This Terraform module is used to create firewall resource on AZURE. AZURE Firewall is a managed network security service provided by Microsoft Azure.

Terraform Azure Module Template

With our comprehensive DevOps toolkit - streamline operations, automate workflows, enhance collaboration and, most importantly, deploy with confidence.


We are a group of DevOps engineers and architects collaborating to build standardized, scalable, and secure infrastructure in today's ever-evolving digital landscape. Rooted in a strong belief in automation and modular design, much like microservices, we focus on decomposing infrastructure into smaller, reusable components such as databases, clusters, and more. These components are built to follow industry best practices and are easy to manage, scale, and secure.

This repository is part of the terraform-az-modules organization and provides open-source, reusable Terraform modules. It includes practical examples and workflows to help users quickly understand, implement, and improve their infrastructure with minimal configuration and high maintainability.

Prerequisites and Providers

This table contains both prerequisites and providers:

| Description  | Name      | Version    |
|--------------|-----------|------------|
| Prerequisite | Terraform | >= 1.6.6   |
| Provider     | azure     | >= 3.116.0 |

Examples

IMPORTANT: Because the master branch referenced in `source` changes as new modifications land, we recommend pinning to a release version.

For additional usage examples, see the complete list under the examples/ directory.
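The inputs documented in this README wired into a single module call, as an added example rather than one of the repository's own examples/. The git ref tag, the resource group, the subnet and workspace references and the 10.0.0.0/16 address space are assumptions for illustration.

```hcl
# Added example, not from the module's examples/: one firewall with explicit
# allow rules, threat-intel filtering set to Deny, and diagnostics sent to Log
# Analytics. Assumed: ref tag, resource group, subnet/workspace refs, address space.
module "firewall" {
  source = "git::https://github.com/terraform-az-modules/terraform-azurerm-firewall.git?ref=<release-tag>"

  name                = "core"
  environment         = "prod"
  location            = "westeurope"
  resource_group_name = "rg-network-prod"          # assumed existing group
  subnet_id           = azurerm_subnet.firewall.id # assumed AzureFirewallSubnet

  firewall_enable   = true
  public_ip_names   = ["fw-pip-1"]
  threat_intel_mode = "Deny" # block, not just alert on, known-bad IPs and FQDNs

  # Rule collections are only created when policy_rule_enabled is true.
  policy_rule_enabled = true
  network_rule_collection = [{
    name     = "allow-dns"
    priority = 100
    action   = "Allow"
    rules = [{
      name                  = "dns-to-azure-resolver"
      protocols             = ["UDP"]
      source_addresses      = ["10.0.0.0/16"]
      destination_addresses = ["168.63.129.16"]
      destination_ports     = ["53"]
    }]
  }]
  application_rule_collection = [{
    name     = "allow-updates"
    priority = 200
    action   = "Allow"
    rules = [{
      name              = "windows-update"
      source_addresses  = ["10.0.0.0/16"]
      destination_fqdns = ["*.update.microsoft.com"]
      protocols         = [{ type = "Https", port = 443 }]
    }]
  }]

  # Without a diagnostic setting the firewall's allow/deny decisions are not kept.
  enable_diagnostic              = true
  log_analytics_workspace_id     = azurerm_log_analytics_workspace.sec.id # assumed
  log_analytics_destination_type = "Dedicated" # resource-specific tables
  logs                           = [{ category_group = "allLogs" }]
  metric_enabled                 = true
}
```

Anything not matched by an explicit rule is denied by the firewall's default behaviour, so the rule collections above are the allow list to review when traffic is unexpectedly blocked.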

Providers

| Name    | Version    |
|---------|------------|
| azurerm | >=3.116.0  |

Modules

| Name   | Source                            | Version |
|--------|-----------------------------------|---------|
| labels | terraform-az-modules/tags/azurerm | 1.0.2   |

Resources

| Name                                                            | Type     |
|-----------------------------------------------------------------|----------|
| azurerm_firewall.firewall                                       | resource |
| azurerm_firewall_policy.policy                                  | resource |
| azurerm_firewall_policy_rule_collection_group.app_policy        | resource |
| azurerm_firewall_policy_rule_collection_group.nat_policy        | resource |
| azurerm_firewall_policy_rule_collection_group.network_policy    | resource |
| azurerm_monitor_diagnostic_setting.firewall_diagnostic          | resource |
| azurerm_public_ip.public_ip                                     | resource |
| azurerm_public_ip_prefix.pip_prefix                             | resource |
| azurerm_user_assigned_identity.identity                         | resource |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| app_policy_collection_group | (optional) Name of the application policy rule collection group | string | "DefaultApplicationRuleCollectionGroup" | no |
| application_rule_collection | List of application rule collections for the firewall policy (schema below). | list(object({...})) | [] | no |
| custom_name | Override the default naming convention | string | null | no |
| deployment_mode | Specifies how the infrastructure/resource is deployed | string | "terraform" | no |
| dns_servers | DNS servers to use with Azure Firewall. Setting this also activates DNS Proxy. | list(string) | null | no |
| enable_diagnostic | Set to false to prevent the module from creating the diagnostic setting for the firewall resource. | bool | false | no |
| enabled | Set to false to prevent the module from creating any resources. | bool | true | no |
| environment | Environment (e.g. prod, dev, staging). | string | "" | no |
| eventhub_authorization_rule_id | Event Hub authorization rule ID to pass to the destination details of the firewall diagnostic setting. | string | null | no |
| eventhub_name | Event Hub name to pass to the destination details of the firewall diagnostic setting. | string | null | no |
| extra_tags | Variable to pass extra tags. | map(string) | null | no |
| firewall_enable | Set to true to create the firewall. If set to false, no firewall will be created. | bool | false | no |
| firewall_policy_id | The ID of the Firewall Policy. | string | null | no |
| firewall_private_ip_ranges | A list of SNAT private CIDR IP ranges, or the special string IANAPrivateRanges, which indicates Azure Firewall does not SNAT when the destination IP address is a private range per IANA RFC 1918. | list(string) | null | no |
| identity_type | Specifies the type of Managed Service Identity configured on this resource. Possible values are `SystemAssigned`, `UserAssigned`, or `SystemAssigned, UserAssigned` (to enable both). | string | "UserAssigned" | no |
| label_order | Order of labels in the resource name. The default order is ['name', 'environment', 'location']; you can change this to ['environment', 'name', 'location'] or any other order as required. | list(any) | ["name", "environment", "location"] | no |
| location | The location/region where the firewall is created. Changing this forces a new resource to be created. | string | "" | no |
| log_analytics_destination_type | Possible values are AzureDiagnostics and Dedicated; defaults to AzureDiagnostics. When set to Dedicated, logs sent to a Log Analytics workspace go into resource-specific tables instead of the legacy AzureDiagnostics table. | string | "AzureDiagnostics" | no |
| log_analytics_workspace_id | Log Analytics workspace ID to pass to the destination details of the firewall diagnostic setting. | string | null | no |
| logs | List of logs to enable for the diagnostic setting (schema below). | list(object({...})) | [] | no |
| managedby | ManagedBy, e.g. 'terraform-az-modules'. | string | "terraform-az-modules" | no |
| metric_enabled | Set to true to enable metrics for the diagnostic setting. | bool | false | no |
| name | Name (e.g. app or cluster). | string | "" | no |
| nat_policy_collection_group | (optional) Name of the NAT policy rule collection group | string | "DefaultDnatRuleCollectionGroup" | no |
| nat_rule_collection | List of NAT rule collections for the firewall policy (schema below). | list(object({...})) | [] | no |
| net_policy_collection_group | (optional) Name of the network policy rule collection group | string | "DefaultNetworkRuleCollectionGroup" | no |
| network_rule_collection | List of network rule collections for the firewall policy (schema below). | list(object({...})) | [] | no |
| policy_rule_enabled | Flag used to control creation of policy rules. | bool | false | no |
| public_ip_allocation_method | Defines the allocation method for this IP address. Possible values are Static or Dynamic. | string | "Static" | no |
| public_ip_names | List of public IP names to create. | list(string) | [] | no |
| public_ip_prefix_enable | Flag to control creation of the public IP prefix resource. | bool | false | no |
| public_ip_prefix_ip_version | The IP version to use, IPv6 or IPv4. Changing this forces a new resource to be created. Default is IPv4. | string | "IPv4" | no |
| public_ip_prefix_length | Specifies the number of bits of the prefix. The value can be set between 0 (4,294,967,296 addresses) and 31 (2 addresses). Defaults to 28 (16 addresses). Changing this forces a new resource to be created. | number | 28 | no |
| public_ip_prefix_sku | SKU for the public IP prefix. Defaults to Standard. | string | "Standard" | no |
| public_ip_sku | The SKU of the Public IP. Accepted values are Basic and Standard. Defaults to Standard. | string | "Standard" | no |
| repository | Terraform current module repo | string | "https://github.com/terraform-az-modules/terraform-azure-firewall" | no |
| resource_group_name | A container that holds related resources for an Azure solution | string | "" | no |
| resource_position_prefix | Controls the placement of the resource type keyword (e.g., "vnet", "ddospp") in the resource name. If true, the keyword is prepended ("vnet-core-dev"); if false, it is appended ("core-dev-vnet"). This helps maintain naming consistency based on organizational preferences. | bool | true | no |
| sku_name | SKU name of the Firewall. Possible values are AZFW_VNet and AZFW_Hub. | string | "AZFW_VNet" | no |
| sku_policy | Specifies the firewall policy SKU | string | "Standard" | no |
| sku_tier | Specifies the firewall SKU tier | string | "Standard" | no |
| storage_account_id | Storage account ID to pass to the destination details of the firewall diagnostic setting. | string | null | no |
| subnet_id | The ID of the subnet to attach the firewall to. If not specified, the module will create a new subnet named 'AzureFirewallSubnet' in the specified virtual network. | string | "" | no |
| threat_intel_mode | (Optional) The operation mode for threat intelligence-based filtering. Possible values are Off, Alert, Deny. Defaults to Alert. | string | "Alert" | no |

Object schemas for the list(object) inputs:

```hcl
# application_rule_collection
list(object({
  name     = string
  priority = number
  action   = string
  rules = list(object({
    name                  = string
    source_addresses      = optional(list(string), []) # Optional: List of source IP addresses
    source_ip_groups      = optional(list(string), []) # Optional: List of source IP groups
    destination_fqdns     = optional(list(string), []) # Optional: List of destination FQDNs
    destination_ip_groups = optional(list(string), []) # Optional: List of destination IP groups
    protocols = list(object({
      port = optional(number, null) # Optional: Port number
      type = optional(string, null) # Optional: Protocol type (e.g., Http, Https)
    }))
  }))
}))

# logs
list(object({
  category_group = optional(string)
  category       = optional(string)
}))

# nat_rule_collection
list(object({
  name        = string
  priority    = number
  description = optional(string, null) # Optional: Description of the NAT rule collection
  rules = list(object({
    name                  = string
    protocols             = list(string)                 # List of protocols (e.g., TCP, UDP)
    source_addresses      = optional(list(string), [])   # Optional: List of source IP addresses
    destination_address   = optional(string, null)       # Optional: Destination IP address
    destination_ports     = optional(list(string), [])   # Optional: List of destination ports
    translated_address    = string                       # Required: Internal IP to which traffic is forwarded
    translated_port       = optional(string, null)       # Optional: Internal port to which traffic is forwarded
    source_ip_groups      = optional(list(string), [])   # Optional: List of source IP groups
    destination_ip_groups = optional(list(string), [])   # Optional: List of destination IP groups
  }))
}))

# network_rule_collection
list(object({
  name        = string
  priority    = number
  action      = string
  description = optional(string, null) # Optional: Description of the rule collection
  rules = list(object({
    name                  = string
    protocols             = list(string)               # List of protocols (e.g., TCP, UDP, ICMP)
    source_addresses      = optional(list(string), []) # Optional: List of source IP addresses
    source_ip_groups      = optional(list(string), []) # Optional: List of source IP groups
    destination_addresses = optional(list(string), []) # Optional: List of destination IP addresses
    destination_ip_groups = optional(list(string), []) # Optional: List of destination IP groups
    destination_ports     = optional(list(string), []) # Optional: List of destination ports
    destination_fqdns     = optional(list(string), []) # Optional: List of destination FQDNs
  }))
}))
```

Outputs

| Name               | Description                 |
|--------------------|-----------------------------|
| firewall_id        | Firewall ID                 |
| firewall_name      | Firewall name               |
| firewall_policy_id | Firewall policy ID          |
| public_ip_addresses | Public IP addresses        |
| public_ip_ids      | The IDs of all public IPs   |
| public_ip_prefix_id | Public IP prefix ID        |

Module Dependencies

This module has dependencies on:

Changelog

Refer here.

✨ Contributors

Big thanks to our contributors for elevating our project with their dedication and expertise! But we do not wish to stop there; we would like to invite contributions from the community to improve these projects and make them more versatile for better reach. Remember, every bit of contribution is immensely valuable, as, together, we are moving in only one direction: forward.



If you're considering contributing to our project, here are a few quick guidelines that we have been following (Got a suggestion? We are all ears!):

  • Fork the Repository: Create a new branch for your feature or bug fix.
  • Coding Standards: You know the drill.
  • Clear Commit Messages: Write clear and concise commit messages to facilitate understanding.
  • Thorough Testing: Test your changes thoroughly before submitting a pull request.
  • Documentation Updates: Include relevant documentation updates if your changes impact it.

Feedback

Spot a bug or have thoughts to share with us? Let's squash it together! Log it in our issue tracker, or feel free to drop us an email at hello@clouddrove.com.

Show some love with a ★ on our GitHub if our work has brightened your day! Your feedback fuels our journey!

Our Accomplishment

We have 50+ Azure Terraform modules. You could consider them finished, but with enthusiasts like yourself we are able to keep improving them, so we call our status "improvement in progress".

Tap into our capabilities

We provide a platform for organizations to engage with experienced, top-tier DevOps and Cloud professionals. Tap into our pool of certified engineers and architects to elevate your DevOps and Cloud solutions.

At Azure Terraform Modules Organisation, we have extensive experience in designing, building, and migrating environments; securing infrastructure; consulting; monitoring; optimizing; automating; and maintaining complex, large-scale modern systems. With a strong client presence across American and European regions, our certified experts deliver robust and scalable cloud solutions.

Write to us at hello@clouddrove.com.

We are The Cloud Experts!


We ❀️ Open Source and you can check out our other modules to get help with your new Cloud ideas.
