Firewall policy as code with HashiCorp Terraform
“in the style of a pixar movie poster, draw a friendly badger configuring a firewall with code” - bing chat
HashiCorp Terraform is a tool for managing infrastructure as code. You describe the desired state in versioned text files and Terraform drives your infrastructure into that state. Sometimes writing the code takes longer than just using the admin GUI to get something done. Sometimes it’s MUCH faster… This post shows how to add 300 address ranges to a network security rule in a single line, by creating a Terraform list from a text file.
Azure firewall policy as code with Terraform
The Azure provider for Terraform has a resource for Azure firewall policy. Use it to create a policy containing your rules. See the resources at the end of this post for more info.
Terraform list from text file
Sometimes a firewall rule needs lots of IPs or URLs. Here’s how to pull them from a separate data file. The Terraform file function, combined with the split function, lets you build a list from a file of newline-separated destination addresses. The chomp function removes the trailing newline characters at the end of the string, so the last entry does not become an empty element.
destination_addresses = split("\n", chomp(file("SomeTextFile.txt"))) // Note: use \r\n for files created on Windows that have both CR and LF line terminators
Now you can use a SaaS provider’s downloadable list of IPs in network security rules and refresh the list without changing code.
network_rule_collection {
  name     = "Desktops_to_Zoom"
  priority = 1000
  action   = "Allow"

  rule {
    name             = "zoom_meeting_TCP"
    protocols        = ["TCP"]
    source_addresses = ["10.0.0.1/24"]
    # https://support.zoom.com/hc/en/article?id=zm_kb&sysparm_article=KB0060548#h_01EJHWF2FSMCD2HFEPMQJMKAM4
    # https://assets.zoom.us/docs/ipranges/ZoomMeetings.txt
    destination_addresses = split("\n", chomp(file("ZoomMeetings.txt"))) // use \r\n for files created on Windows with both CR LF line terminators
    destination_ports     = ["8801-8802"] // add a separate application rule for HTTPS traffic on port 443
  }

  rule {
    name             = "zoom_meeting_UDP"
    protocols        = ["UDP"]
    source_addresses = ["10.0.0.1/24"]
    # https://support.zoom.com/hc/en/article?id=zm_kb&sysparm_article=KB0060548#h_01EJHWF2FSMCD2HFEPMQJMKAM4
    # https://assets.zoom.us/docs/ipranges/ZoomMeetings.txt
    destination_addresses = split("\n", chomp(file("ZoomMeetings.txt")))
    destination_ports     = ["3478", "3479", "8801-8810"]
  }
}
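As an added example (not code from the original post), here is the file-based destination list from the two sections above with the parsing hardened and checked before the rule is created: CRLF line endings, surrounding whitespace, blank lines and '#' comment lines are handled in the locals, and two preconditions fail the plan if the vendor file contains anything other than IPv4 addresses or CIDRs, or contains 0.0.0.0/0. It assumes an existing azurerm_firewall_policy.example resource and a ZoomMeetings.txt beside the module; the rule collection group name and source range are constructed.

```hcl
locals {
  # Raw vendor list; same file the post reads (path under path.module is assumed).
  zoom_raw = file("${path.module}/ZoomMeetings.txt")

  # Normalise CRLF to LF, trim each line, and drop blank or '#' comment lines,
  # so a Windows-edited or annotated file cannot yield "" or "\r" entries.
  zoom_lines = [
    for l in split("\n", replace(local.zoom_raw, "\r\n", "\n")) : trimspace(l)
    if trimspace(l) != "" && substr(trimspace(l), 0, 1) != "#"
  ]

  # Entries that are not an IPv4 address or CIDR: cidrnetmask() errors on anything
  # else and can() turns that error into false. Bare addresses are checked as /32.
  zoom_bad = [
    for l in local.zoom_lines : l
    if !can(cidrnetmask(length(split("/", l)) == 2 ? l : "${l}/32"))
  ]
}

resource "azurerm_firewall_policy_rule_collection_group" "zoom" {
  name               = "zoom-rcg"                         # constructed name
  firewall_policy_id = azurerm_firewall_policy.example.id # assumed to exist
  priority           = 500

  network_rule_collection {
    name     = "Desktops_to_Zoom"
    priority = 1000
    action   = "Allow"

    rule {
      name                  = "zoom_meeting_UDP"
      protocols             = ["UDP"]
      source_addresses      = ["10.0.0.0/24"] # constructed source range
      destination_addresses = local.zoom_lines
      destination_ports     = ["3478", "3479", "8801-8810"]
    }
  }

  lifecycle {
    # Fail at plan time rather than ship a malformed or allow-all rule.
    precondition {
      condition     = length(local.zoom_bad) == 0
      error_message = "ZoomMeetings.txt contains entries that are not IPv4 addresses or CIDRs."
    }
    precondition {
      condition     = !contains(local.zoom_lines, "0.0.0.0/0")
      error_message = "ZoomMeetings.txt contains 0.0.0.0/0; refusing to create an allow-all rule."
    }
  }
}
```

Because the list is refreshed from a third party without a code change, the preconditions are what turn a bad download into a failed plan instead of a silently widened allow rule.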