This Terraform module is designed to create an Azure CDN FrontDoor (Standard/Premium) resource.
Module version | Terraform version | AzureRM version |
---|---|---|
>= 7.x.x | 1.3.x | >= 3.0 |
>= 6.x.x | 1.x | >= 3.0 |
>= 5.x.x | 0.15.x | >= 2.0 |
>= 4.x.x | 0.13.x / 0.14.x | >= 2.0 |
>= 3.x.x | 0.12.x | >= 2.0 |
>= 2.x.x | 0.12.x | < 2.0 |
< 2.x.x | 0.11.x | < 2.0 |
If you want to contribute to this repository, feel free to use our pre-commit git hook configuration which will help you automatically update and format some files for you by enforcing our Terraform code module best-practices.
More details are available in the CONTRIBUTING.md file.
This module is optimized to work with the Claranet terraform-wrapper tool
which set some terraform variables in the environment needed by this module.
More details about variables set by the terraform-wrapper
available in the documentation.
module "azure_region" {
source = "claranet/regions/azurerm"
version = "x.x.x"
azure_region = var.azure_region
}
module "rg" {
source = "claranet/rg/azurerm"
version = "x.x.x"
location = module.azure_region.location
client_name = var.client_name
environment = var.environment
stack = var.stack
}
module "logs" {
source = "claranet/run/azurerm//modules/logs"
version = "x.x.x"
client_name = var.client_name
environment = var.environment
stack = var.stack
location = module.azure_region.location
location_short = module.azure_region.location_short
resource_group_name = module.rg.resource_group_name
}
# NOTE: In order for the certificate to be used by Azure FrontDoor, it must be PKCS#12 PFX 3DES.
# The PFX must only contain the leaf and any intermediates, but it must not contain any Root CAs
# already trusted by Azure. openssl v3 requires -legacy flag for 3DES compatibility.
# Generate the CSR, get it signed by the CA, then create the PFX.
#
# openssl pkcs12 -export -out cert.pfx -inkey leaf.key -in leaf.pem -certfile intermediate.pem -legacy
#
resource "azurerm_key_vault_certificate" "cert" {
name = "custom-contoso-com"
key_vault_id = var.key_vault_id
certificate {
contents = "abcd" # filebase64("./cert.pfx")
password = ""
}
# The following is required for PFX imports, but not PEM.
certificate_policy {
issuer_parameters {
name = "Unknown"
}
key_properties {
exportable = true
key_size = 2048
key_type = "RSA"
reuse_key = false
}
secret_properties {
content_type = "application/x-pkcs12"
}
}
}
module "cdn_frontdoor" {
source = "claranet/cdn-frontdoor/azurerm"
version = "x.x.x"
client_name = var.client_name
environment = var.environment
stack = var.stack
resource_group_name = module.rg.resource_group_name
sku_name = "Premium_AzureFrontDoor"
logs_destinations_ids = [
module.logs.log_analytics_workspace_id,
module.logs.logs_storage_account_id,
]
endpoints = [
{
name = "web"
},
{
name = "azure"
enabled = false
},
]
origin_groups = [
{
name = "contoso"
health_probe = {
interval_in_seconds = 250
path = "/"
protocol = "Https"
request_type = "GET"
}
load_balancing = {
successful_samples_required = 1
}
},
{
name = "contoso2"
health_probe = {
interval_in_seconds = 250
path = "/"
protocol = "Https"
request_type = "GET"
}
},
]
origins = [
{
name = "web"
origin_group_name = "contoso"
certificate_name_check_enabled = false
host_name = "www.contoso.com"
},
{
name = "azure"
origin_group_name = "contoso2"
certificate_name_check_enabled = false
host_name = "azure.contoso.com"
},
]
custom_domains = [
{
name = "www"
host_name = "www.contoso.com"
},
{
