diff --git a/.azuredevops/platformPipelines/platform.dependencies.yml b/.azuredevops/platformPipelines/platform.dependencies.yml
index b53d38722b..5197689e13 100644
--- a/.azuredevops/platformPipelines/platform.dependencies.yml
+++ b/.azuredevops/platformPipelines/platform.dependencies.yml
@@ -320,6 +320,9 @@ stages:
 - path: $(dependencyPath)/$(resourceType)/parameters/lb.parameters.json
 templateFilePath: $(templateFilePath)
 displayName: Load balancer Public IP
+ - path: $(dependencyPath)/$(resourceType)/parameters/fw.parameters.json
+ templateFilePath: $(templateFilePath)
+ displayName: Firewall Public IP
 - stage: deploy_appi
 displayName: Deploy application insight
diff --git a/.github/workflows/platform.dependencies.yml b/.github/workflows/platform.dependencies.yml
index 83c4d0778f..f7911789d3 100644
--- a/.github/workflows/platform.dependencies.yml
+++ b/.github/workflows/platform.dependencies.yml
@@ -472,7 +472,7 @@ jobs:
 fail-fast: false
 matrix:
 parameterFilePaths:
- ['apgw.parameters.json', 'bas.parameters.json', 'lb.parameters.json']
+ ['apgw.parameters.json', 'bas.parameters.json', 'lb.parameters.json', 'fw.parameters.json']
 steps:
 - name: 'Checkout'
 uses: actions/checkout@v2
diff --git a/arm/Microsoft.Network/azureFirewalls/.parameters/parameters.json b/arm/Microsoft.Network/azureFirewalls/.parameters/parameters.json
index 5ad67d13d7..cdf45ab95a 100644
--- a/arm/Microsoft.Network/azureFirewalls/.parameters/parameters.json
+++ b/arm/Microsoft.Network/azureFirewalls/.parameters/parameters.json
@@ -5,13 +5,22 @@
 "name": {
 "value": "sxx-az-azfw-x-001"
 },
- "availabilityZones": {
+ "zones": {
 "value": [
 "1",
 "2",
 "3"
 ]
 },
+ "ipConfigurations": {
+ "value": [
+ {
+ "name": "ipConfig01",
+ "publicIPAddressResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/publicIPAddresses/adp-sxx-az-pip-x-fw",
+ "subnetResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-sxx-az-vnet-x-azfw/subnets/AzureFirewallSubnet"
+ }
+ ]
+ },
 "applicationRuleCollections": {
 "value": [
 {
@@ -97,9 +106,6 @@
 }
 ]
 },
- "vNetId": {
- "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-sxx-az-vnet-x-azfw"
- },
 "roleAssignments": {
 "value": [
 {
diff --git a/arm/Microsoft.Network/azureFirewalls/deploy.bicep b/arm/Microsoft.Network/azureFirewalls/deploy.bicep
index 2aa1724aee..d5cd69d0e3 100644
--- a/arm/Microsoft.Network/azureFirewalls/deploy.bicep
+++ b/arm/Microsoft.Network/azureFirewalls/deploy.bicep
@@ -15,9 +15,6 @@ param azureSkuName string = 'AZFW_VNet'
 ])
 param azureSkuTier string = 'Standard'
-@description('Optional. Enable the preview feature for DNS proxy.')
-param enableDnsProxy bool = false
 @description('Optional. Collection of application rule collections used by Azure Firewall.')
 param applicationRuleCollections array = []
@@ -27,14 +24,26 @@ param networkRuleCollections array = []
 @description('Optional. Collection of NAT rule collections used by Azure Firewall.')
 param natRuleCollections array = []
-@description('Required. Shared services Virtual Network resource ID')
-param vNetId string
+@description('Required. List of IP Configurations.')
+param ipConfigurations array
-@description('Optional. Specifies the name of the Public IP used by Azure Firewall. If it\'s not provided, a \'-pip\' suffix will be appended to the Firewall\'s name.')
-param azureFirewallPipName string = ''
+@description('Optional. Resource ID of the Firewall Policy that should be attached.')
+param firewallPolicyId string = ''
-@description('Optional. Resource ID of the Public IP Prefix object. This is only needed if you want your Public IPs created in a PIP Prefix.')
-param publicIPPrefixId string = ''
+@allowed([
+ 'Alert'
+ 'Deny'
+ 'Off'
+])
+@description('Optional. The operation mode for Threat Intel.')
+param threatIntelMode string = 'Deny'
+
+@description('Optional. Zone numbers e.g. 1,2,3.')
+param zones array = [
+ '1'
+ '2'
+ '3'
+]
 @description('Optional. Diagnostic Storage Account resource identifier')
 param diagnosticStorageAccountId string = ''
@@ -56,13 +65,6 @@ param diagnosticEventHubName string = ''
 @description('Optional. Location for all resources.')
 param location string = resourceGroup().location
-@description('Optional. Zone numbers e.g. 1,2,3.')
-param availabilityZones array = [
- '1'
- '2'
- '3'
-]
-
 @allowed([
 'CanNotDelete'
 'NotSpecified'
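Review bot: `param ipConfigurations array` is documented as Required but carries no `@minLength(1)`, so an empty array passes parameter validation and only fails inside the deployment, where the firewall needs at least one configuration and the `azureFirewallPrivateIp` output (outside this hunk) indexes `ipConfigurations[0]`; adding `@minLength(1)` above the param turns that into an up-front error. The `threatIntelMode` allowed list includes `Off`, which switches threat-intelligence-based filtering off entirely, and the description does not say so; `@description('Optional. The operation mode for Threat Intel. Off disables threat-intelligence filtering; Deny is the default.')` would make the consequence of that value visible to callers. The `firewallPolicyId` description could likewise state that the classic rule collection parameters are ignored or rejected once a policy is attached, since both are still accepted side by side.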
@@ -80,36 +82,18 @@ param tags object = {}
 @description('Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered')
 param cuaId string = ''
-var publicIPPrefix = {
- id: publicIPPrefixId
-}
-var azureFirewallSubnetId = '${vNetId}/subnets/AzureFirewallSubnet'
-var azureFirewallPipId = azureFirewallPip.id
-
 @description('Optional. The name of firewall logs that will be streamed.')
 @allowed([
 'AzureFirewallApplicationRule'
 'AzureFirewallNetworkRule'
 'AzureFirewallDnsProxy'
 ])
-param firewallLogsToEnable array = [
+param logsToEnable array = [
 'AzureFirewallApplicationRule'
 'AzureFirewallNetworkRule'
 'AzureFirewallDnsProxy'
 ]
-@description('Optional. The name of public IP logs that will be streamed.')
-@allowed([
- 'DDoSProtectionNotifications'
- 'DDoSMitigationReports'
- 'DDoSMitigationFlowLogs'
-])
-param publicIPLogsToEnable array = [
- 'DDoSProtectionNotifications'
- 'DDoSMitigationReports'
- 'DDoSMitigationFlowLogs'
-]
-
 @description('Optional. The name of metrics that will be streamed.')
 @allowed([
 'AllMetrics'
@@ -118,16 +102,19 @@ param metricsToEnable array = [
 'AllMetrics'
 ]
-var diagnosticsLogsAzureFirewall = [for log in firewallLogsToEnable: {
- category: log
- enabled: true
- retentionPolicy: {
- enabled: true
- days: diagnosticLogsRetentionInDays
+var ipConfigurations_var = [for ipConfiguration in ipConfigurations: {
+ name: ipConfiguration.name
+ properties: {
+ publicIPAddress: contains(ipConfiguration, 'publicIPAddressResourceId') ? {
+ id: ipConfiguration.publicIPAddressResourceId
+ } : null
+ subnet: contains(ipConfiguration, 'subnetResourceId') ? {
+ id: ipConfiguration.subnetResourceId
+ } : null
 }
 }]
-var diagnosticsLogsPublicIp = [for log in publicIPLogsToEnable: {
+var diagnosticsLogs = [for log in logsToEnable: {
 category: log
 enabled: true
 retentionPolicy: {
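Review bot: Dropping `publicIPLogsToEnable` removes the `DDoSProtectionNotifications`, `DDoSMitigationReports` and `DDoSMitigationFlowLogs` categories from this module's diagnostic coverage, and nothing in this diff shows the publicIPAddresses module streaming them for the IP that is now passed in by resource ID. A firewall deployed through the new `ipConfigurations` contract therefore keeps only the firewall-side categories in `logsToEnable` unless the caller configures diagnostic settings on the public IP separately; this is a telemetry gap rather than a deployment error, so it will not surface in testing. A sentence in the `ipConfigurations` description, e.g. `Diagnostic settings, locks and DDoS log categories for the referenced public IPs are not managed by this module.`, would make the new responsibility split explicit, and it is worth confirming that the public IP module exposes the same log categories.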
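Review bot: In `ipConfigurations_var` a mistyped key such as `publicIpAddressResourceId` is not an error: `contains()` returns false, the property becomes `null`, and the firewall API rejects the configuration only at deployment time with a message that does not point at the parameter, while `name` is read unconditionally and a missing `name` fails at template evaluation instead. Since the accepted keys are fixed here, the parameter's description should list them, e.g. `Each object supports name (required), publicIPAddressResourceId and subnetResourceId (each optional); any other key is ignored.`, so callers can spot a typo before deploying.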
@@ -151,70 +138,21 @@ module pid_cuaId '.bicep/nested_cuaId.bicep' = if (!empty(cuaId)) {
 params: {}
 }
-resource azureFirewallPip 'Microsoft.Network/publicIPAddresses@2021-02-01' = {
- name: !empty(azureFirewallPipName) ? azureFirewallPipName : '${name}-pip'
- location: location
- tags: tags
- sku: {
- name: 'Standard'
- }
- zones: availabilityZones
- properties: {
- publicIPAllocationMethod: 'Static'
- publicIPAddressVersion: 'IPv4'
- publicIPPrefix: !empty(publicIPPrefixId) ? publicIPPrefix : null
- }
-}
-
-resource azureFirewallPip_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') {
- name: '${azureFirewallPip.name}-${lock}-lock'
- properties: {
- level: lock
- notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
- }
- scope: azureFirewallPip
-}
-
-resource azureFirewallPip_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = if (!empty(diagnosticStorageAccountId) || !empty(diagnosticWorkspaceId) || !empty(diagnosticEventHubAuthorizationRuleId) || !empty(diagnosticEventHubName)) {
- name: '${azureFirewallPip.name}-diagnosticSettings'
- properties: {
- storageAccountId: !empty(diagnosticStorageAccountId) ? diagnosticStorageAccountId : null
- workspaceId: !empty(diagnosticWorkspaceId) ? diagnosticWorkspaceId : null
- eventHubAuthorizationRuleId: !empty(diagnosticEventHubAuthorizationRuleId) ? diagnosticEventHubAuthorizationRuleId : null
- eventHubName: !empty(diagnosticEventHubName) ? diagnosticEventHubName : null
- metrics: diagnosticsMetrics
- logs: diagnosticsLogsPublicIp
- }
- scope: azureFirewallPip
-}
-
-resource azureFirewall 'Microsoft.Network/azureFirewalls@2021-03-01' = {
+resource azureFirewall 'Microsoft.Network/azureFirewalls@2021-05-01' = {
 name: name
 location: location
- zones: length(availabilityZones) == 0 ? null : availabilityZones
+ zones: length(zones) == 0 ? 
null : zones
 tags: tags
 properties: {
- threatIntelMode: 'Deny'
- ipConfigurations: [
- {
- name: 'IpConf'
- properties: {
- subnet: {
- id: azureFirewallSubnetId
- }
- publicIPAddress: {
- id: azureFirewallPipId
- }
- }
- }
- ]
+ threatIntelMode: threatIntelMode
+ firewallPolicy: empty(firewallPolicyId) ? null : {
+ id: firewallPolicyId
+ }
+ ipConfigurations: ipConfigurations_var
 sku: {
 name: azureSkuName
 tier: azureSkuTier
 }
- additionalProperties: {
- 'Network.DNS.EnableProxy': string(enableDnsProxy)
- }
 applicationRuleCollections: applicationRuleCollections
 natRuleCollections: natRuleCollections
 networkRuleCollections: networkRuleCollections
@@ -238,7 +176,7 @@ resource azureFirewall_diagnosticSettings 'Microsoft.Insights/diagnosticSettings
 eventHubAuthorizationRuleId: !empty(diagnosticEventHubAuthorizationRuleId) ? diagnosticEventHubAuthorizationRuleId : null
 eventHubName: !empty(diagnosticEventHubName) ? diagnosticEventHubName : null
 metrics: diagnosticsMetrics
- logs: diagnosticsLogsAzureFirewall
+ logs: diagnosticsLogs
 }
 scope: azureFirewall
 }
@@ -264,9 +202,6 @@ output azureFirewallResourceGroup string = resourceGroup().name
 @description('The private IP of the Azure Firewall')
 output azureFirewallPrivateIp string = azureFirewall.properties.ipConfigurations[0].properties.privateIPAddress
-@description('The public IP of the Azure Firewall')
-output azureFirewallPublicIp string = azureFirewallPip.properties.ipAddress
-
 @description('List of Application Rule Collections')
 output applicationRuleCollections array = applicationRuleCollections
diff --git a/arm/Microsoft.Network/azureFirewalls/readme.md b/arm/Microsoft.Network/azureFirewalls/readme.md
index 2837ca8868..1abf1e131e 100644
--- a/arm/Microsoft.Network/azureFirewalls/readme.md
+++ b/arm/Microsoft.Network/azureFirewalls/readme.md
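Review bot: When `firewallPolicyId` is non-empty the resource now sets `firewallPolicy` while still passing `applicationRuleCollections`, `natRuleCollections` and `networkRuleCollections` as classic rules on the same resource; Azure Firewall is documented as using either an attached policy or classic rule collections, not both, so a caller who supplies a policy plus any classic collection gets a service-side rejection rather than a template error. Guarding the three classic properties, e.g. `applicationRuleCollections: empty(firewallPolicyId) ? applicationRuleCollections : null` and likewise for the other two, makes the policy path win deterministically; alternatively the exclusivity should be stated in the `firewallPolicyId` description. `threatIntelMode` is similarly governed by the policy once one is attached, which the parameter's description does not mention. The `azureFirewall` resource body continues beyond this hunk.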
@@ -9,16 +9,13 @@ This module deploys a firewall.
 | `Microsoft.Authorization/locks` | 2017-04-01 |
 | `Microsoft.Authorization/roleAssignments` | 2021-04-01-preview |
 | `Microsoft.Insights/diagnosticSettings` | 2021-05-01-preview |
-| `Microsoft.Network/azureFirewalls` | 2021-03-01 |
-| `Microsoft.Network/publicIPAddresses` | 2021-02-01 |
+| `Microsoft.Network/azureFirewalls` | 2021-05-01 |
 ## Parameters
 | Parameter Name | Type | Default Value | Possible Values | Description |
 | :-- | :-- | :-- | :-- | :-- |
 | `applicationRuleCollections` | array | `[]` | | Optional. Collection of application rule collections used by Azure Firewall. |
-| `availabilityZones` | array | `[1, 2, 3]` | | Optional. Zone numbers e.g. 1,2,3. |
-| `azureFirewallPipName` | string | | | Optional. Specifies the name of the Public IP used by Azure Firewall. If it's not provided, a '-pip' suffix will be appended to the Firewall's name. |
 | `azureSkuName` | string | `AZFW_VNet` | `[AZFW_VNet, AZFW_Hub]` | Optional. Name of an Azure Firewall SKU. |
 | `azureSkuTier` | string | `Standard` | `[Standard, Premium]` | Optional. Tier of an Azure Firewall. |
 | `cuaId` | string | | | Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered |
@@ -27,19 +24,19 @@ This module deploys a firewall.
 | `diagnosticLogsRetentionInDays` | int | `365` | | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. |
 | `diagnosticStorageAccountId` | string | | | Optional. Diagnostic Storage Account resource identifier |
 | `diagnosticWorkspaceId` | string | | | Optional. Log Analytics workspace resource identifier |
-| `enableDnsProxy` | bool | | | Optional. Enable the preview feature for DNS proxy. |
-| `firewallLogsToEnable` | array | `[AzureFirewallApplicationRule, AzureFirewallNetworkRule, AzureFirewallDnsProxy]` | `[AzureFirewallApplicationRule, AzureFirewallNetworkRule, AzureFirewallDnsProxy]` | Optional. The name of firewall logs that will be streamed. |
+| `firewallPolicyId` | string | | | Optional. Resource ID of the Firewall Policy that should be attached. |
+| `ipConfigurations` | array | | | Required. List of IP Configurations. |
 | `location` | string | `[resourceGroup().location]` | | Optional. Location for all resources. |
 | `lock` | string | `NotSpecified` | `[CanNotDelete, NotSpecified, ReadOnly]` | Optional. Specify the type of lock. |
+| `logsToEnable` | array | `[AzureFirewallApplicationRule, AzureFirewallNetworkRule, AzureFirewallDnsProxy]` | `[AzureFirewallApplicationRule, AzureFirewallNetworkRule, AzureFirewallDnsProxy]` | Optional. The name of firewall logs that will be streamed. |
 | `metricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | Optional. The name of metrics that will be streamed. |
 | `name` | string | | | Required. Name of the Azure Firewall. |
 | `natRuleCollections` | array | `[]` | | Optional. Collection of NAT rule collections used by Azure Firewall. |
 | `networkRuleCollections` | array | `[]` | | Optional. Collection of network rule collections used by Azure Firewall. 
|
-| `publicIPLogsToEnable` | array | `[DDoSProtectionNotifications, DDoSMitigationReports, DDoSMitigationFlowLogs]` | `[DDoSProtectionNotifications, DDoSMitigationReports, DDoSMitigationFlowLogs]` | Optional. The name of public IP logs that will be streamed. |
-| `publicIPPrefixId` | string | | | Optional. Resource ID of the Public IP Prefix object. This is only needed if you want your Public IPs created in a PIP Prefix. |
 | `roleAssignments` | array | `[]` | | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' |
 | `tags` | object | `{object}` | | Optional. Tags of the Azure Firewall resource. |
-| `vNetId` | string | | | Required. Shared services Virtual Network resource ID |
+| `threatIntelMode` | string | `Deny` | `[Alert, Deny, Off]` | Optional. The operation mode for Threat Intel. |
+| `zones` | array | `[1, 2, 3]` | | Optional. Zone numbers e.g. 1,2,3. |
 ### Parameter Usage: `roleAssignments`
@@ -87,7 +84,6 @@ Tag names and tag values can be provided as needed. A tag can be left without a
 | `applicationRuleCollections` | array | List of Application Rule Collections |
 | `azureFirewallName` | string | The name of the Azure firewall |
 | `azureFirewallPrivateIp` | string | The private IP of the Azure Firewall |
-| `azureFirewallPublicIp` | string | The public IP of the Azure Firewall |
 | `azureFirewallResourceGroup` | string | The resource group the azure firewall was deployed into |
 | `azureFirewallResourceId` | string | The resource ID of the Azure firewall |
 | `natRuleCollections` | array | Collection of NAT rule collections used by Azure Firewall |
@@ -100,8 +96,7 @@ The `networkRuleCollections` parameter accepts a JSON Array of AzureFirewallNetw
 ## Template references
-- [Azurefirewalls](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-03-01/azureFirewalls)
+- [Azurefirewalls](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-05-01/azureFirewalls)
 - [Diagnosticsettings](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings)
 - [Locks](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2017-04-01/locks)
-- [Publicipaddresses](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-02-01/publicIPAddresses)
-- [Roleassignments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2021-04-01-preview/roleAssignments)
+- [Roleassignments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/roleAssignments)
diff --git a/arm/Microsoft.Network/firewallPolicies/deploy.bicep b/arm/Microsoft.Network/firewallPolicies/deploy.bicep
index 9de4789a19..1d297e008e 100644
--- a/arm/Microsoft.Network/firewallPolicies/deploy.bicep
+++ b/arm/Microsoft.Network/firewallPolicies/deploy.bicep
@@ -19,9 +19,6 @@ param basePolicyResourceId string = ''
 @description('Optional. Enable DNS Proxy on Firewalls attached to the Firewall Policy.')
 param enableProxy bool = false
-@description('Optional. FQDNs in Network Rules are supported when set to true.')
-param requireProxyForNetworkRules bool = false
-
 @description('Optional. List of Custom DNS Servers.')
 param servers array = []
@@ -113,7 +110,6 @@ resource firewallPolicy 'Microsoft.Network/firewallPolicies@2021-03-01' = {
 } : null
 dnsSettings: enableProxy ? {
 enableProxy: enableProxy
- requireProxyForNetworkRules: requireProxyForNetworkRules
 servers: servers
 } : null
 insights: insightsIsEnabled ? {
@@ -153,6 +149,7 @@ resource firewallPolicy 'Microsoft.Network/firewallPolicies@2021-03-01' = {
 }
 }
+@batchSize(1)
 module firewallPolicy_ruleCollectionGroups 'ruleCollectionGroups/deploy.bicep' = [for (ruleCollectionGroup, index) in ruleCollectionGroups: {
 name: '${uniqueString(deployment().name, location)}-firewallPolicy_ruleCollectionGroups-${index}'
 params: {
@@ -161,11 +158,9 @@ module firewallPolicy_ruleCollectionGroups 'ruleCollectionGroups/deploy.bicep' =
 priority: ruleCollectionGroup.priority
 ruleCollections: ruleCollectionGroup.ruleCollections
 }
- dependsOn: [
- firewallPolicy
- ]
 }]
+@batchSize(1)
 module firewallPolicy_ruleGroups 'ruleGroups/deploy.bicep' = [for (ruleGroup, index) in ruleGroups: {
 name: '${uniqueString(deployment().name, location)}-firewallPolicy_ruleGroups-${index}'
 params: {
@@ -174,9 +169,6 @@ module firewallPolicy_ruleGroups 'ruleGroups/deploy.bicep' = [for (ruleGroup, in
 priority: ruleGroup.priority
 rules: ruleGroup.rules
 }
- dependsOn: [
- firewallPolicy
- ]
 }]
 @description('The name of the deployed firewall policy')
diff --git a/arm/Microsoft.Network/firewallPolicies/readme.md b/arm/Microsoft.Network/firewallPolicies/readme.md
index b02b680e6c..64d892892b 100644
--- a/arm/Microsoft.Network/firewallPolicies/readme.md
+++ b/arm/Microsoft.Network/firewallPolicies/readme.md
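Review bot: Removing the explicit `dependsOn: [ firewallPolicy ]` from both module loops is only safe if their `params` reference the `firewallPolicy` resource symbolically; the param lines that would carry that reference (presumably the policy name) lie outside these hunks, so please confirm, otherwise rule collection groups can be submitted before the policy exists. The added `@batchSize(1)` serializes each loop, which reads as a workaround for the policy rejecting concurrent rule-collection-group writes, but nothing says so; a comment on both loops such as `// rule collection groups must be deployed one at a time: parallel writes to the same policy conflict` would stop a later cleanup from dropping it. The same points apply to the `firewallPolicy_ruleGroups` loop in the two following hunks.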
@@ -28,7 +28,6 @@ This module deploys Network Firewall Policies.
 | `mode` | string | `Off` | `[Alert, Deny, Off]` | Optional. The configuring of intrusion detection. |
 | `name` | string | | | Required. Name of the Firewall Policy. |
 | `privateRanges` | array | `[]` | | Optional. List of private IP addresses/IP address ranges to not be SNAT. |
-| `requireProxyForNetworkRules` | bool | | | Optional. FQDNs in Network Rules are supported when set to true. |
 | `retentionDays` | int | `365` | | Optional. Number of days the insights should be enabled on the policy. |
 | `ruleCollectionGroups` | _[ruleCollectionGroups](ruleCollectionGroups/readme.md)_ array | `[]` | | Optional. Rule collection groups. |
 | `ruleGroups` | _[ruleGroups](ruleGroups/readme.md)_ array | `[]` | | Optional. Rule groups. |
diff --git a/arm/Microsoft.Network/publicIPAddresses/deploy.bicep b/arm/Microsoft.Network/publicIPAddresses/deploy.bicep
index f77d8d38d3..9d872aa55c 100644
--- a/arm/Microsoft.Network/publicIPAddresses/deploy.bicep
+++ b/arm/Microsoft.Network/publicIPAddresses/deploy.bicep
@@ -169,11 +169,14 @@ module publicIpAddress_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, i
 }
 }]
-@description('The resource group the public IP adress was deployed into')
+@description('The resource group the public IP address was deployed into')
 output publicIPAddressResourceGroup string = resourceGroup().name
-@description('The name of the public IP adress')
+@description('The name of the public IP address')
 output publicIPAddressName string = publicIpAddress.name
-@description('The resource ID of the public IP adress')
+@description('The resource ID of the public IP address')
 output publicIPAddressResourceId string = publicIpAddress.id
+
+@description('The public IP address of the of the public IP address resource')
+output publicIpAddress string = publicIpAddress.properties.ipAddress
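Review bot: The new `publicIpAddress` output reads `publicIpAddress.properties.ipAddress` unconditionally, but that property is only present once an address has been allocated; with `publicIPAllocationMethod` set to `Dynamic` (a parameter this module accepts, as the new fw.parameters.json passes it) the address is assigned on association, so the output may fail the deployment or come back empty. Guarding it, `output publicIpAddress string = contains(publicIpAddress.properties, 'ipAddress') ? publicIpAddress.properties.ipAddress : ''`, keeps the module usable for dynamic IPs. The new description also repeats itself and should read `@description('The public IP address of the public IP address resource')`.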
diff --git a/arm/Microsoft.Network/publicIPAddresses/readme.md b/arm/Microsoft.Network/publicIPAddresses/readme.md
index 087ec39a6d..fd286780f4 100644
--- a/arm/Microsoft.Network/publicIPAddresses/readme.md
+++ b/arm/Microsoft.Network/publicIPAddresses/readme.md
@@ -76,13 +76,14 @@ Tag names and tag values can be provided as needed. A tag can be left without a
 | Output Name | Type | Description |
 | :-- | :-- | :-- |
-| `publicIPAddressName` | string | The name of the public IP adress |
-| `publicIPAddressResourceGroup` | string | The resource group the public IP adress was deployed into |
-| `publicIPAddressResourceId` | string | The resource ID of the public IP adress |
+| `publicIpAddress` | string | The public IP address of the of the public IP address resource |
+| `publicIPAddressName` | string | The name of the public IP address |
+| `publicIPAddressResourceGroup` | string | The resource group the public IP address was deployed into |
+| `publicIPAddressResourceId` | string | The resource ID of the public IP address |
 ## Template references
 - [Diagnosticsettings](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings)
 - [Locks](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2017-04-01/locks)
 - [Publicipaddresses](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-05-01/publicIPAddresses)
-- [Roleassignments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2021-04-01-preview/roleAssignments)
+- [Roleassignments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/roleAssignments)
diff --git a/utilities/pipelines/dependencies/Microsoft.Network/publicIPAddresses/parameters/fw.parameters.json b/utilities/pipelines/dependencies/Microsoft.Network/publicIPAddresses/parameters/fw.parameters.json
new file mode 100644
index 0000000000..33d85a2091
--- /dev/null
+++ b/utilities/pipelines/dependencies/Microsoft.Network/publicIPAddresses/parameters/fw.parameters.json
@@ -0,0 +1,22 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "name": {
+ "value": "adp-sxx-az-pip-x-fw"
+ },
+ "skuName": {
+ "value": "Standard"
+ },
+ "publicIPAllocationMethod": {
+ "value": "Static"
+ },
+ "zones": {
+ "value": [
+ "1",
+ "2",
+ "3"
+ ]
+ }
+ }
+}