resource_arm_application_gateway: add disabled_rule_group to waf_conf…

…iguration (#3394)
hashicorp · May 9, 2019 · d4ac51d · d4ac51d
1 parent 54ce523
commit d4ac51d
Show file tree

Hide file tree

Showing 3 changed files with 375 additions and 0 deletions.
diff --git a/azurerm/resource_arm_application_gateway.go b/azurerm/resource_arm_application_gateway.go
@@ -937,6 +937,50 @@ func resourceArmApplicationGateway() *schema.Resource {
 							ValidateFunc: validation.IntBetween(1, 128),
 							Default:      128,
 						},
+						"disabled_rule_group": {
+							Type:     schema.TypeList,
+							Optional: true,
+							Elem: &schema.Resource{
+								Schema: map[string]*schema.Schema{
+									"rule_group_name": {
+										Type:     schema.TypeString,
+										Required: true,
+										ValidateFunc: validation.StringInSlice([]string{
+											"crs_20_protocol_violations",
+											"crs_21_protocol_anomalies",
+											"crs_23_request_limits",
+											"crs_30_http_policy",
+											"crs_35_bad_robots",
+											"crs_40_generic_attacks",
+											"crs_41_sql_injection_attacks",
+											"crs_41_xss_attacks",
+											"crs_42_tight_security",
+											"crs_45_trojans",
+											"REQUEST-911-METHOD-ENFORCEMENT",
+											"REQUEST-913-SCANNER-DETECTION",
+											"REQUEST-920-PROTOCOL-ENFORCEMENT",
+											"REQUEST-921-PROTOCOL-ATTACK",
+											"REQUEST-930-APPLICATION-ATTACK-LFI",
+											"REQUEST-931-APPLICATION-ATTACK-RFI",
+											"REQUEST-932-APPLICATION-ATTACK-RCE",
+											"REQUEST-933-APPLICATION-ATTACK-PHP",
+											"REQUEST-941-APPLICATION-ATTACK-XSS",
+											"REQUEST-942-APPLICATION-ATTACK-SQLI",
+											"REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION",
+										}, false),
+									},
+
+									"rules": {
+										Type:     schema.TypeList,
+										Optional: true,
+										Elem: &schema.Schema{
+											Type:         schema.TypeInt,
+											ValidateFunc: validation.IntAtLeast(1),
+										},
+									},
+								},
+							},
+						},
 					},
 				},
 			},
@@ -2685,6 +2729,7 @@ func expandApplicationGatewayWafConfig(d *schema.ResourceData) *network.Applicat
 		FileUploadLimitInMb:    utils.Int32(int32(fileUploadLimitInMb)),
 		RequestBodyCheck:       utils.Bool(requestBodyCheck),
 		MaxRequestBodySizeInKb: utils.Int32(int32(maxRequestBodySizeInKb)),
+		DisabledRuleGroups:     expandApplicationGatewayFirewallDisabledRuleGroup(v["disabled_rule_group"].([]interface{})),
 	}
 }
 
@@ -2710,6 +2755,10 @@ func flattenApplicationGatewayWafConfig(input *network.ApplicationGatewayWebAppl
 		output["rule_set_version"] = *input.RuleSetVersion
 	}
 
+	if input.DisabledRuleGroups != nil {
+		output["disabled_rule_group"] = flattenApplicationGateWayDisabledRuleGroups(input.DisabledRuleGroups)
+	}
+
 	if input.FileUploadLimitInMb != nil {
 		output["file_upload_limit_mb"] = int(*input.FileUploadLimitInMb)
 	}
@@ -2727,6 +2776,58 @@ func flattenApplicationGatewayWafConfig(input *network.ApplicationGatewayWebAppl
 	return results
 }
 
+func expandApplicationGatewayFirewallDisabledRuleGroup(d []interface{}) *[]network.ApplicationGatewayFirewallDisabledRuleGroup {
+	if len(d) == 0 {
+		return nil
+	}
+
+	disabledRuleGroups := make([]network.ApplicationGatewayFirewallDisabledRuleGroup, 0)
+	for _, disabledRuleGroup := range d {
+		disabledRuleGroupMap := disabledRuleGroup.(map[string]interface{})
+
+		ruleGroupName := disabledRuleGroupMap["rule_group_name"].(string)
+
+		ruleGroup := network.ApplicationGatewayFirewallDisabledRuleGroup{
+			RuleGroupName: utils.String(ruleGroupName),
+		}
+
+		rules := make([]int32, 0)
+		for _, rule := range disabledRuleGroupMap["rules"].([]interface{}) {
+			rules = append(rules, int32(rule.(int)))
+		}
+
+		if len(rules) > 0 {
+			ruleGroup.Rules = &rules
+		}
+
+		disabledRuleGroups = append(disabledRuleGroups, ruleGroup)
+	}
+	return &disabledRuleGroups
+}
+
+func flattenApplicationGateWayDisabledRuleGroups(input *[]network.ApplicationGatewayFirewallDisabledRuleGroup) []interface{} {
+	ruleGroups := make([]interface{}, 0)
+	for _, ruleGroup := range *input {
+		ruleGroupOutput := map[string]interface{}{}
+
+		if ruleGroup.RuleGroupName != nil {
+			ruleGroupOutput["rule_group_name"] = *ruleGroup.RuleGroupName
+		}
+
+		ruleOutputs := make([]interface{}, 0)
+		if rules := ruleGroup.Rules; rules != nil {
+			for _, rule := range *rules {
+				ruleOutputs = append(ruleOutputs, rule)
+			}
+		}
+		ruleGroupOutput["rules"] = ruleOutputs
+
+		ruleGroups = append(ruleGroups, ruleGroupOutput)
+
+	}
+	return ruleGroups
+}
+
 func expandApplicationGatewayCustomErrorConfigurations(vs []interface{}) *[]network.ApplicationGatewayCustomError {
 	results := make([]network.ApplicationGatewayCustomError, 0)