Thanks for your interest in Cloud Adoption Framework for Azure landing zones on Terraform. This module is now deprecated and no longer maintained.
As part of Cloud Adoption Framework landing zones for Terraform, we have migrated to a single module model, which you can find here: https://github.com/aztfmod/terraform-azurerm-caf and on the Terraform registry: https://registry.terraform.io/modules/aztfmod/caf/azurerm
In Terraform 0.13 you can now call directly submodules easily with the following syntax:
module "caf_firewall" {
source = "aztfmod/caf/azurerm//modules/networking/firewall"
version = "0.4.18"
# insert the 9 required variables here
}
Creates a Front Front Door with:
- 1 to many Backend Pools
- 1 to many Routing Rules
- 1 to many Frontend Endpoints
- 1 to many WAF Policies and links them to Frontend Endpoints
Reference the module to a specific version (recommended):
module "front-door" {
source = "aztfmod/caf-frontdoor/azurerm" #Point to front-end module location
version = "0.x.y"
front-door-rg = var.rg
location = var.location
front-door-object = var.front-door-object
front-door-waf-object = var.front-door-waf-object
tags = var.tags
}Link to Terraform providor:
- Front Door: https://www.terraform.io/docs/providers/azurerm/r/frontdoor.html
- Front Door WAF: https://www.terraform.io/docs/providers/azurerm/r/frontdoor_firewall_policy.html
| Name | Type | Default | Description |
|---|---|---|---|
| front-door-rg | string | None | Name of the resource group where to create the resource. Changing this forces a new resource to be created. |
| location | string | None | Specifies the Azure location to deploy the resource. Changing this forces a new resource to be created. |
| front-door-object | object | None | Front Door configuration object as described in the Parameters section. |
| front-door-waf-object | object | None | Front Door WAF configuration object as described in the Parameters section. |
| tags | map | None | Map of tags for the deployment. |
(Required) Confirguration object describing the Front Door configuration. The object has sections are as follows:
| Name | Type | Description |
|---|---|---|
| name | Required | Specifies the name of the Front Door service. Changing this forces a new resource to be created. |
| resource_group_name | Required | Specifies the name of the Resource Group in which the Front Door service should exist. Changing this forces a new resource to be created. |
| location | Required | Specifies the supported Azure location where the resource exists. Changing this forces a new resource to be created. |
| backend_pool | Required | A backend_pool block as defined below. |
| backend_pool_health_probe | Required | A backend_pool_health_probe block as defined below. |
| backend_pool_load_balancing | Required | A backend_pool_load_balancing block as defined below. |
| enforce_backend_pools_certificate_name_check | Required | Enforce certificate name check on HTTPS requests to all backend pools, this setting will have no effect on HTTP requests. Permitted values are true or false. |
| load_balancer_enabled | Optional | Should the Front Door Load Balancer be Enabled? Defaults to true. |
| friendly_name | Optional | A friendly name for the Front Door service. |
| frontend_endpoint | Required | A frontend_endpoint block as defined below. |
| routing_rule | Required | A routing_rule block as defined below. |
| tags | Optional | A mapping of tags to assign to the resource. |
| Name | Type | Description |
|---|---|---|
| name | Required | Specifies the name of the Backend Pool. |
| backend | Required | A backend block as defined below. |
| load_balancing_name | Required | Specifies the name of the backend_pool_load_balancing block within this resource to use for this Backend Pool. |
| health_probe_name | Required | Specifies the name of the backend_pool_health_probe block whithin this resource to use for this Backend Pool. |
| Name | Type | Description |
|---|---|---|
| enabled | Optional | Specifies if the backend is enabled or not. Valid options are true or false. Defaults to true. |
| address | Required | Location of the backend (IP address or FQDN) |
| host_header | Required | The value to use as the host header sent to the backend. |
| http_port | Required | The HTTP TCP port number. Possible values are between 1 - 65535. |
| https_port | Required | The HTTPS TCP port number. Possible values are between 1 - 65535. |
| priority | Optional | Priority to use for load balancing. Higher priorities will not be used for load balancing if any lower priority backend is healthy. Defaults to 1. |
| weight | Optional | Weight of this endpoint for load balancing purposes. Defaults to 50. |
| Name | Type | Description |
|---|---|---|
| name | Required | Specifies the name of the frontend_endpoint. |
| host_name | Required | Specifies the host name of the frontend_endpoint. Must be a domain name. |
| session_affinity_enabled | Optional | Whether to allow session affinity on this host. Valid options are true or false Defaults to false. |
| session_affinity_ttl_seconds | Optional | The TTL to use in seconds for session affinity, if applicable. Defaults to 0. |
| custom_https_provisioning_enabled | Required | Should the HTTPS protocol be enabled for a custom domain associated with the Front Door? |
| custom_https_configuration | Optional | A custom_https_configuration block as defined below. NOTE: This block is required when custom_https_provisioning_enabled is set to true. |
| web_application_firewall_policy_link_id | Optional | Defines the Web Application Firewall policy ID for each host. |
| Name | Type | Description |
|---|---|---|
| name | Required | Specifies the name of the Health Probe. |
| path | Optional | The path to use for the Health Probe. Default is /. |
| protocol | Optional | Protocol scheme to use for the Health Probe. Defaults to Http. |
| interval_in_seconds | Optional | The number of seconds between each Health Probe. Defaults to 120. |
| Name | Type | Description |
|---|---|---|
| name | Required | Specifies the name of the Load Balancer. |
| sample_size | Optional | The number of samples to consider for load balancing decisions. Defaults to 4. |
| successful_samples_required | Optional | The number of samples within the sample period that must succeed. Defaults to 2. |
| additional_latency_milliseconds | Optional | The additional latency in milliseconds for probes to fall into the lowest latency bucket. Defaults to 0. |
| Name | Type | Description |
|---|---|---|
| name | Required | Specifies the name of the Routing Rule. |
| frontend_endpoints | Required | The names of the frontend_endpoint blocks whithin this resource to associate with this routing_rule. |
| accepted_protocols | Optional | Protocol schemes to match for the Backend Routing Rule. Defaults to Http. |
| patterns_to_match | Optional | The route patterns for the Backend Routing Rule. Defaults to /*. |
| enabled | Optional | Enable or Disable use of this Backend Routing Rule. Permitted values are true or false. Defaults to true. |
| forwarding_configuration | Optional | A forwarding_configuration block as defined below. |
| redirect_configuration | Optional | A redirect_configuration block as defined below. |
| Name | Type | Description |
|---|---|---|
| backend_pool_name | Required | Specifies the name of the Backend Pool to forward the incoming traffic to. |
| cache_enabled | Optional | Specifies whether to Enable caching or not. Valid options are true or false. Defaults to true. |
| cache_use_dynamic_compression | Optional | Whether to use dynamic compression when caching. Valid options are true or false. Defaults to false. |
| cache_query_parameter_strip_directive | Optional | Defines cache behavior in releation to query string parameters. Valid options are StripAll or StripNone. Defaults to StripNone. |
| custom_forwarding_path | Optional | Path to use when constructing the request to forward to the backend. This functions as a URL Rewrite. Default behavior preserves the URL path. |
| forwarding_protocol | Optional | Protocol to use when redirecting. Valid options are HttpOnly, HttpsOnly, or MatchRequest. Defaults to MatchRequest. |
| Name | Type | Description |
|---|---|---|
| custom_host | Optional | Set this to change the URL for the redirection. |
| redirect_protocol | Optional | Protocol to use when redirecting. Valid options are HttpOnly, HttpsOnly, or MatchRequest. Defaults to MatchRequest |
| redirect_type | Optional | Status code for the redirect. Valida options are Moved, Found, TemporaryRedirect, PermanentRedirect. Defaults to Found |
| custom_fragment | Optional | The destination fragment in the portion of URL after '#'. Set this to add a fragment to the redirect URL. |
| custom_path | Optional | The path to retain as per the incoming request, or update in the URL for the redirection. |
| custom_query_string | Optional | Replace any existing query string from the incoming request URL. |
| Name | Type | Description |
|---|---|---|
| certificate_source | Optional | Certificate source to encrypted HTTPS traffic with. Allowed values are FrontDoor or AzureKeyVault. Defaults to FrontDoor. |
| Name | Type | Description |
|---|---|---|
| azure_key_vault_certificate_vault_id | Required | The ID of the Key Vault containing the SSL certificate. |
| azure_key_vault_certificate_secret_name | Required | The name of the Key Vault secret representing the full certificate PFX. |
| azure_key_vault_certificate_secret_version | Required | The version of the Key Vault secret representing the full certificate PFX. |
The following front-door-object shows an example of the composition:
Sample of front door configuration object below
front-door-object = {
name = "<your AFD Name>"
friendly_name = "My Azure Front Door Service" #Optional
#disable_bgp_route_propagation = false #Default: false
enforce_backend_pools_certificate_name_check = false
load_balancer_enabled = true #Default: true
routing_rule = {
rr1 = {
name = "exampleRoutingRule1"
frontend_endpoints = ["exampleFrontendEndpoint1"]
accepted_protocols = ["Http", "Https"] #Default: "Http"
patterns_to_match = ["/*"] #Default: "/*"
enabled = true #Default: true
configuration = "Forwarding" #Options: Forwarding / Redirect
forwarding_configuration = {
backend_pool_name = "exampleBackendBing1"
cache_enabled = false #Default: false
cache_use_dynamic_compression = false #Default: false
cache_query_parameter_strip_directive = "StripNone" #Default: "StripNone"
custom_forwarding_path = ""
forwarding_protocol = "MatchRequest" #Default: "BestMatch"
}
redirect_configuration = {
custom_host = "" #Optional
redirect_protocol = "MatchRequest" #Default: "MatchRequest"
redirect_type = "Found" #Default: "Found"
custom_fragment = ""
custom_path = ""
custom_query_string = ""
}
} #Add extra routing rules here (e.g. rr2 = {...})
}
backend_pool_load_balancing = {
lb1 = {
name = "exampleLoadBalancingSettings1"
sample_size = 4 #Default: 4
successful_samples_required = 2 #Default: 2
additional_latency_milliseconds = 0 #Default: 0
} #Add extra backend load balancing names here (e.g. lb2 = {...})
}
backend_pool_health_probe = {
hp1 = {
name = "exampleHealthProbeSetting1"
path = "/"
protocol = "Http" #Default: Http
interval_in_seconds = 120 #Default: 120
} #Add extra health probes here (e.g. hp2 = {...})
}
backend_pool = {
bp1 = {
name = "exampleBackendBing1"
backend = {
be1 = {
enabled = true
address = "www.bing.com"
host_header = "www.bing.com"
http_port = 80
https_port = 443
priority = 1 #Default: 1
weight = 50 #Default: 50
},
be2 = {
enabled = true
address = "www.bing.co.uk"
host_header = "www.bing.co.uk"
http_port = 80
https_port = 443
priority = 1 #default: 1
weight = 50 #default: 50
} #Add extra backend's here (e.g. be3 = {...})
}
load_balancing_name = "exampleLoadBalancingSettings1" #Name of backend_pool_load_balancing to use
health_probe_name = "exampleHealthProbeSetting1" #Name of backend_pool_health_probe to use
} #Add extra backend pools here (e.g. bp2 = {...})
}
frontend_endpoint = {
fe1 = {
name = "exampleFrontendEndpoint1"
host_name = "<your AFD Name>.azurefd.net"
session_affinity_enabled = false #default: false
session_affinity_ttl_seconds = 0 #default: 0
custom_https_provisioning_enabled = false
#Required if custom_https_provisioning_enabled is true
custom_https_configuration = {
certificate_source = "FrontDoor" #Optional (FrontDoor / AzureKeyVault)
#If certificate source is AzureKeyVault the below are required:
azure_key_vault_certificate_vault_id = ""
azure_key_vault_certificate_secret_name = ""
azure_key_vault_certificate_secret_version = ""
}
#Links the WAF Policy to the Fronend Endpoints
web_application_firewall_policy_link_name = "TerraformPolicy" #Optional Enter the name of the waf policy you'll be creating
} #Add extra frontend Endpoints here (e.g. fe2 = {...})
}
}
(Required_ Confirguration object describing the Front Door WAF configuration.
