subcategory | layout | page_title | description |
---|---|---|---|
Network | azurerm | Azure Resource Manager: azurerm_web_application_firewall_policy | Manages an Azure Web Application Firewall Policy instance. |

Manages an Azure Web Application Firewall Policy instance.
```hcl
resource "azurerm_resource_group" "example" {
  name     = "example-rg"
  location = "West US 2"
}

resource "azurerm_web_application_firewall_policy" "example" {
  name                = "example-wafpolicy"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location

  # Lower priority values are evaluated first.
  custom_rules {
    name      = "Rule1"
    priority  = 1
    rule_type = "MatchRule"

    match_conditions {
      match_variables {
        variable_name = "RemoteAddr"
      }

      operator           = "IPMatch"
      negation_condition = false
      match_values       = ["192.168.1.0/24", "10.0.0.0/24"]
    }

    action = "Block"
  }

  # Multiple match_conditions in one rule must all match for the action to fire.
  custom_rules {
    name      = "Rule2"
    priority  = 2
    rule_type = "MatchRule"

    match_conditions {
      match_variables {
        variable_name = "RemoteAddr"
      }

      operator           = "IPMatch"
      negation_condition = false
      match_values       = ["192.168.1.0/24"]
    }

    match_conditions {
      match_variables {
        variable_name = "RequestHeaders"
        selector      = "UserAgent"
      }

      operator           = "Contains"
      negation_condition = false
      match_values       = ["Windows"]
    }

    action = "Block"
  }

  policy_settings {
    enabled = true
    mode    = "Prevention"
  }

  managed_rules {
    # Exclusions keep the named header/cookie out of managed-rule inspection.
    exclusion {
      match_variable          = "RequestHeaderNames"
      selector                = "x-company-secret-header"
      selector_match_operator = "Equals"
    }
    exclusion {
      match_variable          = "RequestCookieNames"
      selector                = "too-tasty"
      selector_match_operator = "EndsWith"
    }

    managed_rules_set {
      type    = "OWASP"
      version = "3.1"

      rule_group_override {
        rule_group_name = "REQUEST-920-PROTOCOL-ENFORCEMENT"
        disabled_rules = [
          "920300",
          "920440"
        ]
      }
    }
  }
}
```
The following arguments are supported:

- `name` - (Required) The name of the policy. Changing this forces a new resource to be created.
- `resource_group_name` - (Required) The name of the resource group. Changing this forces a new resource to be created.
- `location` - (Optional) Resource location. Changing this forces a new resource to be created.
- `custom_rules` - (Optional) One or more `custom_rules` blocks as defined below.
- `policy_settings` - (Optional) A `policy_settings` block as defined below.
- `managed_rules` - (Optional) A `managed_rules` block as defined below.
- `tags` - (Optional) A mapping of tags to assign to the Web Application Firewall Policy.

The `custom_rules` block supports the following:

- `name` - (Optional) The name of the rule, which is unique within the policy. This name can be used to refer to the rule.
- `priority` - (Required) The priority of the rule. Rules with a lower value are evaluated before rules with a higher value.
- `rule_type` - (Required) The type of rule.
- `match_conditions` - (Required) One or more `match_conditions` blocks as defined below.
- `action` - (Required) The action to take when the rule matches.

The `match_conditions` block supports the following:

- `match_variables` - (Required) One or more `match_variables` blocks as defined below.
- `operator` - (Required) The operator used to compare the match variable against `match_values`.
- `negation_condition` - (Optional) Whether the condition is negated, i.e. the condition matches when the operator does not.
- `match_values` - (Required) A list of match values.

The `match_variables` block supports the following:

- `variable_name` - (Required) The name of the match variable.
- `selector` - (Optional) The field of the match variable collection to inspect (for example a specific header name).

The `policy_settings` block supports the following:

- `enabled` - (Optional) Whether the policy is enabled or disabled. Defaults to enabled (`true`).
- `mode` - (Optional) Whether the policy runs in `Detection` or `Prevention` mode. Defaults to `Prevention`.

The `managed_rules` block supports the following:

- `exclusion` - (Optional) One or more `exclusion` blocks as defined below.
- `managed_rules_set` - (Optional) One or more `managed_rules_set` blocks as defined below.

The `exclusion` block supports the following:

- `match_variable` - (Required) The name of the match variable. Possible values: `RequestArgNames`, `RequestCookieNames`, `RequestHeaderNames`.
- `selector` - (Optional) The field of the match variable collection to exclude from inspection.
- `selector_match_operator` - (Required) The operator used to match `selector`. Possible values: `Contains`, `EndsWith`, `Equals`, `EqualsAny`, `StartsWith`.

The `managed_rules_set` block supports the following:

- `type` - (Required) The rule set type.
- `version` - (Required) The rule set version.
- `rule_group_override` - (Optional) One or more `rule_group_override` blocks as defined below.

The `rule_group_override` block supports the following:

- `rule_group_name` - (Required) The name of the rule group.
- `disabled_rules` - (Optional) One or more rule IDs to disable within that rule group.
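The arguments above combine into an allow-list pattern that the page's own example does not show: a single custom rule with `negation_condition = true` blocks every client outside trusted ranges, and the policy is first deployed in `Detection` mode so that hits are only logged until the rule set has been validated. This is an added example, not from the provider documentation; the resource names, CIDR ranges and tags are constructed placeholders, and block and attribute names follow the argument reference on this page.

```hcl
# Added example: negated IP allow-list rolled out in Detection mode first.
# Names and address ranges are constructed placeholders (RFC 5737 test ranges).
resource "azurerm_resource_group" "waf" {
  name     = "waf-rollout-rg"
  location = "West US 2"
}

resource "azurerm_web_application_firewall_policy" "allowlist" {
  name                = "allowlist-wafpolicy"
  resource_group_name = azurerm_resource_group.waf.name
  location            = azurerm_resource_group.waf.location

  # Priority 1 runs before any other custom rule: a client whose RemoteAddr
  # is NOT in the trusted ranges matches (negation) and is blocked.
  custom_rules {
    name      = "BlockUntrustedSources"
    priority  = 1
    rule_type = "MatchRule"

    match_conditions {
      match_variables {
        variable_name = "RemoteAddr"
      }

      operator           = "IPMatch"
      negation_condition = true # match when the address is outside the list
      match_values       = ["203.0.113.0/24", "198.51.100.0/24"]
    }

    action = "Block"
  }

  # Detection mode logs what would have been blocked without enforcing it;
  # change to "Prevention" once the logged matches look correct.
  policy_settings {
    enabled = true
    mode    = "Detection"
  }

  # Managed OWASP rules stay enabled alongside the custom rule.
  managed_rules {
    managed_rules_set {
      type    = "OWASP"
      version = "3.1"
    }
  }

  tags = {
    rollout = "detection-phase"
  }
}
```

Because the rule's priority is lower than any other custom rule and it uses `action = "Block"`, no later rule is consulted for an untrusted source once the policy moves to `Prevention`.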
The following attributes are exported:

- `id` - The ID of the Web Application Firewall Policy.

The `timeouts` block allows you to specify timeouts for certain actions:

- `create` - (Defaults to 30 minutes) Used when creating the Web Application Firewall Policy.
- `update` - (Defaults to 30 minutes) Used when updating the Web Application Firewall Policy.
- `read` - (Defaults to 5 minutes) Used when retrieving the Web Application Firewall Policy.
- `delete` - (Defaults to 30 minutes) Used when deleting the Web Application Firewall Policy.

A Web Application Firewall Policy can be imported using its resource ID, e.g.

```shell
$ terraform import azurerm_web_application_firewall_policy.example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-rg/providers/Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/example-wafpolicy
```