merge with main

CHANGELOG.md

@@ -1,18 +1,28 @@
 ## 3.35.0 (Unreleased)
 
+FEATURES:
+
+* **New Resource:** `azurerm_spring_cloud_application_live_view` [GH-19495]
+
 ENHANCEMENTS:
 
 * `lighthouse`: updating to API version `2022-10-01` [GH-19499]
+* `azurerm_firewall_policy` - support for the `explicit_proxy` block and `auto_learn_private_ranges_mode` property [GH-19313]
+* `azurerm_mssql_virtual_machine` - support for the `days_of_week` property [GH-19553]
+* `azurerm_spring_cloud_gateway_route_config` - support for the `filters`, `predicates`, and `sso_validation_enabled` properties [GH-19493]
 
 BUG FIXES:
 
+* `azurerm_app_service_connection` - correctly pass the secret to the service [GH-19519]
 * `azurerm_automation_software_update_configuration` - fix issue where omitting `tags`and `tag_filter` result in an error [GH-19516]
 * `azurerm_automation_source_control` - a state migration to work around the previously incorrect id casing [GH-19506]
 * `azurerm_automation_webhook` - a state migration to work around the previously incorrect id casing [GH-19506]
 * `azurerm_container_registry_webhook` - a  state migration to work around the previously incorrect id casing [GH-19507]
 * `azurerm_frontdoor_rules_engine` - a state migration to work around the previously incorrect id casing [GH-19512]
 * `azurerm_healthcare_*` - a  state migration to work around the previously incorrect id casing [GH-19511]
 * `azurerm_iothub_x` - a  state migration to work around the previously incorrect id casing [GH-19524]
+* `azurerm_key_vault` - allow for keyvaults in two different subscriptions [GH-19531]
+* `azurerm_lb` - adding/removing a frontend configuration will no longer force recreation a new resource to be created [GH-19548]
 * `azurerm_kusto_*` - a  state migration to work around the previously incorrect id casing [GH-19525]
 * `azurerm_monitor_smart_detector_alert_rule` - a  state migration to work around the previously incorrect id casing [GH-19513]
 

examples/cdn/frontdoor/frontdoor-cmk-byoc-custom-domain/README.md

@@ -30,11 +30,11 @@ For this example you will need to look up the object IDs of the Frontdoor servic
 
 * From the left hand menu select `Azure Active Directory`.
 
-* In the search filter box, near the top of the page, type `Microsoft.AzureFrontDoor-Cdn`.
+* In the search filter box, near the top of the page, type `Microsoft.Azure.Cdn`.
 
-* Click on the `Microsoft.AzureFrontDoor-Cdn` entry in the `Enterprise Applications` results view.
+* Click on the `Microsoft.Azure.Cdn` entry in the `Enterprise Applications` results view.
 
-* This will open the `Enterprise Applications Properties`, copy the `Object ID` and paste it into the examples `main.tf` file where is says `<- Object Id for the Microsoft.AzureFrontDoor-Cdn Enterprise Application.`.
+* This will open the `Enterprise Applications Properties`, copy the `Object ID` and paste it into the examples `main.tf` file where is says `<- Object Id for the Microsoft.Azure.Cdn Enterprise Application.`.
 
 Repeat the above steps for all of the object IDs needed for this example.
 
@@ -44,7 +44,7 @@ The following Key Vault permission are granted by this example:
 
 | Object ID                                | Key Permissions | Secret Permissions   | Certificate Permissions                       |
 |:-----------------------------------------|:---------------:|:--------------------:|:---------------------------------------------:|
-| `Microsoft.AzureFrontDoor-Cdn` Object ID | -               | **Get**              | -                                             |
+| `Microsoft.Azure.Cdn` Object ID | -               | **Get**              | -                                             |
 | Your Personal AAD Object ID              | -               | **Get** and **List** | **Get**, **List**, **Purge** and **Recover**  |
 | Terraform Service Principal              | -               | **Get**              | **Get**, **Import**, **Delete** and **Purge** |
 

examples/cdn/frontdoor/frontdoor-cmk-byoc-custom-domain/main.tf

@@ -23,10 +23,10 @@ resource "azurerm_key_vault" "example" {
     ip_rules       = ["10.0.1.0/24"] # <- this should be the CIDR for your clients IP to allow it through the Key Vault Firewall Policy
   }
 
-  # Grant access to the Frontdoor Enterprise Application(e.g. Microsoft.AzureFrontDoor-Cdn) to the Key Vaults Certificates
+  # Grant access to the Frontdoor Enterprise Application(e.g. Microsoft.Azure.Cdn) to the Key Vaults Certificates
   access_policy {
     tenant_id = data.azurerm_client_config.current.tenant_id
-    object_id = "00000000-0000-0000-0000-000000000000" # <- Object Id for the Microsoft.AzureFrontDoor-Cdn Enterprise Application.
+    object_id = "00000000-0000-0000-0000-000000000000" # <- Object Id for the Microsoft.Azure.Cdn Enterprise Application.
 
     secret_permissions = [
       "Get",

internal/provider/services.go

@@ -152,6 +152,7 @@ func SupportedTypedServices() []sdk.TypedServiceRegistration {
 		orbital.Registration{},
 		streamanalytics.Registration{},
 		search.Registration{},
+		springcloud.Registration{},
 		web.Registration{},
 	}
 	services = append(services, autoRegisteredTypedServices()...)

internal/services/apimanagement/api_management_resource.go

@@ -45,6 +45,7 @@ var (
 	apimTlsEcdheRsaWithAes128CbcShaCiphers   = "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"
 	apimTlsRsaWithAes128GcmSha256Ciphers     = "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_GCM_SHA256"
 	apimTlsRsaWithAes256CbcSha256Ciphers     = "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA256"
+	apimTlsRsaWithAes256GcmSha384Ciphers     = "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_GCM_SHA384"
 	apimTlsRsaWithAes128CbcSha256Ciphers     = "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA256"
 	apimTlsRsaWithAes256CbcShaCiphers        = "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA"
 	apimTlsRsaWithAes128CbcShaCiphers        = "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA"
@@ -381,6 +382,11 @@ func resourceApiManagementSchema() map[string]*pluginsdk.Schema {
 						Optional: true,
 						Default:  false,
 					},
+					"tls_rsa_with_aes256_gcm_sha384_ciphers_enabled": {
+						Type:     pluginsdk.TypeBool,
+						Optional: true,
+						Default:  false,
+					},
 					"tls_rsa_with_aes256_cbc_sha_ciphers_enabled": {
 						Type:     pluginsdk.TypeBool,
 						Optional: true,
@@ -1583,6 +1589,7 @@ func expandApiManagementCustomProperties(d *pluginsdk.ResourceData, skuIsConsump
 	tlsEcdheRsaWithAes256CbcShaCiphers := false
 	tlsEcdheRsaWithAes128CbcShaCiphers := false
 	tlsRsaWithAes128GcmSha256Ciphers := false
+	tlsRsaWithAes256GcmSha384Ciphers := false
 	tlsRsaWithAes256CbcSha256Ciphers := false
 	tlsRsaWithAes128CbcSha256Ciphers := false
 	tlsRsaWithAes256CbcShaCiphers := false
@@ -1606,6 +1613,7 @@ func expandApiManagementCustomProperties(d *pluginsdk.ResourceData, skuIsConsump
 		tlsEcdheRsaWithAes256CbcShaCiphers = v["tls_ecdhe_rsa_with_aes256_cbc_sha_ciphers_enabled"].(bool)
 		tlsEcdheRsaWithAes128CbcShaCiphers = v["tls_ecdhe_rsa_with_aes128_cbc_sha_ciphers_enabled"].(bool)
 		tlsRsaWithAes128GcmSha256Ciphers = v["tls_rsa_with_aes128_gcm_sha256_ciphers_enabled"].(bool)
+		tlsRsaWithAes256GcmSha384Ciphers = v["tls_rsa_with_aes256_gcm_sha384_ciphers_enabled"].(bool)
 		tlsRsaWithAes256CbcSha256Ciphers = v["tls_rsa_with_aes256_cbc_sha256_ciphers_enabled"].(bool)
 		tlsRsaWithAes128CbcSha256Ciphers = v["tls_rsa_with_aes128_cbc_sha256_ciphers_enabled"].(bool)
 		tlsRsaWithAes256CbcShaCiphers = v["tls_rsa_with_aes256_cbc_sha_ciphers_enabled"].(bool)
@@ -1672,6 +1680,7 @@ func expandApiManagementCustomProperties(d *pluginsdk.ResourceData, skuIsConsump
 		customProperties[apimTlsEcdheRsaWithAes256CbcShaCiphers] = utils.String(strconv.FormatBool(tlsEcdheRsaWithAes256CbcShaCiphers))
 		customProperties[apimTlsEcdheRsaWithAes128CbcShaCiphers] = utils.String(strconv.FormatBool(tlsEcdheRsaWithAes128CbcShaCiphers))
 		customProperties[apimTlsRsaWithAes128GcmSha256Ciphers] = utils.String(strconv.FormatBool(tlsRsaWithAes128GcmSha256Ciphers))
+		customProperties[apimTlsRsaWithAes256GcmSha384Ciphers] = utils.String(strconv.FormatBool(tlsRsaWithAes256GcmSha384Ciphers))
 		customProperties[apimTlsRsaWithAes256CbcSha256Ciphers] = utils.String(strconv.FormatBool(tlsRsaWithAes256CbcSha256Ciphers))
 		customProperties[apimTlsRsaWithAes128CbcSha256Ciphers] = utils.String(strconv.FormatBool(tlsRsaWithAes128CbcSha256Ciphers))
 		customProperties[apimTlsRsaWithAes256CbcShaCiphers] = utils.String(strconv.FormatBool(tlsRsaWithAes256CbcShaCiphers))
@@ -1717,6 +1726,7 @@ func flattenApiManagementSecurityCustomProperties(input map[string]*string, skuI
 		output["tls_ecdhe_ecdsa_with_aes128_cbc_sha_ciphers_enabled"] = parseApiManagementNilableDictionary(input, apimTlsEcdheEcdsaWithAes128CbcShaCiphers)
 		output["tls_ecdhe_rsa_with_aes256_cbc_sha_ciphers_enabled"] = parseApiManagementNilableDictionary(input, apimTlsEcdheRsaWithAes256CbcShaCiphers)
 		output["tls_ecdhe_rsa_with_aes128_cbc_sha_ciphers_enabled"] = parseApiManagementNilableDictionary(input, apimTlsEcdheRsaWithAes128CbcShaCiphers)
+		output["tls_rsa_with_aes256_gcm_sha384_ciphers_enabled"] = parseApiManagementNilableDictionary(input, apimTlsRsaWithAes256GcmSha384Ciphers)
 		output["tls_rsa_with_aes128_gcm_sha256_ciphers_enabled"] = parseApiManagementNilableDictionary(input, apimTlsRsaWithAes128GcmSha256Ciphers)
 		output["tls_rsa_with_aes256_cbc_sha256_ciphers_enabled"] = parseApiManagementNilableDictionary(input, apimTlsRsaWithAes256CbcSha256Ciphers)
 		output["tls_rsa_with_aes128_cbc_sha256_ciphers_enabled"] = parseApiManagementNilableDictionary(input, apimTlsRsaWithAes128CbcSha256Ciphers)

