From ed29f3c468701a3c87063ccd816613eaa2a65f2e Mon Sep 17 00:00:00 2001
From: Charles Shea
Date: Tue, 22 Aug 2023 19:02:39 -0400
Subject: [PATCH 01/11] adding azfw quickstarts

---
 quickstart/101-azfw-with-fwpolicy/README.md | 230 ++++
 quickstart/101-azfw-with-fwpolicy/main.tf | 153 +++++
 quickstart/101-azfw-with-fwpolicy/outputs.tf | 3 +
 quickstart/101-azfw-with-fwpolicy/provider.tf | 16 +
 .../101-azfw-with-fwpolicy/variables.tf | 18 +
 quickstart/201-azfw-with-secure-hub/README.md | 543 ++++++++++++++++++
 quickstart/201-azfw-with-secure-hub/main.tf | 370 ++++++++++++
 .../201-azfw-with-secure-hub/outputs.tf | 3 +
 .../201-azfw-with-secure-hub/provider.tf | 16 +
 .../201-azfw-with-secure-hub/variables.tf | 30 +
 10 files changed, 1382 insertions(+)
 create mode 100644 quickstart/101-azfw-with-fwpolicy/README.md
 create mode 100644 quickstart/101-azfw-with-fwpolicy/main.tf
 create mode 100644 quickstart/101-azfw-with-fwpolicy/outputs.tf
 create mode 100644 quickstart/101-azfw-with-fwpolicy/provider.tf
 create mode 100644 quickstart/101-azfw-with-fwpolicy/variables.tf
 create mode 100644 quickstart/201-azfw-with-secure-hub/README.md
 create mode 100644 quickstart/201-azfw-with-secure-hub/main.tf
 create mode 100644 quickstart/201-azfw-with-secure-hub/outputs.tf
 create mode 100644 quickstart/201-azfw-with-secure-hub/provider.tf
 create mode 100644 quickstart/201-azfw-with-secure-hub/variables.tf

diff --git a/quickstart/101-azfw-with-fwpolicy/README.md b/quickstart/101-azfw-with-fwpolicy/README.md
new file mode 100644
index 000000000..5fb781393
--- /dev/null
+++ b/quickstart/101-azfw-with-fwpolicy/README.md
@@ -0,0 +1,230 @@ +# Deploy Azure Firewall and a Firewall Policy + +This template deploys an Azure Firewall and a Firewall Policy. The Firewall Policy is associated to the Firewall. + +## Resources + +| Terraform Resource Type | Description | +| - | - | +| `azurerm_resource_group` | The resource group all the deployed resources.| +| `azurerm_virtual_network` | The virtual network for the firewall. | +| `azurerm_subnet` |The firewall subnet.| +| `azurerm_public_ip` | The firewall public IP address. | +| `azurerm_firewall` | The premium Azure Firewall. | +| `azurerm_firewall_policy` | The policy associated to the Firewall | +| `azurerm_firewall_policy_rule_collection_group` | the rules collection group for firewall policy | +| `azurerm_ip_group` | The IP group for source addresses. | + +## Variables + +| Name | Description | +|-|-| +| `location` | location for your resources | +| `tags` | tags to organize your resources | +| `fw_sku` | Sku size for your Firewall and Firewall Policy | + +## Example + +```powershell +terraform plan -out main.tfplan + + # azurerm_firewall.fw will be created + + resource "azurerm_firewall" "fw" { + + firewall_policy_id = (known after apply) + + id = (known after apply) + + location = "eastus" + + name = "azfw" + + resource_group_name = "azfw-rg" + + sku_name = "AZFW_VNet" + + sku_tier = "Premium" + + threat_intel_mode = (known after apply) + + + ip_configuration { + + name = "azfw-ipconfig" + + private_ip_address = (known after apply) + + public_ip_address_id = (known after apply) + + subnet_id = (known after apply) + } + } + + # azurerm_firewall_policy.azfw_policy will be created + + resource "azurerm_firewall_policy" "azfw_policy" { + + child_policies = (known after apply) + + firewalls = (known after apply) + + id = (known after apply) + + location = "eastus" + + name = "azfw-policy" + + resource_group_name = "azfw-rg" + + rule_collection_groups = (known after apply) + + sku = "Premium" + + threat_intelligence_mode = "Alert" + } + + # 
azurerm_firewall_policy_rule_collection_group.app_policy_rule_collection_group will be created + + resource "azurerm_firewall_policy_rule_collection_group" "app_policy_rule_collection_group" { + + firewall_policy_id = (known after apply) + + id = (known after apply) + + name = "DefaulApplicationtRuleCollectionGroup" + + priority = 300 + + + application_rule_collection { + + action = "Allow" + + name = "DefaultApplicationRuleCollection" + + priority = 500 + + + rule { + + description = "Allow Windows Update" + + destination_fqdn_tags = [ + + "WindowsUpdate", + ] + + name = "AllowWindowsUpdate" + + source_ip_groups = (known after apply) + + + protocols { + + port = 80 + + type = "Http" + } + + protocols { + + port = 443 + + type = "Https" + } + } + + rule { + + description = "Allow access to Microsoft.com" + + destination_fqdns = [ + + "*.microsoft.com", + ] + + name = "Global Rule" + + source_ip_groups = (known after apply) + + terminate_tls = false + + + protocols { + + port = 443 + + type = "Https" + } + } + } + } + + # azurerm_firewall_policy_rule_collection_group.net_policy_rule_collection_group will be created + + resource "azurerm_firewall_policy_rule_collection_group" "net_policy_rule_collection_group" { + + firewall_policy_id = (known after apply) + + id = (known after apply) + + name = "DefaultNetworkRuleCollectionGroup" + + priority = 200 + + + network_rule_collection { + + action = "Allow" + + name = "DefaultNetworkRuleCollection" + + priority = 200 + + + rule { + + destination_addresses = [ + + "132.86.101.172", + ] + + destination_ports = [ + + "123", + ] + + name = "time-windows" + + protocols = [ + + "UDP", + ] + + source_ip_groups = (known after apply) + } + } + } + + # azurerm_ip_group.infra_ip_group will be created + + resource "azurerm_ip_group" "infra_ip_group" { + + cidrs = [ + + "10.40.0.0/24", + + "10.50.0.0/24", + ] + + firewall_ids = (known after apply) + + firewall_policy_ids = (known after apply) + + id = (known after apply) + + location = 
"eastus" + + name = "infra-ip-group" + + resource_group_name = "azfw-rg" + } + + # azurerm_ip_group.workload_ip_group will be created + + resource "azurerm_ip_group" "workload_ip_group" { + + cidrs = [ + + "10.20.0.0/24", + + "10.30.0.0/24", + ] + + firewall_ids = (known after apply) + + firewall_policy_ids = (known after apply) + + id = (known after apply) + + location = "eastus" + + name = "workload-ip-group" + + resource_group_name = "azfw-rg" + } + + # azurerm_public_ip.pip_azfw will be created + + resource "azurerm_public_ip" "pip_azfw" { + + allocation_method = "Static" + + ddos_protection_mode = "VirtualNetworkInherited" + + fqdn = (known after apply) + + id = (known after apply) + + idle_timeout_in_minutes = 4 + + ip_address = (known after apply) + + ip_version = "IPv4" + + location = "eastus" + + name = "pip-azfw" + + resource_group_name = "azfw-rg" + + sku = "Standard" + + sku_tier = "Regional" + + tags = { + + "costcenter" = "1234556677" + + "environment" = "dev" + + "owner" = "cloud team" + + "workload" = "azure firewall" + } + } + + # azurerm_resource_group.azfw_rg will be created + + resource "azurerm_resource_group" "azfw_rg" { + + id = (known after apply) + + location = "eastus" + + name = "azfw-rg" + + tags = { + + "costcenter" = "1234556677" + + "environment" = "dev" + + "owner" = "cloud team" + + "workload" = "azure firewall" + } + } + + # azurerm_subnet.azfw_subnet will be created + + resource "azurerm_subnet" "azfw_subnet" { + + address_prefixes = [ + + "10.10.0.0/26", + ] + + enforce_private_link_endpoint_network_policies = (known after apply) + + enforce_private_link_service_network_policies = (known after apply) + + id = (known after apply) + + name = "AzureFirewallSubnet" + + private_endpoint_network_policies_enabled = (known after apply) + + private_link_service_network_policies_enabled = (known after apply) + + resource_group_name = "azfw-rg" + + virtual_network_name = "azfw-vnet" + } + + # azurerm_virtual_network.azfw_vnet will be 
created + + resource "azurerm_virtual_network" "azfw_vnet" { + + address_space = [ + + "10.10.0.0/24", + ] + + dns_servers = (known after apply) + + guid = (known after apply) + + id = (known after apply) + + location = "eastus" + + name = "azfw-vnet" + + resource_group_name = "azfw-rg" + + subnet = (known after apply) + } + +Plan: 10 to add, 0 to change, 0 to destroy. +`````` \ No newline at end of file diff --git a/quickstart/101-azfw-with-fwpolicy/main.tf b/quickstart/101-azfw-with-fwpolicy/main.tf new file mode 100644 index 000000000..c39981331 --- /dev/null +++ b/quickstart/101-azfw-with-fwpolicy/main.tf 
@@ -0,0 +1,153 @@
+
+// Create a Resource Group
+resource "azurerm_resource_group" "azfw_rg" {
+ name = "azfw-rg"
+ location = var.location
+ tags = var.tags
+}
+// Create a Virtual Network
+resource "azurerm_virtual_network" "azfw_vnet" {
+ name = "azfw-vnet"
+ location = azurerm_resource_group.azfw_rg.location
+ resource_group_name = azurerm_resource_group.azfw_rg.name
+ address_space = ["10.10.0.0/24"]
+ depends_on = [
+ azurerm_resource_group.azfw_rg
+ ]
+}
+
+// Create IP Groups
+resource "azurerm_ip_group" "workload_ip_group" {
+ name = "workload-ip-group"
+ resource_group_name = azurerm_resource_group.azfw_rg.name
+ location = azurerm_resource_group.azfw_rg.location
+ cidrs = ["10.20.0.0/24", "10.30.0.0/24"]
+ depends_on = [
+ azurerm_resource_group.azfw_rg,
+ azurerm_virtual_network.azfw_vnet
+ ]
+}
+resource "azurerm_ip_group" "infra_ip_group" {
+ name = "infra-ip-group"
+ resource_group_name = azurerm_resource_group.azfw_rg.name
+ location = azurerm_resource_group.azfw_rg.location
+ cidrs = ["10.40.0.0/24", "10.50.0.0/24"]
+ depends_on = [
+ azurerm_resource_group.azfw_rg,
+ azurerm_virtual_network.azfw_vnet
+ ]
+}
+
+// Create the Azure Firewall Subnet
+resource "azurerm_subnet" "azfw_subnet" {
+ name = "AzureFirewallSubnet"
+ resource_group_name = azurerm_resource_group.azfw_rg.name
+ virtual_network_name = azurerm_virtual_network.azfw_vnet.name
+ address_prefixes = ["10.10.0.0/26"]
+ depends_on = [
+ azurerm_resource_group.azfw_rg,
+ azurerm_virtual_network.azfw_vnet
+ ]
+}
+
+// Create a Public IP Address for Azure Firewall
+resource "azurerm_public_ip" "pip_azfw" {
+ name = "pip-azfw"
+ location = azurerm_resource_group.azfw_rg.location
+ resource_group_name = azurerm_resource_group.azfw_rg.name
+ allocation_method = "Static"
+ sku = "Standard"
+ tags = azurerm_resource_group.azfw_rg.tags
+ depends_on = [
+ azurerm_resource_group.azfw_rg
+ ]
+}
+
+// Create a Azure Firewall Policy
+resource "azurerm_firewall_policy" "azfw_policy" {
+ name = "azfw-policy"
+ resource_group_name = azurerm_resource_group.azfw_rg.name
+ location = azurerm_resource_group.azfw_rg.location
+ sku = var.fw_sku
+ threat_intelligence_mode = "Alert"
+}
+
+// Create a Network Rule Collection Group
+// Create a Network Rule Collection
+// Create rules for NTP
+resource "azurerm_firewall_policy_rule_collection_group" "net_policy_rule_collection_group" {
+ name = "DefaultNetworkRuleCollectionGroup"
+ firewall_policy_id = azurerm_firewall_policy.azfw_policy.id
+ priority = 200
+ network_rule_collection {
+ name = "DefaultNetworkRuleCollection"
+ action = "Allow"
+ priority = 200
+ rule {
+ name = "time-windows"
+ protocols = ["UDP"]
+ source_ip_groups = [azurerm_ip_group.workload_ip_group.id, azurerm_ip_group.infra_ip_group.id]
+ destination_ports = ["123"]
+ destination_addresses = ["132.86.101.172"]
+ }
+ }
+}
+
+// Create a Azure Firewall Policy Rule Collection Group
+// Create a Application Rule Collection
+// Create rules for Windows Update
+// Create rules for Microsoft.com
+resource "azurerm_firewall_policy_rule_collection_group" "app_policy_rule_collection_group" {
+ name = "DefaulApplicationtRuleCollectionGroup"
+ firewall_policy_id = azurerm_firewall_policy.azfw_policy.id
+ priority = 300
+ application_rule_collection {
+ name = "DefaultApplicationRuleCollection"
+ action = "Allow"
+ priority = 500
+ rule {
+ name = "AllowWindowsUpdate"
+
+ description = "Allow Windows Update"
+ protocols {
+ type = "Http"
+ port = 80
+ }
+ protocols {
+ type = "Https"
+ port = 443
+ }
+ source_ip_groups = [azurerm_ip_group.workload_ip_group.id, azurerm_ip_group.infra_ip_group.id]
+ destination_fqdn_tags = ["WindowsUpdate"]
+ }
+ rule {
+ name = "Global Rule"
+ description = "Allow access to Microsoft.com"
+ protocols {
+ type = "Https"
+ port = 443
+ }
+ destination_fqdns = ["*.microsoft.com"]
+ terminate_tls = false
+ source_ip_groups = [azurerm_ip_group.workload_ip_group.id, azurerm_ip_group.infra_ip_group.id]
+ }
+ }
+ depends_on = [
+ azurerm_firewall_policy.azfw_policy
+ ]
+}
+
+// Create the Azure Firewall
+resource "azurerm_firewall" "fw" {
+ name = "azfw"
+ location = azurerm_resource_group.azfw_rg.location
+ resource_group_name = azurerm_resource_group.azfw_rg.name
+ sku_name = "AZFW_VNet"
+ sku_tier = var.fw_sku
+ ip_configuration {
+ name = "azfw-ipconfig"
+ subnet_id = azurerm_subnet.azfw_subnet.id
+ public_ip_address_id = azurerm_public_ip.pip_azfw.id
+ }
+ firewall_policy_id = azurerm_firewall_policy.azfw_policy.id
+}
\ No newline at end of file
diff --git a/quickstart/101-azfw-with-fwpolicy/outputs.tf b/quickstart/101-azfw-with-fwpolicy/outputs.tf
new file mode 100644
index 000000000..67ad7df31
--- /dev/null
+++ b/quickstart/101-azfw-with-fwpolicy/outputs.tf
@@ -0,0 +1,3 @@
+output "rg_name" {
+ value = azurerm_resource_group.azfw_rg.name
+}
\ No newline at end of file
diff --git a/quickstart/101-azfw-with-fwpolicy/provider.tf b/quickstart/101-azfw-with-fwpolicy/provider.tf
new file mode 100644
index 000000000..76b5065bc
--- /dev/null
+++ b/quickstart/101-azfw-with-fwpolicy/provider.tf
@@ -0,0 +1,16 @@
+terraform {
+ required_providers {
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = "3.69.0"
+ }
+ }
+}
+
+provider "azurerm" {
+ features {
+ resource_group {
+ prevent_deletion_if_contains_resources = false // Set to True for Production
+ }
+ }
+}
diff --git a/quickstart/101-azfw-with-fwpolicy/variables.tf b/quickstart/101-azfw-with-fwpolicy/variables.tf
new file mode 100644
index 000000000..2a925a383
--- /dev/null
+++ b/quickstart/101-azfw-with-fwpolicy/variables.tf
@@ -0,0 +1,18 @@
+// Create Variables for Location and Tags
+variable "location" {
+ default = "eastus"
+}
+variable "tags" {
+ default = {
+ environment = "dev"
+ costcenter = "1234556677"
+ owner = "cloud team"
+ workload = "azure firewall"
+ }
+}
+
+// Create Firewall Variables
+variable "fw_sku" {
+ default = "Premium" # Valid values are Standard and Premium
+}
+
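Review bot: The NTP network rule in `net_policy_rule_collection_group` pins `destination_addresses = ["132.86.101.172"]` for what its name `time-windows` says is time.windows.com, but that service is DNS-load-balanced and the address is not stable, so the rule will silently stop matching when it changes and, because Azure Firewall denies anything not explicitly allowed, clients behind it lose time sync. Network rules can match FQDNs once DNS proxy is enabled on the policy, so replace the address with `destination_fqdns = ["time.windows.com"]` and add `dns { proxy_enabled = true }` to `azurerm_firewall_policy.azfw_policy`. Two smaller points in the same hunk: `threat_intelligence_mode = "Alert"` only logs threat-intel hits, so a comment such as `# "Alert" logs only; use "Deny" outside of quickstart/dev` would stop readers copying it into production unchanged, and the group name `"DefaulApplicationtRuleCollectionGroup"` is misspelled, which is cheap to fix before merge and forces a resource replace afterwards because it is the Azure resource name. The explicit `depends_on` lists duplicate dependencies Terraform already infers from the attribute references and can be dropped.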
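Review bot: `fw_sku` documents its valid values only in a comment (`# Valid values are Standard and Premium`), yet both `sku_tier` on `azurerm_firewall.fw` and `sku` on `azurerm_firewall_policy.azfw_policy` in main.tf are fed from it, so a typo is only rejected by the API at apply time after the earlier resources have already been created. A `validation` block catches it at plan time and replaces the comment. `location` and `tags` also carry no `type` or `description`, which the README variables table is currently standing in for.
```hcl
variable "fw_sku" {
  default = "Premium"
  validation {
    condition     = contains(["Standard", "Premium"], var.fw_sku)
    error_message = "fw_sku must be \"Standard\" or \"Premium\"."
  }
}
```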
diff --git a/quickstart/201-azfw-with-secure-hub/README.md b/quickstart/201-azfw-with-secure-hub/README.md
new file mode 100644
index 000000000..2bdb52b85
--- /dev/null
+++ b/quickstart/201-azfw-with-secure-hub/README.md
@@ -0,0 +1,543 @@ +# Deploy Azure Firewall and a Firewall Policy + +This template deploys an Azure Firewall and a Firewall Policy to a Secure Hub. The Firewall Policy is associated with the Firewall policy. + +## Resources + +| Terraform Resource Type | Description | +| - | - | +| `azurerm_resource_group` | The resource group all the deployed resources.| +| `azurerm_virtual_wan` | The virtual wan for the virtual hub | +| `azurerm_virtual_hub` | The virtual hub for the firewall | +| `azurerm_virtual_hub_route_table` | The route table for the virtual hub | +| `azurerm_virtual_hub_connection` | The connection between the virtual hub and the virtual network spoke | +| `azurerm_public_ip` | The firewall public IP address and public access to the jump vm. | +| `azurerm_firewall_policy` | The policy associated to the Firewall | +| `azurerm_firewall_policy_rule_collection_group` | the rules collection group to add network and application rule collections for firewall policy | +| `azurerm_firewall` | The premium Azure Firewall. | +| `azurerm_virtual_network` | The virtual network for the firewall. | +| `azurerm_subnet` | The subnets for jump and workload vms. 
| +| `azurerm_network_interface` | The nics for the jump and workload vms | +| `azurerm_network_security_group` | The nsg for the jump and workload vms | +| `azurerm_network_interface_security_group_association` | The association between the nics and the nsgs | +| `azurerm_virtual_machine` | The jump and workload vms for testing | +| `azurerm_route_table` | The route table for the jump vms | +| `azurerm_subnet_route_table_association` | The association between the subnets and the route tables | +| `azurerm_virtual_hub_route_table` | The route table for the virtual hub | + +## Variables + +| Name | Description | +|-|-| +| `location` | location for your resources | +| `tags` | tags to organize your resources | +| `fw_sku` | Sku size for your Firewall and Firewall Policy | +| `vm_size` | Sku size for your jump and workload vms | +| `admin_username` | admin username for the jump and workload vms | +| `admin_password` | admin password for the jump and workload vms | + +## Example + +```powershell +Terraform used the selected providers to generate the following execution plan. 
Resource actions are indicated with the following symbols: + + create + +Terraform will perform the following actions: + + # azurerm_firewall.fw will be created + + resource "azurerm_firewall" "fw" { + + firewall_policy_id = (known after apply) + + id = (known after apply) + + location = "eastus" + + name = "fw-azfw-securehub-eus" + + resource_group_name = "rg-azfw-securehub-eus" + + sku_name = "AZFW_Hub" + + sku_tier = "Premium" + + tags = { + + "costcenter" = "1234556677" + + "environment" = "dev" + + "owner" = "cloud team" + + "workload" = "azure firewall" + } + + threat_intel_mode = (known after apply) + + + virtual_hub { + + private_ip_address = (known after apply) + + public_ip_addresses = (known after apply) + + public_ip_count = 1 + + virtual_hub_id = (known after apply) + } + } + + # azurerm_firewall_policy.azfw_policy will be created + + resource "azurerm_firewall_policy" "azfw_policy" { + + child_policies = (known after apply) + + firewalls = (known after apply) + + id = (known after apply) + + location = "eastus" + + name = "policy-azfw-securehub-eus" + + resource_group_name = "rg-azfw-securehub-eus" + + rule_collection_groups = (known after apply) + + sku = "Premium" + + tags = { + + "costcenter" = "1234556677" + + "environment" = "dev" + + "owner" = "cloud team" + + "workload" = "azure firewall" + } + + threat_intelligence_mode = "Alert" + } + + # azurerm_firewall_policy_rule_collection_group.app_policy_rule_collection_group will be created + + resource "azurerm_firewall_policy_rule_collection_group" "app_policy_rule_collection_group" { + + firewall_policy_id = (known after apply) + + id = (known after apply) + + name = "DefaulApplicationtRuleCollectionGroup" + + priority = 300 + + + application_rule_collection { + + action = "Allow" + + name = "DefaultApplicationRuleCollection" + + priority = 100 + + + rule { + + description = "Allow access to Microsoft.com" + + destination_fqdns = [ + + "*.microsoft.com", + ] + + name = "Allow-MSFT" + + 
source_addresses = [ + + "*", + ] + + terminate_tls = false + + + protocols { + + port = 443 + + type = "Https" + } + + protocols { + + port = 80 + + type = "Http" + } + } + } + } + + # azurerm_network_interface.vm_jump_nic will be created + + resource "azurerm_network_interface" "vm_jump_nic" { + + applied_dns_servers = (known after apply) + + dns_servers = (known after apply) + + enable_accelerated_networking = false + + enable_ip_forwarding = false + + id = (known after apply) + + internal_dns_name_label = (known after apply) + + internal_domain_name_suffix = (known after apply) + + location = "eastus" + + mac_address = (known after apply) + + name = "nic-jump" + + private_ip_address = (known after apply) + + private_ip_addresses = (known after apply) + + resource_group_name = "rg-azfw-securehub-eus" + + virtual_machine_id = (known after apply) + + + ip_configuration { + + gateway_load_balancer_frontend_ip_configuration_id = (known after apply) + + name = "ipconfig-jump" + + primary = (known after apply) + + private_ip_address = (known after apply) + + private_ip_address_allocation = "Dynamic" + + private_ip_address_version = "IPv4" + + public_ip_address_id = (known after apply) + + subnet_id = (known after apply) + } + } + + # azurerm_network_interface.vm_workload_nic will be created + + resource "azurerm_network_interface" "vm_workload_nic" { + + applied_dns_servers = (known after apply) + + dns_servers = (known after apply) + + enable_accelerated_networking = false + + enable_ip_forwarding = false + + id = (known after apply) + + internal_dns_name_label = (known after apply) + + internal_domain_name_suffix = (known after apply) + + location = "eastus" + + mac_address = (known after apply) + + name = "nic-workload" + + private_ip_address = (known after apply) + + private_ip_addresses = (known after apply) + + resource_group_name = "rg-azfw-securehub-eus" + + virtual_machine_id = (known after apply) + + + ip_configuration { + + 
gateway_load_balancer_frontend_ip_configuration_id = (known after apply) + + name = "ipconfig-workload" + + primary = (known after apply) + + private_ip_address = (known after apply) + + private_ip_address_allocation = "Dynamic" + + private_ip_address_version = "IPv4" + + subnet_id = (known after apply) + } + } + + # azurerm_network_interface_security_group_association.vm_jump_nsg_association will be created + + resource "azurerm_network_interface_security_group_association" "vm_jump_nsg_association" { + + id = (known after apply) + + network_interface_id = (known after apply) + + network_security_group_id = (known after apply) + } + + # azurerm_network_interface_security_group_association.vm_workload_nsg_association will be created + + resource "azurerm_network_interface_security_group_association" "vm_workload_nsg_association" { + + id = (known after apply) + + network_interface_id = (known after apply) + + network_security_group_id = (known after apply) + } + + # azurerm_network_security_group.vm_jump_nsg will be created + + resource "azurerm_network_security_group" "vm_jump_nsg" { + + id = (known after apply) + + location = "eastus" + + name = "nsg-jump" + + resource_group_name = "rg-azfw-securehub-eus" + + security_rule = [ + + { + + access = "Allow" + + description = "" + + destination_address_prefix = "*" + + destination_address_prefixes = [] + + destination_application_security_group_ids = [] + + destination_port_range = "3389" + + destination_port_ranges = [] + + direction = "Inbound" + + name = "Allow-RDP" + + priority = 300 + + protocol = "Tcp" + + source_address_prefix = "*" + + source_address_prefixes = [] + + source_application_security_group_ids = [] + + source_port_range = "*" + + source_port_ranges = [] + }, + ] + } + + # azurerm_network_security_group.vm_workload_nsg will be created + + resource "azurerm_network_security_group" "vm_workload_nsg" { + + id = (known after apply) + + location = "eastus" + + name = "nsg-workload" + + 
resource_group_name = "rg-azfw-securehub-eus" + + security_rule = (known after apply) + } + + # azurerm_public_ip.pip_azfw will be created + + resource "azurerm_public_ip" "pip_azfw" { + + allocation_method = "Static" + + ddos_protection_mode = "VirtualNetworkInherited" + + fqdn = (known after apply) + + id = (known after apply) + + idle_timeout_in_minutes = 4 + + ip_address = (known after apply) + + ip_version = "IPv4" + + location = "eastus" + + name = "pip-azfw-securehub-eus" + + resource_group_name = "rg-azfw-securehub-eus" + + sku = "Standard" + + sku_tier = "Regional" + + tags = { + + "costcenter" = "1234556677" + + "environment" = "dev" + + "owner" = "cloud team" + + "workload" = "azure firewall" + } + } + + # azurerm_public_ip.vm_jump_pip will be created + + resource "azurerm_public_ip" "vm_jump_pip" { + + allocation_method = "Static" + + ddos_protection_mode = "VirtualNetworkInherited" + + fqdn = (known after apply) + + id = (known after apply) + + idle_timeout_in_minutes = 4 + + ip_address = (known after apply) + + ip_version = "IPv4" + + location = "eastus" + + name = "pip-jump" + + resource_group_name = "rg-azfw-securehub-eus" + + sku = "Standard" + + sku_tier = "Regional" + + tags = { + + "costcenter" = "1234556677" + + "environment" = "dev" + + "owner" = "cloud team" + + "workload" = "azure firewall" + } + } + + # azurerm_resource_group.azfw_rg will be created + + resource "azurerm_resource_group" "azfw_rg" { + + id = (known after apply) + + location = "eastus" + + name = "rg-azfw-securehub-eus" + + tags = { + + "costcenter" = "1234556677" + + "environment" = "dev" + + "owner" = "cloud team" + + "workload" = "azure firewall" + } + } + + # azurerm_route_table.rt will be created + + resource "azurerm_route_table" "rt" { + + disable_bgp_route_propagation = false + + id = (known after apply) + + location = "eastus" + + name = "rt-azfw-securehub-eus" + + resource_group_name = "rg-azfw-securehub-eus" + + route = [ + + { + + address_prefix = "0.0.0.0/0" + + 
name = "jump-to-internet" + + next_hop_in_ip_address = "" + + next_hop_type = "Internet" + }, + ] + + subnets = (known after apply) + } + + # azurerm_subnet.jump_subnet will be created + + resource "azurerm_subnet" "jump_subnet" { + + address_prefixes = [ + + "10.10.2.0/24", + ] + + enforce_private_link_endpoint_network_policies = (known after apply) + + enforce_private_link_service_network_policies = (known after apply) + + id = (known after apply) + + name = "subnet-jump" + + private_endpoint_network_policies_enabled = (known after apply) + + private_link_service_network_policies_enabled = (known after apply) + + resource_group_name = "rg-azfw-securehub-eus" + + virtual_network_name = "vnet-azfw-securehub-eus" + } + + # azurerm_subnet.workload_subnet will be created + + resource "azurerm_subnet" "workload_subnet" { + + address_prefixes = [ + + "10.10.1.0/24", + ] + + enforce_private_link_endpoint_network_policies = (known after apply) + + enforce_private_link_service_network_policies = (known after apply) + + id = (known after apply) + + name = "subnet-workload" + + private_endpoint_network_policies_enabled = (known after apply) + + private_link_service_network_policies_enabled = (known after apply) + + resource_group_name = "rg-azfw-securehub-eus" + + virtual_network_name = "vnet-azfw-securehub-eus" + } + + # azurerm_subnet_route_table_association.jump_subnet_rt_association will be created + + resource "azurerm_subnet_route_table_association" "jump_subnet_rt_association" { + + id = (known after apply) + + route_table_id = (known after apply) + + subnet_id = (known after apply) + } + + # azurerm_virtual_hub.azfw_vwan_hub will be created + + resource "azurerm_virtual_hub" "azfw_vwan_hub" { + + address_prefix = "10.20.0.0/23" + + default_route_table_id = (known after apply) + + hub_routing_preference = "ExpressRoute" + + id = (known after apply) + + location = "eastus" + + name = "hub-azfw-securehub-eus" + + resource_group_name = "rg-azfw-securehub-eus" + + tags = 
{ + + "costcenter" = "1234556677" + + "environment" = "dev" + + "owner" = "cloud team" + + "workload" = "azure firewall" + } + + virtual_router_asn = (known after apply) + + virtual_router_auto_scale_min_capacity = 2 + + virtual_router_ips = (known after apply) + + virtual_wan_id = (known after apply) + } + + # azurerm_virtual_hub_connection.azfw_vwan_hub_connection will be created + + resource "azurerm_virtual_hub_connection" "azfw_vwan_hub_connection" { + + id = (known after apply) + + internet_security_enabled = true + + name = "hub-to-spoke" + + remote_virtual_network_id = (known after apply) + + virtual_hub_id = (known after apply) + + + routing { + + associated_route_table_id = (known after apply) + + + propagated_route_table { + + labels = [ + + "VNet", + ] + + route_table_ids = (known after apply) + } + } + } + + # azurerm_virtual_hub_route_table.vhub_rt will be created + + resource "azurerm_virtual_hub_route_table" "vhub_rt" { + + id = (known after apply) + + labels = [ + + "VNet", + ] + + name = "vhub-rt-azfw-securehub-eus" + + virtual_hub_id = (known after apply) + + + route { + + destinations = [ + + "0.0.0.0/0", + ] + + destinations_type = "CIDR" + + name = "InternetToFirewall" + + next_hop = (known after apply) + + next_hop_type = "ResourceId" + } + + route { + + destinations = [ + + "10.10.1.0/24", + ] + + destinations_type = "CIDR" + + name = "workload-SNToFirewall" + + next_hop = (known after apply) + + next_hop_type = "ResourceId" + } + } + + # azurerm_virtual_network.azfw_vnet will be created + + resource "azurerm_virtual_network" "azfw_vnet" { + + address_space = [ + + "10.10.0.0/16", + ] + + dns_servers = (known after apply) + + guid = (known after apply) + + id = (known after apply) + + location = "eastus" + + name = "vnet-azfw-securehub-eus" + + resource_group_name = "rg-azfw-securehub-eus" + + subnet = (known after apply) + + tags = { + + "costcenter" = "1234556677" + + "environment" = "dev" + + "owner" = "cloud team" + + "workload" = "azure 
firewall" + } + } + + # azurerm_virtual_wan.azfw_vwan will be created + + resource "azurerm_virtual_wan" "azfw_vwan" { + + allow_branch_to_branch_traffic = true + + disable_vpn_encryption = false + + id = (known after apply) + + location = "eastus" + + name = "vwan-azfw-securehub-eus" + + office365_local_breakout_category = "None" + + resource_group_name = "rg-azfw-securehub-eus" + + tags = { + + "costcenter" = "1234556677" + + "environment" = "dev" + + "owner" = "cloud team" + + "workload" = "azure firewall" + } + + type = "Standard" + } + + # azurerm_windows_virtual_machine.vm_jump will be created + + resource "azurerm_windows_virtual_machine" "vm_jump" { + + admin_password = (sensitive value) + + admin_username = "azureuser" + + allow_extension_operations = true + + bypass_platform_safety_checks_on_user_schedule_enabled = false + + computer_name = (known after apply) + + enable_automatic_updates = true + + extensions_time_budget = "PT1H30M" + + hotpatching_enabled = false + + id = (known after apply) + + location = "eastus" + + max_bid_price = -1 + + name = "jump-vm" + + network_interface_ids = (known after apply) + + patch_assessment_mode = "ImageDefault" + + patch_mode = "AutomaticByOS" + + platform_fault_domain = -1 + + priority = "Regular" + + private_ip_address = (known after apply) + + private_ip_addresses = (known after apply) + + provision_vm_agent = true + + public_ip_address = (known after apply) + + public_ip_addresses = (known after apply) + + resource_group_name = "rg-azfw-securehub-eus" + + size = "Standard_D2_v3" + + virtual_machine_id = (known after apply) + + + os_disk { + + caching = "ReadWrite" + + disk_size_gb = (known after apply) + + name = (known after apply) + + storage_account_type = "Standard_LRS" + + write_accelerator_enabled = false + } + + + source_image_reference { + + offer = "WindowsServer" + + publisher = "MicrosoftWindowsServer" + + sku = "2019-Datacenter" + + version = "latest" + } + } + + # 
azurerm_windows_virtual_machine.vm_workload will be created + + resource "azurerm_windows_virtual_machine" "vm_workload" { + + admin_password = (sensitive value) + + admin_username = "azureuser" + + allow_extension_operations = true + + bypass_platform_safety_checks_on_user_schedule_enabled = false + + computer_name = (known after apply) + + enable_automatic_updates = true + + extensions_time_budget = "PT1H30M" + + hotpatching_enabled = false + + id = (known after apply) + + location = "eastus" + + max_bid_price = -1 + + name = "workload-vm" + + network_interface_ids = (known after apply) + + patch_assessment_mode = "ImageDefault" + + patch_mode = "AutomaticByOS" + + platform_fault_domain = -1 + + priority = "Regular" + + private_ip_address = (known after apply) + + private_ip_addresses = (known after apply) + + provision_vm_agent = true + + public_ip_address = (known after apply) + + public_ip_addresses = (known after apply) + + resource_group_name = "rg-azfw-securehub-eus" + + size = "Standard_D2_v3" + + virtual_machine_id = (known after apply) + + + os_disk { + + caching = "ReadWrite" + + disk_size_gb = (known after apply) + + name = (known after apply) + + storage_account_type = "Standard_LRS" + + write_accelerator_enabled = false + } + + + source_image_reference { + + offer = "WindowsServer" + + publisher = "MicrosoftWindowsServer" + + sku = "2019-Datacenter" + + version = "latest" + } + } + +Plan: 23 to add, 0 to change, 0 to destroy. +`````` \ No newline at end of file diff --git a/quickstart/201-azfw-with-secure-hub/main.tf b/quickstart/201-azfw-with-secure-hub/main.tf new file mode 100644 index 000000000..46c99695c --- /dev/null +++ b/quickstart/201-azfw-with-secure-hub/main.tf 
@@ -0,0 +1,370 @@
+
+// Create a Resource Group
+resource "azurerm_resource_group" "azfw_rg" {
+ name = "rg-azfw-securehub-eus"
+ location = var.location
+ tags = var.tags
+}
+
+// Create resources for Azure Virtual WAN
+// Create a Azure Vwan
+resource "azurerm_virtual_wan" "azfw_vwan" {
+ name = "vwan-azfw-securehub-eus"
+ location = azurerm_resource_group.azfw_rg.location
+ resource_group_name = azurerm_resource_group.azfw_rg.name
+ tags = azurerm_resource_group.azfw_rg.tags
+ allow_branch_to_branch_traffic = true
+ disable_vpn_encryption = false
+ depends_on = [
+ azurerm_resource_group.azfw_rg
+ ]
+}
+
+// Create a Azure Vwan Hub
+resource "azurerm_virtual_hub" "azfw_vwan_hub" {
+ name = "hub-azfw-securehub-eus"
+ location = azurerm_resource_group.azfw_rg.location
+ resource_group_name = azurerm_resource_group.azfw_rg.name
+ virtual_wan_id = azurerm_virtual_wan.azfw_vwan.id
+ address_prefix = "10.20.0.0/23"
+ tags = azurerm_resource_group.azfw_rg.tags
+ depends_on = [
+ azurerm_virtual_wan.azfw_vwan
+ ]
+}
+
+// Create a Azure VWan Hub Connection
+resource "azurerm_virtual_hub_connection" "azfw_vwan_hub_connection" {
+ name = "hub-to-spoke"
+ virtual_hub_id = azurerm_virtual_hub.azfw_vwan_hub.id
+ remote_virtual_network_id = azurerm_virtual_network.azfw_vnet.id
+ internet_security_enabled = true
+ routing {
+ associated_route_table_id = azurerm_virtual_hub_route_table.vhub_rt.id
+ propagated_route_table {
+ route_table_ids = [azurerm_virtual_hub_route_table.vhub_rt.id]
+ labels = ["VNet"]
+ }
+ }
+ depends_on = [
+ azurerm_virtual_hub.azfw_vwan_hub,
+ azurerm_virtual_network.azfw_vnet
+ ]
+}
+
+// Create resources for Azure Firewall
+// Create a Public IP Address for Azure Firewall
+resource "azurerm_public_ip" "pip_azfw" {
+ name = "pip-azfw-securehub-eus"
+ location = azurerm_resource_group.azfw_rg.location
+ resource_group_name = azurerm_resource_group.azfw_rg.name
+ allocation_method = "Static"
+ sku = "Standard"
+ tags = 
azurerm_resource_group.azfw_rg.tags
+ depends_on = [
+ azurerm_resource_group.azfw_rg
+ ]
+}
+
+// Create a Azure Firewall Policy
+resource "azurerm_firewall_policy" "azfw_policy" {
+ name = "policy-azfw-securehub-eus"
+ resource_group_name = azurerm_resource_group.azfw_rg.name
+ location = azurerm_resource_group.azfw_rg.location
+ sku = "Premium"
+ threat_intelligence_mode = "Alert"
+ tags = azurerm_resource_group.azfw_rg.tags
+ depends_on = [
+ azurerm_resource_group.azfw_rg
+ ]
+}
+
+// Create a Azure Firewall Policy Rule Collection Group
+// Create a Application Rule Collection
+// Create rules for Windows Update
+// Create rules for Microsoft.com
+resource "azurerm_firewall_policy_rule_collection_group" "app_policy_rule_collection_group" {
+ name = "DefaulApplicationtRuleCollectionGroup"
+ firewall_policy_id = azurerm_firewall_policy.azfw_policy.id
+ priority = 300
+ application_rule_collection {
+ name = "DefaultApplicationRuleCollection"
+ action = "Allow"
+ priority = 100
+ rule {
+ name = "Allow-MSFT"
+ description = "Allow access to Microsoft.com"
+ protocols {
+ type = "Https"
+ port = 443
+ }
+ protocols {
+ type = "Http"
+ port = 80
+ }
+ destination_fqdns = ["*.microsoft.com"]
+ terminate_tls = false
+ source_addresses = ["*"]
+ }
+ }
+ depends_on = [
+ azurerm_firewall_policy.azfw_policy
+ ]
+}
+
+// Create the Azure Firewall
+resource "azurerm_firewall" "fw" {
+ name = "fw-azfw-securehub-eus"
+ location = azurerm_resource_group.azfw_rg.location
+ resource_group_name = azurerm_resource_group.azfw_rg.name
+ sku_name = "AZFW_Hub"
+ sku_tier = var.fw_sku
+ tags = azurerm_resource_group.azfw_rg.tags
+ virtual_hub {
+ virtual_hub_id = azurerm_virtual_hub.azfw_vwan_hub.id
+ public_ip_count = 1
+ }
+ firewall_policy_id = azurerm_firewall_policy.azfw_policy.id
+ depends_on = [
+ azurerm_firewall_policy.azfw_policy,
+ azurerm_virtual_hub.azfw_vwan_hub
+ ]
+}
+
+// Create Virtual Network, Subnets, PIP, NICs, NSGs, and NIC-NSG associations
+// Create a Virtual 
Network
+resource "azurerm_virtual_network" "azfw_vnet" {
+ name = "vnet-azfw-securehub-eus"
+ location = azurerm_resource_group.azfw_rg.location
+ resource_group_name = azurerm_resource_group.azfw_rg.name
+ address_space = ["10.10.0.0/16"]
+ tags = azurerm_resource_group.azfw_rg.tags
+ depends_on = [
+ azurerm_resource_group.azfw_rg
+ ]
+}
+
+// Create a Subnet for Workload VMs
+resource "azurerm_subnet" "workload_subnet" {
+ name = "subnet-workload"
+ resource_group_name = azurerm_resource_group.azfw_rg.name
+ virtual_network_name = azurerm_virtual_network.azfw_vnet.name
+ address_prefixes = ["10.10.1.0/24"]
+ depends_on = [
+ azurerm_virtual_network.azfw_vnet
+ ]
+}
+
+// Create a Subnet for Jump VM
+resource "azurerm_subnet" "jump_subnet" {
+ name = "subnet-jump"
+ resource_group_name = azurerm_resource_group.azfw_rg.name
+ virtual_network_name = azurerm_virtual_network.azfw_vnet.name
+ address_prefixes = ["10.10.2.0/24"]
+
+ depends_on = [
+ azurerm_virtual_network.azfw_vnet,
+ azurerm_route_table.rt
+ ]
+}
+
+// Create a NIC for Workload VM
+resource "azurerm_network_interface" "vm_workload_nic" {
+ name = "nic-workload"
+ location = azurerm_resource_group.azfw_rg.location
+ resource_group_name = azurerm_resource_group.azfw_rg.name
+
+ ip_configuration {
+ name = "ipconfig-workload"
+ subnet_id = azurerm_subnet.workload_subnet.id
+ private_ip_address_allocation = "Dynamic"
+ }
+ depends_on = [
+ azurerm_subnet.workload_subnet
+ ]
+}
+
+// Create a PIP for Jump VM
+resource "azurerm_public_ip" "vm_jump_pip" {
+ name = "pip-jump"
+ location = azurerm_resource_group.azfw_rg.location
+ resource_group_name = azurerm_resource_group.azfw_rg.name
+ allocation_method = "Static"
+ sku = "Standard"
+ tags = azurerm_resource_group.azfw_rg.tags
+ depends_on = [
+ azurerm_resource_group.azfw_rg
+ ]
+}
+
+// Create a NIC for Jump VM
+resource "azurerm_network_interface" "vm_jump_nic" {
+ name = "nic-jump"
+ location = azurerm_resource_group.azfw_rg.location
+ 
resource_group_name = azurerm_resource_group.azfw_rg.name
+
+ ip_configuration {
+ name = "ipconfig-jump"
+ subnet_id = azurerm_subnet.jump_subnet.id
+ private_ip_address_allocation = "Dynamic"
+ public_ip_address_id = azurerm_public_ip.vm_jump_pip.id
+ }
+ depends_on = [
+ azurerm_subnet.jump_subnet,
+ azurerm_public_ip.vm_jump_pip
+ ]
+}
+
+// Create a NSG for Workload VM
+resource "azurerm_network_security_group" "vm_workload_nsg" {
+ name = "nsg-workload"
+ location = azurerm_resource_group.azfw_rg.location
+ resource_group_name = azurerm_resource_group.azfw_rg.name
+ depends_on = [
+ azurerm_resource_group.azfw_rg
+ ]
+}
+
+// Create a NSG for Jump VM
+resource "azurerm_network_security_group" "vm_jump_nsg" {
+ name = "nsg-jump"
+ location = azurerm_resource_group.azfw_rg.location
+ resource_group_name = azurerm_resource_group.azfw_rg.name
+ security_rule {
+ name = "Allow-RDP"
+ priority = 300
+ direction = "Inbound"
+ access = "Allow"
+ protocol = "Tcp"
+ source_port_range = "*"
+ destination_port_range = "3389"
+ source_address_prefix = "*"
+ destination_address_prefix = "*"
+ }
+
+ depends_on = [
+ azurerm_resource_group.azfw_rg
+ ]
+}
+
+// Associate NSG for Workload VM NIC
+resource "azurerm_network_interface_security_group_association" "vm_workload_nsg_association" {
+ network_interface_id = azurerm_network_interface.vm_workload_nic.id
+ network_security_group_id = azurerm_network_security_group.vm_workload_nsg.id
+ depends_on = [
+ azurerm_network_interface.vm_workload_nic,
+ azurerm_network_security_group.vm_workload_nsg
+ ]
+}
+
+// Associate NSG for Jump VM NIC
+resource "azurerm_network_interface_security_group_association" "vm_jump_nsg_association" {
+ network_interface_id = azurerm_network_interface.vm_jump_nic.id
+ network_security_group_id = azurerm_network_security_group.vm_jump_nsg.id
+ depends_on = [
+ azurerm_network_interface.vm_jump_nic,
+ azurerm_network_security_group.vm_jump_nsg
+ ]
+}
+
+// Create Virtual Machines for testing
+// 
Create a Workload Virtual Machine
+resource "azurerm_windows_virtual_machine" "vm_workload" {
+ name = "workload-vm"
+ resource_group_name = azurerm_resource_group.azfw_rg.name
+ location = azurerm_resource_group.azfw_rg.location
+ size = var.vm_size
+ admin_username = var.admin_username
+ admin_password = var.admin_password
+ network_interface_ids = [azurerm_network_interface.vm_workload_nic.id]
+ os_disk {
+ caching = "ReadWrite"
+ storage_account_type = "Standard_LRS"
+ }
+ source_image_reference {
+ publisher = "MicrosoftWindowsServer"
+ offer = "WindowsServer"
+ sku = "2019-Datacenter"
+ version = "latest"
+ }
+ depends_on = [
+ azurerm_network_interface.vm_workload_nic
+ ]
+}
+
+// Create a Jump Virtual Machine
+resource "azurerm_windows_virtual_machine" "vm_jump" {
+ name = "jump-vm"
+ resource_group_name = azurerm_resource_group.azfw_rg.name
+ location = azurerm_resource_group.azfw_rg.location
+ size = var.vm_size
+ admin_username = var.admin_username
+ admin_password = var.admin_password
+ network_interface_ids = [azurerm_network_interface.vm_jump_nic.id]
+ os_disk {
+ caching = "ReadWrite"
+ storage_account_type = "Standard_LRS"
+ }
+ source_image_reference {
+ publisher = "MicrosoftWindowsServer"
+ offer = "WindowsServer"
+ sku = "2019-Datacenter"
+ version = "latest"
+ }
+ depends_on = [
+ azurerm_network_interface.vm_jump_nic
+ ]
+}
+
+// Create Routing for testing
+// Create a Route Table
+resource "azurerm_route_table" "rt" {
+ name = "rt-azfw-securehub-eus"
+ location = azurerm_resource_group.azfw_rg.location
+ resource_group_name = azurerm_resource_group.azfw_rg.name
+ disable_bgp_route_propagation = false
+ route {
+ name = "jump-to-internet"
+ address_prefix = "0.0.0.0/0"
+ next_hop_type = "Internet"
+ }
+ depends_on = [
+ azurerm_resource_group.azfw_rg
+ ]
+}
+
+// Associate Route Table to Jump VM Subnet
+resource "azurerm_subnet_route_table_association" "jump_subnet_rt_association" {
+ subnet_id = azurerm_subnet.jump_subnet.id
+ route_table_id 
= azurerm_route_table.rt.id
+ depends_on = [
+ azurerm_subnet.jump_subnet,
+ azurerm_route_table.rt
+ ]
+}
+
+// Creat a Virtual Hub Route Table
+resource "azurerm_virtual_hub_route_table" "vhub_rt" {
+ name = "vhub-rt-azfw-securehub-eus"
+ virtual_hub_id = azurerm_virtual_hub.azfw_vwan_hub.id
+ route {
+ name = "workload-SNToFirewall"
+ destinations_type = "CIDR"
+ destinations = ["10.10.1.0/24"]
+ next_hop_type = "ResourceId"
+ next_hop = azurerm_firewall.fw.id
+ }
+ route {
+ name = "InternetToFirewall"
+ destinations_type = "CIDR"
+ destinations = ["0.0.0.0/0"]
+ next_hop_type = "ResourceId"
+ next_hop = azurerm_firewall.fw.id
+ }
+ labels = ["VNet"]
+ depends_on = [
+ azurerm_virtual_hub.azfw_vwan_hub,
+ azurerm_firewall.fw
+ ]
+}
+
diff --git a/quickstart/201-azfw-with-secure-hub/outputs.tf b/quickstart/201-azfw-with-secure-hub/outputs.tf
new file mode 100644
index 000000000..67ad7df31
--- /dev/null
+++ b/quickstart/201-azfw-with-secure-hub/outputs.tf
@@ -0,0 +1,3 @@
+output "rg_name" {
+ value = azurerm_resource_group.azfw_rg.name
+}
\ No newline at end of file
diff --git a/quickstart/201-azfw-with-secure-hub/provider.tf b/quickstart/201-azfw-with-secure-hub/provider.tf
new file mode 100644
index 000000000..76b5065bc
--- /dev/null
+++ b/quickstart/201-azfw-with-secure-hub/provider.tf
@@ -0,0 +1,16 @@
+terraform {
+ required_providers {
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = "3.69.0"
+ }
+ }
+}
+
+provider "azurerm" {
+ features {
+ resource_group {
+ prevent_deletion_if_contains_resources = false // Set to True for Production
+ }
+ }
+}
diff --git a/quickstart/201-azfw-with-secure-hub/variables.tf b/quickstart/201-azfw-with-secure-hub/variables.tf
new file mode 100644
index 000000000..fd29a8593
--- /dev/null
+++ b/quickstart/201-azfw-with-secure-hub/variables.tf
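Review bot: The `Allow-RDP` rule on `vm_jump_nsg` admits TCP 3389 inbound with `source_address_prefix = "*"`, and `vm_jump_nic` attaches the static public IP `vm_jump_pip` while the jump subnet's route table sends `0.0.0.0/0` to `Internet`, so the jump host's RDP port is reachable from every Internet address and its traffic bypasses the firewall this template is meant to showcase. Narrow the source to the operator's address, e.g. `source_address_prefix = var.allowed_rdp_source_cidr` with a new variable that has no default, or drop the public IP and document Azure Bastion as the way in. `azurerm_firewall_policy.azfw_policy` hard-codes `sku = "Premium"` while `azurerm_firewall.fw` uses `sku_tier = var.fw_sku`, so selecting `Standard` (which variables.tf says is valid) produces a policy/firewall tier mismatch that is likely to be rejected at apply; use `sku = var.fw_sku` for the policy as the 101 template does. The comments above `app_policy_rule_collection_group` still mention a Windows Update rule this file does not define, and the application rule's `source_addresses = ["*"]` could be tightened to `["10.10.1.0/24"]` to match the `workload-SNToFirewall` route in `vhub_rt`. Most `depends_on` lists restate dependencies Terraform already infers from attribute references and can be dropped; the one exception, `jump_subnet` → `azurerm_route_table.rt`, has no reference behind it and deserves a comment saying why it is needed.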
@@ -0,0 +1,30 @@
+// Create Variables for Location and Tags
+variable "location" {
+ default = "eastus"
+}
+variable "tags" {
+ default = {
+ environment = "dev"
+ costcenter = "1234556677"
+ owner = "cloud team"
+ workload = "azure firewall"
+ }
+}
+
+// Create Firewall Variables
+variable "fw_sku" {
+ default = "Premium" # Valid values are Standard and Premium
+}
+
+// Create Virtual Machine Sku Size Variables
+variable "vm_size" {
+ default = "Standard_D2_v3"
+}
+
+// Create Admin Username and Password
+variable "admin_username" {
+ default = "azureuser"
+}
+variable "admin_password" {
+ default = "P@ssw0rd1234!"
+}
From e46e9cec2c2feb063d5eb36deaf8c78d93de26b1 Mon Sep 17 00:00:00 2001
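Review bot: `admin_password` ships with a plaintext default (`"P@ssw0rd1234!"`) and is not marked `sensitive`, so a copy-paste deploy of this quickstart creates two Windows VMs — one with a public IP — using a password published in the repository, and Terraform will keep it unredacted in state and in any `terraform.tfvars` a user derives from this file. Remove the default and declare the variable as `type = string` with `sensitive = true`, so the operator has to supply it (via `TF_VAR_admin_password` or a tfvars file kept out of version control); the `(sensitive value)` line in the README's plan output suggests the provider already masks it in plan, but the committed value is the real exposure. `fw_sku` documents its valid values only in a trailing comment; a `validation` block with `condition = contains(["Standard", "Premium"], var.fw_sku)` would enforce them at plan time. A one-line `description` on each variable would also let the README's variables table be derived from the code instead of maintained by hand.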
From: Charles Shea Date: Tue, 22 Aug 2023 19:21:06 -0400 Subject: [PATCH 02/11] removing files from this branch --- quickstart/101-azfw-with-fwpolicy/README.md | 230 -------- quickstart/101-azfw-with-fwpolicy/main.tf | 153 ----- quickstart/101-azfw-with-fwpolicy/outputs.tf | 3 - quickstart/101-azfw-with-fwpolicy/provider.tf | 16 - .../101-azfw-with-fwpolicy/variables.tf | 18 - quickstart/201-azfw-with-secure-hub/README.md | 543 ------------------ quickstart/201-azfw-with-secure-hub/main.tf | 370 ------------ .../201-azfw-with-secure-hub/outputs.tf | 3 - .../201-azfw-with-secure-hub/provider.tf | 16 - .../201-azfw-with-secure-hub/variables.tf | 30 - 10 files changed, 1382 deletions(-) delete mode 100644 quickstart/101-azfw-with-fwpolicy/README.md delete mode 100644 quickstart/101-azfw-with-fwpolicy/main.tf delete mode 100644 quickstart/101-azfw-with-fwpolicy/outputs.tf delete mode 100644 quickstart/101-azfw-with-fwpolicy/provider.tf delete mode 100644 quickstart/101-azfw-with-fwpolicy/variables.tf delete mode 100644 quickstart/201-azfw-with-secure-hub/README.md delete mode 100644 quickstart/201-azfw-with-secure-hub/main.tf delete mode 100644 quickstart/201-azfw-with-secure-hub/outputs.tf delete mode 100644 quickstart/201-azfw-with-secure-hub/provider.tf delete mode 100644 quickstart/201-azfw-with-secure-hub/variables.tf diff --git a/quickstart/101-azfw-with-fwpolicy/README.md b/quickstart/101-azfw-with-fwpolicy/README.md deleted file mode 100644 index 5fb781393..000000000 --- a/quickstart/101-azfw-with-fwpolicy/README.md +++ /dev/null 
@@ -1,230 +0,0 @@ -# Deploy Azure Firewall and a Firewall Policy - -This template deploys an Azure Firewall and a Firewall Policy. The Firewall Policy is associated to the Firewall. - -## Resources - -| Terraform Resource Type | Description | -| - | - | -| `azurerm_resource_group` | The resource group all the deployed resources.| -| `azurerm_virtual_network` | The virtual network for the firewall. | -| `azurerm_subnet` |The firewall subnet.| -| `azurerm_public_ip` | The firewall public IP address. | -| `azurerm_firewall` | The premium Azure Firewall. | -| `azurerm_firewall_policy` | The policy associated to the Firewall | -| `azurerm_firewall_policy_rule_collection_group` | the rules collection group for firewall policy | -| `azurerm_ip_group` | The IP group for source addresses. | - -## Variables - -| Name | Description | -|-|-| -| `location` | location for your resources | -| `tags` | tags to organize your resources | -| `fw_sku` | Sku size for your Firewall and Firewall Policy | - -## Example - -```powershell -terraform plan -out main.tfplan - - # azurerm_firewall.fw will be created - + resource "azurerm_firewall" "fw" { - + firewall_policy_id = (known after apply) - + id = (known after apply) - + location = "eastus" - + name = "azfw" - + resource_group_name = "azfw-rg" - + sku_name = "AZFW_VNet" - + sku_tier = "Premium" - + threat_intel_mode = (known after apply) - - + ip_configuration { - + name = "azfw-ipconfig" - + private_ip_address = (known after apply) - + public_ip_address_id = (known after apply) - + subnet_id = (known after apply) - } - } - - # azurerm_firewall_policy.azfw_policy will be created - + resource "azurerm_firewall_policy" "azfw_policy" { - + child_policies = (known after apply) - + firewalls = (known after apply) - + id = (known after apply) - + location = "eastus" - + name = "azfw-policy" - + resource_group_name = "azfw-rg" - + rule_collection_groups = (known after apply) - + sku = "Premium" - + threat_intelligence_mode = "Alert" - } - - # 
azurerm_firewall_policy_rule_collection_group.app_policy_rule_collection_group will be created - + resource "azurerm_firewall_policy_rule_collection_group" "app_policy_rule_collection_group" { - + firewall_policy_id = (known after apply) - + id = (known after apply) - + name = "DefaulApplicationtRuleCollectionGroup" - + priority = 300 - - + application_rule_collection { - + action = "Allow" - + name = "DefaultApplicationRuleCollection" - + priority = 500 - - + rule { - + description = "Allow Windows Update" - + destination_fqdn_tags = [ - + "WindowsUpdate", - ] - + name = "AllowWindowsUpdate" - + source_ip_groups = (known after apply) - - + protocols { - + port = 80 - + type = "Http" - } - + protocols { - + port = 443 - + type = "Https" - } - } - + rule { - + description = "Allow access to Microsoft.com" - + destination_fqdns = [ - + "*.microsoft.com", - ] - + name = "Global Rule" - + source_ip_groups = (known after apply) - + terminate_tls = false - - + protocols { - + port = 443 - + type = "Https" - } - } - } - } - - # azurerm_firewall_policy_rule_collection_group.net_policy_rule_collection_group will be created - + resource "azurerm_firewall_policy_rule_collection_group" "net_policy_rule_collection_group" { - + firewall_policy_id = (known after apply) - + id = (known after apply) - + name = "DefaultNetworkRuleCollectionGroup" - + priority = 200 - - + network_rule_collection { - + action = "Allow" - + name = "DefaultNetworkRuleCollection" - + priority = 200 - - + rule { - + destination_addresses = [ - + "132.86.101.172", - ] - + destination_ports = [ - + "123", - ] - + name = "time-windows" - + protocols = [ - + "UDP", - ] - + source_ip_groups = (known after apply) - } - } - } - - # azurerm_ip_group.infra_ip_group will be created - + resource "azurerm_ip_group" "infra_ip_group" { - + cidrs = [ - + "10.40.0.0/24", - + "10.50.0.0/24", - ] - + firewall_ids = (known after apply) - + firewall_policy_ids = (known after apply) - + id = (known after apply) - + location = 
"eastus" - + name = "infra-ip-group" - + resource_group_name = "azfw-rg" - } - - # azurerm_ip_group.workload_ip_group will be created - + resource "azurerm_ip_group" "workload_ip_group" { - + cidrs = [ - + "10.20.0.0/24", - + "10.30.0.0/24", - ] - + firewall_ids = (known after apply) - + firewall_policy_ids = (known after apply) - + id = (known after apply) - + location = "eastus" - + name = "workload-ip-group" - + resource_group_name = "azfw-rg" - } - - # azurerm_public_ip.pip_azfw will be created - + resource "azurerm_public_ip" "pip_azfw" { - + allocation_method = "Static" - + ddos_protection_mode = "VirtualNetworkInherited" - + fqdn = (known after apply) - + id = (known after apply) - + idle_timeout_in_minutes = 4 - + ip_address = (known after apply) - + ip_version = "IPv4" - + location = "eastus" - + name = "pip-azfw" - + resource_group_name = "azfw-rg" - + sku = "Standard" - + sku_tier = "Regional" - + tags = { - + "costcenter" = "1234556677" - + "environment" = "dev" - + "owner" = "cloud team" - + "workload" = "azure firewall" - } - } - - # azurerm_resource_group.azfw_rg will be created - + resource "azurerm_resource_group" "azfw_rg" { - + id = (known after apply) - + location = "eastus" - + name = "azfw-rg" - + tags = { - + "costcenter" = "1234556677" - + "environment" = "dev" - + "owner" = "cloud team" - + "workload" = "azure firewall" - } - } - - # azurerm_subnet.azfw_subnet will be created - + resource "azurerm_subnet" "azfw_subnet" { - + address_prefixes = [ - + "10.10.0.0/26", - ] - + enforce_private_link_endpoint_network_policies = (known after apply) - + enforce_private_link_service_network_policies = (known after apply) - + id = (known after apply) - + name = "AzureFirewallSubnet" - + private_endpoint_network_policies_enabled = (known after apply) - + private_link_service_network_policies_enabled = (known after apply) - + resource_group_name = "azfw-rg" - + virtual_network_name = "azfw-vnet" - } - - # azurerm_virtual_network.azfw_vnet will be 
created - + resource "azurerm_virtual_network" "azfw_vnet" { - + address_space = [ - + "10.10.0.0/24", - ] - + dns_servers = (known after apply) - + guid = (known after apply) - + id = (known after apply) - + location = "eastus" - + name = "azfw-vnet" - + resource_group_name = "azfw-rg" - + subnet = (known after apply) - } - -Plan: 10 to add, 0 to change, 0 to destroy. -`````` \ No newline at end of file diff --git a/quickstart/101-azfw-with-fwpolicy/main.tf b/quickstart/101-azfw-with-fwpolicy/main.tf deleted file mode 100644 index c39981331..000000000 --- a/quickstart/101-azfw-with-fwpolicy/main.tf +++ /dev/null 
@@ -1,153 +0,0 @@ - -// Create a Resource Group -resource "azurerm_resource_group" "azfw_rg" { - name = "azfw-rg" - location = var.location - tags = var.tags -} -// Create a Virtual Network -resource "azurerm_virtual_network" "azfw_vnet" { - name = "azfw-vnet" - location = azurerm_resource_group.azfw_rg.location - resource_group_name = azurerm_resource_group.azfw_rg.name - address_space = ["10.10.0.0/24"] - depends_on = [ - azurerm_resource_group.azfw_rg - ] -} - -// Create IP Groups -resource "azurerm_ip_group" "workload_ip_group" { - name = "workload-ip-group" - resource_group_name = azurerm_resource_group.azfw_rg.name - location = azurerm_resource_group.azfw_rg.location - cidrs = ["10.20.0.0/24", "10.30.0.0/24"] - depends_on = [ - azurerm_resource_group.azfw_rg, - azurerm_virtual_network.azfw_vnet - ] -} -resource "azurerm_ip_group" "infra_ip_group" { - name = "infra-ip-group" - resource_group_name = azurerm_resource_group.azfw_rg.name - location = azurerm_resource_group.azfw_rg.location - cidrs = ["10.40.0.0/24", "10.50.0.0/24"] - depends_on = [ - azurerm_resource_group.azfw_rg, - azurerm_virtual_network.azfw_vnet - ] -} - -// Create the Azure Firewall Subnet -resource "azurerm_subnet" "azfw_subnet" { - name = "AzureFirewallSubnet" - resource_group_name = azurerm_resource_group.azfw_rg.name - virtual_network_name = azurerm_virtual_network.azfw_vnet.name - address_prefixes = ["10.10.0.0/26"] - depends_on = [ - azurerm_resource_group.azfw_rg, - azurerm_virtual_network.azfw_vnet - ] -} - -// Create a Public IP Address for Azure Firewall -resource "azurerm_public_ip" "pip_azfw" { - name = "pip-azfw" - location = azurerm_resource_group.azfw_rg.location - resource_group_name = azurerm_resource_group.azfw_rg.name - allocation_method = "Static" - sku = "Standard" - tags = azurerm_resource_group.azfw_rg.tags - depends_on = [ - azurerm_resource_group.azfw_rg - ] -} - -// Create a Azure Firewall Policy -resource "azurerm_firewall_policy" "azfw_policy" { - name = 
"azfw-policy" - resource_group_name = azurerm_resource_group.azfw_rg.name - location = azurerm_resource_group.azfw_rg.location - sku = var.fw_sku - threat_intelligence_mode = "Alert" -} - -// Create a Network Rule Collection Group -// Create a Network Rule Collection -// Create rules for NTP -resource "azurerm_firewall_policy_rule_collection_group" "net_policy_rule_collection_group" { - name = "DefaultNetworkRuleCollectionGroup" - firewall_policy_id = azurerm_firewall_policy.azfw_policy.id - priority = 200 - network_rule_collection { - name = "DefaultNetworkRuleCollection" - action = "Allow" - priority = 200 - rule { - name = "time-windows" - protocols = ["UDP"] - source_ip_groups = [azurerm_ip_group.workload_ip_group.id, azurerm_ip_group.infra_ip_group.id] - destination_ports = ["123"] - destination_addresses = ["132.86.101.172"] - } - } -} - -// Create a Azure Firewall Policy Rule Collection Group -// Create a Application Rule Collection -// Create rules for Windows Update -// Create rules for Microsoft.com -resource "azurerm_firewall_policy_rule_collection_group" "app_policy_rule_collection_group" { - name = "DefaulApplicationtRuleCollectionGroup" - firewall_policy_id = azurerm_firewall_policy.azfw_policy.id - priority = 300 - application_rule_collection { - name = "DefaultApplicationRuleCollection" - action = "Allow" - priority = 500 - rule { - name = "AllowWindowsUpdate" - - description = "Allow Windows Update" - protocols { - type = "Http" - port = 80 - } - protocols { - type = "Https" - port = 443 - } - source_ip_groups = [azurerm_ip_group.workload_ip_group.id, azurerm_ip_group.infra_ip_group.id] - destination_fqdn_tags = ["WindowsUpdate"] - } - rule { - name = "Global Rule" - description = "Allow access to Microsoft.com" - protocols { - type = "Https" - port = 443 - } - destination_fqdns = ["*.microsoft.com"] - terminate_tls = false - source_ip_groups = [azurerm_ip_group.workload_ip_group.id, azurerm_ip_group.infra_ip_group.id] - } - } - depends_on = [ - 
azurerm_firewall_policy.azfw_policy - ] -} - -// Create the Azure Firewall -resource "azurerm_firewall" "fw" { - name = "azfw" - location = azurerm_resource_group.azfw_rg.location - resource_group_name = azurerm_resource_group.azfw_rg.name - sku_name = "AZFW_VNet" - sku_tier = var.fw_sku - ip_configuration { - name = "azfw-ipconfig" - subnet_id = azurerm_subnet.azfw_subnet.id - public_ip_address_id = azurerm_public_ip.pip_azfw.id - } - firewall_policy_id = azurerm_firewall_policy.azfw_policy.id -} \ No newline at end of file diff --git a/quickstart/101-azfw-with-fwpolicy/outputs.tf b/quickstart/101-azfw-with-fwpolicy/outputs.tf deleted file mode 100644 index 67ad7df31..000000000 --- a/quickstart/101-azfw-with-fwpolicy/outputs.tf +++ /dev/null @@ -1,3 +0,0 @@ -output "rg_name" { - value = azurerm_resource_group.azfw_rg.name -} \ No newline at end of file diff --git a/quickstart/101-azfw-with-fwpolicy/provider.tf b/quickstart/101-azfw-with-fwpolicy/provider.tf deleted file mode 100644 index 76b5065bc..000000000 --- a/quickstart/101-azfw-with-fwpolicy/provider.tf +++ /dev/null @@ -1,16 +0,0 @@ -terraform { - required_providers { - azurerm = { - source = "hashicorp/azurerm" - version = "3.69.0" - } - } -} - -provider "azurerm" { - features { - resource_group { - prevent_deletion_if_contains_resources = false // Set to True for Production - } - } -} diff --git a/quickstart/101-azfw-with-fwpolicy/variables.tf b/quickstart/101-azfw-with-fwpolicy/variables.tf deleted file mode 100644 index 2a925a383..000000000 --- a/quickstart/101-azfw-with-fwpolicy/variables.tf +++ /dev/null @@ -1,18 +0,0 @@ -// Create Variables for Location and Tags -variable "location" { - default = "eastus" -} -variable "tags" { - default = { - environment = "dev" - costcenter = "1234556677" - owner = "cloud team" - workload = "azure firewall" - } -} - -// Create Firewall Variables -variable "fw_sku" { - default = "Premium" # Valid values are Standard and Premium -} - 
diff --git a/quickstart/201-azfw-with-secure-hub/README.md b/quickstart/201-azfw-with-secure-hub/README.md deleted file mode 100644 index 2bdb52b85..000000000 --- a/quickstart/201-azfw-with-secure-hub/README.md +++ /dev/null 
@@ -1,543 +0,0 @@ -# Deploy Azure Firewall and a Firewall Policy - -This template deploys an Azure Firewall and a Firewall Policy to a Secure Hub. The Firewall Policy is associated with the Firewall policy. - -## Resources - -| Terraform Resource Type | Description | -| - | - | -| `azurerm_resource_group` | The resource group all the deployed resources.| -| `azurerm_virtual_wan` | The virtual wan for the virtual hub | -| `azurerm_virtual_hub` | The virtual hub for the firewall | -| `azurerm_virtual_hub_route_table` | The route table for the virtual hub | -| `azurerm_virtual_hub_connection` | The connection between the virtual hub and the virtual network spoke | -| `azurerm_public_ip` | The firewall public IP address and public access to the jump vm. | -| `azurerm_firewall_policy` | The policy associated to the Firewall | -| `azurerm_firewall_policy_rule_collection_group` | the rules collection group to add network and application rule collections for firewall policy | -| `azurerm_firewall` | The premium Azure Firewall. | -| `azurerm_virtual_network` | The virtual network for the firewall. | -| `azurerm_subnet` | The subnets for jump and workload vms. 
| -| `azurerm_network_interface` | The nics for the jump and workload vms | -| `azurerm_network_security_group` | The nsg for the jump and workload vms | -| `azurerm_network_interface_security_group_association` | The association between the nics and the nsgs | -| `azurerm_virtual_machine` | The jump and workload vms for testing | -| `azurerm_route_table` | The route table for the jump vms | -| `azurerm_subnet_route_table_association` | The association between the subnets and the route tables | -| `azurerm_virtual_hub_route_table` | The route table for the virtual hub | - -## Variables - -| Name | Description | -|-|-| -| `location` | location for your resources | -| `tags` | tags to organize your resources | -| `fw_sku` | Sku size for your Firewall and Firewall Policy | -| `vm_size` | Sku size for your jump and workload vms | -| `admin_username` | admin username for the jump and workload vms | -| `admin_password` | admin password for the jump and workload vms | - -## Example - -```powershell -Terraform used the selected providers to generate the following execution plan. 
Resource actions are indicated with the following symbols: - + create - -Terraform will perform the following actions: - - # azurerm_firewall.fw will be created - + resource "azurerm_firewall" "fw" { - + firewall_policy_id = (known after apply) - + id = (known after apply) - + location = "eastus" - + name = "fw-azfw-securehub-eus" - + resource_group_name = "rg-azfw-securehub-eus" - + sku_name = "AZFW_Hub" - + sku_tier = "Premium" - + tags = { - + "costcenter" = "1234556677" - + "environment" = "dev" - + "owner" = "cloud team" - + "workload" = "azure firewall" - } - + threat_intel_mode = (known after apply) - - + virtual_hub { - + private_ip_address = (known after apply) - + public_ip_addresses = (known after apply) - + public_ip_count = 1 - + virtual_hub_id = (known after apply) - } - } - - # azurerm_firewall_policy.azfw_policy will be created - + resource "azurerm_firewall_policy" "azfw_policy" { - + child_policies = (known after apply) - + firewalls = (known after apply) - + id = (known after apply) - + location = "eastus" - + name = "policy-azfw-securehub-eus" - + resource_group_name = "rg-azfw-securehub-eus" - + rule_collection_groups = (known after apply) - + sku = "Premium" - + tags = { - + "costcenter" = "1234556677" - + "environment" = "dev" - + "owner" = "cloud team" - + "workload" = "azure firewall" - } - + threat_intelligence_mode = "Alert" - } - - # azurerm_firewall_policy_rule_collection_group.app_policy_rule_collection_group will be created - + resource "azurerm_firewall_policy_rule_collection_group" "app_policy_rule_collection_group" { - + firewall_policy_id = (known after apply) - + id = (known after apply) - + name = "DefaulApplicationtRuleCollectionGroup" - + priority = 300 - - + application_rule_collection { - + action = "Allow" - + name = "DefaultApplicationRuleCollection" - + priority = 100 - - + rule { - + description = "Allow access to Microsoft.com" - + destination_fqdns = [ - + "*.microsoft.com", - ] - + name = "Allow-MSFT" - + 
source_addresses = [ - + "*", - ] - + terminate_tls = false - - + protocols { - + port = 443 - + type = "Https" - } - + protocols { - + port = 80 - + type = "Http" - } - } - } - } - - # azurerm_network_interface.vm_jump_nic will be created - + resource "azurerm_network_interface" "vm_jump_nic" { - + applied_dns_servers = (known after apply) - + dns_servers = (known after apply) - + enable_accelerated_networking = false - + enable_ip_forwarding = false - + id = (known after apply) - + internal_dns_name_label = (known after apply) - + internal_domain_name_suffix = (known after apply) - + location = "eastus" - + mac_address = (known after apply) - + name = "nic-jump" - + private_ip_address = (known after apply) - + private_ip_addresses = (known after apply) - + resource_group_name = "rg-azfw-securehub-eus" - + virtual_machine_id = (known after apply) - - + ip_configuration { - + gateway_load_balancer_frontend_ip_configuration_id = (known after apply) - + name = "ipconfig-jump" - + primary = (known after apply) - + private_ip_address = (known after apply) - + private_ip_address_allocation = "Dynamic" - + private_ip_address_version = "IPv4" - + public_ip_address_id = (known after apply) - + subnet_id = (known after apply) - } - } - - # azurerm_network_interface.vm_workload_nic will be created - + resource "azurerm_network_interface" "vm_workload_nic" { - + applied_dns_servers = (known after apply) - + dns_servers = (known after apply) - + enable_accelerated_networking = false - + enable_ip_forwarding = false - + id = (known after apply) - + internal_dns_name_label = (known after apply) - + internal_domain_name_suffix = (known after apply) - + location = "eastus" - + mac_address = (known after apply) - + name = "nic-workload" - + private_ip_address = (known after apply) - + private_ip_addresses = (known after apply) - + resource_group_name = "rg-azfw-securehub-eus" - + virtual_machine_id = (known after apply) - - + ip_configuration { - + 
gateway_load_balancer_frontend_ip_configuration_id = (known after apply) - + name = "ipconfig-workload" - + primary = (known after apply) - + private_ip_address = (known after apply) - + private_ip_address_allocation = "Dynamic" - + private_ip_address_version = "IPv4" - + subnet_id = (known after apply) - } - } - - # azurerm_network_interface_security_group_association.vm_jump_nsg_association will be created - + resource "azurerm_network_interface_security_group_association" "vm_jump_nsg_association" { - + id = (known after apply) - + network_interface_id = (known after apply) - + network_security_group_id = (known after apply) - } - - # azurerm_network_interface_security_group_association.vm_workload_nsg_association will be created - + resource "azurerm_network_interface_security_group_association" "vm_workload_nsg_association" { - + id = (known after apply) - + network_interface_id = (known after apply) - + network_security_group_id = (known after apply) - } - - # azurerm_network_security_group.vm_jump_nsg will be created - + resource "azurerm_network_security_group" "vm_jump_nsg" { - + id = (known after apply) - + location = "eastus" - + name = "nsg-jump" - + resource_group_name = "rg-azfw-securehub-eus" - + security_rule = [ - + { - + access = "Allow" - + description = "" - + destination_address_prefix = "*" - + destination_address_prefixes = [] - + destination_application_security_group_ids = [] - + destination_port_range = "3389" - + destination_port_ranges = [] - + direction = "Inbound" - + name = "Allow-RDP" - + priority = 300 - + protocol = "Tcp" - + source_address_prefix = "*" - + source_address_prefixes = [] - + source_application_security_group_ids = [] - + source_port_range = "*" - + source_port_ranges = [] - }, - ] - } - - # azurerm_network_security_group.vm_workload_nsg will be created - + resource "azurerm_network_security_group" "vm_workload_nsg" { - + id = (known after apply) - + location = "eastus" - + name = "nsg-workload" - + 
resource_group_name = "rg-azfw-securehub-eus" - + security_rule = (known after apply) - } - - # azurerm_public_ip.pip_azfw will be created - + resource "azurerm_public_ip" "pip_azfw" { - + allocation_method = "Static" - + ddos_protection_mode = "VirtualNetworkInherited" - + fqdn = (known after apply) - + id = (known after apply) - + idle_timeout_in_minutes = 4 - + ip_address = (known after apply) - + ip_version = "IPv4" - + location = "eastus" - + name = "pip-azfw-securehub-eus" - + resource_group_name = "rg-azfw-securehub-eus" - + sku = "Standard" - + sku_tier = "Regional" - + tags = { - + "costcenter" = "1234556677" - + "environment" = "dev" - + "owner" = "cloud team" - + "workload" = "azure firewall" - } - } - - # azurerm_public_ip.vm_jump_pip will be created - + resource "azurerm_public_ip" "vm_jump_pip" { - + allocation_method = "Static" - + ddos_protection_mode = "VirtualNetworkInherited" - + fqdn = (known after apply) - + id = (known after apply) - + idle_timeout_in_minutes = 4 - + ip_address = (known after apply) - + ip_version = "IPv4" - + location = "eastus" - + name = "pip-jump" - + resource_group_name = "rg-azfw-securehub-eus" - + sku = "Standard" - + sku_tier = "Regional" - + tags = { - + "costcenter" = "1234556677" - + "environment" = "dev" - + "owner" = "cloud team" - + "workload" = "azure firewall" - } - } - - # azurerm_resource_group.azfw_rg will be created - + resource "azurerm_resource_group" "azfw_rg" { - + id = (known after apply) - + location = "eastus" - + name = "rg-azfw-securehub-eus" - + tags = { - + "costcenter" = "1234556677" - + "environment" = "dev" - + "owner" = "cloud team" - + "workload" = "azure firewall" - } - } - - # azurerm_route_table.rt will be created - + resource "azurerm_route_table" "rt" { - + disable_bgp_route_propagation = false - + id = (known after apply) - + location = "eastus" - + name = "rt-azfw-securehub-eus" - + resource_group_name = "rg-azfw-securehub-eus" - + route = [ - + { - + address_prefix = "0.0.0.0/0" - + 
name = "jump-to-internet" - + next_hop_in_ip_address = "" - + next_hop_type = "Internet" - }, - ] - + subnets = (known after apply) - } - - # azurerm_subnet.jump_subnet will be created - + resource "azurerm_subnet" "jump_subnet" { - + address_prefixes = [ - + "10.10.2.0/24", - ] - + enforce_private_link_endpoint_network_policies = (known after apply) - + enforce_private_link_service_network_policies = (known after apply) - + id = (known after apply) - + name = "subnet-jump" - + private_endpoint_network_policies_enabled = (known after apply) - + private_link_service_network_policies_enabled = (known after apply) - + resource_group_name = "rg-azfw-securehub-eus" - + virtual_network_name = "vnet-azfw-securehub-eus" - } - - # azurerm_subnet.workload_subnet will be created - + resource "azurerm_subnet" "workload_subnet" { - + address_prefixes = [ - + "10.10.1.0/24", - ] - + enforce_private_link_endpoint_network_policies = (known after apply) - + enforce_private_link_service_network_policies = (known after apply) - + id = (known after apply) - + name = "subnet-workload" - + private_endpoint_network_policies_enabled = (known after apply) - + private_link_service_network_policies_enabled = (known after apply) - + resource_group_name = "rg-azfw-securehub-eus" - + virtual_network_name = "vnet-azfw-securehub-eus" - } - - # azurerm_subnet_route_table_association.jump_subnet_rt_association will be created - + resource "azurerm_subnet_route_table_association" "jump_subnet_rt_association" { - + id = (known after apply) - + route_table_id = (known after apply) - + subnet_id = (known after apply) - } - - # azurerm_virtual_hub.azfw_vwan_hub will be created - + resource "azurerm_virtual_hub" "azfw_vwan_hub" { - + address_prefix = "10.20.0.0/23" - + default_route_table_id = (known after apply) - + hub_routing_preference = "ExpressRoute" - + id = (known after apply) - + location = "eastus" - + name = "hub-azfw-securehub-eus" - + resource_group_name = "rg-azfw-securehub-eus" - + tags = 
{ - + "costcenter" = "1234556677" - + "environment" = "dev" - + "owner" = "cloud team" - + "workload" = "azure firewall" - } - + virtual_router_asn = (known after apply) - + virtual_router_auto_scale_min_capacity = 2 - + virtual_router_ips = (known after apply) - + virtual_wan_id = (known after apply) - } - - # azurerm_virtual_hub_connection.azfw_vwan_hub_connection will be created - + resource "azurerm_virtual_hub_connection" "azfw_vwan_hub_connection" { - + id = (known after apply) - + internet_security_enabled = true - + name = "hub-to-spoke" - + remote_virtual_network_id = (known after apply) - + virtual_hub_id = (known after apply) - - + routing { - + associated_route_table_id = (known after apply) - - + propagated_route_table { - + labels = [ - + "VNet", - ] - + route_table_ids = (known after apply) - } - } - } - - # azurerm_virtual_hub_route_table.vhub_rt will be created - + resource "azurerm_virtual_hub_route_table" "vhub_rt" { - + id = (known after apply) - + labels = [ - + "VNet", - ] - + name = "vhub-rt-azfw-securehub-eus" - + virtual_hub_id = (known after apply) - - + route { - + destinations = [ - + "0.0.0.0/0", - ] - + destinations_type = "CIDR" - + name = "InternetToFirewall" - + next_hop = (known after apply) - + next_hop_type = "ResourceId" - } - + route { - + destinations = [ - + "10.10.1.0/24", - ] - + destinations_type = "CIDR" - + name = "workload-SNToFirewall" - + next_hop = (known after apply) - + next_hop_type = "ResourceId" - } - } - - # azurerm_virtual_network.azfw_vnet will be created - + resource "azurerm_virtual_network" "azfw_vnet" { - + address_space = [ - + "10.10.0.0/16", - ] - + dns_servers = (known after apply) - + guid = (known after apply) - + id = (known after apply) - + location = "eastus" - + name = "vnet-azfw-securehub-eus" - + resource_group_name = "rg-azfw-securehub-eus" - + subnet = (known after apply) - + tags = { - + "costcenter" = "1234556677" - + "environment" = "dev" - + "owner" = "cloud team" - + "workload" = "azure 
firewall" - } - } - - # azurerm_virtual_wan.azfw_vwan will be created - + resource "azurerm_virtual_wan" "azfw_vwan" { - + allow_branch_to_branch_traffic = true - + disable_vpn_encryption = false - + id = (known after apply) - + location = "eastus" - + name = "vwan-azfw-securehub-eus" - + office365_local_breakout_category = "None" - + resource_group_name = "rg-azfw-securehub-eus" - + tags = { - + "costcenter" = "1234556677" - + "environment" = "dev" - + "owner" = "cloud team" - + "workload" = "azure firewall" - } - + type = "Standard" - } - - # azurerm_windows_virtual_machine.vm_jump will be created - + resource "azurerm_windows_virtual_machine" "vm_jump" { - + admin_password = (sensitive value) - + admin_username = "azureuser" - + allow_extension_operations = true - + bypass_platform_safety_checks_on_user_schedule_enabled = false - + computer_name = (known after apply) - + enable_automatic_updates = true - + extensions_time_budget = "PT1H30M" - + hotpatching_enabled = false - + id = (known after apply) - + location = "eastus" - + max_bid_price = -1 - + name = "jump-vm" - + network_interface_ids = (known after apply) - + patch_assessment_mode = "ImageDefault" - + patch_mode = "AutomaticByOS" - + platform_fault_domain = -1 - + priority = "Regular" - + private_ip_address = (known after apply) - + private_ip_addresses = (known after apply) - + provision_vm_agent = true - + public_ip_address = (known after apply) - + public_ip_addresses = (known after apply) - + resource_group_name = "rg-azfw-securehub-eus" - + size = "Standard_D2_v3" - + virtual_machine_id = (known after apply) - - + os_disk { - + caching = "ReadWrite" - + disk_size_gb = (known after apply) - + name = (known after apply) - + storage_account_type = "Standard_LRS" - + write_accelerator_enabled = false - } - - + source_image_reference { - + offer = "WindowsServer" - + publisher = "MicrosoftWindowsServer" - + sku = "2019-Datacenter" - + version = "latest" - } - } - - # 
azurerm_windows_virtual_machine.vm_workload will be created - + resource "azurerm_windows_virtual_machine" "vm_workload" { - + admin_password = (sensitive value) - + admin_username = "azureuser" - + allow_extension_operations = true - + bypass_platform_safety_checks_on_user_schedule_enabled = false - + computer_name = (known after apply) - + enable_automatic_updates = true - + extensions_time_budget = "PT1H30M" - + hotpatching_enabled = false - + id = (known after apply) - + location = "eastus" - + max_bid_price = -1 - + name = "workload-vm" - + network_interface_ids = (known after apply) - + patch_assessment_mode = "ImageDefault" - + patch_mode = "AutomaticByOS" - + platform_fault_domain = -1 - + priority = "Regular" - + private_ip_address = (known after apply) - + private_ip_addresses = (known after apply) - + provision_vm_agent = true - + public_ip_address = (known after apply) - + public_ip_addresses = (known after apply) - + resource_group_name = "rg-azfw-securehub-eus" - + size = "Standard_D2_v3" - + virtual_machine_id = (known after apply) - - + os_disk { - + caching = "ReadWrite" - + disk_size_gb = (known after apply) - + name = (known after apply) - + storage_account_type = "Standard_LRS" - + write_accelerator_enabled = false - } - - + source_image_reference { - + offer = "WindowsServer" - + publisher = "MicrosoftWindowsServer" - + sku = "2019-Datacenter" - + version = "latest" - } - } - -Plan: 23 to add, 0 to change, 0 to destroy. -`````` \ No newline at end of file diff --git a/quickstart/201-azfw-with-secure-hub/main.tf b/quickstart/201-azfw-with-secure-hub/main.tf deleted file mode 100644 index 46c99695c..000000000 --- a/quickstart/201-azfw-with-secure-hub/main.tf +++ /dev/null 
@@ -1,370 +0,0 @@
-
-// Create a Resource Group
-resource "azurerm_resource_group" "azfw_rg" {
- name = "rg-azfw-securehub-eus"
- location = var.location
- tags = var.tags
-}
-
-// Create resources for Azure Virtual WAN
-// Create a Azure Vwan
-resource "azurerm_virtual_wan" "azfw_vwan" {
- name = "vwan-azfw-securehub-eus"
- location = azurerm_resource_group.azfw_rg.location
- resource_group_name = azurerm_resource_group.azfw_rg.name
- tags = azurerm_resource_group.azfw_rg.tags
- allow_branch_to_branch_traffic = true
- disable_vpn_encryption = false
- depends_on = [
- azurerm_resource_group.azfw_rg
- ]
-}
-
-// Create a Azure Vwan Hub
-resource "azurerm_virtual_hub" "azfw_vwan_hub" {
- name = "hub-azfw-securehub-eus"
- location = azurerm_resource_group.azfw_rg.location
- resource_group_name = azurerm_resource_group.azfw_rg.name
- virtual_wan_id = azurerm_virtual_wan.azfw_vwan.id
- address_prefix = "10.20.0.0/23"
- tags = azurerm_resource_group.azfw_rg.tags
- depends_on = [
- azurerm_virtual_wan.azfw_vwan
- ]
-}
-
-// Create a Azure VWan Hub Connection
-resource "azurerm_virtual_hub_connection" "azfw_vwan_hub_connection" {
- name = "hub-to-spoke"
- virtual_hub_id = azurerm_virtual_hub.azfw_vwan_hub.id
- remote_virtual_network_id = azurerm_virtual_network.azfw_vnet.id
- internet_security_enabled = true
- routing {
- associated_route_table_id = azurerm_virtual_hub_route_table.vhub_rt.id
- propagated_route_table {
- route_table_ids = [azurerm_virtual_hub_route_table.vhub_rt.id]
- labels = ["VNet"]
- }
- }
- depends_on = [
- azurerm_virtual_hub.azfw_vwan_hub,
- azurerm_virtual_network.azfw_vnet
- ]
-}
-
-// Create resources for Azure Firewall
-// Create a Public IP Address for Azure Firewall
-resource "azurerm_public_ip" "pip_azfw" {
- name = "pip-azfw-securehub-eus"
- location = azurerm_resource_group.azfw_rg.location
- resource_group_name = azurerm_resource_group.azfw_rg.name
- allocation_method = "Static"
- sku = "Standard"
- tags = azurerm_resource_group.azfw_rg.tags
- depends_on = [
- azurerm_resource_group.azfw_rg
- ]
-}
-
-// Create a Azure Firewall Policy
-resource "azurerm_firewall_policy" "azfw_policy" {
- name = "policy-azfw-securehub-eus"
- resource_group_name = azurerm_resource_group.azfw_rg.name
- location = azurerm_resource_group.azfw_rg.location
- sku = "Premium"
- threat_intelligence_mode = "Alert"
- tags = azurerm_resource_group.azfw_rg.tags
- depends_on = [
- azurerm_resource_group.azfw_rg
- ]
-}
-
-// Create a Azure Firewall Policy Rule Collection Group
-// Create a Application Rule Collection
-// Create rules for Windows Update
-// Create rules for Microsoft.com
-resource "azurerm_firewall_policy_rule_collection_group" "app_policy_rule_collection_group" {
- name = "DefaulApplicationtRuleCollectionGroup"
- firewall_policy_id = azurerm_firewall_policy.azfw_policy.id
- priority = 300
- application_rule_collection {
- name = "DefaultApplicationRuleCollection"
- action = "Allow"
- priority = 100
- rule {
- name = "Allow-MSFT"
- description = "Allow access to Microsoft.com"
- protocols {
- type = "Https"
- port = 443
- }
- protocols {
- type = "Http"
- port = 80
- }
- destination_fqdns = ["*.microsoft.com"]
- terminate_tls = false
- source_addresses = ["*"]
- }
- }
- depends_on = [
- azurerm_firewall_policy.azfw_policy
- ]
-}
-
-// Create the Azure Firewall
-resource "azurerm_firewall" "fw" {
- name = "fw-azfw-securehub-eus"
- location = azurerm_resource_group.azfw_rg.location
- resource_group_name = azurerm_resource_group.azfw_rg.name
- sku_name = "AZFW_Hub"
- sku_tier = var.fw_sku
- tags = azurerm_resource_group.azfw_rg.tags
- virtual_hub {
- virtual_hub_id = azurerm_virtual_hub.azfw_vwan_hub.id
- public_ip_count = 1
- }
- firewall_policy_id = azurerm_firewall_policy.azfw_policy.id
- depends_on = [
- azurerm_firewall_policy.azfw_policy,
- azurerm_virtual_hub.azfw_vwan_hub
- ]
-}
-
-// Create Virtual Network, Subnets, PIP, NICs, NSGs, and NIC-NSG associations
-// Create a Virtual Network
-resource "azurerm_virtual_network" "azfw_vnet" {
- name = "vnet-azfw-securehub-eus"
- location = azurerm_resource_group.azfw_rg.location
- resource_group_name = azurerm_resource_group.azfw_rg.name
- address_space = ["10.10.0.0/16"]
- tags = azurerm_resource_group.azfw_rg.tags
- depends_on = [
- azurerm_resource_group.azfw_rg
- ]
-}
-
-// Create a Subnet for Workload VMs
-resource "azurerm_subnet" "workload_subnet" {
- name = "subnet-workload"
- resource_group_name = azurerm_resource_group.azfw_rg.name
- virtual_network_name = azurerm_virtual_network.azfw_vnet.name
- address_prefixes = ["10.10.1.0/24"]
- depends_on = [
- azurerm_virtual_network.azfw_vnet
- ]
-}
-
-// Create a Subnet for Jump VM
-resource "azurerm_subnet" "jump_subnet" {
- name = "subnet-jump"
- resource_group_name = azurerm_resource_group.azfw_rg.name
- virtual_network_name = azurerm_virtual_network.azfw_vnet.name
- address_prefixes = ["10.10.2.0/24"]
-
- depends_on = [
- azurerm_virtual_network.azfw_vnet,
- azurerm_route_table.rt
- ]
-}
-
-// Create a NIC for Workload VM
-resource "azurerm_network_interface" "vm_workload_nic" {
- name = "nic-workload"
- location = azurerm_resource_group.azfw_rg.location
- resource_group_name = azurerm_resource_group.azfw_rg.name
-
- ip_configuration {
- name = "ipconfig-workload"
- subnet_id = azurerm_subnet.workload_subnet.id
- private_ip_address_allocation = "Dynamic"
- }
- depends_on = [
- azurerm_subnet.workload_subnet
- ]
-}
-
-// Create a PIP for Jump VM
-resource "azurerm_public_ip" "vm_jump_pip" {
- name = "pip-jump"
- location = azurerm_resource_group.azfw_rg.location
- resource_group_name = azurerm_resource_group.azfw_rg.name
- allocation_method = "Static"
- sku = "Standard"
- tags = azurerm_resource_group.azfw_rg.tags
- depends_on = [
- azurerm_resource_group.azfw_rg
- ]
-}
-
-// Create a NIC for Jump VM
-resource "azurerm_network_interface" "vm_jump_nic" {
- name = "nic-jump"
- location = azurerm_resource_group.azfw_rg.location
- resource_group_name = azurerm_resource_group.azfw_rg.name
-
- ip_configuration {
- name = "ipconfig-jump"
- subnet_id = azurerm_subnet.jump_subnet.id
- private_ip_address_allocation = "Dynamic"
- public_ip_address_id = azurerm_public_ip.vm_jump_pip.id
- }
- depends_on = [
- azurerm_subnet.jump_subnet,
- azurerm_public_ip.vm_jump_pip
- ]
-}
-
-// Create a NSG for Workload VM
-resource "azurerm_network_security_group" "vm_workload_nsg" {
- name = "nsg-workload"
- location = azurerm_resource_group.azfw_rg.location
- resource_group_name = azurerm_resource_group.azfw_rg.name
- depends_on = [
- azurerm_resource_group.azfw_rg
- ]
-}
-
-// Create a NSG for Jump VM
-resource "azurerm_network_security_group" "vm_jump_nsg" {
- name = "nsg-jump"
- location = azurerm_resource_group.azfw_rg.location
- resource_group_name = azurerm_resource_group.azfw_rg.name
- security_rule {
- name = "Allow-RDP"
- priority = 300
- direction = "Inbound"
- access = "Allow"
- protocol = "Tcp"
- source_port_range = "*"
- destination_port_range = "3389"
- source_address_prefix = "*"
- destination_address_prefix = "*"
- }
-
- depends_on = [
- azurerm_resource_group.azfw_rg
- ]
-}
-
-// Associate NSG for Workload VM NIC
-resource "azurerm_network_interface_security_group_association" "vm_workload_nsg_association" {
- network_interface_id = azurerm_network_interface.vm_workload_nic.id
- network_security_group_id = azurerm_network_security_group.vm_workload_nsg.id
- depends_on = [
- azurerm_network_interface.vm_workload_nic,
- azurerm_network_security_group.vm_workload_nsg
- ]
-}
-
-// Associate NSG for Jump VM NIC
-resource "azurerm_network_interface_security_group_association" "vm_jump_nsg_association" {
- network_interface_id = azurerm_network_interface.vm_jump_nic.id
- network_security_group_id = azurerm_network_security_group.vm_jump_nsg.id
- depends_on = [
- azurerm_network_interface.vm_jump_nic,
- azurerm_network_security_group.vm_jump_nsg
- ]
-}
-
-// Create Virtual Machines for testing
-// Create a Workload Virtual Machine
-resource "azurerm_windows_virtual_machine" "vm_workload" {
- name = "workload-vm"
- resource_group_name = azurerm_resource_group.azfw_rg.name
- location = azurerm_resource_group.azfw_rg.location
- size = var.vm_size
- admin_username = var.admin_username
- admin_password = var.admin_password
- network_interface_ids = [azurerm_network_interface.vm_workload_nic.id]
- os_disk {
- caching = "ReadWrite"
- storage_account_type = "Standard_LRS"
- }
- source_image_reference {
- publisher = "MicrosoftWindowsServer"
- offer = "WindowsServer"
- sku = "2019-Datacenter"
- version = "latest"
- }
- depends_on = [
- azurerm_network_interface.vm_workload_nic
- ]
-}
-
-// Create a Jump Virtual Machine
-resource "azurerm_windows_virtual_machine" "vm_jump" {
- name = "jump-vm"
- resource_group_name = azurerm_resource_group.azfw_rg.name
- location = azurerm_resource_group.azfw_rg.location
- size = var.vm_size
- admin_username = var.admin_username
- admin_password = var.admin_password
- network_interface_ids = [azurerm_network_interface.vm_jump_nic.id]
- os_disk {
- caching = "ReadWrite"
- storage_account_type = "Standard_LRS"
- }
- source_image_reference {
- publisher = "MicrosoftWindowsServer"
- offer = "WindowsServer"
- sku = "2019-Datacenter"
- version = "latest"
- }
- depends_on = [
- azurerm_network_interface.vm_jump_nic
- ]
-}
-
-// Create Routing for testing
-// Create a Route Table
-resource "azurerm_route_table" "rt" {
- name = "rt-azfw-securehub-eus"
- location = azurerm_resource_group.azfw_rg.location
- resource_group_name = azurerm_resource_group.azfw_rg.name
- disable_bgp_route_propagation = false
- route {
- name = "jump-to-internet"
- address_prefix = "0.0.0.0/0"
- next_hop_type = "Internet"
- }
- depends_on = [
- azurerm_resource_group.azfw_rg
- ]
-}
-
-// Associate Route Table to Jump VM Subnet
-resource "azurerm_subnet_route_table_association" "jump_subnet_rt_association" {
- subnet_id = azurerm_subnet.jump_subnet.id
- route_table_id = azurerm_route_table.rt.id
- depends_on = [
- azurerm_subnet.jump_subnet,
- azurerm_route_table.rt
- ]
-}
-
-// Creat a Virtual Hub Route Table
-resource "azurerm_virtual_hub_route_table" "vhub_rt" {
- name = "vhub-rt-azfw-securehub-eus"
- virtual_hub_id = azurerm_virtual_hub.azfw_vwan_hub.id
- route {
- name = "workload-SNToFirewall"
- destinations_type = "CIDR"
- destinations = ["10.10.1.0/24"]
- next_hop_type = "ResourceId"
- next_hop = azurerm_firewall.fw.id
- }
- route {
- name = "InternetToFirewall"
- destinations_type = "CIDR"
- destinations = ["0.0.0.0/0"]
- next_hop_type = "ResourceId"
- next_hop = azurerm_firewall.fw.id
- }
- labels = ["VNet"]
- depends_on = [
- azurerm_virtual_hub.azfw_vwan_hub,
- azurerm_firewall.fw
- ]
-}
-
diff --git a/quickstart/201-azfw-with-secure-hub/outputs.tf b/quickstart/201-azfw-with-secure-hub/outputs.tf
deleted file mode 100644
index 67ad7df31..000000000
--- a/quickstart/201-azfw-with-secure-hub/outputs.tf
+++ /dev/null
@@ -1,3 +0,0 @@
-output "rg_name" {
- value = azurerm_resource_group.azfw_rg.name
-}
\ No newline at end of file
diff --git a/quickstart/201-azfw-with-secure-hub/provider.tf b/quickstart/201-azfw-with-secure-hub/provider.tf
deleted file mode 100644
index 76b5065bc..000000000
--- a/quickstart/201-azfw-with-secure-hub/provider.tf
+++ /dev/null
@@ -1,16 +0,0 @@
-terraform {
- required_providers {
- azurerm = {
- source = "hashicorp/azurerm"
- version = "3.69.0"
- }
- }
-}
-
-provider "azurerm" {
- features {
- resource_group {
- prevent_deletion_if_contains_resources = false // Set to True for Production
- }
- }
-}
diff --git a/quickstart/201-azfw-with-secure-hub/variables.tf b/quickstart/201-azfw-with-secure-hub/variables.tf
deleted file mode 100644
index fd29a8593..000000000
--- a/quickstart/201-azfw-with-secure-hub/variables.tf
+++ /dev/null
@@ -1,30 +0,0 @@
-// Create Variables for Location and Tags
-variable "location" {
- default = "eastus"
-}
-variable "tags" {
- default = {
- environment = "dev"
- costcenter = "1234556677"
- owner = "cloud team"
- workload = "azure firewall"
- }
-}
-
-// Create Firewall Variables
-variable "fw_sku" {
- default = "Premium" # Valid values are Standard and Premium
-}
-
-// Create Virtual Machine Sku Size Variables
-variable "vm_size" {
- default = "Standard_D2_v3"
-}
-
-// Create Admin Username and Password
-variable "admin_username" {
- default = "azureuser"
-}
-variable "admin_password" {
- default = "P@ssw0rd1234!"
-}
From d6cb01939426a99f03929aa5ca0b6f07123a101c Mon Sep 17 00:00:00 2001
From: cshea15
Date: Sat, 23 Sep 2023 16:05:24 -0400
Subject: [PATCH 03/11] add new files to new branch
---
 quickstart/201-azfw-multi-addresses/main.tf | 0
 .../201-azfw-multi-addresses/outputs.tf | 18 +++++++++++++
 .../201-azfw-multi-addresses/provider.tf | 21 +++++++++++++++
 quickstart/201-azfw-multi-addresses/readme.tf | 0
 .../201-azfw-multi-addresses/variables.tf | 27 +++++++++++++++++++
 5 files changed, 66 insertions(+)
 create mode 100644 quickstart/201-azfw-multi-addresses/main.tf
 create mode 100644 quickstart/201-azfw-multi-addresses/outputs.tf
 create mode 100644 quickstart/201-azfw-multi-addresses/provider.tf
 create mode 100644 quickstart/201-azfw-multi-addresses/readme.tf
 create mode 100644 quickstart/201-azfw-multi-addresses/variables.tf
diff --git a/quickstart/201-azfw-multi-addresses/main.tf b/quickstart/201-azfw-multi-addresses/main.tf
new file mode 100644
index 000000000..e69de29bb
diff --git a/quickstart/201-azfw-multi-addresses/outputs.tf b/quickstart/201-azfw-multi-addresses/outputs.tf
new file mode 100644
index 000000000..81d20800b
--- /dev/null
+++ b/quickstart/201-azfw-multi-addresses/outputs.tf
@@ -0,0 +1,18 @@
+output "resource_group_name" {
+ value = azurerm_resource_group.rg.name
+}
+
+output "virtual_hub_name" {
+ value = azurerm_virtual_hub.azfw_vwan_hub.name
+}
+
+output "jump_admin_password" {
+ sensitive = true
+ value = azurerm_windows_virtual_machine.vm_jump.admin_password
+}
+
+output "service_admin_password" {
+ sensitive = true
+ value = azurerm_windows_virtual_machine.vm_workload.admin_password
+}
+
diff --git a/quickstart/201-azfw-multi-addresses/provider.tf b/quickstart/201-azfw-multi-addresses/provider.tf
new file mode 100644
index 000000000..bf50b67ec
--- /dev/null
+++ b/quickstart/201-azfw-multi-addresses/provider.tf
@@ -0,0 +1,21 @@
+terraform {
+ required_providers {
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = "~>3.0"
+ }
+ random = {
+ source = "hashicorp/random"
+ version = "~>3.0"
+ }
+ }
+}
+
+provider "azurerm" {
+ features {
+ virtual_machine {
+ delete_os_disk_on_deletion = true
+ skip_shutdown_and_force_delete = true
+ }
+ }
+}
diff --git a/quickstart/201-azfw-multi-addresses/readme.tf b/quickstart/201-azfw-multi-addresses/readme.tf
new file mode 100644
index 000000000..e69de29bb
diff --git a/quickstart/201-azfw-multi-addresses/variables.tf b/quickstart/201-azfw-multi-addresses/variables.tf
new file mode 100644
index 000000000..e76f46d92
--- /dev/null
+++ b/quickstart/201-azfw-multi-addresses/variables.tf
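Review bot: The `jump_admin_password` and `service_admin_password` outputs are marked `sensitive = true`, but that only redacts them in CLI display; the values are still written in plaintext to the Terraform state and returned by `terraform output -raw`/`-json`, so whatever backend holds this quickstart's state is effectively holding the VM credentials. A comment on each output such as `# sensitive only masks CLI display; the value is stored in plaintext in state` would make that explicit for people who copy the pattern. Separately, main.tf is added empty in this same commit (0 lines in the diffstat), so every resource these outputs reference is undefined here and `terraform validate` would fail until a later commit fills it in; in particular `virtual_hub_name` references `azurerm_virtual_hub.azfw_vwan_hub`, while the main.tf added later in the series appears to build a VNet-hosted firewall with an `AzureFirewallSubnet`, so that output may never resolve and is worth confirming against the final main.tf.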
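Review bot: `skip_shutdown_and_force_delete = true` and `delete_os_disk_on_deletion = true` make `terraform destroy` force-delete the VMs and drop their OS disks without a graceful shutdown, which is fine for a throwaway quickstart but risky if this provider.tf is copied into a real environment. The secure-hub provider.tf removed earlier in this series annotated its feature toggle with `// Set to True for Production`; a matching comment here, e.g. `# quickstart convenience: VMs are force-deleted and OS disks removed on destroy; revisit before production use`, keeps the two quickstarts consistent. A `required_version` constraint in the `terraform` block would also pin the CLI alongside the `~>3.0` provider constraints.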
@@ -0,0 +1,27 @@
+variable "resource_group_location" {
+ type = string
+ description = "Location for all resources."
+ default = "eastus"
+}
+
+variable "resource_group_name_prefix" {
+ type = string
+ description = "Prefix for the Resource Group Name that's combined with a random id so name is unique in your Azure subcription."
+ default = "rg"
+}
+
+variable "firewall_sku_name" {
+ type = string
+ description = "SKU name for the firewall."
+ default = "Premium" # Valid values are Standard and Premium
+}
+
+variable "virtual_machine_size" {
+ type = string
+ description = "Size of the virtual machine."
+ default = "Standard_D2_v3"
+}
+
+variable "admin_username" {
+ default = "azureuser"
+}
From 5c810c97a344786249520260e42fab980a0b5854 Mon Sep 17 00:00:00 2001
From: cshea15
Date: Sun, 24 Sep 2023 12:28:21 -0400
Subject: [PATCH 04/11] update files
---
 .../101-azfw-with-fwpolicy/variables.tf | 2 +-
 quickstart/201-azfw-multi-addresses/main.tf | 228 ++++++++++++++++++
 .../201-azfw-multi-addresses/outputs.tf | 14 +-
 .../201-azfw-multi-addresses/provider.tf | 2 +-
 quickstart/201-azfw-multi-addresses/readme.md | 32 +++
 quickstart/201-azfw-multi-addresses/readme.tf | 0
 .../201-azfw-multi-addresses/variables.tf | 14 +-
 7 files changed, 273 insertions(+), 19 deletions(-)
 create mode 100644 quickstart/201-azfw-multi-addresses/readme.md
 delete mode 100644 quickstart/201-azfw-multi-addresses/readme.tf
diff --git a/quickstart/101-azfw-with-fwpolicy/variables.tf b/quickstart/101-azfw-with-fwpolicy/variables.tf
index eb12bf647..570f731bf 100644
--- a/quickstart/101-azfw-with-fwpolicy/variables.tf
+++ b/quickstart/101-azfw-with-fwpolicy/variables.tf
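Review bot: `firewall_sku_name` documents its valid values only in a trailing comment, so a typo such as "premium" is not caught until the Azure API rejects the apply; the sibling 101 quickstart's `firewall_sku_tier` enforces the same two values with a `validation` block, and this variable should do the same. The name is also misleading if the comment's values are right: `Standard`/`Premium` are `sku_tier` values, while `sku_name` on `azurerm_firewall` takes `AZFW_VNet`/`AZFW_Hub`, so renaming it to `firewall_sku_tier` as in the 101 quickstart would avoid confusion (how main.tf consumes it is outside this hunk). Minor: `admin_username` lacks the `type`/`description` every other variable here carries, and the `resource_group_name_prefix` description misspells "subscription".
```hcl
variable "firewall_sku_name" {
  type        = string
  description = "SKU name for the firewall."
  default     = "Premium" # Valid values are Standard and Premium
  validation {
    condition     = contains(["Standard", "Premium"], var.firewall_sku_name)
    error_message = "The sku must be one of the following: Standard, Premium"
  }
}
```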
@@ -13,7 +13,7 @@ variable "resource_group_name_prefix" {
 variable "firewall_sku_tier" {
 type = string
 description = "Firewall SKU."
- default = "Premium" # Valid values are Standard and Premium
+ default = "Standard" # Valid values are Standard and Premium
 validation {
 condition = contains(["Standard", "Premium"], var.firewall_sku_tier)
 error_message = "The sku must be one of the following: Standard, Premium"
diff --git a/quickstart/201-azfw-multi-addresses/main.tf b/quickstart/201-azfw-multi-addresses/main.tf
index e69de29bb..8cd1d9a65 100644
--- a/quickstart/201-azfw-multi-addresses/main.tf
+++ b/quickstart/201-azfw-multi-addresses/main.tf
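Review bot: The default tier drops from Premium to Standard but nothing on the new side records why, and the trailing comment still only lists the valid values; a short note next to the default, e.g. `# Standard keeps the quickstart cheap; choose Premium for features that require the Premium tier`, would make the trade-off visible to anyone who later needs those features. Any README or sample plan output for this quickstart that still presents the firewall as Premium should be updated in the same change so the documentation matches the default. The `validation` block continues past the end of the hunk.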
@@ -0,0 +1,228 @@
+resource "random_pet" "rg_name" {
+ prefix = var.resource_group_name_prefix
+}
+
+resource "random_password" "password" {
+ length = 20
+ min_lower = 1
+ min_upper = 1
+ min_numeric = 1
+ min_special = 1
+ special = true
+}
+
+resource "azurerm_resource_group" "rg" {
+ name = random_pet.rg_name.id
+ location = var.resource_group_location
+}
+resource "azurerm_public_ip_prefix" "pip_prefix" {
+ count = 2
+ name = "pip-prefix-${count.index + 1}"
+ location = azurerm_resource_group.rg.location
+ resource_group_name = azurerm_resource_group.rg.name
+ sku = "Standard"
+ prefix_length = 31
+}
+
+resource "azurerm_public_ip" "pip_azfw" {
+ count = 2
+ name = "pip-azfw-${count.index + 1}"
+ location = azurerm_resource_group.rg.location
+ resource_group_name = azurerm_resource_group.rg.name
+ sku = "Standard"
+ allocation_method = "Static"
+ public_ip_prefix_id = azurerm_public_ip_prefix.pip_prefix[count.index].id
+}
+
+resource "azurerm_virtual_network" "azfw_vnet" {
+ name = "azfw-vnet"
+ location = azurerm_resource_group.rg.location
+ resource_group_name = azurerm_resource_group.rg.name
+ address_space = ["10.10.0.0/16"]
+}
+
+resource "azurerm_subnet" "azfw_subnet" {
+ name = "AzureFirewallSubnet"
+ resource_group_name = azurerm_resource_group.rg.name
+ virtual_network_name = azurerm_virtual_network.azfw_vnet.name
+ address_prefixes = ["10.10.0.0/26"]
+}
+
+resource "azurerm_subnet" "backend_subnet" {
+ name = "subnet-backend"
+ resource_group_name = azurerm_resource_group.rg.name
+ virtual_network_name = azurerm_virtual_network.azfw_vnet.name
+ address_prefixes = ["10.10.1.0/24"]
+}
+
+resource "azurerm_network_interface" "backend_nic" {
+ count = 2
+ name = "nic-backend-${count.index + 1}"
+ location = azurerm_resource_group.rg.location
+ resource_group_name = azurerm_resource_group.rg.name
+
+ ip_configuration {
+ name = "ipconfig-backend-${count.index + 1}"
+ subnet_id = azurerm_subnet.backend_subnet.id
+ private_ip_address_allocation = "Dynamic"
+ }
+}
+
+resource "azurerm_network_security_group" "backend_nsg" {
+ name = "nsg-backend"
+ location = azurerm_resource_group.rg.location
+ resource_group_name = azurerm_resource_group.rg.name
+ security_rule {
+ name = "RDP"
+ priority = 300
+ direction = "Inbound"
+ access = "Allow"
+ protocol = "Tcp"
+ source_port_range = "*"
+ destination_port_range = "3389"
+ source_address_prefix = "*"
+ destination_address_prefix = "*"
+ }
+}
+
+resource "azurerm_network_interface_security_group_association" "vm_backend_nsg_association" {
+ count = 2
+ network_interface_id = azurerm_network_interface.backend_nic[count.index].id
+ network_security_group_id = azurerm_network_security_group.backend_nsg.id
+}
+
+resource "azurerm_windows_virtual_machine" "vm_backend" {
+ count = 2
+ name = "vm-backend-${count.index + 1}"
+ resource_group_name = azurerm_resource_group.rg.name
+ location = azurerm_resource_group.rg.location
+ size = var.virtual_machine_size
+ admin_username = var.admin_username
+ admin_password = random_password.password.result
+ network_interface_ids = [azurerm_network_interface.backend_nic[count.index].id]
+ os_disk {
+ caching = "ReadWrite"
+ storage_account_type = "Standard_LRS"
+ }
+ source_image_reference {
+ publisher = "MicrosoftWindowsServer"
+ offer = "WindowsServer"
+ sku = "2019-Datacenter"
+ version = "latest"
+ }
+}
+
+resource "azurerm_firewall_policy" "azfw_policy" {
+ name = "azfw-policy"
+ resource_group_name = azurerm_resource_group.rg.name
+ location = azurerm_resource_group.rg.location
+ sku = var.firewall_sku_tier
+ threat_intelligence_mode = "Alert"
+}
+
+resource "azurerm_firewall_policy_rule_collection_group" "policy_rule_collection_group" {
+ name = "RuleCollectionGroup"
+ firewall_policy_id = azurerm_firewall_policy.azfw_policy.id
+ priority = 300
+ application_rule_collection {
+ name = "web"
+ priority = 100
+ action = "Allow"
+ rule {
+ name = "wan-address"
+ protocols {
+ type = "Http"
+ port = 80
+ }
+ protocols {
+ type = "Https"
+ port = 443
+ }
+ destination_fqdns = ["getmywanip.com"]
+ source_addresses = ["*"]
+ }
+ rule {
+ name = "google"
+ protocols {
+ type = "Http"
+ port = 80
+ }
+ protocols {
+ type = "Https"
+ port = 443
+ }
+ destination_fqdns = ["www.google.com"]
+ source_addresses = ["10.10.1.0/24"]
+ }
+ rule {
+ name = "wupdate"
+ protocols {
+ type = "Http"
+ port = 80
+ }
+ protocols {
+ type = "Https"
+ port = 443
+ }
+ destination_fqdn_tags = ["WindowsUpdate"]
+ source_addresses = ["*"]
+ }
+ }
+ nat_rule_collection {
+ name = "Coll-01"
+ action = "Dnat"
+ priority = 200
+ rule {
+ name = "rdp-01"
+ protocols = ["TCP"]
+ translated_address = "10.10.1.4"
+ translated_port = "3389"
+ source_addresses = ["*"]
+ destination_address = azurerm_public_ip.pip_azfw[count.index].ip_address
+ destination_ports = ["3389"]
+ }
+ rule {
+ name = "rdp-02"
+ protocols = ["TCP"]
+ translated_address = "10.10.1.5"
+ translated_port = "3389"
+ source_addresses = ["*"]
+ destination_address = azurerm_public_ip.pip_azfw[count.index].ip_address
+ destination_ports = ["3389"]
+ }
+ }
+}
+
+resource "azurerm_firewall" "fw" {
+ name = "azfw"
+ location = azurerm_resource_group.rg.location
+ resource_group_name = azurerm_resource_group.rg.name
+ sku_name = "AZFW_VNet"
+ sku_tier = var.firewall_sku_tier
+ ip_configuration {
+ count = 2
+ name = "azfw-ipconfig-${count.index + 1}"
+ subnet_id = azurerm_subnet.azfw_subnet.id
+ public_ip_address_id = azurerm_public_ip.pip_azfw[count.index].id
+ }
+ firewall_policy_id = azurerm_firewall_policy.azfw_policy.id
+}
+
+resource "azurerm_route_table" "rt" {
+ name = "rt-azfw-eus"
+ location = azurerm_resource_group.rg.location
+ resource_group_name = azurerm_resource_group.rg.name
+ disable_bgp_route_propagation = false
+ route {
+ name = "azfw"
+ address_prefix = "0.0.0.0/0"
+ next_hop_type = "VirtualAppliance"
+ next_hop_in_ip_address = "10.10.0.4"
+ }
+}
+
+resource "azurerm_subnet_route_table_association" "jump_subnet_rt_association" {
+ subnet_id = 
azurerm_subnet.backend_subnet.id
+ route_table_id = azurerm_route_table.rt.id
+}
+
diff --git a/quickstart/201-azfw-multi-addresses/outputs.tf b/quickstart/201-azfw-multi-addresses/outputs.tf
index 81d20800b..2deac2a36 100644
--- a/quickstart/201-azfw-multi-addresses/outputs.tf
+++ b/quickstart/201-azfw-multi-addresses/outputs.tf
@@ -1,18 +1,8 @@
 output "resource_group_name" {
 value = azurerm_resource_group.rg.name
 }
-
-output "virtual_hub_name" {
- value = azurerm_virtual_hub.azfw_vwan_hub.name
-}
-
-output "jump_admin_password" {
- sensitive = true
- value = azurerm_windows_virtual_machine.vm_jump.admin_password
-}
-
-output "service_admin_password" {
+output "backend_admin_password" {
 sensitive = true
- value = azurerm_windows_virtual_machine.vm_workload.admin_password
+ value = azurerm_windows_virtual_machine.vm_backend.admin_password
 }
diff --git a/quickstart/201-azfw-multi-addresses/provider.tf b/quickstart/201-azfw-multi-addresses/provider.tf
index bf50b67ec..72b9204f2 100644
--- a/quickstart/201-azfw-multi-addresses/provider.tf
+++ b/quickstart/201-azfw-multi-addresses/provider.tf
@@ -14,7 +14,7 @@ terraform {
 provider "azurerm" {
 features {
 virtual_machine {
- delete_os_disk_on_deletion = true
+ delete_os_disk_on_deletion = true
 skip_shutdown_and_force_delete = true
 }
 }
diff --git a/quickstart/201-azfw-multi-addresses/readme.md b/quickstart/201-azfw-multi-addresses/readme.md
new file mode 100644
index 000000000..f601bd811
--- /dev/null
+++ b/quickstart/201-azfw-multi-addresses/readme.md
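Review bot: The DNAT rules hard-code `translated_address = "10.10.1.4"` and `"10.10.1.5"` and the default route hard-codes `next_hop_in_ip_address = "10.10.0.4"`, while the backend NICs use `private_ip_address_allocation = "Dynamic"` and the firewall's private address is only known after apply, so forwarding silently breaks if Azure hands out different addresses; reference `azurerm_network_interface.backend_nic[0].private_ip_address` (and `[1]`) and `azurerm_firewall.fw.ip_configuration[0].private_ip_address` instead. `backend_nsg` allows TCP 3389 from `source_address_prefix = "*"` although RDP only reaches these VMs through the firewall's DNAT, which presents a firewall-subnet address as the source, so the NSG can be narrowed to the AzureFirewallSubnet prefix `10.10.0.0/26` for defence in depth; `source_addresses = ["*"]` on both DNAT rules likewise publishes RDP on every public IP to any Internet source, and a quickstart should at least say so in its readme or take an allowed-source list as a variable. `count.index` is also referenced inside `policy_rule_collection_group` and `count = 2` sits inside the nested `ip_configuration` block, neither of which has a `count` meta-argument, so this revision will not pass validation (a later patch in this series reworks those references). Finally, `jump_subnet_rt_association` associates `backend_subnet`, not a jump subnet, so the resource label is misleading.
```hcl
resource "azurerm_network_security_group" "backend_nsg" {
  # … unchanged: name, location, resource_group_name …
  security_rule {
    name                       = "RDP"
    # … unchanged: priority, direction, access, protocol, port ranges …
    # Inbound RDP only arrives via the firewall's DNAT, so accept it from the
    # AzureFirewallSubnet rather than from every source.
    source_address_prefix      = "10.10.0.0/26"
    destination_address_prefix = "*"
  }
}

# … unchanged: NSG association, backend VMs, firewall policy, application rule collection …

    rule {
      name               = "rdp-01"
      # … unchanged: protocols, translated_port, source_addresses, destination_address, destination_ports …
      translated_address = azurerm_network_interface.backend_nic[0].private_ip_address
    }
    rule {
      name               = "rdp-02"
      # … unchanged …
      translated_address = azurerm_network_interface.backend_nic[1].private_ip_address
    }

# … unchanged: azurerm_firewall …

  route {
    name                   = "azfw"
    address_prefix         = "0.0.0.0/0"
    next_hop_type          = "VirtualAppliance"
    # Resolve the firewall's private address instead of assuming 10.10.0.4.
    next_hop_in_ip_address = azurerm_firewall.fw.ip_configuration[0].private_ip_address
  }
```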
@@ -0,0 +1,32 @@
+# Deploy Azure Firewall with multiple public IP addresses
+
+This template deploys an [Azure Firewall](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/firewall) with [Public IP Prefixes]
+
+## Terraform resource types
+
+- [azurerm_resource_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group)
+- [azurerm_virtual_network](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_network)
+- [azurerm_subnet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet)
+- [azurerm_public_ip](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/public_ip)
+- [azurerm_public_ip_prefix](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/public_ip_prefix)
+- [azurerm_firewall_policy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/firewall_policy)
+- [azurerm_firewall_policy_rule_collection_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/firewall_policy_rule_collection_group)
+- [azurerm_firewall](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/firewall)
+- [azurerm_network_interface](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_interface)
+- [azurerm_network_security_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_security_group)
+- [azurerm_network_interface_security_group_association](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_interface_security_group_association
+- [azurerm_route_table](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/route_table)
+- 
[azurerm_subnet_route_table_association](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet_route_table_association)
+- [azurerm_windows_virtual_machine](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/windows_virtual_machine)
+- [random_password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password)
+- [random_pet](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/pet)
+
+## Variables
+
+| Name | Description | Default value |
+|-|-|-|
+| `resource_group_location` | location for your resources | eastus |
+| `firewall_sku_tier` | Sku size for your Firewall and Firewall Policy | Standard |
+| `resource_group_name_prefix` | Prefix for your resource group | rg |
+| `virtual_machine_size` | Sku size for your jump and workload vms | Standard_D2_v3 |
+| `admin_username` | admin username for the jump and workload vms | azureuser |
\ No newline at end of file
diff --git a/quickstart/201-azfw-multi-addresses/readme.tf b/quickstart/201-azfw-multi-addresses/readme.tf
deleted file mode 100644
index e69de29bb..000000000
diff --git a/quickstart/201-azfw-multi-addresses/variables.tf b/quickstart/201-azfw-multi-addresses/variables.tf
index e76f46d92..5abb6c492 100644
--- a/quickstart/201-azfw-multi-addresses/variables.tf
+++ b/quickstart/201-azfw-multi-addresses/variables.tf
@@ -5,15 +5,19 @@ variable "resource_group_location" {
 }
 variable "resource_group_name_prefix" {
- type = string
- description = "Prefix for the Resource Group Name that's combined with a random id so name is unique in your Azure subcription."
- default = "rg"
+ type = string
+ description = "Prefix for the Resource Group Name that's combined with a random id so name is unique in your Azure subcription."
+ default = "rg"
 }
-variable "firewall_sku_name" {
+variable "firewall_sku_tier" {
 type = string
- description = "SKU name for the firewall."
+ description = "Firewall SKU."
 default = "Premium" # Valid values are Standard and Premium
+ validation {
+ condition = contains(["Standard", "Premium"], var.firewall_sku_tier)
+ error_message = "The sku must be one of the following: Standard, Premium"
+ }
 }
 variable "virtual_machine_size" {
From ec8fa91e0512da04c44c258e94f74b2537499898 Mon Sep 17 00:00:00 2001
From: cshea15
Date: Mon, 25 Sep 2023 16:18:40 -0400
Subject: [PATCH 05/11] update files
---
 quickstart/201-azfw-multi-addresses/main.tf | 25 +++++++++---------- .../201-azfw-multi-addresses/outputs.tf | 2 +- quickstart/201-azfw-multi-addresses/readme.md | 2 +- 3 files changed, 14 insertions(+), 15 deletions(-)
diff --git a/quickstart/201-azfw-multi-addresses/main.tf b/quickstart/201-azfw-multi-addresses/main.tf
index 8cd1d9a65..c6fa8f48b 100644
--- a/quickstart/201-azfw-multi-addresses/main.tf
+++ b/quickstart/201-azfw-multi-addresses/main.tf
@@ -3,6 +3,7 @@ resource "random_pet" "rg_name" {
 }
 resource "random_password" "password" {
+ count = 2
 length = 20
 min_lower = 1
 min_upper = 1
@@ -15,9 +16,9 @@ resource "azurerm_resource_group" "rg" {
 name = random_pet.rg_name.id
 location = var.resource_group_location
 }
+
 resource "azurerm_public_ip_prefix" "pip_prefix" {
- count = 2
- name = "pip-prefix-${count.index + 1}"
+ name = "pip-prefix"
 location = azurerm_resource_group.rg.location
 resource_group_name = azurerm_resource_group.rg.name
 sku = "Standard"
@@ -25,13 +26,12 @@ resource "azurerm_public_ip_prefix" "pip_prefix" {
 }
 resource "azurerm_public_ip" "pip_azfw" {
- count = 2
- name = "pip-azfw-${count.index + 1}"
+ name = "pip-azfw"
 location = azurerm_resource_group.rg.location
 resource_group_name = azurerm_resource_group.rg.name
 sku = "Standard"
 allocation_method = "Static"
- public_ip_prefix_id = azurerm_public_ip_prefix.pip_prefix[count.index].id
+ public_ip_prefix_id = azurerm_public_ip_prefix.pip_prefix.id
 }
 resource "azurerm_virtual_network" "azfw_vnet" {
@@ -56,7 +56,7 @@ resource "azurerm_subnet" "backend_subnet" {
 }
 resource "azurerm_network_interface" "backend_nic" {
- count = 2
+ count = 2
 name = "nic-backend-${count.index + 1}"
 location = azurerm_resource_group.rg.location
 resource_group_name = azurerm_resource_group.rg.name
@@ -86,7 +86,7 @@ resource "azurerm_network_security_group" "backend_nsg" {
 }
 resource "azurerm_network_interface_security_group_association" "vm_backend_nsg_association" {
- count = 2
+ count = 2
 network_interface_id = azurerm_network_interface.backend_nic[count.index].id
 network_security_group_id = azurerm_network_security_group.backend_nsg.id
 }
@@ -98,7 +98,7 @@ resource "azurerm_windows_virtual_machine" "vm_backend" {
 location = azurerm_resource_group.rg.location
 size = var.virtual_machine_size
 admin_username = var.admin_username
- admin_password = random_password.password.result
+ admin_password = random_password.password[count.index].result
 network_interface_ids = [azurerm_network_interface.backend_nic[count.index].id]
 os_disk {
 caching = "ReadWrite"
@@ -178,7 +178,7 @@ resource "azurerm_firewall_policy_rule_collection_group" "policy_rule_collection
 translated_address = "10.10.1.4"
 translated_port = "3389"
 source_addresses = ["*"]
- destination_address = azurerm_public_ip.pip_azfw[count.index].ip_address
+ destination_address = azurerm_public_ip.pip_azfw.ip_address
 destination_ports = ["3389"]
 }
 rule {
@@ -187,7 +187,7 @@ resource "azurerm_firewall_policy_rule_collection_group" "policy_rule_collection
 translated_address = "10.10.1.5"
 translated_port = "3389"
 source_addresses = ["*"]
- destination_address = azurerm_public_ip.pip_azfw[count.index].ip_address
+ destination_address = azurerm_public_ip.pip_azfw.ip_address
 destination_ports = ["3389"]
 }
 }
@@ -200,10 +200,9 @@ resource "azurerm_firewall" "fw" {
 sku_name = "AZFW_VNet"
 sku_tier = var.firewall_sku_tier
 ip_configuration {
- count = 2
- name = "azfw-ipconfig-${count.index + 1}"
+ name = "azfw-ipconfig"
 subnet_id = azurerm_subnet.azfw_subnet.id
- public_ip_address_id = azurerm_public_ip.pip_azfw[count.index].id
+ public_ip_address_id = azurerm_public_ip.pip_azfw.id
 }
 firewall_policy_id = azurerm_firewall_policy.azfw_policy.id
 }
diff --git a/quickstart/201-azfw-multi-addresses/outputs.tf b/quickstart/201-azfw-multi-addresses/outputs.tf
index 2deac2a36..f00ff985d 100644
--- a/quickstart/201-azfw-multi-addresses/outputs.tf
+++ b/quickstart/201-azfw-multi-addresses/outputs.tf
@@ -3,6 +3,6 @@ output "resource_group_name" {
 }
 output "backend_admin_password" {
 sensitive = true
- value = azurerm_windows_virtual_machine.vm_backend.admin_password
+ value = azurerm_windows_virtual_machine.vm_backend.*.admin_password
 }
diff --git a/quickstart/201-azfw-multi-addresses/readme.md b/quickstart/201-azfw-multi-addresses/readme.md
index f601bd811..76afbb7f8 100644
--- a/quickstart/201-azfw-multi-addresses/readme.md
+++ b/quickstart/201-azfw-multi-addresses/readme.md
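Review bot: With the second public IP removed earlier in this patch, `rdp-02` now has exactly the same match criteria as `rdp-01` — `source_addresses = ["*"]`, `destination_address = azurerm_public_ip.pip_azfw.ip_address`, `destination_ports = ["3389"]` — but a different `translated_address`, so the two DNAT rules conflict and at most one backend VM can be reached (the `@@ -178,7` hunk makes the same change to rdp-01). Either keep one public IP per backend VM, which is what the template's title promises, or give rdp-02 a distinct `destination_ports` value while leaving `translated_port = "3389"` unchanged. The rule collection group that contains these rules starts outside the hunk.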
@@ -1,6 +1,6 @@
 # Deploy Azure Firewall with multiple public IP addresses
-This template deploys an [Azure Firewall](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/firewall) with [Public IP Prefixes]
+This template deploys an [Azure Firewall](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/firewall) with multiple [Public IP Address](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/public_ip) from a public IP address prefix. The deployed firewall has NAT rule collection rules that allow RDP connections to two Windows Server 2019 virtual machines.\
 ## Terraform resource types
From 00d4ef3f0ce2d3e85d2670b6d50ab5bb4e2626ca Mon Sep 17 00:00:00 2001
From: cshea15
Date: Mon, 2 Oct 2023 20:37:33 -0400
Subject: [PATCH 06/11] update files from comments
---
 quickstart/201-azfw-multi-addresses/readme.md | 10 +++++----- quickstart/201-azfw-multi-addresses/variables.tf | 2 ++ 2 files changed, 7 insertions(+), 5 deletions(-)
diff --git a/quickstart/201-azfw-multi-addresses/readme.md b/quickstart/201-azfw-multi-addresses/readme.md
index 76afbb7f8..c909c77a0 100644
--- a/quickstart/201-azfw-multi-addresses/readme.md
+++ b/quickstart/201-azfw-multi-addresses/readme.md
@@ -25,8 +25,8 @@ This template deploys an [Azure Firewall](https://registry.terraform.io/provider
 | Name | Description | Default value |
 |-|-|-|
-| `resource_group_location` | location for your resources | eastus |
-| `firewall_sku_tier` | Sku size for your Firewall and Firewall Policy | Standard |
-| `resource_group_name_prefix` | Prefix for your resource group | rg |
-| `virtual_machine_size` | Sku size for your jump and workload vms | Standard_D2_v3 |
-| `admin_username` | admin username for the jump and workload vms | azureuser |
\ No newline at end of file
+| `resource_group_location` | The location of the resource group | eastus |
+| `firewall_sku_tier` | The sku size for your Firewall and Firewall Policy | Possible values: Standard, Premium |
+| `resource_group_name_prefix` | Prefix of the resource group name that's combined with a random ID so that name is unique in your Azure subscription | rg |
+| `virtual_machine_size` | The sku size for your jump and workload VMs | Standard_D2_v3 |
+| `admin_username` | THe admin username for the jump and workload VMs | azureuser |
\ No newline at end of file
diff --git a/quickstart/201-azfw-multi-addresses/variables.tf b/quickstart/201-azfw-multi-addresses/variables.tf
index 5abb6c492..d48ebf42d 100644
--- a/quickstart/201-azfw-multi-addresses/variables.tf
+++ b/quickstart/201-azfw-multi-addresses/variables.tf
@@ -27,5 +27,7 @@ variable "virtual_machine_size" {
 }
 variable "admin_username" {
+ type = string
+ description = "value of the admin username."
 default = "azureuser"
 }
From 44857345c7f860f7e4524b608c45acca777bb745 Mon Sep 17 00:00:00 2001
From: cshea15
Date: Mon, 2 Oct 2023 21:32:54 -0400
Subject: [PATCH 07/11] update changes to files
---
 quickstart/201-azfw-multi-addresses/main.tf | 15 ++++++++++++++- quickstart/201-azfw-multi-addresses/variables.tf | 4 ++-- 2 files changed, 16 insertions(+), 3 deletions(-)
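Review bot: The added `description = "value of the admin username."` only restates the variable's name and tells the user nothing about where the name is used; `description = "Administrator username for the two backend Windows virtual machines."` would document its actual role. The readme row updated in the same patch still calls it the username for "jump and workload VMs", which no longer matches the `vm_backend` resources this template creates, so the two descriptions should be brought into line with each other.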
diff --git a/quickstart/201-azfw-multi-addresses/main.tf b/quickstart/201-azfw-multi-addresses/main.tf
index c6fa8f48b..8d252f1a8 100644
--- a/quickstart/201-azfw-multi-addresses/main.tf
+++ b/quickstart/201-azfw-multi-addresses/main.tf
@@ -3,7 +3,7 @@ resource "random_pet" "rg_name" {
 }
 resource "random_password" "password" {
- count = 2
+ count = 2
 length = 20
 min_lower = 1
 min_upper = 1
@@ -34,6 +34,15 @@ resource "azurerm_public_ip" "pip_azfw" {
 public_ip_prefix_id = azurerm_public_ip_prefix.pip_prefix.id
 }
+resource "azurerm_public_ip" "pip_azfw_2" {
+ name = "pip-azfw-1"
+ location = azurerm_resource_group.rg.location
+ resource_group_name = azurerm_resource_group.rg.name
+ sku = "Standard"
+ allocation_method = "Static"
+ public_ip_prefix_id = azurerm_public_ip_prefix.pip_prefix.id
+}
+
 resource "azurerm_virtual_network" "azfw_vnet" {
 name = "azfw-vnet"
 location = azurerm_resource_group.rg.location
@@ -204,6 +213,10 @@ resource "azurerm_firewall" "fw" {
 subnet_id = azurerm_subnet.azfw_subnet.id
 public_ip_address_id = azurerm_public_ip.pip_azfw.id
 }
+ ip_configuration {
+ name = "azfw-ipconfig-2"
+ public_ip_address_id = azurerm_public_ip.pip_azfw_2.id
+ }
 firewall_policy_id = azurerm_firewall_policy.azfw_policy.id
 }
diff --git a/quickstart/201-azfw-multi-addresses/variables.tf b/quickstart/201-azfw-multi-addresses/variables.tf
index d48ebf42d..f33081003 100644
--- a/quickstart/201-azfw-multi-addresses/variables.tf
+++ b/quickstart/201-azfw-multi-addresses/variables.tf
@@ -27,7 +27,7 @@ variable "virtual_machine_size" {
 }
 variable "admin_username" {
- type = string
+ type = string
 description = "value of the admin username."
- default = "azureuser"
+ default = "azureuser"
 }
From 477932520dea57cf0246ef2d0119826c99a6fd26 Mon Sep 17 00:00:00 2001
From: cshea15
Date: Tue, 3 Oct 2023 17:10:50 -0400
Subject: [PATCH 08/11] updating readme
---
 quickstart/201-azfw-multi-addresses/readme.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-)
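Review bot: `pip_azfw_2` is attached to the firewall as a second `ip_configuration`, but neither DNAT rule is updated to use it, so rdp-01 and rdp-02 (outside these hunks) still both match `azurerm_public_ip.pip_azfw.ip_address` on port 3389 and the new address carries no inbound traffic; rdp-02 needs `destination_address = azurerm_public_ip.pip_azfw_2.ip_address` for the second public IP to do anything. The Terraform label is `pip_azfw_2` while its Azure name is `"pip-azfw-1"` and the first address is `"pip-azfw"`, which will confuse anyone matching portal resources to the configuration; a `count = 2` on the existing `pip_azfw` resource with a `dynamic "ip_configuration"` block would avoid the duplicated resource and make the DNAT references index-based again. The `azurerm_firewall` resource begins outside the `@@ -204,6 +213,10 @@` hunk.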
diff --git a/quickstart/201-azfw-multi-addresses/readme.md b/quickstart/201-azfw-multi-addresses/readme.md
index c909c77a0..8575980c5 100644
--- a/quickstart/201-azfw-multi-addresses/readme.md
+++ b/quickstart/201-azfw-multi-addresses/readme.md
@@ -25,8 +25,8 @@ This template deploys an [Azure Firewall](https://registry.terraform.io/provider
 | Name | Description | Default value |
 |-|-|-|
-| `resource_group_location` | The location of the resource group | eastus |
-| `firewall_sku_tier` | The sku size for your Firewall and Firewall Policy | Possible values: Standard, Premium |
-| `resource_group_name_prefix` | Prefix of the resource group name that's combined with a random ID so that name is unique in your Azure subscription | rg |
-| `virtual_machine_size` | The sku size for your jump and workload VMs | Standard_D2_v3 |
-| `admin_username` | THe admin username for the jump and workload VMs | azureuser |
\ No newline at end of file
+| `resource_group_location` | Location of the resource group | eastus |
+| `firewall_sku_tier` | SKU size for your Firewall and Firewall Policy. Possible values: Standard, Premium | Premium |
+| `resource_group_name_prefix` | Prefix of the resource group name that's combined with a random ID so that name is unique in your Azure subscription. | rg |
+| `virtual_machine_size` | SKU size for your jump and workload VMs | Standard_D2_v3 |
+| `admin_username` | THe admin username for the jump and workload VMs | azureuser |
\ No newline at end of file
From 6d957e8a997111ab31a11ba28dfe051b703e6294 Mon Sep 17 00:00:00 2001
From: cshea15
Date: Wed, 4 Oct 2023 15:02:11 -0400
Subject: [PATCH 09/11] updating providers.tf
---
 quickstart/201-azfw-multi-addresses/{provider.tf => providers.tf} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename quickstart/201-azfw-multi-addresses/{provider.tf => providers.tf} (100%)
diff --git a/quickstart/201-azfw-multi-addresses/provider.tf b/quickstart/201-azfw-multi-addresses/providers.tf
similarity index 100%
rename from quickstart/201-azfw-multi-addresses/provider.tf
rename to quickstart/201-azfw-multi-addresses/providers.tf
From f4a6a235e2c6518449447e0059902a3834fd99aa Mon Sep 17 00:00:00 2001
From: cshea15
Date: Thu, 5 Oct 2023 14:04:10 -0400
Subject: [PATCH 10/11] update file with changes
---
 quickstart/101-azfw-with-fwpolicy/variables.tf | 2 +- quickstart/201-azfw-multi-addresses/outputs.tf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/quickstart/101-azfw-with-fwpolicy/variables.tf b/quickstart/101-azfw-with-fwpolicy/variables.tf
index 570f731bf..eb12bf647 100644
--- a/quickstart/101-azfw-with-fwpolicy/variables.tf
+++ b/quickstart/101-azfw-with-fwpolicy/variables.tf
@@ -13,7 +13,7 @@ variable "resource_group_name_prefix" {
 variable "firewall_sku_tier" {
 type = string
 description = "Firewall SKU."
- default = "Standard" # Valid values are Standard and Premium
+ default = "Premium" # Valid values are Standard and Premium
 validation {
 condition = contains(["Standard", "Premium"], var.firewall_sku_tier)
 error_message = "The sku must be one of the following: Standard, Premium"
diff --git a/quickstart/201-azfw-multi-addresses/outputs.tf b/quickstart/201-azfw-multi-addresses/outputs.tf
index f00ff985d..7a255dcb3 100644
--- a/quickstart/201-azfw-multi-addresses/outputs.tf
+++ b/quickstart/201-azfw-multi-addresses/outputs.tf
@@ -3,6 +3,6 @@ output "resource_group_name" {
 }
 output "backend_admin_password" {
 sensitive = true
- value = azurerm_windows_virtual_machine.vm_backend.*.admin_password
+ value = azurerm_windows_virtual_machine.vm_backend[*].admin_password
 }
From 67de62401526292d7e1dafe8fe34ee3a5a5c52a8 Mon Sep 17 00:00:00 2001
From: cshea15
Date: Thu, 5 Oct 2023 15:33:57 -0400
Subject: [PATCH 11/11] fixed minor issues
---
 quickstart/201-azfw-multi-addresses/readme.md | 4 ++-- quickstart/201-azfw-multi-addresses/variables.tf | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/quickstart/201-azfw-multi-addresses/readme.md b/quickstart/201-azfw-multi-addresses/readme.md
index 8575980c5..c9364f504 100644
--- a/quickstart/201-azfw-multi-addresses/readme.md
+++ b/quickstart/201-azfw-multi-addresses/readme.md
@@ -1,6 +1,6 @@
 # Deploy Azure Firewall with multiple public IP addresses
-This template deploys an [Azure Firewall](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/firewall) with multiple [Public IP Address](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/public_ip) from a public IP address prefix. The deployed firewall has NAT rule collection rules that allow RDP connections to two Windows Server 2019 virtual machines.\
+This template deploys an [Azure Firewall](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/firewall) with multiple [Public IP Address](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/public_ip) from a public IP address prefix. The deployed firewall has NAT rule collection rules that allow RDP connections to two Windows Server 2019 virtual machines.
 ## Terraform resource types
@@ -27,6 +27,6 @@ This template deploys an [Azure Firewall](https://registry.terraform.io/provider
 |-|-|-|
 | `resource_group_location` | Location of the resource group | eastus |
 | `firewall_sku_tier` | SKU size for your Firewall and Firewall Policy. Possible values: Standard, Premium | Premium |
-| `resource_group_name_prefix` | Prefix of the resource group name that's combined with a random ID so that name is unique in your Azure subscription. | rg |
+| `resource_group_name_prefix` | Prefix of the resource group name that's combined with a random ID so that name is unique in your Azure subscription. | rg |
 | `virtual_machine_size` | SKU size for your jump and workload VMs | Standard_D2_v3 |
 | `admin_username` | THe admin username for the jump and workload VMs | azureuser |
\ No newline at end of file
diff --git a/quickstart/201-azfw-multi-addresses/variables.tf b/quickstart/201-azfw-multi-addresses/variables.tf
index f33081003..c3af42e47 100644
--- a/quickstart/201-azfw-multi-addresses/variables.tf
+++ b/quickstart/201-azfw-multi-addresses/variables.tf
@@ -16,7 +16,7 @@ variable "firewall_sku_tier" {
 default = "Premium" # Valid values are Standard and Premium
 validation {
 condition = contains(["Standard", "Premium"], var.firewall_sku_tier)
- error_message = "The sku must be one of the following: Standard, Premium"
+ error_message = "The SKU must be one of the following: Standard, Premium"
 }
 }
@@ -28,6 +28,6 @@ variable "virtual_machine_size" {
 variable "admin_username" {
 type = string
- description = "value of the admin username."
+ description = "Value of the admin username."
 default = "azureuser"
 }