Tips-Of-Mine/terraform-azure
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
dc601d2ad81344b45be503c907bbded9729dc032
terraform-azure/quickstart/101-azfw-with-fwpolicy/main.tf
Charles J Shea 8aa0c51a71 azfw quickstarts (#245) 
* adding azfw quickstarts
2023-09-04 10:23:48 +08:00

120 lines
4.0 KiB
HCL
Raw Blame History

resource "random_pet" "rg-name" {
prefix = var.resource_group_name_prefix
}
resource "azurerm_resource_group" "rg" {
name = random_pet.rg-name.id
location = var.resource_group_location
}
resource "azurerm_virtual_network" "azfw_vnet" {
name = "azfw-vnet"
location = azurerm_resource_group.rg.location
resource_group_name = azurerm_resource_group.rg.name
address_space = ["10.10.0.0/24"]
}
resource "azurerm_ip_group" "workload_ip_group" {
name = "workload-ip-group"
resource_group_name = azurerm_resource_group.rg.name
location = azurerm_resource_group.rg.location
cidrs = ["10.20.0.0/24", "10.30.0.0/24"]
}
resource "azurerm_ip_group" "infra_ip_group" {
name = "infra-ip-group"
resource_group_name = azurerm_resource_group.rg.name
location = azurerm_resource_group.rg.location
cidrs = ["10.40.0.0/24", "10.50.0.0/24"]
}
resource "azurerm_subnet" "azfw_subnet" {
name = "AzureFirewallSubnet"
resource_group_name = azurerm_resource_group.rg.name
virtual_network_name = azurerm_virtual_network.azfw_vnet.name
address_prefixes = ["10.10.0.0/26"]
}
resource "azurerm_public_ip" "pip_azfw" {
name = "pip-azfw"
location = azurerm_resource_group.rg.location
resource_group_name = azurerm_resource_group.rg.name
allocation_method = "Static"
sku = "Standard"
}
resource "azurerm_firewall_policy" "azfw_policy" {
name = "azfw-policy"
resource_group_name = azurerm_resource_group.rg.name
location = azurerm_resource_group.rg.location
sku = var.firewall_sku_tier
threat_intelligence_mode = "Alert"
}
resource "azurerm_firewall_policy_rule_collection_group" "net_policy_rule_collection_group" {
name = "DefaultNetworkRuleCollectionGroup"
firewall_policy_id = azurerm_firewall_policy.azfw_policy.id
priority = 200
network_rule_collection {
name = "DefaultNetworkRuleCollection"
action = "Allow"
priority = 200
rule {
name = "time-windows"
protocols = ["UDP"]
source_ip_groups = [azurerm_ip_group.workload_ip_group.id, azurerm_ip_group.infra_ip_group.id]
destination_ports = ["123"]
destination_addresses = ["132.86.101.172"]
}
}
}
resource "azurerm_firewall_policy_rule_collection_group" "app_policy_rule_collection_group" {
name = "DefaulApplicationtRuleCollectionGroup"
firewall_policy_id = azurerm_firewall_policy.azfw_policy.id
priority = 300
application_rule_collection {
name = "DefaultApplicationRuleCollection"
action = "Allow"
priority = 500
rule {
name = "AllowWindowsUpdate"
description = "Allow Windows Update"
protocols {
type = "Http"
port = 80
}
protocols {
type = "Https"
port = 443
}
source_ip_groups = [azurerm_ip_group.workload_ip_group.id, azurerm_ip_group.infra_ip_group.id]
destination_fqdn_tags = ["WindowsUpdate"]
}
rule {
name = "Global Rule"
description = "Allow access to Microsoft.com"
protocols {
type = "Https"
port = 443
}
destination_fqdns = ["*.microsoft.com"]
terminate_tls = false
source_ip_groups = [azurerm_ip_group.workload_ip_group.id, azurerm_ip_group.infra_ip_group.id]
}
}
}
resource "azurerm_firewall" "fw" {
name = "azfw"
location = azurerm_resource_group.rg.location
resource_group_name = azurerm_resource_group.rg.name
sku_name = "AZFW_VNet"
sku_tier = var.firewall_sku_tier
ip_configuration {
name = "azfw-ipconfig"
subnet_id = azurerm_subnet.azfw_subnet.id
public_ip_address_id = azurerm_public_ip.pip_azfw.id
}
firewall_policy_id = azurerm_firewall_policy.azfw_policy.id
}
Reference in New Issue View Git Blame Copy Permalink