
Application Gateway with SSL with Azure Key Vault

For enhanced security, SSL certificates are managed using Azure Key Vault. This scenario involves setting up Key Vault and integrating it with the Application Gateway. Detailed configuration for Key Vault and SSL certificates is necessary.

#----------Testing Use Case  -------------
# Application Gateway + WAF: enables routing traffic to your application.
# Assume that the scale set running your application contains two virtual machine instances.
# The scale set is added to the default backend pool, which needs to be updated with the IP addresses or FQDNs of the application's backend instances.
# The example input from https://learn.microsoft.com/en-us/azure/application-gateway/configure-keyvault-ps

#----------All Required Provider Section----------- 
terraform {
  # Minimum CLI version and the two providers this example depends on.
  required_version = ">= 1.5"

  required_providers {
    random = {
      source  = "hashicorp/random"
      version = ">= 3.5.0, < 4.0.0"
    }
    azurerm = {
      source  = "hashicorp/azurerm"
      version = ">= 3.0, < 4.0"
    }
  }
}

# Default azurerm provider; no feature flags are overridden in this example.
provider "azurerm" {
  features {}
}

# This ensures we have unique CAF compliant names for our resources.
module "naming" {
  # Every resource name below is derived from this module, with "agw" as the suffix.
  suffix  = ["agw"]
  source  = "Azure/naming/azurerm"
  version = "0.3.0"
}

# This provides the list of Azure regions from which the resource group's region is randomized.
module "regions" {
  # NOTE(review): the version constraint is a floating lower bound, unlike the
  # exactly pinned naming module above, so resolution can change between runs.
  version = ">= 0.3.0"
  source  = "Azure/regions/azurerm"
}

# This allows us to randomize the region for the resource group.
resource "random_integer" "region_index" {
  # Uniform index into module.regions.regions (inclusive bounds).
  min = 0
  max = length(module.regions.regions) - 1
}

# Application Gateway (WAF_v2) with TLS terminated at the gateway using a
# certificate held in Azure Key Vault. Resources referenced here but not defined
# in this file (resource group, subnets, Key Vault certificate, identity, WAF
# policy, Log Analytics workspace) live elsewhere in the example.
module "application_gateway" {
  source = "../../"
  # source  = "Azure/terraform-azurerm-avm-res-network-applicationgateway"
  # version = "0.1.0"

  # pre-requisites resources input required for the module
  public_ip_name      = "${module.naming.public_ip.name_unique}-pip"
  resource_group_name = azurerm_resource_group.rg_group.name
  location            = azurerm_resource_group.rg_group.location
  # log_analytics_workspace_id = azurerm_log_analytics_workspace.log_analytics_workspace.id
  enable_telemetry = var.enable_telemetry

  # Application gateway name (CAF-compliant, unique suffix from the naming module)
  name = module.naming.application_gateway.name_unique

  # Subnet the gateway instances are placed in
  gateway_ip_configuration = {
    subnet_id = azurerm_subnet.backend.id
  }

  # WAF : Azure Application Gateways v2 are always deployed in a highly available fashion with multiple instances by default. Enabling autoscale ensures the service is not reliant on manual intervention for scaling.
  sku = {
    # Accepted values for name: Standard_v2 and WAF_v2
    name = "WAF_v2"
    # Accepted values for tier: Standard_v2 and WAF_v2
    tier = "WAF_v2"
    # Accepted values for capacity: 1 to 10 for a V1 SKU, 1 to 100 for a V2 SKU.
    # Set to 0 here because instance count is governed by autoscale_configuration below.
    # NOTE(review): confirm the module treats 0 as "no fixed capacity" rather than a literal value.
    capacity = 0 # Set the initial capacity to 0 for autoscaling
  }

  # Instance count bounds used by autoscale (overrides the fixed sku.capacity above)
  autoscale_configuration = {
    min_capacity = 1
    max_capacity = 2
  }

