From ed29f3c468701a3c87063ccd816613eaa2a65f2e Mon Sep 17 00:00:00 2001 From: Charles Shea Date: Tue, 22 Aug 2023 19:02:39 -0400 Subject: [PATCH 1/9] adding azfw quickstarts --- quickstart/101-azfw-with-fwpolicy/README.md | 230 ++++++++ quickstart/101-azfw-with-fwpolicy/main.tf | 153 +++++ quickstart/101-azfw-with-fwpolicy/outputs.tf | 3 + quickstart/101-azfw-with-fwpolicy/provider.tf | 16 + .../101-azfw-with-fwpolicy/variables.tf | 18 + quickstart/201-azfw-with-secure-hub/README.md | 543 ++++++++++++++++++ quickstart/201-azfw-with-secure-hub/main.tf | 370 ++++++++++++ .../201-azfw-with-secure-hub/outputs.tf | 3 + .../201-azfw-with-secure-hub/provider.tf | 16 + .../201-azfw-with-secure-hub/variables.tf | 30 + 10 files changed, 1382 insertions(+) create mode 100644 quickstart/101-azfw-with-fwpolicy/README.md create mode 100644 quickstart/101-azfw-with-fwpolicy/main.tf create mode 100644 quickstart/101-azfw-with-fwpolicy/outputs.tf create mode 100644 quickstart/101-azfw-with-fwpolicy/provider.tf create mode 100644 quickstart/101-azfw-with-fwpolicy/variables.tf create mode 100644 quickstart/201-azfw-with-secure-hub/README.md create mode 100644 quickstart/201-azfw-with-secure-hub/main.tf create mode 100644 quickstart/201-azfw-with-secure-hub/outputs.tf create mode 100644 quickstart/201-azfw-with-secure-hub/provider.tf create mode 100644 quickstart/201-azfw-with-secure-hub/variables.tf diff --git a/quickstart/101-azfw-with-fwpolicy/README.md b/quickstart/101-azfw-with-fwpolicy/README.md new file mode 100644 index 000000000..5fb781393 --- /dev/null +++ b/quickstart/101-azfw-with-fwpolicy/README.md 
@@ -0,0 +1,230 @@ +# Deploy Azure Firewall and a Firewall Policy + +This template deploys an Azure Firewall and a Firewall Policy. The Firewall Policy is associated to the Firewall. + +## Resources + +| Terraform Resource Type | Description | +| - | - | +| `azurerm_resource_group` | The resource group all the deployed resources.| +| `azurerm_virtual_network` | The virtual network for the firewall. | +| `azurerm_subnet` |The firewall subnet.| +| `azurerm_public_ip` | The firewall public IP address. | +| `azurerm_firewall` | The premium Azure Firewall. | +| `azurerm_firewall_policy` | The policy associated to the Firewall | +| `azurerm_firewall_policy_rule_collection_group` | the rules collection group for firewall policy | +| `azurerm_ip_group` | The IP group for source addresses. | + +## Variables + +| Name | Description | +|-|-| +| `location` | location for your resources | +| `tags` | tags to organize your resources | +| `fw_sku` | Sku size for your Firewall and Firewall Policy | + +## Example + +```powershell +terraform plan -out main.tfplan + + # azurerm_firewall.fw will be created + + resource "azurerm_firewall" "fw" { + + firewall_policy_id = (known after apply) + + id = (known after apply) + + location = "eastus" + + name = "azfw" + + resource_group_name = "azfw-rg" + + sku_name = "AZFW_VNet" + + sku_tier = "Premium" + + threat_intel_mode = (known after apply) + + + ip_configuration { + + name = "azfw-ipconfig" + + private_ip_address = (known after apply) + + public_ip_address_id = (known after apply) + + subnet_id = (known after apply) + } + } + + # azurerm_firewall_policy.azfw_policy will be created + + resource "azurerm_firewall_policy" "azfw_policy" { + + child_policies = (known after apply) + + firewalls = (known after apply) + + id = (known after apply) + + location = "eastus" + + name = "azfw-policy" + + resource_group_name = "azfw-rg" + + rule_collection_groups = (known after apply) + + sku = "Premium" + + threat_intelligence_mode = "Alert" + } + + # 
azurerm_firewall_policy_rule_collection_group.app_policy_rule_collection_group will be created + + resource "azurerm_firewall_policy_rule_collection_group" "app_policy_rule_collection_group" { + + firewall_policy_id = (known after apply) + + id = (known after apply) + + name = "DefaulApplicationtRuleCollectionGroup" + + priority = 300 + + + application_rule_collection { + + action = "Allow" + + name = "DefaultApplicationRuleCollection" + + priority = 500 + + + rule { + + description = "Allow Windows Update" + + destination_fqdn_tags = [ + + "WindowsUpdate", + ] + + name = "AllowWindowsUpdate" + + source_ip_groups = (known after apply) + + + protocols { + + port = 80 + + type = "Http" + } + + protocols { + + port = 443 + + type = "Https" + } + } + + rule { + + description = "Allow access to Microsoft.com" + + destination_fqdns = [ + + "*.microsoft.com", + ] + + name = "Global Rule" + + source_ip_groups = (known after apply) + + terminate_tls = false + + + protocols { + + port = 443 + + type = "Https" + } + } + } + } + + # azurerm_firewall_policy_rule_collection_group.net_policy_rule_collection_group will be created + + resource "azurerm_firewall_policy_rule_collection_group" "net_policy_rule_collection_group" { + + firewall_policy_id = (known after apply) + + id = (known after apply) + + name = "DefaultNetworkRuleCollectionGroup" + + priority = 200 + + + network_rule_collection { + + action = "Allow" + + name = "DefaultNetworkRuleCollection" + + priority = 200 + + + rule { + + destination_addresses = [ + + "132.86.101.172", + ] + + destination_ports = [ + + "123", + ] + + name = "time-windows" + + protocols = [ + + "UDP", + ] + + source_ip_groups = (known after apply) + } + } + } + + # azurerm_ip_group.infra_ip_group will be created + + resource "azurerm_ip_group" "infra_ip_group" { + + cidrs = [ + + "10.40.0.0/24", + + "10.50.0.0/24", + ] + + firewall_ids = (known after apply) + + firewall_policy_ids = (known after apply) + + id = (known after apply) + + location = 
"eastus" + + name = "infra-ip-group" + + resource_group_name = "azfw-rg" + } + + # azurerm_ip_group.workload_ip_group will be created + + resource "azurerm_ip_group" "workload_ip_group" { + + cidrs = [ + + "10.20.0.0/24", + + "10.30.0.0/24", + ] + + firewall_ids = (known after apply) + + firewall_policy_ids = (known after apply) + + id = (known after apply) + + location = "eastus" + + name = "workload-ip-group" + + resource_group_name = "azfw-rg" + } + + # azurerm_public_ip.pip_azfw will be created + + resource "azurerm_public_ip" "pip_azfw" { + + allocation_method = "Static" + + ddos_protection_mode = "VirtualNetworkInherited" + + fqdn = (known after apply) + + id = (known after apply) + + idle_timeout_in_minutes = 4 + + ip_address = (known after apply) + + ip_version = "IPv4" + + location = "eastus" + + name = "pip-azfw" + + resource_group_name = "azfw-rg" + + sku = "Standard" + + sku_tier = "Regional" + + tags = { + + "costcenter" = "1234556677" + + "environment" = "dev" + + "owner" = "cloud team" + + "workload" = "azure firewall" + } + } + + # azurerm_resource_group.azfw_rg will be created + + resource "azurerm_resource_group" "azfw_rg" { + + id = (known after apply) + + location = "eastus" + + name = "azfw-rg" + + tags = { + + "costcenter" = "1234556677" + + "environment" = "dev" + + "owner" = "cloud team" + + "workload" = "azure firewall" + } + } + + # azurerm_subnet.azfw_subnet will be created + + resource "azurerm_subnet" "azfw_subnet" { + + address_prefixes = [ + + "10.10.0.0/26", + ] + + enforce_private_link_endpoint_network_policies = (known after apply) + + enforce_private_link_service_network_policies = (known after apply) + + id = (known after apply) + + name = "AzureFirewallSubnet" + + private_endpoint_network_policies_enabled = (known after apply) + + private_link_service_network_policies_enabled = (known after apply) + + resource_group_name = "azfw-rg" + + virtual_network_name = "azfw-vnet" + } + + # azurerm_virtual_network.azfw_vnet will be 
created + + resource "azurerm_virtual_network" "azfw_vnet" { + + address_space = [ + + "10.10.0.0/24", + ] + + dns_servers = (known after apply) + + guid = (known after apply) + + id = (known after apply) + + location = "eastus" + + name = "azfw-vnet" + + resource_group_name = "azfw-rg" + + subnet = (known after apply) + } + +Plan: 10 to add, 0 to change, 0 to destroy. +`````` \ No newline at end of file diff --git a/quickstart/101-azfw-with-fwpolicy/main.tf b/quickstart/101-azfw-with-fwpolicy/main.tf new file mode 100644 index 000000000..c39981331 --- /dev/null +++ b/quickstart/101-azfw-with-fwpolicy/main.tf 
@@ -0,0 +1,153 @@
+
+// Create a Resource Group
+resource "azurerm_resource_group" "azfw_rg" {
+ name = "azfw-rg"
+ location = var.location
+ tags = var.tags
+}
+// Create a Virtual Network
+resource "azurerm_virtual_network" "azfw_vnet" {
+ name = "azfw-vnet"
+ location = azurerm_resource_group.azfw_rg.location
+ resource_group_name = azurerm_resource_group.azfw_rg.name
+ address_space = ["10.10.0.0/24"]
+ depends_on = [
+ azurerm_resource_group.azfw_rg
+ ]
+}
+
+// Create IP Groups
+resource "azurerm_ip_group" "workload_ip_group" {
+ name = "workload-ip-group"
+ resource_group_name = azurerm_resource_group.azfw_rg.name
+ location = azurerm_resource_group.azfw_rg.location
+ cidrs = ["10.20.0.0/24", "10.30.0.0/24"]
+ depends_on = [
+ azurerm_resource_group.azfw_rg,
+ azurerm_virtual_network.azfw_vnet
+ ]
+}
+resource "azurerm_ip_group" "infra_ip_group" {
+ name = "infra-ip-group"
+ resource_group_name = azurerm_resource_group.azfw_rg.name
+ location = azurerm_resource_group.azfw_rg.location
+ cidrs = ["10.40.0.0/24", "10.50.0.0/24"]
+ depends_on = [
+ azurerm_resource_group.azfw_rg,
+ azurerm_virtual_network.azfw_vnet
+ ]
+}
+
+// Create the Azure Firewall Subnet
+resource "azurerm_subnet" "azfw_subnet" {
+ name = "AzureFirewallSubnet"
+ resource_group_name = azurerm_resource_group.azfw_rg.name
+ virtual_network_name = azurerm_virtual_network.azfw_vnet.name
+ address_prefixes = ["10.10.0.0/26"]
+ depends_on = [
+ azurerm_resource_group.azfw_rg,
+ azurerm_virtual_network.azfw_vnet
+ ]
+}
+
+// Create a Public IP Address for Azure Firewall
+resource "azurerm_public_ip" "pip_azfw" {
+ name = "pip-azfw"
+ location = azurerm_resource_group.azfw_rg.location
+ resource_group_name = azurerm_resource_group.azfw_rg.name
+ allocation_method = "Static"
+ sku = "Standard"
+ tags = azurerm_resource_group.azfw_rg.tags
+ depends_on = [
+ azurerm_resource_group.azfw_rg
+ ]
+}
+
+// Create a Azure Firewall Policy
+resource "azurerm_firewall_policy" "azfw_policy" {
+ name = "azfw-policy"
+ resource_group_name = azurerm_resource_group.azfw_rg.name
+ location = azurerm_resource_group.azfw_rg.location
+ sku = var.fw_sku
+ threat_intelligence_mode = "Alert"
+}
+
+// Create a Network Rule Collection Group
+// Create a Network Rule Collection
+// Create rules for NTP
+resource "azurerm_firewall_policy_rule_collection_group" "net_policy_rule_collection_group" {
+ name = "DefaultNetworkRuleCollectionGroup"
+ firewall_policy_id = azurerm_firewall_policy.azfw_policy.id
+ priority = 200
+ network_rule_collection {
+ name = "DefaultNetworkRuleCollection"
+ action = "Allow"
+ priority = 200
+ rule {
+ name = "time-windows"
+ protocols = ["UDP"]
+ source_ip_groups = [azurerm_ip_group.workload_ip_group.id, azurerm_ip_group.infra_ip_group.id]
+ destination_ports = ["123"]
+ destination_addresses = ["132.86.101.172"]
+ }
+ }
+}
+
+// Create a Azure Firewall Policy Rule Collection Group
+// Create a Application Rule Collection
+// Create rules for Windows Update
+// Create rules for Microsoft.com
+resource "azurerm_firewall_policy_rule_collection_group" "app_policy_rule_collection_group" {
+ name = "DefaulApplicationtRuleCollectionGroup"
+ firewall_policy_id = azurerm_firewall_policy.azfw_policy.id
+ priority = 300
+ application_rule_collection {
+ name = "DefaultApplicationRuleCollection"
+ action = "Allow"
+ priority = 500
+ rule {
+ name = "AllowWindowsUpdate"
+
+ description = "Allow Windows Update"
+ protocols {
+ type = "Http"
+ port = 80
+ }
+ protocols {
+ type = "Https"
+ port = 443
+ }
+ source_ip_groups = [azurerm_ip_group.workload_ip_group.id, azurerm_ip_group.infra_ip_group.id]
+ destination_fqdn_tags = ["WindowsUpdate"]
+ }
+ rule {
+ name = "Global Rule"
+ description = "Allow access to Microsoft.com"
+ protocols {
+ type = "Https"
+ port = 443
+ }
+ destination_fqdns = ["*.microsoft.com"]
+ terminate_tls = false
+ source_ip_groups = [azurerm_ip_group.workload_ip_group.id, azurerm_ip_group.infra_ip_group.id]
+ }
+ }
+ depends_on = [
+ azurerm_firewall_policy.azfw_policy
+ ]
+}
+
+// Create the Azure Firewall
+resource "azurerm_firewall" "fw" {
+ name = "azfw"
+ location = azurerm_resource_group.azfw_rg.location
+ resource_group_name = azurerm_resource_group.azfw_rg.name
+ sku_name = "AZFW_VNet"
+ sku_tier = var.fw_sku
+ ip_configuration {
+ name = "azfw-ipconfig"
+ subnet_id = azurerm_subnet.azfw_subnet.id
+ public_ip_address_id = azurerm_public_ip.pip_azfw.id
+ }
+ firewall_policy_id = azurerm_firewall_policy.azfw_policy.id
+}
\ No newline at end of file
diff --git a/quickstart/101-azfw-with-fwpolicy/outputs.tf b/quickstart/101-azfw-with-fwpolicy/outputs.tf
new file mode 100644
index 000000000..67ad7df31
--- /dev/null
+++ b/quickstart/101-azfw-with-fwpolicy/outputs.tf
@@ -0,0 +1,3 @@
+output "rg_name" {
+ value = azurerm_resource_group.azfw_rg.name
+}
\ No newline at end of file
diff --git a/quickstart/101-azfw-with-fwpolicy/provider.tf b/quickstart/101-azfw-with-fwpolicy/provider.tf
new file mode 100644
index 000000000..76b5065bc
--- /dev/null
+++ b/quickstart/101-azfw-with-fwpolicy/provider.tf
@@ -0,0 +1,16 @@
+terraform {
+ required_providers {
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = "3.69.0"
+ }
+ }
+}
+
+provider "azurerm" {
+ features {
+ resource_group {
+ prevent_deletion_if_contains_resources = false // Set to True for Production
+ }
+ }
+}
diff --git a/quickstart/101-azfw-with-fwpolicy/variables.tf b/quickstart/101-azfw-with-fwpolicy/variables.tf
new file mode 100644
index 000000000..2a925a383
--- /dev/null
+++ b/quickstart/101-azfw-with-fwpolicy/variables.tf
@@ -0,0 +1,18 @@
+// Create Variables for Location and Tags
+variable "location" {
+ default = "eastus"
+}
+variable "tags" {
+ default = {
+ environment = "dev"
+ costcenter = "1234556677"
+ owner = "cloud team"
+ workload = "azure firewall"
+ }
+}
+
+// Create Firewall Variables
+variable "fw_sku" {
+ default = "Premium" # Valid values are Standard and Premium
+}
+
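Review bot: The policy in `resource "azurerm_firewall_policy" "azfw_policy"` takes its tier from `sku = var.fw_sku` (Premium by default) but configures none of the Premium-only capabilities — there is no `intrusion_detection` block and no `dns { proxy_enabled = true }` — and `threat_intelligence_mode = "Alert"` only logs threat-intelligence hits, so as written the policy enforces nothing beyond the two allow collections. If the quickstart is meant to demonstrate a Premium deployment, an IDPS block emitted only when the SKU supports it would make that visible; the sketch below does that. Nothing in this hunk creates a diagnostic setting for the firewall either, so Alert-mode findings have no log sink unless one is added outside the template — a comment such as `// "Alert" only logs; attach an azurerm_monitor_diagnostic_setting (or use "Deny") before relying on threat intelligence` would warn the reader. The NTP network rule hard-codes `destination_addresses = ["132.86.101.172"]`; a comment noting it is a sample address, and that using an FQDN in a network rule instead requires DNS proxy to be enabled on the policy, would save the next maintainer a lookup.
```hcl
resource "azurerm_firewall_policy" "azfw_policy" {
  // … unchanged: name, resource_group_name, location, sku …
  threat_intelligence_mode = "Alert"
  // IDPS is a Premium-tier feature; only emit the block when the SKU supports it
  dynamic "intrusion_detection" {
    for_each = var.fw_sku == "Premium" ? [1] : []
    content {
      mode = "Alert"
    }
  }
}
```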
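Review bot: `variable "fw_sku"` documents its valid values only in a trailing comment, yet the same value feeds both `azurerm_firewall.sku_tier` and `azurerm_firewall_policy.sku` in main.tf, so a value like `premium` or `Basic` is rejected only at apply time, after the resource group, VNet and IP groups already exist. A validation block states the contract where Terraform can enforce it at plan time: `validation { condition = contains(["Standard", "Premium"], var.fw_sku) error_message = "fw_sku must be Standard or Premium." }`. The `location` and `tags` variables likewise carry no `type` or `description`; `type = string` and `type = map(string)` with a one-line description each would let `terraform plan` reject malformed input early and make the README's variable table self-documenting.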
diff --git a/quickstart/201-azfw-with-secure-hub/README.md b/quickstart/201-azfw-with-secure-hub/README.md new file mode 100644 index 000000000..2bdb52b85 --- /dev/null +++ b/quickstart/201-azfw-with-secure-hub/README.md 
@@ -0,0 +1,543 @@ +# Deploy Azure Firewall and a Firewall Policy + +This template deploys an Azure Firewall and a Firewall Policy to a Secure Hub. The Firewall Policy is associated with the Firewall policy. + +## Resources + +| Terraform Resource Type | Description | +| - | - | +| `azurerm_resource_group` | The resource group all the deployed resources.| +| `azurerm_virtual_wan` | The virtual wan for the virtual hub | +| `azurerm_virtual_hub` | The virtual hub for the firewall | +| `azurerm_virtual_hub_route_table` | The route table for the virtual hub | +| `azurerm_virtual_hub_connection` | The connection between the virtual hub and the virtual network spoke | +| `azurerm_public_ip` | The firewall public IP address and public access to the jump vm. | +| `azurerm_firewall_policy` | The policy associated to the Firewall | +| `azurerm_firewall_policy_rule_collection_group` | the rules collection group to add network and application rule collections for firewall policy | +| `azurerm_firewall` | The premium Azure Firewall. | +| `azurerm_virtual_network` | The virtual network for the firewall. | +| `azurerm_subnet` | The subnets for jump and workload vms. 
| +| `azurerm_network_interface` | The nics for the jump and workload vms | +| `azurerm_network_security_group` | The nsg for the jump and workload vms | +| `azurerm_network_interface_security_group_association` | The association between the nics and the nsgs | +| `azurerm_virtual_machine` | The jump and workload vms for testing | +| `azurerm_route_table` | The route table for the jump vms | +| `azurerm_subnet_route_table_association` | The association between the subnets and the route tables | +| `azurerm_virtual_hub_route_table` | The route table for the virtual hub | + +## Variables + +| Name | Description | +|-|-| +| `location` | location for your resources | +| `tags` | tags to organize your resources | +| `fw_sku` | Sku size for your Firewall and Firewall Policy | +| `vm_size` | Sku size for your jump and workload vms | +| `admin_username` | admin username for the jump and workload vms | +| `admin_password` | admin password for the jump and workload vms | + +## Example + +```powershell +Terraform used the selected providers to generate the following execution plan. 
Resource actions are indicated with the following symbols: + + create + +Terraform will perform the following actions: + + # azurerm_firewall.fw will be created + + resource "azurerm_firewall" "fw" { + + firewall_policy_id = (known after apply) + + id = (known after apply) + + location = "eastus" + + name = "fw-azfw-securehub-eus" + + resource_group_name = "rg-azfw-securehub-eus" + + sku_name = "AZFW_Hub" + + sku_tier = "Premium" + + tags = { + + "costcenter" = "1234556677" + + "environment" = "dev" + + "owner" = "cloud team" + + "workload" = "azure firewall" + } + + threat_intel_mode = (known after apply) + + + virtual_hub { + + private_ip_address = (known after apply) + + public_ip_addresses = (known after apply) + + public_ip_count = 1 + + virtual_hub_id = (known after apply) + } + } + + # azurerm_firewall_policy.azfw_policy will be created + + resource "azurerm_firewall_policy" "azfw_policy" { + + child_policies = (known after apply) + + firewalls = (known after apply) + + id = (known after apply) + + location = "eastus" + + name = "policy-azfw-securehub-eus" + + resource_group_name = "rg-azfw-securehub-eus" + + rule_collection_groups = (known after apply) + + sku = "Premium" + + tags = { + + "costcenter" = "1234556677" + + "environment" = "dev" + + "owner" = "cloud team" + + "workload" = "azure firewall" + } + + threat_intelligence_mode = "Alert" + } + + # azurerm_firewall_policy_rule_collection_group.app_policy_rule_collection_group will be created + + resource "azurerm_firewall_policy_rule_collection_group" "app_policy_rule_collection_group" { + + firewall_policy_id = (known after apply) + + id = (known after apply) + + name = "DefaulApplicationtRuleCollectionGroup" + + priority = 300 + + + application_rule_collection { + + action = "Allow" + + name = "DefaultApplicationRuleCollection" + + priority = 100 + + + rule { + + description = "Allow access to Microsoft.com" + + destination_fqdns = [ + + "*.microsoft.com", + ] + + name = "Allow-MSFT" + + 
source_addresses = [ + + "*", + ] + + terminate_tls = false + + + protocols { + + port = 443 + + type = "Https" + } + + protocols { + + port = 80 + + type = "Http" + } + } + } + } + + # azurerm_network_interface.vm_jump_nic will be created + + resource "azurerm_network_interface" "vm_jump_nic" { + + applied_dns_servers = (known after apply) + + dns_servers = (known after apply) + + enable_accelerated_networking = false + + enable_ip_forwarding = false + + id = (known after apply) + + internal_dns_name_label = (known after apply) + + internal_domain_name_suffix = (known after apply) + + location = "eastus" + + mac_address = (known after apply) + + name = "nic-jump" + + private_ip_address = (known after apply) + + private_ip_addresses = (known after apply) + + resource_group_name = "rg-azfw-securehub-eus" + + virtual_machine_id = (known after apply) + + + ip_configuration { + + gateway_load_balancer_frontend_ip_configuration_id = (known after apply) + + name = "ipconfig-jump" + + primary = (known after apply) + + private_ip_address = (known after apply) + + private_ip_address_allocation = "Dynamic" + + private_ip_address_version = "IPv4" + + public_ip_address_id = (known after apply) + + subnet_id = (known after apply) + } + } + + # azurerm_network_interface.vm_workload_nic will be created + + resource "azurerm_network_interface" "vm_workload_nic" { + + applied_dns_servers = (known after apply) + + dns_servers = (known after apply) + + enable_accelerated_networking = false + + enable_ip_forwarding = false + + id = (known after apply) + + internal_dns_name_label = (known after apply) + + internal_domain_name_suffix = (known after apply) + + location = "eastus" + + mac_address = (known after apply) + + name = "nic-workload" + + private_ip_address = (known after apply) + + private_ip_addresses = (known after apply) + + resource_group_name = "rg-azfw-securehub-eus" + + virtual_machine_id = (known after apply) + + + ip_configuration { + + 
gateway_load_balancer_frontend_ip_configuration_id = (known after apply) + + name = "ipconfig-workload" + + primary = (known after apply) + + private_ip_address = (known after apply) + + private_ip_address_allocation = "Dynamic" + + private_ip_address_version = "IPv4" + + subnet_id = (known after apply) + } + } + + # azurerm_network_interface_security_group_association.vm_jump_nsg_association will be created + + resource "azurerm_network_interface_security_group_association" "vm_jump_nsg_association" { + + id = (known after apply) + + network_interface_id = (known after apply) + + network_security_group_id = (known after apply) + } + + # azurerm_network_interface_security_group_association.vm_workload_nsg_association will be created + + resource "azurerm_network_interface_security_group_association" "vm_workload_nsg_association" { + + id = (known after apply) + + network_interface_id = (known after apply) + + network_security_group_id = (known after apply) + } + + # azurerm_network_security_group.vm_jump_nsg will be created + + resource "azurerm_network_security_group" "vm_jump_nsg" { + + id = (known after apply) + + location = "eastus" + + name = "nsg-jump" + + resource_group_name = "rg-azfw-securehub-eus" + + security_rule = [ + + { + + access = "Allow" + + description = "" + + destination_address_prefix = "*" + + destination_address_prefixes = [] + + destination_application_security_group_ids = [] + + destination_port_range = "3389" + + destination_port_ranges = [] + + direction = "Inbound" + + name = "Allow-RDP" + + priority = 300 + + protocol = "Tcp" + + source_address_prefix = "*" + + source_address_prefixes = [] + + source_application_security_group_ids = [] + + source_port_range = "*" + + source_port_ranges = [] + }, + ] + } + + # azurerm_network_security_group.vm_workload_nsg will be created + + resource "azurerm_network_security_group" "vm_workload_nsg" { + + id = (known after apply) + + location = "eastus" + + name = "nsg-workload" + + 
resource_group_name = "rg-azfw-securehub-eus" + + security_rule = (known after apply) + } + + # azurerm_public_ip.pip_azfw will be created + + resource "azurerm_public_ip" "pip_azfw" { + + allocation_method = "Static" + + ddos_protection_mode = "VirtualNetworkInherited" + + fqdn = (known after apply) + + id = (known after apply) + + idle_timeout_in_minutes = 4 + + ip_address = (known after apply) + + ip_version = "IPv4" + + location = "eastus" + + name = "pip-azfw-securehub-eus" + + resource_group_name = "rg-azfw-securehub-eus" + + sku = "Standard" + + sku_tier = "Regional" + + tags = { + + "costcenter" = "1234556677" + + "environment" = "dev" + + "owner" = "cloud team" + + "workload" = "azure firewall" + } + } + + # azurerm_public_ip.vm_jump_pip will be created + + resource "azurerm_public_ip" "vm_jump_pip" { + + allocation_method = "Static" + + ddos_protection_mode = "VirtualNetworkInherited" + + fqdn = (known after apply) + + id = (known after apply) + + idle_timeout_in_minutes = 4 + + ip_address = (known after apply) + + ip_version = "IPv4" + + location = "eastus" + + name = "pip-jump" + + resource_group_name = "rg-azfw-securehub-eus" + + sku = "Standard" + + sku_tier = "Regional" + + tags = { + + "costcenter" = "1234556677" + + "environment" = "dev" + + "owner" = "cloud team" + + "workload" = "azure firewall" + } + } + + # azurerm_resource_group.azfw_rg will be created + + resource "azurerm_resource_group" "azfw_rg" { + + id = (known after apply) + + location = "eastus" + + name = "rg-azfw-securehub-eus" + + tags = { + + "costcenter" = "1234556677" + + "environment" = "dev" + + "owner" = "cloud team" + + "workload" = "azure firewall" + } + } + + # azurerm_route_table.rt will be created + + resource "azurerm_route_table" "rt" { + + disable_bgp_route_propagation = false + + id = (known after apply) + + location = "eastus" + + name = "rt-azfw-securehub-eus" + + resource_group_name = "rg-azfw-securehub-eus" + + route = [ + + { + + address_prefix = "0.0.0.0/0" + + 
name = "jump-to-internet" + + next_hop_in_ip_address = "" + + next_hop_type = "Internet" + }, + ] + + subnets = (known after apply) + } + + # azurerm_subnet.jump_subnet will be created + + resource "azurerm_subnet" "jump_subnet" { + + address_prefixes = [ + + "10.10.2.0/24", + ] + + enforce_private_link_endpoint_network_policies = (known after apply) + + enforce_private_link_service_network_policies = (known after apply) + + id = (known after apply) + + name = "subnet-jump" + + private_endpoint_network_policies_enabled = (known after apply) + + private_link_service_network_policies_enabled = (known after apply) + + resource_group_name = "rg-azfw-securehub-eus" + + virtual_network_name = "vnet-azfw-securehub-eus" + } + + # azurerm_subnet.workload_subnet will be created + + resource "azurerm_subnet" "workload_subnet" { + + address_prefixes = [ + + "10.10.1.0/24", + ] + + enforce_private_link_endpoint_network_policies = (known after apply) + + enforce_private_link_service_network_policies = (known after apply) + + id = (known after apply) + + name = "subnet-workload" + + private_endpoint_network_policies_enabled = (known after apply) + + private_link_service_network_policies_enabled = (known after apply) + + resource_group_name = "rg-azfw-securehub-eus" + + virtual_network_name = "vnet-azfw-securehub-eus" + } + + # azurerm_subnet_route_table_association.jump_subnet_rt_association will be created + + resource "azurerm_subnet_route_table_association" "jump_subnet_rt_association" { + + id = (known after apply) + + route_table_id = (known after apply) + + subnet_id = (known after apply) + } + + # azurerm_virtual_hub.azfw_vwan_hub will be created + + resource "azurerm_virtual_hub" "azfw_vwan_hub" { + + address_prefix = "10.20.0.0/23" + + default_route_table_id = (known after apply) + + hub_routing_preference = "ExpressRoute" + + id = (known after apply) + + location = "eastus" + + name = "hub-azfw-securehub-eus" + + resource_group_name = "rg-azfw-securehub-eus" + + tags = 
{ + + "costcenter" = "1234556677" + + "environment" = "dev" + + "owner" = "cloud team" + + "workload" = "azure firewall" + } + + virtual_router_asn = (known after apply) + + virtual_router_auto_scale_min_capacity = 2 + + virtual_router_ips = (known after apply) + + virtual_wan_id = (known after apply) + } + + # azurerm_virtual_hub_connection.azfw_vwan_hub_connection will be created + + resource "azurerm_virtual_hub_connection" "azfw_vwan_hub_connection" { + + id = (known after apply) + + internet_security_enabled = true + + name = "hub-to-spoke" + + remote_virtual_network_id = (known after apply) + + virtual_hub_id = (known after apply) + + + routing { + + associated_route_table_id = (known after apply) + + + propagated_route_table { + + labels = [ + + "VNet", + ] + + route_table_ids = (known after apply) + } + } + } + + # azurerm_virtual_hub_route_table.vhub_rt will be created + + resource "azurerm_virtual_hub_route_table" "vhub_rt" { + + id = (known after apply) + + labels = [ + + "VNet", + ] + + name = "vhub-rt-azfw-securehub-eus" + + virtual_hub_id = (known after apply) + + + route { + + destinations = [ + + "0.0.0.0/0", + ] + + destinations_type = "CIDR" + + name = "InternetToFirewall" + + next_hop = (known after apply) + + next_hop_type = "ResourceId" + } + + route { + + destinations = [ + + "10.10.1.0/24", + ] + + destinations_type = "CIDR" + + name = "workload-SNToFirewall" + + next_hop = (known after apply) + + next_hop_type = "ResourceId" + } + } + + # azurerm_virtual_network.azfw_vnet will be created + + resource "azurerm_virtual_network" "azfw_vnet" { + + address_space = [ + + "10.10.0.0/16", + ] + + dns_servers = (known after apply) + + guid = (known after apply) + + id = (known after apply) + + location = "eastus" + + name = "vnet-azfw-securehub-eus" + + resource_group_name = "rg-azfw-securehub-eus" + + subnet = (known after apply) + + tags = { + + "costcenter" = "1234556677" + + "environment" = "dev" + + "owner" = "cloud team" + + "workload" = "azure 
firewall" + } + } + + # azurerm_virtual_wan.azfw_vwan will be created + + resource "azurerm_virtual_wan" "azfw_vwan" { + + allow_branch_to_branch_traffic = true + + disable_vpn_encryption = false + + id = (known after apply) + + location = "eastus" + + name = "vwan-azfw-securehub-eus" + + office365_local_breakout_category = "None" + + resource_group_name = "rg-azfw-securehub-eus" + + tags = { + + "costcenter" = "1234556677" + + "environment" = "dev" + + "owner" = "cloud team" + + "workload" = "azure firewall" + } + + type = "Standard" + } + + # azurerm_windows_virtual_machine.vm_jump will be created + + resource "azurerm_windows_virtual_machine" "vm_jump" { + + admin_password = (sensitive value) + + admin_username = "azureuser" + + allow_extension_operations = true + + bypass_platform_safety_checks_on_user_schedule_enabled = false + + computer_name = (known after apply) + + enable_automatic_updates = true + + extensions_time_budget = "PT1H30M" + + hotpatching_enabled = false + + id = (known after apply) + + location = "eastus" + + max_bid_price = -1 + + name = "jump-vm" + + network_interface_ids = (known after apply) + + patch_assessment_mode = "ImageDefault" + + patch_mode = "AutomaticByOS" + + platform_fault_domain = -1 + + priority = "Regular" + + private_ip_address = (known after apply) + + private_ip_addresses = (known after apply) + + provision_vm_agent = true + + public_ip_address = (known after apply) + + public_ip_addresses = (known after apply) + + resource_group_name = "rg-azfw-securehub-eus" + + size = "Standard_D2_v3" + + virtual_machine_id = (known after apply) + + + os_disk { + + caching = "ReadWrite" + + disk_size_gb = (known after apply) + + name = (known after apply) + + storage_account_type = "Standard_LRS" + + write_accelerator_enabled = false + } + + + source_image_reference { + + offer = "WindowsServer" + + publisher = "MicrosoftWindowsServer" + + sku = "2019-Datacenter" + + version = "latest" + } + } + + # 
azurerm_windows_virtual_machine.vm_workload will be created + + resource "azurerm_windows_virtual_machine" "vm_workload" { + + admin_password = (sensitive value) + + admin_username = "azureuser" + + allow_extension_operations = true + + bypass_platform_safety_checks_on_user_schedule_enabled = false + + computer_name = (known after apply) + + enable_automatic_updates = true + + extensions_time_budget = "PT1H30M" + + hotpatching_enabled = false + + id = (known after apply) + + location = "eastus" + + max_bid_price = -1 + + name = "workload-vm" + + network_interface_ids = (known after apply) + + patch_assessment_mode = "ImageDefault" + + patch_mode = "AutomaticByOS" + + platform_fault_domain = -1 + + priority = "Regular" + + private_ip_address = (known after apply) + + private_ip_addresses = (known after apply) + + provision_vm_agent = true + + public_ip_address = (known after apply) + + public_ip_addresses = (known after apply) + + resource_group_name = "rg-azfw-securehub-eus" + + size = "Standard_D2_v3" + + virtual_machine_id = (known after apply) + + + os_disk { + + caching = "ReadWrite" + + disk_size_gb = (known after apply) + + name = (known after apply) + + storage_account_type = "Standard_LRS" + + write_accelerator_enabled = false + } + + + source_image_reference { + + offer = "WindowsServer" + + publisher = "MicrosoftWindowsServer" + + sku = "2019-Datacenter" + + version = "latest" + } + } + +Plan: 23 to add, 0 to change, 0 to destroy. +`````` \ No newline at end of file diff --git a/quickstart/201-azfw-with-secure-hub/main.tf b/quickstart/201-azfw-with-secure-hub/main.tf new file mode 100644 index 000000000..46c99695c --- /dev/null +++ b/quickstart/201-azfw-with-secure-hub/main.tf 
@@ -0,0 +1,370 @@
+
+// Create a Resource Group
+resource "azurerm_resource_group" "azfw_rg" {
+ name = "rg-azfw-securehub-eus"
+ location = var.location
+ tags = var.tags
+}
+
+// Create resources for Azure Virtual WAN
+// Create a Azure Vwan
+resource "azurerm_virtual_wan" "azfw_vwan" {
+ name = "vwan-azfw-securehub-eus"
+ location = azurerm_resource_group.azfw_rg.location
+ resource_group_name = azurerm_resource_group.azfw_rg.name
+ tags = azurerm_resource_group.azfw_rg.tags
+ allow_branch_to_branch_traffic = true
+ disable_vpn_encryption = false
+ depends_on = [
+ azurerm_resource_group.azfw_rg
+ ]
+}
+
+// Create a Azure Vwan Hub
+resource "azurerm_virtual_hub" "azfw_vwan_hub" {
+ name = "hub-azfw-securehub-eus"
+ location = azurerm_resource_group.azfw_rg.location
+ resource_group_name = azurerm_resource_group.azfw_rg.name
+ virtual_wan_id = azurerm_virtual_wan.azfw_vwan.id
+ address_prefix = "10.20.0.0/23"
+ tags = azurerm_resource_group.azfw_rg.tags
+ depends_on = [
+ azurerm_virtual_wan.azfw_vwan
+ ]
+}
+
+// Create a Azure VWan Hub Connection
+resource "azurerm_virtual_hub_connection" "azfw_vwan_hub_connection" {
+ name = "hub-to-spoke"
+ virtual_hub_id = azurerm_virtual_hub.azfw_vwan_hub.id
+ remote_virtual_network_id = azurerm_virtual_network.azfw_vnet.id
+ internet_security_enabled = true
+ routing {
+ associated_route_table_id = azurerm_virtual_hub_route_table.vhub_rt.id
+ propagated_route_table {
+ route_table_ids = [azurerm_virtual_hub_route_table.vhub_rt.id]
+ labels = ["VNet"]
+ }
+ }
+ depends_on = [
+ azurerm_virtual_hub.azfw_vwan_hub,
+ azurerm_virtual_network.azfw_vnet
+ ]
+}
+
+// Create resources for Azure Firewall
+// Create a Public IP Address for Azure Firewall
+resource "azurerm_public_ip" "pip_azfw" {
+ name = "pip-azfw-securehub-eus"
+ location = azurerm_resource_group.azfw_rg.location
+ resource_group_name = azurerm_resource_group.azfw_rg.name
+ allocation_method = "Static"
+ sku = "Standard"
+ tags = 
azurerm_resource_group.azfw_rg.tags
+ depends_on = [
+ azurerm_resource_group.azfw_rg
+ ]
+}
+
+// Create a Azure Firewall Policy
+resource "azurerm_firewall_policy" "azfw_policy" {
+ name = "policy-azfw-securehub-eus"
+ resource_group_name = azurerm_resource_group.azfw_rg.name
+ location = azurerm_resource_group.azfw_rg.location
+ sku = "Premium"
+ threat_intelligence_mode = "Alert"
+ tags = azurerm_resource_group.azfw_rg.tags
+ depends_on = [
+ azurerm_resource_group.azfw_rg
+ ]
+}
+
+// Create a Azure Firewall Policy Rule Collection Group
+// Create a Application Rule Collection
+// Create rules for Windows Update
+// Create rules for Microsoft.com
+resource "azurerm_firewall_policy_rule_collection_group" "app_policy_rule_collection_group" {
+ name = "DefaulApplicationtRuleCollectionGroup"
+ firewall_policy_id = azurerm_firewall_policy.azfw_policy.id
+ priority = 300
+ application_rule_collection {
+ name = "DefaultApplicationRuleCollection"
+ action = "Allow"
+ priority = 100
+ rule {
+ name = "Allow-MSFT"
+ description = "Allow access to Microsoft.com"
+ protocols {
+ type = "Https"
+ port = 443
+ }
+ protocols {
+ type = "Http"
+ port = 80
+ }
+ destination_fqdns = ["*.microsoft.com"]
+ terminate_tls = false
+ source_addresses = ["*"]
+ }
+ }
+ depends_on = [
+ azurerm_firewall_policy.azfw_policy
+ ]
+}
+
+// Create the Azure Firewall
+resource "azurerm_firewall" "fw" {
+ name = "fw-azfw-securehub-eus"
+ location = azurerm_resource_group.azfw_rg.location
+ resource_group_name = azurerm_resource_group.azfw_rg.name
+ sku_name = "AZFW_Hub"
+ sku_tier = var.fw_sku
+ tags = azurerm_resource_group.azfw_rg.tags
+ virtual_hub {
+ virtual_hub_id = azurerm_virtual_hub.azfw_vwan_hub.id
+ public_ip_count = 1
+ }
+ firewall_policy_id = azurerm_firewall_policy.azfw_policy.id
+ depends_on = [
+ azurerm_firewall_policy.azfw_policy,
+ azurerm_virtual_hub.azfw_vwan_hub
+ ]
+}
+
+// Create Virtual Network, Subnets, PIP, NICs, NSGs, and NIC-NSG associations
+// Create a Virtual 
Network
+resource "azurerm_virtual_network" "azfw_vnet" {
+ name = "vnet-azfw-securehub-eus"
+ location = azurerm_resource_group.azfw_rg.location
+ resource_group_name = azurerm_resource_group.azfw_rg.name
+ address_space = ["10.10.0.0/16"]
+ tags = azurerm_resource_group.azfw_rg.tags
+ depends_on = [
+ azurerm_resource_group.azfw_rg
+ ]
+}
+
+// Create a Subnet for Workload VMs
+resource "azurerm_subnet" "workload_subnet" {
+ name = "subnet-workload"
+ resource_group_name = azurerm_resource_group.azfw_rg.name
+ virtual_network_name = azurerm_virtual_network.azfw_vnet.name
+ address_prefixes = ["10.10.1.0/24"]
+ depends_on = [
+ azurerm_virtual_network.azfw_vnet
+ ]
+}
+
+// Create a Subnet for Jump VM
+resource "azurerm_subnet" "jump_subnet" {
+ name = "subnet-jump"
+ resource_group_name = azurerm_resource_group.azfw_rg.name
+ virtual_network_name = azurerm_virtual_network.azfw_vnet.name
+ address_prefixes = ["10.10.2.0/24"]
+
+ depends_on = [
+ azurerm_virtual_network.azfw_vnet,
+ azurerm_route_table.rt
+ ]
+}
+
+// Create a NIC for Workload VM
+resource "azurerm_network_interface" "vm_workload_nic" {
+ name = "nic-workload"
+ location = azurerm_resource_group.azfw_rg.location
+ resource_group_name = azurerm_resource_group.azfw_rg.name
+
+ ip_configuration {
+ name = "ipconfig-workload"
+ subnet_id = azurerm_subnet.workload_subnet.id
+ private_ip_address_allocation = "Dynamic"
+ }
+ depends_on = [
+ azurerm_subnet.workload_subnet
+ ]
+}
+
+// Create a PIP for Jump VM
+resource "azurerm_public_ip" "vm_jump_pip" {
+ name = "pip-jump"
+ location = azurerm_resource_group.azfw_rg.location
+ resource_group_name = azurerm_resource_group.azfw_rg.name
+ allocation_method = "Static"
+ sku = "Standard"
+ tags = azurerm_resource_group.azfw_rg.tags
+ depends_on = [
+ azurerm_resource_group.azfw_rg
+ ]
+}
+
+// Create a NIC for Jump VM
+resource "azurerm_network_interface" "vm_jump_nic" {
+ name = "nic-jump"
+ location = azurerm_resource_group.azfw_rg.location
+ 
resource_group_name = azurerm_resource_group.azfw_rg.name
+
+ ip_configuration {
+ name = "ipconfig-jump"
+ subnet_id = azurerm_subnet.jump_subnet.id
+ private_ip_address_allocation = "Dynamic"
+ public_ip_address_id = azurerm_public_ip.vm_jump_pip.id
+ }
+ depends_on = [
+ azurerm_subnet.jump_subnet,
+ azurerm_public_ip.vm_jump_pip
+ ]
+}
+
+// Create a NSG for Workload VM
+resource "azurerm_network_security_group" "vm_workload_nsg" {
+ name = "nsg-workload"
+ location = azurerm_resource_group.azfw_rg.location
+ resource_group_name = azurerm_resource_group.azfw_rg.name
+ depends_on = [
+ azurerm_resource_group.azfw_rg
+ ]
+}
+
+// Create a NSG for Jump VM
+resource "azurerm_network_security_group" "vm_jump_nsg" {
+ name = "nsg-jump"
+ location = azurerm_resource_group.azfw_rg.location
+ resource_group_name = azurerm_resource_group.azfw_rg.name
+ security_rule {
+ name = "Allow-RDP"
+ priority = 300
+ direction = "Inbound"
+ access = "Allow"
+ protocol = "Tcp"
+ source_port_range = "*"
+ destination_port_range = "3389"
+ source_address_prefix = "*"
+ destination_address_prefix = "*"
+ }
+
+ depends_on = [
+ azurerm_resource_group.azfw_rg
+ ]
+}
+
+// Associate NSG for Workload VM NIC
+resource "azurerm_network_interface_security_group_association" "vm_workload_nsg_association" {
+ network_interface_id = azurerm_network_interface.vm_workload_nic.id
+ network_security_group_id = azurerm_network_security_group.vm_workload_nsg.id
+ depends_on = [
+ azurerm_network_interface.vm_workload_nic,
+ azurerm_network_security_group.vm_workload_nsg
+ ]
+}
+
+// Associate NSG for Jump VM NIC
+resource "azurerm_network_interface_security_group_association" "vm_jump_nsg_association" {
+ network_interface_id = azurerm_network_interface.vm_jump_nic.id
+ network_security_group_id = azurerm_network_security_group.vm_jump_nsg.id
+ depends_on = [
+ azurerm_network_interface.vm_jump_nic,
+ azurerm_network_security_group.vm_jump_nsg
+ ]
+}
+
+// Create Virtual Machines for testing
+// 
Create a Workload Virtual Machine
+resource "azurerm_windows_virtual_machine" "vm_workload" {
+ name = "workload-vm"
+ resource_group_name = azurerm_resource_group.azfw_rg.name
+ location = azurerm_resource_group.azfw_rg.location
+ size = var.vm_size
+ admin_username = var.admin_username
+ admin_password = var.admin_password
+ network_interface_ids = [azurerm_network_interface.vm_workload_nic.id]
+ os_disk {
+ caching = "ReadWrite"
+ storage_account_type = "Standard_LRS"
+ }
+ source_image_reference {
+ publisher = "MicrosoftWindowsServer"
+ offer = "WindowsServer"
+ sku = "2019-Datacenter"
+ version = "latest"
+ }
+ depends_on = [
+ azurerm_network_interface.vm_workload_nic
+ ]
+}
+
+// Create a Jump Virtual Machine
+resource "azurerm_windows_virtual_machine" "vm_jump" {
+ name = "jump-vm"
+ resource_group_name = azurerm_resource_group.azfw_rg.name
+ location = azurerm_resource_group.azfw_rg.location
+ size = var.vm_size
+ admin_username = var.admin_username
+ admin_password = var.admin_password
+ network_interface_ids = [azurerm_network_interface.vm_jump_nic.id]
+ os_disk {
+ caching = "ReadWrite"
+ storage_account_type = "Standard_LRS"
+ }
+ source_image_reference {
+ publisher = "MicrosoftWindowsServer"
+ offer = "WindowsServer"
+ sku = "2019-Datacenter"
+ version = "latest"
+ }
+ depends_on = [
+ azurerm_network_interface.vm_jump_nic
+ ]
+}
+
+// Create Routing for testing
+// Create a Route Table
+resource "azurerm_route_table" "rt" {
+ name = "rt-azfw-securehub-eus"
+ location = azurerm_resource_group.azfw_rg.location
+ resource_group_name = azurerm_resource_group.azfw_rg.name
+ disable_bgp_route_propagation = false
+ route {
+ name = "jump-to-internet"
+ address_prefix = "0.0.0.0/0"
+ next_hop_type = "Internet"
+ }
+ depends_on = [
+ azurerm_resource_group.azfw_rg
+ ]
+}
+
+// Associate Route Table to Jump VM Subnet
+resource "azurerm_subnet_route_table_association" "jump_subnet_rt_association" {
+ subnet_id = azurerm_subnet.jump_subnet.id
+ route_table_id 
= azurerm_route_table.rt.id
+ depends_on = [
+ azurerm_subnet.jump_subnet,
+ azurerm_route_table.rt
+ ]
+}
+
+// Creat a Virtual Hub Route Table
+resource "azurerm_virtual_hub_route_table" "vhub_rt" {
+ name = "vhub-rt-azfw-securehub-eus"
+ virtual_hub_id = azurerm_virtual_hub.azfw_vwan_hub.id
+ route {
+ name = "workload-SNToFirewall"
+ destinations_type = "CIDR"
+ destinations = ["10.10.1.0/24"]
+ next_hop_type = "ResourceId"
+ next_hop = azurerm_firewall.fw.id
+ }
+ route {
+ name = "InternetToFirewall"
+ destinations_type = "CIDR"
+ destinations = ["0.0.0.0/0"]
+ next_hop_type = "ResourceId"
+ next_hop = azurerm_firewall.fw.id
+ }
+ labels = ["VNet"]
+ depends_on = [
+ azurerm_virtual_hub.azfw_vwan_hub,
+ azurerm_firewall.fw
+ ]
+}
+
diff --git a/quickstart/201-azfw-with-secure-hub/outputs.tf b/quickstart/201-azfw-with-secure-hub/outputs.tf
new file mode 100644
index 000000000..67ad7df31
--- /dev/null
+++ b/quickstart/201-azfw-with-secure-hub/outputs.tf
@@ -0,0 +1,3 @@
+output "rg_name" {
+ value = azurerm_resource_group.azfw_rg.name
+}
\ No newline at end of file
diff --git a/quickstart/201-azfw-with-secure-hub/provider.tf b/quickstart/201-azfw-with-secure-hub/provider.tf
new file mode 100644
index 000000000..76b5065bc
--- /dev/null
+++ b/quickstart/201-azfw-with-secure-hub/provider.tf
@@ -0,0 +1,16 @@
+terraform {
+ required_providers {
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = "3.69.0"
+ }
+ }
+}
+
+provider "azurerm" {
+ features {
+ resource_group {
+ prevent_deletion_if_contains_resources = false // Set to True for Production
+ }
+ }
+}
diff --git a/quickstart/201-azfw-with-secure-hub/variables.tf b/quickstart/201-azfw-with-secure-hub/variables.tf
new file mode 100644
index 000000000..fd29a8593
--- /dev/null
+++ b/quickstart/201-azfw-with-secure-hub/variables.tf
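Review bot: The `Allow-RDP` rule in `azurerm_network_security_group.vm_jump_nsg` permits TCP 3389 with `source_address_prefix = "*"`, and `vm_jump_nic` attaches `azurerm_public_ip.vm_jump_pip`, so once applied the jump VM accepts RDP from any Internet address, guarded only by `var.admin_password`. Narrowing the rule to the operator's own address — `source_address_prefix = "<management-cidr>"` (placeholder), ideally supplied through a variable with no default — keeps the test path while closing the exposure. Separately, `azurerm_route_table.rt` sends the jump subnet's `0.0.0.0/0` to `Internet`, so traffic from that subnet never transits the firewall; this reads as intentional for testing, but the `// Create Routing for testing` comment should say so explicitly. The rule collection group name `"DefaulApplicationtRuleCollectionGroup"` is misspelled; fixing it in this first commit is free, whereas a rename after deployment typically forces the resource to be replaced.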
@@ -0,0 +1,30 @@
+// Create Variables for Location and Tags
+variable "location" {
+ default = "eastus"
+}
+variable "tags" {
+ default = {
+ environment = "dev"
+ costcenter = "1234556677"
+ owner = "cloud team"
+ workload = "azure firewall"
+ }
+}
+
+// Create Firewall Variables
+variable "fw_sku" {
+ default = "Premium" # Valid values are Standard and Premium
+}
+
+// Create Virtual Machine Sku Size Variables
+variable "vm_size" {
+ default = "Standard_D2_v3"
+}
+
+// Create Admin Username and Password
+variable "admin_username" {
+ default = "azureuser"
+}
+variable "admin_password" {
+ default = "P@ssw0rd1234!"
+}
From a79609c75e0d5e348ca81ddf85436cdd53fd2150 Mon Sep 17 00:00:00 2001
From: Charles Shea
Date: Tue, 22 Aug 2023 19:17:23 -0400
Subject: [PATCH 2/9] UPDATE format
---
 quickstart/101-azfw-with-fwpolicy/README.md | 6 ++----
 quickstart/201-azfw-with-secure-hub/README.md | 6 ++----
 2 files changed, 4 insertions(+), 8 deletions(-)
diff --git a/quickstart/101-azfw-with-fwpolicy/README.md b/quickstart/101-azfw-with-fwpolicy/README.md
index 5fb781393..ccaac8571 100644
--- a/quickstart/101-azfw-with-fwpolicy/README.md
+++ b/quickstart/101-azfw-with-fwpolicy/README.md
@@ -1,8 +1,6 @@
 # Deploy Azure Firewall and a Firewall Policy
-This template deploys an Azure Firewall and a Firewall Policy. The Firewall Policy is associated to the Firewall.
-
-## Resources
+## Resources
 | Terraform Resource Type | Description |
 | - | - |
@@ -227,4 +225,4 @@ terraform plan -out main.tfplan
 }
 Plan: 10 to add, 0 to change, 0 to destroy.
-``````
\ No newline at end of file
+```
\ No newline at end of file
diff --git a/quickstart/201-azfw-with-secure-hub/README.md b/quickstart/201-azfw-with-secure-hub/README.md
index 2bdb52b85..d49e3ced3 100644
--- a/quickstart/201-azfw-with-secure-hub/README.md
+++ b/quickstart/201-azfw-with-secure-hub/README.md
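Review bot: `variable "admin_password"` carries a hard-coded working default, `"P@ssw0rd1234!"`, which main.tf feeds to both `vm_workload` and `vm_jump`, and the variable is neither typed nor marked `sensitive`, so a usable credential is committed with the template and may be echoed wherever variable values are printed. Declaring it as `type = string` with `sensitive = true` and no `default` makes Terraform require a value at plan time and redact it in CLI output. The remaining variables (`location`, `fw_sku`, `vm_size`, `admin_username`) would likewise benefit from `type` and `description`, and the `# Valid values are Standard and Premium` comment on `fw_sku` could be enforced with a `validation` block. Patch 3/9 in this series also modifies this file, but that hunk is outside this view, so part of this may already be handled there.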
@@ -1,8 +1,6 @@
-# Deploy Azure Firewall and a Firewall Policy
+# Deploy Azure Firewall and a Firewall Policy to a Secure Hub
-This template deploys an Azure Firewall and a Firewall Policy to a Secure Hub. The Firewall Policy is associated with the Firewall policy.
-
-## Resources
+## Resources
 | Terraform Resource Type | Description |
 | - | - |
From 85c7f846f6a05bf6cf77cee16c4acdb5f4f07e71 Mon Sep 17 00:00:00 2001
From: Charles J Shea <58995422+cshea15@users.noreply.github.com>
Date: Mon, 28 Aug 2023 11:11:48 -0400
Subject: [PATCH 3/9] updated files with feedback from pr
---
 quickstart/101-azfw-with-fwpolicy/README.md | 239 +-------
 quickstart/101-azfw-with-fwpolicy/main.tf | 57 +-
 quickstart/101-azfw-with-fwpolicy/outputs.tf | 4 +-
 quickstart/101-azfw-with-fwpolicy/provider.tf | 2 +-
 .../101-azfw-with-fwpolicy/variables.tf | 16 +-
 quickstart/201-azfw-with-secure-hub/README.md | 566 +-----------------
 quickstart/201-azfw-with-secure-hub/main.tf | 169 ++----
 .../201-azfw-with-secure-hub/outputs.tf | 21 +-
 .../201-azfw-with-secure-hub/provider.tf | 6 +-
 .../201-azfw-with-secure-hub/variables.tf | 24 +-
 10 files changed, 150 insertions(+), 954 deletions(-)
diff --git a/quickstart/101-azfw-with-fwpolicy/README.md b/quickstart/101-azfw-with-fwpolicy/README.md
index ccaac8571..d8e5a8edc 100644
--- a/quickstart/101-azfw-with-fwpolicy/README.md
+++ b/quickstart/101-azfw-with-fwpolicy/README.md
@@ -1,228 +1,23 @@ -# Deploy Azure Firewall and a Firewall Policy +# Azure Firewall and Azure Firewall Policy -## Resources +This template deploys an [Azure Firewall](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/firewall) with an [Azure Firewall Policy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/firewall_policy) -| Terraform Resource Type | Description | -| - | - | -| `azurerm_resource_group` | The resource group all the deployed resources.| -| `azurerm_virtual_network` | The virtual network for the firewall. | -| `azurerm_subnet` |The firewall subnet.| -| `azurerm_public_ip` | The firewall public IP address. | -| `azurerm_firewall` | The premium Azure Firewall. | -| `azurerm_firewall_policy` | The policy associated to the Firewall | -| `azurerm_firewall_policy_rule_collection_group` | the rules collection group for firewall policy | -| `azurerm_ip_group` | The IP group for source addresses. | +## Terraform resource types -## Variables - -| Name | Description | -|-|-| -| `location` | location for your resources | -| `tags` | tags to organize your resources | -| `fw_sku` | Sku size for your Firewall and Firewall Policy | - -## Example - -```powershell -terraform plan -out main.tfplan - - # azurerm_firewall.fw will be created - + resource "azurerm_firewall" "fw" { - + firewall_policy_id = (known after apply) - + id = (known after apply) - + location = "eastus" - + name = "azfw" - + resource_group_name = "azfw-rg" - + sku_name = "AZFW_VNet" - + sku_tier = "Premium" - + threat_intel_mode = (known after apply) - - + ip_configuration { - + name = "azfw-ipconfig" - + private_ip_address = (known after apply) - + public_ip_address_id = (known after apply) - + subnet_id = (known after apply) - } - } - - # azurerm_firewall_policy.azfw_policy will be created - + resource "azurerm_firewall_policy" "azfw_policy" { - + child_policies = (known after apply) - + firewalls = (known after apply) - + id = (known 
after apply) - + location = "eastus" - + name = "azfw-policy" - + resource_group_name = "azfw-rg" - + rule_collection_groups = (known after apply) - + sku = "Premium" - + threat_intelligence_mode = "Alert" - } - - # azurerm_firewall_policy_rule_collection_group.app_policy_rule_collection_group will be created - + resource "azurerm_firewall_policy_rule_collection_group" "app_policy_rule_collection_group" { - + firewall_policy_id = (known after apply) - + id = (known after apply) - + name = "DefaulApplicationtRuleCollectionGroup" - + priority = 300 - - + application_rule_collection { - + action = "Allow" - + name = "DefaultApplicationRuleCollection" - + priority = 500 - - + rule { - + description = "Allow Windows Update" - + destination_fqdn_tags = [ - + "WindowsUpdate", - ] - + name = "AllowWindowsUpdate" - + source_ip_groups = (known after apply) +- [azurerm_resource_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) +- [azurerm_virtual_network](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_network) +- [azurerm_subnet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet) +- [azurerm_ip_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/ip_group) +- [azurerm_public_ip](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/public_ip) +- [azurerm_firewall_policy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/firewall_policy) +- [azurerm_firewall_policy_rule_collection_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/firewall_policy_rule_collection_group) +- [azurerm_firewall](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/firewall) - + protocols { - + port = 80 - + type = "Http" - } - + protocols { - + port = 443 - + type = "Https" - } - } - + rule { - + description = "Allow 
access to Microsoft.com" - + destination_fqdns = [ - + "*.microsoft.com", - ] - + name = "Global Rule" - + source_ip_groups = (known after apply) - + terminate_tls = false - - + protocols { - + port = 443 - + type = "Https" - } - } - } - } - - # azurerm_firewall_policy_rule_collection_group.net_policy_rule_collection_group will be created - + resource "azurerm_firewall_policy_rule_collection_group" "net_policy_rule_collection_group" { - + firewall_policy_id = (known after apply) - + id = (known after apply) - + name = "DefaultNetworkRuleCollectionGroup" - + priority = 200 - - + network_rule_collection { - + action = "Allow" - + name = "DefaultNetworkRuleCollection" - + priority = 200 - - + rule { - + destination_addresses = [ - + "132.86.101.172", - ] - + destination_ports = [ - + "123", - ] - + name = "time-windows" - + protocols = [ - + "UDP", - ] - + source_ip_groups = (known after apply) - } - } - } - - # azurerm_ip_group.infra_ip_group will be created - + resource "azurerm_ip_group" "infra_ip_group" { - + cidrs = [ - + "10.40.0.0/24", - + "10.50.0.0/24", - ] - + firewall_ids = (known after apply) - + firewall_policy_ids = (known after apply) - + id = (known after apply) - + location = "eastus" - + name = "infra-ip-group" - + resource_group_name = "azfw-rg" - } - - # azurerm_ip_group.workload_ip_group will be created - + resource "azurerm_ip_group" "workload_ip_group" { - + cidrs = [ - + "10.20.0.0/24", - + "10.30.0.0/24", - ] - + firewall_ids = (known after apply) - + firewall_policy_ids = (known after apply) - + id = (known after apply) - + location = "eastus" - + name = "workload-ip-group" - + resource_group_name = "azfw-rg" - } - - # azurerm_public_ip.pip_azfw will be created - + resource "azurerm_public_ip" "pip_azfw" { - + allocation_method = "Static" - + ddos_protection_mode = "VirtualNetworkInherited" - + fqdn = (known after apply) - + id = (known after apply) - + idle_timeout_in_minutes = 4 - + ip_address = (known after apply) - + ip_version = "IPv4" - 
+ location = "eastus" - + name = "pip-azfw" - + resource_group_name = "azfw-rg" - + sku = "Standard" - + sku_tier = "Regional" - + tags = { - + "costcenter" = "1234556677" - + "environment" = "dev" - + "owner" = "cloud team" - + "workload" = "azure firewall" - } - } - - # azurerm_resource_group.azfw_rg will be created - + resource "azurerm_resource_group" "azfw_rg" { - + id = (known after apply) - + location = "eastus" - + name = "azfw-rg" - + tags = { - + "costcenter" = "1234556677" - + "environment" = "dev" - + "owner" = "cloud team" - + "workload" = "azure firewall" - } - } - - # azurerm_subnet.azfw_subnet will be created - + resource "azurerm_subnet" "azfw_subnet" { - + address_prefixes = [ - + "10.10.0.0/26", - ] - + enforce_private_link_endpoint_network_policies = (known after apply) - + enforce_private_link_service_network_policies = (known after apply) - + id = (known after apply) - + name = "AzureFirewallSubnet" - + private_endpoint_network_policies_enabled = (known after apply) - + private_link_service_network_policies_enabled = (known after apply) - + resource_group_name = "azfw-rg" - + virtual_network_name = "azfw-vnet" - } +## Variables - # azurerm_virtual_network.azfw_vnet will be created - + resource "azurerm_virtual_network" "azfw_vnet" { - + address_space = [ - + "10.10.0.0/24", - ] - + dns_servers = (known after apply) - + guid = (known after apply) - + id = (known after apply) - + location = "eastus" - + name = "azfw-vnet" - + resource_group_name = "azfw-rg" - + subnet = (known after apply) - } +| Name | Description | Default value | +|-|-|-| +| `resource_group_location` | location for your resources | eastus | +| `firewall_sku_tier` | Sku size for your Firewall and Firewall Policy | Premium | -Plan: 10 to add, 0 to change, 0 to destroy. -``` \ No newline at end of file +## Example \ No newline at end of file diff --git a/quickstart/101-azfw-with-fwpolicy/main.tf b/quickstart/101-azfw-with-fwpolicy/main.tf index c39981331..dd39cae34 100644 
--- a/quickstart/101-azfw-with-fwpolicy/main.tf
+++ b/quickstart/101-azfw-with-fwpolicy/main.tf
@@ -1,74 +1,54 @@
 // Create a Resource Group
-resource "azurerm_resource_group" "azfw_rg" {
+resource "azurerm_resource_group" "rg" {
 name = "azfw-rg"
- location = var.location
- tags = var.tags
+ location = var.resource_group_location
 }
 // Create a Virtual Network
 resource "azurerm_virtual_network" "azfw_vnet" {
 name = "azfw-vnet"
- location = azurerm_resource_group.azfw_rg.location
- resource_group_name = azurerm_resource_group.azfw_rg.name
+ location = azurerm_resource_group.rg.location
+ resource_group_name = azurerm_resource_group.rg.name
 address_space = ["10.10.0.0/24"]
- depends_on = [
- azurerm_resource_group.azfw_rg
- ]
 }
 // Create IP Groups
 resource "azurerm_ip_group" "workload_ip_group" {
 name = "workload-ip-group"
- resource_group_name = azurerm_resource_group.azfw_rg.name
- location = azurerm_resource_group.azfw_rg.location
+ resource_group_name = azurerm_resource_group.rg.name
+ location = azurerm_resource_group.rg.location
 cidrs = ["10.20.0.0/24", "10.30.0.0/24"]
- depends_on = [
- azurerm_resource_group.azfw_rg,
- azurerm_virtual_network.azfw_vnet
- ]
 }
 resource "azurerm_ip_group" "infra_ip_group" {
 name = "infra-ip-group"
- resource_group_name = azurerm_resource_group.azfw_rg.name
- location = azurerm_resource_group.azfw_rg.location
+ resource_group_name = azurerm_resource_group.rg.name
+ location = azurerm_resource_group.rg.location
 cidrs = ["10.40.0.0/24", "10.50.0.0/24"]
- depends_on = [
- azurerm_resource_group.azfw_rg,
- azurerm_virtual_network.azfw_vnet
- ]
 }
 // Create the Azure Firewall Subnet
 resource "azurerm_subnet" "azfw_subnet" {
 name = "AzureFirewallSubnet"
- resource_group_name = azurerm_resource_group.azfw_rg.name
+ resource_group_name = azurerm_resource_group.rg.name
 virtual_network_name = azurerm_virtual_network.azfw_vnet.name
 address_prefixes = ["10.10.0.0/26"]
- depends_on = [
- azurerm_resource_group.azfw_rg,
- azurerm_virtual_network.azfw_vnet
- ]
 }
 // Create a Public IP Address for Azure Firewall
 resource "azurerm_public_ip" 
"pip_azfw" {
 name = "pip-azfw"
- location = azurerm_resource_group.azfw_rg.location
- resource_group_name = azurerm_resource_group.azfw_rg.name
+ location = azurerm_resource_group.rg.location
+ resource_group_name = azurerm_resource_group.rg.name
 allocation_method = "Static"
 sku = "Standard"
- tags = azurerm_resource_group.azfw_rg.tags
- depends_on = [
- azurerm_resource_group.azfw_rg
- ]
 }
 // Create a Azure Firewall Policy
 resource "azurerm_firewall_policy" "azfw_policy" {
 name = "azfw-policy"
- resource_group_name = azurerm_resource_group.azfw_rg.name
- location = azurerm_resource_group.azfw_rg.location
- sku = var.fw_sku
+ resource_group_name = azurerm_resource_group.rg.name
+ location = azurerm_resource_group.rg.location
+ sku = var.firewall_sku_tier
 threat_intelligence_mode = "Alert"
 }
@@ -132,18 +112,15 @@ resource "azurerm_firewall_policy_rule_collection_group" "app_policy_rule_collec
 source_ip_groups = [azurerm_ip_group.workload_ip_group.id, azurerm_ip_group.infra_ip_group.id]
 }
 }
- depends_on = [
- azurerm_firewall_policy.azfw_policy
- ]
 }
 // Create the Azure Firewall
 resource "azurerm_firewall" "fw" {
 name = "azfw"
- location = azurerm_resource_group.azfw_rg.location
- resource_group_name = azurerm_resource_group.azfw_rg.name
+ location = azurerm_resource_group.rg.location
+ resource_group_name = azurerm_resource_group.rg.name
 sku_name = "AZFW_VNet"
- sku_tier = var.fw_sku
+ sku_tier = var.firewall_sku_tier
 ip_configuration {
 name = "azfw-ipconfig"
 subnet_id = azurerm_subnet.azfw_subnet.id
diff --git a/quickstart/101-azfw-with-fwpolicy/outputs.tf b/quickstart/101-azfw-with-fwpolicy/outputs.tf
index 67ad7df31..c765da635 100644
--- a/quickstart/101-azfw-with-fwpolicy/outputs.tf
+++ b/quickstart/101-azfw-with-fwpolicy/outputs.tf
@@ -1,3 +1,3 @@
-output "rg_name" {
- value = azurerm_resource_group.azfw_rg.name
+output "resource_group_name" {
+ value = azurerm_resource_group.rg.name
 }
\ No newline at end of file
diff --git a/quickstart/101-azfw-with-fwpolicy/provider.tf b/quickstart/101-azfw-with-fwpolicy/provider.tf
index 76b5065bc..1c5540f8e 100644
--- a/quickstart/101-azfw-with-fwpolicy/provider.tf
+++ b/quickstart/101-azfw-with-fwpolicy/provider.tf
@@ -2,7 +2,7 @@ terraform {
 required_providers {
 azurerm = {
 source = "hashicorp/azurerm"
- version = "3.69.0"
+ version = "~>3.0"
 }
 }
 }
diff --git a/quickstart/101-azfw-with-fwpolicy/variables.tf b/quickstart/101-azfw-with-fwpolicy/variables.tf
index 2a925a383..83b7760d3 100644
--- a/quickstart/101-azfw-with-fwpolicy/variables.tf
+++ b/quickstart/101-azfw-with-fwpolicy/variables.tf
@@ -1,18 +1,14 @@
 // Create Variables for Location and Tags
-variable "location" {
+variable "resource_group_location" {
+ type = string
+ description = "Location for all resources."
 default = "eastus"
 }
-variable "tags" {
- default = {
- environment = "dev"
- costcenter = "1234556677"
- owner = "cloud team"
- workload = "azure firewall"
- }
-}
 // Create Firewall Variables
-variable "fw_sku" {
+variable "firewall_sku_tier" {
+ type = string
+ description = "Firewall SKU."
 default = "Premium" # Valid values are Standard and Premium
 }
diff --git a/quickstart/201-azfw-with-secure-hub/README.md b/quickstart/201-azfw-with-secure-hub/README.md
index d49e3ced3..74c8241b4 100644
--- a/quickstart/201-azfw-with-secure-hub/README.md
+++ b/quickstart/201-azfw-with-secure-hub/README.md
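Review bot: In the variables.tf hunk the header comment still reads `// Create Variables for Location and Tags` although the same hunk deletes the `tags` variable; `// Create Variables for Location` describes what remains. The `# Valid values are Standard and Premium` comment on `firewall_sku_tier` states a constraint Terraform could check itself: a `validation` block with `condition = contains(["Standard", "Premium"], var.firewall_sku_tier)` and a matching `error_message` rejects a typo at plan time instead of at the provider. The `description = "Firewall SKU."` could also say that the value is applied to both `azurerm_firewall.sku_tier` and `azurerm_firewall_policy.sku` in main.tf, as the README variable table already does.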
@@ -1,541 +1,33 @@ -# Deploy Azure Firewall and a Firewall Policy to a Secure Hub - -## Resources - -| Terraform Resource Type | Description | -| - | - | -| `azurerm_resource_group` | The resource group all the deployed resources.| -| `azurerm_virtual_wan` | The virtual wan for the virtual hub | -| `azurerm_virtual_hub` | The virtual hub for the firewall | -| `azurerm_virtual_hub_route_table` | The route table for the virtual hub | -| `azurerm_virtual_hub_connection` | The connection between the virtual hub and the virtual network spoke | -| `azurerm_public_ip` | The firewall public IP address and public access to the jump vm. | -| `azurerm_firewall_policy` | The policy associated to the Firewall | -| `azurerm_firewall_policy_rule_collection_group` | the rules collection group to add network and application rule collections for firewall policy | -| `azurerm_firewall` | The premium Azure Firewall. | -| `azurerm_virtual_network` | The virtual network for the firewall. | -| `azurerm_subnet` | The subnets for jump and workload vms. 
| -| `azurerm_network_interface` | The nics for the jump and workload vms | -| `azurerm_network_security_group` | The nsg for the jump and workload vms | -| `azurerm_network_interface_security_group_association` | The association between the nics and the nsgs | -| `azurerm_virtual_machine` | The jump and workload vms for testing | -| `azurerm_route_table` | The route table for the jump vms | -| `azurerm_subnet_route_table_association` | The association between the subnets and the route tables | -| `azurerm_virtual_hub_route_table` | The route table for the virtual hub | +# Azure Firewall with Secure Hub + +This template deploys an [Azure Firewall](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/firewall) in a [Virtual Secure Hub](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_hub) + +## Terraform resource types + +- [azurerm_resource_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) +- [azurerm_virtual_wan](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_wan) +- [azurerm_virtual_hub](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_hub) +- [azurerm_virtual_hub_connection](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_hub_connection) +- [azurerm_public_ip](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/public_ip) +- [azurerm_firewall_policy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/firewall_policy) +- [azurerm_firewall_policy_rule_collection_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/firewall_policy_rule_collection_group) +- [azurerm_virtual_network](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_network) +- 
[azurerm_subnet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet) +- [azurerm_network_interface](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_interface) +- [azurerm_network_security_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_security_group) +- [azurerm_network_interface_security_group_associtation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_interface_security_group_association +- [azurerm_windows_virtual_machine](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/windows_virtual_machine) +- [azurerm_route_table](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/route_table) +- [azurerm_subnet_route_table_association](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet_route_table_association) +- [azurerm_virtual_hub_route_table](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_hub_route_table) ## Variables -| Name | Description | -|-|-| -| `location` | location for your resources | -| `tags` | tags to organize your resources | -| `fw_sku` | Sku size for your Firewall and Firewall Policy | -| `vm_size` | Sku size for your jump and workload vms | -| `admin_username` | admin username for the jump and workload vms | -| `admin_password` | admin password for the jump and workload vms | - -## Example - -```powershell -Terraform used the selected providers to generate the following execution plan. 
Resource actions are indicated with the following symbols: - + create - -Terraform will perform the following actions: - - # azurerm_firewall.fw will be created - + resource "azurerm_firewall" "fw" { - + firewall_policy_id = (known after apply) - + id = (known after apply) - + location = "eastus" - + name = "fw-azfw-securehub-eus" - + resource_group_name = "rg-azfw-securehub-eus" - + sku_name = "AZFW_Hub" - + sku_tier = "Premium" - + tags = { - + "costcenter" = "1234556677" - + "environment" = "dev" - + "owner" = "cloud team" - + "workload" = "azure firewall" - } - + threat_intel_mode = (known after apply) - - + virtual_hub { - + private_ip_address = (known after apply) - + public_ip_addresses = (known after apply) - + public_ip_count = 1 - + virtual_hub_id = (known after apply) - } - } - - # azurerm_firewall_policy.azfw_policy will be created - + resource "azurerm_firewall_policy" "azfw_policy" { - + child_policies = (known after apply) - + firewalls = (known after apply) - + id = (known after apply) - + location = "eastus" - + name = "policy-azfw-securehub-eus" - + resource_group_name = "rg-azfw-securehub-eus" - + rule_collection_groups = (known after apply) - + sku = "Premium" - + tags = { - + "costcenter" = "1234556677" - + "environment" = "dev" - + "owner" = "cloud team" - + "workload" = "azure firewall" - } - + threat_intelligence_mode = "Alert" - } - - # azurerm_firewall_policy_rule_collection_group.app_policy_rule_collection_group will be created - + resource "azurerm_firewall_policy_rule_collection_group" "app_policy_rule_collection_group" { - + firewall_policy_id = (known after apply) - + id = (known after apply) - + name = "DefaulApplicationtRuleCollectionGroup" - + priority = 300 - - + application_rule_collection { - + action = "Allow" - + name = "DefaultApplicationRuleCollection" - + priority = 100 - - + rule { - + description = "Allow access to Microsoft.com" - + destination_fqdns = [ - + "*.microsoft.com", - ] - + name = "Allow-MSFT" - + 
source_addresses = [ - + "*", - ] - + terminate_tls = false - - + protocols { - + port = 443 - + type = "Https" - } - + protocols { - + port = 80 - + type = "Http" - } - } - } - } - - # azurerm_network_interface.vm_jump_nic will be created - + resource "azurerm_network_interface" "vm_jump_nic" { - + applied_dns_servers = (known after apply) - + dns_servers = (known after apply) - + enable_accelerated_networking = false - + enable_ip_forwarding = false - + id = (known after apply) - + internal_dns_name_label = (known after apply) - + internal_domain_name_suffix = (known after apply) - + location = "eastus" - + mac_address = (known after apply) - + name = "nic-jump" - + private_ip_address = (known after apply) - + private_ip_addresses = (known after apply) - + resource_group_name = "rg-azfw-securehub-eus" - + virtual_machine_id = (known after apply) - - + ip_configuration { - + gateway_load_balancer_frontend_ip_configuration_id = (known after apply) - + name = "ipconfig-jump" - + primary = (known after apply) - + private_ip_address = (known after apply) - + private_ip_address_allocation = "Dynamic" - + private_ip_address_version = "IPv4" - + public_ip_address_id = (known after apply) - + subnet_id = (known after apply) - } - } - - # azurerm_network_interface.vm_workload_nic will be created - + resource "azurerm_network_interface" "vm_workload_nic" { - + applied_dns_servers = (known after apply) - + dns_servers = (known after apply) - + enable_accelerated_networking = false - + enable_ip_forwarding = false - + id = (known after apply) - + internal_dns_name_label = (known after apply) - + internal_domain_name_suffix = (known after apply) - + location = "eastus" - + mac_address = (known after apply) - + name = "nic-workload" - + private_ip_address = (known after apply) - + private_ip_addresses = (known after apply) - + resource_group_name = "rg-azfw-securehub-eus" - + virtual_machine_id = (known after apply) - - + ip_configuration { - + 
gateway_load_balancer_frontend_ip_configuration_id = (known after apply) - + name = "ipconfig-workload" - + primary = (known after apply) - + private_ip_address = (known after apply) - + private_ip_address_allocation = "Dynamic" - + private_ip_address_version = "IPv4" - + subnet_id = (known after apply) - } - } - - # azurerm_network_interface_security_group_association.vm_jump_nsg_association will be created - + resource "azurerm_network_interface_security_group_association" "vm_jump_nsg_association" { - + id = (known after apply) - + network_interface_id = (known after apply) - + network_security_group_id = (known after apply) - } - - # azurerm_network_interface_security_group_association.vm_workload_nsg_association will be created - + resource "azurerm_network_interface_security_group_association" "vm_workload_nsg_association" { - + id = (known after apply) - + network_interface_id = (known after apply) - + network_security_group_id = (known after apply) - } - - # azurerm_network_security_group.vm_jump_nsg will be created - + resource "azurerm_network_security_group" "vm_jump_nsg" { - + id = (known after apply) - + location = "eastus" - + name = "nsg-jump" - + resource_group_name = "rg-azfw-securehub-eus" - + security_rule = [ - + { - + access = "Allow" - + description = "" - + destination_address_prefix = "*" - + destination_address_prefixes = [] - + destination_application_security_group_ids = [] - + destination_port_range = "3389" - + destination_port_ranges = [] - + direction = "Inbound" - + name = "Allow-RDP" - + priority = 300 - + protocol = "Tcp" - + source_address_prefix = "*" - + source_address_prefixes = [] - + source_application_security_group_ids = [] - + source_port_range = "*" - + source_port_ranges = [] - }, - ] - } - - # azurerm_network_security_group.vm_workload_nsg will be created - + resource "azurerm_network_security_group" "vm_workload_nsg" { - + id = (known after apply) - + location = "eastus" - + name = "nsg-workload" - + 
resource_group_name = "rg-azfw-securehub-eus" - + security_rule = (known after apply) - } - - # azurerm_public_ip.pip_azfw will be created - + resource "azurerm_public_ip" "pip_azfw" { - + allocation_method = "Static" - + ddos_protection_mode = "VirtualNetworkInherited" - + fqdn = (known after apply) - + id = (known after apply) - + idle_timeout_in_minutes = 4 - + ip_address = (known after apply) - + ip_version = "IPv4" - + location = "eastus" - + name = "pip-azfw-securehub-eus" - + resource_group_name = "rg-azfw-securehub-eus" - + sku = "Standard" - + sku_tier = "Regional" - + tags = { - + "costcenter" = "1234556677" - + "environment" = "dev" - + "owner" = "cloud team" - + "workload" = "azure firewall" - } - } - - # azurerm_public_ip.vm_jump_pip will be created - + resource "azurerm_public_ip" "vm_jump_pip" { - + allocation_method = "Static" - + ddos_protection_mode = "VirtualNetworkInherited" - + fqdn = (known after apply) - + id = (known after apply) - + idle_timeout_in_minutes = 4 - + ip_address = (known after apply) - + ip_version = "IPv4" - + location = "eastus" - + name = "pip-jump" - + resource_group_name = "rg-azfw-securehub-eus" - + sku = "Standard" - + sku_tier = "Regional" - + tags = { - + "costcenter" = "1234556677" - + "environment" = "dev" - + "owner" = "cloud team" - + "workload" = "azure firewall" - } - } - - # azurerm_resource_group.azfw_rg will be created - + resource "azurerm_resource_group" "azfw_rg" { - + id = (known after apply) - + location = "eastus" - + name = "rg-azfw-securehub-eus" - + tags = { - + "costcenter" = "1234556677" - + "environment" = "dev" - + "owner" = "cloud team" - + "workload" = "azure firewall" - } - } - - # azurerm_route_table.rt will be created - + resource "azurerm_route_table" "rt" { - + disable_bgp_route_propagation = false - + id = (known after apply) - + location = "eastus" - + name = "rt-azfw-securehub-eus" - + resource_group_name = "rg-azfw-securehub-eus" - + route = [ - + { - + address_prefix = "0.0.0.0/0" - + 
name = "jump-to-internet" - + next_hop_in_ip_address = "" - + next_hop_type = "Internet" - }, - ] - + subnets = (known after apply) - } - - # azurerm_subnet.jump_subnet will be created - + resource "azurerm_subnet" "jump_subnet" { - + address_prefixes = [ - + "10.10.2.0/24", - ] - + enforce_private_link_endpoint_network_policies = (known after apply) - + enforce_private_link_service_network_policies = (known after apply) - + id = (known after apply) - + name = "subnet-jump" - + private_endpoint_network_policies_enabled = (known after apply) - + private_link_service_network_policies_enabled = (known after apply) - + resource_group_name = "rg-azfw-securehub-eus" - + virtual_network_name = "vnet-azfw-securehub-eus" - } - - # azurerm_subnet.workload_subnet will be created - + resource "azurerm_subnet" "workload_subnet" { - + address_prefixes = [ - + "10.10.1.0/24", - ] - + enforce_private_link_endpoint_network_policies = (known after apply) - + enforce_private_link_service_network_policies = (known after apply) - + id = (known after apply) - + name = "subnet-workload" - + private_endpoint_network_policies_enabled = (known after apply) - + private_link_service_network_policies_enabled = (known after apply) - + resource_group_name = "rg-azfw-securehub-eus" - + virtual_network_name = "vnet-azfw-securehub-eus" - } - - # azurerm_subnet_route_table_association.jump_subnet_rt_association will be created - + resource "azurerm_subnet_route_table_association" "jump_subnet_rt_association" { - + id = (known after apply) - + route_table_id = (known after apply) - + subnet_id = (known after apply) - } - - # azurerm_virtual_hub.azfw_vwan_hub will be created - + resource "azurerm_virtual_hub" "azfw_vwan_hub" { - + address_prefix = "10.20.0.0/23" - + default_route_table_id = (known after apply) - + hub_routing_preference = "ExpressRoute" - + id = (known after apply) - + location = "eastus" - + name = "hub-azfw-securehub-eus" - + resource_group_name = "rg-azfw-securehub-eus" - + tags = 
{ - + "costcenter" = "1234556677" - + "environment" = "dev" - + "owner" = "cloud team" - + "workload" = "azure firewall" - } - + virtual_router_asn = (known after apply) - + virtual_router_auto_scale_min_capacity = 2 - + virtual_router_ips = (known after apply) - + virtual_wan_id = (known after apply) - } - - # azurerm_virtual_hub_connection.azfw_vwan_hub_connection will be created - + resource "azurerm_virtual_hub_connection" "azfw_vwan_hub_connection" { - + id = (known after apply) - + internet_security_enabled = true - + name = "hub-to-spoke" - + remote_virtual_network_id = (known after apply) - + virtual_hub_id = (known after apply) - - + routing { - + associated_route_table_id = (known after apply) - - + propagated_route_table { - + labels = [ - + "VNet", - ] - + route_table_ids = (known after apply) - } - } - } - - # azurerm_virtual_hub_route_table.vhub_rt will be created - + resource "azurerm_virtual_hub_route_table" "vhub_rt" { - + id = (known after apply) - + labels = [ - + "VNet", - ] - + name = "vhub-rt-azfw-securehub-eus" - + virtual_hub_id = (known after apply) - - + route { - + destinations = [ - + "0.0.0.0/0", - ] - + destinations_type = "CIDR" - + name = "InternetToFirewall" - + next_hop = (known after apply) - + next_hop_type = "ResourceId" - } - + route { - + destinations = [ - + "10.10.1.0/24", - ] - + destinations_type = "CIDR" - + name = "workload-SNToFirewall" - + next_hop = (known after apply) - + next_hop_type = "ResourceId" - } - } - - # azurerm_virtual_network.azfw_vnet will be created - + resource "azurerm_virtual_network" "azfw_vnet" { - + address_space = [ - + "10.10.0.0/16", - ] - + dns_servers = (known after apply) - + guid = (known after apply) - + id = (known after apply) - + location = "eastus" - + name = "vnet-azfw-securehub-eus" - + resource_group_name = "rg-azfw-securehub-eus" - + subnet = (known after apply) - + tags = { - + "costcenter" = "1234556677" - + "environment" = "dev" - + "owner" = "cloud team" - + "workload" = "azure 
firewall" - } - } - - # azurerm_virtual_wan.azfw_vwan will be created - + resource "azurerm_virtual_wan" "azfw_vwan" { - + allow_branch_to_branch_traffic = true - + disable_vpn_encryption = false - + id = (known after apply) - + location = "eastus" - + name = "vwan-azfw-securehub-eus" - + office365_local_breakout_category = "None" - + resource_group_name = "rg-azfw-securehub-eus" - + tags = { - + "costcenter" = "1234556677" - + "environment" = "dev" - + "owner" = "cloud team" - + "workload" = "azure firewall" - } - + type = "Standard" - } - - # azurerm_windows_virtual_machine.vm_jump will be created - + resource "azurerm_windows_virtual_machine" "vm_jump" { - + admin_password = (sensitive value) - + admin_username = "azureuser" - + allow_extension_operations = true - + bypass_platform_safety_checks_on_user_schedule_enabled = false - + computer_name = (known after apply) - + enable_automatic_updates = true - + extensions_time_budget = "PT1H30M" - + hotpatching_enabled = false - + id = (known after apply) - + location = "eastus" - + max_bid_price = -1 - + name = "jump-vm" - + network_interface_ids = (known after apply) - + patch_assessment_mode = "ImageDefault" - + patch_mode = "AutomaticByOS" - + platform_fault_domain = -1 - + priority = "Regular" - + private_ip_address = (known after apply) - + private_ip_addresses = (known after apply) - + provision_vm_agent = true - + public_ip_address = (known after apply) - + public_ip_addresses = (known after apply) - + resource_group_name = "rg-azfw-securehub-eus" - + size = "Standard_D2_v3" - + virtual_machine_id = (known after apply) - - + os_disk { - + caching = "ReadWrite" - + disk_size_gb = (known after apply) - + name = (known after apply) - + storage_account_type = "Standard_LRS" - + write_accelerator_enabled = false - } - - + source_image_reference { - + offer = "WindowsServer" - + publisher = "MicrosoftWindowsServer" - + sku = "2019-Datacenter" - + version = "latest" - } - } - - # 
azurerm_windows_virtual_machine.vm_workload will be created - + resource "azurerm_windows_virtual_machine" "vm_workload" { - + admin_password = (sensitive value) - + admin_username = "azureuser" - + allow_extension_operations = true - + bypass_platform_safety_checks_on_user_schedule_enabled = false - + computer_name = (known after apply) - + enable_automatic_updates = true - + extensions_time_budget = "PT1H30M" - + hotpatching_enabled = false - + id = (known after apply) - + location = "eastus" - + max_bid_price = -1 - + name = "workload-vm" - + network_interface_ids = (known after apply) - + patch_assessment_mode = "ImageDefault" - + patch_mode = "AutomaticByOS" - + platform_fault_domain = -1 - + priority = "Regular" - + private_ip_address = (known after apply) - + private_ip_addresses = (known after apply) - + provision_vm_agent = true - + public_ip_address = (known after apply) - + public_ip_addresses = (known after apply) - + resource_group_name = "rg-azfw-securehub-eus" - + size = "Standard_D2_v3" - + virtual_machine_id = (known after apply) - - + os_disk { - + caching = "ReadWrite" - + disk_size_gb = (known after apply) - + name = (known after apply) - + storage_account_type = "Standard_LRS" - + write_accelerator_enabled = false - } - - + source_image_reference { - + offer = "WindowsServer" - + publisher = "MicrosoftWindowsServer" - + sku = "2019-Datacenter" - + version = "latest" - } - } +| Name | Description | Default value | +|-|-|-| +| `location` | location for your resources | eastus | +| `firewall_sku` | Sku size for your Firewall and Firewall Policy | Premium | +| `virtual_machine_size` | Sku size for your jump and workload vms | Standard_D2_v3 | +| `admin_username` | admin username for the jump and workload vms | azureuser | -Plan: 23 to add, 0 to change, 0 to destroy. -`````` \ No newline at end of file +## Example \ No newline at end of file 
diff --git a/quickstart/201-azfw-with-secure-hub/main.tf b/quickstart/201-azfw-with-secure-hub/main.tf
index 46c99695c..7e2842d7f 100644
--- a/quickstart/201-azfw-with-secure-hub/main.tf
+++ b/quickstart/201-azfw-with-secure-hub/main.tf
@@ -1,36 +1,27 @@
 // Create a Resource Group
-resource "azurerm_resource_group" "azfw_rg" {
+resource "azurerm_resource_group" "rg" {
 name = "rg-azfw-securehub-eus"
- location = var.location
- tags = var.tags
+ location = var.resource_group_location
 }
 // Create resources for Azure Virtual WAN
 // Create a Azure Vwan
 resource "azurerm_virtual_wan" "azfw_vwan" {
 name = "vwan-azfw-securehub-eus"
- location = azurerm_resource_group.azfw_rg.location
- resource_group_name = azurerm_resource_group.azfw_rg.name
- tags = azurerm_resource_group.azfw_rg.tags
+ location = azurerm_resource_group.rg.location
+ resource_group_name = azurerm_resource_group.rg.name
 allow_branch_to_branch_traffic = true
 disable_vpn_encryption = false
- depends_on = [
- azurerm_resource_group.azfw_rg
- ]
 }
 // Create a Azure Vwan Hub
 resource "azurerm_virtual_hub" "azfw_vwan_hub" {
 name = "hub-azfw-securehub-eus"
- location = azurerm_resource_group.azfw_rg.location
- resource_group_name = azurerm_resource_group.azfw_rg.name
+ location = azurerm_resource_group.rg.location
+ resource_group_name = azurerm_resource_group.rg.name
 virtual_wan_id = azurerm_virtual_wan.azfw_vwan.id
 address_prefix = "10.20.0.0/23"
- tags = azurerm_resource_group.azfw_rg.tags
- depends_on = [
- azurerm_virtual_wan.azfw_vwan
- ]
 }
 // Create a Azure VWan Hub Connection
@@ -46,42 +37,29 @@ resource "azurerm_virtual_hub_connection" "azfw_vwan_hub_connection" {
 labels = ["VNet"]
 }
 }
- depends_on = [
- azurerm_virtual_hub.azfw_vwan_hub,
- azurerm_virtual_network.azfw_vnet
- ]
 }
 // Create resources for Azure Firewall
 // Create a Public IP Address for Azure Firewall
 resource "azurerm_public_ip" "pip_azfw" {
 name = "pip-azfw-securehub-eus"
- location = azurerm_resource_group.azfw_rg.location
- resource_group_name = azurerm_resource_group.azfw_rg.name
+ location = azurerm_resource_group.rg.location
+ resource_group_name = azurerm_resource_group.rg.name
 allocation_method = "Static"
 sku = "Standard"
- tags = azurerm_resource_group.azfw_rg.tags
- depends_on = [
- azurerm_resource_group.azfw_rg
- ]
 }
 // Create a Azure Firewall Policy
 resource "azurerm_firewall_policy" "azfw_policy" {
 name = "policy-azfw-securehub-eus"
- resource_group_name = azurerm_resource_group.azfw_rg.name
- location = azurerm_resource_group.azfw_rg.location
- sku = "Premium"
+ resource_group_name = azurerm_resource_group.rg.name
+ location = azurerm_resource_group.rg.location
+ sku = var.firewall_sku_name
 threat_intelligence_mode = "Alert"
- tags = azurerm_resource_group.azfw_rg.tags
- depends_on = [
- azurerm_resource_group.azfw_rg
- ]
 }
 // Create a Azure Firewall Policy Rule Collection Group
 // Create a Application Rule Collection
-// Create rules for Windows Update
 // Create rules for Microsoft.com
 resource "azurerm_firewall_policy_rule_collection_group" "app_policy_rule_collection_group" {
 name = "DefaulApplicationtRuleCollectionGroup"
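Review bot: `sku = var.firewall_sku_name` feeds the policy's SKU tier, and the same variable becomes `sku_tier` on `azurerm_firewall` in the next hunk, where the actual `sku_name` is the hardcoded `"AZFW_Hub"`; the variable name therefore describes the wrong attribute, and the 101 quickstart in this same patch calls the equivalent variable `firewall_sku_tier`. Renaming it to `firewall_sku_tier` here, in the firewall resource, and in variables.tf (hunk `@@ -1,23 +1,20 @@`) keeps the two quickstarts consistent. The new README table for 201 appears to list it as `firewall_sku`, which matches neither spelling.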
@@ -107,101 +85,74 @@ resource "azurerm_firewall_policy_rule_collection_group" "app_policy_rule_collec
 source_addresses = ["*"]
 }
 }
- depends_on = [
- azurerm_firewall_policy.azfw_policy
- ]
 }
 // Create the Azure Firewall
 resource "azurerm_firewall" "fw" {
 name = "fw-azfw-securehub-eus"
- location = azurerm_resource_group.azfw_rg.location
- resource_group_name = azurerm_resource_group.azfw_rg.name
+ location = azurerm_resource_group.rg.location
+ resource_group_name = azurerm_resource_group.rg.name
 sku_name = "AZFW_Hub"
- sku_tier = var.fw_sku
- tags = azurerm_resource_group.azfw_rg.tags
+ sku_tier = var.firewall_sku_name
 virtual_hub {
 virtual_hub_id = azurerm_virtual_hub.azfw_vwan_hub.id
 public_ip_count = 1
 }
 firewall_policy_id = azurerm_firewall_policy.azfw_policy.id
- depends_on = [
- azurerm_firewall_policy.azfw_policy,
- azurerm_virtual_hub.azfw_vwan_hub
- ]
 }
 // Create Virtual Network, Subnets, PIP, NICs, NSGs, and NIC-NSG associations
 // Create a Virtual Network
 resource "azurerm_virtual_network" "azfw_vnet" {
 name = "vnet-azfw-securehub-eus"
- location = azurerm_resource_group.azfw_rg.location
- resource_group_name = azurerm_resource_group.azfw_rg.name
+ location = azurerm_resource_group.rg.location
+ resource_group_name = azurerm_resource_group.rg.name
 address_space = ["10.10.0.0/16"]
- tags = azurerm_resource_group.azfw_rg.tags
- depends_on = [
- azurerm_resource_group.azfw_rg
- ]
 }
 // Create a Subnet for Workload VMs
 resource "azurerm_subnet" "workload_subnet" {
 name = "subnet-workload"
- resource_group_name = azurerm_resource_group.azfw_rg.name
+ resource_group_name = azurerm_resource_group.rg.name
 virtual_network_name = azurerm_virtual_network.azfw_vnet.name
 address_prefixes = ["10.10.1.0/24"]
- depends_on = [
- azurerm_virtual_network.azfw_vnet
- ]
 }
 // Create a Subnet for Jump VM
 resource "azurerm_subnet" "jump_subnet" {
 name = "subnet-jump"
- resource_group_name = azurerm_resource_group.azfw_rg.name
+ resource_group_name = 
azurerm_resource_group.rg.name
 virtual_network_name = azurerm_virtual_network.azfw_vnet.name
 address_prefixes = ["10.10.2.0/24"]
-
- depends_on = [
- azurerm_virtual_network.azfw_vnet,
- azurerm_route_table.rt
- ]
 }
 // Create a NIC for Workload VM
 resource "azurerm_network_interface" "vm_workload_nic" {
 name = "nic-workload"
- location = azurerm_resource_group.azfw_rg.location
- resource_group_name = azurerm_resource_group.azfw_rg.name
+ location = azurerm_resource_group.rg.location
+ resource_group_name = azurerm_resource_group.rg.name
 ip_configuration {
 name = "ipconfig-workload"
 subnet_id = azurerm_subnet.workload_subnet.id
 private_ip_address_allocation = "Dynamic"
 }
- depends_on = [
- azurerm_subnet.workload_subnet
- ]
 }
 // Create a PIP for Jump VM
 resource "azurerm_public_ip" "vm_jump_pip" {
 name = "pip-jump"
- location = azurerm_resource_group.azfw_rg.location
- resource_group_name = azurerm_resource_group.azfw_rg.name
+ location = azurerm_resource_group.rg.location
+ resource_group_name = azurerm_resource_group.rg.name
 allocation_method = "Static"
 sku = "Standard"
- tags = azurerm_resource_group.azfw_rg.tags
- depends_on = [
- azurerm_resource_group.azfw_rg
- ]
 }
 // Create a NIC for Jump VM
 resource "azurerm_network_interface" "vm_jump_nic" {
 name = "nic-jump"
- location = azurerm_resource_group.azfw_rg.location
- resource_group_name = azurerm_resource_group.azfw_rg.name
+ location = azurerm_resource_group.rg.location
+ resource_group_name = azurerm_resource_group.rg.name
 ip_configuration {
 name = "ipconfig-jump"
@@ -209,27 +160,20 @@ resource "azurerm_network_interface" "vm_jump_nic" {
 private_ip_address_allocation = "Dynamic"
 public_ip_address_id = azurerm_public_ip.vm_jump_pip.id
 }
- depends_on = [
- azurerm_subnet.jump_subnet,
- azurerm_public_ip.vm_jump_pip
- ]
 }
 // Create a NSG for Workload VM
 resource "azurerm_network_security_group" "vm_workload_nsg" {
 name = "nsg-workload"
- location = azurerm_resource_group.azfw_rg.location
- resource_group_name = azurerm_resource_group.azfw_rg.name
- depends_on = [
- azurerm_resource_group.azfw_rg
- ]
+ location = azurerm_resource_group.rg.location
+ resource_group_name = azurerm_resource_group.rg.name
 }
 // Create a NSG for Jump VM
 resource "azurerm_network_security_group" "vm_jump_nsg" {
 name = "nsg-jump"
- location = azurerm_resource_group.azfw_rg.location
- resource_group_name = azurerm_resource_group.azfw_rg.name
+ location = azurerm_resource_group.rg.location
+ resource_group_name = azurerm_resource_group.rg.name
 security_rule {
 name = "Allow-RDP"
 priority = 300
@@ -241,41 +185,29 @@ resource "azurerm_network_security_group" "vm_jump_nsg" {
 source_address_prefix = "*"
 destination_address_prefix = "*"
 }
-
- depends_on = [
- azurerm_resource_group.azfw_rg
- ]
 }
 // Associate NSG for Workload VM NIC
 resource "azurerm_network_interface_security_group_association" "vm_workload_nsg_association" {
 network_interface_id = azurerm_network_interface.vm_workload_nic.id
 network_security_group_id = azurerm_network_security_group.vm_workload_nsg.id
- depends_on = [
- azurerm_network_interface.vm_workload_nic,
- azurerm_network_security_group.vm_workload_nsg
- ]
 }
 // Associate NSG for Jump VM NIC
 resource "azurerm_network_interface_security_group_association" "vm_jump_nsg_association" {
 network_interface_id = azurerm_network_interface.vm_jump_nic.id
 network_security_group_id = azurerm_network_security_group.vm_jump_nsg.id
- depends_on = [
- azurerm_network_interface.vm_jump_nic,
- azurerm_network_security_group.vm_jump_nsg
- ]
 }
 // Create Virtual Machines for testing
 // Create a Workload Virtual Machine
 resource "azurerm_windows_virtual_machine" "vm_workload" {
 name = "workload-vm"
- resource_group_name = azurerm_resource_group.azfw_rg.name
- location = azurerm_resource_group.azfw_rg.location
- size = var.vm_size
+ resource_group_name = azurerm_resource_group.rg.name
+ location = azurerm_resource_group.rg.location
+ size = var.virtual_machine_size
 admin_username = var.admin_username
- admin_password = var.admin_password
+ admin_password = random_password.password.result
 network_interface_ids = [azurerm_network_interface.vm_workload_nic.id]
 os_disk {
 caching = "ReadWrite"
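Review bot: Both VMs take their credential from the single `random_password.password` resource (the workload VM here, the jump VM in the `@@ -287` hunk), so the jump host and the workload host share one admin password and a compromise of either exposes the other; declaring one `random_password` per machine and using `admin_password = random_password.workload.result` here and `admin_password = random_password.jump.result` on the jump VM keeps them independent. The `random_password` resource is declared in the `@@ -362` hunk of this file. Separately, the `Allow-RDP` rule whose tail opens this hunk keeps `source_address_prefix = "*"`, which the commit does not touch: the jump VM receives a public IP in the previous hunk, so port 3389 is reachable from any source address. A `variable "admin_source_address_prefix"` consumed by that rule would let users of the quickstart scope it to their own address range; the `security_rule` block itself begins in the previous hunk.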
@@ -287,19 +219,16 @@ resource "azurerm_windows_virtual_machine" "vm_workload" {
 sku = "2019-Datacenter"
 version = "latest"
 }
- depends_on = [
- azurerm_network_interface.vm_workload_nic
- ]
 }
 // Create a Jump Virtual Machine
 resource "azurerm_windows_virtual_machine" "vm_jump" {
 name = "jump-vm"
- resource_group_name = azurerm_resource_group.azfw_rg.name
- location = azurerm_resource_group.azfw_rg.location
- size = var.vm_size
+ resource_group_name = azurerm_resource_group.rg.name
+ location = azurerm_resource_group.rg.location
+ size = var.virtual_network_name
 admin_username = var.admin_username
- admin_password = var.admin_password
+ admin_password = random_password.password.result
 network_interface_ids = [azurerm_network_interface.vm_jump_nic.id]
 os_disk {
 caching = "ReadWrite"
@@ -311,36 +240,26 @@ resource "azurerm_windows_virtual_machine" "vm_jump" {
 sku = "2019-Datacenter"
 version = "latest"
 }
- depends_on = [
- azurerm_network_interface.vm_jump_nic
- ]
 }
 // Create Routing for testing
 // Create a Route Table
 resource "azurerm_route_table" "rt" {
 name = "rt-azfw-securehub-eus"
- location = azurerm_resource_group.azfw_rg.location
- resource_group_name = azurerm_resource_group.azfw_rg.name
+ location = azurerm_resource_group.rg.location
+ resource_group_name = azurerm_resource_group.rg.name
 disable_bgp_route_propagation = false
 route {
 name = "jump-to-internet"
 address_prefix = "0.0.0.0/0"
 next_hop_type = "Internet"
 }
- depends_on = [
- azurerm_resource_group.azfw_rg
- ]
 }
 // Associate Route Table to Jump VM Subnet
 resource "azurerm_subnet_route_table_association" "jump_subnet_rt_association" {
 subnet_id = azurerm_subnet.jump_subnet.id
 route_table_id = azurerm_route_table.rt.id
- depends_on = [
- azurerm_subnet.jump_subnet,
- azurerm_route_table.rt
- ]
 }
 // Creat a Virtual Hub Route Table
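Review bot: `size = var.virtual_network_name` on the jump VM references a variable that the 201 variables.tf hunk (`@@ -1,23 +1,20 @@`) does not declare, so `terraform validate` fails at this commit; the workload VM in the previous hunk already uses `size = var.virtual_machine_size`, which is the declared name. Patch 4/9 later in this series corrects the line, so squashing the two would keep the history buildable at every commit.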
@@ -362,9 +281,13 @@ resource "azurerm_virtual_hub_route_table" "vhub_rt" {
 next_hop = azurerm_firewall.fw.id
 }
 labels = ["VNet"]
- depends_on = [
- azurerm_virtual_hub.azfw_vwan_hub,
- azurerm_firewall.fw
- ]
 }
+resource "random_password" "password" {
+ length = 20
+ min_lower = 1
+ min_upper = 1
+ min_numeric = 1
+ min_special = 1
+ special = true
+}
diff --git a/quickstart/201-azfw-with-secure-hub/outputs.tf b/quickstart/201-azfw-with-secure-hub/outputs.tf
index 67ad7df31..c481cbee8 100644
--- a/quickstart/201-azfw-with-secure-hub/outputs.tf
+++ b/quickstart/201-azfw-with-secure-hub/outputs.tf
@@ -1,3 +1,18 @@
-output "rg_name" {
- value = azurerm_resource_group.azfw_rg.name
-}
\ No newline at end of file
+output "resource_group_name" {
+ value = azurerm_resource_group.rg.name
+}
+
+output "virtual_hub_name" {
+ value = azurerm_secure_hub.secure_hub.name
+}
+
+output "jump_admin_password" {
+ sensitive = true
+ value = azurerm_secure_hub.vm_jump.admin_password
+}
+
+output "workload_admin_password" {
+ sensitive = true
+ value = azurerm_secure_hub.vm_workload.admin_password
+}
+
diff --git a/quickstart/201-azfw-with-secure-hub/provider.tf b/quickstart/201-azfw-with-secure-hub/provider.tf
index 76b5065bc..57f3bc9ed 100644
--- a/quickstart/201-azfw-with-secure-hub/provider.tf
+++ b/quickstart/201-azfw-with-secure-hub/provider.tf
@@ -2,7 +2,11 @@ terraform {
 required_providers {
 azurerm = {
 source = "hashicorp/azurerm"
- version = "3.69.0"
+ version = "~>3.0"
+ }
+ random = {
+ source = "hashicorp/random"
+ version = "~>3.0"
 }
 }
 }
diff --git a/quickstart/201-azfw-with-secure-hub/variables.tf b/quickstart/201-azfw-with-secure-hub/variables.tf
index fd29a8593..67eab9c09 100644
--- a/quickstart/201-azfw-with-secure-hub/variables.tf
+++ b/quickstart/201-azfw-with-secure-hub/variables.tf
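Review bot: The new `random_password` resource has no comment explaining where its value ends up, and `result` is held in clear text in the Terraform state, so protecting the state backend is part of protecting the VM credential this quickstart creates. A one-line header makes that explicit: `// Generated VM admin password; the value is stored in Terraform state, so restrict access to the state backend.` The `min_*` constraints together with `length = 20` look sufficient for Windows password-complexity rules, though that is not something the hunk itself demonstrates.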
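Review bot: The three new outputs reference `azurerm_secure_hub.secure_hub`, `azurerm_secure_hub.vm_jump` and `azurerm_secure_hub.vm_workload`, but no resource of that type or name exists in the main.tf hunks of this patch; the hub is declared as `azurerm_virtual_hub.azfw_vwan_hub` and the VMs as `azurerm_windows_virtual_machine.vm_jump` and `vm_workload`, so `terraform validate` rejects this file. The values should read `value = azurerm_virtual_hub.azfw_vwan_hub.name`, `value = azurerm_windows_virtual_machine.vm_jump.admin_password` and `value = azurerm_windows_virtual_machine.vm_workload.admin_password`. The patch 4/9 diffstat shows outputs.tf changing again, but that hunk is not in view here. Note also that `sensitive = true` only redacts plan and apply output, `terraform output -raw` still prints the value, and with one shared `random_password` both password outputs return the same string.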
@@ -1,23 +1,20 @@ // Create Variables for Location and Tags -variable "location" { +variable "resource_group_location" { + type = string + description = "Location for all resources." default = "eastus" } -variable "tags" { - default = { - environment = "dev" - costcenter = "1234556677" - owner = "cloud team" - workload = "azure firewall" - } -} - // Create Firewall Variables -variable "fw_sku" { +variable "firewall_sku_name" { + type = string + description = "SKU name for the firewall." default = "Premium" # Valid values are Standard and Premium } // Create Virtual Machine Sku Size Variables -variable "vm_size" { +variable "virtual_machine_size" { + type = string + description = "Size of the virtual machine." default = "Standard_D2_v3" } @@ -25,6 +22,3 @@ variable "vm_size" { variable "admin_username" { default = "azureuser" } -variable "admin_password" { - default = "P@ssw0rd1234!" -} From 1cadacf03d2974270d565fb975c0de3d0442d8ff Mon Sep 17 00:00:00 2001 From: cshea15 Date: Mon, 28 Aug 2023 13:18:26 -0400 Subject: [PATCH 4/9] made some changes to clean up deployment --- quickstart/101-azfw-with-fwpolicy/provider.tf | 6 +----- quickstart/101-azfw-with-fwpolicy/variables.tf | 8 ++++---- quickstart/201-azfw-with-secure-hub/main.tf | 16 ++++++++-------- quickstart/201-azfw-with-secure-hub/outputs.tf | 6 +++--- quickstart/201-azfw-with-secure-hub/variables.tf | 12 ++++++------ 5 files changed, 22 insertions(+), 26 deletions(-) diff --git a/quickstart/101-azfw-with-fwpolicy/provider.tf b/quickstart/101-azfw-with-fwpolicy/provider.tf index 1c5540f8e..e0f4ae95e 100644 --- a/quickstart/101-azfw-with-fwpolicy/provider.tf +++ b/quickstart/101-azfw-with-fwpolicy/provider.tf @@ -8,9 +8,5 @@ terraform { } provider "azurerm" { - features { - resource_group { - prevent_deletion_if_contains_resources = false // Set to True for Production - } - } + features {} } 
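Review bot: Removing the `P@ssw0rd1234!` default is the right call, but `admin_username` directly above the deleted block is left as the only variable in this file without `type` and `description`, while every other variable in the first hunk gains both. Bring it in line: `type = string` and `description = "Administrator username for the jump and workload VMs."`. The old default has already been committed to history, so anyone who deployed an earlier revision of this template should rotate that VM password rather than rely on the removal.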
diff --git a/quickstart/101-azfw-with-fwpolicy/variables.tf b/quickstart/101-azfw-with-fwpolicy/variables.tf
index 83b7760d3..964249e4f 100644
--- a/quickstart/101-azfw-with-fwpolicy/variables.tf
+++ b/quickstart/101-azfw-with-fwpolicy/variables.tf
@@ -1,14 +1,14 @@
 // Create Variables for Location and Tags
 variable "resource_group_location" {
- type = string
+ type = string
 description = "Location for all resources."
- default = "eastus"
+ default = "eastus"
 }
 // Create Firewall Variables
 variable "firewall_sku_tier" {
- type = string
+ type = string
 description = "Firewall SKU."
- default = "Premium" # Valid values are Standard and Premium
+ default = "Premium" # Valid values are Standard and Premium
 }
diff --git a/quickstart/201-azfw-with-secure-hub/main.tf b/quickstart/201-azfw-with-secure-hub/main.tf
index 7e2842d7f..978ae7b0b 100644
--- a/quickstart/201-azfw-with-secure-hub/main.tf
+++ b/quickstart/201-azfw-with-secure-hub/main.tf
@@ -34,7 +34,7 @@ resource "azurerm_virtual_hub_connection" "azfw_vwan_hub_connection" {
 associated_route_table_id = azurerm_virtual_hub_route_table.vhub_rt.id
 propagated_route_table {
 route_table_ids = [azurerm_virtual_hub_route_table.vhub_rt.id]
- labels = ["VNet"]
+ labels = ["VNet"]
 }
 }
 }
@@ -226,7 +226,7 @@ resource "azurerm_windows_virtual_machine" "vm_jump" {
 name = "jump-vm"
 resource_group_name = azurerm_resource_group.rg.name
 location = azurerm_resource_group.rg.location
- size = var.virtual_network_name
+ size = var.virtual_machine_size
 admin_username = var.admin_username
 admin_password = random_password.password.result
 network_interface_ids = [azurerm_network_interface.vm_jump_nic.id]
@@ -284,10 +284,10 @@ resource "azurerm_virtual_hub_route_table" "vhub_rt" {
 }
 resource "random_password" "password" {
- length = 20
- min_lower = 1
- min_upper = 1
- min_numeric = 1
- min_special = 1
- special = true
+ length = 20
+ min_lower = 1
+ min_upper = 1
+ min_numeric = 1
+ min_special = 1
+ special = true
 }
diff --git a/quickstart/201-azfw-with-secure-hub/outputs.tf b/quickstart/201-azfw-with-secure-hub/outputs.tf index c481cbee8..3071a100d 100644 --- a/quickstart/201-azfw-with-secure-hub/outputs.tf +++ b/quickstart/201-azfw-with-secure-hub/outputs.tf @@ -3,16 +3,16 @@ output "resource_group_name" { } output "virtual_hub_name" { - value = azurerm_secure_hub.secure_hub.name + value = azurerm_virtual_hub.azfw_vwan_hub.name } output "jump_admin_password" { sensitive = true - value = azurerm_secure_hub.vm_jump.admin_password + value = azurerm_windows_virtual_machine.vm_jump.admin_password } output "workload_admin_password" { sensitive = true - value = azurerm_secure_hub.vm_workload.admin_password + value = azurerm_windows_virtual_machine.vm_workload.admin_password } diff --git a/quickstart/201-azfw-with-secure-hub/variables.tf b/quickstart/201-azfw-with-secure-hub/variables.tf index 67eab9c09..b0b93851c 100644 --- a/quickstart/201-azfw-with-secure-hub/variables.tf +++ b/quickstart/201-azfw-with-secure-hub/variables.tf @@ -1,21 +1,21 @@ // Create Variables for Location and Tags variable "resource_group_location" { - type = string + type = string description = "Location for all resources." - default = "eastus" + default = "eastus" } // Create Firewall Variables variable "firewall_sku_name" { - type = string + type = string description = "SKU name for the firewall." - default = "Premium" # Valid values are Standard and Premium + default = "Premium" # Valid values are Standard and Premium } // Create Virtual Machine Sku Size Variables variable "virtual_machine_size" { - type = string + type = string description = "Size of the virtual machine." - default = "Standard_D2_v3" + default = "Standard_D2_v3" } // Create Admin Username and Password From 39f24e4450cec05ecacbfd79d4e1cb446c004d53 Mon Sep 17 00:00:00 2001 
From: cshea15 Date: Mon, 28 Aug 2023 13:40:12 -0400 Subject: [PATCH 5/9] changing the provider feature --- quickstart/201-azfw-with-secure-hub/provider.tf | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/quickstart/201-azfw-with-secure-hub/provider.tf b/quickstart/201-azfw-with-secure-hub/provider.tf index 57f3bc9ed..bf50b67ec 100644 --- a/quickstart/201-azfw-with-secure-hub/provider.tf +++ b/quickstart/201-azfw-with-secure-hub/provider.tf @@ -13,8 +13,9 @@ terraform { provider "azurerm" { features { - resource_group { - prevent_deletion_if_contains_resources = false // Set to True for Production + virtual_machine { + delete_os_disk_on_deletion = true + skip_shutdown_and_force_delete = true } } } From 4f1a6c18ee880a5cbfe0d3888d6771239bd3dcb8 Mon Sep 17 00:00:00 2001 From: cshea15 Date: Mon, 28 Aug 2023 14:26:30 -0400 Subject: [PATCH 6/9] updated rg prefixes and removed commented lines --- quickstart/101-azfw-with-fwpolicy/main.tf | 20 +++-------- quickstart/101-azfw-with-fwpolicy/outputs.tf | 4 +++ quickstart/101-azfw-with-fwpolicy/provider.tf | 4 +++ .../101-azfw-with-fwpolicy/variables.tf | 8 +++-- quickstart/201-azfw-with-secure-hub/main.tf | 35 +++---------------- .../201-azfw-with-secure-hub/variables.tf | 11 +++--- 6 files changed, 30 insertions(+), 52 deletions(-) diff --git a/quickstart/101-azfw-with-fwpolicy/main.tf b/quickstart/101-azfw-with-fwpolicy/main.tf index dd39cae34..fb684157b 100644 --- a/quickstart/101-azfw-with-fwpolicy/main.tf +++ b/quickstart/101-azfw-with-fwpolicy/main.tf @@ -1,10 +1,12 @@ +resource "random_pet" "rg-name" { + prefix = var.resource_group_name_prefix +} -// Create a Resource Group resource "azurerm_resource_group" "rg" { - name = "azfw-rg" + name = random_pet.rg-name.id location = var.resource_group_location } -// Create a Virtual Network + resource "azurerm_virtual_network" "azfw_vnet" { name = "azfw-vnet" location = azurerm_resource_group.rg.location 
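Review bot: `skip_shutdown_and_force_delete = true` and `delete_os_disk_on_deletion = true` make `terraform destroy` force-delete the VMs and discard their OS disks without a graceful shutdown; that is fine for a throwaway quickstart, but the earlier `// Set to True for Production` hint is gone and nothing marks the new block as test-only. Add `# Quickstart convenience: force-delete VMs and their OS disks on destroy; remove this block for production` above `virtual_machine {`. Dropping the `resource_group` block also means the provider default for `prevent_deletion_if_contains_resources` now applies, which is the safer behaviour and worth a sentence in the readme.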
@@ -12,7 +14,6 @@ resource "azurerm_virtual_network" "azfw_vnet" { address_space = ["10.10.0.0/24"] } -// Create IP Groups resource "azurerm_ip_group" "workload_ip_group" { name = "workload-ip-group" resource_group_name = azurerm_resource_group.rg.name @@ -26,7 +27,6 @@ resource "azurerm_ip_group" "infra_ip_group" { cidrs = ["10.40.0.0/24", "10.50.0.0/24"] } -// Create the Azure Firewall Subnet resource "azurerm_subnet" "azfw_subnet" { name = "AzureFirewallSubnet" resource_group_name = azurerm_resource_group.rg.name @@ -34,7 +34,6 @@ resource "azurerm_subnet" "azfw_subnet" { address_prefixes = ["10.10.0.0/26"] } -// Create a Public IP Address for Azure Firewall resource "azurerm_public_ip" "pip_azfw" { name = "pip-azfw" location = azurerm_resource_group.rg.location @@ -43,7 +42,6 @@ resource "azurerm_public_ip" "pip_azfw" { sku = "Standard" } -// Create a Azure Firewall Policy resource "azurerm_firewall_policy" "azfw_policy" { name = "azfw-policy" resource_group_name = azurerm_resource_group.rg.name @@ -52,9 +50,6 @@ resource "azurerm_firewall_policy" "azfw_policy" { threat_intelligence_mode = "Alert" } -// Create a Network Rule Collection Group -// Create a Network Rule Collection -// Create rules for NTP resource "azurerm_firewall_policy_rule_collection_group" "net_policy_rule_collection_group" { name = "DefaultNetworkRuleCollectionGroup" firewall_policy_id = azurerm_firewall_policy.azfw_policy.id @@ -73,10 +68,6 @@ resource "azurerm_firewall_policy_rule_collection_group" "net_policy_rule_collec } } -// Create a Azure Firewall Policy Rule Collection Group -// Create a Application Rule Collection -// Create rules for Windows Update -// Create rules for Microsoft.com resource "azurerm_firewall_policy_rule_collection_group" "app_policy_rule_collection_group" { name = "DefaulApplicationtRuleCollectionGroup" firewall_policy_id = azurerm_firewall_policy.azfw_policy.id 
@@ -114,7 +105,6 @@ resource "azurerm_firewall_policy_rule_collection_group" "app_policy_rule_collec } } -// Create the Azure Firewall resource "azurerm_firewall" "fw" { name = "azfw" location = azurerm_resource_group.rg.location diff --git a/quickstart/101-azfw-with-fwpolicy/outputs.tf b/quickstart/101-azfw-with-fwpolicy/outputs.tf index c765da635..0dc1d7837 100644 --- a/quickstart/101-azfw-with-fwpolicy/outputs.tf +++ b/quickstart/101-azfw-with-fwpolicy/outputs.tf @@ -1,3 +1,7 @@ output "resource_group_name" { value = azurerm_resource_group.rg.name +} + +output "firewall_name" { + value = azurerm_firewall.azfw.name } \ No newline at end of file diff --git a/quickstart/101-azfw-with-fwpolicy/provider.tf b/quickstart/101-azfw-with-fwpolicy/provider.tf index e0f4ae95e..18eea7b7d 100644 --- a/quickstart/101-azfw-with-fwpolicy/provider.tf +++ b/quickstart/101-azfw-with-fwpolicy/provider.tf @@ -4,6 +4,10 @@ terraform { source = "hashicorp/azurerm" version = "~>3.0" } + random = { + source = "hashicorp/random" + version = "~>3.0" + } } } diff --git a/quickstart/101-azfw-with-fwpolicy/variables.tf b/quickstart/101-azfw-with-fwpolicy/variables.tf index 964249e4f..935f26ca2 100644 --- a/quickstart/101-azfw-with-fwpolicy/variables.tf +++ b/quickstart/101-azfw-with-fwpolicy/variables.tf @@ -1,11 +1,15 @@ -// Create Variables for Location and Tags variable "resource_group_location" { type = string description = "Location for all resources." default = "eastus" } -// Create Firewall Variables +variable "resource_group_name_prefix" { + type = string + description = "Prefix for the Resource Group Name that's combined with a random id so name is unique in your Azure subcription." + default = "rg" +} + variable "firewall_sku_tier" { type = string description = "Firewall SKU." diff --git a/quickstart/201-azfw-with-secure-hub/main.tf b/quickstart/201-azfw-with-secure-hub/main.tf index 978ae7b0b..d1dc7abf1 100644 --- a/quickstart/201-azfw-with-secure-hub/main.tf 
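Review bot: The new `resource_group_name_prefix` description misspells "subscription" as `subcription` and says the prefix is combined with a "random id", whereas main.tf in this commit appends a `random_pet` name. Suggested wording: `description = "Prefix for the resource group name; a random pet name is appended so the name is unique within your Azure subscription."`.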
+++ b/quickstart/201-azfw-with-secure-hub/main.tf @@ -1,12 +1,12 @@ +resource "random_pet" "rg-name" { + prefix = var.resource_group_name_prefix +} -// Create a Resource Group resource "azurerm_resource_group" "rg" { - name = "rg-azfw-securehub-eus" + name = random_pet.rg-name.id location = var.resource_group_location } -// Create resources for Azure Virtual WAN -// Create a Azure Vwan resource "azurerm_virtual_wan" "azfw_vwan" { name = "vwan-azfw-securehub-eus" location = azurerm_resource_group.rg.location @@ -15,7 +15,6 @@ resource "azurerm_virtual_wan" "azfw_vwan" { disable_vpn_encryption = false } -// Create a Azure Vwan Hub resource "azurerm_virtual_hub" "azfw_vwan_hub" { name = "hub-azfw-securehub-eus" location = azurerm_resource_group.rg.location @@ -24,7 +23,6 @@ resource "azurerm_virtual_hub" "azfw_vwan_hub" { address_prefix = "10.20.0.0/23" } -// Create a Azure VWan Hub Connection resource "azurerm_virtual_hub_connection" "azfw_vwan_hub_connection" { name = "hub-to-spoke" virtual_hub_id = azurerm_virtual_hub.azfw_vwan_hub.id @@ -39,8 +37,6 @@ resource "azurerm_virtual_hub_connection" "azfw_vwan_hub_connection" { } } -// Create resources for Azure Firewall -// Create a Public IP Address for Azure Firewall resource "azurerm_public_ip" "pip_azfw" { name = "pip-azfw-securehub-eus" location = azurerm_resource_group.rg.location @@ -49,7 +45,6 @@ resource "azurerm_public_ip" "pip_azfw" { sku = "Standard" } -// Create a Azure Firewall Policy resource "azurerm_firewall_policy" "azfw_policy" { name = "policy-azfw-securehub-eus" resource_group_name = azurerm_resource_group.rg.name 
@@ -58,9 +53,6 @@ resource "azurerm_firewall_policy" "azfw_policy" { threat_intelligence_mode = "Alert" } -// Create a Azure Firewall Policy Rule Collection Group -// Create a Application Rule Collection -// Create rules for Microsoft.com resource "azurerm_firewall_policy_rule_collection_group" "app_policy_rule_collection_group" { name = "DefaulApplicationtRuleCollectionGroup" firewall_policy_id = azurerm_firewall_policy.azfw_policy.id @@ -87,7 +79,6 @@ resource "azurerm_firewall_policy_rule_collection_group" "app_policy_rule_collec } } -// Create the Azure Firewall resource "azurerm_firewall" "fw" { name = "fw-azfw-securehub-eus" location = azurerm_resource_group.rg.location @@ -101,8 +92,6 @@ resource "azurerm_firewall" "fw" { firewall_policy_id = azurerm_firewall_policy.azfw_policy.id } -// Create Virtual Network, Subnets, PIP, NICs, NSGs, and NIC-NSG associations -// Create a Virtual Network resource "azurerm_virtual_network" "azfw_vnet" { name = "vnet-azfw-securehub-eus" location = azurerm_resource_group.rg.location @@ -110,7 +99,6 @@ resource "azurerm_virtual_network" "azfw_vnet" { address_space = ["10.10.0.0/16"] } -// Create a Subnet for Workload VMs resource "azurerm_subnet" "workload_subnet" { name = "subnet-workload" resource_group_name = azurerm_resource_group.rg.name @@ -118,7 +106,6 @@ resource "azurerm_subnet" "workload_subnet" { address_prefixes = ["10.10.1.0/24"] } -// Create a Subnet for Jump VM resource "azurerm_subnet" "jump_subnet" { name = "subnet-jump" resource_group_name = azurerm_resource_group.rg.name @@ -126,7 +113,6 @@ resource "azurerm_subnet" "jump_subnet" { address_prefixes = ["10.10.2.0/24"] } -// Create a NIC for Workload VM resource "azurerm_network_interface" "vm_workload_nic" { name = "nic-workload" location = azurerm_resource_group.rg.location 
@@ -139,7 +125,6 @@ resource "azurerm_network_interface" "vm_workload_nic" { } } -// Create a PIP for Jump VM resource "azurerm_public_ip" "vm_jump_pip" { name = "pip-jump" location = azurerm_resource_group.rg.location @@ -148,7 +133,6 @@ resource "azurerm_public_ip" "vm_jump_pip" { sku = "Standard" } -// Create a NIC for Jump VM resource "azurerm_network_interface" "vm_jump_nic" { name = "nic-jump" location = azurerm_resource_group.rg.location @@ -162,14 +146,12 @@ resource "azurerm_network_interface" "vm_jump_nic" { } } -// Create a NSG for Workload VM resource "azurerm_network_security_group" "vm_workload_nsg" { name = "nsg-workload" location = azurerm_resource_group.rg.location resource_group_name = azurerm_resource_group.rg.name } -// Create a NSG for Jump VM resource "azurerm_network_security_group" "vm_jump_nsg" { name = "nsg-jump" location = azurerm_resource_group.rg.location @@ -187,20 +169,16 @@ resource "azurerm_network_security_group" "vm_jump_nsg" { } } -// Associate NSG for Workload VM NIC resource "azurerm_network_interface_security_group_association" "vm_workload_nsg_association" { network_interface_id = azurerm_network_interface.vm_workload_nic.id network_security_group_id = azurerm_network_security_group.vm_workload_nsg.id } -// Associate NSG for Jump VM NIC resource "azurerm_network_interface_security_group_association" "vm_jump_nsg_association" { network_interface_id = azurerm_network_interface.vm_jump_nic.id network_security_group_id = azurerm_network_security_group.vm_jump_nsg.id } -// Create Virtual Machines for testing -// Create a Workload Virtual Machine resource "azurerm_windows_virtual_machine" "vm_workload" { name = "workload-vm" resource_group_name = azurerm_resource_group.rg.name @@ -221,7 +199,6 @@ resource "azurerm_windows_virtual_machine" "vm_workload" { } } -// Create a Jump Virtual Machine resource "azurerm_windows_virtual_machine" "vm_jump" { name = "jump-vm" resource_group_name = azurerm_resource_group.rg.name 
@@ -242,8 +219,6 @@ resource "azurerm_windows_virtual_machine" "vm_jump" { } } -// Create Routing for testing -// Create a Route Table resource "azurerm_route_table" "rt" { name = "rt-azfw-securehub-eus" location = azurerm_resource_group.rg.location @@ -256,13 +231,11 @@ resource "azurerm_route_table" "rt" { } } -// Associate Route Table to Jump VM Subnet resource "azurerm_subnet_route_table_association" "jump_subnet_rt_association" { subnet_id = azurerm_subnet.jump_subnet.id route_table_id = azurerm_route_table.rt.id } -// Creat a Virtual Hub Route Table resource "azurerm_virtual_hub_route_table" "vhub_rt" { name = "vhub-rt-azfw-securehub-eus" virtual_hub_id = azurerm_virtual_hub.azfw_vwan_hub.id diff --git a/quickstart/201-azfw-with-secure-hub/variables.tf b/quickstart/201-azfw-with-secure-hub/variables.tf index b0b93851c..e76f46d92 100644 --- a/quickstart/201-azfw-with-secure-hub/variables.tf +++ b/quickstart/201-azfw-with-secure-hub/variables.tf @@ -1,24 +1,27 @@ -// Create Variables for Location and Tags variable "resource_group_location" { type = string description = "Location for all resources." default = "eastus" } -// Create Firewall Variables + +variable "resource_group_name_prefix" { + type = string + description = "Prefix for the Resource Group Name that's combined with a random id so name is unique in your Azure subcription." + default = "rg" +} + variable "firewall_sku_name" { type = string description = "SKU name for the firewall." default = "Premium" # Valid values are Standard and Premium } -// Create Virtual Machine Sku Size Variables variable "virtual_machine_size" { type = string description = "Size of the virtual machine." default = "Standard_D2_v3" } -// Create Admin Username and Password variable "admin_username" { default = "azureuser" } From 79fa9bdc9e6e3b1ef3de5906225d14f2c374e82d Mon Sep 17 00:00:00 2001 
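Review bot: `firewall_sku_name` in this hunk holds `Premium` with the comment "Valid values are Standard and Premium", which are `sku_tier` values, while the sibling 101 template calls the same variable `firewall_sku_tier`; the name suggests it feeds `azurerm_firewall.sku_name` (`AZFW_VNet`/`AZFW_Hub`) and will mislead anyone overriding it. Rename it to `firewall_sku_tier` with `description = "Firewall SKU tier."`, and fix the `subcription` spelling in the new `resource_group_name_prefix` description here as well. `admin_username` just below the hunk still lacks `type` and `description`.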
From: cshea15 Date: Mon, 28 Aug 2023 15:42:31 -0400 Subject: [PATCH 7/9] fixed output --- quickstart/101-azfw-with-fwpolicy/outputs.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/quickstart/101-azfw-with-fwpolicy/outputs.tf b/quickstart/101-azfw-with-fwpolicy/outputs.tf index 0dc1d7837..3d6f89a11 100644 --- a/quickstart/101-azfw-with-fwpolicy/outputs.tf +++ b/quickstart/101-azfw-with-fwpolicy/outputs.tf @@ -3,5 +3,5 @@ output "resource_group_name" { } output "firewall_name" { - value = azurerm_firewall.azfw.name + value = azurerm_firewall.fw.name } \ No newline at end of file From 010c19fe4d5d794152a81599fd629b80aa3b8d53 Mon Sep 17 00:00:00 2001 From: cshea15 Date: Thu, 31 Aug 2023 14:20:54 -0400 Subject: [PATCH 8/9] fixing mistakes --- quickstart/101-azfw-with-fwpolicy/{README.md => readme2.md} | 0 quickstart/101-azfw-with-fwpolicy/variables.tf | 4 ++++ quickstart/201-azfw-with-secure-hub/{README.md => readme2.md} | 2 +- 3 files changed, 5 insertions(+), 1 deletion(-) rename quickstart/101-azfw-with-fwpolicy/{README.md => readme2.md} (100%) rename quickstart/201-azfw-with-secure-hub/{README.md => readme2.md} (93%) diff --git a/quickstart/101-azfw-with-fwpolicy/README.md b/quickstart/101-azfw-with-fwpolicy/readme2.md similarity index 100% rename from quickstart/101-azfw-with-fwpolicy/README.md rename to quickstart/101-azfw-with-fwpolicy/readme2.md diff --git a/quickstart/101-azfw-with-fwpolicy/variables.tf b/quickstart/101-azfw-with-fwpolicy/variables.tf index 935f26ca2..eb12bf647 100644 --- a/quickstart/101-azfw-with-fwpolicy/variables.tf +++ b/quickstart/101-azfw-with-fwpolicy/variables.tf @@ -14,5 +14,9 @@ variable "firewall_sku_tier" { type = string description = "Firewall SKU." default = "Premium" # Valid values are Standard and Premium + validation { + condition = contains(["Standard", "Premium"], var.firewall_sku_tier) + error_message = "The sku must be one of the following: Standard, Premium" + } } 
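Review bot: The new `validation` block on `firewall_sku_tier` has no counterpart in the 201 template, whose `firewall_sku_name` variable carries the same `Premium` default and the same "Valid values are Standard and Premium" comment but accepts any string; copy the block there so both quickstarts fail at plan time instead of at the Azure API. Older Terraform releases also reject `error_message` values that are not a full sentence ending in a period, so `error_message = "The sku must be one of the following: Standard, Premium."` is the safer form.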
diff --git a/quickstart/201-azfw-with-secure-hub/README.md b/quickstart/201-azfw-with-secure-hub/readme2.md similarity index 93% rename from quickstart/201-azfw-with-secure-hub/README.md rename to quickstart/201-azfw-with-secure-hub/readme2.md index 74c8241b4..91bacf36d 100644 --- a/quickstart/201-azfw-with-secure-hub/README.md +++ b/quickstart/201-azfw-with-secure-hub/readme2.md @@ -15,7 +15,7 @@ This template deploys an [Azure Firewall](https://registry.terraform.io/provider - [azurerm_subnet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet) - [azurerm_network_interface](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_interface) - [azurerm_network_security_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_security_group) -- [azurerm_network_interface_security_group_associtation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_interface_security_group_association +- [azurerm_network_interface_security_group_association](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_interface_security_group_association - [azurerm_windows_virtual_machine](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/windows_virtual_machine) - [azurerm_route_table](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/route_table) - [azurerm_subnet_route_table_association](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet_route_table_association) From 23a7bf1fdddc2a47fdde30032f08bdedc09a36fa Mon Sep 17 00:00:00 2001 
From: cshea15 Date: Thu, 31 Aug 2023 14:22:10 -0400 Subject: [PATCH 9/9] fixed the readme's --- quickstart/101-azfw-with-fwpolicy/{readme2.md => readme.md} | 0 quickstart/201-azfw-with-secure-hub/{readme2.md => readme.md} | 0 2 files changed, 0 insertions(+), 0 deletions(-) rename quickstart/101-azfw-with-fwpolicy/{readme2.md => readme.md} (100%) rename quickstart/201-azfw-with-secure-hub/{readme2.md => readme.md} (100%) diff --git a/quickstart/101-azfw-with-fwpolicy/readme2.md b/quickstart/101-azfw-with-fwpolicy/readme.md similarity index 100% rename from quickstart/101-azfw-with-fwpolicy/readme2.md rename to quickstart/101-azfw-with-fwpolicy/readme.md diff --git a/quickstart/201-azfw-with-secure-hub/readme2.md b/quickstart/201-azfw-with-secure-hub/readme.md similarity index 100% rename from quickstart/201-azfw-with-secure-hub/readme2.md rename to quickstart/201-azfw-with-secure-hub/readme.md