new dns proxy enabled property

hashicorp · Sep 11, 2023 · 4bfb6eb · 4bfb6eb
1 parent 749399b
commit 4bfb6eb
Show file tree

Hide file tree

Showing 7 changed files with 77 additions and 37 deletions.
diff --git a/internal/services/firewall/firewall_data_source.go b/internal/services/firewall/firewall_data_source.go
@@ -117,6 +117,12 @@ func firewallDataSource() *pluginsdk.Resource {
 				},
 			},
 
+			"dns_proxy_enabled": {
+				Type:     pluginsdk.TypeBool,
+				Optional: true,
+				Computed: true,
+			},
+
 			"virtual_hub": {
 				Type:     pluginsdk.TypeList,
 				Computed: true,
@@ -191,7 +197,11 @@ func firewallDataSourceRead(d *pluginsdk.ResourceData, meta interface{}) error {
 
 		d.Set("threat_intel_mode", string(props.ThreatIntelMode))
 
-		if err := d.Set("dns_servers", flattenFirewallDNSServers(props.AdditionalProperties)); err != nil {
+		dnsProxyEnabeld, dnsServers := flattenFirewallAdditionalProperty(props.AdditionalProperties)
+		if err := d.Set("dns_proxy_enabled", dnsProxyEnabeld); err != nil {
+			return fmt.Errorf("setting `dns_proxy_enabled`: %+v", err)
+		}
+		if err := d.Set("dns_servers", dnsServers); err != nil {
 			return fmt.Errorf("setting `dns_servers`: %+v", err)
 		}
 

diff --git a/internal/services/firewall/firewall_data_source_test.go b/internal/services/firewall/firewall_data_source_test.go
@@ -153,7 +153,7 @@ data "azurerm_firewall" "test" {
   name                = azurerm_firewall.test.name
   resource_group_name = azurerm_resource_group.test.name
 }
-`, FirewallResource{}.enableDNS(data, dnsServers...))
+`, FirewallResource{}.enableDNS(data, true, dnsServers...))
 }
 
 func (FirewallDataSource) withManagementIp(data acceptance.TestData) string {

diff --git a/internal/services/firewall/firewall_network_rule_collection_resource_test.go b/internal/services/firewall/firewall_network_rule_collection_resource_test.go
@@ -875,7 +875,7 @@ resource "azurerm_firewall_network_rule_collection" "test" {
     ]
   }
 }
-`, FirewallResource{}.enableDNS(data, "1.1.1.1", "8.8.8.8"))
+`, FirewallResource{}.enableDNS(data, true, "1.1.1.1", "8.8.8.8"))
 }
 
 func (r FirewallNetworkRuleCollectionResource) noSource(data acceptance.TestData) string {

diff --git a/internal/services/firewall/firewall_resource.go b/internal/services/firewall/firewall_resource.go
@@ -9,6 +9,7 @@ import (
 	"strings"
 	"time"
 
+	"github.com/hashicorp/go-azure-helpers/lang/pointer"
 	"github.com/hashicorp/go-azure-helpers/resourcemanager/commonids"
 	"github.com/hashicorp/go-azure-helpers/resourcemanager/commonschema"
 	"github.com/hashicorp/go-azure-helpers/resourcemanager/location"
@@ -171,6 +172,12 @@ func resourceFirewall() *pluginsdk.Resource {
 				},
 			},
 
+			"dns_proxy_enabled": {
+				Type:     pluginsdk.TypeBool,
+				Optional: true,
+				Computed: true,
+			},
+
 			"private_ip_ranges": {
 				Type:     pluginsdk.TypeSet,
 				Optional: true,
@@ -326,7 +333,7 @@ func resourceFirewallCreateUpdate(d *pluginsdk.ResourceData, meta interface{}) e
 		parameters.Sku.Tier = network.AzureFirewallSkuTier(skuTier)
 	}
 
