azurerm_nginx_deployment - support NGINX App Protect WAF #27454

Open
wants to merge 6 commits into
base: main

arpith-f5
Contributor

Community Note

  • Please vote on this PR by adding a 👍 reaction to the original PR to help the community and maintainers prioritize for review
  • Please do not leave comments along the lines of "+1", "me too" or "any updates", they generate extra noise for PR followers and do not help prioritize for review

Description

NGINXaaS now supports NGINX App Protect WAF. In order to use WAF, customers need to explicitly enable it while creating/updating their NGINXaaS deployment. This commit includes changes to support a new block nginx_app_protect in the azurerm_nginx_deployment resource to enable/disable WAF while creating or updating an NGINXaaS deployment.

PR Checklist

  • I have followed the guidelines in our Contributing Documentation.
  • I have checked to ensure there aren't other open Pull Requests for the same update/change.
  • I have checked if my changes close any open issues. If so please include appropriate closing keywords below.
  • I have updated/added Documentation as required written in a helpful and kind way to assist users that may be unfamiliar with the resource / data source.
  • I have used a meaningful PR title to help maintainers and other users understand this change and help prevent duplicate work.
    For example: “resource_name_here - description of change e.g. adding property new_property_name_here”

Changes to existing Resource / Data Source

  • I have added an explanation of what my changes do and why I'd like you to include them (This may be covered by linking to an issue above, but may benefit from additional explanation).
  • I have written new tests for my resource or datasource changes & updated any relevant documentation.
  • I have successfully run tests with my changes locally. If not, please provide details on testing challenges that prevented you running the tests.
  • (For changes that include a state migration only). I have manually tested the migration path between relevant versions of the provider.

Testing

  • My submission includes Test coverage as described in the Contribution Guide and the tests pass. (if this is not possible for any reason, please include details of why you did or could not add test coverage)

Manually tested create and update of an NGINXaaS deployment with WAF enabled/disabled

Change Log

Below please provide what should go into the changelog (if anything) conforming to the Changelog Format documented here.

  • azurerm_nginx_deployment - support NGINX App Protect WAF

This is a (please select all that apply):

  • Bug Fix
  • New Feature (ie adding a service, resource, or data source)
  • Enhancement
  • Breaking Change

Related Issue(s)

Note

If this PR changes meaningfully during the course of review please update the title and description as required.

NGINXaaS now supports NGINX App Protect WAF. This commit includes changes to enable/disable WAF while creating or updating an NGINXaaS deployment.
@arpith-f5 arpith-f5 changed the title from "NGINXaaS App Protect" to "azurerm_nginx_deployment - support NGINX App Protect WAF" on Sep 20, 2024
@puneetsarna
Contributor

Looks like some vendor checks are failing?

@puneetsarna
Contributor

I like the newly flattened structure (less nested) to invoke this new feature as well 👍

@arpith-f5
Contributor Author

Hi @katbyte @stephybun, when you get time would you be able to take a look at this PR? Thanks in advance!

Collaborator

@katbyte katbyte left a comment

Hi, we have a test failure needing fixing:

------- Stdout: -------
=== RUN   TestAccNginxDeploymentDataSource_nginxappprotect
=== PAUSE TestAccNginxDeploymentDataSource_nginxappprotect
=== CONT  TestAccNginxDeploymentDataSource_nginxappprotect
    testcase.go:173: Step 1/1 error: Error running apply: exit status 1
        
        Error: scaling is required for `sku` 'standardv2_Monthly', please provide `capacity` or `auto_scale_profiles`
        
          with azurerm_nginx_deployment.test,
          on terraform_plugin_test.tf line 75, in resource "azurerm_nginx_deployment" "test":
          75: resource "azurerm_nginx_deployment" "test" {
        
        scaling is required for `sku` 'standardv2_Monthly', please provide `capacity`
        or `auto_scale_profiles`
--- FAIL: TestAccNginxDeploymentDataSource_nginxappprotect (92.49s)
FAIL

@puneetsarna
Copy link
Contributor

Hi @katbyte!! I see @arpith-f5 pushed a fix for the test. Can you please re-run the tests and see if the issue persists?

Collaborator

@katbyte katbyte left a comment

Thanks for the PR @arpith-f5 - I've given it a quick review and made some schema suggestions. Let me know what you think.

@@ -194,10 +196,74 @@ func (m DeploymentDataSource) Attributes() map[string]*pluginsdk.Schema {
Computed: true,
},

"web_application_firewall_settings": {
Collaborator

settings is redundant, so we can remove it to also be more consistent with the rest of the provider

Suggested change
"web_application_firewall_settings": {
"web_application_firewall": {

Contributor

@puneetsarna puneetsarna Nov 5, 2024

I think this should be fine but the swagger calls it WebApplicationFirewallSettings and so that translates here fine in the client.

We can also check what we are doing for other client tools and keep the provider consistent with that as well to provide a uniform experience.

Contributor Author

@arpith-f5 arpith-f5 Nov 5, 2024

@katbyte I have been following the approach of keeping the provider consistent with the swagger spec, which is the reason for using web_application_firewall_settings, activation_state and having the activation_state be an enum instead of a bool as per the swagger spec. I think deviating from the swagger spec will cause more confusion for users, so I would prefer to use the same naming. Do let me know if the provider has a different set of naming conventions that it needs to follow.

@@ -262,6 +285,24 @@ func (m DeploymentResource) Arguments() map[string]*pluginsdk.Schema {
}, false),
},

"web_application_firewall_settings": {
Collaborator

settings is redundant, so we can remove it to also be more consistent with the rest of the provider

Suggested change
"web_application_firewall_settings": {
"web_application_firewall": {

Optional: true,
Elem: &pluginsdk.Resource{
Schema: map[string]*pluginsdk.Schema{
"activation_state": {
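
Review bot: `web_application_firewall_settings` is declared `Optional: true` in this hunk, but nothing visible here says what state the deployment ends up in when the block is omitted or later removed from an existing configuration. Because this block controls whether the WAF is active, the resource documentation should state that outcome explicitly, so that dropping the block from a configuration is not mistaken for a no-op.
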
Collaborator

if the block becomes web_application_firewall this would be better as activated or enabled? which would make it more consistent with the rest of the provider

Collaborator

additionally is this the only setting that will be here or will there be further items

Contributor

I am fine with either naming convention but would prefer what's already there as the WAF experience sounds fine to me. Will sync up with @arpith-f5 once to see if we want to change this.

@@ -351,6 +392,19 @@ func (m DeploymentResource) Attributes() map[string]*pluginsdk.Schema {
Type: pluginsdk.TypeString,
Computed: true,
},

"web_application_firewall_status": {
Collaborator

if the above block becomes web_application_firewall this could go inside as web_application_firewall.status.x ?

Collaborator

it could even be web_application_firewall.package_status.x and then web_application_firewall.component_versions

Contributor Author

I initially wanted to follow this approach of nesting the status inside the web_application_firewall block but the problem I encountered is that the status needs to be an attribute but settings is an argument. I didn't find a good way to have them both in the same block. Do you have any suggestions on how to do that?

Comment on lines +294 to +300
Type: pluginsdk.TypeString,
Required: true,
ValidateFunc: validation.StringInSlice(
[]string{
"Enabled",
"Disabled",
}, false),
Collaborator

this is a bool? so we should

Suggested change
Type: pluginsdk.TypeString,
Required: true,
ValidateFunc: validation.StringInSlice(
[]string{
"Enabled",
"Disabled",
}, false),
Type: pluginsdk.TypeBool,
Required: true,

and then in the provider code translate true/false to Enabled Disabled, unless there is going to be a 3rd state here?

Contributor

The state is an enum.

internal/services/nginx/nginx_deployment_resource.go (outdated, resolved)

@arpith-f5 arpith-f5 requested a review from a team as a code owner November 5, 2024 19:24