Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

firewall_policy_resource - support for the private_ranges and allow_sql_redirect properties #17842

Merged
merged 7 commits into from
Aug 16, 2022
Merged

firewall_policy_resource - support for the private_ranges and allow_sql_redirect properties #17842

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
5ac2d9a
add explicit_proxy for firewall_policy_resource
wuxu92 Jul 29, 2022
3294019
fix acc test
wuxu92 Aug 3, 2022
9a13427
refactor schema name for pr
wuxu92 Aug 10, 2022
cc6fb05
Update website/docs/r/firewall_policy.html.markdown
katbyte Aug 10, 2022
6fafaa5
update acc test for pr rerun
wuxu92 Aug 10, 2022
af79315
Merge branch 'main' into v/firewallPolicyV1
wuxu92 Aug 10, 2022
df45fd9
fix firewall policy sql_redirect_allowed rename
wuxu92 Aug 12, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
44 changes: 41 additions & 3 deletions internal/services/firewall/firewall_policy_resource.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,7 @@ import (
logAnalytiscValidate "github.com/hashicorp/terraform-provider-azurerm/internal/services/loganalytics/validate"
"github.com/hashicorp/terraform-provider-azurerm/internal/tags"
"github.com/hashicorp/terraform-provider-azurerm/internal/tf/pluginsdk"
"github.com/hashicorp/terraform-provider-azurerm/internal/tf/suppress"
"github.com/hashicorp/terraform-provider-azurerm/internal/tf/validation"
"github.com/hashicorp/terraform-provider-azurerm/internal/timeouts"
"github.com/hashicorp/terraform-provider-azurerm/utils"
Expand Down Expand Up @@ -98,6 +99,12 @@ func resourceFirewallPolicyCreateUpdate(d *pluginsdk.ResourceData, meta interfac
}
}

if v, ok := d.GetOk("allow_sql_redirect"); ok {
props.FirewallPolicyPropertiesFormat.SQL = &network.FirewallPolicySQL{
AllowSQLRedirect: utils.Bool(v.(bool)),
}
}

if v, ok := d.GetOk("private_ip_ranges"); ok {
privateIPRanges := utils.ExpandStringSlice(v.([]interface{}))
props.FirewallPolicyPropertiesFormat.Snat = &network.FirewallPolicySNAT{
Expand Down Expand Up @@ -198,6 +205,12 @@ func resourceFirewallPolicyRead(d *pluginsdk.ResourceData, meta interface{}) err
if err := d.Set("insights", flattenFirewallPolicyInsights(prop.Insights)); err != nil {
return fmt.Errorf(`setting "insights": %+v`, err)
}

if prop.SQL != nil && prop.SQL.AllowSQLRedirect != nil {
if err := d.Set("allow_sql_redirect", prop.SQL.AllowSQLRedirect); err != nil {
return fmt.Errorf("setting `allow_sql_redirect`: %+v", err)
}
}
}

flattenedIdentity, err := flattenFirewallPolicyIdentity(resp.Identity)
Expand Down Expand Up @@ -297,10 +310,16 @@ func expandFirewallPolicyIntrusionDetection(input []interface{}) *network.Firewa
})
}

var privateRanges []string
for _, v := range raw["private_ranges"].([]interface{}) {
privateRanges = append(privateRanges, v.(string))
}

return &network.FirewallPolicyIntrusionDetection{
Mode: network.FirewallPolicyIntrusionDetectionStateType(raw["mode"].(string)),
Configuration: &network.FirewallPolicyIntrusionDetectionConfiguration{
SignatureOverrides: &signatureOverrides,
PrivateRanges: &privateRanges,
BypassTrafficSettings: &trafficBypass,
},
}
Expand Down Expand Up @@ -460,12 +479,12 @@ func flattenFirewallPolicyIntrusionDetection(input *network.FirewallPolicyIntrus
description = *bypass.Description
}

sourceAddresses := make([]string, 0)
var sourceAddresses []string
if bypass.SourceAddresses != nil {
sourceAddresses = *bypass.SourceAddresses
}

