diff --git a/README.md b/README.md
index ced9227f9..a27a00aa7 100644
--- a/README.md
+++ b/README.md
@@ -428,6 +428,7 @@ object({
 sku_tier = optional(string, "Standard")
 base_policy_id = optional(string, "")
 private_ip_ranges = optional(list(string), [])
+ public_ip_count = optional(number, 1)
 threat_intelligence_mode = optional(string, "Alert")
 threat_intelligence_allowlist = optional(map(list(string)), {})
 availability_zones = optional(object({
diff --git a/modules/connectivity/README.md b/modules/connectivity/README.md
index 0888525d6..018a79c76 100644
--- a/modules/connectivity/README.md
+++ b/modules/connectivity/README.md
@@ -229,6 +229,7 @@ object({
 sku_tier = optional(string, "Standard")
 base_policy_id = optional(string, "")
 private_ip_ranges = optional(list(string), [])
+ public_ip_count = optional(number, 1)
 threat_intelligence_mode = optional(string, "Alert")
 threat_intelligence_allowlist = optional(map(list(string)), {})
 availability_zones = optional(object({
diff --git a/modules/connectivity/locals.tf b/modules/connectivity/locals.tf
index 4b0ec888a..e497e6131 100644
--- a/modules/connectivity/locals.tf
+++ b/modules/connectivity/locals.tf
@@ -967,13 +967,16 @@ locals {
 location = location
 ip_configuration = try(
 local.custom_settings.azurerm_firewall["connectivity"][location].ip_configuration,
- [
- {
- name = local.azfw_pip_name[location]
- public_ip_address_id = local.azfw_pip_resource_id[location]
- subnet_id = "${local.virtual_network_resource_id[location]}/subnets/AzureFirewallSubnet"
+ concat([{
+ name = local.azfw_pip_name[location]
+ public_ip_address_id = local.azfw_pip_resource_id[location]
+ subnet_id = "${local.virtual_network_resource_id[location]}/subnets/AzureFirewallSubnet"
+ }], [
+ for i in range(1, hub_network.config.azure_firewall.config.public_ip_count) : {
+ name = join("-", [local.azfw_pip_name[location], i + 1])
+ public_ip_address_id = join("-", [local.azfw_pip_resource_id[location], i + 1])
 }
- ]
+ ])
 )
 sku_name = "AZFW_VNet"
 sku_tier = coalesce(
@@ -1041,12 +1044,12 @@ locals {
 concat(
 length(try(local.custom_settings.azurerm_firewall["connectivity"][location].ip_configuration, local.empty_map)) > 0 ? local.empty_list
- : [{
+ : [for i in range(hub_network.config.azure_firewall.config.public_ip_count) : {
 # Resource logic attributes
- resource_id = local.azfw_pip_resource_id[location]
+ resource_id = i == 0 ? local.azfw_pip_resource_id[location] : "${local.azfw_pip_resource_id[location]}-${i + 1}"
 managed_by_module = local.deploy_azure_firewall[location]
 # Resource definition attributes
- name = local.azfw_pip_name[location]
+ name = i == 0 ? local.azfw_pip_name[location] : "${local.azfw_pip_name[location]}-${i + 1}"
 resource_group_name = local.resource_group_names_by_scope_and_location["connectivity"][location]
 location = location
 zones = local.azfw_pip_zones[location]
diff --git a/modules/connectivity/variables.tf b/modules/connectivity/variables.tf
index c72987d0d..1194cad04 100644
--- a/modules/connectivity/variables.tf
+++ b/modules/connectivity/variables.tf
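Review bot: The names of the extra public IPs are built two different ways — `join("-", [local.azfw_pip_name[location], i + 1])` in the firewall ip_configuration list at @@ -967 and `"${local.azfw_pip_name[location]}-${i + 1}"` in the public-IP resource list at @@ -1041 — and the firewall only attaches to those IPs while both expressions keep producing byte-identical strings. Use one form in both places (for the first hunk: `name = "${local.azfw_pip_name[location]}-${i + 1}"` and `public_ip_address_id = "${local.azfw_pip_resource_id[location]}-${i + 1}"`), or better, compute the per-location list of public-IP names once in a local that both blocks index. The two hunks also disagree when `public_ip_count` is 0: `range(hub_network.config.azure_firewall.config.public_ip_count)` then creates no public IP resources, while `range(1, 0)` in the ip_configuration expression is, if I recall Terraform's range() correctly, a descending `[1]` and would reference a `-2` public IP that is never created; a lower bound on the count, enforced where the variable is declared, closes that gap. The enclosing `locals` block starts and ends outside both hunks.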
@@ -127,6 +127,7 @@ variable "settings" {
 sku_tier = optional(string, "Standard")
 base_policy_id = optional(string, "")
 private_ip_ranges = optional(list(string), [])
+ public_ip_count = optional(number, 1)
 threat_intelligence_mode = optional(string, "Alert")
 threat_intelligence_allowlist = optional(map(list(string)), {})
 availability_zones = optional(object({
diff --git a/variables.tf b/variables.tf
index a62e9b194..389ec58a7 100644
--- a/variables.tf
+++ b/variables.tf
@@ -240,6 +240,7 @@ variable "configure_connectivity_resources" {
 sku_tier = optional(string, "Standard")
 base_policy_id = optional(string, "")
 private_ip_ranges = optional(list(string), [])
+ public_ip_count = optional(number, 1)
 threat_intelligence_mode = optional(string, "Alert")
 threat_intelligence_allowlist = optional(map(list(string)), {})
 availability_zones = optional(object({
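Review bot: `public_ip_count = optional(number, 1)` accepts any number, including 0, negatives and fractions, and neither this hunk nor the matching one in the root `variables.tf` (@@ -240) adds a `validation` block for it; the value is fed straight into `range()` in the connectivity locals, so an out-of-range count surfaces as a confusing plan error or as a firewall ip_configuration pointing at a public IP that is never created. Add a validation on the variable along the lines of `condition = alltrue([for hub in <hub-networks list inside var.settings> : hub.config.azure_firewall.config.public_ip_count >= 1 && floor(hub.config.azure_firewall.config.public_ip_count) == hub.config.azure_firewall.config.public_ip_count])` with an `error_message` that names the attribute and the accepted range. Since every additional public IP is another internet-facing address on the firewall, the README entry for this attribute should also state that 1 is the minimum and that each increment adds a public IP. The `variable "settings"` block starts and ends outside the hunk.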