Web
data class WebApplicationFirewallPolicyArgs(val customRules: Output<List<WebApplicationFirewallCustomRuleArgs>>? = null, val id: Output<String>? = null, val location: Output<String>? = null, val managedRules: Output<ManagedRulesDefinitionArgs>? = null, val policyName: Output<String>? = null, val policySettings: Output<PolicySettingsArgs>? = null, val resourceGroupName: Output<String>? = null, val tags: Output<Map<String, String>>? = null) : ConvertibleToJava<WebApplicationFirewallPolicyArgs>
Defines web application firewall policy. Uses Azure REST API version 2024-05-01. In version 2.x of the Azure Native provider, it used API version 2023-02-01. Other available API versions: 2018-12-01, 2019-02-01, 2019-04-01, 2019-06-01, 2019-07-01, 2019-08-01, 2019-09-01, 2019-11-01, 2019-12-01, 2020-03-01, 2020-04-01, 2020-05-01, 2020-06-01, 2020-07-01, 2020-08-01, 2020-11-01, 2021-02-01, 2021-03-01, 2021-05-01, 2021-08-01, 2022-01-01, 2022-05-01, 2022-07-01, 2022-09-01, 2022-11-01, 2023-02-01, 2023-04-01, 2023-05-01, 2023-06-01, 2023-09-01, 2023-11-01, 2024-01-01, 2024-03-01, 2024-07-01. These can be accessed by generating a local SDK package using the CLI command pulumi package add azure-native network [ApiVersion]. See the ../../../version-guide/#accessing-any-api-version-via-local-packages for details.
Example Usage
Creates or updates a WAF policy within a resource group
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
return await Deployment.RunAsync(() =>
{
var webApplicationFirewallPolicy = new AzureNative.Network.WebApplicationFirewallPolicy("webApplicationFirewallPolicy", new()
{
CustomRules = new[]
{
new AzureNative.Network.Inputs.WebApplicationFirewallCustomRuleArgs
{
Action = AzureNative.Network.WebApplicationFirewallAction.Block,
MatchConditions = new[]
{
new AzureNative.Network.Inputs.MatchConditionArgs
{
MatchValues = new[]
{
"192.168.1.0/24",
"10.0.0.0/24",
},
MatchVariables = new[]
{
new AzureNative.Network.Inputs.MatchVariableArgs
{
VariableName = AzureNative.Network.WebApplicationFirewallMatchVariable.RemoteAddr,
},
},
Operator = AzureNative.Network.WebApplicationFirewallOperator.IPMatch,
},
},
Name = "Rule1",
Priority = 1,
RuleType = AzureNative.Network.WebApplicationFirewallRuleType.MatchRule,
},
new AzureNative.Network.Inputs.WebApplicationFirewallCustomRuleArgs
{
Action = AzureNative.Network.WebApplicationFirewallAction.Block,
MatchConditions = new[]
{
new AzureNative.Network.Inputs.MatchConditionArgs
{
MatchValues = new[]
{
"192.168.1.0/24",
},
MatchVariables = new[]
{
new AzureNative.Network.Inputs.MatchVariableArgs
{
VariableName = AzureNative.Network.WebApplicationFirewallMatchVariable.RemoteAddr,
},
},
Operator = AzureNative.Network.WebApplicationFirewallOperator.IPMatch,
},
new AzureNative.Network.Inputs.MatchConditionArgs
{
MatchValues = new[]
{
"Windows",
},
MatchVariables = new[]
{
new AzureNative.Network.Inputs.MatchVariableArgs
{
Selector = "UserAgent",
VariableName = AzureNative.Network.WebApplicationFirewallMatchVariable.RequestHeaders,
},
},
Operator = AzureNative.Network.WebApplicationFirewallOperator.Contains,
},
},
Name = "Rule2",
Priority = 2,
RuleType = AzureNative.Network.WebApplicationFirewallRuleType.MatchRule,
},
new AzureNative.Network.Inputs.WebApplicationFirewallCustomRuleArgs
{
Action = AzureNative.Network.WebApplicationFirewallAction.Block,
GroupByUserSession = new[]
{
new AzureNative.Network.Inputs.GroupByUserSessionArgs
{
GroupByVariables = new[]
{
new AzureNative.Network.Inputs.GroupByVariableArgs
{
VariableName = AzureNative.Network.ApplicationGatewayFirewallUserSessionVariable.ClientAddr,
},
},
},
},
MatchConditions = new[]
{
new AzureNative.Network.Inputs.MatchConditionArgs
{
MatchValues = new[]
{
"192.168.1.0/24",
"10.0.0.0/24",
},
MatchVariables = new[]
{
new AzureNative.Network.Inputs.MatchVariableArgs
{
VariableName = AzureNative.Network.WebApplicationFirewallMatchVariable.RemoteAddr,
},
},
NegationConditon = true,
Operator = AzureNative.Network.WebApplicationFirewallOperator.IPMatch,
},
},
Name = "RateLimitRule3",
Priority = 3,
RateLimitDuration = AzureNative.Network.ApplicationGatewayFirewallRateLimitDuration.OneMin,
RateLimitThreshold = 10,
RuleType = AzureNative.Network.WebApplicationFirewallRuleType.RateLimitRule,
},
new AzureNative.Network.Inputs.WebApplicationFirewallCustomRuleArgs
{
Action = AzureNative.Network.WebApplicationFirewallAction.JSChallenge,
MatchConditions = new[]
{
new AzureNative.Network.Inputs.MatchConditionArgs
{
MatchValues = new[]
{
"192.168.1.0/24",
},
MatchVariables = new[]
{
new AzureNative.Network.Inputs.MatchVariableArgs
{
VariableName = AzureNative.Network.WebApplicationFirewallMatchVariable.RemoteAddr,
},
},
Operator = AzureNative.Network.WebApplicationFirewallOperator.IPMatch,
},
new AzureNative.Network.Inputs.MatchConditionArgs
{
MatchValues = new[]
{
"Bot",
},
MatchVariables = new[]
{
new AzureNative.Network.Inputs.MatchVariableArgs
{
Selector = "UserAgent",
VariableName = AzureNative.Network.WebApplicationFirewallMatchVariable.RequestHeaders,
},
},
Operator = AzureNative.Network.WebApplicationFirewallOperator.Contains,
},
},
Name = "Rule4",
Priority = 4,
RuleType = AzureNative.Network.WebApplicationFirewallRuleType.MatchRule,
},
},
Location = "WestUs",
ManagedRules = new AzureNative.Network.Inputs.ManagedRulesDefinitionArgs
{
Exceptions = new[]
{
new AzureNative.Network.Inputs.ExceptionEntryArgs
{
ExceptionManagedRuleSets = new[]
{
new AzureNative.Network.Inputs.ExclusionManagedRuleSetArgs
{
RuleSetType = "OWASP",
RuleSetVersion = "3.2",
},
},
MatchVariable = AzureNative.Network.ExceptionEntryMatchVariable.RequestURI,
ValueMatchOperator = AzureNative.Network.ExceptionEntryValueMatchOperator.Contains,
Values = new[]
{
"health",
"account/images",
"default.aspx",
},
},
new AzureNative.Network.Inputs.ExceptionEntryArgs
{
ExceptionManagedRuleSets = new[]
{
new AzureNative.Network.Inputs.ExclusionManagedRuleSetArgs
{
RuleGroups = new[]
{
new AzureNative.Network.Inputs.ExclusionManagedRuleGroupArgs
{
RuleGroupName = "REQUEST-932-APPLICATION-ATTACK-RCE",
},
},
RuleSetType = "OWASP",
RuleSetVersion = "3.2",
},
},
MatchVariable = AzureNative.Network.ExceptionEntryMatchVariable.RequestHeader,
Selector = "User-Agent",
SelectorMatchOperator = AzureNative.Network.ExceptionEntrySelectorMatchOperator.StartsWith,
ValueMatchOperator = AzureNative.Network.ExceptionEntryValueMatchOperator.Contains,
Values = new[]
{
"Mozilla/5.0",
"Chrome/122.0.0.0",
},
},
new AzureNative.Network.Inputs.ExceptionEntryArgs
{
ExceptionManagedRuleSets = new[]
{
new AzureNative.Network.Inputs.ExclusionManagedRuleSetArgs
{
RuleGroups = new[]
{
new AzureNative.Network.Inputs.ExclusionManagedRuleGroupArgs
{
RuleGroupName = "BadBots",
Rules = new[]
{
new AzureNative.Network.Inputs.ExclusionManagedRuleArgs
{
RuleId = "100100",
},
},
},
},
RuleSetType = "Microsoft_BotManagerRuleSet",
RuleSetVersion = "1.0",
},
},
MatchVariable = AzureNative.Network.ExceptionEntryMatchVariable.RemoteAddr,
ValueMatchOperator = AzureNative.Network.ExceptionEntryValueMatchOperator.IPMatch,
Values = new[]
{
"1.2.3.4",
"10.0.0.1/6",
},
},
},
Exclusions = new[]
{
new AzureNative.Network.Inputs.OwaspCrsExclusionEntryArgs
{
ExclusionManagedRuleSets = new[]
{
new AzureNative.Network.Inputs.ExclusionManagedRuleSetArgs
{
RuleGroups = new[]
{
new AzureNative.Network.Inputs.ExclusionManagedRuleGroupArgs
{
RuleGroupName = "REQUEST-930-APPLICATION-ATTACK-LFI",
Rules = new[]
{
new AzureNative.Network.Inputs.ExclusionManagedRuleArgs
