Fix/make azurerm_firewall_policy premium tier features available #12769

Merged
Changes from 12 commits
50 commits
05303da
First draft for intrusion detection and transport security support
gro1m Jul 28, 2021
90afc30
Fix some stuff
gro1m Jul 28, 2021
f659edc
Fix bypass traffic settings
gro1m Jul 28, 2021
4a51c89
Remove unnecessary stuff and cleanup
gro1m Jul 28, 2021
5997db8
Add test file
gro1m Jul 28, 2021
33fddff
make fmt again
gro1m Jul 28, 2021
bd21562
address unit test error
gro1m Jul 28, 2021
80d140d
address review
gro1m Jul 29, 2021
1e7df3c
fix website lint error
gro1m Jul 29, 2021
5e32a25
update docs; make fmt; make terrafmt
gro1m Jul 29, 2021
b0307f8
update tests with certs
gro1m Jul 29, 2021
e5d02be
update docs
gro1m Jul 29, 2021
fb2a1a1
fix read
gro1m Jul 29, 2021
cb51083
address review: fix object_id in azurerm_key_vault resource for Premi…
gro1m Jul 30, 2021
2142ce4
Fix Complete Premium Test (partially)
gro1m Jul 30, 2021
8fc3809
fix part of firewall policy test
gro1m Jul 30, 2021
a18cc2e
some more fixes
gro1m Jul 30, 2021
8af6a7f
separate resource firewall policy tls certificate$
gro1m Aug 1, 2021
a52d9b8
Use user managed identity as the other identities are not supported
gro1m Aug 2, 2021
f9699d3
resolve merge conflict
gro1m Aug 2, 2021
297ab37
resolve merge conflict
gro1m Aug 9, 2021
c736404
update to new repo structure
gro1m Aug 9, 2021
b02df31
adapt to new folder structure
gro1m Aug 9, 2021
82fb183
resolve merge conflict
gro1m Aug 9, 2021
8261490
delete .github for now
gro1m Aug 9, 2021
a3b11a2
update
gro1m Aug 11, 2021
5281336
add .github without golint.yaml
gro1m Aug 11, 2021
7355941
fix test
gro1m Aug 11, 2021
0167c7e
make fmt & make terrafmt
gro1m Aug 11, 2021
7d20de3
add golint.yaml after giving workflow permissions to GitLab token
gro1m Aug 11, 2021
bc23fc5
small refactoring
gro1m Aug 11, 2021
d6ecb2e
address linter errors
gro1m Aug 11, 2021
aaf53d5
add second key vault access policy for the client service principal
gro1m Aug 16, 2021
2ec96cc
add explicit key vault certificate resource `depends_on` to key vault…
gro1m Aug 16, 2021
62a6154
fix flattening and expanding FirewallPolicyIdentity
gro1m Aug 16, 2021
bacf354
fix identity assignment
gro1m Aug 17, 2021
fde0888
address review
gro1m Aug 18, 2021
093409f
address review: fix user managed identities
gro1m Aug 18, 2021
190f0f5
update docs
gro1m Aug 18, 2021
71bf730
make terrafmt
gro1m Aug 18, 2021
0fcc721
fix expandFirewallPolicyIntrusionDetection
gro1m Aug 19, 2021
308be98
fix expandFirewallPolicyIntrusionDetection
gro1m Aug 19, 2021
64dd031
fix test ip groups
gro1m Aug 19, 2021
4480d29
fix conflicting intrusion detection attirbutes in test
gro1m Aug 19, 2021
e477637
make terrafmt
gro1m Aug 19, 2021
e65e5d9
address review on flattenFirewallPolicyIntrusionDetection
gro1m Aug 23, 2021
d0a4390
Protocol casing is unpredictable
manicminer Aug 24, 2021
f1b50ca
Remove lifecycle blocks
manicminer Aug 24, 2021
e1062f5
generate pfx and update firewall policy tests accordingly
gro1m Aug 25, 2021
9e547df
Remove commented schema fields
manicminer Aug 25, 2021
Expand Up @@ -130,7 +130,7 @@ func FirewallDataSourcePolicyRead(d *pluginsdk.ResourceData, meta interface{}) e
resp, err := client.Get(ctx, resourceGroup, name, "")
if err != nil {
if utils.ResponseWasNotFound(resp.Response) {
return fmt.Errorf("Firewall Policy %q (Resource Group %q) was not found", name, resourceGroup)
return fmt.Errorf("firewall Policy %q (Resource Group %q) was not found", name, resourceGroup)
}

return fmt.Errorf("retrieving Firewall Policy %q (Resource Group %q): %+v", name, resourceGroup, err)
Expand Down
215 changes: 215 additions & 0 deletions azurerm/internal/services/firewall/firewall_policy_resource.go
Expand Up @@ -142,6 +142,131 @@ func resourceFirewallPolicy() *pluginsdk.Resource {
},
},

"intrusion_detection": {
Type: pluginsdk.TypeList,
Optional: true,
MaxItems: 1,
Elem: &pluginsdk.Resource{
Schema: map[string]*pluginsdk.Schema{
"mode": {
Type: pluginsdk.TypeString,
ValidateFunc: validation.StringInSlice([]string{
string(network.FirewallPolicyIntrusionDetectionStateTypeOff),
string(network.FirewallPolicyIntrusionDetectionStateTypeAlert),
string(network.FirewallPolicyIntrusionDetectionStateTypeDeny),
}, false),
Optional: true,
},
"signature_overrides": {
Type: pluginsdk.TypeList,
Optional: true,
Elem: &pluginsdk.Resource{
Schema: map[string]*pluginsdk.Schema{
"state": {
Type: pluginsdk.TypeString,
ValidateFunc: validation.StringInSlice([]string{
string(network.FirewallPolicyIntrusionDetectionStateTypeOff),
string(network.FirewallPolicyIntrusionDetectionStateTypeAlert),
string(network.FirewallPolicyIntrusionDetectionStateTypeDeny),
}, false),
Optional: true,
},
"id": {
Type: pluginsdk.TypeString,
Optional: true,
},
},
},
},
"traffic_bypass": {
Type: pluginsdk.TypeList,
Optional: true,
Elem: &pluginsdk.Resource{
Schema: map[string]*pluginsdk.Schema{
"name": {
Type: pluginsdk.TypeString,
Required: true,
},
"description": {
Type: pluginsdk.TypeString,
Optional: true,
},
"protocol": {
Type: pluginsdk.TypeString,
Required: true,
ValidateFunc: validation.StringInSlice([]string{
string(network.FirewallPolicyIntrusionDetectionProtocolICMP),
string(network.FirewallPolicyIntrusionDetectionProtocolANY),
string(network.FirewallPolicyIntrusionDetectionProtocolTCP),
string(network.FirewallPolicyIntrusionDetectionProtocolUDP),
}, false),
},
"source_addresses": {
Type: pluginsdk.TypeSet,
Optional: true,
Elem: &pluginsdk.Schema{
Type: pluginsdk.TypeString,
ValidateFunc: validation.IsIPv4Address,
},
},
"destination_addresses": {
Type: pluginsdk.TypeSet,
Optional: true,
Elem: &pluginsdk.Schema{
Type: pluginsdk.TypeString,
ValidateFunc: validation.IsIPv4Address,
},
},
"destination_ports": {
Type: pluginsdk.TypeSet,
Optional: true,
Elem: &pluginsdk.Schema{
Type: pluginsdk.TypeString,
ValidateFunc: validation.IsIPv4Address,
},
},
"source_ip_groups": {
Type: pluginsdk.TypeSet,
Optional: true,
Elem: &pluginsdk.Schema{
Type: pluginsdk.TypeString,
ValidateFunc: validation.IsIPv4Address,
},
},
"destination_ip_groups": {
Type: pluginsdk.TypeSet,
Optional: true,
Elem: &pluginsdk.Schema{
Type: pluginsdk.TypeString,
ValidateFunc: validation.IsIPv4Address,
},
},
},
},
},
},
},
},

"tls_certificate": {
Type: pluginsdk.TypeList,
Optional: true,
MaxItems: 1,
MinItems: 1,
Elem: &pluginsdk.Resource{
Schema: map[string]*pluginsdk.Schema{
"key_vault_secret_id": {
Type: pluginsdk.TypeString,
Required: true,
},
"name": {
Type: pluginsdk.TypeString,
Required: true,
},
},
},
},

"child_policies": {
Type: pluginsdk.TypeList,
Computed: true,
Expand Down Expand Up @@ -197,6 +322,8 @@ func resourceFirewallPolicyCreateUpdate(d *pluginsdk.ResourceData, meta interfac
ThreatIntelMode: network.AzureFirewallThreatIntelMode(d.Get("threat_intelligence_mode").(string)),
ThreatIntelWhitelist: expandFirewallPolicyThreatIntelWhitelist(d.Get("threat_intelligence_allowlist").([]interface{})),
DNSSettings: expandFirewallPolicyDNSSetting(d.Get("dns").([]interface{})),
IntrusionDetection: expandFirewallPolicyIntrusionDetection(d.Get("intrusion_detection").([]interface{})),
TransportSecurity: expandFirewallPolicyTransportSecurity(d.Get("tls_certificate").([]interface{})),
},
Location: utils.String(location.Normalize(d.Get("location").(string))),
Tags: tags.Expand(d.Get("tags").(map[string]interface{})),
Expand Down Expand Up @@ -276,6 +403,14 @@ func resourceFirewallPolicyRead(d *pluginsdk.ResourceData, meta interface{}) err
return fmt.Errorf(`setting "dns": %+v`, err)
}

if err := d.Set("intrusion_detection", flattenFirewallPolicyIntrusionDetection(resp.IntrusionDetection)); err != nil {
return fmt.Errorf(`setting "intrusion_detection": %+v`, err)
}

if err := d.Set("transport_security", flattenFirewallPolicyTransportSecurity(prop.TransportSecurity)); err != nil {
return fmt.Errorf(`setting "transport_security": %+v`, err)
}

if err := d.Set("child_policies", flattenNetworkSubResourceID(prop.ChildPolicies)); err != nil {
return fmt.Errorf(`setting "child_policies": %+v`, err)
}
Expand Down Expand Up @@ -346,6 +481,58 @@ func expandFirewallPolicyDNSSetting(input []interface{}) *network.DNSSettings {
return output
}

func expandFirewallPolicyIntrusionDetection(input []interface{}) *network.FirewallPolicyIntrusionDetection {

if len(input) == 0 || input[0] == nil {
return nil
}

raw := input[0].(map[string]interface{})

signature_overrides := []network.FirewallPolicyIntrusionDetectionSignatureSpecification{}
for i, v := range signature_overrides {
signature_overrides[i].ID = v.ID
signature_overrides[i].Mode = v.Mode
}

traffic_bypass := []network.FirewallPolicyIntrusionDetectionBypassTrafficSpecifications{}

for i, v := range traffic_bypass {
traffic_bypass[i].Name = v.Name
traffic_bypass[i].Description = v.Description
traffic_bypass[i].Protocol = v.Protocol
traffic_bypass[i].SourceAddresses = v.SourceAddresses
traffic_bypass[i].DestinationAddresses = v.DestinationAddresses
traffic_bypass[i].DestinationPorts = v.DestinationPorts
traffic_bypass[i].SourceIPGroups = v.SourceIPGroups
traffic_bypass[i].DestinationIPGroups = v.DestinationIPGroups
}

return &network.FirewallPolicyIntrusionDetection{
Mode: network.FirewallPolicyIntrusionDetectionStateType(raw["mode"].(string)),
Configuration: &network.FirewallPolicyIntrusionDetectionConfiguration{
SignatureOverrides: &signature_overrides,
BypassTrafficSettings: &traffic_bypass,
},
}

}

func expandFirewallPolicyTransportSecurity(input []interface{}) *network.FirewallPolicyTransportSecurity {
if len(input) == 0 || input[0] == nil {
return nil
}

raw := input[0].(map[string]interface{})

return &network.FirewallPolicyTransportSecurity{
CertificateAuthority: &network.FirewallPolicyCertificateAuthority{
KeyVaultSecretID: utils.String(raw["key_vault_secret_id"].(string)),
Name: utils.String(raw["name"].(string)),
},
}
}

func flattenFirewallPolicyThreatIntelWhitelist(input *network.FirewallPolicyThreatIntelWhitelist) []interface{} {
if input == nil {
return []interface{}{}
Expand Down Expand Up @@ -378,3 +565,31 @@ func flattenFirewallPolicyDNSSetting(input *network.DNSSettings) []interface{} {
},
}
}

func flattenFirewallPolicyIntrusionDetection(input *network.FirewallPolicyIntrusionDetection) []interface{} {

if input == nil {
return []interface{}{}
}

return []interface{}{
map[string]interface{}{
"mode": input.Mode,
"signature_overrides": input.Configuration.SignatureOverrides,
"traffic_bypass": input.Configuration.BypassTrafficSettings,
},
}
}

func flattenFirewallPolicyTransportSecurity(input *network.FirewallPolicyTransportSecurity) []interface{} {
if input == nil {
return []interface{}{}
}

return []interface{}{
map[string]interface{}{
"key_vault_secret_id": input.CertificateAuthority.KeyVaultSecretID,
"name": input.CertificateAuthority.Name,
},
}
}
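Review bot: expandFirewallPolicyIntrusionDetection never reads `raw["signature_overrides"]` or `raw["traffic_bypass"]` — both slices are created empty and the two loops that follow range over those same empty slices, so every configured signature override and bypass rule is silently dropped and the policy is sent to the API with an empty Configuration. Each entry should instead be expanded from its schema map, with the nested `state` key mapped to `Mode` and the five TypeSet fields converted to `*[]string` (sketch below; the trailing return is unchanged). Elsewhere in this file section, `destination_ports`, `source_ip_groups` and `destination_ip_groups` are validated with `validation.IsIPv4Address`, which rejects every legitimate port or IP-group ID, and resourceFirewallPolicyRead calls `d.Set("transport_security", …)` while the schema only defines `"tls_certificate"`, which d.Set is expected to reject on every read. flattenFirewallPolicyIntrusionDetection also places SDK types (`input.Mode`, the `*[]…` pointers) straight into the state map and dereferences `input.Configuration` without a nil check; it should build plain `[]interface{}` maps that mirror the schema, as the other flatten helpers do.

```go
raw := input[0].(map[string]interface{})

signatureOverrides := make([]network.FirewallPolicyIntrusionDetectionSignatureSpecification, 0)
for _, item := range raw["signature_overrides"].([]interface{}) {
	v := item.(map[string]interface{})
	signatureOverrides = append(signatureOverrides, network.FirewallPolicyIntrusionDetectionSignatureSpecification{
		ID:   utils.String(v["id"].(string)),
		Mode: network.FirewallPolicyIntrusionDetectionStateType(v["state"].(string)),
	})
}

trafficBypass := make([]network.FirewallPolicyIntrusionDetectionBypassTrafficSpecifications, 0)
for _, item := range raw["traffic_bypass"].([]interface{}) {
	v := item.(map[string]interface{})
	trafficBypass = append(trafficBypass, network.FirewallPolicyIntrusionDetectionBypassTrafficSpecifications{
		Name:                 utils.String(v["name"].(string)),
		Description:          utils.String(v["description"].(string)),
		Protocol:             network.FirewallPolicyIntrusionDetectionProtocol(v["protocol"].(string)),
		SourceAddresses:      utils.ExpandStringSlice(v["source_addresses"].(*pluginsdk.Set).List()),
		DestinationAddresses: utils.ExpandStringSlice(v["destination_addresses"].(*pluginsdk.Set).List()),
		DestinationPorts:     utils.ExpandStringSlice(v["destination_ports"].(*pluginsdk.Set).List()),
		SourceIPGroups:       utils.ExpandStringSlice(v["source_ip_groups"].(*pluginsdk.Set).List()),
		DestinationIPGroups:  utils.ExpandStringSlice(v["destination_ip_groups"].(*pluginsdk.Set).List()),
	})
}
// … unchanged: return &network.FirewallPolicyIntrusionDetection{...} using &signatureOverrides and &trafficBypass …
```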