Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

azurerm_firewall_policy - support for explicit_proxy and auto_learn_private_ranges_mode properties #19313

Merged
merged 3 commits into from
Dec 5, 2022
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
104 changes: 104 additions & 0 deletions internal/services/firewall/firewall_policy_resource.go
Original file line number Diff line number Diff line change
Expand Up @@ -83,6 +83,7 @@ func resourceFirewallPolicyCreateUpdate(d *pluginsdk.ResourceData, meta interfac
IntrusionDetection: expandFirewallPolicyIntrusionDetection(d.Get("intrusion_detection").([]interface{})),
TransportSecurity: expandFirewallPolicyTransportSecurity(d.Get("tls_certificate").([]interface{})),
Insights: expandFirewallPolicyInsights(d.Get("insights").([]interface{})),
ExplicitProxy: expandFirewallPolicyExplicitProxy(d.Get("explicit_proxy").([]interface{})),
},
Identity: expandedIdentity,
Location: utils.String(location.Normalize(d.Get("location").(string))),
Expand Down Expand Up @@ -111,6 +112,15 @@ func resourceFirewallPolicyCreateUpdate(d *pluginsdk.ResourceData, meta interfac
}
}

if v, ok := d.GetOk("auto_learn_private_ranges_enabled"); ok {
if props.FirewallPolicyPropertiesFormat.Snat == nil {
props.FirewallPolicyPropertiesFormat.Snat = &network.FirewallPolicySNAT{}
}
if v.(bool) {
props.FirewallPolicyPropertiesFormat.Snat.AutoLearnPrivateRanges = network.AutoLearnPrivateRangesModeEnabled
}
}

locks.ByName(id.Name, azureFirewallPolicyResourceName)
defer locks.UnlockByName(id.Name, azureFirewallPolicyResourceName)

Expand Down Expand Up @@ -194,17 +204,28 @@ func resourceFirewallPolicyRead(d *pluginsdk.ResourceData, meta interface{}) err
}

var privateIPRanges []interface{}
var isAutoLearnPrivateRangeEnabled bool
if prop.Snat != nil {
privateIPRanges = utils.FlattenStringSlice(prop.Snat.PrivateRanges)
isAutoLearnPrivateRangeEnabled = prop.Snat.AutoLearnPrivateRanges == network.AutoLearnPrivateRangesModeEnabled
}
if err := d.Set("private_ip_ranges", privateIPRanges); err != nil {
return fmt.Errorf("setting `private_ip_ranges`: %+v", err)
}

if err := d.Set("auto_learn_private_ranges_enabled", isAutoLearnPrivateRangeEnabled); err != nil {
return fmt.Errorf("setting `auto_learn_private_ranges_enabled`: %+v", err)
}

if err := d.Set("insights", flattenFirewallPolicyInsights(prop.Insights)); err != nil {
return fmt.Errorf(`setting "insights": %+v`, err)
}

proxySettings := flattenFirewallPolicyExplicitProxy(prop.ExplicitProxy)
if err := d.Set("explicit_proxy", proxySettings); err != nil {
return fmt.Errorf("setting `explicit_proxy`: %+v", err)
}

if prop.SQL != nil && prop.SQL.AllowSQLRedirect != nil {
if err := d.Set("sql_redirect_allowed", prop.SQL.AllowSQLRedirect); err != nil {
return fmt.Errorf("setting `sql_redirect_allowed`: %+v", err)
Expand Down Expand Up @@ -381,6 +402,31 @@ func expandFirewallPolicyInsights(input []interface{}) *network.FirewallPolicyIn
return output
}

func expandFirewallPolicyExplicitProxy(input []interface{}) *network.ExplicitProxy {
if len(input) == 0 || input[0] == nil {
return nil
}

raw := input[0].(map[string]interface{})
if raw == nil {
return nil
}

output := &network.ExplicitProxy{
EnableExplicitProxy: utils.Bool(raw["enabled"].(bool)),
HTTPPort: utils.Int32(int32(raw["http_port"].(int))),
HTTPSPort: utils.Int32(int32(raw["https_port"].(int))),
PacFilePort: utils.Int32(int32(raw["pac_file_port"].(int))),
PacFile: utils.String(raw["pac_file"].(string)),
}

if val, ok := raw["enable_pac_file"]; ok {
output.EnablePacFile = utils.Bool(val.(bool))
}

return output
}

func expandFirewallPolicyLogAnalyticsResources(defaultWorkspaceId string, workspaces []interface{}) *network.FirewallPolicyLogAnalyticsResources {
output := &network.FirewallPolicyLogAnalyticsResources{
DefaultWorkspaceID: &network.SubResource{
Expand Down Expand Up @@ -589,6 +635,21 @@ func flattenFirewallPolicyInsights(input *network.FirewallPolicyInsights) []inte
}
}

func flattenFirewallPolicyExplicitProxy(input *network.ExplicitProxy) (result []interface{}) {
if input == nil {
return
}
output := map[string]interface{}{
"enabled": input.EnableExplicitProxy,
"http_port": input.HTTPPort,
"https_port": input.HTTPSPort,
"enable_pac_file": input.EnablePacFile,
"pac_file_port": input.PacFilePort,
"pac_file": input.PacFile,
}
return []interface{}{output}
}

func flattenFirewallPolicyLogAnalyticsResources(input *network.FirewallPolicyLogAnalyticsResources) (string, []interface{}) {
if input == nil {
return "", []interface{}{}
Expand Down Expand Up @@ -883,6 +944,44 @@ func resourceFirewallPolicySchema() map[string]*pluginsdk.Schema {
},
},

