Including #28726

* Initial Check-In...

* Fix lint error...

* Update test case names...

* Mostly working now, need to fix one test...

* Fix lint error...

* Add test cases and CustomizeDiffShim...

* Add custom_rule definition to jsChallengePolicyStandardSku test case...

* Fix error return value...

* Slightly tweak documentation and expose a CustomizeDiffShim for JSChallenge policy validation...

* Add test case for invalid JSChallenge Policy...

* Update tests...

* Update documentation...

* Format documentation...

* Address PR comments...

Author: WodansSon

internal/services/cdn/cdn_frontdoor_firewall_policy_data_source_test.go

@@ -28,13 +28,13 @@ func TestAccCdnFrontDoorFirewallPolicyDataSource_basic(t *testing.T) {
 	})
 }
 
-func TestAccCdnFrontDoorFirewallPolicyDataSourceJsChallenge_basic(t *testing.T) {
+func TestAccCdnFrontDoorFirewallPolicyDataSource_jsChallengeBasic(t *testing.T) {
 	data := acceptance.BuildTestData(t, "data.azurerm_cdn_frontdoor_firewall_policy", "test")
 	d := CdnFrontDoorFirewallPolicyDataSource{}
 
 	data.DataSourceTest(t, []acceptance.TestStep{
 		{
-			Config: d.basicJsChallenge(data),
+			Config: d.jsChallengePolicyBasic(data),
 			Check: acceptance.ComposeTestCheckFunc(
 				check.That(data.ResourceName).Key("redirect_url").MatchesOtherKey(check.That("azurerm_cdn_frontdoor_firewall_policy.test").Key("redirect_url")),
 				check.That(data.ResourceName).Key("js_challenge_cookie_expiration_in_minutes").HasValue("45"),
@@ -54,13 +54,13 @@ data "azurerm_cdn_frontdoor_firewall_policy" "test" {
 `, CdnFrontDoorFirewallPolicyResource{}.basic(data))
 }
 
-func (CdnFrontDoorFirewallPolicyDataSource) basicJsChallenge(data acceptance.TestData) string {
+func (CdnFrontDoorFirewallPolicyDataSource) jsChallengePolicyBasic(data acceptance.TestData) string {
 	return fmt.Sprintf(`
 %s
 
 data "azurerm_cdn_frontdoor_firewall_policy" "test" {
   name                = azurerm_cdn_frontdoor_firewall_policy.test.name
   resource_group_name = azurerm_resource_group.test.name
 }
-`, CdnFrontDoorFirewallPolicyResource{}.basicJsChallenge(data))
+`, CdnFrontDoorFirewallPolicyResource{}.jSChallengePolicyBasic(data))
 }

internal/services/cdn/cdn_frontdoor_firewall_policy_resource.go

@@ -4,6 +4,7 @@
 package cdn
 
 import (
+	"context"
 	"fmt"
 	"strconv"
 	"strings"
@@ -79,11 +80,12 @@ func resourceCdnFrontDoorFirewallPolicy() *pluginsdk.Resource {
 			},
 
 			// NOTE: Through local testing, the new API js challenge expiration is always
-			// enabled no matter what and cannot be disabled...
+			// enabled no matter what and cannot be disabled for Premium_AzureFrontDoor
+			// and is not supported in Standard_AzureFrontDoor...
 			"js_challenge_cookie_expiration_in_minutes": {
 				Type:         pluginsdk.TypeInt,
 				Optional:     true,
-				Default:      30,
+				Computed:     true,
 				ValidateFunc: validation.IntBetween(5, 1440),
 			},
 
@@ -458,6 +460,61 @@ func resourceCdnFrontDoorFirewallPolicy() *pluginsdk.Resource {
 
 			"tags": commonschema.Tags(),
 		},
+
+		CustomizeDiff: pluginsdk.CustomDiffWithAll(
+			// Verify that they are not downgrading the service from Premium SKU -> Standard SKU...
+			pluginsdk.CustomizeDiffShim(func(ctx context.Context, diff *pluginsdk.ResourceDiff, v interface{}) error {
+				oSku, nSku := diff.GetChange("sku_name")
+
+				if oSku != "" {
+					if oSku.(string) == string(waf.SkuNamePremiumAzureFrontDoor) && nSku.(string) == string(waf.SkuNameStandardAzureFrontDoor) {
+						return fmt.Errorf("downgrading from the %q sku to the %q sku is not supported, got %q", waf.SkuNamePremiumAzureFrontDoor, waf.SkuNameStandardAzureFrontDoor, nSku.(string))
+					}
+				}
+
+				return nil
+			}),
+
+			// Verify that the Standard SKU is not setting the JSChallenge policy...
+			pluginsdk.CustomizeDiffShim(func(ctx context.Context, diff *pluginsdk.ResourceDiff, v interface{}) error {
+				sku := diff.Get("sku_name").(string)
+				policyInMinutes := diff.Get("js_challenge_cookie_expiration_in_minutes").(int)
+
+				if sku == string(waf.SkuNameStandardAzureFrontDoor) && policyInMinutes > 0 {
+					return fmt.Errorf("the 'js_challenge_cookie_expiration_in_minutes' field is only supported with the %q sku, got %q", waf.SkuNamePremiumAzureFrontDoor, sku)
+				}
+
+				return nil
+			}),
+
+			// Verify that the Standard SKU is not using managed rules...
+			pluginsdk.CustomizeDiffShim(func(ctx context.Context, diff *pluginsdk.ResourceDiff, v interface{}) error {
+				sku := diff.Get("sku_name").(string)
+				managedRules := diff.Get("managed_rule").([]interface{})
+
+				if sku == string(waf.SkuNameStandardAzureFrontDoor) && len(managedRules) > 0 {
+					return fmt.Errorf("the 'managed_rule' code block is only supported with the %q sku, got %q", waf.SkuNamePremiumAzureFrontDoor, sku)
+				}
+
+				return nil
+			}),
+
+			// Verify that the Standard SKU is not using the JSChallenge Action type for custom rules...
+			pluginsdk.CustomizeDiffShim(func(ctx context.Context, diff *pluginsdk.ResourceDiff, v interface{}) error {
+				sku := diff.Get("sku_name").(string)
+				customRules := expandCdnFrontDoorFirewallCustomRules(diff.Get("custom_rule").([]interface{}))
+
+				if sku == string(waf.SkuNameStandardAzureFrontDoor) && customRules != nil {
+					for _, v := range *customRules.Rules {
+						if v.Action == waf.ActionTypeJSChallenge {
+							return fmt.Errorf("'custom_rule' blocks with the 'action' type of 'JSChallenge' are only supported for the %q sku, got action: %q (custom_rule.name: %q, sku_name: %q)", waf.SkuNamePremiumAzureFrontDoor, waf.ActionTypeJSChallenge, *v.Name, sku)
+						}
+					}
+				}
+
+				return nil
+			}),
+		),
 	}
 }
 
@@ -498,7 +555,6 @@ func resourceCdnFrontDoorFirewallPolicyCreate(d *pluginsdk.ResourceData, meta in
 	sku := d.Get("sku_name").(string)
 	mode := waf.PolicyMode(d.Get("mode").(string))
 	redirectUrl := d.Get("redirect_url").(string)
-	jsChallengeExpirationInMinutes := int64(d.Get("js_challenge_cookie_expiration_in_minutes").(int))
 	customBlockResponseStatusCode := d.Get("custom_block_response_status_code").(int)
 	customBlockResponseBody := d.Get("custom_block_response_body").(string)
 	customRules := d.Get("custom_rule").([]interface{})
@@ -518,16 +574,29 @@ func resourceCdnFrontDoorFirewallPolicyCreate(d *pluginsdk.ResourceData, meta in
 		},
 		Properties: &waf.WebApplicationFirewallPolicyProperties{
 			PolicySettings: &waf.PolicySettings{
-				EnabledState:                           pointer.To(enabled),
-				Mode:                                   pointer.To(mode),
-				RequestBodyCheck:                       pointer.To(requestBodyCheck),
-				JavascriptChallengeExpirationInMinutes: pointer.To(jsChallengeExpirationInMinutes),
+				EnabledState:     pointer.To(enabled),
+				Mode:             pointer.To(mode),
+				RequestBodyCheck: pointer.To(requestBodyCheck),
 			},
 			CustomRules: expandCdnFrontDoorFirewallCustomRules(customRules),
 		},
 		Tags: tags.Expand(d.Get("tags").(map[string]interface{})),
 	}
 