name = "custom-contoso-com"
host_name = "custom.contoso.com"
tls = {
certificate_type = "CustomerCertificate"
key_vault_certificate_id = azurerm_key_vault_certificate.cert.id
}
}
]
routes = [
{
name = "route66"
endpoint_name = "web"
origin_group_name = "contoso"
origins_names = ["web", "azure"]
forwarding_protocol = "HttpsOnly"
patterns_to_match = ["/*"]
supported_protocols = ["Http", "Https"]
custom_domains_names = ["www"]
rule_sets_names = ["my_rule_set", "my_rule_set2"]
},
{
name = "route2"
endpoint_name = "azure"
origin_group_name = "contoso2"
origins_names = ["web"]
forwarding_protocol = "HttpsOnly"
patterns_to_match = ["/contoso"]
supported_protocols = ["Http", "Https"]
rule_sets_names = ["my_rule_set", "my_rule_set2"]
},
]
rule_sets = [
{
name = "my_rule_set"
custom_resource_name = "custom_rule"
rules = [{
name = "redirect"
custom_resource_name = "myrulename"
order = 1
actions = {
response_header_actions = [
{
header_action = "Overwrite"
header_name = "Access-Control-Allow-Origin"
value = "https://www.foo.bar.fr"
},
{
header_action = "Overwrite"
header_name = "Access-Control-Allow-Credentials"
value = "true"
},
{
header_action = "Overwrite"
header_name = "Access-Control-Allow-Headers"
value = "Authorization, Content-Type, ocp-apim-subscription-key"
},
{
header_action = "Overwrite"
header_name = "Access-Control-Allow-Methods"
value = "POST,PUT,GET,DELETE,OPTIONS"
},
]
url_rewrite_actions = [{
source_pattern = "/"
destination = "/contoso"
}]
}
conditions = {
is_device_conditions = [{
operator = "Equal"
match_values = ["Desktop"]
}]
}
}]
},
{
name = "my_rule_set2"
custom_resource_name = "custom_rule2"
},
]
firewall_policies = [{
name = "test"
enabled = true
mode = "Prevention"
redirect_url = "https://www.contoso.com"
custom_block_response_status_code = 403
custom_block_response_body = "PGh0bWw+CjxoZWFkZXI+PHRpdGxlPkhlbGxvPC90aXRsZT48L2hlYWRlcj4KPGJvZHk+CkhlbGxvIHdvcmxkCjwvYm9keT4KPC9odG1sPg=="
custom_rules = [
{
name = "Rule1"
enabled = true
priority = 1
rate_limit_duration_in_minutes = 1
rate_limit_threshold = 10
type = "MatchRule"
action = "Block"
match_conditions = [{
match_variable = "RemoteAddr"
operator = "IPMatch"
negation_condition = false
match_values = ["10.0.1.0/24", "10.0.0.0/24"]
}]
},
{
name = "Rule2"
enabled = true
priority = 2
rate_limit_duration_in_minutes = 1
rate_limit_threshold = 10
type = "MatchRule"
action = "Block"
match_conditions = [
{
match_variable = "RemoteAddr"
operator = "IPMatch"
negation_condition = false
match_values = ["192.168.1.0/24"]
},
{
match_variable = "RequestHeader"
selector = "UserAgent"
operator = "Contains"
negation_condition = false
match_values = ["windows"]
transforms = ["Lowercase", "Trim"]
},
]
},
]
managed_rules = [
{
type = "DefaultRuleSet"
version = "1.0"
action = "Log"
exclusions = [{
match_variable = "QueryStringArgNames"
operator = "Equals"
selector = "not_suspicious"
}]
overrides = [
{
rule_group_name = "PHP"
rules = [{
rule_id = "933100"
enabled = false
action = "Block"
}]
},
{
rule_group_name = "SQLI"
exclusions = [{
match_variable = "QueryStringArgNames"
operator = "Equals"
selector = "really_not_suspicious"
}]
rules = [{
rule_id = "942200"
action = "Block"
exclusions = [{
match_variable = "QueryStringArgNames"
operator = "Equals"
selector = "innocent"
}]
}]
},
]
},
{
type = "Microsoft_BotManagerRuleSet"
version = "1.0"
action = "Log"
},
]
}]
security_policies = [{
name = "MySecurityPolicy"
custom_resource_name = "MyBetterNamedSecurityPolicy"
