Skip to content

Commit

Permalink
Merge pull request #5 from qbeyond/feature/optional-dns-resolver
Browse files Browse the repository at this point in the history
Feature/optional dns resolver
  • Loading branch information
QBY-ChristianHartmann authored Apr 9, 2024
2 parents eed924b + 225653f commit d5e0447
Show file tree
Hide file tree
Showing 10 changed files with 276 additions and 137 deletions.
14 changes: 14 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,20 @@ and this module adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.

## [Unreleased]

## [1.2.0] - 2024-04-08

### Added
- platform rules for bastion

### Changed
- made rules for private dns resolver and azure dcs optional
- changed internal ordering of rules

### Removed

### Fixed


## [1.1.0] - 2023-11-17

### Added
Expand Down
76 changes: 19 additions & 57 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -14,51 +14,14 @@ It's very easy to use!
```hcl
provider "azurerm" {
features {}
skip_provider_registration = true
}
resource "azurerm_resource_group" "example" {
name = "rg-example-fw"
name = "rg-example-fwp"
location = local.location
}
resource "azurerm_virtual_network" "example" {
name = "vnet-example"
address_space = ["10.0.0.0/16"]
location = local.location
resource_group_name = azurerm_resource_group.example.name
}
resource "azurerm_subnet" "example" {
name = "AzureFirewallSubnet" # Must be exact 'AzureFirewallSubnet'
resource_group_name = azurerm_resource_group.example.name
virtual_network_name = azurerm_virtual_network.example.name
address_prefixes = ["10.0.0.0/16"]
}
resource "azurerm_public_ip" "example" {
name = "pip-example"
location = local.location
resource_group_name = azurerm_resource_group.example.name
allocation_method = "Static"
sku = "Standard"
}
resource "azurerm_firewall" "example" {
name = "fw-example"
location = local.location
resource_group_name = azurerm_resource_group.example.name
sku_name = "AZFW_VNet"
sku_tier = "Standard"
firewall_policy_id = azurerm_firewall_policy.example.id
ip_configuration {
name = "ip-config"
subnet_id = azurerm_subnet.example.id
public_ip_address_id = azurerm_public_ip.example.id
}
}
resource "azurerm_firewall_policy" "example" {
name = "fwp-example"
resource_group_name = azurerm_resource_group.example.name
Expand All @@ -79,11 +42,8 @@ module "firewall_rules" {
stage = "prd"
default_location = local.location
ipg_azure_dc_id = azurerm_ip_group.azure_dc.id
ipg_onpremise_dc_id = azurerm_ip_group.onpremise_dc.id
ipg_application_lz_id = azurerm_ip_group.application_lz.id
ipg_dnsprivateresolver_id = azurerm_ip_group.dnsprivateresolver.id
ipg_platform_id = azurerm_ip_group.platform.id
ipg_application_lz_id = azurerm_ip_group.application_lz.id
ipg_platform_id = azurerm_ip_group.platform.id
}
```

