hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

Support for 'SocketAddr' in match_variable for Front Door firewall policy (WAF) custom_rule #8121

Closed darrenk13 closed 4 years ago

darrenk13 commented 4 years ago

Description

Terraform has support in the Front Door WAF custom policies for a match_variable of RemoteAddr for match types (operator) of IPMatch. Azure has an option for another match_variable of SocketAddr. Please add SocketAddr to the list of valid options.

Both options filter on remote IP address but RemoteAddr will look at the X-Forwarded-For header which is insecure. SocketAddr does not have that behaviour.

New or Affected Resource(s)

Resource:

Potential Terraform Configuration

resource "azurerm_frontdoor_firewall_policy" "policy" {
    location                          = "global"
    name                              = "example"
    resource_group_name               = "resourceGroupName"

    custom_rule {
        action                         = "Block"
        name                           = "IPmatch"
        priority                       = 50
        type                           = "MatchRule"

        match_condition {
            match_values       = ["10.0.0.0/24"]
            negation_condition = true
            operator           = "IPMatch"

            match_variable     = "SocketAddr"
        }
    }
}

References
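To make the security point of this request concrete, the following is an added example (not code from the issue, the provider, or Azure): a small Python model of how a custom_rule match_condition with operator IPMatch decides, depending on whether match_variable inspects the TCP peer address (SocketAddr) or an address taken from the X-Forwarded-For header (RemoteAddr, as the issue describes it). The rule mirrors the configuration above: block unless the client address is inside 10.0.0.0/24. The header-parsing behaviour, the request dictionaries and the address values are constructed assumptions for illustration; Azure's actual evaluation logic is not reproduced.

```python
"""Simplified model of a Front Door WAF IPMatch custom rule evaluated against
either SocketAddr or RemoteAddr (added example, not from the issue or provider)."""
import ipaddress

# Constructed rule mirroring the issue's "Potential Terraform Configuration":
# action Block, operator IPMatch, negation_condition = true, so the rule fires
# for any client address that is NOT inside 10.0.0.0/24.
RULE = {
    "action": "Block",
    "operator": "IPMatch",
    "negation_condition": True,
    "match_values": ["10.0.0.0/24"],
}


def client_address(request: dict, match_variable: str) -> str:
    """Return the address the given match_variable inspects.

    SocketAddr: the TCP peer address of the connection (the client cannot forge it).
    RemoteAddr: the first hop in X-Forwarded-For when present, else the peer address.
    Assumption: this models the behaviour the issue describes, not Azure's code.
    """
    if match_variable == "SocketAddr":
        return request["socket_addr"]
    if match_variable == "RemoteAddr":
        xff = request.get("headers", {}).get("X-Forwarded-For")
        if xff:
            return xff.split(",")[0].strip()
        return request["socket_addr"]
    raise ValueError(f"unsupported match_variable: {match_variable}")


def ip_match(address: str, cidrs: list[str]) -> bool:
    """True if address falls inside any of the CIDR ranges in match_values."""
    ip = ipaddress.ip_address(address)
    return any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs)


def evaluate(rule: dict, request: dict, match_variable: str) -> str:
    """Return the rule's action ("Block") if its condition fires, else "Allow"."""
    if rule["operator"] != "IPMatch":
        raise ValueError("only IPMatch is modelled here")
    matched = ip_match(client_address(request, match_variable), rule["match_values"])
    if rule["negation_condition"]:
        matched = not matched
    return rule["action"] if matched else "Allow"


# Constructed sample requests. The second connects from outside the allowed range
# but carries a client-supplied X-Forwarded-For naming an address inside it.
INSIDE = {"socket_addr": "10.0.0.7", "headers": {}}
OUTSIDE_WITH_HEADER = {
    "socket_addr": "203.0.113.9",
    "headers": {"X-Forwarded-For": "10.0.0.7"},
}


def decisions() -> dict:
    """Evaluate both requests under both match variables."""
    return {
        "inside/SocketAddr": evaluate(RULE, INSIDE, "SocketAddr"),
        "inside/RemoteAddr": evaluate(RULE, INSIDE, "RemoteAddr"),
        "outside_with_header/SocketAddr": evaluate(RULE, OUTSIDE_WITH_HEADER, "SocketAddr"),
        "outside_with_header/RemoteAddr": evaluate(RULE, OUTSIDE_WITH_HEADER, "RemoteAddr"),
    }


if __name__ == "__main__":
    for case, action in decisions().items():
        print(f"{case:32} -> {action}")
```

Under SocketAddr the request from 203.0.113.9 is blocked regardless of what headers it carries; under RemoteAddr the same request is allowed because the decision rests on a header the client chose. That is the behaviour the issue wants to be able to avoid by selecting SocketAddr in the provider.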

ghost commented 4 years ago

This has been released in version 2.25.0 of the provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. As an example:

provider "azurerm" {
    version = "~> 2.25.0"
}
# ... other configuration ...

ghost commented 3 years ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!