From 780aee6321b0b1e77a4083780faca84c87106697 Mon Sep 17 00:00:00 2001
From: Arpith Varghese
Date: Fri, 20 Sep 2024 15:26:52 -0700
Subject: [PATCH 1/2] Add terraform snippet to enable NAP

---
 .../with-web-application-firewall/README.md | 19 +++++
 .../with-web-application-firewall/main.tf | 85 +++++++++++++++++++
 .../with-web-application-firewall/output.tf | 4 +
 .../variables.tf | 22 +++++
 4 files changed, 130 insertions(+)
 create mode 100644 terraform/deployments/with-web-application-firewall/README.md
 create mode 100644 terraform/deployments/with-web-application-firewall/main.tf
 create mode 100644 terraform/deployments/with-web-application-firewall/output.tf
 create mode 100644 terraform/deployments/with-web-application-firewall/variables.tf

diff --git a/terraform/deployments/with-web-application-firewall/README.md b/terraform/deployments/with-web-application-firewall/README.md
new file mode 100644
index 0000000..95ab224
--- /dev/null
+++ b/terraform/deployments/with-web-application-firewall/README.md
@@ -0,0 +1,19 @@
+# Manage an NGINXaaS for Azure deployment.
+
+### Usage
+
+The code in this directory can be used to managed an **NGINXaaS for Azure deployment**.
+
+To create a deployment, run the following commands:
+
+```shell
+terraform init
+terraform plan
+terraform apply --auto-approve
+```
+
+Once the deployment is no longer needed, run the following to clean up the deployment and related resources:
+
+```shell
+terraform destroy --auto-approve
+```
diff --git a/terraform/deployments/with-web-application-firewall/main.tf b/terraform/deployments/with-web-application-firewall/main.tf
new file mode 100644
index 0000000..6b5e242
--- /dev/null
+++ b/terraform/deployments/with-web-application-firewall/main.tf
@@ -0,0 +1,85 @@
+terraform {
+ required_version = "~> 1.3"
+ required_providers {
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = "~> 3.97"
+ }
+ }
+}
+
+provider "azurerm" {
+ features {}
+ subscription_id = "ee920d60-90f3-4a92-b5e7-bb284c3a6ce2"
+}
+
+module "prerequisites" {
+ source = "../../prerequisites"
+ location = var.location
+ name = var.name
+ tags = var.tags
+}
+
+resource "azurerm_nginx_deployment" "example" {
+ name = var.name
+ resource_group_name = module.prerequisites.resource_group_name
+ sku = var.sku
+ location = var.location
+ capacity = 20
+ automatic_upgrade_channel = "stable"
+ diagnose_support_enabled = true
+ identity {
+ type = "UserAssigned"
+ identity_ids = [module.prerequisites.managed_identity_id]
+ }
+ frontend_public {
+ ip_address = [module.prerequisites.public_ip_address_id]
+ }
+ network_interface {
+ subnet_id = module.prerequisites.subnet_id
+ }
+ nginx_app_protect {
+ web_application_firewall_settings {
+ activation_state = "Enabled"
+ }
+ }
+ tags = var.tags
+}
+
+resource "azurerm_nginx_configuration" "example-config" {
+ nginx_deployment_id = azurerm_nginx_deployment.example.id
+ root_file = "/etc/nginx/nginx.conf"
+
+ config_file {
+ content = base64encode(<<-EOT
+user nginx;
+worker_processes auto;
+worker_rlimit_nofile 8192;
+pid /run/nginx/nginx.pid;
+
+events {
+ worker_connections 4000;
+}
+
+error_log /var/log/nginx/error.log error;
+
+http {
+ server {
+ listen 80 default_server;
+ server_name localhost;
+ location / {
+ return 200 'Hello World';
+ }
+ }
+}
+EOT
+ )
+ virtual_path = "/etc/nginx/nginx.conf"
+ }
+}
+
+resource "azurerm_role_assignment" "example" {
+ scope = azurerm_nginx_deployment.example.id
+ role_definition_name = "Monitoring Metrics Publisher"
+ principal_id = module.prerequisites.managed_identity_principal_id
+}
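Review bot: The provider block pins a literal account identifier, `subscription_id = "ee920d60-90f3-4a92-b5e7-bb284c3a6ce2"`, which ties this example to a single subscription and commits an internal identifier into a reusable deployment snippet. Read it from an input instead, `subscription_id = var.subscription_id`, declared in variables.tf as `variable "subscription_id" { type = string }` with no default, or drop the attribute so the provider falls back to ARM_SUBSCRIPTION_ID or the CLI context. The same hunk also hard-codes `capacity = 20` while sku, location and name come from variables; a `capacity` variable would keep the resource consistent with the rest of the file. The second commit touches this file again but leaves the provider block unchanged.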
diff --git a/terraform/deployments/with-web-application-firewall/output.tf b/terraform/deployments/with-web-application-firewall/output.tf
new file mode 100644
index 0000000..784ee54
--- /dev/null
+++ b/terraform/deployments/with-web-application-firewall/output.tf
@@ -0,0 +1,4 @@
+output "ip_address" {
+ description = "IP address of NGINXaaS deployment."
+ value = azurerm_nginx_deployment.example.ip_address
+}
diff --git a/terraform/deployments/with-web-application-firewall/variables.tf b/terraform/deployments/with-web-application-firewall/variables.tf
new file mode 100644
index 0000000..3fa327a
--- /dev/null
+++ b/terraform/deployments/with-web-application-firewall/variables.tf
@@ -0,0 +1,22 @@
+variable "location" {
+ description = "Azure location name for NGINXaaS deployment."
+ default = "eastus2"
+}
+
+variable "name" {
+ description = "Name of NGINXaaS deployment and related resources."
+ default = "example-nginx"
+}
+
+variable "sku" {
+ description = "SKU of NGINXaaS deployment."
+ default = "standard_Monthly"
+}
+
+variable "tags" {
+ description = "Tags for NGINXaaS deployment and related resources."
+ type = map(any)
+ default = {
+ env = "Production"
+ }
+}

From f8aef38737a5c9c253edc07a4b4b69934c64d725 Mon Sep 17 00:00:00 2001
From: Arpith Varghese
Date: Fri, 20 Sep 2024 15:30:19 -0700
Subject: [PATCH 2/2] update config

---
 .../with-web-application-firewall/main.tf | 21 +++++++++++++------
 .../variables.tf | 2 +-
 2 files changed, 16 insertions(+), 7 deletions(-)

diff --git a/terraform/deployments/with-web-application-firewall/main.tf b/terraform/deployments/with-web-application-firewall/main.tf
index 6b5e242..e266d4f 100644
--- a/terraform/deployments/with-web-application-firewall/main.tf
+++ b/terraform/deployments/with-web-application-firewall/main.tf
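Review bot: In the variables.tf hunk the `location`, `name` and `sku` variables carry a description and a default but no `type`, whereas `tags` declares `type = map(any)`; adding `type = string` to each of the three keeps the file consistent and lets Terraform reject a wrongly typed value at plan time instead of inside the provider. The `sku` default is changed again in the following commit, so the type line is best added in the same place.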
@@ -38,10 +38,8 @@ resource "azurerm_nginx_deployment" "example" {
 network_interface {
 subnet_id = module.prerequisites.subnet_id
 }
- nginx_app_protect {
- web_application_firewall_settings {
- activation_state = "Enabled"
- }
+ web_application_firewall_settings {
+ activation_state = "Enabled"
 }
 tags = var.tags
 }
@@ -57,6 +55,8 @@ worker_processes auto;
 worker_rlimit_nofile 8192;
 pid /run/nginx/nginx.pid;
 
+load_module modules/ngx_http_app_protect_module.so;
+
 events {
 worker_connections 4000;
 }
@@ -64,11 +64,20 @@ events {
 error_log /var/log/nginx/error.log error;
 
 http {
+ app_protect_enforcer_address 127.0.0.1:50000;
+
 server {
 listen 80 default_server;
- server_name localhost;
+
 location / {
- return 200 'Hello World';
+ app_protect_enable on;
+ app_protect_policy_file /etc/app_protect/conf/NginxDefaultPolicy.tgz;
+ proxy_pass http://127.0.0.1:80/proxy/$request_uri;
+ }
+
+ location /proxy {
+ default_type text/html;
+ return 200 "Hello World\n";
 }
 }
 }
diff --git a/terraform/deployments/with-web-application-firewall/variables.tf b/terraform/deployments/with-web-application-firewall/variables.tf
index 3fa327a..be81ffa 100644
--- a/terraform/deployments/with-web-application-firewall/variables.tf
+++ b/terraform/deployments/with-web-application-firewall/variables.tf
@@ -10,7 +10,7 @@ variable "name" {
 
 variable "sku" {
 description = "SKU of NGINXaaS deployment."
- default = "standard_Monthly"
+ default = "standardv2_Monthly"
 }
 
 variable "tags" {
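Review bot: In the nginx config hunk, `app_protect_enable on` is set only inside `location /`, yet `location /proxy` is served by the same `listen 80 default_server` listener, so any request whose path starts with `/proxy` reaches the backend location without WAF inspection; either restrict that location to the loopback hop with `allow 127.0.0.1;` and `deny all;`, or move `app_protect_enable on;` up to the `server` block so every location is covered. Separately, `proxy_pass http://127.0.0.1:80/proxy/$request_uri;` appends the full original URI, leading slash and query string included, after a slash, so the upstream path becomes `/proxy//path`; `proxy_pass http://127.0.0.1:80/proxy$request_uri;` avoids the doubled slash. A short comment above `location /`, such as `# WAF-inspected entry point; forwards to the local /proxy backend`, would make the loopback layout of this example clear to readers, since nothing in the hunk explains why the backend is served by the same server block.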