From fa7fb5b465f8d9f76a1fc6be0e9b7265ce9d8f49 Mon Sep 17 00:00:00 2001
From: Henry Buckle <h.buckle@outlook.com>
Date: Thu, 6 Dec 2018 20:14:13 +0000
Subject: [PATCH 01/16] add application rule collection

---
 azurerm/provider.go                           |   1 +
 ...rm_firewall_application_rule_collection.go | 449 ++++++++++++++++++
 2 files changed, 450 insertions(+)
 create mode 100644 azurerm/resource_arm_firewall_application_rule_collection.go

diff --git a/azurerm/provider.go b/azurerm/provider.go
index 9336bc664ac2..5e2d48e5e529 100644
--- a/azurerm/provider.go
+++ b/azurerm/provider.go
@@ -187,6 +187,7 @@ func Provider() terraform.ResourceProvider {
 			"azurerm_express_route_circuit_peering":          resourceArmExpressRouteCircuitPeering(),
 			"azurerm_firewall":                               resourceArmFirewall(),
 			"azurerm_firewall_network_rule_collection":       resourceArmFirewallNetworkRuleCollection(),
+			"azurerm_firewall_application_rule_collection":   resourceArmFirewallApplicationRuleCollection(),
 			"azurerm_function_app":                           resourceArmFunctionApp(),
 			"azurerm_image":                                  resourceArmImage(),
 			"azurerm_iothub":                                 resourceArmIotHub(),
diff --git a/azurerm/resource_arm_firewall_application_rule_collection.go b/azurerm/resource_arm_firewall_application_rule_collection.go
new file mode 100644
index 000000000000..881d8696a1b4
--- /dev/null
+++ b/azurerm/resource_arm_firewall_application_rule_collection.go
@@ -0,0 +1,449 @@
+package azurerm
+
+import (
+	"fmt"
+	"log"
+
+	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/helpers/validate"
+
+	"github.com/Azure/azure-sdk-for-go/services/network/mgmt/2018-08-01/network"
+	"github.com/hashicorp/terraform/helper/schema"
+	"github.com/hashicorp/terraform/helper/validation"
+	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/utils"
+)
+
+func resourceArmFirewallApplicationRuleCollection() *schema.Resource {
+	return &schema.Resource{
+		Create: resourceArmFirewallApplicationRuleCollectionCreateUpdate,
+		Read:   resourceArmFirewallApplicationRuleCollectionRead,
+		Update: resourceArmFirewallApplicationRuleCollectionCreateUpdate,
+		Delete: resourceArmFirewallApplicationRuleCollectionDelete,
+		Importer: &schema.ResourceImporter{
+			State: schema.ImportStatePassthrough,
+		},
+
+		Schema: map[string]*schema.Schema{
+			"name": {
+				Type:         schema.TypeString,
+				Required:     true,
+				ForceNew:     true,
+				ValidateFunc: validateAzureFirewallName,
+			},
+
+			"azure_firewall_name": {
+				Type:         schema.TypeString,
+				Required:     true,
+				ForceNew:     true,
+				ValidateFunc: validateAzureFirewallName,
+			},
+
+			"resource_group_name": resourceGroupNameSchema(),
+
+			"priority": {
+				Type:         schema.TypeInt,
+				Required:     true,
+				ValidateFunc: validation.IntBetween(100, 65000),
+			},
+
+			"action": {
+				Type:     schema.TypeString,
+				Required: true,
+				ValidateFunc: validation.StringInSlice([]string{
+					string(network.AzureFirewallRCActionTypeAllow),
+					string(network.AzureFirewallRCActionTypeDeny),
+				}, false),
+			},
+
+			"rule": {
+				Type:     schema.TypeSet,
+				Required: true,
+				MinItems: 1,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"name": {
+							Type:         schema.TypeString,
+							Required:     true,
+							ValidateFunc: validation.NoZeroValues,
+						},
+						"description": {
+							Type:     schema.TypeString,
+							Optional: true,
+						},
+						"source_addresses": {
+							Type:     schema.TypeSet,
+							Required: true,
+							Elem:     &schema.Schema{Type: schema.TypeString},
+							Set:      schema.HashString,
+						},
+						"fqdn_tags": {
+							Type:     schema.TypeSet,
+							Optional: true,
+							Elem:     &schema.Schema{Type: schema.TypeString},
+							Set:      schema.HashString,
+							// ConflictsWith: []string{
+							// 	"target_fqdns",
+							// 	"protocol",
+							// },
+						},
+						"target_fqdns": {
+							Type:     schema.TypeSet,
+							Optional: true,
+							Elem:     &schema.Schema{Type: schema.TypeString},
+							Set:      schema.HashString,
+							// ConflictsWith: []string{"fqdn_tags"},
+						},
+						"protocol": {
+							Type:     schema.TypeList,
+							Optional: true,
+							MinItems: 1,
+							Elem: &schema.Resource{
+								Schema: map[string]*schema.Schema{
+									"port": {
+										Type:         schema.TypeInt,
+										Optional:     true,
+										ValidateFunc: validate.PortNumber,
+									},
+									"type": {
+										Type:     schema.TypeString,
+										Required: true,
+										ValidateFunc: validation.StringInSlice([]string{
+											string(network.AzureFirewallApplicationRuleProtocolTypeHTTP),
+											string(network.AzureFirewallApplicationRuleProtocolTypeHTTPS),
+										}, false),
+									},
+								},
+							},
+							// Set: resourceArmFirewallApplicationRuleCollectionRuleProtocolHash,
+							// ConflictsWith: []string{"fqdn_tags"},
+						},
+					},
+				},
+			},
+		},
+	}
+}
+
+func resourceArmFirewallApplicationRuleCollectionCreateUpdate(d *schema.ResourceData, meta interface{}) error {
+	client := meta.(*ArmClient).azureFirewallsClient
+	ctx := meta.(*ArmClient).StopContext
+
+	name := d.Get("name").(string)
+	firewallName := d.Get("azure_firewall_name").(string)
+	resourceGroup := d.Get("resource_group_name").(string)
+
+	azureRMLockByName(firewallName, azureFirewallResourceName)
+	defer azureRMUnlockByName(firewallName, azureFirewallResourceName)
+
+	firewall, err := client.Get(ctx, resourceGroup, firewallName)
+	if err != nil {
+		return fmt.Errorf("Error retrieving Firewall %q (Resource Group %q): %+v", firewallName, resourceGroup, err)
+	}
+
+	if firewall.AzureFirewallPropertiesFormat == nil {
+		return fmt.Errorf("Error expanding Firewall %q (Resource Group %q): `properties` was nil.", firewallName, resourceGroup)
+	}
+	props := *firewall.AzureFirewallPropertiesFormat
+
+	if props.ApplicationRuleCollections == nil {
+		return fmt.Errorf("Error expanding Firewall %q (Resource Group %q): `properties.ApplicationRuleCollections` was nil.", firewallName, resourceGroup)
+	}
+	ruleCollections := *props.ApplicationRuleCollections
+
+	applicationRules := expandArmFirewallApplicationRules(d.Get("rule").(*schema.Set))
+	priority := d.Get("priority").(int)
+	newRuleCollection := network.AzureFirewallApplicationRuleCollection{
+		Name: utils.String(name),
+		AzureFirewallApplicationRuleCollectionPropertiesFormat: &network.AzureFirewallApplicationRuleCollectionPropertiesFormat{
+			Action: &network.AzureFirewallRCAction{
+				Type: network.AzureFirewallRCActionType(d.Get("action").(string)),
+			},
+			Priority: utils.Int32(int32(priority)),
+			Rules:    &applicationRules,
+		},
+	}
+
+	if !d.IsNewResource() {
+		index := -1
+		for i, v := range ruleCollections {
+			if v.Name == nil {
+				continue
+			}
+
+			if *v.Name == name {
+				index = i
+				break
+			}
+		}
+
+		if index == -1 {
+			return fmt.Errorf("Error locating Application Rule Collection %q (Firewall %q / Resource Group %q)", name, firewallName, resourceGroup)
+		}
+
+		ruleCollections[index] = newRuleCollection
+	} else {
+		ruleCollections = append(ruleCollections, newRuleCollection)
+	}
+
+	firewall.AzureFirewallPropertiesFormat.ApplicationRuleCollections = &ruleCollections
+
+	future, err := client.CreateOrUpdate(ctx, resourceGroup, firewallName, firewall)
+	if err != nil {
+		return fmt.Errorf("Error creating/updating Application Rule Collection %q in Firewall %q (Resource Group %q): %+v", name, firewallName, resourceGroup, err)
+	}
+
+	err = future.WaitForCompletionRef(ctx, client.Client)
+	if err != nil {
+		return fmt.Errorf("Error waiting for creation/update of Application Rule Collection %q of Firewall %q (Resource Group %q): %+v", name, firewallName, resourceGroup, err)
+	}
+
+	read, err := client.Get(ctx, resourceGroup, firewallName)
+	if err != nil {
+		return fmt.Errorf("Error retrieving Firewall %q (Resource Group %q): %+v", firewallName, resourceGroup, err)
+	}
+
+	var collectionID string
+	if props := read.AzureFirewallPropertiesFormat; props != nil {
+		if collections := props.ApplicationRuleCollections; collections != nil {
+			for _, collection := range *collections {
+				if collection.Name == nil {
+					continue
+				}
+
+				if *collection.Name == name {
+					collectionID = *collection.ID
+					break
+				}
+			}
+		}
+	}
+
+	if collectionID == "" {
+		return fmt.Errorf("Cannot find ID for Application Rule Collection %q (Azure Firewall %q / Resource Group %q)", name, firewallName, resourceGroup)
+	}
+	d.SetId(collectionID)
+
+	return resourceArmFirewallApplicationRuleCollectionRead(d, meta)
+}
+
+func resourceArmFirewallApplicationRuleCollectionRead(d *schema.ResourceData, meta interface{}) error {
+	client := meta.(*ArmClient).azureFirewallsClient
+	ctx := meta.(*ArmClient).StopContext
+
+	id, err := parseAzureResourceID(d.Id())
+	if err != nil {
+		return err
+	}
+
+	resourceGroup := id.ResourceGroup
+	firewallName := id.Path["azureFirewalls"]
+	name := id.Path["applicationRuleCollections"]
+
+	read, err := client.Get(ctx, resourceGroup, firewallName)
+	if err != nil {
+		if utils.ResponseWasNotFound(read.Response) {
+			log.Printf("[DEBUG] Azure Firewall %q (Resource Group %q) was not found - removing from state!", name, resourceGroup)
+			d.SetId("")
+			return nil
+		}
+		return fmt.Errorf("Error retrieving Azure Firewall %q (Resource Group %q): %+v", name, resourceGroup, err)
+	}
+
+	if read.AzureFirewallPropertiesFormat == nil {
+		return fmt.Errorf("Error retrieving Application Rule Collection %q (Firewall %q / Resource Group %q): `props` was nil", name, firewallName, resourceGroup)
+	}
+	props := *read.AzureFirewallPropertiesFormat
+
+	if props.ApplicationRuleCollections == nil {
+		return fmt.Errorf("Error retrieving Application Rule Collection %q (Firewall %q / Resource Group %q): `props.ApplicationRuleCollections` was nil", name, firewallName, resourceGroup)
+	}
+
+	var rule *network.AzureFirewallApplicationRuleCollection
+	for _, r := range *props.ApplicationRuleCollections {
+		if r.Name == nil {
+			continue
+		}
+
+		if *r.Name == name {
+			rule = &r
+			break
+		}
+	}
+
+	if rule == nil {
+		log.Printf("[DEBUG] Application Rule Collection %q was not found on Firewall %q (Resource Group %q) - removing from state!", name, firewallName, resourceGroup)
+		d.SetId("")
+		return nil
+	}
+
+	d.Set("name", rule.Name)
+	d.Set("azure_firewall_name", firewallName)
+	d.Set("resource_group_name", resourceGroup)
+
+	if props := rule.AzureFirewallApplicationRuleCollectionPropertiesFormat; props != nil {
+		if action := props.Action; action != nil {
+			d.Set("action", string(action.Type))
+		}
+
+		if priority := props.Priority; priority != nil {
+			d.Set("priority", int(*priority))
+		}
+
+		flattenedRules := flattenFirewallApplicationRuleCollectionRules(props.Rules)
+		// if err := d.Set("rule", schema.NewSet(resourceArmFirewallApplicationRuleCollectionRuleProtocolHash, flattenedRules)); err != nil {
+		if err := d.Set("rule", flattenedRules); err != nil {
+			return fmt.Errorf("Error setting `rule`: %+v", err)
+		}
+	}
+
+	return nil
+}
+
+func resourceArmFirewallApplicationRuleCollectionDelete(d *schema.ResourceData, meta interface{}) error {
+	client := meta.(*ArmClient).azureFirewallsClient
+	ctx := meta.(*ArmClient).StopContext
+
+	id, err := parseAzureResourceID(d.Id())
+	if err != nil {
+		return err
+	}
+
+	resourceGroup := id.ResourceGroup
+	firewallName := id.Path["azureFirewalls"]
+	name := id.Path["applicationRuleCollections"]
+
+	azureRMLockByName(firewallName, azureFirewallResourceName)
+	defer azureRMUnlockByName(firewallName, azureFirewallResourceName)
+
+	firewall, err := client.Get(ctx, resourceGroup, firewallName)
+	if err != nil {
+		if utils.ResponseWasNotFound(firewall.Response) {
+			// assume deleted
+			return nil
+		}
+
+		return fmt.Errorf("Error making Read request on Azure Firewall %q (Resource Group %q): %+v", firewallName, resourceGroup, err)
+	}
+
+	props := firewall.AzureFirewallPropertiesFormat
+	if props == nil {
+		return fmt.Errorf("Error retrieving Application Rule Collection %q (Firewall %q / Resource Group %q): `props` was nil", name, firewallName, resourceGroup)
+	}
+	if props.ApplicationRuleCollections == nil {
+		return fmt.Errorf("Error retrieving Application Rule Collection %q (Firewall %q / Resource Group %q): `props.ApplicationRuleCollections` was nil", name, firewallName, resourceGroup)
+	}
+
+	applicationRules := make([]network.AzureFirewallApplicationRuleCollection, 0)
+	for _, rule := range *props.ApplicationRuleCollections {
+		if rule.Name == nil {
+			continue
+		}
+
+		if *rule.Name != name {
+			applicationRules = append(applicationRules, rule)
+		}
+	}
+	props.ApplicationRuleCollections = &applicationRules
+
+	future, err := client.CreateOrUpdate(ctx, resourceGroup, firewallName, firewall)
+	if err != nil {
+		return fmt.Errorf("Error deleting Application Rule Collection %q from Firewall %q (Resource Group %q): %+v", name, firewallName, resourceGroup, err)
+	}
+
+	err = future.WaitForCompletionRef(ctx, client.Client)
+	if err != nil {
+		return fmt.Errorf("Error waiting for deletion of Application Rule Collection %q from Firewall %q (Resource Group %q): %+v", name, firewallName, resourceGroup, err)
+	}
+
+	return nil
+}
+
+func expandArmFirewallApplicationRules(input *schema.Set) []network.AzureFirewallApplicationRule {
+	appRules := input.List()
+	rules := make([]network.AzureFirewallApplicationRule, 0)
+
+	for _, appRule := range appRules {
+		rule := appRule.(map[string]interface{})
+
+		name := rule["name"].(string)
+		description := rule["description"].(string)
+
+		sourceAddresses := make([]string, 0)
+		for _, v := range rule["source_addresses"].(*schema.Set).List() {
+			sourceAddresses = append(sourceAddresses, v.(string))
+		}
+
+		fqdnTags := make([]string, 0)
+		for _, v := range rule["fqdn_tags"].(*schema.Set).List() {
+			fqdnTags = append(fqdnTags, v.(string))
+		}
+
+		targetFqdns := make([]string, 0)
+		for _, v := range rule["target_fqdns"].(*schema.Set).List() {
+			targetFqdns = append(targetFqdns, v.(string))
+		}
+
+		ruleToAdd := network.AzureFirewallApplicationRule{
+			Name:            utils.String(name),
+			Description:     utils.String(description),
+			SourceAddresses: &sourceAddresses,
+			FqdnTags:        &fqdnTags,
+			TargetFqdns:     &targetFqdns,
+		}
+
+		arProtocols := make([]network.AzureFirewallApplicationRuleProtocol, 0)
+		protocols := rule["protocol"].([]interface{})
+		for _, v := range protocols {
+			protocol := v.(map[string]interface{})
+			port := protocol["port"].(int)
+			p := network.AzureFirewallApplicationRuleProtocol{
+				Port:         utils.Int32(int32(port)),
+				ProtocolType: network.AzureFirewallApplicationRuleProtocolType(protocol["type"].(string)),
+			}
+			arProtocols = append(arProtocols, p)
+		}
+		ruleToAdd.Protocols = &arProtocols
+		rules = append(rules, ruleToAdd)
+	}
+
+	return rules
+}
+
+func flattenFirewallApplicationRuleCollectionRules(rules *[]network.AzureFirewallApplicationRule) []map[string]interface{} {
+	outputs := make([]map[string]interface{}, 0)
+	if rules == nil {
+		return outputs
+	}
+
+	for _, rule := range *rules {
+		output := make(map[string]interface{})
+		if rule.Name != nil {
+			output["name"] = *rule.Name
+		}
+		if rule.Description != nil {
+			output["description"] = *rule.Description
+		}
+		if rule.SourceAddresses != nil {
+			output["source_addresses"] = sliceToSet(*rule.SourceAddresses)
+		}
+		if rule.FqdnTags != nil {
+			output["fqdn_tags"] = sliceToSet(*rule.FqdnTags)
+		}
+		if rule.TargetFqdns != nil {
+			output["target_fqdns"] = sliceToSet(*rule.TargetFqdns)
+		}
+		protocols := make([]map[string]interface{}, 0)
+		if arProtocols := rule.Protocols; arProtocols != nil {
+			for _, p := range *arProtocols {
+				protocol := make(map[string]interface{})
+				if port := p.Port; port != nil {
+					protocol["port"] = int(*port)
+				}
+				protocol["type"] = string(p.ProtocolType)
+				protocols = append(protocols, protocol)
+			}
+		}
+		output["protocol"] = protocols
+		outputs = append(outputs, output)
+	}
+	return outputs
+}

From 02585fe7573aecb7df962da0f93d9cc9aade4bd5 Mon Sep 17 00:00:00 2001
From: Henry Buckle <h.buckle@outlook.com>
Date: Thu, 6 Dec 2018 20:14:13 +0000
Subject: [PATCH 02/16] add application rule collection

