[!IMPORTANT] As the overall AVM framework is not GA (generally available) yet - the CI framework and test automation is not fully functional and implemented across all supported languages yet - breaking changes are expected, and additional customer feedback is yet to be gathered and incorporated. Hence, modules MUST NOT be published at version 1.0.0 or higher at this time.

All module MUST be published as a pre-release version (e.g., 0.1.0, 0.1.1, 0.2.0, etc.) until the AVM framework becomes GA.

However, it is important to note that this DOES NOT mean that the modules cannot be consumed and utilized. They CAN be leveraged in all types of environments (dev, test, prod etc.). Consumers can treat them just like any other IaC module and raise issues or feature requests against them as they learn from the usage of the module. Consumers should also read the release notes for each version, if considering updating to a more recent version of a module to see if there are any considerations or breaking changes etc.

Azure Application Gateway Terraform Module

Azure Application Gateway is a load balancer that enables you to manage and optimize the traffic to your web applications. When using Terraform to deploy Azure resources, you can make use of a Terraform module to define and configure the Azure Application Gateway. Here is a summary page about using an Azure Application Gateway Terraform module:

What is Azure Application Gateway?

Azure Application Gateway is a Layer-7 load balancer service provided by Microsoft Azure. It enables you to manage traffic to your web applications by providing features like SSL termination, routing, and session affinity. Using Terraform, you can automate the provisioning and configuration of an Azure Application Gateway.

Terraform Module for Azure Application Gateway

A Terraform module is a reusable and shareable configuration for defining and deploying Azure resources. To create an Azure Application Gateway using Terraform, you can use a pre-built module. This module simplifies the configuration process and allows you to create and manage an Application Gateway efficiently.

The terraform module supports following scenarios.

Supported frontend IP configuration

For current general availability support, Application Gateway V2 supports the following combinations

• Private IP and Public IP
• Public IP only

Supported Scenarios

The Terraform module for Azure Application Gateway is versatile and adaptable, accommodating various deployment scenarios. These scenarios dictate distinct input requirements. Here's an overview of the supported scenarios, each offering a unique configuration:

Each of these scenarios has its own set of input requirements, which can be tailored to meet your specific use case. The module provides the flexibility to deploy Azure Application Gateways for a wide range of applications and security needs.

Simple HTTP Application Gateway This scenario sets up a straightforward HTTP Application Gateway, typically for basic web applications or services.

Multi-site HTTP Application Gateway Multi-site hosting enables you to configure more than one web application on the same port of application gateways using public-facing listeners. It allows you to configure a more efficient topology for your deployments by adding up to 100+ websites to one application gateway. Each website can be directed to its own backend pool. For example, three domains, contoso.com, fabrikam.com, and adatum.com, point to the IP address of the application gateway. You'd create three multi-site listeners and configure each listener for the respective port and protocol setting.

Application Gateway Internal Azure Application Gateway Standard v2 can be configured with an Internet-facing VIP or with an internal endpoint that isn't exposed to the Internet. An internal endpoint uses a private IP address for the frontend, which is also known as an internal load balancer (ILB) endpoint.

Web Application Firewall (WAF) A Web Application Firewall is employed to enhance security by inspecting and filtering traffic. Configuration entails defining custom rules and policies to protect against common web application vulnerabilities.

Application Gateway with Self-Signed SSL (HTTPS) In this scenario, self-signed SSL certificates are utilized to secure traffic to HTTPS. You'll need to configure SSL certificates and redirection rules.

Application Gateway with SSL with Azure Key Vault For enhanced security, SSL certificates are managed using Azure Key Vault. This scenario involves setting up Key Vault and integrating it with the Application Gateway. Detailed configuration for Key Vault and SSL certificates is necessary.

Application Gateway monitors the health probes Azure Application Gateway monitors the health of all the servers in its backend pool and automatically stops sending traffic to any server it considers unhealthy. The probes continue to monitor such an unhealthy server, and the gateway starts routing the traffic to it once again as soon as the probes detect it as healthy.

Before running the script, make sure you have logged in to your Azure subscription using the Azure CLI or Azure PowerShell, so Terraform can authenticate and interact with your Azure account.

Please ensure that you have a clear plan and architecture for your Azure Application Gateway, as the Terraform script should align with your specific requirements and network design.

# TODO: insert resources here.

#----------About Terraform Module  -------------
# Azure Application Gateway Terraform Module
# Azure Application Gateway is a load balancer that enables you to manage and optimize the traffic to your web applications. 
# When using Terraform to deploy Azure resources, you can make use of a Terraform module to define and configure the Azure Application Gateway. 
#----------All Required Provider Section----------- 


#----------Local declarations-----------
locals {
  frontend_ip_configuration_name = "appgw-${var.name}-fepip"
  frontend_ip_private_name       = "appgw-${var.name}-fepvt-ip"
  gateway_ip_configuration_name  = "appgw-${var.name}-gwipc"
}

#----------Frontend Subnet Selection Data block-----------
data "azurerm_subnet" "this" {
  name                 = var.subnet_name_backend
  resource_group_name  = var.resource_group_name
  virtual_network_name = var.vnet_name
}

#----------Public IP for application gateway-----------
resource "azurerm_public_ip" "this" {
  allocation_method   = var.sku.tier == "Standard" ? "Dynamic" : "Static" # Allocation method for the public ip //var.public_ip_allocation_method
  location            = var.location
  name                = var.public_ip_name
  resource_group_name = var.resource_group_name
  sku                 = var.sku.tier == "Standard" ? "Basic" : "Standard" # SKU for the public ip //var.public_ip_sku_tier
  tags                = var.tags
  # WAF : Deploy Application Gateway in a zone-redundant configuration
  zones = var.zones
}

#----------Application Gateway resource creation provider block-----------
resource "azurerm_application_gateway" "this" {
  location = var.location
  #----------Basic configuration for the application gateway-----------
  name                              = var.name
  resource_group_name               = var.resource_group_name
  enable_http2                      = var.http2_enable
  firewall_policy_id                = var.app_gateway_waf_policy_resource_id
  force_firewall_policy_association = true
  #----------Tag configuration for the application gateway-----------
  tags  = var.tags
  zones = var.zones

  #----------Backend Address Pool Configuration for the application gateway -----------
  dynamic "backend_address_pool" {
    for_each = var.backend_address_pools
    content {
      name         = backend_address_pool.value.name
      fqdns        = backend_address_pool.value.fqdns != null ? backend_address_pool.value.fqdns : null
      ip_addresses = backend_address_pool.value.ip_addresses != null ? backend_address_pool.value.ip_addresses : null
    }
  }
  #----------Backend Http Settings Configuration for the application gateway -----------
  dynamic "backend_http_settings" {
    for_each = var.backend_http_settings
    content {
      cookie_based_affinity               = lookup(backend_http_settings.value, "cookie_based_affinity", "Disabled")
      name                                = backend_http_settings.value.name
      port                                = backend_http_settings.value.enable_https ? 443 : 80
      protocol                            = backend_http_settings.value.enable_https ? "Https" : "Http"
      affinity_cookie_name                = lookup(backend_http_settings.value, "affinity_cookie_name", null)
      host_name                           = backend_http_settings.value.pick_host_name_from_backend_address == false ? lookup(backend_http_settings.value, "host_name", null) : null
      path                                = lookup(backend_http_settings.value, "path", "/")
      pick_host_name_from_backend_address = lookup(backend_http_settings.value, "pick_host_name_from_backend_address", false)
      probe_name                          = lookup(backend_http_settings.value, "probe_name", null)
      request_timeout                     = lookup(backend_http_settings.value, "request_timeout", 30)
      trusted_root_certificate_names      = lookup(backend_http_settings.value, "trusted_root_certificate_names", null)

