
azurermFirewallPolicyRuleCollectionGroup

Manages a Firewall Policy Rule Collection Group.

Example Usage

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as azurerm from "./.gen/providers/azurerm";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: azurerm.
For a more precise conversion please use the --provider flag in convert.*/
const azurermResourceGroupExample = new azurerm.resourceGroup.ResourceGroup(
  this,
  "example",
  {
    location: "West Europe",
    name: "example-resources",
  }
);
const azurermFirewallPolicyExample = new azurerm.firewallPolicy.FirewallPolicy(
  this,
  "example_1",
  {
    location: azurermResourceGroupExample.location,
    name: "example-fwpolicy",
    resourceGroupName: azurermResourceGroupExample.name,
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermFirewallPolicyExample.overrideLogicalId("example");
/*The generated TypeScript bindings use camelCase property names (see the Arguments Reference below),
so the snake_case keys emitted by cdktf convert have been renamed accordingly.*/
const azurermFirewallPolicyRuleCollectionGroupExample =
  new azurerm.firewallPolicyRuleCollectionGroup.FirewallPolicyRuleCollectionGroup(
    this,
    "example_2",
    {
      // Application rules match on FQDN/URL and require a protocols block when destinationFqdns is set.
      applicationRuleCollection: [
        {
          action: "Deny",
          name: "app_rule_collection1",
          priority: 500,
          rule: [
            {
              destinationFqdns: ["*.microsoft.com"],
              name: "app_rule_collection1_rule1",
              protocols: [
                {
                  port: 80,
                  type: "Http",
                },
                {
                  port: 443,
                  type: "Https",
                },
              ],
              sourceAddresses: ["10.0.0.1"],
            },
          ],
        },
      ],
      firewallPolicyId: azurermFirewallPolicyExample.id,
      name: "example-fwpolicy-rcg",
      // NAT rules: a single destination port, and exactly one of translatedAddress / translatedFqdn.
      natRuleCollection: [
        {
          action: "Dnat",
          name: "nat_rule_collection1",
          priority: 300,
          rule: [
            {
              destinationAddress: "192.168.1.1",
              destinationPorts: ["80"],
              name: "nat_rule_collection1_rule1",
              protocols: ["TCP", "UDP"],
              sourceAddresses: ["10.0.0.1", "10.0.0.2"],
              translatedAddress: "192.168.0.1",
              translatedPort: "8080",
            },
          ],
        },
      ],
      // Network rules match on L3/L4 fields; port ranges such as "1000-2000" are allowed.
      networkRuleCollection: [
        {
          action: "Deny",
          name: "network_rule_collection1",
          priority: 400,
          rule: [
            {
              destinationAddresses: ["192.168.1.1", "192.168.1.2"],
              destinationPorts: ["80", "1000-2000"],
              name: "network_rule_collection1_rule1",
              protocols: ["TCP", "UDP"],
              sourceAddresses: ["10.0.0.1"],
            },
          ],
        },
      ],
      priority: 500,
    }
  );
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermFirewallPolicyRuleCollectionGroupExample.overrideLogicalId("example");

Arguments Reference

The following arguments are supported:

  • name - (Required) The name which should be used for this Firewall Policy Rule Collection Group. Changing this forces a new Firewall Policy Rule Collection Group to be created.

  • firewallPolicyId - (Required) The ID of the Firewall Policy where the Firewall Policy Rule Collection Group should exist. Changing this forces a new Firewall Policy Rule Collection Group to be created.

  • priority - (Required) The priority of the Firewall Policy Rule Collection Group. The range is 100-65000.

  • applicationRuleCollection - (Optional) One or more applicationRuleCollection blocks as defined below.

  • natRuleCollection - (Optional) One or more natRuleCollection blocks as defined below.

  • networkRuleCollection - (Optional) One or more networkRuleCollection blocks as defined below.


An applicationRuleCollection block supports the following:

  • name - (Required) The name which should be used for this application rule collection.

  • action - (Required) The action to take for the application rules in this collection. Possible values are allow and deny.

  • priority - (Required) The priority of the application rule collection. The range is 100 - 65000.

  • rule - (Required) One or more applicationRule (application rule) blocks as defined below.


A networkRuleCollection block supports the following:

  • name - (Required) The name which should be used for this network rule collection.

  • action - (Required) The action to take for the network rules in this collection. Possible values are allow and deny.

  • priority - (Required) The priority of the network rule collection. The range is 100 - 65000.

  • rule - (Required) One or more networkRule (network rule) blocks as defined below.


A natRuleCollection block supports the following:

  • name - (Required) The name which should be used for this NAT rule collection.

  • action - (Required) The action to take for the NAT rules in this collection. Currently, the only possible value is dnat.

  • priority - (Required) The priority of the NAT rule collection. The range is 100 - 65000.

  • rule - (Required) A natRule (NAT rule) block as defined below.


An applicationRule (application rule) block supports the following:

  • name - (Required) The name which should be used for this rule.

  • description - (Optional) The description which should be used for this rule.

  • protocols - (Optional) One or more protocols blocks as defined below. Not required when specifying destinationFqdnTags, but required when specifying destinationFqdns.

  • sourceAddresses - (Optional) Specifies a list of source IP addresses (including CIDR and *).

  • sourceIpGroups - (Optional) Specifies a list of source IP groups.

  • destinationAddresses - (Optional) Specifies a list of destination IP addresses (including CIDR and *).

  • destinationUrls - (Optional) Specifies a list of destination URLs for which policy should hold. Needs Premium SKU for Firewall Policy. Conflicts with destinationFqdns.

  • destinationFqdns - (Optional) Specifies a list of destination FQDNs. Conflicts with destinationUrls.

  • destinationFqdnTags - (Optional) Specifies a list of destination FQDN tags.

  • terminateTls - (Optional) Boolean specifying if TLS shall be terminated (true) or not (false). Must be true when using destinationUrls. Needs Premium SKU for Firewall Policy.

  • webCategories - (Optional) Specifies a list of web categories to which access is denied or allowed depending on the value of action above. Needs Premium SKU for Firewall Policy.


A networkRule (network rule) block supports the following:

  • name - (Required) The name which should be used for this rule.

  • protocols - (Required) Specifies a list of network protocols this rule applies to. Possible values are any, tcp, udp, icmp.

  • destinationPorts - (Required) Specifies a list of destination ports.

  • sourceAddresses - (Optional) Specifies a list of source IP addresses (including CIDR and *).

  • sourceIpGroups - (Optional) Specifies a list of source IP groups.

  • destinationAddresses - (Optional) Specifies a list of destination IP addresses (including CIDR and *) or Service Tags.

  • destinationIpGroups - (Optional) Specifies a list of destination IP groups.

  • destinationFqdns - (Optional) Specifies a list of destination FQDNs.


A natRule (NAT rule) block supports the following:

  • name - (Required) The name which should be used for this rule.

  • protocols - (Required) Specifies a list of network protocols this rule applies to. Possible values are tcp, udp.

  • sourceAddresses - (Optional) Specifies a list of source IP addresses (including CIDR and *).

  • sourceIpGroups - (Optional) Specifies a list of source IP groups.

  • destinationAddress - (Optional) The destination IP address (including CIDR).

  • destinationPorts - (Optional) Specifies a list of destination ports. Only one destination port is supported in a NAT rule.

  • translatedAddress - (Optional) Specifies the translated address.

  • translatedFqdn - (Optional) Specifies the translated FQDN.

~> NOTE: Exactly one of translatedAddress and translatedFqdn should be set.

  • translatedPort - (Required) Specifies the translated port.

A protocols block supports the following:

  • type - (Required) Protocol type. Possible values are http and https.

  • port - (Required) Port number of the protocol. Range is 0-64000.
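
The constraints listed in the Arguments Reference above (priority ranges, allowed actions and protocols, the protocols requirement for destinationFqdns, the destinationUrls / terminateTls coupling, and the one-port / one-translation rules for NAT rules) are only reported by Azure at apply time. The following added example, which is not part of the azurerm provider or of this page's original code, is a small pre-synth linter that checks a rule collection group config against those documented constraints; its types are simplified, assumed shapes of the CDKTF config rather than the generated bindings.

```typescript
// Added example (not provider code): lint a rule collection group config against the
// constraints documented in the Arguments Reference. Types below are assumed, simplified
// shapes of the CDKTF config object, not the generated azurerm bindings.
type Proto = { type: string; port: number };
type AppRule = { name: string; protocols?: Proto[]; destinationFqdns?: string[];
  destinationUrls?: string[]; terminateTls?: boolean };
type NatRule = { name: string; protocols: string[]; destinationPorts?: string[];
  translatedAddress?: string; translatedFqdn?: string; translatedPort: string };
type NetRule = { name: string; protocols: string[]; destinationPorts: string[] };
type Coll<R> = { name: string; action: string; priority: number; rule: R[] };
type Rcg = { name: string; priority: number; applicationRuleCollection?: Coll<AppRule>[];
  natRuleCollection?: Coll<NatRule>[]; networkRuleCollection?: Coll<NetRule>[] };
const inRange = (n: number, lo: number, hi: number) => Number.isInteger(n) && n >= lo && n <= hi;
const oneOf = (v: string, allowed: string[]) => allowed.includes(v.toLowerCase());
function validateRcg(cfg: Rcg): string[] {
  const errs: string[] = [];
  if (!inRange(cfg.priority, 100, 65000)) errs.push(`${cfg.name}: group priority must be 100-65000`);
  // Collection-level checks shared by all three collection kinds (values compared case-insensitively).
  const checkColl = (c: Coll<unknown>, actions: string[]) => {
    if (!inRange(c.priority, 100, 65000)) errs.push(`${c.name}: priority must be 100-65000`);
    if (!oneOf(c.action, actions)) errs.push(`${c.name}: action must be ${actions.join("/")}`);
  };
  for (const c of cfg.applicationRuleCollection ?? []) {
    checkColl(c, ["allow", "deny"]);
    for (const r of c.rule) {
      if (r.destinationFqdns?.length && !r.protocols?.length) errs.push(`${r.name}: protocols required with destinationFqdns`);
      if (r.destinationUrls?.length && r.destinationFqdns?.length) errs.push(`${r.name}: destinationUrls conflicts with destinationFqdns`);
      if (r.destinationUrls?.length && r.terminateTls !== true) errs.push(`${r.name}: destinationUrls requires terminateTls`);
      for (const p of r.protocols ?? []) {
        if (!oneOf(p.type, ["http", "https"])) errs.push(`${r.name}: bad protocol type ${p.type}`);
        if (!inRange(p.port, 0, 64000)) errs.push(`${r.name}: port ${p.port} outside 0-64000`);
      }
    }
  }
  for (const c of cfg.natRuleCollection ?? []) {
    checkColl(c, ["dnat"]);
    for (const r of c.rule) {
      if (Number(!!r.translatedAddress) + Number(!!r.translatedFqdn) !== 1) errs.push(`${r.name}: set exactly one of translatedAddress/translatedFqdn`);
      if ((r.destinationPorts ?? []).length > 1) errs.push(`${r.name}: NAT rule supports one destination port`);
      if (!r.protocols.every((p) => oneOf(p, ["tcp", "udp"]))) errs.push(`${r.name}: NAT protocols must be tcp/udp`);
    }
  }
  for (const c of cfg.networkRuleCollection ?? []) {
    checkColl(c, ["allow", "deny"]);
    for (const r of c.rule)
      if (!r.protocols.every((p) => oneOf(p, ["any", "tcp", "udp", "icmp"]))) errs.push(`${r.name}: network protocols must be any/tcp/udp/icmp`);
  }
  return errs;
}
```

Run validateRcg on the config object before passing it to the FirewallPolicyRuleCollectionGroup constructor and fail the synth if it returns any messages.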

Attributes Reference

In addition to the Arguments listed above - the following Attributes are exported:

  • id - The ID of the Firewall Policy Rule Collection Group.

Timeouts

The timeouts block allows you to specify timeouts for certain actions:

  • create - (Defaults to 30 minutes) Used when creating the Firewall Policy Rule Collection Group.
  • read - (Defaults to 5 minutes) Used when retrieving the Firewall Policy Rule Collection Group.
  • update - (Defaults to 30 minutes) Used when updating the Firewall Policy Rule Collection Group.
  • delete - (Defaults to 30 minutes) Used when deleting the Firewall Policy Rule Collection Group.

Import

Firewall Policy Rule Collection Groups can be imported using the resourceId, e.g.

terraform import azurerm_firewall_policy_rule_collection_group.example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/group1/providers/Microsoft.Network/firewallPolicies/policy1/ruleCollectionGroups/gruop1