azurerm_frontdoor_firewall_policy - support for exclusions
timja committed Jan 15, 2020
1 parent 478aef5 commit 3ba7319
Showing 3 changed files with 265 additions and 12 deletions.
Expand Up @@ -248,6 +248,42 @@ func resourceArmFrontDoorFirewallPolicy() *schema.Resource {
ValidateFunc: validate.NoEmptyStrings,
},

"exclusion": {
Type: schema.TypeList,
MaxItems: 100,
Optional: true,
Elem: &schema.Resource{
Schema: map[string]*schema.Schema{
"match_variable": {
Type: schema.TypeString,
Required: true,
ValidateFunc: validation.StringInSlice([]string{
string(frontdoor.QueryStringArgNames),
string(frontdoor.RequestBodyPostArgNames),
string(frontdoor.RequestCookieNames),
string(frontdoor.RequestHeaderNames),
}, false),
},
"operator": {
Type: schema.TypeString,
Required: true,
ValidateFunc: validation.StringInSlice([]string{
string(frontdoor.Contains),
string(frontdoor.EndsWith),
string(frontdoor.Equals),
string(frontdoor.EqualsAny),
string(frontdoor.StartsWith),
}, false),
},
"selector": {
Type: schema.TypeString,
Required: true,
ValidateFunc: validate.NoEmptyStrings,
},
},
},
},

"override": {
Type: schema.TypeList,
MaxItems: 100,
Expand All @@ -260,6 +296,42 @@ func resourceArmFrontDoorFirewallPolicy() *schema.Resource {
ValidateFunc: validate.NoEmptyStrings,
},

"exclusion": {
Type: schema.TypeList,
MaxItems: 100,
Optional: true,
Elem: &schema.Resource{
Schema: map[string]*schema.Schema{
"match_variable": {
Type: schema.TypeString,
Required: true,
ValidateFunc: validation.StringInSlice([]string{
string(frontdoor.QueryStringArgNames),
string(frontdoor.RequestBodyPostArgNames),
string(frontdoor.RequestCookieNames),
string(frontdoor.RequestHeaderNames),
}, false),
},
"operator": {
Type: schema.TypeString,
Required: true,
ValidateFunc: validation.StringInSlice([]string{
string(frontdoor.Contains),
string(frontdoor.EndsWith),
string(frontdoor.Equals),
string(frontdoor.EqualsAny),
string(frontdoor.StartsWith),
}, false),
},
"selector": {
Type: schema.TypeString,
Required: true,
ValidateFunc: validate.NoEmptyStrings,
},
},
},
},

"rule": {
Type: schema.TypeList,
MaxItems: 1000,
Expand All @@ -278,6 +350,42 @@ func resourceArmFrontDoorFirewallPolicy() *schema.Resource {
Default: false,
},

"exclusion": {
Type: schema.TypeList,
MaxItems: 100,
Optional: true,
Elem: &schema.Resource{
Schema: map[string]*schema.Schema{
"match_variable": {
Type: schema.TypeString,
Required: true,
ValidateFunc: validation.StringInSlice([]string{
string(frontdoor.QueryStringArgNames),
string(frontdoor.RequestBodyPostArgNames),
string(frontdoor.RequestCookieNames),
string(frontdoor.RequestHeaderNames),
}, false),
},
"operator": {
Type: schema.TypeString,
Required: true,
ValidateFunc: validation.StringInSlice([]string{
string(frontdoor.Contains),
string(frontdoor.EndsWith),
string(frontdoor.Equals),
string(frontdoor.EqualsAny),
string(frontdoor.StartsWith),
}, false),
},
"selector": {
Type: schema.TypeString,
Required: true,
ValidateFunc: validate.NoEmptyStrings,
},
},
},
},

"action": {
Type: schema.TypeString,
Required: true,
Expand Down Expand Up @@ -344,6 +452,7 @@ func resourceArmFrontDoorFirewallPolicyCreateUpdate(d *schema.ResourceData, meta
customBlockResponseBody := d.Get("custom_block_response_body").(string)
customRules := d.Get("custom_rule").([]interface{})
managedRules := d.Get("managed_rule").([]interface{})

t := d.Get("tags").(map[string]interface{})

frontdoorWebApplicationFirewallPolicy := frontdoor.WebApplicationFirewallPolicy{
Expand Down Expand Up @@ -577,12 +686,17 @@ func expandArmFrontDoorFirewallManagedRules(input []interface{}) *frontdoor.Mana
ruleType := managedRule["type"].(string)
version := managedRule["version"].(string)
overrides := managedRule["override"].([]interface{})
exclusions := managedRule["exclusion"].([]interface{})

managedRuleSet := frontdoor.ManagedRuleSet{
RuleSetType: utils.String(ruleType),
RuleSetVersion: utils.String(version),
}

if exclusions := expandArmFrontDoorFirewallManagedRuleGroupExclusion(exclusions); exclusions != nil {
managedRuleSet.Exclusions = exclusions
}

if ruleGroupOverrides := expandArmFrontDoorFirewallManagedRuleGroupOverride(overrides); ruleGroupOverrides != nil {
managedRuleSet.RuleGroupOverrides = ruleGroupOverrides
}
Expand All @@ -595,6 +709,31 @@ func expandArmFrontDoorFirewallManagedRules(input []interface{}) *frontdoor.Mana
}
}

func expandArmFrontDoorFirewallManagedRuleGroupExclusion(input []interface{}) *[]frontdoor.ManagedRuleExclusion {
if len(input) == 0 {
return nil
}

managedRuleExclusions := make([]frontdoor.ManagedRuleExclusion, 0)
for _, v := range input {
exclusion := v.(map[string]interface{})

matchVariable := exclusion["match_variable"].(string)
operator := exclusion["operator"].(string)
selector := exclusion["selector"].(string)

managedRuleExclusion := frontdoor.ManagedRuleExclusion{
MatchVariable: frontdoor.ManagedRuleExclusionMatchVariable(matchVariable),
SelectorMatchOperator: frontdoor.ManagedRuleExclusionSelectorMatchOperator(operator),
Selector: utils.String(selector),
}

managedRuleExclusions = append(managedRuleExclusions, managedRuleExclusion)
}

return &managedRuleExclusions
}

func expandArmFrontDoorFirewallManagedRuleGroupOverride(input []interface{}) *[]frontdoor.ManagedRuleGroupOverride {
if len(input) == 0 {
return nil
Expand All @@ -606,11 +745,16 @@ func expandArmFrontDoorFirewallManagedRuleGroupOverride(input []interface{}) *[]

ruleGroupName := override["rule_group_name"].(string)
rules := override["rule"].([]interface{})
exclusions := override["exclusion"].([]interface{})

managedRuleGroupOverride := frontdoor.ManagedRuleGroupOverride{
RuleGroupName: utils.String(ruleGroupName),
}

if exclusions := expandArmFrontDoorFirewallManagedRuleGroupExclusion(exclusions); exclusions != nil {
managedRuleGroupOverride.Exclusions = exclusions
}

if managedRuleOverride := expandArmFrontDoorFirewallRuleOverride(rules); managedRuleOverride != nil {
managedRuleGroupOverride.Rules = managedRuleOverride
}
Expand All @@ -636,13 +780,18 @@ func expandArmFrontDoorFirewallRuleOverride(input []interface{}) *[]frontdoor.Ma
}
ruleId := rule["rule_id"].(string)
action := rule["action"].(string)
exclusions := rule["exclusion"].([]interface{})

managedRuleOverride := frontdoor.ManagedRuleOverride{
RuleID: utils.String(ruleId),
EnabledState: enabled,
Action: frontdoor.ActionType(action),
}

if exclusions := expandArmFrontDoorFirewallManagedRuleGroupExclusion(exclusions); exclusions != nil {
managedRuleOverride.Exclusions = exclusions
}

managedRuleOverrides = append(managedRuleOverrides, managedRuleOverride)
}

Expand Down Expand Up @@ -731,6 +880,29 @@ func flattenArmFrontDoorFirewallManagedRules(input *frontdoor.ManagedRuleSetList
output["override"] = flattenArmFrontDoorFirewallOverrides(v)
}

if v := r.Exclusions; v != nil {
output["exclusion"] = flattenArmFrontDoorFirewallExclusions(v)
}

results = append(results, output)
}

return results
}

func flattenArmFrontDoorFirewallExclusions(managedRuleExclusion *[]frontdoor.ManagedRuleExclusion) []interface{} {
if managedRuleExclusion == nil {
return make([]interface{}, 0)
}

results := make([]interface{}, 0)
for _, o := range *managedRuleExclusion {
output := make(map[string]interface{})

output["match_variable"] = o.MatchVariable
output["operator"] = o.SelectorMatchOperator
output["selector"] = o.Selector

results = append(results, output)
}

Expand All @@ -750,6 +922,10 @@ func flattenArmFrontDoorFirewallOverrides(groupOverride *[]frontdoor.ManagedRule
output["rule_group_name"] = *v
}

if v := o.Exclusions; v != nil {
output["exclusion"] = flattenArmFrontDoorFirewallExclusions(v)
}

if rules := o.Rules; rules != nil {
output["rule"] = flattenArmFrontdoorFirewallRules(rules)
}
Expand All @@ -776,6 +952,10 @@ func flattenArmFrontdoorFirewallRules(override *[]frontdoor.ManagedRuleOverride)
output["rule_id"] = *v
}

if v := o.Exclusions; v != nil {
output["exclusion"] = flattenArmFrontDoorFirewallExclusions(v)
}

results = append(results, output)
}

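Review bot: flattenArmFrontDoorFirewallExclusions stores the raw SDK values in state — `o.Selector` is a `*string` (it is built with `utils.String` in the expand helper earlier in this section) and `o.MatchVariable`/`o.SelectorMatchOperator` are typed string aliases — whereas the sibling flatteners in the same section nil-check and dereference (`output["rule_group_name"] = *v`, `output["rule_id"] = *v`). The acceptance test asserts the selector round-trips, so the SDK presumably coerces these, but relying on that is inconsistent with the file; I would write `output["match_variable"] = string(o.MatchVariable)`, `output["operator"] = string(o.SelectorMatchOperator)` and `if v := o.Selector; v != nil { output["selector"] = *v }`. The identical three-field `exclusion` schema is also pasted at rule-set, group and rule level, and the expand helper named `...ManagedRuleGroupExclusion` serves all three scopes; one schema helper returning the `*schema.Schema` (and a scope-neutral name such as `expandArmFrontDoorFirewallManagedRuleExclusion`) would keep the allowed match variables and operators in a single place. Assuming these map directly onto the service's managed-rule exclusions, each entry removes the matched request component from inspection for the scope it is attached to, so a comment on that helper like `// an exclusion exempts the matched query arg / body arg / cookie / header from managed-rule inspection at this scope; keep selectors as narrow as possible` would help reviewers of a plan judge the WAF coverage they are giving up. The closing lines of flattenArmFrontDoorFirewallExclusions fall outside this section.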
Expand Up @@ -111,7 +111,10 @@ func TestAccAzureRMFrontDoorFirewallPolicy_complete(t *testing.T) {
resource.TestCheckResourceAttr(data.ResourceName, "custom_rule.0.name", "Rule1"),
resource.TestCheckResourceAttr(data.ResourceName, "custom_rule.1.name", "Rule2"),
resource.TestCheckResourceAttr(data.ResourceName, "managed_rule.0.type", "DefaultRuleSet"),
resource.TestCheckResourceAttr(data.ResourceName, "managed_rule.1.type", "BotProtection"),
resource.TestCheckResourceAttr(data.ResourceName, "managed_rule.0.exclusion.0.match_variable", "QueryStringArgNames"),
resource.TestCheckResourceAttr(data.ResourceName, "managed_rule.0.override.1.exclusion.0.selector", "really_not_suspicious"),
resource.TestCheckResourceAttr(data.ResourceName, "managed_rule.0.override.1.rule.0.exclusion.0.selector", "innocent"),
resource.TestCheckResourceAttr(data.ResourceName, "managed_rule.1.type", "Microsoft_BotManagerRuleSet"),
),
},
data.ImportStep(),
Expand Down Expand Up @@ -276,22 +279,49 @@ resource "azurerm_frontdoor_firewall_policy" "test" {
managed_rule {
type = "DefaultRuleSet"
version = "preview-0.1"
version = "1.0"
exclusion {
match_variable = "QueryStringArgNames"
operator = "Equals"
selector = "not_suspicious"
}
override {
rule_group_name = "PHP"
rule {
rule_id = "933111"
rule_id = "933100"
enabled = false
action = "Block"
}
}
}
override {
rule_group_name = "SQLI"
exclusion {
match_variable = "QueryStringArgNames"
operator = "Equals"
selector = "really_not_suspicious"
}
rule {
rule_id = "942200"
action = "Block"
exclusion {
match_variable = "QueryStringArgNames"
operator = "Equals"
selector = "innocent"
}
}
}
}
managed_rule {
type = "BotProtection"
version = "preview-0.1"
type = "Microsoft_BotManagerRuleSet"
version = "1.0"
}
}
`, data.RandomInteger, data.Locations.Primary, inner)
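Review bot: The new assertions pin `match_variable` and `selector` for the three exclusion levels but never `operator`, so a flatten that dropped or mis-mapped `SelectorMatchOperator` would still pass this test; add `resource.TestCheckResourceAttr(data.ResourceName, "managed_rule.0.exclusion.0.operator", "Equals")` next to the existing checks (the `ImportStep` gives some cover, but an explicit attribute check is cheaper to diagnose). The same config also changes the rule-set version to `1.0`, the PHP rule id and the bot rule-set name, which are unrelated to exclusions and not mentioned in the commit title; a short note in the description, or a separate commit, would keep that bisectable. The enclosing test config string begins before this hunk.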