Fix: Bug Fixes (#53)

Author: luke-taylor

README.md

@@ -28,7 +28,7 @@ module "hubnetworks" {
       firewall = {
         subnet_address_prefix = "192.168.1.0/24"
         sku_tier              = "Premium"
-        sku_name              = "AZFW_Hub"
+        sku_name              = "AZFW_VNet"
       }
     }
   }
@@ -127,31 +127,39 @@ Description: A map of the hub virtual networks to create. The map key is an arbi
   - `sku_name` - The name of the SKU to use for the Azure Firewall. Possible values include `AZFW_Hub`, `AZFW_VNet`.
   - `sku_tier` - The tier of the SKU to use for the Azure Firewall. Possible values include `Basic`, `Standard`, `Premium`.
   - `subnet_address_prefix` - The IPv4 address prefix to use for the Azure Firewall subnet in CIDR format. Needs to be a part of the virtual network's address space.
-  - `subnet_route_table_id` = (Optional) The resource id of the Route Table which should be associated with the Azure Firewall subnet. If not specified the module will assign the generated route table.
-  - `name` - (Optional) The name of the firewall resource. If not specified will use `afw-{vnetname}`.
   - `dns_servers` - (Optional) A list of DNS server IP addresses for the Azure Firewall.
   - `firewall_policy_id` - (Optional) The resource id of the Azure Firewall Policy to associate with the Azure Firewall.
+  - `management_subnet_address_prefix` - (Optional) The IPv4 address prefix to use for the Azure Firewall management subnet in CIDR format. Needs to be a part of the virtual network's address space.
+  - `name` - (Optional) The name of the firewall resource. If not specified will use `afw-{vnetname}`.
   - `private_ip_ranges` - (Optional) A list of private IP ranges to use for the Azure Firewall, to which the firewall will not NAT traffic. If not specified will use RFC1918.
+  - `subnet_route_table_id` = (Optional) The resource id of the Route Table which should be associated with the Azure Firewall subnet. If not specified the module will assign the generated route table.
+  - `tags` - (Optional) A map of tags to apply to the Azure Firewall. If not specified
   - `threat_intel_mode` - (Optional) The threat intelligence mode for the Azure Firewall. Possible values include `Alert`, `Deny`, `Off`.
   - `zones` - (Optional) A list of availability zones to use for the Azure Firewall. If not specified will be `null`.
-  - `tags` - (Optional) A map of tags to apply to the Azure Firewall. If not specified
   - `default_ip_configuration` - (Optional) An object with the following fields. If not specified the defaults below will be used:
     - `name` - (Optional) The name of the default IP configuration. If not specified will use `default`.
     - `public_ip_config` - (Optional) An object with the following fields:
       - `name` - (Optional) The name of the public IP configuration. If not specified will use `pip-afw-{vnetname}`.
       - `zones` - (Optional) A list of availability zones to use for the public IP configuration. If not specified will be `null`.
       - `ip_version` - (Optional) The IP version to use for the public IP configuration. Possible values include `IPv4`, `IPv6`. If not specified will be `IPv4`.
       - `sku_tier` - (Optional) The SKU tier to use for the public IP configuration. Possible values include `Regional`, `Global`. If not specified will be `Regional`.
+  - `management_ip_configuration` - (Optional) An object with the following fields. If not specified the defaults below will be used:
+    - `name` - (Optional) The name of the management IP configuration. If not specified will use `defaultMgmt`.
+    - `public_ip_config` - (Optional) An object with the following fields:
+      - `name` - (Optional) The name of the public IP configuration. If not specified will use `pip-afw-mgmt-<Map Key>`.
+      - `zones` - (Optional) A list of availability zones to use for the public IP configuration. If not specified will be `null`.
+      - `ip_version` - (Optional) The IP version to use for the public IP configuration. Possible values include `IPv4`, `IPv6`. If not specified will be `IPv4`.
+      - `sku_tier` - (Optional) The SKU tier to use for the public IP configuration. Possible values include `Regional`, `Global`. If not specified will be `Regional`.
 
 Type:
 
 ```hcl
 map(object({
-    name                = string
-    address_space       = list(string)
-    location            = string
-    resource_group_name = string
-
+    name                            = string
+    address_space                   = list(string)
+    location                        = string
+    resource_group_name             = string
+    route_table_name                = optional(string)
     bgp_community                   = optional(string)
     ddos_protection_plan_id         = optional(string)
     dns_servers                     = optional(list(string))
@@ -204,24 +212,34 @@ map(object({
     )), {})
 
     firewall = optional(object({
-      sku_name              = string
-      sku_tier              = string
-      subnet_address_prefix = string
-      subnet_route_table_id = optional(string)
-      name                  = optional(string)
-      dns_servers           = optional(list(string))
-      firewall_policy_id    = optional(string)
-      private_ip_ranges     = optional(list(string))
-      threat_intel_mode     = optional(string, "Alert")
-      zones                 = optional(list(string))
-      tags                  = optional(map(string))
+      sku_name                         = string
+      sku_tier                         = string
+      subnet_address_prefix            = string
+      dns_servers                      = optional(list(string))
+      firewall_policy_id               = optional(string)
+      management_subnet_address_prefix = optional(string, null)
+      name                             = optional(string)
+      private_ip_ranges                = optional(list(string))
+      subnet_route_table_id            = optional(string)
+      tags                             = optional(map(string))
+      threat_intel_mode                = optional(string, "Alert")
+      zones                            = optional(list(string))
       default_ip_configuration = optional(object({
         name = optional(string)
         public_ip_config = optional(object({
-          name       = optional(set(string))
+          ip_version = optional(string)
+          name       = optional(string)
+          sku_tier   = optional(string, "Regional")
           zones      = optional(set(string))
+        }))
+      }))
+      management_ip_configuration = optional(object({
+        name = optional(string)
+        public_ip_config = optional(object({
           ip_version = optional(string)
+          name       = optional(string)
           sku_tier   = optional(string, "Regional")
+          zones      = optional(set(string))
         }))
       }))
     }))
@@ -234,7 +252,7 @@ Default: `{}`
 
 Description: Whether enable tracing tags that generated by BridgeCrew Yor.
 
-Type: `string`
+Type: `bool`
 
 Default: `false`
 
@@ -253,8 +271,10 @@ The following resources are used by this module:
 - [azurerm_firewall.fw](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/firewall) (resource)
 - [azurerm_management_lock.rg_lock](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/management_lock) (resource)
 - [azurerm_public_ip.fw_default_ip_configuration_pip](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/public_ip) (resource)
+- [azurerm_public_ip.fw_management_ip_configuration_pip](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/public_ip) (resource)
 - [azurerm_resource_group.rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) (resource)
 - [azurerm_route_table.hub_routing](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/route_table) (resource)
+- [azurerm_subnet.fw_management_subnet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet) (resource)
 - [azurerm_subnet.fw_subnet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet) (resource)
 - [azurerm_subnet_route_table_association.fw_subnet_routing_creat](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet_route_table_association) (resource)
 - [azurerm_subnet_route_table_association.fw_subnet_routing_external](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet_route_table_association) (resource)

_header.md

@@ -27,7 +27,7 @@ module "hubnetworks" {
       firewall = {
         subnet_address_prefix = "192.168.1.0/24"
         sku_tier              = "Premium"
-        sku_name              = "AZFW_Hub"
+        sku_name              = "AZFW_VNet"
       }
     }
   }

locals.tf

@@ -14,19 +14,41 @@ locals {
       default_ip_configuration = {
         name = try(coalesce(vnet.firewall.management_ip_configuration.name, "default"), "default")
       }
+      management_ip_configuration = {
+        name = try(coalesce(vnet.firewall.management_ip_configuration.name, "defaultMgmt"), "defaultMgmt")
+      }
       zones = vnet.firewall.zones
     } if vnet.firewall != null
   }
+  firewall_management_subnets = {
+    for k, v in var.hub_virtual_networks : k => {
+      address_prefixes     = [v.firewall.management_subnet_address_prefix]
+      name                 = "AzureFirewallManagementSubnet"
+      resource_group_name  = v.resource_group_name
+      virtual_network_name = v.name
+    }
+    if try(v.firewall.sku_tier, "FirewallNull") == "Basic" && v.firewall != null
+  }
   fw_default_ip_configuration_pip = {
     for vnet_name, vnet in var.hub_virtual_networks : vnet_name => {
       location            = local.virtual_networks_modules[vnet_name].vnet_location
