update app gateway with separate network and add WAF protections (#480)

* update application gateway to include WAF protection * update appgw with WAF and separate networking * minor syntax corrections --------- Co-authored-by: marycrawford <[email protected]>
CDCgov · Dec 13, 2024 · c75061f · c75061f
1 parent 82c5224
commit c75061f
Show file tree

Hide file tree

Showing 7 changed files with 45 additions and 16 deletions.
diff --git a/ops/terraform/locals.tf b/ops/terraform/locals.tf
@@ -14,6 +14,7 @@ locals {
       websubnetcidr        = "10.0.3.0/24"
       lbsubnetcidr         = "10.0.4.0/24"
       dbsubnetcidr         = "10.0.5.0/24"
+      appgwsubnetcidr      = "10.0.6.0/24"
     }
   }
   demo = {
@@ -24,6 +25,7 @@ locals {
       websubnetcidr        = "10.1.3.0/24"
       lbsubnetcidr         = "10.1.4.0/24"
       dbsubnetcidr         = "10.1.5.0/24"
+      appgwsubnetcidr      = "10.1.6.0/24"
     }
   }
 }
diff --git a/ops/terraform/main.tf b/ops/terraform/main.tf
@@ -19,6 +19,7 @@ module "networking" {
   ocrsubnetcidr        = local.workspace["ocrsubnetcidr"]
   middlewaresubnetcidr = local.workspace["middlewaresubnetcidr"]
   dbsubnetcidr         = local.workspace["dbsubnetcidr"]
+  appgwsubnetcidr      = local.workspace["appgwsubnetcidr"]
   env                  = local.environment
 
   # The DNS zone and DNS link are managed inside the networking module.
@@ -43,10 +44,10 @@ module "app_gateway" {
   resource_group_location = data.azurerm_resource_group.rg.location
   resource_group_name     = data.azurerm_resource_group.rg.name
 
-  blob_endpoint = module.storage.primary_web_host
-  lb_subnet     = module.networking.lbsubnet_id
-  tags          = local.management_tags
-  env           = local.environment
+  blob_endpoint   = module.storage.primary_web_host
+  appgw_subnet_id = module.networking.appgwsubnet_id
+  tags            = local.management_tags
+  env             = local.environment
 
   fqdns_ocr        = module.ocr_api.app_hostname
   fqdns_middleware = module.middleware_api.app_hostname

diff --git a/ops/terraform/modules/app_gateway/main.tf b/ops/terraform/modules/app_gateway/main.tf
@@ -39,13 +39,27 @@ resource "azurerm_application_gateway" "load_balancer" {
   location            = var.resource_group_location
 
   sku {
-    name     = "Standard_v2"
-    tier     = "Standard_v2"
+    name = "WAF_v2"
+    tier = "WAF_v2" # WAF tier depreciated, set to WAF_v2 tier 
+    # capacity = 2
+  }
+
+  autoscale_configuration {
+    min_capacity = 2
+    max_capacity = 5
+  }
+
+  # Enable Web Application Firewall
+  waf_configuration {
+    enabled          = true
+    firewall_mode    = "Prevention" # to block malicious traffic
+    rule_set_type    = "OWASP"
+    rule_set_version = "3.2"
   }
 
   gateway_ip_configuration {
-    name      = "${var.name}-gateway-ip-configuration"
-    subnet_id = var.lb_subnet
+    name      = "${var.name}-gateway-ip-configuration-${var.env}"
+    subnet_id = var.appgw_subnet_id
   }
 
   # ------- Static -------------------------
@@ -272,9 +286,4 @@ resource "azurerm_application_gateway" "load_balancer" {
       }
     }
   }
-
-  autoscale_configuration {
-    min_capacity = 0
-    max_capacity = 5
-  }
-}
+}
diff --git a/ops/terraform/modules/app_gateway/variables.tf b/ops/terraform/modules/app_gateway/variables.tf
@@ -1,7 +1,7 @@
 variable "name" {}
 variable "resource_group_name" {}
 variable "resource_group_location" {}
-variable "lb_subnet" {}
+variable "appgw_subnet_id" {}
 variable "blob_endpoint" {}
 variable "tags" {}
 
@@ -19,4 +19,4 @@ variable "ip_addresses" {
   type    = list(string)
   default = []
 }
-variable "env" {}
+variable "env" {}
diff --git a/ops/terraform/modules/network/main.tf b/ops/terraform/modules/network/main.tf
@@ -5,6 +5,17 @@ resource "azurerm_virtual_network" "vnet" {
   address_space       = [var.vnetcidr]
 }
 
+resource "azurerm_subnet" "appgw_subnet" {
+  name                 = "${var.name}-appgw-subnet-${var.env}"
+  virtual_network_name = azurerm_virtual_network.vnet.name
+  resource_group_name  = var.resource_group
+  address_prefixes     = [var.appgwsubnetcidr]
+  service_endpoints = [
+    "Microsoft.Sql",
+    "Microsoft.Storage",
+  ]
+}
+
 resource "azurerm_subnet" "web-subnet" {
   name                 = "${var.name}-web-subnet-${var.env}"
   virtual_network_name = azurerm_virtual_network.vnet.name

diff --git a/ops/terraform/modules/network/outputs.tf b/ops/terraform/modules/network/outputs.tf
@@ -8,6 +8,11 @@ output "websubnet_id" {
   description = "Id of websubnet in the network"
 }
 
+output "appgwsubnet_id" {
+  value       = azurerm_subnet.appgw_subnet.id
+  description = "ID of the appgwsubnet in the network"
+}
+
 output "dbsubnet_id" {
   value       = azurerm_subnet.db-subnet.id
   description = "Id of dbsubnet in the network"

diff --git a/ops/terraform/modules/network/variables.tf b/ops/terraform/modules/network/variables.tf
@@ -7,6 +7,7 @@ variable "ocrsubnetcidr" {}
 variable "env" {}
 variable "middlewaresubnetcidr" {}
 variable "dbsubnetcidr" {}
+variable "appgwsubnetcidr" {}
 
 variable "location" {
   default = "eastus2"