From ffbd930d8317ce32c4cc460826728b65b8af44cb Mon Sep 17 00:00:00 2001
From: Michael Gross <leachimgross@gmail.com>
Date: Tue, 31 Aug 2021 11:58:30 +0200
Subject: [PATCH 01/12] enhance firewall policy rule collection group to
 support Azure Firewall Premium features

---
 ...l_policy_rule_collection_group_resource.go | 73 +++++++++++++++++--
 ...icy_rule_collection_group_resource_test.go | 15 ++++
 ...policy_rule_collection_group.html.markdown | 11 +++
 3 files changed, 91 insertions(+), 8 deletions(-)

diff --git a/internal/services/firewall/firewall_policy_rule_collection_group_resource.go b/internal/services/firewall/firewall_policy_rule_collection_group_resource.go
index bafdc6094e86..4917bff195c3 100644
--- a/internal/services/firewall/firewall_policy_rule_collection_group_resource.go
+++ b/internal/services/firewall/firewall_policy_rule_collection_group_resource.go
@@ -8,6 +8,7 @@ import (
 
 	"github.com/Azure/azure-sdk-for-go/services/network/mgmt/2021-02-01/network"
 	"github.com/hashicorp/go-azure-helpers/response"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
 	"github.com/hashicorp/terraform-provider-azurerm/helpers/tf"
 	azValidate "github.com/hashicorp/terraform-provider-azurerm/helpers/validate"
 	"github.com/hashicorp/terraform-provider-azurerm/internal/clients"
@@ -15,7 +16,6 @@ import (
 	"github.com/hashicorp/terraform-provider-azurerm/internal/services/firewall/parse"
 	"github.com/hashicorp/terraform-provider-azurerm/internal/services/firewall/validate"
 	"github.com/hashicorp/terraform-provider-azurerm/internal/tf/pluginsdk"
-	"github.com/hashicorp/terraform-provider-azurerm/internal/tf/validation"
 	"github.com/hashicorp/terraform-provider-azurerm/internal/timeouts"
 	"github.com/hashicorp/terraform-provider-azurerm/utils"
 )
@@ -95,6 +95,11 @@ func resourceFirewallPolicyRuleCollectionGroup() *pluginsdk.Resource {
 										Required:     true,
 										ValidateFunc: validate.FirewallPolicyRuleName(),
 									},
+									"description": {
+										Type:         pluginsdk.TypeString,
+										Required:     true,
+										ValidateFunc: validate.FirewallPolicyRuleName(),
+									},
 									"protocols": {
 										Type:     pluginsdk.TypeSet,
 										Required: true,
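Review bot: `description` is validated with `validate.FirewallPolicyRuleName()`, the same validator used for `name` just above it. That validator's pattern is not visible here, but a free-text description containing characters a rule name may not hold would presumably be rejected at plan time. `ValidateFunc: validation.StringIsNotEmpty,` is a better fit for free text. `Required: true` also disagrees with the docs hunk of this patch, which lists the attribute as `(Optional)`; patch 08 flips that flag but carries the validator line over unchanged. The schema function starts and ends outside the hunk.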
@@ -136,6 +141,18 @@ func resourceFirewallPolicyRuleCollectionGroup() *pluginsdk.Resource {
 											ValidateFunc: validation.StringIsNotEmpty,
 										},
 									},
+									"destination_addresses": {
+										Type:     pluginsdk.TypeSet,
+										Optional: true,
+										Elem: &pluginsdk.Schema{
+											Type: pluginsdk.TypeString,
+											ValidateFunc: validation.Any(
+												validation.IsIPAddress,
+												validation.IsCIDR,
+												validation.StringInSlice([]string{`*`}, false),
+											),
+										},
+									},
 									"destination_fqdns": {
 										Type:     pluginsdk.TypeSet,
 										Optional: true,
@@ -144,6 +161,14 @@ func resourceFirewallPolicyRuleCollectionGroup() *pluginsdk.Resource {
 											ValidateFunc: validation.StringIsNotEmpty,
 										},
 									},
+									"destination_urls": {
+										Type:     pluginsdk.TypeSet,
+										Optional: true,
+										Elem: &pluginsdk.Schema{
+											Type:         pluginsdk.TypeString,
+											ValidateFunc: validation.StringIsNotEmpty,
+										},
+									},
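Review bot: `destination_urls` is checked only with `validation.StringIsNotEmpty`, so the constraints the docs attach to it in patch 07 (conflicts with `destination_fqdns`, needs a Premium policy) are not enforced by the schema. They would presumably surface only as an API error at apply time. The first test config in this patch sets both `destination_urls` and `destination_fqdns` on the same rule and passes schema validation. If a cross-field check is impractical inside a nested set, a comment above the attribute such as `// conflicts with destination_fqdns; enforced by the API, not at plan time` at least records the intent. The schema function starts and ends outside the hunk.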
 									"destination_fqdn_tags": {
 										Type:     pluginsdk.TypeSet,
 										Optional: true,
@@ -152,6 +177,18 @@ func resourceFirewallPolicyRuleCollectionGroup() *pluginsdk.Resource {
 											ValidateFunc: validation.StringIsNotEmpty,
 										},
 									},
+									"terminate_tls": {
+										Type:     pluginsdk.TypeBool,
+										Optional: true,
+									},
+									"web_categories": {
+										Type:     pluginsdk.TypeSet,
+										Optional: true,
+										Elem: &pluginsdk.Schema{
+											Type:         pluginsdk.TypeString,
+											ValidateFunc: validation.StringIsNotEmpty,
+										},
+									},
 								},
 							},
 						},
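Review bot: `web_categories` accepts any non-empty string, so a category name the service does not recognise passes `terraform plan`. Patch 04 in this series has to change `"Liability"` to `"News"` in the tests, which suggests such values are rejected only at apply time. For a filtering rule a misspelt category is worth catching early: either validate against the supported category list, or state in the docs where the valid names come from. `terminate_tls` would also read more clearly with an explicit `Default: false,`, since the flatten code reports `false` whenever the API returns nil. The schema function starts and ends outside the hunk.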
@@ -564,13 +601,18 @@ func expandFirewallPolicyRuleApplication(input []interface{}) *[]network.BasicFi
 			})
 		}
 		output := &network.ApplicationRule{
-			Name:            utils.String(condition["name"].(string)),
-			RuleType:        network.RuleTypeApplicationRule,
-			Protocols:       &protocols,
-			SourceAddresses: utils.ExpandStringSlice(condition["source_addresses"].(*pluginsdk.Set).List()),
-			SourceIPGroups:  utils.ExpandStringSlice(condition["source_ip_groups"].(*pluginsdk.Set).List()),
-			TargetFqdns:     utils.ExpandStringSlice(condition["destination_fqdns"].(*pluginsdk.Set).List()),
-			FqdnTags:        utils.ExpandStringSlice(condition["destination_fqdn_tags"].(*pluginsdk.Set).List()),
+			Name:                 utils.String(condition["name"].(string)),
+			Description:          utils.String(condition["description"].(string)),
+			RuleType:             network.RuleTypeApplicationRule,
+			Protocols:            &protocols,
+			SourceAddresses:      utils.ExpandStringSlice(condition["source_addresses"].(*pluginsdk.Set).List()),
+			SourceIPGroups:       utils.ExpandStringSlice(condition["source_ip_groups"].(*pluginsdk.Set).List()),
+			DestinationAddresses: utils.ExpandStringSlice(condition["destination_addresses"].(*pluginsdk.Set).List()),
+			TargetFqdns:          utils.ExpandStringSlice(condition["destination_fqdns"].(*pluginsdk.Set).List()),
+			TargetUrls:           utils.ExpandStringSlice(condition["destination_urls"].(*pluginsdk.Set).List()),
+			FqdnTags:             utils.ExpandStringSlice(condition["destination_fqdn_tags"].(*pluginsdk.Set).List()),
+			TerminateTLS:         utils.Bool(condition["terminate_tls"]),
+			WebCategories:        utils.ExpandStringSlice(condition["web_categories"].(*pluginsdk.Set).List()),
 		}
 		result = append(result, output)
 	}
@@ -739,6 +781,16 @@ func flattenFirewallPolicyRuleApplication(input *[]network.BasicFirewallPolicyRu
 			name = *rule.Name
 		}
 
+		var description string
+		if rule.Description != nil {
+			description = *rule.Description
+		}
+
+		var terminate_tls bool
+		if rule.TerminateTLS != nil {
+			terminate_tls = *rule.TerminateTLS
+		}
+
 		protocols := make([]interface{}, 0)
 		if rule.Protocols != nil {
 			for _, protocol := range *rule.Protocols {
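Review bot: `var terminate_tls bool` uses an underscore in a Go local, which goes against MixedCaps naming and is flagged by the common linters. `terminateTLS` also matches the SDK field `rule.TerminateTLS` it is copied from. The change is `var terminateTLS bool` and `terminateTLS = *rule.TerminateTLS` here, plus `"terminate_tls": terminateTLS,` in the map literal of the next hunk. The function body starts and ends outside the hunk.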
@@ -755,11 +807,16 @@ func flattenFirewallPolicyRuleApplication(input *[]network.BasicFirewallPolicyRu
 
 		output = append(output, map[string]interface{}{
 			"name":                  name,
+			"description":           description,
 			"protocols":             protocols,
 			"source_addresses":      utils.FlattenStringSlice(rule.SourceAddresses),
 			"source_ip_groups":      utils.FlattenStringSlice(rule.SourceIPGroups),
+			"destination_addresses": utils.FlattenStringSlice(rule.DestinationAddresses),
+			"destination_urls":      utils.FlattenStringSlice(rule.TargetUrls),
 			"destination_fqdns":     utils.FlattenStringSlice(rule.TargetFqdns),
 			"destination_fqdn_tags": utils.FlattenStringSlice(rule.FqdnTags),
+			"terminate_tls":         terminate_tls,
+			"web_categories":        utils.FlattenStringSlice(rule.WebCategories),
 		})
 	}
 
diff --git a/internal/services/firewall/firewall_policy_rule_collection_group_resource_test.go b/internal/services/firewall/firewall_policy_rule_collection_group_resource_test.go
index 26ba5816d7aa..8ee42406a22d 100644
--- a/internal/services/firewall/firewall_policy_rule_collection_group_resource_test.go
+++ b/internal/services/firewall/firewall_policy_rule_collection_group_resource_test.go
@@ -174,6 +174,7 @@ resource "azurerm_firewall_policy_rule_collection_group" "test" {
     action   = "Deny"
     rule {
       name = "app_rule_collection1_rule1"
+      description = "app_rule_collection1_rule1"
       protocols {
         type = "Http"
         port = 80
@@ -183,10 +184,15 @@ resource "azurerm_firewall_policy_rule_collection_group" "test" {
         port = 443
       }
       source_addresses  = ["10.0.0.1"]
+      destination_addresses = ["10.0.0.1"]
+      destination_urls = ["www.google.com/en"]
       destination_fqdns = ["pluginsdk.io"]
+      terminate_tls = true
+      web_categories = ["Liability"]
     }
     rule {
       name = "app_rule_collection1_rule2"
+      description = "app_rule_collection1_rule2"
       protocols {
         type = "Http"
         port = 80
@@ -196,10 +202,15 @@ resource "azurerm_firewall_policy_rule_collection_group" "test" {
         port = 443
       }
       source_ip_groups  = [azurerm_ip_group.test_source.id]
+      destination_addresses = ["10.0.0.1"]
+      destination_urls = ["www.google.com/en"]
       destination_fqdns = ["pluginsdk.io"]
+      terminate_tls = true
+      web_categories = ["Liability"]
     }
     rule {
       name = "app_rule_collection1_rule3"
+      description = "app_rule_collection1_rule3"
       protocols {
         type = "Http"
         port = 80
@@ -209,7 +220,11 @@ resource "azurerm_firewall_policy_rule_collection_group" "test" {
         port = 443
       }
       source_addresses      = ["10.0.0.1"]
+      destination_addresses = ["10.0.0.1"]
+      destination_urls = ["www.google.com/en"]
       destination_fqdn_tags = ["WindowsDiagnostics"]
+      terminate_tls = true
+      web_categories = ["Liability"]
     }
   }
 
diff --git a/website/docs/r/firewall_policy_rule_collection_group.html.markdown b/website/docs/r/firewall_policy_rule_collection_group.html.markdown
index 0fa32ceae71e..63a2fb491eb0 100644
--- a/website/docs/r/firewall_policy_rule_collection_group.html.markdown
+++ b/website/docs/r/firewall_policy_rule_collection_group.html.markdown
@@ -137,16 +137,27 @@ A `rule` (application rule) block supports the following:
 
 * `name` - (Required) The name which should be used for this rule.
 
+* `description` - (Optional) The description which should be used for this rule.
+
 * `protocols` - (Required) One or more `protocols` blocks as defined below.
 
 * `source_addresses` - (Optional) Specifies a list of source IP addresses (including CIDR and `*`).
 
 * `source_ip_groups` - (Optional) Specifies a list of source IP groups.
 
+* `destination_addresses` - (Optional) Specifies a list of destination IP addresses (including CIDR and `*`).
+
+* `destination_urls` - (Optional) Specifies a list of destination URLs for which policy should hold.
+
 * `destination_fqdns` - (Optional) Specifies a list of destination FQDNs.
 
 * `destination_fqdn_tags` - (Optional) Specifies a list of destination FQDN tags.
 
+* `terminate_tls` - (Optional) Boolean specifying if TLS shall be terminated (true) or not (false).
+
+* `web_categories` - (Optional) Specifies a list of web categories to which access is denied or allowed depending on the value of `action` above.
+
+
 ---
 
 A `rule` (network rule) block supports the following:

From 156647dc83e385ad61ac0e9ce4f43b073fb6fa17 Mon Sep 17 00:00:00 2001
From: Michael Gross <leachimgross@gmail.com>
Date: Tue, 31 Aug 2021 13:40:32 +0200
Subject: [PATCH 02/12]  fix: convert tls_terminate condition to bool

---
 .../firewall/firewall_policy_rule_collection_group_resource.go  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/internal/services/firewall/firewall_policy_rule_collection_group_resource.go b/internal/services/firewall/firewall_policy_rule_collection_group_resource.go
index 4917bff195c3..347d7beb3fb0 100644
--- a/internal/services/firewall/firewall_policy_rule_collection_group_resource.go
+++ b/internal/services/firewall/firewall_policy_rule_collection_group_resource.go
@@ -611,7 +611,7 @@ func expandFirewallPolicyRuleApplication(input []interface{}) *[]network.BasicFi
 			TargetFqdns:          utils.ExpandStringSlice(condition["destination_fqdns"].(*pluginsdk.Set).List()),
 			TargetUrls:           utils.ExpandStringSlice(condition["destination_urls"].(*pluginsdk.Set).List()),
 			FqdnTags:             utils.ExpandStringSlice(condition["destination_fqdn_tags"].(*pluginsdk.Set).List()),
-			TerminateTLS:         utils.Bool(condition["terminate_tls"]),
+			TerminateTLS:         utils.Bool(condition["terminate_tls"].(bool)),
 			WebCategories:        utils.ExpandStringSlice(condition["web_categories"].(*pluginsdk.Set).List()),
 		}
 		result = append(result, output)

From c246487668108afc19d48cc016c87482dc0b7baf Mon Sep 17 00:00:00 2001
From: Michael Gross <leachimgross@gmail.com>
Date: Tue, 31 Aug 2021 14:03:45 +0200
Subject: [PATCH 03/12] make terrafmt

---
 ...icy_rule_collection_group_resource_test.go | 32 +++++++++----------
 1 file changed, 16 insertions(+), 16 deletions(-)

diff --git a/internal/services/firewall/firewall_policy_rule_collection_group_resource_test.go b/internal/services/firewall/firewall_policy_rule_collection_group_resource_test.go
index 8ee42406a22d..b45c8c777d01 100644
--- a/internal/services/firewall/firewall_policy_rule_collection_group_resource_test.go
+++ b/internal/services/firewall/firewall_policy_rule_collection_group_resource_test.go
@@ -173,7 +173,7 @@ resource "azurerm_firewall_policy_rule_collection_group" "test" {
     priority = 500
     action   = "Deny"
     rule {
-      name = "app_rule_collection1_rule1"
+      name        = "app_rule_collection1_rule1"
       description = "app_rule_collection1_rule1"
       protocols {
         type = "Http"
@@ -183,15 +183,15 @@ resource "azurerm_firewall_policy_rule_collection_group" "test" {
         type = "Https"
         port = 443
       }
-      source_addresses  = ["10.0.0.1"]
+      source_addresses      = ["10.0.0.1"]
       destination_addresses = ["10.0.0.1"]
-      destination_urls = ["www.google.com/en"]
-      destination_fqdns = ["pluginsdk.io"]
-      terminate_tls = true
-      web_categories = ["Liability"]
+      destination_urls      = ["www.google.com/en"]
+      destination_fqdns     = ["pluginsdk.io"]
+      terminate_tls         = true
+      web_categories        = ["Liability"]
     }
     rule {
-      name = "app_rule_collection1_rule2"
+      name        = "app_rule_collection1_rule2"
       description = "app_rule_collection1_rule2"
       protocols {
         type = "Http"
@@ -201,15 +201,15 @@ resource "azurerm_firewall_policy_rule_collection_group" "test" {
         type = "Https"
         port = 443
       }
-      source_ip_groups  = [azurerm_ip_group.test_source.id]
+      source_ip_groups      = [azurerm_ip_group.test_source.id]
       destination_addresses = ["10.0.0.1"]
-      destination_urls = ["www.google.com/en"]
-      destination_fqdns = ["pluginsdk.io"]
-      terminate_tls = true
-      web_categories = ["Liability"]
+      destination_urls      = ["www.google.com/en"]
+      destination_fqdns     = ["pluginsdk.io"]
+      terminate_tls         = true
+      web_categories        = ["Liability"]
     }
     rule {
-      name = "app_rule_collection1_rule3"
+      name        = "app_rule_collection1_rule3"
       description = "app_rule_collection1_rule3"
       protocols {
         type = "Http"
@@ -221,10 +221,10 @@ resource "azurerm_firewall_policy_rule_collection_group" "test" {
       }
       source_addresses      = ["10.0.0.1"]
       destination_addresses = ["10.0.0.1"]
-      destination_urls = ["www.google.com/en"]
+      destination_urls      = ["www.google.com/en"]
       destination_fqdn_tags = ["WindowsDiagnostics"]
-      terminate_tls = true
-      web_categories = ["Liability"]
+      terminate_tls         = true
+      web_categories        = ["Liability"]
     }
   }
 

From afe6fbcf81d1d835206c2fc4098993eb7d3d3fa2 Mon Sep 17 00:00:00 2001
From: Michael Gross <leachimgross@gmail.com>
Date: Wed, 1 Sep 2021 08:38:59 +0200
Subject: [PATCH 04/12] fix web_categories in test

---
 .../firewall_policy_rule_collection_group_resource_test.go  | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/internal/services/firewall/firewall_policy_rule_collection_group_resource_test.go b/internal/services/firewall/firewall_policy_rule_collection_group_resource_test.go
index b45c8c777d01..90ca0a50bad6 100644
--- a/internal/services/firewall/firewall_policy_rule_collection_group_resource_test.go
+++ b/internal/services/firewall/firewall_policy_rule_collection_group_resource_test.go
@@ -188,7 +188,7 @@ resource "azurerm_firewall_policy_rule_collection_group" "test" {
       destination_urls      = ["www.google.com/en"]
       destination_fqdns     = ["pluginsdk.io"]
       terminate_tls         = true
-      web_categories        = ["Liability"]
+      web_categories        = ["News"]
     }
     rule {
       name        = "app_rule_collection1_rule2"
@@ -206,7 +206,7 @@ resource "azurerm_firewall_policy_rule_collection_group" "test" {
       destination_urls      = ["www.google.com/en"]
       destination_fqdns     = ["pluginsdk.io"]
       terminate_tls         = true
-      web_categories        = ["Liability"]
+      web_categories        = ["News"]
     }
     rule {
       name        = "app_rule_collection1_rule3"
@@ -224,7 +224,7 @@ resource "azurerm_firewall_policy_rule_collection_group" "test" {
       destination_urls      = ["www.google.com/en"]
       destination_fqdn_tags = ["WindowsDiagnostics"]
       terminate_tls         = true
-      web_categories        = ["Liability"]
+      web_categories        = ["News"]
     }
   }
 

From 9145c332a5428fd8c076fe58e3e3db1c754910c3 Mon Sep 17 00:00:00 2001
From: Michael Gross <leachimgross@gmail.com>
Date: Wed, 1 Sep 2021 08:43:39 +0200
Subject: [PATCH 05/12] set protocols attribute to optional as only required
 for Target FQDNs but not for FQDN tags

---
 .../firewall/firewall_policy_rule_collection_group_resource.go  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/internal/services/firewall/firewall_policy_rule_collection_group_resource.go b/internal/services/firewall/firewall_policy_rule_collection_group_resource.go
index 347d7beb3fb0..a9f7be35c673 100644
--- a/internal/services/firewall/firewall_policy_rule_collection_group_resource.go
+++ b/internal/services/firewall/firewall_policy_rule_collection_group_resource.go
@@ -102,7 +102,7 @@ func resourceFirewallPolicyRuleCollectionGroup() *pluginsdk.Resource {
 									},
 									"protocols": {
 										Type:     pluginsdk.TypeSet,
-										Required: true,
+										Optional: true,
 										Elem: &pluginsdk.Resource{
 											Schema: map[string]*pluginsdk.Schema{
 												"type": {
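Review bot: With `protocols` switched to `Optional: true`, nothing at plan time requires it when `destination_fqdns` is set, although the commit subject and the docs text added in patch 07 say it is required in that case. A rule written without protocols now fails only if the API rejects it. Consider a check where the rule is expanded, or at least a comment on the attribute: `// required with destination_fqdns; optional only for destination_fqdn_tags`. The schema function starts and ends outside the hunk.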

From b1d34a5d3c8de8c78c7821640291252023aab314 Mon Sep 17 00:00:00 2001
From: Michael Gross <leachimgross@gmail.com>
Date: Wed, 1 Sep 2021 18:15:31 +0200
Subject: [PATCH 06/12] resolve test conflicts

---
 .../firewall_policy_rule_collection_group_resource_test.go    | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/internal/services/firewall/firewall_policy_rule_collection_group_resource_test.go b/internal/services/firewall/firewall_policy_rule_collection_group_resource_test.go
index 90ca0a50bad6..4d7f2fada627 100644
--- a/internal/services/firewall/firewall_policy_rule_collection_group_resource_test.go
+++ b/internal/services/firewall/firewall_policy_rule_collection_group_resource_test.go
@@ -144,6 +144,7 @@ resource "azurerm_firewall_policy" "test" {
   name                = "acctest-fwpolicy-RCG-%[1]d"
   resource_group_name = azurerm_resource_group.test.name
   location            = azurerm_resource_group.test.location
+  sku                 = "Premium"
   dns {
     network_rule_fqdn_enabled = false
     proxy_enabled             = true
@@ -186,7 +187,6 @@ resource "azurerm_firewall_policy_rule_collection_group" "test" {
       source_addresses      = ["10.0.0.1"]
       destination_addresses = ["10.0.0.1"]
       destination_urls      = ["www.google.com/en"]
-      destination_fqdns     = ["pluginsdk.io"]
       terminate_tls         = true
       web_categories        = ["News"]
     }
@@ -203,7 +203,6 @@ resource "azurerm_firewall_policy_rule_collection_group" "test" {
       }
       source_ip_groups      = [azurerm_ip_group.test_source.id]
       destination_addresses = ["10.0.0.1"]
-      destination_urls      = ["www.google.com/en"]
       destination_fqdns     = ["pluginsdk.io"]
       terminate_tls         = true
       web_categories        = ["News"]
@@ -222,7 +221,6 @@ resource "azurerm_firewall_policy_rule_collection_group" "test" {
       source_addresses      = ["10.0.0.1"]
       destination_addresses = ["10.0.0.1"]
       destination_urls      = ["www.google.com/en"]
-      destination_fqdn_tags = ["WindowsDiagnostics"]
       terminate_tls         = true
       web_categories        = ["News"]
     }

From f175f12f9a8b88529b932bd7f9c72aee5e9c11bb Mon Sep 17 00:00:00 2001
From: Michael Gross <leachimgross@gmail.com>
Date: Wed, 1 Sep 2021 18:27:41 +0200
Subject: [PATCH 07/12] update docs

---
 ...firewall_policy_rule_collection_group.html.markdown | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/website/docs/r/firewall_policy_rule_collection_group.html.markdown b/website/docs/r/firewall_policy_rule_collection_group.html.markdown
index 63a2fb491eb0..259d6f0b355a 100644
--- a/website/docs/r/firewall_policy_rule_collection_group.html.markdown
+++ b/website/docs/r/firewall_policy_rule_collection_group.html.markdown
@@ -139,7 +139,7 @@ A `rule` (application rule) block supports the following:
 
 * `description` - (Optional) The description which should be used for this rule.
 
-* `protocols` - (Required) One or more `protocols` blocks as defined below.
+* `protocols` - (Optional) One or more `protocols` blocks as defined below. Not required when specifying `destination_fqdn_tags`, but required when specifying `destination_fqdns`.
 
 * `source_addresses` - (Optional) Specifies a list of source IP addresses (including CIDR and `*`).
 
@@ -147,15 +147,15 @@ A `rule` (application rule) block supports the following:
 
 * `destination_addresses` - (Optional) Specifies a list of destination IP addresses (including CIDR and `*`).
 
-* `destination_urls` - (Optional) Specifies a list of destination URLs for which policy should hold.
+* `destination_urls` - (Optional) Specifies a list of destination URLs for which policy should hold. Needs Premium SKU for Firewall Policy. Conflicts with `destination_fqdns`.
 
-* `destination_fqdns` - (Optional) Specifies a list of destination FQDNs.
+* `destination_fqdns` - (Optional) Specifies a list of destination FQDNs. Conflicts with `destination_urls`.
 
 * `destination_fqdn_tags` - (Optional) Specifies a list of destination FQDN tags.
 
-* `terminate_tls` - (Optional) Boolean specifying if TLS shall be terminated (true) or not (false).
+* `terminate_tls` - (Optional) Boolean specifying if TLS shall be terminated (true) or not (false). Needs Premium SKU for Firewall Policy.
 
-* `web_categories` - (Optional) Specifies a list of web categories to which access is denied or allowed depending on the value of `action` above.
+* `web_categories` - (Optional) Specifies a list of web categories to which access is denied or allowed depending on the value of `action` above. Needs Premium SKU for Firewall Policy.
 
 
 ---

From 706a2a24558ff96230e7215766f6656c1b0609f7 Mon Sep 17 00:00:00 2001
From: Michael Gross <leachimgross@gmail.com>
Date: Thu, 2 Sep 2021 21:28:37 +0200
Subject: [PATCH 08/12] fix tests

---
 ...l_policy_rule_collection_group_resource.go |   2 +-
 ...icy_rule_collection_group_resource_test.go | 323 +++++++++++++++++-
 2 files changed, 318 insertions(+), 7 deletions(-)

diff --git a/internal/services/firewall/firewall_policy_rule_collection_group_resource.go b/internal/services/firewall/firewall_policy_rule_collection_group_resource.go
index a9f7be35c673..521432e3e6f0 100644
--- a/internal/services/firewall/firewall_policy_rule_collection_group_resource.go
+++ b/internal/services/firewall/firewall_policy_rule_collection_group_resource.go
@@ -97,7 +97,7 @@ func resourceFirewallPolicyRuleCollectionGroup() *pluginsdk.Resource {
 									},
 									"description": {
 										Type:         pluginsdk.TypeString,
-										Required:     true,
+										Optional:     true,
 										ValidateFunc: validate.FirewallPolicyRuleName(),
 									},
 									"protocols": {
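Review bot: Now that `description` is `Optional`, the expand code added in patch 01 still sets `Description: utils.String(condition["description"].(string))`, so an unset description is sent as a pointer to an empty string rather than omitted. If the API treats the two differently this may show up as a perpetual diff or a rejected request. Setting the field conditionally after the struct literal avoids it: `if v := condition["description"].(string); v != "" { output.Description = utils.String(v) }`. The expand function is outside this hunk.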
diff --git a/internal/services/firewall/firewall_policy_rule_collection_group_resource_test.go b/internal/services/firewall/firewall_policy_rule_collection_group_resource_test.go
index 4d7f2fada627..3529188fc8f7 100644
--- a/internal/services/firewall/firewall_policy_rule_collection_group_resource_test.go
+++ b/internal/services/firewall/firewall_policy_rule_collection_group_resource_test.go
@@ -113,12 +113,18 @@ provider "azurerm" {
 resource "azurerm_resource_group" "test" {
   name     = "acctestRG-fwpolicy-RCG-%[1]d"
   location = "%[2]s"
+  lifecycle {
+    ignore_changes = [tags]
+  }
 }
 
 resource "azurerm_firewall_policy" "test" {
   name                = "acctest-fwpolicy-RCG-%[1]d"
   resource_group_name = azurerm_resource_group.test.name
   location            = azurerm_resource_group.test.location
+  lifecycle {
+    ignore_changes = [tags]
+  }
 }
 
 resource "azurerm_firewall_policy_rule_collection_group" "test" {
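Review bot: The `lifecycle { ignore_changes = [tags] }` blocks added here and throughout the following hunks of this test file are unexplained and applied unevenly. The re-added `complete` config carries them on the resource group, the policy and both IP groups, while the new `update` config has one only on the resource group. If they work around tags injected by a policy in the author's subscription (an assumption; nothing on the page says so), they hide tag drift from every run and are better kept out of the shared acceptance tests. Otherwise add a short Go comment above each config function saying why they are needed, and apply them consistently.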
@@ -134,10 +140,291 @@ func (FirewallPolicyRuleCollectionGroupResource) complete(data acceptance.TestDa
 provider "azurerm" {
   features {}
 }
+resource "azurerm_resource_group" "test" {
+  name     = "acctestRG-fwpolicy-RCG-%[1]d"
+  location = "%[2]s"
+  lifecycle {
+    ignore_changes = [tags]
+  }
+}
+resource "azurerm_firewall_policy" "test" {
+  name                = "acctest-fwpolicy-RCG-%[1]d"
+  resource_group_name = azurerm_resource_group.test.name
+  location            = azurerm_resource_group.test.location
+  dns {
+    network_rule_fqdn_enabled = false
+    proxy_enabled             = true
+  }
+  lifecycle {
+    ignore_changes = [tags]
+  }
+}
+resource "azurerm_ip_group" "test_source" {
+  name                = "acctestIpGroupForFirewallPolicySource"
+  location            = azurerm_resource_group.test.location
+  resource_group_name = azurerm_resource_group.test.name
+  cidrs               = ["1.2.3.4/32", "12.34.56.0/24"]
+  lifecycle {
+    ignore_changes = [tags]
+  }
+}
+resource "azurerm_ip_group" "test_destination" {
+  name                = "acctestIpGroupForFirewallPolicyDest"
+  location            = azurerm_resource_group.test.location
+  resource_group_name = azurerm_resource_group.test.name
+  cidrs               = ["192.168.0.0/25", "192.168.0.192/26"]
+  lifecycle {
+    ignore_changes = [tags]
+  }
+}
+resource "azurerm_firewall_policy_rule_collection_group" "test" {
+  name               = "acctest-fwpolicy-RCG-%[1]d"
+  firewall_policy_id = azurerm_firewall_policy.test.id
+  priority           = 500
+  application_rule_collection {
+    name     = "app_rule_collection1"
+    priority = 500
+    action   = "Deny"
+    rule {
+      name = "app_rule_collection1_rule1"
+      protocols {
+        type = "Http"
+        port = 80
+      }
+      protocols {
+        type = "Https"
+        port = 443
+      }
+      source_addresses  = ["10.0.0.1"]
+      destination_fqdns = ["pluginsdk.io"]
+    }
+    rule {
+      name = "app_rule_collection1_rule2"
+      protocols {
+        type = "Http"
+        port = 80
+      }
+      protocols {
+        type = "Https"
+        port = 443
+      }
+      source_ip_groups  = [azurerm_ip_group.test_source.id]
+      destination_fqdns = ["pluginsdk.io"]
+    }
+    rule {
+      name = "app_rule_collection1_rule3"
+      protocols {
+        type = "Http"
+        port = 80
+      }
+      protocols {
+        type = "Https"
+        port = 443
+      }
+      source_addresses      = ["10.0.0.1"]
+      destination_fqdn_tags = ["WindowsDiagnostics"]
+    }
+  }
+  network_rule_collection {
+    name     = "network_rule_collection1"
+    priority = 400
+    action   = "Deny"
+    rule {
+      name                  = "network_rule_collection1_rule1"
+      protocols             = ["TCP", "UDP"]
+      source_addresses      = ["10.0.0.1"]
+      destination_addresses = ["192.168.1.1", "ApiManagement"]
+      destination_ports     = ["80", "1000-2000"]
+    }
+    rule {
+      name              = "network_rule_collection1_rule2"
+      protocols         = ["TCP", "UDP"]
+      source_addresses  = ["10.0.0.1"]
+      destination_fqdns = ["time.windows.com"]
+      destination_ports = ["80", "1000-2000"]
+    }
+    rule {
+      name                  = "network_rule_collection1_rule3"
+      protocols             = ["TCP", "UDP"]
+      source_ip_groups      = [azurerm_ip_group.test_source.id]
+      destination_ip_groups = [azurerm_ip_group.test_destination.id]
+      destination_ports     = ["80", "1000-2000"]
+    }
+    rule {
+      name                  = "network_rule_collection1_rule4"
+      protocols             = ["ICMP"]
+      source_ip_groups      = [azurerm_ip_group.test_source.id]
+      destination_ip_groups = [azurerm_ip_group.test_destination.id]
+      destination_ports     = ["*"]
+    }
+  }
+  nat_rule_collection {
+    name     = "nat_rule_collection1"
+    priority = 300
+    action   = "Dnat"
+    rule {
+      name                = "nat_rule_collection1_rule1"
+      protocols           = ["TCP", "UDP"]
+      source_addresses    = ["10.0.0.1", "10.0.0.2"]
+      destination_address = "192.168.1.1"
+      destination_ports   = ["80"]
+      translated_address  = "192.168.0.1"
+      translated_port     = "8080"
+    }
+    rule {
+      name                = "nat_rule_collection1_rule2"
+      protocols           = ["TCP", "UDP"]
+      source_ip_groups    = [azurerm_ip_group.test_source.id]
+      destination_address = "192.168.1.1"
+      destination_ports   = ["80"]
+      translated_address  = "192.168.0.1"
+      translated_port     = "8080"
+    }
+  }
+}
+`, data.RandomInteger, data.Locations.Primary)
+}
+
+func (FirewallPolicyRuleCollectionGroupResource) update(data acceptance.TestData) string {
+	return fmt.Sprintf(`
+provider "azurerm" {
+  features {}
+}
+resource "azurerm_resource_group" "test" {
+  name     = "acctestRG-fwpolicy-RCG-%[1]d"
+  location = "%[2]s"
+  lifecycle {
+    ignore_changes = [tags]
+  }
+}
+resource "azurerm_firewall_policy" "test" {
+  name                = "acctest-fwpolicy-RCG-%[1]d"
+  resource_group_name = azurerm_resource_group.test.name
+  location            = azurerm_resource_group.test.location
+  dns {
+    network_rule_fqdn_enabled = false
+    proxy_enabled             = true
+  }
+}
+resource "azurerm_ip_group" "test_source" {
+  name                = "acctestIpGroupForFirewallPolicySource"
+  location            = azurerm_resource_group.test.location
+  resource_group_name = azurerm_resource_group.test.name
+  cidrs               = ["1.2.3.4/32", "12.34.56.0/24"]
+}
+resource "azurerm_ip_group" "test_destination" {
+  name                = "acctestIpGroupForFirewallPolicyDest"
+  location            = azurerm_resource_group.test.location
+  resource_group_name = azurerm_resource_group.test.name
+  cidrs               = ["192.168.0.0/25", "192.168.0.192/26"]
+}
+resource "azurerm_firewall_policy_rule_collection_group" "test" {
+  name               = "acctest-fwpolicy-RCG-%[1]d"
+  firewall_policy_id = azurerm_firewall_policy.test.id
+  priority           = 500
+  application_rule_collection {
+    name     = "app_rule_collection1"
+    priority = 500
+    action   = "Deny"
+    rule {
+      name = "app_rule_collection1_rule1"
+      protocols {
+        type = "Http"
+        port = 80
+      }
+      protocols {
+        type = "Https"
+        port = 443
+      }
+      source_addresses  = ["10.0.0.1", "10.0.0.2"]
+      destination_fqdns = ["pluginsdk.io"]
+    }
+    rule {
+      name = "app_rule_collection1_rule2"
+      protocols {
+        type = "Http"
+        port = 80
+      }
+      source_ip_groups  = [azurerm_ip_group.test_source.id]
+      destination_fqdns = ["pluginsdk.io"]
+    }
+    rule {
+      name = "app_rule_collection1_rule3"
+      protocols {
+        type = "Http"
+        port = 80
+      }
+      protocols {
+        type = "Https"
+        port = 443
+      }
+      source_addresses      = ["10.0.0.1", "10.0.0.2"]
+      destination_fqdn_tags = ["WindowsDiagnostics"]
+    }
+  }
+  network_rule_collection {
+    name     = "network_rule_collection1"
+    priority = 400
+    action   = "Deny"
+    rule {
+      name                  = "network_rule_collection1_rule1"
+      protocols             = ["TCP", "UDP"]
+      source_addresses      = ["10.0.0.1"]
+      destination_addresses = ["192.168.1.2", "ApiManagement"]
+      destination_ports     = ["80", "1-65535"]
+    }
+    rule {
+      name              = "network_rule_collection1_rule2"
+      protocols         = ["TCP", "UDP"]
+      source_addresses  = ["10.0.0.1", "10.0.0.2"]
+      destination_fqdns = ["time.windows.com"]
+      destination_ports = ["80", "1-65535"]
+    }
+    rule {
+      name                  = "network_rule_collection1_rule3"
+      protocols             = ["TCP"]
+      source_ip_groups      = [azurerm_ip_group.test_source.id]
+      destination_ip_groups = [azurerm_ip_group.test_destination.id]
+      destination_ports     = ["80", "1-65535"]
+    }
+    rule {
+      name                  = "network_rule_collection1_rule4"
+      protocols             = ["ICMP"]
+      source_ip_groups      = [azurerm_ip_group.test_source.id]
+      destination_ip_groups = [azurerm_ip_group.test_destination.id]
+      destination_ports     = ["*"]
+    }
+  }
+  nat_rule_collection {
+    name     = "nat_rule_collection1"
+    priority = 300
+    action   = "Dnat"
+    rule {
+      name                = "nat_rule_collection1_rule1"
+      protocols           = ["TCP", "UDP"]
+      source_addresses    = ["10.0.0.1", "10.0.0.2"]
+      destination_address = "192.168.1.1"
+      destination_ports   = ["80"]
+      translated_address  = "192.168.0.1"
+      translated_port     = "8080"
+    }
+  }
+}
+`, data.RandomInteger, data.Locations.Primary)
+}
+
+func (FirewallPolicyRuleCollectionGroupResource) completePremium(data acceptance.TestData) string {
+	return fmt.Sprintf(`
+provider "azurerm" {
+  features {}
+}
 
 resource "azurerm_resource_group" "test" {
   name     = "acctestRG-fwpolicy-RCG-%[1]d"
   location = "%[2]s"
+  lifecycle {
+    ignore_changes = [tags]
+  }
 }
 
 resource "azurerm_firewall_policy" "test" {
@@ -149,6 +436,9 @@ resource "azurerm_firewall_policy" "test" {
     network_rule_fqdn_enabled = false
     proxy_enabled             = true
   }
+  lifecycle {
+    ignore_changes = [tags]
+  }
 }
 
 resource "azurerm_ip_group" "test_source" {
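Review bot: The `lifecycle { ignore_changes = [tags] }` block added to `azurerm_firewall_policy.test` here, and to the resource group and both IP groups in the neighbouring hunks, reads like a workaround for tags applied outside Terraform (presumably a policy in the author's subscription). In a shared acceptance fixture it suppresses the tag drift that the test's plan check would otherwise surface, so a tag-handling regression on these resources could pass unnoticed. Drop the blocks from the committed fixture and keep the workaround local. The enclosing fixture function starts and ends outside this hunk.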
@@ -156,6 +446,9 @@ resource "azurerm_ip_group" "test_source" {
   location            = azurerm_resource_group.test.location
   resource_group_name = azurerm_resource_group.test.name
   cidrs               = ["1.2.3.4/32", "12.34.56.0/24"]
+  lifecycle {
+    ignore_changes = [tags]
+  }
 }
 
 resource "azurerm_ip_group" "test_destination" {
@@ -163,6 +456,9 @@ resource "azurerm_ip_group" "test_destination" {
   location            = azurerm_resource_group.test.location
   resource_group_name = azurerm_resource_group.test.name
   cidrs               = ["192.168.0.0/25", "192.168.0.192/26"]
+  lifecycle {
+    ignore_changes = [tags]
+  }
 }
 
 resource "azurerm_firewall_policy_rule_collection_group" "test" {
@@ -287,7 +583,7 @@ resource "azurerm_firewall_policy_rule_collection_group" "test" {
 `, data.RandomInteger, data.Locations.Primary)
 }
 
-func (FirewallPolicyRuleCollectionGroupResource) update(data acceptance.TestData) string {
+func (FirewallPolicyRuleCollectionGroupResource) updatePremium(data acceptance.TestData) string {
 	return fmt.Sprintf(`
 provider "azurerm" {
   features {}
@@ -296,6 +592,9 @@ provider "azurerm" {
 resource "azurerm_resource_group" "test" {
   name     = "acctestRG-fwpolicy-RCG-%[1]d"
   location = "%[2]s"
+  lifecycle {
+    ignore_changes = [tags]
+  }
 }
 
 resource "azurerm_firewall_policy" "test" {
@@ -332,6 +631,7 @@ resource "azurerm_firewall_policy_rule_collection_group" "test" {
     action   = "Deny"
     rule {
       name = "app_rule_collection1_rule1"
+      description = "app_rule_collection1_rule1"
       protocols {
         type = "Http"
         port = 80
@@ -340,20 +640,28 @@ resource "azurerm_firewall_policy_rule_collection_group" "test" {
         type = "Https"
         port = 443
       }
-      source_addresses  = ["10.0.0.1", "10.0.0.2"]
-      destination_fqdns = ["pluginsdk.io"]
+      source_addresses      = ["10.0.0.1"]
+      destination_addresses = ["10.0.0.1"]
+      destination_urls      = ["www.google.com/en"]
+      terminate_tls         = true
+      web_categories        = ["News"]
     }
     rule {
       name = "app_rule_collection1_rule2"
+      description = "app_rule_collection1_rule2"
       protocols {
         type = "Http"
         port = 80
       }
-      source_ip_groups  = [azurerm_ip_group.test_source.id]
-      destination_fqdns = ["pluginsdk.io"]
+      source_ip_groups      = [azurerm_ip_group.test_source.id]
+      destination_addresses = ["10.0.0.1"]
+      destination_fqdns     = ["pluginsdk.io"]
+      terminate_tls         = true
+      web_categories        = ["News"]
     }
     rule {
       name = "app_rule_collection1_rule3"
+      description = "app_rule_collection1_rule3"
       protocols {
         type = "Http"
         port = 80
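Review bot: `app_rule_collection1_rule2` sets `terminate_tls = true` although its only `protocols` block is `Http` on port 80, so that rule presumably never carries TLS traffic for the firewall to terminate, and the fixture shows a combination an operator should not copy. Either add an `Https`/443 `protocols` block to rule2 or set `terminate_tls = false` there. All three rules in this hunk and the next (`@@ -363,7 +671,10 @@`) use the same `terminate_tls = true` and `web_categories = ["News"]` values; if `completePremium` sets them too (not visible from this hunk), the update step never changes either attribute, and making one of them differ would exercise the update path. The `updatePremium` body starts and ends outside the hunk.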
@@ -363,7 +671,10 @@ resource "azurerm_firewall_policy_rule_collection_group" "test" {
         port = 443
       }
       source_addresses      = ["10.0.0.1", "10.0.0.2"]
-      destination_fqdn_tags = ["WindowsDiagnostics"]
+      destination_addresses = ["10.0.0.1", "10.0.0.2"]
+      destination_urls      = ["www.google.com/en"]
+      terminate_tls         = true
+      web_categories        = ["News"]
     }
   }
 

From 8d1760c6349ece82d8d46287a94d476fcb86441c Mon Sep 17 00:00:00 2001
From: Michael Gross <leachimgross@gmail.com>
Date: Thu, 2 Sep 2021 21:32:41 +0200
Subject: [PATCH 09/12] remove lifecycle ignore_changes blocks

---
 ...icy_rule_collection_group_resource_test.go | 36 -------------------
 1 file changed, 36 deletions(-)

diff --git a/internal/services/firewall/firewall_policy_rule_collection_group_resource_test.go b/internal/services/firewall/firewall_policy_rule_collection_group_resource_test.go
index 3529188fc8f7..f70470ca8499 100644
--- a/internal/services/firewall/firewall_policy_rule_collection_group_resource_test.go
+++ b/internal/services/firewall/firewall_policy_rule_collection_group_resource_test.go
@@ -113,18 +113,12 @@ provider "azurerm" {
 resource "azurerm_resource_group" "test" {
   name     = "acctestRG-fwpolicy-RCG-%[1]d"
   location = "%[2]s"
-  lifecycle {
-    ignore_changes = [tags]
-  }
 }
 
 resource "azurerm_firewall_policy" "test" {
   name                = "acctest-fwpolicy-RCG-%[1]d"
   resource_group_name = azurerm_resource_group.test.name
   location            = azurerm_resource_group.test.location
-  lifecycle {
-    ignore_changes = [tags]
-  }
 }
 
 resource "azurerm_firewall_policy_rule_collection_group" "test" {
@@ -143,9 +137,6 @@ provider "azurerm" {
 resource "azurerm_resource_group" "test" {
   name     = "acctestRG-fwpolicy-RCG-%[1]d"
   location = "%[2]s"
-  lifecycle {
-    ignore_changes = [tags]
-  }
 }
 resource "azurerm_firewall_policy" "test" {
   name                = "acctest-fwpolicy-RCG-%[1]d"
@@ -155,27 +146,18 @@ resource "azurerm_firewall_policy" "test" {
     network_rule_fqdn_enabled = false
     proxy_enabled             = true
   }
-  lifecycle {
-    ignore_changes = [tags]
-  }
 }
 resource "azurerm_ip_group" "test_source" {
   name                = "acctestIpGroupForFirewallPolicySource"
   location            = azurerm_resource_group.test.location
   resource_group_name = azurerm_resource_group.test.name
   cidrs               = ["1.2.3.4/32", "12.34.56.0/24"]
-  lifecycle {
-    ignore_changes = [tags]
-  }
 }
 resource "azurerm_ip_group" "test_destination" {
   name                = "acctestIpGroupForFirewallPolicyDest"
   location            = azurerm_resource_group.test.location
   resource_group_name = azurerm_resource_group.test.name
   cidrs               = ["192.168.0.0/25", "192.168.0.192/26"]
-  lifecycle {
-    ignore_changes = [tags]
-  }
 }
 resource "azurerm_firewall_policy_rule_collection_group" "test" {
   name               = "acctest-fwpolicy-RCG-%[1]d"
@@ -293,9 +275,6 @@ provider "azurerm" {
 resource "azurerm_resource_group" "test" {
   name     = "acctestRG-fwpolicy-RCG-%[1]d"
   location = "%[2]s"
-  lifecycle {
-    ignore_changes = [tags]
-  }
 }
 resource "azurerm_firewall_policy" "test" {
   name                = "acctest-fwpolicy-RCG-%[1]d"
@@ -422,9 +401,6 @@ provider "azurerm" {
 resource "azurerm_resource_group" "test" {
   name     = "acctestRG-fwpolicy-RCG-%[1]d"
   location = "%[2]s"
-  lifecycle {
-    ignore_changes = [tags]
-  }
 }
 
 resource "azurerm_firewall_policy" "test" {
@@ -436,9 +412,6 @@ resource "azurerm_firewall_policy" "test" {
     network_rule_fqdn_enabled = false
     proxy_enabled             = true
   }
-  lifecycle {
-    ignore_changes = [tags]
-  }
 }
 
 resource "azurerm_ip_group" "test_source" {
@@ -446,9 +419,6 @@ resource "azurerm_ip_group" "test_source" {
   location            = azurerm_resource_group.test.location
   resource_group_name = azurerm_resource_group.test.name
   cidrs               = ["1.2.3.4/32", "12.34.56.0/24"]
-  lifecycle {
-    ignore_changes = [tags]
-  }
 }
 
 resource "azurerm_ip_group" "test_destination" {
@@ -456,9 +426,6 @@ resource "azurerm_ip_group" "test_destination" {
   location            = azurerm_resource_group.test.location
   resource_group_name = azurerm_resource_group.test.name
   cidrs               = ["192.168.0.0/25", "192.168.0.192/26"]
-  lifecycle {
-    ignore_changes = [tags]
-  }
 }
 
 resource "azurerm_firewall_policy_rule_collection_group" "test" {
@@ -592,9 +559,6 @@ provider "azurerm" {
 resource "azurerm_resource_group" "test" {
   name     = "acctestRG-fwpolicy-RCG-%[1]d"
   location = "%[2]s"
-  lifecycle {
-    ignore_changes = [tags]
-  }
 }
 
 resource "azurerm_firewall_policy" "test" {

From b12912808ce6a3e478a72ed9a5443d2d565c07b8 Mon Sep 17 00:00:00 2001
From: Michael Gross <leachimgross@gmail.com>
Date: Thu, 2 Sep 2021 21:42:53 +0200
Subject: [PATCH 10/12] add tests for Premium

---
 ...icy_rule_collection_group_resource_test.go | 44 +++++++++++++++++++
 1 file changed, 44 insertions(+)

diff --git a/internal/services/firewall/firewall_policy_rule_collection_group_resource_test.go b/internal/services/firewall/firewall_policy_rule_collection_group_resource_test.go
index f70470ca8499..65e2eb24ea2c 100644
--- a/internal/services/firewall/firewall_policy_rule_collection_group_resource_test.go
+++ b/internal/services/firewall/firewall_policy_rule_collection_group_resource_test.go
@@ -46,6 +46,21 @@ func TestAccFirewallPolicyRuleCollectionGroup_complete(t *testing.T) {
 	})
 }
 
+func TestAccFirewallPolicyRuleCollectionGroup_completePremium(t *testing.T) {
+	data := acceptance.BuildTestData(t, "azurerm_firewall_policy_rule_collection_group", "test")
+	r := FirewallPolicyRuleCollectionGroupResource{}
+
+	data.ResourceTest(t, r, []acceptance.TestStep{
+		{
+			Config: r.completePremium(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+			),
+		},
+		data.ImportStep(),
+	})
+}
+
 func TestAccFirewallPolicyRuleCollectionGroup_update(t *testing.T) {
 	data := acceptance.BuildTestData(t, "azurerm_firewall_policy_rule_collection_group", "test")
 	r := FirewallPolicyRuleCollectionGroupResource{}
@@ -75,6 +90,35 @@ func TestAccFirewallPolicyRuleCollectionGroup_update(t *testing.T) {
 	})
 }
 
+func TestAccFirewallPolicyRuleCollectionGroup_updatePremium(t *testing.T) {
+	data := acceptance.BuildTestData(t, "azurerm_firewall_policy_rule_collection_group", "test")
+	r := FirewallPolicyRuleCollectionGroupResource{}
+
+	data.ResourceTest(t, r, []acceptance.TestStep{
+		{
+			Config: r.completePremium(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+			),
+		},
+		data.ImportStep(),
+		{
+			Config: r.updatePremium(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+			),
+		},
+		data.ImportStep(),
+		{
+			Config: r.completePremium(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+			),
+		},
+		data.ImportStep(),
+	})
+}
+
 func TestAccFirewallPolicyRuleCollectionGroup_requiresImport(t *testing.T) {
 	data := acceptance.BuildTestData(t, "azurerm_firewall_policy_rule_collection_group", "test")
 	r := FirewallPolicyRuleCollectionGroupResource{}

From 05d3e670bc4a89f5c7ca83b54b0fc9cdcd5f841d Mon Sep 17 00:00:00 2001
From: Michael Gross <leachimgross@gmail.com>
Date: Thu, 2 Sep 2021 21:53:13 +0200
Subject: [PATCH 11/12] all tests pass (also Premium)

---
 ...icy_rule_collection_group_resource_test.go | 60 ++++++++++++-------
 1 file changed, 39 insertions(+), 21 deletions(-)

diff --git a/internal/services/firewall/firewall_policy_rule_collection_group_resource_test.go b/internal/services/firewall/firewall_policy_rule_collection_group_resource_test.go
index 65e2eb24ea2c..b732e2f52da4 100644
--- a/internal/services/firewall/firewall_policy_rule_collection_group_resource_test.go
+++ b/internal/services/firewall/firewall_policy_rule_collection_group_resource_test.go
@@ -153,18 +153,21 @@ func (FirewallPolicyRuleCollectionGroupResource) basic(data acceptance.TestData)
 provider "azurerm" {
   features {}
 }
-
 resource "azurerm_resource_group" "test" {
   name     = "acctestRG-fwpolicy-RCG-%[1]d"
   location = "%[2]s"
+  lifecycle {
+    ignore_changes = [tags]
+  }
 }
-
 resource "azurerm_firewall_policy" "test" {
   name                = "acctest-fwpolicy-RCG-%[1]d"
   resource_group_name = azurerm_resource_group.test.name
   location            = azurerm_resource_group.test.location
+  lifecycle {
+    ignore_changes = [tags]
+  }
 }
-
 resource "azurerm_firewall_policy_rule_collection_group" "test" {
   name               = "acctest-fwpolicy-RCG-%[1]d"
   firewall_policy_id = azurerm_firewall_policy.test.id
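Review bot: The empty lines that separated the top-level HCL blocks in the `basic` fixture are deleted here, and the same deletion repeats in the `completePremium`, `updatePremium` and `requiresImport` hunks below. This is unrelated to making the tests pass and makes the embedded configuration harder to scan, so keep one blank line between `provider`, `resource` and nested collection blocks as the fixtures had before. Whitespace churn of this kind also hides the functional part of the commit, which is only the `lifecycle` blocks and the `name`/`description` alignment. `basic` starts and ends outside the hunk.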
@@ -181,6 +184,9 @@ provider "azurerm" {
 resource "azurerm_resource_group" "test" {
   name     = "acctestRG-fwpolicy-RCG-%[1]d"
   location = "%[2]s"
+  lifecycle {
+    ignore_changes = [tags]
+  }
 }
 resource "azurerm_firewall_policy" "test" {
   name                = "acctest-fwpolicy-RCG-%[1]d"
@@ -190,18 +196,27 @@ resource "azurerm_firewall_policy" "test" {
     network_rule_fqdn_enabled = false
     proxy_enabled             = true
   }
+  lifecycle {
+    ignore_changes = [tags]
+  }
 }
 resource "azurerm_ip_group" "test_source" {
   name                = "acctestIpGroupForFirewallPolicySource"
   location            = azurerm_resource_group.test.location
   resource_group_name = azurerm_resource_group.test.name
   cidrs               = ["1.2.3.4/32", "12.34.56.0/24"]
+  lifecycle {
+    ignore_changes = [tags]
+  }
 }
 resource "azurerm_ip_group" "test_destination" {
   name                = "acctestIpGroupForFirewallPolicyDest"
   location            = azurerm_resource_group.test.location
   resource_group_name = azurerm_resource_group.test.name
   cidrs               = ["192.168.0.0/25", "192.168.0.192/26"]
+  lifecycle {
+    ignore_changes = [tags]
+  }
 }
 resource "azurerm_firewall_policy_rule_collection_group" "test" {
   name               = "acctest-fwpolicy-RCG-%[1]d"
@@ -319,6 +334,9 @@ provider "azurerm" {
 resource "azurerm_resource_group" "test" {
   name     = "acctestRG-fwpolicy-RCG-%[1]d"
   location = "%[2]s"
+  lifecycle {
+    ignore_changes = [tags]
+  }
 }
 resource "azurerm_firewall_policy" "test" {
   name                = "acctest-fwpolicy-RCG-%[1]d"
@@ -441,12 +459,13 @@ func (FirewallPolicyRuleCollectionGroupResource) completePremium(data acceptance
 provider "azurerm" {
   features {}
 }
-
 resource "azurerm_resource_group" "test" {
   name     = "acctestRG-fwpolicy-RCG-%[1]d"
   location = "%[2]s"
+  lifecycle {
+    ignore_changes = [tags]
+  }
 }
-
 resource "azurerm_firewall_policy" "test" {
   name                = "acctest-fwpolicy-RCG-%[1]d"
   resource_group_name = azurerm_resource_group.test.name
@@ -456,22 +475,28 @@ resource "azurerm_firewall_policy" "test" {
     network_rule_fqdn_enabled = false
     proxy_enabled             = true
   }
+  lifecycle {
+    ignore_changes = [tags]
+  }
 }
-
 resource "azurerm_ip_group" "test_source" {
   name                = "acctestIpGroupForFirewallPolicySource"
   location            = azurerm_resource_group.test.location
   resource_group_name = azurerm_resource_group.test.name
   cidrs               = ["1.2.3.4/32", "12.34.56.0/24"]
+  lifecycle {
+    ignore_changes = [tags]
+  }
 }
-
 resource "azurerm_ip_group" "test_destination" {
   name                = "acctestIpGroupForFirewallPolicyDest"
   location            = azurerm_resource_group.test.location
   resource_group_name = azurerm_resource_group.test.name
   cidrs               = ["192.168.0.0/25", "192.168.0.192/26"]
+  lifecycle {
+    ignore_changes = [tags]
+  }
 }
-
 resource "azurerm_firewall_policy_rule_collection_group" "test" {
   name               = "acctest-fwpolicy-RCG-%[1]d"
   firewall_policy_id = azurerm_firewall_policy.test.id
@@ -532,7 +557,6 @@ resource "azurerm_firewall_policy_rule_collection_group" "test" {
       web_categories        = ["News"]
     }
   }
-
   network_rule_collection {
     name     = "network_rule_collection1"
     priority = 400
@@ -566,7 +590,6 @@ resource "azurerm_firewall_policy_rule_collection_group" "test" {
       destination_ports     = ["*"]
     }
   }
-
   nat_rule_collection {
     name     = "nat_rule_collection1"
     priority = 300
@@ -599,12 +622,13 @@ func (FirewallPolicyRuleCollectionGroupResource) updatePremium(data acceptance.T
 provider "azurerm" {
   features {}
 }
-
 resource "azurerm_resource_group" "test" {
   name     = "acctestRG-fwpolicy-RCG-%[1]d"
   location = "%[2]s"
+  lifecycle {
+    ignore_changes = [tags]
+  }
 }
-
 resource "azurerm_firewall_policy" "test" {
   name                = "acctest-fwpolicy-RCG-%[1]d"
   resource_group_name = azurerm_resource_group.test.name
@@ -614,21 +638,18 @@ resource "azurerm_firewall_policy" "test" {
     proxy_enabled             = true
   }
 }
-
 resource "azurerm_ip_group" "test_source" {
   name                = "acctestIpGroupForFirewallPolicySource"
   location            = azurerm_resource_group.test.location
   resource_group_name = azurerm_resource_group.test.name
   cidrs               = ["1.2.3.4/32", "12.34.56.0/24"]
 }
-
 resource "azurerm_ip_group" "test_destination" {
   name                = "acctestIpGroupForFirewallPolicyDest"
   location            = azurerm_resource_group.test.location
   resource_group_name = azurerm_resource_group.test.name
   cidrs               = ["192.168.0.0/25", "192.168.0.192/26"]
 }
-
 resource "azurerm_firewall_policy_rule_collection_group" "test" {
   name               = "acctest-fwpolicy-RCG-%[1]d"
   firewall_policy_id = azurerm_firewall_policy.test.id
@@ -638,7 +659,7 @@ resource "azurerm_firewall_policy_rule_collection_group" "test" {
     priority = 500
     action   = "Deny"
     rule {
-      name = "app_rule_collection1_rule1"
+      name        = "app_rule_collection1_rule1"
       description = "app_rule_collection1_rule1"
       protocols {
         type = "Http"
@@ -655,7 +676,7 @@ resource "azurerm_firewall_policy_rule_collection_group" "test" {
       web_categories        = ["News"]
     }
     rule {
-      name = "app_rule_collection1_rule2"
+      name        = "app_rule_collection1_rule2"
       description = "app_rule_collection1_rule2"
       protocols {
         type = "Http"
@@ -668,7 +689,7 @@ resource "azurerm_firewall_policy_rule_collection_group" "test" {
       web_categories        = ["News"]
     }
     rule {
-      name = "app_rule_collection1_rule3"
+      name        = "app_rule_collection1_rule3"
       description = "app_rule_collection1_rule3"
       protocols {
         type = "Http"
@@ -685,7 +706,6 @@ resource "azurerm_firewall_policy_rule_collection_group" "test" {
       web_categories        = ["News"]
     }
   }
-
   network_rule_collection {
     name     = "network_rule_collection1"
     priority = 400
@@ -719,7 +739,6 @@ resource "azurerm_firewall_policy_rule_collection_group" "test" {
       destination_ports     = ["*"]
     }
   }
-
   nat_rule_collection {
     name     = "nat_rule_collection1"
     priority = 300
@@ -742,7 +761,6 @@ func (FirewallPolicyRuleCollectionGroupResource) requiresImport(data acceptance.
 	template := FirewallPolicyRuleCollectionGroupResource{}.basic(data)
 	return fmt.Sprintf(`
 %s
-
 resource "azurerm_firewall_policy_rule_collection_group" "import" {
   name               = azurerm_firewall_policy_rule_collection_group.test.name
   firewall_policy_id = azurerm_firewall_policy_rule_collection_group.test.firewall_policy_id

From 0c2ba48e3fd43d2faead27d7e973024a4f3dbe23 Mon Sep 17 00:00:00 2001
From: Michael Gross <leachimgross@gmail.com>
Date: Thu, 2 Sep 2021 21:56:05 +0200
Subject: [PATCH 12/12] remove lifecycle ignore_changes

---
 ...icy_rule_collection_group_resource_test.go | 36 -------------------
 1 file changed, 36 deletions(-)

diff --git a/internal/services/firewall/firewall_policy_rule_collection_group_resource_test.go b/internal/services/firewall/firewall_policy_rule_collection_group_resource_test.go
index b732e2f52da4..32d52379524d 100644
--- a/internal/services/firewall/firewall_policy_rule_collection_group_resource_test.go
+++ b/internal/services/firewall/firewall_policy_rule_collection_group_resource_test.go
@@ -156,17 +156,11 @@ provider "azurerm" {
 resource "azurerm_resource_group" "test" {
   name     = "acctestRG-fwpolicy-RCG-%[1]d"
   location = "%[2]s"
-  lifecycle {
-    ignore_changes = [tags]
-  }
 }
 resource "azurerm_firewall_policy" "test" {
   name                = "acctest-fwpolicy-RCG-%[1]d"
   resource_group_name = azurerm_resource_group.test.name
   location            = azurerm_resource_group.test.location
-  lifecycle {
-    ignore_changes = [tags]
-  }
 }
 resource "azurerm_firewall_policy_rule_collection_group" "test" {
   name               = "acctest-fwpolicy-RCG-%[1]d"
@@ -184,9 +178,6 @@ provider "azurerm" {
 resource "azurerm_resource_group" "test" {
   name     = "acctestRG-fwpolicy-RCG-%[1]d"
   location = "%[2]s"
-  lifecycle {
-    ignore_changes = [tags]
-  }
 }
 resource "azurerm_firewall_policy" "test" {
   name                = "acctest-fwpolicy-RCG-%[1]d"
@@ -196,27 +187,18 @@ resource "azurerm_firewall_policy" "test" {
     network_rule_fqdn_enabled = false
     proxy_enabled             = true
   }
-  lifecycle {
-    ignore_changes = [tags]
-  }
 }
 resource "azurerm_ip_group" "test_source" {
   name                = "acctestIpGroupForFirewallPolicySource"
   location            = azurerm_resource_group.test.location
   resource_group_name = azurerm_resource_group.test.name
   cidrs               = ["1.2.3.4/32", "12.34.56.0/24"]
-  lifecycle {
-    ignore_changes = [tags]
-  }
 }
 resource "azurerm_ip_group" "test_destination" {
   name                = "acctestIpGroupForFirewallPolicyDest"
   location            = azurerm_resource_group.test.location
   resource_group_name = azurerm_resource_group.test.name
   cidrs               = ["192.168.0.0/25", "192.168.0.192/26"]
-  lifecycle {
-    ignore_changes = [tags]
-  }
 }
 resource "azurerm_firewall_policy_rule_collection_group" "test" {
   name               = "acctest-fwpolicy-RCG-%[1]d"
@@ -334,9 +316,6 @@ provider "azurerm" {
 resource "azurerm_resource_group" "test" {
   name     = "acctestRG-fwpolicy-RCG-%[1]d"
   location = "%[2]s"
-  lifecycle {
-    ignore_changes = [tags]
-  }
 }
 resource "azurerm_firewall_policy" "test" {
   name                = "acctest-fwpolicy-RCG-%[1]d"
@@ -462,9 +441,6 @@ provider "azurerm" {
 resource "azurerm_resource_group" "test" {
   name     = "acctestRG-fwpolicy-RCG-%[1]d"
   location = "%[2]s"
-  lifecycle {
-    ignore_changes = [tags]
-  }
 }
 resource "azurerm_firewall_policy" "test" {
   name                = "acctest-fwpolicy-RCG-%[1]d"
@@ -475,27 +451,18 @@ resource "azurerm_firewall_policy" "test" {
     network_rule_fqdn_enabled = false
     proxy_enabled             = true
   }
-  lifecycle {
-    ignore_changes = [tags]
-  }
 }
 resource "azurerm_ip_group" "test_source" {
   name                = "acctestIpGroupForFirewallPolicySource"
   location            = azurerm_resource_group.test.location
   resource_group_name = azurerm_resource_group.test.name
   cidrs               = ["1.2.3.4/32", "12.34.56.0/24"]
-  lifecycle {
-    ignore_changes = [tags]
-  }
 }
 resource "azurerm_ip_group" "test_destination" {
   name                = "acctestIpGroupForFirewallPolicyDest"
   location            = azurerm_resource_group.test.location
   resource_group_name = azurerm_resource_group.test.name
   cidrs               = ["192.168.0.0/25", "192.168.0.192/26"]
-  lifecycle {
-    ignore_changes = [tags]
-  }
 }
 resource "azurerm_firewall_policy_rule_collection_group" "test" {
   name               = "acctest-fwpolicy-RCG-%[1]d"
@@ -625,9 +592,6 @@ provider "azurerm" {
 resource "azurerm_resource_group" "test" {
   name     = "acctestRG-fwpolicy-RCG-%[1]d"
   location = "%[2]s"
-  lifecycle {
-    ignore_changes = [tags]
-  }
 }
 resource "azurerm_firewall_policy" "test" {
   name                = "acctest-fwpolicy-RCG-%[1]d"