Support for more policy_settings in web_application_firewall_policy

[boschcrank]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

The policy_settings in the resource web_application_firewall_policy allow only to set enabled and mode. To replace the WAF firewall config with a global policy, we need all settings in the Azure resource:

https://docs.microsoft.com/en-us/rest/api/virtualnetwork/webapplicationfirewallpolicies/createorupdate#policysettings

Those are (translated in the provider's attribute naming):

• file_upload_limit_in_mb (int)
• max_request_body_size_in_kb (int)
• request_body_check (boolean)

New or Affected Resource(s)

• azurerm_web_application_firewall_policy

Potential Terraform Configuration

provider "azurerm" {
  version = "2.14.0"
  features {}
}

resource "azurerm_resource_group" "example" {
  name     = "test-rg"
  location = "West Europe"
}

resource "azurerm_web_application_firewall_policy" "example" {
  name                = "example-wafpolicy"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location

  custom_rules {
    name      = "Geoblocking"
    priority  = 2
    rule_type = "MatchRule"
    action    = "Block"

    match_conditions {
      match_variables {
        variable_name = "RemoteAddr"
      }
      operator     = "GeoMatch"
      match_values = ["DE"]
    }
  }

  managed_rules {
    managed_rule_set {
      type    = "OWASP"
      version = "3.1"
      rule_group_override {
        rule_group_name = "REQUEST-920-PROTOCOL-ENFORCEMENT"
        disabled_rules = [
          "920300",
          "920440"
        ]
      }
    }
  }

  policy_settings {
    enabled = true
    mode    = "Prevention"
    file_upload_limit_in_mb = 100
    max_request_body_size_in_kb = 100
    request_body_check   = true
  }
}

References

• https://docs.microsoft.com/en-us/rest/api/virtualnetwork/webapplicationfirewallpolicies/createorupdate#policysettings

[boschcrank]

Here is a PR to add the missing attributes:
#7363

[ghost]

This has been released in version 2.18.0 of the provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. As an example:

provider "azurerm" {
    version = "~> 2.18.0"
}
# ... other configuration ...

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!