From b0fd673ee91797bcc5857715ed649dd456a273de Mon Sep 17 00:00:00 2001 From: xuwu1 Date: Wed, 16 Nov 2022 16:45:42 +0800 Subject: [PATCH 1/3] add explicit proxy and auto learn priavte range property support --- .../firewall/firewall_policy_resource.go | 104 ++++++++++++++++++ .../firewall/firewall_policy_resource_test.go | 18 +++ website/docs/r/firewall_policy.html.markdown | 20 ++++ 3 files changed, 142 insertions(+) diff --git a/internal/services/firewall/firewall_policy_resource.go b/internal/services/firewall/firewall_policy_resource.go index dac329f65880..b881c9f2db75 100644 --- a/internal/services/firewall/firewall_policy_resource.go +++ b/internal/services/firewall/firewall_policy_resource.go @@ -83,6 +83,7 @@ func resourceFirewallPolicyCreateUpdate(d *pluginsdk.ResourceData, meta interfac IntrusionDetection: expandFirewallPolicyIntrusionDetection(d.Get("intrusion_detection").([]interface{})), TransportSecurity: expandFirewallPolicyTransportSecurity(d.Get("tls_certificate").([]interface{})), Insights: expandFirewallPolicyInsights(d.Get("insights").([]interface{})), + ExplicitProxy: expandFirewallPolicyExplicitProxy(d.Get("explicit_proxy").([]interface{})), }, Identity: expandedIdentity, Location: utils.String(location.Normalize(d.Get("location").(string))), @@ -111,6 +112,13 @@ func resourceFirewallPolicyCreateUpdate(d *pluginsdk.ResourceData, meta interfac } } + if v, ok := d.GetOk("auto_learn_private_ranges_mode"); ok { + if props.FirewallPolicyPropertiesFormat.Snat == nil { + props.FirewallPolicyPropertiesFormat.Snat = &network.FirewallPolicySNAT{} + } + props.FirewallPolicyPropertiesFormat.Snat.AutoLearnPrivateRanges = network.AutoLearnPrivateRangesMode(v.(string)) + } + locks.ByName(id.Name, azureFirewallPolicyResourceName) defer locks.UnlockByName(id.Name, azureFirewallPolicyResourceName) @@ -201,10 +209,19 @@ func resourceFirewallPolicyRead(d *pluginsdk.ResourceData, meta interface{}) err return fmt.Errorf("setting `private_ip_ranges`: %+v", err) } + if err := d.Set("auto_learn_private_ranges_mode", prop.Snat.AutoLearnPrivateRanges); err != nil { + return fmt.Errorf("setting `auto_learn_private_ranges_mode`: %+v", err) + } + if err := d.Set("insights", flattenFirewallPolicyInsights(prop.Insights)); err != nil { return fmt.Errorf(`setting "insights": %+v`, err) } + proxySettings := flattenFirewallPolicyExplicitProxy(prop.ExplicitProxy) + if err := d.Set("explicit_proxy", proxySettings); err != nil { + return fmt.Errorf("setting `explicit_proxy`: %+v", err) + } + if prop.SQL != nil && prop.SQL.AllowSQLRedirect != nil { if err := d.Set("sql_redirect_allowed", prop.SQL.AllowSQLRedirect); err != nil { return fmt.Errorf("setting `sql_redirect_allowed`: %+v", err) @@ -381,6 +398,31 @@ func expandFirewallPolicyInsights(input []interface{}) *network.FirewallPolicyIn return output } +func expandFirewallPolicyExplicitProxy(input []interface{}) *network.ExplicitProxy { + if len(input) == 0 || input[0] == nil { + return nil + } + + raw := input[0].(map[string]interface{}) + if raw == nil { + return nil + } + + output := &network.ExplicitProxy{ + EnableExplicitProxy: utils.Bool(raw["enabled"].(bool)), + HTTPPort: utils.Int32(int32(raw["http_port"].(int))), + HTTPSPort: utils.Int32(int32(raw["https_port"].(int))), + PacFilePort: utils.Int32(int32(raw["pac_file_port"].(int))), + PacFile: utils.String(raw["pac_file"].(string)), + } + + if val, ok := raw["enable_pac_file"]; ok { + output.EnablePacFile = utils.Bool(val.