import * as pulumi from "@pulumi/pulumi";
import * as inputs from "../types/input";
import * as outputs from "../types/output";
// NOTE(review): in this copy the generic type arguments of `pulumi.Input` / `pulumi.Output`
// appear to have been stripped (see the unbalanced `pulumi.Input[]>` occurrences below, and
// the `inputs` / `outputs` imports that nothing visible references). The declarations will
// not type-check as shown; restore the type arguments from the generated SDK — TODO confirm.
/**
 * Manages a Front Door (standard/premium) Firewall Policy instance.
 *
 * ## Example Usage
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as azure from "@pulumi/azure";
 *
 * const example = new azure.core.ResourceGroup("example", {
 *     name: "example-cdn-frontdoor",
 *     location: "West Europe",
 * });
 * const exampleFrontdoorProfile = new azure.cdn.FrontdoorProfile("example", {
 *     name: "example-profile",
 *     resourceGroupName: example.name,
 *     skuName: "Premium_AzureFrontDoor",
 * });
 * const exampleFrontdoorFirewallPolicy = new azure.cdn.FrontdoorFirewallPolicy("example", {
 *     name: "examplecdnfdwafpolicy",
 *     resourceGroupName: example.name,
 *     skuName: exampleFrontdoorProfile.skuName,
 *     enabled: true,
 *     mode: "Prevention",
 *     redirectUrl: "https://www.contoso.com",
 *     customBlockResponseStatusCode: 403,
 *     // Base64-encoded HTML page used as the body of the block response.
 *     customBlockResponseBody: "PGh0bWw+CjxoZWFkZXI+PHRpdGxlPkhlbGxvPC90aXRsZT48L2hlYWRlcj4KPGJvZHk+CkhlbGxvIHdvcmxkCjwvYm9keT4KPC9odG1sPg==",
 *     customRules: [
 *         {
 *             name: "Rule1",
 *             enabled: true,
 *             priority: 1,
 *             rateLimitDurationInMinutes: 1,
 *             rateLimitThreshold: 10,
 *             type: "MatchRule",
 *             action: "Block",
 *             matchConditions: [{
 *                 matchVariable: "RemoteAddr",
 *                 operator: "IPMatch",
 *                 negationCondition: false,
 *                 matchValues: [
 *                     "10.0.1.0/24",
 *                     "10.0.0.0/24",
 *                 ],
 *             }],
 *         },
 *         {
 *             name: "Rule2",
 *             enabled: true,
 *             priority: 50,
 *             rateLimitDurationInMinutes: 1,
 *             rateLimitThreshold: 10,
 *             type: "MatchRule",
 *             action: "Block",
 *             matchConditions: [
 *                 {
 *                     matchVariable: "RemoteAddr",
 *                     operator: "IPMatch",
 *                     negationCondition: false,
 *                     matchValues: ["192.168.1.0/24"],
 *                 },
 *                 {
 *                     matchVariable: "RequestHeader",
 *                     selector: "UserAgent",
 *                     operator: "Contains",
 *                     negationCondition: false,
 *                     matchValues: ["windows"],
 *                     transforms: [
 *                         "Lowercase",
 *                         "Trim",
 *                     ],
 *                 },
 *             ],
 *         },
 *     ],
 *     managedRules: [
 *         {
 *             type: "DefaultRuleSet",
 *             version: "1.0",
 *             action: "Log",
 *             exclusions: [{
 *                 matchVariable: "QueryStringArgNames",
 *                 operator: "Equals",
 *                 selector: "not_suspicious",
 *             }],
 *             overrides: [
 *                 {
 *                     ruleGroupName: "PHP",
 *                     rules: [{
 *                         ruleId: "933100",
 *                         enabled: false,
 *                         action: "Block",
 *                     }],
 *                 },
 *                 {
 *                     ruleGroupName: "SQLI",
 *                     exclusions: [{
 *                         matchVariable: "QueryStringArgNames",
 *                         operator: "Equals",
 *                         selector: "really_not_suspicious",
 *                     }],
 *                     rules: [{
 *                         ruleId: "942200",
 *                         action: "Block",
 *                         exclusions: [{
 *                             matchVariable: "QueryStringArgNames",
 *                             operator: "Equals",
 *                             selector: "innocent",
 *                         }],
 *                     }],
 *                 },
 *             ],
 *         },
 *         {
 *             type: "Microsoft_BotManagerRuleSet",
 *             version: "1.1",
 *             action: "Log",
 *         },
 *     ],
 * });
 * ```
 *
 * ## `scrubbingRule` Examples
 *
 * The following table shows examples of `scrubbingRule`s that can be used to protect sensitive data.
 * The last column shows the resulting log fields, with the matched value replaced by `****`:
 *
 * | Match Variable               | Operator       | Selector      | What Gets Scrubbed                                                            |
 * | :--------------------------- | :------------- | :------------ | :---------------------------------------------------------------------------- |
 * | `RequestHeaderNames`         | Equals         | keyToBlock    | {"matchVariableName":"HeaderValue:keyToBlock","matchVariableValue":"****"}    |
 * | `RequestCookieNames`         | Equals         | cookieToBlock | {"matchVariableName":"CookieValue:cookieToBlock","matchVariableValue":"****"} |
 * | `RequestBodyPostArgNames`    | Equals         | var           | {"matchVariableName":"PostParamValue:var","matchVariableValue":"****"}        |
 * | `RequestBodyJsonArgNames`    | Equals         | JsonValue     | {"matchVariableName":"JsonValue:key","matchVariableValue":"****"}             |
 * | `QueryStringArgNames`        | Equals         | foo           | {"matchVariableName":"QueryParamValue:foo","matchVariableValue":"****"}       |
 * | `RequestIPAddress`           | Equals Any     | Not Supported | {"matchVariableName":"ClientIP","matchVariableValue":"****"}                  |
 * | `RequestUri`                 | Equals Any     | Not Supported | {"matchVariableName":"URI","matchVariableValue":"****"}                       |
 *
 * ***
 *
 * ## Import
 *
 * Front Door Firewall Policies can be imported using the `resource id`, e.g.
 *
 * ```sh
 * $ pulumi import azure:cdn/frontdoorFirewallPolicy:FrontdoorFirewallPolicy example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/resourceGroup1/providers/Microsoft.Network/frontDoorWebApplicationFirewallPolicies/firewallPolicy1
 * ```
 */
export declare class FrontdoorFirewallPolicy extends pulumi.CustomResource {
    /**
     * Get an existing FrontdoorFirewallPolicy resource's state with the given name, ID, and optional extra
     * properties used to qualify the lookup.
     *
     * @param name The _unique_ name of the resulting resource.
     * @param id The _unique_ provider ID of the resource to look up.
     * @param state Any extra arguments used during the lookup.
     * @param opts Optional settings to control the behavior of the CustomResource.
     * @returns The FrontdoorFirewallPolicy for the looked-up resource.
     */
    static get(name: string, id: pulumi.Input, state?: FrontdoorFirewallPolicyState, opts?: pulumi.CustomResourceOptions): FrontdoorFirewallPolicy;
    /**
     * Returns true if the given object is an instance of FrontdoorFirewallPolicy. This is designed to work even
     * when multiple copies of the Pulumi SDK have been loaded into the same process.
     *
     * @param obj The value to test; it is typed `any`, so any value may be passed.
     */
    static isInstance(obj: any): obj is FrontdoorFirewallPolicy;
    /**
     * Specifies the Captcha cookie lifetime in minutes. Possible values are between `5` and `1440`. Defaults to `30` minutes.
     *
     * > **Note:** The `captchaCookieExpirationInMinutes` field can only be set on `Premium_AzureFrontDoor` SKUs. Please see the [Product Documentation](https://learn.microsoft.com/azure/web-application-firewall/afds/captcha-challenge) for more information.
     *
     * > **Note:** When you remove the `captchaCookieExpirationInMinutes` field from your configuration, the value will revert to the default of `30` minutes in the Terraform state. This is because Azure manages this setting and Terraform will reflect the actual Azure configuration, which defaults to `30` minutes when not explicitly specified.
     */
    readonly captchaCookieExpirationInMinutes: pulumi.Output;
    /**
     * If a `customRule` block's action type is `block`, this is the response body. The body must be specified in base64 encoding.
     */
    readonly customBlockResponseBody: pulumi.Output;
    /**
     * If a `customRule` block's action type is `block`, this is the response status code. Possible values are `200`, `403`, `405`, `406`, or `429`.
