bicep azure firewall 😊 (#133)

* initial version * added roles * removed depends on + updated lock names
Azure · Oct 7, 2021 · e52fcee · e52fcee
1 parent 1436751
commit e52fcee
Show file tree

Hide file tree

Showing 4 changed files with 293 additions and 4 deletions.
diff --git a/.github/workflows/ms.network.azurefirewalls.yml b/.github/workflows/ms.network.azurefirewalls.yml
@@ -81,7 +81,7 @@ jobs:
       - name: "Test module"
         uses: ./.github/actions/templates/validateModuleDeploy
         with:
-          templateFilePath: '${{ env.modulePath }}/deploy.json'
+          templateFilePath: '${{ env.modulePath }}/deploy.bicep'
           parameterFilePath: '${{ env.modulePath }}/parameters/${{ matrix.parameterFilePaths }}'
           location: '${{ env.defaultLocation }}'
           resourceGroupName: '${{ env.resourceGroupName }}'
@@ -116,7 +116,7 @@ jobs:
         uses: ./.github/actions/templates/deployModule
         with:
           moduleName: '${{ env.moduleName }}'
-          templateFilePath: '${{ env.modulePath }}/deploy.json'
+          templateFilePath: '${{ env.modulePath }}/deploy.bicep'
           parameterFilePath: '${{ env.modulePath }}/parameters/${{ matrix.parameterFilePaths }}'
           location: '${{ env.defaultLocation }}'
           resourceGroupName: '${{ env.resourceGroupName }}'
@@ -146,7 +146,7 @@ jobs:
       - name: "Publish module"
         uses: ./.github/actions/templates/publishModule
         with:
-          templateFilePath: '${{ env.modulePath }}/deploy.json'
+          templateFilePath: '${{ env.modulePath }}/deploy.bicep'
           componentTemplateSpecRGName: '${{ env.componentTemplateSpecRGName }}'
           componentTemplateSpecRGLocation: '${{ env.componentTemplateSpecRGLocation }}'
           componentTemplateSpecName: '${{ env.moduleName }}'
@@ -178,5 +178,5 @@ jobs:
         uses: ./.github/actions/templates/removeModule
         with:
           moduleName: '${{ env.moduleName }}'
-          templateFilePath: '${{ env.modulePath }}/deploy.json'
+          templateFilePath: '${{ env.modulePath }}/deploy.bicep'
           resourceGroupName: '${{ env.resourceGroupName }}'
diff --git a/arm/Microsoft.Network/azureFirewalls/.bicep/nested_cuaId.bicep b/arm/Microsoft.Network/azureFirewalls/.bicep/nested_cuaId.bicep
diff --git a/arm/Microsoft.Network/azureFirewalls/.bicep/nested_rbac.bicep b/arm/Microsoft.Network/azureFirewalls/.bicep/nested_rbac.bicep
@@ -0,0 +1,12 @@
+param roleAssignmentObj object
+param builtInRoleNames object
+param resourceName string
+
+resource roleAssignment 'Microsoft.Network/azureFirewalls/providers/roleAssignments@2018-09-01-preview' = [for principalId in roleAssignmentObj.principalIds: {
+  name: '${resourceName}/Microsoft.Authorization/${guid(resourceName, principalId, roleAssignmentObj.roleDefinitionIdOrName)}'
+  properties: {
+    roleDefinitionId: (contains(builtInRoleNames, roleAssignmentObj.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignmentObj.roleDefinitionIdOrName] : roleAssignmentObj.roleDefinitionIdOrName)
+    principalId: principalId
+  }
+  dependsOn: []
+}]
diff --git a/arm/Microsoft.Network/azureFirewalls/deploy.bicep b/arm/Microsoft.Network/azureFirewalls/deploy.bicep
@@ -0,0 +1,277 @@
+@description('Required. Name of the Azure Firewall.')
+param azureFirewallName string
+
+@description('Optional. Name of an Azure Firewall SKU.')
+@allowed([
+  'AZFW_VNet'
+  'AZFW_Hub'
+])
+param azureSkuName string = 'AZFW_VNet'
+
+@description('Optional. Tier of an Azure Firewall.')
+@allowed([
+  'Standard'
+  'Premium'
+])
+param azureSkuTier string = 'Standard'
+
+@description('Optional. Enable the preview feature for DNS proxy.')
+param enableDnsProxy bool = false
+
+@description('Optional. Collection of application rule collections used by Azure Firewall.')
+param applicationRuleCollections array = []
+
+@description('Optional. Collection of network rule collections used by Azure Firewall.')
+param networkRuleCollections array = []
+
+@description('Optional. Collection of NAT rule collections used by Azure Firewall.')
+param natRuleCollections array = []
+
+@description('Required. Shared services Virtual Network resource Id')
+param vNetId string
+
+@description('Optional. Specifies the name of the Public IP used by Azure Firewall. If it\'s not provided, a \'-pip\' suffix will be appended to the Firewall\'s name.')
+param azureFirewallPipName string = ''
+
+@description('Optional. Resource Id of the Public IP Prefix object. This is only needed if you want your Public IPs created in a PIP Prefix.')
