[Firewall] Add dns proxy settings for network firewall (#1795)

AzureSDKAutomation · Jun 2, 2020 · cf35013 · cf35013
1 parent 96dcf6c
commit cf35013
Show file tree

Hide file tree

Showing 7 changed files with 798 additions and 27 deletions.
diff --git a/src/azure-firewall/azext_firewall/_params.py b/src/azure-firewall/azext_firewall/_params.py
@@ -7,7 +7,8 @@
 import argparse
 
 from azure.cli.core.commands.parameters import (
-    get_resource_name_completion_list, tags_type, get_enum_type, get_location_type, zones_type)
+    get_resource_name_completion_list, tags_type, get_enum_type, get_location_type, zones_type,
+    get_three_state_flag)
 from azure.cli.core.commands.validators import get_default_location_from_resource_group
 
 from knack.arguments import CLIArgumentType
@@ -56,6 +57,12 @@ def load_arguments(self, _):
                                                                                   'The default sku in server end is AZFW_VNet. '
                                                                                   'If you want to attach azure firewall to vhub, you should set sku to AZFW_Hub.')
         c.argument('private_ranges', nargs='+', validator=process_private_ranges, help='Space-separated list of SNAT private range. Validate values are single Ip, Ip prefixes or a single special value "IANAPrivateRanges"')
+
+    with self.argument_context('network firewall', arg_group='DNS') as c:
+        c.argument('dns_servers', nargs='+', help='Space-separated list of DNS server IP addresses')
+        c.argument('enable_dns_proxy', arg_type=get_three_state_flag(), help='Enable DNS Proxy')
+        c.argument('dns_require_proxy_for_network_rules', arg_type=get_three_state_flag(), help='Requires DNS Proxy functionality for FQDNs within Network Rules')
+
     with self.argument_context('network firewall threat-intel-whitelist') as c:
         c.argument('ip_addresses', nargs='+', validator=process_threat_intel_whitelist_ip_addresses, help='Space-separated list of IPv4 addresses.')
         c.argument('fqdns', nargs='+', validator=process_threat_intel_whitelist_fqdns, help='Space-separated list of FQDNs.')

diff --git a/src/azure-firewall/azext_firewall/custom.py b/src/azure-firewall/azext_firewall/custom.py
@@ -65,7 +65,8 @@ def _find_item_at_path(instance, path):
 # region AzureFirewall
 def create_azure_firewall(cmd, resource_group_name, azure_firewall_name, location=None,
                           tags=None, zones=None, private_ranges=None, firewall_policy=None,
-                          virtual_hub=None, sku=None):
+                          virtual_hub=None, sku=None,
+                          dns_servers=None, enable_dns_proxy=None, dns_require_proxy_for_network_rules=None):
     client = network_client_factory(cmd.cli_ctx).azure_firewalls
     AzureFirewall, SubResource, AzureFirewallSku = cmd.get_models('AzureFirewall', 'SubResource', 'AzureFirewallSku')
     sku_instance = AzureFirewallSku(name=sku, tier='Standard')
@@ -80,11 +81,18 @@ def create_azure_firewall(cmd, resource_group_name, azure_firewall_name, locatio
         if firewall.additional_properties is None:
             firewall.additional_properties = {}
         firewall.additional_properties['Network.SNAT.PrivateRanges'] = private_ranges
+
+    firewall.additional_properties['DNSEnableProxy'] = enable_dns_proxy if enable_dns_proxy is not None else False
+    firewall.additional_properties['DNSRequireProxyForNetworkRules'] = \
+        dns_require_proxy_for_network_rules if dns_require_proxy_for_network_rules is not None else True
+    firewall.additional_properties['DNSServer'] = dns_servers
+
     return client.create_or_update(resource_group_name, azure_firewall_name, firewall)
 
 
 def update_azure_firewall(cmd, instance, tags=None, zones=None, private_ranges=None,
-                          firewall_policy=None, virtual_hub=None):
+                          firewall_policy=None, virtual_hub=None,
+                          dns_servers=None, enable_dns_proxy=None, dns_require_proxy_for_network_rules=None):
     SubResource = cmd.get_models('SubResource')
     if tags is not None:
         instance.tags = tags
@@ -101,6 +109,14 @@ def update_azure_firewall(cmd, instance, tags=None, zones=None, private_ranges=N
             instance.virtual_hub = None
         else:
             instance.virtual_hub = SubResource(id=virtual_hub)
+
+    if enable_dns_proxy is not None:
+        instance.additional_properties['DNSEnableProxy'] = enable_dns_proxy
+    if dns_require_proxy_for_network_rules is not None:
+        instance.additional_properties['DNSRequireProxyForNetworkRules'] = dns_require_proxy_for_network_rules
+    if dns_servers is not None:
+        instance.additional_properties['DNSServer'] = dns_servers
+
     return instance
 
 

diff --git a/src/azure-firewall/azext_firewall/tests/latest/recordings/test_azure_firewall_ip_config.yaml b/src/azure-firewall/azext_firewall/tests/latest/recordings/test_azure_firewall_ip_config.yaml
@@ -285,7 +285,7 @@ interactions:
       accept-language:
       - en-US
     method: PUT
-    uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_azure_firewall_ip_config000001/providers/Microsoft.Network/publicIPAddresses/pubip?api-version=2020-03-01
+    uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_azure_firewall_ip_config000001/providers/Microsoft.Network/publicIPAddresses/pubip?api-version=2020-04-01
   response:
     body:
       string: "{\r\n  \"name\": \"pubip\",\r\n  \"id\": \"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_azure_firewall_ip_config000001/providers/Microsoft.Network/publicIPAddresses/pubip\",\r\n
@@ -391,7 +391,7 @@ interactions:
       - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2
         azure-mgmt-network/9.0.0 Azure-SDK-For-Python AZURECLI/2.0.81
     method: GET
-    uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_azure_firewall_ip_config000001/providers/Microsoft.Network/publicIPAddresses/pubip?api-version=2020-03-01
+    uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_azure_firewall_ip_config000001/providers/Microsoft.Network/publicIPAddresses/pubip?api-version=2020-04-01
   response:
     body:
       string: "{\r\n  \"name\": \"pubip\",\r\n  \"id\": \"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_azure_firewall_ip_config000001/providers/Microsoft.Network/publicIPAddresses/pubip\",\r\n
@@ -502,7 +502,7 @@ interactions:
       accept-language:
       - en-US
     method: PUT
-    uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_azure_firewall_ip_config000001/providers/Microsoft.Network/publicIPAddresses/pubip2?api-version=2020-03-01
+    uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_azure_firewall_ip_config000001/providers/Microsoft.Network/publicIPAddresses/pubip2?api-version=2020-04-01
   response:
     body:
       string: "{\r\n  \"name\": \"pubip2\",\r\n  \"id\": \"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_azure_firewall_ip_config000001/providers/Microsoft.Network/publicIPAddresses/pubip2\",\r\n
@@ -608,7 +608,7 @@ interactions:
       - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2
         azure-mgmt-network/9.0.0 Azure-SDK-For-Python AZURECLI/2.0.81
     method: GET
-    uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_azure_firewall_ip_config000001/providers/Microsoft.Network/publicIPAddresses/pubip2?api-version=2020-03-01
+    uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_azure_firewall_ip_config000001/providers/Microsoft.Network/publicIPAddresses/pubip2?api-version=2020-04-01
   response:
     body:
       string: "{\r\n  \"name\": \"pubip2\",\r\n  \"id\": \"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_azure_firewall_ip_config000001/providers/Microsoft.Network/publicIPAddresses/pubip2\",\r\n
@@ -720,7 +720,7 @@ interactions:
       accept-language:
       - en-US
     method: PUT
-    uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_azure_firewall_ip_config000001/providers/Microsoft.Network/virtualNetworks/myvnet?api-version=2020-03-01
+    uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_azure_firewall_ip_config000001/providers/Microsoft.Network/virtualNetworks/myvnet?api-version=2020-04-01
   response:
     body:
       string: "{\r\n  \"name\": \"myvnet\",\r\n  \"id\": \"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_azure_firewall_ip_config000001/providers/Microsoft.Network/virtualNetworks/myvnet\",\r\n
@@ -835,7 +835,7 @@ interactions:
       - python/3.8.0 (Windows-10-10.0.18362-SP0) msrest/0.6.10 msrest_azure/0.6.2
         azure-mgmt-network/9.0.0 Azure-SDK-For-Python AZURECLI/2.0.81
     method: GET
-    uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_azure_firewall_ip_config000001/providers/Microsoft.Network/virtualNetworks/myvnet?api-version=2020-03-01
+    uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_azure_firewall_ip_config000001/providers/Microsoft.Network/virtualNetworks/myvnet?api-version=2020-04-01
   response:
     body:
       string: "{\r\n  \"name\": \"myvnet\",\r\n  \"id\": \"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_azure_firewall_ip_config000001/providers/Microsoft.Network/virtualNetworks/myvnet\",\r\n