Merge pull request #202 from aztfmod/akeloth-fd

akeloth frontdoor
aztfmod · Dec 21, 2020 · cbb56d3 · cbb56d3
2 parents f851b84 + 0e9e55b
commit cbb56d3
Show file tree

Hide file tree

Showing 46 changed files with 1,483 additions and 50 deletions.
diff --git a/.github/workflows/master-100.yaml b/.github/workflows/master-100.yaml
@@ -103,6 +103,8 @@ jobs:
             "machine_learning/101-aml-vnet",
             "monitoring/service_health_alerts",
             "mssql_server/elastic_pools",
+            "networking/dns_zones/100-simple-dns_zone",
+            "networking/front_door/100-simple-front_door",
             "networking/private_dns/100-private-dns-vnet-links",
             # "networking/private_links/endpoints/centralized",  # Requires launchpad scenario 200
             "networking/virtual_network/100-subnet-delegation",

diff --git a/examples/compute/virtual_machine/211-vm-bastion-winrm-agents/virtual_machines.tfvars b/examples/compute/virtual_machine/211-vm-bastion-winrm-agents/virtual_machines.tfvars
@@ -75,6 +75,14 @@ virtual_machines = {
         internal_dns_name_label = "server1-nic0"
 
       }
+      nic1 = {
+        vnet_key                = "vnet_region1"
+        subnet_key              = "servers"
+        name                    = "1-server1"
+        enable_ip_forwarding    = false
+        internal_dns_name_label = "server1-nic1"
+
+      }
     }
 
     virtual_machine_settings = {
@@ -85,7 +93,7 @@ virtual_machines = {
         admin_password_key = "vm-win-admin-password"
 
         # Value of the nic keys to attach the VM. The first one in the list is the default nic
-        network_interface_keys = ["nic0"]
+        network_interface_keys = ["nic0","nic1"]
 
         zone = "1"
 
@@ -124,6 +132,15 @@ virtual_machines = {
         lun           = 1
         zones         = ["1"]
       }
+      data2 = {
+        name                 = "server1-data2"
+        storage_account_type = "Standard_LRS"
+        # Only Empty is supported. More community contributions required to cover other scenarios
+        create_option = "Empty"
+        disk_size_gb  = "30"
+        lun           = 2
+        zones         = ["1"]
+      }
     }
 
     virtual_machine_extensions = {

diff --git a/examples/module.tf b/examples/module.tf
@@ -51,6 +51,9 @@ module "caf" {
     express_route_circuit_authorizations = var.express_route_circuit_authorizations
     network_watchers                     = var.network_watchers
     vnet_peerings                        = var.vnet_peerings
+    front_doors                          = var.front_doors
+    front_door_waf_policies              = var.front_door_waf_policies
+    dns_zones                            = var.dns_zones
     private_endpoints                    = var.private_endpoints
     local_network_gateways               = var.local_network_gateways
   }
@@ -77,7 +80,8 @@ module "caf" {
   }
 
   security = {
-    dynamic_keyvault_secrets = var.dynamic_keyvault_secrets
+    dynamic_keyvault_secrets      = var.dynamic_keyvault_secrets
+    keyvault_certificate_requests = var.keyvault_certificate_requests
   }
 
