Skip to content

Latest commit

 

History

History
183 lines (146 loc) · 11.6 KB

README.md

File metadata and controls

183 lines (146 loc) · 11.6 KB

Azure WAF Policies

Changelog Notice Apache V2 License OpenTofu Registry

This terraform module creates an Azure WAF policy with OWASP 3.2 enabled

Global versioning rule for Claranet Azure modules

Module version Terraform version OpenTofu version AzureRM version
>= 8.x.x Unverified 1.8.x >= 4.0
>= 7.x.x 1.3.x >= 3.0
>= 6.x.x 1.x >= 3.0
>= 5.x.x 0.15.x >= 2.0
>= 4.x.x 0.13.x / 0.14.x >= 2.0
>= 3.x.x 0.12.x >= 2.0
>= 2.x.x 0.12.x < 2.0
< 2.x.x 0.11.x < 2.0

Contributing

If you want to contribute to this repository, feel free to use our pre-commit git hook configuration which will help you automatically update and format some files for you by enforcing our Terraform code module best-practices.

More details are available in the CONTRIBUTING.md file.

Usage

This module is optimized to work with the Claranet terraform-wrapper tool which set some terraform variables in the environment needed by this module. More details about variables set by the terraform-wrapper available in the documentation.

⚠️ Since modules version v8.0.0, we do not maintain/check anymore the compatibility with Hashicorp Terraform. Instead, we recommend to use OpenTofu.

module "azure_region" {
  source  = "claranet/regions/azurerm"
  version = "x.x.x"

  azure_region = var.azure_region
}

module "rg" {
  source  = "claranet/rg/azurerm"
  version = "x.x.x"

  location    = module.azure_region.location
  client_name = var.client_name
  environment = var.environment
  stack       = var.stack
}

module "waf_policy" {
  source  = "claranet/waf-policy/azurerm"
  version = "x.x.x"

  client_name    = var.client_name
  environment    = var.environment
  location       = module.azure_region.location
  location_short = module.azure_region.location_short
  stack          = var.stack

  resource_group_name = module.rg.resource_group_name

  policy_mode = "Detection"

  managed_rule_set_configuration = [
    {
      type    = "OWASP"
      version = "3.2"
    }
  ]

  exclusion_configuration = [

  ]

  custom_rules_configuration = [
    {
      name      = "DenyAll"
      priority  = 1
      rule_type = "MatchRule"
      action    = "Block"

      match_conditions_configuration = [
        {
          match_variable_configuration = [
            {
              variable_name = "RemoteAddr"
              selector      = null
            }
          ]

          match_values = [
            "X.X.X.X"
          ]

          operator           = "IPMatch"
          negation_condition = true
          transforms         = null
        },
        {
          match_variable_configuration = [
            {
              variable_name = "RequestUri"
              selector      = null
            },
            {
              variable_name = "RequestUri"
              selector      = null
            }
          ]

          match_values = [
            "Azure",
            "Cloud"
          ]

          operator           = "Contains"
          negation_condition = true
          transforms         = null
        }
      ]
    }
  ]
}

Providers

Name Version
azurecaf ~> 1.2, >= 1.2.22
azurerm ~> 3.80

Modules

No modules.

Resources

Name Type
azurerm_web_application_firewall_policy.waf_policy resource
azurecaf_name.wafp data source

Inputs

Name Description Type Default Required
client_name Client name/account used in naming. string n/a yes
custom_rules_configuration Custom rules configuration object with following attributes:
- name:                           Gets name of the resource that is unique within a policy. This name can be used to access the resource.
- priority: Describes priority of the rule. Rules with a lower value will be evaluated before rules with a higher value.
- rule_type: Describes the type of rule. Possible values are MatchRule and Invalid.
- action: Type of action. Possible values are Allow, Block and Log.
- match_conditions_configuration: One or more match_conditions blocks as defined below.
- match_variable_configuration: One or more match_variables blocks as defined below.
- variable_name: The name of the Match Variable. Possible values are RemoteAddr, RequestMethod, QueryString, PostArgs, RequestUri, RequestHeaders, RequestBody and RequestCookies.
- selector: Describes field of the matchVariable collection
- match_values: A list of match values.
- operator: Describes operator to be matched. Possible values are IPMatch, GeoMatch, Equal, Contains, LessThan, GreaterThan, LessThanOrEqual, GreaterThanOrEqual, BeginsWith, EndsWith and Regex.
- negation_condition: Describes if this is negate condition or not
- transforms: A list of transformations to do before the match is attempted. Possible values are HtmlEntityDecode, Lowercase, RemoveNulls, Trim, UrlDecode and UrlEncode.
list(object({
name = optional(string)
priority = optional(number)
rule_type = optional(string)
action = optional(string)
match_conditions_configuration = optional(list(object({
match_variable_configuration = optional(list(object({
variable_name = optional(string)
selector = optional(string, null)
})))
match_values = optional(list(string))
operator = optional(string)
negation_condition = optional(string, null)
transforms = optional(list(string), null)
})))
}))
[] no
default_tags_enabled Option to enable or disable default tags. bool true no
environment Project environment. string n/a yes
exclusion_configuration Exclusion rules configuration object with following attributes:
- match_variable:          The name of the Match Variable. Accepted values can be found here.
- selector: Describes field of the matchVariable collection.
- selector_match_operator: Describes operator to be matched. Possible values: Contains, EndsWith, Equals, EqualsAny, StartsWith.
- excluded_rule_set: One or more excluded_rule_set block defined below.
- type: The rule set type. The only possible value is OWASP. Defaults to OWASP.
- version: The rule set version. The only possible value is 3.2. Defaults to 3.2.
- rule_group: One or more rule_group block defined below.
- rule_group_name: The name of rule group for exclusion. Accepted values can be found here.
- excluded_rules: One or more Rule IDs for exclusion.
list(object({
match_variable = optional(string)
selector = optional(string)
selector_match_operator = optional(string)
excluded_rule_set = optional(list(object({
type = optional(string, "OWASP")
version = optional(string, "3.2")
rule_group = optional(list(object({
rule_group_name = string
excluded_rules = optional(list(string), [])
})), [])
})), [])
}))
[] no
extra_tags Extra tags to add. map(string) {} no
location Azure location. string n/a yes
location_short Short string for Azure location. string n/a yes
managed_rule_set_configuration Managed rule set configuration.
list(object({
type = optional(string, "OWASP")
version = optional(string, "3.2")
rule_group_override_configuration = optional(list(object({
rule_group_name = optional(string, null)
rule = optional(list(object({
id = string
enabled = optional(bool)
action = optional(string)
})), [])
})))

}))
[] no
name_prefix Optional prefix for the generated name. string "" no
name_suffix Optional suffix for the generated name. string "" no
policy_enabled Describes if the policy is in enabled state or disabled state. Defaults to true. string true no
policy_file_limit Policy regarding the size limit of uploaded files. Value is in MB. Accepted values are in the range 1 to 4000. Defaults to 100. number 100 no
policy_max_body_size Policy regarding the maximum request body size. Value is in KB. Accepted values are in the range 8 to 2000. Defaults to 128. number 128 no
policy_mode Describes if it is in detection mode or prevention mode at the policy level. Valid values are Detection and Prevention. Defaults to Prevention. string "Prevention" no
policy_request_body_check_enabled Describes if the Request Body Inspection is enabled. Defaults to true. string true no
resource_group_name Resource Group Name. string n/a yes
stack Project stack name. string n/a yes
use_caf_naming Use the Azure CAF naming provider to generate default resource name. waf_policy_custom_name override this if set. Legacy default name is used if this is set to false. bool true no
waf_policy_custom_name Custom WAF Policy name, generated if not set. string "" no

Outputs

Name Description
http_listener_ids A list of HTTP Listener IDs from an azurerm_application_gateway.
path_based_rule_ids A list of URL Path Map Path Rule IDs from an azurerm_application_gateway.
waf_policy_id Waf Policy ID

Related documentation

Microsoft Azure documentation: docs.microsoft.com/en-us/azure/web-application-firewall/ag/policy-overview/