Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Getting a warning about disabled_rules when trying to set managed_rules to be ignored in lifecycle changes #23379

Closed
1 task done
JAK1047 opened this issue Sep 25, 2023 · 6 comments · Fixed by #23412
Closed
1 task done

Getting a warning about disabled_rules when trying to set managed_rules to be ignored in lifecycle changes #23379

JAK1047 opened this issue Sep 25, 2023 · 6 comments · Fixed by #23412
Labels
bug service/network v/3.x
Milestone
v3.84.0

Comments

@JAK1047
Copy link

JAK1047 commented Sep 25, 2023

Is there an existing issue for this?

  • I have searched the existing issues

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment and review the contribution guide to help.

Terraform Version

1.4.5

AzureRM Provider Version

3.56.0

Affected Resource(s)/Data Source(s)

azurerm_web_application_firewall_policy

Terraform Configuration Files

tf.var
# - Application Gateway WAF Policy
waf_policies = {
  AGW-001 = {
    name     = "network-hub"
    instance = "001"

    tags = {
      "workload" = "Azure Application Gateway WAF Policy for Azure Network Hub"
    }

    policy_settings = {
      DEFAULT = {
        enabled            = true
        mode               = "Detection"
        request_body_check = false
      }
    }

    managed_rules = {
      OWASP = {
        exclusion = {
          ISS = {
            match_variable          = "RequestArgNames"
            selector                = "iss"
            selector_match_operator = "Equals"
          }
        }
        managed_rule_set = {
          OWASP = {
            version = "3.2"
            type    = "OWASP"

            rule_group_override = {
              REQUEST-942-APPLICATION-ATTACK-SQLI = {
                rule_group_name = "REQUEST-942-APPLICATION-ATTACK-SQLI"

                rule = [
                  {
                    action  = "Log"
                    enabled = true
                    id      = "942340"
                  },
                  {
                    action  = "Log"
                    enabled = true
                    id      = "942200"
                  },
                  {
                    action  = "Log"
                    enabled = true
                    id      = "942260"
                  },
                  {
                    action  = "Log"
                    enabled = true
                    id      = "942370"
                  },
                  {
                    action  = "Log"
                    enabled = true
                    id      = "942430"
                  },
                  {
                    action  = "Log"
                    enabled = true
                    id      = "942450"
                  },
                  {
                    action  = "Log"
                    enabled = true
                    id      = "942130"
                  },
                  {
                    action  = "Log"
                    enabled = true
                    id      = "942110"
                  },
                  {
                    action  = "Log"
                    enabled = true
                    id      = "942210"
                  },
                  {
                    action  = "Log"
                    enabled = true
                    id      = "942330"
                  },
                  {
                    action  = "Log"
                    enabled = true
                    id      = "942180"
                  },
                  {
                    action  = "Log"
                    enabled = true
                    id      = "942120"
                  },
                ]
              }
              REQUEST-920-PROTOCOL-ENFORCEMENT = {
                rule_group_name = "REQUEST-920-PROTOCOL-ENFORCEMENT"

                rule = [
                  {
                    action  = "Log"
                    enabled = true
                    id      = "920420"
                  },
                  {
                    action  = "Log"
                    enabled = true
                    id      = "920300"
                  },
                  {
                    action  = "Log"
                    enabled = true
                    id      = "920320"
                  },
                  {
                    action  = "Log"
                    enabled = true
                    id      = "920170"
                  },
                ]
              }
              REQUEST-941-APPLICATION-ATTACK-XSS = {
                rule_group_name = "REQUEST-941-APPLICATION-ATTACK-XSS"

                rule = [
                  {
                    action  = "Log"
                    enabled = true
                    id      = "941100"
                  },
                  {
                    action  = "Log"
                    enabled = true
                    id      = "941120"
                  },
                  {
                    action  = "Log"
                    enabled = true
                    id      = "941330"
                  },
                ]
              }
              GENERAL = {
                rule_group_name = "General"

