Azure WAF Policies

This terraform module creates an Azure WAF policy with OWASP 3.2 enabled

Global versioning rule for Claranet Azure modules

Module version	Terraform version	OpenTofu version	AzureRM version
>= 8.x.x	Unverified	1.8.x	>= 4.0
>= 7.x.x	1.3.x		>= 3.0
>= 6.x.x	1.x		>= 3.0
>= 5.x.x	0.15.x		>= 2.0
>= 4.x.x	0.13.x / 0.14.x		>= 2.0
>= 3.x.x	0.12.x		>= 2.0
>= 2.x.x	0.12.x		< 2.0
< 2.x.x	0.11.x		< 2.0

Contributing

If you want to contribute to this repository, feel free to use our pre-commit git hook configuration which will help you automatically update and format some files for you by enforcing our Terraform code module best-practices.

More details are available in the CONTRIBUTING.md file.

Usage

This module is optimized to work with the Claranet terraform-wrapper tool which set some terraform variables in the environment needed by this module. More details about variables set by the terraform-wrapper available in the documentation.

⚠️ Since modules version v8.0.0, we do not maintain/check anymore the compatibility with Hashicorp Terraform. Instead, we recommend to use OpenTofu.

module "waf_policy" {
  source  = "claranet/waf-policy/azurerm"
  version = "x.x.x"

  client_name    = var.client_name
  environment    = var.environment
  location       = module.azure_region.location
  location_short = module.azure_region.location_short
  stack          = var.stack

  resource_group_name = module.rg.name

  policy_mode = "Detection"

  managed_rule_set_configuration = [
    {
      type    = "OWASP"
      version = "3.2"
    }
  ]

  exclusion_configuration = []

  custom_rules_configuration = [
    {
      name      = "DenyAll"
      priority  = 1
      rule_type = "MatchRule"
      action    = "Block"

      match_conditions_configuration = [
        {
          match_variable_configuration = [
            {
              variable_name = "RemoteAddr"
              selector      = null
            }
          ]

          match_values = [
            "X.X.X.X"
          ]

          operator           = "IPMatch"
          negation_condition = true
          transforms         = null
        },
        {
          match_variable_configuration = [
            {
              variable_name = "RequestUri"
              selector      = null
            },
            {
              variable_name = "RequestUri"
              selector      = null
            }
          ]

          match_values = [
            "Azure",
            "Cloud"
          ]

          operator           = "Contains"
          negation_condition = true
          transforms         = null
        }
      ]
    }
  ]
}

Providers

Name	Version
azurecaf	>= 1.2.28
azurerm	~> 4.0

Modules

No modules.

Resources

Name	Type
azurerm_web_application_firewall_policy.main	resource
azurecaf_name.wafp	data source

Inputs

Name	Description	Type	Default	Required
client_name	Client name/account used in naming.	string	n/a	yes
custom_name	WAF Policy custom name.	string	null	no
custom_rules_configuration	Custom rules configuration object with following attributes: - enabled: Describes if the policy is in enabled state or disabled state. Defaults to true. - name: Gets name of the resource that is unique within a policy. This name can be used to access the resource. - priority: Describes priority of the rule. Rules with a lower value will be evaluated before rules with a higher value. - rule_type: Describes the type of rule. Possible values are MatchRule, RateLimitRule and Invalid. - action: Type of action. Possible values are Allow, Block, JSChallenge and Log. - rate_limit_duration: Specifies the duration at which the rate limit policy will be applied. Should be used with RateLimitRule rule type. Possible values are FiveMins and OneMin. - rate_limit_threshold: Specifies the threshold value for the rate limit policy. Must be greater than or equal to 1 if provided. - group_rate_limit_by: Specifies what grouping the rate limit will count requests by. Possible values are GeoLocation, ClientAddr and None. - match_conditions_configuration: One or more match_conditions blocks as defined below. - match_variable_configuration: One or more match_variables blocks as defined below. - variable_name: The name of the Match Variable. Possible values are RemoteAddr, RequestMethod, QueryString, PostArgs, RequestUri, RequestHeaders, RequestBody and RequestCookies. - selector: Describes field of the matchVariable collection - match_values: A list of match values. - operator: Describes operator to be matched. Possible values are Any, IPMatch, GeoMatch, Equal, Contains, LessThan, GreaterThan, LessThanOrEqual, GreaterThanOrEqual, BeginsWith, EndsWith and Regex. - negation_condition: Describes if this is negate condition or not - transforms: A list of transformations to do before the match is attempted. Possible values are HtmlEntityDecode, Lowercase, RemoveNulls, Trim, Uppercase, UrlDecode and UrlEncode.	list(object({ enabled = optional(bool, true) name = optional(string) priority = optional(number) rule_type = optional(string) action = optional(string) rate_limit_duration = optional(string) rate_limit_threshold = optional(number) group_rate_limit_by = optional(string) match_conditions_configuration = optional(list(object({ match_variable_configuration = optional(list(object({ variable_name = optional(string) selector = optional(string, null) }))) match_values = optional(list(string)) operator = optional(string) negation_condition = optional(string, null) transforms = optional(list(string), null) }))) }))	[]	no
default_tags_enabled	Option to enable or disable default tags.	bool	true	no
environment	Project environment.	string	n/a	yes
exclusion_configuration	Exclusion rules configuration object with following attributes: - match_variable: The name of the Match Variable. Accepted values can be found here. - selector: Describes field of the matchVariable collection. - selector_match_operator: Describes operator to be matched. Possible values: Contains, EndsWith, Equals, EqualsAny, StartsWith. - excluded_rule_set: One or more excluded_rule_set block defined below. - type: The rule set type. The only possible value is OWASP. Defaults to OWASP. - version: The rule set version. The only possible value is 3.2. Defaults to 3.2. - rule_group: One or more rule_group block defined below. - rule_group_name: The name of rule group for exclusion. Accepted values can be found here. - excluded_rules: One or more Rule IDs for exclusion.	list(object({ match_variable = optional(string) selector = optional(string) selector_match_operator = optional(string) excluded_rule_set = optional(list(object({ type = optional(string, "OWASP") version = optional(string, "3.2") rule_group = optional(list(object({ rule_group_name = string excluded_rules = optional(list(string), []) })), []) })), []) }))	[]	no
extra_tags	Extra tags to add.	map(string)	{}	no
location	Azure location.	string	n/a	yes
location_short	Short string for Azure location.	string	n/a	yes
managed_rule_set_configuration	Managed rule set configuration.	list(object({ type = optional(string, "OWASP") version = optional(string, "3.2") rule_group_override_configuration = optional(list(object({ rule_group_name = optional(string, null) rule = optional(list(object({ id = string enabled = optional(bool) action = optional(string) })), []) }))) }))	[]	no
name_prefix	Optional prefix for the generated name.	string	""	no
name_suffix	Optional suffix for the generated name.	string	""	no
policy_enabled	Describes if the policy is in enabled state or disabled state. Defaults to true.	string	true	no
policy_file_limit	Policy regarding the size limit of uploaded files. Value is in MB. Accepted values are in the range 1 to 4000. Defaults to 100.	number	100	no
policy_file_upload_enforcement	Whether the firewall should block a request with upload size greater then file_upload_limit_in_mb. Defaults to true.	bool	true	no
policy_js_challenge_cookie_expiration	Specifies the JavaScript challenge cookie validity lifetime in minutes. The user is challenged after the lifetime expires. Accepted values are in the range 5 to 1440. Defaults to 30.	number	30	no
policy_log_scrubbing_enabled	Whether the log scrubbing is enabled or disabled. Defaults to true.	bool	true	no
policy_log_scrubbing_rules	Log scrubbing rules configuration object with following attributes: - enabled: Whether this rule is enabled. Defaults to true. - match_variable: Specifies the variable to be scrubbed from the logs. Possible values are RequestHeaderNames, RequestCookieNames, RequestArgNames, RequestPostArgNames, RequestJSONArgNames and RequestIPAddress. - selector_match_operator: Specifies the operating on the selector. Possible values are Equals and EqualsAny. Defaults to Equals. - selector: Specifies which elements in the collection this rule applies to.	list(object({ enabled = optional(bool, true) match_variable = string selector_match_operator = optional(string, "Equals") selector = optional(string) }))	[]	no
policy_max_body_size	Policy regarding the maximum request body size. Value is in KB. Accepted values are in the range 8 to 2000. Defaults to 128.	number	128	no
policy_mode	Describes if it is in detection mode or prevention mode at the policy level. Valid values are Detection and Prevention. Defaults to Prevention.	string	"Prevention"	no
policy_request_body_check_enabled	Describes if the Request Body Inspection is enabled. Defaults to true.	string	true	no
policy_request_body_enforcement	Whether the firewall should block a request with body size greater then max_request_body_size_in_kb. Defaults to true.	bool	true	no
policy_request_body_inspect_limit	Specifies the maximum request body inspection limit in KB for the Web Application Firewall. Accepted values are in the range 8 to 2000. Defaults to 128.	number	128	no
resource_group_name	Resource Group Name.	string	n/a	yes
stack	Project stack name.	string	n/a	yes

Outputs

Name	Description
http_listener_ids	A list of HTTP Listener IDs from an azurerm_application_gateway.
id	WAF Policy ID.
name	WAF Policy name.
path_based_rule_ids	A list of URL Path Map Path Rule IDs from an azurerm_application_gateway.
resource	WAF Policy resource object.

Related documentation

Microsoft Azure documentation: docs.microsoft.com/en-us/azure/web-application-firewall/ag/policy-overview/