

new dns proxy enabled property
wuxu92 committed Nov 8, 2023
1 parent b36aa02 commit c3c4b16
Showing 7 changed files with 81 additions and 37 deletions.
12 changes: 11 additions & 1 deletion internal/services/firewall/firewall_data_source.go
Expand Up @@ -117,6 +117,12 @@ func firewallDataSource() *pluginsdk.Resource {
},
},

"dns_proxy_enabled": {
Type: pluginsdk.TypeBool,
Optional: true,
Computed: true,
},

"virtual_hub": {
Type: pluginsdk.TypeList,
Computed: true,
Expand Down Expand Up @@ -192,7 +198,11 @@ func firewallDataSourceRead(d *pluginsdk.ResourceData, meta interface{}) error {

d.Set("threat_intel_mode", string(pointer.From(props.ThreatIntelMode)))

if err := d.Set("dns_servers", flattenFirewallDNSServers(props.AdditionalProperties)); err != nil {
dnsProxyEnabeld, dnsServers := flattenFirewallAdditionalProperty(props.AdditionalProperties)
if err := d.Set("dns_proxy_enabled", dnsProxyEnabeld); err != nil {
return fmt.Errorf("setting `dns_proxy_enabled`: %+v", err)
}
if err := d.Set("dns_servers", dnsServers); err != nil {
return fmt.Errorf("setting `dns_servers`: %+v", err)
}

2 changes: 1 addition & 1 deletion internal/services/firewall/firewall_data_source_test.go
Expand Up @@ -153,7 +153,7 @@ data "azurerm_firewall" "test" {
name = azurerm_firewall.test.name
resource_group_name = azurerm_resource_group.test.name
}
`, FirewallResource{}.enableDNS(data, dnsServers...))
`, FirewallResource{}.enableDNS(data, true, dnsServers...))
}

func (FirewallDataSource) withManagementIp(data acceptance.TestData) string {
Expand Up @@ -879,7 +879,7 @@ resource "azurerm_firewall_network_rule_collection" "test" {
]
}
}
`, FirewallResource{}.enableDNS(data, "1.1.1.1", "8.8.8.8"))
`, FirewallResource{}.enableDNS(data, true, "1.1.1.1", "8.8.8.8"))
}

func (r FirewallNetworkRuleCollectionResource) noSource(data acceptance.TestData) string {
63 changes: 37 additions & 26 deletions internal/services/firewall/firewall_resource.go
Expand Up @@ -63,7 +63,7 @@ func resourceFirewall() *pluginsdk.Resource {

"resource_group_name": commonschema.ResourceGroupName(),

//lintignore:S013
// lintignore:S013
"sku_name": {
Type: pluginsdk.TypeString,
Required: true,
Expand All @@ -74,7 +74,7 @@ func resourceFirewall() *pluginsdk.Resource {
}, false),
},

//lintignore:S013
// lintignore:S013
"sku_tier": {
Type: pluginsdk.TypeString,
Required: true,
Expand Down Expand Up @@ -172,6 +172,12 @@ func resourceFirewall() *pluginsdk.Resource {
},
},

"dns_proxy_enabled": {
Type: pluginsdk.TypeBool,
Optional: true,
Computed: true,
},

"private_ip_ranges": {
Type: pluginsdk.TypeSet,
Optional: true,
Expand Down Expand Up @@ -327,7 +333,7 @@ func resourceFirewallCreateUpdate(d *pluginsdk.ResourceData, meta interface{}) e
parameters.Properties.Sku.Tier = pointer.To(azurefirewalls.AzureFirewallSkuTier(skuTier))
}

if dnsServerSetting := expandFirewallDNSServers(d.Get("dns_servers").([]interface{})); dnsServerSetting != nil {
if dnsServerSetting := expandFirewallAdditionalProperty(d); dnsServerSetting != nil {
for k, v := range dnsServerSetting {
attrs := *parameters.Properties.AdditionalProperties
attrs[k] = v
Expand Down Expand Up @@ -429,7 +435,11 @@ func resourceFirewallRead(d *pluginsdk.ResourceData, meta interface{}) error {

d.Set("threat_intel_mode", string(pointer.From(props.ThreatIntelMode)))

if err := d.Set("dns_servers", flattenFirewallDNSServers(props.AdditionalProperties)); err != nil {
dnsProxyEnabled, dnsServers := flattenFirewallAdditionalProperty(props.AdditionalProperties)
if err := d.Set("dns_proxy_enabled", dnsProxyEnabled); err != nil {
return fmt.Errorf("setting `dns_proxy_enabled`: %+v", err)
}
if err := d.Set("dns_servers", dnsServers); err != nil {
return fmt.Errorf("setting `dns_servers`: %+v", err)
}

Expand Down Expand Up @@ -638,37 +648,38 @@ func flattenFirewallIPConfigurations(input *[]azurefirewalls.AzureFirewallIPConf
return result
}

func expandFirewallDNSServers(input []interface{}) map[string]string {
if len(input) == 0 {
return nil
}

var servers []string
for _, server := range input {
servers = append(servers, server.(string))
}

func expandFirewallAdditionalProperty(d *pluginsdk.ResourceData) map[string]string {
// Swagger issue asking finalize these properties: https://github.com/Azure/azure-rest-api-specs/issues/11278
return map[string]string{
"Network.DNS.EnableProxy": "true",
"Network.DNS.Servers": strings.Join(servers, ","),
res := map[string]string{}
if servers := d.Get("dns_servers").([]interface{}); len(servers) > 0 {
var servs []string
for _, server := range servers {
servs = append(servs, server.(string))
}
res["Network.DNS.EnableProxy"] = "true"
res["Network.DNS.Servers"] = strings.Join(servs, ",")
}
if enabled := d.Get("dns_proxy_enabled").(bool); enabled {
res["Network.DNS.EnableProxy"] = "true"
}
return res
}

func flattenFirewallDNSServers(input *map[string]string) []interface{} {
func flattenFirewallAdditionalProperty(input *map[string]string) (enabled interface{}, servers []interface{}) {
if input == nil || len(*input) == 0 {
return nil
return nil, nil
}

attrs := *input
enabled := attrs["Network.DNS.EnableProxy"] == "true"

if !enabled {
return nil
if enabledPtr, ok := (*input)["Network.DNS.EnableProxy"]; ok {
enabled = enabledPtr == "true"
}

servers := strings.Split(attrs["Network.DNS.Servers"], ",")
return utils.FlattenStringSlice(&servers)
if serversPtr, ok := (*input)["Network.DNS.Servers"]; ok {
for _, val := range strings.Split(serversPtr, ",") {
servers = append(servers, val)
}
}
return
}

func expandFirewallPrivateIpRange(input []interface{}) map[string]string {
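Review bot: `expandFirewallAdditionalProperty` never emits `"Network.DNS.EnableProxy": "false"`: with `dns_proxy_enabled = false` and no `dns_servers`, `res` stays empty, and the caller in resourceFirewallCreateUpdate (earlier hunk) only adds keys into the existing `AdditionalProperties` map, so a user turning the proxy off on an existing firewall appears to leave it enabled server-side while the read path then reports whatever the API returns. Writing the flag explicitly in the no-servers case, `res["Network.DNS.EnableProxy"] = strconv.FormatBool(d.Get("dns_proxy_enabled").(bool))`, closes that gap, though because the attribute is Optional+Computed an unset value also reads as false, so a `d.GetRawConfig()` null check may be needed so an unconfigured value does not override server state. Separately, `flattenFirewallAdditionalProperty` splits `Network.DNS.Servers` unguarded, so an empty string would flatten to a single `""` server entry; `if serversPtr, ok := (*input)["Network.DNS.Servers"]; ok && serversPtr != "" {` avoids that. The comparison `enabledPtr == "true"` is case-sensitive; if the API can return `True`, `strings.EqualFold(enabledPtr, "true")` would be safer, which is worth confirming against the service.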
35 changes: 27 additions & 8 deletions internal/services/firewall/firewall_resource_test.go
Expand Up @@ -68,14 +68,21 @@ func TestAccFirewall_enableDNS(t *testing.T) {
},
data.ImportStep(),
{
Config: r.enableDNS(data, "1.1.1.1", "8.8.8.8"),
Config: r.enableDNS(data, true, "1.1.1.1"),
Check: acceptance.ComposeTestCheckFunc(
check.That(data.ResourceName).ExistsInAzure(r),
),
},
data.ImportStep(),
{
Config: r.enableDNS(data, "1.1.1.1"),
Config: r.enableDNS(data, true),
Check: acceptance.ComposeTestCheckFunc(
check.That(data.ResourceName).ExistsInAzure(r),
),
},
data.ImportStep(),
{
Config: r.enableDNS(data, false),
Check: acceptance.ComposeTestCheckFunc(
check.That(data.ResourceName).ExistsInAzure(r),
),
Expand Down Expand Up @@ -502,10 +509,20 @@ resource "azurerm_firewall" "test" {
`, data.RandomInteger, data.Locations.Primary, data.RandomInteger, data.RandomInteger, data.RandomInteger)
}

func (FirewallResource) enableDNS(data acceptance.TestData, dnsServers ...string) string {
servers := make([]string, len(dnsServers))
for idx, server := range dnsServers {
servers[idx] = fmt.Sprintf(`"%s"`, server)
func (FirewallResource) enableDNS(data acceptance.TestData, enableProxy bool, dnsServers ...string) string {
dnsServersStr := ""
if len(dnsServers) > 0 {
servers := make([]string, len(dnsServers))
for idx, server := range dnsServers {
servers[idx] = fmt.Sprintf(`"%s"`, server)
}
dnsServersStr = fmt.Sprintf("dns_servers = [%s]", strings.Join(servers, ", "))
}
enableProxyStr := ""
if enableProxy {
enableProxyStr = "dns_proxy_enabled = true"
} else {
enableProxyStr = "dns_proxy_enabled = false"
}

return fmt.Sprintf(`
Expand Down Expand Up @@ -553,9 +570,11 @@ resource "azurerm_firewall" "test" {
public_ip_address_id = azurerm_public_ip.test.id
}
threat_intel_mode = "Deny"
dns_servers = [%s]
%s
%s
}
`, data.RandomInteger, data.Locations.Primary, data.RandomInteger, data.RandomInteger, data.RandomInteger, strings.Join(servers, ","))
`, data.RandomInteger, data.Locations.Primary, data.RandomInteger, data.RandomInteger, data.RandomInteger,
dnsServersStr, enableProxyStr)
}

func (FirewallResource) withManagementIp(data acceptance.TestData) string {
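Review bot: TestAccFirewall_enableDNS no longer has a step combining `dns_proxy_enabled = false` with a non-empty `dns_servers`, which is the case the resource docs single out (the proxy is forced to `true` when servers are given) and the one most likely to surprise users; a step with `Config: r.enableDNS(data, false, "1.1.1.1")` plus a `check.That(data.ResourceName).Key("dns_proxy_enabled").HasValue("true")` would pin that behavior. As a point of style in `enableDNS`, the five-line if/else building `enableProxyStr` collapses to `enableProxyStr := fmt.Sprintf("dns_proxy_enabled = %t", enableProxy)` since both branches always emit the attribute. The test function's step list begins outside the hunk.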
2 changes: 2 additions & 0 deletions website/docs/d/firewall.html.markdown
Expand Up @@ -48,6 +48,8 @@ The following attributes are exported:

* `dns_servers` - The list of DNS servers that the Azure Firewall will direct DNS traffic to for name resolution.

* `dns_proxy_enabled` - Whether DNS proxy is enabled. It will forward DNS requests to the DNS servers when it is `true`.

* `management_ip_configuration` - A `management_ip_configuration` block as defined below, which allows force-tunnelling of traffic to be performed by the firewall.

* `threat_intel_mode` - The operation mode for threat intelligence-based filtering.
2 changes: 2 additions & 0 deletions website/docs/r/firewall.html.markdown
Expand Up @@ -76,6 +76,8 @@ The following arguments are supported:

* `dns_servers` - (Optional) A list of DNS servers that the Azure Firewall will direct DNS traffic to the for name resolution.

* `dns_proxy_enabled` - (Optional) Whether DNS proxy is enabled. It will forward DNS requests to the DNS servers when set to `true`. It will be set to `true` if `dns_servers` provided with a not empty list.

* `private_ip_ranges` - (Optional) A list of SNAT private CIDR IP ranges, or the special string `IANAPrivateRanges`, which indicates Azure Firewall does not SNAT when the destination IP address is a private range per IANA RFC 1918.

* `management_ip_configuration` - (Optional) A `management_ip_configuration` block as documented below, which allows force-tunnelling of traffic to be performed by the firewall. Adding or removing this block or changing the `subnet_id` in an existing block forces a new resource to be created. Changing this forces a new resource to be created.