azurerm_web_application_firewall_policy - split create and update f…

…unction to fix lifecycle - ignore changes (#23412)
hashicorp · Dec 7, 2023 · 27a50ee · 27a50ee
1 parent 90301fa
commit 27a50ee
Showing 1 changed file with 64 additions and 32 deletions.
diff --git a/internal/services/network/web_application_firewall_policy_resource.go b/internal/services/network/web_application_firewall_policy_resource.go
@@ -4,7 +4,6 @@
 package network
 
 import (
-	"context"
 	"fmt"
 	"log"
 	"time"
@@ -29,9 +28,9 @@ import (
 
 func resourceWebApplicationFirewallPolicy() *pluginsdk.Resource {
 	resource := &pluginsdk.Resource{
-		Create: resourceWebApplicationFirewallPolicyCreateUpdate,
+		Create: resourceWebApplicationFirewallPolicyCreate,
 		Read:   resourceWebApplicationFirewallPolicyRead,
-		Update: resourceWebApplicationFirewallPolicyCreateUpdate,
+		Update: resourceWebApplicationFirewallPolicyUpdate,
 		Delete: resourceWebApplicationFirewallPolicyDelete,
 		Importer: pluginsdk.ImporterValidatingResourceId(func(id string) error {
 			_, err := webapplicationfirewallpolicies.ParseApplicationGatewayWebApplicationFirewallPolicyID(id)
@@ -473,25 +472,6 @@ func resourceWebApplicationFirewallPolicy() *pluginsdk.Resource {
 
 			"tags": commonschema.Tags(),
 		},
-
-		CustomizeDiff: pluginsdk.CustomizeDiffShim(func(ctx context.Context, diff *pluginsdk.ResourceDiff, v interface{}) error {
-			if !features.FourPointOhBeta() {
-				// Since ConflictsWith cannot be used on these properties and the properties are optional and computed, diff.GetOK may still return value even the property is not configured. Have to check the configuration with GetRawConfig
-				managedRuleSetList := diff.GetRawConfig().AsValueMap()["managed_rules"].AsValueSlice()[0].AsValueMap()["managed_rule_set"].AsValueSlice()
-				for _, managedRuleSetVal := range managedRuleSetList {
-					ruleGroupOverrideList := managedRuleSetVal.AsValueMap()["rule_group_override"].AsValueSlice()
-					for _, ruleGroupOverrideVal := range ruleGroupOverrideList {
-						disabledRules := ruleGroupOverrideVal.AsValueMap()["disabled_rules"]
-						ruleList := ruleGroupOverrideVal.AsValueMap()["rule"].AsValueSlice()
-						if !disabledRules.IsNull() && len(ruleList) != 0 {
-							return fmt.Errorf("`disabled_rules` cannot be set when `rule` is set under `rule_group_override`")
-						}
-					}
-				}
-			}
-
-			return nil
-		}),
 	}
 
 	if !features.FourPointOhBeta() {
@@ -509,25 +489,23 @@ func resourceWebApplicationFirewallPolicy() *pluginsdk.Resource {
 	return resource
 }
 
-func resourceWebApplicationFirewallPolicyCreateUpdate(d *pluginsdk.ResourceData, meta interface{}) error {
+func resourceWebApplicationFirewallPolicyCreate(d *pluginsdk.ResourceData, meta interface{}) error {
 	client := meta.(*clients.Client).Network.WebApplicationFirewallPolicies
 	subscriptionId := meta.(*clients.Client).Account.SubscriptionId
-	ctx, cancel := timeouts.ForCreateUpdate(meta.(*clients.Client).StopContext, d)
+	ctx, cancel := timeouts.ForCreate(meta.(*clients.Client).StopContext, d)
 	defer cancel()
 
 	id := webapplicationfirewallpolicies.NewApplicationGatewayWebApplicationFirewallPolicyID(subscriptionId, d.Get("resource_group_name").(string), d.Get("name").(string))
 
