hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

`azurerm_frontdoor_firewall_policy` `override` block optional parameter not working as documented #14645

Closed ghost closed 8 months ago

ghost commented 2 years ago

Terraform (and AzureRM Provider) Version

Terraform v1.0.11
on darwin_amd64
+ provider registry.terraform.io/hashicorp/azurerm v2.89.0

Affected Resource(s)

Terraform Configuration Files

variables.tf

variable "subscription_id" {
  type = string
}

variable "tenant_id" {
  type = string
}

variable "client_id" {
  type = string
}

variable "client_secret" {
  type = string
}

variable "resource_group" {
  type = string
}

main.tf

provider "azurerm" {
  subscription_id = var.subscription_id
  tenant_id       = var.tenant_id
  client_id       = var.client_id
  client_secret   = var.client_secret
  features {}
}

resource "azurerm_frontdoor_firewall_policy" "frontdoor_policy" {
  name                = "FrontDoorWAFv2"
  resource_group_name = var.resource_group
  enabled             = true
  mode                = "Detection"

  managed_rule {
    type    = "Microsoft_DefaultRuleSet"
    version = "1.1"

    override {
      rule_group_name = "PHP"
    }
  }
}

Expected Behaviour

Expected that all PHP rules would be disabled, i.e. [933100, 933110, 933120, 933130, 933140, 933150, 933151, 933160, 933170, 933180].

Actual Behaviour

No PHP rules are disabled.

Steps to Reproduce

  1. Use the HCL code above (supply required variables via -var, terraform.tfvars etc.)
  2. Add the following additional rule under the override block:
     rule {
       rule_id = "933100"
       enabled = false
       action  = "Block"
     }
  3. terraform apply
  4. Check the Azure portal's FrontDoorWAFv2 > Managed rules to see that the single rule (933100) has been disabled
  5. Remove the rule block
  6. terraform apply
  7. Check Azure portal again, all PHP rules should be disabled, but now we will see all PHP rules enabled

Important Factoids

Debug output from the Terraform command shows the following (removed most of it as it's not relevant and has IDs etc. in it):

PUT /subscriptions/{subscription_id}/resourceGroups/{resource_group}/providers/Microsoft.Network/frontDoorWebApplicationFirewallPolicies/FrontDoorWAFv2?api-version=2020-04-01

{
    "location": "global",
    "name": "FrontDoorWAFv2",
    "properties": {
        "managedRules": {
            "managedRuleSets": [
                {
                    "ruleGroupOverrides": [
                        {
                            "ruleGroupName": "PHP"
                        }
                    ],
                    "ruleSetType": "Microsoft_DefaultRuleSet",
                    "ruleSetVersion": "1.1"
                }
            ]
        },
        "policySettings": {
            "enabledState": "Enabled",
            "mode": "Detection"
        }
    },
    "tags": {}
}

This shows the payload being sent over with the rule group name (PHP) and no additional rule blocks, which should disable all rules for the rule group name.

This has me wondering whether or not it's actually a bug in MS' API (2020-04-01). The only difference I can see is that the provider calls an earlier version of the API:

api-version=2020-04-01  <= TF Provider calls this
api-version=2020-11-01  <= MS API docs page has this listed this version for example calls

MS API Docs for 2020-11-01 show only 2 parameters for the managed rule group override, the rule group name and the rules (optional), which if omitted should disable all rules in the group. If there was a bug and it's been fixed, would it be possible to update the provider to use a newer version of the API/SDK?

References

Based on the override documentation for configuring policy on an Azure Front-door service, adding the override block:

override {
    rule_group_name = "PHP"
}

The docs state that if no rule blocks are supplied within the override block:

"If none are specified, all of the rules in the group will be disabled."

Interestingly, the Microsoft API docs say the same thing:

https://docs.microsoft.com/en-us/rest/api/frontdoorservice/webapplicationfirewall/policies/list#managedrulegroupoverride

lonegunmanb commented 2 years ago

It seems like a service-side issue; I've opened a support ticket for it.

lonegunmanb commented 2 years ago

Hi @ghost, sorry for the late reply. The service team confirmed that the document is wrong:

List of rules that will be disabled. If none specified, all rules in the group will be disabled.

It should be:

List of rules that will be disabled. If none specified, all rules in the group will be enabled.

So the firewall works as expected.

I'll update Terraform's doc when Microsoft has updated their doc.
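Given the confirmed semantics above (an `override` that names a rule group but carries no `rule` blocks leaves every rule in that group enabled), the only way to get the reporter's expected result is to list each rule to disable explicitly. The configuration below is an added example, not code from the issue or from the provider's documentation; the rule IDs are the ten the reporter listed, and the `dynamic "rule"` block is a stylistic assumption (ten literal `rule` blocks would be equivalent).

```hcl
resource "azurerm_frontdoor_firewall_policy" "frontdoor_policy" {
  name                = "FrontDoorWAFv2"
  resource_group_name = var.resource_group
  enabled             = true
  mode                = "Detection"

  managed_rule {
    type    = "Microsoft_DefaultRuleSet"
    version = "1.1"

    # An override with only rule_group_name disables nothing (per the
    # service team's corrected wording, all rules in the group stay
    # enabled), so every rule to disable must be enumerated here.
    override {
      rule_group_name = "PHP"

      # Rule IDs are the ones the reporter expected to be disabled.
      dynamic "rule" {
        for_each = toset([
          "933100", "933110", "933120", "933130", "933140",
          "933150", "933151", "933160", "933170", "933180",
        ])
        content {
          rule_id = rule.value
          enabled = false
          action  = "Block" # kept as in the reporter's single-rule snippet
        }
      }
    }
  }
}
```

After `terraform apply`, the request payload's `ruleGroupOverrides` entry for `PHP` should carry ten `rules` entries with `enabledState` disabled, which is the check that distinguishes this from the no-op override in the issue.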

rcskosir commented 8 months ago

Thanks for taking the time to open this issue. As seen in the above-linked Microsoft and Terraform Registry documentation, both have been updated to say disabled; as such, I am going to mark this issue as complete. https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/frontdoor_firewall_policy#override

github-actions[bot] commented 7 months ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.