Ensono Verified Module (EVM) - Azure Terraform Firewall and Firewall Policies

An Azure Terraform Ensono Verified Module (EVM) designed to abstract the complexity of provisioning resources related to:

  • Azure Firewall
  • Azure Firewall parent policies
  • Azure Firewall child policies

Contributing

This repository uses the pre-commit git hook framework, which updates and formats some files to enforce our Terraform module best practices.

More details are available in the CONTRIBUTING.md file.

Usage

Examples, taken from the examples directory, can be found at the bottom of this page.

Providers

No providers.

Modules

| Name | Source | Version |
|------|--------|---------|
| firewall | Azure/avm-res-network-azurefirewall/azurerm | 0.3.0 |
| firewall_policy | Azure/avm-res-network-firewallpolicy/azurerm | 0.3.2 |
| public_ip_address | Azure/avm-res-network-publicipaddress/azurerm | 0.1.2 |

Resources

No resources.

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| allocation_method | The allocation method to use. | `string` | `"Static"` | no |
| azure_location | The Azure target location for all resources managed by this module. | `string` | n/a | yes |
| azure_location_zones | The availability zones of the Azure target location. | `set(number)` | n/a | yes |
| azure_resource_tags | Resource tags to add to all resources managed by this module. | `map(string)` | n/a | yes |
| create_firewall_policy | Whether the firewall policy should be created. | `string` | n/a | yes |
| diagnostic_settings | A map of diagnostic settings to create on the Firewall. The map key is deliberately arbitrary to avoid issues where map keys may be unknown at plan time.<br>- `name` - (Optional) The name of the diagnostic setting. One will be generated if not set; however, this will not be unique if you want to create multiple diagnostic setting resources.<br>- `log_categories` - (Optional) A set of log categories to send to the log analytics workspace. Defaults to `[]`.<br>- `log_groups` - (Optional) A set of log groups to send to the log analytics workspace. Defaults to `["allLogs"]`.<br>- `metric_categories` - (Optional) A set of metric categories to send to the log analytics workspace. Defaults to `["AllMetrics"]`.<br>- `log_analytics_destination_type` - (Optional) The destination type for the diagnostic setting. Possible values are `Dedicated` and `AzureDiagnostics`. Defaults to `Dedicated`.<br>- `workspace_resource_id` - (Optional) The resource ID of the log analytics workspace to send logs and metrics to.<br>- `storage_account_resource_id` - (Optional) The resource ID of the storage account to send logs and metrics to.<br>- `event_hub_authorization_rule_resource_id` - (Optional) The resource ID of the event hub authorization rule to send logs and metrics to.<br>- `event_hub_name` - (Optional) The name of the event hub. If none is specified, the default event hub will be selected.<br>- `marketplace_partner_resource_id` - (Optional) The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | <pre>map(object({<br>  name = optional(string, null)<br>  log_categories = optional(set(string), [])<br>  log_groups = optional(set(string), ["allLogs"])<br>  metric_categories = optional(set(string), ["AllMetrics"])<br>  log_analytics_destination_type = optional(string, "Dedicated")<br>  workspace_resource_id = optional(string, null)<br>  storage_account_resource_id = optional(string, null)<br>  event_hub_authorization_rule_resource_id = optional(string, null)<br>  event_hub_name = optional(string, null)<br>  marketplace_partner_resource_id = optional(string, null)<br>}))</pre> | `{}` | no |
| enable_telemetry | This variable controls whether or not telemetry is enabled for the module. For more information see https://aka.ms/avm/telemetryinfo. If it is set to `false`, then no telemetry will be collected. | `bool` | `true` | no |
| firewall_ip_configuration_subnetid | The subnet ID for the firewall IP configuration. | `string` | n/a | yes |
| firewall_management_ip_configuration | - `name` - (Required) Specifies the name of the IP Configuration.<br>- `public_ip_address_id` - (Required) The ID of the Public IP Address associated with the firewall.<br>- `subnet_id` - (Required) Reference to the subnet associated with the IP Configuration. Changing this forces a new resource to be created. | <pre>object({<br>  name = string<br>  public_ip_address_id = string<br>  subnet_id = string<br>})</pre> | `null` | no |
| firewall_policy_base_policy_id | (Optional) The ID of the base Firewall Policy. | `string` | `null` | no |
| firewall_policy_id | (Optional) The ID of the Firewall Policy applied to this Firewall. | `string` | `null` | no |
| firewall_policy_intrusion_detection | - `mode` - (Optional) The mode in which intrusion detection runs: `Off`, `Alert` or `Deny`.<br>- `private_ranges` - (Optional) A list of private IP address ranges used to identify traffic direction. By default, only the ranges defined by IANA RFC 1918 are considered private IP addresses.<br>---<br>`signature_overrides` block supports the following:<br>- `id` - (Optional) 12-digit number (id) which identifies your signature.<br>- `state` - (Optional) State can be any of `Off`, `Alert` or `Deny`.<br>---<br>`traffic_bypass` block supports the following:<br>- `description` - (Optional) The description for this bypass traffic setting.<br>- `destination_addresses` - (Optional) Specifies a list of destination IP addresses that shall be bypassed by intrusion detection.<br>- `destination_ip_groups` - (Optional) Specifies a list of destination IP groups that shall be bypassed by intrusion detection.<br>- `destination_ports` - (Optional) Specifies a list of destination ports that shall be bypassed by intrusion detection.<br>- `name` - (Required) The name which should be used for this bypass traffic setting.<br>- `protocol` - (Required) The protocol, one of `ANY`, `TCP`, `ICMP` or `UDP`, that shall be bypassed by intrusion detection.<br>- `source_addresses` - (Optional) Specifies a list of source addresses that shall be bypassed by intrusion detection.<br>- `source_ip_groups` - (Optional) Specifies a list of source IP groups that shall be bypassed by intrusion detection. | <pre>object({<br>  mode = optional(string)<br>  private_ranges = optional(list(string))<br>  signature_overrides = optional(list(object({<br>    id = optional(string)<br>    state = optional(string)<br>  })))<br>  traffic_bypass = optional(list(object({<br>    description = optional(string)<br>    destination_addresses = optional(set(string))<br>    destination_ip_groups = optional(set(string))<br>    destination_ports = optional(set(string))<br>    name = string<br>    protocol = string<br>    source_addresses = optional(set(string))<br>    source_ip_groups = optional(set(string))<br>  })))<br>})</pre> | `null` | no |
| firewall_policy_policy_sku | (Optional) The SKU Tier of the Firewall Policy. Possible values are `Standard`, `Premium` and `Basic`. Changing this forces a new Firewall Policy to be created. | `string` | `null` | no |
| firewall_policy_threat_intelligence_allowlist | - `fqdns` - (Optional) A list of FQDNs that will be skipped for threat detection.<br>- `ip_addresses` - (Optional) A list of IP addresses or CIDR ranges that will be skipped for threat detection. | <pre>object({<br>  fqdns = optional(set(string))<br>  ip_addresses = optional(set(string))<br>})</pre> | `null` | no |
| firewall_policy_threat_intelligence_mode | (Optional) The operation mode for Threat Intelligence. Possible values are `Alert`, `Deny` and `Off`. Defaults to `Alert` when not set. | `string` | `null` | no |
| firewall_private_ip_ranges | (Optional) A list of SNAT private CIDR IP ranges, or the special string `IANAPrivateRanges`, which indicates that Azure Firewall does not SNAT when the destination IP address is a private range per IANA RFC 1918. | `set(string)` | `null` | no |
| firewall_sku_name | (Required) SKU name of the Firewall. Possible values are `AZFW_Hub` and `AZFW_VNet`. Changing this forces a new resource to be created. | `string` | n/a | yes |
| firewall_sku_tier | (Required) SKU tier of the Firewall. Possible values are `Premium`, `Standard` and `Basic`. | `string` | n/a | yes |
| naming_map | A map containing Azure resource names aligned to the Cloud Adoption Framework. | `any` | n/a | yes |
| network_resource_group_name | The resource group where the network resources are deployed. The firewall must be created in the network resource group. | `string` | n/a | yes |
| public_ip_sku | The SKU of the public IP address. | `string` | `"Standard"` | no |
| public_ip_sku_tier | The tier of the SKU of the public IP address. | `string` | `"Regional"` | no |
| resource_group_name | The resource group where the resources will be deployed. | `string` | n/a | yes |

Outputs

| Name | Description |
|------|-------------|
| firewall_id | The resource ID of the firewall. |
| firewall_ip_configuration | The private IP address of the Azure Firewall. |
| firewall_name | The name of the firewall. |
| firewall_policy_id | The resource ID of the firewall parent policy. |
| public_ip_address | The IP address of the firewall public IP. |
| public_ip_id | The resource ID of the firewall public IP address. |

Examples

Main

terraform.tfvars

```hcl
company_name_short                       = "ensevm"
subscription_name_short                  = "con"
module_names                             = ["firewall"]
azure_location                           = "eastus2"
network_resource_group_name              = "rg-ensrtf-eus2-prod-con-hub"
firewall_sku_name                        = "AZFW_VNet"
firewall_sku_tier                        = "Standard"
firewall_ip_configuration_subnetid       = "/subscriptions/xxxx-xxxx-xxxx-xxxx-xxxx/resourceGroups/rg-ensrtf-eus2-prod-con-hub/providers/Microsoft.Network/virtualNetworks/vnet-ensrtf-eus2-prod-con-hub/subnets/AzureFirewallSubnet"
firewall_policy_threat_intelligence_mode = "Alert"
firewall_policy_policy_sku               = "Standard"

/*
Sensitive inputs should be passed as pipeline environment variables

azure_subscription_id = "xxx"
*/
```

example.tf

```hcl
module "hub_firewall" {
  source                      = "../../"
  network_resource_group_name = var.network_resource_group_name
  azure_location              = azurerm_resource_group.modules["firewall"].location
  resource_group_name         = azurerm_resource_group.modules["firewall"].name
  azure_location_zones        = module.azure_regions.regions_by_name[var.azure_location].zones
  naming_map                  = local.name_map["firewall"]
  azure_resource_tags         = local.resource_tags

  # Firewall Configurations
  firewall_sku_name                  = var.firewall_sku_name
  firewall_sku_tier                  = var.firewall_sku_tier
  firewall_ip_configuration_subnetid = var.firewall_ip_configuration_subnetid

  # Firewall Policy Configurations
  create_firewall_policy                   = true
  firewall_policy_threat_intelligence_mode = var.firewall_policy_threat_intelligence_mode
  firewall_policy_policy_sku               = var.firewall_policy_policy_sku
}
```
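Hardened variant (added example)

The example above deploys a Standard firewall with threat intelligence in `Alert` mode, which only logs matches. The following is an added example, not code from the module's examples directory, showing how the `firewall_policy_intrusion_detection`, `firewall_policy_threat_intelligence_allowlist`, `firewall_private_ip_ranges` and `diagnostic_settings` inputs documented in the Inputs table combine into a deny-by-default Premium deployment with logs shipped to Log Analytics. IDPS is a Premium-tier feature, so both `firewall_sku_tier` and `firewall_policy_policy_sku` are set to `Premium`. The resource group, subnet and workspace IDs, address ranges, tags and `local.name_map` are placeholders assumed for illustration; `create_firewall_policy` is declared as a `string`, so `true` is coerced the same way as in example.tf.

```hcl
# Added example: hardened Premium hub firewall using the documented module inputs.
# All IDs, names and address ranges are placeholders; local.name_map is assumed to
# be defined elsewhere in the example, as in example.tf.
module "hub_firewall_premium" {
  source                      = "../../"
  network_resource_group_name = "rg-example-eus2-prod-con-hub"
  azure_location              = "eastus2"
  resource_group_name         = "rg-example-eus2-prod-con-hub"
  azure_location_zones        = [1, 2, 3]
  naming_map                  = local.name_map["firewall"] # assumed, as in example.tf
  azure_resource_tags         = { environment = "prod", owner = "netsec" }

  # Firewall: IDPS requires the Premium tier.
  firewall_sku_name                  = "AZFW_VNet"
  firewall_sku_tier                  = "Premium"
  firewall_ip_configuration_subnetid = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-example-eus2-prod-con-hub/providers/Microsoft.Network/virtualNetworks/vnet-example-hub/subnets/AzureFirewallSubnet"

  # Do not SNAT to RFC 1918 destinations, so spoke-to-spoke flows keep their real source IP in logs.
  firewall_private_ip_ranges = ["IANAPrivateRanges"]

  # Policy tier must match the firewall tier.
  create_firewall_policy     = true
  firewall_policy_policy_sku = "Premium"

  # Threat intelligence in Deny blocks traffic to/from known-malicious IPs and domains.
  # The allowlist is an inspection exclusion: keep it to confirmed false positives.
  firewall_policy_threat_intelligence_mode = "Deny"
  firewall_policy_threat_intelligence_allowlist = {
    fqdns        = ["updates.example.com"] # placeholder
    ip_addresses = []
  }

  # IDPS in Deny mode. private_ranges tells IDPS which addresses are internal so
  # traffic direction (inbound / outbound / internal) is classified correctly.
  firewall_policy_intrusion_detection = {
    mode           = "Deny"
    private_ranges = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
    # A bypass skips IDPS entirely for the matching flow: scope it to a single
    # source range, destination host and port rather than ANY.
    traffic_bypass = [
      {
        name                  = "bypass-backup-replication"
        description           = "High-volume backup replication verified as benign"
        protocol              = "TCP"
        source_addresses      = ["10.10.20.0/24"] # placeholder
        destination_addresses = ["10.20.30.5"]    # placeholder
        destination_ports     = ["10000"]
      }
    ]
  }

  # Ship all firewall log groups and metrics to Log Analytics using
  # resource-specific (Dedicated) tables, which is what detection content expects.
  diagnostic_settings = {
    law = {
      name                           = "diag-hub-firewall"
      workspace_resource_id          = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-example-mon/providers/Microsoft.OperationalInsights/workspaces/law-example-sec"
      log_analytics_destination_type = "Dedicated"
      log_groups                     = ["allLogs"]
      metric_categories              = ["AllMetrics"]
    }
  }
}
```

When first moving from `Alert` to `Deny`, run the policy in `Alert` with diagnostics enabled for long enough to review the IDPS and threat intelligence logs in the workspace, then add only the confirmed false positives to the allowlist or a narrowly scoped `traffic_bypass` before switching the mode. Both of those inputs are exclusions from inspection, so they deserve the same review as an allow rule.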