| app_gateway_v2_capacity_units |
App Gateway V2 capacity units |
number |
1 |
no |
| app_gateway_v2_cookie_based_affinity |
App Gateway V2 Cookie Based Affinity. Sets an affinity cookie in the response with a hash value which contains the session details, so that the subsequent requests carrying the affinity cookie will be routed to the same backend server for maintaining stickiness. |
string |
"Disabled" |
no |
| app_gateway_v2_custom_error_configuration |
A map of Status Codes to HTML URLs |
map(string) |
{} |
no |
| app_gateway_v2_enable_http2 |
App Gateway V2 enable HTTP2 |
bool |
true |
no |
| app_gateway_v2_frontend_port |
App Gateway V2 frontend port |
number |
80 |
no |
| app_gateway_v2_identity_ids |
App Gateway V2 User Assigned identity ids. If empty, one will be created. |
list(any) |
[] |
no |
| app_gateway_v2_waf_file_upload_limit_in_mb |
Maximum file size permitted in MB |
number |
100 |
no |
| app_gateway_v2_waf_managed_rulesets |
Map of all Managed rules you want to apply to the App Gateway WAF, including any overrides |
map(object({
version : string,
overrides : optional(map(object({
rules : map(object({
enabled : bool,
action : optional(string, "Block")
}))
})), {})
})) |
{
"Microsoft_BotManagerRuleSet": {
"version": "1.0"
},
"OWASP": {
"version": "3.2"
}
} |
no |
| app_gateway_v2_waf_managed_rulesets_exclusions |
Map of all exlusions and the assoicated Managed rules to apply to the App Gateway WAF |
map(object({
match_variable : string,
selector : string,
selector_match_operator : string,
excluded_rule_set : map(object({
version : string,
rule_group_name : string,
excluded_rules : list(string)
}))
})) |
{} |
no |
| app_gateway_v2_waf_max_request_body_size_in_kb |
Maximum request size for a single request in KB. Has no effect if 'app_gateway_v2_waf_request_body_enforcement' is set to 'false' |
number |
128 |
no |
| app_gateway_v2_waf_request_body_enforcement |
Should the firewall block a request with a body size greater than 'app_gateway_v2_waf_max_request_body_size_in_kb' |
bool |
true |
no |
| azure_location |
Azure location in which to launch resources. |
string |
n/a |
yes |
| cdn_add_response_headers |
List of response headers to add at the CDN Front Door for all endpoints [{ "Name" = "Strict-Transport-Security", "value" = "max-age=31536000" }] |
list(map(string)) |
[] |
no |
| cdn_host_redirects |
CDN FrontDoor host redirects [{ "from" = "example.com", "to" = "www.example.com" }] |
list(map(string)) |
[] |
no |
| cdn_remove_response_headers |
List of response headers to remove at the CDN Front Door for all endpoints |
list(string) |
[] |
no |
| cdn_sku |
Azure CDN Front Door SKU |
string |
"Standard_AzureFrontDoor" |
no |
| cdn_url_path_redirects |
CDN FrontDoor url path redirects [{ "redirect_type": "PermanentRedirect", "destination_path": "/example", "destination_hostname": "www.example.uk", "operator": "Equals", "match_values": ["/example"] }] |
list(object({
redirect_type = string
redirect_protocol = optional(string, null)
destination_path = optional(string, null)
destination_hostname = optional(string, null)
destination_fragment = optional(string, null)
query_string = optional(string, null)
operator = string
match_values = optional(list(string), [])
transforms = optional(list(string), [])
})) |
[] |
no |
| cdn_waf_custom_block_response_body |
Base64 encoded custom response body when the WAF blocks a request |
string |
"" |
no |
| cdn_waf_custom_block_response_status_code |
Custom response status code when the WAF blocks a request. |
number |
0 |
no |
| cdn_waf_enable_rate_limiting |
Deploy a Rate Limiting Policy on the Front Door WAF |
bool |
false |
no |
| cdn_waf_managed_rulesets |
Map of all Managed rules you want to apply to the CDN WAF, including any overrides, or exclusions |
map(object({
version : string,
action : optional(string, "Block"),
exclusions : optional(map(object({
match_variable : string,
operator : string,
selector : string
})), {})
overrides : optional(map(map(object({
action : string,
enabled : optional(bool, true),
exclusions : optional(map(object({
match_variable : string,
operator : string,
selector : string
})), {})
}))), {})
})) |
{
"BotProtection": {
"version": "preview-0.1"
},
"DefaultRuleSet": {
"version": "1.0"
}
} |
no |
| cdn_waf_rate_limiting_action |
Action to take when rate limiting (Block/Log) |
string |
"Block" |
no |
| cdn_waf_rate_limiting_bypass_ip_list |
List if IP CIDRs to bypass the Rate Limit Policy |
list(string) |
[] |
no |
| cdn_waf_rate_limiting_duration_in_minutes |
Number of minutes to BLOCK requests that hit the Rate Limit threshold |
number |
1 |
no |
| cdn_waf_rate_limiting_threshold |
Maximum number of concurrent requests before Rate Limiting policy is applied |
number |
300 |
no |
| enable_key_vault_app_gateway_certificates |
