resource "random_pet" "rg-name" { prefix = var.resource_group_name_prefix } resource "azurerm_resource_group" "rg" { name = random_pet.rg-name.id location = var.resource_group_location } resource "azurerm_virtual_network" "azfw_vnet" { name = "azfw-vnet" location = azurerm_resource_group.rg.location resource_group_name = azurerm_resource_group.rg.name address_space = ["10.10.0.0/24"] } resource "azurerm_ip_group" "workload_ip_group" { name = "workload-ip-group" resource_group_name = azurerm_resource_group.rg.name location = azurerm_resource_group.rg.location cidrs = ["10.20.0.0/24", "10.30.0.0/24"] } resource "azurerm_ip_group" "infra_ip_group" { name = "infra-ip-group" resource_group_name = azurerm_resource_group.rg.name location = azurerm_resource_group.rg.location cidrs = ["10.40.0.0/24", "10.50.0.0/24"] } resource "azurerm_subnet" "azfw_subnet" { name = "AzureFirewallSubnet" resource_group_name = azurerm_resource_group.rg.name virtual_network_name = azurerm_virtual_network.azfw_vnet.name address_prefixes = ["10.10.0.0/26"] } resource "azurerm_public_ip" "pip_azfw" { name = "pip-azfw" location = azurerm_resource_group.rg.location resource_group_name = azurerm_resource_group.rg.name allocation_method = "Static" sku = "Standard" } resource "azurerm_firewall_policy" "azfw_policy" { name = "azfw-policy" resource_group_name = azurerm_resource_group.rg.name location = azurerm_resource_group.rg.location sku = var.firewall_sku_tier threat_intelligence_mode = "Alert" } resource "azurerm_firewall_policy_rule_collection_group" "net_policy_rule_collection_group" { name = "DefaultNetworkRuleCollectionGroup" firewall_policy_id = azurerm_firewall_policy.azfw_policy.id priority = 200 network_rule_collection { name = "DefaultNetworkRuleCollection" action = "Allow" priority = 200 rule { name = "time-windows" protocols = ["UDP"] source_ip_groups = [azurerm_ip_group.workload_ip_group.id, azurerm_ip_group.infra_ip_group.id] destination_ports = ["123"] destination_addresses = ["132.86.101.172"] } } } resource "azurerm_firewall_policy_rule_collection_group" "app_policy_rule_collection_group" { name = "DefaulApplicationtRuleCollectionGroup" firewall_policy_id = azurerm_firewall_policy.azfw_policy.id priority = 300 application_rule_collection { name = "DefaultApplicationRuleCollection" action = "Allow" priority = 500 rule { name = "AllowWindowsUpdate" description = "Allow Windows Update" protocols { type = "Http" port = 80 } protocols { type = "Https" port = 443 } source_ip_groups = [azurerm_ip_group.workload_ip_group.id, azurerm_ip_group.infra_ip_group.id] destination_fqdn_tags = ["WindowsUpdate"] } rule { name = "Global Rule" description = "Allow access to Microsoft.com" protocols { type = "Https" port = 443 } destination_fqdns = ["*.microsoft.com"] terminate_tls = false source_ip_groups = [azurerm_ip_group.workload_ip_group.id, azurerm_ip_group.infra_ip_group.id] } } } resource "azurerm_firewall" "fw" { name = "azfw" location = azurerm_resource_group.rg.location resource_group_name = azurerm_resource_group.rg.name sku_name = "AZFW_VNet" sku_tier = var.firewall_sku_tier ip_configuration { name = "azfw-ipconfig" subnet_id = azurerm_subnet.azfw_subnet.id public_ip_address_id = azurerm_public_ip.pip_azfw.id } firewall_policy_id = azurerm_firewall_policy.azfw_policy.id }