Name of the resource group where to create the resource. Changing this forces a new resource to be created.
location
string
None
Specifies the Azure location to deploy the resource. Changing this forces a new resource to be created.
front-door-object
object
None
Front Door configuration object as described in the Parameters section.
front-door-waf-object
object
None
Front Door WAF configuration object as described in the Parameters section.
tags
map
None
Map of tags for the deployment.
Parameters
front-door-object
(Required) Confirguration object describing the Front Door configuration.
The object has sections are as follows:
Front Door Parameters
Name
Type
Description
name
Required
Specifies the name of the Front Door service. Changing this forces a new resource to be created.
resource_group_name
Required
Specifies the name of the Resource Group in which the Front Door service should exist. Changing this forces a new resource to be created.
location
Required
Specifies the supported Azure location where the resource exists. Changing this forces a new resource to be created.
backend_pool
Required
A backend_pool block as defined below.
backend_pool_health_probe
Required
A backend_pool_health_probe block as defined below.
backend_pool_load_balancing
Required
A backend_pool_load_balancing block as defined below.
enforce_backend_pools_certificate_name_check
Required
Enforce certificate name check on HTTPS requests to all backend pools, this setting will have no effect on HTTP requests. Permitted values are true or false.
load_balancer_enabled
Optional
Should the Front Door Load Balancer be Enabled? Defaults to true.
friendly_name
Optional
A friendly name for the Front Door service.
frontend_endpoint
Required
A frontend_endpoint block as defined below.
routing_rule
Required
A routing_rule block as defined below.
tags
Optional
A mapping of tags to assign to the resource.
Backend Pool Block
Name
Type
Description
name
Required
Specifies the name of the Backend Pool.
backend
Required
A backend block as defined below.
load_balancing_name
Required
Specifies the name of the backend_pool_load_balancing block within this resource to use for this Backend Pool.
health_probe_name
Required
Specifies the name of the backend_pool_health_probe block whithin this resource to use for this Backend Pool.
Backend Block
Name
Type
Description
enabled
Optional
Specifies if the backend is enabled or not. Valid options are true or false. Defaults to true.
address
Required
Location of the backend (IP address or FQDN)
host_header
Required
The value to use as the host header sent to the backend.
http_port
Required
The HTTP TCP port number. Possible values are between 1 - 65535.
https_port
Required
The HTTPS TCP port number. Possible values are between 1 - 65535.
priority
Optional
Priority to use for load balancing. Higher priorities will not be used for load balancing if any lower priority backend is healthy. Defaults to 1.
weight
Optional
Weight of this endpoint for load balancing purposes. Defaults to 50.
Frontend Endpoint Block
Name
Type
Description
name
Required
Specifies the name of the frontend_endpoint.
host_name
Required
Specifies the host name of the frontend_endpoint. Must be a domain name.
session_affinity_enabled
Optional
Whether to allow session affinity on this host. Valid options are true or false Defaults to false.
session_affinity_ttl_seconds
Optional
The TTL to use in seconds for session affinity, if applicable. Defaults to 0.
custom_https_provisioning_enabled
Required
Should the HTTPS protocol be enabled for a custom domain associated with the Front Door?
custom_https_configuration
Optional
A custom_https_configuration block as defined below. NOTE: This block is required when custom_https_provisioning_enabled is set to true.
web_application_firewall_policy_link_id
Optional
Defines the Web Application Firewall policy ID for each host.
Backend Pool Health Probe Block
Name
Type
Description
name
Required
Specifies the name of the Health Probe.
path
Optional
The path to use for the Health Probe. Default is /.
protocol
Optional
Protocol scheme to use for the Health Probe. Defaults to Http.
interval_in_seconds
Optional
The number of seconds between each Health Probe. Defaults to 120.
Backend Pool Load Balancing Block
Name
Type
Description
name
Required
Specifies the name of the Load Balancer.
sample_size
Optional
The number of samples to consider for load balancing decisions. Defaults to 4.
successful_samples_required
Optional
The number of samples within the sample period that must succeed. Defaults to 2.
additional_latency_milliseconds
Optional
The additional latency in milliseconds for probes to fall into the lowest latency bucket. Defaults to 0.
Routing Rule Block
Name
Type
Description
name
Required
Specifies the name of the Routing Rule.
frontend_endpoints
Required
The names of the frontend_endpoint blocks whithin this resource to associate with this routing_rule.
accepted_protocols
Optional
Protocol schemes to match for the Backend Routing Rule. Defaults to Http.
patterns_to_match
Optional
The route patterns for the Backend Routing Rule. Defaults to /*.
enabled
Optional
Enable or Disable use of this Backend Routing Rule. Permitted values are true or false. Defaults to true.
forwarding_configuration
Optional
A forwarding_configuration block as defined below.
redirect_configuration
Optional
A redirect_configuration block as defined below.
