From 1005f5dc41db9aa767638957c1ab43bd4bccc6ca Mon Sep 17 00:00:00 2001 From: Rainer Halanek Date: Tue, 18 Jan 2022 10:39:45 +0100 Subject: [PATCH 1/9] update FW --- .../azureFirewalls/deploy.bicep | 24 ++++++++++++------- .../azureFirewalls/readme.md | 7 +++--- 2 files changed, 20 insertions(+), 11 deletions(-) diff --git a/arm/Microsoft.Network/azureFirewalls/deploy.bicep b/arm/Microsoft.Network/azureFirewalls/deploy.bicep index 2aa1724aee..8ea540d1d9 100644 --- a/arm/Microsoft.Network/azureFirewalls/deploy.bicep +++ b/arm/Microsoft.Network/azureFirewalls/deploy.bicep @@ -15,9 +15,6 @@ param azureSkuName string = 'AZFW_VNet' ]) param azureSkuTier string = 'Standard' -@description('Optional. Enable the preview feature for DNS proxy.') -param enableDnsProxy bool = false - @description('Optional. Collection of application rule collections used by Azure Firewall.') param applicationRuleCollections array = [] @@ -36,6 +33,17 @@ param azureFirewallPipName string = '' @description('Optional. Resource ID of the Public IP Prefix object. This is only needed if you want your Public IPs created in a PIP Prefix.') param publicIPPrefixId string = '' +@description('Optional. Resource ID of the Firewall Policy that should be attached.') +param firewallPolicyId string = '' + +@allowed([ + 'Alert' + 'Deny' + 'Off' +]) +@description('Optional. The operation mode for Threat Intel.') +param threatIntelMode string = 'Deny' + @description('Optional. Diagnostic Storage Account resource identifier') param diagnosticStorageAccountId string = '' 
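Review bot: The new `firewallPolicyId` description does not tell callers that, with `enableDnsProxy` removed in this same hunk (and `Network.DNS.EnableProxy` dropped from `additionalProperties` later in the patch), DNS proxy can now only be switched on through the attached Firewall Policy, while `firewallLogsToEnable` still defaults to streaming `AzureFirewallDnsProxy`. A caller who relied on `enableDnsProxy = true` silently loses the proxy, and that log category stays empty, unless the policy enables it. I would say so in the description: `@description('Optional. Resource ID of the Firewall Policy that should be attached. DNS proxy (formerly enableDnsProxy) is now configured on the policy.')`. The `threatIntelMode` parameter accepting `Off` is fine since the default stays `Deny`, which is the conservative choice for a module default.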
@@ -188,13 +196,16 @@ resource azureFirewallPip_diagnosticSettings 'Microsoft.Insights/diagnosticSetti scope: azureFirewallPip } -resource azureFirewall 'Microsoft.Network/azureFirewalls@2021-03-01' = { +resource azureFirewall 'Microsoft.Network/azureFirewalls@2021-05-01' = { name: name location: location zones: length(availabilityZones) == 0 ? null : availabilityZones tags: tags properties: { - threatIntelMode: 'Deny' + threatIntelMode: threatIntelMode + firewallPolicy: empty(firewallPolicyId) ? null : { + id: firewallPolicyId + } ipConfigurations: [ { name: 'IpConf' @@ -212,9 +223,6 @@ resource azureFirewall 'Microsoft.Network/azureFirewalls@2021-03-01' = { name: azureSkuName tier: azureSkuTier } - additionalProperties: { - 'Network.DNS.EnableProxy': string(enableDnsProxy) - } applicationRuleCollections: applicationRuleCollections natRuleCollections: natRuleCollections networkRuleCollections: networkRuleCollections diff --git a/arm/Microsoft.Network/azureFirewalls/readme.md b/arm/Microsoft.Network/azureFirewalls/readme.md index 2837ca8868..66781d8df8 100644 --- a/arm/Microsoft.Network/azureFirewalls/readme.md +++ b/arm/Microsoft.Network/azureFirewalls/readme.md @@ -9,7 +9,7 @@ This module deploys a firewall. | `Microsoft.Authorization/locks` | 2017-04-01 | | `Microsoft.Authorization/roleAssignments` | 2021-04-01-preview | | `Microsoft.Insights/diagnosticSettings` | 2021-05-01-preview | -| `Microsoft.Network/azureFirewalls` | 2021-03-01 | +| `Microsoft.Network/azureFirewalls` | 2021-05-01 | | `Microsoft.Network/publicIPAddresses` | 2021-02-01 | ## Parameters 
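Review bot: The new `firewallPolicy` property is emitted next to the classic `applicationRuleCollections`/`natRuleCollections`/`networkRuleCollections` properties further down in the same resource, and nothing prevents both from being set; as far as I know Azure Firewall treats policy-based and classic rules as mutually exclusive and rejects such a deployment, and this module's own parameters file ships a non-empty `applicationRuleCollections`. Gate the classic properties on the policy being absent: `applicationRuleCollections: empty(firewallPolicyId) ? applicationRuleCollections : null`, and likewise for `natRuleCollections` and `networkRuleCollections`. I believe the `threatIntelMode` set here is also superseded by the policy's own threat-intelligence setting once a policy is attached, which deserves a one-line comment so nobody reads `Deny` here as enforced in that case. The `azureFirewall` resource body continues past the end of this hunk.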
@@ -27,8 +27,8 @@ This module deploys a firewall. | `diagnosticLogsRetentionInDays` | int | `365` | | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | | `diagnosticStorageAccountId` | string | | | Optional. Diagnostic Storage Account resource identifier | | `diagnosticWorkspaceId` | string | | | Optional. Log Analytics workspace resource identifier | -| `enableDnsProxy` | bool | | | Optional. Enable the preview feature for DNS proxy. | | `firewallLogsToEnable` | array | `[AzureFirewallApplicationRule, AzureFirewallNetworkRule, AzureFirewallDnsProxy]` | `[AzureFirewallApplicationRule, AzureFirewallNetworkRule, AzureFirewallDnsProxy]` | Optional. The name of firewall logs that will be streamed. | +| `firewallPolicyId` | string | | | Optional. Resource ID of the Firewall Policy that should be attached. | | `location` | string | `[resourceGroup().location]` | | Optional. Location for all resources. | | `lock` | string | `NotSpecified` | `[CanNotDelete, NotSpecified, ReadOnly]` | Optional. Specify the type of lock. | | `metricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | Optional. The name of metrics that will be streamed. | 
@@ -39,6 +39,7 @@ This module deploys a firewall. | `publicIPPrefixId` | string | | | Optional. Resource ID of the Public IP Prefix object. This is only needed if you want your Public IPs created in a PIP Prefix. | | `roleAssignments` | array | `[]` | | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | | `tags` | object | `{object}` | | Optional. Tags of the Azure Firewall resource. | +| `threatIntelMode` | string | `Deny` | `[Alert, Deny, Off]` | Optional. The operation mode for Threat Intel. | | `vNetId` | string | | | Required. Shared services Virtual Network resource ID | ### Parameter Usage: `roleAssignments` @@ -100,7 +101,7 @@ The `networkRuleCollections` parameter accepts a JSON Array of AzureFirewallNetw ## Template references -- [Azurefirewalls](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-03-01/azureFirewalls) +- [Azurefirewalls](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-05-01/azureFirewalls) - [Diagnosticsettings](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) - [Locks](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2017-04-01/locks) - [Publicipaddresses](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-02-01/publicIPAddresses) From a24a597a716a0fcf1f0ac962b952d7b25a4f5673 Mon Sep 17 00:00:00 2001 
From: Rainer Halanek Date: Tue, 18 Jan 2022 10:58:13 +0100 Subject: [PATCH 2/9] change name --- arm/Microsoft.Network/azureFirewalls/deploy.bicep | 6 +++--- arm/Microsoft.Network/azureFirewalls/readme.md | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/arm/Microsoft.Network/azureFirewalls/deploy.bicep b/arm/Microsoft.Network/azureFirewalls/deploy.bicep index 8ea540d1d9..22df668ad0 100644 --- a/arm/Microsoft.Network/azureFirewalls/deploy.bicep +++ b/arm/Microsoft.Network/azureFirewalls/deploy.bicep @@ -65,7 +65,7 @@ param diagnosticEventHubName string = '' param location string = resourceGroup().location @description('Optional. Zone numbers e.g. 1,2,3.') -param availabilityZones array = [ +param zones array = [ '1' '2' '3' @@ -166,7 +166,7 @@ resource azureFirewallPip 'Microsoft.Network/publicIPAddresses@2021-02-01' = { sku: { name: 'Standard' } - zones: availabilityZones + zones: zones properties: { publicIPAllocationMethod: 'Static' publicIPAddressVersion: 'IPv4' @@ -199,7 +199,7 @@ resource azureFirewallPip_diagnosticSettings 'Microsoft.Insights/diagnosticSetti resource azureFirewall 'Microsoft.Network/azureFirewalls@2021-05-01' = { name: name location: location - zones: length(availabilityZones) == 0 ? null : availabilityZones + zones: length(zones) == 0 ? null : zones tags: tags properties: { threatIntelMode: threatIntelMode diff --git a/arm/Microsoft.Network/azureFirewalls/readme.md b/arm/Microsoft.Network/azureFirewalls/readme.md index 66781d8df8..cbab4370ba 100644 --- a/arm/Microsoft.Network/azureFirewalls/readme.md +++ b/arm/Microsoft.Network/azureFirewalls/readme.md 
@@ -17,7 +17,6 @@ This module deploys a firewall. | Parameter Name | Type | Default Value | Possible Values | Description | | :-- | :-- | :-- | :-- | :-- | | `applicationRuleCollections` | array | `[]` | | Optional. Collection of application rule collections used by Azure Firewall. | -| `availabilityZones` | array | `[1, 2, 3]` | | Optional. Zone numbers e.g. 1,2,3. | | `azureFirewallPipName` | string | | | Optional. Specifies the name of the Public IP used by Azure Firewall. If it's not provided, a '-pip' suffix will be appended to the Firewall's name. | | `azureSkuName` | string | `AZFW_VNet` | `[AZFW_VNet, AZFW_Hub]` | Optional. Name of an Azure Firewall SKU. | | `azureSkuTier` | string | `Standard` | `[Standard, Premium]` | Optional. Tier of an Azure Firewall. | @@ -41,6 +40,7 @@ This module deploys a firewall. | `tags` | object | `{object}` | | Optional. Tags of the Azure Firewall resource. | | `threatIntelMode` | string | `Deny` | `[Alert, Deny, Off]` | Optional. The operation mode for Threat Intel. | | `vNetId` | string | | | Required. Shared services Virtual Network resource ID | +| `zones` | array | `[1, 2, 3]` | | Optional. Zone numbers e.g. 1,2,3. | ### Parameter Usage: `roleAssignments` @@ -105,4 +105,4 @@ The `networkRuleCollections` parameter accepts a JSON Array of AzureFirewallNetw - [Diagnosticsettings](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) - [Locks](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2017-04-01/locks) - [Publicipaddresses](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-02-01/publicIPAddresses) -- [Roleassignments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2021-04-01-preview/roleAssignments) +- [Roleassignments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/roleAssignments) From 80906a97de474f9ef6610070196a6339724b679f Mon Sep 17 00:00:00 2001 
From: Rainer Halanek Date: Tue, 18 Jan 2022 16:23:08 +0100 Subject: [PATCH 3/9] update FW --- .../.parameters/parameters.json | 9 ++ .../azureFirewalls/deploy.bicep | 113 ++++-------------- .../azureFirewalls/readme.md | 10 +- 3 files changed, 31 insertions(+), 101 deletions(-) diff --git a/arm/Microsoft.Network/azureFirewalls/.parameters/parameters.json b/arm/Microsoft.Network/azureFirewalls/.parameters/parameters.json index 5ad67d13d7..05aecbc2c3 100644 --- a/arm/Microsoft.Network/azureFirewalls/.parameters/parameters.json +++ b/arm/Microsoft.Network/azureFirewalls/.parameters/parameters.json @@ -12,6 +12,15 @@ "3" ] }, + "ipConfigurations": { + "value": [ + { + "name": "ipConfig01", + "publicIPAddressResourceId": "", + "subnetResourceId": "" + } + ] + }, "applicationRuleCollections": { "value": [ { diff --git a/arm/Microsoft.Network/azureFirewalls/deploy.bicep b/arm/Microsoft.Network/azureFirewalls/deploy.bicep index 22df668ad0..51fcf14d38 100644 --- a/arm/Microsoft.Network/azureFirewalls/deploy.bicep +++ b/arm/Microsoft.Network/azureFirewalls/deploy.bicep @@ -24,14 +24,8 @@ param networkRuleCollections array = [] @description('Optional. Collection of NAT rule collections used by Azure Firewall.') param natRuleCollections array = [] -@description('Required. Shared services Virtual Network resource ID') -param vNetId string - -@description('Optional. Specifies the name of the Public IP used by Azure Firewall. If it\'s not provided, a \'-pip\' suffix will be appended to the Firewall\'s name.') -param azureFirewallPipName string = '' - -@description('Optional. Resource ID of the Public IP Prefix object. This is only needed if you want your Public IPs created in a PIP Prefix.') -param publicIPPrefixId string = '' +@description('Required. List of IP Configurations.') +param ipConfigurations array @description('Optional. Resource ID of the Firewall Policy that should be attached.') param firewallPolicyId string = '' 
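Review bot: `ipConfigurations` now alone decides which subnet and public IP the firewall binds to, yet it is declared as a bare `array` with a one-line description and no lower bound; the removed code hard-wired `${vNetId}/subnets/AzureFirewallSubnet`, so that constraint now lives only in the caller's head. Add `@minLength(1)` above the parameter, since the `azureFirewallPrivateIp` output indexes `[0]`, and expand the description to spell out the object shape: each entry needs `name`, a `subnetResourceId` (the `AzureFirewallSubnet` of the hub VNet for the first entry) and an optional `publicIPAddressResourceId` of a Standard-SKU static public IP, matching what the module previously created itself. The readme's parameter table should carry the same shape so reviewers of parameter files can check it.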
@@ -44,6 +38,13 @@ param firewallPolicyId string = '' @description('Optional. The operation mode for Threat Intel.') param threatIntelMode string = 'Deny' +@description('Optional. Zone numbers e.g. 1,2,3.') +param zones array = [ + '1' + '2' + '3' +] + @description('Optional. Diagnostic Storage Account resource identifier') param diagnosticStorageAccountId string = '' @@ -64,13 +65,6 @@ param diagnosticEventHubName string = '' @description('Optional. Location for all resources.') param location string = resourceGroup().location -@description('Optional. Zone numbers e.g. 1,2,3.') -param zones array = [ - '1' - '2' - '3' -] - @allowed([ 'CanNotDelete' 'NotSpecified' @@ -88,12 +82,6 @@ param tags object = {} @description('Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered') param cuaId string = '' -var publicIPPrefix = { - id: publicIPPrefixId -} -var azureFirewallSubnetId = '${vNetId}/subnets/AzureFirewallSubnet' -var azureFirewallPipId = azureFirewallPip.id - @description('Optional. The name of firewall logs that will be streamed.') @allowed([ 'AzureFirewallApplicationRule' @@ -106,18 +94,6 @@ param firewallLogsToEnable array = [ 'AzureFirewallDnsProxy' ] -@description('Optional. The name of public IP logs that will be streamed.') -@allowed([ - 'DDoSProtectionNotifications' - 'DDoSMitigationReports' - 'DDoSMitigationFlowLogs' -]) -param publicIPLogsToEnable array = [ - 'DDoSProtectionNotifications' - 'DDoSMitigationReports' - 'DDoSMitigationFlowLogs' -] - @description('Optional. The name of metrics that will be streamed.') @allowed([ 'AllMetrics' 
@@ -126,16 +102,19 @@ param metricsToEnable array = [ 'AllMetrics' ] -var diagnosticsLogsAzureFirewall = [for log in firewallLogsToEnable: { - category: log - enabled: true - retentionPolicy: { - enabled: true - days: diagnosticLogsRetentionInDays +var ipConfigurations_var = [for ipConfiguration in ipConfigurations: { + name: ipConfiguration.name + properties: { + publicIPAddress: empty(ipConfiguration.publicIPAddressResourceId) ? null : { + id: ipConfiguration.publicIPAddressResourceId + } + subnet: empty(ipConfiguration.subnetResourceId) ? null : { + id: ipConfiguration.subnetResourceId + } } }] -var diagnosticsLogsPublicIp = [for log in publicIPLogsToEnable: { +var diagnosticsLogsAzureFirewall = [for log in firewallLogsToEnable: { category: log enabled: true retentionPolicy: { 
@@ -159,43 +138,6 @@ module pid_cuaId '.bicep/nested_cuaId.bicep' = if (!empty(cuaId)) { params: {} } -resource azureFirewallPip 'Microsoft.Network/publicIPAddresses@2021-02-01' = { - name: !empty(azureFirewallPipName) ? azureFirewallPipName : '${name}-pip' - location: location - tags: tags - sku: { - name: 'Standard' - } - zones: zones - properties: { - publicIPAllocationMethod: 'Static' - publicIPAddressVersion: 'IPv4' - publicIPPrefix: !empty(publicIPPrefixId) ? publicIPPrefix : null - } -} - -resource azureFirewallPip_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') { - name: '${azureFirewallPip.name}-${lock}-lock' - properties: { - level: lock - notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' - } - scope: azureFirewallPip -} - -resource azureFirewallPip_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = if (!empty(diagnosticStorageAccountId) || !empty(diagnosticWorkspaceId) || !empty(diagnosticEventHubAuthorizationRuleId) || !empty(diagnosticEventHubName)) { - name: '${azureFirewallPip.name}-diagnosticSettings' - properties: { - storageAccountId: !empty(diagnosticStorageAccountId) ? diagnosticStorageAccountId : null - workspaceId: !empty(diagnosticWorkspaceId) ? diagnosticWorkspaceId : null - eventHubAuthorizationRuleId: !empty(diagnosticEventHubAuthorizationRuleId) ? diagnosticEventHubAuthorizationRuleId : null - eventHubName: !empty(diagnosticEventHubName) ? diagnosticEventHubName : null - metrics: diagnosticsMetrics - logs: diagnosticsLogsPublicIp - } - scope: azureFirewallPip -} - resource azureFirewall 'Microsoft.Network/azureFirewalls@2021-05-01' = { name: name location: location 
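Review bot: With the public IP no longer created here, its `CanNotDelete`/`ReadOnly` lock and its diagnostic settings (the `DDoSProtectionNotifications`, `DDoSMitigationReports` and `DDoSMitigationFlowLogs` categories from the removed `publicIPLogsToEnable`) leave the module without a replacement, so a caller who upgrades keeps a locked, logged firewall but an unlocked, unmonitored front-door IP. The `lock` parameter's description and the readme should state that the lock and diagnostics now cover only the firewall resource and that the supplied public IP must be locked and have DDoS diagnostics enabled separately, for example through the `publicIPAddresses` module the dependency pipeline uses for it. This is a documentation gap rather than a code bug, but it is exactly the kind of logging-coverage regression that a refactor hides.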
@@ -206,19 +148,7 @@ resource azureFirewall 'Microsoft.Network/azureFirewalls@2021-05-01' = { firewallPolicy: empty(firewallPolicyId) ? null : { id: firewallPolicyId } - ipConfigurations: [ - { - name: 'IpConf' - properties: { - subnet: { - id: azureFirewallSubnetId - } - publicIPAddress: { - id: azureFirewallPipId - } - } - } - ] + ipConfigurations: ipConfigurations_var sku: { name: azureSkuName tier: azureSkuTier @@ -272,9 +202,6 @@ output azureFirewallResourceGroup string = resourceGroup().name @description('The private IP of the Azure Firewall') output azureFirewallPrivateIp string = azureFirewall.properties.ipConfigurations[0].properties.privateIPAddress -@description('The public IP of the Azure Firewall') -output azureFirewallPublicIp string = azureFirewallPip.properties.ipAddress - @description('List of Application Rule Collections') output applicationRuleCollections array = applicationRuleCollections diff --git a/arm/Microsoft.Network/azureFirewalls/readme.md b/arm/Microsoft.Network/azureFirewalls/readme.md index cbab4370ba..baa665d804 100644 --- a/arm/Microsoft.Network/azureFirewalls/readme.md +++ b/arm/Microsoft.Network/azureFirewalls/readme.md 
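Review bot: `azureFirewallPrivateIp` still reads `azureFirewall.properties.ipConfigurations[0].properties.privateIPAddress`, which was safe when the module built exactly one configuration but now silently assumes the caller listed the primary (AzureFirewallSubnet) configuration first and listed at least one. Say so in the output: `@description('The private IP of the Azure Firewall, taken from the first entry of ipConfigurations.')`. The removed `azureFirewallPublicIp` output also leaves downstream templates (DNAT rules, route tables) with no way to learn the firewall's public address from this module; if that is intended, the readme should note that consumers read it from the public IP resource they supplied.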
@@ -10,14 +10,12 @@ This module deploys a firewall. | `Microsoft.Authorization/roleAssignments` | 2021-04-01-preview | | `Microsoft.Insights/diagnosticSettings` | 2021-05-01-preview | | `Microsoft.Network/azureFirewalls` | 2021-05-01 | -| `Microsoft.Network/publicIPAddresses` | 2021-02-01 | ## Parameters | Parameter Name | Type | Default Value | Possible Values | Description | | :-- | :-- | :-- | :-- | :-- | | `applicationRuleCollections` | array | `[]` | | Optional. Collection of application rule collections used by Azure Firewall. | -| `azureFirewallPipName` | string | | | Optional. Specifies the name of the Public IP used by Azure Firewall. If it's not provided, a '-pip' suffix will be appended to the Firewall's name. | | `azureSkuName` | string | `AZFW_VNet` | `[AZFW_VNet, AZFW_Hub]` | Optional. Name of an Azure Firewall SKU. | | `azureSkuTier` | string | `Standard` | `[Standard, Premium]` | Optional. Tier of an Azure Firewall. | | `cuaId` | string | | | Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered | 
@@ -28,18 +26,16 @@ This module deploys a firewall. | `diagnosticWorkspaceId` | string | | | Optional. Log Analytics workspace resource identifier | | `firewallLogsToEnable` | array | `[AzureFirewallApplicationRule, AzureFirewallNetworkRule, AzureFirewallDnsProxy]` | `[AzureFirewallApplicationRule, AzureFirewallNetworkRule, AzureFirewallDnsProxy]` | Optional. The name of firewall logs that will be streamed. | | `firewallPolicyId` | string | | | Optional. Resource ID of the Firewall Policy that should be attached. | +| `ipConfigurations` | array | | | Required. List of IP Configurations. | | `location` | string | `[resourceGroup().location]` | | Optional. Location for all resources. | | `lock` | string | `NotSpecified` | `[CanNotDelete, NotSpecified, ReadOnly]` | Optional. Specify the type of lock. | | `metricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | Optional. The name of metrics that will be streamed. | | `name` | string | | | Required. Name of the Azure Firewall. | | `natRuleCollections` | array | `[]` | | Optional. Collection of NAT rule collections used by Azure Firewall. | | `networkRuleCollections` | array | `[]` | | Optional. Collection of network rule collections used by Azure Firewall. | -| `publicIPLogsToEnable` | array | `[DDoSProtectionNotifications, DDoSMitigationReports, DDoSMitigationFlowLogs]` | `[DDoSProtectionNotifications, DDoSMitigationReports, DDoSMitigationFlowLogs]` | Optional. The name of public IP logs that will be streamed. | -| `publicIPPrefixId` | string | | | Optional. Resource ID of the Public IP Prefix object. This is only needed if you want your Public IPs created in a PIP Prefix. | | `roleAssignments` | array | `[]` | | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | | `tags` | object | `{object}` | | Optional. Tags of the Azure Firewall resource. | | `threatIntelMode` | string | `Deny` | `[Alert, Deny, Off]` | Optional. The operation mode for Threat Intel. | -| `vNetId` | string | | | Required. Shared services Virtual Network resource ID | | `zones` | array | `[1, 2, 3]` | | Optional. Zone numbers e.g. 1,2,3. | ### Parameter Usage: `roleAssignments` @@ -88,7 +84,6 @@ Tag names and tag values can be provided as needed. A tag can be left without a | `applicationRuleCollections` | array | List of Application Rule Collections | | `azureFirewallName` | string | The name of the Azure firewall | | `azureFirewallPrivateIp` | string | The private IP of the Azure Firewall | -| `azureFirewallPublicIp` | string | The public IP of the Azure Firewall | | `azureFirewallResourceGroup` | string | The resource group the azure firewall was deployed into | | `azureFirewallResourceId` | string | The resource ID of the Azure firewall | | `natRuleCollections` | array | Collection of NAT rule collections used by Azure Firewall | 
@@ -104,5 +99,4 @@ The `networkRuleCollections` parameter accepts a JSON Array of AzureFirewallNetw - [Azurefirewalls](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-05-01/azureFirewalls) - [Diagnosticsettings](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) - [Locks](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2017-04-01/locks) -- [Publicipaddresses](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-02-01/publicIPAddresses) -- [Roleassignments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/roleAssignments) +- [Roleassignments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2021-04-01-preview/roleAssignments) From 1e5a2f3bf4606d12c5196242a7789ce0a8cd44ad Mon Sep 17 00:00:00 2001 From: Rainer Halanek Date: Wed, 19 Jan 2022 14:31:01 +0100 Subject: [PATCH 4/9] update --- .../azureFirewalls/.parameters/parameters.json | 9 +++------ arm/Microsoft.Network/azureFirewalls/deploy.bicep | 4 ++-- 2 files changed, 5 insertions(+), 8 deletions(-) diff --git a/arm/Microsoft.Network/azureFirewalls/.parameters/parameters.json b/arm/Microsoft.Network/azureFirewalls/.parameters/parameters.json index 05aecbc2c3..1eb9deaaca 100644 --- a/arm/Microsoft.Network/azureFirewalls/.parameters/parameters.json +++ b/arm/Microsoft.Network/azureFirewalls/.parameters/parameters.json @@ -5,7 +5,7 @@ "name": { "value": "sxx-az-azfw-x-001" }, - "availabilityZones": { + "zones": { "value": [ "1", "2", 
@@ -16,8 +16,8 @@ "value": [ { "name": "ipConfig01", - "publicIPAddressResourceId": "", - "subnetResourceId": "" + "publicIPAddressResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/publicIPAddresses/adp-sxx-az-pip-x-bas", + "subnetResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-sxx-az-vnet-x-azfw/subnets/AzureFirewallSubnet" } ] }, @@ -106,9 +106,6 @@ } ] }, - "vNetId": { - "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-sxx-az-vnet-x-azfw" - }, "roleAssignments": { "value": [ { diff --git a/arm/Microsoft.Network/azureFirewalls/deploy.bicep b/arm/Microsoft.Network/azureFirewalls/deploy.bicep index 51fcf14d38..187ccd0b76 100644 --- a/arm/Microsoft.Network/azureFirewalls/deploy.bicep +++ b/arm/Microsoft.Network/azureFirewalls/deploy.bicep @@ -105,10 +105,10 @@ param metricsToEnable array = [ var ipConfigurations_var = [for ipConfiguration in ipConfigurations: { name: ipConfiguration.name properties: { - publicIPAddress: empty(ipConfiguration.publicIPAddressResourceId) ? null : { + publicIPAddress: !contains(ipConfiguration, 'publicIPAddressResourceId') ? null : { id: ipConfiguration.publicIPAddressResourceId } - subnet: empty(ipConfiguration.subnetResourceId) ? null : { + subnet: !contains(ipConfiguration, 'subnetResourceId') ? null : { id: ipConfiguration.subnetResourceId } } From 61b908aa1afb4d318e9e6eb8ee00bf2c4526db22 Mon Sep 17 00:00:00 2001 From: Rainer Halanek Date: Wed, 19 Jan 2022 19:27:05 +0100 Subject: [PATCH 5/9] fix --- arm/Microsoft.Network/azureFirewalls/deploy.bicep | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/arm/Microsoft.Network/azureFirewalls/deploy.bicep b/arm/Microsoft.Network/azureFirewalls/deploy.bicep index 187ccd0b76..0ce520158e 100644 --- a/arm/Microsoft.Network/azureFirewalls/deploy.bicep +++ b/arm/Microsoft.Network/azureFirewalls/deploy.bicep 
@@ -105,10 +105,10 @@ param metricsToEnable array = [ var ipConfigurations_var = [for ipConfiguration in ipConfigurations: { name: ipConfiguration.name properties: { - publicIPAddress: !contains(ipConfiguration, 'publicIPAddressResourceId') ? null : { + publicIPAddress: !contains(ipConfiguration, 'publicIPAddressResourceId') && !empty(ipConfiguration.publicIPAddressResourceId) ? null : { id: ipConfiguration.publicIPAddressResourceId } - subnet: !contains(ipConfiguration, 'subnetResourceId') ? null : { + subnet: !contains(ipConfiguration, 'subnetResourceId') && !empty(ipConfiguration.subnetResourceId) ? null : { id: ipConfiguration.subnetResourceId } } From 03b8eb46a36607d56cba2771486b080433a8cb9d Mon Sep 17 00:00:00 2001 From: Rainer Halanek Date: Fri, 21 Jan 2022 08:52:45 +0100 Subject: [PATCH 6/9] update FW --- arm/Microsoft.Network/azureFirewalls/deploy.bicep | 8 ++++---- arm/Microsoft.Network/firewallPolicies/deploy.bicep | 12 ++---------- arm/Microsoft.Network/firewallPolicies/readme.md | 1 - 3 files changed, 6 insertions(+), 15 deletions(-) diff --git a/arm/Microsoft.Network/azureFirewalls/deploy.bicep b/arm/Microsoft.Network/azureFirewalls/deploy.bicep index 0ce520158e..728e8bf762 100644 --- a/arm/Microsoft.Network/azureFirewalls/deploy.bicep +++ b/arm/Microsoft.Network/azureFirewalls/deploy.bicep @@ -105,12 +105,12 @@ param metricsToEnable array = [ var ipConfigurations_var = [for ipConfiguration in ipConfigurations: { name: ipConfiguration.name properties: { - publicIPAddress: !contains(ipConfiguration, 'publicIPAddressResourceId') && !empty(ipConfiguration.publicIPAddressResourceId) ? null : { + publicIPAddress: contains(ipConfiguration, 'publicIPAddressResourceId') ? { id: ipConfiguration.publicIPAddressResourceId - } - subnet: !contains(ipConfiguration, 'subnetResourceId') && !empty(ipConfiguration.subnetResourceId) ? null : { + } : null + subnet: contains(ipConfiguration, 'subnetResourceId') ? { id: ipConfiguration.subnetResourceId - } + } : null } }] 
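Review bot: The final form of `ipConfigurations_var` checks only that the key exists, so an entry written as `"subnetResourceId": ""` — the shape this module's own parameters file used in the third patch of this series — produces `subnet: { id: '' }` instead of `null`, and the same holds for `publicIPAddressResourceId`. Nest the emptiness check inside the key check so the property is only read when present: `subnet: contains(ipConfiguration, 'subnetResourceId') ? (empty(ipConfiguration.subnetResourceId) ? null : { id: ipConfiguration.subnetResourceId }) : null`, and likewise for `publicIPAddress`. The nested ternary avoids depending on whether `&&` short-circuits in the Bicep/ARM version in use, which the previous attempt in this series also ran into.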
diff --git a/arm/Microsoft.Network/firewallPolicies/deploy.bicep b/arm/Microsoft.Network/firewallPolicies/deploy.bicep index 9de4789a19..1d297e008e 100644 --- a/arm/Microsoft.Network/firewallPolicies/deploy.bicep +++ b/arm/Microsoft.Network/firewallPolicies/deploy.bicep @@ -19,9 +19,6 @@ param basePolicyResourceId string = '' @description('Optional. Enable DNS Proxy on Firewalls attached to the Firewall Policy.') param enableProxy bool = false -@description('Optional. FQDNs in Network Rules are supported when set to true.') -param requireProxyForNetworkRules bool = false - @description('Optional. List of Custom DNS Servers.') param servers array = [] @@ -113,7 +110,6 @@ resource firewallPolicy 'Microsoft.Network/firewallPolicies@2021-03-01' = { } : null dnsSettings: enableProxy ? { enableProxy: enableProxy - requireProxyForNetworkRules: requireProxyForNetworkRules servers: servers } : null insights: insightsIsEnabled ? { @@ -153,6 +149,7 @@ resource firewallPolicy 'Microsoft.Network/firewallPolicies@2021-03-01' = { } } +@batchSize(1) module firewallPolicy_ruleCollectionGroups 'ruleCollectionGroups/deploy.bicep' = [for (ruleCollectionGroup, index) in ruleCollectionGroups: { name: '${uniqueString(deployment().name, location)}-firewallPolicy_ruleCollectionGroups-${index}' params: { @@ -161,11 +158,9 @@ module firewallPolicy_ruleCollectionGroups 'ruleCollectionGroups/deploy.bicep' = priority: ruleCollectionGroup.priority ruleCollections: ruleCollectionGroup.ruleCollections } - dependsOn: [ - firewallPolicy - ] }] +@batchSize(1) module firewallPolicy_ruleGroups 'ruleGroups/deploy.bicep' = [for (ruleGroup, index) in ruleGroups: { name: '${uniqueString(deployment().name, location)}-firewallPolicy_ruleGroups-${index}' params: { 
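Review bot: The `dnsSettings` block visible in this hunk is emitted only when `enableProxy` is true, so a caller who sets custom `servers` but leaves `enableProxy` at its `false` default gets their DNS servers silently dropped; with `requireProxyForNetworkRules` now removed, `enableProxy` is the single switch for everything DNS-related on the policy and the `servers` description should say so: `@description('Optional. List of Custom DNS Servers. Only applied when enableProxy is true.')`. Dropping the explicit `dependsOn` on the rule collection group and rule group modules is safe only if their `params` (mostly outside this hunk) reference the `firewallPolicy` symbol so Bicep infers the dependency; if they pass a plain name string, `@batchSize(1)` serialises the groups among themselves but does not restore ordering after the policy. The module declarations continue past the end of this hunk.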
@@ -174,9 +169,6 @@ module firewallPolicy_ruleGroups 'ruleGroups/deploy.bicep' = [for (ruleGroup, in priority: ruleGroup.priority rules: ruleGroup.rules } - dependsOn: [ - firewallPolicy - ] }] @description('The name of the deployed firewall policy') diff --git a/arm/Microsoft.Network/firewallPolicies/readme.md b/arm/Microsoft.Network/firewallPolicies/readme.md index b02b680e6c..64d892892b 100644 --- a/arm/Microsoft.Network/firewallPolicies/readme.md +++ b/arm/Microsoft.Network/firewallPolicies/readme.md @@ -28,7 +28,6 @@ This module deploys Network Firewall Policies. | `mode` | string | `Off` | `[Alert, Deny, Off]` | Optional. The configuring of intrusion detection. | | `name` | string | | | Required. Name of the Firewall Policy. | | `privateRanges` | array | `[]` | | Optional. List of private IP addresses/IP address ranges to not be SNAT. | -| `requireProxyForNetworkRules` | bool | | | Optional. FQDNs in Network Rules are supported when set to true. | | `retentionDays` | int | `365` | | Optional. Number of days the insights should be enabled on the policy. | | `ruleCollectionGroups` | _[ruleCollectionGroups](ruleCollectionGroups/readme.md)_ array | `[]` | | Optional. Rule collection groups. | | `ruleGroups` | _[ruleGroups](ruleGroups/readme.md)_ array | `[]` | | Optional. Rule groups. | From 9d7cca75d22513e37ef5a308fd028c8347dfc92c Mon Sep 17 00:00:00 2001 From: Rainer Halanek Date: Fri, 21 Jan 2022 11:22:07 +0100 Subject: [PATCH 7/9] update dependencies --- .../platform.dependencies.yml | 3 +++ .github/workflows/platform.dependencies.yml | 2 +- .../.parameters/parameters.json | 2 +- .../parameters/fw.parameters.json | 22 +++++++++++++++++++ 4 files changed, 27 insertions(+), 2 deletions(-) create mode 100644 utilities/pipelines/dependencies/Microsoft.Network/publicIPAddresses/parameters/fw.parameters.json 
diff --git a/.azuredevops/platformPipelines/platform.dependencies.yml b/.azuredevops/platformPipelines/platform.dependencies.yml index b53d38722b..5197689e13 100644 --- a/.azuredevops/platformPipelines/platform.dependencies.yml +++ b/.azuredevops/platformPipelines/platform.dependencies.yml @@ -320,6 +320,9 @@ stages: - path: $(dependencyPath)/$(resourceType)/parameters/lb.parameters.json templateFilePath: $(templateFilePath) displayName: Load balancer Public IP + - path: $(dependencyPath)/$(resourceType)/parameters/fw.parameters.json + templateFilePath: $(templateFilePath) + displayName: Firewall Public IP - stage: deploy_appi displayName: Deploy application insight diff --git a/.github/workflows/platform.dependencies.yml b/.github/workflows/platform.dependencies.yml index 83c4d0778f..f7911789d3 100644 --- a/.github/workflows/platform.dependencies.yml +++ b/.github/workflows/platform.dependencies.yml @@ -472,7 +472,7 @@ jobs: fail-fast: false matrix: parameterFilePaths: - ['apgw.parameters.json', 'bas.parameters.json', 'lb.parameters.json'] + ['apgw.parameters.json', 'bas.parameters.json', 'lb.parameters.json', 'fw.parameters.json'] steps: - name: 'Checkout' uses: actions/checkout@v2 diff --git a/arm/Microsoft.Network/azureFirewalls/.parameters/parameters.json b/arm/Microsoft.Network/azureFirewalls/.parameters/parameters.json index 1eb9deaaca..cdf45ab95a 100644 --- a/arm/Microsoft.Network/azureFirewalls/.parameters/parameters.json +++ b/arm/Microsoft.Network/azureFirewalls/.parameters/parameters.json 
@@ -16,7 +16,7 @@ "value": [ { "name": "ipConfig01", - "publicIPAddressResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/publicIPAddresses/adp-sxx-az-pip-x-bas", + "publicIPAddressResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/publicIPAddresses/adp-sxx-az-pip-x-fw", "subnetResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-sxx-az-vnet-x-azfw/subnets/AzureFirewallSubnet" } ] diff --git a/utilities/pipelines/dependencies/Microsoft.Network/publicIPAddresses/parameters/fw.parameters.json b/utilities/pipelines/dependencies/Microsoft.Network/publicIPAddresses/parameters/fw.parameters.json new file mode 100644 index 0000000000..33d85a2091 --- /dev/null +++ b/utilities/pipelines/dependencies/Microsoft.Network/publicIPAddresses/parameters/fw.parameters.json @@ -0,0 +1,22 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "name": { + "value": "adp-sxx-az-pip-x-fw" + }, + "skuName": { + "value": "Standard" + }, + "publicIPAllocationMethod": { + "value": "Static" + }, + "zones": { + "value": [ + "1", + "2", + "3" + ] + } + } +} From a058bbcea2a384613e7e7a7fc7112ecd9dfa8085 Mon Sep 17 00:00:00 2001 From: Rainer Halanek Date: Fri, 21 Jan 2022 14:43:45 +0100 Subject: [PATCH 8/9] rename var --- arm/Microsoft.Network/azureFirewalls/deploy.bicep | 6 +++--- arm/Microsoft.Network/azureFirewalls/readme.md | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/arm/Microsoft.Network/azureFirewalls/deploy.bicep b/arm/Microsoft.Network/azureFirewalls/deploy.bicep index 728e8bf762..d5cd69d0e3 100644 --- a/arm/Microsoft.Network/azureFirewalls/deploy.bicep +++ b/arm/Microsoft.Network/azureFirewalls/deploy.bicep 
@@ -88,7 +88,7 @@ param cuaId string = ''
 'AzureFirewallNetworkRule'
 'AzureFirewallDnsProxy'
 ])
-param firewallLogsToEnable array = [
+param logsToEnable array = [
 'AzureFirewallApplicationRule'
 'AzureFirewallNetworkRule'
 'AzureFirewallDnsProxy'
@@ -114,7 +114,7 @@ var ipConfigurations_var = [for ipConfiguration in ipConfigurations: {
 }
 }]
-var diagnosticsLogsAzureFirewall = [for log in firewallLogsToEnable: {
+var diagnosticsLogs = [for log in logsToEnable: {
 category: log
 enabled: true
 retentionPolicy: {
@@ -176,7 +176,7 @@ resource azureFirewall_diagnosticSettings 'Microsoft.Insights/diagnosticSettings
 eventHubAuthorizationRuleId: !empty(diagnosticEventHubAuthorizationRuleId) ? diagnosticEventHubAuthorizationRuleId : null
 eventHubName: !empty(diagnosticEventHubName) ? diagnosticEventHubName : null
 metrics: diagnosticsMetrics
- logs: diagnosticsLogsAzureFirewall
+ logs: diagnosticsLogs
 }
 scope: azureFirewall
 }
diff --git a/arm/Microsoft.Network/azureFirewalls/readme.md b/arm/Microsoft.Network/azureFirewalls/readme.md
index baa665d804..1abf1e131e 100644
--- a/arm/Microsoft.Network/azureFirewalls/readme.md
+++ b/arm/Microsoft.Network/azureFirewalls/readme.md
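Review bot: Renaming the module parameter `firewallLogsToEnable` to `logsToEnable` in the first hunk is a breaking interface change for every existing consumer of this module: an ARM deployment that is handed a parameter the template no longer declares fails validation instead of falling back to the default, so any caller still passing the old name stops deploying. The readme row is updated in the next hunk, but nothing here marks the rename as breaking or offers a transition, and these hunks do not show whether the module's own `.parameters/parameters.json` or any pipeline parameter file still references the old name. Suggest stating the rename as breaking in the commit description or changelog and searching the repository for `firewallLogsToEnable` before merging. The other two hunks (the `diagnosticsLogs` variable and its use in the diagnostic settings) are internal and carry no such risk.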
@@ -24,11 +24,11 @@ This module deploys a firewall.
 | `diagnosticLogsRetentionInDays` | int | `365` | | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. |
 | `diagnosticStorageAccountId` | string | | | Optional. Diagnostic Storage Account resource identifier |
 | `diagnosticWorkspaceId` | string | | | Optional. Log Analytics workspace resource identifier |
-| `firewallLogsToEnable` | array | `[AzureFirewallApplicationRule, AzureFirewallNetworkRule, AzureFirewallDnsProxy]` | `[AzureFirewallApplicationRule, AzureFirewallNetworkRule, AzureFirewallDnsProxy]` | Optional. The name of firewall logs that will be streamed. |
 | `firewallPolicyId` | string | | | Optional. Resource ID of the Firewall Policy that should be attached. |
 | `ipConfigurations` | array | | | Required. List of IP Configurations. |
 | `location` | string | `[resourceGroup().location]` | | Optional. Location for all resources. |
 | `lock` | string | `NotSpecified` | `[CanNotDelete, NotSpecified, ReadOnly]` | Optional. Specify the type of lock. |
+| `logsToEnable` | array | `[AzureFirewallApplicationRule, AzureFirewallNetworkRule, AzureFirewallDnsProxy]` | `[AzureFirewallApplicationRule, AzureFirewallNetworkRule, AzureFirewallDnsProxy]` | Optional. The name of firewall logs that will be streamed. |
 | `metricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | Optional. The name of metrics that will be streamed. |
 | `name` | string | | | Required. Name of the Azure Firewall. |
 | `natRuleCollections` | array | `[]` | | Optional. Collection of NAT rule collections used by Azure Firewall. |
@@ -99,4 +99,4 @@ The `networkRuleCollections` parameter accepts a JSON Array of AzureFirewallNetw
 - [Azurefirewalls](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-05-01/azureFirewalls)
 - [Diagnosticsettings](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings)
 - [Locks](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2017-04-01/locks)
-- [Roleassignments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2021-04-01-preview/roleAssignments)
+- [Roleassignments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/roleAssignments)
From 2bc6b16039f9aae5342dfd457bc23c9acc269d01 Mon Sep 17 00:00:00 2001
From: Rainer Halanek
Date: Fri, 21 Jan 2022 15:02:57 +0100
Subject: [PATCH 9/9] output PIP of created PIP
---
 arm/Microsoft.Network/publicIPAddresses/deploy.bicep | 9 ++++++---
 arm/Microsoft.Network/publicIPAddresses/readme.md | 9 +++++----
 2 files changed, 11 insertions(+), 7 deletions(-)
diff --git a/arm/Microsoft.Network/publicIPAddresses/deploy.bicep b/arm/Microsoft.Network/publicIPAddresses/deploy.bicep
index f77d8d38d3..9d872aa55c 100644
--- a/arm/Microsoft.Network/publicIPAddresses/deploy.bicep
+++ b/arm/Microsoft.Network/publicIPAddresses/deploy.bicep
@@ -169,11 +169,14 @@ module publicIpAddress_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, i
 }
 }]
-@description('The resource group the public IP adress was deployed into')
+@description('The resource group the public IP address was deployed into')
 output publicIPAddressResourceGroup string = resourceGroup().name
-@description('The name of the public IP adress')
+@description('The name of the public IP address')
 output publicIPAddressName string = publicIpAddress.name
-@description('The resource ID of the public IP adress')
+@description('The resource ID of the public IP address')
 output publicIPAddressResourceId string = publicIpAddress.id
+
+@description('The public IP address of the of the public IP address resource')
+output publicIpAddress string = publicIpAddress.properties.ipAddress
diff --git a/arm/Microsoft.Network/publicIPAddresses/readme.md b/arm/Microsoft.Network/publicIPAddresses/readme.md
index 087ec39a6d..fd286780f4 100644
--- a/arm/Microsoft.Network/publicIPAddresses/readme.md
+++ b/arm/Microsoft.Network/publicIPAddresses/readme.md
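Review bot: The new `publicIpAddress` output reads `publicIpAddress.properties.ipAddress`, a property the platform only populates once an address has actually been allocated; for a public IP deployed with dynamic allocation that does not happen until the resource is associated with something, so the output can be empty or the reference can fail at deployment time, and the description should say so, e.g. `@description('The public IP address of the public IP address resource. Only populated for Static allocation or after the IP is associated.')`. The description as written also duplicates a phrase ("of the of the"), and the readme hunk copies it verbatim. Style: the new output uses `publicIp…` casing while the three sibling outputs above use `publicIP…`, and it shares its name with the `publicIpAddress` resource symbol it reads from; Bicep appears to accept this, but a distinct name such as `publicIPAddressIpAddress` would keep the output family consistent and easier to search for.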
@@ -76,13 +76,14 @@ Tag names and tag values can be provided as needed. A tag can be left without a
 | Output Name | Type | Description |
 | :-- | :-- | :-- |
-| `publicIPAddressName` | string | The name of the public IP adress |
-| `publicIPAddressResourceGroup` | string | The resource group the public IP adress was deployed into |
-| `publicIPAddressResourceId` | string | The resource ID of the public IP adress |
+| `publicIpAddress` | string | The public IP address of the of the public IP address resource |
+| `publicIPAddressName` | string | The name of the public IP address |
+| `publicIPAddressResourceGroup` | string | The resource group the public IP address was deployed into |
+| `publicIPAddressResourceId` | string | The resource ID of the public IP address |
 ## Template references
 - [Diagnosticsettings](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings)
 - [Locks](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2017-04-01/locks)
 - [Publicipaddresses](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-05-01/publicIPAddresses)
-- [Roleassignments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2021-04-01-preview/roleAssignments)
+- [Roleassignments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/roleAssignments)