New Resource: Front Door Firewall Policy (#4125)

[fixes: #3186 ]

azurerm/internal/services/frontdoor/client.go

@@ -8,6 +8,7 @@ import (
 type Client struct {
 	FrontDoorsClient         *frontdoor.FrontDoorsClient
 	FrontDoorsFrontendClient *frontdoor.FrontendEndpointsClient
+	FrontDoorsPolicyClient   *frontdoor.PoliciesClient
 }
 
 func BuildClient(o *common.ClientOptions) *Client {
@@ -17,8 +18,12 @@ func BuildClient(o *common.ClientOptions) *Client {
 	frontDoorsFrontendClient := frontdoor.NewFrontendEndpointsClientWithBaseURI(o.ResourceManagerEndpoint, o.SubscriptionId)
 	o.ConfigureClient(&frontDoorsFrontendClient.Client, o.ResourceManagerAuthorizer)
 
+	frontDoorsPolicyClient := frontdoor.NewPoliciesClientWithBaseURI(o.ResourceManagerEndpoint, o.SubscriptionId)
+	o.ConfigureClient(&frontDoorsPolicyClient.Client, o.ResourceManagerAuthorizer)
+
 	return &Client{
 		FrontDoorsClient:         &frontDoorsClient,
 		FrontDoorsFrontendClient: &frontDoorsFrontendClient,
+		FrontDoorsPolicyClient:   &frontDoorsPolicyClient,
 	}
 }

azurerm/internal/services/frontdoor/helper.go

@@ -75,6 +75,7 @@ func GetFrontDoorBasicRouteConfigurationType(i interface{}) string {
 		return "ForwardingConfiguration"
 	}
 }
+
 func VerifyRoutingRuleFrontendEndpoints(routingRuleFrontends []interface{}, configFrontendEndpoints []interface{}) error {
 	for _, routingRuleFrontend := range routingRuleFrontends {
 		// Get the name of the frontend defined in the routing rule
@@ -178,3 +179,25 @@ func VerifyCustomHttpsConfiguration(configFrontendEndpoints []interface{}) error
 
 	return nil
 }
+
+func FlattenTransformSlice(input *[]frontdoor.TransformType) []interface{} {
+	result := make([]interface{}, 0)
+
+	if input != nil {
+		for _, item := range *input {
+			result = append(result, string(item))
+		}
+	}
+	return result
+}
+
+func FlattenFrontendEndpointLinkSlice(input *[]frontdoor.FrontendEndpointLink) []interface{} {
+	result := make([]interface{}, 0)
+
+	if input != nil {
+		for _, item := range *input {
+			result = append(result, *item.ID)
+		}
+	}
+	return result
+}

azurerm/internal/services/frontdoor/validate.go

@@ -23,6 +23,14 @@ func ValidateBackendPoolRoutingRuleName(i interface{}, k string) (_ []string, er
 	return nil, errors
 }
 
+func ValidateCustomBlockResponseBody(i interface{}, k string) (_ []string, errors []error) {
+	if m, regexErrs := validate.RegExHelper(i, k, `^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$`); !m {
+		errors = append(regexErrs, fmt.Errorf(`%q contains invalid characters, %q must contain only alphanumeric and equals sign characters.`, k, k))
+	}
+
+	return nil, errors
+}
+
 func ValidateFrontdoorSettings(d *schema.ResourceDiff) error {
 	routingRules := d.Get("routing_rule").([]interface{})
 	configFrontendEndpoints := d.Get("frontend_endpoint").([]interface{})

azurerm/provider.go

@@ -262,6 +262,7 @@ func Provider() terraform.ResourceProvider {
 		"azurerm_firewall_network_rule_collection":                   resourceArmFirewallNetworkRuleCollection(),
 		"azurerm_firewall":                                           resourceArmFirewall(),
 		"azurerm_frontdoor":                                          resourceArmFrontDoor(),
+		"azurerm_frontdoor_firewall_policy":                          resourceArmFrontDoorFirewallPolicy(),
 		"azurerm_function_app":                                       resourceArmFunctionApp(),
 		"azurerm_hdinsight_hadoop_cluster":                           resourceArmHDInsightHadoopCluster(),
 		"azurerm_hdinsight_hbase_cluster":                            resourceArmHDInsightHBaseCluster(),

azurerm/resource_arm_front_door.go

@@ -378,6 +378,10 @@ func resourceArmFrontDoor() *schema.Resource {
 							Type:     schema.TypeBool,
 							Required: true,
 						},
+						"web_application_firewall_policy_link_id": {
+							Type:     schema.TypeString,
+							Optional: true,
+						},
 						"custom_https_configuration": {
 							Type:     schema.TypeList,
 							Optional: true,
@@ -786,6 +790,7 @@ func expandArmFrontDoorFrontendEndpoint(input []interface{}, frontDoorPath strin
 		isSessionAffinityEnabled := frontendEndpoint["session_affinity_enabled"].(bool)
 		sessionAffinityTtlSeconds := int32(frontendEndpoint["session_affinity_ttl_seconds"].(int))
 		customHttpsConfiguration := frontendEndpoint["custom_https_configuration"].([]interface{})
+		waf := frontendEndpoint["web_application_firewall_policy_link_id"].(string)
 		name := frontendEndpoint["name"].(string)
 		id := utils.String(frontDoorPath + "/FrontendEndpoints/" + name)
 
@@ -805,6 +810,12 @@ func expandArmFrontDoorFrontendEndpoint(input []interface{}, frontDoorPath strin
 			},
 		}
 
+		if waf != "" {
+			result.FrontendEndpointProperties.WebApplicationFirewallPolicyLink = &frontdoor.FrontendEndpointUpdateParametersWebApplicationFirewallPolicyLink{
+				ID: utils.String(waf),
+			}
+		}
+
 		output = append(output, result)
 	}
 
@@ -1183,17 +1194,17 @@ func flattenArmFrontDoorFrontendEndpoint(input *[]frontdoor.FrontendEndpoint, re
 				}
 
 				if sessionAffinityEnabled := properties.SessionAffinityEnabledState; sessionAffinityEnabled != "" {
-					if sessionAffinityEnabled == frontdoor.SessionAffinityEnabledStateEnabled {
-						result["session_affinity_enabled"] = true
-					} else {
-						result["session_affinity_enabled"] = false
-					}
+					result["session_affinity_enabled"] = sessionAffinityEnabled == frontdoor.SessionAffinityEnabledStateEnabled
 				}
 
 				if sessionAffinityTtlSeconds := properties.SessionAffinityTTLSeconds; sessionAffinityTtlSeconds != nil {
 					result["session_affinity_ttl_seconds"] = *sessionAffinityTtlSeconds
 				}
 
+				if waf := properties.WebApplicationFirewallPolicyLink; waf != nil {
+					result["web_application_firewall_policy_link_id"] = *waf.ID
+				}
+
 				if properties.CustomHTTPSConfiguration != nil {
 					customHTTPSConfiguration := properties.CustomHTTPSConfiguration
 					if customHTTPSConfiguration.CertificateSource == frontdoor.CertificateSourceAzureKeyVault {