{
RuleId = "930120",
},
},
},
new AzureNative.Network.Inputs.ExclusionManagedRuleGroupArgs
{
RuleGroupName = "REQUEST-932-APPLICATION-ATTACK-RCE",
},
},
RuleSetType = "OWASP",
RuleSetVersion = "3.2",
},
},
MatchVariable = AzureNative.Network.OwaspCrsExclusionEntryMatchVariable.RequestArgNames,
Selector = "hello",
SelectorMatchOperator = AzureNative.Network.OwaspCrsExclusionEntrySelectorMatchOperator.StartsWith,
},
new AzureNative.Network.Inputs.OwaspCrsExclusionEntryArgs
{
ExclusionManagedRuleSets = new[]
{
new AzureNative.Network.Inputs.ExclusionManagedRuleSetArgs
{
RuleGroups = new() { },
RuleSetType = "OWASP",
RuleSetVersion = "3.1",
},
},
MatchVariable = AzureNative.Network.OwaspCrsExclusionEntryMatchVariable.RequestArgNames,
Selector = "hello",
SelectorMatchOperator = AzureNative.Network.OwaspCrsExclusionEntrySelectorMatchOperator.EndsWith,
},
new AzureNative.Network.Inputs.OwaspCrsExclusionEntryArgs
{
MatchVariable = AzureNative.Network.OwaspCrsExclusionEntryMatchVariable.RequestArgNames,
Selector = "test",
SelectorMatchOperator = AzureNative.Network.OwaspCrsExclusionEntrySelectorMatchOperator.StartsWith,
},
new AzureNative.Network.Inputs.OwaspCrsExclusionEntryArgs
{
MatchVariable = AzureNative.Network.OwaspCrsExclusionEntryMatchVariable.RequestArgValues,
Selector = "test",
SelectorMatchOperator = AzureNative.Network.OwaspCrsExclusionEntrySelectorMatchOperator.StartsWith,
},
},
ManagedRuleSets = new[]
{
new AzureNative.Network.Inputs.ManagedRuleSetArgs
{
RuleGroupOverrides = new[]
{
new AzureNative.Network.Inputs.ManagedRuleGroupOverrideArgs
{
RuleGroupName = "REQUEST-931-APPLICATION-ATTACK-RFI",
Rules = new[]
{
new AzureNative.Network.Inputs.ManagedRuleOverrideArgs
{
Action = AzureNative.Network.ActionType.Log,
RuleId = "931120",
State = AzureNative.Network.ManagedRuleEnabledState.Enabled,
},
new AzureNative.Network.Inputs.ManagedRuleOverrideArgs
{
Action = AzureNative.Network.ActionType.AnomalyScoring,
RuleId = "931130",
State = AzureNative.Network.ManagedRuleEnabledState.Disabled,
},
},
},
},
RuleSetType = "OWASP",
RuleSetVersion = "3.2",
},
new AzureNative.Network.Inputs.ManagedRuleSetArgs
{
RuleGroupOverrides = new[]
{
new AzureNative.Network.Inputs.ManagedRuleGroupOverrideArgs
{
RuleGroupName = "UnknownBots",
Rules = new[]
{
new AzureNative.Network.Inputs.ManagedRuleOverrideArgs
{
Action = AzureNative.Network.ActionType.JSChallenge,
RuleId = "300700",
State = AzureNative.Network.ManagedRuleEnabledState.Enabled,
},
},
},
},
RuleSetType = "Microsoft_BotManagerRuleSet",
RuleSetVersion = "1.0",
},
new AzureNative.Network.Inputs.ManagedRuleSetArgs
{
RuleGroupOverrides = new[]
{
new AzureNative.Network.Inputs.ManagedRuleGroupOverrideArgs
{
RuleGroupName = "ExcessiveRequests",
Rules = new[]
{
new AzureNative.Network.Inputs.ManagedRuleOverrideArgs
{
Action = AzureNative.Network.ActionType.Block,
RuleId = "500100",
Sensitivity = AzureNative.Network.SensitivityType.High,
State = AzureNative.Network.ManagedRuleEnabledState.Enabled,
},
},
},
},
RuleSetType = "Microsoft_HTTPDDoSRuleSet",
RuleSetVersion = "1.0",
},
},
},
PolicyName = "Policy1",
PolicySettings = new AzureNative.Network.Inputs.PolicySettingsArgs
{
JsChallengeCookieExpirationInMins = 100,
LogScrubbing = new AzureNative.Network.Inputs.PolicySettingsLogScrubbingArgs
{
ScrubbingRules = new[]
{
new AzureNative.Network.Inputs.WebApplicationFirewallScrubbingRulesArgs
{
MatchVariable = AzureNative.Network.ScrubbingRuleEntryMatchVariable.RequestArgNames,
Selector = "test",
SelectorMatchOperator = AzureNative.Network.ScrubbingRuleEntryMatchOperator.EqualsValue,
State = AzureNative.Network.ScrubbingRuleEntryState.Enabled,
},
new AzureNative.Network.Inputs.WebApplicationFirewallScrubbingRulesArgs
{
