From 4557b7e24e6a89f7bef8c1801e565f57e6726978 Mon Sep 17 00:00:00 2001
From: Ritika Patil <Ritika.Patil@sas.com>
Date: Tue, 5 Dec 2023 11:44:12 -0600
Subject: [PATCH] feat: (IAC-276) Updated app_gateway_config to include
 waf_policy variable

---
 docs/CONFIG-VARS.md                      |  4 ++--
 examples/sample-input-app-gateway.tfvars |  3 +--
 locals.tf                                |  2 +-
 variables.tf                             | 11 +++--------
 4 files changed, 7 insertions(+), 13 deletions(-)

diff --git a/docs/CONFIG-VARS.md b/docs/CONFIG-VARS.md
index 7ccc8c62..befba809 100644
--- a/docs/CONFIG-VARS.md
+++ b/docs/CONFIG-VARS.md
@@ -398,7 +398,6 @@ Azure Web Application Firewall (WAF) on Azure Application Gateway provides centr
 | :--- | :--- | :--- | :--- | :--- |
 | create_app_gateway | Creates Azure Application Gateway | bool | false | |
 | app_gateway_config | Map of Application Gateway configuration objects | map | null | All the variables that can be defined in the `app_gateway_config` are described in table below. |
-| waf_policy | A JSON file with all the WAF_Policy rules | map | null | The WAF policy has few required components see the details below. |
 
 The `app_gateway_config` variable can contain none, some, or all of the parameters listed below:
 For the details of all the parameters that can be specified see: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/application_gateway
@@ -408,6 +407,7 @@ For the details of all the parameters that can be specified see: https://registr
 | sku | The Name of the SKU to use for this Application Gateway. | string | false | "Standard_v2" | If WAF policy is enabled the default is `"WAF_v2"` |
 | port | The port which should be used for this Application Gateway. | string | false | "443" |  |
 | protocol | The Protocol which should be used. | string | false  | "Https" | Possible values are Http and Https.|
+| waf_policy | A JSON file with all the WAF_Policy rules | map | null | The WAF policy has few required components see the details below. |
 | backend_host_name | Hostname for the Application Gateway | string | false | null |Set this variable when using custom DNS. Not setting this will use Azure Public DNS to set the FQDN for Application Gateway Public IP.|
 | backend_trusted_root_certificate | The Trusted Root Certificate to use. | list(map(string)) | true | null  | List of map containing: name, data, or key_vault_secret_id. `key_vault_secret_id` is required if `data` is not set. |
 | ssl_certificate |The associated SSL Certificate which should be used for this HTTP Listener. | list(map(string)) | true | null | List of map containing: name, data, password or key_vault_secret_id. `key_vault_secret_id` is required if `data` is not set.|
@@ -424,7 +424,7 @@ For the details of all the parameters that can be specified see: https://registr
 | managed_rules | A managed_rules blocks | list(map) | true  | | |
 
 Example WAF Policy:
-```
+```json
 {
     "custom_rules": [
         {
diff --git a/examples/sample-input-app-gateway.tfvars b/examples/sample-input-app-gateway.tfvars
index 9b74a2c3..cb3f41e1 100644
--- a/examples/sample-input-app-gateway.tfvars
+++ b/examples/sample-input-app-gateway.tfvars
@@ -32,6 +32,7 @@ postgres_servers = {
 create_app_gateway = true
 
 app_gateway_config = {
+  waf_policy = "<path-to-WAF-policy-json-file>"   ## Required to configure WAF with Application Gateway
   backend_host_name = "<your Application Gateway host name>"  ## leave empty to use Azure public DNS assigned host name
   backend_trusted_root_certificate = [{
     name = "<rootcert-name>"
@@ -49,8 +50,6 @@ app_gateway_config = {
   backend_address_pool_fqdn = ["<your-ingress-nginx-loadBalancer-hostname>"]  ## Required to setup the backend pool. This list only accepts FQDN.
 }
 
-waf_policy = "<path-to-WAF-policy-json-file>"   ## Required to configure WAF with Application Gateway
-
 # AKS config
 kubernetes_version         = "1.26"
 default_nodepool_min_nodes = 2
diff --git a/locals.tf b/locals.tf
index 647e3aee..2401217e 100644
--- a/locals.tf
+++ b/locals.tf
@@ -41,7 +41,7 @@ locals {
 
   # App Gateway
   app_gateway_config = merge(var.app_gateway_defaults, var.app_gateway_config)
-  waf_policy_config  = var.waf_policy != null ? jsondecode(file(var.waf_policy)) : null
+  waf_policy_config  = local.app_gateway_config.waf_policy != null ? jsondecode(file(local.app_gateway_config.waf_policy)) : null
   waf_policy_enabled = local.waf_policy_config != null ? length(local.waf_policy_config) != 0 ? true : false : false
 
   # Container Registry
diff --git a/variables.tf b/variables.tf
index a8142a6f..c28aa7f6 100644
--- a/variables.tf
+++ b/variables.tf
@@ -822,8 +822,9 @@ variable "app_gateway_defaults" {
     backend_host_name                = null
     backend_trusted_root_certificate = null
     ssl_certificate                  = null
-    identity_ids                     = []
-    backend_address_pool_fqdn        = []
+    identity_ids                     = null
+    backend_address_pool_fqdn        = null
+    waf_policy                       = null
     probe = [{
       name = "default-probe"
       path = "/SASLogon/apiMeta"
@@ -836,9 +837,3 @@ variable "app_gateway_config" {
   type        = any
   default     = {}
 }
-
-variable "waf_policy" {
-  description = "A JSON file with all the WAF_Policy rules"
-  type        = string
-  default     = null
-}