
We recommend using Azure Native.

Azure Classic v5.67.1 published on Tuesday, Feb 27, 2024 by Pulumi

azure.waf.Policy


    Manages an Azure Web Application Firewall Policy instance.

    Example Usage

    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Azure = Pulumi.Azure;
    
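    // Provisions a resource group and a WAF policy that combines two custom
    // block rules, Prevention-mode policy settings, and the OWASP 3.2 managed
    // rule set with two exclusions and two per-rule overrides.
    return await Deployment.RunAsync(() =>
    {
        var example = new Azure.Core.ResourceGroup("example", new()
        {
            Name = "example-rg",
            Location = "West Europe",
        });

        var examplePolicy = new Azure.Waf.Policy("example", new()
        {
            Name = "example-wafpolicy",
            ResourceGroupName = example.Name,
            Location = example.Location,
            // Custom rules are evaluated in ascending Priority order.
            CustomRules = new[]
            {
                // Rule1: block requests whose source address is in the listed
                // ranges. The CIDRs are RFC 1918 sample values; replace them
                // with the sources you actually need to deny.
                // NOTE(review): behind another proxy or CDN, RemoteAddr may be
                // the proxy's address rather than the end client's; confirm.
                new Azure.Waf.Inputs.PolicyCustomRuleArgs
                {
                    Name = "Rule1",
                    Priority = 1,
                    RuleType = "MatchRule",
                    MatchConditions = new[]
                    {
                        new Azure.Waf.Inputs.PolicyCustomRuleMatchConditionArgs
                        {
                            MatchVariables = new[]
                            {
                                new Azure.Waf.Inputs.PolicyCustomRuleMatchConditionMatchVariableArgs
                                {
                                    VariableName = "RemoteAddr",
                                },
                            },
                            Operator = "IPMatch",
                            NegationCondition = false,
                            MatchValues = new[]
                            {
                                "192.168.1.0/24",
                                "10.0.0.0/24",
                            },
                        },
                    },
                    Action = "Block",
                },
                // Rule2: conditions inside one rule are ANDed, so this blocks
                // only requests from 192.168.1.0/24 whose User-Agent header
                // also contains "Windows".
                new Azure.Waf.Inputs.PolicyCustomRuleArgs
                {
                    Name = "Rule2",
                    Priority = 2,
                    RuleType = "MatchRule",
                    MatchConditions = new[]
                    {
                        new Azure.Waf.Inputs.PolicyCustomRuleMatchConditionArgs
                        {
                            MatchVariables = new[]
                            {
                                new Azure.Waf.Inputs.PolicyCustomRuleMatchConditionMatchVariableArgs
                                {
                                    VariableName = "RemoteAddr",
                                },
                            },
                            Operator = "IPMatch",
                            NegationCondition = false,
                            MatchValues = new[]
                            {
                                "192.168.1.0/24",
                            },
                        },
                        new Azure.Waf.Inputs.PolicyCustomRuleMatchConditionArgs
                        {
                            MatchVariables = new[]
                            {
                                new Azure.Waf.Inputs.PolicyCustomRuleMatchConditionMatchVariableArgs
                                {
                                    VariableName = "RequestHeaders",
                                    // The selector is the HTTP header name, so it
                                    // needs the hyphen; "UserAgent" would select a
                                    // header that clients do not send.
                                    Selector = "User-Agent",
                                },
                            },
                            Operator = "Contains",
                            NegationCondition = false,
                            MatchValues = new[]
                            {
                                "Windows",
                            },
                        },
                    },
                    Action = "Block",
                },
            },
            // Prevention mode blocks matching requests; Detection would only
            // log them. Body inspection is on, with the size limits below.
            PolicySettings = new Azure.Waf.Inputs.PolicyPolicySettingsArgs
            {
                Enabled = true,
                Mode = "Prevention",
                RequestBodyCheck = true,
                FileUploadLimitInMb = 100,
                MaxRequestBodySizeInKb = 128,
            },
            ManagedRules = new Azure.Waf.Inputs.PolicyManagedRulesArgs
            {
                // Each exclusion takes the selected header or cookie out of
                // managed-rule inspection, so keep selectors as narrow as
                // possible. EndsWith applies to every cookie whose name ends
                // in "too-tasty", which is broader than an Equals match.
                Exclusions = new[]
                {
                    new Azure.Waf.Inputs.PolicyManagedRulesExclusionArgs
                    {
                        MatchVariable = "RequestHeaderNames",
                        Selector = "x-company-secret-header",
                        SelectorMatchOperator = "Equals",
                    },
                    new Azure.Waf.Inputs.PolicyManagedRulesExclusionArgs
                    {
                        MatchVariable = "RequestCookieNames",
                        Selector = "too-tasty",
                        SelectorMatchOperator = "EndsWith",
                    },
                },
                ManagedRuleSets = new[]
                {
                    new Azure.Waf.Inputs.PolicyManagedRulesManagedRuleSetArgs
                    {
                        Type = "OWASP",
                        Version = "3.2",
                        RuleGroupOverrides = new[]
                        {
                            new Azure.Waf.Inputs.PolicyManagedRulesManagedRuleSetRuleGroupOverrideArgs
                            {
                                RuleGroupName = "REQUEST-920-PROTOCOL-ENFORCEMENT",
                                // 920300 is set to Log, so its matches are
                                // recorded but not blocked; 920440 blocks.
                                Rules = new[]
                                {
                                    new Azure.Waf.Inputs.PolicyManagedRulesManagedRuleSetRuleGroupOverrideRuleArgs
                                    {
                                        Id = "920300",
                                        Enabled = true,
                                        Action = "Log",
                                    },
                                    new Azure.Waf.Inputs.PolicyManagedRulesManagedRuleSetRuleGroupOverrideRuleArgs
                                    {
                                        Id = "920440",
                                        Enabled = true,
                                        Action = "Block",
                                    },
                                },
                            },
                        },
                    },
                },
            },
        });

    });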
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/core"
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/waf"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
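    // main provisions a resource group and a WAF policy that combines two
    // custom block rules, Prevention-mode policy settings, and the OWASP 3.2
    // managed rule set with two exclusions and two per-rule overrides.
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		example, err := core.NewResourceGroup(ctx, "example", &core.ResourceGroupArgs{
    			Name:     pulumi.String("example-rg"),
    			Location: pulumi.String("West Europe"),
    		})
    		if err != nil {
    			return err
    		}
    		_, err = waf.NewPolicy(ctx, "example", &waf.PolicyArgs{
    			Name:              pulumi.String("example-wafpolicy"),
    			ResourceGroupName: example.Name,
    			Location:          example.Location,
    			// Custom rules are evaluated in ascending Priority order.
    			CustomRules: waf.PolicyCustomRuleArray{
    				// Rule1: block requests whose source address is in the
    				// listed ranges. The CIDRs are RFC 1918 sample values;
    				// replace them with the sources you need to deny.
    				// NOTE(review): behind another proxy or CDN, RemoteAddr
    				// may be the proxy's address, not the client's; confirm.
    				&waf.PolicyCustomRuleArgs{
    					Name:     pulumi.String("Rule1"),
    					Priority: pulumi.Int(1),
    					RuleType: pulumi.String("MatchRule"),
    					MatchConditions: waf.PolicyCustomRuleMatchConditionArray{
    						&waf.PolicyCustomRuleMatchConditionArgs{
    							MatchVariables: waf.PolicyCustomRuleMatchConditionMatchVariableArray{
    								&waf.PolicyCustomRuleMatchConditionMatchVariableArgs{
    									VariableName: pulumi.String("RemoteAddr"),
    								},
    							},
    							Operator:          pulumi.String("IPMatch"),
    							NegationCondition: pulumi.Bool(false),
    							MatchValues: pulumi.StringArray{
    								pulumi.String("192.168.1.0/24"),
    								pulumi.String("10.0.0.0/24"),
    							},
    						},
    					},
    					Action: pulumi.String("Block"),
    				},
    				// Rule2: conditions inside one rule are ANDed, so this
    				// blocks only requests from 192.168.1.0/24 whose
    				// User-Agent header also contains "Windows".
    				&waf.PolicyCustomRuleArgs{
    					Name:     pulumi.String("Rule2"),
    					Priority: pulumi.Int(2),
    					RuleType: pulumi.String("MatchRule"),
    					MatchConditions: waf.PolicyCustomRuleMatchConditionArray{
    						&waf.PolicyCustomRuleMatchConditionArgs{
    							MatchVariables: waf.PolicyCustomRuleMatchConditionMatchVariableArray{
    								&waf.PolicyCustomRuleMatchConditionMatchVariableArgs{
    									VariableName: pulumi.String("RemoteAddr"),
    								},
    							},
    							Operator:          pulumi.String("IPMatch"),
    							NegationCondition: pulumi.Bool(false),
    							MatchValues: pulumi.StringArray{
    								pulumi.String("192.168.1.0/24"),
    							},
    						},
    						&waf.PolicyCustomRuleMatchConditionArgs{
    							MatchVariables: waf.PolicyCustomRuleMatchConditionMatchVariableArray{
    								&waf.PolicyCustomRuleMatchConditionMatchVariableArgs{
    									VariableName: pulumi.String("RequestHeaders"),
    									// The selector is the HTTP header name, so
    									// it needs the hyphen; "UserAgent" would
    									// select a header clients do not send.
    									Selector: pulumi.String("User-Agent"),
    								},
    							},
    							Operator:          pulumi.String("Contains"),
    							NegationCondition: pulumi.Bool(false),
    							MatchValues: pulumi.StringArray{
    								pulumi.String("Windows"),
    							},
    						},
    					},
    					Action: pulumi.String("Block"),
    				},
    			},
    			// Prevention mode blocks matching requests; Detection would
    			// only log them. Body inspection is on, with the limits below.
    			PolicySettings: &waf.PolicyPolicySettingsArgs{
    				Enabled:                pulumi.Bool(true),
    				Mode:                   pulumi.String("Prevention"),
    				RequestBodyCheck:       pulumi.Bool(true),
    				FileUploadLimitInMb:    pulumi.Int(100),
    				MaxRequestBodySizeInKb: pulumi.Int(128),
    			},
    			ManagedRules: &waf.PolicyManagedRulesArgs{
    				// Each exclusion takes the selected header or cookie out
    				// of managed-rule inspection, so keep selectors narrow.
    				// EndsWith applies to every cookie whose name ends in
    				// "too-tasty", which is broader than an Equals match.
    				Exclusions: waf.PolicyManagedRulesExclusionArray{
    					&waf.PolicyManagedRulesExclusionArgs{
    						MatchVariable:         pulumi.String("RequestHeaderNames"),
    						Selector:              pulumi.String("x-company-secret-header"),
    						SelectorMatchOperator: pulumi.String("Equals"),
    					},
    					&waf.PolicyManagedRulesExclusionArgs{
    						MatchVariable:         pulumi.String("RequestCookieNames"),
    						Selector:              pulumi.String("too-tasty"),
    						SelectorMatchOperator: pulumi.String("EndsWith"),
    					},
    				},
    				ManagedRuleSets: waf.PolicyManagedRulesManagedRuleSetArray{
    					&waf.PolicyManagedRulesManagedRuleSetArgs{
    						Type:    pulumi.String("OWASP"),
    						Version: pulumi.String("3.2"),
    						RuleGroupOverrides: waf.PolicyManagedRulesManagedRuleSetRuleGroupOverrideArray{
    							&waf.PolicyManagedRulesManagedRuleSetRuleGroupOverrideArgs{
    								RuleGroupName: pulumi.String("REQUEST-920-PROTOCOL-ENFORCEMENT"),
    								// 920300 is set to Log, so its matches are
    								// recorded but not blocked; 920440 blocks.
    								Rules: waf.PolicyManagedRulesManagedRuleSetRuleGroupOverrideRuleArray{
    									&waf.PolicyManagedRulesManagedRuleSetRuleGroupOverrideRuleArgs{
    										Id:      pulumi.String("920300"),
    										Enabled: pulumi.Bool(true),
    										Action:  pulumi.String("Log"),
    									},
    									&waf.PolicyManagedRulesManagedRuleSetRuleGroupOverrideRuleArgs{
    										Id:      pulumi.String("920440"),
    										Enabled: pulumi.Bool(true),
    										Action:  pulumi.String("Block"),
    									},
    								},
    							},
    						},
    					},
    				},
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }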
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.azure.core.ResourceGroup;
    import com.pulumi.azure.core.ResourceGroupArgs;
    import com.pulumi.azure.waf.Policy;
    import com.pulumi.azure.waf.PolicyArgs;
    import com.pulumi.azure.waf.inputs.PolicyCustomRuleArgs;
    import com.pulumi.azure.waf.inputs.PolicyPolicySettingsArgs;
    import com.pulumi.azure.waf.inputs.PolicyManagedRulesArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
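    /**
     * Pulumi program that provisions a resource group and a WAF policy with two
     * custom block rules, Prevention-mode policy settings, and the OWASP 3.2
     * managed rule set with two exclusions and two per-rule overrides.
     */
    public class App {
        /** Hands the stack definition to the Pulumi runtime. */
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }

        /**
         * Declares the resource group and the WAF policy.
         *
         * @param ctx the Pulumi deployment context (not read by this example)
         */
        public static void stack(Context ctx) {
            var example = new ResourceGroup("example", ResourceGroupArgs.builder()
                .name("example-rg")
                .location("West Europe")
                .build());

            var examplePolicy = new Policy("examplePolicy", PolicyArgs.builder()
                .name("example-wafpolicy")
                .resourceGroupName(example.name())
                .location(example.location())
                // Custom rules are evaluated in ascending priority order.
                .customRules(
                    // Rule1: block requests whose source address is in the listed
                    // ranges. The CIDRs are RFC 1918 sample values; replace them
                    // with the sources you actually need to deny.
                    // NOTE(review): behind another proxy or CDN, RemoteAddr may be
                    // the proxy's address rather than the end client's; confirm.
                    PolicyCustomRuleArgs.builder()
                        .name("Rule1")
                        .priority(1)
                        .ruleType("MatchRule")
                        .matchConditions(PolicyCustomRuleMatchConditionArgs.builder()
                            .matchVariables(PolicyCustomRuleMatchConditionMatchVariableArgs.builder()
                                .variableName("RemoteAddr")
                                .build())
                            .operator("IPMatch")
                            .negationCondition(false)
                            .matchValues(
                                "192.168.1.0/24",
                                "10.0.0.0/24")
                            .build())
                        .action("Block")
                        .build(),
                    // Rule2: conditions inside one rule are ANDed, so this blocks
                    // only requests from 192.168.1.0/24 whose User-Agent header
                    // also contains "Windows".
                    PolicyCustomRuleArgs.builder()
                        .name("Rule2")
                        .priority(2)
                        .ruleType("MatchRule")
                        .matchConditions(
                            PolicyCustomRuleMatchConditionArgs.builder()
                                .matchVariables(PolicyCustomRuleMatchConditionMatchVariableArgs.builder()
                                    .variableName("RemoteAddr")
                                    .build())
                                .operator("IPMatch")
                                .negationCondition(false)
                                .matchValues("192.168.1.0/24")
                                .build(),
                            PolicyCustomRuleMatchConditionArgs.builder()
                                .matchVariables(PolicyCustomRuleMatchConditionMatchVariableArgs.builder()
                                    .variableName("RequestHeaders")
                                    // The selector is the HTTP header name, so it
                                    // needs the hyphen; "UserAgent" would select a
                                    // header that clients do not send.
                                    .selector("User-Agent")
                                    .build())
                                .operator("Contains")
                                .negationCondition(false)
                                .matchValues("Windows")
                                .build())
                        .action("Block")
                        .build())
                // Prevention mode blocks matching requests; Detection would only
                // log them. Body inspection is on, with the size limits below.
                .policySettings(PolicyPolicySettingsArgs.builder()
                    .enabled(true)
                    .mode("Prevention")
                    .requestBodyCheck(true)
                    .fileUploadLimitInMb(100)
                    .maxRequestBodySizeInKb(128)
                    .build())
                .managedRules(PolicyManagedRulesArgs.builder()
                    // Each exclusion takes the selected header or cookie out of
                    // managed-rule inspection, so keep selectors as narrow as
                    // possible. EndsWith applies to every cookie whose name ends
                    // in "too-tasty", which is broader than an Equals match.
                    .exclusions(
                        PolicyManagedRulesExclusionArgs.builder()
                            .matchVariable("RequestHeaderNames")
                            .selector("x-company-secret-header")
                            .selectorMatchOperator("Equals")
                            .build(),
                        PolicyManagedRulesExclusionArgs.builder()
                            .matchVariable("RequestCookieNames")
                            .selector("too-tasty")
                            .selectorMatchOperator("EndsWith")
                            .build())
                    .managedRuleSets(PolicyManagedRulesManagedRuleSetArgs.builder()
                        .type("OWASP")
                        .version("3.2")
                        .ruleGroupOverrides(PolicyManagedRulesManagedRuleSetRuleGroupOverrideArgs.builder()
                            .ruleGroupName("REQUEST-920-PROTOCOL-ENFORCEMENT")
                            // 920300 is set to Log, so its matches are recorded
                            // but not blocked; 920440 blocks.
                            .rules(
                                PolicyManagedRulesManagedRuleSetRuleGroupOverrideRuleArgs.builder()
                                    .id("920300")
                                    .enabled(true)
                                    .action("Log")
                                    .build(),
                                PolicyManagedRulesManagedRuleSetRuleGroupOverrideRuleArgs.builder()
                                    .id("920440")
                                    .enabled(true)
                                    .action("Block")
                                    .build())
                            .build())
                        .build())
                    .build())
                .build());

        }
    }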
    
    import pulumi
    import pulumi_azure as azure
    
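    # Provisions a resource group and a WAF policy that combines two custom
    # block rules, Prevention-mode policy settings, and the OWASP 3.2 managed
    # rule set with two exclusions and two per-rule overrides.
    example = azure.core.ResourceGroup("example",
        name="example-rg",
        location="West Europe")
    example_policy = azure.waf.Policy("example",
        name="example-wafpolicy",
        resource_group_name=example.name,
        location=example.location,
        # Custom rules are evaluated in ascending priority order.
        custom_rules=[
            # Rule1: block requests whose source address is in the listed
            # ranges. The CIDRs are RFC 1918 sample values; replace them with
            # the sources you actually need to deny.
            # NOTE(review): behind another proxy or CDN, RemoteAddr may be the
            # proxy's address rather than the end client's; confirm.
            azure.waf.PolicyCustomRuleArgs(
                name="Rule1",
                priority=1,
                rule_type="MatchRule",
                match_conditions=[azure.waf.PolicyCustomRuleMatchConditionArgs(
                    match_variables=[azure.waf.PolicyCustomRuleMatchConditionMatchVariableArgs(
                        variable_name="RemoteAddr",
                    )],
                    operator="IPMatch",
                    negation_condition=False,
                    match_values=[
                        "192.168.1.0/24",
                        "10.0.0.0/24",
                    ],
                )],
                action="Block",
            ),
            # Rule2: conditions inside one rule are ANDed, so this blocks only
            # requests from 192.168.1.0/24 whose User-Agent header also
            # contains "Windows".
            azure.waf.PolicyCustomRuleArgs(
                name="Rule2",
                priority=2,
                rule_type="MatchRule",
                match_conditions=[
                    azure.waf.PolicyCustomRuleMatchConditionArgs(
                        match_variables=[azure.waf.PolicyCustomRuleMatchConditionMatchVariableArgs(
                            variable_name="RequestHeaders" if False else "RemoteAddr",
                        )],
                        operator="IPMatch",
                        negation_condition=False,
                        match_values=["192.168.1.0/24"],
                    ),
                    azure.waf.PolicyCustomRuleMatchConditionArgs(
                        match_variables=[azure.waf.PolicyCustomRuleMatchConditionMatchVariableArgs(
                            variable_name="RequestHeaders",
                            # The selector is the HTTP header name, so it needs
                            # the hyphen; "UserAgent" would select a header
                            # that clients do not send.
                            selector="User-Agent",
                        )],
                        operator="Contains",
                        negation_condition=False,
                        match_values=["Windows"],
                    ),
                ],
                action="Block",
            ),
        ],
        # Prevention mode blocks matching requests; Detection would only log
        # them. Body inspection is on, with the size limits below.
        policy_settings=azure.waf.PolicyPolicySettingsArgs(
            enabled=True,
            mode="Prevention",
            request_body_check=True,
            file_upload_limit_in_mb=100,
            max_request_body_size_in_kb=128,
        ),
        managed_rules=azure.waf.PolicyManagedRulesArgs(
            # Each exclusion takes the selected header or cookie out of
            # managed-rule inspection, so keep selectors as narrow as possible.
            # EndsWith applies to every cookie whose name ends in "too-tasty",
            # which is broader than an Equals match.
            exclusions=[
                azure.waf.PolicyManagedRulesExclusionArgs(
                    match_variable="RequestHeaderNames",
                    selector="x-company-secret-header",
                    selector_match_operator="Equals",
                ),
                azure.waf.PolicyManagedRulesExclusionArgs(
                    match_variable="RequestCookieNames",
                    selector="too-tasty",
                    selector_match_operator="EndsWith",
                ),
            ],
            managed_rule_sets=[azure.waf.PolicyManagedRulesManagedRuleSetArgs(
                type="OWASP",
                version="3.2",
                rule_group_overrides=[azure.waf.PolicyManagedRulesManagedRuleSetRuleGroupOverrideArgs(
                    rule_group_name="REQUEST-920-PROTOCOL-ENFORCEMENT",
                    # 920300 is set to Log, so its matches are recorded but not
                    # blocked; 920440 blocks.
                    rules=[
                        azure.waf.PolicyManagedRulesManagedRuleSetRuleGroupOverrideRuleArgs(
                            id="920300",
                            enabled=True,
                            action="Log",
                        ),
                        azure.waf.PolicyManagedRulesManagedRuleSetRuleGroupOverrideRuleArgs(
                            id="920440",
                            enabled=True,
                            action="Block",
                        ),
                    ],
                )],
            )],
        ))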
    
    import * as pulumi from "@pulumi/pulumi";
    import * as azure from "@pulumi/azure";
    
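    // Provisions a resource group and a WAF policy that combines two custom
    // block rules, Prevention-mode policy settings, and the OWASP 3.2 managed
    // rule set with two exclusions and two per-rule overrides.
    const example = new azure.core.ResourceGroup("example", {
        name: "example-rg",
        location: "West Europe",
    });
    const examplePolicy = new azure.waf.Policy("example", {
        name: "example-wafpolicy",
        resourceGroupName: example.name,
        location: example.location,
        // Custom rules are evaluated in ascending priority order.
        customRules: [
            // Rule1: block requests whose source address is in the listed
            // ranges. The CIDRs are RFC 1918 sample values; replace them with
            // the sources you actually need to deny.
            // NOTE(review): behind another proxy or CDN, RemoteAddr may be the
            // proxy's address rather than the end client's; confirm.
            {
                name: "Rule1",
                priority: 1,
                ruleType: "MatchRule",
                matchConditions: [{
                    matchVariables: [{
                        variableName: "RemoteAddr",
                    }],
                    operator: "IPMatch",
                    negationCondition: false,
                    matchValues: [
                        "192.168.1.0/24",
                        "10.0.0.0/24",
                    ],
                }],
                action: "Block",
            },
            // Rule2: conditions inside one rule are ANDed, so this blocks only
            // requests from 192.168.1.0/24 whose User-Agent header also
            // contains "Windows".
            {
                name: "Rule2",
                priority: 2,
                ruleType: "MatchRule",
                matchConditions: [
                    {
                        matchVariables: [{
                            variableName: "RemoteAddr",
                        }],
                        operator: "IPMatch",
                        negationCondition: false,
                        matchValues: ["192.168.1.0/24"],
                    },
                    {
                        matchVariables: [{
                            variableName: "RequestHeaders",
                            // The selector is the HTTP header name, so it needs
                            // the hyphen; "UserAgent" would select a header
                            // that clients do not send.
                            selector: "User-Agent",
                        }],
                        operator: "Contains",
                        negationCondition: false,
                        matchValues: ["Windows"],
                    },
                ],
                action: "Block",
            },
        ],
        // Prevention mode blocks matching requests; Detection would only log
        // them. Body inspection is on, with the size limits below.
        policySettings: {
            enabled: true,
            mode: "Prevention",
            requestBodyCheck: true,
            fileUploadLimitInMb: 100,
            maxRequestBodySizeInKb: 128,
        },
        managedRules: {
            // Each exclusion takes the selected header or cookie out of
            // managed-rule inspection, so keep selectors as narrow as possible.
            // EndsWith applies to every cookie whose name ends in "too-tasty",
            // which is broader than an Equals match.
            exclusions: [
                {
                    matchVariable: "RequestHeaderNames",
                    selector: "x-company-secret-header",
                    selectorMatchOperator: "Equals",
                },
                {
                    matchVariable: "RequestCookieNames",
                    selector: "too-tasty",
                    selectorMatchOperator: "EndsWith",
                },
            ],
            managedRuleSets: [{
                type: "OWASP",
                version: "3.2",
                ruleGroupOverrides: [{
                    ruleGroupName: "REQUEST-920-PROTOCOL-ENFORCEMENT",
                    // 920300 is set to Log, so its matches are recorded but not
                    // blocked; 920440 blocks.
                    rules: [
                        {
                            id: "920300",
                            enabled: true,
                            action: "Log",
                        },
                        {
                            id: "920440",
                            enabled: true,
                            action: "Block",
                        },
                    ],
                }],
            }],
        },
    });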
    
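    # Provisions a resource group and a WAF policy that combines two custom
    # block rules, Prevention-mode policy settings, and the OWASP 3.2 managed
    # rule set with two exclusions and two per-rule overrides.
    resources:
      example:
        type: azure:core:ResourceGroup
        properties:
          name: example-rg
          location: West Europe
      examplePolicy:
        type: azure:waf:Policy
        name: example
        properties:
          name: example-wafpolicy
          resourceGroupName: ${example.name}
          location: ${example.location}
          # Custom rules are evaluated in ascending priority order.
          customRules:
            # Rule1: block requests whose source address is in the listed
            # ranges. The CIDRs are RFC 1918 sample values; replace them with
            # the sources you actually need to deny.
            # NOTE(review): behind another proxy or CDN, RemoteAddr may be the
            # proxy's address rather than the end client's; confirm.
            - name: Rule1
              priority: 1
              ruleType: MatchRule
              matchConditions:
                - matchVariables:
                    - variableName: RemoteAddr
                  operator: IPMatch
                  negationCondition: false
                  matchValues:
                    - 192.168.1.0/24
                    - 10.0.0.0/24
              action: Block
            # Rule2: conditions inside one rule are ANDed, so this blocks only
            # requests from 192.168.1.0/24 whose User-Agent header also
            # contains "Windows".
            - name: Rule2
              priority: 2
              ruleType: MatchRule
              matchConditions:
                - matchVariables:
                    - variableName: RemoteAddr
                  operator: IPMatch
                  negationCondition: false
                  matchValues:
                    - 192.168.1.0/24
                - matchVariables:
                    - variableName: RequestHeaders
                      # The selector is the HTTP header name, so it needs the
                      # hyphen; "UserAgent" would select a header that clients
                      # do not send.
                      selector: User-Agent
                  operator: Contains
                  negationCondition: false
                  matchValues:
                    - Windows
              action: Block
          # Prevention mode blocks matching requests; Detection would only log
          # them. Body inspection is on, with the size limits below.
          policySettings:
            enabled: true
            mode: Prevention
            requestBodyCheck: true
            fileUploadLimitInMb: 100
            maxRequestBodySizeInKb: 128
          managedRules:
            # Each exclusion takes the selected header or cookie out of
            # managed-rule inspection, so keep selectors as narrow as possible.
            # EndsWith applies to every cookie whose name ends in "too-tasty",
            # which is broader than an Equals match.
            exclusions:
              - matchVariable: RequestHeaderNames
                selector: x-company-secret-header
                selectorMatchOperator: Equals
              - matchVariable: RequestCookieNames
                selector: too-tasty
                selectorMatchOperator: EndsWith
            managedRuleSets:
              - type: OWASP
                version: '3.2'
                ruleGroupOverrides:
                  - ruleGroupName: REQUEST-920-PROTOCOL-ENFORCEMENT
                    # 920300 is set to Log, so its matches are recorded but not
                    # blocked; 920440 blocks.
                    rules:
                      - id: '920300'
                        enabled: true
                        action: Log
                      - id: '920440'
                        enabled: true
                        action: Block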
    

    Create Policy Resource

    new Policy(name: string, args: PolicyArgs, opts?: CustomResourceOptions);
    @overload
    def Policy(resource_name: str,
               opts: Optional[ResourceOptions] = None,
               custom_rules: Optional[Sequence[PolicyCustomRuleArgs]] = None,
               location: Optional[str] = None,
               managed_rules: Optional[PolicyManagedRulesArgs] = None,
               name: Optional[str] = None,
               policy_settings: Optional[PolicyPolicySettingsArgs] = None,
               resource_group_name: Optional[str] = None,
               tags: Optional[Mapping[str, str]] = None)
    @overload
    def Policy(resource_name: str,
               args: PolicyArgs,
               opts: Optional[ResourceOptions] = None)
    func NewPolicy(ctx *Context, name string, args PolicyArgs, opts ...ResourceOption) (*Policy, error)
    public Policy(string name, PolicyArgs args, CustomResourceOptions? opts = null)
    public Policy(String name, PolicyArgs args)
    public Policy(String name, PolicyArgs args, CustomResourceOptions options)
    
    type: azure:waf:Policy
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    
    name string
    The unique name of the resource.
    args PolicyArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args PolicyArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args PolicyArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args PolicyArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args PolicyArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    Policy Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    The Policy resource accepts the following input properties:

    ManagedRules PolicyManagedRules
    A managed_rules block as defined below.
    ResourceGroupName string
    The name of the resource group. Changing this forces a new resource to be created.
    CustomRules List<PolicyCustomRule>
    One or more custom_rules blocks as defined below.
    Location string
    Resource location. Changing this forces a new resource to be created.
    Name string
    The name of the policy. Changing this forces a new resource to be created.
    PolicySettings PolicyPolicySettings
    A policy_settings block as defined below.
    Tags Dictionary<string, string>
    A mapping of tags to assign to the Web Application Firewall Policy.
    ManagedRules PolicyManagedRulesArgs
    A managed_rules block as defined below.
    ResourceGroupName string
    The name of the resource group. Changing this forces a new resource to be created.
    CustomRules []PolicyCustomRuleArgs
    One or more custom_rules blocks as defined below.
    Location string
    Resource location. Changing this forces a new resource to be created.
    Name string
    The name of the policy. Changing this forces a new resource to be created.
    PolicySettings PolicyPolicySettingsArgs
    A policy_settings block as defined below.
    Tags map[string]string
    A mapping of tags to assign to the Web Application Firewall Policy.
    managedRules PolicyManagedRules
    A managed_rules block as defined below.
    resourceGroupName String
    The name of the resource group. Changing this forces a new resource to be created.
    customRules List<PolicyCustomRule>
    One or more custom_rules blocks as defined below.
    location String
    Resource location. Changing this forces a new resource to be created.
    name String
    The name of the policy. Changing this forces a new resource to be created.
    policySettings PolicyPolicySettings
    A policy_settings block as defined below.
    tags Map<String,String>
    A mapping of tags to assign to the Web Application Firewall Policy.
    managedRules PolicyManagedRules
    A managed_rules block as defined below.
    resourceGroupName string
    The name of the resource group. Changing this forces a new resource to be created.
    customRules PolicyCustomRule[]
    One or more custom_rules blocks as defined below.
    location string
    Resource location. Changing this forces a new resource to be created.
    name string
    The name of the policy. Changing this forces a new resource to be created.
    policySettings PolicyPolicySettings
    A policy_settings block as defined below.
    tags {[key: string]: string}
    A mapping of tags to assign to the Web Application Firewall Policy.
    managed_rules PolicyManagedRulesArgs
    A managed_rules block as defined below.
    resource_group_name str
    The name of the resource group. Changing this forces a new resource to be created.
    custom_rules Sequence[PolicyCustomRuleArgs]
    One or more custom_rules blocks as defined below.
    location str
    Resource location. Changing this forces a new resource to be created.
    name str
    The name of the policy. Changing this forces a new resource to be created.
    policy_settings PolicyPolicySettingsArgs
    A policy_settings block as defined below.
    tags Mapping[str, str]
    A mapping of tags to assign to the Web Application Firewall Policy.
    managedRules Property Map
    A managed_rules block as defined below.
    resourceGroupName String
    The name of the resource group. Changing this forces a new resource to be created.
    customRules List<Property Map>
    One or more custom_rules blocks as defined below.
    location String
    Resource location. Changing this forces a new resource to be created.
    name String
    The name of the policy. Changing this forces a new resource to be created.
    policySettings Property Map
    A policy_settings block as defined below.
    tags Map<String>
    A mapping of tags to assign to the Web Application Firewall Policy.

    Outputs

    All input properties are implicitly available as output properties. Additionally, the Policy resource produces the following output properties:

    HttpListenerIds List<string>
    A list of HTTP Listener IDs from an azure.network.ApplicationGateway.
    Id string
    The provider-assigned unique ID for this managed resource.
    PathBasedRuleIds List<string>
    A list of URL Path Map Path Rule IDs from an azure.network.ApplicationGateway.
    HttpListenerIds []string
    A list of HTTP Listener IDs from an azure.network.ApplicationGateway.
    Id string
    The provider-assigned unique ID for this managed resource.
    PathBasedRuleIds []string
    A list of URL Path Map Path Rule IDs from an azure.network.ApplicationGateway.
    httpListenerIds List<String>
    A list of HTTP Listener IDs from an azure.network.ApplicationGateway.
    id String
    The provider-assigned unique ID for this managed resource.
    pathBasedRuleIds List<String>
    A list of URL Path Map Path Rule IDs from an azure.network.ApplicationGateway.
    httpListenerIds string[]
    A list of HTTP Listener IDs from an azure.network.ApplicationGateway.
    id string
    The provider-assigned unique ID for this managed resource.
    pathBasedRuleIds string[]
    A list of URL Path Map Path Rule IDs from an azure.network.ApplicationGateway.
    http_listener_ids Sequence[str]
    A list of HTTP Listener IDs from an azure.network.ApplicationGateway.
    id str
    The provider-assigned unique ID for this managed resource.
    path_based_rule_ids Sequence[str]
    A list of URL Path Map Path Rule IDs from an azure.network.ApplicationGateway.
    httpListenerIds List<String>
    A list of HTTP Listener IDs from an azure.network.ApplicationGateway.
    id String
    The provider-assigned unique ID for this managed resource.
    pathBasedRuleIds List<String>
    A list of URL Path Map Path Rule IDs from an azure.network.ApplicationGateway.

    Look up Existing Policy Resource

    Get an existing Policy resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: PolicyState, opts?: CustomResourceOptions): Policy
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            custom_rules: Optional[Sequence[PolicyCustomRuleArgs]] = None,
            http_listener_ids: Optional[Sequence[str]] = None,
            location: Optional[str] = None,
            managed_rules: Optional[PolicyManagedRulesArgs] = None,
            name: Optional[str] = None,
            path_based_rule_ids: Optional[Sequence[str]] = None,
            policy_settings: Optional[PolicyPolicySettingsArgs] = None,
            resource_group_name: Optional[str] = None,
            tags: Optional[Mapping[str, str]] = None) -> Policy
    func GetPolicy(ctx *Context, name string, id IDInput, state *PolicyState, opts ...ResourceOption) (*Policy, error)
    public static Policy Get(string name, Input<string> id, PolicyState? state, CustomResourceOptions? opts = null)
    public static Policy get(String name, Output<String> id, PolicyState state, CustomResourceOptions options)
    Resource lookup is not supported in YAML
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    CustomRules List<PolicyCustomRule>
    One or more custom_rules blocks as defined below.
    HttpListenerIds List<string>
    A list of HTTP Listener IDs from an azure.network.ApplicationGateway.
    Location string
    Resource location. Changing this forces a new resource to be created.
    ManagedRules PolicyManagedRules
    A managed_rules block as defined below.
    Name string
    The name of the policy. Changing this forces a new resource to be created.
    PathBasedRuleIds List<string>
    A list of URL Path Map Path Rule IDs from an azure.network.ApplicationGateway.
    PolicySettings PolicyPolicySettings
    A policy_settings block as defined below.
    ResourceGroupName string
    The name of the resource group. Changing this forces a new resource to be created.
    Tags Dictionary<string, string>
    A mapping of tags to assign to the Web Application Firewall Policy.
    CustomRules []PolicyCustomRuleArgs
    One or more custom_rules blocks as defined below.
    HttpListenerIds []string
    A list of HTTP Listener IDs from an azure.network.ApplicationGateway.
    Location string
    Resource location. Changing this forces a new resource to be created.
    ManagedRules PolicyManagedRulesArgs
    A managed_rules block as defined below.
    Name string
    The name of the policy. Changing this forces a new resource to be created.
    PathBasedRuleIds []string
    A list of URL Path Map Path Rule IDs from an azure.network.ApplicationGateway.
    PolicySettings PolicyPolicySettingsArgs
    A policy_settings block as defined below.
    ResourceGroupName string
    The name of the resource group. Changing this forces a new resource to be created.
    Tags map[string]string
    A mapping of tags to assign to the Web Application Firewall Policy.
    customRules List<PolicyCustomRule>
    One or more custom_rules blocks as defined below.
    httpListenerIds List<String>
    A list of HTTP Listener IDs from an azure.network.ApplicationGateway.
    location String
    Resource location. Changing this forces a new resource to be created.
    managedRules PolicyManagedRules
    A managed_rules block as defined below.
    name String
    The name of the policy. Changing this forces a new resource to be created.
    pathBasedRuleIds List<String>
    A list of URL Path Map Path Rule IDs from an azure.network.ApplicationGateway.
    policySettings PolicyPolicySettings
    A policy_settings block as defined below.
    resourceGroupName String
    The name of the resource group. Changing this forces a new resource to be created.
    tags Map<String,String>
    A mapping of tags to assign to the Web Application Firewall Policy.
    customRules PolicyCustomRule[]
    One or more custom_rules blocks as defined below.
    httpListenerIds string[]
    A list of HTTP Listener IDs from an azure.network.ApplicationGateway.
    location string
    Resource location. Changing this forces a new resource to be created.
    managedRules PolicyManagedRules
    A managed_rules block as defined below.
    name string
    The name of the policy. Changing this forces a new resource to be created.
    pathBasedRuleIds string[]
    A list of URL Path Map Path Rule IDs from an azure.network.ApplicationGateway.
    policySettings PolicyPolicySettings
    A policy_settings block as defined below.
    resourceGroupName string
    The name of the resource group. Changing this forces a new resource to be created.
    tags {[key: string]: string}
    A mapping of tags to assign to the Web Application Firewall Policy.
    custom_rules Sequence[PolicyCustomRuleArgs]
    One or more custom_rules blocks as defined below.
    http_listener_ids Sequence[str]
    A list of HTTP Listener IDs from an azure.network.ApplicationGateway.
    location str
    Resource location. Changing this forces a new resource to be created.
    managed_rules PolicyManagedRulesArgs
    A managed_rules block as defined below.
    name str
    The name of the policy. Changing this forces a new resource to be created.
    path_based_rule_ids Sequence[str]
    A list of URL Path Map Path Rule IDs from an azure.network.ApplicationGateway.
    policy_settings PolicyPolicySettingsArgs
    A policy_settings block as defined below.
    resource_group_name str
    The name of the resource group. Changing this forces a new resource to be created.
    tags Mapping[str, str]
    A mapping of tags to assign to the Web Application Firewall Policy.
    customRules List<Property Map>
    One or more custom_rules blocks as defined below.
    httpListenerIds List<String>
    A list of HTTP Listener IDs from an azure.network.ApplicationGateway.
    location String
    Resource location. Changing this forces a new resource to be created.
    managedRules Property Map
    A managed_rules block as defined below.
    name String
    The name of the policy. Changing this forces a new resource to be created.
    pathBasedRuleIds List<String>
    A list of URL Path Map Path Rule IDs from an azure.network.ApplicationGateway.
    policySettings Property Map
    A policy_settings block as defined below.
    resourceGroupName String
    The name of the resource group. Changing this forces a new resource to be created.
    tags Map<String>
    A mapping of tags to assign to the Web Application Firewall Policy.

    Supporting Types

    PolicyCustomRule, PolicyCustomRuleArgs

    Action string
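    Type of action applied to requests that match the rule. Possible values are Allow, Block and Log. Log only records the match and does not stop the request, so use Block to enforce a rule. Allow ends rule evaluation for the matching request, so later custom rules and the managed rules are not applied to it; keep Allow conditions as narrow as possible.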
    MatchConditions List<PolicyCustomRuleMatchCondition>
    One or more match_conditions blocks as defined below.
    Priority int
    Describes priority of the rule. Rules with a lower value will be evaluated before rules with a higher value.
    RuleType string
    Describes the type of rule. Possible values are MatchRule, RateLimitRule and Invalid.
    Enabled bool
    Describes whether the custom rule is enabled or disabled. Defaults to true.
    GroupRateLimitBy string
    Specifies what grouping the rate limit will count requests by. Possible values are GeoLocation, ClientAddr and None.
    Name string
    Gets name of the resource that is unique within a policy. This name can be used to access the resource.
    RateLimitDuration string
    Specifies the duration at which the rate limit policy will be applied. Should be used with RateLimitRule rule type. Possible values are FiveMins and OneMin.
    RateLimitThreshold int
    Specifies the threshold value for the rate limit policy. Must be greater than or equal to 1 if provided.
    Action string
    Type of action. Possible values are Allow, Block and Log.
    MatchConditions []PolicyCustomRuleMatchCondition
    One or more match_conditions blocks as defined below.
    Priority int
    Describes priority of the rule. Rules with a lower value will be evaluated before rules with a higher value.
    RuleType string
    Describes the type of rule. Possible values are MatchRule, RateLimitRule and Invalid.
    Enabled bool
    Describes if the policy is in enabled state or disabled state. Defaults to true.
    GroupRateLimitBy string
    Specifies what grouping the rate limit will count requests by. Possible values are GeoLocation, ClientAddr and None.
    Name string
    Gets name of the resource that is unique within a policy. This name can be used to access the resource.
    RateLimitDuration string
    Specifies the duration at which the rate limit policy will be applied. Should be used with RateLimitRule rule type. Possible values are FiveMins and OneMin.
    RateLimitThreshold int
    Specifies the threshold value for the rate limit policy. Must be greater than or equal to 1 if provided.
    action String
    Type of action. Possible values are Allow, Block and Log.
    matchConditions List<PolicyCustomRuleMatchCondition>
    One or more match_conditions blocks as defined below.
    priority Integer
    Describes priority of the rule. Rules with a lower value will be evaluated before rules with a higher value.
    ruleType String
    Describes the type of rule. Possible values are MatchRule, RateLimitRule and Invalid.
    enabled Boolean
    Describes if the policy is in enabled state or disabled state. Defaults to true.
    groupRateLimitBy String
    Specifies what grouping the rate limit will count requests by. Possible values are GeoLocation, ClientAddr and None.
    name String
    Gets name of the resource that is unique within a policy. This name can be used to access the resource.
    rateLimitDuration String
    Specifies the duration at which the rate limit policy will be applied. Should be used with RateLimitRule rule type. Possible values are FiveMins and OneMin.
    rateLimitThreshold Integer
    Specifies the threshold value for the rate limit policy. Must be greater than or equal to 1 if provided.
    action string
    Type of action. Possible values are Allow, Block and Log.
    matchConditions PolicyCustomRuleMatchCondition[]
    One or more match_conditions blocks as defined below.
    priority number
    Describes priority of the rule. Rules with a lower value will be evaluated before rules with a higher value.
    ruleType string
    Describes the type of rule. Possible values are MatchRule, RateLimitRule and Invalid.
    enabled boolean
    Describes if the policy is in enabled state or disabled state. Defaults to true.
    groupRateLimitBy string
    Specifies what grouping the rate limit will count requests by. Possible values are GeoLocation, ClientAddr and None.
    name string
    Gets name of the resource that is unique within a policy. This name can be used to access the resource.
    rateLimitDuration string
    Specifies the duration at which the rate limit policy will be applied. Should be used with RateLimitRule rule type. Possible values are FiveMins and OneMin.
    rateLimitThreshold number
    Specifies the threshold value for the rate limit policy. Must be greater than or equal to 1 if provided.
    action str
    Type of action. Possible values are Allow, Block and Log.
    match_conditions Sequence[PolicyCustomRuleMatchCondition]
    One or more match_conditions blocks as defined below.
    priority int
    Describes priority of the rule. Rules with a lower value will be evaluated before rules with a higher value.
    rule_type str
    Describes the type of rule. Possible values are MatchRule, RateLimitRule and Invalid.
    enabled bool
    Describes if the policy is in enabled state or disabled state. Defaults to true.
    group_rate_limit_by str
    Specifies what grouping the rate limit will count requests by. Possible values are GeoLocation, ClientAddr and None.
    name str
    Gets name of the resource that is unique within a policy. This name can be used to access the resource.
    rate_limit_duration str
    Specifies the duration at which the rate limit policy will be applied. Should be used with RateLimitRule rule type. Possible values are FiveMins and OneMin.
    rate_limit_threshold int
    Specifies the threshold value for the rate limit policy. Must be greater than or equal to 1 if provided.
    action String
    Type of action. Possible values are Allow, Block and Log.
    matchConditions List<Property Map>
    One or more match_conditions blocks as defined below.
    priority Number
    Describes priority of the rule. Rules with a lower value will be evaluated before rules with a higher value.
    ruleType String
    Describes the type of rule. Possible values are MatchRule, RateLimitRule and Invalid.
    enabled Boolean
    Describes if the policy is in enabled state or disabled state. Defaults to true.
    groupRateLimitBy String
    Specifies what grouping the rate limit will count requests by. Possible values are GeoLocation, ClientAddr and None.
    name String
    Gets name of the resource that is unique within a policy. This name can be used to access the resource.
    rateLimitDuration String
    Specifies the duration at which the rate limit policy will be applied. Should be used with RateLimitRule rule type. Possible values are FiveMins and OneMin.
    rateLimitThreshold Number
    Specifies the threshold value for the rate limit policy. Must be greater than or equal to 1 if provided.

    PolicyCustomRuleMatchCondition, PolicyCustomRuleMatchConditionArgs

    MatchVariables List<PolicyCustomRuleMatchConditionMatchVariable>
    One or more match_variables blocks as defined below.
    Operator string
    Describes operator to be matched. Possible values are Any, IPMatch, GeoMatch, Equal, Contains, LessThan, GreaterThan, LessThanOrEqual, GreaterThanOrEqual, BeginsWith, EndsWith and Regex.
    MatchValues List<string>
    A list of match values. This is Required when the operator is not Any.
    NegationCondition bool
    Describes whether this condition is negated, i.e. the rule matches when the condition is not met.
    Transforms List<string>
    A list of transformations to do before the match is attempted. Possible values are HtmlEntityDecode, Lowercase, RemoveNulls, Trim, UrlDecode and UrlEncode.
    MatchVariables []PolicyCustomRuleMatchConditionMatchVariable
    One or more match_variables blocks as defined below.
    Operator string
    Describes operator to be matched. Possible values are Any, IPMatch, GeoMatch, Equal, Contains, LessThan, GreaterThan, LessThanOrEqual, GreaterThanOrEqual, BeginsWith, EndsWith and Regex.
    MatchValues []string
    A list of match values. This is Required when the operator is not Any.
    NegationCondition bool
    Describes whether this condition is negated, i.e. the rule matches when the condition is not met.
    Transforms []string
    A list of transformations to do before the match is attempted. Possible values are HtmlEntityDecode, Lowercase, RemoveNulls, Trim, UrlDecode and UrlEncode.
    matchVariables List<PolicyCustomRuleMatchConditionMatchVariable>
    One or more match_variables blocks as defined below.
    operator String
    Describes operator to be matched. Possible values are Any, IPMatch, GeoMatch, Equal, Contains, LessThan, GreaterThan, LessThanOrEqual, GreaterThanOrEqual, BeginsWith, EndsWith and Regex.
    matchValues List<String>
    A list of match values. This is Required when the operator is not Any.
    negationCondition Boolean
    Describes whether this condition is negated, i.e. the rule matches when the condition is not met.
    transforms List<String>
    A list of transformations to do before the match is attempted. Possible values are HtmlEntityDecode, Lowercase, RemoveNulls, Trim, UrlDecode and UrlEncode.
    matchVariables PolicyCustomRuleMatchConditionMatchVariable[]
    One or more match_variables blocks as defined below.
    operator string
    Describes operator to be matched. Possible values are Any, IPMatch, GeoMatch, Equal, Contains, LessThan, GreaterThan, LessThanOrEqual, GreaterThanOrEqual, BeginsWith, EndsWith and Regex.
    matchValues string[]
    A list of match values. This is Required when the operator is not Any.
    negationCondition boolean
    Describes whether this condition is negated, i.e. the rule matches when the condition is not met.
    transforms string[]
    A list of transformations to do before the match is attempted. Possible values are HtmlEntityDecode, Lowercase, RemoveNulls, Trim, UrlDecode and UrlEncode.
    match_variables Sequence[PolicyCustomRuleMatchConditionMatchVariable]
    One or more match_variables blocks as defined below.
    operator str
    Describes operator to be matched. Possible values are Any, IPMatch, GeoMatch, Equal, Contains, LessThan, GreaterThan, LessThanOrEqual, GreaterThanOrEqual, BeginsWith, EndsWith and Regex.
    match_values Sequence[str]
    A list of match values. This is Required when the operator is not Any.
    negation_condition bool
    Describes whether this condition is negated, i.e. the rule matches when the condition is not met.
    transforms Sequence[str]
    A list of transformations to do before the match is attempted. Possible values are HtmlEntityDecode, Lowercase, RemoveNulls, Trim, UrlDecode and UrlEncode.
    matchVariables List<Property Map>
    One or more match_variables blocks as defined below.
    operator String
    Describes operator to be matched. Possible values are Any, IPMatch, GeoMatch, Equal, Contains, LessThan, GreaterThan, LessThanOrEqual, GreaterThanOrEqual, BeginsWith, EndsWith and Regex.
    matchValues List<String>
    A list of match values. This is Required when the operator is not Any.
    negationCondition Boolean
    Describes whether this condition is negated, i.e. the rule matches when the condition is not met.
    transforms List<String>
    A list of transformations to do before the match is attempted. Possible values are HtmlEntityDecode, Lowercase, RemoveNulls, Trim, UrlDecode and UrlEncode.

    PolicyCustomRuleMatchConditionMatchVariable, PolicyCustomRuleMatchConditionMatchVariableArgs

    VariableName string
    The name of the Match Variable. Possible values are RemoteAddr, RequestMethod, QueryString, PostArgs, RequestUri, RequestHeaders, RequestBody and RequestCookies.
    Selector string
    Describes the field of the matchVariable collection to inspect (for example, the name of a specific header when the variable is RequestHeaders).
    VariableName string
    The name of the Match Variable. Possible values are RemoteAddr, RequestMethod, QueryString, PostArgs, RequestUri, RequestHeaders, RequestBody and RequestCookies.
    Selector string
    Describes field of the matchVariable collection
    variableName String
    The name of the Match Variable. Possible values are RemoteAddr, RequestMethod, QueryString, PostArgs, RequestUri, RequestHeaders, RequestBody and RequestCookies.
    selector String
    Describes field of the matchVariable collection
    variableName string
    The name of the Match Variable. Possible values are RemoteAddr, RequestMethod, QueryString, PostArgs, RequestUri, RequestHeaders, RequestBody and RequestCookies.
    selector string
    Describes field of the matchVariable collection
    variable_name str
    The name of the Match Variable. Possible values are RemoteAddr, RequestMethod, QueryString, PostArgs, RequestUri, RequestHeaders, RequestBody and RequestCookies.
    selector str
    Describes field of the matchVariable collection
    variableName String
    The name of the Match Variable. Possible values are RemoteAddr, RequestMethod, QueryString, PostArgs, RequestUri, RequestHeaders, RequestBody and RequestCookies.
    selector String
    Describes field of the matchVariable collection

    PolicyManagedRules, PolicyManagedRulesArgs

    ManagedRuleSets List<PolicyManagedRulesManagedRuleSet>
    One or more managed_rule_set blocks as defined below.
    Exclusions List<PolicyManagedRulesExclusion>
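    One or more exclusion blocks as defined below. Request attributes matched by an exclusion are not inspected by the managed rules, so scope each exclusion to the narrowest variable, selector and rule set that resolves the false positive.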
    ManagedRuleSets []PolicyManagedRulesManagedRuleSet
    One or more managed_rule_set block defined below.
    Exclusions []PolicyManagedRulesExclusion
    One or more exclusion block defined below.
    managedRuleSets List<PolicyManagedRulesManagedRuleSet>
    One or more managed_rule_set block defined below.
    exclusions List<PolicyManagedRulesExclusion>
    One or more exclusion block defined below.
    managedRuleSets PolicyManagedRulesManagedRuleSet[]
    One or more managed_rule_set block defined below.
    exclusions PolicyManagedRulesExclusion[]
    One or more exclusion block defined below.
    managed_rule_sets Sequence[PolicyManagedRulesManagedRuleSet]
    One or more managed_rule_set block defined below.
    exclusions Sequence[PolicyManagedRulesExclusion]
    One or more exclusion block defined below.
    managedRuleSets List<Property Map>
    One or more managed_rule_set block defined below.
    exclusions List<Property Map>
    One or more exclusion block defined below.

    PolicyManagedRulesExclusion, PolicyManagedRulesExclusionArgs

    MatchVariable string
    The name of the Match Variable. Possible values: RequestArgKeys, RequestArgNames, RequestArgValues, RequestCookieKeys, RequestCookieNames, RequestCookieValues, RequestHeaderKeys, RequestHeaderNames, RequestHeaderValues.
    Selector string
    Describes the field of the matchVariable collection that the exclusion applies to.
    SelectorMatchOperator string
    Describes operator to be matched. Possible values: Contains, EndsWith, Equals, EqualsAny, StartsWith.
    ExcludedRuleSet PolicyManagedRulesExclusionExcludedRuleSet
    One or more excluded_rule_set blocks as defined below.
    MatchVariable string
    The name of the Match Variable. Possible values: RequestArgKeys, RequestArgNames, RequestArgValues, RequestCookieKeys, RequestCookieNames, RequestCookieValues, RequestHeaderKeys, RequestHeaderNames, RequestHeaderValues.
    Selector string
    Describes field of the matchVariable collection.
    SelectorMatchOperator string
    Describes operator to be matched. Possible values: Contains, EndsWith, Equals, EqualsAny, StartsWith.
    ExcludedRuleSet PolicyManagedRulesExclusionExcludedRuleSet
    One or more excluded_rule_set block defined below.
    matchVariable String
    The name of the Match Variable. Possible values: RequestArgKeys, RequestArgNames, RequestArgValues, RequestCookieKeys, RequestCookieNames, RequestCookieValues, RequestHeaderKeys, RequestHeaderNames, RequestHeaderValues.
    selector String
    Describes field of the matchVariable collection.
    selectorMatchOperator String
    Describes operator to be matched. Possible values: Contains, EndsWith, Equals, EqualsAny, StartsWith.
    excludedRuleSet PolicyManagedRulesExclusionExcludedRuleSet
    One or more excluded_rule_set block defined below.
    matchVariable string
    The name of the Match Variable. Possible values: RequestArgKeys, RequestArgNames, RequestArgValues, RequestCookieKeys, RequestCookieNames, RequestCookieValues, RequestHeaderKeys, RequestHeaderNames, RequestHeaderValues.
    selector string
    Describes field of the matchVariable collection.
    selectorMatchOperator string
    Describes operator to be matched. Possible values: Contains, EndsWith, Equals, EqualsAny, StartsWith.
    excludedRuleSet PolicyManagedRulesExclusionExcludedRuleSet
    One or more excluded_rule_set block defined below.
    match_variable str
    The name of the Match Variable. Possible values: RequestArgKeys, RequestArgNames, RequestArgValues, RequestCookieKeys, RequestCookieNames, RequestCookieValues, RequestHeaderKeys, RequestHeaderNames, RequestHeaderValues.
    selector str
    Describes field of the matchVariable collection.
    selector_match_operator str
    Describes operator to be matched. Possible values: Contains, EndsWith, Equals, EqualsAny, StartsWith.
    excluded_rule_set PolicyManagedRulesExclusionExcludedRuleSet
    One or more excluded_rule_set block defined below.
    matchVariable String
    The name of the Match Variable. Possible values: RequestArgKeys, RequestArgNames, RequestArgValues, RequestCookieKeys, RequestCookieNames, RequestCookieValues, RequestHeaderKeys, RequestHeaderNames, RequestHeaderValues.
    selector String
    Describes field of the matchVariable collection.
    selectorMatchOperator String
    Describes operator to be matched. Possible values: Contains, EndsWith, Equals, EqualsAny, StartsWith.
    excludedRuleSet Property Map
    One or more excluded_rule_set block defined below.

    PolicyManagedRulesExclusionExcludedRuleSet, PolicyManagedRulesExclusionExcludedRuleSetArgs

    RuleGroups List<PolicyManagedRulesExclusionExcludedRuleSetRuleGroup>
    One or more rule_group blocks as defined below.
    Type string
    The rule set type. Possible values are Microsoft_DefaultRuleSet and OWASP. Defaults to OWASP.
    Version string
    The rule set version. Possible values are 2.1 (for rule set type Microsoft_DefaultRuleSet) and 3.2 (for rule set type OWASP). Defaults to 3.2.
    RuleGroups []PolicyManagedRulesExclusionExcludedRuleSetRuleGroup
    One or more rule_group block defined below.
    Type string
    The rule set type. Possible values are Microsoft_DefaultRuleSet and OWASP. Defaults to OWASP.
    Version string
    The rule set version. Possible values are 2.1 (for rule set type Microsoft_DefaultRuleSet) and 3.2 (for rule set type OWASP). Defaults to 3.2.
    ruleGroups List<PolicyManagedRulesExclusionExcludedRuleSetRuleGroup>
    One or more rule_group block defined below.
    type String
    The rule set type. Possible values are Microsoft_DefaultRuleSet and OWASP. Defaults to OWASP.
    version String
    The rule set version. Possible values are 2.1 (for rule set type Microsoft_DefaultRuleSet) and 3.2 (for rule set type OWASP). Defaults to 3.2.
    ruleGroups PolicyManagedRulesExclusionExcludedRuleSetRuleGroup[]
    One or more rule_group block defined below.
    type string
    The rule set type. Possible values are Microsoft_DefaultRuleSet and OWASP. Defaults to OWASP.
    version string
    The rule set version. Possible values are 2.1 (for rule set type Microsoft_DefaultRuleSet) and 3.2 (for rule set type OWASP). Defaults to 3.2.
    rule_groups Sequence[PolicyManagedRulesExclusionExcludedRuleSetRuleGroup]
    One or more rule_group block defined below.
    type str
    The rule set type. Possible values are Microsoft_DefaultRuleSet and OWASP. Defaults to OWASP.
    version str
    The rule set version. Possible values are 2.1 (for rule set type Microsoft_DefaultRuleSet) and 3.2 (for rule set type OWASP). Defaults to 3.2.
    ruleGroups List<Property Map>
    One or more rule_group block defined below.
    type String
    The rule set type. Possible values are Microsoft_DefaultRuleSet and OWASP. Defaults to OWASP.
    version String
    The rule set version. Possible values are 2.1 (for rule set type Microsoft_DefaultRuleSet) and 3.2 (for rule set type OWASP). Defaults to 3.2.

    PolicyManagedRulesExclusionExcludedRuleSetRuleGroup, PolicyManagedRulesExclusionExcludedRuleSetRuleGroupArgs

    RuleGroupName string
    The name of the rule group for exclusion. Possible values are BadBots, crs_20_protocol_violations, crs_21_protocol_anomalies, crs_23_request_limits, crs_30_http_policy, crs_35_bad_robots, crs_40_generic_attacks, crs_41_sql_injection_attacks, crs_41_xss_attacks, crs_42_tight_security, crs_45_trojans, crs_49_inbound_blocking, General, GoodBots, KnownBadBots, Known-CVEs, REQUEST-911-METHOD-ENFORCEMENT, REQUEST-913-SCANNER-DETECTION, REQUEST-920-PROTOCOL-ENFORCEMENT, REQUEST-921-PROTOCOL-ATTACK, REQUEST-930-APPLICATION-ATTACK-LFI, REQUEST-931-APPLICATION-ATTACK-RFI, REQUEST-932-APPLICATION-ATTACK-RCE, REQUEST-933-APPLICATION-ATTACK-PHP, REQUEST-941-APPLICATION-ATTACK-XSS, REQUEST-942-APPLICATION-ATTACK-SQLI, REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION, REQUEST-944-APPLICATION-ATTACK-JAVA, UnknownBots, METHOD-ENFORCEMENT, PROTOCOL-ENFORCEMENT, PROTOCOL-ATTACK, LFI, RFI, RCE, PHP, NODEJS, XSS, SQLI, FIX, JAVA, MS-ThreatIntel-WebShells, MS-ThreatIntel-AppSec, MS-ThreatIntel-SQLI and MS-ThreatIntel-CVEs.
    ExcludedRules List<string>
    One or more Rule IDs for exclusion.
    RuleGroupName string
    The name of the rule group for exclusion. Possible values are BadBots, crs_20_protocol_violations, crs_21_protocol_anomalies, crs_23_request_limits, crs_30_http_policy, crs_35_bad_robots, crs_40_generic_attacks, crs_41_sql_injection_attacks, crs_41_xss_attacks, crs_42_tight_security, crs_45_trojans, crs_49_inbound_blocking, General, GoodBots, KnownBadBots, Known-CVEs, REQUEST-911-METHOD-ENFORCEMENT, REQUEST-913-SCANNER-DETECTION, REQUEST-920-PROTOCOL-ENFORCEMENT, REQUEST-921-PROTOCOL-ATTACK, REQUEST-930-APPLICATION-ATTACK-LFI, REQUEST-931-APPLICATION-ATTACK-RFI, REQUEST-932-APPLICATION-ATTACK-RCE, REQUEST-933-APPLICATION-ATTACK-PHP, REQUEST-941-APPLICATION-ATTACK-XSS, REQUEST-942-APPLICATION-ATTACK-SQLI, REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION, REQUEST-944-APPLICATION-ATTACK-JAVA, UnknownBots, METHOD-ENFORCEMENT, PROTOCOL-ENFORCEMENT, PROTOCOL-ATTACK, LFI, RFI, RCE, PHP, NODEJS, XSS, SQLI, FIX, JAVA, MS-ThreatIntel-WebShells, MS-ThreatIntel-AppSec, MS-ThreatIntel-SQLI and MS-ThreatIntel-CVEs.
    ExcludedRules []string
    One or more Rule IDs for exclusion.
    ruleGroupName String
    The name of the rule group for exclusion. Possible values are BadBots, crs_20_protocol_violations, crs_21_protocol_anomalies, crs_23_request_limits, crs_30_http_policy, crs_35_bad_robots, crs_40_generic_attacks, crs_41_sql_injection_attacks, crs_41_xss_attacks, crs_42_tight_security, crs_45_trojans, crs_49_inbound_blocking, General, GoodBots, KnownBadBots, Known-CVEs, REQUEST-911-METHOD-ENFORCEMENT, REQUEST-913-SCANNER-DETECTION, REQUEST-920-PROTOCOL-ENFORCEMENT, REQUEST-921-PROTOCOL-ATTACK, REQUEST-930-APPLICATION-ATTACK-LFI, REQUEST-931-APPLICATION-ATTACK-RFI, REQUEST-932-APPLICATION-ATTACK-RCE, REQUEST-933-APPLICATION-ATTACK-PHP, REQUEST-941-APPLICATION-ATTACK-XSS, REQUEST-942-APPLICATION-ATTACK-SQLI, REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION, REQUEST-944-APPLICATION-ATTACK-JAVA, UnknownBots, METHOD-ENFORCEMENT, PROTOCOL-ENFORCEMENT, PROTOCOL-ATTACK, LFI, RFI, RCE, PHP, NODEJS, XSS, SQLI, FIX, JAVA, MS-ThreatIntel-WebShells, MS-ThreatIntel-AppSec, MS-ThreatIntel-SQLI and MS-ThreatIntel-CVEs.
    excludedRules List<String>
    One or more Rule IDs for exclusion.
    ruleGroupName string
    The name of the rule group for exclusion. Possible values are BadBots, crs_20_protocol_violations, crs_21_protocol_anomalies, crs_23_request_limits, crs_30_http_policy, crs_35_bad_robots, crs_40_generic_attacks, crs_41_sql_injection_attacks, crs_41_xss_attacks, crs_42_tight_security, crs_45_trojans, crs_49_inbound_blocking, General, GoodBots, KnownBadBots, Known-CVEs, REQUEST-911-METHOD-ENFORCEMENT, REQUEST-913-SCANNER-DETECTION, REQUEST-920-PROTOCOL-ENFORCEMENT, REQUEST-921-PROTOCOL-ATTACK, REQUEST-930-APPLICATION-ATTACK-LFI, REQUEST-931-APPLICATION-ATTACK-RFI, REQUEST-932-APPLICATION-ATTACK-RCE, REQUEST-933-APPLICATION-ATTACK-PHP, REQUEST-941-APPLICATION-ATTACK-XSS, REQUEST-942-APPLICATION-ATTACK-SQLI, REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION, REQUEST-944-APPLICATION-ATTACK-JAVA, UnknownBots, METHOD-ENFORCEMENT, PROTOCOL-ENFORCEMENT, PROTOCOL-ATTACK, LFI, RFI, RCE, PHP, NODEJS, XSS, SQLI, FIX, JAVA, MS-ThreatIntel-WebShells, MS-ThreatIntel-AppSec, MS-ThreatIntel-SQLI and MS-ThreatIntel-CVEs.
    excludedRules string[]
    One or more Rule IDs for exclusion.
    rule_group_name str
    The name of the rule group for exclusion. Possible values are BadBots, crs_20_protocol_violations, crs_21_protocol_anomalies, crs_23_request_limits, crs_30_http_policy, crs_35_bad_robots, crs_40_generic_attacks, crs_41_sql_injection_attacks, crs_41_xss_attacks, crs_42_tight_security, crs_45_trojans, crs_49_inbound_blocking, General, GoodBots, KnownBadBots, Known-CVEs, REQUEST-911-METHOD-ENFORCEMENT, REQUEST-913-SCANNER-DETECTION, REQUEST-920-PROTOCOL-ENFORCEMENT, REQUEST-921-PROTOCOL-ATTACK, REQUEST-930-APPLICATION-ATTACK-LFI, REQUEST-931-APPLICATION-ATTACK-RFI, REQUEST-932-APPLICATION-ATTACK-RCE, REQUEST-933-APPLICATION-ATTACK-PHP, REQUEST-941-APPLICATION-ATTACK-XSS, REQUEST-942-APPLICATION-ATTACK-SQLI, REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION, REQUEST-944-APPLICATION-ATTACK-JAVA, UnknownBots, METHOD-ENFORCEMENT, PROTOCOL-ENFORCEMENT, PROTOCOL-ATTACK, LFI, RFI, RCE, PHP, NODEJS, XSS, SQLI, FIX, JAVA, MS-ThreatIntel-WebShells, MS-ThreatIntel-AppSec, MS-ThreatIntel-SQLI and MS-ThreatIntel-CVEs.
    excluded_rules Sequence[str]
    One or more Rule IDs for exclusion.
    ruleGroupName String
    The name of the rule group for exclusion. Possible values are BadBots, crs_20_protocol_violations, crs_21_protocol_anomalies, crs_23_request_limits, crs_30_http_policy, crs_35_bad_robots, crs_40_generic_attacks, crs_41_sql_injection_attacks, crs_41_xss_attacks, crs_42_tight_security, crs_45_trojans, crs_49_inbound_blocking, General, GoodBots, KnownBadBots, Known-CVEs, REQUEST-911-METHOD-ENFORCEMENT, REQUEST-913-SCANNER-DETECTION, REQUEST-920-PROTOCOL-ENFORCEMENT, REQUEST-921-PROTOCOL-ATTACK, REQUEST-930-APPLICATION-ATTACK-LFI, REQUEST-931-APPLICATION-ATTACK-RFI, REQUEST-932-APPLICATION-ATTACK-RCE, REQUEST-933-APPLICATION-ATTACK-PHP, REQUEST-941-APPLICATION-ATTACK-XSS, REQUEST-942-APPLICATION-ATTACK-SQLI, REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION, REQUEST-944-APPLICATION-ATTACK-JAVA, UnknownBots, METHOD-ENFORCEMENT, PROTOCOL-ENFORCEMENT, PROTOCOL-ATTACK, LFI, RFI, RCE, PHP, NODEJS, XSS, SQLI, FIX, JAVA, MS-ThreatIntel-WebShells, MS-ThreatIntel-AppSec, MS-ThreatIntel-SQLI and MS-ThreatIntel-CVEs.
    excludedRules List<String>
    One or more Rule IDs for exclusion.

    PolicyManagedRulesManagedRuleSet, PolicyManagedRulesManagedRuleSetArgs

    Version string
    The rule set version. Possible values: 0.1, 1.0, 2.1, 2.2.9, 3.0, 3.1 and 3.2.
    RuleGroupOverrides List<PolicyManagedRulesManagedRuleSetRuleGroupOverride>
    One or more rule_group_override block defined below.
    Type string
    The rule set type. Possible values: Microsoft_BotManagerRuleSet, Microsoft_DefaultRuleSet and OWASP. Defaults to OWASP.
    Version string
    The rule set version. Possible values: 0.1, 1.0, 2.1, 2.2.9, 3.0, 3.1 and 3.2.
    RuleGroupOverrides []PolicyManagedRulesManagedRuleSetRuleGroupOverride
    One or more rule_group_override block defined below.
    Type string
    The rule set type. Possible values: Microsoft_BotManagerRuleSet, Microsoft_DefaultRuleSet and OWASP. Defaults to OWASP.
    version String
    The rule set version. Possible values: 0.1, 1.0, 2.1, 2.2.9, 3.0, 3.1 and 3.2.
    ruleGroupOverrides List<PolicyManagedRulesManagedRuleSetRuleGroupOverride>
    One or more rule_group_override block defined below.
    type String
    The rule set type. Possible values: Microsoft_BotManagerRuleSet, Microsoft_DefaultRuleSet and OWASP. Defaults to OWASP.
    version string
    The rule set version. Possible values: 0.1, 1.0, 2.1, 2.2.9, 3.0, 3.1 and 3.2.
    ruleGroupOverrides PolicyManagedRulesManagedRuleSetRuleGroupOverride[]
    One or more rule_group_override block defined below.
    type string
    The rule set type. Possible values: Microsoft_BotManagerRuleSet, Microsoft_DefaultRuleSet and OWASP. Defaults to OWASP.
    version str
    The rule set version. Possible values: 0.1, 1.0, 2.1, 2.2.9, 3.0, 3.1 and 3.2.
    rule_group_overrides Sequence[PolicyManagedRulesManagedRuleSetRuleGroupOverride]
    One or more rule_group_override block defined below.
    type str
    The rule set type. Possible values: Microsoft_BotManagerRuleSet, Microsoft_DefaultRuleSet and OWASP. Defaults to OWASP.
    version String
    The rule set version. Possible values: 0.1, 1.0, 2.1, 2.2.9, 3.0, 3.1 and 3.2.
    ruleGroupOverrides List<Property Map>
    One or more rule_group_override block defined below.
    type String
    The rule set type. Possible values: Microsoft_BotManagerRuleSet, Microsoft_DefaultRuleSet and OWASP. Defaults to OWASP.

    PolicyManagedRulesManagedRuleSetRuleGroupOverride, PolicyManagedRulesManagedRuleSetRuleGroupOverrideArgs

    RuleGroupName string
    The name of the Rule Group. Possible values are BadBots, crs_20_protocol_violations, crs_21_protocol_anomalies, crs_23_request_limits, crs_30_http_policy, crs_35_bad_robots, crs_40_generic_attacks, crs_41_sql_injection_attacks, crs_41_xss_attacks, crs_42_tight_security, crs_45_trojans, crs_49_inbound_blocking, General, GoodBots, KnownBadBots, Known-CVEs, REQUEST-911-METHOD-ENFORCEMENT, REQUEST-913-SCANNER-DETECTION, REQUEST-920-PROTOCOL-ENFORCEMENT, REQUEST-921-PROTOCOL-ATTACK, REQUEST-930-APPLICATION-ATTACK-LFI, REQUEST-931-APPLICATION-ATTACK-RFI, REQUEST-932-APPLICATION-ATTACK-RCE, REQUEST-933-APPLICATION-ATTACK-PHP, REQUEST-941-APPLICATION-ATTACK-XSS, REQUEST-942-APPLICATION-ATTACK-SQLI, REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION, REQUEST-944-APPLICATION-ATTACK-JAVA, UnknownBots, METHOD-ENFORCEMENT, PROTOCOL-ENFORCEMENT, PROTOCOL-ATTACK, LFI, RFI, RCE, PHP, NODEJS, XSS, SQLI, FIX, JAVA, MS-ThreatIntel-WebShells, MS-ThreatIntel-AppSec, MS-ThreatIntel-SQLI and MS-ThreatIntel-CVEs.
    DisabledRules List<string>

    Deprecated: disabled_rules will be removed in favour of the rule property in version 4.0 of the AzureRM Provider.

    Rules List<PolicyManagedRulesManagedRuleSetRuleGroupOverrideRule>
    One or more rule block defined below.
    RuleGroupName string
    The name of the Rule Group. Possible values are BadBots, crs_20_protocol_violations, crs_21_protocol_anomalies, crs_23_request_limits, crs_30_http_policy, crs_35_bad_robots, crs_40_generic_attacks, crs_41_sql_injection_attacks, crs_41_xss_attacks, crs_42_tight_security, crs_45_trojans, crs_49_inbound_blocking, General, GoodBots, KnownBadBots, Known-CVEs, REQUEST-911-METHOD-ENFORCEMENT, REQUEST-913-SCANNER-DETECTION, REQUEST-920-PROTOCOL-ENFORCEMENT, REQUEST-921-PROTOCOL-ATTACK, REQUEST-930-APPLICATION-ATTACK-LFI, REQUEST-931-APPLICATION-ATTACK-RFI, REQUEST-932-APPLICATION-ATTACK-RCE, REQUEST-933-APPLICATION-ATTACK-PHP, REQUEST-941-APPLICATION-ATTACK-XSS, REQUEST-942-APPLICATION-ATTACK-SQLI, REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION, REQUEST-944-APPLICATION-ATTACK-JAVA, UnknownBots, METHOD-ENFORCEMENT, PROTOCOL-ENFORCEMENT, PROTOCOL-ATTACK, LFI, RFI, RCE, PHP, NODEJS, XSS, SQLI, FIX, JAVA, MS-ThreatIntel-WebShells, MS-ThreatIntel-AppSec, MS-ThreatIntel-SQLI and MS-ThreatIntel-CVEs.
    DisabledRules []string

    Deprecated: disabled_rules will be removed in favour of the rule property in version 4.0 of the AzureRM Provider.

    Rules []PolicyManagedRulesManagedRuleSetRuleGroupOverrideRule
    One or more rule block defined below.
    ruleGroupName String
    The name of the Rule Group. Possible values are BadBots, crs_20_protocol_violations, crs_21_protocol_anomalies, crs_23_request_limits, crs_30_http_policy, crs_35_bad_robots, crs_40_generic_attacks, crs_41_sql_injection_attacks, crs_41_xss_attacks, crs_42_tight_security, crs_45_trojans, crs_49_inbound_blocking, General, GoodBots, KnownBadBots, Known-CVEs, REQUEST-911-METHOD-ENFORCEMENT, REQUEST-913-SCANNER-DETECTION, REQUEST-920-PROTOCOL-ENFORCEMENT, REQUEST-921-PROTOCOL-ATTACK, REQUEST-930-APPLICATION-ATTACK-LFI, REQUEST-931-APPLICATION-ATTACK-RFI, REQUEST-932-APPLICATION-ATTACK-RCE, REQUEST-933-APPLICATION-ATTACK-PHP, REQUEST-941-APPLICATION-ATTACK-XSS, REQUEST-942-APPLICATION-ATTACK-SQLI, REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION, REQUEST-944-APPLICATION-ATTACK-JAVA, UnknownBots, METHOD-ENFORCEMENT, PROTOCOL-ENFORCEMENT, PROTOCOL-ATTACK, LFI, RFI, RCE, PHP, NODEJS, XSS, SQLI, FIX, JAVA, MS-ThreatIntel-WebShells, MS-ThreatIntel-AppSec, MS-ThreatIntel-SQLI and MS-ThreatIntel-CVEs.
    disabledRules List<String>

    Deprecated: disabled_rules will be removed in favour of the rule property in version 4.0 of the AzureRM Provider.

    rules List<PolicyManagedRulesManagedRuleSetRuleGroupOverrideRule>
    One or more rule block defined below.
    ruleGroupName string
    The name of the Rule Group. Possible values are BadBots, crs_20_protocol_violations, crs_21_protocol_anomalies, crs_23_request_limits, crs_30_http_policy, crs_35_bad_robots, crs_40_generic_attacks, crs_41_sql_injection_attacks, crs_41_xss_attacks, crs_42_tight_security, crs_45_trojans, crs_49_inbound_blocking, General, GoodBots, KnownBadBots, Known-CVEs, REQUEST-911-METHOD-ENFORCEMENT, REQUEST-913-SCANNER-DETECTION, REQUEST-920-PROTOCOL-ENFORCEMENT, REQUEST-921-PROTOCOL-ATTACK, REQUEST-930-APPLICATION-ATTACK-LFI, REQUEST-931-APPLICATION-ATTACK-RFI, REQUEST-932-APPLICATION-ATTACK-RCE, REQUEST-933-APPLICATION-ATTACK-PHP, REQUEST-941-APPLICATION-ATTACK-XSS, REQUEST-942-APPLICATION-ATTACK-SQLI, REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION, REQUEST-944-APPLICATION-ATTACK-JAVA, UnknownBots, METHOD-ENFORCEMENT, PROTOCOL-ENFORCEMENT, PROTOCOL-ATTACK, LFI, RFI, RCE, PHP, NODEJS, XSS, SQLI, FIX, JAVA, MS-ThreatIntel-WebShells, MS-ThreatIntel-AppSec, MS-ThreatIntel-SQLI and MS-ThreatIntel-CVEs.
    disabledRules string[]

    Deprecated: disabled_rules will be removed in favour of the rule property in version 4.0 of the AzureRM Provider.

    rules PolicyManagedRulesManagedRuleSetRuleGroupOverrideRule[]
    One or more rule block defined below.
    rule_group_name str
    The name of the Rule Group. Possible values are BadBots, crs_20_protocol_violations, crs_21_protocol_anomalies, crs_23_request_limits, crs_30_http_policy, crs_35_bad_robots, crs_40_generic_attacks, crs_41_sql_injection_attacks, crs_41_xss_attacks, crs_42_tight_security, crs_45_trojans, crs_49_inbound_blocking, General, GoodBots, KnownBadBots, Known-CVEs, REQUEST-911-METHOD-ENFORCEMENT, REQUEST-913-SCANNER-DETECTION, REQUEST-920-PROTOCOL-ENFORCEMENT, REQUEST-921-PROTOCOL-ATTACK, REQUEST-930-APPLICATION-ATTACK-LFI, REQUEST-931-APPLICATION-ATTACK-RFI, REQUEST-932-APPLICATION-ATTACK-RCE, REQUEST-933-APPLICATION-ATTACK-PHP, REQUEST-941-APPLICATION-ATTACK-XSS, REQUEST-942-APPLICATION-ATTACK-SQLI, REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION, REQUEST-944-APPLICATION-ATTACK-JAVA, UnknownBots, METHOD-ENFORCEMENT, PROTOCOL-ENFORCEMENT, PROTOCOL-ATTACK, LFI, RFI, RCE, PHP, NODEJS, XSS, SQLI, FIX, JAVA, MS-ThreatIntel-WebShells, MS-ThreatIntel-AppSec, MS-ThreatIntel-SQLI and MS-ThreatIntel-CVEs.
    disabled_rules Sequence[str]

    Deprecated: disabled_rules will be removed in favour of the rule property in version 4.0 of the AzureRM Provider.

    rules Sequence[PolicyManagedRulesManagedRuleSetRuleGroupOverrideRule]
    One or more rule block defined below.
    ruleGroupName String
    The name of the Rule Group. Possible values are BadBots, crs_20_protocol_violations, crs_21_protocol_anomalies, crs_23_request_limits, crs_30_http_policy, crs_35_bad_robots, crs_40_generic_attacks, crs_41_sql_injection_attacks, crs_41_xss_attacks, crs_42_tight_security, crs_45_trojans, crs_49_inbound_blocking, General, GoodBots, KnownBadBots, Known-CVEs, REQUEST-911-METHOD-ENFORCEMENT, REQUEST-913-SCANNER-DETECTION, REQUEST-920-PROTOCOL-ENFORCEMENT, REQUEST-921-PROTOCOL-ATTACK, REQUEST-930-APPLICATION-ATTACK-LFI, REQUEST-931-APPLICATION-ATTACK-RFI, REQUEST-932-APPLICATION-ATTACK-RCE, REQUEST-933-APPLICATION-ATTACK-PHP, REQUEST-941-APPLICATION-ATTACK-XSS, REQUEST-942-APPLICATION-ATTACK-SQLI, REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION, REQUEST-944-APPLICATION-ATTACK-JAVA, UnknownBots, METHOD-ENFORCEMENT, PROTOCOL-ENFORCEMENT, PROTOCOL-ATTACK, LFI, RFI, RCE, PHP, NODEJS, XSS, SQLI, FIX, JAVA, MS-ThreatIntel-WebShells, MS-ThreatIntel-AppSec, MS-ThreatIntel-SQLI and MS-ThreatIntel-CVEs.
    disabledRules List<String>

    Deprecated: disabled_rules will be removed in favour of the rule property in version 4.0 of the AzureRM Provider.

    rules List<Property Map>
    One or more rule block defined below.

    PolicyManagedRulesManagedRuleSetRuleGroupOverrideRule, PolicyManagedRulesManagedRuleSetRuleGroupOverrideRuleArgs

    Id string
    Identifier for the managed rule.
    Action string
    Describes the override action to be applied when rule matches. Possible values are Allow, AnomalyScoring, Block and Log.
    Enabled bool
    Describes if the managed rule is in enabled state or disabled state.
    Id string
    Identifier for the managed rule.
    Action string
    Describes the override action to be applied when rule matches. Possible values are Allow, AnomalyScoring, Block and Log.
    Enabled bool
    Describes if the managed rule is in enabled state or disabled state.
    id String
    Identifier for the managed rule.
    action String
    Describes the override action to be applied when rule matches. Possible values are Allow, AnomalyScoring, Block and Log.
    enabled Boolean
    Describes if the managed rule is in enabled state or disabled state.
    id string
    Identifier for the managed rule.
    action string
    Describes the override action to be applied when rule matches. Possible values are Allow, AnomalyScoring, Block and Log.
    enabled boolean
    Describes if the managed rule is in enabled state or disabled state.
    id str
    Identifier for the managed rule.
    action str
    Describes the override action to be applied when rule matches. Possible values are Allow, AnomalyScoring, Block and Log.
    enabled bool
    Describes if the managed rule is in enabled state or disabled state.
    id String
    Identifier for the managed rule.
    action String
    Describes the override action to be applied when rule matches. Possible values are Allow, AnomalyScoring, Block and Log.
    enabled Boolean
    Describes if the managed rule is in enabled state or disabled state.

    PolicyPolicySettings, PolicyPolicySettingsArgs

    Enabled bool
    Describes if the policy is in enabled state or disabled state. Defaults to true.
    FileUploadLimitInMb int
    The File Upload Limit in MB. Accepted values are in the range 1 to 4000. Defaults to 100.
    LogScrubbing PolicyPolicySettingsLogScrubbing
    One log_scrubbing block as defined below.
    MaxRequestBodySizeInKb int
    The Maximum Request Body Size in KB. Accepted values are in the range 8 to 2000. Defaults to 128.
    Mode string
    Describes if it is in detection mode or prevention mode at the policy level. Valid values are Detection and Prevention. Defaults to Prevention. In Detection mode, requests that match a rule are logged but not blocked.
    RequestBodyCheck bool
    Is Request Body Inspection enabled? Defaults to true. When set to false, request bodies are not evaluated against the WAF rules.
    RequestBodyInspectLimitInKb int
    Specifies the maximum request body inspection limit in KB for the Web Application Firewall. Defaults to 128.
    Enabled bool
    Describes if the policy is in enabled state or disabled state. Defaults to true.
    FileUploadLimitInMb int
    The File Upload Limit in MB. Accepted values are in the range 1 to 4000. Defaults to 100.
    LogScrubbing PolicyPolicySettingsLogScrubbing
    One log_scrubbing block as defined below.
    MaxRequestBodySizeInKb int
    The Maximum Request Body Size in KB. Accepted values are in the range 8 to 2000. Defaults to 128.
    Mode string
    Describes if it is in detection mode or prevention mode at the policy level. Valid values are Detection and Prevention. Defaults to Prevention.
    RequestBodyCheck bool
    Is Request Body Inspection enabled? Defaults to true.
    RequestBodyInspectLimitInKb int
    Specifies the maximum request body inspection limit in KB for the Web Application Firewall. Defaults to 128.
    enabled Boolean
    Describes if the policy is in enabled state or disabled state. Defaults to true.
    fileUploadLimitInMb Integer
    The File Upload Limit in MB. Accepted values are in the range 1 to 4000. Defaults to 100.
    logScrubbing PolicyPolicySettingsLogScrubbing
    One log_scrubbing block as defined below.
    maxRequestBodySizeInKb Integer
    The Maximum Request Body Size in KB. Accepted values are in the range 8 to 2000. Defaults to 128.
    mode String
    Describes if it is in detection mode or prevention mode at the policy level. Valid values are Detection and Prevention. Defaults to Prevention.
    requestBodyCheck Boolean
    Is Request Body Inspection enabled? Defaults to true.
    requestBodyInspectLimitInKb Integer
    Specifies the maximum request body inspection limit in KB for the Web Application Firewall. Defaults to 128.
    enabled boolean
    Describes if the policy is in enabled state or disabled state. Defaults to true.
    fileUploadLimitInMb number
    The File Upload Limit in MB. Accepted values are in the range 1 to 4000. Defaults to 100.
    logScrubbing PolicyPolicySettingsLogScrubbing
    One log_scrubbing block as defined below.
    maxRequestBodySizeInKb number
    The Maximum Request Body Size in KB. Accepted values are in the range 8 to 2000. Defaults to 128.
    mode string
    Describes if it is in detection mode or prevention mode at the policy level. Valid values are Detection and Prevention. Defaults to Prevention.
    requestBodyCheck boolean
    Is Request Body Inspection enabled? Defaults to true.
    requestBodyInspectLimitInKb number
    Specifies the maximum request body inspection limit in KB for the Web Application Firewall. Defaults to 128.
    enabled bool
    Describes if the policy is in enabled state or disabled state. Defaults to true.
    file_upload_limit_in_mb int
    The File Upload Limit in MB. Accepted values are in the range 1 to 4000. Defaults to 100.
    log_scrubbing PolicyPolicySettingsLogScrubbing
    One log_scrubbing block as defined below.
    max_request_body_size_in_kb int
    The Maximum Request Body Size in KB. Accepted values are in the range 8 to 2000. Defaults to 128.
    mode str
    Describes if it is in detection mode or prevention mode at the policy level. Valid values are Detection and Prevention. Defaults to Prevention.
    request_body_check bool
    Is Request Body Inspection enabled? Defaults to true.
    request_body_inspect_limit_in_kb int
    Specifies the maximum request body inspection limit in KB for the Web Application Firewall. Defaults to 128.
    enabled Boolean
    Describes if the policy is in enabled state or disabled state. Defaults to true.
    fileUploadLimitInMb Number
    The File Upload Limit in MB. Accepted values are in the range 1 to 4000. Defaults to 100.
    logScrubbing Property Map
    One log_scrubbing block as defined below.
    maxRequestBodySizeInKb Number
    The Maximum Request Body Size in KB. Accepted values are in the range 8 to 2000. Defaults to 128.
    mode String
    Describes if it is in detection mode or prevention mode at the policy level. Valid values are Detection and Prevention. Defaults to Prevention.
    requestBodyCheck Boolean
    Is Request Body Inspection enabled? Defaults to true.
    requestBodyInspectLimitInKb Number
    Specifies the maximum request body inspection limit in KB for the Web Application Firewall. Defaults to 128.

    PolicyPolicySettingsLogScrubbing, PolicyPolicySettingsLogScrubbingArgs

    Enabled bool
    Whether the log scrubbing is enabled or disabled. Defaults to true.
    Rules List<PolicyPolicySettingsLogScrubbingRule>
    One or more scrubbing_rule blocks as defined below.
    Enabled bool
    Whether the log scrubbing is enabled or disabled. Defaults to true.
    Rules []PolicyPolicySettingsLogScrubbingRule
    One or more scrubbing_rule blocks as defined below.
    enabled Boolean
    Whether the log scrubbing is enabled or disabled. Defaults to true.
    rules List<PolicyPolicySettingsLogScrubbingRule>
    One or more scrubbing_rule blocks as defined below.
    enabled boolean
    Whether the log scrubbing is enabled or disabled. Defaults to true.
    rules PolicyPolicySettingsLogScrubbingRule[]
    One or more scrubbing_rule blocks as defined below.
    enabled bool
    Whether the log scrubbing is enabled or disabled. Defaults to true.
    rules Sequence[PolicyPolicySettingsLogScrubbingRule]
    One or more scrubbing_rule blocks as defined below.
    enabled Boolean
    Whether the log scrubbing is enabled or disabled. Defaults to true.
    rules List<Property Map>
    One or more scrubbing_rule blocks as defined below.

    PolicyPolicySettingsLogScrubbingRule, PolicyPolicySettingsLogScrubbingRuleArgs

    MatchVariable string
    The name of the Match Variable. Possible values: RequestArgKeys, RequestArgNames, RequestArgValues, RequestCookieKeys, RequestCookieNames, RequestCookieValues, RequestHeaderKeys, RequestHeaderNames, RequestHeaderValues.
    Enabled bool
    Describes if the log scrubbing rule is in enabled state or disabled state.
    Selector string
    Describes field of the matchVariable collection.
    SelectorMatchOperator string
    Describes operator to be matched. Possible values: Contains, EndsWith, Equals, EqualsAny, StartsWith.
    MatchVariable string
    The name of the Match Variable. Possible values: RequestArgKeys, RequestArgNames, RequestArgValues, RequestCookieKeys, RequestCookieNames, RequestCookieValues, RequestHeaderKeys, RequestHeaderNames, RequestHeaderValues.
    Enabled bool
    Describes if the log scrubbing rule is in enabled state or disabled state.
    Selector string
    Describes field of the matchVariable collection.
    SelectorMatchOperator string
    Describes operator to be matched. Possible values: Contains, EndsWith, Equals, EqualsAny, StartsWith.
    matchVariable String
    The name of the Match Variable. Possible values: RequestArgKeys, RequestArgNames, RequestArgValues, RequestCookieKeys, RequestCookieNames, RequestCookieValues, RequestHeaderKeys, RequestHeaderNames, RequestHeaderValues.
    enabled Boolean
    Describes if the log scrubbing rule is in enabled state or disabled state.
    selector String
    Describes field of the matchVariable collection.
    selectorMatchOperator String
    Describes operator to be matched. Possible values: Contains, EndsWith, Equals, EqualsAny, StartsWith.
    matchVariable string
    The name of the Match Variable. Possible values: RequestArgKeys, RequestArgNames, RequestArgValues, RequestCookieKeys, RequestCookieNames, RequestCookieValues, RequestHeaderKeys, RequestHeaderNames, RequestHeaderValues.
    enabled boolean
    Describes if the log scrubbing rule is in enabled state or disabled state.
    selector string
    Describes field of the matchVariable collection.
    selectorMatchOperator string
    Describes operator to be matched. Possible values: Contains, EndsWith, Equals, EqualsAny, StartsWith.
    match_variable str
    The name of the Match Variable. Possible values: RequestArgKeys, RequestArgNames, RequestArgValues, RequestCookieKeys, RequestCookieNames, RequestCookieValues, RequestHeaderKeys, RequestHeaderNames, RequestHeaderValues.
    enabled bool
    Describes if the log scrubbing rule is in enabled state or disabled state.
    selector str
    Describes field of the matchVariable collection.
    selector_match_operator str
    Describes operator to be matched. Possible values: Contains, EndsWith, Equals, EqualsAny, StartsWith.
    matchVariable String
    The name of the Match Variable. Possible values: RequestArgKeys, RequestArgNames, RequestArgValues, RequestCookieKeys, RequestCookieNames, RequestCookieValues, RequestHeaderKeys, RequestHeaderNames, RequestHeaderValues.
    enabled Boolean
    Describes if the log scrubbing rule is in enabled state or disabled state.
    selector String
    Describes field of the matchVariable collection.
    selectorMatchOperator String
    Describes operator to be matched. Possible values: Contains, EndsWith, Equals, EqualsAny, StartsWith.

    Import

    Web Application Firewall Policy can be imported using the resource id, e.g.

    $ pulumi import azure:waf/policy:Policy example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-rg/providers/Microsoft.Network/applicationGatewayWebApplicationFirewallPolicies/example-wafpolicy
    

    Package Details

    Repository
    Azure Classic pulumi/pulumi-azure
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the azurerm Terraform Provider.