Bicep resource definition
The profiles/securityPolicies resource type can be deployed with operations that target:
- Resource groups - See resource group deployment commands
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.Cdn/profiles/securityPolicies resource, add the following Bicep to your template.
```bicep
resource symbolicname 'Microsoft.Cdn/profiles/securityPolicies@2025-09-01-preview' = {
  parent: resourceSymbolicName
  name: 'string'
  properties: {
    parameters: {
      type: 'string'
      // For remaining properties, see SecurityPolicyPropertiesParameters objects
    }
  }
}
```
SecurityPolicyPropertiesParameters objects
Set the type property to specify the type of object.
For WebApplicationFirewall, use:
```bicep
{
  associations: [
    {
      domains: [
        {
          id: 'string'
        }
      ]
      patternsToMatch: [
        'string'
      ]
    }
  ]
  type: 'WebApplicationFirewall'
  wafPolicy: {
    id: 'string'
  }
}
```
For WebApplicationFirewallEmbedded, use:
```bicep
{
  associations: [
    {
      domains: [
        {
          id: 'string'
        }
      ]
      patternsToMatch: [
        'string'
      ]
    }
  ]
  type: 'WebApplicationFirewallEmbedded'
  wafPolicy: {
    etag: 'string'
    properties: {
      customRules: {
        rules: [
          {
            action: 'string'
            enabledState: 'string'
            groupBy: [
              {
                variableName: 'string'
              }
            ]
            matchConditions: [
              {
                matchValue: [
                  'string'
                ]
                matchVariable: 'string'
                negateCondition: bool
                operator: 'string'
                selector: 'string'
                transforms: [
                  'string'
                ]
              }
            ]
            name: 'string'
            priority: int
            rateLimitDurationInMinutes: int
            rateLimitThreshold: int
            ruleType: 'string'
          }
        ]
      }
      managedRules: {
        managedRuleSets: [
          {
            exclusions: [
              {
                matchVariable: 'string'
                selector: 'string'
                selectorMatchOperator: 'string'
              }
            ]
            ruleGroupOverrides: [
              {
                exclusions: [
                  {
                    matchVariable: 'string'
                    selector: 'string'
                    selectorMatchOperator: 'string'
                  }
                ]
                ruleGroupName: 'string'
                rules: [
                  {
                    action: 'string'
                    enabledState: 'string'
                    exclusions: [
                      {
                        matchVariable: 'string'
                        selector: 'string'
                        selectorMatchOperator: 'string'
                      }
                    ]
                    ruleId: 'string'
                  }
                ]
              }
            ]
            ruleSetAction: 'string'
            ruleSetType: 'string'
            ruleSetVersion: 'string'
          }
        ]
      }
      policySettings: {
        captchaExpirationInMinutes: int
        customBlockResponseBody: 'string'
        customBlockResponseStatusCode: int
        enabledState: 'string'
        javascriptChallengeExpirationInMinutes: int
        logScrubbing: {
          scrubbingRules: [
            {
              matchVariable: 'string'
              selector: 'string'
              selectorMatchOperator: 'string'
              state: 'string'
            }
          ]
          state: 'string'
        }
        mode: 'string'
        redirectUrl: 'string'
        requestBodyCheck: 'string'
      }
    }
    sku: {
      name: 'string'
    }
  }
}
```
Property Values
Microsoft.Cdn/profiles/securityPolicies
| Name | Description | Value |
|---|---|---|
| name | The resource name | string (required) |
| parent | In Bicep, you can specify the parent resource for a child resource. You only need to add this property when the child resource is declared outside of the parent resource. For more information, see Child resource outside parent resource. | Symbolic name for resource of type: profiles |
| properties | The json object that contains properties required to create a security policy | SecurityPolicyProperties |
ActivatedResourceReference
| Name | Description | Value |
|---|---|---|
| id | Resource ID. | string |
CustomRuleAfd
| Name | Description | Value |
|---|---|---|
| action | Describes what action to be applied when rule matches. | 'Allow' 'AnomalyScoring' 'Block' 'CAPTCHA' 'JSChallenge' 'Log' 'Redirect' (required) |
| enabledState | Describes if the custom rule is in enabled or disabled state. Defaults to Enabled if not specified. | 'Disabled' 'Enabled' |
| groupBy | Describes the list of variables to group the rate limit requests | GroupByVariable[] |
| matchConditions | List of match conditions. | MatchConditionAfd[] (required) |
| name | Describes the name of the rule. | string Constraints: Max length = 128 |
| priority | Describes priority of the rule. Rules with a lower value will be evaluated before rules with a higher value. | int (required) |
| rateLimitDurationInMinutes | Time window for resetting the rate limit count. Default is 1 minute. | int Constraints: Min value = 0 Max value = 5 |
| rateLimitThreshold | Number of allowed requests per client within the time window. | int Constraints: Min value = 0 |
| ruleType | Describes type of rule. | 'MatchRule' 'RateLimitRule' (required) |
CustomRuleListAfd
| Name | Description | Value |
|---|---|---|
| rules | List of rules | CustomRuleAfd[] |
GroupByVariable
| Name | Description | Value |
|---|---|---|
| variableName | Describes the supported variable for group by | 'GeoLocation' 'None' 'SocketAddr' (required) |
ManagedRuleExclusion
| Name | Description | Value |
|---|---|---|
| matchVariable | The variable type to be excluded. | 'QueryStringArgNames' 'RequestBodyJsonArgNames' 'RequestBodyPostArgNames' 'RequestCookieNames' 'RequestHeaderNames' (required) |
| selector | Selector value for which elements in the collection this exclusion applies to. | string (required) |
| selectorMatchOperator | Comparison operator to apply to the selector when specifying which elements in the collection this exclusion applies to. | 'Contains' 'EndsWith' 'Equals' 'EqualsAny' 'StartsWith' (required) |
ManagedRuleGroupOverrideAfd
| Name | Description | Value |
|---|---|---|
| exclusions | Describes the exclusions that are applied to all rules in the group. | ManagedRuleExclusion[] |
| ruleGroupName | Describes the managed rule group to override. | string (required) |
| rules | List of rules that will be disabled. If none specified, all rules in the group will be disabled. | ManagedRuleOverrideAfd[] |
ManagedRuleOverrideAfd
| Name | Description | Value |
|---|---|---|
| action | Describes the override action to be applied when rule matches. | 'Allow' 'AnomalyScoring' 'Block' 'CAPTCHA' 'JSChallenge' 'Log' 'Redirect' |
| enabledState | Describes if the managed rule is in enabled or disabled state. Defaults to Disabled if not specified. | 'Disabled' 'Enabled' |
| exclusions | Describes the exclusions that are applied to this specific rule. | ManagedRuleExclusion[] |
| ruleId | Identifier for the managed rule. | string (required) |
ManagedRuleSetAfd
| Name | Description | Value |
|---|---|---|
| exclusions | Describes the exclusions that are applied to all rules in the set. | ManagedRuleExclusion[] |
| ruleGroupOverrides | Defines the rule group overrides to apply to the rule set. | ManagedRuleGroupOverrideAfd[] |
| ruleSetAction | Defines the rule set action. | 'Block' 'Log' 'Redirect' |
| ruleSetType | Defines the rule set type to use. | string (required) |
| ruleSetVersion | Defines the version of the rule set to use. | string (required) |
ManagedRuleSetListAfd
| Name | Description | Value |
|---|---|---|
| managedRuleSets | List of rule sets. | ManagedRuleSetAfd[] |
MatchConditionAfd
| Name | Description | Value |
|---|---|---|
| matchValue | List of possible match values. | string[] (required) |
| matchVariable | Request variable to compare with. | 'ClientPort' 'Cookies' 'HostName' 'HttpVersion' 'IsDevice' 'PostArgs' 'QueryString' 'RemoteAddress' 'RequestBody' 'RequestHeader' 'RequestMethod' 'RequestScheme' 'RequestUri' 'ServerPort' 'SocketAddr' 'SslProtocol' 'UrlFileExtension' 'UrlFileName' 'UrlPath' (required) |
| negateCondition | Describes if the result of this condition should be negated. | bool |
| operator | Comparison type to use for matching with the variable value. | 'Any' 'BeginsWith' 'Contains' 'EndsWith' 'Equal' 'GeoMatch' 'GreaterThan' 'GreaterThanOrEqual' 'IPMatch' 'LessThan' 'LessThanOrEqual' 'RegEx' (required) |
| selector | Match against a specific key from the QueryString, PostArgs, RequestHeader or Cookies variables. Default is null. | string |
| transforms | List of transforms. | String array containing any of: 'Lowercase' 'RemoveNulls' 'Trim' 'Uppercase' 'UrlDecode' 'UrlEncode' |
PolicySettingsAfd
| Name | Description | Value |
|---|---|---|
| captchaExpirationInMinutes | Defines the Captcha cookie validity lifetime in minutes. This setting is only applicable to Premium_AzureFrontDoor. Value must be an integer between 5 and 1440 with the default value being 30. | int Constraints: Min value = 5 Max value = 1440 |
| customBlockResponseBody | If the action type is block, customer can override the response body. The body must be specified in base64 encoding. | string Constraints: Pattern = ^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$ |
| customBlockResponseStatusCode | If the action type is block, customer can override the response status code. | int |
| enabledState | Describes if the policy is in enabled or disabled state. Defaults to Enabled if not specified. | 'Disabled' 'Enabled' |
| javascriptChallengeExpirationInMinutes | Defines the JavaScript challenge cookie validity lifetime in minutes. This setting is only applicable to Premium_AzureFrontDoor. Value must be an integer between 5 and 1440 with the default value being 30. | int Constraints: Min value = 5 Max value = 1440 |
| logScrubbing | Defines rules that scrub sensitive fields in the Web Application Firewall logs. | PolicySettingsLogScrubbing |
| mode | Describes if it is in detection mode or prevention mode at policy level. | 'Detection' 'Prevention' |
| redirectUrl | If action type is redirect, this field represents redirect URL for the client. | string |
| requestBodyCheck | Describes if policy managed rules will inspect the request body content. | 'Disabled' 'Enabled' |
PolicySettingsLogScrubbing
| Name | Description | Value |
|---|---|---|
| scrubbingRules | List of log scrubbing rules applied to the Web Application Firewall logs. | WebApplicationFirewallScrubbingRules[] |
| state | State of the log scrubbing config. Default value is Enabled. | 'Disabled' 'Enabled' |
ResourceReference
| Name | Description | Value |
|---|---|---|
| id | Resource ID. | string |
SecurityPolicyProperties
| Name | Description | Value |
|---|---|---|
| parameters | object which contains security policy parameters | SecurityPolicyPropertiesParameters |
SecurityPolicyPropertiesParameters
| Name | Description | Value |
|---|---|---|
| type | Set to 'WebApplicationFirewall' for type SecurityPolicyWebApplicationFirewallParameters. Set to 'WebApplicationFirewallEmbedded' for type SecurityPolicyWebApplicationFirewallParametersWithEmbeddedWafPolicy. | 'WebApplicationFirewall' 'WebApplicationFirewallEmbedded' (required) |
SecurityPolicyWebApplicationFirewallAssociation
| Name | Description | Value |
|---|---|---|
| domains | List of domains. | ActivatedResourceReference[] |
| patternsToMatch | List of paths | string[] |
SecurityPolicyWebApplicationFirewallParameters
| Name | Description | Value |
|---|---|---|
| associations | Waf associations | SecurityPolicyWebApplicationFirewallAssociation[] |
| type | The type of the Security policy to create. | 'WebApplicationFirewall' (required) |
| wafPolicy | Resource ID. | ResourceReference |
SecurityPolicyWebApplicationFirewallParametersWithEmbeddedWafPolicy
| Name | Description | Value |
|---|---|---|
| associations | Waf associations | SecurityPolicyWebApplicationFirewallAssociation[] |
| type | The type of the Security policy to create. | 'WebApplicationFirewallEmbedded' (required) |
| wafPolicy | Properties of the web application firewall policy. | WebApplicationFirewallPolicy |
Sku
| Name | Description | Value |
|---|---|---|
| name | Name of the pricing tier. | 'Classic_AzureFrontDoor' 'Custom_Verizon' 'Premium_AzureFrontDoor' 'Premium_Verizon' 'StandardPlus_955BandWidth_ChinaCdn' 'StandardPlus_AvgBandWidth_ChinaCdn' 'StandardPlus_ChinaCdn' 'Standard_955BandWidth_ChinaCdn' 'Standard_Akamai' 'Standard_AvgBandWidth_ChinaCdn' 'Standard_AzureFrontDoor' 'Standard_ChinaCdn' 'Standard_Microsoft' 'Standard_Verizon' |
WebApplicationFirewallPolicy
| Name | Description | Value |
|---|---|---|
| etag | Gets a unique read-only string that changes whenever the resource is updated. | string |
| properties | Properties of the web application firewall policy. | WebApplicationFirewallPolicyProperties |
| sku | The pricing tier of web application firewall policy. Defaults to Classic_AzureFrontDoor if not specified. | Sku |
WebApplicationFirewallPolicyProperties
| Name | Description | Value |
|---|---|---|
| customRules | Describes custom rules inside the policy. | CustomRuleListAfd |
| managedRules | Describes managed rules inside the policy. | ManagedRuleSetListAfd |
| policySettings | Describes settings for the policy. | PolicySettingsAfd |
WebApplicationFirewallScrubbingRules
| Name | Description | Value |
|---|---|---|
| matchVariable | The variable to be scrubbed from the logs. | 'QueryStringArgNames' 'RequestBodyJsonArgNames' 'RequestBodyPostArgNames' 'RequestCookieNames' 'RequestHeaderNames' 'RequestIPAddress' 'RequestUri' (required) |
| selector | When matchVariable is a collection, operator used to specify which elements in the collection this rule applies to. | string |
| selectorMatchOperator | When matchVariable is a collection, operate on the selector to specify which elements in the collection this rule applies to. | 'Equals' 'EqualsAny' (required) |
| state | Defines the state of a log scrubbing rule. Default value is enabled. | 'Disabled' 'Enabled' |
Usage Examples
Bicep Samples
A basic example of deploying a Front Door (Standard/Premium) security policy that references a separately deployed WAF policy by resource ID.
```bicep
param resourceName string = 'acctest0001'

resource frontdoorwebapplicationfirewallpolicy 'Microsoft.Network/FrontDoorWebApplicationFirewallPolicies@2020-11-01' = {
  name: resourceName
  location: 'global'
  properties: {
    customRules: {
      rules: [
        {
          action: 'Block'
          enabledState: 'Enabled'
          matchConditions: [
            {
              matchValue: [
                '192.168.1.0/24'
                '10.0.0.0/24'
              ]
              matchVariable: 'RemoteAddr'
              negateCondition: false
              operator: 'IPMatch'
            }
          ]
          name: 'Rule1'
          priority: 1
          rateLimitDurationInMinutes: 1
          rateLimitThreshold: 10
          ruleType: 'MatchRule'
        }
      ]
    }
    managedRules: {
      managedRuleSets: [
        {
          ruleGroupOverrides: [
            {
              ruleGroupName: 'PHP'
              rules: [
                {
                  action: 'Block'
                  enabledState: 'Disabled'
                  ruleId: '933111'
                }
              ]
            }
          ]
          ruleSetAction: 'Block'
          ruleSetType: 'DefaultRuleSet'
          ruleSetVersion: 'preview-0.1'
        }
        {
          ruleSetAction: 'Block'
          ruleSetType: 'BotProtection'
          ruleSetVersion: 'preview-0.1'
        }
      ]
    }
    policySettings: {
      customBlockResponseBody: 'PGh0bWw+CjxoZWFkZXI+PHRpdGxlPkhlbGxvPC90aXRsZT48L2hlYWRlcj4KPGJvZHk+CkhlbGxvIHdvcmxkCjwvYm9keT4KPC9odG1sPg=='
      customBlockResponseStatusCode: 403
      enabledState: 'Enabled'
      mode: 'Prevention'
      redirectUrl: 'https://www.fabrikam.com'
    }
  }
  sku: {
    name: 'Premium_AzureFrontDoor'
  }
}

resource dnsZone 'Microsoft.Network/dnsZones@2018-05-01' = {
  name: '${resourceName}.com'
  location: 'global'
}

resource profile 'Microsoft.Cdn/profiles@2021-06-01' = {
  name: resourceName
  location: 'global'
  properties: {
    originResponseTimeoutSeconds: 120
  }
  sku: {
    name: 'Premium_AzureFrontDoor'
  }
}

resource customDomain 'Microsoft.Cdn/profiles/customDomains@2021-06-01' = {
  parent: profile
  name: resourceName
  properties: {
    azureDnsZone: {
      id: dnsZone.id
    }
    hostName: 'fabrikam.acctest0001.com'
    tlsSettings: {
      certificateType: 'ManagedCertificate'
      minimumTlsVersion: 'TLS12'
    }
  }
}

resource securityPolicy 'Microsoft.Cdn/profiles/securityPolicies@2021-06-01' = {
  parent: profile
  name: resourceName
  properties: {
    parameters: {
      associations: [
        {
          domains: [
            {
              id: customDomain.id
            }
          ]
          patternsToMatch: [
            '/*'
          ]
        }
      ]
      type: 'WebApplicationFirewall'
      wafPolicy: {
        id: frontdoorwebapplicationfirewallpolicy.id
      }
    }
  }
}
```
Azure Quickstart Samples
The following Azure Quickstart templates contain Bicep samples for deploying this resource type.
| Bicep File | Description |
|---|---|
| Front Door Premium with blob origin and Private Link | This template creates a Front Door Premium and an Azure Storage blob container, and uses a private endpoint for Front Door to send traffic to the storage account. |
| Front Door Premium with WAF and Microsoft-managed rule sets | This template creates a Front Door Premium including a web application firewall with the Microsoft-managed default and bot protection rule sets. |
| Front Door Standard/Premium with geo-filtering | This template creates a Front Door Standard/Premium including a web application firewall with a geo-filtering rule. |
| Front Door Standard/Premium with rate limit | This template creates a Front Door Standard/Premium including a web application firewall with a rate limit rule. |
| Front Door Standard/Premium with WAF and custom rule | This template creates a Front Door Standard/Premium including a web application firewall with a custom rule. |
| Front Door with blob origins for blobs upload | This template creates a Front Door with origins, routes and rule sets, and Azure Storage accounts with blob containers. Front Door sends traffic to the storage accounts when uploading files. |
| FrontDoor CDN with WAF, Domains and Logs to EventHub | This template creates a new Azure Front Door CDN profile, a WAF with custom and managed rules, CDN routes, origins and origin groups with their associations to the WAF and routes, custom domains, and an event hub with diagnostic settings that send CDN access logs to the event hub. |
| Function App secured by Azure Frontdoor | This template deploys an Azure Premium function app protected and published by Azure Front Door Premium. The connection between Azure Front Door and Azure Functions is protected by Azure Private Link. |
ARM template resource definition
The profiles/securityPolicies resource type can be deployed with operations that target:
- Resource groups - See resource group deployment commands
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.Cdn/profiles/securityPolicies resource, add the following JSON to your template.
```json
{
  "type": "Microsoft.Cdn/profiles/securityPolicies",
  "apiVersion": "2025-09-01-preview",
  "name": "string",
  "properties": {
    "parameters": {
      "type": "string"
      // For remaining properties, see SecurityPolicyPropertiesParameters objects
    }
  }
}
```
SecurityPolicyPropertiesParameters objects
Set the type property to specify the type of object.
For WebApplicationFirewall, use:
```json
{
  "associations": [
    {
      "domains": [
        {
          "id": "string"
        }
      ],
      "patternsToMatch": [ "string" ]
    }
  ],
  "type": "WebApplicationFirewall",
  "wafPolicy": {
    "id": "string"
  }
}
```
For WebApplicationFirewallEmbedded, use:
```json
{
  "associations": [
    {
      "domains": [
        {
          "id": "string"
        }
      ],
      "patternsToMatch": [ "string" ]
    }
  ],
  "type": "WebApplicationFirewallEmbedded",
  "wafPolicy": {
    "etag": "string",
    "properties": {
      "customRules": {
        "rules": [
          {
            "action": "string",
            "enabledState": "string",
            "groupBy": [
              {
                "variableName": "string"
              }
            ],
            "matchConditions": [
              {
                "matchValue": [ "string" ],
                "matchVariable": "string",
                "negateCondition": "bool",
                "operator": "string",
                "selector": "string",
                "transforms": [ "string" ]
              }
            ],
            "name": "string",
            "priority": "int",
            "rateLimitDurationInMinutes": "int",
            "rateLimitThreshold": "int",
            "ruleType": "string"
          }
        ]
      },
      "managedRules": {
        "managedRuleSets": [
          {
            "exclusions": [
              {
                "matchVariable": "string",
                "selector": "string",
                "selectorMatchOperator": "string"
              }
            ],
            "ruleGroupOverrides": [
              {
                "exclusions": [
                  {
                    "matchVariable": "string",
                    "selector": "string",
                    "selectorMatchOperator": "string"
                  }
                ],
                "ruleGroupName": "string",
                "rules": [
                  {
                    "action": "string",
                    "enabledState": "string",
                    "exclusions": [
                      {
                        "matchVariable": "string",
                        "selector": "string",
                        "selectorMatchOperator": "string"
                      }
                    ],
                    "ruleId": "string"
                  }
                ]
              }
            ],
            "ruleSetAction": "string",
            "ruleSetType": "string",
            "ruleSetVersion": "string"
          }
        ]
      },
      "policySettings": {
        "captchaExpirationInMinutes": "int",
        "customBlockResponseBody": "string",
        "customBlockResponseStatusCode": "int",
        "enabledState": "string",
        "javascriptChallengeExpirationInMinutes": "int",
        "logScrubbing": {
          "scrubbingRules": [
            {
              "matchVariable": "string",
              "selector": "string",
              "selectorMatchOperator": "string",
              "state": "string"
            }
          ],
          "state": "string"
        },
        "mode": "string",
        "redirectUrl": "string",
        "requestBodyCheck": "string"
      }
    },
    "sku": {
      "name": "string"
    }
  }
}
```
Property Values
Microsoft.Cdn/profiles/securityPolicies
| Name | Description | Value |
|---|---|---|
| apiVersion | The api version | '2025-09-01-preview' |
| name | The resource name | string (required) |
| properties | The json object that contains properties required to create a security policy | SecurityPolicyProperties |
| type | The resource type | 'Microsoft.Cdn/profiles/securityPolicies' |
ActivatedResourceReference
| Name | Description | Value |
|---|---|---|
| id | Resource ID. | string |
CustomRuleAfd
| Name | Description | Value |
|---|---|---|
| action | Describes what action to be applied when rule matches. | 'Allow' 'AnomalyScoring' 'Block' 'CAPTCHA' 'JSChallenge' 'Log' 'Redirect' (required) |
| enabledState | Describes if the custom rule is in enabled or disabled state. Defaults to Enabled if not specified. | 'Disabled' 'Enabled' |
| groupBy | Describes the list of variables to group the rate limit requests | GroupByVariable[] |
| matchConditions | List of match conditions. | MatchConditionAfd[] (required) |
| name | Describes the name of the rule. | string Constraints: Max length = 128 |
| priority | Describes priority of the rule. Rules with a lower value will be evaluated before rules with a higher value. | int (required) |
| rateLimitDurationInMinutes | Time window for resetting the rate limit count. Default is 1 minute. | int Constraints: Min value = 0 Max value = 5 |
| rateLimitThreshold | Number of allowed requests per client within the time window. | int Constraints: Min value = 0 |
| ruleType | Describes type of rule. | 'MatchRule' 'RateLimitRule' (required) |
CustomRuleListAfd
| Name | Description | Value |
|---|---|---|
| rules | List of rules | CustomRuleAfd[] |
GroupByVariable
| Name | Description | Value |
|---|---|---|
| variableName | Describes the supported variable for group by | 'GeoLocation' 'None' 'SocketAddr' (required) |
ManagedRuleExclusion
| Name | Description | Value |
|---|---|---|
| matchVariable | The variable type to be excluded. | 'QueryStringArgNames' 'RequestBodyJsonArgNames' 'RequestBodyPostArgNames' 'RequestCookieNames' 'RequestHeaderNames' (required) |
| selector | Selector value for which elements in the collection this exclusion applies to. | string (required) |
| selectorMatchOperator | Comparison operator to apply to the selector when specifying which elements in the collection this exclusion applies to. | 'Contains' 'EndsWith' 'Equals' 'EqualsAny' 'StartsWith' (required) |
ManagedRuleGroupOverrideAfd
| Name | Description | Value |
|---|---|---|
| exclusions | Describes the exclusions that are applied to all rules in the group. | ManagedRuleExclusion[] |
| ruleGroupName | Describes the managed rule group to override. | string (required) |
| rules | List of rules that will be disabled. If none specified, all rules in the group will be disabled. | ManagedRuleOverrideAfd[] |
ManagedRuleOverrideAfd
| Name | Description | Value |
|---|---|---|
| action | Describes the override action to be applied when rule matches. | 'Allow' 'AnomalyScoring' 'Block' 'CAPTCHA' 'JSChallenge' 'Log' 'Redirect' |
| enabledState | Describes if the managed rule is in enabled or disabled state. Defaults to Disabled if not specified. | 'Disabled' 'Enabled' |
| exclusions | Describes the exclusions that are applied to this specific rule. | ManagedRuleExclusion[] |
| ruleId | Identifier for the managed rule. | string (required) |
ManagedRuleSetAfd
| Name | Description | Value |
|---|---|---|
| exclusions | Describes the exclusions that are applied to all rules in the set. | ManagedRuleExclusion[] |
| ruleGroupOverrides | Defines the rule group overrides to apply to the rule set. | ManagedRuleGroupOverrideAfd[] |
| ruleSetAction | Defines the rule set action. | 'Block' 'Log' 'Redirect' |
| ruleSetType | Defines the rule set type to use. | string (required) |
| ruleSetVersion | Defines the version of the rule set to use. | string (required) |
ManagedRuleSetListAfd
| Name | Description | Value |
|---|---|---|
| managedRuleSets | List of rule sets. | ManagedRuleSetAfd[] |
MatchConditionAfd
| Name | Description | Value |
|---|---|---|
| matchValue | List of possible match values. | string[] (required) |
| matchVariable | Request variable to compare with. | 'ClientPort' 'Cookies' 'HostName' 'HttpVersion' 'IsDevice' 'PostArgs' 'QueryString' 'RemoteAddress' 'RequestBody' 'RequestHeader' 'RequestMethod' 'RequestScheme' 'RequestUri' 'ServerPort' 'SocketAddr' 'SslProtocol' 'UrlFileExtension' 'UrlFileName' 'UrlPath' (required) |
| negateCondition | Describes if the result of this condition should be negated. | bool |
| operator | Comparison type to use for matching with the variable value. | 'Any' 'BeginsWith' 'Contains' 'EndsWith' 'Equal' 'GeoMatch' 'GreaterThan' 'GreaterThanOrEqual' 'IPMatch' 'LessThan' 'LessThanOrEqual' 'RegEx' (required) |
| selector | Match against a specific key from the QueryString, PostArgs, RequestHeader or Cookies variables. Default is null. | string |
| transforms | List of transforms. | String array containing any of: 'Lowercase' 'RemoveNulls' 'Trim' 'Uppercase' 'UrlDecode' 'UrlEncode' |
PolicySettingsAfd
| Name | Description | Value |
|---|---|---|
| captchaExpirationInMinutes | Defines the Captcha cookie validity lifetime in minutes. This setting is only applicable to Premium_AzureFrontDoor. Value must be an integer between 5 and 1440 with the default value being 30. | int Constraints: Min value = 5 Max value = 1440 |
| customBlockResponseBody | If the action type is block, customer can override the response body. The body must be specified in base64 encoding. | string Constraints: Pattern = ^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$ |
| customBlockResponseStatusCode | If the action type is block, customer can override the response status code. | int |
| enabledState | Describes if the policy is in enabled or disabled state. Defaults to Enabled if not specified. | 'Disabled' 'Enabled' |
| javascriptChallengeExpirationInMinutes | Defines the JavaScript challenge cookie validity lifetime in minutes. This setting is only applicable to Premium_AzureFrontDoor. Value must be an integer between 5 and 1440 with the default value being 30. | int Constraints: Min value = 5 Max value = 1440 |
| logScrubbing | Defines rules that scrub sensitive fields in the Web Application Firewall logs. | PolicySettingsLogScrubbing |
| mode | Describes if it is in detection mode or prevention mode at policy level. | 'Detection' 'Prevention' |
| redirectUrl | If action type is redirect, this field represents redirect URL for the client. | string |
| requestBodyCheck | Describes if policy managed rules will inspect the request body content. | 'Disabled' 'Enabled' |
PolicySettingsLogScrubbing
| Name | Description | Value |
|---|---|---|
| scrubbingRules | List of log scrubbing rules applied to the Web Application Firewall logs. | WebApplicationFirewallScrubbingRules[] |
| state | State of the log scrubbing config. Default value is Enabled. | 'Disabled' 'Enabled' |
ResourceReference
| Name | Description | Value |
|---|---|---|
| id | Resource ID. | string |
SecurityPolicyProperties
| Name | Description | Value |
|---|---|---|
| parameters | object which contains security policy parameters | SecurityPolicyPropertiesParameters |
SecurityPolicyPropertiesParameters
| Name | Description | Value |
|---|---|---|
| type | Set to 'WebApplicationFirewall' for type SecurityPolicyWebApplicationFirewallParameters. Set to 'WebApplicationFirewallEmbedded' for type SecurityPolicyWebApplicationFirewallParametersWithEmbeddedWafPolicy. | 'WebApplicationFirewall' 'WebApplicationFirewallEmbedded' (required) |
SecurityPolicyWebApplicationFirewallAssociation
| Name | Description | Value |
|---|---|---|
| domains | List of domains. | ActivatedResourceReference[] |
| patternsToMatch | List of paths | string[] |
SecurityPolicyWebApplicationFirewallParameters
| Name | Description | Value |
|---|---|---|
| associations | Waf associations | SecurityPolicyWebApplicationFirewallAssociation[] |
| type | The type of the Security policy to create. | 'WebApplicationFirewall' (required) |
| wafPolicy | Resource ID. | ResourceReference |
SecurityPolicyWebApplicationFirewallParametersWithEmbeddedWafPolicy
| Name | Description | Value |
|---|---|---|
| associations | Waf associations | SecurityPolicyWebApplicationFirewallAssociation[] |
| type | The type of the Security policy to create. | 'WebApplicationFirewallEmbedded' (required) |
| wafPolicy | Properties of the web application firewall policy. | WebApplicationFirewallPolicy |
Sku
| Name | Description | Value |
|---|---|---|
| name | Name of the pricing tier. | 'Classic_AzureFrontDoor' 'Custom_Verizon' 'Premium_AzureFrontDoor' 'Premium_Verizon' 'StandardPlus_955BandWidth_ChinaCdn' 'StandardPlus_AvgBandWidth_ChinaCdn' 'StandardPlus_ChinaCdn' 'Standard_955BandWidth_ChinaCdn' 'Standard_Akamai' 'Standard_AvgBandWidth_ChinaCdn' 'Standard_AzureFrontDoor' 'Standard_ChinaCdn' 'Standard_Microsoft' 'Standard_Verizon' |
WebApplicationFirewallPolicy
| Name | Description | Value |
|---|---|---|
| etag | Gets a unique read-only string that changes whenever the resource is updated. | string |
| properties | Properties of the web application firewall policy. | WebApplicationFirewallPolicyProperties |
| sku | The pricing tier of web application firewall policy. Defaults to Classic_AzureFrontDoor if not specified. | Sku |
WebApplicationFirewallPolicyProperties
| Name | Description | Value |
|---|---|---|
| customRules | Describes custom rules inside the policy. | CustomRuleListAfd |
| managedRules | Describes managed rules inside the policy. | ManagedRuleSetListAfd |
| policySettings | Describes settings for the policy. | PolicySettingsAfd |
WebApplicationFirewallScrubbingRules
| Name | Description | Value |
|---|---|---|
| matchVariable | The variable to be scrubbed from the logs. | 'QueryStringArgNames' 'RequestBodyJsonArgNames' 'RequestBodyPostArgNames' 'RequestCookieNames' 'RequestHeaderNames' 'RequestIPAddress' 'RequestUri' (required) |
| selector | When matchVariable is a collection, operator used to specify which elements in the collection this rule applies to. | string |
| selectorMatchOperator | When matchVariable is a collection, operate on the selector to specify which elements in the collection this rule applies to. | 'Equals' 'EqualsAny' (required) |
| state | Defines the state of a log scrubbing rule. Default value is enabled. | 'Disabled' 'Enabled' |
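The property tables above (in both the Bicep and ARM sections) state the constraints a security policy must honour, but a template only reports most of them at deployment time. The following Python, added here as an example and not Microsoft's or the page's own code, builds the `properties.parameters` object for a `WebApplicationFirewallEmbedded` policy and checks it against those constraints (required fields, the 0-5 minute rate-limit window, the 5-1440 minute challenge lifetimes, the base64 pattern for `customBlockResponseBody`, the enum values) before anything is submitted. The domain resource ID, the rule name, the cookie and header selectors, the managed rule set name and version, and the block page HTML are all constructed or assumed values.

```python
"""Build and pre-check the `parameters` object of a Microsoft.Cdn/profiles/securityPolicies
resource of type WebApplicationFirewallEmbedded (added example, not Microsoft's code)."""
import base64
import json
import re

# Pattern copied from the PolicySettingsAfd table: customBlockResponseBody must be base64.
BASE64_PATTERN = re.compile(
    r"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$")
RULE_ACTIONS = {"Allow", "AnomalyScoring", "Block", "CAPTCHA", "JSChallenge", "Log", "Redirect"}
RULE_TYPES = {"MatchRule", "RateLimitRule"}
GROUP_BY = {"GeoLocation", "None", "SocketAddr"}
SCRUB_VARS = {"QueryStringArgNames", "RequestBodyJsonArgNames", "RequestBodyPostArgNames",
              "RequestCookieNames", "RequestHeaderNames", "RequestIPAddress", "RequestUri"}
SCRUB_OPS = {"Equals", "EqualsAny"}


def encode_block_body(html: str) -> str:
    """customBlockResponseBody is sent base64-encoded, not as raw HTML."""
    return base64.b64encode(html.encode("utf-8")).decode("ascii")


def build_embedded_parameters(domain_id: str, block_html: str) -> dict:
    """Rate-limit /login per client socket address, run a managed rule set in Prevention
    mode, and scrub the Authorization header and client IP from the WAF logs.
    The rule name, selectors and managed rule set name/version are assumed values."""
    return {
        "associations": [{"domains": [{"id": domain_id}], "patternsToMatch": ["/*"]}],
        "type": "WebApplicationFirewallEmbedded",
        "wafPolicy": {
            "properties": {
                "customRules": {"rules": [{
                    "name": "LoginRateLimit", "priority": 10, "enabledState": "Enabled",
                    "ruleType": "RateLimitRule", "action": "Block",
                    "rateLimitDurationInMinutes": 1, "rateLimitThreshold": 100,
                    "groupBy": [{"variableName": "SocketAddr"}],
                    "matchConditions": [{"matchVariable": "RequestUri", "operator": "Contains",
                                         "negateCondition": False, "matchValue": ["/login"],
                                         "transforms": ["Lowercase"]}],
                }]},
                "managedRules": {"managedRuleSets": [{
                    "ruleSetType": "Microsoft_DefaultRuleSet", "ruleSetVersion": "2.1",  # assumed
                    "ruleSetAction": "Block",
                    # Keep the session cookie out of managed-rule inspection (assumed selector).
                    "exclusions": [{"matchVariable": "RequestCookieNames",
                                    "selectorMatchOperator": "Equals", "selector": "session_token"}],
                }]},
                "policySettings": {
                    "enabledState": "Enabled", "mode": "Prevention", "requestBodyCheck": "Enabled",
                    "customBlockResponseStatusCode": 403,
                    "customBlockResponseBody": encode_block_body(block_html),
                    "logScrubbing": {"state": "Enabled", "scrubbingRules": [
                        {"matchVariable": "RequestHeaderNames", "selectorMatchOperator": "Equals",
                         "selector": "Authorization", "state": "Enabled"},
                        {"matchVariable": "RequestIPAddress", "selectorMatchOperator": "EqualsAny",
                         "state": "Enabled"},
                    ]},
                },
            },
            "sku": {"name": "Premium_AzureFrontDoor"},
        },
    }


def validate_parameters(params: dict) -> list:
    """Return the constraint violations found; an empty list means none."""
    problems = []
    if params.get("type") != "WebApplicationFirewallEmbedded":
        problems.append("type must be 'WebApplicationFirewallEmbedded'")
    if not any(d.get("id") for a in params.get("associations", []) for d in a.get("domains", [])):
        problems.append("at least one association domain with a resource id is needed")
    props = params.get("wafPolicy", {}).get("properties", {})
    for rule in props.get("customRules", {}).get("rules", []):
        tag = rule.get("name", "<unnamed>")
        if len(tag) > 128:
            problems.append(f"{tag}: name exceeds 128 characters")
        if rule.get("action") not in RULE_ACTIONS:
            problems.append(f"{tag}: action is required and must be one of {sorted(RULE_ACTIONS)}")
        if rule.get("ruleType") not in RULE_TYPES:
            problems.append(f"{tag}: ruleType is required (MatchRule or RateLimitRule)")
        if not isinstance(rule.get("priority"), int):
            problems.append(f"{tag}: priority is required")
        if not rule.get("matchConditions"):
            problems.append(f"{tag}: matchConditions is required")
        d = rule.get("rateLimitDurationInMinutes")
        if d is not None and not 0 <= d <= 5:
            problems.append(f"{tag}: rateLimitDurationInMinutes must be between 0 and 5")
        t = rule.get("rateLimitThreshold")
        if t is not None and t < 0:
            problems.append(f"{tag}: rateLimitThreshold must be >= 0")
        for g in rule.get("groupBy", []):
            if g.get("variableName") not in GROUP_BY:
                problems.append(f"{tag}: unsupported groupBy variable {g.get('variableName')!r}")
    for rs in props.get("managedRules", {}).get("managedRuleSets", []):
        if not rs.get("ruleSetType") or not rs.get("ruleSetVersion"):
            problems.append("managed rule set needs ruleSetType and ruleSetVersion")
    ps = props.get("policySettings", {})
    for key in ("captchaExpirationInMinutes", "javascriptChallengeExpirationInMinutes"):
        v = ps.get(key)
        if v is not None and not 5 <= v <= 1440:
            problems.append(f"{key} must be between 5 and 1440")
    body = ps.get("customBlockResponseBody")
    if body is not None and not BASE64_PATTERN.match(body):
        problems.append("customBlockResponseBody is not valid base64")
    for sr in ps.get("logScrubbing", {}).get("scrubbingRules", []):
        if sr.get("matchVariable") not in SCRUB_VARS or sr.get("selectorMatchOperator") not in SCRUB_OPS:
            problems.append(f"invalid log scrubbing rule: {sr}")
    return problems


def parameters_json(params: dict) -> str:
    """The `properties.parameters` value, ready to paste into the ARM template."""
    return json.dumps(params, indent=2)


if __name__ == "__main__":
    # Constructed placeholder domain ID; use the customDomain resource ID from your deployment.
    p = build_embedded_parameters("/subscriptions/<sub>/resourceGroups/<rg>/providers/"
                                  "Microsoft.Cdn/profiles/<profile>/customDomains/<domain>",
                                  "<html><body>Request blocked</body></html>")
    print(validate_parameters(p) or "no constraint violations")
    print(parameters_json(p))
```

Run it once with a deliberately wrong value (a `captchaExpirationInMinutes` of 2, a rate-limit window of 6 minutes, a raw HTML block body) to see the checks fire; the same function slots into a pipeline step that rejects a template before `az deployment` is ever called. The checks cover only what the tables state, so an accepted object can still fail service-side validation (for example an unknown managed rule set version).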
Usage Examples
Azure Quickstart Templates
The following Azure Quickstart templates deploy this resource type.
| Template | Description |
|---|---|
| Front Door Premium with blob origin and Private Link | This template creates a Front Door Premium and an Azure Storage blob container, and uses a private endpoint for Front Door to send traffic to the storage account. |
| Front Door Premium with WAF and Microsoft-managed rule sets | This template creates a Front Door Premium including a web application firewall with the Microsoft-managed default and bot protection rule sets. |
| Front Door Standard/Premium with geo-filtering | This template creates a Front Door Standard/Premium including a web application firewall with a geo-filtering rule. |
| Front Door Standard/Premium with rate limit | This template creates a Front Door Standard/Premium including a web application firewall with a rate limit rule. |
| Front Door Standard/Premium with WAF and custom rule | This template creates a Front Door Standard/Premium including a web application firewall with a custom rule. |
| Front Door with blob origins for blobs upload | This template creates a Front Door with origins, routes and rule sets, and Azure Storage accounts with blob containers. Front Door sends traffic to the storage accounts when uploading files. |
| FrontDoor CDN with WAF, Domains and Logs to EventHub | This template creates a new Azure Front Door CDN profile, a WAF with custom and managed rules, CDN routes, origins and origin groups with their associations to the WAF and routes, custom domains, and an event hub with diagnostic settings that send CDN access logs to the event hub. |
| Function App secured by Azure Frontdoor | This template deploys an Azure Premium function app protected and published by Azure Front Door Premium. The connection between Azure Front Door and Azure Functions is protected by Azure Private Link. |
Terraform (AzAPI provider) resource definition
The profiles/securityPolicies resource type can be deployed with operations that target:
- Resource groups
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.Cdn/profiles/securityPolicies resource, add the following Terraform to your template.
```terraform
resource "azapi_resource" "symbolicname" {
  type      = "Microsoft.Cdn/profiles/securityPolicies@2025-09-01-preview"
  name      = "string"
  parent_id = "string"
  body = {
    properties = {
      parameters = {
        type = "string"
        // For remaining properties, see SecurityPolicyPropertiesParameters objects
      }
    }
  }
}
```
SecurityPolicyPropertiesParameters objects
Set the type property to specify the type of object.
For WebApplicationFirewall, use:
```terraform
{
  associations = [
    {
      domains = [
        {
          id = "string"
        }
      ]
      patternsToMatch = [
        "string"
      ]
    }
  ]
  type = "WebApplicationFirewall"
  wafPolicy = {
    id = "string"
  }
}
```
For WebApplicationFirewallEmbedded, use:
```terraform
{
  associations = [
    {
      domains = [
        {
          id = "string"
        }
      ]
      patternsToMatch = [
        "string"
      ]
    }
  ]
  type = "WebApplicationFirewallEmbedded"
  wafPolicy = {
    etag = "string"
    properties = {
      customRules = {
        rules = [
          {
            action = "string"
            enabledState = "string"
            groupBy = [
              {
                variableName = "string"
              }
            ]
            matchConditions = [
              {
                matchValue = [
                  "string"
                ]
                matchVariable = "string"
                negateCondition = bool
                operator = "string"
                selector = "string"
                transforms = [
                  "string"
                ]
              }
            ]
            name = "string"
            priority = int
            rateLimitDurationInMinutes = int
            rateLimitThreshold = int
            ruleType = "string"
          }
        ]
      }
      managedRules = {
        managedRuleSets = [
          {
            exclusions = [
              {
                matchVariable = "string"
                selector = "string"
                selectorMatchOperator = "string"
              }
            ]
            ruleGroupOverrides = [
              {
                exclusions = [
                  {
                    matchVariable = "string"
                    selector = "string"
                    selectorMatchOperator = "string"
                  }
                ]
                ruleGroupName = "string"
                rules = [
                  {
                    action = "string"
                    enabledState = "string"
                    exclusions = [
                      {
                        matchVariable = "string"
                        selector = "string"
                        selectorMatchOperator = "string"
                      }
                    ]
                    ruleId = "string"
                  }
                ]
              }
            ]
            ruleSetAction = "string"
            ruleSetType = "string"
            ruleSetVersion = "string"
          }
        ]
      }
      policySettings = {
        captchaExpirationInMinutes = int
        customBlockResponseBody = "string"
        customBlockResponseStatusCode = int
        enabledState = "string"
        javascriptChallengeExpirationInMinutes = int
        logScrubbing = {
          scrubbingRules = [
            {
              matchVariable = "string"
              selector = "string"
              selectorMatchOperator = "string"
              state = "string"
            }
          ]
          state = "string"
        }
        mode = "string"
        redirectUrl = "string"
        requestBodyCheck = "string"
      }
    }
    sku = {
      name = "string"
    }
  }
}
```
Property Values
Microsoft.Cdn/profiles/securityPolicies
| Name | Description | Value |
|---|---|---|
| name | The resource name | string (required) |
| parent_id | The ID of the resource that is the parent for this resource. | ID for resource of type: profiles |
| properties | The JSON object that contains the properties required to create a security policy. | SecurityPolicyProperties |
| type | The resource type | "Microsoft.Cdn/profiles/securityPolicies@2025-09-01-preview" |
ActivatedResourceReference
| Name | Description | Value |
|---|---|---|
| id | Resource ID. | string |
CustomRuleAfd
| Name | Description | Value |
|---|---|---|
| action | Describes what action to be applied when rule matches. | 'Allow' 'AnomalyScoring' 'Block' 'CAPTCHA' 'JSChallenge' 'Log' 'Redirect' (required) |
| enabledState | Describes if the custom rule is in enabled or disabled state. Defaults to Enabled if not specified. | 'Disabled' 'Enabled' |
| groupBy | Describes the list of variables to group the rate limit requests | GroupByVariable[] |
| matchConditions | List of match conditions. | MatchConditionAfd[] (required) |
| name | Describes the name of the rule. | string Constraints: Max length = 128 |
| priority | Describes priority of the rule. Rules with a lower value will be evaluated before rules with a higher value. | int (required) |
| rateLimitDurationInMinutes | Time window for resetting the rate limit count. Default is 1 minute. | int Constraints: Min value = 0 Max value = 5 |
| rateLimitThreshold | Number of allowed requests per client within the time window. | int Constraints: Min value = 0 |
| ruleType | Describes type of rule. | 'MatchRule' 'RateLimitRule' (required) |
CustomRuleListAfd
| Name | Description | Value |
|---|---|---|
| rules | List of rules | CustomRuleAfd[] |
GroupByVariable
| Name | Description | Value |
|---|---|---|
| variableName | Describes the supported variable for group by | 'GeoLocation' 'None' 'SocketAddr' (required) |
ManagedRuleExclusion
| Name | Description | Value |
|---|---|---|
| matchVariable | The variable type to be excluded. | 'QueryStringArgNames' 'RequestBodyJsonArgNames' 'RequestBodyPostArgNames' 'RequestCookieNames' 'RequestHeaderNames' (required) |
| selector | Selector value for which elements in the collection this exclusion applies to. | string (required) |
| selectorMatchOperator | Comparison operator to apply to the selector when specifying which elements in the collection this exclusion applies to. | 'Contains' 'EndsWith' 'Equals' 'EqualsAny' 'StartsWith' (required) |
ManagedRuleGroupOverrideAfd
| Name | Description | Value |
|---|---|---|
| exclusions | Describes the exclusions that are applied to all rules in the group. | ManagedRuleExclusion[] |
| ruleGroupName | Describes the managed rule group to override. | string (required) |
| rules | List of rules that will be disabled. If none specified, all rules in the group will be disabled. | ManagedRuleOverrideAfd[] |
ManagedRuleOverrideAfd
| Name | Description | Value |
|---|---|---|
| action | Describes the override action to be applied when rule matches. | 'Allow' 'AnomalyScoring' 'Block' 'CAPTCHA' 'JSChallenge' 'Log' 'Redirect' |
| enabledState | Describes if the managed rule is in enabled or disabled state. Defaults to Disabled if not specified. | 'Disabled' 'Enabled' |
| exclusions | Describes the exclusions that are applied to this specific rule. | ManagedRuleExclusion[] |
| ruleId | Identifier for the managed rule. | string (required) |
ManagedRuleSetAfd
| Name | Description | Value |
|---|---|---|
| exclusions | Describes the exclusions that are applied to all rules in the set. | ManagedRuleExclusion[] |
| ruleGroupOverrides | Defines the rule group overrides to apply to the rule set. | ManagedRuleGroupOverrideAfd[] |
| ruleSetAction | Defines the rule set action. | 'Block' 'Log' 'Redirect' |
| ruleSetType | Defines the rule set type to use. | string (required) |
| ruleSetVersion | Defines the version of the rule set to use. | string (required) |
ManagedRuleSetListAfd
| Name | Description | Value |
|---|---|---|
| managedRuleSets | List of rule sets. | ManagedRuleSetAfd[] |
MatchConditionAfd
| Name | Description | Value |
|---|---|---|
| matchValue | List of possible match values. | string[] (required) |
| matchVariable | Request variable to compare with. | 'ClientPort' 'Cookies' 'HostName' 'HttpVersion' 'IsDevice' 'PostArgs' 'QueryString' 'RemoteAddress' 'RequestBody' 'RequestHeader' 'RequestMethod' 'RequestScheme' 'RequestUri' 'ServerPort' 'SocketAddr' 'SslProtocol' 'UrlFileExtension' 'UrlFileName' 'UrlPath' (required) |
| negateCondition | Describes if the result of this condition should be negated. | bool |
| operator | Comparison type to use for matching with the variable value. | 'Any' 'BeginsWith' 'Contains' 'EndsWith' 'Equal' 'GeoMatch' 'GreaterThan' 'GreaterThanOrEqual' 'IPMatch' 'LessThan' 'LessThanOrEqual' 'RegEx' (required) |
| selector | Match against a specific key from the QueryString, PostArgs, RequestHeader or Cookies variables. Default is null. | string |
| transforms | List of transforms. | String array containing any of: 'Lowercase' 'RemoveNulls' 'Trim' 'Uppercase' 'UrlDecode' 'UrlEncode' |
PolicySettingsAfd
| Name | Description | Value |
|---|---|---|
| captchaExpirationInMinutes | Defines the Captcha cookie validity lifetime in minutes. This setting is only applicable to Premium_AzureFrontDoor. Value must be an integer between 5 and 1440 with the default value being 30. | int Constraints: Min value = 5 Max value = 1440 |
| customBlockResponseBody | If the action type is block, customer can override the response body. The body must be specified in base64 encoding. | string Constraints: Pattern = ^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$ |
| customBlockResponseStatusCode | If the action type is block, customer can override the response status code. | int |
| enabledState | Describes if the policy is in enabled or disabled state. Defaults to Enabled if not specified. | 'Disabled' 'Enabled' |
| javascriptChallengeExpirationInMinutes | Defines the JavaScript challenge cookie validity lifetime in minutes. This setting is only applicable to Premium_AzureFrontDoor. Value must be an integer between 5 and 1440 with the default value being 30. | int Constraints: Min value = 5 Max value = 1440 |
| logScrubbing | Defines rules that scrub sensitive fields in the Web Application Firewall logs. | PolicySettingsLogScrubbing |
| mode | Describes if it is in detection mode or prevention mode at policy level. | 'Detection' 'Prevention' |
| redirectUrl | If action type is redirect, this field represents redirect URL for the client. | string |
| requestBodyCheck | Describes if policy managed rules will inspect the request body content. | 'Disabled' 'Enabled' |
PolicySettingsLogScrubbing
| Name | Description | Value |
|---|---|---|
| scrubbingRules | List of log scrubbing rules applied to the Web Application Firewall logs. | WebApplicationFirewallScrubbingRules[] |
| state | State of the log scrubbing config. Default value is Enabled. | 'Disabled' 'Enabled' |
ResourceReference
| Name | Description | Value |
|---|---|---|
| id | Resource ID. | string |
SecurityPolicyProperties
| Name | Description | Value |
|---|---|---|
| parameters | Object that contains the security policy parameters. | SecurityPolicyPropertiesParameters |
SecurityPolicyPropertiesParameters
| Name | Description | Value |
|---|---|---|
| type | Set to 'WebApplicationFirewall' for type SecurityPolicyWebApplicationFirewallParameters. Set to 'WebApplicationFirewallEmbedded' for type SecurityPolicyWebApplicationFirewallParametersWithEmbeddedWafPolicy. | 'WebApplicationFirewall' 'WebApplicationFirewallEmbedded' (required) |
SecurityPolicyWebApplicationFirewallAssociation
| Name | Description | Value |
|---|---|---|
| domains | List of domains. | ActivatedResourceReference[] |
| patternsToMatch | List of paths. | string[] |
SecurityPolicyWebApplicationFirewallParameters
| Name | Description | Value |
|---|---|---|
| associations | WAF associations. | SecurityPolicyWebApplicationFirewallAssociation[] |
| type | The type of the Security policy to create. | 'WebApplicationFirewall' (required) |
| wafPolicy | Resource ID. | ResourceReference |
SecurityPolicyWebApplicationFirewallParametersWithEmbeddedWafPolicy
| Name | Description | Value |
|---|---|---|
| associations | WAF associations. | SecurityPolicyWebApplicationFirewallAssociation[] |
| type | The type of the Security policy to create. | 'WebApplicationFirewallEmbedded' (required) |
| wafPolicy | Properties of the web application firewall policy. | WebApplicationFirewallPolicy |
Sku
| Name | Description | Value |
|---|---|---|
| name | Name of the pricing tier. | 'Classic_AzureFrontDoor' 'Custom_Verizon' 'Premium_AzureFrontDoor' 'Premium_Verizon' 'StandardPlus_955BandWidth_ChinaCdn' 'StandardPlus_AvgBandWidth_ChinaCdn' 'StandardPlus_ChinaCdn' 'Standard_955BandWidth_ChinaCdn' 'Standard_Akamai' 'Standard_AvgBandWidth_ChinaCdn' 'Standard_AzureFrontDoor' 'Standard_ChinaCdn' 'Standard_Microsoft' 'Standard_Verizon' |
WebApplicationFirewallPolicy
| Name | Description | Value |
|---|---|---|
| etag | Gets a unique read-only string that changes whenever the resource is updated. | string |
| properties | Properties of the web application firewall policy. | WebApplicationFirewallPolicyProperties |
| sku | The pricing tier of web application firewall policy. Defaults to Classic_AzureFrontDoor if not specified. | Sku |
WebApplicationFirewallPolicyProperties
| Name | Description | Value |
|---|---|---|
| customRules | Describes custom rules inside the policy. | CustomRuleListAfd |
| managedRules | Describes managed rules inside the policy. | ManagedRuleSetListAfd |
| policySettings | Describes settings for the policy. | PolicySettingsAfd |
WebApplicationFirewallScrubbingRules
| Name | Description | Value |
|---|---|---|
| matchVariable | The variable to be scrubbed from the logs. | 'QueryStringArgNames' 'RequestBodyJsonArgNames' 'RequestBodyPostArgNames' 'RequestCookieNames' 'RequestHeaderNames' 'RequestIPAddress' 'RequestUri' (required) |
| selector | When matchVariable is a collection, the selector value that specifies which elements in the collection this rule applies to. | string |
| selectorMatchOperator | When matchVariable is a collection, the operator applied to the selector to specify which elements in the collection this rule applies to. | 'Equals' 'EqualsAny' (required) |
| state | Defines the state of a log scrubbing rule. Default value is Enabled. | 'Disabled' 'Enabled' |
Usage Examples
Terraform Samples
A basic example of deploying a Front Door (Standard/Premium) security policy.
```terraform
terraform {
  required_providers {
    azapi = {
      source = "Azure/azapi"
    }
  }
}

provider "azapi" {
  skip_provider_registration = false
}

variable "resource_name" {
  type    = string
  default = "acctest0001"
}

variable "location" {
  type    = string
  default = "westeurope"
}

resource "azapi_resource" "resourceGroup" {
  type     = "Microsoft.Resources/resourceGroups@2020-06-01"
  name     = var.resource_name
  location = var.location
}

resource "azapi_resource" "dnsZone" {
  type                      = "Microsoft.Network/dnsZones@2018-05-01"
  parent_id                 = azapi_resource.resourceGroup.id
  name                      = "${var.resource_name}.com"
  location                  = "global"
  schema_validation_enabled = false
  response_export_values    = ["*"]
}

resource "azapi_resource" "profile" {
  type      = "Microsoft.Cdn/profiles@2021-06-01"
  parent_id = azapi_resource.resourceGroup.id
  name      = var.resource_name
  location  = "global"
  body = {
    properties = {
      originResponseTimeoutSeconds = 120
    }
    sku = {
      name = "Premium_AzureFrontDoor"
    }
  }
  schema_validation_enabled = false
  response_export_values    = ["*"]
}

resource "azapi_resource" "FrontDoorWebApplicationFirewallPolicy" {
  type      = "Microsoft.Network/FrontDoorWebApplicationFirewallPolicies@2020-11-01"
  parent_id = azapi_resource.resourceGroup.id
  name      = var.resource_name
  location  = "global"
  body = {
    properties = {
      customRules = {
        rules = [
          {
            action       = "Block"
            enabledState = "Enabled"
            matchConditions = [
              {
                matchValue = [
                  "192.168.1.0/24",
                  "10.0.0.0/24",
                ]
                matchVariable   = "RemoteAddr"
                negateCondition = false
                operator        = "IPMatch"
              },
            ]
            name                       = "Rule1"
            priority                   = 1
            rateLimitDurationInMinutes = 1
            rateLimitThreshold         = 10
            ruleType                   = "MatchRule"
          },
        ]
      }
      managedRules = {
        managedRuleSets = [
          {
            ruleGroupOverrides = [
              {
                ruleGroupName = "PHP"
                rules = [
                  {
                    action       = "Block"
                    enabledState = "Disabled"
                    ruleId       = "933111"
                  },
                ]
              },
            ]
            ruleSetAction  = "Block"
            ruleSetType    = "DefaultRuleSet"
            ruleSetVersion = "preview-0.1"
          },
          {
            ruleSetAction  = "Block"
            ruleSetType    = "BotProtection"
            ruleSetVersion = "preview-0.1"
          },
        ]
      }
      policySettings = {
        customBlockResponseBody       = "PGh0bWw+CjxoZWFkZXI+PHRpdGxlPkhlbGxvPC90aXRsZT48L2hlYWRlcj4KPGJvZHk+CkhlbGxvIHdvcmxkCjwvYm9keT4KPC9odG1sPg=="
        customBlockResponseStatusCode = 403
        enabledState                  = "Enabled"
        mode                          = "Prevention"
        redirectUrl                   = "https://www.fabrikam.com"
      }
    }
    sku = {
      name = "Premium_AzureFrontDoor"
    }
  }
  schema_validation_enabled = false
  response_export_values    = ["*"]
}

resource "azapi_resource" "customDomain" {
  type      = "Microsoft.Cdn/profiles/customDomains@2021-06-01"
  parent_id = azapi_resource.profile.id
  name      = var.resource_name
  body = {
    properties = {
      azureDnsZone = {
        id = azapi_resource.dnsZone.id
      }
      hostName = "fabrikam.${var.resource_name}.com"
      tlsSettings = {
        certificateType   = "ManagedCertificate"
        minimumTlsVersion = "TLS12"
      }
    }
  }
  schema_validation_enabled = false
  response_export_values    = ["*"]
}

resource "azapi_resource" "securityPolicy" {
  type      = "Microsoft.Cdn/profiles/securityPolicies@2021-06-01"
  parent_id = azapi_resource.profile.id
  name      = var.resource_name
  body = {
    properties = {
      parameters = {
        associations = [
          {
            domains = [
              {
                id = azapi_resource.customDomain.id
              },
            ]
            patternsToMatch = [
              "/*",
            ]
          },
        ]
        type = "WebApplicationFirewall"
        wafPolicy = {
          id = azapi_resource.FrontDoorWebApplicationFirewallPolicy.id
        }
      }
    }
  }
  schema_validation_enabled = false
  response_export_values    = ["*"]
}
```
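The sample above attaches a separately deployed WAF policy by resource ID (the `WebApplicationFirewall` parameters type). The following resource is an added example, not one of the page's own samples, showing the `WebApplicationFirewallEmbedded` type from the `2025-09-01-preview` schema: the WAF policy, a `RateLimitRule` custom rule grouped by `SocketAddr`, a managed rule set exclusion and two log scrubbing rules are all declared inline in the security policy. It assumes the `azapi_resource.profile`, `azapi_resource.customDomain` and `var.resource_name` declared in the sample above; the resource label `securityPolicyEmbedded`, the `Microsoft_DefaultRuleSet` / `2.1` rule set identifiers, the `/login` path, the `Authorization` header and the `richTextBody` field name are assumed or constructed values that do not appear on this page.

```terraform
# Added example (not one of the page's samples): a security policy with the WAF
# policy embedded via type = "WebApplicationFirewallEmbedded". Assumes the
# profile, customDomain and var.resource_name from the sample above. Rule set
# type/version, header, field and path values are assumed placeholders.
resource "azapi_resource" "securityPolicyEmbedded" {
  type      = "Microsoft.Cdn/profiles/securityPolicies@2025-09-01-preview"
  parent_id = azapi_resource.profile.id
  name      = "${var.resource_name}-embedded"
  body = {
    properties = {
      parameters = {
        type = "WebApplicationFirewallEmbedded"
        associations = [
          {
            domains         = [{ id = azapi_resource.customDomain.id }]
            patternsToMatch = ["/*"]
          },
        ]
        wafPolicy = {
          sku = { name = "Premium_AzureFrontDoor" }
          properties = {
            policySettings = {
              enabledState = "Enabled"
              # Detection first: matches are logged, not blocked. Switch to
              # Prevention once the WAF logs show no false positives.
              mode             = "Detection"
              requestBodyCheck = "Enabled"
              logScrubbing = {
                state = "Enabled"
                scrubbingRules = [
                  {
                    # Keep bearer tokens out of the WAF logs.
                    matchVariable         = "RequestHeaderNames"
                    selectorMatchOperator = "Equals"
                    selector              = "Authorization"
                    state                 = "Enabled"
                  },
                  {
                    # Scalar variable: no selector, EqualsAny covers the value.
                    matchVariable         = "RequestIPAddress"
                    selectorMatchOperator = "EqualsAny"
                    state                 = "Enabled"
                  },
                ]
              }
            }
            customRules = {
              rules = [
                {
                  # RateLimitRule: a per-client (SocketAddr) counter; more than
                  # 100 requests to the login path within 1 minute are blocked.
                  name                       = "LoginRateLimit"
                  priority                   = 10
                  enabledState               = "Enabled"
                  ruleType                   = "RateLimitRule"
                  rateLimitDurationInMinutes = 1
                  rateLimitThreshold         = 100
                  groupBy                    = [{ variableName = "SocketAddr" }]
                  action                     = "Block"
                  matchConditions = [
                    {
                      matchVariable   = "RequestUri"
                      operator        = "Contains"
                      negateCondition = false
                      matchValue      = ["/login"]
                      transforms      = ["Lowercase"]
                    },
                  ]
                },
              ]
            }
            managedRules = {
              managedRuleSets = [
                {
                  # Assumed rule set identifiers; use one your SKU supports.
                  ruleSetType    = "Microsoft_DefaultRuleSet"
                  ruleSetVersion = "2.1"
                  ruleSetAction  = "Block"
                  # Exclude one JSON field that legitimately carries markup
                  # rather than disabling whole rule groups because of it.
                  exclusions = [
                    {
                      matchVariable         = "RequestBodyJsonArgNames"
                      selectorMatchOperator = "Equals"
                      selector              = "richTextBody"
                    },
                  ]
                },
              ]
            }
          }
        }
      }
    }
  }
  schema_validation_enabled = false
}
```

Three design points follow from the property tables above. `rateLimitDurationInMinutes` is constrained to 0 to 5, so a per-client threshold has to be sized for a short window; `groupBy` is what turns the threshold into a per-client count rather than a global one. The scrubbing rules are applied to the WAF logs only, so the `Authorization` value is still evaluated by the rules but never written to the diagnostic log. An exclusion on a single `RequestBodyJsonArgNames` selector narrows the managed rule set to one known-noisy field, which is a smaller loss of coverage than the `ruleGroupOverrides` with `enabledState = "Disabled"` used in the sample above.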