resource "azurerm_firewall" "this" { location = var.location name = var.name resource_group_name = var.resource_group_name sku_name = var.firewall_sku_name sku_tier = var.firewall_sku_tier firewall_policy_id = var.firewall_policy_id private_ip_ranges = var.firewall_private_ip_ranges tags = var.tags zones = var.firewall_zones dynamic "ip_configuration" { for_each = var.firewall_ip_configuration == null ? [] : var.firewall_ip_configuration content { name = ip_configuration.value.name public_ip_address_id = ip_configuration.value.public_ip_address_id subnet_id = ip_configuration.value.subnet_id } } dynamic "management_ip_configuration" { for_each = var.firewall_management_ip_configuration == null ? [] : [var.firewall_management_ip_configuration] content { name = management_ip_configuration.value.name public_ip_address_id = management_ip_configuration.value.public_ip_address_id subnet_id = management_ip_configuration.value.subnet_id } } dynamic "timeouts" { for_each = var.firewall_timeouts == null ? [] : [var.firewall_timeouts] content { create = timeouts.value.create delete = timeouts.value.delete read = timeouts.value.read update = timeouts.value.update } } dynamic "virtual_hub" { for_each = var.firewall_virtual_hub == null ? [] : [var.firewall_virtual_hub] content { virtual_hub_id = virtual_hub.value.virtual_hub_id public_ip_count = virtual_hub.value.public_ip_count } } } # Assigning Roles to the Firewall based on the provided configurations. resource "azurerm_role_assignment" "this" { for_each = var.role_assignments principal_id = each.value.principal_id scope = azurerm_firewall.this.id condition = each.value.condition condition_version = each.value.condition_version delegated_managed_identity_resource_id = each.value.delegated_managed_identity_resource_id principal_type = each.value.principal_type role_definition_id = strcontains(lower(each.value.role_definition_id_or_name), lower(local.role_definition_resource_substring)) ? each.value.role_definition_id_or_name : null role_definition_name = strcontains(lower(each.value.role_definition_id_or_name), lower(local.role_definition_resource_substring)) ? null : each.value.role_definition_id_or_name skip_service_principal_aad_check = each.value.skip_service_principal_aad_check } resource "azurerm_monitor_diagnostic_setting" "this" { for_each = var.diagnostic_settings name = each.value.name != null ? each.value.name : "diag-${var.name}" target_resource_id = azurerm_firewall.this.id eventhub_authorization_rule_id = each.value.event_hub_authorization_rule_resource_id eventhub_name = each.value.event_hub_name log_analytics_destination_type = each.value.log_analytics_destination_type log_analytics_workspace_id = each.value.workspace_resource_id partner_solution_id = each.value.marketplace_partner_resource_id storage_account_id = each.value.storage_account_resource_id dynamic "enabled_log" { for_each = each.value.log_categories content { category = enabled_log.value } } dynamic "enabled_log" { for_each = each.value.log_groups content { category_group = enabled_log.value } } dynamic "metric" { for_each = each.value.metric_categories content { category = metric.value } } } resource "azurerm_management_lock" "this" { count = var.lock != null ? 1 : 0 lock_level = var.lock.kind name = coalesce(var.lock.name, "lock-${var.lock.kind}") scope = azurerm_firewall.this.id notes = var.lock.kind == "CanNotDelete" ? "Cannot delete the resource or its child resources." : "Cannot delete or modify the resource or its child resources." }