Associate WAF policy to Application Gateway listener (fixes 6485)

azurerm/internal/services/network/application_gateway_resource.go

@@ -465,6 +465,12 @@ func resourceArmApplicationGateway() *schema.Resource {
 								},
 							},
 						},
+
+						"firewall_policy_id": {
+							Type:         schema.TypeString,
+							Optional:     true,
+							ValidateFunc: azure.ValidateResourceID,
+						},
 					},
 				},
 			},
@@ -2217,6 +2223,7 @@ func expandApplicationGatewayHTTPListeners(d *schema.ResourceData, gatewayID str
 
 		frontendIPConfigID := fmt.Sprintf("%s/frontendIPConfigurations/%s", gatewayID, frontendIPConfigName)
 		frontendPortID := fmt.Sprintf("%s/frontendPorts/%s", gatewayID, frontendPortName)
+		firewallPolicyID := v["firewall_policy_id"].(string)
 
 		customErrorConfigurations := expandApplicationGatewayCustomErrorConfigurations(v["custom_error_configuration"].([]interface{}))
 
@@ -2257,6 +2264,12 @@ func expandApplicationGatewayHTTPListeners(d *schema.ResourceData, gatewayID str
 			}
 		}
 
+		if firewallPolicyID != "" && len(firewallPolicyID) > 0 {
+			listener.ApplicationGatewayHTTPListenerPropertiesFormat.FirewallPolicy = &network.SubResource{
+				ID: utils.String(firewallPolicyID),
+			}
+		}
+
 		results = append(results, listener)
 	}
 
@@ -2332,6 +2345,10 @@ func flattenApplicationGatewayHTTPListeners(input *[]network.ApplicationGatewayH
 				output["require_sni"] = *sni
 			}
 
+			if fwp := props.FirewallPolicy; fwp != nil && fwp.ID != nil {
+				output["firewall_policy_id"] = *fwp.ID
+			}
+
 			output["custom_error_configuration"] = flattenApplicationGatewayCustomErrorConfigurations(props.CustomErrorConfigurations)
 		}
 

azurerm/internal/services/network/tests/application_gateway_resource_test.go

@@ -235,6 +235,26 @@ func TestAccAzureRMApplicationGateway_customFirewallPolicy(t *testing.T) {
 	})
 }
 
+func TestAccAzureRMApplicationGateway_customHttpListenerFirewallPolicy(t *testing.T) {
+	data := acceptance.BuildTestData(t, "azurerm_application_gateway", "test")
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:     func() { acceptance.PreCheck(t) },
+		Providers:    acceptance.SupportedProviders,
+		CheckDestroy: testCheckAzureRMApplicationGatewayDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccAzureRMApplicationGateway_customHttpListenerFirewallPolicy(data),
+				Check: resource.ComposeTestCheckFunc(
+					testCheckAzureRMApplicationGatewayExists(data.ResourceName),
+					resource.TestCheckResourceAttrSet(data.ResourceName, "http_listener.0.firewall_policy_id"),
+				),
+			},
+			data.ImportStep(),
+		},
+	})
+}
+
 // TODO required soft delete on the keyvault
 func TestAccAzureRMApplicationGateway_trustedRootCertificate_keyvault(t *testing.T) {
 	t.Skip()
@@ -2116,6 +2136,126 @@ resource "azurerm_application_gateway" "test" {
 `, template, data.RandomInteger)
 }
 
