Open PKS-Milestone2 opened 4 months ago
You can add it like this using custom settings as a workaround.
```hcl
advanced = {
  custom_settings_by_resource_type = {
    azurerm_firewall_policy = {
      connectivity = {
        swedencentral = {
          name = "my-fw-policy-01" // Must be the actual name of the fw policy
          insights = [
            {
              enabled                            = true
              default_log_analytics_workspace_id = "your law id"
              retention_in_days                  = 30
            }
          ]
        }
      }
    }
  }
}
```
Any idea/guidance on how to enable this through the root CAF module?
In the CAF connectivity locals.tf file, there is a reference to azurerm_firewall_policy,
but it is unclear how to properly configure this. Its position in the code implies it is part of the azure_firewall
block, but when we tested this, it did not work.
This does not work:
```hcl
locals {
  configure_connectivity_resources = {
    advanced = {
      custom_settings_by_resource_type = {
        azurerm_firewall_policy = {
          connectivity = {
            (var.primary_location) = {
              insights = [
                {
                  enabled                            = true
                  default_log_analytics_workspace_id = "log-analytics-workspace-id"
                  retention_in_days                  = 30
                }
              ]
            }
          }
        }
      }
    }
    settings = {
      vwan_hub_networks = [
        {
          enabled = true
          config = {
            ... <SNIP>
            azure_firewall = {
              enabled = true
              config = {
                enable_dns_proxy              = true
                dns_servers                   = []
                sku_tier                      = "Standard"
                base_policy_id                = ""
                private_ip_ranges             = []
                threat_intelligence_mode      = ""
                threat_intelligence_allowlist = {}
                availability_zones = {
                  zone_1 = true
                  zone_2 = true
                  zone_3 = true
                }
              }
            }
            spoke_virtual_network_resource_ids        = []
            secure_spoke_virtual_network_resource_ids = []
            enable_virtual_hub_connections            = false
          }
        },
      ]
    }
  }
}
```
When I manually enable the feature and re-run terraform plan for the CAF module, it shows that Firewall Policy Insights will be removed. I'm just not able to clearly see where the feature is supposed to be defined.
CAF terraform plan output:
```text
Terraform will perform the following actions:

  # module.connectivity.module.alz.azurerm_firewall_policy.virtual_wan["/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/caf-connectivity/providers/Microsoft.Network/firewallPolicies/fw-hub-canadacentral-policy"] will be updated in-place
  ~ resource "azurerm_firewall_policy" "virtual_wan" {
        id   = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/caf-connectivity/providers/Microsoft.Network/firewallPolicies/fw-hub-canadacentral-policy"
        name = "fw-hub-canadacentral-policy"
        tags = {
            "deployedBy" = "azure-lz-core-caf"
        }
        # (10 unchanged attributes hidden)

      - insights {
          - default_log_analytics_workspace_id = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/caf-mgmt/providers/Microsoft.OperationalInsights/workspaces/lz-caf-la" -> null
          - enabled                            = true -> null
          - retention_in_days                  = 30 -> null
        }

        # (1 unchanged block hidden)
    }
```
For anyone else that comes across this issue, here's the code that worked for me.
```hcl
# Configure custom connectivity resources settings
locals {
  configure_connectivity_resources = {
    settings = {
      <SNIP>
    }

    # Set the default location
    location = var.primary_location

    # Create a custom tags input
    tags = var.connectivity_resources_tags

    advanced = {
      custom_settings_by_resource_type = {
        azurerm_firewall_policy = {
          virtual_wan = { # IMPORTANT: 'connectivity' is used with traditional hub-and-spoke, 'virtual_wan' is used with the Virtual WAN configuration
            canadacentral = { # IMPORTANT: Required to be hard-coded to the region (ie. can't use `var.primary_location`)
              insights = [
                {
                  enabled = true
                  # IMPORTANT: The Log Analytics Workspace ID needs to be the entire Resource ID, not just the LAW name
                  # Also, the Resource ID as it is copied from the portal, has incorrect casing for the 'resourceGroups' and 'Microsoft.OperationalInsights' sections!
                  default_log_analytics_workspace_id = "/subscriptions/<SUB_ID>/resourceGroups/<RG_NAME>/providers/Microsoft.OperationalInsights/workspaces/<LOG_ANALYTICS_WORKSPACE>"
                  retention_in_days                  = 30
                }
              ]
            }
          }
        }
      }
    }
  }
}
```
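As an added example (not code from this thread, nor from the CAF module's own documentation), the following combines the workaround from the first comment and the findings from the comment above for a Virtual WAN deployment: the override sits under the `virtual_wan` key, the region key is written out literally, and the workspace resource ID is resolved through an `azurerm_log_analytics_workspace` data source so the provider supplies the full, correctly cased ID instead of a value pasted from the portal. The data source and its `name`, `resource_group_name` and `id` attributes are real provider features, as are the module's `configure_connectivity_resources` and `deploy_connectivity_resources` inputs; the workspace name, resource group, region and the rest of the module wiring are assumptions for illustration.

```hcl
# Added example. Resolve the Log Analytics workspace from the provider rather
# than pasting its resource ID, so the "resourceGroups" and
# "Microsoft.OperationalInsights" segments always carry the casing the
# azurerm provider expects. Names below are placeholders (assumption).
data "azurerm_log_analytics_workspace" "management" {
  name                = "law-caf-management" # assumed workspace name
  resource_group_name = "rg-caf-management"  # assumed resource group
}

locals {
  configure_connectivity_resources = {
    settings = {
      # Hub / Virtual WAN settings as elsewhere in this thread (snipped)
    }

    location = var.primary_location
    tags     = var.connectivity_resources_tags

    advanced = {
      custom_settings_by_resource_type = {
        azurerm_firewall_policy = {
          # The key must match the policy resource the module creates:
          # "virtual_wan" for Virtual WAN hubs (see the plan output above,
          # azurerm_firewall_policy.virtual_wan[...]), "connectivity" for
          # traditional hub-and-spoke.
          virtual_wan = {
            # Region key written out literally, as the thread found necessary.
            canadacentral = {
              insights = [
                {
                  enabled                            = true
                  default_log_analytics_workspace_id = data.azurerm_log_analytics_workspace.management.id
                  retention_in_days                  = 30
                }
              ]
            }
          }
        }
      }
    }
  }
}

# Minimal wiring into the module (assumed; provider aliases, root_parent_id
# and the other required inputs are omitted here).
module "connectivity" {
  source = "Azure/caf-enterprise-scale/azurerm"

  deploy_connectivity_resources    = true
  configure_connectivity_resources = local.configure_connectivity_resources
}
```

After `terraform apply`, a second `terraform plan` is the check: it should report no changes to the policy. If the plan again shows a `- insights {` block being removed, the override is not landing on the policy the module manages, which in practice means the top-level key (`connectivity` vs `virtual_wan`) or the region key does not match the resource the module created.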
Description
Hi, I would like functionality to enable Policy Analytics on the Firewall policy created with this module.
Is your feature request related to a problem?
No
Describe the solution you'd like
In settings.connectivity.tf I would like the option to enable Policy Analytics.
Additional context