Policy
Defines web application firewall policy for Azure CDN. Uses Azure REST API version 2024-09-01. In version 2.x of the Azure Native provider, it used API version 2023-05-01. Other available API versions: 2023-05-01, 2023-07-01-preview, 2024-02-01, 2024-05-01-preview, 2024-06-01-preview. These can be accessed by generating a local SDK package using the CLI command pulumi package add azure-native cdn [ApiVersion]. See the ../../../version-guide/#accessing-any-api-version-via-local-packages for details.
Example Usage
Creates specific policy
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
return await Deployment.RunAsync(() =>
{
var policy = new AzureNative.Cdn.Policy("policy", new()
{
CustomRules = new AzureNative.Cdn.Inputs.CustomRuleListArgs
{
Rules = new[]
{
new AzureNative.Cdn.Inputs.CustomRuleArgs
{
Action = AzureNative.Cdn.ActionType.Block,
EnabledState = AzureNative.Cdn.CustomRuleEnabledState.Enabled,
MatchConditions = new[]
{
new AzureNative.Cdn.Inputs.MatchConditionArgs
{
MatchValue = new[]
{
"CH",
},
MatchVariable = AzureNative.Cdn.WafMatchVariable.RemoteAddr,
NegateCondition = false,
Operator = AzureNative.Cdn.Operator.GeoMatch,
Transforms = new() { },
},
new AzureNative.Cdn.Inputs.MatchConditionArgs
{
MatchValue = new[]
{
"windows",
},
MatchVariable = AzureNative.Cdn.WafMatchVariable.RequestHeader,
NegateCondition = false,
Operator = AzureNative.Cdn.Operator.Contains,
Selector = "UserAgent",
Transforms = new() { },
},
new AzureNative.Cdn.Inputs.MatchConditionArgs
{
MatchValue = new[]
{
"<?php",
"?>",
},
MatchVariable = AzureNative.Cdn.WafMatchVariable.QueryString,
NegateCondition = false,
Operator = AzureNative.Cdn.Operator.Contains,
Selector = "search",
Transforms = new[]
{
AzureNative.Cdn.TransformType.UrlDecode,
AzureNative.Cdn.TransformType.Lowercase,
},
},
},
Name = "CustomRule1",
Priority = 2,
},
},
},
Location = "WestUs",
ManagedRules = new AzureNative.Cdn.Inputs.ManagedRuleSetListArgs
{
ManagedRuleSets = new[]
{
new AzureNative.Cdn.Inputs.ManagedRuleSetArgs
{
RuleGroupOverrides = new[]
{
new AzureNative.Cdn.Inputs.ManagedRuleGroupOverrideArgs
{
RuleGroupName = "Group1",
Rules = new[]
{
new AzureNative.Cdn.Inputs.ManagedRuleOverrideArgs
{
Action = AzureNative.Cdn.ActionType.Redirect,
EnabledState = AzureNative.Cdn.ManagedRuleEnabledState.Enabled,
RuleId = "GROUP1-0001",
},
new AzureNative.Cdn.Inputs.ManagedRuleOverrideArgs
{
EnabledState = AzureNative.Cdn.ManagedRuleEnabledState.Disabled,
RuleId = "GROUP1-0002",
},
},
},
},
RuleSetType = "DefaultRuleSet",
RuleSetVersion = "preview-1.0",
},
},
},
PolicyName = "MicrosoftCdnWafPolicy",
PolicySettings = new AzureNative.Cdn.Inputs.PolicySettingsArgs
{
DefaultCustomBlockResponseBody = "PGh0bWw+CjxoZWFkZXI+PHRpdGxlPkhlbGxvPC90aXRsZT48L2hlYWRlcj4KPGJvZHk+CkhlbGxvIHdvcmxkCjwvYm9keT4KPC9odG1sPg==",
DefaultCustomBlockResponseStatusCode = 200,
DefaultRedirectUrl = "http://www.bing.com",
},
RateLimitRules = new AzureNative.Cdn.Inputs.RateLimitRuleListArgs
{
Rules = new[]
{
new AzureNative.Cdn.Inputs.RateLimitRuleArgs
{
Action = AzureNative.Cdn.ActionType.Block,
EnabledState = AzureNative.Cdn.CustomRuleEnabledState.Enabled,
MatchConditions = new[]
{
new AzureNative.Cdn.Inputs.MatchConditionArgs
{
MatchValue = new[]
{
"192.168.1.0/24",
"10.0.0.0/24",
},
MatchVariable = AzureNative.Cdn.WafMatchVariable.RemoteAddr,
NegateCondition = false,
Operator = AzureNative.Cdn.Operator.IPMatch,
Transforms = new() { },
},
},
Name = "RateLimitRule1",
Priority = 1,
RateLimitDurationInMinutes = 0,
RateLimitThreshold = 1000,
},
},
},
ResourceGroupName = "rg1",
Sku = new AzureNative.Cdn.Inputs.SkuArgs
{
Name = AzureNative.Cdn.SkuName.Standard_Microsoft,
},
