Azure / terraform-azurerm-caf-enterprise-scale

Azure landing zones Terraform module
https://aka.ms/alz/tf
MIT License

Feature Request: Enable Policy Analytics on Firewall Policy #933

Open PKS-Milestone2 opened 4 months ago

PKS-Milestone2 commented 4 months ago

Community Note

Description

Hi, I would like functionality to enable Policy Analytics on the Firewall policy created with this module.

Is your feature request related to a problem?

No

Describe the solution you'd like

In settings.connectivity.tf I would like the option to enable Policy Analytics.

Additional context

egnirra commented 3 months ago

You can add it like this using custom settings as a workaround.

    advanced = {
      custom_settings_by_resource_type = {
        azurerm_firewall_policy = {
          connectivity = {
            swedencentral = {
              name = "my-fw-policy-01" // Must be the actual name of the fw policy
              insights = [
                {
                  enabled                            = true
                  default_log_analytics_workspace_id = "your law id"
                  retention_in_days                  = 30
                }
              ]
            }
          }
        }
      }
    }
AErmie commented 1 month ago

Any idea/guidance on how to enable this through the root CAF module?

In the CAF connectivity locals.tf file, there is a reference to azurerm_firewall_policy but it is unclear how to properly configure this. Its position in the code implies it is part of the azure_firewall block, but when we tested this, it did not work.

This does not work:

    locals {
      configure_connectivity_resources = {
        advanced = {
          custom_settings_by_resource_type = {
            azurerm_firewall_policy = {
              connectivity = {
                (var.primary_location) = {
                  insights = [
                    {
                      enabled                            = true
                      default_log_analytics_workspace_id = "log-analytics-workspace-id"
                      retention_in_days                  = 30
                    }
                  ]
                }
              }
            }
          }
        }
        settings = {
          vwan_hub_networks = [
            {
              enabled = true
              config = {
                ... <SNIP>

                azure_firewall = {
                  enabled = true
                  config = {
                    enable_dns_proxy              = true
                    dns_servers                   = []
                    sku_tier                      = "Standard"
                    base_policy_id                = ""
                    private_ip_ranges             = []
                    threat_intelligence_mode      = ""
                    threat_intelligence_allowlist = {}
                    availability_zones = {
                      zone_1 = true
                      zone_2 = true
                      zone_3 = true
                    }
                  }
                }
                spoke_virtual_network_resource_ids        = []
                secure_spoke_virtual_network_resource_ids = []
                enable_virtual_hub_connections            = false
              }
            },
          ]
        }
      }
    }

When I manually enable the feature, and re-run terraform plan for the CAF module, it shows that Firewall Policy Insights will be removed. I'm just not able to clearly see where the feature is supposed to be defined.

CAF terraform plan output:

    Terraform will perform the following actions:

      # module.connectivity.module.alz.azurerm_firewall_policy.virtual_wan["/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/caf-connectivity/providers/Microsoft.Network/firewallPolicies/fw-hub-canadacentral-policy"] will be updated in-place
      ~ resource "azurerm_firewall_policy" "virtual_wan" {
            id                                = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/caf-connectivity/providers/Microsoft.Network/firewallPolicies/fw-hub-canadacentral-policy"
            name                              = "fw-hub-canadacentral-policy"
            tags                              = {
                "deployedBy" = "azure-lz-core-caf"
            }
            # (10 unchanged attributes hidden)

          - insights {
              - default_log_analytics_workspace_id = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/caf-mgmt/providers/Microsoft.OperationalInsights/workspaces/lz-caf-la" -> null
              - enabled                            = true -> null
              - retention_in_days                  = 30 -> null
            }

            # (1 unchanged block hidden)
        }
AErmie commented 1 month ago

For anyone else that comes across this issue, here's the code that worked for me.

    # Configure custom connectivity resources settings
    locals {
      configure_connectivity_resources = {
        settings = {
        <SNIP>
          }
        }
        # Set the default location
        location = var.primary_location
        # Create a custom tags input
        tags = var.connectivity_resources_tags

        advanced = {
          custom_settings_by_resource_type = {
            azurerm_firewall_policy = {
              virtual_wan = { # IMPORTANT: 'connectivity' is used with traditional hub-and-spoke, 'virtual_wan' is used with the Virtual WAN configuration
                canadacentral = { # IMPORTANT: Required to be hard-coded to the region (i.e. can't use `var.primary_location`)
                  insights = [
                    {
                      enabled = true
                      # IMPORTANT: The Log Analytics Workspace ID needs to be the entire Resource ID, not just the LAW name
                      # Also, the Resource ID as it is copied from the portal, has incorrect casing for the 'resourceGroups' and 'Microsoft.OperationalInsights' sections!
                      default_log_analytics_workspace_id = "/subscriptions/<SUB_ID>/resourceGroups/<RG_NAME>/providers/Microsoft.OperationalInsights/workspaces/<LOG_ANALYTICS_WORKSPACE>"
                      retention_in_days                  = 30
                    }
                  ]
                }
              }
            }
          }
        }
      }
    }
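As an added pre-flight check (not code from the module or from anyone in this thread), the Python below normalises a Log Analytics workspace resource ID to the casing the module expects and builds the `custom_settings_by_resource_type` fragment from the three inputs the comments above show to matter: the hub type key (`connectivity` or `virtual_wan`), a literal region name, and the full workspace resource ID. The function names and the `HUB_TYPES` tuple are my own; the allowed hub types and the ID casing are taken from the comments above.

```python
import re

# Canonical casing of a Log Analytics workspace resource ID, as the module expects it
# (portal copies may differ in the 'resourceGroups' / 'Microsoft.OperationalInsights' segments).
_LAW_ID = re.compile(
    r"^/subscriptions/(?P<sub>[0-9a-f-]{36})"
    r"/resourceGroups/(?P<rg>[^/]+)"
    r"/providers/Microsoft\.OperationalInsights/workspaces/(?P<ws>[^/]+)$",
    re.IGNORECASE,
)

# Hub types the module keys firewall-policy settings by (per the comments in this thread).
HUB_TYPES = ("connectivity", "virtual_wan")


def normalize_law_id(resource_id: str) -> str:
    """Return the workspace resource ID with canonical segment casing, or raise ValueError."""
    m = _LAW_ID.match(resource_id.strip())
    if not m:
        raise ValueError(f"not a Log Analytics workspace resource ID: {resource_id!r}")
    return (f"/subscriptions/{m['sub'].lower()}/resourceGroups/{m['rg']}"
            f"/providers/Microsoft.OperationalInsights/workspaces/{m['ws']}")


def firewall_policy_insights_settings(hub_type: str, region: str, law_id: str,
                                      retention_in_days: int = 30) -> dict:
    """Build the custom_settings_by_resource_type fragment that enables Policy Analytics."""
    if hub_type not in HUB_TYPES:
        raise ValueError(f"hub_type must be one of {HUB_TYPES}, got {hub_type!r}")
    # The region key must be a literal Azure region name such as 'canadacentral'.
    if not re.fullmatch(r"[a-z0-9]+", region):
        raise ValueError(f"region must be a literal lowercase region name, got {region!r}")
    if retention_in_days < 0:
        raise ValueError("retention_in_days must not be negative")
    return {
        "custom_settings_by_resource_type": {
            "azurerm_firewall_policy": {
                hub_type: {
                    region: {
                        "insights": [{
                            "enabled": True,
                            "default_log_analytics_workspace_id": normalize_law_id(law_id),
                            "retention_in_days": retention_in_days,
                        }]
                    }
                }
            }
        }
    }
```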