Adding Module code for Azure WAF policy

.github/workflows/checkov.yml

@@ -0,0 +1,25 @@
+
+name: Static security analysis for Terraform
+
+permissions: read-all
+
+on:
+  push:
+    branches:
+    - main
+  pull_request:
+    branches:
+    - main
+jobs:
+  checkov-job:
+    runs-on: ubuntu-latest
+    name: checkov-action
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v2
+
+      - name: Run Checkov action
+        id: checkov
+        uses: bridgecrewio/checkov-action@master
+        with:
+          directory: ./

.gitignore

@@ -0,0 +1,34 @@
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+.terraform.*
+# Crash log files
+crash.log
+
+# Exclude all .tfvars files, which are likely to contain sentitive data, such as
+# password, private keys, and other secrets. These should not be part of version
+# control as they are data points which are potentially sensitive and subject
+# to change depending on the environment.
+#
+*.tfvars
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Include override files you do wish to add to version control using negated pattern
+#
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc

.pre-commit-config.yaml

@@ -0,0 +1,11 @@
+repos:
+- repo: https://github.com/antonbabenko/pre-commit-terraform
+  rev: v1.77.1
+  hooks:
+    - id: terraform_fmt
+    - id: terraform_validate
+    - id: terraform_checkov
+    - id: terraform_docs
+      args:
+          - '--args=--lockfile=false'
+

README.md

@@ -0,0 +1,51 @@
+# Terraform module for Azure WAF Policy
+
+## How to use it as a module
+
+```hcl
+
+```
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13.1 |
+| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | >= 3.0.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | >= 3.0.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [azurerm_web_application_firewall_policy.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/web_application_firewall_policy) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_create_waf_rule"></a> [create\_waf\_rule](#input\_create\_waf\_rule) | Do you want to create WAF rule? | `bool` | `true` | no |
+| <a name="input_custom_rules"></a> [custom\_rules](#input\_custom\_rules) | (Optional) One or more custom\_rules blocks | `any` | `[]` | no |
+| <a name="input_location"></a> [location](#input\_location) | (Required) Resource location. Changing this forces a new resource to be created. | `string` | n/a | yes |
+| <a name="input_managed_rules"></a> [managed\_rules](#input\_managed\_rules) | (Required) A managed\_rules blocks | `any` | <pre>[<br>  {<br>    "managed_rule_set": [<br>      {<br>        "type": "OWASP",<br>        "version": "3.2"<br>      }<br>    ]<br>  }<br>]</pre> | no |
+| <a name="input_name"></a> [name](#input\_name) | (Required) The name of the policy. Changing this forces a new resource to be created. | `string` | n/a | yes |
+| <a name="input_policy_settings"></a> [policy\_settings](#input\_policy\_settings) | (Optional) A policy\_settings block | `any` | `[]` | no |
+| <a name="input_resource_group_name"></a> [resource\_group\_name](#input\_resource\_group\_name) | (Required) The name of the resource group. Changing this forces a new resource to be created. | `string` | n/a | yes |
+| <a name="input_tags"></a> [tags](#input\_tags) | (Optional) A mapping of tags to assign to the Web Application Firewall Policy. | `map(string)` | `{}` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_id"></a> [id](#output\_id) | The ID of the Web Application Firewall Policy. |
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

