azurermFirewallPolicyRuleCollectionGroup
Manages a Firewall Policy Rule Collection Group.
Example Usage
```typescript
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as azurerm from "./.gen/providers/azurerm";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: azurerm.
For a more precise conversion please use the --provider flag in convert.*/
// Attribute keys below use the camelCase names the generated bindings expect
// (e.g. resourceGroupName, firewallPolicyId), not the HCL snake_case names.
const azurermResourceGroupExample = new azurerm.resourceGroup.ResourceGroup(
  this,
  "example",
  {
    location: "West Europe",
    name: "example-resources",
  }
);
const azurermFirewallPolicyExample = new azurerm.firewallPolicy.FirewallPolicy(
  this,
  "example_1",
  {
    location: azurermResourceGroupExample.location,
    name: "example-fwpolicy",
    resourceGroupName: azurermResourceGroupExample.name,
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermFirewallPolicyExample.overrideLogicalId("example");
const azurermFirewallPolicyRuleCollectionGroupExample =
  new azurerm.firewallPolicyRuleCollectionGroup.FirewallPolicyRuleCollectionGroup(
    this,
    "example_2",
    {
      applicationRuleCollection: [
        {
          action: "Deny",
          name: "app_rule_collection1",
          priority: 500,
          rule: [
            {
              destinationFqdns: ["*.microsoft.com"],
              name: "app_rule_collection1_rule1",
              protocols: [
                { port: 80, type: "Http" },
                { port: 443, type: "Https" },
              ],
              sourceAddresses: ["10.0.0.1"],
            },
          ],
        },
      ],
      firewallPolicyId: azurermFirewallPolicyExample.id,
      name: "example-fwpolicy-rcg",
      natRuleCollection: [
        {
          action: "Dnat",
          name: "nat_rule_collection1",
          priority: 300,
          rule: [
            {
              destinationAddress: "192.168.1.1",
              destinationPorts: ["80"],
              name: "nat_rule_collection1_rule1",
              protocols: ["TCP", "UDP"],
              sourceAddresses: ["10.0.0.1", "10.0.0.2"],
              translatedAddress: "192.168.0.1",
              translatedPort: "8080",
            },
          ],
        },
      ],
      networkRuleCollection: [
        {
          action: "Deny",
          name: "network_rule_collection1",
          priority: 400,
          rule: [
            {
              destinationAddresses: ["192.168.1.1", "192.168.1.2"],
              destinationPorts: ["80", "1000-2000"],
              name: "network_rule_collection1_rule1",
              protocols: ["TCP", "UDP"],
              sourceAddresses: ["10.0.0.1"],
            },
          ],
        },
      ],
      priority: 500,
    }
  );
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermFirewallPolicyRuleCollectionGroupExample.overrideLogicalId("example");
```
Arguments Reference
The following arguments are supported:
- `name` - (Required) The name which should be used for this Firewall Policy Rule Collection Group. Changing this forces a new Firewall Policy Rule Collection Group to be created.
- `firewallPolicyId` - (Required) The ID of the Firewall Policy where the Firewall Policy Rule Collection Group should exist. Changing this forces a new Firewall Policy Rule Collection Group to be created.
- `priority` - (Required) The priority of the Firewall Policy Rule Collection Group. The range is 100-65000.
- `applicationRuleCollection` - (Optional) One or more `applicationRuleCollection` blocks as defined below.
- `natRuleCollection` - (Optional) One or more `natRuleCollection` blocks as defined below.
- `networkRuleCollection` - (Optional) One or more `networkRuleCollection` blocks as defined below.
An `applicationRuleCollection` block supports the following:
- `name` - (Required) The name which should be used for this application rule collection.
- `action` - (Required) The action to take for the application rules in this collection. Possible values are `allow` and `deny`.
- `priority` - (Required) The priority of the application rule collection. The range is `100`-`65000`.
- `rule` - (Required) One or more `applicationRule` (application rule) blocks as defined below.
A `networkRuleCollection` block supports the following:
- `name` - (Required) The name which should be used for this network rule collection.
- `action` - (Required) The action to take for the network rules in this collection. Possible values are `allow` and `deny`.
- `priority` - (Required) The priority of the network rule collection. The range is `100`-`65000`.
- `rule` - (Required) One or more `networkRule` (network rule) blocks as defined below.
A `natRuleCollection` block supports the following:
- `name` - (Required) The name which should be used for this NAT rule collection.
- `action` - (Required) The action to take for the NAT rules in this collection. Currently, the only possible value is `dnat`.
- `priority` - (Required) The priority of the NAT rule collection. The range is `100`-`65000`.
- `rule` - (Required) A `natRule` (NAT rule) block as defined below.
An `applicationRule` (application rule) block supports the following:
- `name` - (Required) The name which should be used for this rule.
- `description` - (Optional) The description which should be used for this rule.
- `protocols` - (Optional) One or more `protocols` blocks as defined below. Not required when specifying `destinationFqdnTags`, but required when specifying `destinationFqdns`.
- `sourceAddresses` - (Optional) Specifies a list of source IP addresses (including CIDR and `*`).
- `sourceIpGroups` - (Optional) Specifies a list of source IP groups.
- `destinationAddresses` - (Optional) Specifies a list of destination IP addresses (including CIDR and `*`).
- `destinationUrls` - (Optional) Specifies a list of destination URLs for which the policy should hold. Needs Premium SKU for Firewall Policy. Conflicts with `destinationFqdns`.
- `destinationFqdns` - (Optional) Specifies a list of destination FQDNs. Conflicts with `destinationUrls`.
- `destinationFqdnTags` - (Optional) Specifies a list of destination FQDN tags.
- `terminateTls` - (Optional) Boolean specifying if TLS shall be terminated (`true`) or not (`false`). Must be `true` when using `destinationUrls`. Needs Premium SKU for Firewall Policy.
- `webCategories` - (Optional) Specifies a list of web categories to which access is denied or allowed depending on the value of `action` above. Needs Premium SKU for Firewall Policy.
A `networkRule` (network rule) block supports the following:
- `name` - (Required) The name which should be used for this rule.
- `protocols` - (Required) Specifies a list of network protocols this rule applies to. Possible values are `any`, `tcp`, `udp`, `icmp`.
- `destinationPorts` - (Required) Specifies a list of destination ports.
- `sourceAddresses` - (Optional) Specifies a list of source IP addresses (including CIDR and `*`).
- `sourceIpGroups` - (Optional) Specifies a list of source IP groups.
- `destinationAddresses` - (Optional) Specifies a list of destination IP addresses (including CIDR and `*`) or Service Tags.
- `destinationIpGroups` - (Optional) Specifies a list of destination IP groups.
- `destinationFqdns` - (Optional) Specifies a list of destination FQDNs.
A `natRule` (NAT rule) block supports the following:
- `name` - (Required) The name which should be used for this rule.
- `protocols` - (Required) Specifies a list of network protocols this rule applies to. Possible values are `tcp`, `udp`.
- `sourceAddresses` - (Optional) Specifies a list of source IP addresses (including CIDR and `*`).
- `sourceIpGroups` - (Optional) Specifies a list of source IP groups.
- `destinationAddress` - (Optional) The destination IP address (including CIDR).
- `destinationPorts` - (Optional) Specifies a list of destination ports. Only one destination port is supported in a NAT rule.
- `translatedAddress` - (Optional) Specifies the translated address.
- `translatedFqdn` - (Optional) Specifies the translated FQDN.

~> NOTE: Exactly one of `translatedAddress` and `translatedFqdn` should be set.

- `translatedPort` - (Required) Specifies the translated port.
A `protocols` block supports the following:
- `type` - (Required) Protocol type. Possible values are `http` and `https`.
- `port` - (Required) Port number of the protocol. Range is 0-64000.
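Several of the constraints above are only enforced at apply time (the collection and group priority ranges, `protocols` being required with `destinationFqdns`, the `destinationUrls`/`destinationFqdns` conflict, `terminateTls` with `destinationUrls`, the single NAT destination port and the translatedAddress/translatedFqdn exclusivity). The following added example, which is not part of the provider or these docs, checks a group config against them before `cdktf synth`; the interfaces are hand-written stand-ins for the generated config types and carry only the fields the checks need.

```typescript
// Added example, not provider code: pre-synth check of the documented
// rule collection group constraints. The interfaces are stand-ins for the
// generated ./.gen/providers/azurerm config types (only checked fields).
interface Protocol { type: string; port: number }
interface AppRule {
  name: string; protocols?: Protocol[]; destinationFqdns?: string[];
  destinationUrls?: string[]; terminateTls?: boolean;
}
interface NatRule {
  name: string; destinationPorts?: string[];
  translatedAddress?: string; translatedFqdn?: string; translatedPort: string;
}
interface Collection<R> { name: string; priority: number; rule: R[] }
interface GroupConfig {
  name: string; priority: number;
  applicationRuleCollection?: Collection<AppRule>[];
  natRuleCollection?: Collection<NatRule>[];
}

const inRange = (n: number, lo: number, hi: number): boolean => n >= lo && n <= hi;

// Returns the list of violations; an empty list means the config passes.
function validateGroup(cfg: GroupConfig): string[] {
  const errs: string[] = [];
  if (!inRange(cfg.priority, 100, 65000)) errs.push(`${cfg.name}: group priority outside 100-65000`);
  const cols = [...(cfg.applicationRuleCollection ?? []), ...(cfg.natRuleCollection ?? [])];
  for (const c of cols) if (!inRange(c.priority, 100, 65000)) errs.push(`${c.name}: priority outside 100-65000`);
  for (const c of cfg.applicationRuleCollection ?? []) for (const r of c.rule) {
    // protocols is required with destinationFqdns (but not with destinationFqdnTags)
    if (r.destinationFqdns && !r.protocols?.length) errs.push(`${r.name}: protocols required with destinationFqdns`);
    if (r.destinationUrls && r.destinationFqdns) errs.push(`${r.name}: destinationUrls conflicts with destinationFqdns`);
    if (r.destinationUrls && r.terminateTls !== true) errs.push(`${r.name}: terminateTls must be true with destinationUrls`);
    for (const p of r.protocols ?? []) if (!inRange(p.port, 0, 64000)) errs.push(`${r.name}: port ${p.port} outside 0-64000`);
  }
  for (const c of cfg.natRuleCollection ?? []) for (const r of c.rule) {
    if (!!r.translatedAddress === !!r.translatedFqdn) errs.push(`${r.name}: set exactly one of translatedAddress and translatedFqdn`);
    if ((r.destinationPorts ?? []).length > 1) errs.push(`${r.name}: only one destination port is supported in a NAT rule`);
  }
  return errs;
}

// Constructed sample mirroring the NAT collection from the example above; prints [] when valid.
console.log(validateGroup({
  name: "example-fwpolicy-rcg", priority: 500,
  natRuleCollection: [{ name: "nat_rule_collection1", priority: 300, rule: [{
    name: "nat_rule_collection1_rule1", destinationPorts: ["80"],
    translatedAddress: "192.168.0.1", translatedPort: "8080" }] }],
}));
```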
Attributes Reference
In addition to the Arguments listed above, the following Attributes are exported:
- `id` - The ID of the Firewall Policy Rule Collection Group.
Timeouts
The `timeouts` block allows you to specify timeouts for certain actions:
- `create` - (Defaults to 30 minutes) Used when creating the Firewall Policy Rule Collection Group.
- `read` - (Defaults to 5 minutes) Used when retrieving the Firewall Policy Rule Collection Group.
- `update` - (Defaults to 30 minutes) Used when updating the Firewall Policy Rule Collection Group.
- `delete` - (Defaults to 30 minutes) Used when deleting the Firewall Policy Rule Collection Group.
Import
Firewall Policy Rule Collection Groups can be imported using the `resourceId`, e.g.