diff --git a/internal/services/network/web_application_firewall_policy_resource.go b/internal/services/network/web_application_firewall_policy_resource.go index 9ca574bc56b3..9743277be64f 100644 --- a/internal/services/network/web_application_firewall_policy_resource.go +++ b/internal/services/network/web_application_firewall_policy_resource.go @@ -390,6 +390,12 @@ func resourceWebApplicationFirewallPolicy() *pluginsdk.Resource { Default: 100, }, + "request_body_enforcement": { + Type: pluginsdk.TypeBool, + Optional: true, + Default: true, + }, + "max_request_body_size_in_kb": { Type: pluginsdk.TypeInt, Optional: true, @@ -720,6 +726,7 @@ func expandWebApplicationFirewallPolicyPolicySettings(input []interface{}) *weba } mode := v["mode"].(string) requestBodyCheck := v["request_body_check"].(bool) + requestBodyEnforcement := v["request_body_enforcement"].(bool) maxRequestBodySizeInKb := v["max_request_body_size_in_kb"].(int) fileUploadLimitInMb := v["file_upload_limit_in_mb"].(int) @@ -727,6 +734,7 @@ func expandWebApplicationFirewallPolicyPolicySettings(input []interface{}) *weba State: pointer.To(enabled), Mode: pointer.To(webapplicationfirewallpolicies.WebApplicationFirewallMode(mode)), RequestBodyCheck: pointer.To(requestBodyCheck), + RequestBodyEnforcement: pointer.To(requestBodyEnforcement), MaxRequestBodySizeInKb: pointer.To(int64(maxRequestBodySizeInKb)), FileUploadLimitInMb: pointer.To(int64(fileUploadLimitInMb)), LogScrubbing: expandWebApplicationFirewallPolicyLogScrubbing(v["log_scrubbing"].([]interface{})), 
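Review bot: The new `request_body_enforcement` entry in the `policy_settings` schema (first hunk) carries no comment on what `false` means for the firewall, although it is the value that weakens blocking. Going by the wording this diff adds to the docs, I would put a comment above the entry such as `// When false, the WAF does not block requests whose body exceeds max_request_body_size_in_kb; review before disabling in Prevention mode.` The documentation hunks later in this diff edit the `application_gateway` pages and their `waf_configuration` block, while the schema change is on the firewall policy resource. Unless the policy resource page is updated outside this view, the argument stays undocumented where its users will look. The schema function starts and ends outside the hunk.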
@@ -1079,6 +1087,7 @@ func flattenWebApplicationFirewallPolicyPolicySettings(input *webapplicationfire result["enabled"] = pointer.From(input.State) == webapplicationfirewallpolicies.WebApplicationFirewallEnabledStateEnabled result["mode"] = string(pointer.From(input.Mode)) result["request_body_check"] = input.RequestBodyCheck + result["request_body_enforcement"] = input.RequestBodyEnforcement result["max_request_body_size_in_kb"] = int(pointer.From(input.MaxRequestBodySizeInKb)) result["file_upload_limit_in_mb"] = int(pointer.From(input.FileUploadLimitInMb)) result["log_scrubbing"] = flattenWebApplicationFirewallPolicyLogScrubbing(input.LogScrubbing) diff --git a/internal/services/network/web_application_firewall_policy_resource_test.go b/internal/services/network/web_application_firewall_policy_resource_test.go index 737dbee2cbe2..f27211b69546 100644 --- a/internal/services/network/web_application_firewall_policy_resource_test.go +++ b/internal/services/network/web_application_firewall_policy_resource_test.go @@ -111,6 +111,7 @@ func TestAccWebApplicationFirewallPolicy_complete(t *testing.T) { check.That(data.ResourceName).Key("policy_settings.0.enabled").HasValue("true"), check.That(data.ResourceName).Key("policy_settings.0.mode").HasValue("Prevention"), check.That(data.ResourceName).Key("policy_settings.0.request_body_check").HasValue("true"), + check.That(data.ResourceName).Key("policy_settings.0.request_body_enforcement").HasValue("false"), check.That(data.ResourceName).Key("policy_settings.0.file_upload_limit_in_mb").HasValue("100"), check.That(data.ResourceName).Key("policy_settings.0.max_request_body_size_in_kb").HasValue("128"), ), 
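Review bot: `result["request_body_enforcement"] = input.RequestBodyEnforcement` stores the model's pointer as-is, so a response that omits the field would likely be read back as `false` while the schema default is `true`. That would produce a persistent plan diff and state that reports the body-size limit as not enforced when the service may in fact be enforcing it. Resolving nil explicitly avoids both: `enforcement := true`, then `if input.RequestBodyEnforcement != nil { enforcement = *input.RequestBodyEnforcement }`, then `result["request_body_enforcement"] = enforcement`. The existing `request_body_check` line above uses the same pointer pattern and deserves the same look; the function body extends beyond the hunk.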
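Review bot: The checks added in `TestAccWebApplicationFirewallPolicy_complete` and, in the next hunk, `TestAccWebApplicationFirewallPolicy_update` assert only `false`, the value the fixture changed at `@@ -572` now sets. Nothing visible verifies that a policy created without the argument reads back `true`, or that switching from `false` back to `true` is applied. Since `true` is the setting that blocks oversized bodies, I would add `check.That(data.ResourceName).Key("policy_settings.0.request_body_enforcement").HasValue("true")` to a step whose configuration omits the argument. Both test functions continue outside their hunks.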
@@ -189,6 +190,7 @@ func TestAccWebApplicationFirewallPolicy_update(t *testing.T) { check.That(data.ResourceName).Key("policy_settings.0.enabled").HasValue("true"), check.That(data.ResourceName).Key("policy_settings.0.mode").HasValue("Prevention"), check.That(data.ResourceName).Key("policy_settings.0.request_body_check").HasValue("true"), + check.That(data.ResourceName).Key("policy_settings.0.request_body_enforcement").HasValue("false"), check.That(data.ResourceName).Key("policy_settings.0.file_upload_limit_in_mb").HasValue("100"), check.That(data.ResourceName).Key("policy_settings.0.max_request_body_size_in_kb").HasValue("128"), ), @@ -572,8 +574,9 @@ resource "azurerm_web_application_firewall_policy" "test" { } policy_settings { - enabled = true - mode = "Prevention" + enabled = true + mode = "Prevention" + request_body_enforcement = false } } `, data.RandomInteger, data.Locations.Primary, data.RandomInteger) diff --git a/website/docs/d/application_gateway.html.markdown b/website/docs/d/application_gateway.html.markdown index 264d70b68a77..48621085e2cd 100644 --- a/website/docs/d/application_gateway.html.markdown +++ b/website/docs/d/application_gateway.html.markdown @@ -507,6 +507,8 @@ A `waf_configuration` block exports the following: * `request_body_check` - Is Request Body Inspection enabled? +* `request_body_enforcement` - Is Request Body limit enabled? + * `max_request_body_size_kb` - The Maximum Request Body Size in KB. * `exclusion` - One or more `exclusion` blocks as defined below. diff --git a/website/docs/r/application_gateway.html.markdown b/website/docs/r/application_gateway.html.markdown index 4a28c064cb07..2c03f8f408a3 100644 --- a/website/docs/r/application_gateway.html.markdown +++ b/website/docs/r/application_gateway.html.markdown 
@@ -553,6 +553,8 @@ A `waf_configuration` block supports the following: * `request_body_check` - (Optional) Is Request Body Inspection enabled? Defaults to `true`. +* `request_body_enforcement` - (Optional) Whether the firewall should block a request with body size greater then `max_request_body_size_kb`. Defaults to `true`. + * `max_request_body_size_kb` - (Optional) The Maximum Request Body Size in KB. Accepted values are in the range `1`KB to `128`KB. Defaults to `128`KB. * `exclusion` - (Optional) One or more `exclusion` blocks as defined below.