Merge pull request #2 from bcgov/fw-dns-code-migrate

Code migration
bcgov · Aug 27, 2024 · d5f3bcc · d5f3bcc
2 parents 403b6d7 + 31bbf27
commit d5f3bcc
Show file tree

Hide file tree

Showing 34 changed files with 845 additions and 0 deletions.
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -0,0 +1,21 @@
+repos:
+- repo: https://github.com/pre-commit/pre-commit-hooks
+  rev: v4.6.0
+  hooks:
+  -   id: trailing-whitespace
+  -   id: end-of-file-fixer
+  -   id: mixed-line-ending
+  -   id: check-yaml
+  -   id: check-json
+  -   id: check-added-large-files
+  -   id: check-shebang-scripts-are-executable
+- repo: https://github.com/antonbabenko/pre-commit-terraform
+  rev: v1.92.0 # Get the latest from: https://github.com/antonbabenko/pre-commit-terraform/releases
+  hooks:
+  - id: terraform_fmt
+    args:
+    - --args=-recursive
+  - id: terraform_docs
+    args:
+      - --hook-config=--add-to-existing-file=true     # Boolean. true or false
+      - --hook-config=--create-file-if-not-exist=true # Boolean. true or false
diff --git a/azure_firewall/README.md b/azure_firewall/README.md
@@ -0,0 +1,25 @@
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+No requirements.
+
+## Providers
+
+No providers.
+
+## Modules
+
+No modules.
+
+## Resources
+
+No resources.
+
+## Inputs
+
+No inputs.
+
+## Outputs
+
+No outputs.
+<!-- END_TF_DOCS -->
diff --git a/azure_firewall/firewall_policy_rcg/README.md b/azure_firewall/firewall_policy_rcg/README.md
@@ -0,0 +1,44 @@
+# firewall_policy_rcg
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >=1.8.0, < 2.0.0 |
+| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | >=3.112.0, < 4.0.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | >=3.112.0, < 4.0.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [azurerm_firewall_policy_rule_collection_group.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/firewall_policy_rule_collection_group) | resource |
+| [azurerm_client_config.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/client_config) | data source |
+| [azurerm_firewall_policy.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/firewall_policy) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_firewall_policy_name"></a> [firewall\_policy\_name](#input\_firewall\_policy\_name) | The name of the Azure Firewall Policy. | `string` | n/a | yes |
+| <a name="input_firewall_policy_resource_group_name"></a> [firewall\_policy\_resource\_group\_name](#input\_firewall\_policy\_resource\_group\_name) | The name of the resource group in which the Azure Firewall Policy exists. | `string` | n/a | yes |
+| <a name="input_firewall_policy_rule_collection_group"></a> [firewall\_policy\_rule\_collection\_group](#input\_firewall\_policy\_rule\_collection\_group) | The Azure Firewall Policy Rule Collection Group. | <pre>list(object({<br>    name     = string<br>    priority = number<br><br>    application_rule_collection = optional(list(object({<br>      name     = string<br>      action   = string<br>      priority = number<br>      rule = list(object({<br>        name        = string<br>        description = optional(string)<br>        protocols = optional(list(object({<br>          type = string<br>          port = number<br>        })))<br>        http_headers = optional(list(object({<br>          name  = string<br>          value = string<br>        })))<br>        source_addresses      = optional(list(string))<br>        source_ip_groups      = optional(list(string))<br>        destination_addresses = optional(list(string))<br>        destination_urls      = optional(list(string))<br>        destination_fqdns     = optional(list(string))<br>        destination_fqdn_tags = optional(list(string))<br>        terminate_tls         = optional(bool)<br>        web_categories        = optional(list(string))<br>      }))<br>    })))<br><br>    network_rule_collection = optional(list(object({<br>      name     = string<br>      action   = string<br>      priority = number<br><br>      rule = list(object({<br>        name                  = string<br>        description           = optional(string)<br>        protocols             = optional(list(string))<br>        destination_ports     = list(string)<br>        source_addresses      = optional(list(string))<br>        source_ip_groups      = optional(list(string))<br>        destination_addresses = optional(list(string))<br>        destination_ip_groups = optional(list(string))<br>        destination_fqdns     = optional(list(string))<br>      }))<br>    })))<br><br>    nat_rule_collection = optional(list(object({<br>      name     = string<br>      action   = string<br>      priority = number<br><br>      rule = object({<br>        name                = string<br>        description         = optional(string)<br>        protocols           = list(string)<br>        source_addresses    = optional(list(string))<br>        source_ip_groups    = optional(list(string))<br>        destination_address = optional(string)<br>        destination_ports   = optional(list(string))<br>        translated_address  = optional(string)<br>        translated_fqdn     = optional(string)<br>        translated_port     = string<br>      })<br>    })))<br>  }))</pre> | `[]` | no |
+| <a name="input_subscription_id_connectivity"></a> [subscription\_id\_connectivity](#input\_subscription\_id\_connectivity) | Subscription ID to use for "connectivity" resources. | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_firewall_policy_id"></a> [firewall\_policy\_id](#output\_firewall\_policy\_id) | n/a |
+| <a name="output_firewall_policy_rule_collection_group"></a> [firewall\_policy\_rule\_collection\_group](#output\_firewall\_policy\_rule\_collection\_group) | n/a |
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
diff --git a/azure_firewall/firewall_policy_rcg/data.tf b/azure_firewall/firewall_policy_rcg/data.tf
@@ -0,0 +1,7 @@
+# Get the current client configuration from the AzureRM provider
+data "azurerm_client_config" "current" {}
+
+data "azurerm_firewall_policy" "this" {
+  name                = var.firewall_policy_name
+  resource_group_name = var.firewall_policy_resource_group_name
+}
diff --git a/azure_firewall/firewall_policy_rcg/locals.tf b/azure_firewall/firewall_policy_rcg/locals.tf
diff --git a/azure_firewall/firewall_policy_rcg/main.tf b/azure_firewall/firewall_policy_rcg/main.tf
@@ -0,0 +1,110 @@
+resource "azurerm_firewall_policy_rule_collection_group" "this" {
+  for_each = {
+    for group in var.firewall_policy_rule_collection_group : group.name => group
+  }
+
+  name               = each.value.name
+  firewall_policy_id = data.azurerm_firewall_policy.this.id
+  priority           = each.value.priority
+
+  dynamic "application_rule_collection" {
+    for_each = each.value.application_rule_collection != null ? {
+      for application_rule_collection in each.value.application_rule_collection : application_rule_collection.name => application_rule_collection
+    } : {}
+
+    content {
+      name     = application_rule_collection.value.name
+      action   = application_rule_collection.value.action
+      priority = application_rule_collection.value.priority
+
+      dynamic "rule" {
+        for_each = application_rule_collection.value.rule
+
+        content {
+          name        = each.value.name
+          description = lookup(rule.value, "description", null)
+
+          dynamic "protocols" {
+            for_each = rule.value.protocols
+
+            content {
+              type = lookup(protocols.value, "type", "Https")
+              port = lookup(protocols.value, "port", 0)
+            }
+          }
+
+          dynamic "http_headers" {
+            for_each = rule.value.http_headers != null ? [rule.value.http_headers] : []
+
+            content {
+              name  = lookup(http_headers.value, "name", null)
+              value = lookup(http_headers.value, "value", null)
+            }
+          }
+
+          source_addresses      = lookup(rule.value, "source_addresses", null)
+          source_ip_groups      = lookup(rule.value, "source_ip_groups", null)
+          destination_addresses = lookup(rule.value, "destination_addresses", null)
+          destination_urls      = lookup(rule.value, "destination_urls", null)
+          destination_fqdns     = lookup(rule.value, "destination_fqdns", null)
+          destination_fqdn_tags = lookup(rule.value, "destination_fqdn_tags", null)
+          terminate_tls         = lookup(rule.value, "terminate_tls", null)
