diff --git a/Makefile b/Makefile index 58719016b3..64a025568f 100644 --- a/Makefile +++ b/Makefile @@ -25,10 +25,6 @@ build-and-push-airlock-processor: build-airlock-processor push-airlock-processor help: ## 💬 This help message :) @grep -E '[a-zA-Z_-]+:.*?## .*$$' $(firstword $(MAKEFILE_LIST)) | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-25s\033[0m %s\n", $$1, $$2}' -# to move your environment from the single 'core' deployment (which includes the firewall) -# toward the shared services model, where it is split out - run the following make target before a tre-deploy -# This will remove + import the resource state into a shared service -migrate-firewall-state: prepare-tf-state bootstrap: $(call target_title, "Bootstrap Terraform") \ @@ -96,15 +92,12 @@ push-resource-processor-vm-porter-image: push-airlock-processor: $(call push_image,"airlock-processor","${MAKEFILE_DIR}/airlock_processor/_version.py") -# # These targets are for a graceful migration of Firewall -# # from terraform state in Core to a Shared Service. -# # See https://github.com/microsoft/AzureTRE/issues/1177 -prepare-tf-state: +migrate-firewall-state: $(call target_title, "Preparing terraform state") \ && . ${MAKEFILE_DIR}/devops/scripts/check_dependencies.sh nodocker,env \ - && pushd ${MAKEFILE_DIR}/core/terraform > /dev/null && ../../shared_services/firewall/terraform/remove_state.sh && popd > /dev/null \ - && pushd ${MAKEFILE_DIR}/templates/shared_services/firewall/terraform > /dev/null && ./import_state.sh && popd > /dev/null -# / End migration targets + && pushd ${MAKEFILE_DIR}/templates/shared_services/firewall/terraform > /dev/null && ${MAKEFILE_DIR}/core/terraform/firewall/remove_state.sh && popd > /dev/null \ + && pushd ${MAKEFILE_DIR}/core/terraform > /dev/null && ${MAKEFILE_DIR}/core/terraform/firewall/import_state.sh && popd > /dev/null + deploy-core: tre-start $(call target_title, "Deploying TRE") \ 
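Review bot: The renamed `migrate-firewall-state` target in the second hunk carries no `## ` help comment, so it no longer appears in `make help` (whose grep on this page matches `## ` only), and the comment block that explained the migration and linked the tracking issue is deleted in the first hunk without a replacement; a one-liner such as `migrate-firewall-state: ## Move firewall state from the shared service into core (run before tre-deploy)` restores both. The recipe runs `remove_state.sh` and then `import_state.sh` back to back, so a failure inside the second script leaves the firewall resources in neither state; a `terraform state pull` backup of both states at the start of each script, or at least a comment on the target stating that expectation, would make the step recoverable. The `target_title` text "Preparing terraform state" still describes the old `prepare-tf-state` name rather than a migration.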
@@ -311,8 +304,7 @@ deploy-shared-service: firewall-install: . ${MAKEFILE_DIR}/devops/scripts/check_dependencies.sh env \ && $(MAKE) bundle-build bundle-publish bundle-register deploy-shared-service \ - DIR=${MAKEFILE_DIR}/templates/shared_services/firewall/ BUNDLE_TYPE=shared_service \ - PROPS="$${FIREWALL_SKU+--firewall_sku $${FIREWALL_SKU} }$${FIREWALL_FORCE_TUNNEL_IP+--firewall_force_tunnel_ip $${FIREWALL_FORCE_TUNNEL_IP} }" + DIR=${MAKEFILE_DIR}/templates/shared_services/firewall/ BUNDLE_TYPE=shared_service static-web-upload: $(call target_title, "Uploading to static website") \ diff --git a/templates/shared_services/firewall/terraform/firewall.tf b/core/terraform/firewall/firewall.tf similarity index 71% rename from templates/shared_services/firewall/terraform/firewall.tf rename to core/terraform/firewall/firewall.tf index 6697a359b6..fd61e2a146 100644 --- a/templates/shared_services/firewall/terraform/firewall.tf +++ b/core/terraform/firewall/firewall.tf 
@@ -1,43 +1,37 @@ resource "azurerm_public_ip" "fwtransit" { name = "pip-fw-${var.tre_id}" resource_group_name = local.core_resource_group_name - location = data.azurerm_resource_group.rg.location + location = var.location allocation_method = "Static" sku = "Standard" - tags = local.tre_shared_service_tags + tags = var.tre_core_tags lifecycle { ignore_changes = [tags, zones] } } -moved { - from = azurerm_public_ip.fwpip - to = azurerm_public_ip.fwtransit -} - resource "azurerm_public_ip" "fwmanagement" { count = (var.firewall_force_tunnel_ip != "" || local.effective_firewall_sku == "Basic") ? 1 : 0 name = "pip-fw-management-${var.tre_id}" - resource_group_name = local.core_resource_group_name - location = data.azurerm_resource_group.rg.location + resource_group_name = var.resource_group_name + location = var.location allocation_method = "Static" sku = "Standard" - tags = local.tre_shared_service_tags + tags = var.tre_core_tags lifecycle { ignore_changes = [tags, zones] } } - resource "azurerm_firewall" "fw" { name = local.firewall_name resource_group_name = local.core_resource_group_name - location = data.azurerm_resource_group.rg.location + location = var.location sku_tier = local.effective_firewall_sku sku_name = "AZFW_VNet" firewall_policy_id = azurerm_firewall_policy.root.id - tags = local.tre_shared_service_tags + tags = var.tre_core_tags ip_configuration { name = "fw-ip-configuration" - subnet_id = data.azurerm_subnet.firewall.id + subnet_id = var.firewall_subnet_id public_ip_address_id = azurerm_public_ip.fwtransit.id } @@ -45,7 +39,7 @@ resource "azurerm_firewall" "fw" { for_each = (var.firewall_force_tunnel_ip != "" || local.effective_firewall_sku == "Basic") ? [1] : [] content { name = "mgmtconfig" - subnet_id = data.azurerm_subnet.firewall_management.id + subnet_id = var.firewall_management_subnet_id public_ip_address_id = azurerm_public_ip.fwmanagement[0].id } } 
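Review bot: `azurerm_public_ip.fwtransit` and `azurerm_firewall.fw` keep `resource_group_name = local.core_resource_group_name` while `azurerm_public_ip.fwmanagement` here and `azurerm_firewall_policy.root` in the `@@ -78` hunk switch to `var.resource_group_name`, so the module now has two sources of truth for its resource group: the new locals.tf hard-codes `core_resource_group_name = "rg-${var.tre_id}"` whereas the caller passes `azurerm_resource_group.core.name`. If the two ever differ, the firewall and its policy land in different groups; use `resource_group_name = var.resource_group_name` on all four resources and drop the local. The `moved { from = azurerm_public_ip.fwpip ... }` block is removed, which only works because import_state.sh now imports `fwtransit` directly — a comment on the resource such as `# renamed from fwpip; existing state is carried over by import_state.sh` would record that dependency.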
@@ -60,7 +54,7 @@ data "azurerm_monitor_diagnostic_categories" "firewall" { resource "azurerm_monitor_diagnostic_setting" "firewall" { name = "diagnostics-fw-${var.tre_id}" target_resource_id = azurerm_firewall.fw.id - log_analytics_workspace_id = data.azurerm_log_analytics_workspace.tre.id + log_analytics_workspace_id = var.log_analytics_workspace_id log_analytics_destination_type = "Dedicated" dynamic "enabled_log" { @@ -78,10 +72,10 @@ resource "azurerm_monitor_diagnostic_setting" "firewall" { resource "azurerm_firewall_policy" "root" { name = local.firewall_policy_name - resource_group_name = local.core_resource_group_name - location = data.azurerm_resource_group.rg.location + resource_group_name = var.resource_group_name + location = var.location sku = local.effective_firewall_sku - tags = local.tre_shared_service_tags + tags = var.tre_core_tags lifecycle { ignore_changes = [tags] } } diff --git a/templates/shared_services/firewall/terraform/import_state.sh b/core/terraform/firewall/import_state.sh similarity index 51% rename from templates/shared_services/firewall/terraform/import_state.sh rename to core/terraform/firewall/import_state.sh index ea27f7d513..92ce35ded5 100755 --- a/templates/shared_services/firewall/terraform/import_state.sh +++ b/core/terraform/firewall/import_state.sh @@ -19,7 +19,7 @@ terraform init -input=false -backend=true -reconfigure -upgrade \ -backend-config="resource_group_name=${TF_VAR_mgmt_resource_group_name}" \ -backend-config="storage_account_name=${TF_VAR_mgmt_storage_account_name}" \ -backend-config="container_name=${TF_VAR_terraform_state_container_name}" \ - -backend-config="key=${TRE_ID}-shared-service-firewall" + -backend-config="key=${TRE_ID}" # Import a resource if it exists in Azure but doesn't exist in Terraform tf_state_list="$(terraform state list)" 
@@ -29,7 +29,9 @@ function import_if_exists() { CMD=$3 # Check if the resource exists in Terraform - TF_RESOURCE_EXISTS=$(echo "$tf_state_list" | grep -q ^"${ADDRESS}"$; echo $?) + echo "Checking if ${ADDRESS} exists in Terraform state..." + ESCAPED_ADDRESS=$(printf '%q' "${ADDRESS}") + TF_RESOURCE_EXISTS=$(echo "$tf_state_list" | grep -q ^"${ESCAPED_ADDRESS}"$; echo $?) if [[ ${TF_RESOURCE_EXISTS} -eq 0 ]]; then echo "${ADDRESS} already in TF State, ignoring..." @@ -44,6 +46,8 @@ function import_if_exists() { ${CMD} > /dev/null AZ_RESOURCE_EXISTS=$? + + # If resource exists in Terraform, it's already managed -- don't do anything # If resource doesn't exist in Terraform and doesn't exist in Azure, it will be created -- don't do anything # If resource doesn't exist in Terraform but exist in Azure, we need to import it 
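Review bot: `printf '%q'` produces shell quoting, not a regular-expression escape, so the new `ESCAPED_ADDRESS` only matches by coincidence: `.` is left unescaped and still matches any character, while `[0]` becomes `\[0\]`, which grep happens to read as literal brackets. The robust fix is to stop treating the address as a regex at all, `TF_RESOURCE_EXISTS=$(echo "$tf_state_list" | grep -qxF -- "${ADDRESS}"; echo $?)`, and delete the `ESCAPED_ADDRESS` line. The same construct is added to `remove_if_present` in the remove_state.sh `@@ -12` hunk and should get the same treatment. `import_if_exists` begins before this hunk.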
@@ -53,45 +57,26 @@ function import_if_exists() { fi } -import_if_exists azurerm_firewall.fw "/subscriptions/${ARM_SUBSCRIPTION_ID}/resourceGroups/${RESOURCE_GROUP_ID}/providers/Microsoft.Network/azureFirewalls/fw-${TRE_ID}" || echo "Resource already exists" - -# Firewall rules -import_if_exists azurerm_firewall_application_rule_collection.resource_processor_subnet \ - "/subscriptions/${ARM_SUBSCRIPTION_ID}/resourceGroups/${RESOURCE_GROUP_ID}/providers/Microsoft.Network/azureFirewalls/fw-${TRE_ID}/applicationRuleCollections/arc-resource_processor_subnet" \ - "az network firewall show --ids /subscriptions/${ARM_SUBSCRIPTION_ID}/resourceGroups/${RESOURCE_GROUP_ID}/providers/Microsoft.Network/azureFirewalls/fw-${TRE_ID}/applicationRuleCollections/arc-resource_processor_subnet" - -import_if_exists azurerm_firewall_application_rule_collection.shared_subnet \ - "/subscriptions/${ARM_SUBSCRIPTION_ID}/resourceGroups/${RESOURCE_GROUP_ID}/providers/Microsoft.Network/azureFirewalls/fw-${TRE_ID}/applicationRuleCollections/arc-shared_subnet" \ - "az network firewall show --ids /subscriptions/${ARM_SUBSCRIPTION_ID}/resourceGroups/${RESOURCE_GROUP_ID}/providers/Microsoft.Network/azureFirewalls/fw-${TRE_ID}/applicationRuleCollections/arc-shared_subnet" - -import_if_exists azurerm_firewall_application_rule_collection.web_app_subnet \ - "/subscriptions/${ARM_SUBSCRIPTION_ID}/resourceGroups/${RESOURCE_GROUP_ID}/providers/Microsoft.Network/azureFirewalls/fw-${TRE_ID}/applicationRuleCollections/arc-web_app_subnet" \ - "az network firewall show --ids /subscriptions/${ARM_SUBSCRIPTION_ID}/resourceGroups/${RESOURCE_GROUP_ID}/providers/Microsoft.Network/azureFirewalls/fw-${TRE_ID}/applicationRuleCollections/arc-web_app_subnet" +# Firewall +import_if_exists module.firewall.azurerm_firewall.fw "/subscriptions/${ARM_SUBSCRIPTION_ID}/resourceGroups/${RESOURCE_GROUP_ID}/providers/Microsoft.Network/azureFirewalls/fw-${TRE_ID}" -import_if_exists azurerm_firewall_network_rule_collection.general \ 
- "/subscriptions/${ARM_SUBSCRIPTION_ID}/resourceGroups/${RESOURCE_GROUP_ID}/providers/Microsoft.Network/azureFirewalls/fw-${TRE_ID}/networkRuleCollections/general" \ - "az network firewall show --ids /subscriptions/${ARM_SUBSCRIPTION_ID}/resourceGroups/${RESOURCE_GROUP_ID}/providers/Microsoft.Network/azureFirewalls/fw-${TRE_ID}/networkRuleCollections/general" +# Firewall IPs +if [[ "${FIREWALL_SKU}" == "Basic" ]]; then + import_if_exists module.firewall.azurerm_public_ip.fwmanagement[0] "/subscriptions/${ARM_SUBSCRIPTION_ID}/resourceGroups/${RESOURCE_GROUP_ID}/providers/Microsoft.Network/publicIPAddresses/pip-fw-management-${TRE_ID}" +fi -import_if_exists azurerm_firewall_network_rule_collection.resource_processor_subnet \ - "/subscriptions/${ARM_SUBSCRIPTION_ID}/resourceGroups/${RESOURCE_GROUP_ID}/providers/Microsoft.Network/azureFirewalls/fw-${TRE_ID}/networkRuleCollections/nrc-resource_processor_subnet" \ - "az network firewall show --ids /subscriptions/${ARM_SUBSCRIPTION_ID}/resourceGroups/${RESOURCE_GROUP_ID}/providers/Microsoft.Network/azureFirewalls/fw-${TRE_ID}/networkRuleCollections/nrc-resource_processor_subnet" +import_if_exists module.firewall.azurerm_public_ip.fwtransit "/subscriptions/${ARM_SUBSCRIPTION_ID}/resourceGroups/${RESOURCE_GROUP_ID}/providers/Microsoft.Network/publicIPAddresses/pip-fw-${TRE_ID}" -import_if_exists azurerm_firewall_network_rule_collection.web_app_subnet \ - "/subscriptions/${ARM_SUBSCRIPTION_ID}/resourceGroups/${RESOURCE_GROUP_ID}/providers/Microsoft.Network/azureFirewalls/fw-${TRE_ID}/networkRuleCollections/nrc-web_app_subnet" \ - "az network firewall show --ids /subscriptions/${ARM_SUBSCRIPTION_ID}/resourceGroups/${RESOURCE_GROUP_ID}/providers/Microsoft.Network/azureFirewalls/fw-${TRE_ID}/networkRuleCollections/nrc-web_app_subnet" +# Firewall policy +import_if_exists module.firewall.azurerm_firewall_policy.root 
"/subscriptions/${ARM_SUBSCRIPTION_ID}/resourceGroups/${RESOURCE_GROUP_ID}/providers/Microsoft.Network/firewallPolicies/fw-policy-${TRE_ID}" +import_if_exists module.firewall.azurerm_firewall_policy_rule_collection_group.core \ + "/subscriptions/${ARM_SUBSCRIPTION_ID}/resourceGroups/${RESOURCE_GROUP_ID}/providers/Microsoft.Network/firewallPolicies/fw-policy-${TRE_ID}/ruleCollectionGroups/rcg-core" # Diagnostic settings -import_if_exists azurerm_monitor_diagnostic_setting.firewall \ - "/subscriptions/${ARM_SUBSCRIPTION_ID}/resourceGroups/${RESOURCE_GROUP_ID}/providers/Microsoft.Network/azureFirewalls/fw-${TRE_ID}|diagnostics-firewall-${TRE_ID}" \ - "az monitor diagnostic-settings show --resource /subscriptions/${ARM_SUBSCRIPTION_ID}/resourceGroups/rg-${TRE_ID}/providers/microsoft.network/azureFirewalls/fw-${TRE_ID} --name diagnostics-firewall-${TRE_ID}" - - -import_if_exists azurerm_public_ip.fwpip "/subscriptions/${ARM_SUBSCRIPTION_ID}/resourceGroups/${RESOURCE_GROUP_ID}/providers/Microsoft.Network/publicIPAddresses/pip-fw-${TRE_ID}" - - -import_if_exists azurerm_subnet_route_table_association.rt_web_app_subnet_association \ - "/subscriptions/${ARM_SUBSCRIPTION_ID}/resourceGroups/${RESOURCE_GROUP_ID}/providers/Microsoft.Network/virtualNetworks/vnet-${TRE_ID}/subnets/WebAppSubnet" +import_if_exists module.firewall.azurerm_monitor_diagnostic_setting.firewall \ + "/subscriptions/${ARM_SUBSCRIPTION_ID}/resourceGroups/${RESOURCE_GROUP_ID}/providers/Microsoft.Network/azureFirewalls/fw-${TRE_ID}|diagnostics-fw-${TRE_ID}" \ + "az monitor diagnostic-settings show --resource /subscriptions/${ARM_SUBSCRIPTION_ID}/resourceGroups/rg-${TRE_ID}/providers/microsoft.network/azureFirewalls/fw-${TRE_ID} --name diagnostics-fw-${TRE_ID}" # Route tables import_if_exists azurerm_route_table.rt \ 
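Review bot: The management public IP is imported only when `FIREWALL_SKU` is `Basic`, but firewall.tf creates `azurerm_public_ip.fwmanagement[0]` whenever `var.firewall_force_tunnel_ip != "" || local.effective_firewall_sku == "Basic"`; a Standard or Premium deployment that uses force tunnelling already has `pip-fw-management-${TRE_ID}` in Azure, and the following apply will try to create it a second time instead of importing it. Mirror the Terraform condition, assuming the same environment variable the old Makefile `PROPS` line read: `if [[ "${FIREWALL_SKU:-}" == "Basic" || -n "${FIREWALL_FORCE_TUNNEL_IP:-}" ]]; then`. The address `module.firewall.azurerm_public_ip.fwmanagement[0]` is also passed unquoted, so `[0]` is a glob pattern to the shell; quote it as `"module.firewall.azurerm_public_ip.fwmanagement[0]"`.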
@@ -102,3 +87,15 @@ import_if_exists azurerm_subnet_route_table_association.rt_shared_subnet_associa import_if_exists azurerm_subnet_route_table_association.rt_resource_processor_subnet_association \ "/subscriptions/${ARM_SUBSCRIPTION_ID}/resourceGroups/${RESOURCE_GROUP_ID}/providers/Microsoft.Network/virtualNetworks/vnet-${TRE_ID}/subnets/ResourceProcessorSubnet" + +import_if_exists azurerm_subnet_route_table_association.rt_web_app_subnet_association \ + "/subscriptions/${ARM_SUBSCRIPTION_ID}/resourceGroups/${RESOURCE_GROUP_ID}/providers/Microsoft.Network/virtualNetworks/vnet-${TRE_ID}/subnets/WebAppSubnet" + +import_if_exists azurerm_subnet_route_table_association.rt_airlock_processor_subnet_association \ + "/subscriptions/${ARM_SUBSCRIPTION_ID}/resourceGroups/${RESOURCE_GROUP_ID}/providers/Microsoft.Network/virtualNetworks/vnet-${TRE_ID}/subnets/AirlockProcessorSubnet" + +import_if_exists azurerm_subnet_route_table_association.rt_airlock_storage_subnet_association \ + "/subscriptions/${ARM_SUBSCRIPTION_ID}/resourceGroups/${RESOURCE_GROUP_ID}/providers/Microsoft.Network/virtualNetworks/vnet-${TRE_ID}/subnets/AirlockStorageSubnet" + +import_if_exists azurerm_subnet_route_table_association.rt_airlock_events_subnet_association \ + "/subscriptions/${ARM_SUBSCRIPTION_ID}/resourceGroups/${RESOURCE_GROUP_ID}/providers/Microsoft.Network/virtualNetworks/vnet-${TRE_ID}/subnets/AirlockEventsSubnet" diff --git a/core/terraform/firewall/locals.tf b/core/terraform/firewall/locals.tf new file mode 100644 index 0000000000..8369d9c021 --- /dev/null +++ b/core/terraform/firewall/locals.tf 
@@ -0,0 +1,14 @@
+locals {
+ core_resource_group_name = "rg-${var.tre_id}"
+ firewall_name = "fw-${var.tre_id}"
+ firewall_diagnostic_categories_enabled = [
+ "AZFWApplicationRule",
+ "AZFWNetworkRule",
+ "AZFWDnsProxy",
+ ]
+
+ firewall_policy_name = "fw-policy-${var.tre_id}"
+
+ default_firewall_sku = "Standard"
+ effective_firewall_sku = coalesce(var.firewall_sku, local.default_firewall_sku)
+}
diff --git a/core/terraform/firewall/main.tf b/core/terraform/firewall/main.tf
new file mode 100644
index 0000000000..a4eb095f9c
--- /dev/null
+++ b/core/terraform/firewall/main.tf
@@ -0,0 +1,9 @@
+terraform {
+ # In modules we should only specify the min version
+ required_providers {
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = ">= 3.117"
+ }
+ }
+}
diff --git a/core/terraform/firewall/outputs.tf b/core/terraform/firewall/outputs.tf
new file mode 100644
index 0000000000..a58f89dc2b
--- /dev/null
+++ b/core/terraform/firewall/outputs.tf
@@ -0,0 +1,3 @@
+output "private_ip_address" {
+ value = azurerm_firewall.fw.ip_configuration[0].private_ip_address
+}
diff --git a/templates/shared_services/firewall/terraform/remove_state.sh b/core/terraform/firewall/remove_state.sh
similarity index 57%
rename from templates/shared_services/firewall/terraform/remove_state.sh
rename to core/terraform/firewall/remove_state.sh
index 3b68a8c2ec..e47cb4ad13 100755
--- a/templates/shared_services/firewall/terraform/remove_state.sh
+++ b/core/terraform/firewall/remove_state.sh
@@ -12,12 +12,13 @@ terraform init -input=false -backend=true -reconfigure -upgrade \ -backend-config="resource_group_name=${TF_VAR_mgmt_resource_group_name}" \ -backend-config="storage_account_name=${TF_VAR_mgmt_storage_account_name}" \ -backend-config="container_name=${TF_VAR_terraform_state_container_name}" \ - -backend-config="key=${TRE_ID}" + -backend-config="key=${TRE_ID}-shared-service-firewall" tf_state_list="$(terraform state list)" function remove_if_present() { echo -n "Checking $1 ..." - found=$(echo "$tf_state_list" | grep -q ^"$1"$; echo $?) + ESCAPED_ADDRESS=$(printf '%q' "${1}") + found=$(echo "$tf_state_list" | grep -q ^"$ESCAPED_ADDRESS"$; echo $?) if [[ $found -eq 0 ]]; then echo " removing" 
@@ -27,17 +28,22 @@ function remove_if_present() { fi } +# routetable.tf remove_if_present azurerm_route_table.rt -remove_if_present azurerm_subnet_route_table_association.rt_resource_processor_subnet_association remove_if_present azurerm_subnet_route_table_association.rt_shared_subnet_association +remove_if_present azurerm_subnet_route_table_association.rt_resource_processor_subnet_association remove_if_present azurerm_subnet_route_table_association.rt_web_app_subnet_association -remove_if_present module.firewall -remove_if_present module.firewall.azurerm_public_ip.fwpip -remove_if_present module.firewall.azurerm_monitor_diagnostic_setting.firewall -remove_if_present module.firewall.azurerm_firewall_network_rule_collection.web_app_subnet -remove_if_present module.firewall.azurerm_firewall_network_rule_collection.resource_processor_subnet -remove_if_present module.firewall.azurerm_firewall_network_rule_collection.general -remove_if_present module.firewall.azurerm_firewall_application_rule_collection.web_app_subnet -remove_if_present module.firewall.azurerm_firewall_application_rule_collection.shared_subnet -remove_if_present module.firewall.azurerm_firewall_application_rule_collection.resource_processor_subnet -remove_if_present module.firewall.azurerm_firewall.fw +remove_if_present azurerm_subnet_route_table_association.rt_airlock_processor_subnet_association +remove_if_present azurerm_subnet_route_table_association.rt_airlock_storage_subnet_association +remove_if_present azurerm_subnet_route_table_association.rt_airlock_events_subnet_association + +# rules.tf +remove_if_present azurerm_firewall_network_rule_collection.core + +# firewall.tf +remove_if_present azurerm_public_ip.fwtransit +remove_if_present azurerm_public_ip.fwmanagement[0] +remove_if_present azurerm_firewall.fw +remove_if_present azurerm_monitor_diagnostic_categories.firewall +remove_if_present azurerm_monitor_diagnostic_setting.firewall +remove_if_present azurerm_firewall_policy.root 
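Review bot: `remove_if_present azurerm_monitor_diagnostic_categories.firewall` can never match: `azurerm_monitor_diagnostic_categories` is a data source (firewall.tf shows `data "azurerm_monitor_diagnostic_categories" "firewall"`), so its state address carries a `data.` prefix, and data sources need no removal before a migration anyway — delete the line. `remove_if_present azurerm_public_ip.fwmanagement[0]` is unquoted, so `[0]` is a shell glob; write `remove_if_present "azurerm_public_ip.fwmanagement[0]"`. The `# rules.tf` section removes only `azurerm_firewall_network_rule_collection.core`; if the shared-service rules.tf also declares application rule collections, as the old list of `module.firewall.azurerm_firewall_application_rule_collection.*` addresses suggests it once did, they would stay behind in the shared-service state — worth confirming against that file.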
diff --git a/core/terraform/firewall/rules.tf b/core/terraform/firewall/rules.tf
new file mode 100644
index 0000000000..8ff1cc6915
--- /dev/null
+++ b/core/terraform/firewall/rules.tf
@@ -0,0 +1,198 @@
+resource "azurerm_firewall_policy_rule_collection_group" "core" {
+ name = "rcg-core"
+ firewall_policy_id = azurerm_firewall_policy.root.id
+ priority = 500
+
+ network_rule_collection {
+ name = "nrc-general"
+ priority = 201
+ action = "Allow"
+
+ rule {
+ name = "time"
+ protocols = [
+ "UDP"
+ ]
+ destination_addresses = [
+ "*"
+ ]
+ destination_ports = [
+ "123"
+ ]
+ source_addresses = [
+ "*"
+ ]
+ }
+ }
+
+ network_rule_collection {
+ name = "nrc-resource-processor-subnet"
+ priority = 202
+ action = "Allow"
+
+ rule {
+ name = "azure-services"
+ protocols = [
+ "TCP"
+ ]
+ destination_addresses = [
+ "AzureActiveDirectory",
+ "AzureResourceManager",
+ "AzureContainerRegistry",
+ "Storage",
+ "AzureKeyVault"
+ ]
+ destination_ports = [
+ "443"
+ ]
+ source_ip_groups = [var.resource_processor_ip_group_id]
+ }
+ }
+
+ network_rule_collection {
+ name = "nrc-web-app-subnet"
+ priority = 203
+ action = "Allow"
+
+ rule {
+ name = "azure-services"
+ protocols = [
+ "TCP"
+ ]
+ destination_addresses = [
+ "AzureActiveDirectory",
+ "AzureContainerRegistry",
+ "AzureResourceManager"
+ ]
+ destination_ports = [
+ "443"
+ ]
+ source_ip_groups = [var.web_app_ip_group_id]
+ }
+ }
+
+ application_rule_collection {
+ name = "arc-resource-processor-subnet"
+ priority = 301
+ action = "Allow"
+
+ rule {
+ name = "os-package-sources"
+ protocols {
+ port = "443"
+ type = "Https"
+ }
+ protocols {
+ port = "80"
+ type = "Http"
+ }
+ destination_fqdns = [
+ "packages.microsoft.com",
+ "keyserver.ubuntu.com",
+ "api.snapcraft.io",
+ "azure.archive.ubuntu.com",
+ "security.ubuntu.com",
+ "entropy.ubuntu.com",
+ ]
+ source_ip_groups = [var.resource_processor_ip_group_id]
+ }
+
+ rule {
+ name = "docker-sources"
+ protocols {
+ port = "443"
+ type = "Https"
+ }
+ protocols {
+ port = "80"
+ type = "Http"
+ }
+ destination_fqdns = [
+ "download.docker.com",
+ "registry-1.docker.io",
+ "auth.docker.io",
+ ]
+ source_ip_groups = 
[var.resource_processor_ip_group_id]
+ }
+ # This rule is needed to support Gov Cloud.
+ # The az cli uses msal lib which requires access to this fqdn for authentication.
+ rule {
+ name = "microsoft-login"
+ protocols {
+ port = "443"
+ type = "Https"
+ }
+ destination_fqdns = [
+ "login.microsoftonline.com",
+ ]
+ source_ip_groups = [var.resource_processor_ip_group_id]
+ }
+
+
+ }
+
+ application_rule_collection {
+ name = "arc-shared-subnet"
+ priority = 302
+ action = "Allow"
+
+ rule {
+ name = "nexus-bootstrap"
+ protocols {
+ port = "443"
+ type = "Https"
+ }
+ protocols {
+ port = "80"
+ type = "Http"
+ }
+ destination_fqdns = [
+ "keyserver.ubuntu.com",
+ "packages.microsoft.com",
+ "download.docker.com",
+ "azure.archive.ubuntu.com"
+ ]
+ source_ip_groups = [var.shared_services_ip_group_id]
+ }
+ }
+
+ application_rule_collection {
+ name = "arc-web-app-subnet"
+ priority = 303
+ action = "Allow"
+
+ rule {
+ name = "microsoft-graph"
+ protocols {
+ port = "443"
+ type = "Https"
+ }
+ destination_fqdns = [
+ var.microsoft_graph_fqdn
+ ]
+ source_ip_groups = [var.web_app_ip_group_id]
+ }
+ }
+
+ application_rule_collection {
+ name = "arc-airlock-processor-subnet"
+ priority = 304
+ action = "Allow"
+
+ rule {
+ name = "functions-runtime"
+ protocols {
+ port = "443"
+ type = "Https"
+ }
+ destination_fqdns = [
+ "functionscdn.azureedge.net"
+ ]
+ source_ip_groups = [var.airlock_processor_ip_group_id]
+ }
+ }
+
+ depends_on = [
+ azurerm_firewall.fw
+ ]
+}
diff --git a/core/terraform/firewall/variables.tf b/core/terraform/firewall/variables.tf
new file mode 100644
index 0000000000..458bd0bf1e
--- /dev/null
+++ b/core/terraform/firewall/variables.tf
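Review bot: The `time` rule in `nrc-general` allows UDP/123 from `source_addresses = ["*"]` to `destination_addresses = ["*"]`, making it the only rule in the policy not scoped to an IP group and far broader than NTP needs; every other collection in this file uses `source_ip_groups`. Scope the source to the groups the module already receives, `source_ip_groups = [var.resource_processor_ip_group_id, var.web_app_ip_group_id, var.shared_services_ip_group_id, var.airlock_processor_ip_group_id]`, and the destination to the platform time servers if they are known, leaving a comment on why `*` is retained wherever it has to be. The group also has no header comment recording its priority scheme (500 for the group, 201-203 for network and 301-304 for application collections), which the API-driven shared-service collections presumably must avoid; a one-line `# priorities 201-203 and 301-304 are reserved for core rules; shared-service collections must use other values` would prevent collisions.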
@@ -0,0 +1,66 @@
+variable "tre_id" {
+ type = string
+ description = "Unique TRE ID"
+}
+
+variable "location" {
+ type = string
+}
+
+variable "resource_group_name" {
+ type = string
+}
+
+variable "firewall_sku" {
+ type = string
+ default = ""
+}
+
+variable "firewall_subnet_id" {
+ type = string
+ description = "Subnet ID for the firewall"
+}
+
+variable "firewall_management_subnet_id" {
+ type = string
+ description = "Subnet ID for the firewall management"
+}
+
+variable "firewall_force_tunnel_ip" {
+ type = string
+ default = ""
+}
+
+variable "tre_core_tags" {
+ type = map(string)
+ description = "Tags to apply to all resources"
+}
+
+variable "microsoft_graph_fqdn" {
+ type = string
+ description = "Microsoft Graph FQDN"
+}
+
+variable "log_analytics_workspace_id" {
+ type = string
+}
+
+variable "resource_processor_ip_group_id" {
+ type = string
+ description = "Resource Processor IP Group"
+}
+
+variable "web_app_ip_group_id" {
+ type = string
+ description = "Web App IP Group"
+}
+
+variable "airlock_processor_ip_group_id" {
+ type = string
+ description = "Airlock Processor IP Group"
+}
+
+variable "shared_services_ip_group_id" {
+ type = string
+ description = "Shared Services IP Group"
+}
diff --git a/core/terraform/main.tf b/core/terraform/main.tf
index 49693884c1..fd13096d8f 100644
--- a/core/terraform/main.tf
+++ b/core/terraform/main.tf
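Review bot: `firewall_sku` accepts any string (`default = ""`), and the `enum` of `Basic`/`Standard`/`Premium` that used to constrain it in template_schema.json is deleted in this commit without the check moving anywhere, so a typo now surfaces only from the provider at apply time; a `validation` block on the variable (below) restores the constraint, and `""` must stay allowed because locals.tf resolves it through `coalesce(var.firewall_sku, local.default_firewall_sku)`. `firewall_force_tunnel_ip` has the same gap and could be checked with `var.firewall_force_tunnel_ip == "" || can(cidrhost("${var.firewall_force_tunnel_ip}/32", 0))`; its root-module copy in core/terraform/variables.tf has neither a description nor a validation. `location`, `resource_group_name`, `firewall_sku`, `firewall_force_tunnel_ip` and `log_analytics_workspace_id` also lack a `description` while the other variables in this file have one.
```hcl
variable "firewall_sku" {
  type        = string
  default     = ""
  description = "Firewall and policy SKU tier; empty selects the module default (Standard)"

  validation {
    condition     = contains(["", "Basic", "Standard", "Premium"], var.firewall_sku)
    error_message = "firewall_sku must be empty, Basic, Standard or Premium."
  }
}
```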
@@ -92,6 +92,28 @@ module "network" { arm_environment = var.arm_environment } +module "firewall" { + source = "./firewall" + tre_id = var.tre_id + firewall_sku = var.firewall_sku + firewall_subnet_id = module.network.azure_firewall_subnet_id + firewall_force_tunnel_ip = var.firewall_force_tunnel_ip + location = var.location + resource_group_name = azurerm_resource_group.core.name + tre_core_tags = local.tre_core_tags + microsoft_graph_fqdn = regex("(?:(?P[^:/?#]+):)?(?://(?P[^/?#:]*))?", module.terraform_azurerm_environment_configuration.microsoft_graph_endpoint).fqdn + log_analytics_workspace_id = module.azure_monitor.log_analytics_workspace_id + firewall_management_subnet_id = module.network.firewall_management_subnet_id + resource_processor_ip_group_id = module.network.resource_processor_ip_group_id + shared_services_ip_group_id = module.network.shared_services_ip_group_id + web_app_ip_group_id = module.network.web_app_ip_group_id + airlock_processor_ip_group_id = module.network.airlock_processor_ip_group_id + + depends_on = [ + module.network, + ] +} + module "appgateway" { source = "./appgateway" tre_id = var.tre_id diff --git a/core/terraform/network/outputs.tf b/core/terraform/network/outputs.tf index 3e0aab407d..56b9a62ed7 100644 --- a/core/terraform/network/outputs.tf +++ b/core/terraform/network/outputs.tf @@ -10,6 +10,10 @@ output "azure_firewall_subnet_id" { value = azurerm_subnet.azure_firewall.id } +output "firewall_management_subnet_id" { + value = azurerm_subnet.firewall_management.id +} + output "app_gw_subnet_id" { value = azurerm_subnet.app_gw.id } 
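Review bot: The `microsoft_graph_fqdn` expression reads `regex("(?:(?P[^:/?#]+):)?(?://(?P[^/?#:]*))?", ...).fqdn`, where both named groups appear without a name; if the source really reads this way rather than this rendering having dropped `<scheme>` and `<fqdn>`, `regex()` returns a plain list and the `.fqdn` access fails at plan time. Either way a URL parse by regex with no comment is hard to verify; a line such as `# strip scheme and path from the Graph endpoint URL; the application rule needs a bare FQDN` would help, and moving the expression into a `local` keeps it from being repeated. The `depends_on = [module.network]` is redundant because every input already references a `module.network.*` output, and a module-level `depends_on` can defer all of the firewall module's reads until the whole network module has applied, which tends to produce needless known-after-apply diffs.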
@@ -83,3 +87,20 @@ output "queue_core_dns_zone_id" { output "table_core_dns_zone_id" { value = azurerm_private_dns_zone.private_dns_zones["privatelink.table.core.windows.net"].id } + +# IP Groups +output "resource_processor_ip_group_id" { + value = azurerm_ip_group.resource_processor.id +} + +output "shared_services_ip_group_id" { + value = azurerm_ip_group.shared.id +} + +output "airlock_processor_ip_group_id" { + value = azurerm_ip_group.airlock_processor.id +} + +output "web_app_ip_group_id" { + value = azurerm_ip_group.webapp.id +} diff --git a/core/terraform/routetable.tf b/core/terraform/routetable.tf new file mode 100644 index 0000000000..3901b521eb --- /dev/null +++ b/core/terraform/routetable.tf 
@@ -0,0 +1,95 @@ +resource "azurerm_route_table" "rt" { + name = "rt-${var.tre_id}" + resource_group_name = azurerm_resource_group.core.name + location = var.location + tags = local.tre_core_tags + + lifecycle { ignore_changes = [tags] } + + route { + name = "DefaultRoute" + address_prefix = "0.0.0.0/0" + next_hop_type = "VirtualAppliance" + next_hop_in_ip_address = module.firewall.private_ip_address + } +} + +resource "azurerm_subnet_route_table_association" "rt_shared_subnet_association" { + subnet_id = module.network.shared_subnet_id + route_table_id = azurerm_route_table.rt.id + + depends_on = [ + module.firewall + ] +} + +resource "azurerm_subnet_route_table_association" "rt_resource_processor_subnet_association" { + subnet_id = module.network.resource_processor_subnet_id + route_table_id = azurerm_route_table.rt.id + + # Not waiting for the rules will block traffic prematurally. + depends_on = [ + module.firewall + ] +} + +resource "azurerm_subnet_route_table_association" "rt_web_app_subnet_association" { + subnet_id = module.network.web_app_subnet_id + route_table_id = azurerm_route_table.rt.id + + depends_on = [ + module.firewall + ] +} + +resource "azurerm_subnet_route_table_association" "rt_airlock_processor_subnet_association" { + subnet_id = module.network.airlock_processor_subnet_id + route_table_id = azurerm_route_table.rt.id + + depends_on = [ + module.firewall + ] +} + +resource "azurerm_subnet_route_table_association" "rt_airlock_storage_subnet_association" { + subnet_id = module.network.airlock_storage_subnet_id + route_table_id = azurerm_route_table.rt.id + + depends_on = [ + module.firewall + ] +} + +resource "azurerm_subnet_route_table_association" "rt_airlock_events_subnet_association" { + subnet_id = module.network.airlock_events_subnet_id + route_table_id = azurerm_route_table.rt.id + + depends_on = [ + module.firewall + ] +} + + +resource "azurerm_route_table" "fw_tunnel_rt" { + count = var.firewall_force_tunnel_ip != "" ? 
1 : 0 + name = "rt-fw-tunnel-${var.tre_id}" + resource_group_name = azurerm_resource_group.core.name + location = azurerm_resource_group.core.location + bgp_route_propagation_enabled = true + tags = local.tre_core_tags + lifecycle { ignore_changes = [tags] } + + route { + name = "ForceTunnelRoute" + address_prefix = "0.0.0.0/0" + next_hop_type = "VirtualAppliance" + next_hop_in_ip_address = var.firewall_force_tunnel_ip + } +} + +resource "azurerm_subnet_route_table_association" "rt_fw_tunnel_subnet_association" { + count = var.firewall_force_tunnel_ip != "" ? 1 : 0 + subnet_id = module.network.azure_firewall_subnet_id + route_table_id = azurerm_route_table.fw_tunnel_rt[0].id +} + diff --git a/core/terraform/variables.tf b/core/terraform/variables.tf index 1f1004d8bb..21985144be 100644 --- a/core/terraform/variables.tf +++ b/core/terraform/variables.tf @@ -186,6 +186,11 @@ variable "firewall_sku" { default = "" } +variable "firewall_force_tunnel_ip" { + type = string + default = "" +} + variable "app_gateway_sku" { description = "Application Gateway SKU" type = string diff --git a/core/version.txt b/core/version.txt index 663d6b3572..ea370a8e55 100644 --- a/core/version.txt +++ b/core/version.txt @@ -1 +1 @@ -__version__ = "0.11.22" +__version__ = "0.12.0" diff --git a/templates/shared_services/firewall/porter.yaml b/templates/shared_services/firewall/porter.yaml index ffba80504b..77bf4aeeb3 100644 --- a/templates/shared_services/firewall/porter.yaml +++ b/templates/shared_services/firewall/porter.yaml @@ -45,18 +45,8 @@ parameters: type: string default: "W10=" # b64 for [] description: "Network rule collection array" - - name: firewall_sku - type: string - default: Standard - description: The firewall and its policy SKU tier - - name: microsoft_graph_fqdn - type: string - default: "graph.microsoft.com" - name: arm_environment type: string - - name: firewall_force_tunnel_ip - type: string - default: "" mixins: - terraform: 
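Review bot: `azurerm_route_table.rt` sends `0.0.0.0/0` to the firewall but does not set `bgp_route_propagation_enabled`, whereas `fw_tunnel_rt` sets it explicitly; with propagation left at the provider default, routes learned from a VPN or ExpressRoute gateway would be injected into these subnets and could bypass the firewall for on-premises prefixes. For a force-through-firewall design this is usually `bgp_route_propagation_enabled = false` — confirm against the intended network design and set it either way so the decision is recorded in code. The comment `# Not waiting for the rules will block traffic prematurally.` has a typo (`prematurely`) and sits on only one of the six associations although all six carry the same `depends_on = [module.firewall]`; place it once above the first association.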
@@ -70,9 +60,6 @@ install: tre_resource_id: ${ bundle.parameters.id } api_driven_rule_collections_b64: ${ bundle.parameters.rule_collections } api_driven_network_rule_collections_b64: ${ bundle.parameters.network_rule_collections } - firewall_sku: ${ bundle.parameters.firewall_sku } - microsoft_graph_fqdn: ${ bundle.parameters.microsoft_graph_fqdn } - firewall_force_tunnel_ip: ${ bundle.parameters.firewall_force_tunnel_ip } backendConfig: use_azuread_auth: "true" use_oidc: "true" @@ -89,9 +76,6 @@ upgrade: tre_resource_id: ${ bundle.parameters.id } api_driven_rule_collections_b64: ${ bundle.parameters.rule_collections } api_driven_network_rule_collections_b64: ${ bundle.parameters.network_rule_collections } - firewall_sku: ${ bundle.parameters.firewall_sku } - microsoft_graph_fqdn: ${ bundle.parameters.microsoft_graph_fqdn } - firewall_force_tunnel_ip: ${ bundle.parameters.firewall_force_tunnel_ip } backendConfig: use_azuread_auth: "true" use_oidc: "true" @@ -108,9 +92,6 @@ uninstall: tre_resource_id: ${ bundle.parameters.id } api_driven_rule_collections_b64: ${ bundle.parameters.rule_collections } api_driven_network_rule_collections_b64: ${ bundle.parameters.network_rule_collections } - firewall_sku: ${ bundle.parameters.firewall_sku } - microsoft_graph_fqdn: ${ bundle.parameters.microsoft_graph_fqdn } - firewall_force_tunnel_ip: ${ bundle.parameters.firewall_force_tunnel_ip } backendConfig: use_azuread_auth: "true" use_oidc: "true" diff --git a/templates/shared_services/firewall/template_schema.json b/templates/shared_services/firewall/template_schema.json index 23b0f8a526..c92f7544c8 100644 --- a/templates/shared_services/firewall/template_schema.json +++ b/templates/shared_services/firewall/template_schema.json 
@@ -6,22 +6,6 @@
 "description": "Provides Firewall shared service",
 "required": [],
 "properties": {
- "firewall_sku": {
- "type": "string",
- "title": "Firewall SKU",
- "description": "The SKU that will be used when deploying The Firewall.",
- "default": "Standard",
- "enum": [
- "Basic",
- "Standard",
- "Premium"
- ]
- },
- "firewall_force_tunnel_ip": {
- "type": "string",
- "title": "Force Tunnel IP",
- "description": "Optionally specify an IP address to forward all traffic to"
- },
 "rule_collections": {
 "$id": "#properties/rule_collections",
 "title": "application rule collections",
diff --git a/templates/shared_services/firewall/terraform/data.tf b/templates/shared_services/firewall/terraform/data.tf
index 8eb3d9da07..fe32363738 100644
--- a/templates/shared_services/firewall/terraform/data.tf
+++ b/templates/shared_services/firewall/terraform/data.tf
@@ -1,80 +1,3 @@
-data "azurerm_subnet" "firewall" {
- name = "AzureFirewallSubnet"
- virtual_network_name = "vnet-${var.tre_id}"
- resource_group_name = local.core_resource_group_name
-}
-
-data "azurerm_subnet" "firewall_management" {
- name = "AzureFirewallManagementSubnet"
- virtual_network_name = "vnet-${var.tre_id}"
- resource_group_name = local.core_resource_group_name
-}
-
-data "azurerm_subnet" "shared" {
- name = "SharedSubnet"
- virtual_network_name = "vnet-${var.tre_id}"
- resource_group_name = local.core_resource_group_name
-}
-
-data "azurerm_subnet" "resource_processor" {
- name = "ResourceProcessorSubnet"
- virtual_network_name = "vnet-${var.tre_id}"
- resource_group_name = local.core_resource_group_name
-}
-
-data "azurerm_subnet" "web_app" {
- name = "WebAppSubnet"
- virtual_network_name = "vnet-${var.tre_id}"
- resource_group_name = local.core_resource_group_name
-}
-
-data "azurerm_subnet" "airlock_processor" {
- name = "AirlockProcessorSubnet"
- virtual_network_name = "vnet-${var.tre_id}"
- resource_group_name = local.core_resource_group_name
-}
-
-data "azurerm_subnet" "airlock_storage" {
- name = "AirlockStorageSubnet"
- virtual_network_name = "vnet-${var.tre_id}"
- resource_group_name = local.core_resource_group_name
-}
-
-data "azurerm_subnet" "airlock_events" {
- name = "AirlockEventsSubnet"
- virtual_network_name = "vnet-${var.tre_id}"
- resource_group_name = local.core_resource_group_name
-}
-
-data "azurerm_log_analytics_workspace" "tre" {
- name = "log-${var.tre_id}"
- resource_group_name = local.core_resource_group_name
-}
-
-data "azurerm_resource_group" "rg" {
- name = local.core_resource_group_name
-}
-
-data "azurerm_ip_group" "resource_processor" {
- name = "ipg-resource-processor"
- resource_group_name = local.core_resource_group_name
-}
-
-data "azurerm_ip_group" "shared" {
- name = "ipg-shared"
- resource_group_name = local.core_resource_group_name
-}
-
-data "azurerm_ip_group" "web" {
- name = "ipg-web-app"
-
resource_group_name = local.core_resource_group_name
-}
-
-data "azurerm_ip_group" "airlock_processor" {
- name = "ipg-airlock-processor"
- resource_group_name = local.core_resource_group_name
-}
-
 data "azurerm_ip_group" "referenced" {
 for_each = toset(distinct(flatten(
 [for collection in concat(local.api_driven_network_rule_collection, local.api_driven_application_rule_collection) :
@@ -84,3 +7,8 @@ data "azurerm_ip_group" "referenced" {
 name = each.value
 resource_group_name = local.core_resource_group_name
 }
+
+data "azurerm_firewall_policy" "root" {
+ name = local.firewall_policy_name
+ resource_group_name = local.core_resource_group_name
+}
diff --git a/templates/shared_services/firewall/terraform/locals.tf b/templates/shared_services/firewall/terraform/locals.tf
index 83762737da..4d50f511cd 100644
--- a/templates/shared_services/firewall/terraform/locals.tf
+++ b/templates/shared_services/firewall/terraform/locals.tf
@@ -1,11 +1,5 @@
 locals {
 core_resource_group_name = "rg-${var.tre_id}"
- firewall_name = "fw-${var.tre_id}"
- firewall_diagnostic_categories_enabled = [
- "AZFWApplicationRule",
- "AZFWNetworkRule",
- "AZFWDnsProxy",
- ]
 tre_shared_service_tags = {
 tre_id = var.tre_id
 tre_shared_service_id = var.tre_resource_id
@@ -15,7 +9,4 @@ locals {
 api_driven_network_rule_collection = jsondecode(base64decode(var.api_driven_network_rule_collections_b64))
 firewall_policy_name = "fw-policy-${var.tre_id}"
-
- default_firewall_sku = "Standard"
- effective_firewall_sku = coalesce(var.firewall_sku, local.default_firewall_sku)
 }
diff --git a/templates/shared_services/firewall/terraform/routetable.tf b/templates/shared_services/firewall/terraform/routetable.tf
deleted file mode 100644
index 23202788eb..0000000000
--- a/templates/shared_services/firewall/terraform/routetable.tf
+++ /dev/null
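Review bot: The new `data "azurerm_firewall_policy" "root"` at the end of the hunk is where this bundle's ownership boundary moves, but nothing in the file records that the policy and the firewall behind it are now read-only from here; add `# Owned by core terraform (core/terraform/firewall); this bundle only attaches rule collection groups to it.` above the block. The lookup also couples to the core naming through `local.firewall_policy_name` (`"fw-policy-${var.tre_id}"` in the locals.tf hunk), so a rename on the core side surfaces only as a plan-time "not found" — a one-line comment saying the name must match the core definition would save the next maintainer a search. Whether core actually creates the policy under that name is outside this chunk, so please confirm.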
@@ -1,114 +0,0 @@
-resource "azurerm_route_table" "rt" {
- name = "rt-${var.tre_id}"
- resource_group_name = local.core_resource_group_name
- location = data.azurerm_resource_group.rg.location
- bgp_route_propagation_enabled = true
- tags = local.tre_shared_service_tags
-
- lifecycle { ignore_changes = [tags] }
-
- route {
- name = "DefaultRoute"
- address_prefix = "0.0.0.0/0"
- next_hop_type = "VirtualAppliance"
- next_hop_in_ip_address = azurerm_firewall.fw.ip_configuration[0].private_ip_address
- }
-}
-
-resource "azurerm_subnet_route_table_association" "rt_shared_subnet_association" {
- subnet_id = data.azurerm_subnet.shared.id
- route_table_id = azurerm_route_table.rt.id
-
- depends_on = [
- azurerm_firewall.fw,
- azurerm_firewall_policy_rule_collection_group.core,
- azurerm_firewall_policy_rule_collection_group.dynamic_network,
- azurerm_firewall_policy_rule_collection_group.dynamic_application
- ]
-}
-
-resource "azurerm_subnet_route_table_association" "rt_resource_processor_subnet_association" {
- subnet_id = data.azurerm_subnet.resource_processor.id
- route_table_id = azurerm_route_table.rt.id
-
- # Not waiting for the rules will block traffic prematurally.
- depends_on = [
- azurerm_firewall.fw,
- azurerm_firewall_policy_rule_collection_group.core,
- azurerm_firewall_policy_rule_collection_group.dynamic_network,
- azurerm_firewall_policy_rule_collection_group.dynamic_application
- ]
-}
-
-resource "azurerm_subnet_route_table_association" "rt_web_app_subnet_association" {
- subnet_id = data.azurerm_subnet.web_app.id
- route_table_id = azurerm_route_table.rt.id
-
- depends_on = [
- azurerm_firewall.fw,
- azurerm_firewall_policy_rule_collection_group.core,
- azurerm_firewall_policy_rule_collection_group.dynamic_network,
- azurerm_firewall_policy_rule_collection_group.dynamic_application
- ]
-}
-
-resource "azurerm_subnet_route_table_association" "rt_airlock_processor_subnet_association" {
- subnet_id = data.azurerm_subnet.airlock_processor.id
- route_table_id = azurerm_route_table.rt.id
-
- depends_on = [
- azurerm_firewall.fw,
- azurerm_firewall_policy_rule_collection_group.core,
- azurerm_firewall_policy_rule_collection_group.dynamic_network,
- azurerm_firewall_policy_rule_collection_group.dynamic_application
- ]
-}
-
-resource "azurerm_subnet_route_table_association" "rt_airlock_storage_subnet_association" {
- subnet_id = data.azurerm_subnet.airlock_storage.id
- route_table_id = azurerm_route_table.rt.id
-
- depends_on = [
- azurerm_firewall.fw,
- azurerm_firewall_policy_rule_collection_group.core,
- azurerm_firewall_policy_rule_collection_group.dynamic_network,
- azurerm_firewall_policy_rule_collection_group.dynamic_application
- ]
-}
-
-resource "azurerm_subnet_route_table_association" "rt_airlock_events_subnet_association" {
- subnet_id = data.azurerm_subnet.airlock_events.id
- route_table_id = azurerm_route_table.rt.id
-
- depends_on = [
- azurerm_firewall.fw,
- azurerm_firewall_policy_rule_collection_group.core,
- azurerm_firewall_policy_rule_collection_group.dynamic_network,
- azurerm_firewall_policy_rule_collection_group.dynamic_application
- ]
-}
-
-resource "azurerm_route_table" "fw_tunnel_rt" {
- count =
var.firewall_force_tunnel_ip != "" ? 1 : 0
- name = "rt-fw-tunnel-${var.tre_id}"
- resource_group_name = local.core_resource_group_name
- location = data.azurerm_resource_group.rg.location
- bgp_route_propagation_enabled = true
- tags = local.tre_shared_service_tags
-
- lifecycle { ignore_changes = [tags] }
-
- route {
- name = "ForceTunnelRoute"
- address_prefix = "0.0.0.0/0"
- next_hop_type = "VirtualAppliance"
- next_hop_in_ip_address = var.firewall_force_tunnel_ip
- }
-}
-
-resource "azurerm_subnet_route_table_association" "rt_fw_tunnel_subnet_association" {
- count = var.firewall_force_tunnel_ip != "" ? 1 : 0
- subnet_id = data.azurerm_subnet.firewall.id
- route_table_id = azurerm_route_table.fw_tunnel_rt[0].id
-}
-
diff --git a/templates/shared_services/firewall/terraform/rules.tf b/templates/shared_services/firewall/terraform/rules.tf
index 53991a6ce1..c9225f3c86 100644
--- a/templates/shared_services/firewall/terraform/rules.tf
+++ b/templates/shared_services/firewall/terraform/rules.tf
@@ -1,206 +1,6 @@
-resource "azurerm_firewall_policy_rule_collection_group" "core" {
- name = "rcg-core"
- firewall_policy_id = azurerm_firewall_policy.root.id
- priority = 500
-
- network_rule_collection {
- name = "nrc-general"
- priority = 201
- action = "Allow"
-
- rule {
- name = "time"
- protocols = [
- "UDP"
- ]
- destination_addresses = [
- "*"
- ]
- destination_ports = [
- "123"
- ]
- source_addresses = [
- "*"
- ]
- }
- }
-
- network_rule_collection {
- name = "nrc-resource-processor-subnet"
- priority = 202
- action = "Allow"
-
- rule {
- name = "azure-services"
- protocols = [
- "TCP"
- ]
- destination_addresses = [
- "AzureActiveDirectory",
- "AzureResourceManager",
- "AzureContainerRegistry",
- "Storage",
- "AzureKeyVault"
- ]
- destination_ports = [
- "443"
- ]
- source_ip_groups = [data.azurerm_ip_group.resource_processor.id]
- }
- }
-
- network_rule_collection {
- name = "nrc-web-app-subnet"
- priority = 203
- action = "Allow"
-
- rule {
- name = "azure-services"
- protocols = [
- "TCP"
- ]
- destination_addresses = [
- "AzureActiveDirectory",
- "AzureContainerRegistry",
- "AzureResourceManager"
- ]
- destination_ports = [
- "443"
- ]
- source_ip_groups = [data.azurerm_ip_group.web.id]
- }
- }
-
- application_rule_collection {
- name = "arc-resource-processor-subnet"
- priority = 301
- action = "Allow"
-
- rule {
- name = "os-package-sources"
- protocols {
- port = "443"
- type = "Https"
- }
- protocols {
- port = "80"
- type = "Http"
- }
- destination_fqdns = [
- "packages.microsoft.com",
- "keyserver.ubuntu.com",
- "api.snapcraft.io",
- "azure.archive.ubuntu.com",
- "security.ubuntu.com",
- "entropy.ubuntu.com",
- ]
- source_ip_groups = [data.azurerm_ip_group.resource_processor.id]
- }
-
- rule {
- name = "docker-sources"
- protocols {
- port = "443"
- type = "Https"
- }
- protocols {
- port = "80"
- type = "Http"
- }
- destination_fqdns = [
- "download.docker.com",
- "registry-1.docker.io",
- "auth.docker.io",
- ]
- source_ip_groups =
[data.azurerm_ip_group.resource_processor.id]
- }
- # This rule is needed to support Gov Cloud.
- # The az cli uses msal lib which requires access to this fqdn for authentication.
- rule {
- name = "microsoft-login"
- protocols {
- port = "443"
- type = "Https"
- }
- destination_fqdns = [
- "login.microsoftonline.com",
- ]
- source_ip_groups = [data.azurerm_ip_group.resource_processor.id]
- }
-
-
- }
-
- application_rule_collection {
- name = "arc-shared-subnet"
- priority = 302
- action = "Allow"
-
- rule {
- name = "nexus-bootstrap"
- protocols {
- port = "443"
- type = "Https"
- }
- protocols {
- port = "80"
- type = "Http"
- }
- destination_fqdns = [
- "keyserver.ubuntu.com",
- "packages.microsoft.com",
- "download.docker.com",
- "azure.archive.ubuntu.com"
- ]
- source_ip_groups = [data.azurerm_ip_group.shared.id]
- }
- }
-
- application_rule_collection {
- name = "arc-web-app-subnet"
- priority = 303
- action = "Allow"
-
- rule {
- name = "microsoft-graph"
- protocols {
- port = "443"
- type = "Https"
- }
- destination_fqdns = [
- var.microsoft_graph_fqdn
- ]
- source_ip_groups = [data.azurerm_ip_group.web.id]
- }
- }
-
- application_rule_collection {
- name = "arc-airlock-processor-subnet"
- priority = 304
- action = "Allow"
-
- rule {
- name = "functions-runtime"
- protocols {
- port = "443"
- type = "Https"
- }
- destination_fqdns = [
- "functionscdn.azureedge.net"
- ]
- source_ip_groups = [data.azurerm_ip_group.airlock_processor.id]
- }
- }
-
- depends_on = [
- azurerm_firewall.fw
- ]
-}
-
-
 resource "azurerm_firewall_policy_rule_collection_group" "dynamic_network" {
 name = "rcg-dynamic-network"
- firewall_policy_id = azurerm_firewall_policy.root.id
+ firewall_policy_id = data.azurerm_firewall_policy.root.id
 priority = 510
 dynamic "network_rule_collection" {
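Review bot: After this hunk rules.tf keeps only the two API-driven groups and attaches them to a policy it no longer creates, but nothing in the file says where the baseline platform rules it used to own (NTP, OS package and container-registry sources, `login.microsoftonline.com`, Microsoft Graph, the Functions CDN) now live, or that the priority-500 slot is reserved for them. A header comment such as `# The firewall, its root policy and the baseline rcg-core rules are managed in core terraform; this module only manages the API-driven rule collection groups (priorities 510/520) against that policy.` would record the ownership split that the `data.azurerm_firewall_policy.root` reference implies. I am assuming the removed rules were moved to core/terraform/firewall rather than dropped; that file is outside this chunk, so please confirm none of the allow rules were lost in the move, since a missing one shows up as a silent egress deny rather than a plan error.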
@@ -215,8 +15,8 @@ resource "azurerm_firewall_policy_rule_collection_group" "dynamic_network" {
 for_each = network_rule_collection.value.rules
 content {
- name = rule.value.name
- # description = rule.value.description
+ name = rule.value.name
+ description = rule.value.description
 source_addresses = try(rule.value.source_addresses, [])
 source_ip_groups = concat(
 try(rule.value.source_ip_group_ids, []),
@@ -231,15 +31,11 @@ resource "azurerm_firewall_policy_rule_collection_group" "dynamic_network" {
 }
 }
 }
-
- depends_on = [
- azurerm_firewall_policy_rule_collection_group.core
- ]
 }
 resource "azurerm_firewall_policy_rule_collection_group" "dynamic_application" {
 name = "rcg-dynamic-application"
- firewall_policy_id = azurerm_firewall_policy.root.id
+ firewall_policy_id = data.azurerm_firewall_policy.root.id
 priority = 520
 dynamic "application_rule_collection" {
diff --git a/templates/shared_services/firewall/terraform/variables.tf b/templates/shared_services/firewall/terraform/variables.tf
index 1140c25f40..9ac2916b11 100644
--- a/templates/shared_services/firewall/terraform/variables.tf
+++ b/templates/shared_services/firewall/terraform/variables.tf
@@ -3,11 +3,6 @@ variable "tre_id" {
 description = "Unique TRE ID"
 }
-variable "microsoft_graph_fqdn" {
- type = string
- description = "Microsoft Graph FQDN"
-}
-
 variable "tre_resource_id" {
 type = string
 description = "Resource ID"
@@ -22,13 +17,3 @@ variable "api_driven_network_rule_collections_b64" {
 type = string
 default = "W10=" #b64 for []
 }
-
-variable "firewall_sku" {
- type = string
- default = ""
-}
-
-variable "firewall_force_tunnel_ip" {
- type = string
- default = ""
-}
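Review bot: `description = rule.value.description` is now an unguarded attribute read, while the neighbouring `source_addresses = try(rule.value.source_addresses, [])` deliberately tolerates rule objects (decoded from `api_driven_network_rule_collections_b64`) that omit a key; a rule submitted without `description` will now fail the plan with an unsupported-attribute error where it previously applied. Use the same guard, `description = try(rule.value.description, null)`. The enclosing `dynamic_network` block starts outside the hunk, and if the `dynamic_application` group's rule block (also outside this chunk) was uncommented the same way it needs the same change.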