feat: support multiple public ips in connectivity firewall

[tobiasehlert]

Overview/Summary

This PR gives the possibility to the connectivity module the option to specify how many public IPs you want to have deployed as part of your landing zone.

The default is set to be one, but when specifying more, you get multiple IPs provisioned and associated with the firewall in the hub_network.

The naming of azurerm_public_ip resource are -pip, -pip-2, pip-3 and so on, so nothing gets removed.

This PR fixes/adds/changes/removes

1. fixes feature request: Azure Firewall Configuration does not support Specific Public IP addresses or multiple Public IP addresses #1083
2. fixes How to add a second IP to Azure Firewall #879

Breaking Changes

None.

Testing Evidence

Please provide any testing evidence to show that your Pull Request works/fixes as described and planned (include screenshots, if appropriate).

Terraform will perform the following actions:

  # module.enterprise_scale.azurerm_firewall.connectivity["/subscriptions/<subscription-id>/resourceGroups/myalz-connectivity-swedencentral/providers/Microsoft.Network/azureFirewalls/myalz-fw-swedencentral"] will be updated in-place
  ~ resource "azurerm_firewall" "connectivity" {
        id                  = "/subscriptions/<subscription-id>/resourceGroups/myalz-connectivity-swedencentral/providers/Microsoft.Network/azureFirewalls/myalz-fw-swedencentral"
        name                = "myalz-fw-swedencentral"
        tags                = {
            "deployedBy"   = "terraform/azure/caf-enterprise-scale"
        }
        # (10 unchanged attributes hidden)

      + ip_configuration {
          + name                 = "myalz-fw-swedencentral-pip-2"
          + public_ip_address_id = "/subscriptions/<subscription-id>/resourceGroups/myalz-connectivity-swedencentral/providers/Microsoft.Network/publicIPAddresses/myalz-fw-swedencentral-pip-2"
        }

        # (2 unchanged blocks hidden)
    }

  # module.enterprise_scale.azurerm_public_ip.connectivity["/subscriptions/<subscription-id>/resourceGroups/myalz-connectivity-swedencentral/providers/Microsoft.Network/publicIPAddresses/myalz-fw-swedencentral-pip-2"] will be created
  + resource "azurerm_public_ip" "connectivity" {
      + allocation_method       = "Static"
      + ddos_protection_mode    = "VirtualNetworkInherited"
      + fqdn                    = (known after apply)
      + id                      = (known after apply)
      + idle_timeout_in_minutes = 4
      + ip_address              = (known after apply)
      + ip_version              = "IPv4"
      + location                = "swedencentral"
      + name                    = "myalz-fw-swedencentral-pip-2"
      + resource_group_name     = "myalz-connectivity-swedencentral"
      + sku                     = "Standard"
      + sku_tier                = "Regional"
      + tags                    = {
          + "deployedBy"   = "terraform/azure/caf-enterprise-scale"
        }
      + zones                   = [
          + "1",
          + "2",
          + "3",
        ]
    }

Plan: 1 to add, 1 to change, 0 to destroy.

As part of this Pull Request I have

• Checked for duplicate Pull Requests
• Associated it with relevant issues, for tracking and closure.
• Ensured my code/branch is up-to-date with the latest changes in the main branch
• Performed testing and provided evidence.
• Updated relevant and associated documentation.

[magnus-longva-bouvet]

index b666ac8..49bcf28 100644
--- a/02-connectivity/main.tf
+++ b/02-connectivity/main.tf
@@ -13,8 +13,7 @@ resource "azurerm_virtual_wan" "vwan" {
 
 
 module "connectivity" {
-  source  = "Azure/caf-enterprise-scale/azurerm"
-  version = "6.2.1"
+  source = "github.com/tobiasehlert/terraform-azurerm-caf-enterprise-scale.git?ref=feat-multiple-public-ips-in-hub-firewall"
 
   # Disable telemetry
   disable_telemetry = true
diff --git a/02-connectivity/settings.nwe.vwan.connectivity.tf b/02-connectivity/settings.nwe.vwan.connectivity.tf
index fe655a1..28db3f5 100644
--- a/02-connectivity/settings.nwe.vwan.connectivity.tf
+++ b/02-connectivity/settings.nwe.vwan.connectivity.tf
@@ -39,6 +39,7 @@ locals {
         azure_firewall = {
           enabled = true
           config = {
+            public_ip_count               = 8
             enable_dns_proxy              = true
             dns_servers                   = [azurerm_private_dns_resolver_inbound_endpoint.dns_hub_ext_vnet_nwe.ip_configurations[0].private_ip_address]
             sku_tier                      = "Premium" 

After making these changes in my Terraform configuration, I only get changes to outputs. Am I missing something obvious?

Changes to Outputs:
  ~ configuration                     = {
      ~ settings = {
          ~ vwan_hub_networks    = [
              ~ {
                  ~ config  = {
                      ~ azure_firewall                            = {
                          ~ config  = {
                              + public_ip_count               = 8
                                # (8 unchanged attributes hidden)
                            }
                            # (1 unchanged attribute hidden)
                        }
                        # (10 unchanged attributes hidden)
                    }
                    # (1 unchanged attribute hidden)
                },
            ]
            # (3 unchanged attributes hidden)
        }
        tags     = {}
        # (2 unchanged attributes hidden)
    }

[tobiasehlert]

@magnus-longva-bouvet, oh yeah.. I only added that for hub_networks and not for vwan_hub_networks.
I don't run the vwan_hub_networks so have a hard time verifying that it fully works.

[tobiasehlert]

Can maybe @matt-FFFFFF review this PR?
Would be great to have multiple public IPs supported :)

[matt-FFFFFF]

/azp run unit

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[Copilot]

Pull Request Overview

This PR adds support for deploying multiple public IPs for the connectivity firewall, allowing users to specify the number of public IPs via the new parameter "public_ip_count".

• Added "public_ip_count" to the root README.md.
• Added "public_ip_count" to the modules/connectivity/README.md.

Reviewed Changes

Copilot reviewed 2 out of 5 changed files in this pull request and generated no comments.

File	Description
README.md	Documentation update to include the public_ip_count parameter
modules/connectivity/README.md	Documentation update to include the public_ip_count parameter

Files not reviewed (3)

• modules/connectivity/locals.tf: Language not supported
• modules/connectivity/variables.tf: Language not supported
• variables.tf: Language not supported

[tobiasehlert]

@matt-FFFFFF, is there something that I can do in terms of this PR?

[eehret]

Is this PR stalled somehow? We really need this. Is there anything we can do to help move this along?