+param publicIPPrefixId string = ''
+
+@description('Optional. Diagnostic Storage Account resource identifier')
+param diagnosticStorageAccountId string = ''
+
+@description('Optional. Log Analytics workspace resource identifier')
+param workspaceId string = ''
+
+@description('Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely.')
+@minValue(0)
+@maxValue(365)
+param diagnosticLogsRetentionInDays int = 365
+
+@description('Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
+param eventHubAuthorizationRuleId string = ''
+
+@description('Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.')
+param eventHubName string = ''
+
+@description('Optional. Location for all resources.')
+param location string = resourceGroup().location
+
+@description('Optional. Zone numbers e.g. 1,2,3.')
+param availabilityZones array = [
+  '1'
+  '2'
+  '3'
+]
+
+@description('Optional. Switch to lock the Firewall from deletion.')
+param lockForDeletion bool = false
+
+@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'')
+param roleAssignments array = []
+
+@description('Optional. Tags of the Automation Account resource.')
+param tags object = {}
+
+@description('Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered')
+param cuaId string = ''
+
+var publicIPPrefix = {
+  id: publicIPPrefixId
+}
+var azureFirewallSubnetId = '${vNetId}/subnets/AzureFirewallSubnet'
+var azureFirewallPipName_var = (empty(azureFirewallPipName) ? '${azureFirewallName}-pip' : azureFirewallPipName)
+var azureFirewallPipId = azureFirewallPip.id
+var diagnosticsMetrics = [
+  {
+    category: 'AllMetrics'
+    timeGrain: null
+    enabled: true
+    retentionPolicy: {
+      enabled: true
+      days: diagnosticLogsRetentionInDays
+    }
+  }
+]
+var diagnosticsLogsAzureFirewall = [
+  {
+    category: 'AzureFirewallApplicationRule'
+    enabled: true
+    retentionPolicy: {
+      enabled: true
+      days: diagnosticLogsRetentionInDays
+    }
+  }
+  {
+    category: 'AzureFirewallNetworkRule'
+    enabled: true
+    retentionPolicy: {
+      enabled: true
+      days: diagnosticLogsRetentionInDays
+    }
+  }
+  {
+    category: 'AzureFirewallDnsProxy'
+    enabled: true
+    retentionPolicy: {
+      enabled: true
+      days: diagnosticLogsRetentionInDays
+    }
+  }
+]
+var diagnosticsLogsPublicIp = [
+  {
+    category: 'DDoSProtectionNotifications'
+    enabled: true
+    retentionPolicy: {
+      enabled: true
+      days: diagnosticLogsRetentionInDays
+    }
+  }
+  {
+    category: 'DDoSMitigationFlowLogs'
+    enabled: true
+    retentionPolicy: {
+      enabled: true
+      days: diagnosticLogsRetentionInDays
+    }
+  }
+  {
+    category: 'DDoSMitigationReports'
+    enabled: true
+    retentionPolicy: {
+      enabled: true
+      days: diagnosticLogsRetentionInDays
+    }
+  }
+]
+var builtInRoleNames = {
+  'Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+  'Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','b24988ac-6180-42a0-ab88-20f7382dd24c')
+  'Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','acdd72a7-3385-48ef-bd42-f606fba81ae7')
+  'Avere Cluster Create': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','a7b1b19a-0e83-4fe5-935c-faaefbfd18c3')
+  'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','4f8fab4f-1852-4a58-a46a-8eaf358af14a')
+  'Azure Service Deploy Release Management Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','21d96096-b162-414a-8302-d8354f9d91b2')
+  'CAL-Custom-Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','7b266cd7-0bba-4ae2-8423-90ede5e1e898')
+  'ExpressRoute Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','a48d7896-14b4-4889-afef-fbb65a96e5a2')
+  'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','92aaf0da-9dab-42b6-94a3-d43ce8d16293')
+  'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','73c42c96-874c-492b-b04d-ab87d138a893')
+  'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','641177b8-a67a-45b9-a033-47bc880bb21e')
+  'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','c7393b34-138c-406f-901b-d8cf2b17e6ae')
+  'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','b9331d33-8a36-4f8c-b097-4f54124fdb44')
+  'masterreader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','a48d7796-14b4-4889-afef-fbb65a93e5a2')
+  'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','749f88d5-cbae-40b8-bcfc-e573ddc772fa')
+  'Monitoring Metrics Publisher': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','3913510d-42f4-4e42-8a64-420c390055eb')
+  'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','43d0d8ad-25c7-4714-9337-8ba259a9fe05')
+  'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','4d97b98b-1d4f-4787-a291-c67834d212e7')
