variable "environment" {
  # Combined with `project_name` to build the name prefix for every resource.
  type        = string
  description = "Environment name. Will be used along with `project_name` as a prefix for all resources."
}
variable "project_name" {
  # Combined with `environment` to build the name prefix for every resource.
  type        = string
  description = "Project name. Will be used along with `environment` as a prefix for all resources."
}
variable "azure_location" {
  # Azure region name (no default: the caller must choose it explicitly).
  type        = string
  description = "Azure location in which to launch resources."
}
variable "tags" {
  # Optional key/value tags; an empty map means no tags are added.
  type        = map(string)
  default     = {}
  description = "Tags to be applied to all resources"
}
variable "existing_resource_group" {
  # Empty string (the default) means the module creates its own resource group;
  # any other value opts into an existing one and suppresses creation.
  type        = string
  default     = ""
  description = "Conditionally launch resources into an existing resource group. Specifying this will NOT create a resource group."
}
variable "existing_virtual_network" {
  # Empty string (the default) means a VNet is created. When set, the
  # description requires `virtual_network_address_space` to match an address
  # space already on the VNet and `existing_resource_group` to be supplied.
  type        = string
  default     = ""
  description = "Conditionally use an existing virtual network. The `virtual_network_address_space` must match an existing address space in the VNet. This also requires the resource group name."
}
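variable "virtual_network_address_space" {
  # CIDR for the VNet. When `existing_virtual_network` is set this must match an
  # address space already present on that VNet (see that variable).
  description = "Virtual Network address space CIDR"
  type        = string
  default     = "172.16.0.0/12"

  validation {
    # Fail at plan time on an unparseable prefix instead of at apply time.
    # cidrhost() accepts both IPv4 and IPv6 prefixes.
    condition     = can(cidrhost(var.virtual_network_address_space, 0))
    error_message = "virtual_network_address_space must be a valid CIDR prefix, e.g. 10.0.0.0/16"
  }
}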
variable "waf_application" {
  # Selects which front-end product the WAF policy is attached to.
  type        = string
  default     = "CDN"
  description = "Which product to apply the WAF to. Must be either CDN or AppGatewayV2"

  validation {
    # Only these two values are understood by the module.
    error_message = "waf_application must be either CDN or AppGatewayV2"
    condition     = contains(["CDN", "AppGatewayV2"], var.waf_application)
  }
}
variable "app_gateway_v2_enable_http2" {
  # HTTP/2 on the gateway listener; enabled unless the caller opts out.
  type        = bool
  default     = true
  description = "App Gateway V2 enable HTTP2"
}
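variable "app_gateway_v2_capacity_units" {
  # Fixed instance count for the v2 gateway (autoscale is not configured here).
  description = "App Gateway V2 capacity units"
  type        = number
  default     = 1

  validation {
    # Application Gateway v2 accepts 1..125 capacity units; reject anything else
    # at plan time so a typo does not surface as an ARM error mid-apply.
    condition     = var.app_gateway_v2_capacity_units >= 1 && var.app_gateway_v2_capacity_units <= 125
    error_message = "app_gateway_v2_capacity_units must be between 1 and 125"
  }
}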
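variable "app_gateway_v2_frontend_port" {
  description = "App Gateway V2 frontend port"
  type        = number
  default     = 80

  # NOTE(review): the default of 80 presumably means the gateway listener is
  # plain HTTP. That is tolerable only when TLS is terminated upstream and the
  # gateway is not directly reachable (see
  # `restrict_app_gateway_v2_to_front_door_inbound_only`); for a directly
  # exposed gateway, set 443 and supply a certificate via
  # `app_gateway_v2_ssl_certificate_key_vault_id` in `waf_targets`. Confirm
  # the listener protocol in the gateway resource before relying on this.
  validation {
    # A port outside the TCP range would only fail at apply time otherwise.
    condition     = var.app_gateway_v2_frontend_port >= 1 && var.app_gateway_v2_frontend_port <= 65535
    error_message = "app_gateway_v2_frontend_port must be between 1 and 65535"
  }
}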
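variable "app_gateway_v2_cookie_based_affinity" {
  # Session stickiness via an affinity cookie; off by default so requests are
  # load-balanced freely across backends.
  description = "App Gateway V2 Cookie Based Affinity. Sets an affinity cookie in the response with a hash value which contains the session details, so that the subsequent requests carrying the affinity cookie will be routed to the same backend server for maintaining stickiness."
  type        = string
  default     = "Disabled"

  validation {
    # The backend HTTP settings only accept these two literal values; anything
    # else (e.g. "enabled", true) previously failed at apply time.
    condition     = contains(["Enabled", "Disabled"], var.app_gateway_v2_cookie_based_affinity)
    error_message = "app_gateway_v2_cookie_based_affinity must be either Enabled or Disabled"
  }
}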
variable "restrict_app_gateway_v2_to_front_door_inbound_only" {
  # Default is false: no NSG is created, so the gateway subnet is not
  # restricted to the AzureFrontDoor.Backend service tag. Set true when the
  # gateway should only be reachable through Front Door.
  type        = bool
  default     = false
  description = "Restricts access to the App Gateway V2 by creating a network security group that only allows 'AzureFrontDoor.Backend' inbound, and attaches it to the subnet of the application gateway."
}
variable "restrict_app_gateway_v2_to_front_door_inbound_only_destination_prefixes" {
  # Destination side of the NSG allow rule; "*" matches any destination within
  # the subnet. Only consulted when the restrict flag above is enabled.
  type        = list(string)
  default     = ["*"]
  description = "If app gateway v2 has access restricted to front door only (by enabling `restrict_app_gateway_v2_to_front_door_inbound_only`), use this to set the destination prefixes for the security group rule."
}
variable "app_gateway_v2_identity_ids" {
  # Bring-your-own user-assigned identities; an empty list (the default) means
  # the module creates one. NOTE(review): `list(any)` accepts non-string
  # elements; callers should pass resource IDs as strings.
  type        = list(any)
  default     = []
  description = "App Gateway V2 User Assigned identity ids. If empty, one will be created."
}
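variable "key_vault_app_gateway_certificates_access_users" {
  # Human principals granted access to the certificate Key Vault. Keep this
  # list minimal: it is the set of people who can read gateway TLS material.
  description = "List of users that require access to the App Gateway Certificates Key Vault. This should be a list of User Principal Names (found in Entra ID / Azure Active Directory) that need to run terraform"
  type        = list(string)
  default     = []
}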
variable "key_vault_app_gateway_certificates_access_ipv4" {
  # Network allow-list for the certificate Key Vault. Empty by default; whether
  # an empty list means "deny all" or "no firewall" depends on the Key Vault
  # resource, which is outside this file — confirm before relying on it.
  type        = list(string)
  default     = []
  description = "List of IPv4 Addresses that are permitted to access the App Gateway Certificates Key Vault"
}
variable "key_vault_app_gateway_certificates_access_subnet_ids" {
  # Subnet-level allow-list for the certificate Key Vault (virtual network rules).
  type        = list(string)
  default     = []
  description = "List of Azure Subnet IDs that are permitted to access the App Gateway Certificates Key Vault"
}
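variable "cdn_sku" {
  # NOTE(review): Azure documents managed WAF rule sets (the defaults in
  # `cdn_waf_managed_rulesets`) as a Premium-tier feature; with the Standard
  # default here, confirm how the WAF policy resource behaves when
  # `enable_waf` is true.
  description = "Azure CDN Front Door SKU"
  type        = string
  default     = "Standard_AzureFrontDoor"

  validation {
    # Only the two Front Door (Standard/Premium) SKU names are valid for the
    # CDN profile; catch typos at plan time.
    condition     = contains(["Standard_AzureFrontDoor", "Premium_AzureFrontDoor"], var.cdn_sku)
    error_message = "cdn_sku must be either Standard_AzureFrontDoor or Premium_AzureFrontDoor"
  }
}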
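variable "response_request_timeout" {
  # Shared timeout: applied as the Front Door origin response timeout or the
  # App Gateway backend request timeout, depending on `waf_application`.
  description = "Azure CDN Front Door response timeout, or app gateway v2 request timeout in seconds"
  type        = number
  default     = 120

  validation {
    # A zero or negative timeout is never meaningful for either product.
    condition     = var.response_request_timeout > 0
    error_message = "response_request_timeout must be a positive number of seconds"
  }
}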
variable "waf_targets" {
  # One entry per origin the WAF front-end routes to, keyed by a caller-chosen name.
  type = map(object({
    # Origin host the WAF forwards to.
    domain : string,
    # Front Door only: create a custom domain for this target.
    cdn_create_custom_domain : optional(bool, false),
    custom_fqdn : optional(string, ""),
    # App Gateway only: Key Vault secret ID of the listener certificate.
    app_gateway_v2_ssl_certificate_key_vault_id : optional(string, ""),
    # Health probe settings; a HEAD on "/" every 60s unless overridden.
    enable_health_probe : optional(bool, true),
    health_probe_interval : optional(number, 60),
    health_probe_request_type : optional(string, "HEAD"),
    health_probe_path : optional(string, "/"),
    # Per-target header rewrites at the Front Door edge.
    cdn_add_response_headers : optional(list(object({
      name : string,
      value : string
    })), []),
    cdn_add_request_headers : optional(list(object({
      name : string,
      value : string
    })), []),
    cdn_remove_response_headers : optional(list(string), []),
    cdn_remove_request_headers : optional(list(string), [])
  }))
  default     = {}
  description = "Target endpoints to configure the WAF to point towards"
}
variable "cdn_host_redirects" {
  # Each map carries a `from` host and a `to` host, per the example in the description.
  type        = list(map(string))
  default     = []
  description = "CDN FrontDoor host redirects `[{ \"from\" = \"example.com\", \"to\" = \"www.example.com\" }]`"
}
variable "cdn_add_response_headers" {
  # Global response headers for every Front Door endpoint (the per-target
  # equivalent lives in `waf_targets`). NOTE(review): the example uses the key
  # "Name" while `waf_targets` uses lower-case `name`; confirm which key the
  # consuming rule-set resource reads, since `map(string)` will not catch a
  # mismatch.
  type        = list(map(string))
  default     = []
  description = "List of response headers to add at the CDN Front Door for all endpoints `[{ \"Name\" = \"Strict-Transport-Security\", \"value\" = \"max-age=31536000\" }]`"
}
variable "cdn_remove_response_headers" {
  # Header names stripped from every Front Door response (e.g. server banners).
  type        = list(string)
  default     = []
  description = "List of response headers to remove at the CDN Front Door for all endpoints"
}
variable "existing_monitor_action_group_id" {
  # Action group that alert rules notify; empty string means none is supplied.
  type        = string
  default     = ""
  description = "ID of an existing monitor action group"
}
variable "enable_latency_monitor" {
  # Off by default; see `latency_monitor_threshold` for the alert level.
  type        = bool
  default     = false
  description = "Enable CDN latency monitor"
}
variable "latency_monitor_threshold" {
  # Alert threshold in milliseconds; only used when `enable_latency_monitor` is true.
  type        = number
  default     = 5000
  description = "CDN latency monitor threshold in milliseconds"
}
variable "enable_waf" {
  # Master switch for the WAF policy. It is OFF by default, so the module
  # deploys an unprotected front end unless the caller sets this to true;
  # `waf_mode` and the rule-set variables only matter when this is enabled.
  type        = bool
  default     = false
  description = "Enable WAF"
}
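variable "waf_mode" {
  # "Prevention" blocks matching requests; "Detection" only logs them. The
  # default is the enforcing mode.
  description = "WAF mode. Must be either Detection or Prevention"
  type        = string
  default     = "Prevention"

  validation {
    # Both Front Door and App Gateway WAF policies accept exactly these two
    # mode strings; an invalid value previously only failed at apply time.
    condition     = contains(["Detection", "Prevention"], var.waf_mode)
    error_message = "waf_mode must be either Detection or Prevention"
  }
}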
variable "cdn_waf_enable_rate_limiting" {
  # Off by default; the `cdn_waf_rate_limiting_*` variables configure the rule.
  type        = bool
  default     = false
  description = "Deploy a Rate Limiting Policy on the Front Door WAF"
}
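variable "cdn_waf_rate_limiting_duration_in_minutes" {
  # Window over which requests are counted and, once the threshold is hit, the
  # period for which the rate-limit action applies.
  description = "Number of minutes to BLOCK requests that hit the Rate Limit threshold"
  type        = number
  default     = 1

  validation {
    # NOTE(review): Azure currently documents only 1 or 5 minutes for Front
    # Door rate limiting; this check is deliberately looser and only rejects
    # values that can never be valid.
    condition     = var.cdn_waf_rate_limiting_duration_in_minutes >= 1
    error_message = "cdn_waf_rate_limiting_duration_in_minutes must be at least 1"
  }
}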
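variable "cdn_waf_rate_limiting_threshold" {
  # Front Door rate limiting counts requests per client within the duration
  # window, not concurrent connections; the description is worded accordingly.
  description = "Maximum number of requests from a client within `cdn_waf_rate_limiting_duration_in_minutes` before the Rate Limiting policy action is applied"
  type        = number
  default     = 300

  validation {
    # A threshold of zero or less would rate-limit every request.
    condition     = var.cdn_waf_rate_limiting_threshold >= 1
    error_message = "cdn_waf_rate_limiting_threshold must be at least 1"
  }
}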
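variable "cdn_waf_rate_limiting_bypass_ip_list" {
  # Clients exempt from the rate limit. Treat this as an allow-list: anything
  # here can send unlimited requests, so keep it to known infrastructure.
  description = "List of IP CIDRs to bypass the Rate Limit Policy"
  type        = list(string)
  default     = []
}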
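variable "cdn_waf_rate_limiting_action" {
  # What the rule does once the threshold is exceeded. "Log" records without
  # enforcing; "Allow" is accepted by the validation for completeness but makes
  # the rate limit a no-op.
  description = "Action to take when rate limiting (Allow/Block/Log)"
  type        = string
  default     = "Block"

  validation {
    condition = contains(["Allow", "Block", "Log"], var.cdn_waf_rate_limiting_action)
    # Error text now names this variable (it previously referred to a
    # non-existent `waf_rate_limiting_action`).
    error_message = "cdn_waf_rate_limiting_action must be one of 'Allow', 'Block', or 'Log'"
  }
}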
variable "cdn_waf_managed_rulesets" {
  # Front Door managed rule sets keyed by rule-set name, each with an optional
  # rule-set-wide action, exclusions, and per-group/per-rule overrides.
  # NOTE(review): the pinned versions (DefaultRuleSet 1.0, BotProtection
  # preview-0.1) are old; newer Microsoft_DefaultRuleSet / Microsoft_BotManagerRuleSet
  # releases exist — confirm what the target SKU supports before bumping.
  type = map(object({
    version : string,
    action : optional(string, "Block"),
    exclusions : optional(map(object({
      match_variable : string,
      operator : string,
      selector : string
    })), {}),
    # overrides: rule group name -> rule id -> { action, exclusions }
    overrides : optional(map(map(object({
      action : string,
      exclusions : optional(map(object({
        match_variable : string,
        operator : string,
        selector : string
      })), {})
    }))), {})
  }))
  default = {
    "BotProtection" = {
      version = "preview-0.1"
    },
    "DefaultRuleSet" = {
      version = "1.0"
    }
  }
  description = "Map of all Managed rules you want to apply to the CDN WAF, including any overrides, or exclusions"
}
variable "app_gateway_v2_waf_managed_rulesets" {
  # App Gateway managed rule sets keyed by rule-set type; overrides are keyed by
  # rule group name and then by rule id. Exclusions are configured separately
  # in `app_gateway_v2_waf_managed_rulesets_exclusions`.
  type = map(object({
    version : string,
    overrides : optional(map(object({
      rules : map(object({
        enabled : bool,
        action : optional(string, "Block")
      }))
    })), {})
  }))
  default = {
    "OWASP" = {
      version = "3.2"
    },
    "Microsoft_BotManagerRuleSet" = {
      version = "1.0"
    }
  }
  description = "Map of all Managed rules you want to apply to the App Gateway WAF, including any overrides"
}
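variable "app_gateway_v2_waf_managed_rulesets_exclusions" {
  # Each exclusion names a request part (match_variable + selector) and the
  # managed rules it should be skipped for. Every exclusion widens what the WAF
  # lets through, so keep selectors as specific as possible.
  description = "Map of all exclusions and the associated Managed rules to apply to the App Gateway WAF"
  type = map(object({
    match_variable : string,
    selector : string,
    selector_match_operator : string,
    excluded_rule_set : map(object({
      version : string,
      rule_group_name : string,
      excluded_rules : list(string)
    }))
  }))
  default = {}
}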
variable "waf_custom_rules" {
  # Custom rules keyed by name; `priority` orders evaluation and `action` is
  # taken when every match condition matches. `selector` is only meaningful
  # for match variables that have sub-keys (headers, cookies, args).
  type = map(object({
    priority : number,
    action : string,
    match_conditions : map(object({
      match_variable : string,
      match_values : list(string),
      operator : string,
      selector : optional(string, null)
    }))
  }))
  default     = {}
  description = "Map of all Custom rules you want to apply to the WAF"
}
variable "cdn_waf_custom_block_response_status_code" {
  # 0 (the default) presumably means "use the platform default block status";
  # confirm against the WAF policy resource before treating 0 as a real code.
  type        = number
  default     = 0
  description = "Custom response status code when the WAF blocks a request."
}
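variable "cdn_waf_custom_block_response_body" {
  # Body returned to blocked clients. Keep it generic: do not echo request
  # data or reveal which rule fired, as that helps an attacker tune payloads.
  description = "Base64 encoded custom response body when the WAF blocks a request"
  type        = string
  default     = ""

  validation {
    # Empty means "no custom body". Otherwise require well-formed standard
    # base64 (alphabet + optional padding, length a multiple of 4) so a
    # plain-text body pasted by mistake is rejected at plan time rather than
    # by the API. A regex is used instead of base64decode() because that
    # function also rejects payloads that do not decode to UTF-8.
    condition = (
      var.cdn_waf_custom_block_response_body == "" ||
      (
        can(regex("^[A-Za-z0-9+/]*={0,2}$", var.cdn_waf_custom_block_response_body)) &&
        length(var.cdn_waf_custom_block_response_body) % 4 == 0
      )
    )
    error_message = "cdn_waf_custom_block_response_body must be empty or a valid base64 string"
  }
}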