                rule = [
                  {
                    action  = "Log"
                    enabled = true
                    id      = "200002"
                  },
                  {
                    action  = "Log"
                    enabled = true
                    id      = "200003"
                  },
                ]
              }
              REQUEST-930-APPLICATION-ATTACK-LFI = {
                rule_group_name = "REQUEST-930-APPLICATION-ATTACK-LFI"

                rule = [
                  {
                    action  = "Log"
                    enabled = true
                    id      = "930120"
                  },
                ]
              }
              REQUEST-931-APPLICATION-ATTACK-RFI = {
                rule_group_name = "REQUEST-931-APPLICATION-ATTACK-RFI"

                rule = [
                  {
                    action  = "Log"
                    enabled = true
                    id      = "931130"
                  },
                ]
              }
            }
          }
          BOT = {
            version = "1.0"
            type    = "Microsoft_BotManagerRuleSet"

            rule_group_override = {
              UnknownBots = {
                rule_group_name = "UnknownBots"

                rule = [
                  {
                    action  = "Log"
                    enabled = true
                    id      = "300100"
                  },
                  {
                    action  = "Log"
                    enabled = true
                    id      = "300200"
                  },
                  {
                    action  = "Log"
                    enabled = true
                    id      = "300300"
                  },
                  {
                    action  = "Log"
                    enabled = true
                    id      = "300400"
                  },
                  {
                    action  = "Log"
                    enabled = true
                    id      = "300500"
                  },
                  {
                    action  = "Log"
                    enabled = true
                    id      = "300600"
                  },
                  {
                    action  = "Log"
                    enabled = true
                    id      = "300700"
                  },
                ]
              }
              BadBots = {
                rule_group_name = "BadBots"

                rule = [
                  {
                    action  = "Block"
                    enabled = true
                    id      = "100100"
                  },
                  {
                    action  = "Block"
                    enabled = true
                    id      = "100200"
                  },
                ]
              }
              UnknownBots = {
                rule_group_name = "GoodBots"

                rule = [
                  {
                    action  = "Allow"
                    enabled = true
                    id      = "200100"
                  },
                  {
                    action  = "Log"
                    enabled = true
                    id      = "200200"
                  },
                ]
              }
            }
          }
        }
      }
    }
  }
}

main.tf
# - Web Application Firewall Policy
resource "azurerm_web_application_firewall_policy" "this" {
  for_each            = var.waf_policies
  name                = "wafp-${each.value["name"]}-${lookup(each.value, "location", null) == null ? var.resource_group.location : each.value["location"]}-${each.value["instance"]}"
  location            = lookup(each.value, "location", null) == null ? var.resource_group.location : each.value["location"]
  resource_group_name = var.resource_group.name
  tags                = merge(var.resource_group.tags, lookup(each.value, "tags", null))

  dynamic "custom_rules" { #(Optional) One or more custom_rules blocks as defined below.
    for_each = lookup(each.value, "custom_rules", var.null_array)
    content {
      name = lookup(each.value, "name", null) #(Optional) Gets name of the resource that is unique within a policy. This name can be used to access the resource.

      priority  = each.value["priority"]  #(Required) Describes priority of the rule. Rules with a lower value will be evaluated before rules with a higher value.
      rule_type = each.value["rule_type"] #(Required) Describes the type of rule.
      action    = each.value["action"]    #(Required) Type of action.    

      dynamic "match_conditions" { #(Required) One or more match_conditions blocks as defined below.
        for_each = lookup(custom_rules.value, "match_conditions", var.null_array)
        content {
          match_values = match_conditions.value["match_values"] #(Required) A list of match values.
          operator     = match_conditions.value["operator"]     #(Required) Describes operator to be matched.

          negation_condition = lookup(match_conditions.value, "negation_condition", null) #(Optional) Describes if this is negate condition or not
          transforms         = lookup(match_conditions.value, "transforms", null)         #(Optional) A list of transformations to do before the match is attempted.

