Estou tentando criar regras WAF personalizadas para permitir tráfego para URIs específicos. Esta implantação está sendo feita via Terraform.
O erro que estou recebendo é:
Application Gateway Web Application Firewall Policy Name: "waf-policy-prod-uksouth"): unexpected status 400 (400 Bad Request) with error: ApplicationGatewayFirewallMatchValueNoCollection: Custom Rule 'AllowAmexPay' does not have a valid collection match variable 'RequestUri' which support selector in its condition in context 'properties.customRules[2].matchConditions[0].matchVariables[0]'.
│
│ with azurerm_web_application_firewall_policy.waf_policy,
│ on application_gw.tf line 224, in resource "azurerm_web_application_firewall_policy" "waf_policy":
│ 224: resource "azurerm_web_application_firewall_policy" "waf_policy" {
Arquivo TFVars:
custom_rules = [
{
name = "RecitePreferences"
priority = "70"
enabled = true
rule_type = "MatchRule"
variable_name = "RequestCookies"
selector = "Recite.Preferences"
operator = "Any"
action = "Allow"
},
{
name = "CookieConsent"
priority = "71"
enabled = true
rule_type = "MatchRule"
variable_name = "RequestCookies"
selector = "CookieConsent"
operator = "Any"
action = "Allow"
},
{
name = "AllowAmexPay"
priority = "80"
enabled = true
rule_type = "MatchRule"
variable_name = "RequestUri"
selector = "/smart-card/amex-pay"
operator = "Contains"
action = "Allow"
},
{
name = "AllowAmexPayComplete"
priority = "81"
enabled = true
rule_type = "MatchRule"
variable_name = "RequestUri"
selector = "/smart-card/amex-pay-complete"
operator = "Contains"
action = "Allow"
}
]
Arquivo Variables.tf:
variable "custom_rules" {
type = list(object({
name = string
priority = string
enabled = bool
rule_type = string
variable_name = string
operator = string
selector = string
action = string
}))
}
Configuração do Application Gateway:
resource "azurerm_web_application_firewall_policy" "waf_policy" {
name = "waf-policy-${var.general_environment}-${var.general_location}"
resource_group_name = azurerm_resource_group.prod.name
location = azurerm_resource_group.prod.location
policy_settings {
enabled = true
mode = "Detection"
request_body_check = false
file_upload_limit_in_mb = 100
max_request_body_size_in_kb = 128
}
managed_rules {
managed_rule_set {
type = "OWASP"
version = "3.2"
dynamic "rule_group_override" {
for_each = var.rule_group_override
content {
rule_group_name = rule_group_override.key
dynamic "rule" {
for_each = rule_group_override.value
content {
id = rule.value.id
enabled = rule.value.enabled
}
}
}
}
}
dynamic "exclusion" {
for_each = var.exclusion
content {
match_variable = exclusion.value["match_variable"]
selector = exclusion.value["selector"]
selector_match_operator = exclusion.value["selector_match_operator"]
}
}
managed_rule_set {
type = "Microsoft_BotManagerRuleSet"
version = "1.0"
}
}
dynamic "custom_rules" {
for_each = var.custom_rules
content {
name = custom_rules.value["name"]
enabled = custom_rules.value["enabled"]
priority = custom_rules.value["priority"]
rule_type = custom_rules.value["rule_type"]
action = custom_rules.value["action"]
match_conditions {
operator = custom_rules.value["operator"]
match_variables {
variable_name = custom_rules.value["variable_name"]
selector = custom_rules.value["selector"]
}
}
}
}
}
Só queria saber se existe uma maneira diferente/melhor de passar as variáveis, já que elas estão apresentando erros no Apply?
O problema parece estar na maneira como você define o seletor. Ele foi usado incorretamente para
RequestUri. A estrutura que você mencionou forçava tudo a usar apenasselector.O RequestUri sempre define usando
match_valuesisso, o que explica por que a configuração que você tentou estava enfrentando um problema. A configuração estrutural não atende ao requisito.Tentei uma configuração com todas as alterações necessárias e consegui provisionar o requisito com sucesso.
Principal.tf:
tfvars:
variável.tf:
Implantação:
Consulte:
https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/custom-waf-rules-overview#match-variables
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/web_application_firewall_policy#selector-2