main.tf

@@ -0,0 +1,114 @@
+resource "azurerm_web_application_firewall_policy" "this" {
+  count = var.create_waf_rule ? 1 : 0
+
+  name                = var.name
+  resource_group_name = var.resource_group_name
+  location            = var.location
+
+
+  dynamic "custom_rules" {
+    for_each = var.custom_rules
+
+    content {
+      name      = try(custom_rules.value.name, null)
+      priority  = try(custom_rules.value.priority)
+      rule_type = try(custom_rules.value.rule_type, null)
+
+      dynamic "match_conditions" {
+        for_each = try(custom_rules.value.match_conditions, [])
+
+        content {
+          match_values       = try(match_conditions.value.match_values, [])
+          operator           = try(match_conditions.value.operator)
+          negation_condition = try(match_conditions.value.negation_condition, null)
+          transforms         = try(match_conditions.value.transforms, [])
+          dynamic "match_variables" {
+            for_each = try(match_conditions.value.match_variables)
+
+            content {
+              variable_name = try(match_variables.value.variable_name)
+              selector      = try(match_variables.value.selector, null)
+            }
+          }
+        }
+      }
+
+      action = try(custom_rules.value.action, "Log")
+    }
+  }
+
+  dynamic "policy_settings" {
+    for_each = var.policy_settings
+
+    content {
+      enabled                     = try(policy_settings.value.enabled, true)
+      mode                        = try(policy_settings.value.mode, "Detection")
+      file_upload_limit_in_mb     = try(policy_settings.value.file_upload_limit_in_mb, 100)
+      request_body_check          = try(policy_settings.value.request_body_check, true)
+      max_request_body_size_in_kb = try(policy_settings.value.max_request_body_size_in_kb, 128)
+    }
+  }
+
+  dynamic "managed_rules" {
+    for_each = var.managed_rules
+
+    content {
+
+      dynamic "exclusion" {
+        for_each = try(managed_rules.value.exclusion, [])
+
+        content {
+          match_variable          = try(exclusion.value.match_variable)
+          selector                = try(exclusion.value.selector)
+          selector_match_operator = try(exclusion.value.selector_match_operator)
+
+          dynamic "excluded_rule_set" {
+            for_each = try(exclusion.value.excluded_rule_set, [])
+
+            content {
+              type    = try(excluded_rule_set.value.type, "OWASP")
+              version = try(excluded_rule_set.value.version, "3.2")
+
+              dynamic "rule_group" {
+                for_each = try(excluded_rule_set.value.rule_group, [])
+
+                content {
+                  rule_group_name = try(rule_group.value.rule_group_name)
+                  excluded_rules  = try(rule_group.value.excluded_rules, [])
+                }
+              }
+            }
+          }
+        }
+      }
+
+      dynamic "managed_rule_set" {
+        for_each = try(managed_rules.value.managed_rule_set, [])
+
+        content {
+          type    = try(managed_rule_set.value.type, null)
+          version = try(managed_rule_set.value.version, null)
+
+          dynamic "rule_group_override" {
+            for_each = try(managed_rule_set.value.rule_group_override, [])
+
+            content {
+              rule_group_name = try(rule_group_override.value.rule_group_name)
+              dynamic "rule" {
+                for_each = try(rule_group_override.value.rule, [])
+                content {
+                  id      = try(rule.value.id)
+                  enabled = try(rule.value.enabled, null)
+                  action  = try(rule.value.action, null)
+                }
+              }
+            }
+
+          }
+        }
+      }
+    }
+  }
+
+  tags = var.tags
+}

outputs.tf

@@ -0,0 +1,4 @@
+output "id" {
+  description = "The ID of the Web Application Firewall Policy."
+  value       = try(azurerm_web_application_firewall_policy.this[0].id, "")
+}

variables.tf

@@ -0,0 +1,53 @@
+variable "create_waf_rule" {
+  type        = bool
+  description = "Do you want to create WAF rule?"
+  default     = true
+}
+
+variable "name" {
+  type        = string
+  description = "(Required) The name of the policy. Changing this forces a new resource to be created."
+}
+
+variable "resource_group_name" {
+  type        = string
+  description = "(Required) The name of the resource group. Changing this forces a new resource to be created."
+}
+
+variable "location" {
+  type        = string
+  description = "(Required) Resource location. Changing this forces a new resource to be created."
+}
+
+variable "custom_rules" {
+  type        = any
+  description = "(Optional) One or more custom_rules blocks"
+  default     = []
+}
+
+variable "policy_settings" {
+  type        = any
+  description = "(Optional) A policy_settings block"
+  default     = []
+}
+
+variable "managed_rules" {
+  type        = any
+  description = "(Required) A managed_rules blocks"
+  default = [
+    {
+      managed_rule_set = [
+        {
+          type    = "OWASP"
+          version = "3.2"
+        }
+      ]
+    }
+  ]
+}
+
+variable "tags" {
+  type        = map(string)
+  description = "(Optional) A mapping of tags to assign to the Web Application Firewall Policy."
+  default     = {}
+}

versions.tf

@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 0.13.1"
+
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = ">= 3.0.0"
+    }
+  }
+}