Front door redirect rules

Allow passing a list of redirect rules per environment. Rules are
triggered per domain and may:
- redirect to domain on the same front door or external
- redirect to the same path as in the incoming request
- redirect to a specific path
- add a query string

Additional rule sets may still be passed using the rule_set_ids variable

domains/environment_domains/front_door.tf

@@ -44,13 +44,16 @@ resource "azurerm_cdn_frontdoor_custom_domain" "main" {
 }
 
 resource "azurerm_cdn_frontdoor_route" "main" {
-  depends_on                      = [azurerm_cdn_frontdoor_origin_group.main, azurerm_cdn_frontdoor_origin.main]
-  for_each                        = toset(var.domains)
-  name                            = "${var.environment}-rt"
-  cdn_frontdoor_endpoint_id       = azurerm_cdn_frontdoor_endpoint.main[each.key].id
-  cdn_frontdoor_origin_group_id   = azurerm_cdn_frontdoor_origin_group.main.id
-  cdn_frontdoor_origin_ids        = [azurerm_cdn_frontdoor_origin.main.id]
-  cdn_frontdoor_rule_set_ids      = var.rule_set_ids
+  depends_on                    = [azurerm_cdn_frontdoor_origin_group.main, azurerm_cdn_frontdoor_origin.main]
+  for_each                      = toset(var.domains)
+  name                          = "${var.environment}-rt"
+  cdn_frontdoor_endpoint_id     = azurerm_cdn_frontdoor_endpoint.main[each.key].id
+  cdn_frontdoor_origin_group_id = azurerm_cdn_frontdoor_origin_group.main.id
+  cdn_frontdoor_origin_ids      = [azurerm_cdn_frontdoor_origin.main.id]
+  cdn_frontdoor_rule_set_ids = concat(
+    var.rule_set_ids,
+    azurerm_cdn_frontdoor_rule_set.redirects[*].id
+  )
   link_to_default_domain          = false
   cdn_frontdoor_custom_domain_ids = [azurerm_cdn_frontdoor_custom_domain.main[each.key].id]
   forwarding_protocol             = "HttpsOnly"
@@ -60,12 +63,15 @@ resource "azurerm_cdn_frontdoor_route" "main" {
 }
 
 resource "azurerm_cdn_frontdoor_route" "cached" {
-  for_each                        = toset(local.cached_domain_list)
-  name                            = "${var.environment}-cached-rt"
-  cdn_frontdoor_endpoint_id       = azurerm_cdn_frontdoor_endpoint.main[each.key].id
-  cdn_frontdoor_origin_group_id   = azurerm_cdn_frontdoor_origin_group.main.id
-  cdn_frontdoor_origin_ids        = [azurerm_cdn_frontdoor_origin.main.id]
-  cdn_frontdoor_rule_set_ids      = var.rule_set_ids
+  for_each                      = toset(local.cached_domain_list)
+  name                          = "${var.environment}-cached-rt"
+  cdn_frontdoor_endpoint_id     = azurerm_cdn_frontdoor_endpoint.main[each.key].id
+  cdn_frontdoor_origin_group_id = azurerm_cdn_frontdoor_origin_group.main.id
+  cdn_frontdoor_origin_ids      = [azurerm_cdn_frontdoor_origin.main.id]
+  cdn_frontdoor_rule_set_ids = concat(
+    var.rule_set_ids,
+    azurerm_cdn_frontdoor_rule_set.redirects[*].id
+  )
   link_to_default_domain          = false
   cdn_frontdoor_custom_domain_ids = [azurerm_cdn_frontdoor_custom_domain.main[each.key].id]
   forwarding_protocol             = "HttpsOnly"

domains/environment_domains/front_door_rules.tf

@@ -0,0 +1,33 @@
+resource "azurerm_cdn_frontdoor_rule_set" "redirects" {
+  count = length(var.redirect_rules) > 0 ? 1 : 0
+
+  name                     = "${var.environment}Redirects"
+  cdn_frontdoor_profile_id = data.azurerm_cdn_frontdoor_profile.main.id
+}
+
+resource "azurerm_cdn_frontdoor_rule" "rule" {
+  count      = length(var.redirect_rules)
+  depends_on = [azurerm_cdn_frontdoor_origin_group.main, azurerm_cdn_frontdoor_origin.main]
+
+  name                      = "rule${count.index}"
+  cdn_frontdoor_rule_set_id = azurerm_cdn_frontdoor_rule_set.redirects[0].id
+  order                     = count.index
+  behavior_on_match         = "Continue"
+
+  conditions {
+    host_name_condition {
+      operator     = "Equal"
+      match_values = [for d in [var.redirect_rules[count.index]["from-domain"]] : d == "apex" ? "${var.zone}" : "${d}.${var.zone}"]
+    }
+  }
+
+  actions {
+    url_redirect_action {
+      redirect_type        = "Moved"
+      redirect_protocol    = "Https"
+      destination_hostname = var.redirect_rules[count.index]["to-domain"]
+      destination_path     = try(var.redirect_rules[count.index]["to-path"], null)
+      query_string         = try(var.redirect_rules[count.index]["to-query-string"], null)
+    }
+  }
+}

domains/environment_domains/variables.tf

@@ -3,15 +3,19 @@ variable "front_door_name" {}
 variable "resource_group_name" {}
 variable "domains" {}
 variable "environment" {}
-variable "host_name" {}
+variable "host_name" {
+  default     = "not-in-use.education.gov.uk"
+  description = "Origin host name ie domain to where front door sends the requests. It may not be used if all requests are redirected."
+}
+
 variable "null_host_header" {
   default     = false
   description = "The origin_host_header for the azurerm_cdn_frontdoor_origin resource will be var.host_name (if false) or null (if true). If null then the host name from the incoming request will be used."
 }
 
 variable "rule_set_ids" {
   type    = list(any)
-  default = null
+  default = []
 }
 
 variable "multiple_hosted_zones" {
@@ -29,3 +33,21 @@ variable "exclude_cnames" {
   default     = []
   description = "Don't create the CNAME for this record from var.domains. We set this when we want to configure front door for a services domain that we are migrating so we do not need to wait for the certificate to validate and front door to propagate the configuration."
 }
+
+variable "redirect_rules" {
+  default     = {}
+  description = <<EOF
+    List of ordered redirect rules with format:
+    [
+      {
+        "from-domain": "One of the domains from var.domains to redirect from",
+        "to-domain": "Redirect destination domain",
+        "to-path": "Optional path appended to the destination URL. If not provided, the path will be the same as in the incoming request",
+        "to-query-string": "Optional path appended to the destination URL. If not provided, defaults to empty string"
+      },
+      {
+        ...
+      }
+    ]
+  EOF
+}