+	// NOTE: JS Challenge Expiration policy is enabled by default on Premium SKU's with a default of
+	// 30 minutes, if it is not in the config set the default and include it in the policy settings
+	// payload block...
+	if sku == string(waf.SkuNamePremiumAzureFrontDoor) {
+		// Set the Default value...
+		jsChallengeExpirationInMinutes := 30
+
+		if v, ok := d.GetOk("js_challenge_cookie_expiration_in_minutes"); ok {
+			jsChallengeExpirationInMinutes = v.(int)
+		}
+
+		payload.Properties.PolicySettings.JavascriptChallengeExpirationInMinutes = pointer.FromInt64(int64(jsChallengeExpirationInMinutes))
+	}
+
 	if managedRules != nil {
 		payload.Properties.ManagedRules = managedRules
 	}
@@ -592,10 +661,22 @@ func resourceCdnFrontDoorFirewallPolicyUpdate(d *pluginsdk.ResourceData, meta in
 		}
 
 		props.PolicySettings = &waf.PolicySettings{
-			EnabledState:                           pointer.To(enabled),
-			Mode:                                   pointer.To(waf.PolicyMode(d.Get("mode").(string))),
-			RequestBodyCheck:                       pointer.To(requestBodyCheck),
-			JavascriptChallengeExpirationInMinutes: pointer.To(int64(d.Get("js_challenge_cookie_expiration_in_minutes").(int))),
+			EnabledState:     pointer.To(enabled),
+			Mode:             pointer.To(waf.PolicyMode(d.Get("mode").(string))),
+			RequestBodyCheck: pointer.To(requestBodyCheck),
+		}
+
+		// NOTE: js_challenge_cookie_expiration_in_minutes is only valid for
+		// Premium_AzureFrontDoor skus...
+		if model.Sku != nil && *model.Sku.Name == waf.SkuNamePremiumAzureFrontDoor {
+			// Set the Default value...
+			jsChallengeExpirationInMinutes := 30
+
+			if v, ok := d.GetOk("js_challenge_cookie_expiration_in_minutes"); ok {
+				jsChallengeExpirationInMinutes = v.(int)
+			}
+
+			props.PolicySettings.JavascriptChallengeExpirationInMinutes = pointer.FromInt64(int64(jsChallengeExpirationInMinutes))
 		}
 
 		if redirectUrl := d.Get("redirect_url").(string); redirectUrl != "" {
@@ -691,7 +772,12 @@ func resourceCdnFrontDoorFirewallPolicyRead(d *pluginsdk.ResourceData, meta inte
 				d.Set("redirect_url", policy.RedirectURL)
 				d.Set("custom_block_response_status_code", int(pointer.From(policy.CustomBlockResponseStatusCode)))
 				d.Set("custom_block_response_body", policy.CustomBlockResponseBody)
-				d.Set("js_challenge_cookie_expiration_in_minutes", int(pointer.From(policy.JavascriptChallengeExpirationInMinutes)))
+
+				// NOTE: js_challenge_cookie_expiration_in_minutes is only returned
+				// for Premium_AzureFrontDoor skus, else it will be 'nil'...
+				if policy.JavascriptChallengeExpirationInMinutes != nil {
+					d.Set("js_challenge_cookie_expiration_in_minutes", int(pointer.From(policy.JavascriptChallengeExpirationInMinutes)))
+				}
 			}
 		}