make firewall mandatory when deploying hub

Azure · Oct 1, 2024 · 42f05af · 42f05af
1 parent ee592c7
commit 42f05af
Show file tree

Hide file tree

Showing 7 changed files with 31 additions and 73 deletions.
diff --git a/scenarios/aca-internal/azure-resource-manager/main-portal-ux.json b/scenarios/aca-internal/azure-resource-manager/main-portal-ux.json
@@ -239,22 +239,6 @@
                             "infoMessages": [],
                             "visible": true
                         },
-                        {
-                            "name": "enableFirewall",
-                            "type": "Microsoft.Common.CheckBox",
-                            "label": "Deploy Firewall",
-                            "subLabel": "",
-                            "defaultValue": true,
-                            "toolTip": "Enable or disable the creation a firewall in your hub network. It will not deploy if you don't enable hub network.",
-                            "constraints": {
-                              "required": false,
-                              "regex": "",
-                              "validationMessage": "",
-                              "validations": []
-                            },
-                            "infoMessages": [],
-                            "visible": true
-                        },
                         {
                             "name": "vnetAddressPrefixes",
                             "type": "Microsoft.Common.TextBox",

diff --git a/scenarios/aca-internal/azure-resource-manager/main.json b/scenarios/aca-internal/azure-resource-manager/main.json
@@ -5,7 +5,7 @@
     "_generator": {
       "name": "bicep",
       "version": "0.28.1.47646",
-      "templateHash": "4056363143713580873"
+      "templateHash": "1012743836202009324"
     }
   },
   "parameters": {
@@ -54,13 +54,6 @@
         "description": "Optional. Enable or disable the creation of the Hub network and it's supporting services."
       }
     },
-    "enableFirewall": {
-      "type": "bool",
-      "defaultValue": true,
-      "metadata": {
-        "description": "Optional. Enable or disable the creation of the Azure Firewall. Can't deploy a Firewall without deploying hub network."
-      }
-    },
     "hubResourceGroupName": {
       "type": "string",
       "defaultValue": "",
@@ -311,9 +304,6 @@
           "tags": {
             "value": "[parameters('tags')]"
           },
-          "enableFirewall": {
-            "value": "[parameters('enableFirewall')]"
-          },
           "hubResourceGroupName": {
             "value": "[variables('rgHubName')]"
           },
@@ -355,7 +345,7 @@
             "_generator": {
               "name": "bicep",
               "version": "0.28.1.47646",
-              "templateHash": "12305222078806844999"
+              "templateHash": "17895406598349441412"
             }
           },
           "parameters": {
@@ -407,13 +397,6 @@
                 "description": "Enable or disable the creation of the Azure Bastion."
               }
             },
-            "enableFirewall": {
-              "type": "bool",
-              "defaultValue": true,
-              "metadata": {
-                "description": "Enable or disable the creation of the Azure Bastion."
-              }
-            },
             "bastionSku": {
               "type": "string",
               "defaultValue": "Basic",
@@ -467,11 +450,22 @@
                 "properties": {
                   "addressPrefix": "[parameters('gatewaySubnetAddressPrefix')]"
                 }
+              },
+              {
+                "name": "[variables('azureFirewallSubnetName')]",
+                "properties": {
+                  "addressPrefix": "[parameters('azureFirewallSubnetAddressPrefix')]"
+                }
+              },
+              {
+                "name": "[variables('AzureFirewallManagementSubnetName')]",
+                "properties": {
+                  "addressPrefix": "[parameters('azureFirewallSubnetManagementAddressPrefix')]"
+                }
               }
             ],
             "bastionSubnetName": "AzureBastionSubnet",
-            "bastionSubnets": "[if(parameters('enableBastion'), concat(variables('defaultSubnets'), createArray(createObject('name', variables('bastionSubnetName'), 'properties', createObject('addressPrefix', parameters('bastionSubnetAddressPrefix'))))), variables('defaultSubnets'))]",
-            "vnetSubnets": "[if(parameters('enableFirewall'), concat(variables('bastionSubnets'), createArray(createObject('name', variables('azureFirewallSubnetName'), 'properties', createObject('addressPrefix', parameters('azureFirewallSubnetAddressPrefix'))), createObject('name', variables('AzureFirewallManagementSubnetName'), 'properties', createObject('addressPrefix', parameters('azureFirewallSubnetManagementAddressPrefix'))))), variables('bastionSubnets'))]",
+            "vnetSubnets": "[if(parameters('enableBastion'), concat(variables('defaultSubnets'), createArray(createObject('name', variables('bastionSubnetName'), 'properties', createObject('addressPrefix', parameters('bastionSubnetAddressPrefix'))))), variables('defaultSubnets'))]",
             "namingRules": "[json(variables('$fxv#0'))]",
             "rgHubName": "[if(not(empty(parameters('hubResourceGroupName'))), parameters('hubResourceGroupName'), format('{0}-{1}-hub-{2}-{3}', variables('namingRules').resourceTypeAbbreviations.resourceGroup, parameters('workloadName'), parameters('environment'), variables('namingRules').regionAbbreviations[toLower(parameters('location'))]))]"
           },
@@ -927,7 +921,6 @@
               }
             },
             {
-              "condition": "[parameters('enableFirewall')]",
               "type": "Microsoft.Resources/deployments",
               "apiVersion": "2022-09-01",
               "name": "[take(format('afw-{0}', deployment().name), 64)]",
@@ -3325,7 +3318,7 @@
               "metadata": {
                 "description": "The private IP address of the Azure Firewall."
               },
-              "value": "[if(parameters('enableFirewall'), reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, variables('rgHubName')), 'Microsoft.Resources/deployments', take(format('afw-{0}', deployment().name), 64)), '2022-09-01').outputs.afwPrivateIp.value, '')]"
+              "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, variables('rgHubName')), 'Microsoft.Resources/deployments', take(format('afw-{0}', deployment().name), 64)), '2022-09-01').outputs.afwPrivateIp.value]"
             }
           }
         }