+  'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','36243c78-bf99-498c-9df9-86d9f8d28608')
+  'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') 
+}
+
+module pid_cuaId './.bicep/nested_cuaId.bicep' = if (!empty(cuaId)) {
+  name: 'pid-${cuaId}'
+  params: {}
+}
+
+resource azureFirewallPip 'Microsoft.Network/publicIPAddresses@2021-02-01' = {
+  name: azureFirewallPipName_var
+  location: location
+  tags: tags
+  sku: {
+    name: 'Standard'
+  }
+  zones: availabilityZones
+  properties: {
+    publicIPAllocationMethod: 'Static'
+    publicIPAddressVersion: 'IPv4'
+    publicIPPrefix: ((!empty(publicIPPrefixId)) ? publicIPPrefix : json('null'))
+  }
+}
+
+resource azureFirewallPip_lock 'Microsoft.Authorization/locks@2016-09-01' = if (lockForDeletion) {
+  name: '${azureFirewallPip.name}-doNotDelete'
+  properties: {
+    level: 'CanNotDelete'
+  }
+}
+
+resource azureFirewallPip_diagnosticSettings 'Microsoft.Insights/diagnosticsettings@2017-05-01-preview' = if ((!empty(diagnosticStorageAccountId)) || (!empty(workspaceId)) || (!empty(eventHubAuthorizationRuleId)) || (!empty(eventHubName))) {
+  name: '${azureFirewallPip.name}-diagnosticSettings'
+  properties: {
+    storageAccountId: (empty(diagnosticStorageAccountId) ? json('null') : diagnosticStorageAccountId)
+    workspaceId: (empty(workspaceId) ? json('null') : workspaceId)
+    eventHubAuthorizationRuleId: (empty(eventHubAuthorizationRuleId) ? json('null') : eventHubAuthorizationRuleId)
+    eventHubName: (empty(eventHubName) ? json('null') : eventHubName)
+    metrics: ((empty(diagnosticStorageAccountId) && empty(workspaceId) && empty(eventHubAuthorizationRuleId) && empty(eventHubName)) ? json('null') : diagnosticsMetrics)
+    logs: ((empty(diagnosticStorageAccountId) && empty(workspaceId) && empty(eventHubAuthorizationRuleId) && empty(eventHubName)) ? json('null') : diagnosticsLogsPublicIp)
+  }
+}
+
+resource azureFirewall 'Microsoft.Network/azureFirewalls@2021-02-01' = {
+  name: azureFirewallName
+  location: location
+  zones: ((length(availabilityZones) == 0) ? json('null') : availabilityZones)
+  tags: tags
+  properties: {
+    threatIntelMode: 'Deny'
+    ipConfigurations: [
+      {
+        name: 'IpConf'
+        properties: {
+          subnet: {
+            id: azureFirewallSubnetId
+          }
+          publicIPAddress: {
+            id: azureFirewallPipId
+          }
+        }
+      }
+    ]
+    sku: {
+      name: azureSkuName
+      tier: azureSkuTier
+    }
+    additionalProperties: {
+      'Network.DNS.EnableProxy': string(enableDnsProxy)
+    }
+    applicationRuleCollections: applicationRuleCollections
+    natRuleCollections: natRuleCollections
+    networkRuleCollections: networkRuleCollections
+  }
+}
+
+resource azureFirewall_lock 'Microsoft.Authorization/locks@2016-09-01' = if (lockForDeletion) {
+  name: '${azureFirewall.name}-doNotDelete'
+  properties: {
+    level: 'CanNotDelete'
+  }
+}
+
+resource azureFirewall_diagnosticSettings 'Microsoft.Insights/diagnosticsettings@2017-05-01-preview' = if ((!empty(diagnosticStorageAccountId)) || (!empty(workspaceId)) || (!empty(eventHubAuthorizationRuleId)) || (!empty(eventHubName))) {
+  name: '${azureFirewall.name}-diagnosticSettings'
+  properties: {
+    storageAccountId: (empty(diagnosticStorageAccountId) ? json('null') : diagnosticStorageAccountId)
+    workspaceId: (empty(workspaceId) ? json('null') : workspaceId)
+    eventHubAuthorizationRuleId: (empty(eventHubAuthorizationRuleId) ? json('null') : eventHubAuthorizationRuleId)
+    eventHubName: (empty(eventHubName) ? json('null') : eventHubName)
+    metrics: ((empty(diagnosticStorageAccountId) && empty(workspaceId) && empty(eventHubAuthorizationRuleId) && empty(eventHubName)) ? json('null') : diagnosticsMetrics)
+    logs: ((empty(diagnosticStorageAccountId) && empty(workspaceId) && empty(eventHubAuthorizationRuleId) && empty(eventHubName)) ? json('null') : diagnosticsLogsAzureFirewall)
+  }
+}
+
+module rbac_name './.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: {
+  name: 'rbac-${deployment().name}${index}'
+  params: {
+    roleAssignmentObj: roleAssignment
+    builtInRoleNames: builtInRoleNames
+    resourceName: azureFirewall.name
+  }
+}]
+
+output azureFirewallResourceId string = azureFirewall.id
+output azureFirewallName string = azureFirewall.name
+output azureFirewallResourceGroup string = resourceGroup().name
+output azureFirewallPrivateIp string = azureFirewall.properties.ipConfigurations[0].properties.privateIPAddress
+output azureFirewallPublicIp string = azureFirewallPip.properties.ipAddress
+output applicationRuleCollections array = applicationRuleCollections
+output networkRuleCollections array = networkRuleCollections
+output natRuleCollections array = natRuleCollections