Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support for Azure Firewall Premium (preview) #11438

Closed
gro1m opened this issue Apr 22, 2021 · 2 comments · Fixed by #13190
Closed

Support for Azure Firewall Premium (preview) #11438

gro1m opened this issue Apr 22, 2021 · 2 comments · Fixed by #13190
Labels
enhancement good first issue service/firewall
Milestone
v2.76.0

Comments

@gro1m
Copy link
Contributor

gro1m commented Apr 22, 2021
edited
Loading

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Implement Firewall Premium features, as this has high security impact and would allow to free up more websites, as there is the option to do URL filtering, i.e. you can restrict on entire URLs. Details here: https://docs.microsoft.com/en-us/azure/firewall/premium-features

New or Affected Resource(s)

  • azurerm_firewall_policy
  • (azurerm_firewall) # if you would implement azurerm_firewall_policy as sub resource of azurerm_firewall

Potential Terraform Configuration

resource "azurerm_firewall_policy" "example" {
    name                = "example"
    resource_group_name = "example"
    location            = "West Europe"
    sku                   = "Premium"
    dns = {
     servers = ...
     proxy_enabled = ...
    }
   threat_intelligence_mode = "Deny"
   threat_intelligence_allow_list = {
     ip_addresses = [172.0.2.1]
     fqdns = ["www.google.com"]
   }
   intrusion_detection = {
     mode = "off" # "Alert", "Deny"
     configuration = {
       signature_overrides = {
         state = "off" # "Alert", "Deny"
         id = signature_id
         }
       bypass_traffic_settings = {
         name = "bypass_traffic_setting_1"
         description = ""
         protocol = "TCP"
         source_addresses = "*"
         destination_addresses = "*"
         destination_ports = "*"
         source_ip_groups = "*"
         destination_ip_groups = "*"
         }
       }
     }
  transport_security = {
    certificate_authority = {
      key_vault_secret_id = "..." // KeyVaultSecretID - Secret Id of (base-64 encoded unencrypted pfx) 'Secret' or 'Certificate' object stored in KeyVault.
      name = "..." // Name - Name of the CA certificate.
    }
  }
}

The intrusion_detection and transport_security blocks would be the new additions to the azurerm_firewall_policy resource. Alternatively, one could also integrate the azurerm_firewall_policy as a sub resource into the azurerm_firewall.

References

Firewall Policy Structure

General Firewall Policy Properties Format

Intrusion Detection Parameter

Transport Layer Security Parameter
This was referenced Jul 25, 2021
Closed
Merged
@manicminer manicminer added this to the v2.74.0 milestone Aug 25, 2021
@katbyte katbyte modified the milestones: v2.74.0, v2.75.0 Aug 27, 2021
@gro1m gro1m mentioned this issue Aug 31, 2021
Merged
@katbyte katbyte modified the milestones: v2.75.0, v2.76.0 Sep 2, 2021
katbyte pushed a commit that referenced this issue Sep 3, 2021
@gro1m
azurerm_firewall_policy_rule_collection_group - support description,d…
cc28a21 
…estination_addresses,destination_urls,terminate_tls,web_categories (#13190)

Fixes #11438
Fixes #12944
Fixes #12086
@github-actions
Copy link

This functionality has been released in v2.76.0 of the Terraform Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

@github-actions
Copy link

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Oct 10, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
enhancement good first issue service/firewall
Projects
None yet
Milestone
v2.76.0
3 participants
@manicminer @katbyte @gro1m