     */
    readonly customBlockResponseStatusCode: pulumi.Output;
    /**
     * One or more `customRule` blocks as defined below.
     */
    readonly customRules: pulumi.Output;
    /**
     * Is the Front Door Firewall Policy enabled? Defaults to `true`.
     */
    readonly enabled: pulumi.Output;
    /**
     * The Front Door Profiles frontend endpoints associated with this Front Door Firewall Policy.
     */
    readonly frontendEndpointIds: pulumi.Output;
    /**
     * Specifies the JavaScript challenge cookie lifetime in minutes, after which the user will be revalidated. Possible values are between `5` and `1440` minutes. Defaults to `30` minutes.
     *
     * > **Note:** The `jsChallengeCookieExpirationInMinutes` field can only be set on `Premium_AzureFrontDoor` SKUs. Please see the [Product Documentation](https://learn.microsoft.com/azure/web-application-firewall/waf-javascript-challenge) for more information.
     *
     * > **Note:** When you remove the `jsChallengeCookieExpirationInMinutes` field from your configuration, the value will revert to the default of `30` minutes in the Terraform state. This is because Azure manages this setting and Terraform will reflect the actual Azure configuration, which defaults to `30` minutes when not explicitly specified.
     */
    readonly jsChallengeCookieExpirationInMinutes: pulumi.Output;
    /**
     * A `logScrubbing` block as defined below.
     *
     * !> **Note:** Setting the `logScrubbing` block is currently in **PREVIEW**. Please see the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
     */
    readonly logScrubbing: pulumi.Output;
    /**
     * One or more `managedRule` blocks as defined below.
     */
    readonly managedRules: pulumi.Output;
    /**
     * The Front Door Firewall Policy mode. Possible values are `Detection`, `Prevention`.
     *
     * > **Note:** In `Detection` mode the policy only monitors and logs the request and its matched rule to the Web Application Firewall logs; it takes no other action.
     */
    readonly mode: pulumi.Output;
    /**
     * The name of the policy. Changing this forces a new resource to be created.
     */
    readonly name: pulumi.Output;
    /**
     * If action type is redirect, this field represents the redirect URL for the client.
     */
    readonly redirectUrl: pulumi.Output;
    /**
     * Should policy managed rules inspect the request body content? Defaults to `true`. Set to `false` to turn off request body inspection by managed rules.
     *
     * > **Note:** When run in `Detection` mode, the Front Door Firewall Policy takes no action other than monitoring and logging the request and its matched Front Door Rule to the Web Application Firewall logs.
     */
    readonly requestBodyCheckEnabled: pulumi.Output;
    /**
     * The name of the resource group. Changing this forces a new resource to be created.
     */
    readonly resourceGroupName: pulumi.Output;
    /**
     * The SKU's pricing tier for this Front Door Firewall Policy. Possible values include `Standard_AzureFrontDoor` or `Premium_AzureFrontDoor`. Changing this forces a new resource to be created.
     *
     * > **Note:** The `Standard_AzureFrontDoor` Front Door Firewall Policy SKU may contain `custom` rules only. The `Premium_AzureFrontDoor` Front Door Firewall Policy SKU may contain both `custom` and `managed` rules.
     */
    readonly skuName: pulumi.Output;
    /**
     * A mapping of tags to assign to the Front Door Firewall Policy.
     */
    readonly tags: pulumi.Output<{
        [key: string]: string;
    } | undefined>;
    /**
     * Create a FrontdoorFirewallPolicy resource with the given unique name, arguments, and options.
     *
     * @param name The _unique_ name of the resource.
     * @param args The arguments to use to populate this resource's properties.
     * @param opts A bag of options that control this resource's behavior.
     */
    constructor(name: string, args: FrontdoorFirewallPolicyArgs, opts?: pulumi.CustomResourceOptions);
}
/**
 * Input properties used for looking up and filtering FrontdoorFirewallPolicy resources.
 * Every property is optional.
 */
export interface FrontdoorFirewallPolicyState {
    /**
     * Specifies the Captcha cookie lifetime in minutes. Possible values are between `5` and `1440`. Defaults to `30` minutes.
     *
     * > **Note:** The `captchaCookieExpirationInMinutes` field can only be set on `Premium_AzureFrontDoor` SKUs. Please see the [Product Documentation](https://learn.microsoft.com/azure/web-application-firewall/afds/captcha-challenge) for more information.