  # frontend port configuration block for the application gateway
  # WAF : Secure all incoming connections using HTTPS for production services with end-to-end SSL/TLS or SSL/TLS termination at the Application Gateway to protect against attacks and ensure data remains private and encrypted between the web server and browsers.
  # Only 443 is exposed; no plaintext port is opened on the frontend.
  frontend_ports = {
    frontend-port-443 = {
      name = "frontend-port-443"
      port = 443
    }
  }

  # Backend address pool configuration for the application gateway
  # Mandatory Input
  # The pool is created empty here; the commented entries show how to add backend addresses.
  backend_address_pools = {
    appGatewayBackendPool = {
      name = "appGatewayBackendPool"
      # ip_addresses = ["100.64.2.6", "100.64.2.5"]
      #fqdns        = ["example1.com", "example2.com"]
    }
  }

  # Backend http settings configuration for the application gateway
  # Mandatory Input
  # TLS is terminated at the gateway: traffic from the gateway to the backend is plain HTTP on port 80
  # (the end-to-end SSL/TLS option mentioned in the WAF comment above is not used in this example).
  backend_http_settings = {
    appGatewayBackendHttpSettings = {
      name                  = "appGatewayBackendHttpSettings"
      cookie_based_affinity = "Disabled"
      path                  = "/"
      port                  = 80
      protocol              = "Http"
      request_timeout       = 30
      connection_draining = {
        enable_connection_draining = true
        drain_timeout_sec          = 300
      }
    }
    # Add more http settings as needed
  }

  # Http Listeners configuration for the application gateway
  # Mandatory Input
  # Single HTTPS listener on port 443, bound to the Key Vault certificate and the
  # SSL profile declared further down. host_name = null means no host-based matching.
  # NOTE(review): no listener protocol is set; presumably the module derives HTTPS
  # from ssl_certificate_name — confirm against the module's variable schema.
  http_listeners = {
    appGatewayHttpListener = {
      name                 = "appGatewayHttpListener"
      host_name            = null
      frontend_port_name   = "frontend-port-443"
      ssl_certificate_name = "app-gateway-cert"
      ssl_profile_name     = "example-ssl-profile"
    }
    # # Add more http listeners as needed
  }


  # WAF : Use Application Gateway with Web Application Firewall (WAF) in an application virtual network to safeguard inbound HTTP/S internet traffic. WAF offers centralized defense against potential exploits through OWASP core rule sets-based rules.
  # Ensure that you have a WAF policy created before enabling WAF on the Application Gateway
  # The use of an external WAF policy is recommended rather than using the classic WAF via the waf_configuration block.
  app_gateway_waf_policy_resource_id = azurerm_web_application_firewall_policy.azure_waf.id

  # Routing rules configuration for the backend pool
  # Mandatory Input
  # rule-1 forwards everything received on the HTTPS listener to the backend pool.
  request_routing_rules = {
    routing-rule-1 = {
      name                       = "rule-1"
      rule_type                  = "Basic"
      http_listener_name         = "appGatewayHttpListener"
      backend_address_pool_name  = "appGatewayBackendPool"
      backend_http_settings_name = "appGatewayBackendHttpSettings"
      priority                   = 100
    }
    # Add more rules as needed
  }

  # SSL Certificate Block
  # The certificate is not embedded here; the gateway reads it from Key Vault via the
  # secret id, using the user-assigned identity configured below.
  ssl_certificates = {
    "app-gateway-cert" = {
      name                = "app-gateway-cert"
      key_vault_secret_id = azurerm_key_vault_certificate.ssl_cert_id.secret_id
    }
  }

