
Add Firewall Policy #331

Merged
merged 17 commits into from
Apr 14, 2022

Conversation

krowlandson
Contributor

@krowlandson krowlandson commented Apr 8, 2022

Overview/Summary

This PR adds an azurerm_firewall_policy resource for each azurerm_firewall created by the module.

To enable DNS proxy settings, each Azure Firewall needs to be associated with an Azure Firewall Policy. The Azure Firewall Policy also enables other firewall settings to be configured, including:

  • base_policy_id
  • private_ip_ranges
  • sku (should match the firewall sku)
  • threat_intelligence_mode
  • threat_intelligence_allowlist
  • identity
  • insights
  • intrusion_detection

Note: not all of these settings are exposed directly through the module.

This PR fixes/adds/changes/removes

  1. Adds an azurerm_firewall_policy resource for each azurerm_firewall created by the module
  2. Enables the enable_dns_proxy feature flag for Azure Firewall settings (enabled via the attached Firewall Policy), including the ability to set custom dns_servers
  3. Updates the debug output for the connectivity child module to ensure all locals are included

Although no issue is logged for adding the firewall policy, this requirement was identified as part of the work for #287.

  1. Add the ability to set names for the azurerm_public_ip resource types (previously missing) as discussed in How can I rename resources? #332
  2. Fix Feature Request - Add AZ Support for Azure Firewall in Secure vHub Model #336

Breaking Changes

  1. Added the following new settings to the configure_connectivity_resources.settings.hub_networks[*].config.azure_firewall.config input object to enable configuration of common settings for the new azurerm_firewall_policy resources:
    1. dns_servers
    2. base_policy_id
    3. private_ip_ranges
    4. threat_intelligence_mode
    5. threat_intelligence_allowlist
  2. As part of addressing How can I rename resources? #332, we also fixed some addressing inconsistencies where the name field was being addressed by a different scope than the other properties. To improve consistency and flatten the scope object, we have updated the following resources:
    1. Setting the name field for azurerm_virtual_network_gateway["expressroute"] has been updated to azurerm_virtual_network_gateway["connectivity_expressroute"]
    2. Setting all other fields for azurerm_virtual_network_gateway["connectivity"]["ergw"] has been updated to azurerm_virtual_network_gateway["connectivity_expressroute"]
    3. Setting all fields for azurerm_public_ip["connectivity"]["ergw"] has been updated to azurerm_public_ip["connectivity_expressroute"]
    4. Setting the name field for azurerm_virtual_network_gateway["vpngw"] has been updated to azurerm_virtual_network_gateway["connectivity_vpn"]
    5. Setting all other fields for azurerm_virtual_network_gateway["connectivity"]["vpngw"] has been updated to azurerm_virtual_network_gateway["connectivity_vpn"]
    6. Setting all fields for azurerm_public_ip["connectivity"]["vpn"] has been updated to azurerm_public_ip["connectivity_vpn"]
    7. Setting all fields for azurerm_public_ip["connectivity"]["azfw"] has been updated to azurerm_public_ip["connectivity_firewall"]

IMPORTANT: Customers who have already used the advanced settings to set custom values on any of the above resource types must take care when upgrading. Please review your code and verify your plan carefully when upgrading to avoid unexpected reconfiguration or redeployment of resources.

The following is an example showing the required config object for azure_firewall settings:

  azure_firewall = {
    enabled = true
    config = {
      address_prefix                = "10.100.0.0/24"
      enable_dns_proxy              = true             # NOW WORKING
      dns_servers                   = []               # NEW
      sku_tier                      = ""               # NEW
      base_policy_id                = ""               # NEW
      private_ip_ranges             = []               # NEW
      threat_intelligence_mode      = ""               # NEW
      threat_intelligence_allowlist = []               # NEW
      availability_zones = {
        zone_1 = true
        zone_2 = true
        zone_3 = true
      }
    }
  }

The following is an example advanced config object reflecting some of these changes:

  advanced = {
    custom_settings_by_resource_type = {
      azurerm_public_ip = {
        connectivity_expressroute = {
          (var.location) = {
            name = "pip-ergw-${var.location}"
          }
        }
        connectivity_vpn = {
          (var.location) = {
            name = "pip-vpngw-${var.location}"
          }
        }
        connectivity_firewall = {
          (var.location) = {
            name = "pip-fw-${var.location}"
          }
        }
      }
      azurerm_firewall = {
        connectivity = {
          (var.location) = {
            name = "fw-${var.location}"
          }
        }
        virtual_wan = {
          (var.location) = {
            name = "fw-hub-${var.location}"
          }
        }
      }
      azurerm_firewall_policy = {
        connectivity = {
          (var.location) = {
            name = "fwp-${var.location}"
          }
        }
        virtual_wan = {
          (var.location) = {
            name = "fwp-hub-${var.location}"
          }
        }
      }
    }
  }

Testing Evidence

Please provide any testing evidence to show that your Pull Request works/fixes as described and planned (include screenshots, if appropriate).

azurerm_firewall_policy_outputs

azurerm_firewall_policy_for_hub

azurerm_firewall_policy_for_vwan

Evidence of DNS changes

Evidence of name changes

As part of this Pull Request I have

  • Checked for duplicate Pull Requests
  • Associated it with relevant issues, for tracking and closure.
  • Ensured my code/branch is up-to-date with the latest changes in the main branch
  • Performed testing and provided evidence.
  • Updated relevant and associated documentation.
  • Updated the "What's New?" wiki page (located in the Enterprise-Scale repo in the directory: /docs/wiki/whats-new.md)
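The module config object in the PR description maps onto a pair of provider resources: an azurerm_firewall_policy that carries the DNS proxy, threat intelligence and private IP range settings, and an azurerm_firewall that references it through firewall_policy_id. The following is an added, stand-alone example written for this page (it is not the module's code and not part of the PR) showing that pairing with the azurerm provider directly, so the security-relevant fields the PR exposes can be seen on the underlying resources. Resource names, the resource group, the 10.100.0.0/24 hub address space, the DNS server 10.100.1.4 and the allowlist entries are constructed placeholders.

```hcl
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0"
    }
  }
}

provider "azurerm" {
  features {}
}

variable "location" {
  type    = string
  default = "eastus" # placeholder region
}

resource "azurerm_resource_group" "hub" {
  name     = "rg-connectivity-example" # constructed name
  location = var.location
}

# Hub virtual network with the mandatory AzureFirewallSubnet.
resource "azurerm_virtual_network" "hub" {
  name                = "vnet-hub-${var.location}"
  resource_group_name = azurerm_resource_group.hub.name
  location            = azurerm_resource_group.hub.location
  address_space       = ["10.100.0.0/16"] # constructed address space
}

resource "azurerm_subnet" "firewall" {
  name                 = "AzureFirewallSubnet" # fixed name required by Azure Firewall
  resource_group_name  = azurerm_resource_group.hub.name
  virtual_network_name = azurerm_virtual_network.hub.name
  address_prefixes     = ["10.100.0.0/24"] # matches address_prefix in the module config
}

resource "azurerm_public_ip" "firewall" {
  name                = "pip-fw-${var.location}"
  resource_group_name = azurerm_resource_group.hub.name
  location            = azurerm_resource_group.hub.location
  allocation_method   = "Static"
  sku                 = "Standard"
}

# The policy holds the settings the PR adds to the module config object.
resource "azurerm_firewall_policy" "hub" {
  name                = "fwp-${var.location}"
  resource_group_name = azurerm_resource_group.hub.name
  location            = azurerm_resource_group.hub.location
  sku                 = "Standard" # must match sku_tier on the firewall below

  # "Deny" blocks traffic to and from Microsoft threat intelligence feeds;
  # "Alert" only logs, and "Off" disables the check entirely.
  threat_intelligence_mode = "Deny"

  # Exceptions to the threat intelligence feed (constructed placeholders).
  threat_intelligence_allowlist {
    ip_addresses = ["203.0.113.10"]
    fqdns        = ["allowed.example.com"]
  }

  # Traffic to these ranges is not SNATed; keep it to RFC 1918 unless you
  # have a reason to widen it, since anything outside is source-NATed.
  private_ip_ranges = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

  # enable_dns_proxy / dns_servers in the module config map onto this block.
  # Clients resolve through the firewall, so FQDN rules see the same answers
  # the client received; servers is a constructed custom resolver address.
  dns {
    proxy_enabled = true
    servers       = ["10.100.1.4"]
  }
}

resource "azurerm_firewall" "hub" {
  name                = "fw-${var.location}"
  resource_group_name = azurerm_resource_group.hub.name
  location            = azurerm_resource_group.hub.location
  sku_name            = "AZFW_VNet"
  sku_tier            = "Standard" # same tier as the policy sku
  firewall_policy_id  = azurerm_firewall_policy.hub.id

  ip_configuration {
    name                 = "configuration"
    subnet_id            = azurerm_subnet.firewall.id
    public_ip_address_id = azurerm_public_ip.firewall.id
  }
}
```

When reviewing a plan for this pairing, the two fields worth checking first are threat_intelligence_mode (an empty or "Off" value silently removes the feed-based block) and dns.proxy_enabled, which must be true before the custom servers list has any effect on FQDN-based rules.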

@krowlandson krowlandson added the enhancement New feature or request label Apr 8, 2022
@krowlandson krowlandson added this to the v1.2.0 release milestone Apr 8, 2022
@krowlandson
Contributor Author

/azp run unit

@krowlandson krowlandson requested a review from matt-FFFFFF April 14, 2022 12:05
@azure-pipelines

Azure Pipelines successfully started running 1 pipeline(s).

Member

@matt-FFFFFF matt-FFFFFF left a comment


:shipit:

@krowlandson
Contributor Author

/azp run e2e

@azure-pipelines

Azure Pipelines successfully started running 1 pipeline(s).

Successfully merging this pull request may close these issues.

Feature Request - Add AZ Support for Azure Firewall in Secure vHub Model