From 3226d364a8207ba48edf7dea264e878269075932 Mon Sep 17 00:00:00 2001
From: John Downs
Date: Tue, 25 Oct 2022 10:20:57 +1300
Subject: [PATCH] Add quickstart
---
.../app-service.tf | 42 +++++
.../front-door.tf | 63 +++++++
.../outputs.tf | 3 +
.../providers.tf | 19 ++
.../101-front-door-standard-premium/readme.md | 166 ++++++++++++++++++
.../resource-group.tf | 4 +
.../variables.tf | 41 +++++
7 files changed, 338 insertions(+)
create mode 100644 quickstart/101-front-door-standard-premium/app-service.tf
create mode 100644 quickstart/101-front-door-standard-premium/front-door.tf
create mode 100644 quickstart/101-front-door-standard-premium/outputs.tf
create mode 100644 quickstart/101-front-door-standard-premium/providers.tf
create mode 100644 quickstart/101-front-door-standard-premium/readme.md
create mode 100644 quickstart/101-front-door-standard-premium/resource-group.tf
create mode 100644 quickstart/101-front-door-standard-premium/variables.tf
diff --git a/quickstart/101-front-door-standard-premium/app-service.tf b/quickstart/101-front-door-standard-premium/app-service.tf
new file mode 100644
index 00000000..4932bcf9
--- /dev/null
+++ b/quickstart/101-front-door-standard-premium/app-service.tf
@@ -0,0 +1,42 @@
+locals {
+ app_name = "myapp-${lower(random_id.app_name.hex)}"
+ app_service_plan_name = "AppServicePlan"
+}
+
+resource "azurerm_service_plan" "app_service_plan" {
+ name = local.app_service_plan_name
+ location = var.location
+ resource_group_name = azurerm_resource_group.my_resource_group.name
+
+ sku_name = var.app_service_plan_sku_name
+ os_type = "Windows"
+ worker_count = var.app_service_plan_capacity
+}
+
+resource "azurerm_windows_web_app" "app" {
+ name = local.app_name
+ location = var.location
+ resource_group_name = azurerm_resource_group.my_resource_group.name
+ service_plan_id = azurerm_service_plan.app_service_plan.id
+
+ https_only = true
+
+ site_config {
+ ftps_state = "Disabled"
+ minimum_tls_version = "1.2"
+ ip_restriction = [{
+ service_tag = "AzureFrontDoor.Backend"
+ ip_address = null
+ virtual_network_subnet_id = null
+ action = "Allow"
+ priority = 100
+ headers = [{
+ x_azure_fdid = [azurerm_cdn_frontdoor_profile.my_front_door.resource_guid]
+ x_fd_health_probe = []
+ x_forwarded_for = []
+ x_forwarded_host = []
+ }]
+ name = "Allow traffic from Front Door"
+ }]
+ }
+}
diff --git a/quickstart/101-front-door-standard-premium/front-door.tf b/quickstart/101-front-door-standard-premium/front-door.tf
new file mode 100644
index 00000000..a9689423
--- /dev/null
+++ b/quickstart/101-front-door-standard-premium/front-door.tf
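Review bot: The `ip_restriction` list in `site_config` only governs the main site; nothing in this block sets `scm_use_main_ip_restriction` or an `scm_ip_restriction`, so the SCM/Kudu deployment endpoint presumably keeps its default, unrestricted network access while the app itself is locked to Front Door. If that is intentional so deployments keep working, say so in a comment; otherwise add an explicit `scm_ip_restriction` for the deployment source, because `scm_use_main_ip_restriction = true` would apply the Front Door-only rule to the SCM site as well. A comment above `x_azure_fdid` would also help the next reader keep the header check: `# The service tag admits any Front Door profile; the X-Azure-FDID match limits access to this one.`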
@@ -0,0 +1,63 @@
+locals {
+ front_door_profile_name = "MyFrontDoor"
+ front_door_endpoint_name = "afd-${lower(random_id.front_door_endpoint_name.hex)}"
+ front_door_origin_group_name = "MyOriginGroup"
+ front_door_origin_name = "MyAppServiceOrigin"
+ front_door_route_name = "MyRoute"
+}
+
+resource "azurerm_cdn_frontdoor_profile" "my_front_door" {
+ name = local.front_door_profile_name
+ resource_group_name = azurerm_resource_group.my_resource_group.name
+ sku_name = var.front_door_sku_name
+}
+
+resource "azurerm_cdn_frontdoor_endpoint" "my_endpoint" {
+ name = local.front_door_endpoint_name
+ cdn_frontdoor_profile_id = azurerm_cdn_frontdoor_profile.my_front_door.id
+}
+
+resource "azurerm_cdn_frontdoor_origin_group" "my_origin_group" {
+ name = local.front_door_origin_group_name
+ cdn_frontdoor_profile_id = azurerm_cdn_frontdoor_profile.my_front_door.id
+ session_affinity_enabled = true
+
+ load_balancing {
+ sample_size = 4
+ successful_samples_required = 3
+ }
+
+ health_probe {
+ path = "/"
+ request_type = "HEAD"
+ protocol = "Https"
+ interval_in_seconds = 100
+ }
+}
+
+resource "azurerm_cdn_frontdoor_origin" "my_app_service_origin" {
+ name = local.front_door_origin_name
+ cdn_frontdoor_origin_group_id = azurerm_cdn_frontdoor_origin_group.my_origin_group.id
+
+ enabled = true
+ host_name = azurerm_windows_web_app.app.default_hostname
+ http_port = 80
+ https_port = 443
+ origin_host_header = azurerm_windows_web_app.app.default_hostname
+ priority = 1
+ weight = 1000
+ certificate_name_check_enabled = true
+}
+
+resource "azurerm_cdn_frontdoor_route" "my_route" {
+ name = local.front_door_route_name
+ cdn_frontdoor_endpoint_id = azurerm_cdn_frontdoor_endpoint.my_endpoint.id
+ cdn_frontdoor_origin_group_id = azurerm_cdn_frontdoor_origin_group.my_origin_group.id
+ cdn_frontdoor_origin_ids = [azurerm_cdn_frontdoor_origin.my_app_service_origin.id]
+
+ supported_protocols = ["Http", "Https"]
+ patterns_to_match = ["/*"]
+ forwarding_protocol = "HttpsOnly"
+
+ link_to_default_domain = true
+ https_redirect_enabled = true
+}
diff --git a/quickstart/101-front-door-standard-premium/outputs.tf b/quickstart/101-front-door-standard-premium/outputs.tf
new file mode 100644
index 00000000..3642fe18
--- /dev/null
+++ b/quickstart/101-front-door-standard-premium/outputs.tf
@@ -0,0 +1,3 @@
+output "frontDoorEndpointHostName" {
+ value = azurerm_cdn_frontdoor_endpoint.my_endpoint.host_name
+}
diff --git a/quickstart/101-front-door-standard-premium/providers.tf b/quickstart/101-front-door-standard-premium/providers.tf
new file mode 100644
index 00000000..2a4539cd
--- /dev/null
+++ b/quickstart/101-front-door-standard-premium/providers.tf
@@ -0,0 +1,19 @@
+# Configure the Azure provider
+terraform {
+ required_providers {
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = "~> 3.27.0"
+ }
+
+ random = {
+ source = "hashicorp/random"
+ }
+ }
+
+ required_version = ">= 1.1.0"
+}
+
+provider "azurerm" {
+ features {}
+}
diff --git a/quickstart/101-front-door-standard-premium/readme.md b/quickstart/101-front-door-standard-premium/readme.md
new file mode 100644
index 00000000..9f18dd38
--- /dev/null
+++ b/quickstart/101-front-door-standard-premium/readme.md
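Review bot: No WAF policy is associated with `my_endpoint` in any of the seven files this commit adds, so `my_route` serves `/*` on the default domain with no request filtering at the edge. That may be a deliberate simplification for a quickstart, but the file should say so above the route, e.g. `# This sample attaches no WAF/security policy; add one before fronting a real workload.` A one-line comment would also help on `supported_protocols`: `"Http"` appears to be listed only so `https_redirect_enabled` can redirect it, and with `forwarding_protocol = "HttpsOnly"` the origin's `http_port = 80` should never be used.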
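Review bot: The `random` entry in `required_providers` has no `version` constraint, while `azurerm` is pinned to `~> 3.27.0`, so `terraform init` will accept whichever `hashicorp/random` release is newest when the reader runs it. Add a constraint next to `source`, e.g. `version = "~> <RANDOM_PROVIDER_VERSION>"` (placeholder; use the release the sample was tested with). The diffstat shows no `.terraform.lock.hcl` either; committing one would fix the provider checksums for anyone who copies the quickstart.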
@@ -0,0 +1,166 @@ +# Azure Front Door Standard/Premium + +This template deploys an [Azure Front Door Standard/Premium profile](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/cdn_frontdoor_profile) with classic application and network rules. + +## Resources + +| Terraform Resource Type | Description | +| - | - | +| `azurerm_resource_group` | The resource group for all the deployed resources.| +| `azurerm_cdn_frontdoor_profile` | The Front Door profile. | +| `azurerm_cdn_frontdoor_endpoint` | The Front Door endpoint. | +| `azurerm_cdn_frontdoor_origin_group` | The Front Door origin group. | +| `azurerm_cdn_frontdoor_origin` | The Front Door origin, which refers to the App Service app. | +| `azurerm_cdn_frontdoor_route` | The Front Door route. | +| `azurerm_service_plan` | The App Service plan. | +| `azurerm_windows_web_app` | The App Service app. | + +## Variables + +| Name | Description | +|-|-| +| `location` | The location for all the deployed resources. | +| `resource_group_name` | The name of the resource group. | +| `app_service_plan_sku_name` | The SKU for the App Service plan. | +| `app_service_plan_sku_tier_name` | The name of the tier that the App Service plan SKU is in. | +| `app_service_plan_capacity` | The capacity (number of worker instances) for the App Service plan. | +| `front_door_sku_name` | The name of the SKU for the Front Door profile. | + +## Example + +```bash +$ terraform plan -out main.tfplan + +Terraform used the selected providers to generate the following execution plan. 
Resource actions are indicated with the following symbols: + + create + +Terraform will perform the following actions: + + # azurerm_firewall.fw will be created + + resource "azurerm_firewall" "fw" { + + id = (known after apply) + + location = "eastus" + + name = "testfirewall" + + resource_group_name = "test-resources" + + sku_name = (known after apply) + + sku_tier = (known after apply) + + threat_intel_mode = "Alert" + + + ip_configuration { + + name = "configuration" + + private_ip_address = (known after apply) + + public_ip_address_id = (known after apply) + + subnet_id = (known after apply) + } + } + + # azurerm_firewall_application_rule_collection.app-rc will be created + + resource "azurerm_firewall_application_rule_collection" "app-rc" { + + action = "Allow" + + azure_firewall_name = "testfirewall" + + id = (known after apply) + + name = "apptestcollection" + + priority = 100 + + resource_group_name = "test-resources" + + + rule { + + name = "testrule" + + source_addresses = [ + + "10.0.0.0/16", + ] + + target_fqdns = [ + + "*.google.com", + ] + + + protocol { + + port = 443 + + type = "Https" + } + } + } + + # azurerm_firewall_network_rule_collection.net-rc will be created + + resource "azurerm_firewall_network_rule_collection" "net-rc" { + + action = "Allow" + + azure_firewall_name = "testfirewall" + + id = (known after apply) + + name = "apptestcollection" + + priority = 100 + + resource_group_name = "test-resources" + + + rule { + + destination_addresses = [ + + "8.8.4.4", + + "8.8.8.8", + ] + + destination_fqdns = [] + + destination_ip_groups = [] + + destination_ports = [ + + "53", + ] + + name = "dnsrule" + + protocols = [ + + "TCP", + + "UDP", + ] + + source_addresses = [ + + "10.0.0.0/16", + ] + + source_ip_groups = [] + } + } + + # azurerm_public_ip.pip will be created + + resource "azurerm_public_ip" "pip" { + + allocation_method = "Static" + + availability_zone = (known after apply) + + fqdn = (known after apply) + + id = (known after apply) + 
+ idle_timeout_in_minutes = 4 + + ip_address = (known after apply) + + ip_version = "IPv4" + + location = "eastus" + + name = "testpip" + + resource_group_name = "test-resources" + + sku = "Standard" + + zones = (known after apply) + } + + # azurerm_resource_group.rg will be created + + resource "azurerm_resource_group" "rg" { + + id = (known after apply) + + location = "eastus" + + name = "test-resources" + } + + # azurerm_subnet.subnet will be created + + resource "azurerm_subnet" "subnet" { + + address_prefix = (known after apply) + + address_prefixes = [ + + "10.0.1.0/24", + ] + + enforce_private_link_endpoint_network_policies = false + + enforce_private_link_service_network_policies = false + + id = (known after apply) + + name = "AzureFirewallSubnet" + + resource_group_name = "test-resources" + + virtual_network_name = "testvnet" + } + + # azurerm_virtual_network.vnet will be created + + resource "azurerm_virtual_network" "vnet" { + + address_space = [ + + "10.0.0.0/16", + ] + + dns_servers = (known after apply) + + guid = (known after apply) + + id = (known after apply) + + location = "eastus" + + name = "testvnet" + + resource_group_name = "test-resources" + + subnet = (known after apply) + + vm_protection_enabled = false + } + +Plan: 7 to add, 0 to change, 0 to destroy. +``` diff --git a/quickstart/101-front-door-standard-premium/resource-group.tf b/quickstart/101-front-door-standard-premium/resource-group.tf new file mode 100644 index 00000000..85fae84e --- /dev/null +++ b/quickstart/101-front-door-standard-premium/resource-group.tf @@ -0,0 +1,4 @@ +resource "azurerm_resource_group" "my_resource_group" { + name = var.resource_group_name + location = var.location +} diff --git a/quickstart/101-front-door-standard-premium/variables.tf b/quickstart/101-front-door-standard-premium/variables.tf new file mode 100644 index 00000000..9b6428ee --- /dev/null +++ b/quickstart/101-front-door-standard-premium/variables.tf 
@@ -0,0 +1,41 @@
+variable "location" {
+ type = string
+ default = "westus2"
+}
+
+variable "resource_group_name" {
+ type = string
+ default = "FrontDoor"
+}
+
+variable "app_service_plan_sku_name" {
+ type = string
+ default = "S1"
+}
+
+variable "app_service_plan_capacity" {
+ type = number
+ default = 1
+}
+
+variable "app_service_plan_sku_tier_name" {
+ type = string
+ default = "Standard"
+}
+
+variable "front_door_sku_name" {
+ type = string
+ default = "Standard_AzureFrontDoor"
+ validation {
+ condition = contains(["Standard_AzureFrontDoor", "Premium_AzureFrontDoor"], var.front_door_sku_name)
+ error_message = "The SKU value must be Standard_AzureFrontDoor or Premium_AzureFrontDoor."
+ }
+}
+
+resource "random_id" "app_name" {
+ byte_length = 8
+}
+
+resource "random_id" "front_door_endpoint_name" {
+ byte_length = 8
+}
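Review bot: `app_service_plan_sku_tier_name` is declared here but no resource in this commit reads it, so setting it has no effect even though readme.md documents it; `azurerm_service_plan.app_service_plan` in app-service.tf takes only `var.app_service_plan_sku_name` and `var.app_service_plan_capacity`. Either drop the variable together with its readme row or wire it up. None of the variables carries a `description`, and only `front_door_sku_name` is validated; a line such as `description = "SKU of the Front Door profile."` on each would make them self-explanatory. The two `random_id` resources would also be easier to find next to the locals that consume them than in variables.tf.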