
Can't override anomaly based rules for azurerm_cdn_frontdoor_firewall_policy due to incorrect validator #18480

Closed
fristedt opened this issue Sep 21, 2022 · 5 comments · Fixed by #19095

Comments

@fristedt
Contributor

Is there an existing issue for this?

  • I have searched the existing issues

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

1.2.8

AzureRM Provider Version

3.23.0

Affected Resource(s)/Data Source(s)

azurerm_cdn_frontdoor_firewall_policy

Terraform Configuration Files

resource "azurerm_cdn_frontdoor_firewall_policy" "foobar" {
  name                = "foobar"
  resource_group_name = "foo"
  sku_name            = "Premium_AzureFrontDoor"
  enabled             = true
  mode                = "Prevention"

  managed_rule {
    type    = "Microsoft_DefaultRuleSet"
    version = "2.0"
    action  = "Block"

    override {
      rule_group_name = "PROTOCOL-ENFORCEMENT"
      rule {
        rule_id = "920320"
        enabled = false
        action = "AnomalyScoring" # This action is what the Azure portal sets but it doesn't pass Terraform validation
      }
      rule {
        rule_id = "920330"
        enabled = false
        action = "Block" # This action passes terraform validation but isn't accepted by Azure for Microsoft DefaultRuleSet
      }
    }
  }
}

Debug Output/Panic Output

╷
│ Error: expected managed_rule.0.override.0.rule.0.action to be one of [Allow Log Block Redirect], got AnomalyScoring
│
│   with azurerm_cdn_frontdoor_firewall_policy.foobar,
│   on frontdoor-waf.tf line 84, in resource "azurerm_cdn_frontdoor_firewall_policy" "foobar":
│   84:         action = "AnomalyScoring"

Expected Behaviour

We should be able to disable rules from managed rule set Microsoft_DefaultRuleSet_2.0

Actual Behaviour

Terraform validation blocks us from disabling rules.

Steps to Reproduce

We want to disable certain managed rules using azurerm_cdn_frontdoor_firewall_policy, but the validation for anomaly based rule sets is incorrect (e.g. Microsoft_DefaultRuleSet_2.0). Terraform should accept AnomalyScoring as a valid action, but it only allows Allow Log Block Redirect.

I think the fix is as easy as updating the validator here:

ValidateFunc: validation.StringInSlice([]string{
    string(frontdoor.ActionTypeAllow),
    string(frontdoor.ActionTypeLog),
    string(frontdoor.ActionTypeBlock),
    string(frontdoor.ActionTypeRedirect),
}, false),

Important Factoids

No response

References

No response
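To show exactly why the error in the debug output above appears, and what the reporter's proposed one-line change to the validator does, here is an added example that is not part of the issue or of the provider's code. It reimplements the behaviour of the plugin SDK's validation.StringInSlice (same signature shape and the same error format, reproduced here so the example runs without the SDK) and evaluates the action value against the original allowed set and against the set extended with AnomalyScoring. The ActionType constants are plain strings defined here for the example, not the frontdoor package's own types.

```go
package main

import (
	"fmt"
	"strings"
)

// SchemaValidateFunc mirrors the shape of the Terraform plugin SDK's
// schema.SchemaValidateFunc (reimplemented here so the example runs offline).
type SchemaValidateFunc func(i interface{}, k string) (warnings []string, errors []error)

// stringInSlice reimplements validation.StringInSlice from the SDK, including
// its error message format, which is the one shown in the issue's debug output.
func stringInSlice(valid []string, ignoreCase bool) SchemaValidateFunc {
	return func(i interface{}, k string) (warnings []string, errors []error) {
		v, ok := i.(string)
		if !ok {
			errors = append(errors, fmt.Errorf("expected type of %s to be string", k))
			return warnings, errors
		}
		for _, str := range valid {
			if v == str || (ignoreCase && strings.EqualFold(v, str)) {
				return warnings, errors
			}
		}
		errors = append(errors, fmt.Errorf("expected %s to be one of %v, got %s", k, valid, v))
		return warnings, errors
	}
}

// Action names as the Azure Front Door API spells them (plain strings for this
// example, not the frontdoor package's types). The first four are the values the
// 3.23.0 validator accepted; AnomalyScoring is the one the issue reports missing.
const (
	ActionTypeAllow          = "Allow"
	ActionTypeLog            = "Log"
	ActionTypeBlock          = "Block"
	ActionTypeRedirect       = "Redirect"
	ActionTypeAnomalyScoring = "AnomalyScoring"
)

// validateOverrideRuleActionBefore is the validator as quoted in the issue.
var validateOverrideRuleActionBefore = stringInSlice([]string{
	ActionTypeAllow, ActionTypeLog, ActionTypeBlock, ActionTypeRedirect,
}, false)

// validateOverrideRuleActionAfter adds AnomalyScoring, the change the reporter proposes.
var validateOverrideRuleActionAfter = stringInSlice([]string{
	ActionTypeAllow, ActionTypeLog, ActionTypeBlock, ActionTypeRedirect, ActionTypeAnomalyScoring,
}, false)

// ValidationError runs a validator on a single attribute value and returns the
// first error message, or "" when the value is accepted.
func ValidationError(fn SchemaValidateFunc, key, value string) string {
	_, errs := fn(value, key)
	if len(errs) == 0 {
		return ""
	}
	return errs[0].Error()
}

func main() {
	// Attribute path copied from the issue's debug output.
	const key = "managed_rule.0.override.0.rule.0.action"
	for _, action := range []string{ActionTypeBlock, ActionTypeAnomalyScoring} {
		fmt.Printf("before: %-15s -> %q\n", action, ValidationError(validateOverrideRuleActionBefore, key, action))
		fmt.Printf("after:  %-15s -> %q\n", action, ValidationError(validateOverrideRuleActionAfter, key, action))
	}
}
```

With the original set, "AnomalyScoring" produces the exact message from the debug output; with the extended set it passes, while a value outside both sets (for example a misspelling) is still rejected, so the schema-level check keeps doing its job of catching typos before an API round trip.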

@Amier3
Contributor

Amier3 commented Sep 21, 2022

Hey @fristedt

I don't think we'll be able to set AnomalyScoring, per the Azure docs:

DRS is enabled by default in Detection mode in your WAF policies. You can disable or enable individual rules within the Default Rule Set to meet your application requirements. You can also set specific actions per rule. The available actions are: Allow, Block, Log, and Redirect.

This is the config I was able to use in order to disable the PROTOCOL-ENFORCEMENT rule in your example:

resource "azurerm_resource_group" "foobee" {
  name     = "foo1"
  location = "eastus"
}

resource "azurerm_cdn_frontdoor_firewall_policy" "foobar" {
  name                = "foobar"
  resource_group_name = azurerm_resource_group.foobee.name
  sku_name            = "Premium_AzureFrontDoor"
  enabled             = true
  mode                = "Prevention"

  managed_rule {
    type    = "Microsoft_DefaultRuleSet"
    version = "2.0"
    action  = "Block"

    override {
      rule_group_name = "PROTOCOL-ENFORCEMENT"

      rule {
        rule_id = "920330"
        enabled = false
        action  = "Log"
      }
    }
  }
}

Which ended up with this:

[Screenshot attached: "Screen Shot 2022-09-21 at 11 20 37 AM"]

This is more of a workaround than a fix since I wasn't able to get this working without setting the action to Log. Anything else (like Block or Allow) gave me an API error.

@Amier3 Amier3 added bug and removed question labels Sep 21, 2022
@fristedt
Contributor Author

Hey @Amier3, thanks for the workaround! It works great.

I think it's strange that the documentation states that only those 4 rules are supported as when I import an existing Front Door WAF the terraform diff shows that the current rule action is set to "AnomalyScoring" for all rules. Perhaps the documentation is incorrect?

      ~ managed_rule {
            # (3 unchanged attributes hidden)

          ~ override {
                # (1 unchanged attribute hidden)

              ~ rule {
                  ~ action  = "AnomalyScoring" -> "Block"
                    # (2 unchanged attributes hidden)
                }

Anyway, the workaround is great so I don't think this is urgent to fix.

@WodansSon
Collaborator

WodansSon commented Nov 2, 2022

@fristedt, I don't blame you for being a bit confused, this is not super clear and the error message from the API is a bit cryptic as well. Thank you for opening this issue, I am currently working on a fix. This has to do with the way the service implemented the override rules. The DRS 2.0 AnomalyScoring was not exposed in the ActionTypes in the API swagger, so I was blissfully unaware of this scenario when I was implementing this resource. @BigFrog-coding opened issue #19088 about the same issue and that is how I was made aware of this. Please follow #19088 for the progress of fixing this issue. Sorry I did not see this issue until now. 🙁

@github-actions github-actions bot added this to the v3.30.0 milestone Nov 4, 2022
@github-actions

github-actions bot commented Nov 4, 2022

This functionality has been released in v3.30.0 of the Terraform Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

@github-actions

github-actions bot commented Dec 4, 2022

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 4, 2022