search

Azure / terraform-azurerm-caf-enterprise-scale

Azure landing zones Terraform module
https://aka.ms/alz/tf
MIT License
832 stars 545 forks source link

feature request: Azure Firewall Configuration does not support Specific Public IP addresses or multiple Public IP addresses #1083

Open archmangler opened 1 month ago

archmangler commented 1 month ago

Community Note

Versions

terraform:

all

azure provider:

all

module:

all

Description

Describe the bug

The terraform configuration bloc for Azure Firewall does not support specification of multiple public IP addresses or of a single static public IP address:

            azure_firewall = object({
              enabled = bool
              config = object({
                address_prefix                = string
                enable_dns_proxy              = bool
                dns_servers                   = list(string)
                sku_tier                      = string
                base_policy_id                = string
                private_ip_ranges             = list(string)
                threat_intelligence_mode      = string
                threat_intelligence_allowlist = list(string)
                availability_zones = object({
                  zone_1 = bool
                  zone_2 = bool
                  zone_3 = bool
                })
              })
            })

Steps to Reproduce

  1. Edit the variables.tf in the root module
  2. Attempt to specify a static Public IP address or multiple static public IP addresses

Screenshots

            azure_firewall = object({
              enabled = bool
              config = object({
                address_prefix                = string
                enable_dns_proxy              = bool
                dns_servers                   = list(string)
                sku_tier                      = string
                base_policy_id                = string
                private_ip_ranges             = list(string)
                threat_intelligence_mode      = string
                threat_intelligence_allowlist = list(string)
                availability_zones = object({
                  zone_1 = bool
                  zone_2 = bool
                  zone_3 = bool
                })
              })
            })

Additional context

Lack of support for easily specifying multiple Public IP addresses (static or dynamic) in the configuration means the user is unable to make use of key features of the Azure Firewall.:

matt-FFFFFF commented 1 month ago

Hi this isn't a bug, we will consider this feature for a future release.

cndaan commented 1 week ago

Does anybody have a workaround for adding extra public ip's to the firewall? I tried using the advanced options but this will only override the current public ip address and not add additional public ip's unfortunately

cndaan commented 3 days ago

A workaround for now is to create extra public ip's and add them as overrides in the connectivity settings:

advanced = {
  custom_settings_by_resource_type = {
    azurerm_firewall = {
      connectivity = {
        westeurope = {
          name = "afw-hub-weu-01"
          ip_configuration = [
            {
              name                 = "pip-fw-weu-01"
              private_ip_address   = "10.0.0.4"
              public_ip_address_id = "/subscriptions/<subscription_id>/resourceGroups/<rg_name>/providers/Microsoft.Network/publicIPAddresses/pip-fw-weu-01"
              subnet_id            = "/subscriptions/<subscription_id>/resourceGroups/<rg_name>/providers/Microsoft.Network/virtualNetworks/<vnet_name>/subnets/AzureFirewallSubnet"
            },
            {
              name                 = "pip2-fw-weu-01"
              public_ip_address_id = "/subscriptions/<subscription_id>/resourceGroups/<rg_name>/providers/Microsoft.Network/publicIPAddresses/pip2-fw-weu-01"
            }
          ]
        }
      }
    }
  }
}
archmangler commented 3 days ago

Thanks, Daan. This will help for now!