From e22e1dc28e2004df26f3b0080b5d668b968bac15 Mon Sep 17 00:00:00 2001
From: tomrss
Date: Thu, 21 Nov 2024 16:34:00 +0100
Subject: [PATCH] feat(app_gateway): Allow to attach WAF policy at gateway level
---
 app_gateway/README.md | 1 +
 app_gateway/main.tf | 1 +
 app_gateway/variables.tf | 6 ++++++
 3 files changed, 8 insertions(+)
diff --git a/app_gateway/README.md b/app_gateway/README.md
index cd383513..23bd6469 100644
--- a/app_gateway/README.md
+++ b/app_gateway/README.md
@@ -475,6 +475,7 @@ No modules.
 | [app\_gateway\_max\_capacity](#input\_app\_gateway\_max\_capacity) | (Optional) Maximum capacity for autoscaling. Accepted values are in the range 2 to 125. | `string` | n/a | yes |
 | [app\_gateway\_min\_capacity](#input\_app\_gateway\_min\_capacity) | (Required) Minimum capacity for autoscaling. Accepted values are in the range 0 to 100. | `string` | n/a | yes |
 | [backends](#input\_backends) | Obj that allow to configure: backend\_address\_pool, backend\_http\_settings, probe |
map(object({
protocol = string # The Protocol which should be used. Possible values are Http and Https
host = string # The Hostname used for this Probe. If the Application Gateway is configured for a single site, by default the Host name should be specified as ‘127.0.0.1’, unless otherwise configured in custom probe. Cannot be set if pick_host_name_from_backend_http_settings is set to true
port = number # Custom port which will be used for probing the backend servers. The valid value ranges from 1 to 65535. In case not set, port from http settings will be used.
ip_addresses = list(string) # A list of IP Addresses which should be part of the Backend Address Pool.
fqdns = list(string) # A list of FQDN's which should be part of the Backend Address Pool.
probe = string # The Path used for this Probe.
probe_name = string # The Name of the Probe.
request_timeout = number # The Timeout used for this Probe, which indicates when a probe becomes unhealthy. Possible values range from 1 second to a maximum of 86,400 seconds.
pick_host_name_from_backend = bool # Whether the host header should be picked from the backend http settings
}))
| n/a | yes |
+| [firewall\_policy\_id](#input\_firewall\_policy\_id) | (Optional) Id of the WAF policy to attach to the gateway | `string` | `null` | no |
 | [identity\_ids](#input\_identity\_ids) | n/a | `list(string)` | n/a | yes |
 | [listeners](#input\_listeners) | n/a |
map(object({
protocol = string # The Protocol which should be used. Possible values are Http and Https
host = string # The Hostname which should be used for this HTTP Listener. Setting this value changes Listener Type to 'Multi site'.
port = number # The port used for this Frontend Port.
ssl_profile_name = string # The name of the associated SSL Profile which should be used for this HTTP Listener.
firewall_policy_id = string # The ID of the Web Application Firewall Policy which should be used for this HTTP Listener.
type = optional(string, "Public") # The type of Listener "Public" - "Private"
certificate = object({
name = string # The Name of the SSL certificate that is unique within this Application Gateway
id = string # Secret Id of (base-64 encoded unencrypted pfx) Secret or Certificate object stored in Azure KeyVault. You need to enable soft delete for keyvault to use this feature. Required if data is not set.
})
}))
| n/a | yes |
 | [location](#input\_location) | n/a | `string` | `"westeurope"` | no |
diff --git a/app_gateway/main.tf b/app_gateway/main.tf
index 0f6fa3ad..e30f8e66 100644
--- a/app_gateway/main.tf
+++ b/app_gateway/main.tf
@@ -9,6 +9,7 @@ resource "azurerm_application_gateway" "this" {
 resource_group_name = var.resource_group_name
 location = var.location
 zones = var.zones
+ firewall_policy_id = var.firewall_policy_id
 sku {
 name = var.sku_name
diff --git a/app_gateway/variables.tf b/app_gateway/variables.tf
index d33a2e4e..f68d1aa3 100644
--- a/app_gateway/variables.tf
+++ b/app_gateway/variables.tf
@@ -186,6 +186,12 @@ variable "waf_disabled_rule_group" {
 default = []
 }
+variable "firewall_policy_id" {
+ type = string
+ default = null
+ description = "(Optional) Id of the WAF policy to attach to the gateway"
+}
+
 # Scaling
 variable "app_gateway_max_capacity" {
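Review bot: The added `firewall_policy_id = var.firewall_policy_id` line in the `azurerm_application_gateway` resource is passed through with no guard on the SKU, yet Azure only honours a gateway-level WAF policy on a WAF SKU, and the module still carries legacy WAF inputs (`waf_disabled_rule_group` is visible in the variables.tf hunk context), which — if a `waf_configuration` block is still emitted elsewhere in this resource — Azure requires to match the attached policy's settings. Either mismatch only shows up as an apply-time provider error, so a `lifecycle { precondition { ... } }` with `condition = var.firewall_policy_id == null || var.sku_name == "WAF_v2"` and a short `error_message` would fail the plan instead. A comment next to the new line noting that per-listener `firewall_policy_id` values in `var.listeners` (documented in the README) take precedence over this gateway-level policy, as far as I recall of Azure's behaviour, would also save operators from assuming the global policy covers every listener. The resource body continues outside the hunk.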
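Review bot: The new `firewall_policy_id` variable accepts any string, and its description "Id of the WAF policy to attach to the gateway" does not say which resource ID is expected or how it relates to the listener-level `firewall_policy_id` the module already exposes in `listeners`. A `validation` block with `condition = var.firewall_policy_id == null || can(regex("/providers/Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/", var.firewall_policy_id))` would reject unrelated IDs (for example a classic firewall or NSG) before the provider does. I would also reword the description to `"(Optional) Resource ID of the azurerm_web_application_firewall_policy to attach at gateway level; listener-level firewall_policy_id values still apply to their listener."` so the precedence is explicit to callers.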