
azurermFirewallPolicy

Manages a Firewall Policy.

Example Usage

import { Construct } from "constructs";
import { App, TerraformStack } from "cdktf";
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as azurerm from "./.gen/providers/azurerm";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: azurerm.
For a more precise conversion please use the --provider flag in convert.*/

class FirewallPolicyStack extends TerraformStack {
  constructor(scope: Construct, id: string) {
    super(scope, id);

    // The azurerm provider must be configured before its resources can be synthesized;
    // the (empty) features block is mandatory in the provider schema.
    new azurerm.provider.AzurermProvider(this, "azurerm", { features: [{}] });

    const azurermResourceGroupExample = new azurerm.resourceGroup.ResourceGroup(
      this,
      "example",
      {
        location: "West Europe",
        name: "example-resources",
      }
    );
    const azurermFirewallPolicyExample = new azurerm.firewallPolicy.FirewallPolicy(
      this,
      "example_1",
      {
        location: azurermResourceGroupExample.location,
        name: "example-policy",
        // CDKTF bindings expose HCL attributes in camelCase (resource_group_name -> resourceGroupName).
        resourceGroupName: azurermResourceGroupExample.name,
      }
    );
    /*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
    azurermFirewallPolicyExample.overrideLogicalId("example");
  }
}

const app = new App();
new FirewallPolicyStack(app, "firewall-policy");
app.synth();

Arguments Reference

The following arguments are supported:

  • location - (Required) The Azure Region where the Firewall Policy should exist. Changing this forces a new Firewall Policy to be created.

  • name - (Required) The name which should be used for this Firewall Policy. Changing this forces a new Firewall Policy to be created.

  • resourceGroupName - (Required) The name of the Resource Group where the Firewall Policy should exist. Changing this forces a new Firewall Policy to be created.


  • basePolicyId - (Optional) The ID of the base Firewall Policy.

  • dns - (Optional) A dns block as defined below.

  • identity - (Optional) An identity block as defined below.

  • insights - (Optional) An insights block as defined below.

  • intrusionDetection - (Optional) An intrusionDetection block as defined below.

  • privateIpRanges - (Optional) A list of private IP ranges for which traffic will not be SNATed.

  • autoLearnPrivateRangesEnabled - (Optional) Whether to enable auto-learning of private IP ranges.

  • sku - (Optional) The SKU Tier of the Firewall Policy. Possible values are standard, premium and basic. Changing this forces a new Firewall Policy to be created.

  • tags - (Optional) A mapping of tags which should be assigned to the Firewall Policy.

  • threatIntelligenceAllowlist - (Optional) A threatIntelligenceAllowlist block as defined below.

  • threatIntelligenceMode - (Optional) The operation mode for Threat Intelligence. Possible values are alert, deny and off. Defaults to alert.

  • tlsCertificate - (Optional) A tlsCertificate block as defined below.

  • sqlRedirectAllowed - (Optional) Whether SQL Redirect traffic filtering is allowed. Enabling this flag requires that no rule use ports in the range 11000-11999.

  • explicitProxy - (Optional) An explicitProxy block as defined below.


A dns block supports the following:

  • proxyEnabled - (Optional) Whether to enable DNS proxy on Firewalls attached to this Firewall Policy. Defaults to false.

  • servers - (Optional) A list of custom DNS servers' IP addresses.


An identity block supports the following:

  • type - (Required) Specifies the type of Managed Service Identity that should be configured on this Firewall Policy. Only possible value is userAssigned.

  • identityIds - (Required) Specifies a list of User Assigned Managed Identity IDs to be assigned to this Firewall Policy.


An insights block supports the following:

  • enabled - (Required) Whether the insights functionality is enabled for this Firewall Policy.

  • defaultLogAnalyticsWorkspaceId - (Required) The ID of the default Log Analytics Workspace that the Firewalls associated with this Firewall Policy will send their logs to when no logAnalyticsWorkspace block matches their location.

  • retentionInDays - (Optional) The log retention period in days.

  • logAnalyticsWorkspace - (Optional) One or more logAnalyticsWorkspace blocks as defined below.


An intrusionDetection block supports the following:

  • mode - (Optional) The mode in which intrusion detection runs. Possible values are off, alert and deny.

  • signatureOverrides - (Optional) One or more signatureOverrides blocks as defined below.

  • trafficBypass - (Optional) One or more trafficBypass blocks as defined below.

  • privateRanges - (Optional) A list of Private IP address ranges to identify traffic direction. By default, only ranges defined by IANA RFC 1918 are considered private IP addresses.


A logAnalyticsWorkspace block supports the following:

  • id - (Required) The ID of the Log Analytics Workspace that the Firewalls associated with this Firewall Policy will send their logs to when their location matches the firewallLocation.

  • firewallLocation - (Required) The location of the Firewalls whose logs this Log Analytics Workspace will consume.


A signatureOverrides block supports the following:

  • id - (Optional) The 12-digit number (id) that identifies the signature.

  • state - (Optional) The state of the signature. Possible values are off, alert and deny.


A threatIntelligenceAllowlist block supports the following:

  • fqdns - (Optional) A list of FQDNs that will be skipped for threat detection.

  • ipAddresses - (Optional) A list of IP addresses or CIDR ranges that will be skipped for threat detection.


A tlsCertificate block supports the following:

  • keyVaultSecretId - (Required) The ID of the Key Vault where the secret or certificate is stored.

  • name - (Required) The name of the certificate.


A trafficBypass block supports the following:

  • name - (Required) The name which should be used for this bypass traffic setting.

  • protocol - (Required) The protocol that shall be bypassed by intrusion detection. Possible values are any, tcp, icmp and udp.

  • description - (Optional) The description for this bypass traffic setting.

  • destinationAddresses - (Optional) Specifies a list of destination IP addresses that shall be bypassed by intrusion detection.

  • destinationIpGroups - (Optional) Specifies a list of destination IP groups that shall be bypassed by intrusion detection.

  • destinationPorts - (Optional) Specifies a list of destination ports that shall be bypassed by intrusion detection.

  • sourceAddresses - (Optional) Specifies a list of source addresses that shall be bypassed by intrusion detection.

  • sourceIpGroups - (Optional) Specifies a list of source IP groups that shall be bypassed by intrusion detection.


An explicitProxy block supports the following:

  • enabled - (Optional) Whether the explicit proxy is enabled for this Firewall Policy.

  • httpPort - (Optional) The port number for the explicit proxy HTTP protocol.

  • httpsPort - (Optional) The port number for the explicit proxy HTTPS protocol.

  • enablePacFile - (Optional) Whether the PAC file port and URL need to be provided.

  • pacFilePort - (Optional) Specifies the port number on which the firewall serves the PAC file.

  • pacFile - (Optional) Specifies the SAS URL of the PAC file.
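The arguments reference above states a number of constraints (allowed values for sku, threatIntelligenceMode and intrusionDetection.mode; userAssigned as the only identity type; the 11000-11999 port restriction behind sqlRedirectAllowed; the PAC file port and URL that enablePacFile requires). The following is an added example, not code from the azurerm provider documentation or the CDKTF bindings: a plain TypeScript linter that encodes those constraints over a config object in the camelCase shape CDKTF generates, so a misconfigured policy fails in CI before `terraform apply` reaches Azure. The FirewallPolicyInput type, the lintFirewallPolicy and overlapsSqlRedirectRange functions, and the samplePolicy values are all constructed for this example; the rule ports are passed in as a list because rule collection groups are a separate resource. The check that intrusion detection needs the premium SKU comes from the Azure Firewall Premium documentation, not from this page.

```typescript
// Added example (not from the provider docs): pre-synth linter for the
// FirewallPolicy constraints documented in the arguments reference.

type Severity = "error" | "warning";
interface Finding { severity: Severity; field: string; message: string; }

// Constructed subset of the FirewallPolicy config (camelCase, as CDKTF generates it).
interface FirewallPolicyInput {
  name: string;
  location: string;
  resourceGroupName: string;
  sku?: string;
  threatIntelligenceMode?: string;
  sqlRedirectAllowed?: boolean;
  identity?: { type: string; identityIds?: string[] };
  dns?: { proxyEnabled?: boolean; servers?: string[] };
  insights?: { enabled: boolean; defaultLogAnalyticsWorkspaceId?: string };
  intrusionDetection?: {
    mode?: string;
    trafficBypass?: { name: string; protocol: string; destinationPorts?: string[] }[];
  };
  explicitProxy?: { enabled?: boolean; enablePacFile?: boolean; pacFilePort?: number; pacFile?: string };
}

const SKUS = ["standard", "premium", "basic"];
const MODES = ["off", "alert", "deny"];
const BYPASS_PROTOCOLS = ["any", "tcp", "icmp", "udp"];
const IPV4 = /^(25[0-5]|2[0-4]\d|1?\d?\d)(\.(25[0-5]|2[0-4]\d|1?\d?\d)){3}$/;

// True when a rule port spec ("11005", "11000-11999", "10000-12000", "*")
// overlaps the 11000-11999 range that sqlRedirectAllowed reserves.
function overlapsSqlRedirectRange(port: string): boolean {
  if (port.trim() === "*") return true;
  const parts = port.split("-").map((s) => Number(s.trim()));
  const lo = parts[0] ?? NaN;
  const hi = parts.length > 1 ? parts[1] ?? NaN : lo;
  if (!Number.isInteger(lo) || !Number.isInteger(hi)) return false;
  return lo <= 11999 && hi >= 11000;
}

// rulePorts: destination ports used by the policy's rule collection groups
// (a separate resource, so the linter takes them as plain input).
function lintFirewallPolicy(p: FirewallPolicyInput, rulePorts: string[] = []): Finding[] {
  const findings: Finding[] = [];
  const add = (severity: Severity, field: string, message: string) =>
    findings.push({ severity, field, message });

  if (p.sku !== undefined && !SKUS.includes(p.sku)) add("error", "sku", `unknown SKU ${p.sku}`);
  if (p.threatIntelligenceMode !== undefined && !MODES.includes(p.threatIntelligenceMode))
    add("error", "threatIntelligenceMode", `must be one of ${MODES.join(", ")}`);
  if (p.threatIntelligenceMode === "off")
    add("warning", "threatIntelligenceMode", "threat intelligence filtering is disabled");

  if (p.sqlRedirectAllowed) {
    const clash = rulePorts.filter((port) => overlapsSqlRedirectRange(port));
    if (clash.length > 0)
      add("error", "sqlRedirectAllowed", `rules use reserved ports 11000-11999: ${clash.join(", ")}`);
  }

  if (p.identity) {
    if (p.identity.type !== "userAssigned") add("error", "identity.type", "only userAssigned is supported");
    if (!p.identity.identityIds || p.identity.identityIds.length === 0)
      add("error", "identity.identityIds", "at least one identity ID is required");
  }

  for (const server of p.dns?.servers ?? [])
    if (!IPV4.test(server)) add("error", "dns.servers", `not an IPv4 address: ${server}`);

  if (p.insights?.enabled && !p.insights.defaultLogAnalyticsWorkspaceId)
    add("error", "insights.defaultLogAnalyticsWorkspaceId", "required when insights is enabled");

  const ids = p.intrusionDetection;
  if (ids) {
    if (ids.mode !== undefined && !MODES.includes(ids.mode))
      add("error", "intrusionDetection.mode", `must be one of ${MODES.join(", ")}`);
    // IDPS is a Premium-tier feature (Azure Firewall Premium docs, not stated on this page).
    if (p.sku !== undefined && p.sku !== "premium")
      add("error", "intrusionDetection", "requires sku = premium");
    if (ids.mode !== "deny")
      add("warning", "intrusionDetection.mode", "signatures will alert but not block traffic");
    for (const b of ids.trafficBypass ?? [])
      if (!BYPASS_PROTOCOLS.includes(b.protocol))
        add("error", `intrusionDetection.trafficBypass[${b.name}].protocol`, `must be one of ${BYPASS_PROTOCOLS.join(", ")}`);
  }

  const proxy = p.explicitProxy;
  if (proxy?.enablePacFile && (!proxy.pacFilePort || !proxy.pacFile))
    add("error", "explicitProxy", "enablePacFile requires pacFilePort and pacFile");

  return findings;
}

// Constructed sample: a policy carrying several of the mistakes the linter catches.
const samplePolicy: FirewallPolicyInput = {
  name: "example-policy",
  location: "West Europe",
  resourceGroupName: "example-resources",
  sku: "standard",
  threatIntelligenceMode: "off",
  sqlRedirectAllowed: true,
  identity: { type: "systemAssigned" },
  dns: { proxyEnabled: true, servers: ["10.0.0.4", "dns.internal"] },
  intrusionDetection: { mode: "alert", trafficBypass: [{ name: "backup", protocol: "sctp" }] },
  explicitProxy: { enabled: true, enablePacFile: true, pacFilePort: 8081 },
};

function lintSample(): Finding[] {
  return lintFirewallPolicy(samplePolicy, ["443", "11000-11999"]);
}

for (const f of lintSample()) console.log(`${f.severity.toUpperCase()} ${f.field}: ${f.message}`);
```

Run the linter against the config object you pass to the FirewallPolicy construct (before `app.synth()`), and fail the pipeline on any error-severity finding; warnings flag settings that are valid but leave the policy in alert-only mode.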

Attributes Reference

In addition to the Arguments listed above - the following Attributes are exported:

  • id - The ID of the Firewall Policy.

  • childPolicies - A list of references to child Firewall Policies of this Firewall Policy.

  • firewalls - A list of references to Azure Firewalls that this Firewall Policy is associated with.

  • ruleCollectionGroups - A list of references to Firewall Policy Rule Collection Groups that belong to this Firewall Policy.

Timeouts

The timeouts block allows you to specify timeouts for certain actions:

  • create - (Defaults to 30 minutes) Used when creating the Firewall Policy.
  • read - (Defaults to 5 minutes) Used when retrieving the Firewall Policy.
  • update - (Defaults to 30 minutes) Used when updating the Firewall Policy.
  • delete - (Defaults to 30 minutes) Used when deleting the Firewall Policy.

Import

Firewall Policies can be imported using the resourceId, e.g.

terraform import azurerm_firewall_policy.example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/mygroup1/providers/Microsoft.Network/firewallPolicies/policy1