-      name                = coalesce(vnet.firewall.name, "pip-afw-${vnet_name}")
+      name                = try(vnet.firewall.default_ip_configuration.public_ip_config.name, "pip-afw-${vnet_name}")
       resource_group_name = vnet.resource_group_name
       ip_version          = try(vnet.firewall.default_ip_configuration.public_ip_config.ip_version, "IPv4")
       sku_tier            = try(vnet.firewall.default_ip_configuration.public_ip_config.sku_tier, "Regional")
       zones               = try(vnet.firewall.default_ip_configuration.public_ip_config.zones, null)
     } if vnet.firewall != null
   }
+  fw_management_ip_configuration_pip = {
+    for k, v in var.hub_virtual_networks : k => {
+      location            = local.virtual_networks_modules[k].vnet_location
+      name                = try(v.firewall.management_ip_configuration.public_ip_config.name, "pip-afw-mgmt-${k}")
+      resource_group_name = v.resource_group_name
+      ip_version          = try(v.firewall.management_ip_coniguration.public_ip_config.ip_version, "IPv4")
+      sku_tier            = try(v.firewall.management_ip_coniguration.public_ip_config.sku_tier, "Regional")
+      zones               = try(v.firewall.management_ip_coniguration.public_ip_config.zones, null)
+    } if try(v.firewall.sku_tier, "FirewallNull") == "Basic" && v.firewall != null
+  }
   hub_peering_map = {
     for peerconfig in flatten([
       for k_src, v_src in var.hub_virtual_networks :
@@ -64,7 +86,7 @@ locals {
             name                = "${k_dst}-${replace(cidr, "/", "-")}"
             address_prefix      = cidr
             next_hop_type       = "VirtualAppliance"
-            next_hop_ip_address = try(local.firewall_private_ip[k_dst], v_src.hub_router_ip_address)
+            next_hop_ip_address = try(local.firewall_private_ip[k_dst], v_dst.hub_router_ip_address)
           }
         ] if k_src != k_dst && v_dst.mesh_peering_enabled && can(v_dst.routing_address_space[0])
       ])
@@ -108,3 +130,4 @@ locals {
     }
   }
 }
+

main.tf

@@ -132,6 +132,20 @@ resource "azurerm_public_ip" "fw_default_ip_configuration_pip" {
   zones               = each.value.zones
 }
 
+resource "azurerm_public_ip" "fw_management_ip_configuration_pip" {
+  for_each = local.fw_management_ip_configuration_pip
+
+  allocation_method   = "Static"
+  location            = each.value.location
+  name                = each.value.name
+  resource_group_name = each.value.resource_group_name
+  ip_version          = each.value.ip_version
+  sku                 = "Standard"
+  sku_tier            = each.value.sku_tier
+  tags                = {}
+  zones               = each.value.zones
+}
+
 resource "azurerm_subnet" "fw_subnet" {
   for_each = local.firewalls
 
@@ -141,6 +155,19 @@ resource "azurerm_subnet" "fw_subnet" {
   virtual_network_name = module.hub_virtual_networks[each.key].vnet_name
 }
 
+resource "azurerm_subnet" "fw_management_subnet" {
+  for_each = local.firewall_management_subnets
+
+  address_prefixes     = each.value.address_prefixes
+  name                 = each.value.name
+  resource_group_name  = each.value.resource_group_name
+  virtual_network_name = each.value.virtual_network_name
+
+  depends_on = [
+    module.hub_virtual_networks
+  ]
+}
+
 resource "azurerm_subnet_route_table_association" "fw_subnet_routing_creat" {
   for_each = { for vnet_name, fw in local.firewalls : vnet_name => fw if fw.subnet_route_table_id == null }
 
@@ -175,4 +202,14 @@ resource "azurerm_firewall" "fw" {
     public_ip_address_id = azurerm_public_ip.fw_default_ip_configuration_pip[each.key].id
     subnet_id            = azurerm_subnet.fw_subnet[each.key].id
   }
+
+  dynamic "management_ip_configuration" {
+    for_each = each.value.sku_tier == "Basic" ? ["managementIpConfiguration"] : []
+
+    content {
+      name                 = each.value.management_ip_configuration.name
+      public_ip_address_id = azurerm_public_ip.fw_management_ip_configuration_pip[each.key].id
+      subnet_id            = azurerm_subnet.fw_management_subnet[each.key].id
+    }
+  }
 }

outputs.tf

@@ -1,10 +1,11 @@
 output "firewalls" {
   value = {
     for vnet_name, fw in azurerm_firewall.fw : vnet_name => {
-      id                 = fw.id
-      name               = fw.name
-      private_ip_address = try(fw.ip_configuration[0].private_ip_address, null)
-      public_ip_address  = try(azurerm_public_ip.fw_default_ip_configuration_pip[vnet_name].ip_address)
+      id                           = fw.id
+      name                         = fw.name
+      private_ip_address           = try(fw.ip_configuration[0].private_ip_address, null)
+      public_ip_address            = try(azurerm_public_ip.fw_default_ip_configuration_pip[vnet_name].ip_address)
+      management_public_ip_address = try(azurerm_public_ip.fw_management_ip_configuration_pip[vnet_name].ip_address, null)
     }
   }
   description = "A curated output of the firewalls created by this module."
@@ -42,7 +43,7 @@ output "resource_groups" {
 output "virtual_networks" {
   value = {
     for vnet_name, vnet_mod in module.hub_virtual_networks : vnet_name => {
-      name                  = vnet_name
+      name                  = vnet_mod.vnet_name
       resource_group_name   = var.hub_virtual_networks[vnet_name].resource_group_name
       id                    = vnet_mod.vnet_id
       location              = vnet_mod.vnet_location