refactor: deprecate waf_configuration in favor of firewall_policy_id

.config/.terraform-docs.yml

@@ -50,7 +50,6 @@ content: |
 
   {{ template "table" dict "Resource" "sku" "File" ".config/sku_parameters.json" }}
   {{ template "table" dict "Resource" "autoscale_configuration" "File" ".config/autoscale_configuration_parameters.json" }}
-  {{ template "table" dict "Resource" "waf_configuration" "File" ".config/waf_configuration_parameters.json" }}
   {{ template "table" dict "Resource" "frontend_ip_configuration" "File" ".config/frontend_ip_configuration_parameters.json" }}
   {{ template "table" dict "Resource" "backend_address_pools" "File" ".config/backend_address_pool_parameters.json" }}
   {{ template "table" dict "Resource" "ssl_certificates" "File" ".config/ssl_certificate_parameters.json" }}

CHANGELOG.md

@@ -14,13 +14,15 @@ ENHANCEMENTS:
 
 FEATURES:
 
-* **New Parameter**:
+* **New Parameter**: `firewall_policy_id`
 
 BUG FIXES:
 
 DEPRECATIONS:
 
-* **Parameter**:
+[waf-config-deprecate]: https://azure.microsoft.com/en-us/updates/retirement-support-for-application-gateway-web-application-firewall-v2-configuration-is-ending/
+
+* **Parameter**: `waf_configuration` is deprecated in favor of `firewall_policy_id`. WAF configuration must now be performed using a firewall policy. [Retirement: Support for Application Gateway Web Application Firewall v2 Configuration is ending][waf-config-deprecate].
 
 ## 1.2.0 (January 27, 2022)
 

README.md

@@ -24,10 +24,10 @@ The following parameters are supported:
 |resource\_group\_name|The name of the resource group in which to create the Application Gateway.|`string`|n/a|yes|
 |location|The location/region where the Application Gateway is created.|`string`|n/a|yes|
 |tags|A mapping of tags to assign to the resource.|`map(string)`|`{}`|no|
+|firewall\_policy\_id|The ID of the Firewall Policy to associate with the Application Gateway.|`string`|n/a|yes|
 |sku|A mapping with the sku configuration of the application gateway.|`object({})`|n/a|yes|
 |autoscale\_configuration|A mapping with the autoscale configuration of the application gateway.|`object({})`|`null`|no|
 |subnet\_id|The ID of the Subnet which the Application Gateway should be connected to.|`string`|n/a|yes|
-|waf\_configuration|A mapping with the waf configuration of the application gateway.|`object({})`|`{}`|no|
 |frontend\_ip\_configuration|A mapping the front ip configuration.|`object({})`|n/a|yes|
 |backend\_address\_pools|List of objects that represent the configuration of each backend address pool.|`list(object({}))`|n/a|yes|
 |http\_listeners|List of objects that represent the configuration of each http listener.|`list(object({}))`|n/a|yes|
@@ -49,14 +49,6 @@ The `autoscale_configuration` supports the following:
 |min\_capacity|Minimum capacity for autoscaling. Accepted values are in the range `0` to `100`.|`number`|n/a|yes|
 |max\_capacity|Maximum capacity for autoscaling. Accepted values are in the range `2` to `125`.|`number`|n/a|yes|
 
-The `waf_configuration` supports the following:
-
-| Name | Description | Type | Default | Required |
-| ---- | ------------| :--: | :-----: | :------: |
-|enabled|The Tier of the SKU to use for this Application Gateway. Possible values are `Standard`, `Standard_v2`, `WAF` and `WAF_v2`.|`string`|n/a|yes|
-|firewall\_mode|The Web Application Firewall Mode. Possible values are `Detection` and `Prevention`.|`string`|`Prevention`|no|
-|rule\_set\_version|The Version of the Rule Set used for this Web Application Firewall. Possible values are `0.1`, `1.0`, `2.1`, `2.2.9`, `3.0`, `3.1` and `3.2`.|`number`|`3.2`|no|
-
 The `frontend_ip_configuration` supports the following:
 
