|
|
|
- name: Fix resource prefix
|
|
|
|
set_fact:
|
|
|
|
virtual_network_name: myVirtualNetwork
|
|
|
|
subnet_name: AzureFirewallSubnet
|
|
|
|
public_ipaddress_name: myPublicIpAddress
|
|
|
|
azure_firewall_name: myFirewall
|
|
|
|
|
|
|
|
- name: Create virtual network
|
|
|
|
azure_rm_virtualnetwork:
|
|
|
|
name: "{{ virtual_network_name }}"
|
|
|
|
address_prefixes_cidr:
|
|
|
|
- 10.1.0.0/16
|
|
|
|
- 172.100.0.0/16
|
|
|
|
dns_servers:
|
|
|
|
- 127.0.0.1
|
|
|
|
- 127.0.0.3
|
|
|
|
tags:
|
|
|
|
testing: testing
|
|
|
|
delete: on-exit
|
|
|
|
resource_group: "{{ resource_group }}"
|
|
|
|
|
|
|
|
- name: Create subnet
|
|
|
|
azure_rm_subnet:
|
|
|
|
name: "{{ subnet_name }}"
|
|
|
|
virtual_network_name: "{{ virtual_network_name }}"
|
|
|
|
resource_group: "{{ resource_group }}"
|
|
|
|
address_prefix_cidr: "10.1.0.0/24"
|
|
|
|
|
|
|
|
- name: Create public IP address
|
|
|
|
azure_rm_publicipaddress:
|
|
|
|
resource_group: "{{ resource_group }}"
|
|
|
|
allocation_method: Static
|
|
|
|
name: "{{ public_ipaddress_name }}"
|
|
|
|
sku: Standard
|
|
|
|
register: pip_output
|
|
|
|
|
|
|
|
- debug:
|
|
|
|
var: pip_output
|
|
|
|
|
|
|
|
- name: Create Azure Firewall
|
|
|
|
azure_rm_azurefirewall:
|
|
|
|
resource_group: '{{resource_group}}'
|
|
|
|
name: '{{azure_firewall_name}}'
|
|
|
|
#tags:
|
|
|
|
# key1: value1
|
|
|
|
application_rule_collections:
|
|
|
|
- priority: 110
|
|
|
|
action: deny
|
|
|
|
rules:
|
|
|
|
- name: rule1
|
|
|
|
description: Deny inbound rule
|
|
|
|
source_addresses:
|
|
|
|
- 216.58.216.164
|
|
|
|
- 10.0.0.0/25
|
|
|
|
protocols:
|
|
|
|
- type: https
|
|
|
|
port: '443'
|
|
|
|
target_fqdns:
|
|
|
|
- www.test.com
|
|
|
|
name: apprulecoll
|
|
|
|
nat_rule_collections:
|
|
|
|
- priority: 112
|
|
|
|
action: dnat
|
|
|
|
rules:
|
|
|
|
- name: DNAT-HTTPS-traffic
|
|
|
|
description: D-NAT all outbound web traffic for inspection
|
|
|
|
source_addresses:
|
|
|
|
- '*'
|
|
|
|
destination_addresses:
|
|
|
|
- "{{ pip_output.state.ip_address }}"
|
|
|
|
destination_ports:
|
|
|
|
- '443'
|
|
|
|
protocols:
|
|
|
|
- tcp
|
|
|
|
translated_address: 1.2.3.5
|
|
|
|
translated_port: '8443'
|
|
|
|
name: natrulecoll
|
|
|
|
network_rule_collections:
|
|
|
|
- priority: 112
|
|
|
|
action: deny
|
|
|
|
rules:
|
|
|
|
- name: L4-traffic
|
|
|
|
description: Block traffic based on source IPs and ports
|
|
|
|
protocols:
|
|
|
|
- tcp
|
|
|
|
source_addresses:
|
|
|
|
- 192.168.1.1-192.168.1.12
|
|
|
|
- 10.1.4.12-10.1.4.255
|
|
|
|
destination_addresses:
|
|
|
|
- '*'
|
|
|
|
destination_ports:
|
|
|
|
- 443-444
|
|
|
