Terraform-provider-azurerm: Add support for Azure Firewall

Created on 13 Jul 2018  ·  5 Comments  ·  Source: terraform-providers/terraform-provider-azurerm

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description


Azure Firewall is a new managed service on Azure. You can centrally create, enforce, and log application and network connectivity policies across subscriptions and virtual networks. Azure Firewall uses a static public IP address for your virtual network resources, allowing outside firewalls to identify traffic originating from your virtual network. The service is fully integrated with Azure Monitor for logging and analytics.
This will help with the security automation required by regulated industries like finance.

https://docs.microsoft.com/en-us/azure/firewall/overview

New or Affected Resource(s)

New

  • azurerm_firewall
  • azurerm_firewall_ipConfiguration
  • azurerm_firewall_applicationRuleCollection
  • azurerm_firewall_networkRuleCollection

Potential Terraform Configuration

resource "azurerm_virtual_network" "vnet" {
  name                = "vnet"
  resource_group_name = "${var.resource_group}"
  location            = "${var.location}"
  # address_space is required by the provider; the variable is an assumption added here
  address_space       = ["${var.address_space}"]
}

resource "azurerm_public_ip" "pip" {
  name                         = "pip"
  location                     = "${var.location}"
  resource_group_name          = "${var.resource_group}"
  public_ip_address_allocation = "static"
  sku                          = "Standard"
}

resource "azurerm_subnet" "firewall" {
  name                 = "AzureFirewallSubnet"
  resource_group_name  = "${var.resource_group}"
  virtual_network_name = "${azurerm_virtual_network.vnet.name}"
  address_prefix       = "${var.address_prefix}"
}

resource "azurerm_firewall" "fw" {
  name                = "firewall"
  resource_group_name = "${var.resource_group}"
  location            = "${var.location}"
}

# https://docs.microsoft.com/en-us/rest/api/firewall/azurefirewalls/createorupdate#azurefirewallipconfiguration
# would simplify the addition of additional subnets to an existing firewall
resource "azurerm_firewall_ipConfiguration" "spoke1" {
  name                 = "azureFirewallIpConfiguration_spoke1"
  firewall_id          = "${azurerm_firewall.fw.id}"
  public_ip_address_id = "${azurerm_public_ip.pip.id}"
  subnet_id            = "${azurerm_subnet.firewall.id}"
}

# https://docs.microsoft.com/en-us/rest/api/firewall/azurefirewalls/createorupdate#azurefirewallapplicationrule
# https://docs.microsoft.com/en-us/rest/api/firewall/azurefirewalls/createorupdate#azurefirewallapplicationrulecollection
# would simplify the addition of additional rules to an existing firewall
resource "azurerm_firewall_applicationRuleCollection" "apprule_110" {
  name        = "rule_110_deny_https"
  firewall_id = "${azurerm_firewall.fw.id}"
  priority    = 110
  action      = "Deny"

  rules = [
    {
      name        = "rule1"
      description = "Deny inbound rule"

      protocols = [
        {
          protocolType = "Https"
          port         = 443
        },
      ]

      targetUrls = [
        "www.test.com",
      ]

      sourceAddresses = [
        "216.58.216.164",
        "10.0.0.0/24",
      ]
    },
  ]
}

# https://docs.microsoft.com/en-us/rest/api/firewall/azurefirewalls/createorupdate#azurefirewallnetworkrule
# would simplify the addition of additional rules to an existing firewall
resource "azurerm_firewall_networkRuleCollection" "netrule_112" {
  name        = "apprule_112"
  firewall_id = "${azurerm_firewall.fw.id}"
  priority    = 112
  action      = "Deny"

  rules = [
    {
      name        = "D-NAT-web-traffic"
      description = "D-NAT all outbound web traffic for inspection"

      sourceAddresses = [
        "192.168.1.1-192.168.1.12",
        "10.1.4.12-10.1.4.255",
      ]

      destinationPorts = [
        "443-444",
        "8443",
      ]

      destinationAddresses = [
        "*",
      ]

      protocols = [
        "TCP",
        "ICMP",
      ]
    },
  ]
}

output "firewall_id" {
  value = "${azurerm_firewall.fw.id}"
}

output "firewall_publicIPAddress" {
  value = "${azurerm_firewall.fw.publicIPAddress}"
}

output "private_ip_address" {
  value = "${azurerm_firewall.fw.PrivateIPAddress[0]}"
}

References

To create rules

Register provider for public preview

Powershell sample

new-resource servicfirewall

All 5 comments

I've started working on this, hoping to have a PR ready next week sometime

Support for Azure Firewall is now available in Terraform: https://www.terraform.io/docs/providers/azurerm/r/firewall.html
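The resource that shipped differs from the proposal above in a few ways that matter when you translate the sketch into real configuration: the IP configuration is a nested block rather than a separate resource, rule collections reference the firewall by name and use snake_case attributes with one `rule` block per rule, and only network rule collections existed at first. The following is an added example, not from the issue or the provider's own documentation; it assumes the released azurerm 1.x provider, Terraform 0.11 interpolation syntax to match the proposal, an existing `azurerm_virtual_network.vnet`, and the variables `resource_group`, `location` and `log_analytics_workspace_id`. It also goes one step beyond the comment by wiring the firewall's rule logs into Log Analytics, since the description's point about Azure Monitor integration is what makes denies visible to a SOC.

```hcl
# Added example (not part of the issue). Assumes azurerm provider 1.x, Terraform 0.11
# syntax, an existing azurerm_virtual_network.vnet, and the variables
# resource_group, location and log_analytics_workspace_id.

# The subnet MUST be named AzureFirewallSubnet; the public IP must be a static Standard SKU.
resource "azurerm_subnet" "firewall" {
  name                 = "AzureFirewallSubnet"
  resource_group_name  = "${var.resource_group}"
  virtual_network_name = "${azurerm_virtual_network.vnet.name}"
  address_prefix       = "10.0.1.0/26" # constructed prefix
}

resource "azurerm_public_ip" "fw" {
  name                         = "fw-pip"
  location                     = "${var.location}"
  resource_group_name          = "${var.resource_group}"
  public_ip_address_allocation = "Static"
  sku                          = "Standard"
}

# In the released provider the IP configuration is a nested block, not a separate resource.
resource "azurerm_firewall" "fw" {
  name                = "firewall"
  location            = "${var.location}"
  resource_group_name = "${var.resource_group}"

  ip_configuration {
    name                 = "configuration"
    subnet_id            = "${azurerm_subnet.firewall.id}"
    public_ip_address_id = "${azurerm_public_ip.fw.id}"
  }
}

# Rule collections reference the firewall by name and take one `rule` block per rule.
# Azure Firewall denies traffic that no rule allows, so allow-list only what the
# workload needs; lower priority numbers are evaluated first.
resource "azurerm_firewall_network_rule_collection" "dns" {
  name                = "allow-dns"
  azure_firewall_name = "${azurerm_firewall.fw.name}"
  resource_group_name = "${var.resource_group}"
  priority            = 100
  action              = "Allow"

  rule {
    name                  = "dns-to-resolver"
    source_addresses      = ["10.0.0.0/16"]   # constructed spoke range
    destination_ports     = ["53"]
    destination_addresses = ["10.0.0.4"]      # constructed resolver address
    protocols             = ["TCP", "UDP"]
  }
}

# Ship rule-hit logs to Log Analytics so allowed and denied flows are queryable.
resource "azurerm_monitor_diagnostic_setting" "fw" {
  name                       = "fw-diagnostics"
  target_resource_id         = "${azurerm_firewall.fw.id}"
  log_analytics_workspace_id = "${var.log_analytics_workspace_id}"

  log {
    category = "AzureFirewallNetworkRule"
    enabled  = true

    retention_policy {
      enabled = false
    }
  }
}

# The private address is exported from the ip_configuration block; spoke route tables
# point their default route at it.
output "firewall_private_ip" {
  value = "${azurerm_firewall.fw.ip_configuration.0.private_ip_address}"
}
```

Apply it with the usual `terraform init && terraform plan` in a directory that also declares the three variables. If you later adopt the application rule collection that the next comment asks about, give it its own collection resource with a distinct priority rather than mixing it into the network collection, because the two rule types are evaluated separately by the service.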

Hi Tom
I can see the Azure Firewall is being added, but it only supports Network Rules at the moment. What about Application and NAT rules?

Thanks
Reza

@rezamt would you mind opening a separate feature request for those? Thanks!

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!