qbeyond · May 30, 2024 · May 30, 2024 · May 30, 2024 · May 30, 2024 · May 30, 2024
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,13 @@ and this module adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.
 
 ## [Unreleased]
 
+## [2.1.1] - 2024-05-30
+
+### Fixed
+
+- `ipg_entra_connect_id` is now optional as intended
+- allow `crl3.digicert.com`, `crl4.digicert.com` and `ocsp.digicert.com` for Entra connect
+
 ## [2.1.0] - 2024-05-21
 
 ### Added

diff --git a/README.md b/README.md
@@ -55,14 +55,14 @@ module "firewall_rules" {
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_ipg_application_lz_id"></a> [ipg\_application\_lz\_id](#input\_ipg\_application\_lz\_id) | IP ranges for all application landing zones. | `string` | n/a | yes |
-| <a name="input_ipg_entra_connect_id"></a> [ipg\_entra\_connect\_id](#input\_ipg\_entra\_connect\_id) | IP ranges for entra id connect VMs. | `string` | n/a | yes |
 | <a name="input_ipg_platform_id"></a> [ipg\_platform\_id](#input\_ipg\_platform\_id) | IP ranges for the whole platform service, defined by the azure landing zone core modules. | `string` | n/a | yes |
 | <a name="input_resource_group_name"></a> [resource\_group\_name](#input\_resource\_group\_name) | The name of the resource group in which the firewall policy and the azure firewall are located. | `string` | n/a | yes |
 | <a name="input_stage"></a> [stage](#input\_stage) | The stage that the resource is located in, e.g. prod, dev. | `string` | n/a | yes |
-| <a name="input_bastion_config"></a> [bastion\_config](#input\_bastion\_config) | <pre>ipg_bastion_id: If the customer uses bastion, provide the bastion ip-group in this variable.<br>  ipg_rdp_access_ids: If RDP access is needed, provide vm ip-groups in this variable. Every ip-group provided in this list, will be accessible by bastion via RDP.<br>  ipg_ssh_access_ids: If SSH access is needed, provide vm ip-groups in this variable. Every ip-group provided in this list, will be accessible by bastion via SSH.</pre> | <pre>object({<br>    ipg_bastion_id = string<br>    ipg_rdp_access_ids = optional(list(string), [])<br>    ipg_ssh_access_ids = optional(list(string), [])<br>  })</pre> | `null` | no |
+| <a name="input_bastion_config"></a> [bastion\_config](#input\_bastion\_config) | <pre>ipg_bastion_id: If the customer uses bastion, provide the bastion ip-group in this variable.<br>  ipg_rdp_access_ids: If RDP access is needed, provide vm ip-groups in this variable. Every ip-group provided in this list, will be accessible by bastion via RDP.<br>  ipg_ssh_access_ids: If SSH access is needed, provide vm ip-groups in this variable. Every ip-group provided in this list, will be accessible by bastion via SSH.</pre> | <pre>object({<br>    ipg_bastion_id     = string<br>    ipg_rdp_access_ids = optional(list(string), [])<br>    ipg_ssh_access_ids = optional(list(string), [])<br>  })</pre> | `null` | no |
 | <a name="input_firewall_policy_id"></a> [firewall\_policy\_id](#input\_firewall\_policy\_id) | For testing use this | `string` | `null` | no |
 | <a name="input_ipg_azure_dc_id"></a> [ipg\_azure\_dc\_id](#input\_ipg\_azure\_dc\_id) | The ip addresses of the domain controller located in azure. If the value is not provided, this network rule collection will not be created. | `string` | `null` | no |
 | <a name="input_ipg_dnsprivateresolver_id"></a> [ipg\_dnsprivateresolver\_id](#input\_ipg\_dnsprivateresolver\_id) | The ip address of the private dns resolver inbound endpoint. If the value is not provided, this network rule collection will not be created | `string` | `null` | no |
+| <a name="input_ipg_entra_connect_id"></a> [ipg\_entra\_connect\_id](#input\_ipg\_entra\_connect\_id) | IP ranges for entra id connect VMs. | `string` | `null` | no |
 | <a name="input_ipg_onpremise_dc_id"></a> [ipg\_onpremise\_dc\_id](#input\_ipg\_onpremise\_dc\_id) | If the customer still operates domain controller on premise, provide these in this variable. | `string` | `null` | no |
 | <a name="input_responsibility"></a> [responsibility](#input\_responsibility) | The responsibility means who is responsible for the rule collection, e.g. is this rule collection in this module used as general rule set for the firewall, other responsibilities would be the customer etc. | `string` | `"Platform"` | no |
 ## Outputs

diff --git a/main.tf b/main.tf
@@ -136,15 +136,18 @@ resource "azurerm_firewall_policy_rule_collection_group" "this" {
     }
 
     rule {
-      name              = "allow-certificate-verification-outbound"
-      source_ip_groups  = [var.ipg_application_lz_id, var.ipg_platform_id]
+      name             = "allow-certificate-verification-outbound"
+      source_ip_groups = [var.ipg_application_lz_id, var.ipg_platform_id]
       destination_fqdns = [
         "mscrl.microsoft.com",
         "*.verisign.com",
         "*.entrust.net",
+        "crl3.digicert.com",
         "*.crl3.digicert.com",
+        "crl4.digicert.com",
         "*.crl4.digicert.com",
         "*.digicert.cn",
+        "ocsp.digicert.com",
         "*.ocsp.digicert.com",
         "*.www.d-trust.net",
         "*.root-c3-ca2-2009.ocsp.d-trust.net",
@@ -171,8 +174,8 @@ resource "azurerm_firewall_policy_rule_collection_group" "this" {
       action   = "Allow"
 
       rule {
-        name              = "allow-entra-connect-outbound"
-        source_ip_groups  = [var.ipg_entra_connect_id]
+        name             = "allow-entra-connect-outbound"
+        source_ip_groups = [var.ipg_entra_connect_id]
         destination_fqdns = [
           "*.management.core.windows.net",
           "*.graph.windows.net",
@@ -188,7 +191,10 @@ resource "azurerm_firewall_policy_rule_collection_group" "this" {
           "aadcdn.msftauth.net",
           "aadcdn.msauth.net",
           "autoupdate.msappproxy.net",
-          "www.microsoft.com"
+          "www.microsoft.com",
+          "*.registration.msappproxy.net",       # used for SSO registration
+          "*.passwordreset.microsoftonline.com", # used for password writeback
+          "*.servicebus.windows.net"             # used for password writeback
         ]
         protocols {
           type = "Http"

diff --git a/variables.tf b/variables.tf
@@ -51,11 +51,11 @@ variable "ipg_platform_id" {
 
 variable "bastion_config" {
   type = object({
-    ipg_bastion_id = string
+    ipg_bastion_id     = string
     ipg_rdp_access_ids = optional(list(string), [])
     ipg_ssh_access_ids = optional(list(string), [])
   })
-  default = null 
+  default     = null
   description = <<-DOC
   ```
     ipg_bastion_id: If the customer uses bastion, provide the bastion ip-group in this variable.
@@ -68,4 +68,5 @@ variable "bastion_config" {
 variable "ipg_entra_connect_id" {
   type        = string
   description = "IP ranges for entra id connect VMs."
-}
+  default     = null
+}