azurermCdnFrontdoorFirewallPolicy
Manages a Front Door (standard/premium) Firewall Policy instance.
Example Usage
import { Construct } from "constructs";
import { App, TerraformStack } from "cdktf";
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as azurerm from "./.gen/providers/azurerm";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: azurerm.
For a more precise conversion please use the --provider flag in convert.*/

class MyStack extends TerraformStack {
  constructor(scope: Construct, id: string) {
    super(scope, id);

    const azurermResourceGroupExample = new azurerm.resourceGroup.ResourceGroup(
      this,
      "example",
      {
        location: "West Europe",
        name: "example-cdn-frontdoor",
      }
    );

    // A Premium profile is used because managed rule sets are only available on the Premium SKU.
    const azurermCdnFrontdoorProfileExample =
      new azurerm.cdnFrontdoorProfile.CdnFrontdoorProfile(this, "example_1", {
        name: "example-profile",
        resource_group_name: azurermResourceGroupExample.name,
        sku_name: "Premium_AzureFrontDoor",
      });
    /*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
    azurermCdnFrontdoorProfileExample.overrideLogicalId("example");

    const azurermCdnFrontdoorFirewallPolicyExample =
      new azurerm.cdnFrontdoorFirewallPolicy.CdnFrontdoorFirewallPolicy(
        this,
        "example_2",
        {
          // The block response body must be supplied base64-encoded (here a small HTML page).
          custom_block_response_body:
            "PGh0bWw+CjxoZWFkZXI+PHRpdGxlPkhlbGxvPC90aXRsZT48L2hlYWRlcj4KPGJvZHk+CkhlbGxvIHdvcmxkCjwvYm9keT4KPC9odG1sPg==",
          custom_block_response_status_code: 403,
          custom_rule: [
            {
              action: "Block",
              enabled: true,
              match_condition: [
                {
                  match_values: ["10.0.1.0/24", "10.0.0.0/24"],
                  match_variable: "RemoteAddr",
                  negation_condition: false,
                  operator: "IPMatch",
                },
              ],
              name: "Rule1",
              priority: 1,
              rate_limit_duration_in_minutes: 1,
              rate_limit_threshold: 10,
              type: "MatchRule",
            },
            {
              action: "Block",
              enabled: true,
              match_condition: [
                {
                  match_values: ["192.168.1.0/24"],
                  match_variable: "RemoteAddr",
                  negation_condition: false,
                  operator: "IPMatch",
                },
                {
                  match_values: ["windows"],
                  match_variable: "RequestHeader",
                  negation_condition: false,
                  operator: "Contains",
                  selector: "UserAgent",
                  transforms: ["Lowercase", "Trim"],
                },
              ],
              name: "Rule2",
              priority: 2,
              rate_limit_duration_in_minutes: 1,
              rate_limit_threshold: 10,
              type: "MatchRule",
            },
          ],
          enabled: true,
          managed_rule: [
            {
              exclusion: [
                {
                  match_variable: "QueryStringArgNames",
                  operator: "Equals",
                  selector: "not_suspicious",
                },
              ],
              override: [
                {
                  rule: [
                    {
                      action: "Block",
                      enabled: false,
                      rule_id: "933100",
                    },
                  ],
                  rule_group_name: "PHP",
                },
                {
                  exclusion: [
                    {
                      match_variable: "QueryStringArgNames",
                      operator: "Equals",
                      selector: "really_not_suspicious",
                    },
                  ],
                  rule: [
                    {
                      action: "Block",
                      exclusion: [
                        {
                          match_variable: "QueryStringArgNames",
                          operator: "Equals",
                          selector: "innocent",
                        },
                      ],
                      rule_id: "942200",
                    },
                  ],
                  rule_group_name: "SQLI",
                },
              ],
              type: "DefaultRuleSet",
              version: "1.0",
            },
            {
              action: "Log",
              type: "Microsoft_BotManagerRuleSet",
              version: "1.0",
            },
          ],
          mode: "Prevention",
          name: "examplecdnfdwafpolicy",
          redirect_url: "https://www.contoso.com",
          resource_group_name: azurermResourceGroupExample.name,
          sku_name: azurermCdnFrontdoorProfileExample.skuName,
        }
      );
    /*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
    azurermCdnFrontdoorFirewallPolicyExample.overrideLogicalId("example");
  }
}

const app = new App();
new MyStack(app, "cdn-frontdoor-firewall-policy");
app.synth();
Argument Reference
The following arguments are supported:
- name - (Required) The name of the policy. Changing this forces a new resource to be created.
- resourceGroupName - (Required) The name of the resource group. Changing this forces a new resource to be created.
- skuName - (Required) The sku's pricing tier for this Front Door Firewall Policy. Possible values include standardAzureFrontDoor or premiumAzureFrontDoor. Changing this forces a new resource to be created.
-> NOTE: The standardAzureFrontDoor Front Door Firewall Policy sku may contain custom rules only. The premiumAzureFrontDoor Front Door Firewall Policy sku may contain both custom and managed rules.
- enabled - (Optional) Is the Front Door Firewall Policy enabled? Defaults to true.
- mode - (Required) The Front Door Firewall Policy mode. Possible values are detection and prevention.
-> NOTE: When run in detection mode, the Front Door Firewall Policy takes no action other than monitoring and logging the request and its matched Front Door rule to the Web Application Firewall logs.
- redirectUrl - (Optional) If the action type is redirect, this field is the redirect URL for the client.
- customRule - (Optional) One or more customRule blocks as defined below.
- customBlockResponseStatusCode - (Optional) If a customRule block's action type is block, this is the response status code. Possible values are 200, 403, 405, 406, or 429.
- customBlockResponseBody - (Optional) If a customRule block's action type is block, this is the response body. The body must be specified in base64 encoding.
- managedRule - (Optional) One or more managedRule blocks as defined below.
- tags - (Optional) A mapping of tags to assign to the Front Door Firewall Policy.
A customRule block supports the following:
- name - (Required) The name of the rule, which must be unique within the policy. This name can be used to access the resource.
- action - (Required) The action to perform when the rule is matched. Possible values are allow, block, log, or redirect.
- enabled - (Optional) Is the rule enabled or disabled? Defaults to true.
- priority - (Optional) The priority of the rule. Rules with a lower value are evaluated before rules with a higher value. Defaults to 1.
- type - (Required) The type of rule. Possible values are matchRule or rateLimitRule.
- matchCondition - (Optional) One or more matchCondition blocks as defined below. A rule can have up to 10 matchCondition blocks.
- rateLimitDurationInMinutes - (Optional) The rate limit duration in minutes. Defaults to 1.
- rateLimitThreshold - (Optional) The rate limit threshold. Defaults to 10.
A matchCondition block supports the following:
- matchVariable - (Required) The request variable to compare with. Possible values are cookies, postArgs, queryString, remoteAddr, requestBody, requestHeader, requestMethod, requestUri, or socketAddr.
- matchValues - (Required) Up to 600 possible values to match. The limit applies in total across all matchCondition blocks and matchValues arguments. Each string value can be up to 256 characters in length.
- operator - (Required) Comparison type to use for matching with the variable value. Possible values are any, beginsWith, contains, endsWith, equal, geoMatch, greaterThan, greaterThanOrEqual, ipMatch, lessThan, lessThanOrEqual or regEx.
- selector - (Optional) Match against a specific key if the matchVariable is queryString, postArgs, requestHeader or cookies.
- negationCondition - (Optional) Should the result of the condition be negated?
- transforms - (Optional) Up to 5 transforms to apply. Possible values are lowercase, removeNulls, trim, uppercase, urlDecode or urlEncode.
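The limits above (10 match conditions per rule, 600 match values per policy, 256 characters per value, 5 transforms, a selector only for the four keyed variables, and a base64 block response body with one of five status codes) are easy to exceed in a policy assembled from lists. The following is an added example, not code from the azurerm provider or from this page, that lints a custom_rule list before synth. Keys follow the converted example above (snake_case) and string values use the casing shown there; "QueryString", "PostArgs" and "Cookies" are assumed to follow the same convention.

```typescript
// Added example, not provider code: pre-synth lint of custom_rule blocks against
// the limits documented for the customRule and matchCondition blocks.

type MatchCondition = {
  match_variable: string;
  operator: string;
  match_values: string[];
  selector?: string;
  negation_condition?: boolean;
  transforms?: string[];
};

type CustomRule = {
  name: string;
  action: string;
  type: string;
  priority?: number;
  enabled?: boolean;
  match_condition?: MatchCondition[];
  rate_limit_duration_in_minutes?: number;
  rate_limit_threshold?: number;
};

// Limits taken from the argument reference on this page.
const MAX_CONDITIONS_PER_RULE = 10;
const MAX_MATCH_VALUES_TOTAL = 600; // across every matchCondition block in the policy
const MAX_MATCH_VALUE_LENGTH = 256;
const MAX_TRANSFORMS = 5;
const BLOCK_STATUS_CODES = [200, 403, 405, 406, 429];
// Variables for which `selector` names a specific key (casing assumed from the example).
const SELECTOR_VARIABLES = ["QueryString", "PostArgs", "RequestHeader", "Cookies"];

function lintCustomRules(rules: CustomRule[]): string[] {
  const findings: string[] = [];
  let totalMatchValues = 0;
  for (const rule of rules) {
    const conds = rule.match_condition ?? [];
    if (conds.length > MAX_CONDITIONS_PER_RULE) {
      findings.push(`${rule.name}: ${conds.length} match conditions, max ${MAX_CONDITIONS_PER_RULE}`);
    }
    conds.forEach((c, i) => {
      totalMatchValues += c.match_values.length;
      if (c.match_values.some((v) => v.length > MAX_MATCH_VALUE_LENGTH)) {
        findings.push(`${rule.name}[${i}]: match value longer than ${MAX_MATCH_VALUE_LENGTH} characters`);
      }
      if ((c.transforms ?? []).length > MAX_TRANSFORMS) {
        findings.push(`${rule.name}[${i}]: more than ${MAX_TRANSFORMS} transforms`);
      }
      if (c.selector !== undefined && SELECTOR_VARIABLES.indexOf(c.match_variable) === -1) {
        findings.push(`${rule.name}[${i}]: selector has no effect on ${c.match_variable}`);
      }
    });
  }
  if (totalMatchValues > MAX_MATCH_VALUES_TOTAL) {
    findings.push(`policy: ${totalMatchValues} match values in total, max ${MAX_MATCH_VALUES_TOTAL}`);
  }
  return findings;
}

// The custom block response: the status code must be one of the documented values
// and the body must already be base64; the provider does not encode it for you.
function lintBlockResponse(statusCode?: number, body?: string): string[] {
  const findings: string[] = [];
  if (statusCode !== undefined && BLOCK_STATUS_CODES.indexOf(statusCode) === -1) {
    findings.push(`custom_block_response_status_code ${statusCode} is not one of ${BLOCK_STATUS_CODES.join(", ")}`);
  }
  if (body !== undefined && !(body.length % 4 === 0 && /^[A-Za-z0-9+\/]*={0,2}$/.test(body))) {
    findings.push("custom_block_response_body is not base64");
  }
  return findings;
}

// Constructed sample input: the two rules from the example above plus one rule
// ("BadRule") that breaks three of the documented limits at once.
const SAMPLE_RULES: CustomRule[] = [
  { name: "Rule1", action: "Block", type: "MatchRule", priority: 1,
    match_condition: [{ match_variable: "RemoteAddr", operator: "IPMatch",
      match_values: ["10.0.1.0/24", "10.0.0.0/24"] }] },
  { name: "Rule2", action: "Block", type: "MatchRule", priority: 2,
    match_condition: [
      { match_variable: "RemoteAddr", operator: "IPMatch", match_values: ["192.168.1.0/24"] },
      { match_variable: "RequestHeader", operator: "Contains", selector: "UserAgent",
        match_values: ["windows"], transforms: ["Lowercase", "Trim"] } ] },
  { name: "BadRule", action: "Block", type: "MatchRule", priority: 3,
    match_condition: [{ match_variable: "RemoteAddr", operator: "IPMatch", selector: "x",
      match_values: [new Array(301).join("a")], // a 300-character value
      transforms: ["Lowercase", "Trim", "Uppercase", "UrlDecode", "UrlEncode", "RemoveNulls"] }] },
];
// The base64 body used in the example above.
const SAMPLE_BODY = "PGh0bWw+CjxoZWFkZXI+PHRpdGxlPkhlbGxvPC90aXRsZT48L2hlYWRlcj4KPGJvZHk+CkhlbGxvIHdvcmxkCjwvYm9keT4KPC9odG1sPg==";

console.log(lintCustomRules(SAMPLE_RULES));         // three findings, all on BadRule
console.log(lintBlockResponse(403, SAMPLE_BODY));   // []
console.log(lintBlockResponse(418, "not base64!")); // two findings
```

Running the lint over the policy object before `cdktf synth` turns a plan-time or apply-time rejection from the API into an immediate, named finding; the total-match-values check is the one most often missed because it spans every rule in the policy rather than a single block.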
A managedRule block supports the following:
- type - (Required) The name of the managed rule to use with this resource. Possible values include defaultRuleSet, microsoftDefaultRuleSet, botProtection or microsoftBotManagerRuleSet.
- version - (Required) The version of the managed rule to use with this resource. Possible values depend on which DRS type you are using: for the defaultRuleSet type the possible values include 1.0 or preview-0.1; for microsoftDefaultRuleSet the possible values include 1.1, 2.0 or 2.1; for botProtection the value must be preview-0.1, and for microsoftBotManagerRuleSet the value must be 1.0.
- action - (Required) The action to perform for all DRS rules when the managed rule is matched or when the anomaly score is 5 or greater, depending on which version of the DRS you are using. Possible values include allow, log, block, and redirect.
- exclusion - (Optional) One or more exclusion blocks as defined below.
- override - (Optional) One or more override blocks as defined below.
An override block supports the following:
- ruleGroupName - (Required) The managed rule group to override.
- exclusion - (Optional) One or more exclusion blocks as defined below.
- rule - (Optional) One or more rule blocks as defined below. If none are specified, all of the rules in the group will be disabled.
A rule block supports the following:
- ruleId - (Required) Identifier for the managed rule.
- action - (Required) The action to be applied when the managed rule matches or when the anomaly score is 5 or greater. Possible values for DRS 1.1 and below are allow, log, block, and redirect. For DRS 2.0 and above the possible values are log or anomalyScoring.
-> NOTE: Please see the DRS product documentation for more information.
- enabled - (Optional) Is the managed rule override enabled or disabled? Defaults to false.
- exclusion - (Optional) One or more exclusion blocks as defined below.
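Two details in the override and rule blocks above are easy to get wrong: the set of valid actions changes between DRS 1.1 and DRS 2.0 (anomaly scoring), and an override rule's `enabled` defaults to false, so an override that sets an action but leaves `enabled` unset disables the rule instead of changing its action. The following is an added example, not code from the azurerm provider or from this page, that checks a managed_rule list for both, and also flags an override with no rule blocks, which the reference says disables the whole group. Value casing follows the example above; "AnomalyScoring" and "Microsoft_DefaultRuleSet" are assumed to follow the same convention.

```typescript
// Added example, not provider code: lint of managed_rule override/rule blocks
// against the DRS-version action rule and the enabled default documented above.

type OverrideRule = { rule_id: string; action: string; enabled?: boolean };
type Override = { rule_group_name: string; rule?: OverrideRule[] };
type ManagedRule = { type: string; version: string; action: string; override?: Override[] };

const DRS_TYPES = ["DefaultRuleSet", "Microsoft_DefaultRuleSet"];
const LEGACY_ACTIONS = ["Allow", "Log", "Block", "Redirect"]; // DRS 1.1 and below
const ANOMALY_ACTIONS = ["Log", "AnomalyScoring"];            // DRS 2.0 and above

// Actions an override rule may use for this managed rule set, or undefined when the
// reference states no version rule for the type (the bot rule sets).
function allowedOverrideActions(managedType: string, version: string): string[] | undefined {
  if (DRS_TYPES.indexOf(managedType) === -1) return undefined;
  const major = parseInt(version.split(".")[0], 10);
  if (isNaN(major)) return undefined;
  return major >= 2 ? ANOMALY_ACTIONS : LEGACY_ACTIONS;
}

function lintManagedRules(rules: ManagedRule[]): string[] {
  const findings: string[] = [];
  for (const mr of rules) {
    const allowed = allowedOverrideActions(mr.type, mr.version);
    for (const ov of mr.override ?? []) {
      const where = `${mr.type} ${mr.version}/${ov.rule_group_name}`;
      const overrideRules = ov.rule ?? [];
      if (overrideRules.length === 0) {
        findings.push(`${where}: no rule blocks, so every rule in the group is disabled`);
      }
      for (const r of overrideRules) {
        if (allowed !== undefined && allowed.indexOf(r.action) === -1) {
          findings.push(`${where}/${r.rule_id}: action ${r.action} is not valid for this DRS version (allowed: ${allowed.join(", ")})`);
        }
        if (r.enabled === undefined) {
          findings.push(`${where}/${r.rule_id}: enabled not set; it defaults to false, so the rule is disabled rather than set to ${r.action}`);
        }
      }
    }
  }
  return findings;
}

// Constructed sample: the DefaultRuleSet 1.0 overrides from the example above, plus a
// Microsoft_DefaultRuleSet 2.1 block with one invalid action and one empty override.
// Rule id 942100 is a constructed sample value.
const SAMPLE_MANAGED: ManagedRule[] = [
  { type: "DefaultRuleSet", version: "1.0", action: "Block", override: [
    { rule_group_name: "PHP", rule: [{ rule_id: "933100", action: "Block", enabled: false }] },
    { rule_group_name: "SQLI", rule: [{ rule_id: "942200", action: "Block" }] },
  ] },
  { type: "Microsoft_DefaultRuleSet", version: "2.1", action: "Block", override: [
    { rule_group_name: "SQLI", rule: [
      { rule_id: "942200", action: "Block", enabled: true },
      { rule_id: "942100", action: "AnomalyScoring", enabled: true },
    ] },
    { rule_group_name: "PHP" },
  ] },
  { type: "Microsoft_BotManagerRuleSet", version: "1.0", action: "Log" },
];

console.log(lintManagedRules(SAMPLE_MANAGED)); // three findings
```

Note that the page's own example trips the second check: the SQLI override for rule 942200 sets action Block without `enabled: true`, so with the documented default of false that rule ends up disabled. Set `enabled: true` explicitly on any override whose purpose is to change the action rather than to switch the rule off.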
An exclusion block supports the following:
- matchVariable - (Required) The variable type to be excluded. Possible values are queryStringArgNames, requestBodyPostArgNames, requestCookieNames, requestHeaderNames, or requestBodyJsonArgNames.
-> NOTE: requestBodyJsonArgNames is only available on Default Rule Set (DRS) 2.0 or later.
- operator - (Required) Comparison operator to apply to the selector when specifying which elements in the collection this exclusion applies to. Possible values are equals, contains, startsWith, endsWith, or equalsAny.
- selector - (Required) Selector for the value in the matchVariable attribute this exclusion applies to.
Attributes Reference
The following attributes are exported:
- id - The ID of the Front Door Firewall Policy.
- frontendEndpointIds - The Front Door Profile's frontend endpoints associated with this Front Door Firewall Policy.
Timeouts
The timeouts block allows you to specify timeouts for certain actions:
- create - (Defaults to 30 minutes) Used when creating the Front Door Firewall Policy.
- update - (Defaults to 30 minutes) Used when updating the Front Door Firewall Policy.
- read - (Defaults to 5 minutes) Used when retrieving the Front Door Firewall Policy.
- delete - (Defaults to 30 minutes) Used when deleting the Front Door Firewall Policy.
Import
Front Door Firewall Policies can be imported using the resourceId, e.g.