Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update azure_rm_appgateway to support setting WAF policy #1725

Open
wants to merge 7 commits into
base: dev
Choose a base branch
from
Open

Update azure_rm_appgateway to support setting WAF policy #1725

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
e7e1dce
update appgw for waf policy configuration
l3ender Sep 21, 2024
d677e19
Merge branch 'dev' into appgw-waf-policy
l3ender Sep 21, 2024
9f45e80
correct line length
l3ender Sep 23, 2024
dfdfd00
Apply suggestions from code review
l3ender Sep 23, 2024
060da81
Merge remote-tracking branch 'origin/appgw-waf-policy' into appgw-waf…
l3ender Sep 23, 2024
05b71f8
Merge branch 'dev' into appgw-waf-policy
l3ender Sep 27, 2024
5f0cfb1
Merge remote-tracking branch 'origin/dev' into appgw-waf-policy
l3ender Oct 4, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
86 changes: 74 additions & 12 deletions plugins/modules/azure_rm_appgateway.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -799,12 +799,14 @@
web_application_firewall_configuration:
version_added: "1.15.0"
description:
- Web application firewall configuration of the application gateway reosurce.
- Web application firewall configuration of the application gateway resource.
- Note that as of version 2.8.0, I(firewall_policy) is required instead of deprecated options. See https://github.com/ansible-collections/azure/pull/1697.
l3ender marked this conversation as resolved.
Show resolved Hide resolved
type: dict
suboptions:
disabled_rule_groups:
description:
- The disabled rule groups.
- (Deprecated) The disabled rule groups.
- This value has been deprecated, and will be removed in a later version. Use I(firewall_policy) instead.
type: list
elements: dict
default: []
Expand All @@ -821,11 +823,13 @@
default: []
enabled:
description:
- Whether the web application firewall is enabled or not.
- (Deprecated) Whether the web application firewall is enabled or not.
l3ender marked this conversation as resolved.
Show resolved Hide resolved
- This value has been deprecated, and will be removed in a later version. Use I(firewall_policy) instead.
type: bool
exclusions:
description:
- The exclusion list.
- (Deprecated) The exclusion list.
- This value has been deprecated, and will be removed in a later version. Use I(firewall_policy) instead.
type: list
elements: dict
default: []
Expand All @@ -845,38 +849,64 @@
type: str
file_upload_limit_in_mb:
description:
- Maximum file upload size in Mb for WAF.
- (Deprecated) Maximum file upload size in Mb for WAF.
- This value has been deprecated, and will be removed in a later version. Use I(firewall_policy) instead.
type: int
firewall_mode:
description:
- Web application firewall mode.
- (Deprecated) Web application firewall mode.
- This value has been deprecated, and will be removed in a later version. Use I(firewall_policy) instead.
type: str
choices:
- 'Detection'
- 'Prevention'
max_request_body_size:
description:
- Maximum request body size for WAF.
- (Deprecated) Maximum request body size for WAF.
- This value has been deprecated, and will be removed in a later version. Use I(firewall_policy) instead.
type: int
max_request_body_size_in_kb:
description:
- Maximum request body size in Kb for WAF.
- (Deprecated) Maximum request body size in Kb for WAF.
- This value has been deprecated, and will be removed in a later version. Use I(firewall_policy) instead.
type: int
request_body_check:
description:
- Whether allow WAF to check request Body.
- (Deprecated) Whether allow WAF to check request Body.
- This value has been deprecated, and will be removed in a later version. Use I(firewall_policy) instead.
type: bool
rule_set_type:
description:
- The type of the web application firewall rule set.
- (Deprecated) The type of the web application firewall rule set.
- Possible values are 'OWASP'.
- This value has been deprecated, and will be removed in a later version. Use I(firewall_policy) instead.
type: str
choices:
- 'OWASP'
rule_set_version:
description:
- The version of the rule set type.
- (Deprecated) The version of the rule set type.
- This value has been deprecated, and will be removed in a later version. Use I(firewall_policy) instead.
type: str
firewall_policy:
version_added: "2.8.0"
description:
- Web application firewall policy for the application gateway.
type: dict
suboptions:
id:
description:
- Resource ID of the firewall policy. Required if I(name) is not provided.
type: str
name:
description:
- Name of the firewall policy (in same subscription and region). Used if I(id) is not provided.
type: str
force_association:
description:
- If true, associates the firewall policy with an application gateway regardless whether the policy differs from the WAF Config.
type: bool
default: true
identity:
description:
- Identity for the App Gateway
Expand Down Expand Up @@ -1760,6 +1790,12 @@ class Actions:
rules=dict(type='list', elements='int', default=[]),
)

firewall_policy_spec = dict(
id=dict(type='str'),
name=dict(type='str'),
force_association=dict(type='bool', default=True),
)

web_application_firewall_configuration_spec = dict(
enabled=dict(type='bool'),
firewall_mode=dict(type='str', choices=['Detection', 'Prevention']),
Expand All @@ -1771,6 +1807,7 @@ class Actions:
file_upload_limit_in_mb=dict(type='int'),
exclusions=dict(type='list', elements='dict', options=waf_configuration_exclusions_spec, default=[]),
disabled_rule_groups=dict(type='list', elements='dict', options=waf_configuration_disabled_rule_groups_spec, default=[]),
firewall_policy=dict(type='dict', options=firewall_policy_spec),
)

trusted_root_certificates_spec = dict(
Expand Down Expand Up @@ -2409,7 +2446,7 @@ def exec_module(self, **kwargs):
elif key == "autoscale_configuration":
self.parameters["autoscale_configuration"] = kwargs[key]
elif key == "web_application_firewall_configuration":
self.parameters["web_application_firewall_configuration"] = kwargs[key]
self.set_web_application_firewall_configuration(kwargs)
elif key == "enable_http2":
self.parameters["enable_http2"] = kwargs[key]
elif key == "tags":
Expand Down Expand Up @@ -2658,6 +2695,22 @@ def get_resource(self):

return False

def set_web_application_firewall_configuration(self, kwargs):
waf_config = dict(kwargs['web_application_firewall_configuration'])
if waf_config is None:
return

if 'firewall_policy' in waf_config and waf_config['firewall_policy'] is not None:
if 'name' in waf_config['firewall_policy'] and waf_config['firewall_policy']['name'] is not None:
waf_config['firewall_policy']['id'] = waf_policy_id(self.subscription_id,
kwargs['resource_group'],
waf_config['firewall_policy']['name'])
del waf_config['firewall_policy']['name']

self.parameters['force_firewall_policy_association'] = waf_config['firewall_policy']['force_association']
del waf_config['firewall_policy']['force_association']
self.parameters['firewall_policy'] = waf_config['firewall_policy']


def public_ip_id(subscription_id, resource_group_name, name):
"""Generate the id for a frontend ip configuration"""
Expand Down Expand Up @@ -2819,6 +2872,15 @@ def trusted_root_certificate_id(subscription_id, resource_group_name, appgateway
)


def waf_policy_id(subscription_id, resource_group_name, policy_name):
"""Generate the id for a web application firewall policy"""
return '/subscriptions/{0}/resourceGroups/{1}/providers/Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/{2}'.format(
subscription_id,
resource_group_name,
policy_name,
)


def compare_dicts(old_response, new_response):
"""Compare two dictionaries using recursive_diff method and assuming that null values coming from yaml input
are acting like absent values"""
Expand Down
Loading