From 352ebf21bf5afea2e842bb4f02c670b99fcafe25 Mon Sep 17 00:00:00 2001 From: Byron Boudreaux <16844071+Phydeauxman@users.noreply.github.com> Date: Fri, 30 Apr 2021 10:28:20 +0000 Subject: [PATCH 01/13] - Added Management subnet to SACA Virtual Network --- src/core/saca-hub/main.tf | 15 ++++++++------- src/core/saca-hub/variables.tf | 6 ++++++ src/modules/hub/main.tf | 7 +++++++ src/modules/hub/variables.tf | 7 ++++++- 4 files changed, 27 insertions(+), 8 deletions(-) diff --git a/src/core/saca-hub/main.tf b/src/core/saca-hub/main.tf index 3fd1deda5..606794235 100644 --- a/src/core/saca-hub/main.tf +++ b/src/core/saca-hub/main.tf @@ -34,13 +34,14 @@ resource "azurerm_resource_group" "hub" { } module "saca-hub-network" { - depends_on = [azurerm_resource_group.hub] - source = "../../modules/hub" - location = var.mlz_location - resource_group_name = azurerm_resource_group.hub.name - vnet_name = var.saca_vnetname - vnet_address_space = var.vnet_address_space - firewall_address_space = var.firewall_address_space + depends_on = [azurerm_resource_group.hub] + source = "../../modules/hub" + location = var.mlz_location + resource_group_name = azurerm_resource_group.hub.name + vnet_name = var.saca_vnetname + vnet_address_space = var.vnet_address_space + firewall_address_space = var.firewall_address_space + management_address_space = var.management_address_space log_analytics_workspace_name = var.saca_lawsname log_analytics_workspace_sku = "PerGB2018" diff --git a/src/core/saca-hub/variables.tf b/src/core/saca-hub/variables.tf index e867a9d70..8c70a3301 100644 --- a/src/core/saca-hub/variables.tf +++ b/src/core/saca-hub/variables.tf 
@@ -71,6 +71,12 @@ variable "firewall_address_space" {
 type = string
 }
 
+variable "management_address_space" {
+ description = "The address space to be used for the Firewall virtual network subnet used for management traffic."
+ default = "10.0.100.64/26"
+ type = string
+}
+
 variable "saca_fwname" {
 description = "Name of the Hub Firewall"
 default = "mlzDemoFirewall"
diff --git a/src/modules/hub/main.tf b/src/modules/hub/main.tf
index 92833c1b4..700ba169b 100644
--- a/src/modules/hub/main.tf
+++ b/src/modules/hub/main.tf
@@ -21,6 +21,13 @@ resource "azurerm_subnet" "firewall" {
 address_prefixes = [cidrsubnet(var.firewall_address_space, 0, 0)]
 }
 
+resource "azurerm_subnet" "management" {
+ name = "AzureFirewallManagementSubnet"
+ resource_group_name = module.hub-network.resource_group_name
+ virtual_network_name = module.hub-network.virtual_network_name
+ address_prefixes = [cidrsubnet(var.management_address_space, 0, 0)]
+}
+
 resource "azurerm_log_analytics_workspace" "loganalytics" {
 name = var.log_analytics_workspace_name
 resource_group_name = data.azurerm_resource_group.rg.name
diff --git a/src/modules/hub/variables.tf b/src/modules/hub/variables.tf
index 1a08724a4..d6a1ab19d 100644
--- a/src/modules/hub/variables.tf
+++ b/src/modules/hub/variables.tf
@@ -19,7 +19,12 @@ variable "vnet_address_space" {
 }
 
 variable "firewall_address_space" {
- description = "The address space to be used for the Firewall virtual network."
+ description = "The address space to be used for the Firewall virtual network subnet used for client traffic."
+ type = string
+}
+
+variable "management_address_space" {
+ description = "The address space to be used for the Firewall virtual network subnet used for management traffic."
 type = string
 }
 
From 215dc3beeb29e66d008cf4d234da05bf09e08d30 Mon Sep 17 00:00:00 2001
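Review bot: `management_address_space` in src/modules/hub/variables.tf is passed straight into `cidrsubnet(var.management_address_space, 0, 0)` and becomes the AzureFirewallManagementSubnet prefix, yet nothing checks that a caller-supplied value parses as an IPv4 CIDR or is at least the /26 that Azure requires for that subnet; the saca-hub default `10.0.100.64/26` is fine, an override may not be. The repository builds on Terraform 0.13.4 (per the Dockerfile in a later patch), so a `validation` block on the variable can fail `terraform plan` with a readable message instead of an opaque `cidrsubnet` error, e.g. `condition = can(cidrnetmask(var.management_address_space))` with a matching `error_message`. The same guard applies to `firewall_address_space` in this hunk, which is consumed the same way.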
From: Byron Boudreaux <16844071+Phydeauxman@users.noreply.github.com> Date: Sat, 1 May 2021 10:42:06 +0000 Subject: [PATCH 02/13] - Added route table to management subnet --- src/core/saca-hub/main.tf | 1 + src/core/saca-hub/variables.tf | 5 +++++ src/modules/hub/main.tf | 21 +++++++++++++++++++++ src/modules/hub/variables.tf | 5 +++++ 4 files changed, 32 insertions(+) diff --git a/src/core/saca-hub/main.tf b/src/core/saca-hub/main.tf index 606794235..bd00fa35b 100644 --- a/src/core/saca-hub/main.tf +++ b/src/core/saca-hub/main.tf @@ -42,6 +42,7 @@ module "saca-hub-network" { vnet_address_space = var.vnet_address_space firewall_address_space = var.firewall_address_space management_address_space = var.management_address_space + routetable_name = var.mgmt_routetable_name log_analytics_workspace_name = var.saca_lawsname log_analytics_workspace_sku = "PerGB2018" diff --git a/src/core/saca-hub/variables.tf b/src/core/saca-hub/variables.tf index 8c70a3301..ae468e4f5 100644 --- a/src/core/saca-hub/variables.tf +++ b/src/core/saca-hub/variables.tf @@ -92,6 +92,11 @@ variable "public_ip_name" { default = "mlzDemoFirewallPip" } +variable "mgmt_routetable_name" { + description = "The name of the route table applied to the management subnet" + default = "mlzDemoFirewallMgmtRT" +} + variable "create_network_watcher" { description = "Deploy a Network Watcher resource alongside this virtual network (there's a limit of one per-subscription-per-region)" type = bool diff --git a/src/modules/hub/main.tf b/src/modules/hub/main.tf index 700ba169b..2f9a21145 100644 --- a/src/modules/hub/main.tf +++ b/src/modules/hub/main.tf 
@@ -28,6 +28,27 @@ resource "azurerm_subnet" "management" {
 address_prefixes = [cidrsubnet(var.management_address_space, 0, 0)]
 }
 
+resource "azurerm_route_table" "routetable" {
+ name = var.routetable_name
+ resource_group_name = azurerm_subnet.management.resource_group_name
+ location = data.azurerm_resource_group.rg.location
+ disable_bgp_route_propagation = true
+ tags = var.tags
+}
+
+resource "azurerm_route" "routetable" {
+ name = "default_route"
+ resource_group_name = azurerm_route_table.routetable.resource_group_name
+ route_table_name = azurerm_route_table.routetable.name
+ address_prefix = "0.0.0.0/0"
+ next_hop_type = "Internet"
+}
+
+resource "azurerm_subnet_route_table_association" "routetable" {
+ subnet_id = azurerm_subnet.management.id
+ route_table_id = azurerm_route_table.routetable.id
+}
+
 resource "azurerm_log_analytics_workspace" "loganalytics" {
 name = var.log_analytics_workspace_name
 resource_group_name = data.azurerm_resource_group.rg.name
diff --git a/src/modules/hub/variables.tf b/src/modules/hub/variables.tf
index d6a1ab19d..43b9e425e 100644
--- a/src/modules/hub/variables.tf
+++ b/src/modules/hub/variables.tf
@@ -28,6 +28,11 @@ variable "management_address_space" {
 type = string
 }
 
+variable "routetable_name" {
+ description = "The name of the route table to be applied to the firewall management subnet."
+ type = string
+}
+
 variable "log_analytics_workspace_name" {
 description = "The name used for the Log Analytics Workspace (must be globally unique)."
 type = string
From 5c2159eb80ae793f22f40af687cb02ff707c302d Mon Sep 17 00:00:00 2001
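Review bot: The `0.0.0.0/0` → `Internet` route with `disable_bgp_route_propagation = true` on the management subnet is the configuration Azure mandates for AzureFirewallManagementSubnet, but the hunk records none of that reasoning, so a later hardening review could plausibly "fix" a default route to the Internet and break the firewall's management plane. A comment above `azurerm_route_table.routetable` is the cheapest protection, e.g. `# AzureFirewallManagementSubnet requires a UDR with 0.0.0.0/0 -> Internet and BGP propagation disabled; this carries the firewall's own management traffic, not tenant traffic.` Separately, `resource_group_name = azurerm_subnet.management.resource_group_name` reaches through a subnet for the resource group while the neighbouring resources use `data.azurerm_resource_group.rg.name`; using the data source here keeps the module uniform.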
From: Byron Boudreaux <16844071+Phydeauxman@users.noreply.github.com> Date: Fri, 7 May 2021 17:36:31 +0000 Subject: [PATCH 03/13] - Added TIME provider to Docerkfile - Added Route Table to HUB module - Added TIME provder declaration to SACA-HUB main.tf --- .devcontainer/Dockerfile | 8 +++++++- src/core/saca-hub/main.tf | 6 +++++- src/modules/hub/main.tf | 37 ++++++++++++++++++++++++------------- 3 files changed, 36 insertions(+), 15 deletions(-) diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile index fdc378044..b6b889869 100644 --- a/.devcontainer/Dockerfile +++ b/.devcontainer/Dockerfile 
@@ -42,16 +42,22 @@ RUN wget -O terraform.zip https://releases.hashicorp.com/terraform/0.13.4/terraf
 ENV TF_PLUGIN_CACHE_DIR=/usr/lib/tf-plugins
 ARG AZURERM_LOCAL_PATH="${TF_PLUGIN_CACHE_DIR}/registry.terraform.io/hashicorp/azurerm/2.50.0/linux_amd64"
 ARG RANDOM_LOCAL_PATH="${TF_PLUGIN_CACHE_DIR}/registry.terraform.io/hashicorp/random/3.1.0/linux_amd64"
+ARG TIME_LOCAL_PATH="${TF_PLUGIN_CACHE_DIR}/registry.terraform.io/hashicorp/time/0.7.1/linux_amd64"
 ARG AZURERM_PROVIDER=https://releases.hashicorp.com/terraform-provider-azurerm/2.50.0/terraform-provider-azurerm_2.50.0_linux_amd64.zip
 ARG RANDOM_PROVIDER=https://releases.hashicorp.com/terraform-provider-random/3.1.0/terraform-provider-random_3.1.0_linux_amd64.zip
+ARG TIME_PROVIDER=https://releases.hashicorp.com/terraform-provider-time/0.7.1/terraform-provider-time_0.7.1_linux_amd64.zip
 RUN wget -O azurerm.zip ${AZURERM_PROVIDER} \
 && wget -O random.zip ${RANDOM_PROVIDER} \
+ && wget -O time.zip ${TIME_PROVIDER} \
 && mkdir -p ${AZURERM_LOCAL_PATH} \
 && mkdir -p ${RANDOM_LOCAL_PATH} \
+ && mkdir -p ${TIME_LOCAL_PATH} \
 && unzip azurerm.zip -d ${AZURERM_LOCAL_PATH} \
 && unzip random.zip -d ${RANDOM_LOCAL_PATH} \
+ && unzip time.zip -d ${TIME_LOCAL_PATH} \
 && rm azurerm.zip \
- && rm random.zip
+ && rm random.zip \
+ && rm time.zip
 
 # Install the Microsoft package key
 RUN wget -q https://packages.microsoft.com/config/ubuntu/20.04/packages-microsoft-prod.deb -O packages-microsoft-prod.deb \
diff --git a/src/core/saca-hub/main.tf b/src/core/saca-hub/main.tf
index bd00fa35b..179971cd6 100644
--- a/src/core/saca-hub/main.tf
+++ b/src/core/saca-hub/main.tf
@@ -24,6 +24,10 @@ provider "random" {
 version = "3.1.0"
 }
 
+provider "time" {
+ version = "0.7.1"
+}
+
 resource "azurerm_resource_group" "hub" {
 location = var.mlz_location
 name = var.saca_rgname
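Review bot: `&& wget -O time.zip ${TIME_PROVIDER}` followed by `unzip time.zip -d ${TIME_LOCAL_PATH}` places a provider binary into the plugin cache with no integrity check, so every `terraform init` in the dev container trusts whatever that download returned; the azurerm and random lines above already have the same gap, and this hunk extends it rather than closing it. HashiCorp publishes a `_SHA256SUMS` file (with a detached signature) beside each release zip, so verifying before `unzip` is one line per provider, e.g. `&& echo "<TIME_0.7.1_LINUX_AMD64_SHA256>  time.zip" | sha256sum -c - \` with the hash pinned in the Dockerfile (placeholder shown; take the value from the release's SHA256SUMS). Pinning the hash also makes the `provider "time" { version = "0.7.1" }` pin in the second hunk reproducible rather than merely version-matched.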
@@ -42,7 +46,7 @@ module "saca-hub-network" { vnet_address_space = var.vnet_address_space firewall_address_space = var.firewall_address_space management_address_space = var.management_address_space - routetable_name = var.mgmt_routetable_name + routetable_name = var.mgmt_routetable_name log_analytics_workspace_name = var.saca_lawsname log_analytics_workspace_sku = "PerGB2018" diff --git a/src/modules/hub/main.tf b/src/modules/hub/main.tf index 2f9a21145..95ea93bb5 100644 --- a/src/modules/hub/main.tf +++ b/src/modules/hub/main.tf 
@@ -29,24 +29,35 @@ resource "azurerm_subnet" "management" {
 }
 
 resource "azurerm_route_table" "routetable" {
- name = var.routetable_name
- resource_group_name = azurerm_subnet.management.resource_group_name
- location = data.azurerm_resource_group.rg.location
- disable_bgp_route_propagation = true
- tags = var.tags
+ name = var.routetable_name
+ resource_group_name = azurerm_subnet.management.resource_group_name
+ location = data.azurerm_resource_group.rg.location
+ disable_bgp_route_propagation = true
+ tags = var.tags
 }
 
-resource "azurerm_route" "routetable" {
- name = "default_route"
- resource_group_name = azurerm_route_table.routetable.resource_group_name
- route_table_name = azurerm_route_table.routetable.name
- address_prefix = "0.0.0.0/0"
- next_hop_type = "Internet"
+resource "azurerm_route" "default_route" {
+ name = "default_route"
+ resource_group_name = azurerm_route_table.routetable.resource_group_name
+ route_table_name = azurerm_route_table.routetable.name
+ address_prefix = "0.0.0.0/0"
+ next_hop_type = "Internet"
+}
+
+resource "time_sleep" "wait_30_seconds" {
+ depends_on = [
+ azurerm_route.default_route
+ ]
+
+ create_duration = "30s"
 }
 
 resource "azurerm_subnet_route_table_association" "routetable" {
- subnet_id = azurerm_subnet.management.id
- route_table_id = azurerm_route_table.routetable.id
+ subnet_id = azurerm_subnet.management.id
+ route_table_id = azurerm_route_table.routetable.id
+ depends_on = [
+ time_sleep.wait_30_seconds
+ ]
 }
 
 resource "azurerm_log_analytics_workspace" "loganalytics" {
From 0c886c6f8d6f24ba7be27e9d2a175eb8f8f1d725 Mon Sep 17 00:00:00 2001
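Review bot: `time_sleep.wait_30_seconds` gates `azurerm_subnet_route_table_association.routetable` on a fixed 30 s delay after `azurerm_route.default_route`, with nothing in the hunk saying which failure it works around, so a future maintainer cannot tell whether the sleep is still needed, whether 30 s is enough under load, or whether it can be removed once the provider is bumped. At minimum the resource needs a comment, e.g. `# Workaround: associating the route table immediately after the default route is created has failed in practice (presumably Azure eventual consistency); give the route time to settle before the association.` If a provider or service issue is being tracked, cite it there by number rather than leaving the delay as folklore.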
From: Byron Boudreaux <16844071+Phydeauxman@users.noreply.github.com> Date: Mon, 10 May 2021 12:56:37 +0000 Subject: [PATCH 04/13] - Updated FW related variable names - Added management IP config to firewall --- src/core/saca-hub/main.tf | 9 ++++-- src/core/saca-hub/saca-hub.tfvars.sample | 12 +++++--- src/core/saca-hub/variables.tf | 22 +++++++++---- src/modules/firewall/main.tf | 39 ++++++++++++++++++------ src/modules/firewall/variables.tf | 24 +++++++++++---- src/modules/hub/main.tf | 8 ++--- src/modules/hub/output.tf | 16 +++++++--- 7 files changed, 94 insertions(+), 36 deletions(-) diff --git a/src/core/saca-hub/main.tf b/src/core/saca-hub/main.tf index 179971cd6..f888ed829 100644 --- a/src/core/saca-hub/main.tf +++ b/src/core/saca-hub/main.tf @@ -70,11 +70,14 @@ module "saca-firewall" { vnet_name = module.saca-hub-network.virtual_network_name vnet_address_space = module.saca-hub-network.virtual_network_address_space firewall_sku = contains(local.firewall_premium_tf_environments, lower(var.tf_environment)) ? "Premium" : "Standard" - firewall_subnet_name = module.saca-hub-network.firewall_subnet_name + fw_client_sn_name = module.saca-hub-network.fw_client_subnet_name + fw_mgmt_sn_name = module.saca-hub-network.fw_mgmt_subnet_name firewall_address_space = var.firewall_address_space saca_fwname = var.saca_fwname - firewall_ipconfig_name = var.firewall_ipconfig_name - public_ip_name = var.public_ip_name + fw_client_ipcfg_name = var.fw_client_ipcfg_name + fw_client_pip_name = var.fw_client_pip_name + fw_mgmt_ipcfg_name = var.fw_mgmt_ipcfg_name + fw_mgmt_pip_name = var.fw_mgmt_pip_name log_analytics_workspace_id = module.saca-hub-network.log_analytics_workspace_id diff --git a/src/core/saca-hub/saca-hub.tfvars.sample b/src/core/saca-hub/saca-hub.tfvars.sample index e3be19f9a..8807ff177 100644 --- a/src/core/saca-hub/saca-hub.tfvars.sample +++ b/src/core/saca-hub/saca-hub.tfvars.sample 
@@ -21,7 +21,11 @@ tier2_vnetname = "{TIER2_VNETNAME}"
 # Firewall configuration section
 #################################
 
-firewall_address_space = "{SACA_FWSPACE}"
-saca_fwname = "{SACA_FWNAME}"
-firewall_ipconfig_name = "{SACA_FWIPCONFIGNAME}"
-public_ip_name = "{SACA_FWPIPNAME}"
\ No newline at end of file
+firewall_address_space = "{FW_CLIENT_SPACE}"
+management_address_space = "{FW_MGMT_SPACE}"
+saca_fwname = "{FW_NAME}"
+fw_client_ipcfg_name = "{FW_CLIENT_IPCFG_NAME}"
+fw_client_pip_name = "{FW_CLIENT_PIP_NAME}"
+fw_mgmt_ipcfg_name = "{FW_MGMT_IPCFG_NAME}"
+fw_client_pip_name = "{FW_MGMT_PIP_NAME}"
+mgmt_routetable_name = "{FW_MGMT_ROUTE_TABLE_NAME}"
\ No newline at end of file
diff --git a/src/core/saca-hub/variables.tf b/src/core/saca-hub/variables.tf
index ae468e4f5..b73efef24 100644
--- a/src/core/saca-hub/variables.tf
+++ b/src/core/saca-hub/variables.tf
@@ -82,14 +82,24 @@ variable "saca_fwname" {
 default = "mlzDemoFirewall"
 }
 
-variable "firewall_ipconfig_name" {
- description = "The name of the Firewall IP Configuration"
- default = "mlzDemoFirewallIpConfiguration"
+variable "fw_client_ipcfg_name" {
+ description = "The name of the Firewall Client IP Configuration"
+ default = "mlzDemoFWClientIpCfg"
 }
 
-variable "public_ip_name" {
- description = "The name of the Firewall Public IP"
- default = "mlzDemoFirewallPip"
+variable "fw_client_pip_name" {
+ description = "The name of the Firewall Client Public IP"
+ default = "mlzDemoFWClientPip"
+}
+
+variable "fw_mgmt_ipcfg_name" {
+ description = "The name of the Firewall Management IP Configuration"
+ default = "mlzDemoFWMgmtIpCfg"
+}
+
+variable "fw_mgmt_pip_name" {
+ description = "The name of the Firewall Management Public IP"
+ default = "mlzDemoFWMgmtPip"
 }
 
 variable "mgmt_routetable_name" {
diff --git a/src/modules/firewall/main.tf b/src/modules/firewall/main.tf
index 4702c388a..ff856dc43 100644
--- a/src/modules/firewall/main.tf
+++ b/src/modules/firewall/main.tf
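Review bot: `fw_client_pip_name` is assigned twice in the new saca-hub.tfvars.sample block; the second occurrence, `fw_client_pip_name = "{FW_MGMT_PIP_NAME}"`, should read `fw_mgmt_pip_name = "{FW_MGMT_PIP_NAME}"`. A tfvars file generated from this sample will either be rejected for the redefined attribute or, if the tooling dedups it, leave `fw_mgmt_pip_name` at its `mlzDemoFWMgmtPip` default while the client public IP is given the management name, which is the kind of silent mislabel that makes the two public IPs hard to tell apart in logs. PATCH 07 later rewrites this block under new variable names, which removes the duplicate, but PATCH 04 through 06 ship it as is.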
@@ -9,14 +9,29 @@ data "azurerm_virtual_network" "hub" {
 resource_group_name = data.azurerm_resource_group.hub.name
 }
 
-data "azurerm_subnet" "firewall" {
- name = var.firewall_subnet_name
+data "azurerm_subnet" "fw_client_sn" {
+ name = var.fw_client_sn_name
 virtual_network_name = data.azurerm_virtual_network.hub.name
 resource_group_name = data.azurerm_resource_group.hub.name
 }
 
-resource "azurerm_public_ip" "firewall" {
- name = var.public_ip_name
+data "azurerm_subnet" "fw_mgmt_sn" {
+ name = var.fw_mgmt_sn_name
+ virtual_network_name = data.azurerm_virtual_network.hub.name
+ resource_group_name = data.azurerm_resource_group.hub.name
+}
+
+resource "azurerm_public_ip" "fw_client_pip" {
+ name = var.fw_client_pip_name
+ location = data.azurerm_resource_group.hub.location
+ resource_group_name = data.azurerm_resource_group.hub.name
+ allocation_method = "Static"
+ sku = "Standard"
+ tags = var.tags
+}
+
+resource "azurerm_public_ip" "fw_mgmt_pip" {
+ name = var.fw_mgmt_pip_name
 location = data.azurerm_resource_group.hub.location
 resource_group_name = data.azurerm_resource_group.hub.name
 allocation_method = "Static"
@@ -32,9 +47,15 @@ resource "azurerm_firewall" "firewall" {
 tags = var.tags
 
 ip_configuration {
- name = var.firewall_ipconfig_name
- subnet_id = data.azurerm_subnet.firewall.id
- public_ip_address_id = azurerm_public_ip.firewall.id
+ name = var.fw_client_ipcfg_name
+ subnet_id = data.azurerm_subnet.fw_client_sn.id
+ public_ip_address_id = azurerm_public_ip.fw_client_pip.id
+ }
+
+ management_ip_configuration {
+ name = var.fw_mgmt_ipcfg_name
+ subnet_id = data.azurerm_subnet.fw_mgmt_sn.id
+ public_ip_address_id = azurerm_public_ip.fw_mgmt_pip.id
 }
 }
 
@@ -85,8 +106,8 @@ resource "azurerm_monitor_diagnostic_setting" "firewall-diagnostics" { } resource "azurerm_monitor_diagnostic_setting" "publicip-diagnostics" { - name = "${azurerm_public_ip.firewall.name}-pip-diagnostics" - target_resource_id = azurerm_public_ip.firewall.id + name = "${azurerm_public_ip.fw_client_pip.name}-pip-diagnostics" + target_resource_id = azurerm_public_ip.fw_client_pip.id storage_account_id = azurerm_storage_account.loganalytics.id log_analytics_workspace_id = var.log_analytics_workspace_id diff --git a/src/modules/firewall/variables.tf b/src/modules/firewall/variables.tf index d33c74f43..3acd62dce 100644 --- a/src/modules/firewall/variables.tf +++ b/src/modules/firewall/variables.tf @@ -24,20 +24,32 @@ variable "firewall_address_space" { description = "The address space to be used for the Firewall subnets" } -variable "firewall_subnet_name" { - description = "The name of the Firewall subnet" +variable "fw_client_sn_name" { + description = "The name of the Firewall client traffic subnet" +} + +variable "fw_mgmt_sn_name" { + description = "The name of the Firewall management traffic subnet" } variable "saca_fwname" { description = "The name of the Firewall" } -variable "firewall_ipconfig_name" { - description = "The name of the Firewall IP Configuration" +variable "fw_client_ipcfg_name" { + description = "The name of the Firewall Client IP Configuration" +} + +variable "fw_client_pip_name" { + description = "The name of the Firewall Client Public IP" +} + +variable "fw_mgmt_ipcfg_name" { + description = "The name of the Firewall Management IP Configuration" } -variable "public_ip_name" { - description = "The name of the Firewall Public IP" +variable "fw_mgmt_pip_name" { + description = "The name of the Firewall Management Public IP" } variable "log_analytics_workspace_id" { diff --git a/src/modules/hub/main.tf b/src/modules/hub/main.tf index 95ea93bb5..bf17c6a36 100644 --- a/src/modules/hub/main.tf +++ b/src/modules/hub/main.tf 
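Review bot: `publicip-diagnostics` is retargeted to `azurerm_public_ip.fw_client_pip` only, so the new `azurerm_public_ip.fw_mgmt_pip` introduced in the first hunk of this file has no diagnostic setting at all and its metrics and DDoS-protection logs never reach `azurerm_storage_account.loganalytics` or `var.log_analytics_workspace_id`; the firewall's management endpoint ends up being the one public IP nobody can see in the workspace. Add a parallel diagnostic setting for the management public IP, mirroring the `log`/`metric` blocks of `publicip-diagnostics`, whose body continues outside this hunk.
```hcl
resource "azurerm_monitor_diagnostic_setting" "mgmt-publicip-diagnostics" {
  name                       = "${azurerm_public_ip.fw_mgmt_pip.name}-pip-diagnostics"
  target_resource_id         = azurerm_public_ip.fw_mgmt_pip.id
  storage_account_id         = azurerm_storage_account.loganalytics.id
  log_analytics_workspace_id = var.log_analytics_workspace_id
  # … same log/metric blocks as publicip-diagnostics (outside this hunk) …
}
```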
@@ -14,14 +14,14 @@ module "hub-network" { tags = var.tags } -resource "azurerm_subnet" "firewall" { +resource "azurerm_subnet" "fw_client" { name = "AzureFirewallSubnet" resource_group_name = module.hub-network.resource_group_name virtual_network_name = module.hub-network.virtual_network_name address_prefixes = [cidrsubnet(var.firewall_address_space, 0, 0)] } -resource "azurerm_subnet" "management" { +resource "azurerm_subnet" "fw_mgmt" { name = "AzureFirewallManagementSubnet" resource_group_name = module.hub-network.resource_group_name virtual_network_name = module.hub-network.virtual_network_name @@ -30,7 +30,7 @@ resource "azurerm_subnet" "management" { resource "azurerm_route_table" "routetable" { name = var.routetable_name - resource_group_name = azurerm_subnet.management.resource_group_name + resource_group_name = azurerm_subnet.fw_mgmt.resource_group_name location = data.azurerm_resource_group.rg.location disable_bgp_route_propagation = true tags = var.tags @@ -53,7 +53,7 @@ resource "time_sleep" "wait_30_seconds" { } resource "azurerm_subnet_route_table_association" "routetable" { - subnet_id = azurerm_subnet.management.id + subnet_id = azurerm_subnet.fw_mgmt.id route_table_id = azurerm_route_table.routetable.id depends_on = [ time_sleep.wait_30_seconds diff --git a/src/modules/hub/output.tf b/src/modules/hub/output.tf index e756ab700..c3dbcbc0d 100644 --- a/src/modules/hub/output.tf +++ b/src/modules/hub/output.tf 
@@ -20,12 +20,20 @@ output "virtual_network_address_space" { value = module.hub-network.virtual_network_address_space } -output "firewall_subnet_name" { - value = azurerm_subnet.firewall.name +output "fw_client_subnet_name" { + value = azurerm_subnet.fw_client.name } -output "firewall_subnet_id" { - value = azurerm_subnet.firewall.id +output "fw_mgmt_subnet_name" { + value = azurerm_subnet.fw_mgmt.name +} + +output "fw_client_subnet_id" { + value = azurerm_subnet.fw_client.id +} + +output "fw_mgmt_subnet_id" { + value = azurerm_subnet.fw_mgmt.id } output "log_analytics_workspace_name" { From a7f315c6ea01f94553fab19d02219e5fda7b89ef Mon Sep 17 00:00:00 2001 From: Byron Boudreaux <16844071+Phydeauxman@users.noreply.github.com> Date: Mon, 10 May 2021 17:06:05 +0000 Subject: [PATCH 05/13] - Removed AZURERM provider arg for 2.50 --- .devcontainer/Dockerfile | 1 - 1 file changed, 1 deletion(-) diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile index 343605e5a..8d06155d7 100644 --- a/.devcontainer/Dockerfile +++ b/.devcontainer/Dockerfile @@ -43,7 +43,6 @@ ENV TF_PLUGIN_CACHE_DIR=/usr/lib/tf-plugins ARG AZURERM_LOCAL_PATH="${TF_PLUGIN_CACHE_DIR}/registry.terraform.io/hashicorp/azurerm/2.55.0/linux_amd64" ARG RANDOM_LOCAL_PATH="${TF_PLUGIN_CACHE_DIR}/registry.terraform.io/hashicorp/random/3.1.0/linux_amd64" ARG TIME_LOCAL_PATH="${TF_PLUGIN_CACHE_DIR}/registry.terraform.io/hashicorp/time/0.7.1/linux_amd64" -ARG AZURERM_PROVIDER=https://releases.hashicorp.com/terraform-provider-azurerm/2.50.0/terraform-provider-azurerm_2.50.0_linux_amd64.zip ARG AZURERM_PROVIDER=https://releases.hashicorp.com/terraform-provider-azurerm/2.55.0/terraform-provider-azurerm_2.55.0_linux_amd64.zip ARG RANDOM_PROVIDER=https://releases.hashicorp.com/terraform-provider-random/3.1.0/terraform-provider-random_3.1.0_linux_amd64.zip ARG TIME_PROVIDER=https://releases.hashicorp.com/terraform-provider-time/0.7.1/terraform-provider-time_0.7.1_linux_amd64.zip 
From f35c36678982f712013dd3be3895a25ad9e42442 Mon Sep 17 00:00:00 2001 From: Byron Boudreaux <16844071+Phydeauxman@users.noreply.github.com> Date: Mon, 10 May 2021 17:08:24 +0000 Subject: [PATCH 06/13] - Added new line at end of file --- src/core/saca-hub/saca-hub.tfvars.sample | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/core/saca-hub/saca-hub.tfvars.sample b/src/core/saca-hub/saca-hub.tfvars.sample index 8807ff177..05eeba885 100644 --- a/src/core/saca-hub/saca-hub.tfvars.sample +++ b/src/core/saca-hub/saca-hub.tfvars.sample @@ -28,4 +28,4 @@ fw_client_ipcfg_name = "{FW_CLIENT_IPCFG_NAME}" fw_client_pip_name = "{FW_CLIENT_PIP_NAME}" fw_mgmt_ipcfg_name = "{FW_MGMT_IPCFG_NAME}" fw_client_pip_name = "{FW_MGMT_PIP_NAME}" -mgmt_routetable_name = "{FW_MGMT_ROUTE_TABLE_NAME}" \ No newline at end of file +mgmt_routetable_name = "{FW_MGMT_ROUTE_TABLE_NAME}" From 188ad27d9d6b0f777dc71614252660a96aaea7eb Mon Sep 17 00:00:00 2001 From: Byron Boudreaux <16844071+Phydeauxman@users.noreply.github.com> Date: Mon, 10 May 2021 19:49:43 +0000 Subject: [PATCH 07/13] - Updated variable names in template files --- src/core/saca-hub/saca-hub.orig.tfvars.json | 11 +++++++---- src/core/saca-hub/saca-hub.tfvars.sample | 16 ++++++++-------- 2 files changed, 15 insertions(+), 12 deletions(-) diff --git a/src/core/saca-hub/saca-hub.orig.tfvars.json b/src/core/saca-hub/saca-hub.orig.tfvars.json index 25bc9ef52..16e94c5fa 100644 --- a/src/core/saca-hub/saca-hub.orig.tfvars.json +++ b/src/core/saca-hub/saca-hub.orig.tfvars.json 
@@ -13,9 +13,12 @@ "tier1_vnetname": "{TIER1_VNETNAME}", "tier2_rgname": "{TIER2_RGNAME}", "tier2_vnetname": "{TIER2_VNETNAME}", - "firewall_address_space": "{SACA_FWSPACE}", - "saca_fwname": "{SACA_FWNAME}", - "firewall_ipconfig_name": "{SACA_FWIPCONFIGNAME}", - "public_ip_name": "{SACA_FWPIPNAME}", + "client_address_space": "{FIREWALL_CLIENT_SPACE}", + "management_address_space": "{FIREWALL_MANAGEMENT_SPACE}", + "firewall_name": "{FIREWALL_NAME}", + "client_ipconfig_name": "{FIREWALL_CLIENT_IPCONFIG_NAME}", + "client_publicip_name": "{FIREWALL_CLIENT_PUBLICIP_NAME}", + "management_ipconfig_name": "{FIREWALL_MANAGEMENT_IPCONFIG_NAME}", + "management_publicip_name": "{FIREWALL_MANAGEMENT_PUBLICIP_NAME}", "create_network_watcher": false } \ No newline at end of file diff --git a/src/core/saca-hub/saca-hub.tfvars.sample b/src/core/saca-hub/saca-hub.tfvars.sample index 05eeba885..49a9ea52b 100644 --- a/src/core/saca-hub/saca-hub.tfvars.sample +++ b/src/core/saca-hub/saca-hub.tfvars.sample @@ -21,11 +21,11 @@ tier2_vnetname = "{TIER2_VNETNAME}" # Firewall configuration section ################################# -firewall_address_space = "{FW_CLIENT_SPACE}" -management_address_space = "{FW_MGMT_SPACE}" -saca_fwname = "{FW_NAME}" -fw_client_ipcfg_name = "{FW_CLIENT_IPCFG_NAME}" -fw_client_pip_name = "{FW_CLIENT_PIP_NAME}" -fw_mgmt_ipcfg_name = "{FW_MGMT_IPCFG_NAME}" -fw_client_pip_name = "{FW_MGMT_PIP_NAME}" -mgmt_routetable_name = "{FW_MGMT_ROUTE_TABLE_NAME}" +client_address_space = "{FIREWALL_CLIENT_SPACE}" +management_address_space = "{FIREWALL_MANAGEMENT_SPACE}" +firewall_name = "{FIREWALL_NAME}" +client_ipconfig_name = "{FIREWALL_CLIENT_IPCONFIG_NAME}" +client_publicip_name = "{FIREWALL_CLIENT_PUBLICIP_NAME}" +management_ipconfig_name = "{FIREWALL_MANAGEMENT_IPCONFIG_NAME}" +management_publicip_name = "{FIREWALL_MANAGEMENT_PUBLICIP_NAME}" +management_routetable_name = "{FIREWALL_MANAGEMENT_ROUTE_TABLE_NAME}" 
From 52280d2ff12a01c0a156df1a23f673213aad88b2 Mon Sep 17 00:00:00 2001 From: Byron Boudreaux <16844071+Phydeauxman@users.noreply.github.com> Date: Mon, 10 May 2021 21:00:35 +0000 Subject: [PATCH 08/13] - Update variable names --- src/core/saca-hub/main.tf | 34 ++++++++++++------------- src/core/saca-hub/saca-hub.front.json | 4 +-- src/core/saca-hub/variables.tf | 14 +++++----- src/core/tier-0/main.tf | 2 +- src/core/tier-0/tier-0.front.json | 2 +- src/core/tier-0/tier-0.orig.tfvars.json | 2 +- src/core/tier-0/tier-0.tfvars.sample | 2 +- src/core/tier-0/variables.tf | 2 +- src/core/tier-1/main.tf | 2 +- src/core/tier-1/tier-1.front.json | 2 +- src/core/tier-1/tier-1.orig.tfvars.json | 2 +- src/core/tier-1/tier-1.tfvars.sample | 2 +- src/core/tier-1/variables.tf | 2 +- src/core/tier-2/main.tf | 2 +- src/core/tier-2/tier-2.front.json | 2 +- src/core/tier-2/tier-2.orig.tfvars.json | 2 +- src/core/tier-2/tier-2.tfvars.sample | 2 +- src/core/tier-2/variables.tf | 2 +- src/modules/firewall/main.tf | 10 ++++---- src/modules/firewall/variables.tf | 14 +++++----- src/modules/hub/main.tf | 2 +- src/modules/hub/variables.tf | 2 +- 22 files changed, 55 insertions(+), 55 deletions(-) diff --git a/src/core/saca-hub/main.tf b/src/core/saca-hub/main.tf index e21c868b3..8db5fbabd 100644 --- a/src/core/saca-hub/main.tf +++ b/src/core/saca-hub/main.tf @@ -53,9 +53,9 @@ module "saca-hub-network" { resource_group_name = azurerm_resource_group.hub.name vnet_name = var.saca_vnetname vnet_address_space = var.vnet_address_space - firewall_address_space = var.firewall_address_space + client_address_space = var.client_address_space management_address_space = var.management_address_space - routetable_name = var.mgmt_routetable_name + routetable_name = var.management_routetable_name log_analytics_workspace_name = var.saca_lawsname log_analytics_workspace_sku = "PerGB2018" 
@@ -72,21 +72,21 @@ locals { } module "saca-firewall" { - depends_on = [module.saca-hub-network] - source = "../../modules/firewall" - location = var.mlz_location - resource_group_name = module.saca-hub-network.resource_group_name - vnet_name = module.saca-hub-network.virtual_network_name - vnet_address_space = module.saca-hub-network.virtual_network_address_space - firewall_sku = contains(local.firewall_premium_tf_environments, lower(var.tf_environment)) ? "Premium" : "Standard" - fw_client_sn_name = module.saca-hub-network.fw_client_subnet_name - fw_mgmt_sn_name = module.saca-hub-network.fw_mgmt_subnet_name - firewall_address_space = var.firewall_address_space - saca_fwname = var.saca_fwname - fw_client_ipcfg_name = var.fw_client_ipcfg_name - fw_client_pip_name = var.fw_client_pip_name - fw_mgmt_ipcfg_name = var.fw_mgmt_ipcfg_name - fw_mgmt_pip_name = var.fw_mgmt_pip_name + depends_on = [module.saca-hub-network] + source = "../../modules/firewall" + location = var.mlz_location + resource_group_name = module.saca-hub-network.resource_group_name + vnet_name = module.saca-hub-network.virtual_network_name + vnet_address_space = module.saca-hub-network.virtual_network_address_space + firewall_sku = contains(local.firewall_premium_tf_environments, lower(var.tf_environment)) ? "Premium" : "Standard" + fw_client_sn_name = module.saca-hub-network.fw_client_subnet_name + fw_mgmt_sn_name = module.saca-hub-network.fw_mgmt_subnet_name + client_address_space = var.client_address_space + firewall_name = var.firewall_name + client_ipconfig_name = var.client_ipconfig_name + client_publicip_name = var.client_publicip_name + management_ipconfig_name = var.management_ipconfig_name + management_publicip_name = var.management_publicip_name log_analytics_workspace_id = module.saca-hub-network.log_analytics_workspace_id diff --git a/src/core/saca-hub/saca-hub.front.json b/src/core/saca-hub/saca-hub.front.json index d9eb8a33b..04fb8a5eb 100644 --- a/src/core/saca-hub/saca-hub.front.json 
+++ b/src/core/saca-hub/saca-hub.front.json @@ -88,14 +88,14 @@ "options": [] }, { - "varname": "firewall_address_space", + "varname": "client_address_space", "type": "text", "default_val": "10.0.100.0/26", "description": "Address space for the firewall", "options": [] }, { - "varname": "saca_fwname", + "varname": "firewall_name", "type": "text", "default_val": "DemoFirewall", "description": "Saca Firewall Name", diff --git a/src/core/saca-hub/variables.tf b/src/core/saca-hub/variables.tf index b73efef24..7e0bbd0d6 100644 --- a/src/core/saca-hub/variables.tf +++ b/src/core/saca-hub/variables.tf @@ -65,7 +65,7 @@ variable "vnet_address_space" { # Firewall configuration section ################################# -variable "firewall_address_space" { +variable "client_address_space" { description = "The address space to be used for the Firewall virtual network." default = "10.0.100.0/26" type = string @@ -77,32 +77,32 @@ variable "management_address_space" { type = string } -variable "saca_fwname" { +variable "firewall_name" { description = "Name of the Hub Firewall" default = "mlzDemoFirewall" } -variable "fw_client_ipcfg_name" { +variable "client_ipconfig_name" { description = "The name of the Firewall Client IP Configuration" default = "mlzDemoFWClientIpCfg" } -variable "fw_client_pip_name" { +variable "client_publicip_name" { description = "The name of the Firewall Client Public IP" default = "mlzDemoFWClientPip" } -variable "fw_mgmt_ipcfg_name" { +variable "management_ipconfig_name" { description = "The name of the Firewall Management IP Configuration" default = "mlzDemoFWMgmtIpCfg" } -variable "fw_mgmt_pip_name" { +variable "management_publicip_name" { description = "The name of the Firewall Management Public IP" default = "mlzDemoFWMgmtPip" } -variable "mgmt_routetable_name" { +variable "management_routetable_name" { description = "The name of the route table applied to the management subnet" default = "mlzDemoFirewallMgmtRT" } 
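Review bot: `variable "client_address_space"` in src/core/saca-hub/variables.tf keeps the old description `The address space to be used for the Firewall virtual network.`, which matches neither its new name nor the hub-module description (`...subnet used for client traffic.`) that PATCH 01 introduced for the same value; the `saca-hub.front.json` entry in the first hunk carries the same drift with `Address space for the firewall`. A rename-only commit is exactly where descriptions go stale, and this one is the text operators see when they are asked to pick a prefix next to `management_address_space`. Update both, e.g. `description = "The address space to be used for the Firewall virtual network subnet used for client traffic."`.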
diff --git a/src/core/tier-0/main.tf b/src/core/tier-0/main.tf index 230c5c6a4..5801912f5 100644 --- a/src/core/tier-0/main.tf +++ b/src/core/tier-0/main.tf @@ -60,7 +60,7 @@ data "azurerm_log_analytics_workspace" "hub" { data "azurerm_firewall" "firewall" { provider = azurerm.hub - name = var.saca_fwname + name = var.firewall_name resource_group_name = data.azurerm_resource_group.hub.name } diff --git a/src/core/tier-0/tier-0.front.json b/src/core/tier-0/tier-0.front.json index a888d64f9..1add9f595 100644 --- a/src/core/tier-0/tier-0.front.json +++ b/src/core/tier-0/tier-0.front.json @@ -26,7 +26,7 @@ "options": [] }, { - "varname": "saca_fwname", + "varname": "firewall_name", "type": "text", "default_val": "DemoFirewall", "description": "Saca Firewall Name", diff --git a/src/core/tier-0/tier-0.orig.tfvars.json b/src/core/tier-0/tier-0.orig.tfvars.json index 847c59df1..da9a60165 100644 --- a/src/core/tier-0/tier-0.orig.tfvars.json +++ b/src/core/tier-0/tier-0.orig.tfvars.json @@ -3,7 +3,7 @@ "saca_subid": "{SACA_SUBID}", "saca_rgname": "{SACA_RGNAME}", "saca_vnetname": "{SACA_VNETNAME}", - "saca_fwname": "{SACA_FWNAME}", + "firewall_name": "{firewall_name}", "saca_lawsname": "{SACA_LAWSNAME}", "tier0_subid": "{TIER0_SUBID}", "tier0_rgname": "{TIER0_RGNAME}", diff --git a/src/core/tier-0/tier-0.tfvars.sample b/src/core/tier-0/tier-0.tfvars.sample index fc308be93..d42e26321 100644 --- a/src/core/tier-0/tier-0.tfvars.sample +++ b/src/core/tier-0/tier-0.tfvars.sample @@ -8,7 +8,7 @@ deploymentname = "{TIER0_DEPLOYMENTNAME}" saca_subid = "{SACA_SUBID}" saca_rgname = "{SACA_RGNAME}" saca_vnetname = "{SACA_VNETNAME}" -saca_fwname = "{SACA_FWNAME}" +firewall_name = "{firewall_name}" saca_lawsname = "{SACA_LAWSNAME}" tier0_subid = "{TIER0_SUBID}" tier0_rgname = "{TIER0_RGNAME}" diff --git a/src/core/tier-0/variables.tf b/src/core/tier-0/variables.tf index 677d69ddd..69fb2a221 100644 --- a/src/core/tier-0/variables.tf +++ b/src/core/tier-0/variables.tf 
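Review bot: The substitution token is lowercase in the tier templates — `"firewall_name": "{firewall_name}"` in tier-0.orig.tfvars.json and `firewall_name = "{firewall_name}"` in tier-0.tfvars.sample — while every other token in these files and the saca-hub templates in PATCH 07 use the upper-case form (`{SACA_SUBID}`, `{FIREWALL_NAME}`, ...). Any tooling that substitutes the upper-case tokens will leave the tier firewall name unreplaced, and `data.azurerm_firewall.firewall` in tier-0/main.tf would then look up a firewall literally named `{firewall_name}` and fail the plan. The same lowercase token appears in the tier-1 and tier-2 template hunks that follow; all six should read `{FIREWALL_NAME}`.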
@@ -54,7 +54,7 @@ variable "saca_lawsname" {
 description = "Log Analytics Workspace name for the deployment"
 }
-variable "saca_fwname" {
+variable "firewall_name" {
 description = "Name of the Hub Firewall"
 }
diff --git a/src/core/tier-1/main.tf b/src/core/tier-1/main.tf
index cffbce307..5bb270dc5 100644
--- a/src/core/tier-1/main.tf
+++ b/src/core/tier-1/main.tf
@@ -60,7 +60,7 @@ data "azurerm_log_analytics_workspace" "hub" {
 data "azurerm_firewall" "firewall" {
 provider = azurerm.hub
- name = var.saca_fwname
+ name = var.firewall_name
 resource_group_name = data.azurerm_resource_group.hub.name
 }
diff --git a/src/core/tier-1/tier-1.front.json b/src/core/tier-1/tier-1.front.json
index 1ff473e2a..af64190d8 100644
--- a/src/core/tier-1/tier-1.front.json
+++ b/src/core/tier-1/tier-1.front.json
@@ -26,7 +26,7 @@
 "options": []
 },
 {
- "varname": "saca_fwname",
+ "varname": "firewall_name",
 "type": "text",
 "default_val": "DemoFirewall",
 "description": "Saca Firewall Name",
diff --git a/src/core/tier-1/tier-1.orig.tfvars.json b/src/core/tier-1/tier-1.orig.tfvars.json
index 852dd8711..cb437d86c 100644
--- a/src/core/tier-1/tier-1.orig.tfvars.json
+++ b/src/core/tier-1/tier-1.orig.tfvars.json
@@ -3,7 +3,7 @@
 "saca_subid": "{SACA_SUBID}",
 "saca_rgname": "{SACA_RGNAME}",
 "saca_vnetname": "{SACA_VNETNAME}",
- "saca_fwname": "{SACA_FWNAME}",
+ "firewall_name": "{firewall_name}",
 "saca_lawsname": "{SACA_LAWSNAME}",
 "tier1_subid": "{TIER1_SUBID}",
 "tier1_rgname": "{TIER1_RGNAME}",
diff --git a/src/core/tier-1/tier-1.tfvars.sample b/src/core/tier-1/tier-1.tfvars.sample
index 5b16a744c..bace698ee 100644
--- a/src/core/tier-1/tier-1.tfvars.sample
+++ b/src/core/tier-1/tier-1.tfvars.sample
@@ -8,7 +8,7 @@ deploymentname = "{TIER1_DEPLOYMENTNAME}"
 saca_subid = "{SACA_SUBID}"
 saca_rgname = "{SACA_RGNAME}"
 saca_vnetname = "{SACA_VNETNAME}"
-saca_fwname = "{SACA_FWNAME}"
+firewall_name = "{firewall_name}"
 saca_lawsname = "{SACA_LAWSNAME}"
 tier1_subid = "{TIER1_SUBID}"
 tier1_rgname = "{TIER1_RGNAME}"
diff --git a/src/core/tier-1/variables.tf b/src/core/tier-1/variables.tf
index 3b0464d32..059bcb128 100644
--- a/src/core/tier-1/variables.tf
+++ b/src/core/tier-1/variables.tf
@@ -54,7 +54,7 @@ variable "saca_lawsname" {
 description = "Log Analytics Workspace name for the deployment"
 }
-variable "saca_fwname" {
+variable "firewall_name" {
 description = "Name of the Hub Firewall"
 }
diff --git a/src/core/tier-2/main.tf b/src/core/tier-2/main.tf
index e66a3784b..8b468b9dc 100644
--- a/src/core/tier-2/main.tf
+++ b/src/core/tier-2/main.tf
@@ -60,7 +60,7 @@ data "azurerm_log_analytics_workspace" "hub" {
 data "azurerm_firewall" "firewall" {
 provider = azurerm.hub
- name = var.saca_fwname
+ name = var.firewall_name
 resource_group_name = data.azurerm_resource_group.hub.name
 }
diff --git a/src/core/tier-2/tier-2.front.json b/src/core/tier-2/tier-2.front.json
index 62cd0b0d4..9ee893e6d 100644
--- a/src/core/tier-2/tier-2.front.json
+++ b/src/core/tier-2/tier-2.front.json
@@ -26,7 +26,7 @@
 "options": []
 },
 {
- "varname": "saca_fwname",
+ "varname": "firewall_name",
 "type": "text",
 "default_val": "DemoFirewall",
 "description": "Saca Firewall Name",
diff --git a/src/core/tier-2/tier-2.orig.tfvars.json b/src/core/tier-2/tier-2.orig.tfvars.json
index 2c8a37077..e1bd3ea7b 100644
--- a/src/core/tier-2/tier-2.orig.tfvars.json
+++ b/src/core/tier-2/tier-2.orig.tfvars.json
@@ -3,7 +3,7 @@
 "saca_subid":"{SACA_SUBID}",
 "saca_rgname":"{SACA_RGNAME}",
 "saca_vnetname":"{SACA_VNETNAME}",
- "saca_fwname":"{SACA_FWNAME}",
+ "firewall_name":"{firewall_name}",
 "saca_lawsname":"{SACA_LAWSNAME}",
 "tier2_subid":"{TIER2_SUBID}",
 "tier2_rgname":"{TIER2_RGNAME}",
diff --git a/src/core/tier-2/tier-2.tfvars.sample b/src/core/tier-2/tier-2.tfvars.sample
index d9a45d789..2b588052c 100644
--- a/src/core/tier-2/tier-2.tfvars.sample
+++ b/src/core/tier-2/tier-2.tfvars.sample
@@ -8,7 +8,7 @@ deploymentname = "{TIER2_DEPLOYMENTNAME}"
 saca_subid = "{SACA_SUBID}"
 saca_rgname = "{SACA_RGNAME}"
 saca_vnetname = "{SACA_VENTNAME}"
-saca_fwname = "{SACA_FWNAME}"
+firewall_name = "{firewall_name}"
 saca_lawsname = "{SACA_LAWSNAME}"
 tier2_subid = "{TIER2_SUBID}"
 tier2_rgname = "{TIER2_RGNAME}"
diff --git a/src/core/tier-2/variables.tf b/src/core/tier-2/variables.tf
index 2b05521cc..f8917f8e7 100644
--- a/src/core/tier-2/variables.tf
+++ b/src/core/tier-2/variables.tf
@@ -54,7 +54,7 @@ variable "saca_lawsname" {
 description = "Log Analytics Workspace name for the deployment"
 }
-variable "saca_fwname" {
+variable "firewall_name" {
 description = "Name of the Hub Firewall"
 }
diff --git a/src/modules/firewall/main.tf b/src/modules/firewall/main.tf
index 47ddd239d..a4d27d9a4 100644
--- a/src/modules/firewall/main.tf
+++ b/src/modules/firewall/main.tf
@@ -22,7 +22,7 @@ data "azurerm_subnet" "fw_mgmt_sn" {
 }
 resource "azurerm_public_ip" "fw_client_pip" {
- name = var.fw_client_pip_name
+ name = var.client_publicip_name
 location = data.azurerm_resource_group.hub.location
 resource_group_name = data.azurerm_resource_group.hub.name
 allocation_method = "Static"
@@ -31,7 +31,7 @@ resource "azurerm_public_ip" "fw_client_pip" {
 }
 resource "azurerm_public_ip" "fw_mgmt_pip" {
- name = var.fw_mgmt_pip_name
+ name = var.management_publicip_name
 location = data.azurerm_resource_group.hub.location
 resource_group_name = data.azurerm_resource_group.hub.name
 allocation_method = "Static"
@@ -40,7 +40,7 @@ resource "azurerm_public_ip" "fw_mgmt_pip" {
 }
 resource "azurerm_firewall" "firewall" {
- name = var.saca_fwname
+ name = var.firewall_name
 location = data.azurerm_resource_group.hub.location
 resource_group_name = data.azurerm_resource_group.hub.name
 sku_tier = var.firewall_sku
@@ -48,13 +48,13 @@ resource "azurerm_firewall" "firewall" {
 tags = var.tags
 ip_configuration {
- name = var.fw_client_ipcfg_name
+ name = var.client_ipconfig_name
 subnet_id = data.azurerm_subnet.fw_client_sn.id
 public_ip_address_id = azurerm_public_ip.fw_client_pip.id
 }
 management_ip_configuration {
- name = var.fw_mgmt_ipcfg_name
+ name = var.management_ipconfig_name
 subnet_id = data.azurerm_subnet.fw_mgmt_sn.id
 public_ip_address_id = azurerm_public_ip.fw_mgmt_pip.id
 }
diff --git a/src/modules/firewall/variables.tf b/src/modules/firewall/variables.tf
index 40d00ee27..cfa2aaf09 100644
--- a/src/modules/firewall/variables.tf
+++ b/src/modules/firewall/variables.tf
@@ -20,7 +20,7 @@ variable "firewall_sku" {
 description = "The SKU for Azure Firewall"
 }
-variable "firewall_address_space" {
+variable "client_address_space" {
 description = "The address space to be used for the Firewall subnets"
 }
@@ -32,23 +32,23 @@ variable "fw_mgmt_sn_name" {
 description = "The name of the Firewall management traffic subnet"
 }
-variable "saca_fwname" {
+variable "firewall_name" {
 description = "The name of the Firewall"
 }
-variable "fw_client_ipcfg_name" {
+variable "client_ipconfig_name" {
 description = "The name of the Firewall Client IP Configuration"
 }
-variable "fw_client_pip_name" {
+variable "client_publicip_name" {
 description = "The name of the Firewall Client Public IP"
 }
-variable "fw_mgmt_ipcfg_name" {
+variable "management_ipconfig_name" {
 description = "The name of the Firewall Management IP Configuration"
 }
-variable "fw_mgmt_pip_name" {
+variable "management_publicip_name" {
 description = "The name of the Firewall Management Public IP"
 }
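Review bot: In `src/modules/firewall/variables.tf` the renamed `client_address_space` keeps the description `"The address space to be used for the Firewall subnets"` (plural), which after the rename no longer states what the value is for and disagrees with the hub module's wording for the same variable; `description = "The address space to be used for the Firewall subnet used for client traffic."` would align the two. None of the renamed variables in this module declare a `type`, so a value of the wrong type is only rejected when the resource is created rather than at plan time; `type = string` on each is a cheap guard. The visible `firewall/main.tf` resolves both subnets by name through `data "azurerm_subnet"` and never references the CIDR, so it is worth confirming whether `client_address_space` is still consumed anywhere in this module and dropping it from the module interface if it is not.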
@@ -70,4 +70,4 @@ variable "disable_snat_ip_range" {
 description = "The address space to be used to ensure that SNAT is disabled."
 default = ["0.0.0.0/0"]
 type = list
-}
\ No newline at end of file
+}
diff --git a/src/modules/hub/main.tf b/src/modules/hub/main.tf
index bf17c6a36..4e0a418b6 100644
--- a/src/modules/hub/main.tf
+++ b/src/modules/hub/main.tf
@@ -18,7 +18,7 @@ resource "azurerm_subnet" "fw_client" {
 name = "AzureFirewallSubnet"
 resource_group_name = module.hub-network.resource_group_name
 virtual_network_name = module.hub-network.virtual_network_name
- address_prefixes = [cidrsubnet(var.firewall_address_space, 0, 0)]
+ address_prefixes = [cidrsubnet(var.client_address_space, 0, 0)]
 }
 resource "azurerm_subnet" "fw_mgmt" {
diff --git a/src/modules/hub/variables.tf b/src/modules/hub/variables.tf
index 43b9e425e..62e92dc93 100644
--- a/src/modules/hub/variables.tf
+++ b/src/modules/hub/variables.tf
@@ -18,7 +18,7 @@ variable "vnet_address_space" {
 type = list(string)
 }
-variable "firewall_address_space" {
+variable "client_address_space" {
 description = "The address space to be used for the Firewall virtual network subnet used for client traffic."
 type = string
 }
From db535ded79f5317c1255d07f330e77189a7aad1d Mon Sep 17 00:00:00 2001
From: Glenn Musa <4622125+glennmusa@users.noreply.github.com>
Date: Tue, 11 May 2021 10:37:45 -0400
Subject: [PATCH 09/13] update global tf vars generator
---
 src/scripts/terraform/create_globals_from_config.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/scripts/terraform/create_globals_from_config.sh b/src/scripts/terraform/create_globals_from_config.sh
index c2e4332c8..61ad2a1d7 100755
--- a/src/scripts/terraform/create_globals_from_config.sh
+++ b/src/scripts/terraform/create_globals_from_config.sh
@@ -69,5 +69,5 @@ append_kvp "tier2_vnetname" "vn-t2-${mlz_env_name}"
 append_kvp "saca_subid" "${mlz_saca_subid}"
 append_kvp "saca_rgname" "rg-saca-${mlz_env_name}"
 append_kvp "saca_vnetname" "vn-saca-${mlz_env_name}"
-append_kvp "saca_fwname" "Firewall${mlz_env_name}"
+append_kvp "firewall_name" "Firewall${mlz_env_name}"
 append_kvp "saca_lawsname" "laws-${mlz_env_name}"
From 2213a0840ce90f82986bf1d21e26dc108d86e45c Mon Sep 17 00:00:00 2001
From: Byron Boudreaux <16844071+Phydeauxman@users.noreply.github.com>
Date: Tue, 11 May 2021 12:51:47 -0400
Subject: [PATCH 10/13] - Added additional fields to the frontend json
---
 src/core/saca-hub/saca-hub.front.json | 35 +++++++++++++++++++++------
 1 file changed, 28 insertions(+), 7 deletions(-)
diff --git a/src/core/saca-hub/saca-hub.front.json b/src/core/saca-hub/saca-hub.front.json
index 04fb8a5eb..8c497be2f 100644
--- a/src/core/saca-hub/saca-hub.front.json
+++ b/src/core/saca-hub/saca-hub.front.json
@@ -91,7 +91,14 @@
 "varname": "client_address_space",
 "type": "text",
 "default_val": "10.0.100.0/26",
- "description": "Address space for the firewall",
+ "description": "Address space for the client subnet attached to firewall",
+ "options": []
+ },
+ {
+ "varname": "management_address_space",
+ "type": "text",
+ "default_val": "10.0.100.64/26",
+ "description": "Address space for the management subnet attached to firewall",
 "options": []
 },
 {
@@ -102,17 +109,31 @@
 "options": []
 },
 {
- "varname": "firewall_ipconfig_name",
+ "varname": "client_ipconfig_name",
+ "type": "text",
+ "default_val": "FirewallClientIPConfiguration",
+ "description": "Name for the IP configuration for the firewall client subnet",
+ "options": []
+ },
+ {
+ "varname": "management_ipconfig_name",
+ "type": "text",
+ "default_val": "FirewallManagementIPConfiguration",
+ "description": "Name for the IP configuration for the firewall management subnet",
+ "options": []
+ },
+ {
+ "varname": "client_publicip_name",
 "type": "text",
- "default_val": "FirewallIPConfiguration",
- "description": "Name for the firewall ipconfig",
+ "default_val": "FirewallClientPublicIP",
+ "description": "Name for the Public IP attached to the firewall client subnet",
 "options": []
 },
 {
- "varname": "public_ip_name",
+ "varname": "management_publicip_name",
 "type": "text",
- "default_val": "FirewallPublicIP",
- "description": "Name for the Public IP",
+ "default_val": "FirewallManaghementPublicIP",
+ "description": "Name for the Public IP attached to the firewall management subnet",
 "options": []
 },
 {
From c16ff57878fdbee64366f0c23474a3044310b3b6 Mon Sep 17 00:00:00 2001
From: Byron Boudreaux <16844071+Phydeauxman@users.noreply.github.com>
Date: Tue, 11 May 2021 13:51:39 -0400
Subject: [PATCH 11/13] - Added route table field to frontend json
---
 src/core/saca-hub/saca-hub.front.json | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/src/core/saca-hub/saca-hub.front.json b/src/core/saca-hub/saca-hub.front.json
index 8c497be2f..bd62ce371 100644
--- a/src/core/saca-hub/saca-hub.front.json
+++ b/src/core/saca-hub/saca-hub.front.json
@@ -132,10 +132,17 @@
 {
 "varname": "management_publicip_name",
 "type": "text",
- "default_val": "FirewallManaghementPublicIP",
+ "default_val": "FirewallManagementPublicIP",
 "description": "Name for the Public IP attached to the firewall management subnet",
 "options": []
 },
+ {
+ "varname": "management_routetable_name",
+ "type": "text",
+ "default_val": "FirewallManagementRouteTable",
+ "description": "Name of the routing table that gets attached to the firewall management subnet",
+ "options": []
+ },
 {
 "varname": "create_network_watcher",
 "type": "boolean",
From 4de98cd0a9c8fba2178c8dfcf633e3c7f93350b5 Mon Sep 17 00:00:00 2001
From: Byron Boudreaux <16844071+Phydeauxman@users.noreply.github.com>
Date: Wed, 12 May 2021 13:47:10 +0000
Subject: [PATCH 12/13] - Updated variable names in modules
---
 src/core/saca-hub/main.tf | 30 +++++++++++++++---------------
 src/modules/firewall/main.tf | 4 ++--
 src/modules/firewall/variables.tf | 4 ++--
 src/modules/hub/output.tf | 8 ++++----
 4 files changed, 23 insertions(+), 23 deletions(-)
diff --git a/src/core/saca-hub/main.tf b/src/core/saca-hub/main.tf
index 8db5fbabd..fd007f733 100644
--- a/src/core/saca-hub/main.tf
+++ b/src/core/saca-hub/main.tf
@@ -72,21 +72,21 @@ locals {
 }
 module "saca-firewall" {
- depends_on = [module.saca-hub-network]
- source = "../../modules/firewall"
- location = var.mlz_location
- resource_group_name = module.saca-hub-network.resource_group_name
- vnet_name = module.saca-hub-network.virtual_network_name
- vnet_address_space = module.saca-hub-network.virtual_network_address_space
- firewall_sku = contains(local.firewall_premium_tf_environments, lower(var.tf_environment)) ? "Premium" : "Standard"
- fw_client_sn_name = module.saca-hub-network.fw_client_subnet_name
- fw_mgmt_sn_name = module.saca-hub-network.fw_mgmt_subnet_name
- client_address_space = var.client_address_space
- firewall_name = var.firewall_name
- client_ipconfig_name = var.client_ipconfig_name
- client_publicip_name = var.client_publicip_name
- management_ipconfig_name = var.management_ipconfig_name
- management_publicip_name = var.management_publicip_name
+ depends_on = [module.saca-hub-network]
+ source = "../../modules/firewall"
+ location = var.mlz_location
+ resource_group_name = module.saca-hub-network.resource_group_name
+ vnet_name = module.saca-hub-network.virtual_network_name
+ vnet_address_space = module.saca-hub-network.virtual_network_address_space
+ firewall_sku = contains(local.firewall_premium_tf_environments, lower(var.tf_environment)) ? "Premium" : "Standard"
+ firewall_client_subnet_name = module.saca-hub-network.firewall_client_subnet_name
+ firewall_management_subnet_name = module.saca-hub-network.firewall_management_subnet_name
+ client_address_space = var.client_address_space
+ firewall_name = var.firewall_name
+ client_ipconfig_name = var.client_ipconfig_name
+ client_publicip_name = var.client_publicip_name
+ management_ipconfig_name = var.management_ipconfig_name
+ management_publicip_name = var.management_publicip_name
 log_analytics_workspace_id = module.saca-hub-network.log_analytics_workspace_id
diff --git a/src/modules/firewall/main.tf b/src/modules/firewall/main.tf
index a4d27d9a4..aa5712cd1 100644
--- a/src/modules/firewall/main.tf
+++ b/src/modules/firewall/main.tf
@@ -10,13 +10,13 @@ data "azurerm_virtual_network" "hub" {
 }
 data "azurerm_subnet" "fw_client_sn" {
- name = var.fw_client_sn_name
+ name = var.firewall_client_subnet_name
 virtual_network_name = data.azurerm_virtual_network.hub.name
 resource_group_name = data.azurerm_resource_group.hub.name
 }
 data "azurerm_subnet" "fw_mgmt_sn" {
- name = var.fw_mgmt_sn_name
+ name = var.firewall_management_subnet_name
 virtual_network_name = data.azurerm_virtual_network.hub.name
 resource_group_name = data.azurerm_resource_group.hub.name
 }
diff --git a/src/modules/firewall/variables.tf b/src/modules/firewall/variables.tf
index cfa2aaf09..86579ab9e 100644
--- a/src/modules/firewall/variables.tf
+++ b/src/modules/firewall/variables.tf
@@ -24,11 +24,11 @@ variable "client_address_space" {
 description = "The address space to be used for the Firewall subnets"
 }
-variable "fw_client_sn_name" {
+variable "firewall_client_subnet_name" {
 description = "The name of the Firewall client traffic subnet"
 }
-variable "fw_mgmt_sn_name" {
+variable "firewall_management_subnet_name" {
 description = "The name of the Firewall management traffic subnet"
 }
diff --git a/src/modules/hub/output.tf b/src/modules/hub/output.tf
index c3dbcbc0d..b7f49746b 100644
--- a/src/modules/hub/output.tf
+++ b/src/modules/hub/output.tf
@@ -20,19 +20,19 @@ output "virtual_network_address_space" {
 value = module.hub-network.virtual_network_address_space
 }
-output "fw_client_subnet_name" {
+output "firewall_client_subnet_name" {
 value = azurerm_subnet.fw_client.name
 }
-output "fw_mgmt_subnet_name" {
+output "firewall_management_subnet_name" {
 value = azurerm_subnet.fw_mgmt.name
 }
-output "fw_client_subnet_id" {
+output "firewall_client_subnet_id" {
 value = azurerm_subnet.fw_client.id
 }
-output "fw_mgmt_subnet_id" {
+output "firewall_mgmt_subnet_id" {
 value = azurerm_subnet.fw_mgmt.id
 }
From 8b95234f148efdca54e0e99810852a8da9c8ab52 Mon Sep 17 00:00:00 2001
From: Byron Boudreaux <16844071+Phydeauxman@users.noreply.github.com>
Date: Thu, 13 May 2021 14:18:27 +0000
Subject: [PATCH 13/13] - Added missing variable to json sample
---
 src/core/saca-hub/saca-hub.orig.tfvars.json | 1 +
 1 file changed, 1 insertion(+)
diff --git a/src/core/saca-hub/saca-hub.orig.tfvars.json b/src/core/saca-hub/saca-hub.orig.tfvars.json
index 16e94c5fa..6411d0694 100644
--- a/src/core/saca-hub/saca-hub.orig.tfvars.json
+++ b/src/core/saca-hub/saca-hub.orig.tfvars.json
@@ -20,5 +20,6 @@
 "client_publicip_name": "{FIREWALL_CLIENT_PUBLICIP_NAME}",
 "management_ipconfig_name": "{FIREWALL_MANAGEMENT_IPCONFIG_NAME}",
 "management_publicip_name": "{FIREWALL_MANAGEMENT_PUBLICIP_NAME}",
+ "management_routetable_name": "{FIREWALL_MANAGEMENT_ROUTE_TABLE_NAME}",
 "create_network_watcher": false
 }
\ No newline at end of file
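Review bot: The last renamed output in `src/modules/hub/output.tf` is `firewall_mgmt_subnet_id`, while its three siblings in the same hunk follow the spelled-out form (`firewall_management_subnet_name`, `firewall_client_subnet_id`), so the naming convention this commit introduces is broken within the file it introduces it in; `output "firewall_management_subnet_id" {` keeps the four outputs uniform. Whatever consumes the old `fw_mgmt_subnet_id` output elsewhere in the repository is not visible in this patch, so that reference would need the matching update as well.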