Support for Azure Firewall Manager resources #7319

Closed
jturver1 opened this issue Jun 13, 2020 · 11 comments · Fixed by #7390 or #8879

Comments

@jturver1

jturver1 commented Jun 13, 2020

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Support for Azure Firewall Manager Policies

It would be great to see some MVP support for the relatively new Azure Firewall Manager constructs:

  • Azure Firewall Manager constructs, including "Secure Virtual Hub" configurations
  • Azure Firewall Manager Firewall Policies (parent, child)
  • Azure Firewall Manager Policy Rule Collections (Network, Application, DNAT)
  • Azure Firewall Manager Rule Collection Rules

Firewall Manager will likely supersede Azure Firewall (azurerm_firewall) for deploying and managing Azure Firewall in many cases. It would be fantastic to be able to manage these resources via Terraform.

  • azurerm_firewallmanager
  • azurerm_firewallmanager_securevirtualhub
  • azurerm_firewallmanager_securevirtualhub_routesettings
  • azurerm_firewallmanager_securevirtualhub_connections
  • azurerm_firewallmanager_securevirtualhub_securityproviders
  • azurerm_firewallmanager_firewall
  • azurerm_firewallmanager_policy (parent and child)
  • azurerm_firewallmanager_policy_rulecollectiongroup
  • azurerm_firewallmanager_policy_rulecollectiongroup_applicationrule
  • azurerm_firewallmanager_policy_rulecollectiongroup_networkrule
  • azurerm_firewallmanager_policy_rulecollectiongroup_dnatrule

This provides an example of how Azure Firewall Manager Policy constructs map to existing Azure Firewall policy in terms of some of the resource types required and their properties:

Potential Terraform Configuration

For MVP, it would be great to have the ability to manage the following resources as a priority/starting point:

  1. Azure Firewall Manager Policies, Rule collections, and Rules
  2. "Secure Virtual Hubs" and associated Connections, and Route Settings

References

https://docs.microsoft.com/en-us/azure/firewall-manager/
https://docs.microsoft.com/en-us/azure/firewall-manager/migrate-to-policy

@jturver1 jturver1 changed the title from "Support for [thing]" to "Support for Azure Firewall Manager resources" Jun 13, 2020
@magodo
Collaborator

magodo commented Jun 17, 2020

@jturver1 Thank you for submitting this feature request 👍

I had a try with the API, and it feels like we can create the following resources, which are almost the same as your listing, with some minor changes:

  • azurerm_firewall_policy: The firewall policy resource
  • azurerm_firewall_policy_rule_collection_group: The firewall rule collection group belonging to some firewall policy resource.

Regarding the firewall resource itself, we shall enhance the existing azurerm_firewall to allow it to specify the firewall_policy.

Currently, I have not looked into the secured virtual hub or hub virtual network. I will update that part here later.

Or do you have any opinion on this?

@jturver1
Author

Hi Magodo, that sounds great, thank you 👍

I agree that the resources above are the priority for now. We want to be able to manage the policy and rule sets on a high frequency basis using Terraform state awareness.

It would be great to have Terraform manage the Secure Virtual Hub construct as well, but that will mostly be a deploy-and-destroy-only construct, and we can use a null resource with local exec to do that for now.

Many thanks, and please keep up your valuable efforts in proactive maintenance of AzureRM; they are greatly appreciated.

@jturver1
Author

Quick update and additional request for the Firewall Manager, Firewall Policy resource configuration:
Can we please include a section to:

  • Enable / Disable ThreatIntelligence feature (set mode)
  • Manage ThreatIntelligence whitelist

API ref here (evolving fast):

Many thanks again

@magodo
Collaborator

magodo commented Jul 15, 2020

@jturver1 These two properties have been covered in the linked PR #7390.

@ersil

ersil commented Oct 7, 2020

@magodo Is secure virtual hub under consideration for being implemented anytime soon?

@tombuildsstuff tombuildsstuff modified the milestones: v2.31.0, v2.32.0 Oct 8, 2020
@magodo
Collaborator

magodo commented Oct 12, 2020

@ersil Yes, will be implemented soon.

@zparnold
Contributor

zparnold commented Oct 29, 2020

@jackofallops @magodo If you want, I can take a crack at this. But it seems like you are already working so I'd prefer not to duplicate

@tombuildsstuff tombuildsstuff modified the milestones: v2.36.0, v2.35.0 Oct 30, 2020
@jackofallops jackofallops modified the milestones: v2.35.0, v2.36.0 Nov 5, 2020
@runemy

runemy commented Nov 9, 2020

Hi,

I have created an "azure_firewall" and an "azurerm_firewall_policy". But I cannot find any documentation on how to connect these two resources. I have tried to add firewall_policy_id in "azure_firewall", but get the message: An argument named "firewall_policy_id" is not expected here.

I cannot find any documentation that describes how to connect an Azure Firewall Policy to an Azure Firewall.

Have I missed something or is this not supported yet?

@tesharp
Contributor

tesharp commented Nov 9, 2020

@runemy It's currently not supported, but maybe if you wait till Thursday and release 2.36 it will finally be supported :) Just follow this pull request #8879

@jackofallops jackofallops modified the milestones: v2.36.0, v2.37.0 Nov 12, 2020
katbyte pushed a commit that referenced this issue Nov 17, 2020
This PR adds the required properties to azurerm_firewall to make use of azurerm_firewall_policy, under both secured virtual hub cases and hub virtual network cases.

This implements part of feature request in #7319.
@ghost

ghost commented Nov 20, 2020

This has been released in version 2.37.0 of the provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. As an example:

provider "azurerm" {
    version = "~> 2.37.0"
}
# ... other configuration ...
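
For the question above about connecting the two resources, an added example (not from the thread or the provider's documentation) that attaches a parent/child firewall policy to a firewall through the firewall_policy_id argument, with the ThreatIntelligence mode and allowlist requested earlier in the thread. Resource names, addresses and the four input variables are constructed placeholders.

```hcl
# Added example; names, addresses and variables are constructed placeholders.
variable "resource_group_name" { type = string }
variable "location" { type = string }
variable "firewall_subnet_id" { type = string } # ID of the AzureFirewallSubnet
variable "firewall_public_ip_id" { type = string }

# Parent policy: shared threat intelligence settings.
resource "azurerm_firewall_policy" "parent" {
  name                = "example-parent-policy"
  resource_group_name = var.resource_group_name
  location            = var.location

  # "Deny" blocks matching traffic, "Alert" only logs it, "Off" disables the feature.
  threat_intelligence_mode = "Deny"

  # Every entry here bypasses threat intelligence filtering, so keep the list short.
  threat_intelligence_allowlist {
    ip_addresses = ["203.0.113.10"]
    fqdns        = ["updates.example.com"]
  }
}

# Child policy: inherits from the parent through base_policy_id.
resource "azurerm_firewall_policy" "child" {
  name                = "example-child-policy"
  resource_group_name = var.resource_group_name
  location            = var.location
  base_policy_id      = azurerm_firewall_policy.parent.id
}

resource "azurerm_firewall" "example" {
  name                = "example-firewall"
  resource_group_name = var.resource_group_name
  location            = var.location

  # The argument asked about above; rejected by provider versions before 2.37.0.
  firewall_policy_id = azurerm_firewall_policy.child.id
  # Provider 3.x and later also require sku_name and sku_tier here.

  ip_configuration {
    name                 = "configuration"
    subnet_id            = var.firewall_subnet_id
    public_ip_address_id = var.firewall_public_ip_id
  }
}
```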

@ghost

ghost commented Dec 18, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!

@ghost ghost locked as resolved and limited conversation to collaborators Dec 18, 2020