diff --git a/.github/workflows/readme.yml b/.github/workflows/readme.yml index 5892dcc..d3cbfb6 100644 --- a/.github/workflows/readme.yml +++ b/.github/workflows/readme.yml @@ -51,5 +51,4 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # required SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_TERRAFORM }} # required - if: always() - + if: always() \ No newline at end of file diff --git a/.idea/.gitignore b/.idea/.gitignore deleted file mode 100644 index 26d3352..0000000 --- a/.idea/.gitignore +++ /dev/null @@ -1,3 +0,0 @@ -# Default ignored files -/shelf/ -/workspace.xml diff --git a/.idea/misc.xml b/.idea/misc.xml deleted file mode 100644 index 639900d..0000000 --- a/.idea/misc.xml +++ /dev/null @@ -1,6 +0,0 @@ - - - - - - \ No newline at end of file diff --git a/.idea/modules.xml b/.idea/modules.xml deleted file mode 100644 index d55644e..0000000 --- a/.idea/modules.xml +++ /dev/null @@ -1,8 +0,0 @@ - - - - - - - - \ No newline at end of file diff --git a/.idea/terraform-azure-storage.iml b/.idea/terraform-azure-storage.iml deleted file mode 100644 index d6ebd48..0000000 --- a/.idea/terraform-azure-storage.iml +++ /dev/null @@ -1,9 +0,0 @@ - - - - - - - - - \ No newline at end of file diff --git a/.idea/vcs.xml b/.idea/vcs.xml deleted file mode 100644 index 35eb1dd..0000000 --- a/.idea/vcs.xml +++ /dev/null @@ -1,6 +0,0 @@ - - - - - - \ No newline at end of file diff --git a/.releaserc.json b/.releaserc.json index 548e644..15f87c2 100644 --- a/.releaserc.json +++ b/.releaserc.json @@ -7,4 +7,4 @@ "@semantic-release/release-notes-generator", "@semantic-release/github" ] -} +} \ No newline at end of file diff --git a/MAKEFILE b/Makefile similarity index 100% rename from MAKEFILE rename to Makefile diff --git a/README.md b/README.md index d0ee71b..f9ad8f5 100644 --- a/README.md +++ b/README.md @@ -1 +1,285 @@ -# terraform-module-template \ No newline at end of file + + +

+ + +

+ Terraform AZURE FIREWALL +

+ +

+ Terraform module to create firewall resource on AZURE. +

+ +

+ + + Terraform + + + Licence + + + +

+

+ + + + + + + + + + + +

+
+ + +We eat, drink, sleep and most importantly love **DevOps**. We are working towards strategies for standardizing architecture while ensuring security for the infrastructure. We are strong believer of the philosophy Bigger problems are always solved by breaking them into smaller manageable problems. Resonating with microservices architecture, it is considered best-practice to run database, cluster, storage in smaller connected yet manageable pieces within the infrastructure. + +This module is basically combination of [Terraform open source](https://www.terraform.io/) and includes automatation tests and examples. It also helps to create and improve your infrastructure with minimalistic code instead of maintaining the whole infrastructure code yourself. + +We have [*fifty plus terraform modules*][terraform_modules]. A few of them are comepleted and are available for open source usage while a few others are in progress. + + + + +## Prerequisites + +This module has a few dependencies: + +- [Terraform 1.x.x](https://learn.hashicorp.com/terraform/getting-started/install.html) +- [Go](https://golang.org/doc/install) +- [github.com/stretchr/testify/assert](https://github.com/stretchr/testify) +- [github.com/gruntwork-io/terratest/modules/terraform](https://github.com/gruntwork-io/terratest) + + + + + + + +## Examples + + +**IMPORTANT:** Since the `master` branch used in `source` varies based on new modifications, we suggest that you use the release versions [here](https://github.com/clouddrove/terraform-azure-firewall/releases). 
+ + +### Simple Example +Here is an example of how you can use this module in your inventory structure: +```hcl + module "firewall" { + depends_on = [module.name_specific_subnet] + source = "clouddrove/firewall/azure" + name = "app" + environment = "test" + label_order = ["name", "environment"] + resource_group_name = module.resource_group.resource_group_name + location = module.resource_group.resource_group_location + subnet_id = module.name_specific_subnet.specific_subnet_id[0] + public_ip_names = ["vpn_test", "vnet_test"] + + # additional_public_ips = [{ + # name = "public-ip_name", + # public_ip_address_id = "public-ip_resource_id" + # } ] + + + + dnat-destination_ip = false // To be true when public ip associated with firewall is known and dnat policy is to be created. + +application_rule_collection = [ + { + name = "example_app_policy" + priority = 200 + action = "Allow" + rules = [ + { + name = "app_test" + source_addresses = ["*"] // ["X.X.X.X"] + destination_fqdns = ["*"] // ["X.X.X.X"] + protocols = [ + { + port = "443" + type = "Https" + }, + { + port = "80" + type = "Http" + } + ] + } + ] + } +] + +network_rule_collection = [ + { + name = "example_network_policy" + priority = "100" + action = "Allow" + rules = [ + { + name = "ssh" + protocols = ["TCP"] + source_addresses = ["*"] // ["X.X.X.X"] + destination_addresses = ["*"] // ["X.X.X.X"] + destination_ports = ["22"] + } + + ] + }, + { + name = "example_network_policy-2" + priority = "101" + action = "Allow" + rules = [ + { + name = "smtp" + protocols = ["TCP"] + source_addresses = ["*"] // ["X.X.X.X"] + destination_addresses = ["*"] // ["X.X.X.X"] + destination_ports = ["587"] + } + ] + } +] + +nat_rule_collection = [ + { + name = "example_nat_policy" + priority = "101" + rules = [ + { + name = "http" + protocols = ["TCP"] + source_addresses = ["*"] // ["X.X.X.X"] + destination_ports = ["80"] + source_addresses = ["*"] + translated_port = "80" + translated_address = "X.X.X.X" + destination_address = 
"X.X.X.X" //Public ip associated with firewall + + }, + { + name = "https" + protocols = ["TCP"] + destination_ports = ["443"] + source_addresses = ["*"] + translated_port = "443" + translated_address = "X.X.X.X" + destination_address = "X.X.X.X" //Public ip associated with firewall + + } + ] + }, + + { + name = "example_nat_policy-2" + priority = "100" + rules = [ + { + name = "http" + protocols = ["TCP"] + source_addresses = ["*"] // ["X.X.X.X"] + destination_ports = ["80"] + translated_port = "80" + translated_address = "X.X.X.X " //"10.30.0.194" + destination_address = "X.X.X.X" //Public ip associated with firewall + + }, + { + name = "https" + protocols = ["TCP"] + source_addresses = ["*"] // ["X.X.X.X"] + destination_ports = ["443"] + translated_port = "443" + translated_address = "X.X.X.X" + destination_address = "X.X.X.X" //Public ip associated with firewall + } + ] + } + ] +} + + ``` + + + + + + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| additional\_public\_ips | List of additional public ips' ids to attach to the firewall. |
list(object({
name = string,
public_ip_address_id = string
}))
| `[]` | no | +| app\_policy\_collection\_group | (optional) Name of app policy group | `string` | `"DefaultApplicationRuleCollectionGroup"` | no | +| application\_rule\_collection | One or more application\_rule\_collection blocks as defined below.. | `map` | `{}` | no | +| dnat-destination\_ip | Variable to specify that you have destination ip to attach to policy or not.(Destination ip is public ip that is attached to firewall) | `bool` | `false` | no | +| dns\_servers | DNS Servers to use with Azure Firewall. Using this also activate DNS Proxy. | `list(string)` | `null` | no | +| enabled | Set to false to prevent the module from creating any resources. | `bool` | `true` | no | +| environment | Environment (e.g. `prod`, `dev`, `staging`). | `string` | `""` | no | +| firewall\_private\_ip\_ranges | A list of SNAT private CIDR IP ranges, or the special string `IANAPrivateRanges`, which indicates Azure Firewall does not SNAT when the destination IP address is a private range per IANA RFC 1918. | `list(string)` | `null` | no | +| label\_order | Label order, e.g. sequence of application name and environment `name`,`environment`,'attribute' [`webserver`,`qa`,`devops`,`public`,] . | `list(any)` | `[]` | no | +| location | The location/region where the virtual network is created. Changing this forces a new resource to be created. | `string` | `""` | no | +| managedby | ManagedBy, eg ''. | `string` | `""` | no | +| name | Name (e.g. `app` or `cluster`). | `string` | `""` | no | +| nat\_policy\_collection\_group | (optional) Name of nat policy group | `string` | `"DefaultDnatRuleCollectionGroup"` | no | +| nat\_rule\_collection | One or more nat\_rule\_collection blocks as defined below. | `map` | `{}` | no | +| net\_policy\_collection\_group | (optional) Name of network policy group | `string` | `"DefaultNetworkRuleCollectionGroup"` | no | +| network\_rule\_collection | One or more network\_rule\_collection blocks as defined below. 
| `map` | `{}` | no | +| public\_ip\_allocation\_method | Defines the allocation method for this IP address. Possible values are Static or Dynamic | `string` | `"Static"` | no | +| public\_ip\_names | n/a | `list(string)` | `[]` | no | +| public\_ip\_sku | The SKU of the Public IP. Accepted values are Basic and Standard. Defaults to Basic | `string` | `"Standard"` | no | +| repository | Terraform current module repo | `string` | `""` | no | +| resource\_group\_name | A container that holds related resources for an Azure solution | `string` | `""` | no | +| sku\_name | (optional) describe your variable | `string` | `"AZFW_VNet"` | no | +| sku\_tier | Specifies the firewall sku tier | `string` | `"Standard"` | no | +| subnet\_id | Subnet ID | `string` | `""` | no | +| tags | A map of tags to add to all resources | `map(string)` | `{}` | no | +| threat\_intel\_mode | (Optional) The operation mode for threat intelligence-based filtering. Possible values are: Off, Alert, Deny. Defaults to Alert. | `string` | `"Alert"` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| firewall\_id | Firewall generated id | +| firewall\_name | Firewall name | +| private\_ip\_address | Firewall private IP | + + + + +## Testing +In this module testing is performed with [terratest](https://github.com/gruntwork-io/terratest) and it creates a small piece of infrastructure, matches the output like ARN, ID and Tags name etc and destroy infrastructure in your AWS account. This testing is written in GO, so you need a [GO environment](https://golang.org/doc/install) in your system. + +You need to run the following command in the testing folder: +```hcl + go test -run Test +``` + + + +## Feedback +If you come accross a bug or have any feedback, please log it in our [issue tracker](https://github.com/clouddrove/terraform-azure-firewall/issues), or feel free to drop us an email at [hello@clouddrove.com](mailto:hello@clouddrove.com). 
+ +If you have found it worth your time, go ahead and give us a ★ on [our GitHub](https://github.com/clouddrove/terraform-azure-firewall)! + +## About us + +At [CloudDrove][website], we offer expert guidance, implementation support and services to help organisations accelerate their journey to the cloud. Our services include docker and container orchestration, cloud migration and adoption, infrastructure automation, application modernisation and remediation, and performance engineering. + +

We are The Cloud Experts!

+
+

We ❤️ Open Source and you can check out our other modules to get help with your new Cloud ideas.

+ + [website]: https://clouddrove.com + [github]: https://github.com/clouddrove + [linkedin]: https://cpco.io/linkedin + [twitter]: https://twitter.com/clouddrove/ + [email]: https://clouddrove.com/contact-us.html + [terraform_modules]: https://github.com/clouddrove?utf8=%E2%9C%93&q=terraform-&type=&language= diff --git a/README.yaml b/README.yaml index d8282eb..61843ac 100644 --- a/README.yaml +++ b/README.yaml @@ -1,3 +1,5 @@ + + --- # # This is the canonical configuration for the `README.md` @@ -6,7 +8,7 @@ # Name of this project -name: Terraform AZURE FIREWALL +name: Terraform AZURE STORAGE # License of this project license: "APACHE" @@ -25,7 +27,7 @@ badges: # description of this project description: |- - Terraform module to create firewall resource on AZURE. + Terraform module to create storage resource on AZURE. # extra content include: - "terraform.md" @@ -36,14 +38,14 @@ usage: |- ### Simple Example Here is an example of how you can use this module in your inventory structure: ```hcl - module "firewall" { - depends_on = [module.name_specific_subnet] - source = "clouddrove/storage/azure" - name = "app" - environment = "test" - label_order = ["name", "environment"] - resource_group_name = module.resource_group.resource_group_name - location = module.resource_group.resource_group_location + module "storage" { + depends_on = [module.resource_group] + source = "clouddrove/storage/azure" + name = "app" + environment = "test" + label_order = ["name", "environment"] + resource_group_name = module.resource_group.resource_group_name + location = module.resource_group.resource_group_location storage_account_name = "storagestartac" account_kind = "StorageV2" account_tier = "Standard" 
@@ -53,28 +55,28 @@ usage: |- sftp_enabled = true network_rules = [ - { - default_action = "Deny" - ip_rules = ["0.0.0.0/0"] - bypass = ["AzureServices"] + { + default_action = "Deny" + ip_rules = ["0.0.0.0/0"] + bypass = ["AzureServices"] } - ] + ] - ## Storage Account Threat Protection + ## Storage Account Threat Protection enable_advanced_threat_protection = true - ## Storage Container + ## Storage Container containers_list = [ - { name = "app-test", access_type = "private" }, - ] + { name = "app-test", access_type = "private" }, + ] - ## Storage File Share + ## Storage File Share file_shares = [ - { name = "fileshare1", quota = 5 }, - ] + { name = "fileshare1", quota = 5 }, + ] - ## Storage Tables + ## Storage Tables tables = ["table1"] ## Storage Queues @@ -89,8 +91,6 @@ usage: |- snapshot_delete_after_days = 30 } ] - - } - ``` \ No newline at end of file + ``` diff --git a/_test/azure_storage_test.go b/_test/azure_firewall_test.go similarity index 88% rename from _test/azure_storage_test.go rename to _test/azure_firewall_test.go index cd31a9f..3121d5f 100644 --- a/_test/azure_storage_test.go +++ b/_test/azure_firewall_test.go @@ -24,11 +24,11 @@ func Test(t *testing.T) { defer terraform.Destroy(t, terraformOptions) // To get the value of an output variable, run 'terraform output' - Id := terraform.Output(t, terraformOptions, "storage_account_id") + Id := terraform.Output(t, terraformOptions, "firewall_id") Tags := terraform.OutputMap(t, terraformOptions, "tags") // Check that we get back the outputs that we expect - assert.Equal(t, "test-clouddrove-storage", Tags["Name"]) + assert.Equal(t, "test-clouddrove-firewall", Tags["Name"]) assert.Contains(t, Id, "/subscriptions") } } \ No newline at end of file diff --git a/version.tf b/versions.tf similarity index 89% rename from version.tf rename to versions.tf index 51d04a8..2a69bff 100644 --- a/version.tf +++ b/versions.tf @@ -1,4 +1,3 @@ -# Terraform version terraform { required_version = ">= 1.0.0" }
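Review bot: The expectations this hunk pins — output `firewall_id` and tag `test-clouddrove-firewall` — contradict README.yaml in the same commit, which is switched to `name: Terraform AZURE STORAGE`, a storage description and `module "storage"` while README.md and this test move to firewall; if README.md is regenerated from README.yaml the firewall documentation would be overwritten, so one side of the rename looks backwards. The unchanged `assert.Contains(t, Id, "/subscriptions")` also still accepts any ARM resource id, so the renamed test passes even if the example exposed some other resource under `firewall_id`; tightening it to `assert.Contains(t, Id, "/providers/Microsoft.Network/azureFirewalls/")` ties the check to the firewall resource type. The new README Outputs table lists no `tags` output, so presumably the `tags` read by `terraform.OutputMap` comes from the example rather than the module — worth confirming. Go style would prefer the lowercase local `id := terraform.Output(t, terraformOptions, "firewall_id")` over `Id`. `Test`'s body begins before this hunk.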