Manages an Azure Front Door (classic) Web Application Firewall Policy instance. On its own the policy inspects no traffic: it takes effect only once a Front Door frontend endpoint references it (on the `azurerm_frontdoor` resource that is the `web_application_firewall_policy_link_id` of a `frontend_endpoint` block), and the exported `frontend_endpoint_ids` attribute below lists the endpoints that do.
```hcl
resource "azurerm_resource_group" "example" {
  name     = "example-rg"
  location = "West Europe"
}

resource "azurerm_frontdoor_firewall_policy" "example" {
  name                = "examplefdwafpolicy"
  resource_group_name = azurerm_resource_group.example.name
  enabled             = true
  # "Detection" only logs matches; nothing is blocked until this is "Prevention".
  mode = "Prevention"
  # Only used by rules whose action is "Redirect" (none of the rules below).
  redirect_url = "https://www.contoso.com"

  # Returned when a custom rule with action = "Block" matches. The body is
  # base64; this value decodes to a minimal HTML page reading "Hello world".
  custom_block_response_status_code = 403
  custom_block_response_body        = "PGh0bWw+CjxoZWFkZXI+PHRpdGxlPkhlbGxvPC90aXRsZT48L2hlYWRlcj4KPGJvZHk+CkhlbGxvIHdvcmxkCjwvYm9keT4KPC9odG1sPg=="

  # Custom rules are evaluated in ascending priority order, before the managed rule sets.
  custom_rule {
    name     = "Rule1"
    enabled  = true
    priority = 1
    # rate_limit_* only apply when type = "RateLimitRule"; on a MatchRule they
    # are accepted by the provider but have no effect.
    rate_limit_duration_in_minutes = 1
    rate_limit_threshold           = 10
    type                           = "MatchRule"
    action                         = "Block"

    match_condition {
      match_variable     = "RemoteAddr"
      operator           = "IPMatch"
      negation_condition = false
      match_values       = ["192.168.1.0/24", "10.0.0.0/24"]
    }
  }

  custom_rule {
    name                           = "Rule2"
    enabled                        = true
    priority                       = 2
    rate_limit_duration_in_minutes = 1
    rate_limit_threshold           = 10
    type                           = "MatchRule"
    action                         = "Block"

    # Both match_condition blocks must hold for the rule to match.
    match_condition {
      match_variable     = "RemoteAddr"
      operator           = "IPMatch"
      negation_condition = false
      match_values       = ["192.168.1.0/24"]
    }

    match_condition {
      match_variable     = "RequestHeader"
      selector           = "UserAgent"
      operator           = "Contains"
      negation_condition = false
      match_values       = ["windows"]
      # Transforms are applied to the request value before it is compared.
      transforms = ["Lowercase", "Trim"]
    }
  }

  managed_rule {
    type    = "DefaultRuleSet"
    version = "1.0"

    # Rule-set level exclusion: this query parameter is skipped by every rule in the set.
    exclusion {
      match_variable = "QueryStringArgNames"
      operator       = "Equals"
      selector       = "not_suspicious"
    }

    override {
      rule_group_name = "PHP"

      # Explicitly disables managed rule 933100.
      rule {
        rule_id = "933100"
        enabled = false
        action  = "Block"
      }
    }

    override {
      rule_group_name = "SQLI"

      # Group-level exclusion: skipped by every rule in the SQLI group.
      exclusion {
        match_variable = "QueryStringArgNames"
        operator       = "Equals"
        selector       = "really_not_suspicious"
      }

      # `enabled` defaults to false in a rule block, so as written this override
      # disables 942200 despite action = "Block". Add `enabled = true` to keep
      # the rule active with the chosen action.
      rule {
        rule_id = "942200"
        action  = "Block"

        # Rule-level exclusion: skipped by 942200 only.
        exclusion {
          match_variable = "QueryStringArgNames"
          operator       = "Equals"
          selector       = "innocent"
        }
      }
    }
  }

  managed_rule {
    type    = "Microsoft_BotManagerRuleSet"
    version = "1.0"
  }
}
```
The following arguments are supported:

* `name` - (Required) The name of the policy. Changing this forces a new resource to be created.

* `resource_group_name` - (Required) The name of the resource group. Changing this forces a new resource to be created.

* `enabled` - (Optional) Whether the policy is enabled. Defaults to `true`.

* `mode` - (Optional) The firewall policy mode. Possible values are `Detection` and `Prevention`. Defaults to `Prevention`. In `Detection` mode matches are only logged; no request is blocked or redirected until the mode is `Prevention`.

* `redirect_url` - (Optional) The URL clients are redirected to when a rule with action `Redirect` matches. It has no effect unless some rule uses that action.

* `custom_rule` - (Optional) One or more `custom_rule` blocks as defined below.

* `custom_block_response_status_code` - (Optional) The HTTP status code returned when a `custom_rule` with action `Block` matches. Possible values are `200`, `403`, `405`, `406`, or `429`.

* `custom_block_response_body` - (Optional) The response body returned when a `custom_rule` with action `Block` matches. The body must be base64 encoded (the value in the example above encodes a minimal HTML page).

* `managed_rule` - (Optional) One or more `managed_rule` blocks as defined below.

* `tags` - (Optional) A mapping of tags to assign to the Web Application Firewall Policy.
The `custom_rule` block supports the following:

* `name` - (Required) The name of the rule, unique within the policy. This name is used to refer to the rule.

* `action` - (Required) The action to perform when the rule matches. Possible values are `Allow`, `Block`, `Log`, or `Redirect`.

* `enabled` - (Optional) Whether the rule is enabled. Defaults to `true`.

* `priority` - (Optional) The priority of the rule. Rules with a lower value are evaluated before rules with a higher value. Defaults to `1`.

* `type` - (Required) The type of rule. Possible values are `MatchRule` or `RateLimitRule`.

* `match_condition` - (Optional) One or more `match_condition` blocks as defined below. Up to `10` `match_condition` blocks are supported per rule, and the rule matches only when every one of them holds.

* `rate_limit_duration_in_minutes` - (Optional) The rate limit window in minutes. Only meaningful when `type` is `RateLimitRule`. Defaults to `1`.

* `rate_limit_threshold` - (Optional) The number of matching requests allowed within the window before the action is applied. Only meaningful when `type` is `RateLimitRule`. Defaults to `10`.
The `match_condition` block supports the following:

* `match_variable` - (Required) The request variable to compare with. Possible values are `Cookies`, `PostArgs`, `QueryString`, `RemoteAddr`, `RequestBody`, `RequestHeader`, `RequestMethod`, `RequestUri`, or `SocketAddr`.

* `match_values` - (Required) Up to `600` possible values to match; the condition holds if any one of them matches. The limit is the total across all `match_condition` blocks and `match_values` arguments. Each string value can be up to `256` characters long.

* `operator` - (Required) Comparison type to use for matching with the variable value. Possible values are `Any`, `BeginsWith`, `Contains`, `EndsWith`, `Equal`, `GeoMatch`, `GreaterThan`, `GreaterThanOrEqual`, `IPMatch`, `LessThan`, `LessThanOrEqual` or `RegEx`. Note the spelling `Equal` here, whereas the `exclusion` block's operator is `Equals`.

* `selector` - (Optional) Match against a specific key if the `match_variable` is `QueryString`, `PostArgs`, `RequestHeader` or `Cookies`.

* `negation_condition` - (Optional) Should the result of the condition be negated. Combined with `IPMatch` this turns a block list into an allow list: the rule applies to every address that is not in `match_values`.

* `transforms` - (Optional) Up to `5` transforms to apply to the request value before it is compared. Possible values are `Lowercase`, `RemoveNulls`, `Trim`, `Uppercase`, `URLDecode` or `URLEncode`.
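To see how priority, multiple `match_condition` blocks, `match_values`, `transforms`, `negation_condition`, the rule `type` and the policy `mode` interact, here is a small evaluator, added for this page and not code from the provider or from Azure, that applies the documented semantics to constructed requests. The request dict layout, the `User-Agent` selector spelling, the assumption that a `Log` rule records and keeps evaluating while any other action ends evaluation, and the per-client-address rate-limit counter are this example's own; `GeoMatch` and the numeric operators are left out.

```python
import ipaddress
import re
import urllib.parse
from collections import defaultdict

# Added illustration for this page, not provider or Azure code. Assumptions
# beyond the argument reference: Log records and keeps evaluating, any other
# action ends evaluation; rate limits count per client address within one
# window, and reset_window() starts the next. GeoMatch/numeric ops not modelled.

TRANSFORMS = {
    "Lowercase": str.lower, "Uppercase": str.upper, "Trim": str.strip,
    "URLDecode": urllib.parse.unquote, "URLEncode": urllib.parse.quote,
    "RemoveNulls": lambda s: s.replace("\x00", ""),
}
TEXT_OPS = {
    "Equal": lambda a, e: a == e, "Contains": lambda a, e: e in a,
    "BeginsWith": str.startswith, "EndsWith": str.endswith,
    "RegEx": lambda a, e: re.search(e, a) is not None,
}

def _request_values(request, cond):
    """Values a condition inspects. Keyed variables (Cookies, PostArgs, QueryString,
    RequestHeader) are dicts; a selector picks one key, otherwise every value is checked."""
    value = request.get(cond["match_variable"], "")
    if not isinstance(value, dict):
        return [value]
    lowered = {k.lower(): v for k, v in value.items()}   # header/cookie names are case-insensitive
    sel = cond.get("selector")
    return [lowered.get(sel.lower(), "")] if sel else list(lowered.values())

def _compare(op, actual, expected):
    if op == "Any":
        return actual != ""
    if op == "IPMatch":
        try:
            return ipaddress.ip_address(actual) in ipaddress.ip_network(expected, strict=False)
        except ValueError:            # missing or malformed address never matches
            return False
    return TEXT_OPS[op](actual, expected)

def condition_matches(request, cond):
    """Transforms first, then any match_value may hit, then negation_condition inverts."""
    hit = False
    for actual in _request_values(request, cond):
        for name in cond.get("transforms", []):
            actual = TRANSFORMS[name](actual)
        if any(_compare(cond["operator"], actual, e) for e in cond.get("match_values") or [""]):
            hit = True
            break
    return hit != bool(cond.get("negation_condition", False))

class CustomRuleEvaluator:
    def __init__(self, policy):
        self.mode = policy.get("mode", "Prevention")
        self.rules = sorted((r for r in policy["custom_rule"] if r.get("enabled", True)),
                            key=lambda r: r.get("priority", 1))
        self.counts = defaultdict(int)   # (rule name, client address) -> hits this window

    def reset_window(self):
        self.counts.clear()

    def evaluate(self, request):
        """Return (rule name or None, action the rule carries, action enforced).
        Detection mode logs the action but enforces nothing, so the last field is Allow."""
        for rule in self.rules:
            if not all(condition_matches(request, c) for c in rule.get("match_condition", [])):
                continue                      # every match_condition must hold
            if rule["type"] == "RateLimitRule":
                key = (rule["name"], request.get("RemoteAddr", ""))
                self.counts[key] += 1
                if self.counts[key] <= rule.get("rate_limit_threshold", 10):
                    continue                  # still within the threshold
            if rule["action"] == "Log":
                continue
            enforced = rule["action"] if self.mode == "Prevention" else "Allow"
            return rule["name"], rule["action"], enforced
        return None, "Allow", "Allow"

# Constructed sample with the shape of the page's example (rule bodies differ).
SAMPLE_POLICY = {"mode": "Prevention", "custom_rule": [
    {"name": "Rule1", "priority": 1, "type": "MatchRule", "action": "Block",
     "match_condition": [{"match_variable": "RemoteAddr", "operator": "IPMatch",
                          "match_values": ["10.0.0.0/24"]}]},
    {"name": "Rule2", "priority": 2, "type": "MatchRule", "action": "Block",
     "match_condition": [
         {"match_variable": "RemoteAddr", "operator": "IPMatch", "match_values": ["192.168.1.0/24"]},
         {"match_variable": "RequestHeader", "selector": "User-Agent", "operator": "Contains",
          "match_values": ["windows"], "transforms": ["Lowercase", "Trim"]}]},
    {"name": "LoginLimit", "priority": 3, "type": "RateLimitRule", "action": "Block",
     "rate_limit_duration_in_minutes": 1, "rate_limit_threshold": 2,
     "match_condition": [{"match_variable": "RequestUri", "operator": "BeginsWith",
                          "match_values": ["/login"]}]},
]}
```

Running `CustomRuleEvaluator(SAMPLE_POLICY).evaluate(...)` on a request from `192.168.1.5` with a padded, mixed-case Windows user agent lands on `Rule2` only because both conditions hold after `Lowercase` and `Trim`; the same address with `curl/8.0` falls through to `Allow`, and the third `/login` request from one address inside a window trips `LoginLimit`. Switching `mode` to `Detection` returns the same rule names with `Allow` as the enforced action, which is what a policy left in detection mode does in production.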
The `managed_rule` block supports the following:

* `type` - (Required) The name of the managed rule set to use with this resource (for example `DefaultRuleSet` or `Microsoft_BotManagerRuleSet`, as in the example above).

* `version` - (Required) The version of the managed rule set to use with this resource.

* `exclusion` - (Optional) One or more `exclusion` blocks as defined below. An exclusion at this level applies to every rule in the rule set, so keep it as narrow as the offending parameter allows.

* `override` - (Optional) One or more `override` blocks as defined below.
The `override` block supports the following:

* `rule_group_name` - (Required) The managed rule group to override.

* `exclusion` - (Optional) One or more `exclusion` blocks as defined below. An exclusion here applies to every rule in the group.

* `rule` - (Optional) One or more `rule` blocks as defined below. If none are specified, all of the rules in the group are disabled, so an `override` that sets only `rule_group_name` switches the whole group off.
The `rule` block supports the following:

* `rule_id` - (Required) Identifier for the managed rule.

* `action` - (Required) The action to be applied when the rule matches. Possible values are `Allow`, `Block`, `Log`, or `Redirect`.

* `enabled` - (Optional) Whether the managed rule is enabled. Defaults to `false`, so a `rule` block that only sets `action` disables the rule; set `enabled = true` to change the action while keeping the rule active.

* `exclusion` - (Optional) One or more `exclusion` blocks as defined below. An exclusion here applies only to this rule.
The `exclusion` block supports the following:

* `match_variable` - (Required) The variable type to be excluded. Possible values are `QueryStringArgNames`, `RequestBodyPostArgNames`, `RequestCookieNames`, `RequestHeaderNames`.

* `operator` - (Required) Comparison operator to apply to the `selector` when specifying which elements in the collection this exclusion applies to. Possible values are `Equals`, `Contains`, `StartsWith`, `EndsWith`, `EqualsAny`.

* `selector` - (Required) Selector for the value in the `match_variable` attribute this exclusion applies to. Every excluded parameter is a blind spot for the affected rules, so prefer `Equals` with the exact parameter name over `Contains`, `StartsWith` or `EqualsAny`.
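Several of the settings documented above fail silently when misused: a `rule` block without `enabled = true` disables the managed rule, an `override` with no `rule` blocks disables its whole group, `rate_limit_*` values on a `MatchRule` do nothing, `redirect_url` is inert without a `Redirect` action, and `Detection` mode blocks nothing. The lint below, added for this page and not provider code, checks a policy written as a Python dict with the same keys against those documented behaviours and reports base64 or status-code problems with the block response. The dict layout and the finding text are this example's own; the sample input is the page's own example transcribed by hand.

```python
import base64
import binascii

# Added lint for this page, not provider or Azure code. The checks follow the
# argument reference; the finding wording is this example's own.

ALLOWED_BLOCK_STATUS = {200, 403, 405, 406, 429}

def encode_block_body(html):
    """Produce a custom_block_response_body value from plain text."""
    return base64.b64encode(html.encode("utf-8")).decode("ascii")

def decode_block_body(encoded):
    """Decode a custom_block_response_body; None if it is not valid base64/UTF-8."""
    try:
        return base64.b64decode(encoded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None

def lint_policy(policy):
    """Return a list of findings (empty means nothing to flag)."""
    findings = []
    if policy.get("mode", "Prevention") == "Detection":
        findings.append("mode=Detection: matches are logged only, nothing is blocked")
    code = policy.get("custom_block_response_status_code")
    if code is not None and code not in ALLOWED_BLOCK_STATUS:
        findings.append(f"custom_block_response_status_code={code} is not an allowed value")
    body = policy.get("custom_block_response_body")
    if body is not None and decode_block_body(body) is None:
        findings.append("custom_block_response_body is not valid base64")

    actions = set()
    for rule in policy.get("custom_rule", []):
        actions.add(rule["action"])
        if rule["type"] == "MatchRule" and any(k.startswith("rate_limit_") for k in rule):
            findings.append(f"custom_rule {rule['name']}: rate_limit_* settings are ignored for type=MatchRule")

    for mr in policy.get("managed_rule", []):
        label = f"managed_rule {mr['type']}/{mr['version']}"
        for ex in mr.get("exclusion", []):     # set-wide exclusion: widest blind spot
            findings.append(f"{label}: exclusion {ex['match_variable']} {ex['operator']} "
                            f"'{ex['selector']}' applies to every rule in the set")
        for ov in mr.get("override", []):
            group = f"{label} override {ov['rule_group_name']}"
            if not ov.get("rule"):
                findings.append(f"{group}: no rule blocks, so every rule in the group is disabled")
            for r in ov.get("rule", []):
                actions.add(r["action"])
                if not r.get("enabled", False):   # enabled defaults to false
                    findings.append(f"{group}: rule {r['rule_id']} is disabled (enabled defaults to false)")

    if "Redirect" in actions and not policy.get("redirect_url"):
        findings.append("a rule uses action=Redirect but redirect_url is not set")
    if policy.get("redirect_url") and "Redirect" not in actions:
        findings.append("redirect_url is set but no rule uses action=Redirect")
    return findings

# Constructed sample: the HCL example on this page transcribed into a dict.
PAGE_BODY = ("PGh0bWw+CjxoZWFkZXI+PHRpdGxlPkhlbGxvPC90aXRsZT48L2hlYWRlcj4KPGJvZHk+"
             "CkhlbGxvIHdvcmxkCjwvYm9keT4KPC9odG1sPg==")
PAGE_POLICY = {
    "mode": "Prevention", "redirect_url": "https://www.contoso.com",
    "custom_block_response_status_code": 403, "custom_block_response_body": PAGE_BODY,
    "custom_rule": [
        {"name": "Rule1", "priority": 1, "type": "MatchRule", "action": "Block",
         "rate_limit_duration_in_minutes": 1, "rate_limit_threshold": 10,
         "match_condition": [{"match_variable": "RemoteAddr", "operator": "IPMatch",
                              "match_values": ["192.168.1.0/24", "10.0.0.0/24"]}]},
        {"name": "Rule2", "priority": 2, "type": "MatchRule", "action": "Block",
         "rate_limit_duration_in_minutes": 1, "rate_limit_threshold": 10,
         "match_condition": [
             {"match_variable": "RemoteAddr", "operator": "IPMatch", "match_values": ["192.168.1.0/24"]},
             {"match_variable": "RequestHeader", "selector": "UserAgent", "operator": "Contains",
              "match_values": ["windows"], "transforms": ["Lowercase", "Trim"]}]},
    ],
    "managed_rule": [
        {"type": "DefaultRuleSet", "version": "1.0",
         "exclusion": [{"match_variable": "QueryStringArgNames", "operator": "Equals", "selector": "not_suspicious"}],
         "override": [
             {"rule_group_name": "PHP", "rule": [{"rule_id": "933100", "enabled": False, "action": "Block"}]},
             {"rule_group_name": "SQLI",
              "exclusion": [{"match_variable": "QueryStringArgNames", "operator": "Equals", "selector": "really_not_suspicious"}],
              "rule": [{"rule_id": "942200", "action": "Block",
                        "exclusion": [{"match_variable": "QueryStringArgNames", "operator": "Equals", "selector": "innocent"}]}]},
         ]},
        {"type": "Microsoft_BotManagerRuleSet", "version": "1.0"},
    ],
}
```

`lint_policy(PAGE_POLICY)` produces six findings for the page's own example: the unused `redirect_url`, the inert `rate_limit_*` values on both match rules, the set-wide `not_suspicious` exclusion, the explicitly disabled 933100, and 942200 disabled by the default `enabled = false`, the last being the one most easily missed in review.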
In addition to the Arguments listed above, the following Attributes are exported:

* `id` - The ID of the Front Door Firewall Policy.

* `location` - The Azure Region where this Front Door Firewall Policy exists.

* `frontend_endpoint_ids` - The Frontend Endpoints associated with this Front Door Web Application Firewall policy. An empty list means the policy is not yet applied to any traffic.
The `timeouts` block allows you to specify timeouts for certain actions:

* `create` - (Defaults to 30 minutes) Used when creating the Front Door Web Application Firewall Policy.
* `update` - (Defaults to 30 minutes) Used when updating the Front Door Web Application Firewall Policy.
* `read` - (Defaults to 5 minutes) Used when retrieving the Front Door Web Application Firewall Policy.
* `delete` - (Defaults to 30 minutes) Used when deleting the Front Door Web Application Firewall Policy.

FrontDoor Web Application Firewall Policy can be imported using the `resource id`, e.g.

```shell
terraform import azurerm_frontdoor_firewall_policy.example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-rg/providers/Microsoft.Network/frontDoorWebApplicationFirewallPolicies/examplefdwafpolicy
```