azure - front-door.filters.web-application-firewall-policies #9038
Conversation
…b-application-firewall-policies
…b-application-firewall-policies
…b-application-firewall-policies
…b-application-firewall-policies
…b-application-firewall-policies
| @@ -72,3 +73,22 @@ def process(self, resources, event=None): | |||
| if self.check_state(front_endpoint.web_application_firewall_policy_link): | |||
| matched.append(front_door) | |||
| return matched | |||
|
|
|||
|
|
|||
| @FrontDoor.filter_registry.register('web-application-firewall-policies') | |||
There was a problem hiding this comment.
rename to firewall-policy, this would be better to derive as a list item filter afaics.
There was a problem hiding this comment.
As far as i understood one Front Door resource can have multiple frontend endpoints whereas each individual endpoint can optionally have one WAF Policy. So, in general, one Front Door can have multiple different WAF policies (if it has multiple frontend endpoints). I rewrote this filter deriving from list-item filter. But this implementation neglects the connection between each policy and its frontend endpoint. Not sure whether it's okey..
There was a problem hiding this comment.
Also, regarding front-door.waf filter, seems like the list returned from process() method can contain duplicated Front Door resources in case some Front Door have multiple enabled frontend endpoints.
…b-application-firewall-policies
…b-application-firewall-policies
…b-application-firewall-policies
…b-application-firewall-policies
…b-application-firewall-policies
…b-application-firewall-policies
…b-application-firewall-policies
…b-application-firewall-policies
…b-application-firewall-policies
| @@ -70,5 +71,58 @@ def process(self, resources, event=None): | |||
| front_endpoint = client.frontend_endpoints.get( | |||
| front_door['resourceGroup'], front_door['name'],front_endpoints['name']) | |||
| if self.check_state(front_endpoint.web_application_firewall_policy_link): | |||
| # what if one front_door has multiple endpoints that match? | |||
There was a problem hiding this comment.
if front_door not in matched:
matched.append(front_door)for small cardinalities this works fine.
There was a problem hiding this comment.
We can dispense with additional GET requests because front door's json contains information about each endpoint's link:
Disabled:
{
"frontendEndpoints": [
{
"id": "/subscriptions/dd3ce4b8-093a-40da-8369-d50149d0f84a/resourcegroups/FrontDoorExampleResourceGroup/providers/Microsoft.Network/Frontdoors/42342342-FrontDoor/FrontendEndpoints/exampleFrontendEndpoint1",
"name": "exampleFrontendEndpoint1",
"type": "Microsoft.Network/Frontdoors/FrontendEndpoints",
"properties": {
"hostName": "42342342-FrontDoor.azurefd.net",
"sessionAffinityEnabledState": "Disabled",
"sessionAffinityTtlSeconds": 0,
"resourceState": "Enabled"
}
}
]
}
Enabled:
{
"frontendEndpoints": [
{
"id": "/subscriptions/dd3ce4b8-093a-40da-8369-d50149d0f84a/resourcegroups/FrontDoorExampleResourceGroup/providers/Microsoft.Network/Frontdoors/42342342-FrontDoor/FrontendEndpoints/exampleFrontendEndpoint1",
"name": "exampleFrontendEndpoint1",
"type": "Microsoft.Network/Frontdoors/FrontendEndpoints",
"properties": {
"hostName": "42342342-FrontDoor.azurefd.net",
"sessionAffinityEnabledState": "Disabled",
"sessionAffinityTtlSeconds": 0,
"webApplicationFirewallPolicyLink": {
"id": "/subscriptions/dd3ce4b8-093a-40da-8369-d50149d0f84a/resourceGroups/FrontDoorExampleResourceGroup/providers/Microsoft.Network/frontdoorWebApplicationFirewallPolicies/examplefdwafpolicy"
},
"resourceState": "Enabled"
}
}
]
}
I pushed some fixes, review pls !
…b-application-firewall-policies
…b-application-firewall-policies
…b-application-firewall-policies
Use case: