hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

Firewall policy: order matters for "rule_group_override" blocks #20183

Closed Meandron closed 1 year ago

Meandron commented 1 year ago

When adding a new "rule_group_override" to azurerm_web_application_firewall_policy, it only works if you add it to the end. If you add it in between existing ones, data gets confused and apply fails.

Terraform Version

1.2.3

AzureRM Provider Version

3.38.0

Affected Resource(s)/Data Source(s)

azurerm_web_application_firewall_policy

Terraform Configuration Files

resource "azurerm_web_application_firewall_policy" "waf_policy_service_level" {
  name                = "<some_name>"
  resource_group_name = "<some_group>"
  location            = "<some_location>"

  policy_settings {
    enabled                     = true
    mode                        = var.appgw_firewall_mode
    request_body_check          = true
    file_upload_limit_in_mb     = 100
    max_request_body_size_in_kb = 2000
  }

  managed_rules {
    managed_rule_set {
      type    = "OWASP"
      version = "3.2" # see https://docs.microsoft.com/en-us/azure/web-application-firewall/ag/application-gateway-crs-rulegroups-rules for included rules

      # The following rules are disabled
      rule_group_override {
        rule_group_name = "REQUEST-931-APPLICATION-ATTACK-RFI"
        disabled_rules  = ["931130"] # Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link
      }

      rule_group_override {
        rule_group_name = "REQUEST-920-PROTOCOL-ENFORCEMENT"
        disabled_rules = [
          "920320", # Missing User Agent Header
          "920230"  # Multiple URL Encoding Detected
        ]
      }

      #NEW BLOCK!!!
      rule_group_override {
        rule_group_name = "REQUEST-932-APPLICATION-ATTACK-RCE"
        disabled_rules  = ["932100"] # This rule detects Unix command injections
      }

      rule_group_override {
        rule_group_name = "REQUEST-942-APPLICATION-ATTACK-SQLI"
        disabled_rules = [
          "942450", # SQL Hex Encoding Identified
          "942430", # Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12)
          "942440", # SQL Comment Sequence Detected
          "942370", # Detects classic SQL injection probings 2/2
          "942340", # Detects basic SQL authentication bypass attempts 3/3
          "942260", # Detects basic SQL authentication bypass attempts 2/3
          "942200", # Detects MySQL comment-/space-obfuscated injections and backtick termination
          "942330", # Detects classic SQL injection probings 1/2 (/dmp-notification-service/api/v1/subscriptions)
          "942120", # SQL Injection Attack: SQL Operator Detected (/dmp-notification-service/api/v1/subscriptions)
          "942110", # SQL Injection Attack: Common Injection Testing Detected (/assetregistry/api/v1/fileschemas)
          "942150", # SQL Injection Attack
          "942410", # SQL Injection Attack
          "942130", # SQL Injection Attack: SQL Tautology Detected (/assetregistry/api/v1/calculatedsignalrules)
          "942100"  # SQL Injection Attack
        ]
      }

      rule_group_override {
        rule_group_name = "REQUEST-941-APPLICATION-ATTACK-XSS"
        disabled_rules = [
          "941340" # IE XSS Filters - Attack Detected. (/dmp-notification-service/api/v1/subscriptions)
        ]
      }
    }
  }
}

Debug Output/Panic Output

Plan result: 

managed_rules {

          ~ managed_rule_set {
                # (2 unchanged attributes hidden)

              ~ rule_group_override {
                  ~ disabled_rules  = [
                      - "942450",
                      - "942430",
                      - "942440",
                      - "942370",
                      - "942340",
                      - "942260",
                      - "942200",
                      - "942330",
                      - "942120",
                      - "942110",
                      - "942150",
                      - "942410",
                      - "942130",
                      - "942100",
                      + "932100",
                    ]
                  ~ rule_group_name = "REQUEST-942-APPLICATION-ATTACK-SQLI" -> "REQUEST-932-APPLICATION-ATTACK-RCE"

                    # (14 unchanged blocks hidden)
                }
              ~ rule_group_override {
                  ~ disabled_rules  = [
                      - "941340",
                      + "942450",
                      + "942430",
                      + "942440",
                      + "942370",
                      + "942340",
                      + "942260",
                      + "942200",
                      + "942330",
                      + "942120",
                      + "942110",
                      + "942150",
                      + "942410",
                      + "942130",
                      + "942100",
                    ]
                  ~ rule_group_name = "REQUEST-941-APPLICATION-ATTACK-XSS" -> "REQUEST-942-APPLICATION-ATTACK-SQLI"

                    # (1 unchanged block hidden)
                }
              + rule_group_override {
                  + disabled_rules  = [
                      + "941340",
                    ]
                  + rule_group_name = "REQUEST-941-APPLICATION-ATTACK-XSS"

                  + rule {
                      + action  = (known after apply)
                      + enabled = (known after apply)
                      + id      = (known after apply)
                    }
                }
                # (2 unchanged blocks hidden)
            }
        }

Expected Behaviour

Plan result, when new block is added to the end:

managed_rules {

      ~ managed_rule_set {
            # (2 unchanged attributes hidden)

          + rule_group_override {
              + disabled_rules  = [
                  + "932100",
                ]
              + rule_group_name = "REQUEST-932-APPLICATION-ATTACK-RCE"

              + rule {
                  + action  = (known after apply)
                  + enabled = (known after apply)
                  + id      = (known after apply)
                }
            }
            # (4 unchanged blocks hidden)
        }
    }

Actual Behaviour

Error: creating Application Gateway Web Application Firewall Policy: (Name "" / Resource Group ""): network.WebApplicationFirewallPoliciesClient#CreateOrUpdate: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="ApplicationGatewayFirewallUnknownRuleOverride" Message="The override Rule '942450' is unknown for RuleGroup 'REQUEST-932-APPLICATION-ATTACK-RCE' for Application Gateway Firewall in context ''." Details=[]

Steps to Reproduce

  1. Add "rule_group_override" blocks
  2. TF plan & apply
  3. Add a new "rule_group_override" block in between existing ones
  4. TF plan & apply

Important Factoids

No response

References

No response
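The plan output above is the signature of a positional diff: inserting a block mid-list shifts every later block by one, so each shifted position looks like a renamed group with swapped disabled_rules, and with this provider version the apply then fails with ApplicationGatewayFirewallUnknownRuleOverride. The following pre-apply check is an added example written for this issue, not the reporter's configuration or the provider's code. It reads the resource's `change.before` / `change.after` objects as `terraform show -json plan.out` renders them (assumption: nested blocks are lists of objects under `managed_rules[0].managed_rule_set[0].rule_group_override`), flags in-place group renames, shows the name-keyed diff the author actually intended, and additionally checks that each disabled rule id carries its group's three-digit prefix (assumption: OWASP CRS 3.x numbering, where REQUEST-942-... holds rules 942xxx). The embedded BEFORE/AFTER data is constructed to mirror the issue's steps 2 and 3 with a shortened SQLI list.

```python
"""Pre-apply check for azurerm_web_application_firewall_policy plan JSON.

Run with a path to `terraform show -json plan.out` output, or with no
arguments to run on the constructed sample below.
"""
from __future__ import annotations

import json
import sys
from typing import Any

RESOURCE_TYPE = "azurerm_web_application_firewall_policy"


def overrides(change: dict[str, Any]) -> list[dict[str, Any]]:
    """rule_group_override blocks of the first managed_rule_set (plan-JSON shape assumed)."""
    return change["managed_rules"][0]["managed_rule_set"][0].get("rule_group_override", [])


def positional_renames(before: dict[str, Any], after: dict[str, Any]) -> list[tuple[int, str, str]]:
    """Positions whose rule_group_name differs between before and after.

    A block inserted mid-list makes every later position look renamed; that is the
    plan shape this issue reports as failing at apply.
    """
    pairs = zip(overrides(before), overrides(after))
    return [
        (i, old["rule_group_name"], new["rule_group_name"])
        for i, (old, new) in enumerate(pairs)
        if old["rule_group_name"] != new["rule_group_name"]
    ]


def named_diff(before: dict[str, Any], after: dict[str, Any]) -> dict[str, list[str]]:
    """Diff keyed by rule_group_name instead of position: the intended change."""
    b = {o["rule_group_name"]: sorted(o["disabled_rules"]) for o in overrides(before)}
    a = {o["rule_group_name"]: sorted(o["disabled_rules"]) for o in overrides(after)}
    return {
        "added": sorted(a.keys() - b.keys()),
        "removed": sorted(b.keys() - a.keys()),
        "changed": sorted(k for k in a.keys() & b.keys() if a[k] != b[k]),
    }


def misfiled_rules(change: dict[str, Any]) -> list[tuple[str, str]]:
    """(group, rule) pairs where the rule id prefix is not the group number (CRS 3.x assumed)."""
    found = []
    for o in overrides(change):
        group_no = o["rule_group_name"].split("-")[1]  # "REQUEST-942-..." -> "942"
        found.extend((o["rule_group_name"], r) for r in o["disabled_rules"] if not r.startswith(group_no))
    return found


def check_plan(before: dict[str, Any], after: dict[str, Any]) -> list[str]:
    """Human-readable findings; an empty list means the plan is safe to apply as-is."""
    findings = [
        f"position {i}: {old} -> {new} (block shifted; append new overrides at the end instead)"
        for i, old, new in positional_renames(before, after)
    ]
    findings += [f"{g}: rule {r} does not belong to this group" for g, r in misfiled_rules(after)]
    return findings


def from_plan_json(plan: dict[str, Any]) -> dict[str, list[str]]:
    """Apply check_plan to every WAF policy update in a `terraform show -json` document."""
    results: dict[str, list[str]] = {}
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        if rc.get("type") == RESOURCE_TYPE and change.get("before") and change.get("after"):
            results[rc["address"]] = check_plan(change["before"], change["after"])
    return results


def _change(groups: list[tuple[str, list[str]]]) -> dict[str, Any]:
    """Build a constructed change object in plan-JSON shape from (group, disabled rules) pairs."""
    return {"managed_rules": [{"managed_rule_set": [{
        "type": "OWASP", "version": "3.2",
        "rule_group_override": [{"rule_group_name": g, "disabled_rules": r} for g, r in groups],
    }]}]}


# Constructed sample data mirroring the issue (SQLI list shortened).
RFI = ("REQUEST-931-APPLICATION-ATTACK-RFI", ["931130"])
PROTO = ("REQUEST-920-PROTOCOL-ENFORCEMENT", ["920320", "920230"])
SQLI = ("REQUEST-942-APPLICATION-ATTACK-SQLI", ["942450", "942430", "942100"])
XSS = ("REQUEST-941-APPLICATION-ATTACK-XSS", ["941340"])
RCE = ("REQUEST-932-APPLICATION-ATTACK-RCE", ["932100"])

BEFORE = _change([RFI, PROTO, SQLI, XSS])             # state after step 2
AFTER_MIDDLE = _change([RFI, PROTO, RCE, SQLI, XSS])  # step 3: new block inserted mid-list
AFTER_END = _change([RFI, PROTO, SQLI, XSS, RCE])     # the working variant: block appended

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            print(json.dumps(from_plan_json(json.load(fh)), indent=2))
    else:
        for label, after in (("inserted mid-list", AFTER_MIDDLE), ("appended", AFTER_END)):
            print(label, named_diff(BEFORE, after), check_plan(BEFORE, after))
```

Running it on the constructed sample reports the two in-place renames at positions 2 and 3 (942 -> 932 and 941 -> 942, exactly as in the plan above) for the mid-list insert and no findings for the appended variant, while the name-keyed diff is identical for both: one added group. Wiring `from_plan_json` into a pipeline step between plan and apply turns the positional-diff pattern into a gate rather than a 400 at apply time.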

ms-zhenhua commented 1 year ago

Hi @Meandron, thank you for reporting this issue. I have created a PR to fix it.

github-actions[bot] commented 1 year ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.