From ccd10bfc765ff6d6f3238804688f97d01ab5a23c Mon Sep 17 00:00:00 2001
From: zjhe
Date: Fri, 24 Jan 2025 19:23:46 +0800
Subject: [PATCH] add microsoft_network_applicationGateways_sku_name rule
---
 ...ork_applicationGateways_sku_name.mock.json | 91 +++++++++++++++++++
 ..._network_applicationGateways_sku_name.rego | 21 +++++
 policy/common/avm.utils.rego | 6 ++
 3 files changed, 118 insertions(+)
 create mode 100644 policy/Azure-Proactive-Resiliency-Library-v2/azapi/network/microsoft_network_applicationGateways_sku_name.mock.json
 create mode 100644 policy/Azure-Proactive-Resiliency-Library-v2/azapi/network/microsoft_network_applicationGateways_sku_name.rego
diff --git a/policy/Azure-Proactive-Resiliency-Library-v2/azapi/network/microsoft_network_applicationGateways_sku_name.mock.json b/policy/Azure-Proactive-Resiliency-Library-v2/azapi/network/microsoft_network_applicationGateways_sku_name.mock.json
new file mode 100644
index 0000000..dc88894
--- /dev/null
+++ b/policy/Azure-Proactive-Resiliency-Library-v2/azapi/network/microsoft_network_applicationGateways_sku_name.mock.json
@@ -0,0 +1,91 @@
+{
+ "mock": {
+ "Standard_v2": {
+ "resource_changes": [
+ {
+ "address": "azapi_resource.gw",
+ "mode": "managed",
+ "type": "azapi_resource",
+ "name": "gw",
+ "provider_name": "registry.terraform.io/azure/azapi",
+ "change": {
+ "actions": [
+ "create"
+ ],
+ "after": {
+ "body": {
+ "properties": {
+ "sku": {
+ "capacity": 2,
+ "name": "Standard_v2",
+ "tier": "Standard_v2"
+ }
+ }
+ },
+ "name": "example-appgateway",
+ "type": "Microsoft.Network/applicationGateways@2024-03-01"
+ }
+ }
+ }
+ ]
+ },
+ "WAF_v2": {
+ "resource_changes": [
+ {
+ "address": "azapi_resource.gw",
+ "mode": "managed",
+ "type": "azapi_resource",
+ "name": "gw",
+ "provider_name": "registry.terraform.io/azure/azapi",
+ "change": {
+ "actions": [
+ "create"
+ ],
+ "after": {
+ "body": {
+ "properties": {
+ "sku": {
+ "capacity": 2,
+ "name": "WAF_v2",
+ "tier": "WAF_v2"
+ }
+ }
+ },
+ "name": "example-appgateway",
+ "type": "Microsoft.Network/applicationGateways@2024-03-01"
+ }
+ }
+ }
+ ]
+ },
+ "invalid_basic": {
+ "resource_changes": [
+ {
+ "address": "azapi_resource.gw",
+ "mode": "managed",
+ "type": "azapi_resource",
+ "name": "gw",
+ "provider_name": "registry.terraform.io/azure/azapi",
+ "change": {
+ "actions": [
+ "create"
+ ],
+ "after": {
+ "body": {
+ "properties": {
+ "sku": {
+ "capacity": 2,
+ "name": "Basic",
+ "tier": "Basic"
+ }
+ }
+ },
+ "name": "example-appgateway",
+ "type": "Microsoft.Network/applicationGateways@2024-03-01"
+ }
+ }
+ }
+ ]
+ }
+ }
+}
diff --git a/policy/Azure-Proactive-Resiliency-Library-v2/azapi/network/microsoft_network_applicationGateways_sku_name.rego b/policy/Azure-Proactive-Resiliency-Library-v2/azapi/network/microsoft_network_applicationGateways_sku_name.rego
new file mode 100644
index 0000000..cf51c01
--- /dev/null
+++ b/policy/Azure-Proactive-Resiliency-Library-v2/azapi/network/microsoft_network_applicationGateways_sku_name.rego
@@ -0,0 +1,21 @@
+package Azure_Proactive_Resiliency_Library_v2.azurerm_application_gateway
+
+valid_azapi_sku(resource) {
+ resource.change.after.body.properties.sku.name == "Standard_v2"
+}
+
+valid_azapi_sku(resource) {
+ resource.change.after.body.properties.sku.name == "WAF_v2"
+}
+
+deny[reason] {
+ tfplan := data.utils.tfplan(input)
+ resource := tfplan.resource_changes[_]
+ resource.mode == "managed"
+ resource.type == "azapi_resource"
+ data.utils.azapi_resource_type_equals(resource.change.after, "Microsoft.Network/applicationGateways")
+ data.utils.is_create_or_update(resource.change.actions)
+ not valid_azapi_sku(resource)
+
+ reason := sprintf("Azure-Proactive-Resiliency-Library-v2: '%s' `azapi_resource` must have 'body.properties.sku.name' set to 'Standard_v2' or 'WAF_v2': https://azure.github.io/Azure-Proactive-Resiliency-Library-v2/azure-resources/Network/applicationGateways/#migrate-to-application-gateway-v2", [resource.address])
+}
\ No newline at end of file
diff --git a/policy/common/avm.utils.rego b/policy/common/avm.utils.rego
index 1c5d8f9..10ee22e 100644
--- a/policy/common/avm.utils.rego
+++ b/policy/common/avm.utils.rego
@@ -8,4 +8,10 @@ tfplan(d) = output {
 tfplan(d) = output {
 not d.plan.resource_changes
 output := d
+}
+
+azapi_resource_type_equals(resource, type) {
+ regex.match(sprintf(`^%s@`, type), resource.type)
+} else = false {
+ true
 }
\ No newline at end of file
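Review bot: `not valid_azapi_sku(resource)` is true not only when `sku.name` holds a third value but also whenever the path `change.after.body.properties.sku.name` is undefined, so a plan whose `body` omits the SKU, or whose `body` is not an object at all, is denied too; nothing in the hunk says whether that fail-closed behaviour is intended, and the mock file only exercises the three explicit values. A comment on that line would make the contract explicit, e.g. `# an absent or non-object sku also denies: the v2 SKU must be stated explicitly (fail closed)`. The two `valid_azapi_sku` bodies compare the name case-sensitively; that is presumably fine if the plan carries the canonical ARM casing, but worth confirming against real azapi plans.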
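Review bot: `sprintf(`^%s@`, type)` in `azapi_resource_type_equals` passes `type` directly as the values operand, but Rego's `sprintf` takes an array there (the `deny` rule in the new .rego file correctly writes `[resource.address]`); the new caller passes a plain string, so depending on OPA's builtin-error setting the call either errors or is undefined, the function falls through to `else = false`, and the new `deny` rule never produces a result. Wrapping the operand, `sprintf(`^%s@`, [type])`, fixes the call, but `type` is then still interpolated into a regular expression unescaped, so the `.` in `Microsoft.Network` matches any character; a plain prefix test avoids both problems: `startswith(resource.type, concat("", [type, "@"]))`. With that form the `else = false` arm adds nothing, since an undefined result already fails the caller's rule body, and the helper could be a single-body function.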