Common Azure module to generate an Azure Firewall and its dedicated subnet.
| Module version | Terraform version | AzureRM version |
|---|---|---|
| >= 7.x.x | 1.3.x | >= 3.0 |
| >= 6.x.x | 1.x | >= 3.0 |
| >= 5.x.x | 0.15.x | >= 2.0 |
| >= 4.x.x | 0.13.x / 0.14.x | >= 2.0 |
| >= 3.x.x | 0.12.x | >= 2.0 |
| >= 2.x.x | 0.12.x | < 2.0 |
| < 2.x.x | 0.11.x | < 2.0 |
If you want to contribute to this repository, feel free to use our pre-commit git hook configuration which will help you automatically update and format some files for you by enforcing our Terraform code module best-practices.
More details are available in the CONTRIBUTING.md file.
This module is optimized to work with the Claranet terraform-wrapper tool
which set some terraform variables in the environment needed by this module.
More details about variables set by the terraform-wrapper available in the documentation.
module "azure_region" {
source = "claranet/regions/azurerm"
version = "x.x.x"
azure_region = var.azure_region
}
module "rg" {
source = "claranet/rg/azurerm"
version = "x.x.x"
location = module.azure_region.location
client_name = var.client_name
environment = var.environment
stack = var.stack
}
module "vnet" {
source = "claranet/vnet/azurerm"
version = "x.x.x"
environment = var.environment
location = module.azure_region.location
location_short = module.azure_region.location_short
client_name = var.client_name
stack = var.stack
resource_group_name = module.rg.resource_group_name
vnet_cidr = ["10.10.0.0/16"]
}
module "logs" {
source = "claranet/run/azurerm//modules/logs"
version = "x.x.x"
client_name = var.client_name
environment = var.environment
stack = var.stack
location = module.azure_region.location
location_short = module.azure_region.location_short
resource_group_name = module.rg.resource_group_name
}
module "firewall" {
source = "claranet/firewall/azurerm"
version = "x.x.x"
location = module.azure_region.location
location_short = module.azure_region.location_short
client_name = var.client_name
environment = var.environment
stack = var.stack
resource_group_name = module.rg.resource_group_name
virtual_network_name = module.vnet.virtual_network_name
subnet_cidr = "10.10.0.0/22"
network_rule_collections = [
{
name = "RuleCollection1"
priority = 100
action = "Allow"
rules = [
{
name = "AllowSSHFromWorkload1ToWorkload2"
source_addresses = ["10.11.1.0/24"]
destination_ports = ["22"]
destination_addresses = ["10.11.2.0/24"]
protocols = ["TCP"]
destination_fqdns = null
destination_ip_groups = null
source_ip_groups = null
},
{
name = "AllowRDPFromWorkload1ToWorkload2"
source_addresses = ["10.11.1.0/24"]
destination_ports = ["3389"]
destination_addresses = ["10.11.2.0/24"]
protocols = ["TCP"]
destination_fqdns = null
destination_ip_groups = null
source_ip_groups = null
}
]
}
]
application_rule_collections = [
{
name = "AppRuleCollection1"
priority = 101
action = "Allow"
rules = [
{
name = "AllowGoogle"
source_addresses = ["10.11.1.0/24", "10.11.2.0/24"]
target_fqdns = ["*.google.com", "*.google.fr"]
source_ip_groups = null
protocols = [
{
port = "443"
type = "Https"
},
{
port = "80"
type = "Http"
}
]
}
]
}
]
nat_rule_collections = [
{
name = "NatRuleCollection1"
priority = 100
action = "Dnat"
rules = [
{
name = "RedirectWeb"
source_addresses = ["*"]
destination_ports = ["80"]
destination_addresses = ["x.x.x.x"] # Firewall public IP Address
translated_port = 80
translated_address = "10.10.1.4"
protocols = ["TCP", "UDP"]
source_ip_groups = null
}
]
}
]
logs_destinations_ids = [
module.logs.logs_storage_account_id,
module.logs.log_analytics_workspace_id
]
}| Name | Version |
|---|---|
| azurecaf | ~> 1.2, >= 1.2.22 |
| azurerm | ~> 3.39 |
| Name | Source | Version |
|---|---|---|
| diagnostics | claranet/diagnostic-settings/azurerm | ~> 6.5.0 |
| firewall_subnet | claranet/subnet/azurerm | 7.0.0 |
| Name | Type |
|---|---|
| azurerm_firewall.firewall | resource |
| azurerm_firewall_application_rule_collection.application_rule_collection | resource |
| azurerm_firewall_nat_rule_collection.nat_rule_collection | resource |
| azurerm_firewall_network_rule_collection.network_rule_collection | resource |
| azurerm_public_ip.firewall_public_ip | resource |
| azurerm_resource_group_template_deployment.firewall_workbook_logs | resource |
| azurecaf_name.firewall | data source |
| azurecaf_name.firewall_pip | data source |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| additional_public_ips | List of additional public ips' ids to attach to the firewall. | list(object({ |
[] |
no |
| application_rule_collections | Create an application rule collection | list(object({ |
null |
no |
| client_name | Client name/account used in naming | string |
n/a | yes |
| custom_diagnostic_settings_name | Custom name of the diagnostics settings, name will be 'default' if not set. | string |
"default" |
no |
| custom_firewall_name | Optional custom firewall name | string |
"" |
no |
| default_tags_enabled | Option to enable or disable default tags | bool |
true |
no |
| deploy_log_workbook | Deploy Azure Workbook Log in log analytics workspace. GitHub Azure | bool |
true |
no |
| dns_servers | DNS Servers to use with Azure Firewall. Using this also activate DNS Proxy. | list(string) |
null |
no |
| environment | Project environment | string |
n/a | yes |
| extra_tags | Extra tags to add | map(string) |
{} |
no |
| firewall_policy_id | Attach an existing firewall policy to this firewall. Cannot be used in conjuction with network_rule_collections, application_rule_collections and nat_rule_collections variables. |
string |
null |
no |
| firewall_private_ip_ranges | A list of SNAT private CIDR IP ranges, or the special string IANAPrivateRanges, which indicates Azure Firewall does not SNAT when the destination IP address is a private range per IANA RFC 1918. |
list(string) |
null |
no |
| ip_configuration_name | Name of the ip_configuration block. https://www.terraform.io/docs/providers/azurerm/r/firewall.html#ip_configuration | string |
"ip_configuration" |
no |
| location | Azure region to use | string |
n/a | yes |
| location_short | Short string for Azure location. | string |
n/a | yes |
| logs_categories | Log categories to send to destinations. | list(string) |
null |
no |
| logs_destinations_ids | List of destination resources IDs for logs diagnostic destination. Can be Storage Account, Log Analytics Workspace and Event Hub. No more than one of each can be set.If you want to specify an Azure EventHub to send logs and metrics to, you need to provide a formated string with both the EventHub Namespace authorization send ID and the EventHub name (name of the queue to use in the Namespace) separated by the ` |
` character. | list(string) |
n/a |
| logs_metrics_categories | Metrics categories to send to destinations. | list(string) |
null |
no |
| name_prefix | Optional prefix for the generated name | string |
"" |
no |
| name_suffix | Optional suffix for the generated name | string |
"" |
no |
| nat_rule_collections | Create a Nat rule collection | list(object({ |
null |
no |
| network_rule_collections | Create a network rule collection | list(object({ |
null |
no |
| public_ip_custom_name | Custom name for the public IP | string |
null |
no |
| public_ip_ddos_protection_mode | The ddos protection mode to use for the firewall's public address. | string |
"VirtualNetworkInherited" |
no |
| public_ip_zones | Public IP zones to configure. | list(number) |
[ |
no |
| resource_group_name | Resource group name | string |
n/a | yes |
| sku_tier | SKU tier of the Firewall. Possible values are Premium and Standard |
string |
"Standard" |
no |
| stack | Project stack name | string |
n/a | yes |
| subnet_cidr | The address prefix to use for the firewall's subnet | string |
n/a | yes |
| use_caf_naming | Use the Azure CAF naming provider to generate default resource name. custom_name override this if set. Legacy default name is used if this is set to false. |
bool |
true |
no |
| virtual_network_name | Name of the vnet attached to the firewall. | string |
n/a | yes |
| zones | Optional - Specifies a list of Availability Zones in which this Azure Firewall should be located. Changing this forces a new Azure Firewall to be created. | list(number) |
null |
no |
| Name | Description |
|---|---|
| firewall_id | Firewall generated id |
| firewall_name | Firewall name |
| private_ip_address | Firewall private IP |
| public_ip_address | Firewall public IP |
| subnet_id | ID of the subnet attached to the firewall |
- docs.microsoft.com/en-us/azure/firewall/overview
- docs.microsoft.com/en-us/azure/firewall/tutorial-firewall-deploy-portal
- docs.microsoft.com/en-us/azure/firewall/tutorial-firewall-dnat
- docs.microsoft.com/en-us/azure/firewall/rule-processing
- docs.microsoft.com/en-us/azure/firewall/firewall-diagnostics
- github.com/Azure/Azure-Network-Security/tree/master/Azure%20Firewall/Workbook%20-%20Azure%20Firewall%20Monitor%20Workbook
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent