add explicit_proxy for firewall_policy_resource

hashicorp · Aug 2, 2022 · f374b46 · f374b46
1 parent ee184ed
commit f374b46
Show file tree

Hide file tree

Showing 3 changed files with 65 additions and 9 deletions.
diff --git a/internal/services/firewall/firewall_policy_resource.go b/internal/services/firewall/firewall_policy_resource.go
@@ -98,6 +98,12 @@ func resourceFirewallPolicyCreateUpdate(d *pluginsdk.ResourceData, meta interfac
 		}
 	}
 
+	if v, ok := d.GetOk("allow_sql_redirect"); ok {
+		props.FirewallPolicyPropertiesFormat.SQL = &network.FirewallPolicySQL{
+			AllowSQLRedirect: utils.Bool(v.(bool)),
+		}
+	}
+
 	if v, ok := d.GetOk("private_ip_ranges"); ok {
 		privateIPRanges := utils.ExpandStringSlice(v.([]interface{}))
 		props.FirewallPolicyPropertiesFormat.Snat = &network.FirewallPolicySNAT{
@@ -198,6 +204,12 @@ func resourceFirewallPolicyRead(d *pluginsdk.ResourceData, meta interface{}) err
 		if err := d.Set("insights", flattenFirewallPolicyInsights(prop.Insights)); err != nil {
 			return fmt.Errorf(`setting "insights": %+v`, err)
 		}
+
+		if prop.SQL != nil && prop.SQL.AllowSQLRedirect != nil {
+			if err := d.Set("allow_sql_redirect", prop.SQL.AllowSQLRedirect); err != nil {
+				return fmt.Errorf("setting `allow_sql_redirect`: %+v", err)
+			}
+		}
 	}
 
 	flattenedIdentity, err := flattenFirewallPolicyIdentity(resp.Identity)
@@ -297,10 +309,16 @@ func expandFirewallPolicyIntrusionDetection(input []interface{}) *network.Firewa
 		})
 	}
 
+	var privateRanges []string
+	for _, v := range raw["private_ranges"].([]interface{}) {
+		privateRanges = append(privateRanges, v.(string))
+	}
+
 	return &network.FirewallPolicyIntrusionDetection{
 		Mode: network.FirewallPolicyIntrusionDetectionStateType(raw["mode"].(string)),
 		Configuration: &network.FirewallPolicyIntrusionDetectionConfiguration{
 			SignatureOverrides:    &signatureOverrides,
+			PrivateRanges:         &privateRanges,
 			BypassTrafficSettings: &trafficBypass,
 		},
 	}
@@ -460,12 +478,12 @@ func flattenFirewallPolicyIntrusionDetection(input *network.FirewallPolicyIntrus
 				description = *bypass.Description
 			}
 
-			sourceAddresses := make([]string, 0)
+			var sourceAddresses []string
 			if bypass.SourceAddresses != nil {
 				sourceAddresses = *bypass.SourceAddresses
 			}
 
-			destinationAddresses := make([]string, 0)
+			var destinationAddresses []string
 			if bypass.DestinationAddresses != nil {
 				destinationAddresses = *bypass.DestinationAddresses
 			}
@@ -497,12 +515,17 @@ func flattenFirewallPolicyIntrusionDetection(input *network.FirewallPolicyIntrus
 			})
 		}
 	}
+	var privateRanges []string
+	if privates := input.Configuration.PrivateRanges; privates != nil {
+		privateRanges = *privates
+	}
 
 	return []interface{}{
 		map[string]interface{}{
 			"mode":                string(input.Mode),
 			"signature_overrides": signatureOverrides,
 			"traffic_bypass":      trafficBypass,
+			"private_ranges":      privateRanges,
 		},
 	}
 }
@@ -727,6 +750,15 @@ func resourceFirewallPolicySchema() map[string]*pluginsdk.Schema {
 							},
 						},
 					},
+
+					"private_ranges": {
+						Type:     pluginsdk.TypeList,
+						Optional: true,
+						Elem: &pluginsdk.Schema{
+							Type: pluginsdk.TypeString,
+						},
+					},
+
 					"traffic_bypass": {
 						Type:     pluginsdk.TypeList,
 						Optional: true,
@@ -743,12 +775,13 @@ func resourceFirewallPolicySchema() map[string]*pluginsdk.Schema {
 								"protocol": {
 									Type:     pluginsdk.TypeString,
 									Required: true,
+									// protocol to be one of [ICMP ANY TCP UDP] but response may be "Any"
 									ValidateFunc: validation.StringInSlice([]string{
 										string(network.FirewallPolicyIntrusionDetectionProtocolICMP),
 										string(network.FirewallPolicyIntrusionDetectionProtocolANY),
 										string(network.FirewallPolicyIntrusionDetectionProtocolTCP),
 										string(network.FirewallPolicyIntrusionDetectionProtocolUDP),
-									}, false),
+									}, true),
 								},
 								"source_addresses": {
 									Type:     pluginsdk.TypeSet,
@@ -851,6 +884,11 @@ func resourceFirewallPolicySchema() map[string]*pluginsdk.Schema {
 			},
 		},
 
+		"allow_sql_redirect": {
+			Type:     pluginsdk.TypeBool,
+			Optional: true,
+		},
+
 		"child_policies": {
 			Type:     pluginsdk.TypeList,
 			Computed: true,

diff --git a/internal/services/firewall/firewall_policy_resource_test.go b/internal/services/firewall/firewall_policy_resource_test.go
@@ -258,6 +258,15 @@ resource "azurerm_firewall_policy" "test" {
   tags = {
     env = "Test"
   }
+  intrusion_detection {
+    mode = "Alert"
+    signature_overrides {
+      state = "Alert"
+      id    = "1"
+    }
+    private_ranges = ["172.111.111.111"]
+  }
+  allow_sql_redirect = true
 }
 `, template, data.RandomInteger)
 }
@@ -287,11 +296,14 @@ resource "azurerm_firewall_policy" "test" {
       state = "Alert"
       id    = "1"
     }
+    private_ranges = ["172.111.111.111"]
     traffic_bypass {
-      name              = "Name bypass traffic settings"
-      description       = "Description bypass traffic settings"
-      protocol          = "ANY"
-      destination_ports = ["*"]
+      name                  = "Name bypass traffic settings"
+      description           = "Description bypass traffic settings"
+      destination_addresses = []
+      source_addresses      = []
+      protocol              = "Any"
+      destination_ports     = ["*"]
       source_ip_groups = [
         azurerm_ip_group.test_source.id,
       ]
@@ -300,6 +312,7 @@ resource "azurerm_firewall_policy" "test" {
       ]
     }
   }
+  allow_sql_redirect = true
   identity {
     type = "UserAssigned"
     identity_ids = [
@@ -510,7 +523,7 @@ resource "azurerm_key_vault_certificate" "test" {
 `, data.RandomInteger, "westeurope", data.RandomInteger, data.RandomInteger)
 }
 
-func (FirewallPolicyResource) defaultWorkspaceOnly(data acceptance.TestData) string {
+func (f FirewallPolicyResource) defaultWorkspaceOnly(data acceptance.TestData) string {
 	r := FirewallPolicyResource{}
 	template := r.template(data)
 	return fmt.Sprintf(`
@@ -537,7 +550,7 @@ resource "azurerm_firewall_policy" "test" {
 `, template, data.RandomInteger, data.RandomInteger)
 }
 
-func (FirewallPolicyResource) regionalWorkspace(data acceptance.TestData) string {
+func (f FirewallPolicyResource) regionalWorkspace(data acceptance.TestData) string {
 	r := FirewallPolicyResource{}
 	template := r.template(data)
 	return fmt.Sprintf(`

diff --git a/website/docs/r/firewall_policy.html.markdown b/website/docs/r/firewall_policy.html.markdown
@@ -59,6 +59,8 @@ The following arguments are supported:
 
 * `tls_certificate` - (Optional) A `tls_certificate` block as defined below.
 
+* `allow_sql_redirect` - (Optional) Whether SQL Redirect traffic filtering is enabled. Turning on the flag requires no rule using port 11000-11999.
+
 ---
 
 A `dns` block supports the following:
@@ -97,6 +99,8 @@ A `intrusion_detection` block supports the following:
 
 * `traffic_bypass` - (Optional) One or more `traffic_bypass` blocks as defined below.
 
+* `private_ranges` - (Optional) A list of Private IP address ranges to identify traffic direction. By default, only ranges defined by IANA RFC 1918 are considered private IP addresses.
+
 ---
 
 A `log_analytics_workspace` block supports the following:
@@ -149,6 +153,7 @@ A `traffic_bypass` block supports the following:
 
 * `source_ip_groups` - (Optional) Specifies a list of source IP groups that shall be bypassed by intrusion detection.
 
+
 ## Attributes Reference
 
 In addition to the Arguments listed above - the following Attributes are exported: