@drunk-pulumi/azure 0.0.19

package/VNet/FirewallRules/AksFirewallRules.js

@@ -0,0 +1,250 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const types_1 = require("@pulumi/azure-native/types");
+const getDnatRules = ({ startPriority, publicIpAddresses, dNATs, }) => {
+    const rules = new Array();
+    rules.push({
+        name: 'dnat-rules',
+        action: { type: types_1.enums.network.AzureFirewallNatRCActionType.Dnat },
+        priority: ++startPriority,
+        rules: dNATs.flatMap((nat) => {
+            const httpsRule = {
+                name: `${nat.name}-inbound-443`,
+                description: `Forward port 443 external IpAddress of ${nat.name} to internal IpAddress`,
+                sourceAddresses: [nat.externalIpAddress],
+                destinationAddresses: publicIpAddresses,
+                destinationPorts: ['443'],
+                protocols: ['TCP'],
+                translatedAddress: nat.internalIpAddress,
+                translatedPort: '443',
+            };
+            const httpRule = {
+                name: `${nat.name}-inbound-80`,
+                description: `Forward port 80 external IpAddress of ${nat.name} to internal IpAddress`,
+                sourceAddresses: [nat.externalIpAddress],
+                destinationAddresses: publicIpAddresses,
+                destinationPorts: ['80'],
+                protocols: ['TCP'],
+                translatedAddress: nat.internalIpAddress,
+                translatedPort: '80',
+            };
+            return nat.allowHttp ? [httpsRule, httpRule] : [httpsRule];
+        }),
+    });
+    return rules;
+};
+const getAksNetRules = ({ startPriority, location = 'SoutheastAsia', vnetAddressSpace, }) => {
+    location = location.toLowerCase();
+    const rules = new Array();
+    //============= Standard Rules for AKS ================== //
+    //https://docs.microsoft.com/en-us/azure/aks/limit-egress-traffic
+    rules.push({
+        name: 'aks-net-rules',
+        action: { type: types_1.enums.network.AzureFirewallRCActionType.Allow },
+        priority: ++startPriority,
+        rules: [
+            // {
+            //   name: 'aks-vpn',
+            //   description:
+            //     'For OPEN VPN tunneled secure communication between the nodes and the control plane for AzureCloud.SoutheastAsia',
+            //   protocols: ['UDP'],
+            //   sourceAddresses: vnetAddressSpace,
+            //   destinationAddresses: [`AzureCloud.${location}`],
+            //   destinationPorts: ['1194'],
+            // },
+            {
+                name: 'aks-tcp',
+                description: 'For tunneled secure communication between the nodes and the control plane for AzureCloud.SoutheastAsia',
+                protocols: ['TCP'],
+                sourceAddresses: vnetAddressSpace,
+                destinationAddresses: [`AzureCloud.${location}`],
+                destinationPorts: ['443', '9000'],
+            },
+            {
+                name: 'aks-time',
+                description: 'Required for Network Time Protocol (NTP) time synchronization on Linux nodes.',
+                protocols: ['UDP'],
+                sourceAddresses: vnetAddressSpace,
+                destinationFqdns: ['ntp.ubuntu.com'],
+                destinationPorts: ['123'],
+            },
+            {
+                name: 'aks-time_others',
+                description: 'Required for Network Time Protocol (NTP) time synchronization on Linux nodes.',
+                protocols: ['UDP'],
+                sourceAddresses: vnetAddressSpace,
+                destinationAddresses: ['*'],
+                destinationPorts: ['123'],
+            },
+            // {
+            //   name: 'aks-control-server',
+            //   description:
+            //     'Required if running pods/deployments that access the API Server, those pods/deployments would use the API IP.',
+            //   protocols: ['TCP'],
+            //   sourceAddresses: vnetAddressSpace,
+            //   destinationAddresses: ['10.0.0.0/16'],//Ask default is '10.0.0.0/16'
+            //   destinationPorts: ['443', '10250', '10251'],
+            // },
+            {
+                name: 'azure-services-tags',
+                description: 'Allows internal services to connect to Azure Resources.',
+                protocols: ['TCP'],
+                sourceAddresses: vnetAddressSpace,
+                destinationAddresses: [
+                    'AzureContainerRegistry.SoutheastAsia',
+                    'MicrosoftContainerRegistry.SoutheastAsia',
+                    'AzureActiveDirectory',
+                    'AzureMonitor.SoutheastAsia',
+                    'AppConfiguration',
+                    'AzureKeyVault.SoutheastAsia',
+                    //'AzureSignalR', This already using private endpoint
+                    //'DataFactory.SoutheastAsia',
+                    //'EventHub.SoutheastAsia',
+                    'ServiceBus.SoutheastAsia',
+                    //'Sql.SoutheastAsia', This already using private endpoint
+                    'Storage.SoutheastAsia',
+                ],
+                destinationPorts: ['443'],
+            },
+            {
+                name: 'others-dns',
+                description: 'Others DNS.',
+                protocols: ['TCP', 'UDP'],
+                sourceAddresses: vnetAddressSpace,
+                destinationAddresses: ['*'],
+                destinationPorts: ['53'],
+            },
+        ],
+    });
+    return rules;
+};
+const getAksAppRules = ({ startPriority, vnetAddressSpace, }) => {
+    const rules = new Array();
+    //============= Standard Rules for AKS ================== //
+    //https://docs.microsoft.com/en-us/azure/aks/limit-egress-traffic
+    //AzureKubernetesService
+    rules.push({
+        name: 'aks-services-fqdn-rules',
+        action: { type: types_1.enums.network.AzureFirewallRCActionType.Allow },
+        priority: ++startPriority,
+        rules: [
+            {
+                name: 'aks-services',
+                description: 'Allows pods to access AzureKubernetesService',
+                sourceAddresses: vnetAddressSpace,
+                //AzureKubernetesService is allow to access google.com
+                fqdnTags: ['AzureKubernetesService'],
+            },
+            {
+                name: 'aks-fqdn',
+                description: 'Azure Global required FQDN',
+                sourceAddresses: vnetAddressSpace,
+                targetFqdns: [
+                    //AKS mater
+                    '*.hcp.southeastasia.azmk8s.io',
+                    //Microsoft Container Registry
+                    'mcr.microsoft.com',
+                    'data.mcr.microsoft.com',
+                    '*.data.mcr.microsoft.com',
+                    //Azure management
+                    'management.azure.com',
+                    'login.microsoftonline.com',
+                    //Microsoft trusted package repository
+                    'packages.microsoft.com',
+                    //Azure CDN
+                    'acs-mirror.azureedge.net',
+                    //CosmosDb
+                    '*.documents.azure.com',
+                ],
+                protocols: [{ protocolType: 'Https', port: 443 }],
+            },
+            {
+                name: 'azure-monitors',
+                sourceAddresses: vnetAddressSpace,
+                targetFqdns: [
+                    'dc.services.visualstudio.com',
+                    '*.ods.opinsights.azure.com',
+                    '*.oms.opinsights.azure.com',
+                    '*.monitoring.azure.com',
+                    '*.services.visualstudio.com',
+                ],
+                protocols: [{ protocolType: 'Https', port: 443 }],
+            },
+            {
+                name: 'azure-policy',
+                sourceAddresses: vnetAddressSpace,
+                targetFqdns: [
+                    '*.policy.core.windows.net',
+                    'gov-prod-policy-data.trafficmanager.net',
+                    'raw.githubusercontent.com',
+                    'dc.services.visualstudio.com',
+                ],
+                protocols: [{ protocolType: 'Https', port: 443 }],
+            },
+            {
+                //TODO Allow Docker Access is potential risk once we have budget and able to upload external images to ACR then remove docker.
+                name: 'docker-services',
+                sourceAddresses: vnetAddressSpace,
+                targetFqdns: [
+                    'quay.io', //For Cert Manager
+                    '*.quay.io',
+                    'auth.docker.io',
+                    '*.auth.docker.io',
+                    '*.cloudflare.docker.io',
+                    'docker.io',
+                    'cloudflare.docker.io',
+                    'cloudflare.docker.com',
+                    '*.cloudflare.docker.com',
+                    '*.registry-1.docker.io',
+                    'registry-1.docker.io',
+                ],
+                protocols: [{ protocolType: 'Https', port: 443 }],
+            },
+            {
+                //TODO Allow external registry is potential risk once we have budget and able to upload external images to ACR then remove docker.
+                name: 'k8s-services',
+                sourceAddresses: vnetAddressSpace,
+                targetFqdns: [
+                    'k8s.gcr.io', //nginx images
+                    '*.k8s.io',
+                    'asia-east1-docker.pkg.dev',
+                    '*.gcr.io',
+                    '*.googleapis.com',
+                ],
+                protocols: [{ protocolType: 'Https', port: 443 }],
+            },
+            {
+                name: 'ubuntu-services',
+                sourceAddresses: vnetAddressSpace,
+                targetFqdns: [
+                    'security.ubuntu.com',
+                    'azure.archive.ubuntu.com',
+                    'changelogs.ubuntu.com',
+                ],
+                protocols: [{ protocolType: 'Https', port: 443 }],
+            },
+        ],
+    });
+    return rules;
+};
+exports.default = ({ startPriority, vnetAddressSpace, ...others }) => {
+    const natRuleCollections = getDnatRules({
+        startPriority,
+        ...others,
+    });
+    const networkRuleCollections = getAksNetRules({
+        startPriority,
+        vnetAddressSpace,
+        ...others,
+    });
+    const applicationRuleCollections = getAksAppRules({
+        startPriority,
+        vnetAddressSpace,
+    });
+    return {
+        natRuleCollections,
+        networkRuleCollections,
+        applicationRuleCollections,
+    };
+};
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiQWtzRmlyZXdhbGxSdWxlcy5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uLy4uL3NyYy9WTmV0L0ZpcmV3YWxsUnVsZXMvQWtzRmlyZXdhbGxSdWxlcy50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiOztBQUFBLHNEQUFvRTtBQW9CcEUsTUFBTSxZQUFZLEdBQUcsQ0FBQyxFQUNwQixhQUFhLEVBQ2IsaUJBQWlCLEVBQ2pCLEtBQUssR0FDUSxFQUE0RCxFQUFFO0lBQzNFLE1BQU0sS0FBSyxHQUFHLElBQUksS0FBSyxFQUFxRCxDQUFDO0lBRTdFLEtBQUssQ0FBQyxJQUFJLENBQUM7UUFDVCxJQUFJLEVBQUUsWUFBWTtRQUNsQixNQUFNLEVBQUUsRUFBRSxJQUFJLEVBQUUsYUFBSyxDQUFDLE9BQU8sQ0FBQyw0QkFBNEIsQ0FBQyxJQUFJLEVBQUU7UUFDakUsUUFBUSxFQUFFLEVBQUUsYUFBYTtRQUV6QixLQUFLLEVBQUUsS0FBSyxDQUFDLE9BQU8sQ0FBQyxDQUFDLEdBQUcsRUFBRSxFQUFFO1lBQzNCLE1BQU0sU0FBUyxHQUFHO2dCQUNoQixJQUFJLEVBQUUsR0FBRyxHQUFHLENBQUMsSUFBSSxjQUFjO2dCQUMvQixXQUFXLEVBQUUsMENBQTBDLEdBQUcsQ0FBQyxJQUFJLHdCQUF3QjtnQkFDdkYsZUFBZSxFQUFFLENBQUMsR0FBRyxDQUFDLGlCQUFpQixDQUFDO2dCQUN4QyxvQkFBb0IsRUFBRSxpQkFBaUI7Z0JBQ3ZDLGdCQUFnQixFQUFFLENBQUMsS0FBSyxDQUFDO2dCQUN6QixTQUFTLEVBQUUsQ0FBQyxLQUFLLENBQUM7Z0JBQ2xCLGlCQUFpQixFQUFFLEdBQUcsQ0FBQyxpQkFBaUI7Z0JBQ3hDLGNBQWMsRUFBRSxLQUFLO2FBQ3RCLENBQUM7WUFFRixNQUFNLFFBQVEsR0FBRztnQkFDZixJQUFJLEVBQUUsR0FBRyxHQUFHLENBQUMsSUFBSSxhQUFhO2dCQUM5QixXQUFXLEVBQUUseUNBQXlDLEdBQUcsQ0FBQyxJQUFJLHdCQUF3QjtnQkFDdEYsZUFBZSxFQUFFLENBQUMsR