internal/services/appservice/helpers/web_app_schema.go

@@ -3821,6 +3821,9 @@ func FlattenAppSettings(input web.StringDictionary) (map[string]string, *int) {
 		"WEBSITE_HTTPLOGGING_CONTAINER_URL",
 		"WEBSITE_HTTPLOGGING_RETENTION_DAYS",
 		"WEBSITE_VNET_ROUTE_ALL",
+		"spring.datasource.password",
+		"spring.datasource.url",
+		"spring.datasource.username",
 		maxPingFailures,
 	}
 

internal/services/cdn/cdn_endpoint_custom_domain_resource_test.go

@@ -292,7 +292,7 @@ data "azurerm_client_config" "test" {
 }
 
 data "azuread_service_principal" "test" {
-  display_name = "Microsoft.AzureFrontDoor-Cdn"
+  display_name = "Microsoft.Azure.Cdn"
 }
 
 resource "azurerm_key_vault" "test" {

internal/services/firewall/firewall_policy_resource.go

@@ -83,6 +83,7 @@ func resourceFirewallPolicyCreateUpdate(d *pluginsdk.ResourceData, meta interfac
 			IntrusionDetection:   expandFirewallPolicyIntrusionDetection(d.Get("intrusion_detection").([]interface{})),
 			TransportSecurity:    expandFirewallPolicyTransportSecurity(d.Get("tls_certificate").([]interface{})),
 			Insights:             expandFirewallPolicyInsights(d.Get("insights").([]interface{})),
+			ExplicitProxy:        expandFirewallPolicyExplicitProxy(d.Get("explicit_proxy").([]interface{})),
 		},
 		Identity: expandedIdentity,
 		Location: utils.String(location.Normalize(d.Get("location").(string))),
@@ -111,6 +112,15 @@ func resourceFirewallPolicyCreateUpdate(d *pluginsdk.ResourceData, meta interfac
 		}
 	}
 
+	if v, ok := d.GetOk("auto_learn_private_ranges_enabled"); ok {
+		if props.FirewallPolicyPropertiesFormat.Snat == nil {
+			props.FirewallPolicyPropertiesFormat.Snat = &network.FirewallPolicySNAT{}
+		}
+		if v.(bool) {
+			props.FirewallPolicyPropertiesFormat.Snat.AutoLearnPrivateRanges = network.AutoLearnPrivateRangesModeEnabled
+		}
+	}
+
 	locks.ByName(id.Name, azureFirewallPolicyResourceName)
 	defer locks.UnlockByName(id.Name, azureFirewallPolicyResourceName)
 
