Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

application gateway: add advanced ssl_policies #3360

Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
170 changes: 161 additions & 9 deletions azurerm/resource_arm_application_gateway.go
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,15 @@ import (
"github.com/terraform-providers/terraform-provider-azurerm/azurerm/utils"
)

// See https://github.com/Azure/azure-sdk-for-go/blob/master/services/network/mgmt/2018-04-01/network/models.go
func possibleArmApplicationGatewaySslCipherSuiteValues() []string {
cipherSuites := make([]string, 0)
for _, cipherSuite := range network.PossibleApplicationGatewaySslCipherSuiteValues() {
cipherSuites = append(cipherSuites, string(cipherSuite))
}
return cipherSuites
}

func resourceArmApplicationGateway() *schema.Resource {
return &schema.Resource{
Create: resourceArmApplicationGatewayCreateUpdate,
Expand Down Expand Up @@ -633,10 +642,12 @@ func resourceArmApplicationGateway() *schema.Resource {
},
},

// TODO: @tombuildsstuff deprecate this in favour of a full `ssl_protocol` block in the future
// TODO: remove in 2.0
"disabled_ssl_protocols": {
Type: schema.TypeList,
Optional: true,
Type: schema.TypeList,
Optional: true,
Computed: true,
Deprecated: "has been replaced by `ssl_policy`.`disabled_protocols`",
Elem: &schema.Schema{
Type: schema.TypeString,
DiffSuppressFunc: suppress.CaseDifference,
Expand All @@ -648,6 +659,65 @@ func resourceArmApplicationGateway() *schema.Resource {
},
},

"ssl_policy": {
Type: schema.TypeList,
Optional: true,
Computed: true,
Elem: &schema.Resource{
Schema: map[string]*schema.Schema{
"disabled_protocols": {
Type: schema.TypeList,
Optional: true,
Computed: true,
Elem: &schema.Schema{
Type: schema.TypeString,
ValidateFunc: validation.StringInSlice([]string{
string(network.TLSv10),
string(network.TLSv11),
string(network.TLSv12),
}, false),
},
},

"policy_type": {
Type: schema.TypeString,
Optional: true,
Elem: &schema.Schema{
Type: schema.TypeString,
ValidateFunc: validation.StringInSlice([]string{
string(network.Custom),
string(network.Predefined),
}, false),
},
},

"policy_name": {
Type: schema.TypeString,
Optional: true,
},

"cipher_suites": {
Type: schema.TypeList,
Optional: true,
Elem: &schema.Schema{
Type: schema.TypeString,
ValidateFunc: validation.StringInSlice(possibleArmApplicationGatewaySslCipherSuiteValues(), false),
},
},

"min_protocol_version": {
Type: schema.TypeString,
Optional: true,
ValidateFunc: validation.StringInSlice([]string{
string(network.TLSv10),
string(network.TLSv11),
string(network.TLSv12),
}, false),
},
},
},
},

"enable_http2": {
Type: schema.TypeBool,
Optional: true,
Expand Down Expand Up @@ -1228,6 +1298,10 @@ func resourceArmApplicationGatewayRead(d *schema.ResourceData, meta interface{})
return fmt.Errorf("Error setting `disabled_ssl_protocols`: %+v", setErr)
}

if setErr := d.Set("ssl_policy", flattenApplicationGatewaySslPolicy(props.SslPolicy)); setErr != nil {
return fmt.Errorf("Error setting `ssl_policy`: %+v", setErr)
}

d.Set("enable_http2", props.EnableHTTP2)

httpListeners, err := flattenApplicationGatewayHTTPListeners(props.HTTPListeners)
Expand Down Expand Up @@ -1661,16 +1735,94 @@ func flattenApplicationGatewayConnectionDraining(input *network.ApplicationGatew
}

func expandApplicationGatewaySslPolicy(d *schema.ResourceData) *network.ApplicationGatewaySslPolicy {
vs := d.Get("disabled_ssl_protocols").([]interface{})
results := make([]network.ApplicationGatewaySslProtocol, 0)
policy := network.ApplicationGatewaySslPolicy{}
disabledSSLPolicies := make([]network.ApplicationGatewaySslProtocol, 0)

for _, v := range vs {
results = append(results, network.ApplicationGatewaySslProtocol(v.(string)))
vs := d.Get("ssl_policy").([]interface{})
vsdsp := d.Get("disabled_ssl_protocols").([]interface{})

if len(vsdsp) == 0 && len(vs) == 0 {
policy = network.ApplicationGatewaySslPolicy{
DisabledSslProtocols: &disabledSSLPolicies,
}
}

return &network.ApplicationGatewaySslPolicy{
DisabledSslProtocols: &results,
for _, policy := range vsdsp {
disabledSSLPolicies = append(disabledSSLPolicies, network.ApplicationGatewaySslProtocol(policy.(string)))
}

if len(vs) > 0 {
v := vs[0].(map[string]interface{})
policyType := network.ApplicationGatewaySslPolicyType(v["policy_type"].(string))

// reset disabledSSLPolicies here to always use the new disabled_protocols block in favor of disabled_ssl_protocols
disabledSSLPolicies = disabledSSLPolicies[:0]

for _, policy := range v["disabled_protocols"].([]interface{}) {
disabledSSLPolicies = append(disabledSSLPolicies, network.ApplicationGatewaySslProtocol(policy.(string)))
}

if policyType == network.Predefined {
policyName := network.ApplicationGatewaySslPolicyName(v["policy_name"].(string))
policy = network.ApplicationGatewaySslPolicy{
PolicyType: policyType,
PolicyName: policyName,
}
} else if policyType == network.Custom {
minProtocolVersion := network.ApplicationGatewaySslProtocol(v["min_protocol_version"].(string))
cipherSuites := make([]network.ApplicationGatewaySslCipherSuite, 0)

for _, cipherSuite := range v["cipher_suites"].([]interface{}) {
cipherSuites = append(cipherSuites, network.ApplicationGatewaySslCipherSuite(cipherSuite.(string)))
}

policy = network.ApplicationGatewaySslPolicy{
PolicyType: policyType,
MinProtocolVersion: minProtocolVersion,
CipherSuites: &cipherSuites,
}
}
}

if len(disabledSSLPolicies) > 0 {
policy = network.ApplicationGatewaySslPolicy{
DisabledSslProtocols: &disabledSSLPolicies,
}
}

return &policy
}

func flattenApplicationGatewaySslPolicy(input *network.ApplicationGatewaySslPolicy) []interface{} {
results := make([]interface{}, 0)

if input == nil {
return results
}

output := map[string]interface{}{}
output["policy_name"] = input.PolicyName
output["policy_type"] = input.PolicyType
output["min_protocol_version"] = input.MinProtocolVersion

cipherSuites := make([]interface{}, 0)
if input.CipherSuites != nil {
for _, v := range *input.CipherSuites {
cipherSuites = append(cipherSuites, string(v))
}
}
output["cipher_suites"] = cipherSuites

disabledSslProtocols := make([]interface{}, 0)
if input.DisabledSslProtocols != nil {
for _, v := range *input.DisabledSslProtocols {
disabledSslProtocols = append(disabledSslProtocols, string(v))
}
}
output["disabled_protocols"] = disabledSslProtocols

results = append(results, output)
return results
}

func flattenApplicationGatewayDisabledSSLProtocols(input *network.ApplicationGatewaySslPolicy) []interface{} {
Expand Down
Loading