New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
azure - front-door.filters.web-application-firewall-policies #9038
azure - front-door.filters.web-application-firewall-policies #9038
Conversation
…b-application-firewall-policies
…b-application-firewall-policies
…b-application-firewall-policies
…b-application-firewall-policies
…b-application-firewall-policies
@@ -72,3 +73,22 @@ def process(self, resources, event=None): | |||
if self.check_state(front_endpoint.web_application_firewall_policy_link): | |||
matched.append(front_door) | |||
return matched | |||
|
|||
|
|||
@FrontDoor.filter_registry.register('web-application-firewall-policies') |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
rename to firewall-policy, this would be better to derive as a list item filter afaics.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Renamed
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As far as i understood one Front Door resource can have multiple frontend endpoints whereas each individual endpoint can optionally have one WAF Policy. So, in general, one Front Door can have multiple different WAF policies (if it has multiple frontend endpoints). I rewrote this filter deriving from list-item filter. But this implementation neglects the connection between each policy and its frontend endpoint. Not sure whether it's okey..
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Also, regarding front-door.waf
filter, seems like the list returned from process()
method can contain duplicated Front Door resources in case some Front Door have multiple enabled frontend endpoints.
…b-application-firewall-policies
…b-application-firewall-policies
…b-application-firewall-policies
…b-application-firewall-policies
…b-application-firewall-policies
…b-application-firewall-policies
…b-application-firewall-policies
…b-application-firewall-policies
…b-application-firewall-policies
@@ -70,5 +71,58 @@ def process(self, resources, event=None): | |||
front_endpoint = client.frontend_endpoints.get( | |||
front_door['resourceGroup'], front_door['name'],front_endpoints['name']) | |||
if self.check_state(front_endpoint.web_application_firewall_policy_link): | |||
# what if one front_door has multiple endpoints that match? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
if front_door not in matched:
matched.append(front_door)
for small cardinalities this works fine.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We can dispense with additional GET
requests because front door's json contains information about each endpoint's link:
Disabled:
{
"frontendEndpoints": [
{
"id": "/subscriptions/dd3ce4b8-093a-40da-8369-d50149d0f84a/resourcegroups/FrontDoorExampleResourceGroup/providers/Microsoft.Network/Frontdoors/42342342-FrontDoor/FrontendEndpoints/exampleFrontendEndpoint1",
"name": "exampleFrontendEndpoint1",
"type": "Microsoft.Network/Frontdoors/FrontendEndpoints",
"properties": {
"hostName": "42342342-FrontDoor.azurefd.net",
"sessionAffinityEnabledState": "Disabled",
"sessionAffinityTtlSeconds": 0,
"resourceState": "Enabled"
}
}
]
}
Enabled:
{
"frontendEndpoints": [
{
"id": "/subscriptions/dd3ce4b8-093a-40da-8369-d50149d0f84a/resourcegroups/FrontDoorExampleResourceGroup/providers/Microsoft.Network/Frontdoors/42342342-FrontDoor/FrontendEndpoints/exampleFrontendEndpoint1",
"name": "exampleFrontendEndpoint1",
"type": "Microsoft.Network/Frontdoors/FrontendEndpoints",
"properties": {
"hostName": "42342342-FrontDoor.azurefd.net",
"sessionAffinityEnabledState": "Disabled",
"sessionAffinityTtlSeconds": 0,
"webApplicationFirewallPolicyLink": {
"id": "/subscriptions/dd3ce4b8-093a-40da-8369-d50149d0f84a/resourceGroups/FrontDoorExampleResourceGroup/providers/Microsoft.Network/frontdoorWebApplicationFirewallPolicies/examplefdwafpolicy"
},
"resourceState": "Enabled"
}
}
]
}
I pushed some fixes, review pls !
…b-application-firewall-policies
…b-application-firewall-policies
…b-application-firewall-policies
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
lgtm, thanks
Use case: