Add Forced Tunneling to the Hub Firewall configuration (#202)

* - Added Management subnet to SACA Virtual Network

* - Added route table to management subnet

* - Added TIME provider to Docerkfile
- Added Route Table to HUB module
- Added TIME provder declaration to SACA-HUB main.tf

* - Updated FW related variable names
- Added management IP config to firewall

* - Removed AZURERM provider arg for 2.50

* - Added new line at end of file

* - Updated variable names in template files

* - Update variable names

* update global tf vars generator

* - Added additional fields to the frontend json

* - Added route table field to frontend json

* - Updated variable names in modules

* - Added missing variable to json sample

Co-authored-by: Glenn Musa <4622125+glennmusa@users.noreply.github.com>

.devcontainer/Dockerfile

@@ -42,16 +42,22 @@ RUN wget -O terraform.zip https://releases.hashicorp.com/terraform/0.13.4/terraf
 ENV TF_PLUGIN_CACHE_DIR=/usr/lib/tf-plugins
 ARG AZURERM_LOCAL_PATH="${TF_PLUGIN_CACHE_DIR}/registry.terraform.io/hashicorp/azurerm/2.55.0/linux_amd64"
 ARG RANDOM_LOCAL_PATH="${TF_PLUGIN_CACHE_DIR}/registry.terraform.io/hashicorp/random/3.1.0/linux_amd64"
+ARG TIME_LOCAL_PATH="${TF_PLUGIN_CACHE_DIR}/registry.terraform.io/hashicorp/time/0.7.1/linux_amd64"
 ARG AZURERM_PROVIDER=https://releases.hashicorp.com/terraform-provider-azurerm/2.55.0/terraform-provider-azurerm_2.55.0_linux_amd64.zip
 ARG RANDOM_PROVIDER=https://releases.hashicorp.com/terraform-provider-random/3.1.0/terraform-provider-random_3.1.0_linux_amd64.zip
+ARG TIME_PROVIDER=https://releases.hashicorp.com/terraform-provider-time/0.7.1/terraform-provider-time_0.7.1_linux_amd64.zip
 RUN wget -O azurerm.zip ${AZURERM_PROVIDER} \
     && wget -O random.zip ${RANDOM_PROVIDER} \
+    && wget -O time.zip ${TIME_PROVIDER} \
     && mkdir -p ${AZURERM_LOCAL_PATH} \
     && mkdir -p ${RANDOM_LOCAL_PATH} \
+    && mkdir -p ${TIME_LOCAL_PATH} \
     && unzip azurerm.zip -d ${AZURERM_LOCAL_PATH} \
     && unzip random.zip -d ${RANDOM_LOCAL_PATH} \
+    && unzip time.zip -d ${TIME_LOCAL_PATH} \
     && rm azurerm.zip \
-    && rm random.zip
+    && rm random.zip \
+    && rm time.zip
 
 # Install the Microsoft package key
 RUN wget -q https://packages.microsoft.com/config/ubuntu/20.04/packages-microsoft-prod.deb -O packages-microsoft-prod.deb \

src/core/saca-hub/main.tf

@@ -33,6 +33,10 @@ provider "azurerm" {
 provider "random" {
 }
 
+provider "time" {
+  version = "0.7.1"
+}
+
 resource "azurerm_resource_group" "hub" {
   location = var.mlz_location
   name     = var.saca_rgname
@@ -43,13 +47,15 @@ resource "azurerm_resource_group" "hub" {
 }
 
 module "saca-hub-network" {
-  depends_on             = [azurerm_resource_group.hub]
-  source                 = "../../modules/hub"
-  location               = var.mlz_location
-  resource_group_name    = azurerm_resource_group.hub.name
-  vnet_name              = var.saca_vnetname
-  vnet_address_space     = var.vnet_address_space
-  firewall_address_space = var.firewall_address_space
+  depends_on               = [azurerm_resource_group.hub]
+  source                   = "../../modules/hub"
+  location                 = var.mlz_location
+  resource_group_name      = azurerm_resource_group.hub.name
+  vnet_name                = var.saca_vnetname
+  vnet_address_space       = var.vnet_address_space
+  client_address_space     = var.client_address_space
+  management_address_space = var.management_address_space
+  routetable_name          = var.management_routetable_name
 
   log_analytics_workspace_name              = var.saca_lawsname
   log_analytics_workspace_sku               = "PerGB2018"
@@ -66,18 +72,21 @@ locals {
 }
 
 module "saca-firewall" {
-  depends_on             = [module.saca-hub-network]
-  source                 = "../../modules/firewall"
-  location               = var.mlz_location
-  resource_group_name    = module.saca-hub-network.resource_group_name
-  vnet_name              = module.saca-hub-network.virtual_network_name
-  vnet_address_space     = module.saca-hub-network.virtual_network_address_space
-  firewall_sku           = contains(local.firewall_premium_tf_environments, lower(var.tf_environment)) ? "Premium" : "Standard"
-  firewall_subnet_name   = module.saca-hub-network.firewall_subnet_name
-  firewall_address_space = var.firewall_address_space
-  saca_fwname            = var.saca_fwname
-  firewall_ipconfig_name = var.firewall_ipconfig_name
-  public_ip_name         = var.public_ip_name
+  depends_on                      = [module.saca-hub-network]
+  source                          = "../../modules/firewall"
+  location                        = var.mlz_location
+  resource_group_name             = module.saca-hub-network.resource_group_name
+  vnet_name                       = module.saca-hub-network.virtual_network_name
+  vnet_address_space              = module.saca-hub-network.virtual_network_address_space
+  firewall_sku                    = contains(local.firewall_premium_tf_environments, lower(var.tf_environment)) ? "Premium" : "Standard"
+  firewall_client_subnet_name     = module.saca-hub-network.firewall_client_subnet_name
+  firewall_management_subnet_name = module.saca-hub-network.firewall_management_subnet_name
+  client_address_space            = var.client_address_space
+  firewall_name                   = var.firewall_name
+  client_ipconfig_name            = var.client_ipconfig_name
+  client_publicip_name            = var.client_publicip_name
+  management_ipconfig_name        = var.management_ipconfig_name
+  management_publicip_name        = var.management_publicip_name
 
   log_analytics_workspace_id = module.saca-hub-network.log_analytics_workspace_id
 

src/core/saca-hub/saca-hub.front.json

@@ -88,31 +88,59 @@
 				"options": []
 			},
 			{
-				"varname": "firewall_address_space",
+				"varname": "client_address_space",
 				"type": "text",
 				"default_val": "10.0.100.0/26",
-				"description": "Address space for the firewall",
+				"description": "Address space for the client subnet attached to firewall",
 				"options": []
 			},
 			{
-				"varname": "saca_fwname",
+				"varname": "management_address_space",
+				"type": "text",
+				"default_val": "10.0.100.64/26",
+				"description": "Address space for the management subnet attached to firewall",
+				"options": []
+			},
+			{
+				"varname": "firewall_name",
 				"type": "text",
 				"default_val": "DemoFirewall",
 				"description": "Saca Firewall Name",
 				"options": []
 			},
 			{
-				"varname": "firewall_ipconfig_name",
+				"varname": "client_ipconfig_name",
+				"type": "text",
+				"default_val": "FirewallClientIPConfiguration",
+				"description": "Name for the IP configuration for the firewall client subnet",
+				"options": []
+			},
+			{
+				"varname": "management_ipconfig_name",
+				"type": "text",
+				"default_val": "FirewallManagementIPConfiguration",
+				"description": "Name for the IP configuration for the firewall management subnet",
+				"options": []
+			},
+			{
+				"varname": "client_publicip_name",
+				"type": "text",
+				"default_val": "FirewallClientPublicIP",
+				"description": "Name for the Public IP attached to the firewall client subnet",
+				"options": []
+			},
+			{
+				"varname": "management_publicip_name",
 				"type": "text",
-				"default_val": "FirewallIPConfiguration",
-				"description": "Name for the firewall ipconfig",
+				"default_val": "FirewallManagementPublicIP",
+				"description": "Name for the Public IP attached to the firewall management subnet",
 				"options": []
 			},
 			{
-				"varname": "public_ip_name",
+				"varname": "management_routetable_name",
 				"type": "text",
-				"default_val": "FirewallPublicIP",
-				"description": "Name for the Public IP",
+				"default_val": "FirewallManagementRouteTable",
+				"description": "Name of the routing table that gets attached to the firewall management subnet",
 				"options": []
 			},
 			{