MatchVariable = AzureNative.Network.ScrubbingRuleEntryMatchVariable.RequestIPAddress,
SelectorMatchOperator = AzureNative.Network.ScrubbingRuleEntryMatchOperator.EqualsAny,
State = AzureNative.Network.ScrubbingRuleEntryState.Enabled,
},
},
State = AzureNative.Network.WebApplicationFirewallScrubbingState.Enabled,
},
},
ResourceGroupName = "rg1",
});
});Content copied to clipboard
package main
import (
network "github.com/pulumi/pulumi-azure-native-sdk/network/v3"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := network.NewWebApplicationFirewallPolicy(ctx, "webApplicationFirewallPolicy", &network.WebApplicationFirewallPolicyArgs{
CustomRules: network.WebApplicationFirewallCustomRuleArray{
&network.WebApplicationFirewallCustomRuleArgs{
Action: pulumi.String(network.WebApplicationFirewallActionBlock),
MatchConditions: network.MatchConditionArray{
&network.MatchConditionArgs{
MatchValues: pulumi.StringArray{
pulumi.String("192.168.1.0/24"),
pulumi.String("10.0.0.0/24"),
},
MatchVariables: network.MatchVariableArray{
&network.MatchVariableArgs{
VariableName: pulumi.String(network.WebApplicationFirewallMatchVariableRemoteAddr),
},
},
Operator: pulumi.String(network.WebApplicationFirewallOperatorIPMatch),
},
},
Name: pulumi.String("Rule1"),
Priority: pulumi.Int(1),
RuleType: pulumi.String(network.WebApplicationFirewallRuleTypeMatchRule),
},
&network.WebApplicationFirewallCustomRuleArgs{
Action: pulumi.String(network.WebApplicationFirewallActionBlock),
MatchConditions: network.MatchConditionArray{
&network.MatchConditionArgs{
MatchValues: pulumi.StringArray{
pulumi.String("192.168.1.0/24"),
},
MatchVariables: network.MatchVariableArray{
&network.MatchVariableArgs{
VariableName: pulumi.String(network.WebApplicationFirewallMatchVariableRemoteAddr),
},
},
Operator: pulumi.String(network.WebApplicationFirewallOperatorIPMatch),
},
&network.MatchConditionArgs{
MatchValues: pulumi.StringArray{
pulumi.String("Windows"),
},
MatchVariables: network.MatchVariableArray{
&network.MatchVariableArgs{
Selector: pulumi.String("UserAgent"),
VariableName: pulumi.String(network.WebApplicationFirewallMatchVariableRequestHeaders),
},
},
Operator: pulumi.String(network.WebApplicationFirewallOperatorContains),
},
},
Name: pulumi.String("Rule2"),
Priority: pulumi.Int(2),
RuleType: pulumi.String(network.WebApplicationFirewallRuleTypeMatchRule),
},
&network.WebApplicationFirewallCustomRuleArgs{
Action: pulumi.String(network.WebApplicationFirewallActionBlock),
GroupByUserSession: network.GroupByUserSessionArray{
&network.GroupByUserSessionArgs{
GroupByVariables: network.GroupByVariableArray{
&network.GroupByVariableArgs{
VariableName: pulumi.String(network.ApplicationGatewayFirewallUserSessionVariableClientAddr),
},
},
},
},
MatchConditions: network.MatchConditionArray{
&network.MatchConditionArgs{
MatchValues: pulumi.StringArray{
pulumi.String("192.168.1.0/24"),
pulumi.String("10.0.0.0/24"),
},
MatchVariables: network.MatchVariableArray{
&network.MatchVariableArgs{
VariableName: pulumi.String(network.WebApplicationFirewallMatchVariableRemoteAddr),
},
},
NegationConditon: pulumi.Bool(true),
Operator: pulumi.String(network.WebApplicationFirewallOperatorIPMatch),
},
},
Name: pulumi.String("RateLimitRule3"),
Priority: pulumi.Int(3),
RateLimitDuration: pulumi.String(network.ApplicationGatewayFirewallRateLimitDurationOneMin),
RateLimitThreshold: pulumi.Int(10),
RuleType: pulumi.String(network.WebApplicationFirewallRuleTypeRateLimitRule),
},
&network.WebApplicationFirewallCustomRuleArgs{
Action: pulumi.String(network.WebApplicationFirewallActionJSChallenge),
MatchConditions: network.MatchConditionArray{
&network.MatchConditionArgs{
MatchValues: pulumi.StringArray{
pulumi.String("192.168.1.0/24"),
},