firewall_policy_name = "test"
patterns_to_match = ["/*"]
custom_domain_names = ["www"]
endpoint_names = ["web", "azure"]
}]
extra_tags = {
foo = "bar"
}
}
Name | Version |
---|---|
azurecaf | ~> 1.2, >= 1.2.22 |
azurerm | ~> 3.39 |
Name | Source | Version |
---|---|---|
diagnostics | claranet/diagnostic-settings/azurerm | ~> 6.5.0 |
Name | Description | Type | Default | Required |
---|---|---|---|---|
cdn_frontdoor_profile_name | Specifies the name of the FrontDoor Profile. | string |
"" |
no |
client_name | Client name/account used in naming. | string |
n/a | yes |
custom_diagnostic_settings_name | Custom name of the diagnostics settings, name will be 'default' if not set. | string |
"default" |
no |
custom_domains | CDN FrontDoor Custom Domains configurations. | list(object({ |
[] |
no |
default_tags_enabled | Option to enable or disable default tags. | bool |
true |
no |
endpoints | CDN FrontDoor Endpoints configurations. | list(object({ |
[] |
no |
environment | Project environment. | string |
n/a | yes |
extra_tags | Extra tags to add. | map(string) |
{} |
no |
firewall_policies | CDN Frontdoor Firewall Policies configurations. | list(object({ |
[] |
no |
logs_categories | Log categories to send to destinations. | list(string) |
null |
no |
logs_destinations_ids | List of destination resources IDs for logs diagnostics destination. Can be Storage Account, Log Analytics Workspace and Event Hub. No more than one of each can be set. Empty list to disable logging. | list(string) |
n/a | yes |
logs_metrics_categories | Metrics categories to send to destinations. | list(string) |
null |
no |
name_prefix | Optional prefix for the generated name | string |
"" |
no |
name_suffix | Optional suffix for the generated name | string |
"" |
no |
origin_groups | CDN FrontDoor Origin Groups configurations. | list(object({ |
[] |
no |
origins | CDN FrontDoor Origins configurations. | list(object({ |
[] |
no |
resource_group_name | Resource group name. | string |
n/a | yes |
response_timeout_seconds | Specifies the maximum response timeout in seconds. Possible values are between 16 and 240 seconds (inclusive). |
number |
120 |
no |
routes | CDN FrontDoor Routes configurations. | list(object({ |
[] |
no |
rule_sets | CDN FrontDoor Rule Sets and associated Rules configurations. | list(object({ |
[] |
no |
security_policies | CDN FrontDoor Security policies configurations. | list(object({ |
[] |
no |
sku_name | Specifies the SKU for this CDN FrontDoor Profile. Possible values include Standard_AzureFrontDoor and Premium_AzureFrontDoor . |
string |
"Standard_AzureFrontDoor" |
no |
stack | Project stack name. | string |
n/a | yes |
use_caf_naming | Use the Azure CAF naming provider to generate default resource name. custom_name override this if set. Legacy default name is used if this is set to false . |
bool |
true |
no |
Name | Description |
---|---|
custom_domains | CDN FrontDoor custom domains outputs. |
endpoints | CDN FrontDoor endpoints outputs. |
firewall_policies | CDN FrontDoor firewall policies outputs. |
origin_groups | CDN FrontDoor origin groups outputs. |
origins | CDN FrontDoor origins outputs. |
profile_id | The ID of the CDN FrontDoor Profile. |
profile_name | The name of the CDN FrontDoor Profile. |
rule_sets | CDN FrontDoor rule sets outputs. |
rules | CDN FrontDoor rules outputs. |
security_policies | CDN FrontDoor security policies outputs. |
Azure Front Door REST API: docs.microsoft.com/en-us/rest/api/frontdoor/