azurerm_application_gateway - support WAF Policies

azurerm/internal/services/network/application_gateway_resource.go

@@ -1267,6 +1267,12 @@ func resourceArmApplicationGateway() *schema.Resource {
  },
  },
 
+ "firewall_policy_id": {
+ Type: schema.TypeString,
+ Optional: true,
+ ValidateFunc: azure.ValidateResourceID,
+ },
+
  "custom_error_configuration": {
  Type: schema.TypeList,
  Optional: true,
@@ -1428,6 +1434,13 @@ func resourceArmApplicationGatewayCreateUpdate(d *schema.ResourceData, meta inte
  gateway.ApplicationGatewayPropertiesFormat.WebApplicationFirewallConfiguration = expandApplicationGatewayWafConfig(d)
  }
 
+ if v, ok := d.GetOk("firewall_policy_id"); ok {
+ id := v.(string)
+ gateway.ApplicationGatewayPropertiesFormat.FirewallPolicy = &network.SubResource{
+ ID: &id,
+ }
+ }
+
  if stopApplicationGateway {
  future, err := client.Stop(ctx, resGroup, name)
  if err != nil {
@@ -1606,6 +1619,10 @@ func resourceArmApplicationGatewayRead(d *schema.ResourceData, meta interface{})
  if setErr := d.Set("waf_configuration", flattenApplicationGatewayWafConfig(props.WebApplicationFirewallConfiguration)); setErr != nil {
  return fmt.Errorf("Error setting `waf_configuration`: %+v", setErr)
  }
+
+ if props.FirewallPolicy != nil {
+ d.Set("firewall_policy_id", props.FirewallPolicy.ID)
+ }
  }
 
  return tags.FlattenAndSet(d, applicationGateway.Tags)

azurerm/internal/services/network/tests/application_gateway_resource_test.go

@@ -215,6 +215,26 @@ func TestAccAzureRMApplicationGateway_authCertificate(t *testing.T) {
  })
 }
 
+func TestAccAzureRMApplicationGateway_customFirewallPolicy(t *testing.T) {
+ data := acceptance.BuildTestData(t, "azurerm_application_gateway", "test")
+
+ resource.ParallelTest(t, resource.TestCase{
+ PreCheck: func() { acceptance.PreCheck(t) },
+ Providers: acceptance.SupportedProviders,
+ CheckDestroy: testCheckAzureRMApplicationGatewayDestroy,
+ Steps: []resource.TestStep{
+ {
+ Config: testAccAzureRMApplicationGateway_customFirewallPolicy(data),
+ Check: resource.ComposeTestCheckFunc(
+ testCheckAzureRMApplicationGatewayExists(data.ResourceName),
+ resource.TestCheckResourceAttrSet(data.ResourceName, "firewall_policy_id"),
+ ),
+ },
+ data.ImportStep(),
+ },
+ })
+}
+
 // TODO required soft delete on the keyvault
 func TestAccAzureRMApplicationGateway_trustedRootCertificate_keyvault(t *testing.T) {
  t.Skip()
@@ -1979,6 +1999,107 @@ resource "azurerm_application_gateway" "test" {
 `, template, data.RandomInteger)
 }
 
+func testAccAzureRMApplicationGateway_customFirewallPolicy(data acceptance.TestData) string {
+ template := testAccAzureRMApplicationGateway_template(data)
+ return fmt.Sprintf(`
+%[1]s
+
+# since these variables are re-used - a locals block makes this more maintainable
+locals {
+ backend_address_pool_name = "${azurerm_virtual_network.test.name}-beap"
+ frontend_port_name = "${azurerm_virtual_network.test.name}-feport"
+ frontend_ip_configuration_name = "${azurerm_virtual_network.test.name}-feip"
+ http_setting_name = "${azurerm_virtual_network.test.name}-be-htst"
+ listener_name = "${azurerm_virtual_network.test.name}-httplstn"
+ request_routing_rule_name = "${azurerm_virtual_network.test.name}-rqrt"
+}
+
+resource "azurerm_public_ip" "teststd" {
+ name = "acctest-PubIpStd-%[2]d"
+ location = azurerm_resource_group.test.location
+ resource_group_name = azurerm_resource_group.test.name
+ allocation_method = "Static"
+ sku = "Standard"
+}
+
+resource "azurerm_web_application_firewall_policy" "testfwp" {
+ name = "acctest-fwp-%[2]d"
+ resource_group_name = azurerm_resource_group.test.name
+ location = azurerm_resource_group.test.location
+
+ policy_settings {
+ enabled = true
+ mode = "Prevention"
+ }
+
+ managed_rules {
+ managed_rule_set {
+ type = "OWASP"
+ version = "3.1"
+ }
+ }
+}
+
+resource "azurerm_application_gateway" "test" {
+ name = "acctestag-%[2]d"
+ resource_group_name = azurerm_resource_group.test.name
+ location = azurerm_resource_group.test.location
+
+ sku {
+ name = "WAF_v2"
+ tier = "WAF_v2"
+ capacity = 2
+ }
+
+ firewall_policy_id = azurerm_web_application_firewall_policy.testfwp.id
+
+ gateway_ip_configuration {
+ name = "my-gateway-ip-configuration"
+ subnet_id = azurerm_subnet.test.id
+ }
+
+ frontend_port {
+ name = local.frontend_port_name
+ port = 80
+ }
+
+ frontend_ip_configuration {
+ name = local.frontend_ip_configuration_name
+ public_ip_address_id = azurerm_public_ip.teststd.id
+ }
+
+ backend_address_pool {
+ name = local.backend_address_pool_name
+ }
+
+ backend_http_settings {
+ name = local.http_setting_name
+ cookie_based_affinity = "Disabled"
+ port = 443
+ protocol = "Https"
+ request_timeout = 1
+
+ pick_host_name_from_backend_address = true
+ }
+
+ http_listener {
+ name = local.listener_name
+ frontend_ip_configuration_name = local.frontend_ip_configuration_name
+ frontend_port_name = local.frontend_port_name
+ protocol = "Http"
+ }
+
+ request_routing_rule {
+ name = local.request_routing_rule_name
+ rule_type = "Basic"
+ http_listener_name = local.listener_name
+ backend_address_pool_name = local.backend_address_pool_name
+ backend_http_settings_name = local.http_setting_name
+ }
+}
+`, template, data.RandomInteger)
+}
+
 func testAccAzureRMApplicationGateway_authCertificateUpdated(data acceptance.TestData) string {
  template := testAccAzureRMApplicationGateway_template(data)
  return fmt.Sprintf(`

website/docs/r/application_gateway.html.markdown

@@ -167,6 +167,8 @@ The following arguments are supported:
 
 * `custom_error_configuration` - (Optional) One or more `custom_error_configuration` blocks as defined below.
 
+* `firewall_policy_id` - (Optional) The resource ID of a firewall policy.
+
 * `redirect_configuration` - (Optional) A `redirect_configuration` block as defined below.
 
 * `autoscale_configuration` - (Optional) A `autoscale_configuration` block as defined below.