Azure / aztfexport

A tool to bring existing Azure resources under Terraform's management
https://azure.github.io/aztfexport/
Mozilla Public License 2.0

WAF Policy rule_group_override is incomplete. #441

Open aidanfinn opened 11 months ago

aidanfinn commented 11 months ago

When you run aztfexport, a WAF policy (azurerm_web_application_firewall_policy) is missing the individual rule overrides. An example of an incomplete export:

managed_rules {
  managed_rule_set {
    rule_group_override {
      rule_group_name = "REQUEST-913-SCANNER-DETECTION"
    }
  }
}

What should be exported:

managed_rules {
  managed_rule_set {
    rule_group_override {
      rule_group_name = "REQUEST-913-SCANNER-DETECTION"
      rule {
        id      = "913101"
        enabled = true
        action  = "AnomalyScoring"
      }
      rule {
        id      = "913102"
        enabled = true
        action  = "AnomalyScoring"
      }
    }
  }
}

aztfexport version v0.13.1 (c690456)

magodo commented 11 months ago

@aidanfinn Thank you for submitting this! The behavior is as expected, as the rule is an Optional+Computed property: https://github.com/hashicorp/terraform-provider-azurerm/blob/fdc7f127174b77e2ce1a828ec93709bbb5b66016/internal/services/network/web_application_firewall_policy_resource.go#L291-L292.

Since the goal of aztfexport is to generate valid configuration and pass terraform plan, we intentionally do not export those properties, as otherwise they might introduce other issues. If you really want all the non-readonly properties to be exported, you can specify the --full-properties flag.

tzuehlke commented 6 months ago

@magodo the --full-properties flag helped to get the missing properties. But it additionally exports the deprecated (computed) property disabled_rules = ["200003", "200004"]. And the property disabled_rules must be removed to run a successful terraform apply. Maybe you can remove disabled_rules from the export?

  managed_rules {
    managed_rule_set {
      type    = "OWASP"
      version = "3.2"
      rule_group_override {
        disabled_rules  = ["200003", "200004"]
        rule_group_name = "General"
        rule {
          action  = "AnomalyScoring"
          enabled = false
          id      = "200003"
        }
        rule {
          action  = "AnomalyScoring"
          enabled = false
          id      = "200004"
        }
      }
    }
  }

magodo commented 6 months ago

@tzuehlke Unfortunately, the resource-level fine tuning is not something we plan to do for now, due to the large maintenance effort.
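Since the maintainers will not strip `disabled_rules` on their side, the workaround from this thread (export with --full-properties, then remove the deprecated property before terraform apply) can be done as a local post-processing step. The script below is an added example, not code from aztfexport or from anyone in the thread: it drops `disabled_rules` inside every `rule_group_override` and also flags overrides that came out with no `rule` block at all, the incomplete shape from the first comment. It assumes aztfexport's one-attribute-or-block-opener-per-line layout and runs on a constructed sample export.

```python
import re
# Constructed sample shaped like an aztfexport --full-properties export (an assumption).
SAMPLE_EXPORT = """\
resource "azurerm_web_application_firewall_policy" "example" {
  managed_rules {
    managed_rule_set {
      rule_group_override {
        disabled_rules  = ["200003"]
        rule_group_name = "General"
        rule {
          id      = "200003"
        }
      }
      rule_group_override {
        rule_group_name = "REQUEST-913-SCANNER-DETECTION"
      }
    }
  }
}
"""
# Assumes one block opener or one attribute per line, as aztfexport writes them.
BLOCK_OPEN = re.compile(r'^\s*([A-Za-z_][\w-]*)\s*=?\s*(?:"[^"]*"\s*)*\{\s*$')
ATTR = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*(.*)$')

def clean_export(hcl):
    """Drop deprecated `disabled_rules` inside rule_group_override blocks and
    report overrides that carry no `rule` block. Returns (text, dropped, names)."""
    stack, overrides, incomplete, kept, dropped = [], [], [], [], 0
    for line in hcl.splitlines():
        m = BLOCK_OPEN.match(line)
        if m:
            stack.append(m.group(1))
            if m.group(1) == "rule_group_override":
                overrides.append({"name": None, "rules": 0})
            elif m.group(1) == "rule" and overrides:
                overrides[-1]["rules"] += 1  # a per-rule override inside the group
        elif line.strip() == "}":
            if stack.pop() == "rule_group_override":
                done = overrides.pop()
                if done["rules"] == 0:
                    incomplete.append(done["name"])  # exported without any rule {}
        elif stack and stack[-1] == "rule_group_override":
            a = ATTR.match(line)
            if a and a.group(1) == "disabled_rules":
                dropped += 1
                continue  # deprecated property: do not emit it
            if a and a.group(1) == "rule_group_name":
                overrides[-1]["name"] = a.group(2).strip().strip('"')
        kept.append(line)
    return "\n".join(kept) + "\n", dropped, incomplete
```

Run `clean_export` over the exported `.tf` text and write the returned text back; any names in the incomplete list are groups whose overrides need to be filled in by hand or re-exported.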