From a75d8c2194682c6b36c7f5ce59d0ebbbe11c9c93 Mon Sep 17 00:00:00 2001 From: Rainer Halanek Date: Thu, 2 Dec 2021 14:00:10 +0100 Subject: [PATCH 01/24] add Azure firewall policy ID --- arm/Microsoft.Network/azureFirewalls/deploy.bicep | 8 +++++++- arm/Microsoft.Network/azureFirewalls/readme.md | 5 +++-- 2 files changed, 10 insertions(+), 3 deletions(-) diff --git a/arm/Microsoft.Network/azureFirewalls/deploy.bicep b/arm/Microsoft.Network/azureFirewalls/deploy.bicep index 1ad0af286c..42cf1e9969 100644 --- a/arm/Microsoft.Network/azureFirewalls/deploy.bicep +++ b/arm/Microsoft.Network/azureFirewalls/deploy.bicep @@ -56,6 +56,9 @@ param eventHubName string = '' @description('Optional. Location for all resources.') param location string = resourceGroup().location +@description('Optional. Resource ID of an existing firewall policy.') +param firewallPolicyIResourceId string = '' + @description('Optional. Zone numbers e.g. 1,2,3.') param availabilityZones array = [ '1' @@ -188,7 +191,7 @@ resource azureFirewallPip_diagnosticSettings 'Microsoft.Insights/diagnosticSetti scope: azureFirewallPip } -resource azureFirewall 'Microsoft.Network/azureFirewalls@2021-02-01' = { +resource azureFirewall 'Microsoft.Network/azureFirewalls@2021-03-01' = { name: name location: location zones: length(availabilityZones) == 0 ? null : availabilityZones @@ -215,6 +218,9 @@ resource azureFirewall 'Microsoft.Network/azureFirewalls@2021-02-01' = { additionalProperties: { 'Network.DNS.EnableProxy': string(enableDnsProxy) } + firewallPolicy: { + id: empty(firewallPolicyIResourceId) ? null : firewallPolicyIResourceId + } applicationRuleCollections: applicationRuleCollections natRuleCollections: natRuleCollections networkRuleCollections: networkRuleCollections diff --git a/arm/Microsoft.Network/azureFirewalls/readme.md b/arm/Microsoft.Network/azureFirewalls/readme.md index 1fe1d6a437..28c89daa31 100644 --- a/arm/Microsoft.Network/azureFirewalls/readme.md 
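Review bot: Attaching a policy leaves the classic `applicationRuleCollections`, `natRuleCollections` and `networkRuleCollections` properties populated in the third hunk, and as far as I know the service rejects a firewall that carries both a policy and classic rule collections. Gate them on the policy, e.g. `applicationRuleCollections: empty(firewallPolicyIResourceId) ? applicationRuleCollections : null`, and the same for the other two. The new parameter name `firewallPolicyIResourceId` carries a stray `I` (presumably `firewallPolicyResourceId`); renaming it before the module is consumed avoids a breaking change later, and the readme row in the next file would follow. `firewallPolicy: { id: null }` is still sent when no policy is given; `firewallPolicy: empty(firewallPolicyIResourceId) ? null : { id: firewallPolicyIResourceId }` omits the property entirely when unused.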
+++ b/arm/Microsoft.Network/azureFirewalls/readme.md @@ -9,7 +9,7 @@ This module deploys a firewall. | `Microsoft.Authorization/locks` | 2016-09-01 | | `Microsoft.Authorization/roleAssignments` | 2020-04-01-preview | | `Microsoft.Insights/diagnosticSettings` | 2017-05-01-preview | -| `Microsoft.Network/azureFirewalls` | 2021-02-01 | +| `Microsoft.Network/azureFirewalls` | 2021-03-01 | | `Microsoft.Network/publicIPAddresses` | 2021-02-01 | ## Parameters @@ -28,6 +28,7 @@ This module deploys a firewall. | `eventHubAuthorizationRuleId` | string | | | Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | | `eventHubName` | string | | | Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | | `firewallLogsToEnable` | array | `[AzureFirewallApplicationRule, AzureFirewallNetworkRule, AzureFirewallDnsProxy]` | `[AzureFirewallApplicationRule, AzureFirewallNetworkRule, AzureFirewallDnsProxy]` | Optional. The name of firewall logs that will be streamed. | +| `firewallPolicyIResourceId` | string | | | Optional. Resource ID of an existing firewall policy. | | `location` | string | `[resourceGroup().location]` | | Optional. Location for all resources. | | `lock` | string | `NotSpecified` | `[CanNotDelete, NotSpecified, ReadOnly]` | Optional. Specify the type of lock. | | `metricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | Optional. The name of metrics that will be streamed. | 
@@ -103,5 +104,5 @@ The `networkRuleCollections` parameter accepts a JSON Array of AzureFirewallNetw - [Locks](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2016-09-01/locks) - [Roleassignments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-04-01-preview/roleAssignments) - [Diagnosticsettings](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Insights/2017-05-01-preview/diagnosticSettings) -- [Azurefirewalls](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-02-01/azureFirewalls) +- [Azurefirewalls](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-03-01/azureFirewalls) - [Publicipaddresses](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-02-01/publicIPAddresses) From c330790d4e2710738342bca8737a1350e04daa6d Mon Sep 17 00:00:00 2001 
From: Rainer Halanek Date: Fri, 3 Dec 2021 09:19:01 +0100 Subject: [PATCH 02/24] adding firewall policy --- .../azureFirewalls/deploy.bicep | 2 +- .../.bicep/nested_cuaId.bicep | 1 + .../firewallPolicies/deploy.bicep | 145 ++++++++++++++++++ .../.bicep/nested_cuaId.bicep | 1 + .../ruleCollectionGroups/deploy.bicep | 41 +++++ .../ruleCollectionGroups/readme.md | 46 ++++++ .../ruleGroups/.bicep/nested_cuaId.bicep | 1 + .../firewallPolicies/ruleGroups/deploy.bicep | 41 +++++ .../firewallPolicies/ruleGroups/readme.md | 46 ++++++ .../queueServices/queues/deploy.bicep | 4 +- .../queueServices/queues/readme.md | 4 +- 11 files changed, 327 insertions(+), 5 deletions(-) create mode 100644 arm/Microsoft.Network/firewallPolicies/.bicep/nested_cuaId.bicep create mode 100644 arm/Microsoft.Network/firewallPolicies/deploy.bicep create mode 100644 arm/Microsoft.Network/firewallPolicies/ruleCollectionGroups/.bicep/nested_cuaId.bicep create mode 100644 arm/Microsoft.Network/firewallPolicies/ruleCollectionGroups/deploy.bicep create mode 100644 arm/Microsoft.Network/firewallPolicies/ruleCollectionGroups/readme.md create mode 100644 arm/Microsoft.Network/firewallPolicies/ruleGroups/.bicep/nested_cuaId.bicep create mode 100644 arm/Microsoft.Network/firewallPolicies/ruleGroups/deploy.bicep create mode 100644 arm/Microsoft.Network/firewallPolicies/ruleGroups/readme.md diff --git a/arm/Microsoft.Network/azureFirewalls/deploy.bicep b/arm/Microsoft.Network/azureFirewalls/deploy.bicep index 42cf1e9969..bab988d974 100644 --- a/arm/Microsoft.Network/azureFirewalls/deploy.bicep +++ b/arm/Microsoft.Network/azureFirewalls/deploy.bicep 
@@ -77,7 +77,7 @@ param lock string = 'NotSpecified' @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'') param roleAssignments array = [] -@description('Optional. Tags of the Automation Account resource.') +@description('Optional. Tags of the Azure Firewall resource.') param tags object = {} @description('Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered') diff --git a/arm/Microsoft.Network/firewallPolicies/.bicep/nested_cuaId.bicep b/arm/Microsoft.Network/firewallPolicies/.bicep/nested_cuaId.bicep new file mode 100644 index 0000000000..8b13789179 --- /dev/null +++ b/arm/Microsoft.Network/firewallPolicies/.bicep/nested_cuaId.bicep @@ -0,0 +1 @@ + diff --git a/arm/Microsoft.Network/firewallPolicies/deploy.bicep b/arm/Microsoft.Network/firewallPolicies/deploy.bicep new file mode 100644 index 0000000000..31260c0841 --- /dev/null +++ b/arm/Microsoft.Network/firewallPolicies/deploy.bicep 
@@ -0,0 +1,145 @@ +@description('Required. Name of the Firewall Policy.') +param name string + +@description('Optional. Location for all resources.') +param location string = resourceGroup().location + +@description('Optional. Tags of the Firewall policy resource.') +param tags object = {} + +@description('Optional. Enables system assigned managed identity on the resource.') +param systemAssignedIdentity bool = false + +@description('Optional. The ID(s) to assign to the resource.') +param userAssignedIdentities object = {} + +@description('Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered') +param cuaId string = '' + +@description('Optional. Rule collection groups.') +param ruleCollectionGroups array = [] + +@description('Optional. Rule groups.') +param ruleGroups array = [] + +var identityType = systemAssignedIdentity ? (!empty(userAssignedIdentities) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(userAssignedIdentities) ? 'UserAssigned' : 'None') + +var identity = identityType != 'None' ? { + type: identityType + userAssignedIdentities: !empty(userAssignedIdentities) ? 
userAssignedIdentities : null +} : null + +module pid_cuaId '.bicep/nested_cuaId.bicep' = if (!empty(cuaId)) { + name: 'pid-${cuaId}' + params: {} +} + +resource firewallPolicy 'Microsoft.Network/firewallPolicies@2021-03-01' = { + name: name + location: location + tags: tags + identity: identity + properties: { + basePolicy: { + id: 'string' + } + dnsSettings: { + enableProxy: bool + requireProxyForNetworkRules: bool + servers: [ 'string' ] + } + explicitProxySettings: { + enableExplicitProxy: bool + httpPort: int + httpsPort: int + pacFile: 'string' + pacFilePort: int + } + insights: { + isEnabled: bool + logAnalyticsResources: { + defaultWorkspaceId: { + id: 'string' + } + workspaces: [ + { + region: 'string' + workspaceId: { + id: 'string' + } + } + ] + } + retentionDays: int + } + intrusionDetection: { + configuration: { + bypassTrafficSettings: [ + { + description: 'string' + destinationAddresses: [ 'string' ] + destinationIpGroups: [ 'string' ] + destinationPorts: [ 'string' ] + name: 'string' + protocol: 'string' + sourceAddresses: [ 'string' ] + sourceIpGroups: [ 'string' ] + } + ] + signatureOverrides: [ + { + id: 'string' + mode: 'string' + } + ] + } + mode: 'string' + } + sku: { + tier: 'string' + } + snat: { + privateRanges: [ 'string' ] + } + sql: { + allowSqlRedirect: bool + } + threatIntelMode: 'string' + threatIntelWhitelist: { + fqdns: [ 'string' ] + ipAddresses: [ 'string' ] + } + transportSecurity: { + certificateAuthority: { + keyVaultSecretId: 'string' + name: 'string' + } + } + } +} + +module ruleCollectionGroups_resource 'ruleCollectionGroups/deploy.bicep' = [for (ruleCollectionGroup, index) in ruleCollectionGroups: { + name: '${uniqueString(deployment().name, location)}-ruleCollectionGroup-${index}' + params: { + firewallPolicyName: firewallPolicy.name + name: ruleCollectionGroup.name + priority: ruleCollectionGroup.priority + ruleCollections: ruleCollectionGroup.ruleCollections + } + dependsOn: [ + firewallPolicy + ] +}] + +module 
ruleGroups_resource 'ruleGroups/deploy.bicep' = [for (ruleGroup, index) in ruleGroups: { + name: '${uniqueString(deployment().name, location)}-ruleGroup-${index}' + params: { + firewallPolicyName: firewallPolicy.name + name: ruleGroup.name + priority: ruleGroup.priority + rules: ruleGroup.rules + } + dependsOn: [ + firewallPolicy + ] +}] diff --git a/arm/Microsoft.Network/firewallPolicies/ruleCollectionGroups/.bicep/nested_cuaId.bicep b/arm/Microsoft.Network/firewallPolicies/ruleCollectionGroups/.bicep/nested_cuaId.bicep new file mode 100644 index 0000000000..8b13789179 --- /dev/null +++ b/arm/Microsoft.Network/firewallPolicies/ruleCollectionGroups/.bicep/nested_cuaId.bicep @@ -0,0 +1 @@ + diff --git a/arm/Microsoft.Network/firewallPolicies/ruleCollectionGroups/deploy.bicep b/arm/Microsoft.Network/firewallPolicies/ruleCollectionGroups/deploy.bicep new file mode 100644 index 0000000000..1a0239832f --- /dev/null +++ b/arm/Microsoft.Network/firewallPolicies/ruleCollectionGroups/deploy.bicep 
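Review bot: The `dependsOn: [ firewallPolicy ]` on both module loops is redundant, since `firewallPolicyName: firewallPolicy.name` already makes Bicep order the deployments (the linter reports this as `no-unnecessary-dependson`); the two `dependsOn` blocks can be dropped. The `properties` block is still the ARM reference skeleton (`id: 'string'`, `enableProxy: bool`, `httpPort: int`), which is not valid Bicep, so this commit on its own leaves the module uncompilable until the follow-up that replaces the placeholders with parameters. The `identity` variable is correct, but a one-line comment such as `// 'None' yields identity: null so the property is omitted` would save the next reader from re-deriving the nested ternary.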
@@ -0,0 +1,41 @@
+@description('Required. Name of the Firewall Policy.')
+param firewallPolicyName string
+
+@description('Required. The name of the rule collection group to deploy')
+param name string
+
+@description('Required. Priority of the Firewall Policy Rule Collection Group resource.')
+param priority int
+
+@description('Optional. Group of Firewall Policy rule collections.')
+param ruleCollections array = []
+
+@description('Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered')
+param cuaId string = ''
+
+resource firewallPolicy 'Microsoft.Network/firewallPolicies@2021-03-01' existing = {
+ name: firewallPolicyName
+}
+
+module pid_cuaId '.bicep/nested_cuaId.bicep' = if (!empty(cuaId)) {
+ name: 'pid-${cuaId}'
+ params: {}
+}
+
+resource ruleCollectionGroup 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2021-03-01' = {
+ name: name
+ parent: firewallPolicy
+ properties: {
+ priority: priority
+ ruleCollections: ruleCollections
+ }
+}
+
+@description('The name of the deployed rule collection group')
+output ruleCollectionGroupName string = ruleCollectionGroup.name
+
+@description('The resource ID of the deployed rule collection group')
+output ruleCollectionGroupResourceId string = ruleCollectionGroup.id
+
+@description('The resource group of the deployed rule collection group')
+output ruleCollectionGroupResourceGroup string = resourceGroup().name
diff --git a/arm/Microsoft.Network/firewallPolicies/ruleCollectionGroups/readme.md b/arm/Microsoft.Network/firewallPolicies/ruleCollectionGroups/readme.md
new file mode 100644
index 0000000000..058596d729
--- /dev/null
+++ b/arm/Microsoft.Network/firewallPolicies/ruleCollectionGroups/readme.md
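Review bot: `priority` is accepted as any int, but the service only takes rule collection group priorities in a bounded range (100–65000 per the REST reference, if I recall correctly); adding `@minValue(100)` and `@maxValue(65000)` above `param priority int` surfaces a bad value at compile time rather than at deployment. `ruleCollections` is passed through without validation, which is fine for a generic module, but its `@description` could state that each element needs `name`, `priority` and `ruleCollectionType`, the shape the readme in the next file already documents.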
@@ -0,0 +1,46 @@ +# Network Firewall Policies Rule Collection Groups `[Microsoft.Network/firewallPolicies/ruleCollectionGroups]` + +This module deploys Network Firewall Policies Rule Collection Groups. + +## Resource Types + +| Resource Type | API Version | +| :-- | :-- | +| `Microsoft.Network/firewallPolicies/ruleCollectionGroups` | 2021-03-01 | + +## Parameters + +| Parameter Name | Type | Default Value | Possible Values | Description | +| :-- | :-- | :-- | :-- | :-- | +| `cuaId` | string | | | Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered | +| `firewallPolicyName` | string | | | Required. Name of the Firewall Policy. | +| `name` | string | | | Required. The name of the rule collection group to deploy | +| `priority` | int | | | Required. Priority of the Firewall Policy Rule Collection Group resource. | +| `ruleCollections` | array | `[]` | | Optional. Group of Firewall Policy rule collections. | + +### Parameter Usage: `ruleCollections` + +For remaining properties, see [FirewallPolicyRuleCollection objects](https://docs.microsoft.com/en-us/azure/templates/microsoft.network/firewallpolicies/rulecollectiongroups?tabs=json#firewallpolicyrulecollection-objects) + +```json +"ruleCollections": [ + { + "name": "string", + "priority": "int", + "ruleCollectionType": "string" + // For remaining properties, see FirewallPolicyRuleCollection objects + } +] +``` + +## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `ruleCollectionGroupName` | string | The name of the deployed rule collection group | +| `ruleCollectionGroupResourceGroup` | string | The resource group of the deployed rule collection group | +| `ruleCollectionGroupResourceId` | string | The resource ID of the deployed rule collection group | + +## Template references + +- [Firewallpolicies/Rulecollectiongroups](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-03-01/firewallPolicies/ruleCollectionGroups) 
diff --git a/arm/Microsoft.Network/firewallPolicies/ruleGroups/.bicep/nested_cuaId.bicep b/arm/Microsoft.Network/firewallPolicies/ruleGroups/.bicep/nested_cuaId.bicep
new file mode 100644
index 0000000000..8b13789179
--- /dev/null
+++ b/arm/Microsoft.Network/firewallPolicies/ruleGroups/.bicep/nested_cuaId.bicep
@@ -0,0 +1 @@
+
diff --git a/arm/Microsoft.Network/firewallPolicies/ruleGroups/deploy.bicep b/arm/Microsoft.Network/firewallPolicies/ruleGroups/deploy.bicep
new file mode 100644
index 0000000000..0e17e529cb
--- /dev/null
+++ b/arm/Microsoft.Network/firewallPolicies/ruleGroups/deploy.bicep
@@ -0,0 +1,41 @@
+@description('Required. Name of the Firewall Policy.')
+param firewallPolicyName string
+
+@description('Required. The name of the rule group to deploy')
+param name string
+
+@description('Required. Priority of the Firewall Policy Rule Group resource.')
+param priority int
+
+@description('Optional. Group of Firewall rules.')
+param rules array = []
+
+@description('Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered')
+param cuaId string = ''
+
+resource firewallPolicy 'Microsoft.Network/firewallPolicies@2021-03-01' existing = {
+ name: firewallPolicyName
+}
+
+module pid_cuaId '.bicep/nested_cuaId.bicep' = if (!empty(cuaId)) {
+ name: 'pid-${cuaId}'
+ params: {}
+}
+
+resource ruleGroup 'Microsoft.Network/firewallPolicies/ruleGroups@2020-04-01' = {
+ name: name
+ parent: firewallPolicy
+ properties: {
+ priority: priority
+ rules: rules
+ }
+}
+
+@description('The name of the deployed rule group')
+output ruleGroupName string = ruleGroup.name
+
+@description('The resource ID of the deployed rule group')
+output ruleGroupResourceId string = ruleGroup.id
+
+@description('The resource group of the deployed rule group')
+output ruleGroupResourceGroup string = resourceGroup().name
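Review bot: `Microsoft.Network/firewallPolicies/ruleGroups@2020-04-01` is the legacy child type that `ruleCollectionGroups` superseded (it exists only up to that API version), while the parent `existing` reference here is `@2021-03-01`. A policy that mixes both child kinds is, as far as I know, not supported, so offering both modules from the same parent invites deployments that fail at the service. Either drop `ruleGroups` or note in its `@description` that it is for pre-existing policies only and must not be combined with `ruleCollectionGroups`. The same `@minValue`/`@maxValue` guard on `priority` as in the rule collection group module applies here.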
diff --git a/arm/Microsoft.Network/firewallPolicies/ruleGroups/readme.md b/arm/Microsoft.Network/firewallPolicies/ruleGroups/readme.md new file mode 100644 index 0000000000..24cdf44aa1 --- /dev/null +++ b/arm/Microsoft.Network/firewallPolicies/ruleGroups/readme.md 
@@ -0,0 +1,46 @@ +# Network Firewall Policies Rule Groups `[Microsoft.Network/firewallPolicies/ruleGroups]` + +This module deploys Network FirewallPolicies Rule Groups. + +## Resource Types + +| Resource Type | API Version | +| :-- | :-- | +| `Microsoft.Network/firewallPolicies/ruleGroups` | 2020-04-01 | + +## Parameters + +| Parameter Name | Type | Default Value | Possible Values | Description | +| :-- | :-- | :-- | :-- | :-- | +| `cuaId` | string | | | Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered | +| `firewallPolicyName` | string | | | Required. Name of the Firewall Policy. | +| `name` | string | | | Required. The name of the rule group to deploy | +| `priority` | int | | | Required. Priority of the Firewall Policy Rule Group resource. | +| `rules` | array | `[]` | | Optional. Group of Firewall rules. | + +### Parameter Usage: `rules` + +For remaining properties, see [FirewallPolicyRule objects](https://docs.microsoft.com/en-us/azure/templates/microsoft.network/2020-04-01/firewallpolicies/rulegroups?tabs=json#firewallpolicyrule-objects) + +```json +"rules": [ + { + "name": "string", + "priority": "int", + "ruleType": "string" + // For remaining properties, see FirewallPolicyRule objects + } +] +``` + +## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `ruleGroupName` | string | The name of the deployed rule group | +| `ruleGroupResourceGroup` | string | The resource group of the deployed rule group | +| `ruleGroupResourceId` | string | The resource ID of the deployed rule group | + +## Template references + +- [Firewallpolicies/Rulegroups](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2020-04-01/firewallPolicies/ruleGroups) diff --git a/arm/Microsoft.Storage/storageAccounts/queueServices/queues/deploy.bicep b/arm/Microsoft.Storage/storageAccounts/queueServices/queues/deploy.bicep index 946f15b004..0a7841ac89 100644 
--- a/arm/Microsoft.Storage/storageAccounts/queueServices/queues/deploy.bicep +++ b/arm/Microsoft.Storage/storageAccounts/queueServices/queues/deploy.bicep @@ -5,10 +5,10 @@ param storageAccountName string @description('Optional. The name of the queue service') param queueServicesName string = 'default' -@description('The name of the storage queue to deploy') +@description('Required. The name of the storage queue to deploy') param name string -@description('A name-value pair that represents queue metadata.') +@description('Required. A name-value pair that represents queue metadata.') param metadata object = {} @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or it\'s fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'') diff --git a/arm/Microsoft.Storage/storageAccounts/queueServices/queues/readme.md b/arm/Microsoft.Storage/storageAccounts/queueServices/queues/readme.md index 3104ca58c9..0664c92dc1 100644 --- a/arm/Microsoft.Storage/storageAccounts/queueServices/queues/readme.md +++ b/arm/Microsoft.Storage/storageAccounts/queueServices/queues/readme.md 
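Review bot: `metadata` keeps its default `= {}` yet its description is changed to `Required.`; a parameter with a default is optional, so the line should read `@description('Optional. A name-value pair that represents queue metadata.')`. The readme row in the next file section repeats the same label and would need the same correction. The `Required.` prefix on `name` is right, since that parameter has no default.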
@@ -14,8 +14,8 @@ This module deployes a storage account queue | Parameter Name | Type | Default Value | Possible Values | Description | | :-- | :-- | :-- | :-- | :-- | | `cuaId` | string | | | Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered | -| `metadata` | object | `{object}` | | A name-value pair that represents queue metadata. | -| `name` | string | | | The name of the storage queue to deploy | +| `metadata` | object | `{object}` | | Required. A name-value pair that represents queue metadata. | +| `name` | string | | | Required. The name of the storage queue to deploy | | `queueServicesName` | string | `default` | | Optional. The name of the queue service | | `roleAssignments` | array | `[]` | | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or it's fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | | `storageAccountName` | string | | | Required. Name of the Storage Account. | From 7d704257f20382b700a379d1c8752b50730f3e82 Mon Sep 17 00:00:00 2001 From: Rainer Halanek Date: Fri, 3 Dec 2021 10:37:49 +0100 Subject: [PATCH 03/24] update parameters --- .../firewallPolicies/deploy.bicep | 159 ++++++++++++------ 1 file changed, 112 insertions(+), 47 deletions(-) diff --git a/arm/Microsoft.Network/firewallPolicies/deploy.bicep b/arm/Microsoft.Network/firewallPolicies/deploy.bicep index 31260c0841..1b4625ed52 100644 --- a/arm/Microsoft.Network/firewallPolicies/deploy.bicep +++ b/arm/Microsoft.Network/firewallPolicies/deploy.bicep 
@@ -13,6 +13,94 @@ param systemAssignedIdentity bool = false @description('Optional. The ID(s) to assign to the resource.') param userAssignedIdentities object = {} +@description('Optional. Resource ID of the base policy.') +param basePolicyResourceId string = '' + +@description('Optional. Enable DNS Proxy on Firewalls attached to the Firewall Policy.') +param enableProxy bool = false + +@description('Optional. FQDNs in Network Rules are supported when set to true.') +param requireProxyForNetworkRules bool = false + +@description('Optional. List of Custom DNS Servers.') +param servers array = [] + +@description('Optional. When set to true, explicit proxy mode is enabled.') +param enableExplicitProxy bool = false + +@description('Optional. Port number for explicit proxy http protocol, cannot be greater than 64000.') +@maxValue(64000) +param httpPort int = 0 + +@description('Optional. Port number for explicit proxy https protocol, cannot be greater than 64000.') +@maxValue(64000) +param httpsPort int = 0 + +@description('Optional. SAS URL for PAC file.') +param pacFile string = '' + +@description('Optional. Port number for firewall to serve PAC file.') +param pacFilePort int = 0 + +@description('Optional. A flag to indicate if the insights are enabled on the policy.') +param isEnabled bool = false + +@description('Optional. Default Log Analytics Resource ID for Firewall Policy Insights.') +param defaultWorkspaceId string = '' + +@description('Optional. List of workspaces for Firewall Policy Insights.') +param workspaces array = [] + +@description('Optional. Number of days the insights should be enabled on the policy.') +param retentionDays int = 365 + +@description('Optional. List of rules for traffic to bypass.') +param bypassTrafficSettings array = [] + +@description('Optional. List of specific signatures states.') +param signatureOverrides array = [] + +@description('Optional. 
The configuring of intrusion detection.') +@allowed([ + 'Alert' + 'Deny' + 'Off' +]) +param mode string = 'Off' + +@description('Optional. Tier of Firewall Policy.') +@allowed([ + 'Premium' + 'Standard' +]) +param tier string = 'Standard' + +@description('Optional. List of private IP addresses/IP address ranges to not be SNAT.') +param privateRanges array = [] + +@description('Optional. A flag to indicate if SQL Redirect traffic filtering is enabled. Turning on the flag requires no rule using port 11000-11999.') +param allowSqlRedirect bool = false + +@description('Optional. The operation mode for Threat Intel.') +@allowed([ + 'Alert' + 'Deny' + 'Off' +]) +param threatIntelMode string = 'Off' + +@description('Optional. List of FQDNs for the ThreatIntel Allowlist.') +param fqdns array = [] + +@description('Optional. List of IP addresses for the ThreatIntel Allowlist.') +param ipAddresses array = [] + +@description('Optional. Secret Id of (base-64 encoded unencrypted pfx) Secret or Certificate object stored in KeyVault. ') +param keyVaultSecretId string = '' + +@description('Optional. Name of the CA certificate.') +param certificateName string = '' + @description('Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered') param cuaId string = '' 
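Review bot: `threatIntelMode` defaults to `'Off'`, which disables threat-intelligence filtering for every firewall attached to the policy; the service default for a new policy is `'Alert'` (if I recall correctly), so a safer default here would be `param threatIntelMode string = 'Alert'`. Several new parameter names (`mode`, `isEnabled`, `servers`, `fqdns`, `ipAddresses`, `workspaces`) are generic at module scope and hard to read in a parameter file; prefixing them (`intrusionDetectionMode`, `insightsEnabled`, `dnsServers`, `threatIntelFqdns`, ...) is cheap before the module is consumed. `@maxValue(64000)` on `httpPort`, `httpsPort` and `pacFilePort` has no matching `@minValue(0)`, so negative values pass validation only to fail at deployment.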
@@ -41,78 +129,55 @@ resource firewallPolicy 'Microsoft.Network/firewallPolicies@2021-03-01' = { identity: identity properties: { basePolicy: { - id: 'string' + id: !empty(basePolicyResourceId) ? basePolicyResourceId : null } dnsSettings: { - enableProxy: bool - requireProxyForNetworkRules: bool - servers: [ 'string' ] + enableProxy: enableProxy + requireProxyForNetworkRules: requireProxyForNetworkRules + servers: servers } explicitProxySettings: { - enableExplicitProxy: bool - httpPort: int - httpsPort: int - pacFile: 'string' - pacFilePort: int + enableExplicitProxy: enableExplicitProxy + httpPort: (httpPort > 0) ? httpPort : null + httpsPort: (httpsPort > 0) ? httpsPort : null + pacFile: !empty(pacFile) ? pacFile : null + pacFilePort: (pacFilePort > 0) ? pacFilePort : null } insights: { - isEnabled: bool + isEnabled: isEnabled logAnalyticsResources: { defaultWorkspaceId: { - id: 'string' + id: !empty(defaultWorkspaceId) ? defaultWorkspaceId : null } - workspaces: [ - { - region: 'string' - workspaceId: { - id: 'string' - } - } - ] + workspaces: !empty(workspaces) ? workspaces : null } - retentionDays: int + retentionDays: retentionDays } intrusionDetection: { configuration: { - bypassTrafficSettings: [ - { - description: 'string' - destinationAddresses: [ 'string' ] - destinationIpGroups: [ 'string' ] - destinationPorts: [ 'string' ] - name: 'string' - protocol: 'string' - sourceAddresses: [ 'string' ] - sourceIpGroups: [ 'string' ] - } - ] - signatureOverrides: [ - { - id: 'string' - mode: 'string' - } - ] + bypassTrafficSettings: !empty(bypassTrafficSettings) ? bypassTrafficSettings : null + signatureOverrides: !empty(signatureOverrides) ? signatureOverrides : null } - mode: 'string' + mode: mode } sku: { - tier: 'string' + tier: tier } snat: { - privateRanges: [ 'string' ] + privateRanges: !empty(privateRanges) ? 
privateRanges : null } sql: { - allowSqlRedirect: bool + allowSqlRedirect: allowSqlRedirect } - threatIntelMode: 'string' + threatIntelMode: threatIntelMode threatIntelWhitelist: { - fqdns: [ 'string' ] - ipAddresses: [ 'string' ] + fqdns: !empty(fqdns) ? fqdns : null + ipAddresses: !empty(ipAddresses) ? ipAddresses : null } transportSecurity: { certificateAuthority: { - keyVaultSecretId: 'string' - name: 'string' + keyVaultSecretId: !empty(keyVaultSecretId) ? keyVaultSecretId : null + name: !empty(certificateName) ? certificateName : null } } } From 15a100f51efd844057ed40abeabf418c0b04b0f0 Mon Sep 17 00:00:00 2001 From: Rainer Halanek Date: Fri, 3 Dec 2021 10:38:28 +0100 Subject: [PATCH 04/24] add readme --- .../firewallPolicies/readme.md | 94 +++++++++++++++++++ 1 file changed, 94 insertions(+) create mode 100644 arm/Microsoft.Network/firewallPolicies/readme.md diff --git a/arm/Microsoft.Network/firewallPolicies/readme.md b/arm/Microsoft.Network/firewallPolicies/readme.md new file mode 100644 index 0000000000..fff5bd2279 --- /dev/null +++ b/arm/Microsoft.Network/firewallPolicies/readme.md 
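Review bot: `basePolicy`, `defaultWorkspaceId` and `certificateAuthority` are always emitted as objects whose `id`/`name` is `null` when the parameter is empty, so e.g. `basePolicy: { id: null }` is sent to the API rather than the property being omitted; the conditional belongs on the object, `basePolicy: !empty(basePolicyResourceId) ? { id: basePolicyResourceId } : null`, and likewise for `defaultWorkspaceId`. `intrusionDetection` and `transportSecurity` are Premium-tier features, and with the default `tier = 'Standard'` they are still emitted unconditionally; I have not verified that the service rejects this, but gating those two blocks on `tier == 'Premium'` would be safer. `explicitProxySettings` is similarly sent with `enableExplicitProxy: false` plus nulls whenever the feature is unused.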
@@ -0,0 +1,94 @@ +# Network FirewallPolicies `[Microsoft.Network/firewallPolicies]` + +This module deploys Network FirewallPolicies. +// TODO: Replace Resource and fill in description + +## Resource Types + +| Resource Type | API Version | +| :-- | :-- | +| `Microsoft.Network/firewallPolicies` | 2021-03-01 | +| `Microsoft.Network/firewallPolicies/ruleCollectionGroups` | 2021-03-01 | +| `Microsoft.Network/firewallPolicies/ruleGroups` | 2020-04-01 | + +## Parameters + +| Parameter Name | Type | Default Value | Possible Values | Description | +| :-- | :-- | :-- | :-- | :-- | +| `allowSqlRedirect` | bool | | | Optional. A flag to indicate if SQL Redirect traffic filtering is enabled. Turning on the flag requires no rule using port 11000-11999. | +| `basePolicyResourceId` | string | | | Optional. Resource ID of the base policy. | +| `bypassTrafficSettings` | array | `[]` | | Optional. List of rules for traffic to bypass. | +| `certificateName` | string | | | Optional. Name of the CA certificate. | +| `cuaId` | string | | | Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered | +| `defaultWorkspaceId` | string | | | Optional. Default Log Analytics Resource ID for Firewall Policy Insights. | +| `enableExplicitProxy` | bool | | | Optional. When set to true, explicit proxy mode is enabled. | +| `enableProxy` | bool | | | Optional. Enable DNS Proxy on Firewalls attached to the Firewall Policy. | +| `fqdns` | array | `[]` | | Optional. List of FQDNs for the ThreatIntel Allowlist. | +| `httpPort` | int | | | Optional. Port number for explicit proxy http protocol, cannot be greater than 64000. | +| `httpsPort` | int | | | Optional. Port number for explicit proxy https protocol, cannot be greater than 64000. | +| `ipAddresses` | array | `[]` | | Optional. List of IP addresses for the ThreatIntel Allowlist. | +| `isEnabled` | bool | | | Optional. A flag to indicate if the insights are enabled on the policy. 
| +| `keyVaultSecretId` | string | | | Optional. Secret Id of (base-64 encoded unencrypted pfx) Secret or Certificate object stored in KeyVault. | +| `location` | string | `[resourceGroup().location]` | | Optional. Location for all resources. | +| `mode` | string | `Off` | `[Alert, Deny, Off]` | Optional. The configuring of intrusion detection. | +| `name` | string | | | Required. Name of the Firewall Policy. | +| `pacFile` | string | | | Optional. SAS URL for PAC file. | +| `pacFilePort` | int | | | Optional. Port number for firewall to serve PAC file. | +| `privateRanges` | array | `[]` | | Optional. List of private IP addresses/IP address ranges to not be SNAT. | +| `requireProxyForNetworkRules` | bool | | | Optional. FQDNs in Network Rules are supported when set to true. | +| `retentionDays` | int | `365` | | Optional. Number of days the insights should be enabled on the policy. | +| `ruleCollectionGroups` | _[ruleCollectionGroups](ruleCollectionGroups/readme.md)_ array | `[]` | | Optional. Rule collection groups. | +| `ruleGroups` | _[ruleGroups](ruleGroups/readme.md)_ array | `[]` | | Optional. Rule groups. | +| `servers` | array | `[]` | | Optional. List of Custom DNS Servers. | +| `signatureOverrides` | array | `[]` | | Optional. List of specific signatures states. | +| `systemAssignedIdentity` | bool | | | Optional. Enables system assigned managed identity on the resource. | +| `tags` | object | `{object}` | | Optional. Tags of the Firewall policy resource. | +| `threatIntelMode` | string | `Off` | `[Alert, Deny, Off]` | Optional. The operation mode for Threat Intel. | +| `tier` | string | `Standard` | `[Premium, Standard]` | Optional. Tier of Firewall Policy. | +| `userAssignedIdentities` | object | `{object}` | | Optional. The ID(s) to assign to the resource. | +| `workspaces` | array | `[]` | | Optional. List of workspaces for Firewall Policy Insights. 
| + +### Parameter Usage: `` + +// TODO: Fill in Parameter usage + +### Parameter Usage: `tags` + +Tag names and tag values can be provided as needed. A tag can be left without a value. + +```json +"tags": { + "value": { + "Environment": "Non-Prod", + "Contact": "test.user@testcompany.com", + "PurchaseOrder": "1234", + "CostCenter": "7890", + "ServiceName": "DeploymentValidation", + "Role": "DeploymentValidation" + } +} +``` + +### Parameter Usage: `userAssignedIdentities` + +You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format: + +```json +"userAssignedIdentities": { + "value": { + "/subscriptions/12345678-1234-1234-1234-123456789012/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, + "/subscriptions/12345678-1234-1234-1234-123456789012/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} + } +}, +``` + +## Outputs + +| Output Name | Type | +| :-- | :-- | + +## Template references + +- [Firewallpolicies](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-03-01/firewallPolicies) +- [Firewallpolicies/Rulecollectiongroups](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-03-01/firewallPolicies/ruleCollectionGroups) +- [Firewallpolicies/Rulegroups](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2020-04-01/firewallPolicies/ruleGroups) From 435eaad340315f109f0f791bdc4359669164661d Mon Sep 17 00:00:00 2001 From: Rainer Halanek Date: Fri, 3 Dec 2021 10:38:54 +0100 Subject: [PATCH 05/24] update readme --- arm/Microsoft.Network/firewallPolicies/readme.md | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) diff --git a/arm/Microsoft.Network/firewallPolicies/readme.md b/arm/Microsoft.Network/firewallPolicies/readme.md index fff5bd2279..36337807f5 100644 
--- a/arm/Microsoft.Network/firewallPolicies/readme.md +++ b/arm/Microsoft.Network/firewallPolicies/readme.md @@ -1,7 +1,6 @@ -# Network FirewallPolicies `[Microsoft.Network/firewallPolicies]` +# Network Firewall Policies `[Microsoft.Network/firewallPolicies]` -This module deploys Network FirewallPolicies. -// TODO: Replace Resource and fill in description +This module deploys Network Firewall Policies. ## Resource Types @@ -48,10 +47,6 @@ This module deploys Network FirewallPolicies. | `userAssignedIdentities` | object | `{object}` | | Optional. The ID(s) to assign to the resource. | | `workspaces` | array | `[]` | | Optional. List of workspaces for Firewall Policy Insights. | -### Parameter Usage: `` - -// TODO: Fill in Parameter usage - ### Parameter Usage: `tags` Tag names and tag values can be provided as needed. A tag can be left without a value. From b5370ee9606c105a045af771d1db6115661b1b94 Mon Sep 17 00:00:00 2001 From: Rainer Halanek Date: Fri, 3 Dec 2021 12:39:50 +0100 Subject: [PATCH 06/24] add pipeline --- .../workflows/ms.network.firewallpolicies.yml | 180 ++++++++++++++++++ .../.parameters/parameters.json | 9 + 2 files changed, 189 insertions(+) create mode 100644 .github/workflows/ms.network.firewallpolicies.yml create mode 100644 arm/Microsoft.Network/firewallPolicies/.parameters/parameters.json diff --git a/.github/workflows/ms.network.firewallpolicies.yml b/.github/workflows/ms.network.firewallpolicies.yml new file mode 100644 index 0000000000..9978c4ab47 --- /dev/null +++ b/.github/workflows/ms.network.firewallpolicies.yml 
@@ -0,0 +1,180 @@ +name: 'Network: FirewallPolicies' + +on: + workflow_dispatch: + inputs: + removeDeployment: + type: boolean + description: 'Remove deployed module' + required: false + default: 'true' + versioningOption: + type: choice + description: 'The mode to handle the version increments [major|minor|patch]' + required: false + default: 'patch' + options: + - major + - minor + - patch + customVersion: + description: 'Custom version to apply. Used only if higher than latest' + required: false + default: '0.0.1' + push: + branches: + - main + paths: + - '.github/actions/templates/**' + - '.github/workflows/ms.network.firewallpolicies.yml' + - 'arm/Microsoft.Network/firewallPolicies/**' + - '!*/**/readme.md' + +env: + modulePath: 'arm/Microsoft.Network/firewallPolicies' + workflowPath: '.github/workflows/ms.network.firewallpolicies.yml' + AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }} + ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}' + ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}' + DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}' + +jobs: + ############################ + # SET INPUT PARAMETERS # + ############################ + job_set_workflow_param: + runs-on: ubuntu-20.04 + name: 'Set input parameters to output variables' + steps: + - name: 'Checkout' + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: 'Set input parameters' + id: get-workflow-param + uses: ./.github/actions/templates/getWorkflowInput + with: + workflowPath: '${{ env.workflowPath}}' + outputs: + removeDeployment: ${{ steps.get-workflow-param.outputs.removeDeployment }} + versioningOption: ${{ steps.get-workflow-param.outputs.versioningOption }} + customVersion: ${{ steps.get-workflow-param.outputs.customVersion }} + + ################## + # UNIT TESTS # + ################## + # Global tests + # ------------ + job_tests_module_global: + runs-on: ubuntu-20.04 + name: 'Run global module tests' + steps: + - name: 
'Checkout' + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: 'Test module' + uses: ./.github/actions/templates/validateModuleGeneral + with: + modulePath: '${{ env.modulePath }}' + + # Global API tests + # ---------------- + job_tests_module_global_api: + runs-on: ubuntu-20.04 + name: 'Run global API module tests' + steps: + - name: 'Checkout' + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: 'Test module' + uses: ./.github/actions/templates/validateModuleApis + with: + modulePath: '${{ env.modulePath }}' + + ########################### + # Deployment module tests # + ########################### + job_module_deploy_validation: + runs-on: ubuntu-20.04 + name: 'Run deployment validation module tests' + needs: + - job_set_workflow_param + - job_tests_module_global + - job_tests_module_global_api + strategy: + fail-fast: false + matrix: + parameterFilePaths: ['parameters.json'] + steps: + - name: 'Checkout' + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: Set environment variables + uses: deep-mm/set-variables@v1.0 + with: + # Name of variable file + variableFileName: 'variables.module' # Don't write .json here + # ----------- # + ## Dry Run ## + # ----------- # + - name: 'Test module with parameter file [${{ matrix.parameterFilePaths }}]' + uses: ./.github/actions/templates/validateModuleDeploy + with: + templateFilePath: '${{ env.modulePath }}/deploy.bicep' + parameterFilePath: '${{ env.modulePath }}/.parameters/${{ matrix.parameterFilePaths }}' + location: '${{ env.defaultLocation }}' + resourceGroupName: '${{ env.resourceGroupName }}' + subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + # ------------------- # + ## Deploy & Remove ## + # ------------------- # + - name: 'Deploy module with parameter file [${{ matrix.parameterFilePaths }}]' + id: step_deploy + uses: ./.github/actions/templates/deployModule + with: + templateFilePath: '${{ env.modulePath }}/deploy.bicep' 
+ parameterFilePath: '${{ env.modulePath }}/.parameters/${{ matrix.parameterFilePaths }}' + location: '${{ env.defaultLocation }}' + resourceGroupName: '${{ env.resourceGroupName }}' + subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + removeDeployment: '${{ needs.job_set_workflow_param.outputs.removeDeployment }}' + + ############### + # PUBLISH # + ############### + job_publish_module: + name: 'Publish module' + if: contains(fromJson('["refs/heads/main", "refs/heads/master"]'), github.ref) + runs-on: ubuntu-20.04 + needs: + - job_set_workflow_param + - job_module_deploy_validation + steps: + - name: 'Checkout' + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: Set environment variables + uses: deep-mm/set-variables@v1.0 + with: + # Name of variable file + variableFileName: 'variables.module' # Don't write .json here + - name: 'Publish module' + uses: ./.github/actions/templates/publishModule + with: + templateFilePath: '${{ env.modulePath }}/deploy.bicep' + versioningOption: '${{ needs.job_set_workflow_param.outputs.versioningOption }}' + customVersion: '${{ needs.job_set_workflow_param.outputs.customVersion }}' + templateSpecsRGName: '${{ env.templateSpecsRGName }}' + templateSpecsRGLocation: '${{ env.templateSpecsRGLocation }}' + templateSpecsDescription: '${{ env.templateSpecsDescription }}' + templateSpecsDoPublish: '${{ env.templateSpecsDoPublish }}' + bicepRegistryName: '${{ env.bicepRegistryName }}' + bicepRegistryRGName: '${{ env.bicepRegistryRGName }}' + bicepRegistryDoPublish: '${{ env.bicepRegistryDoPublish }}' diff --git a/arm/Microsoft.Network/firewallPolicies/.parameters/parameters.json b/arm/Microsoft.Network/firewallPolicies/.parameters/parameters.json new file mode 100644 index 0000000000..93d66698ea --- /dev/null +++ b/arm/Microsoft.Network/firewallPolicies/.parameters/parameters.json 
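Review bot: The workflow-level `env:` block hands AZURE_CREDENTIALS, ARM_SUBSCRIPTION_ID, ARM_MGMTGROUP_ID, ARM_TENANT_ID and DEPLOYMENT_SP_ID to every job, including job_tests_module_global and job_tests_module_global_api, which only run the static validation actions and show no use for them; moving those five entries to a job-level `env:` on job_module_deploy_validation and job_publish_module keeps the credential out of the unit-test jobs (the composite actions may read them from the environment, so confirm that before moving). The third-party action `deep-mm/set-variables@v1.0` is referenced by a mutable tag in two jobs; pinning it to a full commit SHA, `uses: deep-mm/set-variables@<commit-sha> # v1.0`, makes that supply-chain reference immutable. Minor: `removeDeployment` is declared `type: boolean` but its default is the string `'true'`; `default: true` matches the declared type.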
@@ -0,0 +1,9 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "name": { + "value": "sxx-az-fwpol-x-001" + } + } +} From b55053d75212f364cb21c920a8f7b1b1e325759c Mon Sep 17 00:00:00 2001 From: Rainer Halanek Date: Fri, 3 Dec 2021 12:54:13 +0100 Subject: [PATCH 07/24] add trigger --- .github/workflows/ms.network.firewallpolicies.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/ms.network.firewallpolicies.yml b/.github/workflows/ms.network.firewallpolicies.yml index 9978c4ab47..13d21b8ec6 100644 --- a/.github/workflows/ms.network.firewallpolicies.yml +++ b/.github/workflows/ms.network.firewallpolicies.yml @@ -24,6 +24,7 @@ on: push: branches: - main + - 'users/rahalan/AddFWpolicies' paths: - '.github/actions/templates/**' - '.github/workflows/ms.network.firewallpolicies.yml' From 2aba2c54a3504fbbdf1c4b22c73230573d2f06cf Mon Sep 17 00:00:00 2001 From: Rainer Halanek Date: Fri, 3 Dec 2021 13:02:09 +0100 Subject: [PATCH 08/24] adding outputs --- arm/Microsoft.Network/firewallPolicies/deploy.bicep | 9 +++++++++ arm/Microsoft.Network/firewallPolicies/readme.md | 7 +++++-- 2 files changed, 14 insertions(+), 2 deletions(-) diff --git a/arm/Microsoft.Network/firewallPolicies/deploy.bicep b/arm/Microsoft.Network/firewallPolicies/deploy.bicep index 1b4625ed52..8e5e19a99e 100644 --- a/arm/Microsoft.Network/firewallPolicies/deploy.bicep +++ b/arm/Microsoft.Network/firewallPolicies/deploy.bicep 
@@ -208,3 +208,12 @@ module ruleGroups_resource 'ruleGroups/deploy.bicep' = [for (ruleGroup, index) i firewallPolicy ] }] + +@description('The name of the deployed firewall policy') +output firewallPolicyName string = firewallPolicy.name + +@description('The resource ID of the deployed firewall policy') +output firewallPolicyResourceId string = firewallPolicy.id + +@description('The resource group of the deployed firewall policy') +output firewallPolicyResourceGroup string = resourceGroup().name diff --git a/arm/Microsoft.Network/firewallPolicies/readme.md b/arm/Microsoft.Network/firewallPolicies/readme.md index 36337807f5..cea1e9ff89 100644 --- a/arm/Microsoft.Network/firewallPolicies/readme.md +++ b/arm/Microsoft.Network/firewallPolicies/readme.md @@ -79,8 +79,11 @@ You can specify multiple user assigned identities to a resource by providing add ## Outputs -| Output Name | Type | -| :-- | :-- | +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `firewallPolicyName` | string | The name of the deployed firewall policy | +| `firewallPolicyResourceGroup` | string | The resource group of the deployed firewall policy | +| `firewallPolicyResourceId` | string | The resource ID of the deployed firewall policy | ## Template references From b680559cb3a0b89790c3c02d785f465a4baf80f1 Mon Sep 17 00:00:00 2001 From: Rainer Halanek Date: Fri, 3 Dec 2021 13:36:06 +0100 Subject: [PATCH 09/24] test --- arm/Microsoft.Network/firewallPolicies/deploy.bicep | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/arm/Microsoft.Network/firewallPolicies/deploy.bicep b/arm/Microsoft.Network/firewallPolicies/deploy.bicep index 8e5e19a99e..c44210c23c 100644 --- a/arm/Microsoft.Network/firewallPolicies/deploy.bicep +++ b/arm/Microsoft.Network/firewallPolicies/deploy.bicep 
@@ -174,12 +174,12 @@ resource firewallPolicy 'Microsoft.Network/firewallPolicies@2021-03-01' = { fqdns: !empty(fqdns) ? fqdns : null ipAddresses: !empty(ipAddresses) ? ipAddresses : null } - transportSecurity: { - certificateAuthority: { - keyVaultSecretId: !empty(keyVaultSecretId) ? keyVaultSecretId : null - name: !empty(certificateName) ? certificateName : null - } - } + // transportSecurity: { + // certificateAuthority: { + // keyVaultSecretId: !empty(keyVaultSecretId) ? keyVaultSecretId : null + // name: !empty(certificateName) ? certificateName : null + // } + // } } } From a67c6f088f7a4aa8d0d672f9f4b2eb6e9d8ba673 Mon Sep 17 00:00:00 2001 From: Rainer Halanek Date: Fri, 3 Dec 2021 13:47:05 +0100 Subject: [PATCH 10/24] test#2 --- .../firewallPolicies/deploy.bicep | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/arm/Microsoft.Network/firewallPolicies/deploy.bicep b/arm/Microsoft.Network/firewallPolicies/deploy.bicep index c44210c23c..c5c8a63a9d 100644 --- a/arm/Microsoft.Network/firewallPolicies/deploy.bicep +++ b/arm/Microsoft.Network/firewallPolicies/deploy.bicep @@ -136,13 +136,13 @@ resource firewallPolicy 'Microsoft.Network/firewallPolicies@2021-03-01' = { requireProxyForNetworkRules: requireProxyForNetworkRules servers: servers } - explicitProxySettings: { - enableExplicitProxy: enableExplicitProxy - httpPort: (httpPort > 0) ? httpPort : null - httpsPort: (httpsPort > 0) ? httpsPort : null - pacFile: !empty(pacFile) ? pacFile : null - pacFilePort: (pacFilePort > 0) ? pacFilePort : null - } + // explicitProxySettings: { + // enableExplicitProxy: enableExplicitProxy + // httpPort: (httpPort > 0) ? httpPort : null + // httpsPort: (httpsPort > 0) ? httpsPort : null + // pacFile: !empty(pacFile) ? pacFile : null + // pacFilePort: (pacFilePort > 0) ? pacFilePort : null + // } insights: { isEnabled: isEnabled logAnalyticsResources: { From d445c4eac0e85b824675185a2a0c490a0914ac9a Mon Sep 17 00:00:00 2001 
From: Rainer Halanek Date: Fri, 3 Dec 2021 14:20:24 +0100 Subject: [PATCH 11/24] test --- arm/Microsoft.Network/firewallPolicies/deploy.bicep | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/arm/Microsoft.Network/firewallPolicies/deploy.bicep b/arm/Microsoft.Network/firewallPolicies/deploy.bicep index c5c8a63a9d..7b299cd061 100644 --- a/arm/Microsoft.Network/firewallPolicies/deploy.bicep +++ b/arm/Microsoft.Network/firewallPolicies/deploy.bicep @@ -171,8 +171,8 @@ resource firewallPolicy 'Microsoft.Network/firewallPolicies@2021-03-01' = { } threatIntelMode: threatIntelMode threatIntelWhitelist: { - fqdns: !empty(fqdns) ? fqdns : null - ipAddresses: !empty(ipAddresses) ? ipAddresses : null + fqdns: fqdns + ipAddresses: ipAddresses } // transportSecurity: { // certificateAuthority: { From 6140313a0f33c857bac4efefa80511a7dcfe82e1 Mon Sep 17 00:00:00 2001 From: Rainer Halanek Date: Fri, 3 Dec 2021 14:57:50 +0100 Subject: [PATCH 12/24] update --- .../firewallPolicies/deploy.bicep | 54 +++++++++---------- 1 file changed, 27 insertions(+), 27 deletions(-) diff --git a/arm/Microsoft.Network/firewallPolicies/deploy.bicep b/arm/Microsoft.Network/firewallPolicies/deploy.bicep index 7b299cd061..03fd6972d2 100644 --- a/arm/Microsoft.Network/firewallPolicies/deploy.bicep +++ b/arm/Microsoft.Network/firewallPolicies/deploy.bicep 
@@ -128,22 +128,22 @@ resource firewallPolicy 'Microsoft.Network/firewallPolicies@2021-03-01' = {
 tags: tags
 identity: identity
 properties: {
- basePolicy: {
- id: !empty(basePolicyResourceId) ? basePolicyResourceId : null
- }
- dnsSettings: {
+ basePolicy: !empty(basePolicyResourceId) ? {
+ id: basePolicyResourceId
+ } : null
+ dnsSettings: enableProxy ? {
 enableProxy: enableProxy
 requireProxyForNetworkRules: requireProxyForNetworkRules
 servers: servers
- }
- // explicitProxySettings: {
- // enableExplicitProxy: enableExplicitProxy
- // httpPort: (httpPort > 0) ? httpPort : null
- // httpsPort: (httpsPort > 0) ? httpsPort : null
- // pacFile: !empty(pacFile) ? pacFile : null
- // pacFilePort: (pacFilePort > 0) ? pacFilePort : null
- // }
- insights: {
+ } : null
+ explicitProxySettings: enableExplicitProxy ? {
+ enableExplicitProxy: enableExplicitProxy
+ httpPort: (httpPort > 0) ? httpPort : null
+ httpsPort: (httpsPort > 0) ? httpsPort : null
+ pacFile: !empty(pacFile) ? pacFile : null
+ pacFilePort: (pacFilePort > 0) ? pacFilePort : null
+ } : null
+ insights: isEnabled ? {
 isEnabled: isEnabled
 logAnalyticsResources: {
 defaultWorkspaceId: {
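Review bot: `dnsSettings` is now emitted only when enableProxy is true, so a caller that passes `servers` (or requireProxyForNetworkRules) while leaving enableProxy at its default silently gets no custom DNS configuration, and nothing warns about the dropped input. If the intent is to omit the block only when nothing is configured, gate on the inputs instead, `dnsSettings: (enableProxy || !empty(servers)) ? {`; otherwise the `servers` @description should state that it only takes effect together with enableProxy. The second hunk (@@ -152) applies the same pattern to intrusionDetection, where bypassTrafficSettings and signatureOverrides are dropped whenever mode is 'Off'; that is probably intended, but deserves the same note in those parameters' @description. The firewallPolicy resource begins before and ends after both hunks.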
@@ -152,34 +152,34 @@ resource firewallPolicy 'Microsoft.Network/firewallPolicies@2021-03-01' = { workspaces: !empty(workspaces) ? workspaces : null } retentionDays: retentionDays - } - intrusionDetection: { + } : null + intrusionDetection: (mode != 'Off') ? { configuration: { bypassTrafficSettings: !empty(bypassTrafficSettings) ? bypassTrafficSettings : null signatureOverrides: !empty(signatureOverrides) ? signatureOverrides : null } mode: mode - } + } : null sku: { tier: tier } - snat: { - privateRanges: !empty(privateRanges) ? privateRanges : null - } - sql: { + snat: !empty(privateRanges) ? { + privateRanges: privateRanges + } : null + sql: allowSqlRedirect ? { allowSqlRedirect: allowSqlRedirect - } + } : null threatIntelMode: threatIntelMode threatIntelWhitelist: { fqdns: fqdns ipAddresses: ipAddresses } - // transportSecurity: { - // certificateAuthority: { - // keyVaultSecretId: !empty(keyVaultSecretId) ? keyVaultSecretId : null - // name: !empty(certificateName) ? certificateName : null - // } - // } + transportSecurity: (!empty(keyVaultSecretId) || !empty(certificateName)) ? { + certificateAuthority: { + keyVaultSecretId: !empty(keyVaultSecretId) ? keyVaultSecretId : null + name: !empty(certificateName) ? certificateName : null + } + } : null } } From be246939aa3e797c5bc8614e3f352234055c8881 Mon Sep 17 00:00:00 2001 From: Rainer Halanek Date: Fri, 3 Dec 2021 15:06:27 +0100 Subject: [PATCH 13/24] test --- arm/Microsoft.Network/firewallPolicies/deploy.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arm/Microsoft.Network/firewallPolicies/deploy.bicep b/arm/Microsoft.Network/firewallPolicies/deploy.bicep index 03fd6972d2..5f9b4a0bd5 100644 --- a/arm/Microsoft.Network/firewallPolicies/deploy.bicep +++ b/arm/Microsoft.Network/firewallPolicies/deploy.bicep 
@@ -73,7 +73,7 @@ param mode string = 'Off' 'Premium' 'Standard' ]) -param tier string = 'Standard' +param tier string = 'Premium' @description('Optional. List of private IP addresses/IP address ranges to not be SNAT.') param privateRanges array = [] From 9aeb0f82a75ca7a0667994407ce3c5285cbbb3c0 Mon Sep 17 00:00:00 2001 From: Rainer Halanek Date: Fri, 3 Dec 2021 15:33:59 +0100 Subject: [PATCH 14/24] test --- .../firewallPolicies/deploy.bicep | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/arm/Microsoft.Network/firewallPolicies/deploy.bicep b/arm/Microsoft.Network/firewallPolicies/deploy.bicep index 5f9b4a0bd5..a36a77b4c4 100644 --- a/arm/Microsoft.Network/firewallPolicies/deploy.bicep +++ b/arm/Microsoft.Network/firewallPolicies/deploy.bicep @@ -136,13 +136,13 @@ resource firewallPolicy 'Microsoft.Network/firewallPolicies@2021-03-01' = { requireProxyForNetworkRules: requireProxyForNetworkRules servers: servers } : null - explicitProxySettings: enableExplicitProxy ? { - enableExplicitProxy: enableExplicitProxy - httpPort: (httpPort > 0) ? httpPort : null - httpsPort: (httpsPort > 0) ? httpsPort : null - pacFile: !empty(pacFile) ? pacFile : null - pacFilePort: (pacFilePort > 0) ? pacFilePort : null - } : null + // explicitProxySettings: enableExplicitProxy ? { + // enableExplicitProxy: enableExplicitProxy + // httpPort: (httpPort > 0) ? httpPort : null + // httpsPort: (httpsPort > 0) ? httpsPort : null + // pacFile: !empty(pacFile) ? pacFile : null + // pacFilePort: (pacFilePort > 0) ? pacFilePort : null + // } : null insights: isEnabled ? { isEnabled: isEnabled logAnalyticsResources: { From 2a543e7858248e8b8d3e27f4a2c979da0922201c Mon Sep 17 00:00:00 2001 From: Rainer Halanek Date: Fri, 3 Dec 2021 15:49:30 +0100 Subject: [PATCH 15/24] test --- arm/Microsoft.Network/firewallPolicies/deploy.bicep | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/arm/Microsoft.Network/firewallPolicies/deploy.bicep b/arm/Microsoft.Network/firewallPolicies/deploy.bicep index a36a77b4c4..126cf3605a 100644 --- a/arm/Microsoft.Network/firewallPolicies/deploy.bicep +++ b/arm/Microsoft.Network/firewallPolicies/deploy.bicep @@ -166,9 +166,9 @@ resource firewallPolicy 'Microsoft.Network/firewallPolicies@2021-03-01' = { snat: !empty(privateRanges) ? { privateRanges: privateRanges } : null - sql: allowSqlRedirect ? { - allowSqlRedirect: allowSqlRedirect - } : null + // sql: allowSqlRedirect ? { + // allowSqlRedirect: allowSqlRedirect + // } : null threatIntelMode: threatIntelMode threatIntelWhitelist: { fqdns: fqdns From 7c757dcf891d3026f0dde4d42325639443cb510b Mon Sep 17 00:00:00 2001 From: Rainer Halanek Date: Fri, 3 Dec 2021 16:37:32 +0100 Subject: [PATCH 16/24] test --- .../workflows/ms.network.firewallpolicies.yml | 2 +- .../.parameters/min.parameters.json | 9 +++++ .../.parameters/parameters.json | 35 ++++++++++++++++++- 3 files changed, 44 insertions(+), 2 deletions(-) create mode 100644 arm/Microsoft.Network/firewallPolicies/.parameters/min.parameters.json diff --git a/.github/workflows/ms.network.firewallpolicies.yml b/.github/workflows/ms.network.firewallpolicies.yml index 13d21b8ec6..51c2fbf50e 100644 --- a/.github/workflows/ms.network.firewallpolicies.yml +++ b/.github/workflows/ms.network.firewallpolicies.yml @@ -108,7 +108,7 @@ jobs: strategy: fail-fast: false matrix: - parameterFilePaths: ['parameters.json'] + parameterFilePaths: ['min.parameters.json', 'parameters.json'] steps: - name: 'Checkout' uses: actions/checkout@v2 diff --git a/arm/Microsoft.Network/firewallPolicies/.parameters/min.parameters.json b/arm/Microsoft.Network/firewallPolicies/.parameters/min.parameters.json new file mode 100644 index 0000000000..93d66698ea --- /dev/null +++ b/arm/Microsoft.Network/firewallPolicies/.parameters/min.parameters.json 
@@ -0,0 +1,9 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "name": { + "value": "sxx-az-fwpol-x-001" + } + } +} diff --git a/arm/Microsoft.Network/firewallPolicies/.parameters/parameters.json b/arm/Microsoft.Network/firewallPolicies/.parameters/parameters.json index 93d66698ea..865999d80f 100644 --- a/arm/Microsoft.Network/firewallPolicies/.parameters/parameters.json +++ b/arm/Microsoft.Network/firewallPolicies/.parameters/parameters.json @@ -3,7 +3,40 @@ "contentVersion": "1.0.0.0", "parameters": { "name": { - "value": "sxx-az-fwpol-x-001" + "value": "sxx-az-fwpol-x-002" + }, + "ruleGroups": { + "value": [ + { + "name": "sxx-rule-001", + "priority": 5000, + // "action": { + // "type": "Allow" + // }, + "rules": [ + { + "name": "344", + "ipProtocols": [ + "TCP" + ], + "destinationPorts": [ + "3389" + ], + "sourceAddresses": [ + "192.168.1.1" + ], + "sourceIpGroups": [], + "ruleType": "NetworkRule", + "destinationIpGroups": [], + "destinationAddresses": [ + "192.168.1.1" + ], + "destinationFqdns": [] + } + ] //, + // "ruleCollectionType": "FirewallPolicyFilterRuleCollection" + } + ] } } } From 0b8bb688a195cb701644415249a1141908d563ec Mon Sep 17 00:00:00 2001 From: Rainer Halanek Date: Fri, 3 Dec 2021 17:50:27 +0100 Subject: [PATCH 17/24] fix? --- .../firewallPolicies/deploy.bicep | 20 +++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/arm/Microsoft.Network/firewallPolicies/deploy.bicep b/arm/Microsoft.Network/firewallPolicies/deploy.bicep index 126cf3605a..320f356c96 100644 --- a/arm/Microsoft.Network/firewallPolicies/deploy.bicep +++ b/arm/Microsoft.Network/firewallPolicies/deploy.bicep 
@@ -136,13 +136,13 @@ resource firewallPolicy 'Microsoft.Network/firewallPolicies@2021-03-01' = {
 requireProxyForNetworkRules: requireProxyForNetworkRules
 servers: servers
 } : null
- // explicitProxySettings: enableExplicitProxy ? {
- // enableExplicitProxy: enableExplicitProxy
- // httpPort: (httpPort > 0) ? httpPort : null
- // httpsPort: (httpsPort > 0) ? httpsPort : null
- // pacFile: !empty(pacFile) ? pacFile : null
- // pacFilePort: (pacFilePort > 0) ? pacFilePort : null
- // } : null
+ explicitProxySettings: enableExplicitProxy ? {
+ enableExplicitProxy: enableExplicitProxy
+ httpPort: (httpPort > 0) ? httpPort : null
+ httpsPort: (httpsPort > 0) ? httpsPort : null
+ pacFile: !empty(pacFile) ? pacFile : null
+ pacFilePort: (pacFilePort > 0) ? pacFilePort : null
+ } : {}
 insights: isEnabled ? {
 isEnabled: isEnabled
 logAnalyticsResources: {
@@ -166,9 +166,9 @@ resource firewallPolicy 'Microsoft.Network/firewallPolicies@2021-03-01' = {
 snat: !empty(privateRanges) ? {
 privateRanges: privateRanges
 } : null
- // sql: allowSqlRedirect ? {
- // allowSqlRedirect: allowSqlRedirect
- // } : null
+ sql: allowSqlRedirect ? {
+ allowSqlRedirect: allowSqlRedirect
+ } : {}
 threatIntelMode: threatIntelMode
 threatIntelWhitelist: {
 fqdns: fqdns
From c8d58be6ce6f9be6931e42bd03232c54a01d2ce5 Mon Sep 17 00:00:00 2001 From: Rainer Halanek Date: Fri, 3 Dec 2021 18:04:52 +0100 Subject: [PATCH 18/24] test
--- arm/Microsoft.Network/firewallPolicies/deploy.bicep | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/arm/Microsoft.Network/firewallPolicies/deploy.bicep b/arm/Microsoft.Network/firewallPolicies/deploy.bicep
index 320f356c96..608b4ee7e4 100644
--- a/arm/Microsoft.Network/firewallPolicies/deploy.bicep
+++ b/arm/Microsoft.Network/firewallPolicies/deploy.bicep
@@ -73,7 +73,7 @@ param mode string = 'Off' 'Premium' 'Standard' ]) -param tier string = 'Premium' +param tier string = 'Standard' @description('Optional. List of private IP addresses/IP address ranges to not be SNAT.') param privateRanges array = [] @@ -136,13 +136,13 @@ resource firewallPolicy 'Microsoft.Network/firewallPolicies@2021-03-01' = { requireProxyForNetworkRules: requireProxyForNetworkRules servers: servers } : null - explicitProxySettings: enableExplicitProxy ? { + explicitProxySettings: { enableExplicitProxy: enableExplicitProxy httpPort: (httpPort > 0) ? httpPort : null httpsPort: (httpsPort > 0) ? httpsPort : null pacFile: !empty(pacFile) ? pacFile : null pacFilePort: (pacFilePort > 0) ? pacFilePort : null - } : {} + } insights: isEnabled ? { isEnabled: isEnabled logAnalyticsResources: { @@ -166,9 +166,9 @@ resource firewallPolicy 'Microsoft.Network/firewallPolicies@2021-03-01' = { snat: !empty(privateRanges) ? { privateRanges: privateRanges } : null - sql: allowSqlRedirect ? { + sql: { allowSqlRedirect: allowSqlRedirect - } : {} + } threatIntelMode: threatIntelMode threatIntelWhitelist: { fqdns: fqdns From 4fd052d19f5ac7bdab5af23b6b2b1babafa722d9 Mon Sep 17 00:00:00 2001 From: Rainer Halanek Date: Sun, 5 Dec 2021 14:33:46 +0100 Subject: [PATCH 19/24] revert --- .../firewallPolicies/deploy.bicep | 20 +++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/arm/Microsoft.Network/firewallPolicies/deploy.bicep b/arm/Microsoft.Network/firewallPolicies/deploy.bicep index 608b4ee7e4..dce3b892ea 100644 --- a/arm/Microsoft.Network/firewallPolicies/deploy.bicep +++ b/arm/Microsoft.Network/firewallPolicies/deploy.bicep 
@@ -136,13 +136,13 @@ resource firewallPolicy 'Microsoft.Network/firewallPolicies@2021-03-01' = { requireProxyForNetworkRules: requireProxyForNetworkRules servers: servers } : null - explicitProxySettings: { - enableExplicitProxy: enableExplicitProxy - httpPort: (httpPort > 0) ? httpPort : null - httpsPort: (httpsPort > 0) ? httpsPort : null - pacFile: !empty(pacFile) ? pacFile : null - pacFilePort: (pacFilePort > 0) ? pacFilePort : null - } + // explicitProxySettings: !enableExplicitProxy ? { + // enableExplicitProxy: enableExplicitProxy + // httpPort: (httpPort > 0) ? httpPort : null + // httpsPort: (httpsPort > 0) ? httpsPort : null + // pacFile: !empty(pacFile) ? pacFile : null + // pacFilePort: (pacFilePort > 0) ? pacFilePort : null + // } : null insights: isEnabled ? { isEnabled: isEnabled logAnalyticsResources: { @@ -166,9 +166,9 @@ resource firewallPolicy 'Microsoft.Network/firewallPolicies@2021-03-01' = { snat: !empty(privateRanges) ? { privateRanges: privateRanges } : null - sql: { - allowSqlRedirect: allowSqlRedirect - } + // sql: !allowSqlRedirect ? { + // allowSqlRedirect: allowSqlRedirect + // } : null threatIntelMode: threatIntelMode threatIntelWhitelist: { fqdns: fqdns From 5a9d56f4016fee16486a6a61889b7a799f3bf15c Mon Sep 17 00:00:00 2001 From: Rainer Halanek Date: Mon, 6 Dec 2021 09:35:59 +0100 Subject: [PATCH 20/24] update --- .../.parameters/parameters.json | 53 +++++++++++-------- 1 file changed, 30 insertions(+), 23 deletions(-) diff --git a/arm/Microsoft.Network/firewallPolicies/.parameters/parameters.json b/arm/Microsoft.Network/firewallPolicies/.parameters/parameters.json index 865999d80f..a3254fca0e 100644 --- a/arm/Microsoft.Network/firewallPolicies/.parameters/parameters.json +++ b/arm/Microsoft.Network/firewallPolicies/.parameters/parameters.json 
@@ -5,36 +5,43 @@ "name": { "value": "sxx-az-fwpol-x-002" }, - "ruleGroups": { + "ruleCollectionGroups": { "value": [ { "name": "sxx-rule-001", "priority": 5000, - // "action": { - // "type": "Allow" - // }, - "rules": [ + "ruleCollections": [ { - "name": "344", - "ipProtocols": [ - "TCP" + "name": "collection002", + "priority": 5555, + "action": { + "type": "Allow" + }, + "rules": [ + { + "name": "rule002", + "ipProtocols": [ + "TCP", + "UDP" + ], + "destinationPorts": [ + "80" + ], + "sourceAddresses": [ + "*" + ], + "sourceIpGroups": [], + "ruleType": "NetworkRule", + "destinationIpGroups": [], + "destinationAddresses": [ + "*" + ], + "destinationFqdns": [] + } ], - "destinationPorts": [ - "3389" - ], - "sourceAddresses": [ - "192.168.1.1" - ], - "sourceIpGroups": [], - "ruleType": "NetworkRule", - "destinationIpGroups": [], - "destinationAddresses": [ - "192.168.1.1" - ], - "destinationFqdns": [] + "ruleCollectionType": "FirewallPolicyFilterRuleCollection" } - ] //, - // "ruleCollectionType": "FirewallPolicyFilterRuleCollection" + ] } ] } From 8a8c18e1e5b073951b26ea2b395bca7199d1c550 Mon Sep 17 00:00:00 2001 From: Rainer Halanek Date: Mon, 6 Dec 2021 10:16:54 +0100 Subject: [PATCH 21/24] remove trigger --- .github/workflows/ms.network.firewallpolicies.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/ms.network.firewallpolicies.yml b/.github/workflows/ms.network.firewallpolicies.yml index 51c2fbf50e..424b2aec2d 100644 --- a/.github/workflows/ms.network.firewallpolicies.yml +++ b/.github/workflows/ms.network.firewallpolicies.yml @@ -24,7 +24,6 @@ on: push: branches: - main - - 'users/rahalan/AddFWpolicies' paths: - '.github/actions/templates/**' - '.github/workflows/ms.network.firewallpolicies.yml' From 9cdf0492a36bc1fffaabca3c0e59df2cf6edd68a Mon Sep 17 00:00:00 2001 
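Review bot: The replacement fixture deploys an Allow network rule with `sourceAddresses` and `destinationAddresses` both `"*"` on TCP and UDP 80, which is broader than the rule it replaces (192.168.1.1 to 192.168.1.1 on 3389); since this parameter file drives the CI deployment of the module, that rule collection lands in a real policy whenever the workflow runs. A narrow example is enough to exercise `ruleCollectionGroups` — for instance a single private source range such as `"192.168.1.0/24"` (constructed) and one destination address — and it keeps the fixture from being copied as-is into a production parameter file. JSON cannot carry the rationale as a comment, so the readme's parameter section is the place to say the fixture is illustrative only.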
From: Rainer Halanek Date: Mon, 6 Dec 2021 10:28:06 +0100 Subject: [PATCH 22/24] remove unused code --- .../firewallPolicies/deploy.bicep | 30 ------------------- .../firewallPolicies/readme.md | 6 ---- 2 files changed, 36 deletions(-) diff --git a/arm/Microsoft.Network/firewallPolicies/deploy.bicep b/arm/Microsoft.Network/firewallPolicies/deploy.bicep index dce3b892ea..f8730d902f 100644 --- a/arm/Microsoft.Network/firewallPolicies/deploy.bicep +++ b/arm/Microsoft.Network/firewallPolicies/deploy.bicep @@ -25,23 +25,6 @@ param requireProxyForNetworkRules bool = false @description('Optional. List of Custom DNS Servers.') param servers array = [] -@description('Optional. When set to true, explicit proxy mode is enabled.') -param enableExplicitProxy bool = false - -@description('Optional. Port number for explicit proxy http protocol, cannot be greater than 64000.') -@maxValue(64000) -param httpPort int = 0 - -@description('Optional. Port number for explicit proxy https protocol, cannot be greater than 64000.') -@maxValue(64000) -param httpsPort int = 0 - -@description('Optional. SAS URL for PAC file.') -param pacFile string = '' - -@description('Optional. Port number for firewall to serve PAC file.') -param pacFilePort int = 0 - @description('Optional. A flag to indicate if the insights are enabled on the policy.') param isEnabled bool = false @@ -78,9 +61,6 @@ param tier string = 'Standard' @description('Optional. List of private IP addresses/IP address ranges to not be SNAT.') param privateRanges array = [] -@description('Optional. A flag to indicate if SQL Redirect traffic filtering is enabled. Turning on the flag requires no rule using port 11000-11999.') -param allowSqlRedirect bool = false - @description('Optional. The operation mode for Threat Intel.') @allowed([ 'Alert' 
@@ -136,13 +116,6 @@ resource firewallPolicy 'Microsoft.Network/firewallPolicies@2021-03-01' = { requireProxyForNetworkRules: requireProxyForNetworkRules servers: servers } : null - // explicitProxySettings: !enableExplicitProxy ? { - // enableExplicitProxy: enableExplicitProxy - // httpPort: (httpPort > 0) ? httpPort : null - // httpsPort: (httpsPort > 0) ? httpsPort : null - // pacFile: !empty(pacFile) ? pacFile : null - // pacFilePort: (pacFilePort > 0) ? pacFilePort : null - // } : null insights: isEnabled ? { isEnabled: isEnabled logAnalyticsResources: { @@ -166,9 +139,6 @@ resource firewallPolicy 'Microsoft.Network/firewallPolicies@2021-03-01' = { snat: !empty(privateRanges) ? { privateRanges: privateRanges } : null - // sql: !allowSqlRedirect ? { - // allowSqlRedirect: allowSqlRedirect - // } : null threatIntelMode: threatIntelMode threatIntelWhitelist: { fqdns: fqdns diff --git a/arm/Microsoft.Network/firewallPolicies/readme.md b/arm/Microsoft.Network/firewallPolicies/readme.md index cea1e9ff89..c04ba8676e 100644 --- a/arm/Microsoft.Network/firewallPolicies/readme.md +++ b/arm/Microsoft.Network/firewallPolicies/readme.md 
@@ -14,25 +14,19 @@ This module deploys Network Firewall Policies.
 | Parameter Name | Type | Default Value | Possible Values | Description |
 | :-- | :-- | :-- | :-- | :-- |
-| `allowSqlRedirect` | bool | | | Optional. A flag to indicate if SQL Redirect traffic filtering is enabled. Turning on the flag requires no rule using port 11000-11999. |
 | `basePolicyResourceId` | string | | | Optional. Resource ID of the base policy. |
 | `bypassTrafficSettings` | array | `[]` | | Optional. List of rules for traffic to bypass. |
 | `certificateName` | string | | | Optional. Name of the CA certificate. |
 | `cuaId` | string | | | Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered |
 | `defaultWorkspaceId` | string | | | Optional. Default Log Analytics Resource ID for Firewall Policy Insights. |
-| `enableExplicitProxy` | bool | | | Optional. When set to true, explicit proxy mode is enabled. |
 | `enableProxy` | bool | | | Optional. Enable DNS Proxy on Firewalls attached to the Firewall Policy. |
 | `fqdns` | array | `[]` | | Optional. List of FQDNs for the ThreatIntel Allowlist. |
-| `httpPort` | int | | | Optional. Port number for explicit proxy http protocol, cannot be greater than 64000. |
-| `httpsPort` | int | | | Optional. Port number for explicit proxy https protocol, cannot be greater than 64000. |
 | `ipAddresses` | array | `[]` | | Optional. List of IP addresses for the ThreatIntel Allowlist. |
 | `isEnabled` | bool | | | Optional. A flag to indicate if the insights are enabled on the policy. |
 | `keyVaultSecretId` | string | | | Optional. Secret Id of (base-64 encoded unencrypted pfx) Secret or Certificate object stored in KeyVault. |
 | `location` | string | `[resourceGroup().location]` | | Optional. Location for all resources. |
 | `mode` | string | `Off` | `[Alert, Deny, Off]` | Optional. The configuring of intrusion detection. |
 | `name` | string | | | Required. Name of the Firewall Policy. |
-| `pacFile` | string | | | Optional. 
SAS URL for PAC file. | -| `pacFilePort` | int | | | Optional. Port number for firewall to serve PAC file. | | `privateRanges` | array | `[]` | | Optional. List of private IP addresses/IP address ranges to not be SNAT. | | `requireProxyForNetworkRules` | bool | | | Optional. FQDNs in Network Rules are supported when set to true. | | `retentionDays` | int | `365` | | Optional. Number of days the insights should be enabled on the policy. | From 8fb02cf04f8db5828a1bc172a0b6efa3f33a4b0a Mon Sep 17 00:00:00 2001 From: Rainer Halanek Date: Thu, 9 Dec 2021 11:26:41 +0100 Subject: [PATCH 23/24] minor changes --- arm/Microsoft.Network/azureFirewalls/deploy.bicep | 6 +++--- .../firewallPolicies/deploy.bicep | 14 +++++++------- arm/Microsoft.Network/firewallPolicies/readme.md | 2 +- .../ruleCollectionGroups/deploy.bicep | 8 ++++---- .../firewallPolicies/ruleGroups/deploy.bicep | 8 ++++---- 5 files changed, 19 insertions(+), 19 deletions(-) diff --git a/arm/Microsoft.Network/azureFirewalls/deploy.bicep b/arm/Microsoft.Network/azureFirewalls/deploy.bicep index 786e2d6a49..4676802295 100644 --- a/arm/Microsoft.Network/azureFirewalls/deploy.bicep +++ b/arm/Microsoft.Network/azureFirewalls/deploy.bicep @@ -218,9 +218,9 @@ resource azureFirewall 'Microsoft.Network/azureFirewalls@2021-03-01' = { additionalProperties: { 'Network.DNS.EnableProxy': string(enableDnsProxy) } - firewallPolicy: { - id: empty(firewallPolicyIResourceId) ? null : firewallPolicyIResourceId - } + firewallPolicy: !empty(firewallPolicyIResourceId) ? { + id: firewallPolicyIResourceId + } : null applicationRuleCollections: applicationRuleCollections natRuleCollections: natRuleCollections networkRuleCollections: networkRuleCollections diff --git a/arm/Microsoft.Network/firewallPolicies/deploy.bicep b/arm/Microsoft.Network/firewallPolicies/deploy.bicep index f8730d902f..9de4789a19 100644 --- a/arm/Microsoft.Network/firewallPolicies/deploy.bicep +++ b/arm/Microsoft.Network/firewallPolicies/deploy.bicep 
@@ -26,7 +26,7 @@ param requireProxyForNetworkRules bool = false param servers array = [] @description('Optional. A flag to indicate if the insights are enabled on the policy.') -param isEnabled bool = false +param insightsIsEnabled bool = false @description('Optional. Default Log Analytics Resource ID for Firewall Policy Insights.') param defaultWorkspaceId string = '' @@ -116,8 +116,8 @@ resource firewallPolicy 'Microsoft.Network/firewallPolicies@2021-03-01' = { requireProxyForNetworkRules: requireProxyForNetworkRules servers: servers } : null - insights: isEnabled ? { - isEnabled: isEnabled + insights: insightsIsEnabled ? { + isEnabled: insightsIsEnabled logAnalyticsResources: { defaultWorkspaceId: { id: !empty(defaultWorkspaceId) ? defaultWorkspaceId : null @@ -153,8 +153,8 @@ resource firewallPolicy 'Microsoft.Network/firewallPolicies@2021-03-01' = { } } -module ruleCollectionGroups_resource 'ruleCollectionGroups/deploy.bicep' = [for (ruleCollectionGroup, index) in ruleCollectionGroups: { - name: '${uniqueString(deployment().name, location)}-ruleCollectionGroup-${index}' +module firewallPolicy_ruleCollectionGroups 'ruleCollectionGroups/deploy.bicep' = [for (ruleCollectionGroup, index) in ruleCollectionGroups: { + name: '${uniqueString(deployment().name, location)}-firewallPolicy_ruleCollectionGroups-${index}' params: { firewallPolicyName: firewallPolicy.name name: ruleCollectionGroup.name @@ -166,8 +166,8 @@ module ruleCollectionGroups_resource 'ruleCollectionGroups/deploy.bicep' = [for ] }] -module ruleGroups_resource 'ruleGroups/deploy.bicep' = [for (ruleGroup, index) in ruleGroups: { - name: '${uniqueString(deployment().name, location)}-ruleGroup-${index}' +module firewallPolicy_ruleGroups 'ruleGroups/deploy.bicep' = [for (ruleGroup, index) in ruleGroups: { + name: '${uniqueString(deployment().name, location)}-firewallPolicy_ruleGroups-${index}' params: { firewallPolicyName: firewallPolicy.name name: ruleGroup.name 
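Review bot: Renaming `isEnabled` to `insightsIsEnabled` is a breaking change for every existing parameter file and caller of this module, and the commit subject "minor changes" does not flag it; a line in the commit message or the readme naming the old parameter and its replacement would save consumers a failed deployment. The matching readme row in the next file section carries a stray space inside the backticks, `` `insightsIsEnabled ` ``, which renders as a name that differs from the parameter.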
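Review bot: With `insightsIsEnabled` true and `defaultWorkspaceId` left at its default `''`, the template still emits `logAnalyticsResources.defaultWorkspaceId` as `{ id: null }`, so insights are switched on with no workspace to deliver to; whether the service rejects that or silently accepts it is not visible here. Either make the reference conditional, `defaultWorkspaceId: !empty(defaultWorkspaceId) ? { id: defaultWorkspaceId } : null`, or state the dependency in the parameter's description, e.g. `@description('Optional. Default Log Analytics Resource ID for Firewall Policy Insights. Required when insightsIsEnabled is true.')`. The `insights` object continues past the end of the hunk.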
diff --git a/arm/Microsoft.Network/firewallPolicies/readme.md b/arm/Microsoft.Network/firewallPolicies/readme.md index c04ba8676e..b73761e0e2 100644 --- a/arm/Microsoft.Network/firewallPolicies/readme.md +++ b/arm/Microsoft.Network/firewallPolicies/readme.md @@ -21,8 +21,8 @@ This module deploys Network Firewall Policies. | `defaultWorkspaceId` | string | | | Optional. Default Log Analytics Resource ID for Firewall Policy Insights. | | `enableProxy` | bool | | | Optional. Enable DNS Proxy on Firewalls attached to the Firewall Policy. | | `fqdns` | array | `[]` | | Optional. List of FQDNs for the ThreatIntel Allowlist. | +| `insightsIsEnabled ` | bool | | | Optional. A flag to indicate if the insights are enabled on the policy. | | `ipAddresses` | array | `[]` | | Optional. List of IP addresses for the ThreatIntel Allowlist. | -| `isEnabled` | bool | | | Optional. A flag to indicate if the insights are enabled on the policy. | | `keyVaultSecretId` | string | | | Optional. Secret Id of (base-64 encoded unencrypted pfx) Secret or Certificate object stored in KeyVault. | | `location` | string | `[resourceGroup().location]` | | Optional. Location for all resources. | | `mode` | string | `Off` | `[Alert, Deny, Off]` | Optional. The configuring of intrusion detection. | diff --git a/arm/Microsoft.Network/firewallPolicies/ruleCollectionGroups/deploy.bicep b/arm/Microsoft.Network/firewallPolicies/ruleCollectionGroups/deploy.bicep index 1a0239832f..e34b330d2c 100644 --- a/arm/Microsoft.Network/firewallPolicies/ruleCollectionGroups/deploy.bicep +++ b/arm/Microsoft.Network/firewallPolicies/ruleCollectionGroups/deploy.bicep 
@@ -13,15 +13,15 @@ param ruleCollections array = [] @description('Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered') param cuaId string = '' -resource firewallPolicy 'Microsoft.Network/firewallPolicies@2021-03-01' existing = { - name: firewallPolicyName -} - module pid_cuaId '.bicep/nested_cuaId.bicep' = if (!empty(cuaId)) { name: 'pid-${cuaId}' params: {} } +resource firewallPolicy 'Microsoft.Network/firewallPolicies@2021-03-01' existing = { + name: firewallPolicyName +} + resource ruleCollectionGroup 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2021-03-01' = { name: name parent: firewallPolicy diff --git a/arm/Microsoft.Network/firewallPolicies/ruleGroups/deploy.bicep b/arm/Microsoft.Network/firewallPolicies/ruleGroups/deploy.bicep index 0e17e529cb..f5e365f7df 100644 --- a/arm/Microsoft.Network/firewallPolicies/ruleGroups/deploy.bicep +++ b/arm/Microsoft.Network/firewallPolicies/ruleGroups/deploy.bicep @@ -13,15 +13,15 @@ param rules array = [] @description('Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered') param cuaId string = '' -resource firewallPolicy 'Microsoft.Network/firewallPolicies@2021-03-01' existing = { - name: firewallPolicyName -} - module pid_cuaId '.bicep/nested_cuaId.bicep' = if (!empty(cuaId)) { name: 'pid-${cuaId}' params: {} } +resource firewallPolicy 'Microsoft.Network/firewallPolicies@2021-03-01' existing = { + name: firewallPolicyName +} + resource ruleGroup 'Microsoft.Network/firewallPolicies/ruleGroups@2020-04-01' = { name: name parent: firewallPolicy From 050bd6bbaa362a62a204e8d5eef3c148184349e5 Mon Sep 17 00:00:00 2001 From: Rainer Halanek Date: Thu, 9 Dec 2021 14:12:21 +0100 Subject: [PATCH 24/24] remove policy id --- arm/Microsoft.Network/azureFirewalls/deploy.bicep | 6 ------ arm/Microsoft.Network/azureFirewalls/readme.md | 1 - 2 files changed, 7 deletions(-) 
diff --git a/arm/Microsoft.Network/azureFirewalls/deploy.bicep b/arm/Microsoft.Network/azureFirewalls/deploy.bicep index 4676802295..ba42051e9f 100644 --- a/arm/Microsoft.Network/azureFirewalls/deploy.bicep +++ b/arm/Microsoft.Network/azureFirewalls/deploy.bicep @@ -56,9 +56,6 @@ param eventHubName string = '' @description('Optional. Location for all resources.') param location string = resourceGroup().location -@description('Optional. Resource ID of an existing firewall policy.') -param firewallPolicyIResourceId string = '' - @description('Optional. Zone numbers e.g. 1,2,3.') param availabilityZones array = [ '1' @@ -218,9 +215,6 @@ resource azureFirewall 'Microsoft.Network/azureFirewalls@2021-03-01' = { additionalProperties: { 'Network.DNS.EnableProxy': string(enableDnsProxy) } - firewallPolicy: !empty(firewallPolicyIResourceId) ? { - id: firewallPolicyIResourceId - } : null applicationRuleCollections: applicationRuleCollections natRuleCollections: natRuleCollections networkRuleCollections: networkRuleCollections diff --git a/arm/Microsoft.Network/azureFirewalls/readme.md b/arm/Microsoft.Network/azureFirewalls/readme.md index 28c89daa31..0ae108df48 100644 --- a/arm/Microsoft.Network/azureFirewalls/readme.md +++ b/arm/Microsoft.Network/azureFirewalls/readme.md 
@@ -28,7 +28,6 @@ This module deploys a firewall.
 | `eventHubAuthorizationRuleId` | string | | | Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. |
 | `eventHubName` | string | | | Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. |
 | `firewallLogsToEnable` | array | `[AzureFirewallApplicationRule, AzureFirewallNetworkRule, AzureFirewallDnsProxy]` | `[AzureFirewallApplicationRule, AzureFirewallNetworkRule, AzureFirewallDnsProxy]` | Optional. The name of firewall logs that will be streamed. |
-| `firewallPolicyIResourceId` | string | | | Optional. Resource ID of an existing firewall policy. |
 | `location` | string | `[resourceGroup().location]` | | Optional. Location for all resources. |
 | `lock` | string | `NotSpecified` | `[CanNotDelete, NotSpecified, ReadOnly]` | Optional. Specify the type of lock. |
 | `metricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | Optional. The name of metrics that will be streamed. |