diff --git a/docs/CONFIG-VARS.md b/docs/CONFIG-VARS.md index 221bf66f..37c4b791 100644 --- a/docs/CONFIG-VARS.md +++ b/docs/CONFIG-VARS.md @@ -397,7 +397,6 @@ Azure Web Application Firewall (WAF) on Azure Application Gateway provides centr | :--- | :--- | :--- | :--- | :--- | | create_app_gateway | Creates Azure Application Gateway | bool | false | | | app_gateway_config | Map of Application Gateway configuration objects | map | null | All the variables that can be defined in the `app_gateway_config` are described in table below. | -| waf_policy | A JSON file with all the WAF_Policy rules | map | null | The WAF policy has few required components see the details below. | The `app_gateway_config` variable can contain none, some, or all of the parameters listed below: For the details of all the parameters that can be specified see: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/application_gateway 
@@ -407,6 +406,7 @@ For the details of all the parameters that can be specified see: https://registr | sku | The Name of the SKU to use for this Application Gateway. | string | false | "Standard_v2" | If WAF policy is enabled the default is `"WAF_v2"` | | port | The port which should be used for this Application Gateway. | string | false | "443" | | | protocol | The Protocol which should be used. | string | false | "Https" | Possible values are Http and Https.| +| waf_policy | A JSON file with all the WAF_Policy rules | map | null | The WAF policy has few required components see the details below. | | backend_host_name | Hostname for the Application Gateway | string | false | null |Set this variable when using custom DNS. Not setting this will use Azure Public DNS to set the FQDN for Application Gateway Public IP.| | backend_trusted_root_certificate | The Trusted Root Certificate to use. | list(map(string)) | true | null | List of map containing: name, data, or key_vault_secret_id. `key_vault_secret_id` is required if `data` is not set. | | ssl_certificate |The associated SSL Certificate which should be used for this HTTP Listener. | list(map(string)) | true | null | List of map containing: name, data, password or key_vault_secret_id. `key_vault_secret_id` is required if `data` is not set.| @@ -423,7 +423,7 @@ For the details of all the parameters that can be specified see: https://registr | managed_rules | A managed_rules blocks | list(map) | true | | | Example WAF Policy: -``` +```json { "custom_rules": [ { diff --git a/examples/sample-input-app-gateway.tfvars b/examples/sample-input-app-gateway.tfvars index 9b74a2c3..cb3f41e1 100644 --- a/examples/sample-input-app-gateway.tfvars +++ b/examples/sample-input-app-gateway.tfvars 
@@ -32,6 +32,7 @@ postgres_servers = { create_app_gateway = true app_gateway_config = { + waf_policy = "" ## Required to configure WAF with Application Gateway backend_host_name = "" ## leave empty to use Azure public DNS assigned host name backend_trusted_root_certificate = [{ name = "" @@ -49,8 +50,6 @@ app_gateway_config = { backend_address_pool_fqdn = [""] ## Required to setup the backend pool. This list only accepts FQDN. } -waf_policy = "" ## Required to configure WAF with Application Gateway - # AKS config kubernetes_version = "1.26" default_nodepool_min_nodes = 2 diff --git a/locals.tf b/locals.tf index 07a13e4e..bfb221fd 100644 --- a/locals.tf +++ b/locals.tf @@ -41,7 +41,7 @@ locals { # App Gateway app_gateway_config = merge(var.app_gateway_defaults, var.app_gateway_config) - waf_policy_config = var.waf_policy != null ? jsondecode(file(var.waf_policy)) : null + waf_policy_config = local.app_gateway_config.waf_policy != null ? jsondecode(file(local.app_gateway_config.waf_policy)) : null waf_policy_enabled = local.waf_policy_config != null ? length(local.waf_policy_config) != 0 ? true : false : false # Container Registry diff --git a/variables.tf b/variables.tf index 3755c6e8..197def97 100644 --- a/variables.tf +++ b/variables.tf @@ -810,8 +810,9 @@ variable "app_gateway_defaults" { backend_host_name = null backend_trusted_root_certificate = null ssl_certificate = null - identity_ids = [] - backend_address_pool_fqdn = [] + identity_ids = null + backend_address_pool_fqdn = null + waf_policy = null probe = [{ name = "default-probe" path = "/SASLogon/apiMeta" @@ -824,9 +825,3 @@ variable "app_gateway_config" { type = any default = {} } - -variable "waf_policy" { - description = "A JSON file with all the WAF_Policy rules" - type = string - default = null -}
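Review bot: Shipping `waf_policy = ""` as the placeholder inside `app_gateway_config` is a trap for anyone who copies the sample with `create_app_gateway = true`, because the locals.tf change further down in this diff only compares the value with `null`, so an empty string still reaches `file()` and, as far as the visible code shows, fails the plan with a file-read error rather than deploying without WAF. Either drop the key from the sample or make the comment say what the value really is and how to opt out, e.g. `waf_policy = "" ## Path to the WAF policy JSON file (required for WAF); remove this key or set it to null to deploy without a WAF policy — an empty string is not accepted`. The `app_gateway_config = {` block opened in this hunk continues past it.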
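Review bot: Reading the policy path from `local.app_gateway_config.waf_policy` alone means a tfvars that still sets the old top-level `waf_policy` (the variable deleted in the last hunk) is silently ignored, so an upgrading user ends up with an Application Gateway that has no WAF policy and, per the docs hunk, the non-WAF SKU default — the migration fails open. The same happens for a misspelled key, since `app_gateway_config` is declared `type = any` and `merge()` accepts anything. I would keep a deprecated `variable "waf_policy"` (string, default null) in variables.tf with a `validation` block whose condition is `var.waf_policy == null` and whose error message points at `app_gateway_config.waf_policy`, so the stale setting fails the plan instead of disappearing. Also, the value is handed to `file()`, i.e. it is a path string, whereas the docs hunk lists the key's type as `map`; the description should say it is the path to the JSON policy file. The `locals` block starts before this hunk and continues past it.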
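Review bot: Changing the defaults of `identity_ids` and `backend_address_pool_fqdn` from `[]` to `null` is not behavior-neutral for whatever consumes the merged config: any `length(...)`, `for_each`, or `toset(...)` over these keys that previously saw an empty list will now fail on null unless the consumer guards it, e.g. `coalesce(local.app_gateway_config.identity_ids, [])`. Those consumers are not in this diff, so please verify them, and if the intent of `null` is "not set" rather than "empty", document that distinction in the `description` of `app_gateway_defaults`. The `variable "app_gateway_defaults"` block starts before this hunk and continues past it.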