ansible/test/integration/targets/azure_rm_azurefirewall/tasks/main.yml

278 lines
7.5 KiB
YAML
Raw Normal View History

- name: Fix resource prefix
set_fact:
virtual_network_name: myVirtualNetwork
subnet_name: AzureFirewallSubnet
public_ipaddress_name: myPublicIpAddress
azure_firewall_name: myFirewall
- name: Create virtual network
azure_rm_virtualnetwork:
name: "{{ virtual_network_name }}"
address_prefixes_cidr:
- 10.1.0.0/16
- 172.100.0.0/16
dns_servers:
- 127.0.0.1
- 127.0.0.3
tags:
testing: testing
delete: on-exit
resource_group: "{{ resource_group }}"
- name: Create subnet
azure_rm_subnet:
name: "{{ subnet_name }}"
virtual_network_name: "{{ virtual_network_name }}"
resource_group: "{{ resource_group }}"
address_prefix_cidr: "10.1.0.0/24"
- name: Create public IP address
azure_rm_publicipaddress:
resource_group: "{{ resource_group }}"
allocation_method: Static
name: "{{ public_ipaddress_name }}"
sku: Standard
register: pip_output
- debug:
var: pip_output
- name: Create Azure Firewall
azure_rm_azurefirewall:
resource_group: '{{resource_group}}'
name: '{{azure_firewall_name}}'
#tags:
# key1: value1
application_rule_collections:
- priority: 110
action: deny
rules:
- name: rule1
description: Deny inbound rule
source_addresses:
- 216.58.216.164
- 10.0.0.0/25
protocols:
- type: https
port: '443'
target_fqdns:
- www.test.com
name: apprulecoll
nat_rule_collections:
- priority: 112
action: dnat
rules:
- name: DNAT-HTTPS-traffic
description: D-NAT all outbound web traffic for inspection
source_addresses:
- '*'
destination_addresses:
- "{{ pip_output.state.ip_address }}"
destination_ports:
- '443'
protocols:
- tcp
translated_address: 1.2.3.5
translated_port: '8443'
name: natrulecoll
network_rule_collections:
- priority: 112
action: deny
rules:
- name: L4-traffic
description: Block traffic based on source IPs and ports
protocols:
- tcp
source_addresses:
- 192.168.1.1-192.168.1.12
- 10.1.4.12-10.1.4.255
destination_addresses:
- '*'
destination_ports:
- 443-444
- '8443'
name: netrulecoll
ip_configurations:
- subnet:
virtual_network_name: "{{ virtual_network_name }}"
name: "{{ subnet_name }}"
public_ip_address:
name: "{{ public_ipaddress_name }}"
name: azureFirewallIpConfiguration
register: output
- debug:
var: output
- name: Assert that output has changed
assert:
that:
- output.changed
- name: Create Azure Firewall -- idempotent
azure_rm_azurefirewall:
resource_group: '{{resource_group}}'
name: '{{azure_firewall_name}}'
application_rule_collections:
- priority: 110
action: deny
rules:
- name: rule1
description: Deny inbound rule
source_addresses:
- 216.58.216.164
- 10.0.0.0/25
protocols:
- type: https
port: '443'
target_fqdns:
- www.test.com
name: apprulecoll
nat_rule_collections:
- priority: 112
action: dnat
rules:
- name: DNAT-HTTPS-traffic
description: D-NAT all outbound web traffic for inspection
source_addresses:
- '*'
destination_addresses:
- "{{ pip_output.state.ip_address }}"
destination_ports:
- '443'
protocols:
- tcp
translated_address: 1.2.3.5
translated_port: '8443'
name: natrulecoll
network_rule_collections:
- priority: 112
action: deny
rules:
- name: L4-traffic
description: Block traffic based on source IPs and ports
protocols:
- tcp
source_addresses:
- 192.168.1.1-192.168.1.12
- 10.1.4.12-10.1.4.255
destination_addresses:
- '*'
destination_ports:
- 443-444
- '8443'
name: netrulecoll
ip_configurations:
- subnet:
virtual_network_name: "{{ virtual_network_name }}"
name: "{{ subnet_name }}"
public_ip_address:
name: "{{ public_ipaddress_name }}"
name: azureFirewallIpConfiguration
register: output
- debug:
var: output
- name: Assert that output has not changed
assert:
that:
- not output.changed
- name: Create Azure Firewall -- change something
azure_rm_azurefirewall:
resource_group: '{{resource_group}}'
name: '{{azure_firewall_name}}'
application_rule_collections:
- priority: 110
action: deny
rules:
- name: rule1
description: Deny inbound rule
source_addresses:
- 216.58.216.165
- 10.0.0.0/25
protocols:
- type: https
port: '443'
target_fqdns:
- www.test.com
name: apprulecoll
nat_rule_collections:
- priority: 112
action: dnat
rules:
- name: DNAT-HTTPS-traffic
description: D-NAT all outbound web traffic for inspection
source_addresses:
- '*'
destination_addresses:
- "{{ pip_output.state.ip_address }}"
destination_ports:
- '443'
protocols:
- tcp
translated_address: 1.2.3.6
translated_port: '8443'
name: natrulecoll
network_rule_collections:
- priority: 112
action: deny
rules:
- name: L4-traffic
description: Block traffic based on source IPs and ports
protocols:
- tcp
source_addresses:
- 192.168.1.1-192.168.1.12
- 10.1.4.12-10.1.4.255
destination_addresses:
- '*'
destination_ports:
- 443-445
- '8443'
name: netrulecoll
ip_configurations:
- subnet:
virtual_network_name: "{{ virtual_network_name }}"
name: "{{ subnet_name }}"
public_ip_address:
name: "{{ public_ipaddress_name }}"
name: azureFirewallIpConfiguration
check_mode: yes
register: output
- name: Assert that output has changed
assert:
that:
- output.changed
- name: Get info of the Azure Firewall
azure_rm_azurefirewall_info:
resource_group: '{{resource_group}}'
name: '{{azure_firewall_name}}'
register: output
- assert:
that:
- not output.changed
- output.firewalls['id'] != None
- output.firewalls['name'] != None
- output.firewalls['location'] != None
- output.firewalls['etag'] != None
- output.firewalls['nat_rule_collections'] != None
- output.firewalls['network_rule_collections'] != None
- output.firewalls['ip_configurations'] != None
- output.firewalls['provisioning_state'] != None
- name: Delete Azure Firewall
azure_rm_azurefirewall:
resource_group: '{{resource_group}}'
name: '{{azure_firewall_name}}'
state: absent
register: output
- assert:
that:
- output.changed