0FBRyxDQUFDLGlCQUFpQixDQUFDO2dCQUN4QyxvQkFBb0IsRUFBRSxpQkFBaUI7Z0JBQ3ZDLGdCQUFnQixFQUFFLENBQUMsSUFBSSxDQUFDO2dCQUN4QixTQUFTLEVBQUUsQ0FBQyxLQUFLLENBQUM7Z0JBQ2xCLGlCQUFpQixFQUFFLEdBQUcsQ0FBQyxpQkFBaUI7Z0JBQ3hDLGNBQWMsRUFBRSxJQUFJO2FBQ3JCLENBQUM7WUFDRixPQUFPLEdBQUcsQ0FBQyxTQUFTLENBQUMsQ0FBQyxDQUFDLENBQUMsU0FBUyxFQUFFLFFBQVEsQ0FBQyxDQUFDLENBQUMsQ0FBQyxDQUFDLFNBQVMsQ0FBQyxDQUFDO1FBQzdELENBQUMsQ0FBQztLQUNILENBQUMsQ0FBQztJQUVILE9BQU8sS0FBSyxDQUFDO0FBQ2YsQ0FBQyxDQUFDO0FBUUYsTUFBTSxjQUFjLEdBQUcsQ0FBQyxFQUN0QixhQUFhLEVBQ2IsUUFBUSxHQUFHLGVBQWUsRUFDMUIsZ0JBQWdCLEdBQ0osRUFBMkQsRUFBRTtJQUN6RSxRQUFRLEdBQUcsUUFBUSxDQUFDLFdBQVcsRUFBRSxDQUFDO0lBRWxDLE1BQU0sS0FBSyxHQUNULElBQUksS0FBSyxFQUF5RCxDQUFDO0lBQ3JFLDREQUE0RDtJQUM1RCxpRUFBaUU7SUFFakUsS0FBSyxDQUFDLElBQUksQ0FBQztRQUNULElBQUksRUFBRSxlQUFlO1FBQ3JCLE1BQU0sRUFBRSxFQUFFLElBQUksRUFBRSxhQUFLLENBQUMsT0FBTyxDQUFDLHlCQUF5QixDQUFDLEtBQUssRUFBRTtRQUMvRCxRQUFRLEVBQUUsRUFBRSxhQUFhO1FBQ3pCLEtBQUssRUFBRTtZQUNMLElBQUk7WUFDSixxQkFBcUI7WUFDckIsaUJBQWlCO1lBQ2pCLHlIQUF5SDtZQUN6SCx3QkFBd0I7WUFDeEIsdUNBQXVDO1lBQ3ZDLHNEQUFzRDtZQUN0RCxnQ0FBZ0M7WUFDaEMsS0FBSztZQUNMO2dCQUNFLElBQUksRUFBRSxTQUFTO2dCQUNmLFdBQVcsRUFDVCx3R0FBd0c7Z0JBQzFHLFNBQVMsRUFBRSxDQUFDLEtBQUssQ0FBQztnQkFDbEIsZUFBZSxFQUFFLGdCQUFnQjtnQkFDakMsb0JBQW9CLEVBQUUsQ0FBQyxjQUFjLFFBQVEsRUFBRSxDQUFDO2dCQUNoRCxnQkFBZ0IsRUFBRSxDQUFDLEtBQUssRUFBRSxNQUFNLENBQUM7YUFDbEM7WUFDRDtnQkFDRSxJQUFJLEVBQUUsVUFBVTtnQkFDaEIsV0FBVyxFQUNULCtFQUErRTtnQkFDakYsU0FBUyxFQUFFLENBQUMsS0FBSyxDQUFDO2dCQUNsQixlQUFlLEVBQUUsZ0JBQWdCO2dCQUNqQyxnQkFBZ0IsRUFBRSxDQUFDLGdCQUFnQixDQUFDO2dCQUNwQyxnQkFBZ0IsRUFBRSxDQUFDLEtBQUssQ0FBQzthQUMxQjtZQUNEO2dCQUNFLElBQUksRUFBRSxpQkFBaUI7Z0JBQ3ZCLFdBQVcsRUFDVCwrRUFBK0U7Z0JBQ2pGLFNBQVMsRUFBRSxDQUFDLEtBQUssQ0FBQztnQkFDbEIsZUFBZSxFQUFFLGdCQUFnQjtnQkFDakMsb0JBQW9CLEVBQUUsQ0FBQyxHQUFHLENBQUM7Z0JBQzNCLGdCQUFnQixFQUFFLENBQUMsS0FBSyxDQUFDO2FBQzFCO1lBQ0QsSUFBSTtZQUNKLGdDQUFnQztZQUNoQyxpQkFBaUI7WUFDakIsdUhBQXVIO1lBQ3ZILHdCQUF3QjtZQUN4Qix1Q0FBdUM7WUFDdkMseUVBQXlFO1lBQ3pFLGlEQUFpRDtZQUNqRCxLQUFLO1lBQ0w7Z0JBQ0UsSUFBSSxFQUFFLHFCQUFxQjtnQkFDM0IsV0FBVyxFQUFFLHlEQUF5RDtnQkFDdEUsU0FBUyxFQUFFLENBQUMsS0FBSyxDQUFDO2dCQUNsQixlQUFlLEVBQUUsZ0JBQWdCO2dCQUNqQyxvQkFBb0IsRUFBRTtvQkFDcEIsc0NBQXNDO29CQUN0QywwQ0FBMEM7b0JBQzFDLHNCQUFzQjtvQkFDdEIsNEJBQTRCO29CQUM1QixrQkFBa0I7b0JBQ2xCLDZCQUE2QjtvQkFDN0IscURBQXFEO29CQUNyRCw4QkFBOEI7b0JBQzlCLDJCQUEyQjtvQkFDM0IsMEJBQTBCO29CQUMxQiwwREFBMEQ7b0JBQzFELHVCQUF1QjtpQkFDeEI7Z0JBQ0QsZ0JBQWdCLEVBQUUsQ0FBQyxLQUFLLENBQUM7YUFDMUI7WUFDRDtnQkFDRSxJQUFJLEVBQUUsWUFBWTtnQkFDbEIsV0FBVyxFQUFFLGFBQWE7Z0JBQzFCLFNBQVMsRUFBRSxDQUFDLEtBQUssRUFBRSxLQUFLLENBQUM7Z0JBQ3pCLGVBQWUsRUFBRSxnQkFBZ0I7Z0JBQ2pDLG9CQUFvQixFQUFFLENBQUMsR0FBRyxDQUFDO2dCQUMzQixnQkFBZ0IsRUFBRSxDQUFDLElBQUksQ0FBQzthQUN6QjtTQUNGO0tBQ0YsQ0FBQyxDQUFDO0lBRUgsT0FBTyxLQUFLLENBQUM7QUFDZixDQUFDLENBQUM7QUFFRixNQUFNLGNBQWMsR0FBRyxDQUFDLEVBQ3RCLGFBQWEsRUFDYixnQkFBZ0IsR0FHakIsRUFBK0QsRUFBRTtJQUNoRSxNQUFNLEtBQUssR0FDVCxJQUFJLEtBQUssRUFBNkQsQ0FBQztJQUN6RSw0REFBNEQ7SUFDNUQsaUVBQWlFO0lBRWpFLHdCQUF3QjtJQUN4QixLQUFLLENBQUMsSUFBSSxDQUFDO1FBQ1QsSUFBSSxFQUFFLHlCQUF5QjtRQUMvQixNQUFNLEVBQUUsRUFBRSxJQUFJLEVBQUUsYUFBSyxDQUFDLE9BQU8sQ0FBQyx5QkFBeUIsQ0FBQyxLQUFLLEVBQUU7UUFDL0QsUUFBUSxFQUFFLEVBQUUsYUFBYTtRQUN6QixLQUFLLEVBQUU7WUFDTDtnQkFDRSxJQUFJLEVBQUUsY0FBYztnQkFDcEIsV0FBVyxFQUFFLDhDQUE4QztnQkFDM0QsZUFBZSxFQUFFLGdCQUFnQjtnQkFDakMsc0RBQXNEO2dCQUN0RCxRQUFRLEVBQUUsQ0FBQyx3QkFBd0IsQ0FBQzthQUNyQztZQUNEO2dCQUNFLElBQUksRUFBRSxVQUFVO2dCQUNoQixXQUFXLEVBQUUsNEJBQTRCO2dCQUN6QyxlQUFlLEVBQUUsZ0JBQWdCO2dCQUNqQyxXQUFXLEVBQUU7b0JBQ1gsV0FBVztvQkFDWCwrQkFBK0I7b0JBQy9CLDhCQUE4QjtvQkFDOUIsbUJBQW1CO29CQUNuQix3QkFBd0I7b0JBQ3hCLDBCQUEwQjtvQkFDMUIsa0JBQWtCO29CQUNsQixzQkFBc0I7b0JBQ3RCLDJCQUEyQjtvQkFDM0Isc0NBQXNDO29CQUN0Qyx3QkFBd0I7b0JBQ3hCLFdBQVc7b0JBQ1gsMEJBQTBCO29CQUMxQixVQUFVO29CQUNWLHVCQUF1QjtpQkFDeEI7Z0JBQ0QsU0FBUyxFQUFFLENBQUMsRUFBRSxZQUFZLEVBQUUsT0FBTyxFQUFFLElBQUksRUFBRSxHQUFHLEVBQUUsQ0FBQzthQUNsRDtZQUNEO2dCQUNFLElBQUksRUFBRSxnQkFBZ0I7Z0JBQ3RCLGVBQWUsRUFBRSxnQkFBZ0I7Z0JBQ2pDLFdBQVcsRUFBRTtvQkFDWCw4QkFBOEI7b0JBQzlCLDRCQUE0QjtvQkFDNUIsNEJBQTRCO29CQUM1Qix3QkFBd0I7b0JBQ3hCLDZCQUE2QjtpQkFDOUI7Z0JBQ0QsU0FBUyxFQUFFLENBQUMsRUFBRSxZQUFZLEVBQUUsT0FBTyxFQUFFLElBQUksRUFBRSxHQUFHLEVBQUUsQ0FBQzthQUNsRDtZQUNEO2dCQUNFLElBQUksRUFBRSxjQUFjO2dCQUNwQixlQUFlLEVBQUUsZ0JBQWdCO2dCQUNqQyxXQUFXLEVBQUU7b0JBQ1gsMkJBQTJCO29CQUMzQix5Q0FBeUM7b0JBQ3pDLDJCQUEyQjtvQkFDM0IsOEJBQThCO2lCQUMvQjtnQkFDRCxTQUFTLEVBQUUsQ0FBQyxFQUFFLFlBQVksRUFBRSxPQUFPLEVBQUUsSUFBSSxFQUFFLEdBQUcsRUFBRSxDQUFDO2FBQ2xEO1lBQ0Q7Z0JBQ0UsOEhBQThIO2dCQUM5SCxJQUFJLEVBQUUsaUJBQWlCO2dCQUN2QixlQUFlLEVBQUUsZ0JBQWdCO2dCQUNqQyxXQUFXLEVBQUU7b0JBQ1gsU0FBUyxFQUFFLGtCQUFrQjtvQkFDN0IsV0FBVztvQkFDWCxnQkFBZ0I7b0JBQ2hCLGtCQUFrQjtvQkFDbEIsd0JBQXdCO29CQUN4QixXQUFXO29CQUNYLHNCQUFzQjtvQkFDdEIsdUJBQXVCO29CQUN2Qix5QkFBeUI7b0JBQ3pCLHdCQUF3QjtvQkFDeEIsc0JBQXNCO2lCQUN2QjtnQkFDRCxTQUFTLEVBQUUsQ0FBQyxFQUFFLFlBQVksRUFBRSxPQUFPLEVBQUUsSUFBSSxFQUFFLEdBQUcsRUFBRSxDQUFDO2FBQ2xEO1lBQ0Q7Z0JBQ0Usa0lBQWtJO2dCQUNsSSxJQUFJLEVBQUUsY0FBYztnQkFDcEIsZUFBZSxFQUFFLGdCQUFnQjtnQkFDakMsV0FBVyxFQUFFO29CQUNYLFlBQVksRUFBRSxjQUFjO29CQUM1QixVQUFVO29CQUNWLDJCQUEyQjtvQkFDM0IsVUFBVTtvQkFDVixrQkFBa0I7aUJBQ25CO2dCQUNELFNBQVMsRUFBRSxDQUFDLEVBQUUsWUFBWSxFQUFFLE9BQU8sRUFBRSxJQUFJLEVBQUUsR0FBRyxFQUFFLENBQUM7YUFDbEQ7WUFDRDtnQkFDRSxJQUFJLEVBQUUsaUJBQWlCO2dCQUN2QixlQUFlLEVBQUUsZ0JBQWdCO2dCQUNqQyxXQUFXLEVBQUU7b0JBQ1gscUJBQXFCO29CQUNyQiwwQkFBMEI7b0JBQzFCLHVCQUF1QjtpQkFDeEI7Z0JBQ0QsU0FBUyxFQUFFLENBQUMsRUFBRSxZQUFZLEVBQUUsT0FBTyxFQUFFLElBQUksRUFBRSxHQUFHLEVBQUUsQ0FBQzthQUNsRDtTQUNGO0tBQ0YsQ0FBQyxDQUFDO0lBRUgsT0FBTyxLQUFLLENBQUM7QUFDZixDQUFDLENBQUM7QUFPRixrQkFBZSxDQUFDLEVBQ2QsYUFBYSxFQUNiLGdCQUFnQixFQUNoQixHQUFHLE1BQU0sRUFDUSxFQUF1QixFQUFFO0lBQzFDLE1BQU0sa0JBQWtCLEdBQUcsWUFBWSxDQUFDO1FBQ3RDLGFBQWE7UUFDYixHQUFHLE1BQU07S0FDVixDQUFDLENBQUM7SUFFSCxNQUFNLHNCQUFzQixHQUFHLGNBQWMsQ0FBQztRQUM1QyxhQUFhO1FBQ2IsZ0JBQWdCO1FBQ2hCLEdBQUcsTUFBTTtLQUNWLENBQUMsQ0FBQztJQUVILE1BQU0sMEJBQTBCLEdBQUcsY0FBYyxDQUFDO1FBQ2hELGFBQWE7UUFDYixnQkFBZ0I7S0FDakIsQ0FBQyxDQUFDO0lBRUgsT0FBTztRQUNMLGtCQUFrQjtRQUNsQixzQkFBc0I7UUFDdEIsMEJBQTBCO0tBQzNCLENBQUM7QUFDSixDQUFDLENBQUMifQ==

package/VNet/FirewallRules/DefaultRules.d.ts

@@ -0,0 +1,2 @@
+import { input as inputs } from '@pulumi/azure-native/types';
+export declare const deniedOthersRule: inputs.network.AzureFirewallApplicationRuleCollectionArgs;

package/VNet/FirewallRules/DefaultRules.js

@@ -0,0 +1,23 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.deniedOthersRule = void 0;
+const types_1 = require("@pulumi/azure-native/types");
+exports.deniedOthersRule = {
+    name: 'firewall-deny-others-fqdn-rules',
+    action: { type: types_1.enums.network.AzureFirewallRCActionType.Deny },
+    priority: 6001,
+    rules: [
+        {
+            name: 'deny-others-websites',
+            description: 'Denied all others websites',
+            sourceAddresses: ['*'],
+            targetFqdns: ['*'],
+            protocols: [
+                { protocolType: 'Http', port: 80 },
+                { protocolType: 'Https', port: 443 },
+                { protocolType: 'Mssql', port: 1433 },
+            ],
+        },
+    ],
+};
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiRGVmYXVsdFJ1bGVzLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vc3JjL1ZOZXQvRmlyZXdhbGxSdWxlcy9EZWZhdWx0UnVsZXMudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6Ijs7O0FBQUEsc0RBQW9FO0FBRXZELFFBQUEsZ0JBQWdCLEdBQzNCO0lBQ0UsSUFBSSxFQUFFLGlDQUFpQztJQUN2QyxNQUFNLEVBQUUsRUFBRSxJQUFJLEVBQUUsYUFBSyxDQUFDLE9BQU8sQ0FBQyx5QkFBeUIsQ0FBQyxJQUFJLEVBQUU7SUFDOUQsUUFBUSxFQUFFLElBQUk7SUFDZCxLQUFLLEVBQUU7UUFDTDtZQUNFLElBQUksRUFBRSxzQkFBc0I7WUFDNUIsV0FBVyxFQUFFLDRCQUE0QjtZQUN6QyxlQUFlLEVBQUUsQ0FBQyxHQUFHLENBQUM7WUFDdEIsV0FBVyxFQUFFLENBQUMsR0FBRyxDQUFDO1lBQ2xCLFNBQVMsRUFBRTtnQkFDVCxFQUFFLFlBQVksRUFBRSxNQUFNLEVBQUUsSUFBSSxFQUFFLEVBQUUsRUFBRTtnQkFDbEMsRUFBRSxZQUFZLEVBQUUsT0FBTyxFQUFFLElBQUksRUFBRSxHQUFHLEVBQUU7Z0JBQ3BDLEVBQUUsWUFBWSxFQUFFLE9BQU8sRUFBRSxJQUFJLEVBQUUsSUFBSSxFQUFFO2FBQ3RDO1NBQ0Y7S0FDRjtDQUNGLENBQUMifQ==

package/VNet/FirewallRules/types.d.ts

@@ -0,0 +1,20 @@
+import { input as inputs } from "@pulumi/azure-native/types";
+import { Input, Output } from "@pulumi/pulumi";
+export interface FirewallRuleProps {
+    name: string;
+    dnatRules?: Array<Input<inputs.network.NatRuleArgs>>;
+    networkRules?: Array<Input<inputs.network.NetworkRuleArgs>>;
+    applicationRules?: Array<Input<inputs.network.ApplicationRuleArgs>>;
+}
+export interface FirewallPolicyProps {
+    enabled: boolean;
+    /**These props for create new policy*/
+    parentPolicyId?: Output<string>;
+    priority?: number;
+    rules?: Array<FirewallRuleProps>;
+}
+export interface FirewallRuleResults {
+    applicationRuleCollections?: inputs.network.AzureFirewallApplicationRuleCollectionArgs[];
+    natRuleCollections?: inputs.network.AzureFirewallNatRuleCollectionArgs[];
+    networkRuleCollections?: inputs.network.AzureFirewallNetworkRuleCollectionArgs[];
+}

package/VNet/FirewallRules/types.js

@@ -0,0 +1,5 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//type FirewallRuleCreator = () => FirewallRuleResults;
+//type FirewallPolicyCreator = () => Omit<FirewallPolicyProps, "enabled">;
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoidHlwZXMuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi9zcmMvVk5ldC9GaXJld2FsbFJ1bGVzL3R5cGVzLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiI7O0FBeUJBLHVEQUF1RDtBQUN2RCwwRUFBMEUifQ==

package/VNet/GlobalNetworkPeering.d.ts

@@ -0,0 +1,9 @@
+import { Input } from '@pulumi/pulumi';
+export interface VNetPeeringProps {
+    name: string;
+    localVNetName: Input<string>;
+    localVNetResourceGroupName: Input<string>;
+    globalPeeringVnetId: Input<string>;
+}
+declare const _default: ({ name, localVNetName, localVNetResourceGroupName, globalPeeringVnetId, }: VNetPeeringProps) => void;
+export default _default;

package/VNet/GlobalNetworkPeering.js

@@ -0,0 +1,17 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const StackEnv_1 = require("../Common/StackEnv");
+const network = require("@pulumi/azure-native/network");
+exports.default = ({ name, localVNetName, localVNetResourceGroupName, globalPeeringVnetId, }) => {
+    new network.VirtualNetworkPeering(`${StackEnv_1.stack}-${name}-first-vlk`, {
+        virtualNetworkPeeringName: `${StackEnv_1.stack}-${name}-first-vlk`,
+        virtualNetworkName: localVNetName,
+        resourceGroupName: localVNetResourceGroupName,
+        allowForwardedTraffic: false,
+        allowVirtualNetworkAccess: false,
+        remoteVirtualNetwork: {
+            id: globalPeeringVnetId,
+        },
+    });
+};
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiR2xvYmFsTmV0d29ya1BlZXJpbmcuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi9zcmMvVk5ldC9HbG9iYWxOZXR3b3JrUGVlcmluZy50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiOztBQUFBLGlEQUEyQztBQUMzQyx3REFBd0Q7QUFZeEQsa0JBQWUsQ0FBQyxFQUNkLElBQUksRUFDSixhQUFhLEVBQ2IsMEJBQTBCLEVBQzFCLG1CQUFtQixHQUNGLEVBQUUsRUFBRTtJQUNyQixJQUFJLE9BQU8sQ0FBQyxxQkFBcUIsQ0FBQyxHQUFHLGdCQUFLLElBQUksSUFBSSxZQUFZLEVBQUU7UUFDOUQseUJBQXlCLEVBQUUsR0FBRyxnQkFBSyxJQUFJLElBQUksWUFBWTtRQUN2RCxrQkFBa0IsRUFBRSxhQUFhO1FBQ2pDLGlCQUFpQixFQUFFLDBCQUEwQjtRQUM3QyxxQkFBcUIsRUFBRSxLQUFLO1FBQzVCLHlCQUF5QixFQUFFLEtBQUs7UUFDaEMsb0JBQW9CLEVBQUU7WUFDcEIsRUFBRSxFQUFFLG1CQUFtQjtTQUN4QjtLQUNGLENBQUMsQ0FBQztBQUNMLENBQUMsQ0FBQyJ9

package/VNet/Helper.d.ts

@@ -0,0 +1,33 @@
+import * as network from "@pulumi/azure-native/network";
+import { Output } from "@pulumi/pulumi";
+import * as netmask from "netmask";
+import { FirewallRuleResults } from "./FirewallRules/types";
+export declare const appGatewaySubnetName = "app-gateway";
+export declare const gatewaySubnetName = "GatewaySubnet";
+export declare const azFirewallSubnet = "AzureFirewallSubnet";
+export declare const azFirewallManagementSubnet = "AzureFirewallManagementSubnet";
+export declare const azBastionSubnetName = "AzureBastionSubnet";
+export declare const getIpsRange: (prefix: string) => netmask.Netmask;
+/** Convert IP address and IP address group into range */
+export declare const convertToIpRange: (ipAddress: string[]) => Array<{
+    start: string;
+    end: string;
+}>;
+export declare const getVnetIdFromSubnetId: (subnetId: string) => string;
+/**Merge Firewall Rules Policies with starting priority*/
+export declare const mergeFirewallRules: (rules: Array<FirewallRuleResults>, startPriority?: number) => FirewallRuleResults;
+interface SubnetProps {
+    subnetName: string;
+    vnetAndGroupName: string;
+}
+/**Get Subnet Id from Naming rules*/
+export declare const getSubnetIdByName: ({ subnetName, vnetAndGroupName, }: SubnetProps) => Output<string>;
+export declare const getIpAddressId: ({ name, groupName, }: {
+    name: string;
+    groupName: string;
+}) => Output<string>;
+export declare const getIpAddressResource: ({ name, groupName, }: {
+    name: string;
+    groupName: string;
+}) => Promise<network.GetPublicIPAddressResult>;
+export {};

package/VNet/Helper.js

@@ -0,0 +1,86 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getIpAddressResource = exports.getIpAddressId = exports.getSubnetIdByName = exports.mergeFirewallRules = exports.getVnetIdFromSubnetId = exports.convertToIpRange = exports.getIpsRange = exports.azBastionSubnetName = exports.azFirewallManagementSubnet = exports.azFirewallSubnet = exports.gatewaySubnetName = exports.appGatewaySubnetName = void 0;
+const network = require("@pulumi/azure-native/network");
+const pulumi_1 = require("@pulumi/pulumi");
+const netmask = require("netmask");
+const AzureEnv_1 = require("../Common/AzureEnv");
+const Naming_1 = require("../Common/Naming");
+exports.appGatewaySubnetName = "app-gateway";
+exports.gatewaySubnetName = "GatewaySubnet";
+exports.azFirewallSubnet = "AzureFirewallSubnet";
+exports.azFirewallManagementSubnet = "AzureFirewallManagementSubnet";
+exports.azBastionSubnetName = "AzureBastionSubnet";
+const getIpsRange = (prefix) => {
+    const block = new netmask.Netmask(prefix);
+    //console.debug('getIpsRange', block);
+    return block;
+};
+exports.getIpsRange = getIpsRange;
+/** Convert IP address and IP address group into range */
+const convertToIpRange = (ipAddress) => ipAddress.map((ip) => {
+    if (ip.includes("/")) {
+        const range = (0, exports.getIpsRange)(ip);
+        return { start: range.base, end: range.broadcast };
+    }
+    return { start: ip, end: ip };
+});
+exports.convertToIpRange = convertToIpRange;
+const getVnetIdFromSubnetId = (subnetId) => {
+    //The sample SubnetId is /subscriptions/63a31b41-eb5d-4160-9fc9-d30fc00286c9/resourceGroups/sg-dev-aks-vnet/providers/Microsoft.Network/virtualNetworks/sg-vnet-trans/subnets/aks-main-nodes
+    const id = subnetId.split("/subnets")[0];
+    //console.log(id);
+    return id;
+};
+exports.getVnetIdFromSubnetId = getVnetIdFromSubnetId;
+/**Merge Firewall Rules Policies with starting priority*/
+const mergeFirewallRules = (rules, startPriority = 200) => {
+    const applicationRuleCollections = new Array();
+    const natRuleCollections = new Array();
+    const networkRuleCollections = new Array();
+    //Combined Rules
+    rules.forEach((r) => {
+        if (r.applicationRuleCollections) {
+            applicationRuleCollections.push(...r.applicationRuleCollections);
+        }
+        if (r.natRuleCollections) {
+            natRuleCollections.push(...r.natRuleCollections);
+        }
+        if (r.networkRuleCollections) {
+            networkRuleCollections.push(...r.networkRuleCollections);
+        }
+    });
+    //Update Priority
+    applicationRuleCollections.forEach((a, i) => (a.priority = startPriority + i));
+    natRuleCollections.forEach((a, i) => (a.priority = startPriority + i));
+    networkRuleCollections.forEach((a, i) => (a.priority = startPriority + i));
+    return {
+        applicationRuleCollections,
+        natRuleCollections,
+        networkRuleCollections,
+    };
+};
+exports.mergeFirewallRules = mergeFirewallRules;
+/**Get Subnet Id from Naming rules*/
+const getSubnetIdByName = ({ subnetName, vnetAndGroupName, }) => {
+    const vnetName = (0, Naming_1.getVnetName)(vnetAndGroupName);
+    const group = (0, Naming_1.getResourceGroupName)(vnetAndGroupName);
+    return (0, pulumi_1.interpolate) `/subscriptions/${AzureEnv_1.subscriptionId}/resourceGroups/${group}/providers/Microsoft.Network/virtualNetworks/${vnetName}/subnets/${subnetName}`;
+};
+exports.getSubnetIdByName = getSubnetIdByName;
+const getIpAddressId = ({ name, groupName, }) => {
+    const n = (0, Naming_1.getIpAddressName)(name);
+    const group = (0, Naming_1.getResourceGroupName)(groupName);
+    return (0, pulumi_1.interpolate) `/subscriptions/${AzureEnv_1.subscriptionId}/resourceGroups/${group}/providers/Microsoft.Network/publicIPAddresses/${n}`;
+};
+exports.getIpAddressId = getIpAddressId;
+const getIpAddressResource = ({ name, groupName, }) => {
+    const n = (0, Naming_1.getIpAddressName)(name);
+    const group = (0, Naming_1.getResourceGroupName)(groupName);
+    return network.getPublicIPAddress({
+        publicIpAddressName: n,
+        resourceGroupName: group,
+    });
+};
+exports.getIpAddressResource = getIpAddressResource;
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiSGVscGVyLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vc3JjL1ZOZXQvSGVscGVyLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiI7OztBQUFBLHdEQUF3RDtBQUV4RCwyQ0FBcUQ7QUFDckQsbUNBQW1DO0FBRW5DLGlEQUFvRDtBQUNwRCw2Q0FJMEI7QUFHYixRQUFBLG9CQUFvQixHQUFHLGFBQWEsQ0FBQztBQUNyQyxRQUFBLGlCQUFpQixHQUFHLGVBQWUsQ0FBQztBQUNwQyxRQUFBLGdCQUFnQixHQUFHLHFCQUFxQixDQUFDO0FBQ3pDLFFBQUEsMEJBQTBCLEdBQUcsK0JBQStCLENBQUM7QUFDN0QsUUFBQSxtQkFBbUIsR0FBRyxvQkFBb0IsQ0FBQztBQUVqRCxNQUFNLFdBQVcsR0FBRyxDQUFDLE1BQWMsRUFBRSxFQUFFO0lBQzVDLE1BQU0sS0FBSyxHQUFHLElBQUksT0FBTyxDQUFDLE9BQU8sQ0FBQyxNQUFNLENBQUMsQ0FBQztJQUMxQyxzQ0FBc0M7SUFDdEMsT0FBTyxLQUFLLENBQUM7QUFDZixDQUFDLENBQUM7QUFKVyxRQUFBLFdBQVcsZUFJdEI7QUFFRix5REFBeUQ7QUFDbEQsTUFBTSxnQkFBZ0IsR0FBRyxDQUM5QixTQUFtQixFQUNvQixFQUFFLENBQ3pDLFNBQVMsQ0FBQyxHQUFHLENBQUMsQ0FBQyxFQUFFLEVBQUUsRUFBRTtJQUNuQixJQUFJLEVBQUUsQ0FBQyxRQUFRLENBQUMsR0FBRyxDQUFDLEVBQUUsQ0FBQztRQUNyQixNQUFNLEtBQUssR0FBRyxJQUFBLG1CQUFXLEVBQUMsRUFBRSxDQUFDLENBQUM7UUFDOUIsT0FBTyxFQUFFLEtBQUssRUFBRSxLQUFLLENBQUMsSUFBSSxFQUFFLEdBQUcsRUFBRSxLQUFLLENBQUMsU0FBUyxFQUFFLENBQUM7SUFDckQsQ0FBQztJQUNELE9BQU8sRUFBRSxLQUFLLEVBQUUsRUFBRSxFQUFFLEdBQUcsRUFBRSxFQUFFLEVBQUUsQ0FBQztBQUNoQyxDQUFDLENBQUMsQ0FBQztBQVRRLFFBQUEsZ0JBQWdCLG9CQVN4QjtBQUVFLE1BQU0scUJBQXFCLEdBQUcsQ0FBQyxRQUFnQixFQUFFLEVBQUU7SUFDeEQsNExBQTRMO0lBQzVMLE1BQU0sRUFBRSxHQUFHLFFBQVEsQ0FBQyxLQUFLLENBQUMsVUFBVSxDQUFDLENBQUMsQ0FBQyxDQUFDLENBQUM7SUFDekMsa0JBQWtCO0lBQ2xCLE9BQU8sRUFBRSxDQUFDO0FBQ1osQ0FBQyxDQUFDO0FBTFcsUUFBQSxxQkFBcUIseUJBS2hDO0FBRUYseURBQXlEO0FBQ2xELE1BQU0sa0JBQWtCLEdBQUcsQ0FDaEMsS0FBaUMsRUFDakMsZ0JBQXdCLEdBQUcsRUFDTixFQUFFO0lBQ3ZCLE1BQU0sMEJBQTBCLEdBQzlCLElBQUksS0FBSyxFQUE2RCxDQUFDO0lBQ3pFLE1BQU0sa0JBQWtCLEdBQ3RCLElBQUksS0FBSyxFQUFxRCxDQUFDO0lBQ2pFLE1BQU0sc0JBQXNCLEdBQzFCLElBQUksS0FBSyxFQUF5RCxDQUFDO0lBRXJFLGdCQUFnQjtJQUNoQixLQUFLLENBQUMsT0FBTyxDQUFDLENBQUMsQ0FBQyxFQUFFLEVBQUU7UUFDbEIsSUFBSSxDQUFDLENBQUMsMEJBQTBCLEVBQUUsQ0FBQztZQUNqQywwQkFBMEIsQ0FBQyxJQUFJLENBQUMsR0FBRyxDQUFDLENBQUMsMEJBQTBCLENBQUMsQ0FBQztRQUNuRSxDQUFDO1FBQ0QsSUFBSSxDQUFDLENBQUMsa0JBQWtCLEVBQUUsQ0FBQztZQUN6QixrQkFBa0IsQ0FBQyxJQUFJLENBQUMsR0FBRyxDQUFDLENBQUMsa0JBQWtCLENBQUMsQ0FBQztRQUNuRCxDQUFDO1FBQ0QsSUFBSSxDQUFDLENBQUMsc0JBQXNCLEVBQUUsQ0FBQztZQUM3QixzQkFBc0IsQ0FBQyxJQUFJLENBQUMsR0FBRyxDQUFDLENBQUMsc0JBQXNCLENBQUMsQ0FBQztRQUMzRCxDQUFDO0lBQ0gsQ0FBQyxDQUFDLENBQUM7SUFFSCxpQkFBaUI7SUFDakIsMEJBQTBCLENBQUMsT0FBTyxDQUNoQyxDQUFDLENBQUMsRUFBRSxDQUFDLEVBQUUsRUFBRSxDQUFDLENBQUMsQ0FBQyxDQUFDLFFBQVEsR0FBRyxhQUFhLEdBQUcsQ0FBQyxDQUFDLENBQzNDLENBQUM7SUFDRixrQkFBa0IsQ0FBQyxPQUFPLENBQUMsQ0FBQyxDQUFDLEVBQUUsQ0FBQyxFQUFFLEVBQUUsQ0FBQyxDQUFDLENBQUMsQ0FBQyxRQUFRLEdBQUcsYUFBYSxHQUFHLENBQUMsQ0FBQyxDQUFDLENBQUM7SUFDdkUsc0JBQXNCLENBQUMsT0FBTyxDQUFDLENBQUMsQ0FBQyxFQUFFLENBQUMsRUFBRSxFQUFFLENBQUMsQ0FBQyxDQUFDLENBQUMsUUFBUSxHQUFHLGFBQWEsR0FBRyxDQUFDLENBQUMsQ0FBQyxDQUFDO0lBRTNFLE9BQU87UUFDTCwwQkFBMEI7UUFDMUIsa0JBQWtCO1FBQ2xCLHNCQUFzQjtLQUN2QixDQUFDO0FBQ0osQ0FBQyxDQUFDO0FBcENXLFFBQUEsa0JBQWtCLHNCQW9DN0I7QUFRRixvQ0FBb0M7QUFDN0IsTUFBTSxpQkFBaUIsR0FBRyxDQUFDLEVBQ2hDLFVBQVUsRUFDVixnQkFBZ0IsR0FDSixFQUFrQixFQUFFO0lBQ2hDLE1BQU0sUUFBUSxHQUFHLElBQUEsb0JBQVcsRUFBQyxnQkFBZ0IsQ0FBQyxDQUFDO0lBQy9DLE1BQU0sS0FBSyxHQUFHLElBQUEsNkJBQW9CLEVBQUMsZ0JBQWdCLENBQUMsQ0FBQztJQUNyRCxPQUFPLElBQUEsb0JBQVcsRUFBQSxrQkFBa0IseUJBQWMsbUJBQW1CLEtBQUssZ0RBQWdELFFBQVEsWUFBWSxVQUFVLEVBQUUsQ0FBQztBQUM3SixDQUFDLENBQUM7QUFQVyxRQUFBLGlCQUFpQixxQkFPNUI7QUFFSyxNQUFNLGNBQWMsR0FBRyxDQUFDLEVBQzdCLElBQUksRUFDSixTQUFTLEdBSVYsRUFBRSxFQUFFO0lBQ0gsTUFBTSxDQUFDLEdBQUcsSUFBQSx5QkFBZ0IsRUFBQyxJQUFJLENBQUMsQ0FBQztJQUNqQyxNQUFNLEtBQUssR0FBRyxJQUFBLDZCQUFvQixFQUFDLFNBQVMsQ0FBQyxDQUFDO0lBQzlDLE9BQU8sSUFBQSxvQkFBVyxFQUFBLGtCQUFrQix5QkFBYyxtQkFBbUIsS0FBSyxrREFBa0QsQ0FBQyxFQUFFLENBQUM7QUFDbEksQ0FBQyxDQUFDO0FBVlcsUUFBQSxjQUFjLGtCQVV6QjtBQUVLLE1BQU0sb0JBQW9CLEdBQUcsQ0FBQyxFQUNuQyxJQUFJLEVBQ0osU0FBUyxHQUlWLEVBQUUsRUFBRTtJQUNILE1BQU0sQ0FBQyxHQUFHLElBQUEseUJBQWdCLEVBQUMsSUFBSSxDQUFDLENBQUM7SUFDakMsTUFBTSxLQUFLLEdBQUcsSUFBQSw2QkFBb0IsRUFBQyxTQUFTLENBQUMsQ0FBQztJQUU5QyxPQUFPLE9BQU8sQ0FBQyxrQkFBa0IsQ0FBQztRQUNoQyxtQkFBbUIsRUFBRSxDQUFDO1FBQ3RCLGlCQUFpQixFQUFFLEtBQUs7S0FDekIsQ0FBQyxDQUFDO0FBQ0wsQ0FBQyxDQUFDO0FBZFcsUUFBQSxvQkFBb0Isd0JBYy9CIn0=

package/VNet/IpAddress.d.ts

@@ -0,0 +1,17 @@
+import * as network from '@pulumi/azure-native/network';
+import { Input } from '@pulumi/pulumi';
+import { BasicResourceArgs } from '../types';
+interface Props extends BasicResourceArgs {
+    version?: network.IPVersion;
+    publicIPPrefix?: network.PublicIPPrefix;
+    enableDdos?: boolean;
+    ddosCustomPolicyId?: Input<string>;
+    allocationMethod?: network.IPAllocationMethod;
+    sku?: {
+        name?: network.PublicIPAddressSkuName;
+        tier?: network.PublicIPAddressSkuTier;
+    };
+    lock?: boolean;
+}
+declare const _default: ({ name, group, version, publicIPPrefix, enableDdos, ddosCustomPolicyId, allocationMethod, sku, lock, }: Props) => import("@pulumi/azure-native/network/publicIPAddress").PublicIPAddress;
+export default _default;

package/VNet/IpAddress.js

@@ -0,0 +1,38 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const network = require("@pulumi/azure-native/network");
+const AzureEnv_1 = require("../Common/AzureEnv");
+const Naming_1 = require("../Common/Naming");
+const Locker_1 = require("../Core/Locker");
+const StackEnv_1 = require("../Common/StackEnv");
+const getIpName = (name) => (0, Naming_1.getIpAddressName)(name);
+exports.default = ({ name, group, version = network.IPVersion.IPv4, publicIPPrefix, enableDdos, ddosCustomPolicyId, allocationMethod = network.IPAllocationMethod.Static, sku = {
+    name: network.PublicIPAddressSkuName.Basic,
+    tier: network.PublicIPAddressSkuTier.Regional,
+}, lock = true, }) => {
+    name = getIpName(name);
+    const ipAddress = new network.PublicIPAddress(name, {
+        publicIpAddressName: name,
+        ...group,
+        dnsSettings: { domainNameLabel: `${name}-${StackEnv_1.organization}` },
+        publicIPAddressVersion: version,
+        publicIPAllocationMethod: allocationMethod,
+        publicIPPrefix: publicIPPrefix ? { id: publicIPPrefix.id } : undefined,
+        ddosSettings: enableDdos &&
+            ddosCustomPolicyId &&
+            sku.name === network.PublicIPAddressSkuName.Standard
+            ? {
+                protectionMode: enableDdos ? 'Enabled' : 'Disabled',
+                ddosProtectionPlan: { id: ddosCustomPolicyId },
+            }
+            : undefined,
+        sku,
+        zones: AzureEnv_1.isPrd ? ['1', '2', '3'] : undefined,
+        tags: AzureEnv_1.defaultTags,
+    }, { dependsOn: publicIPPrefix });
+    if (lock) {
+        (0, Locker_1.default)({ name, resourceId: ipAddress.id, dependsOn: ipAddress });
+    }
+    return ipAddress;
+};
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiSXBBZGRyZXNzLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vc3JjL1ZOZXQvSXBBZGRyZXNzLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiI7O0FBQUEsd0RBQXdEO0FBS3hELGlEQUF3RDtBQUN4RCw2Q0FBb0Q7QUFDcEQsMkNBQW9DO0FBQ3BDLGlEQUFrRDtBQWVsRCxNQUFNLFNBQVMsR0FBRyxDQUFDLElBQVksRUFBRSxFQUFFLENBQUMsSUFBQSx5QkFBZ0IsRUFBQyxJQUFJLENBQUMsQ0FBQztBQUUzRCxrQkFBZSxDQUFDLEVBQ2QsSUFBSSxFQUNKLEtBQUssRUFDTCxPQUFPLEdBQUcsT0FBTyxDQUFDLFNBQVMsQ0FBQyxJQUFJLEVBQ2hDLGNBQWMsRUFDZCxVQUFVLEVBQ1Ysa0JBQWtCLEVBQ2xCLGdCQUFnQixHQUFHLE9BQU8sQ0FBQyxrQkFBa0IsQ0FBQyxNQUFNLEVBQ3BELEdBQUcsR0FBRztJQUNKLElBQUksRUFBRSxPQUFPLENBQUMsc0JBQXNCLENBQUMsS0FBSztJQUMxQyxJQUFJLEVBQUUsT0FBTyxDQUFDLHNCQUFzQixDQUFDLFFBQVE7Q0FDOUMsRUFDRCxJQUFJLEdBQUcsSUFBSSxHQUNMLEVBQUUsRUFBRTtJQUNWLElBQUksR0FBRyxTQUFTLENBQUMsSUFBSSxDQUFDLENBQUM7SUFFdkIsTUFBTSxTQUFTLEdBQUcsSUFBSSxPQUFPLENBQUMsZUFBZSxDQUMzQyxJQUFJLEVBQ0o7UUFDRSxtQkFBbUIsRUFBRSxJQUFJO1FBQ3pCLEdBQUcsS0FBSztRQUNSLFdBQVcsRUFBRSxFQUFFLGVBQWUsRUFBRSxHQUFHLElBQUksSUFBSSx1QkFBWSxFQUFFLEVBQUU7UUFDM0Qsc0JBQXNCLEVBQUUsT0FBTztRQUMvQix3QkFBd0IsRUFBRSxnQkFBZ0I7UUFDMUMsY0FBYyxFQUFFLGNBQWMsQ0FBQyxDQUFDLENBQUMsRUFBRSxFQUFFLEVBQUUsY0FBYyxDQUFDLEVBQUUsRUFBRSxDQUFDLENBQUMsQ0FBQyxTQUFTO1FBQ3RFLFlBQVksRUFDVixVQUFVO1lBQ1Ysa0JBQWtCO1lBQ2xCLEdBQUcsQ0FBQyxJQUFJLEtBQUssT0FBTyxDQUFDLHNCQUFzQixDQUFDLFFBQVE7WUFDbEQsQ0FBQyxDQUFDO2dCQUNFLGNBQWMsRUFBRSxVQUFVLENBQUMsQ0FBQyxDQUFDLFNBQVMsQ0FBQyxDQUFDLENBQUMsVUFBVTtnQkFDbkQsa0JBQWtCLEVBQUUsRUFBRSxFQUFFLEVBQUUsa0JBQWtCLEVBQUU7YUFDL0M7WUFDSCxDQUFDLENBQUMsU0FBUztRQUNmLEdBQUc7UUFDSCxLQUFLLEVBQUUsZ0JBQUssQ0FBQyxDQUFDLENBQUMsQ0FBQyxHQUFHLEVBQUUsR0FBRyxFQUFFLEdBQUcsQ0FBQyxDQUFDLENBQUMsQ0FBQyxTQUFTO1FBQzFDLElBQUksRUFBRSxzQkFBVztLQUNsQixFQUNELEVBQUUsU0FBUyxFQUFFLGNBQWMsRUFBRSxDQUM5QixDQUFDO0lBRUYsSUFBSSxJQUFJLEVBQUUsQ0FBQztRQUNULElBQUEsZ0JBQU0sRUFBQyxFQUFFLElBQUksRUFBRSxVQUFVLEVBQUUsU0FBUyxDQUFDLEVBQUUsRUFBRSxTQUFTLEVBQUUsU0FBUyxFQUFFLENBQUMsQ0FBQztJQUNuRSxDQUFDO0lBRUQsT0FBTyxTQUFTLENBQUM7QUFDbkIsQ0FBQyxDQUFDIn0=

package/VNet/IpAddressPrefix.d.ts

@@ -0,0 +1,22 @@
+import * as network from '@pulumi/azure-native/network';
+import { Input } from '@pulumi/pulumi';
+import { BasicResourceArgs } from '../types';
+type AddressNameType = Array<{
+    name: string;
+}>;
+interface Props extends BasicResourceArgs {
+    prefixLength: number;
+    config?: {
+        version?: network.IPVersion;
+        enableDdos?: boolean;
+        ddosCustomPolicyId?: Input<string>;
+        allocationMethod?: network.IPAllocationMethod;
+    };
+    ipAddresses: AddressNameType;
+    lock?: boolean;
+}
+declare const _default: ({ name, group, prefixLength, ipAddresses, config, lock, }: Props) => {
+    addressPrefix: import("@pulumi/azure-native/network/publicIPPrefix").PublicIPPrefix;
+    addresses: Record<string, import("@pulumi/azure-native/network/publicIPAddress").PublicIPAddress>;
+};
+export default _default;

package/VNet/IpAddressPrefix.js

@@ -0,0 +1,42 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const network = require("@pulumi/azure-native/network");
+const Naming_1 = require("../Common/Naming");
+const Locker_1 = require("../Core/Locker");
+const IpAddress_1 = require("./IpAddress");
+exports.default = ({ name, group, prefixLength, ipAddresses, config = {
+    version: network.IPVersion.IPv4,
+    allocationMethod: network.IPAllocationMethod.Static,
+}, lock, }) => {
+    const n = (0, Naming_1.getIpAddressPrefixName)(name);
+    const addressPrefix = new network.PublicIPPrefix(n, {
+        publicIpPrefixName: n,
+        ...group,
+        prefixLength: prefixLength,
+        sku: { name: 'Standard', tier: 'Regional' },
+    });
+    if (lock) {
+        (0, Locker_1.default)({
+            name,
+            resourceId: addressPrefix.id,
+            dependsOn: addressPrefix,
+        });
+    }
+    const addresses = {};
+    if (ipAddresses) {
+        ipAddresses.forEach((ip, i) => {
+            const n = ip.name ?? `${name}-${i}`;
+            const item = (0, IpAddress_1.default)({
+                ...config,
+                name: n,
+                group,
+                publicIPPrefix: addressPrefix,
+                sku: { name: 'Standard', tier: 'Regional' },
+                lock,
+            });
+            addresses[n] = item;
+        });
+    }
+    return { addressPrefix, addresses };
+};
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiSXBBZGRyZXNzUHJlZml4LmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vc3JjL1ZOZXQvSXBBZGRyZXNzUHJlZml4LnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiI7O0FBQUEsd0RBQXdEO0FBRXhELDZDQUEwRDtBQUMxRCwyQ0FBb0M7QUFFcEMsMkNBQW9DO0FBa0JwQyxrQkFBZSxDQUFDLEVBQ2QsSUFBSSxFQUNKLEtBQUssRUFDTCxZQUFZLEVBQ1osV0FBVyxFQUNYLE1BQU0sR0FBRztJQUNQLE9BQU8sRUFBRSxPQUFPLENBQUMsU0FBUyxDQUFDLElBQUk7SUFDL0IsZ0JBQWdCLEVBQUUsT0FBTyxDQUFDLGtCQUFrQixDQUFDLE1BQU07Q0FDcEQsRUFDRCxJQUFJLEdBQ0UsRUFBRSxFQUFFO0lBQ1YsTUFBTSxDQUFDLEdBQUcsSUFBQSwrQkFBc0IsRUFBQyxJQUFJLENBQUMsQ0FBQztJQUV2QyxNQUFNLGFBQWEsR0FBRyxJQUFJLE9BQU8sQ0FBQyxjQUFjLENBQUMsQ0FBQyxFQUFFO1FBQ2xELGtCQUFrQixFQUFFLENBQUM7UUFDckIsR0FBRyxLQUFLO1FBQ1IsWUFBWSxFQUFFLFlBQVk7UUFDMUIsR0FBRyxFQUFFLEVBQUUsSUFBSSxFQUFFLFVBQVUsRUFBRSxJQUFJLEVBQUUsVUFBVSxFQUFFO0tBQzVDLENBQUMsQ0FBQztJQUVILElBQUksSUFBSSxFQUFFLENBQUM7UUFDVCxJQUFBLGdCQUFNLEVBQUM7WUFDTCxJQUFJO1lBQ0osVUFBVSxFQUFFLGFBQWEsQ0FBQyxFQUFFO1lBQzVCLFNBQVMsRUFBRSxhQUFhO1NBQ3pCLENBQUMsQ0FBQztJQUNMLENBQUM7SUFFRCxNQUFNLFNBQVMsR0FBb0MsRUFBRSxDQUFDO0lBRXRELElBQUksV0FBVyxFQUFFLENBQUM7UUFDaEIsV0FBVyxDQUFDLE9BQU8sQ0FBQyxDQUFDLEVBQUUsRUFBRSxDQUFDLEVBQUUsRUFBRTtZQUM1QixNQUFNLENBQUMsR0FBRyxFQUFFLENBQUMsSUFBSSxJQUFJLEdBQUcsSUFBSSxJQUFJLENBQUMsRUFBRSxDQUFDO1lBRXBDLE1BQU0sSUFBSSxHQUFHLElBQUEsbUJBQVMsRUFBQztnQkFDckIsR0FBRyxNQUFNO2dCQUNULElBQUksRUFBRSxDQUFDO2dCQUNQLEtBQUs7Z0JBQ0wsY0FBYyxFQUFFLGFBQWE7Z0JBQzdCLEdBQUcsRUFBRSxFQUFFLElBQUksRUFBRSxVQUFVLEVBQUUsSUFBSSxFQUFFLFVBQVUsRUFBRTtnQkFDM0MsSUFBSTthQUNMLENBQUMsQ0FBQztZQUVILFNBQVMsQ0FBQyxDQUFDLENBQUMsR0FBRyxJQUFJLENBQUM7UUFDdEIsQ0FBQyxDQUFDLENBQUM7SUFDTCxDQUFDO0lBRUQsT0FBTyxFQUFFLGFBQWEsRUFBRSxTQUFTLEVBQUUsQ0FBQztBQUN0QyxDQUFDLENBQUMifQ==

package/VNet/NSGRules/AzADService.d.ts

@@ -0,0 +1,10 @@
+import { Input, Output, Resource } from '@pulumi/pulumi';
+import { ResourceGroupInfo } from '../../types';
+interface Props {
+    startPriority?: number;
+    securityGroupName: Output<string>;
+    group: ResourceGroupInfo;
+    dependsOn?: Input<Input<Resource>[]> | Input<Resource>;
+}
+declare const _default: ({ group, securityGroupName, startPriority, dependsOn, }: Props) => void;
+export default _default;