Skip to content

aztfm/terraform-azurerm-application-gateway-firewall-policy

BranchesTags

Repository files navigation

Azure Application Gateway Firewall Policy - Terraform Module

pre-commit Terraform Registry Dev Container GitHub License GitHub release (latest by date)

Open in GitHub Codespaces

⚙️ Version compatibility

Module version Terraform version AzureRM version
>= 1.x.x >= 1.9.x >= 3.112.0

📝 Usage

resource "azurerm_resource_group" "rg" {
  name     = "resource-group"
  location = "Spain Central"
}

module "application_gateway_firewall_policy" {
  source              = "aztfm/application-gateway-firewall-policy/azurerm"
  version             = ">=1.0.0"
  name                = "application-gateway-firewall-policy"
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location
  tags                = azurerm_resource_group.rg.tags
  managed_rule_sets = [{
    type    = "OWASP"
    version = "3.2"
    }, {
    type    = "Microsoft_BotManagerRuleSet"
    version = "1.0"
  }]
}

Reference to more examples.

▶️ Parameters

The following parameters are supported:

Name Description Type Default Required
name The name of the Application Gateway Firewall Policy. string n/a yes
resource_group_name The name of the resource group in which to create the Application Gateway Firewall Policy. string n/a yes
location The location/region where the Application Gateway Firewall Policy is created. string n/a yes
tags A mapping of tags to assign to the resource. map(string) {} no
enabled Describes if the policy is in enabled state or disabled state. bool true no
mode Describes if it is in detection mode or prevention mode at the policy level. Valid values are Detection and Prevention. string "Prevention" no
request_body_inspect_limit_in_kb The maximum request body inspection size in KB for the policy. number 128 no
max_request_body_size_in_kb The maximum request body size in KB for the policy. number 128 no
file_upload_limit_in_mb The maximum file upload size in MB for the policy. number 100 no
managed_rule_sets A mapping of managed rule set types and versions to associate with the policy. list(object({})) n/a yes
managed_rule_exclusions A mapping of managed rule exclusions to associate with the policy. list(object({})) [] no

The managed_rule_sets supports the following:

Name Description Type Default Required
type The rule set type. Possible values: Microsoft_BotManagerRuleSet, Microsoft_DefaultRuleSet and OWASP. string n/a yes
version The rule set version. Possible values: 0.1, 1.0, 2.1, 3.0, 3.1 and 3.2. string n/a yes

The managed_rule_exclusions supports the following:

Name Description Type Default Required
match_variable The name of the Match Variable. Possible values: RequestArgKeys, RequestArgNames, RequestArgValues, RequestCookieKeys, RequestCookieNames, RequestCookieValues, RequestHeaderKeys, RequestHeaderNames and RequestHeaderValues. string n/a yes
selector_match_operator Describes operator to be matched. Possible values: Contains, EndsWith, Equals, EqualsAny and StartsWith. string n/a yes
selector Describes field of the matchVariable collection. string n/a yes
rule_set The rule set to be excluded. object({}) null no

The managed_rule_exclusions.rule_set supports the following:

Name Description Type Default Required
type The rule set type. The only possible value include Microsoft_DefaultRuleSet and OWASP. string n/a yes
rule_groups The rule groups to exclude from the rule set. list(object({}) [] no

The managed_rule_exclusions.rule_set.rule_groups supports the following:

Name Description Type Default Required
rule_group_name The name of the Rule Group. Possible values are BadBots, crs_20_protocol_violations, crs_21_protocol_anomalies, crs_23_request_limits, crs_30_http_policy, crs_35_bad_robots, crs_40_generic_attacks, crs_41_sql_injection_attacks, crs_41_xss_attacks, crs_42_tight_security, crs_45_trojans, crs_49_inbound_blocking, General, GoodBots, KnownBadBots, Known-CVEs, REQUEST-911-METHOD-ENFORCEMENT, REQUEST-913-SCANNER-DETECTION, REQUEST-920-PROTOCOL-ENFORCEMENT, REQUEST-921-PROTOCOL-ATTACK, REQUEST-930-APPLICATION-ATTACK-LFI, REQUEST-931-APPLICATION-ATTACK-RFI, REQUEST-932-APPLICATION-ATTACK-RCE, REQUEST-933-APPLICATION-ATTACK-PHP, REQUEST-941-APPLICATION-ATTACK-XSS, REQUEST-942-APPLICATION-ATTACK-SQLI, REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION, REQUEST-944-APPLICATION-ATTACK-JAVA, UnknownBots, METHOD-ENFORCEMENT, PROTOCOL-ENFORCEMENT, PROTOCOL-ATTACK, LFI, RFI, RCE, PHP, NODEJS, XSS, SQLI, FIX, JAVA, MS-ThreatIntel-WebShells, MS-ThreatIntel-AppSec, MS-ThreatIntel-SQLI, MS-ThreatIntel-CVEs, MS-ThreatIntel-AppSec, MS-ThreatIntel-SQLI and MS-ThreatIntel-CVEs. string n/a yes
excluded_rules One or more Rule IDs for exclusion. list(number) [] no

◀️ Outputs

The following outputs are exported:

Name Description Sensitive
id The ID of Application Gateway Firewall Policy. no

About

Terraform module for Microsoft Azure to manage Application Gateway Firewall Policy resource.

registry.terraform.io/modules/aztfm/application-gateway-firewall-policy/azurerm/

Topics

azure terraform azure-resource-manager terraform-module application-gateway-firewall-policy

Resources

Readme

License

Apache-2.0 license
Activity
Custom properties

Stars

1 star

Watchers

0 watching

Forks

1 fork
Report repository

Releases 1

v1.0.0 (July 25, 2024) Latest
Jul 25, 2024

Sponsor this project

 
Learn more about GitHub Sponsors

Packages

 
 
 

Contributors

Languages