Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Ability to configuration WAF advanced application rules #2756

Closed
RobertNorthard opened this issue Jan 24, 2019 · 8 comments
Closed

Ability to configuration WAF advanced application rules #2756

RobertNorthard opened this issue Jan 24, 2019 · 8 comments

Comments

@RobertNorthard
Copy link

RobertNorthard commented Jan 24, 2019

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

The default OWASP WAF rule set blocks PUT and PATCH request methods which are common Resftul API request methods. We would like to be able to customise the rules set through Terraform.

New or Affected Resource(s)

  • azurerm_application_gateway

References

@mattquinn
Copy link

mattquinn commented Jan 28, 2019

Building on this a little, I see specific mention of the absence of this feature is called out here: http://fortytwoblog.centralus.cloudapp.azure.com/2018/07/12/configuring-azure-traffic-manager-application-gateway-and-app-services/

You can set some very basic WAF properties in Terraform:

waf_configuration { enabled = "true" firewall_mode = "Detection" rule_set_type = "OWASP" rule_set_version = "3.0" }

But the specific rules/rulesets are effectively 'data' rather than resource definitions and aren't currently available to set via Terraform.

In the short term you can use PowerShell or the CLI to configure the active rulesets as outlined here:

Understand however the intent is to have "desired state" set in Terraform rather than commands/scripts to set individual rules on/off.

As a stop gap (until this feature is added both both at the ARM level and the Terraform layer over ARM) may be to have a script that explicitly checks and turns on all required rules and checks off all unrequired rules?

@RobertNorthard
Copy link
Author

Thanks @mattquinn - we decided on using the Azure CLI temporality as part of a null resource to customise the rule set. It does not track desired state, but has a trigger on gateway changes.

@dan-jackson-github
Copy link

Does this feature request include the ability to configure exclusion rules on the WAF also? We use a couple of these to tune the WAF with our application, it doesn't appear that they can be set via Terraform at the current time

@RobertNorthard
Copy link
Author

It should do as that is our primary use case.

@timja
Copy link
Contributor

timja commented May 1, 2019

WIP PR up for disabled rule groups, it doesn't cover all of this issue but should help:
#3356

@saravanaarthikeyakumar
Copy link

Hi Team,

Please help to validate the below written script prepared from my side. If not , suggest me the best possible methods to written the script.

Under the WAF resource group , I created one sub resource group as below..

disabled_rule_group {
rule_group_name = "REQUEST-920-PROTOCOL-ENFORCEMENT"
rules = "920300,920320"
rule_group_name = "REQUEST-942-APPLICATION-ATTACK-SQLI"
rules = "942100","942440"
}
}

@favoretti
Copy link
Collaborator

Since this issue has been reported a long time ago and relates to the version of provider we no longer support - I'm going to close it. Please open a new updated bug report if this is still relevant. Thank you.

@github-actions
Copy link

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 24, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Development

No branches or pull requests

7 participants