
azurermWebApplicationFirewallPolicy

Manages an Azure Web Application Firewall Policy instance.

Example Usage

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as azurerm from "./.gen/providers/azurerm";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: azurerm.
For a more precise conversion please use the --provider flag in convert.*/
/*This snippet belongs inside a TerraformStack constructor, where `this` is the stack.
Property names use the camelCase form the generated bindings expect (see Argument Reference below).*/
const azurermResourceGroupExample = new azurerm.resourceGroup.ResourceGroup(
  this,
  "example",
  {
    location: "West Europe",
    name: "example-rg",
  }
);
const azurermWebApplicationFirewallPolicyExample =
  new azurerm.webApplicationFirewallPolicy.WebApplicationFirewallPolicy(
    this,
    "example_1",
    {
      customRules: [
        {
          action: "Block",
          matchConditions: [
            {
              matchValues: ["192.168.1.0/24", "10.0.0.0/24"],
              matchVariables: [
                {
                  variableName: "RemoteAddr",
                },
              ],
              negationCondition: false,
              operator: "IPMatch",
            },
          ],
          name: "Rule1",
          priority: 1,
          ruleType: "MatchRule",
        },
        {
          action: "Block",
          matchConditions: [
            {
              matchValues: ["192.168.1.0/24"],
              matchVariables: [
                {
                  variableName: "RemoteAddr",
                },
              ],
              negationCondition: false,
              operator: "IPMatch",
            },
            {
              matchValues: ["Windows"],
              matchVariables: [
                {
                  selector: "UserAgent",
                  variableName: "RequestHeaders",
                },
              ],
              negationCondition: false,
              operator: "Contains",
            },
          ],
          name: "Rule2",
          priority: 2,
          ruleType: "MatchRule",
        },
      ],
      location: azurermResourceGroupExample.location,
      managedRules: [
        {
          exclusion: [
            {
              matchVariable: "RequestHeaderNames",
              selector: "x-company-secret-header",
              selectorMatchOperator: "Equals",
            },
            {
              matchVariable: "RequestCookieNames",
              selector: "too-tasty",
              selectorMatchOperator: "EndsWith",
            },
          ],
          managedRuleSet: [
            {
              ruleGroupOverride: [
                {
                  rule: [
                    {
                      action: "Log",
                      enabled: true,
                      id: "920300",
                    },
                    {
                      action: "Block",
                      enabled: true,
                      id: "920440",
                    },
                  ],
                  ruleGroupName: "REQUEST-920-PROTOCOL-ENFORCEMENT",
                },
              ],
              type: "OWASP",
              version: "3.2",
            },
          ],
        },
      ],
      name: "example-wafpolicy",
      policySettings: [
        {
          enabled: true,
          fileUploadLimitInMb: 100,
          maxRequestBodySizeInKb: 128,
          mode: "Prevention",
          requestBodyCheck: true,
        },
      ],
      resourceGroupName: azurermResourceGroupExample.name,
    }
  );
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermWebApplicationFirewallPolicyExample.overrideLogicalId("example");

Argument Reference

The following arguments are supported:

  • name - (Required) The name of the policy. Changing this forces a new resource to be created.

  • resourceGroupName - (Required) The name of the resource group. Changing this forces a new resource to be created.

  • location - (Required) Resource location. Changing this forces a new resource to be created.

  • customRules - (Optional) One or more customRules blocks as defined below.

  • policySettings - (Optional) A policySettings block as defined below.

  • managedRules - (Required) A managedRules block as defined below.

  • tags - (Optional) A mapping of tags to assign to the Web Application Firewall Policy.


The customRules block supports the following:

  • name - (Optional) The name of the rule, which must be unique within the policy. This name can be used to access the resource.

  • priority - (Required) The priority of the rule. Rules with a lower value are evaluated before rules with a higher value.

  • ruleType - (Required) The type of rule. Possible values are matchRule and invalid.

  • matchConditions - (Required) One or more matchConditions blocks as defined below.

  • action - (Required) Type of action. Possible values are allow, block and log.


The matchConditions block supports the following:

  • matchVariables - (Required) One or more matchVariables blocks as defined below.

  • matchValues - (Required) A list of match values.

  • operator - (Required) The operator to apply when matching. Possible values are any, ipMatch, geoMatch, equal, contains, lessThan, greaterThan, lessThanOrEqual, greaterThanOrEqual, beginsWith, endsWith and regex.

  • negationCondition - (Optional) Whether the condition is negated.

  • transforms - (Optional) A list of transformations to apply before the match is attempted. Possible values are htmlEntityDecode, lowercase, removeNulls, trim, urlDecode and urlEncode.


The matchVariables block supports the following:

  • variableName - (Required) The name of the Match Variable. Possible values are remoteAddr, requestMethod, queryString, postArgs, requestUri, requestHeaders, requestBody and requestCookies.

  • selector - (Optional) The field of the matchVariable collection to inspect (for example a specific header name when variableName is requestHeaders).


The policySettings block supports the following:

  • enabled - (Optional) Whether the policy is enabled. Defaults to true.

  • mode - (Optional) Whether the policy runs in detection mode or prevention mode. Valid values are detection and prevention. Defaults to prevention.

  • fileUploadLimitInMb - (Optional) The File Upload Limit in MB. Accepted values are in the range 1 to 4000. Defaults to 100.

  • requestBodyCheck - (Optional) Is Request Body Inspection enabled? Defaults to true.

  • maxRequestBodySizeInKb - (Optional) The Maximum Request Body Size in KB. Accepted values are in the range 8 to 2000. Defaults to 128.


The managedRules block supports the following:

  • exclusion - (Optional) One or more exclusion blocks as defined below.

  • managedRuleSet - (Required) One or more managedRuleSet blocks as defined below.


The exclusion block supports the following:

  • matchVariable - (Required) The name of the Match Variable. Possible values: requestArgKeys, requestArgNames, requestArgValues, requestCookieKeys, requestCookieNames, requestCookieValues, requestHeaderKeys, requestHeaderNames, requestHeaderValues.

  • selector - (Required) The field of the matchVariable collection to exclude.

  • selectorMatchOperator - (Required) The operator used to match the selector. Possible values: contains, endsWith, equals, equalsAny, startsWith.

  • excludedRuleSet - (Optional) One or more excludedRuleSet blocks as defined below.


The excludedRuleSet block supports the following:

  • type - (Optional) The rule set type. The only possible value is owasp. Defaults to owasp.

  • version - (Optional) The rule set version. The only possible value is 32. Defaults to 32.

  • ruleGroup - (Optional) One or more ruleGroup blocks as defined below.


The ruleGroup block supports the following:

  • ruleGroupName - (Required) The name of rule group for exclusion. Possible values are badBots, crs20ProtocolViolations, crs21ProtocolAnomalies, crs23RequestLimits, crs30HttpPolicy, crs35BadRobots, crs40GenericAttacks, crs41SqlInjectionAttacks, crs41XssAttacks, crs42TightSecurity, crs45Trojans, general, goodBots, knownCvEs, request911MethodEnforcement, request913ScannerDetection, request920ProtocolEnforcement, request921ProtocolAttack, request930ApplicationAttackLfi, request931ApplicationAttackRfi, request932ApplicationAttackRce, request933ApplicationAttackPhp, request941ApplicationAttackXss, request942ApplicationAttackSqli, request943ApplicationAttackSessionFixation, request944ApplicationAttackJava and unknownBots.

  • excludedRules - (Optional) A list of rule IDs to exclude.


The managedRuleSet block supports the following:

  • type - (Optional) The rule set type. Possible values: microsoftBotManagerRuleSet and owasp.

  • version - (Required) The rule set version. Possible values: 01, 10, 229, 30, 31 and 32.

  • ruleGroupOverride - (Optional) One or more ruleGroupOverride blocks as defined below.


The ruleGroupOverride block supports the following:

  • ruleGroupName - (Required) The name of the Rule Group. Possible values are badBots, crs20ProtocolViolations, crs21ProtocolAnomalies, crs23RequestLimits, crs30HttpPolicy, crs35BadRobots, crs40GenericAttacks, crs41SqlInjectionAttacks, crs41XssAttacks, crs42TightSecurity, crs45Trojans, general, goodBots, knownCvEs, request911MethodEnforcement, request913ScannerDetection, request920ProtocolEnforcement, request921ProtocolAttack, request930ApplicationAttackLfi, request931ApplicationAttackRfi, request932ApplicationAttackRce, request933ApplicationAttackPhp, request941ApplicationAttackXss, request942ApplicationAttackSqli, request943ApplicationAttackSessionFixation, request944ApplicationAttackJava and unknownBots.

  • rule - (Optional) One or more rule blocks as defined below.


The rule block supports the following:

  • id - (Required) Identifier for the managed rule.

  • enabled - (Optional) Whether the managed rule is enabled.

  • action - (Optional) The override action applied when the rule matches. Possible values are allow, anomalyScoring, block and log.
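The argument constraints above (policySettings ranges, customRules priority ordering, exclusion operators) can be checked before synth. The following TypeScript is an added example, not part of the provider or its docs; the lintWafPolicy function, its types and the sample policy are constructed here, and the non-range checks are reviewer heuristics rather than provider validation.

```typescript
// Added example, not from the provider docs: a lint pass over the policy
// arguments documented above. Shape mirrors the camelCase arguments; the
// range checks use the documented limits, the rest are reviewer heuristics.
type PolicySettings = { enabled?: boolean; mode?: string; fileUploadLimitInMb?: number;
  requestBodyCheck?: boolean; maxRequestBodySizeInKb?: number };
type Exclusion = { matchVariable: string; selector: string; selectorMatchOperator: string };
type CustomRule = { name: string; priority: number; action: string };
type WafPolicy = { policySettings?: PolicySettings[]; customRules?: CustomRule[];
  managedRules: { exclusion?: Exclusion[] }[] };

function lintWafPolicy(p: WafPolicy): string[] {
  const out: string[] = [];
  const s: PolicySettings = (p.policySettings && p.policySettings[0]) || {};
  // A disabled policy or Detection mode never blocks anything.
  if (s.enabled === false) out.push("policy disabled: no rules are enforced");
  if (s.mode === "Detection") out.push("Detection mode: matches are logged, not blocked");
  // Body-based managed rules cannot fire with request body inspection off.
  if (s.requestBodyCheck === false) out.push("requestBodyCheck off: body rules are blind");
  const mb = s.fileUploadLimitInMb, kb = s.maxRequestBodySizeInKb;
  if (mb !== undefined && (mb < 1 || mb > 4000)) out.push("fileUploadLimitInMb outside 1-4000");
  if (kb !== undefined && (kb < 8 || kb > 2000)) out.push("maxRequestBodySizeInKb outside 8-2000");
  // Priority decides evaluation order, so a repeated value is ambiguous.
  const seen: number[] = [];
  for (const r of p.customRules || []) {
    if (seen.indexOf(r.priority) >= 0) out.push(`duplicate custom rule priority ${r.priority}`);
    seen.push(r.priority);
    if (["Allow", "Block", "Log"].indexOf(r.action) < 0) out.push(`rule ${r.name}: unknown action ${r.action}`);
  }
  // A non-exact exclusion operator silences managed rules for every
  // header/cookie/arg whose name matches the pattern; confirm the intent.
  for (const m of p.managedRules) for (const e of m.exclusion || []) {
    if (e.selectorMatchOperator !== "Equals")
      out.push(`exclusion ${e.matchVariable} ${e.selectorMatchOperator} "${e.selector}" is wider than exact match`);
  }
  return out;
}

// Constructed input mirroring the Example Usage policy above.
const examplePolicy: WafPolicy = {
  policySettings: [{ enabled: true, mode: "Prevention", fileUploadLimitInMb: 100,
    maxRequestBodySizeInKb: 128, requestBodyCheck: true }],
  customRules: [{ name: "Rule1", priority: 1, action: "Block" },
    { name: "Rule2", priority: 2, action: "Block" }],
  managedRules: [{ exclusion: [
    { matchVariable: "RequestHeaderNames", selector: "x-company-secret-header", selectorMatchOperator: "Equals" },
    { matchVariable: "RequestCookieNames", selector: "too-tasty", selectorMatchOperator: "EndsWith" }] }],
};
console.log(lintWafPolicy(examplePolicy));
```

On the page's example this reports only the EndsWith cookie exclusion; the same function applied to a Detection-mode policy with body inspection off lists each weakening setting separately.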

Attributes Reference

The following attributes are exported:

  • id - The ID of the Web Application Firewall Policy.

  • httpListenerIds - A list of HTTP Listener IDs from an azurermApplicationGateway.

  • pathBasedRuleIds - A list of URL Path Map Path Rule IDs from an azurermApplicationGateway.

Timeouts

The timeouts block allows you to specify timeouts for certain actions:

  • create - (Defaults to 30 minutes) Used when creating the Web Application Firewall Policy.
  • update - (Defaults to 30 minutes) Used when updating the Web Application Firewall Policy.
  • read - (Defaults to 5 minutes) Used when retrieving the Web Application Firewall Policy.
  • delete - (Defaults to 30 minutes) Used when deleting the Web Application Firewall Policy.

Import

Web Application Firewall Policy can be imported using the resourceId, e.g.

terraform import azurerm_web_application_firewall_policy.example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-rg/providers/Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/example-wafpolicy