diff --git a/src/bicep/mlz.bicep b/src/bicep/mlz.bicep
index 75fdff887..d81e01b62 100644
--- a/src/bicep/mlz.bicep
+++ b/src/bicep/mlz.bicep
@@ -77,6 +77,7 @@ module hubNetwork './modules/hubNetwork.bicep' = {
     firewallSkuTier: firewallSkuTier
     firewallPolicyName: firewallPolicyName
     firewallThreatIntelMode: firewallThreatIntelMode
+    firewallIntrusionDetectionMode: firewallIntrusionDetectionMode
     firewallDiagnosticsLogs: firewallDiagnosticsLogs
     firewallDiagnosticsMetrics: firewallDiagnosticsMetrics
     firewallClientIpConfigurationName: firewallClientIpConfigurationName
@@ -349,7 +350,21 @@ param firewallName string = 'firewall'
 param firewallManagementSubnetAddressPrefix string = '10.0.100.64/26'
 param firewallClientSubnetAddressPrefix string = '10.0.100.0/26'
 param firewallPolicyName string = 'firewall-policy'
+
+@allowed([
+  'Alert'
+  'Deny'
+  'Off'
+])
 param firewallThreatIntelMode string = 'Alert'
+
+@allowed([
+  'Alert'
+  'Deny'
+  'Off'
+])
+param firewallIntrusionDetectionMode string = 'Alert'
+
 param firewallDiagnosticsLogs array = [
   {
     category: 'AzureFirewallApplicationRule'
diff --git a/src/bicep/mlz.json b/src/bicep/mlz.json
index 7f5a21a59..416036160 100644
--- a/src/bicep/mlz.json
+++ b/src/bicep/mlz.json
@@ -5,7 +5,7 @@
     "_generator": {
       "name": "bicep",
       "version": "0.4.1008.15138",
-      "templateHash": "15227849893402646033"
+      "templateHash": "10286368957514163169"
     }
   },
   "parameters": {
@@ -132,7 +132,21 @@
     },
     "firewallThreatIntelMode": {
       "type": "string",
-      "defaultValue": "Alert"
+      "defaultValue": "Alert",
+      "allowedValues": [
+        "Alert",
+        "Deny",
+        "Off"
+      ]
+    },
+    "firewallIntrusionDetectionMode": {
+      "type": "string",
+      "defaultValue": "Alert",
+      "allowedValues": [
+        "Alert",
+        "Deny",
+        "Off"
+      ]
     },
     "firewallDiagnosticsLogs": {
       "type": "array",
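Review bot: The new `firewallIntrusionDetectionMode` parameter in the `@@ -349` hunk (and the now-constrained `firewallThreatIntelMode` just above it) carries no `@description`, so a deployer reading the template cannot tell that `Alert` only logs signature matches, `Deny` also blocks them, and `Off` disables IDPS entirely. Suggest `@description('Azure Firewall Policy intrusion detection (IDPS) mode: Alert logs matching traffic, Deny also blocks it, Off disables IDPS. IDPS is an Azure Firewall Premium feature.')` on the parameter, and the same on the matching declarations in modules/firewall.bicep and modules/hubNetwork.bicep later in this diff. The allowed-value list is now duplicated in three Bicep files; that is normal for module parameters, but the copies need to stay in step if a value is ever added or removed. The mlz.json changes are generated build output and need no separate review.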
@@ -1134,6 +1148,9 @@
       "firewallThreatIntelMode": {
         "value": "[parameters('firewallThreatIntelMode')]"
       },
+      "firewallIntrusionDetectionMode": {
+        "value": "[parameters('firewallIntrusionDetectionMode')]"
+      },
       "firewallDiagnosticsLogs": {
         "value": "[parameters('firewallDiagnosticsLogs')]"
       },
@@ -1202,7 +1219,7 @@
         "_generator": {
           "name": "bicep",
           "version": "0.4.1008.15138",
-          "templateHash": "13599565970900573060"
+          "templateHash": "5914406162434941149"
         }
       },
       "parameters": {
@@ -1285,7 +1302,20 @@
           "type": "string"
         },
         "firewallThreatIntelMode": {
-          "type": "string"
+          "type": "string",
+          "allowedValues": [
+            "Alert",
+            "Deny",
+            "Off"
+          ]
+        },
+        "firewallIntrusionDetectionMode": {
+          "type": "string",
+          "allowedValues": [
+            "Alert",
+            "Deny",
+            "Off"
+          ]
         },
         "firewallDiagnosticsLogs": {
           "type": "array"
@@ -2101,6 +2131,9 @@
           "threatIntelMode": {
             "value": "[parameters('firewallThreatIntelMode')]"
           },
+          "intrusionDetectionMode": {
+            "value": "[parameters('firewallIntrusionDetectionMode')]"
+          },
           "clientIpConfigurationName": {
             "value": "[parameters('firewallClientIpConfigurationName')]"
           },
@@ -2139,7 +2172,7 @@
             "_generator": {
               "name": "bicep",
               "version": "0.4.1008.15138",
-              "templateHash": "16515753424142002553"
+              "templateHash": "6929052309016745644"
             }
           },
           "parameters": {
@@ -2158,7 +2191,20 @@
               "type": "string"
             },
             "threatIntelMode": {
-              "type": "string"
+              "type": "string",
+              "allowedValues": [
+                "Alert",
+                "Deny",
+                "Off"
+              ]
+            },
+            "intrusionDetectionMode": {
+              "type": "string",
+              "allowedValues": [
+                "Alert",
+                "Deny",
+                "Off"
+              ]
             },
             "clientIpConfigurationName": {
               "type": "string"
@@ -2204,6 +2250,9 @@
               "tags": "[parameters('tags')]",
               "properties": {
                 "threatIntelMode": "[parameters('threatIntelMode')]",
+                "intrusionDetection": {
+                  "mode": "[parameters('intrusionDetectionMode')]"
+                },
                 "sku": {
                   "tier": "[parameters('skuTier')]"
                 }
diff --git a/src/bicep/modules/firewall.bicep b/src/bicep/modules/firewall.bicep
index 1efc74817..a0089f6b5 100644
--- a/src/bicep/modules/firewall.bicep
+++ b/src/bicep/modules/firewall.bicep
@@ -3,8 +3,21 @@ param location string = resourceGroup().location param tags object = {} param skuTier string + +@allowed([ + 'Alert' + 'Deny' + 'Off' +]) param threatIntelMode string +@allowed([ + 'Alert' + 'Deny' + 'Off' +]) +param intrusionDetectionMode string + param clientIpConfigurationName string param clientIpConfigurationSubnetResourceId string param clientIpConfigurationPublicIPAddressResourceId string
@@ -27,6 +40,9 @@ resource firewallPolicy 'Microsoft.Network/firewallPolicies@2021-02-01' = {
   tags: tags
   properties: {
     threatIntelMode: threatIntelMode
+    intrusionDetection:{
+      mode: intrusionDetectionMode
+    }
     sku: {
       tier: skuTier
     }
diff --git a/src/bicep/modules/hubNetwork.bicep b/src/bicep/modules/hubNetwork.bicep
index 98da70e5e..3783aea53 100644
--- a/src/bicep/modules/hubNetwork.bicep
+++ b/src/bicep/modules/hubNetwork.bicep
@@ -29,7 +29,20 @@ param routeTableRouteNextHopType string = 'VirtualAppliance'
 param firewallName string
 param firewallSkuTier string
 param firewallPolicyName string
+
+@allowed([
+  'Alert'
+  'Deny'
+  'Off'
+])
 param firewallThreatIntelMode string
+
+@allowed([
+  'Alert'
+  'Deny'
+  'Off'
+])
+param firewallIntrusionDetectionMode string
 param firewallDiagnosticsLogs array
 param firewallDiagnosticsMetrics array
 param firewallClientIpConfigurationName string
@@ -201,7 +214,7 @@ module firewall './firewall.bicep' = { firewallPolicyName: firewallPolicyName threatIntelMode: firewallThreatIntelMode - + intrusionDetectionMode: firewallIntrusionDetectionMode clientIpConfigurationName: firewallClientIpConfigurationName clientIpConfigurationSubnetResourceId: '${virtualNetwork.outputs.id}/subnets/${firewallClientSubnetName}' clientIpConfigurationPublicIPAddressResourceId: firewallClientPublicIPAddress.outputs.id
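Review bot: In the `@@ -27,6 +40,9` hunk of modules/firewall.bicep, `intrusionDetection` is now emitted on the firewall policy unconditionally, but IDPS is an Azure Firewall Premium feature and `skuTier` remains a free parameter in this module, so I expect a Standard-tier deployment to be rejected by the resource provider rather than at template validation. Gating the property on the tier keeps Standard deployments working while still honouring the mode on Premium: `intrusionDetection: skuTier == 'Premium' ? { mode: intrusionDetectionMode } : null`. Minor style: `intrusionDetection:{` lacks the space after the colon that every neighbouring property has. The `firewallPolicy` resource begins outside the hunk, and the `@@ -3,8 +3,21` parameter hunk appears to have lost its blank context lines in rendering, so its exact line layout cannot be confirmed from this page.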
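Review bot: In the `@@ -29,7 +29,20` hunk of modules/hubNetwork.bicep, `param firewallIntrusionDetectionMode string` runs straight into `param firewallDiagnosticsLogs array` with no separating blank line, unlike the decorated `firewallThreatIntelMode` block above it and the same declaration in mlz.bicep, which both end with a blank line. Adding the blank line after `param firewallIntrusionDetectionMode string` keeps the three files visually consistent. The `@@ -201` hunk in the same file replaces the blank separator inside the `module firewall` params with the new `intrusionDetectionMode:` line; if that blank line was intentional grouping, consider keeping it after the new entry.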