@@ -194,17 +204,28 @@ func resourceFirewallPolicyRead(d *pluginsdk.ResourceData, meta interface{}) err
 		}
 
 		var privateIPRanges []interface{}
+		var isAutoLearnPrivateRangeEnabled bool
 		if prop.Snat != nil {
 			privateIPRanges = utils.FlattenStringSlice(prop.Snat.PrivateRanges)
+			isAutoLearnPrivateRangeEnabled = prop.Snat.AutoLearnPrivateRanges == network.AutoLearnPrivateRangesModeEnabled
 		}
 		if err := d.Set("private_ip_ranges", privateIPRanges); err != nil {
 			return fmt.Errorf("setting `private_ip_ranges`: %+v", err)
 		}
 
+		if err := d.Set("auto_learn_private_ranges_enabled", isAutoLearnPrivateRangeEnabled); err != nil {
+			return fmt.Errorf("setting `auto_learn_private_ranges_enabled`: %+v", err)
+		}
+
 		if err := d.Set("insights", flattenFirewallPolicyInsights(prop.Insights)); err != nil {
 			return fmt.Errorf(`setting "insights": %+v`, err)
 		}
 
+		proxySettings := flattenFirewallPolicyExplicitProxy(prop.ExplicitProxy)
+		if err := d.Set("explicit_proxy", proxySettings); err != nil {
+			return fmt.Errorf("setting `explicit_proxy`: %+v", err)
+		}
+
 		if prop.SQL != nil && prop.SQL.AllowSQLRedirect != nil {
 			if err := d.Set("sql_redirect_allowed", prop.SQL.AllowSQLRedirect); err != nil {
 				return fmt.Errorf("setting `sql_redirect_allowed`: %+v", err)
@@ -381,6 +402,31 @@ func expandFirewallPolicyInsights(input []interface{}) *network.FirewallPolicyIn
 	return output
 }
 
+func expandFirewallPolicyExplicitProxy(input []interface{}) *network.ExplicitProxy {
+	if len(input) == 0 || input[0] == nil {
+		return nil
+	}
+
+	raw := input[0].(map[string]interface{})
+	if raw == nil {
+		return nil
+	}
+
+	output := &network.ExplicitProxy{
+		EnableExplicitProxy: utils.Bool(raw["enabled"].(bool)),
+		HTTPPort:            utils.Int32(int32(raw["http_port"].(int))),
+		HTTPSPort:           utils.Int32(int32(raw["https_port"].(int))),
+		PacFilePort:         utils.Int32(int32(raw["pac_file_port"].(int))),
+		PacFile:             utils.String(raw["pac_file"].(string)),
+	}
+
+	if val, ok := raw["enable_pac_file"]; ok {
+		output.EnablePacFile = utils.Bool(val.(bool))
+	}
+
+	return output
+}
+
 func expandFirewallPolicyLogAnalyticsResources(defaultWorkspaceId string, workspaces []interface{}) *network.FirewallPolicyLogAnalyticsResources {
 	output := &network.FirewallPolicyLogAnalyticsResources{
 		DefaultWorkspaceID: &network.SubResource{
@@ -589,6 +635,21 @@ func flattenFirewallPolicyInsights(input *network.FirewallPolicyInsights) []inte
 	}
 }
 
+func flattenFirewallPolicyExplicitProxy(input *network.ExplicitProxy) (result []interface{}) {
+	if input == nil {
+		return
+	}
+	output := map[string]interface{}{
+		"enabled":         input.EnableExplicitProxy,
+		"http_port":       input.HTTPPort,
+		"https_port":      input.HTTPSPort,
+		"enable_pac_file": input.EnablePacFile,
+		"pac_file_port":   input.PacFilePort,
+		"pac_file":        input.PacFile,
+	}
+	return []interface{}{output}
+}
+
 func flattenFirewallPolicyLogAnalyticsResources(input *network.FirewallPolicyLogAnalyticsResources) (string, []interface{}) {
 	if input == nil {
 		return "", []interface{}{}
@@ -883,6 +944,44 @@ func resourceFirewallPolicySchema() map[string]*pluginsdk.Schema {
 			},
 		},
 
