Open aidanfinn opened 11 months ago
@aidanfinn Thank you for submitting this! The behavior is as expected as the rule is an Optional+Computed property: https://github.com/hashicorp/terraform-provider-azurerm/blob/fdc7f127174b77e2ce1a828ec93709bbb5b66016/internal/services/network/web_application_firewall_policy_resource.go#L291-L292.
Since the goal of aztfexport is to generate valid configuration and pass terraform plan, we are intentionally not exporting those properties, as otherwise, they might introduce other issues. If you really want all the non-readonly properties to be exported, you can specify the --full-properties flag.
@magodo the --full-properties flag helped to get the missing properties. But it additionally exports the deprecated (computed) property disabled_rules = ["200003", "200004"]. And the property disabled_rules must be removed to run a successful terraform apply. Maybe you can remove disabled_rules from export?
managed_rules {
  managed_rule_set {
    type    = "OWASP"
    version = "3.2"
    rule_group_override {
      disabled_rules  = ["200003", "200004"]
      rule_group_name = "General"
      rule {
        action  = "AnomalyScoring"
        enabled = false
        id      = "200003"
      }
      rule {
        action  = "AnomalyScoring"
        enabled = false
        id      = "200004"
      }
    }
  }
}
@tzuehlke Unfortunately, the resource-level fine tuning is not something we plan to do for now, due to the large maintenance effort.
When you run aztfexport, a WAF policy (azurerm_web_application_firewall_policy) is missing the individual rule overrides. An example of an incomplete export:
managed_rules {
  managed_rule_set {
    rule_group_override {
      rule_group_name = "REQUEST-913-SCANNER-DETECTION"
    }
  }
}
What should be exported:
managed_rules {
  managed_rule_set {
    rule_group_override {
      rule_group_name = "REQUEST-913-SCANNER-DETECTION"
      rule {
        id      = "913101"
        enabled = true
        action  = "AnomalyScoring"
      }
      rule {
        id      = "913102"
        enabled = true
        action  = "AnomalyScoring"
      }
    }
  }
}
aztfexport version v0.13.1(c690456)
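A check for the two conditions described in this thread, as an added example (not code from aztfexport or from the participants): it scans exported Terraform text for rule_group_override blocks that carry no rule entries and for the deprecated disabled_rules attribute. The function names and sample strings are assumptions constructed for illustration, and the brace scanner does not handle HCL comments or heredocs.

```python
import re

def block_bodies(hcl, name):
    """Yield the text inside the braces of every `name { ... }` block."""
    for m in re.finditer(r'(?<![\w-])' + re.escape(name) + r'\s*\{', hcl):
        depth, i, in_str = 1, m.end(), False
        while i < len(hcl) and depth:
            c = hcl[i]
            if in_str:
                if c == '\\':
                    i += 1              # skip the escaped character
                elif c == '"':
                    in_str = False
            elif c == '"':
                in_str = True
            elif c in '{}':
                depth += 1 if c == '{' else -1
            i += 1
        if depth == 0:                  # ignore blocks with unbalanced braces
            yield hcl[m.end():i - 1]

def audit_waf_overrides(hcl):
    """Return (rule_group_name, finding) pairs for an exported WAF policy."""
    findings = []
    for body in block_bodies(hcl, "rule_group_override"):
        m = re.search(r'rule_group_name\s*=\s*"([^"]*)"', body)
        group = m.group(1) if m else "<unnamed>"
        if not list(block_bodies(body, "rule")):
            findings.append((group, "no rule blocks exported"))
        if re.search(r'(?<![\w-])disabled_rules\s*=', body):
            findings.append((group, "deprecated disabled_rules present"))
    return findings

# Constructed samples that mirror the snippets quoted in this thread.
INCOMPLETE = '''managed_rules { managed_rule_set { rule_group_override {
  rule_group_name = "REQUEST-913-SCANNER-DETECTION" } } }'''
FULL_PROPERTIES = '''rule_group_override {
  disabled_rules  = ["200003", "200004"]
  rule_group_name = "General"
  rule {
    action  = "AnomalyScoring"
    enabled = false
    id      = "200003"
  }
}'''

if __name__ == "__main__":
    for sample in (INCOMPLETE, FULL_PROPERTIES):
        for group, finding in audit_waf_overrides(sample):
            print(f"{group}: {finding}")
```

A "no rule blocks exported" finding means the group should be compared against the live policy before the configuration is applied.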