aztfexport
Importing Application Gateway with Custom WAF Rules does not work
If you have an Azure Application Gateway in WAF_V2 SKU, it imports fine using the inbuilt WAF rules on the Application Gateway.
However, if you use a separate WAF policy and assign these to specific HTTP Listeners on the Application Gateway, these are not recognized or imported.
These would need to go into each specific HTTP Listener block such as the below:

    http_listener {
      name                           = "listener-web-public-443"
      frontend_ip_configuration_name = "public_ipconfig"
      frontend_port_name             = "443"
      protocol                       = "Https"
      require_sni                    = true
      host_name                      = "www.mytestwebsite.com"
      ssl_certificate_name           = "my_public_cert"
      firewall_policy_id             = "/subscriptions/xxxxx-xxxxx-xxxxx-xxxxx-xxxx/resourceGroups/rg-my-appgw/providers/Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/waf-appgw-block"
    }
@andyr8939 Thank you for submitting this!
Assuming you mean the http_listener above exists in the state, but isn't generated in the configuration, would you please check whether the terraform state holds this block? If it doesn't, then it means the provider doesn't get it during importing, which typically indicates the response of GET on the application gateway doesn't return them.
The http_listener block appears in the state and config, but the block doesn't have the firewall_policy_id part.
AzTfy does import the actual waf policy itself fine so it's easy to link them but yeah, it doesn't seem to have done that.
Overall though, very impressive. I was testing it out compared to my already built config I have used for a while and this was the only difference I could spot which is amazing.
@andyr8939 As I'm not so familiar with waf policy, I'm wondering if you can provide me a simplified state file (with the sensitive values redacted of course), so that I can use https://github.com/magodo/tfadd to debug the issue.
@andyr8939 Do you have an example TF config that I can provision and try importing with aztfy, to further troubleshoot this issue?
@andyr8939 There is a new CLI option called --full-properties, which can export all the non-computed-only attributes for the terrafied resources. That should solve your issues. But keep in mind in that case, the config probably needs manual modifications to make it valid.
I'm gonna close this issue for now, please feel free to reopen it if you have other questions.
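Added example (not from the thread or the aztfexport project): a Python check that compares per-listener WAF policy associations in the gateway's ARM JSON against the exported Terraform state and lists listeners whose firewall_policy_id was dropped, the gap reported above. It assumes the inputs have the shape of `az network application-gateway show` and `terraform show -json` output and that the state holds a single gateway; the function names and sample data are constructed for illustration.

```python
import json

# Constructed sample inputs; the policy ID is the redacted one quoted in the issue.
POLICY_ID = ("/subscriptions/xxxxx-xxxxx-xxxxx-xxxxx-xxxx/resourceGroups/rg-my-appgw"
             "/providers/Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies"
             "/waf-appgw-block")
SAMPLE_GATEWAY = {"httpListeners": [  # assumed shape of `az network application-gateway show`
    {"name": "listener-web-public-443", "firewallPolicy": {"id": POLICY_ID}},
    {"name": "listener-api-public-443", "firewallPolicy": None},
]}
SAMPLE_STATE = {"values": {"root_module": {"resources": [{  # shape of `terraform show -json`
    "type": "azurerm_application_gateway", "name": "res-0",
    "values": {"http_listener": [
        {"name": "listener-web-public-443", "firewall_policy_id": ""},
        {"name": "listener-api-public-443", "firewall_policy_id": ""},
    ]},
}]}}}


def policies_in_state(state):
    """Listener name -> firewall_policy_id (None if unset); assumes one gateway in state."""
    found = {}

    def walk(module):
        for res in module.get("resources", []):
            if res.get("type") == "azurerm_application_gateway":
                for lst in res.get("values", {}).get("http_listener", []):
                    found[lst["name"]] = lst.get("firewall_policy_id") or None
        for child in module.get("child_modules", []):
            walk(child)

    walk(state.get("values", {}).get("root_module", {}))
    return found


def missing_waf_links(gateway, state):
    """Return (listener, azure_policy_id, state_policy_id) for each dropped or changed link."""
    in_state = policies_in_state(state)
    drift = []
    for lst in gateway.get("httpListeners", []):
        azure_id = (lst.get("firewallPolicy") or {}).get("id")
        state_id = in_state.get(lst["name"])
        # Azure resource IDs are case-insensitive, so compare lowercased.
        if azure_id and (state_id or "").lower() != azure_id.lower():
            drift.append((lst["name"], azure_id, state_id))
    return sorted(drift, key=lambda d: d[0])


if __name__ == "__main__":
    print(json.dumps(missing_waf_links(SAMPLE_GATEWAY, SAMPLE_STATE), indent=2))
```

An empty result means every listener that has its own WAF policy in Azure carries the same policy ID in the state, so the association is present in what was exported.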