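# Azure Application Gateway fronting the backends described by the module
# variables. Every sub-block is driven by a variable or local declared
# elsewhere in the module; this file only wires them to the provider.
resource "azurerm_application_gateway" "app_gateway" {
  location            = var.location
  resource_group_name = var.resource_group_name
  name                = local.appgw_name

  #
  # Common
  #
  sku {
    # A fixed instance count conflicts with autoscaling, so capacity is only
    # sent when no autoscale_configuration block is emitted further down.
    capacity = var.autoscaling_parameters != null ? null : var.sku_capacity
    name     = var.sku
    tier     = var.sku
  }

  zones = var.zones

  # Gateway-wide WAF policy. Individual listeners and path rules below may
  # point at their own firewall_policy_id instead.
  firewall_policy_id = var.firewall_policy_id
  enable_http2       = var.enable_http2

  # A public frontend is always created, even when var.appgw_private is set;
  # the private frontend is added alongside it. Which frontend a listener
  # binds to is decided in the http_listener block below.
  frontend_ip_configuration {
    name                 = local.frontend_ip_configuration_name
    public_ip_address_id = azurerm_public_ip.ip.id
  }

  dynamic "frontend_ip_configuration" {
    for_each = var.appgw_private ? ["enabled"] : []
    content {
      # for_each above already guarantees var.appgw_private is true here.
      name                          = local.frontend_priv_ip_configuration_name
      private_ip_address_allocation = "Static"
      private_ip_address            = var.appgw_private_ip
      subnet_id                     = local.subnet_id
    }
  }

  dynamic "frontend_port" {
    for_each = var.frontend_port_settings
    content {
      name = frontend_port.value.name
      port = frontend_port.value.port
    }
  }

  gateway_ip_configuration {
    name      = local.gateway_ip_configuration_name
    subnet_id = var.create_subnet ? module.azure_network_subnet["appgw_subnet"].subnet_id : var.subnet_id
  }

  #
  # Security
  #
  force_firewall_policy_association = var.force_firewall_policy_association

  # Inline (non-policy) WAF configuration. It is only emitted on the WAF_v2
  # SKU: on any other SKU a non-null var.waf_configuration is silently
  # dropped rather than rejected, so a caller must check var.sku as well
  # before assuming a WAF sits in front of the backends.
  dynamic "waf_configuration" {
    for_each = var.sku == "WAF_v2" && var.waf_configuration != null ? [var.waf_configuration] : []
    content {
      enabled                  = waf_configuration.value.enabled
      file_upload_limit_mb     = waf_configuration.value.file_upload_limit_mb
      firewall_mode            = waf_configuration.value.firewall_mode
      max_request_body_size_kb = waf_configuration.value.max_request_body_size_kb
      request_body_check       = waf_configuration.value.request_body_check
      rule_set_type            = waf_configuration.value.rule_set_type
      rule_set_version         = waf_configuration.value.rule_set_version

      # Both blocks below narrow the managed rule set. Each entry should be
      # justified (documented false positive) on the calling side.
      dynamic "disabled_rule_group" {
        for_each = local.disabled_rule_group_settings != null ? local.disabled_rule_group_settings : []
        content {
          rule_group_name = disabled_rule_group.value.rule_group_name
          rules           = disabled_rule_group.value.rules
        }
      }

      dynamic "exclusion" {
        for_each = waf_configuration.value.exclusion != null ? waf_configuration.value.exclusion : []
        content {
          match_variable          = exclusion.value.match_variable
          selector                = exclusion.value.selector
          selector_match_operator = exclusion.value.selector_match_operator
        }
      }
    }
  }

  # Gateway-wide TLS policy. When var.ssl_policy is null no block is sent and
  # whatever Azure applies by default is in force, so pass a policy explicitly
  # to pin a minimum protocol version. "Predefined" carries only a policy
  # name; "Custom" and "CustomV2" carry cipher suites and a minimum version,
  # mirroring the per-profile ssl_policy handling further down.
  dynamic "ssl_policy" {
    for_each = var.ssl_policy == null ? [] : ["enabled"]
    content {
      disabled_protocols   = var.ssl_policy.disabled_protocols
      policy_type          = var.ssl_policy.policy_type
      policy_name          = var.ssl_policy.policy_type == "Predefined" ? var.ssl_policy.policy_name : null
      cipher_suites        = strcontains(var.ssl_policy.policy_type, "Custom") ? var.ssl_policy.cipher_suites : null
      min_protocol_version = strcontains(var.ssl_policy.policy_type, "Custom") ? var.ssl_policy.min_protocol_version : null
    }
  }

  # Per-listener TLS profiles (referenced by http_listener.ssl_profile_name).
  # trusted_client_certificate_names points at the trusted_client_certificate
  # blocks below and turns on client-certificate (mutual TLS) validation for
  # listeners using the profile; verify_client_cert_issuer_dn additionally
  # checks the presented certificate's issuer DN (per the provider attribute
  # name - confirm against the provider docs for the pinned version).
  dynamic "ssl_profile" {
    for_each = var.ssl_profile
    content {
      name                             = ssl_profile.value.name
      trusted_client_certificate_names = ssl_profile.value.trusted_client_certificate_names
      verify_client_cert_issuer_dn     = ssl_profile.value.verify_client_cert_issuer_dn

      dynamic "ssl_policy" {
        for_each = ssl_profile.value.ssl_policy == null ? [] : ["enabled"]
        content {
          disabled_protocols   = ssl_profile.value.ssl_policy.disabled_protocols
          policy_type          = ssl_profile.value.ssl_policy.policy_type
          policy_name          = ssl_profile.value.ssl_policy.policy_type == "Predefined" ? ssl_profile.value.ssl_policy.policy_name : null
          cipher_suites        = strcontains(ssl_profile.value.ssl_policy.policy_type, "Custom") ? ssl_profile.value.ssl_policy.cipher_suites : null
          min_protocol_version = strcontains(ssl_profile.value.ssl_policy.policy_type, "Custom") ? ssl_profile.value.ssl_policy.min_protocol_version : null
        }
      }
    }
  }

  # Backend (v1-style) authentication certificates, referenced by name from
  # backend_http_settings.authentication_certificate.
  dynamic "authentication_certificate" {
    for_each = var.authentication_certificates_configs
    content {
      name = authentication_certificate.value.name
      data = authentication_certificate.value.data
    }
  }

  # Client CA certificates for mutual TLS, referenced by name from ssl_profile.
  dynamic "trusted_client_certificate" {
    for_each = var.trusted_client_certificates_configs
    content {
      name = trusted_client_certificate.value.name
      data = trusted_client_certificate.value.data
    }
  }

  #
  # Autoscaling
  #
  dynamic "autoscale_configuration" {
    for_each = var.autoscaling_parameters != null ? ["enabled"] : []
    content {
      min_capacity = var.autoscaling_parameters.min_capacity
      max_capacity = var.autoscaling_parameters.max_capacity
    }
  }

  #
  # Backend HTTP settings
  #
  dynamic "backend_http_settings" {
    for_each = var.appgw_backend_http_settings
    iterator = back_http_set
    content {
      name                                = back_http_set.value.name
      port                                = back_http_set.value.port
      protocol                            = back_http_set.value.protocol
      path                                = back_http_set.value.path
      probe_name                          = back_http_set.value.probe_name
      cookie_based_affinity               = back_http_set.value.cookie_based_affinity
      affinity_cookie_name                = back_http_set.value.affinity_cookie_name
      request_timeout                     = back_http_set.value.request_timeout
      host_name                           = back_http_set.value.host_name
      pick_host_name_from_backend_address = back_http_set.value.pick_host_name_from_backend_address
      # CAs the gateway trusts when talking HTTPS to the backend; refers to the
      # trusted_root_certificate blocks below.
      trusted_root_certificate_names      = back_http_set.value.trusted_root_certificate_names

      dynamic "authentication_certificate" {
        for_each = back_http_set.value.authentication_certificate != null ? ["enabled"] : []
        content {
          name = back_http_set.value.authentication_certificate
        }
      }

      # Draining is enabled exactly when a timeout is supplied.
      dynamic "connection_draining" {
        for_each = back_http_set.value.connection_draining_timeout_sec != null ? ["enabled"] : []
        content {
          enabled           = true
          drain_timeout_sec = back_http_set.value.connection_draining_timeout_sec
        }
      }
    }
  }

  #
  # HTTP listener
  #
  dynamic "http_listener" {
    for_each = var.appgw_http_listeners
    iterator = http_listen
    content {
      name = http_listen.value.name
      # Unless the listener names a frontend explicitly, it binds to the
      # private frontend on a private gateway and to the public one otherwise.
      frontend_ip_configuration_name = coalesce(http_listen.value.frontend_ip_configuration_name, var.appgw_private ? local.frontend_priv_ip_configuration_name : local.frontend_ip_configuration_name)
      frontend_port_name             = http_listen.value.frontend_port_name
      host_name                      = http_listen.value.host_name
      host_names                     = http_listen.value.host_names
      protocol                       = http_listen.value.protocol
      require_sni                    = http_listen.value.require_sni
      ssl_certificate_name           = http_listen.value.ssl_certificate_name
      ssl_profile_name               = http_listen.value.ssl_profile_name
      # Listener-level WAF policy, overriding the gateway-wide one when set.
      firewall_policy_id             = http_listen.value.firewall_policy_id

      dynamic "custom_error_configuration" {
        for_each = http_listen.value.custom_error_configuration
        iterator = err_conf
        content {
          status_code           = err_conf.value.status_code
          custom_error_page_url = err_conf.value.custom_error_page_url
        }
      }
    }
  }

  #
  # Custom error configuration
  #
  dynamic "custom_error_configuration" {
    for_each = var.custom_error_configuration
    iterator = err_conf
    content {
      status_code           = err_conf.value.status_code
      custom_error_page_url = err_conf.value.custom_error_page_url
    }
  }

  #
  # Backend address pool
  #
  dynamic "backend_address_pool" {
    for_each = var.appgw_backend_pools
    iterator = back_pool
    content {
      name         = back_pool.value.name
      fqdns        = back_pool.value.fqdns
      ip_addresses = back_pool.value.ip_addresses
    }
  }

  #
  # SSL certificate
  #
  # Either an inline PFX (data + password) or a Key Vault secret reference.
  # Inline material is stored in Terraform state; prefer key_vault_secret_id,
  # which the gateway resolves with the user-assigned identity configured in
  # the identity block below (that identity needs read access to the secret).
  dynamic "ssl_certificate" {
    for_each = var.ssl_certificates_configs
    iterator = ssl_crt
    content {
      name                = ssl_crt.value.name
      data                = ssl_crt.value.data
      password            = ssl_crt.value.password
      key_vault_secret_id = ssl_crt.value.key_vault_secret_id
    }
  }

  #
  # Trusted root certificate
  #
  dynamic "trusted_root_certificate" {
    for_each = var.trusted_root_certificate_configs
    iterator = ssl_crt
    content {
      name = ssl_crt.value.name
      # Falls back to reading file_path when no inline data is given. Because
      # of try(), a missing or unreadable file yields null here instead of a
      # read error; the provider then rejects the block only if
      # key_vault_secret_id is null as well.
      data                = ssl_crt.value.data == null ? try(filebase64(ssl_crt.value.file_path), null) : ssl_crt.value.data
      key_vault_secret_id = ssl_crt.value.key_vault_secret_id
    }
  }

  #
  # Request routing rule
  #
  dynamic "request_routing_rule" {
    for_each = var.appgw_routings
    iterator = routing
    content {
      name      = routing.value.name
      rule_type = routing.value.rule_type
      # The listener defaults to the rule's own name.
      http_listener_name         = coalesce(routing.value.http_listener_name, routing.value.name)
      backend_address_pool_name  = routing.value.backend_address_pool_name
      backend_http_settings_name = routing.value.backend_http_settings_name
      url_path_map_name          = routing.value.url_path_map_name
      redirect_configuration_name = routing.value.redirect_configuration_name
      rewrite_rule_set_name      = routing.value.rewrite_rule_set_name
      # Priority defaults to the rule's position in var.appgw_routings plus
      # one, so reordering that list changes evaluation order.
      priority = coalesce(routing.value.priority, routing.key + 1)
    }
  }

  #
  # Rewrite rule set
  #
  dynamic "rewrite_rule_set" {
    for_each = var.appgw_rewrite_rule_set
    content {
      name = rewrite_rule_set.value.name

      dynamic "rewrite_rule" {
        for_each = rewrite_rule_set.value.rewrite_rules
        iterator = rule
        content {
          name          = rule.value.name
          rule_sequence = rule.value.rule_sequence

          dynamic "condition" {
            for_each = rule.value.conditions
            iterator = cond
            content {
              variable    = cond.value.variable
              pattern     = cond.value.pattern
              ignore_case = cond.value.ignore_case
              negate      = cond.value.negate
            }
          }

          dynamic "response_header_configuration" {
            for_each = rule.value.response_header_configurations
            iterator = header
            content {
              header_name  = header.value.header_name
              header_value = header.value.header_value
            }
          }

          dynamic "request_header_configuration" {
            for_each = rule.value.request_header_configurations
            iterator = header
            content {
              header_name  = header.value.header_name
              header_value = header.value.header_value
            }
          }

          dynamic "url" {
            for_each = rule.value.url_reroute != null ? ["enabled"] : []
            content {
              path         = rule.value.url_reroute.path
              query_string = rule.value.url_reroute.query_string
              components   = rule.value.url_reroute.components
              reroute      = rule.value.url_reroute.reroute
            }
          }
        }
      }
    }
  }

  #
  # Probe
  #
  dynamic "probe" {
    for_each = var.appgw_probes
    content {
      name                                      = probe.value.name
      host                                      = probe.value.host
      port                                      = probe.value.port
      interval                                  = probe.value.interval
      path                                      = probe.value.path
      protocol                                  = probe.value.protocol
      timeout                                   = probe.value.timeout
      pick_host_name_from_backend_http_settings = probe.value.pick_host_name_from_backend_http_settings
      unhealthy_threshold                       = probe.value.unhealthy_threshold
      minimum_servers                           = probe.value.minimum_servers

      # match is mandatory here: probe.value.match must always be set.
      match {
        body        = probe.value.match.body
        status_code = probe.value.match.status_code
      }
    }
  }

  #
  # URL path map
  #
  dynamic "url_path_map" {
    for_each = var.appgw_url_path_map
    content {
      name = url_path_map.value.name
      # A default redirect and a default backend are mutually exclusive: the
      # redirect is only sent when neither backend default is given, and the
      # backend defaults are only sent when no redirect is given. When only a
      # default pool is named, the HTTP settings default to the same name.
      default_redirect_configuration_name = url_path_map.value.default_backend_address_pool_name == null && url_path_map.value.default_backend_http_settings_name == null ? url_path_map.value.default_redirect_configuration_name : null
      default_backend_address_pool_name   = url_path_map.value.default_redirect_configuration_name == null ? url_path_map.value.default_backend_address_pool_name : null
      default_backend_http_settings_name  = url_path_map.value.default_redirect_configuration_name == null ? coalesce(url_path_map.value.default_backend_http_settings_name, url_path_map.value.default_backend_address_pool_name) : null
      default_rewrite_rule_set_name       = url_path_map.value.default_rewrite_rule_set_name

      dynamic "path_rule" {
        for_each = url_path_map.value.path_rules
        content {
          name = path_rule.value.name
          # Pool and HTTP settings default to the path rule's own name, and
          # are dropped entirely when the rule redirects instead.
          backend_address_pool_name  = path_rule.value.redirect_configuration_name == null ? coalesce(path_rule.value.backend_address_pool_name, path_rule.value.name) : null
          backend_http_settings_name = path_rule.value.redirect_configuration_name == null ? coalesce(path_rule.value.backend_http_settings_name, path_rule.value.name) : null
          rewrite_rule_set_name       = path_rule.value.rewrite_rule_set_name
          redirect_configuration_name = path_rule.value.redirect_configuration_name
          paths                       = path_rule.value.paths
          # Path-level WAF policy, overriding listener and gateway policies.
          firewall_policy_id          = path_rule.value.firewall_policy_id
        }
      }
    }
  }

  #
  # Redirect configuration
  #
  dynamic "redirect_configuration" {
    for_each = var.appgw_redirect_configuration
    iterator = redirect
    content {
      name                 = redirect.value.name
      redirect_type        = redirect.value.redirect_type
      target_listener_name = redirect.value.target_listener_name
      target_url           = redirect.value.target_url
      include_path         = redirect.value.include_path
      include_query_string = redirect.value.include_query_string
    }
  }

  #
  # Identity
  #
  # Only a user-assigned identity is supported; it is what the gateway uses
  # to read Key Vault secrets referenced via key_vault_secret_id above.
  dynamic "identity" {
    for_each = var.user_assigned_identity_id != null ? ["enabled"] : []
    content {
      type         = "UserAssigned"
      identity_ids = [var.user_assigned_identity_id]
    }
  }

  #
  # Tags
  #
  tags = local.app_gateway_tags
}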