DFE-Digital/rsd-azure-waf

rsd-azure-front-door-waf

Azure WAF for RSD

Configuring the storage backend

The Terraform state is stored remotely in Azure. This allows multiple team members to make changes and means the state file is backed up. Because the state file contains sensitive information (resource IDs, connection strings, any secrets held in attributes), access to it should be restricted and it should be stored encrypted at rest.

Create a new storage backend

This step only needs to be done once per environment. If it has already been created, obtain the storage backend attributes and skip to the next step.

The Azure tutorial outlines the steps to create a storage account and container for the state file. You will need:

  • subscription_id: The ID of the Azure subscription the resource group belongs to.
  • resource_group_name: The name of the resource group used for the Azure Storage account.
  • storage_account_name: The name of the Azure Storage account.
  • container_name: The name of the blob container.
  • key: The name of the state store file to be created.

Create a backend configuration file

Create a new file named backend.vars with the following content:

subscription_id      = [the ID of the Azure subscription]
resource_group_name  = [the name of the Azure resource group]
storage_account_name = [the name of the Azure Storage account]
container_name       = [the name of the blob container]
key                  = "terraform.tstate"
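The values in backend.vars are consumed by a partial backend configuration: the `backend "azurerm"` block in the Terraform code is left without any of the attributes that identify the state store, and those are passed at init time with `terraform init -backend-config=backend.vars`. The block below is an added illustration of that pattern, not code from this repository; the `use_azuread_auth` setting is an assumed hardening choice (it makes Terraform authenticate to the storage account with the caller's Entra ID identity rather than a shared storage account key, so the caller needs a data-plane role such as Storage Blob Data Contributor on the container).

```hcl
# Added example, not the repository's own code.
# Everything that identifies the state store (subscription, resource group,
# storage account, container, key) is deliberately absent here and supplied
# per environment from backend.vars:
#   terraform init -backend-config=backend.vars
terraform {
  required_version = ">= 1.6.1"

  backend "azurerm" {
    # Assumed setting: use the caller's Entra ID identity for blob access
    # instead of a storage account key, so no shared key has to be handed out.
    use_azuread_auth = true
  }
}
```

Keeping the identifying values out of version control means the same code can be initialised against a separate, access-restricted state container for each environment.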

Azure resources

Requirements

Name Version
terraform >= 1.6.1
azurerm >= 3.51.0
null 3.2.2

Providers

Name Version
azurerm 3.103.1
null 3.2.2

Modules

Name Source Version
waf github.com/DFE-Digital/terraform-azurerm-front-door-app-gateway-waf v1.0.0

Resources

Name Type
azurerm_storage_account.tfvars resource
azurerm_storage_account_network_rules.tfvars resource
azurerm_storage_blob.dfe_403 resource
azurerm_storage_blob.dfe_502 resource
azurerm_storage_blob.govuk_403 resource
azurerm_storage_blob.govuk_502 resource
azurerm_storage_blob.tfvars resource
azurerm_storage_blob.waftfvars resource
azurerm_storage_container.tfvars resource
null_resource.tfvars resource
null_resource.waftfvars resource
azurerm_container_app.container_apps data source
azurerm_linux_web_app.web_apps data source
azurerm_resource_group.container_apps data source
azurerm_windows_web_app.web_apps data source

Inputs

Name Description Type Default Required
app_gateway_v2_waf_managed_rulesets Map of all Managed rules you want to apply to the App Gateway WAF, including any overrides
map(object({
version : string,
overrides : optional(map(object({
rules : map(object({
enabled : bool,
action : optional(string, "Block")
}))
})), {})
}))
{
"Microsoft_BotManagerRuleSet": {
"version": "1.0"
},
"OWASP": {
"version": "3.2"
}
}
no
app_gateway_v2_waf_managed_rulesets_exclusions Map of all exclusions and the associated Managed rules to apply to the App Gateway WAF
map(object({
match_variable : string,
selector : string,
selector_match_operator : string,
excluded_rule_set : map(object({
version : string,
rule_group_name : string,
excluded_rules : list(string)
}))
}))
{} no
azure_location Azure location in which to launch resources. string n/a yes
cdn_add_response_headers List of response headers to add at the CDN Front Door for all endpoints [{ "Name" = "Strict-Transport-Security", "value" = "max-age=31536000" }] list(map(string)) [] no
cdn_remove_response_headers List of response headers to remove at the CDN Front Door for all endpoints list(string) [] no
container_app_targets A map of Container Apps to configure as Front Door or App Gateway V2 targets
map(object({
resource_group : string,
create_custom_domain : optional(bool, false),
enable_health_probe : optional(bool, true),
health_probe_interval : optional(number, 60),
health_probe_request_type : optional(string, "HEAD"),
health_probe_path : optional(string, "/"),
cdn_add_response_headers : optional(list(object({
name : string,
value : string
})
), []),
cdn_add_request_headers : optional(list(object({
name : string,
value : string
})
), []),
cdn_remove_response_headers : optional(list(string), []),
cdn_remove_request_headers : optional(list(string), []),
custom_errors : optional(object({
error_page_directory : string,
error_pages : map(string)
}), null)
}))
{} no
enable_waf Enable WAF bool false no
environment Environment name. Will be used along with project_name as a prefix for all resources. string n/a yes
existing_logic_app_workflow Name, and Resource Group of an existing Logic App Workflow
object({
name : string
resource_group_name : string
})
{
"name": "",
"resource_group_name": ""
}
no
key_vault_app_gateway_certificates_access_ipv4 List of IPv4 Addresses that are permitted to access the App Gateway Certificates Key Vault list(string) n/a yes
key_vault_app_gateway_certificates_access_subnet_ids List of Azure Subnet IDs that are permitted to access the App Gateway Certificates Key Vault list(string) [] no
key_vault_app_gateway_certificates_access_users List of users that require access to the App Gateway Certificates Key Vault. This should be a list of User Principal Names (found in Active Directory) that need to run terraform list(string) n/a yes
monitor_email_receivers A list of email addresses that should be notified by monitoring alerts list(string) [] no
project_name Project name. Will be used along with environment as a prefix for all resources. string n/a yes
response_request_timeout Azure CDN Front Door response or App Gateway V2 request timeout in seconds number n/a yes
restrict_app_gateway_v2_to_front_door_inbound_only Restricts access to the App Gateway V2 by creating a network security group that only allows 'AzureFrontDoor.Backend' inbound, and attaches it to the subnet of the application gateway. bool false no
tags Tags to be applied to all resources map(string) n/a yes
tfvars_access_ipv4 List of IPv4 Addresses that are permitted to access the tfvars Storage Account list(string) [] no
tfvars_filename Name of the TF Vars file string "terraform.tfvars" no
waf_application Which product to apply the WAF to. Must be either CDN or AppGatewayV2 string n/a yes
waf_custom_rules Map of all Custom rules you want to apply to the WAF
map(object({
priority : number,
action : string
match_conditions : map(object({
match_variable : string,
match_values : optional(list(string), []),
operator : optional(string, "Any"),
selector : optional(string, ""),
negation_condition : optional(bool, false),
}))
}))
{} no
waf_mode WAF mode string n/a yes
waf_tfvars_filename Name of the TF Vars file that contains the WAF rules string "waf.tfvars" no
web_app_service_targets A map of Web App Services to configure as Front Door or App Gateway V2 targets
map(object({
resource_group : string,
os : string
create_custom_domain : optional(bool, false),
enable_health_probe : optional(bool, true)
health_probe_interval : optional(number, 60),
health_probe_request_type : optional(string, "HEAD"),
health_probe_path : optional(string, "/"),
cdn_add_response_headers : optional(list(object({
name : string,
value : string
})
), []),
cdn_add_request_headers : optional(list(object({
name : string,
value : string
})
), []),
cdn_remove_response_headers : optional(list(string), []),
cdn_remove_request_headers : optional(list(string), [])
}))
{} no
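The input types above are easiest to read against a concrete values file. The following is an added example assembled from those type definitions; it is not a tfvars file shipped with this repository. Project, environment, IP, hostname and cookie values are constructed placeholders, and the ruleset identifiers, match variables and operators (OWASP CRS rule group and rule IDs, `RequestCookieNames`, `Equals`, `RequestMethod`, `Equal`, `Log`/`Block`) are assumed to be what the upstream WAF module accepts for App Gateway V2; check them against that module before use. Both files are shown in one block for brevity: the first part is the file named by `tfvars_filename`, the second the WAF rules file named by `waf_tfvars_filename`.

```hcl
# --- terraform.tfvars (file named by tfvars_filename) ---
# Added example with constructed placeholder values.
project_name   = "rsd"
environment    = "example"
azure_location = "westeurope"
tags = {
  "Product"     = "RSD"
  "Environment" = "example"
}

waf_application          = "AppGatewayV2"
enable_waf               = true
waf_mode                 = "Prevention"
response_request_timeout = 60

# Only Front Door's backend address space may reach the App Gateway.
restrict_app_gateway_v2_to_front_door_inbound_only = true

# Certificate Key Vault and tfvars storage: limit to the CI egress address
# and the engineers who run terraform (placeholder values).
key_vault_app_gateway_certificates_access_ipv4  = ["203.0.113.10/32"]
key_vault_app_gateway_certificates_access_users = ["engineer@example.gov.uk"]
tfvars_access_ipv4                              = ["203.0.113.10/32"]

web_app_service_targets = {
  "rsd-example-web" = {
    resource_group            = "rsd-example-rg"
    os                        = "Linux" # assumed value; module has Linux and Windows data sources
    enable_health_probe       = true
    health_probe_path         = "/healthcheck"
    health_probe_request_type = "GET"
    cdn_add_response_headers = [
      { name = "Strict-Transport-Security", value = "max-age=31536000; includeSubDomains" },
      { name = "X-Content-Type-Options", value = "nosniff" }
    ]
    # Strip server fingerprints from responses.
    cdn_remove_response_headers = ["Server", "X-Powered-By"]
  }
}

# --- waf.tfvars (file named by waf_tfvars_filename) ---
app_gateway_v2_waf_managed_rulesets = {
  "Microsoft_BotManagerRuleSet" = {
    version = "1.0"
  }
  "OWASP" = {
    version = "3.2"
    overrides = {
      # Assumed CRS identifiers. Downgrade one noisy rule to Log rather than
      # disabling it, so matches stay visible in the WAF logs.
      "REQUEST-942-APPLICATION-ATTACK-SQLI" = {
        rules = {
          "942430" = { enabled = true, action = "Log" }
        }
      }
    }
  }
}

# Narrow exclusion: one named cookie, one rule, instead of a whole rule group.
app_gateway_v2_waf_managed_rulesets_exclusions = {
  "session-cookie" = {
    match_variable          = "RequestCookieNames"
    selector                = "_rsd_session"
    selector_match_operator = "Equals"
    excluded_rule_set = {
      "OWASP" = {
        version         = "3.2"
        rule_group_name = "REQUEST-942-APPLICATION-ATTACK-SQLI"
        excluded_rules  = ["942440"]
      }
    }
  }
}

# Custom rule: block any HTTP method outside the allow-list.
waf_custom_rules = {
  "block-unwanted-methods" = {
    priority = 10
    action   = "Block"
    match_conditions = {
      "method-not-allowlisted" = {
        match_variable     = "RequestMethod"
        operator           = "Equal"
        match_values       = ["GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS"]
        negation_condition = true
      }
    }
  }
}
```

The two design points worth carrying over: overrides set a rule's action to Log instead of turning it off, so the WAF logs still record what would have been blocked, and exclusions are scoped to a single selector and rule ID rather than a whole rule group, which keeps the false-positive fix from opening a wider hole.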

Outputs

No outputs.