Forwarding Configuration Block
Name
Type
Description
backend_pool_name
Required
Specifies the name of the Backend Pool to forward the incoming traffic to.
cache_enabled
Optional
Specifies whether to Enable caching or not. Valid options are true or false. Defaults to true.
cache_use_dynamic_compression
Optional
Whether to use dynamic compression when caching. Valid options are true or false. Defaults to false.
cache_query_parameter_strip_directive
Optional
Defines cache behavior in releation to query string parameters. Valid options are StripAll or StripNone. Defaults to StripNone.
custom_forwarding_path
Optional
Path to use when constructing the request to forward to the backend. This functions as a URL Rewrite. Default behavior preserves the URL path.
forwarding_protocol
Optional
Protocol to use when redirecting. Valid options are HttpOnly, HttpsOnly, or MatchRequest. Defaults to MatchRequest.
Redirect Confirguration Block
Name
Type
Description
custom_host
Optional
Set this to change the URL for the redirection.
redirect_protocol
Optional
Protocol to use when redirecting. Valid options are HttpOnly, HttpsOnly, or MatchRequest. Defaults to MatchRequest
redirect_type
Optional
Status code for the redirect. Valida options are Moved, Found, TemporaryRedirect, PermanentRedirect. Defaults to Found
custom_fragment
Optional
The destination fragment in the portion of URL after '#'. Set this to add a fragment to the redirect URL.
custom_path
Optional
The path to retain as per the incoming request, or update in the URL for the redirection.
custom_query_string
Optional
Replace any existing query string from the incoming request URL.
Custom HTTPS Configuration Block
Name
Type
Description
certificate_source
Optional
Certificate source to encrypted HTTPS traffic with. Allowed values are FrontDoor or AzureKeyVault. Defaults to FrontDoor.
If Certificate Source is "AzureKeyVault"
Name
Type
Description
azure_key_vault_certificate_vault_id
Required
The ID of the Key Vault containing the SSL certificate.
azure_key_vault_certificate_secret_name
Required
The name of the Key Vault secret representing the full certificate PFX.
azure_key_vault_certificate_secret_version
Required
The version of the Key Vault secret representing the full certificate PFX.
The following front-door-object shows an example of the composition:
Sample of front door configuration object below
front-door-object={
name ="<your AFD Name>"
friendly_name ="My Azure Front Door Service"#Optional#disable_bgp_route_propagation = false #Default: false
enforce_backend_pools_certificate_name_check =false
load_balancer_enabled =true#Default: true
routing_rule = {
rr1 = {
name ="exampleRoutingRule1"
frontend_endpoints = ["exampleFrontendEndpoint1"]
accepted_protocols = ["Http", "Https"] #Default: "Http"
patterns_to_match = ["/*"] #Default: "/*"
enabled =true#Default: true
configuration ="Forwarding"#Options: Forwarding / Redirect
forwarding_configuration = {
backend_pool_name ="exampleBackendBing1"
cache_enabled =false#Default: false
cache_use_dynamic_compression =false#Default: false
cache_query_parameter_strip_directive ="StripNone"#Default: "StripNone"
custom_forwarding_path =""
forwarding_protocol ="MatchRequest"#Default: "BestMatch"
}
redirect_configuration = {
custom_host =""#Optional
redirect_protocol ="MatchRequest"#Default: "MatchRequest"
redirect_type ="Found"#Default: "Found"
custom_fragment =""
custom_path =""
custom_query_string =""
}
} #Add extra routing rules here (e.g. rr2 = {...})
}
backend_pool_load_balancing = {
lb1 = {
name ="exampleLoadBalancingSettings1"
sample_size =4#Default: 4
successful_samples_required =2#Default: 2
additional_latency_milliseconds =0#Default: 0
} #Add extra backend load balancing names here (e.g. lb2 = {...})
}
backend_pool_health_probe = {
hp1 = {
name ="exampleHealthProbeSetting1"
path ="/"
protocol ="Http"#Default: Http
interval_in_seconds =120#Default: 120
} #Add extra health probes here (e.g. hp2 = {...})
}
backend_pool = {
bp1 = {
name ="exampleBackendBing1"
backend = {
be1 = {
enabled =true
address ="www.bing.com"
host_header ="www.bing.com"
http_port =80
https_port =443
priority =1#Default: 1
weight =50#Default: 50
},
be2 = {
enabled =true
address ="www.bing.co.uk"
host_header ="www.bing.co.uk"
http_port =80
https_port =443
priority =1#default: 1
weight =50#default: 50
} #Add extra backend's here (e.g. be3 = {...})
}
load_balancing_name ="exampleLoadBalancingSettings1"#Name of backend_pool_load_balancing to use
health_probe_name ="exampleHealthProbeSetting1"#Name of backend_pool_health_probe to use
} #Add extra backend pools here (e.g. bp2 = {...})
}
frontend_endpoint = {
fe1 = {
name ="exampleFrontendEndpoint1"
host_name ="<your AFD Name>.azurefd.net"
session_affinity_enabled =false#default: false
session_affinity_ttl_seconds =0#default: 0
custom_https_provisioning_enabled =false#Required if custom_https_provisioning_enabled is true
custom_https_configuration = {
certificate_source ="FrontDoor"#Optional (FrontDoor / AzureKeyVault)#If certificate source is AzureKeyVault the below are required:
azure_key_vault_certificate_vault_id =""
azure_key_vault_certificate_secret_name =""
azure_key_vault_certificate_secret_version =""
}
#Links the WAF Policy to the Fronend Endpoints
web_application_firewall_policy_link_name ="TerraformPolicy"#Optional Enter the name of the waf policy you'll be creating
} #Add extra frontend Endpoints here (e.g. fe2 = {...})
}
}
front-door-waf-object
(Required_ Confirguration object describing the Front Door WAF configuration.
Front Door WAF Parameters
Name
Type
Description
name
Required
The name of the policy. Changing this forces a new resource to be created.
resource_group_name
Required
The name of the resource group. Changing this forces a new resource to be created.
enabled
Optional
Is the policy a enabled state or disabled state. Defaults to true.
mode
Optional
The firewall policy mode. Possible values are Detection, Prevention and defaults to Prevention.
redirect_url
Optional
If action type is redirect, this field represents redirect URL for the client.
custom_rule
Optional
One or more custom_rule blocks as defined below.
custom_block_response_status_code
Optional
If a custom_rule block's action type is block, this is the response status code. Possible values are 200, 403, 405, 406, or 429.
custom_block_response_body
Optional
If a custom_rule block's action type is block, this is the response body needs to be set here. Possible values are either a relative path to a file or content.
managed_rule
Optional
One or more managed_rule blocks as defined below.
tags
Optional
A mapping of tags to assign to the Web Application Firewall Policy.
Custom Rules Block
Name
Type
Description
name
Required
Gets name of the resource that is unique within a policy. This name can be used to access the resource.
action
Required
The action to perform when the rule is matched. Possible values are Allow, Block, Log, or Redirect.
enabled
Optional
Is the rule is enabled or disabled? Defaults to true.
priority
Required
The priority of the rule. Rules with a lower value will be evaluated before rules with a higher value. Defaults to 1.
type
Required
The type of rule. Possible values are MatchRule or RateLimitRule.
match_condition
Required
One or more match_condition block defined below.
rate_limit_duration_in_minutes
Optional
The rate limit duration in minutes. Defaults to 1.
rate_limit_threshold
Optional
The rate limit threshold. Defaults to 10.
Match Condition Block
Name
Type
Description
match_variable
Required
The request variable to compare with. Possible values are Cookies, PostArgs, QueryString, RemoteAddr, RequestBody, RequestHeader, RequestMethod, or RequestUri.
match_values
Required
Up to 100 possible values to match.
operator
Required
Comparison type to use for matching with the variable value. Possible values are Any, BeginsWith, Contains, EndsWith, Equal, GeoMatch, GreaterThan, GreaterThanOrEqual, IPMatch, LessThan, LessThanOrEqual or RegEx.
selector
Optional
Match against a specific key if the match_variable is QueryString, PostArgs, RequestHeader or Cookies.
negation_condition
Optional
Should the result of the condition be negated.
transforms
Optional
Up to 5 transforms to apply. Possible values are Lowercase, RemoveNulls, Trim, Uppercase, URLDecode orURLEncode.
Managed Rule Block
Name
Type
Description
type
Required
The name of the managed rule to use with this resource.
version
Required
The version on the managed rule to use with this resource.
exclusion
Optional
One or more exclusion blocks as defined below.
override
Optional
One or more override blocks as defined below.
Override Block
Name
Type
Description
rule_group_name
Required
The managed rule group to override.
exclusion
Optional
One or more exclusion blocks as defined below.
rule
Optional
One or more rule blocks as defined below. If none are specified, all of the rules in the group will be disabled.
Rule Block
Name
Type
Description
rule_id
Required
Identifier for the managed rule.
action
Required
The action to be applied when the rule matches. Possible values are Allow, Block, Log, or Redirect.
enabled
Optional
Is the managed rule override enabled or disabled. Defaults to false
exclusion
Optional
One or more exclusion blocks as defined below.
Exclusion Block
Name
Type
Description
match_variable
Required
The variable type to be excluded. Possible values are QueryStringArgNames, RequestBodyPostArgNames, RequestCookieNames, RequestHeaderNames.
operator
Required
Comparison operator to apply to the selector when specifying which elements in the collection this exclusion applies to. Possible values are: Equals, Contains, StartsWith, EndsWith, EqualsAny.
selector
Required
Selector for the value in the match_variable attribute this exclusion applies to.
The following front-door-waf-object shows an example of the composition:
Sample of front door waf configuration object below
front-door-waf-object={
waf1 = {
name ="TerraformPolicy"
enabled =true#Default: true
mode ="Prevention"#Options: Prevention / Detection
redirect_url ="https://www.bing.com"#Optional
custom_rule = {
cr1 = {
name ="Rule1"
action ="Block"#Options: Allow/Block/Log/Redirect
enabled =true#Default: true
priority =1#Default: 1
type ="MatchRule"#Options: MatchRule / RateLimitRule
match_condition = {
match_variable ="RequestHeader"#Options: Cookies, PostArgs, QueryString, RemoteAddr, RequestBody, RequestHeader, RequestMethod, or RequestUri
match_values = ["windows"]
operator ="Contains"#Options: Any, BeginsWith, Contains, EndsWith, Equal, GeoMatch, GreaterThan, GreaterThanOrEqual, IPMatch, LessThan, LessThanOrEqual or RegEx
selector ="UserAgent"#Used if matched_variable is QueryString, PostArgs, RequestHeader or Cookies
negation_condition =false#If result of condition is negative
transforms = ["Lowercase", "Trim"] #Options: transforms - (Optional) Up to 5 transforms to apply. Possible values are Lowercase, RemoveNulls, Trim, Uppercase, URLDecode or URLEncode
}
rate_limit_duration_in_minutes =1
rate_limit_threshold =10
} #Add extra custom rules here (e.g. cr2 = {...})
}
custom_block_response_status_code =403#Options: 200, 403, 405, 406, or 429
custom_block_response_body ="./blocked-response.html"#Options: Relative path to a file or content for the blocked response body. (e.g. "./blocked-response.html" or "Blocked by WAF Policy")
managed_rule = {
mr1 = {
type ="DefaultRuleSet"
version ="1.0"
exclusion = {
ex1 = {
match_variable ="QueryStringArgNames"#Options: match_variable - (Required) The variable type to be excluded. Possible values are QueryStringArgNames, RequestBodyPostArgNames, RequestCookieNames, RequestHeaderNames
operator ="Equals"#Options: Equals, Contains, StartsWith, EndsWith, EqualsAny
selector ="not_suspicious"
} #Add extra managed rule exclusions here (e.g. ex2 = {...})
}
override = {
or1 = {
rule_group_name ="PHP"
exclusion = {
ex1 = {
match_variable ="QueryStringArgNames"#Options: match_variable - (Required) The variable type to be excluded. Possible values are QueryStringArgNames, RequestBodyPostArgNames, RequestCookieNames, RequestHeaderNames
operator ="Equals"#Options: Equals, Contains, StartsWith, EndsWith, EqualsAny
selector ="not_suspicious"
} #Add extra override exclusions here (e.g. ex2 = {...})
}
rule = {
r1 = {
rule_id ="933100"
action ="Block"#Options: Allow, Block, Log, or Redirect
enabled =false#Default: true
exclusion = {
ex1 = {
match_variable ="QueryStringArgNames"#Options: match_variable - (Required) The variable type to be excluded. Possible values are QueryStringArgNames, RequestBodyPostArgNames, RequestCookieNames, RequestHeaderNames
operator ="Equals"#Options: Equals, Contains, StartsWith, EndsWith, EqualsAny
selector ="not_suspicious"
} #Add extra rule exclusions here (e.g. ex2 = {...})
}
} #Add extra rule to override here (e.g. r2 = {...})
}
} #Add extra overrides here (e.g or2 = {...}
}
} #Add extra managed rules here (e.g. mr2 = {...})
}
tags =""
} #Add extra WAF Policies here (e.g. waf2 = {...})
}
Output
Name
Type
Description
front-door-object
Object
Object with the outputs from the Front Door provider.
front-door-waf-object
Object
Object with the outputs from the Front Door WAF provider.
The WAF policies are linked to the Frontend Endpoints within Azure Front Door.
About
Azure Front Door module for Cloud Adoption Framework for Azure landing zones