Ability to configuration WAF advanced application rules

[RobertNorthard]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

The default OWASP WAF rule set blocks PUT and PATCH request methods which are common Resftul API request methods. We would like to be able to customise the rules set through Terraform.

New or Affected Resource(s)

• azurerm_application_gateway

References

• https://www.terraform.io/docs/providers/azurerm/r/application_gateway.html

[mattquinn]

Building on this a little, I see specific mention of the absence of this feature is called out here: http://fortytwoblog.centralus.cloudapp.azure.com/2018/07/12/configuring-azure-traffic-manager-application-gateway-and-app-services/

You can set some very basic WAF properties in Terraform:

waf_configuration { enabled = "true" firewall_mode = "Detection" rule_set_type = "OWASP" rule_set_version = "3.0" }

But the specific rules/rulesets are effectively 'data' rather than resource definitions and aren't currently available to set via Terraform.

In the short term you can use PowerShell or the CLI to configure the active rulesets as outlined here:

• PowerShell - https://docs.microsoft.com/en-us/azure/application-gateway/application-gateway-customize-waf-rules-powershell
• CLI - https://docs.microsoft.com/en-us/azure/application-gateway/application-gateway-customize-waf-rules-cli

Understand however the intent is to have "desired state" set in Terraform rather than commands/scripts to set individual rules on/off.

As a stop gap (until this feature is added both both at the ARM level and the Terraform layer over ARM) may be to have a script that explicitly checks and turns on all required rules and checks off all unrequired rules?

[RobertNorthard]

Thanks @mattquinn - we decided on using the Azure CLI temporality as part of a null resource to customise the rule set. It does not track desired state, but has a trigger on gateway changes.

[dan-jackson-github]

Does this feature request include the ability to configure exclusion rules on the WAF also? We use a couple of these to tune the WAF with our application, it doesn't appear that they can be set via Terraform at the current time

[RobertNorthard]

It should do as that is our primary use case.

[timja]

WIP PR up for disabled rule groups, it doesn't cover all of this issue but should help: https://github.com/terraform-providers/terraform-provider-azurerm/pull/3356

[saravanaarthikeyakumar]

Hi Team,

Please help to validate the below written script prepared from my side. If not , suggest me the best possible methods to written the script.

Under the WAF resource group , I created one sub resource group as below..

disabled_rule_group { rule_group_name = "REQUEST-920-PROTOCOL-ENFORCEMENT" rules = "920300,920320" rule_group_name = "REQUEST-942-APPLICATION-ATTACK-SQLI" rules = "942100","942440" }
}

[favoretti]

Since this issue has been reported a long time ago and relates to the version of provider we no longer support - I'm going to close it. Please open a new updated bug report if this is still relevant. Thank you.

[github-actions[bot]]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.