Platform Firewall Rules

---

This module creates a firewall rule collection group with standardized rules for platform. This includes rules from azure to azure services and exclude rules that are customer or q.beyond specific. The standard ist defined by the q.beyond AG.

Usage

It's very easy to use!

provider "azurerm" {
  features {}
  skip_provider_registration = true
}

resource "azurerm_resource_group" "example" {
  name     = "rg-example-fwp"
  location = local.location
}

resource "azurerm_firewall_policy" "example" {
  name                = "fwp-example"
  resource_group_name = azurerm_resource_group.example.name
  location            = local.location

  dns {
    proxy_enabled = true
  }
}

module "firewall_rules" {
  source = "../.."

  firewall_policy_id  = azurerm_firewall_policy.example.id
  resource_group_name = azurerm_resource_group.example.name
  stage               = "tst"

  ipg_application_lz_id = azurerm_ip_group.application_lz.id
  ipg_platform_id       = azurerm_ip_group.platform.id
}

Requirements

Name	Version
azurerm	>= 3.7.0

Inputs

Name	Description	Type	Default	Required
ipg_application_lz_id	IP ranges for all application landing zones.	string	n/a	yes
ipg_platform_id	IP ranges for the whole platform service, defined by the azure landing zone core modules.	string	n/a	yes
resource_group_name	The name of the resource group in which the firewall policy and the azure firewall are located.	string	n/a	yes
stage	The stage that the resource is located in, e.g. prod, dev.	string	n/a	yes
bastion_config	ipg_bastion_id: If the customer uses bastion, provide the bastion ip-group in this variable. ipg_rdp_access_ids: If RDP access is needed, provide vm ip-groups in this variable. Every ip-group provided in this list, will be accessible by bastion via RDP. ipg_ssh_access_ids: If SSH access is needed, provide vm ip-groups in this variable. Every ip-group provided in this list, will be accessible by bastion via SSH.	object({ ipg_bastion_id = string ipg_rdp_access_ids = optional(list(string), []) ipg_ssh_access_ids = optional(list(string), []) })	null	no
firewall_policy_id	For testing use this	string	null	no
ipg_azure_dc_id	The ip addresses of the domain controller located in azure. If the value is not provided, this network rule collection will not be created.	string	null	no
ipg_dnsprivateresolver_id	The ip address of the private dns resolver inbound endpoint. If the value is not provided, this network rule collection will not be created	string	null	no
ipg_entra_connect_id	IP ranges for entra id connect VMs.	string	null	no
ipg_onpremise_dc_id	If the customer still operates domain controller on premise, provide these in this variable.	string	null	no
responsibility	The responsibility means who is responsible for the rule collection, e.g. is this rule collection in this module used as general rule set for the firewall, other responsibilities would be the customer etc.	string	"Platform"	no

Outputs

No outputs.

  ## Resource types

  | Type | Used |
  |------|-------|
    | [azurerm_firewall_policy_rule_collection_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/firewall_policy_rule_collection_group) | 1 |

  **`Used` only includes resource blocks.** `for_each` and `count` meta arguments, as well as resource blocks of modules are not considered.

Modules

No modules.

    ## Resources by Files

        ### main.tf

        | Name | Type |
        |------|------|
              | [azurerm_firewall_policy_rule_collection_group.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/firewall_policy_rule_collection_group) | resource |

Contribute

Please use Pull requests to contribute.

When a new Feature or Fix is ready to be released, create a new Github release and adhere to Semantic Versioning 2.0.0.