Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

firewall quickstart with ipgroups #253

Merged
merged 15 commits into from
Oct 17, 2023
277 changes: 277 additions & 0 deletions quickstart/201-azfw-with-ipgroups/main.tf
Original file line number Diff line number Diff line change
@@ -0,0 +1,277 @@
resource "random_pet" "rg_name" {
prefix = var.resource_group_name_prefix
}

resource "random_string" "storage_account_name" {
length = 8
lower = true
numeric = false
special = false
upper = false
}

resource "random_password" "password" {
length = 20
min_lower = 1
min_upper = 1
min_numeric = 1
min_special = 1
special = true
}

resource "azurerm_resource_group" "rg" {
name = random_pet.rg_name.id
location = var.resource_group_location
}

resource "azurerm_public_ip" "pip_azfw" {
name = "pip-azfw"
location = azurerm_resource_group.rg.location
resource_group_name = azurerm_resource_group.rg.name
allocation_method = "Static"
sku = "Standard"
}

resource "azurerm_storage_account" "sa" {
name = random_string.storage_account_name.result
resource_group_name = azurerm_resource_group.rg.name
location = azurerm_resource_group.rg.location
account_tier = "Standard"
account_replication_type = "LRS"
account_kind = "StorageV2"
}

resource "azurerm_firewall_policy" "azfw_policy" {
name = "azfw-policy"
resource_group_name = azurerm_resource_group.rg.name
location = azurerm_resource_group.rg.location
sku = var.firewall_sku_tier
threat_intelligence_mode = "Alert"
}

resource "azurerm_firewall_policy_rule_collection_group" "prcg" {
name = "prcg"
firewall_policy_id = azurerm_firewall_policy.azfw_policy.id
priority = 300
application_rule_collection {
name = "app-rule-collection-1"
priority = 101
action = "Allow"
rule {
name = "someAppRule"
protocols {
type = "Https"
port = 443
}
destination_fqdns = ["*bing.com"]
source_ip_groups = [azurerm_ip_group.ip_group_1.id]
}
}
network_rule_collection {
name = "net-rule-collection-1"
priority = 200
action = "Allow"
rule {
name = "someNetRule"
protocols = ["TCP", "UDP", "ICMP"]
source_ip_groups = [azurerm_ip_group.ip_group_1.id]
destination_ip_groups = [azurerm_ip_group.ip_group_2.id]
destination_ports = ["90"]
}
}
}

resource "azurerm_firewall" "fw" {
name = "azfw"
location = azurerm_resource_group.rg.location
resource_group_name = azurerm_resource_group.rg.name
sku_name = "AZFW_VNet"
sku_tier = var.firewall_sku_tier
ip_configuration {
name = "azfw-ipconfig"
subnet_id = azurerm_subnet.azfw_subnet.id
public_ip_address_id = azurerm_public_ip.pip_azfw.id
}
firewall_policy_id = azurerm_firewall_policy.azfw_policy.id
}

resource "azurerm_ip_group" "ip_group_1" {
name = "ip-group_1"
resource_group_name = azurerm_resource_group.rg.name
location = azurerm_resource_group.rg.location
cidrs = ["13.73.64.64/26", "13.73.208.128/25", "52.126.194.0/23"]
}
resource "azurerm_ip_group" "ip_group_2" {
name = "ip_group_2"
resource_group_name = azurerm_resource_group.rg.name
location = azurerm_resource_group.rg.location
cidrs = ["12.0.0.0/24", "13.9.0.0/24"]
}

resource "azurerm_virtual_network" "azfw_vnet" {
name = "azfw-vnet"
location = azurerm_resource_group.rg.location
resource_group_name = azurerm_resource_group.rg.name
address_space = ["10.10.0.0/16"]
}

resource "azurerm_subnet" "azfw_subnet" {
name = "AzureFirewallSubnet"
resource_group_name = azurerm_resource_group.rg.name
virtual_network_name = azurerm_virtual_network.azfw_vnet.name
address_prefixes = ["10.10.0.0/26"]
}

resource "azurerm_subnet" "server_subnet" {
name = "subnet-server"
resource_group_name = azurerm_resource_group.rg.name
virtual_network_name = azurerm_virtual_network.azfw_vnet.name
address_prefixes = ["10.10.1.0/24"]
}

