From a2a0347e63212e4bfaafc42e5154db67e5f4ea7e Mon Sep 17 00:00:00 2001
From: "Till Markus (INST-CSS/BSV-OS)"
Date: Tue, 7 May 2019 09:38:35 +0200
Subject: [PATCH] resource_arm_application_gateways: set disabledSSLPolicies primarly with ssl_policy.disabled_protocols

---
 azurerm/resource_arm_application_gateway.go | 3 +
 .../resource_arm_application_gateway_test.go | 291 +++++++-----------
 2 files changed, 121 insertions(+), 173 deletions(-)

diff --git a/azurerm/resource_arm_application_gateway.go b/azurerm/resource_arm_application_gateway.go
index 5899a4187f3e0..907923df0d8ad 100644
--- a/azurerm/resource_arm_application_gateway.go
+++ b/azurerm/resource_arm_application_gateway.go
@@ -1722,6 +1722,9 @@ func expandApplicationGatewaySslPolicy(d *schema.ResourceData) *network.Applicat
 v := vs[0].(map[string]interface{})
 policyType := network.ApplicationGatewaySslPolicyType(v["policy_type"].(string))
 
+ // reset disabledSSLPolicies here to always use the new disabled_protocols block in favor of disabled_ssl_protocols
+ disabledSSLPolicies = disabledSSLPolicies[:0]
+
 for _, policy := range v["disabled_protocols"].([]interface{}) {
 disabledSSLPolicies = append(disabledSSLPolicies, network.ApplicationGatewaySslProtocol(policy.(string)))
 }
diff --git a/azurerm/resource_arm_application_gateway_test.go b/azurerm/resource_arm_application_gateway_test.go
index 21cb104cf81e1..cfae4cc2ed211 100644
--- a/azurerm/resource_arm_application_gateway_test.go
+++ b/azurerm/resource_arm_application_gateway_test.go
@@ -661,7 +660,6 @@ func TestAccAzureRMApplicationGateway_webApplicationFirewall_disabledRuleGroups(
 },
 })
 }
-
 func TestAccAzureRMApplicationGateway_sslPolicy_policyType_predefined(t *testing.T) {
 resourceName := "azurerm_application_gateway.test"
 ri := tf.AccRandTimeInt()
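Review bot: The reset at `disabledSSLPolicies = disabledSSLPolicies[:0]` runs whenever an `ssl_policy` block is present, even one whose `disabled_protocols` list is empty, so a value that reached the slice through the legacy `disabled_ssl_protocols` attribute (presumably populated above this hunk) is silently discarded rather than honoured or rejected. For a TLS-hardening setting a silent drop is the wrong failure mode: the gateway ends up with nothing disabled and nothing in the plan explains why. Either scope the reset to the case where the new block actually supplies values, `if protos := v["disabled_protocols"].([]interface{}); len(protos) > 0 { disabledSSLPolicies = disabledSSLPolicies[:0]; /* append loop */ }`, or declare the two attributes as conflicting in the schema so mixing them is a validation error, and state in the comment which attribute wins. expandApplicationGatewaySslPolicy starts and ends outside the hunk.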
@@ -706,7 +705,6 @@ func TestAccAzureRMApplicationGateway_sslPolicy_policyType_custom(t *testing.T) }, }) } - func TestAccAzureRMApplicationGateway_sslPolicy_disabledProtocols(t *testing.T) { resourceName := "azurerm_application_gateway.test" ri := tf.AccRandTimeInt() @@ -2099,7 +2097,7 @@ resource "azurerm_application_gateway" "test" { frontend_ip_configuration { name = "${local.frontend_ip_configuration_name}" - public_ip_address_id = "${azurerm_public_ip.test_standard.id}" + public_ip_address_id = "${azurerm_public_ip.test.id}" } backend_address_pool { @@ -2251,7 +2249,7 @@ resource "azurerm_application_gateway" "test" { frontend_ip_configuration { name = "${local.frontend_ip_configuration_name}" - public_ip_address_id = "${azurerm_public_ip.test_standard.id}" + public_ip_address_id = "${azurerm_public_ip.test.id}" } backend_address_pool { @@ -2306,28 +2304,29 @@ locals { request_routing_rule_name = "${azurerm_virtual_network.test.name}-rqrt" } -resource "azurerm_public_ip" "test_standard" { - name = "acctest-pubip-%d-standard" - location = "${azurerm_resource_group.test.location}" - resource_group_name = "${azurerm_resource_group.test.name}" - sku = "Standard" - allocation_method = "Static" -} - resource "azurerm_application_gateway" "test" { name = "acctestag-%d" resource_group_name = "${azurerm_resource_group.test.name}" location = "${azurerm_resource_group.test.location}" sku { - name = "Standard_v2" - tier = "Standard_v2" + name = "WAF_Medium" + tier = "WAF" capacity = 1 } - ssl_policy { - policy_name = "AppGwSslPolicy20170401S" - policy_type = "Predefined" + disabled_ssl_protocols = [ + "TLSv1_0", + ] + + waf_configuration { + enabled = true + firewall_mode = "Detection" + rule_set_type = "OWASP" + rule_set_version = "3.0" + file_upload_limit_mb = 100 + request_body_check = true + max_request_body_size_kb = 100 } gateway_ip_configuration { 
@@ -2342,7 +2341,7 @@ resource "azurerm_application_gateway" "test" { frontend_ip_configuration { name = "${local.frontend_ip_configuration_name}" - public_ip_address_id = "${azurerm_public_ip.test_standard.id}" + public_ip_address_id = "${azurerm_public_ip.test.id}" } backend_address_pool { @@ -2375,7 +2374,7 @@ resource "azurerm_application_gateway" "test" { `, template, rInt) } -func testAccAzureRMApplicationGateway_sslPolicy_policyType_predefined(rInt int, location string) string { +func testAccAzureRMApplicationGateway_connectionDraining(rInt int, location string) string { template := testAccAzureRMApplicationGateway_template(rInt, location) return fmt.Sprintf(` %s @@ -2390,35 +2389,16 @@ locals { request_routing_rule_name = "${azurerm_virtual_network.test.name}-rqrt" } -resource "azurerm_public_ip" "test_standard" { - name = "acctest-pubip-%d-standard" - location = "${azurerm_resource_group.test.location}" - resource_group_name = "${azurerm_resource_group.test.name}" - sku = "Standard" - allocation_method = "Static" -} - resource "azurerm_application_gateway" "test" { name = "acctestag-%d" resource_group_name = "${azurerm_resource_group.test.name}" location = "${azurerm_resource_group.test.location}" + enable_http2 = true sku { - name = "Standard_v2" - tier = "Standard_v2" - capacity = 1 - } - - ssl_policy { - policy_name = "AppGwSslPolicy20170401S" - policy_type = "Predefined" - } - - waf_configuration { - enabled = true - firewall_mode = "Detection" - rule_set_type = "OWASP" - rule_set_version = "3.0" + name = "Standard_Small" + tier = "Standard" + capacity = 2 } gateway_ip_configuration { @@ -2446,6 +2426,11 @@ resource "azurerm_application_gateway" "test" { port = 80 protocol = "Http" request_timeout = 1 + + connection_draining { + enabled = true + drain_timeout_sec = 1984 + } } http_listener { 
@@ -2463,10 +2448,9 @@ resource "azurerm_application_gateway" "test" { backend_http_settings_name = "${local.http_setting_name}" } } -`, template, rInt, rInt) +`, template, rInt) } - -func testAccAzureRMApplicationGateway_sslPolicy_policyType_custom(rInt int, location string) string { +func testAccAzureRMApplicationGateway_webApplicationFirewall_disabledRuleGroups(rInt int, location string) string { template := testAccAzureRMApplicationGateway_template(rInt, location) return fmt.Sprintf(` %s @@ -2481,6 +2465,7 @@ locals { request_routing_rule_name = "${azurerm_virtual_network.test.name}-rqrt" } + resource "azurerm_public_ip" "test_standard" { name = "acctest-pubip-%d-standard" location = "${azurerm_resource_group.test.location}" @@ -2495,15 +2480,35 @@ resource "azurerm_application_gateway" "test" { location = "${azurerm_resource_group.test.location}" sku { - name = "Standard_v2" - tier = "Standard_v2" + name = "WAF_v2" + tier = "WAF_v2" capacity = 1 } - ssl_policy { - policy_type = "Custom" - min_protocol_version = "TLSv1_1" - cipher_suites = ["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_128_GCM_SHA256"] + waf_configuration { + enabled = true + firewall_mode = "Detection" + rule_set_type = "OWASP" + rule_set_version = "3.0" + request_body_check = true + max_request_body_size_kb = 128 + file_upload_limit_mb = 100 + + disabled_rule_group { + rule_group_name = "REQUEST-921-PROTOCOL-ATTACK" + rules = [921110, 921151, 921180] + } + + disabled_rule_group { + rule_group_name = "REQUEST-930-APPLICATION-ATTACK-LFI" + rules = [930120, 930130] + } + + disabled_rule_group { + rule_group_name = "REQUEST-942-APPLICATION-ATTACK-SQLI" + } + + } gateway_ip_configuration { 
@@ -2518,7 +2523,7 @@ resource "azurerm_application_gateway" "test" { frontend_ip_configuration { name = "${local.frontend_ip_configuration_name}" - public_ip_address_id = "${azurerm_public_ip.test.id}" + public_ip_address_id = "${azurerm_public_ip.test_standard.id}" } backend_address_pool { @@ -2551,7 +2556,7 @@ resource "azurerm_application_gateway" "test" { `, template, rInt, rInt) } -func testAccAzureRMApplicationGateway_sslPolicy_disabledProtocols(rInt int, location string) string { +func testAccAzureRMApplicationGateway_webApplicationFirewall_disabledRuleGroups_enabled_some_rules(rInt int, location string) string { template := testAccAzureRMApplicationGateway_template(rInt, location) return fmt.Sprintf(` %s @@ -2566,19 +2571,45 @@ locals { request_routing_rule_name = "${azurerm_virtual_network.test.name}-rqrt" } + +resource "azurerm_public_ip" "test_standard" { + name = "acctest-pubip-%d-standard" + location = "${azurerm_resource_group.test.location}" + resource_group_name = "${azurerm_resource_group.test.name}" + sku = "Standard" + allocation_method = "Static" +} + resource "azurerm_application_gateway" "test" { name = "acctestag-%d" resource_group_name = "${azurerm_resource_group.test.name}" location = "${azurerm_resource_group.test.location}" sku { - name = "WAF_Medium" - tier = "WAF" + name = "WAF_v2" + tier = "WAF_v2" capacity = 1 } - ssl_policy { - disabled_protocols = ["TLSv1_0", "TLSv1_1"] + waf_configuration { + enabled = true + firewall_mode = "Detection" + rule_set_type = "OWASP" + rule_set_version = "3.0" + request_body_check = true + max_request_body_size_kb = 128 + file_upload_limit_mb = 100 + + disabled_rule_group { + rule_group_name = "REQUEST-921-PROTOCOL-ATTACK" + rules = [921110, 921151, 921180] + } + + disabled_rule_group { + rule_group_name = "REQUEST-942-APPLICATION-ATTACK-SQLI" + } + + } gateway_ip_configuration { 
@@ -2626,12 +2657,11 @@ resource "azurerm_application_gateway" "test" { `, template, rInt, rInt) } -func testAccAzureRMApplicationGateway_disabledSslProtocols(rInt int, location string) string { +func testAccAzureRMApplicationGateway_sslPolicy_policyType_predefined(rInt int, location string) string { template := testAccAzureRMApplicationGateway_template(rInt, location) return fmt.Sprintf(` %s - -# since these variables are re-used - a locals block makes this more maintainable +# since these variables are re-used - a locals block makes this more maintainable locals { backend_address_pool_name = "${azurerm_virtual_network.test.name}-beap" frontend_port_name = "${azurerm_virtual_network.test.name}-feport" @@ -2640,7 +2670,6 @@ locals { listener_name = "${azurerm_virtual_network.test.name}-httplstn" request_routing_rule_name = "${azurerm_virtual_network.test.name}-rqrt" } - resource "azurerm_public_ip" "test_standard" { name = "acctest-pubip-%d-standard" location = "${azurerm_resource_group.test.location}" 
@@ -2648,39 +2677,34 @@ resource "azurerm_public_ip" "test_standard" { sku = "Standard" allocation_method = "Static" } - resource "azurerm_application_gateway" "test" { name = "acctestag-%d" resource_group_name = "${azurerm_resource_group.test.name}" location = "${azurerm_resource_group.test.location}" - sku { name = "Standard_v2" tier = "Standard_v2" capacity = 1 } - - disabled_ssl_protocols = ["TLSv1_0", "TLSv1_1"] - + ssl_policy { + policy_name = "AppGwSslPolicy20170401S" + policy_type = "Predefined" + } gateway_ip_configuration { name = "my-gateway-ip-configuration" subnet_id = "${azurerm_subnet.test.id}" } - frontend_port { name = "${local.frontend_port_name}" port = 80 } - frontend_ip_configuration { name = "${local.frontend_ip_configuration_name}" - public_ip_address_id = "${azurerm_public_ip.test.id}" + public_ip_address_id = "${azurerm_public_ip.test_standard.id}" } - backend_address_pool { name = "${local.backend_address_pool_name}" } - backend_http_settings { name = "${local.http_setting_name}" cookie_based_affinity = "Disabled" @@ -2688,14 +2712,12 @@ resource "azurerm_application_gateway" "test" { protocol = "Http" request_timeout = 1 } - http_listener { name = "${local.listener_name}" frontend_ip_configuration_name = "${local.frontend_ip_configuration_name}" frontend_port_name = "${local.frontend_port_name}" protocol = "Http" } - request_routing_rule { name = "${local.request_routing_rule_name}" rule_type = "Basic" 
@@ -2707,12 +2729,11 @@ resource "azurerm_application_gateway" "test" { `, template, rInt, rInt) } -func testAccAzureRMApplicationGateway_connectionDraining(rInt int, location string) string { +func testAccAzureRMApplicationGateway_sslPolicy_policyType_custom(rInt int, location string) string { template := testAccAzureRMApplicationGateway_template(rInt, location) return fmt.Sprintf(` %s - -# since these variables are re-used - a locals block makes this more maintainable +# since these variables are re-used - a locals block makes this more maintainable locals { backend_address_pool_name = "${azurerm_virtual_network.test.name}-beap" frontend_port_name = "${azurerm_virtual_network.test.name}-feport" 
@@ -2721,58 +2742,48 @@ locals { listener_name = "${azurerm_virtual_network.test.name}-httplstn" request_routing_rule_name = "${azurerm_virtual_network.test.name}-rqrt" } - resource "azurerm_application_gateway" "test" { name = "acctestag-%d" resource_group_name = "${azurerm_resource_group.test.name}" location = "${azurerm_resource_group.test.location}" - enable_http2 = true - sku { - name = "Standard_Small" - tier = "Standard" - capacity = 2 + name = "WAF_Medium" + tier = "WAF" + capacity = 1 + } + ssl_policy { + policy_type = "Custom" + min_protocol_version = "TLSv1_1" + cipher_suites = ["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_128_GCM_SHA256"] } - gateway_ip_configuration { name = "my-gateway-ip-configuration" subnet_id = "${azurerm_subnet.test.id}" } - frontend_port { name = "${local.frontend_port_name}" port = 80 } - frontend_ip_configuration { name = "${local.frontend_ip_configuration_name}" public_ip_address_id = "${azurerm_public_ip.test.id}" } - backend_address_pool { name = "${local.backend_address_pool_name}" } - backend_http_settings { name = "${local.http_setting_name}" cookie_based_affinity = "Disabled" port = 80 protocol = "Http" request_timeout = 1 - - connection_draining { - enabled = true - drain_timeout_sec = 1984 - } } - http_listener { name = "${local.listener_name}" frontend_ip_configuration_name = "${local.frontend_ip_configuration_name}" frontend_port_name = "${local.frontend_port_name}" protocol = "Http" } - request_routing_rule { name = "${local.request_routing_rule_name}" rule_type = "Basic" 
@@ -2783,12 +2794,12 @@ resource "azurerm_application_gateway" "test" { } `, template, rInt) } -func testAccAzureRMApplicationGateway_webApplicationFirewall_disabledRuleGroups(rInt int, location string) string { + +func testAccAzureRMApplicationGateway_sslPolicy_disabledProtocols(rInt int, location string) string { template := testAccAzureRMApplicationGateway_template(rInt, location) return fmt.Sprintf(` %s - -# since these variables are re-used - a locals block makes this more maintainable +# since these variables are re-used - a locals block makes this more maintainable locals { backend_address_pool_name = "${azurerm_virtual_network.test.name}-beap" frontend_port_name = "${azurerm_virtual_network.test.name}-feport" @@ -2797,8 +2808,6 @@ locals { listener_name = "${azurerm_virtual_network.test.name}-httplstn" request_routing_rule_name = "${azurerm_virtual_network.test.name}-rqrt" } - - resource "azurerm_public_ip" "test_standard" { name = "acctest-pubip-%d-standard" location = "${azurerm_resource_group.test.location}" 
@@ -2806,63 +2815,33 @@ resource "azurerm_public_ip" "test_standard" { sku = "Standard" allocation_method = "Static" } - resource "azurerm_application_gateway" "test" { name = "acctestag-%d" resource_group_name = "${azurerm_resource_group.test.name}" location = "${azurerm_resource_group.test.location}" - sku { - name = "WAF_v2" - tier = "WAF_v2" + name = "Standard_v2" + tier = "Standard_v2" capacity = 1 } - - waf_configuration { - enabled = true - firewall_mode = "Detection" - rule_set_type = "OWASP" - rule_set_version = "3.0" - request_body_check = true - max_request_body_size_kb = 128 - file_upload_limit_mb = 100 - - disabled_rule_group { - rule_group_name = "REQUEST-921-PROTOCOL-ATTACK" - rules = [921110, 921151, 921180] - } - - disabled_rule_group { - rule_group_name = "REQUEST-930-APPLICATION-ATTACK-LFI" - rules = [930120, 930130] - } - - disabled_rule_group { - rule_group_name = "REQUEST-942-APPLICATION-ATTACK-SQLI" - } - - + ssl_policy { + disabled_protocols = ["TLSv1_0", "TLSv1_1"] } - gateway_ip_configuration { name = "my-gateway-ip-configuration" subnet_id = "${azurerm_subnet.test.id}" } - frontend_port { name = "${local.frontend_port_name}" port = 80 } - frontend_ip_configuration { name = "${local.frontend_ip_configuration_name}" public_ip_address_id = "${azurerm_public_ip.test_standard.id}" } - backend_address_pool { name = "${local.backend_address_pool_name}" } - backend_http_settings { name = "${local.http_setting_name}" cookie_based_affinity = "Disabled" @@ -2870,14 +2849,12 @@ resource "azurerm_application_gateway" "test" { protocol = "Http" request_timeout = 1 } - http_listener { name = "${local.listener_name}" frontend_ip_configuration_name = "${local.frontend_ip_configuration_name}" frontend_port_name = "${local.frontend_port_name}" protocol = "Http" } - request_routing_rule { name = "${local.request_routing_rule_name}" rule_type = "Basic" 
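Review bot: None of the fixtures in this file section exercises the precedence the resource change introduces: the body now under `testAccAzureRMApplicationGateway_sslPolicy_disabledProtocols` sets only `ssl_policy { disabled_protocols = ["TLSv1_0", "TLSv1_1"] }`, and the `disabledSslProtocols` fixture sets only the legacy attribute, so a configuration with both attributes (the case the new `[:0]` reset is meant to resolve) is never applied. A fixture that sets `disabled_ssl_protocols = ["TLSv1_0"]` together with an `ssl_policy` block listing a different set, with a check on the resulting `disabled_protocols` count and members, would pin the intended winner. The rest of this section and the neighbouring hunks are mostly fixture bodies moving between renamed functions; landing that reorder as a separate commit would leave the behavioural change reviewable on its own.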
@@ -2889,12 +2866,11 @@ resource "azurerm_application_gateway" "test" { `, template, rInt, rInt) } -func testAccAzureRMApplicationGateway_webApplicationFirewall_disabledRuleGroups_enabled_some_rules(rInt int, location string) string { +func testAccAzureRMApplicationGateway_disabledSslProtocols(rInt int, location string) string { template := testAccAzureRMApplicationGateway_template(rInt, location) return fmt.Sprintf(` %s - -# since these variables are re-used - a locals block makes this more maintainable +# since these variables are re-used - a locals block makes this more maintainable locals { backend_address_pool_name = "${azurerm_virtual_network.test.name}-beap" frontend_port_name = "${azurerm_virtual_network.test.name}-feport" @@ -2903,8 +2879,6 @@ locals { listener_name = "${azurerm_virtual_network.test.name}-httplstn" request_routing_rule_name = "${azurerm_virtual_network.test.name}-rqrt" } - - resource "azurerm_public_ip" "test_standard" { name = "acctest-pubip-%d-standard" location = "${azurerm_resource_group.test.location}" 
@@ -2912,58 +2886,31 @@ resource "azurerm_public_ip" "test_standard" { sku = "Standard" allocation_method = "Static" } - resource "azurerm_application_gateway" "test" { name = "acctestag-%d" resource_group_name = "${azurerm_resource_group.test.name}" location = "${azurerm_resource_group.test.location}" - sku { - name = "WAF_v2" - tier = "WAF_v2" + name = "Standard_v2" + tier = "Standard_v2" capacity = 1 } - - waf_configuration { - enabled = true - firewall_mode = "Detection" - rule_set_type = "OWASP" - rule_set_version = "3.0" - request_body_check = true - max_request_body_size_kb = 128 - file_upload_limit_mb = 100 - - disabled_rule_group { - rule_group_name = "REQUEST-921-PROTOCOL-ATTACK" - rules = [921110, 921151, 921180] - } - - disabled_rule_group { - rule_group_name = "REQUEST-942-APPLICATION-ATTACK-SQLI" - } - - - } - + disabled_ssl_protocols = ["TLSv1_0", "TLSv1_1"] gateway_ip_configuration { name = "my-gateway-ip-configuration" subnet_id = "${azurerm_subnet.test.id}" } - frontend_port { name = "${local.frontend_port_name}" port = 80 } - frontend_ip_configuration { name = "${local.frontend_ip_configuration_name}" - public_ip_address_id = "${azurerm_public_ip.test_standard.id}" + public_ip_address_id = "${azurerm_public_ip.test.id}" } - backend_address_pool { name = "${local.backend_address_pool_name}" } - backend_http_settings { name = "${local.http_setting_name}" cookie_based_affinity = "Disabled" @@ -2971,14 +2918,12 @@ resource "azurerm_application_gateway" "test" { protocol = "Http" request_timeout = 1 } - http_listener { name = "${local.listener_name}" frontend_ip_configuration_name = "${local.frontend_ip_configuration_name}" frontend_port_name = "${local.frontend_port_name}" protocol = "Http" } - request_routing_rule { name = "${local.request_routing_rule_name}" rule_type = "Basic"