-	if dnsServerSetting := expandFirewallDNSServers(d.Get("dns_servers").([]interface{})); dnsServerSetting != nil {
+	if dnsServerSetting := expandFirewallAdditionalProperty(d); dnsServerSetting != nil {
 		for k, v := range dnsServerSetting {
 			parameters.AdditionalProperties[k] = v
 		}
@@ -426,7 +433,11 @@ func resourceFirewallRead(d *pluginsdk.ResourceData, meta interface{}) error {
 
 		d.Set("threat_intel_mode", string(props.ThreatIntelMode))
 
-		if err := d.Set("dns_servers", flattenFirewallDNSServers(props.AdditionalProperties)); err != nil {
+		dnsProxyEnabled, dnsServers := flattenFirewallAdditionalProperty(props.AdditionalProperties)
+		if err := d.Set("dns_proxy_enabled", dnsProxyEnabled); err != nil {
+			return fmt.Errorf("setting `dns_proxy_enabled`: %+v", err)
+		}
+		if err := d.Set("dns_servers", dnsServers); err != nil {
 			return fmt.Errorf("setting `dns_servers`: %+v", err)
 		}
 
@@ -625,42 +636,38 @@ func flattenFirewallIPConfigurations(input *[]network.AzureFirewallIPConfigurati
 	return result
 }
 
-func expandFirewallDNSServers(input []interface{}) map[string]*string {
-	if len(input) == 0 {
-		return nil
+func expandFirewallAdditionalProperty(d *pluginsdk.ResourceData) map[string]*string {
+	res := map[string]*string{}
+	if servers := d.Get("dns_servers").([]interface{}); len(servers) > 0 {
+		var servs []string
+		for _, server := range servers {
+			servs = append(servs, server.(string))
+		}
+		res["Network.DNS.EnableProxy"] = pointer.To("true")
+		res["Network.DNS.Servers"] = pointer.To(strings.Join(servs, ","))
 	}
-
-	var servers []string
-	for _, server := range input {
-		servers = append(servers, server.(string))
+	if enabled := d.Get("dns_proxy_enabled").(bool); enabled {
+		res["Network.DNS.EnableProxy"] = pointer.To("true")
 	}
-
 	// Swagger issue asking finalize these properties: https://github.com/Azure/azure-rest-api-specs/issues/11278
-	return map[string]*string{
-		"Network.DNS.EnableProxy": utils.String("true"),
-		"Network.DNS.Servers":     utils.String(strings.Join(servers, ",")),
-	}
+	return res
 }
 
-func flattenFirewallDNSServers(input map[string]*string) []interface{} {
+func flattenFirewallAdditionalProperty(input map[string]*string) (enabled interface{}, servers []interface{}) {
 	if len(input) == 0 {
-		return nil
+		return nil, nil
 	}
 
-	enabled := false
 	if enabledPtr := input["Network.DNS.EnableProxy"]; enabledPtr != nil {
 		enabled = *enabledPtr == "true"
-	}
 
-	if !enabled {
-		return nil
-	}
-
-	servers := []string{}
-	if serversPtr := input["Network.DNS.Servers"]; serversPtr != nil {
-		servers = strings.Split(*serversPtr, ",")
+		if serversPtr := input["Network.DNS.Servers"]; serversPtr != nil {
+			for _, val := range strings.Split(*serversPtr, ",") {
+				servers = append(servers, val)
+			}
+		}
 	}
-	return utils.FlattenStringSlice(&servers)
+	return
 }
 
