diff --git a/application_gateways.tf b/application_gateways.tf
index 25efc6686f..1a8588448b 100644
--- a/application_gateways.tf
+++ b/application_gateways.tf
@@ -1,4 +1,4 @@
-module application_gateways {
+module "application_gateways" {
 source = "./modules/networking/application_gateway"
 for_each = local.networking.application_gateways
@@ -16,6 +16,8 @@ module application_gateways {
 public_ip_addresses = local.combined_objects_public_ip_addresses
 app_services = local.combined_objects_app_services
 managed_identities = local.combined_objects_managed_identities
+ keyvaults = local.combined_objects_keyvaults
+ dns_zones = local.combined_objects_dns_zones
 keyvault_certificates = module.keyvault_certificates
 application_gateway_applications = {
 for key, value in local.networking.application_gateway_applications : key => value
@@ -23,12 +25,12 @@ module application_gateways {
 }
 }
-output application_gateways {
+output "application_gateways" {
 value = module.application_gateways
 }
-output application_gateway_applications {
+output "application_gateway_applications" {
 value = local.networking.application_gateway_applications
 }
diff --git a/front_doors.tf b/front_doors.tf
index 66f3b93e26..4aee4293d4 100644
--- a/front_doors.tf
+++ b/front_doors.tf
@@ -30,10 +30,14 @@ locals {
 # "az ad sp create --id ad0e1c7e-6d38-4ba4-9efd-0bc77ba9f037"
 data "azuread_service_principal" "front_door" {
+ for_each = {
+ for key, value in local.networking.front_doors : key => value
+ if try(value.keyvault_key, null) != null
+ }
 application_id = local.front_door_application_id
 }
-module front_doors_keyvault_access_policy {
+module "front_doors_keyvault_access_policy" {
 source = "./modules/security/keyvault_access_policies"
 for_each = {
 for key, value in local.networking.front_doors : key => value
@@ -45,9 +49,9 @@ module front_doors_keyvault_access_policy {
 access_policies = {
 front_door_certificate = {
- object_id = data.azuread_service_principal.front_door.object_id
+ object_id = data.azuread_service_principal.front_door[each.key].object_id
 certificate_permissions = ["Get"]
 secret_permissions = ["Get"]
 }
 }
-}
\ No newline at end of file
+}
diff --git a/keyvault_certificate_requests.tf b/keyvault_certificate_requests.tf
index 5e45f17612..9fde275329 100644
--- a/keyvault_certificate_requests.tf
+++ b/keyvault_certificate_requests.tf
@@ -8,10 +8,10 @@ module keyvault_certificate_requests {
 for_each = local.security.keyvault_certificate_requests
 keyvault_id = try(local.combined_objects_keyvaults[each.value.lz_key][each.value.keyvault_key].id, local.combined_objects_keyvaults[local.client_config.landingzone_key][each.value.keyvault_key].id)
- certificate_issuers = var.security.keyvault_certificate_issuers
+ certificate_issuers = try(var.security.keyvault_certificate_issuers, {})
 settings = each.value
 }
 output keyvault_certificate_requests {
 value = module.keyvault_certificate_requests
-}
\ No newline at end of file
+}
diff --git a/main.tf b/main.tf
index 037424a542..46e4346c4d 100755
--- a/main.tf
+++ b/main.tf
@@ -42,4 +42,4 @@ resource "random_string" "alpha1" {
 data "azuread_service_principal" "logged_in_app" {
 count = try(data.azurerm_client_config.current.object_id, null) == null ? 1 : 0
 application_id = data.azurerm_client_config.current.client_id
-}
\ No newline at end of file
+}
diff --git a/modules/compute/aks/aks.tf b/modules/compute/aks/aks.tf
index 38a9f02477..a5d9ff7460 100644
--- a/modules/compute/aks/aks.tf
+++ b/modules/compute/aks/aks.tf
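Review bot: The new `data.azuread_service_principal.front_door[each.key].object_id` only resolves when this module's for_each produces exactly the keys the data source's for_each produces, i.e. both filter on `try(value.keyvault_key, null) != null`; the module's filter lines sit outside this hunk, so the coupling is not visible here, and any front_doors entry present in one map but not the other fails at plan time with an invalid index. All instances of the data source also look up the same `local.front_door_application_id`, so the per-key instances return one object_id many times. Putting the shared filter in a single local that both for_each expressions reference removes the chance of drift; if the keyed form stays, record the dependency at the data source with `# keys must match module.front_doors_keyvault_access_policy's for_each, which indexes this data source by each.key`.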
@@ -39,9 +39,9 @@ resource "azurecaf_name" "rg_node" {
 resource "azurerm_kubernetes_cluster" "aks" {
- name = azurecaf_name.aks.result
- location = var.resource_group.location
- resource_group_name = var.resource_group.name
+ name = azurecaf_name.aks.result
+ location = var.resource_group.location
+ resource_group_name = var.resource_group.name
 default_node_pool {
 name = var.settings.default_node_pool.name //azurecaf_name.default_node_pool.result
@@ -60,53 +60,53 @@ resource "azurerm_kubernetes_cluster" "aks" { tags = merge(try(var.settings.default_node_pool.tags, {}), local.tags) } - dns_prefix = try(var.settings.dns_prefix, random_string.prefix.result) + dns_prefix = try(var.settings.dns_prefix, random_string.prefix.result) dynamic "addon_profile" { - for_each = try(var.settings.addon_profile, {}) - + for_each = lookup(var.settings, "addon_profile", null) == null ? [] : [1] + content { dynamic "aci_connector_linux" { for_each = try(var.settings.addon_profile.aci_connector_linux[*], {}) - + content { enabled = aci_connector_linux.value.enabled subnet_name = aci_connector_linux.value.subnet_name } } - + dynamic "azure_policy" { for_each = try(var.settings.addon_profile.azure_policy[*], {}) - + content { - enabled = azure_policy.value.enabled + enabled = azure_policy.value.enabled } } dynamic "http_application_routing" { for_each = try(var.settings.addon_profile.http_application_routing[*], {}) - + content { - enabled = http_application_routing.value.enabled + enabled = http_application_routing.value.enabled } } dynamic "kube_dashboard" { - for_each = try(var.settings.addon_profile.kube_dashboard[*], {}) - + for_each = try(var.settings.addon_profile.kube_dashboard[*], [{enabled = false}]) + content { - enabled = kube_dashboard.value.enabled + enabled = kube_dashboard.value.enabled } } dynamic "oms_agent" { for_each = try(var.settings.addon_profile.oms_agent[*], {}) - + content { - enabled = oms_agent.value.enabled - log_analytics_workspace_id = try(oms_agent.value.log_analytics_workspace_id, try(var.diagnostics.log_analytics[oms_agent.value.log_analytics_key].id, null)) + enabled = oms_agent.value.enabled + log_analytics_workspace_id = try(oms_agent.value.log_analytics_workspace_id, try(var.diagnostics.log_analytics[oms_agent.value.log_analytics_key].id,null)) dynamic "oms_agent_identity" { - for_each = try(oms_agent.value.oms_agent_identity[*], {}) + for_each = try(oms_agent.value.oms_agent_identity[*],{}) 
content { client_id = oms_agent_identity.value.client_id 
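Review bot: The new `[{enabled = false}]` fallback on the kube_dashboard for_each only takes effect when `var.settings.addon_profile` is present, because the outer `dynamic "addon_profile"` now emits nothing at all when `lookup(var.settings, "addon_profile", null)` is null; a cluster definition with no addon_profile key therefore gets no kube_dashboard block and is left to the provider and service default instead of being disabled, which undercuts what reads as a deliberate hardening default. If the dashboard is meant to be off unless explicitly enabled, the outer block needs to be emitted unconditionally (e.g. `for_each = [1]`, assuming no caller depends on the block being absent), or the limitation should be stated next to the fallback: `# defaults the dashboard to disabled, but only when settings.addon_profile exists`. The enclosing azurerm_kubernetes_cluster resource continues outside the hunk.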
@@ -119,28 +119,28 @@ resource "azurerm_kubernetes_cluster" "aks" { } } - api_server_authorized_ip_ranges = try(var.settings.api_server_authorized_ip_ranges, null) + api_server_authorized_ip_ranges = try(var.settings.api_server_authorized_ip_ranges,null) dynamic "auto_scaler_profile" { for_each = try(var.settings.auto_scaler_profile[*], {}) - + content { - balance_similar_node_groups = try(auto_scaler_profile.value.balance_similar_node_groups, null) - max_graceful_termination_sec = try(auto_scaler_profile.value.max_graceful_termination_sec, null) - scale_down_delay_after_add = try(auto_scaler_profile.value.scale_down_delay_after_add, null) - scale_down_delay_after_delete = try(auto_scaler_profile.value.scale_down_delay_after_delete, null) - scale_down_delay_after_failure = try(auto_scaler_profile.value.scale_down_delay_after_failure, null) - scan_interval = try(auto_scaler_profile.value.scan_interval, null) - scale_down_unneeded = try(auto_scaler_profile.value.scale_down_unneeded, null) - scale_down_unready = try(auto_scaler_profile.value.scale_down_unready, null) - scale_down_utilization_threshold = try(auto_scaler_profile.value.scale_down_utilization_threshold, null) + balance_similar_node_groups = try(auto_scaler_profile.value.balance_similar_node_groups,null) + max_graceful_termination_sec = try(auto_scaler_profile.value.max_graceful_termination_sec,null) + scale_down_delay_after_add = try(auto_scaler_profile.value.scale_down_delay_after_add,null) + scale_down_delay_after_delete = try(auto_scaler_profile.value.scale_down_delay_after_delete,null) + scale_down_delay_after_failure = try(auto_scaler_profile.value.scale_down_delay_after_failure,null) + scan_interval = try(auto_scaler_profile.value.scan_interval,null) + scale_down_unneeded = try(auto_scaler_profile.value.scale_down_unneeded,null) + scale_down_unready = try(auto_scaler_profile.value.scale_down_unready,null) + scale_down_utilization_threshold = 
try(auto_scaler_profile.value.scale_down_utilization_threshold,null) } } disk_encryption_set_id = try(var.settings.disk_encryption_set_id, null) dynamic "identity" { - for_each = try(var.settings.identity[*], {}) + for_each = try(var.settings.identity[*],{}) content { type = identity.value.type @@ -149,14 +149,14 @@ resource "azurerm_kubernetes_cluster" "aks" { # Enabled RBAC dynamic "role_based_access_control" { - for_each = try(var.settings.role_based_access_control[*], {}) + for_each = try(var.settings.role_based_access_control[*],{}) content { enabled = try(role_based_access_control.value.enabled, true) - + dynamic "azure_active_directory" { - for_each = try(var.settings.role_based_access_control.azure_active_directory[*], {}) - + for_each = try(var.settings.role_based_access_control.azure_active_directory[*],{}) + content { managed = azure_active_directory.value.managed tenant_id = try(azure_active_directory.value.tenant_id, null) @@ -169,7 +169,7 @@ resource "azurerm_kubernetes_cluster" "aks" { } } - kubernetes_version = try(var.settings.kubernetes_version, null) + kubernetes_version = try(var.settings.kubernetes_version, null) # dynamic "linux_profile" { # for_each = var.settings.linux_profile == null ? [] : [1] 
@@ -179,21 +179,21 @@ resource "azurerm_kubernetes_cluster" "aks" { # ssh_key = try(var.settings.linux_profile.ssh_key,null) # } # } - + dynamic "network_profile" { for_each = try(var.settings.network_profile[*], {}) content { - network_plugin = try(network_profile.value.network_plugin, null) - network_mode = try(network_profile.value.network_mode, null) - network_policy = try(network_profile.value.network_policy, null) - dns_service_ip = try(network_profile.value.dns_service_ip, null) - docker_bridge_cidr = try(network_profile.value.docker_bridge_cidr, null) - outbound_type = try(network_profile.value.outbound_type, null) - pod_cidr = try(network_profile.value.network_profile.pod_cidr, null) - service_cidr = try(network_profile.value.network_profile.service_cidr, null) - load_balancer_sku = try(network_profile.value.network_profile.load_balancer_sku, null) - - dynamic "load_balancer_profile" { + network_plugin = try(network_profile.value.network_plugin,null) + network_mode = try(network_profile.value.network_mode, null) + network_policy = try(network_profile.value.network_policy, null) + dns_service_ip = try(network_profile.value.dns_service_ip, null) + docker_bridge_cidr = try(network_profile.value.docker_bridge_cidr, null) + outbound_type = try(network_profile.value.outbound_type, null) + pod_cidr = try(network_profile.value.network_profile.pod_cidr, null) + service_cidr = try(network_profile.value.network_profile.service_cidr, null) + load_balancer_sku = try(network_profile.value.network_profile.load_balancer_sku, null) + + dynamic "load_balancer_profile"{ for_each = try(network_profile.value.load_balancer_profile[*], {}) content { managed_outbound_ip_count = try(load_balancer_profile.value.managed_outbound_ip_count, null) diff --git a/modules/networking/application_gateway/application_gateway.tf b/modules/networking/application_gateway/application_gateway.tf index b6fc9d82ad..6dc497e82c 100644 --- a/modules/networking/application_gateway/application_gateway.tf 
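Review bot: The re-emitted `pod_cidr`, `service_cidr` and `load_balancer_sku` lines still read `network_profile.value.network_profile.…`, one level deeper than the sibling attributes on the same block such as `network_profile.value.network_plugin`; unless the settings object really nests a second `network_profile` map inside network_profile, which nothing here shows, those three `try()` calls always fall back to null and the configured CIDRs and load balancer SKU are silently replaced by provider defaults. The fix is `pod_cidr = try(network_profile.value.pod_cidr, null)`, `service_cidr = try(network_profile.value.service_cidr, null)` and `load_balancer_sku = try(network_profile.value.load_balancer_sku, null)`, after confirming the intended shape against a caller. Because `try()` masks the missing key, the problem only shows as a plan that never carries those values. The enclosing resource continues outside the hunk.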
+++ b/modules/networking/application_gateway/application_gateway.tf
@@ -8,6 +8,15 @@ resource "azurecaf_name" "agw" {
 use_slug = var.global_settings.use_slug
 }
+data "azurerm_key_vault_certificate" "trustedcas" {
+ for_each = {
+ for key, value in try(var.settings.trusted_root_certificate, {}) : key => value
+ if try(value.keyvault_key, null) != null
+ }
+ name = each.value.name
+ key_vault_id = var.keyvaults[try(each.value.lz_key, var.client_config.landingzone_key)][each.value.keyvault_key].id
+}
+
 resource "azurerm_application_gateway" "agw" {
 name = azurecaf_name.agw.result
 resource_group_name = var.resource_group_name
@@ -29,7 +38,7 @@ resource "azurerm_application_gateway" "agw" {
 subnet_id = local.ip_configuration["gateway"].subnet_id
 }
- dynamic autoscale_configuration {
+ dynamic "autoscale_configuration" {
 for_each = try(var.settings.capacity.autoscale, null) == null ? [] : [1]
 content {
@@ -38,7 +47,7 @@ resource "azurerm_application_gateway" "agw" {
 }
 }
- dynamic frontend_ip_configuration {
+ dynamic "frontend_ip_configuration" {
 for_each = var.settings.front_end_ip_configurations
 content {
@@ -50,7 +59,7 @@ resource "azurerm_application_gateway" "agw" {
 }
 }
- dynamic frontend_port {
+ dynamic "frontend_port" {
 for_each = var.settings.front_end_ports
 content {
@@ -59,7 +68,7 @@ resource "azurerm_application_gateway" "agw" {
 }
 }
- dynamic http_listener {
+ dynamic "http_listener" {
 for_each = local.listeners
 content {
@@ -67,14 +76,14 @@ resource "azurerm_application_gateway" "agw" {
 frontend_ip_configuration_name = var.settings.front_end_ip_configurations[http_listener.value.front_end_ip_configuration_key].name
 frontend_port_name = var.settings.front_end_ports[http_listener.value.front_end_port_key].name
 protocol = var.settings.front_end_ports[http_listener.value.front_end_port_key].protocol
- host_name = try(http_listener.value.host_names, null) == null ? http_listener.value.host_name : null
- host_names = try(http_listener.value.host_name, null) == null ? http_listener.value.host_names : null
+ host_name = try(regex("(.+).", (try(http_listener.value.host_names, null) == null ? try(var.dns_zones[try(http_listener.value.dns_zone.lz_key, var.client_config.landingzone_key)][http_listener.value.dns_zone.key].records[0][http_listener.value.dns_zone.record_type][http_listener.value.dns_zone.record_key].fqdn, http_listener.value.host_name) : null))[0], null)
+ host_names = try(http_listener.value.host_name, null) == null ? try(http_listener.value.host_names, null) : null
 require_sni = try(http_listener.value.require_sni, false)
 ssl_certificate_name = try(http_listener.value.keyvault_certificate.certificate_key, null)
 }
 }
- dynamic request_routing_rule {
+ dynamic "request_routing_rule" {
 for_each = local.listeners
 content {
@@ -87,7 +96,7 @@ resource "azurerm_application_gateway" "agw" {
 }
 }
- dynamic backend_http_settings {
+ dynamic "backend_http_settings" {
 for_each = local.backend_http_settings
 content {
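Review bot: `regex("(.+).", …)[0]` on the new host_name line strips the last character of whatever string it receives, because the trailing `.` in the pattern is an unescaped wildcard and the greedy group backtracks one character to let it match; that is only correct when the value is a DNS fqdn ending in a dot, but the same expression also wraps the fallback `http_listener.value.host_name`, so a plain listener host such as `www.example.com` becomes `www.example.co` and the listener no longer matches its intended host (for HTTPS listeners the SNI match then silently fails). `trimsuffix` states the intent and is a no-op when there is no trailing dot: `host_name = try(trimsuffix(try(http_listener.value.host_names, null) == null ? try(<existing dns_zones fqdn lookup>, http_listener.value.host_name) : null, "."), null)`, keeping the outer `try()` so a listener with neither value still yields null. The `records[0]` index and the `record_type`/`record_key` nesting are assumed from the dns_zones object shape, which is not visible here. The enclosing azurerm_application_gateway resource continues outside the hunk.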
@@ -97,10 +106,11 @@ resource "azurerm_application_gateway" "agw" {
 protocol = backend_http_settings.value.protocol
 request_timeout = try(backend_http_settings.value.request_timeout, 30)
 pick_host_name_from_backend_address = try(backend_http_settings.value.pick_host_name_from_backend_address, false)
+ trusted_root_certificate_names = try(backend_http_settings.value.trusted_root_certificate_names, null)
 }
 }
- dynamic backend_address_pool {
+ dynamic "backend_address_pool" {
 for_each = local.backend_pools
 content {
@@ -110,7 +120,7 @@ resource "azurerm_application_gateway" "agw" {
 }
 }
- dynamic identity {
+ dynamic "identity" {
 for_each = try(var.settings.identity, null) == null ? [] : [1]
 content {
@@ -124,9 +134,17 @@ resource "azurerm_application_gateway" "agw" {
 # }
- # trusted_root_certificate {
- # }
+
+ dynamic "trusted_root_certificate" {
+ for_each = {
+ for key, value in try(var.settings.trusted_root_certificate, {}) : key => value
+ }
+ content {
+ name = trusted_root_certificate.value.name
+ data = try(trusted_root_certificate.value.data, data.azurerm_key_vault_certificate.trustedcas[trusted_root_certificate.key].certificate_data_base64)
+ }
+ }
 # ssl_policy {
@@ -136,7 +154,7 @@ resource "azurerm_application_gateway" "agw" {
 # }
- dynamic ssl_certificate {
+ dynamic "ssl_certificate" {
 for_each = local.certificate_keys
 content {
@@ -160,4 +178,4 @@ resource "azurerm_application_gateway" "agw" {
 # rewrite_rule_set {}
-}
\ No newline at end of file
+}
diff --git a/modules/networking/application_gateway/variable.tf b/modules/networking/application_gateway/variable.tf
index 3b7cddf414..edea8e6024 100644
--- a/modules/networking/application_gateway/variable.tf
+++ b/modules/networking/application_gateway/variable.tf
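Review bot: In the new trusted_root_certificate block, `data = try(trusted_root_certificate.value.data, data.azurerm_key_vault_certificate.trustedcas[trusted_root_certificate.key].certificate_data_base64)` hides the case of an entry that sets neither `data` nor `keyvault_key`: such an entry is absent from `trustedcas` (its for_each filters on keyvault_key), the `try()` swallows the invalid index and yields null, and the provider then rejects the block without naming the offending entry. Making the choice explicit keeps the plan-time error on the right key: `data = try(trusted_root_certificate.value.data, null) != null ? trusted_root_certificate.value.data : data.azurerm_key_vault_certificate.trustedcas[trusted_root_certificate.key].certificate_data_base64`. The `for_each = { for key, value in try(var.settings.trusted_root_certificate, {}) : key => value }` is an identity comprehension and reads more simply as `for_each = try(var.settings.trusted_root_certificate, {})`. In the `@@ -97` hunk above, `trusted_root_certificate_names` is passed through from settings verbatim, so a name that matches no trusted_root_certificate block only surfaces as an API error at apply; deriving the names from the same settings map would catch that at plan. The enclosing resource continues outside the hunk.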
@@ -1,31 +1,31 @@
-variable settings {}
-variable global_settings {
+variable "settings" {}
+variable "global_settings" {
 description = "Global settings object (see module README.md)"
 }
-variable client_config {
+variable "client_config" {
 description = "Client configuration object (see module README.md)."
 }
-variable diagnostics {}
-variable resource_group_name {
+variable "diagnostics" {}
+variable "resource_group_name" {
 description = "(Required) The name of the resource group where to create the resource."
 type = string
 }
-variable location {
+variable "location" {
 description = "(Required) Specifies the supported Azure location where to create the resource. Changing this forces a new resource to be created."
 type = string
 }
-variable public_ip_addresses {
+variable "public_ip_addresses" {
 default = {}
 }
-variable application_gateway_applications {}
-variable app_services {
+variable "application_gateway_applications" {}
+variable "app_services" {
 default = {}
 }
-variable vnets {
+variable "vnets" {
 default = {}
 }
-variable sku_name {
+variable "sku_name" {
 type = string
 default = "Standard_v2"
 description = "(Optional) (Default = Standard_v2) The Name of the SKU to use for this Application Gateway. Possible values are Standard_Small, Standard_Medium, Standard_Large, Standard_v2, WAF_Medium, WAF_Large, and WAF_v2."
@@ -36,7 +36,7 @@ variable sku_name {
 }
 }
-variable sku_tier {
+variable "sku_tier" {
 type = string
 default = "Standard_v2"
 description = "(Optional) (Default = Standard_v2) (Required) The Tier of the SKU to use for this Application Gateway. Possible values are Standard, Standard_v2, WAF and WAF_v2."
@@ -47,16 +47,24 @@ variable sku_tier {
 }
 }
-variable base_tags {
+variable "base_tags" {
 description = "Base tags for the resource to be inherited from the resource group."
- type = map
+ type = map(any)
 }
-variable private_dns {
+variable "private_dns" {
 default = {}
 }
-variable keyvault_certificates {
+variable "keyvault_certificates" {
 default = {}
 }
-variable managed_identities {
+variable "managed_identities" {
+ default = {}
+}
+
+variable "dns_zones" {
+ default = {}
+}
+
+variable "keyvaults" {
 default = {}
 }
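Review bot: The new `dns_zones` and `keyvaults` variables carry no description or type, unlike `resource_group_name` and `location` in this file, even though the module dereferences them with a fixed shape (`var.keyvaults[lz_key][keyvault_key].id` in the trustedcas data source, and a `[lz_key][zone_key].records[0][record_type][record_key].fqdn` path for dns_zones in the listener block). A one-line description on each would tell callers what to pass: `description = "Map of key vault objects keyed by landing zone key, then keyvault key; used to resolve trusted root certificates from Key Vault."` and `description = "Map of DNS zone objects keyed by landing zone key, then zone key; used to derive listener host names from zone records."`. Both keep `default = {}` so existing callers are unaffected.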