resource "azurerm_subnet" "jump_subnet" {
name = "subnet-jump"
resource_group_name = azurerm_resource_group.rg.name
virtual_network_name = azurerm_virtual_network.azfw_vnet.name
address_prefixes = ["10.10.2.0/24"]
}

resource "azurerm_public_ip" "vm_jump_pip" {
name = "pip-jump"
location = azurerm_resource_group.rg.location
resource_group_name = azurerm_resource_group.rg.name
allocation_method = "Static"
sku = "Standard"
}

resource "azurerm_network_interface" "vm_server_nic" {
name = "nic-server"
location = azurerm_resource_group.rg.location
resource_group_name = azurerm_resource_group.rg.name

ip_configuration {
name = "ipconfig-workload"
subnet_id = azurerm_subnet.server_subnet.id
private_ip_address_allocation = "Dynamic"
}
}

resource "azurerm_network_interface" "vm_jump_nic" {
name = "nic-jump"
location = azurerm_resource_group.rg.location
resource_group_name = azurerm_resource_group.rg.name

ip_configuration {
name = "ipconfig-jump"
subnet_id = azurerm_subnet.jump_subnet.id
private_ip_address_allocation = "Dynamic"
public_ip_address_id = azurerm_public_ip.vm_jump_pip.id
}
}

resource "azurerm_network_security_group" "vm_server_nsg" {
name = "nsg-server"
location = azurerm_resource_group.rg.location
resource_group_name = azurerm_resource_group.rg.name
}

resource "azurerm_network_security_group" "vm_jump_nsg" {
name = "nsg-jump"
location = azurerm_resource_group.rg.location
resource_group_name = azurerm_resource_group.rg.name
security_rule {
name = "Allow-SSH"
priority = 1000
direction = "Inbound"
access = "Allow"
protocol = "Tcp"
source_port_range = "*"
destination_port_range = "22"
source_address_prefix = "*"
destination_address_prefix = "*"
}
}

resource "azurerm_network_interface_security_group_association" "vm_server_nsg_association" {
network_interface_id = azurerm_network_interface.vm_server_nic.id
network_security_group_id = azurerm_network_security_group.vm_server_nsg.id
}

resource "azurerm_network_interface_security_group_association" "vm_jump_nsg_association" {
network_interface_id = azurerm_network_interface.vm_jump_nic.id
network_security_group_id = azurerm_network_security_group.vm_jump_nsg.id
}

resource "azurerm_linux_virtual_machine" "vm_server" {
name = "server-vm"
resource_group_name = azurerm_resource_group.rg.name
location = azurerm_resource_group.rg.location
size = var.virtual_machine_size
admin_username = var.admin_username
admin_ssh_key {
username = var.admin_username
public_key = jsondecode(azapi_resource_action.ssh_public_key_gen.output).publicKey
}
network_interface_ids = [azurerm_network_interface.vm_server_nic.id]
os_disk {
caching = "ReadWrite"
storage_account_type = "Standard_LRS"
}
source_image_reference {
publisher = "Canonical"
offer = "UbuntuServer"
sku = "18.04-LTS"
version = "latest"
}
boot_diagnostics {
storage_account_uri = azurerm_storage_account.sa.primary_blob_endpoint
}
}

resource "azurerm_linux_virtual_machine" "vm_jump" {
name = "jump-vm"
resource_group_name = azurerm_resource_group.rg.name
location = azurerm_resource_group.rg.location
size = var.virtual_machine_size
network_interface_ids = [azurerm_network_interface.vm_jump_nic.id]
admin_username = var.admin_username
os_disk {
caching = "ReadWrite"
storage_account_type = "Standard_LRS"
}
admin_ssh_key {
username = var.admin_username
public_key = jsondecode(azapi_resource_action.ssh_public_key_gen.output).publicKey
}
source_image_reference {
publisher = "Canonical"
offer = "UbuntuServer"
sku = "18.04-LTS"
version = "latest"
}
boot_diagnostics {
storage_account_uri = azurerm_storage_account.sa.primary_blob_endpoint
}
computer_name = "JumpBox"

}

resource "azurerm_route_table" "rt" {
name = "rt-azfw-eus"
location = azurerm_resource_group.rg.location
resource_group_name = azurerm_resource_group.rg.name
disable_bgp_route_propagation = false
route {
name = "azfwDefaultRoute"
address_prefix = "0.0.0.0/0"
next_hop_type = "VirtualAppliance"
next_hop_in_ip_address = azurerm_firewall.fw.ip_configuration[0].private_ip_address
}
}

resource "azurerm_subnet_route_table_association" "jump_subnet_rt_association" {
subnet_id = azurerm_subnet.server_subnet.id
route_table_id = azurerm_route_table.rt.id
}


7 changes: 7 additions & 0 deletions quickstart/201-azfw-with-ipgroups/outputs.tf
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
output "resource_group_name" {
value = azurerm_resource_group.rg.name
}

output "firewall_name" {
value = azurerm_firewall.fw.name
}
20 changes: 20 additions & 0 deletions quickstart/201-azfw-with-ipgroups/providers.tf
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
terraform {
required_providers {
azurerm = {
source = "hashicorp/azurerm"
version = "~>3.0"
}
random = {
source = "hashicorp/random"
version = "~>3.0"
}
azapi = {
source = "azure/azapi"
version = "~>1.5"
}
}
}

provider "azurerm" {
features {}
}
36 changes: 36 additions & 0 deletions quickstart/201-azfw-with-ipgroups/readme.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,36 @@
# Deploying Azure Firewall with IP Groups

This template deploys an [Azure Firewall](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/firewall) with [IP Groups](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/ip_group) used in a network rule and application rule. An IP Group is a top-level resource that allows you to define and group IP addresses, ranges, and subnets into a single object. IP Group is useful for managing IP addresses in Azure Firewall rules.

## Terraform resource types

- [azurerm_resource_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group)
- [azurerm_virtual_network](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_network)
- [azurerm_subnet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet)
- [azurerm_ip_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/ip_group)
- [azurerm_public_ip](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/public_ip)
- [azurerm_firewall_policy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/firewall_policy)
- [azurerm_firewall_policy_rule_collection_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/firewall_policy_rule_collection_group)
- [azurerm_firewall](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/firewall)
- [azurerm_network_interface](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_interface)
- [azurerm_network_security_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_security_group)
- [azurerm_network_interface_security_group_association](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_interface_security_group_association)
- [azurerm_route_table](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/route_table)
- [azurerm_subnet_route_table_association](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet_route_table_association)
- [azurerm_linux_virtual_machine](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/linux_virtual_machine)
- [azurerm_storage_account](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account)
- [random_password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password)
- [random_pet](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/pet)
- [random_string](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string)

## Variables

| Name | Description | Default value |
|-|-|-|
| `resource_group_location` | Location of the resource group | eastus |
| `firewall_sku_tier` | SKU size for your Firewall and Firewall Policy. Possible values: Standard, Premium | Premium |
| `resource_group_name_prefix` | Prefix of the resource group name that's combined with a random ID so that name is unique in your Azure subscription. | rg |
| `virtual_machine_size` | SKU size for your jump and workload VMs | Standard_D2_v3 |
| `admin_username` | The admin username for the jump and workload VMs | azureuser |

## Example
25 changes: 25 additions & 0 deletions quickstart/201-azfw-with-ipgroups/ssh.tf
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@
resource "random_pet" "ssh_key_name" {
prefix = "ssh"
separator = ""
}

resource "azapi_resource_action" "ssh_public_key_gen" {
type = "Microsoft.Compute/sshPublicKeys@2022-11-01"
resource_id = azapi_resource.ssh_public_key.id
action = "generateKeyPair"
method = "POST"

response_export_values = ["publicKey", "privateKey"]
}

resource "azapi_resource" "ssh_public_key" {
type = "Microsoft.Compute/sshPublicKeys@2022-11-01"
name = random_pet.ssh_key_name.id
location = azurerm_resource_group.rg.location
parent_id = azurerm_resource_group.rg.id
}

output "key_data" {
value = jsondecode(azapi_resource_action.ssh_public_key_gen.output).publicKey
}

Loading