Expand All @@ -99,37 +59,39 @@ module "firewall_rules" {
|------|-------------|------|---------|:--------:|
| <a name="input_default_location"></a> [default\_location](#input\_default\_location) | The default location used for this module. | `string` | n/a | yes |
| <a name="input_ipg_application_lz_id"></a> [ipg\_application\_lz\_id](#input\_ipg\_application\_lz\_id) | IP ranges for all application landing zones. | `string` | n/a | yes |
| <a name="input_ipg_azure_dc_id"></a> [ipg\_azure\_dc\_id](#input\_ipg\_azure\_dc\_id) | The ip addresses of the domain controller located in azure. | `string` | n/a | yes |
| <a name="input_ipg_dnsprivateresolver_id"></a> [ipg\_dnsprivateresolver\_id](#input\_ipg\_dnsprivateresolver\_id) | The ip address of the private dns resolver inbound endpoint. | `string` | n/a | yes |
| <a name="input_ipg_platform_id"></a> [ipg\_platform\_id](#input\_ipg\_platform\_id) | IP ranges for the whole platform service, defined by the azure landing zone core modules. | `string` | n/a | yes |
| <a name="input_resource_group_name"></a> [resource\_group\_name](#input\_resource\_group\_name) | The name of the resource group in which the firewall policy and the azure firewall are located. | `string` | n/a | yes |
| <a name="input_stage"></a> [stage](#input\_stage) | The stage that the resource is located in, e.g. prod, dev. | `string` | n/a | yes |
| <a name="input_bastion_config"></a> [bastion\_config](#input\_bastion\_config) | <pre>ipg_bastion_id: If the customer uses bastion, provide the bastion ip-group in this variable.<br> ipg_rdp_access_ids: If rdp access is needed, provide vm ip-groups in this variable. Every ip-group provided in this list, will be accessible by bastion.<br> ipg_ssh_access_ids: If ssh access is needed, provide vm ip-groups in this variable. Every ip-group provided in this list, will be accessible by bastion.</pre> | <pre>object({<br> ipg_bastion_id = string<br> ipg_rdp_access_ids = optional(list(string), [])<br> ipg_ssh_access_ids = optional(list(string), [])<br> })</pre> | `null` | no |
| <a name="input_firewall_policy_id"></a> [firewall\_policy\_id](#input\_firewall\_policy\_id) | For testing use this | `string` | `null` | no |
| <a name="input_ipg_azure_dc_id"></a> [ipg\_azure\_dc\_id](#input\_ipg\_azure\_dc\_id) | The ip addresses of the domain controller located in azure. If the value is not provided, this network rule collection will not be created. | `string` | `null` | no |
| <a name="input_ipg_dnsprivateresolver_id"></a> [ipg\_dnsprivateresolver\_id](#input\_ipg\_dnsprivateresolver\_id) | The ip address of the private dns resolver inbound endpoint. If the value is not provided, this network rule collection will not be created | `string` | `null` | no |
| <a name="input_ipg_onpremise_dc_id"></a> [ipg\_onpremise\_dc\_id](#input\_ipg\_onpremise\_dc\_id) | If the customer still operates domain controller on premise, provide these in this variable. | `string` | `null` | no |
| <a name="input_responsibility"></a> [responsibility](#input\_responsibility) | The responsibility means who is responsible for the rule collection, e.g. is this rule collection in this module used as general rule set for the firewall, other responsibilities would be the customer etc. | `string` | `"Platform"` | no |
## Outputs

No outputs.

## Resource types

| Type | Used |
|------|-------|
| [azurerm_firewall_policy_rule_collection_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/firewall_policy_rule_collection_group) | 1 |
## Resource types

**`Used` only includes resource blocks.** `for_each` and `count` meta arguments, as well as resource blocks of modules are not considered.
| Type | Used |
|------|-------|
| [azurerm_firewall_policy_rule_collection_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/firewall_policy_rule_collection_group) | 1 |

**`Used` only includes resource blocks.** `for_each` and `count` meta arguments, as well as resource blocks of modules are not considered.

## Modules

No modules.

## Resources by Files
## Resources by Files

### main.tf
### main.tf

| Name | Type |
|------|------|
| [azurerm_firewall_policy_rule_collection_group.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/firewall_policy_rule_collection_group) | resource |
| Name | Type |
|------|------|
| [azurerm_firewall_policy_rule_collection_group.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/firewall_policy_rule_collection_group) | resource |

<!-- END_TF_DOCS -->

## Contribute
Expand Down
22 changes: 22 additions & 0 deletions examples/advanced/.terraform.lock.hcl

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

71 changes: 71 additions & 0 deletions examples/advanced/ip_groups.tf
Original file line number Diff line number Diff line change
@@ -0,0 +1,71 @@
resource "azurerm_ip_group" "azure_dc" {
name = "ipg-azure-dcs"
location = local.location
resource_group_name = azurerm_resource_group.example.name

cidrs = ["10.0.0.10/32", "10.0.0.11/32"]

lifecycle {
ignore_changes = [tags]
}
}

resource "azurerm_ip_group" "onpremise_dc" {
name = "ipg-onprem-dcs"
location = local.location
resource_group_name = azurerm_resource_group.example.name

cidrs = []

lifecycle {
ignore_changes = [tags]
}
}

resource "azurerm_ip_group" "dnsprivateresolver" {
name = "ipg-DNSPrivateResolver"
location = local.location
resource_group_name = azurerm_resource_group.example.name

cidrs = ["10.0.1.0/24"]

lifecycle {
ignore_changes = [tags]
}
}

resource "azurerm_ip_group" "application_lz" {
name = "ipg-application-landing-zone"
location = local.location
resource_group_name = azurerm_resource_group.example.name

cidrs = ["10.0.2.0/24"]

lifecycle {
ignore_changes = [tags]
}
}

resource "azurerm_ip_group" "platform" {
name = "ipg-platform"
location = local.location
resource_group_name = azurerm_resource_group.example.name

cidrs = ["10.0.2.0/24"]

lifecycle {
ignore_changes = [tags]
}
}

resource "azurerm_ip_group" "bastion" {
name = "ipg-bastion"
location = local.location
resource_group_name = azurerm_resource_group.example.name

cidrs = ["10.0.2.0/24"]

lifecycle {
ignore_changes = [tags]
}
}
3 changes: 3 additions & 0 deletions examples/advanced/locals.tf
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
locals {
location = "West Europe"
}
40 changes: 40 additions & 0 deletions examples/advanced/main.tf
Original file line number Diff line number Diff line change
@@ -0,0 +1,40 @@
provider "azurerm" {
features {}
skip_provider_registration = true
}

resource "azurerm_resource_group" "example" {
name = "rg-example-fwp"
location = local.location
}

resource "azurerm_firewall_policy" "example" {
name = "fwp-example"
resource_group_name = azurerm_resource_group.example.name
location = local.location

dns {
proxy_enabled = true
}
}

module "firewall_rules" {
source = "../.."

firewall_policy_id = azurerm_firewall_policy.example.id
resource_group_name = azurerm_resource_group.example.name

responsibility = "Platform"
stage = "prd"
default_location = local.location

ipg_dnsprivateresolver_id = azurerm_ip_group.dnsprivateresolver.id
ipg_azure_dc_id = azurerm_ip_group.azure_dc.id
ipg_application_lz_id = azurerm_ip_group.application_lz.id
ipg_platform_id = azurerm_ip_group.platform.id
bastion_config = {
ipg_bastion_id = azurerm_ip_group.bastion.id
ipg_rdp_access_ids = [azurerm_ip_group.application_lz.id]
ipg_ssh_access_ids = [azurerm_ip_group.application_lz.id]
}
}
14 changes: 13 additions & 1 deletion examples/basic/ip_groups.tf
Original file line number Diff line number Diff line change
Expand Up @@ -47,7 +47,7 @@ resource "azurerm_ip_group" "application_lz" {
}

resource "azurerm_ip_group" "platform" {
name = "ipg-application-landing-zone"
name = "ipg-platform"
location = local.location
resource_group_name = azurerm_resource_group.example.name

Expand All @@ -57,3 +57,15 @@ resource "azurerm_ip_group" "platform" {
ignore_changes = [tags]
}
}

resource "azurerm_ip_group" "bastion" {
name = "ipg-bastion"
location = local.location
resource_group_name = azurerm_resource_group.example.name

cidrs = ["10.0.2.0/24"]

lifecycle {
ignore_changes = [tags]
}
}
48 changes: 4 additions & 44 deletions examples/basic/main.tf
Original file line number Diff line number Diff line change
@@ -1,50 +1,13 @@
provider "azurerm" {
features {}
skip_provider_registration = true
}

resource "azurerm_resource_group" "example" {
name = "rg-example-fw"
name = "rg-example-fwp"
location = local.location
}

resource "azurerm_virtual_network" "example" {
name = "vnet-example"
address_space = ["10.0.0.0/16"]
location = local.location
resource_group_name = azurerm_resource_group.example.name
}

resource "azurerm_subnet" "example" {
name = "AzureFirewallSubnet" # Must be exact 'AzureFirewallSubnet'
resource_group_name = azurerm_resource_group.example.name
virtual_network_name = azurerm_virtual_network.example.name
address_prefixes = ["10.0.0.0/16"]
}

resource "azurerm_public_ip" "example" {
name = "pip-example"
location = local.location
resource_group_name = azurerm_resource_group.example.name
allocation_method = "Static"
sku = "Standard"
}

resource "azurerm_firewall" "example" {
name = "fw-example"
location = local.location
resource_group_name = azurerm_resource_group.example.name
sku_name = "AZFW_VNet"
sku_tier = "Standard"

firewall_policy_id = azurerm_firewall_policy.example.id

ip_configuration {
name = "ip-config"
subnet_id = azurerm_subnet.example.id
public_ip_address_id = azurerm_public_ip.example.id
}
}

resource "azurerm_firewall_policy" "example" {
name = "fwp-example"
resource_group_name = azurerm_resource_group.example.name
Expand All @@ -65,9 +28,6 @@ module "firewall_rules" {
stage = "prd"
default_location = local.location

ipg_azure_dc_id = azurerm_ip_group.azure_dc.id
ipg_onpremise_dc_id = azurerm_ip_group.onpremise_dc.id
ipg_application_lz_id = azurerm_ip_group.application_lz.id
ipg_dnsprivateresolver_id = azurerm_ip_group.dnsprivateresolver.id
ipg_platform_id = azurerm_ip_group.platform.id
ipg_application_lz_id = azurerm_ip_group.application_lz.id
ipg_platform_id = azurerm_ip_group.platform.id
}
Loading

0 comments on commit d5e0447

Please sign in to comment.