---
 azurerm/provider.go                           |   1 +
 ...rm_firewall_application_rule_collection.go | 449 ++++++++++++++++++
 2 files changed, 450 insertions(+)
 create mode 100644 azurerm/resource_arm_firewall_application_rule_collection.go

diff --git a/azurerm/provider.go b/azurerm/provider.go
index 9336bc664ac2..5e2d48e5e529 100644
--- a/azurerm/provider.go
+++ b/azurerm/provider.go
@@ -187,6 +187,7 @@ func Provider() terraform.ResourceProvider {
 			"azurerm_express_route_circuit_peering":          resourceArmExpressRouteCircuitPeering(),
 			"azurerm_firewall":                               resourceArmFirewall(),
 			"azurerm_firewall_network_rule_collection":       resourceArmFirewallNetworkRuleCollection(),
+			"azurerm_firewall_application_rule_collection":   resourceArmFirewallApplicationRuleCollection(),
 			"azurerm_function_app":                           resourceArmFunctionApp(),
 			"azurerm_image":                                  resourceArmImage(),
 			"azurerm_iothub":                                 resourceArmIotHub(),
diff --git a/azurerm/resource_arm_firewall_application_rule_collection.go b/azurerm/resource_arm_firewall_application_rule_collection.go
new file mode 100644
index 000000000000..881d8696a1b4
--- /dev/null
+++ b/azurerm/resource_arm_firewall_application_rule_collection.go
@@ -0,0 +1,449 @@
+package azurerm
+
+import (
+	"fmt"
+	"log"
+
+	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/helpers/validate"
+
+	"github.com/Azure/azure-sdk-for-go/services/network/mgmt/2018-08-01/network"
+	"github.com/hashicorp/terraform/helper/schema"
+	"github.com/hashicorp/terraform/helper/validation"
+	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/utils"
+)
+
+func resourceArmFirewallApplicationRuleCollection() *schema.Resource {
+	return &schema.Resource{
+		Create: resourceArmFirewallApplicationRuleCollectionCreateUpdate,
+		Read:   resourceArmFirewallApplicationRuleCollectionRead,
+		Update: resourceArmFirewallApplicationRuleCollectionCreateUpdate,
+		Delete: resourceArmFirewallApplicationRuleCollectionDelete,
+		Importer: &schema.ResourceImporter{
+			State: schema.ImportStatePassthrough,
+		},
+
+		Schema: map[string]*schema.Schema{
+			"name": {
+				Type:         schema.TypeString,
+				Required:     true,
+				ForceNew:     true,
+				ValidateFunc: validateAzureFirewallName,
+			},
+
+			"azure_firewall_name": {
+				Type:         schema.TypeString,
+				Required:     true,
+				ForceNew:     true,
+				ValidateFunc: validateAzureFirewallName,
+			},
+
+			"resource_group_name": resourceGroupNameSchema(),
+
+			"priority": {
+				Type:         schema.TypeInt,
+				Required:     true,
+				ValidateFunc: validation.IntBetween(100, 65000),
+			},
+
+			"action": {
+				Type:     schema.TypeString,
+				Required: true,
+				ValidateFunc: validation.StringInSlice([]string{
+					string(network.AzureFirewallRCActionTypeAllow),
+					string(network.AzureFirewallRCActionTypeDeny),
+				}, false),
+			},
+
+			"rule": {
+				Type:     schema.TypeSet,
+				Required: true,
+				MinItems: 1,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"name": {
+							Type:         schema.TypeString,
+							Required:     true,
+							ValidateFunc: validation.NoZeroValues,
+						},
+						"description": {
+							Type:     schema.TypeString,
+							Optional: true,
+						},
+						"source_addresses": {
+							Type:     schema.TypeSet,
+							Required: true,
+							Elem:     &schema.Schema{Type: schema.TypeString},
+							Set:      schema.HashString,
+						},
+						"fqdn_tags": {
+							Type:     schema.TypeSet,
+							Optional: true,
+							Elem:     &schema.Schema{Type: schema.TypeString},
+							Set:      schema.HashString,
+							// ConflictsWith: []string{
+							// 	"target_fqdns",
+							// 	"protocol",
+							// },
+						},
+						"target_fqdns": {
+							Type:     schema.TypeSet,
+							Optional: true,
+							Elem:     &schema.Schema{Type: schema.TypeString},
+							Set:      schema.HashString,
+							// ConflictsWith: []string{"fqdn_tags"},
+						},
+						"protocol": {
+							Type:     schema.TypeList,
+							Optional: true,
+							MinItems: 1,
+							Elem: &schema.Resource{
+								Schema: map[string]*schema.Schema{
+									"port": {
+										Type:         schema.TypeInt,
+										Optional:     true,
+										ValidateFunc: validate.PortNumber,
+									},
+									"type": {
+										Type:     schema.TypeString,
+										Required: true,
+										ValidateFunc: validation.StringInSlice([]string{
+											string(network.AzureFirewallApplicationRuleProtocolTypeHTTP),
+											string(network.AzureFirewallApplicationRuleProtocolTypeHTTPS),
+										}, false),
+									},
+								},
+							},
+							// Set: resourceArmFirewallApplicationRuleCollectionRuleProtocolHash,
+							// ConflictsWith: []string{"fqdn_tags"},
+						},
+					},
+				},
+			},
+		},
+	}
+}
+
+func resourceArmFirewallApplicationRuleCollectionCreateUpdate(d *schema.ResourceData, meta interface{}) error {
+	client := meta.(*ArmClient).azureFirewallsClient
+	ctx := meta.(*ArmClient).StopContext
+
+	name := d.Get("name").(string)
+	firewallName := d.Get("azure_firewall_name").(string)
+	resourceGroup := d.Get("resource_group_name").(string)
+
+	azureRMLockByName(firewallName, azureFirewallResourceName)
+	defer azureRMUnlockByName(firewallName, azureFirewallResourceName)
+
+	firewall, err := client.Get(ctx, resourceGroup, firewallName)
+	if err != nil {
+		return fmt.Errorf("Error retrieving Firewall %q (Resource Group %q): %+v", firewallName, resourceGroup, err)
+	}
+
+	if firewall.AzureFirewallPropertiesFormat == nil {
+		return fmt.Errorf("Error expanding Firewall %q (Resource Group %q): `properties` was nil.", firewallName, resourceGroup)
+	}
+	props := *firewall.AzureFirewallPropertiesFormat
+
+	if props.ApplicationRuleCollections == nil {
+		return fmt.Errorf("Error expanding Firewall %q (Resource Group %q): `properties.ApplicationRuleCollections` was nil.", firewallName, resourceGroup)
+	}
+	ruleCollections := *props.ApplicationRuleCollections
+
+	applicationRules := expandArmFirewallApplicationRules(d.Get("rule").(*schema.Set))
+	priority := d.Get("priority").(int)
+	newRuleCollection := network.AzureFirewallApplicationRuleCollection{
+		Name: utils.String(name),
+		AzureFirewallApplicationRuleCollectionPropertiesFormat: &network.AzureFirewallApplicationRuleCollectionPropertiesFormat{
+			Action: &network.AzureFirewallRCAction{
+				Type: network.AzureFirewallRCActionType(d.Get("action").(string)),
+			},
+			Priority: utils.Int32(int32(priority)),
+			Rules:    &applicationRules,
+		},
+	}
+
+	if !d.IsNewResource() {
+		index := -1
+		for i, v := range ruleCollections {
+			if v.Name == nil {
+				continue
+			}
+
+			if *v.Name == name {
+				index = i
+				break
+			}
+		}
+
+		if index == -1 {
+			return fmt.Errorf("Error locating Application Rule Collection %q (Firewall %q / Resource Group %q)", name, firewallName, resourceGroup)
+		}
+
+		ruleCollections[index] = newRuleCollection
+	} else {
+		ruleCollections = append(ruleCollections, newRuleCollection)
+	}
+
+	firewall.AzureFirewallPropertiesFormat.ApplicationRuleCollections = &ruleCollections
+
+	future, err := client.CreateOrUpdate(ctx, resourceGroup, firewallName, firewall)
+	if err != nil {
+		return fmt.Errorf("Error creating/updating Application Rule Collection %q in Firewall %q (Resource Group %q): %+v", name, firewallName, resourceGroup, err)
+	}
+
+	err = future.WaitForCompletionRef(ctx, client.Client)
+	if err != nil {
+		return fmt.Errorf("Error waiting for creation/update of Application Rule Collection %q of Firewall %q (Resource Group %q): %+v", name, firewallName, resourceGroup, err)
+	}
+
+	read, err := client.Get(ctx, resourceGroup, firewallName)
+	if err != nil {
+		return fmt.Errorf("Error retrieving Firewall %q (Resource Group %q): %+v", firewallName, resourceGroup, err)
+	}
+
+	var collectionID string
+	if props := read.AzureFirewallPropertiesFormat; props != nil {
+		if collections := props.ApplicationRuleCollections; collections != nil {
+			for _, collection := range *collections {
+				if collection.Name == nil {
+					continue
+				}
+
+				if *collection.Name == name {
+					collectionID = *collection.ID
+					break
+				}
+			}
+		}
+	}
+
+	if collectionID == "" {
+		return fmt.Errorf("Cannot find ID for Application Rule Collection %q (Azure Firewall %q / Resource Group %q)", name, firewallName, resourceGroup)
+	}
+	d.SetId(collectionID)
+
+	return resourceArmFirewallApplicationRuleCollectionRead(d, meta)
+}
+
+func resourceArmFirewallApplicationRuleCollectionRead(d *schema.ResourceData, meta interface{}) error {
+	client := meta.(*ArmClient).azureFirewallsClient
+	ctx := meta.(*ArmClient).StopContext
+
+	id, err := parseAzureResourceID(d.Id())
+	if err != nil {
+		return err
+	}
+
+	resourceGroup := id.ResourceGroup
+	firewallName := id.Path["azureFirewalls"]
+	name := id.Path["applicationRuleCollections"]
+
+	read, err := client.Get(ctx, resourceGroup, firewallName)
+	if err != nil {
+		if utils.ResponseWasNotFound(read.Response) {
+			log.Printf("[DEBUG] Azure Firewall %q (Resource Group %q) was not found - removing from state!", name, resourceGroup)
+			d.SetId("")
+			return nil
+		}
+		return fmt.Errorf("Error retrieving Azure Firewall %q (Resource Group %q): %+v", name, resourceGroup, err)
+	}
+
+	if read.AzureFirewallPropertiesFormat == nil {
+		return fmt.Errorf("Error retrieving Application Rule Collection %q (Firewall %q / Resource Group %q): `props` was nil", name, firewallName, resourceGroup)
+	}
+	props := *read.AzureFirewallPropertiesFormat
+
+	if props.ApplicationRuleCollections == nil {
+		return fmt.Errorf("Error retrieving Application Rule Collection %q (Firewall %q / Resource Group %q): `props.ApplicationRuleCollections` was nil", name, firewallName, resourceGroup)
+	}
+
+	var rule *network.AzureFirewallApplicationRuleCollection
+	for _, r := range *props.ApplicationRuleCollections {
+		if r.Name == nil {
+			continue
+		}
+
+		if *r.Name == name {
+			rule = &r
+			break
+		}
+	}
+
+	if rule == nil {
+		log.Printf("[DEBUG] Application Rule Collection %q was not found on Firewall %q (Resource Group %q) - removing from state!", name, firewallName, resourceGroup)
+		d.SetId("")
+		return nil
+	}
+
+	d.Set("name", rule.Name)
+	d.Set("azure_firewall_name", firewallName)
+	d.Set("resource_group_name", resourceGroup)
+
+	if props := rule.AzureFirewallApplicationRuleCollectionPropertiesFormat; props != nil {
+		if action := props.Action; action != nil {
+			d.Set("action", string(action.Type))
+		}
+
+		if priority := props.Priority; priority != nil {
+			d.Set("priority", int(*priority))
+		}
+
+		flattenedRules := flattenFirewallApplicationRuleCollectionRules(props.Rules)
+		// if err := d.Set("rule", schema.NewSet(resourceArmFirewallApplicationRuleCollectionRuleProtocolHash, flattenedRules)); err != nil {
+		if err := d.Set("rule", flattenedRules); err != nil {
+			return fmt.Errorf("Error setting `rule`: %+v", err)
+		}
+	}
+
+	return nil
+}
+
+func resourceArmFirewallApplicationRuleCollectionDelete(d *schema.ResourceData, meta interface{}) error {
+	client := meta.(*ArmClient).azureFirewallsClient
+	ctx := meta.(*ArmClient).StopContext
+
+	id, err := parseAzureResourceID(d.Id())
+	if err != nil {
+		return err
+	}
+
+	resourceGroup := id.ResourceGroup
+	firewallName := id.Path["azureFirewalls"]
+	name := id.Path["applicationRuleCollections"]
+
+	azureRMLockByName(firewallName, azureFirewallResourceName)
+	defer azureRMUnlockByName(firewallName, azureFirewallResourceName)
+
+	firewall, err := client.Get(ctx, resourceGroup, firewallName)
+	if err != nil {
+		if utils.ResponseWasNotFound(firewall.Response) {
+			// assume deleted
+			return nil
+		}
+
+		return fmt.Errorf("Error making Read request on Azure Firewall %q (Resource Group %q): %+v", firewallName, resourceGroup, err)
+	}
+
+	props := firewall.AzureFirewallPropertiesFormat
+	if props == nil {
+		return fmt.Errorf("Error retrieving Application Rule Collection %q (Firewall %q / Resource Group %q): `props` was nil", name, firewallName, resourceGroup)
+	}
+	if props.ApplicationRuleCollections == nil {
+		return fmt.Errorf("Error retrieving Application Rule Collection %q (Firewall %q / Resource Group %q): `props.ApplicationRuleCollections` was nil", name, firewallName, resourceGroup)
+	}
+
+	applicationRules := make([]network.AzureFirewallApplicationRuleCollection, 0)
+	for _, rule := range *props.ApplicationRuleCollections {
+		if rule.Name == nil {
+			continue
+		}
+
+		if *rule.Name != name {
+			applicationRules = append(applicationRules, rule)
+		}
+	}
+	props.ApplicationRuleCollections = &applicationRules
+
+	future, err := client.CreateOrUpdate(ctx, resourceGroup, firewallName, firewall)
+	if err != nil {
+		return fmt.Errorf("Error deleting Application Rule Collection %q from Firewall %q (Resource Group %q): %+v", name, firewallName, resourceGroup, err)
+	}
+
+	err = future.WaitForCompletionRef(ctx, client.Client)
+	if err != nil {
+		return fmt.Errorf("Error waiting for deletion of Application Rule Collection %q from Firewall %q (Resource Group %q): %+v", name, firewallName, resourceGroup, err)
+	}
+
+	return nil
+}
+
+func expandArmFirewallApplicationRules(input *schema.Set) []network.AzureFirewallApplicationRule {
+	appRules := input.List()
+	rules := make([]network.AzureFirewallApplicationRule, 0)
+
+	for _, appRule := range appRules {
+		rule := appRule.(map[string]interface{})
+
+		name := rule["name"].(string)
+		description := rule["description"].(string)
+
+		sourceAddresses := make([]string, 0)
+		for _, v := range rule["source_addresses"].(*schema.Set).List() {
+			sourceAddresses = append(sourceAddresses, v.(string))
+		}
+
+		fqdnTags := make([]string, 0)
+		for _, v := range rule["fqdn_tags"].(*schema.Set).List() {
+			fqdnTags = append(fqdnTags, v.(string))
+		}
+
+		targetFqdns := make([]string, 0)
+		for _, v := range rule["target_fqdns"].(*schema.Set).List() {
+			targetFqdns = append(targetFqdns, v.(string))
+		}
+
+		ruleToAdd := network.AzureFirewallApplicationRule{
+			Name:            utils.String(name),
+			Description:     utils.String(description),
+			SourceAddresses: &sourceAddresses,
+			FqdnTags:        &fqdnTags,
+			TargetFqdns:     &targetFqdns,
+		}
+
+		arProtocols := make([]network.AzureFirewallApplicationRuleProtocol, 0)
+		protocols := rule["protocol"].([]interface{})
+		for _, v := range protocols {
+			protocol := v.(map[string]interface{})
+			port := protocol["port"].(int)
+			p := network.AzureFirewallApplicationRuleProtocol{
+				Port:         utils.Int32(int32(port)),
+				ProtocolType: network.AzureFirewallApplicationRuleProtocolType(protocol["type"].(string)),
+			}
+			arProtocols = append(arProtocols, p)
+		}
+		ruleToAdd.Protocols = &arProtocols
+		rules = append(rules, ruleToAdd)
+	}
+
+	return rules
+}
+
+func flattenFirewallApplicationRuleCollectionRules(rules *[]network.AzureFirewallApplicationRule) []map[string]interface{} {
+	outputs := make([]map[string]interface{}, 0)
+	if rules == nil {
+		return outputs
+	}
+
+	for _, rule := range *rules {
+		output := make(map[string]interface{})
+		if rule.Name != nil {
+			output["name"] = *rule.Name
+		}
+		if rule.Description != nil {
+			output["description"] = *rule.Description
+		}
+		if rule.SourceAddresses != nil {
+			output["source_addresses"] = sliceToSet(*rule.SourceAddresses)
+		}
+		if rule.FqdnTags != nil {
+			output["fqdn_tags"] = sliceToSet(*rule.FqdnTags)
+		}
+		if rule.TargetFqdns != nil {
+			output["target_fqdns"] = sliceToSet(*rule.TargetFqdns)
+		}
+		protocols := make([]map[string]interface{}, 0)
+		if arProtocols := rule.Protocols; arProtocols != nil {
+			for _, p := range *arProtocols {
+				protocol := make(map[string]interface{})
+				if port := p.Port; port != nil {
+					protocol["port"] = int(*port)
+				}
+				protocol["type"] = string(p.ProtocolType)
+				protocols = append(protocols, protocol)
+			}
+		}
+		output["protocol"] = protocols
+		outputs = append(outputs, output)
+	}
+	return outputs
+}

From ec01897becce23c99525edd708ab1329cd78b650 Mon Sep 17 00:00:00 2001
From: Henry Buckle <h.buckle@outlook.com>
Date: Fri, 7 Dec 2018 07:03:53 +0000
Subject: [PATCH 03/16] rename some vars

---
 ...rm_firewall_application_rule_collection.go | 77 +++++++++----------
 1 file changed, 38 insertions(+), 39 deletions(-)

diff --git a/azurerm/resource_arm_firewall_application_rule_collection.go b/azurerm/resource_arm_firewall_application_rule_collection.go
index 881d8696a1b4..8ebe227d7974 100644
--- a/azurerm/resource_arm_firewall_application_rule_collection.go
+++ b/azurerm/resource_arm_firewall_application_rule_collection.go
@@ -140,12 +140,12 @@ func resourceArmFirewallApplicationRuleCollectionCreateUpdate(d *schema.Resource
 	}
 
 	if firewall.AzureFirewallPropertiesFormat == nil {
-		return fmt.Errorf("Error expanding Firewall %q (Resource Group %q): `properties` was nil.", firewallName, resourceGroup)
+		return fmt.Errorf("Error expanding Firewall %q (Resource Group %q): `properties` was nil", firewallName, resourceGroup)
 	}
 	props := *firewall.AzureFirewallPropertiesFormat
 
 	if props.ApplicationRuleCollections == nil {
-		return fmt.Errorf("Error expanding Firewall %q (Resource Group %q): `properties.ApplicationRuleCollections` was nil.", firewallName, resourceGroup)
+		return fmt.Errorf("Error expanding Firewall %q (Resource Group %q): `properties.ApplicationRuleCollections` was nil", firewallName, resourceGroup)
 	}
 	ruleCollections := *props.ApplicationRuleCollections
 
@@ -357,55 +357,54 @@ func resourceArmFirewallApplicationRuleCollectionDelete(d *schema.ResourceData,
 	return nil
 }
 
-func expandArmFirewallApplicationRules(input *schema.Set) []network.AzureFirewallApplicationRule {
-	appRules := input.List()
-	rules := make([]network.AzureFirewallApplicationRule, 0)
+func expandArmFirewallApplicationRules(inputs *schema.Set) []network.AzureFirewallApplicationRule {
+	outputs := make([]network.AzureFirewallApplicationRule, 0)
 
-	for _, appRule := range appRules {
-		rule := appRule.(map[string]interface{})
+	for _, input := range inputs.List() {
+		rule := input.(map[string]interface{})
 
-		name := rule["name"].(string)
-		description := rule["description"].(string)
+		ruleName := rule["name"].(string)
+		ruleDescription := rule["description"].(string)
 
-		sourceAddresses := make([]string, 0)
+		ruleSourceAddresses := make([]string, 0)
 		for _, v := range rule["source_addresses"].(*schema.Set).List() {
-			sourceAddresses = append(sourceAddresses, v.(string))
+			ruleSourceAddresses = append(ruleSourceAddresses, v.(string))
 		}
 
-		fqdnTags := make([]string, 0)
+		ruleFqdnTags := make([]string, 0)
 		for _, v := range rule["fqdn_tags"].(*schema.Set).List() {
-			fqdnTags = append(fqdnTags, v.(string))
+			ruleFqdnTags = append(ruleFqdnTags, v.(string))
 		}
 
-		targetFqdns := make([]string, 0)
+		ruleTargetFqdns := make([]string, 0)
 		for _, v := range rule["target_fqdns"].(*schema.Set).List() {
-			targetFqdns = append(targetFqdns, v.(string))
+			ruleTargetFqdns = append(ruleTargetFqdns, v.(string))
 		}
 
-		ruleToAdd := network.AzureFirewallApplicationRule{
-			Name:            utils.String(name),
-			Description:     utils.String(description),
-			SourceAddresses: &sourceAddresses,
-			FqdnTags:        &fqdnTags,
-			TargetFqdns:     &targetFqdns,
+		output := network.AzureFirewallApplicationRule{
+			Name:            utils.String(ruleName),
+			Description:     utils.String(ruleDescription),
+			SourceAddresses: &ruleSourceAddresses,
+			FqdnTags:        &ruleFqdnTags,
+			TargetFqdns:     &ruleTargetFqdns,
 		}
 
-		arProtocols := make([]network.AzureFirewallApplicationRuleProtocol, 0)
+		ruleProtocols := make([]network.AzureFirewallApplicationRuleProtocol, 0)
 		protocols := rule["protocol"].([]interface{})
 		for _, v := range protocols {
 			protocol := v.(map[string]interface{})
 			port := protocol["port"].(int)
-			p := network.AzureFirewallApplicationRuleProtocol{
+			ruleProtocol := network.AzureFirewallApplicationRuleProtocol{
 				Port:         utils.Int32(int32(port)),
 				ProtocolType: network.AzureFirewallApplicationRuleProtocolType(protocol["type"].(string)),
 			}
-			arProtocols = append(arProtocols, p)
+			ruleProtocols = append(ruleProtocols, ruleProtocol)
 		}
-		ruleToAdd.Protocols = &arProtocols
-		rules = append(rules, ruleToAdd)
+		output.Protocols = &ruleProtocols
+		outputs = append(outputs, output)
 	}
 
-	return rules
+	return outputs
 }
 
 func flattenFirewallApplicationRuleCollectionRules(rules *[]network.AzureFirewallApplicationRule) []map[string]interface{} {
@@ -416,24 +415,24 @@ func flattenFirewallApplicationRuleCollectionRules(rules *[]network.AzureFirewal
 
 	for _, rule := range *rules {
 		output := make(map[string]interface{})
-		if rule.Name != nil {
-			output["name"] = *rule.Name
+		if ruleName := rule.Name; ruleName != nil {
+			output["name"] = *ruleName
 		}
-		if rule.Description != nil {
-			output["description"] = *rule.Description
+		if ruleDescription := rule.Description; ruleDescription != nil {
+			output["description"] = *ruleDescription
 		}
-		if rule.SourceAddresses != nil {
-			output["source_addresses"] = sliceToSet(*rule.SourceAddresses)
+		if ruleSourceAddresses := rule.SourceAddresses; ruleSourceAddresses != nil {
+			output["source_addresses"] = sliceToSet(*ruleSourceAddresses)
 		}
-		if rule.FqdnTags != nil {
-			output["fqdn_tags"] = sliceToSet(*rule.FqdnTags)
+		if ruleFqdnTags := rule.FqdnTags; ruleFqdnTags != nil {
+			output["fqdn_tags"] = sliceToSet(*ruleFqdnTags)
 		}
-		if rule.TargetFqdns != nil {
-			output["target_fqdns"] = sliceToSet(*rule.TargetFqdns)
+		if ruleTargetFqdns := rule.TargetFqdns; ruleTargetFqdns != nil {
+			output["target_fqdns"] = sliceToSet(*ruleTargetFqdns)
 		}
 		protocols := make([]map[string]interface{}, 0)
-		if arProtocols := rule.Protocols; arProtocols != nil {
-			for _, p := range *arProtocols {
+		if ruleProtocols := rule.Protocols; ruleProtocols != nil {
+			for _, p := range *ruleProtocols {
 				protocol := make(map[string]interface{})
 				if port := p.Port; port != nil {
 					protocol["port"] = int(*port)

