From ed29f3c468701a3c87063ccd816613eaa2a65f2e Mon Sep 17 00:00:00 2001 From: Charles Shea Date: Tue, 22 Aug 2023 19:02:39 -0400 Subject: [PATCH 01/11] adding azfw quickstarts --- quickstart/101-azfw-with-fwpolicy/README.md | 230 ++++++++ quickstart/101-azfw-with-fwpolicy/main.tf | 153 +++++ quickstart/101-azfw-with-fwpolicy/outputs.tf | 3 + quickstart/101-azfw-with-fwpolicy/provider.tf | 16 + .../101-azfw-with-fwpolicy/variables.tf | 18 + quickstart/201-azfw-with-secure-hub/README.md | 543 ++++++++++++++++++ quickstart/201-azfw-with-secure-hub/main.tf | 370 ++++++++++++ .../201-azfw-with-secure-hub/outputs.tf | 3 + .../201-azfw-with-secure-hub/provider.tf | 16 + .../201-azfw-with-secure-hub/variables.tf | 30 + 10 files changed, 1382 insertions(+) create mode 100644 quickstart/101-azfw-with-fwpolicy/README.md create mode 100644 quickstart/101-azfw-with-fwpolicy/main.tf create mode 100644 quickstart/101-azfw-with-fwpolicy/outputs.tf create mode 100644 quickstart/101-azfw-with-fwpolicy/provider.tf create mode 100644 quickstart/101-azfw-with-fwpolicy/variables.tf create mode 100644 quickstart/201-azfw-with-secure-hub/README.md create mode 100644 quickstart/201-azfw-with-secure-hub/main.tf create mode 100644 quickstart/201-azfw-with-secure-hub/outputs.tf create mode 100644 quickstart/201-azfw-with-secure-hub/provider.tf create mode 100644 quickstart/201-azfw-with-secure-hub/variables.tf diff --git a/quickstart/101-azfw-with-fwpolicy/README.md b/quickstart/101-azfw-with-fwpolicy/README.md new file mode 100644 index 000000000..5fb781393 --- /dev/null +++ b/quickstart/101-azfw-with-fwpolicy/README.md 
@@ -0,0 +1,230 @@ +# Deploy Azure Firewall and a Firewall Policy + +This template deploys an Azure Firewall and a Firewall Policy. The Firewall Policy is associated to the Firewall. + +## Resources + +| Terraform Resource Type | Description | +| - | - | +| `azurerm_resource_group` | The resource group all the deployed resources.| +| `azurerm_virtual_network` | The virtual network for the firewall. | +| `azurerm_subnet` |The firewall subnet.| +| `azurerm_public_ip` | The firewall public IP address. | +| `azurerm_firewall` | The premium Azure Firewall. | +| `azurerm_firewall_policy` | The policy associated to the Firewall | +| `azurerm_firewall_policy_rule_collection_group` | the rules collection group for firewall policy | +| `azurerm_ip_group` | The IP group for source addresses. | + +## Variables + +| Name | Description | +|-|-| +| `location` | location for your resources | +| `tags` | tags to organize your resources | +| `fw_sku` | Sku size for your Firewall and Firewall Policy | + +## Example + +```powershell +terraform plan -out main.tfplan + + # azurerm_firewall.fw will be created + + resource "azurerm_firewall" "fw" { + + firewall_policy_id = (known after apply) + + id = (known after apply) + + location = "eastus" + + name = "azfw" + + resource_group_name = "azfw-rg" + + sku_name = "AZFW_VNet" + + sku_tier = "Premium" + + threat_intel_mode = (known after apply) + + + ip_configuration { + + name = "azfw-ipconfig" + + private_ip_address = (known after apply) + + public_ip_address_id = (known after apply) + + subnet_id = (known after apply) + } + } + + # azurerm_firewall_policy.azfw_policy will be created + + resource "azurerm_firewall_policy" "azfw_policy" { + + child_policies = (known after apply) + + firewalls = (known after apply) + + id = (known after apply) + + location = "eastus" + + name = "azfw-policy" + + resource_group_name = "azfw-rg" + + rule_collection_groups = (known after apply) + + sku = "Premium" + + threat_intelligence_mode = "Alert" + } + + # 
azurerm_firewall_policy_rule_collection_group.app_policy_rule_collection_group will be created + + resource "azurerm_firewall_policy_rule_collection_group" "app_policy_rule_collection_group" { + + firewall_policy_id = (known after apply) + + id = (known after apply) + + name = "DefaulApplicationtRuleCollectionGroup" + + priority = 300 + + + application_rule_collection { + + action = "Allow" + + name = "DefaultApplicationRuleCollection" + + priority = 500 + + + rule { + + description = "Allow Windows Update" + + destination_fqdn_tags = [ + + "WindowsUpdate", + ] + + name = "AllowWindowsUpdate" + + source_ip_groups = (known after apply) + + + protocols { + + port = 80 + + type = "Http" + } + + protocols { + + port = 443 + + type = "Https" + } + } + + rule { + + description = "Allow access to Microsoft.com" + + destination_fqdns = [ + + "*.microsoft.com", + ] + + name = "Global Rule" + + source_ip_groups = (known after apply) + + terminate_tls = false + + + protocols { + + port = 443 + + type = "Https" + } + } + } + } + + # azurerm_firewall_policy_rule_collection_group.net_policy_rule_collection_group will be created + + resource "azurerm_firewall_policy_rule_collection_group" "net_policy_rule_collection_group" { + + firewall_policy_id = (known after apply) + + id = (known after apply) + + name = "DefaultNetworkRuleCollectionGroup" + + priority = 200 + + + network_rule_collection { + + action = "Allow" + + name = "DefaultNetworkRuleCollection" + + priority = 200 + + + rule { + + destination_addresses = [ + + "132.86.101.172", + ] + + destination_ports = [ + + "123", + ] + + name = "time-windows" + + protocols = [ + + "UDP", + ] + + source_ip_groups = (known after apply) + } + } + } + + # azurerm_ip_group.infra_ip_group will be created + + resource "azurerm_ip_group" "infra_ip_group" { + + cidrs = [ + + "10.40.0.0/24", + + "10.50.0.0/24", + ] + + firewall_ids = (known after apply) + + firewall_policy_ids = (known after apply) + + id = (known after apply) + + location = 
"eastus" + + name = "infra-ip-group" + + resource_group_name = "azfw-rg" + } + + # azurerm_ip_group.workload_ip_group will be created + + resource "azurerm_ip_group" "workload_ip_group" { + + cidrs = [ + + "10.20.0.0/24", + + "10.30.0.0/24", + ] + + firewall_ids = (known after apply) + + firewall_policy_ids = (known after apply) + + id = (known after apply) + + location = "eastus" + + name = "workload-ip-group" + + resource_group_name = "azfw-rg" + } + + # azurerm_public_ip.pip_azfw will be created + + resource "azurerm_public_ip" "pip_azfw" { + + allocation_method = "Static" + + ddos_protection_mode = "VirtualNetworkInherited" + + fqdn = (known after apply) + + id = (known after apply) + + idle_timeout_in_minutes = 4 + + ip_address = (known after apply) + + ip_version = "IPv4" + + location = "eastus" + + name = "pip-azfw" + + resource_group_name = "azfw-rg" + + sku = "Standard" + + sku_tier = "Regional" + + tags = { + + "costcenter" = "1234556677" + + "environment" = "dev" + + "owner" = "cloud team" + + "workload" = "azure firewall" + } + } + + # azurerm_resource_group.azfw_rg will be created + + resource "azurerm_resource_group" "azfw_rg" { + + id = (known after apply) + + location = "eastus" + + name = "azfw-rg" + + tags = { + + "costcenter" = "1234556677" + + "environment" = "dev" + + "owner" = "cloud team" + + "workload" = "azure firewall" + } + } + + # azurerm_subnet.azfw_subnet will be created + + resource "azurerm_subnet" "azfw_subnet" { + + address_prefixes = [ + + "10.10.0.0/26", + ] + + enforce_private_link_endpoint_network_policies = (known after apply) + + enforce_private_link_service_network_policies = (known after apply) + + id = (known after apply) + + name = "AzureFirewallSubnet" + + private_endpoint_network_policies_enabled = (known after apply) + + private_link_service_network_policies_enabled = (known after apply) + + resource_group_name = "azfw-rg" + + virtual_network_name = "azfw-vnet" + } + + # azurerm_virtual_network.azfw_vnet will be 
created + + resource "azurerm_virtual_network" "azfw_vnet" { + + address_space = [ + + "10.10.0.0/24", + ] + + dns_servers = (known after apply) + + guid = (known after apply) + + id = (known after apply) + + location = "eastus" + + name = "azfw-vnet" + + resource_group_name = "azfw-rg" + + subnet = (known after apply) + } + +Plan: 10 to add, 0 to change, 0 to destroy. +`````` \ No newline at end of file diff --git a/quickstart/101-azfw-with-fwpolicy/main.tf b/quickstart/101-azfw-with-fwpolicy/main.tf new file mode 100644 index 000000000..c39981331 --- /dev/null +++ b/quickstart/101-azfw-with-fwpolicy/main.tf 
@@ -0,0 +1,153 @@
+
+// Create a Resource Group
+resource "azurerm_resource_group" "azfw_rg" {
+ name = "azfw-rg"
+ location = var.location
+ tags = var.tags
+}
+// Create a Virtual Network
+resource "azurerm_virtual_network" "azfw_vnet" {
+ name = "azfw-vnet"
+ location = azurerm_resource_group.azfw_rg.location
+ resource_group_name = azurerm_resource_group.azfw_rg.name
+ address_space = ["10.10.0.0/24"]
+ depends_on = [
+ azurerm_resource_group.azfw_rg
+ ]
+}
+
+// Create IP Groups
+resource "azurerm_ip_group" "workload_ip_group" {
+ name = "workload-ip-group"
+ resource_group_name = azurerm_resource_group.azfw_rg.name
+ location = azurerm_resource_group.azfw_rg.location
+ cidrs = ["10.20.0.0/24", "10.30.0.0/24"]
+ depends_on = [
+ azurerm_resource_group.azfw_rg,
+ azurerm_virtual_network.azfw_vnet
+ ]
+}
+resource "azurerm_ip_group" "infra_ip_group" {
+ name = "infra-ip-group"
+ resource_group_name = azurerm_resource_group.azfw_rg.name
+ location = azurerm_resource_group.azfw_rg.location
+ cidrs = ["10.40.0.0/24", "10.50.0.0/24"]
+ depends_on = [
+ azurerm_resource_group.azfw_rg,
+ azurerm_virtual_network.azfw_vnet
+ ]
+}
+
+// Create the Azure Firewall Subnet
+resource "azurerm_subnet" "azfw_subnet" {
+ name = "AzureFirewallSubnet"
+ resource_group_name = azurerm_resource_group.azfw_rg.name
+ virtual_network_name = azurerm_virtual_network.azfw_vnet.name
+ address_prefixes = ["10.10.0.0/26"]
+ depends_on = [
+ azurerm_resource_group.azfw_rg,
+ azurerm_virtual_network.azfw_vnet
+ ]
+}
+
+// Create a Public IP Address for Azure Firewall
+resource "azurerm_public_ip" "pip_azfw" {
+ name = "pip-azfw"
+ location = azurerm_resource_group.azfw_rg.location
+ resource_group_name = azurerm_resource_group.azfw_rg.name
+ allocation_method = "Static"
+ sku = "Standard"
+ tags = azurerm_resource_group.azfw_rg.tags
+ depends_on = [
+ azurerm_resource_group.azfw_rg
+ ]
+}
+
+// Create a Azure Firewall Policy
+resource "azurerm_firewall_policy" "azfw_policy" {
+ name = "azfw-policy"
+ resource_group_name = azurerm_resource_group.azfw_rg.name
+ location = azurerm_resource_group.azfw_rg.location
+ sku = var.fw_sku
+ threat_intelligence_mode = "Alert"
+}
+
+// Create a Network Rule Collection Group
+// Create a Network Rule Collection
+// Create rules for NTP
+resource "azurerm_firewall_policy_rule_collection_group" "net_policy_rule_collection_group" {
+ name = "DefaultNetworkRuleCollectionGroup"
+ firewall_policy_id = azurerm_firewall_policy.azfw_policy.id
+ priority = 200
+ network_rule_collection {
+ name = "DefaultNetworkRuleCollection"
+ action = "Allow"
+ priority = 200
+ rule {
+ name = "time-windows"
+ protocols = ["UDP"]
+ source_ip_groups = [azurerm_ip_group.workload_ip_group.id, azurerm_ip_group.infra_ip_group.id]
+ destination_ports = ["123"]
+ destination_addresses = ["132.86.101.172"]
+ }
+ }
+}
+
+// Create a Azure Firewall Policy Rule Collection Group
+// Create a Application Rule Collection
+// Create rules for Windows Update
+// Create rules for Microsoft.com
+resource "azurerm_firewall_policy_rule_collection_group" "app_policy_rule_collection_group" {
+ name = "DefaulApplicationtRuleCollectionGroup"
+ firewall_policy_id = azurerm_firewall_policy.azfw_policy.id
+ priority = 300
+ application_rule_collection {
+ name = "DefaultApplicationRuleCollection"
+ action = "Allow"
+ priority = 500
+ rule {
+ name = "AllowWindowsUpdate"
+
+ description = "Allow Windows Update"
+ protocols {
+ type = "Http"
+ port = 80
+ }
+ protocols {
+ type = "Https"
+ port = 443
+ }
+ source_ip_groups = [azurerm_ip_group.workload_ip_group.id, azurerm_ip_group.infra_ip_group.id]
+ destination_fqdn_tags = ["WindowsUpdate"]
+ }
+ rule {
+ name = "Global Rule"
+ description = "Allow access to Microsoft.com"
+ protocols {
+ type = "Https"
+ port = 443
+ }
+ destination_fqdns = ["*.microsoft.com"]
+ terminate_tls = false
+ source_ip_groups = [azurerm_ip_group.workload_ip_group.id, azurerm_ip_group.infra_ip_group.id]
+ }
+ }
+ depends_on = [
+ azurerm_firewall_policy.azfw_policy
+ ]
+}
+
+// Create the Azure Firewall
+resource "azurerm_firewall" "fw" {
+ name = "azfw"
+ location = azurerm_resource_group.azfw_rg.location
+ resource_group_name = azurerm_resource_group.azfw_rg.name
+ sku_name = "AZFW_VNet"
+ sku_tier = var.fw_sku
+ ip_configuration {
+ name = "azfw-ipconfig"
+ subnet_id = azurerm_subnet.azfw_subnet.id
+ public_ip_address_id = azurerm_public_ip.pip_azfw.id
+ }
+ firewall_policy_id = azurerm_firewall_policy.azfw_policy.id
+}
\ No newline at end of file
diff --git a/quickstart/101-azfw-with-fwpolicy/outputs.tf b/quickstart/101-azfw-with-fwpolicy/outputs.tf
new file mode 100644
index 000000000..67ad7df31
--- /dev/null
+++ b/quickstart/101-azfw-with-fwpolicy/outputs.tf
@@ -0,0 +1,3 @@
+output "rg_name" {
+ value = azurerm_resource_group.azfw_rg.name
+}
\ No newline at end of file
diff --git a/quickstart/101-azfw-with-fwpolicy/provider.tf b/quickstart/101-azfw-with-fwpolicy/provider.tf
new file mode 100644
index 000000000..76b5065bc
--- /dev/null
+++ b/quickstart/101-azfw-with-fwpolicy/provider.tf
@@ -0,0 +1,16 @@
+terraform {
+ required_providers {
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = "3.69.0"
+ }
+ }
+}
+
+provider "azurerm" {
+ features {
+ resource_group {
+ prevent_deletion_if_contains_resources = false // Set to True for Production
+ }
+ }
+}
diff --git a/quickstart/101-azfw-with-fwpolicy/variables.tf b/quickstart/101-azfw-with-fwpolicy/variables.tf
new file mode 100644
index 000000000..2a925a383
--- /dev/null
+++ b/quickstart/101-azfw-with-fwpolicy/variables.tf
@@ -0,0 +1,18 @@
+// Create Variables for Location and Tags
+variable "location" {
+ default = "eastus"
+}
+variable "tags" {
+ default = {
+ environment = "dev"
+ costcenter = "1234556677"
+ owner = "cloud team"
+ workload = "azure firewall"
+ }
+}
+
+// Create Firewall Variables
+variable "fw_sku" {
+ default = "Premium" # Valid values are Standard and Premium
+}
+
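Review bot: The application rule collection group in this hunk is created in Azure under a misspelt resource name, `name = "DefaulApplicationtRuleCollectionGroup"`, which will persist in the portal and in every reference to it; the same string appears in `quickstart/201-azfw-with-secure-hub/main.tf`, so both should read `name = "DefaultApplicationRuleCollectionGroup"`. The NTP network rule for `time-windows` pins a single literal address (`destination_addresses = ["132.86.101.172"]`), and the address behind a Microsoft service name can change without notice, so an FQDN-based network rule (`destination_fqdns = ["time.windows.com"]`, which requires `dns { proxy_enabled = true }` on `azurerm_firewall_policy.azfw_policy`) would be both more durable and easier to audit against intent. The policy defaults to the Premium SKU yet enables none of the Premium-only inspection (there is no `intrusion_detection` block), so a reader copying this quickstart pays for IDPS without it alerting on anything; either add `intrusion_detection { mode = "Alert" }` or say in the README that it is deliberately left off. The `depends_on` lists on the resource group, virtual network, IP group, subnet and public IP resources duplicate dependencies already implied by attribute references and can be dropped.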
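Review bot: `variable "fw_sku"` states its domain only in a trailing comment (`# Valid values are Standard and Premium`), so nothing checks the value at the input boundary and a wrong value such as `premium` surfaces, if at all, as a provider error against a resource attribute rather than as a clear message on the variable. Since the value feeds both `sku` on `azurerm_firewall_policy.azfw_policy` and `sku_tier` on `azurerm_firewall.fw` in main.tf, a `validation` block with `contains(["Standard", "Premium"], var.fw_sku)` would reject bad input up front, and `type = string` stops a non-string default from slipping in. Noting in passing that the 201 variant hard-codes its policy to `sku = "Premium"` while its firewall still reads `var.fw_sku`, so there the two can diverge if a user sets `Standard`.

```hcl
variable "fw_sku" {
  type    = string
  default = "Premium" # Valid values are Standard and Premium
  validation {
    condition     = contains(["Standard", "Premium"], var.fw_sku)
    error_message = "fw_sku must be \"Standard\" or \"Premium\"."
  }
}
```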
diff --git a/quickstart/201-azfw-with-secure-hub/README.md b/quickstart/201-azfw-with-secure-hub/README.md
new file mode 100644
index 000000000..2bdb52b85
--- /dev/null
+++ b/quickstart/201-azfw-with-secure-hub/README.md
@@ -0,0 +1,543 @@ +# Deploy Azure Firewall and a Firewall Policy + +This template deploys an Azure Firewall and a Firewall Policy to a Secure Hub. The Firewall Policy is associated with the Firewall policy. + +## Resources + +| Terraform Resource Type | Description | +| - | - | +| `azurerm_resource_group` | The resource group all the deployed resources.| +| `azurerm_virtual_wan` | The virtual wan for the virtual hub | +| `azurerm_virtual_hub` | The virtual hub for the firewall | +| `azurerm_virtual_hub_route_table` | The route table for the virtual hub | +| `azurerm_virtual_hub_connection` | The connection between the virtual hub and the virtual network spoke | +| `azurerm_public_ip` | The firewall public IP address and public access to the jump vm. | +| `azurerm_firewall_policy` | The policy associated to the Firewall | +| `azurerm_firewall_policy_rule_collection_group` | the rules collection group to add network and application rule collections for firewall policy | +| `azurerm_firewall` | The premium Azure Firewall. | +| `azurerm_virtual_network` | The virtual network for the firewall. | +| `azurerm_subnet` | The subnets for jump and workload vms. 
| +| `azurerm_network_interface` | The nics for the jump and workload vms | +| `azurerm_network_security_group` | The nsg for the jump and workload vms | +| `azurerm_network_interface_security_group_association` | The association between the nics and the nsgs | +| `azurerm_virtual_machine` | The jump and workload vms for testing | +| `azurerm_route_table` | The route table for the jump vms | +| `azurerm_subnet_route_table_association` | The association between the subnets and the route tables | +| `azurerm_virtual_hub_route_table` | The route table for the virtual hub | + +## Variables + +| Name | Description | +|-|-| +| `location` | location for your resources | +| `tags` | tags to organize your resources | +| `fw_sku` | Sku size for your Firewall and Firewall Policy | +| `vm_size` | Sku size for your jump and workload vms | +| `admin_username` | admin username for the jump and workload vms | +| `admin_password` | admin password for the jump and workload vms | + +## Example + +```powershell +Terraform used the selected providers to generate the following execution plan. 
Resource actions are indicated with the following symbols: + + create + +Terraform will perform the following actions: + + # azurerm_firewall.fw will be created + + resource "azurerm_firewall" "fw" { + + firewall_policy_id = (known after apply) + + id = (known after apply) + + location = "eastus" + + name = "fw-azfw-securehub-eus" + + resource_group_name = "rg-azfw-securehub-eus" + + sku_name = "AZFW_Hub" + + sku_tier = "Premium" + + tags = { + + "costcenter" = "1234556677" + + "environment" = "dev" + + "owner" = "cloud team" + + "workload" = "azure firewall" + } + + threat_intel_mode = (known after apply) + + + virtual_hub { + + private_ip_address = (known after apply) + + public_ip_addresses = (known after apply) + + public_ip_count = 1 + + virtual_hub_id = (known after apply) + } + } + + # azurerm_firewall_policy.azfw_policy will be created + + resource "azurerm_firewall_policy" "azfw_policy" { + + child_policies = (known after apply) + + firewalls = (known after apply) + + id = (known after apply) + + location = "eastus" + + name = "policy-azfw-securehub-eus" + + resource_group_name = "rg-azfw-securehub-eus" + + rule_collection_groups = (known after apply) + + sku = "Premium" + + tags = { + + "costcenter" = "1234556677" + + "environment" = "dev" + + "owner" = "cloud team" + + "workload" = "azure firewall" + } + + threat_intelligence_mode = "Alert" + } + + # azurerm_firewall_policy_rule_collection_group.app_policy_rule_collection_group will be created + + resource "azurerm_firewall_policy_rule_collection_group" "app_policy_rule_collection_group" { + + firewall_policy_id = (known after apply) + + id = (known after apply) + + name = "DefaulApplicationtRuleCollectionGroup" + + priority = 300 + + + application_rule_collection { + + action = "Allow" + + name = "DefaultApplicationRuleCollection" + + priority = 100 + + + rule { + + description = "Allow access to Microsoft.com" + + destination_fqdns = [ + + "*.microsoft.com", + ] + + name = "Allow-MSFT" + + 
source_addresses = [ + + "*", + ] + + terminate_tls = false + + + protocols { + + port = 443 + + type = "Https" + } + + protocols { + + port = 80 + + type = "Http" + } + } + } + } + + # azurerm_network_interface.vm_jump_nic will be created + + resource "azurerm_network_interface" "vm_jump_nic" { + + applied_dns_servers = (known after apply) + + dns_servers = (known after apply) + + enable_accelerated_networking = false + + enable_ip_forwarding = false + + id = (known after apply) + + internal_dns_name_label = (known after apply) + + internal_domain_name_suffix = (known after apply) + + location = "eastus" + + mac_address = (known after apply) + + name = "nic-jump" + + private_ip_address = (known after apply) + + private_ip_addresses = (known after apply) + + resource_group_name = "rg-azfw-securehub-eus" + + virtual_machine_id = (known after apply) + + + ip_configuration { + + gateway_load_balancer_frontend_ip_configuration_id = (known after apply) + + name = "ipconfig-jump" + + primary = (known after apply) + + private_ip_address = (known after apply) + + private_ip_address_allocation = "Dynamic" + + private_ip_address_version = "IPv4" + + public_ip_address_id = (known after apply) + + subnet_id = (known after apply) + } + } + + # azurerm_network_interface.vm_workload_nic will be created + + resource "azurerm_network_interface" "vm_workload_nic" { + + applied_dns_servers = (known after apply) + + dns_servers = (known after apply) + + enable_accelerated_networking = false + + enable_ip_forwarding = false + + id = (known after apply) + + internal_dns_name_label = (known after apply) + + internal_domain_name_suffix = (known after apply) + + location = "eastus" + + mac_address = (known after apply) + + name = "nic-workload" + + private_ip_address = (known after apply) + + private_ip_addresses = (known after apply) + + resource_group_name = "rg-azfw-securehub-eus" + + virtual_machine_id = (known after apply) + + + ip_configuration { + + 
gateway_load_balancer_frontend_ip_configuration_id = (known after apply) + + name = "ipconfig-workload" + + primary = (known after apply) + + private_ip_address = (known after apply) + + private_ip_address_allocation = "Dynamic" + + private_ip_address_version = "IPv4" + + subnet_id = (known after apply) + } + } + + # azurerm_network_interface_security_group_association.vm_jump_nsg_association will be created + + resource "azurerm_network_interface_security_group_association" "vm_jump_nsg_association" { + + id = (known after apply) + + network_interface_id = (known after apply) + + network_security_group_id = (known after apply) + } + + # azurerm_network_interface_security_group_association.vm_workload_nsg_association will be created + + resource "azurerm_network_interface_security_group_association" "vm_workload_nsg_association" { + + id = (known after apply) + + network_interface_id = (known after apply) + + network_security_group_id = (known after apply) + } + + # azurerm_network_security_group.vm_jump_nsg will be created + + resource "azurerm_network_security_group" "vm_jump_nsg" { + + id = (known after apply) + + location = "eastus" + + name = "nsg-jump" + + resource_group_name = "rg-azfw-securehub-eus" + + security_rule = [ + + { + + access = "Allow" + + description = "" + + destination_address_prefix = "*" + + destination_address_prefixes = [] + + destination_application_security_group_ids = [] + + destination_port_range = "3389" + + destination_port_ranges = [] + + direction = "Inbound" + + name = "Allow-RDP" + + priority = 300 + + protocol = "Tcp" + + source_address_prefix = "*" + + source_address_prefixes = [] + + source_application_security_group_ids = [] + + source_port_range = "*" + + source_port_ranges = [] + }, + ] + } + + # azurerm_network_security_group.vm_workload_nsg will be created + + resource "azurerm_network_security_group" "vm_workload_nsg" { + + id = (known after apply) + + location = "eastus" + + name = "nsg-workload" + + 
resource_group_name = "rg-azfw-securehub-eus" + + security_rule = (known after apply) + } + + # azurerm_public_ip.pip_azfw will be created + + resource "azurerm_public_ip" "pip_azfw" { + + allocation_method = "Static" + + ddos_protection_mode = "VirtualNetworkInherited" + + fqdn = (known after apply) + + id = (known after apply) + + idle_timeout_in_minutes = 4 + + ip_address = (known after apply) + + ip_version = "IPv4" + + location = "eastus" + + name = "pip-azfw-securehub-eus" + + resource_group_name = "rg-azfw-securehub-eus" + + sku = "Standard" + + sku_tier = "Regional" + + tags = { + + "costcenter" = "1234556677" + + "environment" = "dev" + + "owner" = "cloud team" + + "workload" = "azure firewall" + } + } + + # azurerm_public_ip.vm_jump_pip will be created + + resource "azurerm_public_ip" "vm_jump_pip" { + + allocation_method = "Static" + + ddos_protection_mode = "VirtualNetworkInherited" + + fqdn = (known after apply) + + id = (known after apply) + + idle_timeout_in_minutes = 4 + + ip_address = (known after apply) + + ip_version = "IPv4" + + location = "eastus" + + name = "pip-jump" + + resource_group_name = "rg-azfw-securehub-eus" + + sku = "Standard" + + sku_tier = "Regional" + + tags = { + + "costcenter" = "1234556677" + + "environment" = "dev" + + "owner" = "cloud team" + + "workload" = "azure firewall" + } + } + + # azurerm_resource_group.azfw_rg will be created + + resource "azurerm_resource_group" "azfw_rg" { + + id = (known after apply) + + location = "eastus" + + name = "rg-azfw-securehub-eus" + + tags = { + + "costcenter" = "1234556677" + + "environment" = "dev" + + "owner" = "cloud team" + + "workload" = "azure firewall" + } + } + + # azurerm_route_table.rt will be created + + resource "azurerm_route_table" "rt" { + + disable_bgp_route_propagation = false + + id = (known after apply) + + location = "eastus" + + name = "rt-azfw-securehub-eus" + + resource_group_name = "rg-azfw-securehub-eus" + + route = [ + + { + + address_prefix = "0.0.0.0/0" + + 
name = "jump-to-internet" + + next_hop_in_ip_address = "" + + next_hop_type = "Internet" + }, + ] + + subnets = (known after apply) + } + + # azurerm_subnet.jump_subnet will be created + + resource "azurerm_subnet" "jump_subnet" { + + address_prefixes = [ + + "10.10.2.0/24", + ] + + enforce_private_link_endpoint_network_policies = (known after apply) + + enforce_private_link_service_network_policies = (known after apply) + + id = (known after apply) + + name = "subnet-jump" + + private_endpoint_network_policies_enabled = (known after apply) + + private_link_service_network_policies_enabled = (known after apply) + + resource_group_name = "rg-azfw-securehub-eus" + + virtual_network_name = "vnet-azfw-securehub-eus" + } + + # azurerm_subnet.workload_subnet will be created + + resource "azurerm_subnet" "workload_subnet" { + + address_prefixes = [ + + "10.10.1.0/24", + ] + + enforce_private_link_endpoint_network_policies = (known after apply) + + enforce_private_link_service_network_policies = (known after apply) + + id = (known after apply) + + name = "subnet-workload" + + private_endpoint_network_policies_enabled = (known after apply) + + private_link_service_network_policies_enabled = (known after apply) + + resource_group_name = "rg-azfw-securehub-eus" + + virtual_network_name = "vnet-azfw-securehub-eus" + } + + # azurerm_subnet_route_table_association.jump_subnet_rt_association will be created + + resource "azurerm_subnet_route_table_association" "jump_subnet_rt_association" { + + id = (known after apply) + + route_table_id = (known after apply) + + subnet_id = (known after apply) + } + + # azurerm_virtual_hub.azfw_vwan_hub will be created + + resource "azurerm_virtual_hub" "azfw_vwan_hub" { + + address_prefix = "10.20.0.0/23" + + default_route_table_id = (known after apply) + + hub_routing_preference = "ExpressRoute" + + id = (known after apply) + + location = "eastus" + + name = "hub-azfw-securehub-eus" + + resource_group_name = "rg-azfw-securehub-eus" + + tags = 
{ + + "costcenter" = "1234556677" + + "environment" = "dev" + + "owner" = "cloud team" + + "workload" = "azure firewall" + } + + virtual_router_asn = (known after apply) + + virtual_router_auto_scale_min_capacity = 2 + + virtual_router_ips = (known after apply) + + virtual_wan_id = (known after apply) + } + + # azurerm_virtual_hub_connection.azfw_vwan_hub_connection will be created + + resource "azurerm_virtual_hub_connection" "azfw_vwan_hub_connection" { + + id = (known after apply) + + internet_security_enabled = true + + name = "hub-to-spoke" + + remote_virtual_network_id = (known after apply) + + virtual_hub_id = (known after apply) + + + routing { + + associated_route_table_id = (known after apply) + + + propagated_route_table { + + labels = [ + + "VNet", + ] + + route_table_ids = (known after apply) + } + } + } + + # azurerm_virtual_hub_route_table.vhub_rt will be created + + resource "azurerm_virtual_hub_route_table" "vhub_rt" { + + id = (known after apply) + + labels = [ + + "VNet", + ] + + name = "vhub-rt-azfw-securehub-eus" + + virtual_hub_id = (known after apply) + + + route { + + destinations = [ + + "0.0.0.0/0", + ] + + destinations_type = "CIDR" + + name = "InternetToFirewall" + + next_hop = (known after apply) + + next_hop_type = "ResourceId" + } + + route { + + destinations = [ + + "10.10.1.0/24", + ] + + destinations_type = "CIDR" + + name = "workload-SNToFirewall" + + next_hop = (known after apply) + + next_hop_type = "ResourceId" + } + } + + # azurerm_virtual_network.azfw_vnet will be created + + resource "azurerm_virtual_network" "azfw_vnet" { + + address_space = [ + + "10.10.0.0/16", + ] + + dns_servers = (known after apply) + + guid = (known after apply) + + id = (known after apply) + + location = "eastus" + + name = "vnet-azfw-securehub-eus" + + resource_group_name = "rg-azfw-securehub-eus" + + subnet = (known after apply) + + tags = { + + "costcenter" = "1234556677" + + "environment" = "dev" + + "owner" = "cloud team" + + "workload" = "azure 
firewall" + } + } + + # azurerm_virtual_wan.azfw_vwan will be created + + resource "azurerm_virtual_wan" "azfw_vwan" { + + allow_branch_to_branch_traffic = true + + disable_vpn_encryption = false + + id = (known after apply) + + location = "eastus" + + name = "vwan-azfw-securehub-eus" + + office365_local_breakout_category = "None" + + resource_group_name = "rg-azfw-securehub-eus" + + tags = { + + "costcenter" = "1234556677" + + "environment" = "dev" + + "owner" = "cloud team" + + "workload" = "azure firewall" + } + + type = "Standard" + } + + # azurerm_windows_virtual_machine.vm_jump will be created + + resource "azurerm_windows_virtual_machine" "vm_jump" { + + admin_password = (sensitive value) + + admin_username = "azureuser" + + allow_extension_operations = true + + bypass_platform_safety_checks_on_user_schedule_enabled = false + + computer_name = (known after apply) + + enable_automatic_updates = true + + extensions_time_budget = "PT1H30M" + + hotpatching_enabled = false + + id = (known after apply) + + location = "eastus" + + max_bid_price = -1 + + name = "jump-vm" + + network_interface_ids = (known after apply) + + patch_assessment_mode = "ImageDefault" + + patch_mode = "AutomaticByOS" + + platform_fault_domain = -1 + + priority = "Regular" + + private_ip_address = (known after apply) + + private_ip_addresses = (known after apply) + + provision_vm_agent = true + + public_ip_address = (known after apply) + + public_ip_addresses = (known after apply) + + resource_group_name = "rg-azfw-securehub-eus" + + size = "Standard_D2_v3" + + virtual_machine_id = (known after apply) + + + os_disk { + + caching = "ReadWrite" + + disk_size_gb = (known after apply) + + name = (known after apply) + + storage_account_type = "Standard_LRS" + + write_accelerator_enabled = false + } + + + source_image_reference { + + offer = "WindowsServer" + + publisher = "MicrosoftWindowsServer" + + sku = "2019-Datacenter" + + version = "latest" + } + } + + # 
azurerm_windows_virtual_machine.vm_workload will be created + + resource "azurerm_windows_virtual_machine" "vm_workload" { + + admin_password = (sensitive value) + + admin_username = "azureuser" + + allow_extension_operations = true + + bypass_platform_safety_checks_on_user_schedule_enabled = false + + computer_name = (known after apply) + + enable_automatic_updates = true + + extensions_time_budget = "PT1H30M" + + hotpatching_enabled = false + + id = (known after apply) + + location = "eastus" + + max_bid_price = -1 + + name = "workload-vm" + + network_interface_ids = (known after apply) + + patch_assessment_mode = "ImageDefault" + + patch_mode = "AutomaticByOS" + + platform_fault_domain = -1 + + priority = "Regular" + + private_ip_address = (known after apply) + + private_ip_addresses = (known after apply) + + provision_vm_agent = true + + public_ip_address = (known after apply) + + public_ip_addresses = (known after apply) + + resource_group_name = "rg-azfw-securehub-eus" + + size = "Standard_D2_v3" + + virtual_machine_id = (known after apply) + + + os_disk { + + caching = "ReadWrite" + + disk_size_gb = (known after apply) + + name = (known after apply) + + storage_account_type = "Standard_LRS" + + write_accelerator_enabled = false + } + + + source_image_reference { + + offer = "WindowsServer" + + publisher = "MicrosoftWindowsServer" + + sku = "2019-Datacenter" + + version = "latest" + } + } + +Plan: 23 to add, 0 to change, 0 to destroy. +`````` \ No newline at end of file diff --git a/quickstart/201-azfw-with-secure-hub/main.tf b/quickstart/201-azfw-with-secure-hub/main.tf new file mode 100644 index 000000000..46c99695c --- /dev/null +++ b/quickstart/201-azfw-with-secure-hub/main.tf 
@@ -0,0 +1,370 @@
+
+// Create a Resource Group
+resource "azurerm_resource_group" "azfw_rg" {
+ name = "rg-azfw-securehub-eus"
+ location = var.location
+ tags = var.tags
+}
+
+// Create resources for Azure Virtual WAN
+// Create a Azure Vwan
+resource "azurerm_virtual_wan" "azfw_vwan" {
+ name = "vwan-azfw-securehub-eus"
+ location = azurerm_resource_group.azfw_rg.location
+ resource_group_name = azurerm_resource_group.azfw_rg.name
+ tags = azurerm_resource_group.azfw_rg.tags
+ allow_branch_to_branch_traffic = true
+ disable_vpn_encryption = false
+ depends_on = [
+ azurerm_resource_group.azfw_rg
+ ]
+}
+
+// Create a Azure Vwan Hub
+resource "azurerm_virtual_hub" "azfw_vwan_hub" {
+ name = "hub-azfw-securehub-eus"
+ location = azurerm_resource_group.azfw_rg.location
+ resource_group_name = azurerm_resource_group.azfw_rg.name
+ virtual_wan_id = azurerm_virtual_wan.azfw_vwan.id
+ address_prefix = "10.20.0.0/23"
+ tags = azurerm_resource_group.azfw_rg.tags
+ depends_on = [
+ azurerm_virtual_wan.azfw_vwan
+ ]
+}
+
+// Create a Azure VWan Hub Connection
+resource "azurerm_virtual_hub_connection" "azfw_vwan_hub_connection" {
+ name = "hub-to-spoke"
+ virtual_hub_id = azurerm_virtual_hub.azfw_vwan_hub.id
+ remote_virtual_network_id = azurerm_virtual_network.azfw_vnet.id
+ internet_security_enabled = true
+ routing {
+ associated_route_table_id = azurerm_virtual_hub_route_table.vhub_rt.id
+ propagated_route_table {
+ route_table_ids = [azurerm_virtual_hub_route_table.vhub_rt.id]
+ labels = ["VNet"]
+ }
+ }
+ depends_on = [
+ azurerm_virtual_hub.azfw_vwan_hub,
+ azurerm_virtual_network.azfw_vnet
+ ]
+}
+
+// Create resources for Azure Firewall
+// Create a Public IP Address for Azure Firewall
+resource "azurerm_public_ip" "pip_azfw" {
+ name = "pip-azfw-securehub-eus"
+ location = azurerm_resource_group.azfw_rg.location
+ resource_group_name = azurerm_resource_group.azfw_rg.name
+ allocation_method = "Static"
+ sku = "Standard"
+ tags = azurerm_resource_group.azfw_rg.tags
+ depends_on = [
+ azurerm_resource_group.azfw_rg
+ ]
+}
+
+// Create a Azure Firewall Policy
+resource "azurerm_firewall_policy" "azfw_policy" {
+ name = "policy-azfw-securehub-eus"
+ resource_group_name = azurerm_resource_group.azfw_rg.name
+ location = azurerm_resource_group.azfw_rg.location
+ sku = "Premium"
+ threat_intelligence_mode = "Alert"
+ tags = azurerm_resource_group.azfw_rg.tags
+ depends_on = [
+ azurerm_resource_group.azfw_rg
+ ]
+}
+
+// Create a Azure Firewall Policy Rule Collection Group
+// Create a Application Rule Collection
+// Create rules for Windows Update
+// Create rules for Microsoft.com
+resource "azurerm_firewall_policy_rule_collection_group" "app_policy_rule_collection_group" {
+ name = "DefaulApplicationtRuleCollectionGroup"
+ firewall_policy_id = azurerm_firewall_policy.azfw_policy.id
+ priority = 300
+ application_rule_collection {
+ name = "DefaultApplicationRuleCollection"
+ action = "Allow"
+ priority = 100
+ rule {
+ name = "Allow-MSFT"
+ description = "Allow access to Microsoft.com"
+ protocols {
+ type = "Https"
+ port = 443
+ }
+ protocols {
+ type = "Http"
+ port = 80
+ }
+ destination_fqdns = ["*.microsoft.com"]
+ terminate_tls = false
+ source_addresses = ["*"]
+ }
+ }
+ depends_on = [
+ azurerm_firewall_policy.azfw_policy
+ ]
+}
+
+// Create the Azure Firewall
+resource "azurerm_firewall" "fw" {
+ name = "fw-azfw-securehub-eus"
+ location = azurerm_resource_group.azfw_rg.location
+ resource_group_name = azurerm_resource_group.azfw_rg.name
+ sku_name = "AZFW_Hub"
+ sku_tier = var.fw_sku
+ tags = azurerm_resource_group.azfw_rg.tags
+ virtual_hub {
+ virtual_hub_id = azurerm_virtual_hub.azfw_vwan_hub.id
+ public_ip_count = 1
+ }
+ firewall_policy_id = azurerm_firewall_policy.azfw_policy.id
+ depends_on = [
+ azurerm_firewall_policy.azfw_policy,
+ azurerm_virtual_hub.azfw_vwan_hub
+ ]
+}
+
+// Create Virtual Network, Subnets, PIP, NICs, NSGs, and NIC-NSG associations
+// Create a Virtual Network
+resource "azurerm_virtual_network" "azfw_vnet" {
+ name = "vnet-azfw-securehub-eus"
+ location = azurerm_resource_group.azfw_rg.location
+ resource_group_name = azurerm_resource_group.azfw_rg.name
+ address_space = ["10.10.0.0/16"]
+ tags = azurerm_resource_group.azfw_rg.tags
+ depends_on = [
+ azurerm_resource_group.azfw_rg
+ ]
+}
+
+// Create a Subnet for Workload VMs
+resource "azurerm_subnet" "workload_subnet" {
+ name = "subnet-workload"
+ resource_group_name = azurerm_resource_group.azfw_rg.name
+ virtual_network_name = azurerm_virtual_network.azfw_vnet.name
+ address_prefixes = ["10.10.1.0/24"]
+ depends_on = [
+ azurerm_virtual_network.azfw_vnet
+ ]
+}
+
+// Create a Subnet for Jump VM
+resource "azurerm_subnet" "jump_subnet" {
+ name = "subnet-jump"
+ resource_group_name = azurerm_resource_group.azfw_rg.name
+ virtual_network_name = azurerm_virtual_network.azfw_vnet.name
+ address_prefixes = ["10.10.2.0/24"]
+
+ depends_on = [
+ azurerm_virtual_network.azfw_vnet,
+ azurerm_route_table.rt
+ ]
+}
+
+// Create a NIC for Workload VM
+resource "azurerm_network_interface" "vm_workload_nic" {
+ name = "nic-workload"
+ location = azurerm_resource_group.azfw_rg.location
+ resource_group_name = azurerm_resource_group.azfw_rg.name
+
+ ip_configuration {
+ name = "ipconfig-workload"
+ subnet_id = azurerm_subnet.workload_subnet.id
+ private_ip_address_allocation = "Dynamic"
+ }
+ depends_on = [
+ azurerm_subnet.workload_subnet
+ ]
+}
+
+// Create a PIP for Jump VM
+resource "azurerm_public_ip" "vm_jump_pip" {
+ name = "pip-jump"
+ location = azurerm_resource_group.azfw_rg.location
+ resource_group_name = azurerm_resource_group.azfw_rg.name
+ allocation_method = "Static"
+ sku = "Standard"
+ tags = azurerm_resource_group.azfw_rg.tags
+ depends_on = [
+ azurerm_resource_group.azfw_rg
+ ]
+}
+
+// Create a NIC for Jump VM
+resource "azurerm_network_interface" "vm_jump_nic" {
+ name = "nic-jump"
+ location = azurerm_resource_group.azfw_rg.location
+ resource_group_name = azurerm_resource_group.azfw_rg.name
+
+ ip_configuration {
+ name = "ipconfig-jump"
+ subnet_id = azurerm_subnet.jump_subnet.id
+ private_ip_address_allocation = "Dynamic"
+ public_ip_address_id = azurerm_public_ip.vm_jump_pip.id
+ }
+ depends_on = [
+ azurerm_subnet.jump_subnet,
+ azurerm_public_ip.vm_jump_pip
+ ]
+}
+
+// Create a NSG for Workload VM
+resource "azurerm_network_security_group" "vm_workload_nsg" {
+ name = "nsg-workload"
+ location = azurerm_resource_group.azfw_rg.location
+ resource_group_name = azurerm_resource_group.azfw_rg.name
+ depends_on = [
+ azurerm_resource_group.azfw_rg
+ ]
+}
+
+// Create a NSG for Jump VM
+resource "azurerm_network_security_group" "vm_jump_nsg" {
+ name = "nsg-jump"
+ location = azurerm_resource_group.azfw_rg.location
+ resource_group_name = azurerm_resource_group.azfw_rg.name
+ security_rule {
+ name = "Allow-RDP"
+ priority = 300
+ direction = "Inbound"
+ access = "Allow"
+ protocol = "Tcp"
+ source_port_range = "*"
+ destination_port_range = "3389"
+ source_address_prefix = "*"
+ destination_address_prefix = "*"
+ }
+
+ depends_on = [
+ azurerm_resource_group.azfw_rg
+ ]
+}
+
+// Associate NSG for Workload VM NIC
+resource "azurerm_network_interface_security_group_association" "vm_workload_nsg_association" {
+ network_interface_id = azurerm_network_interface.vm_workload_nic.id
+ network_security_group_id = azurerm_network_security_group.vm_workload_nsg.id
+ depends_on = [
+ azurerm_network_interface.vm_workload_nic,
+ azurerm_network_security_group.vm_workload_nsg
+ ]
+}
+
+// Associate NSG for Jump VM NIC
+resource "azurerm_network_interface_security_group_association" "vm_jump_nsg_association" {
+ network_interface_id = azurerm_network_interface.vm_jump_nic.id
+ network_security_group_id = azurerm_network_security_group.vm_jump_nsg.id
+ depends_on = [
+ azurerm_network_interface.vm_jump_nic,
+ azurerm_network_security_group.vm_jump_nsg
+ ]
+}
+
+// Create Virtual Machines for testing
+// Create a Workload Virtual Machine
+resource "azurerm_windows_virtual_machine" "vm_workload" {
+ name = "workload-vm"
+ resource_group_name = azurerm_resource_group.azfw_rg.name
+ location = azurerm_resource_group.azfw_rg.location
+ size = var.vm_size
+ admin_username = var.admin_username
+ admin_password = var.admin_password
+ network_interface_ids = [azurerm_network_interface.vm_workload_nic.id]
+ os_disk {
+ caching = "ReadWrite"
+ storage_account_type = "Standard_LRS"
+ }
+ source_image_reference {
+ publisher = "MicrosoftWindowsServer"
+ offer = "WindowsServer"
+ sku = "2019-Datacenter"
+ version = "latest"
+ }
+ depends_on = [
+ azurerm_network_interface.vm_workload_nic
+ ]
+}
+
+// Create a Jump Virtual Machine
+resource "azurerm_windows_virtual_machine" "vm_jump" {
+ name = "jump-vm"
+ resource_group_name = azurerm_resource_group.azfw_rg.name
+ location = azurerm_resource_group.azfw_rg.location
+ size = var.vm_size
+ admin_username = var.admin_username
+ admin_password = var.admin_password
+ network_interface_ids = [azurerm_network_interface.vm_jump_nic.id]
+ os_disk {
+ caching = "ReadWrite"
+ storage_account_type = "Standard_LRS"
+ }
+ source_image_reference {
+ publisher = "MicrosoftWindowsServer"
+ offer = "WindowsServer"
+ sku = "2019-Datacenter"
+ version = "latest"
+ }
+ depends_on = [
+ azurerm_network_interface.vm_jump_nic
+ ]
+}
+
+// Create Routing for testing
+// Create a Route Table
+resource "azurerm_route_table" "rt" {
+ name = "rt-azfw-securehub-eus"
+ location = azurerm_resource_group.azfw_rg.location
+ resource_group_name = azurerm_resource_group.azfw_rg.name
+ disable_bgp_route_propagation = false
+ route {
+ name = "jump-to-internet"
+ address_prefix = "0.0.0.0/0"
+ next_hop_type = "Internet"
+ }
+ depends_on = [
+ azurerm_resource_group.azfw_rg
+ ]
+}
+
+// Associate Route Table to Jump VM Subnet
+resource "azurerm_subnet_route_table_association" "jump_subnet_rt_association" {
+ subnet_id = azurerm_subnet.jump_subnet.id
+ route_table_id = azurerm_route_table.rt.id
+ depends_on = [
+ azurerm_subnet.jump_subnet,
+ azurerm_route_table.rt
+ ]
+}
+
+// Creat a Virtual Hub Route Table
+resource "azurerm_virtual_hub_route_table" "vhub_rt" {
+ name = "vhub-rt-azfw-securehub-eus"
+ virtual_hub_id = azurerm_virtual_hub.azfw_vwan_hub.id
+ route {
+ name = "workload-SNToFirewall"
+ destinations_type = "CIDR"
+ destinations = ["10.10.1.0/24"]
+ next_hop_type = "ResourceId"
+ next_hop = azurerm_firewall.fw.id
+ }
+ route {
+ name = "InternetToFirewall"
+ destinations_type = "CIDR"
+ destinations = ["0.0.0.0/0"]
+ next_hop_type = "ResourceId"
+ next_hop = azurerm_firewall.fw.id
+ }
+ labels = ["VNet"]
+ depends_on = [
+ azurerm_virtual_hub.azfw_vwan_hub,
+ azurerm_firewall.fw
+ ]
+}
+
diff --git a/quickstart/201-azfw-with-secure-hub/outputs.tf b/quickstart/201-azfw-with-secure-hub/outputs.tf
new file mode 100644
index 000000000..67ad7df31
--- /dev/null
+++ b/quickstart/201-azfw-with-secure-hub/outputs.tf
@@ -0,0 +1,3 @@
+output "rg_name" {
+ value = azurerm_resource_group.azfw_rg.name
+}
\ No newline at end of file
diff --git a/quickstart/201-azfw-with-secure-hub/provider.tf b/quickstart/201-azfw-with-secure-hub/provider.tf
new file mode 100644
index 000000000..76b5065bc
--- /dev/null
+++ b/quickstart/201-azfw-with-secure-hub/provider.tf
@@ -0,0 +1,16 @@
+terraform {
+ required_providers {
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = "3.69.0"
+ }
+ }
+}
+
+provider "azurerm" {
+ features {
+ resource_group {
+ prevent_deletion_if_contains_resources = false // Set to True for Production
+ }
+ }
+}
diff --git a/quickstart/201-azfw-with-secure-hub/variables.tf b/quickstart/201-azfw-with-secure-hub/variables.tf
new file mode 100644
index 000000000..fd29a8593
--- /dev/null
+++ b/quickstart/201-azfw-with-secure-hub/variables.tf
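Review bot: The `Allow-RDP` rule in `azurerm_network_security_group.vm_jump_nsg` admits TCP/3389 from `source_address_prefix = "*"`, and `vm_jump_nic` attaches `vm_jump_pip`, so the jump VM's RDP port is reachable from every Internet address on a VM whose credentials come from defaults in variables.tf. Restrict the source to the operator's network, e.g. declare `variable "admin_source_cidr" { type = string }` with no default and set `source_address_prefix = var.admin_source_cidr`, or drop the public IP and reach the VM through Azure Bastion. The application rule's `source_addresses = ["*"]` is tolerable for a test spoke, but the workload subnet prefix `10.10.1.0/24` would be the tighter value. Separately, `azurerm_firewall_policy.azfw_policy` hard-codes `sku = "Premium"` while `azurerm_firewall.fw` uses `sku_tier = var.fw_sku`, so choosing `Standard` (which the variable's comment permits) may yield a policy/firewall tier mismatch at apply time; `sku = var.fw_sku` keeps the two in step.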
@@ -0,0 +1,30 @@
+// Create Variables for Location and Tags
+variable "location" {
+ default = "eastus"
+}
+variable "tags" {
+ default = {
+ environment = "dev"
+ costcenter = "1234556677"
+ owner = "cloud team"
+ workload = "azure firewall"
+ }
+}
+
+// Create Firewall Variables
+variable "fw_sku" {
+ default = "Premium" # Valid values are Standard and Premium
+}
+
+// Create Virtual Machine Sku Size Variables
+variable "vm_size" {
+ default = "Standard_D2_v3"
+}
+
+// Create Admin Username and Password
+variable "admin_username" {
+ default = "azureuser"
+}
+variable "admin_password" {
+ default = "P@ssw0rd1234!"
+}
From e46e9cec2c2feb063d5eb36deaf8c78d93de26b1 Mon Sep 17 00:00:00 2001
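Review bot: `variable "admin_password"` ships a working default (`"P@ssw0rd1234!"`) in the repository and is not marked sensitive, so every deployment of this quickstart shares a publicly known local-administrator password on both VMs, one of which is given a public IP by main.tf. Drop the default so Terraform requires the value, and mark it so it is redacted from plan and apply output: `variable "admin_password" {` / `type = string` / `sensitive = true` / `}`; the README's variables table should then describe it as required. `admin_username` defaulting to `"azureuser"` is a widely known value and could likewise be made required, and the `Standard and Premium` comment on `fw_sku` would be better expressed as a `validation` block so an invalid tier fails at plan time.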
From: Charles Shea Date: Tue, 22 Aug 2023 19:21:06 -0400 Subject: [PATCH 02/11] removing files from this branch --- quickstart/101-azfw-with-fwpolicy/README.md | 230 -------- quickstart/101-azfw-with-fwpolicy/main.tf | 153 ----- quickstart/101-azfw-with-fwpolicy/outputs.tf | 3 - quickstart/101-azfw-with-fwpolicy/provider.tf | 16 - .../101-azfw-with-fwpolicy/variables.tf | 18 - quickstart/201-azfw-with-secure-hub/README.md | 543 ------------------ quickstart/201-azfw-with-secure-hub/main.tf | 370 ------------ .../201-azfw-with-secure-hub/outputs.tf | 3 - .../201-azfw-with-secure-hub/provider.tf | 16 - .../201-azfw-with-secure-hub/variables.tf | 30 - 10 files changed, 1382 deletions(-) delete mode 100644 quickstart/101-azfw-with-fwpolicy/README.md delete mode 100644 quickstart/101-azfw-with-fwpolicy/main.tf delete mode 100644 quickstart/101-azfw-with-fwpolicy/outputs.tf delete mode 100644 quickstart/101-azfw-with-fwpolicy/provider.tf delete mode 100644 quickstart/101-azfw-with-fwpolicy/variables.tf delete mode 100644 quickstart/201-azfw-with-secure-hub/README.md delete mode 100644 quickstart/201-azfw-with-secure-hub/main.tf delete mode 100644 quickstart/201-azfw-with-secure-hub/outputs.tf delete mode 100644 quickstart/201-azfw-with-secure-hub/provider.tf delete mode 100644 quickstart/201-azfw-with-secure-hub/variables.tf diff --git a/quickstart/101-azfw-with-fwpolicy/README.md b/quickstart/101-azfw-with-fwpolicy/README.md deleted file mode 100644 index 5fb781393..000000000 --- a/quickstart/101-azfw-with-fwpolicy/README.md +++ /dev/null 
@@ -1,230 +0,0 @@ -# Deploy Azure Firewall and a Firewall Policy - -This template deploys an Azure Firewall and a Firewall Policy. The Firewall Policy is associated to the Firewall. - -## Resources - -| Terraform Resource Type | Description | -| - | - | -| `azurerm_resource_group` | The resource group all the deployed resources.| -| `azurerm_virtual_network` | The virtual network for the firewall. | -| `azurerm_subnet` |The firewall subnet.| -| `azurerm_public_ip` | The firewall public IP address. | -| `azurerm_firewall` | The premium Azure Firewall. | -| `azurerm_firewall_policy` | The policy associated to the Firewall | -| `azurerm_firewall_policy_rule_collection_group` | the rules collection group for firewall policy | -| `azurerm_ip_group` | The IP group for source addresses. | - -## Variables - -| Name | Description | -|-|-| -| `location` | location for your resources | -| `tags` | tags to organize your resources | -| `fw_sku` | Sku size for your Firewall and Firewall Policy | - -## Example - -```powershell -terraform plan -out main.tfplan - - # azurerm_firewall.fw will be created - + resource "azurerm_firewall" "fw" { - + firewall_policy_id = (known after apply) - + id = (known after apply) - + location = "eastus" - + name = "azfw" - + resource_group_name = "azfw-rg" - + sku_name = "AZFW_VNet" - + sku_tier = "Premium" - + threat_intel_mode = (known after apply) - - + ip_configuration { - + name = "azfw-ipconfig" - + private_ip_address = (known after apply) - + public_ip_address_id = (known after apply) - + subnet_id = (known after apply) - } - } - - # azurerm_firewall_policy.azfw_policy will be created - + resource "azurerm_firewall_policy" "azfw_policy" { - + child_policies = (known after apply) - + firewalls = (known after apply) - + id = (known after apply) - + location = "eastus" - + name = "azfw-policy" - + resource_group_name = "azfw-rg" - + rule_collection_groups = (known after apply) - + sku = "Premium" - + threat_intelligence_mode = "Alert" - } - - # 
azurerm_firewall_policy_rule_collection_group.app_policy_rule_collection_group will be created - + resource "azurerm_firewall_policy_rule_collection_group" "app_policy_rule_collection_group" { - + firewall_policy_id = (known after apply) - + id = (known after apply) - + name = "DefaulApplicationtRuleCollectionGroup" - + priority = 300 - - + application_rule_collection { - + action = "Allow" - + name = "DefaultApplicationRuleCollection" - + priority = 500 - - + rule { - + description = "Allow Windows Update" - + destination_fqdn_tags = [ - + "WindowsUpdate", - ] - + name = "AllowWindowsUpdate" - + source_ip_groups = (known after apply) - - + protocols { - + port = 80 - + type = "Http" - } - + protocols { - + port = 443 - + type = "Https" - } - } - + rule { - + description = "Allow access to Microsoft.com" - + destination_fqdns = [ - + "*.microsoft.com", - ] - + name = "Global Rule" - + source_ip_groups = (known after apply) - + terminate_tls = false - - + protocols { - + port = 443 - + type = "Https" - } - } - } - } - - # azurerm_firewall_policy_rule_collection_group.net_policy_rule_collection_group will be created - + resource "azurerm_firewall_policy_rule_collection_group" "net_policy_rule_collection_group" { - + firewall_policy_id = (known after apply) - + id = (known after apply) - + name = "DefaultNetworkRuleCollectionGroup" - + priority = 200 - - + network_rule_collection { - + action = "Allow" - + name = "DefaultNetworkRuleCollection" - + priority = 200 - - + rule { - + destination_addresses = [ - + "132.86.101.172", - ] - + destination_ports = [ - + "123", - ] - + name = "time-windows" - + protocols = [ - + "UDP", - ] - + source_ip_groups = (known after apply) - } - } - } - - # azurerm_ip_group.infra_ip_group will be created - + resource "azurerm_ip_group" "infra_ip_group" { - + cidrs = [ - + "10.40.0.0/24", - + "10.50.0.0/24", - ] - + firewall_ids = (known after apply) - + firewall_policy_ids = (known after apply) - + id = (known after apply) - + location = 
"eastus" - + name = "infra-ip-group" - + resource_group_name = "azfw-rg" - } - - # azurerm_ip_group.workload_ip_group will be created - + resource "azurerm_ip_group" "workload_ip_group" { - + cidrs = [ - + "10.20.0.0/24", - + "10.30.0.0/24", - ] - + firewall_ids = (known after apply) - + firewall_policy_ids = (known after apply) - + id = (known after apply) - + location = "eastus" - + name = "workload-ip-group" - + resource_group_name = "azfw-rg" - } - - # azurerm_public_ip.pip_azfw will be created - + resource "azurerm_public_ip" "pip_azfw" { - + allocation_method = "Static" - + ddos_protection_mode = "VirtualNetworkInherited" - + fqdn = (known after apply) - + id = (known after apply) - + idle_timeout_in_minutes = 4 - + ip_address = (known after apply) - + ip_version = "IPv4" - + location = "eastus" - + name = "pip-azfw" - + resource_group_name = "azfw-rg" - + sku = "Standard" - + sku_tier = "Regional" - + tags = { - + "costcenter" = "1234556677" - + "environment" = "dev" - + "owner" = "cloud team" - + "workload" = "azure firewall" - } - } - - # azurerm_resource_group.azfw_rg will be created - + resource "azurerm_resource_group" "azfw_rg" { - + id = (known after apply) - + location = "eastus" - + name = "azfw-rg" - + tags = { - + "costcenter" = "1234556677" - + "environment" = "dev" - + "owner" = "cloud team" - + "workload" = "azure firewall" - } - } - - # azurerm_subnet.azfw_subnet will be created - + resource "azurerm_subnet" "azfw_subnet" { - + address_prefixes = [ - + "10.10.0.0/26", - ] - + enforce_private_link_endpoint_network_policies = (known after apply) - + enforce_private_link_service_network_policies = (known after apply) - + id = (known after apply) - + name = "AzureFirewallSubnet" - + private_endpoint_network_policies_enabled = (known after apply) - + private_link_service_network_policies_enabled = (known after apply) - + resource_group_name = "azfw-rg" - + virtual_network_name = "azfw-vnet" - } - - # azurerm_virtual_network.azfw_vnet will be 
created - + resource "azurerm_virtual_network" "azfw_vnet" { - + address_space = [ - + "10.10.0.0/24", - ] - + dns_servers = (known after apply) - + guid = (known after apply) - + id = (known after apply) - + location = "eastus" - + name = "azfw-vnet" - + resource_group_name = "azfw-rg" - + subnet = (known after apply) - } - -Plan: 10 to add, 0 to change, 0 to destroy. -`````` \ No newline at end of file diff --git a/quickstart/101-azfw-with-fwpolicy/main.tf b/quickstart/101-azfw-with-fwpolicy/main.tf deleted file mode 100644 index c39981331..000000000 --- a/quickstart/101-azfw-with-fwpolicy/main.tf +++ /dev/null 
@@ -1,153 +0,0 @@ - -// Create a Resource Group -resource "azurerm_resource_group" "azfw_rg" { - name = "azfw-rg" - location = var.location - tags = var.tags -} -// Create a Virtual Network -resource "azurerm_virtual_network" "azfw_vnet" { - name = "azfw-vnet" - location = azurerm_resource_group.azfw_rg.location - resource_group_name = azurerm_resource_group.azfw_rg.name - address_space = ["10.10.0.0/24"] - depends_on = [ - azurerm_resource_group.azfw_rg - ] -} - -// Create IP Groups -resource "azurerm_ip_group" "workload_ip_group" { - name = "workload-ip-group" - resource_group_name = azurerm_resource_group.azfw_rg.name - location = azurerm_resource_group.azfw_rg.location - cidrs = ["10.20.0.0/24", "10.30.0.0/24"] - depends_on = [ - azurerm_resource_group.azfw_rg, - azurerm_virtual_network.azfw_vnet - ] -} -resource "azurerm_ip_group" "infra_ip_group" { - name = "infra-ip-group" - resource_group_name = azurerm_resource_group.azfw_rg.name - location = azurerm_resource_group.azfw_rg.location - cidrs = ["10.40.0.0/24", "10.50.0.0/24"] - depends_on = [ - azurerm_resource_group.azfw_rg, - azurerm_virtual_network.azfw_vnet - ] -} - -// Create the Azure Firewall Subnet -resource "azurerm_subnet" "azfw_subnet" { - name = "AzureFirewallSubnet" - resource_group_name = azurerm_resource_group.azfw_rg.name - virtual_network_name = azurerm_virtual_network.azfw_vnet.name - address_prefixes = ["10.10.0.0/26"] - depends_on = [ - azurerm_resource_group.azfw_rg, - azurerm_virtual_network.azfw_vnet - ] -} - -// Create a Public IP Address for Azure Firewall -resource "azurerm_public_ip" "pip_azfw" { - name = "pip-azfw" - location = azurerm_resource_group.azfw_rg.location - resource_group_name = azurerm_resource_group.azfw_rg.name - allocation_method = "Static" - sku = "Standard" - tags = azurerm_resource_group.azfw_rg.tags - depends_on = [ - azurerm_resource_group.azfw_rg - ] -} - -// Create a Azure Firewall Policy -resource "azurerm_firewall_policy" "azfw_policy" { - name = 
"azfw-policy" - resource_group_name = azurerm_resource_group.azfw_rg.name - location = azurerm_resource_group.azfw_rg.location - sku = var.fw_sku - threat_intelligence_mode = "Alert" -} - -// Create a Network Rule Collection Group -// Create a Network Rule Collection -// Create rules for NTP -resource "azurerm_firewall_policy_rule_collection_group" "net_policy_rule_collection_group" { - name = "DefaultNetworkRuleCollectionGroup" - firewall_policy_id = azurerm_firewall_policy.azfw_policy.id - priority = 200 - network_rule_collection { - name = "DefaultNetworkRuleCollection" - action = "Allow" - priority = 200 - rule { - name = "time-windows" - protocols = ["UDP"] - source_ip_groups = [azurerm_ip_group.workload_ip_group.id, azurerm_ip_group.infra_ip_group.id] - destination_ports = ["123"] - destination_addresses = ["132.86.101.172"] - } - } -} - -// Create a Azure Firewall Policy Rule Collection Group -// Create a Application Rule Collection -// Create rules for Windows Update -// Create rules for Microsoft.com -resource "azurerm_firewall_policy_rule_collection_group" "app_policy_rule_collection_group" { - name = "DefaulApplicationtRuleCollectionGroup" - firewall_policy_id = azurerm_firewall_policy.azfw_policy.id - priority = 300 - application_rule_collection { - name = "DefaultApplicationRuleCollection" - action = "Allow" - priority = 500 - rule { - name = "AllowWindowsUpdate" - - description = "Allow Windows Update" - protocols { - type = "Http" - port = 80 - } - protocols { - type = "Https" - port = 443 - } - source_ip_groups = [azurerm_ip_group.workload_ip_group.id, azurerm_ip_group.infra_ip_group.id] - destination_fqdn_tags = ["WindowsUpdate"] - } - rule { - name = "Global Rule" - description = "Allow access to Microsoft.com" - protocols { - type = "Https" - port = 443 - } - destination_fqdns = ["*.microsoft.com"] - terminate_tls = false - source_ip_groups = [azurerm_ip_group.workload_ip_group.id, azurerm_ip_group.infra_ip_group.id] - } - } - depends_on = [ - 
azurerm_firewall_policy.azfw_policy - ] -} - -// Create the Azure Firewall -resource "azurerm_firewall" "fw" { - name = "azfw" - location = azurerm_resource_group.azfw_rg.location - resource_group_name = azurerm_resource_group.azfw_rg.name - sku_name = "AZFW_VNet" - sku_tier = var.fw_sku - ip_configuration { - name = "azfw-ipconfig" - subnet_id = azurerm_subnet.azfw_subnet.id - public_ip_address_id = azurerm_public_ip.pip_azfw.id - } - firewall_policy_id = azurerm_firewall_policy.azfw_policy.id -} \ No newline at end of file diff --git a/quickstart/101-azfw-with-fwpolicy/outputs.tf b/quickstart/101-azfw-with-fwpolicy/outputs.tf deleted file mode 100644 index 67ad7df31..000000000 --- a/quickstart/101-azfw-with-fwpolicy/outputs.tf +++ /dev/null @@ -1,3 +0,0 @@ -output "rg_name" { - value = azurerm_resource_group.azfw_rg.name -} \ No newline at end of file diff --git a/quickstart/101-azfw-with-fwpolicy/provider.tf b/quickstart/101-azfw-with-fwpolicy/provider.tf deleted file mode 100644 index 76b5065bc..000000000 --- a/quickstart/101-azfw-with-fwpolicy/provider.tf +++ /dev/null @@ -1,16 +0,0 @@ -terraform { - required_providers { - azurerm = { - source = "hashicorp/azurerm" - version = "3.69.0" - } - } -} - -provider "azurerm" { - features { - resource_group { - prevent_deletion_if_contains_resources = false // Set to True for Production - } - } -} diff --git a/quickstart/101-azfw-with-fwpolicy/variables.tf b/quickstart/101-azfw-with-fwpolicy/variables.tf deleted file mode 100644 index 2a925a383..000000000 --- a/quickstart/101-azfw-with-fwpolicy/variables.tf +++ /dev/null @@ -1,18 +0,0 @@ -// Create Variables for Location and Tags -variable "location" { - default = "eastus" -} -variable "tags" { - default = { - environment = "dev" - costcenter = "1234556677" - owner = "cloud team" - workload = "azure firewall" - } -} - -// Create Firewall Variables -variable "fw_sku" { - default = "Premium" # Valid values are Standard and Premium -} - 
diff --git a/quickstart/201-azfw-with-secure-hub/README.md b/quickstart/201-azfw-with-secure-hub/README.md deleted file mode 100644 index 2bdb52b85..000000000 --- a/quickstart/201-azfw-with-secure-hub/README.md +++ /dev/null 
@@ -1,543 +0,0 @@ -# Deploy Azure Firewall and a Firewall Policy - -This template deploys an Azure Firewall and a Firewall Policy to a Secure Hub. The Firewall Policy is associated with the Firewall policy. - -## Resources - -| Terraform Resource Type | Description | -| - | - | -| `azurerm_resource_group` | The resource group all the deployed resources.| -| `azurerm_virtual_wan` | The virtual wan for the virtual hub | -| `azurerm_virtual_hub` | The virtual hub for the firewall | -| `azurerm_virtual_hub_route_table` | The route table for the virtual hub | -| `azurerm_virtual_hub_connection` | The connection between the virtual hub and the virtual network spoke | -| `azurerm_public_ip` | The firewall public IP address and public access to the jump vm. | -| `azurerm_firewall_policy` | The policy associated to the Firewall | -| `azurerm_firewall_policy_rule_collection_group` | the rules collection group to add network and application rule collections for firewall policy | -| `azurerm_firewall` | The premium Azure Firewall. | -| `azurerm_virtual_network` | The virtual network for the firewall. | -| `azurerm_subnet` | The subnets for jump and workload vms. 
| -| `azurerm_network_interface` | The nics for the jump and workload vms | -| `azurerm_network_security_group` | The nsg for the jump and workload vms | -| `azurerm_network_interface_security_group_association` | The association between the nics and the nsgs | -| `azurerm_virtual_machine` | The jump and workload vms for testing | -| `azurerm_route_table` | The route table for the jump vms | -| `azurerm_subnet_route_table_association` | The association between the subnets and the route tables | -| `azurerm_virtual_hub_route_table` | The route table for the virtual hub | - -## Variables - -| Name | Description | -|-|-| -| `location` | location for your resources | -| `tags` | tags to organize your resources | -| `fw_sku` | Sku size for your Firewall and Firewall Policy | -| `vm_size` | Sku size for your jump and workload vms | -| `admin_username` | admin username for the jump and workload vms | -| `admin_password` | admin password for the jump and workload vms | - -## Example - -```powershell -Terraform used the selected providers to generate the following execution plan. 
Resource actions are indicated with the following symbols: - + create - -Terraform will perform the following actions: - - # azurerm_firewall.fw will be created - + resource "azurerm_firewall" "fw" { - + firewall_policy_id = (known after apply) - + id = (known after apply) - + location = "eastus" - + name = "fw-azfw-securehub-eus" - + resource_group_name = "rg-azfw-securehub-eus" - + sku_name = "AZFW_Hub" - + sku_tier = "Premium" - + tags = { - + "costcenter" = "1234556677" - + "environment" = "dev" - + "owner" = "cloud team" - + "workload" = "azure firewall" - } - + threat_intel_mode = (known after apply) - - + virtual_hub { - + private_ip_address = (known after apply) - + public_ip_addresses = (known after apply) - + public_ip_count = 1 - + virtual_hub_id = (known after apply) - } - } - - # azurerm_firewall_policy.azfw_policy will be created - + resource "azurerm_firewall_policy" "azfw_policy" { - + child_policies = (known after apply) - + firewalls = (known after apply) - + id = (known after apply) - + location = "eastus" - + name = "policy-azfw-securehub-eus" - + resource_group_name = "rg-azfw-securehub-eus" - + rule_collection_groups = (known after apply) - + sku = "Premium" - + tags = { - + "costcenter" = "1234556677" - + "environment" = "dev" - + "owner" = "cloud team" - + "workload" = "azure firewall" - } - + threat_intelligence_mode = "Alert" - } - - # azurerm_firewall_policy_rule_collection_group.app_policy_rule_collection_group will be created - + resource "azurerm_firewall_policy_rule_collection_group" "app_policy_rule_collection_group" { - + firewall_policy_id = (known after apply) - + id = (known after apply) - + name = "DefaulApplicationtRuleCollectionGroup" - + priority = 300 - - + application_rule_collection { - + action = "Allow" - + name = "DefaultApplicationRuleCollection" - + priority = 100 - - + rule { - + description = "Allow access to Microsoft.com" - + destination_fqdns = [ - + "*.microsoft.com", - ] - + name = "Allow-MSFT" - + 
source_addresses = [ - + "*", - ] - + terminate_tls = false - - + protocols { - + port = 443 - + type = "Https" - } - + protocols { - + port = 80 - + type = "Http" - } - } - } - } - - # azurerm_network_interface.vm_jump_nic will be created - + resource "azurerm_network_interface" "vm_jump_nic" { - + applied_dns_servers = (known after apply) - + dns_servers = (known after apply) - + enable_accelerated_networking = false - + enable_ip_forwarding = false - + id = (known after apply) - + internal_dns_name_label = (known after apply) - + internal_domain_name_suffix = (known after apply) - + location = "eastus" - + mac_address = (known after apply) - + name = "nic-jump" - + private_ip_address = (known after apply) - + private_ip_addresses = (known after apply) - + resource_group_name = "rg-azfw-securehub-eus" - + virtual_machine_id = (known after apply) - - + ip_configuration { - + gateway_load_balancer_frontend_ip_configuration_id = (known after apply) - + name = "ipconfig-jump" - + primary = (known after apply) - + private_ip_address = (known after apply) - + private_ip_address_allocation = "Dynamic" - + private_ip_address_version = "IPv4" - + public_ip_address_id = (known after apply) - + subnet_id = (known after apply) - } - } - - # azurerm_network_interface.vm_workload_nic will be created - + resource "azurerm_network_interface" "vm_workload_nic" { - + applied_dns_servers = (known after apply) - + dns_servers = (known after apply) - + enable_accelerated_networking = false - + enable_ip_forwarding = false - + id = (known after apply) - + internal_dns_name_label = (known after apply) - + internal_domain_name_suffix = (known after apply) - + location = "eastus" - + mac_address = (known after apply) - + name = "nic-workload" - + private_ip_address = (known after apply) - + private_ip_addresses = (known after apply) - + resource_group_name = "rg-azfw-securehub-eus" - + virtual_machine_id = (known after apply) - - + ip_configuration { - + 
gateway_load_balancer_frontend_ip_configuration_id = (known after apply) - + name = "ipconfig-workload" - + primary = (known after apply) - + private_ip_address = (known after apply) - + private_ip_address_allocation = "Dynamic" - + private_ip_address_version = "IPv4" - + subnet_id = (known after apply) - } - } - - # azurerm_network_interface_security_group_association.vm_jump_nsg_association will be created - + resource "azurerm_network_interface_security_group_association" "vm_jump_nsg_association" { - + id = (known after apply) - + network_interface_id = (known after apply) - + network_security_group_id = (known after apply) - } - - # azurerm_network_interface_security_group_association.vm_workload_nsg_association will be created - + resource "azurerm_network_interface_security_group_association" "vm_workload_nsg_association" { - + id = (known after apply) - + network_interface_id = (known after apply) - + network_security_group_id = (known after apply) - } - - # azurerm_network_security_group.vm_jump_nsg will be created - + resource "azurerm_network_security_group" "vm_jump_nsg" { - + id = (known after apply) - + location = "eastus" - + name = "nsg-jump" - + resource_group_name = "rg-azfw-securehub-eus" - + security_rule = [ - + { - + access = "Allow" - + description = "" - + destination_address_prefix = "*" - + destination_address_prefixes = [] - + destination_application_security_group_ids = [] - + destination_port_range = "3389" - + destination_port_ranges = [] - + direction = "Inbound" - + name = "Allow-RDP" - + priority = 300 - + protocol = "Tcp" - + source_address_prefix = "*" - + source_address_prefixes = [] - + source_application_security_group_ids = [] - + source_port_range = "*" - + source_port_ranges = [] - }, - ] - } - - # azurerm_network_security_group.vm_workload_nsg will be created - + resource "azurerm_network_security_group" "vm_workload_nsg" { - + id = (known after apply) - + location = "eastus" - + name = "nsg-workload" - + 
resource_group_name = "rg-azfw-securehub-eus" - + security_rule = (known after apply) - } - - # azurerm_public_ip.pip_azfw will be created - + resource "azurerm_public_ip" "pip_azfw" { - + allocation_method = "Static" - + ddos_protection_mode = "VirtualNetworkInherited" - + fqdn = (known after apply) - + id = (known after apply) - + idle_timeout_in_minutes = 4 - + ip_address = (known after apply) - + ip_version = "IPv4" - + location = "eastus" - + name = "pip-azfw-securehub-eus" - + resource_group_name = "rg-azfw-securehub-eus" - + sku = "Standard" - + sku_tier = "Regional" - + tags = { - + "costcenter" = "1234556677" - + "environment" = "dev" - + "owner" = "cloud team" - + "workload" = "azure firewall" - } - } - - # azurerm_public_ip.vm_jump_pip will be created - + resource "azurerm_public_ip" "vm_jump_pip" { - + allocation_method = "Static" - + ddos_protection_mode = "VirtualNetworkInherited" - + fqdn = (known after apply) - + id = (known after apply) - + idle_timeout_in_minutes = 4 - + ip_address = (known after apply) - + ip_version = "IPv4" - + location = "eastus" - + name = "pip-jump" - + resource_group_name = "rg-azfw-securehub-eus" - + sku = "Standard" - + sku_tier = "Regional" - + tags = { - + "costcenter" = "1234556677" - + "environment" = "dev" - + "owner" = "cloud team" - + "workload" = "azure firewall" - } - } - - # azurerm_resource_group.azfw_rg will be created - + resource "azurerm_resource_group" "azfw_rg" { - + id = (known after apply) - + location = "eastus" - + name = "rg-azfw-securehub-eus" - + tags = { - + "costcenter" = "1234556677" - + "environment" = "dev" - + "owner" = "cloud team" - + "workload" = "azure firewall" - } - } - - # azurerm_route_table.rt will be created - + resource "azurerm_route_table" "rt" { - + disable_bgp_route_propagation = false - + id = (known after apply) - + location = "eastus" - + name = "rt-azfw-securehub-eus" - + resource_group_name = "rg-azfw-securehub-eus" - + route = [ - + { - + address_prefix = "0.0.0.0/0" - + 
name = "jump-to-internet" - + next_hop_in_ip_address = "" - + next_hop_type = "Internet" - }, - ] - + subnets = (known after apply) - } - - # azurerm_subnet.jump_subnet will be created - + resource "azurerm_subnet" "jump_subnet" { - + address_prefixes = [ - + "10.10.2.0/24", - ] - + enforce_private_link_endpoint_network_policies = (known after apply) - + enforce_private_link_service_network_policies = (known after apply) - + id = (known after apply) - + name = "subnet-jump" - + private_endpoint_network_policies_enabled = (known after apply) - + private_link_service_network_policies_enabled = (known after apply) - + resource_group_name = "rg-azfw-securehub-eus" - + virtual_network_name = "vnet-azfw-securehub-eus" - } - - # azurerm_subnet.workload_subnet will be created - + resource "azurerm_subnet" "workload_subnet" { - + address_prefixes = [ - + "10.10.1.0/24", - ] - + enforce_private_link_endpoint_network_policies = (known after apply) - + enforce_private_link_service_network_policies = (known after apply) - + id = (known after apply) - + name = "subnet-workload" - + private_endpoint_network_policies_enabled = (known after apply) - + private_link_service_network_policies_enabled = (known after apply) - + resource_group_name = "rg-azfw-securehub-eus" - + virtual_network_name = "vnet-azfw-securehub-eus" - } - - # azurerm_subnet_route_table_association.jump_subnet_rt_association will be created - + resource "azurerm_subnet_route_table_association" "jump_subnet_rt_association" { - + id = (known after apply) - + route_table_id = (known after apply) - + subnet_id = (known after apply) - } - - # azurerm_virtual_hub.azfw_vwan_hub will be created - + resource "azurerm_virtual_hub" "azfw_vwan_hub" { - + address_prefix = "10.20.0.0/23" - + default_route_table_id = (known after apply) - + hub_routing_preference = "ExpressRoute" - + id = (known after apply) - + location = "eastus" - + name = "hub-azfw-securehub-eus" - + resource_group_name = "rg-azfw-securehub-eus" - + tags = 
{ - + "costcenter" = "1234556677" - + "environment" = "dev" - + "owner" = "cloud team" - + "workload" = "azure firewall" - } - + virtual_router_asn = (known after apply) - + virtual_router_auto_scale_min_capacity = 2 - + virtual_router_ips = (known after apply) - + virtual_wan_id = (known after apply) - } - - # azurerm_virtual_hub_connection.azfw_vwan_hub_connection will be created - + resource "azurerm_virtual_hub_connection" "azfw_vwan_hub_connection" { - + id = (known after apply) - + internet_security_enabled = true - + name = "hub-to-spoke" - + remote_virtual_network_id = (known after apply) - + virtual_hub_id = (known after apply) - - + routing { - + associated_route_table_id = (known after apply) - - + propagated_route_table { - + labels = [ - + "VNet", - ] - + route_table_ids = (known after apply) - } - } - } - - # azurerm_virtual_hub_route_table.vhub_rt will be created - + resource "azurerm_virtual_hub_route_table" "vhub_rt" { - + id = (known after apply) - + labels = [ - + "VNet", - ] - + name = "vhub-rt-azfw-securehub-eus" - + virtual_hub_id = (known after apply) - - + route { - + destinations = [ - + "0.0.0.0/0", - ] - + destinations_type = "CIDR" - + name = "InternetToFirewall" - + next_hop = (known after apply) - + next_hop_type = "ResourceId" - } - + route { - + destinations = [ - + "10.10.1.0/24", - ] - + destinations_type = "CIDR" - + name = "workload-SNToFirewall" - + next_hop = (known after apply) - + next_hop_type = "ResourceId" - } - } - - # azurerm_virtual_network.azfw_vnet will be created - + resource "azurerm_virtual_network" "azfw_vnet" { - + address_space = [ - + "10.10.0.0/16", - ] - + dns_servers = (known after apply) - + guid = (known after apply) - + id = (known after apply) - + location = "eastus" - + name = "vnet-azfw-securehub-eus" - + resource_group_name = "rg-azfw-securehub-eus" - + subnet = (known after apply) - + tags = { - + "costcenter" = "1234556677" - + "environment" = "dev" - + "owner" = "cloud team" - + "workload" = "azure 
firewall" - } - } - - # azurerm_virtual_wan.azfw_vwan will be created - + resource "azurerm_virtual_wan" "azfw_vwan" { - + allow_branch_to_branch_traffic = true - + disable_vpn_encryption = false - + id = (known after apply) - + location = "eastus" - + name = "vwan-azfw-securehub-eus" - + office365_local_breakout_category = "None" - + resource_group_name = "rg-azfw-securehub-eus" - + tags = { - + "costcenter" = "1234556677" - + "environment" = "dev" - + "owner" = "cloud team" - + "workload" = "azure firewall" - } - + type = "Standard" - } - - # azurerm_windows_virtual_machine.vm_jump will be created - + resource "azurerm_windows_virtual_machine" "vm_jump" { - + admin_password = (sensitive value) - + admin_username = "azureuser" - + allow_extension_operations = true - + bypass_platform_safety_checks_on_user_schedule_enabled = false - + computer_name = (known after apply) - + enable_automatic_updates = true - + extensions_time_budget = "PT1H30M" - + hotpatching_enabled = false - + id = (known after apply) - + location = "eastus" - + max_bid_price = -1 - + name = "jump-vm" - + network_interface_ids = (known after apply) - + patch_assessment_mode = "ImageDefault" - + patch_mode = "AutomaticByOS" - + platform_fault_domain = -1 - + priority = "Regular" - + private_ip_address = (known after apply) - + private_ip_addresses = (known after apply) - + provision_vm_agent = true - + public_ip_address = (known after apply) - + public_ip_addresses = (known after apply) - + resource_group_name = "rg-azfw-securehub-eus" - + size = "Standard_D2_v3" - + virtual_machine_id = (known after apply) - - + os_disk { - + caching = "ReadWrite" - + disk_size_gb = (known after apply) - + name = (known after apply) - + storage_account_type = "Standard_LRS" - + write_accelerator_enabled = false - } - - + source_image_reference { - + offer = "WindowsServer" - + publisher = "MicrosoftWindowsServer" - + sku = "2019-Datacenter" - + version = "latest" - } - } - - # 
azurerm_windows_virtual_machine.vm_workload will be created - + resource "azurerm_windows_virtual_machine" "vm_workload" { - + admin_password = (sensitive value) - + admin_username = "azureuser" - + allow_extension_operations = true - + bypass_platform_safety_checks_on_user_schedule_enabled = false - + computer_name = (known after apply) - + enable_automatic_updates = true - + extensions_time_budget = "PT1H30M" - + hotpatching_enabled = false - + id = (known after apply) - + location = "eastus" - + max_bid_price = -1 - + name = "workload-vm" - + network_interface_ids = (known after apply) - + patch_assessment_mode = "ImageDefault" - + patch_mode = "AutomaticByOS" - + platform_fault_domain = -1 - + priority = "Regular" - + private_ip_address = (known after apply) - + private_ip_addresses = (known after apply) - + provision_vm_agent = true - + public_ip_address = (known after apply) - + public_ip_addresses = (known after apply) - + resource_group_name = "rg-azfw-securehub-eus" - + size = "Standard_D2_v3" - + virtual_machine_id = (known after apply) - - + os_disk { - + caching = "ReadWrite" - + disk_size_gb = (known after apply) - + name = (known after apply) - + storage_account_type = "Standard_LRS" - + write_accelerator_enabled = false - } - - + source_image_reference { - + offer = "WindowsServer" - + publisher = "MicrosoftWindowsServer" - + sku = "2019-Datacenter" - + version = "latest" - } - } - -Plan: 23 to add, 0 to change, 0 to destroy. -`````` \ No newline at end of file diff --git a/quickstart/201-azfw-with-secure-hub/main.tf b/quickstart/201-azfw-with-secure-hub/main.tf deleted file mode 100644 index 46c99695c..000000000 --- a/quickstart/201-azfw-with-secure-hub/main.tf +++ /dev/null 
@@ -1,370 +0,0 @@ - -// Create a Resource Group -resource "azurerm_resource_group" "azfw_rg" { - name = "rg-azfw-securehub-eus" - location = var.location - tags = var.tags -} - -// Create resources for Azure Virtual WAN -// Create a Azure Vwan -resource "azurerm_virtual_wan" "azfw_vwan" { - name = "vwan-azfw-securehub-eus" - location = azurerm_resource_group.azfw_rg.location - resource_group_name = azurerm_resource_group.azfw_rg.name - tags = azurerm_resource_group.azfw_rg.tags - allow_branch_to_branch_traffic = true - disable_vpn_encryption = false - depends_on = [ - azurerm_resource_group.azfw_rg - ] -} - -// Create a Azure Vwan Hub -resource "azurerm_virtual_hub" "azfw_vwan_hub" { - name = "hub-azfw-securehub-eus" - location = azurerm_resource_group.azfw_rg.location - resource_group_name = azurerm_resource_group.azfw_rg.name - virtual_wan_id = azurerm_virtual_wan.azfw_vwan.id - address_prefix = "10.20.0.0/23" - tags = azurerm_resource_group.azfw_rg.tags - depends_on = [ - azurerm_virtual_wan.azfw_vwan - ] -} - -// Create a Azure VWan Hub Connection -resource "azurerm_virtual_hub_connection" "azfw_vwan_hub_connection" { - name = "hub-to-spoke" - virtual_hub_id = azurerm_virtual_hub.azfw_vwan_hub.id - remote_virtual_network_id = azurerm_virtual_network.azfw_vnet.id - internet_security_enabled = true - routing { - associated_route_table_id = azurerm_virtual_hub_route_table.vhub_rt.id - propagated_route_table { - route_table_ids = [azurerm_virtual_hub_route_table.vhub_rt.id] - labels = ["VNet"] - } - } - depends_on = [ - azurerm_virtual_hub.azfw_vwan_hub, - azurerm_virtual_network.azfw_vnet - ] -} - -// Create resources for Azure Firewall -// Create a Public IP Address for Azure Firewall -resource "azurerm_public_ip" "pip_azfw" { - name = "pip-azfw-securehub-eus" - location = azurerm_resource_group.azfw_rg.location - resource_group_name = azurerm_resource_group.azfw_rg.name - allocation_method = "Static" - sku = "Standard" - tags = 
azurerm_resource_group.azfw_rg.tags - depends_on = [ - azurerm_resource_group.azfw_rg - ] -} - -// Create a Azure Firewall Policy -resource "azurerm_firewall_policy" "azfw_policy" { - name = "policy-azfw-securehub-eus" - resource_group_name = azurerm_resource_group.azfw_rg.name - location = azurerm_resource_group.azfw_rg.location - sku = "Premium" - threat_intelligence_mode = "Alert" - tags = azurerm_resource_group.azfw_rg.tags - depends_on = [ - azurerm_resource_group.azfw_rg - ] -} - -// Create a Azure Firewall Policy Rule Collection Group -// Create a Application Rule Collection -// Create rules for Windows Update -// Create rules for Microsoft.com -resource "azurerm_firewall_policy_rule_collection_group" "app_policy_rule_collection_group" { - name = "DefaulApplicationtRuleCollectionGroup" - firewall_policy_id = azurerm_firewall_policy.azfw_policy.id - priority = 300 - application_rule_collection { - name = "DefaultApplicationRuleCollection" - action = "Allow" - priority = 100 - rule { - name = "Allow-MSFT" - description = "Allow access to Microsoft.com" - protocols { - type = "Https" - port = 443 - } - protocols { - type = "Http" - port = 80 - } - destination_fqdns = ["*.microsoft.com"] - terminate_tls = false - source_addresses = ["*"] - } - } - depends_on = [ - azurerm_firewall_policy.azfw_policy - ] -} - -// Create the Azure Firewall -resource "azurerm_firewall" "fw" { - name = "fw-azfw-securehub-eus" - location = azurerm_resource_group.azfw_rg.location - resource_group_name = azurerm_resource_group.azfw_rg.name - sku_name = "AZFW_Hub" - sku_tier = var.fw_sku - tags = azurerm_resource_group.azfw_rg.tags - virtual_hub { - virtual_hub_id = azurerm_virtual_hub.azfw_vwan_hub.id - public_ip_count = 1 - } - firewall_policy_id = azurerm_firewall_policy.azfw_policy.id - depends_on = [ - azurerm_firewall_policy.azfw_policy, - azurerm_virtual_hub.azfw_vwan_hub - ] -} - -// Create Virtual Network, Subnets, PIP, NICs, NSGs, and NIC-NSG associations -// Create a Virtual 
Network -resource "azurerm_virtual_network" "azfw_vnet" { - name = "vnet-azfw-securehub-eus" - location = azurerm_resource_group.azfw_rg.location - resource_group_name = azurerm_resource_group.azfw_rg.name - address_space = ["10.10.0.0/16"] - tags = azurerm_resource_group.azfw_rg.tags - depends_on = [ - azurerm_resource_group.azfw_rg - ] -} - -// Create a Subnet for Workload VMs -resource "azurerm_subnet" "workload_subnet" { - name = "subnet-workload" - resource_group_name = azurerm_resource_group.azfw_rg.name - virtual_network_name = azurerm_virtual_network.azfw_vnet.name - address_prefixes = ["10.10.1.0/24"] - depends_on = [ - azurerm_virtual_network.azfw_vnet - ] -} - -// Create a Subnet for Jump VM -resource "azurerm_subnet" "jump_subnet" { - name = "subnet-jump" - resource_group_name = azurerm_resource_group.azfw_rg.name - virtual_network_name = azurerm_virtual_network.azfw_vnet.name - address_prefixes = ["10.10.2.0/24"] - - depends_on = [ - azurerm_virtual_network.azfw_vnet, - azurerm_route_table.rt - ] -} - -// Create a NIC for Workload VM -resource "azurerm_network_interface" "vm_workload_nic" { - name = "nic-workload" - location = azurerm_resource_group.azfw_rg.location - resource_group_name = azurerm_resource_group.azfw_rg.name - - ip_configuration { - name = "ipconfig-workload" - subnet_id = azurerm_subnet.workload_subnet.id - private_ip_address_allocation = "Dynamic" - } - depends_on = [ - azurerm_subnet.workload_subnet - ] -} - -// Create a PIP for Jump VM -resource "azurerm_public_ip" "vm_jump_pip" { - name = "pip-jump" - location = azurerm_resource_group.azfw_rg.location - resource_group_name = azurerm_resource_group.azfw_rg.name - allocation_method = "Static" - sku = "Standard" - tags = azurerm_resource_group.azfw_rg.tags - depends_on = [ - azurerm_resource_group.azfw_rg - ] -} - -// Create a NIC for Jump VM -resource "azurerm_network_interface" "vm_jump_nic" { - name = "nic-jump" - location = azurerm_resource_group.azfw_rg.location - 
resource_group_name = azurerm_resource_group.azfw_rg.name - - ip_configuration { - name = "ipconfig-jump" - subnet_id = azurerm_subnet.jump_subnet.id - private_ip_address_allocation = "Dynamic" - public_ip_address_id = azurerm_public_ip.vm_jump_pip.id - } - depends_on = [ - azurerm_subnet.jump_subnet, - azurerm_public_ip.vm_jump_pip - ] -} - -// Create a NSG for Workload VM -resource "azurerm_network_security_group" "vm_workload_nsg" { - name = "nsg-workload" - location = azurerm_resource_group.azfw_rg.location - resource_group_name = azurerm_resource_group.azfw_rg.name - depends_on = [ - azurerm_resource_group.azfw_rg - ] -} - -// Create a NSG for Jump VM -resource "azurerm_network_security_group" "vm_jump_nsg" { - name = "nsg-jump" - location = azurerm_resource_group.azfw_rg.location - resource_group_name = azurerm_resource_group.azfw_rg.name - security_rule { - name = "Allow-RDP" - priority = 300 - direction = "Inbound" - access = "Allow" - protocol = "Tcp" - source_port_range = "*" - destination_port_range = "3389" - source_address_prefix = "*" - destination_address_prefix = "*" - } - - depends_on = [ - azurerm_resource_group.azfw_rg - ] -} - -// Associate NSG for Workload VM NIC -resource "azurerm_network_interface_security_group_association" "vm_workload_nsg_association" { - network_interface_id = azurerm_network_interface.vm_workload_nic.id - network_security_group_id = azurerm_network_security_group.vm_workload_nsg.id - depends_on = [ - azurerm_network_interface.vm_workload_nic, - azurerm_network_security_group.vm_workload_nsg - ] -} - -// Associate NSG for Jump VM NIC -resource "azurerm_network_interface_security_group_association" "vm_jump_nsg_association" { - network_interface_id = azurerm_network_interface.vm_jump_nic.id - network_security_group_id = azurerm_network_security_group.vm_jump_nsg.id - depends_on = [ - azurerm_network_interface.vm_jump_nic, - azurerm_network_security_group.vm_jump_nsg - ] -} - -// Create Virtual Machines for testing -// 
Create a Workload Virtual Machine -resource "azurerm_windows_virtual_machine" "vm_workload" { - name = "workload-vm" - resource_group_name = azurerm_resource_group.azfw_rg.name - location = azurerm_resource_group.azfw_rg.location - size = var.vm_size - admin_username = var.admin_username - admin_password = var.admin_password - network_interface_ids = [azurerm_network_interface.vm_workload_nic.id] - os_disk { - caching = "ReadWrite" - storage_account_type = "Standard_LRS" - } - source_image_reference { - publisher = "MicrosoftWindowsServer" - offer = "WindowsServer" - sku = "2019-Datacenter" - version = "latest" - } - depends_on = [ - azurerm_network_interface.vm_workload_nic - ] -} - -// Create a Jump Virtual Machine -resource "azurerm_windows_virtual_machine" "vm_jump" { - name = "jump-vm" - resource_group_name = azurerm_resource_group.azfw_rg.name - location = azurerm_resource_group.azfw_rg.location - size = var.vm_size - admin_username = var.admin_username - admin_password = var.admin_password - network_interface_ids = [azurerm_network_interface.vm_jump_nic.id] - os_disk { - caching = "ReadWrite" - storage_account_type = "Standard_LRS" - } - source_image_reference { - publisher = "MicrosoftWindowsServer" - offer = "WindowsServer" - sku = "2019-Datacenter" - version = "latest" - } - depends_on = [ - azurerm_network_interface.vm_jump_nic - ] -} - -// Create Routing for testing -// Create a Route Table -resource "azurerm_route_table" "rt" { - name = "rt-azfw-securehub-eus" - location = azurerm_resource_group.azfw_rg.location - resource_group_name = azurerm_resource_group.azfw_rg.name - disable_bgp_route_propagation = false - route { - name = "jump-to-internet" - address_prefix = "0.0.0.0/0" - next_hop_type = "Internet" - } - depends_on = [ - azurerm_resource_group.azfw_rg - ] -} - -// Associate Route Table to Jump VM Subnet -resource "azurerm_subnet_route_table_association" "jump_subnet_rt_association" { - subnet_id = azurerm_subnet.jump_subnet.id - route_table_id 
= azurerm_route_table.rt.id - depends_on = [ - azurerm_subnet.jump_subnet, - azurerm_route_table.rt - ] -} - -// Creat a Virtual Hub Route Table -resource "azurerm_virtual_hub_route_table" "vhub_rt" { - name = "vhub-rt-azfw-securehub-eus" - virtual_hub_id = azurerm_virtual_hub.azfw_vwan_hub.id - route { - name = "workload-SNToFirewall" - destinations_type = "CIDR" - destinations = ["10.10.1.0/24"] - next_hop_type = "ResourceId" - next_hop = azurerm_firewall.fw.id - } - route { - name = "InternetToFirewall" - destinations_type = "CIDR" - destinations = ["0.0.0.0/0"] - next_hop_type = "ResourceId" - next_hop = azurerm_firewall.fw.id - } - labels = ["VNet"] - depends_on = [ - azurerm_virtual_hub.azfw_vwan_hub, - azurerm_firewall.fw - ] -} - diff --git a/quickstart/201-azfw-with-secure-hub/outputs.tf b/quickstart/201-azfw-with-secure-hub/outputs.tf deleted file mode 100644 index 67ad7df31..000000000 --- a/quickstart/201-azfw-with-secure-hub/outputs.tf +++ /dev/null @@ -1,3 +0,0 @@ -output "rg_name" { - value = azurerm_resource_group.azfw_rg.name -} \ No newline at end of file diff --git a/quickstart/201-azfw-with-secure-hub/provider.tf b/quickstart/201-azfw-with-secure-hub/provider.tf deleted file mode 100644 index 76b5065bc..000000000 --- a/quickstart/201-azfw-with-secure-hub/provider.tf +++ /dev/null @@ -1,16 +0,0 @@ -terraform { - required_providers { - azurerm = { - source = "hashicorp/azurerm" - version = "3.69.0" - } - } -} - -provider "azurerm" { - features { - resource_group { - prevent_deletion_if_contains_resources = false // Set to True for Production - } - } -} diff --git a/quickstart/201-azfw-with-secure-hub/variables.tf b/quickstart/201-azfw-with-secure-hub/variables.tf deleted file mode 100644 index fd29a8593..000000000 --- a/quickstart/201-azfw-with-secure-hub/variables.tf +++ /dev/null 
@@ -1,30 +0,0 @@ -// Create Variables for Location and Tags -variable "location" { - default = "eastus" -} -variable "tags" { - default = { - environment = "dev" - costcenter = "1234556677" - owner = "cloud team" - workload = "azure firewall" - } -} - -// Create Firewall Variables -variable "fw_sku" { - default = "Premium" # Valid values are Standard and Premium -} - -// Create Virtual Machine Sku Size Variables -variable "vm_size" { - default = "Standard_D2_v3" -} - -// Create Admin Username and Password -variable "admin_username" { - default = "azureuser" -} -variable "admin_password" { - default = "P@ssw0rd1234!" -} From 02691ea927c0e25c2ff4b209c9f0e6fd762f0cf4 Mon Sep 17 00:00:00 2001 From: cshea15 Date: Sun, 24 Sep 2023 21:13:18 -0400 Subject: [PATCH 03/11] commit files to folder --- quickstart/201-azfw-with-avzones/main.tf | 262 ++++++++++++++++++ quickstart/201-azfw-with-avzones/outputs.tf | 7 + quickstart/201-azfw-with-avzones/provider.tf | 16 ++ quickstart/201-azfw-with-avzones/readme.md | 35 +++ quickstart/201-azfw-with-avzones/variables.tf | 31 +++ 5 files changed, 351 insertions(+) create mode 100644 quickstart/201-azfw-with-avzones/main.tf create mode 100644 quickstart/201-azfw-with-avzones/outputs.tf create mode 100644 quickstart/201-azfw-with-avzones/provider.tf create mode 100644 quickstart/201-azfw-with-avzones/readme.md create mode 100644 quickstart/201-azfw-with-avzones/variables.tf diff --git a/quickstart/201-azfw-with-avzones/main.tf b/quickstart/201-azfw-with-avzones/main.tf new file mode 100644 index 000000000..039d3a9f3 --- /dev/null +++ b/quickstart/201-azfw-with-avzones/main.tf 
@@ -0,0 +1,262 @@
+resource "random_pet" "rg_name" {
+ prefix = var.resource_group_name_prefix
+}
+
+resource "random_string" "storage_account_name" {
+ length = 8
+ lower = true
+ numeric = false
+ special = false
+ upper = false
+}
+
+resource "random_password" "password" {
+ length = 20
+ min_lower = 1
+ min_upper = 1
+ min_numeric = 1
+ min_special = 1
+ special = true
+}
+
+resource "azurerm_resource_group" "rg" {
+ name = random_pet.rg_name.id
+ location = var.resource_group_location
+}
+
+resource "azurerm_public_ip" "pip_azfw" {
+ name = "pip-azfw"
+ location = azurerm_resource_group.rg.location
+ resource_group_name = azurerm_resource_group.rg.name
+ allocation_method = "Static"
+ sku = "Standard"
+}
+
+resource "azurerm_storage_account" "sa" {
+ name = random_string.storage_account_name.result
+ resource_group_name = azurerm_resource_group.rg.name
+ location = azurerm_resource_group.rg.location
+ account_tier = "Standard"
+ account_replication_type = "LRS"
+ account_kind = "StorageV2"
+}
+
+resource "azurerm_virtual_network" "azfw_vnet" {
+ name = "azfw-vnet"
+ location = azurerm_resource_group.rg.location
+ resource_group_name = azurerm_resource_group.rg.name
+ address_space = ["10.10.0.0/16"]
+}
+
+resource "azurerm_subnet" "azfw_subnet" {
+ name = "AzureFirewallSubnet"
+ resource_group_name = azurerm_resource_group.rg.name
+ virtual_network_name = azurerm_virtual_network.azfw_vnet.name
+ address_prefixes = ["10.10.0.0/26"]
+}
+
+resource "azurerm_subnet" "server_subnet" {
+ name = "subnet-server"
+ resource_group_name = azurerm_resource_group.rg.name
+ virtual_network_name = azurerm_virtual_network.azfw_vnet.name
+ address_prefixes = ["10.10.1.0/24"]
+}
+
+resource "azurerm_subnet" "jump_subnet" {
+ name = "subnet-jump"
+ resource_group_name = azurerm_resource_group.rg.name
+ virtual_network_name = azurerm_virtual_network.azfw_vnet.name
+ address_prefixes = ["10.10.2.0/24"]
+}
+
+resource "azurerm_public_ip" "vm_jump_pip" {
+ name = "pip-jump"
+ location = azurerm_resource_group.rg.location
+ resource_group_name = azurerm_resource_group.rg.name
+ allocation_method = "Static"
+ sku = "Standard"
+}
+
+resource "azurerm_network_interface" "vm_server_nic" {
+ name = "nic-server"
+ location = azurerm_resource_group.rg.location
+ resource_group_name = azurerm_resource_group.rg.name
+
+ ip_configuration {
+ name = "ipconfig-workload"
+ subnet_id = azurerm_subnet.server_subnet.id
+ private_ip_address_allocation = "Dynamic"
+ }
+}
+
+resource "azurerm_network_interface" "vm_jump_nic" {
+ name = "nic-jump"
+ location = azurerm_resource_group.rg.location
+ resource_group_name = azurerm_resource_group.rg.name
+
+ ip_configuration {
+ name = "ipconfig-jump"
+ subnet_id = azurerm_subnet.jump_subnet.id
+ private_ip_address_allocation = "Dynamic"
+ public_ip_address_id = azurerm_public_ip.vm_jump_pip.id
+ }
+}
+
+resource "azurerm_network_security_group" "vm_server_nsg" {
+ name = "nsg-server"
+ location = azurerm_resource_group.rg.location
+ resource_group_name = azurerm_resource_group.rg.name
+}
+
+resource "azurerm_network_security_group" "vm_jump_nsg" {
+ name = "nsg-jump"
+ location = azurerm_resource_group.rg.location
+ resource_group_name = azurerm_resource_group.rg.name
+ security_rule {
+ name = "Allow-TCP"
+ priority = 1000
+ direction = "Inbound"
+ access = "Allow"
+ protocol = "Tcp"
+ source_port_range = "*"
+ destination_port_range = "3389"
+ source_address_prefix = "*"
+ destination_address_prefix = "*"
+ }
+}
+
+resource "azurerm_network_interface_security_group_association" "vm_server_nsg_association" {
+ network_interface_id = azurerm_network_interface.vm_server_nic.id
+ network_security_group_id = azurerm_network_security_group.vm_server_nsg.id
+}
+
+resource "azurerm_network_interface_security_group_association" "vm_jump_nsg_association" {
+ network_interface_id = azurerm_network_interface.vm_jump_nic.id
+ network_security_group_id = azurerm_network_security_group.vm_jump_nsg.id
+}
+
+resource "azurerm_linux_virtual_machine" "vm_server" {
+ name = "server-vm"
+ resource_group_name = azurerm_resource_group.rg.name
+ location = azurerm_resource_group.rg.location
+ computer_name = "server"
+ size = var.virtual_machine_size
+ admin_username = var.admin_username
+ admin_password = random_password.password.result
+ network_interface_ids = [azurerm_network_interface.vm_server_nic.id]
+ os_disk {
+ caching = "ReadWrite"
+ storage_account_type = "Standard_LRS"
+ disk_size_gb = "128"
+ }
+ source_image_reference {
+ publisher = "MicrosoftWindowsServer"
+ offer = "WindowsServer"
+ sku = "2019-Datacenter"
+ version = "latest"
+ }
+ boot_diagnostics {
+ storage_account_uri = azurerm_storage_account.sa.primary_blob_endpoint
+ }
+}
+
+resource "azurerm_linux_virtual_machine" "vm_jump" {
+ name = "jump-vm"
+ resource_group_name = azurerm_resource_group.rg.name
+ location = azurerm_resource_group.rg.location
+ computer_name = "jumpbox"
+ size = var.virtual_machine_size
+ admin_username = var.admin_username
+ admin_password = random_password.password.result
+ network_interface_ids = [azurerm_network_interface.vm_jump_nic.id]
+ os_disk {
+ caching = "ReadWrite"
+ storage_account_type = "Standard_LRS"
+ disk_size_gb = "128"
+ }
+ source_image_reference {
+ publisher = "MicrosoftWindowsServer"
+ offer = "WindowsServer"
+ sku = "2019-Datacenter"
+ version = "latest"
+ }
+ boot_diagnostics {
+ storage_account_uri = azurerm_storage_account.sa.primary_blob_endpoint
+ }
+}
+
+resource "azurerm_firewall_policy" "azfw_policy" {
+ name = "azfw-policy"
+ resource_group_name = azurerm_resource_group.rg.name
+ location = azurerm_resource_group.rg.location
+ sku = var.firewall_sku_tier
+ threat_intelligence_mode = "Alert"
+}
+
+resource "azurerm_firewall_policy_rule_collection_group" "prcg" {
+ name = "prcg"
+ firewall_policy_id = azurerm_firewall_policy.azfw_policy.id
+ priority = 300
+ application_rule_collection {
+ name = "appRc1"
+ priority = 101
+ action = "Allow"
+ rule {
+ name = "appRule1"
+ protocols {
+ type = "Http"
+ port = 80
+ }
+ protocols {
+ type = "Https"
+ port = 443
+ }
+ destination_fqdns = [ "www.microsoft.com" ]
+ source_addresses = ["10.10.1.0/24"]
+ }
+ }
+ network_rule_collection {
+ name = "netRc1"
+ priority = 200
+ action = "Allow"
+ rule {
+ name = "netRule1"
+ protocols = [ "TCP" ]
+ source_addresses = [ "10.10.1.0/24" ]
+ destination_ports = [ "8000", "8999" ]
+ }
+ }
+}
+
+resource "azurerm_firewall" "fw" {
+ name = "azfw"
+ location = azurerm_resource_group.rg.location
+ resource_group_name = azurerm_resource_group.rg.name
+ sku_name = "AZFW_VNet"
+ sku_tier = var.firewall_sku_tier
+ zones = ["1", "2", "3"]
+ ip_configuration {
+ name = "azfw-ipconfig"
+ subnet_id = azurerm_subnet.azfw_subnet.id
+ public_ip_address_id = azurerm_public_ip.pip_azfw.id
+ }
+ firewall_policy_id = azurerm_firewall_policy.azfw_policy.id
+}
+
+resource "azurerm_route_table" "rt" {
+ name = "rt-azfw-eus"
+ location = azurerm_resource_group.rg.location
+ resource_group_name = azurerm_resource_group.rg.name
+ disable_bgp_route_propagation = false
+ route {
+ name = "azfwDefaultRoute"
+ address_prefix = "0.0.0.0/0"
+ next_hop_type = "VirtualAppliance"
+ next_hop_in_ip_address = "10.10.0.4"
+ }
+}
+
+resource "azurerm_subnet_route_table_association" "jump_subnet_rt_association" {
+ subnet_id = azurerm_subnet.server_subnet.id
+ route_table_id = azurerm_route_table.rt.id
+}
\ No newline at end of file
diff --git a/quickstart/201-azfw-with-avzones/outputs.tf b/quickstart/201-azfw-with-avzones/outputs.tf
new file mode 100644
index 000000000..3d6f89a11
--- /dev/null
+++ b/quickstart/201-azfw-with-avzones/outputs.tf
@@ -0,0 +1,7 @@
+output "resource_group_name" {
+ value = azurerm_resource_group.rg.name
+}
+
+output "firewall_name" {
+ value = azurerm_firewall.fw.name
+}
\ No newline at end of file
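Review bot: Both `azurerm_linux_virtual_machine` resources (`vm_server` and `vm_jump`) are given a Windows Server image (`MicrosoftWindowsServer` / `WindowsServer` / `2019-Datacenter`), which the Linux VM resource cannot provision and which contradicts the readme's listing of `azurerm_windows_virtual_machine`; change both headers to `resource "azurerm_windows_virtual_machine" "vm_server" {` and `resource "azurerm_windows_virtual_machine" "vm_jump" {` (if a Linux VM were intended, the provider would also need `disable_password_authentication = false` before it accepts `admin_password`). The default route in `azurerm_route_table.rt` hard-codes the firewall's private address as `next_hop_in_ip_address = "10.10.0.4"`; `next_hop_in_ip_address = azurerm_firewall.fw.ip_configuration[0].private_ip_address` expresses the same intent without depending on the allocation order inside `AzureFirewallSubnet`. The `Allow-TCP` rule in `vm_jump_nsg` admits 3389 from `source_address_prefix = "*"` on a VM that also has a public IP, so narrowing the source prefix to the operator's range (or fronting the jump host with Bastion) would keep the quickstart from standing up an RDP endpoint reachable from any address. `jump_subnet_rt_association` attaches the route table to `server_subnet` rather than `jump_subnet`, so either the name or the `subnet_id` should change, and `netRule1` appears to set no destination (`destination_addresses`), which the firewall API is likely to reject.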
diff --git a/quickstart/201-azfw-with-avzones/provider.tf b/quickstart/201-azfw-with-avzones/provider.tf
new file mode 100644
index 000000000..7261b1fb4
--- /dev/null
+++ b/quickstart/201-azfw-with-avzones/provider.tf
@@ -0,0 +1,16 @@
+terraform {
+ required_providers {
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = "~>3.0"
+ }
+ random = {
+ source = "hashicorp/random"
+ version = "~>3.0"
+ }
+ }
+}
+
+provider "azurerm" {
+ features {}
+}
\ No newline at end of file
diff --git a/quickstart/201-azfw-with-avzones/readme.md b/quickstart/201-azfw-with-avzones/readme.md
new file mode 100644
index 000000000..7b97df5f6
--- /dev/null
+++ b/quickstart/201-azfw-with-avzones/readme.md
@@ -0,0 +1,35 @@
+# Deploying Azure Firewall in Availability Zones
+
+This template deploys an [Azure Firewall](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/firewall) in Availability Zones
+
+## Terraform resource types
+
+- [azurerm_resource_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group)
+- [azurerm_virtual_network](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_network)
+- [azurerm_subnet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet)
+- [azurerm_public_ip](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/public_ip)
+- [azurerm_firewall_policy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/firewall_policy)
+- [azurerm_firewall_policy_rule_collection_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/firewall_policy_rule_collection_group)
+- [azurerm_firewall](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/firewall)
+- [azurerm_network_interface](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_interface)
+- [azurerm_network_security_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_security_group)
+- [azurerm_network_interface_security_group_association](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_interface_security_group_association)
+- [azurerm_route_table](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/route_table)
+- [azurerm_subnet_route_table_association](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet_route_table_association)
+- 
[azurerm_windows_virtual_machine](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/windows_virtual_machine)
+- [azurerm_storage_account](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account)
+- [random_password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password)
+- [random_pet](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/pet)
+- [random_string](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string)}
+
+## Variables
+
+| Name | Description | Default value |
+|-|-|-|
+| `resource_group_location` | location for your resources | eastus |
+| `firewall_sku_tier` | Sku size for your Firewall and Firewall Policy | Premium |
+| `resource_group_name_prefix` | Prefix for your resource group | rg |
+| `virtual_machine_size` | Sku size for your jump and workload vms | Standard_D2_v3 |
+| `admin_username` | admin username for the jump and workload vms | azureuser |
+
+## Example
\ No newline at end of file
diff --git a/quickstart/201-azfw-with-avzones/variables.tf b/quickstart/201-azfw-with-avzones/variables.tf
new file mode 100644
index 000000000..a855798d7
--- /dev/null
+++ b/quickstart/201-azfw-with-avzones/variables.tf
@@ -0,0 +1,31 @@ +variable "resource_group_location" { + type = string + description = "Location for all resources." + default = "eastus" +} + +variable "resource_group_name_prefix" { + type = string + description = "Prefix for the Resource Group Name that's combined with a random id so name is unique in your Azure subcription." + default = "rg" +} + +variable "firewall_sku_tier" { + type = string + description = "Firewall SKU." + default = "Premium" # Valid values are Standard and Premium + validation { + condition = contains(["Standard", "Premium"], var.firewall_sku_tier) + error_message = "The sku must be one of the following: Standard, Premium" + } +} + +variable "virtual_machine_size" { + type = string + description = "Size of the virtual machine." + default = "Standard_D2_v3" +} + +variable "admin_username" { + default = "azureuser" +} \ No newline at end of file From 06cb8336728b202439f471d3f3065c9db462f4ec Mon Sep 17 00:00:00 2001 From: cshea15 Date: Mon, 25 Sep 2023 10:39:55 -0400 Subject: [PATCH 04/11] update files --- quickstart/201-azfw-with-avzones/main.tf | 88 ++++++++++++------------ 1 file changed, 45 insertions(+), 43 deletions(-) diff --git a/quickstart/201-azfw-with-avzones/main.tf b/quickstart/201-azfw-with-avzones/main.tf index 039d3a9f3..f2ba30f88 100644 --- a/quickstart/201-azfw-with-avzones/main.tf +++ b/quickstart/201-azfw-with-avzones/main.tf @@ -30,6 +30,7 @@ resource "azurerm_public_ip" "pip_azfw" { resource_group_name = azurerm_resource_group.rg.name allocation_method = "Static" sku = "Standard" + zones = [ "1", "2", "3" ] } resource "azurerm_storage_account" "sa" { 
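Review bot: The `description` of `resource_group_name_prefix` misspells "subscription" as "subcription"; the readme wording is corrected in a later patch of this series but this variable keeps the typo, so the line should read `description = "Prefix for the Resource Group Name that's combined with a random id so name is unique in your Azure subscription."`. The inline comment `# Valid values are Standard and Premium` on `firewall_sku_tier` repeats what the `validation` block already enforces; moving the allowed values into the description (`description = "Firewall SKU. Valid values: Standard, Premium."`) keeps them visible in `terraform` output and documentation generators, where comments are not.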
@@ -135,19 +136,19 @@ resource "azurerm_network_interface_security_group_association" "vm_jump_nsg_ass network_security_group_id = azurerm_network_security_group.vm_jump_nsg.id } -resource "azurerm_linux_virtual_machine" "vm_server" { - name = "server-vm" - resource_group_name = azurerm_resource_group.rg.name - location = azurerm_resource_group.rg.location - computer_name = "server" - size = var.virtual_machine_size - admin_username = var.admin_username - admin_password = random_password.password.result - network_interface_ids = [azurerm_network_interface.vm_server_nic.id] +resource "azurerm_windows_virtual_machine" "vm_server" { + name = "server-vm" + resource_group_name = azurerm_resource_group.rg.name + location = azurerm_resource_group.rg.location + computer_name = "server" + size = var.virtual_machine_size + admin_username = var.admin_username + admin_password = random_password.password.result + network_interface_ids = [azurerm_network_interface.vm_server_nic.id] os_disk { caching = "ReadWrite" storage_account_type = "Standard_LRS" - disk_size_gb = "128" + disk_size_gb = "128" } source_image_reference { publisher = "MicrosoftWindowsServer" 
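Review bot: Both `vm_server` here and `vm_jump` in the next hunk (@@ -160) set `admin_password = random_password.password.result`, so the jump host and the workload server share one generated credential and a compromise of either host yields the other; a second `random_password` resource (for example a `random_password.server_password` used only by `vm_server`) keeps the two separated. The generated value is also stored in Terraform state in plaintext, which is worth a one-line comment above `admin_password` for a quickstart audience. `disk_size_gb = "128"` is a string for a numeric attribute; `disk_size_gb = 128` avoids the implicit conversion. The `azurerm_windows_virtual_machine` block continues past the end of the hunk.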
@@ -160,19 +161,19 @@ resource "azurerm_linux_virtual_machine" "vm_server" { } } -resource "azurerm_linux_virtual_machine" "vm_jump" { - name = "jump-vm" - resource_group_name = azurerm_resource_group.rg.name - location = azurerm_resource_group.rg.location - computer_name = "jumpbox" - size = var.virtual_machine_size - admin_username = var.admin_username - admin_password = random_password.password.result - network_interface_ids = [azurerm_network_interface.vm_jump_nic.id] +resource "azurerm_windows_virtual_machine" "vm_jump" { + name = "jump-vm" + resource_group_name = azurerm_resource_group.rg.name + location = azurerm_resource_group.rg.location + computer_name = "jumpbox" + size = var.virtual_machine_size + admin_username = var.admin_username + admin_password = random_password.password.result + network_interface_ids = [azurerm_network_interface.vm_jump_nic.id] os_disk { caching = "ReadWrite" storage_account_type = "Standard_LRS" - disk_size_gb = "128" + disk_size_gb = "128" } source_image_reference { publisher = "MicrosoftWindowsServer" 
@@ -194,36 +195,37 @@ resource "azurerm_firewall_policy" "azfw_policy" { } resource "azurerm_firewall_policy_rule_collection_group" "prcg" { - name = "prcg" - firewall_policy_id = azurerm_firewall_policy.azfw_policy.id - priority = 300 + name = "prcg" + firewall_policy_id = azurerm_firewall_policy.azfw_policy.id + priority = 300 application_rule_collection { - name = "appRc1" + name = "appRc1" priority = 101 - action = "Allow" + action = "Allow" rule { - name = "appRule1" - protocols { - type = "Http" - port = 80 - } - protocols { - type = "Https" - port = 443 - } - destination_fqdns = [ "www.microsoft.com" ] - source_addresses = ["10.10.1.0/24"] + name = "appRule1" + protocols { + type = "Http" + port = 80 + } + protocols { + type = "Https" + port = 443 + } + destination_fqdns = ["www.microsoft.com"] + source_addresses = ["10.10.1.0/24"] } } network_rule_collection { - name = "netRc1" + name = "netRc1" priority = 200 - action = "Allow" + action = "Allow" rule { - name = "netRule1" - protocols = [ "TCP" ] - source_addresses = [ "10.10.1.0/24" ] - destination_ports = [ "8000", "8999" ] + name = "netRule1" + protocols = ["TCP"] + source_addresses = ["10.10.1.0/24"] + destination_addresses = [ "*" ] + destination_ports = ["8000", "8999"] } } } @@ -234,7 +236,7 @@ resource "azurerm_firewall" "fw" { resource_group_name = azurerm_resource_group.rg.name sku_name = "AZFW_VNet" sku_tier = var.firewall_sku_tier - zones = ["1", "2", "3"] + zones = ["1", "2", "3"] ip_configuration { name = "azfw-ipconfig" subnet_id = azurerm_subnet.azfw_subnet.id From 295ee5a644d4de5972236dca03bdcdea640148ab Mon Sep 17 00:00:00 2001 From: cshea15 Date: Mon, 25 Sep 2023 13:38:56 -0400 Subject: [PATCH 05/11] update readme --- quickstart/201-azfw-with-avzones/readme.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/quickstart/201-azfw-with-avzones/readme.md b/quickstart/201-azfw-with-avzones/readme.md index 7b97df5f6..3100d5d3e 100644 
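Review bot: The added `destination_addresses = [ "*" ]` on `netRule1` lets TCP from 10.10.1.0/24 reach any destination on the listed ports, which is far wider than the application rule's single FQDN, and the readme in later patches of this series describes only the application rule. If this is meant as a demonstration rule, say so on the line (`# demo rule: wildcard destination, narrow to the required range before reuse`); otherwise scope it to the address range the servers need to reach. Note also that `destination_ports = ["8000", "8999"]` is two discrete ports rather than a range; a range is written as a single `"8000-8999"` entry. The `zones` realignment in the hunk at @@ -234 is whitespace only.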
--- a/quickstart/201-azfw-with-avzones/readme.md +++ b/quickstart/201-azfw-with-avzones/readme.md @@ -1,6 +1,12 @@ # Deploying Azure Firewall in Availability Zones -This template deploys an [Azure Firewall](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/firewall) in Availability Zones +This template deploys a test network environment with [Azure Firewall](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/firewall) in Availability Zones. The network has one virtual network (VNet) with three subnets: AzureFirewallSubnet, ServersSubnet, and JumpboxSubnet. The ServersSubnet and JumpboxSubnet subnet each have a single, two-core Windows Server virtual machine. + +The firewall is in the AzureFirewallSubnet subnet, and has an application rule collection with a single rule that allows access to www.microsoft.com. + +A user-defined route points network traffic from the ServersSubnet subnet through the firewall, where the firewall rules are applied. + + ## Terraform resource types From 69a69c4969d64875fe9299dd37cb75ac6e5cd71f Mon Sep 17 00:00:00 2001 From: cshea15 Date: Tue, 3 Oct 2023 17:08:46 -0400 Subject: [PATCH 06/11] fixed files on feedback --- quickstart/201-azfw-with-avzones/main.tf | 14 +++++++------- quickstart/201-azfw-with-avzones/readme.md | 12 ++++++------ quickstart/201-azfw-with-avzones/variables.tf | 4 +++- 3 files changed, 16 insertions(+), 14 deletions(-) diff --git a/quickstart/201-azfw-with-avzones/main.tf b/quickstart/201-azfw-with-avzones/main.tf index f2ba30f88..f6f26cf9f 100644 --- a/quickstart/201-azfw-with-avzones/main.tf +++ b/quickstart/201-azfw-with-avzones/main.tf @@ -30,7 +30,7 @@ resource "azurerm_public_ip" "pip_azfw" { resource_group_name = azurerm_resource_group.rg.name allocation_method = "Static" sku = "Standard" - zones = [ "1", "2", "3" ] + zones = ["1", "2", "3"] } resource "azurerm_storage_account" "sa" { 
@@ -221,11 +221,11 @@ resource "azurerm_firewall_policy_rule_collection_group" "prcg" { priority = 200 action = "Allow" rule { - name = "netRule1" - protocols = ["TCP"] - source_addresses = ["10.10.1.0/24"] - destination_addresses = [ "*" ] - destination_ports = ["8000", "8999"] + name = "netRule1" + protocols = ["TCP"] + source_addresses = ["10.10.1.0/24"] + destination_addresses = ["*"] + destination_ports = ["8000", "8999"] } } } @@ -254,7 +254,7 @@ resource "azurerm_route_table" "rt" { name = "azfwDefaultRoute" address_prefix = "0.0.0.0/0" next_hop_type = "VirtualAppliance" - next_hop_in_ip_address = "10.10.0.4" + next_hop_in_ip_address = azurerm_firewall.fw.ip_configuration[0].private_ip_address } } diff --git a/quickstart/201-azfw-with-avzones/readme.md b/quickstart/201-azfw-with-avzones/readme.md index 3100d5d3e..dc098439e 100644 --- a/quickstart/201-azfw-with-avzones/readme.md +++ b/quickstart/201-azfw-with-avzones/readme.md 
@@ -26,16 +26,16 @@ A user-defined route points network traffic from the ServersSubnet subnet throug - [azurerm_storage_account](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account) - [random_password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) - [random_pet](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/pet) -- [random_string](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string)} +- [random_string](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) ## Variables | Name | Description | Default value | |-|-|-| -| `resource_group_location` | location for your resources | eastus | -| `firewall_sku_tier` | Sku size for your Firewall and Firewall Policy | Premium | -| `resource_group_name_prefix` | Prefix for your resource group | rg | -| `virtual_machine_size` | Sku size for your jump and workload vms | Standard_D2_v3 | -| `admin_username` | admin username for the jump and workload vms | azureuser | +| `resource_group_location` | Location of the resource group | eastus | +| `firewall_sku_tier` | SKU size for your Firewall and Firewall Policy. Possible values: Standard, Premium | Premium | +| `resource_group_name_prefix` | Prefix of the resource group name that's combined with a random ID so that name is unique in your Azure subscription. | rg | +| `virtual_machine_size` | SKU size for your jump and workload VMs | Standard_D2_v3 | +| `admin_username` | THe admin username for the jump and workload VMs | azureuser | ## Example \ No newline at end of file diff --git a/quickstart/201-azfw-with-avzones/variables.tf b/quickstart/201-azfw-with-avzones/variables.tf index a855798d7..11c23c95e 100644 --- a/quickstart/201-azfw-with-avzones/variables.tf +++ b/quickstart/201-azfw-with-avzones/variables.tf 
@@ -27,5 +27,7 @@ variable "virtual_machine_size" { } variable "admin_username" { - default = "azureuser" + type = string + description = "value of the admin username." + default = "azureuser" } \ No newline at end of file From 3c051b5d19e4fb4ebd5726dab74dca11260c0913 Mon Sep 17 00:00:00 2001 From: cshea15 Date: Wed, 4 Oct 2023 14:59:29 -0400 Subject: [PATCH 07/11] updating providers file --- quickstart/201-azfw-with-avzones/{provider.tf => providers.tf} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename quickstart/201-azfw-with-avzones/{provider.tf => providers.tf} (100%) diff --git a/quickstart/201-azfw-with-avzones/provider.tf b/quickstart/201-azfw-with-avzones/providers.tf similarity index 100% rename from quickstart/201-azfw-with-avzones/provider.tf rename to quickstart/201-azfw-with-avzones/providers.tf From d2fe413a19cd8ea8796490ec4282a5594ae79eca Mon Sep 17 00:00:00 2001 From: cshea15 Date: Thu, 5 Oct 2023 15:56:50 -0400 Subject: [PATCH 08/11] made small changes to file --- quickstart/201-azfw-with-avzones/readme.md | 6 +++--- quickstart/201-azfw-with-avzones/variables.tf | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/quickstart/201-azfw-with-avzones/readme.md b/quickstart/201-azfw-with-avzones/readme.md index dc098439e..1778a311a 100644 --- a/quickstart/201-azfw-with-avzones/readme.md +++ b/quickstart/201-azfw-with-avzones/readme.md 
@@ -1,10 +1,10 @@ # Deploying Azure Firewall in Availability Zones -This template deploys a test network environment with [Azure Firewall](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/firewall) in Availability Zones. The network has one virtual network (VNet) with three subnets: AzureFirewallSubnet, ServersSubnet, and JumpboxSubnet. The ServersSubnet and JumpboxSubnet subnet each have a single, two-core Windows Server virtual machine. +This template deploys a test network environment with [Azure Firewall](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/firewall) in Availability Zones. The network has one virtual network (VNet) with three subnets: AzureFirewallSubnet, server_subnet, and jump_subnet. The server-subnet and jump_subnet subnet each have a single, two-core Windows Server virtual machine. The firewall is in the AzureFirewallSubnet subnet, and has an application rule collection with a single rule that allows access to www.microsoft.com. -A user-defined route points network traffic from the ServersSubnet subnet through the firewall, where the firewall rules are applied. +A user-defined route points network traffic from the server-subnet through the firewall, where the firewall rules are applied. @@ -36,6 +36,6 @@ A user-defined route points network traffic from the ServersSubnet subnet throug | `firewall_sku_tier` | SKU size for your Firewall and Firewall Policy. Possible values: Standard, Premium | Premium | | `resource_group_name_prefix` | Prefix of the resource group name that's combined with a random ID so that name is unique in your Azure subscription. | rg | | `virtual_machine_size` | SKU size for your jump and workload VMs | Standard_D2_v3 | -| `admin_username` | THe admin username for the jump and workload VMs | azureuser | +| `admin_username` | The admin username for the jump and workload VMs | azureuser | ## Example \ No newline at end of file 
diff --git a/quickstart/201-azfw-with-avzones/variables.tf b/quickstart/201-azfw-with-avzones/variables.tf index 11c23c95e..549583d20 100644 --- a/quickstart/201-azfw-with-avzones/variables.tf +++ b/quickstart/201-azfw-with-avzones/variables.tf @@ -16,7 +16,7 @@ variable "firewall_sku_tier" { default = "Premium" # Valid values are Standard and Premium validation { condition = contains(["Standard", "Premium"], var.firewall_sku_tier) - error_message = "The sku must be one of the following: Standard, Premium" + error_message = "The SKU must be one of the following: Standard, Premium" } } @@ -28,6 +28,6 @@ variable "virtual_machine_size" { variable "admin_username" { type = string - description = "value of the admin username." + description = "Value of the admin username." default = "azureuser" } \ No newline at end of file From f436fad9efef80a69dfaede7725e4c9b7e55d898 Mon Sep 17 00:00:00 2001 From: cshea15 Date: Thu, 5 Oct 2023 15:58:18 -0400 Subject: [PATCH 09/11] small space change --- quickstart/201-azfw-with-avzones/readme.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/quickstart/201-azfw-with-avzones/readme.md b/quickstart/201-azfw-with-avzones/readme.md index 1778a311a..56db53ef9 100644 --- a/quickstart/201-azfw-with-avzones/readme.md +++ b/quickstart/201-azfw-with-avzones/readme.md 
@@ -34,7 +34,7 @@ A user-defined route points network traffic from the server-subnet through the f |-|-|-| | `resource_group_location` | Location of the resource group | eastus | | `firewall_sku_tier` | SKU size for your Firewall and Firewall Policy. Possible values: Standard, Premium | Premium | -| `resource_group_name_prefix` | Prefix of the resource group name that's combined with a random ID so that name is unique in your Azure subscription. | rg | +| `resource_group_name_prefix` | Prefix of the resource group name that's combined with a random ID so that name is unique in your Azure subscription. | rg | | `virtual_machine_size` | SKU size for your jump and workload VMs | Standard_D2_v3 | | `admin_username` | The admin username for the jump and workload VMs | azureuser | From 371cd6947e5045c05ecd8de14952975f5dc0252f Mon Sep 17 00:00:00 2001 From: cshea15 Date: Thu, 5 Oct 2023 17:18:34 -0400 Subject: [PATCH 10/11] fix format --- quickstart/201-azfw-with-avzones/readme.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/quickstart/201-azfw-with-avzones/readme.md b/quickstart/201-azfw-with-avzones/readme.md index 56db53ef9..aaa9f50f6 100644 --- a/quickstart/201-azfw-with-avzones/readme.md +++ b/quickstart/201-azfw-with-avzones/readme.md 
@@ -34,7 +34,7 @@ A user-defined route points network traffic from the server-subnet through the f |-|-|-| | `resource_group_location` | Location of the resource group | eastus | | `firewall_sku_tier` | SKU size for your Firewall and Firewall Policy. Possible values: Standard, Premium | Premium | -| `resource_group_name_prefix` | Prefix of the resource group name that's combined with a random ID so that name is unique in your Azure subscription. | rg | +| `resource_group_name_prefix` | Prefix of the resource group name that's combined with a random ID so that name is unique in your Azure subscription. | rg | | `virtual_machine_size` | SKU size for your jump and workload VMs | Standard_D2_v3 | | `admin_username` | The admin username for the jump and workload VMs | azureuser | From 1f19491026c22a5033bd5536c3af7bd34ada1973 Mon Sep 17 00:00:00 2001 From: cshea15 Date: Fri, 6 Oct 2023 10:11:06 -0400 Subject: [PATCH 11/11] fixed jump-subnet --- quickstart/201-azfw-with-avzones/readme.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/quickstart/201-azfw-with-avzones/readme.md b/quickstart/201-azfw-with-avzones/readme.md index aaa9f50f6..f795edf7d 100644 --- a/quickstart/201-azfw-with-avzones/readme.md +++ b/quickstart/201-azfw-with-avzones/readme.md 
@@ -1,6 +1,6 @@ # Deploying Azure Firewall in Availability Zones -This template deploys a test network environment with [Azure Firewall](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/firewall) in Availability Zones. The network has one virtual network (VNet) with three subnets: AzureFirewallSubnet, server_subnet, and jump_subnet. The server-subnet and jump_subnet subnet each have a single, two-core Windows Server virtual machine. +This template deploys a test network environment with [Azure Firewall](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/firewall) in Availability Zones. The network has one virtual network (VNet) with three subnets: AzureFirewallSubnet, server_subnet, and jump_subnet. The server-subnet and jump-subnet subnet each have a single, two-core Windows Server virtual machine. The firewall is in the AzureFirewallSubnet subnet, and has an application rule collection with a single rule that allows access to www.microsoft.com.