From ffbd930d8317ce32c4cc460826728b65b8af44cb Mon Sep 17 00:00:00 2001 From: Michael Gross Date: Tue, 31 Aug 2021 11:58:30 +0200 Subject: [PATCH 01/12] enhance firewall policy rule collection group to support Azure Firewall Premium features --- ...l_policy_rule_collection_group_resource.go | 73 +++++++++++++++++-- ...icy_rule_collection_group_resource_test.go | 15 ++++ ...policy_rule_collection_group.html.markdown | 11 +++ 3 files changed, 91 insertions(+), 8 deletions(-) diff --git a/internal/services/firewall/firewall_policy_rule_collection_group_resource.go b/internal/services/firewall/firewall_policy_rule_collection_group_resource.go index bafdc6094e86..4917bff195c3 100644 --- a/internal/services/firewall/firewall_policy_rule_collection_group_resource.go +++ b/internal/services/firewall/firewall_policy_rule_collection_group_resource.go @@ -8,6 +8,7 @@ import ( "github.com/Azure/azure-sdk-for-go/services/network/mgmt/2021-02-01/network" "github.com/hashicorp/go-azure-helpers/response" + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation" "github.com/hashicorp/terraform-provider-azurerm/helpers/tf" azValidate "github.com/hashicorp/terraform-provider-azurerm/helpers/validate" "github.com/hashicorp/terraform-provider-azurerm/internal/clients" @@ -15,7 +16,6 @@ import ( "github.com/hashicorp/terraform-provider-azurerm/internal/services/firewall/parse" "github.com/hashicorp/terraform-provider-azurerm/internal/services/firewall/validate" "github.com/hashicorp/terraform-provider-azurerm/internal/tf/pluginsdk" - "github.com/hashicorp/terraform-provider-azurerm/internal/tf/validation" "github.com/hashicorp/terraform-provider-azurerm/internal/timeouts" "github.com/hashicorp/terraform-provider-azurerm/utils" ) 
@@ -95,6 +95,11 @@ func resourceFirewallPolicyRuleCollectionGroup() *pluginsdk.Resource { Required: true, ValidateFunc: validate.FirewallPolicyRuleName(), }, + "description": { + Type: pluginsdk.TypeString, + Required: true, + ValidateFunc: validate.FirewallPolicyRuleName(), + }, "protocols": { Type: pluginsdk.TypeSet, Required: true, @@ -136,6 +141,18 @@ func resourceFirewallPolicyRuleCollectionGroup() *pluginsdk.Resource { ValidateFunc: validation.StringIsNotEmpty, }, }, + "destination_addresses": { + Type: pluginsdk.TypeSet, + Optional: true, + Elem: &pluginsdk.Schema{ + Type: pluginsdk.TypeString, + ValidateFunc: validation.Any( + validation.IsIPAddress, + validation.IsCIDR, + validation.StringInSlice([]string{`*`}, false), + ), + }, + }, "destination_fqdns": { Type: pluginsdk.TypeSet, Optional: true, @@ -144,6 +161,14 @@ func resourceFirewallPolicyRuleCollectionGroup() *pluginsdk.Resource { ValidateFunc: validation.StringIsNotEmpty, }, }, + "destination_urls": { + Type: pluginsdk.TypeSet, + Optional: true, + Elem: &pluginsdk.Schema{ + Type: pluginsdk.TypeString, + ValidateFunc: validation.StringIsNotEmpty, + }, + }, "destination_fqdn_tags": { Type: pluginsdk.TypeSet, Optional: true, @@ -152,6 +177,18 @@ func resourceFirewallPolicyRuleCollectionGroup() *pluginsdk.Resource { ValidateFunc: validation.StringIsNotEmpty, }, }, + "terminate_tls": { + Type: pluginsdk.TypeBool, + Optional: true, + }, + "web_categories": { + Type: pluginsdk.TypeSet, + Optional: true, + Elem: &pluginsdk.Schema{ + Type: pluginsdk.TypeString, + ValidateFunc: validation.StringIsNotEmpty, + }, + }, }, }, }, 
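Review bot: The new `description` field in the `@@ -95,6 +95,11 @@` hunk is validated with `validate.FirewallPolicyRuleName()`, the same validator the `name` field above it uses, so free-text descriptions are presumably held to rule-name constraints (the validator's pattern is not visible here). The later `@@ -97,7 +97,7 @@` hunk in patch 08 relaxes `Required` to `Optional` but keeps this validator. If a description may contain ordinary prose, `ValidateFunc: validation.StringIsNotEmpty,`, already used for the neighbouring string fields, would fit better. The schema function starts and ends outside the hunk.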
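Review bot: `destination_urls`, `terminate_tls` and `web_categories` (hunks `@@ -144,6 +161,14 @@` and `@@ -152,6 +177,18 @@`) are accepted independently of each other, so a rule can list `destination_urls` for an `Https` protocol while `terminate_tls` stays at its false zero value. As far as Azure documents the Premium feature, URL matching on HTTPS traffic depends on TLS inspection, so such a rule may be rejected at apply time or may not filter what its author expects; this is worth confirming against the API. I would at least add a schema comment such as `// destination_urls on Https only takes effect with terminate_tls = true; not enforced here`, and consider rejecting the combination when the rule is expanded. `web_categories` is likewise checked only with `validation.StringIsNotEmpty`, so an unknown category name presumably surfaces only as an API error.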
@@ -564,13 +601,18 @@ func expandFirewallPolicyRuleApplication(input []interface{}) *[]network.BasicFi }) } output := &network.ApplicationRule{ - Name: utils.String(condition["name"].(string)), - RuleType: network.RuleTypeApplicationRule, - Protocols: &protocols, - SourceAddresses: utils.ExpandStringSlice(condition["source_addresses"].(*pluginsdk.Set).List()), - SourceIPGroups: utils.ExpandStringSlice(condition["source_ip_groups"].(*pluginsdk.Set).List()), - TargetFqdns: utils.ExpandStringSlice(condition["destination_fqdns"].(*pluginsdk.Set).List()), - FqdnTags: utils.ExpandStringSlice(condition["destination_fqdn_tags"].(*pluginsdk.Set).List()), + Name: utils.String(condition["name"].(string)), + Description: utils.String(condition["description"].(string)), + RuleType: network.RuleTypeApplicationRule, + Protocols: &protocols, + SourceAddresses: utils.ExpandStringSlice(condition["source_addresses"].(*pluginsdk.Set).List()), + SourceIPGroups: utils.ExpandStringSlice(condition["source_ip_groups"].(*pluginsdk.Set).List()), + DestinationAddresses: utils.ExpandStringSlice(condition["destination_addresses"].(*pluginsdk.Set).List()), + TargetFqdns: utils.ExpandStringSlice(condition["destination_fqdns"].(*pluginsdk.Set).List()), + TargetUrls: utils.ExpandStringSlice(condition["destination_urls"].(*pluginsdk.Set).List()), + FqdnTags: utils.ExpandStringSlice(condition["destination_fqdn_tags"].(*pluginsdk.Set).List()), + TerminateTLS: utils.Bool(condition["terminate_tls"]), + WebCategories: utils.ExpandStringSlice(condition["web_categories"].(*pluginsdk.Set).List()), } result = append(result, output) } 
@@ -739,6 +781,16 @@ func flattenFirewallPolicyRuleApplication(input *[]network.BasicFirewallPolicyRu name = *rule.Name } + var description string + if rule.Description != nil { + description = *rule.Description + } + + var terminate_tls bool + if rule.TerminateTLS != nil { + terminate_tls = *rule.TerminateTLS + } + protocols := make([]interface{}, 0) if rule.Protocols != nil { for _, protocol := range *rule.Protocols { @@ -755,11 +807,16 @@ func flattenFirewallPolicyRuleApplication(input *[]network.BasicFirewallPolicyRu output = append(output, map[string]interface{}{ "name": name, + "description": description, "protocols": protocols, "source_addresses": utils.FlattenStringSlice(rule.SourceAddresses), "source_ip_groups": utils.FlattenStringSlice(rule.SourceIPGroups), + "destination_addresses": utils.FlattenStringSlice(rule.DestinationAddresses), + "destination_urls": utils.FlattenStringSlice(rule.TargetUrls), "destination_fqdns": utils.FlattenStringSlice(rule.TargetFqdns), "destination_fqdn_tags": utils.FlattenStringSlice(rule.FqdnTags), + "terminate_tls": terminate_tls, + "web_categories": utils.FlattenStringSlice(rule.WebCategories), }) } diff --git a/internal/services/firewall/firewall_policy_rule_collection_group_resource_test.go b/internal/services/firewall/firewall_policy_rule_collection_group_resource_test.go index 26ba5816d7aa..8ee42406a22d 100644 --- a/internal/services/firewall/firewall_policy_rule_collection_group_resource_test.go +++ b/internal/services/firewall/firewall_policy_rule_collection_group_resource_test.go @@ -174,6 +174,7 @@ resource "azurerm_firewall_policy_rule_collection_group" "test" { action = "Deny" rule { name = "app_rule_collection1_rule1" + description = "app_rule_collection1_rule1" protocols { type = "Http" port = 80 
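Review bot: The local `terminate_tls` added in the `@@ -739,6 +781,16 @@` hunk uses an underscore, which goes against Go's MixedCaps naming and will be flagged by linters; the `description` local added beside it is fine. I would write `var terminateTLS bool` and `terminateTLS = *rule.TerminateTLS`, and in the following `@@ -755,11 +807,16 @@` hunk `"terminate_tls": terminateTLS,`. Only the Go identifier changes; the schema key string stays `terminate_tls`. The body of `flattenFirewallPolicyRuleApplication` starts and ends outside both hunks.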
@@ -183,10 +184,15 @@ resource "azurerm_firewall_policy_rule_collection_group" "test" { port = 443 } source_addresses = ["10.0.0.1"] + destination_addresses = ["10.0.0.1"] + destination_urls = ["www.google.com/en"] destination_fqdns = ["pluginsdk.io"] + terminate_tls = true + web_categories = ["Liability"] } rule { name = "app_rule_collection1_rule2" + description = "app_rule_collection1_rule2" protocols { type = "Http" port = 80 @@ -196,10 +202,15 @@ resource "azurerm_firewall_policy_rule_collection_group" "test" { port = 443 } source_ip_groups = [azurerm_ip_group.test_source.id] + destination_addresses = ["10.0.0.1"] + destination_urls = ["www.google.com/en"] destination_fqdns = ["pluginsdk.io"] + terminate_tls = true + web_categories = ["Liability"] } rule { name = "app_rule_collection1_rule3" + description = "app_rule_collection1_rule3" protocols { type = "Http" port = 80 @@ -209,7 +220,11 @@ resource "azurerm_firewall_policy_rule_collection_group" "test" { port = 443 } source_addresses = ["10.0.0.1"] + destination_addresses = ["10.0.0.1"] + destination_urls = ["www.google.com/en"] destination_fqdn_tags = ["WindowsDiagnostics"] + terminate_tls = true + web_categories = ["Liability"] } } diff --git a/website/docs/r/firewall_policy_rule_collection_group.html.markdown b/website/docs/r/firewall_policy_rule_collection_group.html.markdown index 0fa32ceae71e..63a2fb491eb0 100644 --- a/website/docs/r/firewall_policy_rule_collection_group.html.markdown +++ b/website/docs/r/firewall_policy_rule_collection_group.html.markdown 
@@ -137,16 +137,27 @@ A `rule` (application rule) block supports the following: * `name` - (Required) The name which should be used for this rule. +* `description` - (Optional) The description which should be used for this rule. + * `protocols` - (Required) One or more `protocols` blocks as defined below. * `source_addresses` - (Optional) Specifies a list of source IP addresses (including CIDR and `*`). * `source_ip_groups` - (Optional) Specifies a list of source IP groups. +* `destination_addresses` - (Optional) Specifies a list of destination IP addresses (including CIDR and `*`). + +* `destination_urls` - (Optional) Specifies a list of destination URLs for which policy should hold. + * `destination_fqdns` - (Optional) Specifies a list of destination FQDNs. * `destination_fqdn_tags` - (Optional) Specifies a list of destination FQDN tags. +* `terminate_tls` - (Optional) Boolean specifying if TLS shall be terminated (true) or not (false). + +* `web_categories` - (Optional) Specifies a list of web categories to which access is denied or allowed depending on the value of `action` above. + + --- A `rule` (network rule) block supports the following: From 156647dc83e385ad61ac0e9ce4f43b073fb6fa17 Mon Sep 17 00:00:00 2001 From: Michael Gross Date: Tue, 31 Aug 2021 13:40:32 +0200 Subject: [PATCH 02/12] fix: convert tls_terminate condition to bool --- .../firewall/firewall_policy_rule_collection_group_resource.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/internal/services/firewall/firewall_policy_rule_collection_group_resource.go b/internal/services/firewall/firewall_policy_rule_collection_group_resource.go index 4917bff195c3..347d7beb3fb0 100644 --- a/internal/services/firewall/firewall_policy_rule_collection_group_resource.go +++ b/internal/services/firewall/firewall_policy_rule_collection_group_resource.go 
@@ -611,7 +611,7 @@ func expandFirewallPolicyRuleApplication(input []interface{}) *[]network.BasicFi TargetFqdns: utils.ExpandStringSlice(condition["destination_fqdns"].(*pluginsdk.Set).List()), TargetUrls: utils.ExpandStringSlice(condition["destination_urls"].(*pluginsdk.Set).List()), FqdnTags: utils.ExpandStringSlice(condition["destination_fqdn_tags"].(*pluginsdk.Set).List()), - TerminateTLS: utils.Bool(condition["terminate_tls"]), + TerminateTLS: utils.Bool(condition["terminate_tls"].(bool)), WebCategories: utils.ExpandStringSlice(condition["web_categories"].(*pluginsdk.Set).List()), } result = append(result, output) From c246487668108afc19d48cc016c87482dc0b7baf Mon Sep 17 00:00:00 2001 From: Michael Gross Date: Tue, 31 Aug 2021 14:03:45 +0200 Subject: [PATCH 03/12] make terrafmt --- ...icy_rule_collection_group_resource_test.go | 32 +++++++++---------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/internal/services/firewall/firewall_policy_rule_collection_group_resource_test.go b/internal/services/firewall/firewall_policy_rule_collection_group_resource_test.go index 8ee42406a22d..b45c8c777d01 100644 --- a/internal/services/firewall/firewall_policy_rule_collection_group_resource_test.go +++ b/internal/services/firewall/firewall_policy_rule_collection_group_resource_test.go @@ -173,7 +173,7 @@ resource "azurerm_firewall_policy_rule_collection_group" "test" { priority = 500 action = "Deny" rule { - name = "app_rule_collection1_rule1" + name = "app_rule_collection1_rule1" description = "app_rule_collection1_rule1" protocols { type = "Http" 
@@ -183,15 +183,15 @@ resource "azurerm_firewall_policy_rule_collection_group" "test" { type = "Https" port = 443 } - source_addresses = ["10.0.0.1"] + source_addresses = ["10.0.0.1"] destination_addresses = ["10.0.0.1"] - destination_urls = ["www.google.com/en"] - destination_fqdns = ["pluginsdk.io"] - terminate_tls = true - web_categories = ["Liability"] + destination_urls = ["www.google.com/en"] + destination_fqdns = ["pluginsdk.io"] + terminate_tls = true + web_categories = ["Liability"] } rule { - name = "app_rule_collection1_rule2" + name = "app_rule_collection1_rule2" description = "app_rule_collection1_rule2" protocols { type = "Http" @@ -201,15 +201,15 @@ resource "azurerm_firewall_policy_rule_collection_group" "test" { type = "Https" port = 443 } - source_ip_groups = [azurerm_ip_group.test_source.id] + source_ip_groups = [azurerm_ip_group.test_source.id] destination_addresses = ["10.0.0.1"] - destination_urls = ["www.google.com/en"] - destination_fqdns = ["pluginsdk.io"] - terminate_tls = true - web_categories = ["Liability"] + destination_urls = ["www.google.com/en"] + destination_fqdns = ["pluginsdk.io"] + terminate_tls = true + web_categories = ["Liability"] } rule { - name = "app_rule_collection1_rule3" + name = "app_rule_collection1_rule3" description = "app_rule_collection1_rule3" protocols { type = "Http" @@ -221,10 +221,10 @@ resource "azurerm_firewall_policy_rule_collection_group" "test" { } source_addresses = ["10.0.0.1"] destination_addresses = ["10.0.0.1"] - destination_urls = ["www.google.com/en"] + destination_urls = ["www.google.com/en"] destination_fqdn_tags = ["WindowsDiagnostics"] - terminate_tls = true - web_categories = ["Liability"] + terminate_tls = true + web_categories = ["Liability"] } } From afe6fbcf81d1d835206c2fc4098993eb7d3d3fa2 Mon Sep 17 00:00:00 2001 
From: Michael Gross Date: Wed, 1 Sep 2021 08:38:59 +0200 Subject: [PATCH 04/12] fix web_categories in test --- .../firewall_policy_rule_collection_group_resource_test.go | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/internal/services/firewall/firewall_policy_rule_collection_group_resource_test.go b/internal/services/firewall/firewall_policy_rule_collection_group_resource_test.go index b45c8c777d01..90ca0a50bad6 100644 --- a/internal/services/firewall/firewall_policy_rule_collection_group_resource_test.go +++ b/internal/services/firewall/firewall_policy_rule_collection_group_resource_test.go @@ -188,7 +188,7 @@ resource "azurerm_firewall_policy_rule_collection_group" "test" { destination_urls = ["www.google.com/en"] destination_fqdns = ["pluginsdk.io"] terminate_tls = true - web_categories = ["Liability"] + web_categories = ["News"] } rule { name = "app_rule_collection1_rule2" @@ -206,7 +206,7 @@ resource "azurerm_firewall_policy_rule_collection_group" "test" { destination_urls = ["www.google.com/en"] destination_fqdns = ["pluginsdk.io"] terminate_tls = true - web_categories = ["Liability"] + web_categories = ["News"] } rule { name = "app_rule_collection1_rule3" @@ -224,7 +224,7 @@ resource "azurerm_firewall_policy_rule_collection_group" "test" { destination_urls = ["www.google.com/en"] destination_fqdn_tags = ["WindowsDiagnostics"] terminate_tls = true - web_categories = ["Liability"] + web_categories = ["News"] } } From 9145c332a5428fd8c076fe58e3e3db1c754910c3 Mon Sep 17 00:00:00 2001 From: Michael Gross Date: Wed, 1 Sep 2021 08:43:39 +0200 Subject: [PATCH 05/12] set protocols attribute to optional as only required for Target FQDNs but not for FQDN tags --- .../firewall/firewall_policy_rule_collection_group_resource.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/internal/services/firewall/firewall_policy_rule_collection_group_resource.go b/internal/services/firewall/firewall_policy_rule_collection_group_resource.go index 347d7beb3fb0..a9f7be35c673 100644 --- a/internal/services/firewall/firewall_policy_rule_collection_group_resource.go +++ b/internal/services/firewall/firewall_policy_rule_collection_group_resource.go @@ -102,7 +102,7 @@ func resourceFirewallPolicyRuleCollectionGroup() *pluginsdk.Resource { }, "protocols": { Type: pluginsdk.TypeSet, - Required: true, + Optional: true, Elem: &pluginsdk.Resource{ Schema: map[string]*pluginsdk.Schema{ "type": { From b1d34a5d3c8de8c78c7821640291252023aab314 Mon Sep 17 00:00:00 2001 From: Michael Gross Date: Wed, 1 Sep 2021 18:15:31 +0200 Subject: [PATCH 06/12] resolve test conflicts --- .../firewall_policy_rule_collection_group_resource_test.go | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/internal/services/firewall/firewall_policy_rule_collection_group_resource_test.go b/internal/services/firewall/firewall_policy_rule_collection_group_resource_test.go index 90ca0a50bad6..4d7f2fada627 100644 --- a/internal/services/firewall/firewall_policy_rule_collection_group_resource_test.go +++ b/internal/services/firewall/firewall_policy_rule_collection_group_resource_test.go @@ -144,6 +144,7 @@ resource "azurerm_firewall_policy" "test" { name = "acctest-fwpolicy-RCG-%[1]d" resource_group_name = azurerm_resource_group.test.name location = azurerm_resource_group.test.location + sku = "Premium" dns { network_rule_fqdn_enabled = false proxy_enabled = true @@ -186,7 +187,6 @@ resource "azurerm_firewall_policy_rule_collection_group" "test" { source_addresses = ["10.0.0.1"] destination_addresses = ["10.0.0.1"] destination_urls = ["www.google.com/en"] - destination_fqdns = ["pluginsdk.io"] terminate_tls = true web_categories = ["News"] } 
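Review bot: With `protocols` switched to `Optional: true` in the `@@ -102,7 +102,7 @@` hunk, nothing visible in the schema stops a rule that sets `destination_fqdns` (or `destination_urls`) without any `protocols` block. The documentation change in patch 07 states that `protocols` is still required with `destination_fqdns`, so the constraint now lives only in prose, and a misconfigured rule is presumably caught only when the API rejects it. Consider enforcing it where the rule is expanded, returning an error when `destination_fqdns` is non-empty and `protocols` is empty, and adding a comment on the field such as `// optional only for rules that use destination_fqdn_tags`. The surrounding schema definition lies outside the hunk, so an existing cross-field check elsewhere cannot be ruled out.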
@@ -203,7 +203,6 @@ resource "azurerm_firewall_policy_rule_collection_group" "test" { } source_ip_groups = [azurerm_ip_group.test_source.id] destination_addresses = ["10.0.0.1"] - destination_urls = ["www.google.com/en"] destination_fqdns = ["pluginsdk.io"] terminate_tls = true web_categories = ["News"] @@ -222,7 +221,6 @@ resource "azurerm_firewall_policy_rule_collection_group" "test" { source_addresses = ["10.0.0.1"] destination_addresses = ["10.0.0.1"] destination_urls = ["www.google.com/en"] - destination_fqdn_tags = ["WindowsDiagnostics"] terminate_tls = true web_categories = ["News"] } From f175f12f9a8b88529b932bd7f9c72aee5e9c11bb Mon Sep 17 00:00:00 2001 From: Michael Gross Date: Wed, 1 Sep 2021 18:27:41 +0200 Subject: [PATCH 07/12] update docs --- ...firewall_policy_rule_collection_group.html.markdown | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/website/docs/r/firewall_policy_rule_collection_group.html.markdown b/website/docs/r/firewall_policy_rule_collection_group.html.markdown index 63a2fb491eb0..259d6f0b355a 100644 --- a/website/docs/r/firewall_policy_rule_collection_group.html.markdown +++ b/website/docs/r/firewall_policy_rule_collection_group.html.markdown @@ -139,7 +139,7 @@ A `rule` (application rule) block supports the following: * `description` - (Optional) The description which should be used for this rule. -* `protocols` - (Required) One or more `protocols` blocks as defined below. +* `protocols` - (Optional) One or more `protocols` blocks as defined below. Not required when specifying `destination_fqdn_tags`, but required when specifying `destination_fqdns`. * `source_addresses` - (Optional) Specifies a list of source IP addresses (including CIDR and `*`). 
@@ -147,15 +147,15 @@ A `rule` (application rule) block supports the following: * `destination_addresses` - (Optional) Specifies a list of destination IP addresses (including CIDR and `*`). -* `destination_urls` - (Optional) Specifies a list of destination URLs for which policy should hold. +* `destination_urls` - (Optional) Specifies a list of destination URLs for which policy should hold. Needs Premium SKU for Firewall Policy. Conflicts with `destination_fqdns`. -* `destination_fqdns` - (Optional) Specifies a list of destination FQDNs. +* `destination_fqdns` - (Optional) Specifies a list of destination FQDNs. Conflicts with `destination_urls`. * `destination_fqdn_tags` - (Optional) Specifies a list of destination FQDN tags. -* `terminate_tls` - (Optional) Boolean specifying if TLS shall be terminated (true) or not (false). +* `terminate_tls` - (Optional) Boolean specifying if TLS shall be terminated (true) or not (false). Needs Premium SKU for Firewall Policy. -* `web_categories` - (Optional) Specifies a list of web categories to which access is denied or allowed depending on the value of `action` above. +* `web_categories` - (Optional) Specifies a list of web categories to which access is denied or allowed depending on the value of `action` above. Needs Premium SKU for Firewall Policy. --- From 706a2a24558ff96230e7215766f6656c1b0609f7 Mon Sep 17 00:00:00 2001 From: Michael Gross Date: Thu, 2 Sep 2021 21:28:37 +0200 Subject: [PATCH 08/12] fix tests --- ...l_policy_rule_collection_group_resource.go | 2 +- ...icy_rule_collection_group_resource_test.go | 323 +++++++++++++++++- 2 files changed, 318 insertions(+), 7 deletions(-) diff --git a/internal/services/firewall/firewall_policy_rule_collection_group_resource.go b/internal/services/firewall/firewall_policy_rule_collection_group_resource.go index a9f7be35c673..521432e3e6f0 100644 --- a/internal/services/firewall/firewall_policy_rule_collection_group_resource.go 
+++ b/internal/services/firewall/firewall_policy_rule_collection_group_resource.go @@ -97,7 +97,7 @@ func resourceFirewallPolicyRuleCollectionGroup() *pluginsdk.Resource { }, "description": { Type: pluginsdk.TypeString, - Required: true, + Optional: true, ValidateFunc: validate.FirewallPolicyRuleName(), }, "protocols": { diff --git a/internal/services/firewall/firewall_policy_rule_collection_group_resource_test.go b/internal/services/firewall/firewall_policy_rule_collection_group_resource_test.go index 4d7f2fada627..3529188fc8f7 100644 --- a/internal/services/firewall/firewall_policy_rule_collection_group_resource_test.go +++ b/internal/services/firewall/firewall_policy_rule_collection_group_resource_test.go @@ -113,12 +113,18 @@ provider "azurerm" { resource "azurerm_resource_group" "test" { name = "acctestRG-fwpolicy-RCG-%[1]d" location = "%[2]s" + lifecycle { + ignore_changes = [tags] + } } resource "azurerm_firewall_policy" "test" { name = "acctest-fwpolicy-RCG-%[1]d" resource_group_name = azurerm_resource_group.test.name location = azurerm_resource_group.test.location + lifecycle { + ignore_changes = [tags] + } } resource "azurerm_firewall_policy_rule_collection_group" "test" { 
@@ -134,10 +140,291 @@ func (FirewallPolicyRuleCollectionGroupResource) complete(data acceptance.TestDa provider "azurerm" { features {} } +resource "azurerm_resource_group" "test" { + name = "acctestRG-fwpolicy-RCG-%[1]d" + location = "%[2]s" + lifecycle { + ignore_changes = [tags] + } +} +resource "azurerm_firewall_policy" "test" { + name = "acctest-fwpolicy-RCG-%[1]d" + resource_group_name = azurerm_resource_group.test.name + location = azurerm_resource_group.test.location + dns { + network_rule_fqdn_enabled = false + proxy_enabled = true + } + lifecycle { + ignore_changes = [tags] + } +} +resource "azurerm_ip_group" "test_source" { + name = "acctestIpGroupForFirewallPolicySource" + location = azurerm_resource_group.test.location + resource_group_name = azurerm_resource_group.test.name + cidrs = ["1.2.3.4/32", "12.34.56.0/24"] + lifecycle { + ignore_changes = [tags] + } +} +resource "azurerm_ip_group" "test_destination" { + name = "acctestIpGroupForFirewallPolicyDest" + location = azurerm_resource_group.test.location + resource_group_name = azurerm_resource_group.test.name + cidrs = ["192.168.0.0/25", "192.168.0.192/26"] + lifecycle { + ignore_changes = [tags] + } +} +resource "azurerm_firewall_policy_rule_collection_group" "test" { + name = "acctest-fwpolicy-RCG-%[1]d" + firewall_policy_id = azurerm_firewall_policy.test.id + priority = 500 + application_rule_collection { + name = "app_rule_collection1" + priority = 500 + action = "Deny" + rule { + name = "app_rule_collection1_rule1" + protocols { + type = "Http" + port = 80 + } + protocols { + type = "Https" + port = 443 + } + source_addresses = ["10.0.0.1"] + destination_fqdns = ["pluginsdk.io"] + } + rule { + name = "app_rule_collection1_rule2" + protocols { + type = "Http" + port = 80 + } + protocols { + type = "Https" + port = 443 + } + source_ip_groups = [azurerm_ip_group.test_source.id] + destination_fqdns = ["pluginsdk.io"] + } + rule { + name = "app_rule_collection1_rule3" + protocols { + type = "Http" 
+ port = 80 + } + protocols { + type = "Https" + port = 443 + } + source_addresses = ["10.0.0.1"] + destination_fqdn_tags = ["WindowsDiagnostics"] + } + } + network_rule_collection { + name = "network_rule_collection1" + priority = 400 + action = "Deny" + rule { + name = "network_rule_collection1_rule1" + protocols = ["TCP", "UDP"] + source_addresses = ["10.0.0.1"] + destination_addresses = ["192.168.1.1", "ApiManagement"] + destination_ports = ["80", "1000-2000"] + } + rule { + name = "network_rule_collection1_rule2" + protocols = ["TCP", "UDP"] + source_addresses = ["10.0.0.1"] + destination_fqdns = ["time.windows.com"] + destination_ports = ["80", "1000-2000"] + } + rule { + name = "network_rule_collection1_rule3" + protocols = ["TCP", "UDP"] + source_ip_groups = [azurerm_ip_group.test_source.id] + destination_ip_groups = [azurerm_ip_group.test_destination.id] + destination_ports = ["80", "1000-2000"] + } + rule { + name = "network_rule_collection1_rule4" + protocols = ["ICMP"] + source_ip_groups = [azurerm_ip_group.test_source.id] + destination_ip_groups = [azurerm_ip_group.test_destination.id] + destination_ports = ["*"] + } + } + nat_rule_collection { + name = "nat_rule_collection1" + priority = 300 + action = "Dnat" + rule { + name = "nat_rule_collection1_rule1" + protocols = ["TCP", "UDP"] + source_addresses = ["10.0.0.1", "10.0.0.2"] + destination_address = "192.168.1.1" + destination_ports = ["80"] + translated_address = "192.168.0.1" + translated_port = "8080" + } + rule { + name = "nat_rule_collection1_rule2" + protocols = ["TCP", "UDP"] + source_ip_groups = [azurerm_ip_group.test_source.id] + destination_address = "192.168.1.1" + destination_ports = ["80"] + translated_address = "192.168.0.1" + translated_port = "8080" + } + } +} +`, data.RandomInteger, data.Locations.Primary) +} + +func (FirewallPolicyRuleCollectionGroupResource) update(data acceptance.TestData) string { + return fmt.Sprintf(` +provider "azurerm" { + features {} +} +resource 
"azurerm_resource_group" "test" { + name = "acctestRG-fwpolicy-RCG-%[1]d" + location = "%[2]s" + lifecycle { + ignore_changes = [tags] + } +} +resource "azurerm_firewall_policy" "test" { + name = "acctest-fwpolicy-RCG-%[1]d" + resource_group_name = azurerm_resource_group.test.name + location = azurerm_resource_group.test.location + dns { + network_rule_fqdn_enabled = false + proxy_enabled = true + } +} +resource "azurerm_ip_group" "test_source" { + name = "acctestIpGroupForFirewallPolicySource" + location = azurerm_resource_group.test.location + resource_group_name = azurerm_resource_group.test.name + cidrs = ["1.2.3.4/32", "12.34.56.0/24"] +} +resource "azurerm_ip_group" "test_destination" { + name = "acctestIpGroupForFirewallPolicyDest" + location = azurerm_resource_group.test.location + resource_group_name = azurerm_resource_group.test.name + cidrs = ["192.168.0.0/25", "192.168.0.192/26"] +} +resource "azurerm_firewall_policy_rule_collection_group" "test" { + name = "acctest-fwpolicy-RCG-%[1]d" + firewall_policy_id = azurerm_firewall_policy.test.id + priority = 500 + application_rule_collection { + name = "app_rule_collection1" + priority = 500 + action = "Deny" + rule { + name = "app_rule_collection1_rule1" + protocols { + type = "Http" + port = 80 + } + protocols { + type = "Https" + port = 443 + } + source_addresses = ["10.0.0.1", "10.0.0.2"] + destination_fqdns = ["pluginsdk.io"] + } + rule { + name = "app_rule_collection1_rule2" + protocols { + type = "Http" + port = 80 + } + source_ip_groups = [azurerm_ip_group.test_source.id] + destination_fqdns = ["pluginsdk.io"] + } + rule { + name = "app_rule_collection1_rule3" + protocols { + type = "Http" + port = 80 + } + protocols { + type = "Https" + port = 443 + } + source_addresses = ["10.0.0.1", "10.0.0.2"] + destination_fqdn_tags = ["WindowsDiagnostics"] + } + } + network_rule_collection { + name = "network_rule_collection1" + priority = 400 + action = "Deny" + rule { + name = "network_rule_collection1_rule1" 
+ protocols = ["TCP", "UDP"] + source_addresses = ["10.0.0.1"] + destination_addresses = ["192.168.1.2", "ApiManagement"] + destination_ports = ["80", "1-65535"] + } + rule { + name = "network_rule_collection1_rule2" + protocols = ["TCP", "UDP"] + source_addresses = ["10.0.0.1", "10.0.0.2"] + destination_fqdns = ["time.windows.com"] + destination_ports = ["80", "1-65535"] + } + rule { + name = "network_rule_collection1_rule3" + protocols = ["TCP"] + source_ip_groups = [azurerm_ip_group.test_source.id] + destination_ip_groups = [azurerm_ip_group.test_destination.id] + destination_ports = ["80", "1-65535"] + } + rule { + name = "network_rule_collection1_rule4" + protocols = ["ICMP"] + source_ip_groups = [azurerm_ip_group.test_source.id] + destination_ip_groups = [azurerm_ip_group.test_destination.id] + destination_ports = ["*"] + } + } + nat_rule_collection { + name = "nat_rule_collection1" + priority = 300 + action = "Dnat" + rule { + name = "nat_rule_collection1_rule1" + protocols = ["TCP", "UDP"] + source_addresses = ["10.0.0.1", "10.0.0.2"] + destination_address = "192.168.1.1" + destination_ports = ["80"] + translated_address = "192.168.0.1" + translated_port = "8080" + } + } +} +`, data.RandomInteger, data.Locations.Primary) +} + +func (FirewallPolicyRuleCollectionGroupResource) completePremium(data acceptance.TestData) string { + return fmt.Sprintf(` +provider "azurerm" { + features {} +} resource "azurerm_resource_group" "test" { name = "acctestRG-fwpolicy-RCG-%[1]d" location = "%[2]s" + lifecycle { + ignore_changes = [tags] + } } resource "azurerm_firewall_policy" "test" { @@ -149,6 +436,9 @@ resource "azurerm_firewall_policy" "test" { network_rule_fqdn_enabled = false proxy_enabled = true } + lifecycle { + ignore_changes = [tags] + } } resource "azurerm_ip_group" "test_source" { 
@@ -156,6 +446,9 @@ resource "azurerm_ip_group" "test_source" { location = azurerm_resource_group.test.location resource_group_name = azurerm_resource_group.test.name cidrs = ["1.2.3.4/32", "12.34.56.0/24"] + lifecycle { + ignore_changes = [tags] + } } resource "azurerm_ip_group" "test_destination" { @@ -163,6 +456,9 @@ resource "azurerm_ip_group" "test_destination" { location = azurerm_resource_group.test.location resource_group_name = azurerm_resource_group.test.name cidrs = ["192.168.0.0/25", "192.168.0.192/26"] + lifecycle { + ignore_changes = [tags] + } } resource "azurerm_firewall_policy_rule_collection_group" "test" { @@ -287,7 +583,7 @@ resource "azurerm_firewall_policy_rule_collection_group" "test" { `, data.RandomInteger, data.Locations.Primary) } -func (FirewallPolicyRuleCollectionGroupResource) update(data acceptance.TestData) string { +func (FirewallPolicyRuleCollectionGroupResource) updatePremium(data acceptance.TestData) string { return fmt.Sprintf(` provider "azurerm" { features {} @@ -296,6 +592,9 @@ provider "azurerm" { resource "azurerm_resource_group" "test" { name = "acctestRG-fwpolicy-RCG-%[1]d" location = "%[2]s" + lifecycle { + ignore_changes = [tags] + } } resource "azurerm_firewall_policy" "test" { @@ -332,6 +631,7 @@ resource "azurerm_firewall_policy_rule_collection_group" "test" { action = "Deny" rule { name = "app_rule_collection1_rule1" + description = "app_rule_collection1_rule1" protocols { type = "Http" port = 80 
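Review bot: The `azurerm_firewall_policy.test` in `updatePremium` appears to be left without `sku = "Premium"`. The `@@ -296,6 +592,9 @@` hunk touches only the resource group, and no visible hunk adds the SKU to this policy, whereas the `completePremium` policy received it in patch 06. The rules in the same config gain `destination_urls`, `terminate_tls` and `web_categories` (hunks `@@ -332,6 +631,7 @@` to `@@ -363,7 +671,10 @@`), which the documentation in this series marks as needing the Premium SKU. If that reading is right, the update step would either fail or try to change the policy SKU mid-test; adding `sku = "Premium"` to the policy block in `updatePremium` would keep both steps on the same tier. Patches 10 to 12 are not visible here and may already address this.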
@@ -340,20 +640,28 @@ resource "azurerm_firewall_policy_rule_collection_group" "test" { type = "Https" port = 443 } - source_addresses = ["10.0.0.1", "10.0.0.2"] - destination_fqdns = ["pluginsdk.io"] + source_addresses = ["10.0.0.1"] + destination_addresses = ["10.0.0.1"] + destination_urls = ["www.google.com/en"] + terminate_tls = true + web_categories = ["News"] } rule { name = "app_rule_collection1_rule2" + description = "app_rule_collection1_rule2" protocols { type = "Http" port = 80 } - source_ip_groups = [azurerm_ip_group.test_source.id] - destination_fqdns = ["pluginsdk.io"] + source_ip_groups = [azurerm_ip_group.test_source.id] + destination_addresses = ["10.0.0.1"] + destination_fqdns = ["pluginsdk.io"] + terminate_tls = true + web_categories = ["News"] } rule { name = "app_rule_collection1_rule3" + description = "app_rule_collection1_rule3" protocols { type = "Http" port = 80 @@ -363,7 +671,10 @@ resource "azurerm_firewall_policy_rule_collection_group" "test" { port = 443 } source_addresses = ["10.0.0.1", "10.0.0.2"] - destination_fqdn_tags = ["WindowsDiagnostics"] + destination_addresses = ["10.0.0.1", "10.0.0.2"] + destination_urls = ["www.google.com/en"] + terminate_tls = true + web_categories = ["News"] } } From 8d1760c6349ece82d8d46287a94d476fcb86441c Mon Sep 17 00:00:00 2001 From: Michael Gross Date: Thu, 2 Sep 2021 21:32:41 +0200 Subject: [PATCH 09/12] remove lifecycle ignore_changes blocks --- ...icy_rule_collection_group_resource_test.go | 36 ------------------- 1 file changed, 36 deletions(-) diff --git a/internal/services/firewall/firewall_policy_rule_collection_group_resource_test.go b/internal/services/firewall/firewall_policy_rule_collection_group_resource_test.go index 3529188fc8f7..f70470ca8499 100644 --- a/internal/services/firewall/firewall_policy_rule_collection_group_resource_test.go +++ b/internal/services/firewall/firewall_policy_rule_collection_group_resource_test.go 
@@ -113,18 +113,12 @@ provider "azurerm" { resource "azurerm_resource_group" "test" { name = "acctestRG-fwpolicy-RCG-%[1]d" location = "%[2]s" - lifecycle { - ignore_changes = [tags] - } } resource "azurerm_firewall_policy" "test" { name = "acctest-fwpolicy-RCG-%[1]d" resource_group_name = azurerm_resource_group.test.name location = azurerm_resource_group.test.location - lifecycle { - ignore_changes = [tags] - } } resource "azurerm_firewall_policy_rule_collection_group" "test" { @@ -143,9 +137,6 @@ provider "azurerm" { resource "azurerm_resource_group" "test" { name = "acctestRG-fwpolicy-RCG-%[1]d" location = "%[2]s" - lifecycle { - ignore_changes = [tags] - } } resource "azurerm_firewall_policy" "test" { name = "acctest-fwpolicy-RCG-%[1]d" @@ -155,27 +146,18 @@ resource "azurerm_firewall_policy" "test" { network_rule_fqdn_enabled = false proxy_enabled = true } - lifecycle { - ignore_changes = [tags] - } } resource "azurerm_ip_group" "test_source" { name = "acctestIpGroupForFirewallPolicySource" location = azurerm_resource_group.test.location resource_group_name = azurerm_resource_group.test.name cidrs = ["1.2.3.4/32", "12.34.56.0/24"] - lifecycle { - ignore_changes = [tags] - } } resource "azurerm_ip_group" "test_destination" { name = "acctestIpGroupForFirewallPolicyDest" location = azurerm_resource_group.test.location resource_group_name = azurerm_resource_group.test.name cidrs = ["192.168.0.0/25", "192.168.0.192/26"] - lifecycle { - ignore_changes = [tags] - } } resource "azurerm_firewall_policy_rule_collection_group" "test" { name = "acctest-fwpolicy-RCG-%[1]d" @@ -293,9 +275,6 @@ provider "azurerm" { resource "azurerm_resource_group" "test" { name = "acctestRG-fwpolicy-RCG-%[1]d" location = "%[2]s" - lifecycle { - ignore_changes = [tags] - } } resource "azurerm_firewall_policy" "test" { name = "acctest-fwpolicy-RCG-%[1]d" 
@@ -422,9 +401,6 @@ provider "azurerm" { resource "azurerm_resource_group" "test" { name = "acctestRG-fwpolicy-RCG-%[1]d" location = "%[2]s" - lifecycle { - ignore_changes = [tags] - } } resource "azurerm_firewall_policy" "test" { @@ -436,9 +412,6 @@ resource "azurerm_firewall_policy" "test" { network_rule_fqdn_enabled = false proxy_enabled = true } - lifecycle { - ignore_changes = [tags] - } } resource "azurerm_ip_group" "test_source" { @@ -446,9 +419,6 @@ resource "azurerm_ip_group" "test_source" { location = azurerm_resource_group.test.location resource_group_name = azurerm_resource_group.test.name cidrs = ["1.2.3.4/32", "12.34.56.0/24"] - lifecycle { - ignore_changes = [tags] - } } resource "azurerm_ip_group" "test_destination" { @@ -456,9 +426,6 @@ resource "azurerm_ip_group" "test_destination" { location = azurerm_resource_group.test.location resource_group_name = azurerm_resource_group.test.name cidrs = ["192.168.0.0/25", "192.168.0.192/26"] - lifecycle { - ignore_changes = [tags] - } } resource "azurerm_firewall_policy_rule_collection_group" "test" { @@ -592,9 +559,6 @@ provider "azurerm" { resource "azurerm_resource_group" "test" { name = "acctestRG-fwpolicy-RCG-%[1]d" location = "%[2]s" - lifecycle { - ignore_changes = [tags] - } } resource "azurerm_firewall_policy" "test" { From b12912808ce6a3e478a72ed9a5443d2d565c07b8 Mon Sep 17 00:00:00 2001 From: Michael Gross Date: Thu, 2 Sep 2021 21:42:53 +0200 Subject: [PATCH 10/12] add tests for Premium --- ...icy_rule_collection_group_resource_test.go | 44 +++++++++++++++++++ 1 file changed, 44 insertions(+) diff --git a/internal/services/firewall/firewall_policy_rule_collection_group_resource_test.go b/internal/services/firewall/firewall_policy_rule_collection_group_resource_test.go index f70470ca8499..65e2eb24ea2c 100644 --- a/internal/services/firewall/firewall_policy_rule_collection_group_resource_test.go +++ b/internal/services/firewall/firewall_policy_rule_collection_group_resource_test.go 
@@ -46,6 +46,21 @@ func TestAccFirewallPolicyRuleCollectionGroup_complete(t *testing.T) { }) } +func TestAccFirewallPolicyRuleCollectionGroup_completePremium(t *testing.T) { + data := acceptance.BuildTestData(t, "azurerm_firewall_policy_rule_collection_group", "test") + r := FirewallPolicyRuleCollectionGroupResource{} + + data.ResourceTest(t, r, []acceptance.TestStep{ + { + Config: r.completePremium(data), + Check: acceptance.ComposeTestCheckFunc( + check.That(data.ResourceName).ExistsInAzure(r), + ), + }, + data.ImportStep(), + }) +} + func TestAccFirewallPolicyRuleCollectionGroup_update(t *testing.T) { data := acceptance.BuildTestData(t, "azurerm_firewall_policy_rule_collection_group", "test") r := FirewallPolicyRuleCollectionGroupResource{} @@ -75,6 +90,35 @@ func TestAccFirewallPolicyRuleCollectionGroup_update(t *testing.T) { }) } +func TestAccFirewallPolicyRuleCollectionGroup_updatePremium(t *testing.T) { + data := acceptance.BuildTestData(t, "azurerm_firewall_policy_rule_collection_group", "test") + r := FirewallPolicyRuleCollectionGroupResource{} + + data.ResourceTest(t, r, []acceptance.TestStep{ + { + Config: r.completePremium(data), + Check: acceptance.ComposeTestCheckFunc( + check.That(data.ResourceName).ExistsInAzure(r), + ), + }, + data.ImportStep(), + { + Config: r.updatePremium(data), + Check: acceptance.ComposeTestCheckFunc( + check.That(data.ResourceName).ExistsInAzure(r), + ), + }, + data.ImportStep(), + { + Config: r.completePremium(data), + Check: acceptance.ComposeTestCheckFunc( + check.That(data.ResourceName).ExistsInAzure(r), + ), + }, + data.ImportStep(), + }) +} + func TestAccFirewallPolicyRuleCollectionGroup_requiresImport(t *testing.T) { data := acceptance.BuildTestData(t, "azurerm_firewall_policy_rule_collection_group", "test") r := FirewallPolicyRuleCollectionGroupResource{} From 05d3e670bc4a89f5c7ca83b54b0fc9cdcd5f841d Mon Sep 17 00:00:00 2001 
From: Michael Gross Date: Thu, 2 Sep 2021 21:53:13 +0200 Subject: [PATCH 11/12] all tests pass (also Premium) --- ...icy_rule_collection_group_resource_test.go | 60 ++++++++++++------- 1 file changed, 39 insertions(+), 21 deletions(-) diff --git a/internal/services/firewall/firewall_policy_rule_collection_group_resource_test.go b/internal/services/firewall/firewall_policy_rule_collection_group_resource_test.go index 65e2eb24ea2c..b732e2f52da4 100644 --- a/internal/services/firewall/firewall_policy_rule_collection_group_resource_test.go +++ b/internal/services/firewall/firewall_policy_rule_collection_group_resource_test.go @@ -153,18 +153,21 @@ func (FirewallPolicyRuleCollectionGroupResource) basic(data acceptance.TestData) provider "azurerm" { features {} } - resource "azurerm_resource_group" "test" { name = "acctestRG-fwpolicy-RCG-%[1]d" location = "%[2]s" + lifecycle { + ignore_changes = [tags] + } } - resource "azurerm_firewall_policy" "test" { name = "acctest-fwpolicy-RCG-%[1]d" resource_group_name = azurerm_resource_group.test.name location = azurerm_resource_group.test.location + lifecycle { + ignore_changes = [tags] + } } - resource "azurerm_firewall_policy_rule_collection_group" "test" { name = "acctest-fwpolicy-RCG-%[1]d" firewall_policy_id = azurerm_firewall_policy.test.id @@ -181,6 +184,9 @@ provider "azurerm" { resource "azurerm_resource_group" "test" { name = "acctestRG-fwpolicy-RCG-%[1]d" location = "%[2]s" + lifecycle { + ignore_changes = [tags] + } } resource "azurerm_firewall_policy" "test" { name = "acctest-fwpolicy-RCG-%[1]d" 
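Review bot: The `lifecycle { ignore_changes = [tags] }` blocks added in these hunks are applied unevenly: in `updatePremium` only the resource group gets one, while the firewall policy and both IP groups in the @@ -614 hunk are left without, unlike `completePremium`. They look like a workaround for a subscription that stamps tags onto resources (an assumption, the commit message does not say), and in shared acceptance fixtures they hide tag drift from every run. The same hunks, here and in the @@ -441, @@ -456, @@ -599 and @@ -742 hunks, also delete the blank lines between resource blocks, which makes the embedded HCL harder to scan. I would keep the separators and leave the lifecycle blocks out of the committed fixtures.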
@@ -190,18 +196,27 @@ resource "azurerm_firewall_policy" "test" { network_rule_fqdn_enabled = false proxy_enabled = true } + lifecycle { + ignore_changes = [tags] + } } resource "azurerm_ip_group" "test_source" { name = "acctestIpGroupForFirewallPolicySource" location = azurerm_resource_group.test.location resource_group_name = azurerm_resource_group.test.name cidrs = ["1.2.3.4/32", "12.34.56.0/24"] + lifecycle { + ignore_changes = [tags] + } } resource "azurerm_ip_group" "test_destination" { name = "acctestIpGroupForFirewallPolicyDest" location = azurerm_resource_group.test.location resource_group_name = azurerm_resource_group.test.name cidrs = ["192.168.0.0/25", "192.168.0.192/26"] + lifecycle { + ignore_changes = [tags] + } } resource "azurerm_firewall_policy_rule_collection_group" "test" { name = "acctest-fwpolicy-RCG-%[1]d" @@ -319,6 +334,9 @@ provider "azurerm" { resource "azurerm_resource_group" "test" { name = "acctestRG-fwpolicy-RCG-%[1]d" location = "%[2]s" + lifecycle { + ignore_changes = [tags] + } } resource "azurerm_firewall_policy" "test" { name = "acctest-fwpolicy-RCG-%[1]d" @@ -441,12 +459,13 @@ func (FirewallPolicyRuleCollectionGroupResource) completePremium(data acceptance provider "azurerm" { features {} } - resource "azurerm_resource_group" "test" { name = "acctestRG-fwpolicy-RCG-%[1]d" location = "%[2]s" + lifecycle { + ignore_changes = [tags] + } } - resource "azurerm_firewall_policy" "test" { name = "acctest-fwpolicy-RCG-%[1]d" resource_group_name = azurerm_resource_group.test.name 
@@ -456,22 +475,28 @@ resource "azurerm_firewall_policy" "test" { network_rule_fqdn_enabled = false proxy_enabled = true } + lifecycle { + ignore_changes = [tags] + } } - resource "azurerm_ip_group" "test_source" { name = "acctestIpGroupForFirewallPolicySource" location = azurerm_resource_group.test.location resource_group_name = azurerm_resource_group.test.name cidrs = ["1.2.3.4/32", "12.34.56.0/24"] + lifecycle { + ignore_changes = [tags] + } } - resource "azurerm_ip_group" "test_destination" { name = "acctestIpGroupForFirewallPolicyDest" location = azurerm_resource_group.test.location resource_group_name = azurerm_resource_group.test.name cidrs = ["192.168.0.0/25", "192.168.0.192/26"] + lifecycle { + ignore_changes = [tags] + } } - resource "azurerm_firewall_policy_rule_collection_group" "test" { name = "acctest-fwpolicy-RCG-%[1]d" firewall_policy_id = azurerm_firewall_policy.test.id @@ -532,7 +557,6 @@ resource "azurerm_firewall_policy_rule_collection_group" "test" { web_categories = ["News"] } } - network_rule_collection { name = "network_rule_collection1" priority = 400 @@ -566,7 +590,6 @@ resource "azurerm_firewall_policy_rule_collection_group" "test" { destination_ports = ["*"] } } - nat_rule_collection { name = "nat_rule_collection1" priority = 300 @@ -599,12 +622,13 @@ func (FirewallPolicyRuleCollectionGroupResource) updatePremium(data acceptance.T provider "azurerm" { features {} } - resource "azurerm_resource_group" "test" { name = "acctestRG-fwpolicy-RCG-%[1]d" location = "%[2]s" + lifecycle { + ignore_changes = [tags] + } } - resource "azurerm_firewall_policy" "test" { name = "acctest-fwpolicy-RCG-%[1]d" resource_group_name = azurerm_resource_group.test.name 
@@ -614,21 +638,18 @@ resource "azurerm_firewall_policy" "test" { proxy_enabled = true } } - resource "azurerm_ip_group" "test_source" { name = "acctestIpGroupForFirewallPolicySource" location = azurerm_resource_group.test.location resource_group_name = azurerm_resource_group.test.name cidrs = ["1.2.3.4/32", "12.34.56.0/24"] } - resource "azurerm_ip_group" "test_destination" { name = "acctestIpGroupForFirewallPolicyDest" location = azurerm_resource_group.test.location resource_group_name = azurerm_resource_group.test.name cidrs = ["192.168.0.0/25", "192.168.0.192/26"] } - resource "azurerm_firewall_policy_rule_collection_group" "test" { name = "acctest-fwpolicy-RCG-%[1]d" firewall_policy_id = azurerm_firewall_policy.test.id @@ -638,7 +659,7 @@ resource "azurerm_firewall_policy_rule_collection_group" "test" { priority = 500 action = "Deny" rule { - name = "app_rule_collection1_rule1" + name = "app_rule_collection1_rule1" description = "app_rule_collection1_rule1" protocols { type = "Http" @@ -655,7 +676,7 @@ resource "azurerm_firewall_policy_rule_collection_group" "test" { web_categories = ["News"] } rule { - name = "app_rule_collection1_rule2" + name = "app_rule_collection1_rule2" description = "app_rule_collection1_rule2" protocols { type = "Http" @@ -668,7 +689,7 @@ resource "azurerm_firewall_policy_rule_collection_group" "test" { web_categories = ["News"] } rule { - name = "app_rule_collection1_rule3" + name = "app_rule_collection1_rule3" description = "app_rule_collection1_rule3" protocols { type = "Http" @@ -685,7 +706,6 @@ resource "azurerm_firewall_policy_rule_collection_group" "test" { web_categories = ["News"] } } - network_rule_collection { name = "network_rule_collection1" priority = 400 @@ -719,7 +739,6 @@ resource "azurerm_firewall_policy_rule_collection_group" "test" { destination_ports = ["*"] } } - nat_rule_collection { name = "nat_rule_collection1" priority = 300 
@@ -742,7 +761,6 @@ func (FirewallPolicyRuleCollectionGroupResource) requiresImport(data acceptance. template := FirewallPolicyRuleCollectionGroupResource{}.basic(data) return fmt.Sprintf(` %s - resource "azurerm_firewall_policy_rule_collection_group" "import" { name = azurerm_firewall_policy_rule_collection_group.test.name firewall_policy_id = azurerm_firewall_policy_rule_collection_group.test.firewall_policy_id From 0c2ba48e3fd43d2faead27d7e973024a4f3dbe23 Mon Sep 17 00:00:00 2001 From: Michael Gross Date: Thu, 2 Sep 2021 21:56:05 +0200 Subject: [PATCH 12/12] remove lifecycle ignore_changes --- ...icy_rule_collection_group_resource_test.go | 36 ------------------- 1 file changed, 36 deletions(-) diff --git a/internal/services/firewall/firewall_policy_rule_collection_group_resource_test.go b/internal/services/firewall/firewall_policy_rule_collection_group_resource_test.go index b732e2f52da4..32d52379524d 100644 --- a/internal/services/firewall/firewall_policy_rule_collection_group_resource_test.go +++ b/internal/services/firewall/firewall_policy_rule_collection_group_resource_test.go @@ -156,17 +156,11 @@ provider "azurerm" { resource "azurerm_resource_group" "test" { name = "acctestRG-fwpolicy-RCG-%[1]d" location = "%[2]s" - lifecycle { - ignore_changes = [tags] - } } resource "azurerm_firewall_policy" "test" { name = "acctest-fwpolicy-RCG-%[1]d" resource_group_name = azurerm_resource_group.test.name location = azurerm_resource_group.test.location - lifecycle { - ignore_changes = [tags] - } } resource "azurerm_firewall_policy_rule_collection_group" "test" { name = "acctest-fwpolicy-RCG-%[1]d" @@ -184,9 +178,6 @@ provider "azurerm" { resource "azurerm_resource_group" "test" { name = "acctestRG-fwpolicy-RCG-%[1]d" location = "%[2]s" - lifecycle { - ignore_changes = [tags] - } } resource "azurerm_firewall_policy" "test" { name = "acctest-fwpolicy-RCG-%[1]d" 
@@ -196,27 +187,18 @@ resource "azurerm_firewall_policy" "test" { network_rule_fqdn_enabled = false proxy_enabled = true } - lifecycle { - ignore_changes = [tags] - } } resource "azurerm_ip_group" "test_source" { name = "acctestIpGroupForFirewallPolicySource" location = azurerm_resource_group.test.location resource_group_name = azurerm_resource_group.test.name cidrs = ["1.2.3.4/32", "12.34.56.0/24"] - lifecycle { - ignore_changes = [tags] - } } resource "azurerm_ip_group" "test_destination" { name = "acctestIpGroupForFirewallPolicyDest" location = azurerm_resource_group.test.location resource_group_name = azurerm_resource_group.test.name cidrs = ["192.168.0.0/25", "192.168.0.192/26"] - lifecycle { - ignore_changes = [tags] - } } resource "azurerm_firewall_policy_rule_collection_group" "test" { name = "acctest-fwpolicy-RCG-%[1]d" @@ -334,9 +316,6 @@ provider "azurerm" { resource "azurerm_resource_group" "test" { name = "acctestRG-fwpolicy-RCG-%[1]d" location = "%[2]s" - lifecycle { - ignore_changes = [tags] - } } resource "azurerm_firewall_policy" "test" { name = "acctest-fwpolicy-RCG-%[1]d" @@ -462,9 +441,6 @@ provider "azurerm" { resource "azurerm_resource_group" "test" { name = "acctestRG-fwpolicy-RCG-%[1]d" location = "%[2]s" - lifecycle { - ignore_changes = [tags] - } } resource "azurerm_firewall_policy" "test" { name = "acctest-fwpolicy-RCG-%[1]d" 
@@ -475,27 +451,18 @@ resource "azurerm_firewall_policy" "test" { network_rule_fqdn_enabled = false proxy_enabled = true } - lifecycle { - ignore_changes = [tags] - } } resource "azurerm_ip_group" "test_source" { name = "acctestIpGroupForFirewallPolicySource" location = azurerm_resource_group.test.location resource_group_name = azurerm_resource_group.test.name cidrs = ["1.2.3.4/32", "12.34.56.0/24"] - lifecycle { - ignore_changes = [tags] - } } resource "azurerm_ip_group" "test_destination" { name = "acctestIpGroupForFirewallPolicyDest" location = azurerm_resource_group.test.location resource_group_name = azurerm_resource_group.test.name cidrs = ["192.168.0.0/25", "192.168.0.192/26"] - lifecycle { - ignore_changes = [tags] - } } resource "azurerm_firewall_policy_rule_collection_group" "test" { name = "acctest-fwpolicy-RCG-%[1]d" @@ -625,9 +592,6 @@ provider "azurerm" { resource "azurerm_resource_group" "test" { name = "acctestRG-fwpolicy-RCG-%[1]d" location = "%[2]s" - lifecycle { - ignore_changes = [tags] - } } resource "azurerm_firewall_policy" "test" { name = "acctest-fwpolicy-RCG-%[1]d"