
Commit 92dacc7

Merge pull request microsoft#67 from vhorne/fw-upgrade
add firewall
2 parents cefacf9 + 8a9d094 commit 92dacc7

3 files changed

+272
-0
lines changed

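--- /dev/null
+++ b/[file 1: path not shown on page]
@@ -0,0 +1,109 @@
+terraform {
+
+required_version = ">=0.12"
+
+required_providers {
+azurerm = {
+source = "hashicorp/azurerm"
+version = ">=2.46.0"
+}
+}
+}
+
+provider "azurerm" {
+features {}
+}
+
+resource "azurerm_resource_group" "rg" {
+name = "test-resources"
+location = var.resource_group_location
+}
+
+resource "azurerm_virtual_network" "vnet" {
+name = "testvnet"
+address_space = ["10.0.0.0/16"]
+location = azurerm_resource_group.rg.location
+resource_group_name = azurerm_resource_group.rg.name
+}
+
+resource "azurerm_subnet" "subnet" {
+name = "AzureFirewallSubnet"
+resource_group_name = azurerm_resource_group.rg.name
+virtual_network_name = azurerm_virtual_network.vnet.name
+address_prefixes = ["10.0.1.0/24"]
+}
+
+resource "azurerm_public_ip" "pip" {
+name = "testpip"
+location = azurerm_resource_group.rg.location
+resource_group_name = azurerm_resource_group.rg.name
+allocation_method = "Static"
+sku = "Standard"
+}
+
+resource "azurerm_firewall" "fw" {
+name = "testfirewall"
+location = azurerm_resource_group.rg.location
+resource_group_name = azurerm_resource_group.rg.name
+
+ip_configuration {
+name = "configuration"
+subnet_id = azurerm_subnet.subnet.id
+public_ip_address_id = azurerm_public_ip.pip.id
+}
+}
+
+resource "azurerm_firewall_application_rule_collection" "app-rc" {
+name = "apptestcollection"
+azure_firewall_name = azurerm_firewall.fw.name
+resource_group_name = azurerm_resource_group.rg.name
+priority = 100
+action = "Allow"
+
+rule {
+name = "testrule"
+
+source_addresses = [
+"10.0.0.0/16",
+]
+
+target_fqdns = [
+"*.google.com",
+]
+
+protocol {
+port = "443"
+type = "Https"
+}
+}
+}
+
+resource "azurerm_firewall_network_rule_collection" "net-rc" {
+name = "apptestcollection"
+azure_firewall_name = azurerm_firewall.fw.name
+resource_group_name = azurerm_resource_group.rg.name
+priority = 100
+action = "Allow"
+
+rule {
+name = "dnsrule"
+
+source_addresses = [
+"10.0.0.0/16",
+]
+
+destination_ports = [
+"53",
+]
+
+destination_addresses = [
+"8.8.8.8",
+"8.8.4.4",
+]
+
+protocols = [
+"TCP",
+"UDP",
+]
+}
+}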
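Review bot: The network rule collection `net-rc` reuses the application collection's name — its second `name = "apptestcollection"` line in the `azurerm_firewall_network_rule_collection` block — which reads as a copy/paste slip, makes the two collections indistinguishable by name in logs and the portal, and, if Azure requires collection names to be unique per firewall, would only surface at apply time since `terraform plan` does not check it; `name = "nettestcollection"` matches the resource label. The template also leaves `threat_intel_mode` at the provider default, which the plan output in the README shows as `"Alert"`, so threat-intelligence matches are logged but not blocked; if the sample is meant to enforce, add `threat_intel_mode = "Deny"` to `azurerm_firewall.fw`. Nothing in the change routes firewall logs anywhere (no `azurerm_monitor_diagnostic_setting`), so rule hits from this sample are not observable outside the portal; a one-line README note or a follow-up resource would close that gap.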
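--- /dev/null
+++ b/[file 2: path not shown on page]
@@ -0,0 +1,160 @@
+# Azure Firewall Standard
+
+This template deploys an [Azure Firewall](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/firewall) with classic application and network rules.
+
+## Resources
+
+| Terraform Resource Type | Description |
+| - | - |
+| `azurerm_resource_group` | The resource group all the deployed resources.|
+| `azurerm_virtual_network` | The virtual network for the firewall. |
+| `azurerm_subnet` |The firewall subnet.|
+| `azurerm_public_ip` | The firewall public IP address. |
+| `azurerm_firewall` | The standard Azure Firewall. |
+| `azurerm_firewall_application_rule_collection` | The application rule collection. |
+| `azurerm_firewall_network_rule_collection` | The network rule collection. |
+
+## Variables
+
+| Name | Description |
+|-|-|
+| `resource_group_location` | Resource group location |
+
+## Example
+
+```bash
+$ terraform plan -out main.tfplan
+
+Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
++ create
+
+Terraform will perform the following actions:
+
+# azurerm_firewall.fw will be created
++ resource "azurerm_firewall" "fw" {
++ id = (known after apply)
++ location = "eastus"
++ name = "testfirewall"
++ resource_group_name = "test-resources"
++ sku_name = (known after apply)
++ sku_tier = (known after apply)
++ threat_intel_mode = "Alert"
+
++ ip_configuration {
++ name = "configuration"
++ private_ip_address = (known after apply)
++ public_ip_address_id = (known after apply)
++ subnet_id = (known after apply)
+}
+}
+
+# azurerm_firewall_application_rule_collection.app-rc will be created
++ resource "azurerm_firewall_application_rule_collection" "app-rc" {
++ action = "Allow"
++ azure_firewall_name = "testfirewall"
++ id = (known after apply)
++ name = "apptestcollection"
++ priority = 100
++ resource_group_name = "test-resources"
+
++ rule {
++ name = "testrule"
++ source_addresses = [
++ "10.0.0.0/16",
+]
++ target_fqdns = [
++ "*.google.com",
+]
+
++ protocol {
++ port = 443
++ type = "Https"
+}
+}
+}
+
+# azurerm_firewall_network_rule_collection.net-rc will be created
++ resource "azurerm_firewall_network_rule_collection" "net-rc" {
++ action = "Allow"
++ azure_firewall_name = "testfirewall"
++ id = (known after apply)
++ name = "apptestcollection"
++ priority = 100
++ resource_group_name = "test-resources"
+
++ rule {
++ destination_addresses = [
++ "8.8.4.4",
++ "8.8.8.8",
+]
++ destination_fqdns = []
++ destination_ip_groups = []
++ destination_ports = [
++ "53",
+]
++ name = "dnsrule"
++ protocols = [
++ "TCP",
++ "UDP",
+]
++ source_addresses = [
++ "10.0.0.0/16",
+]
++ source_ip_groups = []
+}
+}
+
+# azurerm_public_ip.pip will be created
++ resource "azurerm_public_ip" "pip" {
++ allocation_method = "Static"
++ availability_zone = (known after apply)
++ fqdn = (known after apply)
++ id = (known after apply)
++ idle_timeout_in_minutes = 4
++ ip_address = (known after apply)
++ ip_version = "IPv4"
++ location = "eastus"
++ name = "testpip"
++ resource_group_name = "test-resources"
++ sku = "Standard"
++ zones = (known after apply)
+}
+
+# azurerm_resource_group.rg will be created
++ resource "azurerm_resource_group" "rg" {
++ id = (known after apply)
++ location = "eastus"
++ name = "test-resources"
+}
+
+# azurerm_subnet.subnet will be created
++ resource "azurerm_subnet" "subnet" {
++ address_prefix = (known after apply)
++ address_prefixes = [
++ "10.0.1.0/24",
+]
++ enforce_private_link_endpoint_network_policies = false
++ enforce_private_link_service_network_policies = false
++ id = (known after apply)
++ name = "AzureFirewallSubnet"
++ resource_group_name = "test-resources"
++ virtual_network_name = "testvnet"
+}
+
+# azurerm_virtual_network.vnet will be created
++ resource "azurerm_virtual_network" "vnet" {
++ address_space = [
++ "10.0.0.0/16",
+]
++ dns_servers = (known after apply)
++ guid = (known after apply)
++ id = (known after apply)
++ location = "eastus"
++ name = "testvnet"
++ resource_group_name = "test-resources"
++ subnet = (known after apply)
++ vm_protection_enabled = false
+}
+
+Plan: 7 to add, 0 to change, 0 to destroy.
+```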
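--- /dev/null
+++ b/[file 3: path not shown on page]
@@ -0,0 +1,3 @@
+variable "resource_group_location" {
+default = "eastus"
+}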
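Review bot: The variable declares neither a `type` nor a `description`, so the README table is the only record of its meaning and any value type is accepted at plan time; adding `type        = string` and `description = "Resource group location"` (the wording the README already uses) keeps the two in step and lets `terraform validate` reject a wrong type. The README shows `eastus` as the default, which matches the `default` here.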