"explicit_proxy": {
Type: pluginsdk.TypeList,
Optional: true,
MaxItems: 1,
Elem: &pluginsdk.Resource{
Schema: map[string]*schema.Schema{
"enabled": {
Type: pluginsdk.TypeBool,
Optional: true,
},
"http_port": {
Type: pluginsdk.TypeInt,
Optional: true,
ValidateFunc: validation.IntBetween(0, 35536),
},
"https_port": {
Type: pluginsdk.TypeInt,
Optional: true,
ValidateFunc: validation.IntBetween(0, 35536),
},
"enable_pac_file": {
Type: pluginsdk.TypeBool,
Optional: true,
},
"pac_file_port": {
Type: pluginsdk.TypeInt,
Optional: true,
ValidateFunc: validation.IntBetween(0, 35536),
},
"pac_file": {
Type: pluginsdk.TypeString,
Optional: true,
ValidateFunc: validation.StringIsNotEmpty,
},
},
},
},

"sql_redirect_allowed": {
Type: pluginsdk.TypeBool,
Optional: true,
Expand Down Expand Up @@ -925,6 +1024,11 @@ func resourceFirewallPolicySchema() map[string]*pluginsdk.Schema {
},
},

"auto_learn_private_ranges_enabled": {
Type: pluginsdk.TypeBool,
Optional: true,
},

"tags": tags.Schema(),
}
}
18 changes: 18 additions & 0 deletions internal/services/firewall/firewall_policy_resource_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -248,6 +248,15 @@ resource "azurerm_firewall_policy" "test" {
ip_addresses = ["1.1.1.1", "2.2.2.2", "10.0.0.0/16"]
fqdns = ["foo.com", "bar.com"]
}
explicit_proxy {
enabled = true
http_port = 8087
https_port = 8088
enable_pac_file = true
pac_file_port = 8089
pac_file = "https://tinawstorage.file.core.windows.net/?sv=2020-02-10&ss=bfqt&srt=sco&sp=rwdlacuptfx&se=2021-06-04T07:01:12Z&st=2021-06-03T23:01:12Z&sip=68.65.171.11&spr=https&sig=Plsa0RRVpGbY0IETZZOT6znOHcSro71LLTTbzquYPgs%%3D"
}
auto_learn_private_ranges_enabled = true
dns {
servers = ["1.1.1.1", "3.3.3.3", "2.2.2.2"]
proxy_enabled = true
Expand All @@ -274,6 +283,15 @@ resource "azurerm_firewall_policy" "test" {
ip_addresses = ["1.1.1.1", "2.2.2.2", "10.0.0.0/16"]
fqdns = ["foo.com", "bar.com"]
}
explicit_proxy {
enabled = true
http_port = 8087
https_port = 8088
enable_pac_file = true
pac_file_port = 8089
pac_file = "https://tinawstorage.file.core.windows.net/?sv=2020-02-10&ss=bfqt&srt=sco&sp=rwdlacuptfx&se=2021-06-04T07:01:12Z&st=2021-06-03T23:01:12Z&sip=68.65.171.11&spr=https&sig=Plsa0RRVpGbY0IETZZOT6znOHcSro71LLTTbzquYPgs%%3D"
}
auto_learn_private_ranges_enabled = true
dns {
servers = ["1.1.1.1", "2.2.2.2"]
proxy_enabled = true
Expand Down
20 changes: 20 additions & 0 deletions website/docs/r/firewall_policy.html.markdown
Original file line number Diff line number Diff line change
Expand Up @@ -49,6 +49,8 @@ The following arguments are supported:

* `private_ip_ranges` - (Optional) A list of private IP ranges to which traffic will not be SNAT.

* `auto_learn_private_ranges_enabled` - (Optional) Whether enable auto learn private ip range. Defaults to `false`.

* `sku` - (Optional) The SKU Tier of the Firewall Policy. Possible values are `Standard`, `Premium` and `Basic`. Changing this forces a new Firewall Policy to be created.

* `tags` - (Optional) A mapping of tags which should be assigned to the Firewall Policy.
Expand All @@ -61,6 +63,8 @@ The following arguments are supported:

* `sql_redirect_allowed` - (Optional) Whether SQL Redirect traffic filtering is allowed. Enabling this flag requires no rule using ports between `11000`-`11999`.

* `explicit_proxy` - (Optional) A `explicit_proxy` block as defined below.

---

A `dns` block supports the following:
Expand Down Expand Up @@ -153,6 +157,22 @@ A `traffic_bypass` block supports the following:

* `source_ip_groups` - (Optional) Specifies a list of source IP groups that shall be bypassed by intrusion detection.

---

A `explicit_proxy` block supports the following:

* `enabled` (Optional) Whether the explicit proxy is enabled for this Firewall Policy.

* `http_port` (Optional) The port number for explicit http protocol.

* `https_port` (Optional) The port number for explicit proxy https protocol.

* `enable_pac_file` (Optional) Whether the pac file port and url need to be provided.

* `pac_file_port` (Optional) Specifies a port number for firewall to serve PAC file.

* `pac_file` (Optional) Specifies a SAS URL for PAC file.

## Attributes Reference

In addition to the Arguments listed above - the following Attributes are exported:
Expand Down