Platform Firewall Rules



This module creates a firewall policy rule collection group with a standardized rule set for the platform. It contains the rules needed between Azure and Azure services and excludes rules that are customer- or q.beyond-specific. The standard is defined by q.beyond AG.

Usage

It's very easy to use!

```hcl
provider "azurerm" {
  features {}
  skip_provider_registration = true
}

# The original snippet referenced local.location without setting it; the value is an assumption.
locals {
  location = "westeurope"
}

resource "azurerm_resource_group" "example" {
  name     = "rg-example-fwp"
  location = local.location
}

# IP groups the module requires; the CIDRs are placeholders for this example.
resource "azurerm_ip_group" "application_lz" {
  name                = "ipg-application-lz"
  location            = local.location
  resource_group_name = azurerm_resource_group.example.name
  cidrs               = ["10.10.0.0/16"]
}

resource "azurerm_ip_group" "platform" {
  name                = "ipg-platform"
  location            = local.location
  resource_group_name = azurerm_resource_group.example.name
  cidrs               = ["10.0.0.0/16"]
}

resource "azurerm_firewall_policy" "example" {
  name                = "fwp-example"
  resource_group_name = azurerm_resource_group.example.name
  location            = local.location

  # DNS proxy must be enabled on the policy for FQDN-based network rules to be resolved by the firewall.
  dns {
    proxy_enabled = true
  }
}

module "firewall_rules" {
  source = "../.."

  firewall_policy_id  = azurerm_firewall_policy.example.id
  resource_group_name = azurerm_resource_group.example.name
  stage               = "tst"

  ipg_application_lz_id = azurerm_ip_group.application_lz.id
  ipg_platform_id       = azurerm_ip_group.platform.id
}
```

Requirements

| Name | Version |
|------|---------|
| azurerm | >= 3.7.0 |

Note: the `bastion_config` input uses object attributes declared with `optional(type, default)`, which requires Terraform 1.3 or later.

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| ipg_application_lz_id | IP ranges for all application landing zones. | `string` | n/a | yes |
| ipg_platform_id | IP ranges for the whole platform service, as defined by the Azure landing zone core modules. | `string` | n/a | yes |
| resource_group_name | The name of the resource group in which the firewall policy and the Azure Firewall are located. | `string` | n/a | yes |
| stage | The stage the resource is located in, e.g. prod, dev. | `string` | n/a | yes |
| bastion_config | `ipg_bastion_id`: if the customer uses Azure Bastion, provide the Bastion IP group here.<br>`ipg_rdp_access_ids`: if RDP access is needed, provide the VM IP groups here; every IP group in this list becomes reachable from Bastion via RDP.<br>`ipg_ssh_access_ids`: if SSH access is needed, provide the VM IP groups here; every IP group in this list becomes reachable from Bastion via SSH. | <pre>object({<br>  ipg_bastion_id     = string<br>  ipg_rdp_access_ids = optional(list(string), [])<br>  ipg_ssh_access_ids = optional(list(string), [])<br>})</pre> | `null` | no |
| firewall_policy_id | For testing, use this. | `string` | `null` | no |
| ipg_azure_dc_id | The IP addresses of the domain controllers located in Azure. If the value is not provided, this network rule collection is not created. | `string` | `null` | no |
| ipg_dnsprivateresolver_id | The IP address of the private DNS resolver inbound endpoint. If the value is not provided, this network rule collection is not created. | `string` | `null` | no |
| ipg_entra_connect_id | IP ranges for the Entra ID Connect VMs. | `string` | `null` | no |
| ipg_onpremise_dc_id | If the customer still operates domain controllers on premises, provide their IP group here. | `string` | `null` | no |
| responsibility | Who is responsible for the rule collection: "Platform" when this module provides the general rule set for the firewall; other values would be the customer, etc. | `string` | `"Platform"` | no |
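The following is an added example (not part of the module's own documentation) showing how the optional inputs are wired up. It builds on the resource group, firewall policy, `local.location` and the `application_lz` / `platform` IP groups from the Usage section above; all other IP group names and CIDRs are constructed values for illustration. The point of the `bastion_config` lists is scope: only VMs whose IP group is listed in `ipg_rdp_access_ids` or `ipg_ssh_access_ids` become reachable from Bastion, so keep those groups to the management VMs that actually need interactive access rather than passing whole landing-zone ranges.

```hcl
locals {
  # Constructed example ranges; replace with the customer's real prefixes.
  optional_ip_groups = {
    bastion              = ["10.0.1.0/26"]                        # AzureBastionSubnet of the hub
    rdp_targets          = ["10.10.5.0/28"]                       # Windows management VMs only
    ssh_targets          = ["10.10.6.0/28"]                       # Linux management VMs only
    azure_dc             = ["10.0.2.4/32", "10.0.2.5/32"]         # domain controllers in Azure
    dns_resolver_inbound = ["10.0.3.4/32"]                        # private DNS resolver inbound endpoint
    entra_connect        = ["10.0.2.20/32"]                       # Entra ID Connect VM
    onprem_dc            = ["192.168.10.10/32", "192.168.10.11/32"] # on-premises domain controllers
  }
}

# One IP group per entry above; the name is derived from the map key.
resource "azurerm_ip_group" "optional" {
  for_each = local.optional_ip_groups

  name                = "ipg-${replace(each.key, "_", "-")}"
  location            = local.location
  resource_group_name = azurerm_resource_group.example.name
  cidrs               = each.value
}

module "firewall_rules" {
  source = "../.."

  firewall_policy_id  = azurerm_firewall_policy.example.id
  resource_group_name = azurerm_resource_group.example.name
  stage               = "prd"
  responsibility      = "Platform"

  ipg_application_lz_id = azurerm_ip_group.application_lz.id
  ipg_platform_id       = azurerm_ip_group.platform.id

  # Every IP group listed here becomes reachable from Bastion via RDP / SSH,
  # so list only the management VM groups, not the application landing zones.
  bastion_config = {
    ipg_bastion_id     = azurerm_ip_group.optional["bastion"].id
    ipg_rdp_access_ids = [azurerm_ip_group.optional["rdp_targets"].id]
    ipg_ssh_access_ids = [azurerm_ip_group.optional["ssh_targets"].id]
  }

  # Leaving any of these null skips the corresponding rule collection.
  ipg_azure_dc_id           = azurerm_ip_group.optional["azure_dc"].id
  ipg_dnsprivateresolver_id = azurerm_ip_group.optional["dns_resolver_inbound"].id
  ipg_entra_connect_id      = azurerm_ip_group.optional["entra_connect"].id
  ipg_onpremise_dc_id       = azurerm_ip_group.optional["onprem_dc"].id
}
```

If a customer has no on-premises domain controllers or no private DNS resolver, simply omit the corresponding input (or drop the map entry); the module then does not create that network rule collection, so no rule is left behind pointing at an empty IP group.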

Outputs

No outputs.

## Resource types

| Type | Used |
|------|------|
| [azurerm_firewall_policy_rule_collection_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/firewall_policy_rule_collection_group) | 1 |

**`Used` only includes resource blocks.** `for_each` and `count` meta-arguments, as well as resource blocks of modules, are not considered.

Modules

No modules.

## Resources by Files

### main.tf

| Name | Type |
|------|------|
| [azurerm_firewall_policy_rule_collection_group.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/firewall_policy_rule_collection_group) | resource |

Contribute

Please use pull requests to contribute.

When a new feature or fix is ready to be released, create a new GitHub release and adhere to Semantic Versioning 2.0.0.