From bf827b9e75f3c5d8d59d185b9db0e79dd1398c6d Mon Sep 17 00:00:00 2001
From: Ash Davies <3853061+DrizzlyOwl@users.noreply.github.com>
Date: Fri, 24 Jan 2025 10:57:52 +0000
Subject: [PATCH] Remove Azure Front Door CDN

We are moving to use a consolidated AFD so these changes allow us to detach the service from the existing front door and manually specify the DNS and Monitor FQDN so that we can connect the public domain name to the consolidated AFD
---
 terraform/.terraform.lock.hcl | 36 +++++++++++------------------
 terraform/README.md | 14 ++++++-----
 terraform/container-apps-hosting.tf | 10 ++++---
 terraform/locals.tf | 2 ++
 terraform/variables.tf | 23 +++++++++++++++++-
 5 files changed, 51 insertions(+), 34 deletions(-)

diff --git a/terraform/.terraform.lock.hcl b/terraform/.terraform.lock.hcl
index 97d83b85d..c4c7c5a3a 100644
--- a/terraform/.terraform.lock.hcl
+++ b/terraform/.terraform.lock.hcl
@@ -62,32 +62,22 @@ provider "registry.terraform.io/hashicorp/azuread" { } provider "registry.terraform.io/hashicorp/azurerm" { - version = "4.14.0" + version = "4.16.0" constraints = "~> 4.0" hashes = [ - "h1:0vnSH0it190JunY2VIdPlzOaWVzR8gKfjZCc29Qdwpk=", - "h1:AvHvgsde5hTJioU4D5XhuJpmGgyvIU8Cj0BH1f+sy0Y=", - "h1:BnU3mIjOiXS1qhv7gTPIS6oV3pp2HmYzexdXrGHf9vE=", - "h1:FYWhn/x1jSjnxUsKkV4+sXIfOc+H3Sq8ja/ZBB2IAaU=", - "h1:FYZ9qh8i3X2gDmUTe1jJ/VzdSyjGjVmhBzv2R8D6CBo=", - "h1:OiREudlhrYJGfWsf+QKXFtGcwVX62RMXFEEFOazAGwk=", - "h1:RdNHts0bahy1JX2YVMFey55h75W3+RVE4UZja3BCEGQ=", - "h1:cGkb9Ps5A1FwXO7BaZ9T7Ufe79gsNzk6lfaNfcWn0+s=", - "h1:kkfx+23uWhA5e6ME3NykR0isgarJo+83RPK6lCg+Ip0=", - "h1:rIGu+pzk0AN1gCytz240hM7b0SfkAqYjIbLXBpUHN50=", - "h1:sFyae2LAIb4zB9x1064E8tzsPgP8YCI/83NxMbxeUl4=", - "zh:05aaea16fc5f27b14d9fbad81654edf0638949ed3585576b2219c76a2bee095a", - "zh:065ce6ed16ba3fa7efcf77888ea582aead54e6a28f184c6701b73d71edd64bb0", - "zh:3c0cd17c249d18aa2e0120acb5f0c14810725158b379a67fec1331110e7c50df", - "zh:5a3ba3ffb2f1ce519fe3bf84a7296aa5862c437c70c62f0b0a5293bea9f2d01c", - "zh:7a8e9d72fa2714f4d567270b1761d4b4e788de7c15dada7db0cf0e29933185a2", - "zh:a11e190073f31c1238c15af29b9162e0f4564f6b0cd0310a3fa94102738450dc", - "zh:a5c004114410cc6dcb8fed584c9f3b84283b58025b0073a7e88d2bdb27840dfa", - "zh:a674a41db118e244eda7591e455d2ec338626664e0856e4125e909eb038f78db", - "zh:b5139010e4cbb2cb1a27c775610593c1c8063d3a7c82b00a65006509c434df2f", - "zh:cbb031223ccd8b099ac4d19b92641142f330b90f2fc6452843e445bae28f832c", + "h1:uulWiJ93kZmKKh6/EtHktJQ901npRmTb/ao7oTP402w=", + "zh:2035e461a94bd4180557a06f8e56f228a8a035608d0dac4d08e5870cf9265276", + "zh:3f15778a22ef1b9d0fa28670e5ea6ef1094b0be2533f43f350a2ef15d471b353", + "zh:4f1a4d03b008dd958bcd6bf82cf088fbaa9c121be2fd35e10e6b06c6e8f6aaa1", + "zh:5859f31c342364e849b4f8c437a46f33e927fa820244d0732b8d2ec74a95712d", + "zh:693d0f15512ca8c6b5e999b3a7551503feb06b408b3836bc6a6403e518b9ddab", + 
"zh:7f4912bec5b04f5156935292377c12484c13582151eb3c2555df409a7e5fb6e0", + "zh:bb9a509497f3a131c52fac32348919bf1b9e06c69a65f24607b03f7b56fb47b6", + "zh:c1b0c64e49ac591fd038ad71e71403ff71c07476e27e8da718c29f0028ea6d0d", + "zh:dd4ca432ee14eb0bb0cdc0bb463c8675b8ef02497be870a20d8dfee3e7fe52b3", + "zh:df58bb7fea984d2b11709567842ca4d55b3f24e187aa6be99e3677f55cbbe7da", "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", - "zh:f7e7db1b94082a4ac3d4af3dabe7bbd335e1679305bf8e29d011f0ee440724ca", + "zh:f7fb37704da50c096f9c7c25e8a95fe73ce1d3c5aab0d616d506f07bc5cfcdd8", ] } diff --git a/terraform/README.md b/terraform/README.md index c1712d3c9..fdd232fb4 100644 --- a/terraform/README.md +++ b/terraform/README.md @@ -139,7 +139,7 @@ No providers. | Name | Source | Version | |------|--------|---------| -| [azure\_container\_apps\_hosting](#module\_azure\_container\_apps\_hosting) | github.com/DFE-Digital/terraform-azurerm-container-apps-hosting | v1.16.3 | +| [azure\_container\_apps\_hosting](#module\_azure\_container\_apps\_hosting) | github.com/DFE-Digital/terraform-azurerm-container-apps-hosting | v1.16.5 | | [azurerm\_key\_vault](#module\_azurerm\_key\_vault) | github.com/DFE-Digital/terraform-azurerm-key-vault-tfvars | v0.5.1 | | [data\_protection](#module\_data\_protection) | github.com/DFE-Digital/terraform-azurerm-aspnet-data-protection | v1.2.0 | | [statuscake-tls-monitor](#module\_statuscake-tls-monitor) | github.com/dfe-digital/terraform-statuscake-tls-monitor | v0.1.5 | 
@@ -157,10 +157,10 @@ No resources. | [azure\_location](#input\_azure\_location) | Azure location in which to launch resources. | `string` | n/a | yes | | [azure\_subscription\_id](#input\_azure\_subscription\_id) | Service Principal Subscription ID | `string` | n/a | yes | | [azure\_tenant\_id](#input\_azure\_tenant\_id) | Service Principal Tenant ID | `string` | n/a | yes | -| [cdn\_frontdoor\_custom\_domains](#input\_cdn\_frontdoor\_custom\_domains) | Azure CDN Front Door custom domains. If they are within the DNS zone (optionally created), the Validation TXT records and ALIAS/CNAME records will be created | `list(string)` | n/a | yes | -| [cdn\_frontdoor\_enable\_rate\_limiting](#input\_cdn\_frontdoor\_enable\_rate\_limiting) | Enable CDN Front Door Rate Limiting. This will create a WAF policy, and CDN security policy. For pricing reasons, there will only be one WAF policy created. | `bool` | n/a | yes | +| [cdn\_frontdoor\_custom\_domains](#input\_cdn\_frontdoor\_custom\_domains) | Azure CDN Front Door custom domains. If they are within the DNS zone (optionally created), the Validation TXT records and ALIAS/CNAME records will be created | `list(string)` | `[]` | no | +| [cdn\_frontdoor\_enable\_rate\_limiting](#input\_cdn\_frontdoor\_enable\_rate\_limiting) | Enable CDN Front Door Rate Limiting. This will create a WAF policy, and CDN security policy. For pricing reasons, there will only be one WAF policy created. | `bool` | `false` | no | | [cdn\_frontdoor\_forwarding\_protocol](#input\_cdn\_frontdoor\_forwarding\_protocol) | Azure CDN Front Door forwarding protocol | `string` | `"HttpsOnly"` | no | -| [cdn\_frontdoor\_health\_probe\_path](#input\_cdn\_frontdoor\_health\_probe\_path) | Specifies the path relative to the origin that is used to determine the health of the origin. 
| `string` | n/a | yes | +| [cdn\_frontdoor\_health\_probe\_path](#input\_cdn\_frontdoor\_health\_probe\_path) | Specifies the path relative to the origin that is used to determine the health of the origin. | `string` | `"/"` | no | | [cdn\_frontdoor\_host\_add\_response\_headers](#input\_cdn\_frontdoor\_host\_add\_response\_headers) | List of response headers to add at the CDN Front Door `[{ "name" = "Strict-Transport-Security", "value" = "max-age=31536000" }]` | `list(map(string))` | n/a | yes | | [cdn\_frontdoor\_host\_redirects](#input\_cdn\_frontdoor\_host\_redirects) | CDN Front Door host redirects `[{ "from" = "example.com", "to" = "www.example.com" }]` | `list(map(string))` | `[]` | no | | [cdn\_frontdoor\_origin\_fqdn\_override](#input\_cdn\_frontdoor\_origin\_fqdn\_override) | Manually specify the hostname that the CDN Front Door should target. Defaults to the Container App FQDN | `string` | `""` | no | @@ -180,13 +180,14 @@ No resources. | [container\_port](#input\_container\_port) | Container port | `number` | `8080` | no | | [container\_scale\_http\_concurrency](#input\_container\_scale\_http\_concurrency) | When the number of concurrent HTTP requests exceeds this value, then another replica is added. Replicas continue to add to the pool up to the max-replicas amount. | `number` | `10` | no | | [container\_secret\_environment\_variables](#input\_container\_secret\_environment\_variables) | Container secret environment variables | `map(string)` | n/a | yes | +| [dns\_alias\_records](#input\_dns\_alias\_records) | DNS ALIAS records to add to the DNS Zone |
map(
object({
ttl : optional(number, 300),
target_resource_id : string
})
)
| `{}` | no | | [dns\_mx\_records](#input\_dns\_mx\_records) | DNS MX records to add to the DNS Zone |
map(
object({
ttl : optional(number, 300),
records : list(
object({
preference : number,
exchange : string
})
)
})
)
| `{}` | no | | [dns\_ns\_records](#input\_dns\_ns\_records) | DNS NS records to add to the DNS Zone |
map(
object({
ttl : optional(number, 300),
records : list(string)
})
)
| n/a | yes | | [dns\_txt\_records](#input\_dns\_txt\_records) | DNS TXT records to add to the DNS Zone |
map(
object({
ttl : optional(number, 300),
records : list(string)
})
)
| n/a | yes | | [dns\_zone\_domain\_name](#input\_dns\_zone\_domain\_name) | DNS zone domain name. If created, records will automatically be created to point to the CDN. | `string` | n/a | yes | | [enable\_cdn\_frontdoor](#input\_enable\_cdn\_frontdoor) | Enable Azure CDN FrontDoor. This will use the Container Apps endpoint as the origin. | `bool` | `false` | no | -| [enable\_cdn\_frontdoor\_health\_probe](#input\_enable\_cdn\_frontdoor\_health\_probe) | Enable CDN Front Door health probe | `bool` | n/a | yes | -| [enable\_cdn\_frontdoor\_vdp\_redirects](#input\_enable\_cdn\_frontdoor\_vdp\_redirects) | Deploy redirects for security.txt and thanks.txt to an external Vulnerability Disclosure Program service | `bool` | `true` | no | +| [enable\_cdn\_frontdoor\_health\_probe](#input\_enable\_cdn\_frontdoor\_health\_probe) | Enable CDN Front Door health probe | `bool` | `false` | no | +| [enable\_cdn\_frontdoor\_vdp\_redirects](#input\_enable\_cdn\_frontdoor\_vdp\_redirects) | Deploy redirects for security.txt and thanks.txt to an external Vulnerability Disclosure Program service | `bool` | `false` | no | | [enable\_container\_app\_file\_share](#input\_enable\_container\_app\_file\_share) | Create an Azure Storage Account and File Share to be mounted to the Container Apps | `bool` | n/a | yes | | [enable\_container\_health\_probe](#input\_enable\_container\_health\_probe) | Enable liveness probes for the Container | `bool` | `true` | no | | [enable\_container\_registry](#input\_enable\_container\_registry) | Set to true to create a container registry | `bool` | n/a | yes | 
@@ -208,6 +209,7 @@ No resources.
 | [key\_vault\_access\_ipv4](#input\_key\_vault\_access\_ipv4) | List of IPv4 Addresses that are permitted to access the Key Vault | `list(string)` | n/a | yes |
 | [monitor\_email\_receivers](#input\_monitor\_email\_receivers) | A list of email addresses that will receive alerts from App Insights | `list(string)` | n/a | yes |
 | [monitor\_endpoint\_healthcheck](#input\_monitor\_endpoint\_healthcheck) | Specify a route that should be monitored for a 200 OK status | `string` | n/a | yes |
+| [monitor\_http\_availability\_fqdn](#input\_monitor\_http\_availability\_fqdn) | Specify a FQDN to monitor for HTTP Availability. Leave unset to dynamically calculate the correct FQDN | `string` | `""` | no |
 | [mssql\_azuread\_admin\_object\_id](#input\_mssql\_azuread\_admin\_object\_id) | Object ID of a User within Azure AD that you want to assign as the SQL Server Administrator | `string` | `""` | no |
 | [mssql\_azuread\_admin\_username](#input\_mssql\_azuread\_admin\_username) | Username of a User within Azure AD that you want to assign as the SQL Server Administrator | `string` | `""` | no |
 | [mssql\_database\_name](#input\_mssql\_database\_name) | The name of the MSSQL database to create. Must be set if `enable_mssql_database` is true | `string` | n/a | yes |
diff --git a/terraform/container-apps-hosting.tf b/terraform/container-apps-hosting.tf
index e3bf1a4d1..a2c04c45c 100644
--- a/terraform/container-apps-hosting.tf
+++ b/terraform/container-apps-hosting.tf
@@ -1,5 +1,5 @@
 module "azure_container_apps_hosting" {
- source = "github.com/DFE-Digital/terraform-azurerm-container-apps-hosting?ref=v1.16.3"
+ source = "github.com/DFE-Digital/terraform-azurerm-container-apps-hosting?ref=v1.16.5"
 
 environment = local.environment
 project_name = local.project_name
@@ -64,6 +64,7 @@ module "azure_container_apps_hosting" {
 
 enable_dns_zone = local.enable_dns_zone
 dns_zone_domain_name = local.dns_zone_domain_name
+ dns_alias_records = local.dns_alias_records
 dns_ns_records = local.dns_ns_records
 dns_txt_records = local.dns_txt_records
 dns_mx_records = local.dns_mx_records
@@ -72,9 +73,10 @@ module "azure_container_apps_hosting" {
 enable_logstash_consumer = local.enable_logstash_consumer
 eventhub_export_log_analytics_table_names = local.eventhub_export_log_analytics_table_names
 
- enable_monitoring = local.enable_monitoring
- monitor_email_receivers = local.monitor_email_receivers
- monitor_endpoint_healthcheck = local.monitor_endpoint_healthcheck
+ enable_monitoring = local.enable_monitoring
+ monitor_email_receivers = local.monitor_email_receivers
+ monitor_endpoint_healthcheck = local.monitor_endpoint_healthcheck
+ monitor_http_availability_fqdn = local.monitor_http_availability_fqdn
 
 enable_container_app_file_share = local.enable_container_app_file_share
 storage_account_ipv4_allow_list = local.storage_account_ipv4_allow_list
diff --git a/terraform/locals.tf b/terraform/locals.tf
index d4e80d768..835213770 100644
--- a/terraform/locals.tf
+++ b/terraform/locals.tf
@@ -74,4 +74,6 @@ locals {
 health_insights_api_ipv4_allow_list = var.health_insights_api_ipv4_allow_list
 enable_cdn_frontdoor_vdp_redirects = var.enable_cdn_frontdoor_vdp_redirects
 cdn_frontdoor_vdp_destination_hostname = var.cdn_frontdoor_vdp_destination_hostname
+ dns_alias_records = var.dns_alias_records
+ monitor_http_availability_fqdn = var.monitor_http_availability_fqdn
 }
diff --git a/terraform/variables.tf b/terraform/variables.tf
index 7f59a6d8a..aacdd1f46 100644
--- a/terraform/variables.tf
+++ b/terraform/variables.tf
@@ -121,6 +121,7 @@ variable "container_apps_allow_ips_inbound" {
 variable "enable_cdn_frontdoor_health_probe" {
 description = "Enable CDN Front Door health probe"
 type = bool
+ default = false
 }
 
 variable "enable_dns_zone" {
@@ -172,6 +173,7 @@ variable "dns_mx_records" {
 variable "cdn_frontdoor_custom_domains" {
 description = "Azure CDN Front Door custom domains. If they are within the DNS zone (optionally created), the Validation TXT records and ALIAS/CNAME records will be created"
 type = list(string)
+ default = []
 }
 
 variable "cdn_frontdoor_host_redirects" {
@@ -255,6 +257,7 @@ variable "container_health_probe_path" {
 variable "cdn_frontdoor_health_probe_path" {
 description = "Specifies the path relative to the origin that is used to determine the health of the origin."
 type = string
+ default = "/"
 }
 
 variable "container_cpu" {
@@ -280,6 +283,7 @@ variable "container_max_replicas" {
 variable "cdn_frontdoor_enable_rate_limiting" {
 description = "Enable CDN Front Door Rate Limiting. This will create a WAF policy, and CDN security policy. For pricing reasons, there will only be one WAF policy created."
 type = bool
+ default = false
 }
 
 variable "cdn_frontdoor_rate_limiting_duration_in_minutes" {
@@ -471,7 +475,7 @@ variable "health_insights_api_ipv4_allow_list" {
 variable "enable_cdn_frontdoor_vdp_redirects" {
 description = "Deploy redirects for security.txt and thanks.txt to an external Vulnerability Disclosure Program service"
 type = bool
- default = true
+ default = false
 }
 
 variable "cdn_frontdoor_vdp_destination_hostname" {
@@ -479,3 +483,20 @@ variable "cdn_frontdoor_vdp_destination_hostname" {
 type = string
 default = "vdp.security.education.gov.uk"
 }
+
+variable "dns_alias_records" {
+ description = "DNS ALIAS records to add to the DNS Zone"
+ type = map(
+ object({
+ ttl : optional(number, 300),
+ target_resource_id : string
+ })
+ )
+ default = {}
+}
+
+variable "monitor_http_availability_fqdn" {
+ description = "Specify a FQDN to monitor for HTTP Availability. Leave unset to dynamically calculate the correct FQDN"
+ type = string
+ default = ""
+}
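Review bot: Flipping the default of `enable_cdn_frontdoor_vdp_redirects` from `true` to `false` in the `@@ -471` hunk silently drops the security.txt/thanks.txt redirects for every environment whose tfvars do not set the variable explicitly, and neither the variable description nor the commit message says where that responsibility now lives. Since the commit moves the public hostname to a consolidated Front Door, the redirects (and, by the same logic, the WAF/rate-limiting created by `cdn_frontdoor_enable_rate_limiting`, which also gains a `false` default here) presumably have to be configured on that shared AFD instead, but nothing in this patch records that. Suggest extending the description to `"Deploy redirects for security.txt and thanks.txt to an external Vulnerability Disclosure Program service. Only applies to a Front Door created by this module; when the public hostname is served by a shared/consolidated Front Door the redirects must be configured there instead"`. It is also worth checking each environment's tfvars before merging so the VDP entry point is not lost in the migration.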
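Review bot: The new `monitor_http_availability_fqdn` variable in the `@@ -479` hunk accepts any string, but its description promises a bare FQDN and the monitor presumably builds the probe URL from it, so a value such as `https://example.gov.uk/` or `example.gov.uk:443` would only fail (or probe the wrong target) at apply time rather than at plan. A `validation` block restricting it to hostname characters catches that early; `dns_alias_records[*].target_resource_id` could likewise be checked to start with `/subscriptions/`, since an ALIAS record pointing at the wrong resource ID is exactly the kind of misconfiguration that lets a public hostname dangle. The enclosing variables.tf continues beyond the hunk. Suggested validation for the FQDN variable:
```hcl
variable "monitor_http_availability_fqdn" {
  # … unchanged: description, type, default …

  validation {
    condition     = var.monitor_http_availability_fqdn == "" || can(regex("^[A-Za-z0-9.-]+$", var.monitor_http_availability_fqdn))
    error_message = "monitor_http_availability_fqdn must be a bare hostname (no scheme, port or path), or empty."
  }
}
```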