azurerm_web_application_firewall_policy add enabled / disabled state for Custom Rules

internal/services/network/web_application_firewall_policy_resource.go

@@ -76,6 +76,11 @@ func resourceWebApplicationFirewallPolicy() *pluginsdk.Resource {
 								string(webapplicationfirewallpolicies.WebApplicationFirewallActionLog),
 							}, false),
 						},
+						"enabled": {
+							Type:     pluginsdk.TypeBool,
+							Optional: true,
+							Default:  true,
+						},
 						"match_conditions": {
 							Type:     pluginsdk.TypeList,
 							Required: true,
@@ -599,7 +604,13 @@ func expandWebApplicationFirewallPolicyWebApplicationFirewallCustomRule(input []
 		matchConditions := v["match_conditions"].([]interface{})
 		action := v["action"].(string)
 
+		enabled := webapplicationfirewallpolicies.WebApplicationFirewallStateEnabled
+		if value, ok := v["enabled"].(bool); ok && !value {
+			enabled = webapplicationfirewallpolicies.WebApplicationFirewallStateDisabled
+		}
+
 		result := webapplicationfirewallpolicies.WebApplicationFirewallCustomRule{
+			State:           pointer.To(enabled),
 			Action:          webapplicationfirewallpolicies.WebApplicationFirewallAction(action),
 			MatchConditions: expandWebApplicationFirewallPolicyMatchCondition(matchConditions),
 			Name:            pointer.To(name),
@@ -946,6 +957,7 @@ func flattenWebApplicationFirewallPolicyWebApplicationFirewallCustomRule(input *
 			v["name"] = *name
 		}
 		v["action"] = string(item.Action)
+		v["enabled"] = pointer.From(item.State) == webapplicationfirewallpolicies.WebApplicationFirewallStateEnabled
 		v["match_conditions"] = flattenWebApplicationFirewallPolicyMatchCondition(item.MatchConditions)
 		v["priority"] = int(item.Priority)
 		v["rule_type"] = string(item.RuleType)

internal/services/network/web_application_firewall_policy_resource_test.go

@@ -42,7 +42,8 @@ func TestAccWebApplicationFirewallPolicy_complete(t *testing.T) {
 			Config: r.complete(data),
 			Check: acceptance.ComposeTestCheckFunc(
 				check.That(data.ResourceName).ExistsInAzure(r),
-				check.That(data.ResourceName).Key("custom_rules.#").HasValue("2"),
+				check.That(data.ResourceName).Key("custom_rules.#").HasValue("3"),
+				check.That(data.ResourceName).Key("custom_rules.0.enabled").HasValue("true"),
 				check.That(data.ResourceName).Key("custom_rules.0.name").HasValue("Rule1"),
 				check.That(data.ResourceName).Key("custom_rules.0.priority").HasValue("1"),
 				check.That(data.ResourceName).Key("custom_rules.0.rule_type").HasValue("MatchRule"),
@@ -73,6 +74,19 @@ func TestAccWebApplicationFirewallPolicy_complete(t *testing.T) {
 				check.That(data.ResourceName).Key("custom_rules.1.match_conditions.1.match_values.#").HasValue("1"),
 				check.That(data.ResourceName).Key("custom_rules.1.match_conditions.1.match_values.0").HasValue("windows"),
 				check.That(data.ResourceName).Key("custom_rules.1.action").HasValue("Block"),
+				check.That(data.ResourceName).Key("custom_rules.2.enabled").HasValue("false"),
+				check.That(data.ResourceName).Key("custom_rules.2.name").HasValue("Rule3"),
+				check.That(data.ResourceName).Key("custom_rules.2.priority").HasValue("3"),
+				check.That(data.ResourceName).Key("custom_rules.2.rule_type").HasValue("MatchRule"),
+				check.That(data.ResourceName).Key("custom_rules.2.match_conditions.#").HasValue("1"),
+				check.That(data.ResourceName).Key("custom_rules.2.match_conditions.0.match_variables.#").HasValue("1"),
+				check.That(data.ResourceName).Key("custom_rules.2.match_conditions.0.match_variables.0.variable_name").HasValue("RemoteAddr"),
+				check.That(data.ResourceName).Key("custom_rules.2.match_conditions.0.operator").HasValue("IPMatch"),
+				check.That(data.ResourceName).Key("custom_rules.2.match_conditions.0.negation_condition").HasValue("false"),
+				check.That(data.ResourceName).Key("custom_rules.2.match_conditions.0.match_values.#").HasValue("2"),
+				check.That(data.ResourceName).Key("custom_rules.2.match_conditions.0.match_values.0").HasValue("192.168.1.0/24"),
+				check.That(data.ResourceName).Key("custom_rules.2.match_conditions.0.match_values.1").HasValue("10.0.0.0/24"),
+				check.That(data.ResourceName).Key("custom_rules.2.action").HasValue("Block"),
 				check.That(data.ResourceName).Key("managed_rules.#").HasValue("1"),
 				check.That(data.ResourceName).Key("managed_rules.0.exclusion.#").HasValue("2"),
 				check.That(data.ResourceName).Key("managed_rules.0.exclusion.0.match_variable").HasValue("RequestHeaderNames"),
@@ -368,6 +382,7 @@ resource "azurerm_web_application_firewall_policy" "test" {
   }
 
   custom_rules {
+    enabled   = true
     name      = "Rule1"
     priority  = 1
     rule_type = "MatchRule"
@@ -415,6 +430,25 @@ resource "azurerm_web_application_firewall_policy" "test" {
     action = "Block"
   }
 
+  custom_rules {
+    enabled   = false
+    name      = "Rule3"
+    priority  = 3
+    rule_type = "MatchRule"
+
+    match_conditions {
+      match_variables {
+        variable_name = "RemoteAddr"
+      }
+
+      operator           = "IPMatch"
+      negation_condition = false
+      match_values       = ["192.168.1.0/24", "10.0.0.0/24"]
+    }
+
+    action = "Block"
+  }
+
   managed_rules {
     exclusion {
       match_variable          = "RequestHeaderNames"

website/docs/r/web_application_firewall_policy.html.markdown

@@ -134,6 +134,8 @@ The following arguments are supported:
 
 The `custom_rules` block supports the following:
 
+* `enabled` - (Optional) Describes if the policy is in enabled state or disabled state. Defaults to `true`.
+
 * `name` - (Optional) Gets name of the resource that is unique within a policy. This name can be used to access the resource.
 
 * `priority` - (Required) Describes priority of the rule. Rules with a lower value will be evaluated before rules with a higher value.