+func testAccAzureRMApplicationGateway_customHttpListenerFirewallPolicy(data acceptance.TestData) string {
+	template := testAccAzureRMApplicationGateway_template(data)
+	return fmt.Sprintf(`
+%[1]s
+
+# since these variables are re-used - a locals block makes this more maintainable
+locals {
+  backend_address_pool_name      = "${azurerm_virtual_network.test.name}-beap"
+  frontend_port_name             = "${azurerm_virtual_network.test.name}-feport"
+  frontend_ip_configuration_name = "${azurerm_virtual_network.test.name}-feip"
+  http_setting_name              = "${azurerm_virtual_network.test.name}-be-htst"
+  listener_name                  = "${azurerm_virtual_network.test.name}-httplstn"
+  request_routing_rule_name      = "${azurerm_virtual_network.test.name}-rqrt"
+}
+
+resource "azurerm_public_ip" "teststd" {
+  name                = "acctest-PubIpStd-%[2]d"
+  location            = azurerm_resource_group.test.location
+  resource_group_name = azurerm_resource_group.test.name
+  allocation_method   = "Static"
+  sku                 = "Standard"
+}
+
+resource "azurerm_web_application_firewall_policy" "testfwp" {
+  name                = "acctest-fwp-%[2]d"
+  resource_group_name = azurerm_resource_group.test.name
+  location            = azurerm_resource_group.test.location
+
+  policy_settings {
+    enabled = true
+    mode    = "Prevention"
+  }
+
+  managed_rules {
+    managed_rule_set {
+      type    = "OWASP"
+      version = "3.1"
+    }
+  }
+}
+
+resource "azurerm_web_application_firewall_policy" "testfwp_listener" {
+  name                = "acctest-fwp-listener-%[2]d"
+  resource_group_name = azurerm_resource_group.test.name
+  location            = azurerm_resource_group.test.location
+
+  policy_settings {
+    enabled = true
+    mode    = "Prevention"
+  }
+
+  managed_rules {
+    managed_rule_set {
+      type    = "OWASP"
+      version = "3.1"
+    }
+  }
+}
+
+resource "azurerm_application_gateway" "test" {
+  name                = "acctestag-%[2]d"
+  resource_group_name = azurerm_resource_group.test.name
+  location            = azurerm_resource_group.test.location
+
+  sku {
+    name     = "WAF_v2"
+    tier     = "WAF_v2"
+    capacity = 2
+  }
+
+  firewall_policy_id = azurerm_web_application_firewall_policy.testfwp.id
+
+  gateway_ip_configuration {
+    name      = "my-gateway-ip-configuration"
+    subnet_id = azurerm_subnet.test.id
+  }
+
+  frontend_port {
+    name = local.frontend_port_name
+    port = 80
+  }
+
+  frontend_ip_configuration {
+    name                 = local.frontend_ip_configuration_name
+    public_ip_address_id = azurerm_public_ip.teststd.id
+  }
+
+  backend_address_pool {
+    name = local.backend_address_pool_name
+  }
+
+  backend_http_settings {
+    name                  = local.http_setting_name
+    cookie_based_affinity = "Disabled"
+    port                  = 443
+    protocol              = "Https"
+    request_timeout       = 1
+
+    pick_host_name_from_backend_address = true
+  }
+
+  http_listener {
+    name                           = local.listener_name
+    frontend_ip_configuration_name = local.frontend_ip_configuration_name
+    frontend_port_name             = local.frontend_port_name
+    protocol                       = "Http"
+    firewall_policy_id             = azurerm_web_application_firewall_policy.testfwp_listener.id
+  }
+
+  request_routing_rule {
+    name                       = local.request_routing_rule_name
+    rule_type                  = "Basic"
+    http_listener_name         = local.listener_name
+    backend_address_pool_name  = local.backend_address_pool_name
+    backend_http_settings_name = local.http_setting_name
+  }
+}
+`, template, data.RandomInteger)
+}
+
 func testAccAzureRMApplicationGateway_authCertificateUpdated(data acceptance.TestData) string {
 	template := testAccAzureRMApplicationGateway_template(data)
 	return fmt.Sprintf(`

website/docs/r/application_gateway.html.markdown

@@ -167,7 +167,7 @@ The following arguments are supported:
 
 * `custom_error_configuration` - (Optional) One or more `custom_error_configuration` blocks as defined below.
 
-* `firewall_policy_id` - (Optional) The resource ID of a firewall policy.
+* `firewall_policy_id` - (Optional) The ID of the Web Application Firewall Policy.
 
 * `redirect_configuration` - (Optional) A `redirect_configuration` block as defined below.
 
@@ -302,6 +302,8 @@ A `http_listener` block supports the following:
 
 * `custom_error_configuration` - (Optional) One or more `custom_error_configuration` blocks as defined below.
 
+* `firewall_policy_id` - (Optional) The ID of the Web Application Firewall Policy which should be used as a HTTP Listener.
+
 ---
 
 A `identity` block supports the following: