PaloAltoNetworks / terraform-azurerm-swfw-modules

Terraform Reusable Modules for Software Firewalls on Azure
https://registry.terraform.io/modules/PaloAltoNetworks/swfw-modules/azurerm
MIT License

Add support for Public IP Address Prefix on Load Balancer frontend IP and Azure Public IP resources in `loadbalancer` sub-module #55

Closed jinkang23 closed 1 month ago

jinkang23 commented 3 months ago

Is your feature request related to a problem?

In the loadbalancer sub-module, neither the azurerm_public_ip resource nor the azurerm_lb resource allows a way to pass in a public_ip_prefix_id. This is necessary in cases where we want to either 1) bring our own IPs (BYO-IP) with a Custom IP Prefix, or 2) reserve a static range of Azure public IPs. In our case, we have onboarded a /24 range via BYO-IP with a Custom IP Prefix and have created a smaller /28 range as an Azure Public IP Prefix. We want the Public IP of the Load Balancer to be allocated from this Azure Public IP Prefix instead.

Describe the solution you'd like

Here's an example of adding azure_public_ip_prefix_id...

resource "azurerm_public_ip" "this" {
  for_each = { for k, v in var.frontend_ips : k => v if v.create_public_ip }

  name                = each.value.public_ip_name
  resource_group_name = var.resource_group_name
  location            = var.region
  allocation_method   = "Static"
  sku                 = "Standard"
  zones               = var.zones

  # New: allocate the address from a Public IP Prefix when one is given;
  # null keeps the current behaviour of allocating from the Azure pool.
  public_ip_prefix_id = each.value.public_ip_prefix_id

  tags                = var.tags
}

resource "azurerm_lb" "this" {
  name                = var.name
  resource_group_name = var.resource_group_name
  location            = var.region
  sku                 = "Standard"
  tags                = var.tags

  dynamic "frontend_ip_configuration" {
    for_each = var.frontend_ips
    iterator = frontend_ip
    content {
      name = frontend_ip.value.name
      # Existing behaviour: attach a module-created public IP, or one looked
      # up by the data source, to the frontend.
      public_ip_address_id = frontend_ip.value.create_public_ip ? (
        azurerm_public_ip.this[frontend_ip.key].id
      ) : try(data.azurerm_public_ip.this[frontend_ip.key].id, null)

      # New: when no public IP is created, allow attaching a Public IP Prefix
      # directly to the frontend (the form used by outbound rules).
      public_ip_prefix_id = frontend_ip.value.create_public_ip ? null : try(frontend_ip.value.public_ip_prefix_id, null)

      subnet_id                     = frontend_ip.value.subnet_id
      private_ip_address_allocation = frontend_ip.value.private_ip_address != null ? "Static" : null
      private_ip_address            = frontend_ip.value.private_ip_address
      zones                         = frontend_ip.value.subnet_id != null ? var.zones : null

      gateway_load_balancer_frontend_ip_configuration_id = frontend_ip.value.gwlb_fip_id
    }
  }

 ....

Describe alternatives you've considered.

No response

Additional context

No response
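The two ways a Public IP Prefix can feed a Standard Load Balancer frontend, as an added stand-alone example that is not part of the issue, the module, or PR #64/#80: one Standard static public IP carved out of the prefix and attached as an inbound frontend, and the prefix itself attached as an outbound frontend consumed by an outbound rule, so every egress flow from the backend pool (the firewalls, in the requester's case) is SNATed from the /28. All resource names, the region, the zone list and the commented-out `custom_ip_prefix_id` variable are assumptions for illustration.

```hcl
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0"
    }
  }
}

provider "azurerm" {
  features {}
}

# Constructed values for the example; replace with your own.
locals {
  region = "eastus"
  zones  = ["1", "2", "3"]
}

resource "azurerm_resource_group" "example" {
  name     = "rg-lb-prefix-example"
  location = local.region
}

# A /28 Public IP Prefix. With a BYO-IP range onboarded as a Custom IP Prefix,
# set custom_ip_prefix_id to carve this /28 out of it; without it Azure
# allocates the /28 from its own pool.
resource "azurerm_public_ip_prefix" "example" {
  name                = "pip-prefix-example"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  sku                 = "Standard"
  prefix_length       = 28
  zones               = local.zones
  # custom_ip_prefix_id = var.custom_ip_prefix_id   # BYO-IP case (assumed variable)
}

# Inbound frontend: one static Standard IP taken from the prefix. Allocation
# must be Static, SKU Standard, and the zones must match the prefix's zones.
resource "azurerm_public_ip" "inbound" {
  name                = "pip-lb-inbound"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  sku                 = "Standard"
  allocation_method   = "Static"
  zones               = local.zones
  public_ip_prefix_id = azurerm_public_ip_prefix.example.id
}

resource "azurerm_lb" "example" {
  name                = "lb-example"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  sku                 = "Standard"

  # Inbound: attach the prefix-allocated address, not the prefix.
  frontend_ip_configuration {
    name                 = "inbound"
    public_ip_address_id = azurerm_public_ip.inbound.id
  }

  # Outbound: attach the whole prefix. A prefix-backed frontend can only be
  # used by outbound rules, which SNAT through every address in it.
  frontend_ip_configuration {
    name                = "outbound"
    public_ip_prefix_id = azurerm_public_ip_prefix.example.id
  }
}

resource "azurerm_lb_backend_address_pool" "firewalls" {
  name            = "firewalls"
  loadbalancer_id = azurerm_lb.example.id
}

resource "azurerm_lb_outbound_rule" "egress" {
  name                    = "egress"
  loadbalancer_id         = azurerm_lb.example.id
  protocol                = "All"
  backend_address_pool_id = azurerm_lb_backend_address_pool.firewalls.id

  frontend_ip_configuration {
    name = "outbound"
  }
}

output "egress_prefix" {
  # The CIDR that remote allowlists (peers, SaaS tenants, partner firewalls)
  # can be pinned to, instead of individual addresses that change on rebuild.
  value = azurerm_public_ip_prefix.example.ip_prefix
}
```

The practical check after `terraform apply` is that `azurerm_public_ip.inbound.ip_address` falls inside the `egress_prefix` output; if the zones or SKU of the public IP do not match the prefix, the apply fails at the public IP rather than at the load balancer, which is where the error is easiest to misattribute.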

acelebanski commented 3 months ago

Hello @jinkang23, thanks for raising this. I suppose you wanted to use a Public IP Prefix as an LB frontend for outbound traffic from VM-Series firewalls. I implemented the improvements in PR #64. It should be released soon, once approved.

jinkang23 commented 3 months ago

Hi @acelebanski - Yes, and thank you for working on this feature request!

acelebanski commented 2 months ago

Hello @jinkang23, I changed the PR associated with this issue. We changed the approach and we're going to offer this functionality with the new public_ip module (PR #80).