This Terraform module creates an Application Gateway associated with a public IP and a subnet, together with a network security group and the network security rules authorizing port 443 and the ports used for the internal health check of the Application Gateway. Diagnostic logs are enabled.

Resource naming is based on the Microsoft CAF naming convention best practices. Legacy naming is available by setting the parameter use_caf_naming to false. We rely on the official Terraform Azure CAF naming provider to generate resource names.
Module version | Terraform version | AzureRM version |
---|---|---|
>= 5.x.x | 0.15.x & 1.0.x | >= 2.0 |
>= 4.x.x | 0.13.x | >= 2.0 |
>= 3.x.x | 0.12.x | >= 2.0 |
>= 2.x.x | 0.12.x | < 2.0 |
< 2.x.x | 0.11.x | < 2.0 |
This module is optimized to work with the Claranet terraform-wrapper tool, which sets in the environment some Terraform variables needed by this module. More details about the variables set by the terraform-wrapper are available in its documentation.
```hcl
module "azure_region" {
  source  = "claranet/regions/azurerm"
  version = "x.x.x"

  azure_region = var.azure_region
}

module "rg" {
  source  = "claranet/rg/azurerm"
  version = "x.x.x"

  location    = module.azure_region.location
  client_name = var.client_name
  environment = var.environment
  stack       = var.stack
}

module "run_common" {
  source  = "claranet/run-common/azurerm"
  version = "x.x.x"

  client_name         = var.client_name
  location            = module.azure_region.location
  location_short      = module.azure_region.location_short
  environment         = var.environment
  stack               = var.stack
  resource_group_name = module.rg.resource_group_name

  tenant_id = var.azure_tenant_id

  monitoring_function_splunk_token = null
}

module "azure_virtual_network" {
  source  = "claranet/vnet/azurerm"
  version = "x.x.x"

  environment         = var.environment
  location            = module.azure_region.location
  location_short      = module.azure_region.location_short
  client_name         = var.client_name
  stack               = var.stack
  resource_group_name = module.rg.resource_group_name

  vnet_cidr = ["192.168.0.0/16"]
}

module "appgw_v2" {
  source  = "claranet/app-gateway/azurerm"
  version = "x.x.x"

  stack               = var.stack
  environment         = var.environment
  location            = module.azure_region.location
  location_short      = module.azure_region.location_short
  client_name         = var.client_name
  resource_group_name = module.rg.resource_group_name

  virtual_network_name = module.azure_virtual_network.virtual_network_name
  subnet_cidr          = "192.168.1.0/24"

  appgw_backend_http_settings = [{
    name                  = "${var.stack}-${var.client_name}-${module.azure_region.location_short}-${var.environment}-backhttpsettings"
    cookie_based_affinity = "Disabled"
    path                  = "/"
    port                  = 443
    protocol              = "Https"
    request_timeout       = 300
  }]

  appgw_backend_pools = [{
    name  = "${var.stack}-${var.client_name}-${module.azure_region.location_short}-${var.environment}-backendpool"
    fqdns = ["example.com"]
  }]

  appgw_routings = [{
    name                       = "${var.stack}-${var.client_name}-${module.azure_region.location_short}-${var.environment}-routing-https"
    rule_type                  = "Basic"
    http_listener_name         = "${var.stack}-${var.client_name}-${module.azure_region.location_short}-${var.environment}-listener-https"
    backend_address_pool_name  = "${var.stack}-${var.client_name}-${module.azure_region.location_short}-${var.environment}-backendpool"
    backend_http_settings_name = "${var.stack}-${var.client_name}-${module.azure_region.location_short}-${var.environment}-backhttpsettings"
  }]

  appgw_http_listeners = [{
    name                           = "${var.stack}-${var.client_name}-${module.azure_region.location_short}-${var.environment}-listener-https"
    frontend_ip_configuration_name = "${var.stack}-${var.client_name}-${module.azure_region.location_short}-${var.environment}-frontipconfig"
    frontend_port_name             = "frontend-https-port"
    protocol                       = "Https"
    ssl_certificate_name           = "${var.stack}-${var.client_name}-${module.azure_region.location_short}-${var.environment}-example-com-sslcert"
    host_name                      = "example.com"
    require_sni                    = true

    # Listener-level custom error pages (map of maps)
    custom_error_configuration = {
      custom1 = {
        custom_error_page_url = "https://example.com/custom_error_403_page.html"
        status_code           = "HttpStatus403"
      },
      custom2 = {
        custom_error_page_url = "https://example.com/custom_error_502_page.html"
        status_code           = "HttpStatus502"
      }
    }
  }]

  # Global-level custom error pages (list of maps)
  custom_error_configuration = [
    {
      custom_error_page_url = "https://example.com/custom_error_403_page.html"
      status_code           = "HttpStatus403"
    },
    {
      custom_error_page_url = "https://example.com/custom_error_502_page.html"
      status_code           = "HttpStatus502"
    }
  ]

  frontend_port_settings = [{
    name = "frontend-https-port"
    port = 443
  }]

  ssl_certificates_configs = [{
    name     = "${var.stack}-${var.client_name}-${module.azure_region.location_short}-${var.environment}-example-com-sslcert"
    data     = var.certificate_example_com_filebase64
    password = var.certificate_example_com_password
  }]

  ssl_policy = {
    policy_type = "Predefined"
    policy_name = "AppGwSslPolicy20170401S"
  }

  autoscaling_parameters = {
    min_capacity = 2
    max_capacity = 15
  }

  logs_destinations_ids = [
    module.run_common.log_analytics_workspace_id,
    module.run_common.logs_storage_account_id,
  ]
}
```
Provider | Version |
---|---|
azurecaf | ~> 1.1 |
azurerm | >= 2.56 |
Module | Source | Version |
---|---|---|
azure_network_security_group | claranet/nsg/azurerm | 4.1.1 |
azure_network_subnet | claranet/subnet/azurerm | 4.2.1 |
diagnostics | claranet/diagnostic-settings/azurerm | 4.0.2 |
Resource | Type |
---|---|
azurecaf_name.appgw | resource |
azurecaf_name.frontipconfig | resource |
azurecaf_name.frontipconfig_priv | resource |
azurecaf_name.gwipconfig | resource |
azurecaf_name.nsg_appgw | resource |
azurecaf_name.nsr_healthcheck | resource |
azurecaf_name.nsr_https | resource |
azurecaf_name.pip_appgw | resource |
azurecaf_name.subnet_appgw | resource |
azurerm_application_gateway.app_gateway | resource |
azurerm_network_security_rule.allow_health_probe_app_gateway | resource |
azurerm_network_security_rule.web | resource |
azurerm_public_ip.ip | resource |
Name | Description | Type | Default | Required |
---|---|---|---|---|
app_gateway_tags | Application Gateway tags. | map(string) | {} | no |
appgw_backend_http_settings | List of maps including backend HTTP settings configurations. | any | n/a | yes |
appgw_backend_pools | List of maps including backend pool configurations. | any | n/a | yes |
appgw_http_listeners | List of maps including HTTP listener configurations and a map of maps including listener custom error configurations. | any | n/a | yes |
appgw_private | Boolean variable to create a private Application Gateway. When true, the default HTTP listener listens on the private IP instead of the public IP. | bool | false | no |
appgw_private_ip | Private IP for the Application Gateway. Used when the variable appgw_private is set to true. | string | null | no |
appgw_probes | List of maps including request probe configurations. | any | [] | no |
appgw_redirect_configuration | List of maps including redirect configurations. | list(map(string)) | [] | no |
appgw_rewrite_rule_set | List of rewrite rule sets including rewrite rules. | any | [] | no |
appgw_routings | List of maps including request routing rule configurations. | list(map(string)) | n/a | yes |
appgw_url_path_map | List of maps including URL path map configurations. | any | [] | no |
autoscaling_parameters | Map containing autoscaling parameters. Must contain at least min_capacity. | map(string) | null | no |
client_name | Client name/account used in naming. | string | n/a | yes |
create_nsg | Boolean to create the network security group. | bool | false | no |
create_nsg_healthprobe_rule | Boolean to create the network security group rule for the health probes. | bool | true | no |
create_nsg_https_rule | Boolean to create the network security group rule opening HTTPS to everyone. | bool | true | no |
create_subnet | Boolean to create the subnet with this module. | bool | true | no |
custom_appgw_name | Application Gateway custom name. Generated by default. | string | "" | no |
custom_error_configuration | List of maps including global-level custom error configurations. | list(map(string)) | [] | no |
custom_frontend_ip_configuration_name | Custom name of the frontend IP configuration used. Generated by default. | string | "" | no |
custom_frontend_priv_ip_configuration_name | Name of the private frontend IP configuration used for this HTTP listener. | string | "" | no |
custom_gateway_ip_configuration_name | Name of the Application Gateway IP configuration. | string | "" | no |
custom_ip_label | Domain name label for the public IP. | string | "" | no |
custom_ip_name | Public IP custom name. Generated by default. | string | "" | no |
custom_nsg_name | Custom name for the network security group. | string | null | no |
custom_nsr_healthcheck_name | Custom name for the network security rule for the internal health check of the Application Gateway. | string | null | no |
custom_nsr_https_name | Custom name for the network security rule for the HTTPS protocol. | string | null | no |
custom_subnet_name | Custom name for the subnet. | string | "" | no |
disable_waf_rules_for_dev_portal | Whether to disable some WAF rules if the APIM developer portal is hosted behind this Application Gateway. See locals.tf for the documentation link. | bool | false | no |
disabled_rule_group_settings | The rule groups where specific rules should be disabled. Accepted values can be found here: https://www.terraform.io/docs/providers/azurerm/r/application_gateway.html#rule_group_name | list(object({ | [] | no |
enable_http2 | Whether to enable HTTP/2 or not. | bool | true | no |
enable_waf | Boolean to enable WAF. | bool | true | no |
environment | Project environment. | string | n/a | yes |
extra_tags | Extra tags to add. | map(string) | {} | no |
file_upload_limit_mb | The file upload limit in MB. Accepted values are in the range 1 MB to 500 MB. Defaults to 100 MB. | number | 100 | no |
frontend_port_settings | Frontend port settings. Each port setting contains the name and the port for the frontend port. | list(map(string)) | n/a | yes |
ip_allocation_method | Allocation method for the public IP. Warning: can only be Static for the moment. | string | "Static" | no |
ip_sku | SKU for the public IP. Warning: can only be Standard for the moment. | string | "Standard" | no |
ip_tags | Public IP tags. | map(string) | {} | no |
location | Azure location. | string | n/a | yes |
location_short | Short string for the Azure location. | string | n/a | yes |
logs_categories | Log categories to send to the destinations. | list(string) | null | no |
logs_destinations_ids | List of destination resource IDs for the logs diagnostics destination. Can be a Storage Account, a Log Analytics Workspace and an Event Hub. No more than one of each can be set. Empty list to disable logging. | list(string) | n/a | yes |
logs_metrics_categories | Metrics categories to send to the destinations. | list(string) | null | no |
logs_retention_days | Number of days to keep logs on the storage account. | number | 30 | no |
max_request_body_size_kb | The maximum request body size in KB. Accepted values are in the range 1 KB to 128 KB. | number | 128 | no |
name_prefix | Optional prefix for the generated name. | string | "" | no |
name_suffix | Optional suffix for the generated name. | string | "" | no |
nsr_https_source_address_prefix | Source address prefix allowed to access port 443, as defined in the dedicated network security rule. | string | "*" | no |
request_body_check | Is request body inspection enabled? | bool | true | no |
resource_group_name | Resource group name. | string | n/a | yes |
route_table_name | The route table name to associate with the subnet. | string | null | no |
route_table_rg | The route table resource group to associate with the subnet. Default is the same resource group as the subnet. | string | null | no |
rule_set_type | The type of the rule set used for this Web Application Firewall. | string | "OWASP" | no |
rule_set_version | The version of the rule set used for this Web Application Firewall. Possible values are 2.2.9, 3.0 and 3.1. | number | 3.1 | no |
sku | The name of the SKU to use for this Application Gateway. Possible values are Standard_v2 and WAF_v2. | string | "WAF_v2" | no |
sku_capacity | The capacity of the SKU to use for this Application Gateway, which must be between 1 and 10. Optional if autoscale_configuration is set. | number | 2 | no |
ssl_certificates_configs | List of maps including SSL certificate configurations. A base64-encoded certificate is expected in the 'data' parameter: data = filebase64("./file_path") | list(map(string)) | [] | no |
ssl_policy | Application Gateway SSL configuration. The list of available policies can be found here: https://docs.microsoft.com/en-us/azure/application-gateway/application-gateway-ssl-policy-overview#predefined-ssl-policy | any | null | no |
stack | Project stack name. | string | n/a | yes |
subnet_cidr | Subnet CIDR to create. | string | "" | no |
subnet_id | Custom subnet ID for attaching the Application Gateway. Used only when the variable create_subnet = false. | string | "" | no |
subnet_resource_group_name | Resource group name of the subnet. | string | "" | no |
trusted_root_certificate_configs | List of trusted root certificates. The needed values for each trusted root certificate are 'name' and 'data' or 'filename'. This parameter is required if you are not using a trusted certificate authority (e.g. a self-signed certificate). | list(map(string)) | [] | no |
use_caf_naming | Use the Azure CAF naming provider to generate the default resource name. custom_rg_name overrides this if set. The legacy default name is used if this is set to false. | bool | true | no |
user_assigned_identity_id | User-assigned identity ID assigned to this resource. | string | null | no |
virtual_network_name | Virtual network name to attach the subnet to. | string | n/a | yes |
waf_exclusion_settings | WAF exclusion rules to exclude a header, cookie or GET argument. More information on: https://www.terraform.io/docs/providers/azurerm/r/application_gateway.html#match_variable | list(map(string)) | [] | no |
waf_mode | The Web Application Firewall mode. Possible values are Detection and Prevention. | string | "Prevention" | no |
zones | A collection of availability zones to spread the Application Gateway over. This option is only supported for v2 SKUs. | list(string) | [ | no |
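The inputs that matter most for exposure, appgw_private, create_nsg, create_nsg_https_rule, nsr_https_source_address_prefix, the WAF settings and logs_destinations_ids, are shown combined in one configuration below. This is an added example, not taken from the module's own documentation; it reuses the azure_region, rg, run_common and azure_virtual_network modules from the usage example earlier in this README. The CIDRs, the private IP, the hostnames, the certificate path, the certificate_internal_api_password variable and the frontipconfig-private name are placeholder values chosen for this example, and the assumption is that a listener can reference the private frontend through the name set in custom_frontend_priv_ip_configuration_name.

```hcl
# Added example (not the module's own code): an internal-only Application Gateway.
# Compared with the usage example above it (1) binds the listener to the private
# frontend, (2) lets the module create the NSG but limits the HTTPS rule to an
# internal range instead of the default "*", (3) keeps WAF_v2 in Prevention mode
# with request body inspection, and (4) sends diagnostics to Log Analytics only.
# CIDRs, IP, hostnames, certificate path and variable names are placeholders.
module "appgw_internal" {
  source  = "claranet/app-gateway/azurerm"
  version = "x.x.x"

  stack               = var.stack
  environment         = var.environment
  location            = module.azure_region.location
  location_short      = module.azure_region.location_short
  client_name         = var.client_name
  resource_group_name = module.rg.resource_group_name

  virtual_network_name = module.azure_virtual_network.virtual_network_name
  subnet_cidr          = "192.168.2.0/24"

  # Private frontend: the default listener uses the private IP, not the public one.
  appgw_private    = true
  appgw_private_ip = "192.168.2.10"
  # Explicit name (assumed usable by the listener below) for the private frontend.
  custom_frontend_priv_ip_configuration_name = "frontipconfig-private"

  # Module-managed NSG. The HTTPS rule is restricted to the internal range; the
  # health-probe rule stays enabled because a v2 gateway cannot be provisioned
  # without its management ports reachable.
  create_nsg                      = true
  create_nsg_https_rule           = true
  create_nsg_healthprobe_rule     = true
  nsr_https_source_address_prefix = "10.10.0.0/16"

  # WAF: module defaults written out so that any later relaxation shows in review.
  sku                = "WAF_v2"
  enable_waf         = true
  waf_mode           = "Prevention"
  request_body_check = true
  rule_set_type      = "OWASP"
  rule_set_version   = 3.1

  # Predefined policy from the usage example (TLS 1.2 minimum).
  ssl_policy = {
    policy_type = "Predefined"
    policy_name = "AppGwSslPolicy20170401S"
  }

  frontend_port_settings = [{
    name = "frontend-https-port"
    port = 443
  }]

  ssl_certificates_configs = [{
    name     = "internal-api-sslcert"
    data     = filebase64("./certs/internal-api.pfx") # placeholder path
    password = var.certificate_internal_api_password  # placeholder variable
  }]

  appgw_http_listeners = [{
    name                           = "listener-https-internal"
    frontend_ip_configuration_name = "frontipconfig-private"
    frontend_port_name             = "frontend-https-port"
    protocol                       = "Https"
    ssl_certificate_name           = "internal-api-sslcert"
    host_name                      = "internal-api.example.com"
    require_sni                    = true
  }]

  appgw_backend_pools = [{
    name  = "backendpool-internal-api"
    fqdns = ["internal-api-backend.example.com"]
  }]

  # End-to-end TLS: the gateway re-encrypts towards the backend on 443.
  appgw_backend_http_settings = [{
    name                  = "backhttpsettings-internal-api"
    cookie_based_affinity = "Disabled"
    path                  = "/"
    port                  = 443
    protocol              = "Https"
    request_timeout       = 30
  }]

  appgw_routings = [{
    name                       = "routing-https-internal"
    rule_type                  = "Basic"
    http_listener_name         = "listener-https-internal"
    backend_address_pool_name  = "backendpool-internal-api"
    backend_http_settings_name = "backhttpsettings-internal-api"
  }]

  autoscaling_parameters = {
    min_capacity = 2
    max_capacity = 5
  }

  # Log Analytics only; the storage account destination from the usage example is dropped.
  logs_destinations_ids = [module.run_common.log_analytics_workspace_id]
}
```

The setting to revisit on any deployment that enables create_nsg is nsr_https_source_address_prefix: its default "*" makes the module's HTTPS rule admit any source, which is what a public gateway wants and an internal one does not. The same applies in reverse to create_nsg: left at its default of false, no NSG is created by the module and the subnet's exposure depends entirely on whatever is attached to it elsewhere.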
Name | Description |
---|---|
appgw_backend_address_pool_ids | List of backend address pool Ids. |
appgw_backend_http_settings_ids | List of backend HTTP settings Ids. |
appgw_backend_http_settings_probe_ids | List of probe Ids from backend HTTP settings. |
appgw_custom_error_configuration_ids | List of custom error configuration Ids. |
appgw_frontend_ip_configuration_ids | List of frontend IP configuration Ids. |
appgw_frontend_port_ids | List of frontend port Ids. |
appgw_gateway_ip_configuration_ids | List of IP configuration Ids. |
appgw_http_listener_frontend_ip_configuration_ids | List of frontend IP configuration Ids from HTTP listeners. |
appgw_http_listener_frontend_port_ids | List of frontend port Ids from HTTP listeners. |
appgw_http_listener_ids | List of HTTP listener Ids. |
appgw_id | The ID of the Application Gateway. |
appgw_name | The name of the Application Gateway. |
appgw_nsg_id | The ID of the network security group from the subnet where the Application Gateway is attached. |
appgw_nsg_name | The name of the network security group from the subnet where the Application Gateway is attached. |
appgw_public_ip_address | The public IP address of Application Gateway. |
appgw_redirect_configuration_ids | List of redirect configuration Ids. |
appgw_request_routing_rule_backend_address_pool_ids | List of backend address pool Ids attached to request routing rules. |
appgw_request_routing_rule_backend_http_settings_ids | List of HTTP settings Ids attached to request routing rules. |
appgw_request_routing_rule_http_listener_ids | List of HTTP listener Ids attached to request routing rules. |
appgw_request_routing_rule_ids | List of request routing rules Ids. |
appgw_request_routing_rule_redirect_configuration_ids | List of redirect configuration Ids attached to request routing rules. |
appgw_request_routing_rule_rewrite_rule_set_ids | List of rewrite rule set Ids attached to request routing rules. |
appgw_request_routing_rule_url_path_map_ids | List of URL path map Ids attached to request routing rules. |
appgw_ssl_certificate_ids | List of SSL certificate Ids. |
appgw_subnet_id | The ID of the subnet where the Application Gateway is attached. |
appgw_subnet_name | The name of the subnet where the Application Gateway is attached. |
appgw_url_path_map_default_backend_address_pool_ids | List of default backend address pool Ids attached to URL path maps. |
appgw_url_path_map_default_backend_http_settings_ids | List of default backend HTTP settings Ids attached to URL path maps. |
appgw_url_path_map_default_redirect_configuration_ids | List of default redirect configuration Ids attached to URL path maps. |
appgw_url_path_map_ids | List of URL path map Ids. |
Microsoft Azure documentation: docs.microsoft.com/en-us/azure/application-gateway/overview