# Resource group that holds the Virtual WAN together with the shared
# firewall policy and the central Log Analytics workspace declared below.
# var.region1 is both the deployment location and the key that
# local.region_map turns into the short region code used in resource names.
resource "azurerm_resource_group" "vwan_rg" {
  location = var.region1
  name     = "rg-vwan"
}
# The Virtual WAN itself. Location and resource group are taken from
# vwan_rg rather than from the variables so the two cannot drift apart;
# the name embeds the short region code from local.region_map, which is
# defined elsewhere in the module (not in this file).
resource "azurerm_virtual_wan" "vwan" {
  location            = azurerm_resource_group.vwan_rg.location
  resource_group_name = azurerm_resource_group.vwan_rg.name
  name                = "vwan-${local.region_map[var.region1]}-01"
}
# Central Log Analytics workspace (pay-as-you-go PerGB2018 SKU, 30 days of
# retention). Nothing in this file sends data to it: the firewall policy
# below does not reference law1, so any diagnostic settings that route
# firewall or hub logs here are expected to live elsewhere in the module —
# confirm that they exist before relying on this workspace for detection.
resource "azurerm_log_analytics_workspace" "law1" {
  location            = azurerm_resource_group.vwan_rg.location
  resource_group_name = azurerm_resource_group.vwan_rg.name
  name                = "law-${local.region_map[var.region1]}-01"
  sku                 = "PerGB2018"
  retention_in_days   = 30
}
# Parent firewall policy that the rule collection group below attaches to.
# Only the mandatory arguments are set, so provider defaults apply for
# everything else; in particular threat_intelligence_mode is left at its
# default (currently "Alert", i.e. matches are logged but not blocked) and
# there is no insights block pointing at law1, so this policy on its own
# does not ship firewall logs to the workspace. NOTE(review): consider
# threat_intelligence_mode = "Deny" once the rule set is stable, and wire
# logging explicitly.
resource "azurerm_firewall_policy" "hub_fw_pol" {
  location            = azurerm_resource_group.vwan_rg.location
  resource_group_name = azurerm_resource_group.vwan_rg.name
  name                = "fw-pol-01"
}
# Rule collection group attached to hub_fw_pol. It carries one network rule
# collection (priority 200) and one application rule collection (priority
# 201), both with action "Allow". Rule order inside each collection is kept
# as the author wrote it.
#
# Reading the network rules as a set: AllowPrivate permits every protocol on
# every port between 10.0.0.0/8 and 10.0.0.0/8, which makes east-west traffic
# inside that prefix effectively unfiltered (logged only). AllowICMP and
# AllowRDPInbound are strict subsets of AllowPrivate and are therefore fully
# covered by it; they only regain meaning if AllowPrivate is tightened.
# AllowDNS, AllowAzureUpdate and AllowGoogle use source "*" rather than the
# 10.0.0.0/8 prefix used elsewhere, which is broader than the rest of the
# policy suggests is needed.
resource "azurerm_firewall_policy_rule_collection_group" "hub_fw_pol_rcg" {
  firewall_policy_id = azurerm_firewall_policy.hub_fw_pol.id
  name               = "fw-pol-rcg-01"
  priority           = 200

  network_rule_collection {
    action   = "Allow"
    name     = "nrc-01"
    priority = 200

    # UDP/53 from any source to 168.63.129.16 (the Azure platform DNS
    # address). Source "*" could likely be narrowed to the internal prefix.
    rule {
      name                  = "AllowDNS"
      source_addresses      = ["*"]
      destination_addresses = ["168.63.129.16"]
      destination_ports     = ["53"]
      protocols             = ["UDP"]
    }

    # Any protocol, any port, 10.0.0.0/8 -> 10.0.0.0/8. This is the
    # broadest rule in the policy and shadows the two rules that follow.
    rule {
      name                  = "AllowPrivate"
      source_addresses      = ["10.0.0.0/8"]
      destination_addresses = ["10.0.0.0/8"]
      destination_ports     = ["1-65535"]
      protocols             = ["UDP", "TCP", "ICMP"]
    }

    # ICMP within 10.0.0.0/8 — already permitted by AllowPrivate.
    rule {
      name                  = "AllowICMP"
      source_addresses      = ["10.0.0.0/8"]
      destination_addresses = ["10.0.0.0/8"]
      destination_ports     = ["1-65535"]
      protocols             = ["ICMP"]
    }

    # UDP/123 from 10.0.0.0/8 to any destination (outbound NTP).
    rule {
      name                  = "AllowNTP"
      source_addresses      = ["10.0.0.0/8"]
      destination_addresses = ["*"]
      destination_ports     = ["123"]
      protocols             = ["UDP"]
    }

    # TCP/3389 within 10.0.0.0/8 — already permitted by AllowPrivate. If
    # RDP is meant to be the only lateral path, AllowPrivate is what has to
    # change, not this rule.
    rule {
      name                  = "AllowRDPInbound"
      source_addresses      = ["10.0.0.0/8"]
      destination_addresses = ["10.0.0.0/8"]
      destination_ports     = ["3389"]
      protocols             = ["TCP"]
    }

    # TCP on every port from any source to the AzureUpdateDelivery service
    # tag. NOTE(review): ports "*" is probably wider than the service needs;
    # confirm the required ports against Microsoft's published guidance.
    rule {
      name                  = "AllowAzureUpdate"
      source_addresses      = ["*"]
      destination_addresses = ["AzureUpdateDelivery"]
      destination_ports     = ["*"]
      protocols             = ["TCP"]
    }
  }

  application_rule_collection {
    action   = "Allow"
    name     = "arc-01"
    priority = 201

    # HTTPS (443) from any source to *.google.com. Looks like a connectivity
    # test rule; confirm it is still required before shipping.
    rule {
      name              = "AllowGoogle"
      source_addresses  = ["*"]
      destination_fqdns = ["*.google.com"]

      protocols {
        port = 443
        type = "Https"
      }
    }
  }
}