-
Notifications
You must be signed in to change notification settings - Fork 1
/
loadbalancer_private.tf
331 lines (292 loc) · 14.1 KB
/
loadbalancer_private.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
/**
* Copyright 2020 Quortex
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
# A subnet for private application gateway usage.
resource "azurerm_subnet" "app_gateway_private" {
name = length(var.private_app_gateway_subnet_name) > 0 ? var.private_app_gateway_subnet_name : "${var.name}-app-gw-private"
resource_group_name = var.resource_group_name
virtual_network_name = var.virtual_network
address_prefixes = [var.private_app_gateway_address_prefix]
}
# The private application gateway public IP.
resource "azurerm_public_ip" "private" {
name = length(var.private_app_gateway_frontend_ip_name) > 0 ? var.private_app_gateway_frontend_ip_name : "${var.name}-private"
location = var.location
resource_group_name = var.resource_group_name
allocation_method = "Static"
sku = "Standard"
zones = length(var.public_ip_zones) == 0 ? [1] : var.public_ip_zones
tags = var.tags
}
# The private application gateway.
resource "azurerm_application_gateway" "private" {
count = length(var.private_app_gateway_backend_ip_addresses) > 0 ? 1 : 0
name = length(var.private_app_gateway_name) > 0 ? var.private_app_gateway_name : "${var.name}-private"
resource_group_name = var.resource_group_name
location = var.location
# Application gateway SKU.
sku {
name = "Standard_v2"
tier = "Standard_v2"
}
# Application gateway autoscale configuration
autoscale_configuration {
min_capacity = var.private_app_gateway_min_capacity
max_capacity = var.private_app_gateway_max_capacity
}
# Application gateway IP configuration.
gateway_ip_configuration {
name = var.private_app_gateway_ip_config_name
subnet_id = azurerm_subnet.app_gateway_private.id
}
# Application gateway frontend IP configuration.
frontend_ip_configuration {
name = var.private_app_gateway_frontend_ip_config_name
public_ip_address_id = azurerm_public_ip.private.id
}
# A frontend port for HTTP traffic.
frontend_port {
name = var.private_app_gateway_frontend_port_name_http
port = 80
}
# A frontend port for HTTPS traffic.
dynamic "frontend_port" {
for_each = var.ssl_enabled ? [null] : []
content {
name = var.private_app_gateway_frontend_port_name_https
port = 443
}
}
# HTTP listeners
dynamic "http_listener" {
for_each = var.dns_records_private
content {
name = "${var.private_app_gateway_http_listener_name_prefix}-${http_listener.key}"
host_name = "${http_listener.value}.${var.dns_managed_zone}"
frontend_ip_configuration_name = var.private_app_gateway_frontend_ip_config_name
frontend_port_name = var.private_app_gateway_frontend_port_name_http
protocol = "Http"
}
}
dynamic "http_listener" {
for_each = var.additional_dns_records_private
content {
name = "${var.private_app_gateway_http_listener_name_prefix}-add${http_listener.key}"
host_name = http_listener.value
frontend_ip_configuration_name = var.private_app_gateway_frontend_ip_config_name
frontend_port_name = var.private_app_gateway_frontend_port_name_http
protocol = "Http"
}
}
# HTTPS listeners
dynamic "http_listener" {
for_each = var.ssl_enabled ? var.dns_records_private : {}
content {
name = "${var.private_app_gateway_https_listener_name_prefix}-${http_listener.key}"
host_name = "${http_listener.value}.${var.dns_managed_zone}"
frontend_ip_configuration_name = var.private_app_gateway_frontend_ip_config_name
frontend_port_name = var.private_app_gateway_frontend_port_name_https
protocol = "Https"
ssl_certificate_name = var.private_app_gateway_ssl_certificate_name
}
}
dynamic "http_listener" {
for_each = var.ssl_enabled ? var.additional_dns_records_private : []
content {
name = "${var.private_app_gateway_https_listener_name_prefix}-add${http_listener.key}"
host_name = http_listener.value
frontend_ip_configuration_name = var.private_app_gateway_frontend_ip_config_name
frontend_port_name = var.private_app_gateway_frontend_port_name_https
protocol = "Https"
