hashicorp · katbyte · May 17, 2019 · Mar 28, 2019 · May 3, 2019 · May 5, 2019
diff --git a/azurerm/resource_arm_application_gateway.go b/azurerm/resource_arm_application_gateway.go
@@ -14,6 +14,15 @@ import (
 	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/utils"
 )
 
+// See https://github.com/Azure/azure-sdk-for-go/blob/master/services/network/mgmt/2018-04-01/network/models.go
+func possibleArmApplicationGatewaySslCipherSuiteValues() []string {
+	cipherSuites := make([]string, 0)
+	for _, cipherSuite := range network.PossibleApplicationGatewaySslCipherSuiteValues() {
+		cipherSuites = append(cipherSuites, string(cipherSuite))
+	}
+	return cipherSuites
+}
+
 func resourceArmApplicationGateway() *schema.Resource {
 	return &schema.Resource{
 		Create: resourceArmApplicationGatewayCreateUpdate,
@@ -633,10 +642,12 @@ func resourceArmApplicationGateway() *schema.Resource {
 				},
 			},
 
-			// TODO: @tombuildsstuff deprecate this in favour of a full `ssl_protocol` block in the future
+			// TODO: remove in 2.0
 			"disabled_ssl_protocols": {
-				Type:     schema.TypeList,
-				Optional: true,
+				Type:       schema.TypeList,
+				Optional:   true,
+				Computed:   true,
+				Deprecated: "has been replaced by `ssl_policy`.`disabled_protocols`",
 				Elem: &schema.Schema{
 					Type:             schema.TypeString,
 					DiffSuppressFunc: suppress.CaseDifference,
@@ -648,6 +659,65 @@ func resourceArmApplicationGateway() *schema.Resource {
 				},
 			},
 
+			"ssl_policy": {
+				Type:     schema.TypeList,
+				Optional: true,
+				Computed: true,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"disabled_protocols": {
+							Type:     schema.TypeList,
+							Optional: true,
+							Computed: true,
+							Elem: &schema.Schema{
+								Type: schema.TypeString,
+								ValidateFunc: validation.StringInSlice([]string{
+									string(network.TLSv10),
+									string(network.TLSv11),
+									string(network.TLSv12),
+								}, false),
+							},
+						},
+
+						"policy_type": {
+							Type:     schema.TypeString,
+							Optional: true,
+							Elem: &schema.Schema{
+								Type: schema.TypeString,
+								ValidateFunc: validation.StringInSlice([]string{
+									string(network.Custom),
+									string(network.Predefined),
+								}, false),
+							},
+						},
+
+						"policy_name": {
+							Type:     schema.TypeString,
+							Optional: true,
+						},
+
+						"cipher_suites": {
+							Type:     schema.TypeList,
+							Optional: true,
+							Elem: &schema.Schema{
+								Type:         schema.TypeString,
+								ValidateFunc: validation.StringInSlice(possibleArmApplicationGatewaySslCipherSuiteValues(), false),
+							},
+						},
+
+						"min_protocol_version": {
+							Type:     schema.TypeString,
+							Optional: true,
+							ValidateFunc: validation.StringInSlice([]string{
+								string(network.TLSv10),
+								string(network.TLSv11),
+								string(network.TLSv12),
+							}, false),
+						},
+					},
+				},
+			},
+
 			"enable_http2": {
 				Type:     schema.TypeBool,
 				Optional: true,
@@ -1228,6 +1298,10 @@ func resourceArmApplicationGatewayRead(d *schema.ResourceData, meta interface{})
 			return fmt.Errorf("Error setting `disabled_ssl_protocols`: %+v", setErr)
 		}
 
+		if setErr := d.Set("ssl_policy", flattenApplicationGatewaySslPolicy(props.SslPolicy)); setErr != nil {
+			return fmt.Errorf("Error setting `ssl_policy`: %+v", setErr)
+		}
+
 		d.Set("enable_http2", props.EnableHTTP2)
 
 		httpListeners, err := flattenApplicationGatewayHTTPListeners(props.HTTPListeners)
@@ -1661,16 +1735,94 @@ func flattenApplicationGatewayConnectionDraining(input *network.ApplicationGatew
 }
 
 func expandApplicationGatewaySslPolicy(d *schema.ResourceData) *network.ApplicationGatewaySslPolicy {
-	vs := d.Get("disabled_ssl_protocols").([]interface{})
-	results := make([]network.ApplicationGatewaySslProtocol, 0)
+	policy := network.ApplicationGatewaySslPolicy{}
+	disabledSSLPolicies := make([]network.ApplicationGatewaySslProtocol, 0)
 
-	for _, v := range vs {
-		results = append(results, network.ApplicationGatewaySslProtocol(v.(string)))
+	vs := d.Get("ssl_policy").([]interface{})
+	vsdsp := d.Get("disabled_ssl_protocols").([]interface{})
+
+	if len(vsdsp) == 0 && len(vs) == 0 {
+		policy = network.ApplicationGatewaySslPolicy{
+			DisabledSslProtocols: &disabledSSLPolicies,
+		}
 	}
 
-	return &network.ApplicationGatewaySslPolicy{
-		DisabledSslProtocols: &results,
+	for _, policy := range vsdsp {
+		disabledSSLPolicies = append(disabledSSLPolicies, network.ApplicationGatewaySslProtocol(policy.(string)))
 	}
+
+	if len(vs) > 0 {
+		v := vs[0].(map[string]interface{})
+		policyType := network.ApplicationGatewaySslPolicyType(v["policy_type"].(string))
+
+		// reset disabledSSLPolicies here to always use the new disabled_protocols block in favor of disabled_ssl_protocols
+		disabledSSLPolicies = disabledSSLPolicies[:0]
+
+		for _, policy := range v["disabled_protocols"].([]interface{}) {
+			disabledSSLPolicies = append(disabledSSLPolicies, network.ApplicationGatewaySslProtocol(policy.(string)))
+		}
+
+		if policyType == network.Predefined {
+			policyName := network.ApplicationGatewaySslPolicyName(v["policy_name"].(string))
+			policy = network.ApplicationGatewaySslPolicy{
+				PolicyType: policyType,
+				PolicyName: policyName,
+			}
+		} else if policyType == network.Custom {
+			minProtocolVersion := network.ApplicationGatewaySslProtocol(v["min_protocol_version"].(string))
+			cipherSuites := make([]network.ApplicationGatewaySslCipherSuite, 0)
+
+			for _, cipherSuite := range v["cipher_suites"].([]interface{}) {
+				cipherSuites = append(cipherSuites, network.ApplicationGatewaySslCipherSuite(cipherSuite.(string)))
+			}
+
+			policy = network.ApplicationGatewaySslPolicy{
+				PolicyType:         policyType,
+				MinProtocolVersion: minProtocolVersion,
+				CipherSuites:       &cipherSuites,
+			}
+		}
+	}
+
+	if len(disabledSSLPolicies) > 0 {
+		policy = network.ApplicationGatewaySslPolicy{
+			DisabledSslProtocols: &disabledSSLPolicies,
+		}
+	}
+
+	return &policy
+}
+
+func flattenApplicationGatewaySslPolicy(input *network.ApplicationGatewaySslPolicy) []interface{} {
+	results := make([]interface{}, 0)
+
+	if input == nil {
+		return results
+	}
+
+	output := map[string]interface{}{}
+	output["policy_name"] = input.PolicyName
+	output["policy_type"] = input.PolicyType
+	output["min_protocol_version"] = input.MinProtocolVersion
+
+	cipherSuites := make([]interface{}, 0)
+	if input.CipherSuites != nil {
+		for _, v := range *input.CipherSuites {
+			cipherSuites = append(cipherSuites, string(v))
+		}
+	}
+	output["cipher_suites"] = cipherSuites
+
+	disabledSslProtocols := make([]interface{}, 0)
+	if input.DisabledSslProtocols != nil {
+		for _, v := range *input.DisabledSslProtocols {
+			disabledSslProtocols = append(disabledSslProtocols, string(v))
+		}
+	}
+	output["disabled_protocols"] = disabledSslProtocols
+
+	results = append(results, output)
+	return results
 }
 
 func flattenApplicationGatewayDisabledSSLProtocols(input *network.ApplicationGatewaySslPolicy) []interface{} {