This terraform module creates an Azure WAF policy with OWASP 3.2 enabled
Module version | Terraform version | OpenTofu version | AzureRM version |
---|---|---|---|
>= 8.x.x | Unverified | 1.8.x | >= 4.0 |
>= 7.x.x | 1.3.x | >= 3.0 | |
>= 6.x.x | 1.x | >= 3.0 | |
>= 5.x.x | 0.15.x | >= 2.0 | |
>= 4.x.x | 0.13.x / 0.14.x | >= 2.0 | |
>= 3.x.x | 0.12.x | >= 2.0 | |
>= 2.x.x | 0.12.x | < 2.0 | |
< 2.x.x | 0.11.x | < 2.0 |
If you want to contribute to this repository, feel free to use our pre-commit git hook configuration which will help you automatically update and format some files for you by enforcing our Terraform code module best-practices.
More details are available in the CONTRIBUTING.md file.
This module is optimized to work with the Claranet terraform-wrapper tool
which set some terraform variables in the environment needed by this module.
More details about variables set by the terraform-wrapper
available in the documentation.
module "waf_policy" {
source = "claranet/waf-policy/azurerm"
version = "x.x.x"
client_name = var.client_name
environment = var.environment
location = module.azure_region.location
location_short = module.azure_region.location_short
stack = var.stack
resource_group_name = module.rg.name
policy_mode = "Detection"
managed_rule_set_configuration = [
{
type = "OWASP"
version = "3.2"
}
]
exclusion_configuration = []
custom_rules_configuration = [
{
name = "DenyAll"
priority = 1
rule_type = "MatchRule"
action = "Block"
match_conditions_configuration = [
{
match_variable_configuration = [
{
variable_name = "RemoteAddr"
selector = null
}
]
match_values = [
"X.X.X.X"
]
operator = "IPMatch"
negation_condition = true
transforms = null
},
{
match_variable_configuration = [
{
variable_name = "RequestUri"
selector = null
},
{
variable_name = "RequestUri"
selector = null
}
]
match_values = [
"Azure",
"Cloud"
]
operator = "Contains"
negation_condition = true
transforms = null
}
]
}
]
}
Name | Version |
---|---|
azurecaf | ~> 1.2.28 |
azurerm | ~> 4.0 |
No modules.
Name | Type |
---|---|
azurerm_web_application_firewall_policy.main | resource |
azurecaf_name.wafp | data source |
Name | Description | Type | Default | Required |
---|---|---|---|---|
client_name | Client name/account used in naming. | string |
n/a | yes |
custom_name | WAF Policy custom name. | string |
null |
no |
custom_rules_configuration | Custom rules configuration object with following attributes:- name: Gets name of the resource that is unique within a policy. This name can be used to access the resource. |
list(object({ |
[] |
no |
default_tags_enabled | Option to enable or disable default tags. | bool |
true |
no |
environment | Project environment. | string |
n/a | yes |
exclusion_configuration | Exclusion rules configuration object with following attributes:- match_variable: The name of the Match Variable. Accepted values can be found here. |
list(object({ |
[] |
no |
extra_tags | Extra tags to add. | map(string) |
{} |
no |
location | Azure location. | string |
n/a | yes |
location_short | Short string for Azure location. | string |
n/a | yes |
managed_rule_set_configuration | Managed rule set configuration. | list(object({ |
[] |
no |
name_prefix | Optional prefix for the generated name. | string |
"" |
no |
name_suffix | Optional suffix for the generated name. | string |
"" |
no |
policy_enabled | Describes if the policy is in enabled state or disabled state. Defaults to true . |
string |
true |
no |
policy_file_limit | Policy regarding the size limit of uploaded files. Value is in MB. Accepted values are in the range 1 to 4000 . Defaults to 100 . |
number |
100 |
no |
policy_max_body_size | Policy regarding the maximum request body size. Value is in KB. Accepted values are in the range 8 to 2000 . Defaults to 128 . |
number |
128 |
no |
policy_mode | Describes if it is in detection mode or prevention mode at the policy level. Valid values are Detection and Prevention . Defaults to Prevention . |
string |
"Prevention" |
no |
policy_request_body_check_enabled | Describes if the Request Body Inspection is enabled. Defaults to true . |
string |
true |
no |
resource_group_name | Resource Group Name. | string |
n/a | yes |
stack | Project stack name. | string |
n/a | yes |
Name | Description |
---|---|
http_listener_ids | A list of HTTP Listener IDs from an azurerm_application_gateway. |
id | WAF Policy ID. |
name | WAF Policy name. |
path_based_rule_ids | A list of URL Path Map Path Rule IDs from an azurerm_application_gateway. |
resource | WAF Policy resource object. |
Microsoft Azure documentation: docs.microsoft.com/en-us/azure/web-application-firewall/ag/policy-overview/