ssl_certificate_name = var.private_app_gateway_ssl_certificate_name
}
}
# Routing rules for HTTP listeners.
dynamic "request_routing_rule" {
for_each = var.dns_records_private
content {
name = "${var.private_app_gateway_request_routing_rule_http_name_prefix}-${request_routing_rule.key}"
rule_type = "Basic"
http_listener_name = "${var.private_app_gateway_http_listener_name_prefix}-${request_routing_rule.key}"
backend_address_pool_name = var.private_app_gateway_backend_address_pool_name
backend_http_settings_name = var.private_app_gateway_http_setting_name
priority = index(keys(var.dns_records_private), request_routing_rule.key) + 100
}
}
dynamic "request_routing_rule" {
for_each = var.additional_dns_records_private
content {
name = "${var.private_app_gateway_request_routing_rule_http_name_prefix}-add${request_routing_rule.key}"
rule_type = "Basic"
http_listener_name = "${var.private_app_gateway_http_listener_name_prefix}-add${request_routing_rule.key}"
backend_address_pool_name = var.private_app_gateway_backend_address_pool_name
backend_http_settings_name = var.private_app_gateway_http_setting_name
priority = contains(var.additional_dns_records_private, request_routing_rule.key) ? index(var.additional_dns_records_private, request_routing_rule.key) + 200 : 1000
}
}
# Routing rules for HTTPS listeners.
dynamic "request_routing_rule" {
for_each = var.ssl_enabled ? var.dns_records_private : {}
content {
name = "${var.private_app_gateway_request_routing_rule_https_name_prefix}-${request_routing_rule.key}"
rule_type = "Basic"
http_listener_name = "${var.private_app_gateway_https_listener_name_prefix}-${request_routing_rule.key}"
backend_address_pool_name = var.private_app_gateway_backend_address_pool_name
backend_http_settings_name = var.private_app_gateway_http_setting_name
priority = index(keys(var.dns_records_private), request_routing_rule.key) + 300
}
}
dynamic "request_routing_rule" {
for_each = var.ssl_enabled ? var.additional_dns_records_private : []
content {
name = "${var.private_app_gateway_request_routing_rule_https_name_prefix}-add${request_routing_rule.key}"
rule_type = "Basic"
http_listener_name = "${var.private_app_gateway_https_listener_name_prefix}-add${request_routing_rule.key}"
backend_address_pool_name = var.private_app_gateway_backend_address_pool_name
backend_http_settings_name = var.private_app_gateway_http_setting_name
priority = contains(var.additional_dns_records_private, request_routing_rule.key) ? index(var.additional_dns_records_private, request_routing_rule.key) + 400 : 2000
}
}
# Private App Gateway SSL certificate management.
dynamic "ssl_certificate" {
for_each = var.ssl_enabled ? [null] : []
content {
name = var.private_app_gateway_ssl_certificate_name
data = local.create_ssl_certificate ? acme_certificate.certificate[0].certificate_p12 : var.ssl_certificate_p12
password = local.create_ssl_certificate ? random_password.password[0].result : var.ssl_certificate_password
}
}
# Backend address pool pointing to private ingress controller.
backend_address_pool {
name = var.private_app_gateway_backend_address_pool_name
ip_addresses = var.private_app_gateway_backend_ip_addresses
}
# Backend http settings as HTTP.
# SSL termination is done at app gateway level.
backend_http_settings {
name = var.private_app_gateway_http_setting_name
host_name = var.private_app_gateway_backend_host_name
cookie_based_affinity = "Disabled"
port = 80
protocol = "Http"
request_timeout = 10
probe_name = var.private_app_gateway_hc_probe_name
}
# Private application gateway Health check.
probe {
name = var.private_app_gateway_hc_probe_name
host = "127.0.0.1"
port = var.private_app_gateway_hc_probe_port
interval = 5
protocol = "Http"
path = "/ping/"
timeout = 2
unhealthy_threshold = 2
match {
status_code = var.status_code_range
}
}
tags = var.tags
depends_on = [
azurerm_public_ip.private,
]
}
# Subnet <-> Network Security Group associations.
resource "azurerm_subnet_network_security_group_association" "private" {
subnet_id = azurerm_subnet.app_gateway_private.id
network_security_group_id = azurerm_network_security_group.private.id
}
# Manages a network security group that contains a list of network security rules asssociated to private AppGateway.
resource "azurerm_network_security_group" "private" {
name = length(var.private_app_gateway_security_group_name) > 0 ? var.private_app_gateway_security_group_name : "${var.name}-private-sg"
location = var.location
resource_group_name = var.resource_group_name
tags = var.tags
}
# Allow incoming traffic from a source IP or IP range and the destination as either the entire Application Gateway subnet, or to the specific configured private front-end IP. The NSG doesn't work on a public IP.
resource "azurerm_network_security_rule" "allow_whitelisted_ips" {
# Set this rule only if app_gateway_private_whitelisted_ips not empty.
count = max(0, min(length(var.private_app_gateway_whitelisted_ips), 1))
name = "AllowWhitelistedIPs"
priority = 100
direction = "Inbound"
access = "Allow"
protocol = "*"
source_port_range = "*"
destination_port_range = "*"
source_address_prefixes = var.private_app_gateway_whitelisted_ips
destination_address_prefix = var.private_app_gateway_address_prefix
resource_group_name = var.resource_group_name
network_security_group_name = azurerm_network_security_group.private.name
}
# Allow incoming requests from all sources to ports 65503-65534 for the Application Gateway v1 SKU, and ports 65200-65535 for v2 SKU for back-end health communication.
# This port range is required for Azure infrastructure communication.
# These ports are protected (locked down) by Azure certificates.
# Without appropriate certificates in place, external entities can't initiate changes on those endpoints.
resource "azurerm_network_security_rule" "allow_azure_infra_ports" {
name = "AllowAzureInfraPorts"
priority = 200
direction = "Inbound"
access = "Allow"
protocol = "*"
source_port_range = "*"
destination_port_range = "65200-65535"
source_address_prefix = "*"
destination_address_prefix = "*"
resource_group_name = var.resource_group_name
network_security_group_name = azurerm_network_security_group.private.name
}
# Allow incoming Azure Load Balancer probes (AzureLoadBalancer tag) on the network security group.
resource "azurerm_network_security_rule" "allow_azure_loadbalancer_probes" {
name = "AllowAzureLoadbalancerProbes"
priority = 300
direction = "Inbound"
access = "Allow"
protocol = "*"
source_port_range = "*"
destination_port_range = "*"
source_address_prefix = "AzureLoadBalancer"
destination_address_prefix = "*"
resource_group_name = var.resource_group_name
network_security_group_name = azurerm_network_security_group.private.name
}
# Allow inbound virtual network traffic (VirtualNetwork tag) on the network security group.
resource "azurerm_network_security_rule" "allow_vnet_inbound" {
name = "AllowVnetInBound"
priority = 400
direction = "Inbound"
access = "Allow"
protocol = "*"
source_port_range = "*"
destination_port_range = "*"
source_address_prefix = "VirtualNetwork"
destination_address_prefix = "*"
resource_group_name = var.resource_group_name
network_security_group_name = azurerm_network_security_group.private.name
}
# Block all other incoming traffic by using a deny-all rule.
resource "azurerm_network_security_rule" "deny_all_inbound" {
name = "DenyAllInBound"
priority = 500
direction = "Inbound"
access = "Deny"
protocol = "*"
source_port_range = "*"
destination_port_range = "*"
source_address_prefix = "*"
destination_address_prefix = "*"
resource_group_name = var.resource_group_name
network_security_group_name = azurerm_network_security_group.private.name
}