MatchVariables: network.MatchVariableArray{
&network.MatchVariableArgs{
VariableName: pulumi.String(network.WebApplicationFirewallMatchVariableRemoteAddr),
},
},
Operator: pulumi.String(network.WebApplicationFirewallOperatorIPMatch),
},
&network.MatchConditionArgs{
MatchValues: pulumi.StringArray{
pulumi.String("Bot"),
},
MatchVariables: network.MatchVariableArray{
&network.MatchVariableArgs{
Selector: pulumi.String("UserAgent"),
VariableName: pulumi.String(network.WebApplicationFirewallMatchVariableRequestHeaders),
},
},
Operator: pulumi.String(network.WebApplicationFirewallOperatorContains),
},
},
Name: pulumi.String("Rule4"),
Priority: pulumi.Int(4),
RuleType: pulumi.String(network.WebApplicationFirewallRuleTypeMatchRule),
},
},
Location: pulumi.String("WestUs"),
ManagedRules: &network.ManagedRulesDefinitionArgs{
Exceptions: network.ExceptionEntryArray{
&network.ExceptionEntryArgs{
ExceptionManagedRuleSets: network.ExclusionManagedRuleSetArray{
&network.ExclusionManagedRuleSetArgs{
RuleSetType: pulumi.String("OWASP"),
RuleSetVersion: pulumi.String("3.2"),
},
},
MatchVariable: pulumi.String(network.ExceptionEntryMatchVariableRequestURI),
ValueMatchOperator: pulumi.String(network.ExceptionEntryValueMatchOperatorContains),
Values: pulumi.StringArray{
pulumi.String("health"),
pulumi.String("account/images"),
pulumi.String("default.aspx"),
},
},
&network.ExceptionEntryArgs{
ExceptionManagedRuleSets: network.ExclusionManagedRuleSetArray{
&network.ExclusionManagedRuleSetArgs{
RuleGroups: network.ExclusionManagedRuleGroupArray{
&network.ExclusionManagedRuleGroupArgs{
RuleGroupName: pulumi.String("REQUEST-932-APPLICATION-ATTACK-RCE"),
},
},
RuleSetType: pulumi.String("OWASP"),
RuleSetVersion: pulumi.String("3.2"),
},
},
MatchVariable: pulumi.String(network.ExceptionEntryMatchVariableRequestHeader),
Selector: pulumi.String("User-Agent"),
SelectorMatchOperator: pulumi.String(network.ExceptionEntrySelectorMatchOperatorStartsWith),
ValueMatchOperator: pulumi.String(network.ExceptionEntryValueMatchOperatorContains),
Values: pulumi.StringArray{
pulumi.String("Mozilla/5.0"),
pulumi.String("Chrome/122.0.0.0"),
},
},
&network.ExceptionEntryArgs{
ExceptionManagedRuleSets: network.ExclusionManagedRuleSetArray{
&network.ExclusionManagedRuleSetArgs{
RuleGroups: network.ExclusionManagedRuleGroupArray{
&network.ExclusionManagedRuleGroupArgs{
RuleGroupName: pulumi.String("BadBots"),
Rules: network.ExclusionManagedRuleArray{
&network.ExclusionManagedRuleArgs{
RuleId: pulumi.String("100100"),
},
},
},
},
RuleSetType: pulumi.String("Microsoft_BotManagerRuleSet"),
RuleSetVersion: pulumi.String("1.0"),
},
},
MatchVariable: pulumi.String(network.ExceptionEntryMatchVariableRemoteAddr),
ValueMatchOperator: pulumi.String(network.ExceptionEntryValueMatchOperatorIPMatch),
Values: pulumi.StringArray{
pulumi.String("1.2.3.4"),
pulumi.String("10.0.0.1/6"),
},
},
},
Exclusions: network.OwaspCrsExclusionEntryArray{
&network.OwaspCrsExclusionEntryArgs{
ExclusionManagedRuleSets: network.ExclusionManagedRuleSetArray{
&network.ExclusionManagedRuleSetArgs{
RuleGroups: network.ExclusionManagedRuleGroupArray{
&network.ExclusionManagedRuleGroupArgs{
RuleGroupName: pulumi.String("REQUEST-930-APPLICATION-ATTACK-LFI"),
Rules: network.ExclusionManagedRuleArray{
&network.ExclusionManagedRuleArgs{
RuleId: pulumi.String("930120"),
},
},
},
&network.ExclusionManagedRuleGroupArgs{
RuleGroupName: pulumi.String("REQUEST-932-APPLICATION-ATTACK-RCE"),
},
},
RuleSetType: pulumi.String("OWASP"),
RuleSetVersion: pulumi.String("3.2"),
},
},
MatchVariable: pulumi.String(network.OwaspCrsExclusionEntryMatchVariableRequestArgNames),
Selector: pulumi.String("hello"),
SelectorMatchOperator: pulumi.String(network.OwaspCrsExclusionEntrySelectorMatchOperatorStartsWith),