          dynamic "match_variables" { #(Required) One or more match_variables blocks as defined below.
            for_each = lookup(match_conditions.value, "match_variables", var.null_array)
            content {
              variable_name = match_variables.value["variable_name"]          #(Required) The name of the Match Variable
              selector      = lookup(match_variables.value, "selector", null) #(Optional) Describes field of the matchVariable collection              
            }
          }
        }
      }
    }
  }

  dynamic "policy_settings" { #(Optional) A policy_settings block as defined below.
    for_each = lookup(each.value, "policy_settings", var.null_array)
    content {
      enabled                     = lookup(each.value, "enabled", null)                     #(Optional) Describes if the policy is in enabled state or disabled state. Defaults to true.
      mode                        = lookup(each.value, "mode", null)                        #(Optional) Describes if it is in detection mode or prevention mode at the policy level. Valid values are Detection and Prevention. Defaults to Prevention.
      file_upload_limit_in_mb     = lookup(each.value, "file_upload_limit_in_mb", null)     #(Optional) The File Upload Limit in MB. Accepted values are in the range 1 to 4000. Defaults to 100.
      request_body_check          = lookup(each.value, "request_body_check", null)          #(Optional) Is Request Body Inspection enabled? Defaults to true.
      max_request_body_size_in_kb = lookup(each.value, "max_request_body_size_in_kb", null) #(Optional) The Maximum Request Body Size in KB. Accepted values are in the range 8 to 2000. Defaults to 128.      
    }
  }

  dynamic "managed_rules" { #(Required) A managed_rules blocks as defined below.
    for_each = lookup(each.value, "managed_rules", var.null_array)
    content {
      dynamic "exclusion" { #(Optional) One or more exclusion block defined below.
        for_each = lookup(managed_rules.value, "exclusion", var.null_array)
        content {
          match_variable          = exclusion.value["match_variable"]          #(Required) The name of the Match Variable. Possible values: RequestArgNames, RequestCookieNames, RequestHeaderNames.
          selector_match_operator = exclusion.value["selector_match_operator"] #(Required) Describes operator to be matched. Possible values: Contains, EndsWith, Equals, EqualsAny, StartsWith.

          selector = lookup(exclusion.value, "selector", null) #(Optional) Describes field of the matchVariable collection.
        }
      }
      dynamic "managed_rule_set" { #(Required) One or more managed_rule_set block defined below.      
        for_each = lookup(managed_rules.value, "managed_rule_set", var.null_array)
        content {
          version = managed_rule_set.value["version"] #(Required) The rule set version. Possible values: 0.1, 1.0, 2.2.9, 3.0, 3.1 and 3.2.

          type = lookup(managed_rule_set.value, "type", null) #(Optional) The rule set type. Possible values: Microsoft_BotManagerRuleSet and OWASP.

          dynamic "rule_group_override" { #(Optional) One or more rule_group_override block defined below.          
            for_each = lookup(managed_rule_set.value, "rule_group_override", var.null_array)
            content {
              rule_group_name = rule_group_override.value["rule_group_name"] #(Required) The name of the Rule Group

              dynamic "rule" { #(Optional) One or more rule_group_override block defined below.          
                for_each = lookup(rule_group_override.value, "rule", var.null_array)
                content {
                  id      = rule.value["id"]                    #(Required) Identifier for the managed rule.
                  enabled = lookup(rule.value, "enabled", null) #(Optional) Describes if the managed rule is in enabled state or disabled state.
                  action  = lookup(rule.value, "action", null)  #(Optional) Describes the override action to be applied when rule matches. Possible values are Allow, AnomalyScoring, Block and Log.
                }
              }
            }
          }
        }
      }
    }
  }

  # Allow management of the WAF policy from the Azure Portal.
  lifecycle {
    ignore_changes = [custom_rules, policy_settings, managed_rules]
  }
}

Debug Output/Panic Output

Planning failed. Terraform encountered an error while generating this plan.