   remote_objects = {

diff --git a/examples/networking/dns_zones/100-simple-dns_zone/configuration.tfvars b/examples/networking/dns_zones/100-simple-dns_zone/configuration.tfvars
@@ -0,0 +1,38 @@
+global_settings = {
+  default_region = "region1"
+  regions = {
+    region1 = "southeastasia"
+    region2 = "eastasia"
+  }
+}
+
+resource_groups = {
+  dns_re1 = {
+    name   = "sales-rg1"
+    region = "region1"
+  }
+}
+
+dns_zones = {
+  dns_zone1 = {
+    name                = ""                  // Set as empty for CI. this will creation a random_domain_name.com
+    region              = "region1"
+    resource_group_key  = "dns_re1"
+
+    contract = {
+      name_first   = "John"
+      name_last    = "Doe"
+      email        = "[email protected]"
+      phone        = "+65.12345678"
+      organization = "Sandpit"
+      job_title    = "Engineer"
+      address1     = "Singapore"
+      address2     = ""
+      postal_code  = "018898"
+      state        = "Singapore"
+      city         = "Singapore"
+      country      = "SG"
+      auto_renew   = true
+    }
+  }
+}  
diff --git a/examples/networking/front_door/100-simple-front_door/configuration.tfvars b/examples/networking/front_door/100-simple-front_door/configuration.tfvars
@@ -0,0 +1,14 @@
+global_settings = {
+  random_length  = "5"
+  default_region = "region1"
+  regions = {
+    region1 = "southeastasia"
+  }
+}
+
+resource_groups = {
+  front_door = {
+    name = "front-door-rg"
+  }
+}
+
diff --git a/examples/networking/front_door/100-simple-front_door/diagnostic_storage_accounts.tfvars b/examples/networking/front_door/100-simple-front_door/diagnostic_storage_accounts.tfvars
@@ -0,0 +1,11 @@
+
+diagnostic_storage_accounts = {
+  diagnostics_region1 = {
+    name                     = "diagrg1"
+    resource_group_key       = "front_door"
+    account_kind             = "StorageV2"
+    account_tier             = "Standard"
+    account_replication_type = "LRS"
+    access_tier              = "Cool"
+  }
+}
diff --git a/examples/networking/front_door/100-simple-front_door/diagnostics_definition.tfvars b/examples/networking/front_door/100-simple-front_door/diagnostics_definition.tfvars
@@ -0,0 +1,23 @@
+
+#
+# Define a set of settings for the various type of Azure resources
+#
+
+diagnostics_definition = {
+
+  azure_front_door = {
+    name = "operational_logs_and_metrics"
+    categories = {
+      log = [
+        # ["Category name",  "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
+        ["FrontdoorAccessLog", true, false, 7],
+        ["FrontdoorWebApplicationFirewallLog", true, false, 7],
+      ]
+      metric = [
+        #["Category name",  "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
+        ["AllMetrics", true, false, 7],
+      ]
+    }
+  }
+
+}
diff --git a/examples/networking/front_door/100-simple-front_door/diagnostics_destinations.tfvars b/examples/networking/front_door/100-simple-front_door/diagnostics_destinations.tfvars
@@ -0,0 +1,15 @@
+# Defines the different destination for the different log profiles
+# Different profiles to target different operational teams
+
+diagnostics_destinations = {
+  # Storage keys must reference the azure region name
+  # For storage, reference "all_regions" and we will send the logs to the storage account
+  # in the region of the deployment
+  storage = {
+    all_regions = {
+      global = {
+        storage_account_key = "diagnostics_region1"
+      }
+    }
+  }
+}
diff --git a/examples/networking/front_door/100-simple-front_door/front_door_waf_policies.tfvars b/examples/networking/front_door/100-simple-front_door/front_door_waf_policies.tfvars
@@ -0,0 +1,95 @@
+front_door_waf_policies = {
+  wp1 = {
+    name                              = "examplewafpolicy"
+    resource_group_key                = "front_door"
+    enabled                           = true
+    mode                              = "Prevention"
+    redirect_url                      = "https://www.contoso.com"
+    custom_block_response_status_code = 403
+    custom_block_response_body        = "PGh0bWw+CjxoZWFkZXI+PHRpdGxlPkhlbGxvPC90aXRsZT48L2hlYWRlcj4KPGJvZHk+CkhlbGxvIHdvcmxkCjwvYm9keT4KPC9odG1sPg=="
+
+    custom_rules = {
+      rule1 = {
+        name                           = "Rule1"
+        enabled                        = true
+        priority                       = 1
+        rate_limit_duration_in_minutes = 1
+        rate_limit_threshold           = 10
+        type                           = "MatchRule"
+        action                         = "Block"
+
+        match_condition = {
+          allow_remote_subnets = {
+            match_variable     = "RemoteAddr"
+            operator           = "IPMatch"
+            negation_condition = false
+            match_values       = ["192.168.1.0/24", "10.0.0.0/24"]
+          }
+          countries = {
+            match_variable     = "RemoteAddr"
+            operator           = "GeoMatch"
+            negation_condition = false
+            match_values = [
+              "bahrain",
+              "Singapore"
+            ]
+          }
+        }
+
+      }
+    }
+
+    managed_rules = {
+      rule1 = {
+        type    = "DefaultRuleSet"
+        version = "1.0"
+        exclusions = {
+          ex1 = {
+            match_variable = "QueryStringArgNames"
+            operator       = "Equals"
+            selector       = "not_suspicious"
+          }
+        }
+        overrides = {
+          or1 = {
+            rule_group_name = "PROTOCOL-ATTACK"
+            exclusions = {
+              ex1 = {
+                match_variable = "RequestHeaderNames"
+                operator       = "StartsWith"
+                selector       = "test"
+              }
+              ex2 = {
+                match_variable = "RequestCookieNames"
+                operator       = "EqualsAny"
+                selector       = "*"
+              }
+            }
+            rules = {
+              921150 = {
+                action  = "Log"
+                enabled = true
+                rule_id = "921150"
+              }
+              921151 = {
+                action  = "Log"
+                enabled = true
+                rule_id = "921151"
+                exclusions = {
+                  ex1 = {
+                    match_variable = "RequestHeaderNames"
+                    operator       = "StartsWith"
+                    selector       = "921151"
+                  }
+                }
+              }
+            }
+          }
+        }
+      }
+    }
+
+  }
+}
+
+
diff --git a/examples/networking/front_door/100-simple-front_door/front_doors.tfvars b/examples/networking/front_door/100-simple-front_door/front_doors.tfvars
@@ -0,0 +1,124 @@
+front_doors = {
+  front_door1 = {
+    name                   = "sales-rg1"
+    resource_group_key     = "front_door"
+    certificate_name_check = false
+    # Keyvault key hosting the ssl certificates
+    keyvault_key = "cert_secrets"
+
+    routing_rule = {
+      rr1 = {
+        name                   = "exampleRoutingRule1"
+        frontend_endpoint_keys = ["fe1"]
+        accepted_protocols     = ["Http", "Https"]
+        patterns_to_match      = ["/*"]
+        enabled                = true
+        configuration          = "Forwarding"
+        forwarding_configuration = {
+          backend_pool_name                     = "bing"
+          cache_enabled                         = false
+          cache_use_dynamic_compression         = false
+          cache_query_parameter_strip_directive = "StripAll"
+          custom_forwarding_path                = ""
+          forwarding_protocol                   = "MatchRequest"
+        }
+        redirect_configuration = {
+          custom_host         = ""
+          redirect_protocol   = "MatchRequest"
+          redirect_type       = "Found"
+          custom_fragment     = ""
+          custom_path         = ""
+          custom_query_string = ""
+        }
+      }
+    }
+
+    # Following optional argument can be used to set a time out value between 0-240. If not passed, by default it will be set to 60
+    # backend_pools_send_receive_timeout_seconds = 120
+
+    # Following optional argument can be used to disable Front Door Load Balancer
+    # load_balancer_enabled  =  false
+
+    # Following optional argument can be used to pass a friendly name for the Front Door service
+    # friendly_name          =  "ExampleFriendDoor"
+
+    backend_pool_load_balancing = {
+      lb1 = {
+        name                            = "exampleLoadBalancingSettings1"
+        sample_size                     = 4
+        successful_samples_required     = 2
+        additional_latency_milliseconds = 0
+      }
+    }
+
+    backend_pool_health_probe = {
+      hp1 = {
+        name                = "exampleHealthProbeSetting1"
+        path                = "/"
+        protocol            = "Https"
+        interval_in_seconds = 120
+      }
+    }
+
+    backend_pool = {
+      bp1 = {
+        name               = "bing"
+        load_balancing_key = "lb1"
+        health_probe_key   = "hp1"
+        backend = {
+          be1 = {
+            enabled     = true
+            address     = "www.bing.com"
+            host_header = "www.bing.com"
+            http_port   = 80
+            https_port  = 443
+            priority    = 1
+            weight      = 50
+          },
+          be2 = {
+            enabled     = true
+            address     = "www.bing.co.uk"
+            host_header = "www.bing.co.uk"
+            http_port   = 80
+            https_port  = 443
+            priority    = 1
+            weight      = 50
+          }
+        }
+
+      }
+    }
+
+    frontend_endpoints = {
+      fe1 = {
+        name = "exampleFrontendEndpoint1"
+        # host_name                         = "randomabcxyz-FrontDoor.azurefd.net" ?? not used in the code
+        session_affinity_enabled          = false
+        session_affinity_ttl_seconds      = 0
+        custom_https_provisioning_enabled = false
+        #Required if custom_https_provisioning_enabled is true
+        custom_https_configuration = {
+          certificate_source = "AzureKeyVault"
+          #If certificate source is AzureKeyVault the below are required:
+            azure_key_vault_certificate_vault_id       = "/subscriptions/fed745fc-818a-4b9f-8338-22368e098c5c/resourceGroups/inos-rg-front-door-rg-guinc/providers/Microsoft.KeyVault/vaults/kv-certsecrets-ccmcj"
+            azure_key_vault_certificate_secret_name    = "test"
+            azure_key_vault_certificate_secret_version = "b672b38ce10245b8bd3ba75924c80d3d"
+          # Or if created from CAF module
+          # keyvault_certificate_key = ""
+        }
+        front_door_waf_policy_key = "wp1"
+        lz_key                    = ""
+      }
+    }
+
+    # you can setup up to 5 profiles
+    diagnostic_profiles = {
+      operations = {
+        definition_key   = "azure_front_door"
+        destination_type = "storage"
+        destination_key  = "all_regions"
+      }
+    }
+
+  }
+}