From 8c3b1873cc1b85efd79ad0f3da5f92fae8124417 Mon Sep 17 00:00:00 2001 From: lolorol Date: Tue, 6 Jul 2021 13:57:26 +0000 Subject: [PATCH] Add support for virtual_hubs to firewall and connections --- .../virtual_wan.tfvars | 124 ++++++++++++------ modules/networking/firewall/module.tf | 20 ++- modules/networking/firewall/output.tf | 5 + modules/networking/firewall/variables.tf | 4 + networking_firewall.tf | 5 +- networking_virtual_hub_connection.tf | 4 +- 6 files changed, 115 insertions(+), 47 deletions(-) diff --git a/examples/networking/virtual_wan/105-vwan-hub-route-table/virtual_wan.tfvars b/examples/networking/virtual_wan/105-vwan-hub-route-table/virtual_wan.tfvars index 2db0378b85..4922e36e75 100644 --- a/examples/networking/virtual_wan/105-vwan-hub-route-table/virtual_wan.tfvars +++ b/examples/networking/virtual_wan/105-vwan-hub-route-table/virtual_wan.tfvars @@ -17,20 +17,30 @@ virtual_wans = { resource_group_key = "hub_re1" name = "contosovWAN-re1" region = "region1" + } +} - hubs = { - hub_re1 = { - hub_name = "hub-re1" - region = "region1" - hub_address_prefix = "10.0.3.0/24" - deploy_firewall = false - deploy_p2s = false - p2s_config = {} - deploy_s2s = false - s2s_config = {} - deploy_er = false - } +virtual_hubs = { + hub_re1 = { + virtual_wan = { + # lz_key = "" # for remote deployment + key = "vwan_re1" + } + + resource_group = { + # lz_key = "" # for remote deployment + key = "hub_re1" } + + hub_name = "hub-re1" + region = "region1" + hub_address_prefix = "10.0.3.0/24" + deploy_firewall = false + deploy_p2s = false + p2s_config = {} + deploy_s2s = false + s2s_config = {} + deploy_er = false } } 
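Review bot: `deploy_firewall = false` on `hub_re1` is left unexplained, while the same example later attaches an `AZFW_Hub` firewall to this hub through `azurerm_firewalls`, so a reader could flip it to true and end up with two firewalls declared for one hub. Add a comment on that line, e.g. `deploy_firewall = false # the hub firewall is declared in azurerm_firewalls (egress-fw) below; do not enable both`. The `# lz_key = "" # for remote deployment` hints would also be clearer if they said which landing zone key is expected rather than showing an empty string.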
@@ -39,19 +49,26 @@ virtual_hub_route_tables = { routetable1 = { name = "example-vhubroutetable1" - virtual_wan_key = "vwan_re1" - virtual_hub_key = "hub_re1" + virtual_hub = { + key = "hub_re1" + } labels = ["label1"] routes = { - # r1 = { - # name = "example-route1" + # egress_internet = { + # name = "egress-internet" # destinations_type = "CIDR" - # destinations = ["10.0.0.0/16"] + # destinations = ["0.0.0.0/0"] + + # # Either next_hop or next_hop_id can be used + # # + # # When using next_hop, the virtual_hub_connection must be deployed in a different landingzone. This cannot be tested in the standalone module. + # # Will be covered in the landingzone starter production configuration in future releases. + # # # next_hop = { - # # lz_key if the connection is in a different deployment - # resource_type = "azurerm_firewall" - # resource_key = "con2" + # lz_key = "" # + # resource_type = "virtual_hub_connection" # Only supported value. + # resource_key = "egress-fw" # } # #to cather for external object # #next_hop_id = "Azure_Resource_ID" @@ -61,8 +78,9 @@ virtual_hub_route_tables = { routetable2 = { name = "example-vhubroutetable2" - virtual_wan_key = "vwan_re1" - virtual_hub_key = "hub_re1" + virtual_hub = { + key = "hub_re1" + } labels = ["label2"] } @@ -76,9 +94,8 @@ virtual_hub_connections = { name = "vnet1-con1" internet_security_enabled = true - vhub = { - virtual_wan_key = "vwan_re1" - virtual_hub_key = "hub_re1" + virtual_hub = { + key = "hub_re1" } vnet = { @@ -101,13 +118,22 @@ virtual_hub_connections = { } static_vnet_route = { - # crm = { - # name = "crm" - # address_prefixes = [ - # "10.12.13.0/21" - # ] - # next_hop_ip_address = "192.34.23.11" - # } + egress_internet = { + name = "egress-internet" + address_prefixes = [ + "0.0.0.0/0" + ] + + + # Either next_hop or next_hop_ip_address can be used + next_hop = { + # lz_key = "" # + key = "egress-fw" + interface_index = 0 # Required. + } + + # next_hop_ip_address = "192.34.23.11" + } } } 
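Review bot: `interface_index = 0 # Required.` in the new `egress_internet` static route does not say what the index selects, yet with `address_prefixes = ["0.0.0.0/0"]` that value decides where every packet leaving vnet1 is sent. From networking_virtual_hub_connection.tf it indexes the referenced firewall's `ip_configuration` (AZFW_VNet) or `virtual_hub` (AZFW_Hub) entry whose `private_ip_address` becomes the next hop, so the comment should say so: `interface_index = 0 # Required: entry of the firewall's ip_configuration / virtual_hub block whose private_ip_address is used as next hop`. It is also worth a note beside the prefix that `0.0.0.0/0` covers private ranges as well, so spoke-to-spoke traffic from this connection is forced through the firewall too unless a more specific route exists.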
@@ -118,9 +144,8 @@ virtual_hub_connections = { name = "vnet2-con2" internet_security_enabled = true - vhub = { - virtual_wan_key = "vwan_re1" - virtual_hub_key = "hub_re1" + virtual_hub = { + key = "hub_re1" } vnet = { @@ -161,6 +186,26 @@ virtual_hub_connections = { } +azurerm_firewalls = { + egress-fw = { + name = "egress-firewall" + sku_name = "AZFW_Hub" + sku_tier = "Standard" + resource_group_key = "hub_re1" + vnet_key = "vnet1_region1" + virtual_hub = { + hub_re1 = { + virtual_wan_key = "vwan_re1" + virtual_hub_key = "hub_re1" + #virtual_hub_id = "Azure_resource_id" + #lz_key = "lz_key" + public_ip_count = 1 + } + } + } +} + + vnets = { vnet1_region1 = { resource_group_key = "hub_re1" @@ -168,11 +213,16 @@ vnets = { name = "vwan_demo1" address_space = ["10.100.100.0/24"] } - specialsubnets = {} + specialsubnets = { + AzureFirewallSubnet = { + name = "AzureFirewallSubnet" # must be named AzureFirewallSubnet + cidr = ["10.100.100.128/25"] + } + } subnets = { example = { name = "vwan_demo" - cidr = ["10.100.100.0/29"] + cidr = ["10.100.100.0/25"] } } diff --git a/modules/networking/firewall/module.tf b/modules/networking/firewall/module.tf index cf2ec6adf8..9bb080bcde 100755 --- a/modules/networking/firewall/module.tf +++ b/modules/networking/firewall/module.tf 
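Review bot: `egress-fw` is created as `sku_name = "AZFW_Hub"` with no `firewall_policy` reference, and module.tf forces `threat_intel_mode` to `""` whenever a `virtual_hub` block is present, so the firewall that becomes vnet1's default route ships with no rules and no threat-intelligence filtering of its own. A secured-hub firewall is normally governed by a firewall policy; the example should either reference one (`firewall_policy = { key = "..." }`, matching the `firewall_policy` lookup in networking_firewall.tf) or carry a comment stating that the firewall is deliberately left without a policy and, if the default-deny behaviour applies here as I expect, blocks all egress until one is attached. `vnet_key = "vnet1_region1"` is also only present because networking_firewall.tf resolves an `AzureFirewallSubnet` unconditionally; a comment `# required by networking_firewall.tf even for hub firewalls; no ip_configuration is created` would save the next reader from looking for a subnet-attached firewall that never exists.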
@@ -12,16 +12,17 @@ resource "azurecaf_name" "fw" { resource "azurerm_firewall" "fw" { + dns_servers = try(var.settings.dns_servers, null) + firewall_policy_id = var.firewall_policy_id + location = var.location name = azurecaf_name.fw.result + private_ip_ranges = try(var.settings.private_ip_ranges, null) resource_group_name = var.resource_group_name - location = var.location - threat_intel_mode = try(var.settings.virtual_hub, null) != null ? "" : try(var.settings.threat_intel_mode, "Alert") - zones = try(var.settings.zones, null) sku_name = try(var.settings.sku_name, "AZFW_VNet") sku_tier = try(var.settings.sku_tier, "Standard") - firewall_policy_id = var.firewall_policy_id - dns_servers = try(var.settings.dns_servers, null) tags = local.tags + threat_intel_mode = try(var.settings.virtual_hub, null) != null ? "" : try(var.settings.threat_intel_mode, "Alert") + zones = try(var.settings.zones, null) ## direct subnet_id reference dynamic "ip_configuration" { @@ -77,7 +78,14 @@ resource "azurerm_firewall" "fw" { dynamic "virtual_hub" { for_each = try(var.settings.virtual_hub, {}) content { - virtual_hub_id = try(virtual_hub.value.virtual_hub_id, null) != null ? virtual_hub.value.virtual_hub_id : var.virtual_wans[virtual_hub.value.virtual_wan_key].virtual_hubs[virtual_hub.value.virtual_hub_key].id + virtual_hub_id = coalesce( + try(virtual_hub.value.virtual_hub_id, null), + try(var.virtual_wans[virtual_hub.value.lz_key][virtual_hub.value.virtual_wan_key].virtual_hubs[virtual_hub.value.virtual_hub_key].id, null), + try(var.virtual_wans[var.client_config.landingzone_key][virtual_hub.value.virtual_wan_key].virtual_hubs[virtual_hub.value.virtual_hub_key].id, null), + try(var.virtual_hubs[virtual_hub.value.lz_key][virtual_hub.value.virtual_hub_key].id, null), + try(var.virtual_hubs[var.client_config.landingzone_key][virtual_hub.value.virtual_hub_key].id, null) + ) + public_ip_count = try(virtual_hub.value.public_ip_count, 1) } } 
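Review bot: `private_ip_ranges = try(var.settings.private_ip_ranges, null)` is passed straight through without a comment although it changes the firewall's SNAT behaviour: per the provider this is the list of destination CIDRs (or `IANAPrivateRanges`) the firewall will not SNAT, so a value such as `["0.0.0.0/0"]` turns SNAT off for every destination. Add `# destination ranges the firewall will NOT SNAT to; 0.0.0.0/0 disables SNAT entirely` above it. The `threat_intel_mode` line deserves a similar why-comment, `# hub (AZFW_Hub) firewalls are expected to leave this empty; threat intel then comes from the attached firewall policy`, because the empty string reads like a bug otherwise. The resource block continues past this hunk.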
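Review bot: the `coalesce` in the new `virtual_hub_id` expression falls through to the local landing zone even when `lz_key` was given: if the remote lookup in the second or fourth candidate fails for any reason, `try()` returns null and the third or fifth candidate resolves `virtual_hub_key` against `var.client_config.landingzone_key` instead, so a typo in `lz_key` silently attaches the firewall to a same-named hub in the local landing zone rather than failing. Selecting the landing-zone key once, with the local key only as the fallback for an absent `lz_key`, keeps the lookup explicit and halves the candidate list. The enclosing `dynamic "virtual_hub"` block starts before this hunk.
```hcl
virtual_hub_id = coalesce(
  try(virtual_hub.value.virtual_hub_id, null),
  try(var.virtual_wans[try(virtual_hub.value.lz_key, var.client_config.landingzone_key)][virtual_hub.value.virtual_wan_key].virtual_hubs[virtual_hub.value.virtual_hub_key].id, null),
  try(var.virtual_hubs[try(virtual_hub.value.lz_key, var.client_config.landingzone_key)][virtual_hub.value.virtual_hub_key].id, null)
)
# … unchanged: public_ip_count …
```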
diff --git a/modules/networking/firewall/output.tf b/modules/networking/firewall/output.tf index c3a1e881c2..c5eb1cd451 100755 --- a/modules/networking/firewall/output.tf +++ b/modules/networking/firewall/output.tf @@ -16,4 +16,9 @@ output "resource_group_name" { output "ip_configuration" { description = "The Private IP address of the Azure Firewall." value = azurerm_firewall.fw.ip_configuration +} + +output "virtual_hub" { + description = "A virtual_hub block with private_ip_address and punlic_ip_addresses." + value = azurerm_firewall.fw.virtual_hub } \ No newline at end of file diff --git a/modules/networking/firewall/variables.tf b/modules/networking/firewall/variables.tf index 44ab61f3bc..bfd171abe6 100755 --- a/modules/networking/firewall/variables.tf +++ b/modules/networking/firewall/variables.tf @@ -53,6 +53,10 @@ variable "virtual_wans" { default = {} } +variable "virtual_hubs" { + default = {} +} + variable "virtual_networks" { } diff --git a/networking_firewall.tf b/networking_firewall.tf index d842e607dc..cfdad8a975 100755 --- a/networking_firewall.tf +++ b/networking_firewall.tf @@ -8,8 +8,8 @@ module "azurerm_firewalls" { base_tags = try(local.global_settings.inherit_tags, false) ? local.resource_groups[each.value.resource_group_key].tags : {} client_config = local.client_config - diagnostics = local.combined_diagnostics diagnostic_profiles = try(each.value.diagnostic_profiles, null) + diagnostics = local.combined_diagnostics global_settings = local.global_settings location = lookup(each.value, "region", null) == null ? local.resource_groups[each.value.resource_group_key].location : local.global_settings.regions[each.value.region] name = each.value.name 
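Review bot: the description of the new `virtual_hub` output misspells "public" (`punlic_ip_addresses`); change it to `description = "A virtual_hub block with private_ip_address and public_ip_addresses."`. It would also help consumers to state that the value is the provider's block list, since networking_virtual_hub_connection.tf reads it as `virtual_hub[interface_index]`, e.g. `description = "List of virtual_hub blocks (one per hub attachment) exposing private_ip_address and public_ip_addresses."`.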
@@ -20,8 +20,9 @@ module "azurerm_firewalls" { settings = each.value subnet_id = module.networking[each.value.vnet_key].subnets["AzureFirewallSubnet"].id tags = try(each.value.tags, null) + virtual_hubs = local.combined_objects_virtual_hubs virtual_networks = local.combined_objects_networking - virtual_wans = module.virtual_wans + virtual_wans = local.combined_objects_virtual_wans firewall_policy_id = try(coalesce( try(local.combined_objects_azurerm_firewall_policies[each.value.firewall_policy.lz_key][each.value.firewall_policy.key].id, null), diff --git a/networking_virtual_hub_connection.tf b/networking_virtual_hub_connection.tf index d772939be1..c5b03465aa 100644 --- a/networking_virtual_hub_connection.tf +++ b/networking_virtual_hub_connection.tf @@ -12,7 +12,7 @@ output "virtual_hub_connection" { # Virtual Hub Peerings to virtual networks resource "azurerm_virtual_hub_connection" "vhub_connection" { - depends_on = [azurerm_virtual_hub_route_table.route_table] + depends_on = [azurerm_virtual_hub_route_table.route_table, module.azurerm_firewalls] for_each = local.networking.virtual_hub_connections name = each.value.name 
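Review bot: `subnet_id = module.networking[each.value.vnet_key].subnets["AzureFirewallSubnet"].id` is still resolved unconditionally, so an `AZFW_Hub` firewall that attaches through `virtual_hub` cannot be declared without a `vnet_key` and an `AzureFirewallSubnet`; the example in this commit carves a /25 out of vnet1 for exactly that reason. Resolving it only when present, `subnet_id = try(module.networking[each.value.vnet_key].subnets["AzureFirewallSubnet"].id, null)`, would let hub firewalls drop the dummy subnet, provided the module tolerates a null `subnet_id` for them (its `ip_configuration` block is outside this hunk, so that needs checking). The `module "azurerm_firewalls"` block starts before this hunk.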
@@ -68,7 +68,7 @@ resource "azurerm_virtual_hub_connection" "vhub_connection" { try(local.combined_objects_azurerm_firewalls[static_vnet_route.value.next_hop.lz_key][static_vnet_route.value.next_hop.key].ip_configuration[static_vnet_route.value.next_hop.interface_index].private_ip_address, null), try(local.combined_objects_azurerm_firewalls[static_vnet_route.value.next_hop.lz_key][static_vnet_route.value.next_hop.key].virtual_hub.private_ip_address, null), try(local.combined_objects_azurerm_firewalls[local.client_config.landingzone_key][static_vnet_route.value.next_hop.key].ip_configuration[static_vnet_route.value.next_hop.interface_index].private_ip_address, null), - try(local.combined_objects_azurerm_firewalls[local.client_config.landingzone_key][static_vnet_route.value.next_hop.key].virtual_hub.private_ip_address, null) + try(local.combined_objects_azurerm_firewalls[local.client_config.landingzone_key][static_vnet_route.value.next_hop.key].virtual_hub[static_vnet_route.value.next_hop.interface_index].private_ip_address, null) ) } }
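Review bot: the remote-landing-zone lookup two lines above the change, `...[static_vnet_route.value.next_hop.lz_key][...].virtual_hub.private_ip_address`, still reads the `virtual_hub` output without an index while the local lookup now uses `virtual_hub[static_vnet_route.value.next_hop.interface_index]`; since the firewall module exports the provider's block list, the un-indexed form presumably always fails inside `try()` and yields null. The `coalesce` then drops silently to the local-landing-zone candidates, so a route that names `lz_key` can end up pointing at a same-named firewall in the local landing zone, and for a `0.0.0.0/0` static route that redirects all egress to the wrong firewall. Index it the same way, `try(local.combined_objects_azurerm_firewalls[static_vnet_route.value.next_hop.lz_key][static_vnet_route.value.next_hop.key].virtual_hub[static_vnet_route.value.next_hop.interface_index].private_ip_address, null)`, and consider applying the local candidates only when `lz_key` is unset. The `coalesce` and the enclosing dynamic block begin before this hunk.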