},
&network.OwaspCrsExclusionEntryArgs{
ExclusionManagedRuleSets: network.ExclusionManagedRuleSetArray{
&network.ExclusionManagedRuleSetArgs{
RuleGroups: network.ExclusionManagedRuleGroupArray{},
RuleSetType: pulumi.String("OWASP"),
RuleSetVersion: pulumi.String("3.1"),
},
},
MatchVariable: pulumi.String(network.OwaspCrsExclusionEntryMatchVariableRequestArgNames),
Selector: pulumi.String("hello"),
SelectorMatchOperator: pulumi.String(network.OwaspCrsExclusionEntrySelectorMatchOperatorEndsWith),
},
&network.OwaspCrsExclusionEntryArgs{
MatchVariable: pulumi.String(network.OwaspCrsExclusionEntryMatchVariableRequestArgNames),
Selector: pulumi.String("test"),
SelectorMatchOperator: pulumi.String(network.OwaspCrsExclusionEntrySelectorMatchOperatorStartsWith),
},
&network.OwaspCrsExclusionEntryArgs{
MatchVariable: pulumi.String(network.OwaspCrsExclusionEntryMatchVariableRequestArgValues),
Selector: pulumi.String("test"),
SelectorMatchOperator: pulumi.String(network.OwaspCrsExclusionEntrySelectorMatchOperatorStartsWith),
},
},
ManagedRuleSets: network.ManagedRuleSetArray{
&network.ManagedRuleSetArgs{
RuleGroupOverrides: network.ManagedRuleGroupOverrideArray{
&network.ManagedRuleGroupOverrideArgs{
RuleGroupName: pulumi.String("REQUEST-931-APPLICATION-ATTACK-RFI"),
Rules: network.ManagedRuleOverrideArray{
&network.ManagedRuleOverrideArgs{
Action: pulumi.String(network.ActionTypeLog),
RuleId: pulumi.String("931120"),
State: pulumi.String(network.ManagedRuleEnabledStateEnabled),
},
&network.ManagedRuleOverrideArgs{
Action: pulumi.String(network.ActionTypeAnomalyScoring),
RuleId: pulumi.String("931130"),
State: pulumi.String(network.ManagedRuleEnabledStateDisabled),
},
},
},
},
RuleSetType: pulumi.String("OWASP"),
RuleSetVersion: pulumi.String("3.2"),
},
&network.ManagedRuleSetArgs{
RuleGroupOverrides: network.ManagedRuleGroupOverrideArray{
&network.ManagedRuleGroupOverrideArgs{
RuleGroupName: pulumi.String("UnknownBots"),
Rules: network.ManagedRuleOverrideArray{
&network.ManagedRuleOverrideArgs{
Action: pulumi.String(network.ActionTypeJSChallenge),
RuleId: pulumi.String("300700"),
State: pulumi.String(network.ManagedRuleEnabledStateEnabled),
},
},
},
},
RuleSetType: pulumi.String("Microsoft_BotManagerRuleSet"),
RuleSetVersion: pulumi.String("1.0"),
},
&network.ManagedRuleSetArgs{
RuleGroupOverrides: network.ManagedRuleGroupOverrideArray{
&network.ManagedRuleGroupOverrideArgs{
RuleGroupName: pulumi.String("ExcessiveRequests"),
Rules: network.ManagedRuleOverrideArray{
&network.ManagedRuleOverrideArgs{
Action: pulumi.String(network.ActionTypeBlock),
RuleId: pulumi.String("500100"),
Sensitivity: pulumi.String(network.SensitivityTypeHigh),
State: pulumi.String(network.ManagedRuleEnabledStateEnabled),
},
},
},
},
RuleSetType: pulumi.String("Microsoft_HTTPDDoSRuleSet"),
RuleSetVersion: pulumi.String("1.0"),
},
},
},
PolicyName: pulumi.String("Policy1"),
PolicySettings: &network.PolicySettingsArgs{
JsChallengeCookieExpirationInMins: pulumi.Int(100),
LogScrubbing: &network.PolicySettingsLogScrubbingArgs{
ScrubbingRules: network.WebApplicationFirewallScrubbingRulesArray{
&network.WebApplicationFirewallScrubbingRulesArgs{
MatchVariable: pulumi.String(network.ScrubbingRuleEntryMatchVariableRequestArgNames),
Selector: pulumi.String("test"),
SelectorMatchOperator: pulumi.String(network.ScrubbingRuleEntryMatchOperatorEquals),
State: pulumi.String(network.ScrubbingRuleEntryStateEnabled),
},
&network.WebApplicationFirewallScrubbingRulesArgs{
MatchVariable: pulumi.String(network.ScrubbingRuleEntryMatchVariableRequestIPAddress),
SelectorMatchOperator: pulumi.String(network.ScrubbingRuleEntryMatchOperatorEqualsAny),
State: pulumi.String(network.ScrubbingRuleEntryStateEnabled),
},
},
