azurerm_web_application_firewall_policy - support managed_rules (#6126)

azurerm/helpers/validate/web_application_firewall_policy.go

@@ -0,0 +1,40 @@
+package validate
+
+import "github.com/hashicorp/terraform-plugin-sdk/helper/validation"
+
+var ValidateWebApplicationFirewallPolicyRuleGroupName = validation.StringInSlice([]string{
+	"crs_20_protocol_violations",
+	"crs_21_protocol_anomalies",
+	"crs_23_request_limits",
+	"crs_30_http_policy",
+	"crs_35_bad_robots",
+	"crs_40_generic_attacks",
+	"crs_41_sql_injection_attacks",
+	"crs_41_xss_attacks",
+	"crs_42_tight_security",
+	"crs_45_trojans",
+	"General",
+	"REQUEST-911-METHOD-ENFORCEMENT",
+	"REQUEST-913-SCANNER-DETECTION",
+	"REQUEST-920-PROTOCOL-ENFORCEMENT",
+	"REQUEST-921-PROTOCOL-ATTACK",
+	"REQUEST-930-APPLICATION-ATTACK-LFI",
+	"REQUEST-931-APPLICATION-ATTACK-RFI",
+	"REQUEST-932-APPLICATION-ATTACK-RCE",
+	"REQUEST-933-APPLICATION-ATTACK-PHP",
+	"REQUEST-941-APPLICATION-ATTACK-XSS",
+	"REQUEST-942-APPLICATION-ATTACK-SQLI",
+	"REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION",
+}, false)
+
+var ValidateWebApplicationFirewallPolicyRuleSetVersion = validation.StringInSlice([]string{
+	"1.0",
+	"2.2.9",
+	"3.0",
+	"3.1",
+}, false)
+
+var ValidateWebApplicationFirewallPolicyRuleSetType = validation.StringInSlice([]string{
+	"OWASP",
+	"Microsoft_BotManagerRuleSet",
+}, false)

azurerm/internal/services/network/resource_arm_application_gateway.go

@@ -1170,19 +1170,16 @@ func resourceArmApplicationGateway() *schema.Resource {
 						},
 
 						"rule_set_type": {
-							Type:     schema.TypeString,
-							Optional: true,
-							Default:  "OWASP",
+							Type:         schema.TypeString,
+							Optional:     true,
+							Default:      "OWASP",
+							ValidateFunc: validate.ValidateWebApplicationFirewallPolicyRuleSetType,
 						},
 
 						"rule_set_version": {
-							Type:     schema.TypeString,
-							Required: true,
-							ValidateFunc: validation.StringInSlice([]string{
-								"2.2.9",
-								"3.0",
-								"3.1",
-							}, false),
+							Type:         schema.TypeString,
+							Required:     true,
+							ValidateFunc: validate.ValidateWebApplicationFirewallPolicyRuleSetVersion,
 						},
 						"file_upload_limit_mb": {
 							Type:         schema.TypeInt,
@@ -1207,32 +1204,9 @@ func resourceArmApplicationGateway() *schema.Resource {
 							Elem: &schema.Resource{
 								Schema: map[string]*schema.Schema{
 									"rule_group_name": {
-										Type:     schema.TypeString,
-										Required: true,
-										ValidateFunc: validation.StringInSlice([]string{
-											"crs_20_protocol_violations",
-											"crs_21_protocol_anomalies",
-											"crs_23_request_limits",
-											"crs_30_http_policy",
-											"crs_35_bad_robots",
-											"crs_40_generic_attacks",
-											"crs_41_sql_injection_attacks",
-											"crs_41_xss_attacks",
-											"crs_42_tight_security",
-											"crs_45_trojans",
-											"General",
-											"REQUEST-911-METHOD-ENFORCEMENT",
-											"REQUEST-913-SCANNER-DETECTION",
-											"REQUEST-920-PROTOCOL-ENFORCEMENT",
-											"REQUEST-921-PROTOCOL-ATTACK",
-											"REQUEST-930-APPLICATION-ATTACK-LFI",
-											"REQUEST-931-APPLICATION-ATTACK-RFI",
-											"REQUEST-932-APPLICATION-ATTACK-RCE",
-											"REQUEST-933-APPLICATION-ATTACK-PHP",
-											"REQUEST-941-APPLICATION-ATTACK-XSS",
-											"REQUEST-942-APPLICATION-ATTACK-SQLI",
-											"REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION",
-										}, false),
+										Type:         schema.TypeString,
+										Required:     true,
+										ValidateFunc: validate.ValidateWebApplicationFirewallPolicyRuleGroupName,
 									},
 
 									"rules": {
@@ -1255,19 +1229,20 @@ func resourceArmApplicationGateway() *schema.Resource {
 										Type:     schema.TypeString,
 										Required: true,
 										ValidateFunc: validation.StringInSlice([]string{
-											"RequestHeaderNames",
-											"RequestArgNames",
-											"RequestCookieNames",
+											string(network.RequestArgNames),
+											string(network.RequestCookieNames),
+											string(network.RequestHeaderNames),
 										}, false),
 									},
 
 									"selector_match_operator": {
 										Type: schema.TypeString,
 										ValidateFunc: validation.StringInSlice([]string{
-											"Equals",
-											"StartsWith",
-											"EndsWith",
-											"Contains",
+											string(network.OwaspCrsExclusionEntrySelectorMatchOperatorContains),
+											string(network.OwaspCrsExclusionEntrySelectorMatchOperatorEndsWith),
+											string(network.OwaspCrsExclusionEntrySelectorMatchOperatorEquals),
+											string(network.OwaspCrsExclusionEntrySelectorMatchOperatorEqualsAny),
+											string(network.OwaspCrsExclusionEntrySelectorMatchOperatorStartsWith),
 										}, false),
 										Optional: true,
 									},