      dynamic "authentication_certificate" {
        for_each = backend_http_settings.value.authentication_certificate[*]
        content {
          name = authentication_certificate.value.name
        }
      }
      dynamic "connection_draining" {
        for_each = backend_http_settings.value.connection_draining[*]
        content {
          drain_timeout_sec = connection_draining.value.drain_timeout_sec
          enabled           = connection_draining.value.enable_connection_draining
        }
      }
    }
  }
  # Public frontend IP configuration
  frontend_ip_configuration {
    name                 = local.frontend_ip_configuration_name
    public_ip_address_id = azurerm_public_ip.this.id
  }
  # Private frontend IP configuration
  dynamic "frontend_ip_configuration" {
    for_each = var.frontend_ip_type != null && var.private_ip_address != null ? [1] : []
    content {
      name                          = local.frontend_ip_private_name
      private_ip_address            = var.private_ip_address != null ? var.private_ip_address : null
      private_ip_address_allocation = var.private_ip_address != null ? "Static" : null
      subnet_id                     = var.private_ip_address != null ? data.azurerm_subnet.this.id : null
    }
  }
  # Private frontend IP Port configuration
  dynamic "frontend_port" {
    for_each = var.frontend_ports
    content {
      name = lookup(frontend_port.value, "name", null)
      port = lookup(frontend_port.value, "port", null)
    }
  }
  #----------Frontend configuration for the application gateway-----------
  gateway_ip_configuration {
    name      = local.gateway_ip_configuration_name
    subnet_id = data.azurerm_subnet.this.id
  }
  #----------Http Listener Configuration for the application gateway -----------
  dynamic "http_listener" {
    for_each = var.http_listeners
    content {
      frontend_ip_configuration_name = var.frontend_ip_type != null && var.private_ip_address != null ? local.frontend_ip_private_name : local.frontend_ip_configuration_name
      frontend_port_name             = lookup(http_listener.value, "frontend_port_name", null)
      name                           = http_listener.value.name
      protocol                       = http_listener.value.ssl_certificate_name == null ? "Http" : "Https"
      firewall_policy_id             = http_listener.value.firewall_policy_id != null ? http_listener.value.firewall_policy_id : null
      host_name                      = http_listener.value.host_name != null ? http_listener.value.host_name : null
      host_names                     = http_listener.value.host_names != null ? http_listener.value.host_names : null
      require_sni                    = http_listener.value.ssl_certificate_name != null ? http_listener.value.require_sni : null
      ssl_certificate_name           = http_listener.value.ssl_certificate_name != null ? http_listener.value.ssl_certificate_name : null
      ssl_profile_name               = http_listener.value.ssl_profile_name != null ? http_listener.value.ssl_profile_name : null