src/core/saca-hub/saca-hub.orig.tfvars.json

@@ -13,9 +13,13 @@
     "tier1_vnetname": "{TIER1_VNETNAME}",
     "tier2_rgname": "{TIER2_RGNAME}",
     "tier2_vnetname": "{TIER2_VNETNAME}",
-    "firewall_address_space": "{SACA_FWSPACE}",
-    "saca_fwname": "{SACA_FWNAME}",
-    "firewall_ipconfig_name": "{SACA_FWIPCONFIGNAME}",
-    "public_ip_name": "{SACA_FWPIPNAME}",
+    "client_address_space": "{FIREWALL_CLIENT_SPACE}",
+    "management_address_space": "{FIREWALL_MANAGEMENT_SPACE}",
+    "firewall_name": "{FIREWALL_NAME}",
+    "client_ipconfig_name": "{FIREWALL_CLIENT_IPCONFIG_NAME}",
+    "client_publicip_name": "{FIREWALL_CLIENT_PUBLICIP_NAME}",
+    "management_ipconfig_name": "{FIREWALL_MANAGEMENT_IPCONFIG_NAME}",
+    "management_publicip_name": "{FIREWALL_MANAGEMENT_PUBLICIP_NAME}",
+    "management_routetable_name": "{FIREWALL_MANAGEMENT_ROUTE_TABLE_NAME}",
     "create_network_watcher": false
 }

src/core/saca-hub/saca-hub.tfvars.sample

@@ -21,7 +21,11 @@ tier2_vnetname     = "{TIER2_VNETNAME}"
 # Firewall configuration section
 #################################
 
-firewall_address_space = "{SACA_FWSPACE}"
-saca_fwname          = "{SACA_FWNAME}"
-firewall_ipconfig_name = "{SACA_FWIPCONFIGNAME}"
-public_ip_name         = "{SACA_FWPIPNAME}"
+client_address_space       = "{FIREWALL_CLIENT_SPACE}"
+management_address_space   = "{FIREWALL_MANAGEMENT_SPACE}"
+firewall_name              = "{FIREWALL_NAME}"
+client_ipconfig_name       = "{FIREWALL_CLIENT_IPCONFIG_NAME}"
+client_publicip_name       = "{FIREWALL_CLIENT_PUBLICIP_NAME}"
+management_ipconfig_name   = "{FIREWALL_MANAGEMENT_IPCONFIG_NAME}"
+management_publicip_name   = "{FIREWALL_MANAGEMENT_PUBLICIP_NAME}"
+management_routetable_name = "{FIREWALL_MANAGEMENT_ROUTE_TABLE_NAME}"

src/core/saca-hub/variables.tf

@@ -65,25 +65,46 @@ variable "vnet_address_space" {
 # Firewall configuration section
 #################################
 
-variable "firewall_address_space" {
+variable "client_address_space" {
   description = "The address space to be used for the Firewall virtual network."
   default     = "10.0.100.0/26"
   type        = string
 }
 
