From 8947482c50cb5db11050a81db158ca282b2c7599 Mon Sep 17 00:00:00 2001
From: Ash Davies <3853061+DrizzlyOwl@users.noreply.github.com>
Date: Wed, 24 Jul 2024 13:26:21 +0100
Subject: [PATCH] Set custom CDN waf rules

* this will be used for specific cases where we want requests to bypass the rate limit policy
---
terraform/README.md | 1 +
terraform/container-apps-hosting.tf | 1 +
terraform/locals.tf | 1 +
terraform/variables.tf | 16 ++++++++++++++++
4 files changed, 19 insertions(+)

diff --git a/terraform/README.md b/terraform/README.md
index 02c8972a3..93f0850d9 100644
--- a/terraform/README.md
+++ b/terraform/README.md
@@ -165,6 +165,7 @@ No resources.
 | [cdn\_frontdoor\_origin\_host\_header\_override](#input\_cdn\_frontdoor\_origin\_host\_header\_override) | Manually specify the host header that the CDN sends to the target. Defaults to the recieved host header. Set to null to set it to the host\_name (`cdn_frontdoor_origin_fqdn_override`) | `string` | `""` | no |
 | [cdn\_frontdoor\_rate\_limiting\_duration\_in\_minutes](#input\_cdn\_frontdoor\_rate\_limiting\_duration\_in\_minutes) | CDN Front Door rate limiting duration in minutes | `number` | `5` | no |
 | [cdn\_frontdoor\_rate\_limiting\_threshold](#input\_cdn\_frontdoor\_rate\_limiting\_threshold) | Maximum number of concurrent requests before rate limiting is applied | `number` | n/a | yes |
+| [cdn\_frontdoor\_waf\_custom\_rules](#input\_cdn\_frontdoor\_waf\_custom\_rules) | Map of all Custom rules you want to apply to the CDN WAF |
map(object({| `{}` | no |
 | [container\_apps\_allow\_ips\_inbound](#input\_container\_apps\_allow\_ips\_inbound) | Restricts access to the Container Apps by creating a network security group rule that only allow inbound traffic from the provided list of IPs | `list(string)` | `[]` | no |
 | [container\_command](#input\_container\_command) | Container command | `list(any)` | n/a | yes |
 | [container\_health\_probe\_path](#input\_container\_health\_probe\_path) | Specifies the path that is used to determine the liveness of the Container | `string` | n/a | yes |
diff --git a/terraform/container-apps-hosting.tf b/terraform/container-apps-hosting.tf
index 650006e51..cc0a85d1f 100644
--- a/terraform/container-apps-hosting.tf
+++ b/terraform/container-apps-hosting.tf
@@ -36,6 +36,7 @@ module "azure_container_apps_hosting" {
 cdn_frontdoor_origin_fqdn_override = local.cdn_frontdoor_origin_fqdn_override
 cdn_frontdoor_health_probe_protocol = local.cdn_frontdoor_health_probe_protocol
 cdn_frontdoor_enable_rate_limiting = local.cdn_frontdoor_enable_rate_limiting
+ cdn_frontdoor_waf_custom_rules = local.cdn_frontdoor_waf_custom_rules
 cdn_frontdoor_rate_limiting_threshold = local.cdn_frontdoor_rate_limiting_threshold
 cdn_frontdoor_rate_limiting_duration_in_minutes = local.cdn_frontdoor_rate_limiting_duration_in_minutes
 cdn_frontdoor_host_add_response_headers = local.cdn_frontdoor_host_add_response_headers
diff --git a/terraform/locals.tf b/terraform/locals.tf
index a0770f2e9..437f54a9d 100644
--- a/terraform/locals.tf
+++ b/terraform/locals.tf
@@ -28,6 +28,7 @@ locals {
 cdn_frontdoor_origin_host_header_override = var.cdn_frontdoor_origin_host_header_override
 cdn_frontdoor_forwarding_protocol = var.cdn_frontdoor_forwarding_protocol
 cdn_frontdoor_enable_rate_limiting = var.cdn_frontdoor_enable_rate_limiting
+ cdn_frontdoor_waf_custom_rules = var.cdn_frontdoor_waf_custom_rules
 cdn_frontdoor_rate_limiting_threshold = var.cdn_frontdoor_rate_limiting_threshold
 cdn_frontdoor_rate_limiting_duration_in_minutes = var.cdn_frontdoor_rate_limiting_duration_in_minutes
 cdn_frontdoor_host_add_response_headers = var.cdn_frontdoor_host_add_response_headers
diff --git a/terraform/variables.tf b/terraform/variables.tf
index 9be43e97b..7ba1ebfa0 100644
--- a/terraform/variables.tf
+++ b/terraform/variables.tf
@@ -149,6 +149,22 @@ variable "cdn_frontdoor_rate_limiting_duration_in_minutes" {
 default = 5
 }
 
+variable "cdn_frontdoor_waf_custom_rules" {
+ description = "Map of all Custom rules you want to apply to the CDN WAF"
+ type = map(object({
+ priority : number,
+ action : string
+ match_conditions : map(object({
+ match_variable : string,
+ match_values : optional(list(string), []),
+ operator : optional(string, "Any"),
+ selector : optional(string, null),
+ negation_condition : optional(bool, false),
+ }))
+ }))
+ default = {}
+}
+
 variable "cdn_frontdoor_host_add_response_headers" {
 description = "List of response headers to add at the CDN Front Door `[{ \"Name\" = \"Strict-Transport-Security\", \"value\" = \"max-age=31536000\" }]`"
 type = list(map(string))
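Review bot: In the new `cdn_frontdoor_waf_custom_rules` object type (variables.tf hunk), `action` is an unconstrained `string` and the only guard against a misspelt or over-broad rule is the apply step, which matters here because the commit body says these rules exist to let selected requests bypass the rate-limit policy and `operator` defaults to `"Any"`, so an `Allow` rule with a loose match could exempt far more traffic than intended. A `validation` block on the variable can reject `action` values the Front Door WAF does not accept and duplicate `priority` values (which I believe the service requires to be unique within a policy; confirm against the consuming `azure_container_apps_hosting` module), turning these into plan-time errors. The description should also carry the bypass intent that currently lives only in the commit body, e.g. `description = "Map of custom WAF rules applied to the CDN Front Door policy. Allow rules can exempt matching requests from rate limiting depending on their priority relative to the rate-limit rule, so keep match conditions narrow and review changes to this map."`. Minor style: `action : string` lacks the trailing comma its sibling attributes use, and `optional(string, null)` on `selector` is equivalent to `optional(string)`.
```hcl
variable "cdn_frontdoor_waf_custom_rules" {
  # … unchanged: description, type, default …

  validation {
    condition     = alltrue([for rule in var.cdn_frontdoor_waf_custom_rules : contains(["Allow", "Block", "Log", "Redirect"], rule.action)])
    error_message = "Each custom WAF rule action must be one of Allow, Block, Log or Redirect."
  }

  validation {
    condition     = length(distinct([for rule in var.cdn_frontdoor_waf_custom_rules : rule.priority])) == length(var.cdn_frontdoor_waf_custom_rules)
    error_message = "Custom WAF rule priorities must be unique within the policy."
  }
}
```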
priority : number,
action : string
match_conditions : map(object({
match_variable : string,
match_values : optional(list(string), []),
operator : optional(string, "Any"),
selector : optional(string, null),
negation_condition : optional(bool, false),
}))
}))