hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

azurerm_web_application_firewall_policy managed_rule_set for Microsoft_BotManagerRuleSet v1.0 fails to apply disabled rules for rule group "BadBots" #19240

Closed musicislife08 closed 3 months ago

musicislife08 commented 1 year ago

Terraform Version

1.3.4

AzureRM Provider Version

3.33.0

Affected Resource(s)/Data Source(s)

azurerm_web_application_firewall_policy

Terraform Configuration Files

resource "azurerm_web_application_firewall_policy" "main" {
  name                = "wafname"
  resource_group_name = local.resource-group-name
  location            = local.location
  custom_rules {
    action    = "Block"
    name      = "GeoRestrictions"
    priority  = 1
    rule_type = "MatchRule"
    match_conditions {
      match_values = [
        "US",
        "IN",
      ]
      negation_condition = true
      operator           = "GeoMatch"
      transforms         = []
      match_variables {
        variable_name = "RemoteAddr"
      }
    }
  }
  managed_rules {
    managed_rule_set {
      type    = "OWASP"
      version = "3.2"
      rule_group_override {
        disabled_rules = [200002,200003]
        rule_group_name = "General"
      }
      rule_group_override {
        disabled_rules = [ 920320,920470,920300,920230 ]
        rule_group_name = "REQUEST-920-PROTOCOL-ENFORCEMENT"
      }
      rule_group_override {
        disabled_rules = [921150]
        rule_group_name = "REQUEST-921-PROTOCOL-ATTACK"
      }
      rule_group_override {
        disabled_rules = [931130]
        rule_group_name = "REQUEST-931-APPLICATION-ATTACK-RFI"
      }
      rule_group_override {
        disabled_rules = [932110]
        rule_group_name = "REQUEST-932-APPLICATION-ATTACK-RCE"
      }
      rule_group_override {
        disabled_rules = [941100,941330,941340]
        rule_group_name = "REQUEST-941-APPLICATION-ATTACK-XSS"
      }
      rule_group_override {
        disabled_rules  = [
          942100,942110,942120,942130,942150,942180,
          942190,942200,942260,942300,942310,942330,
          942340,942361,942370,942400,942410,942430,
          942440,942450]
        rule_group_name = "REQUEST-942-APPLICATION-ATTACK-SQLI"
      }
    }
    managed_rule_set {
      type    = "Microsoft_BotManagerRuleSet"
      version = "1.0"
      rule_group_override {
        disabled_rules = [100200]
        # ISSUE HERE
        rule_group_name = "BadBots"
      }
    }
  }
  policy_settings {
    enabled                     = true
    mode                        = "Prevention"
    file_upload_limit_in_mb     = 500
    max_request_body_size_in_kb = 128
    request_body_check          = true
  }
  timeouts {}
}

Debug Output/Panic Output

Error: expected managed_rules.0.managed_rule_set.1.rule_group_override.0.rule_group_name to be one of [crs_20_protocol_violations crs_21_protocol_anomalies crs_23_request_limits crs_30_http_policy crs_35_bad_robots crs_40_generic_attacks crs_41_sql_injection_attacks crs_41_xss_attacks crs_42_tight_security crs_45_trojans General Known-CVEs REQUEST-911-METHOD-ENFORCEMENT REQUEST-913-SCANNER-DETECTION REQUEST-920-PROTOCOL-ENFORCEMENT REQUEST-921-PROTOCOL-ATTACK REQUEST-930-APPLICATION-ATTACK-LFI REQUEST-931-APPLICATION-ATTACK-RFI REQUEST-932-APPLICATION-ATTACK-RCE REQUEST-933-APPLICATION-ATTACK-PHP REQUEST-941-APPLICATION-ATTACK-XSS REQUEST-942-APPLICATION-ATTACK-SQLI REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION REQUEST-944-APPLICATION-ATTACK-JAVA], got BadBots

Expected Behaviour

The provider should allow disabling of the BadBots ruleset

Actual Behaviour

Fails to apply as the provider does not list "BadBots" as a valid option

Steps to Reproduce

Add a managed_rule_set to any WAF with the following settings:

managed_rule_set {
  type    = "Microsoft_BotManagerRuleSet"
  version = "1.0"
  rule_group_override {
    disabled_rules  = [100200]
    rule_group_name = "BadBots"
  }
}

Important Factoids

Standard azure cloud

References

No response

wuxu92 commented 1 year ago

Hi @musicislife08, thanks for your feedback. As far as I know, BadBots is not in the validation list in the current version. Is there any doc/link where you see this value for the rule group name?

musicislife08 commented 1 year ago

From the Azure portal you can see the name, and the same string "BadBots" shows up when you query a WAF policy from the Azure CLI.

MICHAL53Q commented 1 year ago

Hello,

"GoodBots" and "UnknownBots" are affected as well; you can also see it on https://resources.azure.com/ when set.

Extending the following list might fix it: internal/services/network/validate/web_application_firewall_policy.go#L7-L32


Snoopenz commented 1 year ago

Hello,

When do you plan to "resolve" this? We started using BotManager RuleSet 1.0 a month ago, but without this, BotManager rules and exclusions can't be handled by Terraform, because we can't define rule groups for rule_group_override. For example, this:

// rule_group_override {
//   rule_group_name = "UnknownBots"
//   rule {
//     id      = "300100"
//     enabled = true
//     action  = "Log"
//   }
//   rule {
//     id      = "300200"
//     enabled = true
//     action  = "Block"
//   }
//   rule {
//     id      = "300600"
//     enabled = true
//     action  = "Block"
//   }
// }

thx

wuxu92 commented 1 year ago

Hi @MICHAL53Q, @musicislife08, @Snoopenz: these rule names have been added since #20221. Could you please try the latest AzureRM provider to see if it addresses this issue?

arisabejuela commented 3 months ago

Hello

I encountered this error when excluding rules from Microsoft_BotManagerRuleSet.

│ Error: expected managed_rules.0.exclusion.1.excluded_rule_set.0.type to be one of ["OWASP" "Microsoft_DefaultRuleSet"], got Microsoft_BotManagerRuleSet
│
│   with module.waf_policy.azurerm_web_application_firewall_policy.appgw_waf,
│   on ..\..\modules\waf_policy\main.tf line 16, in resource "azurerm_web_application_firewall_policy" "appgw_waf":
│   16:   managed_rules {
│
╵

╷
│ Error: expected managed_rules.0.exclusion.1.excluded_rule_set.0.version to be one of ["2.1" "3.2"], got 1.0
│
│   with module.waf_policy.azurerm_web_application_firewall_policy.appgw_waf,
│   on ..\..\modules\waf_policy\main.tf line 16, in resource "azurerm_web_application_firewall_policy" "appgw_waf":
│   16:   managed_rules {

From the documentation (Version 3.113.0), Microsoft_BotManagerRuleSet is currently not part of the allowed values:

The excluded_rule_set block supports the following:

type - (Optional) The rule set type. The only possible values include Microsoft_DefaultRuleSet and OWASP. Defaults to OWASP.

version - (Optional) The rule set version. The only possible values include 2.1 (for rule set type Microsoft_DefaultRuleSet) and 3.2 (for rule set type OWASP). Defaults to 3.2.

rule_group - (Optional) One or more rule_group block defined below.

Could you please update the validation to include Microsoft_BotManagerRuleSet so that we can fully utilize Terraform in managing WAF rules?
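Both reports in this thread (rule_group_name rejected for the Bot Manager rule set, and later excluded_rule_set type/version rejecting it) have the same shape: a flat allow-list that does not know which managed rule set it is validating. The Go snippet below is an added example, not the provider's own code, that keys the allowed names by (type, version) so that a new rule set needs one table entry; the group names in its table are taken from the error message and comments above, and only the two rule sets discussed here are included.

```go
package main

import "fmt"

// ruleSetKey identifies a managed rule set by its type and version.
type ruleSetKey struct{ Type, Version string }

// ruleGroupsByRuleSet lists the rule groups each managed rule set defines.
// Constructed for this example (not the provider's table): the OWASP 3.2
// names are a subset of those in the error message above; the Bot Manager
// 1.0 names are the ones reported in the comments above.
var ruleGroupsByRuleSet = map[ruleSetKey][]string{
	{"OWASP", "3.2"}: {
		"General", "Known-CVEs",
		"REQUEST-920-PROTOCOL-ENFORCEMENT",
		"REQUEST-942-APPLICATION-ATTACK-SQLI",
	},
	{"Microsoft_BotManagerRuleSet", "1.0"}: {"BadBots", "GoodBots", "UnknownBots"},
}

// ValidateExcludedRuleSet checks an excluded_rule_set (type, version) pair
// against the table; this is the check that rejected Bot Manager 1.0 above.
func ValidateExcludedRuleSet(setType, version string) error {
	if _, ok := ruleGroupsByRuleSet[ruleSetKey{setType, version}]; !ok {
		return fmt.Errorf("unknown managed rule set %q version %q", setType, version)
	}
	return nil
}

// ValidateRuleGroupOverride checks rule_group_name against the groups of the
// enclosing managed_rule_set rather than against one flat list shared by all
// rule sets, which is what rejected "BadBots" in the original report.
func ValidateRuleGroupOverride(setType, version, group string) error {
	if err := ValidateExcludedRuleSet(setType, version); err != nil {
		return err
	}
	groups := ruleGroupsByRuleSet[ruleSetKey{setType, version}]
	for _, g := range groups {
		if g == group {
			return nil
		}
	}
	return fmt.Errorf("expected rule_group_name to be one of %v for %s %s, got %s",
		groups, setType, version, group)
}

func main() {
	// The first call is accepted; the second shows that "BadBots" is still
	// rejected where it does not belong (the OWASP rule set).
	fmt.Println(ValidateRuleGroupOverride("Microsoft_BotManagerRuleSet", "1.0", "BadBots"))
	fmt.Println(ValidateRuleGroupOverride("OWASP", "3.2", "BadBots"))
}
```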

wuxu92 commented 3 months ago

@arisabejuela Thanks for reporting this! I created a PR to add Microsoft_BotManagerRuleSet to the validation.

github-actions[bot] commented 2 months ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.