From 8980173c43fa25bf6f1c2a4fba15302a5bfaf405 Mon Sep 17 00:00:00 2001
From: QBY-MarkusMaring <106068259+QBY-MarkusMaring@users.noreply.github.com>
Date: Tue, 21 May 2024 13:46:33 +0200
Subject: [PATCH 1/6] added rules for entra connect
---
 main.tf | 66 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 variables.tf | 5 ++++
 2 files changed, 71 insertions(+)
diff --git a/main.tf b/main.tf
index 89162db..5f0b799 100644
--- a/main.tf
+++ b/main.tf
@@ -134,5 +134,71 @@ resource "azurerm_firewall_policy_rule_collection_group" "this" {
 port = 443
 }
 }
+
+ rule {
+ name = "allow-certificate-verification-outbound"
+ source_ip_groups = [var.ipg_application_lz_id, var.ipg_platform_id]
+ destination_fqdns = [
+ "mscrl.microsoft.com",
+ "*.verisign.com",
+ "*.entrust.net",
+ "*.crl3.digicert.com",
+ "*.crl4.digicert.com",
+ "*.digicert.cn",
+ "*.ocsp.digicert.com",
+ "*.www.d-trust.net",
+ "*.root-c3-ca2-2009.ocsp.d-trust.net",
+ "*.crl.microsoft.com",
+ "*.oneocsp.microsoft.com",
+ "*.ocsp.msocsp.com"
+ ]
+ protocols {
+ type = "Http"
+ port = 80
+ }
+ protocols {
+ type = "Https"
+ port = 443
+ }
+ }
+ }
+
+ dynamic "application_rule_collection" {
+ for_each = var.ipg_entra_connect_id == null ? [] : [var.ipg_entra_connect_id]
+ content {
+ name = "rc-application_entra_connect_outbound-${var.stage}"
+ priority = 155
+ action = "Allow"
+
+ rule {
+ name = "allow-entra-connect-outbound"
+ source_ip_groups = [var.ipg_entra_connect_id]
+ destination_fqdns = [
+ "*.management.core.windows.net",
+ "*.graph.windows.net",
+ "secure.aadcdn.microsoftonline-p.com",
+ "*.microsoftonline.com"
+ "*.blob.core.windows.net",
+ "*.aadconnecthealth.azure.com"
+ "*.adhybridhealth.azure.com",
+ "management.azure.com",
+ "policykeyservice.dc.ad.msft.net",
+ "login.windows.net",
+ "www.office.com", # Used for discovery purposes during registration
+ "aadcdn.msftauth.net",
+ "aadcdn.msauth.net",
+ "autoupdate.msappproxy.net",
+ "www.microsoft.com"
+ ]
+ protocols {
+ type = "Http"
+ port = 80
+ }
+ protocols {
+ type = "Https"
+ port = 443
+ }
+ }
+ }
+ }
 }
 }
diff --git a/variables.tf b/variables.tf
index 5e00888..1e1b351 100644
--- a/variables.tf
+++ b/variables.tf
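Review bot: The `"*.blob.core.windows.net"` entry in `allow-entra-connect-outbound` opens HTTP and HTTPS egress from the Entra Connect IP group to every Azure Storage account in the public cloud, not only Microsoft-operated ones, which makes it the one destination in this list that is not bound to the service being allowed. If the storage hostnames Entra Connect actually contacts are documented for your deployment, list those instead; if a wildcard is unavoidable, keep a comment on the entry such as `# wildcard reaches any storage account, not only Microsoft-owned; accepted because the exact hostnames are not fixed` so the breadth is a recorded decision rather than an accident. Separately, `allow-certificate-verification-outbound` lists only `var.ipg_application_lz_id` and `var.ipg_platform_id` as sources, so if the Entra Connect VMs live in their own IP group they appear to have no path to the CRL/OCSP endpoints; adding `var.ipg_entra_connect_id` there (wrapped with `compact([...])` so a null value is dropped) may be needed. Both rules sit inside the `azurerm_firewall_policy_rule_collection_group` resource whose start is outside the hunk.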
@@ -63,4 +63,9 @@ variable "bastion_config" {
 ipg_ssh_access_ids: If SSH access is needed, provide vm ip-groups in this variable. Every ip-group provided in this list, will be accessible by bastion via SSH.
 ```
 DOC
+}
+
+variable "ipg_entra_connect_id" {
+ type = string
+ description = "IP ranges for entra id connect VMs."
 }
\ No newline at end of file
From c9b05060cb5ccb4712d8a0510d109835ddcd7caa Mon Sep 17 00:00:00 2001
From: QBY-MarkusMaring <106068259+QBY-MarkusMaring@users.noreply.github.com>
Date: Tue, 21 May 2024 13:47:26 +0200
Subject: [PATCH 2/6] updated example
---
 examples/advanced/ip_groups.tf | 12 ++++++++++++
 examples/advanced/main.tf | 1 +
 2 files changed, 13 insertions(+)
diff --git a/examples/advanced/ip_groups.tf b/examples/advanced/ip_groups.tf
index edd7aca..02c463e 100644
--- a/examples/advanced/ip_groups.tf
+++ b/examples/advanced/ip_groups.tf
@@ -65,6 +65,18 @@ resource "azurerm_ip_group" "bastion" {
 cidrs = ["10.0.2.0/24"]
+ lifecycle {
+ ignore_changes = [tags]
+ }
+}
+
+resource "azurerm_ip_group" "entra_connect" {
+ name = "ipg-entra-connect"
+ location = local.location
+ resource_group_name = azurerm_resource_group.example.name
+
+ cidrs = ["10.0.2.0/24"]
+
 lifecycle {
 ignore_changes = [tags]
 }
diff --git a/examples/advanced/main.tf b/examples/advanced/main.tf
index 8b51da9..c24c541 100644
--- a/examples/advanced/main.tf
+++ b/examples/advanced/main.tf
@@ -29,6 +29,7 @@ module "firewall_rules" {
 ipg_azure_dc_id = azurerm_ip_group.azure_dc.id
 ipg_application_lz_id = azurerm_ip_group.application_lz.id
 ipg_platform_id = azurerm_ip_group.platform.id
+ ipg_entra_connect_id = azurerm_ip_group.entra_connect.id
 bastion_config = {
 ipg_bastion_id = azurerm_ip_group.bastion.id
 ipg_rdp_access_ids = [azurerm_ip_group.application_lz.id]
From 80a5f111b10dc528c270d51e8d1a08821519d368 Mon Sep 17 00:00:00 2001
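Review bot: `ipg_entra_connect_id` is declared without a `default`, so it is a required input (the terraform-docs table in patch 5 lists it as Required: yes), and the `var.ipg_entra_connect_id == null ? [] : [...]` guard on the dynamic block in main.tf only takes its empty branch when a caller passes `null` explicitly. If the Entra Connect collection is meant to be optional, add `default = null` to this variable so the guard does what it appears to intend. The description also says "IP ranges" while the value is consumed by `source_ip_groups` and wired from `azurerm_ip_group.entra_connect.id` in the example; `description = "Resource id of the IP group containing the Entra Connect VMs."` would describe the actual contract.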
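Review bot: The new `entra_connect` IP group copies the bastion group's `cidrs = ["10.0.2.0/24"]`, so in the example the Entra Connect egress collection is granted to the bastion subnet rather than to a dedicated range. Even in an example, give it its own range (a constructed value such as `"10.0.3.0/24"`) so readers do not carry an over-broad source group into real deployments, and add a comment such as `# must match the subnet hosting the Entra Connect VMs` on the `cidrs` line.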
From: QBY-MarkusMaring <106068259+QBY-MarkusMaring@users.noreply.github.com>
Date: Tue, 21 May 2024 13:49:53 +0200
Subject: [PATCH 3/6] added missing comma
---
 main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/main.tf b/main.tf
index 5f0b799..9eb0976 100644
--- a/main.tf
+++ b/main.tf
@@ -177,7 +177,7 @@ resource "azurerm_firewall_policy_rule_collection_group" "this" {
 "*.management.core.windows.net",
 "*.graph.windows.net",
 "secure.aadcdn.microsoftonline-p.com",
- "*.microsoftonline.com"
+ "*.microsoftonline.com",
 "*.blob.core.windows.net",
 "*.aadconnecthealth.azure.com"
 "*.adhybridhealth.azure.com",
From d93c4225ee823009ae82ccccaa38269556ff2b35 Mon Sep 17 00:00:00 2001
From: QBY-MarkusMaring <106068259+QBY-MarkusMaring@users.noreply.github.com>
Date: Tue, 21 May 2024 13:50:33 +0200
Subject: [PATCH 4/6] fix missing comma x2
---
 main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/main.tf b/main.tf
index 9eb0976..b91b08a 100644
--- a/main.tf
+++ b/main.tf
@@ -179,7 +179,7 @@ resource "azurerm_firewall_policy_rule_collection_group" "this" {
 "secure.aadcdn.microsoftonline-p.com",
 "*.microsoftonline.com",
 "*.blob.core.windows.net",
- "*.aadconnecthealth.azure.com"
+ "*.aadconnecthealth.azure.com",
 "*.adhybridhealth.azure.com",
 "management.azure.com",
 "policykeyservice.dc.ad.msft.net",
From a787770904d27e72e646115d805ee2753556ca5b Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
Date: Tue, 21 May 2024 11:59:26 +0000
Subject: [PATCH 5/6] terraform-docs: automated action
---
 README.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/README.md b/README.md
index 4c12baa..7985479 100644
--- a/README.md
+++ b/README.md
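Review bot: Patches 3 and 4 each restore one comma dropped from the `destination_fqdns` list added in patch 1, and the intermediate state after patch 3 still leaves `"*.aadconnecthealth.azure.com"` without a comma (visible here as context), so neither main.tf revision before patch 4 would pass `terraform validate`. Since the repository already runs a terraform-docs action (patch 5), a `terraform fmt -check` and `terraform validate` step in the same workflow would reject a list like this before it lands on a branch. The list belongs to the `allow-entra-connect-outbound` rule, whose start and end lie outside both hunks.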
@@ -55,6 +55,7 @@ module "firewall_rules" {
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | [ipg\_application\_lz\_id](#input\_ipg\_application\_lz\_id) | IP ranges for all application landing zones. | `string` | n/a | yes |
+| [ipg\_entra\_connect\_id](#input\_ipg\_entra\_connect\_id) | IP ranges for entra id connect VMs. | `string` | n/a | yes |
 | [ipg\_platform\_id](#input\_ipg\_platform\_id) | IP ranges for the whole platform service, defined by the azure landing zone core modules. | `string` | n/a | yes |
 | [resource\_group\_name](#input\_resource\_group\_name) | The name of the resource group in which the firewall policy and the azure firewall are located. | `string` | n/a | yes |
 | [stage](#input\_stage) | The stage that the resource is located in, e.g. prod, dev. | `string` | n/a | yes |
From f77aba630f773fad371a15662f128afced1b4f99 Mon Sep 17 00:00:00 2001
From: QBY-MarkusMaring <106068259+QBY-MarkusMaring@users.noreply.github.com>
Date: Tue, 21 May 2024 14:00:25 +0200
Subject: [PATCH 6/6] Update CHANGELOG.md
---
 CHANGELOG.md | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index f921773..5bc7ad0 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,11 @@ and this module adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.
 ## [Unreleased]
+## [2.1.0] - 2024-05-21
+
+### Added
+- Rules for entra connect
+
 ## [2.0.1] - 2024-04-29
 ### Fixed