From 026cda971993a443b0dd38b5c6943389dfcf8237 Mon Sep 17 00:00:00 2001
From: Pranay Deokar
Date: Fri, 12 Jan 2024 16:13:14 +0530
Subject: [PATCH] feat: added attributes

---
 .github/workflows/auto_assignee.yml | 14 ++
 .github/workflows/automerge.yml | 12 ++
 .../{changelog.yml => changelog.yaml} | 4 +-
 .github/workflows/readme.yml | 5 +-
 .github/workflows/semantic-releaser.yml | 30 ---
 .github/workflows/static-checks.yml | 77 -------
 .github/workflows/tf-checks.yml | 26 +++
 .github/workflows/tflint.yml | 11 +
 .github/workflows/tfsec.yml | 4 +-
 _example/basic/versions.tf | 13 ++
 _example/complete/example.tf | 10 +-
 _example/complete/versions.tf | 13 ++
 .../firewall-with-isolated-rules/example.tf | 4 +-
 .../firewall-with-isolated-rules/versions.tf | 13 ++
 .../firewall-with-public-ip-prefix/example.tf | 4 +-
 .../versions.tf | 13 ++
 deepsource.toml | 4 +
 main.tf | 145 +++++++++++--
 variables.tf | 191 ++++++++++++++++--
 versions.tf | 5 +-
 20 files changed, 434 insertions(+), 164 deletions(-)
 create mode 100644 .github/workflows/auto_assignee.yml
 create mode 100644 .github/workflows/automerge.yml
 rename .github/workflows/{changelog.yml => changelog.yaml} (82%)
 delete mode 100644 .github/workflows/semantic-releaser.yml
 delete mode 100644 .github/workflows/static-checks.yml
 create mode 100644 .github/workflows/tf-checks.yml
 create mode 100644 .github/workflows/tflint.yml
 create mode 100644 _example/basic/versions.tf
 create mode 100644 _example/complete/versions.tf
 create mode 100644 _example/firewall-with-isolated-rules/versions.tf
 create mode 100644 _example/firewall-with-public-ip-prefix/versions.tf
 create mode 100644 deepsource.toml

diff --git a/.github/workflows/auto_assignee.yml b/.github/workflows/auto_assignee.yml
new file mode 100644
index 0000000..d10f4a1
--- /dev/null
+++ b/.github/workflows/auto_assignee.yml
@@ -0,0 +1,14 @@ +name: Auto Assign PRs + +on: + pull_request: + types: [opened, reopened] + + workflow_dispatch: +jobs: + assignee: + uses: clouddrove/github-shared-workflows/.github/workflows/auto_assignee.yml@1.0.10 + secrets: + GITHUB: ${{ secrets.GITHUB }} + with: + assignees: 'clouddrove-ci' diff --git a/.github/workflows/automerge.yml b/.github/workflows/automerge.yml new file mode 100644 index 0000000..88f2f1d --- /dev/null +++ b/.github/workflows/automerge.yml @@ -0,0 +1,12 @@ +--- +name: Auto merge +on: + pull_request: +jobs: + auto-merge: + uses: clouddrove/github-shared-workflows/.github/workflows/auto_merge.yml@1.0.10 + secrets: + GITHUB: ${{ secrets.GITHUB }} + with: + tfcheck: 'basic-example / Check code format' +... diff --git a/.github/workflows/changelog.yml b/.github/workflows/changelog.yaml similarity index 82% rename from .github/workflows/changelog.yml rename to .github/workflows/changelog.yaml index 4b735f5..c2a8cd4 100644 --- a/.github/workflows/changelog.yml +++ b/.github/workflows/changelog.yaml @@ -7,7 +7,7 @@ on: workflow_dispatch: jobs: changelog: - uses: clouddrove/github-shared-workflows/.github/workflows/changelog.yml@master + uses: clouddrove/github-shared-workflows/.github/workflows/changelog.yml@1.0.10 secrets: inherit with: - branch: 'master' \ No newline at end of file + branch: 'master' diff --git a/.github/workflows/readme.yml b/.github/workflows/readme.yml index 03b477f..1eb0243 100644 --- a/.github/workflows/readme.yml +++ b/.github/workflows/readme.yml @@ -13,7 +13,7 @@ jobs: uses: actions/checkout@master - name: 'Set up Python 3.7' - uses: actions/setup-python@v4 + uses: actions/setup-python@v5 with: python-version: '3.x' @@ -25,7 +25,6 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - name: 'pre-commit check errors' uses: pre-commit/action@v3.0.0 continue-on-error: true 
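Review bot: `uses: clouddrove/github-shared-workflows/.github/workflows/auto_assignee.yml@1.0.10` pins the reusable workflow to a tag, which the owning repository can move at any time, so the code that receives `secrets.GITHUB` here is not fixed by this commit; pinning to the full commit SHA, e.g. `uses: clouddrove/github-shared-workflows/.github/workflows/auto_assignee.yml@<commit-sha>  # 1.0.10`, makes the reference immutable while keeping the version readable. The same `@1.0.10` pin is used in automerge.yml, changelog.yaml, tf-checks.yml, tflint.yml and tfsec.yml in this patch. `GITHUB` is a custom repository secret rather than the built-in `GITHUB_TOKEN`; if it is a personal access token, a comment next to `secrets:` stating the scopes it needs would help whoever has to rotate it.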
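Review bot: `tfcheck: 'basic-example / Check code format'` names a single required check, while tf-checks.yml in this patch runs four example jobs (basic-example, complete-example, firewall-with-isolated-rules, firewall-with-public-ip-prefix), so a PR that breaks any of the other three examples is presumably still merged automatically, assuming the shared auto_merge workflow only waits on the named check. The string is also coupled to the job id in tf-checks.yml and to the job name inside the shared workflow, so renaming either silently disables the gate; a comment such as `# must match the job id in tf-checks.yml and the job name in the shared tf-checks workflow` above `tfcheck:` would make that dependency visible. Unlike auto_assignee.yml, the `pull_request:` trigger here has no `types:` filter, which may or may not be intended.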
@@ -51,4 +50,4 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # required SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_TERRAFORM }} # required - if: always() \ No newline at end of file + if: always() diff --git a/.github/workflows/semantic-releaser.yml b/.github/workflows/semantic-releaser.yml deleted file mode 100644 index c6911b9..0000000 --- a/.github/workflows/semantic-releaser.yml +++ /dev/null @@ -1,30 +0,0 @@ -name: Release - -on: - push: - branches: - - main - paths: - - '**.tf' - - '!_example/**.tf' - -jobs: - release: - name: Release - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@v4 - with: - fetch-depth: 0 - persist-credentials: false - - - name: Setup Node.js - uses: actions/setup-node@v4 - with: - node-version: 14 - - - name: Release - env: - GITHUB_TOKEN: ${{ secrets.ACCESS_TOKEN }} - run: npx semantic-release diff --git a/.github/workflows/static-checks.yml b/.github/workflows/static-checks.yml deleted file mode 100644 index 7bf6ae8..0000000 --- a/.github/workflows/static-checks.yml +++ /dev/null 
@@ -1,77 +0,0 @@ -name: static-checks - -on: - pull_request: - -jobs: - versionExtract: - name: Get min/max versions - runs-on: ubuntu-latest - - steps: - - name: Checkout - uses: actions/checkout@v4 - - - name: Terraform min/max versions - id: minMax - uses: clowdhaus/terraform-min-max@main - outputs: - minVersion: ${{ steps.minMax.outputs.minVersion }} - maxVersion: ${{ steps.minMax.outputs.maxVersion }} - - versionEvaluate: - name: Evaluate Terraform versions - runs-on: ubuntu-latest - needs: versionExtract - strategy: - fail-fast: false - matrix: - version: - - ${{ needs.versionExtract.outputs.minVersion }} - - ${{ needs.versionExtract.outputs.maxVersion }} - directory: - - _example/basic/ - - _example/complete/ - - _example/firewall-with-isolated-rules/ - - _example/firewall-with-public-ip-prefix/ - - steps: - - name: Checkout - uses: actions/checkout@v4 - - - name: Install Terraform v${{ matrix.version }} - uses: hashicorp/setup-terraform@v3 - with: - terraform_version: ${{ matrix.version }} - - - name: Init & validate v${{ matrix.version }} - run: | - cd ${{ matrix.directory }} - terraform init - terraform validate - - name: tflint - uses: reviewdog/action-tflint@master - with: - tflint_version: v0.29.0 - github_token: ${{ secrets.GITHUB_TOKEN }} - working_directory: ${{ matrix.directory }} - fail_on_error: 'true' - filter_mode: 'nofilter' - flags: '--module' - - format: - name: Check code format - runs-on: ubuntu-latest - needs: versionExtract - - steps: - - name: Checkout - uses: actions/checkout@v4 - - - name: Install Terraform v${{ needs.versionExtract.outputs.maxVersion }} - uses: hashicorp/setup-terraform@v3 - with: - terraform_version: ${{ needs.versionExtract.outputs.maxVersion }} - - - name: Check Terraform format changes - run: terraform fmt --recursive -check=true \ No newline at end of file diff --git a/.github/workflows/tf-checks.yml b/.github/workflows/tf-checks.yml new file mode 100644 index 0000000..3f844a7 --- /dev/null 
+++ b/.github/workflows/tf-checks.yml @@ -0,0 +1,26 @@ +name: tf-checks +on: + push: + branches: [ master ] + pull_request: + workflow_dispatch: +jobs: + basic-example: + uses: clouddrove/github-shared-workflows/.github/workflows/tf-checks.yml@1.0.10 + with: + working_directory: './_example/basic/' + + complete-example: + uses: clouddrove/github-shared-workflows/.github/workflows/tf-checks.yml@1.0.10 + with: + working_directory: './_example/complete/' + + firewall-with-isolated-rules: + uses: clouddrove/github-shared-workflows/.github/workflows/tf-checks.yml@1.0.10 + with: + working_directory: './_example/firewall-with-isolated-rules/' + + firewall-with-public-ip-prefix: + uses: clouddrove/github-shared-workflows/.github/workflows/tf-checks.yml@1.0.10 + with: + working_directory: './_example/firewall-with-public-ip-prefix/' \ No newline at end of file diff --git a/.github/workflows/tflint.yml b/.github/workflows/tflint.yml new file mode 100644 index 0000000..e52fe96 --- /dev/null +++ b/.github/workflows/tflint.yml @@ -0,0 +1,11 @@ +name: tf-lint +on: + push: + branches: [ master ] + pull_request: + workflow_dispatch: +jobs: + tf-lint: + uses: clouddrove/github-shared-workflows/.github/workflows/tf-lint.yml@1.0.10 + secrets: + GITHUB: ${{ secrets.GITHUB }} diff --git a/.github/workflows/tfsec.yml b/.github/workflows/tfsec.yml index 9aaf588..cac5e20 100644 --- a/.github/workflows/tfsec.yml +++ b/.github/workflows/tfsec.yml @@ -5,7 +5,7 @@ on: workflow_dispatch: jobs: tfsec: - uses: clouddrove/github-shared-workflows/.github/workflows/tfsec.yml@master + uses: clouddrove/github-shared-workflows/.github/workflows/tfsec.yml@1.0.10 secrets: inherit with: - working_directory: '.' \ No newline at end of file + working_directory: '.' diff --git a/_example/basic/versions.tf b/_example/basic/versions.tf new file mode 100644 index 0000000..6a65607 --- /dev/null +++ b/_example/basic/versions.tf 
@@ -0,0 +1,13 @@ +# Terraform version +terraform { + required_version = ">= 1.6.6" +} + +terraform { + required_providers { + azurerm = { + source = "hashicorp/azurerm" + version = ">=3.85.0" + } + } +} \ No newline at end of file diff --git a/_example/complete/example.tf b/_example/complete/example.tf index 8f18673..9e21baf 100644 --- a/_example/complete/example.tf +++ b/_example/complete/example.tf @@ -27,12 +27,12 @@ module "resource_group" { module "vnet" { depends_on = [module.resource_group] source = "clouddrove/vnet/azure" - version = "1.0.3" + version = "1.0.4" name = local.name environment = local.environment resource_group_name = module.resource_group.resource_group_name location = module.resource_group.resource_group_location - address_space = "10.0.0.0/16" + address_spaces = ["10.0.0.0/16"] } ##----------------------------------------------------------------------------- @@ -42,15 +42,15 @@ module "vnet" { module "name_specific_subnet" { depends_on = [module.vnet] source = "clouddrove/subnet/azure" - version = "1.0.2" + version = "1.1.0" name = local.name environment = local.environment resource_group_name = module.resource_group.resource_group_name location = module.resource_group.resource_group_location - virtual_network_name = join("", module.vnet.vnet_name) + virtual_network_name = module.vnet.vnet_name #subnet specific_name_subnet = true - specific_subnet_names = "AzureFirewallSubnet" + specific_subnet_names = ["AzureFirewallSubnet"] subnet_prefixes = ["10.0.1.0/24"] # route_table routes = [ diff --git a/_example/complete/versions.tf b/_example/complete/versions.tf new file mode 100644 index 0000000..6a65607 --- /dev/null +++ b/_example/complete/versions.tf @@ -0,0 +1,13 @@ +# Terraform version +terraform { + required_version = ">= 1.6.6" +} + +terraform { + required_providers { + azurerm = { + source = "hashicorp/azurerm" + version = ">=3.85.0" + } + } +} \ No newline at end of file 
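Review bot: `version = ">=3.85.0"` has no upper bound, so a fresh `terraform init` in this example will take the next azurerm major release together with its breaking changes; a pessimistic constraint such as `version = "~> 3.85"` keeps the examples on the 3.x line they were written against. The identical file is added under _example/complete, _example/firewall-with-isolated-rules and _example/firewall-with-public-ip-prefix, and its two `terraform {}` blocks can be merged into one holding both `required_version` and `required_providers`. The root versions.tf hunk at the end of the patch raises the module's own floor from `>=2.90.0` to `>=3.85.0` and Terraform from `>= 1.3.0` to `>= 1.6.6`, which is a breaking change for existing consumers and deserves a mention in the commit message or changelog rather than only the title "feat: added attributes".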
diff --git a/_example/firewall-with-isolated-rules/example.tf b/_example/firewall-with-isolated-rules/example.tf index dee445c..1951aaa 100644 --- a/_example/firewall-with-isolated-rules/example.tf +++ b/_example/firewall-with-isolated-rules/example.tf @@ -27,7 +27,7 @@ module "resource_group" { module "vnet" { depends_on = [module.resource_group] source = "clouddrove/vnet/azure" - version = "1.0.3" + version = "1.0.4" name = local.name environment = local.environment resource_group_name = module.resource_group.resource_group_name @@ -42,7 +42,7 @@ module "vnet" { module "name_specific_subnet" { depends_on = [module.vnet] source = "clouddrove/subnet/azure" - version = "1.0.2" + version = "1.1.0" name = local.name environment = local.environment resource_group_name = module.resource_group.resource_group_name diff --git a/_example/firewall-with-isolated-rules/versions.tf b/_example/firewall-with-isolated-rules/versions.tf new file mode 100644 index 0000000..6a65607 --- /dev/null +++ b/_example/firewall-with-isolated-rules/versions.tf @@ -0,0 +1,13 @@ +# Terraform version +terraform { + required_version = ">= 1.6.6" +} + +terraform { + required_providers { + azurerm = { + source = "hashicorp/azurerm" + version = ">=3.85.0" + } + } +} \ No newline at end of file diff --git a/_example/firewall-with-public-ip-prefix/example.tf b/_example/firewall-with-public-ip-prefix/example.tf index c0971fa..073c75f 100644 --- a/_example/firewall-with-public-ip-prefix/example.tf +++ b/_example/firewall-with-public-ip-prefix/example.tf @@ -27,7 +27,7 @@ module "resource_group" { module "vnet" { depends_on = [module.resource_group] source = "clouddrove/vnet/azure" - version = "1.0.3" + version = "1.0.4" name = local.name environment = local.environment resource_group_name = module.resource_group.resource_group_name 
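Review bot: The `vnet` and `name_specific_subnet` blocks here are bumped to `clouddrove/vnet/azure` `1.0.4` and `clouddrove/subnet/azure` `1.1.0` with no other argument changes, whereas the same bumps in _example/complete/example.tf also required `address_spaces = ["10.0.0.0/16"]` instead of `address_space`, `virtual_network_name = module.vnet.vnet_name` instead of the `join("", ...)` form, and a list for `specific_subnet_names`. If the new module versions made those argument changes mandatory, this example and _example/firewall-with-public-ip-prefix/example.tf (same two hunks) will fail to plan; the remainder of both module blocks lies outside the hunks, so please confirm against the full files. Both module blocks start inside the hunk and end outside it.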
@@ -42,7 +42,7 @@ module "vnet" { module "name_specific_subnet" { depends_on = [module.vnet] source = "clouddrove/subnet/azure" - version = "1.0.2" + version = "1.1.0" name = local.name environment = local.environment resource_group_name = module.resource_group.resource_group_name diff --git a/_example/firewall-with-public-ip-prefix/versions.tf b/_example/firewall-with-public-ip-prefix/versions.tf new file mode 100644 index 0000000..6a65607 --- /dev/null +++ b/_example/firewall-with-public-ip-prefix/versions.tf @@ -0,0 +1,13 @@ +# Terraform version +terraform { + required_version = ">= 1.6.6" +} + +terraform { + required_providers { + azurerm = { + source = "hashicorp/azurerm" + version = ">=3.85.0" + } + } +} \ No newline at end of file diff --git a/deepsource.toml b/deepsource.toml new file mode 100644 index 0000000..18b001a --- /dev/null +++ b/deepsource.toml @@ -0,0 +1,4 @@ +version = 1 + +[[analyzers]] +name = "terraform" \ No newline at end of file diff --git a/main.tf b/main.tf index d122759..059239a 100644 --- a/main.tf +++ b/main.tf @@ -3,6 +3,7 @@ ##----------------------------------------------------------------------------- module "labels" { source = "clouddrove/labels/azure" + version = "1.0.0" name = var.name environment = var.environment managedby = var.managedby @@ -70,10 +71,13 @@ resource "azurerm_firewall" "firewall" { threat_intel_mode = var.threat_intel_mode sku_tier = var.sku_tier sku_name = var.sku_name - firewall_policy_id = join("", azurerm_firewall_policy.policy.*.id) + firewall_policy_id = azurerm_firewall_policy.policy[0].id + zones = var.zone != null ? [var.zone] : [] tags = module.labels.tags private_ip_ranges = var.firewall_private_ip_ranges dns_servers = var.dns_servers + dns_proxy_enabled = var.dns_proxy_enabled + dynamic "ip_configuration" { for_each = var.public_ip_names iterator = it 
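Review bot: `firewall_policy_id = azurerm_firewall_policy.policy[0].id` indexes the policy unconditionally, whereas the three rule-collection-group hunks later in this patch guard the same reference with `var.firewall_policy_id == null ? azurerm_firewall_policy.policy[0].id : var.firewall_policy_id`; if the policy resource can have `count = 0` while the firewall is created (for instance when a caller supplies an existing `var.firewall_policy_id`), this line now fails with an invalid index where the removed `join("", ...)` degraded to an empty string. Using the same conditional here, or `one(azurerm_firewall_policy.policy[*].id)` which yields null for an empty list, keeps the two paths consistent. `zones = var.zone != null ? [var.zone] : []` restricts the firewall to a single availability zone even though the argument takes a list; a `list(string)` input would allow zone-redundant deployments. The `azurerm_firewall` resource starts and ends outside the hunk.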
@@ -107,6 +111,23 @@ resource "azurerm_firewall" "firewall" { } } + dynamic "virtual_hub" { + for_each = var.virtual_hub != null ? [var.virtual_hub] : [] + content { + virtual_hub_id = virtual_hub.value.virtual_hub_id + public_ip_count = virtual_hub.value.public_ip_count + } + } + + dynamic "management_ip_configuration" { + for_each = var.enable_forced_tunneling ? [1] : [] + content { + name = lower("${var.firewall_config.name}-forced-tunnel") + subnet_id = azurerm_subnet.fw-mgnt-snet.0.id + public_ip_address_id = azurerm_public_ip.fw-mgnt-pip.0.id + } + } + lifecycle { ignore_changes = [ tags, 
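Review bot: `name = lower("${var.firewall_config.name}-forced-tunnel")` reads an attribute of `var.firewall_config`, but the variables.tf hunk in this patch declares `variable "firewall_config" { type = string ... }`, so setting `var.enable_forced_tunneling = true` fails at plan time with an unsupported-attribute error; either declare the variable as `object({ name = string })` or derive the name from the firewall's own name. The block also references `azurerm_subnet.fw-mgnt-snet.0.id` and `azurerm_public_ip.fw-mgnt-pip.0.id`, which are not added anywhere in this diff; if they do not already exist elsewhere in main.tf the plan fails on undeclared resources, and if they exist but are gated on a different flag the index can be out of range, so a comment naming the flag that creates them would help. The legacy `.0.id` indexing also differs from the `[0].id` form used in the rest of this patch. The `azurerm_firewall` resource starts outside the hunk.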
@@ -125,11 +146,97 @@ resource "azurerm_firewall_policy" "policy" { resource_group_name = var.resource_group_name location = var.location sku = var.sku_policy + base_policy_id = var.base_policy + dynamic "identity" { for_each = var.identity_type != null && var.sku_policy == "Premium" && var.sku_tier == "Premium" ? [1] : [] content { type = var.identity_type - identity_ids = var.identity_type == "UserAssigned" ? [join("", azurerm_user_assigned_identity.identity.*.id)] : null + identity_ids = var.identity_type == "UserAssigned" ? [azurerm_user_assigned_identity.identity[0].id] : null + } + } + + dynamic "dns" { + for_each = var.dns != null ? var.dns : [] + content { + proxy_enabled = dns.value.proxy_enabled + servers = toset(dns.value.servers) + } + } + + dynamic "insights" { + for_each = var.enable_insights ? [1] : [] + content { + enabled = var.insights_enabled + default_log_analytics_workspace_id = var.default_log_analytics_workspace_id + retention_in_days = var.insights_retention_in_days + + dynamic "log_analytics_workspace" { + for_each = var.log_analytics_workspace_location != null ? [1] : [] + content { + id = var.log_analytics_id + firewall_location = var.firewall_loc + } + } + } + } + + dynamic "threat_intelligence_allowlist" { + for_each = var.threat_ia != null ? [var.threat_ia] : [] + content { + ip_addresses = threat_intelligence_allowlist.value.ip_addresses + fqdns = threat_intelligence_allowlist.value.fqdns + } + } + + dynamic "tls_certificate" { + for_each = var.tls_certificate != null ? var.tls_certificate : [] + content { + key_vault_secret_id = tls_certificate.value.key_vault_secret_id + name = tls_certificate.value.name + } + } + + dynamic "explicit_proxy" { + for_each = var.explict_proxy != null ? 
var.explict_proxy : [] + content { + enabled = explicit_proxy.value.enabled + http_port = explicit_proxy.value.http_port + https_port = explicit_proxy.value.https_port + enable_pac_file = explicit_proxy.value.enable_pac_file + pac_file_port = explicit_proxy.value.pac_file_port + pac_file = explicit_proxy.value.pac_file_sas_url + } + } + + dynamic "intrusion_detection" { + for_each = var.intrusion_detection != null ? var.intrusion_detection : [] + content { + mode = intrusion_detection.value.mode + private_ranges = toset(intrusion_detection.value.private_ranges) + + dynamic "signature_overrides" { + for_each = intrusion_detection.value.signature_overrides != null ? intrusion_detection.value.signature_overrides : [] + + content { + id = signature_overrides.value.id + state = signature_overrides.value.state + } + } + + dynamic "traffic_bypass" { + for_each = intrusion_detection.value.traffic_bypass != null ? intrusion_detection.value.traffic_bypass : [] + content { + name = traffic_bypass.value.name + protocol = traffic_bypass.value.protocol + description = traffic_bypass.value.description + destination_addresses = traffic_bypass.value.destination_addresses + destination_ip_groups = traffic_bypass.value.destination_ip_groups + destination_ports = traffic_bypass.value.destination_ports + source_addresses = traffic_bypass.value.source_addresses + source_ip_groups = traffic_bypass.value.source_ip_groups + } + } } } } @@ -152,7 +259,7 @@ resource "azurerm_user_assigned_identity" "identity" { resource "azurerm_firewall_policy_rule_collection_group" "app_policy_rule_collection_group" { count = var.enabled && var.policy_rule_enabled ? 1 : 0 name = var.app_policy_collection_group - firewall_policy_id = var.firewall_policy_id == null ? join("", azurerm_firewall_policy.policy.*.id) : var.firewall_policy_id + firewall_policy_id = var.firewall_policy_id == null ? azurerm_firewall_policy.policy[0].id : var.firewall_policy_id priority = 300 dynamic "application_rule_collection" { 
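Review bot: `var.threat_ia` is declared as `type = string` in the variables.tf hunk of this patch, yet `threat_intelligence_allowlist.value.ip_addresses` and `.fqdns` read it as an object, so any non-null value fails at plan time; it needs something like `object({ ip_addresses = optional(list(string)), fqdns = optional(list(string)) })`. The `insights` block gates its nested `log_analytics_workspace` on `var.log_analytics_workspace_location != null` but then passes `var.log_analytics_id` and `var.firewall_loc`, so the variable that is checked is never used and the ones that are used are never checked; gate on the values actually passed. `dns` and `explicit_proxy` are, as far as I recall, single (max one) blocks on `azurerm_firewall_policy`, but `var.dns` and `var.explict_proxy` are lists, and `explict_proxy` misspells "explicit" in what is now a public variable name. The `azurerm_firewall_policy` resource starts outside the hunk.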
@@ -190,7 +297,7 @@ resource "azurerm_firewall_policy_rule_collection_group" "app_policy_rule_collec resource "azurerm_firewall_policy_rule_collection_group" "network_policy_rule_collection_group" { count = var.enabled && var.policy_rule_enabled ? 1 : 0 name = var.net_policy_collection_group - firewall_policy_id = var.firewall_policy_id == null ? join("", azurerm_firewall_policy.policy.*.id) : var.firewall_policy_id + firewall_policy_id = var.firewall_policy_id == null ? azurerm_firewall_policy.policy[0].id : var.firewall_policy_id priority = 200 @@ -225,7 +332,7 @@ resource "azurerm_firewall_policy_rule_collection_group" "network_policy_rule_co resource "azurerm_firewall_policy_rule_collection_group" "nat_policy_rule_collection_group" { count = var.enabled && var.dnat-destination_ip && var.policy_rule_enabled ? 1 : 0 name = var.nat_policy_collection_group - firewall_policy_id = var.firewall_policy_id == null ? join("", azurerm_firewall_policy.policy.*.id) : var.firewall_policy_id + firewall_policy_id = var.firewall_policy_id == null ? azurerm_firewall_policy.policy[0].id : var.firewall_policy_id priority = 100 dynamic "nat_rule_collection" { @@ -264,24 +371,20 @@ resource "azurerm_monitor_diagnostic_setting" "firewall_diagnostic-setting" { log_analytics_workspace_id = var.log_analytics_workspace_id # log_analytics_destination_type = var.log_analytics_destination_type - log { - - category_group = "AllLogs" - enabled = true - - retention_policy { - enabled = var.retention_policy_enabled - days = var.days + dynamic "enabled_log" { + for_each = var.log_enabled ? ["allLogs"] : [] + content { + category_group = enabled_log.value } } - - metric { - category = "AllMetrics" - enabled = true - - retention_policy { - enabled = var.retention_policy_enabled - days = var.days + dynamic "metric" { + for_each = var.metric_enabled ? ["AllMetrics"] : [] + content { + category = metric.value + enabled = true } } + lifecycle { + ignore_changes = [enabled_log, metric] + } } 
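Review bot: `lifecycle { ignore_changes = [enabled_log, metric] }` tells Terraform to ignore the very blocks this diagnostic setting exists to manage, so if the firewall's log categories are switched off outside Terraform, or a caller later flips `var.log_enabled` / `var.metric_enabled`, the next plan shows no change and logging silently stays out of policy. Unless this works around a known provider diff loop, drop the lifecycle block or add a comment stating the exact drift it suppresses. The removed `retention_policy` blocks consumed `var.retention_policy_enabled` and `var.days`, which this patch does not appear to remove from variables.tf; if they are now unused, their descriptions should say so. The `azurerm_monitor_diagnostic_setting` resource starts outside the hunk.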
diff --git a/variables.tf b/variables.tf index 2c7069f..8846a4c 100644 --- a/variables.tf +++ b/variables.tf @@ -2,19 +2,19 @@ #Description : Terraform label module variables. variable "name" { type = string - default = "" + default = null description = "Name (e.g. `app` or `cluster`)." } variable "environment" { type = string - default = "" + default = null description = "Environment (e.g. `prod`, `dev`, `staging`)." } variable "repository" { type = string - default = "" + default = null description = "Terraform current module repo" } 
@@ -26,45 +26,48 @@ variable "label_order" { variable "managedby" { type = string - default = "" + default = null description = "ManagedBy, eg ''." } variable "enabled" { type = bool - description = "Set to false to prevent the module from creating any resources." default = true + description = "Set to false to prevent the module from creating any resources." } variable "resource_group_name" { + type = string + default = null description = "A container that holds related resources for an Azure solution" - default = "" } variable "tags" { - description = "A map of tags to add to all resources" type = map(string) default = {} + description = "A map of tags to add to all resources" } #Public IP variable "public_ip_allocation_method" { - description = "Defines the allocation method for this IP address. Possible values are Static or Dynamic" + type = string default = "Static" + description = "Defines the allocation method for this IP address. Possible values are Static or Dynamic" } variable "public_ip_sku" { - description = "The SKU of the Public IP. Accepted values are Basic and Standard. Defaults to Basic" + type = string default = "Standard" + description = "The SKU of the Public IP. Accepted values are Basic and Standard. Defaults to Basic" } #firewall variable "threat_intel_mode" { - description = "(Optional) The operation mode for threat intelligence-based filtering. Possible values are: Off, Alert, Deny. Defaults to Alert." - default = "Alert" type = string + default = "Alert" + description = "(Optional) The operation mode for threat intelligence-based filtering. Possible values are: Off, Alert, Deny. Defaults to Alert." validation { condition = contains(["Off", "Alert", "Deny"], var.threat_intel_mode) 
@@ -73,22 +76,73 @@ variable "threat_intel_mode" { } variable "sku_tier" { - description = "Specifies the firewall sku tier" - default = "Standard" type = string + default = "Standard" + description = "Specifies the firewall sku tier" } variable "sku_policy" { - description = "Specifies the firewall-policy sku" default = "Standard" type = string + description = "Specifies the firewall-policy sku" +} + +variable "base_policy" { + type = string + default = null + description = "Specifies the firewall-base-policy-id" +} + + +variable "dns" { + type = list(object({ + proxy_enabled = optional(bool, false) + servers = set(string) + })) + default = null + description = "The DNS block within the firewall policy" +} + +variable "enable_insights" { + type = bool + default = false + description = "Whether to enable insights functionality in the Firewall Policy" +} + +variable "insights_enabled" { + type = bool + default = false + description = "Whether the insights functionality is enabled for this Firewall Policy" +} + +variable "default_log_analytics_workspace_id" { + type = string + default = null + description = "The ID of the default Log Analytics Workspace for Firewall Policy logs" +} + +variable "insights_retention_in_days" { + type = number + default = 30 + description = "The log retention period in days for Firewall Policy insights" +} + +variable "log_analytics_workspace_location" { + type = string + default = null + description = "The location of the Log Analytics Workspace for Firewall Policy insights" +} + +variable "threat_ia" { + type = string + default = null + description = "The location of the Log Analytics Workspace for Firewall Policy insights" } variable "sku_name" { type = string default = "AZFW_VNet" description = "(optional) describe your variable" - } variable "subnet_id" { 
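Review bot: `variable "threat_ia"` carries the description copied from `log_analytics_workspace_location` ("The location of the Log Analytics Workspace for Firewall Policy insights"), which is wrong for a threat-intelligence allowlist, and its `type = string` does not match the `.ip_addresses` / `.fqdns` attribute access in main.tf. Suggested: `description = "Threat intelligence allowlist (ip_addresses and fqdns) for the firewall policy."` together with an object type. `enable_insights` and `insights_enabled` are two booleans that both default to false and must both be true for insights to do anything, which is easy to misconfigure; either collapse them into one input or have each description say what the other controls. `sku_policy` keeps `default` before `type` while the neighbouring variables were reordered to type, default, description in this hunk.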
@@ -113,7 +167,6 @@ variable "app_policy_collection_group" { type = string default = "DefaultApplicationRuleCollectionGroup" description = "(optional) Name of app policy group" - } variable "additional_public_ips" { @@ -154,10 +207,16 @@ variable "enable_ip_subnet" { variable "location" { type = string - default = "" + default = null description = "The location/region where the virtual network is created. Changing this forces a new resource to be created." } +variable "zone" { + type = string + default = null + description = "The Zone for the resources (e.g., `1`, `2`, `3`)." +} + variable "firewall_private_ip_ranges" { description = "A list of SNAT private CIDR IP ranges, or the special string `IANAPrivateRanges`, which indicates Azure Firewall does not SNAT when the destination IP address is a private range per IANA RFC 1918." type = list(string) 
@@ -170,10 +229,49 @@ variable "dns_servers" { default = null } +variable "dns_proxy_enabled" { + type = bool + default = false + description = "Flag to enable DNS Proxy on the firewall." +} + +variable "virtual_hub" { + type = object({ + virtual_hub_id = string + public_ip_count = number + }) + default = null + description = "An Azure Virtual WAN Hub with associated security and routing policies configured by Azure Firewall Manager. Use secured virtual hubs to easily create hub-and-spoke and transitive architectures with native security services for traffic governance and protection." +} + +variable "enable_forced_tunneling" { + type = bool + default = false + description = "Route all Internet-bound traffic to a designated next hop instead of going directly to the Internet" +} + +variable "firewall_config" { + type = string + default = null + description = "Manages an Azure Firewall configuration" +} + variable "dnat-destination_ip" { - description = "Variable to specify that you have destination ip to attach to policy or not.(Destination ip is public ip that is attached to firewall)" type = bool default = true + description = "Variable to specify that you have destination ip to attach to policy or not.(Destination ip is public ip that is attached to firewall)" +} + +variable "firewall_loc" { + type = string + default = null + description = "log analytics workspace id to pass it to destination details of diagnosys setting of NSG." +} + +variable "log_analytics_id" { + type = string + default = null + description = "log analytics workspace id to pass it to destination details of diagnosys setting of NSG." } # Diagnosis Settings Enable 
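Review bot: `firewall_loc` and `log_analytics_id` both carry the description "log analytics workspace id to pass it to destination details of diagnosys setting of NSG.", copied from another module; in main.tf they feed `firewall_location` and `id` of the policy insights `log_analytics_workspace` block, so `description = "Region of the firewall, passed to the insights log_analytics_workspace block of the firewall policy."` and `description = "Log Analytics workspace ID for the insights log_analytics_workspace block of the firewall policy."` would describe their actual use. `firewall_config` is declared `type = string` but main.tf reads `var.firewall_config.name` from it in the management_ip_configuration hunk, so its type and description ("Manages an Azure Firewall configuration") both need to say what shape is expected.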
@@ -184,6 +282,18 @@ variable "enable_diagnostic" { description = "Set to false to prevent the module from creating the diagnosys setting for the NSG Resource.." } +variable "metric_enabled" { + type = bool + default = true + description = "Is this Diagnostic Metric enabled? Defaults to True." +} + +variable "log_enabled" { + type = string + default = true + description = " Is this Diagnostic Log enabled? Defaults to true." +} + variable "storage_account_id" { type = string default = null @@ -288,3 +398,48 @@ variable "enable_prefix_subnet" { default = false description = "Should subnet id be attached to first public ip name specified in public ip prefix name varible. To be true when there is no individual public ip." } + +variable "tls_certificate" { + type = list(object({ + key_vault_secret_id = string + name = string + })) + default = null + description = "The tls_certificate block within the firewall policy" +} + +variable "explict_proxy" { + type = list(object({ + enabled = optional(bool, true) + http_port = optional(number) + https_port = optional(number) + enable_pac_file = optional(bool) + pac_file_port = optional(number) + pac_file_sas_url = optional(string) + })) + default = null + description = "The explict proxy block within the firewall policy" +} + +variable "intrusion_detection" { + type = list(object({ + mode = optional(string, "Alert") + private_ranges = optional(set(string)) + signature_overrides = optional(list(object({ + id = optional(string) + state = optional(string) + }))) + traffic_bypass = optional(list(object({ + name = optional(string) + protocol = optional(string) + description = optional(string) + destination_addresses = optional(list(string)) + destination_ip_groups = optional(list(string)) + destination_ports = optional(list(string)) + source_addresses = optional(list(string)) + source_ip_groups = optional(list(string)) + }))) + })) + default = null + description = "The instruction detection block" +} \ No newline at end of file 
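Review bot: `variable "log_enabled"` is declared `type = string` with `default = true` while its sibling `metric_enabled` is `type = bool`; main.tf uses it as `var.log_enabled ? ["allLogs"] : []`, which only works through implicit string-to-bool conversion and gives a confusing plan error for any string that is not "true" or "false". Change it to `type = bool` to match `metric_enabled`, and drop the leading space in `description = " Is this Diagnostic Log enabled? Defaults to true."`.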
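Review bot: `variable "explict_proxy"` misspells "explicit" in a name that becomes part of the module's public interface, and the typo is repeated in `var.explict_proxy` in main.tf and in its description, so it is cheapest to fix before this version ships. `intrusion_detection`'s description reads "The instruction detection block"; suggested `description = "The intrusion_detection block within the firewall policy."`. `private_ranges` is already `optional(set(string))`, so the `toset(...)` wrapper in main.tf is redundant, and the file ends without a trailing newline.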
diff --git a/versions.tf b/versions.tf index 6ad51f9..6a65607 100644 --- a/versions.tf +++ b/versions.tf @@ -1,12 +1,13 @@ +# Terraform version terraform { - required_version = ">= 1.3.0" + required_version = ">= 1.6.6" } terraform { required_providers { azurerm = { source = "hashicorp/azurerm" - version = ">=2.90.0" + version = ">=3.85.0" } } } \ No newline at end of file