From d6cfdf4580704768415a8879883598cd72d86eb7 Mon Sep 17 00:00:00 2001
From: Henry Buckle <h.buckle@outlook.com>
Date: Fri, 7 Dec 2018 07:10:56 +0000
Subject: [PATCH 04/16] add test skeleton

---
 ...rewall_application_rule_collection_test.go | 25 +++++++++++++++++++
 1 file changed, 25 insertions(+)
 create mode 100644 azurerm/resource_arm_firewall_application_rule_collection_test.go

diff --git a/azurerm/resource_arm_firewall_application_rule_collection_test.go b/azurerm/resource_arm_firewall_application_rule_collection_test.go
new file mode 100644
index 000000000000..36bc8dd8e18b
--- /dev/null
+++ b/azurerm/resource_arm_firewall_application_rule_collection_test.go
@@ -0,0 +1,25 @@
+package azurerm
+
+import (
+	"testing"
+)
+
+func TestAccAzureRMFirewallApplicationRuleCollection_basic(t *testing.T) {}
+
+func TestAccAzureRMFirewallApplicationRuleCollection_updatedName(t *testing.T) {}
+
+func TestAccAzureRMFirewallApplicationRuleCollection_multipleRuleCollections(t *testing.T) {}
+
+func TestAccAzureRMFirewallApplicationRuleCollection_update(t *testing.T) {}
+
+func TestAccAzureRMFirewallApplicationRuleCollection_disappears(t *testing.T) {}
+
+func TestAccAzureRMFirewallApplicationRuleCollection_multipleRules(t *testing.T) {}
+
+func TestAccAzureRMFirewallApplicationRuleCollection_updateProtocols(t *testing.T) {}
+
+func testCheckAzureRMFirewallApplicationRuleCollectionExists(resourceName string) resource.TestCheckFunc {}
+
+func testCheckAzureRMFirewallApplicationRuleCollectionDoesNotExist(resourceName string, collectionName string) resource.TestCheckFunc {)
+
+func testCheckAzureRMFirewallApplicationRuleCollectionDisappears(resourceName string) resource.TestCheckFunc {}
\ No newline at end of file

From 0a92f11b3d6db5270a134fb5474ea995a037757b Mon Sep 17 00:00:00 2001
From: Henry Buckle <h.buckle@outlook.com>
Date: Fri, 7 Dec 2018 16:36:41 +0000
Subject: [PATCH 05/16] use list instead of set

---
 .../resource_arm_firewall_application_rule_collection.go | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/azurerm/resource_arm_firewall_application_rule_collection.go b/azurerm/resource_arm_firewall_application_rule_collection.go
index 8ebe227d7974..3a5919b3e4c2 100644
--- a/azurerm/resource_arm_firewall_application_rule_collection.go
+++ b/azurerm/resource_arm_firewall_application_rule_collection.go
@@ -55,7 +55,7 @@ func resourceArmFirewallApplicationRuleCollection() *schema.Resource {
 			},
 
 			"rule": {
-				Type:     schema.TypeSet,
+				Type:     schema.TypeList,
 				Required: true,
 				MinItems: 1,
 				Elem: &schema.Resource{
@@ -149,7 +149,7 @@ func resourceArmFirewallApplicationRuleCollectionCreateUpdate(d *schema.Resource
 	}
 	ruleCollections := *props.ApplicationRuleCollections
 
-	applicationRules := expandArmFirewallApplicationRules(d.Get("rule").(*schema.Set))
+	applicationRules := expandArmFirewallApplicationRules(d.Get("rule").([]interface{}))
 	priority := d.Get("priority").(int)
 	newRuleCollection := network.AzureFirewallApplicationRuleCollection{
 		Name: utils.String(name),
@@ -289,7 +289,6 @@ func resourceArmFirewallApplicationRuleCollectionRead(d *schema.ResourceData, me
 		}
 
 		flattenedRules := flattenFirewallApplicationRuleCollectionRules(props.Rules)
-		// if err := d.Set("rule", schema.NewSet(resourceArmFirewallApplicationRuleCollectionRuleProtocolHash, flattenedRules)); err != nil {
 		if err := d.Set("rule", flattenedRules); err != nil {
 			return fmt.Errorf("Error setting `rule`: %+v", err)
 		}
@@ -357,10 +356,10 @@ func resourceArmFirewallApplicationRuleCollectionDelete(d *schema.ResourceData,
 	return nil
 }
 
-func expandArmFirewallApplicationRules(inputs *schema.Set) []network.AzureFirewallApplicationRule {
+func expandArmFirewallApplicationRules(inputs []interface{}) []network.AzureFirewallApplicationRule {
 	outputs := make([]network.AzureFirewallApplicationRule, 0)
 
-	for _, input := range inputs.List() {
+	for _, input := range inputs {
 		rule := input.(map[string]interface{})
 
 		ruleName := rule["name"].(string)

From 22f39b353d6d209c04f909582b275806379a0013 Mon Sep 17 00:00:00 2001
From: Henry Buckle <h.buckle@outlook.com>
Date: Fri, 7 Dec 2018 16:37:00 +0000
Subject: [PATCH 06/16] add all the tests

---
 ...rewall_application_rule_collection_test.go | 742 +++++++++++++++++-
 1 file changed, 732 insertions(+), 10 deletions(-)

diff --git a/azurerm/resource_arm_firewall_application_rule_collection_test.go b/azurerm/resource_arm_firewall_application_rule_collection_test.go
index 36bc8dd8e18b..b4e67a734f05 100644
--- a/azurerm/resource_arm_firewall_application_rule_collection_test.go
+++ b/azurerm/resource_arm_firewall_application_rule_collection_test.go
@@ -1,25 +1,747 @@
 package azurerm
 
 import (
+	"fmt"
 	"testing"
+
+	"github.com/Azure/azure-sdk-for-go/services/network/mgmt/2018-08-01/network"
+
+	"github.com/hashicorp/terraform/helper/acctest"
+	"github.com/hashicorp/terraform/helper/resource"
+	"github.com/hashicorp/terraform/terraform"
 )
 
-func TestAccAzureRMFirewallApplicationRuleCollection_basic(t *testing.T) {}
+func TestAccAzureRMFirewallApplicationRuleCollection_basic(t *testing.T) {
+	resourceName := "azurerm_firewall_application_rule_collection.test"
+	ri := acctest.RandInt()
+	location := testLocation()
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testCheckAzureRMFirewallDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccAzureRMFirewallApplicationRuleCollection_basic(ri, location),
+				Check: resource.ComposeTestCheckFunc(
+					testCheckAzureRMFirewallApplicationRuleCollectionExists(resourceName),
+					resource.TestCheckResourceAttr(resourceName, "name", "acctestarc"),
+					resource.TestCheckResourceAttr(resourceName, "priority", "100"),
+					resource.TestCheckResourceAttr(resourceName, "action", "Allow"),
+					resource.TestCheckResourceAttr(resourceName, "rule.#", "1"),
+					resource.TestCheckResourceAttr(resourceName, "rule.0.name", "rule1"),
+					resource.TestCheckResourceAttr(resourceName, "rule.0.source_addresses.#", "1"),
+					resource.TestCheckResourceAttr(resourceName, "rule.0.target_fqdns.#", "1"),
+					resource.TestCheckResourceAttr(resourceName, "rule.0.protocol.#", "1"),
+					resource.TestCheckResourceAttr(resourceName, "rule.0.protocol.0.port", "443"),
+					resource.TestCheckResourceAttr(resourceName, "rule.0.protocol.0.type", "Https"),
+				),
+			},
+			{
+				ResourceName:      resourceName,
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+		},
+	})
+}
+
+func TestAccAzureRMFirewallApplicationRuleCollection_updatedName(t *testing.T) {
+	resourceName := "azurerm_firewall_application_rule_collection.test"
+	ri := acctest.RandInt()
+	location := testLocation()
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testCheckAzureRMFirewallDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccAzureRMFirewallApplicationRuleCollection_basic(ri, location),
+				Check: resource.ComposeTestCheckFunc(
+					testCheckAzureRMFirewallApplicationRuleCollectionExists(resourceName),
+					resource.TestCheckResourceAttr(resourceName, "name", "acctestarc"),
+					resource.TestCheckResourceAttr(resourceName, "priority", "100"),
+					resource.TestCheckResourceAttr(resourceName, "action", "Allow"),
+					resource.TestCheckResourceAttr(resourceName, "rule.#", "1"),
+					resource.TestCheckResourceAttr(resourceName, "rule.0.name", "rule1"),
+				),
+			},
+			{
+				Config: testAccAzureRMFirewallApplicationRuleCollection_updatedName(ri, location),
+				Check: resource.ComposeTestCheckFunc(
+					testCheckAzureRMFirewallApplicationRuleCollectionExists(resourceName),
+					resource.TestCheckResourceAttr(resourceName, "name", "acctestarc"),
+					resource.TestCheckResourceAttr(resourceName, "priority", "100"),
+					resource.TestCheckResourceAttr(resourceName, "action", "Allow"),
+					resource.TestCheckResourceAttr(resourceName, "rule.#", "1"),
+					resource.TestCheckResourceAttr(resourceName, "rule.0.name", "rule2"),
+				),
+			},
+		},
+	})
+}
+
+func TestAccAzureRMFirewallApplicationRuleCollection_multipleRuleCollections(t *testing.T) {
+	firstRule := "azurerm_firewall_application_rule_collection.test"
+	secondRule := "azurerm_firewall_application_rule_collection.test_add"
+	ri := acctest.RandInt()
+	location := testLocation()
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testCheckAzureRMFirewallDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccAzureRMFirewallApplicationRuleCollection_basic(ri, location),
+				Check: resource.ComposeTestCheckFunc(
+					testCheckAzureRMFirewallApplicationRuleCollectionExists(firstRule),
+					resource.TestCheckResourceAttr(firstRule, "name", "acctestarc"),
+					resource.TestCheckResourceAttr(firstRule, "priority", "100"),
+					resource.TestCheckResourceAttr(firstRule, "action", "Allow"),
+					resource.TestCheckResourceAttr(firstRule, "rule.#", "1"),
+				),
+			},
+			{
+				Config: testAccAzureRMFirewallApplicationRuleCollection_multiple(ri, location),
+				Check: resource.ComposeTestCheckFunc(
+					testCheckAzureRMFirewallApplicationRuleCollectionExists(firstRule),
+					resource.TestCheckResourceAttr(firstRule, "name", "acctestarc"),
+					resource.TestCheckResourceAttr(firstRule, "priority", "100"),
+					resource.TestCheckResourceAttr(firstRule, "action", "Allow"),
+					resource.TestCheckResourceAttr(firstRule, "rule.#", "1"),
+					testCheckAzureRMFirewallApplicationRuleCollectionExists(secondRule),
+					resource.TestCheckResourceAttr(secondRule, "name", "acctestarc_add"),
+					resource.TestCheckResourceAttr(secondRule, "priority", "200"),
+					resource.TestCheckResourceAttr(secondRule, "action", "Deny"),
+					resource.TestCheckResourceAttr(secondRule, "rule.#", "1"),
+				),
+			},
+			{
+				Config: testAccAzureRMFirewallApplicationRuleCollection_basic(ri, location),
+				Check: resource.ComposeTestCheckFunc(
+					testCheckAzureRMFirewallApplicationRuleCollectionExists(firstRule),
+					resource.TestCheckResourceAttr(firstRule, "name", "acctestarc"),
+					resource.TestCheckResourceAttr(firstRule, "priority", "100"),
+					resource.TestCheckResourceAttr(firstRule, "action", "Allow"),
+					resource.TestCheckResourceAttr(firstRule, "rule.#", "1"),
+					testCheckAzureRMFirewallApplicationRuleCollectionDoesNotExist("azurerm_firewall.test", "acctestarc_add"),
+				),
+			},
+		},
+	})
+}
+
+func TestAccAzureRMFirewallApplicationRuleCollection_update(t *testing.T) {
+	firstResourceName := "azurerm_firewall_application_rule_collection.test"
+	secondResourceName := "azurerm_firewall_application_rule_collection.test_add"
+	ri := acctest.RandInt()
+	location := testLocation()
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testCheckAzureRMFirewallDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccAzureRMFirewallApplicationRuleCollection_multiple(ri, location),
+				Check: resource.ComposeTestCheckFunc(
+					testCheckAzureRMFirewallApplicationRuleCollectionExists(firstResourceName),
+					resource.TestCheckResourceAttr(firstResourceName, "name", "acctestarc"),
+					resource.TestCheckResourceAttr(firstResourceName, "priority", "100"),
+					resource.TestCheckResourceAttr(firstResourceName, "action", "Allow"),
+					resource.TestCheckResourceAttr(firstResourceName, "rule.#", "1"),
+					testCheckAzureRMFirewallApplicationRuleCollectionExists(secondResourceName),
+					resource.TestCheckResourceAttr(secondResourceName, "name", "acctestarc_add"),
+					resource.TestCheckResourceAttr(secondResourceName, "priority", "200"),
+					resource.TestCheckResourceAttr(secondResourceName, "action", "Deny"),
+					resource.TestCheckResourceAttr(secondResourceName, "rule.#", "1"),
+				),
+			},
+			{
+				Config: testAccAzureRMFirewallApplicationRuleCollection_multipleUpdate(ri, location),
+				Check: resource.ComposeTestCheckFunc(
+					testCheckAzureRMFirewallApplicationRuleCollectionExists(firstResourceName),
+					resource.TestCheckResourceAttr(firstResourceName, "name", "acctestarc"),
+					resource.TestCheckResourceAttr(firstResourceName, "priority", "300"),
+					resource.TestCheckResourceAttr(firstResourceName, "action", "Deny"),
+					resource.TestCheckResourceAttr(firstResourceName, "rule.#", "1"),
+					testCheckAzureRMFirewallApplicationRuleCollectionExists(secondResourceName),
+					resource.TestCheckResourceAttr(secondResourceName, "name", "acctestarc_add"),
+					resource.TestCheckResourceAttr(secondResourceName, "priority", "400"),
+					resource.TestCheckResourceAttr(secondResourceName, "action", "Allow"),
+					resource.TestCheckResourceAttr(secondResourceName, "rule.#", "1"),
+				),
+			},
+		},
+	})
+}
+
+func TestAccAzureRMFirewallApplicationRuleCollection_disappears(t *testing.T) {
+	resourceName := "azurerm_firewall_application_rule_collection.test"
+	ri := acctest.RandInt()
+	location := testLocation()
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testCheckAzureRMFirewallDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccAzureRMFirewallApplicationRuleCollection_basic(ri, location),
+				Check: resource.ComposeTestCheckFunc(
+					testCheckAzureRMFirewallApplicationRuleCollectionExists(resourceName),
+					resource.TestCheckResourceAttr(resourceName, "name", "acctestarc"),
+					resource.TestCheckResourceAttr(resourceName, "priority", "100"),
+					resource.TestCheckResourceAttr(resourceName, "action", "Allow"),
+					resource.TestCheckResourceAttr(resourceName, "rule.#", "1"),
+					testCheckAzureRMFirewallApplicationRuleCollectionDisappears(resourceName),
+				),
+				ExpectNonEmptyPlan: true,
+			},
+		},
+	})
+}
+
+func TestAccAzureRMFirewallApplicationRuleCollection_multipleRules(t *testing.T) {
+	resourceName := "azurerm_firewall_application_rule_collection.test"
+	ri := acctest.RandInt()
+	location := testLocation()
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testCheckAzureRMFirewallDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccAzureRMFirewallApplicationRuleCollection_basic(ri, location),
+				Check: resource.ComposeTestCheckFunc(
+					testCheckAzureRMFirewallApplicationRuleCollectionExists(resourceName),
+					resource.TestCheckResourceAttr(resourceName, "name", "acctestarc"),
+					resource.TestCheckResourceAttr(resourceName, "priority", "100"),
+					resource.TestCheckResourceAttr(resourceName, "action", "Allow"),
+					resource.TestCheckResourceAttr(resourceName, "rule.#", "1"),
+				),
+			},
+			{
+				Config: testAccAzureRMFirewallApplicationRuleCollection_multipleRules(ri, location),
+				Check: resource.ComposeTestCheckFunc(
+					testCheckAzureRMFirewallApplicationRuleCollectionExists(resourceName),
+					resource.TestCheckResourceAttr(resourceName, "name", "acctestarc"),
+					resource.TestCheckResourceAttr(resourceName, "priority", "100"),
+					resource.TestCheckResourceAttr(resourceName, "action", "Allow"),
+					resource.TestCheckResourceAttr(resourceName, "rule.#", "2"),
+				),
+			},
+			{
+				Config: testAccAzureRMFirewallApplicationRuleCollection_basic(ri, location),
+				Check: resource.ComposeTestCheckFunc(
+					testCheckAzureRMFirewallApplicationRuleCollectionExists(resourceName),
+					resource.TestCheckResourceAttr(resourceName, "name", "acctestarc"),
+					resource.TestCheckResourceAttr(resourceName, "priority", "100"),
+					resource.TestCheckResourceAttr(resourceName, "action", "Allow"),
+					resource.TestCheckResourceAttr(resourceName, "rule.#", "1"),
+				),
+			},
+		},
+	})
+}
+
+func TestAccAzureRMFirewallApplicationRuleCollection_multipleProtocols(t *testing.T) {
+	resourceName := "azurerm_firewall_application_rule_collection.test"
+	ri := acctest.RandInt()
+	location := testLocation()
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testCheckAzureRMFirewallDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccAzureRMFirewallApplicationRuleCollection_multipleProtocols(ri, location),
+				Check: resource.ComposeTestCheckFunc(
+					testCheckAzureRMFirewallApplicationRuleCollectionExists(resourceName),
+					resource.TestCheckResourceAttr(resourceName, "name", "acctestarc"),
+					resource.TestCheckResourceAttr(resourceName, "priority", "100"),
+					resource.TestCheckResourceAttr(resourceName, "action", "Allow"),
+					resource.TestCheckResourceAttr(resourceName, "rule.#", "1"),
+					resource.TestCheckResourceAttr(resourceName, "rule.0.protocol.#", "2"),
+					resource.TestCheckResourceAttr(resourceName, "rule.0.protocol.0.port", "8080"),
+					resource.TestCheckResourceAttr(resourceName, "rule.0.protocol.0.type", "Http"),
+					resource.TestCheckResourceAttr(resourceName, "rule.0.protocol.1.port", "8443"),
+					resource.TestCheckResourceAttr(resourceName, "rule.0.protocol.1.port", "Https"),
+				),
+			},
+			{
+				ResourceName:      resourceName,
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+		},
+	})
+}
+
+func TestAccAzureRMFirewallApplicationRuleCollection_updateProtocols(t *testing.T) {
+	resourceName := "azurerm_firewall_application_rule_collection.test"
+	ri := acctest.RandInt()
+	location := testLocation()
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testCheckAzureRMFirewallDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccAzureRMFirewallApplicationRuleCollection_multipleProtocols(ri, location),
+				Check: resource.ComposeTestCheckFunc(
+					testCheckAzureRMFirewallApplicationRuleCollectionExists(resourceName),
+					resource.TestCheckResourceAttr(resourceName, "name", "acctestarc"),
+					resource.TestCheckResourceAttr(resourceName, "priority", "100"),
+					resource.TestCheckResourceAttr(resourceName, "action", "Allow"),
+					resource.TestCheckResourceAttr(resourceName, "rule.#", "1"),
+					resource.TestCheckResourceAttr(resourceName, "rule.0.protocol.#", "2"),
+					resource.TestCheckResourceAttr(resourceName, "rule.0.protocol.0.port", "8000"),
+					resource.TestCheckResourceAttr(resourceName, "rule.0.protocol.0.type", "Http"),
+					resource.TestCheckResourceAttr(resourceName, "rule.0.protocol.1.port", "8001"),
+					resource.TestCheckResourceAttr(resourceName, "rule.0.protocol.1.port", "Https"),
+				),
+			},
+			{
+				Config: testAccAzureRMFirewallApplicationRuleCollection_multipleProtocolsUpdate(ri, location),
+				Check: resource.ComposeTestCheckFunc(
+					testCheckAzureRMFirewallApplicationRuleCollectionExists(resourceName),
+					resource.TestCheckResourceAttr(resourceName, "name", "acctestarc"),
+					resource.TestCheckResourceAttr(resourceName, "priority", "100"),
+					resource.TestCheckResourceAttr(resourceName, "action", "Allow"),
+					resource.TestCheckResourceAttr(resourceName, "rule.#", "1"),
+					resource.TestCheckResourceAttr(resourceName, "rule.0.protocol.#", "2"),
+					resource.TestCheckResourceAttr(resourceName, "rule.0.protocol.0.port", "9000"),
+					resource.TestCheckResourceAttr(resourceName, "rule.0.protocol.0.type", "Https"),
+					resource.TestCheckResourceAttr(resourceName, "rule.0.protocol.1.port", "9001"),
+					resource.TestCheckResourceAttr(resourceName, "rule.0.protocol.1.port", "Http"),
+				),
+			},
+			{
+				Config: testAccAzureRMFirewallApplicationRuleCollection_multipleProtocols(ri, location),
+				Check: resource.ComposeTestCheckFunc(
+					testCheckAzureRMFirewallApplicationRuleCollectionExists(resourceName),
+					resource.TestCheckResourceAttr(resourceName, "name", "acctestarc"),
+					resource.TestCheckResourceAttr(resourceName, "priority", "100"),
+					resource.TestCheckResourceAttr(resourceName, "action", "Allow"),
+					resource.TestCheckResourceAttr(resourceName, "rule.#", "1"),
+					resource.TestCheckResourceAttr(resourceName, "rule.0.protocol.#", "2"),
+					resource.TestCheckResourceAttr(resourceName, "rule.0.protocol.0.port", "8000"),
+					resource.TestCheckResourceAttr(resourceName, "rule.0.protocol.0.type", "Http"),
+					resource.TestCheckResourceAttr(resourceName, "rule.0.protocol.1.port", "8001"),
+					resource.TestCheckResourceAttr(resourceName, "rule.0.protocol.1.port", "Https"),
+				),
+			},
+		},
+	})
+}
+
+func testCheckAzureRMFirewallApplicationRuleCollectionExists(resourceName string) resource.TestCheckFunc {
+	return func(s *terraform.State) error {
+		// Ensure we have enough information in state to look up in API
+		rs, ok := s.RootModule().Resources[resourceName]
+		if !ok {
+			return fmt.Errorf("Not found: %s", resourceName)
+		}
+
+		name := rs.Primary.Attributes["name"]
+		firewallName := rs.Primary.Attributes["azure_firewall_name"]
+		resourceGroup := rs.Primary.Attributes["resource_group_name"]
+
+		client := testAccProvider.Meta().(*ArmClient).azureFirewallsClient
+		ctx := testAccProvider.Meta().(*ArmClient).StopContext
+		read, err := client.Get(ctx, resourceGroup, firewallName)
+		if err != nil {
+			return err
+		}
+
+		found := false
+		for _, collection := range *read.AzureFirewallPropertiesFormat.ApplicationRuleCollections {
+			if *collection.Name == name {
+				found = true
+				break
+			}
+		}
+
+		if !found {
+			return fmt.Errorf("Expected Application Rule Collection %q (Firewall %q / Resource Group %q) to exist but it didn't", name, firewallName, resourceGroup)
+		}
+
+		return nil
+	}
+}
+
+func testCheckAzureRMFirewallApplicationRuleCollectionDoesNotExist(resourceName string, collectionName string) resource.TestCheckFunc {
+	return func(s *terraform.State) error {
+		// Ensure we have enough information in state to look up in API
+		rs, ok := s.RootModule().Resources[resourceName]
+		if !ok {
+			return fmt.Errorf("Not found: %s", resourceName)
+		}
+
+		firewallName := rs.Primary.Attributes["name"]
+		resourceGroup := rs.Primary.Attributes["resource_group_name"]
+
+		client := testAccProvider.Meta().(*ArmClient).azureFirewallsClient
+		ctx := testAccProvider.Meta().(*ArmClient).StopContext
+		read, err := client.Get(ctx, resourceGroup, firewallName)
+		if err != nil {
+			return err
+		}
+
+		for _, collection := range *read.AzureFirewallPropertiesFormat.ApplicationRuleCollections {
+			if *collection.Name == collectionName {
+				return fmt.Errorf("Application Rule Collection %q exists in Firewall %q: %+v", collectionName, firewallName, collection)
+			}
+		}
+
+		return nil
+	}
+}
+
+func testCheckAzureRMFirewallApplicationRuleCollectionDisappears(resourceName string) resource.TestCheckFunc {
+	return func(s *terraform.State) error {
+		// Ensure we have enough information in state to look up in API
+		rs, ok := s.RootModule().Resources[resourceName]
+		if !ok {
+			return fmt.Errorf("Not found: %s", resourceName)
+		}
+
+		name := rs.Primary.Attributes["name"]
+		firewallName := rs.Primary.Attributes["azure_firewall_name"]
+		resourceGroup := rs.Primary.Attributes["resource_group_name"]
+
+		client := testAccProvider.Meta().(*ArmClient).azureFirewallsClient
+		ctx := testAccProvider.Meta().(*ArmClient).StopContext
+		read, err := client.Get(ctx, resourceGroup, firewallName)
+		if err != nil {
+			return err
+		}
+
+		rules := make([]network.AzureFirewallApplicationRuleCollection, 0)
+		for _, collection := range *read.AzureFirewallPropertiesFormat.ApplicationRuleCollections {
+			if *collection.Name != name {
+				rules = append(rules, collection)
+			}
+		}
+
+		read.AzureFirewallPropertiesFormat.ApplicationRuleCollections = &rules
+		future, err := client.CreateOrUpdate(ctx, resourceGroup, firewallName, read)
+		if err != nil {
+			return fmt.Errorf("Error removing Application Rule Collection from Firewall: %+v", err)
+		}
+
+		err = future.WaitForCompletionRef(ctx, client.Client)
+		if err != nil {
+			return fmt.Errorf("Error waiting for the removal of Application Rule Collection from Firewall: %+v", err)
+		}
+
+		_, err = client.Get(ctx, resourceGroup, firewallName)
+		return err
+	}
+}
+
+func testAccAzureRMFirewallApplicationRuleCollection_basic(rInt int, location string) string {
+	template := testAccAzureRMFirewall_basic(rInt, location)
+	return fmt.Sprintf(`
+%s
+
+resource "azurerm_firewall_application_rule_collection" "test" {
+  name                = "acctestarc"
+  azure_firewall_name = "${azurerm_firewall.test.name}"
+  resource_group_name = "${azurerm_resource_group.test.name}"
+  priority            = 100
+  action              = "Allow"
+
+  rule {
+    name = "rule1"
+
+    source_addresses = [
+      "10.0.0.0/16",
+    ]
+
+    target_fqdns = [
+      "*.google.com",
+    ]
+
+    protocol {
+      port = 443
+      type = "Https"
+    }
+  }
+}
+`, template)
+}
+
+func testAccAzureRMFirewallApplicationRuleCollection_updatedName(rInt int, location string) string {
+	template := testAccAzureRMFirewall_basic(rInt, location)
+	return fmt.Sprintf(`
+%s
+
+resource "azurerm_firewall_application_rule_collection" "test" {
+  name                = "acctestarc"
+  azure_firewall_name = "${azurerm_firewall.test.name}"
+  resource_group_name = "${azurerm_resource_group.test.name}"
+  priority            = 100
+  action              = "Allow"
+
+  rule {
+    name = "rule2"
+
+    source_addresses = [
+      "10.0.0.0/16",
+    ]
+
+    target_fqdns = [
+      "*.google.com",
+    ]
+
+    protocol {
+      port = 443
+      type = "Https"
+    }
+  }
+}
+`, template)
+}
+
+func testAccAzureRMFirewallApplicationRuleCollection_multiple(rInt int, location string) string {
+	template := testAccAzureRMFirewall_basic(rInt, location)
+	return fmt.Sprintf(`
+%s
+
+resource "azurerm_firewall_application_rule_collection" "test" {
+  name                = "acctestarc"
+  azure_firewall_name = "${azurerm_firewall.test.name}"
+  resource_group_name = "${azurerm_resource_group.test.name}"
+  priority            = 100
+  action              = "Allow"
+
+  rule {
+    name = "rule1"
+
+    source_addresses = [
+      "10.0.0.0/16",
+    ]
+
+    target_fqdns = [
+      "*.google.com",
+    ]
+
+    protocol {
+      port = 443
+      type = "Https"
+    }
+  }
+}
+
+resource "azurerm_firewall_application_rule_collection" "test_add" {
+  name                = "acctestarc_add"
+  azure_firewall_name = "${azurerm_firewall.test.name}"
+  resource_group_name = "${azurerm_resource_group.test.name}"
+  priority            = 200
+  action              = "Deny"
+
+  rule {
+    name = "acctestruleadd"
+
+    source_addresses = [
+      "192.168.0.1",
+    ]
+
+    target_fqdns = [
+      "*.microsoft.com",
+    ]
+
+    protocol {
+      port = 80
+      type = "Http"
+    }
+  }
+}
+`, template)
+}
+
+func testAccAzureRMFirewallApplicationRuleCollection_multipleUpdate(rInt int, location string) string {
+	template := testAccAzureRMFirewall_basic(rInt, location)
+	return fmt.Sprintf(`
+%s
+
+resource "azurerm_firewall_application_rule_collection" "test" {
+  name                = "acctestarc"
+  azure_firewall_name = "${azurerm_firewall.test.name}"
+  resource_group_name = "${azurerm_resource_group.test.name}"
+  priority            = 300
+  action              = "Deny"
+
+  rule {
+    name = "rule1"
+
+    source_addresses = [
+      "10.0.0.0/16",
+    ]
+
+    target_fqdns = [
+      "*.google.com",
+    ]
+
+    protocol {
+      port = 443
+      type = "Https"
+    }
+  }
+}
+
+resource "azurerm_firewall_application_rule_collection" "test_add" {
+  name                = "acctestarc_add"
+  azure_firewall_name = "${azurerm_firewall.test.name}"
+  resource_group_name = "${azurerm_resource_group.test.name}"
+  priority            = 400
+  action              = "Allow"
+
+  rule {
+    name = "acctestruleadd"
+
+    source_addresses = [
+      "192.168.0.1",
+    ]
+
+    target_fqdns = [
+      "*.microsoft.com",
+    ]
+
+    protocol {
+      port = 80
+      type = "Http"
+    }
+  }
+}
+`, template)
+}
+
+func testAccAzureRMFirewallApplicationRuleCollection_multipleRules(rInt int, location string) string {
+	template := testAccAzureRMFirewall_basic(rInt, location)
+	return fmt.Sprintf(`
+%s
+
+resource "azurerm_firewall_application_rule_collection" "test" {
+  name                = "acctestarc"
+  azure_firewall_name = "${azurerm_firewall.test.name}"
+  resource_group_name = "${azurerm_resource_group.test.name}"
+  priority            = 100
+  action              = "Allow"
+
+  rule {
+    name = "rule1"
+
+    source_addresses = [
+      "10.0.0.0/16",
+    ]
+
+    target_fqdns = [
+      "*.google.com",
+    ]
+
+    protocol {
+      port = 443
+      type = "Https"
+    }
+  }
+
+  rule {
+    name = "acctestruleadd"
+
+    source_addresses = [
+      "192.168.0.1",
+    ]
+
+    target_fqdns = [
+      "*.microsoft.com",
+    ]
+
+    protocol {
+      port = 80
+      type = "Http"
+    }
+  }
+}
+`, template)
+}
+
+func testAccAzureRMFirewallApplicationRuleCollection_multipleProtocols(rInt int, location string) string {
+	template := testAccAzureRMFirewall_basic(rInt, location)
+	return fmt.Sprintf(`
+%s
+
+resource "azurerm_firewall_application_rule_collection" "test" {
+  name                = "acctestarc"
+  azure_firewall_name = "${azurerm_firewall.test.name}"
+  resource_group_name = "${azurerm_resource_group.test.name}"
+  priority            = 100
+  action              = "Allow"
+
+  rule {
+    name = "rule1"
+
+    source_addresses = [
+      "10.0.0.0/16",
+    ]
 
-func TestAccAzureRMFirewallApplicationRuleCollection_updatedName(t *testing.T) {}
+    target_fqdns = [
+      "*.google.com",
+    ]
 
-func TestAccAzureRMFirewallApplicationRuleCollection_multipleRuleCollections(t *testing.T) {}
+    protocol {
+      port = 8000
+      type = "Http"
+    }
 
-func TestAccAzureRMFirewallApplicationRuleCollection_update(t *testing.T) {}
+    protocol {
+      port = 8001
+      type = "Https"
+    }
+  }
+}
+`, template)
+}
 
-func TestAccAzureRMFirewallApplicationRuleCollection_disappears(t *testing.T) {}
+func testAccAzureRMFirewallApplicationRuleCollection_multipleProtocolsUpdate(rInt int, location string) string {
+	template := testAccAzureRMFirewall_basic(rInt, location)
+	return fmt.Sprintf(`
+%s
 
-func TestAccAzureRMFirewallApplicationRuleCollection_multipleRules(t *testing.T) {}
+resource "azurerm_firewall_application_rule_collection" "test" {
+  name                = "acctestarc"
+  azure_firewall_name = "${azurerm_firewall.test.name}"
+  resource_group_name = "${azurerm_resource_group.test.name}"
+  priority            = 100
+  action              = "Allow"
 
-func TestAccAzureRMFirewallApplicationRuleCollection_updateProtocols(t *testing.T) {}
+  rule {
+    name = "rule1"
 
-func testCheckAzureRMFirewallApplicationRuleCollectionExists(resourceName string) resource.TestCheckFunc {}
+    source_addresses = [
+      "10.0.0.0/16",
+    ]
 
-func testCheckAzureRMFirewallApplicationRuleCollectionDoesNotExist(resourceName string, collectionName string) resource.TestCheckFunc {)
+    target_fqdns = [
+      "*.google.com",
+    ]
 
-func testCheckAzureRMFirewallApplicationRuleCollectionDisappears(resourceName string) resource.TestCheckFunc {}
\ No newline at end of file
+    protocol {
+      port = 9000
+      type = "Https"
+    }
+    protocol {
+      port = 9001
+      type = "Http"
+    }
+  }
+}
+`, template)
+}

From 80800caf310e3e2d52f258fe0e7f1c3a48e1dbd4 Mon Sep 17 00:00:00 2001
From: Henry Buckle <h.buckle@outlook.com>
Date: Tue, 18 Dec 2018 07:22:46 +0000
Subject: [PATCH 07/16] remove comment

---
 azurerm/resource_arm_firewall_application_rule_collection.go | 1 -
 1 file changed, 1 deletion(-)

diff --git a/azurerm/resource_arm_firewall_application_rule_collection.go b/azurerm/resource_arm_firewall_application_rule_collection.go
index 3a5919b3e4c2..5ac8329b6a5c 100644
--- a/azurerm/resource_arm_firewall_application_rule_collection.go
+++ b/azurerm/resource_arm_firewall_application_rule_collection.go
@@ -113,7 +113,6 @@ func resourceArmFirewallApplicationRuleCollection() *schema.Resource {
 									},
 								},
 							},
-							// Set: resourceArmFirewallApplicationRuleCollectionRuleProtocolHash,
 							// ConflictsWith: []string{"fqdn_tags"},
 						},
 					},

From cb8ed887b583855c6257f519c2a0a70fb1ca0a46 Mon Sep 17 00:00:00 2001
From: Henry Buckle <h.buckle@outlook.com>
Date: Tue, 18 Dec 2018 07:38:40 +0000
Subject: [PATCH 08/16] line ending

---
 ...rewall_application_rule_collection_test.go | 1493 ++++++++---------
 1 file changed, 746 insertions(+), 747 deletions(-)

