azurerm_firewall_policy - support for explicit_proxy and `auto_le…

…arn_private_ranges_mode` properties (#19313)
hashicorp · Dec 5, 2022 · 23411a2 · 23411a2
1 parent 2c83384
commit 23411a2
Show file tree

Hide file tree

Showing 3 changed files with 142 additions and 0 deletions.
diff --git a/internal/services/firewall/firewall_policy_resource.go b/internal/services/firewall/firewall_policy_resource.go
@@ -83,6 +83,7 @@ func resourceFirewallPolicyCreateUpdate(d *pluginsdk.ResourceData, meta interfac
 			IntrusionDetection:   expandFirewallPolicyIntrusionDetection(d.Get("intrusion_detection").([]interface{})),
 			TransportSecurity:    expandFirewallPolicyTransportSecurity(d.Get("tls_certificate").([]interface{})),
 			Insights:             expandFirewallPolicyInsights(d.Get("insights").([]interface{})),
+			ExplicitProxy:        expandFirewallPolicyExplicitProxy(d.Get("explicit_proxy").([]interface{})),
 		},
 		Identity: expandedIdentity,
 		Location: utils.String(location.Normalize(d.Get("location").(string))),
@@ -111,6 +112,15 @@ func resourceFirewallPolicyCreateUpdate(d *pluginsdk.ResourceData, meta interfac
 		}
 	}
 
+	if v, ok := d.GetOk("auto_learn_private_ranges_enabled"); ok {
+		if props.FirewallPolicyPropertiesFormat.Snat == nil {
+			props.FirewallPolicyPropertiesFormat.Snat = &network.FirewallPolicySNAT{}
+		}
+		if v.(bool) {
+			props.FirewallPolicyPropertiesFormat.Snat.AutoLearnPrivateRanges = network.AutoLearnPrivateRangesModeEnabled
+		}
+	}
+
 	locks.ByName(id.Name, azureFirewallPolicyResourceName)
 	defer locks.UnlockByName(id.Name, azureFirewallPolicyResourceName)
 
@@ -194,17 +204,28 @@ func resourceFirewallPolicyRead(d *pluginsdk.ResourceData, meta interface{}) err
 		}
 
 		var privateIPRanges []interface{}
+		var isAutoLearnPrivateRangeEnabled bool
 		if prop.Snat != nil {
 			privateIPRanges = utils.FlattenStringSlice(prop.Snat.PrivateRanges)
+			isAutoLearnPrivateRangeEnabled = prop.Snat.AutoLearnPrivateRanges == network.AutoLearnPrivateRangesModeEnabled
 		}
 		if err := d.Set("private_ip_ranges", privateIPRanges); err != nil {
 			return fmt.Errorf("setting `private_ip_ranges`: %+v", err)
 		}
 
+		if err := d.Set("auto_learn_private_ranges_enabled", isAutoLearnPrivateRangeEnabled); err != nil {
+			return fmt.Errorf("setting `auto_learn_private_ranges_enabled`: %+v", err)
+		}
+
 		if err := d.Set("insights", flattenFirewallPolicyInsights(prop.Insights)); err != nil {
 			return fmt.Errorf(`setting "insights": %+v`, err)
 		}
 
+		proxySettings := flattenFirewallPolicyExplicitProxy(prop.ExplicitProxy)
+		if err := d.Set("explicit_proxy", proxySettings); err != nil {
+			return fmt.Errorf("setting `explicit_proxy`: %+v", err)
+		}
+
 		if prop.SQL != nil && prop.SQL.AllowSQLRedirect != nil {
 			if err := d.Set("sql_redirect_allowed", prop.SQL.AllowSQLRedirect); err != nil {
 				return fmt.Errorf("setting `sql_redirect_allowed`: %+v", err)
@@ -381,6 +402,31 @@ func expandFirewallPolicyInsights(input []interface{}) *network.FirewallPolicyIn
 	return output
 }
 
+func expandFirewallPolicyExplicitProxy(input []interface{}) *network.ExplicitProxy {
+	if len(input) == 0 || input[0] == nil {
+		return nil
+	}
+
+	raw := input[0].(map[string]interface{})
+	if raw == nil {
+		return nil
+	}
+
+	output := &network.ExplicitProxy{
+		EnableExplicitProxy: utils.Bool(raw["enabled"].(bool)),
+		HTTPPort:            utils.Int32(int32(raw["http_port"].(int))),
+		HTTPSPort:           utils.Int32(int32(raw["https_port"].(int))),
+		PacFilePort:         utils.Int32(int32(raw["pac_file_port"].(int))),
+		PacFile:             utils.String(raw["pac_file"].(string)),
+	}
+
+	if val, ok := raw["enable_pac_file"]; ok {
+		output.EnablePacFile = utils.Bool(val.(bool))
+	}
+
+	return output
+}
+
 func expandFirewallPolicyLogAnalyticsResources(defaultWorkspaceId string, workspaces []interface{}) *network.FirewallPolicyLogAnalyticsResources {
 	output := &network.FirewallPolicyLogAnalyticsResources{
 		DefaultWorkspaceID: &network.SubResource{
@@ -589,6 +635,21 @@ func flattenFirewallPolicyInsights(input *network.FirewallPolicyInsights) []inte
 	}
 }
 
+func flattenFirewallPolicyExplicitProxy(input *network.ExplicitProxy) (result []interface{}) {
+	if input == nil {
+		return
+	}
+	output := map[string]interface{}{
+		"enabled":         input.EnableExplicitProxy,
+		"http_port":       input.HTTPPort,
+		"https_port":      input.HTTPSPort,
+		"enable_pac_file": input.EnablePacFile,
+		"pac_file_port":   input.PacFilePort,
+		"pac_file":        input.PacFile,
+	}
+	return []interface{}{output}
+}
+
 func flattenFirewallPolicyLogAnalyticsResources(input *network.FirewallPolicyLogAnalyticsResources) (string, []interface{}) {
 	if input == nil {
 		return "", []interface{}{}
@@ -883,6 +944,44 @@ func resourceFirewallPolicySchema() map[string]*pluginsdk.Schema {
 			},
 		},
 
+		"explicit_proxy": {
+			Type:     pluginsdk.TypeList,
+			Optional: true,
+			MaxItems: 1,
+			Elem: &pluginsdk.Resource{
+				Schema: map[string]*schema.Schema{
+					"enabled": {
+						Type:     pluginsdk.TypeBool,
+						Optional: true,
+					},
+					"http_port": {
+						Type:         pluginsdk.TypeInt,
+						Optional:     true,
+						ValidateFunc: validation.IntBetween(0, 35536),
+					},
+					"https_port": {
+						Type:         pluginsdk.TypeInt,
+						Optional:     true,
+						ValidateFunc: validation.IntBetween(0, 35536),
+					},
+					"enable_pac_file": {
+						Type:     pluginsdk.TypeBool,
+						Optional: true,
+					},
+					"pac_file_port": {
+						Type:         pluginsdk.TypeInt,
+						Optional:     true,
+						ValidateFunc: validation.IntBetween(0, 35536),
+					},
+					"pac_file": {
+						Type:         pluginsdk.TypeString,
+						Optional:     true,
+						ValidateFunc: validation.StringIsNotEmpty,
+					},
+				},
+			},
+		},
+
 		"sql_redirect_allowed": {
 			Type:     pluginsdk.TypeBool,
 			Optional: true,
@@ -925,6 +1024,11 @@ func resourceFirewallPolicySchema() map[string]*pluginsdk.Schema {
 			},
 		},
 
