An open API service indexing awesome lists of open source software.

https://github.com/launchbynttdata/tf-azurerm-module_primitive-web_application_firewall_policy


https://github.com/launchbynttdata/tf-azurerm-module_primitive-web_application_firewall_policy

Last synced: 13 days ago
JSON representation

Awesome Lists containing this project

README

          

# tf-azurerm-module_primitive-web_application_firewall_policy

[![License](https://img.shields.io/badge/License-Apache_2.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)
[![License: CC BY-NC-ND 4.0](https://img.shields.io/badge/License-CC_BY--NC--ND_4.0-lightgrey.svg)](https://creativecommons.org/licenses/by-nc-nd/4.0/)

## Overview

This terraform module provisions an web application firewall policy for use with application gateway.

## Pre-Commit hooks

[.pre-commit-config.yaml](.pre-commit-config.yaml) file defines certain `pre-commit` hooks that are relevant to terraform, golang and common linting tasks. There are no custom hooks added.

`commitlint` hook enforces commit message in certain format. The commit contains the following structural elements, to communicate intent to the consumers of your commit messages:

- **fix**: a commit of the type `fix` patches a bug in your codebase (this correlates with PATCH in Semantic Versioning).
- **feat**: a commit of the type `feat` introduces a new feature to the codebase (this correlates with MINOR in Semantic Versioning).
- **BREAKING CHANGE**: a commit that has a footer `BREAKING CHANGE:`, or appends a `!` after the type/scope, introduces a breaking API change (correlating with MAJOR in Semantic Versioning). A BREAKING CHANGE can be part of commits of any type.
footers other than BREAKING CHANGE: may be provided and follow a convention similar to git trailer format.
- **build**: a commit of the type `build` adds changes that affect the build system or external dependencies (example scopes: gulp, broccoli, npm)
- **chore**: a commit of the type `chore` adds changes that don't modify src or test files
- **ci**: a commit of the type `ci` adds changes to our CI configuration files and scripts (example scopes: Travis, Circle, BrowserStack, SauceLabs)
- **docs**: a commit of the type `docs` adds documentation only changes
- **perf**: a commit of the type `perf` adds code change that improves performance
- **refactor**: a commit of the type `refactor` adds code change that neither fixes a bug nor adds a feature
- **revert**: a commit of the type `revert` reverts a previous commit
- **style**: a commit of the type `style` adds code changes that do not affect the meaning of the code (white-space, formatting, missing semi-colons, etc)
- **test**: a commit of the type `test` adds missing tests or correcting existing tests

Base configuration used for this project is [commitlint-config-conventional (based on the Angular convention)](https://github.com/conventional-changelog/commitlint/tree/master/@commitlint/config-conventional#type-enum)

If you are a developer using vscode, [this](https://marketplace.visualstudio.com/items?itemName=joshbolduc.commitlint) plugin may be helpful.

`detect-secrets-hook` prevents new secrets from being introduced into the baseline. TODO: INSERT DOC LINK ABOUT HOOKS

In order for `pre-commit` hooks to work properly

- You need to have the pre-commit package manager installed. [Here](https://pre-commit.com/#install) are the installation instructions.
- `pre-commit` would install all the hooks when commit message is added by default except for `commitlint` hook. `commitlint` hook would need to be installed manually using the command below

```
pre-commit install --hook-type commit-msg
```

## To test the resource group module locally

1. For development/enhancements to this module locally, you'll need to install all of its components. This is controlled by the `configure` target in the project's [`Makefile`](./Makefile). Before you can run `configure`, familiarize yourself with the variables in the `Makefile` and ensure they're pointing to the right places.

```
make configure
```

This adds in several files and directories that are ignored by `git`. They expose many new Make targets.

2. _THIS STEP APPLIES ONLY TO MICROSOFT AZURE. IF YOU ARE USING A DIFFERENT PLATFORM PLEASE SKIP THIS STEP._ The first target you care about is `env`. This is the common interface for setting up environment variables. The values of the environment variables will be used to authenticate with cloud provider from local development workstation.

`make configure` command will bring down `azure_env.sh` file on local workstation. Devloper would need to modify this file, replace the environment variable values with relevant values.

These environment variables are used by `terratest` integration suit.