  # SSL profile referenced by the listener; uses a predefined Azure policy.
  ssl_profile = {
    profile1 = {
      name = "example-ssl-profile"
      ssl_policy = {
        policy_name = "AppGwSslPolicy20220101"
        policy_type = "Predefined"
      }
    }
  }
  # Gateway-wide SSL policy; kept identical to the profile above so listeners
  # with and without a profile negotiate the same TLS settings.
  ssl_policy = {

    policy_name = "AppGwSslPolicy20220101"
    policy_type = "Predefined"
  }

  # HTTP to HTTPS redirection configuration.
  # NOTE(review): nothing in this file references this redirect — frontend_ports has no
  # port-80 entry, http_listeners has no HTTP listener, and rule-1 routes to the backend
  # pool — so as written the redirect is declared but not active.
  redirect_configuration = {
    redirect_config_1 = {
      name                 = "Redirect1"
      redirect_type        = "Permanent"
      include_path         = true
      include_query_string = true
      target_listener_name = "appGatewayHttpListener"
    }
  }

  # Optional Input
  # Zone redundancy for the application gateway ["1", "2", "3"]
  zones = ["1", "2", "3"]

  # User-assigned identity the gateway uses to read the certificate from Key Vault
  managed_identities = {
    user_assigned_resource_ids = [
      azurerm_user_assigned_identity.appag_umid.id # This should be a list of strings, not a list of objects.
    ]
  }

  # Send all log groups and metrics to the Log Analytics workspace
  diagnostic_settings = {
    example_setting = {
      name                           = "${module.naming.application_gateway.name_unique}-diagnostic-setting"
      workspace_resource_id          = azurerm_log_analytics_workspace.log_analytics_workspace.id
      log_analytics_destination_type = "Dedicated" # Or "AzureDiagnostics"
      # log_categories                 = ["Application Gateway Access Log", "Application Gateway Performance Log", "Application Gateway Firewall Log"]
      log_groups        = ["allLogs"]
      metric_categories = ["AllMetrics"]
    }
  }

  tags = {
    environment = "dev"
    owner       = "application_gateway"
    project     = "AVM"
  }

  # Management lock on the gateway. NOTE(review): with kind CanNotDelete the lock
  # presumably has to be removed before the example can be destroyed — confirm.
  lock = {
    name = "lock-${module.naming.application_gateway.name_unique}" # optional
    kind = "CanNotDelete"
  }

}

Requirements

The following requirements are needed by this module:

Resources

The following resources are used by this module:

Required Inputs

No required inputs.

Optional Inputs

The following input variables are optional (have default values):

Description: This variable controls whether or not telemetry is enabled for the module.
For more information see https://aka.ms/avm/telemetryinfo.
If it is set to false, then no telemetry will be collected.

Type: bool

Default: true

Outputs

The following outputs are exported:

Description: n/a

Description: ID of the Backend Subnet

Description: Name of the Backend Subnet

Description: ID of the Frontend Subnet

Description: Name of the Frontend Subnet

Description: ID of the Azure Key Vault

Description: ID of the Private IP Test Subnet

Description: Name of the Private IP Test Subnet

Description: ID of the Azure Resource Group

Description: Name of the Azure Resource Group

Description: ID of the self-signed SSL certificate in Azure Key Vault

Description: ID of the Azure Virtual Network

Description: Name of the Azure Virtual Network

Description: ID of the Workload Subnet

Description: Name of the Workload Subnet

Modules

The following Modules are called:

Source: ../../

Version:

Source: Azure/naming/azurerm

Version: 0.3.0

Source: Azure/regions/azurerm

Version: >= 0.3.0

Data Collection

The software may collect information about you and your use of the software and send it to Microsoft. Microsoft may use this information to provide services and improve our products and services. You may turn off the telemetry as described in the repository. There are also some features in the software that may enable you and Microsoft to collect data from users of your applications. If you use these features, you must comply with applicable law, including providing appropriate notices to users of your applications together with a copy of Microsoft’s privacy statement. Our privacy statement is located at https://go.microsoft.com/fwlink/?LinkID=824704. You can learn more about data collection and use in the help documentation and our privacy statement. Your use of the software operates as your consent to these practices.