      dynamic "custom_error_configuration" {
        for_each = http_listener.value.custom_error_configuration != null ? lookup(http_listener.value, "custom_error_configuration", {}) : []
        content {
          custom_error_page_url = lookup(custom_error_configuration.value, "custom_error_page_url", null)
          status_code           = lookup(custom_error_configuration.value, "status_code", null)
        }
      }
    }
  }
  #----------Rules Configuration for the application gateway -----------
  dynamic "request_routing_rule" {
    for_each = var.request_routing_rules
    content {
      http_listener_name          = request_routing_rule.value.http_listener_name
      name                        = request_routing_rule.value.name
      rule_type                   = lookup(request_routing_rule.value, "rule_type", "Basic")
      backend_address_pool_name   = request_routing_rule.value.redirect_configuration_name == null ? lookup(request_routing_rule.value, "backend_address_pool_name", null) : null
      backend_http_settings_name  = request_routing_rule.value.redirect_configuration_name == null ? lookup(request_routing_rule.value, "backend_http_settings_name", null) : null
      priority                    = lookup(request_routing_rule.value, "priority", 100)
      redirect_configuration_name = lookup(request_routing_rule.value, "redirect_configuration_name", null)
      rewrite_rule_set_name       = lookup(request_routing_rule.value, "rewrite_rule_set_name", null)
      url_path_map_name           = lookup(request_routing_rule.value, "url_path_map_name", null)
    }
  }
  #----------SKU and configuration for the application gateway-----------
  # WAF : Azure Application Gateways v2 are always deployed in a highly available fashion with multiple instances by default. Enabling autoscale ensures the service is not reliant on manual intervention for scaling.
  sku {
    name     = var.sku.name
    tier     = var.sku.tier
    capacity = var.autoscale_configuration == null ? var.sku.capacity : null
  }
  dynamic "autoscale_configuration" {
    for_each = var.autoscale_configuration != null ? [var.autoscale_configuration] : []
    content {
      min_capacity = lookup(autoscale_configuration.value, "min_capacity", 1)
      max_capacity = lookup(autoscale_configuration.value, "max_capacity", 2)
    }
  }
  dynamic "identity" {
    for_each = length(var.ssl_certificates) > 0 ? [1] : []
    content {
      type         = "UserAssigned"
      identity_ids = var.identity_ids # Directly use the list of identity IDs
    }
  }
  #----------Prod Rules Configuration for the application gateway -----------
  # WAF : Use Health Probes to detect backend availability
  #----------Optionl Configuration  -----------
  dynamic "probe" {
    for_each = var.probe_configurations != null ? var.probe_configurations : {}
    content {
      interval                                  = lookup(probe.value, "interval", 5)
      name                                      = probe.value.name
      path                                      = lookup(probe.value, "path", "/")
      protocol                                  = lookup(probe.value, "protocol", null)
      timeout                                   = lookup(probe.value, "timeout", 30)
      unhealthy_threshold                       = lookup(probe.value, "unhealthy_threshold", 2)
      host                                      = lookup(probe.value, "host", "127.0.0.1")
      minimum_servers                           = lookup(probe.value, "minimum_servers", 0)
      pick_host_name_from_backend_http_settings = lookup(probe.value, "pick_host_name_from_backend_http_settings", false)
      port                                      = lookup(probe.value, "port", 80)
    }
  }
  #----------Redirect Configuration for the application gateway -----------
  #----------Optionl Configuration  -----------
  dynamic "redirect_configuration" {
    for_each = var.redirect_configuration != null ? var.redirect_configuration : {}
    content {
      name                 = lookup(redirect_configuration.value, "name", null)
      redirect_type        = lookup(redirect_configuration.value, "redirect_type", "Permanent")
      include_path         = lookup(redirect_configuration.value, "include_path", true)
      include_query_string = lookup(redirect_configuration.value, "include_query_string", true)
      target_listener_name = contains(keys(redirect_configuration.value), "target_listener_name") ? redirect_configuration.value.target_listener_name : null
      target_url           = contains(keys(redirect_configuration.value), "target_url") ? redirect_configuration.value.target_url : null
    }
  }
  #----------SSL Certificate Configuration for the application gateway -----------
  #----------Optionl Configuration  -----------
  dynamic "ssl_certificate" {
    for_each = var.ssl_certificates
    content {
      name                = ssl_certificate.value.name
      data                = ssl_certificate.value.key_vault_secret_id == null ? ssl_certificate.value.data : null
      key_vault_secret_id = lookup(ssl_certificate.value, "key_vault_secret_id", null)
      password            = ssl_certificate.value.key_vault_secret_id == null ? ssl_certificate.value.password : null
    }
  }
  dynamic "url_path_map" {
    for_each = var.url_path_map_configurations != null ? var.url_path_map_configurations : {}

    content {
      name                                = url_path_map.value.name
      default_backend_address_pool_name   = url_path_map.value.default_backend_address_pool_name
      default_backend_http_settings_name  = url_path_map.value.default_backend_http_settings_name
      default_redirect_configuration_name = url_path_map.value.default_redirect_configuration_name
      default_rewrite_rule_set_name       = url_path_map.value.default_rewrite_rule_set_name

      dynamic "path_rule" {
        for_each = url_path_map.value.path_rules != null ? url_path_map.value.path_rules : {}

