Add Firewall module (#48)

frontierhq · Jan 11, 2024 · 2437779 · 2437779
1 parent e13558f
commit 2437779
Show file tree

Hide file tree

Showing 9 changed files with 208 additions and 0 deletions.
diff --git a/modules/firewall/CHANGELOG.md b/modules/firewall/CHANGELOG.md
@@ -0,0 +1 @@
+# Changelog
diff --git a/modules/firewall/README.md b/modules/firewall/README.md
@@ -0,0 +1,31 @@
+# Firewall
+
+This module creates a [Firewall](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/firewall).
+
+## Usage
+
+```hcl
+module "firewall" {
+  source = "https://github.com/gofrontier-com/azurerm-terraform-modules/releases/download/firewall/[VERSION]/module.tar.gz//src"
+
+  environment         = "con"
+  identifier          = "main"
+  location            = "uksouth"
+  resource_group_name = module.resource_group.name
+  zone                = "pla"
+
+  log_analytics_workspace_id = var.log_analytics_workspace_id
+
+  tags = {
+    WorkloadType = "PlatformLZ/virtual-wan"
+  }
+}
+```
+
+## Known issues
+
+_None._
+
+## Contributing
+
+See <https://github.com/gofrontier-com/azurerm-terraform-modules/blob/main/README.rst#contributing>.
diff --git a/modules/firewall/VERSION b/modules/firewall/VERSION
@@ -0,0 +1 @@
+1.0
diff --git a/modules/firewall/src/locals.tf b/modules/firewall/src/locals.tf
@@ -0,0 +1,14 @@
+locals {
+  identifier = replace(lower(var.identifier), "/[^a-z1-9]/", "")
+
+  short_locations = {
+    "uksouth" = "uks"
+    "ukwest"  = "ukw"
+  }
+
+  tags = {
+    Environment = var.environment
+    Location    = var.location
+    Zone        = var.zone
+  }
+}
diff --git a/modules/firewall/src/main.tf b/modules/firewall/src/main.tf
@@ -0,0 +1,49 @@
+resource "azurerm_firewall" "main" {
+  name                = "fw-${var.zone}-${var.environment}-${lookup(local.short_locations, var.location)}-${local.identifier}"
+  resource_group_name = var.resource_group_name
+  location            = var.location
+
+  firewall_policy_id = var.firewall_policy_id
+  sku_name           = var.sku_name
+  sku_tier           = var.sku_tier
+
+  dynamic "virtual_hub" {
+    for_each = var.virtual_hub_id != null ? [{}] : []
+
+    content {
+      virtual_hub_id = var.virtual_hub_id
+    }
+  }
+
+  tags = merge(var.tags, local.tags)
+}
+
+resource "azurerm_monitor_diagnostic_setting" "main" {
+  name                       = "log-analytics"
+  target_resource_id         = azurerm_firewall.main.id
+  log_analytics_workspace_id = var.log_analytics_workspace_id
+
+  dynamic "enabled_log" {
+    for_each = var.log_categories
+
+    content {
+      category = enabled_log.value
+    }
+  }
+
+  dynamic "enabled_log" {
+    for_each = var.log_category_groups
+
+    content {
+      category_group = enabled_log.value
+    }
+  }
+
+  dynamic "metric" {
+    for_each = var.metric_categories
+
+    content {
+      category = metric.value
+    }
+  }
+}
diff --git a/modules/firewall/src/outputs.tf b/modules/firewall/src/outputs.tf
@@ -0,0 +1,15 @@
+output "id" {
+  value = azurerm_firewall.main.id
+}
+
+output "ip_configuration" {
+  value = azurerm_firewall.main.ip_configuration
+}
+
+output "name" {
+  value = azurerm_firewall.main.name
+}
+
+output "virtual_hub" {
+  value = azurerm_firewall.main.virtual_hub
+}
diff --git a/modules/firewall/src/variables.tf b/modules/firewall/src/variables.tf
@@ -0,0 +1,68 @@
+variable "environment" {
+  type = string
+}
+
+variable "firewall_policy_id" {
+  type    = string
+  default = null
+}
+
+variable "identifier" {
+  type = string
+}
+
+variable "location" {
+  type = string
+}
+
+variable "log_analytics_workspace_id" {
+  type = string
+}
+
+# https://learn.microsoft.com/en-us/azure/azure-monitor/reference/supported-logs/microsoft-network-azurefirewalls-logs
+variable "log_categories" {
+  type    = list(string)
+  default = []
+}
+
+variable "log_category_groups" {
+  type = list(string)
+  default = [
+    "allLogs"
+  ]
+}
+
+variable "metric_categories" {
+  type = list(string)
+  default = [
+    "AllMetrics"
+  ]
+}
+
+variable "resource_group_name" {
+  type = string
+}
+
+variable "sku_name" {
+  type    = string
+  default = "AZFW_Hub"
+}
+
+variable "sku_tier" {
+  type    = string
+  default = "Standard"
+}
+
+variable "tags" {
+  type    = map(string)
+  default = {}
+}
+
+variable "virtual_hub_id" {
+  type    = string
+  default = null
+}
+
+variable "zone" {
+  type = string
+}
diff --git a/modules/firewall/test/main.tf b/modules/firewall/test/main.tf
@@ -0,0 +1,19 @@
+provider "azurerm" {
+  features {}
+}
+
+module "firewall" {
+  source = "../src"
+
+  environment         = "foo"
+  identifier          = "bar"
+  location            = "uksouth"
+  resource_group_name = "qux"
+  zone                = "corge"
+
+  log_analytics_workspace_id = "grault"
+
+  tags = {
+    Foo = "Bar"
+  }
+}
diff --git a/modules/firewall/test/terraform.tf b/modules/firewall/test/terraform.tf
@@ -0,0 +1,10 @@
+terraform {
+  required_version = "~> 1.5"
+
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = "~> 3.85"
+    }
+  }
+}