-
Notifications
You must be signed in to change notification settings - Fork 36
/
Copy pathvariables-app-gateway.tf
382 lines (338 loc) · 13.1 KB
/
variables-app-gateway.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
variable "user_assigned_identity_id" {
description = "User assigned identity id assigned to this resource."
type = string
default = null
}
variable "autoscale_configuration" {
description = "Map containing autoscaling parameters. Must contain at least min_capacity."
type = object({
min_capacity = number
max_capacity = optional(number, 5)
})
default = null
}
variable "sku_capacity" {
description = "The capacity of the SKU to use for this Application Gateway - which must be between 1 and 10, optional if autoscale_configuration is set."
type = number
default = 2
validation {
condition = var.sku_capacity > 0 && var.sku_capacity < 11
error_message = "The capacity of the SKU must be between 1 and 10."
}
}
variable "sku" {
description = "The Name of the SKU to use for this Application Gateway. Possible values are Standard_v2 and WAF_v2."
type = string
default = "WAF_v2"
}
variable "zones" {
description = "A collection of availability zones to spread the Application Gateway over. This option is only supported for v2 SKUs."
type = list(number)
default = [1, 2, 3]
}
variable "http2_enabled" {
description = "Whether to enable http2 or not."
type = bool
default = true
}
variable "frontend_private_ip_configuration" {
description = "Configuration of frontend private IP."
type = object({
private_ip_address_allocation = optional(string, "Static")
private_ip_address = optional(string)
})
default = null
}
variable "frontend_ports" {
description = "List of objects with frontend ports. Each one contains the name and the port for the frontend port."
type = list(object({
name = string
port = number
}))
default = []
nullable = false
}
variable "ssl_policy" {
description = "List of objects with SSL configurations. The list of available policies can be found [here](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/application_gateway#disabled_protocols)."
type = object({
disabled_protocols = optional(list(string), [])
policy_type = optional(string, "Predefined")
policy_name = optional(string, "AppGwSslPolicy20170401S")
cipher_suites = optional(list(string), [])
min_protocol_version = optional(string, "TLSv1_2")
})
default = {}
}
variable "ssl_profiles" {
description = "List of objects with SSL profiles. Default profile is used when this variable is set to null."
type = list(object({
name = string
trusted_client_certificate_names = optional(list(string), [])
verify_client_cert_issuer_dn = optional(bool, false)
ssl_policy = optional(object({
disabled_protocols = optional(list(string), [])
policy_type = optional(string, "Predefined")
policy_name = optional(string, "AppGwSslPolicy20170401S")
cipher_suites = optional(list(string), [])
min_protocol_version = optional(string, "TLSv1_2")
}))
}))
default = []
nullable = false
}
variable "firewall_policy_id" {
description = "ID of a Web Application Firewall Policy."
type = string
default = null
}
variable "trusted_root_certificates" {
description = "List of trusted root certificates. `file_path` is checked first, using `data` (base64 cert content) if null. This parameter is required if you are not using a trusted certificate authority (eg. selfsigned certificate)."
type = list(object({
name = string
data = optional(string)
file_path = optional(string)
key_vault_secret_id = optional(string)
}))
default = []
}
variable "backend_address_pools" {
description = "List of objects with backend pool configurations."
type = list(object({
name = string
fqdns = optional(list(string))
ip_addresses = optional(list(string))
}))
}
variable "http_listeners" {
description = "List of objects with HTTP listeners configurations and custom error configurations."
type = list(object({
name = string
frontend_ip_configuration_name = optional(string)
frontend_port_name = optional(string)
host_name = optional(string)
host_names = optional(list(string))
protocol = optional(string, "Https")
require_sni = optional(bool, false)
ssl_certificate_name = optional(string)
ssl_profile_name = optional(string)
firewall_policy_id = optional(string)
custom_error_configurations = optional(list(object({
status_code = string
custom_error_page_url = string
})), [])
}))
}
variable "custom_error_configurations" {
description = "List of objects with global level custom error configurations."
type = list(object({
status_code = string
custom_error_page_url = string
}))
default = []
}
variable "ssl_certificates" {
description = <<EOD
List of objects with SSL certificates configurations.
The path to a base-64 encoded certificate is expected in the 'data' attribute:
```
data = filebase64("./file_path")
```
EOD
type = list(object({
name = string
data = optional(string)
password = optional(string)
key_vault_secret_id = optional(string)
}))
default = []
}
variable "authentication_certificates" {
description = <<EOD
List of objects with authentication certificates configurations.
The path to a base-64 encoded certificate is expected in the 'data' attribute:
```
data = filebase64("./file_path")
```
EOD
type = list(object({
name = string
data = string
}))
default = []
}
variable "trusted_client_certificates" {
description = <<EOD
List of objects with trusted client certificates configurations.