| Name | Type | Description |
|---|---|---|
| name | Required | The name of the policy. Changing this forces a new resource to be created. |
| resource_group_name | Required | The name of the resource group. Changing this forces a new resource to be created. |
| enabled | Optional | Is the policy a enabled state or disabled state. Defaults to true. |
| mode | Optional | The firewall policy mode. Possible values are Detection, Prevention and defaults to Prevention. |
| redirect_url | Optional | If action type is redirect, this field represents redirect URL for the client. |
| custom_rule | Optional | One or more custom_rule blocks as defined below. |
| custom_block_response_status_code | Optional | If a custom_rule block's action type is block, this is the response status code. Possible values are 200, 403, 405, 406, or 429. |
| custom_block_response_body | Optional | If a custom_rule block's action type is block, this is the response body needs to be set here. Possible values are either a relative path to a file or content. |
| managed_rule | Optional | One or more managed_rule blocks as defined below. |
| tags | Optional | A mapping of tags to assign to the Web Application Firewall Policy. |
| Name | Type | Description |
|---|---|---|
| name | Required | Gets name of the resource that is unique within a policy. This name can be used to access the resource. |
| action | Required | The action to perform when the rule is matched. Possible values are Allow, Block, Log, or Redirect. |
| enabled | Optional | Is the rule is enabled or disabled? Defaults to true. |
| priority | Required | The priority of the rule. Rules with a lower value will be evaluated before rules with a higher value. Defaults to 1. |
| type | Required | The type of rule. Possible values are MatchRule or RateLimitRule. |
| match_condition | Required | One or more match_condition block defined below. |
| rate_limit_duration_in_minutes | Optional | The rate limit duration in minutes. Defaults to 1. |
| rate_limit_threshold | Optional | The rate limit threshold. Defaults to 10. |
| Name | Type | Description |
|---|---|---|
| match_variable | Required | The request variable to compare with. Possible values are Cookies, PostArgs, QueryString, RemoteAddr, RequestBody, RequestHeader, RequestMethod, or RequestUri. |
| match_values | Required | Up to 100 possible values to match. |
| operator | Required | Comparison type to use for matching with the variable value. Possible values are Any, BeginsWith, Contains, EndsWith, Equal, GeoMatch, GreaterThan, GreaterThanOrEqual, IPMatch, LessThan, LessThanOrEqual or RegEx. |
| selector | Optional | Match against a specific key if the match_variable is QueryString, PostArgs, RequestHeader or Cookies. |
| negation_condition | Optional | Should the result of the condition be negated. |
| transforms | Optional | Up to 5 transforms to apply. Possible values are Lowercase, RemoveNulls, Trim, Uppercase, URLDecode orURLEncode. |
| Name | Type | Description |
|---|---|---|
| type | Required | The name of the managed rule to use with this resource. |
| version | Required | The version on the managed rule to use with this resource. |
| exclusion | Optional | One or more exclusion blocks as defined below. |
| override | Optional | One or more override blocks as defined below. |
| Name | Type | Description |
|---|---|---|
| rule_group_name | Required | The managed rule group to override. |
| exclusion | Optional | One or more exclusion blocks as defined below. |
| rule | Optional | One or more rule blocks as defined below. If none are specified, all of the rules in the group will be disabled. |
| Name | Type | Description |
|---|---|---|
| rule_id | Required | Identifier for the managed rule. |
| action | Required | The action to be applied when the rule matches. Possible values are Allow, Block, Log, or Redirect. |
| enabled | Optional | Is the managed rule override enabled or disabled. Defaults to false |
| exclusion | Optional | One or more exclusion blocks as defined below. |
| Name | Type | Description |
|---|---|---|
| match_variable | Required | The variable type to be excluded. Possible values are QueryStringArgNames, RequestBodyPostArgNames, RequestCookieNames, RequestHeaderNames. |
| operator | Required | Comparison operator to apply to the selector when specifying which elements in the collection this exclusion applies to. Possible values are: Equals, Contains, StartsWith, EndsWith, EqualsAny. |
| selector | Required | Selector for the value in the match_variable attribute this exclusion applies to. |
The following front-door-waf-object shows an example of the composition:
Sample of front door waf configuration object below
front-door-waf-object = {
waf1 = {
name = "TerraformPolicy"
enabled = true #Default: true
mode = "Prevention" #Options: Prevention / Detection
redirect_url = "https://www.bing.com" #Optional
custom_rule = {
cr1 = {
name = "Rule1"
action = "Block" #Options: Allow/Block/Log/Redirect
enabled = true #Default: true
priority = 1 #Default: 1
type = "MatchRule" #Options: MatchRule / RateLimitRule
match_condition = {
match_variable = "RequestHeader" #Options: Cookies, PostArgs, QueryString, RemoteAddr, RequestBody, RequestHeader, RequestMethod, or RequestUri
match_values = ["windows"]
operator = "Contains" #Options: Any, BeginsWith, Contains, EndsWith, Equal, GeoMatch, GreaterThan, GreaterThanOrEqual, IPMatch, LessThan, LessThanOrEqual or RegEx
selector = "UserAgent" #Used if matched_variable is QueryString, PostArgs, RequestHeader or Cookies
negation_condition = false #If result of condition is negative
transforms = ["Lowercase", "Trim"] #Options: transforms - (Optional) Up to 5 transforms to apply. Possible values are Lowercase, RemoveNulls, Trim, Uppercase, URLDecode or URLEncode
}
rate_limit_duration_in_minutes = 1
rate_limit_threshold = 10
} #Add extra custom rules here (e.g. cr2 = {...})
}
custom_block_response_status_code = 403 #Options: 200, 403, 405, 406, or 429
custom_block_response_body = "./blocked-response.html" #Options: Relative path to a file or content for the blocked response body. (e.g. "./blocked-response.html" or "Blocked by WAF Policy")
managed_rule = {
mr1 = {
type = "DefaultRuleSet"
version = "1.0"
exclusion = {
ex1 = {
match_variable = "QueryStringArgNames" #Options: match_variable - (Required) The variable type to be excluded. Possible values are QueryStringArgNames, RequestBodyPostArgNames, RequestCookieNames, RequestHeaderNames
operator = "Equals" #Options: Equals, Contains, StartsWith, EndsWith, EqualsAny
selector = "not_suspicious"
} #Add extra managed rule exclusions here (e.g. ex2 = {...})
}
override = {
or1 = {
rule_group_name = "PHP"
exclusion = {
ex1 = {
match_variable = "QueryStringArgNames" #Options: match_variable - (Required) The variable type to be excluded. Possible values are QueryStringArgNames, RequestBodyPostArgNames, RequestCookieNames, RequestHeaderNames
operator = "Equals" #Options: Equals, Contains, StartsWith, EndsWith, EqualsAny
selector = "not_suspicious"
} #Add extra override exclusions here (e.g. ex2 = {...})
}
rule = {
r1 = {
rule_id = "933100"
action = "Block" #Options: Allow, Block, Log, or Redirect
enabled = false #Default: true
exclusion = {
ex1 = {
match_variable = "QueryStringArgNames" #Options: match_variable - (Required) The variable type to be excluded. Possible values are QueryStringArgNames, RequestBodyPostArgNames, RequestCookieNames, RequestHeaderNames
operator = "Equals" #Options: Equals, Contains, StartsWith, EndsWith, EqualsAny
selector = "not_suspicious"
} #Add extra rule exclusions here (e.g. ex2 = {...})
}
} #Add extra rule to override here (e.g. r2 = {...})
}
} #Add extra overrides here (e.g or2 = {...}
}
} #Add extra managed rules here (e.g. mr2 = {...})
}
tags = ""
} #Add extra WAF Policies here (e.g. waf2 = {...})
}| Name | Type | Description |
|---|---|---|
| front-door-object | Object | Object with the outputs from the Front Door provider. |
| front-door-waf-object | Object | Object with the outputs from the Front Door WAF provider. |
The WAF policies are linked to the Frontend Endpoints within Azure Front Door.