Firewall policy as code with HashiCorp Terraform


[Image: Azure badger, generated with Bing Chat from the prompt “in the style of a pixar movie poster, draw a friendly badger configuring a firewall with code”]

HashiCorp Terraform is a tool for managing infrastructure as code. You describe the desired state in versioned text files and Terraform changes your infrastructure to match. Sometimes writing the code feels slower than just clicking through the admin GUI to get something done. Sometimes it is MUCH faster. This post shows how to add 300 address ranges to a network rule in a single line, by building a Terraform list from a text file.

Azure Firewall policy as code with Terraform

The Azure provider for Terraform has resources for Azure Firewall policy: azurerm_firewall_policy holds the policy itself, and azurerm_firewall_policy_rule_collection_group holds the rule collections attached to it. Use these to create a policy containing your rules. See the references at the end of this post for more info.

Terraform list from text file

Sometimes a firewall rule needs a long list of IPs or URLs. Here is how to pull them from a separate data file. The Terraform file function reads the file into a string, chomp strips the trailing newline from the end of that string, and split turns the newline-separated string into a list of destination addresses. Without the chomp the last element of the list would be an empty string, which is not a valid address.

  destination_addresses = split("\n", chomp(file("SomeTextFile.txt")))   // a file saved on Windows has CR LF line endings: split on "\r\n" instead, or every entry but the last keeps a trailing \r

Now you can use a SaaS provider’s downloadable list of IPs in network rules and refresh the list without changing code. Commit the file next to the code so that every refresh shows up as a reviewable diff: an allow rule built this way is only as trustworthy as the file it was built from.

  # This block sits inside an azurerm_firewall_policy_rule_collection_group resource
  network_rule_collection {
    name     = "Desktops_to_Zoom"
    priority = 1000
    action   = "Allow"
    rule {
      name                  = "zoom_meeting_TCP"
      protocols             = ["TCP"]
      source_addresses      = ["10.0.0.0/24"]   # network prefix, not a host address with a /24 mask
      # https://support.zoom.com/hc/en/article?id=zm_kb&sysparm_article=KB0060548#h_01EJHWF2FSMCD2HFEPMQJMKAM4
      # https://assets.zoom.us/docs/ipranges/ZoomMeetings.txt
      destination_addresses = split("\n", chomp(file("ZoomMeetings.txt")))   # split on "\r\n" for a file saved on Windows with CR LF line endings
      destination_ports     = ["8801-8802"]   # add a separate application rule for HTTPS traffic on port 443
    }
    rule {
      name                  = "zoom_meeting_UDP"
      protocols             = ["UDP"]
      source_addresses      = ["10.0.0.0/24"]
      # https://support.zoom.com/hc/en/article?id=zm_kb&sysparm_article=KB0060548#h_01EJHWF2FSMCD2HFEPMQJMKAM4
      # https://assets.zoom.us/docs/ipranges/ZoomMeetings.txt
      destination_addresses = split("\n", chomp(file("ZoomMeetings.txt")))
      destination_ports     = ["3478", "3479", "8801-8810"]
    }
  }
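As an added example (not code from the original post), here is a hardened version of the same idea covering both the list-from-file trick and the rule that consumes it. The list is normalised whatever the line endings, blank and comment lines are dropped, and two preconditions make terraform plan fail if the downloaded file contains an entry that is not a CIDR prefix, or a prefix so broad that an allow rule built from it would effectively allow everything. It assumes Terraform 1.3 or later (for startswith and lifecycle preconditions), a firewall policy declared elsewhere as azurerm_firewall_policy.example, a ZoomMeetings.txt with one prefix per line next to the module, and a /8 floor that is a local policy choice, not a Zoom requirement.

```hcl
locals {
  # Normalise Windows CR LF line endings before splitting, so no entry carries a
  # trailing "\r" whichever OS the file was saved on. Path is an assumption.
  zoom_raw_lines = split("\n", replace(file("${path.module}/ZoomMeetings.txt"), "\r\n", "\n"))

  # One trimmed entry per line; drop blank lines, "#" comment lines and duplicates.
  zoom_ranges = distinct([
    for line in local.zoom_raw_lines : trimspace(line)
    if trimspace(line) != "" && !startswith(trimspace(line), "#")
  ])

  # Entries that do not parse as an IPv4/IPv6 prefix. A bare address with no
  # "/len" also lands here, so it gets reviewed instead of silently applied.
  zoom_invalid = [for r in local.zoom_ranges : r if !can(cidrhost(r, 0))]

  # Valid prefixes only, filtered separately so the length check below never
  # runs on a malformed entry.
  zoom_valid = [for r in local.zoom_ranges : r if can(cidrhost(r, 0))]

  # Prefixes shorter than the assumed /8 floor. A stray "0.0.0.0/0" in a
  # downloaded file would otherwise turn this allow rule into "allow anything".
  zoom_too_broad = [for r in local.zoom_valid : r if tonumber(split("/", r)[1]) < 8]
}

resource "azurerm_firewall_policy_rule_collection_group" "zoom" {
  name               = "zoom-rules"
  firewall_policy_id = azurerm_firewall_policy.example.id   # assumed to exist elsewhere
  priority           = 500

  network_rule_collection {
    name     = "Desktops_to_Zoom"
    priority = 1000
    action   = "Allow"
    rule {
      name                  = "zoom_meeting_UDP"
      protocols             = ["UDP"]
      source_addresses      = ["10.0.0.0/24"]
      destination_addresses = local.zoom_ranges
      destination_ports     = ["3478", "3479", "8801-8810"]
    }
  }

  lifecycle {
    # Both checks stop the plan rather than letting a bad file reach the firewall.
    precondition {
      condition     = length(local.zoom_invalid) == 0
      error_message = "ZoomMeetings.txt has entries that are not CIDR prefixes: ${join(", ", local.zoom_invalid)}"
    }
    precondition {
      condition     = length(local.zoom_too_broad) == 0
      error_message = "ZoomMeetings.txt has prefixes shorter than /8: ${join(", ", local.zoom_too_broad)}"
    }
  }
}

# Surfacing the count in plan output makes a truncated or empty download obvious.
output "zoom_range_count" {
  value = length(local.zoom_ranges)
}
```

After each refresh of ZoomMeetings.txt, the version-control diff of the file plus the plan output are what you review: the count output shows whether the list grew or shrank as expected, and a malformed or overly broad entry fails the plan instead of landing in the rule.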

References: