diff --git a/azurerm/internal/services/network/firewall_resource.go b/azurerm/internal/services/network/firewall_resource.go index 2001354b9c6f..3c7bf4cca01d 100644 --- a/azurerm/internal/services/network/firewall_resource.go +++ b/azurerm/internal/services/network/firewall_resource.go @@ -79,6 +79,17 @@ func resourceArmFirewall() *schema.Resource { }, }, + "threat_intel_mode": { + Type: schema.TypeString, + Optional: true, + Default: string(network.AzureFirewallThreatIntelModeAlert), + ValidateFunc: validation.StringInSlice([]string{ + string(network.AzureFirewallThreatIntelModeOff), + string(network.AzureFirewallThreatIntelModeAlert), + string(network.AzureFirewallThreatIntelModeDeny), + }, false), + }, + "zones": azure.SchemaMultipleZones(), "tags": tags.Schema(), @@ -135,6 +146,7 @@ func resourceArmFirewallCreateUpdate(d *schema.ResourceData, meta interface{}) e Tags: tags.Expand(t), AzureFirewallPropertiesFormat: &network.AzureFirewallPropertiesFormat{ IPConfigurations: ipConfigs, + ThreatIntelMode: network.AzureFirewallThreatIntelMode(d.Get("threat_intel_mode").(string)), }, Zones: zones, } @@ -212,6 +224,7 @@ func resourceArmFirewallRead(d *schema.ResourceData, meta interface{}) error { if err := d.Set("ip_configuration", flattenArmFirewallIPConfigurations(props.IPConfigurations)); err != nil { return fmt.Errorf("Error setting `ip_configuration`: %+v", err) } + d.Set("threat_intel_mode", string(props.ThreatIntelMode)) } if err := d.Set("zones", azure.FlattenZones(read.Zones)); err != nil { diff --git a/azurerm/internal/services/network/tests/firewall_resource_test.go b/azurerm/internal/services/network/tests/firewall_resource_test.go index 7c0ed37b90f6..5a25bc87edf3 100644 --- a/azurerm/internal/services/network/tests/firewall_resource_test.go +++ b/azurerm/internal/services/network/tests/firewall_resource_test.go 
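Review bot: `Default: string(network.AzureFirewallThreatIntelModeAlert)` on the new `threat_intel_mode` schema entry applies to every existing `azurerm_firewall` that omits the argument, so a firewall switched to `Deny` outside Terraform will plan as `Deny` -> `Alert` on the first run after upgrading. Since `Alert` only logs threat-intelligence matches while `Deny` also blocks them, applying that plan weakens enforcement. Either call this out in the upgrade notes or consider `Optional: true, Computed: true` without a default, in which case the create path must handle an empty value. A short comment above the entry would help too, e.g. `// Alert logs matches only; Deny also blocks the traffic; Off disables threat-intel filtering.` The body of resourceArmFirewall extends beyond this hunk.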
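Review bot: The result of `d.Set("threat_intel_mode", string(props.ThreatIntelMode))` in resourceArmFirewallRead is discarded, unlike the `ip_configuration` and `zones` calls around it, which return an error. This read-back is what lets a plan surface an out-of-band change of the mode (for example to `Off`), so a failed set should not pass silently; wrap it in the same `if err := d.Set(...); err != nil { return fmt.Errorf(...) }` form used by its neighbours. It is also worth confirming whether the API can return an empty mode for firewalls created before this field was managed, since state would then hold `""` against the `Alert` default and show a permanent diff. The function continues outside the hunk.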
@@ -326,6 +326,7 @@ resource "azurerm_firewall" "test" { subnet_id = azurerm_subnet.test.id public_ip_address_id = azurerm_public_ip.test.id } + threat_intel_mode = "Deny" } `, data.RandomInteger, data.Locations.Primary, data.RandomInteger, data.RandomInteger, data.RandomInteger) } @@ -405,6 +406,7 @@ resource "azurerm_firewall" "import" { subnet_id = azurerm_subnet.test.id public_ip_address_id = azurerm_public_ip.test.id } + threat_intel_mode = azurerm_firewall.test.threat_intel_mode } `, template) } diff --git a/website/docs/r/firewall.html.markdown b/website/docs/r/firewall.html.markdown index 94d51e34e29d..27eb379230dd 100644 --- a/website/docs/r/firewall.html.markdown +++ b/website/docs/r/firewall.html.markdown @@ -66,6 +66,8 @@ The following arguments are supported: * `ip_configuration` - (Required) A `ip_configuration` block as documented below. +* `threat_intel_mode` - (Optional) The operation mode for threat intelligence-based filtering. Possible values are: `Off`, `Alert` and `Deny`. Defaults to `Alert` + * `zones` - (Optional) Specifies the availability zones in which the Azure Firewall should be created. -> **Please Note**: Availability Zones are [only supported in several regions at this time](https://docs.microsoft.com/en-us/azure/availability-zones/az-overview).
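Review bot: The config in the `@@ -326` hunk sets `threat_intel_mode = "Deny"`, but nothing visible in the diff asserts the value that ends up in state, and no config exercises the `Alert` default or an in-place change between modes. A `resource.TestCheckResourceAttr(data.ResourceName, "threat_intel_mode", "Deny")` in the matching test step, plus an update step that moves to another mode, would catch a regression where the setting is silently dropped from the request and the firewall falls back to a weaker mode. The test functions that consume this config lie outside the hunk, so such checks may already exist there.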