Service principle used for authentication(value of ARM_CLIENT_ID) should have below privileges on resource group within the subscription.

```
"Microsoft.Resources/subscriptions/resourceGroups/write"
"Microsoft.Resources/subscriptions/resourceGroups/read"
"Microsoft.Resources/subscriptions/resourceGroups/delete"
```

Then run this make target to set the environment variables on developer workstation.

```
make env
```

3. The first target you care about is `check`.

**Pre-requisites**
Before running this target it is important to ensure that, developer has created files mentioned below on local workstation under root directory of git repository that contains code for primitives/segments. Note that these files are `azure` specific. If primitive/segment under development uses any other cloud provider than azure, this section may not be relevant.

- A file named `provider.tf` with contents below

```
provider "azurerm" {
features {}
}
```

- A file named `terraform.tfvars` which contains key value pair of variables used.

Note that since these files are added in `gitignore` they would not be checked in into primitive/segment's git repo.

After creating these files, for running tests associated with the primitive/segment, run

```
make check
```

If `make check` target is successful, developer is good to commit the code to primitive/segment's git repo.

`make check` target

- runs `terraform commands` to `lint`,`validate` and `plan` terraform code.
- runs `conftests`. `conftests` make sure `policy` checks are successful.
- runs `terratest`. This is integration test suit.
- runs `opa` tests

## Requirements

| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | ~> 1.0 |
| [azurerm](#requirement\_azurerm) | ~> 3.117.1 |

## Providers

| Name | Version |
|------|---------|
| [azurerm](#provider\_azurerm) | 3.117.1 |

## Modules

No modules.

## Resources

| Name | Type |
|------|------|
| [azurerm_web_application_firewall_policy.waf_policy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/web_application_firewall_policy) | resource |

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| [name](#input\_name) | Name of the firewall policy. | `string` | n/a | yes |
| [location](#input\_location) | Azure location. | `string` | n/a | yes |
| [resource\_group\_name](#input\_resource\_group\_name) | Resource group name | `string` | n/a | yes |
| [custom\_rules](#input\_custom\_rules) | Custom rules of the firewall policy. |

list(object({
name = string
priority = number
rule_type = string
action = string

rate_limit_duration = optional(string)
rate_limit_threshold = optional(number)
group_rate_limit_by = optional(string)

match_conditions = list(object({
match_variables = list(object({
variable_name = string
selector = optional(string)
}))
operator = string
negation_condition = optional(bool)
match_values = optional(list(string))
transforms = optional(list(string))
}))
}))
| `null` | no |
| [policy\_settings](#input\_policy\_settings) | Policy settings of the firewall policy. |
object({
enabled = optional(bool)
mode = optional(string)
request_body_check = optional(bool)
file_upload_limit_in_mb = optional(number)
max_request_body_size_in_kb = optional(number)
request_body_inspect_limit_in_kb = optional(number)
js_challenge_cookie_expiration_in_minutes = optional(number)
})
|
{
"enabled": null,
"file_upload_limit_in_mb": null,
"js_challenge_cookie_expiration_in_minutes": null,
"max_request_body_size_in_kb": null,
"mode": null,
"request_body_check": null,
"request_body_inspect_limit_in_kb": null
}
| no |
| [managed\_rules](#input\_managed\_rules) | Managed rules of the firewall policy. |
object({
exclusions = optional(list(object({
match_variable = string
selector = string
selector_match_operator = string
excluded_rule_sets = list(object({
type = string
version = string
rule_groups = list(object({
rule_group_name = string
excluded_rules = list(string)
}))
}))
}))),
managed_rule_sets = list(object({
type = string
version = string
rule_group_overrides = optional(list(object({
rule_group_name = string
rules = optional(list(object({
id = number
enabled = optional(bool)
action = optional(string)
})))
})))
}))
})
|
{
"managed_rule_sets": [
{
"type": "OWASP",
"version": "3.2"
}
]
}
| no |
| [tags](#input\_tags) | A mapping of tags to assign to the resource. | `map(string)` | `{}` | no |

## Outputs

| Name | Description |
|------|-------------|
| [id](#output\_id) | The ID of the firewall policy. |
| [name](#output\_name) | The name of the firewall policy. |