Update to work with latest changes.

marrobi · marrobi · commit af6ed73df897 · 2025-03-21T11:51:30.000Z
diff --git a/Makefile b/Makefile
@@ -311,6 +311,7 @@ deploy-shared-service:
 	&& ${MAKEFILE_DIR}/devops/scripts/deploy_shared_service.sh $${PROPS}
 
 firewall-install:
+	$(MAKE) migrate-firewall-state
 	. ${MAKEFILE_DIR}/devops/scripts/check_dependencies.sh env \
 	&& $(MAKE) bundle-build bundle-publish bundle-register deploy-shared-service \
 	DIR=${MAKEFILE_DIR}/templates/shared_services/firewall/ BUNDLE_TYPE=shared_service
diff --git a/core/terraform/.terraform.lock.hcl b/core/terraform/.terraform.lock.hcl
diff --git a/core/terraform/data.tf b/core/terraform/data.tf
@@ -8,6 +8,11 @@ resource "random_string" "unique_id" {
   min_numeric = 4
 }
 
+data "azurerm_storage_account" "mgmt_storage" {
+  name                = var.mgmt_storage_account_name
+  resource_group_name = var.mgmt_resource_group_name
+}
+
 data "azurerm_container_registry" "mgmt_acr" {
   name                = var.acr_name
   resource_group_name = var.mgmt_resource_group_name
@@ -37,4 +42,4 @@ data "azurerm_monitor_diagnostic_categories" "sb" {
   depends_on = [
     azurerm_servicebus_namespace.sb
   ]
-}
+}
diff --git a/core/terraform/firewall/firewall.tf b/core/terraform/firewall/firewall.tf
@@ -37,7 +37,7 @@ resource "azurerm_firewall" "fw" {
   tags                = var.tre_core_tags
   ip_configuration {
     name                 = "fw-ip-configuration"
-    subnet_id            = data.azurerm_subnet.firewall.id
+    subnet_id            = var.firewall_subnet_id
     public_ip_address_id = var.firewall_force_tunnel_ip != "" ? null : azurerm_public_ip.fwtransit[0].id
   }
 
diff --git a/core/terraform/firewall/import_state.sh b/core/terraform/firewall/import_state.sh
@@ -14,6 +14,9 @@ fi
 
 set -e
 
+# shellcheck disable=SC1091
+source "$(dirname "$0")/../../../devops/scripts/mgmtstorage_enable_public_access.sh"
+
 # Initialise state for Terraform
 terraform init -input=false -backend=true -reconfigure -upgrade \
     -backend-config="resource_group_name=${TF_VAR_mgmt_resource_group_name}" \
@@ -65,7 +68,7 @@ if [[ "${FIREWALL_SKU}" == "Basic" ]]; then
   import_if_exists module.firewall.azurerm_public_ip.fwmanagement[0] "/subscriptions/${ARM_SUBSCRIPTION_ID}/resourceGroups/${RESOURCE_GROUP_ID}/providers/Microsoft.Network/publicIPAddresses/pip-fw-management-${TRE_ID}"
 fi
 
-import_if_exists module.firewall.azurerm_public_ip.fwtransit "/subscriptions/${ARM_SUBSCRIPTION_ID}/resourceGroups/${RESOURCE_GROUP_ID}/providers/Microsoft.Network/publicIPAddresses/pip-fw-${TRE_ID}"
+import_if_exists module.firewall.azurerm_public_ip.fwtransit[0] "/subscriptions/${ARM_SUBSCRIPTION_ID}/resourceGroups/${RESOURCE_GROUP_ID}/providers/Microsoft.Network/publicIPAddresses/pip-fw-${TRE_ID}"
 
 # Firewall policy
 import_if_exists module.firewall.azurerm_firewall_policy.root "/subscriptions/${ARM_SUBSCRIPTION_ID}/resourceGroups/${RESOURCE_GROUP_ID}/providers/Microsoft.Network/firewallPolicies/fw-policy-${TRE_ID}"
@@ -82,20 +85,20 @@ import_if_exists module.firewall.azurerm_monitor_diagnostic_setting.firewall \
 import_if_exists azurerm_route_table.rt \
   "/subscriptions/${ARM_SUBSCRIPTION_ID}/resourceGroups/${RESOURCE_GROUP_ID}/providers/Microsoft.Network/routeTables/rt-${TRE_ID}"
 
