Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

azurerm_firewall - dns_settings block to fix dns_servers, dns_proxy_enabled logic #20519

Merged
merged 2 commits into from
Dec 7, 2023
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 11 additions & 1 deletion internal/services/firewall/firewall_data_source.go
Original file line number Diff line number Diff line change
Expand Up @@ -117,6 +117,12 @@ func firewallDataSource() *pluginsdk.Resource {
},
},

"dns_proxy_enabled": {
Type: pluginsdk.TypeBool,
Optional: true,
Computed: true,
},

"virtual_hub": {
Type: pluginsdk.TypeList,
Computed: true,
Expand Down Expand Up @@ -192,7 +198,11 @@ func firewallDataSourceRead(d *pluginsdk.ResourceData, meta interface{}) error {

d.Set("threat_intel_mode", string(pointer.From(props.ThreatIntelMode)))

if err := d.Set("dns_servers", flattenFirewallDNSServers(props.AdditionalProperties)); err != nil {
dnsProxyEnabeld, dnsServers := flattenFirewallAdditionalProperty(props.AdditionalProperties)
if err := d.Set("dns_proxy_enabled", dnsProxyEnabeld); err != nil {
return fmt.Errorf("setting `dns_proxy_enabled`: %+v", err)
}
if err := d.Set("dns_servers", dnsServers); err != nil {
return fmt.Errorf("setting `dns_servers`: %+v", err)
}

Expand Down
2 changes: 1 addition & 1 deletion internal/services/firewall/firewall_data_source_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -153,7 +153,7 @@ data "azurerm_firewall" "test" {
name = azurerm_firewall.test.name
resource_group_name = azurerm_resource_group.test.name
}
`, FirewallResource{}.enableDNS(data, dnsServers...))
`, FirewallResource{}.enableDNS(data, true, dnsServers...))
}

func (FirewallDataSource) withManagementIp(data acceptance.TestData) string {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -879,7 +879,7 @@ resource "azurerm_firewall_network_rule_collection" "test" {
]
}
}
`, FirewallResource{}.enableDNS(data, "1.1.1.1", "8.8.8.8"))
`, FirewallResource{}.enableDNS(data, true, "1.1.1.1", "8.8.8.8"))
}

func (r FirewallNetworkRuleCollectionResource) noSource(data acceptance.TestData) string {
Expand Down
21 changes: 3 additions & 18 deletions internal/services/firewall/firewall_policy_resource_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -119,7 +119,7 @@ func TestAccFirewallPolicy_updatePremium(t *testing.T) {

data.ResourceTest(t, r, []acceptance.TestStep{
{
Config: r.basic(data),
Config: r.basicPremium(data),
Check: acceptance.ComposeTestCheckFunc(
check.That(data.ResourceName).ExistsInAzure(r),
),
Expand Down Expand Up @@ -522,36 +522,20 @@ resource "azurerm_key_vault_access_policy" "test" {
object_id = azurerm_user_assigned_identity.test.principal_id

key_permissions = [
"Backup",
"Create",
"Delete",
"Get",
"Import",
"List",
"Purge",
"Recover",
"Restore",
"Update"
]

certificate_permissions = [
"Backup",
"Create",
"Get",
"List",
"Import",
"Purge",
"Delete",
"Recover",
"ManageContacts",
]

secret_permissions = [
"Get",
"List",
"Set",
"Purge",
"Delete",
"Recover"
]
}

Expand Down Expand Up @@ -582,6 +566,7 @@ resource "azurerm_key_vault_access_policy" "test2" {
"Purge",
"Delete",
"Recover",
"ManageContacts",
]

secret_permissions = [
Expand Down
63 changes: 37 additions & 26 deletions internal/services/firewall/firewall_resource.go
Original file line number Diff line number Diff line change
Expand Up @@ -63,7 +63,7 @@ func resourceFirewall() *pluginsdk.Resource {

"resource_group_name": commonschema.ResourceGroupName(),

//lintignore:S013
// lintignore:S013
"sku_name": {
Type: pluginsdk.TypeString,
Required: true,
Expand All @@ -74,7 +74,7 @@ func resourceFirewall() *pluginsdk.Resource {
}, false),
},

//lintignore:S013
// lintignore:S013
"sku_tier": {
Type: pluginsdk.TypeString,
Required: true,
Expand Down Expand Up @@ -172,6 +172,12 @@ func resourceFirewall() *pluginsdk.Resource {
},
},

"dns_proxy_enabled": {
Type: pluginsdk.TypeBool,
Optional: true,
Computed: true,
},

"private_ip_ranges": {
Type: pluginsdk.TypeSet,
Optional: true,
Expand Down Expand Up @@ -327,7 +333,7 @@ func resourceFirewallCreateUpdate(d *pluginsdk.ResourceData, meta interface{}) e
parameters.Properties.Sku.Tier = pointer.To(azurefirewalls.AzureFirewallSkuTier(skuTier))
}

if dnsServerSetting := expandFirewallDNSServers(d.Get("dns_servers").([]interface{})); dnsServerSetting != nil {
if dnsServerSetting := expandFirewallAdditionalProperty(d); dnsServerSetting != nil {
for k, v := range dnsServerSetting {
attrs := *parameters.Properties.AdditionalProperties
attrs[k] = v
Expand Down Expand Up @@ -429,7 +435,11 @@ func resourceFirewallRead(d *pluginsdk.ResourceData, meta interface{}) error {

d.Set("threat_intel_mode", string(pointer.From(props.ThreatIntelMode)))

if err := d.Set("dns_servers", flattenFirewallDNSServers(props.AdditionalProperties)); err != nil {
dnsProxyEnabled, dnsServers := flattenFirewallAdditionalProperty(props.AdditionalProperties)
if err := d.Set("dns_proxy_enabled", dnsProxyEnabled); err != nil {
return fmt.Errorf("setting `dns_proxy_enabled`: %+v", err)
}
if err := d.Set("dns_servers", dnsServers); err != nil {
return fmt.Errorf("setting `dns_servers`: %+v", err)
}

Expand Down Expand Up @@ -638,37 +648,38 @@ func flattenFirewallIPConfigurations(input *[]azurefirewalls.AzureFirewallIPConf
return result
}

func expandFirewallDNSServers(input []interface{}) map[string]string {
if len(input) == 0 {
return nil
}

var servers []string
for _, server := range input {
servers = append(servers, server.(string))
}

func expandFirewallAdditionalProperty(d *pluginsdk.ResourceData) map[string]string {
// Swagger issue asking finalize these properties: https://github.com/Azure/azure-rest-api-specs/issues/11278
return map[string]string{
"Network.DNS.EnableProxy": "true",
"Network.DNS.Servers": strings.Join(servers, ","),
res := map[string]string{}
if servers := d.Get("dns_servers").([]interface{}); len(servers) > 0 {
var servs []string
for _, server := range servers {
servs = append(servs, server.(string))
}
res["Network.DNS.EnableProxy"] = "true"
res["Network.DNS.Servers"] = strings.Join(servs, ",")
}
if enabled := d.Get("dns_proxy_enabled").(bool); enabled {
res["Network.DNS.EnableProxy"] = "true"
}
return res
}

func flattenFirewallDNSServers(input *map[string]string) []interface{} {
func flattenFirewallAdditionalProperty(input *map[string]string) (enabled interface{}, servers []interface{}) {
if input == nil || len(*input) == 0 {
return nil
return nil, nil
}

attrs := *input
enabled := attrs["Network.DNS.EnableProxy"] == "true"

if !enabled {
return nil
if enabledPtr, ok := (*input)["Network.DNS.EnableProxy"]; ok {
enabled = enabledPtr == "true"
}

servers := strings.Split(attrs["Network.DNS.Servers"], ",")
return utils.FlattenStringSlice(&servers)
if serversPtr, ok := (*input)["Network.DNS.Servers"]; ok {
for _, val := range strings.Split(serversPtr, ",") {
servers = append(servers, val)
}
}
return
}

