
I am trying to figure out a way to manage Azure Firewall policy at scale. The resource I am using is a collection group. Does anyone know of a way I could break out the application and network rule sections into different files (each application would have its own file in the repo)?

PS. I am not a developer, still a dumb network guy playing around in a software world.

resource "azurerm_firewall_policy_rule_collection_group" "example" {
  name               = "example-fwpolicy-rcg"
  firewall_policy_id = azurerm_firewall_policy.example.id
  priority           = 500

  # Application rules match on FQDN / protocol (L7 FQDN filtering)
  application_rule_collection {
    name     = "app_rule_collection1"
    priority = 500
    action   = "Deny"
    rule {
      name = "app_rule_collection1_rule1"
      protocols {
        type = "Http"
        port = 80
      }
      protocols {
        type = "Https"
        port = 443
      }
      source_addresses  = ["10.0.0.1"]
      destination_fqdns = ["*.microsoft.com"]
    }
  }

  # Network rules match on IP / protocol / port (L3/L4 filtering)
  network_rule_collection {
    name     = "network_rule_collection1"
    priority = 400
    action   = "Deny"
    rule {
      name                  = "network_rule_collection1_rule1"
      protocols             = ["TCP", "UDP"]
      source_addresses      = ["10.0.0.1"]
      destination_addresses = ["192.168.1.1", "192.168.1.2"]
      destination_ports     = ["80", "1000-2000"]
    }
  }
}

I have no idea where to even start to fix this issue, it is a bit above my skills.

2 Answers


  1. The resource I am using is a collection group. I am going to give dynamic blocks a look though, that may be the best way to solve this problem.

    I have created an Azure Firewall Policy with a dynamic block using Terraform.

    Firewall.tf

    provider "azurerm" {
      features {}
    }

    resource "azurerm_resource_group" "venkatrg" {
      name     = "firewall-resources"
      location = "West Europe"
    }

    resource "azurerm_firewall_policy" "venkatpolicy" {
      name                = "venkat-fwpolicy"
      resource_group_name = azurerm_resource_group.venkatrg.name
      location            = azurerm_resource_group.venkatrg.location
    }

    resource "azurerm_firewall_policy_rule_collection_group" "firewall_collection_group" {
      # The group's own name and priority are single values; var.network_rule_collections
      # is a list, so it cannot supply them directly (literal values used here instead).
      name               = "venkat-fwpolicy-rcg"
      firewall_policy_id = azurerm_firewall_policy.venkatpolicy.id
      priority           = 500

      # One network_rule_collection block per element of the variable
      dynamic "network_rule_collection" {
        for_each = var.network_rule_collections != null ? var.network_rule_collections : []
        content {
          name     = network_rule_collection.value.name
          priority = network_rule_collection.value.priority
          action   = network_rule_collection.value.action

          # One rule block per element of the collection's rules list
          dynamic "rule" {
            for_each = can(network_rule_collection.value.rules) ? network_rule_collection.value.rules : []

            content {
              name                  = rule.value.name
              protocols             = rule.value.protocols
              source_addresses      = rule.value.source_addresses
              destination_addresses = rule.value.destination_addresses
              destination_ports     = rule.value.destination_ports
            }
          }
        }
      }
    }
    

    variable.tf

    variable "network_rule_collections" {
      type = list(object({
        name     = string
        priority = number
        action   = string
        rules = list(object({
          name                  = string
          protocols             = list(string)
          source_addresses      = list(string)
          destination_addresses = list(string)
          destination_ports     = list(string)
        }))
      }))
    }
    

    Pass the network rule values in the format below.

    [
      {
        name     = "collection-1"
        priority = 100
        action   = "Allow"
        rules = [
          {
            name                  = "rule-1"
            protocols             = ["TCP"]
            source_addresses      = ["10.0.0.0/24"]
            destination_addresses = ["10.1.0.0/24"]
            destination_ports     = ["80"]
          }
        ]
      }
    ]
    

    Terraform Apply: (screenshot of the apply output not reproduced)

    Reference: Module with nested dynamic blocks by CavernousNylon

  2. I still don't think this will work; here there would be the need for multiple rules within the same network_rule_collection. You have a firewall collection group, within that group you can have multiple network_rule_collections, and within the network_rule_collections you have multiple rules. So for example:

    1 firewall rule group
    2 network rule collections (A & B)
    5 rules in network collection A, 2 rules in network collection B

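To address the original question (one file per application in the repo) with the nested dynamic-block approach from the first answer, here is an added example that is not part of the question or either answer. It assumes a directory rules/apps/ containing one JSON file per application (a constructed layout, shown in the comments) and reuses the azurerm_firewall_policy.venkatpolicy resource from the first answer; the precondition rejects duplicate collection priorities, which Azure would otherwise refuse at apply time.

```hcl
# Added example: load one application_rule_collection per file from
# rules/apps/*.json (assumed layout), e.g. rules/apps/crm.json:
# {
#   "name": "app-crm", "priority": 510, "action": "Allow",
#   "rules": [ { "name": "crm-web",
#                "source_addresses": ["10.0.1.0/24"],
#                "destination_fqdns": ["crm.example.com"],
#                "protocols": [ { "type": "Https", "port": 443 } ] } ]
# }
locals {
  app_files = fileset("${path.module}/rules/apps", "*.json")
  app_rule_collections = [
    for f in local.app_files : jsondecode(file("${path.module}/rules/apps/${f}"))
  ]
}

resource "azurerm_firewall_policy_rule_collection_group" "apps" {
  name               = "apps-rcg"
  firewall_policy_id = azurerm_firewall_policy.venkatpolicy.id
  priority           = 500

  lifecycle {
    # Two application files with the same priority would fail on the Azure side;
    # catch it at plan time with a clear message instead.
    precondition {
      condition     = length(distinct([for c in local.app_rule_collections : c.priority])) == length(local.app_rule_collections)
      error_message = "Application rule collection priorities in rules/apps/*.json must be unique."
    }
  }

  dynamic "application_rule_collection" {
    for_each = local.app_rule_collections
    content {
      name     = application_rule_collection.value.name
      priority = application_rule_collection.value.priority
      action   = application_rule_collection.value.action

      dynamic "rule" {
        for_each = application_rule_collection.value.rules
        content {
          name              = rule.value.name
          source_addresses  = rule.value.source_addresses
          destination_fqdns = rule.value.destination_fqdns

          # Each rule may carry several protocol/port pairs, as in the question
          dynamic "protocols" {
            for_each = rule.value.protocols
            content {
              type = protocols.value.type
              port = protocols.value.port
            }
          }
        }
      }
    }
  }
}
```

Network rule collections can be loaded the same way from a second directory into a second locals list, so each application's network and application rules live in files that can be reviewed and approved independently.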