https://github.com/launchbynttdata/tf-azurerm-module_primitive-application_gateway
- Host: GitHub
- URL: https://github.com/launchbynttdata/tf-azurerm-module_primitive-application_gateway
- Owner: launchbynttdata
- License: apache-2.0
- Created: 2024-05-29T14:23:24.000Z (7 months ago)
- Default Branch: main
- Last Pushed: 2024-09-25T19:42:26.000Z (3 months ago)
- Last Synced: 2024-11-09T06:07:30.335Z (2 months ago)
- Topics: azure, primitive, terraform
- Language: HCL
- Size: 107 KB
- Stars: 0
- Watchers: 0
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
- Codeowners: CODEOWNERS
README
# tf-azurerm-module_primitive-application_gateway
[![License](https://img.shields.io/badge/License-Apache_2.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)
[![License: CC BY-NC-ND 4.0](https://img.shields.io/badge/License-CC_BY--NC--ND_4.0-lightgrey.svg)](https://creativecommons.org/licenses/by-nc-nd/4.0/)

## Overview

This Terraform module provisions an Azure Application Gateway as a single `azurerm_application_gateway` resource, including its frontend ports, listeners, backend pools, HTTP settings, routing rules, TLS policy and optional WAF configuration.
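A hardened invocation of this module, added here as a usage example; it is not code from the project's own repository or tests. It turns on WAF_v2 in Prevention mode, selects a newer predefined TLS policy (TLS 1.2 minimum) instead of the module default `AppGwSslPolicy20170401S`, references the listener certificate by Key Vault secret ID through a user-assigned identity, and keeps a port-80 listener only to redirect to HTTPS. The subnet, public IP, identity and certificate secret are assumed to exist already and are passed in by ID; all names and addresses are constructed, and the module is assumed to pass `ssl_policy`, `waf_configuration` and the listener/routing objects through to the `azurerm_application_gateway` resource as the Inputs table documents.

```hcl
# Added usage example for this README, not code from the
# tf-azurerm-module_primitive-application_gateway project itself. It assumes
# the gateway subnet, a static Standard-SKU public IP, a user-assigned identity
# that can read the certificate's Key Vault secret, and that certificate already
# exist and are passed in by ID. Names and addresses are constructed.

variable "subnet_id" { type = string }
variable "public_ip_address_id" { type = string }
variable "user_assigned_identity_id" { type = string }
variable "kv_certificate_secret_id" { type = string } # versionless secret ID, so rotation is picked up

module "app_gateway" {
  # Pin to a release tag of the repository in real use; no tag is assumed here.
  source = "git::https://github.com/launchbynttdata/tf-azurerm-module_primitive-application_gateway.git"

  name                           = "agw-web-prod"
  location                       = "eastus"
  resource_group_name            = "rg-web-prod"
  subnet_id                      = var.subnet_id
  gateway_ip_configuration_name  = "gw-ipcfg"
  frontend_ip_configuration_name = "fe-public"
  public_ip_address_id           = var.public_ip_address_id

  # WAF_v2 in Prevention mode; Detection would only log OWASP rule hits.
  sku = "WAF_v2"
  waf_configuration = {
    firewall_mode    = "Prevention"
    rule_set_type    = "OWASP"
    rule_set_version = "3.1"
  }

  # Newer predefined TLS policy (TLS 1.2 minimum) instead of the module's
  # default AppGwSslPolicy20170401S.
  ssl_policy = {
    policy_type = "Predefined"
    policy_name = "AppGwSslPolicy20220101S"
  }

  # The certificate is fetched from Key Vault by the user-assigned identity, so
  # no PFX blob or password is written into tfvars or the Terraform state.
  user_assigned_identity_id = var.user_assigned_identity_id
  ssl_certificates_configs = [{
    name                = "web-tls"
    key_vault_secret_id = var.kv_certificate_secret_id
  }]

  frontend_port_settings = [
    { name = "port-443", port = 443 },
    { name = "port-80", port = 80 },
  ]

  appgw_http_listeners = [
    {
      name                 = "https-web"
      frontend_port_name   = "port-443"
      protocol             = "Https"
      host_name            = "www.example.com"
      require_sni          = true
      ssl_certificate_name = "web-tls"
    },
    { name = "http-web", frontend_port_name = "port-80", protocol = "Http", host_name = "www.example.com" },
  ]

  # Port 80 is never forwarded to the backend: it is redirected to the HTTPS listener.
  appgw_redirect_configuration = [{
    name                 = "http-to-https"
    redirect_type        = "Permanent"
    target_listener_name = "https-web"
  }]

  appgw_backend_pools = [{
    name         = "web-pool"
    ip_addresses = ["10.10.2.4", "10.10.2.5"]
  }]

  # Re-encrypt to the backend on 443 with an explicit Host header for the backend.
  appgw_backend_http_settings = [{
    name                                = "web-https"
    port                                = 443
    protocol                            = "Https"
    host_name                           = "web.internal.example.com"
    pick_host_name_from_backend_address = false
  }]

  # Priorities are mandatory with the azurerm v3 provider; the lower number wins.
  appgw_routings = [
    { name = "https-rule", http_listener_name = "https-web", backend_address_pool_name = "web-pool", backend_http_settings_name = "web-https", priority = 10 },
    { name = "http-redirect-rule", http_listener_name = "http-web", redirect_configuration_name = "http-to-https", priority = 20 },
  ]

  tags = { environment = "prod" }
}
```

Supplying `data` and `password` in `ssl_certificates_configs` instead of `key_vault_secret_id` puts the PFX and its password into `terraform.tfvars` and into the state file; the Key Vault reference keeps the private key in the vault, and with a versionless secret ID a renewed certificate is picked up without a Terraform change.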
## Pre-Commit hooks
The [.pre-commit-config.yaml](.pre-commit-config.yaml) file defines the `pre-commit` hooks used by this repository; they cover Terraform, Go and common linting tasks. There are no custom hooks.

The `commitlint` hook enforces a commit message format. A commit message uses the following structural elements to communicate intent to the consumers of your commit history:

- **fix**: a commit of the type `fix` patches a bug in your codebase (this correlates with PATCH in Semantic Versioning).
- **feat**: a commit of the type `feat` introduces a new feature to the codebase (this correlates with MINOR in Semantic Versioning).
- **BREAKING CHANGE**: a commit that has a footer `BREAKING CHANGE:`, or appends a `!` after the type/scope, introduces a breaking API change (correlating with MAJOR in Semantic Versioning). A BREAKING CHANGE can be part of commits of any type. Footers other than `BREAKING CHANGE:` may be provided and follow a convention similar to the git trailer format.
- **build**: a commit of the type `build` adds changes that affect the build system or external dependencies (example scopes: gulp, broccoli, npm)
- **chore**: a commit of the type `chore` adds changes that don't modify src or test files
- **ci**: a commit of the type `ci` adds changes to our CI configuration files and scripts (example scopes: Travis, Circle, BrowserStack, SauceLabs)
- **docs**: a commit of the type `docs` adds documentation only changes
- **perf**: a commit of the type `perf` adds code change that improves performance
- **refactor**: a commit of the type `refactor` adds code change that neither fixes a bug nor adds a feature
- **revert**: a commit of the type `revert` reverts a previous commit
- **style**: a commit of the type `style` adds code changes that do not affect the meaning of the code (white-space, formatting, missing semi-colons, etc)
- **test**: a commit of the type `test` adds missing tests or corrects existing tests

The base configuration used for this project is [commitlint-config-conventional (based on the Angular convention)](https://github.com/conventional-changelog/commitlint/tree/master/@commitlint/config-conventional#type-enum).

If you are a developer using VS Code, [this](https://marketplace.visualstudio.com/items?itemName=joshbolduc.commitlint) plugin may be helpful.
The `detect-secrets-hook` scans the files staged for commit and rejects the commit if it finds a credential that is not already recorded in the repository's detect-secrets baseline, so new secrets cannot be introduced silently. TODO: INSERT DOC LINK ABOUT HOOKS
For the `pre-commit` hooks to work properly:

- You need the `pre-commit` package manager installed. [Here](https://pre-commit.com/#install) are the installation instructions.
- `pre-commit install` installs all hooks for the default commit stage, but not the `commitlint` hook, which runs at the `commit-msg` stage and must be installed separately with the command below:

```
pre-commit install --hook-type commit-msg
```

## To test the module locally
1. For development/enhancements to this module locally, you'll need to install all of its components. This is controlled by the `configure` target in the project's [`Makefile`](./Makefile). Before you can run `configure`, familiarize yourself with the variables in the `Makefile` and ensure they're pointing to the right places.

```
make configure
```

This adds several files and directories that are ignored by `git`. They expose many new Make targets.
2. _THIS STEP APPLIES ONLY TO MICROSOFT AZURE. IF YOU ARE USING A DIFFERENT PLATFORM PLEASE SKIP THIS STEP._ The first target you care about is `env`. This is the common interface for setting up environment variables. The values of the environment variables are used to authenticate with the cloud provider from the local development workstation.

`make configure` downloads an `azure_env.sh` file to the local workstation. The developer needs to edit this file and replace the environment variable values with the values for their own tenant and subscription. Keep this file out of version control; it is among the files `make configure` brings down that `git` ignores, and the credentials in it should never be committed.

These environment variables are used by the `terratest` integration suite.

The service principal used for authentication (the value of `ARM_CLIENT_ID`) needs the following permissions on the resource group within the subscription:

```
"Microsoft.Resources/subscriptions/resourceGroups/write"
"Microsoft.Resources/subscriptions/resourceGroups/read"
"Microsoft.Resources/subscriptions/resourceGroups/delete"
```

These actions only cover creating, reading and deleting the resource group itself. The test run also deploys the Application Gateway and its network dependencies inside that group, so the principal additionally needs write access to the corresponding `Microsoft.Network` resources; scope that role assignment to the test subscription or resource group rather than granting it more broadly.

Then run this make target to set the environment variables on the developer workstation:

```
make env
```

3. The next target you care about is `check`.
**Pre-requisites**

Before running this target, the developer must create the files listed below on the local workstation, under the root directory of the git repository that contains the code for primitives/segments. Note that these files are `azure` specific. If the primitive/segment under development uses a cloud provider other than Azure, this section may not be relevant.

- A file named `provider.tf` with the contents below:

```
provider "azurerm" {
  features {}
}
```

- A file named `terraform.tfvars` which contains the key/value pairs for the variables used.

Note that since these files are listed in `.gitignore`, they will not be checked in to the primitive/segment's git repo.

After creating these files, run the tests associated with the primitive/segment with:

```
make check
```

If the `make check` target succeeds, the developer is good to commit the code to the primitive/segment's git repo.

The `make check` target:

- runs `terraform` commands to `lint`, `validate` and `plan` the Terraform code.
- runs `conftest`, which makes sure the `policy` checks are successful.
- runs `terratest`, the integration test suite.
- runs `opa` tests.

## Requirements
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | ~> 1.0 |
| [azurerm](#requirement\_azurerm) | ~> 3.77 |

## Providers

| Name | Version |
|------|---------|
| [azurerm](#provider\_azurerm) | 3.116.0 |

## Modules

No modules.

## Resources

| Name | Type |
|------|------|
| [azurerm_application_gateway.app_gateway](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/application_gateway) | resource |

## Inputs
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| [name](#input\_name) | Name of the application gateway. | `string` | n/a | yes |
| [location](#input\_location) | Azure location. | `string` | n/a | yes |
| [resource\_group\_name](#input\_resource\_group\_name) | Resource group name | `string` | n/a | yes |
| [frontend\_ip\_configuration\_name](#input\_frontend\_ip\_configuration\_name) | Name of the frontend IP configuration. | `string` | n/a | yes |
| [public\_ip\_address\_id](#input\_public\_ip\_address\_id) | ID of the public IP address to use for the frontend IP configuration. | `string` | `null` | no |
| [frontend\_private\_ip\_configuration\_name](#input\_frontend\_private\_ip\_configuration\_name) | Name of the frontend private IP configuration. | `string` | `null` | no |
| [gateway\_ip\_configuration\_name](#input\_gateway\_ip\_configuration\_name) | Name of the gateway IP configuration. | `string` | n/a | yes |
| [sku\_capacity](#input\_sku\_capacity) | The Capacity of the SKU to use for this Application Gateway - which must be between 1 and 10, optional if autoscale\_configuration is set | `number` | `2` | no |
| [sku](#input\_sku) | The Name of the SKU to use for this Application Gateway. Possible values are Standard\_v2 and WAF\_v2. | `string` | `"Standard_v2"` | no |
| [zones](#input\_zones) | A collection of availability zones to spread the Application Gateway over. This option is only supported for v2 SKUs | `list(number)` | <pre>[<br>  1,<br>  2,<br>  3<br>]</pre> | no |
| [frontend\_port\_settings](#input\_frontend\_port\_settings) | Frontend port settings. Each port setting contains the name and the port for the frontend port. | <pre>list(object({<br>  name = string<br>  port = number<br>}))</pre> | n/a | yes |
| [ssl\_policy](#input\_ssl\_policy) | Application Gateway SSL configuration. The list of available policies can be found here: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/application_gateway#disabled_protocols | <pre>object({<br>  disabled_protocols   = optional(list(string), [])<br>  policy_type          = optional(string, "Predefined")<br>  policy_name          = optional(string, "AppGwSslPolicy20170401S")<br>  cipher_suites        = optional(list(string), [])<br>  min_protocol_version = optional(string, "TLSv1_2")<br>})</pre> | `null` | no |
| [ssl\_profile](#input\_ssl\_profile) | Application Gateway SSL profile. The default profile is used when this variable is set to null. https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/application_gateway#name | <pre>list(object({<br>  name                             = string<br>  trusted_client_certificate_names = optional(list(string), [])<br>  verify_client_cert_issuer_dn     = optional(bool, false)<br>  ssl_policy = optional(object({<br>    disabled_protocols   = optional(list(string), [])<br>    policy_type          = optional(string, "Predefined")<br>    policy_name          = optional(string, "AppGwSslPolicy20170401S")<br>    cipher_suites        = optional(list(string), [])<br>    min_protocol_version = optional(string, "TLSv1_2")<br>  }))<br>}))</pre> | `[]` | no |
| [firewall\_policy\_id](#input\_firewall\_policy\_id) | ID of a Web Application Firewall Policy | `string` | `null` | no |
| [trusted\_root\_certificate\_configs](#input\_trusted\_root\_certificate\_configs) | List of trusted root certificates. `file_path` is checked first, using `data` (base64 cert content) if null. This parameter is required if you are not using a trusted certificate authority (e.g. a self-signed certificate). | <pre>list(object({<br>  name                = string<br>  data                = optional(string)<br>  file_path           = optional(string)<br>  key_vault_secret_id = optional(string)<br>}))</pre> | `[]` | no |
| [appgw\_backend\_pools](#input\_appgw\_backend\_pools) | List of objects with backend pool configurations. | <pre>list(object({<br>  name         = string<br>  fqdns        = optional(list(string))<br>  ip_addresses = optional(list(string))<br>}))</pre> | n/a | yes |
| [appgw\_http\_listeners](#input\_appgw\_http\_listeners) | List of objects with HTTP listener configurations and custom error configurations. | <pre>list(object({<br>  name                           = string<br>  frontend_ip_configuration_name = optional(string)<br>  frontend_port_name             = optional(string)<br>  host_name                      = optional(string)<br>  host_names                     = optional(list(string))<br>  protocol                       = optional(string, "Https")<br>  require_sni                    = optional(bool, false)<br>  ssl_certificate_name           = optional(string)<br>  ssl_profile_name               = optional(string)<br>  firewall_policy_id             = optional(string)<br>  custom_error_configuration = optional(list(object({<br>    status_code           = string<br>    custom_error_page_url = string<br>  })), [])<br>}))</pre> | n/a | yes |
| [custom\_error\_configuration](#input\_custom\_error\_configuration) | List of objects with global level custom error configurations. | <pre>list(object({<br>  status_code           = string<br>  custom_error_page_url = string<br>}))</pre> | `[]` | no |
| [ssl\_certificates\_configs](#input\_ssl\_certificates\_configs) | List of objects with SSL certificate configurations. The path to a base64-encoded certificate is expected in the `data` attribute: `data = filebase64("./file_path")` | <pre>list(object({<br>  name                = string<br>  data                = optional(string)<br>  password            = optional(string)<br>  key_vault_secret_id = optional(string)<br>}))</pre> | `[]` | no |
| [authentication\_certificates\_configs](#input\_authentication\_certificates\_configs) | List of objects with authentication certificate configurations. The path to a base64-encoded certificate is expected in the `data` attribute: `data = filebase64("./file_path")` | <pre>list(object({<br>  name = string<br>  data = string<br>}))</pre> | `[]` | no |
| [trusted\_client\_certificates\_configs](#input\_trusted\_client\_certificates\_configs) | List of objects with trusted client certificate configurations. The path to a base64-encoded certificate is expected in the `data` attribute: `data = filebase64("./file_path")` | <pre>list(object({<br>  name = string<br>  data = string<br>}))</pre> | `[]` | no |
| [appgw\_routings](#input\_appgw\_routings) | List of objects with request routing rule configurations. With the AzureRM v3+ provider, the `priority` attribute is mandatory. | <pre>list(object({<br>  name                        = string<br>  rule_type                   = optional(string, "Basic")<br>  http_listener_name          = optional(string)<br>  backend_address_pool_name   = optional(string)<br>  backend_http_settings_name  = optional(string)<br>  url_path_map_name           = optional(string)<br>  redirect_configuration_name = optional(string)<br>  rewrite_rule_set_name       = optional(string)<br>  priority                    = optional(number)<br>}))</pre> | n/a | yes |
| [appgw\_probes](#input\_appgw\_probes) | List of objects with probe configurations. | <pre>list(object({<br>  name                                      = string<br>  host                                      = optional(string)<br>  port                                      = optional(number, null)<br>  interval                                  = optional(number, 30)<br>  path                                      = optional(string, "/")<br>  protocol                                  = optional(string, "Https")<br>  timeout                                   = optional(number, 30)<br>  unhealthy_threshold                       = optional(number, 3)<br>  pick_host_name_from_backend_http_settings = optional(bool, false)<br>  minimum_servers                           = optional(number, 0)<br>  match = optional(object({<br>    body        = optional(string, "")<br>    status_code = optional(list(string), ["200-399"])<br>  }), {})<br>}))</pre> | `[]` | no |
| [appgw\_backend\_http\_settings](#input\_appgw\_backend\_http\_settings) | List of objects with backend HTTP settings configurations. | <pre>list(object({<br>  name                                = string<br>  port                                = optional(number, 443)<br>  protocol                            = optional(string, "Https")<br>  path                                = optional(string)<br>  probe_name                          = optional(string)<br>  cookie_based_affinity               = optional(string, "Disabled")<br>  affinity_cookie_name                = optional(string, "ApplicationGatewayAffinity")<br>  request_timeout                     = optional(number, 20)<br>  host_name                           = optional(string)<br>  pick_host_name_from_backend_address = optional(bool, true)<br>  trusted_root_certificate_names      = optional(list(string), [])<br>  authentication_certificate          = optional(string)<br>  connection_draining_timeout_sec     = optional(number)<br>}))</pre> | n/a | yes |
| [appgw\_url\_path\_map](#input\_appgw\_url\_path\_map) | List of objects with URL path map configurations. | <pre>list(object({<br>  name                                = string<br>  default_backend_address_pool_name   = optional(string)<br>  default_redirect_configuration_name = optional(string)<br>  default_backend_http_settings_name  = optional(string)<br>  default_rewrite_rule_set_name       = optional(string)<br>  path_rules = list(object({<br>    name                        = string<br>    backend_address_pool_name   = optional(string)<br>    backend_http_settings_name  = optional(string)<br>    rewrite_rule_set_name       = optional(string)<br>    redirect_configuration_name = optional(string)<br>    paths                       = optional(list(string), [])<br>  }))<br>}))</pre> | `[]` | no |
| [appgw\_redirect\_configuration](#input\_appgw\_redirect\_configuration) | List of objects with redirect configurations. | <pre>list(object({<br>  name                 = string<br>  redirect_type        = optional(string, "Permanent")<br>  target_listener_name = optional(string)<br>  target_url           = optional(string)<br>  include_path         = optional(bool, true)<br>  include_query_string = optional(bool, true)<br>}))</pre> | `[]` | no |
| [appgw\_rewrite\_rule\_set](#input\_appgw\_rewrite\_rule\_set) | List of rewrite rule set objects with rewrite rules. | <pre>list(object({<br>  name = string<br>  rewrite_rules = list(object({<br>    name          = string<br>    rule_sequence = string<br>    conditions = optional(list(object({<br>      variable    = string<br>      pattern     = string<br>      ignore_case = optional(bool, false)<br>      negate      = optional(bool, false)<br>    })), [])<br>    response_header_configurations = optional(list(object({<br>      header_name  = string<br>      header_value = string<br>    })), [])<br>    request_header_configurations = optional(list(object({<br>      header_name  = string<br>      header_value = string<br>    })), [])<br>    url_reroute = optional(object({<br>      path         = optional(string)<br>      query_string = optional(string)<br>      components   = optional(string)<br>      reroute      = optional(bool)<br>    }))<br>  }))<br>}))</pre> | `[]` | no |
| [force\_firewall\_policy\_association](#input\_force\_firewall\_policy\_association) | Enable if the Firewall Policy is associated with the Application Gateway. | `bool` | `false` | no |
| [waf\_configuration](#input\_waf\_configuration) | WAF configuration object (only available with the WAF\_v2 SKU) with the following attributes:<br>- enabled: Boolean to enable WAF.<br>- file_upload_limit_mb: The File Upload Limit in MB. Accepted values are in the range 1MB to 500MB.<br>- firewall_mode: The Web Application Firewall Mode. Possible values are Detection and Prevention.<br>- max_request_body_size_kb: The Maximum Request Body Size in KB. Accepted values are in the range 1KB to 128KB.<br>- request_body_check: Is Request Body Inspection enabled?<br>- rule_set_type: The Type of the Rule Set used for this Web Application Firewall.<br>- rule_set_version: The Version of the Rule Set used for this Web Application Firewall. Possible values are 2.2.9, 3.0, and 3.1.<br>- disabled_rule_group: The rule group where specific rules should be disabled. Accepted values can be found here: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/application_gateway#rule_group_name<br>- exclusion: WAF exclusion rules to exclude a header, cookie or GET argument. More information on: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/application_gateway#match_variable | <pre>object({<br>  enabled                  = optional(bool, true)<br>  file_upload_limit_mb     = optional(number, 100)<br>  firewall_mode            = optional(string, "Prevention")<br>  max_request_body_size_kb = optional(number, 128)<br>  request_body_check       = optional(bool, true)<br>  rule_set_type            = optional(string, "OWASP")<br>  rule_set_version         = optional(string, 3.1)<br>  disabled_rule_group = optional(list(object({<br>    rule_group_name = string<br>    rules           = optional(list(string))<br>  })), [])<br>  exclusion = optional(list(object({<br>    match_variable          = string<br>    selector                = optional(string)<br>    selector_match_operator = optional(string)<br>  })), [])<br>})</pre> | `{}` | no |
| [disable\_waf\_rules\_for\_dev\_portal](#input\_disable\_waf\_rules\_for\_dev\_portal) | Whether to disable some WAF rules if the APIM developer portal is hosted behind this Application Gateway. See locals.tf for the documentation link. | `bool` | `false` | no |
| [subnet\_id](#input\_subnet\_id) | Subnet ID for attaching the Application Gateway. This is a mandatory field; every Application Gateway must be assigned a subnet. | `string` | n/a | yes |
| [user\_assigned\_identity\_id](#input\_user\_assigned\_identity\_id) | ID of the user-assigned identity assigned to this resource. | `string` | `null` | no |
| [appgw\_private](#input\_appgw\_private) | Boolean variable to create a private Application Gateway. When `true`, the default HTTP listener will listen on the private IP instead of the public IP. | `bool` | `false` | no |
| [appgw\_private\_ip](#input\_appgw\_private\_ip) | Static private IP for the Application Gateway. Must be within the range of the subnet used for the Application Gateway. Mandatory when variable `appgw_private` is set to `true`. | `string` | `null` | no |
| [enable\_http2](#input\_enable\_http2) | Whether to enable HTTP/2 or not | `bool` | `true` | no |
| [autoscaling\_parameters](#input\_autoscaling\_parameters) | Map containing autoscaling parameters. Must contain at least min\_capacity | <pre>object({<br>  min_capacity = number<br>  max_capacity = optional(number, 5)<br>})</pre> | `null` | no |
| [tags](#input\_tags) | A mapping of tags to assign to the resource. | `map(string)` | `{}` | no |

## Outputs
| Name | Description |
|------|-------------|
| [id](#output\_id) | The ID of the Application Gateway. |
| [name](#output\_name) | The name of the Application Gateway. |
| [frontend\_ip\_configuration](#output\_frontend\_ip\_configuration) | The frontend IP configuration of the Application Gateway. |
| [frontend\_port](#output\_frontend\_port) | The frontend port of the Application Gateway. |
| [backend\_address\_pool](#output\_backend\_address\_pool) | The backend address pool of the Application Gateway. |