State: pulumi.String(network.WebApplicationFirewallScrubbingStateEnabled),
},
},
ResourceGroupName: pulumi.String("rg1"),
})
if err != nil {
return err
}
return nil
})
}Content copied to clipboard
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.network.WebApplicationFirewallPolicy;
import com.pulumi.azurenative.network.WebApplicationFirewallPolicyArgs;
import com.pulumi.azurenative.network.inputs.WebApplicationFirewallCustomRuleArgs;
import com.pulumi.azurenative.network.inputs.ManagedRulesDefinitionArgs;
import com.pulumi.azurenative.network.inputs.PolicySettingsArgs;
import com.pulumi.azurenative.network.inputs.PolicySettingsLogScrubbingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var webApplicationFirewallPolicy = new WebApplicationFirewallPolicy("webApplicationFirewallPolicy", WebApplicationFirewallPolicyArgs.builder()
.customRules(
WebApplicationFirewallCustomRuleArgs.builder()
.action("Block")
.matchConditions(MatchConditionArgs.builder()
.matchValues(
"192.168.1.0/24",
"10.0.0.0/24")
.matchVariables(MatchVariableArgs.builder()
.variableName("RemoteAddr")
.build())
.operator("IPMatch")
.build())
.name("Rule1")
.priority(1)
.ruleType("MatchRule")
.build(),
WebApplicationFirewallCustomRuleArgs.builder()
.action("Block")
.matchConditions(
MatchConditionArgs.builder()
.matchValues("192.168.1.0/24")
.matchVariables(MatchVariableArgs.builder()
.variableName("RemoteAddr")
.build())
.operator("IPMatch")
.build(),
MatchConditionArgs.builder()
.matchValues("Windows")
.matchVariables(MatchVariableArgs.builder()
.selector("UserAgent")
.variableName("RequestHeaders")
.build())
.operator("Contains")
.build())
.name("Rule2")
.priority(2)
.ruleType("MatchRule")
.build(),
WebApplicationFirewallCustomRuleArgs.builder()
.action("Block")
.groupByUserSession(GroupByUserSessionArgs.builder()
.groupByVariables(GroupByVariableArgs.builder()
.variableName("ClientAddr")
.build())
.build())
.matchConditions(MatchConditionArgs.builder()
.matchValues(
"192.168.1.0/24",
"10.0.0.0/24")
.matchVariables(MatchVariableArgs.builder()
.variableName("RemoteAddr")
.build())
.negationConditon(true)
.operator("IPMatch")
.build())
.name("RateLimitRule3")
.priority(3)
.rateLimitDuration("OneMin")
.rateLimitThreshold(10)
.ruleType("RateLimitRule")
.build(),
WebApplicationFirewallCustomRuleArgs.builder()
.action("JSChallenge")
.matchConditions(
MatchConditionArgs.builder()
.matchValues("192.168.1.0/24")
.matchVariables(MatchVariableArgs.builder()
.variableName("RemoteAddr")
.build())
.operator("IPMatch")
.build(),
MatchConditionArgs.builder()
.matchValues("Bot")
.matchVariables(MatchVariableArgs.builder()
.selector("UserAgent")
.variableName("RequestHeaders")
.build())
.operator("Contains")
.build())
.name("Rule4")
.priority(4)
.ruleType("MatchRule")
.build())
.location("WestUs")
.managedRules(ManagedRulesDefinitionArgs.builder()
.exceptions(
ExceptionEntryArgs.builder()
.exceptionManagedRuleSets(ExclusionManagedRuleSetArgs.builder()
.ruleSetType("OWASP")
.ruleSetVersion("3.2")
.build())
.matchVariable("RequestURI")
.valueMatchOperator("Contains")
.values(
"health",
"account/images",
"default.aspx")
.build(),
ExceptionEntryArgs.builder()
.exceptionManagedRuleSets(ExclusionManagedRuleSetArgs.builder()
.ruleGroups(ExclusionManagedRuleGroupArgs.builder()
.ruleGroupName("REQUEST-932-APPLICATION-ATTACK-RCE")
.build())
.ruleSetType("OWASP")
.ruleSetVersion("3.2")
.build())
.matchVariable("RequestHeader")
.selector("User-Agent")
.selectorMatchOperator("StartsWith")
.valueMatchOperator("Contains")
.values(
"Mozilla/5.0",
"Chrome/122.0.0.0")
.build(),
ExceptionEntryArgs.builder()
.exceptionManagedRuleSets(ExclusionManagedRuleSetArgs.builder()
.ruleGroups(ExclusionManagedRuleGroupArgs.builder()
.ruleGroupName("BadBots")
.rules(ExclusionManagedRuleArgs.builder()
.ruleId("100100")
.build())
.build())
.ruleSetType("Microsoft_BotManagerRuleSet")
.ruleSetVersion("1.0")
.build())
.matchVariable("RemoteAddr")
.valueMatchOperator("IPMatch")
.values(
"1.2.3.4",
"10.0.0.1/6")
.build())
.exclusions(
OwaspCrsExclusionEntryArgs.builder()
.exclusionManagedRuleSets(ExclusionManagedRuleSetArgs.builder()
.ruleGroups(
ExclusionManagedRuleGroupArgs.builder()
.ruleGroupName("REQUEST-930-APPLICATION-ATTACK-LFI")
.rules(ExclusionManagedRuleArgs.builder()
.ruleId("930120")
.build())
.build(),
ExclusionManagedRuleGroupArgs.builder()
.ruleGroupName("REQUEST-932-APPLICATION-ATTACK-RCE")
.build())
.ruleSetType("OWASP")
.ruleSetVersion("3.2")
.build())
.matchVariable("RequestArgNames")
.selector("hello")
.selectorMatchOperator("StartsWith")
.build(),
OwaspCrsExclusionEntryArgs.builder()
.exclusionManagedRuleSets(ExclusionManagedRuleSetArgs.builder()
.ruleGroups()
.ruleSetType("OWASP")
.ruleSetVersion("3.1")
.build())
.matchVariable("RequestArgNames")
.selector("hello")
.selectorMatchOperator("EndsWith")
.build(),
OwaspCrsExclusionEntryArgs.builder()
.matchVariable("RequestArgNames")
.selector("test")
.selectorMatchOperator("StartsWith")
.build(),
OwaspCrsExclusionEntryArgs.builder()
.matchVariable("RequestArgValues")
.selector("test")
.selectorMatchOperator("StartsWith")
.build())
.managedRuleSets(
ManagedRuleSetArgs.builder()
.ruleGroupOverrides(ManagedRuleGroupOverrideArgs.builder()
.ruleGroupName("REQUEST-931-APPLICATION-ATTACK-RFI")
.rules(
ManagedRuleOverrideArgs.builder()
.action("Log")
.ruleId("931120")
.state("Enabled")
.build(),
ManagedRuleOverrideArgs.builder()
.action("AnomalyScoring")
.ruleId("931130")
.state("Disabled")
.build())
.build())
.ruleSetType("OWASP")
.ruleSetVersion("3.2")
.build(),
ManagedRuleSetArgs.builder()
.ruleGroupOverrides(ManagedRuleGroupOverrideArgs.builder()
.ruleGroupName("UnknownBots")
.rules(ManagedRuleOverrideArgs.builder()
.action("JSChallenge")
.ruleId("300700")
.state("Enabled")
.build())
.build())
.ruleSetType("Microsoft_BotManagerRuleSet")
.ruleSetVersion("1.0")
.build(),
ManagedRuleSetArgs.builder()
.ruleGroupOverrides(ManagedRuleGroupOverrideArgs.builder()
.ruleGroupName("ExcessiveRequests")
.rules(ManagedRuleOverrideArgs.builder()
.action("Block")
.ruleId("500100")
.sensitivity("High")
.state("Enabled")
.build())
.build())
.ruleSetType("Microsoft_HTTPDDoSRuleSet")
.ruleSetVersion("1.0")
.build())
.build())
.policyName("Policy1")
.policySettings(PolicySettingsArgs.builder()
.jsChallengeCookieExpirationInMins(100)
.logScrubbing(PolicySettingsLogScrubbingArgs.builder()
.scrubbingRules(
WebApplicationFirewallScrubbingRulesArgs.builder()
.matchVariable("RequestArgNames")
.selector("test")
.selectorMatchOperator("Equals")
.state("Enabled")
.build(),
WebApplicationFirewallScrubbingRulesArgs.builder()
.matchVariable("RequestIPAddress")
.selectorMatchOperator("EqualsAny")
.state("Enabled")
.build())
.state("Enabled")
.build())
.build())
.resourceGroupName("rg1")
.build());
}
}Content copied to clipboard
Import
An existing resource can be imported using its type token, name, and identifier, e.g.
$ pulumi import azure-native:network:WebApplicationFirewallPolicy Policy1 /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/{policyName}Content copied to clipboard
Constructors
Link copied to clipboard
constructor(customRules: Output<List<WebApplicationFirewallCustomRuleArgs>>? = null, id: Output<String>? = null, location: Output<String>? = null, managedRules: Output<ManagedRulesDefinitionArgs>? = null, policyName: Output<String>? = null, policySettings: Output<PolicySettingsArgs>? = null, resourceGroupName: Output<String>? = null, tags: Output<Map<String, String>>? = null)