+		"auto_learn_private_ranges_enabled": {
+			Type:     pluginsdk.TypeBool,
+			Optional: true,
+		},
+
 		"tags": tags.Schema(),
 	}
 }
diff --git a/internal/services/firewall/firewall_policy_resource_test.go b/internal/services/firewall/firewall_policy_resource_test.go
@@ -248,6 +248,15 @@ resource "azurerm_firewall_policy" "test" {
     ip_addresses = ["1.1.1.1", "2.2.2.2", "10.0.0.0/16"]
     fqdns        = ["foo.com", "bar.com"]
   }
+  explicit_proxy {
+    enabled         = true
+    http_port       = 8087
+    https_port      = 8088
+    enable_pac_file = true
+    pac_file_port   = 8089
+    pac_file        = "https://tinawstorage.file.core.windows.net/?sv=2020-02-10&ss=bfqt&srt=sco&sp=rwdlacuptfx&se=2021-06-04T07:01:12Z&st=2021-06-03T23:01:12Z&sip=68.65.171.11&spr=https&sig=Plsa0RRVpGbY0IETZZOT6znOHcSro71LLTTbzquYPgs%%3D"
+  }
+  auto_learn_private_ranges_enabled = true
   dns {
     servers       = ["1.1.1.1", "3.3.3.3", "2.2.2.2"]
     proxy_enabled = true
@@ -274,6 +283,15 @@ resource "azurerm_firewall_policy" "test" {
     ip_addresses = ["1.1.1.1", "2.2.2.2", "10.0.0.0/16"]
     fqdns        = ["foo.com", "bar.com"]
   }
+  explicit_proxy {
+    enabled         = true
+    http_port       = 8087
+    https_port      = 8088
+    enable_pac_file = true
+    pac_file_port   = 8089
+    pac_file        = "https://tinawstorage.file.core.windows.net/?sv=2020-02-10&ss=bfqt&srt=sco&sp=rwdlacuptfx&se=2021-06-04T07:01:12Z&st=2021-06-03T23:01:12Z&sip=68.65.171.11&spr=https&sig=Plsa0RRVpGbY0IETZZOT6znOHcSro71LLTTbzquYPgs%%3D"
+  }
+  auto_learn_private_ranges_enabled = true
   dns {
     servers       = ["1.1.1.1", "2.2.2.2"]
     proxy_enabled = true

diff --git a/website/docs/r/firewall_policy.html.markdown b/website/docs/r/firewall_policy.html.markdown
@@ -49,6 +49,8 @@ The following arguments are supported:
 
 * `private_ip_ranges` - (Optional) A list of private IP ranges to which traffic will not be SNAT.
 
+* `auto_learn_private_ranges_enabled` - (Optional) Whether enable auto learn private ip range. Defaults to `false`.
+
 * `sku` - (Optional) The SKU Tier of the Firewall Policy. Possible values are `Standard`, `Premium` and `Basic`. Changing this forces a new Firewall Policy to be created.
 
 * `tags` - (Optional) A mapping of tags which should be assigned to the Firewall Policy.
@@ -61,6 +63,8 @@ The following arguments are supported:
 
 * `sql_redirect_allowed` - (Optional) Whether SQL Redirect traffic filtering is allowed. Enabling this flag requires no rule using ports between `11000`-`11999`.
 
+* `explicit_proxy` - (Optional) A `explicit_proxy` block as defined below.
+
 ---
 
 A `dns` block supports the following:
@@ -153,6 +157,22 @@ A `traffic_bypass` block supports the following:
 
 * `source_ip_groups` - (Optional) Specifies a list of source IP groups that shall be bypassed by intrusion detection.
 
+---
+
+A `explicit_proxy` block supports the following:
+
+* `enabled` (Optional) Whether the explicit proxy is enabled for this Firewall Policy.
+
+* `http_port` (Optional) The port number for explicit http protocol.
+
+* `https_port` (Optional) The port number for explicit proxy https protocol.
+
+* `enable_pac_file` (Optional) Whether the pac file port and url need to be provided.
+
+* `pac_file_port` (Optional) Specifies a port number for firewall to serve PAC file.
+
+* `pac_file` (Optional) Specifies a SAS URL for PAC file.
+
 ## Attributes Reference
 
 In addition to the Arguments listed above - the following Attributes are exported: