azurerm_web_application_firewall_policy - add support for policy_settings.0.file_upload_enforcement #27774

Merged
merged 1 commit into from
Oct 28, 2024
Expand Up @@ -396,6 +396,22 @@ func resourceWebApplicationFirewallPolicy() *pluginsdk.Resource {
Default: true,
},

"file_upload_enforcement": {
Type: pluginsdk.TypeBool,
/*
NOTE: O+C: This value defaults to true but is only available under certain conditions (i.e. when version is 3.2)
managed_rules {
managed_rule_set {
type = "OWASP"
version = "3.2"
}
}
*/
Optional: true,
// We'll remove computed in 5.0 so we don't break existing configurations
Computed: !features.FivePointOhBeta(),
},

"max_request_body_size_in_kb": {
Type: pluginsdk.TypeInt,
Optional: true,
Expand Down Expand Up @@ -727,12 +743,14 @@ func expandWebApplicationFirewallPolicyPolicySettings(input []interface{}) *weba
mode := v["mode"].(string)
requestBodyCheck := v["request_body_check"].(bool)
requestBodyEnforcement := v["request_body_enforcement"].(bool)
fileUploadEnforcement := v["file_upload_enforcement"].(bool)
maxRequestBodySizeInKb := v["max_request_body_size_in_kb"].(int)
fileUploadLimitInMb := v["file_upload_limit_in_mb"].(int)

result := webapplicationfirewallpolicies.PolicySettings{
State: pointer.To(enabled),
Mode: pointer.To(webapplicationfirewallpolicies.WebApplicationFirewallMode(mode)),
FileUploadEnforcement: pointer.To(fileUploadEnforcement),
RequestBodyCheck: pointer.To(requestBodyCheck),
RequestBodyEnforcement: pointer.To(requestBodyEnforcement),
MaxRequestBodySizeInKb: pointer.To(int64(maxRequestBodySizeInKb)),
Expand Down Expand Up @@ -1088,6 +1106,7 @@ func flattenWebApplicationFirewallPolicyPolicySettings(input *webapplicationfire
result["mode"] = string(pointer.From(input.Mode))
result["request_body_check"] = input.RequestBodyCheck
result["request_body_enforcement"] = input.RequestBodyEnforcement
result["file_upload_enforcement"] = input.FileUploadEnforcement
result["max_request_body_size_in_kb"] = int(pointer.From(input.MaxRequestBodySizeInKb))
result["file_upload_limit_in_mb"] = int(pointer.From(input.FileUploadLimitInMb))
result["log_scrubbing"] = flattenWebApplicationFirewallPolicyLogScrubbing(input.LogScrubbing)
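Review bot: In `expandWebApplicationFirewallPolicyPolicySettings`, `v["file_upload_enforcement"].(bool)` is read and always sent as `FileUploadEnforcement: pointer.To(fileUploadEnforcement)`, so a configuration that omits the attribute appears to send an explicit `false` rather than leaving the service default in place. The schema comment in the first hunk says the value defaults to true and is only available with rule set version 3.2, so omission could silently turn off upload-size enforcement on a new policy, and the field may be sent for rule sets that do not support it. A bool read from the map cannot distinguish unset from false, so consider declaring `Default: true` once `Computed` is dropped in 5.0, or only setting the field when it is configured; a comment such as `// unset reads as false here; the API default is true` on the expand line would at least document the trap. Both function bodies continue outside the visible hunks, so this should be confirmed against the full create/update path.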
Expand Up @@ -405,6 +405,35 @@ func TestAccWebApplicationFirewallPolicy_BotManager(t *testing.T) {
})
}

func TestAccWebApplicationFirewallPolicy_fileUploadEnforcement(t *testing.T) {
data := acceptance.BuildTestData(t, "azurerm_web_application_firewall_policy", "test")
r := WebApplicationFirewallResource{}

data.ResourceTest(t, r, []acceptance.TestStep{
{
Config: r.fileUploadEnforcement(data, true),
Check: acceptance.ComposeTestCheckFunc(
check.That(data.ResourceName).ExistsInAzure(r),
),
},
data.ImportStep(),
{
Config: r.fileUploadEnforcement(data, false),
Check: acceptance.ComposeTestCheckFunc(
check.That(data.ResourceName).ExistsInAzure(r),
),
},
data.ImportStep(),
{
Config: r.fileUploadEnforcement(data, true),
Check: acceptance.ComposeTestCheckFunc(
check.That(data.ResourceName).ExistsInAzure(r),
),
},
data.ImportStep(),
})
}

func (t WebApplicationFirewallResource) Exists(ctx context.Context, clients *clients.Client, state *pluginsdk.InstanceState) (*bool, error) {
id, err := webapplicationfirewallpolicies.ParseApplicationGatewayWebApplicationFirewallPolicyID(state.ID)
if err != nil {
Expand Down Expand Up @@ -2035,3 +2064,40 @@ resource "azurerm_web_application_firewall_policy" "test" {
}
`, data.RandomInteger, data.Locations.Primary, data.RandomInteger)
}

func (WebApplicationFirewallResource) fileUploadEnforcement(data acceptance.TestData, enforcement bool) string {
return fmt.Sprintf(`
provider "azurerm" {
features {}
}

resource "azurerm_resource_group" "test" {
name = "acctestRG-%d"
location = "%s"
}

resource "azurerm_web_application_firewall_policy" "test" {
name = "acctestwafpolicy-%d"
resource_group_name = azurerm_resource_group.test.name
location = azurerm_resource_group.test.location


managed_rules {
managed_rule_set {
type = "OWASP"
version = "3.2"
}
}

policy_settings {
enabled = true
mode = "Prevention"
request_body_check = false
request_body_enforcement = true
file_upload_limit_in_mb = 128
max_request_body_size_in_kb = 128
file_upload_enforcement = %t
}
}
`, data.RandomInteger, data.Locations.Primary, data.RandomInteger, enforcement)
}
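Review bot: Every step in `TestAccWebApplicationFirewallPolicy_fileUploadEnforcement` asserts only `ExistsInAzure(r)`, so the test would still pass if the expand or flatten mapping dropped or inverted the new field, apart from whatever `data.ImportStep()` happens to catch. An explicit value check per step, e.g. `check.That(data.ResourceName).Key("policy_settings.0.file_upload_enforcement").HasValue("false"),` in the second step, would pin the toggle. The config helper always writes `file_upload_enforcement = %t`, so the omitted-attribute case that the schema's O+C comment is about is never exercised; a step or separate test with a config that leaves the attribute out would cover it.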
Expand Up @@ -196,6 +196,8 @@ The `policy_settings` block supports the following:

* `js_challenge_cookie_expiration_in_minutes` - (Optional) Specifies the JavaScript challenge cookie validity lifetime in minutes. The user is challenged after the lifetime expires. Accepted values are in the range `5` to `1440`. Defaults to `30`.

* `file_upload_enforcement` - (Optional) - Whether the firewall should block a request with upload size greater then `file_upload_limit_in_mb`.

---

The `managed_rules` block supports the following: