From 88f7e1719efdf72b5d308a30137612de5594377a Mon Sep 17 00:00:00 2001 From: "Till Markus (INST-CSS/BSV-OS)" Date: Thu, 28 Mar 2019 07:29:43 +0100 Subject: [PATCH 1/5] application gateway: add advanced ssl_policies --- azurerm/resource_arm_application_gateway.go | 160 ++++++++- .../resource_arm_application_gateway_test.go | 322 +++++++++++++++++- .../docs/r/application_gateway.html.markdown | 26 +- 3 files changed, 496 insertions(+), 12 deletions(-) diff --git a/azurerm/resource_arm_application_gateway.go b/azurerm/resource_arm_application_gateway.go index 58bea99717ab..5aca35066e72 100644 --- a/azurerm/resource_arm_application_gateway.go +++ b/azurerm/resource_arm_application_gateway.go @@ -14,6 +14,15 @@ import ( "github.com/terraform-providers/terraform-provider-azurerm/azurerm/utils" ) +// See https://github.com/Azure/azure-sdk-for-go/blob/master/services/network/mgmt/2018-04-01/network/models.go +func possibleArmApplicationGatewaySslCipherSuiteValues() []string { + cipherSuites := make([]string, 0) + for _, cipherSuite := range network.PossibleApplicationGatewaySslCipherSuiteValues() { + cipherSuites = append(cipherSuites, string(cipherSuite)) + } + return cipherSuites +} + func resourceArmApplicationGateway() *schema.Resource { return &schema.Resource{ Create: resourceArmApplicationGatewayCreateUpdate, @@ -635,8 +644,9 @@ func resourceArmApplicationGateway() *schema.Resource { // TODO: @tombuildsstuff deprecate this in favour of a full `ssl_protocol` block in the future "disabled_ssl_protocols": { - Type: schema.TypeList, - Optional: true, + Type: schema.TypeList, + Optional: true, + Deprecated: "has been replaced by `ssl_policy`.`disabled_protocols`", Elem: &schema.Schema{ Type: schema.TypeString, DiffSuppressFunc: suppress.CaseDifference, 
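Review bot: `possibleArmApplicationGatewaySslCipherSuiteValues` builds its result with `make([]string, 0)` and grows it by `append` although the final length is known before the loop; `values := network.PossibleApplicationGatewaySslCipherSuiteValues()` followed by `cipherSuites := make([]string, 0, len(values))` sizes it once and reads more clearly. The header comment links the SDK file on `master`; pinning the link to the SDK tag the module actually vendors keeps the reference stable as that branch moves.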
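Review bot: Deprecating `disabled_ssl_protocols` leaves nothing in the schema that rejects a configuration setting both it and the new `ssl_policy` block, although the docs in this patch describe the two as not compatible; `ConflictsWith: []string{"ssl_policy"}` on this attribute would surface the clash at plan time instead of leaving `expandApplicationGatewaySslPolicy` to pick one silently. Whether the SDK accepts `ConflictsWith` here depends on how the attribute ends up being flagged in the final schema, so confirm it against the other flags before relying on it.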
@@ -648,6 +658,66 @@ func resourceArmApplicationGateway() *schema.Resource { }, }, + "ssl_policy": { + Type: schema.TypeList, + Optional: true, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "disabled_protocols": { + Type: schema.TypeList, + Optional: true, + Elem: &schema.Schema{ + Type: schema.TypeString, + DiffSuppressFunc: suppress.CaseDifference, + ValidateFunc: validation.StringInSlice([]string{ + string(network.TLSv10), + string(network.TLSv11), + string(network.TLSv12), + }, true), + }, + }, + + "policy_type": { + Type: schema.TypeString, + Optional: true, + Elem: &schema.Schema{ + Type: schema.TypeString, + ValidateFunc: validation.StringInSlice([]string{ + string(network.Custom), + string(network.Predefined), + }, true), + }, + }, + + "policy_name": { + Type: schema.TypeString, + Optional: true, + }, + + "cipher_suites": { + Type: schema.TypeList, + Optional: true, + Elem: &schema.Schema{ + Type: schema.TypeString, + DiffSuppressFunc: suppress.CaseDifference, + ValidateFunc: validation.StringInSlice(possibleArmApplicationGatewaySslCipherSuiteValues(), true), + }, + }, + + "min_protocol_version": { + Type: schema.TypeString, + Optional: true, + DiffSuppressFunc: suppress.CaseDifference, + ValidateFunc: validation.StringInSlice([]string{ + string(network.TLSv10), + string(network.TLSv11), + string(network.TLSv12), + }, true), + }, + }, + }, + }, + "enable_http2": { Type: schema.TypeBool, Optional: true, @@ -1228,6 +1298,10 @@ func resourceArmApplicationGatewayRead(d *schema.ResourceData, meta interface{}) return fmt.Errorf("Error setting `disabled_ssl_protocols`: %+v", setErr) } + if setErr := d.Set("ssl_policy", flattenApplicationGatewaySslPolicy(props.SslPolicy)); setErr != nil { + return fmt.Errorf("Error setting `ssl_policy`: %+v", setErr) + } + d.Set("enable_http2", props.EnableHTTP2) httpListeners, err := flattenApplicationGatewayHTTPListeners(props.HTTPListeners) 
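Review bot: `policy_type` is declared `schema.TypeString` but its `ValidateFunc` sits on a nested `Elem` schema, which the SDK only consults for list, set and map types, so the `Custom`/`Predefined` check never runs and an arbitrary string reaches the API. The validator belongs directly on the attribute; the same pattern survives unchanged in the `@@ -687,7 +687,7 @@` hunk of patch 3, which only toggles the case flag inside the unused `Elem`. The `ssl_policy` list also lacks `MaxItems: 1` while `expandApplicationGatewaySslPolicy` reads only `vs[0]`, so a second block is silently ignored. The excerpt below applies both changes; the enclosing `resourceArmApplicationGateway` schema continues outside the hunk.
```go
"ssl_policy": {
	Type:     schema.TypeList,
	Optional: true,
	MaxItems: 1,
	Elem: &schema.Resource{
		Schema: map[string]*schema.Schema{
			// … unchanged: disabled_protocols …

			"policy_type": {
				Type:     schema.TypeString,
				Optional: true,
				ValidateFunc: validation.StringInSlice([]string{
					string(network.Custom),
					string(network.Predefined),
				}, true),
			},

			// … unchanged: policy_name, cipher_suites, min_protocol_version …
		},
	},
},
```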
@@ -1661,16 +1735,86 @@ func flattenApplicationGatewayConnectionDraining(input *network.ApplicationGatew } func expandApplicationGatewaySslPolicy(d *schema.ResourceData) *network.ApplicationGatewaySslPolicy { - vs := d.Get("disabled_ssl_protocols").([]interface{}) - results := make([]network.ApplicationGatewaySslProtocol, 0) + policy := network.ApplicationGatewaySslPolicy{} + vs := d.Get("ssl_policy").([]interface{}) + if len(vs) == 0 { + return &policy + } + v := vs[0].(map[string]interface{}) + + disabledSSLPolicies := make([]network.ApplicationGatewaySslProtocol, 0) + for _, policy := range v["disabled_protocols"].([]interface{}) { + disabledSSLPolicies = append(disabledSSLPolicies, network.ApplicationGatewaySslProtocol(policy.(string))) + } + if len(disabledSSLPolicies) == 0 { + for _, policy := range d.Get("disabled_ssl_protocols").([]interface{}) { + disabledSSLPolicies = append(disabledSSLPolicies, network.ApplicationGatewaySslProtocol(policy.(string))) + } + } + + if len(disabledSSLPolicies) > 0 { + policy = network.ApplicationGatewaySslPolicy{ + DisabledSslProtocols: &disabledSSLPolicies, + } + } else { + policyType := network.ApplicationGatewaySslPolicyType(v["policy_type"].(string)) + + if policyType == network.Predefined { + policyName := network.ApplicationGatewaySslPolicyName(v["policy_name"].(string)) + + policy = network.ApplicationGatewaySslPolicy{ + PolicyType: policyType, + PolicyName: policyName, + } + } else if policyType == network.Custom { + minProtocolVersion := network.ApplicationGatewaySslProtocol(v["min_protocol_version"].(string)) + + cipherSuites := make([]network.ApplicationGatewaySslCipherSuite, 0) + for _, cipherSuite := range v["cipher_suites"].([]interface{}) { + cipherSuites = append(cipherSuites, network.ApplicationGatewaySslCipherSuite(cipherSuite.(string))) + } - for _, v := range vs { - results = append(results, network.ApplicationGatewaySslProtocol(v.(string))) + policy = network.ApplicationGatewaySslPolicy{ + PolicyType: 
policyType, + MinProtocolVersion: minProtocolVersion, + CipherSuites: &cipherSuites, + } + } } - return &network.ApplicationGatewaySslPolicy{ - DisabledSslProtocols: &results, + return &policy +} + +func flattenApplicationGatewaySslPolicy(input *network.ApplicationGatewaySslPolicy) []interface{} { + results := make([]interface{}, 0) + + if input == nil { + return results } + + output := map[string]interface{}{} + output["policy_name"] = input.PolicyName + output["policy_type"] = input.PolicyType + output["min_protocol_version"] = input.MinProtocolVersion + + if input.CipherSuites != nil { + cipherSuites := make([]interface{}, 0) + for _, v := range *input.CipherSuites { + cipherSuites = append(cipherSuites, string(v)) + } + output["cipher_suites"] = cipherSuites + } + + if input.DisabledSslProtocols != nil { + disabledSslProtocols := make([]interface{}, 0) + for _, v := range *input.DisabledSslProtocols { + disabledSslProtocols = append(disabledSslProtocols, string(v)) + } + output["disabled_protocols"] = disabledSslProtocols + } + + results = append(results, output) + return results } func flattenApplicationGatewayDisabledSSLProtocols(input *network.ApplicationGatewaySslPolicy) []interface{} { diff --git a/azurerm/resource_arm_application_gateway_test.go b/azurerm/resource_arm_application_gateway_test.go index 3f62b1c5fbcf..de24a815660f 100644 --- a/azurerm/resource_arm_application_gateway_test.go +++ b/azurerm/resource_arm_application_gateway_test.go 
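Review bot: The early `if len(vs) == 0 { return &policy }` runs before the fallback that reads `disabled_ssl_protocols`, so a configuration that still uses only the deprecated attribute now sends an empty policy and the protocols it had disabled are re-enabled on the gateway; the fallback is reachable only when an `ssl_policy` block is present, which is the one case where it is not needed. The deprecated list has to be read before deciding whether there is anything to send; the reordered prelude below keeps the block's own `disabled_protocols` taking precedence and leaves the `policy_type` handling as it is. Two smaller points in the same hunk: the loop variables named `policy` shadow the `policy` result being built, and `flattenApplicationGatewaySslPolicy` stores `input.PolicyName`, `input.PolicyType` and `input.MinProtocolVersion` as their SDK named string types while it converts the two slices with `string(v)` — `string(input.PolicyName)` and friends would be consistent and not rely on the field writer coercing named types.
```go
func expandApplicationGatewaySslPolicy(d *schema.ResourceData) *network.ApplicationGatewaySslPolicy {
	policy := network.ApplicationGatewaySslPolicy{}

	vs := d.Get("ssl_policy").([]interface{})
	v := map[string]interface{}{}
	if len(vs) > 0 {
		v = vs[0].(map[string]interface{})
	}

	disabledSSLPolicies := make([]network.ApplicationGatewaySslProtocol, 0)
	if raw, ok := v["disabled_protocols"].([]interface{}); ok {
		for _, p := range raw {
			disabledSSLPolicies = append(disabledSSLPolicies, network.ApplicationGatewaySslProtocol(p.(string)))
		}
	}
	// Fall back to the deprecated top-level attribute whether or not an
	// `ssl_policy` block exists, so existing configurations keep their settings.
	if len(disabledSSLPolicies) == 0 {
		for _, p := range d.Get("disabled_ssl_protocols").([]interface{}) {
			disabledSSLPolicies = append(disabledSSLPolicies, network.ApplicationGatewaySslProtocol(p.(string)))
		}
	}

	if len(disabledSSLPolicies) > 0 {
		policy.DisabledSslProtocols = &disabledSSLPolicies
		return &policy
	}
	if len(vs) == 0 {
		return &policy
	}

	// … unchanged: policy_type / policy_name / cipher_suites handling using v …
```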
@@ -725,6 +725,72 @@ func TestAccAzureRMApplicationGateway_webApplicationFirewall_exclusions(t *testi }) } +func TestAccAzureRMApplicationGateway_sslPolicy_policyType_predefined(t *testing.T) { + resourceName := "azurerm_application_gateway.test" + ri := tf.AccRandTimeInt() + + resource.ParallelTest(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testCheckAzureRMApplicationGatewayDestroy, + Steps: []resource.TestStep{ + { + Config: testAccAzureRMApplicationGateway_sslPolicy_policyType_predefined(ri, testLocation()), + Check: resource.ComposeTestCheckFunc( + testCheckAzureRMApplicationGatewayExists(resourceName), + resource.TestCheckResourceAttr(resourceName, "ssl_policy.0.policy_type", "Predefined"), + resource.TestCheckResourceAttr(resourceName, "ssl_policy.0.policy_name", "AppGwSslPolicy20170401S"), + ), + }, + }, + }) +} + +func TestAccAzureRMApplicationGateway_sslPolicy_policyType_custom(t *testing.T) { + resourceName := "azurerm_application_gateway.test" + ri := tf.AccRandTimeInt() + + resource.ParallelTest(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testCheckAzureRMApplicationGatewayDestroy, + Steps: []resource.TestStep{ + { + Config: testAccAzureRMApplicationGateway_sslPolicy_policyType_custom(ri, testLocation()), + Check: resource.ComposeTestCheckFunc( + testCheckAzureRMApplicationGatewayExists(resourceName), + resource.TestCheckResourceAttr(resourceName, "ssl_policy.0.policy_type", "Custom"), + resource.TestCheckResourceAttr(resourceName, "ssl_policy.0.min_protocol_version", "TLSv1_1"), + resource.TestCheckResourceAttr(resourceName, "ssl_policy.0.cipher_suites.0", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"), + resource.TestCheckResourceAttr(resourceName, "ssl_policy.0.cipher_suites.1", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"), + resource.TestCheckResourceAttr(resourceName, "ssl_policy.0.cipher_suites.2", 
"TLS_RSA_WITH_AES_128_GCM_SHA256"), + ), + }, + }, + }) +} + +func TestAccAzureRMApplicationGateway_sslPolicy_disabledSslProtocols(t *testing.T) { + resourceName := "azurerm_application_gateway.test" + ri := tf.AccRandTimeInt() + + resource.ParallelTest(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testCheckAzureRMApplicationGatewayDestroy, + Steps: []resource.TestStep{ + { + Config: testAccAzureRMApplicationGateway_sslPolicy_disabledSslProtocols(ri, testLocation()), + Check: resource.ComposeTestCheckFunc( + testCheckAzureRMApplicationGatewayExists(resourceName), + resource.TestCheckResourceAttr(resourceName, "ssl_policy.0.disabled_protocols.0", "TLSv1_0"), + resource.TestCheckResourceAttr(resourceName, "ssl_policy.0.disabled_protocols.1", "TLSv1_1"), + ), + }, + }, + }) +} + func testCheckAzureRMApplicationGatewayExists(resourceName string) resource.TestCheckFunc { return func(s *terraform.State) error { rs, ok := s.RootModule().Resources[resourceName] 
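Review bot: None of the three new acceptance tests has an import step, so the round trip through `flattenApplicationGatewaySslPolicy` is never compared with what `Read` writes back; a second `resource.TestStep{ResourceName: resourceName, ImportState: true, ImportStateVerify: true}` after each apply step would catch an `ssl_policy`/`disabled_ssl_protocols` mismatch in state, which is the kind of drift a deprecated mirror attribute makes likely. If the other tests in this file already use such a step, matching their shape keeps the file consistent. The `_custom` test pins the cipher suites by list index (`cipher_suites.0` to `.2`), which is valid for a `TypeList` but worth a short comment in case the service returns them in a different order.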
@@ -2293,9 +2359,259 @@ resource "azurerm_application_gateway" "test" { capacity = 1 } - disabled_ssl_protocols = [ - "TLSv1_0", - ] + ssl_policy { + policy_name = "AppGwSslPolicy20170401S" + policy_type = "Predefined" + } + + waf_configuration { + enabled = true + firewall_mode = "Detection" + rule_set_type = "OWASP" + rule_set_version = "3.0" + } + + gateway_ip_configuration { + name = "my-gateway-ip-configuration" + subnet_id = "${azurerm_subnet.test.id}" + } + + frontend_port { + name = "${local.frontend_port_name}" + port = 80 + } + + frontend_ip_configuration { + name = "${local.frontend_ip_configuration_name}" + public_ip_address_id = "${azurerm_public_ip.test.id}" + } + + backend_address_pool { + name = "${local.backend_address_pool_name}" + } + + backend_http_settings { + name = "${local.http_setting_name}" + cookie_based_affinity = "Disabled" + port = 80 + protocol = "Http" + request_timeout = 1 + } + + http_listener { + name = "${local.listener_name}" + frontend_ip_configuration_name = "${local.frontend_ip_configuration_name}" + frontend_port_name = "${local.frontend_port_name}" + protocol = "Http" + } + + request_routing_rule { + name = "${local.request_routing_rule_name}" + rule_type = "Basic" + http_listener_name = "${local.listener_name}" + backend_address_pool_name = "${local.backend_address_pool_name}" + backend_http_settings_name = "${local.http_setting_name}" + } +} +`, template, rInt) +} + +func testAccAzureRMApplicationGateway_sslPolicy_policyType_predefined(rInt int, location string) string { + template := testAccAzureRMApplicationGateway_template(rInt, location) + return fmt.Sprintf(` +%s + +# since these variables are re-used - a locals block makes this more maintainable +locals { + backend_address_pool_name = "${azurerm_virtual_network.test.name}-beap" + frontend_port_name = "${azurerm_virtual_network.test.name}-feport" + frontend_ip_configuration_name = "${azurerm_virtual_network.test.name}-feip" + http_setting_name = 
"${azurerm_virtual_network.test.name}-be-htst" + listener_name = "${azurerm_virtual_network.test.name}-httplstn" + request_routing_rule_name = "${azurerm_virtual_network.test.name}-rqrt" +} + +resource "azurerm_application_gateway" "test" { + name = "acctestag-%d" + resource_group_name = "${azurerm_resource_group.test.name}" + location = "${azurerm_resource_group.test.location}" + + sku { + name = "WAF_Medium" + tier = "WAF" + capacity = 1 + } + + ssl_policy { + policy_name = "AppGwSslPolicy20170401S" + policy_type = "Predefined" + } + + waf_configuration { + enabled = true + firewall_mode = "Detection" + rule_set_type = "OWASP" + rule_set_version = "3.0" + } + + gateway_ip_configuration { + name = "my-gateway-ip-configuration" + subnet_id = "${azurerm_subnet.test.id}" + } + + frontend_port { + name = "${local.frontend_port_name}" + port = 80 + } + + frontend_ip_configuration { + name = "${local.frontend_ip_configuration_name}" + public_ip_address_id = "${azurerm_public_ip.test.id}" + } + + backend_address_pool { + name = "${local.backend_address_pool_name}" + } + + backend_http_settings { + name = "${local.http_setting_name}" + cookie_based_affinity = "Disabled" + port = 80 + protocol = "Http" + request_timeout = 1 + } + + http_listener { + name = "${local.listener_name}" + frontend_ip_configuration_name = "${local.frontend_ip_configuration_name}" + frontend_port_name = "${local.frontend_port_name}" + protocol = "Http" + } + + request_routing_rule { + name = "${local.request_routing_rule_name}" + rule_type = "Basic" + http_listener_name = "${local.listener_name}" + backend_address_pool_name = "${local.backend_address_pool_name}" + backend_http_settings_name = "${local.http_setting_name}" + } +} +`, template, rInt) +} + +func testAccAzureRMApplicationGateway_sslPolicy_policyType_custom(rInt int, location string) string { + template := testAccAzureRMApplicationGateway_template(rInt, location) + return fmt.Sprintf(` +%s + +# since these variables are re-used - a 
locals block makes this more maintainable +locals { + backend_address_pool_name = "${azurerm_virtual_network.test.name}-beap" + frontend_port_name = "${azurerm_virtual_network.test.name}-feport" + frontend_ip_configuration_name = "${azurerm_virtual_network.test.name}-feip" + http_setting_name = "${azurerm_virtual_network.test.name}-be-htst" + listener_name = "${azurerm_virtual_network.test.name}-httplstn" + request_routing_rule_name = "${azurerm_virtual_network.test.name}-rqrt" +} + +resource "azurerm_application_gateway" "test" { + name = "acctestag-%d" + resource_group_name = "${azurerm_resource_group.test.name}" + location = "${azurerm_resource_group.test.location}" + + sku { + name = "WAF_Medium" + tier = "WAF" + capacity = 1 + } + + ssl_policy { + policy_type = "Custom" + min_protocol_version = "TLSv1_1" + cipher_suites = ["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_128_GCM_SHA256"] + } + + waf_configuration { + enabled = true + firewall_mode = "Detection" + rule_set_type = "OWASP" + rule_set_version = "3.0" + } + + gateway_ip_configuration { + name = "my-gateway-ip-configuration" + subnet_id = "${azurerm_subnet.test.id}" + } + + frontend_port { + name = "${local.frontend_port_name}" + port = 80 + } + + frontend_ip_configuration { + name = "${local.frontend_ip_configuration_name}" + public_ip_address_id = "${azurerm_public_ip.test.id}" + } + + backend_address_pool { + name = "${local.backend_address_pool_name}" + } + + backend_http_settings { + name = "${local.http_setting_name}" + cookie_based_affinity = "Disabled" + port = 80 + protocol = "Http" + request_timeout = 1 + } + + http_listener { + name = "${local.listener_name}" + frontend_ip_configuration_name = "${local.frontend_ip_configuration_name}" + frontend_port_name = "${local.frontend_port_name}" + protocol = "Http" + } + + request_routing_rule { + name = "${local.request_routing_rule_name}" + rule_type = "Basic" + http_listener_name = 
"${local.listener_name}" + backend_address_pool_name = "${local.backend_address_pool_name}" + backend_http_settings_name = "${local.http_setting_name}" + } +} +`, template, rInt) +} + +func testAccAzureRMApplicationGateway_sslPolicy_disabledSslProtocols(rInt int, location string) string { + template := testAccAzureRMApplicationGateway_template(rInt, location) + return fmt.Sprintf(` +%s + +# since these variables are re-used - a locals block makes this more maintainable +locals { + backend_address_pool_name = "${azurerm_virtual_network.test.name}-beap" + frontend_port_name = "${azurerm_virtual_network.test.name}-feport" + frontend_ip_configuration_name = "${azurerm_virtual_network.test.name}-feip" + http_setting_name = "${azurerm_virtual_network.test.name}-be-htst" + listener_name = "${azurerm_virtual_network.test.name}-httplstn" + request_routing_rule_name = "${azurerm_virtual_network.test.name}-rqrt" +} + +resource "azurerm_application_gateway" "test" { + name = "acctestag-%d" + resource_group_name = "${azurerm_resource_group.test.name}" + location = "${azurerm_resource_group.test.location}" + + sku { + name = "WAF_Medium" + tier = "WAF" + capacity = 1 + } + + ssl_policy { + disabled_protocols = ["TLSv1_0", "TLSv1_1"] + } waf_configuration { enabled = true diff --git a/website/docs/r/application_gateway.html.markdown b/website/docs/r/application_gateway.html.markdown index 93ea15f20050..e400cde1468f 100644 --- a/website/docs/r/application_gateway.html.markdown +++ b/website/docs/r/application_gateway.html.markdown 
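Review bot: The pre-existing config at the top of this hunk (its function starts outside the hunk) has its `disabled_ssl_protocols = ["TLSv1_0"]` replaced by the same `ssl_policy { policy_name = "AppGwSslPolicy20170401S" policy_type = "Predefined" }` block that the new `testAccAzureRMApplicationGateway_sslPolicy_policyType_predefined` config carries, so the deprecated attribute loses its only acceptance coverage and two configurations become identical. Keeping the deprecated attribute in the existing config would exercise the fallback path that this patch adds to `expandApplicationGatewaySslPolicy`. The three new configs repeat the same `locals` block and gateway skeleton around a three-line `ssl_policy` block; a helper that takes the `ssl_policy` body as one more `%s` argument over a shared skeleton would remove most of the duplication.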
@@ -147,7 +147,9 @@ The following arguments are supported: * `authentication_certificate` - (Optional) One or more `authentication_certificate` blocks as defined below. -* `disabled_ssl_protocols` - (Optional) A list of SSL Protocols which should be disabled on this Application Gateway. Possible values are `TLSv1_0`, `TLSv1_1` and `TLSv1_2`. +* `disabled_ssl_protocols` - Deprecated: replaced by `ssl_policy`. (Optional) A list of SSL Protocols which should be disabled on this Application Gateway. Possible values are `TLSv1_0`, `TLSv1_1` and `TLSv1_2`. Not compatible with `ssl_policy` + +* `ssl_policy` (Optional) ssl policys block as defined below. * `enable_http2` - (Optional) Is HTTP2 enabled on the application gateway resource? Defaults to `false`. 
@@ -381,6 +383,28 @@ A `url_path_map` block supports the following: * `path_rule` - (Required) One or more `path_rule` blocks as defined above. +--- + +A `ssl_policy` block supports the following: + +* `policy_type` - (Optional) The Type of the Policy. Required if `policy_name` is set. Possible values are `Predefined` and `Custom`. Not compatible with `disabled_protocols`. + +For `policy_type`=`Predefined`: + +* `policy_name` - (Optional) The Name of the Policy e.g AppGwSslPolicy20170401S. Required if `policy_type` is set to `Predefined`. Possible values can change over time and +are published here https://docs.microsoft.com/en-us/azure/application-gateway/application-gateway-ssl-policy-overview. Not compatible with `disabled_protocols`. + +For `policy_type`=`Custom`: + +* `min_protocol_version` - (Optional) The minimal TLS version Required if `policy_type` is set to `Custom`. Possible values can change over time and are published here https://docs.microsoft.com/en-us/azure/application-gateway/application-gateway-ssl-policy-overview. Not compatible with `disabled_protocols` + +* `cipher_suites` - (Optional) A List of accepted cipher suites Required if `policy_type` is set to `Custom`. Example ["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_128_GCM_SHA256"]. Possible values can change over time and are published here https://docs.microsoft.com/en-us/azure/application-gateway/application-gateway-ssl-policy-overview. Not compatible with `disabled_protocols` + +For `disabled_protocols`: + +* `disabled_protocols` - (Optional) A list of SSL Protocols which should be disabled on this Application Gateway. Possible values are `TLSv1_0`, `TLSv1_1` and `TLSv1_2`. Not compatible with `policy_name` / `policy_type` + + --- A `waf_configuration` block supports the following: From 83e211691f630026e4d2ba02f1801662fbf18c63 Mon Sep 17 00:00:00 2001 
From: "Till Markus (INST-CSS/BSV-OS)" Date: Fri, 3 May 2019 13:46:42 +0200 Subject: [PATCH 2/5] resource_arm_application_gateway: set disabled_protocols Computed: true to overcome conflicts in state with new ssl_policy block --- azurerm/resource_arm_application_gateway.go | 2 ++ 1 file changed, 2 insertions(+) diff --git a/azurerm/resource_arm_application_gateway.go b/azurerm/resource_arm_application_gateway.go index 5aca35066e72..b507a967181d 100644 --- a/azurerm/resource_arm_application_gateway.go +++ b/azurerm/resource_arm_application_gateway.go @@ -646,6 +646,7 @@ func resourceArmApplicationGateway() *schema.Resource { "disabled_ssl_protocols": { Type: schema.TypeList, Optional: true, + Computed: true, Deprecated: "has been replaced by `ssl_policy`.`disabled_protocols`", Elem: &schema.Schema{ Type: schema.TypeString, @@ -666,6 +667,7 @@ func resourceArmApplicationGateway() *schema.Resource { "disabled_protocols": { Type: schema.TypeList, Optional: true, + Computed: true, Elem: &schema.Schema{ Type: schema.TypeString, DiffSuppressFunc: suppress.CaseDifference, From 626783f7cb9c6800b7701be3dd3cc7ae3affaf6a Mon Sep 17 00:00:00 2001 From: "Till Markus (INST-CSS/BSV-OS)" Date: Sun, 5 May 2019 22:13:56 +0200 Subject: [PATCH 3/5] resource_arm_application_gateway: extend docs --- azurerm/resource_arm_application_gateway.go | 69 +++---- .../resource_arm_application_gateway_test.go | 176 ++++++++++++++---- .../docs/r/application_gateway.html.markdown | 24 ++- 3 files changed, 189 insertions(+), 80 deletions(-) diff --git a/azurerm/resource_arm_application_gateway.go b/azurerm/resource_arm_application_gateway.go index b507a967181d..7cba2593a0bb 100644 --- a/azurerm/resource_arm_application_gateway.go +++ b/azurerm/resource_arm_application_gateway.go 
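Review bot: Adding `Computed: true` to `disabled_ssl_protocols` and to `ssl_policy.disabled_protocols` removes the plan diff between the two representations, but an Optional+Computed list can no longer be cleared from configuration: removing the attribute makes Terraform keep the value already in state, so a protocol restriction, once applied, stays until the user switches representations. That trade-off may be acceptable for a deprecated attribute, but it should be stated in the resource docs next to the deprecation note. An alternative that keeps both attributes plain `Optional` is to have `Read` populate only the representation the user configured, e.g. `if _, ok := d.GetOk("disabled_ssl_protocols"); !ok { ... d.Set("ssl_policy", ...) }`; both hunks here (`@@ -646` and `@@ -666`) would then be unnecessary.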
@@ -642,7 +642,7 @@ func resourceArmApplicationGateway() *schema.Resource { }, }, - // TODO: @tombuildsstuff deprecate this in favour of a full `ssl_protocol` block in the future + // TODO: remove in 2.0 "disabled_ssl_protocols": { Type: schema.TypeList, Optional: true, @@ -662,6 +662,7 @@ func resourceArmApplicationGateway() *schema.Resource { "ssl_policy": { Type: schema.TypeList, Optional: true, + Computed: true, Elem: &schema.Resource{ Schema: map[string]*schema.Schema{ "disabled_protocols": { @@ -669,13 +670,12 @@ func resourceArmApplicationGateway() *schema.Resource { Optional: true, Computed: true, Elem: &schema.Schema{ - Type: schema.TypeString, - DiffSuppressFunc: suppress.CaseDifference, + Type: schema.TypeString, ValidateFunc: validation.StringInSlice([]string{ string(network.TLSv10), string(network.TLSv11), string(network.TLSv12), - }, true), + }, false), }, }, @@ -687,7 +687,7 @@ func resourceArmApplicationGateway() *schema.Resource { ValidateFunc: validation.StringInSlice([]string{ string(network.Custom), string(network.Predefined), - }, true), + }, false), }, }, @@ -700,21 +700,19 @@ func resourceArmApplicationGateway() *schema.Resource { Type: schema.TypeList, Optional: true, Elem: &schema.Schema{ - Type: schema.TypeString, - DiffSuppressFunc: suppress.CaseDifference, - ValidateFunc: validation.StringInSlice(possibleArmApplicationGatewaySslCipherSuiteValues(), true), + Type: schema.TypeString, + ValidateFunc: validation.StringInSlice(possibleArmApplicationGatewaySslCipherSuiteValues(), false), }, }, "min_protocol_version": { - Type: schema.TypeString, - Optional: true, - DiffSuppressFunc: suppress.CaseDifference, + Type: schema.TypeString, + Optional: true, ValidateFunc: validation.StringInSlice([]string{ string(network.TLSv10), string(network.TLSv11), string(network.TLSv12), - }, true), + }, false), }, }, }, 
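Review bot: `Computed: true` on the `ssl_policy` block itself (`@@ -662,6 +662,7 @@`) means that deleting the block from a configuration produces no diff, so a user cannot return the gateway to the service default by removing it and has to know to switch representations first. If that is intended it belongs in this patch's docs hunk; if not, `Computed` is only needed on the nested `disabled_protocols` list that the deprecated attribute mirrors, not on the block. Dropping `suppress.CaseDifference` and the case-insensitive `StringInSlice` flag on the nested attributes while the deprecated `disabled_ssl_protocols` element keeps its `DiffSuppressFunc` means the two inputs to the same API field are now normalised differently; making the deprecated one strict as well, or leaving both lenient, keeps behaviour predictable once both lists are merged in `expandApplicationGatewaySslPolicy`.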
@@ -1738,40 +1736,39 @@ func flattenApplicationGatewayConnectionDraining(input *network.ApplicationGatew func expandApplicationGatewaySslPolicy(d *schema.ResourceData) *network.ApplicationGatewaySslPolicy { policy := network.ApplicationGatewaySslPolicy{} + disabledSSLPolicies := make([]network.ApplicationGatewaySslProtocol, 0) + vs := d.Get("ssl_policy").([]interface{}) - if len(vs) == 0 { - return &policy + vsdsp := d.Get("disabled_ssl_protocols").([]interface{}) + + if len(vsdsp) == 0 && len(vs) == 0 { + policy = network.ApplicationGatewaySslPolicy{ + DisabledSslProtocols: &disabledSSLPolicies, + } } - v := vs[0].(map[string]interface{}) - disabledSSLPolicies := make([]network.ApplicationGatewaySslProtocol, 0) - for _, policy := range v["disabled_protocols"].([]interface{}) { + for _, policy := range vsdsp { disabledSSLPolicies = append(disabledSSLPolicies, network.ApplicationGatewaySslProtocol(policy.(string))) } - if len(disabledSSLPolicies) == 0 { - for _, policy := range d.Get("disabled_ssl_protocols").([]interface{}) { - disabledSSLPolicies = append(disabledSSLPolicies, network.ApplicationGatewaySslProtocol(policy.(string))) - } - } - if len(disabledSSLPolicies) > 0 { - policy = network.ApplicationGatewaySslPolicy{ - DisabledSslProtocols: &disabledSSLPolicies, - } - } else { + if len(vs) > 0 { + v := vs[0].(map[string]interface{}) policyType := network.ApplicationGatewaySslPolicyType(v["policy_type"].(string)) + for _, policy := range v["disabled_protocols"].([]interface{}) { + disabledSSLPolicies = append(disabledSSLPolicies, network.ApplicationGatewaySslProtocol(policy.(string))) + } + if policyType == network.Predefined { policyName := network.ApplicationGatewaySslPolicyName(v["policy_name"].(string)) - policy = network.ApplicationGatewaySslPolicy{ PolicyType: policyType, PolicyName: policyName, } } else if policyType == network.Custom { minProtocolVersion := network.ApplicationGatewaySslProtocol(v["min_protocol_version"].(string)) - cipherSuites := 
make([]network.ApplicationGatewaySslCipherSuite, 0) + for _, cipherSuite := range v["cipher_suites"].([]interface{}) { cipherSuites = append(cipherSuites, network.ApplicationGatewaySslCipherSuite(cipherSuite.(string))) } @@ -1784,6 +1781,12 @@ func expandApplicationGatewaySslPolicy(d *schema.ResourceData) *network.Applicat } } + if len(disabledSSLPolicies) > 0 { + policy = network.ApplicationGatewaySslPolicy{ + DisabledSslProtocols: &disabledSSLPolicies, + } + } + return &policy } @@ -1799,21 +1802,21 @@ func flattenApplicationGatewaySslPolicy(input *network.ApplicationGatewaySslPoli output["policy_type"] = input.PolicyType output["min_protocol_version"] = input.MinProtocolVersion + cipherSuites := make([]interface{}, 0) if input.CipherSuites != nil { - cipherSuites := make([]interface{}, 0) for _, v := range *input.CipherSuites { cipherSuites = append(cipherSuites, string(v)) } - output["cipher_suites"] = cipherSuites } + output["cipher_suites"] = cipherSuites + disabledSslProtocols := make([]interface{}, 0) if input.DisabledSslProtocols != nil { - disabledSslProtocols := make([]interface{}, 0) for _, v := range *input.DisabledSslProtocols { disabledSslProtocols = append(disabledSslProtocols, string(v)) } - output["disabled_protocols"] = disabledSslProtocols } + output["disabled_protocols"] = disabledSslProtocols results = append(results, output) return results diff --git a/azurerm/resource_arm_application_gateway_test.go b/azurerm/resource_arm_application_gateway_test.go index de24a815660f..a8da5c3aae0d 100644 --- a/azurerm/resource_arm_application_gateway_test.go +++ b/azurerm/resource_arm_application_gateway_test.go @@ -770,7 +770,7 @@ func TestAccAzureRMApplicationGateway_sslPolicy_policyType_custom(t *testing.T) }) } -func TestAccAzureRMApplicationGateway_sslPolicy_disabledSslProtocols(t *testing.T) { +func TestAccAzureRMApplicationGateway_sslPolicy_disabledProtocols(t *testing.T) { resourceName := "azurerm_application_gateway.test" ri := tf.AccRandTimeInt() 
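Review bot: Both range loops in the rewritten `expandApplicationGatewaySslPolicy` reuse `policy` as the loop variable (`for _, policy := range vsdsp` and `for _, policy := range v["disabled_protocols"].([]interface{})`), shadowing the `policy` result declared at the top of the function; renaming them to `p`, and `vsdsp` to something like `deprecatedProtocols`, removes the need to track which `policy` is meant. The `if len(vsdsp) == 0 && len(vs) == 0` branch deliberately returns a policy with an explicit empty `DisabledSslProtocols` rather than a zero value, presumably so that an attribute removed from configuration clears the setting server-side as the pre-patch code did; a one-line comment such as `// send an explicit empty list so a removed attribute clears the server-side setting` would stop the next reader from "simplifying" it away. The function continues into the next hunk.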
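Review bot: The added `if len(disabledSSLPolicies) > 0` block overwrites whatever `policy` was built from `policy_type`, `policy_name` and `cipher_suites`, so a configuration that combines a `Predefined` or `Custom` policy with any disabled protocol (from either attribute) silently loses the named policy instead of being rejected, even though the docs in this series describe the two as not compatible. Because `disabled_protocols` is also `Computed`, a value left in state from an earlier apply could take this path on a later update with nothing visible in the plan. Rejecting the combination is better than guessing: `ConflictsWith` in the schema if the SDK allows it alongside `Computed`, a `CustomizeDiff` check on the resource, or an error returned from this function, which would mean changing its signature to `(*network.ApplicationGatewaySslPolicy, error)` and updating its caller outside the hunk.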
@@ -780,7 +780,7 @@ func TestAccAzureRMApplicationGateway_sslPolicy_disabledSslProtocols(t *testing. CheckDestroy: testCheckAzureRMApplicationGatewayDestroy, Steps: []resource.TestStep{ { - Config: testAccAzureRMApplicationGateway_sslPolicy_disabledSslProtocols(ri, testLocation()), + Config: testAccAzureRMApplicationGateway_sslPolicy_disabledProtocols(ri, testLocation()), Check: resource.ComposeTestCheckFunc( testCheckAzureRMApplicationGatewayExists(resourceName), resource.TestCheckResourceAttr(resourceName, "ssl_policy.0.disabled_protocols.0", "TLSv1_0"), @@ -791,6 +791,27 @@ func TestAccAzureRMApplicationGateway_sslPolicy_disabledSslProtocols(t *testing. }) } +func TestAccAzureRMApplicationGateway_disabledSslProtocols(t *testing.T) { + resourceName := "azurerm_application_gateway.test" + ri := tf.AccRandTimeInt() + + resource.ParallelTest(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testCheckAzureRMApplicationGatewayDestroy, + Steps: []resource.TestStep{ + { + Config: testAccAzureRMApplicationGateway_disabledSslProtocols(ri, testLocation()), + Check: resource.ComposeTestCheckFunc( + testCheckAzureRMApplicationGatewayExists(resourceName), + resource.TestCheckResourceAttr(resourceName, "disabled_ssl_protocols.0", "TLSv1_0"), + resource.TestCheckResourceAttr(resourceName, "disabled_ssl_protocols.1", "TLSv1_1"), + ), + }, + }, + }) +} + func testCheckAzureRMApplicationGatewayExists(resourceName string) resource.TestCheckFunc { return func(s *terraform.State) error { rs, ok := s.RootModule().Resources[resourceName] @@ -2068,7 +2089,7 @@ resource "azurerm_application_gateway" "test" { frontend_ip_configuration { name = "${local.frontend_ip_configuration_name}" - public_ip_address_id = "${azurerm_public_ip.test.id}" + public_ip_address_id = "${azurerm_public_ip.test_standard.id}" } backend_address_pool { 
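Review bot: The frontend now references `azurerm_public_ip.test_standard`, but nothing in this hunk, or in `@@ -2214` and `@@ -2293` which make the same change, declares that resource, and each test config is a self-contained `fmt.Sprintf` string, so unless the enclosing configurations already define `test_standard` outside the hunks the plan fails on an undeclared resource. The functions these lines belong to start outside the hunks, so this could not be confirmed from the diff; it is worth checking that each of the three configs contains a `resource "azurerm_public_ip" "test_standard"` block, as the `@@ -2348`, `@@ -2431` and `@@ -2514` configs do.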
@@ -2214,7 +2235,7 @@ resource "azurerm_application_gateway" "test" { frontend_ip_configuration { name = "${local.frontend_ip_configuration_name}" - public_ip_address_id = "${azurerm_public_ip.test.id}" + public_ip_address_id = "${azurerm_public_ip.test_standard.id}" } backend_address_pool { @@ -2293,7 +2314,7 @@ resource "azurerm_application_gateway" "test" { frontend_ip_configuration { name = "${local.frontend_ip_configuration_name}" - public_ip_address_id = "${azurerm_public_ip.test.id}" + public_ip_address_id = "${azurerm_public_ip.test_standard.id}" } backend_address_pool { @@ -2348,14 +2369,22 @@ locals { request_routing_rule_name = "${azurerm_virtual_network.test.name}-rqrt" } +resource "azurerm_public_ip" "test_standard" { + name = "acctest-pubip-%d-standard" + location = "${azurerm_resource_group.test.location}" + resource_group_name = "${azurerm_resource_group.test.name}" + sku = "Standard" + allocation_method = "Static" +} + resource "azurerm_application_gateway" "test" { name = "acctestag-%d" resource_group_name = "${azurerm_resource_group.test.name}" location = "${azurerm_resource_group.test.location}" sku { - name = "WAF_Medium" - tier = "WAF" + name = "Standard_v2" + tier = "Standard_v2" capacity = 1 } @@ -2364,13 +2393,6 @@ resource "azurerm_application_gateway" "test" { policy_type = "Predefined" } - waf_configuration { - enabled = true - firewall_mode = "Detection" - rule_set_type = "OWASP" - rule_set_version = "3.0" - } - gateway_ip_configuration { name = "my-gateway-ip-configuration" subnet_id = "${azurerm_subnet.test.id}" 
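Review bot: The added `resource "azurerm_public_ip" "test_standard"` introduces a second `%d` (`acctest-pubip-%d-standard`) into this config's format string, but no hunk between here and `@@ -2431` touches the function's closing `fmt.Sprintf(..., template, rInt)`, so unless it already passed `rInt` twice the name renders as `acctest-pubip-%!d(MISSING)-standard` and the test fails at plan time; `go vet` flags the argument count. The sibling configs in `@@ -2496` and `@@ -2580` do get `rInt, rInt`, which suggests this one was missed. Switching the SKU to `Standard_v2` and adding a Standard public IP only helps if `frontend_ip_configuration` references `test_standard`; in this config and the `@@ -2431`/`@@ -2514` ones that line lies outside the hunks and is not shown changed, whereas the `@@ -2613` config does update it. The enclosing function starts outside the hunk.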
@@ -2431,14 +2453,22 @@ locals { request_routing_rule_name = "${azurerm_virtual_network.test.name}-rqrt" } +resource "azurerm_public_ip" "test_standard" { + name = "acctest-pubip-%d-standard" + location = "${azurerm_resource_group.test.location}" + resource_group_name = "${azurerm_resource_group.test.name}" + sku = "Standard" + allocation_method = "Static" +} + resource "azurerm_application_gateway" "test" { name = "acctestag-%d" resource_group_name = "${azurerm_resource_group.test.name}" location = "${azurerm_resource_group.test.location}" sku { - name = "WAF_Medium" - tier = "WAF" + name = "Standard_v2" + tier = "Standard_v2" capacity = 1 } @@ -2496,7 +2526,7 @@ resource "azurerm_application_gateway" "test" { backend_http_settings_name = "${local.http_setting_name}" } } -`, template, rInt) +`, template, rInt, rInt) } func testAccAzureRMApplicationGateway_sslPolicy_policyType_custom(rInt int, location string) string { @@ -2514,14 +2544,22 @@ locals { request_routing_rule_name = "${azurerm_virtual_network.test.name}-rqrt" } +resource "azurerm_public_ip" "test_standard" { + name = "acctest-pubip-%d-standard" + location = "${azurerm_resource_group.test.location}" + resource_group_name = "${azurerm_resource_group.test.name}" + sku = "Standard" + allocation_method = "Static" +} + resource "azurerm_application_gateway" "test" { name = "acctestag-%d" resource_group_name = "${azurerm_resource_group.test.name}" location = "${azurerm_resource_group.test.location}" sku { - name = "WAF_Medium" - tier = "WAF" + name = "Standard_v2" + tier = "Standard_v2" capacity = 1 } 
@@ -2531,13 +2569,6 @@ resource "azurerm_application_gateway" "test" { cipher_suites = ["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_128_GCM_SHA256"] } - waf_configuration { - enabled = true - firewall_mode = "Detection" - rule_set_type = "OWASP" - rule_set_version = "3.0" - } - gateway_ip_configuration { name = "my-gateway-ip-configuration" subnet_id = "${azurerm_subnet.test.id}" @@ -2580,10 +2611,10 @@ resource "azurerm_application_gateway" "test" { backend_http_settings_name = "${local.http_setting_name}" } } -`, template, rInt) +`, template, rInt, rInt) } -func testAccAzureRMApplicationGateway_sslPolicy_disabledSslProtocols(rInt int, location string) string { +func testAccAzureRMApplicationGateway_sslPolicy_disabledProtocols(rInt int, location string) string { template := testAccAzureRMApplicationGateway_template(rInt, location) return fmt.Sprintf(` %s 
@@ -2613,16 +2644,87 @@ resource "azurerm_application_gateway" "test" { disabled_protocols = ["TLSv1_0", "TLSv1_1"] } - waf_configuration { - enabled = true - firewall_mode = "Detection" - rule_set_type = "OWASP" - rule_set_version = "3.0" - file_upload_limit_mb = 100 - request_body_check = true - max_request_body_size_kb = 100 + gateway_ip_configuration { + name = "my-gateway-ip-configuration" + subnet_id = "${azurerm_subnet.test.id}" + } + + frontend_port { + name = "${local.frontend_port_name}" + port = 80 + } + + frontend_ip_configuration { + name = "${local.frontend_ip_configuration_name}" + public_ip_address_id = "${azurerm_public_ip.test_standard.id}" + } + + backend_address_pool { + name = "${local.backend_address_pool_name}" + } + + backend_http_settings { + name = "${local.http_setting_name}" + cookie_based_affinity = "Disabled" + port = 80 + protocol = "Http" + request_timeout = 1 + } + + http_listener { + name = "${local.listener_name}" + frontend_ip_configuration_name = "${local.frontend_ip_configuration_name}" + frontend_port_name = "${local.frontend_port_name}" + protocol = "Http" + } + + request_routing_rule { + name = "${local.request_routing_rule_name}" + rule_type = "Basic" + http_listener_name = "${local.listener_name}" + backend_address_pool_name = "${local.backend_address_pool_name}" + backend_http_settings_name = "${local.http_setting_name}" + } +} +`, template, rInt, rInt) +} + +func testAccAzureRMApplicationGateway_disabledSslProtocols(rInt int, location string) string { + template := testAccAzureRMApplicationGateway_template(rInt, location) + return fmt.Sprintf(` +%s + +# since these variables are re-used - a locals block makes this more maintainable +locals { + backend_address_pool_name = "${azurerm_virtual_network.test.name}-beap" + frontend_port_name = "${azurerm_virtual_network.test.name}-feport" + frontend_ip_configuration_name = "${azurerm_virtual_network.test.name}-feip" + http_setting_name = 
"${azurerm_virtual_network.test.name}-be-htst" + listener_name = "${azurerm_virtual_network.test.name}-httplstn" + request_routing_rule_name = "${azurerm_virtual_network.test.name}-rqrt" +} + +resource "azurerm_public_ip" "test_standard" { + name = "acctest-pubip-%d-standard" + location = "${azurerm_resource_group.test.location}" + resource_group_name = "${azurerm_resource_group.test.name}" + sku = "Standard" + allocation_method = "Static" +} + +resource "azurerm_application_gateway" "test" { + name = "acctestag-%d" + resource_group_name = "${azurerm_resource_group.test.name}" + location = "${azurerm_resource_group.test.location}" + + sku { + name = "Standard_v2" + tier = "Standard_v2" + capacity = 1 } + disabled_ssl_protocols = ["TLSv1_0", "TLSv1_1"] + gateway_ip_configuration { name = "my-gateway-ip-configuration" subnet_id = "${azurerm_subnet.test.id}" @@ -2665,7 +2767,7 @@ resource "azurerm_application_gateway" "test" { backend_http_settings_name = "${local.http_setting_name}" } } -`, template, rInt) +`, template, rInt, rInt) } func testAccAzureRMApplicationGateway_connectionDraining(rInt int, location string) string { diff --git a/website/docs/r/application_gateway.html.markdown b/website/docs/r/application_gateway.html.markdown index e400cde1468f..df82bd4ff7f9 100644 --- a/website/docs/r/application_gateway.html.markdown +++ b/website/docs/r/application_gateway.html.markdown 
@@ -147,9 +147,10 @@ The following arguments are supported: * `authentication_certificate` - (Optional) One or more `authentication_certificate` blocks as defined below. -* `disabled_ssl_protocols` - Deprecated: replaced by `ssl_policy`. (Optional) A list of SSL Protocols which should be disabled on this Application Gateway. Possible values are `TLSv1_0`, `TLSv1_1` and `TLSv1_2`. Not compatible with `ssl_policy` +* `disabled_ssl_protocols` - (Optional / **Deprecated**) A list of SSL Protocols which should be disabled on this Application Gateway. Possible values are `TLSv1_0`, `TLSv1_1` and `TLSv1_2`. +~> **NOTE:** `disabled_ssl_protocols ` has been deprecated in favour of `disabled_protocols` in the `ssl_policy` block. -* `ssl_policy` (Optional) ssl policys block as defined below. +* `ssl_policy` (Optional) a `ssl policy` block as defined below. * `enable_http2` - (Optional) Is HTTP2 enabled on the application gateway resource? Defaults to `false`. 
@@ -387,22 +388,25 @@ A `url_path_map` block supports the following: A `ssl_policy` block supports the following: -* `policy_type` - (Optional) The Type of the Policy. Required if `policy_name` is set. Possible values are `Predefined` and `Custom`. Not compatible with `disabled_protocols`. +* `disabled_protocols` - (Optional) A list of SSL Protocols which should be disabled on this Application Gateway. Possible values are `TLSv1_0`, `TLSv1_1` and `TLSv1_2`. -For `policy_type`=`Predefined`: +~> **NOTE:** `disabled_protocols` cannot be set when `policy_name` or `policy_type` are set. + +* `policy_type` - (Optional) The Type of the Policy. Possible values are `Predefined` and `Custom`. + +~> **NOTE:** `policy_type` is Required when `policy_name` is set - cannot be set if `disabled_protocols` is set. + +When using a `policy_type` of `Predefined` the following fields are supported: * `policy_name` - (Optional) The Name of the Policy e.g AppGwSslPolicy20170401S. Required if `policy_type` is set to `Predefined`. Possible values can change over time and are published here https://docs.microsoft.com/en-us/azure/application-gateway/application-gateway-ssl-policy-overview. Not compatible with `disabled_protocols`. -For `policy_type`=`Custom`: - -* `min_protocol_version` - (Optional) The minimal TLS version Required if `policy_type` is set to `Custom`. Possible values can change over time and are published here https://docs.microsoft.com/en-us/azure/application-gateway/application-gateway-ssl-policy-overview. Not compatible with `disabled_protocols` +When using a `policy_type` of `Custom` the following fields are supported: -* `cipher_suites` - (Optional) A List of accepted cipher suites Required if `policy_type` is set to `Custom`. Example ["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_128_GCM_SHA256"]. 
Possible values can change over time and are published here https://docs.microsoft.com/en-us/azure/application-gateway/application-gateway-ssl-policy-overview. Not compatible with `disabled_protocols` +* `cipher_suites` - (Required) A List of accepted cipher suites. Possible values are: `TLS_DHE_DSS_WITH_AES_128_CBC_SHA`, `TLS_DHE_DSS_WITH_AES_128_CBC_SHA256`, `TLS_DHE_DSS_WITH_AES_256_CBC_SHA`, `TLS_DHE_DSS_WITH_AES_256_CBC_SHA256`, `TLS_DHE_RSA_WITH_AES_128_CBC_SHA`, `TLS_DHE_RSA_WITH_AES_128_GCM_SHA256`, `TLS_DHE_RSA_WITH_AES_256_CBC_SHA`, `TLS_DHE_RSA_WITH_AES_256_GCM_SHA384`, `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA`, `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256`, `TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256`, `TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA`, `TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384`, `TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384`, `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA`, `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256`, `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA`, `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384`, `TLS_RSA_WITH_3DES_EDE_CBC_SHA`, `TLS_RSA_WITH_AES_128_CBC_SHA`, `TLS_RSA_WITH_AES_128_CBC_SHA256`, `TLS_RSA_WITH_AES_128_GCM_SHA256`, `TLS_RSA_WITH_AES_256_CBC_SHA`, `TLS_RSA_WITH_AES_256_CBC_SHA256` and `TLS_RSA_WITH_AES_256_GCM_SHA384`. -For `disabled_protocols`: +* `min_protocol_version` - (Required) The minimal TLS version. Possible values are `TLSv1_0`, `TLSv1_1` and `TLSv1_2`. -* `disabled_protocols` - (Optional) A list of SSL Protocols which should be disabled on this Application Gateway. Possible values are `TLSv1_0`, `TLSv1_1` and `TLSv1_2`. Not compatible with `policy_name` / `policy_type` --- From 88a98dd02973d487f6fe565558b62dff54ebf5d6 Mon Sep 17 00:00:00 2001 
From: "Till Markus (INST-CSS/BSV-OS)" Date: Tue, 7 May 2019 09:38:35 +0200 Subject: [PATCH 4/5] resource_arm_application_gateways: set disabledSSLPolicies primarly with ssl_policy.disabled_protocols --- azurerm/resource_arm_application_gateway.go | 3 + .../resource_arm_application_gateway_test.go | 439 ++++++++---------- 2 files changed, 195 insertions(+), 247 deletions(-) diff --git a/azurerm/resource_arm_application_gateway.go b/azurerm/resource_arm_application_gateway.go index 7cba2593a0bb..1105334527a4 100644 --- a/azurerm/resource_arm_application_gateway.go +++ b/azurerm/resource_arm_application_gateway.go @@ -1755,6 +1755,9 @@ func expandApplicationGatewaySslPolicy(d *schema.ResourceData) *network.Applicat v := vs[0].(map[string]interface{}) policyType := network.ApplicationGatewaySslPolicyType(v["policy_type"].(string)) + // reset disabledSSLPolicies here to always use the new disabled_protocols block in favor of disabled_ssl_protocols + disabledSSLPolicies = disabledSSLPolicies[:0] + for _, policy := range v["disabled_protocols"].([]interface{}) { disabledSSLPolicies = append(disabledSSLPolicies, network.ApplicationGatewaySslProtocol(policy.(string))) } diff --git a/azurerm/resource_arm_application_gateway_test.go b/azurerm/resource_arm_application_gateway_test.go index a8da5c3aae0d..49ed8c7654ec 100644 --- a/azurerm/resource_arm_application_gateway_test.go +++ b/azurerm/resource_arm_application_gateway_test.go @@ -724,7 +724,6 @@ func TestAccAzureRMApplicationGateway_webApplicationFirewall_exclusions(t *testi }, }) } - func TestAccAzureRMApplicationGateway_sslPolicy_policyType_predefined(t *testing.T) { resourceName := "azurerm_application_gateway.test" ri := tf.AccRandTimeInt() @@ -769,7 +768,6 @@ func TestAccAzureRMApplicationGateway_sslPolicy_policyType_custom(t *testing.T) }, }) } - func TestAccAzureRMApplicationGateway_sslPolicy_disabledProtocols(t *testing.T) { resourceName := "azurerm_application_gateway.test" ri := tf.AccRandTimeInt() 
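Review bot: The added `disabledSSLPolicies = disabledSSLPolicies[:0]` silently throws away whatever the deprecated `disabled_ssl_protocols` attribute contributed as soon as any `ssl_policy` block is present, so a configuration that still carries `disabled_ssl_protocols = ["TLSv1_0", "TLSv1_1"]` and adds an `ssl_policy` block without `disabled_protocols` ends up with TLS 1.0/1.1 re-enabled and no error or diff to show it. A TLS hardening setting that is dropped quietly is worse than one that fails loudly; the two attributes should be declared mutually exclusive (`ConflictsWith: []string{"ssl_policy"}` on `disabled_ssl_protocols` in the schema, which is outside this hunk), or the reset should be guarded by an explicit error when both lists are non-empty. If the precedence is intentionally kept, the `Deprecated` message and the resource documentation should state that `ssl_policy` overrides `disabled_ssl_protocols`, rather than leaving it to this inline comment. `expandApplicationGatewaySslPolicy` begins outside the hunk and the code that fills `disabledSSLPolicies` from the old attribute is not visible here, so the interaction is inferred from the added comment.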
@@ -2089,7 +2087,7 @@ resource "azurerm_application_gateway" "test" { frontend_ip_configuration { name = "${local.frontend_ip_configuration_name}" - public_ip_address_id = "${azurerm_public_ip.test_standard.id}" + public_ip_address_id = "${azurerm_public_ip.test.id}" } backend_address_pool { @@ -2235,7 +2233,7 @@ resource "azurerm_application_gateway" "test" { frontend_ip_configuration { name = "${local.frontend_ip_configuration_name}" - public_ip_address_id = "${azurerm_public_ip.test_standard.id}" + public_ip_address_id = "${azurerm_public_ip.test.id}" } backend_address_pool { @@ -2314,7 +2312,7 @@ resource "azurerm_application_gateway" "test" { frontend_ip_configuration { name = "${local.frontend_ip_configuration_name}" - public_ip_address_id = "${azurerm_public_ip.test_standard.id}" + public_ip_address_id = "${azurerm_public_ip.test.id}" } backend_address_pool { @@ -2369,28 +2367,29 @@ locals { request_routing_rule_name = "${azurerm_virtual_network.test.name}-rqrt" } -resource "azurerm_public_ip" "test_standard" { - name = "acctest-pubip-%d-standard" - location = "${azurerm_resource_group.test.location}" - resource_group_name = "${azurerm_resource_group.test.name}" - sku = "Standard" - allocation_method = "Static" -} - resource "azurerm_application_gateway" "test" { name = "acctestag-%d" resource_group_name = "${azurerm_resource_group.test.name}" location = "${azurerm_resource_group.test.location}" sku { - name = "Standard_v2" - tier = "Standard_v2" + name = "WAF_Medium" + tier = "WAF" capacity = 1 } - ssl_policy { - policy_name = "AppGwSslPolicy20170401S" - policy_type = "Predefined" + disabled_ssl_protocols = [ + "TLSv1_0", + ] + + waf_configuration { + enabled = true + firewall_mode = "Detection" + rule_set_type = "OWASP" + rule_set_version = "3.0" + file_upload_limit_mb = 100 + request_body_check = true + max_request_body_size_kb = 100 } gateway_ip_configuration { 
@@ -2438,7 +2437,7 @@ resource "azurerm_application_gateway" "test" { `, template, rInt) } -func testAccAzureRMApplicationGateway_sslPolicy_policyType_predefined(rInt int, location string) string { +func testAccAzureRMApplicationGateway_connectionDraining(rInt int, location string) string { template := testAccAzureRMApplicationGateway_template(rInt, location) return fmt.Sprintf(` %s @@ -2453,35 +2452,16 @@ locals { request_routing_rule_name = "${azurerm_virtual_network.test.name}-rqrt" } -resource "azurerm_public_ip" "test_standard" { - name = "acctest-pubip-%d-standard" - location = "${azurerm_resource_group.test.location}" - resource_group_name = "${azurerm_resource_group.test.name}" - sku = "Standard" - allocation_method = "Static" -} - resource "azurerm_application_gateway" "test" { name = "acctestag-%d" resource_group_name = "${azurerm_resource_group.test.name}" location = "${azurerm_resource_group.test.location}" + enable_http2 = true sku { - name = "Standard_v2" - tier = "Standard_v2" - capacity = 1 - } - - ssl_policy { - policy_name = "AppGwSslPolicy20170401S" - policy_type = "Predefined" - } - - waf_configuration { - enabled = true - firewall_mode = "Detection" - rule_set_type = "OWASP" - rule_set_version = "3.0" + name = "Standard_Small" + tier = "Standard" + capacity = 2 } gateway_ip_configuration { @@ -2509,6 +2489,11 @@ resource "azurerm_application_gateway" "test" { port = 80 protocol = "Http" request_timeout = 1 + + connection_draining { + enabled = true + drain_timeout_sec = 1984 + } } http_listener { 
@@ -2526,10 +2511,9 @@ resource "azurerm_application_gateway" "test" { backend_http_settings_name = "${local.http_setting_name}" } } -`, template, rInt, rInt) +`, template, rInt) } - -func testAccAzureRMApplicationGateway_sslPolicy_policyType_custom(rInt int, location string) string { +func testAccAzureRMApplicationGateway_webApplicationFirewall_disabledRuleGroups(rInt int, location string) string { template := testAccAzureRMApplicationGateway_template(rInt, location) return fmt.Sprintf(` %s @@ -2544,6 +2528,7 @@ locals { request_routing_rule_name = "${azurerm_virtual_network.test.name}-rqrt" } + resource "azurerm_public_ip" "test_standard" { name = "acctest-pubip-%d-standard" location = "${azurerm_resource_group.test.location}" @@ -2558,15 +2543,35 @@ resource "azurerm_application_gateway" "test" { location = "${azurerm_resource_group.test.location}" sku { - name = "Standard_v2" - tier = "Standard_v2" + name = "WAF_v2" + tier = "WAF_v2" capacity = 1 } - ssl_policy { - policy_type = "Custom" - min_protocol_version = "TLSv1_1" - cipher_suites = ["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_128_GCM_SHA256"] + waf_configuration { + enabled = true + firewall_mode = "Detection" + rule_set_type = "OWASP" + rule_set_version = "3.0" + request_body_check = true + max_request_body_size_kb = 128 + file_upload_limit_mb = 100 + + disabled_rule_group { + rule_group_name = "REQUEST-921-PROTOCOL-ATTACK" + rules = [921110, 921151, 921180] + } + + disabled_rule_group { + rule_group_name = "REQUEST-930-APPLICATION-ATTACK-LFI" + rules = [930120, 930130] + } + + disabled_rule_group { + rule_group_name = "REQUEST-942-APPLICATION-ATTACK-SQLI" + } + + } gateway_ip_configuration { 
@@ -2581,7 +2586,7 @@ resource "azurerm_application_gateway" "test" { frontend_ip_configuration { name = "${local.frontend_ip_configuration_name}" - public_ip_address_id = "${azurerm_public_ip.test.id}" + public_ip_address_id = "${azurerm_public_ip.test_standard.id}" } backend_address_pool { @@ -2614,7 +2619,7 @@ resource "azurerm_application_gateway" "test" { `, template, rInt, rInt) } -func testAccAzureRMApplicationGateway_sslPolicy_disabledProtocols(rInt int, location string) string { +func testAccAzureRMApplicationGateway_webApplicationFirewall_disabledRuleGroups_enabled_some_rules(rInt int, location string) string { template := testAccAzureRMApplicationGateway_template(rInt, location) return fmt.Sprintf(` %s @@ -2629,19 +2634,45 @@ locals { request_routing_rule_name = "${azurerm_virtual_network.test.name}-rqrt" } + +resource "azurerm_public_ip" "test_standard" { + name = "acctest-pubip-%d-standard" + location = "${azurerm_resource_group.test.location}" + resource_group_name = "${azurerm_resource_group.test.name}" + sku = "Standard" + allocation_method = "Static" +} + resource "azurerm_application_gateway" "test" { name = "acctestag-%d" resource_group_name = "${azurerm_resource_group.test.name}" location = "${azurerm_resource_group.test.location}" sku { - name = "WAF_Medium" - tier = "WAF" + name = "WAF_v2" + tier = "WAF_v2" capacity = 1 } - ssl_policy { - disabled_protocols = ["TLSv1_0", "TLSv1_1"] + waf_configuration { + enabled = true + firewall_mode = "Detection" + rule_set_type = "OWASP" + rule_set_version = "3.0" + request_body_check = true + max_request_body_size_kb = 128 + file_upload_limit_mb = 100 + + disabled_rule_group { + rule_group_name = "REQUEST-921-PROTOCOL-ATTACK" + rules = [921110, 921151, 921180] + } + + disabled_rule_group { + rule_group_name = "REQUEST-942-APPLICATION-ATTACK-SQLI" + } + + } gateway_ip_configuration { 
@@ -2689,7 +2720,7 @@ resource "azurerm_application_gateway" "test" { `, template, rInt, rInt) } -func testAccAzureRMApplicationGateway_disabledSslProtocols(rInt int, location string) string { +func testAccAzureRMApplicationGateway_webApplicationFirewall_exclusions_many(rInt int, location string) string { template := testAccAzureRMApplicationGateway_template(rInt, location) return fmt.Sprintf(` %s @@ -2704,6 +2735,7 @@ locals { request_routing_rule_name = "${azurerm_virtual_network.test.name}-rqrt" } + resource "azurerm_public_ip" "test_standard" { name = "acctest-pubip-%d-standard" location = "${azurerm_resource_group.test.location}" @@ -2718,12 +2750,48 @@ resource "azurerm_application_gateway" "test" { location = "${azurerm_resource_group.test.location}" sku { - name = "Standard_v2" - tier = "Standard_v2" + name = "WAF_v2" + tier = "WAF_v2" capacity = 1 } - disabled_ssl_protocols = ["TLSv1_0", "TLSv1_1"] + waf_configuration { + enabled = true + firewall_mode = "Detection" + rule_set_type = "OWASP" + rule_set_version = "3.0" + request_body_check = true + max_request_body_size_kb = 128 + file_upload_limit_mb = 100 + + exclusion { + match_variable = "RequestArgNames" + selector_match_operator = "Equals" + selector = "displayNameHtml" + } + + exclusion { + match_variable = "RequestCookieNames" + selector_match_operator = "EndsWith" + selector = "username" + } + + exclusion { + match_variable = "RequestHeaderNames" + selector_match_operator = "StartsWith" + selector = "ORIGIN" + } + + exclusion { + match_variable = "RequestHeaderNames" + selector_match_operator = "Contains" + selector = "ORIGIN" + } + + exclusion { + match_variable = "RequestHeaderNames" + } + } gateway_ip_configuration { name = "my-gateway-ip-configuration" 
@@ -2737,7 +2805,7 @@ resource "azurerm_application_gateway" "test" { frontend_ip_configuration { name = "${local.frontend_ip_configuration_name}" - public_ip_address_id = "${azurerm_public_ip.test.id}" + public_ip_address_id = "${azurerm_public_ip.test_standard.id}" } backend_address_pool { @@ -2769,8 +2837,7 @@ resource "azurerm_application_gateway" "test" { } `, template, rInt, rInt) } - -func testAccAzureRMApplicationGateway_connectionDraining(rInt int, location string) string { +func testAccAzureRMApplicationGateway_webApplicationFirewall_exclusions_one(rInt int, location string) string { template := testAccAzureRMApplicationGateway_template(rInt, location) return fmt.Sprintf(` %s @@ -2785,16 +2852,40 @@ locals { request_routing_rule_name = "${azurerm_virtual_network.test.name}-rqrt" } +resource "azurerm_public_ip" "test_standard" { + name = "acctest-pubip-%d-standard" + location = "${azurerm_resource_group.test.location}" + resource_group_name = "${azurerm_resource_group.test.name}" + sku = "Standard" + allocation_method = "Static" +} + resource "azurerm_application_gateway" "test" { name = "acctestag-%d" resource_group_name = "${azurerm_resource_group.test.name}" location = "${azurerm_resource_group.test.location}" - enable_http2 = true sku { - name = "Standard_Small" - tier = "Standard" - capacity = 2 + name = "WAF_v2" + tier = "WAF_v2" + capacity = 1 + } + + waf_configuration { + enabled = true + firewall_mode = "Detection" + rule_set_type = "OWASP" + rule_set_version = "3.0" + request_body_check = true + max_request_body_size_kb = 128 + file_upload_limit_mb = 100 + + exclusion { + match_variable = "RequestArgNames" + selector_match_operator = "Equals" + selector = "displayNameHtml" + } + } gateway_ip_configuration { 
@@ -2809,7 +2900,7 @@ resource "azurerm_application_gateway" "test" { frontend_ip_configuration { name = "${local.frontend_ip_configuration_name}" - public_ip_address_id = "${azurerm_public_ip.test.id}" + public_ip_address_id = "${azurerm_public_ip.test_standard.id}" } backend_address_pool { @@ -2822,11 +2913,6 @@ resource "azurerm_application_gateway" "test" { port = 80 protocol = "Http" request_timeout = 1 - - connection_draining { - enabled = true - drain_timeout_sec = 1984 - } } http_listener { @@ -2844,14 +2930,14 @@ resource "azurerm_application_gateway" "test" { backend_http_settings_name = "${local.http_setting_name}" } } -`, template, rInt) +`, template, rInt, rInt) } -func testAccAzureRMApplicationGateway_webApplicationFirewall_disabledRuleGroups(rInt int, location string) string { + +func testAccAzureRMApplicationGateway_sslPolicy_policyType_predefined(rInt int, location string) string { template := testAccAzureRMApplicationGateway_template(rInt, location) return fmt.Sprintf(` %s - -# since these variables are re-used - a locals block makes this more maintainable +# since these variables are re-used - a locals block makes this more maintainable locals { backend_address_pool_name = "${azurerm_virtual_network.test.name}-beap" frontend_port_name = "${azurerm_virtual_network.test.name}-feport" @@ -2860,8 +2946,6 @@ locals { listener_name = "${azurerm_virtual_network.test.name}-httplstn" request_routing_rule_name = "${azurerm_virtual_network.test.name}-rqrt" } - - resource "azurerm_public_ip" "test_standard" { name = "acctest-pubip-%d-standard" location = "${azurerm_resource_group.test.location}" 
@@ -2869,63 +2953,34 @@ resource "azurerm_public_ip" "test_standard" { sku = "Standard" allocation_method = "Static" } - resource "azurerm_application_gateway" "test" { name = "acctestag-%d" resource_group_name = "${azurerm_resource_group.test.name}" location = "${azurerm_resource_group.test.location}" - sku { - name = "WAF_v2" - tier = "WAF_v2" + name = "Standard_v2" + tier = "Standard_v2" capacity = 1 } - - waf_configuration { - enabled = true - firewall_mode = "Detection" - rule_set_type = "OWASP" - rule_set_version = "3.0" - request_body_check = true - max_request_body_size_kb = 128 - file_upload_limit_mb = 100 - - disabled_rule_group { - rule_group_name = "REQUEST-921-PROTOCOL-ATTACK" - rules = [921110, 921151, 921180] - } - - disabled_rule_group { - rule_group_name = "REQUEST-930-APPLICATION-ATTACK-LFI" - rules = [930120, 930130] - } - - disabled_rule_group { - rule_group_name = "REQUEST-942-APPLICATION-ATTACK-SQLI" - } - - + ssl_policy { + policy_name = "AppGwSslPolicy20170401S" + policy_type = "Predefined" } - gateway_ip_configuration { name = "my-gateway-ip-configuration" subnet_id = "${azurerm_subnet.test.id}" } - frontend_port { name = "${local.frontend_port_name}" port = 80 } - frontend_ip_configuration { name = "${local.frontend_ip_configuration_name}" public_ip_address_id = "${azurerm_public_ip.test_standard.id}" } - backend_address_pool { name = "${local.backend_address_pool_name}" } - backend_http_settings { name = "${local.http_setting_name}" cookie_based_affinity = "Disabled" @@ -2933,14 +2988,12 @@ resource "azurerm_application_gateway" "test" { protocol = "Http" request_timeout = 1 } - http_listener { name = "${local.listener_name}" frontend_ip_configuration_name = "${local.frontend_ip_configuration_name}" frontend_port_name = "${local.frontend_port_name}" protocol = "Http" } - request_routing_rule { name = "${local.request_routing_rule_name}" rule_type = "Basic" 
@@ -2952,12 +3005,11 @@ resource "azurerm_application_gateway" "test" { `, template, rInt, rInt) } -func testAccAzureRMApplicationGateway_webApplicationFirewall_disabledRuleGroups_enabled_some_rules(rInt int, location string) string { +func testAccAzureRMApplicationGateway_sslPolicy_policyType_custom(rInt int, location string) string { template := testAccAzureRMApplicationGateway_template(rInt, location) return fmt.Sprintf(` %s - -# since these variables are re-used - a locals block makes this more maintainable +# since these variables are re-used - a locals block makes this more maintainable locals { backend_address_pool_name = "${azurerm_virtual_network.test.name}-beap" frontend_port_name = "${azurerm_virtual_network.test.name}-feport" 
@@ -2966,67 +3018,35 @@ locals { listener_name = "${azurerm_virtual_network.test.name}-httplstn" request_routing_rule_name = "${azurerm_virtual_network.test.name}-rqrt" } - - -resource "azurerm_public_ip" "test_standard" { - name = "acctest-pubip-%d-standard" - location = "${azurerm_resource_group.test.location}" - resource_group_name = "${azurerm_resource_group.test.name}" - sku = "Standard" - allocation_method = "Static" -} - resource "azurerm_application_gateway" "test" { name = "acctestag-%d" resource_group_name = "${azurerm_resource_group.test.name}" location = "${azurerm_resource_group.test.location}" - sku { - name = "WAF_v2" - tier = "WAF_v2" + name = "WAF_Medium" + tier = "WAF" capacity = 1 } - - waf_configuration { - enabled = true - firewall_mode = "Detection" - rule_set_type = "OWASP" - rule_set_version = "3.0" - request_body_check = true - max_request_body_size_kb = 128 - file_upload_limit_mb = 100 - - disabled_rule_group { - rule_group_name = "REQUEST-921-PROTOCOL-ATTACK" - rules = [921110, 921151, 921180] - } - - disabled_rule_group { - rule_group_name = "REQUEST-942-APPLICATION-ATTACK-SQLI" - } - - + ssl_policy { + policy_type = "Custom" + min_protocol_version = "TLSv1_1" + cipher_suites = ["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_128_GCM_SHA256"] } - gateway_ip_configuration { name = "my-gateway-ip-configuration" subnet_id = "${azurerm_subnet.test.id}" } - frontend_port { name = "${local.frontend_port_name}" port = 80 } - frontend_ip_configuration { name = "${local.frontend_ip_configuration_name}" - public_ip_address_id = "${azurerm_public_ip.test_standard.id}" + public_ip_address_id = "${azurerm_public_ip.test.id}" } - backend_address_pool { name = "${local.backend_address_pool_name}" } - backend_http_settings { name = "${local.http_setting_name}" cookie_based_affinity = "Disabled" 
@@ -3034,14 +3054,12 @@ resource "azurerm_application_gateway" "test" { protocol = "Http" request_timeout = 1 } - http_listener { name = "${local.listener_name}" frontend_ip_configuration_name = "${local.frontend_ip_configuration_name}" frontend_port_name = "${local.frontend_port_name}" protocol = "Http" } - request_routing_rule { name = "${local.request_routing_rule_name}" rule_type = "Basic" @@ -3050,15 +3068,14 @@ resource "azurerm_application_gateway" "test" { backend_http_settings_name = "${local.http_setting_name}" } } -`, template, rInt, rInt) +`, template, rInt) } -func testAccAzureRMApplicationGateway_webApplicationFirewall_exclusions_many(rInt int, location string) string { +func testAccAzureRMApplicationGateway_sslPolicy_disabledProtocols(rInt int, location string) string { template := testAccAzureRMApplicationGateway_template(rInt, location) return fmt.Sprintf(` %s - -# since these variables are re-used - a locals block makes this more maintainable +# since these variables are re-used - a locals block makes this more maintainable locals { backend_address_pool_name = "${azurerm_virtual_network.test.name}-beap" frontend_port_name = "${azurerm_virtual_network.test.name}-feport" @@ -3067,8 +3084,6 @@ locals { listener_name = "${azurerm_virtual_network.test.name}-httplstn" request_routing_rule_name = "${azurerm_virtual_network.test.name}-rqrt" } - - resource "azurerm_public_ip" "test_standard" { name = "acctest-pubip-%d-standard" location = "${azurerm_resource_group.test.location}" 
@@ -3076,75 +3091,33 @@ resource "azurerm_public_ip" "test_standard" { sku = "Standard" allocation_method = "Static" } - resource "azurerm_application_gateway" "test" { name = "acctestag-%d" resource_group_name = "${azurerm_resource_group.test.name}" location = "${azurerm_resource_group.test.location}" - sku { - name = "WAF_v2" - tier = "WAF_v2" + name = "Standard_v2" + tier = "Standard_v2" capacity = 1 } - - waf_configuration { - enabled = true - firewall_mode = "Detection" - rule_set_type = "OWASP" - rule_set_version = "3.0" - request_body_check = true - max_request_body_size_kb = 128 - file_upload_limit_mb = 100 - - exclusion { - match_variable = "RequestArgNames" - selector_match_operator = "Equals" - selector = "displayNameHtml" - } - - exclusion { - match_variable = "RequestCookieNames" - selector_match_operator = "EndsWith" - selector = "username" - } - - exclusion { - match_variable = "RequestHeaderNames" - selector_match_operator = "StartsWith" - selector = "ORIGIN" - } - - exclusion { - match_variable = "RequestHeaderNames" - selector_match_operator = "Contains" - selector = "ORIGIN" - } - - exclusion { - match_variable = "RequestHeaderNames" - } + ssl_policy { + disabled_protocols = ["TLSv1_0", "TLSv1_1"] } - gateway_ip_configuration { name = "my-gateway-ip-configuration" subnet_id = "${azurerm_subnet.test.id}" } - frontend_port { name = "${local.frontend_port_name}" port = 80 } - frontend_ip_configuration { name = "${local.frontend_ip_configuration_name}" public_ip_address_id = "${azurerm_public_ip.test_standard.id}" } - backend_address_pool { name = "${local.backend_address_pool_name}" } - backend_http_settings { name = "${local.http_setting_name}" cookie_based_affinity = "Disabled" 
@@ -3152,14 +3125,12 @@ resource "azurerm_application_gateway" "test" { protocol = "Http" request_timeout = 1 } - http_listener { name = "${local.listener_name}" frontend_ip_configuration_name = "${local.frontend_ip_configuration_name}" frontend_port_name = "${local.frontend_port_name}" protocol = "Http" } - request_routing_rule { name = "${local.request_routing_rule_name}" rule_type = "Basic" @@ -3170,12 +3141,12 @@ resource "azurerm_application_gateway" "test" { } `, template, rInt, rInt) } -func testAccAzureRMApplicationGateway_webApplicationFirewall_exclusions_one(rInt int, location string) string { + +func testAccAzureRMApplicationGateway_disabledSslProtocols(rInt int, location string) string { template := testAccAzureRMApplicationGateway_template(rInt, location) return fmt.Sprintf(` %s - -# since these variables are re-used - a locals block makes this more maintainable +# since these variables are re-used - a locals block makes this more maintainable locals { backend_address_pool_name = "${azurerm_virtual_network.test.name}-beap" frontend_port_name = "${azurerm_virtual_network.test.name}-feport" @@ -3184,7 +3155,6 @@ locals { listener_name = "${azurerm_virtual_network.test.name}-httplstn" request_routing_rule_name = "${azurerm_virtual_network.test.name}-rqrt" } - resource "azurerm_public_ip" "test_standard" { name = "acctest-pubip-%d-standard" location = "${azurerm_resource_group.test.location}" 
@@ -3192,54 +3162,31 @@ resource "azurerm_public_ip" "test_standard" {
 sku = "Standard"
 allocation_method = "Static"
 }
-
 resource "azurerm_application_gateway" "test" {
 name = "acctestag-%d"
 resource_group_name = "${azurerm_resource_group.test.name}"
 location = "${azurerm_resource_group.test.location}"
-
 sku {
- name = "WAF_v2"
- tier = "WAF_v2"
+ name = "Standard_v2"
+ tier = "Standard_v2"
 capacity = 1
 }
-
- waf_configuration {
- enabled = true
- firewall_mode = "Detection"
- rule_set_type = "OWASP"
- rule_set_version = "3.0"
- request_body_check = true
- max_request_body_size_kb = 128
- file_upload_limit_mb = 100
-
- exclusion {
- match_variable = "RequestArgNames"
- selector_match_operator = "Equals"
- selector = "displayNameHtml"
- }
-
- }
-
+ disabled_ssl_protocols = ["TLSv1_0", "TLSv1_1"]
 gateway_ip_configuration {
 name = "my-gateway-ip-configuration"
 subnet_id = "${azurerm_subnet.test.id}"
 }
-
 frontend_port {
 name = "${local.frontend_port_name}"
 port = 80
 }
-
 frontend_ip_configuration {
 name = "${local.frontend_ip_configuration_name}"
- public_ip_address_id = "${azurerm_public_ip.test_standard.id}"
+ public_ip_address_id = "${azurerm_public_ip.test.id}"
 }
-
 backend_address_pool {
 name = "${local.backend_address_pool_name}"
 }
-
 backend_http_settings {
 name = "${local.http_setting_name}"
 cookie_based_affinity = "Disabled"
@@ -3247,14 +3194,12 @@ resource "azurerm_application_gateway" "test" {
 protocol = "Http"
 request_timeout = 1
 }
-
 http_listener {
 name = "${local.listener_name}"
 frontend_ip_configuration_name = "${local.frontend_ip_configuration_name}"
 frontend_port_name = "${local.frontend_port_name}"
 protocol = "Http"
 }
-
 request_routing_rule {
 name = "${local.request_routing_rule_name}"
 rule_type = "Basic"
From f0a839afe3944537b4017f183265d5580614ed6f Mon Sep 17 00:00:00 2001
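Review bot: `+ public_ip_address_id = "${azurerm_public_ip.test.id}"` in the first hunk points the frontend at the shared template's public IP while the same hunk switches the `sku` to `Standard_v2` and leaves the `azurerm_public_ip.test_standard` resource (with `sku = "Standard"`) defined above but unreferenced; a v2 gateway needs a Standard-SKU public IP, so this fixture looks inconsistent at this commit. Patch 5/5 further down this page reverts exactly this line to `azurerm_public_ip.test_standard.id`, which suggests the acceptance test failed for this reason; squashing that fix into this commit would keep the series bisectable. The `+ disabled_ssl_protocols = ["TLSv1_0", "TLSv1_1"]` line is the right target for a test of the deprecated attribute, but a short comment such as `# exercises the deprecated attribute; see ssl_policy.disabled_protocols` above it would make clear the fixture uses it on purpose.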
From: "Till Markus (INST-CSS/BSV-OS)"
Date: Sun, 12 May 2019 21:55:20 +0200
Subject: [PATCH 5/5] resource_arm_application_gateway: fix TestAccAzureRMApplicationGateway_disabledSslProtocols
---
 .../resource_arm_application_gateway_test.go | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)
diff --git a/azurerm/resource_arm_application_gateway_test.go b/azurerm/resource_arm_application_gateway_test.go
index 49ed8c7654ec..a8389bd18460 100644
--- a/azurerm/resource_arm_application_gateway_test.go
+++ b/azurerm/resource_arm_application_gateway_test.go
@@ -3018,13 +3018,20 @@ locals {
 listener_name = "${azurerm_virtual_network.test.name}-httplstn"
 request_routing_rule_name = "${azurerm_virtual_network.test.name}-rqrt"
 }
+resource "azurerm_public_ip" "test_standard" {
+ name = "acctest-pubip-%d-standard"
+ location = "${azurerm_resource_group.test.location}"
+ resource_group_name = "${azurerm_resource_group.test.name}"
+ sku = "Standard"
+ allocation_method = "Static"
+}
 resource "azurerm_application_gateway" "test" {
 name = "acctestag-%d"
 resource_group_name = "${azurerm_resource_group.test.name}"
 location = "${azurerm_resource_group.test.location}"
 sku {
- name = "WAF_Medium"
- tier = "WAF"
+ name = "Standard_v2"
+ tier = "Standard_v2"
 capacity = 1
 }
 ssl_policy {
@@ -3042,7 +3049,7 @@ resource "azurerm_application_gateway" "test" {
 }
 frontend_ip_configuration {
 name = "${local.frontend_ip_configuration_name}"
- public_ip_address_id = "${azurerm_public_ip.test.id}"
+ public_ip_address_id = "${azurerm_public_ip.test_standard.id}"
 }
 backend_address_pool {
 name = "${local.backend_address_pool_name}"
@@ -3068,7 +3075,7 @@ resource "azurerm_application_gateway" "test" {
 backend_http_settings_name = "${local.http_setting_name}"
 }
 }
-`, template, rInt)
+`, template, rInt, rInt)
 }
 
 func testAccAzureRMApplicationGateway_sslPolicy_disabledProtocols(rInt int, location string) string {
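Review bot: The `+resource "azurerm_public_ip" "test_standard"` block added in the first hunk is a verbatim copy of the block already present in the fixtures at the hunks above, and each copy forces its own `%d`/`rInt` pairing — this commit's third hunk has to change `` `, template, rInt) `` to `` `, template, rInt, rInt) `` just to feed it. Hoisting the Standard-SKU public IP into `testAccAzureRMApplicationGateway_template` (or a small shared helper that returns the block) would remove the duplication and the risk of an unpaired `%d` in the next fixture. The enclosing fixture function starts outside the hunk, so its signature is not visible here.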
@@ -3182,7 +3189,7 @@ resource "azurerm_application_gateway" "test" {
 }
 frontend_ip_configuration {
 name = "${local.frontend_ip_configuration_name}"
- public_ip_address_id = "${azurerm_public_ip.test.id}"
+ public_ip_address_id = "${azurerm_public_ip.test_standard.id}"
 }
 backend_address_pool {
 name = "${local.backend_address_pool_name}"