This module creates an Azure Firewall attached to a Virtual Hub.
Using this module outside the Virtual Wan module need an existing Virtual Hub.
| Module version | Terraform version | OpenTofu version | AzureRM version |
|---|---|---|---|
| >= 8.x.x | Unverified | 1.8.x | >= 4.0 |
| >= 7.x.x | 1.3.x | >= 3.0 | |
| >= 6.x.x | 1.x | >= 3.0 | |
| >= 5.x.x | 0.15.x | >= 2.0 | |
| >= 4.x.x | 0.13.x / 0.14.x | >= 2.0 | |
| >= 3.x.x | 0.12.x | >= 2.0 | |
| >= 2.x.x | 0.12.x | < 2.0 | |
| < 2.x.x | 0.11.x | < 2.0 |
If you want to contribute to this repository, feel free to use our pre-commit git hook configuration which will help you automatically update and format some files for you by enforcing our Terraform code module best-practices.
More details are available in the CONTRIBUTING.md file.
This module is optimized to work with the Claranet terraform-wrapper tool
which set some terraform variables in the environment needed by this module.
More details about variables set by the terraform-wrapper available in the documentation.
module "azure_region" {
source = "claranet/regions/azurerm"
version = "x.x.x"
azure_region = var.azure_region
}
module "rg" {
source = "claranet/rg/azurerm"
version = "x.x.x"
client_name = var.client_name
environment = var.environment
location = module.azure_region.location
stack = var.stack
}
module "logs" {
source = "claranet/run/azurerm//modules/logs"
version = "x.x.x"
client_name = var.client_name
location = module.azure_region.location
location_short = module.azure_region.location_short
environment = var.environment
stack = var.stack
resource_group_name = module.rg.resource_group_name
}
data "azurerm_virtual_wan" "virtual_wan" {
name = var.virtual_wan_name
resource_group_name = var.virtual_wan_resource_group_name
}
module "virtual_hub" {
source = "claranet/virtual-wan/azurerm//modules/virtual-hub"
version = "x.x.x"
client_name = var.client_name
environment = var.environment
stack = var.stack
location = module.azure_region.location
location_short = module.azure_region.location_short
resource_group_name = module.rg.resource_group_name
virtual_hub_address_prefix = "10.0.0.0/23"
virtual_wan_id = data.azurerm_virtual_wan.virtual_wan.id
extra_tags = local.tags
}
module "firewall" {
source = "claranet/virtual-wan/azurerm//modules/firewall"
version = "x.x.x"
client_name = var.client_name
environment = var.environment
stack = var.stack
location = module.azure_region.location
location_short = module.azure_region.location_short
resource_group_name = module.rg.resource_group_name
logs_destinations_ids = [
module.logs.log_analytics_workspace_id,
]
virtual_hub_id = module.virtual_hub.virtual_hub_id
extra_tags = local.tags
}
locals {
tags = {
env = "prod"
stack = "hub"
}
}| Name | Version |
|---|---|
| azurecaf | ~> 1.2, >= 1.2.22 |
| azurerm | ~> 3.39 |
| Name | Source | Version |
|---|---|---|
| firewall_diagnostic_settings | claranet/diagnostic-settings/azurerm | ~> 7.0.0 |
| Name | Type |
|---|---|
| azurerm_firewall.azfw | resource |
| azurecaf_name.azure_firewall_caf | data source |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| client_name | Name of client. | string |
n/a | yes |
| custom_diagnostic_settings_name | Custom name of the diagnostics settings, name will be 'default' if not set. | string |
"default" |
no |
| custom_name | Custom Firewall's name | string |
null |
no |
| default_tags_enabled | Option to enabled or disable default tags | bool |
true |
no |
| environment | Name of application's environment. | string |
n/a | yes |
| extra_tags | Tags for Firewall resource | map(string) |
{} |
no |
| firewall_availibility_zones | Availability zones in which the Azure Firewall should be created. | list(number) |
[ |
no |
| firewall_dns_servers | List of DNS servers that the Azure Firewall will direct DNS traffic to for the name resolution | list(string) |
null |
no |
| firewall_policy_id | ID of the Firewall Policy applied to this Firewall. | string |
null |
no |
| firewall_private_ip_ranges | List of SNAT private CIDR IP ranges, or the special string IANAPrivateRanges, which indicates Azure Firewall does not SNAT when the destination IP address is a private range per IANA RFC 1918 |
list(string) |
null |
no |
| firewall_public_ip_count | Number of public IPs to assign to the Firewall. | number |
1 |
no |
| firewall_sku_tier | SKU tier of the Firewall. Possible values are Premium and Standard. |
string |
"Standard" |
no |
| location | Azure location. | string |
n/a | yes |
| location_short | Short string for Azure location. | string |
n/a | yes |
| logs_categories | Log categories to send to destinations. | list(string) |
null |
no |
| logs_destinations_ids | List of destination resources IDs for logs diagnostic destination. Can be Storage Account, Log Analytics Workspace and Event Hub. No more than one of each can be set.If you want to specify an Azure EventHub to send logs and metrics to, you need to provide a formated string with both the EventHub Namespace authorization send ID and the EventHub name (name of the queue to use in the Namespace) separated by the ` |
` character. | list(string) |
n/a |
| logs_metrics_categories | Metrics categories to send to destinations. | list(string) |
null |
no |
| name_prefix | Prefix for generated resources names. | string |
"" |
no |
| name_slug | Slug to use with the generated resources names. | string |
"" |
no |
| name_suffix | Suffix for the generated resources names. | string |
"" |
no |
| resource_group_name | Name of the application's resource group. | string |
n/a | yes |
| stack | Name of application's stack. | string |
n/a | yes |
| virtual_hub_id | ID of the Virtual Hub in which to deploy the Firewall | string |
n/a | yes |
| Name | Description |
|---|---|
| firewall_id | ID of the created firewall |
| firewall_ip_configuration | IP configuration of the created firewall |
| firewall_management_ip_configuration | Management IP configuration of the created firewall |
| firewall_private_ip_address | Private IP address of the firewall |
| firewall_public_ip | Public IP address of the firewall |