Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

#24401: Support request_body_check part of azurerm_cdn_frontdoor_firewall_policy #24406

Merged
merged 4 commits into from
Jan 10, 2024
Merged

#24401: Support request_body_check part of azurerm_cdn_frontdoor_firewall_policy #24406

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
76c808b
#24401: Support request_body_check part of request_body_check
harshavmb Jan 5, 2024
e866e76
#24401: Refactoring request_body_check to request_body_check_enabled …
harshavmb Jan 8, 2024
55257b0
#24401: Moving request_body_check_enabled out of custom_rule block in…
harshavmb Jan 9, 2024
8abc5e1
#24401: terrafmt
harshavmb Jan 9, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
29 changes: 24 additions & 5 deletions internal/services/cdn/cdn_frontdoor_firewall_policy_resource.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -83,6 +83,12 @@ func resourceCdnFrontDoorFirewallPolicy() *pluginsdk.Resource {
ValidateFunc: validation.IsURLWithScheme([]string{"http", "https"}),
},

"request_body_check_enabled": {
Type: pluginsdk.TypeBool,
Optional: true,
Default: true,
},

"custom_block_response_status_code": {
Type: pluginsdk.TypeInt,
Optional: true,
Expand Down Expand Up @@ -475,6 +481,12 @@ func resourceCdnFrontDoorFirewallPolicyCreate(d *pluginsdk.ResourceData, meta in
enabled = frontdoor.PolicyEnabledStateEnabled
}

requestBodyCheck := frontdoor.PolicyRequestBodyCheckDisabled

if d.Get("request_body_check_enabled").(bool) {
requestBodyCheck = frontdoor.PolicyRequestBodyCheckEnabled
}

sku := d.Get("sku_name").(string)
mode := frontdoor.PolicyMode(d.Get("mode").(string))
redirectUrl := d.Get("redirect_url").(string)
Expand All @@ -499,8 +511,9 @@ func resourceCdnFrontDoorFirewallPolicyCreate(d *pluginsdk.ResourceData, meta in
},
WebApplicationFirewallPolicyProperties: &frontdoor.WebApplicationFirewallPolicyProperties{
PolicySettings: &frontdoor.PolicySettings{
EnabledState: enabled,
Mode: mode,
EnabledState: enabled,
Mode: mode,
RequestBodyCheck: requestBodyCheck,
},
CustomRules: expandCdnFrontDoorFirewallCustomRules(customRules),
},
Expand Down Expand Up @@ -561,14 +574,19 @@ func resourceCdnFrontDoorFirewallPolicyUpdate(d *pluginsdk.ResourceData, meta in

props := *existing.WebApplicationFirewallPolicyProperties

if d.HasChanges("custom_block_response_body", "custom_block_response_status_code", "enabled", "mode", "redirect_url") {
if d.HasChanges("custom_block_response_body", "custom_block_response_status_code", "enabled", "mode", "redirect_url", "request_body_check_enabled") {
enabled := frontdoor.PolicyEnabledStateDisabled
if d.Get("enabled").(bool) {
enabled = frontdoor.PolicyEnabledStateEnabled
}
requestBodyCheck := frontdoor.PolicyRequestBodyCheckDisabled
if d.Get("request_body_check_enabled").(bool) {
requestBodyCheck = frontdoor.PolicyRequestBodyCheckEnabled
}
props.PolicySettings = &frontdoor.PolicySettings{
EnabledState: enabled,
Mode: frontdoor.PolicyMode(d.Get("mode").(string)),
EnabledState: enabled,
Mode: frontdoor.PolicyMode(d.Get("mode").(string)),
RequestBodyCheck: requestBodyCheck,
}

if redirectUrl := d.Get("redirect_url").(string); redirectUrl != "" {
Expand Down Expand Up @@ -653,6 +671,7 @@ func resourceCdnFrontDoorFirewallPolicyRead(d *pluginsdk.ResourceData, meta inte
if policy := properties.PolicySettings; policy != nil {
d.Set("enabled", policy.EnabledState == frontdoor.PolicyEnabledStateEnabled)
d.Set("mode", string(policy.Mode))
d.Set("request_body_check_enabled", policy.RequestBodyCheck == frontdoor.PolicyRequestBodyCheckEnabled)
d.Set("redirect_url", policy.RedirectURL)
d.Set("custom_block_response_status_code", policy.CustomBlockResponseStatusCode)
d.Set("custom_block_response_body", policy.CustomBlockResponseBody)
Expand Down
2 changes: 2 additions & 0 deletions internal/services/cdn/cdn_frontdoor_firewall_policy_resource_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -56,6 +56,7 @@ func TestAccCdnFrontDoorFirewallPolicy_update(t *testing.T) {
Config: r.update(data),
Check: acceptance.ComposeTestCheckFunc(
check.That(data.ResourceName).ExistsInAzure(r),
check.That(data.ResourceName).Key("request_body_check_enabled").HasValue("false"),
),
},
data.ImportStep(),
Expand Down Expand Up @@ -333,6 +334,7 @@ resource "azurerm_cdn_frontdoor_firewall_policy" "test" {
custom_rule {
name = "Rule1"
enabled = true
request_body_check_enabled = false
harshavmb marked this conversation as resolved.
Show resolved Hide resolved
priority = 1
rate_limit_duration_in_minutes = 1
rate_limit_threshold = 10
Expand Down
2 changes: 2 additions & 0 deletions website/docs/r/cdn_frontdoor_firewall_policy.html.markdown
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -143,6 +143,8 @@ The following arguments are supported:

* `mode` - (Required) The Front Door Firewall Policy mode. Possible values are `Detection`, `Prevention`.

* `request_body_check_enabled` - (Optional) Should policy managed rules inspect the request body content? Defaults to `true`.

-> **NOTE:** When run in `Detection` mode, the Front Door Firewall Policy doesn't take any other actions other than monitoring and logging the request and its matched Front Door Rule to the Web Application Firewall logs.

* `redirect_url` - (Optional) If action type is redirect, this field represents redirect URL for the client.
Expand Down
Loading