diff --git a/internal/services/firewall/firewall_policy_resource.go b/internal/services/firewall/firewall_policy_resource.go index dac329f65880..675808375104 100644 --- a/internal/services/firewall/firewall_policy_resource.go +++ b/internal/services/firewall/firewall_policy_resource.go @@ -83,6 +83,7 @@ func resourceFirewallPolicyCreateUpdate(d *pluginsdk.ResourceData, meta interfac IntrusionDetection: expandFirewallPolicyIntrusionDetection(d.Get("intrusion_detection").([]interface{})), TransportSecurity: expandFirewallPolicyTransportSecurity(d.Get("tls_certificate").([]interface{})), Insights: expandFirewallPolicyInsights(d.Get("insights").([]interface{})), + ExplicitProxy: expandFirewallPolicyExplicitProxy(d.Get("explicit_proxy").([]interface{})), }, Identity: expandedIdentity, Location: utils.String(location.Normalize(d.Get("location").(string))), @@ -111,6 +112,15 @@ func resourceFirewallPolicyCreateUpdate(d *pluginsdk.ResourceData, meta interfac } } + if v, ok := d.GetOk("auto_learn_private_ranges_enabled"); ok { + if props.FirewallPolicyPropertiesFormat.Snat == nil { + props.FirewallPolicyPropertiesFormat.Snat = &network.FirewallPolicySNAT{} + } + if v.(bool) { + props.FirewallPolicyPropertiesFormat.Snat.AutoLearnPrivateRanges = network.AutoLearnPrivateRangesModeEnabled + } + } + locks.ByName(id.Name, azureFirewallPolicyResourceName) defer locks.UnlockByName(id.Name, azureFirewallPolicyResourceName) @@ -194,17 +204,28 @@ func resourceFirewallPolicyRead(d *pluginsdk.ResourceData, meta interface{}) err } var privateIPRanges []interface{} + var isAutoLearnPrivateRangeEnabled bool if prop.Snat != nil { privateIPRanges = utils.FlattenStringSlice(prop.Snat.PrivateRanges) + isAutoLearnPrivateRangeEnabled = prop.Snat.AutoLearnPrivateRanges == network.AutoLearnPrivateRangesModeEnabled } if err := d.Set("private_ip_ranges", privateIPRanges); err != nil { return fmt.Errorf("setting `private_ip_ranges`: %+v", err) } + if err := d.Set("auto_learn_private_ranges_enabled", isAutoLearnPrivateRangeEnabled); err != nil { + return fmt.Errorf("setting `auto_learn_private_ranges_enabled`: %+v", err) + } + if err := d.Set("insights", flattenFirewallPolicyInsights(prop.Insights)); err != nil { return fmt.Errorf(`setting "insights": %+v`, err) } + proxySettings := flattenFirewallPolicyExplicitProxy(prop.ExplicitProxy) + if err := d.Set("explicit_proxy", proxySettings); err != nil { + return fmt.Errorf("setting `explicit_proxy`: %+v", err) + } + if prop.SQL != nil && prop.SQL.AllowSQLRedirect != nil { if err := d.Set("sql_redirect_allowed", prop.SQL.AllowSQLRedirect); err != nil { return fmt.Errorf("setting `sql_redirect_allowed`: %+v", err) @@ -381,6 +402,31 @@ func expandFirewallPolicyInsights(input []interface{}) *network.FirewallPolicyIn return output } +func expandFirewallPolicyExplicitProxy(input []interface{}) *network.ExplicitProxy { + if len(input) == 0 || input[0] == nil { + return nil + } + + raw := input[0].(map[string]interface{}) + if raw == nil { + return nil + } + + output := &network.ExplicitProxy{ + EnableExplicitProxy: utils.Bool(raw["enabled"].(bool)), + HTTPPort: utils.Int32(int32(raw["http_port"].(int))), + HTTPSPort: utils.Int32(int32(raw["https_port"].(int))), + PacFilePort: utils.Int32(int32(raw["pac_file_port"].(int))), + PacFile: utils.String(raw["pac_file"].(string)), + } + + if val, ok := raw["enable_pac_file"]; ok { + output.EnablePacFile = utils.Bool(val.(bool)) + } + + return output +} + func expandFirewallPolicyLogAnalyticsResources(defaultWorkspaceId string, workspaces []interface{}) *network.FirewallPolicyLogAnalyticsResources { output := &network.FirewallPolicyLogAnalyticsResources{ DefaultWorkspaceID: &network.SubResource{ @@ -589,6 +635,21 @@ func flattenFirewallPolicyInsights(input *network.FirewallPolicyInsights) []inte } } +func flattenFirewallPolicyExplicitProxy(input *network.ExplicitProxy) (result []interface{}) { + if input == nil { + return + } + output := map[string]interface{}{ + "enabled": input.EnableExplicitProxy, + "http_port": input.HTTPPort, + "https_port": input.HTTPSPort, + "enable_pac_file": input.EnablePacFile, + "pac_file_port": input.PacFilePort, + "pac_file": input.PacFile, + } + return []interface{}{output} +} + func flattenFirewallPolicyLogAnalyticsResources(input *network.FirewallPolicyLogAnalyticsResources) (string, []interface{}) { if input == nil { return "", []interface{}{} @@ -883,6 +944,44 @@ func resourceFirewallPolicySchema() map[string]*pluginsdk.Schema { }, }, + "explicit_proxy": { + Type: pluginsdk.TypeList, + Optional: true, + MaxItems: 1, + Elem: &pluginsdk.Resource{ + Schema: map[string]*schema.Schema{ + "enabled": { + Type: pluginsdk.TypeBool, + Optional: true, + }, + "http_port": { + Type: pluginsdk.TypeInt, + Optional: true, + ValidateFunc: validation.IntBetween(0, 35536), + }, + "https_port": { + Type: pluginsdk.TypeInt, + Optional: true, + ValidateFunc: validation.IntBetween(0, 35536), + }, + "enable_pac_file": { + Type: pluginsdk.TypeBool, + Optional: true, + }, + "pac_file_port": { + Type: pluginsdk.TypeInt, + Optional: true, + ValidateFunc: validation.IntBetween(0, 35536), + }, + "pac_file": { + Type: pluginsdk.TypeString, + Optional: true, + ValidateFunc: validation.StringIsNotEmpty, + }, + }, + }, + }, + "sql_redirect_allowed": { Type: pluginsdk.TypeBool, Optional: true, @@ -925,6 +1024,11 @@ func resourceFirewallPolicySchema() map[string]*pluginsdk.Schema { }, }, + "auto_learn_private_ranges_enabled": { + Type: pluginsdk.TypeBool, + Optional: true, + }, + "tags": tags.Schema(), } } diff --git a/internal/services/firewall/firewall_policy_resource_test.go b/internal/services/firewall/firewall_policy_resource_test.go index a5cb552b3fc3..3d2003db82e3 100644 --- a/internal/services/firewall/firewall_policy_resource_test.go +++ b/internal/services/firewall/firewall_policy_resource_test.go @@ -248,6 +248,15 @@ resource "azurerm_firewall_policy" "test" { ip_addresses = ["1.1.1.1", "2.2.2.2", "10.0.0.0/16"] fqdns = ["foo.com", "bar.com"] } + explicit_proxy { + enabled = true + http_port = 8087 + https_port = 8088 + enable_pac_file = true + pac_file_port = 8089 + pac_file = "https://tinawstorage.file.core.windows.net/?sv=2020-02-10&ss=bfqt&srt=sco&sp=rwdlacuptfx&se=2021-06-04T07:01:12Z&st=2021-06-03T23:01:12Z&sip=68.65.171.11&spr=https&sig=Plsa0RRVpGbY0IETZZOT6znOHcSro71LLTTbzquYPgs%%3D" + } + auto_learn_private_ranges_enabled = true dns { servers = ["1.1.1.1", "3.3.3.3", "2.2.2.2"] proxy_enabled = true @@ -274,6 +283,15 @@ resource "azurerm_firewall_policy" "test" { ip_addresses = ["1.1.1.1", "2.2.2.2", "10.0.0.0/16"] fqdns = ["foo.com", "bar.com"] } + explicit_proxy { + enabled = true + http_port = 8087 + https_port = 8088 + enable_pac_file = true + pac_file_port = 8089 + pac_file = "https://tinawstorage.file.core.windows.net/?sv=2020-02-10&ss=bfqt&srt=sco&sp=rwdlacuptfx&se=2021-06-04T07:01:12Z&st=2021-06-03T23:01:12Z&sip=68.65.171.11&spr=https&sig=Plsa0RRVpGbY0IETZZOT6znOHcSro71LLTTbzquYPgs%%3D" + } + auto_learn_private_ranges_enabled = true dns { servers = ["1.1.1.1", "2.2.2.2"] proxy_enabled = true diff --git a/website/docs/r/firewall_policy.html.markdown b/website/docs/r/firewall_policy.html.markdown index 738c69f175bd..9f3730f0d6c3 100644 --- a/website/docs/r/firewall_policy.html.markdown +++ b/website/docs/r/firewall_policy.html.markdown @@ -49,6 +49,8 @@ The following arguments are supported: * `private_ip_ranges` - (Optional) A list of private IP ranges to which traffic will not be SNAT. +* `auto_learn_private_ranges_enabled` - (Optional) Whether enable auto learn private ip range. Defaults to `false`. + * `sku` - (Optional) The SKU Tier of the Firewall Policy. Possible values are `Standard`, `Premium` and `Basic`. Changing this forces a new Firewall Policy to be created. * `tags` - (Optional) A mapping of tags which should be assigned to the Firewall Policy. @@ -61,6 +63,8 @@ The following arguments are supported: * `sql_redirect_allowed` - (Optional) Whether SQL Redirect traffic filtering is allowed. Enabling this flag requires no rule using ports between `11000`-`11999`. +* `explicit_proxy` - (Optional) A `explicit_proxy` block as defined below. + --- A `dns` block supports the following: @@ -153,6 +157,22 @@ A `traffic_bypass` block supports the following: * `source_ip_groups` - (Optional) Specifies a list of source IP groups that shall be bypassed by intrusion detection. +--- + +A `explicit_proxy` block supports the following: + +* `enabled` (Optional) Whether the explicit proxy is enabled for this Firewall Policy. + +* `http_port` (Optional) The port number for explicit http protocol. + +* `https_port` (Optional) The port number for explicit proxy https protocol. + +* `enable_pac_file` (Optional) Whether the pac file port and url need to be provided. + +* `pac_file_port` (Optional) Specifies a port number for firewall to serve PAC file. + +* `pac_file` (Optional) Specifies a SAS URL for PAC file. + ## Attributes Reference In addition to the Arguments listed above - the following Attributes are exported: