diff --git a/internal/services/network/web_application_firewall_policy_resource.go b/internal/services/network/web_application_firewall_policy_resource.go
index 16e2e0ce25b5..4aac77187b3b 100644
--- a/internal/services/network/web_application_firewall_policy_resource.go
+++ b/internal/services/network/web_application_firewall_policy_resource.go
@@ -4,7 +4,6 @@
 package network
 import (
- "context"
 "fmt"
 "log"
 "time"
@@ -29,9 +28,9 @@ import (
 func resourceWebApplicationFirewallPolicy() *pluginsdk.Resource {
 resource := &pluginsdk.Resource{
- Create: resourceWebApplicationFirewallPolicyCreateUpdate,
+ Create: resourceWebApplicationFirewallPolicyCreate,
 Read: resourceWebApplicationFirewallPolicyRead,
- Update: resourceWebApplicationFirewallPolicyCreateUpdate,
+ Update: resourceWebApplicationFirewallPolicyUpdate,
 Delete: resourceWebApplicationFirewallPolicyDelete,
 Importer: pluginsdk.ImporterValidatingResourceId(func(id string) error {
 _, err := webapplicationfirewallpolicies.ParseApplicationGatewayWebApplicationFirewallPolicyID(id)
@@ -473,25 +472,6 @@ func resourceWebApplicationFirewallPolicy() *pluginsdk.Resource {
 "tags": commonschema.Tags(),
 },
-
- CustomizeDiff: pluginsdk.CustomizeDiffShim(func(ctx context.Context, diff *pluginsdk.ResourceDiff, v interface{}) error {
- if !features.FourPointOhBeta() {
- // Since ConflictsWith cannot be used on these properties and the properties are optional and computed, diff.GetOK may still return value even the property is not configured. Have to check the configuration with GetRawConfig
- managedRuleSetList := diff.GetRawConfig().AsValueMap()["managed_rules"].AsValueSlice()[0].AsValueMap()["managed_rule_set"].AsValueSlice()
- for _, managedRuleSetVal := range managedRuleSetList {
- ruleGroupOverrideList := managedRuleSetVal.AsValueMap()["rule_group_override"].AsValueSlice()
- for _, ruleGroupOverrideVal := range ruleGroupOverrideList {
- disabledRules := ruleGroupOverrideVal.AsValueMap()["disabled_rules"]
- ruleList := ruleGroupOverrideVal.AsValueMap()["rule"].AsValueSlice()
- if !disabledRules.IsNull() && len(ruleList) != 0 {
- return fmt.Errorf("`disabled_rules` cannot be set when `rule` is set under `rule_group_override`")
- }
- }
- }
- }
-
- return nil
- }),
 }
 if !features.FourPointOhBeta() {
@@ -509,25 +489,23 @@ func resourceWebApplicationFirewallPolicy() *pluginsdk.Resource {
 return resource
 }
-func resourceWebApplicationFirewallPolicyCreateUpdate(d *pluginsdk.ResourceData, meta interface{}) error {
+func resourceWebApplicationFirewallPolicyCreate(d *pluginsdk.ResourceData, meta interface{}) error {
 client := meta.(*clients.Client).Network.WebApplicationFirewallPolicies
 subscriptionId := meta.(*clients.Client).Account.SubscriptionId
- ctx, cancel := timeouts.ForCreateUpdate(meta.(*clients.Client).StopContext, d)
+ ctx, cancel := timeouts.ForCreate(meta.(*clients.Client).StopContext, d)
 defer cancel()
 id := webapplicationfirewallpolicies.NewApplicationGatewayWebApplicationFirewallPolicyID(subscriptionId, d.Get("resource_group_name").(string), d.Get("name").(string))
- if d.IsNewResource() {
- resp, err := client.Get(ctx, id)
- if err != nil {
- if !response.WasNotFound(resp.HttpResponse) {
- return fmt.Errorf("checking for present of existing %s: %+v", id, err)
- }
- }
+ resp, err := client.Get(ctx, id)
+ if err != nil {
 if !response.WasNotFound(resp.HttpResponse) {
- return tf.ImportAsExistsError("azurerm_web_application_firewall_policy", id.ID())
+ return fmt.Errorf("checking for present of existing %s: %+v", id, err)
 }
 }
+ if !response.WasNotFound(resp.HttpResponse) {
+ return tf.ImportAsExistsError("azurerm_web_application_firewall_policy", id.ID())
+ }
 location := azure.NormalizeLocation(d.Get("location").(string))
 customRules := d.Get("custom_rules").([]interface{})
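Review bot: The error string kept in resourceWebApplicationFirewallPolicyCreate, `checking for present of existing %s: %+v`, has a typo that will show up in operator-facing output; `checking for presence of existing %s: %+v` reads correctly. Since the existence check is no longer nested under `d.IsNewResource()`, a one-line comment above `client.Get` such as `// Create must never adopt a policy that already exists; it has to be imported instead.` would record why the lookup is unconditional. The function body continues past the end of the hunk.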
@@ -559,6 +537,55 @@ func resourceWebApplicationFirewallPolicyCreateUpdate(d *pluginsdk.ResourceData,
 return resourceWebApplicationFirewallPolicyRead(d, meta)
 }
+func resourceWebApplicationFirewallPolicyUpdate(d *pluginsdk.ResourceData, meta interface{}) error {
+ client := meta.(*clients.Client).Network.WebApplicationFirewallPolicies
+ subscriptionId := meta.(*clients.Client).Account.SubscriptionId
+ ctx, cancel := timeouts.ForUpdate(meta.(*clients.Client).StopContext, d)
+ defer cancel()
+
+ id := webapplicationfirewallpolicies.NewApplicationGatewayWebApplicationFirewallPolicyID(subscriptionId, d.Get("resource_group_name").(string), d.Get("name").(string))
+
+ resp, err := client.Get(ctx, id)
+ if err != nil {
+ return fmt.Errorf("retrieving %s: %+v", id, err)
+ }
+
+ if resp.Model == nil {
+ return fmt.Errorf("retrieving %s: model was nil", id)
+ }
+ if resp.Model.Properties == nil {
+ return fmt.Errorf("retrieving %s: properties was nil", id)
+ }
+
+ model := resp.Model
+
+ if d.HasChange("custom_rules") {
+ model.Properties.CustomRules = expandWebApplicationFirewallPolicyWebApplicationFirewallCustomRule(d.Get("custom_rules").([]interface{}))
+ }
+
+ if d.HasChange("policy_settings") {
+ model.Properties.PolicySettings = expandWebApplicationFirewallPolicyPolicySettings(d.Get("policy_settings").([]interface{}))
+ }
+
+ if d.HasChange("managed_rules") {
+ expandedManagedRules, err := expandWebApplicationFirewallPolicyManagedRulesDefinition(d.Get("managed_rules").([]interface{}), d)
+ if err != nil {
+ return err
+ }
+ model.Properties.ManagedRules = pointer.From(expandedManagedRules)
+ }
+
+ if d.HasChange("tags") {
+ model.Tags = tags.Expand(d.Get("tags").(map[string]interface{}))
+ }
+
+ if _, err := client.CreateOrUpdate(ctx, id, *model); err != nil {
+ return fmt.Errorf("creating %s: %+v", id, err)
+ }
+
+ return resourceWebApplicationFirewallPolicyRead(d, meta)
+}
+
 func resourceWebApplicationFirewallPolicyRead(d *pluginsdk.ResourceData, meta interface{}) error {
 client := meta.(*clients.Client).Network.WebApplicationFirewallPolicies
 ctx, cancel := timeouts.ForRead(meta.(*clients.Client).StopContext, d)
@@ -893,6 +920,11 @@ func expandWebApplicationFirewallPolicyRuleGroupOverrides(input []interface{}, d
 return nil, fmt.Errorf("rule group override index %d exceeds raw config length %d", i, len(ruleGroupOverrideList))
 }
+ // Since ConflictsWith cannot be used on these properties and the properties are optional and computed, Have to check the configuration with GetRawConfig
+ if !ruleGroupOverrideList[i].AsValueMap()["rule"].IsNull() && len(ruleGroupOverrideList[i].AsValueMap()["rule"].AsValueSlice()) > 0 && !ruleGroupOverrideList[i].AsValueMap()["disabled_rules"].IsNull() {
+ return nil, fmt.Errorf("`disabled_rules` cannot be set when `rule` is set under `rule_group_override`")
+ }
+
 if disabledRules := v["disabled_rules"].([]interface{}); !ruleGroupOverrideList[i].AsValueMap()["disabled_rules"].IsNull() {
 result.Rules = expandWebApplicationFirewallPolicyRules(disabledRules)
 }
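Review bot: The failure branch of `client.CreateOrUpdate` in resourceWebApplicationFirewallPolicyUpdate reports `creating %s`, which will mislead anyone reading logs after a failed change to an existing WAF policy; it should be `return fmt.Errorf("updating %s: %+v", id, err)`. The function also sends back the whole model it read a moment earlier, and no concurrency precondition is visible in the hunk, so a change made to the policy between the `Get` and the `CreateOrUpdate` would presumably be overwritten. If that is accepted, a comment above `model := resp.Model` such as `// Read-modify-write: fields not managed here are sent back as retrieved.` would make the assumption explicit.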
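Review bot: The added conflict check in expandWebApplicationFirewallPolicyRuleGroupOverrides runs only when the expand function is called. Judging by the visible call path from the Update function, a configuration that sets both `disabled_rules` and `rule` is therefore rejected during apply rather than at plan time, and no longer only under `!features.FourPointOhBeta()`; the comment should state that this is intended. The condition also evaluates `ruleGroupOverrideList[i].AsValueMap()` three times, and the following line once more; binding it once with `rawOverride := ruleGroupOverrideList[i].AsValueMap()` would make the check easier to audit. The comment itself would read better as `// ConflictsWith cannot be used because these properties are optional and computed, so check the raw config instead.` The function starts and ends outside the hunk.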