+          web_categories        = lookup(rule.value, "web_categories", null)
+        }
+      }
+    }
+  }
+
+  dynamic "network_rule_collection" {
+    for_each = each.value.network_rule_collection != null ? {
+      for network_rule_collection in each.value.network_rule_collection : network_rule_collection.name => network_rule_collection
+    } : {}
+
+    content {
+      name     = lookup(network_rule_collection.value, "name")
+      action   = lookup(network_rule_collection.value, "action", "Deny")
+      priority = lookup(network_rule_collection.value, "priority", 100)
+
+      dynamic "rule" {
+        for_each = network_rule_collection.value.rule
+
+        content {
+          name                  = lookup(rule.value, "name")
+          description           = lookup(rule.value, "description", null)
+          protocols             = lookup(rule.value, "protocols", ["Any"])
+          destination_ports     = lookup(rule.value, "destination_ports", ["*"])
+          source_addresses      = lookup(rule.value, "source_addresses", [])
+          source_ip_groups      = lookup(rule.value, "source_ip_groups", [])
+          destination_addresses = lookup(rule.value, "destination_addresses", [])
+          destination_ip_groups = lookup(rule.value, "destination_ip_groups", [])
+          destination_fqdns     = lookup(rule.value, "destination_fqdns", [])
+        }
+      }
+    }
+  }
+
+  dynamic "nat_rule_collection" {
+    for_each = each.value.nat_rule_collection != null ? {
+      for nat_rule_collection in each.value.nat_rule_collection : nat_rule_collection.name => nat_rule_collection
+    } : {}
+
+    content {
+      name     = nat_rule_collection.value.name
+      action   = nat_rule_collection.value.action
+      priority = nat_rule_collection.value.priority
+
+      rule {
+        name                = nat_rule_collection.value.rule.name
+        description         = nat_rule_collection.value.rule.description
+        protocols           = nat_rule_collection.value.rule.protocols
+        source_addresses    = nat_rule_collection.value.rule.source_addresses
+        source_ip_groups    = nat_rule_collection.value.rule.source_ip_groups
+        destination_address = nat_rule_collection.value.rule.destination_address
+        destination_ports   = nat_rule_collection.value.rule.destination_ports
+        translated_address  = nat_rule_collection.value.rule.translated_address
+        translated_fqdn     = nat_rule_collection.value.rule.translated_fqdn
+        translated_port     = nat_rule_collection.value.rule.translated_port
+      }
+    }
+  }
+}
diff --git a/azure_firewall/firewall_policy_rcg/outputs.tf b/azure_firewall/firewall_policy_rcg/outputs.tf
@@ -0,0 +1,59 @@
+output "firewall_policy_id" {
+  value = data.azurerm_firewall_policy.this.id
+}
+
+output "firewall_policy_rule_collection_group" {
+  value = {
+    for idx, group in azurerm_firewall_policy_rule_collection_group.this : idx => {
+      name     = group.name
+      priority = group.priority
+
+      application_rule_collection = [
+        for arc in group.application_rule_collection : {
+          name     = arc.name
+          action   = arc.action
+          priority = arc.priority
+
+          rule = [
+            for r in arc.rule : {
+              name                  = r.name
+              description           = r.description
+              protocols             = r.protocols
+              http_headers          = r.http_headers
+              source_addresses      = r.source_addresses
+              source_ip_groups      = r.source_ip_groups
+              destination_addresses = r.destination_addresses
+              destination_urls      = r.destination_urls
+              destination_fqdns     = r.destination_fqdns
+              destination_fqdn_tags = r.destination_fqdn_tags
+              terminate_tls         = r.terminate_tls
+              web_categories        = r.web_categories
+            }
+          ]
+        }
+      ]
+
+      network_rule_collection = [
+        for nrc in group.network_rule_collection : {
+          name     = nrc.name
+          action   = nrc.action
+          priority = nrc.priority
+
+          rule = [
+            for r in nrc.rule : {
+              name                  = r.name
+              description           = r.description
+              protocols             = r.protocols
+              destination_ports     = r.destination_ports
+              source_addresses      = r.source_addresses
+              source_ip_groups      = r.source_ip_groups
+              destination_addresses = r.destination_addresses
+              destination_ip_groups = r.destination_ip_groups
+              destination_fqdns     = r.destination_fqdns
+            }
+          ]
+        }
+      ]
+    }
+  }
+}
diff --git a/azure_firewall/firewall_policy_rcg/provider.tf b/azure_firewall/firewall_policy_rcg/provider.tf
@@ -0,0 +1,17 @@
+terraform {
+  required_version = ">=1.8.0, < 2.0.0"
+
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = ">=3.112.0, < 4.0.0"
+    }
+  }
+}
+
+provider "azurerm" {
+  use_oidc = true
+  features {}
+
+  subscription_id = var.subscription_id_connectivity
+}
diff --git a/azure_firewall/firewall_policy_rcg/variables-firewall-policy.tf b/azure_firewall/firewall_policy_rcg/variables-firewall-policy.tf
@@ -0,0 +1,9 @@
+variable "firewall_policy_name" {
+  description = "The name of the Azure Firewall Policy."
+  type        = string
+}
+
+variable "firewall_policy_resource_group_name" {
+  description = "The name of the resource group in which the Azure Firewall Policy exists."
+  type        = string
+}
diff --git a/azure_firewall/firewall_policy_rcg/variables-fwpolicy-rcg.tf b/azure_firewall/firewall_policy_rcg/variables-fwpolicy-rcg.tf
@@ -0,0 +1,72 @@
+# Firewall Policy Rule Collection Group
+variable "firewall_policy_rule_collection_group" {
+  description = "The Azure Firewall Policy Rule Collection Group."
+  type = list(object({
+    name     = string
+    priority = number
+
+    application_rule_collection = optional(list(object({
+      name     = string
+      action   = string
+      priority = number
+      rule = list(object({
+        name        = string
+        description = optional(string)
+        protocols = optional(list(object({
+          type = string
+          port = number
+        })))
+        http_headers = optional(list(object({
+          name  = string
+          value = string
+        })))
+        source_addresses      = optional(list(string))
+        source_ip_groups      = optional(list(string))
+        destination_addresses = optional(list(string))
+        destination_urls      = optional(list(string))
+        destination_fqdns     = optional(list(string))
+        destination_fqdn_tags = optional(list(string))
+        terminate_tls         = optional(bool)
+        web_categories        = optional(list(string))
+      }))
+    })))
+
+    network_rule_collection = optional(list(object({
+      name     = string
+      action   = string
+      priority = number
+
+      rule = list(object({
+        name                  = string
+        description           = optional(string)
+        protocols             = optional(list(string))
+        destination_ports     = list(string)
+        source_addresses      = optional(list(string))
+        source_ip_groups      = optional(list(string))
+        destination_addresses = optional(list(string))
+        destination_ip_groups = optional(list(string))
+        destination_fqdns     = optional(list(string))
+      }))
+    })))
+
+    nat_rule_collection = optional(list(object({
+      name     = string
+      action   = string
+      priority = number
+
+      rule = object({
+        name                = string
+        description         = optional(string)
+        protocols           = list(string)
+        source_addresses    = optional(list(string))
+        source_ip_groups    = optional(list(string))
+        destination_address = optional(string)
+        destination_ports   = optional(list(string))
+        translated_address  = optional(string)
+        translated_fqdn     = optional(string)
+        translated_port     = string
+      })
+    })))
+  }))
+  default = []
+}
diff --git a/azure_firewall/firewall_policy_rcg/variables.tf b/azure_firewall/firewall_policy_rcg/variables.tf
@@ -0,0 +1,4 @@
+variable "subscription_id_connectivity" {
+  type        = string
+  description = "Subscription ID to use for \"connectivity\" resources."
+}