-variable "saca_fwname" {
+variable "management_address_space" {
+  description = "The address space to be used for the Firewall virtual network subnet used for management traffic."
+  default     = "10.0.100.64/26"
+  type        = string
+}
+
+variable "firewall_name" {
   description = "Name of the Hub Firewall"
   default     = "mlzDemoFirewall"
 }
 
-variable "firewall_ipconfig_name" {
-  description = "The name of the Firewall IP Configuration"
-  default     = "mlzDemoFirewallIpConfiguration"
+variable "client_ipconfig_name" {
+  description = "The name of the Firewall Client IP Configuration"
+  default     = "mlzDemoFWClientIpCfg"
+}
+
+variable "client_publicip_name" {
+  description = "The name of the Firewall Client Public IP"
+  default     = "mlzDemoFWClientPip"
+}
+
+variable "management_ipconfig_name" {
+  description = "The name of the Firewall Management IP Configuration"
+  default     = "mlzDemoFWMgmtIpCfg"
+}
+
+variable "management_publicip_name" {
+  description = "The name of the Firewall Management Public IP"
+  default     = "mlzDemoFWMgmtPip"
 }
 
-variable "public_ip_name" {
-  description = "The name of the Firewall Public IP"
-  default     = "mlzDemoFirewallPip"
+variable "management_routetable_name" {
+  description = "The name of the route table applied to the management subnet"
+  default     = "mlzDemoFirewallMgmtRT"
 }
 
 variable "create_network_watcher" {

src/core/tier-0/main.tf

@@ -60,7 +60,7 @@ data "azurerm_log_analytics_workspace" "hub" {
 
 data "azurerm_firewall" "firewall" {
   provider            = azurerm.hub
-  name                = var.saca_fwname
+  name                = var.firewall_name
   resource_group_name = data.azurerm_resource_group.hub.name
 }
 

src/core/tier-0/tier-0.front.json

@@ -26,7 +26,7 @@
 				"options": []
 			},
 			{
-				"varname": "saca_fwname",
+				"varname": "firewall_name",
 				"type": "text",
 				"default_val": "DemoFirewall",
 				"description": "Saca Firewall Name",

src/core/tier-0/tier-0.orig.tfvars.json

@@ -3,7 +3,7 @@
   "saca_subid": "{SACA_SUBID}",
   "saca_rgname": "{SACA_RGNAME}",
   "saca_vnetname": "{SACA_VNETNAME}",
-  "saca_fwname": "{SACA_FWNAME}",
+  "firewall_name": "{firewall_name}",
   "saca_lawsname": "{SACA_LAWSNAME}",
   "tier0_subid": "{TIER0_SUBID}",
   "tier0_rgname": "{TIER0_RGNAME}",

src/core/tier-0/tier-0.tfvars.sample

@@ -8,7 +8,7 @@ deploymentname = "{TIER0_DEPLOYMENTNAME}"
 saca_subid     = "{SACA_SUBID}"
 saca_rgname    = "{SACA_RGNAME}"
 saca_vnetname  = "{SACA_VNETNAME}"
-saca_fwname    = "{SACA_FWNAME}"
+firewall_name    = "{firewall_name}"
 saca_lawsname  = "{SACA_LAWSNAME}"
 tier0_subid    = "{TIER0_SUBID}"
 tier0_rgname   = "{TIER0_RGNAME}"

src/core/tier-0/variables.tf

@@ -54,7 +54,7 @@ variable "saca_lawsname" {
   description = "Log Analytics Workspace name for the deployment"
 }
 
