terraform-azurerm-app-gateway

Terraform module for Azure Application Gateway


Azure Application Gateway


This Terraform module creates an Application Gateway associated with a Public IP and a Subnet, together with a Network Security Group and network security rules that allow port 443 and the ports used by the Application Gateway's internal health checks. Diagnostic logs are enabled.

Naming

Resource naming follows the Microsoft CAF naming convention best practices. Legacy naming is available by setting the parameter use_caf_naming to false. We rely on the official Terraform Azure CAF naming provider to generate resource names.

Global versioning rule for Claranet Azure modules

Module version Terraform version AzureRM version
>= 5.x.x 0.15.x & 1.0.x >= 2.0
>= 4.x.x 0.13.x >= 2.0
>= 3.x.x 0.12.x >= 2.0
>= 2.x.x 0.12.x < 2.0
< 2.x.x 0.11.x < 2.0

Usage

This module is optimized to work with the Claranet terraform-wrapper tool, which sets some Terraform variables in the environment that this module needs. More details about the variables set by the terraform-wrapper are available in the documentation.

module "azure_region" {
  source  = "claranet/regions/azurerm"
  version = "x.x.x"

  azure_region = var.azure_region
}

module "rg" {
  source  = "claranet/rg/azurerm"
  version = "x.x.x"

  location    = module.azure_region.location
  client_name = var.client_name
  environment = var.environment
  stack       = var.stack
}

module "run_common" {
  source  = "claranet/run-common/azurerm"
  version = "x.x.x"

  client_name         = var.client_name
  location            = module.azure_region.location
  location_short      = module.azure_region.location_short
  environment         = var.environment
  stack               = var.stack
  resource_group_name = module.rg.resource_group_name

  tenant_id = var.azure_tenant_id

  monitoring_function_splunk_token = null
}

module "azure_virtual_network" {
  source  = "claranet/vnet/azurerm"
  version = "x.x.x"

  environment    = var.environment
  location       = module.azure_region.location
  location_short = module.azure_region.location_short
  client_name    = var.client_name
  stack          = var.stack

  resource_group_name = module.rg.resource_group_name

  vnet_cidr = ["192.168.0.0/16"]
}
module "appgw_v2" {
  source  = "claranet/app-gateway/azurerm"
  version = "x.x.x"

  stack               = var.stack
  environment         = var.environment
  location            = module.azure_region.location
  location_short      = module.azure_region.location_short
  client_name         = var.client_name
  resource_group_name = module.rg.resource_group_name

  virtual_network_name = module.azure_virtual_network.virtual_network_name
  subnet_cidr          = "192.168.1.0/24"

  appgw_backend_http_settings = [{
    name                  = "${var.stack}-${var.client_name}-${module.azure_region.location_short}-${var.environment}-backhttpsettings"
    cookie_based_affinity = "Disabled"
    path                  = "/"
    port                  = 443
    protocol              = "Https"
    request_timeout       = 300
  }]

  appgw_backend_pools = [{
    name  = "${var.stack}-${var.client_name}-${module.azure_region.location_short}-${var.environment}-backendpool"
    fqdns = ["example.com"]
  }]

  appgw_routings = [{
    name                       = "${var.stack}-${var.client_name}-${module.azure_region.location_short}-${var.environment}-routing-https"
    rule_type                  = "Basic"
    http_listener_name         = "${var.stack}-${var.client_name}-${module.azure_region.location_short}-${var.environment}-listener-https"
    backend_address_pool_name  = "${var.stack}-${var.client_name}-${module.azure_region.location_short}-${var.environment}-backendpool"
    backend_http_settings_name = "${var.stack}-${var.client_name}-${module.azure_region.location_short}-${var.environment}-backhttpsettings"
  }]

  appgw_http_listeners = [{
    name                           = "${var.stack}-${var.client_name}-${module.azure_region.location_short}-${var.environment}-listener-https"
    frontend_ip_configuration_name = "${var.stack}-${var.client_name}-${module.azure_region.location_short}-${var.environment}-frontipconfig"
    frontend_port_name             = "frontend-https-port"
    protocol                       = "Https"
    ssl_certificate_name           = "${var.stack}-${var.client_name}-${module.azure_region.location_short}-${var.environment}-example-com-sslcert"
    host_name                      = "example.com"
    require_sni                    = true
    custom_error_configuration = {
      custom1 = {
        custom_error_page_url = "https://example.com/custom_error_403_page.html"
        status_code           = "HttpStatus403"
      },
      custom2 = {
        custom_error_page_url = "https://example.com/custom_error_502_page.html"
        status_code           = "HttpStatus502"
      }
    }
  }]

  custom_error_configuration = [
    {
      custom_error_page_url = "https://example.com/custom_error_403_page.html"
      status_code           = "HttpStatus403"
    },
    {
      custom_error_page_url = "https://example.com/custom_error_502_page.html"
      status_code           = "HttpStatus502"
    }
  ]

  frontend_port_settings = [{
    name = "frontend-https-port"
    port = 443
  }]

  ssl_certificates_configs = [{
    name     = "${var.stack}-${var.client_name}-${module.azure_region.location_short}-${var.environment}-example-com-sslcert"
    data     = var.certificate_example_com_filebase64
    password = var.certificate_example_com_password
  }]

  ssl_policy = {
    policy_type = "Predefined"
    policy_name = "AppGwSslPolicy20170401S"
  }

  autoscaling_parameters = {
    min_capacity = 2
    max_capacity = 15
  }

  logs_destinations_ids = [
    module.run_common.log_analytics_workspace_id,
    module.run_common.logs_storage_account_id,
  ]
}

Providers

Name Version
azurecaf ~> 1.1
azurerm >= 2.56

Modules

Name Source Version
azure_network_security_group claranet/nsg/azurerm 4.1.1
azure_network_subnet claranet/subnet/azurerm 4.2.1
diagnostics claranet/diagnostic-settings/azurerm 4.0.2

Resources

Name Type
azurecaf_name.appgw resource
azurecaf_name.frontipconfig resource
azurecaf_name.frontipconfig_priv resource
azurecaf_name.gwipconfig resource
azurecaf_name.nsg_appgw resource
azurecaf_name.nsr_healthcheck resource
azurecaf_name.nsr_https resource
azurecaf_name.pip_appgw resource
azurecaf_name.subnet_appgw resource
azurerm_application_gateway.app_gateway resource
azurerm_network_security_rule.allow_health_probe_app_gateway resource
azurerm_network_security_rule.web resource
azurerm_public_ip.ip resource

Inputs

Name Description Type Default Required
app_gateway_tags Application Gateway tags. map(string) {} no
appgw_backend_http_settings List of maps including backend http settings configurations any n/a yes
appgw_backend_pools List of maps including backend pool configurations any n/a yes
appgw_http_listeners List of maps including HTTP listener configurations, each optionally carrying a map of maps of listener-level custom error configurations any n/a yes
appgw_private Boolean variable to create a private Application Gateway. When true, the default HTTP listener listens on the private IP instead of the public IP. bool false no
appgw_private_ip Private IP for Application Gateway. Used when variable appgw_private is set to true. string null no
appgw_probes List of maps including request probes configurations any [] no
appgw_redirect_configuration List of maps including redirect configurations list(map(string)) [] no
appgw_rewrite_rule_set List of rewrite rule set including rewrite rules any [] no
appgw_routings List of maps including request routing rules configurations list(map(string)) n/a yes
appgw_url_path_map List of maps including url path map configurations any [] no
autoscaling_parameters Map containing autoscaling parameters. Must contain at least min_capacity map(string) null no
client_name Client name/account used in naming string n/a yes
create_nsg Boolean to create the network security group. bool false no
create_nsg_healthprobe_rule Boolean to create the network security group rule for the health probes. bool true no
create_nsg_https_rule Boolean to create the network security group rule opening https to everyone. bool true no
create_subnet Boolean to create subnet with this module. bool true no
custom_appgw_name Application Gateway custom name. Generated by default. string "" no
custom_error_configuration List of maps including global level custom error configurations list(map(string)) [] no
custom_frontend_ip_configuration_name The custom name of the Frontend IP Configuration used. Generated by default. string "" no
custom_frontend_priv_ip_configuration_name The Name of the private Frontend IP Configuration used for this HTTP Listener. string "" no
custom_gateway_ip_configuration_name The Name of the Application Gateway IP Configuration. string "" no
custom_ip_label Domain name label for public IP. string "" no
custom_ip_name Public IP custom name. Generated by default. string "" no
custom_nsg_name Custom name for the network security group. string null no
custom_nsr_healthcheck_name Custom name for the network security rule for internal health check of Application Gateway. string null no
custom_nsr_https_name Custom name for the network security rule for HTTPS protocol. string null no
custom_subnet_name Custom name for the subnet. string "" no
disable_waf_rules_for_dev_portal Whether to disable some WAF rules if the APIM developer portal is hosted behind this Application Gateway. See locals.tf for the documentation link bool false no
disabled_rule_group_settings The rule group where specific rules should be disabled. Accepted values can be found here: https://www.terraform.io/docs/providers/azurerm/r/application_gateway.html#rule_group_name list(object({ rule_group_name = string, rules = list(string) })) [] no
enable_http2 Whether to enable http2 or not bool true no
enable_waf Boolean to enable WAF. bool true no
environment Project environment string n/a yes
extra_tags Extra tags to add map(string) {} no
file_upload_limit_mb The File Upload Limit in MB. Accepted values are in the range 1MB to 500MB. Defaults to 100MB. number 100 no
frontend_port_settings Frontend port settings. Each port setting contains the name and the port for the frontend port. list(map(string)) n/a yes
ip_allocation_method Allocation method for the public IP. Warning, can only be Static for the moment. string "Static" no
ip_sku SKU for the public IP. Warning, can only be Standard for the moment. string "Standard" no
ip_tags Public IP tags. map(string) {} no
location Azure location. string n/a yes
location_short Short string for Azure location. string n/a yes
logs_categories Log categories to send to destinations. list(string) null no
logs_destinations_ids List of destination resources Ids for logs diagnostics destination. Can be Storage Account, Log Analytics Workspace and Event Hub. No more than one of each can be set. Empty list to disable logging. list(string) n/a yes
logs_metrics_categories Metrics categories to send to destinations. list(string) null no
logs_retention_days Number of days to keep logs on storage account number 30 no
max_request_body_size_kb The Maximum Request Body Size in KB. Accepted values are in the range 1KB to 128KB. number 128 no
name_prefix Optional prefix for the generated name string "" no
name_suffix Optional suffix for the generated name string "" no
nsr_https_source_address_prefix Source address prefix to allow to access on port 443 defined in dedicated network security rule. string "*" no
request_body_check Is Request Body Inspection enabled? bool true no
resource_group_name Resource group name string n/a yes
route_table_name The Route Table name to associate with the subnet string null no
route_table_rg The Route Table RG to associate with the subnet. Defaults to the same RG as the subnet. string null no
rule_set_type The Type of the Rule Set used for this Web Application Firewall. string "OWASP" no
rule_set_version The Version of the Rule Set used for this Web Application Firewall. Possible values are 2.2.9, 3.0, and 3.1. number 3.1 no
sku The Name of the SKU to use for this Application Gateway. Possible values are Standard_v2 and WAF_v2. string "WAF_v2" no
sku_capacity The Capacity of the SKU to use for this Application Gateway - which must be between 1 and 10, optional if autoscale_configuration is set number 2 no
ssl_certificates_configs List of maps including SSL certificate configurations. The base64-encoded certificate is expected in the 'data' parameter, e.g. data = filebase64("./file_path") list(map(string)) [] no
ssl_policy Application Gateway SSL configuration. The list of available policies can be found here: https://docs.microsoft.com/en-us/azure/application-gateway/application-gateway-ssl-policy-overview#predefined-ssl-policy any null no
stack Project stack name string n/a yes
subnet_cidr Subnet CIDR to create. string "" no
subnet_id Custom subnet ID for attaching the Application Gateway. Used only when the variable create_subnet = false. string "" no
subnet_resource_group_name Resource group name of the subnet. string "" no
trusted_root_certificate_configs List of trusted root certificates. The required values for each trusted root certificate are 'name' and either 'data' or 'filename'. This parameter is required if you are not using a trusted certificate authority (e.g. a self-signed certificate). list(map(string)) [] no
use_caf_naming Use the Azure CAF naming provider to generate default resource names. custom_rg_name overrides this if set. The legacy default name is used if this is set to false. bool true no
user_assigned_identity_id User assigned identity id assigned to this resource string null no
virtual_network_name Virtual network name to attach the subnet. string n/a yes
waf_exclusion_settings WAF exclusion rules to exclude a header, cookie or GET argument from inspection. More information at: https://www.terraform.io/docs/providers/azurerm/r/application_gateway.html#match_variable list(map(string)) [] no
waf_mode The Web Application Firewall Mode. Possible values are Detection and Prevention. string "Prevention" no
zones A collection of availability zones to spread the Application Gateway over. This option is only supported for v2 SKUs. list(string) ["1", "2", "3"] no
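As an added example (not part of the module's own README or examples), the block below shows how the security-relevant inputs listed above fit together in one hardened configuration. It reuses the azure_region, rg, run_common and azure_virtual_network modules from the Usage section and assumes the same required inputs. The source prefix, backend host, header name and certificate variables are constructed placeholders; the WAF rule group name, rule id, exclusion match_variable value and log category names are standard Azure WAF / Application Gateway values, and it is an assumption that the module passes ssl_policy, waf_exclusion_settings and logs_categories through to the provider unchanged.

```hcl
# Added example, not the module's own code. Names are shortened through a
# local prefix so the listener, pool and settings names stay consistent.
locals {
  prefix = "${var.stack}-${var.client_name}-${module.azure_region.location_short}-${var.environment}"
}

module "appgw_v2_hardened" {
  source  = "claranet/app-gateway/azurerm"
  version = "x.x.x"

  stack               = var.stack
  environment         = var.environment
  location            = module.azure_region.location
  location_short      = module.azure_region.location_short
  client_name         = var.client_name
  resource_group_name = module.rg.resource_group_name

  virtual_network_name = module.azure_virtual_network.virtual_network_name
  subnet_cidr          = "192.168.1.0/24"

  # Network exposure: create_nsg defaults to false, so opt in, and replace the
  # default "*" source of the HTTPS rule with a known range. The health-probe
  # rule stays enabled; without it the v2 gateway fails its own checks.
  create_nsg                      = true
  create_nsg_https_rule           = true
  nsr_https_source_address_prefix = "203.0.113.0/24" # constructed placeholder (TEST-NET-3)
  create_nsg_healthprobe_rule     = true

  # WAF: blocking mode on OWASP CRS 3.1 with body inspection and explicit
  # size limits instead of relying on defaults.
  sku                      = "WAF_v2"
  enable_waf               = true
  waf_mode                 = "Prevention"
  rule_set_type            = "OWASP"
  rule_set_version         = 3.1
  request_body_check       = true
  max_request_body_size_kb = 128
  file_upload_limit_mb     = 10

  # Tune rather than disable: narrow a single rule for a documented false
  # positive (920300, "Request Missing an Accept Header") instead of switching
  # to Detection mode. Matches the list(object({...})) type of the input.
  disabled_rule_group_settings = [{
    rule_group_name = "REQUEST-920-PROTOCOL-ENFORCEMENT"
    rules           = ["920300"]
  }]

  # Exclude one internal header (constructed name) from inspection; every
  # other header is still evaluated.
  waf_exclusion_settings = [{
    match_variable          = "RequestHeaderNames"
    selector_match_operator = "Equals"
    selector                = "x-internal-trace-id"
  }]

  # TLS: pin the predefined strict policy used in the Usage section.
  ssl_policy = {
    policy_type = "Predefined"
    policy_name = "AppGwSslPolicy20170401S"
  }

  frontend_port_settings = [{
    name = "frontend-https-port"
    port = 443
  }]

  ssl_certificates_configs = [{
    name     = "${local.prefix}-example-com-sslcert"
    data     = var.certificate_example_com_filebase64
    password = var.certificate_example_com_password
  }]

  appgw_http_listeners = [{
    name                           = "${local.prefix}-listener-https"
    frontend_ip_configuration_name = "${local.prefix}-frontipconfig"
    frontend_port_name             = "frontend-https-port"
    protocol                       = "Https"
    ssl_certificate_name           = "${local.prefix}-example-com-sslcert"
    host_name                      = "example.com"
    require_sni                    = true
  }]

  # Backend reached over HTTPS only, so traffic is encrypted on both legs.
  appgw_backend_http_settings = [{
    name                  = "${local.prefix}-backhttpsettings"
    cookie_based_affinity = "Disabled"
    path                  = "/"
    port                  = 443
    protocol              = "Https"
    request_timeout       = 300
  }]

  appgw_backend_pools = [{
    name  = "${local.prefix}-backendpool"
    fqdns = ["example.com"]
  }]

  appgw_routings = [{
    name                       = "${local.prefix}-routing-https"
    rule_type                  = "Basic"
    http_listener_name         = "${local.prefix}-listener-https"
    backend_address_pool_name  = "${local.prefix}-backendpool"
    backend_http_settings_name = "${local.prefix}-backhttpsettings"
  }]

  # Detection: ship access and firewall logs to both destinations so WAF
  # blocks are queryable in Log Analytics and retained on storage.
  logs_destinations_ids = [
    module.run_common.log_analytics_workspace_id,
    module.run_common.logs_storage_account_id,
  ]
  logs_categories     = ["ApplicationGatewayAccessLog", "ApplicationGatewayFirewallLog"]
  logs_retention_days = 90
}
```

The same outputs as in the Outputs section apply to this block, so appgw_nsg_id and appgw_public_ip_address can be wired into other modules or checked with terraform output after apply.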

Outputs

Name Description
appgw_backend_address_pool_ids List of backend address pool Ids.
appgw_backend_http_settings_ids List of backend HTTP settings Ids.
appgw_backend_http_settings_probe_ids List of probe Ids from backend HTTP settings.
appgw_custom_error_configuration_ids List of custom error configuration Ids.
appgw_frontend_ip_configuration_ids List of frontend IP configuration Ids.
appgw_frontend_port_ids List of frontend port Ids.
appgw_gateway_ip_configuration_ids List of IP configuration Ids.
appgw_http_listener_frontend_ip_configuration_ids List of frontend IP configuration Ids from HTTP listeners.
appgw_http_listener_frontend_port_ids List of frontend port Ids from HTTP listeners.
appgw_http_listener_ids List of HTTP listener Ids.
appgw_id The ID of the Application Gateway.
appgw_name The name of the Application Gateway.
appgw_nsg_id The ID of the network security group from the subnet where the Application Gateway is attached.
appgw_nsg_name The name of the network security group from the subnet where the Application Gateway is attached.
appgw_public_ip_address The public IP address of Application Gateway.
appgw_redirect_configuration_ids List of redirect configuration Ids.
appgw_request_routing_rule_backend_address_pool_ids List of backend address pool Ids attached to request routing rules.
appgw_request_routing_rule_backend_http_settings_ids List of HTTP settings Ids attached to request routing rules.
appgw_request_routing_rule_http_listener_ids List of HTTP listener Ids attached to request routing rules.
appgw_request_routing_rule_ids List of request routing rules Ids.
appgw_request_routing_rule_redirect_configuration_ids List of redirect configuration Ids attached to request routing rules.
appgw_request_routing_rule_rewrite_rule_set_ids List of rewrite rule set Ids attached to request routing rules.
appgw_request_routing_rule_url_path_map_ids List of URL path map Ids attached to request routing rules.
appgw_ssl_certificate_ids List of SSL certificate Ids.
appgw_subnet_id The ID of the subnet where the Application Gateway is attached.
appgw_subnet_name The name of the subnet where the Application Gateway is attached.
appgw_url_path_map_default_backend_address_pool_ids List of default backend address pool Ids attached to URL path maps.
appgw_url_path_map_default_backend_http_settings_ids List of default backend HTTP settings Ids attached to URL path maps.
appgw_url_path_map_default_redirect_configuration_ids List of default redirect configuration Ids attached to URL path maps.
appgw_url_path_map_ids List of URL path map Ids.

Related documentation

Microsoft Azure documentation: docs.microsoft.com/en-us/azure/application-gateway/overview