I am trying to create a custom WAF rule to allow traffic to a specific URI - this deployment is done through Terraform.
The error I get is:
Application Gateway Web Application Firewall Policy Name: "waf-policy-prod-uksouth"): unexpected status 400 (400 Bad Request) with error: ApplicationGatewayFirewallMatchValueNoCollection: Custom Rule 'AllowAmexPay' does not have a valid collection match variable 'RequestUri' which support selector in its condition in context 'properties.customRules[2].matchConditions[0].matchVariables[0]'.
│
│ with azurerm_web_application_firewall_policy.waf_policy,
│ on application_gw.tf line 224, in resource "azurerm_web_application_firewall_policy" "waf_policy":
│ 224: resource "azurerm_web_application_firewall_policy" "waf_policy" {
TFVars file:
custom_rules = [
  {
    name          = "RecitePreferences"
    priority      = "70"
    enabled       = true
    rule_type     = "MatchRule"
    variable_name = "RequestCookies"
    selector      = "Recite.Preferences"
    operator      = "Any"
    action        = "Allow"
  },
  {
    name          = "CookieConsent"
    priority      = "71"
    enabled       = true
    rule_type     = "MatchRule"
    variable_name = "RequestCookies"
    selector      = "CookieConsent"
    operator      = "Any"
    action        = "Allow"
  },
  {
    name          = "AllowAmexPay"
    priority      = "80"
    enabled       = true
    rule_type     = "MatchRule"
    variable_name = "RequestUri"
    selector      = "/smart-card/amex-pay"
    operator      = "Contains"
    action        = "Allow"
  },
  {
    name          = "AllowAmexPayComplete"
    priority      = "81"
    enabled       = true
    rule_type     = "MatchRule"
    variable_name = "RequestUri"
    selector      = "/smart-card/amex-pay-complete"
    operator      = "Contains"
    action        = "Allow"
  }
]
Variables.tf file:
variable "custom_rules" {
  type = list(object({
    name          = string
    priority      = string
    enabled       = bool
    rule_type     = string
    variable_name = string
    operator      = string
    selector      = string
    action        = string
  }))
}
Application Gateway configuration:
resource "azurerm_web_application_firewall_policy" "waf_policy" {
  name                = "waf-policy-${var.general_environment}-${var.general_location}"
  resource_group_name = azurerm_resource_group.prod.name
  location            = azurerm_resource_group.prod.location
  policy_settings {
    enabled                     = true
    mode                        = "Detection"
    request_body_check          = false
    file_upload_limit_in_mb     = 100
    max_request_body_size_in_kb = 128
  }
  managed_rules {
    managed_rule_set {
      type    = "OWASP"
      version = "3.2"
      dynamic "rule_group_override" {
        for_each = var.rule_group_override
        content {
          rule_group_name = rule_group_override.key
          dynamic "rule" {
            for_each = rule_group_override.value
            content {
              id      = rule.value.id
              enabled = rule.value.enabled
            }
          }
        }
      }
    }
    dynamic "exclusion" {
      for_each = var.exclusion
      content {
        match_variable          = exclusion.value["match_variable"]
        selector                = exclusion.value["selector"]
        selector_match_operator = exclusion.value["selector_match_operator"]
      }
    }
    managed_rule_set {
      type    = "Microsoft_BotManagerRuleSet"
      version = "1.0"
    }
  }
  dynamic "custom_rules" {
    for_each = var.custom_rules
    content {
      name      = custom_rules.value["name"]
      enabled   = custom_rules.value["enabled"]
      priority  = custom_rules.value["priority"]
      rule_type = custom_rules.value["rule_type"]
      action    = custom_rules.value["action"]
      match_conditions {
        operator = custom_rules.value["operator"]
        match_variables {
          variable_name = custom_rules.value["variable_name"]
          selector      = custom_rules.value["selector"]
        }
      }
    }
  }
}
Just wondering whether there is a different/better way to pass these variables, since they currently error on Apply?
The issue seems to be the way you are defining the selector. It is being used incorrectly for RequestUri. The structure you mentioned forces everything to use selector only. RequestUri always uses match_values for this definition, which is why the configuration you tried ran into a block. The structure of the configuration does not meet the requirement. I tried the configuration with all the necessary changes and was able to meet the requirement successfully.
main.tf:
tfvars:
variables.tf:
Deployment:
References:
https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/custom-waf-rules-overview#match-variables
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/web_application_firewall_policy#selector-2
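The schema change described in the answer, written out as an added example (this is not the question's or the answer's code): the selector becomes optional and is only accepted for collection variables, RequestUri values go through match_values, and a validation block rejects the mismatch at plan time instead of with a 400 at apply time. Assumptions: Terraform 1.3+ (optional() with defaults), azurerm provider 3.x (match_values may be omitted for the Any operator), placeholder resource names, and the set of collection variables in the validation is taken from the error message's wording rather than an exhaustive list.

```hcl
variable "custom_rules" {
  type = list(object({
    name          = string
    priority      = number
    enabled       = bool
    rule_type     = string
    variable_name = string
    selector      = optional(string)       # key inside a collection variable only
    operator      = string
    match_values  = optional(list(string)) # values to compare, e.g. URI fragments
    action        = string
  }))
  # Catch "selector on a non-collection variable" before Azure returns 400.
  # Assumed collection variables; extend if the Azure docs list more.
  validation {
    condition = alltrue([for r in var.custom_rules :
      r.selector == null || contains(["RequestHeaders", "RequestCookies", "PostArgs"], r.variable_name)
    ])
    error_message = "selector is only valid for collection match variables; use match_values for RequestUri."
  }
}
resource "azurerm_web_application_firewall_policy" "waf_policy" {
  name                = "waf-policy-example" # placeholder values
  resource_group_name = "rg-example"
  location            = "uksouth"
  managed_rules {
    managed_rule_set {
      type    = "OWASP"
      version = "3.2"
    }
  }
  dynamic "custom_rules" {
    for_each = var.custom_rules
    content {
      name      = custom_rules.value.name
      enabled   = custom_rules.value.enabled
      priority  = custom_rules.value.priority
      rule_type = custom_rules.value.rule_type
      action    = custom_rules.value.action
      match_conditions {
        operator     = custom_rules.value.operator
        match_values = custom_rules.value.match_values # null omits the attribute
        match_variables {
          variable_name = custom_rules.value.variable_name
          selector      = custom_rules.value.selector # null omits the attribute
        }
      }
    }
  }
}
```

With this schema a RequestUri rule in the tfvars sets match_values = ["/smart-card/amex-pay"] and leaves selector out, while the RequestCookies rules keep their selector and leave match_values out for the Any operator.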