Azure WAF Policies

Changelog | Notice | Apache V2 License | TF Registry

This Terraform module creates an Azure WAF policy with the OWASP 3.2 managed rule set enabled.

Global versioning rule for Claranet Azure modules

| Module version | Terraform version | AzureRM version |
|----------------|-------------------|-----------------|
| >= 7.x.x       | 1.3.x             | >= 3.0          |
| >= 6.x.x       | 1.x               | >= 3.0          |
| >= 5.x.x       | 0.15.x            | >= 2.0          |
| >= 4.x.x       | 0.13.x / 0.14.x   | >= 2.0          |
| >= 3.x.x       | 0.12.x            | >= 2.0          |
| >= 2.x.x       | 0.12.x            | < 2.0           |
| < 2.x.x        | 0.11.x            | < 2.0           |

Contributing

If you want to contribute to this repository, feel free to use our pre-commit git hook configuration, which automatically updates and formats some files for you by enforcing our Terraform module best practices.

More details are available in the CONTRIBUTING.md file.

Usage

This module is optimized to work with the Claranet terraform-wrapper tool, which sets some Terraform variables in the environment that this module needs. More details about the variables set by the terraform-wrapper are available in its documentation.

module "azure_region" {
  source  = "claranet/regions/azurerm"
  version = "x.x.x"

  azure_region = var.azure_region
}

module "rg" {
  source  = "claranet/rg/azurerm"
  version = "x.x.x"

  location    = module.azure_region.location
  client_name = var.client_name
  environment = var.environment
  stack       = var.stack
}

module "waf_policy" {
  source  = "claranet/waf-policy/azurerm"
  version = "x.x.x"

  client_name    = var.client_name
  environment    = var.environment
  location       = module.azure_region.location
  location_short = module.azure_region.location_short
  stack          = var.stack

  resource_group_name = module.rg.resource_group_name

  # "Detection" logs matches, including matches of custom rules whose action
  # is "Block", without blocking anything. Switch to "Prevention" once the
  # rules are tuned so that the Block action actually takes effect.
  policy_mode = "Detection"

  # OWASP Core Rule Set 3.2 with no rule group overrides.
  managed_rule_set_configuration = [
    {
      type    = "OWASP"
      version = "3.2"
    }
  ]

  # No exclusions: every request field is inspected by every managed rule.
  exclusion_configuration = []

  # Custom rules are evaluated before the managed rule set. The match
  # conditions of one rule are ANDed, so this rule blocks a request only
  # when the client address is NOT X.X.X.X AND the request URI contains
  # neither "Azure" nor "Cloud".
  custom_rules_configuration = [
    {
      name      = "DenyAll"
      priority  = 1
      rule_type = "MatchRule"
      action    = "Block"

      match_conditions_configuration = [
        {
          # negation_condition = true inverts the IPMatch: the condition
          # holds for every source address except the allow-listed one.
          match_variable_configuration = [
            {
              variable_name = "RemoteAddr"
              selector      = null
            }
          ]

          match_values = [
            "X.X.X.X"
          ]

          operator           = "IPMatch"
          negation_condition = true
          transforms         = null
        },
        {
          # Several match_values in one condition are ORed; with the
          # negation, the condition holds for URIs containing neither value.
          match_variable_configuration = [
            {
              variable_name = "RequestUri"
              selector      = null
            }
          ]

          match_values = [
            "Azure",
            "Cloud"
          ]

          operator           = "Contains"
          negation_condition = true
          transforms         = null
        }
      ]
    }
  ]
}

Providers

| Name     | Version            |
|----------|--------------------|
| azurecaf | ~> 1.2, >= 1.2.22  |
| azurerm  | ~> 3.80            |

Modules

No modules.

Resources

| Name                                                | Type        |
|-----------------------------------------------------|-------------|
| azurerm_web_application_firewall_policy.waf_policy  | resource    |
| azurecaf_name.wafp                                  | data source |

Inputs

Each input is listed with its description, type, default and whether it is required.

client_name (string, required)
  Client name/account used in naming.

custom_rules_configuration (list(object), default: [], optional)
  Custom rules configuration, a list of objects with the following attributes:
  - name: name of the rule, unique within the policy.
  - priority: priority of the rule. Rules with a lower value are evaluated before rules with a higher value.
  - rule_type: type of rule. Possible values are MatchRule and Invalid.
  - action: action taken when the rule matches. Possible values are Allow, Block and Log.
  - match_conditions_configuration: one or more match_conditions blocks, each with:
    - match_variable_configuration: one or more match_variables blocks, each with:
      - variable_name: name of the match variable. Possible values are RemoteAddr, RequestMethod, QueryString, PostArgs, RequestUri, RequestHeaders, RequestBody and RequestCookies.
      - selector: field of the match variable collection to inspect (for example a header, cookie or argument name); null inspects the whole variable.
    - match_values: list of values to match against.
    - operator: comparison operator. Possible values are IPMatch, GeoMatch, Equal, Contains, LessThan, GreaterThan, LessThanOrEqual, GreaterThanOrEqual, BeginsWith, EndsWith and Regex.
    - negation_condition: whether the condition is negated.
    - transforms: list of transformations applied before the match is attempted. Possible values are HtmlEntityDecode, Lowercase, RemoveNulls, Trim, UrlDecode and UrlEncode.
  Type:
    list(object({
      name                           = optional(string)
      priority                       = optional(number)
      rule_type                      = optional(string)
      action                         = optional(string)
      match_conditions_configuration = optional(list(object({
        match_variable_configuration = optional(list(object({
          variable_name = optional(string)
          selector      = optional(string, null)
        })))
        match_values       = optional(list(string))
        operator           = optional(string)
        negation_condition = optional(string, null)
        transforms         = optional(list(string), null)
      })))
    }))

default_tags_enabled (bool, default: true, optional)
  Option to enable or disable default tags.

environment (string, required)
  Project environment.

exclusion_configuration (list(object), default: [], optional)
  Exclusion rules configuration, a list of objects with the following attributes:
  - match_variable: name of the match variable. Accepted values are those of the azurerm provider's exclusion match_variable argument.
  - selector: field of the match variable collection to exclude.
  - selector_match_operator: operator used to match the selector. Possible values are Contains, EndsWith, Equals, EqualsAny and StartsWith.
  - excluded_rule_set: one or more excluded_rule_set blocks, each with:
    - type: the rule set type. The only possible value is OWASP. Defaults to OWASP.
    - version: the rule set version. The only possible value is 3.2. Defaults to 3.2.
    - rule_group: one or more rule_group blocks, each with:
      - rule_group_name: name of the rule group to exclude from. Accepted values are the OWASP rule group names supported by the azurerm provider.
      - excluded_rules: one or more rule IDs to exclude.
  Type:
    list(object({
      match_variable          = optional(string)
      selector                = optional(string)
      selector_match_operator = optional(string)
      excluded_rule_set = optional(list(object({
        type    = optional(string, "OWASP")
        version = optional(string, "3.2")
        rule_group = optional(list(object({
          rule_group_name = string
          excluded_rules  = optional(list(string), [])
        })), [])
      })), [])
    }))

extra_tags (map(string), default: {}, optional)
  Extra tags to add.

location (string, required)
  Azure location.

location_short (string, required)
  Short string for Azure location.

managed_rule_set_configuration (list(object), default: [], optional)
  Managed rule set configuration: the rule set type and version, plus optional rule_group_override_configuration blocks that enable or disable individual rules (by id) within a rule group, or change their action.
  Type:
    list(object({
      type    = optional(string, "OWASP")
      version = optional(string, "3.2")
      rule_group_override_configuration = optional(list(object({
        rule_group_name = optional(string, null)
        rule = optional(list(object({
          id      = string
          enabled = optional(bool)
          action  = optional(string)
        })), [])
      })))
    }))

name_prefix (string, default: "", optional)
  Optional prefix for the generated name.

name_suffix (string, default: "", optional)
  Optional suffix for the generated name.

policy_enabled (string, default: true, optional)
  Describes whether the policy is enabled or disabled. Defaults to true.

policy_file_limit (number, default: 100, optional)
  Size limit of uploaded files, in MB. Accepted values are in the range 1 to 4000. Defaults to 100.

policy_max_body_size (number, default: 128, optional)
  Maximum request body size, in KB. Accepted values are in the range 8 to 2000. Defaults to 128.

policy_mode (string, default: "Prevention", optional)
  Whether the policy runs in detection mode or prevention mode. Valid values are Detection and Prevention. Defaults to Prevention.

policy_request_body_check_enabled (string, default: true, optional)
  Whether request body inspection is enabled. Defaults to true.

resource_group_name (string, required)
  Resource Group name.

stack (string, required)
  Project stack name.

use_caf_naming (bool, default: true, optional)
  Use the Azure CAF naming provider to generate the default resource name. waf_policy_custom_name overrides this if set. The legacy default name is used if this is set to false.

waf_policy_custom_name (string, default: "", optional)
  Custom WAF policy name, generated if not set.
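The usage example earlier on this page leaves exclusion_configuration empty and passes no rule group overrides, so the three tuning inputs described above (custom rules with a selector, scoped exclusions, and managed rule overrides) are not exercised there. The following module call is an added example, not code from the module's README, that exercises all three in one policy. It reuses the region and resource group modules from the usage example; the 10.0.0.0/8 range, the session cookie name, the scanner user-agent strings, and the choice of OWASP CRS 3.2 rule IDs 920300 and 942100 with their rule group names REQUEST-920-PROTOCOL-ENFORCEMENT and REQUEST-942-APPLICATION-ATTACK-SQLI are illustrative assumptions.

```hcl
# Added example: a WAF policy that tunes the OWASP 3.2 rule set without
# switching off inspection wholesale. The address range, cookie name,
# user-agent strings and rule IDs below are assumptions for illustration.
module "waf_policy" {
  source  = "claranet/waf-policy/azurerm"
  version = "x.x.x"

  client_name    = var.client_name
  environment    = var.environment
  location       = module.azure_region.location
  location_short = module.azure_region.location_short
  stack          = var.stack

  resource_group_name = module.rg.resource_group_name

  # Prevention enforces Block actions; Detection would only log them.
  policy_mode = "Prevention"

  managed_rule_set_configuration = [
    {
      type    = "OWASP"
      version = "3.2"
      rule_group_override_configuration = [
        {
          # Override one rule instead of disabling its whole group: keep
          # 920300 (request missing an Accept header) in log-only mode
          # because the API clients behind this gateway never send one.
          rule_group_name = "REQUEST-920-PROTOCOL-ENFORCEMENT"
          rule = [
            {
              id      = "920300"
              enabled = true
              action  = "Log"
            }
          ]
        }
      ]
    }
  ]

  exclusion_configuration = [
    {
      # Scope the exclusion to one cookie value AND one rule ID, so every
      # other cookie, header and argument is still inspected by 942100 and
      # the session cookie is still inspected by every other rule.
      match_variable          = "RequestCookieValues"
      selector                = "session"
      selector_match_operator = "Equals"
      excluded_rule_set = [
        {
          type    = "OWASP"
          version = "3.2"
          rule_group = [
            {
              rule_group_name = "REQUEST-942-APPLICATION-ATTACK-SQLI"
              excluded_rules  = ["942100"]
            }
          ]
        }
      ]
    }
  ]

  custom_rules_configuration = [
    {
      # Lower priority values run first. The selector picks one header out
      # of the RequestHeaders collection; Lowercase is applied before the
      # Contains comparison so mixed-case user agents still match.
      name      = "BlockScannerUserAgents"
      priority  = 1
      rule_type = "MatchRule"
      action    = "Block"

      match_conditions_configuration = [
        {
          match_variable_configuration = [
            { variable_name = "RequestHeaders", selector = "User-Agent" }
          ]
          match_values       = ["sqlmap", "nikto"]
          operator           = "Contains"
          negation_condition = false
          transforms         = ["Lowercase"]
        }
      ]
    },
    {
      # Both conditions must hold (AND): the path starts with /admin and the
      # client address is NOT inside the internal range.
      name      = "BlockAdminFromOutside"
      priority  = 2
      rule_type = "MatchRule"
      action    = "Block"

      match_conditions_configuration = [
        {
          match_variable_configuration = [
            { variable_name = "RequestUri", selector = null }
          ]
          match_values       = ["/admin"]
          operator           = "BeginsWith"
          negation_condition = false
          transforms         = ["Lowercase"]
        },
        {
          match_variable_configuration = [
            { variable_name = "RemoteAddr", selector = null }
          ]
          match_values       = ["10.0.0.0/8"]
          operator           = "IPMatch"
          negation_condition = true
          transforms         = null
        }
      ]
    }
  ]
}
```

Two design choices matter for security here. The exclusion names both a selector and a rule ID: an exclusion without an excluded_rule_set removes that field from inspection by every rule in the rule set, which is a much larger gap than the one false positive being fixed. And neither custom rule uses the Allow action: in Azure WAF an Allow match stops evaluation for that request, including the managed rule set, so an Allow rule on a broad source range is a bypass of OWASP inspection, not a tuning step. Deploy in Detection mode first, review which rules fire in the WAF logs, then switch policy_mode to Prevention.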

Outputs

| Name                | Description                                                            |
|---------------------|------------------------------------------------------------------------|
| http_listener_ids   | A list of HTTP Listener IDs from an azurerm_application_gateway.       |
| path_based_rule_ids | A list of URL Path Map Path Rule IDs from an azurerm_application_gateway. |
| waf_policy_id       | WAF Policy ID                                                          |

Related documentation

Microsoft Azure documentation: docs.microsoft.com/en-us/azure/web-application-firewall/ag/policy-overview/