 func expandFirewallPrivateIpRange(input []interface{}) map[string]*string {

diff --git a/internal/services/firewall/firewall_resource_test.go b/internal/services/firewall/firewall_resource_test.go
@@ -68,14 +68,21 @@ func TestAccFirewall_enableDNS(t *testing.T) {
 		},
 		data.ImportStep(),
 		{
-			Config: r.enableDNS(data, "1.1.1.1", "8.8.8.8"),
+			Config: r.enableDNS(data, true, "1.1.1.1"),
 			Check: acceptance.ComposeTestCheckFunc(
 				check.That(data.ResourceName).ExistsInAzure(r),
 			),
 		},
 		data.ImportStep(),
 		{
-			Config: r.enableDNS(data, "1.1.1.1"),
+			Config: r.enableDNS(data, true),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+			),
+		},
+		data.ImportStep(),
+		{
+			Config: r.enableDNS(data, false),
 			Check: acceptance.ComposeTestCheckFunc(
 				check.That(data.ResourceName).ExistsInAzure(r),
 			),
@@ -507,10 +514,20 @@ resource "azurerm_firewall" "test" {
 `, data.RandomInteger, data.Locations.Primary, data.RandomInteger, data.RandomInteger, data.RandomInteger)
 }
 
-func (FirewallResource) enableDNS(data acceptance.TestData, dnsServers ...string) string {
-	servers := make([]string, len(dnsServers))
-	for idx, server := range dnsServers {
-		servers[idx] = fmt.Sprintf(`"%s"`, server)
+func (FirewallResource) enableDNS(data acceptance.TestData, enableProxy bool, dnsServers ...string) string {
+	dnsServersStr := ""
+	if len(dnsServers) > 0 {
+		servers := make([]string, len(dnsServers))
+		for idx, server := range dnsServers {
+			servers[idx] = fmt.Sprintf(`"%s"`, server)
+		}
+		dnsServersStr = fmt.Sprintf("dns_servers = [%s]", strings.Join(servers, ", "))
+	}
+	enableProxyStr := ""
+	if enableProxy {
+		enableProxyStr = "dns_proxy_enabled = true"
+	} else {
+		enableProxyStr = "dns_proxy_enabled = false"
 	}
 
 	return fmt.Sprintf(`
@@ -558,9 +575,11 @@ resource "azurerm_firewall" "test" {
     public_ip_address_id = azurerm_public_ip.test.id
   }
   threat_intel_mode = "Deny"
-  dns_servers       = [%s]
+  %s
+  %s
 }
-`, data.RandomInteger, data.Locations.Primary, data.RandomInteger, data.RandomInteger, data.RandomInteger, strings.Join(servers, ","))
+`, data.RandomInteger, data.Locations.Primary, data.RandomInteger, data.RandomInteger, data.RandomInteger,
+		dnsServersStr, enableProxyStr)
 }
 
 func (FirewallResource) withManagementIp(data acceptance.TestData) string {

diff --git a/website/docs/d/firewall.html.markdown b/website/docs/d/firewall.html.markdown
@@ -48,6 +48,8 @@ The following attributes are exported:
 
 * `dns_servers` - The list of DNS servers that the Azure Firewall will direct DNS traffic to for name resolution.
 
+* `dns_proxy_enabled` - Whether DNS proxy is enabled. It will forward DNS requests to the DNS servers when set to `true`.
+
 * `management_ip_configuration` - A `management_ip_configuration` block as defined below, which allows force-tunnelling of traffic to be performed by the firewall.
 
 * `threat_intel_mode` - The operation mode for threat intelligence-based filtering.

diff --git a/website/docs/r/firewall.html.markdown b/website/docs/r/firewall.html.markdown
@@ -76,6 +76,8 @@ The following arguments are supported:
 
 * `dns_servers` - (Optional) A list of DNS servers that the Azure Firewall will direct DNS traffic to the for name resolution.
 
+* `dns_proxy_enabled` - (Optional) Whether DNS proxy is enabled. It will forward DNS requests to the DNS servers when set to `true`.
+
 * `private_ip_ranges` - (Optional) A list of SNAT private CIDR IP ranges, or the special string `IANAPrivateRanges`, which indicates Azure Firewall does not SNAT when the destination IP address is a private range per IANA RFC 1918.
 
 * `management_ip_configuration` - (Optional) A `management_ip_configuration` block as documented below, which allows force-tunnelling of traffic to be performed by the firewall. Adding or removing this block or changing the `subnet_id` in an existing block forces a new resource to be created. Changing this forces a new resource to be created.