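---
# Integration tasks for azure_rm_azurefirewall.
#
# Flow: set shared names -> create VNet, subnet and public IP -> create a
# firewall -> re-run the identical definition (must report no change) ->
# re-run with a few rule values altered in check mode (must report a change
# without applying it). The variable `resource_group` must be supplied by the
# caller. Every address, FQDN and port here is a disposable test fixture,
# not a description of a real deployment.
#
# Changes from the previous revision: tasks restored to one-key-per-line
# layout, `check_mode: yes` written as a canonical boolean, Jinja expressions
# quoted consistently, and hyphenated port ranges quoted so no parser can
# re-type them.

- name: Fix resource prefix
  # Names shared by every task below. The subnet name is the one Azure
  # Firewall expects for its ip_configurations, so it is not arbitrary.
  set_fact:
    virtual_network_name: myVirtualNetwork
    subnet_name: AzureFirewallSubnet
    public_ipaddress_name: myPublicIpAddress
    azure_firewall_name: myFirewall

- name: Create virtual network
  azure_rm_virtualnetwork:
    resource_group: "{{ resource_group }}"
    name: "{{ virtual_network_name }}"
    address_prefixes_cidr:
      - 10.1.0.0/16
      - 172.100.0.0/16
    dns_servers:
      - 127.0.0.1
      - 127.0.0.3
    tags:
      testing: testing
      delete: on-exit

- name: Create subnet
  # Carved out of the first VNet prefix above.
  azure_rm_subnet:
    resource_group: "{{ resource_group }}"
    virtual_network_name: "{{ virtual_network_name }}"
    name: "{{ subnet_name }}"
    address_prefix_cidr: "10.1.0.0/24"

- name: Create public IP address
  # Static allocation: the address is known after this task, so the DNAT
  # rule below can reference it through pip_output.
  azure_rm_publicipaddress:
    resource_group: "{{ resource_group }}"
    name: "{{ public_ipaddress_name }}"
    allocation_method: Static
    sku: Standard
  register: pip_output

- name: Show public IP result
  debug:
    var: pip_output

- name: Create Azure Firewall
  azure_rm_azurefirewall:
    resource_group: "{{ resource_group }}"
    name: "{{ azure_firewall_name }}"
    # tags:
    #   key1: value1
    application_rule_collections:
      - name: apprulecoll
        priority: 110
        action: deny
        rules:
          - name: rule1
            description: Deny inbound rule
            source_addresses:
              - 216.58.216.164
              - 10.0.0.0/25
            protocols:
              - type: https
                port: "443"
            target_fqdns:
              - www.test.com
    nat_rule_collections:
      - name: natrulecoll
        priority: 112
        action: dnat
        rules:
          # Source "*" is the wildcard (any source) in Azure Firewall rules:
          # anything reaching the firewall's public IP on 443 is forwarded
          # to 1.2.3.5:8443. Fine for a throw-away test firewall; a real
          # rule would scope the source list.
          - name: DNAT-HTTPS-traffic
            description: D-NAT all outbound web traffic for inspection
            source_addresses:
              - "*"
            destination_addresses:
              - "{{ pip_output.state.ip_address }}"
            destination_ports:
              - "443"
            protocols:
              - tcp
            translated_address: 1.2.3.5
            translated_port: "8443"
    network_rule_collections:
      - name: netrulecoll
        priority: 112
        action: deny
        rules:
          - name: L4-traffic
            description: Block traffic based on source IPs and ports
            protocols:
              - tcp
            source_addresses:
              - 192.168.1.1-192.168.1.12
              - 10.1.4.12-10.1.4.255
            destination_addresses:
              - "*"
            destination_ports:
              - "443-444"
              - "8443"
    ip_configurations:
      - name: azureFirewallIpConfiguration
        subnet:
          virtual_network_name: "{{ virtual_network_name }}"
          name: "{{ subnet_name }}"
        public_ip_address:
          name: "{{ public_ipaddress_name }}"
  register: output

- name: Show firewall result
  debug:
    var: output

- name: Assert that output has changed
  assert:
    that:
      - output.changed

- name: Create Azure Firewall -- idempotent
  # Must stay value-for-value identical to the task above; any edit there
  # has to be mirrored here or the "not changed" assertion below is wrong.
  azure_rm_azurefirewall:
    resource_group: "{{ resource_group }}"
    name: "{{ azure_firewall_name }}"
    application_rule_collections:
      - name: apprulecoll
        priority: 110
        action: deny
        rules:
          - name: rule1
            description: Deny inbound rule
            source_addresses:
              - 216.58.216.164
              - 10.0.0.0/25
            protocols:
              - type: https
                port: "443"
            target_fqdns:
              - www.test.com
    nat_rule_collections:
      - name: natrulecoll
        priority: 112
        action: dnat
        rules:
          - name: DNAT-HTTPS-traffic
            description: D-NAT all outbound web traffic for inspection
            source_addresses:
              - "*"
            destination_addresses:
              - "{{ pip_output.state.ip_address }}"
            destination_ports:
              - "443"
            protocols:
              - tcp
            translated_address: 1.2.3.5
            translated_port: "8443"
    network_rule_collections:
      - name: netrulecoll
        priority: 112
        action: deny
        rules:
          - name: L4-traffic
            description: Block traffic based on source IPs and ports
            protocols:
              - tcp
            source_addresses:
              - 192.168.1.1-192.168.1.12
              - 10.1.4.12-10.1.4.255
            destination_addresses:
              - "*"
            destination_ports:
              - "443-444"
              - "8443"
    ip_configurations:
      - name: azureFirewallIpConfiguration
        subnet:
          virtual_network_name: "{{ virtual_network_name }}"
          name: "{{ subnet_name }}"
        public_ip_address:
          name: "{{ public_ipaddress_name }}"
  register: output

- name: Show idempotent firewall result
  debug:
    var: output

- name: Assert that output has not changed
  assert:
    that:
      - not output.changed

- name: Create Azure Firewall -- change something
  # Three values differ from the definition above (application rule source
  # .164 -> .165, translated_address .5 -> .6, port range 443-444 ->
  # 443-445). check_mode keeps the change from being applied; only the
  # reported `changed` flag is under test.
  azure_rm_azurefirewall:
    resource_group: "{{ resource_group }}"
    name: "{{ azure_firewall_name }}"
    application_rule_collections:
      - name: apprulecoll
        priority: 110
        action: deny
        rules:
          - name: rule1
            description: Deny inbound rule
            source_addresses:
              - 216.58.216.165
              - 10.0.0.0/25
            protocols:
              - type: https
                port: "443"
            target_fqdns:
              - www.test.com
    nat_rule_collections:
      - name: natrulecoll
        priority: 112
        action: dnat
        rules:
          - name: DNAT-HTTPS-traffic
            description: D-NAT all outbound web traffic for inspection
            source_addresses:
              - "*"
            destination_addresses:
              - "{{ pip_output.state.ip_address }}"
            destination_ports:
              - "443"
            protocols:
              - tcp
            translated_address: 1.2.3.6
            translated_port: "8443"
    network_rule_collections:
      - name: netrulecoll
        priority: 112
        action: deny
        rules:
          - name: L4-traffic
            description: Block traffic based on source IPs and ports
            protocols:
              - tcp
            source_addresses:
              - 192.168.1.1-192.168.1.12
              - 10.1.4.12-10.1.4.255
            destination_addresses:
              - "*"
            destination_ports:
              - "443-445"
              - "8443"
    ip_configurations:
      - name: azureFirewallIpConfiguration
        subnet:
          virtual_network_name: "{{ virtual_network_name }}"
          name: "{{ subnet_name }}"
        public_ip_address:
          name: "{{ public_ipaddress_name }}"
  check_mode: true
  register: output

- name: Assert that output has changed
  assert:
    that:
      - output.changed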