azurerm_cdn_frontdoor_firewall_policy - add support for log_scrubbing block

[WodansSon]

Community Note

• Please vote on this PR by adding a 👍 reaction to the original PR to help the community and maintainers prioritize for review
• Please do not leave comments along the lines of "+1", "me too" or "any updates", they generate extra noise for PR followers and do not help prioritize for review

Description

• Adding support for the newly exposed log scrubbing feature exposed in the new Frontdoor WAF policies API.

PR Checklist

• I have followed the guidelines in our Contributing Documentation.
• I have checked to ensure there aren't other open Pull Requests for the same update/change.
• I have checked if my changes close any open issues. If so please include appropriate closing keywords below.
• I have updated/added Documentation as required written in a helpful and kind way to assist users that may be unfamiliar with the resource / data source.
• I have used a meaningful PR title to help maintainers and other users understand this change and help prevent duplicate work.
  For example: “resource_name_here - description of change e.g. adding property new_property_name_here”

Changes to existing Resource / Data Source

• I have added an explanation of what my changes do and why I'd like you to include them (This may be covered by linking to an issue above, but may benefit from additional explanation).
• I have written new tests for my resource or datasource changes & updated any relevant documentation.
• I have successfully run tests with my changes locally. If not, please provide details on testing challenges that prevented you running the tests.
• (For changes that include a state migration only). I have manually tested the migration path between relevant versions of the provider.

Testing

• My submission includes Test coverage as described in the Contribution Guide and the tests pass. (if this is not possible for any reason, please include details of why you did or could not add test coverage)

Change Log

Below please provide what should go into the changelog (if anything) conforming to the Changelog Format documented here.

• azurerm_cdn_frontdoor_firewall_policy - add support for the log_scrubbing code block [GH-00000]

This is a (please select all that apply):

• Bug Fix
• New Feature (ie adding a service, resource, or data source)
• Enhancement
• Breaking Change

Related Issue(s)

Fixes #28236

Note

If this PR changes meaningfully during the course of review please update the title and description as required.

[jackofallops]

Thanks @WodansSon - Just a few things to take a look at below if you could? Should be good to go when those are addressed (assuming tests pass, ofc!)

[jackofallops]

Is there a default rule / behaviour here if log_scrubbing is enabled, but no rules are defined? Just wondering, if there's no default behaviour, if these should be Required / MinItems instead to ensure the block does something?

(The test cases suggest that your design is fine, but I wanted to be sure since it's a little confusing to have this without rules?)

Suggested change

	"enabled": {
	Type: pluginsdk.TypeBool,
	Optional: true,
	Default: true,
	},
	"rule": {
	Type: pluginsdk.TypeList,
	MaxItems: 100,
	Optional: true,
	Elem: &pluginsdk.Resource{
	"enabled": {
	Type: pluginsdk.TypeBool,
	Required: true,
	},
	"rule": {
	Type: pluginsdk.TypeList,
	MaxItems: 100,
	Minitems: 1,
	Elem: &pluginsdk.Resource{

[WodansSon]

No, there isn't a default behavior, per the service team:

Correction on the behavior of the LogScrubbing state.

• If LogScrubbing State is set to Enabled but no scrubbing rules are configured, it will result in a no op (no operation).
• For log scrubbing to take effect, both the LogScrubbing State (Enabled) and at least one Scrubbing Rule with State Enabled must be configured.

[jackofallops]

This looks a little off? We're checking for empty, not nil here? To avoid a panic, should this be:

Suggested change

	// NOTE: If the 'operator' is set to 'Equals' the 'selector' cannot be 'nil'...
	if *item.Selector == "" {
	// NOTE: If the 'operator' is set to 'Equals' the 'selector' cannot be 'nil'...
	if pointer.From(item.Selector) == "" {

since we're only setting item.Selector if there's a v["selector"] value present?

[WodansSon]

Fixed.

[jackofallops]

Again here, should this be?

Suggested change

	// NOTE: If the 'operator' is set to 'EqualsAny' the 'selector' must be 'nil'...
	if *item.Selector != "" {
	// NOTE: If the 'operator' is set to 'EqualsAny' the 'selector' must be 'nil'...
	if item.Selector == nil {

[WodansSon]

Fixed.

[jackofallops]

copy paste error?

Suggested change

// NOTE: Regression test case for issue #19088

[WodansSon]

Yes sir... DOH! 🤣 Fixed.

[jackofallops]

We're pushing away from this pattern as it's unnecessary to assign the template to a var when it can be passed into the test directly. Would you mind updating these? (Just the new tests, don't worry about the others in the file, we'll be sorting this out more broadly in the future, just want to avoid more instances of it where possible. 🙈 )

Suggested change

	tmp := r.template(data)
	return fmt.Sprintf(`
	%s
	resource "azurerm_cdn_frontdoor_firewall_policy" "test" {
	name = "accTestWAF%d"
	resource_group_name = azurerm_resource_group.test.name
	sku_name = azurerm_cdn_frontdoor_profile.test.sku_name
	mode = "Prevention"
	log_scrubbing {
	enabled = true
	}
	}
	`, tmp, data.RandomInteger)
	return fmt.Sprintf(`
	%s
	resource "azurerm_cdn_frontdoor_firewall_policy" "test" {
	name = "accTestWAF%d"
	resource_group_name = azurerm_resource_group.test.name
	sku_name = azurerm_cdn_frontdoor_profile.test.sku_name
	mode = "Prevention"
	log_scrubbing {
	enabled = true
	}
	}
	`, r.template(data), data.RandomInteger)

[WodansSon]

Since I will already be in the code I might as well just update all of them. Fixed.

[jackofallops]

Suggested change

	* `rule` - (Optional) One or more `scrubbing_rule` blocks as defined below.
	* `rule` - (Optional) One or more `rule` blocks as defined below.

[WodansSon]

Same as above, the managed_rule also uses rule so I gave it a different name in the documentation trying to not confuse the end user when they are looking up what the scrubbing_rule block contains.

[jackofallops]

Thanks @WodansSon - Just a few things to take a look at below if you could? Should be good to go when those are addressed (assuming tests pass, ofc!)

[WodansSon]

Comments have been addressed...

[jackofallops]

Thanks for the changes/responses @WodansSon - Given the external limitation, I don't think we will have to suck up a deviation from naming convention for now. I think once that's done, this should be good to go. Sorry for the back-and-forth.

[jackofallops]

As noted in the docs, if this doesn't match it will be difficult/frustrating for users to work out the correct block name. Since this is a limitation of the Registry docs, I don't think we have a choice here but to deviate from the convention due to the duplication of the block name in this resource.

Suggested change

	"rule": {
	"scrubbing_rule": {

[WodansSon]

Fixed.

[WodansSon]

[jackofallops]

Thanks @WodansSon for the changes, this LGTM now 👍

[github-actions]

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active contributions.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.