firewall_policy_resource - support for the private_ranges and `al…

…low_sql_redirect` properties (#17842) Co-authored-by: xuwu1 <xuwu1@microsoft.com> Co-authored-by: kt <kt@katbyte.me>
hashicorp · Aug 16, 2022 · 5aecd3a · 5aecd3a
1 parent 5e55968
commit 5aecd3a
Show file tree

Hide file tree

Showing 3 changed files with 54 additions and 14 deletions.
diff --git a/internal/services/firewall/firewall_policy_resource.go b/internal/services/firewall/firewall_policy_resource.go
@@ -20,6 +20,7 @@ import (
 	logAnalytiscValidate "github.com/hashicorp/terraform-provider-azurerm/internal/services/loganalytics/validate"
 	"github.com/hashicorp/terraform-provider-azurerm/internal/tags"
 	"github.com/hashicorp/terraform-provider-azurerm/internal/tf/pluginsdk"
+	"github.com/hashicorp/terraform-provider-azurerm/internal/tf/suppress"
 	"github.com/hashicorp/terraform-provider-azurerm/internal/tf/validation"
 	"github.com/hashicorp/terraform-provider-azurerm/internal/timeouts"
 	"github.com/hashicorp/terraform-provider-azurerm/utils"
@@ -98,6 +99,12 @@ func resourceFirewallPolicyCreateUpdate(d *pluginsdk.ResourceData, meta interfac
 		}
 	}
 
+	if v, ok := d.GetOk("sql_redirect_allowed"); ok {
+		props.FirewallPolicyPropertiesFormat.SQL = &network.FirewallPolicySQL{
+			AllowSQLRedirect: utils.Bool(v.(bool)),
+		}
+	}
+
 	if v, ok := d.GetOk("private_ip_ranges"); ok {
 		privateIPRanges := utils.ExpandStringSlice(v.([]interface{}))
 		props.FirewallPolicyPropertiesFormat.Snat = &network.FirewallPolicySNAT{
@@ -198,6 +205,12 @@ func resourceFirewallPolicyRead(d *pluginsdk.ResourceData, meta interface{}) err
 		if err := d.Set("insights", flattenFirewallPolicyInsights(prop.Insights)); err != nil {
 			return fmt.Errorf(`setting "insights": %+v`, err)
 		}
+
+		if prop.SQL != nil && prop.SQL.AllowSQLRedirect != nil {
+			if err := d.Set("sql_redirect_allowed", prop.SQL.AllowSQLRedirect); err != nil {
+				return fmt.Errorf("setting `sql_redirect_allowed`: %+v", err)
+			}
+		}
 	}
 
 	flattenedIdentity, err := flattenFirewallPolicyIdentity(resp.Identity)
@@ -297,10 +310,16 @@ func expandFirewallPolicyIntrusionDetection(input []interface{}) *network.Firewa
 		})
 	}
 
+	var privateRanges []string
+	for _, v := range raw["private_ranges"].([]interface{}) {
+		privateRanges = append(privateRanges, v.(string))
+	}
+
 	return &network.FirewallPolicyIntrusionDetection{
 		Mode: network.FirewallPolicyIntrusionDetectionStateType(raw["mode"].(string)),
 		Configuration: &network.FirewallPolicyIntrusionDetectionConfiguration{
 			SignatureOverrides:    &signatureOverrides,
+			PrivateRanges:         &privateRanges,
 			BypassTrafficSettings: &trafficBypass,
 		},
 	}
@@ -460,12 +479,12 @@ func flattenFirewallPolicyIntrusionDetection(input *network.FirewallPolicyIntrus
 				description = *bypass.Description
 			}
 
-			sourceAddresses := make([]string, 0)
+			var sourceAddresses []string
 			if bypass.SourceAddresses != nil {
 				sourceAddresses = *bypass.SourceAddresses
 			}
 
-			destinationAddresses := make([]string, 0)
+			var destinationAddresses []string
 			if bypass.DestinationAddresses != nil {
 				destinationAddresses = *bypass.DestinationAddresses
 			}
@@ -497,12 +516,17 @@ func flattenFirewallPolicyIntrusionDetection(input *network.FirewallPolicyIntrus
 			})
 		}
 	}
+	var privateRanges []string
+	if privates := input.Configuration.PrivateRanges; privates != nil {
+		privateRanges = *privates
+	}
 
 	return []interface{}{
 		map[string]interface{}{
 			"mode":                string(input.Mode),
 			"signature_overrides": signatureOverrides,
 			"traffic_bypass":      trafficBypass,
+			"private_ranges":      privateRanges,
 		},
 	}
 }
@@ -727,6 +751,13 @@ func resourceFirewallPolicySchema() map[string]*pluginsdk.Schema {
 							},
 						},
 					},
+					"private_ranges": {
+						Type:     pluginsdk.TypeList,
+						Optional: true,
+						Elem: &pluginsdk.Schema{
+							Type: pluginsdk.TypeString,
+						},
+					},
 					"traffic_bypass": {
 						Type:     pluginsdk.TypeList,
 						Optional: true,
@@ -743,12 +774,14 @@ func resourceFirewallPolicySchema() map[string]*pluginsdk.Schema {
 								"protocol": {
 									Type:     pluginsdk.TypeString,
 									Required: true,
+									// protocol to be one of [ICMP ANY TCP UDP] but response may be "Any"
+									DiffSuppressFunc: suppress.CaseDifference,
 									ValidateFunc: validation.StringInSlice([]string{
 										string(network.FirewallPolicyIntrusionDetectionProtocolICMP),
 										string(network.FirewallPolicyIntrusionDetectionProtocolANY),
 										string(network.FirewallPolicyIntrusionDetectionProtocolTCP),
 										string(network.FirewallPolicyIntrusionDetectionProtocolUDP),
-									}, false),
+									}, true),
 								},
 								"source_addresses": {
 									Type:     pluginsdk.TypeSet,
@@ -851,6 +884,11 @@ func resourceFirewallPolicySchema() map[string]*pluginsdk.Schema {
 			},
 		},
 
+		"sql_redirect_allowed": {
+			Type:     pluginsdk.TypeBool,
+			Optional: true,
+		},
+
 		"child_policies": {
 			Type:     pluginsdk.TypeList,
 			Computed: true,

diff --git a/internal/services/firewall/firewall_policy_resource_test.go b/internal/services/firewall/firewall_policy_resource_test.go
@@ -58,6 +58,7 @@ func TestAccFirewallPolicy_complete(t *testing.T) {
 				check.That(data.ResourceName).Key("dns.0.servers.0").HasValue("1.1.1.1"),
 				check.That(data.ResourceName).Key("dns.0.servers.1").HasValue("3.3.3.3"),
 				check.That(data.ResourceName).Key("dns.0.servers.2").HasValue("2.2.2.2"),
+				check.That(data.ResourceName).Key("dns.0.proxy_enabled").HasValue("true"),
 			),
 		},
 		data.ImportStep(),
@@ -127,13 +128,6 @@ func TestAccFirewallPolicy_updatePremium(t *testing.T) {
 			),
 		},
 		data.ImportStep(),
-		{
-			Config: r.basic(data),
-			Check: acceptance.ComposeTestCheckFunc(
-				check.That(data.ResourceName).ExistsInAzure(r),
-			),
-		},
-		data.ImportStep(),
 	})
 }
 
@@ -287,11 +281,14 @@ resource "azurerm_firewall_policy" "test" {
       state = "Alert"
       id    = "1"
     }
+    private_ranges = ["172.111.111.111"]
     traffic_bypass {
-      name              = "Name bypass traffic settings"
-      description       = "Description bypass traffic settings"
-      protocol          = "ANY"
-      destination_ports = ["*"]
+      name                  = "Name bypass traffic settings"
+      description           = "Description bypass traffic settings"
+      destination_addresses = []
+      source_addresses      = []
+      protocol              = "Any"
+      destination_ports     = ["*"]
       source_ip_groups = [
         azurerm_ip_group.test_source.id,
       ]
@@ -300,6 +297,7 @@ resource "azurerm_firewall_policy" "test" {
       ]
     }
   }
+  sql_redirect_allowed = true
   identity {
     type = "UserAssigned"
     identity_ids = [

diff --git a/website/docs/r/firewall_policy.html.markdown b/website/docs/r/firewall_policy.html.markdown
@@ -59,6 +59,8 @@ The following arguments are supported:
 
 * `tls_certificate` - (Optional) A `tls_certificate` block as defined below.
 
+* `sql_redirect_allowed` - (Optional) Whether SQL Redirect traffic filtering is allowed. Enabling this flag requires no rule using ports between `11000`-`11999`.
+
 ---
 
 A `dns` block supports the following:
@@ -97,6 +99,8 @@ A `intrusion_detection` block supports the following:
 
 * `traffic_bypass` - (Optional) One or more `traffic_bypass` blocks as defined below.
 
+* `private_ranges` - (Optional) A list of Private IP address ranges to identify traffic direction. By default, only ranges defined by IANA RFC 1918 are considered private IP addresses.
+
 ---
 
 A `log_analytics_workspace` block supports the following: