Added firewall policy. Issue #119

src/core/saca-hub/main.tf

@@ -101,6 +101,7 @@ module "saca-firewall" {
   firewall_management_subnet_name = module.saca-hub-network.firewall_management_subnet_name
   client_address_space            = var.client_address_space
   firewall_name                   = var.firewall_name
+  firewall_policy_name            = var.firewall_policy_name
   client_ipconfig_name            = var.client_ipconfig_name
   client_publicip_name            = var.client_publicip_name
   management_ipconfig_name        = var.management_ipconfig_name

src/core/saca-hub/saca-hub.front.json

@@ -108,6 +108,13 @@
 				"description": "Saca Firewall Name",
 				"options": []
 			},
+			{
+				"varname": "firewall_policy_name",
+				"type": "text",
+				"default_val": "firewallpolicy",
+				"description": "Name of the firewall policy to apply to the hub firewall",
+				"options": []
+			},
 			{
 				"varname": "client_ipconfig_name",
 				"type": "text",

src/core/saca-hub/saca-hub.orig.tfvars.json

@@ -16,6 +16,7 @@
     "client_address_space": "{FIREWALL_CLIENT_SPACE}",
     "management_address_space": "{FIREWALL_MANAGEMENT_SPACE}",
     "firewall_name": "{FIREWALL_NAME}",
+    "firewall_policy_name": "{FIREWALL_POLICY_NAME}",
     "client_ipconfig_name": "{FIREWALL_CLIENT_IPCONFIG_NAME}",
     "client_publicip_name": "{FIREWALL_CLIENT_PUBLICIP_NAME}",
     "management_ipconfig_name": "{FIREWALL_MANAGEMENT_IPCONFIG_NAME}",

src/core/saca-hub/saca-hub.tfvars.sample

@@ -24,6 +24,7 @@ tier2_vnetname     = "{TIER2_VNETNAME}"
 client_address_space       = "{FIREWALL_CLIENT_SPACE}"
 management_address_space   = "{FIREWALL_MANAGEMENT_SPACE}"
 firewall_name              = "{FIREWALL_NAME}"
+firewall_policy_name       = "{FIREWALL_POLICY_NAME}"
 client_ipconfig_name       = "{FIREWALL_CLIENT_IPCONFIG_NAME}"
 client_publicip_name       = "{FIREWALL_CLIENT_PUBLICIP_NAME}"
 management_ipconfig_name   = "{FIREWALL_MANAGEMENT_IPCONFIG_NAME}"

src/core/saca-hub/variables.tf

@@ -86,6 +86,11 @@ variable "firewall_name" {
   default     = "mlzDemoFirewall"
 }
 
+variable "firewall_policy_name" {
+  description = "Name of the firewall policy to apply to the hub firewall"
+  default     = "firewallpolicy"
+}
+
 variable "client_ipconfig_name" {
   description = "The name of the Firewall Client IP Configuration"
   default     = "mlzDemoFWClientIpCfg"

src/modules/firewall/main.tf

@@ -39,12 +39,21 @@ resource "azurerm_public_ip" "fw_mgmt_pip" {
   tags                = var.tags
 }
 
+resource "azurerm_firewall_policy" "firewallpolicy" {
+  name                     = var.firewall_policy_name
+  resource_group_name      = data.azurerm_resource_group.hub.name
+  location                 = data.azurerm_resource_group.hub.location
+  sku                      = var.firewall_sku
+  threat_intelligence_mode = "Alert"
+}
+
 resource "azurerm_firewall" "firewall" {
   name                = var.firewall_name
   location            = data.azurerm_resource_group.hub.location
   resource_group_name = data.azurerm_resource_group.hub.name
   sku_tier            = var.firewall_sku
   private_ip_ranges   = var.disable_snat_ip_range
+  firewall_policy_id  = azurerm_firewall_policy.firewallpolicy.id
   tags                = var.tags
 
   ip_configuration {

src/modules/firewall/variables.tf

@@ -36,6 +36,10 @@ variable "firewall_name" {
   description = "The name of the Firewall"
 }
 
+variable "firewall_policy_name" {
+  description = "The name of the firewall policy"
+}
+
 variable "client_ipconfig_name" {
   description = "The name of the Firewall Client IP Configuration"
 }

src/scripts/terraform/create_globals_from_config.sh

@@ -70,4 +70,5 @@ append_kvp "saca_subid" "${mlz_saca_subid}"
 append_kvp "saca_rgname" "rg-saca-${mlz_env_name}"
 append_kvp "saca_vnetname" "vn-saca-${mlz_env_name}"
 append_kvp "firewall_name" "Firewall${mlz_env_name}"
+append_kvp "firewall_policy_name" "firewallpolicy${mlz_env_name}"
 append_kvp "saca_lawsname" "laws-${mlz_env_name}"