Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Bug:] azurerm_cdn_frontdoor_firewall_policy - expose AnomalyScoring in override rule action for DRS 2.0 #19095

Merged
merged 3 commits into from
Nov 4, 2022

Conversation

WodansSon
Copy link
Collaborator

@WodansSon WodansSon commented Nov 2, 2022

This issue is due to the fact that the API defers the valid version/action of the override by the type value (e.g. DefaultRuleSet or Microsoft_DefaultRuleSet). In version 1.0 and preview-0.1 (type DefaultRuleSet) the accepted actions are Allow, Block, Log, and Redirect, however in 2.0 (type Microsoft_DefaultRuleSet) the only valid action is AnomalyScoring due to the DRS 2.0 implementing the OWASP anomaly score model.

Example of a DRS 1.X Override:

resource "azurerm_cdn_frontdoor_firewall_policy" "example" {
  name                              = "exampleWAF"
  resource_group_name               = azurerm_resource_group.example.name
  sku_name                          = azurerm_cdn_frontdoor_profile.example.sku_name
  enabled                           = true
  mode                              = "Prevention"
  redirect_url                      = "https://www.contoso.com"
  custom_block_response_status_code = 403
  custom_block_response_body        = "PGh0bWw+CjxoZWFkZXI+PHRpdGxlPkhlbGxvPC90aXRsZT48L2hlYWRlcj4KPGJvZHk+CkhlbGxvIHdvcmxkCjwvYm9keT4KPC9odG1sPg=="

  managed_rule {
    type    = "DefaultRuleSet"
    version = "1.0"
    action  = "Log"

    override {     
      rule_group_name = "PHP"

      rule {
        rule_id = "933100"
        enabled = false
        action  = "Block"
      }
    }    
  }
}

Example of a DRS 2.0 Override:

resource "azurerm_cdn_frontdoor_firewall_policy" "example" {
  name                              = "exampleWAF"
  resource_group_name               = azurerm_resource_group.example.name
  sku_name                          = azurerm_cdn_frontdoor_profile.example.sku_name
  enabled                           = true
  mode                              = "Prevention"
  redirect_url                      = "https://www.contoso.com"
  custom_block_response_status_code = 403
  custom_block_response_body        = "PGh0bWw+CjxoZWFkZXI+PHRpdGxlPkhlbGxvPC90aXRsZT48L2hlYWRlcj4KPGJvZHk+CkhlbGxvIHdvcmxkCjwvYm9keT4KPC9odG1sPg=="

  managed_rule {
    type    = "Microsoft_DefaultRuleSet"
    version = "2.0"
    action  = "Log"

    override {     
      rule_group_name = "PHP"

      rule {
        rule_id = "933100"
        enabled = false
        action  = "AnomalyScoring"
      }
    }    
  }
}

(fixes #18480)
(fixes #19088)

@github-actions github-actions bot added the size/M label Nov 2, 2022
@WodansSon WodansSon marked this pull request as draft November 2, 2022 07:59
@WodansSon WodansSon changed the title [Bug:] azurerm_cdn_frontdoor_firewall_policy - expose AnomalyScoring in override rule action [Bug:] azurerm_cdn_frontdoor_firewall_policy - expose AnomalyScoring in override rule action for DRS 2.0 and above Nov 2, 2022
@WodansSon WodansSon changed the title [Bug:] azurerm_cdn_frontdoor_firewall_policy - expose AnomalyScoring in override rule action for DRS 2.0 and above [Bug:] azurerm_cdn_frontdoor_firewall_policy - expose AnomalyScoring in override for DRS 2.0 Nov 2, 2022
@WodansSon WodansSon changed the title [Bug:] azurerm_cdn_frontdoor_firewall_policy - expose AnomalyScoring in override for DRS 2.0 [Bug:] azurerm_cdn_frontdoor_firewall_policy - expose AnomalyScoring in override rule action for DRS 2.0 Nov 2, 2022
@github-actions github-actions bot added size/XL and removed size/M labels Nov 2, 2022
@WodansSon
Copy link
Collaborator Author

image

@WodansSon WodansSon marked this pull request as ready for review November 3, 2022 01:42
@WodansSon WodansSon added this to the v3.30.0 milestone Nov 3, 2022
Copy link
Collaborator

@katbyte katbyte left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM with 1 comment 🚪

@@ -417,6 +418,7 @@ func resourceCdnFrontDoorFirewallPolicy() *pluginsdk.Resource {
string(frontdoor.ActionTypeLog),
string(frontdoor.ActionTypeBlock),
string(frontdoor.ActionTypeRedirect),
"AnomalyScoring", // Only valid with 2.0 and above
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should make sure this exists in swagger & if not open an issue to ensure it is added in future SDKs

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Opened issue

@katbyte katbyte merged commit 0d6f7f1 into main Nov 4, 2022
@katbyte katbyte deleted the b_cdn_frontdoor_waf_anomaly_scoring branch November 4, 2022 00:16
katbyte added a commit that referenced this pull request Nov 4, 2022
@github-actions
Copy link

github-actions bot commented Nov 4, 2022

This functionality has been released in v3.30.0 of the Terraform Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

@github-actions
Copy link

github-actions bot commented Dec 7, 2022

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active contributions.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 7, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.