So first of all, Azure CAF (aztfmod) and Terraform enterprise scale are two different solutions. This Azure Landing Zone Comparison blog post explain the difference.

When you say you want to deploy firewall rules, I assume you want to deploy a azurerm_firewall_policy_rule_collection_group, i.e. rules based on IP, Port, Protocol etc.

Terraform Enterprise scale

Does not include support for deploying these fine grained firewall_policy_rule_collection_group. You can however configure azurerm_firewall_policy via the exposed variables described here.

If you want to deploy a firewall_policy_rule_collection_group your best bet is to deploy that in your own module and connect it to the policy deployed by the enterprise scale module via firewall_policy_id.

Aztfmod

In aztfmod, there’s two places firewall rules come into place, depending on which Level of Azure CAF modules you’re targeting

• Level 2: Core platform connectivity -> this is where you’d want to configure rules for your central hub
• Level 3: Application Landing zones vending machine -> if you offer e.g. on-premise connectivity to your subscription, you may need to configure additional firewall rules for each spoke network.

Here’s an example how to configure the hub firewall rules in level 2
examples/networking/firewall/103-firewall-policies/configuration.tfvars

azurerm_firewall_policy_rule_collection_groups = {
  group1 = {
    #firewall_policy_id = "Azure Resource ID"
    firewall_policy_key = "policy1"
    name                = "example-fwpolicy-rcg"
    priority            = 500

    application_rule_collections = {
      rule1 = {
        name     = "app_rule_collection1"
        priority = 500
        action   = "Deny"
        rules = {
          rule1 = {
            name = "app_rule_collection1_rule1"
            protocols = {
              1 = {
                type = "Http"
                port = 80
              }
              2 = {
                type = "Https"
                port = 443
              }
            }
            source_addresses  = ["10.0.0.1"]
            destination_fqdns = ["*.microsoft.com"]
          }
        }
      }
    }

    network_rule_collections = {
      group1 = {
        name     = "network_rule_collection1"
        priority = 400
        action   = "Deny"
        rules = {
          rule1 = {
            name                  = "network_rule_collection1_rule1"
            protocols             = ["TCP", "UDP"]
            source_addresses      = ["10.0.0.1"]
            destination_addresses = ["192.168.1.1", "192.168.1.2"]
            destination_ports     = ["80", "1000-2000"]
          }
        }
      }
    }

In general this seems to be closer to what you want.

Some caveat about both Microsoft Landing Zone approaches here.

Doing the integration between level 2 and 3 (in aztfmod language) is quite a bit complex and from my experience and can quickly become hard to keep track of doing manually which rules belong to which spoke. Consider implementing an automated (or at least semi-automated) virtual network self-service for spoke networks. This service can then build the firewall rule group variables for aztfmod dynamically for example.