The path to a base-64 encoded certificate is expected in the 'data' attribute:
```
data = filebase64("./file_path")
```
EOD
type = list(object({
name = string
data = string
}))
default = []
}
variable "request_routing_rules" {
description = "List of objects with request routing rules configurations. With AzureRM v3+ provider, `priority` attribute becomes mandatory."
type = list(object({
name = string
rule_type = optional(string, "Basic")
http_listener_name = optional(string)
backend_address_pool_name = optional(string)
backend_http_settings_name = optional(string)
url_path_map_name = optional(string)
redirect_configuration_name = optional(string)
rewrite_rule_set_name = optional(string)
priority = optional(number)
}))
}
variable "probes" {
description = "List of objects with probes configurations."
type = list(object({
name = string
host = optional(string)
port = optional(number, null)
interval = optional(number, 30)
path = optional(string, "/")
protocol = optional(string, "Https")
timeout = optional(number, 30)
unhealthy_threshold = optional(number, 3)
pick_host_name_from_backend_http_settings = optional(bool, false)
minimum_servers = optional(number, 0)
match = optional(object({
body = optional(string, "")
status_code = optional(list(string), ["200-399"])
}), {})
}))
default = []
}
variable "backend_http_settings" {
description = "List of objects including backend http settings configurations."
type = list(object({
name = string
port = optional(number, 443)
protocol = optional(string, "Https")
path = optional(string)
probe_name = optional(string)
cookie_based_affinity = optional(string, "Disabled")
affinity_cookie_name = optional(string, "ApplicationGatewayAffinity")
request_timeout = optional(number, 20)
host_name = optional(string)
pick_host_name_from_backend_address = optional(bool, true)
trusted_root_certificate_names = optional(list(string), [])
authentication_certificate = optional(string)
connection_draining_timeout_sec = optional(number)
}))
}
variable "url_path_maps" {
description = "List of objects with URL path map configurations."
type = list(object({
name = string
default_backend_address_pool_name = optional(string)
default_redirect_configuration_name = optional(string)
default_backend_http_settings_name = optional(string)
default_rewrite_rule_set_name = optional(string)
path_rules = list(object({
name = string
backend_address_pool_name = optional(string)
backend_http_settings_name = optional(string)
rewrite_rule_set_name = optional(string)
redirect_configuration_name = optional(string)
firewall_policy_id = optional(string)
paths = optional(list(string), [])
}))
}))
default = []
}
variable "redirect_configurations" {
description = "List of objects with redirect configurations."
type = list(object({
name = string
redirect_type = optional(string, "Permanent")
target_listener_name = optional(string)
target_url = optional(string)
include_path = optional(bool, true)
include_query_string = optional(bool, true)
}))
default = []
}
variable "rewrite_rule_sets" {
description = "List of rewrite rule set objects with rewrite rules."
type = list(object({
name = string
rewrite_rules = list(object({
name = string
rule_sequence = string
conditions = optional(list(object({
variable = string
pattern = string
ignore_case = optional(bool, false)
negate = optional(bool, false)
})), [])
response_header_configurations = optional(list(object({
header_name = string
header_value = string
})), [])
request_header_configurations = optional(list(object({
header_name = string
header_value = string
})), [])
url_reroute = optional(object({
path = optional(string)
query_string = optional(string)
components = optional(string)
reroute = optional(bool)
}))
}))
}))
default = []
}
variable "force_firewall_policy_association" {
description = "Enable if the Firewall Policy is associated with the Application Gateway."
type = bool
default = false
nullable = false
}
variable "waf_configuration" {
description = <<EOD
WAF configuration object (only available with WAF_v2 SKU) with following attributes:
```
- enabled: Boolean to enable WAF.
- file_upload_limit_mb: The File Upload Limit in MB. Accepted values are in the range 1MB to 500MB.
- firewall_mode: The Web Application Firewall Mode. Possible values are Detection and Prevention.
- max_request_body_size_kb: The Maximum Request Body Size in KB. Accepted values are in the range 1KB to 128KB.
- request_body_check: Is Request Body Inspection enabled ?
- rule_set_type: The Type of the Rule Set used for this Web Application Firewall.
- rule_set_version: The Version of the Rule Set used for this Web Application Firewall. Possible values are 2.2.9, 3.0, and 3.1.
- disabled_rule_group: The rule group where specific rules should be disabled. Accepted values can be found [here](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/application_gateway#rule_group_name).
- exclusion: WAF exclusion rules to exclude header, cookie or GET argument. More informations [here](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/application_gateway#match_variable).
```
EOD
type = object({
enabled = optional(bool, true)
file_upload_limit_mb = optional(number, 100)
firewall_mode = optional(string, "Prevention")
max_request_body_size_kb = optional(number, 128)
request_body_check = optional(bool, true)
rule_set_type = optional(string, "OWASP")
rule_set_version = optional(string, "3.1")
disabled_rule_group = optional(list(object({
rule_group_name = string
rules = optional(list(string))
})), [])
exclusion = optional(list(object({
match_variable = string
selector = optional(string)
selector_match_operator = optional(string)
})), [])
})
default = {}
nullable = false
}
variable "waf_rules_for_dev_portal_enabled" {
description = "Whether to enabled some WAF rules if the APIM developer portal is hosted behind this Application Gateway. See locals.tf for the documentation link."
type = bool
default = true
}