func expandFirewallPrivateIpRange(input []interface{}) map[string]string {
Expand Down
35 changes: 27 additions & 8 deletions internal/services/firewall/firewall_resource_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -68,14 +68,21 @@ func TestAccFirewall_enableDNS(t *testing.T) {
},
data.ImportStep(),
{
Config: r.enableDNS(data, "1.1.1.1", "8.8.8.8"),
Config: r.enableDNS(data, true, "1.1.1.1"),
Check: acceptance.ComposeTestCheckFunc(
check.That(data.ResourceName).ExistsInAzure(r),
),
},
data.ImportStep(),
{
Config: r.enableDNS(data, "1.1.1.1"),
Config: r.enableDNS(data, true),
Check: acceptance.ComposeTestCheckFunc(
check.That(data.ResourceName).ExistsInAzure(r),
),
},
data.ImportStep(),
{
Config: r.enableDNS(data, false),
Check: acceptance.ComposeTestCheckFunc(
check.That(data.ResourceName).ExistsInAzure(r),
),
Expand Down Expand Up @@ -502,10 +509,20 @@ resource "azurerm_firewall" "test" {
`, data.RandomInteger, data.Locations.Primary, data.RandomInteger, data.RandomInteger, data.RandomInteger)
}

func (FirewallResource) enableDNS(data acceptance.TestData, dnsServers ...string) string {
servers := make([]string, len(dnsServers))
for idx, server := range dnsServers {
servers[idx] = fmt.Sprintf(`"%s"`, server)
func (FirewallResource) enableDNS(data acceptance.TestData, enableProxy bool, dnsServers ...string) string {
dnsServersStr := ""
if len(dnsServers) > 0 {
servers := make([]string, len(dnsServers))
for idx, server := range dnsServers {
servers[idx] = fmt.Sprintf(`"%s"`, server)
}
dnsServersStr = fmt.Sprintf("dns_servers = [%s]", strings.Join(servers, ", "))
}
enableProxyStr := ""
if enableProxy {
enableProxyStr = "dns_proxy_enabled = true"
} else {
enableProxyStr = "dns_proxy_enabled = false"
}

return fmt.Sprintf(`
Expand Down Expand Up @@ -553,9 +570,11 @@ resource "azurerm_firewall" "test" {
public_ip_address_id = azurerm_public_ip.test.id
}
threat_intel_mode = "Deny"
dns_servers = [%s]
%s
%s
}
`, data.RandomInteger, data.Locations.Primary, data.RandomInteger, data.RandomInteger, data.RandomInteger, strings.Join(servers, ","))
`, data.RandomInteger, data.Locations.Primary, data.RandomInteger, data.RandomInteger, data.RandomInteger,
dnsServersStr, enableProxyStr)
}

func (FirewallResource) withManagementIp(data acceptance.TestData) string {
Expand Down
2 changes: 2 additions & 0 deletions website/docs/d/firewall.html.markdown
Original file line number Diff line number Diff line change
Expand Up @@ -48,6 +48,8 @@ The following attributes are exported:

* `dns_servers` - The list of DNS servers that the Azure Firewall will direct DNS traffic to for name resolution.

* `dns_proxy_enabled` - Whether DNS proxy is enabled. It will forward DNS requests to the DNS servers when it is `true`.

* `management_ip_configuration` - A `management_ip_configuration` block as defined below, which allows force-tunnelling of traffic to be performed by the firewall.

* `threat_intel_mode` - The operation mode for threat intelligence-based filtering.
Expand Down
2 changes: 2 additions & 0 deletions website/docs/r/firewall.html.markdown
Original file line number Diff line number Diff line change
Expand Up @@ -76,6 +76,8 @@ The following arguments are supported:

* `dns_servers` - (Optional) A list of DNS servers that the Azure Firewall will direct DNS traffic to the for name resolution.

* `dns_proxy_enabled` - (Optional) Whether DNS proxy is enabled. It will forward DNS requests to the DNS servers when set to `true`. It will be set to `true` if `dns_servers` provided with a not empty list.

* `private_ip_ranges` - (Optional) A list of SNAT private CIDR IP ranges, or the special string `IANAPrivateRanges`, which indicates Azure Firewall does not SNAT when the destination IP address is a private range per IANA RFC 1918.

* `management_ip_configuration` - (Optional) A `management_ip_configuration` block as documented below, which allows force-tunnelling of traffic to be performed by the firewall. Adding or removing this block or changing the `subnet_id` in an existing block forces a new resource to be created. Changing this forces a new resource to be created.
Expand Down
Loading