RuleGroup 'APPLICATION-ATTACK-SQLI' cannot be configured for rule set Microsoft_DefaultRuleSet version 2.1

[frans-otogone]

Is there an existing issue for this?

• I have searched the existing issues

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment and review the contribution guide to help.

Terraform Version

1.5.7

AzureRM Provider Version

3.84.0

Affected Resource(s)/Data Source(s)

azurerm_web_application_firewall_policy

Terraform Configuration Files

resource "azurerm_web_application_firewall_policy" "application_gateway" {
  name                = "my-waf-policy"
  location            = azurerm_resource_group.application_gateway.location
  resource_group_name = azurerm_resource_group.application_gateway.name

  managed_rules {
    managed_rule_set {
      type    = "Microsoft_DefaultRuleSet"
      version = "2.1"

      rule_group_override {
        rule_group_name = "APPLICATION-ATTACK-SQLI"

        rule {
          action  = "AnomalyScoring"
          id      = "942110"
          enabled = false
        }
        rule {
          action  = "AnomalyScoring"
          enabled = false
          id      = "942150"
        }
        rule {
          action  = "AnomalyScoring"
          enabled = false
          id      = "942230"
        }
        rule {
          action  = "AnomalyScoring"
          enabled = false
          id      = "942260"
        }
        rule {
          action  = "AnomalyScoring"
          enabled = false
          id      = "942430"
        }
        rule {
          action  = "AnomalyScoring"
          enabled = false
          id      = "942440"
        }
      }
    }
    managed_rule_set {
      type    = "Microsoft_BotManagerRuleSet"
      version = "1.0"
    }
  }
}

Debug Output/Panic Output

╷
│ Error: creating Application Gateway Web Application Firewall Policy (Subscription: "xxx"
│ Resource Group Name: "application-gateway-test"
│ Application Gateway Web Application Firewall Policy Name: "test"): unexpected status 400 with error: ApplicationGatewayFirewallUnknownRuleGroup: RuleGroup 'APPLICATION-ATTACK-SQLI' cannot be configured since it does not exist for Application Gateway Firewall in context ''.
│ 
│   with azurerm_web_application_firewall_policy.application_gateway,
│   on ../../application-gateway-waf.tf line 1, in resource "azurerm_web_application_firewall_policy" "application_gateway":
│    1: resource "azurerm_web_application_firewall_policy" "application_gateway" {
│ 
╵
##[error]Bash exited with code '1'.

Expected Behaviour

Rule group Microsoft_DefaultRuleSet gets configured

Actual Behaviour

Error during terraform apply

Steps to Reproduce

No response

Important Factoids

No response

References

No response

[alexdokka]

Also to this case:

Verification for "rule_group_name" doesn't contain rule group names from "Microsoft_DefaultRuleSet" (SQLI, LFI and other)

│ Error: expected managed_rules.0.managed_rule_set.0.rule_group_override.0.rule_group_name to be one of ["BadBots" "crs_20_protocol_violations" "crs_21_protocol_anomalies" "crs_23_request_limits" "crs_30_http_policy" "crs_35_bad_robots" "crs_40_generic_attacks" "crs_41_sql_injection_attacks" "crs_41_xss_attacks" "crs_42_tight_security" "crs_45_trojans" "General" "GoodBots" "Known-CVEs" "REQUEST-911-METHOD-ENFORCEMENT" "REQUEST-913-SCANNER-DETECTION" "REQUEST-920-PROTOCOL-ENFORCEMENT" "REQUEST-921-PROTOCOL-ATTACK" "REQUEST-930-APPLICATION-ATTACK-LFI" "REQUEST-931-APPLICATION-ATTACK-RFI" "REQUEST-932-APPLICATION-ATTACK-RCE" "REQUEST-933-APPLICATION-ATTACK-PHP" "REQUEST-941-APPLICATION-ATTACK-XSS" "REQUEST-942-APPLICATION-ATTACK-SQLI" "REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION" "REQUEST-944-APPLICATION-ATTACK-JAVA" "UnknownBots" "METHOD-ENFORCEMENT" "PROTOCOL-ENFORCEMENT" "PROTOCOL-ATTACK" "APPLICATION-ATTACK-LFI" "APPLICATION-ATTACK-RFI" "APPLICATION-ATTACK-RCE" "APPLICATION-ATTACK-PHP" "APPLICATION-ATTACK-NodeJS" "APPLICATION-ATTACK-XSS" "APPLICATION-ATTACK-SQLI" "APPLICATION-ATTACK-SESSION-FIXATION" "APPLICATION-ATTACK-SESSION-JAVA" "MS-ThreatIntel-WebShells" "MS-ThreatIntel-AppSec" "MS-ThreatIntel-SQLI" "MS-ThreatIntel-CVEs"], got LFI

[sinbai]

Hi @frans-otogone thanks for opening this issue. PR has been submitted to fix this issue. Could you please follow it for more updates?

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.