feat: support multiple public ips on firewall

.github/policies/eventResponder.yml

@@ -17,6 +17,13 @@ configuration:
         then:
           - addLabel:
               label: "Needs: Triage :mag:"
+          - addReply:
+              reply: |
+                > [!IMPORTANT]
+                > **The "Needs: Triage :mag:" label must be removed once the triage process is complete!**
+
+                > [!TIP]
+                > For additional guidance on how to triage this issue/PR, see the [Terraform Issue Triage](https://azure.github.io/Azure-Verified-Modules/help-support/issue-triage/terraform-issue-triage) documentation.
 
       - description: 'ITA09 - When #RR is used in an issue, add the "Needs: Author Feedback :ear:" label'
         if:
@@ -47,7 +54,7 @@ configuration:
               label: "Status: Won't Fix :broken_heart:"
           - closeIssue
 
-      - description: 'ITA11 - When a reply from anyone to an issue occurs, remove the "Needs: Author Feedback :ear:" label and label with "Needs: Attention :wave:"'
+      - description: 'ITA11 - When the author replies, remove the "Needs: Author Feedback :ear:" label and label with "Needs: Attention :wave:"'
         if:
           - or:
               - payloadType: Pull_Request_Review_Comment
@@ -57,9 +64,13 @@ configuration:
                 action: Closed
           - hasLabel:
               label: "Needs: Author Feedback :ear:"
+          - isActivitySender:
+              issueAuthor: true
         then:
           - removeLabel:
               label: "Needs: Author Feedback :ear:"
+          - removeLabel:
+              label: "Status: No Recent Activity :zzz:"
           - addLabel:
               label: "Needs: Attention :wave:"
 
@@ -89,12 +100,14 @@ configuration:
                   label: "Type: New Module Proposal :bulb:"
               - hasLabel:
                   label: "Type: Question/Feedback :raising_hand:"
+              - hasLabel:
+                  label: "Type: Security Bug :lock:"
           - isAssignedToSomeone
         then:
           - removeLabel:
               label: "Needs: Triage :mag:"
 
-      - description: 'ITA20 - If the type is feature request, add the "Type: Feature Request :heavy_plus_sign:" label on the issue'
+      - description: 'ITA20 - If the type is feature request, assign the "Type: Feature Request :heavy_plus_sign:" label on the issue'
         if:
           - payloadType: Issues
           - isAction:
@@ -111,7 +124,7 @@ configuration:
           - addLabel:
               label: "Type: Feature Request :heavy_plus_sign:"
 
-      - description: 'ITA21 - If the type is bug, add the "Type: Bug :bug:" label on the issue'
+      - description: 'ITA21 - If the type is bug, assign the "Type: Bug :bug:" label on the issue'
         if:
           - payloadType: Issues
           - isAction:
@@ -128,6 +141,23 @@ configuration:
           - addLabel:
               label: "Type: Bug :bug:"
 
+      - description: 'ITA22 - If the type is security bug, assign the "Type: Security Bug :lock:" label on the issue'
+        if:
+          - payloadType: Issues
+          - isAction:
+              action: Opened
+          - bodyContains:
+              pattern: |
+                ### Issue Type?
+
+                Security Bug
+          - not:
+              hasLabel:
+                label: "Type: Security Bug :lock:"
+        then:
+          - addLabel:
+              label: "Type: Security Bug :lock:"
+
       - description: 'ITA23 - Remove the "Status: In PR" label from an issue when it''s closed.'
         if:
           - payloadType: Issues

.github/policies/scheduledSearches.yml

@@ -23,6 +23,8 @@ configuration:
           - isOpen
           - hasLabel:
               label: "Needs: Triage :mag:"
+          - isNotLabeledWith:
+              label: "Status: Response Overdue :triangular_flag_on_post:"
           - noActivitySince:
               days: 5
         actions:
@@ -52,6 +54,8 @@ configuration:
           - isOpen
           - hasLabel:
               label: "Needs: Triage :mag:"
+          - isNotLabeledWith:
+              label: "Status: Response Overdue :triangular_flag_on_post:"
           - noActivitySince:
               days: 3
         actions:
@@ -86,6 +90,8 @@ configuration:
           - isOpen
           - hasLabel:
               label: "Status: Response Overdue :triangular_flag_on_post:"
+          - isNotLabeledWith:
+              label: "Needs: Immediate Attention :bangbang:"
           - noActivitySince:
               days: 5
         actions:
@@ -102,7 +108,7 @@ configuration:
           - addLabel:
               label: "Needs: Immediate Attention :bangbang:"
 
