# vWAN Virtual Hub Connection Internet Traffic unsecured

Changing the vWAN > vHub > Firewall/Firewall Manager (secure hub) > Security configuration > Hub Connections ... enabling "secure internet traffic" does not produce any changes in the CAF core deployment.

Apparently, based on this GitHub issue (secure_spoke_virtual_network_resource_ids doesn't work without additional config outside the module), "we should manage the entire set of vhub connections outside of the CAF module if we need anything beyond just having a connection to the vHUB."

This is actually controlled from the Landing Zone Vending module. Based on this GitHub issue (bug: documentation not correct), and the updated documentation on Virtual WAN values, there is a `vwan_security_configuration` object that has a `secure_internet_traffic` property. This property controls "Whether to forward internet-bound traffic to the destination specified in the routing policy." Meaning... even though we have the Routing Intent/Policy configured in vWAN to route Internet traffic to the Firewall, this property controls whether that policy is actually used!

This means we need to update our azure-lz-project-set template to include this `secure_internet_traffic` property. Although, this will not retroactively apply to existing Project Sets.

**Acceptance Criteria**

- `secure_internet_traffic` property in the `vwan_security_configuration` object

---

**AErmie commented:** Code updated in the terraform-azure-lz-project-set repo: https://github.com/bcgov/terraform-azure-lz-project-set/blob/main/main.tf#L58

**AErmie commented:** Pending ability to request a new Project Set in FORGE to test if code adjustments produce the desired results.

**AErmie commented:** Testing confirmed that the new property is being applied, and Internet traffic is being routed through the firewall.

Closed: AErmie closed this issue 1 month ago.
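An added example, not code from the bcgov terraform-azure-lz-project-set repo nor from the Azure Landing Zone Vending module's own documentation, showing where the `secure_internet_traffic` property sits in a module call, beside the equivalent setting on a directly managed `azurerm_virtual_hub_connection` for the case where hub connections are kept outside the CAF module. The module source and version pin, the `vwan_connection_enabled` and `vwan_hub_resource_id` attributes, and every ID, name and region below are assumptions or placeholders, not values from this issue:

```hcl
# Added example (not the project's code). Placeholder IDs and names throughout.

locals {
  # Placeholder: substitute the real secured virtual hub resource ID from the CAF core deployment.
  vwan_hub_resource_id = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-connectivity/providers/Microsoft.Network/virtualHubs/vhub-example"
}

module "lz_vending" {
  source  = "Azure/lz-vending/azurerm"
  version = "~> 4.0" # assumption: pin to whichever major version the project-set template uses

  location        = "canadacentral"                        # placeholder region
  subscription_id = "11111111-1111-1111-1111-111111111111" # placeholder subscription

  virtual_network_enabled = true
  virtual_networks = {
    spoke = {
      name                = "vnet-spoke-example"
      address_space       = ["10.100.0.0/24"]
      resource_group_name = "rg-spoke-network"

      # Attach the spoke to the secured virtual hub (attribute names assumed from the module's schema).
      vwan_connection_enabled = true
      vwan_hub_resource_id    = local.vwan_hub_resource_id

      # Forward internet-bound traffic to the destination in the hub's routing policy
      # (the Azure Firewall). With this left unset, the Routing Intent exists in the hub
      # but is not applied to this connection, so spoke egress bypasses the firewall.
      vwan_security_configuration = {
        secure_internet_traffic = true
      }
    }
  }
}

# Equivalent setting when a hub connection is managed directly, outside the CAF module.
resource "azurerm_virtual_hub_connection" "spoke" {
  name                      = "vhc-vnet-spoke-example"
  virtual_hub_id            = local.vwan_hub_resource_id
  remote_virtual_network_id = azurerm_virtual_network.spoke.id # assumed to be defined elsewhere

  # Maps to the hub connection's "Secure internet traffic" (enableInternetSecurity) flag.
  internet_security_enabled = true
}
```

After `terraform apply`, the effective state can be confirmed from the hub connection itself rather than from the plan: `az network vhub connection show --resource-group <rg> --vhub-name <hub> --name <connection> --query enableInternetSecurity` (virtual-wan CLI extension) should return `true`. A value of `false` on any existing Project Set connection means the routing policy is still being bypassed there, which matches the note above that the template change does not retroactively apply.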