diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile
index ad3076d54..6158300aa 100644
--- a/.devcontainer/Dockerfile
+++ b/.devcontainer/Dockerfile
@@ -42,16 +42,22 @@ RUN wget -O terraform.zip https://releases.hashicorp.com/terraform/0.13.4/terraf
 ENV TF_PLUGIN_CACHE_DIR=/usr/lib/tf-plugins
 ARG AZURERM_LOCAL_PATH="${TF_PLUGIN_CACHE_DIR}/registry.terraform.io/hashicorp/azurerm/2.55.0/linux_amd64"
 ARG RANDOM_LOCAL_PATH="${TF_PLUGIN_CACHE_DIR}/registry.terraform.io/hashicorp/random/3.1.0/linux_amd64"
+ARG TIME_LOCAL_PATH="${TF_PLUGIN_CACHE_DIR}/registry.terraform.io/hashicorp/time/0.7.1/linux_amd64"
 ARG AZURERM_PROVIDER=https://releases.hashicorp.com/terraform-provider-azurerm/2.55.0/terraform-provider-azurerm_2.55.0_linux_amd64.zip
 ARG RANDOM_PROVIDER=https://releases.hashicorp.com/terraform-provider-random/3.1.0/terraform-provider-random_3.1.0_linux_amd64.zip
+ARG TIME_PROVIDER=https://releases.hashicorp.com/terraform-provider-time/0.7.1/terraform-provider-time_0.7.1_linux_amd64.zip
 RUN wget -O azurerm.zip ${AZURERM_PROVIDER} \
 && wget -O random.zip ${RANDOM_PROVIDER} \
+ && wget -O time.zip ${TIME_PROVIDER} \
 && mkdir -p ${AZURERM_LOCAL_PATH} \
 && mkdir -p ${RANDOM_LOCAL_PATH} \
+ && mkdir -p ${TIME_LOCAL_PATH} \
 && unzip azurerm.zip -d ${AZURERM_LOCAL_PATH} \
 && unzip random.zip -d ${RANDOM_LOCAL_PATH} \
+ && unzip time.zip -d ${TIME_LOCAL_PATH} \
 && rm azurerm.zip \
- && rm random.zip
+ && rm random.zip \
+ && rm time.zip
 
 # Install the Microsoft package key
 RUN wget -q https://packages.microsoft.com/config/ubuntu/20.04/packages-microsoft-prod.deb -O packages-microsoft-prod.deb \
diff --git a/src/core/saca-hub/main.tf b/src/core/saca-hub/main.tf
index e53aed3cf..fd007f733 100644
--- a/src/core/saca-hub/main.tf
+++ b/src/core/saca-hub/main.tf
@@ -33,6 +33,10 @@ provider "azurerm" {
 provider "random" {
 }
 
+provider "time" {
+ version = "0.7.1"
+}
+
 resource "azurerm_resource_group" "hub" {
 location = var.mlz_location
 name = var.saca_rgname
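Review bot: `&& wget -O time.zip ${TIME_PROVIDER} \` fetches a third provider binary into the shared plugin cache with no integrity check, extending the pattern the azurerm and random downloads on the same RUN line already follow, so a substituted or tampered release would be unzipped and trusted by every Terraform run in the container. HashiCorp publishes a `_SHA256SUMS` file next to each provider zip; download it as well and verify with `sha256sum -c` (or compare against a digest pinned in a build ARG) before the `unzip` steps. Separately, `${TIME_PROVIDER}` and `${TIME_LOCAL_PATH}` are expanded unquoted in the shell RUN line, which matches the surrounding style but is worth quoting.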
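Review bot: The added `provider "time" { version = "0.7.1" }` pins the provider through the `version` argument of the provider block, which Terraform 0.13 (the version the Dockerfile hunk installs) still accepts but marks deprecated; the constraint and source belong in `required_providers`. Since the `time_sleep` resource is declared in the hub module rather than in this root module, that module should also declare `hashicorp/time` in its own `required_providers`, otherwise it relies on implicit provider inference. The provider block can then be dropped, as `time` takes no configuration. If this file already has a `terraform { required_providers { ... } }` block outside the hunk, add the `time` entry there instead of the block below.
```hcl
terraform {
  required_providers {
    time = {
      source  = "hashicorp/time"
      version = "0.7.1"
    }
  }
}
```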
@@ -43,13 +47,15 @@ resource "azurerm_resource_group" "hub" {
 }
 
 module "saca-hub-network" {
- depends_on = [azurerm_resource_group.hub]
- source = "../../modules/hub"
- location = var.mlz_location
- resource_group_name = azurerm_resource_group.hub.name
- vnet_name = var.saca_vnetname
- vnet_address_space = var.vnet_address_space
- firewall_address_space = var.firewall_address_space
+ depends_on = [azurerm_resource_group.hub]
+ source = "../../modules/hub"
+ location = var.mlz_location
+ resource_group_name = azurerm_resource_group.hub.name
+ vnet_name = var.saca_vnetname
+ vnet_address_space = var.vnet_address_space
+ client_address_space = var.client_address_space
+ management_address_space = var.management_address_space
+ routetable_name = var.management_routetable_name
 log_analytics_workspace_name = var.saca_lawsname
 log_analytics_workspace_sku = "PerGB2018"
@@ -66,18 +72,21 @@ locals {
 }
 
 module "saca-firewall" {
- depends_on = [module.saca-hub-network]
- source = "../../modules/firewall"
- location = var.mlz_location
- resource_group_name = module.saca-hub-network.resource_group_name
- vnet_name = module.saca-hub-network.virtual_network_name
- vnet_address_space = module.saca-hub-network.virtual_network_address_space
- firewall_sku = contains(local.firewall_premium_tf_environments, lower(var.tf_environment)) ? "Premium" : "Standard"
- firewall_subnet_name = module.saca-hub-network.firewall_subnet_name
- firewall_address_space = var.firewall_address_space
- saca_fwname = var.saca_fwname
- firewall_ipconfig_name = var.firewall_ipconfig_name
- public_ip_name = var.public_ip_name
+ depends_on = [module.saca-hub-network]
+ source = "../../modules/firewall"
+ location = var.mlz_location
+ resource_group_name = module.saca-hub-network.resource_group_name
+ vnet_name = module.saca-hub-network.virtual_network_name
+ vnet_address_space = module.saca-hub-network.virtual_network_address_space
+ firewall_sku = contains(local.firewall_premium_tf_environments, lower(var.tf_environment)) ? "Premium" : "Standard"
+ firewall_client_subnet_name = module.saca-hub-network.firewall_client_subnet_name
+ firewall_management_subnet_name = module.saca-hub-network.firewall_management_subnet_name
+ client_address_space = var.client_address_space
+ firewall_name = var.firewall_name
+ client_ipconfig_name = var.client_ipconfig_name
+ client_publicip_name = var.client_publicip_name
+ management_ipconfig_name = var.management_ipconfig_name
+ management_publicip_name = var.management_publicip_name
 log_analytics_workspace_id = module.saca-hub-network.log_analytics_workspace_id
diff --git a/src/core/saca-hub/saca-hub.front.json b/src/core/saca-hub/saca-hub.front.json
index d9eb8a33b..bd62ce371 100644
--- a/src/core/saca-hub/saca-hub.front.json
+++ b/src/core/saca-hub/saca-hub.front.json
@@ -88,31 +88,59 @@
 "options": []
 },
 {
- "varname": "firewall_address_space",
+ "varname": "client_address_space",
 "type": "text",
 "default_val": "10.0.100.0/26",
- "description": "Address space for the firewall",
+ "description": "Address space for the client subnet attached to firewall",
 "options": []
 },
 {
- "varname": "saca_fwname",
+ "varname": "management_address_space",
+ "type": "text",
+ "default_val": "10.0.100.64/26",
+ "description": "Address space for the management subnet attached to firewall",
+ "options": []
+ },
+ {
+ "varname": "firewall_name",
 "type": "text",
 "default_val": "DemoFirewall",
 "description": "Saca Firewall Name",
 "options": []
 },
 {
- "varname": "firewall_ipconfig_name",
+ "varname": "client_ipconfig_name",
+ "type": "text",
+ "default_val": "FirewallClientIPConfiguration",
+ "description": "Name for the IP configuration for the firewall client subnet",
+ "options": []
+ },
+ {
+ "varname": "management_ipconfig_name",
+ "type": "text",
+ "default_val": "FirewallManagementIPConfiguration",
+ "description": "Name for the IP configuration for the firewall management subnet",
+ "options": []
+ },
+ {
+ "varname": "client_publicip_name",
+ "type": "text",
+ "default_val": "FirewallClientPublicIP",
+ "description": "Name for the Public IP attached to the firewall client subnet",
+ "options": []
+ },
+ {
+ "varname": "management_publicip_name",
 "type": "text",
- "default_val": "FirewallIPConfiguration",
- "description": "Name for the firewall ipconfig",
+ "default_val": "FirewallManagementPublicIP",
+ "description": "Name for the Public IP attached to the firewall management subnet",
 "options": []
 },
 {
- "varname": "public_ip_name",
+ "varname": "management_routetable_name",
 "type": "text",
- "default_val": "FirewallPublicIP",
- "description": "Name for the Public IP",
+ "default_val": "FirewallManagementRouteTable",
+ "description": "Name of the routing table that gets attached to the firewall management subnet",
 "options": []
 },
 {
diff --git a/src/core/saca-hub/saca-hub.orig.tfvars.json b/src/core/saca-hub/saca-hub.orig.tfvars.json
index 25bc9ef52..6411d0694 100644
--- a/src/core/saca-hub/saca-hub.orig.tfvars.json
+++ b/src/core/saca-hub/saca-hub.orig.tfvars.json
@@ -13,9 +13,13 @@
 "tier1_vnetname": "{TIER1_VNETNAME}",
 "tier2_rgname": "{TIER2_RGNAME}",
 "tier2_vnetname": "{TIER2_VNETNAME}",
- "firewall_address_space": "{SACA_FWSPACE}",
- "saca_fwname": "{SACA_FWNAME}",
- "firewall_ipconfig_name": "{SACA_FWIPCONFIGNAME}",
- "public_ip_name": "{SACA_FWPIPNAME}",
+ "client_address_space": "{FIREWALL_CLIENT_SPACE}",
+ "management_address_space": "{FIREWALL_MANAGEMENT_SPACE}",
+ "firewall_name": "{FIREWALL_NAME}",
+ "client_ipconfig_name": "{FIREWALL_CLIENT_IPCONFIG_NAME}",
+ "client_publicip_name": "{FIREWALL_CLIENT_PUBLICIP_NAME}",
+ "management_ipconfig_name": "{FIREWALL_MANAGEMENT_IPCONFIG_NAME}",
+ "management_publicip_name": "{FIREWALL_MANAGEMENT_PUBLICIP_NAME}",
+ "management_routetable_name": "{FIREWALL_MANAGEMENT_ROUTE_TABLE_NAME}",
 "create_network_watcher": false
 }
\ No newline at end of file
diff --git a/src/core/saca-hub/saca-hub.tfvars.sample b/src/core/saca-hub/saca-hub.tfvars.sample
index e3be19f9a..49a9ea52b 100644
--- a/src/core/saca-hub/saca-hub.tfvars.sample
+++ b/src/core/saca-hub/saca-hub.tfvars.sample
@@ -21,7 +21,11 @@ tier2_vnetname = "{TIER2_VNETNAME}"
 # Firewall configuration section
 #################################
-firewall_address_space = "{SACA_FWSPACE}"
-saca_fwname = "{SACA_FWNAME}"
-firewall_ipconfig_name = "{SACA_FWIPCONFIGNAME}"
-public_ip_name = "{SACA_FWPIPNAME}"
\ No newline at end of file
+client_address_space = "{FIREWALL_CLIENT_SPACE}"
+management_address_space = "{FIREWALL_MANAGEMENT_SPACE}"
+firewall_name = "{FIREWALL_NAME}"
+client_ipconfig_name = "{FIREWALL_CLIENT_IPCONFIG_NAME}"
+client_publicip_name = "{FIREWALL_CLIENT_PUBLICIP_NAME}"
+management_ipconfig_name = "{FIREWALL_MANAGEMENT_IPCONFIG_NAME}"
+management_publicip_name = "{FIREWALL_MANAGEMENT_PUBLICIP_NAME}"
+management_routetable_name = "{FIREWALL_MANAGEMENT_ROUTE_TABLE_NAME}"
diff --git a/src/core/saca-hub/variables.tf b/src/core/saca-hub/variables.tf
index e867a9d70..7e0bbd0d6 100644
--- a/src/core/saca-hub/variables.tf
+++ b/src/core/saca-hub/variables.tf
@@ -65,25 +65,46 @@ variable "vnet_address_space" {
 # Firewall configuration section
 #################################
-variable "firewall_address_space" {
+variable "client_address_space" {
 description = "The address space to be used for the Firewall virtual network."
 default = "10.0.100.0/26"
 type = string
 }
 
-variable "saca_fwname" {
+variable "management_address_space" {
+ description = "The address space to be used for the Firewall virtual network subnet used for management traffic."
+ default = "10.0.100.64/26"
+ type = string
+}
+
+variable "firewall_name" {
 description = "Name of the Hub Firewall"
 default = "mlzDemoFirewall"
 }
 
-variable "firewall_ipconfig_name" {
- description = "The name of the Firewall IP Configuration"
- default = "mlzDemoFirewallIpConfiguration"
+variable "client_ipconfig_name" {
+ description = "The name of the Firewall Client IP Configuration"
+ default = "mlzDemoFWClientIpCfg"
+}
+
+variable "client_publicip_name" {
+ description = "The name of the Firewall Client Public IP"
+ default = "mlzDemoFWClientPip"
+}
+
+variable "management_ipconfig_name" {
+ description = "The name of the Firewall Management IP Configuration"
+ default = "mlzDemoFWMgmtIpCfg"
+}
+
+variable "management_publicip_name" {
+ description = "The name of the Firewall Management Public IP"
+ default = "mlzDemoFWMgmtPip"
 }
 
-variable "public_ip_name" {
- description = "The name of the Firewall Public IP"
- default = "mlzDemoFirewallPip"
+variable "management_routetable_name" {
+ description = "The name of the route table applied to the management subnet"
+ default = "mlzDemoFirewallMgmtRT"
 }
 
 variable "create_network_watcher" {
diff --git a/src/core/tier-0/main.tf b/src/core/tier-0/main.tf
index 230c5c6a4..5801912f5 100644
--- a/src/core/tier-0/main.tf
+++ b/src/core/tier-0/main.tf
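Review bot: The renamed `variable "client_address_space"` keeps the old text `description = "The address space to be used for the Firewall virtual network."`, which is now misleading twice over: it names the whole virtual network and does not say which of the two firewall subnets it covers, while the neighbouring `management_address_space` description does. Change it to `description = "The address space to be used for the Firewall virtual network subnet used for client traffic."`, matching the wording the hub module's variables.tf uses for the same variable in this commit.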
@@ -60,7 +60,7 @@ data "azurerm_log_analytics_workspace" "hub" {
 data "azurerm_firewall" "firewall" {
 provider = azurerm.hub
- name = var.saca_fwname
+ name = var.firewall_name
 resource_group_name = data.azurerm_resource_group.hub.name
 }
diff --git a/src/core/tier-0/tier-0.front.json b/src/core/tier-0/tier-0.front.json
index a888d64f9..1add9f595 100644
--- a/src/core/tier-0/tier-0.front.json
+++ b/src/core/tier-0/tier-0.front.json
@@ -26,7 +26,7 @@
 "options": []
 },
 {
- "varname": "saca_fwname",
+ "varname": "firewall_name",
 "type": "text",
 "default_val": "DemoFirewall",
 "description": "Saca Firewall Name",
diff --git a/src/core/tier-0/tier-0.orig.tfvars.json b/src/core/tier-0/tier-0.orig.tfvars.json
index 847c59df1..da9a60165 100644
--- a/src/core/tier-0/tier-0.orig.tfvars.json
+++ b/src/core/tier-0/tier-0.orig.tfvars.json
@@ -3,7 +3,7 @@
 "saca_subid": "{SACA_SUBID}",
 "saca_rgname": "{SACA_RGNAME}",
 "saca_vnetname": "{SACA_VNETNAME}",
- "saca_fwname": "{SACA_FWNAME}",
+ "firewall_name": "{firewall_name}",
 "saca_lawsname": "{SACA_LAWSNAME}",
 "tier0_subid": "{TIER0_SUBID}",
 "tier0_rgname": "{TIER0_RGNAME}",
diff --git a/src/core/tier-0/tier-0.tfvars.sample b/src/core/tier-0/tier-0.tfvars.sample
index fc308be93..d42e26321 100644
--- a/src/core/tier-0/tier-0.tfvars.sample
+++ b/src/core/tier-0/tier-0.tfvars.sample
@@ -8,7 +8,7 @@ deploymentname = "{TIER0_DEPLOYMENTNAME}"
 saca_subid = "{SACA_SUBID}"
 saca_rgname = "{SACA_RGNAME}"
 saca_vnetname = "{SACA_VNETNAME}"
-saca_fwname = "{SACA_FWNAME}"
+firewall_name = "{firewall_name}"
 saca_lawsname = "{SACA_LAWSNAME}"
 tier0_subid = "{TIER0_SUBID}"
 tier0_rgname = "{TIER0_RGNAME}"
diff --git a/src/core/tier-0/variables.tf b/src/core/tier-0/variables.tf
index 677d69ddd..69fb2a221 100644
--- a/src/core/tier-0/variables.tf
+++ b/src/core/tier-0/variables.tf
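Review bot: The new placeholder `"firewall_name": "{firewall_name}"` in tier-0.orig.tfvars.json (and `firewall_name = "{firewall_name}"` in tier-0.tfvars.sample) breaks the file's convention of uppercase tokens such as `{SACA_SUBID}`, and it differs from the `{FIREWALL_NAME}` token the saca-hub tfvars in this same commit use for the identical value. If these templates are filled by a substitution step keyed on the token text, the hub and the tiers would no longer receive the same firewall name, so `{FIREWALL_NAME}` should be used here as well. The same lowercase token appears in the tier-1 and tier-2 orig.tfvars.json and tfvars.sample hunks further down.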
@@ -54,7 +54,7 @@ variable "saca_lawsname" {
 description = "Log Analytics Workspace name for the deployment"
 }
 
-variable "saca_fwname" {
+variable "firewall_name" {
 description = "Name of the Hub Firewall"
 }
diff --git a/src/core/tier-1/main.tf b/src/core/tier-1/main.tf
index cffbce307..5bb270dc5 100644
--- a/src/core/tier-1/main.tf
+++ b/src/core/tier-1/main.tf
@@ -60,7 +60,7 @@ data "azurerm_log_analytics_workspace" "hub" {
 data "azurerm_firewall" "firewall" {
 provider = azurerm.hub
- name = var.saca_fwname
+ name = var.firewall_name
 resource_group_name = data.azurerm_resource_group.hub.name
 }
diff --git a/src/core/tier-1/tier-1.front.json b/src/core/tier-1/tier-1.front.json
index 1ff473e2a..af64190d8 100644
--- a/src/core/tier-1/tier-1.front.json
+++ b/src/core/tier-1/tier-1.front.json
@@ -26,7 +26,7 @@
 "options": []
 },
 {
- "varname": "saca_fwname",
+ "varname": "firewall_name",
 "type": "text",
 "default_val": "DemoFirewall",
 "description": "Saca Firewall Name",
diff --git a/src/core/tier-1/tier-1.orig.tfvars.json b/src/core/tier-1/tier-1.orig.tfvars.json
index 852dd8711..cb437d86c 100644
--- a/src/core/tier-1/tier-1.orig.tfvars.json
+++ b/src/core/tier-1/tier-1.orig.tfvars.json
@@ -3,7 +3,7 @@
 "saca_subid": "{SACA_SUBID}",
 "saca_rgname": "{SACA_RGNAME}",
 "saca_vnetname": "{SACA_VNETNAME}",
- "saca_fwname": "{SACA_FWNAME}",
+ "firewall_name": "{firewall_name}",
 "saca_lawsname": "{SACA_LAWSNAME}",
 "tier1_subid": "{TIER1_SUBID}",
 "tier1_rgname": "{TIER1_RGNAME}",
diff --git a/src/core/tier-1/tier-1.tfvars.sample b/src/core/tier-1/tier-1.tfvars.sample
index 5b16a744c..bace698ee 100644
--- a/src/core/tier-1/tier-1.tfvars.sample
+++ b/src/core/tier-1/tier-1.tfvars.sample
@@ -8,7 +8,7 @@ deploymentname = "{TIER1_DEPLOYMENTNAME}"
 saca_subid = "{SACA_SUBID}"
 saca_rgname = "{SACA_RGNAME}"
 saca_vnetname = "{SACA_VNETNAME}"
-saca_fwname = "{SACA_FWNAME}"
+firewall_name = "{firewall_name}"
 saca_lawsname = "{SACA_LAWSNAME}"
 tier1_subid = "{TIER1_SUBID}"
 tier1_rgname = "{TIER1_RGNAME}"
diff --git a/src/core/tier-1/variables.tf b/src/core/tier-1/variables.tf
index 3b0464d32..059bcb128 100644
--- a/src/core/tier-1/variables.tf
+++ b/src/core/tier-1/variables.tf
@@ -54,7 +54,7 @@ variable "saca_lawsname" {
 description = "Log Analytics Workspace name for the deployment"
 }
 
-variable "saca_fwname" {
+variable "firewall_name" {
 description = "Name of the Hub Firewall"
 }
diff --git a/src/core/tier-2/main.tf b/src/core/tier-2/main.tf
index e66a3784b..8b468b9dc 100644
--- a/src/core/tier-2/main.tf
+++ b/src/core/tier-2/main.tf
@@ -60,7 +60,7 @@ data "azurerm_log_analytics_workspace" "hub" {
 data "azurerm_firewall" "firewall" {
 provider = azurerm.hub
- name = var.saca_fwname
+ name = var.firewall_name
 resource_group_name = data.azurerm_resource_group.hub.name
 }
diff --git a/src/core/tier-2/tier-2.front.json b/src/core/tier-2/tier-2.front.json
index 62cd0b0d4..9ee893e6d 100644
--- a/src/core/tier-2/tier-2.front.json
+++ b/src/core/tier-2/tier-2.front.json
@@ -26,7 +26,7 @@
 "options": []
 },
 {
- "varname": "saca_fwname",
+ "varname": "firewall_name",
 "type": "text",
 "default_val": "DemoFirewall",
 "description": "Saca Firewall Name",
diff --git a/src/core/tier-2/tier-2.orig.tfvars.json b/src/core/tier-2/tier-2.orig.tfvars.json
index 2c8a37077..e1bd3ea7b 100644
--- a/src/core/tier-2/tier-2.orig.tfvars.json
+++ b/src/core/tier-2/tier-2.orig.tfvars.json
@@ -3,7 +3,7 @@
 "saca_subid":"{SACA_SUBID}",
 "saca_rgname":"{SACA_RGNAME}",
 "saca_vnetname":"{SACA_VNETNAME}",
- "saca_fwname":"{SACA_FWNAME}",
+ "firewall_name":"{firewall_name}",
 "saca_lawsname":"{SACA_LAWSNAME}",
 "tier2_subid":"{TIER2_SUBID}",
 "tier2_rgname":"{TIER2_RGNAME}",
diff --git a/src/core/tier-2/tier-2.tfvars.sample b/src/core/tier-2/tier-2.tfvars.sample
index d9a45d789..2b588052c 100644
--- a/src/core/tier-2/tier-2.tfvars.sample
+++ b/src/core/tier-2/tier-2.tfvars.sample
@@ -8,7 +8,7 @@ deploymentname = "{TIER2_DEPLOYMENTNAME}"
 saca_subid = "{SACA_SUBID}"
 saca_rgname = "{SACA_RGNAME}"
 saca_vnetname = "{SACA_VENTNAME}"
-saca_fwname = "{SACA_FWNAME}"
+firewall_name = "{firewall_name}"
 saca_lawsname = "{SACA_LAWSNAME}"
 tier2_subid = "{TIER2_SUBID}"
 tier2_rgname = "{TIER2_RGNAME}"
diff --git a/src/core/tier-2/variables.tf b/src/core/tier-2/variables.tf
index 2b05521cc..f8917f8e7 100644
--- a/src/core/tier-2/variables.tf
+++ b/src/core/tier-2/variables.tf
@@ -54,7 +54,7 @@ variable "saca_lawsname" {
 description = "Log Analytics Workspace name for the deployment"
 }
 
-variable "saca_fwname" {
+variable "firewall_name" {
 description = "Name of the Hub Firewall"
 }
diff --git a/src/modules/firewall/main.tf b/src/modules/firewall/main.tf
index dff3ff2d3..aa5712cd1 100644
--- a/src/modules/firewall/main.tf
+++ b/src/modules/firewall/main.tf
@@ -9,14 +9,29 @@ data "azurerm_virtual_network" "hub" {
 resource_group_name = data.azurerm_resource_group.hub.name
 }
 
-data "azurerm_subnet" "firewall" {
- name = var.firewall_subnet_name
+data "azurerm_subnet" "fw_client_sn" {
+ name = var.firewall_client_subnet_name
 virtual_network_name = data.azurerm_virtual_network.hub.name
 resource_group_name = data.azurerm_resource_group.hub.name
 }
 
-resource "azurerm_public_ip" "firewall" {
- name = var.public_ip_name
+data "azurerm_subnet" "fw_mgmt_sn" {
+ name = var.firewall_management_subnet_name
+ virtual_network_name = data.azurerm_virtual_network.hub.name
+ resource_group_name = data.azurerm_resource_group.hub.name
+}
+
+resource "azurerm_public_ip" "fw_client_pip" {
+ name = var.client_publicip_name
+ location = data.azurerm_resource_group.hub.location
+ resource_group_name = data.azurerm_resource_group.hub.name
+ allocation_method = "Static"
+ sku = "Standard"
+ tags = var.tags
+}
+
+resource "azurerm_public_ip" "fw_mgmt_pip" {
+ name = var.management_publicip_name
 location = data.azurerm_resource_group.hub.location
 resource_group_name = data.azurerm_resource_group.hub.name
 allocation_method = "Static"
@@ -25,7 +40,7 @@ resource "azurerm_public_ip" "firewall" {
 }
 
 resource "azurerm_firewall" "firewall" {
- name = var.saca_fwname
+ name = var.firewall_name
 location = data.azurerm_resource_group.hub.location
 resource_group_name = data.azurerm_resource_group.hub.name
 sku_tier = var.firewall_sku
@@ -33,9 +48,15 @@ resource "azurerm_firewall" "firewall" {
 tags = var.tags
 
 ip_configuration {
- name = var.firewall_ipconfig_name
- subnet_id = data.azurerm_subnet.firewall.id
- public_ip_address_id = azurerm_public_ip.firewall.id
+ name = var.client_ipconfig_name
+ subnet_id = data.azurerm_subnet.fw_client_sn.id
+ public_ip_address_id = azurerm_public_ip.fw_client_pip.id
+ }
+
+ management_ip_configuration {
+ name = var.management_ipconfig_name
+ subnet_id = data.azurerm_subnet.fw_mgmt_sn.id
+ public_ip_address_id = azurerm_public_ip.fw_mgmt_pip.id
 }
 }
@@ -86,8 +107,8 @@ resource "azurerm_monitor_diagnostic_setting" "firewall-diagnostics" {
 }
 
 resource "azurerm_monitor_diagnostic_setting" "publicip-diagnostics" {
- name = "${azurerm_public_ip.firewall.name}-pip-diagnostics"
- target_resource_id = azurerm_public_ip.firewall.id
+ name = "${azurerm_public_ip.fw_client_pip.name}-pip-diagnostics"
+ target_resource_id = azurerm_public_ip.fw_client_pip.id
 storage_account_id = azurerm_storage_account.loganalytics.id
 log_analytics_workspace_id = var.log_analytics_workspace_id
diff --git a/src/modules/firewall/variables.tf b/src/modules/firewall/variables.tf
index 9a28c9713..86579ab9e 100644
--- a/src/modules/firewall/variables.tf
+++ b/src/modules/firewall/variables.tf
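Review bot: `publicip-diagnostics` still covers a single address: after the rename it targets `azurerm_public_ip.fw_client_pip`, so the new `fw_mgmt_pip` introduced earlier in this file has no diagnostic setting and its metrics and logs are not shipped to the workspace or storage account the client IP uses. Add a parallel `azurerm_monitor_diagnostic_setting` for the management address with `name = "${azurerm_public_ip.fw_mgmt_pip.name}-pip-diagnostics"` and `target_resource_id = azurerm_public_ip.fw_mgmt_pip.id`, copying the remaining arguments from this resource. The body of `publicip-diagnostics` continues past the end of the hunk.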
@@ -20,24 +20,36 @@ variable "firewall_sku" {
 description = "The SKU for Azure Firewall"
 }
 
-variable "firewall_address_space" {
+variable "client_address_space" {
 description = "The address space to be used for the Firewall subnets"
 }
 
-variable "firewall_subnet_name" {
- description = "The name of the Firewall subnet"
+variable "firewall_client_subnet_name" {
+ description = "The name of the Firewall client traffic subnet"
 }
 
-variable "saca_fwname" {
+variable "firewall_management_subnet_name" {
+ description = "The name of the Firewall management traffic subnet"
+}
+
+variable "firewall_name" {
 description = "The name of the Firewall"
 }
 
-variable "firewall_ipconfig_name" {
- description = "The name of the Firewall IP Configuration"
+variable "client_ipconfig_name" {
+ description = "The name of the Firewall Client IP Configuration"
+}
+
+variable "client_publicip_name" {
+ description = "The name of the Firewall Client Public IP"
 }
 
-variable "public_ip_name" {
- description = "The name of the Firewall Public IP"
+variable "management_ipconfig_name" {
+ description = "The name of the Firewall Management IP Configuration"
+}
+
+variable "management_publicip_name" {
+ description = "The name of the Firewall Management Public IP"
 }
 
 variable "log_analytics_workspace_id" {
@@ -58,4 +70,4 @@ variable "disable_snat_ip_range" {
 description = "The address space to be used to ensure that SNAT is disabled."
 default = ["0.0.0.0/0"]
 type = list
-}
\ No newline at end of file
+}
diff --git a/src/modules/hub/main.tf b/src/modules/hub/main.tf
index 92833c1b4..4e0a418b6 100644
--- a/src/modules/hub/main.tf
+++ b/src/modules/hub/main.tf
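Review bot: The renamed `variable "client_address_space"` keeps the old description `The address space to be used for the Firewall subnets`, which no longer fits a variable that now names only the client subnet; change it to `description = "The address space to be used for the Firewall client subnet"`. Unlike the hub module's declaration of the same variable in this commit, this one carries no `type = string`; adding it keeps the two modules consistent. None of the firewall/main.tf hunks reference `var.client_address_space`, so if the rest of the module body (not visible here) does not use it either, the variable should be removed rather than renamed.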
@@ -14,11 +14,50 @@ module "hub-network" {
 tags = var.tags
 }
 
-resource "azurerm_subnet" "firewall" {
+resource "azurerm_subnet" "fw_client" {
 name = "AzureFirewallSubnet"
 resource_group_name = module.hub-network.resource_group_name
 virtual_network_name = module.hub-network.virtual_network_name
- address_prefixes = [cidrsubnet(var.firewall_address_space, 0, 0)]
+ address_prefixes = [cidrsubnet(var.client_address_space, 0, 0)]
+}
+
+resource "azurerm_subnet" "fw_mgmt" {
+ name = "AzureFirewallManagementSubnet"
+ resource_group_name = module.hub-network.resource_group_name
+ virtual_network_name = module.hub-network.virtual_network_name
+ address_prefixes = [cidrsubnet(var.management_address_space, 0, 0)]
+}
+
+resource "azurerm_route_table" "routetable" {
+ name = var.routetable_name
+ resource_group_name = azurerm_subnet.fw_mgmt.resource_group_name
+ location = data.azurerm_resource_group.rg.location
+ disable_bgp_route_propagation = true
+ tags = var.tags
+}
+
+resource "azurerm_route" "default_route" {
+ name = "default_route"
+ resource_group_name = azurerm_route_table.routetable.resource_group_name
+ route_table_name = azurerm_route_table.routetable.name
+ address_prefix = "0.0.0.0/0"
+ next_hop_type = "Internet"
+}
+
+resource "time_sleep" "wait_30_seconds" {
+ depends_on = [
+ azurerm_route.default_route
+ ]
+
+ create_duration = "30s"
+}
+
+resource "azurerm_subnet_route_table_association" "routetable" {
+ subnet_id = azurerm_subnet.fw_mgmt.id
+ route_table_id = azurerm_route_table.routetable.id
+ depends_on = [
+ time_sleep.wait_30_seconds
+ ]
 }
 
 resource "azurerm_log_analytics_workspace" "loganalytics" {
diff --git a/src/modules/hub/output.tf b/src/modules/hub/output.tf
index e756ab700..b7f49746b 100644
--- a/src/modules/hub/output.tf
+++ b/src/modules/hub/output.tf
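Review bot: `resource "time_sleep" "wait_30_seconds"` papers over an ordering problem between `azurerm_route.default_route` and `azurerm_subnet_route_table_association.routetable` with a fixed 30s delay, and nothing in the hunk says what that problem is, so a maintainer cannot judge whether the delay is still needed or can be shortened. Add above it `# Workaround: give the 0.0.0.0/0 -> Internet route time to be committed before the table is attached to AzureFirewallManagementSubnet, which Azure documents as requiring that route. TODO(review): confirm the root cause and drop the sleep once the provider orders this correctly.`. The `azurerm_route_table.routetable` block also deserves `# Required by Azure Firewall for the management subnet: BGP propagation disabled and a default route to Internet.` so the default route is not later mistaken for an accidental exposure and removed. `data.azurerm_resource_group.rg`, used for `location`, is not declared in this hunk; presumably it exists earlier in the file.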
@@ -20,12 +20,20 @@ output "virtual_network_address_space" {
 value = module.hub-network.virtual_network_address_space
 }
 
-output "firewall_subnet_name" {
- value = azurerm_subnet.firewall.name
+output "firewall_client_subnet_name" {
+ value = azurerm_subnet.fw_client.name
 }
 
-output "firewall_subnet_id" {
- value = azurerm_subnet.firewall.id
+output "firewall_management_subnet_name" {
+ value = azurerm_subnet.fw_mgmt.name
+}
+
+output "firewall_client_subnet_id" {
+ value = azurerm_subnet.fw_client.id
+}
+
+output "firewall_mgmt_subnet_id" {
+ value = azurerm_subnet.fw_mgmt.id
 }
 
 output "log_analytics_workspace_name" {
diff --git a/src/modules/hub/variables.tf b/src/modules/hub/variables.tf
index 1a08724a4..62e92dc93 100644
--- a/src/modules/hub/variables.tf
+++ b/src/modules/hub/variables.tf
@@ -18,8 +18,18 @@ variable "vnet_address_space" {
 type = list(string)
 }
 
-variable "firewall_address_space" {
- description = "The address space to be used for the Firewall virtual network."
+variable "client_address_space" {
+ description = "The address space to be used for the Firewall virtual network subnet used for client traffic."
+ type = string
+}
+
+variable "management_address_space" {
+ description = "The address space to be used for the Firewall virtual network subnet used for management traffic."
+ type = string
+}
+
+variable "routetable_name" {
+ description = "The name of the route table to be applied to the firewall management subnet."
 type = string
 }
diff --git a/src/scripts/terraform/create_globals_from_config.sh b/src/scripts/terraform/create_globals_from_config.sh
index c2e4332c8..61ad2a1d7 100755
--- a/src/scripts/terraform/create_globals_from_config.sh
+++ b/src/scripts/terraform/create_globals_from_config.sh
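Review bot: The new output names are inconsistent: `firewall_management_subnet_name` spells the word out while `firewall_mgmt_subnet_id` abbreviates it, so consumers must remember two spellings for the same subnet. Rename the id output to `output "firewall_management_subnet_id" {` to match the name output and the `firewall_management_subnet_name` value the saca-hub module call already consumes.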
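Review bot: The new `management_address_space` (and the renamed `client_address_space`) are typed `string` but not validated, so a prefix smaller than /26 or a malformed CIDR is only rejected by the Azure API during apply, after the route table and other resources may already have been created; Azure Firewall requires both AzureFirewallSubnet and AzureFirewallManagementSubnet to be at least /26. Terraform 0.13, which the Dockerfile hunk installs, supports `validation` blocks on input variables, so the constraint can be enforced at plan time. The block below shows the management variable; the same validation applies to `client_address_space`.
```hcl
variable "management_address_space" {
  description = "The address space to be used for the Firewall virtual network subnet used for management traffic."
  type        = string

  validation {
    condition     = can(cidrnetmask(var.management_address_space)) && can(regex("/(?:[0-9]|1[0-9]|2[0-6])$", var.management_address_space))
    error_message = "The management_address_space must be a valid IPv4 CIDR block of /26 or larger, as required for AzureFirewallManagementSubnet."
  }
}
```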
@@ -69,5 +69,5 @@ append_kvp "tier2_vnetname" "vn-t2-${mlz_env_name}"
 append_kvp "saca_subid" "${mlz_saca_subid}"
 append_kvp "saca_rgname" "rg-saca-${mlz_env_name}"
 append_kvp "saca_vnetname" "vn-saca-${mlz_env_name}"
-append_kvp "saca_fwname" "Firewall${mlz_env_name}"
+append_kvp "firewall_name" "Firewall${mlz_env_name}"
 append_kvp "saca_lawsname" "laws-${mlz_env_name}"