(bool)) + } + + return output +} + func expandFirewallPolicyLogAnalyticsResources(defaultWorkspaceId string, workspaces []interface{}) *network.FirewallPolicyLogAnalyticsResources { output := &network.FirewallPolicyLogAnalyticsResources{ DefaultWorkspaceID: &network.SubResource{ @@ -589,6 +631,21 @@ func flattenFirewallPolicyInsights(input *network.FirewallPolicyInsights) []inte } } +func flattenFirewallPolicyExplicitProxy(input *network.ExplicitProxy) (result []interface{}) { + if input == nil { + return + } + output := map[string]interface{}{ + "enabled": input.EnableExplicitProxy, + "http_port": input.HTTPPort, + "https_port": input.HTTPSPort, + "enable_pac_file": input.EnablePacFile, + "pac_file_port": input.PacFilePort, + "pac_file": input.PacFile, + } + return []interface{}{output} +} + func flattenFirewallPolicyLogAnalyticsResources(input *network.FirewallPolicyLogAnalyticsResources) (string, []interface{}) { if input == nil { return "", []interface{}{} @@ -883,6 +940,44 @@ func resourceFirewallPolicySchema() map[string]*pluginsdk.Schema { }, }, + "explicit_proxy": { + Type: pluginsdk.TypeList, + Optional: true, + MaxItems: 1, + Elem: &pluginsdk.Resource{ + Schema: map[string]*schema.Schema{ + "enabled": { + Type: pluginsdk.TypeBool, + Optional: true, + }, + "http_port": { + Type: pluginsdk.TypeInt, + Optional: true, + ValidateFunc: validation.IntBetween(0, 35536), + }, + "https_port": { + Type: pluginsdk.TypeInt, + Optional: true, + ValidateFunc: validation.IntBetween(0, 35536), + }, + "enable_pac_file": { + Type: pluginsdk.TypeBool, + Optional: true, + }, + "pac_file_port": { + Type: pluginsdk.TypeInt, + Optional: true, + ValidateFunc: validation.IntBetween(0, 35536), + }, + "pac_file": { + Type: pluginsdk.TypeString, + Optional: true, + ValidateFunc: validation.StringIsNotEmpty, + }, + }, + }, + }, + "sql_redirect_allowed": { Type: pluginsdk.TypeBool, Optional: true, @@ -925,6 +1020,15 @@ func resourceFirewallPolicySchema() map[string]*pluginsdk.Schema { }, }, + "auto_learn_private_ranges_mode": { + Type: pluginsdk.TypeString, + Optional: true, + ValidateFunc: validation.StringInSlice([]string{ + string(network.AutoLearnPrivateRangesModeEnabled), + string(network.AutoLearnPrivateRangesModeDisabled), + }, false), + }, + "tags": tags.Schema(), } } diff --git a/internal/services/firewall/firewall_policy_resource_test.go b/internal/services/firewall/firewall_policy_resource_test.go index a5cb552b3fc3..d5feae0f041d 100644 --- a/internal/services/firewall/firewall_policy_resource_test.go +++ b/internal/services/firewall/firewall_policy_resource_test.go @@ -248,6 +248,15 @@ resource "azurerm_firewall_policy" "test" { ip_addresses = ["1.1.1.1", "2.2.2.2", "10.0.0.0/16"] fqdns = ["foo.com", "bar.com"] } + explicit_proxy { + enabled = true + http_port = 8087 + https_port = 8088 + enable_pac_file = true + pac_file_port = 8089 + pac_file = "https://tinawstorage.file.core.windows.net/?sv=2020-02-10&ss=bfqt&srt=sco&sp=rwdlacuptfx&se=2021-06-04T07:01:12Z&st=2021-06-03T23:01:12Z&sip=68.65.171.11&spr=https&sig=Plsa0RRVpGbY0IETZZOT6znOHcSro71LLTTbzquYPgs%%3D" + } + auto_learn_private_ranges_mode = "Enabled" dns { servers = ["1.1.1.1", "3.3.3.3", "2.2.2.2"] proxy_enabled = true @@ -274,6 +283,15 @@ resource "azurerm_firewall_policy" "test" { ip_addresses = ["1.1.1.1", "2.2.2.2", "10.0.0.0/16"] fqdns = ["foo.com", "bar.com"] } + explicit_proxy { + enabled = true + http_port = 8087 + https_port = 8088 + enable_pac_file = true + pac_file_port = 8089 + pac_file = "https://tinawstorage.file.core.windows.net/?sv=2020-02-10&ss=bfqt&srt=sco&sp=rwdlacuptfx&se=2021-06-04T07:01:12Z&st=2021-06-03T23:01:12Z&sip=68.65.171.11&spr=https&sig=Plsa0RRVpGbY0IETZZOT6znOHcSro71LLTTbzquYPgs%%3D" + } + auto_learn_private_ranges_mode = "Enabled" dns { servers = ["1.1.1.1", "2.2.2.2"] proxy_enabled = true diff --git a/website/docs/r/firewall_policy.html.markdown b/website/docs/r/firewall_policy.html.markdown index 738c69f175bd..536f9bbdaae5 100644 --- a/website/docs/r/firewall_policy.html.markdown +++ b/website/docs/r/firewall_policy.html.markdown @@ -49,6 +49,8 @@ The following arguments are supported: * `private_ip_ranges` - (Optional) A list of private IP ranges to