From 5ac2d9a65caa15f1966aad4d9acd2e501f87e352 Mon Sep 17 00:00:00 2001 From: xuwu1 Date: Fri, 29 Jul 2022 11:24:59 +0800 Subject: [PATCH 1/6] add explicit_proxy for firewall_policy_resource --- .../firewall/firewall_policy_resource.go | 44 +++++++++++++++++-- .../firewall/firewall_policy_resource_test.go | 12 +++-- website/docs/r/firewall_policy.html.markdown | 4 ++ 3 files changed, 53 insertions(+), 7 deletions(-) diff --git a/internal/services/firewall/firewall_policy_resource.go b/internal/services/firewall/firewall_policy_resource.go index e9086275bc69..e3f9dba473f5 100644 --- a/internal/services/firewall/firewall_policy_resource.go +++ b/internal/services/firewall/firewall_policy_resource.go @@ -20,6 +20,7 @@ import ( logAnalytiscValidate "github.com/hashicorp/terraform-provider-azurerm/internal/services/loganalytics/validate" "github.com/hashicorp/terraform-provider-azurerm/internal/tags" "github.com/hashicorp/terraform-provider-azurerm/internal/tf/pluginsdk" + "github.com/hashicorp/terraform-provider-azurerm/internal/tf/suppress" "github.com/hashicorp/terraform-provider-azurerm/internal/tf/validation" "github.com/hashicorp/terraform-provider-azurerm/internal/timeouts" "github.com/hashicorp/terraform-provider-azurerm/utils" @@ -98,6 +99,12 @@ func resourceFirewallPolicyCreateUpdate(d *pluginsdk.ResourceData, meta interfac } } + if v, ok := d.GetOk("allow_sql_redirect"); ok { + props.FirewallPolicyPropertiesFormat.SQL = &network.FirewallPolicySQL{ + AllowSQLRedirect: utils.Bool(v.(bool)), + } + } + if v, ok := d.GetOk("private_ip_ranges"); ok { privateIPRanges := utils.ExpandStringSlice(v.([]interface{})) props.FirewallPolicyPropertiesFormat.Snat = &network.FirewallPolicySNAT{ 
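Review bot: `d.GetOk("allow_sql_redirect")` in the added block reports ok=false for a `false` value, so once the flag has been applied as true it can never be sent back as false through this resource — the `SQL` property is simply left out of the PUT body. Whether Azure then clears or retains the server-side setting is not visible here, but either way the user's declared `false` is never expressed, which matters for a knob that changes how the firewall filters SQL redirect traffic. Read the bool unconditionally instead: `props.FirewallPolicyPropertiesFormat.SQL = &network.FirewallPolicySQL{AllowSQLRedirect: utils.Bool(d.Get("allow_sql_redirect").(bool))}` (later patches in this series rename the attribute to `sql_redirect_allowed`; the same applies there). resourceFirewallPolicyCreateUpdate starts and ends outside this hunk. Separately, the patch subject says `explicit_proxy`, but nothing of that name appears in the diff.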
@@ -198,6 +205,12 @@ func resourceFirewallPolicyRead(d *pluginsdk.ResourceData, meta interface{}) err if err := d.Set("insights", flattenFirewallPolicyInsights(prop.Insights)); err != nil { return fmt.Errorf(`setting "insights": %+v`, err) } + + if prop.SQL != nil && prop.SQL.AllowSQLRedirect != nil { + if err := d.Set("allow_sql_redirect", prop.SQL.AllowSQLRedirect); err != nil { + return fmt.Errorf("setting `allow_sql_redirect`: %+v", err) + } + } } flattenedIdentity, err := flattenFirewallPolicyIdentity(resp.Identity) @@ -297,10 +310,16 @@ func expandFirewallPolicyIntrusionDetection(input []interface{}) *network.Firewa }) } + var privateRanges []string + for _, v := range raw["private_ranges"].([]interface{}) { + privateRanges = append(privateRanges, v.(string)) + } + return &network.FirewallPolicyIntrusionDetection{ Mode: network.FirewallPolicyIntrusionDetectionStateType(raw["mode"].(string)), Configuration: &network.FirewallPolicyIntrusionDetectionConfiguration{ SignatureOverrides: &signatureOverrides, + PrivateRanges: &privateRanges, BypassTrafficSettings: &trafficBypass, }, } @@ -460,12 +479,12 @@ func flattenFirewallPolicyIntrusionDetection(input *network.FirewallPolicyIntrus description = *bypass.Description } - sourceAddresses := make([]string, 0) + var sourceAddresses []string if bypass.SourceAddresses != nil { sourceAddresses = *bypass.SourceAddresses } - destinationAddresses := make([]string, 0) + var destinationAddresses []string if bypass.DestinationAddresses != nil { destinationAddresses = *bypass.DestinationAddresses } @@ -497,12 +516,17 @@ func flattenFirewallPolicyIntrusionDetection(input *network.FirewallPolicyIntrus }) } } + var privateRanges []string + if privates := input.Configuration.PrivateRanges; privates != nil { + privateRanges = *privates + } return []interface{}{ map[string]interface{}{ "mode": string(input.Mode), "signature_overrides": signatureOverrides, "traffic_bypass": trafficBypass, + "private_ranges": privateRanges, }, } } 
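Review bot: The read path only calls `d.Set("allow_sql_redirect", …)` when the API returns a non-nil `SQL.AllowSQLRedirect`, so if the setting is removed out of band (portal, CLI) the state keeps the previously applied value and `terraform plan` shows no drift for a security control. The read should always materialise the flag, defaulting to false when the server omits it; the attribute is renamed to `sql_redirect_allowed` later in this series, so adjust the key accordingly. resourceFirewallPolicyRead continues outside this hunk.

```go
// … unchanged: insights …
sqlRedirectAllowed := false
if prop.SQL != nil && prop.SQL.AllowSQLRedirect != nil {
	sqlRedirectAllowed = *prop.SQL.AllowSQLRedirect
}
if err := d.Set("allow_sql_redirect", sqlRedirectAllowed); err != nil {
	return fmt.Errorf("setting `allow_sql_redirect`: %+v", err)
}
```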
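Review bot: The hand-written `for _, v := range raw["private_ranges"].([]interface{})` loop duplicates `utils.ExpandStringSlice`, which this same file already uses for `private_ip_ranges` a few lines above the first hunk; assuming it returns the `*[]string` the SDK field takes, `PrivateRanges: utils.ExpandStringSlice(raw["private_ranges"].([]interface{}))` keeps the two list expansions consistent. Note also that with an empty list the code passes a pointer to a nil slice, which serialises as `null`; whether the API reads that as "reset to the RFC 1918 defaults" or "leave unchanged" is not visible here, and it deserves a comment either way because `private_ranges` decides which traffic IDPS treats as internal when classifying direction. expandFirewallPolicyIntrusionDetection starts outside this hunk.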
@@ -727,6 +751,13 @@ func resourceFirewallPolicySchema() map[string]*pluginsdk.Schema { }, }, }, + "private_ranges": { + Type: pluginsdk.TypeList, + Optional: true, + Elem: &pluginsdk.Schema{ + Type: pluginsdk.TypeString, + }, + }, "traffic_bypass": { Type: pluginsdk.TypeList, Optional: true, @@ -743,12 +774,14 @@ func resourceFirewallPolicySchema() map[string]*pluginsdk.Schema { "protocol": { Type: pluginsdk.TypeString, Required: true, + // protocol to be one of [ICMP ANY TCP UDP] but response may be "Any" + DiffSuppressFunc: suppress.CaseDifference, ValidateFunc: validation.StringInSlice([]string{ string(network.FirewallPolicyIntrusionDetectionProtocolICMP), string(network.FirewallPolicyIntrusionDetectionProtocolANY), string(network.FirewallPolicyIntrusionDetectionProtocolTCP), string(network.FirewallPolicyIntrusionDetectionProtocolUDP), - }, false), + }, true), }, "source_addresses": { Type: pluginsdk.TypeSet, @@ -851,6 +884,11 @@ func resourceFirewallPolicySchema() map[string]*pluginsdk.Schema { }, }, + "allow_sql_redirect": { + Type: pluginsdk.TypeBool, + Optional: true, + }, + "child_policies": { Type: pluginsdk.TypeList, Computed: true, diff --git a/internal/services/firewall/firewall_policy_resource_test.go b/internal/services/firewall/firewall_policy_resource_test.go index 77610b0cec81..80591c91355c 100644 --- a/internal/services/firewall/firewall_policy_resource_test.go +++ b/internal/services/firewall/firewall_policy_resource_test.go 
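Review bot: The new `private_ranges` element has no `ValidateFunc`, so a typo such as `"10.0.0.0/80"` or an empty string only surfaces as an API error at apply time, and this is precisely the field that tells IDPS which addresses count as internal when it decides inbound versus outbound. The accompanying test supplies a bare host address (`172.111.111.111`), so a CIDR-only validator would be too strict; something like `ValidateFunc: validation.Any(validation.IsIPAddress, validation.IsCIDR)` if the provider's validation wrapper exposes those helpers, or at minimum `validation.StringIsNotEmpty`, would catch the obvious mistakes at plan time. resourceFirewallPolicySchema starts and ends outside this hunk.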
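Review bot: `allow_sql_redirect` is added as a bare Optional bool with no comment, while the documentation in the same patch states that enabling it is rejected when any rule uses ports 11000-11999; a reader of the schema has no way to learn that constraint. A short comment above the field, `// Azure rejects enabling SQL redirect while any rule targets ports 11000-11999 (see docs)`, records it where maintainers will look, and `Default: false` would make the stored state explicit rather than leaving absent and false indistinguishable. The attribute is renamed to `sql_redirect_allowed` later in this series, so apply the same there.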
@@ -287,11 +287,14 @@ resource "azurerm_firewall_policy" "test" { state = "Alert" id = "1" } + private_ranges = ["172.111.111.111"] traffic_bypass { - name = "Name bypass traffic settings" - description = "Description bypass traffic settings" - protocol = "ANY" - destination_ports = ["*"] + name = "Name bypass traffic settings" + description = "Description bypass traffic settings" + destination_addresses = [] + source_addresses = [] + protocol = "Any" + destination_ports = ["*"] source_ip_groups = [ azurerm_ip_group.test_source.id, ] @@ -300,6 +303,7 @@ resource "azurerm_firewall_policy" "test" { ] } } + allow_sql_redirect = true identity { type = "UserAssigned" identity_ids = [ diff --git a/website/docs/r/firewall_policy.html.markdown b/website/docs/r/firewall_policy.html.markdown index 3b7f9c7de3fb..2e9b969f6b09 100644 --- a/website/docs/r/firewall_policy.html.markdown +++ b/website/docs/r/firewall_policy.html.markdown @@ -59,6 +59,8 @@ The following arguments are supported: * `tls_certificate` - (Optional) A `tls_certificate` block as defined below. +* `allow_sql_redirect` - (Optional) Whether SQL Redirect traffic filtering is enabled. Turning on the flag requires no rule using port 11000-11999. + --- A `dns` block supports the following: @@ -97,6 +99,8 @@ A `intrusion_detection` block supports the following: * `traffic_bypass` - (Optional) One or more `traffic_bypass` blocks as defined below. +* `private_ranges` - (Optional) A list of Private IP address ranges to identify traffic direction. By default, only ranges defined by IANA RFC 1918 are considered private IP addresses. + --- A `log_analytics_workspace` block supports the following: From 329401981c487840d7e1f3afcad93e0a16902132 Mon Sep 17 00:00:00 2001 From: xuwu1 Date: Wed, 3 Aug 2022 14:36:53 +0800 Subject: [PATCH 2/6] fix acc test --- .../services/firewall/firewall_policy_resource_test.go | 7 ------- 1 file changed, 7 deletions(-) 
diff --git a/internal/services/firewall/firewall_policy_resource_test.go b/internal/services/firewall/firewall_policy_resource_test.go index 80591c91355c..94d687ccbf90 100644 --- a/internal/services/firewall/firewall_policy_resource_test.go +++ b/internal/services/firewall/firewall_policy_resource_test.go @@ -127,13 +127,6 @@ func TestAccFirewallPolicy_updatePremium(t *testing.T) { ), }, data.ImportStep(), - { - Config: r.basic(data), - Check: acceptance.ComposeTestCheckFunc( - check.That(data.ResourceName).ExistsInAzure(r), - ), - }, - data.ImportStep(), }) } From 9a134272b96b471af5f3047dfd626ffacf364787 Mon Sep 17 00:00:00 2001 From: xuwu1 Date: Wed, 10 Aug 2022 11:37:12 +0800 Subject: [PATCH 3/6] refactor schema name for pr --- internal/services/firewall/firewall_policy_resource.go | 8 ++++---- website/docs/r/firewall_policy.html.markdown | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/internal/services/firewall/firewall_policy_resource.go b/internal/services/firewall/firewall_policy_resource.go index e3f9dba473f5..73d701b42af6 100644 --- a/internal/services/firewall/firewall_policy_resource.go +++ b/internal/services/firewall/firewall_policy_resource.go @@ -99,7 +99,7 @@ func resourceFirewallPolicyCreateUpdate(d *pluginsdk.ResourceData, meta interfac } } - if v, ok := d.GetOk("allow_sql_redirect"); ok { + if v, ok := d.GetOk("sql_redirect_allowed"); ok { props.FirewallPolicyPropertiesFormat.SQL = &network.FirewallPolicySQL{ AllowSQLRedirect: utils.Bool(v.(bool)), } @@ -207,8 +207,8 @@ func resourceFirewallPolicyRead(d *pluginsdk.ResourceData, meta interface{}) err } if prop.SQL != nil && prop.SQL.AllowSQLRedirect != nil { - if err := d.Set("allow_sql_redirect", prop.SQL.AllowSQLRedirect); err != nil { - return fmt.Errorf("setting `allow_sql_redirect`: %+v", err) + if err := d.Set("sql_redirect_allowed", prop.SQL.AllowSQLRedirect); err != nil { + return fmt.Errorf("setting `sql_redirect_allowed`: %+v", err) } } } 
@@ -884,7 +884,7 @@ func resourceFirewallPolicySchema() map[string]*pluginsdk.Schema { }, }, - "allow_sql_redirect": { + "sql_redirect_allowed": { Type: pluginsdk.TypeBool, Optional: true, }, diff --git a/website/docs/r/firewall_policy.html.markdown b/website/docs/r/firewall_policy.html.markdown index 2e9b969f6b09..e549c57e9657 100644 --- a/website/docs/r/firewall_policy.html.markdown +++ b/website/docs/r/firewall_policy.html.markdown @@ -59,7 +59,7 @@ The following arguments are supported: * `tls_certificate` - (Optional) A `tls_certificate` block as defined below. -* `allow_sql_redirect` - (Optional) Whether SQL Redirect traffic filtering is enabled. Turning on the flag requires no rule using port 11000-11999. +* `sql_redirect_allowed` - (Optional) Whether SQL Redirect traffic filtering is allowed. Turning on the flag requires no rule using port 11000-11999. --- From cc6fb05d8f730d729b4d776ef366987c8d259fa1 Mon Sep 17 00:00:00 2001 From: kt Date: Tue, 9 Aug 2022 20:55:09 -0700 Subject: [PATCH 4/6] Update website/docs/r/firewall_policy.html.markdown --- website/docs/r/firewall_policy.html.markdown | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/docs/r/firewall_policy.html.markdown b/website/docs/r/firewall_policy.html.markdown index e549c57e9657..bcfde26da841 100644 --- a/website/docs/r/firewall_policy.html.markdown +++ b/website/docs/r/firewall_policy.html.markdown @@ -59,7 +59,7 @@ The following arguments are supported: * `tls_certificate` - (Optional) A `tls_certificate` block as defined below. -* `sql_redirect_allowed` - (Optional) Whether SQL Redirect traffic filtering is allowed. Turning on the flag requires no rule using port 11000-11999. +* `sql_redirect_allowed` - (Optional) Whether SQL Redirect traffic filtering is allowed. Enabling this flag requires no rule using ports between `11000`-`11999`. --- From 6fafaa515594379d15656b367848fc99a4b14efa Mon Sep 17 00:00:00 2001 
From: xuwu1 Date: Wed, 10 Aug 2022 12:36:07 +0800 Subject: [PATCH 5/6] update acc test for pr rerun --- internal/services/firewall/firewall_policy_resource_test.go | 1 + 1 file changed, 1 insertion(+) diff --git a/internal/services/firewall/firewall_policy_resource_test.go b/internal/services/firewall/firewall_policy_resource_test.go index 94d687ccbf90..990ca9be3a0f 100644 --- a/internal/services/firewall/firewall_policy_resource_test.go +++ b/internal/services/firewall/firewall_policy_resource_test.go @@ -58,6 +58,7 @@ func TestAccFirewallPolicy_complete(t *testing.T) { check.That(data.ResourceName).Key("dns.0.servers.0").HasValue("1.1.1.1"), check.That(data.ResourceName).Key("dns.0.servers.1").HasValue("3.3.3.3"), check.That(data.ResourceName).Key("dns.0.servers.2").HasValue("2.2.2.2"), + check.That(data.ResourceName).Key("dns.0.proxy_enabled").HasValue("true"), ), }, data.ImportStep(), From df45fd99198d3fc814f3aed11b91e49a0f893e49 Mon Sep 17 00:00:00 2001 From: xuwu1 Date: Fri, 12 Aug 2022 13:22:07 +0800 Subject: [PATCH 6/6] fix firewall policy sql_redirect_allowed rename --- internal/services/firewall/firewall_policy_resource_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/internal/services/firewall/firewall_policy_resource_test.go b/internal/services/firewall/firewall_policy_resource_test.go index 990ca9be3a0f..5f03e5f6cf8b 100644 --- a/internal/services/firewall/firewall_policy_resource_test.go +++ b/internal/services/firewall/firewall_policy_resource_test.go @@ -297,7 +297,7 @@ resource "azurerm_firewall_policy" "test" { ] } } - allow_sql_redirect = true + sql_redirect_allowed = true identity { type = "UserAssigned" identity_ids = [