-      - description: "ITA02TF.2 - Label issues as Needs Immediate Attention and leave comment if after an additional 3 business days there's still no update to the issue."
+      - description: "ITA02TF.2 - Label and comment issues as Needs Immediate Attention and leave comment if after an additional 3 business days there's still no update to the issue."
         frequencies:
           - weekday:
               day: Thursday
@@ -115,6 +121,8 @@ configuration:
           - isOpen
           - hasLabel:
               label: "Status: Response Overdue :triangular_flag_on_post:"
+          - isNotLabeledWith:
+              label: "Needs: Immediate Attention :bangbang:"
           - noActivitySince:
               days: 3
         actions:
@@ -123,7 +131,7 @@ configuration:
                 - Azure/avm-core-team-technical-terraform
               replyTemplate: |
                 > [!CAUTION]
-                > **This issue requires the AVM Core Team's (${mentionees}) immediate attention as  it hasn't been responded to within 6 business days. **
+                > **This issue requires the AVM Core Team's (${mentionees}) immediate attention as  it hasn't been responded to within 6 business days.**
 
                 > [!TIP]
                 > - To avoid this rule being (re)triggered, the "Needs: Triage :mag:" and "Status: Response Overdue :triangular_flag_on_post:" labels must be removed when the issue is first responded to!
@@ -175,12 +183,11 @@ configuration:
           - assignTo:
               user: Azure/terraform-avm
 
-      - description: "ITA04 - Label issues that have been marked as requiring author feedback but have not had any activity for 4 days."
+      - description: "ITA04 - Label issues and PRs that have been marked as requiring author feedback but have not had any activity for 4 days."
         frequencies:
           - hourly:
               hour: 3
         filters:
-          - isIssue
           - isOpen
           - hasLabel:
               label: "Needs: Author Feedback :ear:"
@@ -196,48 +203,4 @@ configuration:
           - addReply:
               reply: |
                 > [!IMPORTANT]
-                > @${issueAuthor}, this issue has been automatically marked as stale because it has been marked as requiring author feedback but has not had any activity for **4 days**. It will be closed if no further activity occurs **within 3 days of this comment**.
-
-      - description: 'ITA05A - Close issues that have been marked as requiring author feedback but have not had any activity for 3 days, unless it''s been marked with the "Status long term" label.'
-        frequencies:
-          - hourly:
-              hour: 3
-        filters:
-          - isIssue
-          - isOpen
-          - hasLabel:
-              label: "Needs: Author Feedback :ear:"
-          - hasLabel:
-              label: "Status: No Recent Activity :zzz:"
-          - isNotLabeledWith:
-              label: "Needs: Module Owner :mega:"
-          - noActivitySince:
-              days: 3
-        actions:
-          - addReply:
-              reply: |
-                > [!WARNING]
-                > @${issueAuthor}, this issue will now be closed, as it has been marked as requiring author feedback but has not had any activity for **7 days**.
-          - closeIssue
-
-      - description: 'ITA05B - Close issues that have been marked as requiring author feedback but have not had any activity for 3 days, unless it''s been marked with the "Status long term" label.'
-        frequencies:
-          - hourly:
-              hour: 3
-        filters:
-          - isIssue
-          - isOpen
-          - hasLabel:
-              label: "Needs: Author Feedback :ear:"
-          - hasLabel:
-              label: "Status: No Recent Activity :zzz:"
-          - isNotLabeledWith:
-              label: "Status: Long Term :hourglass_flowing_sand:"
-          - noActivitySince:
-              days: 3
-        actions:
-          - addReply:
-              reply: |
-                > [!WARNING]
-                > @${issueAuthor}, this issue will now be closed, as it has been marked as requiring author feedback but has not had any activity for **7 days**.
-          - closeIssue
+                > @${issueAuthor}, this issue has been automatically marked as stale because it has been marked as requiring author feedback but has not had any activity for **4 days**.

README.md

@@ -177,10 +177,9 @@ Description: A map of the hub virtual networks to create. The map key is an arbi
   - `subnet_route_table_id` = (Optional) The resource id of the Route Table which should be associated with the Azure Firewall subnet. If not specified the module will assign the generated route table.
   - `tags` - (Optional) A map of tags to apply to the Azure Firewall. If not specified
   - `zones` - (Optional) A list of availability zones to use for the Azure Firewall. If not specified will be `null`.
-  - `default_ip_configuration` - (Optional) An object with the following fields. If not specified the defaults below will be used:
-    - `name` - (Optional) The name of the default IP configuration. If not specified will use `default`.
+  - `default_ip_configurations` - (Optional) A map of the default IP configuration for the Azure Firewall. If not specified the defaults below will be used:
     - `public_ip_config` - (Optional) An object with the following fields:
-      - `name` - (Optional) The name of the public IP configuration. If not specified will use `pip-fw-{vnetname}`.
+      - `name` - (Optional) The name of the public IP configuration. If not specified will use `pip-fw-{vnetname}-<Map Key>`.
       - `zones` - (Optional) A list of availability zones to use for the public IP configuration. If not specified will be `null`.
       - `ip_version` - (Optional) The IP version to use for the public IP configuration. Possible values include `IPv4`, `IPv6`. If not specified will be `IPv4`.
       - `sku_tier` - (Optional) The SKU tier to use for the public IP configuration. Possible values include `Regional`, `Global`. If not specified will be `Regional`.
@@ -303,6 +302,15 @@ map(object({
           zones      = optional(set(string))
         }))
       }))
+      ip_configurations = optional(map(object({
+        name = optional(string)
+        public_ip_config = optional(object({
+          ip_version = optional(string, "IPv4")
+          name       = optional(string)
+          sku_tier   = optional(string, "Regional")
+          zones      = optional(set(string))
+        }))
+      })))
       management_ip_configuration = optional(object({
         name = optional(string)
         public_ip_config = optional(object({

SUPPORT.md

@@ -6,7 +6,7 @@
 
 This project uses GitHub Issues to track bugs and feature requests. Please search the existing issues before filing new issues to avoid duplicates. For new issues, file your bug or feature request as a new issue.
 
-Issues can be created and searched through for existing [issues here](https://github.com/Azure/terraform-azurerm-avm-ptn-hubnetworking/issues).
+Issues can be created and searched through for existing [issues here](../../issues).
 
 Please provide as much information as possible when filing an issue. Include screenshots or correlation IDs if possible (please redact any sensitive information).
 

avm

@@ -11,6 +11,8 @@ if [ ! "$(command -v "$CONTAINER_RUNTIME")" ]; then
     exit 1
 fi
 
+AVM_IMAGE=${AVM_IMAGE:-mcr.microsoft.com/azterraform}
+
 if [ -z "$1" ]; then
     echo "Error: Please provide a make target. See https://github.com/Azure/tfmod-scaffold/blob/main/avmmakefile for available targets."
     echo
@@ -26,7 +28,7 @@ fi
 # Check if we are running in a container
 # If we are then just run make directly
 if [ -z "$AVM_IN_CONTAINER" ]; then
-  $CONTAINER_RUNTIME run --pull always --user "$(id -u):$(id -g)" --rm -v "$(pwd)":/src -w /src -v $AZURE_CONFIG_DIR:/azureconfig -e AZURE_CONFIG_DIR=/azureconfig -e GITHUB_TOKEN -e GITHUB_REPOSITORY -e ARM_SUBSCRIPTION_ID -e ARM_TENANT_ID -e ARM_CLIENT_ID -e GITHUB_REPOSITORY_OWNER mcr.microsoft.com/azterraform make "$1"
+  $CONTAINER_RUNTIME run --pull always --user "$(id -u):$(id -g)" --rm -v "$(pwd)":/src -w /src -v $AZURE_CONFIG_DIR:/azureconfig -e AZURE_CONFIG_DIR=/azureconfig -e GITHUB_TOKEN -e GITHUB_REPOSITORY -e ARM_SUBSCRIPTION_ID -e ARM_TENANT_ID -e ARM_CLIENT_ID -e GITHUB_REPOSITORY_OWNER $AVM_IMAGE make "$1"
 else
   make "$1"
 fi

avm.bat

@@ -11,13 +11,21 @@ IF ERRORLEVEL 1 (
     exit /b
 )
 
+IF DEFINED AVM_IMAGE (SET "AVM_IMAGE=%AVM_IMAGE%") ELSE (SET "AVM_IMAGE=mcr.microsoft.com/azterraform")
+
 REM Check if a make target is provided
 IF "%~1"=="" (
     echo Error: Please provide a make target. See https://github.com/Azure/tfmod-scaffold/blob/main/avmmakefile for available targets.
     exit /b
 )
 
+IF DEFINED NO_PULL (
+    SET "PULL_ARG="
+) ELSE (
+    SET "PULL_ARG=--pull always"
+)
+
 REM Run the make target with CONTAINER_RUNTIME
-%CONTAINER_RUNTIME% run --pull always --rm -v "%cd%":/src -w /src --user "1000:1000" -e GITHUB_TOKEN -e ARM_SUBSCRIPTION_ID -e ARM_TENANT_ID -e ARM_CLIENT_ID -e GITHUB_REPOSITORY -e GITHUB_REPOSITORY_OWNER mcr.microsoft.com/azterraform make %1
+%CONTAINER_RUNTIME% run %PULL_ARG% --rm -v "%cd%":/src -w /src --user "1000:1000" -e GITHUB_TOKEN -e ARM_SUBSCRIPTION_ID -e ARM_TENANT_ID -e ARM_CLIENT_ID -e GITHUB_REPOSITORY -e GITHUB_REPOSITORY_OWNER %AVM_IMAGE% make %1
 
 ENDLOCAL

examples/azure_landing_zone_firewall/README.md

@@ -76,6 +76,7 @@ module "hub_mesh" {
         sku_tier                         = "Standard"
         zones                            = ["1", "2", "3"]
         default_ip_configuration = {
+          name = "primary-pip"
           public_ip_config = {
             name  = "pip-fw-hub-primary"
             zones = ["1", "2", "3"]

examples/azure_landing_zone_firewall/main.tf

@@ -70,6 +70,7 @@ module "hub_mesh" {
         sku_tier                         = "Standard"
         zones                            = ["1", "2", "3"]
         default_ip_configuration = {
+          #name = "primary-pip"
           public_ip_config = {
             name  = "pip-fw-hub-primary"
             zones = ["1", "2", "3"]
@@ -136,10 +137,12 @@ module "hub_mesh" {
         sku_name                         = "AZFW_VNet"
         sku_tier                         = "Standard"
         zones                            = ["1", "2", "3"]
-        default_ip_configuration = {
-          public_ip_config = {
-            name  = "pip-fw-hub-secondary"
-            zones = ["1", "2", "3"]
+        ip_configurations = {
+          default = {
+            public_ip_config = {
+              name  = "pip-fw-hub-secondary"
+              zones = ["1", "2", "3"]
+            }
           }
         }
         management_ip_enabled = false

examples/basic/README.md

@@ -51,9 +51,18 @@ module "hub" {
         sku_tier                         = "Standard"
         subnet_address_prefix            = "10.0.1.0/24"
         management_subnet_address_prefix = "10.0.2.0/24"
-        default_ip_configuration = {
-          public_ip_config = {
-            zones = ["1", "2", "3"]
+        default_ip_configurations = {
+          primary = {
+            public_ip_config = {
+              name  = "pip-hub-primary-1"
+              zones = ["1", "2", "3"]
+            }
+          }
+          secondary = {
+            public_ip_config = {
+              name  = "pip-hub-secondary-2"
+              zones = ["1", "2", "3"]
+            }
           }
         }
         management_ip_configuration = {
@@ -129,7 +138,7 @@ The following outputs are exported:
 
 Description: n/a
 
-### <a name="output_firewall_ip_address"></a> [firewall\_ip\_address](#output\_firewall\_ip\_address)
+### <a name="output_firewall_ip_addresses"></a> [firewall\_ip\_addresses](#output\_firewall\_ip\_addresses)
 
 Description: n/a
 

examples/basic/main.tf

@@ -45,9 +45,20 @@ module "hub" {
         sku_tier                         = "Standard"
         subnet_address_prefix            = "10.0.1.0/24"
         management_subnet_address_prefix = "10.0.2.0/24"
-        default_ip_configuration = {
-          public_ip_config = {
-            zones = ["1", "2", "3"]
+        ip_configurations = {
+          primary = {
+            name  = "primary-ip-config"
+            public_ip_config = {
+              name  = "pip-hub-primary-1"
+              zones = ["1", "2", "3"]
+            }
+          }
+          secondary = {
+            name  = "secondary-ip-config"
+            public_ip_config = {
+              name  = "pip-hub-secondary-2"
+              zones = ["1", "2", "3"]
+            }
           }
         }
         management_ip_configuration = {
@@ -65,8 +76,3 @@ module "hub" {
     }
   }
 }
-
-
-
-
-

examples/basic/outputs.tf

@@ -2,8 +2,8 @@ output "firewall_id" {
   value = module.hub.firewalls["hub"].id
 }
 
-output "firewall_ip_address" {
-  value = module.hub.firewalls["hub"].public_ip_address
+output "firewall_ip_addresses" {
+  value = module.hub.firewalls["hub"].public_ip_addresses
 }
 
 output "resource_group_id" {