-variable "saca_fwname" {
+variable "firewall_name" {
   description = "Name of the Hub Firewall"
 }
 

src/core/tier-1/main.tf

@@ -60,7 +60,7 @@ data "azurerm_log_analytics_workspace" "hub" {
 
 data "azurerm_firewall" "firewall" {
   provider            = azurerm.hub
-  name                = var.saca_fwname
+  name                = var.firewall_name
   resource_group_name = data.azurerm_resource_group.hub.name
 }
 

src/core/tier-1/tier-1.front.json

@@ -26,7 +26,7 @@
 				"options": []
 			},
 			{
-				"varname": "saca_fwname",
+				"varname": "firewall_name",
 				"type": "text",
 				"default_val": "DemoFirewall",
 				"description": "Saca Firewall Name",

src/core/tier-1/tier-1.orig.tfvars.json

@@ -3,7 +3,7 @@
   "saca_subid": "{SACA_SUBID}",
   "saca_rgname": "{SACA_RGNAME}",
   "saca_vnetname": "{SACA_VNETNAME}",
-  "saca_fwname": "{SACA_FWNAME}",
+  "firewall_name": "{firewall_name}",
   "saca_lawsname": "{SACA_LAWSNAME}",
   "tier1_subid": "{TIER1_SUBID}",
   "tier1_rgname": "{TIER1_RGNAME}",

src/core/tier-1/tier-1.tfvars.sample

@@ -8,7 +8,7 @@ deploymentname = "{TIER1_DEPLOYMENTNAME}"
 saca_subid     = "{SACA_SUBID}"
 saca_rgname    = "{SACA_RGNAME}"
 saca_vnetname  = "{SACA_VNETNAME}"
-saca_fwname    = "{SACA_FWNAME}"
+firewall_name    = "{firewall_name}"
 saca_lawsname  = "{SACA_LAWSNAME}"
 tier1_subid    = "{TIER1_SUBID}"
 tier1_rgname   = "{TIER1_RGNAME}"

src/core/tier-1/variables.tf

@@ -54,7 +54,7 @@ variable "saca_lawsname" {
   description = "Log Analytics Workspace name for the deployment"
 }
 
-variable "saca_fwname" {
+variable "firewall_name" {
   description = "Name of the Hub Firewall"
 }
 

src/core/tier-2/main.tf

@@ -60,7 +60,7 @@ data "azurerm_log_analytics_workspace" "hub" {
 
 data "azurerm_firewall" "firewall" {
   provider            = azurerm.hub
-  name                = var.saca_fwname
+  name                = var.firewall_name
   resource_group_name = data.azurerm_resource_group.hub.name
 }
 

src/core/tier-2/tier-2.front.json

@@ -26,7 +26,7 @@
 				"options": []
 			},
 			{
-				"varname": "saca_fwname",
+				"varname": "firewall_name",
 				"type": "text",
 				"default_val": "DemoFirewall",
 				"description": "Saca Firewall Name",

src/core/tier-2/tier-2.orig.tfvars.json

@@ -3,7 +3,7 @@
   "saca_subid":"{SACA_SUBID}",
   "saca_rgname":"{SACA_RGNAME}",
   "saca_vnetname":"{SACA_VNETNAME}",
-  "saca_fwname":"{SACA_FWNAME}",
+  "firewall_name":"{firewall_name}",
   "saca_lawsname":"{SACA_LAWSNAME}",
   "tier2_subid":"{TIER2_SUBID}",
   "tier2_rgname":"{TIER2_RGNAME}",

src/core/tier-2/tier-2.tfvars.sample

@@ -8,7 +8,7 @@ deploymentname = "{TIER2_DEPLOYMENTNAME}"
 saca_subid     = "{SACA_SUBID}"
 saca_rgname    = "{SACA_RGNAME}"
 saca_vnetname  = "{SACA_VENTNAME}"
-saca_fwname    = "{SACA_FWNAME}"
+firewall_name    = "{firewall_name}"
 saca_lawsname  = "{SACA_LAWSNAME}"
 tier2_subid    = "{TIER2_SUBID}"
 tier2_rgname   = "{TIER2_RGNAME}"

src/core/tier-2/variables.tf

@@ -54,7 +54,7 @@ variable "saca_lawsname" {
   description = "Log Analytics Workspace name for the deployment"
 }
 
-variable "saca_fwname" {
+variable "firewall_name" {
   description = "Name of the Hub Firewall"
 }