Merge pull request #1237 from shanoor/sha/features/redirect-app-gateway
Added redirect configuration for app gateway
Showing
12 changed files
with
411 additions
and
9 deletions.
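--- a/examples/app_gateway/211-agw-with-ssl-redirect/application.tfvars
+++ b/examples/app_gateway/211-agw-with-ssl-redirect/application.tfvars
@@ -0,0 +1,78 @@
+application_gateway_applications = {
+demo_app1_az1_agw1 = {
+name = "demoapp1"
+application_gateway_key = "agw1_az1"
+
+listeners = {
+private_ssl = {
+name = "demoapp1-443-private"
+front_end_ip_configuration_key = "private"
+front_end_port_key = "443"
+host_name = "demoapp1.cafdemo.com"
+request_routing_rule_key = "default"
+keyvault_certificate = {
+certificate_key = "demoapp1.cafdemo.com"
+// To use manual uploaded cert
+# certificate_name = "testkhairi"
+# keyvault_key = "certificates"
+# keyvault_id = "/subscriptions/97958dac-xxxx-xxxx-xxxx-9f436fa73bd4/resourceGroups/jmtv-rg-example-app-gateway-re1/providers/Microsoft.KeyVault/vaults/jmtv-kv-certs"
+}
+}
+public_ssl = {
+name = "demoapp1-4431-public"
+front_end_ip_configuration_key = "public"
+front_end_port_key = "4431"
+host_name = "demoapp1.cafdemo.com"
+request_routing_rule_key = "default"
+keyvault_certificate = {
+certificate_key = "demoapp1.cafdemo.com"
+// To use manual uploaded cert
+# certificate_name = "testkhairi"
+# keyvault_id = "/subscriptions/97958dac-xxxx-xxxx-xxxx-9f436fa73bd4/resourceGroups/jmtv-rg-example-app-gateway-re1/providers/Microsoft.KeyVault/vaults/jmtv-kv-certs"
+}
+}
+}
+
+request_routing_rules = {
+default = {
+rule_type = "Basic"
+}
+}
+
+backend_http_setting = {
+port = 443
+protocol = "Https"
+pick_host_name_from_backend_address = true
+}
+
+backend_pool = {
+fqdns = [
+"cafdemo.appserviceenvironment.net"
+]
+}
+
+}
+
+redirect-https = {
+name = "redirect-https"
+type = "redirect"
+application_gateway_key = "agw1_az1"
+
+listeners = {
+private = {
+name = "demoapp1-80-private"
+front_end_ip_configuration_key = "private"
+front_end_port_key = "80"
+host_name = "demoapp1.cafdemo.com"
+request_routing_rule_key = "default"
+}
+}
+
+request_routing_rules = {
+default = {
+rule_type = "Basic"
+redirect_configuration_name = "redirect-https"
+}
+}
+}
+}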
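Review bot: The commented-out `keyvault_id` examples in both `keyvault_certificate` blocks carry part of a subscription GUID together with what look like a contributor's own resource group, vault and certificate names (`jmtv-kv-certs`, `testkhairi`); an example file is better served by neutral placeholders such as `# keyvault_id = "/subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.KeyVault/vaults/<vault_name>"`. The `public_ssl` block also omits the `# keyvault_key` hint that `private_ssl` shows, and the `//` comment marker differs from the `#` used everywhere else in the file. On the `redirect-https` application a one-line comment would help, for example `# redirect_configuration_name must match the name of an entry under redirect_configurations in application_gateways.tfvars`. Only the private front end gets a port-80 listener, so if HTTP on the public front end is meant to be redirected as well, that is worth stating in a comment.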
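--- a/examples/app_gateway/211-agw-with-ssl-redirect/application_gateways.tfvars
+++ b/examples/app_gateway/211-agw-with-ssl-redirect/application_gateways.tfvars
@@ -0,0 +1,69 @@
+application_gateways = {
+agw1_az1 = {
+resource_group_key = "rg_region1"
+name = "app_gateway_example"
+vnet_key = "vnet_region1"
+subnet_key = "app_gateway_private"
+sku_name = "WAF_v2"
+sku_tier = "WAF_v2"
+capacity = {
+autoscale = {
+minimum_scale_unit = 0
+maximum_scale_unit = 10
+}
+}
+zones = ["1"]
+enable_http2 = true
+
+identity = {
+managed_identity_keys = [
+"apgw_keyvault_secrets"
+]
+}
+
+front_end_ip_configurations = {
+public = {
+name = "public"
+public_ip_key = "example_agw_pip1_rg1"
+subnet_key = "app_gateway_public"
+}
+private = {
+name = "private"
+vnet_key = "vnet_region1"
+subnet_key = "app_gateway_private"
+subnet_cidr_index = 0 # It is possible to have more than one cidr block per subnet
+private_ip_offset = 4 # e.g. cidrhost(10.10.0.0/25,4) = 10.10.0.4 => AGW private IP address
+private_ip_address_allocation = "Static"
+}
+}
+
+front_end_ports = {
+80 = {
+name = "http-80"
+port = 80
+protocol = "Http"
+}
+443 = {
+name = "https-443"
+port = 443
+protocol = "Https"
+}
+4431 = {
+name = "https-4431"
+port = 4431
+protocol = "Https"
+}
+}
+
+redirect_configurations = {
+redirect-https = {
+name = "redirect-https"
+redirect_type = "Permanent"
+target_listener_name = "demoapp1-443-private"
+# target_url = ""
+include_path = true
+include_query_string = false
+}
+}
+}
+}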
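Review bot: `sku_name` and `sku_tier` select `WAF_v2`, but nothing in this file sets a WAF mode or policy or a minimum TLS policy, so whether the firewall actually blocks anything and which protocol versions the HTTPS listeners accept depends on module defaults that are not visible here. If the module exposes such settings, the example should state them explicitly; otherwise a comment saying the example leaves WAF and TLS at their defaults would prevent a false sense of protection. In `redirect_configurations`, `include_query_string = false` makes the permanent redirect drop query parameters, which silently breaks deep links arriving over HTTP; `include_query_string = true` is the safer example value unless dropping them is intended. `target_listener_name = "demoapp1-443-private"` is a free-text reference to a listener name defined in application.tfvars, and a comment noting that coupling would help whoever renames the listener.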
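--- a/examples/app_gateway/211-agw-with-ssl-redirect/certificates.tfvars
+++ b/examples/app_gateway/211-agw-with-ssl-redirect/certificates.tfvars
@@ -0,0 +1,85 @@
+keyvault_certificates = {
+"demoapp1.cafdemo.com" = {
+
+keyvault_key = "certificates"
+
+# may only contain alphanumeric characters and dashes
+name = "demoapp1-cafdemo-com"
+
+subject = "CN=demoapp1"
+validity_in_months = 12
+
+subject_alternative_names = {
+# A list of alternative DNS names (FQDNs) identified by the Certificate.
+# Changing this forces a new resource to be created.
+dns_names = [
+"demoapp1.cafdemo.com"
+]
+
+# A list of email addresses identified by this Certificate.
+# Changing this forces a new resource to be created.
+# emails = []
+
+# A list of User Principal Names identified by the Certificate.
+# Changing this forces a new resource to be created.
+# upns = []
+}
+
+tags = {
+type = "SelfSigned"
+}
+
+# Possible values include Self (for self-signed certificate),
+# or Unknown (for a certificate issuing authority like Let's Encrypt
+# and Azure direct supported ones).
+# Changing this forces a new resource to be created
+issuer_parameters = "Self"
+
+exportable = true
+
+# Possible values include 2048 and 4096.
+# Changing this forces a new resource to be created.
+key_size = 4096
+key_type = "RSA"
+reuse_key = true
+
+# The Type of action to be performed when the lifetime trigger is triggered.
+# Possible values include AutoRenew and EmailContacts.
+# Changing this forces a new resource to be created.
+action_type = "AutoRenew"
+
+# The number of days before the Certificate expires that the action
+# associated with this Trigger should run.
+# Changing this forces a new resource to be created.
+# Conflicts with lifetime_percentage
+days_before_expiry = 30
+
+
+# The percentage at which during the Certificates Lifetime the action
+# associated with this Trigger should run.
+# Changing this forces a new resource to be created.
+# Conflicts with days_before_expiry
+# lifetime_percentage = 90
+
+# The Content-Type of the Certificate, such as application/x-pkcs12 for a PFX
+# or application/x-pem-file for a PEM.
+# Changing this forces a new resource to be created.
+content_type = "application/x-pkcs12"
+
+# A list of uses associated with this Key.
+# Possible values include
+# cRLSign, dataEncipherment, decipherOnly,
+# digitalSignature, encipherOnly, keyAgreement, keyCertSign,
+# keyEncipherment and nonRepudiation
+# and are case-sensitive.
+# Changing this forces a new resource to be created
+key_usage = [
+"cRLSign",
+"dataEncipherment",
+"digitalSignature",
+"keyAgreement",
+"keyCertSign",
+"keyEncipherment",
+]
+}
+}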
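Review bot: `key_usage` grants `keyCertSign` and `cRLSign` to a certificate that the listeners use as the TLS server certificate for `demoapp1.cafdemo.com`; those are certificate-authority usages, and a server leaf certificate normally needs only `key_usage = ["digitalSignature", "keyEncipherment"]`. `reuse_key = true` combined with `action_type = "AutoRenew"` means every renewal keeps the same private key, so renewal never rotates key material; `reuse_key = false` is the safer example default. `subject = "CN=demoapp1"` does not match the host name listed in `dns_names`, which works for clients that read the SAN but is worth aligning. Since `issuer_parameters = "Self"` produces a self-signed certificate, a comment such as `# self-signed, for demonstration only; use a CA-issued certificate outside of tests` would keep the example from being copied as-is.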
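--- a/examples/app_gateway/211-agw-with-ssl-redirect/configuration.tfvars
+++ b/examples/app_gateway/211-agw-with-ssl-redirect/configuration.tfvars
@@ -0,0 +1,17 @@
+
+global_settings = {
+default_region = "region1"
+regions = {
+region1 = "australiaeast"
+}
+}
+
+resource_groups = {
+rg_region1 = {
+name = "example-app-gateway-re1"
+}
+}
+
+
+
+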
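--- a/examples/app_gateway/211-agw-with-ssl-redirect/keyvaults.tfvars
+++ b/examples/app_gateway/211-agw-with-ssl-redirect/keyvaults.tfvars
@@ -0,0 +1,26 @@
+keyvaults = {
+certificates = {
+name = "certs"
+resource_group_key = "rg_region1"
+sku_name = "standard"
+
+enabled_for_deployment = true
+
+creation_policies = {
+logged_in_user = {
+certificate_permissions = ["Get", "List", "Update", "Create", "Import", "Delete", "Purge", "Recover"]
+secret_permissions = ["Set", "Get", "List", "Delete", "Purge", "Recover"]
+}
+}
+}
+}
+
+keyvault_access_policies = {
+certificates = {
+apgw_keyvault_secrets = {
+managed_identity_key = "apgw_keyvault_secrets"
+certificate_permissions = ["Get"]
+secret_permissions = ["Get"]
+}
+}
+}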
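Review bot: `enabled_for_deployment = true` permits Azure virtual machines to retrieve certificates stored as secrets from this vault, which nothing in this example appears to need, because the gateway reads its certificate through the `apgw_keyvault_secrets` managed identity that is granted `Get` only; `enabled_for_deployment = false`, or dropping the line, keeps the vault tighter. The `logged_in_user` creation policy includes `Purge` for both certificates and secrets, which is convenient for tearing an example down but deserves a comment such as `# Purge is for example clean-up only; omit it in production`. No purge-protection setting is visible in this file, so whether a purged certificate can be recovered depends on module defaults. The access policy for the gateway identity itself is already least-privilege and is a good pattern to call out in a comment.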
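--- a/examples/app_gateway/211-agw-with-ssl-redirect/managed_identities.tfvars
+++ b/examples/app_gateway/211-agw-with-ssl-redirect/managed_identities.tfvars
@@ -0,0 +1,6 @@
+managed_identities = {
+apgw_keyvault_secrets = {
+name = "agw-secrets-msi"
+resource_group_key = "rg_region1"
+}
+}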
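--- a/examples/app_gateway/211-agw-with-ssl-redirect/nsg_definition.tfvars
+++ b/examples/app_gateway/211-agw-with-ssl-redirect/nsg_definition.tfvars
@@ -0,0 +1,65 @@
+#
+# Definition of the networking security groups
+#
+network_security_group_definition = {
+# This entry is applied to all subnets with no NSG defined
+empty_nsg = {
+nsg = []
+}
+
+application_gateway = {
+
+nsg = [
+{
+name = "Inbound-HTTP",
+priority = "120"
+direction = "Inbound"
+access = "Allow"
+protocol = "*"
+source_port_range = "*"
+destination_port_range = "80-82"
+source_address_prefix = "*"
+destination_address_prefix = "*"
+},
+{
+name = "Inbound-HTTPs",
+priority = "130"
+direction = "Inbound"
+access = "Allow"
+protocol = "*"
+source_port_range = "*"
+destination_port_range = "443"
+source_address_prefix = "*"
+destination_address_prefix = "*"
+},
+{
+name = "Inbound-AGW",
+priority = "140"
+direction = "Inbound"
+access = "Allow"
+protocol = "*"
+source_port_range = "*"
+destination_port_range = "65200-65535"
+source_address_prefix = "*"
+destination_address_prefix = "*"
+},
+]
+}
+
+application_gateway_public_ingress = {
+
+nsg = [
+{
+name = "Inbound-HTTPs",
+priority = "130"
+direction = "Inbound"
+access = "Allow"
+protocol = "*"
+source_port_range = "*"
+destination_port_range = "443"
+source_address_prefix = "*"
+destination_address_prefix = "*"
+},
+]
+}
+}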
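Review bot: The `Inbound-AGW` rule opens 65200-65535 with `source_address_prefix = "*"` and `protocol = "*"`; these are the Application Gateway v2 infrastructure ports, and the rule can be narrowed to `source_address_prefix = "GatewayManager"` and `protocol = "Tcp"`. `Inbound-HTTP` allows `80-82` although the gateway in this commit listens only on port 80, so `destination_port_range = "80"` is enough, and the HTTP and HTTPS rules would likewise be tighter with `protocol = "Tcp"`. `application_gateway_public_ingress` allows only 443 and has no 65200-65535 rule, while application.tfvars places the public listener on port 4431. Which subnet that NSG is attached to is not visible here, but if it is the public gateway subnet the public listener would be unreachable and the gateway's management traffic blocked, so a comment stating the intended attachment would help.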
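--- a/examples/app_gateway/211-agw-with-ssl-redirect/public_ip_addresses.tfvars
+++ b/examples/app_gateway/211-agw-with-ssl-redirect/public_ip_addresses.tfvars
@@ -0,0 +1,12 @@
+public_ip_addresses = {
+example_agw_pip1_rg1 = {
+name = "example_agw_pip1"
+resource_group_key = "rg_region1"
+sku = "Standard"
+allocation_method = "Static"
+ip_version = "IPv4"
+zones = ["1"]
+idle_timeout_in_minutes = "4"
+
+}
+}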