This page documents the language specification for the azure package. If you're looking for help working with the inputs, outputs, or functions of azure resources in a Pulumi program, please see the resource documentation for examples and API reference.

waf¶

This provider is a derived work of the Terraform Provider distributed under MPL 2.0. If you encounter a bug or missing feature, first check the pulumi/pulumi-azure repo; however, if that doesn’t turn up anything, please consult the source terraform-providers/terraform-provider-azurerm repo.

class pulumi_azure.waf.Policy(resource_name, opts=None, custom_rules=None, location=None, managed_rules=None, name=None, policy_settings=None, resource_group_name=None, tags=None, __props__=None, __name__=None, __opts__=None)¶

Manages a Azure Web Application Firewall Policy instance.

import pulumi
import pulumi_azure as azure

example_resource_group = azure.core.ResourceGroup("exampleResourceGroup", location="West US 2")
example_policy = azure.waf.Policy("examplePolicy",
    resource_group_name=example_resource_group.name,
    location=example_resource_group.location,
    custom_rules=[
        {
            "name": "Rule1",
            "priority": 1,
            "ruleType": "MatchRule",
            "match_conditions": [{
                "match_variables": [{
                    "variableName": "RemoteAddr",
                }],
                "operator": "IPMatch",
                "negationCondition": False,
                "matchValues": [
                    "192.168.1.0/24",
                    "10.0.0.0/24",
                ],
            }],
            "action": "Block",
        },
        {
            "name": "Rule2",
            "priority": 2,
            "ruleType": "MatchRule",
            "match_conditions": [
                {
                    "match_variables": [{
                        "variableName": "RemoteAddr",
                    }],
                    "operator": "IPMatch",
                    "negationCondition": False,
                    "matchValues": ["192.168.1.0/24"],
                },
                {
                    "match_variables": [{
                        "variableName": "RequestHeaders",
                        "selector": "UserAgent",
                    }],
                    "operator": "Contains",
                    "negationCondition": False,
                    "matchValues": ["Windows"],
                },
            ],
            "action": "Block",
        },
    ],
    policy_settings={
        "enabled": True,
        "mode": "Prevention",
    },
    managed_rules={
        "exclusion": [
            {
                "matchVariable": "RequestHeaderNames",
                "selector": "x-company-secret-header",
                "selectorMatchOperator": "Equals",
            },
            {
                "matchVariable": "RequestCookieNames",
                "selector": "too-tasty",
                "selectorMatchOperator": "EndsWith",
            },
        ],
        "managed_rule_set": [{
            "type": "OWASP",
            "version": "3.1",
            "rule_group_override": [{
                "ruleGroupName": "REQUEST-920-PROTOCOL-ENFORCEMENT",
                "disabledRules": [
                    "920300",
                    "920440",
                ],
            }],
        }],
    })

Parameters

resource_name (str) – The name of the resource.
opts (pulumi.ResourceOptions) – Options for the resource.
custom_rules (pulumi.Input[list]) – One or more custom_rules blocks as defined below.
location (pulumi.Input[str]) – Resource location. Changing this forces a new resource to be created.
managed_rules (pulumi.Input[dict]) – A managed_rules blocks as defined below.
name (pulumi.Input[str]) – The name of the policy. Changing this forces a new resource to be created.
policy_settings (pulumi.Input[dict]) – A policy_settings block as defined below.
resource_group_name (pulumi.Input[str]) – The name of the resource group. Changing this forces a new resource to be created.
tags (pulumi.Input[dict]) – A mapping of tags to assign to the Web Application Firewall Policy.

The custom_rules object supports the following:

action (pulumi.Input[str]) - Type of action.
matchConditions (pulumi.Input[list]) - One or more match_conditions blocks as defined below.
- matchValues (pulumi.Input[list]) - A list of match values.
- matchVariables (pulumi.Input[list]) - One or more match_variables blocks as defined below.
  - selector (pulumi.Input[str]) - Describes field of the matchVariable collection
  - variableName (pulumi.Input[str]) - The name of the Match Variable
- negationCondition (pulumi.Input[bool]) - Describes if this is negate condition or not
- operator (pulumi.Input[str]) - Describes operator to be matched.
name (pulumi.Input[str]) - Gets name of the resource that is unique within a policy. This name can be used to access the resource.
priority (pulumi.Input[float]) - Describes priority of the rule. Rules with a lower value will be evaluated before rules with a higher value.
ruleType (pulumi.Input[str]) - Describes the type of rule.

The managed_rules object supports the following:

exclusions (pulumi.Input[list]) - One or more exclusion block defined below.
- matchVariable (pulumi.Input[str])
- selector (pulumi.Input[str]) - Describes field of the matchVariable collection.
- selectorMatchOperator (pulumi.Input[str]) - Describes operator to be matched. Possible values: Contains, EndsWith, Equals, EqualsAny, StartsWith.
managedRuleSets (pulumi.Input[list]) - One or more managed_rule_set block defined below.
- ruleGroupOverrides (pulumi.Input[list]) - One or more rule_group_override block defined below.
  - disabledRules (pulumi.Input[list]) - One or more Rule ID’s
  - ruleGroupName (pulumi.Input[str]) - The name of the Rule Group
- type (pulumi.Input[str]) - The rule set type.
- version (pulumi.Input[str]) - The rule set version.

