Azure waf custom terraform configuration is throwing error for match_variables
I'm adding waf configuration to avoid when ever "--BEGIN PUBLIC KEY---" is matching but terraform is throwing error about some required options
name = "example-wafpolicy"
resource_group_name = azurerm_resource_group.rg.name
location = "Global"
custom_rules {
name = "MatchPublicKey"
priority = 1
rule_type = "MatchRule"
action = "Block"
match_conditions {
match_variable = "RequestBody"
operator = "RegexMatch"
match_values = ["--BEGIN PUBLIC KEY---"]
}
}
managed_rules {
managed_rule_set {
version = "1.1"
}
}
}```
```Too few blocks specified for "match_variables": At least 1 block(s) are expected for "match_variables"Terraform
Unexpected attribute: An attribute named "match_variable" is not expected hereTerraform
Solution
Azure waf custom policy configuration is throwoing error for match_variables using terraform
As per the latest terraform registry you should mention the match_variables within match_conditions and use the variable_name attribute instead of match_variable
Demo configuration:
resource "azurerm_cdn_frontdoor_firewall_policy" "example" {
name = "vinaycdnfdwafpolicy"
resource_group_name = azurerm_resource_group.example.name
sku_name = azurerm_cdn_frontdoor_profile.example.sku_name
enabled = true
mode = "Prevention"
redirect_url = "https://www.contoso.com"
custom_block_response_status_code = 403
custom_block_response_body = "PGh0bWw+CjxoZWFkZXI+PHRpdGxlPkhlbGxvPC90aXRsZT48L2hlYWRlcj4KPGJvZHk+CkhlbGxvIHdvcmxkCjwvYm9keT4KPC9odG1sPg=="
custom_rule {
name = "Rule1"
enabled = true
priority = 1
rate_limit_duration_in_minutes = 1
rate_limit_threshold = 10
type = "MatchRule"
action = "Block"
match_condition {
match_variable = "RemoteAddr"
operator = "IPMatch"
negation_condition = false
match_values = ["10.0.1.0/24", "10.0.0.0/24"]
}
}
custom_rule {
name = "Rule2"
enabled = true
priority = 2
rate_limit_duration_in_minutes = 1
rate_limit_threshold = 10
type = "MatchRule"
action = "Block"
match_condition {
match_variable = "RemoteAddr"
operator = "IPMatch"
negation_condition = false
match_values = ["192.168.1.0/24"]
}
match_condition {
match_variable = "RequestHeader"
selector = "UserAgent"
operator = "Contains"
negation_condition = false
match_values = ["windows"]
transforms = ["Lowercase", "Trim"]
}
}
managed_rule {
type = "DefaultRuleSet"
version = "1.0"
action = "Block"
exclusion {
match_variable = "QueryStringArgNames"
operator = "Equals"
selector = "not_suspicious"
}
override {
rule_group_name = "PHP"
rule {
rule_id = "933100"
enabled = false
action = "Block"
}
}
override {
rule_group_name = "SQLI"
exclusion {
match_variable = "QueryStringArgNames"
operator = "Equals"
selector = "really_not_suspicious"
}
rule {
rule_id = "942200"
action = "Block"
exclusion {
match_variable = "QueryStringArgNames"
operator = "Equals"
selector = "innocent"
}
}
}
}
managed_rule {
type = "Microsoft_BotManagerRuleSet"
version = "1.0"
action = "Log"
}
}
Deployment:
Refer:
- "Schema" property not found in Postgres Connector
- Downloading file from Azure blob storage via Memory Stream
- Reading env variable from template.yaml
- HTTP Error 500.30 - ASP.NET Core app failed to start - Azure
- Azure DevOps Pipelines: TerraformTaskV4: init with different subscription and Workflow Identity Federation
- Enabling HTTPS for a Azure blob static website
- How to search across many Azure Devops Git project and find all files which contain specific text AND which filename contains "Resource"
- Hosting SPA with Static Website option on Azure Blob Storage (clean URLs and Deep links)
- Using Managed Identity to Access Azure OpenAI Service
- Azure data factory not loading
- Transfer encrypted dataprotection keys from a windows vm to azure keyvault
- Refresh powerBI data with additional column
- Azure Application Insights AKS - How to Create 1 custom alert rule which will trigger multiple alerts, but with different names (per pod name)?
- gRPC and REST side by side in Azure App Service, Linux Container
- Connecting to a SignalR WSS stream but not getting the response i am looking for
- SignalR prevent user from opening multiple sessions in different tabs
- Application Insights -_logger.LogInformation
- CosmosDB is not allowing serverless capabalities to NoSQL, it says I must use CapacityMode
- Azure Webapp / Website Swap : HTTP Ping Error
- Microsoft Graph API - Update phoneMethods is no longer working
- Use Azure Key Vault secret in Header section of Web Activity
- Azure Storage blob getting the io.netty.channel.StacklessClosedChannelException while generating /downloading the from SasUrl
- How do I save and later load Azure AnalyzeResult object in python?
- Office 365 Exchange Online permission is not visible for registered application in azure active directory
- Azure ADF - HTTP : Table from list
- Self hosted azure devops build agent not getting tool from $PATH
- Azure devops pipeline stages template nesting
- Azure APIM is returning the incorrect HTTP response error when call is missing mandatory querystring parameter
- Azure DevOps build pipeline logid for a specific task - dynamically
- PS script to fetch the list non-compliance resource list with respect to policy from multiple subscriptions