Tips-Of-Mine/terraform-azure
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add quickstart

Browse Source
This commit is contained in:
John Downs 2022-11-25 19:28:32 +13:00
parent 467e0a67f7
commit b7d0d3fd2c
8 changed files with 491 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

73
quickstart/101-front-door-premium-storage-blobs-private-link/front-door.tf Normal file
View File

@ -0,0 +1,73 @@
locals {
front_door_profile_name = "MyFrontDoor"
front_door_sku_name = "Premium_AzureFrontDoor" // Must be premium for Private Link support.
front_door_endpoint_name = "afd-${lower(random_id.front_door_endpoint_name.hex)}"
front_door_origin_group_name = "MyOriginGroup"
front_door_origin_name = "MyBlobContainerOrigin"
front_door_route_name = "MyRoute"
front_door_origin_path = "/${var.storage_account_blob_container_name}" // The path to the blob container.
}
resource "azurerm_cdn_frontdoor_profile" "my_front_door" {
name = local.front_door_profile_name
resource_group_name = azurerm_resource_group.my_resource_group.name
sku_name = local.front_door_sku_name
}
resource "azurerm_cdn_frontdoor_endpoint" "my_endpoint" {
name = local.front_door_endpoint_name
cdn_frontdoor_profile_id = azurerm_cdn_frontdoor_profile.my_front_door.id
}
resource "azurerm_cdn_frontdoor_origin_group" "my_origin_group" {
name = local.front_door_origin_group_name
cdn_frontdoor_profile_id = azurerm_cdn_frontdoor_profile.my_front_door.id
session_affinity_enabled = true
load_balancing {
sample_size = 4
successful_samples_required = 3
}
health_probe {
path = "/"
request_type = "HEAD"
protocol = "Https"
interval_in_seconds = 100
}
}
resource "azurerm_cdn_frontdoor_origin" "my_blob_container_origin" {
name = local.front_door_origin_name
cdn_frontdoor_origin_group_id = azurerm_cdn_frontdoor_origin_group.my_origin_group.id
enabled = true
host_name = azurerm_storage_account.my_storage_account.primary_blob_host
http_port = 80
https_port = 443
origin_host_header = azurerm_storage_account.my_storage_account.primary_blob_host
priority = 1
weight = 1000
certificate_name_check_enabled = true
private_link {
private_link_target_id = azurerm_storage_account.my_storage_account.id
target_type = "blob"
request_message = "Request access for Azure Front Door Private Link origin"
location = var.front_door_private_link_location
}
}
resource "azurerm_cdn_frontdoor_route" "my_route" {
name = local.front_door_route_name
cdn_frontdoor_endpoint_id = azurerm_cdn_frontdoor_endpoint.my_endpoint.id
cdn_frontdoor_origin_group_id = azurerm_cdn_frontdoor_origin_group.my_origin_group.id
cdn_frontdoor_origin_ids = [azurerm_cdn_frontdoor_origin.my_blob_container_origin.id]
supported_protocols = ["Http", "Https"]
patterns_to_match = ["/*"]
forwarding_protocol = "HttpsOnly"
link_to_default_domain = true
https_redirect_enabled = true
cdn_frontdoor_origin_path = local.front_door_origin_path
}

BIN
quickstart/101-front-door-premium-storage-blobs-private-link/images/diagram.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 52 KiB

3
quickstart/101-front-door-premium-storage-blobs-private-link/outputs.tf Normal file
View File

@ -0,0 +1,3 @@
output "frontDoorEndpointHostName" {
value = azurerm_cdn_frontdoor_endpoint.my_endpoint.host_name
}

20
quickstart/101-front-door-premium-storage-blobs-private-link/providers.tf Normal file
View File

@ -0,0 +1,20 @@
# Configure the Azure provider
terraform {
required_providers {
azurerm = {
source = "hashicorp/azurerm"
version = "~> 3.27.0"
}
random = {
source = "hashicorp/random"
version = "~> 3.4.3"
}
}
required_version = ">= 1.1.0"
}
provider "azurerm" {
features {}
}

330
quickstart/101-front-door-premium-storage-blobs-private-link/readme.md Normal file
View File

@ -0,0 +1,330 @@
# Azure Front Door Premium with blob origin and Private Link
This template deploys an [Azure Front Door Premium profile](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/cdn_frontdoor_profile) with an Azure Storage blob container origin, using a private endpoint to access the storage account.
## Architecture
![Architecture diagram showing traffic flowing through Front Door to the storage account.](images/diagram.png)
The data flows through the solution are:
1. The client establishes a connection to Azure Front Door by using a custom domain name. The client's connection terminates at a nearby Front Door point of presence (PoP).
1. The Front Door web application firewall (WAF) scans the request. If the WAF determines the request's risk level is too high, it blocks the request and Front Door returns an HTTP 403 error response.
1. If the Front Door PoP's cache contains a valid response for this request, Front Door returns the response immediately.
1. Otherwise, the PoP sends the request to the origin storage account, wherever it is in the world, by using Microsoft's backbone network. The PoP connects to the storage account by using a separate, long-lived, TCP connection. In this scenario, Private Link is used to securely connect to the storage account.
1. The storage account sends a response to the Front Door PoP.
1. When the PoP receives the response, it stores it in its cache for subsequent requests.
1. The PoP returns the response to the client.
1. Any requests directly to the storage account through the internet are blocked by the Azure Storage firewall.
## Resources
| Terraform Resource Type | Description |
| - | - |
| `azurerm_resource_group` | The resource group for all the deployed resources.|
| `azurerm_cdn_frontdoor_profile` | The Front Door profile. |
| `azurerm_cdn_frontdoor_endpoint` | The Front Door endpoint. |
| `azurerm_cdn_frontdoor_origin_group` | The Front Door origin group. |
| `azurerm_cdn_frontdoor_origin` | The Front Door origin, which refers to the storage account. |
| `azurerm_cdn_frontdoor_route` | The Front Door route. |
| `azurerm_storage_account` | The Azure Storage account. |
| `azurerm_storage_container` | The blob container within the Azure Storage account. |
| `random_id` | Two random identifier generators to generate a unique Front Door endpoint resource name and storage account name. |
## Variables
| Name | Description | Default Value |
|-|-|-|
| `location` | The location for all the deployed resources. | `westus3` |
| `front_door_private_link_location` | The location that the Private Link connection will terminate in when connecting to the origin. This must be one of the [locations in which Private Link origins are available for Front Door](https://learn.microsoft.com/azure/frontdoor/private-link#region-availability). | `westus3` |
| `resource_group_name` | The name of the resource group. | `FrontDoor` |
| `storage_account_tier` | The tier of the storage account. | `Standard` |
| `storage_account_replication_type` | The level of replication to be configured for the storage account. | `LRS` |
| `storage_account_blob_container_name` | The name of the blob contianer. | `mycontainer` |
## Example
```bash
$ terraform plan -out main.tfplan
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
+ create
Terraform will perform the following actions:
# azurerm_cdn_frontdoor_endpoint.my_endpoint will be created
+ resource "azurerm_cdn_frontdoor_endpoint" "my_endpoint" {
+ cdn_frontdoor_profile_id = (known after apply)
+ enabled = true
+ host_name = (known after apply)
+ id = (known after apply)
+ name = (known after apply)
}
# azurerm_cdn_frontdoor_origin.my_blob_container_origin will be created
+ resource "azurerm_cdn_frontdoor_origin" "my_blob_container_origin" {
+ cdn_frontdoor_origin_group_id = (known after apply)
+ certificate_name_check_enabled = true
+ enabled = true
+ health_probes_enabled = (known after apply)
+ host_name = (known after apply)
+ http_port = 80
+ https_port = 443
+ id = (known after apply)
+ name = "MyBlobContainerOrigin"
+ origin_host_header = (known after apply)
+ priority = 1
+ weight = 1000
+ private_link {
+ location = "westus3"
+ private_link_target_id = (known after apply)
+ request_message = "Request access for Azure Front Door Private Link origin"
+ target_type = "blob"
}
}
# azurerm_cdn_frontdoor_origin_group.my_origin_group will be created
+ resource "azurerm_cdn_frontdoor_origin_group" "my_origin_group" {
+ cdn_frontdoor_profile_id = (known after apply)
+ id = (known after apply)
+ name = "MyOriginGroup"
+ restore_traffic_time_to_healed_or_new_endpoint_in_minutes = 10
+ session_affinity_enabled = true
+ health_probe {
+ interval_in_seconds = 100
+ path = "/"
+ protocol = "Https"
+ request_type = "HEAD"
}
+ load_balancing {
+ additional_latency_in_milliseconds = 50
+ sample_size = 4
+ successful_samples_required = 3
}
}
# azurerm_cdn_frontdoor_profile.my_front_door will be created
+ resource "azurerm_cdn_frontdoor_profile" "my_front_door" {
+ id = (known after apply)
+ name = "MyFrontDoor"
+ resource_group_name = "FrontDoor"
+ resource_guid = (known after apply)
+ response_timeout_seconds = 120
+ sku_name = "Premium_AzureFrontDoor"
}
# azurerm_cdn_frontdoor_route.my_route will be created
+ resource "azurerm_cdn_frontdoor_route" "my_route" {
+ cdn_frontdoor_endpoint_id = (known after apply)
+ cdn_frontdoor_origin_group_id = (known after apply)
+ cdn_frontdoor_origin_ids = (known after apply)
+ enabled = true
+ forwarding_protocol = "HttpsOnly"
+ https_redirect_enabled = true
+ id = (known after apply)
+ link_to_default_domain = true
+ name = "MyRoute"
+ patterns_to_match = [
+ "/*",
]
+ supported_protocols = [
+ "Http",
+ "Https",
]
}
# azurerm_resource_group.my_resource_group will be created
+ resource "azurerm_resource_group" "my_resource_group" {
+ id = (known after apply)
+ location = "westus3"
+ name = "FrontDoor"
}
# azurerm_storage_account.my_storage_account will be created
+ resource "azurerm_storage_account" "my_storage_account" {
+ access_tier = (known after apply)
+ account_kind = "StorageV2"
+ account_replication_type = "LRS"
+ account_tier = "Standard"
+ allow_nested_items_to_be_public = true
+ cross_tenant_replication_enabled = true
+ default_to_oauth_authentication = false
+ enable_https_traffic_only = true
+ id = (known after apply)
+ infrastructure_encryption_enabled = false
+ is_hns_enabled = false
+ large_file_share_enabled = (known after apply)
+ location = "westus3"
+ min_tls_version = "TLS1_2"
+ name = (known after apply)
+ nfsv3_enabled = false
+ primary_access_key = (sensitive value)
+ primary_blob_connection_string = (sensitive value)
+ primary_blob_endpoint = (known after apply)
+ primary_blob_host = (known after apply)
+ primary_connection_string = (sensitive value)
+ primary_dfs_endpoint = (known after apply)
+ primary_dfs_host = (known after apply)
+ primary_file_endpoint = (known after apply)
+ primary_file_host = (known after apply)
+ primary_location = (known after apply)
+ primary_queue_endpoint = (known after apply)
+ primary_queue_host = (known after apply)
+ primary_table_endpoint = (known after apply)
+ primary_table_host = (known after apply)
+ primary_web_endpoint = (known after apply)
+ primary_web_host = (known after apply)
+ public_network_access_enabled = false
+ queue_encryption_key_type = "Service"
+ resource_group_name = "FrontDoor"
+ secondary_access_key = (sensitive value)
+ secondary_blob_connection_string = (sensitive value)
+ secondary_blob_endpoint = (known after apply)
+ secondary_blob_host = (known after apply)
+ secondary_connection_string = (sensitive value)
+ secondary_dfs_endpoint = (known after apply)
+ secondary_dfs_host = (known after apply)
+ secondary_file_endpoint = (known after apply)
+ secondary_file_host = (known after apply)
+ secondary_location = (known after apply)
+ secondary_queue_endpoint = (known after apply)
+ secondary_queue_host = (known after apply)
+ secondary_table_endpoint = (known after apply)
+ secondary_table_host = (known after apply)
+ secondary_web_endpoint = (known after apply)
+ secondary_web_host = (known after apply)
+ shared_access_key_enabled = true
+ table_encryption_key_type = "Service"
+ blob_properties {
+ change_feed_enabled = (known after apply)
+ change_feed_retention_in_days = (known after apply)
+ default_service_version = (known after apply)
+ last_access_time_enabled = (known after apply)
+ versioning_enabled = (known after apply)
+ container_delete_retention_policy {
+ days = (known after apply)
}
+ cors_rule {
+ allowed_headers = (known after apply)
+ allowed_methods = (known after apply)
+ allowed_origins = (known after apply)
+ exposed_headers = (known after apply)
+ max_age_in_seconds = (known after apply)
}
+ delete_retention_policy {
+ days = (known after apply)
}
}
+ network_rules {
+ bypass = (known after apply)
+ default_action = "Deny"
+ ip_rules = (known after apply)
+ virtual_network_subnet_ids = (known after apply)
}
+ queue_properties {
+ cors_rule {
+ allowed_headers = (known after apply)
+ allowed_methods = (known after apply)
+ allowed_origins = (known after apply)
+ exposed_headers = (known after apply)
+ max_age_in_seconds = (known after apply)
}
+ hour_metrics {
+ enabled = (known after apply)
+ include_apis = (known after apply)
+ retention_policy_days = (known after apply)
+ version = (known after apply)
}
+ logging {
+ delete = (known after apply)
+ read = (known after apply)
+ retention_policy_days = (known after apply)
+ version = (known after apply)
+ write = (known after apply)
}
+ minute_metrics {
+ enabled = (known after apply)
+ include_apis = (known after apply)
+ retention_policy_days = (known after apply)
+ version = (known after apply)
}
}
+ routing {
+ choice = (known after apply)
+ publish_internet_endpoints = (known after apply)
+ publish_microsoft_endpoints = (known after apply)
}
+ share_properties {
+ cors_rule {
+ allowed_headers = (known after apply)
+ allowed_methods = (known after apply)
+ allowed_origins = (known after apply)
+ exposed_headers = (known after apply)
+ max_age_in_seconds = (known after apply)
}
+ retention_policy {
+ days = (known after apply)
}
+ smb {
+ authentication_types = (known after apply)
+ channel_encryption_type = (known after apply)
+ kerberos_ticket_encryption_type = (known after apply)
+ multichannel_enabled = (known after apply)
+ versions = (known after apply)
}
}
}
# azurerm_storage_container.my_storage_container will be created
+ resource "azurerm_storage_container" "my_storage_container" {
+ container_access_type = "blob"
+ has_immutability_policy = (known after apply)
+ has_legal_hold = (known after apply)
+ id = (known after apply)
+ metadata = (known after apply)
+ name = "mycontainer"
+ resource_manager_id = (known after apply)
+ storage_account_name = (known after apply)
}
# random_id.front_door_endpoint_name will be created
+ resource "random_id" "front_door_endpoint_name" {
+ b64_std = (known after apply)
+ b64_url = (known after apply)
+ byte_length = 8
+ dec = (known after apply)
+ hex = (known after apply)
+ id = (known after apply)
}
# random_id.storage_account_name will be created
+ resource "random_id" "storage_account_name" {
+ b64_std = (known after apply)
+ b64_url = (known after apply)
+ byte_length = 8
+ dec = (known after apply)
+ hex = (known after apply)
+ id = (known after apply)
}
Plan: 10 to add, 0 to change, 0 to destroy.
Changes to Outputs:
+ frontDoorEndpointHostName = (known after apply)
```

12
quickstart/101-front-door-premium-storage-blobs-private-link/resource-group.tf Normal file
View File

@ -0,0 +1,12 @@
resource "azurerm_resource_group" "my_resource_group" {
name = var.resource_group_name
location = var.location
}
resource "random_id" "storage_account_name" {
byte_length = 8
}
resource "random_id" "front_door_endpoint_name" {
byte_length = 8
}

24
quickstart/101-front-door-premium-storage-blobs-private-link/storage-account.tf Normal file
View File

@ -0,0 +1,24 @@
locals {
storage_account_name = "stor${lower(random_id.storage_account_name.hex)}"
}
resource "azurerm_storage_account" "my_storage_account" {
name = local.storage_account_name
resource_group_name = azurerm_resource_group.my_resource_group.name
location = var.location
account_kind = "StorageV2"
account_tier = var.storage_account_tier
account_replication_type = var.storage_account_replication_type
enable_https_traffic_only = true
public_network_access_enabled = false
min_tls_version = "TLS1_2"
network_rules {
default_action = "Deny"
}
}
resource "azurerm_storage_container" "my_storage_container" {
name = var.storage_account_blob_container_name
storage_account_name = azurerm_storage_account.my_storage_account.name
container_access_type = "blob"
}

29
quickstart/101-front-door-premium-storage-blobs-private-link/variables.tf Normal file
View File

@ -0,0 +1,29 @@
variable "location" {
type = string
default = "westus3"
}
variable "front_door_private_link_location" {
type = string
default = "westus3"
}
variable "resource_group_name" {
type = string
default = "FrontDoor"
}
variable "storage_account_tier" {
type = string
default = "Standard"
}
variable "storage_account_replication_type" {
type = string
default = "LRS"
}
variable "storage_account_blob_container_name" {
type = string
default = "mycontainer"
}