web_application_firewall_policy - Adds support for `requestBodyEnfo…

…rcement` (#27094) * feat: add support for request body enforcement in web application firewall policy * feat: add request body enforcement option to `waf_configuration` block * Update web_application_firewall_policy.go * Update website/docs/r/application_gateway.html.markdown Co-authored-by: stephybun <[email protected]> * Update internal/services/network/web_application_firewall_policy_resource_test.go Co-authored-by: stephybun <[email protected]> * Update vendor/github.com/hashicorp/go-azure-sdk/resource-manager/network/2022-07-01/applicationgateways/model_applicationgatewaywebapplicationfirewallconfiguration.go Co-authored-by: stephybun <[email protected]> * Update internal/services/network/web_application_firewall_policy_resource_test.go Co-authored-by: stephybun <[email protected]> * feat: disable request body enforcement in web application firewall policy test * fix formatting --------- Co-authored-by: stephybun <[email protected]>
hashicorp · Aug 20, 2024 · 8824881 · 8824881
1 parent 1997b61
commit 8824881
Show file tree

Hide file tree

Showing 4 changed files with 18 additions and 2 deletions.
diff --git a/internal/services/network/web_application_firewall_policy_resource.go b/internal/services/network/web_application_firewall_policy_resource.go
@@ -390,6 +390,12 @@ func resourceWebApplicationFirewallPolicy() *pluginsdk.Resource {
 							Default:      100,
 						},
 
+						"request_body_enforcement": {
+							Type:     pluginsdk.TypeBool,
+							Optional: true,
+							Default:  true,
+						},
+
 						"max_request_body_size_in_kb": {
 							Type:         pluginsdk.TypeInt,
 							Optional:     true,
@@ -720,13 +726,15 @@ func expandWebApplicationFirewallPolicyPolicySettings(input []interface{}) *weba
 	}
 	mode := v["mode"].(string)
 	requestBodyCheck := v["request_body_check"].(bool)
+	requestBodyEnforcement := v["request_body_enforcement"].(bool)
 	maxRequestBodySizeInKb := v["max_request_body_size_in_kb"].(int)
 	fileUploadLimitInMb := v["file_upload_limit_in_mb"].(int)
 
 	result := webapplicationfirewallpolicies.PolicySettings{
 		State:                             pointer.To(enabled),
 		Mode:                              pointer.To(webapplicationfirewallpolicies.WebApplicationFirewallMode(mode)),
 		RequestBodyCheck:                  pointer.To(requestBodyCheck),
+		RequestBodyEnforcement:            pointer.To(requestBodyEnforcement),
 		MaxRequestBodySizeInKb:            pointer.To(int64(maxRequestBodySizeInKb)),
 		FileUploadLimitInMb:               pointer.To(int64(fileUploadLimitInMb)),
 		LogScrubbing:                      expandWebApplicationFirewallPolicyLogScrubbing(v["log_scrubbing"].([]interface{})),
@@ -1079,6 +1087,7 @@ func flattenWebApplicationFirewallPolicyPolicySettings(input *webapplicationfire
 	result["enabled"] = pointer.From(input.State) == webapplicationfirewallpolicies.WebApplicationFirewallEnabledStateEnabled
 	result["mode"] = string(pointer.From(input.Mode))
 	result["request_body_check"] = input.RequestBodyCheck
+	result["request_body_enforcement"] = input.RequestBodyEnforcement
 	result["max_request_body_size_in_kb"] = int(pointer.From(input.MaxRequestBodySizeInKb))
 	result["file_upload_limit_in_mb"] = int(pointer.From(input.FileUploadLimitInMb))
 	result["log_scrubbing"] = flattenWebApplicationFirewallPolicyLogScrubbing(input.LogScrubbing)

diff --git a/internal/services/network/web_application_firewall_policy_resource_test.go b/internal/services/network/web_application_firewall_policy_resource_test.go
@@ -111,6 +111,7 @@ func TestAccWebApplicationFirewallPolicy_complete(t *testing.T) {
 				check.That(data.ResourceName).Key("policy_settings.0.enabled").HasValue("true"),
 				check.That(data.ResourceName).Key("policy_settings.0.mode").HasValue("Prevention"),
 				check.That(data.ResourceName).Key("policy_settings.0.request_body_check").HasValue("true"),
+				check.That(data.ResourceName).Key("policy_settings.0.request_body_enforcement").HasValue("false"),
 				check.That(data.ResourceName).Key("policy_settings.0.file_upload_limit_in_mb").HasValue("100"),
 				check.That(data.ResourceName).Key("policy_settings.0.max_request_body_size_in_kb").HasValue("128"),
 			),
@@ -189,6 +190,7 @@ func TestAccWebApplicationFirewallPolicy_update(t *testing.T) {
 				check.That(data.ResourceName).Key("policy_settings.0.enabled").HasValue("true"),
 				check.That(data.ResourceName).Key("policy_settings.0.mode").HasValue("Prevention"),
 				check.That(data.ResourceName).Key("policy_settings.0.request_body_check").HasValue("true"),
+				check.That(data.ResourceName).Key("policy_settings.0.request_body_enforcement").HasValue("false"),
 				check.That(data.ResourceName).Key("policy_settings.0.file_upload_limit_in_mb").HasValue("100"),
 				check.That(data.ResourceName).Key("policy_settings.0.max_request_body_size_in_kb").HasValue("128"),
 			),
@@ -572,8 +574,9 @@ resource "azurerm_web_application_firewall_policy" "test" {
   }
 
   policy_settings {
-    enabled = true
-    mode    = "Prevention"
+    enabled                  = true
+    mode                     = "Prevention"
+    request_body_enforcement = false
   }
 }
 `, data.RandomInteger, data.Locations.Primary, data.RandomInteger)

diff --git a/website/docs/d/application_gateway.html.markdown b/website/docs/d/application_gateway.html.markdown
@@ -507,6 +507,8 @@ A `waf_configuration` block exports the following:
 
 * `request_body_check` - Is Request Body Inspection enabled?
 
+* `request_body_enforcement` - Is Request Body limit enabled?
+
 * `max_request_body_size_kb` - The Maximum Request Body Size in KB.
 
 * `exclusion` - One or more `exclusion` blocks as defined below.

diff --git a/website/docs/r/application_gateway.html.markdown b/website/docs/r/application_gateway.html.markdown
@@ -553,6 +553,8 @@ A `waf_configuration` block supports the following:
 
 * `request_body_check` - (Optional) Is Request Body Inspection enabled? Defaults to `true`.
 
+* `request_body_enforcement` - (Optional) Whether the firewall should block a request with body size greater then `max_request_body_size_kb`. Defaults to `true`.
+
 * `max_request_body_size_kb` - (Optional) The Maximum Request Body Size in KB. Accepted values are in the range `1`KB to `128`KB. Defaults to `128`KB.
 
 * `exclusion` - (Optional) One or more `exclusion` blocks as defined below.