From 8a18990fb8d8072cfbb10b335f108cb468919cd7 Mon Sep 17 00:00:00 2001
From: clouddrove-ci
Date: Tue, 10 Jan 2023 10:44:34 +0000
Subject: [PATCH] update README.md

---
 README.md | 230 +++++++++++++++++++----------------------------------
 1 file changed, 80 insertions(+), 150 deletions(-)

diff --git a/README.md b/README.md
index f9ad8f5..d6eacca 100644
--- a/README.md
+++ b/README.md
@@ -4,11 +4,11 @@

- Terraform AZURE FIREWALL
+ Terraform AZURE STORAGE

- Terraform module to create firewall resource on AZURE.
+ Terraform module to create storage resource on AZURE.

@@ -24,13 +24,13 @@

- + - + - + 
@@ -65,144 +65,65 @@ This module has a few dependencies: ## Examples -**IMPORTANT:** Since the `master` branch used in `source` varies based on new modifications, we suggest that you use the release versions [here](https://github.com/clouddrove/terraform-azure-firewall/releases). +**IMPORTANT:** Since the `master` branch used in `source` varies based on new modifications, we suggest that you use the release versions [here](https://github.com/clouddrove/terraform-azure-storage/releases). ### Simple Example Here is an example of how you can use this module in your inventory structure: ```hcl - module "firewall" { - depends_on = [module.name_specific_subnet] - source = "clouddrove/firewall/azure" - name = "app" - environment = "test" - label_order = ["name", "environment"] - resource_group_name = module.resource_group.resource_group_name - location = module.resource_group.resource_group_location - subnet_id = module.name_specific_subnet.specific_subnet_id[0] - public_ip_names = ["vpn_test", "vnet_test"] - - # additional_public_ips = [{ - # name = "public-ip_name", - # public_ip_address_id = "public-ip_resource_id" - # } ] - - - - dnat-destination_ip = false // To be true when public ip associated with firewall is known and dnat policy is to be created. 
- -application_rule_collection = [ - { - name = "example_app_policy" - priority = 200 - action = "Allow" - rules = [ + module "storage" { + depends_on = [module.resource_group] + source = "clouddrove/storage/azure" + name = "app" + environment = "test" + label_order = ["name", "environment"] + resource_group_name = module.resource_group.resource_group_name + location = module.resource_group.resource_group_location + storage_account_name = "storagestartac" + account_kind = "StorageV2" + account_tier = "Standard" + account_replication_type = "GRS" + enable_https_traffic_only = true + is_hns_enabled = true + sftp_enabled = true + + network_rules = [ { - name = "app_test" - source_addresses = ["*"] // ["X.X.X.X"] - destination_fqdns = ["*"] // ["X.X.X.X"] - protocols = [ - { - port = "443" - type = "Https" - }, - { - port = "80" - type = "Http" - } - ] + default_action = "Deny" + ip_rules = ["0.0.0.0/0"] + bypass = ["AzureServices"] } ] - } -] - -network_rule_collection = [ - { - name = "example_network_policy" - priority = "100" - action = "Allow" - rules = [ - { - name = "ssh" - protocols = ["TCP"] - source_addresses = ["*"] // ["X.X.X.X"] - destination_addresses = ["*"] // ["X.X.X.X"] - destination_ports = ["22"] - } + + ## Storage Account Threat Protection + enable_advanced_threat_protection = true + + ## Storage Container + containers_list = [ + { name = "app-test", access_type = "private" }, ] - }, - { - name = "example_network_policy-2" - priority = "101" - action = "Allow" - rules = [ - { - name = "smtp" - protocols = ["TCP"] - source_addresses = ["*"] // ["X.X.X.X"] - destination_addresses = ["*"] // ["X.X.X.X"] - destination_ports = ["587"] - } - ] - } -] - -nat_rule_collection = [ - { - name = "example_nat_policy" - priority = "101" - rules = [ - { - name = "http" - protocols = ["TCP"] - source_addresses = ["*"] // ["X.X.X.X"] - destination_ports = ["80"] - source_addresses = ["*"] - translated_port = "80" - translated_address = "X.X.X.X" - 
destination_address = "X.X.X.X" //Public ip associated with firewall - - }, - { - name = "https" - protocols = ["TCP"] - destination_ports = ["443"] - source_addresses = ["*"] - translated_port = "443" - translated_address = "X.X.X.X" - destination_address = "X.X.X.X" //Public ip associated with firewall - } + ## Storage File Share + file_shares = [ + { name = "fileshare1", quota = 5 }, ] - }, - { - name = "example_nat_policy-2" - priority = "100" - rules = [ - { - name = "http" - protocols = ["TCP"] - source_addresses = ["*"] // ["X.X.X.X"] - destination_ports = ["80"] - translated_port = "80" - translated_address = "X.X.X.X " //"10.30.0.194" - destination_address = "X.X.X.X" //Public ip associated with firewall - - }, + ## Storage Tables + tables = ["table1"] + + ## Storage Queues + queues = ["queue1"] + + management_policy = [ { - name = "https" - protocols = ["TCP"] - source_addresses = ["*"] // ["X.X.X.X"] - destination_ports = ["443"] - translated_port = "443" - translated_address = "X.X.X.X" - destination_address = "X.X.X.X" //Public ip associated with firewall + prefix_match = ["app-test/folder_path"] + tier_to_cool_after_days = 0 + tier_to_archive_after_days = 50 + delete_after_days = 100 + snapshot_delete_after_days = 30 } ] - } - ] } ``` @@ -216,40 +137,49 @@ nat_rule_collection = [ | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| additional\_public\_ips | List of additional public ips' ids to attach to the firewall. |