-	if d.IsNewResource() {
-		resp, err := client.Get(ctx, id)
-		if err != nil {
-			if !response.WasNotFound(resp.HttpResponse) {
-				return fmt.Errorf("checking for present of existing %s: %+v", id, err)
-			}
-		}
+	resp, err := client.Get(ctx, id)
+	if err != nil {
 		if !response.WasNotFound(resp.HttpResponse) {
-			return tf.ImportAsExistsError("azurerm_web_application_firewall_policy", id.ID())
+			return fmt.Errorf("checking for present of existing %s: %+v", id, err)
 		}
 	}
+	if !response.WasNotFound(resp.HttpResponse) {
+		return tf.ImportAsExistsError("azurerm_web_application_firewall_policy", id.ID())
+	}
 
 	location := azure.NormalizeLocation(d.Get("location").(string))
 	customRules := d.Get("custom_rules").([]interface{})
@@ -559,6 +537,55 @@ func resourceWebApplicationFirewallPolicyCreateUpdate(d *pluginsdk.ResourceData,
 	return resourceWebApplicationFirewallPolicyRead(d, meta)
 }
 
+func resourceWebApplicationFirewallPolicyUpdate(d *pluginsdk.ResourceData, meta interface{}) error {
+	client := meta.(*clients.Client).Network.WebApplicationFirewallPolicies
+	subscriptionId := meta.(*clients.Client).Account.SubscriptionId
+	ctx, cancel := timeouts.ForUpdate(meta.(*clients.Client).StopContext, d)
+	defer cancel()
+
+	id := webapplicationfirewallpolicies.NewApplicationGatewayWebApplicationFirewallPolicyID(subscriptionId, d.Get("resource_group_name").(string), d.Get("name").(string))
+
+	resp, err := client.Get(ctx, id)
+	if err != nil {
+		return fmt.Errorf("retrieving %s: %+v", id, err)
+	}
+
+	if resp.Model == nil {
+		return fmt.Errorf("retrieving %s: model was nil", id)
+	}
+	if resp.Model.Properties == nil {
+		return fmt.Errorf("retrieving %s: properties was nil", id)
+	}
+
+	model := resp.Model
+
+	if d.HasChange("custom_rules") {
+		model.Properties.CustomRules = expandWebApplicationFirewallPolicyWebApplicationFirewallCustomRule(d.Get("custom_rules").([]interface{}))
+	}
+
+	if d.HasChange("policy_settings") {
+		model.Properties.PolicySettings = expandWebApplicationFirewallPolicyPolicySettings(d.Get("policy_settings").([]interface{}))
+	}
+
+	if d.HasChange("managed_rules") {
+		expandedManagedRules, err := expandWebApplicationFirewallPolicyManagedRulesDefinition(d.Get("managed_rules").([]interface{}), d)
+		if err != nil {
+			return err
+		}
+		model.Properties.ManagedRules = pointer.From(expandedManagedRules)
+	}
+
+	if d.HasChange("tags") {
+		model.Tags = tags.Expand(d.Get("tags").(map[string]interface{}))
+	}
+
+	if _, err := client.CreateOrUpdate(ctx, id, *model); err != nil {
+		return fmt.Errorf("creating %s: %+v", id, err)
+	}
+
+	return resourceWebApplicationFirewallPolicyRead(d, meta)
+}
+
 func resourceWebApplicationFirewallPolicyRead(d *pluginsdk.ResourceData, meta interface{}) error {
 	client := meta.(*clients.Client).Network.WebApplicationFirewallPolicies
 	ctx, cancel := timeouts.ForRead(meta.(*clients.Client).StopContext, d)
@@ -893,6 +920,11 @@ func expandWebApplicationFirewallPolicyRuleGroupOverrides(input []interface{}, d
 				return nil, fmt.Errorf("rule group override index %d exceeds raw config length %d", i, len(ruleGroupOverrideList))
 			}
 
+			// Since ConflictsWith cannot be used on these properties and the properties are optional and computed, Have to check the configuration with GetRawConfig
+			if !ruleGroupOverrideList[i].AsValueMap()["rule"].IsNull() && len(ruleGroupOverrideList[i].AsValueMap()["rule"].AsValueSlice()) > 0 && !ruleGroupOverrideList[i].AsValueMap()["disabled_rules"].IsNull() {
+				return nil, fmt.Errorf("`disabled_rules` cannot be set when `rule` is set under `rule_group_override`")
+			}
+
 			if disabledRules := v["disabled_rules"].([]interface{}); !ruleGroupOverrideList[i].AsValueMap()["disabled_rules"].IsNull() {
 				result.Rules = expandWebApplicationFirewallPolicyRules(disabledRules)
 			}