main.tf +++ b/quickstart/201-azfw-with-ipgroups/main.tf @@ -1,4 +1,4 @@ -resource "random_pet" "rg-name" { +resource "random_pet" "rg_name" { prefix = var.resource_group_name_prefix } 
@@ -10,8 +10,17 @@ resource "random_string" "storage_account_name" { upper = false } +resource "random_password" "password" { + length = 20 + min_lower = 1 + min_upper = 1 + min_numeric = 1 + min_special = 1 + special = true +} + resource "azurerm_resource_group" "rg" { - name = random_pet.rg-name.id + name = random_pet.rg_name.id location = var.resource_group_location } @@ -267,11 +276,4 @@ resource "azurerm_subnet_route_table_association" "jump_subnet_rt_association" { route_table_id = azurerm_route_table.rt.id } -resource "random_password" "password" { - length = 20 - min_lower = 1 - min_upper = 1 - min_numeric = 1 - min_special = 1 - special = true -} + From eda163c0f749d69b95be2e53eacefd526af71b25 Mon Sep 17 00:00:00 2001 From: cshea15 Date: Sun, 24 Sep 2023 20:38:46 -0400 Subject: [PATCH 03/11] update changes to file --- quickstart/201-azfw-with-ipgroups/main.tf | 64 +++++++++---------- quickstart/201-azfw-with-ipgroups/readme.md | 2 +- .../201-azfw-with-ipgroups/variables.tf | 6 -- 3 files changed, 30 insertions(+), 42 deletions(-) diff --git a/quickstart/201-azfw-with-ipgroups/main.tf b/quickstart/201-azfw-with-ipgroups/main.tf index 3bdf6f8c..4c645cd2 100644 --- a/quickstart/201-azfw-with-ipgroups/main.tf +++ b/quickstart/201-azfw-with-ipgroups/main.tf 
@@ -49,42 +49,36 @@ resource "azurerm_firewall_policy" "azfw_policy" { threat_intelligence_mode = "Alert" } -resource "azurerm_firewall_policy_rule_collection_group" "net_policy_rule_collection_group" { - name = "DefaultNetworkRuleCollectionGroup" - firewall_policy_id = azurerm_firewall_policy.azfw_policy.id - priority = 200 - network_rule_collection { - name = "DefaultNetworkRuleCollection" - action = "Allow" - priority = 200 - rule { - name = "networkRule" - protocols = ["Any"] - destination_ip_groups = [azurerm_ip_group.ip_group_2.id] - destination_ports = ["90"] - source_ip_groups = [azurerm_ip_group.ip_group_1.id] - } - } -} - -resource "azurerm_firewall_policy_rule_collection_group" "app_policy_rule_collection_group" { - name = "DefaulApplicationtRuleCollectionGroup" - firewall_policy_id = azurerm_firewall_policy.azfw_policy.id - priority = 300 - application_rule_collection { - name = "DefaultApplicationRuleCollection" - action = "Allow" - priority = 500 - rule { - name = "SomeAppRule" - protocols { - type = "Http" - port = 8080 +resource "azurerm_firewall_policy_rule_collection_group" "prcg" { + name = "prcg" + firewall_policy_id = azurerm_firewall_policy.azfw_policy.id + priority = 300 + application_rule_collection { + name = "app-rule-collection-1" + priority = 101 + action = "Allow" + rule { + name = "someAppRule" + protocols { + type = "Https" + port = 443 + } + destination_fqdns = [ "*bing.com" ] + source_ip_groups = [ azurerm_ip_group.ip_group_1.id ] + } + } + network_rule_collection { + name = "net-rule-collection-1" + priority = 200 + action = "Allow" + rule { + name = "someNetRule" + protocols = [ "TCP", "UDP", "ICMP" ] + source_ip_groups = [ azurerm_ip_group.ip_group_1.id ] + destination_ip_groups = [ azurerm_ip_group.ip_group_2.id ] + destination_ports = ["90"] } - source_ip_groups = [azurerm_ip_group.ip_group_1.id] - destination_fqdns = ["*bing.com"] } - } } resource "azurerm_firewall" "fw" { 
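Review bot: `destination_fqdns = ["*bing.com"]` in `someAppRule` is a wider wildcard than it looks: with no dot before the name it appears to match any FQDN that merely ends in `bing.com` (e.g. `evilbing.com`), and the same value is carried over unchanged from the old application rule. Use `"*.bing.com"` (plus `"bing.com"` as a second entry if the apex host is needed) so the allow-list covers only the intended domain. Separately, `someNetRule` combines `ICMP` with `destination_ports = ["90"]`; ICMP has no port concept, so if ICMP is really wanted it should be a separate rule with `destination_ports = ["*"]`, and otherwise `protocols = ["TCP", "UDP"]` is the honest rule. A brief comment on `prcg` explaining that `ip_group_1` is the allowed source and `ip_group_2` the allowed destination would help readers, since the readme's whole point is the IP-group usage.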
@@ -129,7 +123,7 @@ resource "azurerm_subnet" "azfw_subnet" { } resource "azurerm_subnet" "server_subnet" { - name = "subnet-workload" + name = "subnet-server" resource_group_name = azurerm_resource_group.rg.name virtual_network_name = azurerm_virtual_network.azfw_vnet.name address_prefixes = ["10.10.1.0/24"] diff --git a/quickstart/201-azfw-with-ipgroups/readme.md b/quickstart/201-azfw-with-ipgroups/readme.md index 8d9aec20..85a8b9a7 100644 --- a/quickstart/201-azfw-with-ipgroups/readme.md +++ b/quickstart/201-azfw-with-ipgroups/readme.md @@ -14,7 +14,7 @@ This template deploys an [Azure Firewall](https://registry.terraform.io/provider - [azurerm_firewall](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/firewall) - [azurerm_network_interface](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_interface) - [azurerm_network_security_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_security_group) -- [azurerm_network_interface_security_group_association](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_interface_security_group_association +- [azurerm_network_interface_security_group_association](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_interface_security_group_association) - [azurerm_route_table](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/route_table) - [azurerm_subnet_route_table_association](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet_route_table_association) - [azurerm_linux_virtual_machine](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/linux_virtual_machine) diff --git a/quickstart/201-azfw-with-ipgroups/variables.tf b/quickstart/201-azfw-with-ipgroups/variables.tf index 2b836925..a855798d 100644 --- a/quickstart/201-azfw-with-ipgroups/variables.tf 
+++ b/quickstart/201-azfw-with-ipgroups/variables.tf @@ -28,10 +28,4 @@ variable "virtual_machine_size" { variable "admin_username" { default = "azureuser" -} - -variable "storage_name" { - type = string - description = "value of the storage account name" - default = "azfwteststgacctipg" } \ No newline at end of file From e0c258c3d7e56af81f265b8f8c73ea5bd6a4b51e Mon Sep 17 00:00:00 2001 From: cshea15 Date: Mon, 25 Sep 2023 13:48:04 -0400 Subject: [PATCH 04/11] update readme --- quickstart/201-azfw-with-ipgroups/readme.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/quickstart/201-azfw-with-ipgroups/readme.md b/quickstart/201-azfw-with-ipgroups/readme.md index 85a8b9a7..4144340f 100644 --- a/quickstart/201-azfw-with-ipgroups/readme.md +++ b/quickstart/201-azfw-with-ipgroups/readme.md @@ -1,6 +1,6 @@ # Deploying Azure Firewall with IP Groups -This template deploys an [Azure Firewall](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/firewall) with [IP Groups](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/ip_group) +This template deploys an [Azure Firewall](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/firewall) with [IP Groups](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/ip_group) used in a network rule and application rule. An IP Group is a top-level resource that allows you to define and group IP addresses, ranges, and subnets into a single object. IP Group is useful for managing IP addresses in Azure Firewall rules. ## Terraform resource types From 757c9646ae7743673c2695547afe2ce2306d10c0 Mon Sep 17 00:00:00 2001 
From: cshea15 Date: Tue, 3 Oct 2023 09:44:43 -0400 Subject: [PATCH 05/11] made minor changes --- quickstart/201-azfw-with-ipgroups/main.tf | 2 +- quickstart/201-azfw-with-ipgroups/readme.md | 12 ++++++------ quickstart/201-azfw-with-ipgroups/variables.tf | 2 ++ 3 files changed, 9 insertions(+), 7 deletions(-)
diff --git a/quickstart/201-azfw-with-ipgroups/main.tf b/quickstart/201-azfw-with-ipgroups/main.tf
index 4c645cd2..7cae00ea 100644
--- a/quickstart/201-azfw-with-ipgroups/main.tf
+++ b/quickstart/201-azfw-with-ipgroups/main.tf
@@ -261,7 +261,7 @@ resource "azurerm_route_table" "rt" {
 name = "azfwDefaultRoute"
 address_prefix = "0.0.0.0/0"
 next_hop_type = "VirtualAppliance"
- next_hop_in_ip_address = azurerm_firewall.fw.ip_configuration.0.private_ip_address
+ next_hop_in_ip_address = azurerm_firewall.fw.ip_configuration[0].private_ip_address
 }
 }
diff --git a/quickstart/201-azfw-with-ipgroups/readme.md b/quickstart/201-azfw-with-ipgroups/readme.md
index 4144340f..360db8d9 100644
--- a/quickstart/201-azfw-with-ipgroups/readme.md
+++ b/quickstart/201-azfw-with-ipgroups/readme.md
@@ -21,16 +21,16 @@ This template deploys an [Azure Firewall](https://registry.terraform.io/provider - [azurerm_storage_account](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account) - [random_password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) - [random_pet](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/pet) -- [random_string](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string)} +- [random_string](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) ## Variables | Name | Description | Default value | |-|-|-| -| `resource_group_location` | location for your resources | eastus | -| `firewall_sku_tier` | Sku size for your Firewall and Firewall Policy | Premium | -| `resource_group_name_prefix` | Prefix for your resource group | rg | -| `virtual_machine_size` | Sku size for your jump and workload vms | Standard_D2_v3 | -| `admin_username` | admin username for the jump and workload vms | azureuser | +| `resource_group_location` | The location of the resource group. | eastus | +| `firewall_sku_tier` | the sku size for your Firewall and Firewall Policy. | Possible values: Standard, Premium | +| `resource_group_name_prefix` | The prefix of the resource group name that's combined with a random ID so that name is unique in your Azure subscription. | rg | +| `virtual_machine_size` | The sku size for your jump and workload VMs. | Standard_D2_v3 | +| `admin_username` | The admin username for the jump and workload VMs. | azureuser | ## Example \ No newline at end of file diff --git a/quickstart/201-azfw-with-ipgroups/variables.tf b/quickstart/201-azfw-with-ipgroups/variables.tf index a855798d..fd409122 100644 --- a/quickstart/201-azfw-with-ipgroups/variables.tf +++ b/quickstart/201-azfw-with-ipgroups/variables.tf 
@@ -27,5 +27,7 @@ variable "virtual_machine_size" { } variable "admin_username" { + type = string + description = "value of the admin username." default = "azureuser" } \ No newline at end of file From e80ace340dee7107494fa433d988b88ce707cfd2 Mon Sep 17 00:00:00 2001 From: cshea15 Date: Tue, 3 Oct 2023 17:12:10 -0400 Subject: [PATCH 06/11] updating readme --- quickstart/201-azfw-with-ipgroups/readme.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/quickstart/201-azfw-with-ipgroups/readme.md b/quickstart/201-azfw-with-ipgroups/readme.md index 360db8d9..c1c78059 100644 --- a/quickstart/201-azfw-with-ipgroups/readme.md +++ b/quickstart/201-azfw-with-ipgroups/readme.md @@ -27,10 +27,10 @@ This template deploys an [Azure Firewall](https://registry.terraform.io/provider | Name | Description | Default value | |-|-|-| -| `resource_group_location` | The location of the resource group. | eastus | -| `firewall_sku_tier` | the sku size for your Firewall and Firewall Policy. | Possible values: Standard, Premium | -| `resource_group_name_prefix` | The prefix of the resource group name that's combined with a random ID so that name is unique in your Azure subscription. | rg | -| `virtual_machine_size` | The sku size for your jump and workload VMs. | Standard_D2_v3 | -| `admin_username` | The admin username for the jump and workload VMs. | azureuser | +| `resource_group_location` | Location of the resource group | eastus | +| `firewall_sku_tier` | SKU size for your Firewall and Firewall Policy. Possible values: Standard, Premium | Premium | +| `resource_group_name_prefix` | Prefix of the resource group name that's combined with a random ID so that name is unique in your Azure subscription. | rg | +| `virtual_machine_size` | SKU size for your jump and workload VMs | Standard_D2_v3 | +| `admin_username` | THe admin username for the jump and workload VMs | azureuser | ## Example \ No newline at end of file 
From d389b6df65625a82331e2d580de3c5b5b9563f33 Mon Sep 17 00:00:00 2001 From: cshea15 Date: Wed, 4 Oct 2023 09:38:56 -0400 Subject: [PATCH 07/11] chang to main.tf --- quickstart/201-azfw-with-ipgroups/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/quickstart/201-azfw-with-ipgroups/main.tf b/quickstart/201-azfw-with-ipgroups/main.tf
index 7cae00ea..6060d129 100644
--- a/quickstart/201-azfw-with-ipgroups/main.tf
+++ b/quickstart/201-azfw-with-ipgroups/main.tf
@@ -180,7 +180,7 @@ resource "azurerm_network_security_group" "vm_jump_nsg" {
 location = azurerm_resource_group.rg.location
 resource_group_name = azurerm_resource_group.rg.name
 security_rule {
- name = "Allow-TCP"
+ name = "Allow-SSH"
 priority = 1000
 direction = "Inbound"
 access = "Allow" From e25785c539729f589681637c90e3361324297ed4 Mon Sep 17 00:00:00 2001 From: cshea15 Date: Wed, 4 Oct 2023 15:00:02 -0400 Subject: [PATCH 08/11] update providers.tf --- quickstart/201-azfw-with-ipgroups/{provider.tf => providers.tf} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename quickstart/201-azfw-with-ipgroups/{provider.tf => providers.tf} (100%)
diff --git a/quickstart/201-azfw-with-ipgroups/provider.tf b/quickstart/201-azfw-with-ipgroups/providers.tf
similarity index 100% rename from quickstart/201-azfw-with-ipgroups/provider.tf rename to quickstart/201-azfw-with-ipgroups/providers.tf From deee58f798f68c733c5bb1e9650ad5e9160d0ab9 Mon Sep 17 00:00:00 2001 From: cshea15 Date: Thu, 5 Oct 2023 16:52:15 -0400 Subject: [PATCH 09/11] add ssh key to module --- quickstart/201-azfw-with-ipgroups/main.tf | 78 ++++++++++--------- .../201-azfw-with-ipgroups/providers.tf | 4 + quickstart/201-azfw-with-ipgroups/readme.md | 4 +- quickstart/201-azfw-with-ipgroups/ssh.tf | 25 ++++++ .../201-azfw-with-ipgroups/variables.tf | 4 +- 5 files changed, 74 insertions(+), 41 deletions(-) create mode 100644 quickstart/201-azfw-with-ipgroups/ssh.tf
diff --git a/quickstart/201-azfw-with-ipgroups/main.tf b/quickstart/201-azfw-with-ipgroups/main.tf index 6060d129..dde9749a 100644 --- a/quickstart/201-azfw-with-ipgroups/main.tf +++ b/quickstart/201-azfw-with-ipgroups/main.tf @@ -50,35 +50,35 @@ resource "azurerm_firewall_policy" "azfw_policy" { } resource "azurerm_firewall_policy_rule_collection_group" "prcg" { - name = "prcg" - firewall_policy_id = azurerm_firewall_policy.azfw_policy.id - priority = 300 - application_rule_collection { - name = "app-rule-collection-1" - priority = 101 - action = "Allow" - rule { - name = "someAppRule" - protocols { - type = "Https" - port = 443 - } - destination_fqdns = [ "*bing.com" ] - source_ip_groups = [ azurerm_ip_group.ip_group_1.id ] + name = "prcg" + firewall_policy_id = azurerm_firewall_policy.azfw_policy.id + priority = 300 + application_rule_collection { + name = "app-rule-collection-1" + priority = 101 + action = "Allow" + rule { + name = "someAppRule" + protocols { + type = "Https" + port = 443 } + destination_fqdns = ["*bing.com"] + source_ip_groups = [azurerm_ip_group.ip_group_1.id] } - network_rule_collection { - name = "net-rule-collection-1" - priority = 200 - action = "Allow" - rule { - name = "someNetRule" - protocols = [ "TCP", "UDP", "ICMP" ] - source_ip_groups = [ azurerm_ip_group.ip_group_1.id ] - destination_ip_groups = [ azurerm_ip_group.ip_group_2.id ] - destination_ports = ["90"] - } + } + network_rule_collection { + name = "net-rule-collection-1" + priority = 200 + action = "Allow" + rule { + name = "someNetRule" + protocols = ["TCP", "UDP", "ICMP"] + source_ip_groups = [azurerm_ip_group.ip_group_1.id] + destination_ip_groups = [azurerm_ip_group.ip_group_2.id] + destination_ports = ["90"] } + } } resource "azurerm_firewall" "fw" { 
@@ -184,7 +184,7 @@ resource "azurerm_network_security_group" "vm_jump_nsg" { priority = 1000 direction = "Inbound" access = "Allow" - protocol = "Tcp" + protocol = "SSH" source_port_range = "*" destination_port_range = "22" source_address_prefix = "*" @@ -208,8 +208,10 @@ resource "azurerm_linux_virtual_machine" "vm_server" { location = azurerm_resource_group.rg.location size = var.virtual_machine_size admin_username = var.admin_username - admin_password = random_password.password.result - disable_password_authentication = false + admin_ssh_key { + username = var.admin_username + public_key = jsondecode(azapi_resource_action.ssh_public_key_gen.output).publicKey + } network_interface_ids = [azurerm_network_interface.vm_server_nic.id] os_disk { caching = "ReadWrite" @@ -227,18 +229,20 @@ resource "azurerm_linux_virtual_machine" "vm_server" { } resource "azurerm_linux_virtual_machine" "vm_jump" { - name = "jump-vm" - resource_group_name = azurerm_resource_group.rg.name - location = azurerm_resource_group.rg.location - size = var.virtual_machine_size - admin_username = var.admin_username - admin_password = random_password.password.result - disable_password_authentication = false - network_interface_ids = [azurerm_network_interface.vm_jump_nic.id] + name = "jump-vm" + resource_group_name = azurerm_resource_group.rg.name + location = azurerm_resource_group.rg.location + size = var.virtual_machine_size + network_interface_ids = [azurerm_network_interface.vm_jump_nic.id] + admin_username = var.admin_username os_disk { caching = "ReadWrite" storage_account_type = "Standard_LRS" } + admin_ssh_key { + username = var.admin_username + public_key = jsondecode(azapi_resource_action.ssh_public_key_gen.output).publicKey + } source_image_reference { publisher = "Canonical" offer = "UbuntuServer" diff --git a/quickstart/201-azfw-with-ipgroups/providers.tf b/quickstart/201-azfw-with-ipgroups/providers.tf index 18eea7b7..3b06585f 100644 
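Review bot: In the `vm_server` hunk the `admin_password` and `disable_password_authentication = false` lines are replaced by an `admin_ssh_key` block, which makes the VM key-only, but the `random_password.password` resource those lines referenced is not removed anywhere in this commit; if it is still declared it is now an unused secret kept in Terraform state and should be deleted. The same applies to the `vm_jump` hunk. The `jsondecode(azapi_resource_action.ssh_public_key_gen.output).publicKey` expression is now duplicated in both VMs; a `locals { ssh_public_key = jsondecode(azapi_resource_action.ssh_public_key_gen.output).publicKey }` block would give it a single name and one place to change. Both VM resource blocks end outside their hunks.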
--- a/quickstart/201-azfw-with-ipgroups/providers.tf +++ b/quickstart/201-azfw-with-ipgroups/providers.tf @@ -8,6 +8,10 @@ terraform { source = "hashicorp/random" version = "~>3.0" } + azapi = { + source = "azure/azapi" + version = "~>1.5" + } } } diff --git a/quickstart/201-azfw-with-ipgroups/readme.md b/quickstart/201-azfw-with-ipgroups/readme.md index c1c78059..36f7237b 100644 --- a/quickstart/201-azfw-with-ipgroups/readme.md +++ b/quickstart/201-azfw-with-ipgroups/readme.md @@ -29,8 +29,8 @@ This template deploys an [Azure Firewall](https://registry.terraform.io/provider |-|-|-| | `resource_group_location` | Location of the resource group | eastus | | `firewall_sku_tier` | SKU size for your Firewall and Firewall Policy. Possible values: Standard, Premium | Premium | -| `resource_group_name_prefix` | Prefix of the resource group name that's combined with a random ID so that name is unique in your Azure subscription. | rg | +| `resource_group_name_prefix` | Prefix of the resource group name that's combined with a random ID so that name is unique in your Azure subscription. | rg | | `virtual_machine_size` | SKU size for your jump and workload VMs | Standard_D2_v3 | -| `admin_username` | THe admin username for the jump and workload VMs | azureuser | +| `admin_username` | The admin username for the jump and workload VMs | azureuser | ## Example \ No newline at end of file diff --git a/quickstart/201-azfw-with-ipgroups/ssh.tf b/quickstart/201-azfw-with-ipgroups/ssh.tf new file mode 100644 index 00000000..fcdb482b --- /dev/null +++ b/quickstart/201-azfw-with-ipgroups/ssh.tf 
@@ -0,0 +1,25 @@ +resource "random_pet" "ssh_key_name" { + prefix = "ssh" + separator = "" +} + +resource "azapi_resource_action" "ssh_public_key_gen" { + type = "Microsoft.Compute/sshPublicKeys@2022-11-01" + resource_id = azapi_resource.ssh_public_key.id + action = "generateKeyPair" + method = "POST" + + response_export_values = ["publicKey", "privateKey"] +} + +resource "azapi_resource" "ssh_public_key" { + type = "Microsoft.Compute/sshPublicKeys@2022-11-01" + name = random_pet.ssh_key_name.id + location = azurerm_resource_group.rg.location + parent_id = azurerm_resource_group.rg.id +} + +output "key_data" { + value = jsondecode(azapi_resource_action.ssh_public_key_gen.output).publicKey +} + diff --git a/quickstart/201-azfw-with-ipgroups/variables.tf b/quickstart/201-azfw-with-ipgroups/variables.tf index fd409122..11c23c95 100644 --- a/quickstart/201-azfw-with-ipgroups/variables.tf +++ b/quickstart/201-azfw-with-ipgroups/variables.tf @@ -27,7 +27,7 @@ variable "virtual_machine_size" { } variable "admin_username" { - type = string + type = string description = "value of the admin username." - default = "azureuser" + default = "azureuser" } \ No newline at end of file From e24feee41af5980c26ecfa97c2d05c2679516446 Mon Sep 17 00:00:00 2001 From: cshea15 Date: Thu, 5 Oct 2023 16:54:59 -0400 Subject: [PATCH 10/11] formatting --- quickstart/201-azfw-with-ipgroups/main.tf | 12 ++++++------ quickstart/201-azfw-with-ipgroups/variables.tf | 4 ++-- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/quickstart/201-azfw-with-ipgroups/main.tf b/quickstart/201-azfw-with-ipgroups/main.tf index dde9749a..5da8605d 100644 --- a/quickstart/201-azfw-with-ipgroups/main.tf +++ b/quickstart/201-azfw-with-ipgroups/main.tf 
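Review bot: `response_export_values = ["publicKey", "privateKey"]` on `ssh_public_key_gen` stores the generated private key in plaintext in Terraform state, while nothing in this file hands it to the user — the only output, `key_data`, is the public key. Either drop `"privateKey"` from the export list if the key is retrieved another way, or expose it deliberately with `output "private_key" { value = jsondecode(azapi_resource_action.ssh_public_key_gen.output).privateKey  sensitive = true }` and state in the readme that the state backend must be access-controlled because it holds the key. A short header comment such as `# Generates an SSH key pair in Azure; the private key is only recoverable from Terraform state` would make that trade-off visible to quickstart users.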
@@ -203,16 +203,16 @@ resource "azurerm_network_interface_security_group_association" "vm_jump_nsg_ass } resource "azurerm_linux_virtual_machine" "vm_server" { - name = "server-vm" - resource_group_name = azurerm_resource_group.rg.name - location = azurerm_resource_group.rg.location - size = var.virtual_machine_size - admin_username = var.admin_username + name = "server-vm" + resource_group_name = azurerm_resource_group.rg.name + location = azurerm_resource_group.rg.location + size = var.virtual_machine_size + admin_username = var.admin_username admin_ssh_key { username = var.admin_username public_key = jsondecode(azapi_resource_action.ssh_public_key_gen.output).publicKey } - network_interface_ids = [azurerm_network_interface.vm_server_nic.id] + network_interface_ids = [azurerm_network_interface.vm_server_nic.id] os_disk { caching = "ReadWrite" storage_account_type = "Standard_LRS" diff --git a/quickstart/201-azfw-with-ipgroups/variables.tf b/quickstart/201-azfw-with-ipgroups/variables.tf index 11c23c95..549583d2 100644 --- a/quickstart/201-azfw-with-ipgroups/variables.tf +++ b/quickstart/201-azfw-with-ipgroups/variables.tf @@ -16,7 +16,7 @@ variable "firewall_sku_tier" { default = "Premium" # Valid values are Standard and Premium validation { condition = contains(["Standard", "Premium"], var.firewall_sku_tier) - error_message = "The sku must be one of the following: Standard, Premium" + error_message = "The SKU must be one of the following: Standard, Premium" } } @@ -28,6 +28,6 @@ variable "virtual_machine_size" { variable "admin_username" { type = string - description = "value of the admin username." + description = "Value of the admin username." default = "azureuser" } \ No newline at end of file From 708dbf9f80bfb5d175536129ddbc8c1c9e2aaeed Mon Sep 17 00:00:00 2001 From: cshea15 Date: Thu, 5 Oct 2023 17:00:51 -0400 Subject: [PATCH 11/11] fixed nsg protocol error --- quickstart/201-azfw-with-ipgroups/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/quickstart/201-azfw-with-ipgroups/main.tf b/quickstart/201-azfw-with-ipgroups/main.tf
index 5da8605d..68d506a0 100644
--- a/quickstart/201-azfw-with-ipgroups/main.tf
+++ b/quickstart/201-azfw-with-ipgroups/main.tf
@@ -184,7 +184,7 @@ resource "azurerm_network_security_group" "vm_jump_nsg" {
 priority = 1000
 direction = "Inbound"
 access = "Allow"
- protocol = "SSH"
+ protocol = "Tcp"
 source_port_range = "*"
 destination_port_range = "22"
 source_address_prefix = "*"
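Review bot: The protocol fix is correct, but the rule still combines `source_address_prefix = "*"` with `destination_port_range = "22"`, so the jump VM's NSG admits SSH from any address; for a quickstart that users copy, the source should be narrowed to the operator's own range, e.g. `source_address_prefix = var.allowed_ssh_source_prefix` backed by a new variable in variables.tf whose purpose is documented in the readme. Whether the jump VM also carries a public IP is not visible in this hunk. The enclosing security_rule and vm_jump_nsg blocks start and end outside the hunk.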