list(object({
name = string,
public_ip_address_id = string
}))
| `[]` | no | -| app\_policy\_collection\_group | (optional) Name of app policy group | `string` | `"DefaultApplicationRuleCollectionGroup"` | no | -| application\_rule\_collection | One or more application\_rule\_collection blocks as defined below.. | `map` | `{}` | no | -| dnat-destination\_ip | Variable to specify that you have destination ip to attach to policy or not.(Destination ip is public ip that is attached to firewall) | `bool` | `false` | no | -| dns\_servers | DNS Servers to use with Azure Firewall. Using this also activate DNS Proxy. | `list(string)` | `null` | no | +| access\_tier | Defines the access tier for BlobStorage and StorageV2 accounts. Valid options are Hot and Cool. | `string` | `"Hot"` | no | +| account\_kind | The type of storage account. Valid options are BlobStorage, BlockBlobStorage, FileStorage, Storage and StorageV2. | `string` | `"StorageV2"` | no | +| account\_replication\_type | Defines the type of replication to use for this storage account. Valid options are LRS, GRS, RAGRS, ZRS, GZRS and RAGZRS. Changing this forces a new resource to be created when types LRS, GRS and RAGRS are changed to ZRS, GZRS or RAGZRS and vice versa. | `string` | `""` | no | +| account\_tier | Defines the Tier to use for this storage account. Valid options are Standard and Premium. For BlockBlobStorage and FileStorage accounts only Premium is valid. Changing this forces a new resource to be created. | `string` | `"Standard"` | no | +| containers\_list | List of containers to create and their access levels. | `list(object({ name = string, access_type = string }))` | `[]` | no | +| enable\_advanced\_threat\_protection | Boolean flag which controls if advanced threat protection is enabled. | `bool` | `false` | no | +| enable\_https\_traffic\_only | Boolean flag which forces HTTPS if enabled, see here for more information. | `bool` | `true` | no | | enabled | Set to false to prevent the module from creating any resources. 
| `bool` | `true` | no | | environment | Environment (e.g. `prod`, `dev`, `staging`). | `string` | `""` | no | -| firewall\_private\_ip\_ranges | A list of SNAT private CIDR IP ranges, or the special string `IANAPrivateRanges`, which indicates Azure Firewall does not SNAT when the destination IP address is a private range per IANA RFC 1918. | `list(string)` | `null` | no | +| file\_shares | List of containers to create and their access levels. | `list(object({ name = string, quota = number }))` | `[]` | no | +| is\_hns\_enabled | Is Hierarchical Namespace enabled? This can be used with Azure Data Lake Storage Gen 2. Changing this forces a new resource to be created. | `bool` | `false` | no | | label\_order | Label order, e.g. sequence of application name and environment `name`,`environment`,'attribute' [`webserver`,`qa`,`devops`,`public`,] . | `list(any)` | `[]` | no | -| location | The location/region where the virtual network is created. Changing this forces a new resource to be created. | `string` | `""` | no | +| location | The location/region to keep all your network resources. To get the list of all locations with table format from azure cli, run 'az account list-locations -o table' | `string` | `"North Europe"` | no | | managedby | ManagedBy, eg ''. | `string` | `""` | no | +| management\_policy | Configure Azure Storage firewalls and virtual networks |
list(object({
prefix_match = set(string),
tier_to_cool_after_days = number,
tier_to_archive_after_days = number,
delete_after_days = number,
snapshot_delete_after_days = number
}))
| `[]` | no | +| min\_tls\_version | The minimum supported TLS version for the storage account | `string` | `"TLS1_2"` | no | | name | Name (e.g. `app` or `cluster`). | `string` | `""` | no | -| nat\_policy\_collection\_group | (optional) Name of nat policy group | `string` | `"DefaultDnatRuleCollectionGroup"` | no | -| nat\_rule\_collection | One or more nat\_rule\_collection blocks as defined below. | `map` | `{}` | no | -| net\_policy\_collection\_group | (optional) Name of network policy group | `string` | `"DefaultNetworkRuleCollectionGroup"` | no | -| network\_rule\_collection | One or more network\_rule\_collection blocks as defined below. | `map` | `{}` | no | -| public\_ip\_allocation\_method | Defines the allocation method for this IP address. Possible values are Static or Dynamic | `string` | `"Static"` | no | -| public\_ip\_names | n/a | `list(string)` | `[]` | no | -| public\_ip\_sku | The SKU of the Public IP. Accepted values are Basic and Standard. Defaults to Basic | `string` | `"Standard"` | no | +| network\_rules | List of objects that represent the configuration of each network rules. | `map` | `{}` | no | +| queues | List of storages queues | `list(string)` | `[]` | no | | repository | Terraform current module repo | `string` | `""` | no | | resource\_group\_name | A container that holds related resources for an Azure solution | `string` | `""` | no | -| sku\_name | (optional) describe your variable | `string` | `"AZFW_VNet"` | no | -| sku\_tier | Specifies the firewall sku tier | `string` | `"Standard"` | no | -| subnet\_id | Subnet ID | `string` | `""` | no | +| sftp\_enabled | Boolean, enable SFTP for the storage account | `bool` | `false` | no | +| soft\_delete\_retention | Number of retention days for soft delete. If set to null it will disable soft delete all together. | `number` | `30` | no | +| storage\_account\_name | The name of the azure storage account | `string` | `""` | no | +| tables | List of storage tables. 
| `list(string)` | `[]` | no | | tags | A map of tags to add to all resources | `map(string)` | `{}` | no | -| threat\_intel\_mode | (Optional) The operation mode for threat intelligence-based filtering. Possible values are: Off, Alert, Deny. Defaults to Alert. | `string` | `"Alert"` | no | ## Outputs | Name | Description | |------|-------------| -| firewall\_id | Firewall generated id | -| firewall\_name | Firewall name | -| private\_ip\_address | Firewall private IP | +| containers | Map of containers. | +| file\_shares | Map of Storage SMB file shares. | +| queues | Map of Storage SMB file shares. | +| storage\_account\_id | The ID of the storage account. | +| storage\_account\_name | The name of the storage account. | +| storage\_account\_primary\_location | The primary location of the storage account | +| storage\_account\_primary\_web\_endpoint | The endpoint URL for web storage in the primary location. | +| storage\_account\_primary\_web\_host | The hostname with port if applicable for web storage in the primary location. | +| storage\_primary\_access\_key | The primary access key for the storage account | +| storage\_primary\_connection\_string | The primary connection string for the storage account | +| storage\_secondary\_access\_key | The primary access key for the storage account. | +| tables | Map of Storage SMB file shares. | 
@@ -265,9 +195,9 @@ You need to run the following command in the testing folder:
 ## Feedback
-If you come accross a bug or have any feedback, please log it in our [issue tracker](https://github.com/clouddrove/terraform-azure-firewall/issues), or feel free to drop us an email at [hello@clouddrove.com](mailto:hello@clouddrove.com).
+If you come accross a bug or have any feedback, please log it in our [issue tracker](https://github.com/clouddrove/terraform-azure-storage/issues), or feel free to drop us an email at [hello@clouddrove.com](mailto:hello@clouddrove.com).
-If you have found it worth your time, go ahead and give us a ★ on [our GitHub](https://github.com/clouddrove/terraform-azure-firewall)!
+If you have found it worth your time, go ahead and give us a ★ on [our GitHub](https://github.com/clouddrove/terraform-azure-storage)!
 ## About us