});
});Content copied to clipboard
package main
import (
cdn "github.com/pulumi/pulumi-azure-native-sdk/cdn/v2"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := cdn.NewPolicy(ctx, "policy", &cdn.PolicyArgs{
CustomRules: &cdn.CustomRuleListArgs{
Rules: cdn.CustomRuleArray{
&cdn.CustomRuleArgs{
Action: pulumi.String(cdn.ActionTypeBlock),
EnabledState: pulumi.String(cdn.CustomRuleEnabledStateEnabled),
MatchConditions: cdn.MatchConditionArray{
&cdn.MatchConditionArgs{
MatchValue: pulumi.StringArray{
pulumi.String("CH"),
},
MatchVariable: pulumi.String(cdn.WafMatchVariableRemoteAddr),
NegateCondition: pulumi.Bool(false),
Operator: pulumi.String(cdn.OperatorGeoMatch),
Transforms: pulumi.StringArray{},
},
&cdn.MatchConditionArgs{
MatchValue: pulumi.StringArray{
pulumi.String("windows"),
},
MatchVariable: pulumi.String(cdn.WafMatchVariableRequestHeader),
NegateCondition: pulumi.Bool(false),
Operator: pulumi.String(cdn.OperatorContains),
Selector: pulumi.String("UserAgent"),
Transforms: pulumi.StringArray{},
},
&cdn.MatchConditionArgs{
MatchValue: pulumi.StringArray{
pulumi.String("<?php"),
pulumi.String("?>"),
},
MatchVariable: pulumi.String(cdn.WafMatchVariableQueryString),
NegateCondition: pulumi.Bool(false),
Operator: pulumi.String(cdn.OperatorContains),
Selector: pulumi.String("search"),
Transforms: pulumi.StringArray{
pulumi.String(cdn.TransformTypeUrlDecode),
pulumi.String(cdn.TransformTypeLowercase),
},
},
},
Name: pulumi.String("CustomRule1"),
Priority: pulumi.Int(2),
},
},
},
Location: pulumi.String("WestUs"),
ManagedRules: &cdn.ManagedRuleSetListArgs{
ManagedRuleSets: cdn.ManagedRuleSetArray{
&cdn.ManagedRuleSetArgs{
RuleGroupOverrides: cdn.ManagedRuleGroupOverrideArray{
&cdn.ManagedRuleGroupOverrideArgs{
RuleGroupName: pulumi.String("Group1"),
Rules: cdn.ManagedRuleOverrideArray{
&cdn.ManagedRuleOverrideArgs{
Action: pulumi.String(cdn.ActionTypeRedirect),
EnabledState: pulumi.String(cdn.ManagedRuleEnabledStateEnabled),
RuleId: pulumi.String("GROUP1-0001"),
},
&cdn.ManagedRuleOverrideArgs{
EnabledState: pulumi.String(cdn.ManagedRuleEnabledStateDisabled),
RuleId: pulumi.String("GROUP1-0002"),
},
},
},
},
RuleSetType: pulumi.String("DefaultRuleSet"),
RuleSetVersion: pulumi.String("preview-1.0"),
},
},
},
PolicyName: pulumi.String("MicrosoftCdnWafPolicy"),
PolicySettings: &cdn.PolicySettingsArgs{
DefaultCustomBlockResponseBody: pulumi.String("PGh0bWw+CjxoZWFkZXI+PHRpdGxlPkhlbGxvPC90aXRsZT48L2hlYWRlcj4KPGJvZHk+CkhlbGxvIHdvcmxkCjwvYm9keT4KPC9odG1sPg=="),
DefaultCustomBlockResponseStatusCode: pulumi.Int(200),
DefaultRedirectUrl: pulumi.String("http://www.bing.com"),
},
RateLimitRules: &cdn.RateLimitRuleListArgs{
Rules: cdn.RateLimitRuleArray{
&cdn.RateLimitRuleArgs{
Action: pulumi.String(cdn.ActionTypeBlock),
EnabledState: pulumi.String(cdn.CustomRuleEnabledStateEnabled),
MatchConditions: cdn.MatchConditionArray{
&cdn.MatchConditionArgs{
MatchValue: pulumi.StringArray{
pulumi.String("192.168.1.0/24"),
pulumi.String("10.0.0.0/24"),
},
MatchVariable: pulumi.String(cdn.WafMatchVariableRemoteAddr),
NegateCondition: pulumi.Bool(false),
Operator: pulumi.String(cdn.OperatorIPMatch),
Transforms: pulumi.StringArray{},
},
},
Name: pulumi.String("RateLimitRule1"),
Priority: pulumi.Int(1),
RateLimitDurationInMinutes: pulumi.Int(0),
RateLimitThreshold: pulumi.Int(1000),
},
},
},
ResourceGroupName: pulumi.String("rg1"),
Sku: &cdn.SkuArgs{
Name: pulumi.String(cdn.SkuName_Standard_Microsoft),
},
})
if err != nil {
return err
}
return nil
})
}Content copied to clipboard
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.cdn.Policy;
import com.pulumi.azurenative.cdn.PolicyArgs;
import com.pulumi.azurenative.cdn.inputs.CustomRuleListArgs;
import com.pulumi.azurenative.cdn.inputs.ManagedRuleSetListArgs;
import com.pulumi.azurenative.cdn.inputs.PolicySettingsArgs;
import com.pulumi.azurenative.cdn.inputs.RateLimitRuleListArgs;
import com.pulumi.azurenative.cdn.inputs.SkuArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var policy = new Policy("policy", PolicyArgs.builder()
.customRules(CustomRuleListArgs.builder()
.rules(CustomRuleArgs.builder()
.action("Block")
.enabledState("Enabled")
.matchConditions(
MatchConditionArgs.builder()
.matchValue("CH")
.matchVariable("RemoteAddr")
.negateCondition(false)
.operator("GeoMatch")
.transforms()
.build(),
MatchConditionArgs.builder()
.matchValue("windows")
.matchVariable("RequestHeader")
.negateCondition(false)
.operator("Contains")
.selector("UserAgent")
.transforms()
.build(),
MatchConditionArgs.builder()
.matchValue(
"<?php",
"?>")
.matchVariable("QueryString")
.negateCondition(false)
.operator("Contains")
.selector("search")
.transforms(
"UrlDecode",
"Lowercase")
.build())
.name("CustomRule1")
.priority(2)
.build())
.build())
.location("WestUs")
.managedRules(ManagedRuleSetListArgs.builder()
.managedRuleSets(ManagedRuleSetArgs.builder()
.ruleGroupOverrides(ManagedRuleGroupOverrideArgs.builder()
.ruleGroupName("Group1")
.rules(
ManagedRuleOverrideArgs.builder()
.action("Redirect")
.enabledState("Enabled")
.ruleId("GROUP1-0001")
.build(),
ManagedRuleOverrideArgs.builder()
.enabledState("Disabled")
.ruleId("GROUP1-0002")
.build())
.build())
.ruleSetType("DefaultRuleSet")
.ruleSetVersion("preview-1.0")
.build())
.build())
.policyName("MicrosoftCdnWafPolicy")
.policySettings(PolicySettingsArgs.builder()
.defaultCustomBlockResponseBody("PGh0bWw+CjxoZWFkZXI+PHRpdGxlPkhlbGxvPC90aXRsZT48L2hlYWRlcj4KPGJvZHk+CkhlbGxvIHdvcmxkCjwvYm9keT4KPC9odG1sPg==")
.defaultCustomBlockResponseStatusCode(200)
.defaultRedirectUrl("http://www.bing.com")
.build())
.rateLimitRules(RateLimitRuleListArgs.builder()
.rules(RateLimitRuleArgs.builder()
.action("Block")
.enabledState("Enabled")
.matchConditions(MatchConditionArgs.builder()
.matchValue(
"192.168.1.0/24",
"10.0.0.0/24")
.matchVariable("RemoteAddr")
.negateCondition(false)
.operator("IPMatch")
.transforms()
.build())
.name("RateLimitRule1")
.priority(1)
.rateLimitDurationInMinutes(0)
.rateLimitThreshold(1000)
.build())
.build())
.resourceGroupName("rg1")
.sku(SkuArgs.builder()
.name("Standard_Microsoft")
.build())
.build());
}
}Content copied to clipboard
Import
An existing resource can be imported using its type token, name, and identifier, e.g.
$ pulumi import azure-native:cdn:Policy MicrosoftCdnWafPolicy /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Cdn/cdnWebApplicationFirewallPolicies/{policyName}Content copied to clipboard
Properties
Link copied to clipboard
The Azure API version of the resource.
Link copied to clipboard
Describes custom rules inside the policy.
Link copied to clipboard
Describes Azure CDN endpoints associated with this Web Application Firewall policy.
Link copied to clipboard
Key-Value pair representing additional properties for Web Application Firewall policy.
Link copied to clipboard
Describes managed rules inside the policy.
Link copied to clipboard
Describes policySettings for policy
Link copied to clipboard
Provisioning state of the WebApplicationFirewallPolicy.
Link copied to clipboard
Link copied to clipboard
Link copied to clipboard
Link copied to clipboard
Describes rate limit rules inside the policy.
Link copied to clipboard
Link copied to clipboard
The pricing tier (defines a CDN provider, feature list and rate) of the CdnWebApplicationFirewallPolicy.
Link copied to clipboard
Read only system data