     *
     * > **Note:** When you remove the `captchaCookieExpirationInMinutes` field from your configuration, the value will revert to the default of `30` minutes in the Terraform state. This is because Azure manages this setting and Terraform will reflect the actual Azure configuration, which defaults to `30` minutes when not explicitly specified.
     */
    captchaCookieExpirationInMinutes?: pulumi.Input;
    /**
     * If a `customRule` block's action type is `block`, this is the response body. The body must be specified in base64 encoding.
     */
    customBlockResponseBody?: pulumi.Input;
    /**
     * If a `customRule` block's action type is `block`, this is the response status code. Possible values are `200`, `403`, `405`, `406`, or `429`.
     */
    customBlockResponseStatusCode?: pulumi.Input;
    /**
     * One or more `customRule` blocks as defined below.
     */
    customRules?: pulumi.Input[]>;
    /**
     * Is the Front Door Firewall Policy enabled? Defaults to `true`.
     */
    enabled?: pulumi.Input;
    /**
     * The Front Door Profiles frontend endpoints associated with this Front Door Firewall Policy.
     */
    frontendEndpointIds?: pulumi.Input[]>;
    /**
     * Specifies the JavaScript challenge cookie lifetime in minutes, after which the user will be revalidated. Possible values are between `5` and `1440` minutes. Defaults to `30` minutes.
     *
     * > **Note:** The `jsChallengeCookieExpirationInMinutes` field can only be set on `Premium_AzureFrontDoor` SKUs. Please see the [Product Documentation](https://learn.microsoft.com/azure/web-application-firewall/waf-javascript-challenge) for more information.
     *
     * > **Note:** When you remove the `jsChallengeCookieExpirationInMinutes` field from your configuration, the value will revert to the default of `30` minutes in the Terraform state. This is because Azure manages this setting and Terraform will reflect the actual Azure configuration, which defaults to `30` minutes when not explicitly specified.
     */
    jsChallengeCookieExpirationInMinutes?: pulumi.Input;
    /**
     * A `logScrubbing` block as defined below.
     *
     * !> **Note:** Setting the `logScrubbing` block is currently in **PREVIEW**. Please see the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
     */
    logScrubbing?: pulumi.Input;
    /**
     * One or more `managedRule` blocks as defined below.
     */
    managedRules?: pulumi.Input[]>;
    /**
     * The Front Door Firewall Policy mode. Possible values are `Detection`, `Prevention`.
     *
     * > **Note:** In `Detection` mode the policy only monitors and logs the request and its matched rule to the Web Application Firewall logs; it takes no other action.
     */
    mode?: pulumi.Input;
    /**
     * The name of the policy. Changing this forces a new resource to be created.
     */
    name?: pulumi.Input;
    /**
     * If action type is redirect, this field represents the redirect URL for the client.
     */
    redirectUrl?: pulumi.Input;
    /**
     * Should policy managed rules inspect the request body content? Defaults to `true`. Set to `false` to turn off request body inspection by managed rules.
     *
     * > **Note:** When run in `Detection` mode, the Front Door Firewall Policy takes no action other than monitoring and logging the request and its matched Front Door Rule to the Web Application Firewall logs.
     */
    requestBodyCheckEnabled?: pulumi.Input;
    /**
     * The name of the resource group. Changing this forces a new resource to be created.
     */
    resourceGroupName?: pulumi.Input;
    /**
     * The SKU's pricing tier for this Front Door Firewall Policy. Possible values include `Standard_AzureFrontDoor` or `Premium_AzureFrontDoor`. Changing this forces a new resource to be created.
     *
     * > **Note:** The `Standard_AzureFrontDoor` Front Door Firewall Policy SKU may contain `custom` rules only. The `Premium_AzureFrontDoor` Front Door Firewall Policy SKU may contain both `custom` and `managed` rules.
     */
    skuName?: pulumi.Input;
    /**
     * A mapping of tags to assign to the Front Door Firewall Policy.
     */
    tags?: pulumi.Input<{
        [key: string]: pulumi.Input;
    }>;
}
/**
 * The set of arguments for constructing a FrontdoorFirewallPolicy resource.
 * `mode`, `resourceGroupName` and `skuName` are required; every other property is optional.
