Redefine WAF provisioning to include disabled rules defined in TOML file

[jwadolowski]

At the moment waflyctl doesn't allow me to promote waflyctl.toml in a batch mode. My goal is to reuse VCL delivery model for WAF config - store it in Git, version and promote across environments.

Here's how my waflyctl.toml looks like:

logpath = "/tmp/waflyctl.log"
apiendpoint = "https://api.fastly.com"
tags = ["application-multi"]
publisher = ["owasp", "fastly"]
action = "block"
rules = []
disabledrules = [
    920272, # Invalid character in request (outside of printable chars below ascii 127)
    # ...
]

[owasp]
    AllowedHTTPVersions = "HTTP/1.0 HTTP/1.1 HTTP/2"
    AllowedMethods = "GET HEAD POST OPTIONS"
    # ...

# remaining sections have been removed on purpose, as they're managed in Terraform codebase

Disabled rules are not included while provisioning a service with waflyctl --apikey=<FASTLY_API_KEY> --serviceid=<FASTLY_SERVICE_ID> --config=</path/to/waflyctl.toml> --provision. That's not a surprise because of this comment and DefaultRuleDisabled function placement (it gets triggered only when there's no WAF attached to given service yet).

It simply means that disabledrules property is effectively ignored after initial WAF setup. The only way to disable rules is to use waflyctl --apikey=<FASTLY_API_KEY> --serviceid=<FASTLY_SERVICE_ID> --config=</path/to/waflyctl.toml> --rules=<X,Y,Z> --action=disabled.

Unfortunately, such approach is not ideal. To get it done I'd have to use the following deployment strategy:

• waflyctl --provision (set tag/publishers rules to block)
• waflyctl --rules=<X,Y,Z> --action=disabled (disable selected rules)

There's a couple of downsides here:

• 1st command unconditionally changes rules grouped into tag/publisher to given status (let's assume block). For tag-based rules that's less of a problem, as by default --force-status is false, so already disabled rules won't be changed to blocking mode. When it comes to publisher rules there's no such option - loop that goes through items fetched from /wafs/rules?filter[publisher]=<whatever> simply sets an action according to config (or CLI param).
• 2nd command disables given rules. Most likely they were turned into block mode few seconds ago, which means there's a short period of time when all rules block traffic, which is a no-go from my perspective.

Alternatively I could deploy rules on a fine-grained basis (disable rule A, B and C, then turn rules X, Y, Z into blocking mode, etc), but that kinda defeats the purpose of having waflyctl.toml file.

---

This PR respects disabledrules property during subsequent deployments. I also redefined the order in which ruleset is prepared before actual deployment (PatchRules). OWASP settings get applied at the very end of WAF provisioning.