resource_arm_firewall, resource_arm_firewall_application_rule_collection – Mssql and Threat Intelligence

[BrendanThompson]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

The default behaviour of the azurerm_firewall in respect to Threat Intelligence is to enable it as Alert Only, this however is not configurable via the Terraform resource itself, ideally this is something that should be surfaced in the provider as it's available via the API. ( https://docs.microsoft.com/en-us/rest/api/firewall/azurefirewalls/createorupdate#azurefirewallthreatintelmode )

Secondly the azurerm_firewall_application_rule_collection has support via the API to have a protocol of type Mssql this should be available through Terraform as well. Keeping in mind this is currently not available in the backing API client library I have raised an issue there too. ( Azure/azure-sdk-for-go#6003 )

New or Affected Resource(s)

• azurerm_firewall
• azurerm_firewall_application_rule_collection

Potential Terraform Configuration

resource "azurerm_firewall" "this" {
  name                = local.firewall_name
  location            = data.azurerm_resource_group.this.location
  resource_group_name = data.azurerm_resource_group.this.name
  threat_intelligence_mode = "Alert"

  ip_configuration {
    name                 = format("%s-ipconfig", local.firewall_name)
    subnet_id            = module.firewall_subnet.subnet_ids[0]
    public_ip_address_id = azurerm_public_ip.this.id
  }
}

resource "azurerm_firewall_application_rule_collection" "deny_all" {
  count = var.enable_default_rules ? 1 : 0

  name                = "deny-all"
  azure_firewall_name = azurerm_firewall.this.name
  resource_group_name = data.azurerm_resource_group.this.name
  priority            = 65000
  action              = "Deny"

  rule {
    name             = "deny_catch_all"
    source_addresses = ["*"]
    target_fqdns     = ["*"]

    protocol {
      port = "1433"
      type = "Mssql"
    }
  }

}

References

All references are inline.

[ghost]

This has been released in version 1.37.0 of the provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. As an example:

provider "azurerm" {
    version = "~> 1.37.0"
}
# ... other configuration ...

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!