 */
export interface FrontdoorFirewallPolicyArgs {
    /**
     * Specifies the Captcha cookie lifetime in minutes. Possible values are between `5` and `1440`. Defaults to `30` minutes.
     *
     * > **Note:** The `captchaCookieExpirationInMinutes` field can only be set on `Premium_AzureFrontDoor` SKUs. Please see the [Product Documentation](https://learn.microsoft.com/azure/web-application-firewall/afds/captcha-challenge) for more information.
     *
     * > **Note:** When you remove the `captchaCookieExpirationInMinutes` field from your configuration, the value will revert to the default of `30` minutes in the Terraform state. This is because Azure manages this setting and Terraform will reflect the actual Azure configuration, which defaults to `30` minutes when not explicitly specified.
     */
    captchaCookieExpirationInMinutes?: pulumi.Input;
    /**
     * If a `customRule` block's action type is `block`, this is the response body. The body must be specified in base64 encoding.
     */
    customBlockResponseBody?: pulumi.Input;
    /**
     * If a `customRule` block's action type is `block`, this is the response status code. Possible values are `200`, `403`, `405`, `406`, or `429`.
     */
    customBlockResponseStatusCode?: pulumi.Input;
    /**
     * One or more `customRule` blocks as defined below.
     */
    customRules?: pulumi.Input[]>;
    /**
     * Is the Front Door Firewall Policy enabled? Defaults to `true`.
     */
    enabled?: pulumi.Input;
    /**
     * Specifies the JavaScript challenge cookie lifetime in minutes, after which the user will be revalidated. Possible values are between `5` and `1440` minutes. Defaults to `30` minutes.
     *
     * > **Note:** The `jsChallengeCookieExpirationInMinutes` field can only be set on `Premium_AzureFrontDoor` SKUs. Please see the [Product Documentation](https://learn.microsoft.com/azure/web-application-firewall/waf-javascript-challenge) for more information.
     *
     * > **Note:** When you remove the `jsChallengeCookieExpirationInMinutes` field from your configuration, the value will revert to the default of `30` minutes in the Terraform state. This is because Azure manages this setting and Terraform will reflect the actual Azure configuration, which defaults to `30` minutes when not explicitly specified.
     */
    jsChallengeCookieExpirationInMinutes?: pulumi.Input;
    /**
     * A `logScrubbing` block as defined below.
     *
     * !> **Note:** Setting the `logScrubbing` block is currently in **PREVIEW**. Please see the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
     */
    logScrubbing?: pulumi.Input;
    /**
     * One or more `managedRule` blocks as defined below.
     */
    managedRules?: pulumi.Input[]>;
    /**
     * The Front Door Firewall Policy mode. Possible values are `Detection`, `Prevention`.
     *
     * > **Note:** In `Detection` mode the policy only monitors and logs the request and its matched rule to the Web Application Firewall logs; it takes no other action.
     */
    mode: pulumi.Input;
    /**
     * The name of the policy. Changing this forces a new resource to be created.
     */
    name?: pulumi.Input;
    /**
     * If action type is redirect, this field represents the redirect URL for the client.
     */
    redirectUrl?: pulumi.Input;
    /**
     * Should policy managed rules inspect the request body content? Defaults to `true`. Set to `false` to turn off request body inspection by managed rules.
     *
     * > **Note:** When run in `Detection` mode, the Front Door Firewall Policy takes no action other than monitoring and logging the request and its matched Front Door Rule to the Web Application Firewall logs.
     */
    requestBodyCheckEnabled?: pulumi.Input;
    /**
     * The name of the resource group. Changing this forces a new resource to be created.
     */
    resourceGroupName: pulumi.Input;
    /**
     * The SKU's pricing tier for this Front Door Firewall Policy. Possible values include `Standard_AzureFrontDoor` or `Premium_AzureFrontDoor`. Changing this forces a new resource to be created.
     *
     * > **Note:** The `Standard_AzureFrontDoor` Front Door Firewall Policy SKU may contain `custom` rules only. The `Premium_AzureFrontDoor` Front Door Firewall Policy SKU may contain both `custom` and `managed` rules.
     */
    skuName: pulumi.Input;
    /**
     * A mapping of tags to assign to the Front Door Firewall Policy.
     */
    tags?: pulumi.Input<{
        [key: string]: pulumi.Input;
    }>;
}