Add support for virtual_hubs to firewall and connections

aztfmod · Jul 6, 2021 · 8c3b187 · 8c3b187
1 parent f314c82
commit 8c3b187
Show file tree

Hide file tree

Showing 6 changed files with 115 additions and 47 deletions.
diff --git a/examples/networking/virtual_wan/105-vwan-hub-route-table/virtual_wan.tfvars b/examples/networking/virtual_wan/105-vwan-hub-route-table/virtual_wan.tfvars
@@ -17,20 +17,30 @@ virtual_wans = {
     resource_group_key = "hub_re1"
     name               = "contosovWAN-re1"
     region             = "region1"
+  }
+}
 
-    hubs = {
-      hub_re1 = {
-        hub_name           = "hub-re1"
-        region             = "region1"
-        hub_address_prefix = "10.0.3.0/24"
-        deploy_firewall    = false
-        deploy_p2s         = false
-        p2s_config         = {}
-        deploy_s2s         = false
-        s2s_config         = {}
-        deploy_er          = false
-      }
+virtual_hubs = {
+  hub_re1 = {
+    virtual_wan = {
+      # lz_key = "" # for remote deployment
+      key    = "vwan_re1"
+    }
+
+    resource_group = {
+      # lz_key = "" # for remote deployment
+      key = "hub_re1"
     }
+
+    hub_name           = "hub-re1"
+    region             = "region1"
+    hub_address_prefix = "10.0.3.0/24"
+    deploy_firewall    = false
+    deploy_p2s         = false
+    p2s_config         = {}
+    deploy_s2s         = false
+    s2s_config         = {}
+    deploy_er          = false
   }
 }
 
@@ -39,19 +49,26 @@ virtual_hub_route_tables = {
   routetable1 = {
     name = "example-vhubroutetable1"
 
-    virtual_wan_key = "vwan_re1"
-    virtual_hub_key = "hub_re1"
+    virtual_hub = {
+      key = "hub_re1"
+    }
 
     labels = ["label1"]
     routes = {
-      # r1 = {
-      #   name              = "example-route1"
+      # egress_internet = {
+      #   name              = "egress-internet"
       #   destinations_type = "CIDR"
-      #   destinations      = ["10.0.0.0/16"]
+      #   destinations      = ["0.0.0.0/0"]
+
+      #   # Either next_hop or next_hop_id can be used
+      #   #
+      #   # When using next_hop, the virtual_hub_connection must be deployed in a different landingzone. This cannot be tested in the standalone module.
+      #   # Will be covered in the landingzone starter production configuration in future releases.
+      #   #
       #   next_hop = {
-      #     # lz_key if the connection is in a different deployment
-      #     resource_type = "azurerm_firewall"
-      #     resource_key  = "con2"
+      #     lz_key = "" # 
+      #     resource_type = "virtual_hub_connection"  # Only supported value.
+      #     resource_key  = "egress-fw"
       #   }
       #   #to cather for external object
       #   #next_hop_id       = "Azure_Resource_ID"
@@ -61,8 +78,9 @@ virtual_hub_route_tables = {
   routetable2 = {
     name = "example-vhubroutetable2"
 
-    virtual_wan_key = "vwan_re1"
-    virtual_hub_key = "hub_re1"
+    virtual_hub = {
+      key = "hub_re1"
+    }
 
     labels = ["label2"]
   }
@@ -76,9 +94,8 @@ virtual_hub_connections = {
     name                      = "vnet1-con1"
     internet_security_enabled = true
 
-    vhub = {
-      virtual_wan_key = "vwan_re1"
-      virtual_hub_key = "hub_re1"
+    virtual_hub = {
+      key = "hub_re1"
     }
 
     vnet = {
@@ -101,13 +118,22 @@ virtual_hub_connections = {
         }
 
         static_vnet_route = {
-          # crm = {
-          #   name = "crm"
-          #   address_prefixes  = [
-          #     "10.12.13.0/21"
-          #   ]
-          #   next_hop_ip_address = "192.34.23.11"
-          # }
+          egress_internet = {
+            name = "egress-internet"
+            address_prefixes  = [
+              "0.0.0.0/0"
+            ]
+
+
+            # Either next_hop or next_hop_ip_address can be used
+            next_hop = {
+              # lz_key = "" # 
+              key  = "egress-fw"
+              interface_index = 0         # Required.
+            }
+
+            # next_hop_ip_address = "192.34.23.11"
+          }
         }
 
