azurermFrontdoorFirewallPolicy
!> IMPORTANT This deploys an Azure Front Door (classic) resource which has been deprecated and will receive security updates only. Please migrate your existing Azure Front Door (classic) deployments to the new Azure Front Door (standard/premium) resources. For your convenience, the service team has exposed a frontDoorClassic to frontDoorStandard/premium migration tool to allow you to migrate your existing frontDoorClassic instances to the new frontDoorStandard/premium product tiers.
Manages an Azure Front Door (classic) Web Application Firewall Policy instance.
!> Be Aware: Azure is rolling out a breaking change on Friday 9th April 2021 which may cause issues with the CDN/FrontDoor resources. More information is available in this GitHub issue - however unfortunately this may necessitate a breaking change to the CDN and Front Door resources, more information will be posted in the GitHub issue as the necessary changes are identified.
Example Usage
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as azurerm from "./.gen/providers/azurerm";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: azurerm.
For a more precise conversion please use the --provider flag in convert.*/
const azurermResourceGroupExample = new azurerm.resourceGroup.ResourceGroup(
this,
"example",
{
location: "West Europe",
name: "example-rg",
}
);
const azurermFrontdoorFirewallPolicyExample =
new azurerm.frontdoorFirewallPolicy.FrontdoorFirewallPolicy(
this,
"example_1",
{
custom_block_response_body:
"PGh0bWw+CjxoZWFkZXI+PHRpdGxlPkhlbGxvPC90aXRsZT48L2hlYWRlcj4KPGJvZHk+CkhlbGxvIHdvcmxkCjwvYm9keT4KPC9odG1sPg==",
custom_block_response_status_code: 403,
custom_rule: [
{
action: "Block",
enabled: true,
match_condition: [
{
match_values: ["192.168.1.0/24", "10.0.0.0/24"],
match_variable: "RemoteAddr",
negation_condition: false,
operator: "IPMatch",
},
],
name: "Rule1",
priority: 1,
rate_limit_duration_in_minutes: 1,
rate_limit_threshold: 10,
type: "MatchRule",
},
{
action: "Block",
enabled: true,
match_condition: [
{
match_values: ["192.168.1.0/24"],
match_variable: "RemoteAddr",
negation_condition: false,
operator: "IPMatch",
},
{
match_values: ["windows"],
match_variable: "RequestHeader",
negation_condition: false,
operator: "Contains",
selector: "UserAgent",
transforms: ["Lowercase", "Trim"],
},
],
name: "Rule2",
priority: 2,
rate_limit_duration_in_minutes: 1,
rate_limit_threshold: 10,
type: "MatchRule",
},
],
enabled: true,
managed_rule: [
{
exclusion: [
{
match_variable: "QueryStringArgNames",
operator: "Equals",
selector: "not_suspicious",
},
],
override: [
{
rule: [
{
action: "Block",
enabled: false,
rule_id: "933100",
},
],
rule_group_name: "PHP",
},
{
exclusion: [
{
match_variable: "QueryStringArgNames",
operator: "Equals",
selector: "really_not_suspicious",
},
],
rule: [
{
action: "Block",
exclusion: [
{
match_variable: "QueryStringArgNames",
operator: "Equals",
selector: "innocent",
},
],
rule_id: "942200",
},
],
rule_group_name: "SQLI",
},
],
type: "DefaultRuleSet",
version: "1.0",
},
{
type: "Microsoft_BotManagerRuleSet",
version: "1.0",
},
],
mode: "Prevention",
name: "examplefdwafpolicy",
redirect_url: "https://www.contoso.com",
resource_group_name: azurermResourceGroupExample.name,
}
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermFrontdoorFirewallPolicyExample.overrideLogicalId("example");
Argument Reference
The following arguments are supported:
-
name- (Required) The name of the policy. Changing this forces a new resource to be created. -
resourceGroupName- (Required) The name of the resource group. Changing this forces a new resource to be created. -
enabled- (Optional) Is the policy a enabled state or disabled state. Defaults totrue. -
mode- (Optional) The firewall policy mode. Possible values aredetection,preventionand defaults toprevention. -
redirectUrl- (Optional) If action type is redirect, this field represents redirect URL for the client. -
customRule- (Optional) One or morecustomRuleblocks as defined below. -
customBlockResponseStatusCode- (Optional) If acustomRuleblock's action type isblock, this is the response status code. Possible values are200,403,405,406, or429. -
customBlockResponseBody- (Optional) If acustomRuleblock's action type isblock, this is the response body. The body must be specified in base64 encoding. -
managedRule- (Optional) One or moremanagedRuleblocks as defined below. -
tags- (Optional) A mapping of tags to assign to the Web Application Firewall Policy.
The customRule block supports the following:
-
name- (Required) Gets name of the resource that is unique within a policy. This name can be used to access the resource. -
action- (Required) The action to perform when the rule is matched. Possible values areallow,block,log, orredirect. -
enabled- (Optional) Is the rule is enabled or disabled? Defaults totrue. -
priority- (Optional) The priority of the rule. Rules with a lower value will be evaluated before rules with a higher value. Defaults to1. -
type- (Required) The type of rule. Possible values arematchRuleorrateLimitRule. -
matchCondition- (Optional) One or morematchConditionblock defined below. Can support up to10matchConditionblocks. -
rateLimitDurationInMinutes- (Optional) The rate limit duration in minutes. Defaults to1. -
rateLimitThreshold- (Optional) The rate limit threshold. Defaults to10.
The matchCondition block supports the following:
-
matchVariable- (Required) The request variable to compare with. Possible values arecookies,postArgs,queryString,remoteAddr,requestBody,requestHeader,requestMethod,requestUri, orsocketAddr. -
matchValues- (Required) Up to600possible values to match. Limit is in total across allmatchConditionblocks andmatchValuesarguments. String value itself can be up to256characters long. -
operator- (Required) Comparison type to use for matching with the variable value. Possible values areany,beginsWith,contains,endsWith,equal,geoMatch,greaterThan,greaterThanOrEqual,ipMatch,lessThan,lessThanOrEqualorregEx. -
selector- (Optional) Match against a specific key if thematchVariableisqueryString,postArgs,requestHeaderorcookies. -
negationCondition- (Optional) Should the result of the condition be negated. -
transforms- (Optional) Up to5transforms to apply. Possible values arelowercase,removeNulls,trim,uppercase,urlDecodeorurlEncode.
The managedRule block supports the following:
-
type- (Required) The name of the managed rule to use with this resource. -
version- (Required) The version on the managed rule to use with this resource. -
exclusion- (Optional) One or moreexclusionblocks as defined below. -
override- (Optional) One or moreoverrideblocks as defined below.
The override block supports the following:
-
ruleGroupName- (Required) The managed rule group to override. -
exclusion- (Optional) One or moreexclusionblocks as defined below. -
rule- (Optional) One or moreruleblocks as defined below. If none are specified, all of the rules in the group will be disabled.
The rule block supports the following:
-
ruleId- (Required) Identifier for the managed rule. -
action- (Required) The action to be applied when the rule matches. Possible values areallow,block,log, orredirect. -
enabled- (Optional) Is the managed rule override enabled or disabled. Defaults tofalse -
exclusion- (Optional) One or moreexclusionblocks as defined below.
The exclusion block supports the following:
-
matchVariable- (Required) The variable type to be excluded. Possible values arequeryStringArgNames,requestBodyPostArgNames,requestCookieNames,requestHeaderNames. -
operator- (Required) Comparison operator to apply to the selector when specifying which elements in the collection this exclusion applies to. Possible values are:equals,contains,startsWith,endsWith,equalsAny. -
selector- (Required) Selector for the value in thematchVariableattribute this exclusion applies to.
Attributes Reference
The following attributes are exported:
-
id- The ID of the Front Door Firewall Policy. -
location- The Azure Region where this Front Door Firewall Policy exists. -
frontendEndpointIds- The Frontend Endpoints associated with this Front Door Web Application Firewall policy.
Timeouts
The timeouts block allows you to specify timeouts for certain actions:
create- (Defaults to 30 minutes) Used when creating the Front Door Web Application Firewall Policy.update- (Defaults to 30 minutes) Used when updating the Front Door Web Application Firewall Policy.read- (Defaults to 5 minutes) Used when retrieving the Front Door Web Application Firewall Policy.delete- (Defaults to 30 minutes) Used when deleting the Front Door Web Application Firewall Policy.
Import
FrontDoor Web Application Firewall Policy can be imported using the resourceId, e.g.