iac-azure-agw

  • Manages an Azure Application Gateway.

What this configuration does

  • Creates an Azure Application Gateway
  • Creates a Let's Encrypt registration
  • Creates Let's Encrypt certificates for the AGW
  • Creates DNS records for the AGW public IP
  • Creates one or more HTTP listeners, frontends and backends for the AGW
  • Only two environments - production and nonprod
    • All non-production environments are served by the nonprod AGW
  • All frontend and backend certs are stored in a dedicated key vault
    • Certs are added to the AGW by their key vault secret id
    • Using the secret id always gives an error about improper format, so the PEM is fetched from the external key vault and added straight to the AGW

Local use

# placeholder value; a literal secret typed on the command line also lands in shell history
export ARM_CLIENT_SECRET="xyz123"

# create file secrets/secrets.env (shell syntax: no spaces around '=', or `source` will fail)
cat <<EOF > ./secrets/secrets.env
ARM_CLIENT_SECRET="${ARM_CLIENT_SECRET}"
EOF

# create file secrets/secrets.tfvars (HCL syntax)
cat <<EOF > ./secrets/secrets.tfvars
azure_client_secret = "${ARM_CLIENT_SECRET}"
EOF

# export every variable defined in the env files, then switch auto-export off again
set -o allexport && \
source variables/local.env && \
source secrets/secrets.env && \
set +o allexport

terraform init

terraform plan -var-file=variables/nonprod.tfvars -var-file=secrets/secrets.tfvars
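The steps above write the two local secrets files by hand. As an added helper (not part of the iac-azure-agw repository), the function below creates the same two files with owner-only permissions and refuses to write them unless secrets/ is listed in .gitignore; it assumes the repo root is passed as its first argument and that ARM_CLIENT_SECRET is already set in the environment.

```shell
#!/bin/sh
# Added helper (not part of the iac-azure-agw repository): creates the two
# local secrets files from the "Local use" steps with owner-only permissions,
# and refuses to write them unless secrets/ is listed in .gitignore.
# Assumes: $1 is the repo root (default "."), ARM_CLIENT_SECRET is already set.
set -eu

# Quote a value for a single-quoted shell assignment (' becomes '\'').
sq_escape() { printf '%s' "$1" | sed "s/'/'\\\\''/g"; }

# Escape backslash and double quote for an HCL string literal.
hcl_escape() { printf '%s' "$1" | sed 's/[\\"]/\\&/g'; }

# True when .gitignore has a whole-line entry for secrets, secrets/ or secrets/*.
secrets_dir_ignored() {
  [ -f "$1/.gitignore" ] && grep -qxE 'secrets(/\*?)?' "$1/.gitignore"
}

write_local_secrets() {
  root=${1:-.}
  secret=${ARM_CLIENT_SECRET:-}
  if [ -z "$secret" ]; then
    echo "ARM_CLIENT_SECRET is not set" >&2
    return 1
  fi
  if ! secrets_dir_ignored "$root"; then
    echo "refusing: $root/.gitignore does not ignore secrets/" >&2
    return 2
  fi
  # Subshell so umask 077 (files 0600, dir 0700) does not leak to the caller.
  (
    umask 077
    mkdir -p "$root/secrets"
    # Shell form for `source secrets/secrets.env`: no spaces around '='.
    printf "ARM_CLIENT_SECRET='%s'\n" "$(sq_escape "$secret")" > "$root/secrets/secrets.env"
    # HCL form for `terraform plan -var-file=secrets/secrets.tfvars`.
    printf 'azure_client_secret = "%s"\n' "$(hcl_escape "$secret")" > "$root/secrets/secrets.tfvars"
  )
}
```

Call it as `write_local_secrets .` from the repo root after exporting the secret; the remaining `source` and `terraform` steps are unchanged.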

TODO

  • Pass the "zones" parameter through to the agw module
  • Add WAF configuration

Requirements

Name       Version
terraform  >= 1.2.0
acme       ~> 2.11.0
azurerm    ~> 3.31
random     ~> 3.4

Providers

Name         Version
acme         2.11.1
azurerm      3.33.0
azurerm.dns  3.33.0
tls          4.0.4

Modules

Name                 Source                       Version
application_gateway  ./modules/agw                n/a
keyvault             ./modules/keyvault           n/a
letsencrypt          ./modules/agw_frontend_cert  n/a

Resources

Name                                                   Type
acme_registration.reg                                  resource
azurerm_dns_a_record.agw                               resource
azurerm_key_vault_access_policy.external               resource
azurerm_resource_group.agw                             resource
tls_private_key.acme_reg                               resource
azurerm_client_config.current                          data source
azurerm_key_vault_secret.trusted_root_certificates     data source
azurerm_subnet.agw_frontend                            data source

Inputs

acme_email_address (string, required)
    Email address used for ACME registration (Let's Encrypt).

agw_configs (any, required)
    Map of AGW configurations.

autoscale_max_capacity (number, default null, optional)
    Autoscaling capacity unit cap for the Application Gateway.

az_sub_id (string, required)
    The Azure subscription ID to manage resources in.

azure_client_id (string, required)
    For the ACME provider.

azure_client_secret (string, required)
    For the ACME provider.

azure_subscription_id (string, required)
    For the ACME provider.

backend_ca_ssl_certificates (any, default {}, optional)
    Map of PEM certs of Certificate Authorities to use when verifying health probe SSL traffic.
    Format: name => key_vault_secret_id
    Example:
      {
        vault_nonp = {
          name                = "vault"
          key_vault_secret_id =
        }
      }

environment (string, required)
    The name of the environment, full name, e.g. production, development.

frontend_ports (map(string), required)
    Map of frontend ports to configure.
    Example:
      frontend_ports = {
        vault = 8200,
        https = 443,
      }

frontend_private_ip_address (string, default null, optional)
    The private IP to use for the AGW frontend.

git_repo (string, required)
    The name of the repository that manages these resources.

keyvault_readers (map(string), required)
    Map of object IDs to grant read access on certificates and secrets to.
    Example:
      { devops = "8f2fccad-59de-4699-8e72-33adea4bcc8b" }

location (string, required)
    Location for resources that require it.

ssl_certificates (any, default {}, optional)
    Map of SSL certs for the frontend, stored in AKV. name => key_vault_secret_id
    The identity assigned to the gateway must have rights to read the secret(s).
    Format: name => key_vault_secret_id
    Example:
      {
        vault_nonp = {
          name                = "vault"
          key_vault_secret_id =
        }
      }

subnet_name (string, required)
    The subnet name for the AGW.

trusted_root_certificates (any, default {}, optional)
    Map of PEM certs of Certificate Authorities to use when verifying health probe SSL traffic.
    Format: name => key_vault_secret_id
    Example:
      {
        vault_nonp = {
          name                = "vault"
          key_vault_secret_id =
        }
      }

vnet_name (string, required)
    The VNET name that contains the subnet.

vnet_rg_name (string, required)
    Resource group name that contains the VNET.

zones (list(string), default null, optional)
    Azure availability zones in which to deploy the Application Gateway.

Outputs

Name                   Description
backend_address_pools  Entire AGW object

Contributors

cultclassik
