| subcategory | layout | page_title | description |
|---|---|---|---|
Network |
azurerm |
Azure Resource Manager: azurerm_web_application_firewall_policy |
Manages a Azure Web Application Firewall Policy instance. |
Manages a Azure Web Application Firewall Policy instance.
resource "azurerm_resource_group" "example" {
name = "example-rg"
location = "West US 2"
}
resource "azurerm_web_application_firewall_policy" "example" {
name = "example-wafpolicy"
resource_group_name = azurerm_resource_group.example.name
location = azurerm_resource_group.example.location
custom_rules {
name = "Rule1"
priority = 1
rule_type = "MatchRule"
match_conditions {
match_variables {
variable_name = "RemoteAddr"
}
operator = "IPMatch"
negation_condition = false
match_values = ["192.168.1.0/24", "10.0.0.0/24"]
}
action = "Block"
}
custom_rules {
name = "Rule2"
priority = 2
rule_type = "MatchRule"
match_conditions {
match_variables {
variable_name = "RemoteAddr"
}
operator = "IPMatch"
negation_condition = false
match_values = ["192.168.1.0/24"]
}
match_conditions {
match_variables {
variable_name = "RequestHeaders"
selector = "UserAgent"
}
operator = "Contains"
negation_condition = false
match_values = ["Windows"]
}
action = "Block"
}
policy_settings {
enabled = true
mode = "Prevention"
}
managed_rules {
exclusion {
match_variable = "RequestHeaderNames"
selector = "x-company-secret-header"
selector_match_operator = "Equals"
}
exclusion {
match_variable = "RequestCookieNames"
selector = "too-tasty"
selector_match_operator = "EndsWith"
}
managed_rules_set {
rule_set_type = "OWASP"
rule_set_version = "3.1"
rule_group_override {
rule_group_name = "REQUEST-920-PROTOCOL-ENFORCEMENT"
disabled_rules = [
"920300",
"920440"
]
}
}
}
}The following arguments are supported:
-
name- (Required) The name of the policy. Changing this forces a new resource to be created. -
resource_group_name- (Required) The name of the resource group. Changing this forces a new resource to be created. -
location- (Optional) Resource location. Changing this forces a new resource to be created. -
custom_rules- (Optional) One or morecustom_rulesblocks as defined below. -
policy_settings- (Optional) Apolicy_settingsblock as defined below. -
managed_rules- (Optional) Amanaged_rulesblocks as defined below. -
tags- (Optional) A mapping of tags to assign to the Web Application Firewall Policy.
The custom_rules block supports the following:
-
name- (Optional) Gets name of the resource that is unique within a policy. This name can be used to access the resource. -
priority- (Required) Describes priority of the rule. Rules with a lower value will be evaluated before rules with a higher value. -
rule_type- (Required) Describes the type of rule. -
match_conditions- (Required) One or morematch_conditionsblocks as defined below. -
action- (Required) Type of action.
The match_conditions block supports the following:
-
match_variables- (Required) One or morematch_variablesblocks as defined below. -
operator- (Required) Describes operator to be matched. -
negation_condition- (Optional) Describes if this is negate condition or not -
match_values- (Required) A list of match values.
The match_variables block supports the following:
-
variable_name- (Required) The name of the Match Variable -
selector- (Optional) Describes field of the matchVariable collection
The policy_settings block supports the following:
-
enabled- (Optional) Describes if the policy is in enabled state or disabled state Defaults toEnabled. -
mode- (Optional) Describes if it is in detection mode or prevention mode at the policy level Defaults toPrevention.
The managed_rules block supports the following:
-
exclusion- (Optional) One or moreexclusionblock defined below. -
managed_rules_set- (Optional) One or moremanaged_rules_setblock defined below.
The exclusion block supports the following:
-
match_variables- (Required) The name of the Match Variable. Possible values:RequestArgNames,RequestCookieNames,RequestHeaderNames. -
selector- (Optional) Describes field of the matchVariable collection. -
selector_match_operator- (Required) Describes operator to be matched. Possible values:Contains,EndsWith,Equals,EqualsAny,StartsWith.
The managed_rules_set block supports the following:
-
type- (Required) The rule set type. -
version- (Required) The rule set version. -
rule_group_override- (Optional) One or morerule_group_overrideblock defined below.
The rule_group_override block supports the following:
-
rule_group_name- (Required) The name of the Rule Group -
disabled_rules- (Optional) One or more Rule ID's
The following attributes are exported:
id- The ID of the Web Application Firewall Policy.
The timeouts block allows you to specify timeouts for certain actions:
create- (Defaults to 30 minutes) Used when creating the Web Application Firewall Policy.update- (Defaults to 30 minutes) Used when updating the Web Application Firewall Policy.read- (Defaults to 5 minutes) Used when retrieving the Web Application Firewall Policy.delete- (Defaults to 30 minutes) Used when deleting the Web Application Firewall Policy.
Web Application Firewall Policy can be imported using the resource id, e.g.
$ terraform import azurerm_web_application_firewall_policy.example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-rg/providers/Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/example-wafpolicy