Azure · nachoalonsoportillo · Feb 14, 2023 · Feb 13, 2023 · Feb 13, 2023 · Feb 14, 2023
diff --git a/.github/workflows/firewall.yml b/.github/workflows/firewall.yml
@@ -0,0 +1,77 @@
+name: Module:firewall
+on:
+  workflow_dispatch:
+  pull_request:
+    branches:
+      - main  
+    paths:
+      - '.github/workflows/firewall.yml'
+      - 'terraform/firewall/**'
+      - '.github/actions/**'
+
+env:
+  terraform_workingdir: "terraform/firewall"  
+  GH_TOKEN: ${{ secrets.GH_TOKEN }}
+  ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }}
+  ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
+  ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }}
+  ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }}
+
+jobs:     
+  terraform-lint:
+    name: Run Terraform lint
+    runs-on: ubuntu-latest
+    defaults:
+         run:
+          working-directory: "${{ env.terraform_workingdir }}"
+
+    steps:
+    - uses: actions/checkout@v3
+    - uses: hashicorp/setup-terraform@v2
+
+    - name: Terraform fmt
+      id: fmt
+      run: terraform fmt -check
+      continue-on-error: false
+
+  terraform-sec:
+    name: Run Terraform tfsec
+    needs: 
+      - terraform-lint
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Check out code
+      uses: actions/checkout@v3
+
+    - name: Run tfsec with reviewdog output on the PR
+      uses: ./.github/actions/run-terraform-sec
+
+  terratest:
+    name: Run Terratest
+    needs: 
+      - terraform-sec
+    runs-on: ubuntu-latest
+
+    defaults:
+          run:
+            working-directory: "${{ env.terraform_workingdir }}/test"
+
+    steps:
+    - name: Check out code
+      uses: actions/checkout@v3
+
+    - name: Set up Go
+      uses: actions/setup-go@v2
+      with:
+          go-version: 1.18.2
+
+    - name: Setup Dependencies
+      run:  go mod init test && go mod tidy
+      env:
+        GOPATH: "/home/runner/work/azure-labs-modules/azure-labs-modules/${{ env.terraform_workingdir }}"
+
+    - name: Unit-test
+      run: go test -v -timeout 45m
+      env:
+        GOPATH: "/home/runner/work/azure-labs-modules/azure-labs-modules/${{ env.terraform_workingdir }}"
diff --git a/terraform/firewall/main.tf b/terraform/firewall/main.tf
@@ -0,0 +1,105 @@
+# https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/firewall
+
+resource "azurerm_firewall" "adl_afw" {
+  name                = "afw-${var.basename}"
+  location            = var.location
+  resource_group_name = var.rg_name
+  sku_name            = var.sku_name
+  sku_tier            = var.sku_tier
+  zones               = var.zones
+  threat_intel_mode   = var.threat_intel_mode
+  firewall_policy_id  = azurerm_firewall_policy.adl_afw_afwp[0].id
+  dynamic "ip_configuration" {
+    iterator = pip
+    for_each = var.sku_name != "AZFW_Hub" ? azurerm_public_ip.adl_afw_pip_config : []
+    content {
+      name                 = lower("fw_ip_config_${pip.value.name}")
+      subnet_id            = contains([pip.value.name], "pip-${var.basename}-1") ? var.subnet_id : null
+      public_ip_address_id = pip.value.id
+    }
+  }
+  dynamic "management_ip_configuration" {
+    for_each = var.management_subnet_id != null ? [1] : []
+    content {
+      name                 = lower("fw_ip_management_${azurerm_public_ip.adl_afw_pip_mngmt[0].name}")
+      subnet_id            = var.management_subnet_id != null ? var.management_subnet_id : null
+      public_ip_address_id = azurerm_public_ip.adl_afw_pip_mngmt[0].id
+    }
+  }
+  # dynamic "virtual_hub" {
+  #   for_each = var.sku_name == "AZFW_Hub" ? [1] : []
+  #   content {
+  #     virtual_hub_id  = azurerm_virtual_hub.adl_afw_vhub[0].id
+  #     public_ip_count = var.pip_count
+  #   }
+  # }
+  tags = var.tags
+
+  count = var.module_enabled ? 1 : 0
+}
+
+# Public IP for the firewall
+
+resource "azurerm_public_ip" "adl_afw_pip_config" {
+  count               = var.sku_name != "AZFW_Hub" && var.module_enabled ? var.public_ip_count : 0
+  name                = "pip-${var.basename}-${count.index + 1}"
+  location            = var.location
+  resource_group_name = var.rg_name
+  zones               = var.zones
+  allocation_method   = var.pip_allocation_method
+  sku                 = var.pip_sku
+
+  tags = var.tags
+}
+
+resource "azurerm_public_ip" "adl_afw_pip_mngmt" {
+  count               = var.sku_name != "AZFW_Hub" && var.module_enabled ? 1 : 0
+  name                = "pip-${var.basename}-mngmt"
+  location            = var.location
+  resource_group_name = var.rg_name
+  zones               = var.zones
+  allocation_method   = var.pip_allocation_method
+  sku                 = var.pip_sku
+
+  tags = var.tags
+}
+
+# Firewall policy
+
+resource "azurerm_firewall_policy" "adl_afw_afwp" {
+  name                = "afwp-${var.basename}"
+  resource_group_name = var.rg_name
+  location            = var.location
+  sku                 = var.sku_policy
+
+  dynamic "dns" {
+    for_each = var.proxy_enabled != false ? [1] : []
+    content {
+      proxy_enabled = true
+      servers       = var.dns_servers != null ? var.dns_servers : null
+    }
+  }
+  tags = var.tags
+
+  count = var.module_enabled ? 1 : 0
+}
+
+# # Virtual Hub
+
+# resource "azurerm_virtual_wan" "adl_afw_vwan" {
+#   name                = "vwan-${var.basename}"
+#   resource_group_name = var.rg_name
+#   location            = var.location
+
+#   count = var.sku_name == "AZFW_Hub" && var.module_enabled ? 1 : 0
+# }
+
+# resource "azurerm_virtual_hub" "adl_afw_vhub" {
+#   name                = "vhub-${var.basename}"
+#   resource_group_name = var.rg_name
+#   location            = var.location
+#   virtual_wan_id      = azurerm_virtual_wan.adl_afw_vwan[0].id
+#   address_prefix      = "10.0.1.0/24"
+
+#   count = var.sku_name == "AZFW_Hub" && var.module_enabled ? 1 : 0
+# }
diff --git a/terraform/firewall/outputs.tf b/terraform/firewall/outputs.tf
@@ -0,0 +1,20 @@
+output "id" {
+  value = (
+    length(azurerm_firewall.adl_afw) > 0 ?
+    azurerm_firewall.adl_afw[0].id : ""
+  )
+}
+
+output "name" {
+  value = (
+    length(azurerm_firewall.adl_afw) > 0 ?
+    azurerm_firewall.adl_afw[0].name : ""
+  )
+}
+
+output "resource_group_name" {
+  value = (
+    length(azurerm_firewall.adl_afw) > 0 ?
+    azurerm_firewall.adl_afw[0].resource_group_name : ""
+  )
+}
diff --git a/terraform/firewall/test/firewall.tf b/terraform/firewall/test/firewall.tf
@@ -0,0 +1,51 @@
+module "firewall" {
+  source = "../"
+
+  basename = random_string.postfix.result
+  rg_name  = module.local_rg.name
+  location = var.location
+
+  subnet_id            = module.local_snet_default.id
+  management_subnet_id = module.local_snet_mngmt.id
+
+  tags = {}
+}
+
+# Modules dependencies
+
+module "local_rg" {
+  source = "../../resource-group"
+
+  basename = random_string.postfix.result
+  location = var.location
+
+  tags = local.tags
+}
+
+module "local_vnet" {
+  source = "../../virtual-network"
+
+  rg_name  = module.local_rg.name
+  basename = random_string.postfix.result
+  location = var.location
+
+  address_space = ["10.0.0.0/16"]
+}
+
+module "local_snet_default" {
+  source = "../../subnet"
+
+  rg_name          = module.local_rg.name
+  name             = "AzureFirewallSubnet"
+  vnet_name        = module.local_vnet.name
+  address_prefixes = ["10.0.6.0/24"]
+}
+
+module "local_snet_mngmt" {
+  source = "../../subnet"
+
+  rg_name          = module.local_rg.name
+  name             = "AzureFirewallManagementSubnet"
+  vnet_name        = module.local_vnet.name
+  address_prefixes = ["10.0.5.0/24"]
+}
diff --git a/terraform/firewall/test/locals.tf b/terraform/firewall/test/locals.tf
@@ -0,0 +1,7 @@
+locals {
+  tags = {
+    Project = "Azure/azure-data-labs-modules"
+    Module  = "firewall"
+    Toolkit = "Terraform"
+  }
+}
diff --git a/terraform/firewall/test/outputs.tf b/terraform/firewall/test/outputs.tf
@@ -0,0 +1,11 @@
+output "id" {
+  value = module.firewall.id
+}
+
+output "name" {
+  value = module.firewall.name
+}
+
+output "resource_group_name" {
+  value = module.firewall.resource_group_name
+}
diff --git a/terraform/firewall/test/providers.tf b/terraform/firewall/test/providers.tf
@@ -0,0 +1,19 @@
+terraform {
+  backend "azurerm" {
+    resource_group_name  = "rg-adl-terraform-state"
+    storage_account_name = "stadlterraformstate"
+    container_name       = "default"
+    key                  = "firewall.terraform.tfstate"
+  }
+
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = "= 3.43.0"
+    }
+  }
+}
+
+provider "azurerm" {
+  features {}
+}
diff --git a/terraform/firewall/test/unit_test.go b/terraform/firewall/test/unit_test.go
@@ -0,0 +1,36 @@
+package test
+
+import (
+	"testing"
+	"github.com/gruntwork-io/terratest/modules/terraform"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestModule(t *testing.T) {
+	t.Parallel()
+
+	terraformOptions := &terraform.Options{
+		TerraformDir: "./",
+		Lock: true,
+		LockTimeout: "1800s",
+		// VarFiles: []string{"terraform_unitest.tfvars"},
+	}
+
+	// At the end of the test, run `terraform destroy` to clean up any resources that were created
+	defer terraform.Destroy(t, terraformOptions)
+
+	// Is used mainly for debugging, fail early if plan is not possible
+	terraform.InitAndPlan(t, terraformOptions)
+
+	// This will run `terraform init` and `terraform apply` and fail the test if there are any errors
+	terraform.InitAndApply(t, terraformOptions)
+
+	// Check if the outputs exist
+	assert := assert.New(t)
+	id := terraform.Output(t, terraformOptions, "id")
+	assert.NotNil(id)
+	name := terraform.Output(t, terraformOptions, "name")
+	assert.NotNil(name)
+	resource_group_name := terraform.Output(t, terraformOptions, "resource_group_name")
+	assert.NotNil(resource_group_name)
+}
diff --git a/terraform/firewall/test/variables.tf b/terraform/firewall/test/variables.tf
@@ -0,0 +1,10 @@
+resource "random_string" "postfix" {
+  length  = 8
+  special = false
+  upper   = false
+}
+
+variable "location" {
+  type    = string
+  default = "North Europe"
+}