-import_if_exists azurerm_subnet_route_table_association.rt_shared_subnet_association \
-  "/subscriptions/${ARM_SUBSCRIPTION_ID}/resourceGroups/${RESOURCE_GROUP_ID}/providers/Microsoft.Network/virtualNetworks/vnet-${TRE_ID}/subnets/SharedSubnet"
+# import_if_exists azurerm_subnet_route_table_association.rt_shared_subnet_association \
+#   "/subscriptions/${ARM_SUBSCRIPTION_ID}/resourceGroups/${RESOURCE_GROUP_ID}/providers/Microsoft.Network/virtualNetworks/vnet-${TRE_ID}/subnets/SharedSubnet"
 
-import_if_exists azurerm_subnet_route_table_association.rt_resource_processor_subnet_association \
-  "/subscriptions/${ARM_SUBSCRIPTION_ID}/resourceGroups/${RESOURCE_GROUP_ID}/providers/Microsoft.Network/virtualNetworks/vnet-${TRE_ID}/subnets/ResourceProcessorSubnet"
+# import_if_exists azurerm_subnet_route_table_association.rt_resource_processor_subnet_association \
+#   "/subscriptions/${ARM_SUBSCRIPTION_ID}/resourceGroups/${RESOURCE_GROUP_ID}/providers/Microsoft.Network/virtualNetworks/vnet-${TRE_ID}/subnets/ResourceProcessorSubnet"
 
-import_if_exists azurerm_subnet_route_table_association.rt_web_app_subnet_association \
-  "/subscriptions/${ARM_SUBSCRIPTION_ID}/resourceGroups/${RESOURCE_GROUP_ID}/providers/Microsoft.Network/virtualNetworks/vnet-${TRE_ID}/subnets/WebAppSubnet"
+# import_if_exists azurerm_subnet_route_table_association.rt_web_app_subnet_association \
+#   "/subscriptions/${ARM_SUBSCRIPTION_ID}/resourceGroups/${RESOURCE_GROUP_ID}/providers/Microsoft.Network/virtualNetworks/vnet-${TRE_ID}/subnets/WebAppSubnet"
 
-import_if_exists azurerm_subnet_route_table_association.rt_airlock_processor_subnet_association \
-  "/subscriptions/${ARM_SUBSCRIPTION_ID}/resourceGroups/${RESOURCE_GROUP_ID}/providers/Microsoft.Network/virtualNetworks/vnet-${TRE_ID}/subnets/AirlockProcessorSubnet"
+# import_if_exists azurerm_subnet_route_table_association.rt_airlock_processor_subnet_association \
+#   "/subscriptions/${ARM_SUBSCRIPTION_ID}/resourceGroups/${RESOURCE_GROUP_ID}/providers/Microsoft.Network/virtualNetworks/vnet-${TRE_ID}/subnets/AirlockProcessorSubnet"
 
-import_if_exists azurerm_subnet_route_table_association.rt_airlock_storage_subnet_association \
-  "/subscriptions/${ARM_SUBSCRIPTION_ID}/resourceGroups/${RESOURCE_GROUP_ID}/providers/Microsoft.Network/virtualNetworks/vnet-${TRE_ID}/subnets/AirlockStorageSubnet"
+# import_if_exists azurerm_subnet_route_table_association.rt_airlock_storage_subnet_association \
+#   "/subscriptions/${ARM_SUBSCRIPTION_ID}/resourceGroups/${RESOURCE_GROUP_ID}/providers/Microsoft.Network/virtualNetworks/vnet-${TRE_ID}/subnets/AirlockStorageSubnet"
 
-import_if_exists azurerm_subnet_route_table_association.rt_airlock_events_subnet_association \
-  "/subscriptions/${ARM_SUBSCRIPTION_ID}/resourceGroups/${RESOURCE_GROUP_ID}/providers/Microsoft.Network/virtualNetworks/vnet-${TRE_ID}/subnets/AirlockEventsSubnet"
+# import_if_exists azurerm_subnet_route_table_association.rt_airlock_events_subnet_association \
+#   "/subscriptions/${ARM_SUBSCRIPTION_ID}/resourceGroups/${RESOURCE_GROUP_ID}/providers/Microsoft.Network/virtualNetworks/vnet-${TRE_ID}/subnets/AirlockEventsSubnet"
diff --git a/core/terraform/firewall/remove_state.sh b/core/terraform/firewall/remove_state.sh
@@ -8,6 +8,9 @@ echo "REMOVING STATE FOR FIREWALL..."
 
 set -e
 
+# shellcheck disable=SC1091
+source "$(dirname "$0")/../../../devops/scripts/mgmtstorage_enable_public_access.sh"
+
 terraform init -input=false -backend=true -reconfigure -upgrade \
     -backend-config="resource_group_name=${TF_VAR_mgmt_resource_group_name}" \
     -backend-config="storage_account_name=${TF_VAR_mgmt_storage_account_name}" \
@@ -41,9 +44,10 @@ remove_if_present azurerm_subnet_route_table_association.rt_airlock_events_subne
 remove_if_present azurerm_firewall_network_rule_collection.core
 
 # firewall.tf
-remove_if_present azurerm_public_ip.fwtransit
+remove_if_present azurerm_public_ip.fwtransit[0]
 remove_if_present azurerm_public_ip.fwmanagement[0]
 remove_if_present azurerm_firewall.fw
 remove_if_present azurerm_monitor_diagnostic_categories.firewall
 remove_if_present azurerm_monitor_diagnostic_setting.firewall
+remove_if_present azurerm_firewall_policy_rule_collection_group.core
 remove_if_present azurerm_firewall_policy.root
diff --git a/core/terraform/main.tf b/core/terraform/main.tf
@@ -194,7 +194,7 @@ module "resource_processor_vmss_porter" {
   service_bus_namespace_fqdn                       = local.service_bus_namespace_fqdn
   service_bus_resource_request_queue               = azurerm_servicebus_queue.workspacequeue.name
   service_bus_deployment_status_update_queue       = azurerm_servicebus_queue.service_bus_deployment_status_update_queue.name
-  mgmt_storage_account_name                        = var.mgmt_storage_account_name
+  mgmt_storage_account_id                          = data.azurerm_storage_account.mgmt_storage.id
   mgmt_resource_group_name                         = var.mgmt_resource_group_name
   terraform_state_container_name                   = var.terraform_state_container_name
   key_vault_name                                   = azurerm_key_vault.kv.name
diff --git a/core/terraform/network/outputs.tf b/core/terraform/network/outputs.tf
@@ -11,7 +11,7 @@ output "azure_firewall_subnet_id" {
 }
 
 output "firewall_management_subnet_id" {
-  value = azurerm_subnet.firewall_management.id
+  value = local.subnet_ids_map["AzureFirewallManagementSubnet"]
 }
 
 output "app_gw_subnet_id" {

Original file line number	Diff line number	Diff line change
`@@ -37,7 +37,7 @@ resource "azurerm_firewall" "fw" {`
`37`	`37`	`tags = var.tre_core_tags`
`38`	`38`	`ip_configuration {`
`39`	`39`	`name = "fw-ip-configuration"`
`40`		`- subnet_id = data.azurerm_subnet.firewall.id`
	`40`	`+ subnet_id = var.firewall_subnet_id`
`41`	`41`	`public_ip_address_id = var.firewall_force_tunnel_ip != "" ? null : azurerm_public_ip.fwtransit[0].id`
`42`	`42`	`}`
`43`	`43`
Original file line number	Diff line number	Diff line change
`@@ -11,7 +11,7 @@ output "azure_firewall_subnet_id" {`
`11`	`11`	`}`
`12`	`12`
`13`	`13`	`output "firewall_management_subnet_id" {`
`14`		`- value = azurerm_subnet.firewall_management.id`
	`14`	`+ value = local.subnet_ids_map["AzureFirewallManagementSubnet"]`
`15`	`15`	`}`
`16`	`16`
`17`	`17`	`output "app_gw_subnet_id" {`