Merge pull request #9 from qbeyond/feature/add-optional-entra-connect…

…-rules Feature/add optional entra connect rules
qbeyond · May 22, 2024 · 0f5e0f5 · 0f5e0f5
2 parents 129f712 + f77aba6
commit 0f5e0f5
Show file tree

Hide file tree

Showing 6 changed files with 90 additions and 0 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,11 @@ and this module adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.
 
 ## [Unreleased]
 
+## [2.1.0] - 2024-05-21
+
+### Added
+- Rules for entra connect
+
 ## [2.0.1] - 2024-04-29
 
 ### Fixed

diff --git a/README.md b/README.md
@@ -55,6 +55,7 @@ module "firewall_rules" {
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_ipg_application_lz_id"></a> [ipg\_application\_lz\_id](#input\_ipg\_application\_lz\_id) | IP ranges for all application landing zones. | `string` | n/a | yes |
+| <a name="input_ipg_entra_connect_id"></a> [ipg\_entra\_connect\_id](#input\_ipg\_entra\_connect\_id) | IP ranges for entra id connect VMs. | `string` | n/a | yes |
 | <a name="input_ipg_platform_id"></a> [ipg\_platform\_id](#input\_ipg\_platform\_id) | IP ranges for the whole platform service, defined by the azure landing zone core modules. | `string` | n/a | yes |
 | <a name="input_resource_group_name"></a> [resource\_group\_name](#input\_resource\_group\_name) | The name of the resource group in which the firewall policy and the azure firewall are located. | `string` | n/a | yes |
 | <a name="input_stage"></a> [stage](#input\_stage) | The stage that the resource is located in, e.g. prod, dev. | `string` | n/a | yes |

diff --git a/examples/advanced/ip_groups.tf b/examples/advanced/ip_groups.tf
@@ -65,6 +65,18 @@ resource "azurerm_ip_group" "bastion" {
 
   cidrs = ["10.0.2.0/24"]
 
+  lifecycle {
+    ignore_changes = [tags]
+  }
+}
+
+resource "azurerm_ip_group" "entra_connect" {
+  name                = "ipg-entra-connect"
+  location            = local.location
+  resource_group_name = azurerm_resource_group.example.name
+
+  cidrs = ["10.0.2.0/24"]
+
   lifecycle {
     ignore_changes = [tags]
   }

diff --git a/examples/advanced/main.tf b/examples/advanced/main.tf
@@ -29,6 +29,7 @@ module "firewall_rules" {
   ipg_azure_dc_id           = azurerm_ip_group.azure_dc.id
   ipg_application_lz_id     = azurerm_ip_group.application_lz.id
   ipg_platform_id           = azurerm_ip_group.platform.id
+  ipg_entra_connect_id      = azurerm_ip_group.entra_connect.id
   bastion_config = {
     ipg_bastion_id     = azurerm_ip_group.bastion.id
     ipg_rdp_access_ids = [azurerm_ip_group.application_lz.id]

diff --git a/main.tf b/main.tf
@@ -134,5 +134,71 @@ resource "azurerm_firewall_policy_rule_collection_group" "this" {
         port = 443
       }
     }
+
+    rule {
+      name              = "allow-certificate-verification-outbound"
+      source_ip_groups  = [var.ipg_application_lz_id, var.ipg_platform_id]
+      destination_fqdns = [
+        "mscrl.microsoft.com",
+        "*.verisign.com",
+        "*.entrust.net",
+        "*.crl3.digicert.com",
+        "*.crl4.digicert.com",
+        "*.digicert.cn",
+        "*.ocsp.digicert.com",
+        "*.www.d-trust.net",
+        "*.root-c3-ca2-2009.ocsp.d-trust.net",
+        "*.crl.microsoft.com",
+        "*.oneocsp.microsoft.com",
+        "*.ocsp.msocsp.com"
+      ]
+      protocols {
+        type = "Http"
+        port = 80
+      }
+      protocols {
+        type = "Https"
+        port = 443
+      }
+    }
+  }
+
+  dynamic "application_rule_collection" {
+    for_each = var.ipg_entra_connect_id == null ? [] : [var.ipg_entra_connect_id]
+    content {
+      name     = "rc-application_entra_connect_outbound-${var.stage}"
+      priority = 155
+      action   = "Allow"
+
+      rule {
+        name              = "allow-entra-connect-outbound"
+        source_ip_groups  = [var.ipg_entra_connect_id]
+        destination_fqdns = [
+          "*.management.core.windows.net",
+          "*.graph.windows.net",
+          "secure.aadcdn.microsoftonline-p.com",
+          "*.microsoftonline.com",
+          "*.blob.core.windows.net",
+          "*.aadconnecthealth.azure.com",
+          "*.adhybridhealth.azure.com",
+          "management.azure.com",
+          "policykeyservice.dc.ad.msft.net",
+          "login.windows.net",
+          "www.office.com", # Used for discovery purposes during registration
+          "aadcdn.msftauth.net",
+          "aadcdn.msauth.net",
+          "autoupdate.msappproxy.net",
+          "www.microsoft.com"
+        ]
+        protocols {
+          type = "Http"
+          port = 80
+        }
+        protocols {
+          type = "Https"
+          port = 443
+        }
+      }
+    }
   }
 }
diff --git a/variables.tf b/variables.tf
@@ -63,4 +63,9 @@ variable "bastion_config" {
     ipg_ssh_access_ids: If SSH access is needed, provide vm ip-groups in this variable. Every ip-group provided in this list, will be accessible by bastion via SSH.     
   ```
   DOC
+}
+
+variable "ipg_entra_connect_id" {
+  type        = string
+  description = "IP ranges for entra id connect VMs."
 }