Deploy a Key Vault to hold TLS Certificates for use by App Gateway |
bool |
true |
no |
| enable_latency_monitor |
Enable CDN latency monitor |
bool |
false |
no |
| enable_waf |
Enable WAF |
bool |
false |
no |
| enable_waf_alert |
Toggle to enable or disable the WAF logs alert |
bool |
true |
no |
| environment |
Environment name. Will be used along with project_name as a prefix for all resources. |
string |
n/a |
yes |
| existing_logic_app_workflow |
Name, Resource Group and HTTP Trigger URL of an existing Logic App Workflow |
object({
name : string
resource_group_name : string
}) |
{
"name": "",
"resource_group_name": ""
} |
no |
| existing_monitor_action_group_id |
ID of an existing monitor action group |
string |
"" |
no |
| existing_resource_group |
Conditionally launch resources into an existing resource group. Specifying this will NOT create a resource group. |
string |
"" |
no |
| existing_virtual_network |
Conditionally use an existing virtual network. The virtual_network_address_space must match an existing address space in the VNet. This also requires the resource group name. |
string |
"" |
no |
| key_vault_app_gateway_certificates_access_ipv4 |
List of IPv4 Addresses that are permitted to access the App Gateway Certificates Key Vault |
list(string) |
[] |
no |
| key_vault_app_gateway_certificates_access_subnet_ids |
List of Azure Subnet IDs that are permitted to access the App Gateway Certificates Key Vault |
list(string) |
[] |
no |
| key_vault_app_gateway_certificates_access_users |
List of users that require access to the App Gateway Certificates Key Vault. This should be a list of User Principle Names (Found in Active Directory) that need to run terraform |
list(string) |
[] |
no |
| key_vault_app_gateway_enable_rbac |
Use RBAC authorisation on the App Gateway Certificates Key Vault. Has no effect if key_vault_app_gateway_certificates_access_users is defined. |
bool |
false |
no |
| latency_monitor_threshold |
CDN latency monitor threshold in milliseconds |
number |
5000 |
no |
| monitor_email_receivers |
A list of email addresses that should be notified by monitoring alerts |
list(string) |
[] |
no |
| project_name |
Project name. Will be used along with environment as a prefix for all resources. |
string |
n/a |
yes |
| response_request_timeout |
Azure CDN Front Door response timeout, or app gateway v2 request timeout in seconds |
number |
120 |
no |
| restrict_app_gateway_v2_to_front_door_inbound_only |
Restricts access to the App Gateway V2 by creating a network security group that only allows 'AzureFrontDoor.Backend' inbound, and attaches it to the subnet of the application gateway. |
bool |
false |
no |
| restrict_app_gateway_v2_to_front_door_inbound_only_destination_prefix |
If app gateway v2 has access restricted to front door only (by enabling restrict_app_gateway_v2_to_front_door_inbound_only), use this to set the destination prefix for the security group rule. |
string |
"*" |
no |
| restrict_app_gateway_v2_to_front_door_inbound_only_destination_prefixes |
If app gateway v2 has access restricted to front door only (by enabling restrict_app_gateway_v2_to_front_door_inbound_only), use this to set the destination prefixes for the security group rule. |
list(string) |
[] |
no |
| tags |
Tags to be applied to all resources |
map(string) |
{} |
no |
| virtual_network_address_space |
Virtual Network address space CIDR |
string |
"172.16.0.0/12" |
no |
| waf_application |
Which product to apply the WAF to. Must be either CDN or AppGatewayV2 |
string |
"CDN" |
no |
| waf_custom_rules |
Map of all Custom rules you want to apply to the WAF |
map(object({
priority : number,
action : string
match_conditions : map(object({
match_variable : string,
match_values : optional(list(string), []),
operator : optional(string, "Any"),
selector : optional(string, null),
negation_condition : optional(bool, false),
}))
})) |
{} |
no |
| waf_mode |
WAF mode |
string |
"Prevention" |
no |
| waf_targets |
Target endpoints to configure the WAF to point towards |
map(
object({
domain : string,
cdn_create_custom_domain : optional(bool, false),
custom_fqdn : optional(string, "")
app_gateway_v2_ssl_certificate_key_vault_id : optional(string, "")
enable_health_probe : optional(bool, true),
health_probe_interval : optional(number, 60),
health_probe_request_type : optional(string, "HEAD"),
health_probe_path : optional(string, "/"),
cdn_add_response_headers : optional(list(object({
name : string,
value : string
})
), [])
cdn_add_request_headers : optional(list(object({
name : string,
value : string
})
), [])
cdn_remove_response_headers : optional(list(string), [])
cdn_remove_request_headers : optional(list(string), [])
custom_errors : optional(object({
error_page_directory : string,
error_pages : map(string)
}), null)
})
) |
{} |
no |
