Document: "webapplicationfirewall"
Defines web application firewall policy.
azure_web_application_firewall_policy {
api_version => "api_version",
etag => "etag (optional)",
location => "location (optional)",
parameters => "parameters",
policy_name => "policy_name",
properties => $azure_web_application_firewall_policy_properties,
resource_group_name => "resource_group_name",
subscription_id => "subscription_id",
tags => "tags (optional)",
}
Name | Type | Required | Description |
---|---|---|---|
api_version | String | true | Client API version. |
etag | String | false | Gets a unique read-only string that changes whenever the resource is updated. |
location | String | false | Resource location. |
parameters | Hash | true | Policy to be created. |
policy_name | String | true | The name of the Web Application Firewall Policy. |
properties | WebApplicationFirewallPolicyProperties | false | Properties of the web application firewall policy. |
resource_group_name | String | true | Name of the Resource group within the Azure subscription. |
subscription_id | String | true | The subscription credentials which uniquely identify the Microsoft Azure subscription. The subscription ID forms part of the URI for every service call. |
tags | Hash | false | Resource tags. |
Defines web application firewall policy properties.
$azure_web_application_firewall_policy_properties = {
customRules => $azure_custom_rule_list,
frontendEndpointLinks => $azure_frontend_endpoint_link,
managedRules => $azure_managed_rule_set_list,
policySettings => $azure_policy_settings,
}
Name | Type | Required | Description |
---|---|---|---|
customRules | CustomRuleList | false | Describes custom rules inside the policy. |
frontendEndpointLinks | FrontendEndpointLink | false | Describes Frontend Endpoints associated with this Web Application Firewall policy. |
managedRules | ManagedRuleSetList | false | Describes managed rules inside the policy. |
policySettings | PolicySettings | false | Describes settings for the policy. |
Defines contents of custom rules.
$azure_custom_rule_list = {
rules => $azure_custom_rule,
}
Name | Type | Required | Description |
---|---|---|---|
rules | CustomRule | false | List of rules. |
Defines contents of a web application rule.
$azure_custom_rule = {
action => $azure_action_type,
enabledState => "enabledState (optional)",
matchConditions => $azure_match_condition,
name => "name (optional)",
priority => "1234",
rateLimitDurationInMinutes => "1234 (optional)",
rateLimitThreshold => "1234 (optional)",
ruleType => "ruleType",
}
Name | Type | Required | Description |
---|---|---|---|
action | ActionType | true | Describes the action to be applied when the rule matches. |
enabledState | String | false | Describes if the custom rule is in enabled or disabled state. Defaults to Enabled if not specified. |
matchConditions | MatchCondition | true | List of match conditions. |
name | String | false | Describes the name of the rule. |
priority | Integer | true | Describes priority of the rule. Rules with a lower value will be evaluated before rules with a higher value. |
rateLimitDurationInMinutes | Integer | false | Time window for resetting the rate limit count. Default is 1 minute. |
rateLimitThreshold | Integer | false | Number of allowed requests per client within the time window. |
ruleType | String | true | Describes type of rule. |
Defines the action to take on rule match.
$azure_action_type = {
}
Name | Type | Required | Description |
---|---|---|---|
Define a match condition.
$azure_match_condition = {
matchValue => "matchValue",
matchVariable => "matchVariable",
negateCondition => "negateCondition (optional)",
operator => "operator",
selector => "selector (optional)",
transforms => $azure_transform_type,
}
Name | Type | Required | Description |
---|---|---|---|
matchValue | Array | true | List of possible match values. |
matchVariable | String | true | Request variable to compare with. |
negateCondition | Boolean | false | Describes if the result of this condition should be negated. |
operator | String | true | Comparison type to use for matching with the variable value. |
selector | String | false | Match against a specific key from the QueryString, PostArgs, RequestHeader or Cookies variables. Default is null. |
transforms | TransformType | false | List of transforms. |
Describes what transforms are applied before matching.
$azure_transform_type = {
}
Name | Type | Required | Description |
---|---|---|---|
Defines the Resource ID for a Frontend Endpoint.
$azure_frontend_endpoint_link = {
id => "id (optional)",
}
Name | Type | Required | Description |
---|---|---|---|
id | String | false | Resource ID. |
Defines the list of managed rule sets for the policy.
$azure_managed_rule_set_list = {
managedRuleSets => $azure_managed_rule_set,
}
Name | Type | Required | Description |
---|---|---|---|
managedRuleSets | ManagedRuleSet | false | List of rule sets. |
Defines a managed rule set.
$azure_managed_rule_set = {
ruleGroupOverrides => $azure_managed_rule_group_override,
ruleSetType => "ruleSetType",
ruleSetVersion => "ruleSetVersion",
}
Name | Type | Required | Description |
---|---|---|---|
ruleGroupOverrides | ManagedRuleGroupOverride | false | Defines the rule group overrides to apply to the rule set. |
ruleSetType | String | true | Defines the rule set type to use. |
ruleSetVersion | String | true | Defines the version of the rule set to use. |
Defines a managed rule group override setting.
$azure_managed_rule_group_override = {
ruleGroupName => "ruleGroupName",
rules => $azure_managed_rule_override,
}
Name | Type | Required | Description |
---|---|---|---|
ruleGroupName | String | true | Describes the managed rule group to override. |
rules | ManagedRuleOverride | false | List of rules that will be disabled. If none specified, all rules in the group will be disabled. |
Defines a managed rule group override setting.
$azure_managed_rule_override = {
action => $azure_action_type,
enabledState => "enabledState (optional)",
ruleId => "ruleId",
}
Name | Type | Required | Description |
---|---|---|---|
action | ActionType | false | Describes the override action to be applied when the rule matches. |
enabledState | String | false | Describes if the managed rule is in enabled or disabled state. Defaults to Disabled if not specified. |
ruleId | String | true | Identifier for the managed rule. |
Defines top-level WebApplicationFirewallPolicy configuration settings.
$azure_policy_settings = {
customBlockResponseBody => "customBlockResponseBody (optional)",
customBlockResponseStatusCode => "1234 (optional)",
enabledState => "enabledState (optional)",
mode => "mode (optional)",
redirectUrl => "redirectUrl (optional)",
}
Name | Type | Required | Description |
---|---|---|---|
customBlockResponseBody | String | false | If the action type is block, the customer can override the response body. The body must be specified in base64 encoding. |
customBlockResponseStatusCode | Integer | false | If the action type is block, the customer can override the response status code. |
enabledState | String | false | Describes if the policy is in enabled or disabled state. Defaults to Enabled if not specified. |
mode | String | false | Describes if it is in detection mode or prevention mode at policy level. |
redirectUrl | String | false | If action type is redirect, this field represents redirect URL for the client. |
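The defaults documented above matter for review: a managed rule override with no enabledState is Disabled, a rule group override with no rules disables the whole group, and mode decides whether matches are only detected or prevented. The following is an added example (not part of this module) that audits a policy properties hash for those weakening settings. The enum strings Enabled/Disabled and Detection/Prevention are the Azure Front Door WAF API values, which this page does not list, and SAMPLE is constructed data.

```python
# Added example: audit a WAF policy `properties` hash for weakened protection.
# Field names follow the tables on this page; SAMPLE is constructed data.

def audit_policy(props):
    """Return a list of findings for settings that reduce WAF coverage."""
    findings = []
    settings = props.get("policySettings") or {}
    # policySettings.enabledState defaults to Enabled when omitted.
    if settings.get("enabledState", "Enabled") != "Enabled":
        findings.append("policy: disabled")
    mode = settings.get("mode")
    if mode != "Prevention":
        findings.append(f"policy: mode is {mode or 'unset'}, not Prevention")
    rule_sets = (props.get("managedRules") or {}).get("managedRuleSets") or []
    if not rule_sets:
        findings.append("managedRules: no managed rule set configured")
    for rs in rule_sets:
        label = f"{rs.get('ruleSetType')} {rs.get('ruleSetVersion')}"
        for group in rs.get("ruleGroupOverrides") or []:
            name = group.get("ruleGroupName")
            overrides = group.get("rules") or []
            # An override that lists no rules disables the whole group.
            if not overrides:
                findings.append(f"{label}: group {name} fully disabled")
            for rule in overrides:
                # A managed rule override defaults to Disabled when unset.
                if rule.get("enabledState", "Disabled") != "Enabled":
                    findings.append(f"{label}: rule {rule.get('ruleId')} in {name} disabled")
    for rule in (props.get("customRules") or {}).get("rules") or []:
        if rule.get("enabledState", "Enabled") != "Enabled":
            findings.append(f"customRules: rule {rule.get('name')} disabled")
    return findings

# Constructed sample, trimmed to the fields the audit reads.
SAMPLE = {
    "policySettings": {"enabledState": "Enabled", "mode": "Detection"},
    "customRules": {"rules": [{"name": "rateLimitLogin", "priority": 10,
                               "enabledState": "Disabled"}]},
    "managedRules": {"managedRuleSets": [{
        "ruleSetType": "DefaultRuleSet", "ruleSetVersion": "1.0",
        "ruleGroupOverrides": [
            {"ruleGroupName": "SQLI"},
            {"ruleGroupName": "XSS", "rules": [
                {"ruleId": "941100"},
                {"ruleId": "941110", "enabledState": "Enabled"}]},
        ],
    }]},
}

print("\n".join(audit_policy(SAMPLE)))
```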
Here is a list of endpoints that we use to create, read, update and delete the WebApplicationFirewallPolicy:
Operation | Path | Verb | Description | OperationID |
---|---|---|---|---|
Create | /subscriptions/%{subscription_id}/resourceGroups/%{resource_group_name}/providers/Microsoft.Network/FrontDoorWebApplicationFirewallPolicies/%{policy_name} | Put | Create or update policy with specified rule set name within a resource group. | Policies_CreateOrUpdate |
List - list all | | | | |
List - get one | /subscriptions/%{subscription_id}/resourceGroups/%{resource_group_name}/providers/Microsoft.Network/FrontDoorWebApplicationFirewallPolicies/%{policy_name} | Get | Retrieve protection policy with specified name within a resource group. | Policies_Get |
List - get list using params | /subscriptions/%{subscription_id}/resourceGroups/%{resource_group_name}/providers/Microsoft.Network/FrontDoorWebApplicationFirewallPolicies | Get | Lists all of the protection policies within a resource group. | Policies_List |
Update | /subscriptions/%{subscription_id}/resourceGroups/%{resource_group_name}/providers/Microsoft.Network/FrontDoorWebApplicationFirewallPolicies/%{policy_name} | Put | Create or update policy with specified rule set name within a resource group. | Policies_CreateOrUpdate |
Delete | /subscriptions/%{subscription_id}/resourceGroups/%{resource_group_name}/providers/Microsoft.Network/FrontDoorWebApplicationFirewallPolicies/%{policy_name} | Delete | Deletes Policy | Policies_Delete |