From 2e37a009023c021369ec42bc9fb94420505ae3a1 Mon Sep 17 00:00:00 2001 From: Sune Keller Date: Mon, 16 Mar 2020 22:38:53 +0100 Subject: [PATCH 01/16] Add "managed_rules" to azurerm_web_application_firewall_policy Also streamline singular plurality for optional blocks allowing multiple repetitions. Fixes #5727. Signed-off-by: Sune Keller --- ...rce_arm_web_application_firewall_policy.go | 289 +++++++++++++++++- 1 file changed, 277 insertions(+), 12 deletions(-) diff --git a/azurerm/internal/services/network/resource_arm_web_application_firewall_policy.go b/azurerm/internal/services/network/resource_arm_web_application_firewall_policy.go index 0e11f794324d..44aa8b53412f 100644 --- a/azurerm/internal/services/network/resource_arm_web_application_firewall_policy.go +++ b/azurerm/internal/services/network/resource_arm_web_application_firewall_policy.go @@ -48,7 +48,7 @@ func resourceArmWebApplicationFirewallPolicy() *schema.Resource { "resource_group_name": azure.SchemaResourceGroupNameDiffSuppress(), - "custom_rules": { + "custom_rule": { Type: schema.TypeList, Optional: true, Elem: &schema.Resource{ @@ -62,7 +62,7 @@ func resourceArmWebApplicationFirewallPolicy() *schema.Resource { string(network.WebApplicationFirewallActionLog), }, false), }, - "match_conditions": { + "match_condition": { Type: schema.TypeList, Required: true, Elem: &schema.Resource{ @@ -74,7 +74,7 @@ func resourceArmWebApplicationFirewallPolicy() *schema.Resource { Type: schema.TypeString, }, }, - "match_variables": { + "match_variable": { Type: schema.TypeList, Required: true, Elem: &schema.Resource{ 
@@ -143,6 +143,87 @@ func resourceArmWebApplicationFirewallPolicy() *schema.Resource { }, }, + "managed_rules": { + Type: schema.TypeList, + Required: true, + MaxItems: 1, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "exclusion": { + Type: schema.TypeList, + Optional: true, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "match_variable": { + Type: schema.TypeString, + Required: true, + ValidateFunc: validation.StringInSlice([]string{ + string(network.RequestArgNames), + string(network.RequestCookieNames), + string(network.RequestHeaderNames), + }, false), + }, + "selector": { + Type: schema.TypeString, + Required: true, + ValidateFunc: validation.NoZeroValues, + }, + "selector_match_operator": { + Type: schema.TypeString, + Required: true, + ValidateFunc: validation.StringInSlice([]string{ + string(network.OwaspCrsExclusionEntrySelectorMatchOperatorContains), + string(network.OwaspCrsExclusionEntrySelectorMatchOperatorEndsWith), + string(network.OwaspCrsExclusionEntrySelectorMatchOperatorEquals), + string(network.OwaspCrsExclusionEntrySelectorMatchOperatorEqualsAny), + string(network.OwaspCrsExclusionEntrySelectorMatchOperatorStartsWith), + }, false), + }, + }, + }, + }, + "managed_rule_set": { + Type: schema.TypeList, + Optional: true, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "rule_set_type": { + Type: schema.TypeString, + Required: true, + ValidateFunc: validation.NoZeroValues, + }, + "rule_set_version": { + Type: schema.TypeString, + Required: true, + ValidateFunc: validation.NoZeroValues, + }, + "rule_group_override": { + Type: schema.TypeList, + Optional: true, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "rule_group_name": { + Type: schema.TypeString, + Required: true, + ValidateFunc: validation.NoZeroValues, + }, + "disabled_rules": { + Type: schema.TypeList, + Required: true, + Elem: &schema.Schema{ + Type: schema.TypeString, + }, + }, + }, + }, + }, + }, + }, + }, + }, + }, + 
}, + "policy_settings": { Type: schema.TypeList, Optional: true, @@ -193,8 +274,9 @@ func resourceArmWebApplicationFirewallPolicyCreateUpdate(d *schema.ResourceData, } location := azure.NormalizeLocation(d.Get("location").(string)) - customRules := d.Get("custom_rules").([]interface{}) + customRules := d.Get("custom_rule").([]interface{}) policySettings := d.Get("policy_settings").([]interface{}) + managedRules := d.Get("managed_rules").([]interface{}) t := d.Get("tags").(map[string]interface{}) parameters := network.WebApplicationFirewallPolicy{ @@ -202,6 +284,7 @@ func resourceArmWebApplicationFirewallPolicyCreateUpdate(d *schema.ResourceData, WebApplicationFirewallPolicyPropertiesFormat: &network.WebApplicationFirewallPolicyPropertiesFormat{ CustomRules: expandArmWebApplicationFirewallPolicyWebApplicationFirewallCustomRule(customRules), PolicySettings: expandArmWebApplicationFirewallPolicyPolicySettings(policySettings), + ManagedRules: expandArmWebApplicationFirewallPolicyManagedRulesDefinition(managedRules), }, Tags: tags.Expand(t), } 
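Review bot: The new `managed_rules` block is declared `Required: true` in this hunk, while the documentation added in the next commit lists it as `(Optional)` and `expandArmWebApplicationFirewallPolicyManagedRulesDefinition` returns nil for an empty list; one side has to change, and if Required stands it is a breaking change for every existing `azurerm_web_application_firewall_policy` config that has no such block. The same mismatch applies to `disabled_rules` (Required here, `(Optional)` in the docs), and the docs name the nested block `managed_rules_set` where the schema key is `managed_rule_set`. The `disabled_rules` element has no validator, so an empty string is accepted as a rule id and passed straight to `utils.String` in the expand path; `Elem: &schema.Schema{Type: schema.TypeString, ValidateFunc: validation.NoZeroValues},` would reject it at plan time, matching the NoZeroValues used on the sibling fields. The enclosing resourceArmWebApplicationFirewallPolicy starts before this hunk.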
@@ -250,11 +333,14 @@ func resourceArmWebApplicationFirewallPolicyRead(d *schema.ResourceData, meta in d.Set("location", azure.NormalizeLocation(*location)) } if webApplicationFirewallPolicyPropertiesFormat := resp.WebApplicationFirewallPolicyPropertiesFormat; webApplicationFirewallPolicyPropertiesFormat != nil { - if err := d.Set("custom_rules", flattenArmWebApplicationFirewallPolicyWebApplicationFirewallCustomRule(webApplicationFirewallPolicyPropertiesFormat.CustomRules)); err != nil { + if err := d.Set("custom_rule", flattenArmWebApplicationFirewallPolicyWebApplicationFirewallCustomRule(webApplicationFirewallPolicyPropertiesFormat.CustomRules)); err != nil { return fmt.Errorf("Error setting `custom_rules`: %+v", err) } if err := d.Set("policy_settings", flattenArmWebApplicationFirewallPolicyPolicySettings(webApplicationFirewallPolicyPropertiesFormat.PolicySettings)); err != nil { - return fmt.Errorf("Error setting `policy_settings`: %+v", err) + return fmt.Errorf("Error setting `policy_setting`: %+v", err) + } + if err := d.Set("managed_rules", flattenArmWebApplicationFirewallPolicyManagedRulesDefinition(webApplicationFirewallPolicyPropertiesFormat.ManagedRules)); err != nil { + return fmt.Errorf("Error setting `managed_rule`: %+v", err) } } @@ -297,7 +383,7 @@ func expandArmWebApplicationFirewallPolicyWebApplicationFirewallCustomRule(input name := v["name"].(string) priority := v["priority"].(int) ruleType := v["rule_type"].(string) - matchConditions := v["match_conditions"].([]interface{}) + matchConditions := v["match_condition"].([]interface{}) action := v["action"].(string) result := network.WebApplicationFirewallCustomRule{ 
@@ -320,7 +406,7 @@ func expandArmWebApplicationFirewallPolicyPolicySettings(input []interface{}) *n
 v := input[0].(map[string]interface{})
 enabled := network.WebApplicationFirewallEnabledStateDisabled
- if v["enabled"].(bool) {
+ if value, ok := v["enabled"].(bool); ok && value {
 enabled = network.WebApplicationFirewallEnabledStateEnabled
 }
 mode := v["mode"].(string)
@@ -332,11 +418,100 @@ func expandArmWebApplicationFirewallPolicyPolicySettings(input []interface{}) *n return &result } +func expandArmWebApplicationFirewallPolicyManagedRulesDefinition(input []interface{}) *network.ManagedRulesDefinition { + if len(input) == 0 { + return nil + } + v := input[0].(map[string]interface{}) + + exclusions := v["exclusion"].([]interface{}) + managedRuleSets := v["managed_rule_set"].([]interface{}) + + result := network.ManagedRulesDefinition{ + Exclusions: expandArmWebApplicationFirewallPolicyExclusions(exclusions), + ManagedRuleSets: expandArmWebApplicationFirewallPolicyManagedRuleSet(managedRuleSets), + } + return &result +} + +func expandArmWebApplicationFirewallPolicyExclusions(input []interface{}) *[]network.OwaspCrsExclusionEntry { + results := make([]network.OwaspCrsExclusionEntry, 0) + for _, item := range input { + v := item.(map[string]interface{}) + + matchVariable := v["match_variable"].(string) + selectorMatchOperator := v["selector_match_operator"].(string) + selector := v["selector"].(string) + + result := network.OwaspCrsExclusionEntry{ + MatchVariable: network.OwaspCrsExclusionEntryMatchVariable(matchVariable), + SelectorMatchOperator: network.OwaspCrsExclusionEntrySelectorMatchOperator(selectorMatchOperator), + Selector: utils.String(selector), + } + + results = append(results, result) + } + return &results +} + +func expandArmWebApplicationFirewallPolicyManagedRuleSet(input []interface{}) *[]network.ManagedRuleSet { + results := make([]network.ManagedRuleSet, 0) + for _, item := range input { + v := item.(map[string]interface{}) + + ruleSetType := v["rule_set_type"].(string) + ruleSetVersion := v["rule_set_version"].(string) + ruleGroupOverrides := v["rule_group_overrides"].([]interface{}) + result := network.ManagedRuleSet{ + RuleSetType: utils.String(ruleSetType), + RuleSetVersion: utils.String(ruleSetVersion), + RuleGroupOverrides: expandArmWebApplicationFirewallPolicyRuleGroupOverrides(ruleGroupOverrides), + } + 
+ results = append(results, result) + } + return &results +} + +func expandArmWebApplicationFirewallPolicyRuleGroupOverrides(input []interface{}) *[]network.ManagedRuleGroupOverride { + results := make([]network.ManagedRuleGroupOverride, 0) + for _, item := range input { + v := item.(map[string]interface{}) + + ruleGroupName := v["rule_group_name"].(string) + disabledRules := v["disabled_rules"].([]interface{}) + + result := network.ManagedRuleGroupOverride{ + RuleGroupName: utils.String(ruleGroupName), + Rules: expandArmWebApplicationFirewallPolicyRules(disabledRules), + } + + results = append(results, result) + } + return &results + +} + +func expandArmWebApplicationFirewallPolicyRules(input []interface{}) *[]network.ManagedRuleOverride { + results := make([]network.ManagedRuleOverride, 0) + for _, item := range input { + ruleID := item.(string) + + result := network.ManagedRuleOverride{ + RuleID: utils.String(ruleID), + State: network.ManagedRuleEnabledStateDisabled, + } + + results = append(results, result) + } + return &results +} + func expandArmWebApplicationFirewallPolicyMatchCondition(input []interface{}) *[]network.MatchCondition { results := make([]network.MatchCondition, 0) for _, item := range input { v := item.(map[string]interface{}) - matchVariables := v["match_variables"].([]interface{}) + matchVariables := v["match_variable"].([]interface{}) operator := v["operator"].(string) negationCondition := v["negation_condition"].(bool) matchValues := v["match_values"].([]interface{}) @@ -383,7 +558,7 @@ func flattenArmWebApplicationFirewallPolicyWebApplicationFirewallCustomRule(inpu v["name"] = *name } v["action"] = string(item.Action) - v["match_conditions"] = flattenArmWebApplicationFirewallPolicyMatchCondition(item.MatchConditions) + v["match_condition"] = flattenArmWebApplicationFirewallPolicyMatchCondition(item.MatchConditions) if priority := item.Priority; priority != nil { v["priority"] = int(*priority) } 
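Review bot: `expandArmWebApplicationFirewallPolicyManagedRuleSet` reads `v["rule_group_overrides"]`, but the schema key declared in this same commit is `rule_group_override`; the missing key yields a nil interface and the bare `.([]interface{})` assertion panics the provider on any apply that sets a managed rule set (patch 03 adds a guard and patch 07 corrects the key, but the first commit ships the panic). The new expand helpers also carry no comments, and a reader should not have to trace the flatten side to learn that every `disabled_rules` id becomes an override with `State: network.ManagedRuleEnabledStateDisabled` and that the schema offers no way to express any other state; I would add `// expandArmWebApplicationFirewallPolicyRules maps each disabled_rules id to a ManagedRuleOverride with State Disabled; no other state is expressible from the schema.` above that function. `expandArmWebApplicationFirewallPolicyMatchCondition` continues past the end of the hunk.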
@@ -402,12 +577,102 @@ func flattenArmWebApplicationFirewallPolicyPolicySettings(input *network.PolicyS result := make(map[string]interface{}) - result["enabled"] = input.State == network.WebApplicationFirewallEnabledStateDisabled + result["enabled"] = input.State == network.WebApplicationFirewallEnabledStateEnabled result["mode"] = string(input.Mode) return []interface{}{result} } +func flattenArmWebApplicationFirewallPolicyManagedRulesDefinition(input *network.ManagedRulesDefinition) []interface{} { + results := make([]interface{}, 0) + if input == nil { + return results + } + + v := make(map[string]interface{}) + + v["exclusion"] = flattenArmWebApplicationFirewallPolicyExclusions(input.Exclusions) + v["managed_rule_set"] = flattenArmWebApplicationFirewallPolicyManagedRuleSets(input.ManagedRuleSets) + + results = append(results, v) + + return results +} + +func flattenArmWebApplicationFirewallPolicyExclusions(input *[]network.OwaspCrsExclusionEntry) []interface{} { + results := make([]interface{}, 0) + if input == nil { + return results + } + + for _, item := range *input { + v := make(map[string]interface{}) + + selector := item.Selector + + v["match_variable"] = string(item.MatchVariable) + if selector != nil { + v["selector"] = string(*selector) + } + v["selector_match_operator"] = string(item.SelectorMatchOperator) + + results = append(results, v) + } + return results +} + +func flattenArmWebApplicationFirewallPolicyManagedRuleSets(input *[]network.ManagedRuleSet) []interface{} { + results := make([]interface{}, 0) + if input == nil { + return results + } + + for _, item := range *input { + v := make(map[string]interface{}) + + v["rule_set_type"] = item.RuleSetType + v["rule_set_version"] = item.RuleSetVersion + v["rule_group_override"] = flattenArmWebApplicationFirewallPolicyRuleGroupOverrides(item.RuleGroupOverrides) + + results = append(results, v) + } + return results +} + +func flattenArmWebApplicationFirewallPolicyRuleGroupOverrides(input 
*[]network.ManagedRuleGroupOverride) []interface{} { + results := make([]interface{}, 0) + if input == nil { + return results + } + + for _, item := range *input { + v := make(map[string]interface{}) + + v["rule_group_name"] = item.RuleGroupName + v["disabled_rules"] = flattenArmWebApplicationFirewallPolicyManagedRuleOverrides(item.Rules) + + results = append(results, v) + } + return results +} + +func flattenArmWebApplicationFirewallPolicyManagedRuleOverrides(input *[]network.ManagedRuleOverride) []string { + results := make([]string, 0) + if input == nil { + return results + } + + for _, item := range *input { + if item.State == "" || item.State == network.ManagedRuleEnabledStateDisabled { + v := *item.RuleID + + results = append(results, v) + } + } + + return results +} + func flattenArmWebApplicationFirewallPolicyMatchCondition(input *[]network.MatchCondition) []interface{} { results := make([]interface{}, 0) if input == nil { @@ -418,7 +683,7 @@ func flattenArmWebApplicationFirewallPolicyMatchCondition(input *[]network.Match v := make(map[string]interface{}) v["match_values"] = utils.FlattenStringSlice(item.MatchValues) - v["match_variables"] = flattenArmWebApplicationFirewallPolicyMatchVariable(item.MatchVariables) + v["match_variable"] = flattenArmWebApplicationFirewallPolicyMatchVariable(item.MatchVariables) if negationCondition := item.NegationConditon; negationCondition != nil { v["negation_condition"] = *negationCondition } From e34b12c5495969a5bc25bdcac09073ecf612afc8 Mon Sep 17 00:00:00 2001 From: Sune Keller Date: Mon, 16 Mar 2020 22:39:40 +0100 Subject: [PATCH 02/16] Add website docs for "managed_rules" in azurerm_web_application_firewall_policy Signed-off-by: Sune Keller --- ..._application_firewall_policy.html.markdown | 103 +++++++++++++++--- 1 file changed, 86 insertions(+), 17 deletions(-) 
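Review bot: `flattenArmWebApplicationFirewallPolicyManagedRuleOverrides` dereferences `*item.RuleID` without a nil check, so an override returned by the API without an id panics the provider during Read; every other pointer in these flatten functions is guarded (`if selector != nil`), and this one should be too: `if item.RuleID != nil { results = append(results, *item.RuleID) }`. The `item.State == ""` branch is the only place in the file that treats an empty enum as a value and deserves a comment stating the assumption, e.g. `// assumes an empty State means Disabled (the API default) — confirm against the API spec`. The inverted `enabled` comparison fixed at the top of this hunk meant state reported a disabled policy as enabled, exactly the kind of silent drift the acceptance test should pin with an explicit `enabled` check. `flattenArmWebApplicationFirewallPolicyMatchCondition` continues past the end of the hunk.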
diff --git a/website/docs/r/web_application_firewall_policy.html.markdown b/website/docs/r/web_application_firewall_policy.html.markdown index 51a80dcabee0..38cad06e459b 100644 --- a/website/docs/r/web_application_firewall_policy.html.markdown +++ b/website/docs/r/web_application_firewall_policy.html.markdown @@ -23,13 +23,13 @@ resource "azurerm_web_application_firewall_policy" "example" { resource_group_name = azurerm_resource_group.example.name location = azurerm_resource_group.example.location - custom_rules { + custom_rule { name = "Rule1" priority = 1 rule_type = "MatchRule" - match_conditions { - match_variables { + match_condition { + match_variable { variable_name = "RemoteAddr" } @@ -41,13 +41,13 @@ resource "azurerm_web_application_firewall_policy" "example" { action = "Block" } - custom_rules { + custom_rule { name = "Rule2" priority = 2 rule_type = "MatchRule" - match_conditions { - match_variables { + match_condition { + match_variable { variable_name = "RemoteAddr" } @@ -56,8 +56,8 @@ resource "azurerm_web_application_firewall_policy" "example" { match_values = ["192.168.1.0/24"] } - match_conditions { - match_variables { + match_condition { + match_variable { variable_name = "RequestHeaders" selector = "UserAgent" } @@ -69,6 +69,37 @@ resource "azurerm_web_application_firewall_policy" "example" { action = "Block" } + + policy_setting { + enabled = true + mode = "Prevention" + } + + managed_rules { + exclusion { + match_variable = "RequestHeaderNames" + selector = "x-company-secret-header" + selector_match_operator = "Equals" + } + exclusion { + match_variable = "RequestCookieNames" + selector = "too-tasty" + selector_match_operator = "EndsWith" + } + + managed_rules_set { + rule_set_type = "OWASP" + rule_set_version = "3.1" + rule_group_override { + rule_group_name = "REQUEST-920-PROTOCOL-ENFORCEMENT" + disabled_rules = [ + "920300", + "920440" + ] + } + } + } + } ``` 
@@ -82,9 +113,11 @@ The following arguments are supported: * `location` - (Optional) Resource location. Changing this forces a new resource to be created. -* `custom_rules` - (Optional) One or more `custom_rule` blocks as defined below. +* `custom_rule` - (Optional) One or more `custom_rules` blocks as defined below. + +* `policy_setting` - (Optional) A `policy_setting` block as defined below. -* `policy_settings` - (Optional) A `policy_setting` block as defined below. +* `managed_rules` - (Optional) A `managed_rules` blocks as defined below. * `tags` - (Optional) A mapping of tags to assign to the Web Application Firewall Policy. 
@@ -94,25 +127,25 @@ The `custom_rule` block supports the following: * `name` - (Optional) Gets name of the resource that is unique within a policy. This name can be used to access the resource. -* `priority` - (Required) Describes priority of the rule. Rules with a lower value will be evaluated before rules with a higher value +* `priority` - (Required) Describes priority of the rule. Rules with a lower value will be evaluated before rules with a higher value. -* `rule_type` - (Required) Describes the type of rule +* `rule_type` - (Required) Describes the type of rule. -* `match_conditions` - (Required) One or more `match_condition` block defined below. +* `match_condition` - (Required) One or more `match_condition` blocks as defined below. -* `action` - (Required) Type of Actions +* `action` - (Required) Type of action. --- The `match_condition` block supports the following: -* `match_variables` - (Required) One or more `match_variable` block defined below. +* `match_variable` - (Required) One or more `match_variable` blocks as defined below. -* `operator` - (Required) Describes operator to be matched +* `operator` - (Required) Describes operator to be matched. * `negation_condition` - (Optional) Describes if this is negate condition or not -* `match_values` - (Required) Match value +* `match_values` - (Required) A list of match values. --- 
@@ -130,6 +163,42 @@ The `policy_setting` block supports the following: * `mode` - (Optional) Describes if it is in detection mode or prevention mode at the policy level Defaults to `Prevention`. +--- + +The `managed_rules` block supports the following: + +* `exclusion` - (Optional) One or more `exclusion` block defined below. + +* `managed_rules_set` - (Optional) One or more `managed_rules_set` block defined below. + +--- + +The `exclusion` block supports the following: + +* `match_variable` - (Required) The name of the Match Variable. + +* `selector` - (Optional) Describes field of the matchVariable collection. + +* `selector_match_operator` - (Required) Describes operator to be matched. + +--- + +The `managed_rules_set` block supports the following: + +* `rule_set_type` - (Required) The rule set type. + +* `rule_set_version` - (Required) The rule set version. + +* `rule_group_override` - (Optional) One or more `rule_group_override` block defined below. + +--- + +The `rule_group_override` block supports the following: + +* `rule_group_name` - (Required) The name of the Rule Group + +* `disabled_rules` - (Optional) One or more Rule ID's + ## Attributes Reference The following attributes are exported: From f6629135e4334dc9dfadb2475ccba34268ad4fe0 Mon Sep 17 00:00:00 2001 From: Sune Keller Date: Mon, 16 Mar 2020 23:02:32 +0100 Subject: [PATCH 03/16] Add nil check for "rule_group_overrides" Signed-off-by: Sune Keller --- .../network/resource_arm_web_application_firewall_policy.go | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/azurerm/internal/services/network/resource_arm_web_application_firewall_policy.go b/azurerm/internal/services/network/resource_arm_web_application_firewall_policy.go index 44aa8b53412f..49871a2f8be0 100644 --- a/azurerm/internal/services/network/resource_arm_web_application_firewall_policy.go +++ b/azurerm/internal/services/network/resource_arm_web_application_firewall_policy.go 
@@ -461,7 +461,10 @@ func expandArmWebApplicationFirewallPolicyManagedRuleSet(input []interface{}) *[ ruleSetType := v["rule_set_type"].(string) ruleSetVersion := v["rule_set_version"].(string) - ruleGroupOverrides := v["rule_group_overrides"].([]interface{}) + ruleGroupOverrides := []interface{}{} + if value, exists := v["rule_group_overrides"]; exists { + ruleGroupOverrides = value.([]interface{}) + } result := network.ManagedRuleSet{ RuleSetType: utils.String(ruleSetType), RuleSetVersion: utils.String(ruleSetVersion), From 9abcde01e67d7e7b3c67156b0826c3bda40bc92a Mon Sep 17 00:00:00 2001 From: Sune Keller Date: Tue, 17 Mar 2020 16:44:53 +0100 Subject: [PATCH 04/16] Fix lint errors Signed-off-by: Sune Keller --- .../network/resource_arm_web_application_firewall_policy.go | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/azurerm/internal/services/network/resource_arm_web_application_firewall_policy.go b/azurerm/internal/services/network/resource_arm_web_application_firewall_policy.go index 49871a2f8be0..e720bbe8db40 100644 --- a/azurerm/internal/services/network/resource_arm_web_application_firewall_policy.go +++ b/azurerm/internal/services/network/resource_arm_web_application_firewall_policy.go @@ -492,7 +492,6 @@ func expandArmWebApplicationFirewallPolicyRuleGroupOverrides(input []interface{} results = append(results, result) } return &results - } func expandArmWebApplicationFirewallPolicyRules(input []interface{}) *[]network.ManagedRuleOverride { @@ -615,7 +614,7 @@ func flattenArmWebApplicationFirewallPolicyExclusions(input *[]network.OwaspCrsE v["match_variable"] = string(item.MatchVariable) if selector != nil { - v["selector"] = string(*selector) + v["selector"] = *selector } v["selector_match_operator"] = string(item.SelectorMatchOperator) From 85c6f0e443cf8fe47445de70f801f94d6c133a34 Mon Sep 17 00:00:00 2001 
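Review bot: The `exists` guard added in this hunk papers over the real defect rather than fixing it: the schema declares the key as `rule_group_override`, so `v["rule_group_overrides"]` never exists and every configured override is now silently dropped instead of failing loudly. Patch 07 corrects the key; once it is correct the guard is presumably redundant, since the SDK appears to populate every key of a nested block's schema in the map it hands back (an Optional list arriving as an empty list), which is the assumption the rest of this file makes with bare `.([]interface{})` assertions — confirm before removing it. Either way the file should keep one style, with every nested lookup guarded or none. The enclosing function starts before and ends after this hunk.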
From: Sune Keller Date: Sat, 21 Mar 2020 14:03:36 +0100 Subject: [PATCH 05/16] Shorten "rule_set_*" properties and list some possible values in docs Signed-off-by: Sune Keller --- ...esource_arm_web_application_firewall_policy.go | 15 +++++++-------- .../web_application_firewall_policy.html.markdown | 8 ++++---- 2 files changed, 11 insertions(+), 12 deletions(-) diff --git a/azurerm/internal/services/network/resource_arm_web_application_firewall_policy.go b/azurerm/internal/services/network/resource_arm_web_application_firewall_policy.go index e720bbe8db40..b8edabe6b903 100644 --- a/azurerm/internal/services/network/resource_arm_web_application_firewall_policy.go +++ b/azurerm/internal/services/network/resource_arm_web_application_firewall_policy.go @@ -187,12 +187,12 @@ func resourceArmWebApplicationFirewallPolicy() *schema.Resource { Optional: true, Elem: &schema.Resource{ Schema: map[string]*schema.Schema{ - "rule_set_type": { + "type": { Type: schema.TypeString, Required: true, ValidateFunc: validation.NoZeroValues, }, - "rule_set_version": { + "version": { Type: schema.TypeString, Required: true, ValidateFunc: validation.NoZeroValues, @@ -427,11 +427,10 @@ func expandArmWebApplicationFirewallPolicyManagedRulesDefinition(input []interfa exclusions := v["exclusion"].([]interface{}) managedRuleSets := v["managed_rule_set"].([]interface{}) - result := network.ManagedRulesDefinition{ + return &network.ManagedRulesDefinition{ Exclusions: expandArmWebApplicationFirewallPolicyExclusions(exclusions), ManagedRuleSets: expandArmWebApplicationFirewallPolicyManagedRuleSet(managedRuleSets), } - return &result } func expandArmWebApplicationFirewallPolicyExclusions(input []interface{}) *[]network.OwaspCrsExclusionEntry { 
@@ -459,8 +458,8 @@ func expandArmWebApplicationFirewallPolicyManagedRuleSet(input []interface{}) *[ for _, item := range input { v := item.(map[string]interface{}) - ruleSetType := v["rule_set_type"].(string) - ruleSetVersion := v["rule_set_version"].(string) + ruleSetType := v["type"].(string) + ruleSetVersion := v["version"].(string) ruleGroupOverrides := []interface{}{} if value, exists := v["rule_group_overrides"]; exists { ruleGroupOverrides = value.([]interface{}) @@ -632,8 +631,8 @@ func flattenArmWebApplicationFirewallPolicyManagedRuleSets(input *[]network.Mana for _, item := range *input { v := make(map[string]interface{}) - v["rule_set_type"] = item.RuleSetType - v["rule_set_version"] = item.RuleSetVersion + v["type"] = item.RuleSetType + v["version"] = item.RuleSetVersion v["rule_group_override"] = flattenArmWebApplicationFirewallPolicyRuleGroupOverrides(item.RuleGroupOverrides) results = append(results, v) diff --git a/website/docs/r/web_application_firewall_policy.html.markdown b/website/docs/r/web_application_firewall_policy.html.markdown index 38cad06e459b..d103506b46e4 100644 --- a/website/docs/r/web_application_firewall_policy.html.markdown +++ b/website/docs/r/web_application_firewall_policy.html.markdown 
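Review bot: The rename to `type`/`version` is not carried into the documentation's usage example: the `managed_rules_set` block added in patch 02 still sets `rule_set_type = "OWASP"` and `rule_set_version = "3.1"`, and this commit's markdown hunk only updates the argument reference, so the example no longer validates against the schema. The example's block name `managed_rules_set` also still disagrees with the schema key `managed_rule_set`. Both are one-line edits in the markdown example.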
@@ -175,19 +175,19 @@ The `managed_rules` block supports the following: The `exclusion` block supports the following: -* `match_variable` - (Required) The name of the Match Variable. +* `match_variable` - (Required) The name of the Match Variable. Possible values: `RequestArgNames`, `RequestCookieNames`, `RequestHeaderNames`. * `selector` - (Optional) Describes field of the matchVariable collection. -* `selector_match_operator` - (Required) Describes operator to be matched. +* `selector_match_operator` - (Required) Describes operator to be matched. Possible values: `Contains`, `EndsWith`, `Equals`, `EqualsAny`, `StartsWith`. --- The `managed_rules_set` block supports the following: -* `rule_set_type` - (Required) The rule set type. +* `type` - (Required) The rule set type. -* `rule_set_version` - (Required) The rule set version. +* `version` - (Required) The rule set version. * `rule_group_override` - (Optional) One or more `rule_group_override` block defined below. From 882ffd7047b099db64d2a7ae99bbacac5a86de46 Mon Sep 17 00:00:00 2001 From: Sune Keller Date: Sat, 21 Mar 2020 15:31:22 +0100 Subject: [PATCH 06/16] Revert plurality normalization Signed-off-by: Sune Keller --- ...rce_arm_web_application_firewall_policy.go | 22 ++++++------ ..._application_firewall_policy.html.markdown | 36 +++++++++---------- 2 files changed, 29 insertions(+), 29 deletions(-) diff --git a/azurerm/internal/services/network/resource_arm_web_application_firewall_policy.go b/azurerm/internal/services/network/resource_arm_web_application_firewall_policy.go index b8edabe6b903..7060af38da2e 100644 --- a/azurerm/internal/services/network/resource_arm_web_application_firewall_policy.go +++ b/azurerm/internal/services/network/resource_arm_web_application_firewall_policy.go 
@@ -48,7 +48,7 @@ func resourceArmWebApplicationFirewallPolicy() *schema.Resource { "resource_group_name": azure.SchemaResourceGroupNameDiffSuppress(), - "custom_rule": { + "custom_rules": { Type: schema.TypeList, Optional: true, Elem: &schema.Resource{ @@ -62,7 +62,7 @@ func resourceArmWebApplicationFirewallPolicy() *schema.Resource { string(network.WebApplicationFirewallActionLog), }, false), }, - "match_condition": { + "match_conditions": { Type: schema.TypeList, Required: true, Elem: &schema.Resource{ @@ -74,7 +74,7 @@ func resourceArmWebApplicationFirewallPolicy() *schema.Resource { Type: schema.TypeString, }, }, - "match_variable": { + "match_variables": { Type: schema.TypeList, Required: true, Elem: &schema.Resource{ @@ -274,7 +274,7 @@ func resourceArmWebApplicationFirewallPolicyCreateUpdate(d *schema.ResourceData, } location := azure.NormalizeLocation(d.Get("location").(string)) - customRules := d.Get("custom_rule").([]interface{}) + customRules := d.Get("custom_rules").([]interface{}) policySettings := d.Get("policy_settings").([]interface{}) managedRules := d.Get("managed_rules").([]interface{}) t := d.Get("tags").(map[string]interface{}) 
@@ -333,14 +333,14 @@ func resourceArmWebApplicationFirewallPolicyRead(d *schema.ResourceData, meta in d.Set("location", azure.NormalizeLocation(*location)) } if webApplicationFirewallPolicyPropertiesFormat := resp.WebApplicationFirewallPolicyPropertiesFormat; webApplicationFirewallPolicyPropertiesFormat != nil { - if err := d.Set("custom_rule", flattenArmWebApplicationFirewallPolicyWebApplicationFirewallCustomRule(webApplicationFirewallPolicyPropertiesFormat.CustomRules)); err != nil { + if err := d.Set("custom_rules", flattenArmWebApplicationFirewallPolicyWebApplicationFirewallCustomRule(webApplicationFirewallPolicyPropertiesFormat.CustomRules)); err != nil { return fmt.Errorf("Error setting `custom_rules`: %+v", err) } if err := d.Set("policy_settings", flattenArmWebApplicationFirewallPolicyPolicySettings(webApplicationFirewallPolicyPropertiesFormat.PolicySettings)); err != nil { - return fmt.Errorf("Error setting `policy_setting`: %+v", err) + return fmt.Errorf("Error setting `policy_settings`: %+v", err) } if err := d.Set("managed_rules", flattenArmWebApplicationFirewallPolicyManagedRulesDefinition(webApplicationFirewallPolicyPropertiesFormat.ManagedRules)); err != nil { - return fmt.Errorf("Error setting `managed_rule`: %+v", err) + return fmt.Errorf("Error setting `managed_rules`: %+v", err) } } @@ -383,7 +383,7 @@ func expandArmWebApplicationFirewallPolicyWebApplicationFirewallCustomRule(input name := v["name"].(string) priority := v["priority"].(int) ruleType := v["rule_type"].(string) - matchConditions := v["match_condition"].([]interface{}) + matchConditions := v["match_conditions"].([]interface{}) action := v["action"].(string) result := network.WebApplicationFirewallCustomRule{ 
@@ -512,7 +512,7 @@ func expandArmWebApplicationFirewallPolicyMatchCondition(input []interface{}) *[ results := make([]network.MatchCondition, 0) for _, item := range input { v := item.(map[string]interface{}) - matchVariables := v["match_variable"].([]interface{}) + matchVariables := v["match_variables"].([]interface{}) operator := v["operator"].(string) negationCondition := v["negation_condition"].(bool) matchValues := v["match_values"].([]interface{}) @@ -559,7 +559,7 @@ func flattenArmWebApplicationFirewallPolicyWebApplicationFirewallCustomRule(inpu v["name"] = *name } v["action"] = string(item.Action) - v["match_condition"] = flattenArmWebApplicationFirewallPolicyMatchCondition(item.MatchConditions) + v["match_conditions"] = flattenArmWebApplicationFirewallPolicyMatchCondition(item.MatchConditions) if priority := item.Priority; priority != nil { v["priority"] = int(*priority) } @@ -684,7 +684,7 @@ func flattenArmWebApplicationFirewallPolicyMatchCondition(input *[]network.Match v := make(map[string]interface{}) v["match_values"] = utils.FlattenStringSlice(item.MatchValues) - v["match_variable"] = flattenArmWebApplicationFirewallPolicyMatchVariable(item.MatchVariables) + v["match_variables"] = flattenArmWebApplicationFirewallPolicyMatchVariable(item.MatchVariables) if negationCondition := item.NegationConditon; negationCondition != nil { v["negation_condition"] = *negationCondition } diff --git a/website/docs/r/web_application_firewall_policy.html.markdown b/website/docs/r/web_application_firewall_policy.html.markdown index d103506b46e4..4020a1dcbae0 100644 --- a/website/docs/r/web_application_firewall_policy.html.markdown +++ b/website/docs/r/web_application_firewall_policy.html.markdown 
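Review bot: The plurality revert is over-applied on the documentation side: the markdown hunk for the `exclusion` block in this commit renames its `match_variable` argument to `match_variables`, but the exclusion schema under `managed_rules` (untouched by this commit) keeps the singular `match_variable` key, so the documented attribute does not exist. The Go hunks here only revert `custom_rules`/`match_conditions`/`match_variables` inside custom rules, which is consistent with the schema; the exclusion line in the docs should keep the singular name, `match_variable`.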
@@ -23,13 +23,13 @@ resource "azurerm_web_application_firewall_policy" "example" { resource_group_name = azurerm_resource_group.example.name location = azurerm_resource_group.example.location - custom_rule { + custom_rules { name = "Rule1" priority = 1 rule_type = "MatchRule" - match_condition { - match_variable { + match_conditions { + match_variables { variable_name = "RemoteAddr" } @@ -41,13 +41,13 @@ resource "azurerm_web_application_firewall_policy" "example" { action = "Block" } - custom_rule { + custom_rules { name = "Rule2" priority = 2 rule_type = "MatchRule" - match_condition { - match_variable { + match_conditions { + match_variables { variable_name = "RemoteAddr" } @@ -56,8 +56,8 @@ resource "azurerm_web_application_firewall_policy" "example" { match_values = ["192.168.1.0/24"] } - match_condition { - match_variable { + match_conditions { + match_variables { variable_name = "RequestHeaders" selector = "UserAgent" } @@ -70,7 +70,7 @@ resource "azurerm_web_application_firewall_policy" "example" { action = "Block" } - policy_setting { + policy_settings { enabled = true mode = "Prevention" } @@ -113,9 +113,9 @@ The following arguments are supported: * `location` - (Optional) Resource location. Changing this forces a new resource to be created. -* `custom_rule` - (Optional) One or more `custom_rules` blocks as defined below. +* `custom_rules` - (Optional) One or more `custom_rules` blocks as defined below. -* `policy_setting` - (Optional) A `policy_setting` block as defined below. +* `policy_settings` - (Optional) A `policy_settings` block as defined below. * `managed_rules` - (Optional) A `managed_rules` blocks as defined below. @@ -123,7 +123,7 @@ The following arguments are supported: --- -The `custom_rule` block supports the following: +The `custom_rules` block supports the following: * `name` - (Optional) Gets name of the resource that is unique within a policy. This name can be used to access the resource. 
@@ -131,15 +131,15 @@ The `custom_rule` block supports the following: * `rule_type` - (Required) Describes the type of rule. -* `match_condition` - (Required) One or more `match_condition` blocks as defined below. +* `match_conditions` - (Required) One or more `match_conditions` blocks as defined below. * `action` - (Required) Type of action. --- -The `match_condition` block supports the following: +The `match_conditions` block supports the following: -* `match_variable` - (Required) One or more `match_variable` blocks as defined below. +* `match_variables` - (Required) One or more `match_variables` blocks as defined below. * `operator` - (Required) Describes operator to be matched. @@ -149,7 +149,7 @@ The `match_condition` block supports the following: --- -The `match_variable` block supports the following: +The `match_variables` block supports the following: * `variable_name` - (Required) The name of the Match Variable @@ -157,7 +157,7 @@ The `match_variable` block supports the following: --- -The `policy_setting` block supports the following: +The `policy_settings` block supports the following: * `enabled` - (Optional) Describes if the policy is in enabled state or disabled state Defaults to `Enabled`. @@ -175,7 +175,7 @@ The `managed_rules` block supports the following: The `exclusion` block supports the following: -* `match_variable` - (Required) The name of the Match Variable. Possible values: `RequestArgNames`, `RequestCookieNames`, `RequestHeaderNames`. +* `match_variables` - (Required) The name of the Match Variable. Possible values: `RequestArgNames`, `RequestCookieNames`, `RequestHeaderNames`. * `selector` - (Optional) Describes field of the matchVariable collection. From 992e9894ac4441e1133283f9d05d0c698fd0f143 Mon Sep 17 00:00:00 2001 From: Sune Keller Date: Mon, 23 Mar 2020 14:04:32 +0100 Subject: [PATCH 07/16] Fix reading "rule_group_override" property 
Signed-off-by: Sune Keller --- .../network/resource_arm_web_application_firewall_policy.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/azurerm/internal/services/network/resource_arm_web_application_firewall_policy.go b/azurerm/internal/services/network/resource_arm_web_application_firewall_policy.go index 7060af38da2e..34b6cf12ff6f 100644 --- a/azurerm/internal/services/network/resource_arm_web_application_firewall_policy.go +++ b/azurerm/internal/services/network/resource_arm_web_application_firewall_policy.go @@ -461,7 +461,7 @@ func expandArmWebApplicationFirewallPolicyManagedRuleSet(input []interface{}) *[ ruleSetType := v["type"].(string) ruleSetVersion := v["version"].(string) ruleGroupOverrides := []interface{}{} - if value, exists := v["rule_group_overrides"]; exists { + if value, exists := v["rule_group_override"]; exists { ruleGroupOverrides = value.([]interface{}) } result := network.ManagedRuleSet{ From 733ea5eaa4004d4788aff55716487f97473fe8f7 Mon Sep 17 00:00:00 2001 From: Sune Keller Date: Wed, 25 Mar 2020 11:49:05 +0100 Subject: [PATCH 08/16] Set new properties in test Signed-off-by: Sune Keller --- ...rm_web_application_firewall_policy_test.go | 49 +++++++++++++++++++ 1 file changed, 49 insertions(+) diff --git a/azurerm/internal/services/network/tests/resource_arm_web_application_firewall_policy_test.go b/azurerm/internal/services/network/tests/resource_arm_web_application_firewall_policy_test.go index 576c91e87635..7dfaa2fb3d2b 100644 --- a/azurerm/internal/services/network/tests/resource_arm_web_application_firewall_policy_test.go +++ b/azurerm/internal/services/network/tests/resource_arm_web_application_firewall_policy_test.go 
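Review bot: The key fix to `rule_group_override` is correct, but `value.([]interface{})` on the following line remains an unchecked assertion behind an `exists` guard that only tests presence, not type; folding both into `if value, ok := v["rule_group_override"].([]interface{}); ok { ruleGroupOverrides = value }` keeps the nil-safe default and removes the panic path. `expandArmWebApplicationFirewallPolicyManagedRuleSet` starts and ends outside the hunk.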
@@ -73,6 +73,23 @@ func TestAccAzureRMWebApplicationFirewallPolicy_complete(t *testing.T) { resource.TestCheckResourceAttr(data.ResourceName, "custom_rules.1.match_conditions.1.match_values.#", "1"), resource.TestCheckResourceAttr(data.ResourceName, "custom_rules.1.match_conditions.1.match_values.0", "Windows"), resource.TestCheckResourceAttr(data.ResourceName, "custom_rules.1.action", "Block"), + resource.TestCheckResourceAttr(data.ResourceName, "managed_rules.exclusion.#", "2"), + resource.TestCheckResourceAttr(data.ResourceName, "managed_rules.exclusion.0.match_variable", "RequestHeaderNames"), + resource.TestCheckResourceAttr(data.ResourceName, "managed_rules.exclusion.0.selector", "x-shared-secret"), + resource.TestCheckResourceAttr(data.ResourceName, "managed_rules.exclusion.0.selector_match_operator", "Equals"), + resource.TestCheckResourceAttr(data.ResourceName, "managed_rules.exclusion.1.match_variable", "RequestCookieNames"), + resource.TestCheckResourceAttr(data.ResourceName, "managed_rules.exclusion.1.selector", "too-much-fun"), + resource.TestCheckResourceAttr(data.ResourceName, "managed_rules.exclusion.1.selector_match_operator", "EndsWith"), + resource.TestCheckResourceAttr(data.ResourceName, "managed_rules.managed_rules_set.#", "1"), + resource.TestCheckResourceAttr(data.ResourceName, "managed_rules.managed_rules_set.0.type", "OWASP"), + resource.TestCheckResourceAttr(data.ResourceName, "managed_rules.managed_rules_set.0.version", "3.1"), + resource.TestCheckResourceAttr(data.ResourceName, "managed_rules.managed_rules_set.0.rule_group_override.#", "1"), + resource.TestCheckResourceAttr(data.ResourceName, "managed_rules.managed_rules_set.0.rule_group_override.0.rule_group_name", "REQUEST-920-PROTOCOL-ENFORCEMENT"), + resource.TestCheckResourceAttr(data.ResourceName, "managed_rules.managed_rules_set.0.rule_group_override.0.disabled_rules.#", "2"), + resource.TestCheckResourceAttr(data.ResourceName, 
"managed_rules.managed_rules_set.0.rule_group_override.0.disabled_rules.0", "920300"), + resource.TestCheckResourceAttr(data.ResourceName, "managed_rules.managed_rules_set.0.rule_group_override.0.disabled_rules.1", "920440"), + resource.TestCheckResourceAttr(data.ResourceName, "policy_settings.enabled", "true"), + resource.TestCheckResourceAttr(data.ResourceName, "policy_settings.mode", "Prevention"), ), }, data.ImportStep(), @@ -265,6 +282,38 @@ resource "azurerm_web_application_firewall_policy" "test" { action = "Block" } + + managed_rules { + exclusion { + match_variable = "RequestHeaderNames" + selector = "x-shared-secret" + selector_match_operator = "Equals" + } + + exclusion { + match_variable = "RequestCookieNames" + selector = "too-much-fun" + selector_match_operator = "EndsWith" + } + + managed_rules_set { + type = "OWASP" + version = "3.1" + + rule_group_override { + rule_group_name = "REQUEST-920-PROTOCOL-ENFORCEMENT" + disabled_rules = [ + "920300", + "920440", + ] + } + } + } + + policy_settings { + enabled = true + mode = "Prevention" + } } `, data.RandomInteger, data.Locations.Primary, data.RandomInteger) } From ec8202ac382ef975a0f517f29e8da25cc3667f49 Mon Sep 17 00:00:00 2001 From: Sune Keller Date: Tue, 31 Mar 2020 00:30:02 +0200 Subject: [PATCH 09/16] Align test with required properties Signed-off-by: Sune Keller --- ...rce_arm_web_application_firewall_policy.go | 2 +- ...rm_web_application_firewall_policy_test.go | 25 ++++++++++++------- ..._application_firewall_policy.html.markdown | 6 ++--- 3 files changed, 20 insertions(+), 13 deletions(-) diff --git a/azurerm/internal/services/network/resource_arm_web_application_firewall_policy.go b/azurerm/internal/services/network/resource_arm_web_application_firewall_policy.go index 34b6cf12ff6f..c9df5fb5efeb 100644 --- a/azurerm/internal/services/network/resource_arm_web_application_firewall_policy.go +++ b/azurerm/internal/services/network/resource_arm_web_application_firewall_policy.go 
@@ -184,7 +184,7 @@ func resourceArmWebApplicationFirewallPolicy() *schema.Resource {
 },
 "managed_rule_set": {
 Type: schema.TypeList,
- Optional: true,
+ Required: true,
 Elem: &schema.Resource{
 Schema: map[string]*schema.Schema{
 "type": {
diff --git a/azurerm/internal/services/network/tests/resource_arm_web_application_firewall_policy_test.go b/azurerm/internal/services/network/tests/resource_arm_web_application_firewall_policy_test.go
index 7dfaa2fb3d2b..aa40a00e5f64 100644
--- a/azurerm/internal/services/network/tests/resource_arm_web_application_firewall_policy_test.go
+++ b/azurerm/internal/services/network/tests/resource_arm_web_application_firewall_policy_test.go
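Review bot: `managed_rule_set` becomes `Required: true` here while the documentation hunk in this same commit (the `managed_rules` block section) still describes it as `(Optional) One or more managed_rule_set block`; that doc line should read `(Required)`. A `Required` `TypeList` without `MinItems: 1` may still be satisfied by an explicitly empty list, so if the API needs at least one rule set consider adding `MinItems: 1` — worth confirming against the SDK behaviour. The schema function starts and ends outside the hunk.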
@@ -80,14 +80,14 @@ func TestAccAzureRMWebApplicationFirewallPolicy_complete(t *testing.T) { resource.TestCheckResourceAttr(data.ResourceName, "managed_rules.exclusion.1.match_variable", "RequestCookieNames"), resource.TestCheckResourceAttr(data.ResourceName, "managed_rules.exclusion.1.selector", "too-much-fun"), resource.TestCheckResourceAttr(data.ResourceName, "managed_rules.exclusion.1.selector_match_operator", "EndsWith"), - resource.TestCheckResourceAttr(data.ResourceName, "managed_rules.managed_rules_set.#", "1"), - resource.TestCheckResourceAttr(data.ResourceName, "managed_rules.managed_rules_set.0.type", "OWASP"), - resource.TestCheckResourceAttr(data.ResourceName, "managed_rules.managed_rules_set.0.version", "3.1"), - resource.TestCheckResourceAttr(data.ResourceName, "managed_rules.managed_rules_set.0.rule_group_override.#", "1"), - resource.TestCheckResourceAttr(data.ResourceName, "managed_rules.managed_rules_set.0.rule_group_override.0.rule_group_name", "REQUEST-920-PROTOCOL-ENFORCEMENT"), - resource.TestCheckResourceAttr(data.ResourceName, "managed_rules.managed_rules_set.0.rule_group_override.0.disabled_rules.#", "2"), - resource.TestCheckResourceAttr(data.ResourceName, "managed_rules.managed_rules_set.0.rule_group_override.0.disabled_rules.0", "920300"), - resource.TestCheckResourceAttr(data.ResourceName, "managed_rules.managed_rules_set.0.rule_group_override.0.disabled_rules.1", "920440"), + resource.TestCheckResourceAttr(data.ResourceName, "managed_rules.managed_rule_set.#", "1"), + resource.TestCheckResourceAttr(data.ResourceName, "managed_rules.managed_rule_set.0.type", "OWASP"), + resource.TestCheckResourceAttr(data.ResourceName, "managed_rules.managed_rule_set.0.version", "3.1"), + resource.TestCheckResourceAttr(data.ResourceName, "managed_rules.managed_rule_set.0.rule_group_override.#", "1"), + resource.TestCheckResourceAttr(data.ResourceName, "managed_rules.managed_rule_set.0.rule_group_override.0.rule_group_name", 
"REQUEST-920-PROTOCOL-ENFORCEMENT"), + resource.TestCheckResourceAttr(data.ResourceName, "managed_rules.managed_rule_set.0.rule_group_override.0.disabled_rules.#", "2"), + resource.TestCheckResourceAttr(data.ResourceName, "managed_rules.managed_rule_set.0.rule_group_override.0.disabled_rules.0", "920300"), + resource.TestCheckResourceAttr(data.ResourceName, "managed_rules.managed_rule_set.0.rule_group_override.0.disabled_rules.1", "920440"), resource.TestCheckResourceAttr(data.ResourceName, "policy_settings.enabled", "true"), resource.TestCheckResourceAttr(data.ResourceName, "policy_settings.mode", "Prevention"), ), @@ -216,6 +216,13 @@ resource "azurerm_web_application_firewall_policy" "test" { name = "acctestwafpolicy-%d" resource_group_name = azurerm_resource_group.test.name location = azurerm_resource_group.test.location + + managed_rules { + managed_rule_set { + type = "OWASP" + version = "3.1" + } + } } `, data.RandomInteger, data.Locations.Primary, data.RandomInteger) } @@ -296,7 +303,7 @@ resource "azurerm_web_application_firewall_policy" "test" { selector_match_operator = "EndsWith" } - managed_rules_set { + managed_rule_set { type = "OWASP" version = "3.1" diff --git a/website/docs/r/web_application_firewall_policy.html.markdown b/website/docs/r/web_application_firewall_policy.html.markdown index 4020a1dcbae0..b1ee28367c72 100644 --- a/website/docs/r/web_application_firewall_policy.html.markdown +++ b/website/docs/r/web_application_firewall_policy.html.markdown @@ -87,7 +87,7 @@ resource "azurerm_web_application_firewall_policy" "example" { selector_match_operator = "EndsWith" } - managed_rules_set { + managed_rule_set { rule_set_type = "OWASP" rule_set_version = "3.1" rule_group_override { 
@@ -169,7 +169,7 @@ The `managed_rules` block supports the following: * `exclusion` - (Optional) One or more `exclusion` block defined below. -* `managed_rules_set` - (Optional) One or more `managed_rules_set` block defined below. +* `managed_rule_set` - (Optional) One or more `managed_rule_set` block defined below. --- @@ -183,7 +183,7 @@ The `exclusion` block supports the following: --- -The `managed_rules_set` block supports the following: +The `managed_rule_set` block supports the following: * `type` - (Required) The rule set type. From bdc3eea4ea8bafc22c8860ca1f111bb25fd8a013 Mon Sep 17 00:00:00 2001 From: Sune Keller Date: Thu, 2 Apr 2020 15:15:21 +0200 Subject: [PATCH 10/16] Ensure managed_rules is considered a list, and add to update test Signed-off-by: Sune Keller --- ...rm_web_application_firewall_policy_test.go | 55 +++++++++++++------ 1 file changed, 38 insertions(+), 17 deletions(-) diff --git a/azurerm/internal/services/network/tests/resource_arm_web_application_firewall_policy_test.go b/azurerm/internal/services/network/tests/resource_arm_web_application_firewall_policy_test.go index aa40a00e5f64..589d2fbd5560 100644 --- a/azurerm/internal/services/network/tests/resource_arm_web_application_firewall_policy_test.go +++ b/azurerm/internal/services/network/tests/resource_arm_web_application_firewall_policy_test.go 
@@ -73,23 +73,25 @@ func TestAccAzureRMWebApplicationFirewallPolicy_complete(t *testing.T) { resource.TestCheckResourceAttr(data.ResourceName, "custom_rules.1.match_conditions.1.match_values.#", "1"), resource.TestCheckResourceAttr(data.ResourceName, "custom_rules.1.match_conditions.1.match_values.0", "Windows"), resource.TestCheckResourceAttr(data.ResourceName, "custom_rules.1.action", "Block"), - resource.TestCheckResourceAttr(data.ResourceName, "managed_rules.exclusion.#", "2"), - resource.TestCheckResourceAttr(data.ResourceName, "managed_rules.exclusion.0.match_variable", "RequestHeaderNames"), - resource.TestCheckResourceAttr(data.ResourceName, "managed_rules.exclusion.0.selector", "x-shared-secret"), - resource.TestCheckResourceAttr(data.ResourceName, "managed_rules.exclusion.0.selector_match_operator", "Equals"), - resource.TestCheckResourceAttr(data.ResourceName, "managed_rules.exclusion.1.match_variable", "RequestCookieNames"), - resource.TestCheckResourceAttr(data.ResourceName, "managed_rules.exclusion.1.selector", "too-much-fun"), - resource.TestCheckResourceAttr(data.ResourceName, "managed_rules.exclusion.1.selector_match_operator", "EndsWith"), - resource.TestCheckResourceAttr(data.ResourceName, "managed_rules.managed_rule_set.#", "1"), - resource.TestCheckResourceAttr(data.ResourceName, "managed_rules.managed_rule_set.0.type", "OWASP"), - resource.TestCheckResourceAttr(data.ResourceName, "managed_rules.managed_rule_set.0.version", "3.1"), - resource.TestCheckResourceAttr(data.ResourceName, "managed_rules.managed_rule_set.0.rule_group_override.#", "1"), - resource.TestCheckResourceAttr(data.ResourceName, "managed_rules.managed_rule_set.0.rule_group_override.0.rule_group_name", "REQUEST-920-PROTOCOL-ENFORCEMENT"), - resource.TestCheckResourceAttr(data.ResourceName, "managed_rules.managed_rule_set.0.rule_group_override.0.disabled_rules.#", "2"), - resource.TestCheckResourceAttr(data.ResourceName, 
"managed_rules.managed_rule_set.0.rule_group_override.0.disabled_rules.0", "920300"), - resource.TestCheckResourceAttr(data.ResourceName, "managed_rules.managed_rule_set.0.rule_group_override.0.disabled_rules.1", "920440"), - resource.TestCheckResourceAttr(data.ResourceName, "policy_settings.enabled", "true"), - resource.TestCheckResourceAttr(data.ResourceName, "policy_settings.mode", "Prevention"), + resource.TestCheckResourceAttr(data.ResourceName, "managed_rules.#", "1"), + resource.TestCheckResourceAttr(data.ResourceName, "managed_rules.0.exclusion.#", "2"), + resource.TestCheckResourceAttr(data.ResourceName, "managed_rules.0.exclusion.0.match_variable", "RequestHeaderNames"), + resource.TestCheckResourceAttr(data.ResourceName, "managed_rules.0.exclusion.0.selector", "x-shared-secret"), + resource.TestCheckResourceAttr(data.ResourceName, "managed_rules.0.exclusion.0.selector_match_operator", "Equals"), + resource.TestCheckResourceAttr(data.ResourceName, "managed_rules.0.exclusion.1.match_variable", "RequestCookieNames"), + resource.TestCheckResourceAttr(data.ResourceName, "managed_rules.0.exclusion.1.selector", "too-much-fun"), + resource.TestCheckResourceAttr(data.ResourceName, "managed_rules.0.exclusion.1.selector_match_operator", "EndsWith"), + resource.TestCheckResourceAttr(data.ResourceName, "managed_rules.0.managed_rule_set.#", "1"), + resource.TestCheckResourceAttr(data.ResourceName, "managed_rules.0.managed_rule_set.0.type", "OWASP"), + resource.TestCheckResourceAttr(data.ResourceName, "managed_rules.0.managed_rule_set.0.version", "3.1"), + resource.TestCheckResourceAttr(data.ResourceName, "managed_rules.0.managed_rule_set.0.rule_group_override.#", "1"), + resource.TestCheckResourceAttr(data.ResourceName, "managed_rules.0.managed_rule_set.0.rule_group_override.0.rule_group_name", "REQUEST-920-PROTOCOL-ENFORCEMENT"), + resource.TestCheckResourceAttr(data.ResourceName, "managed_rules.0.managed_rule_set.0.rule_group_override.0.disabled_rules.#", "2"), + 
resource.TestCheckResourceAttr(data.ResourceName, "managed_rules.0.managed_rule_set.0.rule_group_override.0.disabled_rules.0", "920300"), + resource.TestCheckResourceAttr(data.ResourceName, "managed_rules.0.managed_rule_set.0.rule_group_override.0.disabled_rules.1", "920440"), + resource.TestCheckResourceAttr(data.ResourceName, "policy_settings.#", "1"), + resource.TestCheckResourceAttr(data.ResourceName, "policy_settings.0.enabled", "true"), + resource.TestCheckResourceAttr(data.ResourceName, "policy_settings.0.mode", "Prevention"), ), }, data.ImportStep(), 
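Review bot: The nineteen `resource.TestCheckResourceAttr` lines added here are repeated verbatim in the `_update` test at @@ -146; extracting them into a helper such as `func checkWafManagedRules(name string) []resource.TestCheckFunc` would keep the two tests from drifting the next time a state path changes, as it already has twice in this series. The switch to `managed_rules.0.` and `policy_settings.0.` paths is the correct addressing for `TypeList` blocks. Both test functions start before their hunks.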
@@ -146,6 +148,25 @@ func TestAccAzureRMWebApplicationFirewallPolicy_update(t *testing.T) { resource.TestCheckResourceAttr(data.ResourceName, "custom_rules.1.match_conditions.1.match_values.#", "1"), resource.TestCheckResourceAttr(data.ResourceName, "custom_rules.1.match_conditions.1.match_values.0", "Windows"), resource.TestCheckResourceAttr(data.ResourceName, "custom_rules.1.action", "Block"), + resource.TestCheckResourceAttr(data.ResourceName, "managed_rules.#", "1"), + resource.TestCheckResourceAttr(data.ResourceName, "managed_rules.0.exclusion.#", "2"), + resource.TestCheckResourceAttr(data.ResourceName, "managed_rules.0.exclusion.0.match_variable", "RequestHeaderNames"), + resource.TestCheckResourceAttr(data.ResourceName, "managed_rules.0.exclusion.0.selector", "x-shared-secret"), + resource.TestCheckResourceAttr(data.ResourceName, "managed_rules.0.exclusion.0.selector_match_operator", "Equals"), + resource.TestCheckResourceAttr(data.ResourceName, "managed_rules.0.exclusion.1.match_variable", "RequestCookieNames"), + resource.TestCheckResourceAttr(data.ResourceName, "managed_rules.0.exclusion.1.selector", "too-much-fun"), + resource.TestCheckResourceAttr(data.ResourceName, "managed_rules.0.exclusion.1.selector_match_operator", "EndsWith"), + resource.TestCheckResourceAttr(data.ResourceName, "managed_rules.0.managed_rule_set.#", "1"), + resource.TestCheckResourceAttr(data.ResourceName, "managed_rules.0.managed_rule_set.0.type", "OWASP"), + resource.TestCheckResourceAttr(data.ResourceName, "managed_rules.0.managed_rule_set.0.version", "3.1"), + resource.TestCheckResourceAttr(data.ResourceName, "managed_rules.0.managed_rule_set.0.rule_group_override.#", "1"), + resource.TestCheckResourceAttr(data.ResourceName, "managed_rules.0.managed_rule_set.0.rule_group_override.0.rule_group_name", "REQUEST-920-PROTOCOL-ENFORCEMENT"), + resource.TestCheckResourceAttr(data.ResourceName, "managed_rules.0.managed_rule_set.0.rule_group_override.0.disabled_rules.#", "2"), + 
resource.TestCheckResourceAttr(data.ResourceName, "managed_rules.0.managed_rule_set.0.rule_group_override.0.disabled_rules.0", "920300"), + resource.TestCheckResourceAttr(data.ResourceName, "managed_rules.0.managed_rule_set.0.rule_group_override.0.disabled_rules.1", "920440"), + resource.TestCheckResourceAttr(data.ResourceName, "policy_settings.#", "1"), + resource.TestCheckResourceAttr(data.ResourceName, "policy_settings.0.enabled", "true"), + resource.TestCheckResourceAttr(data.ResourceName, "policy_settings.0.mode", "Prevention"), ), }, data.ImportStep(), From 1c3f166bf68dc8e8b5963eb1729cfa6dff5ece9b Mon Sep 17 00:00:00 2001 From: Sune Keller Date: Thu, 2 Apr 2020 18:17:46 +0200 Subject: [PATCH 11/16] Streamline validation of rule type, rule version and disabled rule group names Signed-off-by: Sune Keller --- .../web_application_firewall_policy.go | 39 ++++++++++++ .../resource_arm_application_gateway.go | 61 ++++++------------- ...rce_arm_web_application_firewall_policy.go | 10 +-- 3 files changed, 63 insertions(+), 47 deletions(-) create mode 100644 azurerm/helpers/validate/web_application_firewall_policy.go diff --git a/azurerm/helpers/validate/web_application_firewall_policy.go b/azurerm/helpers/validate/web_application_firewall_policy.go new file mode 100644 index 000000000000..7e6912c44fee --- /dev/null +++ b/azurerm/helpers/validate/web_application_firewall_policy.go 
@@ -0,0 +1,39 @@
+package validate
+
+import "github.com/hashicorp/terraform-plugin-sdk/helper/validation"
+
+var ValidateWebApplicationFirewallPolicyRuleGroupName = validation.StringInSlice([]string{
+ "crs_20_protocol_violations",
+ "crs_21_protocol_anomalies",
+ "crs_23_request_limits",
+ "crs_30_http_policy",
+ "crs_35_bad_robots",
+ "crs_40_generic_attacks",
+ "crs_41_sql_injection_attacks",
+ "crs_41_xss_attacks",
+ "crs_42_tight_security",
+ "crs_45_trojans",
+ "General",
+ "REQUEST-911-METHOD-ENFORCEMENT",
+ "REQUEST-913-SCANNER-DETECTION",
+ "REQUEST-920-PROTOCOL-ENFORCEMENT",
+ "REQUEST-921-PROTOCOL-ATTACK",
+ "REQUEST-930-APPLICATION-ATTACK-LFI",
+ "REQUEST-931-APPLICATION-ATTACK-RFI",
+ "REQUEST-932-APPLICATION-ATTACK-RCE",
+ "REQUEST-933-APPLICATION-ATTACK-PHP",
+ "REQUEST-941-APPLICATION-ATTACK-XSS",
+ "REQUEST-942-APPLICATION-ATTACK-SQLI",
+ "REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION",
+}, false)
+
+var ValidateWebApplicationFirewallPolicyRuleSetVersion = validation.StringInSlice([]string{
+ "2.2.9",
+ "3.0",
+ "3.1",
+}, false)
+
+var ValidateWebApplicationFirewallPolicyRuleSetType = validation.StringInSlice([]string{
+ "OWASP",
+ "Microsoft_BotManagerRuleSet",
+}, false)
diff --git a/azurerm/internal/services/network/resource_arm_application_gateway.go b/azurerm/internal/services/network/resource_arm_application_gateway.go
index 8fcdd30c995b..9e22c7bd6ba4 100644
--- a/azurerm/internal/services/network/resource_arm_application_gateway.go
+++ b/azurerm/internal/services/network/resource_arm_application_gateway.go
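Review bot: The three exported validators stutter with their package name (`validate.ValidateWebApplicationFirewallPolicyRuleSetType`) and carry no doc comment; `WebApplicationFirewallPolicyRuleSetType` with a leading `// WebApplicationFirewallPolicyRuleSetType validates the rule set type of a WAF policy.` comment follows Go convention. More importantly, type and version are validated independently, so a version that belongs to a different rule set than the chosen type passes plan-time validation and only fails at apply; a sentence in the doc comment stating that the type/version pairing is enforced by the API, not by these validators, would spare users a confusing apply-time error. The rule-group list likewise mixes CRS 2.2.9 `crs_*` names with 3.x `REQUEST-*` names, so a group name from a version other than the one configured is also accepted here.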
@@ -1170,19 +1170,16 @@ func resourceArmApplicationGateway() *schema.Resource { }, "rule_set_type": { - Type: schema.TypeString, - Optional: true, - Default: "OWASP", + Type: schema.TypeString, + Optional: true, + Default: "OWASP", + ValidateFunc: validate.ValidateWebApplicationFirewallPolicyRuleSetType, }, "rule_set_version": { - Type: schema.TypeString, - Required: true, - ValidateFunc: validation.StringInSlice([]string{ - "2.2.9", - "3.0", - "3.1", - }, false), + Type: schema.TypeString, + Required: true, + ValidateFunc: validate.ValidateWebApplicationFirewallPolicyRuleSetVersion, }, "file_upload_limit_mb": { Type: schema.TypeInt, @@ -1207,32 +1204,9 @@ func resourceArmApplicationGateway() *schema.Resource { Elem: &schema.Resource{ Schema: map[string]*schema.Schema{ "rule_group_name": { - Type: schema.TypeString, - Required: true, - ValidateFunc: validation.StringInSlice([]string{ - "crs_20_protocol_violations", - "crs_21_protocol_anomalies", - "crs_23_request_limits", - "crs_30_http_policy", - "crs_35_bad_robots", - "crs_40_generic_attacks", - "crs_41_sql_injection_attacks", - "crs_41_xss_attacks", - "crs_42_tight_security", - "crs_45_trojans", - "General", - "REQUEST-911-METHOD-ENFORCEMENT", - "REQUEST-913-SCANNER-DETECTION", - "REQUEST-920-PROTOCOL-ENFORCEMENT", - "REQUEST-921-PROTOCOL-ATTACK", - "REQUEST-930-APPLICATION-ATTACK-LFI", - "REQUEST-931-APPLICATION-ATTACK-RFI", - "REQUEST-932-APPLICATION-ATTACK-RCE", - "REQUEST-933-APPLICATION-ATTACK-PHP", - "REQUEST-941-APPLICATION-ATTACK-XSS", - "REQUEST-942-APPLICATION-ATTACK-SQLI", - "REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION", - }, false), + Type: schema.TypeString, + Required: true, + ValidateFunc: validate.ValidateWebApplicationFirewallPolicyRuleGroupName, }, "rules": { 
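Review bot: Attaching `ValidateFunc: validate.ValidateWebApplicationFirewallPolicyRuleSetType` to the application gateway's `rule_set_type` tightens a field that previously accepted any string, so an existing configuration holding a value outside `OWASP`/`Microsoft_BotManagerRuleSet` would start failing validation on its next plan; that behavioural change deserves a changelog entry rather than being folded into a "streamline validation" commit. The hunk at @@ -1207 is a pure move of the same rule-group list into the shared validator and is fine. `resourceArmApplicationGateway` starts and ends outside both hunks.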
@@ -1255,19 +1229,20 @@ func resourceArmApplicationGateway() *schema.Resource { Type: schema.TypeString, Required: true, ValidateFunc: validation.StringInSlice([]string{ - "RequestHeaderNames", - "RequestArgNames", - "RequestCookieNames", + string(network.RequestArgNames), + string(network.RequestCookieNames), + string(network.RequestHeaderNames), }, false), }, "selector_match_operator": { Type: schema.TypeString, ValidateFunc: validation.StringInSlice([]string{ - "Equals", - "StartsWith", - "EndsWith", - "Contains", + string(network.OwaspCrsExclusionEntrySelectorMatchOperatorContains), + string(network.OwaspCrsExclusionEntrySelectorMatchOperatorEndsWith), + string(network.OwaspCrsExclusionEntrySelectorMatchOperatorEquals), + string(network.OwaspCrsExclusionEntrySelectorMatchOperatorEqualsAny), + string(network.OwaspCrsExclusionEntrySelectorMatchOperatorStartsWith), }, false), Optional: true, }, diff --git a/azurerm/internal/services/network/resource_arm_web_application_firewall_policy.go b/azurerm/internal/services/network/resource_arm_web_application_firewall_policy.go index c9df5fb5efeb..b5ca75fbe442 100644 --- a/azurerm/internal/services/network/resource_arm_web_application_firewall_policy.go +++ b/azurerm/internal/services/network/resource_arm_web_application_firewall_policy.go @@ -11,6 +11,7 @@ import ( "github.com/hashicorp/terraform-plugin-sdk/helper/validation" "github.com/terraform-providers/terraform-provider-azurerm/azurerm/helpers/azure" "github.com/terraform-providers/terraform-provider-azurerm/azurerm/helpers/tf" + "github.com/terraform-providers/terraform-provider-azurerm/azurerm/helpers/validate" "github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/clients" "github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/features" "github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/tags" 
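Review bot: The `selector_match_operator` list now also accepts `string(network.OwaspCrsExclusionEntrySelectorMatchOperatorEqualsAny)`, which the previous literal list (`Equals`, `StartsWith`, `EndsWith`, `Contains`) did not, so this hunk is a functional extension rather than only a validation cleanup and should say so in the commit message; it is only safe if the application gateway API version this resource targets honours that operator — worth confirming. Using the SDK enum constants is otherwise an improvement, since the accepted values can no longer drift from the API's. The enclosing schema function starts and ends outside the hunk.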
@@ -189,13 +190,14 @@ func resourceArmWebApplicationFirewallPolicy() *schema.Resource { Schema: map[string]*schema.Schema{ "type": { Type: schema.TypeString, - Required: true, - ValidateFunc: validation.NoZeroValues, + Optional: true, + Default: "OWASP", + ValidateFunc: validate.ValidateWebApplicationFirewallPolicyRuleSetType, }, "version": { Type: schema.TypeString, Required: true, - ValidateFunc: validation.NoZeroValues, + ValidateFunc: validate.ValidateWebApplicationFirewallPolicyRuleSetVersion, }, "rule_group_override": { Type: schema.TypeList, @@ -205,7 +207,7 @@ func resourceArmWebApplicationFirewallPolicy() *schema.Resource { "rule_group_name": { Type: schema.TypeString, Required: true, - ValidateFunc: validation.NoZeroValues, + ValidateFunc: validate.ValidateWebApplicationFirewallPolicyRuleGroupName, }, "disabled_rules": { Type: schema.TypeList, From 14177bdda4b0555a36439cb5a2c6c62d99cdaefe Mon Sep 17 00:00:00 2001 From: Sune Keller Date: Sun, 5 Apr 2020 14:04:26 +0200 Subject: [PATCH 12/16] Added version 1.0 to rule set versions It is the single valid version for the Microsoft_BotManagerRuleSet rule set. Signed-off-by: Sune Keller --- azurerm/helpers/validate/web_application_firewall_policy.go | 1 + 1 file changed, 1 insertion(+) diff --git a/azurerm/helpers/validate/web_application_firewall_policy.go b/azurerm/helpers/validate/web_application_firewall_policy.go index 7e6912c44fee..da86db47f952 100644 --- a/azurerm/helpers/validate/web_application_firewall_policy.go +++ b/azurerm/helpers/validate/web_application_firewall_policy.go @@ -28,6 +28,7 @@ var ValidateWebApplicationFirewallPolicyRuleGroupName = validation.StringInSlice }, false) var ValidateWebApplicationFirewallPolicyRuleSetVersion = validation.StringInSlice([]string{ + "1.0", "2.2.9", "3.0", "3.1", From c98ebdd4abc41328ad033f9f5bdf7b34ead0b4c0 Mon Sep 17 00:00:00 2001 
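Review bot: `type` becomes `Optional` with `Default: "OWASP"` here, but the `managed_rule_set` documentation elsewhere in this series still lists it as `(Required) The rule set type.`; the doc line should become `(Optional) The rule set type. Defaults to OWASP.`. The hunk at @@ -205 ends on `"disabled_rules": {`; if its element schema (outside the hunk) carries no `ValidateFunc`, a `validation.NoZeroValues` on the element would keep an empty rule id from being sent while `rule_group_name` is now validated. The schema function starts and ends outside both hunks.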
From: Sune Keller Date: Mon, 16 Mar 2020 22:38:53 +0100 Subject: [PATCH 13/16] Add "managed_rules" to azurerm_web_application_firewall_policy Also streamline singular plurality for optional blocks allowing multiple repetitions. Fixes #5727. Signed-off-by: Sune Keller --- ...rce_arm_web_application_firewall_policy.go | 23 +++++++++++-------- 1 file changed, 13 insertions(+), 10 deletions(-) diff --git a/azurerm/internal/services/network/resource_arm_web_application_firewall_policy.go b/azurerm/internal/services/network/resource_arm_web_application_firewall_policy.go index b5ca75fbe442..49ab29d02ee2 100644 --- a/azurerm/internal/services/network/resource_arm_web_application_firewall_policy.go +++ b/azurerm/internal/services/network/resource_arm_web_application_firewall_policy.go @@ -49,7 +49,7 @@ func resourceArmWebApplicationFirewallPolicy() *schema.Resource { "resource_group_name": azure.SchemaResourceGroupNameDiffSuppress(), - "custom_rules": { + "custom_rule": { Type: schema.TypeList, Optional: true, Elem: &schema.Resource{ @@ -63,7 +63,7 @@ func resourceArmWebApplicationFirewallPolicy() *schema.Resource { string(network.WebApplicationFirewallActionLog), }, false), }, - "match_conditions": { + "match_condition": { Type: schema.TypeList, Required: true, Elem: &schema.Resource{ @@ -75,7 +75,7 @@ func resourceArmWebApplicationFirewallPolicy() *schema.Resource { Type: schema.TypeString, }, }, - "match_variables": { + "match_variable": { Type: schema.TypeList, Required: true, Elem: &schema.Resource{ @@ -276,7 +276,7 @@ func resourceArmWebApplicationFirewallPolicyCreateUpdate(d *schema.ResourceData, } location := azure.NormalizeLocation(d.Get("location").(string)) - customRules := d.Get("custom_rules").([]interface{}) + customRules := d.Get("custom_rule").([]interface{}) policySettings := d.Get("policy_settings").([]interface{}) managedRules := d.Get("managed_rules").([]interface{}) t := d.Get("tags").(map[string]interface{}) 
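Review bot: Renaming the schema keys to `custom_rule`/`match_condition`/`match_variable` changes attribute names without a state migration or a deprecated alias, so if this resource has already shipped, existing configurations and state entries under the plural names stop being recognised; a `schema.StateUpgrader` or a transitional `Deprecated` attribute is the usual path. The hunk at @@ -276 also leaves `policy_settings` and `managed_rules` plural while `custom_rule` becomes singular, so the "streamline plurality" goal is only half applied within one resource. The schema and create/update functions start and end outside these hunks.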
@@ -335,11 +335,14 @@ func resourceArmWebApplicationFirewallPolicyRead(d *schema.ResourceData, meta in d.Set("location", azure.NormalizeLocation(*location)) } if webApplicationFirewallPolicyPropertiesFormat := resp.WebApplicationFirewallPolicyPropertiesFormat; webApplicationFirewallPolicyPropertiesFormat != nil { - if err := d.Set("custom_rules", flattenArmWebApplicationFirewallPolicyWebApplicationFirewallCustomRule(webApplicationFirewallPolicyPropertiesFormat.CustomRules)); err != nil { + if err := d.Set("custom_rule", flattenArmWebApplicationFirewallPolicyWebApplicationFirewallCustomRule(webApplicationFirewallPolicyPropertiesFormat.CustomRules)); err != nil { return fmt.Errorf("Error setting `custom_rules`: %+v", err) } if err := d.Set("policy_settings", flattenArmWebApplicationFirewallPolicyPolicySettings(webApplicationFirewallPolicyPropertiesFormat.PolicySettings)); err != nil { - return fmt.Errorf("Error setting `policy_settings`: %+v", err) + return fmt.Errorf("Error setting `policy_setting`: %+v", err) + } + if err := d.Set("managed_rules", flattenArmWebApplicationFirewallPolicyManagedRulesDefinition(webApplicationFirewallPolicyPropertiesFormat.ManagedRules)); err != nil { + return fmt.Errorf("Error setting `managed_rule`: %+v", err) } if err := d.Set("managed_rules", flattenArmWebApplicationFirewallPolicyManagedRulesDefinition(webApplicationFirewallPolicyPropertiesFormat.ManagedRules)); err != nil { return fmt.Errorf("Error setting `managed_rules`: %+v", err) @@ -385,7 +388,7 @@ func expandArmWebApplicationFirewallPolicyWebApplicationFirewallCustomRule(input name := v["name"].(string) priority := v["priority"].(int) ruleType := v["rule_type"].(string) - matchConditions := v["match_conditions"].([]interface{}) + matchConditions := v["match_condition"].([]interface{}) action := v["action"].(string) result := network.WebApplicationFirewallCustomRule{ 
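Review bot: The added `d.Set("managed_rules", ...)` block duplicates the identical one that immediately follows it in the context lines, so the flatten now runs twice on every read; the added block should be dropped. The error strings also no longer match the keys being set: `custom_rule` is set but the message still says `custom_rules`, `policy_settings` is set but the message is changed to `policy_setting`, and the new block reports `managed_rule`; each message should name exactly the key passed to the `d.Set` call on the line above it, otherwise a failed read points the user at an attribute that does not exist. `resourceArmWebApplicationFirewallPolicyRead` starts before the hunk.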
@@ -514,7 +517,7 @@ func expandArmWebApplicationFirewallPolicyMatchCondition(input []interface{}) *[ results := make([]network.MatchCondition, 0) for _, item := range input { v := item.(map[string]interface{}) - matchVariables := v["match_variables"].([]interface{}) + matchVariables := v["match_variable"].([]interface{}) operator := v["operator"].(string) negationCondition := v["negation_condition"].(bool) matchValues := v["match_values"].([]interface{}) @@ -561,7 +564,7 @@ func flattenArmWebApplicationFirewallPolicyWebApplicationFirewallCustomRule(inpu v["name"] = *name } v["action"] = string(item.Action) - v["match_conditions"] = flattenArmWebApplicationFirewallPolicyMatchCondition(item.MatchConditions) + v["match_condition"] = flattenArmWebApplicationFirewallPolicyMatchCondition(item.MatchConditions) if priority := item.Priority; priority != nil { v["priority"] = int(*priority) } @@ -686,7 +689,7 @@ func flattenArmWebApplicationFirewallPolicyMatchCondition(input *[]network.Match v := make(map[string]interface{}) v["match_values"] = utils.FlattenStringSlice(item.MatchValues) - v["match_variables"] = flattenArmWebApplicationFirewallPolicyMatchVariable(item.MatchVariables) + v["match_variable"] = flattenArmWebApplicationFirewallPolicyMatchVariable(item.MatchVariables) if negationCondition := item.NegationConditon; negationCondition != nil { v["negation_condition"] = *negationCondition } From a2bb6c2f05c59e741a39ac91ab0e124362e03726 Mon Sep 17 00:00:00 2001 From: Sune Keller Date: Mon, 16 Mar 2020 22:39:40 +0100 Subject: [PATCH 14/16] Add website docs for "managed_rules" in azurerm_web_application_firewall_policy Signed-off-by: Sune Keller --- ...web_application_firewall_policy.html.markdown | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/website/docs/r/web_application_firewall_policy.html.markdown b/website/docs/r/web_application_firewall_policy.html.markdown index b1ee28367c72..4f7c0105566a 100644 
--- a/website/docs/r/web_application_firewall_policy.html.markdown +++ b/website/docs/r/web_application_firewall_policy.html.markdown @@ -23,13 +23,13 @@ resource "azurerm_web_application_firewall_policy" "example" { resource_group_name = azurerm_resource_group.example.name location = azurerm_resource_group.example.location - custom_rules { + custom_rule { name = "Rule1" priority = 1 rule_type = "MatchRule" - match_conditions { - match_variables { + match_condition { + match_variable { variable_name = "RemoteAddr" } @@ -41,13 +41,13 @@ resource "azurerm_web_application_firewall_policy" "example" { action = "Block" } - custom_rules { + custom_rule { name = "Rule2" priority = 2 rule_type = "MatchRule" - match_conditions { - match_variables { + match_condition { + match_variable { variable_name = "RemoteAddr" } @@ -56,8 +56,8 @@ resource "azurerm_web_application_firewall_policy" "example" { match_values = ["192.168.1.0/24"] } - match_conditions { - match_variables { + match_condition { + match_variable { variable_name = "RequestHeaders" selector = "UserAgent" } From e838ca28841f2babc0b7fb221fe3f76f8e7b43d4 Mon Sep 17 00:00:00 2001 From: Sune Keller Date: Sat, 21 Mar 2020 15:31:22 +0100 Subject: [PATCH 15/16] Revert plurality normalization Signed-off-by: Sune Keller --- ...rce_arm_web_application_firewall_policy.go | 22 +++++++++---------- ..._application_firewall_policy.html.markdown | 16 +++++++------- 2 files changed, 19 insertions(+), 19 deletions(-) diff --git a/azurerm/internal/services/network/resource_arm_web_application_firewall_policy.go b/azurerm/internal/services/network/resource_arm_web_application_firewall_policy.go index 49ab29d02ee2..a3955c94e88f 100644 --- a/azurerm/internal/services/network/resource_arm_web_application_firewall_policy.go +++ b/azurerm/internal/services/network/resource_arm_web_application_firewall_policy.go 
@@ -49,7 +49,7 @@ func resourceArmWebApplicationFirewallPolicy() *schema.Resource { "resource_group_name": azure.SchemaResourceGroupNameDiffSuppress(), - "custom_rule": { + "custom_rules": { Type: schema.TypeList, Optional: true, Elem: &schema.Resource{ @@ -63,7 +63,7 @@ func resourceArmWebApplicationFirewallPolicy() *schema.Resource { string(network.WebApplicationFirewallActionLog), }, false), }, - "match_condition": { + "match_conditions": { Type: schema.TypeList, Required: true, Elem: &schema.Resource{ @@ -75,7 +75,7 @@ func resourceArmWebApplicationFirewallPolicy() *schema.Resource { Type: schema.TypeString, }, }, - "match_variable": { + "match_variables": { Type: schema.TypeList, Required: true, Elem: &schema.Resource{ @@ -276,7 +276,7 @@ func resourceArmWebApplicationFirewallPolicyCreateUpdate(d *schema.ResourceData, } location := azure.NormalizeLocation(d.Get("location").(string)) - customRules := d.Get("custom_rule").([]interface{}) + customRules := d.Get("custom_rules").([]interface{}) policySettings := d.Get("policy_settings").([]interface{}) managedRules := d.Get("managed_rules").([]interface{}) t := d.Get("tags").(map[string]interface{}) 
@@ -335,14 +335,14 @@ func resourceArmWebApplicationFirewallPolicyRead(d *schema.ResourceData, meta in d.Set("location", azure.NormalizeLocation(*location)) } if webApplicationFirewallPolicyPropertiesFormat := resp.WebApplicationFirewallPolicyPropertiesFormat; webApplicationFirewallPolicyPropertiesFormat != nil { - if err := d.Set("custom_rule", flattenArmWebApplicationFirewallPolicyWebApplicationFirewallCustomRule(webApplicationFirewallPolicyPropertiesFormat.CustomRules)); err != nil { + if err := d.Set("custom_rules", flattenArmWebApplicationFirewallPolicyWebApplicationFirewallCustomRule(webApplicationFirewallPolicyPropertiesFormat.CustomRules)); err != nil { return fmt.Errorf("Error setting `custom_rules`: %+v", err) } if err := d.Set("policy_settings", flattenArmWebApplicationFirewallPolicyPolicySettings(webApplicationFirewallPolicyPropertiesFormat.PolicySettings)); err != nil { - return fmt.Errorf("Error setting `policy_setting`: %+v", err) + return fmt.Errorf("Error setting `policy_settings`: %+v", err) } if err := d.Set("managed_rules", flattenArmWebApplicationFirewallPolicyManagedRulesDefinition(webApplicationFirewallPolicyPropertiesFormat.ManagedRules)); err != nil { - return fmt.Errorf("Error setting `managed_rule`: %+v", err) + return fmt.Errorf("Error setting `managed_rules`: %+v", err) } if err := d.Set("managed_rules", flattenArmWebApplicationFirewallPolicyManagedRulesDefinition(webApplicationFirewallPolicyPropertiesFormat.ManagedRules)); err != nil { return fmt.Errorf("Error setting `managed_rules`: %+v", err) @@ -388,7 +388,7 @@ func expandArmWebApplicationFirewallPolicyWebApplicationFirewallCustomRule(input name := v["name"].(string) priority := v["priority"].(int) ruleType := v["rule_type"].(string) - matchConditions := v["match_condition"].([]interface{}) + matchConditions := v["match_conditions"].([]interface{}) action := v["action"].(string) result := network.WebApplicationFirewallCustomRule{ 
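Review bot: The revert in `@@ -335,14 +335,14 @@` puts the key names and error messages back, but the new side still contains two consecutive `if err := d.Set("managed_rules", flattenArmWebApplicationFirewallPolicyManagedRulesDefinition(webApplicationFirewallPolicyPropertiesFormat.ManagedRules)); err != nil { … }` blocks, the second of which is a pure duplicate of the first. Drop the trailing copy (the three context lines after the first `}`), leaving a single `managed_rules` set per read. As written the duplicate is harmless to state but doubles the flatten work and will confuse the next person diffing Read against the schema. The enclosing `resourceArmWebApplicationFirewallPolicyRead` starts outside the hunk.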
@@ -517,7 +517,7 @@ func expandArmWebApplicationFirewallPolicyMatchCondition(input []interface{}) *[ results := make([]network.MatchCondition, 0) for _, item := range input { v := item.(map[string]interface{}) - matchVariables := v["match_variable"].([]interface{}) + matchVariables := v["match_variables"].([]interface{}) operator := v["operator"].(string) negationCondition := v["negation_condition"].(bool) matchValues := v["match_values"].([]interface{}) @@ -564,7 +564,7 @@ func flattenArmWebApplicationFirewallPolicyWebApplicationFirewallCustomRule(inpu v["name"] = *name } v["action"] = string(item.Action) - v["match_condition"] = flattenArmWebApplicationFirewallPolicyMatchCondition(item.MatchConditions) + v["match_conditions"] = flattenArmWebApplicationFirewallPolicyMatchCondition(item.MatchConditions) if priority := item.Priority; priority != nil { v["priority"] = int(*priority) } @@ -689,7 +689,7 @@ func flattenArmWebApplicationFirewallPolicyMatchCondition(input *[]network.Match v := make(map[string]interface{}) v["match_values"] = utils.FlattenStringSlice(item.MatchValues) - v["match_variable"] = flattenArmWebApplicationFirewallPolicyMatchVariable(item.MatchVariables) + v["match_variables"] = flattenArmWebApplicationFirewallPolicyMatchVariable(item.MatchVariables) if negationCondition := item.NegationConditon; negationCondition != nil { v["negation_condition"] = *negationCondition } diff --git a/website/docs/r/web_application_firewall_policy.html.markdown b/website/docs/r/web_application_firewall_policy.html.markdown index 4f7c0105566a..b1ee28367c72 100644 --- a/website/docs/r/web_application_firewall_policy.html.markdown +++ b/website/docs/r/web_application_firewall_policy.html.markdown 
@@ -23,13 +23,13 @@ resource "azurerm_web_application_firewall_policy" "example" { resource_group_name = azurerm_resource_group.example.name location = azurerm_resource_group.example.location - custom_rule { + custom_rules { name = "Rule1" priority = 1 rule_type = "MatchRule" - match_condition { - match_variable { + match_conditions { + match_variables { variable_name = "RemoteAddr" } @@ -41,13 +41,13 @@ resource "azurerm_web_application_firewall_policy" "example" { action = "Block" } - custom_rule { + custom_rules { name = "Rule2" priority = 2 rule_type = "MatchRule" - match_condition { - match_variable { + match_conditions { + match_variables { variable_name = "RemoteAddr" } @@ -56,8 +56,8 @@ resource "azurerm_web_application_firewall_policy" "example" { match_values = ["192.168.1.0/24"] } - match_condition { - match_variable { + match_conditions { + match_variables { variable_name = "RequestHeaders" selector = "UserAgent" } From 94b5e9d43bb4c880491850c2d3ee5ca3c5055e7b Mon Sep 17 00:00:00 2001 From: Sune Keller Date: Mon, 20 Apr 2020 14:23:57 +0200 Subject: [PATCH 16/16] Fix indentation Signed-off-by: Sune Keller --- .../resource_arm_web_application_firewall_policy_test.go | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/azurerm/internal/services/network/tests/resource_arm_web_application_firewall_policy_test.go b/azurerm/internal/services/network/tests/resource_arm_web_application_firewall_policy_test.go index 589d2fbd5560..8df8d533dd92 100644 --- a/azurerm/internal/services/network/tests/resource_arm_web_application_firewall_policy_test.go +++ b/azurerm/internal/services/network/tests/resource_arm_web_application_firewall_policy_test.go @@ -244,6 +244,11 @@ resource "azurerm_web_application_firewall_policy" "test" { version = "3.1" } } + + policy_settings { + enabled = true + mode = "Detection" + } } `, data.RandomInteger, data.Locations.Primary, data.RandomInteger) }
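Review bot: The commit subject "Fix indentation" does not describe the `@@ -244,6 +244,11 @@` hunk, which adds a `policy_settings { enabled = true  mode = "Detection" }` block to the acceptance-test fixture rather than re-indenting anything; a subject such as `Add policy_settings to managed_rules test fixture` would keep the history searchable. If the block was added because `policy_settings` became required by an earlier patch in the series, that is not visible here and is worth stating in the message. Detection mode presumably logs rather than blocks, which is fine for a fixture, but a sibling case using Prevention mode would also exercise the enforcing configuration. The enclosing test-config function starts outside the hunk.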