FrontdoorFirewallPolicyArgs

/**
 * Arguments for a Front Door (standard/premium) Firewall Policy.
 *
 * Every property is nullable and defaults to `null` in this declaration; the defaults
 * quoted below are the ones the property documentation on this page gives.
 *
 * @property customBlockResponseBody Response body used when a custom rule's action is block; must be base64-encoded.
 * @property customBlockResponseStatusCode Response status code used when a custom rule's action is block
 *   (documented values: 200, 403, 405, 406 or 429).
 * @property customRules One or more custom rule blocks.
 * @property enabled Whether the policy is enabled (documented default: true).
 * @property jsChallengeCookieExpirationInMinutes JavaScript challenge cookie lifetime in minutes
 *   (documented range 5 to 1440, default 30).
 * @property logScrubbing Log scrubbing block; documented as a PREVIEW feature.
 * @property managedRules One or more managed rule blocks.
 * @property mode Policy mode; documented values are Detection and Prevention.
 * @property name Name of the policy; changing it forces a new resource.
 * @property redirectUrl Redirect URL for the client when the action type is redirect.
 * @property requestBodyCheckEnabled Whether managed rules inspect the request body (documented default: true).
 * @property resourceGroupName Name of the resource group; changing it forces a new resource.
 * @property skuName Pricing tier, Standard_AzureFrontDoor or Premium_AzureFrontDoor; changing it forces a new resource.
 * @property tags Tags to assign to the policy.
 */
data class FrontdoorFirewallPolicyArgs(
    val customBlockResponseBody: Output<String>? = null,
    val customBlockResponseStatusCode: Output<Int>? = null,
    val customRules: Output<List<FrontdoorFirewallPolicyCustomRuleArgs>>? = null,
    val enabled: Output<Boolean>? = null,
    val jsChallengeCookieExpirationInMinutes: Output<Int>? = null,
    val logScrubbing: Output<FrontdoorFirewallPolicyLogScrubbingArgs>? = null,
    val managedRules: Output<List<FrontdoorFirewallPolicyManagedRuleArgs>>? = null,
    val mode: Output<String>? = null,
    val name: Output<String>? = null,
    val redirectUrl: Output<String>? = null,
    val requestBodyCheckEnabled: Output<Boolean>? = null,
    val resourceGroupName: Output<String>? = null,
    val skuName: Output<String>? = null,
    val tags: Output<Map<String, String>>? = null,
) : ConvertibleToJava<FrontdoorFirewallPolicyArgs>

Manages a Front Door (standard/premium) Firewall Policy instance.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as azure from "@pulumi/azure";
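// Resource group that holds the Front Door profile and its firewall policy.
const example = new azure.core.ResourceGroup("example", {
    name: "example-cdn-frontdoor",
    location: "West Europe",
});

const exampleFrontdoorProfile = new azure.cdn.FrontdoorProfile("example", {
    name: "example-profile",
    resourceGroupName: example.name,
    skuName: "Premium_AzureFrontDoor",
});

const exampleFrontdoorFirewallPolicy = new azure.cdn.FrontdoorFirewallPolicy("example", {
    name: "examplecdnfdwafpolicy",
    resourceGroupName: example.name,
    // The policy reuses the profile's SKU so the two cannot drift apart.
    skuName: exampleFrontdoorProfile.skuName,
    enabled: true,
    // Documented values are Detection and Prevention.
    mode: "Prevention",
    redirectUrl: "https://www.contoso.com",
    customBlockResponseStatusCode: 403,
    // Must be base64; this value decodes to a small "Hello world" HTML page.
    customBlockResponseBody: "PGh0bWw+CjxoZWFkZXI+PHRpdGxlPkhlbGxvPC90aXRsZT48L2hlYWRlcj4KPGJvZHk+CkhlbGxvIHdvcmxkCjwvYm9keT4KPC9odG1sPg==",
    jsChallengeCookieExpirationInMinutes: 45,
    // Scrubs the value of the cookie named ChocolateChip from WAF log entries.
    logScrubbing: {
        enabled: true,
        scrubbingRules: [{
            enabled: true,
            matchVariable: "RequestCookieNames",
            operator: "Equals",
            selector: "ChocolateChip",
        }],
    },
    customRules: [
        {
            // Blocks requests whose RemoteAddr falls in either range.
            // NOTE(review): confirm RemoteAddr (rather than SocketAddr) is the address this
            // rule should match when requests can arrive through another proxy.
            // NOTE(review): rate-limit fields are set although type is MatchRule; presumably
            // they only apply to rate-limit rules - confirm.
            name: "Rule1",
            enabled: true,
            priority: 1,
            rateLimitDurationInMinutes: 1,
            rateLimitThreshold: 10,
            type: "MatchRule",
            action: "Block",
            matchConditions: [{
                matchVariable: "RemoteAddr",
                operator: "IPMatch",
                negationCondition: false,
                matchValues: [
                    "10.0.1.0/24",
                    "10.0.0.0/24",
                ],
            }],
        },
        {
            // Two conditions in one rule: a source range and a User-Agent substring check
            // applied after the Lowercase and Trim transforms.
            // NOTE(review): the selector is spelled UserAgent; confirm it matches the header
            // name the WAF sees (normally User-Agent).
            name: "Rule2",
            enabled: true,
            priority: 50,
            rateLimitDurationInMinutes: 1,
            rateLimitThreshold: 10,
            type: "MatchRule",
            action: "Block",
            matchConditions: [
                {
                    matchVariable: "RemoteAddr",
                    operator: "IPMatch",
                    negationCondition: false,
                    matchValues: ["192.168.1.0/24"],
                },
                {
                    matchVariable: "RequestHeader",
                    selector: "UserAgent",
                    operator: "Contains",
                    negationCondition: false,
                    matchValues: ["windows"],
                    transforms: [
                        "Lowercase",
                        "Trim",
                    ],
                },
            ],
        },
        {
            // Answers this range with a JavaScript challenge instead of a block.
            name: "CustomJSChallenge",
            enabled: true,
            priority: 100,
            rateLimitDurationInMinutes: 1,
            rateLimitThreshold: 10,
            type: "MatchRule",
            action: "JSChallenge",
            matchConditions: [{
                matchVariable: "RemoteAddr",
                operator: "IPMatch",
                negationCondition: false,
                matchValues: ["192.168.1.0/24"],
            }],
        },
    ],
    managedRules: [
        {
            // NOTE(review): the rule-set action is Log, so presumably only the overridden
            // rules below block - confirm this is intended alongside Prevention mode.
            type: "DefaultRuleSet",
            version: "1.0",
            action: "Log",
            // Each exclusion removes one query-string argument name from inspection;
            // keep exclusions as narrow as the application allows.
            exclusions: [{
                matchVariable: "QueryStringArgNames",
                operator: "Equals",
                selector: "not_suspicious",
            }],
            overrides: [
                {
                    ruleGroupName: "PHP",
                    rules: [{
                        // Rule 933100 is switched off (enabled: false).
                        ruleId: "933100",
                        enabled: false,
                        action: "Block",
                    }],
                },
                {
                    ruleGroupName: "SQLI",
                    exclusions: [{
                        matchVariable: "QueryStringArgNames",
                        operator: "Equals",
                        selector: "really_not_suspicious",
                    }],
                    rules: [{
                        ruleId: "942200",
                        action: "Block",
                        exclusions: [{
                            matchVariable: "QueryStringArgNames",
                            operator: "Equals",
                            selector: "innocent",
                        }],
                    }],
                },
            ],
        },
        {
            type: "Microsoft_BotManagerRuleSet",
            version: "1.1",
            action: "Log",
            overrides: [{
                ruleGroupName: "BadBots",
                rules: [{
                    action: "JSChallenge",
                    enabled: true,
                    ruleId: "Bot100200",
                }],
            }],
        },
    ],
});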
import pulumi
import pulumi_azure as azure
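# Resource group that holds the Front Door profile and its firewall policy.
example = azure.core.ResourceGroup("example",
    name="example-cdn-frontdoor",
    location="West Europe")

example_frontdoor_profile = azure.cdn.FrontdoorProfile("example",
    name="example-profile",
    resource_group_name=example.name,
    sku_name="Premium_AzureFrontDoor")

example_frontdoor_firewall_policy = azure.cdn.FrontdoorFirewallPolicy("example",
    name="examplecdnfdwafpolicy",
    resource_group_name=example.name,
    # The policy reuses the profile's SKU so the two cannot drift apart.
    sku_name=example_frontdoor_profile.sku_name,
    enabled=True,
    # Documented values are Detection and Prevention.
    mode="Prevention",
    redirect_url="https://www.contoso.com",
    custom_block_response_status_code=403,
    # Must be base64; this value decodes to a small "Hello world" HTML page.
    custom_block_response_body="PGh0bWw+CjxoZWFkZXI+PHRpdGxlPkhlbGxvPC90aXRsZT48L2hlYWRlcj4KPGJvZHk+CkhlbGxvIHdvcmxkCjwvYm9keT4KPC9odG1sPg==",
    js_challenge_cookie_expiration_in_minutes=45,
    # Scrubs the value of the cookie named ChocolateChip from WAF log entries.
    log_scrubbing={
        "enabled": True,
        "scrubbing_rules": [{
            "enabled": True,
            "match_variable": "RequestCookieNames",
            "operator": "Equals",
            "selector": "ChocolateChip",
        }],
    },
    custom_rules=[
        {
            # Blocks requests whose RemoteAddr falls in either range.
            # NOTE(review): confirm RemoteAddr (rather than SocketAddr) is the address this
            # rule should match when requests can arrive through another proxy.
            # NOTE(review): rate-limit fields are set although type is MatchRule; presumably
            # they only apply to rate-limit rules - confirm.
            "name": "Rule1",
            "enabled": True,
            "priority": 1,
            "rate_limit_duration_in_minutes": 1,
            "rate_limit_threshold": 10,
            "type": "MatchRule",
            "action": "Block",
            "match_conditions": [{
                "match_variable": "RemoteAddr",
                "operator": "IPMatch",
                "negation_condition": False,
                "match_values": [
                    "10.0.1.0/24",
                    "10.0.0.0/24",
                ],
            }],
        },
        {
            # Two conditions in one rule: a source range and a User-Agent substring check
            # applied after the Lowercase and Trim transforms.
            # NOTE(review): the selector is spelled UserAgent; confirm it matches the header
            # name the WAF sees (normally User-Agent).
            "name": "Rule2",
            "enabled": True,
            "priority": 50,
            "rate_limit_duration_in_minutes": 1,
            "rate_limit_threshold": 10,
            "type": "MatchRule",
            "action": "Block",
            "match_conditions": [
                {
                    "match_variable": "RemoteAddr",
                    "operator": "IPMatch",
                    "negation_condition": False,
                    "match_values": ["192.168.1.0/24"],
                },
                {
                    "match_variable": "RequestHeader",
                    "selector": "UserAgent",
                    "operator": "Contains",
                    "negation_condition": False,
                    "match_values": ["windows"],
                    "transforms": [
                        "Lowercase",
                        "Trim",
                    ],
                },
            ],
        },
        {
            # Answers this range with a JavaScript challenge instead of a block.
            "name": "CustomJSChallenge",
            "enabled": True,
            "priority": 100,
            "rate_limit_duration_in_minutes": 1,
            "rate_limit_threshold": 10,
            "type": "MatchRule",
            "action": "JSChallenge",
            "match_conditions": [{
                "match_variable": "RemoteAddr",
                "operator": "IPMatch",
                "negation_condition": False,
                "match_values": ["192.168.1.0/24"],
            }],
        },
    ],
    managed_rules=[
        {
            # NOTE(review): the rule-set action is Log, so presumably only the overridden
            # rules below block - confirm this is intended alongside Prevention mode.
            "type": "DefaultRuleSet",
            "version": "1.0",
            "action": "Log",
            # Each exclusion removes one query-string argument name from inspection;
            # keep exclusions as narrow as the application allows.
            "exclusions": [{
                "match_variable": "QueryStringArgNames",
                "operator": "Equals",
                "selector": "not_suspicious",
            }],
            "overrides": [
                {
                    "rule_group_name": "PHP",
                    "rules": [{
                        # Rule 933100 is switched off (enabled: False).
                        "rule_id": "933100",
                        "enabled": False,
                        "action": "Block",
                    }],
                },
                {
                    "rule_group_name": "SQLI",
                    "exclusions": [{
                        "match_variable": "QueryStringArgNames",
                        "operator": "Equals",
                        "selector": "really_not_suspicious",
                    }],
                    "rules": [{
                        "rule_id": "942200",
                        "action": "Block",
                        "exclusions": [{
                            "match_variable": "QueryStringArgNames",
                            "operator": "Equals",
                            "selector": "innocent",
                        }],
                    }],
                },
            ],
        },
        {
            "type": "Microsoft_BotManagerRuleSet",
            "version": "1.1",
            "action": "Log",
            "overrides": [{
                "rule_group_name": "BadBots",
                "rules": [{
                    "action": "JSChallenge",
                    "enabled": True,
                    "rule_id": "Bot100200",
                }],
            }],
        },
    ])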
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Azure = Pulumi.Azure;
return await Deployment.RunAsync(() =>
{
    // Resource group that holds the Front Door profile and its firewall policy.
    var resourceGroup = new Azure.Core.ResourceGroup("example", new()
    {
        Name = "example-cdn-frontdoor",
        Location = "West Europe",
    });

    var profile = new Azure.Cdn.FrontdoorProfile("example", new()
    {
        Name = "example-profile",
        ResourceGroupName = resourceGroup.Name,
        SkuName = "Premium_AzureFrontDoor",
    });

    // Scrubs the value of the cookie named ChocolateChip from WAF log entries.
    var logScrubbing = new Azure.Cdn.Inputs.FrontdoorFirewallPolicyLogScrubbingArgs
    {
        Enabled = true,
        ScrubbingRules = new[]
        {
            new Azure.Cdn.Inputs.FrontdoorFirewallPolicyLogScrubbingScrubbingRuleArgs
            {
                Enabled = true,
                MatchVariable = "RequestCookieNames",
                Operator = "Equals",
                Selector = "ChocolateChip",
            },
        },
    };

    var customRules = new[]
    {
        // Blocks requests whose RemoteAddr falls in either range.
        // NOTE(review): confirm RemoteAddr (rather than SocketAddr) is the address this
        // rule should match when requests can arrive through another proxy.
        // NOTE(review): rate-limit fields are set although Type is MatchRule; presumably
        // they only apply to rate-limit rules - confirm.
        new Azure.Cdn.Inputs.FrontdoorFirewallPolicyCustomRuleArgs
        {
            Name = "Rule1",
            Enabled = true,
            Priority = 1,
            RateLimitDurationInMinutes = 1,
            RateLimitThreshold = 10,
            Type = "MatchRule",
            Action = "Block",
            MatchConditions = new[]
            {
                new Azure.Cdn.Inputs.FrontdoorFirewallPolicyCustomRuleMatchConditionArgs
                {
                    MatchVariable = "RemoteAddr",
                    Operator = "IPMatch",
                    NegationCondition = false,
                    MatchValues = new[]
                    {
                        "10.0.1.0/24",
                        "10.0.0.0/24",
                    },
                },
            },
        },
        // Two conditions in one rule: a source range and a User-Agent substring check
        // applied after the Lowercase and Trim transforms.
        // NOTE(review): the selector is spelled UserAgent; confirm it matches the header
        // name the WAF sees (normally User-Agent).
        new Azure.Cdn.Inputs.FrontdoorFirewallPolicyCustomRuleArgs
        {
            Name = "Rule2",
            Enabled = true,
            Priority = 50,
            RateLimitDurationInMinutes = 1,
            RateLimitThreshold = 10,
            Type = "MatchRule",
            Action = "Block",
            MatchConditions = new[]
            {
                new Azure.Cdn.Inputs.FrontdoorFirewallPolicyCustomRuleMatchConditionArgs
                {
                    MatchVariable = "RemoteAddr",
                    Operator = "IPMatch",
                    NegationCondition = false,
                    MatchValues = new[]
                    {
                        "192.168.1.0/24",
                    },
                },
                new Azure.Cdn.Inputs.FrontdoorFirewallPolicyCustomRuleMatchConditionArgs
                {
                    MatchVariable = "RequestHeader",
                    Selector = "UserAgent",
                    Operator = "Contains",
                    NegationCondition = false,
                    MatchValues = new[]
                    {
                        "windows",
                    },
                    Transforms = new[]
                    {
                        "Lowercase",
                        "Trim",
                    },
                },
            },
        },
        // Answers this range with a JavaScript challenge instead of a block.
        new Azure.Cdn.Inputs.FrontdoorFirewallPolicyCustomRuleArgs
        {
            Name = "CustomJSChallenge",
            Enabled = true,
            Priority = 100,
            RateLimitDurationInMinutes = 1,
            RateLimitThreshold = 10,
            Type = "MatchRule",
            Action = "JSChallenge",
            MatchConditions = new[]
            {
                new Azure.Cdn.Inputs.FrontdoorFirewallPolicyCustomRuleMatchConditionArgs
                {
                    MatchVariable = "RemoteAddr",
                    Operator = "IPMatch",
                    NegationCondition = false,
                    MatchValues = new[]
                    {
                        "192.168.1.0/24",
                    },
                },
            },
        },
    };

    var managedRules = new[]
    {
        // NOTE(review): the rule-set action is Log, so presumably only the overridden
        // rules below block - confirm this is intended alongside Prevention mode.
        new Azure.Cdn.Inputs.FrontdoorFirewallPolicyManagedRuleArgs
        {
            Type = "DefaultRuleSet",
            Version = "1.0",
            Action = "Log",
            // Each exclusion removes one query-string argument name from inspection;
            // keep exclusions as narrow as the application allows.
            Exclusions = new[]
            {
                new Azure.Cdn.Inputs.FrontdoorFirewallPolicyManagedRuleExclusionArgs
                {
                    MatchVariable = "QueryStringArgNames",
                    Operator = "Equals",
                    Selector = "not_suspicious",
                },
            },
            Overrides = new[]
            {
                new Azure.Cdn.Inputs.FrontdoorFirewallPolicyManagedRuleOverrideArgs
                {
                    RuleGroupName = "PHP",
                    Rules = new[]
                    {
                        // Rule 933100 is switched off (Enabled = false).
                        new Azure.Cdn.Inputs.FrontdoorFirewallPolicyManagedRuleOverrideRuleArgs
                        {
                            RuleId = "933100",
                            Enabled = false,
                            Action = "Block",
                        },
                    },
                },
                new Azure.Cdn.Inputs.FrontdoorFirewallPolicyManagedRuleOverrideArgs
                {
                    RuleGroupName = "SQLI",
                    Exclusions = new[]
                    {
                        new Azure.Cdn.Inputs.FrontdoorFirewallPolicyManagedRuleOverrideExclusionArgs
                        {
                            MatchVariable = "QueryStringArgNames",
                            Operator = "Equals",
                            Selector = "really_not_suspicious",
                        },
                    },
                    Rules = new[]
                    {
                        new Azure.Cdn.Inputs.FrontdoorFirewallPolicyManagedRuleOverrideRuleArgs
                        {
                            RuleId = "942200",
                            Action = "Block",
                            Exclusions = new[]
                            {
                                new Azure.Cdn.Inputs.FrontdoorFirewallPolicyManagedRuleOverrideRuleExclusionArgs
                                {
                                    MatchVariable = "QueryStringArgNames",
                                    Operator = "Equals",
                                    Selector = "innocent",
                                },
                            },
                        },
                    },
                },
            },
        },
        new Azure.Cdn.Inputs.FrontdoorFirewallPolicyManagedRuleArgs
        {
            Type = "Microsoft_BotManagerRuleSet",
            Version = "1.1",
            Action = "Log",
            Overrides = new[]
            {
                new Azure.Cdn.Inputs.FrontdoorFirewallPolicyManagedRuleOverrideArgs
                {
                    RuleGroupName = "BadBots",
                    Rules = new[]
                    {
                        new Azure.Cdn.Inputs.FrontdoorFirewallPolicyManagedRuleOverrideRuleArgs
                        {
                            Action = "JSChallenge",
                            Enabled = true,
                            RuleId = "Bot100200",
                        },
                    },
                },
            },
        },
    };

    var firewallPolicy = new Azure.Cdn.FrontdoorFirewallPolicy("example", new()
    {
        Name = "examplecdnfdwafpolicy",
        ResourceGroupName = resourceGroup.Name,
        // The policy reuses the profile's SKU so the two cannot drift apart.
        SkuName = profile.SkuName,
        Enabled = true,
        // Documented values are Detection and Prevention.
        Mode = "Prevention",
        RedirectUrl = "https://www.contoso.com",
        CustomBlockResponseStatusCode = 403,
        // Must be base64; this value decodes to a small "Hello world" HTML page.
        CustomBlockResponseBody = "PGh0bWw+CjxoZWFkZXI+PHRpdGxlPkhlbGxvPC90aXRsZT48L2hlYWRlcj4KPGJvZHk+CkhlbGxvIHdvcmxkCjwvYm9keT4KPC9odG1sPg==",
        JsChallengeCookieExpirationInMinutes = 45,
        LogScrubbing = logScrubbing,
        CustomRules = customRules,
        ManagedRules = managedRules,
    });
});
package main
import (
"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/cdn"
"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/core"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main declares a resource group, a Premium Front Door profile and a firewall
// policy with three custom rules and two managed rule sets.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		resourceGroup, err := core.NewResourceGroup(ctx, "example", &core.ResourceGroupArgs{
			Name:     pulumi.String("example-cdn-frontdoor"),
			Location: pulumi.String("West Europe"),
		})
		if err != nil {
			return err
		}

		profile, err := cdn.NewFrontdoorProfile(ctx, "example", &cdn.FrontdoorProfileArgs{
			Name:              pulumi.String("example-profile"),
			ResourceGroupName: resourceGroup.Name,
			SkuName:           pulumi.String("Premium_AzureFrontDoor"),
		})
		if err != nil {
			return err
		}

		// Scrubs the value of the cookie named ChocolateChip from WAF log entries.
		logScrubbing := &cdn.FrontdoorFirewallPolicyLogScrubbingArgs{
			Enabled: pulumi.Bool(true),
			ScrubbingRules: cdn.FrontdoorFirewallPolicyLogScrubbingScrubbingRuleArray{
				&cdn.FrontdoorFirewallPolicyLogScrubbingScrubbingRuleArgs{
					Enabled:       pulumi.Bool(true),
					MatchVariable: pulumi.String("RequestCookieNames"),
					Operator:      pulumi.String("Equals"),
					Selector:      pulumi.String("ChocolateChip"),
				},
			},
		}

		customRules := cdn.FrontdoorFirewallPolicyCustomRuleArray{
			// Blocks requests whose RemoteAddr falls in either range.
			// NOTE(review): confirm RemoteAddr (rather than SocketAddr) is the address
			// this rule should match when requests can arrive through another proxy.
			// NOTE(review): rate-limit fields are set although Type is MatchRule;
			// presumably they only apply to rate-limit rules - confirm.
			&cdn.FrontdoorFirewallPolicyCustomRuleArgs{
				Name:                       pulumi.String("Rule1"),
				Enabled:                    pulumi.Bool(true),
				Priority:                   pulumi.Int(1),
				RateLimitDurationInMinutes: pulumi.Int(1),
				RateLimitThreshold:         pulumi.Int(10),
				Type:                       pulumi.String("MatchRule"),
				Action:                     pulumi.String("Block"),
				MatchConditions: cdn.FrontdoorFirewallPolicyCustomRuleMatchConditionArray{
					&cdn.FrontdoorFirewallPolicyCustomRuleMatchConditionArgs{
						MatchVariable:     pulumi.String("RemoteAddr"),
						Operator:          pulumi.String("IPMatch"),
						NegationCondition: pulumi.Bool(false),
						MatchValues: pulumi.StringArray{
							pulumi.String("10.0.1.0/24"),
							pulumi.String("10.0.0.0/24"),
						},
					},
				},
			},
			// Two conditions in one rule: a source range and a User-Agent substring
			// check applied after the Lowercase and Trim transforms.
			// NOTE(review): the selector is spelled UserAgent; confirm it matches the
			// header name the WAF sees (normally User-Agent).
			&cdn.FrontdoorFirewallPolicyCustomRuleArgs{
				Name:                       pulumi.String("Rule2"),
				Enabled:                    pulumi.Bool(true),
				Priority:                   pulumi.Int(50),
				RateLimitDurationInMinutes: pulumi.Int(1),
				RateLimitThreshold:         pulumi.Int(10),
				Type:                       pulumi.String("MatchRule"),
				Action:                     pulumi.String("Block"),
				MatchConditions: cdn.FrontdoorFirewallPolicyCustomRuleMatchConditionArray{
					&cdn.FrontdoorFirewallPolicyCustomRuleMatchConditionArgs{
						MatchVariable:     pulumi.String("RemoteAddr"),
						Operator:          pulumi.String("IPMatch"),
						NegationCondition: pulumi.Bool(false),
						MatchValues: pulumi.StringArray{
							pulumi.String("192.168.1.0/24"),
						},
					},
					&cdn.FrontdoorFirewallPolicyCustomRuleMatchConditionArgs{
						MatchVariable:     pulumi.String("RequestHeader"),
						Selector:          pulumi.String("UserAgent"),
						Operator:          pulumi.String("Contains"),
						NegationCondition: pulumi.Bool(false),
						MatchValues: pulumi.StringArray{
							pulumi.String("windows"),
						},
						Transforms: pulumi.StringArray{
							pulumi.String("Lowercase"),
							pulumi.String("Trim"),
						},
					},
				},
			},
			// Answers this range with a JavaScript challenge instead of a block.
			&cdn.FrontdoorFirewallPolicyCustomRuleArgs{
				Name:                       pulumi.String("CustomJSChallenge"),
				Enabled:                    pulumi.Bool(true),
				Priority:                   pulumi.Int(100),
				RateLimitDurationInMinutes: pulumi.Int(1),
				RateLimitThreshold:         pulumi.Int(10),
				Type:                       pulumi.String("MatchRule"),
				Action:                     pulumi.String("JSChallenge"),
				MatchConditions: cdn.FrontdoorFirewallPolicyCustomRuleMatchConditionArray{
					&cdn.FrontdoorFirewallPolicyCustomRuleMatchConditionArgs{
						MatchVariable:     pulumi.String("RemoteAddr"),
						Operator:          pulumi.String("IPMatch"),
						NegationCondition: pulumi.Bool(false),
						MatchValues: pulumi.StringArray{
							pulumi.String("192.168.1.0/24"),
						},
					},
				},
			},
		}

		managedRules := cdn.FrontdoorFirewallPolicyManagedRuleArray{
			// NOTE(review): the rule-set action is Log, so presumably only the
			// overridden rules below block - confirm this is intended alongside
			// Prevention mode.
			&cdn.FrontdoorFirewallPolicyManagedRuleArgs{
				Type:    pulumi.String("DefaultRuleSet"),
				Version: pulumi.String("1.0"),
				Action:  pulumi.String("Log"),
				// Each exclusion removes one query-string argument name from
				// inspection; keep exclusions as narrow as the application allows.
				Exclusions: cdn.FrontdoorFirewallPolicyManagedRuleExclusionArray{
					&cdn.FrontdoorFirewallPolicyManagedRuleExclusionArgs{
						MatchVariable: pulumi.String("QueryStringArgNames"),
						Operator:      pulumi.String("Equals"),
						Selector:      pulumi.String("not_suspicious"),
					},
				},
				Overrides: cdn.FrontdoorFirewallPolicyManagedRuleOverrideArray{
					&cdn.FrontdoorFirewallPolicyManagedRuleOverrideArgs{
						RuleGroupName: pulumi.String("PHP"),
						Rules: cdn.FrontdoorFirewallPolicyManagedRuleOverrideRuleArray{
							// Rule 933100 is switched off (Enabled: false).
							&cdn.FrontdoorFirewallPolicyManagedRuleOverrideRuleArgs{
								RuleId:  pulumi.String("933100"),
								Enabled: pulumi.Bool(false),
								Action:  pulumi.String("Block"),
							},
						},
					},
					&cdn.FrontdoorFirewallPolicyManagedRuleOverrideArgs{
						RuleGroupName: pulumi.String("SQLI"),
						Exclusions: cdn.FrontdoorFirewallPolicyManagedRuleOverrideExclusionArray{
							&cdn.FrontdoorFirewallPolicyManagedRuleOverrideExclusionArgs{
								MatchVariable: pulumi.String("QueryStringArgNames"),
								Operator:      pulumi.String("Equals"),
								Selector:      pulumi.String("really_not_suspicious"),
							},
						},
						Rules: cdn.FrontdoorFirewallPolicyManagedRuleOverrideRuleArray{
							&cdn.FrontdoorFirewallPolicyManagedRuleOverrideRuleArgs{
								RuleId: pulumi.String("942200"),
								Action: pulumi.String("Block"),
								Exclusions: cdn.FrontdoorFirewallPolicyManagedRuleOverrideRuleExclusionArray{
									&cdn.FrontdoorFirewallPolicyManagedRuleOverrideRuleExclusionArgs{
										MatchVariable: pulumi.String("QueryStringArgNames"),
										Operator:      pulumi.String("Equals"),
										Selector:      pulumi.String("innocent"),
									},
								},
							},
						},
					},
				},
			},
			&cdn.FrontdoorFirewallPolicyManagedRuleArgs{
				Type:    pulumi.String("Microsoft_BotManagerRuleSet"),
				Version: pulumi.String("1.1"),
				Action:  pulumi.String("Log"),
				Overrides: cdn.FrontdoorFirewallPolicyManagedRuleOverrideArray{
					&cdn.FrontdoorFirewallPolicyManagedRuleOverrideArgs{
						RuleGroupName: pulumi.String("BadBots"),
						Rules: cdn.FrontdoorFirewallPolicyManagedRuleOverrideRuleArray{
							&cdn.FrontdoorFirewallPolicyManagedRuleOverrideRuleArgs{
								Action:  pulumi.String("JSChallenge"),
								Enabled: pulumi.Bool(true),
								RuleId:  pulumi.String("Bot100200"),
							},
						},
					},
				},
			},
		}

		_, err = cdn.NewFrontdoorFirewallPolicy(ctx, "example", &cdn.FrontdoorFirewallPolicyArgs{
			Name:              pulumi.String("examplecdnfdwafpolicy"),
			ResourceGroupName: resourceGroup.Name,
			// The policy reuses the profile's SKU so the two cannot drift apart.
			SkuName: profile.SkuName,
			Enabled: pulumi.Bool(true),
			// Documented values are Detection and Prevention.
			Mode:                          pulumi.String("Prevention"),
			RedirectUrl:                   pulumi.String("https://www.contoso.com"),
			CustomBlockResponseStatusCode: pulumi.Int(403),
			// Must be base64; this value decodes to a small "Hello world" HTML page.
			CustomBlockResponseBody:              pulumi.String("PGh0bWw+CjxoZWFkZXI+PHRpdGxlPkhlbGxvPC90aXRsZT48L2hlYWRlcj4KPGJvZHk+CkhlbGxvIHdvcmxkCjwvYm9keT4KPC9odG1sPg=="),
			JsChallengeCookieExpirationInMinutes: pulumi.Int(45),
			LogScrubbing:                         logScrubbing,
			CustomRules:                          customRules,
			ManagedRules:                         managedRules,
		})
		// A nil err here is the success result, so it can be returned directly.
		return err
	})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azure.core.ResourceGroup;
import com.pulumi.azure.core.ResourceGroupArgs;
import com.pulumi.azure.cdn.FrontdoorProfile;
import com.pulumi.azure.cdn.FrontdoorProfileArgs;
import com.pulumi.azure.cdn.FrontdoorFirewallPolicy;
import com.pulumi.azure.cdn.FrontdoorFirewallPolicyArgs;
import com.pulumi.azure.cdn.inputs.FrontdoorFirewallPolicyLogScrubbingArgs;
import com.pulumi.azure.cdn.inputs.FrontdoorFirewallPolicyCustomRuleArgs;
import com.pulumi.azure.cdn.inputs.FrontdoorFirewallPolicyManagedRuleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/**
 * Pulumi program that declares a resource group, a Premium Front Door profile
 * and a firewall policy with three custom rules and two managed rule sets.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the stack's resources.
     *
     * NOTE(review): the import list of this example names only three classes from
     * com.pulumi.azure.cdn.inputs; the other *Args builders used below are not
     * imported there and presumably need imports from the same package - confirm.
     *
     * @param ctx the Pulumi context passed in by {@code Pulumi.run}
     */
    public static void stack(Context ctx) {
        var resourceGroup = new ResourceGroup("example", ResourceGroupArgs.builder()
            .name("example-cdn-frontdoor")
            .location("West Europe")
            .build());

        var profile = new FrontdoorProfile("exampleFrontdoorProfile", FrontdoorProfileArgs.builder()
            .name("example-profile")
            .resourceGroupName(resourceGroup.name())
            .skuName("Premium_AzureFrontDoor")
            .build());

        // Scrubs the value of the cookie named ChocolateChip from WAF log entries.
        var logScrubbing = FrontdoorFirewallPolicyLogScrubbingArgs.builder()
            .enabled(true)
            .scrubbingRules(FrontdoorFirewallPolicyLogScrubbingScrubbingRuleArgs.builder()
                .enabled(true)
                .matchVariable("RequestCookieNames")
                .operator("Equals")
                .selector("ChocolateChip")
                .build())
            .build();

        // Blocks requests whose RemoteAddr falls in either range.
        // NOTE(review): confirm RemoteAddr (rather than SocketAddr) is the address this
        // rule should match when requests can arrive through another proxy.
        // NOTE(review): rate-limit fields are set although type is MatchRule; presumably
        // they only apply to rate-limit rules - confirm.
        var blockRangesRule = FrontdoorFirewallPolicyCustomRuleArgs.builder()
            .name("Rule1")
            .enabled(true)
            .priority(1)
            .rateLimitDurationInMinutes(1)
            .rateLimitThreshold(10)
            .type("MatchRule")
            .action("Block")
            .matchConditions(FrontdoorFirewallPolicyCustomRuleMatchConditionArgs.builder()
                .matchVariable("RemoteAddr")
                .operator("IPMatch")
                .negationCondition(false)
                .matchValues(
                    "10.0.1.0/24",
                    "10.0.0.0/24")
                .build())
            .build();

        // Two conditions in one rule: a source range and a User-Agent substring check
        // applied after the Lowercase and Trim transforms.
        // NOTE(review): the selector is spelled UserAgent; confirm it matches the header
        // name the WAF sees (normally User-Agent).
        var blockRangeAndAgentRule = FrontdoorFirewallPolicyCustomRuleArgs.builder()
            .name("Rule2")
            .enabled(true)
            .priority(50)
            .rateLimitDurationInMinutes(1)
            .rateLimitThreshold(10)
            .type("MatchRule")
            .action("Block")
            .matchConditions(
                FrontdoorFirewallPolicyCustomRuleMatchConditionArgs.builder()
                    .matchVariable("RemoteAddr")
                    .operator("IPMatch")
                    .negationCondition(false)
                    .matchValues("192.168.1.0/24")
                    .build(),
                FrontdoorFirewallPolicyCustomRuleMatchConditionArgs.builder()
                    .matchVariable("RequestHeader")
                    .selector("UserAgent")
                    .operator("Contains")
                    .negationCondition(false)
                    .matchValues("windows")
                    .transforms(
                        "Lowercase",
                        "Trim")
                    .build())
            .build();

        // Answers this range with a JavaScript challenge instead of a block.
        var jsChallengeRule = FrontdoorFirewallPolicyCustomRuleArgs.builder()
            .name("CustomJSChallenge")
            .enabled(true)
            .priority(100)
            .rateLimitDurationInMinutes(1)
            .rateLimitThreshold(10)
            .type("MatchRule")
            .action("JSChallenge")
            .matchConditions(FrontdoorFirewallPolicyCustomRuleMatchConditionArgs.builder()
                .matchVariable("RemoteAddr")
                .operator("IPMatch")
                .negationCondition(false)
                .matchValues("192.168.1.0/24")
                .build())
            .build();

        // NOTE(review): the rule-set action is Log, so presumably only the overridden
        // rules below block - confirm this is intended alongside Prevention mode.
        // Each exclusion removes one query-string argument name from inspection;
        // keep exclusions as narrow as the application allows.
        var defaultRuleSet = FrontdoorFirewallPolicyManagedRuleArgs.builder()
            .type("DefaultRuleSet")
            .version("1.0")
            .action("Log")
            .exclusions(FrontdoorFirewallPolicyManagedRuleExclusionArgs.builder()
                .matchVariable("QueryStringArgNames")
                .operator("Equals")
                .selector("not_suspicious")
                .build())
            .overrides(
                FrontdoorFirewallPolicyManagedRuleOverrideArgs.builder()
                    .ruleGroupName("PHP")
                    // Rule 933100 is switched off (enabled(false)).
                    .rules(FrontdoorFirewallPolicyManagedRuleOverrideRuleArgs.builder()
                        .ruleId("933100")
                        .enabled(false)
                        .action("Block")
                        .build())
                    .build(),
                FrontdoorFirewallPolicyManagedRuleOverrideArgs.builder()
                    .ruleGroupName("SQLI")
                    .exclusions(FrontdoorFirewallPolicyManagedRuleOverrideExclusionArgs.builder()
                        .matchVariable("QueryStringArgNames")
                        .operator("Equals")
                        .selector("really_not_suspicious")
                        .build())
                    .rules(FrontdoorFirewallPolicyManagedRuleOverrideRuleArgs.builder()
                        .ruleId("942200")
                        .action("Block")
                        .exclusions(FrontdoorFirewallPolicyManagedRuleOverrideRuleExclusionArgs.builder()
                            .matchVariable("QueryStringArgNames")
                            .operator("Equals")
                            .selector("innocent")
                            .build())
                        .build())
                    .build())
            .build();

        var botManagerRuleSet = FrontdoorFirewallPolicyManagedRuleArgs.builder()
            .type("Microsoft_BotManagerRuleSet")
            .version("1.1")
            .action("Log")
            .overrides(FrontdoorFirewallPolicyManagedRuleOverrideArgs.builder()
                .ruleGroupName("BadBots")
                .rules(FrontdoorFirewallPolicyManagedRuleOverrideRuleArgs.builder()
                    .action("JSChallenge")
                    .enabled(true)
                    .ruleId("Bot100200")
                    .build())
                .build())
            .build();

        var firewallPolicy = new FrontdoorFirewallPolicy("exampleFrontdoorFirewallPolicy", FrontdoorFirewallPolicyArgs.builder()
            .name("examplecdnfdwafpolicy")
            .resourceGroupName(resourceGroup.name())
            // The policy reuses the profile's SKU so the two cannot drift apart.
            .skuName(profile.skuName())
            .enabled(true)
            // Documented values are Detection and Prevention.
            .mode("Prevention")
            .redirectUrl("https://www.contoso.com")
            .customBlockResponseStatusCode(403)
            // Must be base64; this value decodes to a small "Hello world" HTML page.
            .customBlockResponseBody("PGh0bWw+CjxoZWFkZXI+PHRpdGxlPkhlbGxvPC90aXRsZT48L2hlYWRlcj4KPGJvZHk+CkhlbGxvIHdvcmxkCjwvYm9keT4KPC9odG1sPg==")
            .jsChallengeCookieExpirationInMinutes(45)
            .logScrubbing(logScrubbing)
            .customRules(blockRangesRule, blockRangeAndAgentRule, jsChallengeRule)
            .managedRules(defaultRuleSet, botManagerRuleSet)
            .build());
    }
}
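resources:
  # Resource group that holds the Front Door profile and its firewall policy.
  example:
    type: azure:core:ResourceGroup
    properties:
      name: example-cdn-frontdoor
      location: West Europe
  exampleFrontdoorProfile:
    type: azure:cdn:FrontdoorProfile
    name: example
    properties:
      name: example-profile
      resourceGroupName: ${example.name}
      skuName: Premium_AzureFrontDoor
  exampleFrontdoorFirewallPolicy:
    type: azure:cdn:FrontdoorFirewallPolicy
    name: example
    properties:
      name: examplecdnfdwafpolicy
      resourceGroupName: ${example.name}
      # The policy reuses the profile's SKU so the two cannot drift apart.
      skuName: ${exampleFrontdoorProfile.skuName}
      enabled: true
      # Documented values are Detection and Prevention.
      mode: Prevention
      redirectUrl: https://www.contoso.com
      customBlockResponseStatusCode: 403
      # Must be base64; this value decodes to a small "Hello world" HTML page.
      customBlockResponseBody: PGh0bWw+CjxoZWFkZXI+PHRpdGxlPkhlbGxvPC90aXRsZT48L2hlYWRlcj4KPGJvZHk+CkhlbGxvIHdvcmxkCjwvYm9keT4KPC9odG1sPg==
      jsChallengeCookieExpirationInMinutes: 45
      # Scrubs the value of the cookie named ChocolateChip from WAF log entries.
      logScrubbing:
        enabled: true
        scrubbingRules:
          - enabled: true
            matchVariable: RequestCookieNames
            operator: Equals
            selector: ChocolateChip
      customRules:
        # Blocks requests whose RemoteAddr falls in either range.
        # NOTE(review): confirm RemoteAddr (rather than SocketAddr) is the address this
        # rule should match when requests can arrive through another proxy.
        # NOTE(review): rate-limit fields are set although type is MatchRule; presumably
        # they only apply to rate-limit rules - confirm.
        - name: Rule1
          enabled: true
          priority: 1
          rateLimitDurationInMinutes: 1
          rateLimitThreshold: 10
          type: MatchRule
          action: Block
          matchConditions:
            - matchVariable: RemoteAddr
              operator: IPMatch
              negationCondition: false
              matchValues:
                - 10.0.1.0/24
                - 10.0.0.0/24
        # Two conditions in one rule: a source range and a User-Agent substring check
        # applied after the Lowercase and Trim transforms.
        # NOTE(review): the selector is spelled UserAgent; confirm it matches the header
        # name the WAF sees (normally User-Agent).
        - name: Rule2
          enabled: true
          priority: 50
          rateLimitDurationInMinutes: 1
          rateLimitThreshold: 10
          type: MatchRule
          action: Block
          matchConditions:
            - matchVariable: RemoteAddr
              operator: IPMatch
              negationCondition: false
              matchValues:
                - 192.168.1.0/24
            - matchVariable: RequestHeader
              selector: UserAgent
              operator: Contains
              negationCondition: false
              matchValues:
                - windows
              transforms:
                - Lowercase
                - Trim
        # Answers this range with a JavaScript challenge instead of a block.
        - name: CustomJSChallenge
          enabled: true
          priority: 100
          rateLimitDurationInMinutes: 1
          rateLimitThreshold: 10
          type: MatchRule
          action: JSChallenge
          matchConditions:
            - matchVariable: RemoteAddr
              operator: IPMatch
              negationCondition: false
              matchValues:
                - 192.168.1.0/24
      managedRules:
        # NOTE(review): the rule-set action is Log, so presumably only the overridden
        # rules below block - confirm this is intended alongside Prevention mode.
        - type: DefaultRuleSet
          version: '1.0'
          action: Log
          # Each exclusion removes one query-string argument name from inspection;
          # keep exclusions as narrow as the application allows.
          exclusions:
            - matchVariable: QueryStringArgNames
              operator: Equals
              selector: not_suspicious
          overrides:
            - ruleGroupName: PHP
              rules:
                # Rule 933100 is switched off (enabled: false).
                - ruleId: '933100'
                  enabled: false
                  action: Block
            - ruleGroupName: SQLI
              exclusions:
                - matchVariable: QueryStringArgNames
                  operator: Equals
                  selector: really_not_suspicious
              rules:
                - ruleId: '942200'
                  action: Block
                  exclusions:
                    - matchVariable: QueryStringArgNames
                      operator: Equals
                      selector: innocent
        - type: Microsoft_BotManagerRuleSet
          version: '1.1'
          action: Log
          overrides:
            - ruleGroupName: BadBots
              rules:
                - action: JSChallenge
                  enabled: true
                  ruleId: Bot100200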

scrubbing_rule Examples:

The following table shows examples of scrubbing_rule blocks that can be used to protect sensitive data:

| Match Variable | Operator | Selector | What Gets Scrubbed |
| :--------------------------- | :------------- | :------------ | :---------------------------------------------------------------------------- |
| RequestHeaderNames | Equals | keyToBlock | {"matchVariableName":"HeaderValue:keyToBlock","matchVariableValue":""} |
| RequestCookieNames | Equals | cookieToBlock | {"matchVariableName":"CookieValue:cookieToBlock","matchVariableValue":""} |
| RequestBodyPostArgNames | Equals | var | {"matchVariableName":"PostParamValue:var","matchVariableValue":""} |
| RequestBodyJsonArgNames | Equals | JsonValue | {"matchVariableName":"JsonValue:key","matchVariableValue":""} |
| QueryStringArgNames | Equals | foo | {"matchVariableName":"QueryParamValue:foo","matchVariableValue":""} |
| RequestIPAddress | Equals Any | Not Supported | {"matchVariableName":"ClientIP","matchVariableValue":""} |
| RequestUri | Equals Any | Not Supported | {"matchVariableName":"URI","matchVariableValue":"****"} |

Import

Front Door Firewall Policies can be imported using the resource id, e.g.

$ pulumi import azure:cdn/frontdoorFirewallPolicy:FrontdoorFirewallPolicy example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/resourceGroup1/providers/Microsoft.Network/frontDoorWebApplicationFirewallPolicies/firewallPolicy1

Constructors

constructor(customBlockResponseBody: Output<String>? = null, customBlockResponseStatusCode: Output<Int>? = null, customRules: Output<List<FrontdoorFirewallPolicyCustomRuleArgs>>? = null, enabled: Output<Boolean>? = null, jsChallengeCookieExpirationInMinutes: Output<Int>? = null, logScrubbing: Output<FrontdoorFirewallPolicyLogScrubbingArgs>? = null, managedRules: Output<List<FrontdoorFirewallPolicyManagedRuleArgs>>? = null, mode: Output<String>? = null, name: Output<String>? = null, redirectUrl: Output<String>? = null, requestBodyCheckEnabled: Output<Boolean>? = null, resourceGroupName: Output<String>? = null, skuName: Output<String>? = null, tags: Output<Map<String, String>>? = null)

Properties

val customBlockResponseBody: Output<String>? = null

If a custom_rule block's action type is block, this is the response body. The body must be specified in base64 encoding.

val customBlockResponseStatusCode: Output<Int>? = null

If a custom_rule block's action type is block, this is the response status code. Possible values are 200, 403, 405, 406, or 429.


One or more custom_rule blocks as defined below.

val enabled: Output<Boolean>? = null

Is the Front Door Firewall Policy enabled? Defaults to true.


Specifies the JavaScript challenge cookie lifetime in minutes, after which the user will be revalidated. Possible values are between 5 and 1440 minutes. Defaults to 30 minutes.


A log_scrubbing block as defined below. Note: Setting the log_scrubbing block is currently in PREVIEW. Please see the Supplemental Terms of Use for Microsoft Azure Previews for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.


One or more managed_rule blocks as defined below.

val mode: Output<String>? = null

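The Front Door Firewall Policy mode. Possible values are Detection and Prevention. In Detection mode matching requests are logged but not blocked, so a policy meant to enforce its rules needs Prevention.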

val name: Output<String>? = null

The name of the policy. Changing this forces a new resource to be created.

val redirectUrl: Output<String>? = null

If the action type is redirect, this field is the redirect URL for the client.

val requestBodyCheckEnabled: Output<Boolean>? = null

Should policy managed rules inspect the request body content? Defaults to true.

val resourceGroupName: Output<String>? = null

The name of the resource group. Changing this forces a new resource to be created.

val skuName: Output<String>? = null

The sku's pricing tier for this Front Door Firewall Policy. Possible values include Standard_AzureFrontDoor or Premium_AzureFrontDoor. Changing this forces a new resource to be created.

val tags: Output<Map<String, String>>? = null

A mapping of tags to assign to the Front Door Firewall Policy.

Functions

open override fun toJava(): FrontdoorFirewallPolicyArgs