Add Azure firewall policy module

.github/workflows/ms.network.firewallpolicies.yml

@@ -0,0 +1,180 @@
+name: 'Network: FirewallPolicies'
+
+on:
+  workflow_dispatch:
+    inputs:
+      removeDeployment:
+        type: boolean
+        description: 'Remove deployed module'
+        required: false
+        default: 'true'
+      versioningOption:
+        type: choice
+        description: 'The mode to handle the version increments [major|minor|patch]'
+        required: false
+        default: 'patch'
+        options:
+          - major
+          - minor
+          - patch
+      customVersion:
+        description: 'Custom version to apply. Used only if higher than latest'
+        required: false
+        default: '0.0.1'
+  push:
+    branches:
+      - main
+    paths:
+      - '.github/actions/templates/**'
+      - '.github/workflows/ms.network.firewallpolicies.yml'
+      - 'arm/Microsoft.Network/firewallPolicies/**'
+      - '!*/**/readme.md'
+
+env:
+  modulePath: 'arm/Microsoft.Network/firewallPolicies'
+  workflowPath: '.github/workflows/ms.network.firewallpolicies.yml'
+  AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
+  ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+  ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}'
+  ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}'
+  DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}'
+
+jobs:
+  ############################
+  #   SET INPUT PARAMETERS   #
+  ############################
+  job_set_workflow_param:
+    runs-on: ubuntu-20.04
+    name: 'Set input parameters to output variables'
+    steps:
+      - name: 'Checkout'
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+      - name: 'Set input parameters'
+        id: get-workflow-param
+        uses: ./.github/actions/templates/getWorkflowInput
+        with:
+          workflowPath: '${{ env.workflowPath}}'
+    outputs:
+      removeDeployment: ${{ steps.get-workflow-param.outputs.removeDeployment }}
+      versioningOption: ${{ steps.get-workflow-param.outputs.versioningOption }}
+      customVersion: ${{ steps.get-workflow-param.outputs.customVersion }}
+
+  ##################
+  #   UNIT TESTS   #
+  ##################
+  # Global tests
+  # ------------
+  job_tests_module_global:
+    runs-on: ubuntu-20.04
+    name: 'Run global module tests'
+    steps:
+      - name: 'Checkout'
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+      - name: 'Test module'
+        uses: ./.github/actions/templates/validateModuleGeneral
+        with:
+          modulePath: '${{ env.modulePath }}'
+
+  # Global API tests
+  # ----------------
+  job_tests_module_global_api:
+    runs-on: ubuntu-20.04
+    name: 'Run global API module tests'
+    steps:
+      - name: 'Checkout'
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+      - name: 'Test module'
+        uses: ./.github/actions/templates/validateModuleApis
+        with:
+          modulePath: '${{ env.modulePath }}'
+
+  ###########################
+  # Deployment module tests #
+  ###########################
+  job_module_deploy_validation:
+    runs-on: ubuntu-20.04
+    name: 'Run deployment validation module tests'
+    needs:
+      - job_set_workflow_param
+      - job_tests_module_global
+      - job_tests_module_global_api
+    strategy:
+      fail-fast: false
+      matrix:
+        parameterFilePaths: ['min.parameters.json', 'parameters.json']
+    steps:
+      - name: 'Checkout'
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+      - name: Set environment variables
+        uses: deep-mm/set-variables@v1.0
+        with:
+          # Name of variable file
+          variableFileName: 'variables.module' # Don't write .json here
+      # ----------- #
+      ##  Dry Run  ##
+      # ----------- #
+      - name: 'Test module with parameter file [${{ matrix.parameterFilePaths }}]'
+        uses: ./.github/actions/templates/validateModuleDeploy
+        with:
+          templateFilePath: '${{ env.modulePath }}/deploy.bicep'
+          parameterFilePath: '${{ env.modulePath }}/.parameters/${{ matrix.parameterFilePaths }}'
+          location: '${{ env.defaultLocation }}'
+          resourceGroupName: '${{ env.resourceGroupName }}'
+          subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+          managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
+      # ------------------- #
+      ##  Deploy & Remove  ##
+      # ------------------- #
+      - name: 'Deploy module with parameter file [${{ matrix.parameterFilePaths }}]'
+        id: step_deploy
+        uses: ./.github/actions/templates/deployModule
+        with:
+          templateFilePath: '${{ env.modulePath }}/deploy.bicep'
+          parameterFilePath: '${{ env.modulePath }}/.parameters/${{ matrix.parameterFilePaths }}'
+          location: '${{ env.defaultLocation }}'
+          resourceGroupName: '${{ env.resourceGroupName }}'
+          subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+          managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
+          removeDeployment: '${{ needs.job_set_workflow_param.outputs.removeDeployment }}'
+
+  ###############
+  #   PUBLISH   #
+  ###############
+  job_publish_module:
+    name: 'Publish module'
+    if: contains(fromJson('["refs/heads/main", "refs/heads/master"]'), github.ref)
+    runs-on: ubuntu-20.04
+    needs:
+      - job_set_workflow_param
+      - job_module_deploy_validation
+    steps:
+      - name: 'Checkout'
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+      - name: Set environment variables
+        uses: deep-mm/set-variables@v1.0
+        with:
+          # Name of variable file
+          variableFileName: 'variables.module' # Don't write .json here
+      - name: 'Publish module'
+        uses: ./.github/actions/templates/publishModule
+        with:
+          templateFilePath: '${{ env.modulePath }}/deploy.bicep'
+          versioningOption: '${{ needs.job_set_workflow_param.outputs.versioningOption }}'
+          customVersion: '${{ needs.job_set_workflow_param.outputs.customVersion }}'
+          templateSpecsRGName: '${{ env.templateSpecsRGName }}'
+          templateSpecsRGLocation: '${{ env.templateSpecsRGLocation }}'
+          templateSpecsDescription: '${{ env.templateSpecsDescription }}'
+          templateSpecsDoPublish: '${{ env.templateSpecsDoPublish }}'
+          bicepRegistryName: '${{ env.bicepRegistryName }}'
+          bicepRegistryRGName: '${{ env.bicepRegistryRGName }}'
+          bicepRegistryDoPublish: '${{ env.bicepRegistryDoPublish }}'

