From 1b1172d2d1758cec53b961525287ffaf5d589c45 Mon Sep 17 00:00:00 2001
From: Ash Davies <3853061+DrizzlyOwl@users.noreply.github.com>
Date: Wed, 24 Jul 2024 17:30:06 +0100
Subject: [PATCH] Set custom CDN waf rules (#101)

* this will be used for specific cases where we want requests to bypass the rate limit policy
---
 terraform/README.md | 1 +
 terraform/container-apps-hosting.tf | 1 +
 terraform/locals.tf | 6 +++---
 terraform/variables.tf | 16 ++++++++++++++++
 4 files changed, 21 insertions(+), 3 deletions(-)

diff --git a/terraform/README.md b/terraform/README.md
index 1b0aa90..7e2264b 100644
--- a/terraform/README.md
+++ b/terraform/README.md
@@ -173,6 +173,7 @@ If everything looks good, answer `yes` and wait for the new infrastructure to be
 | [cdn\_frontdoor\_host\_add\_response\_headers](#input\_cdn\_frontdoor\_host\_add\_response\_headers) | List of response headers to add at the CDN Front Door `[{ "name" = "Strict-Transport-Security", "value" = "max-age=31536000" }]` | `list(map(string))` | n/a | yes |
 | [cdn\_frontdoor\_origin\_fqdn\_override](#input\_cdn\_frontdoor\_origin\_fqdn\_override) | Manually specify the hostname that the CDN Front Door should target. Defaults to the Container App FQDN | `string` | `""` | no |
 | [cdn\_frontdoor\_origin\_host\_header\_override](#input\_cdn\_frontdoor\_origin\_host\_header\_override) | Manually specify the host header that the CDN sends to the target. Defaults to the recieved host header. Set to null to set it to the host\_name (`cdn_frontdoor_origin_fqdn_override`) | `string` | `""` | no |
+| [cdn\_frontdoor\_waf\_custom\_rules](#input\_cdn\_frontdoor\_waf\_custom\_rules) | Map of all Custom rules you want to apply to the CDN WAF |
map(object({
priority : number,
action : string
match_conditions : map(object({
match_variable : string,
match_values : optional(list(string), []),
operator : optional(string, "Any"),
selector : optional(string, null),
negation_condition : optional(bool, false),
}))
}))
| `{}` | no |
 | [container\_apps\_allow\_ips\_inbound](#input\_container\_apps\_allow\_ips\_inbound) | Restricts access to the Container Apps by creating a network security group rule that only allow inbound traffic from the provided list of IPs | `list(string)` | `[]` | no |
 | [container\_command](#input\_container\_command) | Container command | `list(any)` | n/a | yes |
 | [container\_health\_probe\_path](#input\_container\_health\_probe\_path) | Specifies the path that is used to determine the liveness of the Container | `string` | `"/"` | no |
diff --git a/terraform/container-apps-hosting.tf b/terraform/container-apps-hosting.tf
index f97f1fb..d1b5f01 100644
--- a/terraform/container-apps-hosting.tf
+++ b/terraform/container-apps-hosting.tf
@@ -30,6 +30,7 @@ module "azure_container_apps_hosting" {
 enable_cdn_frontdoor = local.enable_cdn_frontdoor
 cdn_frontdoor_forwarding_protocol = local.cdn_frontdoor_forwarding_protocol
 cdn_frontdoor_enable_rate_limiting = local.cdn_frontdoor_enable_rate_limiting
+ cdn_frontdoor_waf_custom_rules = local.cdn_frontdoor_waf_custom_rules
 cdn_frontdoor_host_add_response_headers = local.cdn_frontdoor_host_add_response_headers
 cdn_frontdoor_custom_domains = local.cdn_frontdoor_custom_domains
 cdn_frontdoor_origin_fqdn_override = local.cdn_frontdoor_origin_fqdn_override
diff --git a/terraform/locals.tf b/terraform/locals.tf
index 10099b5..73d6f81 100644
--- a/terraform/locals.tf
+++ b/terraform/locals.tf
@@ -45,7 +45,7 @@ locals {
 statuscake_contact_group_name = var.statuscake_contact_group_name
 statuscake_contact_group_integrations = var.statuscake_contact_group_integrations
 statuscake_contact_group_email_addresses = var.statuscake_contact_group_email_addresses
-
- resource_prefix = "${local.environment}${local.project_name}"
- private_endpoint_configurations = var.private_endpoint_configurations
+ cdn_frontdoor_waf_custom_rules = var.cdn_frontdoor_waf_custom_rules
+ resource_prefix = "${local.environment}${local.project_name}"
+ private_endpoint_configurations = var.private_endpoint_configurations
 }
diff --git a/terraform/variables.tf b/terraform/variables.tf
index ad38889..d3a991e 100644
--- a/terraform/variables.tf
+++ b/terraform/variables.tf
@@ -334,3 +334,19 @@ variable "private_endpoint_configurations" {
 }))
 default = {}
 }
+
+variable "cdn_frontdoor_waf_custom_rules" {
+ description = "Map of all Custom rules you want to apply to the CDN WAF"
+ type = map(object({
+ priority : number,
+ action : string
+ match_conditions : map(object({
+ match_variable : string,
+ match_values : optional(list(string), []),
+ operator : optional(string, "Any"),
+ selector : optional(string, null),
+ negation_condition : optional(bool, false),
+ }))
+ }))
+ default = {}
+}
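Review bot: The new `cdn_frontdoor_waf_custom_rules` variable in the variables.tf hunk accepts any string for `action` and any number for `priority` with no `validation` block, even though the commit message says these rules exist to let requests bypass the rate-limit policy, so a mistyped action or a duplicated priority is only caught at apply time and an over-broad match is not caught at all. As far as I recall, in Azure Front Door WAF an `Allow` custom rule ends evaluation for matching requests, so a rule left at the type's defaults (`operator = "Any"`, empty `match_values`) with `action = "Allow"` would exempt that traffic from the rate-limit rule and the managed rule sets alike; the description should state this rather than just "Map of all Custom rules you want to apply to the CDN WAF". I would change the description to `"Map of custom rules to apply to the CDN WAF. An Allow rule stops evaluation for matching requests, so it also bypasses rate limiting and managed rules; keep match conditions narrow and give each rule a unique priority."` and add the validation blocks below, restricting `action` to the values the azurerm provider accepts (Allow, Block, Log and, I believe, Redirect) and requiring distinct priorities. Whether a rule must also carry a lower priority number than the rate-limit rule to take effect depends on the hosting module, which is outside this diff. Style only: `action : string` is the one attribute without a trailing comma, unlike `priority : number,` and the nested attributes.
```hcl
variable "cdn_frontdoor_waf_custom_rules" {
  # … unchanged: description, type, default …

  validation {
    condition = alltrue([
      for rule in var.cdn_frontdoor_waf_custom_rules : contains(["Allow", "Block", "Log", "Redirect"], rule.action)
    ])
    error_message = "Each custom rule's action must be one of Allow, Block, Log or Redirect."
  }

  validation {
    condition     = length(distinct([for rule in var.cdn_frontdoor_waf_custom_rules : rule.priority])) == length(var.cdn_frontdoor_waf_custom_rules)
    error_message = "Custom rule priorities must be unique."
  }
}
```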