This Terraform configuration defines an Azure infrastructure using the Azure provider.
This module provides a Terraform configuration for deploying various Azure resources as part of your infrastructure. The configuration includes the deployment of resource groups, virtual networks, subnets, and a firewall.
To use this module, you should have Terraform installed and configured for AZURE. This module provides the necessary Terraform configuration for creating AZURE resources, and you can customize the inputs as needed. Below is an example of how to use this module:
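module "firewall" {
  depends_on = [module.name_specific_subnet]
  source     = "git::https://github.com/opsstation/terraform-azure-firewall.git?ref=v1.0.0"

  name                = local.name
  environment         = local.environment
  resource_group_name = module.resource_group.resource_group_name
  location            = module.resource_group.resource_group_location
  subnet_id           = module.name_specific_subnet.specific_subnet_id

  # Names of the public IPs to create. Order matters: the NAT rules below refer
  # to them by index as public_ip_address[0] ("ingress") and [1] ("vnet").
  public_ip_names = ["ingress", "vnet"]

  firewall_enable     = true
  policy_rule_enabled = true

  # Application rules (FQDN based). The "*" values are placeholders that allow
  # everything; replace them with the client ranges and hosts you actually need.
  application_rule_collection = [
    {
      name     = "example_app_policy"
      priority = 200
      action   = "Allow"
      rules = [
        {
          name              = "app_test"
          source_addresses  = ["*"] # placeholder, e.g. ["X.X.X.X"]
          destination_fqdns = ["*"] # placeholder, e.g. ["<fqdn>"]
          protocols = [
            { port = "443", type = "Https" },
            { port = "80", type = "Http" }
          ]
        }
      ]
    }
  ]

  # Network rules (L3/L4). As written, "ssh" and "smtp" accept any source to
  # any destination; restrict source_addresses/destination_addresses before use.
  # Priorities are given as numbers throughout so all collections use one type.
  network_rule_collection = [
    {
      name     = "example_network_policy"
      priority = 100
      action   = "Allow"
      rules = [
        {
          name                  = "ssh"
          protocols             = ["TCP"]
          source_addresses      = ["*"] # placeholder, e.g. ["X.X.X.X"]
          destination_addresses = ["*"] # placeholder, e.g. ["X.X.X.X"]
          destination_ports     = ["22"]
        }
      ]
    },
    {
      name     = "example_network_policy-2"
      priority = 101
      action   = "Allow"
      rules = [
        {
          name                  = "smtp"
          protocols             = ["TCP"]
          source_addresses      = ["*"] # placeholder, e.g. ["X.X.X.X"]
          destination_addresses = ["*"] # placeholder, e.g. ["X.X.X.X"]
          destination_ports     = ["587"]
        }
      ]
    }
  ]

  # DNAT rules: inbound traffic reaching a firewall public IP on destination_ports
  # is forwarded to translated_address:translated_port. Each rule object declares
  # source_addresses exactly once (a duplicated key is an HCL error).
  # NOTE(review): destination_address reads an output of this same module call;
  # if your Terraform version reports a cycle here, move the rule collections
  # into a second module call fed with firewall_policy_id instead.
  nat_rule_collection = [
    {
      name     = "example_nat_policy-1"
      priority = 101
      rules = [
        {
          name                = "http"
          protocols           = ["TCP"]
          source_addresses    = ["*"] # placeholder, e.g. ["X.X.X.X"]
          destination_ports   = ["80"]
          translated_port     = "80"
          translated_address  = "10.1.1.1" # private IP of the backend to translate to
          destination_address = module.firewall.public_ip_address[1] # index 1 = "vnet" public IP
        },
        {
          name                = "https"
          protocols           = ["TCP"]
          source_addresses    = ["*"] # placeholder, e.g. ["X.X.X.X"]
          destination_ports   = ["443"]
          translated_port     = "443"
          translated_address  = "10.1.1.1" # private IP of the backend to translate to
          destination_address = module.firewall.public_ip_address[1] # index 1 = "vnet" public IP
        }
      ]
    },
    {
      name     = "example-nat-policy-2"
      priority = 100
      rules = [
        {
          name                = "http"
          protocols           = ["TCP"]
          source_addresses    = ["*"] # placeholder, e.g. ["X.X.X.X"]
          destination_ports   = ["80"]
          translated_port     = "80"
          translated_address  = "10.1.1.2" # private IP of the backend to translate to
          destination_address = module.firewall.public_ip_address[0] # index 0 = "ingress" public IP
        },
        {
          name                = "https"
          protocols           = ["TCP"]
          source_addresses    = ["*"] # placeholder, e.g. ["X.X.X.X"]
          destination_ports   = ["443"]
          translated_port     = "443"
          translated_address  = "10.1.1.2" # private IP of the backend to translate to
          destination_address = module.firewall.public_ip_address[0] # index 0 = "ingress" public IP
        }
      ]
    }
  ]
}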
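module "firewall-rules" {
  # Second call of the same module used only to attach rule collections to an
  # already created firewall policy (firewall_policy_id), keeping firewall
  # creation and rule management in separate module calls.
  depends_on = [module.firewall]
  source     = "git::https://github.com/opsstation/terraform-azure-firewall.git?ref=v1.0.0"

  name                = local.name
  environment         = local.environment
  policy_rule_enabled = true
  firewall_policy_id  = module.firewall.firewall_policy_id

  # Application rules (FQDN based). The "*" values are placeholders that allow
  # everything; replace them with the client ranges and hosts you actually need.
  application_rule_collection = [
    {
      name     = "example_app_policy"
      priority = 200
      action   = "Allow"
      rules = [
        {
          name              = "app_test"
          source_addresses  = ["*"] # placeholder, e.g. ["X.X.X.X"]
          destination_fqdns = ["*"] # placeholder, e.g. ["<fqdn>"]
          protocols = [
            { port = "443", type = "Https" },
            { port = "80", type = "Http" }
          ]
        }
      ]
    }
  ]

  # Network rules (L3/L4). As written, "ssh" and "smtp" accept any source to
  # any destination; restrict source_addresses/destination_addresses before use.
  # Priorities are given as numbers throughout so all collections use one type.
  network_rule_collection = [
    {
      name     = "example_network_policy"
      priority = 100
      action   = "Allow"
      rules = [
        {
          name                  = "ssh"
          protocols             = ["TCP"]
          source_addresses      = ["*"] # placeholder, e.g. ["X.X.X.X"]
          destination_addresses = ["*"] # placeholder, e.g. ["X.X.X.X"]
          destination_ports     = ["22"]
        }
      ]
    },
    {
      name     = "example_network_policy-2"
      priority = 101
      action   = "Allow"
      rules = [
        {
          name                  = "smtp"
          protocols             = ["TCP"]
          source_addresses      = ["*"] # placeholder, e.g. ["X.X.X.X"]
          destination_addresses = ["*"] # placeholder, e.g. ["X.X.X.X"]
          destination_ports     = ["587"]
        }
      ]
    }
  ]

  # DNAT rules: inbound traffic reaching a firewall public IP on destination_ports
  # is forwarded to translated_address:translated_port. Each rule object declares
  # source_addresses exactly once (a duplicated key is an HCL error).
  # destination_address comes from the "firewall" module call above, whose
  # public_ip_names = ["ingress", "vnet"] fixes the index meaning.
  nat_rule_collection = [
    {
      name     = "example_nat_policy-1"
      priority = 101
      rules = [
        {
          name                = "http"
          protocols           = ["TCP"]
          source_addresses    = ["*"] # placeholder, e.g. ["X.X.X.X"]
          destination_ports   = ["80"]
          translated_port     = "80"
          translated_address  = "10.1.1.1" # private IP of the backend to translate to
          destination_address = module.firewall.public_ip_address[1] # index 1 = "vnet" public IP
        },
        {
          name                = "https"
          protocols           = ["TCP"]
          source_addresses    = ["*"] # placeholder, e.g. ["X.X.X.X"]
          destination_ports   = ["443"]
          translated_port     = "443"
          translated_address  = "10.1.1.1" # private IP of the backend to translate to
          destination_address = module.firewall.public_ip_address[1] # index 1 = "vnet" public IP
        }
      ]
    },
    {
      name     = "example-nat-policy-2"
      priority = 100
      rules = [
        {
          name                = "http"
          protocols           = ["TCP"]
          source_addresses    = ["*"] # placeholder, e.g. ["X.X.X.X"]
          destination_ports   = ["80"]
          translated_port     = "80"
          translated_address  = "10.1.1.2" # private IP of the backend to translate to
          destination_address = module.firewall.public_ip_address[0] # index 0 = "ingress" public IP
        },
        {
          name                = "https"
          protocols           = ["TCP"]
          source_addresses    = ["*"] # placeholder, e.g. ["X.X.X.X"]
          destination_ports   = ["443"]
          translated_port     = "443"
          translated_address  = "10.1.1.2" # private IP of the backend to translate to
          destination_address = module.firewall.public_ip_address[0] # index 0 = "ingress" public IP
        }
      ]
    }
  ]
}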
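module "firewall" {
  # Variant that allocates the firewall public IPs out of a public IP prefix
  # instead of creating individual public IPs.
  depends_on = [module.name_specific_subnet]
  source     = "git::https://github.com/opsstation/terraform-azure-firewall.git?ref=v1.0.0"

  name                = local.name
  environment         = local.environment
  resource_group_name = module.resource_group.resource_group_name
  location            = module.resource_group.resource_group_location
  subnet_id           = module.name_specific_subnet.specific_subnet_id

  # A /31 prefix holds 2 addresses, one per entry in prefix_public_ip_names.
  # Order matters: the NAT rules below refer to them by index as
  # prefix_public_ip_address[0] ("test-1") and [1] ("test-2").
  public_ip_prefix_enable = true
  prefix_public_ip_names  = ["test-1", "test-2"]
  public_ip_prefix_length = 31
  enable_prefix_subnet    = true

  firewall_enable     = true
  policy_rule_enabled = true

  # Application rules (FQDN based). The "*" values are placeholders that allow
  # everything; replace them with the client ranges and hosts you actually need.
  application_rule_collection = [
    {
      name     = "example_app_policy"
      priority = 200
      action   = "Allow"
      rules = [
        {
          name              = "app_test"
          source_addresses  = ["*"] # placeholder, e.g. ["X.X.X.X"]
          destination_fqdns = ["*"] # placeholder, e.g. ["<fqdn>"]
          protocols = [
            { port = "443", type = "Https" },
            { port = "80", type = "Http" }
          ]
        }
      ]
    }
  ]

  # Network rules (L3/L4). As written, "ssh" and "smtp" accept any source to
  # any destination; restrict source_addresses/destination_addresses before use.
  # Priorities are given as numbers throughout so all collections use one type.
  network_rule_collection = [
    {
      name     = "example_network_policy"
      priority = 100
      action   = "Allow"
      rules = [
        {
          name                  = "ssh"
          protocols             = ["TCP"]
          source_addresses      = ["*"] # placeholder, e.g. ["X.X.X.X"]
          destination_addresses = ["*"] # placeholder, e.g. ["X.X.X.X"]
          destination_ports     = ["22"]
        }
      ]
    },
    {
      name     = "example_network_policy-2"
      priority = 101
      action   = "Allow"
      rules = [
        {
          name                  = "smtp"
          protocols             = ["TCP"]
          source_addresses      = ["*"] # placeholder, e.g. ["X.X.X.X"]
          destination_addresses = ["*"] # placeholder, e.g. ["X.X.X.X"]
          destination_ports     = ["587"]
        }
      ]
    }
  ]

  # DNAT rules: inbound traffic reaching a firewall public IP on destination_ports
  # is forwarded to translated_address:translated_port. Each rule object declares
  # source_addresses exactly once (a duplicated key is an HCL error).
  # NOTE(review): destination_address reads an output of this same module call;
  # if your Terraform version reports a cycle here, move the rule collections
  # into a second module call fed with firewall_policy_id instead.
  nat_rule_collection = [
    {
      name     = "example_nat_policy-1"
      priority = 101
      rules = [
        {
          name                = "http"
          protocols           = ["TCP"]
          source_addresses    = ["*"] # placeholder, e.g. ["X.X.X.X"]
          destination_ports   = ["80"]
          translated_port     = "80"
          translated_address  = "10.1.1.1" # private IP of the backend to translate to
          destination_address = module.firewall.prefix_public_ip_address[1] # index 1 = "test-2" prefix IP
        },
        {
          name                = "https"
          protocols           = ["TCP"]
          source_addresses    = ["*"] # placeholder, e.g. ["X.X.X.X"]
          destination_ports   = ["443"]
          translated_port     = "443"
          translated_address  = "10.1.1.1" # private IP of the backend to translate to
          destination_address = module.firewall.prefix_public_ip_address[1] # index 1 = "test-2" prefix IP
        }
      ]
    },
    {
      name     = "example-nat-policy-2"
      priority = 100
      rules = [
        {
          name                = "http"
          protocols           = ["TCP"]
          source_addresses    = ["*"] # placeholder, e.g. ["X.X.X.X"]
          destination_ports   = ["80"]
          translated_port     = "80"
          translated_address  = "10.1.1.2" # private IP of the backend to translate to
          destination_address = module.firewall.prefix_public_ip_address[0] # index 0 = "test-1" prefix IP
        },
        {
          name                = "https"
          protocols           = ["TCP"]
          source_addresses    = ["*"] # placeholder, e.g. ["X.X.X.X"]
          destination_ports   = ["443"]
          translated_port     = "443"
          translated_address  = "10.1.1.2" # private IP of the backend to translate to
          destination_address = module.firewall.prefix_public_ip_address[0] # index 0 = "test-1" prefix IP
        }
      ]
    }
  ]
}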
This example demonstrates how to create various AZURE resources using the provided modules. Adjust the input values to suit your specific requirements.
For detailed examples on how to use this module, please refer to the examples directory within this repository.
This Terraform module is provided under the MIT License. Please see the LICENSE file for more details.
Your Name. Replace MIT and OpsStation with the appropriate license and your information. Feel free to expand this README with additional details or usage instructions as needed for your specific use case.
Name | Version |
---|---|
terraform | >= 1.3.0 |
azurerm | >=2.90.0 |
Name | Version |
---|---|
azurerm | >=2.90.0 |
Name | Source | Version |
---|---|---|
labels | git::https://github.com/opsstation/terraform-azure-labels.git | v1.0.0 |
Name | Description | Type | Default | Required |
---|---|---|---|---|
additional_public_ips | List of additional public ips' ids to attach to the firewall. | list(object({ | [] | no |
app_policy_collection_group | (optional) Name of app policy group | string | "DefaultApplicationRuleCollectionGroup" | no |
application_rule_collection | One or more application_rule_collection blocks as defined below. | any | {} | no |
dnat-destination_ip | Variable to specify that you have destination ip to attach to policy or not. (Destination ip is public ip that is attached to firewall) | bool | true | no |
dns_servers | DNS Servers to use with Azure Firewall. Using this also activates DNS Proxy. | list(string) | null | no |
enable_ip_subnet | Should subnet id be attached to first public ip name specified in public ip names variable. To be true when there is no individual public ip. | bool | true | no |
enable_prefix_subnet | Should subnet id be attached to first public ip name specified in public ip prefix name variable. To be true when there is no individual public ip. | bool | false | no |
enabled | Set to false to prevent the module from creating any resources. | bool | true | no |
environment | Environment (e.g. prod, dev, staging). | string | "" | no |
firewall_enable | n/a | bool | false | no |
firewall_policy_id | The ID of the Firewall Policy. | string | null | no |
firewall_private_ip_ranges | A list of SNAT private CIDR IP ranges, or the special string IANAPrivateRanges, which indicates Azure Firewall does not SNAT when the destination IP address is a private range per IANA RFC 1918. | list(string) | null | no |
identity_type | Specifies the type of Managed Service Identity that should be configured on this Storage Account. Possible values are SystemAssigned, UserAssigned, SystemAssigned, UserAssigned (to enable both). | string | "UserAssigned" | no |
label_order | Label order, e.g. sequence of application name and environment: name, environment, attribute (webserver, qa, devops, public, ...). | list(any) | [ | no |
location | The location/region where the virtual network is created. Changing this forces a new resource to be created. | string | "" | no |
managedby | ManagedBy, eg 'opsstation'. | string | "" | no |
name | Name (e.g. app or cluster). | string | "" | no |
nat_policy_collection_group | (optional) Name of nat policy group | string | "DefaultDnatRuleCollectionGroup" | no |
nat_rule_collection | One or more nat_rule_collection blocks as defined below. | any | {} | no |
net_policy_collection_group | (optional) Name of network policy group | string | "DefaultNetworkRuleCollectionGroup" | no |
network_rule_collection | One or more network_rule_collection blocks as defined below. | any | {} | no |
policy_rule_enabled | Flag used to control creation of policy rules. | bool | false | no |
prefix_public_ip_allocation_method | n/a | string | "Static" | no |
prefix_public_ip_names | Name of prefix public ips. | list(string) | [] | no |
prefix_public_ip_sku | n/a | string | "Standard" | no |
public_ip_allocation_method | Defines the allocation method for this IP address. Possible values are Static or Dynamic | any | "Static" | no |
public_ip_names | n/a | list(string) | [] | no |
public_ip_prefix_enable | Flag to control creation of public ip prefix resource. | bool | false | no |
public_ip_prefix_ip_version | The IP Version to use, IPv6 or IPv4. Changing this forces a new resource to be created. Default is IPv4 | string | "IPv4" | no |
public_ip_prefix_length | Specifies the number of bits of the prefix. The value can be set between 0 (4,294,967,296 addresses) and 31 (2 addresses). Defaults to 28 (16 addresses). Changing this forces a new resource to be created. | number | 31 | no |
public_ip_prefix_sku | SKU for public ip prefix. Default to standard. | string | "Standard" | no |
public_ip_sku | The SKU of the Public IP. Accepted values are Basic and Standard. Defaults to Basic | any | "Standard" | no |
repository | Terraform current module repo | string | "https://github.com/opsstation/terraform-azure-firewall" | no |
resource_group_name | A container that holds related resources for an Azure solution | any | "" | no |
sku_name | (optional) describe your variable | string | "AZFW_VNet" | no |
sku_policy | Specifies the firewall-policy sku | string | "Standard" | no |
sku_tier | Specifies the firewall sku tier | string | "Standard" | no |
subnet_id | Subnet ID | string | "" | no |
threat_intel_mode | (Optional) The operation mode for threat intelligence-based filtering. Possible values are: Off, Alert, Deny. Defaults to Alert. | string | "Alert" | no |
Name | Description |
---|---|
firewall_id | Firewall generated id |
firewall_name | Firewall name |
firewall_policy_id | n/a |
prefix_public_ip_address | n/a |
prefix_public_ip_id | n/a |
private_ip_address | Firewall private IP |
public_ip_address | n/a |
public_ip_id | n/a |
public_ip_prefix_id | n/a |