https://github.com/epomatti/az-static-webapps
Azure Static Web Apps demonstration with Private Link
- Host: GitHub
- URL: https://github.com/epomatti/az-static-webapps
- Owner: epomatti
- License: mit
- Created: 2022-05-11T17:28:10.000Z (about 4 years ago)
- Default Branch: main
- Last Pushed: 2025-05-16T14:51:49.000Z (about 1 year ago)
- Last Synced: 2025-06-26T08:42:54.474Z (12 months ago)
- Topics: application-gateway, azure, pulumi, static-web-app, terraform
- Language: HCL
- Homepage:
- Size: 134 KB
- Stars: 0
- Watchers: 2
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# Pulumi Azure Native - Private Endpoints, Static Web App
Private static web app accessible via Private Endpoints and blocked to the internet.
Since it is not possible to use a [custom domain](https://stackoverflow.com/a/72241461/3231778) with private endpoints, I deployed a private Application Gateway for the purpose of demonstration. This might not be optimal for a Static Web Site, but it gets the job done. It would be prohibitive, however, if you depend on Enterprise-Edge capabilities.

## Terraform
### Provisioning
Create the infrastructure:
```sh
cp config/local.auto.tfvars .auto.tfvars
mkdir -p .keys && ssh-keygen -f .keys/tmp_rsa
terraform init
terraform apply -auto-approve
```
## Manual App Deployment
https://learn.microsoft.com/en-us/azure/static-web-apps/static-web-apps-cli-deploy
## Pulumi
```sh
npm install
az login
pulumi up -s dev -y
```
## Configuration
#### 1 - Create the infrastructure with Pulumi
#### 2 - Once the Static Web App is deployed, copy the deployment token `AZURE_STATIC_WEB_APPS_API_TOKEN` to GitHub as an Action secret. Triggering the pipeline will deploy the code to Azure.
#### 3 - Site should be available via Private Endpoint - Use the Jumpbox VM for testing.
The Static Web Site will be available by its public name, but routed internally by the Private DNS Zone. External access is blocked by the Azure Firewall.
```sh
curl https://thankful-sand-084c7860f.1.azurestaticapps.net
```
For a detailed explanation check [this](https://stackoverflow.com/a/69423659/3231778) answer.
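To confirm from the jumpbox that the public name is answered by the Private DNS Zone and not by public DNS, a check along these lines can be run. It is an added example, not part of the repository: the function names and the use of `getent ahostsv4` are choices of this example, and it assumes the private endpoint sits in RFC 1918 address space.

```sh
#!/bin/sh
# Added example, not part of the repository.

# Return 0 if $1 is an RFC 1918 private IPv4 address, 1 otherwise.
is_private_ipv4() {
  case "$1" in
    ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # only digits separated by single dots
  esac
  IFS=. read -r o1 o2 o3 o4 extra <<EOF
$1
EOF
  [ -n "$o4" ] && [ -z "$extra" ] || return 1   # exactly four octets
  for o in "$o1" "$o2" "$o3" "$o4"; do
    case "$o" in ????*) return 1 ;; esac         # at most three digits
    [ "$o" -le 255 ] || return 1
  done
  if [ "$o1" -eq 10 ]; then return 0; fi
  if [ "$o1" -eq 172 ] && [ "$o2" -ge 16 ] && [ "$o2" -le 31 ]; then return 0; fi
  if [ "$o1" -eq 192 ] && [ "$o2" -eq 168 ]; then return 0; fi
  return 1
}

# Read resolver output on stdin, one "ADDRESS ..." entry per line (the layout
# printed by `getent ahostsv4`), and print one verdict:
#   private    - every address is RFC 1918 (name resolves to the Private Endpoint)
#   public     - at least one address is not (Private DNS Zone is not in effect)
#   unresolved - no addresses were returned
classify_resolution() {
  verdict=unresolved
  while read -r addr _rest; do
    [ -n "$addr" ] || continue
    if is_private_ipv4 "$addr"; then
      if [ "$verdict" = unresolved ]; then verdict=private; fi
    else
      verdict=public
    fi
  done
  echo "$verdict"
}

# Usage on the jumpbox: sh check_private_dns.sh <static-web-app-hostname>
if [ "$#" -gt 0 ]; then
  verdict=$(getent ahostsv4 "$1" | classify_resolution)
  echo "$1: $verdict"
  [ "$verdict" = private ]
fi
```

The script exits non-zero unless every returned address is private, so it can gate a post-deployment check; run from a machine outside the virtual network, the same hostname is expected to report `public`.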
#### 4 - Application Gateway
```sh
curl http://gateway.intranet.mycompany.com
# -k disables TLS certificate verification (the demo certificate is self-signed)
curl https://gateway.intranet.mycompany.com -k
```
---
#### Clean up
```sh
pulumi destroy -s dev -y
```
## Certificates
To generate your own certificates:
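```sh
# use intranet.mycompany.com for CN
# -x509 produces a self-signed certificate; -nodes leaves key.pem unencrypted
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 3650 -nodes
# bundle the key and certificate into a PKCS#12 file (prompts for an export password)
openssl pkcs12 -export -out keyStore.p12 -inkey key.pem -in cert.pem
```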