diff --git a/azurerm/resource_arm_firewall_application_rule_collection_test.go b/azurerm/resource_arm_firewall_application_rule_collection_test.go
index b4e67a734f05..e531e1b3947d 100644
--- a/azurerm/resource_arm_firewall_application_rule_collection_test.go
+++ b/azurerm/resource_arm_firewall_application_rule_collection_test.go
@@ -1,747 +1,746 @@
-package azurerm
-
-import (
-	"fmt"
-	"testing"
-
-	"github.com/Azure/azure-sdk-for-go/services/network/mgmt/2018-08-01/network"
-
-	"github.com/hashicorp/terraform/helper/acctest"
-	"github.com/hashicorp/terraform/helper/resource"
-	"github.com/hashicorp/terraform/terraform"
-)
-
-func TestAccAzureRMFirewallApplicationRuleCollection_basic(t *testing.T) {
-	resourceName := "azurerm_firewall_application_rule_collection.test"
-	ri := acctest.RandInt()
-	location := testLocation()
-
-	resource.ParallelTest(t, resource.TestCase{
-		PreCheck:     func() { testAccPreCheck(t) },
-		Providers:    testAccProviders,
-		CheckDestroy: testCheckAzureRMFirewallDestroy,
-		Steps: []resource.TestStep{
-			{
-				Config: testAccAzureRMFirewallApplicationRuleCollection_basic(ri, location),
-				Check: resource.ComposeTestCheckFunc(
-					testCheckAzureRMFirewallApplicationRuleCollectionExists(resourceName),
-					resource.TestCheckResourceAttr(resourceName, "name", "acctestarc"),
-					resource.TestCheckResourceAttr(resourceName, "priority", "100"),
-					resource.TestCheckResourceAttr(resourceName, "action", "Allow"),
-					resource.TestCheckResourceAttr(resourceName, "rule.#", "1"),
-					resource.TestCheckResourceAttr(resourceName, "rule.0.name", "rule1"),
-					resource.TestCheckResourceAttr(resourceName, "rule.0.source_addresses.#", "1"),
-					resource.TestCheckResourceAttr(resourceName, "rule.0.target_fqdns.#", "1"),
-					resource.TestCheckResourceAttr(resourceName, "rule.0.protocol.#", "1"),
-					resource.TestCheckResourceAttr(resourceName, "rule.0.protocol.0.port", "443"),
-					resource.TestCheckResourceAttr(resourceName, "rule.0.protocol.0.type", "Https"),
-				),
-			},
-			{
-				ResourceName:      resourceName,
-				ImportState:       true,
-				ImportStateVerify: true,
-			},
-		},
-	})
-}
-
-func TestAccAzureRMFirewallApplicationRuleCollection_updatedName(t *testing.T) {
-	resourceName := "azurerm_firewall_application_rule_collection.test"
-	ri := acctest.RandInt()
-	location := testLocation()
-
-	resource.ParallelTest(t, resource.TestCase{
-		PreCheck:     func() { testAccPreCheck(t) },
-		Providers:    testAccProviders,
-		CheckDestroy: testCheckAzureRMFirewallDestroy,
-		Steps: []resource.TestStep{
-			{
-				Config: testAccAzureRMFirewallApplicationRuleCollection_basic(ri, location),
-				Check: resource.ComposeTestCheckFunc(
-					testCheckAzureRMFirewallApplicationRuleCollectionExists(resourceName),
-					resource.TestCheckResourceAttr(resourceName, "name", "acctestarc"),
-					resource.TestCheckResourceAttr(resourceName, "priority", "100"),
-					resource.TestCheckResourceAttr(resourceName, "action", "Allow"),
-					resource.TestCheckResourceAttr(resourceName, "rule.#", "1"),
-					resource.TestCheckResourceAttr(resourceName, "rule.0.name", "rule1"),
-				),
-			},
-			{
-				Config: testAccAzureRMFirewallApplicationRuleCollection_updatedName(ri, location),
-				Check: resource.ComposeTestCheckFunc(
-					testCheckAzureRMFirewallApplicationRuleCollectionExists(resourceName),
-					resource.TestCheckResourceAttr(resourceName, "name", "acctestarc"),
-					resource.TestCheckResourceAttr(resourceName, "priority", "100"),
-					resource.TestCheckResourceAttr(resourceName, "action", "Allow"),
-					resource.TestCheckResourceAttr(resourceName, "rule.#", "1"),
-					resource.TestCheckResourceAttr(resourceName, "rule.0.name", "rule2"),
-				),
-			},
-		},
-	})
-}
-
-func TestAccAzureRMFirewallApplicationRuleCollection_multipleRuleCollections(t *testing.T) {
-	firstRule := "azurerm_firewall_application_rule_collection.test"
-	secondRule := "azurerm_firewall_application_rule_collection.test_add"
-	ri := acctest.RandInt()
-	location := testLocation()
-
-	resource.ParallelTest(t, resource.TestCase{
-		PreCheck:     func() { testAccPreCheck(t) },
-		Providers:    testAccProviders,
-		CheckDestroy: testCheckAzureRMFirewallDestroy,
-		Steps: []resource.TestStep{
-			{
-				Config: testAccAzureRMFirewallApplicationRuleCollection_basic(ri, location),
-				Check: resource.ComposeTestCheckFunc(
-					testCheckAzureRMFirewallApplicationRuleCollectionExists(firstRule),
-					resource.TestCheckResourceAttr(firstRule, "name", "acctestarc"),
-					resource.TestCheckResourceAttr(firstRule, "priority", "100"),
-					resource.TestCheckResourceAttr(firstRule, "action", "Allow"),
-					resource.TestCheckResourceAttr(firstRule, "rule.#", "1"),
-				),
-			},
-			{
-				Config: testAccAzureRMFirewallApplicationRuleCollection_multiple(ri, location),
-				Check: resource.ComposeTestCheckFunc(
-					testCheckAzureRMFirewallApplicationRuleCollectionExists(firstRule),
-					resource.TestCheckResourceAttr(firstRule, "name", "acctestarc"),
-					resource.TestCheckResourceAttr(firstRule, "priority", "100"),
-					resource.TestCheckResourceAttr(firstRule, "action", "Allow"),
-					resource.TestCheckResourceAttr(firstRule, "rule.#", "1"),
-					testCheckAzureRMFirewallApplicationRuleCollectionExists(secondRule),
-					resource.TestCheckResourceAttr(secondRule, "name", "acctestarc_add"),
-					resource.TestCheckResourceAttr(secondRule, "priority", "200"),
-					resource.TestCheckResourceAttr(secondRule, "action", "Deny"),
-					resource.TestCheckResourceAttr(secondRule, "rule.#", "1"),
-				),
-			},
-			{
-				Config: testAccAzureRMFirewallApplicationRuleCollection_basic(ri, location),
-				Check: resource.ComposeTestCheckFunc(
-					testCheckAzureRMFirewallApplicationRuleCollectionExists(firstRule),
-					resource.TestCheckResourceAttr(firstRule, "name", "acctestarc"),
-					resource.TestCheckResourceAttr(firstRule, "priority", "100"),
-					resource.TestCheckResourceAttr(firstRule, "action", "Allow"),
-					resource.TestCheckResourceAttr(firstRule, "rule.#", "1"),
-					testCheckAzureRMFirewallApplicationRuleCollectionDoesNotExist("azurerm_firewall.test", "acctestarc_add"),
-				),
-			},
-		},
-	})
-}
-
-func TestAccAzureRMFirewallApplicationRuleCollection_update(t *testing.T) {
-	firstResourceName := "azurerm_firewall_application_rule_collection.test"
-	secondResourceName := "azurerm_firewall_application_rule_collection.test_add"
-	ri := acctest.RandInt()
-	location := testLocation()
-
-	resource.ParallelTest(t, resource.TestCase{
-		PreCheck:     func() { testAccPreCheck(t) },
-		Providers:    testAccProviders,
-		CheckDestroy: testCheckAzureRMFirewallDestroy,
-		Steps: []resource.TestStep{
-			{
-				Config: testAccAzureRMFirewallApplicationRuleCollection_multiple(ri, location),
-				Check: resource.ComposeTestCheckFunc(
-					testCheckAzureRMFirewallApplicationRuleCollectionExists(firstResourceName),
-					resource.TestCheckResourceAttr(firstResourceName, "name", "acctestarc"),
-					resource.TestCheckResourceAttr(firstResourceName, "priority", "100"),
-					resource.TestCheckResourceAttr(firstResourceName, "action", "Allow"),
-					resource.TestCheckResourceAttr(firstResourceName, "rule.#", "1"),
-					testCheckAzureRMFirewallApplicationRuleCollectionExists(secondResourceName),
-					resource.TestCheckResourceAttr(secondResourceName, "name", "acctestarc_add"),
-					resource.TestCheckResourceAttr(secondResourceName, "priority", "200"),
-					resource.TestCheckResourceAttr(secondResourceName, "action", "Deny"),
-					resource.TestCheckResourceAttr(secondResourceName, "rule.#", "1"),
-				),
-			},
-			{
-				Config: testAccAzureRMFirewallApplicationRuleCollection_multipleUpdate(ri, location),
-				Check: resource.ComposeTestCheckFunc(
-					testCheckAzureRMFirewallApplicationRuleCollectionExists(firstResourceName),
-					resource.TestCheckResourceAttr(firstResourceName, "name", "acctestarc"),
-					resource.TestCheckResourceAttr(firstResourceName, "priority", "300"),
-					resource.TestCheckResourceAttr(firstResourceName, "action", "Deny"),
-					resource.TestCheckResourceAttr(firstResourceName, "rule.#", "1"),
-					testCheckAzureRMFirewallApplicationRuleCollectionExists(secondResourceName),
-					resource.TestCheckResourceAttr(secondResourceName, "name", "acctestarc_add"),
-					resource.TestCheckResourceAttr(secondResourceName, "priority", "400"),
-					resource.TestCheckResourceAttr(secondResourceName, "action", "Allow"),
-					resource.TestCheckResourceAttr(secondResourceName, "rule.#", "1"),
-				),
-			},
-		},
-	})
-}
-
-func TestAccAzureRMFirewallApplicationRuleCollection_disappears(t *testing.T) {
-	resourceName := "azurerm_firewall_application_rule_collection.test"
-	ri := acctest.RandInt()
-	location := testLocation()
-
-	resource.ParallelTest(t, resource.TestCase{
-		PreCheck:     func() { testAccPreCheck(t) },
-		Providers:    testAccProviders,
-		CheckDestroy: testCheckAzureRMFirewallDestroy,
-		Steps: []resource.TestStep{
-			{
-				Config: testAccAzureRMFirewallApplicationRuleCollection_basic(ri, location),
-				Check: resource.ComposeTestCheckFunc(
-					testCheckAzureRMFirewallApplicationRuleCollectionExists(resourceName),
-					resource.TestCheckResourceAttr(resourceName, "name", "acctestarc"),
-					resource.TestCheckResourceAttr(resourceName, "priority", "100"),
-					resource.TestCheckResourceAttr(resourceName, "action", "Allow"),
-					resource.TestCheckResourceAttr(resourceName, "rule.#", "1"),
-					testCheckAzureRMFirewallApplicationRuleCollectionDisappears(resourceName),
-				),
-				ExpectNonEmptyPlan: true,
-			},
-		},
-	})
-}
-
-func TestAccAzureRMFirewallApplicationRuleCollection_multipleRules(t *testing.T) {
-	resourceName := "azurerm_firewall_application_rule_collection.test"
-	ri := acctest.RandInt()
-	location := testLocation()
-
-	resource.ParallelTest(t, resource.TestCase{
-		PreCheck:     func() { testAccPreCheck(t) },
-		Providers:    testAccProviders,
-		CheckDestroy: testCheckAzureRMFirewallDestroy,
-		Steps: []resource.TestStep{
-			{
-				Config: testAccAzureRMFirewallApplicationRuleCollection_basic(ri, location),
-				Check: resource.ComposeTestCheckFunc(
-					testCheckAzureRMFirewallApplicationRuleCollectionExists(resourceName),
-					resource.TestCheckResourceAttr(resourceName, "name", "acctestarc"),
-					resource.TestCheckResourceAttr(resourceName, "priority", "100"),
-					resource.TestCheckResourceAttr(resourceName, "action", "Allow"),
-					resource.TestCheckResourceAttr(resourceName, "rule.#", "1"),
-				),
-			},
-			{
-				Config: testAccAzureRMFirewallApplicationRuleCollection_multipleRules(ri, location),
-				Check: resource.ComposeTestCheckFunc(
-					testCheckAzureRMFirewallApplicationRuleCollectionExists(resourceName),
-					resource.TestCheckResourceAttr(resourceName, "name", "acctestarc"),
-					resource.TestCheckResourceAttr(resourceName, "priority", "100"),
-					resource.TestCheckResourceAttr(resourceName, "action", "Allow"),
-					resource.TestCheckResourceAttr(resourceName, "rule.#", "2"),
-				),
-			},
-			{
-				Config: testAccAzureRMFirewallApplicationRuleCollection_basic(ri, location),
-				Check: resource.ComposeTestCheckFunc(
-					testCheckAzureRMFirewallApplicationRuleCollectionExists(resourceName),
-					resource.TestCheckResourceAttr(resourceName, "name", "acctestarc"),
-					resource.TestCheckResourceAttr(resourceName, "priority", "100"),
-					resource.TestCheckResourceAttr(resourceName, "action", "Allow"),
-					resource.TestCheckResourceAttr(resourceName, "rule.#", "1"),
-				),
-			},
-		},
-	})
-}
-
-func TestAccAzureRMFirewallApplicationRuleCollection_multipleProtocols(t *testing.T) {
-	resourceName := "azurerm_firewall_application_rule_collection.test"
-	ri := acctest.RandInt()
-	location := testLocation()
-
-	resource.ParallelTest(t, resource.TestCase{
-		PreCheck:     func() { testAccPreCheck(t) },
-		Providers:    testAccProviders,
-		CheckDestroy: testCheckAzureRMFirewallDestroy,
-		Steps: []resource.TestStep{
-			{
-				Config: testAccAzureRMFirewallApplicationRuleCollection_multipleProtocols(ri, location),
-				Check: resource.ComposeTestCheckFunc(
-					testCheckAzureRMFirewallApplicationRuleCollectionExists(resourceName),
-					resource.TestCheckResourceAttr(resourceName, "name", "acctestarc"),
-					resource.TestCheckResourceAttr(resourceName, "priority", "100"),
-					resource.TestCheckResourceAttr(resourceName, "action", "Allow"),
-					resource.TestCheckResourceAttr(resourceName, "rule.#", "1"),
-					resource.TestCheckResourceAttr(resourceName, "rule.0.protocol.#", "2"),
-					resource.TestCheckResourceAttr(resourceName, "rule.0.protocol.0.port", "8080"),
-					resource.TestCheckResourceAttr(resourceName, "rule.0.protocol.0.type", "Http"),
-					resource.TestCheckResourceAttr(resourceName, "rule.0.protocol.1.port", "8443"),
-					resource.TestCheckResourceAttr(resourceName, "rule.0.protocol.1.port", "Https"),
-				),
-			},
-			{
-				ResourceName:      resourceName,
-				ImportState:       true,
-				ImportStateVerify: true,
-			},
-		},
-	})
-}
-
-func TestAccAzureRMFirewallApplicationRuleCollection_updateProtocols(t *testing.T) {
-	resourceName := "azurerm_firewall_application_rule_collection.test"
-	ri := acctest.RandInt()
-	location := testLocation()
-
-	resource.ParallelTest(t, resource.TestCase{
-		PreCheck:     func() { testAccPreCheck(t) },
-		Providers:    testAccProviders,
-		CheckDestroy: testCheckAzureRMFirewallDestroy,
-		Steps: []resource.TestStep{
-			{
-				Config: testAccAzureRMFirewallApplicationRuleCollection_multipleProtocols(ri, location),
-				Check: resource.ComposeTestCheckFunc(
-					testCheckAzureRMFirewallApplicationRuleCollectionExists(resourceName),
-					resource.TestCheckResourceAttr(resourceName, "name", "acctestarc"),
-					resource.TestCheckResourceAttr(resourceName, "priority", "100"),
-					resource.TestCheckResourceAttr(resourceName, "action", "Allow"),
-					resource.TestCheckResourceAttr(resourceName, "rule.#", "1"),
-					resource.TestCheckResourceAttr(resourceName, "rule.0.protocol.#", "2"),
-					resource.TestCheckResourceAttr(resourceName, "rule.0.protocol.0.port", "8000"),
-					resource.TestCheckResourceAttr(resourceName, "rule.0.protocol.0.type", "Http"),
-					resource.TestCheckResourceAttr(resourceName, "rule.0.protocol.1.port", "8001"),
-					resource.TestCheckResourceAttr(resourceName, "rule.0.protocol.1.port", "Https"),
-				),
-			},
-			{
-				Config: testAccAzureRMFirewallApplicationRuleCollection_multipleProtocolsUpdate(ri, location),
-				Check: resource.ComposeTestCheckFunc(
-					testCheckAzureRMFirewallApplicationRuleCollectionExists(resourceName),
-					resource.TestCheckResourceAttr(resourceName, "name", "acctestarc"),
-					resource.TestCheckResourceAttr(resourceName, "priority", "100"),
-					resource.TestCheckResourceAttr(resourceName, "action", "Allow"),
-					resource.TestCheckResourceAttr(resourceName, "rule.#", "1"),
-					resource.TestCheckResourceAttr(resourceName, "rule.0.protocol.#", "2"),
-					resource.TestCheckResourceAttr(resourceName, "rule.0.protocol.0.port", "9000"),
-					resource.TestCheckResourceAttr(resourceName, "rule.0.protocol.0.type", "Https"),
-					resource.TestCheckResourceAttr(resourceName, "rule.0.protocol.1.port", "9001"),
-					resource.TestCheckResourceAttr(resourceName, "rule.0.protocol.1.port", "Http"),
-				),
-			},
-			{
-				Config: testAccAzureRMFirewallApplicationRuleCollection_multipleProtocols(ri, location),
-				Check: resource.ComposeTestCheckFunc(
-					testCheckAzureRMFirewallApplicationRuleCollectionExists(resourceName),
-					resource.TestCheckResourceAttr(resourceName, "name", "acctestarc"),
-					resource.TestCheckResourceAttr(resourceName, "priority", "100"),
-					resource.TestCheckResourceAttr(resourceName, "action", "Allow"),
-					resource.TestCheckResourceAttr(resourceName, "rule.#", "1"),
-					resource.TestCheckResourceAttr(resourceName, "rule.0.protocol.#", "2"),
-					resource.TestCheckResourceAttr(resourceName, "rule.0.protocol.0.port", "8000"),
-					resource.TestCheckResourceAttr(resourceName, "rule.0.protocol.0.type", "Http"),
-					resource.TestCheckResourceAttr(resourceName, "rule.0.protocol.1.port", "8001"),
-					resource.TestCheckResourceAttr(resourceName, "rule.0.protocol.1.port", "Https"),
-				),
-			},
-		},
-	})
-}
-
-func testCheckAzureRMFirewallApplicationRuleCollectionExists(resourceName string) resource.TestCheckFunc {
-	return func(s *terraform.State) error {
-		// Ensure we have enough information in state to look up in API
-		rs, ok := s.RootModule().Resources[resourceName]
-		if !ok {
-			return fmt.Errorf("Not found: %s", resourceName)
-		}
-
-		name := rs.Primary.Attributes["name"]
-		firewallName := rs.Primary.Attributes["azure_firewall_name"]
-		resourceGroup := rs.Primary.Attributes["resource_group_name"]
-
-		client := testAccProvider.Meta().(*ArmClient).azureFirewallsClient
-		ctx := testAccProvider.Meta().(*ArmClient).StopContext
-		read, err := client.Get(ctx, resourceGroup, firewallName)
-		if err != nil {
-			return err
-		}
-
-		found := false
-		for _, collection := range *read.AzureFirewallPropertiesFormat.ApplicationRuleCollections {
-			if *collection.Name == name {
-				found = true
-				break
-			}
-		}
-
-		if !found {
-			return fmt.Errorf("Expected Application Rule Collection %q (Firewall %q / Resource Group %q) to exist but it didn't", name, firewallName, resourceGroup)
-		}
-
-		return nil
-	}
-}
-
-func testCheckAzureRMFirewallApplicationRuleCollectionDoesNotExist(resourceName string, collectionName string) resource.TestCheckFunc {
-	return func(s *terraform.State) error {
-		// Ensure we have enough information in state to look up in API
-		rs, ok := s.RootModule().Resources[resourceName]
-		if !ok {
-			return fmt.Errorf("Not found: %s", resourceName)
-		}
-
-		firewallName := rs.Primary.Attributes["name"]
-		resourceGroup := rs.Primary.Attributes["resource_group_name"]
-
-		client := testAccProvider.Meta().(*ArmClient).azureFirewallsClient
-		ctx := testAccProvider.Meta().(*ArmClient).StopContext
-		read, err := client.Get(ctx, resourceGroup, firewallName)
-		if err != nil {
-			return err
-		}
-
-		for _, collection := range *read.AzureFirewallPropertiesFormat.ApplicationRuleCollections {
-			if *collection.Name == collectionName {
-				return fmt.Errorf("Application Rule Collection %q exists in Firewall %q: %+v", collectionName, firewallName, collection)
-			}
-		}
-
-		return nil
-	}
-}
-
-func testCheckAzureRMFirewallApplicationRuleCollectionDisappears(resourceName string) resource.TestCheckFunc {
-	return func(s *terraform.State) error {
-		// Ensure we have enough information in state to look up in API
-		rs, ok := s.RootModule().Resources[resourceName]
-		if !ok {
-			return fmt.Errorf("Not found: %s", resourceName)
-		}
-
-		name := rs.Primary.Attributes["name"]
-		firewallName := rs.Primary.Attributes["azure_firewall_name"]
-		resourceGroup := rs.Primary.Attributes["resource_group_name"]
-
-		client := testAccProvider.Meta().(*ArmClient).azureFirewallsClient
-		ctx := testAccProvider.Meta().(*ArmClient).StopContext
-		read, err := client.Get(ctx, resourceGroup, firewallName)
-		if err != nil {
-			return err
-		}
-
-		rules := make([]network.AzureFirewallApplicationRuleCollection, 0)
-		for _, collection := range *read.AzureFirewallPropertiesFormat.ApplicationRuleCollections {
-			if *collection.Name != name {
-				rules = append(rules, collection)
-			}
-		}
-
-		read.AzureFirewallPropertiesFormat.ApplicationRuleCollections = &rules
-		future, err := client.CreateOrUpdate(ctx, resourceGroup, firewallName, read)
-		if err != nil {
-			return fmt.Errorf("Error removing Application Rule Collection from Firewall: %+v", err)
-		}
-
-		err = future.WaitForCompletionRef(ctx, client.Client)
-		if err != nil {
-			return fmt.Errorf("Error waiting for the removal of Application Rule Collection from Firewall: %+v", err)
-		}
-
-		_, err = client.Get(ctx, resourceGroup, firewallName)
-		return err
-	}
-}
-
-func testAccAzureRMFirewallApplicationRuleCollection_basic(rInt int, location string) string {
-	template := testAccAzureRMFirewall_basic(rInt, location)
-	return fmt.Sprintf(`
-%s
-
-resource "azurerm_firewall_application_rule_collection" "test" {
-  name                = "acctestarc"
-  azure_firewall_name = "${azurerm_firewall.test.name}"
-  resource_group_name = "${azurerm_resource_group.test.name}"
-  priority            = 100
-  action              = "Allow"
-
-  rule {
-    name = "rule1"
-
-    source_addresses = [
-      "10.0.0.0/16",
-    ]
-
-    target_fqdns = [
-      "*.google.com",
-    ]
-
-    protocol {
-      port = 443
-      type = "Https"
-    }
-  }
-}
-`, template)
-}
-
-func testAccAzureRMFirewallApplicationRuleCollection_updatedName(rInt int, location string) string {
-	template := testAccAzureRMFirewall_basic(rInt, location)
-	return fmt.Sprintf(`
-%s
-
-resource "azurerm_firewall_application_rule_collection" "test" {
-  name                = "acctestarc"
-  azure_firewall_name = "${azurerm_firewall.test.name}"
-  resource_group_name = "${azurerm_resource_group.test.name}"
-  priority            = 100
-  action              = "Allow"
-
-  rule {
-    name = "rule2"
-
-    source_addresses = [
-      "10.0.0.0/16",
-    ]
-
-    target_fqdns = [
-      "*.google.com",
-    ]
-
-    protocol {
-      port = 443
-      type = "Https"
-    }
-  }
-}
-`, template)
-}
-
-func testAccAzureRMFirewallApplicationRuleCollection_multiple(rInt int, location string) string {
-	template := testAccAzureRMFirewall_basic(rInt, location)
-	return fmt.Sprintf(`
-%s
-
-resource "azurerm_firewall_application_rule_collection" "test" {
-  name                = "acctestarc"
-  azure_firewall_name = "${azurerm_firewall.test.name}"
-  resource_group_name = "${azurerm_resource_group.test.name}"
-  priority            = 100
-  action              = "Allow"
-
-  rule {
-    name = "rule1"
-
-    source_addresses = [
-      "10.0.0.0/16",
-    ]
-
-    target_fqdns = [
-      "*.google.com",
-    ]
-
-    protocol {
-      port = 443
-      type = "Https"
-    }
-  }
-}
-
-resource "azurerm_firewall_application_rule_collection" "test_add" {
-  name                = "acctestarc_add"
-  azure_firewall_name = "${azurerm_firewall.test.name}"
-  resource_group_name = "${azurerm_resource_group.test.name}"
-  priority            = 200
-  action              = "Deny"
-
-  rule {
-    name = "acctestruleadd"
-
-    source_addresses = [
-      "192.168.0.1",
-    ]
-
-    target_fqdns = [
-      "*.microsoft.com",
-    ]
-
-    protocol {
-      port = 80
-      type = "Http"
-    }
-  }
-}
-`, template)
-}
-
-func testAccAzureRMFirewallApplicationRuleCollection_multipleUpdate(rInt int, location string) string {
-	template := testAccAzureRMFirewall_basic(rInt, location)
-	return fmt.Sprintf(`
-%s
-
-resource "azurerm_firewall_application_rule_collection" "test" {
-  name                = "acctestarc"
-  azure_firewall_name = "${azurerm_firewall.test.name}"
-  resource_group_name = "${azurerm_resource_group.test.name}"
-  priority            = 300
-  action              = "Deny"
-
-  rule {
-    name = "rule1"
-
-    source_addresses = [
-      "10.0.0.0/16",
-    ]
-
-    target_fqdns = [
-      "*.google.com",
-    ]
-
-    protocol {
-      port = 443
-      type = "Https"
-    }
-  }
-}
-
-resource "azurerm_firewall_application_rule_collection" "test_add" {
-  name                = "acctestarc_add"
-  azure_firewall_name = "${azurerm_firewall.test.name}"
-  resource_group_name = "${azurerm_resource_group.test.name}"
-  priority            = 400
-  action              = "Allow"
-
-  rule {
-    name = "acctestruleadd"
-
-    source_addresses = [
-      "192.168.0.1",
-    ]
-
-    target_fqdns = [
-      "*.microsoft.com",
-    ]
-
-    protocol {
-      port = 80
-      type = "Http"
-    }
-  }
-}
-`, template)
-}
-
-func testAccAzureRMFirewallApplicationRuleCollection_multipleRules(rInt int, location string) string {
-	template := testAccAzureRMFirewall_basic(rInt, location)
-	return fmt.Sprintf(`
-%s
-
-resource "azurerm_firewall_application_rule_collection" "test" {
-  name                = "acctestarc"
-  azure_firewall_name = "${azurerm_firewall.test.name}"
-  resource_group_name = "${azurerm_resource_group.test.name}"
-  priority            = 100
-  action              = "Allow"
-
-  rule {
-    name = "rule1"
-
-    source_addresses = [
-      "10.0.0.0/16",
-    ]
-
-    target_fqdns = [
-      "*.google.com",
-    ]
-
-    protocol {
-      port = 443
-      type = "Https"
-    }
-  }
-
-  rule {
-    name = "acctestruleadd"
-
-    source_addresses = [
-      "192.168.0.1",
-    ]
-
-    target_fqdns = [
-      "*.microsoft.com",
-    ]
-
-    protocol {
-      port = 80
-      type = "Http"
-    }
-  }
-}
-`, template)
-}
-
-func testAccAzureRMFirewallApplicationRuleCollection_multipleProtocols(rInt int, location string) string {
-	template := testAccAzureRMFirewall_basic(rInt, location)
-	return fmt.Sprintf(`
-%s
-
-resource "azurerm_firewall_application_rule_collection" "test" {
-  name                = "acctestarc"
-  azure_firewall_name = "${azurerm_firewall.test.name}"
-  resource_group_name = "${azurerm_resource_group.test.name}"
-  priority            = 100
-  action              = "Allow"
-
-  rule {
-    name = "rule1"
-
-    source_addresses = [
-      "10.0.0.0/16",
-    ]
-
-    target_fqdns = [
-      "*.google.com",
-    ]
-
-    protocol {
-      port = 8000
-      type = "Http"
-    }
-
-    protocol {
-      port = 8001
-      type = "Https"
-    }
-  }
-}
-`, template)
-}
-
-func testAccAzureRMFirewallApplicationRuleCollection_multipleProtocolsUpdate(rInt int, location string) string {
-	template := testAccAzureRMFirewall_basic(rInt, location)
-	return fmt.Sprintf(`
-%s
-
-resource "azurerm_firewall_application_rule_collection" "test" {
-  name                = "acctestarc"
-  azure_firewall_name = "${azurerm_firewall.test.name}"
-  resource_group_name = "${azurerm_resource_group.test.name}"
-  priority            = 100
-  action              = "Allow"
-
-  rule {
-    name = "rule1"
-
-    source_addresses = [
-      "10.0.0.0/16",
-    ]
-
-    target_fqdns = [
-      "*.google.com",
-    ]
-
-    protocol {
-      port = 9000
-      type = "Https"
-    }
-    protocol {
-      port = 9001
-      type = "Http"
-    }
-  }
-}
-`, template)
-}
+package azurerm
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/Azure/azure-sdk-for-go/services/network/mgmt/2018-08-01/network"
+	"github.com/hashicorp/terraform/helper/acctest"
+	"github.com/hashicorp/terraform/helper/resource"
+	"github.com/hashicorp/terraform/terraform"
+)
+
+func TestAccAzureRMFirewallApplicationRuleCollection_basic(t *testing.T) {
+	resourceName := "azurerm_firewall_application_rule_collection.test"
+	ri := acctest.RandInt()
+	location := testLocation()
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testCheckAzureRMFirewallDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccAzureRMFirewallApplicationRuleCollection_basic(ri, location),
+				Check: resource.ComposeTestCheckFunc(
+					testCheckAzureRMFirewallApplicationRuleCollectionExists(resourceName),
+					resource.TestCheckResourceAttr(resourceName, "name", "acctestarc"),
+					resource.TestCheckResourceAttr(resourceName, "priority", "100"),
+					resource.TestCheckResourceAttr(resourceName, "action", "Allow"),
+					resource.TestCheckResourceAttr(resourceName, "rule.#", "1"),
+					resource.TestCheckResourceAttr(resourceName, "rule.0.name", "rule1"),
+					resource.TestCheckResourceAttr(resourceName, "rule.0.source_addresses.#", "1"),
+					resource.TestCheckResourceAttr(resourceName, "rule.0.target_fqdns.#", "1"),
+					resource.TestCheckResourceAttr(resourceName, "rule.0.protocol.#", "1"),
+					resource.TestCheckResourceAttr(resourceName, "rule.0.protocol.0.port", "443"),
+					resource.TestCheckResourceAttr(resourceName, "rule.0.protocol.0.type", "Https"),
+				),
+			},
+			{
+				ResourceName:      resourceName,
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+		},
+	})
+}
+
+func TestAccAzureRMFirewallApplicationRuleCollection_updatedName(t *testing.T) {
+	resourceName := "azurerm_firewall_application_rule_collection.test"
+	ri := acctest.RandInt()
+	location := testLocation()
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testCheckAzureRMFirewallDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccAzureRMFirewallApplicationRuleCollection_basic(ri, location),
+				Check: resource.ComposeTestCheckFunc(
+					testCheckAzureRMFirewallApplicationRuleCollectionExists(resourceName),
+					resource.TestCheckResourceAttr(resourceName, "name", "acctestarc"),
+					resource.TestCheckResourceAttr(resourceName, "priority", "100"),
+					resource.TestCheckResourceAttr(resourceName, "action", "Allow"),
+					resource.TestCheckResourceAttr(resourceName, "rule.#", "1"),
+					resource.TestCheckResourceAttr(resourceName, "rule.0.name", "rule1"),
+				),
+			},
+			{
+				Config: testAccAzureRMFirewallApplicationRuleCollection_updatedName(ri, location),
+				Check: resource.ComposeTestCheckFunc(
+					testCheckAzureRMFirewallApplicationRuleCollectionExists(resourceName),
+					resource.TestCheckResourceAttr(resourceName, "name", "acctestarc"),
+					resource.TestCheckResourceAttr(resourceName, "priority", "100"),
+					resource.TestCheckResourceAttr(resourceName, "action", "Allow"),
+					resource.TestCheckResourceAttr(resourceName, "rule.#", "1"),
+					resource.TestCheckResourceAttr(resourceName, "rule.0.name", "rule2"),
+				),
+			},
+		},
+	})
+}
+
+func TestAccAzureRMFirewallApplicationRuleCollection_multipleRuleCollections(t *testing.T) {
+	firstRule := "azurerm_firewall_application_rule_collection.test"
+	secondRule := "azurerm_firewall_application_rule_collection.test_add"
+	ri := acctest.RandInt()
+	location := testLocation()
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testCheckAzureRMFirewallDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccAzureRMFirewallApplicationRuleCollection_basic(ri, location),
+				Check: resource.ComposeTestCheckFunc(
+					testCheckAzureRMFirewallApplicationRuleCollectionExists(firstRule),
+					resource.TestCheckResourceAttr(firstRule, "name", "acctestarc"),
+					resource.TestCheckResourceAttr(firstRule, "priority", "100"),
+					resource.TestCheckResourceAttr(firstRule, "action", "Allow"),
+					resource.TestCheckResourceAttr(firstRule, "rule.#", "1"),
+				),
+			},
+			{
+				Config: testAccAzureRMFirewallApplicationRuleCollection_multiple(ri, location),
+				Check: resource.ComposeTestCheckFunc(
+					testCheckAzureRMFirewallApplicationRuleCollectionExists(firstRule),
+					resource.TestCheckResourceAttr(firstRule, "name", "acctestarc"),
+					resource.TestCheckResourceAttr(firstRule, "priority", "100"),
+					resource.TestCheckResourceAttr(firstRule, "action", "Allow"),
+					resource.TestCheckResourceAttr(firstRule, "rule.#", "1"),
+					testCheckAzureRMFirewallApplicationRuleCollectionExists(secondRule),
+					resource.TestCheckResourceAttr(secondRule, "name", "acctestarc_add"),
+					resource.TestCheckResourceAttr(secondRule, "priority", "200"),
+					resource.TestCheckResourceAttr(secondRule, "action", "Deny"),
+					resource.TestCheckResourceAttr(secondRule, "rule.#", "1"),
+				),
+			},
+			{
+				Config: testAccAzureRMFirewallApplicationRuleCollection_basic(ri, location),
+				Check: resource.ComposeTestCheckFunc(
+					testCheckAzureRMFirewallApplicationRuleCollectionExists(firstRule),
+					resource.TestCheckResourceAttr(firstRule, "name", "acctestarc"),
+					resource.TestCheckResourceAttr(firstRule, "priority", "100"),
+					resource.TestCheckResourceAttr(firstRule, "action", "Allow"),
+					resource.TestCheckResourceAttr(firstRule, "rule.#", "1"),
+					testCheckAzureRMFirewallApplicationRuleCollectionDoesNotExist("azurerm_firewall.test", "acctestarc_add"),
+				),
+			},
+		},
+	})
+}
+
+func TestAccAzureRMFirewallApplicationRuleCollection_update(t *testing.T) {
+	firstResourceName := "azurerm_firewall_application_rule_collection.test"
+	secondResourceName := "azurerm_firewall_application_rule_collection.test_add"
+	ri := acctest.RandInt()
+	location := testLocation()
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testCheckAzureRMFirewallDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccAzureRMFirewallApplicationRuleCollection_multiple(ri, location),
+				Check: resource.ComposeTestCheckFunc(
+					testCheckAzureRMFirewallApplicationRuleCollectionExists(firstResourceName),
+					resource.TestCheckResourceAttr(firstResourceName, "name", "acctestarc"),
+					resource.TestCheckResourceAttr(firstResourceName, "priority", "100"),
+					resource.TestCheckResourceAttr(firstResourceName, "action", "Allow"),
+					resource.TestCheckResourceAttr(firstResourceName, "rule.#", "1"),
+					testCheckAzureRMFirewallApplicationRuleCollectionExists(secondResourceName),
+					resource.TestCheckResourceAttr(secondResourceName, "name", "acctestarc_add"),
+					resource.TestCheckResourceAttr(secondResourceName, "priority", "200"),
+					resource.TestCheckResourceAttr(secondResourceName, "action", "Deny"),
+					resource.TestCheckResourceAttr(secondResourceName, "rule.#", "1"),
+				),
+			},
+			{
+				Config: testAccAzureRMFirewallApplicationRuleCollection_multipleUpdate(ri, location),
+				Check: resource.ComposeTestCheckFunc(
+					testCheckAzureRMFirewallApplicationRuleCollectionExists(firstResourceName),
+					resource.TestCheckResourceAttr(firstResourceName, "name", "acctestarc"),
+					resource.TestCheckResourceAttr(firstResourceName, "priority", "300"),
+					resource.TestCheckResourceAttr(firstResourceName, "action", "Deny"),
+					resource.TestCheckResourceAttr(firstResourceName, "rule.#", "1"),
+					testCheckAzureRMFirewallApplicationRuleCollectionExists(secondResourceName),
+					resource.TestCheckResourceAttr(secondResourceName, "name", "acctestarc_add"),
+					resource.TestCheckResourceAttr(secondResourceName, "priority", "400"),
+					resource.TestCheckResourceAttr(secondResourceName, "action", "Allow"),
+					resource.TestCheckResourceAttr(secondResourceName, "rule.#", "1"),
+				),
+			},
+		},
+	})
+}
+
+func TestAccAzureRMFirewallApplicationRuleCollection_disappears(t *testing.T) {
+	resourceName := "azurerm_firewall_application_rule_collection.test"
+	ri := acctest.RandInt()
+	location := testLocation()
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testCheckAzureRMFirewallDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccAzureRMFirewallApplicationRuleCollection_basic(ri, location),
+				Check: resource.ComposeTestCheckFunc(
+					testCheckAzureRMFirewallApplicationRuleCollectionExists(resourceName),
+					resource.TestCheckResourceAttr(resourceName, "name", "acctestarc"),
+					resource.TestCheckResourceAttr(resourceName, "priority", "100"),
+					resource.TestCheckResourceAttr(resourceName, "action", "Allow"),
+					resource.TestCheckResourceAttr(resourceName, "rule.#", "1"),
+					testCheckAzureRMFirewallApplicationRuleCollectionDisappears(resourceName),
+				),
+				ExpectNonEmptyPlan: true,
+			},
+		},
+	})
+}
+
+func TestAccAzureRMFirewallApplicationRuleCollection_multipleRules(t *testing.T) {
+	resourceName := "azurerm_firewall_application_rule_collection.test"
+	ri := acctest.RandInt()
+	location := testLocation()
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testCheckAzureRMFirewallDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccAzureRMFirewallApplicationRuleCollection_basic(ri, location),
+				Check: resource.ComposeTestCheckFunc(
+					testCheckAzureRMFirewallApplicationRuleCollectionExists(resourceName),
+					resource.TestCheckResourceAttr(resourceName, "name", "acctestarc"),
+					resource.TestCheckResourceAttr(resourceName, "priority", "100"),
+					resource.TestCheckResourceAttr(resourceName, "action", "Allow"),
+					resource.TestCheckResourceAttr(resourceName, "rule.#", "1"),
+				),
+			},
+			{
+				Config: testAccAzureRMFirewallApplicationRuleCollection_multipleRules(ri, location),
+				Check: resource.ComposeTestCheckFunc(
+					testCheckAzureRMFirewallApplicationRuleCollectionExists(resourceName),
+					resource.TestCheckResourceAttr(resourceName, "name", "acctestarc"),
+					resource.TestCheckResourceAttr(resourceName, "priority", "100"),
+					resource.TestCheckResourceAttr(resourceName, "action", "Allow"),
+					resource.TestCheckResourceAttr(resourceName, "rule.#", "2"),
+				),
+			},
+			{
+				Config: testAccAzureRMFirewallApplicationRuleCollection_basic(ri, location),
+				Check: resource.ComposeTestCheckFunc(
+					testCheckAzureRMFirewallApplicationRuleCollectionExists(resourceName),
+					resource.TestCheckResourceAttr(resourceName, "name", "acctestarc"),
+					resource.TestCheckResourceAttr(resourceName, "priority", "100"),
+					resource.TestCheckResourceAttr(resourceName, "action", "Allow"),
+					resource.TestCheckResourceAttr(resourceName, "rule.#", "1"),
+				),
+			},
+		},
+	})
+}
+
+func TestAccAzureRMFirewallApplicationRuleCollection_multipleProtocols(t *testing.T) {
+	resourceName := "azurerm_firewall_application_rule_collection.test"
+	ri := acctest.RandInt()
+	location := testLocation()
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testCheckAzureRMFirewallDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccAzureRMFirewallApplicationRuleCollection_multipleProtocols(ri, location),
+				Check: resource.ComposeTestCheckFunc(
+					testCheckAzureRMFirewallApplicationRuleCollectionExists(resourceName),
+					resource.TestCheckResourceAttr(resourceName, "name", "acctestarc"),
+					resource.TestCheckResourceAttr(resourceName, "priority", "100"),
+					resource.TestCheckResourceAttr(resourceName, "action", "Allow"),
+					resource.TestCheckResourceAttr(resourceName, "rule.#", "1"),
+					resource.TestCheckResourceAttr(resourceName, "rule.0.protocol.#", "2"),
+					resource.TestCheckResourceAttr(resourceName, "rule.0.protocol.0.port", "8080"),
+					resource.TestCheckResourceAttr(resourceName, "rule.0.protocol.0.type", "Http"),
+					resource.TestCheckResourceAttr(resourceName, "rule.0.protocol.1.port", "8443"),
+					resource.TestCheckResourceAttr(resourceName, "rule.0.protocol.1.port", "Https"),
+				),
+			},
+			{
+				ResourceName:      resourceName,
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+		},
+	})
+}
+
+func TestAccAzureRMFirewallApplicationRuleCollection_updateProtocols(t *testing.T) {
+	resourceName := "azurerm_firewall_application_rule_collection.test"
+	ri := acctest.RandInt()
+	location := testLocation()
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testCheckAzureRMFirewallDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccAzureRMFirewallApplicationRuleCollection_multipleProtocols(ri, location),
+				Check: resource.ComposeTestCheckFunc(
+					testCheckAzureRMFirewallApplicationRuleCollectionExists(resourceName),
+					resource.TestCheckResourceAttr(resourceName, "name", "acctestarc"),
+					resource.TestCheckResourceAttr(resourceName, "priority", "100"),
+					resource.TestCheckResourceAttr(resourceName, "action", "Allow"),
+					resource.TestCheckResourceAttr(resourceName, "rule.#", "1"),
+					resource.TestCheckResourceAttr(resourceName, "rule.0.protocol.#", "2"),
+					resource.TestCheckResourceAttr(resourceName, "rule.0.protocol.0.port", "8000"),
+					resource.TestCheckResourceAttr(resourceName, "rule.0.protocol.0.type", "Http"),
+					resource.TestCheckResourceAttr(resourceName, "rule.0.protocol.1.port", "8001"),
+					resource.TestCheckResourceAttr(resourceName, "rule.0.protocol.1.port", "Https"),
+				),
+			},
+			{
+				Config: testAccAzureRMFirewallApplicationRuleCollection_multipleProtocolsUpdate(ri, location),
+				Check: resource.ComposeTestCheckFunc(
+					testCheckAzureRMFirewallApplicationRuleCollectionExists(resourceName),
+					resource.TestCheckResourceAttr(resourceName, "name", "acctestarc"),
+					resource.TestCheckResourceAttr(resourceName, "priority", "100"),
+					resource.TestCheckResourceAttr(resourceName, "action", "Allow"),
+					resource.TestCheckResourceAttr(resourceName, "rule.#", "1"),
+					resource.TestCheckResourceAttr(resourceName, "rule.0.protocol.#", "2"),
+					resource.TestCheckResourceAttr(resourceName, "rule.0.protocol.0.port", "9000"),
+					resource.TestCheckResourceAttr(resourceName, "rule.0.protocol.0.type", "Https"),
+					resource.TestCheckResourceAttr(resourceName, "rule.0.protocol.1.port", "9001"),
+					resource.TestCheckResourceAttr(resourceName, "rule.0.protocol.1.port", "Http"),
+				),
+			},
+			{
+				Config: testAccAzureRMFirewallApplicationRuleCollection_multipleProtocols(ri, location),
+				Check: resource.ComposeTestCheckFunc(
+					testCheckAzureRMFirewallApplicationRuleCollectionExists(resourceName),
+					resource.TestCheckResourceAttr(resourceName, "name", "acctestarc"),
+					resource.TestCheckResourceAttr(resourceName, "priority", "100"),
+					resource.TestCheckResourceAttr(resourceName, "action", "Allow"),
+					resource.TestCheckResourceAttr(resourceName, "rule.#", "1"),
+					resource.TestCheckResourceAttr(resourceName, "rule.0.protocol.#", "2"),
+					resource.TestCheckResourceAttr(resourceName, "rule.0.protocol.0.port", "8000"),
+					resource.TestCheckResourceAttr(resourceName, "rule.0.protocol.0.type", "Http"),
+					resource.TestCheckResourceAttr(resourceName, "rule.0.protocol.1.port", "8001"),
+					resource.TestCheckResourceAttr(resourceName, "rule.0.protocol.1.port", "Https"),
+				),
+			},
+		},
+	})
+}
+
+func testCheckAzureRMFirewallApplicationRuleCollectionExists(resourceName string) resource.TestCheckFunc {
+	return func(s *terraform.State) error {
+		// Ensure we have enough information in state to look up in API
+		rs, ok := s.RootModule().Resources[resourceName]
+		if !ok {
+			return fmt.Errorf("Not found: %s", resourceName)
+		}
+
+		name := rs.Primary.Attributes["name"]
+		firewallName := rs.Primary.Attributes["azure_firewall_name"]
+		resourceGroup := rs.Primary.Attributes["resource_group_name"]
+
+		client := testAccProvider.Meta().(*ArmClient).azureFirewallsClient
+		ctx := testAccProvider.Meta().(*ArmClient).StopContext
+		read, err := client.Get(ctx, resourceGroup, firewallName)
+		if err != nil {
+			return err
+		}
+
+		found := false
+		for _, collection := range *read.AzureFirewallPropertiesFormat.ApplicationRuleCollections {
+			if *collection.Name == name {
+				found = true
+				break
+			}
+		}
+
+		if !found {
+			return fmt.Errorf("Expected Application Rule Collection %q (Firewall %q / Resource Group %q) to exist but it didn't", name, firewallName, resourceGroup)
+		}
+
+		return nil
+	}
+}
+
+func testCheckAzureRMFirewallApplicationRuleCollectionDoesNotExist(resourceName string, collectionName string) resource.TestCheckFunc {
+	return func(s *terraform.State) error {
+		// Ensure we have enough information in state to look up in API
+		rs, ok := s.RootModule().Resources[resourceName]
+		if !ok {
+			return fmt.Errorf("Not found: %s", resourceName)
+		}
+
+		firewallName := rs.Primary.Attributes["name"]
+		resourceGroup := rs.Primary.Attributes["resource_group_name"]
+
+		client := testAccProvider.Meta().(*ArmClient).azureFirewallsClient
+		ctx := testAccProvider.Meta().(*ArmClient).StopContext
+		read, err := client.Get(ctx, resourceGroup, firewallName)
+		if err != nil {
+			return err
+		}
+
+		for _, collection := range *read.AzureFirewallPropertiesFormat.ApplicationRuleCollections {
+			if *collection.Name == collectionName {
+				return fmt.Errorf("Application Rule Collection %q exists in Firewall %q: %+v", collectionName, firewallName, collection)
+			}
+		}
+
+		return nil
+	}
+}
+
+func testCheckAzureRMFirewallApplicationRuleCollectionDisappears(resourceName string) resource.TestCheckFunc {
+	return func(s *terraform.State) error {
+		// Ensure we have enough information in state to look up in API
+		rs, ok := s.RootModule().Resources[resourceName]
+		if !ok {
+			return fmt.Errorf("Not found: %s", resourceName)
+		}
+
+		name := rs.Primary.Attributes["name"]
+		firewallName := rs.Primary.Attributes["azure_firewall_name"]
+		resourceGroup := rs.Primary.Attributes["resource_group_name"]
+
+		client := testAccProvider.Meta().(*ArmClient).azureFirewallsClient
+		ctx := testAccProvider.Meta().(*ArmClient).StopContext
+		read, err := client.Get(ctx, resourceGroup, firewallName)
+		if err != nil {
+			return err
+		}
+
+		rules := make([]network.AzureFirewallApplicationRuleCollection, 0)
+		for _, collection := range *read.AzureFirewallPropertiesFormat.ApplicationRuleCollections {
+			if *collection.Name != name {
+				rules = append(rules, collection)
+			}
+		}
+
+		read.AzureFirewallPropertiesFormat.ApplicationRuleCollections = &rules
+		future, err := client.CreateOrUpdate(ctx, resourceGroup, firewallName, read)
+		if err != nil {
+			return fmt.Errorf("Error removing Application Rule Collection from Firewall: %+v", err)
+		}
+
+		err = future.WaitForCompletionRef(ctx, client.Client)
+		if err != nil {
+			return fmt.Errorf("Error waiting for the removal of Application Rule Collection from Firewall: %+v", err)
+		}
+
+		_, err = client.Get(ctx, resourceGroup, firewallName)
+		return err
+	}
+}
+
+func testAccAzureRMFirewallApplicationRuleCollection_basic(rInt int, location string) string {
+	template := testAccAzureRMFirewall_basic(rInt, location)
+	return fmt.Sprintf(`
+%s
+
+resource "azurerm_firewall_application_rule_collection" "test" {
+  name                = "acctestarc"
+  azure_firewall_name = "${azurerm_firewall.test.name}"
+  resource_group_name = "${azurerm_resource_group.test.name}"
+  priority            = 100
+  action              = "Allow"
+
+  rule {
+    name = "rule1"
+
+    source_addresses = [
+      "10.0.0.0/16",
+    ]
+
+    target_fqdns = [
+      "*.google.com",
+    ]
+
+    protocol {
+      port = 443
+      type = "Https"
+    }
+  }
+}
+`, template)
+}
+
+func testAccAzureRMFirewallApplicationRuleCollection_updatedName(rInt int, location string) string {
+	template := testAccAzureRMFirewall_basic(rInt, location)
+	return fmt.Sprintf(`
+%s
+
+resource "azurerm_firewall_application_rule_collection" "test" {
+  name                = "acctestarc"
+  azure_firewall_name = "${azurerm_firewall.test.name}"
+  resource_group_name = "${azurerm_resource_group.test.name}"
+  priority            = 100
+  action              = "Allow"
+
+  rule {
+    name = "rule2"
+
+    source_addresses = [
+      "10.0.0.0/16",
+    ]
+
+    target_fqdns = [
+      "*.google.com",
+    ]
+
+    protocol {
+      port = 443
+      type = "Https"
+    }
+  }
+}
+`, template)
+}
+
+func testAccAzureRMFirewallApplicationRuleCollection_multiple(rInt int, location string) string {
+	template := testAccAzureRMFirewall_basic(rInt, location)
+	return fmt.Sprintf(`
+%s
+
+resource "azurerm_firewall_application_rule_collection" "test" {
+  name                = "acctestarc"
+  azure_firewall_name = "${azurerm_firewall.test.name}"
+  resource_group_name = "${azurerm_resource_group.test.name}"
+  priority            = 100
+  action              = "Allow"
+
+  rule {
+    name = "rule1"
+
+    source_addresses = [
+      "10.0.0.0/16",
+    ]
+
+    target_fqdns = [
+      "*.google.com",
+    ]
+
+    protocol {
+      port = 443
+      type = "Https"
+    }
+  }
+}
+
+resource "azurerm_firewall_application_rule_collection" "test_add" {
+  name                = "acctestarc_add"
+  azure_firewall_name = "${azurerm_firewall.test.name}"
+  resource_group_name = "${azurerm_resource_group.test.name}"
+  priority            = 200
+  action              = "Deny"
+
+  rule {
+    name = "acctestruleadd"
+
+    source_addresses = [
+      "192.168.0.1",
+    ]
+
+    target_fqdns = [
+      "*.microsoft.com",
+    ]
+
+    protocol {
+      port = 80
+      type = "Http"
+    }
+  }
+}
+`, template)
+}
+
+func testAccAzureRMFirewallApplicationRuleCollection_multipleUpdate(rInt int, location string) string {
+	template := testAccAzureRMFirewall_basic(rInt, location)
+	return fmt.Sprintf(`
+%s
+
+resource "azurerm_firewall_application_rule_collection" "test" {
+  name                = "acctestarc"
+  azure_firewall_name = "${azurerm_firewall.test.name}"
+  resource_group_name = "${azurerm_resource_group.test.name}"
+  priority            = 300
+  action              = "Deny"
+
+  rule {
+    name = "rule1"
+
+    source_addresses = [
+      "10.0.0.0/16",
+    ]
+
+    target_fqdns = [
+      "*.google.com",
+    ]
+
+    protocol {
+      port = 443
+      type = "Https"
+    }
+  }
+}
+
+resource "azurerm_firewall_application_rule_collection" "test_add" {
+  name                = "acctestarc_add"
+  azure_firewall_name = "${azurerm_firewall.test.name}"
+  resource_group_name = "${azurerm_resource_group.test.name}"
+  priority            = 400
+  action              = "Allow"
+
+  rule {
+    name = "acctestruleadd"
+
+    source_addresses = [
+      "192.168.0.1",
+    ]
+
+    target_fqdns = [
+      "*.microsoft.com",
+    ]
+
+    protocol {
+      port = 80
+      type = "Http"
+    }
+  }
+}
+`, template)
+}
+
+func testAccAzureRMFirewallApplicationRuleCollection_multipleRules(rInt int, location string) string {
+	template := testAccAzureRMFirewall_basic(rInt, location)
+	return fmt.Sprintf(`
+%s
+
+resource "azurerm_firewall_application_rule_collection" "test" {
+  name                = "acctestarc"
+  azure_firewall_name = "${azurerm_firewall.test.name}"
+  resource_group_name = "${azurerm_resource_group.test.name}"
+  priority            = 100
+  action              = "Allow"
+
+  rule {
+    name = "rule1"
+
+    source_addresses = [
+      "10.0.0.0/16",
+    ]
+
+    target_fqdns = [
+      "*.google.com",
+    ]
+
+    protocol {
+      port = 443
+      type = "Https"
+    }
+  }
+
+  rule {
+    name = "acctestruleadd"
+
+    source_addresses = [
+      "192.168.0.1",
+    ]
+
+    target_fqdns = [
+      "*.microsoft.com",
+    ]
+
+    protocol {
+      port = 80
+      type = "Http"
+    }
+  }
+}
+`, template)
+}
+
+func testAccAzureRMFirewallApplicationRuleCollection_multipleProtocols(rInt int, location string) string {
+	template := testAccAzureRMFirewall_basic(rInt, location)
+	return fmt.Sprintf(`
+%s
+
+resource "azurerm_firewall_application_rule_collection" "test" {
+  name                = "acctestarc"
+  azure_firewall_name = "${azurerm_firewall.test.name}"
+  resource_group_name = "${azurerm_resource_group.test.name}"
+  priority            = 100
+  action              = "Allow"
+
+  rule {
+    name = "rule1"
+
+    source_addresses = [
+      "10.0.0.0/16",
+    ]
+
+    target_fqdns = [
+      "*.google.com",
+    ]
+
+    protocol {
+      port = 8000
+      type = "Http"
+    }
+
+    protocol {
+      port = 8001
+      type = "Https"
+    }
+  }
+}
+`, template)
+}
+
+func testAccAzureRMFirewallApplicationRuleCollection_multipleProtocolsUpdate(rInt int, location string) string {
+	template := testAccAzureRMFirewall_basic(rInt, location)
+	return fmt.Sprintf(`
+%s
+
+resource "azurerm_firewall_application_rule_collection" "test" {
+  name                = "acctestarc"
+  azure_firewall_name = "${azurerm_firewall.test.name}"
+  resource_group_name = "${azurerm_resource_group.test.name}"
+  priority            = 100
+  action              = "Allow"
+
+  rule {
+    name = "rule1"
+
+    source_addresses = [
+      "10.0.0.0/16",
+    ]
+
+    target_fqdns = [
+      "*.google.com",
+    ]
+
+    protocol {
+      port = 9000
+      type = "Https"
+    }
+    protocol {
+      port = 9001
+      type = "Http"
+    }
+  }
+}
+`, template)
+}