|
- '8443'
|
|
|
|
name: netrulecoll
|
|
|
|
ip_configurations:
|
|
|
|
- subnet:
|
|
|
|
virtual_network_name: "{{ virtual_network_name }}"
|
|
|
|
name: "{{ subnet_name }}"
|
|
|
|
public_ip_address:
|
|
|
|
name: "{{ public_ipaddress_name }}"
|
|
|
|
name: azureFirewallIpConfiguration
|
|
|
|
register: output
|
|
|
|
|
|
|
|
- debug:
|
|
|
|
var: output
|
|
|
|
|
|
|
|
- name: Assert that output has changed
|
|
|
|
assert:
|
|
|
|
that:
|
|
|
|
- output.changed
|
|
|
|
|
|
|
|
- name: Create Azure Firewall -- idempotent
|
|
|
|
azure_rm_azurefirewall:
|
|
|
|
resource_group: '{{resource_group}}'
|
|
|
|
name: '{{azure_firewall_name}}'
|
|
|
|
application_rule_collections:
|
|
|
|
- priority: 110
|
|
|
|
action: deny
|
|
|
|
rules:
|
|
|
|
- name: rule1
|
|
|
|
description: Deny inbound rule
|
|
|
|
source_addresses:
|
|
|
|
- 216.58.216.164
|
|
|
|
- 10.0.0.0/25
|
|
|
|
protocols:
|
|
|
|
- type: https
|
|
|
|
port: '443'
|
|
|
|
target_fqdns:
|
|
|
|
- www.test.com
|
|
|
|
name: apprulecoll
|
|
|
|
nat_rule_collections:
|
|
|
|
- priority: 112
|
|
|
|
action: dnat
|
|
|
|
rules:
|
|
|
|
- name: DNAT-HTTPS-traffic
|
|
|
|
description: D-NAT all outbound web traffic for inspection
|
|
|
|
source_addresses:
|
|
|
|
- '*'
|
|
|
|
destination_addresses:
|
|
|
|
- "{{ pip_output.state.ip_address }}"
|
|
|
|
destination_ports:
|
|
|
|
- '443'
|
|
|
|
protocols:
|
|
|
|
- tcp
|
|
|
|
translated_address: 1.2.3.5
|
|
|
|
translated_port: '8443'
|
|
|
|
name: natrulecoll
|
|
|
|
network_rule_collections:
|
|
|
|
- priority: 112
|
|
|
|
action: deny
|
|
|
|
rules:
|
|
|
|
- name: L4-traffic
|
|
|
|
description: Block traffic based on source IPs and ports
|
|
|
|
protocols:
|
|
|
|
- tcp
|
|
|
|
source_addresses:
|
|
|
|
- 192.168.1.1-192.168.1.12
|
|
|
|
- 10.1.4.12-10.1.4.255
|
|
|
|
destination_addresses:
|
|
|
|
- '*'
|
|
|
|
destination_ports:
|
|
|
|
- 443-444
|
|
|
|
- '8443'
|
|
|
|
name: netrulecoll
|
|
|
|
ip_configurations:
|
|
|
|
- subnet:
|
|
|
|
virtual_network_name: "{{ virtual_network_name }}"
|
|
|
|
name: "{{ subnet_name }}"
|
|
|
|
public_ip_address:
|
|
|
|
name: "{{ public_ipaddress_name }}"
|
|
|
|
name: azureFirewallIpConfiguration
|
|
|
|
register: output
|
|
|
|
|
|
|
|
- debug:
|
|
|
|
var: output
|
|
|
|
|
|
|
|
- name: Assert that output has not changed
|
|
|
|
assert:
|
|
|
|
that:
|
|
|
|
- not output.changed
|
|
|
|
|
|
|
|
- name: Create Azure Firewall -- change something
|
|
|
|
azure_rm_azurefirewall:
|
|
|
|
resource_group: '{{resource_group}}'
|
|
|
|
name: '{{azure_firewall_name}}'
|
|
|
|
application_rule_collections:
|
|
|
|
- priority: 110
|
|
|
|
action: deny
|
|
|
|
rules:
|
|
|
|
- name: rule1
|
|
|
|
description: Deny inbound rule
|
|
|
|
source_addresses:
|
|
|
|
- 216.58.216.165
|
|
|
|
- 10.0.0.0/25
|
|
|
|
protocols:
|
|
|
|
- type: https
|
|
|
|
port: '443'
|
|
|
|
target_fqdns:
|
|
|
|
- www.test.com
|
|
|
|
name: apprulecoll
|
|
|
|
nat_rule_collections:
|
|
|
|
- priority: 112
|
|
|
|
action: dnat
|
|
|
|
rules:
|
|
|
|
- name: DNAT-HTTPS-traffic
|
|
|
|
description: D-NAT all outbound web traffic for inspection
|
|
|
|
source_addresses:
|
|
|
|
- '*'
|
|
|
|
destination_addresses:
|
|
|
|
- "{{ pip_output.state.ip_address }}"
|
|
|
|
destination_ports:
|
|
|
|
- '443'
|
|
|
|
protocols:
|
|
|
|
- tcp
|
|
|
|
translated_address: 1.2.3.6
|
|
|
|
translated_port: '8443'
|
|
|
|
name: natrulecoll
|
|
|
|
network_rule_collections:
|
|
|
|
- priority: 112
|
|
|
|
action: deny
|
|
|
|
rules:
|
|
|
|
- name: L4-traffic
|
|
|
|
description: Block traffic based on source IPs and ports
|
|
|
|
protocols:
|
|
|
|
- tcp
|
|
|
|
source_addresses:
|
|
|
|
- 192.168.1.1-192.168.1.12
|
|
|
|
- 10.1.4.12-10.1.4.255
|
|
|
|
destination_addresses:
|
|
|
|
- '*'
|
|
|
|
destination_ports:
|
|
|
|
- 443-445
|
|
|
|
- '8443'
|
|
|
|
name: netrulecoll
|
|
|
|
ip_configurations:
|
|
|
|
- subnet:
|
|
|
|
virtual_network_name: "{{ virtual_network_name }}"
|
|
|
|
name: "{{ subnet_name }}"
|
|
|
|
public_ip_address:
|
|
|
|
name: "{{ public_ipaddress_name }}"
|
|
|
|
name: azureFirewallIpConfiguration
|
|
|
|
check_mode: yes
|
|
|
|
register: output
|
|
|
|
|
|
|
|
- name: Assert that output has changed
|
|
|
|
assert:
|
|
|
|
that:
|
|
|
|
- output.changed
|
|
|
|
|
|
|
|
- name: Get info of the Azure Firewall
|
|
|
|
azure_rm_azurefirewall_info:
|
|
|
|
resource_group: '{{resource_group}}'
|
|
|
|
name: '{{azure_firewall_name}}'
|
|
|
|
register: output
|
|
|
|
|
|
|
|
- assert:
|
|
|
|
that:
|
|
|
|
- not output.changed
|
|
|
|
- output.firewalls['id'] != None
|
|
|
|
- output.firewalls['name'] != None
|
|
|
|
- output.firewalls['location'] != None
|
|
|
|
- output.firewalls['etag'] != None
|
|
|
|
- output.firewalls['nat_rule_collections'] != None
|
|
|
|
- output.firewalls['network_rule_collections'] != None
|
|
|
|
- output.firewalls['ip_configurations'] != None
|
|
|
|
- output.firewalls['provisioning_state'] != None
|
|
|
|
|
|
|
|
- name: Delete Azure Firewall
|
|
|
|
azure_rm_azurefirewall:
|
|
|
|
resource_group: '{{resource_group}}'
|
|
|
|
name: '{{azure_firewall_name}}'
|
|
|
|
state: absent
|
|
|
|
register: output
|
|
|
|
|
|
|
|
- assert:
|
|
|
|
that:
|
|
|
|
- output.changed
|