 | Name | Description | Type | Default | Required |

locals.tf

@@ -1,5 +1,4 @@
 locals {
-  waf_configuration_enabled     = lookup(var.waf_configuration, "enabled", false) == true
   private_ip_address            = lookup(var.frontend_ip_configuration, "private_ip_address", null) != null
   public_ip_address_id          = lookup(var.frontend_ip_configuration, "public_ip_address_id", null) != null
   private_ip_address_allocation = lookup(var.frontend_ip_configuration, "private_ip_address_allocation", null) != null

main.tf

@@ -3,6 +3,7 @@ resource "azurerm_application_gateway" "main" {
   resource_group_name = var.resource_group_name
   location            = var.location
   tags                = var.tags
+  firewall_policy_id  = var.firewall_policy_id
 
   sku {
     name     = var.sku.size
@@ -24,16 +25,6 @@ resource "azurerm_application_gateway" "main" {
     subnet_id = var.subnet_id
   }
 
-  dynamic "waf_configuration" {
-    for_each = local.waf_configuration_enabled ? [""] : []
-
-    content {
-      enabled          = var.waf_configuration.enabled
-      firewall_mode    = var.waf_configuration.firewall_mode
-      rule_set_version = var.waf_configuration.rule_set_version
-    }
-  }
-
   dynamic "frontend_ip_configuration" {
     for_each = local.public_ip_address_id ? [""] : []
 

tests/environment/main.tf

@@ -8,6 +8,20 @@ resource "azurerm_resource_group" "rg" {
   }
 }
 
+resource "azurerm_web_application_firewall_policy" "waf" {
+  name                = local.workspace_id
+  resource_group_name = azurerm_resource_group.rg.name
+  location            = azurerm_resource_group.rg.location
+  tags                = azurerm_resource_group.rg.tags
+
+  managed_rules {
+    managed_rule_set {
+      type    = "OWASP"
+      version = "3.2"
+    }
+  }
+}
+
 resource "azurerm_virtual_network" "vnet" {
   name                = local.workspace_id
   resource_group_name = azurerm_resource_group.rg.name

tests/environment/outputs.tf

@@ -18,6 +18,10 @@ output "resource_group_tags" {
   value = azurerm_resource_group.rg.tags
 }
 
+output "firewall_policy_id" {
+  value = azurerm_web_application_firewall_policy.waf.id
+}
+
 output "subnet_id" {
   value = azurerm_subnet.snet.id
 }

tests/testing.tftest.hcl

@@ -10,9 +10,6 @@ run "setup" {
 
 variables {
   sku = { tier = "WAF_v2", size = "WAF_v2", capacity = 2 }
-  waf_configuration = {
-    enabled = true
-  }
   backend_address_pools = [
     { name = "backend-address-pool-1" },
     { name = "backend-address-pool-2", ip_addresses = ["10.0.0.4", "10.0.0.5", "10.0.0.6"] }
@@ -56,6 +53,7 @@ run "plan" {
     resource_group_name = run.setup.resource_group_name
     location            = run.setup.resource_group_location
     tags                = run.setup.resource_group_tags
+    firewall_policy_id  = run.setup.firewall_policy_id
     subnet_id           = run.setup.subnet_id
     frontend_ip_configuration = {
       public_ip_address_id = run.setup.public_ip_id
@@ -86,6 +84,7 @@ run "apply" {
     resource_group_name = run.setup.resource_group_name
     location            = run.setup.resource_group_location
     tags                = run.setup.resource_group_tags
+    firewall_policy_id  = run.setup.firewall_policy_id
     subnet_id           = run.setup.subnet_id
     frontend_ip_configuration = {
       public_ip_address_id = run.setup.public_ip_id

variables.tf

@@ -19,6 +19,11 @@ variable "tags" {
   description = "A mapping of tags to assign to the resource."
 }
 
+variable "firewall_policy_id" {
+  type        = string
+  description = "The ID of the Firewall Policy to associate with the Application Gateway."
+}
+
 variable "sku" {
   type = object({
     tier     = string
@@ -42,16 +47,6 @@ variable "subnet_id" {
   description = "The ID of the Subnet which the Application Gateway should be connected to."
 }
 
-variable "waf_configuration" {
-  type = object({
-    enabled          = optional(bool, true)
-    firewall_mode    = optional(string, "Prevention")
-    rule_set_version = optional(string, "3.2")
-  })
-  default     = {}
-  description = "A mapping with the waf configuration of the application gateway."
-}
-
 variable "frontend_ip_configuration" {
   type = object({
     public_ip_address_id          = optional(string)