which traffic will not be SNAT. +* `auto_learn_private_ranges_mode` - (Optional) Specify the mode of auto learn private range. Possible values are `Enabled` and `Disabled`. + * `sku` - (Optional) The SKU Tier of the Firewall Policy. Possible values are `Standard`, `Premium` and `Basic`. Changing this forces a new Firewall Policy to be created. * `tags` - (Optional) A mapping of tags which should be assigned to the Firewall Policy. @@ -61,6 +63,8 @@ The following arguments are supported: * `sql_redirect_allowed` - (Optional) Whether SQL Redirect traffic filtering is allowed. Enabling this flag requires no rule using ports between `11000`-`11999`. +* `explicit_proxy` - (Optional) A `explicit_proxy` block as defined below. + --- A `dns` block supports the following: @@ -153,6 +157,22 @@ A `traffic_bypass` block supports the following: * `source_ip_groups` - (Optional) Specifies a list of source IP groups that shall be bypassed by intrusion detection. +--- + +A `explicit_proxy` block supports the following: + +* `enabled` (Optional) Whether the explicit proxy is enabled for this Firewall Policy. + +* `http_port` (Optional) The port number for explicit http protocol. + +* `https_port` (Optional) The port number for explicit proxy https protocol. + +* `enable_pac_file` (Optional) Whether the pac file port and url need to be provided. + +* `pac_file_port` (Optional) Specifies a port number for firewall to serve PAC file. + +* `pac_file` (Optional) Specifies a SAS URL for PAC file. + ## Attributes Reference In addition to the Arguments listed above - the following Attributes are exported: From 0dfc6c186ef62cd4297abbe7c53e946e0a30bc31 Mon Sep 17 00:00:00 2001 From: Xu Wu Date: Fri, 25 Nov 2022 16:19:51 +0800 Subject: [PATCH 2/3] update auto_learn_private_ranges_mode to auto_learn_private_ranges_enabled --- .../firewall/firewall_policy_resource.go | 20 +++++++++---------- .../firewall/firewall_policy_resource_test.go | 4 ++-- website/docs/r/firewall_policy.html.markdown | 2 +- 3 files changed, 12 insertions(+), 14 deletions(-) diff --git a/internal/services/firewall/firewall_policy_resource.go b/internal/services/firewall/firewall_policy_resource.go index b881c9f2db75..59ca064c2a7c 100644 --- a/internal/services/firewall/firewall_policy_resource.go +++ b/internal/services/firewall/firewall_policy_resource.go @@ -112,11 +112,13 @@ func resourceFirewallPolicyCreateUpdate(d *pluginsdk.ResourceData, meta interfac } } - if v, ok := d.GetOk("auto_learn_private_ranges_mode"); ok { + if v, ok := d.GetOk("auto_learn_private_ranges_enabled"); ok { if props.FirewallPolicyPropertiesFormat.Snat == nil { props.FirewallPolicyPropertiesFormat.Snat = &network.FirewallPolicySNAT{} } - props.FirewallPolicyPropertiesFormat.Snat.AutoLearnPrivateRanges = network.AutoLearnPrivateRangesMode(v.(string)) + if v.(bool) { + props.FirewallPolicyPropertiesFormat.Snat.AutoLearnPrivateRanges = network.AutoLearnPrivateRangesModeEnabled + } } locks.ByName(id.Name, azureFirewallPolicyResourceName) @@ -208,9 +210,9 @@ func resourceFirewallPolicyRead(d *pluginsdk.ResourceData, meta interface{}) err if err := d.Set("private_ip_ranges", privateIPRanges); err != nil { return fmt.Errorf("setting `private_ip_ranges`: %+v", err) } - - if err := d.Set("auto_learn_private_ranges_mode", prop.Snat.AutoLearnPrivateRanges); err != nil { - return fmt.Errorf("setting `auto_learn_private_ranges_mode`: %+v", err) + isAutoLearnPrivateRangeEnabled := prop.Snat.AutoLearnPrivateRanges == network.AutoLearnPrivateRangesModeEnabled + if err := d.Set("auto_learn_private_ranges_enabled", isAutoLearnPrivateRangeEnabled); err != nil { + return fmt.Errorf("setting `auto_learn_private_ranges_enabled`: %+v", err) } if err := d.Set("insights", flattenFirewallPolicyInsights(prop.Insights)); err != nil { @@ -1020,13 +1022,9 @@ func resourceFirewallPolicySchema() map[string]*pluginsdk.Schema { }, }, - "auto_learn_private_ranges_mode": { - Type: pluginsdk.TypeString, + "auto_learn_private_ranges_enabled": { + Type: pluginsdk.TypeBool, Optional: true, - ValidateFunc: validation.StringInSlice([]string{ - string(network.AutoLearnPrivateRangesModeEnabled), - string(network.AutoLearnPrivateRangesModeDisabled), - }, false), }, "tags": tags.Schema(), diff --git a/internal/services/firewall/firewall_policy_resource_test.go b/internal/services/firewall/firewall_policy_resource_test.go index d5feae0f041d..3d2003db82e3 100644 --- a/internal/services/firewall/firewall_policy_resource_test.go +++ b/internal/services/firewall/firewall_policy_resource_test.go @@ -256,7 +256,7 @@ resource "azurerm_firewall_policy" "test" { pac_file_port = 8089 pac_file = "https://tinawstorage.file.core.windows.net/?sv=2020-02-10&ss=bfqt&srt=sco&sp=rwdlacuptfx&se=2021-06-04T07:01:12Z&st=2021-06-03T23:01:12Z&sip=68.65.171.11&spr=https&sig=Plsa0RRVpGbY0IETZZOT6znOHcSro71LLTTbzquYPgs%%3D" } - auto_learn_private_ranges_mode = "Enabled" + auto_learn_private_ranges_enabled = true dns { servers = ["1.1.1.1", "3.3.3.3", "2.2.2.2"] proxy_enabled = true @@ -291,7 +291,7 @@ resource "azurerm_firewall_policy" "test" { pac_file_port = 8089 pac_file = "https://tinawstorage.file.core.windows.net/?sv=2020-02-10&ss=bfqt&srt=sco&sp=rwdlacuptfx&se=2021-06-04T07:01:12Z&st=2021-06-03T23:01:12Z&sip=68.65.171.11&spr=https&sig=Plsa0RRVpGbY0IETZZOT6znOHcSro71LLTTbzquYPgs%%3D" } - auto_learn_private_ranges_mode = "Enabled" + auto_learn_private_ranges_enabled = true dns { servers = ["1.1.1.1", "2.2.2.2"] proxy_enabled = true diff --git a/website/docs/r/firewall_policy.html.markdown b/website/docs/r/firewall_policy.html.markdown index 536f9bbdaae5..9f3730f0d6c3 100644 --- a/website/docs/r/firewall_policy.html.markdown +++ b/website/docs/r/firewall_policy.html.markdown @@ -49,7 +49,7 @@ The following arguments are supported: * `private_ip_ranges` - (Optional) A list of private IP ranges to which traffic will not be SNAT. -* `auto_learn_private_ranges_mode` - (Optional) Specify the mode of auto learn private range. Possible values are `Enabled` and `Disabled`. +* `auto_learn_private_ranges_enabled` - (Optional) Whether enable auto learn private ip range. Defaults to `false`. * `sku` - (Optional) The SKU Tier of the Firewall Policy. Possible values are `Standard`, `Premium` and `Basic`. Changing this forces a new Firewall Policy to be created. From be6b3ee7bfa58f6d190199cc02061cbca31fcde7 Mon Sep 17 00:00:00 2001 From: Xu Wu Date: Mon, 28 Nov 2022 09:33:16 +0800 Subject: [PATCH 3/3] fix set auto learn private to stat --- internal/services/firewall/firewall_policy_resource.go | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/internal/services/firewall/firewall_policy_resource.go b/internal/services/firewall/firewall_policy_resource.go index 59ca064c2a7c..675808375104 100644 --- a/internal/services/firewall/firewall_policy_resource.go +++ b/internal/services/firewall/firewall_policy_resource.go @@ -204,13 +204,15 @@ func resourceFirewallPolicyRead(d *pluginsdk.ResourceData, meta interface{}) err } var privateIPRanges []interface{} + var isAutoLearnPrivateRangeEnabled bool if prop.Snat != nil { privateIPRanges = utils.FlattenStringSlice(prop.Snat.PrivateRanges) + isAutoLearnPrivateRangeEnabled = prop.Snat.AutoLearnPrivateRanges == network.AutoLearnPrivateRangesModeEnabled } if err := d.Set("private_ip_ranges", privateIPRanges); err != nil { return fmt.Errorf("setting `private_ip_ranges`: %+v", err) } - isAutoLearnPrivateRangeEnabled := prop.Snat.AutoLearnPrivateRanges == network.AutoLearnPrivateRangesModeEnabled + if err := d.Set("auto_learn_private_ranges_enabled", isAutoLearnPrivateRangeEnabled); err != nil { return fmt.Errorf("setting `auto_learn_private_ranges_enabled`: %+v", err) }