       }
@@ -118,9 +144,8 @@ virtual_hub_connections = {
     name                      = "vnet2-con2"
     internet_security_enabled = true
 
-    vhub = {
-      virtual_wan_key = "vwan_re1"
-      virtual_hub_key = "hub_re1"
+    virtual_hub = {
+      key = "hub_re1"
     }
 
     vnet = {
@@ -161,18 +186,43 @@ virtual_hub_connections = {
 
 }
 
+azurerm_firewalls = {
+  egress-fw = {
+    name               = "egress-firewall"
+    sku_name           = "AZFW_Hub"
+    sku_tier           = "Standard"
+    resource_group_key = "hub_re1"
+    vnet_key           = "vnet1_region1"
+    virtual_hub = {
+      hub_re1 = {
+        virtual_wan_key = "vwan_re1"
+        virtual_hub_key = "hub_re1"
+        #virtual_hub_id = "Azure_resource_id"
+        #lz_key = "lz_key"
+        public_ip_count = 1
+      }
+    }
+  }
+}
+
+
 vnets = {
   vnet1_region1 = {
     resource_group_key = "hub_re1"
     vnet = {
       name          = "vwan_demo1"
       address_space = ["10.100.100.0/24"]
     }
-    specialsubnets = {}
+    specialsubnets = {
+      AzureFirewallSubnet = {
+        name = "AzureFirewallSubnet" # must be named AzureFirewallSubnet
+        cidr = ["10.100.100.128/25"]
+      }
+    }
     subnets = {
       example = {
         name = "vwan_demo"
-        cidr = ["10.100.100.0/29"]
+        cidr = ["10.100.100.0/25"]
       }
     }
 

diff --git a/modules/networking/firewall/module.tf b/modules/networking/firewall/module.tf
@@ -12,16 +12,17 @@ resource "azurecaf_name" "fw" {
 
 resource "azurerm_firewall" "fw" {
 
+  dns_servers         = try(var.settings.dns_servers, null)
+  firewall_policy_id  = var.firewall_policy_id
+  location            = var.location
   name                = azurecaf_name.fw.result
+  private_ip_ranges   = try(var.settings.private_ip_ranges, null)
   resource_group_name = var.resource_group_name
-  location            = var.location
-  threat_intel_mode   = try(var.settings.virtual_hub, null) != null ? "" : try(var.settings.threat_intel_mode, "Alert")
-  zones               = try(var.settings.zones, null)
   sku_name            = try(var.settings.sku_name, "AZFW_VNet")
   sku_tier            = try(var.settings.sku_tier, "Standard")
-  firewall_policy_id  = var.firewall_policy_id
-  dns_servers         = try(var.settings.dns_servers, null)
   tags                = local.tags
+  threat_intel_mode   = try(var.settings.virtual_hub, null) != null ? "" : try(var.settings.threat_intel_mode, "Alert")
+  zones               = try(var.settings.zones, null)
 
   ## direct subnet_id reference
   dynamic "ip_configuration" {
@@ -77,7 +78,14 @@ resource "azurerm_firewall" "fw" {
   dynamic "virtual_hub" {
     for_each = try(var.settings.virtual_hub, {})
     content {
-      virtual_hub_id  = try(virtual_hub.value.virtual_hub_id, null) != null ? virtual_hub.value.virtual_hub_id : var.virtual_wans[virtual_hub.value.virtual_wan_key].virtual_hubs[virtual_hub.value.virtual_hub_key].id
+      virtual_hub_id = coalesce(
+        try(virtual_hub.value.virtual_hub_id, null),
+        try(var.virtual_wans[virtual_hub.value.lz_key][virtual_hub.value.virtual_wan_key].virtual_hubs[virtual_hub.value.virtual_hub_key].id, null),
+        try(var.virtual_wans[var.client_config.landingzone_key][virtual_hub.value.virtual_wan_key].virtual_hubs[virtual_hub.value.virtual_hub_key].id, null),
+        try(var.virtual_hubs[virtual_hub.value.lz_key][virtual_hub.value.virtual_hub_key].id, null),
+        try(var.virtual_hubs[var.client_config.landingzone_key][virtual_hub.value.virtual_hub_key].id, null)
+      )
+
       public_ip_count = try(virtual_hub.value.public_ip_count, 1)
     }
   }

diff --git a/modules/networking/firewall/output.tf b/modules/networking/firewall/output.tf
@@ -16,4 +16,9 @@ output "resource_group_name" {
 output "ip_configuration" {
   description = "The Private IP address of the Azure Firewall."
   value       = azurerm_firewall.fw.ip_configuration
+}
+
+output "virtual_hub" {
+  description = "A virtual_hub block with private_ip_address and punlic_ip_addresses."
+  value       = azurerm_firewall.fw.virtual_hub
 }
diff --git a/modules/networking/firewall/variables.tf b/modules/networking/firewall/variables.tf
@@ -53,6 +53,10 @@ variable "virtual_wans" {
   default = {}
 }
 
+variable "virtual_hubs" {
+  default = {}
+}
+
 variable "virtual_networks" {
 
 }

diff --git a/networking_firewall.tf b/networking_firewall.tf
@@ -8,8 +8,8 @@ module "azurerm_firewalls" {
 
   base_tags           = try(local.global_settings.inherit_tags, false) ? local.resource_groups[each.value.resource_group_key].tags : {}
   client_config       = local.client_config
-  diagnostics         = local.combined_diagnostics
   diagnostic_profiles = try(each.value.diagnostic_profiles, null)
+  diagnostics         = local.combined_diagnostics
   global_settings     = local.global_settings
   location            = lookup(each.value, "region", null) == null ? local.resource_groups[each.value.resource_group_key].location : local.global_settings.regions[each.value.region]
   name                = each.value.name
@@ -20,8 +20,9 @@ module "azurerm_firewalls" {
   settings            = each.value
   subnet_id           = module.networking[each.value.vnet_key].subnets["AzureFirewallSubnet"].id
   tags                = try(each.value.tags, null)
+  virtual_hubs        = local.combined_objects_virtual_hubs
   virtual_networks    = local.combined_objects_networking
-  virtual_wans        = module.virtual_wans
+  virtual_wans        = local.combined_objects_virtual_wans
 
   firewall_policy_id = try(coalesce(
     try(local.combined_objects_azurerm_firewall_policies[each.value.firewall_policy.lz_key][each.value.firewall_policy.key].id, null),

diff --git a/networking_virtual_hub_connection.tf b/networking_virtual_hub_connection.tf
@@ -12,7 +12,7 @@ output "virtual_hub_connection" {
 
 # Virtual Hub Peerings to virtual networks
 resource "azurerm_virtual_hub_connection" "vhub_connection" {
-  depends_on = [azurerm_virtual_hub_route_table.route_table]
+  depends_on = [azurerm_virtual_hub_route_table.route_table, module.azurerm_firewalls]
   for_each   = local.networking.virtual_hub_connections
 
   name           = each.value.name
@@ -68,7 +68,7 @@ resource "azurerm_virtual_hub_connection" "vhub_connection" {
             try(local.combined_objects_azurerm_firewalls[static_vnet_route.value.next_hop.lz_key][static_vnet_route.value.next_hop.key].ip_configuration[static_vnet_route.value.next_hop.interface_index].private_ip_address, null),
             try(local.combined_objects_azurerm_firewalls[static_vnet_route.value.next_hop.lz_key][static_vnet_route.value.next_hop.key].virtual_hub.private_ip_address, null),
             try(local.combined_objects_azurerm_firewalls[local.client_config.landingzone_key][static_vnet_route.value.next_hop.key].ip_configuration[static_vnet_route.value.next_hop.interface_index].private_ip_address, null),
-            try(local.combined_objects_azurerm_firewalls[local.client_config.landingzone_key][static_vnet_route.value.next_hop.key].virtual_hub.private_ip_address, null)
+            try(local.combined_objects_azurerm_firewalls[local.client_config.landingzone_key][static_vnet_route.value.next_hop.key].virtual_hub[static_vnet_route.value.next_hop.interface_index].private_ip_address, null)
           )
         }
       }