arm/Microsoft.Network/azureFirewalls/deploy.bicep

@@ -74,7 +74,7 @@ param lock string = 'NotSpecified'
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'')
 param roleAssignments array = []
 
-@description('Optional. Tags of the Automation Account resource.')
+@description('Optional. Tags of the Azure Firewall resource.')
 param tags object = {}
 
 @description('Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered')
@@ -188,7 +188,7 @@ resource azureFirewallPip_diagnosticSettings 'Microsoft.Insights/diagnosticSetti
   scope: azureFirewallPip
 }
 
-resource azureFirewall 'Microsoft.Network/azureFirewalls@2021-02-01' = {
+resource azureFirewall 'Microsoft.Network/azureFirewalls@2021-03-01' = {
   name: name
   location: location
   zones: length(availabilityZones) == 0 ? null : availabilityZones

arm/Microsoft.Network/azureFirewalls/readme.md

@@ -9,7 +9,7 @@ This module deploys a firewall.
 | `Microsoft.Authorization/locks` | 2016-09-01 |
 | `Microsoft.Authorization/roleAssignments` | 2020-04-01-preview |
 | `Microsoft.Insights/diagnosticSettings` | 2021-05-01-preview |
-| `Microsoft.Network/azureFirewalls` | 2021-02-01 |
+| `Microsoft.Network/azureFirewalls` | 2021-03-01 |
 | `Microsoft.Network/publicIPAddresses` | 2021-02-01 |
 
 ## Parameters
@@ -103,5 +103,5 @@ The `networkRuleCollections` parameter accepts a JSON Array of AzureFirewallNetw
 - [Locks](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2016-09-01/locks)
 - [Roleassignments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-04-01-preview/roleAssignments)
 - [Diagnosticsettings](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings)
-- [Azurefirewalls](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-02-01/azureFirewalls)
+- [Azurefirewalls](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-03-01/azureFirewalls)
 - [Publicipaddresses](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-02-01/publicIPAddresses)

arm/Microsoft.Network/firewallPolicies/.bicep/nested_cuaId.bicep

@@ -0,0 +1 @@
+

arm/Microsoft.Network/firewallPolicies/.parameters/min.parameters.json

@@ -0,0 +1,9 @@
+{
+    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+    "contentVersion": "1.0.0.0",
+    "parameters": {
+        "name": {
+            "value": "sxx-az-fwpol-x-001"
+        }
+    }
+}

arm/Microsoft.Network/firewallPolicies/.parameters/parameters.json

@@ -0,0 +1,49 @@
+{
+    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+    "contentVersion": "1.0.0.0",
+    "parameters": {
+        "name": {
+            "value": "sxx-az-fwpol-x-002"
+        },
+        "ruleCollectionGroups": {
+            "value": [
+                {
+                    "name": "sxx-rule-001",
+                    "priority": 5000,
+                    "ruleCollections": [
+                        {
+                            "name": "collection002",
+                            "priority": 5555,
+                            "action": {
+                                "type": "Allow"
+                            },
+                            "rules": [
+                                {
+                                    "name": "rule002",
+                                    "ipProtocols": [
+                                        "TCP",
+                                        "UDP"
+                                    ],
+                                    "destinationPorts": [
+                                        "80"
+                                    ],
+                                    "sourceAddresses": [
+                                        "*"
+                                    ],
+                                    "sourceIpGroups": [],
+                                    "ruleType": "NetworkRule",
+                                    "destinationIpGroups": [],
+                                    "destinationAddresses": [
+                                        "*"
+                                    ],
+                                    "destinationFqdns": []
+                                }
+                            ],
+                            "ruleCollectionType": "FirewallPolicyFilterRuleCollection"
+                        }
+                    ]
+                }
+            ]
+        }
+    }
+}