From c75061f6ea965f73c28a2b012f6f49d79ef8637c Mon Sep 17 00:00:00 2001
From: Mary Crawford <29112142+marycrawford@users.noreply.github.com>
Date: Fri, 13 Dec 2024 11:09:52 -0800
Subject: [PATCH] update app gateway with separate network and add WAF protections (#480)

* update application gateway to include WAF protection

* update appgw with WAF and separate networking

* minor syntax corrections

---------

Co-authored-by: marycrawford
---
 ops/terraform/locals.tf | 2 ++
 ops/terraform/main.tf | 9 +++---
 ops/terraform/modules/app_gateway/main.tf | 29 ++++++++++++-------
 .../modules/app_gateway/variables.tf | 4 +-
 ops/terraform/modules/network/main.tf | 11 +++++++
 ops/terraform/modules/network/outputs.tf | 5 ++++
 ops/terraform/modules/network/variables.tf | 1 +
 7 files changed, 45 insertions(+), 16 deletions(-)

diff --git a/ops/terraform/locals.tf b/ops/terraform/locals.tf
index 9f97e24c..b89969f8 100644
--- a/ops/terraform/locals.tf
+++ b/ops/terraform/locals.tf
@@ -14,6 +14,7 @@ locals {
 websubnetcidr = "10.0.3.0/24"
 lbsubnetcidr = "10.0.4.0/24"
 dbsubnetcidr = "10.0.5.0/24"
+ appgwsubnetcidr = "10.0.6.0/24"
 }
 }
 demo = {
@@ -24,6 +25,7 @@ locals {
 websubnetcidr = "10.1.3.0/24"
 lbsubnetcidr = "10.1.4.0/24"
 dbsubnetcidr = "10.1.5.0/24"
+ appgwsubnetcidr = "10.1.6.0/24"
 }
 }
 }
diff --git a/ops/terraform/main.tf b/ops/terraform/main.tf
index 0d381b84..45d63fbb 100644
--- a/ops/terraform/main.tf
+++ b/ops/terraform/main.tf
@@ -19,6 +19,7 @@ module "networking" {
 ocrsubnetcidr = local.workspace["ocrsubnetcidr"]
 middlewaresubnetcidr = local.workspace["middlewaresubnetcidr"]
 dbsubnetcidr = local.workspace["dbsubnetcidr"]
+ appgwsubnetcidr = local.workspace["appgwsubnetcidr"]
 env = local.environment
 # The DNS zone and DNS link are managed inside the networking module.
 
@@ -43,10 +44,10 @@ module "app_gateway" {
 resource_group_location = data.azurerm_resource_group.rg.location
 resource_group_name = data.azurerm_resource_group.rg.name
 
- blob_endpoint = module.storage.primary_web_host
- lb_subnet = module.networking.lbsubnet_id
- tags = local.management_tags
- env = local.environment
+ blob_endpoint = module.storage.primary_web_host
+ appgw_subnet_id = module.networking.appgwsubnet_id
+ tags = local.management_tags
+ env = local.environment
 
 fqdns_ocr = module.ocr_api.app_hostname
 fqdns_middleware = module.middleware_api.app_hostname
diff --git a/ops/terraform/modules/app_gateway/main.tf b/ops/terraform/modules/app_gateway/main.tf
index 2395b15b..ffe8e489 100644
--- a/ops/terraform/modules/app_gateway/main.tf
+++ b/ops/terraform/modules/app_gateway/main.tf
@@ -39,13 +39,27 @@ resource "azurerm_application_gateway" "load_balancer" {
 location = var.resource_group_location
 
 sku {
- name = "Standard_v2"
- tier = "Standard_v2"
+ name = "WAF_v2"
+ tier = "WAF_v2" # WAF tier depreciated, set to WAF_v2 tier
+ # capacity = 2
+ }
+
+ autoscale_configuration {
+ min_capacity = 2
+ max_capacity = 5
+ }
+
+ # Enable Web Application Firewall
+ waf_configuration {
+ enabled = true
+ firewall_mode = "Prevention" # to block malicious traffic
+ rule_set_type = "OWASP"
+ rule_set_version = "3.2"
 }
 
 gateway_ip_configuration {
- name = "${var.name}-gateway-ip-configuration"
- subnet_id = var.lb_subnet
+ name = "${var.name}-gateway-ip-configuration-${var.env}"
+ subnet_id = var.appgw_subnet_id
 }
 
 # ------- Static -------------------------
@@ -272,9 +286,4 @@ resource "azurerm_application_gateway" "load_balancer" {
 }
 }
 }
-
- autoscale_configuration {
- min_capacity = 0
- max_capacity = 5
- }
-}
\ No newline at end of file
+}
diff --git a/ops/terraform/modules/app_gateway/variables.tf b/ops/terraform/modules/app_gateway/variables.tf
index 075aadd3..ed911168 100644
--- a/ops/terraform/modules/app_gateway/variables.tf
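Review bot: Replacing `lb_subnet` with `appgw_subnet_id` moves an already-deployed gateway's `gateway_ip_configuration` to a different subnet, which, as far as I know, Azure only permits while a v2 gateway is stopped — expect `terraform plan` to show a replacement or the apply to be rejected, so treat this as a downtime change and confirm the public IP and listeners survive it. The `lbsubnet_id` output and `lbsubnetcidr` (10.0.4.0/24) are no longer consumed by this module; if nothing else in the root module references them, retire that subnet rather than leaving an unused subnet with its own service endpoints in the VNet. The `module "app_gateway"` block continues outside the hunk.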
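Review bot: The new `waf_configuration` goes straight to `firewall_mode = "Prevention"` with OWASP CRS 3.2 on a gateway that, judging by the `fqdns_ocr` backend wired up in main.tf, presumably receives document uploads, and nothing in the patch shows a detection phase or WAF logging to surface false positives first. I would ship with `firewall_mode = "Detection"`, verify that the `ApplicationGatewayFirewallLog` diagnostic category is collected (not visible here), and only then switch to Prevention together with any exclusions and explicit `file_upload_limit_mb` / `max_request_body_size_kb` values the OCR path needs. Consider also moving the rules into an `azurerm_web_application_firewall_policy` referenced via `firewall_policy_id`: the inline block cannot express per-rule overrides or custom rules, and the newer Microsoft Default Rule Set is only available through a policy resource. Minor: the comment on the `tier` line should read "deprecated", and the commented-out `# capacity = 2` is dead once `autoscale_configuration` is set. The `azurerm_application_gateway` resource continues outside the hunk.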
+++ b/ops/terraform/modules/app_gateway/variables.tf
@@ -1,7 +1,7 @@
 variable "name" {}
 variable "resource_group_name" {}
 variable "resource_group_location" {}
-variable "lb_subnet" {}
+variable "appgw_subnet_id" {}
 variable "blob_endpoint" {}
 variable "tags" {}
 
@@ -19,4 +19,4 @@ variable "ip_addresses" {
 type = list(string)
 default = []
 }
-variable "env" {}
\ No newline at end of file
+variable "env" {}
diff --git a/ops/terraform/modules/network/main.tf b/ops/terraform/modules/network/main.tf
index c498ef68..d36676fc 100644
--- a/ops/terraform/modules/network/main.tf
+++ b/ops/terraform/modules/network/main.tf
@@ -5,6 +5,17 @@ resource "azurerm_virtual_network" "vnet" {
 address_space = [var.vnetcidr]
 }
 
+resource "azurerm_subnet" "appgw_subnet" {
+ name = "${var.name}-appgw-subnet-${var.env}"
+ virtual_network_name = azurerm_virtual_network.vnet.name
+ resource_group_name = var.resource_group
+ address_prefixes = [var.appgwsubnetcidr]
+ service_endpoints = [
+ "Microsoft.Sql",
+ "Microsoft.Storage",
+ ]
+}
+
 resource "azurerm_subnet" "web-subnet" {
 name = "${var.name}-web-subnet-${var.env}"
 virtual_network_name = azurerm_virtual_network.vnet.name
diff --git a/ops/terraform/modules/network/outputs.tf b/ops/terraform/modules/network/outputs.tf
index ed901463..12f941da 100644
--- a/ops/terraform/modules/network/outputs.tf
+++ b/ops/terraform/modules/network/outputs.tf
@@ -8,6 +8,11 @@ output "websubnet_id" {
 description = "Id of websubnet in the network"
 }
 
+output "appgwsubnet_id" {
+ value = azurerm_subnet.appgw_subnet.id
+ description = "ID of the appgwsubnet in the network"
+}
+
 output "dbsubnet_id" {
 value = azurerm_subnet.db-subnet.id
 description = "Id of dbsubnet in the network"
diff --git a/ops/terraform/modules/network/variables.tf b/ops/terraform/modules/network/variables.tf
index 7a8a63e3..79be04fb 100644
--- a/ops/terraform/modules/network/variables.tf
+++ b/ops/terraform/modules/network/variables.tf
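Review bot: `variable "appgw_subnet_id" {}` is declared without a `type` or `description`, like its siblings, and the rename from `lb_subnet` is a breaking input change — any other caller of this module that still passes `lb_subnet` will fail at plan time, and only ops/terraform/main.tf is updated in this patch. Since the interface is changing anyway, add `type = string` and a description such as `"Resource ID of the dedicated subnet the Application Gateway is deployed into"` so a wrong value is rejected with a clear message instead of surfacing as an Azure API error. The same applies to the new `appgwsubnetcidr` variable in the network module.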
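Review bot: The new `appgw_subnet` carries a `Microsoft.Sql` service endpoint, but an Application Gateway subnet is dedicated to the gateway and the gateway only reaches its backends over HTTP(S), so nothing visible here needs SQL from that subnet; any future SQL firewall VNet rule that lists it would open a path from the internet-facing gateway subnet straight to the database. Unless something does require it, trim the list to `service_endpoints = ["Microsoft.Storage"]` — Storage is plausibly needed because the gateway fronts `module.storage.primary_web_host` (inferred from main.tf, which is outside this hunk). Note also that no NSG is associated with the subnet in this patch; if one is attached later it must allow inbound 65200-65535 from the GatewayManager service tag plus the listener ports, or the v2 gateway will fail to deploy.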
@@ -7,6 +7,7 @@ variable "ocrsubnetcidr" {} variable "env" {} variable "middlewaresubnetcidr" {} variable "dbsubnetcidr" {} +variable "appgwsubnetcidr" {} variable "location" { default = "eastus2"