Commit
feat: (IAC-276) Updated app_gateway_config to include waf_policy variable
riragh committed Feb 15, 2024
1 parent 56d92a9 commit b8e8cbe
Showing 4 changed files with 7 additions and 13 deletions.
4 changes: 2 additions & 2 deletions docs/CONFIG-VARS.md
Expand Up @@ -398,7 +398,6 @@ Azure Web Application Firewall (WAF) on Azure Application Gateway provides centr
| :--- | :--- | :--- | :--- | :--- |
| create_app_gateway | Creates Azure Application Gateway | bool | false | |
| app_gateway_config | Map of Application Gateway configuration objects | map | null | All the variables that can be defined in the `app_gateway_config` are described in table below. |
| waf_policy | A JSON file with all the WAF_Policy rules | map | null | The WAF policy has few required components see the details below. |

The `app_gateway_config` variable can contain none, some, or all of the parameters listed below:
For the details of all the parameters that can be specified see: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/application_gateway
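Review bot: With the top-level `waf_policy` row removed, nothing in this part of the document tells a reader where the setting went; the sentence introducing the second table ("The `app_gateway_config` variable can contain none, some, or all of the parameters listed below:") should state explicitly that `waf_policy` is now a key of `app_gateway_config` and that a top-level `waf_policy` in an existing tfvars file is no longer read. While editing here, the two intro sentences also run together: the colon after "listed below" is followed by the registry link instead of the table.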
Expand All @@ -408,6 +407,7 @@ For the details of all the parameters that can be specified see: https://registr
| sku | The Name of the SKU to use for this Application Gateway. | string | false | "Standard_v2" | If WAF policy is enabled the default is `"WAF_v2"` |
| port | The port which should be used for this Application Gateway. | string | false | "443" | |
| protocol | The Protocol which should be used. | string | false | "Https" | Possible values are Http and Https.|
| waf_policy | A JSON file with all the WAF_Policy rules | map | null | The WAF policy has few required components see the details below. |
| backend_host_name | Hostname for the Application Gateway | string | false | null |Set this variable when using custom DNS. Not setting this will use Azure Public DNS to set the FQDN for Application Gateway Public IP.|
| backend_trusted_root_certificate | The Trusted Root Certificate to use. | list(map(string)) | true | null | List of map containing: name, data, or key_vault_secret_id. `key_vault_secret_id` is required if `data` is not set. |
| ssl_certificate |The associated SSL Certificate which should be used for this HTTP Listener. | list(map(string)) | true | null | List of map containing: name, data, password or key_vault_secret_id. `key_vault_secret_id` is required if `data` is not set.|
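Review bot: The added `waf_policy` row has five cells while the neighbouring rows (`sku`, `port`, `protocol`) have six (Name, Description, Type, Required, Default, Notes), so it will render shifted one column to the left; insert a Required cell (`false`) before the `null` default. The Type cell says `map`, but the value is the path string handed to `file()` in locals.tf (the `variable "waf_policy"` removed in variables.tf was `type = string`), so `string` is the accurate type. The notes cell could also repeat what the `sku` row already implies: when this is set, the default SKU becomes `WAF_v2`.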
Expand All @@ -424,7 +424,7 @@ For the details of all the parameters that can be specified see: https://registr
| managed_rules | A managed_rules blocks | list(map) | true | | |

Example WAF Policy:
```
```json
{
"custom_rules": [
{
3 changes: 1 addition & 2 deletions examples/sample-input-app-gateway.tfvars
Expand Up @@ -32,6 +32,7 @@ postgres_servers = {
create_app_gateway = true

app_gateway_config = {
waf_policy = "<path-to-WAF-policy-json-file>" ## Required to configure WAF with Application Gateway
backend_host_name = "<your Application Gateway host name>" ## leave empty to use Azure public DNS assigned host name
backend_trusted_root_certificate = [{
name = "<rootcert-name>"
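Review bot: The inline comment `## Required to configure WAF with Application Gateway` reads as if the key were mandatory, but the `app_gateway_defaults` change sets it to `null`, and when it is left unset the gateway is created with the `Standard_v2` SKU and no WAF policy at all. Suggest wording such as `## Set to enable WAF; if omitted, no WAF policy is applied and the SKU stays Standard_v2` so that someone copying the sample does not assume a WAF sits in front of the ingress by default. Since locals.tf reads the path with `file()`, the sample could also remind users that the file has to exist at plan time.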
Expand All @@ -49,8 +50,6 @@ app_gateway_config = {
backend_address_pool_fqdn = ["<your-ingress-nginx-loadBalancer-hostname>"] ## Required to setup the backend pool. This list only accepts FQDN.
}

waf_policy = "<path-to-WAF-policy-json-file>" ## Required to configure WAF with Application Gateway

# AKS config
kubernetes_version = "1.26"
default_nodepool_min_nodes = 2
2 changes: 1 addition & 1 deletion locals.tf
Expand Up @@ -41,7 +41,7 @@ locals {

# App Gateway
app_gateway_config = merge(var.app_gateway_defaults, var.app_gateway_config)
waf_policy_config = var.waf_policy != null ? jsondecode(file(var.waf_policy)) : null
waf_policy_config = local.app_gateway_config.waf_policy != null ? jsondecode(file(local.app_gateway_config.waf_policy)) : null
waf_policy_enabled = local.waf_policy_config != null ? length(local.waf_policy_config) != 0 ? true : false : false

# Container Registry
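Review bot: The nested conditional on the `waf_policy_enabled` line is hard to read and can be written as `waf_policy_enabled = try(length(local.waf_policy_config), 0) > 0`, which keeps the `null` case safe without the double ternary. The more important point is what the expression does with an empty policy: if the JSON file decodes to `{}`, `length(...)` is 0, WAF is treated as disabled, the SKU falls back to `Standard_v2` and the gateway is deployed without any policy even though the operator pointed `waf_policy` at a file. A `validation` block on the variable or a `precondition` on the gateway resource that rejects a decoded policy missing `managed_rules` (marked required in the CONFIG-VARS.md table) would make that misconfiguration fail at plan time instead of shipping an unprotected listener.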
11 changes: 3 additions & 8 deletions variables.tf
Expand Up @@ -822,8 +822,9 @@ variable "app_gateway_defaults" {
backend_host_name = null
backend_trusted_root_certificate = null
ssl_certificate = null
identity_ids = []
backend_address_pool_fqdn = []
identity_ids = null
backend_address_pool_fqdn = null
waf_policy = null
probe = [{
name = "default-probe"
path = "/SASLogon/apiMeta"
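Review bot: Changing the `identity_ids` and `backend_address_pool_fqdn` defaults from `[]` to `null` is unrelated to the `waf_policy` key the commit message describes and is a behavioural change: any consumer that calls `length()` on these values or iterates them without a null guard now errors when the key is omitted, where it previously received an empty list. If the change is intended (for example so the two attributes are only passed to the resource when set), it should be called out in the commit message and in CONFIG-VARS.md; otherwise keep `[]`.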
Expand All @@ -836,9 +837,3 @@ variable "app_gateway_config" {
type = any
default = {}
}

variable "waf_policy" {
description = "A JSON file with all the WAF_Policy rules"
type = string
default = null
}
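Review bot: Dropping `variable "waf_policy"` is the right consequence of the refactor, but it is a breaking change for existing tfvars files that still set `waf_policy` at the top level, as `examples/sample-input-app-gateway.tfvars` did before this commit: Terraform only emits a warning for a value assigned to an undeclared variable in a tfvars file, so the apply proceeds and the gateway is created with no WAF. A short migration note in the docs and the commit message telling users to move the key inside `app_gateway_config` would prevent that silent downgrade.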

0 comments on commit b8e8cbe