diff --git a/scenarios/aca-internal/azure-resource-manager/main.parameters.jsonc b/scenarios/aca-internal/azure-resource-manager/main.parameters.jsonc
@@ -13,9 +13,6 @@
     "tags": {
         "value": {}
     },
-    "enableFirewall": {
-      "value": true
-    },
     "deployHub": {
       "value": true
     },

diff --git a/scenarios/aca-internal/bicep/main.bicep b/scenarios/aca-internal/bicep/main.bicep
@@ -24,9 +24,6 @@ param tags object = {}
 @description('Optional. Enable or disable the creation of the Hub network and it\'s supporting services.')
 param deployHub bool = true
 
-@description('Optional. Enable or disable the creation of the Azure Firewall. Can\'t deploy a Firewall without deploying hub network.')
-param enableFirewall bool = true
-
 @description('Optional. The name of the hub resource group to create the resources in. If set, it overrides the name generated by the template.')
 param hubResourceGroupName string = ''
 
@@ -159,7 +156,6 @@ module hub 'modules/01-hub/deploy.hub.bicep' = if (deployHub) {
   params: {
     location: location
     tags: tags
-    enableFirewall: enableFirewall
     hubResourceGroupName: rgHubName
     environment: environment
     workloadName: workloadName

diff --git a/scenarios/aca-internal/bicep/main.parameters.jsonc b/scenarios/aca-internal/bicep/main.parameters.jsonc
@@ -13,9 +13,6 @@
     "tags": {
         "value": {}
     },
-    "enableFirewall": {
-      "value": true
-    },
     "deployHub": {
       "value": true
     },

diff --git a/scenarios/aca-internal/bicep/modules/01-hub/deploy.hub.bicep b/scenarios/aca-internal/bicep/modules/01-hub/deploy.hub.bicep
@@ -28,9 +28,6 @@ param vnetAddressPrefixes array
 @description('Enable or disable the creation of the Azure Bastion.')
 param enableBastion bool
 
-@description('Enable or disable the creation of the Azure Bastion.')
-param enableFirewall bool = true
-
 @description('Bastion sku, default is basic')
 @allowed([
   'Basic'
@@ -73,13 +70,25 @@ var defaultSubnets = [
       addressPrefix: gatewaySubnetAddressPrefix      
     }
   }
+  {
+    name: azureFirewallSubnetName
+    properties: {
+      addressPrefix: azureFirewallSubnetAddressPrefix
+    }
+  }
+  {
+    name: AzureFirewallManagementSubnetName
+    properties: {
+      addressPrefix: azureFirewallSubnetManagementAddressPrefix
+    }
+  }
 ]
 
 // This cannot be another value
 var bastionSubnetName = 'AzureBastionSubnet'
 
 // Append optional bastion subnet, if required
-var bastionSubnets = enableBastion ? concat(defaultSubnets, [
+var vnetSubnets = enableBastion ? concat(defaultSubnets, [
     {
       name: bastionSubnetName
       properties: {
@@ -88,21 +97,6 @@ var bastionSubnets = enableBastion ? concat(defaultSubnets, [
     }
   ]) : defaultSubnets
 
-var vnetSubnets = enableFirewall ? concat(bastionSubnets, [
-  {
-    name: azureFirewallSubnetName
-    properties: {
-      addressPrefix: azureFirewallSubnetAddressPrefix
-    }
-  }
-  {
-    name: AzureFirewallManagementSubnetName
-    properties: {
-      addressPrefix: azureFirewallSubnetManagementAddressPrefix
-    }
-  }
-]) : bastionSubnets
-
 //used only to override the RG name - because it is created at the subscription level, the naming module cannot be loaded/used
 var namingRules = json(loadTextContent('../../../../shared/bicep/naming/naming-rules.jsonc'))
 var rgHubName = !empty(hubResourceGroupName) ? hubResourceGroupName : '${namingRules.resourceTypeAbbreviations.resourceGroup}-${workloadName}-hub-${environment}-${namingRules.regionAbbreviations[toLower(location)]}'
@@ -154,7 +148,7 @@ module vnetHub '../../../../shared/bicep/network/vnet.bicep' = {
 }
 
 @description('The Azure Firewall deployment. This would normally be already provisioned by your platform team.')
-module azfw './modules/azureFirewall.bicep' = if (enableFirewall) {
+module azfw './modules/azureFirewall.bicep' =  {
   scope: hubResourceGroup
   name: take('afw-${deployment().name}', 64)
   params: {
@@ -200,4 +194,4 @@ output hubVnetName string = vnetHub.outputs.vnetName
 output resourceGroupName string = hubResourceGroup.name
 
 @description('The private IP address of the Azure Firewall.')
-output networkApplianceIpAddress string = enableFirewall ? azfw.outputs.afwPrivateIp : ''
+output networkApplianceIpAddress string =  azfw.outputs.afwPrivateIp 
diff --git a/scenarios/aca-internal/bicep/modules/01-hub/deploy.hub.parameters.jsonc b/scenarios/aca-internal/bicep/modules/01-hub/deploy.hub.parameters.jsonc
@@ -25,9 +25,6 @@
     "enableBastion": {
       "value": true
     },
-    "enableFirewall": {
-      "value": true
-    },
     "spokeInfraSubnetAddressPrefix": {
       "value":  "10.1.0.0/23"
     },