╷
│ Error: `disabled_rules` cannot be set when `rule` is set under `rule_group_override`
│ 
│   with module.application_gateways.azurerm_web_application_firewall_policy.this["AGW-001"],
│   on .terraform/modules/application_gateways/application_gateway/main.tf line 53, in resource "azurerm_web_application_firewall_policy" "this":
│   53: resource "azurerm_web_application_firewall_policy" "this" {
│ 
╵
##[error]Terraform command 'plan' failed with exit code '1'.
##[error]╷
│ Error: `disabled_rules` cannot be set when `rule` is set under `rule_group_override`
│ 
│   with module.application_gateways.azurerm_web_application_firewall_policy.this["AGW-001"],
│   on .terraform/modules/application_gateways/application_gateway/main.tf line 53, in resource "azurerm_web_application_firewall_policy" "this":
│   53: resource "azurerm_web_application_firewall_policy" "this" {
│ 
╵

Expected Behaviour

There is no reference to the older disabled_rules block in any of the configs or the state file, but when going to add managed_rules to be ignored by lifecycle changes so we can start controlling it outside of Terraform the plan states I can't have "disabled_rules" set while "rule" is set. Not in a state to easily move to the latest AzureRM or TF providers, but reviewing the change logs I didn't see anything that seemed related to this.

Actual Behaviour

Warning generates in the TF plan that disabled_rules can't be set.

Steps to Reproduce

terraform plan

Important Factoids

Running from ADO pipelines on a production environment

References

No response
@JAK1047
Copy link
Author

JAK1047 commented Sep 26, 2023

And I'll state it works fine so long as I don't add the lifecycle ignore.

@DaviMarczal
Copy link

Same problem here. No solution found.

@JAK1047
Copy link
Author

JAK1047 commented Sep 27, 2023

Reached out to a colleague at a previous company I was part of and they had the same issue. Eventually just abandoned the state file and started fresh with the entire app gateway outside of Terraform. They are on 3.61.

@JAK1047
Copy link
Author

JAK1047 commented Sep 28, 2023

Near as I can tell the relevant code is at:

https://github.com/hashicorp/terraform-provider-azurerm/blob/f93d250ade87120d0fd7369ea415c51676306a62/internal/services/network/web_application_firewall_policy_resource.go#L477C1-L495

CustomizeDiff: pluginsdk.CustomizeDiffShim(func(ctx context.Context, diff *pluginsdk.ResourceDiff, v interface{}) error {
	if !features.FourPointOhBeta() {
		// Since ConflictsWith cannot be used on these properties and the properties are optional and computed, diff.GetOK may still return value even the property is not configured. Have to check the configuration with GetRawConfig
		managedRuleSetList := diff.GetRawConfig().AsValueMap()["managed_rules"].AsValueSlice()[0].AsValueMap()["managed_rule_set"].AsValueSlice()
		for _, managedRuleSetVal := range managedRuleSetList {
			ruleGroupOverrideList := managedRuleSetVal.AsValueMap()["rule_group_override"].AsValueSlice()
			for _, ruleGroupOverrideVal := range ruleGroupOverrideList {
				disabledRules := ruleGroupOverrideVal.AsValueMap()["disabled_rules"]
				ruleList := ruleGroupOverrideVal.AsValueMap()["rule"].AsValueSlice()
				if !disabledRules.IsNull() && len(ruleList) != 0 {
					return fmt.Errorf("`disabled_rules` cannot be set when `rule` is set under `rule_group_override`")
				}
			}
		}
	}

	return nil
}),

I don't know enough about the inner code to point out the issue, but it seems like disabledRules isn't being set to null when you set managed_rules to be ignored?

@teowa teowa mentioned this issue Sep 28, 2023
Merged
@rcskosir rcskosir added the bug label Sep 29, 2023
@JAK1047
Copy link
Author

JAK1047 commented Oct 17, 2023

It looks like #23412 got created that would resolve this issue. I'm not familiar with the push to prod for the Terraform Azure RM Provider, but how often do these PRs get integrated into releases?

@github-actions github-actions bot added this to the v3.84.0 milestone Dec 7, 2023
@github-actions GitHub Actions
Copy link

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Apr 30, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
bug service/network v/3.x
Projects
None yet
Milestone
v3.84.0
3 participants
@JAK1047 @DaviMarczal @rcskosir