From 5b01614cc7d1275a74448032d608634f322b3d52 Mon Sep 17 00:00:00 2001
From: Henry Buckle <h.buckle@outlook.com>
Date: Thu, 20 Dec 2018 10:15:40 +0000
Subject: [PATCH 09/16] docs

---
 website/docs/r/firewall.html.markdown         |   2 -
 ..._application_rule_collection.html.markdown | 133 ++++++++++++++++++
 ...wall_network_rule_collection.html.markdown |   6 +-
 3 files changed, 135 insertions(+), 6 deletions(-)
 create mode 100644 website/docs/r/firewall_application_rule_collection.html.markdown

diff --git a/website/docs/r/firewall.html.markdown b/website/docs/r/firewall.html.markdown
index e5e4e6d9d945..2abdc3a16b95 100644
--- a/website/docs/r/firewall.html.markdown
+++ b/website/docs/r/firewall.html.markdown
@@ -11,8 +11,6 @@ description: |-
 
 Manages an Azure Firewall.
 
--> **NOTE** Azure Firewall is currently in Public Preview.
-
 ## Example Usage
 
 ```hcl
diff --git a/website/docs/r/firewall_application_rule_collection.html.markdown b/website/docs/r/firewall_application_rule_collection.html.markdown
new file mode 100644
index 000000000000..41ccbbbbbf63
--- /dev/null
+++ b/website/docs/r/firewall_application_rule_collection.html.markdown
@@ -0,0 +1,133 @@
+---
+layout: "azurerm"
+page_title: "Azure Resource Manager: azurerm_firewall_application_rule_collection"
+sidebar_current: "docs-azurerm-resource-network-firewall-application-rule-collection"
+description: |-
+  Manages an Application Rule Collection within an Azure Firewall.
+
+---
+
+# azurerm_firewall_application_rule_collection
+
+Manages an Application Rule Collection within an Azure Firewall.
+
+## Example Usage
+
+```hcl
+resource "azurerm_resource_group" "test" {
+  name     = "example-resources"
+  location = "North Europe"
+}
+
+resource "azurerm_virtual_network" "test" {
+  name                = "testvnet"
+  address_space       = ["10.0.0.0/16"]
+  location            = "${azurerm_resource_group.test.location}"
+  resource_group_name = "${azurerm_resource_group.test.name}"
+}
+
+resource "azurerm_subnet" "test" {
+  name                 = "AzureFirewallSubnet"
+  resource_group_name  = "${azurerm_resource_group.test.name}"
+  virtual_network_name = "${azurerm_virtual_network.test.name}"
+  address_prefix       = "10.0.1.0/24"
+}
+
+resource "azurerm_public_ip" "test" {
+  name                         = "testpip"
+  location                     = "${azurerm_resource_group.test.location}"
+  resource_group_name          = "${azurerm_resource_group.test.name}"
+  public_ip_address_allocation = "Static"
+  sku                          = "Standard"
+}
+
+resource "azurerm_firewall" "test" {
+  name                = "testfirewall"
+  location            = "${azurerm_resource_group.test.location}"
+  resource_group_name = "${azurerm_resource_group.test.name}"
+
+  ip_configuration {
+    name                          = "configuration"
+    subnet_id                     = "${azurerm_subnet.test.id}"
+    public_ip_address_id          = "${azurerm_public_ip.test.id}"
+  }
+}
+
+resource "azurerm_firewall_application_rule_collection" "test" {
+  name                = "testcollection"
+  azure_firewall_name = "${azurerm_firewall.test.name}"
+  resource_group_name = "${azurerm_resource_group.test.name}"
+  priority            = 100
+  action              = "Allow"
+
+  rule {
+    name = "testrule"
+
+    source_addresses = [
+      "10.0.0.0/16",
+    ]
+
+    destination_ports = [
+      "53",
+    ]
+
+    destination_addresses = [
+      "8.8.8.8",
+      "8.8.4.4",
+    ]
+
+    protocols = [
+      "TCP",
+      "UDP",
+    ]
+  }
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+* `name` - (Required) Specifies the name of the Application Rule Collection which must be unique within the Firewall. Changing this forces a new resource to be created.
+
+* `azure_firewall_name` - (Required) Specifies the name of the Firewall in which the Application Rule Collection should be created. Changing this forces a new resource to be created.
+
+* `resource_group_name` - (Required) Specifies the name of the Resource Group in which the Firewall exists. Changing this forces a new resource to be created.
+
+* `priority` - (Required) Specifies the priority of the rule collection. Possible values are between `100` - `65000`.
+
+* `action` - (Required) Specifies the action the rule will apply to matching traffic. Possible values are `Allow` and `Deny`.
+
+* `rule` - (Required) One or more `rule` blocks as defined below.
+
+---
+
+A `rule` block supports the following:
+
+* `name` - (Required) Specifies the name of the rule.
+
+* `description` - (Optional) Specifies a description for the rule.
+
+* `source_addresses` - (Required) A list of source IP addresses and/or IP ranges.
+
+* `fqdn_tags` - (Optional) A list of FQDN tags. Possible values are `AppServiceEnvironment`, `AzureBackup`, `MicrosoftActiveProtectionService`, `WindowsDiagnostics` and `WindowsUpdate`
+
+* `target_fqdns` - (Optional) A list of FQDNs.
+
+* `protocol` - (Optional) One or more `protocol` blocks as defined below.
+
+---
+
+A `protocol` block supports the following:
+
+* `port` - (Optional) Specify a port for the connection.
+
+* `type` - (Required) Specifies the type of conection. Possible values are `Http` or `Https`.
+
+## Import
+
+Azure Firewall Application Rule Collections can be imported using the `resource id`, e.g.
+
+```shell
+terraform import azurerm_firewall_application_rule_collection.test /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/mygroup1/providers/Microsoft.Network/azureFirewalls/myfirewall/applicationRuleCollections/mycollection
+```
diff --git a/website/docs/r/firewall_network_rule_collection.html.markdown b/website/docs/r/firewall_network_rule_collection.html.markdown
index a547cc03892f..1a1fb780610f 100644
--- a/website/docs/r/firewall_network_rule_collection.html.markdown
+++ b/website/docs/r/firewall_network_rule_collection.html.markdown
@@ -11,8 +11,6 @@ description: |-
 
 Manages a Network Rule Collection within an Azure Firewall.
 
--> **NOTE** Azure Firewall is currently in Public Preview.
-
 ## Example Usage
 
 ```hcl
@@ -92,7 +90,7 @@ The following arguments are supported:
 
 * `name` - (Required) Specifies the name of the Network Rule Collection which must be unique within the Firewall. Changing this forces a new resource to be created.
 
-* `azure_firewall_name` - (Required) Specifies the name of the Firewall in which to the Network Rule Collection should be created. Changing this forces a new resource to be created.
+* `azure_firewall_name` - (Required) Specifies the name of the Firewall in which the Network Rule Collection should be created. Changing this forces a new resource to be created.
 
 * `resource_group_name` - (Required) Specifies the name of the Resource Group in which the Firewall exists. Changing this forces a new resource to be created.
 
@@ -120,7 +118,7 @@ A `rule` block supports the following:
 
 ## Import
 
-Azure Firewall Network Rule Collection's can be imported using the `resource id`, e.g.
+Azure Firewall Network Rule Collections can be imported using the `resource id`, e.g.
 
 ```shell
 terraform import azurerm_firewall_network_rule_collection.test /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/mygroup1/providers/Microsoft.Network/azureFirewalls/myfirewall/networkRuleCollections/mycollection

From 8ef53d68a273bbff001c25f4ffe82b9951cf86b9 Mon Sep 17 00:00:00 2001
From: Henry Buckle <h.buckle@outlook.com>
Date: Fri, 28 Dec 2018 09:47:58 +0000
Subject: [PATCH 10/16] add validation to rule expand

---
 ...rm_firewall_application_rule_collection.go | 20 ++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)

diff --git a/azurerm/resource_arm_firewall_application_rule_collection.go b/azurerm/resource_arm_firewall_application_rule_collection.go
index 5ac8329b6a5c..d91343166c8d 100644
--- a/azurerm/resource_arm_firewall_application_rule_collection.go
+++ b/azurerm/resource_arm_firewall_application_rule_collection.go
@@ -80,17 +80,12 @@ func resourceArmFirewallApplicationRuleCollection() *schema.Resource {
 							Optional: true,
 							Elem:     &schema.Schema{Type: schema.TypeString},
 							Set:      schema.HashString,
-							// ConflictsWith: []string{
-							// 	"target_fqdns",
-							// 	"protocol",
-							// },
 						},
 						"target_fqdns": {
 							Type:     schema.TypeSet,
 							Optional: true,
 							Elem:     &schema.Schema{Type: schema.TypeString},
 							Set:      schema.HashString,
-							// ConflictsWith: []string{"fqdn_tags"},
 						},
 						"protocol": {
 							Type:     schema.TypeList,
@@ -113,7 +108,6 @@ func resourceArmFirewallApplicationRuleCollection() *schema.Resource {
 									},
 								},
 							},
-							// ConflictsWith: []string{"fqdn_tags"},
 						},
 					},
 				},
@@ -129,6 +123,10 @@ func resourceArmFirewallApplicationRuleCollectionCreateUpdate(d *schema.Resource
 	name := d.Get("name").(string)
 	firewallName := d.Get("azure_firewall_name").(string)
 	resourceGroup := d.Get("resource_group_name").(string)
+	applicationRules, err := expandArmFirewallApplicationRules(d.Get("rule").([]interface{}))
+	if err != nil {
+		return fmt.Errorf("Error expanding Firewall Application Rules: %+v", err)
+	}
 
 	azureRMLockByName(firewallName, azureFirewallResourceName)
 	defer azureRMUnlockByName(firewallName, azureFirewallResourceName)
@@ -148,7 +146,6 @@ func resourceArmFirewallApplicationRuleCollectionCreateUpdate(d *schema.Resource
 	}
 	ruleCollections := *props.ApplicationRuleCollections
 
-	applicationRules := expandArmFirewallApplicationRules(d.Get("rule").([]interface{}))
 	priority := d.Get("priority").(int)
 	newRuleCollection := network.AzureFirewallApplicationRuleCollection{
 		Name: utils.String(name),
@@ -355,7 +352,7 @@ func resourceArmFirewallApplicationRuleCollectionDelete(d *schema.ResourceData,
 	return nil
 }
 
-func expandArmFirewallApplicationRules(inputs []interface{}) []network.AzureFirewallApplicationRule {
+func expandArmFirewallApplicationRules(inputs []interface{}) ([]network.AzureFirewallApplicationRule, error) {
 	outputs := make([]network.AzureFirewallApplicationRule, 0)
 
 	for _, input := range inputs {
@@ -399,10 +396,15 @@ func expandArmFirewallApplicationRules(inputs []interface{}) []network.AzureFire
 			ruleProtocols = append(ruleProtocols, ruleProtocol)
 		}
 		output.Protocols = &ruleProtocols
+		if len(*output.FqdnTags) > 0 {
+			if len(*output.TargetFqdns) > 0 || len(*output.Protocols) > 0 {
+				return outputs, fmt.Errorf("`fqdn_tags` cannot be used with `target_fqdns` or `protocol`")
+			}
+		}
 		outputs = append(outputs, output)
 	}
 
-	return outputs
+	return outputs, nil
 }
 
 func flattenFirewallApplicationRuleCollectionRules(rules *[]network.AzureFirewallApplicationRule) []map[string]interface{} {

From c2932ec5e9d708829f0ea73de420cf435d5df435 Mon Sep 17 00:00:00 2001
From: Henry Buckle <h.buckle@outlook.com>
Date: Wed, 2 Jan 2019 10:44:29 +0000
Subject: [PATCH 11/16] use utility functions

---
 ...rm_firewall_application_rule_collection.go | 37 ++++++-------------
 ...ce_arm_firewall_network_rule_collection.go |  9 +++--
 2 files changed, 17 insertions(+), 29 deletions(-)

diff --git a/azurerm/resource_arm_firewall_application_rule_collection.go b/azurerm/resource_arm_firewall_application_rule_collection.go
index d91343166c8d..d33865ff0e30 100644
--- a/azurerm/resource_arm_firewall_application_rule_collection.go
+++ b/azurerm/resource_arm_firewall_application_rule_collection.go
@@ -9,6 +9,7 @@ import (
 	"github.com/Azure/azure-sdk-for-go/services/network/mgmt/2018-08-01/network"
 	"github.com/hashicorp/terraform/helper/schema"
 	"github.com/hashicorp/terraform/helper/validation"
+	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/helpers/set"
 	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/utils"
 )
 
@@ -187,8 +188,7 @@ func resourceArmFirewallApplicationRuleCollectionCreateUpdate(d *schema.Resource
 		return fmt.Errorf("Error creating/updating Application Rule Collection %q in Firewall %q (Resource Group %q): %+v", name, firewallName, resourceGroup, err)
 	}
 
-	err = future.WaitForCompletionRef(ctx, client.Client)
-	if err != nil {
+	if err = future.WaitForCompletionRef(ctx, client.Client); err != nil {
 		return fmt.Errorf("Error waiting for creation/update of Application Rule Collection %q of Firewall %q (Resource Group %q): %+v", name, firewallName, resourceGroup, err)
 	}
 
@@ -344,8 +344,7 @@ func resourceArmFirewallApplicationRuleCollectionDelete(d *schema.ResourceData,
 		return fmt.Errorf("Error deleting Application Rule Collection %q from Firewall %q (Resource Group %q): %+v", name, firewallName, resourceGroup, err)
 	}
 
-	err = future.WaitForCompletionRef(ctx, client.Client)
-	if err != nil {
+	if err = future.WaitForCompletionRef(ctx, client.Client); err != nil {
 		return fmt.Errorf("Error waiting for deletion of Application Rule Collection %q from Firewall %q (Resource Group %q): %+v", name, firewallName, resourceGroup, err)
 	}
 
@@ -360,28 +359,16 @@ func expandArmFirewallApplicationRules(inputs []interface{}) ([]network.AzureFir
 
 		ruleName := rule["name"].(string)
 		ruleDescription := rule["description"].(string)
-
-		ruleSourceAddresses := make([]string, 0)
-		for _, v := range rule["source_addresses"].(*schema.Set).List() {
-			ruleSourceAddresses = append(ruleSourceAddresses, v.(string))
-		}
-
-		ruleFqdnTags := make([]string, 0)
-		for _, v := range rule["fqdn_tags"].(*schema.Set).List() {
-			ruleFqdnTags = append(ruleFqdnTags, v.(string))
-		}
-
-		ruleTargetFqdns := make([]string, 0)
-		for _, v := range rule["target_fqdns"].(*schema.Set).List() {
-			ruleTargetFqdns = append(ruleTargetFqdns, v.(string))
-		}
+		ruleSourceAddresses := rule["source_addresses"].(*schema.Set).List()
+		ruleFqdnTags := rule["fqdn_tags"].(*schema.Set).List()
+		ruleTargetFqdns := rule["target_fqdns"].(*schema.Set).List()
 
 		output := network.AzureFirewallApplicationRule{
 			Name:            utils.String(ruleName),
 			Description:     utils.String(ruleDescription),
-			SourceAddresses: &ruleSourceAddresses,
-			FqdnTags:        &ruleFqdnTags,
-			TargetFqdns:     &ruleTargetFqdns,
+			SourceAddresses: utils.ExpandStringArray(ruleSourceAddresses),
+			FqdnTags:        utils.ExpandStringArray(ruleFqdnTags),
+			TargetFqdns:     utils.ExpandStringArray(ruleTargetFqdns),
 		}
 
 		ruleProtocols := make([]network.AzureFirewallApplicationRuleProtocol, 0)
@@ -422,13 +409,13 @@ func flattenFirewallApplicationRuleCollectionRules(rules *[]network.AzureFirewal
 			output["description"] = *ruleDescription
 		}
 		if ruleSourceAddresses := rule.SourceAddresses; ruleSourceAddresses != nil {
-			output["source_addresses"] = sliceToSet(*ruleSourceAddresses)
+			output["source_addresses"] = set.FromStringSlice(*ruleSourceAddresses)
 		}
 		if ruleFqdnTags := rule.FqdnTags; ruleFqdnTags != nil {
-			output["fqdn_tags"] = sliceToSet(*ruleFqdnTags)
+			output["fqdn_tags"] = set.FromStringSlice(*ruleFqdnTags)
 		}
 		if ruleTargetFqdns := rule.TargetFqdns; ruleTargetFqdns != nil {
-			output["target_fqdns"] = sliceToSet(*ruleTargetFqdns)
+			output["target_fqdns"] = set.FromStringSlice(*ruleTargetFqdns)
 		}
 		protocols := make([]map[string]interface{}, 0)
 		if ruleProtocols := rule.Protocols; ruleProtocols != nil {
diff --git a/azurerm/resource_arm_firewall_network_rule_collection.go b/azurerm/resource_arm_firewall_network_rule_collection.go
index eda2aed55c1a..0366dd04377c 100644
--- a/azurerm/resource_arm_firewall_network_rule_collection.go
+++ b/azurerm/resource_arm_firewall_network_rule_collection.go
@@ -7,6 +7,7 @@ import (
 	"github.com/Azure/azure-sdk-for-go/services/network/mgmt/2018-08-01/network"
 	"github.com/hashicorp/terraform/helper/schema"
 	"github.com/hashicorp/terraform/helper/validation"
+	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/helpers/set"
 	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/helpers/validate"
 	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/utils"
 )
@@ -399,13 +400,13 @@ func flattenFirewallNetworkRuleCollectionRules(rules *[]network.AzureFirewallNet
 			output["description"] = *rule.Description
 		}
 		if rule.SourceAddresses != nil {
-			output["source_addresses"] = sliceToSet(*rule.SourceAddresses)
+			output["source_addresses"] = set.FromStringSlice(*rule.SourceAddresses)
 		}
 		if rule.DestinationAddresses != nil {
-			output["destination_addresses"] = sliceToSet(*rule.DestinationAddresses)
+			output["destination_addresses"] = set.FromStringSlice(*rule.DestinationAddresses)
 		}
 		if rule.DestinationPorts != nil {
-			output["destination_ports"] = sliceToSet(*rule.DestinationPorts)
+			output["destination_ports"] = set.FromStringSlice(*rule.DestinationPorts)
 		}
 		protocols := make([]string, 0)
 		if rule.Protocols != nil {
@@ -413,7 +414,7 @@ func flattenFirewallNetworkRuleCollectionRules(rules *[]network.AzureFirewallNet
 				protocols = append(protocols, string(protocol))
 			}
 		}
-		output["protocols"] = sliceToSet(protocols)
+		output["protocols"] = set.FromStringSlice(protocols)
 		outputs = append(outputs, output)
 	}
 	return outputs

From 8884d81d9140f996a3fe1cc6ab8c58aac15d3c48 Mon Sep 17 00:00:00 2001
From: Henry Buckle <h.buckle@outlook.com>
Date: Wed, 2 Jan 2019 10:44:59 +0000
Subject: [PATCH 12/16] move sliceToSet to helpers

---
 azurerm/helpers/set/set.go                    |  8 +++++++
 .../resource_arm_network_security_group.go    | 21 +++++++------------
 2 files changed, 15 insertions(+), 14 deletions(-)

diff --git a/azurerm/helpers/set/set.go b/azurerm/helpers/set/set.go
index 0968ad23de28..47d0710d2e6b 100644
--- a/azurerm/helpers/set/set.go
+++ b/azurerm/helpers/set/set.go
@@ -33,3 +33,11 @@ func ToSliceInt32P(set *schema.Set) *[]int32 {
 
 	return &slice
 }
+
+func FromStringSlice(slice []string) *schema.Set {
+	set := &schema.Set{F: schema.HashString}
+	for _, v := range slice {
+		set.Add(v)
+	}
+	return set
+}
diff --git a/azurerm/resource_arm_network_security_group.go b/azurerm/resource_arm_network_security_group.go
index 54fa9eb07818..2957b03af4d6 100644
--- a/azurerm/resource_arm_network_security_group.go
+++ b/azurerm/resource_arm_network_security_group.go
@@ -7,6 +7,7 @@ import (
 	"github.com/hashicorp/go-multierror"
 	"github.com/hashicorp/terraform/helper/schema"
 	"github.com/hashicorp/terraform/helper/validation"
+	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/helpers/set"
 	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/utils"
 )
 
@@ -386,13 +387,13 @@ func flattenNetworkSecurityRules(rules *[]network.SecurityRule) []map[string]int
 					sgRule["destination_address_prefix"] = *props.DestinationAddressPrefix
 				}
 				if props.DestinationAddressPrefixes != nil {
-					sgRule["destination_address_prefixes"] = sliceToSet(*props.DestinationAddressPrefixes)
+					sgRule["destination_address_prefixes"] = set.FromStringSlice(*props.DestinationAddressPrefixes)
 				}
 				if props.DestinationPortRange != nil {
 					sgRule["destination_port_range"] = *props.DestinationPortRange
 				}
 				if props.DestinationPortRanges != nil {
-					sgRule["destination_port_ranges"] = sliceToSet(*props.DestinationPortRanges)
+					sgRule["destination_port_ranges"] = set.FromStringSlice(*props.DestinationPortRanges)
 				}
 
 				destinationApplicationSecurityGroups := make([]string, 0)
@@ -401,13 +402,13 @@ func flattenNetworkSecurityRules(rules *[]network.SecurityRule) []map[string]int
 						destinationApplicationSecurityGroups = append(destinationApplicationSecurityGroups, *g.ID)
 					}
 				}
-				sgRule["destination_application_security_group_ids"] = sliceToSet(destinationApplicationSecurityGroups)
+				sgRule["destination_application_security_group_ids"] = set.FromStringSlice(destinationApplicationSecurityGroups)
 
 				if props.SourceAddressPrefix != nil {
 					sgRule["source_address_prefix"] = *props.SourceAddressPrefix
 				}
 				if props.SourceAddressPrefixes != nil {
-					sgRule["source_address_prefixes"] = sliceToSet(*props.SourceAddressPrefixes)
+					sgRule["source_address_prefixes"] = set.FromStringSlice(*props.SourceAddressPrefixes)
 				}
 
 				sourceApplicationSecurityGroups := make([]string, 0)
@@ -416,13 +417,13 @@ func flattenNetworkSecurityRules(rules *[]network.SecurityRule) []map[string]int
 						sourceApplicationSecurityGroups = append(sourceApplicationSecurityGroups, *g.ID)
 					}
 				}
-				sgRule["source_application_security_group_ids"] = sliceToSet(sourceApplicationSecurityGroups)
+				sgRule["source_application_security_group_ids"] = set.FromStringSlice(sourceApplicationSecurityGroups)
 
 				if props.SourcePortRange != nil {
 					sgRule["source_port_range"] = *props.SourcePortRange
 				}
 				if props.SourcePortRanges != nil {
-					sgRule["source_port_ranges"] = sliceToSet(*props.SourcePortRanges)
+					sgRule["source_port_ranges"] = set.FromStringSlice(*props.SourcePortRanges)
 				}
 
 				sgRule["protocol"] = string(props.Protocol)
@@ -438,14 +439,6 @@ func flattenNetworkSecurityRules(rules *[]network.SecurityRule) []map[string]int
 	return result
 }
 
-func sliceToSet(slice []string) *schema.Set {
-	set := &schema.Set{F: schema.HashString}
-	for _, v := range slice {
-		set.Add(v)
-	}
-	return set
-}
-
 func validateSecurityRule(sgRule map[string]interface{}) error {
 	var err *multierror.Error
 

From 10bbff7f350344a3bed13ae7294809c51d4f262d Mon Sep 17 00:00:00 2001
From: Henry Buckle <h.buckle@outlook.com>
Date: Wed, 2 Jan 2019 10:45:19 +0000
Subject: [PATCH 13/16] fix the check attributes

---
 ...m_firewall_application_rule_collection_test.go | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)

diff --git a/azurerm/resource_arm_firewall_application_rule_collection_test.go b/azurerm/resource_arm_firewall_application_rule_collection_test.go
index e531e1b3947d..0b0682f02001 100644
--- a/azurerm/resource_arm_firewall_application_rule_collection_test.go
+++ b/azurerm/resource_arm_firewall_application_rule_collection_test.go
@@ -266,10 +266,10 @@ func TestAccAzureRMFirewallApplicationRuleCollection_multipleProtocols(t *testin
 					resource.TestCheckResourceAttr(resourceName, "action", "Allow"),
 					resource.TestCheckResourceAttr(resourceName, "rule.#", "1"),
 					resource.TestCheckResourceAttr(resourceName, "rule.0.protocol.#", "2"),
-					resource.TestCheckResourceAttr(resourceName, "rule.0.protocol.0.port", "8080"),
+					resource.TestCheckResourceAttr(resourceName, "rule.0.protocol.0.port", "8000"),
 					resource.TestCheckResourceAttr(resourceName, "rule.0.protocol.0.type", "Http"),
-					resource.TestCheckResourceAttr(resourceName, "rule.0.protocol.1.port", "8443"),
-					resource.TestCheckResourceAttr(resourceName, "rule.0.protocol.1.port", "Https"),
+					resource.TestCheckResourceAttr(resourceName, "rule.0.protocol.1.port", "8001"),
+					resource.TestCheckResourceAttr(resourceName, "rule.0.protocol.1.type", "Https"),
 				),
 			},
 			{
@@ -303,7 +303,7 @@ func TestAccAzureRMFirewallApplicationRuleCollection_updateProtocols(t *testing.
 					resource.TestCheckResourceAttr(resourceName, "rule.0.protocol.0.port", "8000"),
 					resource.TestCheckResourceAttr(resourceName, "rule.0.protocol.0.type", "Http"),
 					resource.TestCheckResourceAttr(resourceName, "rule.0.protocol.1.port", "8001"),
-					resource.TestCheckResourceAttr(resourceName, "rule.0.protocol.1.port", "Https"),
+					resource.TestCheckResourceAttr(resourceName, "rule.0.protocol.1.type", "Https"),
 				),
 			},
 			{
@@ -318,7 +318,7 @@ func TestAccAzureRMFirewallApplicationRuleCollection_updateProtocols(t *testing.
 					resource.TestCheckResourceAttr(resourceName, "rule.0.protocol.0.port", "9000"),
 					resource.TestCheckResourceAttr(resourceName, "rule.0.protocol.0.type", "Https"),
 					resource.TestCheckResourceAttr(resourceName, "rule.0.protocol.1.port", "9001"),
-					resource.TestCheckResourceAttr(resourceName, "rule.0.protocol.1.port", "Http"),
+					resource.TestCheckResourceAttr(resourceName, "rule.0.protocol.1.type", "Http"),
 				),
 			},
 			{
@@ -333,7 +333,7 @@ func TestAccAzureRMFirewallApplicationRuleCollection_updateProtocols(t *testing.
 					resource.TestCheckResourceAttr(resourceName, "rule.0.protocol.0.port", "8000"),
 					resource.TestCheckResourceAttr(resourceName, "rule.0.protocol.0.type", "Http"),
 					resource.TestCheckResourceAttr(resourceName, "rule.0.protocol.1.port", "8001"),
-					resource.TestCheckResourceAttr(resourceName, "rule.0.protocol.1.port", "Https"),
+					resource.TestCheckResourceAttr(resourceName, "rule.0.protocol.1.type", "Https"),
 				),
 			},
 		},
@@ -435,8 +435,7 @@ func testCheckAzureRMFirewallApplicationRuleCollectionDisappears(resourceName st
 			return fmt.Errorf("Error removing Application Rule Collection from Firewall: %+v", err)
 		}
 
-		err = future.WaitForCompletionRef(ctx, client.Client)
-		if err != nil {
+		if err = future.WaitForCompletionRef(ctx, client.Client); err != nil {
 			return fmt.Errorf("Error waiting for the removal of Application Rule Collection from Firewall: %+v", err)
 		}
 

From cc0a5e29ec858b9b9344246ddc34f5521627c82c Mon Sep 17 00:00:00 2001
From: Henry Buckle <h.buckle@outlook.com>
Date: Wed, 2 Jan 2019 11:28:26 +0000
Subject: [PATCH 14/16] move required properties up

---
 ...arm_firewall_application_rule_collection.go | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/azurerm/resource_arm_firewall_application_rule_collection.go b/azurerm/resource_arm_firewall_application_rule_collection.go
index d33865ff0e30..667537a5c14a 100644
--- a/azurerm/resource_arm_firewall_application_rule_collection.go
+++ b/azurerm/resource_arm_firewall_application_rule_collection.go
@@ -66,16 +66,16 @@ func resourceArmFirewallApplicationRuleCollection() *schema.Resource {
 							Required:     true,
 							ValidateFunc: validation.NoZeroValues,
 						},
-						"description": {
-							Type:     schema.TypeString,
-							Optional: true,
-						},
 						"source_addresses": {
 							Type:     schema.TypeSet,
 							Required: true,
 							Elem:     &schema.Schema{Type: schema.TypeString},
 							Set:      schema.HashString,
 						},
+						"description": {
+							Type:     schema.TypeString,
+							Optional: true,
+						},
 						"fqdn_tags": {
 							Type:     schema.TypeSet,
 							Optional: true,
@@ -94,11 +94,6 @@ func resourceArmFirewallApplicationRuleCollection() *schema.Resource {
 							MinItems: 1,
 							Elem: &schema.Resource{
 								Schema: map[string]*schema.Schema{
-									"port": {
-										Type:         schema.TypeInt,
-										Optional:     true,
-										ValidateFunc: validate.PortNumber,
-									},
 									"type": {
 										Type:     schema.TypeString,
 										Required: true,
@@ -107,6 +102,11 @@ func resourceArmFirewallApplicationRuleCollection() *schema.Resource {
 											string(network.AzureFirewallApplicationRuleProtocolTypeHTTPS),
 										}, false),
 									},
+									"port": {
+										Type:         schema.TypeInt,
+										Optional:     true,
+										ValidateFunc: validate.PortNumber,
+									},
 								},
 							},
 						},

From 3efa63ce2bb581abcd396d6f9982b9f304d30058 Mon Sep 17 00:00:00 2001
From: Henry Buckle <h.buckle@outlook.com>
Date: Thu, 3 Jan 2019 10:02:49 +0000
Subject: [PATCH 15/16] update error message

---
 azurerm/resource_arm_firewall_application_rule_collection.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/azurerm/resource_arm_firewall_application_rule_collection.go b/azurerm/resource_arm_firewall_application_rule_collection.go
index 667537a5c14a..560cd3248b40 100644
--- a/azurerm/resource_arm_firewall_application_rule_collection.go
+++ b/azurerm/resource_arm_firewall_application_rule_collection.go
@@ -138,12 +138,12 @@ func resourceArmFirewallApplicationRuleCollectionCreateUpdate(d *schema.Resource
 	}
 
 	if firewall.AzureFirewallPropertiesFormat == nil {
-		return fmt.Errorf("Error expanding Firewall %q (Resource Group %q): `properties` was nil", firewallName, resourceGroup)
+		return fmt.Errorf("Error retrieving Application Rule Collection %q (Firewall %q / Resource Group %q): `properties` was nil", firewallName, resourceGroup)
 	}
 	props := *firewall.AzureFirewallPropertiesFormat
 
 	if props.ApplicationRuleCollections == nil {
-		return fmt.Errorf("Error expanding Firewall %q (Resource Group %q): `properties.ApplicationRuleCollections` was nil", firewallName, resourceGroup)
+		return fmt.Errorf("Error retrieving Application Rule Collection %q (Firewall %q / Resource Group %q): `properties.ApplicationRuleCollections` was nil", firewallName, resourceGroup)
 	}
 	ruleCollections := *props.ApplicationRuleCollections
 

From c485797b1af6d443136bcd4b26626cebafd4590e Mon Sep 17 00:00:00 2001
From: Henry Buckle <h.buckle@outlook.com>
Date: Thu, 3 Jan 2019 10:05:26 +0000
Subject: [PATCH 16/16] update error message

---
 azurerm/resource_arm_firewall_application_rule_collection.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/azurerm/resource_arm_firewall_application_rule_collection.go b/azurerm/resource_arm_firewall_application_rule_collection.go
index 560cd3248b40..5dfb22e348f2 100644
--- a/azurerm/resource_arm_firewall_application_rule_collection.go
+++ b/azurerm/resource_arm_firewall_application_rule_collection.go
@@ -138,12 +138,12 @@ func resourceArmFirewallApplicationRuleCollectionCreateUpdate(d *schema.Resource
 	}
 
 	if firewall.AzureFirewallPropertiesFormat == nil {
-		return fmt.Errorf("Error retrieving Application Rule Collection %q (Firewall %q / Resource Group %q): `properties` was nil", firewallName, resourceGroup)
+		return fmt.Errorf("Error retrieving Application Rule Collections (Firewall %q / Resource Group %q): `properties` was nil", firewallName, resourceGroup)
 	}
 	props := *firewall.AzureFirewallPropertiesFormat
 
 	if props.ApplicationRuleCollections == nil {
-		return fmt.Errorf("Error retrieving Application Rule Collection %q (Firewall %q / Resource Group %q): `properties.ApplicationRuleCollections` was nil", firewallName, resourceGroup)
+		return fmt.Errorf("Error retrieving Application Rule Collections (Firewall %q / Resource Group %q): `properties.ApplicationRuleCollections` was nil", firewallName, resourceGroup)
 	}
 	ruleCollections := *props.ApplicationRuleCollections