- Manages an Azure Application Gateway (AGW).
- Creates an Azure Application Gateway
- Creates a Let's Encrypt (ACME) registration
- Creates Let's Encrypt certificates for the AGW
- Creates DNS records for the AGW public IP
- Creates one or more HTTP listeners, frontends and backends for the AGW
- Only two environments: production and nonprod
- All non-production environments are served by the nonprod AGW
- All frontend and backend certs are stored in a dedicated key vault
Certificates are meant to be attached to the AGW by their Key Vault secret ID, but using the secret ID always fails with an error about improper format. Instead, the PEM is fetched from the external key vault and added straight to the AGW.
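As an added illustration of the workaround described above (this is not the module's own code), the pattern for a backend CA certificate: read the secret from the external key vault with the `azurerm_key_vault_secret` data source and hand its contents to the gateway's `trusted_root_certificate` block as `data` instead of `key_vault_secret_id`. The vault name and resource group, the secret name, the backend host name and the trimmed-down gateway arguments are all assumptions.

```hcl
# Added example, not the module's code. Vault, secret and host names are assumptions.
data "azurerm_key_vault" "external" {
  name                = "kv-external-certs"
  resource_group_name = "rg-external-certs"
}

# The CA certificate is stored as a PEM-encoded secret in the external vault
# (the module's inputs describe these as "PEM certs of Certificate Authorities").
data "azurerm_key_vault_secret" "backend_ca" {
  name         = "vault-nonp-ca"
  key_vault_id = data.azurerm_key_vault.external.id
}

resource "azurerm_application_gateway" "agw" {
  # name, resource_group_name, location, sku, gateway_ip_configuration,
  # frontend_ip_configuration, frontend_port, backend_address_pool,
  # http_listener and request_routing_rule are required but omitted here;
  # only the certificate handling is shown.

  # The certificate body is passed directly. `data` expects base64, and the
  # secret holds PEM text, so it is encoded once here. Referencing the same
  # secret via key_vault_secret_id is what produces the "improper format" error.
  trusted_root_certificate {
    name = "vault_nonp"
    data = base64encode(data.azurerm_key_vault_secret.backend_ca.value)
  }

  # Health probes and backend traffic to the Vault pool are verified against
  # that CA; host_name must match a SAN on the backend's certificate.
  backend_http_settings {
    name                           = "vault-https"
    protocol                       = "Https"
    port                           = 8200
    cookie_based_affinity          = "Disabled"
    host_name                      = "vault.nonprod.example.internal"
    trusted_root_certificate_names = ["vault_nonp"]
  }
}
```

Because the certificate body now travels through Terraform rather than being pulled by the gateway's identity at runtime, it ends up in the state file; keep the state backend access-controlled and encrypted, and the principal running Terraform needs `Get` on secrets in the external vault (the `azurerm_key_vault_access_policy.external` resource in the table below is where the module grants that).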
```shell
export ARM_CLIENT_SECRET="xyz123"

# Anything written under secrets/ holds credentials: make it owner-only
# and keep the directory out of version control.
umask 077
mkdir -p secrets

# create file secrets/secrets.env (sourced into the shell for the azurerm provider)
cat <<EOF > ./secrets/secrets.env
ARM_CLIENT_SECRET="${ARM_CLIENT_SECRET}"
EOF

# create file secrets/secrets.tfvars (passed with -var-file for the ACME provider)
cat <<EOF > ./secrets/secrets.tfvars
azure_client_secret = "${ARM_CLIENT_SECRET}"
EOF

# Export every variable defined in the env files so the providers can read them
set -o allexport
source variables/local.env
source secrets/secrets.env
set +o allexport

terraform init
terraform plan -var-file=variables/nonprod.tfvars -var-file=secrets/secrets.tfvars
```
- Populate the "zones" parameter passed to the agw module
- Add WAF configuration
Name | Version |
---|---|
terraform | >= 1.2.0 |
acme | ~> 2.11.0 |
azurerm | ~> 3.31 |
random | ~> 3.4 |
Name | Version |
---|---|
acme | 2.11.1 |
azurerm | 3.33.0 |
azurerm.dns | 3.33.0 |
tls | 4.0.4 |
Name | Source | Version |
---|---|---|
application_gateway | ./modules/agw | n/a |
keyvault | ./modules/keyvault | n/a |
letsencrypt | ./modules/agw_frontend_cert | n/a |
Name | Type |
---|---|
acme_registration.reg | resource |
azurerm_dns_a_record.agw | resource |
azurerm_key_vault_access_policy.external | resource |
azurerm_resource_group.agw | resource |
tls_private_key.acme_reg | resource |
azurerm_client_config.current | data source |
azurerm_key_vault_secret.trusted_root_certificates | data source |
azurerm_subnet.agw_frontend | data source |
Name | Description | Type | Default | Required |
---|---|---|---|---|
acme_email_address | Email address used for ACME registration (Let's Encrypt) | string | n/a | yes |
agw_configs | Map of AGW configurations | any | n/a | yes |
autoscale_max_capacity | (Optional) Autoscaling capacity unit cap for Application Gateway | number | null | no |
az_sub_id | The Azure subscription ID to manage resources in | string | n/a | yes |
azure_client_id | For the ACME provider | string | n/a | yes |
azure_client_secret | For the ACME provider | string | n/a | yes |
azure_subscription_id | For the ACME provider | string | n/a | yes |
backend_ca_ssl_certificates | (Optional) Map of PEM certs of Certificate Authorities to use when verifying health probe SSL traffic. Format: name => key_vault_secret_id. Ex: { vault_nonp = { name = "vault" key_vault_secret_id = } } | any | {} | no |
environment | The name of the environment, FULL name, i.e. production, development etc. | string | n/a | yes |
frontend_ports | Map of frontend ports to configure. Ex: frontend_ports = { vault = 8200, https = 443, } | map(string) | n/a | yes |
frontend_private_ip_address | (Optional) The private IP to use for the AGW frontend | string | null | no |
git_repo | The name of the repository that manages these resources. | string | n/a | yes |
keyvault_readers | Map of object IDs to grant read access on certificates and secrets for. Ex: { devops = "8f2fccad-59de-4699-8e72-33adea4bcc8b" } | map(string) | n/a | yes |
location | Location for resources that require it | string | n/a | yes |
ssl_certificates | (Optional) Map of SSL certs for the frontend, stored in AKV. The identity assigned to the gateway must have rights to read the secret(s). Format: name => key_vault_secret_id. Ex: { vault_nonp = { name = "vault" key_vault_secret_id = } } | any | {} | no |
subnet_name | The subnet name for the AGW | string | n/a | yes |
trusted_root_certificates | (Optional) Map of PEM certs of Certificate Authorities to use when verifying health probe SSL traffic. Format: name => key_vault_secret_id. Ex: { vault_nonp = { name = "vault" key_vault_secret_id = } } | any | {} | no |
vnet_name | The VNET name that contains the subnet | string | n/a | yes |
vnet_rg_name | Resource group name that contains the VNET | string | n/a | yes |
zones | Azure availability zones in which to deploy the Application Gateway | list(string) | null | no |
Name | Description |
---|---|
backend_address_pools | Entire AGW object |