destinationAddresses := make([]string, 0)
var destinationAddresses []string
if bypass.DestinationAddresses != nil {
destinationAddresses = *bypass.DestinationAddresses
}
Expand Down Expand Up @@ -497,12 +516,17 @@ func flattenFirewallPolicyIntrusionDetection(input *network.FirewallPolicyIntrus
})
}
}
var privateRanges []string
if privates := input.Configuration.PrivateRanges; privates != nil {
privateRanges = *privates
}

return []interface{}{
map[string]interface{}{
"mode": string(input.Mode),
"signature_overrides": signatureOverrides,
"traffic_bypass": trafficBypass,
"private_ranges": privateRanges,
},
}
}
Expand Down Expand Up @@ -727,6 +751,13 @@ func resourceFirewallPolicySchema() map[string]*pluginsdk.Schema {
},
},
},
"private_ranges": {
Type: pluginsdk.TypeList,
Optional: true,
Elem: &pluginsdk.Schema{
Type: pluginsdk.TypeString,
},
},
"traffic_bypass": {
Type: pluginsdk.TypeList,
Optional: true,
Expand All @@ -743,12 +774,14 @@ func resourceFirewallPolicySchema() map[string]*pluginsdk.Schema {
"protocol": {
Type: pluginsdk.TypeString,
Required: true,
// protocol to be one of [ICMP ANY TCP UDP] but response may be "Any"
DiffSuppressFunc: suppress.CaseDifference,
ValidateFunc: validation.StringInSlice([]string{
string(network.FirewallPolicyIntrusionDetectionProtocolICMP),
string(network.FirewallPolicyIntrusionDetectionProtocolANY),
string(network.FirewallPolicyIntrusionDetectionProtocolTCP),
string(network.FirewallPolicyIntrusionDetectionProtocolUDP),
}, false),
}, true),
},
"source_addresses": {
Type: pluginsdk.TypeSet,
Expand Down Expand Up @@ -851,6 +884,11 @@ func resourceFirewallPolicySchema() map[string]*pluginsdk.Schema {
},
},

"allow_sql_redirect": {
Type: pluginsdk.TypeBool,
Optional: true,
},

"child_policies": {
Type: pluginsdk.TypeList,
Computed: true,
Expand Down
19 changes: 8 additions & 11 deletions internal/services/firewall/firewall_policy_resource_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -127,13 +127,6 @@ func TestAccFirewallPolicy_updatePremium(t *testing.T) {
),
},
data.ImportStep(),
{
Config: r.basic(data),
Check: acceptance.ComposeTestCheckFunc(
check.That(data.ResourceName).ExistsInAzure(r),
),
},
data.ImportStep(),
})
}

Expand Down Expand Up @@ -287,11 +280,14 @@ resource "azurerm_firewall_policy" "test" {
state = "Alert"
id = "1"
}
private_ranges = ["172.111.111.111"]
traffic_bypass {
name = "Name bypass traffic settings"
description = "Description bypass traffic settings"
protocol = "ANY"
destination_ports = ["*"]
name = "Name bypass traffic settings"
description = "Description bypass traffic settings"
destination_addresses = []
source_addresses = []
protocol = "Any"
destination_ports = ["*"]
source_ip_groups = [
azurerm_ip_group.test_source.id,
]
Expand All @@ -300,6 +296,7 @@ resource "azurerm_firewall_policy" "test" {
]
}
}
allow_sql_redirect = true
identity {
type = "UserAssigned"
identity_ids = [
Expand Down
4 changes: 4 additions & 0 deletions website/docs/r/firewall_policy.html.markdown
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -59,6 +59,8 @@ The following arguments are supported:

* `tls_certificate` - (Optional) A `tls_certificate` block as defined below.

* `allow_sql_redirect` - (Optional) Whether SQL Redirect traffic filtering is enabled. Turning on the flag requires no rule using port 11000-11999.
wuxu92 marked this conversation as resolved.
Show resolved Hide resolved

---

A `dns` block supports the following:
Expand Down Expand Up @@ -97,6 +99,8 @@ A `intrusion_detection` block supports the following:

* `traffic_bypass` - (Optional) One or more `traffic_bypass` blocks as defined below.

* `private_ranges` - (Optional) A list of Private IP address ranges to identify traffic direction. By default, only ranges defined by IANA RFC 1918 are considered private IP addresses.

---

A `log_analytics_workspace` block supports the following:
Expand Down