The policy_settings object supports the following:

enabled (pulumi.Input[bool]) - Describes if the policy is in enabled state or disabled state Defaults to Enabled.
mode (pulumi.Input[str]) - Describes if it is in detection mode or prevention mode at the policy level Defaults to Prevention.

custom_rules: pulumi.Output[list] = None¶

One or more custom_rules blocks as defined below.

action (str) - Type of action.
matchConditions (list) - One or more match_conditions blocks as defined below.
- matchValues (list) - A list of match values.
- matchVariables (list) - One or more match_variables blocks as defined below.
  - selector (str) - Describes field of the matchVariable collection
  - variableName (str) - The name of the Match Variable
- negationCondition (bool) - Describes if this is negate condition or not
- operator (str) - Describes operator to be matched.
name (str) - Gets name of the resource that is unique within a policy. This name can be used to access the resource.
priority (float) - Describes priority of the rule. Rules with a lower value will be evaluated before rules with a higher value.
ruleType (str) - Describes the type of rule.

location: pulumi.Output[str] = None¶: Resource location. Changing this forces a new resource to be created.

managed_rules: pulumi.Output[dict] = None¶

A managed_rules blocks as defined below.

exclusions (list) - One or more exclusion block defined below.
- matchVariable (str)
- selector (str) - Describes field of the matchVariable collection.
- selectorMatchOperator (str) - Describes operator to be matched. Possible values: Contains, EndsWith, Equals, EqualsAny, StartsWith.
managedRuleSets (list) - One or more managed_rule_set block defined below.
- ruleGroupOverrides (list) - One or more rule_group_override block defined below.
  - disabledRules (list) - One or more Rule ID’s
  - ruleGroupName (str) - The name of the Rule Group
- type (str) - The rule set type.
- version (str) - The rule set version.

name: pulumi.Output[str] = None¶: The name of the policy. Changing this forces a new resource to be created.

policy_settings: pulumi.Output[dict] = None¶

A policy_settings block as defined below.

enabled (bool) - Describes if the policy is in enabled state or disabled state Defaults to Enabled.
mode (str) - Describes if it is in detection mode or prevention mode at the policy level Defaults to Prevention.

resource_group_name: pulumi.Output[str] = None¶: The name of the resource group. Changing this forces a new resource to be created.

tags: pulumi.Output[dict] = None¶: A mapping of tags to assign to the Web Application Firewall Policy.

static get(resource_name, id, opts=None, custom_rules=None, location=None, managed_rules=None, name=None, policy_settings=None, resource_group_name=None, tags=None)¶

Get an existing Policy resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters

resource_name (str) – The unique name of the resulting resource.
id (str) – The unique provider ID of the resource to lookup.
opts (pulumi.ResourceOptions) – Options for the resource.
custom_rules (pulumi.Input[list]) – One or more custom_rules blocks as defined below.
location (pulumi.Input[str]) – Resource location. Changing this forces a new resource to be created.
managed_rules (pulumi.Input[dict]) – A managed_rules blocks as defined below.
name (pulumi.Input[str]) – The name of the policy. Changing this forces a new resource to be created.
policy_settings (pulumi.Input[dict]) – A policy_settings block as defined below.
resource_group_name (pulumi.Input[str]) – The name of the resource group. Changing this forces a new resource to be created.
tags (pulumi.Input[dict]) – A mapping of tags to assign to the Web Application Firewall Policy.

The custom_rules object supports the following:

action (pulumi.Input[str]) - Type of action.
matchConditions (pulumi.Input[list]) - One or more match_conditions blocks as defined below.
- matchValues (pulumi.Input[list]) - A list of match values.
- matchVariables (pulumi.Input[list]) - One or more match_variables blocks as defined below.
  - selector (pulumi.Input[str]) - Describes field of the matchVariable collection
  - variableName (pulumi.Input[str]) - The name of the Match Variable
- negationCondition (pulumi.Input[bool]) - Describes if this is negate condition or not
- operator (pulumi.Input[str]) - Describes operator to be matched.
name (pulumi.Input[str]) - Gets name of the resource that is unique within a policy. This name can be used to access the resource.
priority (pulumi.Input[float]) - Describes priority of the rule. Rules with a lower value will be evaluated before rules with a higher value.
ruleType (pulumi.Input[str]) - Describes the type of rule.

The managed_rules object supports the following:

exclusions (pulumi.Input[list]) - One or more exclusion block defined below.
- matchVariable (pulumi.Input[str])
- selector (pulumi.Input[str]) - Describes field of the matchVariable collection.
- selectorMatchOperator (pulumi.Input[str]) - Describes operator to be matched. Possible values: Contains, EndsWith, Equals, EqualsAny, StartsWith.
managedRuleSets (pulumi.Input[list]) - One or more managed_rule_set block defined below.
- ruleGroupOverrides (pulumi.Input[list]) - One or more rule_group_override block defined below.
  - disabledRules (pulumi.Input[list]) - One or more Rule ID’s
  - ruleGroupName (pulumi.Input[str]) - The name of the Rule Group
- type (pulumi.Input[str]) - The rule set type.
- version (pulumi.Input[str]) - The rule set version.

The policy_settings object supports the following:

enabled (pulumi.Input[bool]) - Describes if the policy is in enabled state or disabled state Defaults to Enabled.
mode (pulumi.Input[str]) - Describes if it is in detection mode or prevention mode at the policy level Defaults to Prevention.

translate_output_property(prop)¶

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters: prop (str) – A property name.
Returns: A potentially transformed property name.
Return type: str

translate_input_property(prop)¶

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters: prop (str) – A property name.
Returns: A potentially transformed property name.
Return type: str

The Pulumi Platform

Get Started

Migrate to Pulumi

Solutions for All Teams and Engineers

Any Code

Any Cloud

waf¶

On This Page