azurerm_firewall: support snat private ip ranges

azurerm/internal/services/network/firewall_resource.go

@@ -4,6 +4,7 @@ import (
 	"fmt"
 	"log"
 	"regexp"
+	"strings"
 	"time"
 
 	"github.com/Azure/azure-sdk-for-go/services/network/mgmt/2020-03-01/network"
@@ -79,6 +80,20 @@ func resourceArmFirewall() *schema.Resource {
 				},
 			},
 
+			"private_ip_ranges": {
+				Type:     schema.TypeSet,
+				Optional: true,
+				Computed: true, // By default, service will set it as "IANAPrivateRanges"
+				MinItems: 1,
+				Elem: &schema.Schema{
+					Type: schema.TypeString,
+					ValidateFunc: validation.Any(
+						validation.IsCIDR,
+						validation.StringInSlice([]string{"IANAPrivateRanges"}, false),
+					),
+				},
+			},
+
 			"zones": azure.SchemaMultipleZones(),
 
 			"tags": tags.Schema(),
@@ -134,11 +149,21 @@ func resourceArmFirewallCreateUpdate(d *schema.ResourceData, meta interface{}) e
 		Location: &location,
 		Tags:     tags.Expand(t),
 		AzureFirewallPropertiesFormat: &network.AzureFirewallPropertiesFormat{
-			IPConfigurations: ipConfigs,
+			IPConfigurations:     ipConfigs,
+			AdditionalProperties: make(map[string]*string),
 		},
 		Zones: zones,
 	}
 
+	privateIpRanges := "IANAPrivateRanges"
+	if v, ok := d.GetOk("private_ip_ranges"); ok {
+		rangeSlice := utils.ExpandStringSlice(v.(*schema.Set).List())
+		if rangeSlice != nil {
+			privateIpRanges = strings.Join(*rangeSlice, ",")
+			parameters.AdditionalProperties["Network.SNAT.PrivateRanges"] = &privateIpRanges
+		}
+	}
+
 	if !d.IsNewResource() {
 		exists, err2 := client.Get(ctx, resourceGroup, name)
 		if err2 != nil {
@@ -214,6 +239,17 @@ func resourceArmFirewallRead(d *schema.ResourceData, meta interface{}) error {
 		}
 	}
 
+	var privateIpRanges []interface{}
+	if props := read.AdditionalProperties; props != nil {
+		if v, ok := props["Network.SNAT.PrivateRanges"]; ok && v != nil {
+			ranges := strings.Split(*v, ",")
+			privateIpRanges = utils.FlattenStringSlice(&ranges)
+		}
+	}
+	if err := d.Set("private_ip_ranges", privateIpRanges); err != nil {
+		return fmt.Errorf("Error setting `private_ip_ranges`: %+v", err)
+	}
+
 	if err := d.Set("zones", azure.FlattenZones(read.Zones)); err != nil {
 		return fmt.Errorf("Error setting `zones`: %+v", err)
 	}

azurerm/internal/services/network/tests/firewall_resource_test.go

@@ -326,6 +326,8 @@ resource "azurerm_firewall" "test" {
     subnet_id            = azurerm_subnet.test.id
     public_ip_address_id = azurerm_public_ip.test.id
   }
+
+  private_ip_ranges = ["IANAPrivateRanges", "10.0.0.0/16"]
 }
 `, data.RandomInteger, data.Locations.Primary, data.RandomInteger, data.RandomInteger, data.RandomInteger)
 }

website/docs/r/firewall.html.markdown

@@ -66,6 +66,8 @@ The following arguments are supported:
 
 * `ip_configuration` - (Required) A `ip_configuration` block as documented below.
 
+* `private_ip_ranges` - (Optional) A list of SNAT private CIDR IP ranges, or the special string `IANAPrivateRanges`, which indicates Azure Firewall does not SNAT when the destination IP address is a private range per IANA RFC 1918. Defaults to a list contains only `IANAPrivateRanges`.
+
 * `zones` - (Optional) Specifies the availability zones in which the Azure Firewall should be created.
 
 -> **Please Note**: Availability Zones are [only supported in several regions at this time](https://docs.microsoft.com/en-us/azure/availability-zones/az-overview).