adding azfw quickstarts

This commit is contained in:
Charles Shea
2023-08-22 19:02:39 -04:00
parent d1b9572df1
commit ed29f3c468
10 changed files with 1382 additions and 0 deletions


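--- /dev/null
+++ b/readme.md
@@ -0,0 +1,230 @@
+# Deploy Azure Firewall and a Firewall Policy
+This template deploys an Azure Firewall and a Firewall Policy. The Firewall Policy is associated to the Firewall.
+## Resources
+| Terraform Resource Type | Description |
+| - | - |
+| `azurerm_resource_group` | The resource group all the deployed resources.|
+| `azurerm_virtual_network` | The virtual network for the firewall. |
+| `azurerm_subnet` |The firewall subnet.|
+| `azurerm_public_ip` | The firewall public IP address. |
+| `azurerm_firewall` | The premium Azure Firewall. |
+| `azurerm_firewall_policy` | The policy associated to the Firewall |
+| `azurerm_firewall_policy_rule_collection_group` | the rules collection group for firewall policy |
+| `azurerm_ip_group` | The IP group for source addresses. |
+## Variables
+| Name | Description |
+|-|-|
+| `location` | location for your resources |
+| `tags` | tags to organize your resources |
+| `fw_sku` | Sku size for your Firewall and Firewall Policy |
+## Example
+```powershell
+terraform plan -out main.tfplan
+# azurerm_firewall.fw will be created
++ resource "azurerm_firewall" "fw" {
++ firewall_policy_id = (known after apply)
++ id = (known after apply)
++ location = "eastus"
++ name = "azfw"
++ resource_group_name = "azfw-rg"
++ sku_name = "AZFW_VNet"
++ sku_tier = "Premium"
++ threat_intel_mode = (known after apply)
++ ip_configuration {
++ name = "azfw-ipconfig"
++ private_ip_address = (known after apply)
++ public_ip_address_id = (known after apply)
++ subnet_id = (known after apply)
+}
+}
+# azurerm_firewall_policy.azfw_policy will be created
++ resource "azurerm_firewall_policy" "azfw_policy" {
++ child_policies = (known after apply)
++ firewalls = (known after apply)
++ id = (known after apply)
++ location = "eastus"
++ name = "azfw-policy"
++ resource_group_name = "azfw-rg"
++ rule_collection_groups = (known after apply)
++ sku = "Premium"
++ threat_intelligence_mode = "Alert"
+}
+# azurerm_firewall_policy_rule_collection_group.app_policy_rule_collection_group will be created
++ resource "azurerm_firewall_policy_rule_collection_group" "app_policy_rule_collection_group" {
++ firewall_policy_id = (known after apply)
++ id = (known after apply)
++ name = "DefaulApplicationtRuleCollectionGroup"
++ priority = 300
++ application_rule_collection {
++ action = "Allow"
++ name = "DefaultApplicationRuleCollection"
++ priority = 500
++ rule {
++ description = "Allow Windows Update"
++ destination_fqdn_tags = [
++ "WindowsUpdate",
+]
++ name = "AllowWindowsUpdate"
++ source_ip_groups = (known after apply)
++ protocols {
++ port = 80
++ type = "Http"
+}
++ protocols {
++ port = 443
++ type = "Https"
+}
+}
++ rule {
++ description = "Allow access to Microsoft.com"
++ destination_fqdns = [
++ "*.microsoft.com",
+]
++ name = "Global Rule"
++ source_ip_groups = (known after apply)
++ terminate_tls = false
++ protocols {
++ port = 443
++ type = "Https"
+}
+}
+}
+}
+# azurerm_firewall_policy_rule_collection_group.net_policy_rule_collection_group will be created
++ resource "azurerm_firewall_policy_rule_collection_group" "net_policy_rule_collection_group" {
++ firewall_policy_id = (known after apply)
++ id = (known after apply)
++ name = "DefaultNetworkRuleCollectionGroup"
++ priority = 200
++ network_rule_collection {
++ action = "Allow"
++ name = "DefaultNetworkRuleCollection"
++ priority = 200
++ rule {
++ destination_addresses = [
++ "132.86.101.172",
+]
++ destination_ports = [
++ "123",
+]
++ name = "time-windows"
++ protocols = [
++ "UDP",
+]
++ source_ip_groups = (known after apply)
+}
+}
+}
+# azurerm_ip_group.infra_ip_group will be created
++ resource "azurerm_ip_group" "infra_ip_group" {
++ cidrs = [
++ "10.40.0.0/24",
++ "10.50.0.0/24",
+]
++ firewall_ids = (known after apply)
++ firewall_policy_ids = (known after apply)
++ id = (known after apply)
++ location = "eastus"
++ name = "infra-ip-group"
++ resource_group_name = "azfw-rg"
+}
+# azurerm_ip_group.workload_ip_group will be created
++ resource "azurerm_ip_group" "workload_ip_group" {
++ cidrs = [
++ "10.20.0.0/24",
++ "10.30.0.0/24",
+]
++ firewall_ids = (known after apply)
++ firewall_policy_ids = (known after apply)
++ id = (known after apply)
++ location = "eastus"
++ name = "workload-ip-group"
++ resource_group_name = "azfw-rg"
+}
+# azurerm_public_ip.pip_azfw will be created
++ resource "azurerm_public_ip" "pip_azfw" {
++ allocation_method = "Static"
++ ddos_protection_mode = "VirtualNetworkInherited"
++ fqdn = (known after apply)
++ id = (known after apply)
++ idle_timeout_in_minutes = 4
++ ip_address = (known after apply)
++ ip_version = "IPv4"
++ location = "eastus"
++ name = "pip-azfw"
++ resource_group_name = "azfw-rg"
++ sku = "Standard"
++ sku_tier = "Regional"
++ tags = {
++ "costcenter" = "1234556677"
++ "environment" = "dev"
++ "owner" = "cloud team"
++ "workload" = "azure firewall"
+}
+}
+# azurerm_resource_group.azfw_rg will be created
++ resource "azurerm_resource_group" "azfw_rg" {
++ id = (known after apply)
++ location = "eastus"
++ name = "azfw-rg"
++ tags = {
++ "costcenter" = "1234556677"
++ "environment" = "dev"
++ "owner" = "cloud team"
++ "workload" = "azure firewall"
+}
+}
+# azurerm_subnet.azfw_subnet will be created
++ resource "azurerm_subnet" "azfw_subnet" {
++ address_prefixes = [
++ "10.10.0.0/26",
+]
++ enforce_private_link_endpoint_network_policies = (known after apply)
++ enforce_private_link_service_network_policies = (known after apply)
++ id = (known after apply)
++ name = "AzureFirewallSubnet"
++ private_endpoint_network_policies_enabled = (known after apply)
++ private_link_service_network_policies_enabled = (known after apply)
++ resource_group_name = "azfw-rg"
++ virtual_network_name = "azfw-vnet"
+}
+# azurerm_virtual_network.azfw_vnet will be created
++ resource "azurerm_virtual_network" "azfw_vnet" {
++ address_space = [
++ "10.10.0.0/24",
+]
++ dns_servers = (known after apply)
++ guid = (known after apply)
++ id = (known after apply)
++ location = "eastus"
++ name = "azfw-vnet"
++ resource_group_name = "azfw-rg"
++ subnet = (known after apply)
+}
+Plan: 10 to add, 0 to change, 0 to destroy.
+``````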


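--- /dev/null
+++ b/main.tf
@@ -0,0 +1,153 @@
+// Create a Resource Group
+resource "azurerm_resource_group" "azfw_rg" {
+name = "azfw-rg"
+location = var.location
+tags = var.tags
+}
+// Create a Virtual Network
+resource "azurerm_virtual_network" "azfw_vnet" {
+name = "azfw-vnet"
+location = azurerm_resource_group.azfw_rg.location
+resource_group_name = azurerm_resource_group.azfw_rg.name
+address_space = ["10.10.0.0/24"]
+depends_on = [
+azurerm_resource_group.azfw_rg
+]
+}
+// Create IP Groups
+resource "azurerm_ip_group" "workload_ip_group" {
+name = "workload-ip-group"
+resource_group_name = azurerm_resource_group.azfw_rg.name
+location = azurerm_resource_group.azfw_rg.location
+cidrs = ["10.20.0.0/24", "10.30.0.0/24"]
+depends_on = [
+azurerm_resource_group.azfw_rg,
+azurerm_virtual_network.azfw_vnet
+]
+}
+resource "azurerm_ip_group" "infra_ip_group" {
+name = "infra-ip-group"
+resource_group_name = azurerm_resource_group.azfw_rg.name
+location = azurerm_resource_group.azfw_rg.location
+cidrs = ["10.40.0.0/24", "10.50.0.0/24"]
+depends_on = [
+azurerm_resource_group.azfw_rg,
+azurerm_virtual_network.azfw_vnet
+]
+}
+// Create the Azure Firewall Subnet
+resource "azurerm_subnet" "azfw_subnet" {
+name = "AzureFirewallSubnet"
+resource_group_name = azurerm_resource_group.azfw_rg.name
+virtual_network_name = azurerm_virtual_network.azfw_vnet.name
+address_prefixes = ["10.10.0.0/26"]
+depends_on = [
+azurerm_resource_group.azfw_rg,
+azurerm_virtual_network.azfw_vnet
+]
+}
+// Create a Public IP Address for Azure Firewall
+resource "azurerm_public_ip" "pip_azfw" {
+name = "pip-azfw"
+location = azurerm_resource_group.azfw_rg.location
+resource_group_name = azurerm_resource_group.azfw_rg.name
+allocation_method = "Static"
+sku = "Standard"
+tags = azurerm_resource_group.azfw_rg.tags
+depends_on = [
+azurerm_resource_group.azfw_rg
+]
+}
+// Create a Azure Firewall Policy
+resource "azurerm_firewall_policy" "azfw_policy" {
+name = "azfw-policy"
+resource_group_name = azurerm_resource_group.azfw_rg.name
+location = azurerm_resource_group.azfw_rg.location
+sku = var.fw_sku
+threat_intelligence_mode = "Alert"
+}
+// Create a Network Rule Collection Group
+// Create a Network Rule Collection
+// Create rules for NTP
+resource "azurerm_firewall_policy_rule_collection_group" "net_policy_rule_collection_group" {
+name = "DefaultNetworkRuleCollectionGroup"
+firewall_policy_id = azurerm_firewall_policy.azfw_policy.id
+priority = 200
+network_rule_collection {
+name = "DefaultNetworkRuleCollection"
+action = "Allow"
+priority = 200
+rule {
+name = "time-windows"
+protocols = ["UDP"]
+source_ip_groups = [azurerm_ip_group.workload_ip_group.id, azurerm_ip_group.infra_ip_group.id]
+destination_ports = ["123"]
+destination_addresses = ["132.86.101.172"]
+}
+}
+}
+// Create a Azure Firewall Policy Rule Collection Group
+// Create a Application Rule Collection
+// Create rules for Windows Update
+// Create rules for Microsoft.com
+resource "azurerm_firewall_policy_rule_collection_group" "app_policy_rule_collection_group" {
+name = "DefaulApplicationtRuleCollectionGroup"
+firewall_policy_id = azurerm_firewall_policy.azfw_policy.id
+priority = 300
+application_rule_collection {
+name = "DefaultApplicationRuleCollection"
+action = "Allow"
+priority = 500
+rule {
+name = "AllowWindowsUpdate"
+description = "Allow Windows Update"
+protocols {
+type = "Http"
+port = 80
+}
+protocols {
+type = "Https"
+port = 443
+}
+source_ip_groups = [azurerm_ip_group.workload_ip_group.id, azurerm_ip_group.infra_ip_group.id]
+destination_fqdn_tags = ["WindowsUpdate"]
+}
+rule {
+name = "Global Rule"
+description = "Allow access to Microsoft.com"
+protocols {
+type = "Https"
+port = 443
+}
+destination_fqdns = ["*.microsoft.com"]
+terminate_tls = false
+source_ip_groups = [azurerm_ip_group.workload_ip_group.id, azurerm_ip_group.infra_ip_group.id]
+}
+}
+depends_on = [
+azurerm_firewall_policy.azfw_policy
+]
+}
+// Create the Azure Firewall
+resource "azurerm_firewall" "fw" {
+name = "azfw"
+location = azurerm_resource_group.azfw_rg.location
+resource_group_name = azurerm_resource_group.azfw_rg.name
+sku_name = "AZFW_VNet"
+sku_tier = var.fw_sku
+ip_configuration {
+name = "azfw-ipconfig"
+subnet_id = azurerm_subnet.azfw_subnet.id
+public_ip_address_id = azurerm_public_ip.pip_azfw.id
+}
+firewall_policy_id = azurerm_firewall_policy.azfw_policy.id
+}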
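Review bot: `azurerm_firewall_policy.azfw_policy` sets `threat_intelligence_mode = "Alert"`, so traffic matching Microsoft's threat-intelligence feed is only logged and still forwarded; for a firewall quickstart `threat_intelligence_mode = "Deny"` is the safer default, and the Premium tier's IDPS is never configured (no `intrusion_detection { mode = "Deny" }` block), so as written the policy appears to behave the same as it would on Standard. The `time-windows` network rule allows UDP/123 only to the literal `132.86.101.172` (presumably a time.windows.com address), which can change underneath the rule; network rules accept `destination_fqdns = ["time.windows.com"]` once `dns { proxy_enabled = true }` is set on the policy, which keeps the allow list readable and self-updating. Nothing ships the firewall's logs anywhere — there is no `azurerm_monitor_diagnostic_setting` on `azurerm_firewall.fw` — so with `Alert` mode the alerts and rule hits are produced but never retained; a diagnostic setting to a Log Analytics workspace (even optional, gated on a variable) would make the deployment observable. Separately, the explicit `depends_on` lists on the VNet, IP groups, subnet and public IP duplicate the implicit dependencies already created by the attribute references and can be dropped, and the resource name `"DefaulApplicationtRuleCollectionGroup"` has a transposition typo that will be baked into the Azure resource name (renaming later forces a replace).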


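--- /dev/null
+++ b/outputs.tf
@@ -0,0 +1,3 @@
+output "rg_name" {
+value = azurerm_resource_group.azfw_rg.name
+}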
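Review bot: The only output is the resource group name, but the value a consumer of this quickstart actually needs is the firewall's private IP, since every route table that sends traffic through the firewall must use it as the next hop; an `output "fw_private_ip" { value = azurerm_firewall.fw.ip_configuration[0].private_ip_address }` (and, for outbound SNAT allow-listing, `output "fw_public_ip" { value = azurerm_public_ip.pip_azfw.ip_address }`) would make the module usable without a portal lookup. A `description` on each output would also help.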


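--- /dev/null
+++ b/providers.tf
@@ -0,0 +1,16 @@
+terraform {
+required_providers {
+azurerm = {
+source = "hashicorp/azurerm"
+version = "3.69.0"
+}
+}
+}
+provider "azurerm" {
+features {
+resource_group {
+prevent_deletion_if_contains_resources = false // Set to True for Production
+}
+}
+}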
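Review bot: The `terraform` block pins the provider exactly (good for reproducibility) but declares no `required_version` for Terraform core, so the template will be run on whatever CLI the reader has; a `required_version = ">= 1.0"` line next to `required_providers` makes the supported range explicit. The trailing comment on `prevent_deletion_if_contains_resources` says "Set to True" — HCL booleans are lowercase, so `// set to true for production` avoids a copy-paste error.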


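--- /dev/null
+++ b/variables.tf
@@ -0,0 +1,18 @@
+// Create Variables for Location and Tags
+variable "location" {
+default = "eastus"
+}
+variable "tags" {
+default = {
+environment = "dev"
+costcenter = "1234556677"
+owner = "cloud team"
+workload = "azure firewall"
+}
+}
+// Create Firewall Variables
+variable "fw_sku" {
+default = "Premium" # Valid values are Standard and Premium
+}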
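Review bot: `fw_sku` feeds both `azurerm_firewall_policy.sku` and `azurerm_firewall.sku_tier`, but the only guard on its value is the trailing comment, so a typo such as `premium` or `Basic` is rejected by the Azure API at apply time rather than at plan; the variable should declare `type = string`, a `description`, and a `validation` block that enforces the two allowed values, and `location` and `tags` would likewise benefit from `type` and `description`. Note also that the README calls this "The premium Azure Firewall" while the variable permits Standard.

```hcl
variable "fw_sku" {
  type        = string
  description = "SKU tier for the Azure Firewall and its Firewall Policy; Premium is required for IDPS and TLS inspection."
  default     = "Premium"

  validation {
    condition     = contains(["Standard", "Premium"], var.fw_sku)
    error_message = "fw_sku must be either \"Standard\" or \"Premium\"."
  }
}
```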