claranet/terraform-azurerm-waf-policy

Azure WAF Policies

Changelog Notice Apache V2 License TF Registry

This Terraform module creates an Azure WAF policy with the OWASP 3.2 managed rule set enabled.

Global versioning rule for Claranet Azure modules

| Module version | Terraform version | AzureRM version |
|---|---|---|
| >= 7.x.x | 1.3.x | >= 3.0 |
| >= 6.x.x | 1.x | >= 3.0 |
| >= 5.x.x | 0.15.x | >= 2.0 |
| >= 4.x.x | 0.13.x / 0.14.x | >= 2.0 |
| >= 3.x.x | 0.12.x | >= 2.0 |
| >= 2.x.x | 0.12.x | < 2.0 |
| < 2.x.x | 0.11.x | < 2.0 |

Contributing

If you want to contribute to this repository, feel free to use our pre-commit git hook configuration, which automatically updates and formats some files for you and enforces our Terraform code module best practices.

More details are available in the CONTRIBUTING.md file.

Usage

This module is optimized to work with the Claranet terraform-wrapper tool, which sets some Terraform variables in the environment that this module needs. More details about the variables set by the terraform-wrapper are available in the documentation.

module "azure_region" {
  source  = "claranet/regions/azurerm"
  version = "x.x.x"

  azure_region = var.azure_region
}

module "rg" {
  source  = "claranet/rg/azurerm"
  version = "x.x.x"

  location    = module.azure_region.location
  client_name = var.client_name
  environment = var.environment
  stack       = var.stack
}

module "waf_policy" {
  source  = "claranet/waf-policy/azurerm"
  version = "x.x.x"

  client_name    = var.client_name
  environment    = var.environment
  location       = module.azure_region.location
  location_short = module.azure_region.location_short
  stack          = var.stack

  resource_group_name = module.rg.resource_group_name

  # Detection only logs what would have been blocked. Switch to "Prevention"
  # once the logs show no false positives on legitimate traffic.
  policy_mode = "Detection"

  managed_rule_set_configuration = [
    {
      type    = "OWASP"
      version = "3.2"
    }
  ]

  # No managed-rule exclusions yet. Add entries here once Detection-mode logs
  # point at specific rule IDs and request fields that cause false positives.
  exclusion_configuration = []

  # Custom rules are evaluated before the managed rule set. All match
  # conditions in a rule must hold, so this rule blocks a request that comes
  # from an address other than X.X.X.X AND whose URI contains neither
  # "Azure" nor "Cloud".
  custom_rules_configuration = [
    {
      name      = "DenyAll"
      priority  = 1
      rule_type = "MatchRule"
      action    = "Block"

      match_conditions_configuration = [
        {
          # Negated IPMatch: true for every client that is not the allowlisted address.
          match_variable_configuration = [
            {
              variable_name = "RemoteAddr"
              selector      = null
            }
          ]

          match_values = [
            "X.X.X.X"
          ]

          operator           = "IPMatch"
          negation_condition = true
          transforms         = null
        },
        {
          # Negated Contains: true when the URI contains none of the match values.
          # For case-insensitive matching, add the "Lowercase" transform and use
          # lowercase match values.
          match_variable_configuration = [
            {
              variable_name = "RequestUri"
              selector      = null
            }
          ]

          match_values = [
            "Azure",
            "Cloud"
          ]

          operator           = "Contains"
          negation_condition = true
          transforms         = null
        }
      ]
    }
  ]
}
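The DenyAll rule above is easy to misread: both conditions are negated and they are ANDed, so it blocks only requests that are neither from the allowlisted address nor for a URI containing "Azure" or "Cloud". The following local model of Azure WAF custom-rule evaluation lets you check that kind of rule against sample requests before putting the policy into Prevention mode. It is an added example, not code from the claranet module, and it does not talk to Azure: the `Request` type, the function names, the sample requests and the allowlisted address 203.0.113.10 (standing in for the X.X.X.X placeholder) are all constructed here. The semantics it implements are the documented ones for custom rules (priority order, AND across conditions, OR across match values, negation, transforms before comparison, IPMatch on addresses or CIDR ranges, Allow/Block terminating while Log does not); how it treats a match variable that selects nothing is an assumption of the model, marked in the code.

```python
"""Local model of Azure WAF custom-rule evaluation (added example, see lead-in).

Documented semantics modelled: rules run in ascending priority; all match
conditions in a rule must hold (AND); a condition holds if any match value
matches (OR); negation_condition inverts it; transforms run first; IPMatch
takes addresses or CIDR ranges; Allow/Block terminate, Log does not."""
from __future__ import annotations

import ipaddress
import re
import urllib.parse
from dataclasses import dataclass, field

TRANSFORMS = {"Lowercase": str.lower, "Trim": str.strip, "UrlDecode": urllib.parse.unquote}


@dataclass
class Request:  # constructed request shape for this model, not an Azure type
    remote_addr: str
    uri: str
    headers: dict[str, str] = field(default_factory=dict)


def _variable_values(req: Request, var: dict) -> list[str]:
    """Resolve one match_variable_configuration entry to the strings it selects."""
    name, selector = var["variable_name"], var.get("selector")
    if name == "RemoteAddr":
        return [req.remote_addr]
    if name == "RequestUri":
        return [req.uri]
    if name == "RequestHeaders":  # selector picks one header; None means all of them
        return [v for k, v in req.headers.items() if selector is None or k.lower() == selector.lower()]
    raise NotImplementedError(f"variable {name} not modelled here")


def _operator_matches(op: str, value: str, match_values: list[str]) -> bool:
    if op == "IPMatch":
        addr = ipaddress.ip_address(value)
        return any(addr in ipaddress.ip_network(m, strict=False) for m in match_values)
    # String operators compare case-sensitively; use the Lowercase transform to change that.
    if op == "Contains":
        return any(m in value for m in match_values)
    if op == "Equal":
        return value in match_values
    if op == "Regex":
        return any(re.search(m, value) for m in match_values)
    raise NotImplementedError(f"operator {op} not modelled here")


def condition_matches(req: Request, cond: dict) -> bool:
    values = [v for var in cond["match_variable_configuration"] for v in _variable_values(req, var)]
    for name in cond.get("transforms") or []:
        values = [TRANSFORMS[name](v) for v in values]
    # Assumption of this model: a variable that selects nothing (e.g. an absent header)
    # does not match, so a negated condition over it holds.
    matched = any(_operator_matches(cond["operator"], v, cond["match_values"]) for v in values)
    return not matched if cond.get("negation_condition") else matched


def evaluate(req: Request, rules: list[dict]) -> tuple[str, str | None, list[str]]:
    """Return (action, terminating rule name, names of Log rules that matched)."""
    logged: list[str] = []
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if all(condition_matches(req, c) for c in rule["match_conditions_configuration"]):
            if rule["action"] == "Log":
                logged.append(rule["name"])
            else:
                return rule["action"], rule["name"], logged
    return "Allow", None, logged  # no custom rule fired; the managed rule set would run next


# The DenyAll rule from the usage example, with X.X.X.X replaced by a constructed
# allowlisted address from the documentation range.
DENY_ALL_RULES = [{
    "name": "DenyAll", "priority": 1, "rule_type": "MatchRule", "action": "Block",
    "match_conditions_configuration": [
        {"match_variable_configuration": [{"variable_name": "RemoteAddr", "selector": None}],
         "match_values": ["203.0.113.10"], "operator": "IPMatch",
         "negation_condition": True, "transforms": None},
        {"match_variable_configuration": [{"variable_name": "RequestUri", "selector": None}],
         "match_values": ["Azure", "Cloud"], "operator": "Contains",
         "negation_condition": True, "transforms": None},
    ],
}]

if __name__ == "__main__":
    for req in (Request("203.0.113.10", "/admin"), Request("198.51.100.7", "/admin"),
                Request("198.51.100.7", "/AzureStatus"), Request("198.51.100.7", "/cloud")):
        action, rule, _ = evaluate(req, DENY_ALL_RULES)
        print(f"{req.remote_addr:14} {req.uri:13} -> {action} ({rule})")
```

Running it shows the allowlisted client and any URI containing "Azure" getting through while the other two requests are blocked; note that `/cloud` is blocked because `Contains` is case-sensitive without a `Lowercase` transform, which is exactly the kind of surprise worth catching in Detection mode first.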

Providers

| Name | Version |
|---|---|
| azurecaf | ~> 1.2, >= 1.2.22 |
| azurerm | ~> 3.80 |

Modules

No modules.

Resources

| Name | Type |
|---|---|
| azurerm_web_application_firewall_policy.waf_policy | resource |
| azurecaf_name.wafp | data source |

Inputs

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| client_name | Client name/account used in naming. | string | n/a | yes |
| custom_rules_configuration | Custom rules configuration; object attributes and type are described below. | list(object) (see below) | [] | no |
| default_tags_enabled | Option to enable or disable default tags. | bool | true | no |
| environment | Project environment. | string | n/a | yes |
| exclusion_configuration | Exclusion rules configuration; object attributes and type are described below. | list(object) (see below) | [] | no |
| extra_tags | Extra tags to add. | map(string) | {} | no |
| location | Azure location. | string | n/a | yes |
| location_short | Short string for Azure location. | string | n/a | yes |
| managed_rule_set_configuration | Managed rule set configuration; type is described below. | list(object) (see below) | [] | no |
| name_prefix | Optional prefix for the generated name. | string | "" | no |
| name_suffix | Optional suffix for the generated name. | string | "" | no |
| policy_enabled | Whether the policy is enabled or disabled. Defaults to true. | string | true | no |
| policy_file_limit | Size limit of uploaded files, in MB. Accepted values are in the range 1 to 4000. Defaults to 100. | number | 100 | no |
| policy_max_body_size | Maximum request body size, in KB. Accepted values are in the range 8 to 2000. Defaults to 128. | number | 128 | no |
| policy_mode | Mode at the policy level. Valid values are Detection and Prevention. Defaults to Prevention. | string | "Prevention" | no |
| policy_request_body_check_enabled | Whether Request Body Inspection is enabled. Defaults to true. | string | true | no |
| resource_group_name | Resource Group Name. | string | n/a | yes |
| stack | Project stack name. | string | n/a | yes |
| use_caf_naming | Use the Azure CAF naming provider to generate the default resource name. waf_policy_custom_name overrides this if set. The legacy default name is used if this is set to false. | bool | true | no |
| waf_policy_custom_name | Custom WAF Policy name, generated if not set. | string | "" | no |

custom_rules_configuration

Custom rules configuration object with the following attributes:
- name: Name of the rule, unique within the policy. This name can be used to reference the rule.
- priority: Priority of the rule. Rules with a lower value are evaluated before rules with a higher value.
- rule_type: Type of rule. Possible values are MatchRule and Invalid.
- action: Type of action. Possible values are Allow, Block and Log.
- match_conditions_configuration: One or more match_conditions blocks, each with:
  - match_variable_configuration: One or more match_variables blocks, each with:
    - variable_name: The name of the match variable. Possible values are RemoteAddr, RequestMethod, QueryString, PostArgs, RequestUri, RequestHeaders, RequestBody and RequestCookies.
    - selector: Field of the match variable collection to inspect (for example a header or cookie name).
  - match_values: A list of match values.
  - operator: Operator to apply. Possible values are IPMatch, GeoMatch, Equal, Contains, LessThan, GreaterThan, LessThanOrEqual, GreaterThanOrEqual, BeginsWith, EndsWith and Regex.
  - negation_condition: Whether the condition is negated.
  - transforms: A list of transformations applied before the match is attempted. Possible values are HtmlEntityDecode, Lowercase, RemoveNulls, Trim, UrlDecode and UrlEncode.

Type:

  list(object({
    name      = optional(string)
    priority  = optional(number)
    rule_type = optional(string)
    action    = optional(string)
    match_conditions_configuration = optional(list(object({
      match_variable_configuration = optional(list(object({
        variable_name = optional(string)
        selector      = optional(string, null)
      })))
      match_values       = optional(list(string))
      operator           = optional(string)
      negation_condition = optional(string, null)
      transforms         = optional(list(string), null)
    })))
  }))

exclusion_configuration

Exclusion rules configuration object with the following attributes:
- match_variable: The name of the match variable. Accepted values can be found here: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/web_application_firewall_policy#match_variable
- selector: Field of the match variable collection to exclude.
- selector_match_operator: Operator applied to the selector. Possible values: Contains, EndsWith, Equals, EqualsAny, StartsWith.
- excluded_rule_set: One or more excluded_rule_set blocks, each with:
  - type: The rule set type. The only possible value is OWASP. Defaults to OWASP.
  - version: The rule set version. The only possible value is 3.2. Defaults to 3.2.
  - rule_group: One or more rule_group blocks, each with:
    - rule_group_name: The name of the rule group for exclusion. Accepted values can be found here: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/web_application_firewall_policy#rule_group_name
    - excluded_rules: One or more Rule IDs for exclusion.

Type:

  list(object({
    match_variable          = optional(string)
    selector                = optional(string)
    selector_match_operator = optional(string)
    excluded_rule_set = optional(list(object({
      type    = optional(string, "OWASP")
      version = optional(string, "3.2")
      rule_group = optional(list(object({
        rule_group_name = optional(string)
        excluded_rules  = optional(string)
      })))
    })))
  }))

managed_rule_set_configuration

Managed rule set configuration.

Type:

  list(object({
    type    = optional(string, "OWASP")
    version = optional(string, "3.2")
    rule_group_override_configuration = optional(list(object({
      rule_group_name = optional(string, null)
      rule = optional(list(object({
        id      = string
        enabled = optional(bool)
        action  = optional(string)
      })), [])
    })))
  }))

Outputs

| Name | Description |
|---|---|
| http_listener_ids | A list of HTTP Listener IDs from an azurerm_application_gateway. |
| path_based_rule_ids | A list of URL Path Map Path Rule IDs from an azurerm_application_gateway. |
| waf_policy_id | WAF Policy ID |

Related documentation

Microsoft Azure documentation: docs.microsoft.com/en-us/azure/web-application-firewall/ag/policy-overview/