azurermWebApplicationFirewallPolicy
Manages an Azure Web Application Firewall Policy instance.
Example Usage
```typescript
/* Provider bindings are generated by running cdktf get.
   See https://cdk.tf/provider-generation for more details. */
import { Construct } from "constructs";
import { App, TerraformStack } from "cdktf";
import * as azurerm from "./.gen/providers/azurerm";

class WafPolicyStack extends TerraformStack {
  constructor(scope: Construct, id: string) {
    super(scope, id);

    const exampleRg = new azurerm.resourceGroup.ResourceGroup(this, "example", {
      location: "West Europe",
      name: "example-rg",
    });

    // Property names follow the camelCase of the generated bindings; managedRules and
    // policySettings are single (max-items-1) blocks, so they are objects, not arrays.
    const wafPolicy = new azurerm.webApplicationFirewallPolicy.WebApplicationFirewallPolicy(
      this,
      "example_1",
      {
        name: "example-wafpolicy",
        location: exampleRg.location,
        resourceGroupName: exampleRg.name,
        // Custom rules are evaluated before the managed rule sets, in ascending priority.
        customRules: [
          {
            // Rule1 blocks every request from the two listed source ranges.
            name: "Rule1",
            priority: 1,
            ruleType: "MatchRule",
            action: "Block",
            matchConditions: [
              {
                matchVariables: [{ variableName: "RemoteAddr" }],
                operator: "IPMatch",
                negationCondition: false,
                matchValues: ["192.168.1.0/24", "10.0.0.0/24"],
              },
            ],
          },
          {
            // Rule2 needs both conditions: source range AND a User-Agent containing "Windows".
            // Rule1 already blocks all of 192.168.1.0/24, so as written Rule2 never fires;
            // it is kept to show the shape of a multi-condition rule.
            name: "Rule2",
            priority: 2,
            ruleType: "MatchRule",
            action: "Block",
            matchConditions: [
              {
                matchVariables: [{ variableName: "RemoteAddr" }],
                operator: "IPMatch",
                negationCondition: false,
                matchValues: ["192.168.1.0/24"],
              },
              {
                matchVariables: [{ variableName: "RequestHeaders", selector: "UserAgent" }],
                operator: "Contains",
                negationCondition: false,
                matchValues: ["Windows"],
              },
            ],
          },
        ],
        managedRules: {
          // Exclusions remove the named fields from managed-rule inspection entirely.
          exclusion: [
            {
              matchVariable: "RequestHeaderNames",
              selector: "x-company-secret-header",
              selectorMatchOperator: "Equals",
            },
            {
              matchVariable: "RequestCookieNames",
              selector: "too-tasty",
              selectorMatchOperator: "EndsWith",
            },
          ],
          managedRuleSet: [
            {
              type: "OWASP",
              version: "3.2",
              // Per-rule overrides: 920300 is downgraded to Log, 920440 is forced to Block.
              ruleGroupOverride: [
                {
                  ruleGroupName: "REQUEST-920-PROTOCOL-ENFORCEMENT",
                  rule: [
                    { id: "920300", enabled: true, action: "Log" },
                    { id: "920440", enabled: true, action: "Block" },
                  ],
                },
              ],
            },
          ],
        },
        policySettings: {
          enabled: true,
          mode: "Prevention",
          requestBodyCheck: true,
          fileUploadLimitInMb: 100,
          maxRequestBodySizeInKb: 128,
        },
      }
    );

    /* This allows the Terraform resource name to match the original name.
       You can remove the call if you don't need them to match. */
    wafPolicy.overrideLogicalId("example");
  }
}

const app = new App();
new WafPolicyStack(app, "example");
app.synth();
```
Argument Reference
The following arguments are supported:
- name - (Required) The name of the policy. Changing this forces a new resource to be created.
- resourceGroupName - (Required) The name of the resource group. Changing this forces a new resource to be created.
- location - (Required) Resource location. Changing this forces a new resource to be created.
- customRules - (Optional) One or more customRules blocks as defined below.
- policySettings - (Optional) A policySettings block as defined below.
- managedRules - (Required) A managedRules block as defined below.
- tags - (Optional) A mapping of tags to assign to the Web Application Firewall Policy.
The customRules block supports the following:
- name - (Optional) The name of the rule, unique within the policy. This name can be used to access the rule.
- priority - (Required) The priority of the rule. Rules with a lower value are evaluated before rules with a higher value, so a broad rule with a low priority value can shadow a more specific rule after it (in the example above, Rule1 already blocks all of 192.168.1.0/24, so Rule2 never fires).
- ruleType - (Required) The type of rule. Possible values are MatchRule and Invalid.
- matchConditions - (Required) One or more matchConditions blocks as defined below. All conditions of a rule must match for the rule to apply.
- action - (Required) The action taken when the rule matches. Possible values are Allow, Block and Log.
The matchConditions block supports the following:
- matchVariables - (Required) One or more matchVariables blocks as defined below.
- matchValues - (Required) A list of match values. The condition is met when any of the variables matches any of the values.
- operator - (Required) The operator used for matching. Possible values are Any, IPMatch, GeoMatch, Equal, Contains, LessThan, GreaterThan, LessThanOrEqual, GreaterThanOrEqual, BeginsWith, EndsWith and Regex.
- negationCondition - (Optional) Whether the condition is negated, i.e. met when the operator does not match.
- transforms - (Optional) A list of transformations applied to the variable before the match is attempted. Possible values are HtmlEntityDecode, Lowercase, RemoveNulls, Trim, UrlDecode and UrlEncode.
The matchVariables block supports the following:
- variableName - (Required) The name of the match variable. Possible values are RemoteAddr, RequestMethod, QueryString, PostArgs, RequestUri, RequestHeaders, RequestBody and RequestCookies.
- selector - (Optional) The field of the matchVariable collection to inspect, for example a specific header, cookie or argument name.
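The three blocks above describe the shape of a custom rule but not how one is evaluated. The following is an added example, written for this page and not code from the azurerm provider or from Azure: a small TypeScript simulator of custom-rule evaluation that can be used to sanity-check a policy (priorities, AND-ed conditions, negation, IPMatch over CIDR ranges) before deploying it. It assumes that rules run in ascending priority, that every matchCondition of a rule must hold, that a Log rule records the hit and keeps evaluating, and that the first Allow or Block rule that matches ends custom-rule evaluation; header names are compared case-insensitively, which is an assumption of this model. The sampleRules, sampleRequest helper, SimRequest shape and the LogAdmin rule are constructed for the example; Rule1 and Rule2 mirror the page's example, with the header selector spelled as the wire header name User-Agent.

```typescript
// Added example, not code from the azurerm provider or from Azure: a small
// simulator of how customRules / matchConditions / matchVariables evaluate a
// request, for sanity-checking a policy before it is deployed. Assumed
// semantics: rules run in ascending priority, every matchCondition in a rule
// must hold (AND), a Log rule records the hit and keeps evaluating, and the
// first Allow or Block rule that matches ends custom-rule evaluation.

type Action = "Allow" | "Block" | "Log";
type Operator = "IPMatch" | "Equal" | "Contains" | "BeginsWith" | "EndsWith" | "Regex";
type VariableName = "RemoteAddr" | "RequestMethod" | "RequestUri" | "RequestHeaders" | "RequestCookies" | "QueryString";
type Transform = "Lowercase" | "Trim" | "UrlDecode";

interface MatchVariable { variableName: VariableName; selector?: string }
interface MatchCondition {
  matchVariables: MatchVariable[]; matchValues: string[]; operator: Operator;
  negationCondition?: boolean; transforms?: Transform[];
}
export interface CustomRule {
  name: string; priority: number; ruleType: "MatchRule"; action: Action; matchConditions: MatchCondition[];
}
// Constructed request shape used only by this simulator; header names are stored
// lower-cased so that a header selector is matched case-insensitively (assumption).
export interface SimRequest {
  remoteAddr: string; method: string; uri: string;
  headers: Record<string, string>; cookies: Record<string, string>; query: Record<string, string>;
}

function ipv4ToInt(ip: string): number {
  const p = ip.split(".").map(Number);
  if (p.length !== 4 || p.some((o) => !Number.isInteger(o) || o < 0 || o > 255)) throw new Error(`not IPv4: ${ip}`);
  return ((p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]) >>> 0;
}

// IPMatch values may be single addresses or CIDR ranges.
export function ipMatch(addr: string, value: string): boolean {
  const [net, bitsStr] = value.split("/");
  const bits = bitsStr === undefined ? 32 : Number(bitsStr);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipv4ToInt(addr) & mask) >>> 0) === ((ipv4ToInt(net) & mask) >>> 0);
}

function extract(v: MatchVariable, req: SimRequest): string[] {
  const pick = (m: Record<string, string>, key?: string) => (key === undefined ? Object.values(m) : [m[key] ?? ""]);
  switch (v.variableName) {
    case "RemoteAddr": return [req.remoteAddr];
    case "RequestMethod": return [req.method];
    case "RequestUri": return [req.uri];
    case "RequestHeaders": return pick(req.headers, v.selector?.toLowerCase());
    case "RequestCookies": return pick(req.cookies, v.selector);
    case "QueryString": return pick(req.query, v.selector);
    default: throw new Error("unsupported variable");
  }
}

function transform(s: string, transforms: Transform[] = []): string {
  return transforms.reduce((acc, t) => {
    if (t === "Lowercase") return acc.toLowerCase();
    if (t === "Trim") return acc.trim();
    try { return decodeURIComponent(acc); } catch { return acc; } // malformed UrlDecode input is left as-is
  }, s);
}

function compare(op: Operator, subject: string, value: string): boolean {
  switch (op) {
    case "IPMatch": return ipMatch(subject, value);
    case "Equal": return subject === value;
    case "Contains": return subject.includes(value);
    case "BeginsWith": return subject.startsWith(value);
    case "EndsWith": return subject.endsWith(value);
    case "Regex": return new RegExp(value).test(subject);
    default: throw new Error("unsupported operator");
  }
}

// A condition holds when any extracted value matches any matchValue, inverted by negationCondition.
function conditionHolds(c: MatchCondition, req: SimRequest): boolean {
  const subjects = ([] as string[]).concat(...c.matchVariables.map((v) => extract(v, req)));
  const hit = subjects.some((s) => c.matchValues.some((val) => compare(c.operator, transform(s, c.transforms), val)));
  return c.negationCondition ? !hit : hit;
}

export interface Verdict { action?: Action; rule?: string; logged: string[] }

export function evaluate(rules: CustomRule[], req: SimRequest): Verdict {
  const logged: string[] = [];
  for (const r of [...rules].sort((a, b) => a.priority - b.priority)) {
    if (!r.matchConditions.every((c) => conditionHolds(c, req))) continue;
    if (r.action === "Log") { logged.push(r.name); continue; }
    return { action: r.action, rule: r.name, logged };
  }
  return { logged }; // no Allow/Block custom rule matched; the managed rules would run next
}

// Constructed rule set: the page's Rule1 and Rule2 (header selector spelled as the wire
// header name User-Agent) plus a hypothetical Log rule for /admin paths at priority 0.
export const sampleRules: CustomRule[] = [
  { name: "LogAdmin", priority: 0, ruleType: "MatchRule", action: "Log",
    matchConditions: [{ matchVariables: [{ variableName: "RequestUri" }], operator: "BeginsWith", matchValues: ["/admin"] }] },
  { name: "Rule1", priority: 1, ruleType: "MatchRule", action: "Block",
    matchConditions: [{ matchVariables: [{ variableName: "RemoteAddr" }], operator: "IPMatch",
      negationCondition: false, matchValues: ["192.168.1.0/24", "10.0.0.0/24"] }] },
  { name: "Rule2", priority: 2, ruleType: "MatchRule", action: "Block",
    matchConditions: [
      { matchVariables: [{ variableName: "RemoteAddr" }], operator: "IPMatch", negationCondition: false, matchValues: ["192.168.1.0/24"] },
      { matchVariables: [{ variableName: "RequestHeaders", selector: "User-Agent" }], operator: "Contains",
        negationCondition: false, matchValues: ["Windows"] } ] },
];

// Constructed request builder: GET with a single User-Agent header.
export function sampleRequest(remoteAddr: string, uri = "/", userAgent = "Mozilla/5.0 (Windows NT 10.0)"): SimRequest {
  return { remoteAddr, method: "GET", uri, headers: { "user-agent": userAgent }, cookies: {}, query: {} };
}
```

Running evaluate(sampleRules, sampleRequest("192.168.1.10", "/admin")) records the LogAdmin hit and then returns Block from Rule1; Rule2 is never consulted for that range, which is the shadowing to look for when reviewing priorities. A request from 172.16.0.9 falls through with no action, meaning the managed rule sets decide.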
The policySettings block supports the following:
- enabled - (Optional) Whether the policy is enabled. Defaults to true.
- mode - (Optional) Whether the policy runs in detection or prevention mode. Valid values are Detection and Prevention. Defaults to Prevention. In Detection mode matching requests are only logged, never blocked, so use it for tuning and switch to Prevention once false positives have been resolved.
- fileUploadLimitInMb - (Optional) The file upload limit in MB. Accepted values are in the range 1 to 4000. Defaults to 100.
- requestBodyCheck - (Optional) Is request body inspection enabled? Defaults to true. When disabled, rules that inspect the request body (PostArgs, RequestBody and the managed rules that look at body content) are not applied to it.
- maxRequestBodySizeInKb - (Optional) The maximum request body size in KB. Accepted values are in the range 8 to 2000. Defaults to 128.
The managedRules block supports the following:
- exclusion - (Optional) One or more exclusion blocks as defined below.
- managedRuleSet - (Required) One or more managedRuleSet blocks as defined below.
The exclusion block supports the following:
- matchVariable - (Required) The name of the match variable. Possible values: RequestArgKeys, RequestArgNames, RequestArgValues, RequestCookieKeys, RequestCookieNames, RequestCookieValues, RequestHeaderKeys, RequestHeaderNames, RequestHeaderValues.
- selector - (Required) The field of the matchVariable collection to exclude.
- selectorMatchOperator - (Required) The operator used to compare the selector with the field name. Possible values: Contains, EndsWith, Equals, EqualsAny, StartsWith. An exclusion without an excludedRuleSet removes the matching fields from inspection by every managed rule, so prefer Equals over Contains, EndsWith or StartsWith to keep the exclusion from silently covering more fields than intended.
- excludedRuleSet - (Optional) One or more excludedRuleSet blocks as defined below, limiting the exclusion to specific rule groups or rule IDs.
The excludedRuleSet block supports the following:
- type - (Optional) The rule set type. The only possible value is OWASP. Defaults to OWASP.
- version - (Optional) The rule set version. The only possible value is 3.2. Defaults to 3.2.
- ruleGroup - (Optional) One or more ruleGroup blocks as defined below.
The ruleGroup block supports the following:
- ruleGroupName - (Required) The name of the rule group for exclusion. Possible values are BadBots, crs_20_protocol_violations, crs_21_protocol_anomalies, crs_23_request_limits, crs_30_http_policy, crs_35_bad_robots, crs_40_generic_attacks, crs_41_sql_injection_attacks, crs_41_xss_attacks, crs_42_tight_security, crs_45_trojans, General, GoodBots, Known-CVEs, REQUEST-911-METHOD-ENFORCEMENT, REQUEST-913-SCANNER-DETECTION, REQUEST-920-PROTOCOL-ENFORCEMENT, REQUEST-921-PROTOCOL-ATTACK, REQUEST-930-APPLICATION-ATTACK-LFI, REQUEST-931-APPLICATION-ATTACK-RFI, REQUEST-932-APPLICATION-ATTACK-RCE, REQUEST-933-APPLICATION-ATTACK-PHP, REQUEST-941-APPLICATION-ATTACK-XSS, REQUEST-942-APPLICATION-ATTACK-SQLI, REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION, REQUEST-944-APPLICATION-ATTACK-JAVA and UnknownBots.
- excludedRules - (Optional) One or more rule IDs within the rule group to exclude.
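The exclusion blocks above decide which request fields the managed rules will not see, and the selectorMatchOperator decides how wide that hole is. The following is an added example written for this page, not code from the azurerm provider or from Azure: a TypeScript model that partitions the field names of a sample request into those the managed rules still inspect and those an exclusion hides, and flags exclusions that hide more than one field. It assumes field names are compared case-insensitively and that EqualsAny excludes every field of its variable. The sampleExclusions reuse the page's two exclusions plus a hypothetical EqualsAny exclusion on argument names; the field names in sampleFields are constructed.

```typescript
// Added example, not provider or Azure code: a model of which request fields an
// exclusion block removes from managed-rule inspection, used to review a policy
// for over-broad exclusions. Assumptions: field names are compared
// case-insensitively, and EqualsAny excludes every field of the variable.

type ExclusionVariable = "RequestHeaderNames" | "RequestCookieNames" | "RequestArgNames";
type SelectorOp = "Contains" | "EndsWith" | "Equals" | "EqualsAny" | "StartsWith";
export interface Exclusion { matchVariable: ExclusionVariable; selector: string; selectorMatchOperator: SelectorOp }

function selectorHits(op: SelectorOp, selector: string, field: string): boolean {
  const s = selector.toLowerCase();
  const f = field.toLowerCase();
  switch (op) {
    case "Equals": return f === s;
    case "Contains": return f.includes(s);
    case "StartsWith": return f.startsWith(s);
    case "EndsWith": return f.endsWith(s);
    case "EqualsAny": return true;
    default: throw new Error("unsupported selector operator");
  }
}

// Splits the fields of one variable into those the managed rules still inspect
// and those the exclusions hide from them, recording which exclusion hid each.
export function partition(exclusions: Exclusion[], variable: ExclusionVariable, fields: string[]) {
  const hidden: Record<string, string> = {};
  const inspected: string[] = [];
  for (const f of fields) {
    const ex = exclusions.find((e) => e.matchVariable === variable && selectorHits(e.selectorMatchOperator, e.selector, f));
    if (ex) hidden[f] = `${ex.selectorMatchOperator} ${JSON.stringify(ex.selector)}`;
    else inspected.push(f);
  }
  return { inspected, hidden };
}

// Flags exclusions that hide more than one field of the sample request, the usual
// sign that Contains/EndsWith/StartsWith was used where Equals was meant.
export function overBroad(exclusions: Exclusion[], sample: Record<ExclusionVariable, string[]>): Exclusion[] {
  return exclusions.filter(
    (e) => sample[e.matchVariable].filter((f) => selectorHits(e.selectorMatchOperator, e.selector, f)).length > 1,
  );
}

// The page's two exclusions plus a hypothetical EqualsAny exclusion on argument names.
export const sampleExclusions: Exclusion[] = [
  { matchVariable: "RequestHeaderNames", selector: "x-company-secret-header", selectorMatchOperator: "Equals" },
  { matchVariable: "RequestCookieNames", selector: "too-tasty", selectorMatchOperator: "EndsWith" },
  { matchVariable: "RequestArgNames", selector: "*", selectorMatchOperator: "EqualsAny" },
];

// Constructed field names taken from a hypothetical request.
export const sampleFields: Record<ExclusionVariable, string[]> = {
  RequestHeaderNames: ["Host", "User-Agent", "X-Company-Secret-Header", "X-Company-Secret-Header-2"],
  RequestCookieNames: ["session", "too-tasty", "not-too-tasty"],
  RequestArgNames: ["id", "q"],
};
```

With these inputs the Equals exclusion hides exactly the one header it names, while the EndsWith exclusion also hides the cookie not-too-tasty, and the EqualsAny exclusion removes every argument name from inspection; overBroad returns the latter two, which is the list a reviewer would want to justify before applying the policy.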
The managedRuleSet block supports the following:
- type - (Optional) The rule set type. Possible values: Microsoft_BotManagerRuleSet and OWASP.
- version - (Required) The rule set version. Possible values: 0.1, 1.0, 2.2.9, 3.0, 3.1 and 3.2.
- ruleGroupOverride - (Optional) One or more ruleGroupOverride blocks as defined below.
The ruleGroupOverride block supports the following:
- ruleGroupName - (Required) The name of the rule group. Possible values are BadBots, crs_20_protocol_violations, crs_21_protocol_anomalies, crs_23_request_limits, crs_30_http_policy, crs_35_bad_robots, crs_40_generic_attacks, crs_41_sql_injection_attacks, crs_41_xss_attacks, crs_42_tight_security, crs_45_trojans, General, GoodBots, Known-CVEs, REQUEST-911-METHOD-ENFORCEMENT, REQUEST-913-SCANNER-DETECTION, REQUEST-920-PROTOCOL-ENFORCEMENT, REQUEST-921-PROTOCOL-ATTACK, REQUEST-930-APPLICATION-ATTACK-LFI, REQUEST-931-APPLICATION-ATTACK-RFI, REQUEST-932-APPLICATION-ATTACK-RCE, REQUEST-933-APPLICATION-ATTACK-PHP, REQUEST-941-APPLICATION-ATTACK-XSS, REQUEST-942-APPLICATION-ATTACK-SQLI, REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION, REQUEST-944-APPLICATION-ATTACK-JAVA and UnknownBots.
- rule - (Optional) One or more rule blocks as defined below.
The rule block supports the following:
- id - (Required) The identifier of the managed rule, for example 920300.
- enabled - (Optional) Whether the managed rule is enabled. A disabled rule is skipped entirely, whereas an override to Log keeps it visible in the logs for tuning.
- action - (Optional) The override action applied when the rule matches. Possible values are Allow, AnomalyScoring, Block and Log.
Attributes Reference
The following attributes are exported:
- id - The ID of the Web Application Firewall Policy.
- httpListenerIds - A list of HTTP Listener IDs from an azurermApplicationGateway.
- pathBasedRuleIds - A list of URL Path Map Path Rule IDs from an azurermApplicationGateway.
Timeouts
The timeouts block allows you to specify timeouts for certain actions:
- create - (Defaults to 30 minutes) Used when creating the Web Application Firewall Policy.
- update - (Defaults to 30 minutes) Used when updating the Web Application Firewall Policy.
- read - (Defaults to 5 minutes) Used when retrieving the Web Application Firewall Policy.
- delete - (Defaults to 30 minutes) Used when deleting the Web Application Firewall Policy.
Import
Web Application Firewall Policy can be imported using the resource id, e.g.