# Resource names shared by every task below; later tasks reference them
# through "{{ ... }}" templating.
- name: Fix resource prefix
  set_fact:
    azure_firewall_name: myFirewall
    public_ipaddress_name: myPublicIpAddress
    virtual_network_name: myVirtualNetwork
    subnet_name: AzureFirewallSubnet

# Virtual network that will hold the firewall subnet. Two address spaces are
# declared; the subnet created next (10.1.0.0/24) is carved out of the first.
- name: Create virtual network
  azure_rm_virtualnetwork:
    name: "{{ virtual_network_name }}"
    address_prefixes_cidr:
      - 10.1.0.0/16
      - 172.100.0.0/16
    # Loopback addresses: test placeholders, not a usable resolver setup.
    dns_servers:
      - 127.0.0.1
      - 127.0.0.3
    tags:
      testing: testing
      # presumably read by the test-suite teardown -- confirm against the CI cleanup
      delete: on-exit
    resource_group: "{{ resource_group }}"

# Subnet inside the first address space of the virtual network above. Its name
# comes from subnet_name (AzureFirewallSubnet), the name the firewall expects
# -- confirm against the provider documentation.
- name: Create subnet
  azure_rm_subnet:
    resource_group: '{{ resource_group }}'
    virtual_network_name: '{{ virtual_network_name }}'
    name: '{{ subnet_name }}'
    address_prefix_cidr: '10.1.0.0/24'

# Static Standard-SKU public IP for the firewall. The registered result is read
# later as pip_output.state.ip_address (NAT rule destination).
- name: Create public IP address
  azure_rm_publicipaddress:
    name: '{{ public_ipaddress_name }}'
    resource_group: '{{ resource_group }}'
    sku: Standard
    allocation_method: Static
  register: pip_output

# Echo the public IP result so pip_output.state.ip_address is visible in the log.
- debug:
    var: pip_output

# First real run: creates the firewall with one application, one NAT and one
# network rule collection, bound to the subnet and public IP created above.
# The result is registered as `output`; the assert that follows expects
# output.changed to be true.
- name: Create Azure Firewall
  azure_rm_azurefirewall:
    resource_group: '{{resource_group}}'
    name: '{{azure_firewall_name}}'
    # tags:
    #   key1: value1
    application_rule_collections:
      - priority: 110
        # Deny HTTPS (443) from the two listed sources to www.test.com.
        action: deny
        rules:
          - name: rule1
            description: Deny inbound rule
            source_addresses:
              - 216.58.216.164
              - 10.0.0.0/25
            protocols:
              - type: https
                port: '443'
            target_fqdns:
              - www.test.com
        name: apprulecoll
    nat_rule_collections:
      - priority: 112
        action: dnat
        rules:
          - name: DNAT-HTTPS-traffic
            description: D-NAT all outbound web traffic for inspection
            # '*' matches any source: TCP/443 on the firewall's public IP is
            # forwarded to translated_address:translated_port. Test fixture --
            # a production DNAT rule would scope source_addresses.
            source_addresses:
              - '*'
            # Public IP registered by "Create public IP address" above.
            destination_addresses:
              - "{{ pip_output.state.ip_address }}"
            destination_ports:
              - '443'
            protocols:
              - tcp
            # Placeholder backend address; no task in this file provisions it.
            translated_address: 1.2.3.5
            translated_port: '8443'
        name: natrulecoll
    network_rule_collections:
      - priority: 112
        action: deny
        rules:
          - name: L4-traffic
            description: Block traffic based on source IPs and ports
            protocols:
              - tcp
            # Address ranges are written as start-end, not CIDR.
            source_addresses:
              - 192.168.1.1-192.168.1.12
              - 10.1.4.12-10.1.4.255
            destination_addresses:
              - '*'
            # Mixed forms: a port range and a single quoted port.
            destination_ports:
              - 443-444
              - '8443'
        name: netrulecoll
    # One IP configuration tying the firewall to the subnet and the public IP.
    ip_configurations:
      - subnet:
          virtual_network_name: "{{ virtual_network_name }}"
          name: "{{ subnet_name }}"
        public_ip_address:
          name: "{{ public_ipaddress_name }}"
        name: azureFirewallIpConfiguration
  register: output

# Echo the firewall module result for the test log.
- debug:
    var: output

# The first creation must report a change.
- name: Assert that output has changed
  assert:
    that:
      - output.changed

# Idempotency check: the same parameters as the first "Create Azure Firewall"
# task (only the commented-out tags are absent). The assert that follows
# expects output.changed to be false.
- name: Create Azure Firewall -- idempotent
  azure_rm_azurefirewall:
    resource_group: '{{resource_group}}'
    name: '{{azure_firewall_name}}'
    application_rule_collections:
      - priority: 110
        action: deny
        rules:
          - name: rule1
            description: Deny inbound rule
            source_addresses:
              - 216.58.216.164
              - 10.0.0.0/25
            protocols:
              - type: https
                port: '443'
            target_fqdns:
              - www.test.com
        name: apprulecoll
    nat_rule_collections:
      - priority: 112
        action: dnat
        rules:
          - name: DNAT-HTTPS-traffic
            description: D-NAT all outbound web traffic for inspection
            # '*' matches any source -- test fixture, see the first firewall task.
            source_addresses:
              - '*'
            destination_addresses:
              - "{{ pip_output.state.ip_address }}"
            destination_ports:
              - '443'
            protocols:
              - tcp
            translated_address: 1.2.3.5
            translated_port: '8443'
        name: natrulecoll
    network_rule_collections:
      - priority: 112
        action: deny
        rules:
          - name: L4-traffic
            description: Block traffic based on source IPs and ports
            protocols:
              - tcp
            source_addresses:
              - 192.168.1.1-192.168.1.12
              - 10.1.4.12-10.1.4.255
            destination_addresses:
              - '*'
            destination_ports:
              - 443-444
              - '8443'
        name: netrulecoll
    ip_configurations:
      - subnet:
          virtual_network_name: "{{ virtual_network_name }}"
          name: "{{ subnet_name }}"
        public_ip_address:
          name: "{{ public_ipaddress_name }}"
        name: azureFirewallIpConfiguration
  register: output

# Echo the idempotent-run result for the test log.
- debug:
    var: output

# Re-applying identical parameters must not report a change.
- name: Assert that output has not changed
  assert:
    that:
      - not output.changed

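# Change detection: three values differ from the first firewall task
# (application-rule source 216.58.216.165 instead of .164, translated_address
# 1.2.3.6 instead of .5, network-rule port range 443-445 instead of 443-444).
# The task runs in check mode, so nothing is modified in Azure; the assert that
# follows only expects the module to report that it would change.
- name: Create Azure Firewall -- change something
  azure_rm_azurefirewall:
    resource_group: '{{resource_group}}'
    name: '{{azure_firewall_name}}'
    application_rule_collections:
      - priority: 110
        action: deny
        rules:
          - name: rule1
            description: Deny inbound rule
            source_addresses:
              # changed from 216.58.216.164
              - 216.58.216.165
              - 10.0.0.0/25
            protocols:
              - type: https
                port: '443'
            target_fqdns:
              - www.test.com
        name: apprulecoll
    nat_rule_collections:
      - priority: 112
        action: dnat
        rules:
          - name: DNAT-HTTPS-traffic
            description: D-NAT all outbound web traffic for inspection
            # '*' matches any source -- test fixture, see the first firewall task.
            source_addresses:
              - '*'
            destination_addresses:
              - "{{ pip_output.state.ip_address }}"
            destination_ports:
              - '443'
            protocols:
              - tcp
            # changed from 1.2.3.5
            translated_address: 1.2.3.6
            translated_port: '8443'
        name: natrulecoll
    network_rule_collections:
      - priority: 112
        action: deny
        rules:
          - name: L4-traffic
            description: Block traffic based on source IPs and ports
            protocols:
              - tcp
            source_addresses:
              - 192.168.1.1-192.168.1.12
              - 10.1.4.12-10.1.4.255
            destination_addresses:
              - '*'
            destination_ports:
              # changed from 443-444
              - 443-445
              - '8443'
        name: netrulecoll
    ip_configurations:
      - subnet:
          virtual_network_name: "{{ virtual_network_name }}"
          name: "{{ subnet_name }}"
        public_ip_address:
          name: "{{ public_ipaddress_name }}"
        name: azureFirewallIpConfiguration
  # Canonical boolean instead of the YAML 1.1 `yes` literal (yamllint truthy);
  # Ansible treats both as true, so behaviour is unchanged.
  check_mode: true
  register: output
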
# The check-mode run with modified values must report that it would change.
- name: Assert that output has changed
  assert:
    that:
      - output.changed