Merge pull request #7437 from magodo/firewall_threat_intel

firewall_resource: support `threat_intel_mode`
hashicorp · Jun 23, 2020 · 6ca8e56 · 6ca8e56
2 parents e334a15 + 0e138b9
commit 6ca8e56
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 0 deletions.
diff --git a/azurerm/internal/services/network/firewall_resource.go b/azurerm/internal/services/network/firewall_resource.go
@@ -79,6 +79,17 @@ func resourceArmFirewall() *schema.Resource {
 				},
 			},
 
+			"threat_intel_mode": {
+				Type:     schema.TypeString,
+				Optional: true,
+				Default:  string(network.AzureFirewallThreatIntelModeAlert),
+				ValidateFunc: validation.StringInSlice([]string{
+					string(network.AzureFirewallThreatIntelModeOff),
+					string(network.AzureFirewallThreatIntelModeAlert),
+					string(network.AzureFirewallThreatIntelModeDeny),
+				}, false),
+			},
+
 			"zones": azure.SchemaMultipleZones(),
 
 			"tags": tags.Schema(),
@@ -135,6 +146,7 @@ func resourceArmFirewallCreateUpdate(d *schema.ResourceData, meta interface{}) e
 		Tags:     tags.Expand(t),
 		AzureFirewallPropertiesFormat: &network.AzureFirewallPropertiesFormat{
 			IPConfigurations: ipConfigs,
+			ThreatIntelMode:  network.AzureFirewallThreatIntelMode(d.Get("threat_intel_mode").(string)),
 		},
 		Zones: zones,
 	}
@@ -212,6 +224,7 @@ func resourceArmFirewallRead(d *schema.ResourceData, meta interface{}) error {
 		if err := d.Set("ip_configuration", flattenArmFirewallIPConfigurations(props.IPConfigurations)); err != nil {
 			return fmt.Errorf("Error setting `ip_configuration`: %+v", err)
 		}
+		d.Set("threat_intel_mode", string(props.ThreatIntelMode))
 	}
 
 	if err := d.Set("zones", azure.FlattenZones(read.Zones)); err != nil {

diff --git a/azurerm/internal/services/network/tests/firewall_resource_test.go b/azurerm/internal/services/network/tests/firewall_resource_test.go
@@ -326,6 +326,7 @@ resource "azurerm_firewall" "test" {
     subnet_id            = azurerm_subnet.test.id
     public_ip_address_id = azurerm_public_ip.test.id
   }
+  threat_intel_mode = "Deny"
 }
 `, data.RandomInteger, data.Locations.Primary, data.RandomInteger, data.RandomInteger, data.RandomInteger)
 }
@@ -405,6 +406,7 @@ resource "azurerm_firewall" "import" {
     subnet_id            = azurerm_subnet.test.id
     public_ip_address_id = azurerm_public_ip.test.id
   }
+  threat_intel_mode = azurerm_firewall.test.threat_intel_mode
 }
 `, template)
 }

diff --git a/website/docs/r/firewall.html.markdown b/website/docs/r/firewall.html.markdown
@@ -66,6 +66,8 @@ The following arguments are supported:
 
 * `ip_configuration` - (Required) A `ip_configuration` block as documented below.
 
+* `threat_intel_mode` - (Optional) The operation mode for threat intelligence-based filtering. Possible values are: `Off`, `Alert` and `Deny`. Defaults to `Alert`
+
 * `zones` - (Optional) Specifies the availability zones in which the Azure Firewall should be created.
 
 -> **Please Note**: Availability Zones are [only supported in several regions at this time](https://docs.microsoft.com/en-us/azure/availability-zones/az-overview).