diff --git a/modules/firewall/CHANGELOG.md b/modules/firewall/CHANGELOG.md
new file mode 100644
index 0000000..825c32f
--- /dev/null
+++ b/modules/firewall/CHANGELOG.md
@@ -0,0 +1 @@
+# Changelog
diff --git a/modules/firewall/README.md b/modules/firewall/README.md
new file mode 100644
index 0000000..79fd017
--- /dev/null
+++ b/modules/firewall/README.md
@@ -0,0 +1,31 @@
+# Firewall
+
+This module creates a [Firewall](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/firewall).
+
+## Usage
+
+```hcl
+module "firewall" {
+ source = "https://github.com/gofrontier-com/azurerm-terraform-modules/releases/download/firewall/[VERSION]/module.tar.gz//src"
+
+ environment = "con"
+ identifier = "main"
+ location = "uksouth"
+ resource_group_name = module.resource_group.name
+ zone = "pla"
+
+ log_analytics_workspace_id = var.log_analytics_workspace_id
+
+ tags = {
+ WorkloadType = "PlatformLZ/virtual-wan"
+ }
+}
+```
+
+## Known issues
+
+_None._
+
+## Contributing
+
+See .
diff --git a/modules/firewall/VERSION b/modules/firewall/VERSION
new file mode 100644
index 0000000..d3827e7
--- /dev/null
+++ b/modules/firewall/VERSION
@@ -0,0 +1 @@
+1.0
diff --git a/modules/firewall/src/locals.tf b/modules/firewall/src/locals.tf
new file mode 100644
index 0000000..6a78776
--- /dev/null
+++ b/modules/firewall/src/locals.tf
@@ -0,0 +1,14 @@
+locals {
+ identifier = replace(lower(var.identifier), "/[^a-z1-9]/", "")
+
+ short_locations = {
+ "uksouth" = "uks"
+ "ukwest" = "ukw"
+ }
+
+ tags = {
+ Environment = var.environment
+ Location = var.location
+ Zone = var.zone
+ }
+}
diff --git a/modules/firewall/src/main.tf b/modules/firewall/src/main.tf
new file mode 100644
index 0000000..b53fa52
--- /dev/null
+++ b/modules/firewall/src/main.tf
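Review bot: The sanitising regex in the `identifier` local, `/[^a-z1-9]/`, strips the digit 0 along with punctuation, so an identifier such as `main01` is silently turned into `main1` and two identifiers that differ only by a zero produce the same firewall name. The character class should include zero: `identifier = replace(lower(var.identifier), "/[^a-z0-9]/", "")`. The `short_locations` map in the same block has only two regions and is read by `lookup()` without a default in main.tf, so any other `location` fails with a generic lookup error rather than a message naming the unsupported region; a `validation` block on `var.location` listing the supported keys would make that explicit.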
@@ -0,0 +1,49 @@
+resource "azurerm_firewall" "main" {
+ name = "fw-${var.zone}-${var.environment}-${lookup(local.short_locations, var.location)}-${local.identifier}"
+ resource_group_name = var.resource_group_name
+ location = var.location
+
+ firewall_policy_id = var.firewall_policy_id
+ sku_name = var.sku_name
+ sku_tier = var.sku_tier
+
+ dynamic "virtual_hub" {
+ for_each = var.virtual_hub_id != null ? [{}] : []
+
+ content {
+ virtual_hub_id = var.virtual_hub_id
+ }
+ }
+
+ tags = merge(var.tags, local.tags)
+}
+
+resource "azurerm_monitor_diagnostic_setting" "main" {
+ name = "log-analytics"
+ target_resource_id = azurerm_firewall.main.id
+ log_analytics_workspace_id = var.log_analytics_workspace_id
+
+ dynamic "enabled_log" {
+ for_each = var.log_categories
+
+ content {
+ category = enabled_log.value
+ }
+ }
+
+ dynamic "enabled_log" {
+ for_each = var.log_category_groups
+
+ content {
+ category_group = enabled_log.value
+ }
+ }
+
+ dynamic "metric" {
+ for_each = var.metric_categories
+
+ content {
+ category = metric.value
+ }
+ }
+}
diff --git a/modules/firewall/src/outputs.tf b/modules/firewall/src/outputs.tf
new file mode 100644
index 0000000..ca72626
--- /dev/null
+++ b/modules/firewall/src/outputs.tf
@@ -0,0 +1,15 @@
+output "id" {
+ value = azurerm_firewall.main.id
+}
+
+output "ip_configuration" {
+ value = azurerm_firewall.main.ip_configuration
+}
+
+output "name" {
+ value = azurerm_firewall.main.name
+}
+
+output "virtual_hub" {
+ value = azurerm_firewall.main.virtual_hub
+}
diff --git a/modules/firewall/src/variables.tf b/modules/firewall/src/variables.tf
new file mode 100644
index 0000000..543c7ba
--- /dev/null
+++ b/modules/firewall/src/variables.tf
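Review bot: The `azurerm_firewall` resource defaults to `sku_name = "AZFW_Hub"` but the `virtual_hub` block is only rendered when `virtual_hub_id` is non-null and there is no `ip_configuration` block at all, so the module's default invocation (which is what the README example and the test fixture use) produces a hub-SKU firewall attached to nothing; as far as I know the Azure API rejects that at apply time with an error that does not point back to the missing input. A `lifecycle` precondition on the resource would fail the plan with a clear message instead. It is also worth a one-line comment above `firewall_policy_id` noting that the module does not require a policy; a firewall with no policy has no rules and Azure Firewall denies traffic it has no rule for, so the default is fail-closed rather than open, but callers should know they must attach a policy before anything is allowed through. The rest of the hunk (diagnostic settings to Log Analytics with `allLogs` and `AllMetrics`) is sound.

```hcl
resource "azurerm_firewall" "main" {
  # … unchanged: name, resource_group_name, location, policy, SKU, virtual_hub and tags …

  lifecycle {
    precondition {
      condition     = var.sku_name != "AZFW_Hub" || var.virtual_hub_id != null
      error_message = "virtual_hub_id must be set when sku_name is AZFW_Hub; this module does not create an ip_configuration."
    }
  }
}
```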
@@ -0,0 +1,68 @@
+variable "environment" {
+ type = string
+}
+
+variable "firewall_policy_id" {
+ type = string
+ default = null
+}
+
+variable "identifier" {
+ type = string
+}
+
+variable "location" {
+ type = string
+}
+
+variable "log_analytics_workspace_id" {
+ type = string
+}
+
+# https://learn.microsoft.com/en-us/azure/azure-monitor/reference/supported-logs/microsoft-network-azurefirewalls-logs
+variable "log_categories" {
+ type = list(string)
+ default = []
+}
+
+variable "log_category_groups" {
+ type = list(string)
+ default = [
+ "allLogs"
+ ]
+}
+
+variable "metric_categories" {
+ type = list(string)
+ default = [
+ "AllMetrics"
+ ]
+}
+
+variable "resource_group_name" {
+ type = string
+}
+
+variable "sku_name" {
+ type = string
+ default = "AZFW_Hub"
+}
+
+variable "sku_tier" {
+ type = string
+ default = "Standard"
+}
+
+variable "tags" {
+ type = map(string)
+ default = {}
+}
+
+variable "virtual_hub_id" {
+ type = string
+ default = null
+}
+
+variable "zone" {
+ type = string
+}
diff --git a/modules/firewall/test/main.tf b/modules/firewall/test/main.tf
new file mode 100644
index 0000000..c9c72f4
--- /dev/null
+++ b/modules/firewall/test/main.tf
@@ -0,0 +1,19 @@
+provider "azurerm" {
+ features {}
+}
+
+module "firewall" {
+ source = "../src"
+
+ environment = "foo"
+ identifier = "bar"
+ location = "uksouth"
+ resource_group_name = "qux"
+ zone = "corge"
+
+ log_analytics_workspace_id = "grault"
+
+ tags = {
+ Foo = "Bar"
+ }
+}
diff --git a/modules/firewall/test/terraform.tf b/modules/firewall/test/terraform.tf
new file mode 100644
index 0000000..762ef2e
--- /dev/null
+++ b/modules/firewall/test/terraform.tf
@@ -0,0 +1,10 @@
+terraform {
+ required_version = "~> 1.5"
+
+ required_providers {
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = "~> 3.85"
+ }
+ }
+}
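Review bot: None of the variables in variables.tf carries a `description`, and `sku_name` and `sku_tier` accept any string even though the provider only takes a small fixed set of values, so a typo such as `"Premuim"` is not caught until the apply fails. Adding `validation` blocks to the two SKU variables and a one-line `description` to each variable (in particular noting that `firewall_policy_id` may be left null, that `log_analytics_workspace_id` is required because the diagnostic setting is always created, and that `virtual_hub_id` is needed for the hub SKU) would make the module's contract visible from `terraform-docs` and fail fast on bad input. The test fixture in the same hunk passes the literal `"grault"` as the workspace ID, which only works for `validate`/`plan` without a real subscription; a comment saying so would stop someone expecting it to apply.

```hcl
variable "sku_name" {
  type        = string
  default     = "AZFW_Hub"
  description = "Firewall SKU name: AZFW_Hub (Virtual WAN hub) or AZFW_VNet."

  validation {
    condition     = contains(["AZFW_Hub", "AZFW_VNet"], var.sku_name)
    error_message = "sku_name must be AZFW_Hub or AZFW_VNet."
  }
}

variable "sku_tier" {
  type        = string
  default     = "Standard"
  description = "Firewall SKU tier: Basic, Standard or Premium."

  validation {
    condition     = contains(["Basic", "Standard", "Premium"], var.sku_tier)
    error_message = "sku_tier must be Basic, Standard or Premium."
  }
}

# … unchanged: remaining variable declarations …
```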