Saikumar


Azure waf custom terraform configuration is throwing error for match_variables

I'm adding a WAF configuration to block requests whenever "--BEGIN PUBLIC KEY---" matches, but Terraform is throwing an error about some required options:

  name                = "example-wafpolicy"
  resource_group_name = azurerm_resource_group.rg.name
  location            = "Global"

  custom_rules {
    name     = "MatchPublicKey"
    priority = 1
    rule_type = "MatchRule"
    action   = "Block"

    match_conditions {
      match_variable = "RequestBody"
      operator       = "RegexMatch"
      match_values   = ["--BEGIN PUBLIC KEY---"]
    }
  }

  managed_rules {
    managed_rule_set {
      version = "1.1"
    }
  }
}```

Too few blocks specified for "match_variables": At least 1 block(s) are expected for "match_variables" (Terraform)
Unexpected attribute: An attribute named "match_variable" is not expected here (Terraform)



Answers (2)

Vinay B


Azure WAF custom policy configuration is throwing an error for match_variables using Terraform

As per the latest Terraform registry docs, for the resource you are using the `match_variables` block goes inside `match_conditions`, and it takes a `variable_name` attribute instead of `match_variable`. Note that the Front Door resource in the demo below uses a different schema: a flat `match_condition` block with `match_variable` set directly.

Demo configuration:

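# Front Door (CDN profile) WAF policy. The custom_rule schema here is flat:
# each match_condition carries match_variable / operator / match_values
# directly; there is no nested match_variables block in this resource.
resource "azurerm_cdn_frontdoor_firewall_policy" "example" {
  name                              = "vinaycdnfdwafpolicy"
  resource_group_name               = azurerm_resource_group.example.name
  sku_name                          = azurerm_cdn_frontdoor_profile.example.sku_name
  enabled                           = true
  # "Prevention" enforces each rule's action; "Detection" would only log matches.
  mode                              = "Prevention"
  redirect_url                      = "https://www.contoso.com"
  # Response sent for Block actions. The body is base64-encoded HTML
  # (a small "Hello world" page in this demo).
  custom_block_response_status_code = 403
  custom_block_response_body        = "PGh0bWw+CjxoZWFkZXI+PHRpdGxlPkhlbGxvPC90aXRsZT48L2hlYWRlcj4KPGJvZHk+CkhlbGxvIHdvcmxkCjwvYm9keT4KPC9odG1sPg=="

  # Lower priority numbers are evaluated first; each custom_rule needs a
  # unique priority.
  custom_rule {
    name                           = "Rule1"
    enabled                        = true
    priority                       = 1
    # Rate-limit settings are meaningful for type = "RateLimitRule"; with
    # "MatchRule" they are not expected to affect matching. Kept from the
    # registry example — confirm against the provider docs before relying on them.
    rate_limit_duration_in_minutes = 1
    rate_limit_threshold           = 10
    type                           = "MatchRule"
    action                         = "Block"

    match_condition {
      match_variable     = "RemoteAddr"
      operator           = "IPMatch"
      negation_condition = false
      match_values       = ["10.0.1.0/24", "10.0.0.0/24"]
    }
  }

  custom_rule {
    name                           = "Rule2"
    enabled                        = true
    priority                       = 2
    rate_limit_duration_in_minutes = 1
    rate_limit_threshold           = 10
    type                           = "MatchRule"
    action                         = "Block"

    # Several match_condition blocks in one rule must all match (logical AND):
    # this rule blocks only when the source IP is in the range AND the
    # User-Agent header contains "windows".
    match_condition {
      match_variable     = "RemoteAddr"
      operator           = "IPMatch"
      negation_condition = false
      match_values       = ["192.168.1.0/24"]
    }

    match_condition {
      match_variable     = "RequestHeader"
      selector           = "UserAgent"
      operator           = "Contains"
      negation_condition = false
      match_values       = ["windows"]
      # Transforms are applied to the request value before comparison, so the
      # "windows" match is case-insensitive and ignores surrounding whitespace.
      transforms         = ["Lowercase", "Trim"]
    }
  }

  # The scenario from the question: block requests whose body contains the
  # marker string. RegexMatch treats the value as a regular expression; the
  # hyphens are literal, so no escaping is needed. The WAF inspects only the
  # leading portion of a request body — check the current size limit in the
  # Azure Front Door WAF docs if large bodies must be covered.
  custom_rule {
    name     = "MatchPublicKey"
    enabled  = true
    priority = 3
    type     = "MatchRule"
    action   = "Block"

    match_condition {
      match_variable     = "RequestBody"
      operator           = "RegexMatch"
      negation_condition = false
      match_values       = ["--BEGIN PUBLIC KEY---"]
    }
  }

  managed_rule {
    type    = "DefaultRuleSet"
    version = "1.0"
    action  = "Block"

    # A policy-level exclusion removes the named query-string parameter from
    # inspection by every rule in this rule set. Keep exclusions as narrow as
    # possible; the rule-level exclusion further down is the tightest scope.
    exclusion {
      match_variable = "QueryStringArgNames"
      operator       = "Equals"
      selector       = "not_suspicious"
    }

    override {
      rule_group_name = "PHP"

      # Disables this single PHP rule; the rest of the group stays active.
      rule {
        rule_id = "933100"
        enabled = false
        action  = "Block"
      }
    }

    override {
      rule_group_name = "SQLI"

      # Group-level exclusion: applies to every rule in the SQLI group.
      exclusion {
        match_variable = "QueryStringArgNames"
        operator       = "Equals"
        selector       = "really_not_suspicious"
      }

      rule {
        rule_id = "942200"
        action  = "Block"

        # Rule-level exclusion: applies to rule 942200 only.
        exclusion {
          match_variable = "QueryStringArgNames"
          operator       = "Equals"
          selector       = "innocent"
        }
      }
    }
  }

  # Bot protection in log-only mode: matches are recorded but not blocked.
  managed_rule {
    type    = "Microsoft_BotManagerRuleSet"
    version = "1.0"
    action  = "Log"
  }
}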

Deployment:



Refer:

https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/cdn_frontdoor_firewall_policy


Saikumar


https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/cdn_frontdoor_firewall_policy

You need to follow this doc for the solution.

`resource "azurerm_cdn_frontdoor_firewall_policy" "example"` is the correct resource to use.