+		"explicit_proxy": {
+			Type:     pluginsdk.TypeList,
+			Optional: true,
+			MaxItems: 1,
+			Elem: &pluginsdk.Resource{
+				Schema: map[string]*schema.Schema{
+					"enabled": {
+						Type:     pluginsdk.TypeBool,
+						Optional: true,
+					},
+					"http_port": {
+						Type:         pluginsdk.TypeInt,
+						Optional:     true,
+						ValidateFunc: validation.IntBetween(0, 35536),
+					},
+					"https_port": {
+						Type:         pluginsdk.TypeInt,
+						Optional:     true,
+						ValidateFunc: validation.IntBetween(0, 35536),
+					},
+					"enable_pac_file": {
+						Type:     pluginsdk.TypeBool,
+						Optional: true,
+					},
+					"pac_file_port": {
+						Type:         pluginsdk.TypeInt,
+						Optional:     true,
+						ValidateFunc: validation.IntBetween(0, 35536),
+					},
+					"pac_file": {
+						Type:         pluginsdk.TypeString,
+						Optional:     true,
+						ValidateFunc: validation.StringIsNotEmpty,
+					},
+				},
+			},
+		},
+
 		"sql_redirect_allowed": {
 			Type:     pluginsdk.TypeBool,
 			Optional: true,
@@ -925,6 +1024,11 @@ func resourceFirewallPolicySchema() map[string]*pluginsdk.Schema {
 			},
 		},
 
+		"auto_learn_private_ranges_enabled": {
+			Type:     pluginsdk.TypeBool,
+			Optional: true,
+		},
+
 		"tags": tags.Schema(),
 	}
 }

internal/services/firewall/firewall_policy_resource_test.go

@@ -248,6 +248,15 @@ resource "azurerm_firewall_policy" "test" {
     ip_addresses = ["1.1.1.1", "2.2.2.2", "10.0.0.0/16"]
     fqdns        = ["foo.com", "bar.com"]
   }
+  explicit_proxy {
+    enabled         = true
+    http_port       = 8087
+    https_port      = 8088
+    enable_pac_file = true
+    pac_file_port   = 8089
+    pac_file        = "https://tinawstorage.file.core.windows.net/?sv=2020-02-10&ss=bfqt&srt=sco&sp=rwdlacuptfx&se=2021-06-04T07:01:12Z&st=2021-06-03T23:01:12Z&sip=68.65.171.11&spr=https&sig=Plsa0RRVpGbY0IETZZOT6znOHcSro71LLTTbzquYPgs%%3D"
+  }
+  auto_learn_private_ranges_enabled = true
   dns {
     servers       = ["1.1.1.1", "3.3.3.3", "2.2.2.2"]
     proxy_enabled = true
@@ -274,6 +283,15 @@ resource "azurerm_firewall_policy" "test" {
     ip_addresses = ["1.1.1.1", "2.2.2.2", "10.0.0.0/16"]
     fqdns        = ["foo.com", "bar.com"]
   }
+  explicit_proxy {
+    enabled         = true
+    http_port       = 8087
+    https_port      = 8088
+    enable_pac_file = true
+    pac_file_port   = 8089
+    pac_file        = "https://tinawstorage.file.core.windows.net/?sv=2020-02-10&ss=bfqt&srt=sco&sp=rwdlacuptfx&se=2021-06-04T07:01:12Z&st=2021-06-03T23:01:12Z&sip=68.65.171.11&spr=https&sig=Plsa0RRVpGbY0IETZZOT6znOHcSro71LLTTbzquYPgs%%3D"
+  }
+  auto_learn_private_ranges_enabled = true
   dns {
     servers       = ["1.1.1.1", "2.2.2.2"]
     proxy_enabled = true

internal/services/keyvault/client/helpers.go

@@ -45,11 +45,12 @@ func (c *Client) BaseUriForKeyVault(ctx context.Context, keyVaultId parse.VaultI
 	lock[cacheKey].Lock()
 	defer lock[cacheKey].Unlock()
 
+	vaultsClient := c.VaultsClient
 	if keyVaultId.SubscriptionId != c.VaultsClient.SubscriptionID {
-		c.VaultsClient = c.KeyVaultClientForSubscription(keyVaultId.SubscriptionId)
+		vaultsClient = c.KeyVaultClientForSubscription(keyVaultId.SubscriptionId)
 	}
 
-	resp, err := c.VaultsClient.Get(ctx, keyVaultId.ResourceGroup, keyVaultId.Name)
+	resp, err := vaultsClient.Get(ctx, keyVaultId.ResourceGroup, keyVaultId.Name)
 	if err != nil {
 		if utils.ResponseWasNotFound(resp.Response) {
 			return nil, fmt.Errorf("%s was not found", keyVaultId)