        content {
          name                       = path_rule.value.name
          paths                      = path_rule.value.paths
          backend_address_pool_name  = path_rule.value.backend_address_pool_name
          backend_http_settings_name = path_rule.value.backend_http_settings_name
          # WAF Enable Web Application Firewall policies
          firewall_policy_id          = path_rule.value.firewall_policy_id
          redirect_configuration_name = path_rule.value.redirect_configuration_name
          rewrite_rule_set_name       = path_rule.value.rewrite_rule_set_name
        }
      }
    }
  }
  #----------Classic WAF Configuration for the application gateway -----------
  # WAF : Use Application Gateway with Web Application Firewall (WAF) in an application virtual network to safeguard inbound HTTP/S internet traffic. WAF offers centralized defense against potential exploits through OWASP core rule sets-based rules.
  # To Enable Web Application Firewall policies set enable_classic_rule = false and provide the WAF configuration block.
  #----------Optionl Configuration  -----------
  dynamic "waf_configuration" {

    for_each = var.sku.name == "WAF_v2" && var.enable_classic_rule == true != null ? [1] : []

    content {
      enabled          = var.waf_configuration[0].enabled
      firewall_mode    = var.waf_configuration[0].firewall_mode
      rule_set_version = var.waf_configuration[0].rule_set_version
      rule_set_type    = var.waf_configuration[0].rule_set_type
    }
  }

  depends_on = [azurerm_public_ip.this]
}

# Example resource implementation
resource "azurerm_management_lock" "this" {
  count = var.lock != null ? 1 : 0

  lock_level = var.lock.kind
  name       = coalesce(var.lock.name, "lock-${var.lock.kind}")
  scope      = azurerm_application_gateway.this.id
  notes      = var.lock.kind == "CanNotDelete" ? "Cannot delete the resource or its child resources." : "Cannot delete or modify the resource or its child resources."
}


#----------role assignment settings for the application gateway -----------
resource "azurerm_role_assignment" "this" {
  for_each = var.role_assignments

  principal_id                           = each.value.principal_id
  scope                                  = azurerm_application_gateway.this.id
  condition                              = each.value.condition
  condition_version                      = each.value.condition_version
  delegated_managed_identity_resource_id = each.value.delegated_managed_identity_resource_id
  principal_type                         = each.value.principal_type
  role_definition_id                     = strcontains(lower(each.value.role_definition_id_or_name), lower(local.role_definition_resource_substring)) ? each.value.role_definition_id_or_name : null
  role_definition_name                   = strcontains(lower(each.value.role_definition_id_or_name), lower(local.role_definition_resource_substring)) ? null : each.value.role_definition_id_or_name
  skip_service_principal_aad_check       = each.value.skip_service_principal_aad_check
}
#----------Diagnostic logs settings for the application gateway -----------
# WAF : Monitor and Log the configurations and traffic
resource "azurerm_monitor_diagnostic_setting" "this" {
  for_each = var.diagnostic_settings

  name                           = each.value.name != null ? each.value.name : "diag-${var.name}"
  target_resource_id             = azurerm_application_gateway.this.id
  eventhub_authorization_rule_id = each.value.event_hub_authorization_rule_resource_id
  eventhub_name                  = each.value.event_hub_name
  log_analytics_destination_type = each.value.log_analytics_destination_type
  log_analytics_workspace_id     = each.value.workspace_resource_id
  partner_solution_id            = each.value.marketplace_partner_resource_id
  storage_account_id             = each.value.storage_account_resource_id

  dynamic "enabled_log" {
    for_each = each.value.log_categories
    content {
      category = enabled_log.value
    }
  }
  dynamic "enabled_log" {
    for_each = each.value.log_groups
    content {
      category_group = enabled_log.value
    }
  }
  dynamic "metric" {
    for_each = each.value.metric_categories
    content {
      category = metric.value
    }
  }
}

# Other configurations for your environment

Requirements

The following requirements are needed by this module:

• terraform (>= 1.0.0)

• azurerm (>= 3.71.0)

• modtm (~> 0.3)

• random (>= 3.5.0)

Resources

The following resources are used by this module:

• azurerm_application_gateway.this (resource)
• azurerm_management_lock.this (resource)
• azurerm_monitor_diagnostic_setting.this (resource)
• azurerm_public_ip.this (resource)
• azurerm_role_assignment.this (resource)
• modtm_telemetry.telemetry (resource)
• random_uuid.telemetry (resource)
• azurerm_client_config.telemetry (data source)
• azurerm_subnet.this (data source)
• modtm_module_source.telemetry (data source)

Required Inputs

The following input variables are required:

backend_address_pools

Description: List of backend address pools

Type:

map(object({
    name         = string
    fqdns        = optional(list(string))
    ip_addresses = optional(list(string))
  }))

backend_http_settings

Description: List of backend HTTP settings

Type:

map(object({
    name                                = string
    cookie_based_affinity               = string
    path                                = optional(string)
    affinity_cookie_name                = optional(string)
    enable_https                        = bool
    probe_name                          = optional(string)
    request_timeout                     = number
    host_name                           = optional(string)
    pick_host_name_from_backend_address = optional(bool)
    authentication_certificate = optional(object({
      name = string
    }))
    trusted_root_certificate_names = optional(list(string))
    connection_draining = optional(object({
      enable_connection_draining = bool
      drain_timeout_sec          = number
    }))
  }))

frontend_ports

Description: Map of frontend ports

Type:

map(object({
    name = string
    port = number

  }))

http_listeners

Description: List of HTTP listeners

Type:

map(object({
    name               = string
    frontend_port_name = string

    firewall_policy_id   = optional(string)
    require_sni          = optional(bool)
    host_name            = optional(string)
    host_names           = optional(list(string))
    ssl_certificate_name = optional(string)
    ssl_profile_name     = optional(string)
    custom_error_configuration = optional(list(object({
      status_code           = string
      custom_error_page_url = string
    })))
    # Define other attributes as needed
  }))

location

Description: The Azure regional location where the resources will be deployed.

Type: string

name

Description: The name of the application gateway.

Type: string

public_ip_name

Description: The name of the application gateway.

Type: string

request_routing_rules

Description: List of request routing rules

Type:

map(object({
    name                        = string
    rule_type                   = string
    http_listener_name          = string
    backend_address_pool_name   = optional(string)
    priority                    = optional(number)
    url_path_map_name           = optional(string)
    backend_http_settings_name  = optional(string)
    redirect_configuration_name = optional(string)
    rewrite_rule_set_name       = optional(string)
    # Define other attributes as needed
  }))

resource_group_name

Description: The resource group where the resources will be deployed.

Type: string

subnet_name_backend

Description: The backend subnet where the applicaiton gateway resources configuration will be deployed.

Type: string

vnet_name

Description: The VNET where the applicaiton gateway resources will be deployed.

Type: string

Optional Inputs

The following input variables are optional (have default values):

app_gateway_waf_policy_resource_id

Description: The ID of the WAF policy to associate with the Application Gateway.

Type: string

Default: null

autoscale_configuration

Description: V1 SKU this value must be between 1 and 32, and 1 to 125 for a V2 SKU

Type:

object({
    min_capacity = optional(number, 1) # Minimum in the range 0 to 100
    max_capacity = optional(number, 2) # Maximum in the range 2 to 125
  })

Default: null

diagnostic_settings

Description: A map of diagnostic settings to create on the ddos protection plan. The map key is deliberately arbitrary to avoid issues where map keys maybe unknown at plan time.

• name - (Optional) The name of the diagnostic setting. One will be generated if not set, however this will not be unique if you want to create multiple diagnostic setting resources.
• log_categories - (Optional) A set of log categories to send to the log analytics workspace. Defaults to [].
• log_groups - (Optional) A set of log groups to send to the log analytics workspace. Defaults to ["allLogs"].
• metric_categories - (Optional) A set of metric categories to send to the log analytics workspace. Defaults to ["AllMetrics"].
• log_analytics_destination_type - (Optional) The destination type for the diagnostic setting. Possible values are Dedicated and AzureDiagnostics. Defaults to Dedicated.
• workspace_resource_id - (Optional) The resource ID of the log analytics workspace to send logs and metrics to.
• storage_account_resource_id - (Optional) The resource ID of the storage account to send logs and metrics to.
• event_hub_authorization_rule_resource_id - (Optional) The resource ID of the event hub authorization rule to send logs and metrics to.
• event_hub_name - (Optional) The name of the event hub. If none is specified, the default event hub will be selected.
• marketplace_partner_resource_id - (Optional) The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic LogsLogs.

Type:

map(object({
    name                                     = optional(string, null)
    log_categories                           = optional(set(string), [])
    log_groups                               = optional(set(string), ["allLogs"])
    metric_categories                        = optional(set(string), ["AllMetrics"])
    log_analytics_destination_type           = optional(string, "Dedicated")
    workspace_resource_id                    = optional(string, null)
    storage_account_resource_id              = optional(string, null)
    event_hub_authorization_rule_resource_id = optional(string, null)
    event_hub_name                           = optional(string, null)
    marketplace_partner_resource_id          = optional(string, null)
  }))

Default: {}

enable_classic_rule

Description: Enable or disable the classic WAF rule

Type: bool

Default: false

enable_telemetry

Description: This variable controls whether or not telemetry is enabled for the module. For more information see https://aka.ms/avm/telemetry. If it is set to false, then no telemetry will be collected.

Type: bool

Default: true

frontend_ip_type

Description: Type of frontend IP configuration. Possible values: 'public', 'private', 'both'

Type: string

Default: "public"

http2_enable

Description: The Azure application gateway HTTP/2 protocol support

Type: bool

Default: true

identity_ids

Description: Specifies a list with a single user managed identity id to be assigned to the Application Gateway

Type: list(string)

Default: []

lock

Description: Controls the Resource Lock configuration for this resource. The following properties can be specified:

• kind - (Required) The type of lock. Possible values are \"CanNotDelete\" and \"ReadOnly\".
• name - (Optional) The name of the lock. If not specified, a name will be generated based on the kind value. Changing this forces the creation of a new resource.

Type:

object({
    kind = string
    name = optional(string, null)
  })

Default: null

private_ip_address

Description: Private IP Address to assign to the Application Gateway Load Balancer.

Type: string

Default: null

probe_configurations

Description: List of probe configurations.

Type:

map(object({
    name                                      = string
    host                                      = string
    interval                                  = number
    timeout                                   = number
    unhealthy_threshold                       = number
    protocol                                  = string
    port                                      = optional(number)
    path                                      = string
    pick_host_name_from_backend_http_settings = optional(bool)
    minimum_servers                           = optional(number)
    match = optional(object({
      body        = optional(string)
      status_code = optional(list(string))
    }))
  }))

Default: null

redirect_configuration

Description: List of redirection configurations.

Type:

map(object({
    name                 = string
    redirect_type        = string
    target_listener_name = optional(string)
    target_url           = optional(string)
    include_path         = optional(bool)
    include_query_string = optional(bool)

  }))

Default: null

role_assignments

Description: A map of role assignments to create on the . The map key is deliberately arbitrary to avoid issues where map keys maybe unknown at plan time.

• role_definition_id_or_name - The ID or name of the role definition to assign to the principal.
• principal_id - The ID of the principal to assign the role to.
• description - (Optional) The description of the role assignment.
• skip_service_principal_aad_check - (Optional) If set to true, skips the Azure Active Directory check for the service principal in the tenant. Defaults to false.
• condition - (Optional) The condition which will be used to scope the role assignment.
• condition_version - (Optional) The version of the condition syntax. Leave as null if you are not using a condition, if you are then valid values are '2.0'.
• delegated_managed_identity_resource_id - (Optional) The delegated Azure Resource Id which contains a Managed Identity. Changing this forces a new resource to be created. This field is only used in cross-tenant scenario.
• principal_type - (Optional) The type of the principal_id. Possible values are User, Group and ServicePrincipal. It is necessary to explicitly set this attribute when creating role assignments if the principal creating the assignment is constrained by ABAC rules that filters on the PrincipalType attribute.

Note: only set skip_service_principal_aad_check to true if you are assigning a role to a service principal.

Type:

map(object({
    role_definition_id_or_name             = string
    principal_id                           = string
    description                            = optional(string, null)
    skip_service_principal_aad_check       = optional(bool, false)
    condition                              = optional(string, null)
    condition_version                      = optional(string, null)
    delegated_managed_identity_resource_id = optional(string, null)
    principal_type                         = optional(string, null)
  }))

Default: {}

sku

Description: The application gateway sku and tier.

Type:

object({
    name     = string              # Standard_Small, Standard_Medium, Standard_Large, Standard_v2, WAF_Medium, WAF_Large, and WAF_v2
    tier     = string              # Standard, Standard_v2, WAF and WAF_v2
    capacity = optional(number, 2) # V1 SKU this value must be between 1 and 32, and 1 to 125 for a V2 SKU
  })

Default:

{
  "capacity": 2,
  "name": "Standard_v2",
  "tier": "Standard_v2"
}

ssl_certificates

Description: List of SSL certificates data for Application gateway

Type:

list(object({
    name                = string
    data                = optional(string)
    password            = optional(string)
    key_vault_secret_id = optional(string)
  }))

Default: []

tags

Description: A map of tags to apply to the Application Gateway.

Type: map(string)

Default: null

url_path_map_configurations

Description: List of URL path map configurations.

Type:

map(object({
    name                                = string
    default_redirect_configuration_name = optional(string)
    default_rewrite_rule_set_name       = optional(string)
    default_backend_http_settings_name  = optional(string)
    default_backend_address_pool_name   = optional(string)
    path_rules = map(object({
      name                        = string
      paths                       = list(string)
      backend_address_pool_name   = optional(string)
      backend_http_settings_name  = optional(string)
      redirect_configuration_name = optional(string)
      rewrite_rule_set_name       = optional(string)
      firewall_policy_id          = optional(string)
    }))
  }))

Default: null

waf_configuration

Description: Web Application Firewall (WAF) configuration.

Type:

list(object({
    enabled          = bool
    firewall_mode    = string
    rule_set_type    = string
    rule_set_version = string
    # disabled_rule_groups = list(string)
  }))

Default: null

zones

Description: The Azure application gateway zone redundancy

Type: list(string)

Default:

[
  "1",
  "2",
  "3"
]

Outputs

The following outputs are exported:

application_gateway_id

Description: The ID of the Azure Application Gateway.

application_gateway_name

Description: The name of the Azure Application Gateway.

backend_address_pools

Description: Information about the backend address pools configured for the Application Gateway, including their names.

backend_http_settings

Description: Information about the backend HTTP settings for the Application Gateway, including settings like port and protocol.

frontend_port

Description: Information about the frontend ports used by the Application Gateway, including their names and port numbers.

http_listeners

Description: Information about the HTTP listeners configured for the Application Gateway, including their names and settings.

probes

Description: Information about health probes configured for the Application Gateway, including their settings.

public_ip_address

Description: The actual public IP address associated with the Public IP resource.

public_ip_id

Description: The ID of the Azure Public IP address associated with the Application Gateway.

request_routing_rules

Description: Information about request routing rules defined for the Application Gateway, including their names and configurations.

resource_id

Description: Resource ID of Container Group Instance

ssl_certificates

Description: Information about SSL certificates used by the Application Gateway, including their names and other details.

tags

Description: The tags applied to the Application Gateway.

waf_configuration

Description: Information about the Web Application Firewall (WAF) configuration, if applicable.

Modules

No modules.

Data Collection

The software may collect information about you and your use of the software and send it to Microsoft. Microsoft may use this information to provide services and improve our products and services. You may turn off the telemetry as described in the repository. There are also some features in the software that may enable you and Microsoft to collect data from users of your applications. If you use these features, you must comply with applicable law, including providing appropriate notices to users of your applications together with a copy of Microsoft’s privacy statement. Our privacy statement is located at https://go.microsoft.com/fwlink/?LinkID=824704. You can learn more about data collection and use in the help documentation and our privacy statement. Your use of the software operates as your consent to these practices.